Roya Ensafi, Jong Chun Park, Deepak Kapur, and Jedidiah R. Crandall University of New Mexico, Dept. of Computer Science USENIX 2010.

Outline
- Introduction
- Related Work
- Formalizing Non-interference Analysis
- Finding Idle Scan
- Experimental confirmation of counterexamples

Introduction
- Network reconnaissance is the important first step of virtually all network attacks.
- Idle scans were introduced by Antirez, based on the non-random, sequential IPIDs of older network stacks.

Introduction - Idle Scan (diagram slide)

Introduction - Idle Scan
- IPID-based idle scans have been implemented in nmap.
- But modern network stacks randomize the IPID.
- FTP bounce scans are currently the only known way to port scan a victim host or network without routing forged packets to that host or network from the attacker.
  - This paper proposes another one.

Related Work
- Staniford et al. use simulated annealing to detect stealthy scans.
- Leckie and Kotagiri present a probabilistic approach.
- Gates and Kang et al. consider the problem of stealth port scans based on using many distributed hosts (e.g., a botnet) to perform the scan.

Related Work (cont.)
- Non-interference is a widely used concept of information flow security.
- Non-interference proved to be a very useful property because it can be specified with Linear Temporal Logic (LTL).

Formalizing Non-interference Analysis
- A host is viewed to be at the end of the network, i.e., an end host.

SYN Cache
- The SYN cache is a cache for pending SYN packets for which a SYN/ACK has been sent and the host is waiting for an ACK.
- In our model, packets are only removed from the SYN cache when a TCP RST is received from the source IP address and port of the original SYN packet.

Idle Scan model (diagram slide)

Non-interference Analysis Model (diagram slide)

Formalizing Non-interference Analysis
- Using SAL for modeling
  - SAT-based bounded model checker

Formalizing Non-interference Analysis -- Assumptions
- A major abstraction is that we consider the proper reply to SYN/ACK packets to be "drop" for open ports and RST for closed ports.
- Another major abstraction is that each of the two buffers in our split SYN cache has only a single entry.

Port Status (diagram slide)

Finding Idle Scan
- RST rate limit

Finding Idle Scan
- SYN cache

Experimental confirmation of counterexamples
- Setup
  - VirtualBox
  - TUN/TAP
- Zombie
  - kernel 2.4 host (Fedora Core 1)
  - Windows XP host with no service packs
  - Linux kernel 2.6 host (CentOS 5.2)
  - FreeBSD host

Experimental confirmation of counterexamples - RST rate
- For a real FreeBSD system, RSTs are limited to a default of 200 per second.
- Our implementation sends 2000 each of two different types of packets, each at a rate of 180 per second, to the victim and FreeBSD zombie, respectively.

Experimental confirmation of counterexamples - RST rate (results slide)

Experimental confirmation of counterexamples - SYN cache
- Linux kernel 2.4 uses a simple buffer for the SYN cache, with between 128 and 1024 entries depending on the memory available on the system.
- Our implementation
  - 50 forged SYNs, then 50 each of forged SYNs and SYNs where the attacker uses their own return IP (1000 per second)
  - 200 more forged SYNs (1000 per second)
  - sends 200 each of forged SYNs and SYNs where the attacker uses their own return IP address (400 per second)

Experimental confirmation of counterexamples - SYN cache
- Result between different OSes (results slide)

Experimental confirmation of counterexamples - SYN cache
- Idle port scan
  - 20,000 forged SYN packets (with random return ports that are closed on the zombie)
  - At half the rate, alternating forged SYNs with the target port on the victim as the source port and valid SYNs with the return address of the attacker
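The two shared-resource side channels described in the RST-rate and SYN-cache slides above, as an added bounded non-interference check written for this transcript (it is not the paper's SAL model or code): one brute-force checker is run over a tick-based abstraction of each zombie model and reports the first attacker input sequence whose observation depends on the victim's port state. The one-second tick, the proportional split of an exhausted RST budget between evenly interleaved senders, and the toy cache size of 4 are assumptions made here.

```python
# Added example (not the paper's SAL model): a bounded non-interference check of
# the two abstract zombie models.  High input: whether the victim port is open.
# Low inputs: the attacker's per-tick send counts.  Observation: what the zombie
# sends back to the attacker.  Assumed: one tick is one second, evenly interleaved
# senders split an exhausted RST budget proportionally, and, as in the paper's
# abstraction, the victim answers a SYN/ACK with RST if closed and drops it if open.
from itertools import product

RST_LIMIT = 200   # FreeBSD default RSTs per second (from the page)
RATE = 180        # per-type send rate of the page's RST experiment
CACHE = 4         # toy SYN cache size; Linux 2.4 holds 128 to 1024 entries


def rst_model(actions, victim_open):
    """Per tick (forged SYNs to the victim spoofed from the zombie, attacker's own
    SYNs to a closed zombie port) -> RSTs the attacker gets back.  An open victim
    port answers each forged SYN with a SYN/ACK to the zombie, which the zombie
    RSTs out of the same budget that serves the attacker's probes."""
    trace = []
    for forged, probes in actions:
        demand = probes + (forged if victim_open else 0)
        trace.append(probes if demand <= RST_LIMIT else RST_LIMIT * probes // demand)
    return tuple(trace)


def syn_cache_model(actions, victim_open):
    """Per tick (SYNs to the zombie spoofed from the victim, attacker's own SYNs)
    -> SYN/ACKs the attacker gets back.  A forged entry leaves the cache only when
    the victim RSTs the zombie's SYN/ACK, i.e. only when the victim port is closed."""
    pending, trace = 0, []
    for forged, own in actions:
        pending = min(CACHE, pending + forged)   # forged SYNs occupy cache entries
        trace.append(min(own, CACHE - pending))  # own SYNs are dropped once it is full
        if not victim_open:
            pending = 0                          # the victim's RSTs flush them
    return tuple(trace)


def find_counterexample(model, alphabet, bound):
    """First low-input sequence of at most `bound` ticks whose observation depends
    on the secret, or None if the model is non-interfering within the bound."""
    for k in range(1, bound + 1):
        for actions in product(alphabet, repeat=k):
            if model(actions, True) != model(actions, False):
                return actions
    return None


RST_ALPHABET = [(0, 0), (RATE, 0), (0, RATE), (RATE, RATE)]
CACHE_ALPHABET = [(0, 0), (CACHE, 0), (0, 1), (CACHE, 1)]
```

For the RST model the checker returns the single tick `((180, 180),)`, where the attacker gets 100 RSTs if the victim port is open and 180 if it is closed; for the SYN cache model it returns `((4, 0), (0, 1))`, the fill-then-probe sequence. To evaluate a candidate mitigation (for example, accounting the RST limit per destination), change the model and rerun the check: non-interference holds within the bound only if it returns None.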

Experimental confirmation of counterexamples - SYN cache
- Result for idle port scan (results slide)