Presentation is loading. Please wait.

Presentation is loading. Please wait.

@Yuan Xue CS 285 Network Security Internet Security and DoS Yuan Xue Fall 2011.

Published byScott Porter Modified over 8 years ago

Similar presentations

Presentation on theme: "@Yuan Xue CS 285 Network Security Internet Security and DoS Yuan Xue Fall 2011."— Presentation transcript:

1 @Yuan Xue (yuan.xue@vanderbilt.edu) CS 285 Network Security Internet Security and DoS Yuan Xue Fall 2011

2 @Yuan Xue (yuan.xue@vanderbilt.edu) Review Multi/Demultiplex port CW port Congestion window port Congestion window port SSL_CTX SSL SSL_SESSION HTTP Application Transport Network Link Fragment/Reassemble Forward Routing IP Address Routing table Forwarding table IEEE 802.11 SMTP PGP FTP User ID/Email/Key ID UDPTCP SSL HTTPS CW port Stream Frame Packet payloadTCP hdr payload SSL hdr payloadSSL hdr payloadIPSecSSLIP IPSec SADB TCP payloadIPSecSSLIPTCP (Transport mode) MAC Web Security

3 @Yuan Xue (yuan.xue@vanderbilt.edu) Let’s move on to availability We are happy that we know how to protect our networked application! and network itself (partially..) Achieve data confidentiality/integrity Good use of popular security protocols/services Wait a minute…how about availability? We can’t believe that the professor still remembers it. It is already after Thanksgiving!

4 @Yuan Xue (yuan.xue@vanderbilt.edu) Internet is a Network of Networks local network Internet service provider (ISP) backbone ISP local network TCP/IP for packet routing and connections Border Gateway Protocol (BGP) for route discovery Domain Name System (DNS) for IP address discovery Autonomous system (AS) is a collection of IP networks under control of a single administrator (e.g., ISP)

5 @Yuan Xue (yuan.xue@vanderbilt.edu) TCP (Transmission Control Protocol) Sender: break data into packets Sequence number is attached to every packet Receiver: reassemble packets in correct order Acknowledge receipt; lost packets are re-sent Connection state maintained on both sides

6 @Yuan Xue (yuan.xue@vanderbilt.edu) IP (Internet Protocol) Connectionless Unreliable, “best-effort” protocol Uses public addresses for routing Typically several hops in the route Alice’s computer Alice’s ISP Bob’s ISP Bob’s computer Packet Source 128.83.130.239 171.64.66.201 3 Dest Seq 128.83.130.239 171.64.66.201 ICMP (Control Message Protocol) Provides feedback about network operation Error reporting, congestion control, reachability, etc.

7 @Yuan Xue (yuan.xue@vanderbilt.edu) Internet Security When Internet is first designed, security consideration is not incorporated. Flaws in both protocol design and implementation Attacks towards TCP/IP protocols Attack to IP: forged routing information, ping death; smurf attacks Attack to TCP: SYN flooding, sequence number prediction Attacks towards high level protocols DNS cache poison Result: data communication is disrupted

8 @Yuan Xue (yuan.xue@vanderbilt.edu) Overview of DoS Denial-of-Service attack The host or the network can no longer serves legitimate users Types Logic attack  Exploit existing software flaws  Countermeasures: upgrade software Flooding attack Consume the resource of a host or network  CPU, memory, network connectivity, network bandwidth, battery energy  Easy concept, nontrivial to practice  try yourself in homework 5!  Once successful, hard to address, especially in distributed form  Worm attack

9 @Yuan Xue (yuan.xue@vanderbilt.edu) Attacks Towards TCP TCP connection requires state  TCP SYN Flood TCP Sequence number prediction TCP reset attack

10 @Yuan Xue (yuan.xue@vanderbilt.edu) TCP SYN Flood TCP handshake

11 @Yuan Xue (yuan.xue@vanderbilt.edu) TCP SYN Flood A stream of TCP SYN packets directed to a listening TCP port at the victim The host victim must allocate new data structures to each SYN request New thread, connection state maintained until timeout Fixed bound on half-open connections Once resources exhausted, requests from legitimate clients are denied Combine with IP address spoofing

12 @Yuan Xue (yuan.xue@vanderbilt.edu) TCP SYN Flood This is a classic denial of service attack Resource consumption, not a bandwidth consumption attack Common pattern: it costs nothing to TCP initiator to send a connection request, but TCP responder must spawn a thread for each request – Asymmetry!

13 @Yuan Xue (yuan.xue@vanderbilt.edu) Preventing SYN flood DoS is caused by asymmetric state allocation If responder opens new state for each connection attempt, attacker can initiate thousands of connections from bogus or forged IP addresses Cookies ensure that the responder is stateless until initiator produced at least two messages Responder’s state (IP addresses and ports of the con- nection) is stored in a cookie and sent to initiator After initiator responds, cookie is regenerated and compared with the cookie returned by the initiator

14 @Yuan Xue (yuan.xue@vanderbilt.edu) SYN Cookies [Bernstein and Schenk] CS SYN C Listening… Does not store state F(source addr, source port, dest addr, dest port, coarse time, server secret) SYN S, ACK C sequence # = cookie Cookie must be unforgeable and tamper-proof (why?) Client should not be able to invert a cookie (why?) F=Rijndael or crypto hash Recompute cookie, compare with with the one received, only establish connection if they match ACK S (cookie) Compatible with standard TCP; simply a “weird” sequence number scheme More info: http://cr.yp.to/syncookies.html

15 @Yuan Xue (yuan.xue@vanderbilt.edu) Another Defense: Random Deletion 121.17.182.45 231.202.1.16 121.100.20.14 5.17.95.155 SYN C If SYN queue is full, delete random entry Legitimate connections have a chance to complete Fake addresses will be eventually deleted Easy to implement half-open connections

16 @Yuan Xue (yuan.xue@vanderbilt.edu) TCP Connection Spoofing Each TCP connection has associated state Sequence number, port number TCP state is easy to guess Port numbers standard seq numbers is random, but still guessable Can inject packets into existing connections If attacker knows initial sequence number and amount of traffic, can guess likely current number Guessing a 32-bit seq number is not easy, BUT…  Most systems accept large windows of sequence numbers (to handle massive packet losses)  Send a flood of packets with likely sequence numbers

17 @Yuan Xue (yuan.xue@vanderbilt.edu) Example 1: DoS by Connection Reset If attacker can guess the current sequence number for an existing connection, can send Reset packet to close it Especially effective against long-lived connections For example, BGP route updates

18 @Yuan Xue (yuan.xue@vanderbilt.edu) Example 2: “Blind” IP Spoofing Attack Trusted connection between Alice and Bob uses predictable sequence numbers Alice Bob  SYN-flood Bob’s queue  Send packets to Alice that resemble Bob’s packets  Open connection to Alice to get initial sequence number Can’t receive packets sent to Bob, but maybe can penetrate Alice’s computer if Alice uses IP address-based authentication rlogin and other remote access tools use address-based authentication Connection Hijacking

19 @Yuan Xue (yuan.xue@vanderbilt.edu) Example 3: “Teardrop” and “Bonk” TCP fragments contain Offset field Attacker sets Offset field to overlapping values Bad implementation of TCP/IP stack will crash when attempting to re-assemble the fragments … or to very large values Target system will crash

20 @Yuan Xue (yuan.xue@vanderbilt.edu) User Datagram Protocol (UDP) UDP is a connectionless protocol Simply send datagram to application process at the specified port of the IP address Source port number provides return address Applications: media streaming, broadcast No acknowledgement, no flow control, no message continuation Denial of service by UDP data flood Bandwidth consumption  worm attack

21 @Yuan Xue (yuan.xue@vanderbilt.edu) Attacks Towards IP/ICMP IP addresses are public (no authentication) Smurf attacks Implementation errors Ping of Death Routing information is not authenticated

22 @Yuan Xue (yuan.xue@vanderbilt.edu) Example 1: “Smurf” Attack gateway victim 1 ICMP Echo Req Src: victim’s address Dest: broadcast address Looks like a legitimate “Are you alive?” ping request from the victim Every host on the network generates a ping (ICMP Echo Reply) to victim Stream of ping replies overwhelms victim Solution: reject external packets to broadcast addresses

23 @Yuan Xue (yuan.xue@vanderbilt.edu) Example 2: “Ping of Death” Logic attack IP packet with a size larger than 65,536 bytes is illegal by standard Many operating system did not know what to do when they received an oversized packet, so they froze, crashed or rebooted. Solution: patch OS, filter out ICMP packets

24 @Yuan Xue (yuan.xue@vanderbilt.edu) BGP Overview AS: Internet routers are grouped into management domains called Autonomous Systems (AS). BGP: Routing information between AS is exchanged via BGP UPDATE messages.

25 @Yuan Xue (yuan.xue@vanderbilt.edu) BGP Security Threat BGP does not have any security protection over routing information, for example:  Routing information source authentication  UPDATE message integrity protection If malicious attacker injects or modifies routing information (UPDATE messages), BPG routing will be interrupted and packets will get dropped.  Can blackhole traffic to certain IP prefixes

26 @Yuan Xue (yuan.xue@vanderbilt.edu) YouTube (Normally) AS36561 (YouTube) advertises 208.65.152.0/22

27 @Yuan Xue (yuan.xue@vanderbilt.edu) YouTube (February 24, 2008) Pakistan government wants to block YouTube AS17557 (Pakistan Telecom) advertises 208.65.153.0/24 All YouTube traffic worldwide directed to AS17557 Result: two-hour YouTube outage

28 @Yuan Xue (yuan.xue@vanderbilt.edu) Other BGP Incidents May 2003: Spammers hijack unused block of IP addresses belonging to Northrop Grumman Entire Northrop Grumman ends up on spam blacklist Took two months to reclaim ownership of IP addresses May 2004: Malaysian ISP hijacks prefix of Yahoo’s California data center Dec 2004: Turkish ISP advertises routes to the entire Internet, including Amazon, CNN, Yahoo

29 @Yuan Xue (yuan.xue@vanderbilt.edu) S-BGP Three security mechanisms are employed Public Key Infrastructure (PKI) is used to support the authentication of AS's identity, and BGP router's identity. BGP transitive path attribute is employed to carry digital signatures covering the routing information in a BGP UPDATE message. IPsec is used to provide data and partial sequence integrity, and to enable BGP routers to authenticate each other for exchanges of BGP control traffic. Further reading Stephen Kent, Charles Lynn, and Karen Seo, Secure Border Gateway Protocol (Secure-BGP), IEEE Journal on Selected Areas in Communications Vol. 18, No. 4, April 2000, pp. 582-592 Stephen Kent, Charles Lynn, J. Mikkelson, and Karen Seo, Secure Border Gateway Protocol (S-BGP) -- Real World Performance and Deployment Issues, in ISOC Symposium on Network and Distributed System Security, 2000.

30 @Yuan Xue (yuan.xue@vanderbilt.edu) Reference and Acknowledgement The Strange Tale of the Denial of Service Attacks Against GRC.com Distributed Reflection Denial of Service Slides by John Mitchell and Vitaly Shmatikov

Download ppt "@Yuan Xue CS 285 Network Security Internet Security and DoS Yuan Xue Fall 2011."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
Cisco 2 - Routers Perrine. J Page 14/30/2015 Chapter 10 TCP/IP Protocol Suite The function of the TCP/IP protocol stack is to transfer information from.

Cisco 2 - Routers Perrine. J Page 14/30/2015 Chapter 10 TCP/IP Protocol Suite The function of the TCP/IP protocol stack is to transfer information from.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.

Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Slide 1 Vitaly Shmatikov CS 378 Attacks on TCP/IP.

Slide 1 Vitaly Shmatikov CS 378 Attacks on TCP/IP.
Outline Definition Point-to-point network denial of service

Outline Definition Point-to-point network denial of service
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
Slide 1 Isaac Ghansah Attacks on TCP/IP. slide 2 Internet Infrastructure local network Internet service provider (ISP) backbone ISP local network uTCP/IP.

Slide 1 Isaac Ghansah Attacks on TCP/IP. slide 2 Internet Infrastructure local network Internet service provider (ISP) backbone ISP local network uTCP/IP.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks

Similar presentations

Ads by Google