Presentation is loading. Please wait.

Presentation is loading. Please wait.

15-441 Computer Networking Other Transport Issues, Attacks and Security Threats, Firewalls.

Published byHenry Turner Modified over 8 years ago

Similar presentations

Presentation on theme: "15-441 Computer Networking Other Transport Issues, Attacks and Security Threats, Firewalls."— Presentation transcript:

1 15-441 Computer Networking Other Transport Issues, Attacks and Security Threats, Firewalls

2 Lecture #17: 11-01-012 TCP Overview Revisited TCP modern loss recovery TCP options TCP interactions TCP modeling Workload changes TCP & routers TCP header compression

3 Lecture #17: 11-01-013 Queuing Disciplines Each router must implement some queuing discipline Queuing allocates both bandwidth and buffer space: Bandwidth: which packet to serve (transmit) next Buffer space: which packet to drop next (when required) Queuing also affects latency

4 Lecture #17: 11-01-014 Packet Drop Dimensions Aggregation Per-connection state Single class Drop position Head Tail Random location Class-based queuing Early drop Overflow drop

5 Lecture #17: 11-01-015 Typical Internet Queuing FIFO + drop-tail Simplest choice Used widely in the Internet FIFO (first-in-first-out) Implies single class of traffic Drop-tail Arriving packets get dropped when queue is full regardless of flow or importance Important distinction: FIFO: scheduling discipline Drop-tail: drop policy

6 Lecture #17: 11-01-016 FIFO + Drop-tail Problems Leaves responsibility of congestion control to edges (e.g., TCP) Does not separate between different flows No policing: send more packets  get more service Synchronization: end hosts react to same events

7 Lecture #17: 11-01-017 Active Queue Management Design active router queue management to aid congestion control Why? Router has unified view of queuing behavior Routers can distinguish between propagation and persistent queuing delays Routers can decide on transient congestion, based on workload

8 Lecture #17: 11-01-018 Internet Problems Full queues Routers are forced to have have large queues to maintain high utilizations TCP detects congestion from loss Forces network to have long standing queues in steady-state Lock-out problem Drop-tail routers treat bursty traffic poorly Traffic gets synchronized easily  allows a few flows to monopolize the queue space

9 Lecture #17: 11-01-019 Design Objectives Keep throughput high and delay low Accommodate bursts Queue size should reflect ability to accept bursts rather than steady-state queuing Improve TCP performance with minimal hardware changes

10 Lecture #17: 11-01-0110 Lock-out Problem Random drop Packet arriving when queue is full causes some random packet to be dropped Drop front On full queue, drop packet at head of queue Random drop and drop front solve the lock-out problem but not the full-queues problem

11 Lecture #17: 11-01-0111 Full Queues Problem Drop packets before queue becomes full (early drop) Intuition: notify senders of incipient congestion Example: early random drop (ERD): If qlen > drop level, drop each new packet with fixed probability p Does not control misbehaving users

12 Lecture #17: 11-01-0112 Random Early Detection (RED) Detect incipient congestion, allow bursts Keep power (throughput/delay) high Keep average queue size low Assume hosts respond to lost packets Avoid window synchronization Randomly mark packets Avoid bias against bursty traffic Some protection against ill-behaved users

13 Lecture #17: 11-01-0113 RED Algorithm Maintain running average of queue length If avg < min th do nothing Low queuing, send packets through If avg > max th, drop packet Protection from misbehaving sources Else mark packet in a manner proportional to queue length Notify sources of incipient congestion

14 Lecture #17: 11-01-0114 RED Operation Min thresh Max thresh Average Queue Length min th max th max P 1.0 Avg queue length P(drop)

15 Lecture #17: 11-01-0115 Explicit Congestion Notification (ECN) The goal is to provide explicit congestion notification to senders. Complements the implicit feedback through packet drops Bits 6-7 of the TOS bit form the ECN field. The ECN-Capable Transport (ECT) bit is set by the sender to indicate that the end-points are ECN-capable The Congestion Experience (CE) bit is set by the router to signal congestion The ECN is received by the receiver, who is responsible for forwarding the information to the sender V/HL TOS Length ID Flags/Offset TTL Prot. H. Checksum Source IP address Destination IP address Options.. DSCP ECT /CE ECT /CE

16 Lecture #17: 11-01-0116 ECN in TCP Receiver signals congestion to the sender by setting the ECN-Echo flag in the TCP header. Bit 9 in the reserved field of the TCP header Handles asymmetric routes ECN-Echo flag also used to negotiate ECN use Source Port Dest. Port Sequence Number Acknowledgment HL/Flags Window D. Checksum Urgent Pointer Options.. HL ECE /CWR ECE /CWR Flags IP TCP

17 Lecture #17: 11-01-0117 Use of ECN with TCP The TCP sender should respond to ECN feedback as if a single packet loss occurred. Reduce the congestion window size Send “Congestion Window Reduced” flag (Bit 8) to ack So receiver knows to stop ECE bit ECN and RED can leverage each other. The router should set the CE bit if it would otherwise have dropped the packet (for a non-ECN enabled flow) When RED is used, this happens before the queues fill up so ECN and RED combined can result in congestion notification without packet loss Deployment seems quite practical. Can be introduced one router at a time Strong incentive for end-points to adopt ECN

18 Lecture #17: 11-01-0118 Attacks and Security Threats Packet Sniffing IP Spoofing TCP Connection Spoofing Denial of Service

19 Lecture #17: 11-01-0119 Packet Sniffing broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (e.g. passwords) e.g.: C sniffs B’s packets many protocols (ftp, telnet) send passwords in the clear! A B C src:B dest:A payload

20 Lecture #17: 11-01-0120 IP Spoofing can generate “raw” IP packets, putting any value into IP source address field routers process IP packets based on destination address alone (not quite in reality) receiver can’t tell if source is spoofed e.g.: C pretends to be B A B C src:B dest:A payload

21 Lecture #17: 11-01-0121 IP Spoofing Many applications use IP address as a simple authentication method Solution – reverse path forwarding checks, better authentication Fragmentation – can consume memory resources at destination or otherwise trick destination/firewalls Solution – disallow fragments

22 Lecture #17: 11-01-0122 TCP Connection Spoofing Each TCP connection has an agreed upon/negotiated set of associated state Starting sequence numbers, port numbers Knowing these parameters is sometimes used to provide some sense of security (in addition to 3-way handshake) Problem Easy to guess these values Listening ports #’s are well known and connecting port #’s are typically allocated sequentially Starting sequence numbers are chosen in predictable way Solution – make sequence number selection more random

23 Lecture #17: 11-01-0123 Sequence Number Guessing Attack Attacker  Victim: SYN(ISN x ), SRC=Trusted Host Victim  Trusted Host: SYN(ISN s ), ACK(ISN x ) Attacker  Victim: ACK(ISN guess of s ), SRC=Trusted Host Attacker  Victim: ACK(ISN guess of s ), SRC=Trusted Host, data = “rm -r /” Attacker must also make sure that Trusted Host does not respond to SYN ACK Can repeat until guess is accurate

24 Lecture #17: 11-01-0124 More TCP Attacks TCP senders assume that receivers behave in certain ways (e.g. when they send acks, etc.) Congestion control is typically done on a “packet” basis while the rest of TCP is based on bytes Problem – misbehaving receiver can trick sender into ignoring congestion control Ack every byte in packet! Send (one) extra duplicate ack Ack before the data is received (needs some application level retransmission – e.g. HTTP 1.1 range requests) Solutions Make congestion control byte oriented Add nonces to packets – acks return nonce to truly indicate reception

25 Lecture #17: 11-01-0125 Routing (Strict) Source routing Destinations are expected to reverse source route for replies Problem – Can force packets to be routed through convenient monitoring point Solution – Disallow source routing – doesn’t work well anyway! Routing protocol Malicious hosts may advertise routes into network Problem – Bogus routes may enable host to monitor traffic or deny service to others Solutions Use policy mechanisms to only accept routes from or to certain networks/entities In link state routing, can use something like source routing to force packets onto valid route

26 Lecture #17: 11-01-0126 ICMP Reports errors and other conditions from network to end hosts End hosts take actions to respond to error Problem An entity can easily forge a variety of ICMP error messages Redirect – informs end-hosts that it should be using different first hop route Fragmentation – can confuse path MTU discovery Destination unreachable – can cause transport connections to be dropped

27 Lecture #17: 11-01-0127 DNS Users/hosts typically trust the host-address mapping provided by DNS Problems Zone transfers can provide useful list of target hosts Interception of requests or compromise of DNS servers can result in bogus responses Solution – authenticated requests/responses

28 Lecture #17: 11-01-0128 Denial of Service flood of maliciously generated packets “swamp” receiver Distributed DOS (DDOS): multiple coordinated sources swamp receiver e.g., C and remote host SYN-attack A A B C SYN

29 Lecture #17: 11-01-0129 SYN Flooding Attack Server responds with SYNACK keeps state about TCP half-open connection Eventually server memory is exhausted with this state Solution: SYN cookies – make the SYNACK contents purely a function of SYN contents, therefore, it can be recomputed on reception of next ACK More recent attacks have used bandwidth floods How do we stop these?

30 Lecture #17: 11-01-0130 Bandwidth DOS Attacks Possible solutions Ingress filtering – examine packets to identify bogus source addresses Link testing – how routers either explicitly identify which hops are involved in attack or use controlled flooding and a network map to perturb attack traffic Logging – log packets at key routers and post-process to identify attacker’s path ICMP traceback – sample occasional packets and copy path info into special ICMP messages IP traceback

31 Lecture #17: 11-01-0131 IP Traceback Node append (record route) – high computation and space overhead Node sampling – each router marks its IP address with some probability p P(receiving mark from router d hops away) = p(1 – p) d-1 p > 0.5 prevents any attacker from inserting false router Must infer distance by marking rate  relatively slow Doesn’t work well with multiple routers at same distance  I.e. multiple attackers

32 Lecture #17: 11-01-0132 IP Traceback Edge sampling Solve node sampling problems by encoding edges & distance from victim in messages Start router sets “start” field with probability p and sets distance to 0 If distance is 0, router sets “end” field All routers increment distance As before, P(receiving mark from router d hops away) = p(1 – p) d-1 Multiple attackers can be identified since edge identifies splits in reverse path

33 Lecture #17: 11-01-0133 Edge Sampling Major problem – need to add about 72bits (2 address + hop count) of info into packets Solution Encode edge as xor of nodes  reduce 64 bits to 32 bits Ship only 8bits at a time and 3bits to indicate offset  32 bits to 11bits Use only 5 bit for distance  8bits to 5bits Use IP fragment field to store 16 bits Some backward compatibility issues Fragmentation is rare so not a big problem

34 Lecture #17: 11-01-0134 Firewalls Basic problem – many network applications and protocols have security problems that are fixed over time Difficult for users to keep up with changes and keep host secure Solution Administrators limit access to end hosts by using a firewall Firewall and limited number of machines at site are kept up-to-date by administrators

35 Lecture #17: 11-01-0135 Typical Firewall Topology Intranet DMZ Internet Firewall Web server, email server, web proxy, etc

36 Lecture #17: 11-01-0136 Types of Firewalls Proxy End host connects to proxy and asks it to perform actions on its behalf Policy determines if action is secure or insecure Transport level relays (SOCKS) Ask proxy to create, accept TCP (or UDP) connection Cannot secure against insecure application Application level relays (e.g. HTTP, FTP, telnet, etc.) Ask proxy to perform application action (e.g. HTTP Get, FTP transfer) Can use application action to determine security Requires applications (or dynamically linked libraries) to be modified to use the proxy Considered to be the most secure since it has most information to make decision

37 Lecture #17: 11-01-0137 Types of Firewalls Packet filters Set of filters and associated actions that are used on a packet by packet basis Filters specify fields, masks and values to match against packet contents, input and output interface Actions are typically forward or discard Such systems have difficulty with things like fragments and a variety of attacks Typically a difficult balance between the access given and the ability to run applications E.g. FTP often needs inbound connections on arbitrary port numbers – either make it difficult to use FTP or limit its use

38 Lecture #17: 11-01-0138 Types of Firewalls Stateful packet filters Typically allow richer parsing of each packet (variable length fields, application headers, etc.) Actions can include the addition of new rules and the creation of state to process future packets Often have to parse application payload to determine “intent” and determine security considerations Rules can be based on packet contents and state created by past packets Provides many of the security benefits of proxies but without having to modify applications

Download ppt "15-441 Computer Networking Other Transport Issues, Attacks and Security Threats, Firewalls."

Similar presentations

15-441 Computer Networking Lecture 20 – Queue Management and QoS.

Computer Networking Lecture 20 – Queue Management and QoS.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Umut Girit 200535027.  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
1 CONGESTION CONTROL. 2 Congestion Control When one part of the subnet (e.g. one or more routers in an area) becomes overloaded, congestion results. Because.

1 CONGESTION CONTROL. 2 Congestion Control When one part of the subnet (e.g. one or more routers in an area) becomes overloaded, congestion results. Because.
TELE202 Lecture 8 Congestion control 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »X.25 »Source: chapter 10 ¥This Lecture »Congestion control »Source:

TELE202 Lecture 8 Congestion control 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »X.25 »Source: chapter 10 ¥This Lecture »Congestion control »Source:
William Stallings Data and Computer Communications 7 th Edition Chapter 13 Congestion in Data Networks.

William Stallings Data and Computer Communications 7 th Edition Chapter 13 Congestion in Data Networks.
Traffic Shaping Why traffic shaping? Isochronous shaping

Traffic Shaping Why traffic shaping? Isochronous shaping
CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.

CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.
1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.

1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.
Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.

Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Explicit Congestion Notification (ECN) RFC 3168 Justin Yackoski DEGAS Networking Group CISC856 – TCP/IP Thanks to Namratha Hundigopal.

Explicit Congestion Notification (ECN) RFC 3168 Justin Yackoski DEGAS Networking Group CISC856 – TCP/IP Thanks to Namratha Hundigopal.
Explicit Congestion Notification (ECN) Qi (Gill) Wang CISC 856 – TCP/IP, Fall 2012 Special thanks to: Dr. Paul Amer Guna Ranjan, Justin.

Explicit Congestion Notification (ECN) Qi (Gill) Wang CISC 856 – TCP/IP, Fall 2012 Special thanks to: Dr. Paul Amer Guna Ranjan, Justin.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
15-441: Computer Networking Lecture 26: Networking Future.

15-441: Computer Networking Lecture 26: Networking Future.
1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168) Limited Transmit (RFC 3042)

1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168) Limited Transmit (RFC 3042)
8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.

8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.
15-744: Computer Networking L-11 Queue Management.

15-744: Computer Networking L-11 Queue Management.
1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168)

1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168)
15-744: Computer Networking L-23 Security. L -23; 4-17-02© Srinivasan Seshan, 20022 Security Denial of service IPSec Firewalls Assigned reading [SWKA00]

15-744: Computer Networking L-23 Security. L -23; © Srinivasan Seshan, Security Denial of service IPSec Firewalls Assigned reading [SWKA00]

Similar presentations

Ads by Google