Foundations of Network and Foundations of Network and Computer SecurityComputer SecurityJJohn BlackLecture #16Oct 25th2005CSCI 6268/TLEN 5831, Fall 2005Announcements• Project #1 is assigned– See web page for description and cacert.pem– Due Thurs, Nov 3rd(distance students too!)– Note: Martin is out, Tomorrow thru Sunday next week• Distance students:– I have all but one Quiz #2, but won’t be graded until next week• Two more reading assignments on website– Both are a lot of fun to read• Midterm #2 is Nov 8th(2.5 weeks from now)Flash Viruses• Viruses can spread very fast– SQL/Slammer had only a 376 byte code size– No pause between propagation attempts• Reading assignment– Read “How to 0wn the Internet in your Spare Time”• A real problem– If you reinstall an old OS and attempt to download patches, you may be infected before you can patch!Prevention• Stay patched– windowsupdate.com– Linux patches (yum)• Reduce network services to those needed– “Best block is not be there” – Mr. Miagi– Windows still comes with a ton of stuff turned on• Getting better though!– SQL Slammer victims didn’t even know they were running an SQL server!– netstat –a • Might surprise youPrevention (cont)• Don’t open attachments unless you’re sure– Always run a virus scannerhttp://www.colorado.edu/its/security/antivirus/– Even Word docs are dangerous• Don’t visit questionable web sites– Esp if your browser is set to low security levels– Javascript is evil• Felton’s Javascript attackTrojans• Malicious code hidden within another object– Email attachments can contain trojans– This is how many viruses spread• Backdoor is usually considered as a synonym– Putting a backdoor into login.c qualifiesThompson’s Turing Award Lecture (1995)• Thompson and Ritchie won the Turing award for creating Unix• Thompson’s is my favorite Turing award lecture– “Reflections on Trusting Trust”– Please read it (it’s short)• His lecture has three stages– Stage I: a “Quine”– A Quine is a program which outputs its own source codeA Quine in Cchar*f="char*f=%c%s%c;main() {printf(f,34,f,34,10);}%c"; main(){printf(f,34,f,34,10);}• We printf the string f, inserting f into itself as a parameter–Yow!• We could attach any extra code we like here• File this away in your head for now: we can write a program which outputs its own source codeThompson, Stage II• Note that a C compiler is often written in C– Kind of strange chicken-and-egg problem– How to bootstrap• Interesting “learning behavior”– You add a feature, compile compiler with itself, then it “knows” the feature• Once you get a rudimentary compiler written, it can be arbitrarily extendedThompson, Stage III• Add a backdoor to login.c– Allow valid passwords plus some “master” password– Note that this would be caught soon enough because it exists in the login.c source code• Ok, so be sneakier– Add code in cc.c (the C compiler) to add the backdoor to login.c whenever compiling login.c– Add self-replicating code to the C compiler to reproduce itself plus the login.c backdoor!Implementing the Trojan• Now compile login.c – Compiler adds the backdoor• Compile cc.c– Compiler sees that it’s compiling itself and self-replicating code runs to ensure login.c trojan and cc.c trojan are compiled into cc binary• Now remove all this new code from cc.c– Back door exists only in binary!– login.c and cc.c will continue to have trojan even after infinite recompilesMoral of the Story• The amount of cleverness we haven’t even thought of yet is scary– We’re probably never going to have completely secure computers and networks– The most we can hope for is “best effort” from those we trust and from ourselves– It’s going to be an eternal battle between us and the criminalsDenial of Service• An old idea– Picket lines, blockades, doorbell ditch, false pizza orders, prank phone calls, etc.• First technological DoS I know of– Denver Taxi company in the 50’s– Promised a white driver every time– Civil rights protesters called and left phone off hook• Tied up phone lines back thenDoS (cont)• In the computer arena– Mail bombs• Large emails to fill up someone’s hard disk– Network traffic• Lots of bogus traffic aimed at just overwhelming victim• This is typically not TCP traffic– Why not?Network-Based DoS• Common methods– Large UDP packets• Max size is 65,536 bytes• Will fragment over IP and all frags hit victim• Victim tries to reassemble IP fragments–ICMP echo• Aka “ping”• Can also be large• (“Ping of death”)SYN Floods• A TCP-based method– Normal TCP handshake starts with SYN from client– Causes server to make an entry in the “SYN queue” and use up some time– SYNs are very small, so attacker sends a ton of them– A SYN at the server is called a “half-open connection”• These eventually time out, but it takes a whileFirst Attempted Remedy: Filtering• Victim can try and filter out the IP source address of the attacker– This has to be done upstream or the victim’s connection bandwidth is saturated• If ISP is willing to install a filter on the appropriate source address, this works– But attacker can spoof source IP• Attacker is not completing any TCP association, and wants to leave connections half-open• This is almost always doneReflection Attacks (aka “Smurfing”)• Technique for amplifying traffic– Often works behind firewalls as well– Instead of flooding victim V with SYNs, we send SYNsto hosts H1, H2, …, Hnand spoof the source address as V• (Here n is large… say, 1000 or more)• Hosts send SYN/ACK to V• V is very confused and reacts in various ways• If hosts are behind firewall, it appears as though attack is coming from local machines• Hosts are usually not overwhelmed, so they don’t feel the attackDDoS: Distributed DoS• Now, multiple attackersDDoS• Most famous attack was in Feb 2000 against Amazon, Yahoo, eBay, and other major e-commerce sites• Estimated losses of $1.2 billion US• Easy for almost anyone to launch– Most of these, by the way, are hackers attacking other hackersRecruiting “Zombies”• A “Zombie” is a computer which has been captured by the attacker– Typically by a virus or by just using some vulnerability• Each infiltrated computer receives a hidden program from the “Zombie