PSU CSE 543 - Computer Security
CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 22 - Denial of Service
November 15, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/

Denial of Service
• Intentional prevention of access to a valued resource
  • CPU, memory, disk (system resources)
  • DNS, print queues, NIS (services)
  • Web server, database, media server (applications)
• This is an attack on availability (fidelity)
• Note: launching DOS attacks is easy
• Note: preventing DOS attacks is hard
• Mitigation is the path most frequently traveled

SMURF Attacks
• This is one of the deadliest and simplest of the DOS attacks (called a naturally amplified attack)
• Send a large number of PING packets to networks' broadcast IP addresses (e.g., 192.168.27.254)
• Set the packets' source IP address to be your victim
• All hosts will reflexively respond to the ping at your victim
• ... and it will be crushed under the load.
[Figure: the adversary sends to a broadcast address; every host on that network replies to the victim]

Canonical (common) DOS - Request Flood
• Attack: request flooding
  • Overwhelm some resource with legitimate requests
  • e.g., web server, phone system
• Note: an unintentional flood is called a flash crowd

DOS Prevention - Reverse-Turing Tests
• Turing test: measures whether a human can tell the difference between a human and a computer (AI)
• Reverse Turing tests: measure whether a user on the internet is a person, a bot, whatever?
• CAPTCHA - completely automated public Turing test to tell computers and humans apart
  • contorted image humans can read, computers can't
  • advances in image processing are pressing the state of the art, making these harder to design
• Note: often used not just for DOS prevention, but for protecting "free" services (email accounts)

DOS Prevention - Puzzles
• Make the solver present evidence of "work" done
• If work is proven, then process the request
• Note: only useful if request processing is significantly more work than
• Puzzle design
  • Must be hard to solve
  • Easy to verify
• Canonical example
  • Puzzle: given x bits of output of h(r), where h is a cryptographic hash function
  • Solution: invert h(r)
• Q: Assume you are given 108 bits of output for a 128-bit hash function; how hard would it be to solve the puzzle?

Worms

Worms
• A worm is a self-propagating program.
• As relevant to this discussion:
  1. Exploits some vulnerability on a target host ...
  2. (often) embeds itself into a host ...
  3. Searches for other vulnerable hosts ...
  4. Goto (1)
• Q: Why do we care?

The Danger
• What makes worms so dangerous is that infection grows at an exponential rate
• A simple model:
  • s (search) is the time it takes to find a vulnerable host
  • i (infect) is the time it takes to infect a host
  • Assume that t=0 is the worm outbreak; the number of hosts at t=j is 2^(j/(s+i))
  • For example, if (s+i = 1), what is it at time t=32?

The result
[Chart: number of infected hosts versus time; vertical axis from 0 to 5,000,000,000]

The Morris Worm
• Robert Morris, a 23-year-old doctoral student from Cornell
• Wrote a small (99 line) program
• November 3rd, 1988
• Simply disabled the Internet
• How it did it
  • Reads /etc/password, then tries the obvious choices and a dictionary (/usr/dict/words)
  • Used local /etc/hosts.equiv, .rhosts, .forward to identify hosts that are related
  • Tries cracked passwords at related hosts (if necessary)
  • Uses whatever services are available to compromise other hosts
  • Scanned local interfaces for network information
  • Covered its tracks (set its own process name to sh, prevented accurate cores, re-forked itself)

Other scanning strategies
• The doomsday worm: a flash worm
  • Create a hit list of all vulnerable hosts
  • Staniford et al. argue this is feasible
  • Would contain a 48MB list
  • Do the infect-and-split approach
  • Use a zero-day vulnerability
• Result: saturate the Internet in less than 30 seconds!

Worms: Defense Strategies
• (Auto) patch your systems: most, if not all, large worm outbreaks have exploited known vulnerabilities (with patches)
• Heterogeneity: use more than one vendor for your networks
• Shield (Ross): provides filtering for known vulnerabilities, such that they are protected immediately (analogous to virus scanning)
• Filtering: look for unnecessary or unusual communication patterns, then drop them on the floor
  • This is the dominant method, and it is getting sophisticated (Arbor Networks)
[Figure: Shield sits between the network interface and the operating system, filtering network traffic before it reaches the OS]

D/DOS (generalized by Mirkovic)
• Send a stream of packets/requests/whatever ...
  • many PINGs, HTML requests, ...
• Send a few malformed packets
  • causing failures or expensive error handling
  • low-rate packet dropping (TCP congestion control)
  • "ping of death"
• Abuse legitimate access
  • Compromise a service/host
  • Use its legitimate access rights to consume the rights for the domain (e.g., local network)
  • E.g., a first-year graduate student runs a recursive file operation on the root of an NFS partition

Distributed denial of service
• DDOS: network-oriented attacks aimed at preventing access to a network, host or service
  • Saturate the target's network with traffic
  • Consume all network resources (e.g., SYN)
  • Overload a service with requests
  • Use "expensive" requests (e.g., "sign this data")
  • Can be extremely costly (e.g., Amazon)
• Result: service/host/network is unavailable
• Frequently distributed via other attacks
• Note: IP is often hidden (spoofed)

The canonical DDOS attack
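The growth model on "The Danger" slide, carried through as an added derivation (the slide states the formula and poses the question; the steps below are not on the slide). Each infected host needs s + i time units to find and infect one more host, so the population doubles every s + i units:

$$N(t) = 2^{t/(s+i)}, \qquad t(N) = (s+i)\,\log_2 N .$$

For the slide's numbers, $s+i = 1$ and $t = 32$:

$$N(32) = 2^{32} = 4{,}294{,}967{,}296 ,$$

which is why the chart's vertical axis runs to 5,000,000,000. The second form shows what the flash-worm slide exploits: halving s (a precomputed hit list instead of scanning) halves the time to reach any given count. The model ignores saturation; if V is the number of vulnerable hosts, the matching logistic form, added here and not from the lecture, is

$$N_V(t) = \frac{V}{1 + (V-1)\,2^{-t/(s+i)}} \approx 2^{t/(s+i)} \quad \text{while } N_V(t) \ll V ,$$

so the exponential curve is accurate until the worm has infected a noticeable fraction of the vulnerable population.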
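The hash puzzle from the "DOS Prevention - Puzzles" slide, worked through as an added example; this is not code from the lecture. The slide only says the solver is given some bits of h(r) and must invert it, so the concrete construction here is an assumption: the server publishes h(r) in full together with r with its low k bits hidden, the client brute-forces those k bits, and the server verifies with a single hash. SHA-256, the 16-byte r, and the HMAC tag that lets a stateless server recognise its own puzzles are all my choices, not the lecture's.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

HASH = hashlib.sha256
R_LEN = 16  # length in bytes of the secret preimage r (a constructed parameter)


@dataclass(frozen=True)
class Puzzle:
    """What the server hands out: h(r) in full, r with its low k bits zeroed,
    k itself, and a MAC so that a client cannot mint an easier puzzle."""
    digest: bytes
    partial_r: bytes
    hidden_bits: int
    tag: bytes


def h(data: bytes) -> bytes:
    """The cryptographic hash h from the slide (SHA-256 here)."""
    return HASH(data).digest()


def _issue_tag(server_key: bytes, digest: bytes, partial_r: bytes, k: int) -> bytes:
    """MAC over the puzzle fields: the server keeps no per-client state and still
    accepts only puzzles it issued, at the difficulty it chose."""
    return hmac.new(server_key, digest + partial_r + k.to_bytes(2, "big"), HASH).digest()


def make_puzzle(server_key: bytes, k: int) -> Puzzle:
    """Server side: choose a random r, publish h(r) and all but k bits of r.
    Each extra hidden bit doubles the solver's work; the verifier's stays constant."""
    r = secrets.token_bytes(R_LEN)
    masked = (int.from_bytes(r, "big") >> k) << k  # zero the low k bits
    partial_r = masked.to_bytes(R_LEN, "big")
    digest = h(r)
    return Puzzle(digest, partial_r, k, _issue_tag(server_key, digest, partial_r, k))


def solve_puzzle(p: Puzzle) -> tuple[bytes, int]:
    """Client side: brute-force the k hidden bits until the hash matches.
    Returns the recovered r and how many hashes were computed (at most 2**k)."""
    base = int.from_bytes(p.partial_r, "big")
    for guess in range(1 << p.hidden_bits):
        candidate = (base | guess).to_bytes(R_LEN, "big")
        if h(candidate) == p.digest:
            return candidate, guess + 1
    raise ValueError("no preimage found: puzzle is malformed")


def verify_solution(server_key: bytes, p: Puzzle, solution: bytes) -> bool:
    """Server side: one HMAC and one hash, whatever k was (the 'easy to verify' half)."""
    expected_tag = _issue_tag(server_key, p.digest, p.partial_r, p.hidden_bits)
    if not hmac.compare_digest(p.tag, expected_tag):
        return False  # not a puzzle we issued, or the client lowered the difficulty
    return hmac.compare_digest(h(solution), p.digest)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    for k in (8, 12, 16):
        puzzle = make_puzzle(key, k)
        answer, hashes = solve_puzzle(puzzle)
        print(f"k={k:2d}: solver computed {hashes:6d} hashes, "
              f"verifier accepted: {verify_solution(key, puzzle, answer)}")
```

Running the block shows the asymmetry the slide asks for: the solver's hash count grows with 2^k while the verifier always does one HMAC and one hash. The server can raise k under load and lower it when the flood subsides, and because difficulty is bound into the MAC a client cannot hand back a solution to a puzzle easier than the one it was given.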
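The "Filtering: look for unnecessary or unusual communication patterns" defence and the request-flood versus flash-crowd distinction, as an added example run over constructed log lines; none of this is code or data from the lecture. The log format, the 10-second window, the thresholds and the IP addresses are my assumptions. One function gives the per-source sliding-window view, the other the aggregate view, and the comments record the limit the DDOS slide notes: spoofed source IPs defeat per-source counting.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Log format assumed here: '<ISO timestamp> <source IP> <method> <path>'."""
    ts, src, _method, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, path


def make_sample_log(kind: str) -> list[str]:
    """Constructed sample traffic (not real data). 'flood': one source hammers
    the server while ten others browse normally. 'flash-crowd': sixty distinct
    sources each fetch one page within five seconds."""
    base = datetime(2007, 11, 15, 10, 0, 0)
    lines = []
    if kind == "flood":
        for n in range(30):  # 30 requests in 3 s from a single host
            ts = base + timedelta(milliseconds=100 * n)
            lines.append(f"{ts.isoformat()} 10.0.0.5 GET /index.html")
        for host in range(10):  # background: ten hosts, two requests each
            for n in range(2):
                ts = base + timedelta(seconds=host, milliseconds=500 * n)
                lines.append(f"{ts.isoformat()} 10.0.1.{host} GET /page{n}.html")
    else:
        for n in range(60):
            ts = base + timedelta(milliseconds=80 * n)
            lines.append(f"{ts.isoformat()} 192.0.2.{n + 1} GET /news.html")
    lines.sort(key=lambda l: parse_line(l)[0])
    return lines


def find_flooders(lines, window_s: float = 10.0, threshold: int = 20) -> dict[str, int]:
    """Per-source sliding window: the peak number of requests any single source
    made inside `window_s` seconds. Sources at or above `threshold` are returned
    and are candidates for dropping. Caveat from the slides: spoofed source IPs
    spread a flood across many apparent sources and defeat this per-source view."""
    recent: dict[str, deque] = defaultdict(deque)
    peak: Counter = Counter()
    for line in lines:
        ts, src, _ = parse_line(line)
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


def classify_burst(lines, total_threshold: int = 40, top_share: float = 0.5) -> str:
    """Aggregate view over the whole sample. The total rate survives spoofing, but
    the flood vs. flash-crowd split assumes genuine source addresses: a spoofed
    flood looks like a flash crowd (many sources, low per-source rate) here."""
    per_source = Counter(parse_line(l)[1] for l in lines)
    total = sum(per_source.values())
    if total < total_threshold:
        return "normal"
    _top_src, top_n = per_source.most_common(1)[0]
    return "flood" if top_n / total >= top_share else "flash-crowd"


if __name__ == "__main__":
    for kind in ("flood", "flash-crowd"):
        log = make_sample_log(kind)
        print(kind, classify_burst(log), find_flooders(log))
```

The flood sample is caught twice: 10.0.0.5 exceeds the per-source window and dominates the aggregate share. The flash-crowd sample trips only the total-rate check, which is the signal that the resource is overloaded by legitimate demand rather than by an attacker, and the right response there is capacity or a puzzle, not dropping traffic.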

