Unformatted text preview:

cs526 Information Security Cristina Nita Rotaru Internet April 21 May 8 2003 Typical corporate network Firewall Intranet Demilitarized Zone DMZ Mail forwarding File Server Web Server Mail server DNS internal DNS DMZ Web Server User machines User machines User machines Firewall Internet Internet OSI ISO Model Application Application Presentation Presentation Session Session Transport Transport Network Network Data Link Data Link Physical Layer Physical Layer Infrastructure Protocols Transport IP between computers TCP UDP between processes Routing inter domain BGP path vector intra domain OSPF link state RIP distance vector WLAN AODV distance vector DSR path vector Service DNS Security Services 1 Confidentiality information is available for reading only to authorized parties 2 Authentication Data source authentication the data is coming from an authorized party Entity authentication the entity is who it says it is 3 Integrity data was not modified from the source to the destination Security Services 2 4 Non repudiation neither the sender nor the receiver of a message are able to deny the transmission 5 Access control only authorized parties can use specific resources 6 Availability resources services available to authorized parties What is Network Security About Protection of networks and their services from unauthorized modification destruction or disclosure and provision of assurance that the network performs its critical functions correctly WHERE ARE WE NOW Solving confidentiality integrity authentication for 2 party protocols standards like IPSEC SSL Authentication and access control Kerberos now integrated in Windows 2000 Availability Here we re in trouble Distributed Denial of Service Exploit protocols vulnerabilities or design Flooding based attacks Single source attacks Multiple source attacks Reflector attacks particular case of multiple source attacks DDoS distributed attack employs a combination of attacks can attack one machine or more DDOS Tools collection of attacks attacks is coordinated master slaves architecture Tools like Trin00 Tribe Flood Network Stacheldracht Direct DDOS Attack Target Slaves Masters Reflector DDOS Attack TCP SYN ICMP UDP with victim s addr as the src IP addr Reflections Target Machines that reflect Machines used to attack How to Defend The players Victim network Intermediate network Source network Attack is usually observed close to victim but must be stopped close to the source Intermediate network used to traceback the attack probabilistic marking or to slow down the attacks distributed filters Reactive methods after the attack and proactive methods prevents the attack methods Defence Methods at Victim Intrusion detection and firewall detect packets that look like attacks known attack signature Make the attack costly for attacker for example have clients to solve puzzles if they want to access server s resources Increase server resources distributed clusters load balancing Intermediate Network IP traceback where is the attack coming from forensics Push back mechanism Route based packet filtering Attacks Against TCP Transmission Control Protocol TCP Connection oriented protocol for a user process establishes a connection channel between two endpoints Reliable full duplex channel acknowledgements retransmissions timeouts Congestion control mechanisms The packets are delivered in the same order in which they were sent TCP Handshake client server SYNx Resources allocated There is a max number of connections that can be in this state SYN RECVD state SYNy ACKx 1 Wait for the ACK 75 seconds If timeout expires or RST received data deallocated If ACK received connection established ACKy 1 can also contain data connection established SYN Attack An attacker sends many SYN with source address spoofed packets to a target If the limit is reached target machine will refuse any incoming connections till the timeout expires Spoofed address chosen to be a non existent one If the spoofed address belongs to a machine then SYN ACK packet will reach that machine and trigger a RST answer that will close the connection Basis of the Attack There is no authentication of the source of the packets Addresses can be spoofed The protocol requires asymmetric allocation of resources Configuration Optimizations System configuration Reduce the timeout to 10 seconds Increase the size of the queue Disable non essential services reducing the number of ports to be attacked Router configuration Block outside coming packets that have source addresses from the internal network Block packets to the outside that have source addresses from outside the internal network Infrastructure Improvements If addresses prefixes separate clear the inside from the outside then router configuration can be improved Example routers that attach an organization or an ISP to a backbone network Firewall Approach Main idea each packet for inside network if first examined by the firewall Additional delays Two approaches Firewall as a relay Firewall as a gateway Firewall as a Relay Attack Scenario firewall client SYNx SYNy ACKx 1 server Firewall as a Semi transparent Gateway Attack Scenario firewall client SYN SYN ACK ACK Timeout RST server Active Monitoring Monitor the TCP traffic within a local area network and figure out which ones are illegitimate connections Send RST for the illegitimate connections this closes the connection Does not require protocol stack modification Monitor can be tricked to classify bad addresses as good addresses So Far Attacks require high rate transmission flood of SYN packets unusual network traffic attackers are relatively easy to detect and filter However TCP can be attacked by using TCP friendly traffic exploit congestion control mechanism low rate therefore it can cause maximal damage without detection TCP Congestion Control Source determines how much bandwidth is available for it to send it starts slow and increases the window of send packet based on ACKS ACKS are also used to control the transmission of packets Uses Additive Increase Multiplicative Decrease AIMD Uses Retransmission Timeout RTO to avoid congestion TCP Fairness if k TCP sessions share same bottleneck link of bandwidth B each should have average rate of B k TCP Congestion Control 20 Congestion occurs Congestion avoidance 15 Congestion window Threshold 10 5 Slow start 0 Copyright 2000 The McGraw Hill Companies Round trip times Leon Garcia Widjaja Communication Networks Figure 7 63 The Attack All the attacker


View Full Document

Purdue CS 52600 - Information Security

Loading Unlocking...
Login

Join to view Information Security and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view Information Security and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?