PSU CSE 543 - Network Security


CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger
CSE 543 - Computer Security (Fall 2006)
Lecture 18 - Network Security
November 7, 2006
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/

Denial of Service
• Intentional prevention of access to a valued resource
  – CPU, memory, disk (system resources)
  – DNS, print queues, NIS (services)
  – Web server, database, media server (applications)
• This is an attack on availability (fidelity)
• Note: launching DOS attacks is easy
• Note: preventing DOS attacks is hard
• Mitigation is the path most frequently traveled

D/DOS (generalized by Mirkovic)
• Send a stream of packets/requests/whatever …
  – many PINGs, HTML requests, ...
• Send a few malformed packets
  – causing failures or expensive error handling
  – low-rate packet dropping (TCP congestion control)
  – "ping of death"
• Abuse legitimate access
  – Compromise service/host
  – Use its legitimate access rights to consume the rights for the domain (e.g., local network)
  – E.g., a first-year graduate student runs a recursive file operation on the root of an NFS partition

SMURF Attacks
• This is one of the deadliest and simplest of the DOS attacks (called a naturally amplified attack)
• Send a large number of PING packets to networks on their broadcast IP addresses (e.g., 192.168.27.254)
• Set the source IP address of the packets to be your victim
• All hosts will reflexively respond to the ping at your victim
• … and it will be crushed under the load.
[Figure: adversary sends pings to a network's broadcast address; every host on that network replies to the victim]

Canonical (common) DOS - Request Flood
• Attack: request flooding
• Overwhelm some resource with legitimate requests
  – e.g., web server, phone system
• Note: an unintentional flood is called a flash crowd

DOS Prevention - Reverse-Turing Tests
• Turing test: measures whether a human can tell the difference between a human and a computer (AI)
• Reverse Turing test: measures whether a user on the Internet is a person, a bot, whatever
• CAPTCHA - Completely Automated Public Turing test to tell Computers and Humans Apart
  – contorted image humans can read, computers can't
  – image processing is pressing the state of the art (SOA), making these harder
• Note: often used not just for DOS prevention, but for protecting "free" services (email accounts)

DOS Prevention - Puzzles
• Make the solver present evidence of "work" done
  – If work is proven, then process the request
  – Note: only useful if request processing is significantly more work than …
• Puzzle design
  – Must be hard to solve
  – Easy to verify
• Canonical example
  – Puzzle: given x bits of the output of h(r), where h is a cryptographic hash function
  – Solution: invert h(r)
  – Q: Assume you are given 108 bits of output for a 128-bit hash function; how hard would it be to solve the puzzle?

Distributed denial of service
• DDOS: network-oriented attacks aimed at preventing access to a network, host or service
  – Saturate the target's network with traffic
  – Consume all network resources (e.g., SYN)
  – Overload a service with requests
  – Use "expensive" requests (e.g., "sign this data")
• Can be extremely costly (e.g., Amazon)
• Result: service/host/network is unavailable
• Frequently distributed via other attacks
• Note: IP is often hidden (spoofed)

The canonical DDOS attack
[Figure: adversary controls a master, which controls zombies spread across the Internet; their traffic converges through a router onto the target LAN]

Adversary Network
[Figure: adversary, masters, zombies, target]

Why DDOS
• What would motivate someone to DDOS?
  – An axe to grind …
  – Curiosity (script kiddies) …
  – Blackmail
  – Information warfare …
• Internet is an open system ...
  – Packets not authenticated, probably can't be
  – Would not solve the problem, just move it (firewall)
  – Too many end-points can be remote controlled

Why is DDOS possible? (cont.)
• Interdependence - services depend on each other
  – E.g., Web depends on TCP and DNS, which depend on routing and congestion control, …
• Limited resources (or rather resource imbalances)
  – Many times it takes few resources on the client side to consume lots of resources on the server side
  – E.g., SYN packets consume lots of internal resources
• You tell me .. (as said by Mirkovic et al.)
  – Intelligence and resources not co-located
  – No accountability
  – Control is distributed

DDOS and the E2E argument
• E2E (a simplified version): we should design the network such that all the intelligence is at the edges.
  – So that the network can be more robust and scalable
  – Many think this is the main reason why the Internet works
• Downside:
  – Also, no real ability to police the traffic/content
  – So, many security solutions break E2E by cracking open packets (e.g., application-level firewalls)
• DDOS is real because of this …

Q: An easy fix?
• How do you solve distributed denial of service?

Simple DDOS Mitigation
• Ingress/Egress Filtering
  – Helps against spoofed sources, not much else
• Better Security
  – Limit availability of zombies: not feasible
  – Prevent compromise, viruses, …
• Quality of Service Guarantees (QOS)
  – Pre- or dynamically allocate bandwidth
  – E.g., diffserv, RSVP
  – Helps where such things are available …
• Content replication
  – E.g., CDS
  – Useful for static content

Pushback
• Initially, detect the DDOS
  – Use local algorithm, ID-esque processing
  – Flag the sources/types/links of DDOS traffic
• Pushback on upstream routers
  – Contact upstream routers using PB protocol
  – Indicate some filtering rules (based on observed)
• Repeat as necessary towards sources
  – Eventually, all (enough) sources will be filtered
• Q: What is
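The "hard to solve, easy to verify" property of the puzzle slide, as an added example that is not part of the lecture. It implements the partial-preimage variant of a hash puzzle (the server reveals h(r) and all of r except its low k bits; the client brute-forces those k bits), which is a different variant from the slide's "given x bits of the output" formulation, so it does not answer the 108-of-128-bit question; it only shows the work asymmetry. All function names, the 16-byte nonce size and the server-side HMAC derivation of r (so the server stores no per-request state) are my assumptions.

```python
"""Hash-based client puzzle: the client spends up to 2^k hashes, the server
spends one HMAC to verify, whatever k is.  Added example, not lecture code."""
import hashlib
import hmac

NONCE_BYTES = 16  # size of r; an assumption, not from the slides


def make_puzzle(k, server_secret, request_id):
    """Server side.  r is derived from a server secret and the request id so
    the server keeps no state; the client receives h(r) and r with its low k
    bits cleared."""
    r = hmac.new(server_secret, request_id, hashlib.sha256).digest()[:NONCE_BYTES]
    target = hashlib.sha256(r).digest()
    mask = (1 << k) - 1
    partial = (int.from_bytes(r, "big") & ~mask).to_bytes(NONCE_BYTES, "big")
    return partial, target


def solve_puzzle(partial, target, k):
    """Client side: try every completion of the hidden k bits.
    Returns (solution, number of hash evaluations spent)."""
    base = int.from_bytes(partial, "big")
    for candidate in range(1 << k):
        r = (base | candidate).to_bytes(NONCE_BYTES, "big")
        if hashlib.sha256(r).digest() == target:
            return r, candidate + 1
    raise ValueError("no completion matches; puzzle was corrupted")


def verify_solution(server_secret, request_id, solution):
    """Server side: recompute r (one HMAC) and compare in constant time.
    Verification cost does not grow with k; only the solver's does."""
    expected = hmac.new(server_secret, request_id, hashlib.sha256).digest()[:NONCE_BYTES]
    return hmac.compare_digest(expected, solution)


def solver_effort(server_secret, request_id, k):
    """Helper for the demo: hashes a solver spends for a given difficulty k."""
    partial, target = make_puzzle(k, server_secret, request_id)
    _, attempts = solve_puzzle(partial, target, k)
    return attempts


if __name__ == "__main__":
    secret = b"constructed-server-secret"          # constructed sample value
    for k in (8, 12, 16):
        print(f"k={k:2d}: solver spent {solver_effort(secret, b'req-1', k)} hashes; "
              f"verifier spends 1 HMAC")
```

The server tunes k up as load rises (the slide's "evidence of work"); because the puzzle is bound to a request id, a solution cannot be reused for a different request, and the server never has to remember which puzzles it issued.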
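The ingress/egress filtering bullet of the mitigation slide, together with the SMURF reflector problem, as an added example that is not part of the lecture. It models a border router for a site that owns 203.0.113.0/24 (a constructed, documentation-range prefix); packets are plain dicts, and the bogon list, the "icmp-echo" protocol tag and the function names are my assumptions. The example also shows the slide's limit: a flood sent from the zombies' real addresses passes both filters untouched.

```python
"""Source-address (ingress/egress) filtering at a site border, plus dropping
inbound pings to the directed-broadcast address so the site cannot be used
as a SMURF amplifier.  Added example, not lecture code."""
from ipaddress import ip_address, ip_network

SITE_PREFIX = ip_network("203.0.113.0/24")      # constructed site prefix
BOGONS = [ip_network(n) for n in (              # unroutable source space
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def egress_ok(pkt):
    """LAN -> Internet: only our own addresses may leave.  Anything else is a
    spoofed packet originating inside the site (e.g. a ping with a victim's
    address as source)."""
    return ip_address(pkt["src"]) in SITE_PREFIX


def ingress_ok(pkt):
    """Internet -> LAN: nobody outside can legitimately claim our prefix or a
    bogon as source, and nobody outside gets to ping our broadcast address."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if src in SITE_PREFIX:                       # our address arriving from outside
        return False
    if any(src in b for b in BOGONS):            # private/loopback source
        return False
    if dst == SITE_PREFIX.broadcast_address and pkt.get("proto") == "icmp-echo":
        return False                             # directed-broadcast ping (SMURF reflector)
    return True


def filter_packets(packets, direction):
    """Split a packet list into (passed, dropped) for one direction."""
    check = egress_ok if direction == "egress" else ingress_ok
    passed, dropped = [], []
    for pkt in packets:
        (passed if check(pkt) else dropped).append(pkt)
    return passed, dropped


# Constructed sample traffic (198.51.100.0/24 and 192.0.2.0/24 play "the Internet").
INBOUND = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp"},        # ordinary client
    {"src": "203.0.113.5", "dst": "203.0.113.10", "proto": "tcp"},         # spoofed as us
    {"src": "10.1.1.1", "dst": "203.0.113.10", "proto": "udp"},            # bogon source
    {"src": "192.0.2.9", "dst": "203.0.113.255", "proto": "icmp-echo"},    # broadcast ping
    {"src": "198.51.100.200", "dst": "203.0.113.10", "proto": "tcp"},      # zombie, real source
]
OUTBOUND = [
    {"src": "203.0.113.10", "dst": "198.51.100.7", "proto": "tcp"},        # ours, fine
    {"src": "192.0.2.44", "dst": "198.51.100.7", "proto": "icmp-echo"},    # spoofed source
]

if __name__ == "__main__":
    for name, pkts, direction in (("inbound", INBOUND, "ingress"), ("outbound", OUTBOUND, "egress")):
        passed, dropped = filter_packets(pkts, direction)
        print(f"{name}: passed {len(passed)}, dropped {len(dropped)}")
        for p in dropped:
            print("  dropped", p)
```

Note that the zombie packet from 198.51.100.200 passes: its source is genuine, so nothing about the address is wrong. That is exactly why the slide says filtering "helps against spoofed sources, not much else"; it removes reflector and spoofing tricks but does nothing against volume from real, compromised hosts.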
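The three steps of the Pushback slide (detect locally, rate-limit and tell upstream routers, repeat toward the sources), as an added example that is not part of the lecture. It is a toy simulation of the idea rather than the real PB protocol: routers, capacities, traffic rates and the "one destination carries at least half of an over-capacity link" detection rule are all constructed, and the max-min split of the limit across contributing upstream links is my choice of allocation.

```python
"""Pushback simulation: detect an aggregate at the router nearest the target,
rate-limit it, and push the rule upstream link by link.  Added example, not
lecture code; topology and rates are constructed (arbitrary Mb/s-like units)."""
from collections import defaultdict


def max_min_share(demands, total):
    """Water-filling: a link asking for less than its fair share keeps all of
    it; what is left is split evenly among the heavier links."""
    shares, remaining, pending = {}, total, dict(demands)
    while pending:
        fair = remaining / len(pending)
        small = {k: v for k, v in pending.items() if v <= fair}
        if not small:
            for k in pending:
                shares[k] = fair
            break
        for k, v in small.items():
            shares[k] = v
            remaining -= v
            del pending[k]
    return shares


class Router:
    def __init__(self, name, capacity):
        self.name, self.capacity = name, capacity
        self.links = {}    # upstream link name -> (Router, or None for an edge LAN; {dst: rate})
        self.limits = {}   # (link, dst) -> rate limit installed by pushback

    def add_link(self, name, neighbor, traffic):
        self.links[name] = (neighbor, dict(traffic))

    def total_in(self):
        return sum(sum(t.values()) for _, t in self.links.values())

    def aggregate(self, dst):
        return sum(t.get(dst, 0.0) for _, t in self.links.values())

    def detect(self, share=0.5):
        """Local detection ('ID-esque processing'): outgoing link over capacity
        and one destination dominating.  Returns the flagged destination."""
        total = self.total_in()
        if total <= self.capacity:
            return None
        per_dst = defaultdict(float)
        for _, t in self.links.values():
            for d, r in t.items():
                per_dst[d] += r
        dst, rate = max(per_dst.items(), key=lambda kv: kv[1])
        return dst if rate >= share * total else None

    def pushback(self, dst, limit, messages):
        """Limit traffic to dst to `limit` in total, split it over the links
        that carry it, record each rule, and send each upstream router a
        PB message (from, link, dst, limit) so it repeats the process."""
        demands = {n: t[dst] for n, (_, t) in self.links.items() if t.get(dst, 0.0) > 0}
        for link, cap in max_min_share(demands, limit).items():
            self.limits[(link, dst)] = cap
            neighbor, t = self.links[link]
            t[dst] = min(t[dst], cap)            # what arrives once upstream complies
            messages.append((self.name, link, dst, cap))
            if neighbor is not None:
                neighbor.pushback(dst, cap, messages)


def run_demo():
    """Constructed topology: two edge routers feed the target's access router,
    which has a 10-unit outgoing link.  'victim' is the flooded destination."""
    target, r1, r2 = Router("R_target", 10.0), Router("R1", 20.0), Router("R2", 20.0)
    r1.add_link("edgeA", None, {"victim": 8.0})
    r1.add_link("edgeB", None, {"victim": 4.0, "other": 1.0})
    r2.add_link("edgeC", None, {"victim": 3.0, "other": 2.0})
    target.add_link("R1", r1, {"victim": 12.0, "other": 1.0})
    target.add_link("R2", r2, {"victim": 3.0, "other": 2.0})

    messages = []
    dst = target.detect()
    if dst is not None:
        # leave room for everything that is not part of the aggregate
        limit = target.capacity - (target.total_in() - target.aggregate(dst))
        target.pushback(dst, limit, messages)
    return target, r1, r2, messages


if __name__ == "__main__":
    target, r1, r2, messages = run_demo()
    for m in messages:
        print("PB message: %s -> link %s: limit %s to %.1f" % m)
    print("target link load after pushback:", target.total_in(), "of", target.capacity)
```

After the run, the target's link is exactly at capacity, traffic to other destinations is untouched, and the heavy edge links (edgeA, edgeB) are squeezed to 2.0 each while the light sender behind edgeC keeps its 3.0: the rules propagate toward the sources and bite hardest where the flood is. The caveat the slide's truncated question is presumably heading for is that any legitimate traffic inside the flagged aggregate is rate-limited along with the attack traffic.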

