Security15-441With slides from: Debabrata Dash,Nick Feamster, Vyas Sekar, and others115-411: securityOur “Narrow” Focus• Yes: Protecting network resources and limiting connectivity (Part I) Creating a “secure channel” for communication (Part II)N•No: Preventing software vulnerabilities & malware, “il i i”or “social engineering”. 215-411: securityFlashback .. Internet design goals1. Interconnection2F il ili2.Failure resilience3. Multiple types of service4. Variety of networks5. Management of resourcesg6. Cost-effective7.Low entry-cost7.Low entrycost8. Accountability for resourcesWhere is security?Where is security?315-411: securityWhy did they leave it out?• Designed for connectivity• Network designed with implicit trustgp No “bad” guys• Can’t security be provided at the edge?E ti A th ti ti tEncryption, Authentication etc End-to-end arguments in system design415-411: securitySecurity Vulnerabilities• At every layer in the protocol stack!• Network-layer attacks IP-level vulnerabilities Routing attacks• Transport-layer attacks TCP vulnerabilities• Application-layer attacks515-411: securityIP-level vulnerabilities• IP addresses are provided by the source Spoofing attacks• Using IP address for authenticatione.g., login with .rhostse.g., login with .rhosts •Some“features”that have been exploited•Some features that have been exploited Fragmentation B d t f t ffi lifi tiBroadcast for traffic amplification 615-411: securitySecurity Flaws in IP• The IP addresses are filled in by the originating hostAddress spoofingAddress spoofing• Using source address for authentication r-utilities (rlogin, rsh, rhosts etc..)2.1.1.1C•Can A claim it is B to the server S?Internet1.1.1.3S•ARP Spoofing•Can C claim it is B to1.1.1.1 1.1.1.2ABCan C claim it is B to the server S?•Source Routing715-411: securitySmurf AttackInternetAttacking SystemBroadcast Enabled NetworkVictim System815-411: securityICMP Attacks• No authentication•ICMP redirect message•ICMP redirect message Can cause the host to switch gateways Benefit of doing this?g Man in the middle attack, sniffing• ICMP destination unreachableCCan cause the host to drop connection• ICMP echo request/replyMany more•Many more… http://www.sans.org/rr/whitepapers/threats/477.php915-411: securityRouting attacks• Divert traffic to malicious nodesBlackholeBlack-hole Eavesdropping• How to implement routing attacks? Distance-Vector: Link-state:BGP l biliti•BGP vulnerabilities1015-411: securityRouting attacks• Divert traffic to malicious nodesBlackholeBlack-hole Eavesdropping• How to implement routing attacks? Distance-Vector: Announce low-cost routes Link-state: Dropping links from topologyBGP l biliti•BGP vulnerabilities Prefix-hijackingPath alterationPath alteration1115-411: securityTCP-level attacks• SYN-FloodsI l tti t tt t bfImplementations create state at servers before connection is fully established• Session hijackPretend to be a trusted hostPretend to be a trusted host Sequence number guessing• Session resetsCl l iti t tiClose a legitimate connection1215-411: securitySession HijackServerTrusted (T)First send a legitimate SYN tMalicious (M)SYN to server1315-411: securitySession HijackServerTrusted (T)Using ISN_S1 from earlier connection guess ISN S2!Malicious (M)connection guess ISN_S2!1415-411: securityTCP Layer Attacks• TCP SYN Flooding Exploit state allocated at server after initial SYN packet Send a SYN and don’t reply with ACK Server will wait for 511 seconds for ACK Finite queue size for incomplete connections (1024) Once the queue is full it doesn’t accept requests1515-411: securityTCP Layer Attacks• TCP Session Poisoning Send RST packet Will tear down connection Do you have to guess the exact sequence number?AhiidifiAnywhere in window is fine For 64k window it takes 64k packets to resetAbout 15 seconds for a T1About 15 seconds for a T11615-411: securityAn ExampleFiShimomura (S)Trusted (T)FingerShowmount -eSYN• Finger @S• showmount –e• Attack when no one is around• What other systems it trusts?Mitnick• Send 20 SYN packets to S • Determine ISN behavior1715-411: securityAn ExampleXShimomura (S)Trusted (T)Syn floodX• Finger @S• showmount –e• Attack when no one is around• What other systems it trusts?yMitnick• Send 20 SYN packets to S• SYN flood T• Determine ISN behavior• T won’t respond to packets1815-411: securityAn ExampleXSYN|ACKShimomura (S)Trusted (T)XSYNACK• Finger @S• showmount –e• Attack when no one is around• What other systems it trusts?Mitnick• Send 20 SYN packets to S• SYN flood T• Determine ISN behavior• T won’t respond to packets• Send SYN to S spoofing as T• Send ACK to S with a guessed number• S assumes that it has a session with Tg1915-411: securityAn ExampleXShimomura (S)Trusted (T)X++ > rhosts• Finger @S• showmount –e• Attack when no one is around• What other systems it trusts?Mitnick• Send 20 SYN packets to S• SYN flood T• Determine ISN behavior• T won’t respond to packets• Send SYN to S spoofing as T• Send ACK to S with a guessed number• S assumes that it has a session with T•Give permission to anyone g• Send “echo + + > ~/.rhosts”pyfrom anywhere2015-411: securityWhere do the problems come from?• Protocol-level vulnerabilities Implicit trust assumptions in design• Implementation vulnerabilitiesBoth on routers and end-hostsBoth on routers and endhostsIncomplete specifications•Incomplete specifications Often left to the imagination of programmers2115-411: securityOutline – Part I• Security Vulnerabilities• Denial of Service•Worms•Worms• Countermeasures: Firewalls/IDS2215-411: securityDenial of Service• Make a service unusable/unavailable• Disrupt service by taking down hostsEifdthE.g., ping-of-death• Consume host-level resources E.g., SYN-floods• Consume network resources E.g., UDP/ICMP floods2315-411: securitySimple DoS•Attacker usually spoofs source address ypto hide origin•Aside: Backscatter Analysis•When attack traffic results in replies from the victimE TCP SYN ICMP ECHO•E.g. TCP SYN, ICMP ECHOAttacker VictimLots of traffic2415-411: securityBackscatter Analysis• Attacker sends spoofed TCP SYN packets to www haplessvictim
View Full Document