Security Part Two: Attacks and Countermeasures

Flashback .. Internet design goals
1. Interconnection
2. Loss-resilience
3. Multiple types of service
4. Variety of networks
5. Management of resources
6. Cost-effective
7. Low entry-cost
8. Accountability for resources
Where is security?

Why did they leave it out?
• Designed for connectivity
• Network designed with implicit trust
  - No "bad" guys
• Security requirements are at the edge
  - End-to-end arguments in system design

Security Vulnerabilities
• At every layer in the protocol stack!
• Network-layer attacks
  - IP-level vulnerabilities
  - Routing attacks
• Transport-layer attacks
  - TCP vulnerabilities
• Application-layer attacks

IP-level vulnerabilities
• IP addresses are provided by the source
  - Spoofing attacks!
• Implicit use of IP address for authentication
  - Rhosts
• Fragmentation
• Traffic amplification

Routing attacks
• Black-hole attacks
• Eavesdropping
• Distance-Vector
  - Announce low-cost routes
• Link-state
  - Dropping links from topology
  - More robust than DV
• BGP
  - Prefix-hijacking
  - Path alteration

TCP-level attacks
• SYN-Floods
  - Implementations set up state at servers before the connection is fully established
• Session hijack
  - Pretend to be a trusted host
  - Sequence number guessing
• Session resets
  - Close a legitimate connection

Where do the problems come from?
• Protocol-level vulnerabilities
  - Implicit trust
• Implementation vulnerabilities
  - Routers
  - Hosts
• Incomplete specifications
  - Often left to the imagination of programmers

Outline
• Security Vulnerabilities
• Denial of Service
• Worms
• Countermeasures: Firewalls/IDS

Denial of Service
• Make a service unusable, usually by overloading the server or network
• Disrupt service by taking down hosts
  - E.g., ping-of-death
• Consume host-level resources
  - E.g., SYN floods
• Consume network resources
  - E.g., UDP floods
  - E.g., ICMP floods

Simple DoS
[Figure: Attacker sending traffic to Victim, Victim, Victim]
• Attacker usually spoofs source address to hide origin
• Aside: Backscatter Analysis

Backscatter Analysis
• Attacker is sending spoofed TCP SYN packets to www.haplessvictim.com
  - With spoofed address chosen at random
• My network sees TCP SYN-ACKs from www.haplessvictim.com at rate R
• What is the rate of the attack?
  - Assuming addresses chosen are uniform: (2^32 / Network Address space) * R

Distributed DoS
[Figure: Attacker controls Handlers, Handlers control Agents, Agents flood the Victim]

Distributed DoS
• The handlers are usually very high volume servers
  - Easy to hide the attack packets
• The agents are usually home users with DSL/Cable
  - Already infected and the agent installed
• Very difficult to track down the attacker
• How to differentiate between DDoS and Flash Crowd?
  - Flash Crowd: many clients using a service
  - Slashdot Effect

Smurf Attack
[Figure: Attacking System, via the Internet, sends to a Broadcast Enabled Network, whose replies hit the Victim System]

Reflector Attacks
[Figure]

Outline
• Security, Vulnerabilities
• Denial of Service
• Worms
• Countermeasures: Firewalls/IDS

Worm Overview
• Self-propagate through network
• Typical Steps in Worm Propagation
  - Probe host for vulnerable software
  - Sends bogus input (for buffer overflow)
    - Attacker can do anything that the privileges of the buggy program allow
  - Launches copy of itself on compromised host
• Spread at exponential rate
  - 10M hosts in < 5 minutes
  - Hard to deal with by manual intervention

Worm Spreading Model
Let R be the scan-rate
Let f be the fraction of vulnerable hosts at time t

Worm Spreading model
[Figure]

Probing Techniques
• Random Scanning
• Local Subnet Scanning
• Routing Worm
• Pre-generated Hit List
• Topological

Random Scanning
• 32-bit number is randomly generated and used as the IP address
  - Aside: IPv6 worms will be different …
• E.g., Slammer and Code Red I
• Hits black-holed IP space frequently
  - Only 28.6% of IP space is allocated
  - Aside: can track worms by monitoring unused addresses
    - Honeypots

Subnet Scanning
• Generate last 1, 2, or 3 bytes of IP address randomly
• Code Red II and Blaster
• Some scans must be completely random to infect whole Internet

Routing Worm
• BGP information can tell which IP address blocks are allocated
• This information is publicly available
  - http://www.routeviews.org/
  - http://www.ripe.net/ris/

Hit List
• Hit list of vulnerable machines is sent with payload
  - Determined before worm launch by scanning
• Gives the worm a boost in the slow start phase
• Skips the phase that follows the exponential model
  - Infection rate looks linear in the rapid propagation phase
• Can avoid detection by the early detection systems

Topological
• Uses info on the infected host to find the next target
  - Morris Worm used /etc/hosts, .rhosts
  - Email address books
  - P2P systems usually store info about hosts they connect to

Some proposals for countermeasures
• Better software safeguards
  - Safe versions of system calls
• Host-diversity
  - Avoid same exploit on multiple machines
• IP address space randomization
  - Make scanning ineffective
• Host-level solutions
  - Memory randomization
  - Stack guards
• Rate-limiting
  - Contain the spread of the attacks
• Content-based filtering
  - Use signatures in packet payloads
• …

Outline
• Security, Vulnerabilities
• Denial of Service
• Worms
• Countermeasures: Firewalls/IDS

Firewalls
• Lots of vulnerabilities on hosts in network
• Users don't keep systems up to date
  - Lots of patches
  - Lots of exploits in wild (no patch for them)
• Solution?
  - Limit access to the network
  - Put firewalls across the perimeter of the network

Firewalls (contd…)
• Firewall inspects traffic through it
• Allows traffic specified in the policy
• Drops everything else
• Two Types
  - Packet Filters, Proxies
[Figure: Internet, Firewall, Internal Network]

Packet Filters
• Selectively passes packets from one
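The Backscatter Analysis slide above gives the estimate in one line; the following added example (not part of the lecture slides) shows the measurement it rests on. It assumes a constructed border capture of a monitored /24 (documentation addresses throughout, with 198.51.100.10 standing in for www.haplessvictim.com), counts only SYN-ACKs from the victim that answer no SYN the monitored network sent, and then applies the slide's uniform-spoofing extrapolation (2^32 / monitored address space) * R.

```python
from ipaddress import ip_address, ip_network

# Constructed border capture for the monitored network 203.0.113.0/24:
# "timestamp source destination tcp_flags" (S = SYN, SA = SYN-ACK, RA = RST-ACK).
SAMPLE_CAPTURE = """\
0.0 198.51.100.10 203.0.113.5 SA
0.5 198.51.100.10 203.0.113.77 SA
1.0 192.0.2.44 203.0.113.9 S
1.5 198.51.100.10 203.0.113.200 SA
2.0 198.51.100.10 203.0.113.31 SA
2.5 198.51.100.10 203.0.113.8 RA
3.0 198.51.100.10 203.0.113.150 SA
4.0 203.0.113.5 198.51.100.10 S
4.1 198.51.100.10 203.0.113.5 SA
"""

VICTIM = "198.51.100.10"        # constructed stand-in for www.haplessvictim.com
MONITORED = "203.0.113.0/24"    # the address space this monitor sees
ADDRESS_SPACE = 2 ** 32


def parse_capture(text):
    """Turn the capture into (timestamp, src, dst, flags) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, flags = line.split()
            records.append((float(ts), ip_address(src), ip_address(dst), flags))
    return records


def unsolicited_synacks(records, victim=VICTIM, monitored=MONITORED):
    """SYN-ACKs from the victim into the monitored network that answer no SYN the
    monitored network actually sent: the backscatter of spoofed SYNs.  This capture
    carries no ports, so solicitation is tracked per source host."""
    victim = ip_address(victim)
    net = ip_network(monitored)
    solicited = set()
    backscatter = []
    for ts, src, dst, flags in sorted(records, key=lambda r: r[0]):
        if src in net and dst == victim and flags == "S":
            solicited.add(src)          # we opened a connection; its SYN-ACK is legitimate
        elif src == victim and dst in net and flags == "SA" and dst not in solicited:
            backscatter.append((ts, dst))
    return backscatter


def estimate_attack_rate(records, window_seconds, victim=VICTIM, monitored=MONITORED):
    """R is the backscatter rate seen at the monitor.  The slide's extrapolation assumes
    the spoofed sources are uniform over the 2^32 address space, so the victim's total
    SYN-ACK rate (equal to the SYN rate it receives) is (2^32 / |monitored|) * R."""
    hits = unsolicited_synacks(records, victim, monitored)
    observed_rate = len(hits) / window_seconds
    scale = ADDRESS_SPACE / ip_network(monitored).num_addresses
    return observed_rate, observed_rate * scale


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    r, total = estimate_attack_rate(recs, window_seconds=5.0)
    print(f"backscatter rate R = {r:.2f}/s, estimated SYN rate at victim = {total:.0f}/s")
```

The estimate is only as good as the uniformity assumption: if the spoofed sources are drawn from a smaller or skewed range, a /24 sees either none of the backscatter or a biased sample, so the scale factor over- or under-states the attack.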
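The Worm Spreading Model slide names R and f but its equation is not on the page, and the Hit List slide states that a pre-generated list "gives the worm a boost in the slow start phase". The added example below (not from the slides) assumes the standard random-scanning model, in which each infected host scans R uniformly random 32-bit addresses per unit time and a scan infects a new host with probability (vulnerable - infected) / 2^32, and runs it deterministically (expected values) so the single-seed and hit-list starts can be compared. Host counts and scan rates are constructed, not measured.

```python
ADDRESS_SPACE = 2 ** 32


def simulate_random_scan(vulnerable, R, initial_infected, steps, dt=1.0):
    """Expected-value simulation of a random-scanning worm (assumed model, see lead-in).
    Each infected host sends R scans per unit time to uniformly random 32-bit addresses;
    a scan infects a new host when it hits a still-uninfected vulnerable host, with
    probability (vulnerable - infected) / 2^32.  Returns the infected count after each
    step; index 0 is the moment of launch."""
    infected = float(initial_infected)
    trace = [infected]
    for _ in range(steps):
        new_infections = dt * R * infected * (vulnerable - infected) / ADDRESS_SPACE
        infected = min(float(vulnerable), infected + new_infections)
        trace.append(infected)
    return trace


def infected_fraction(trace, vulnerable):
    """The slide's f: fraction of vulnerable hosts infected at each step."""
    return [n / vulnerable for n in trace]


def time_to_fraction(trace, vulnerable, fraction, dt=1.0):
    """First time at which at least `fraction` of the vulnerable hosts are infected."""
    for step, n in enumerate(trace):
        if n >= fraction * vulnerable:
            return step * dt
    return None


if __name__ == "__main__":
    N, R, STEPS = 360_000, 4_000, 120          # constructed: population, scans/s, seconds
    single_seed = simulate_random_scan(N, R, 1, STEPS)
    hit_list = simulate_random_scan(N, R, 10_000, STEPS)   # constructed 10k-entry hit list
    for name, trace in (("single seed", single_seed), ("10k hit list", hit_list)):
        print(f"{name}: 50% infected at {time_to_fraction(trace, N, 0.5)} s, "
              f"99% at {time_to_fraction(trace, N, 0.99)} s")
```

Running it shows the point of the slides: with one seed most of the elapsed time is the slow start before the curve turns exponential, and a hit list of a few percent of the population removes that phase, which is also why early-detection systems that trigger on the slow-start growth see less warning against a hit-list worm, and why rate-limiting aims to shrink the effective R.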
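The Firewalls slides describe a device that allows traffic specified in the policy and drops everything else, with packet filters as one of the two types. The added example below (not from the slides) is a minimal stateless packet filter: first-match rules over ingress interface, protocol, source and destination prefix, destination port and TCP flags, with default deny. The topology, addresses and policy are constructed, and the ACK-bit rule is an assumption about how a stateless filter approximates "established" connections.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology: the internal network sits behind the firewall's "int"
# interface; everything arriving on "ext" comes from the Internet.
INTERNAL_NET = "203.0.113.0/24"
WEB_SERVER = "203.0.113.80/32"


@dataclass(frozen=True)
class Packet:
    iface: str                  # ingress interface: "ext" or "int"
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    flags: str = ""             # TCP flags as letters, e.g. "S", "SA", "A"


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    iface: Optional[str] = None       # None matches any value
    proto: Optional[str] = None
    src: Optional[str] = None         # CIDR prefix
    dst: Optional[str] = None
    dports: Optional[range] = None
    ack_required: bool = False        # stateless stand-in for "established"

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None and (p.dport is None or p.dport not in self.dports):
            return False
        if self.ack_required and "A" not in p.flags:
            return False
        return True


POLICY = [
    # Anti-spoofing: a packet claiming an internal source must not arrive from the Internet.
    Rule("deny", iface="ext", src=INTERNAL_NET),
    # The public web server is reachable from anywhere on 80 and 443.
    Rule("allow", iface="ext", proto="tcp", dst=WEB_SERVER, dports=range(80, 81)),
    Rule("allow", iface="ext", proto="tcp", dst=WEB_SERVER, dports=range(443, 444)),
    # Replies to connections opened from inside: approximated by requiring the ACK bit.
    Rule("allow", iface="ext", proto="tcp", dst=INTERNAL_NET, ack_required=True),
    # Anything originating inside may leave.
    Rule("allow", iface="int", src=INTERNAL_NET),
]


def filter_packet(p: Packet, policy=POLICY) -> str:
    """First-match evaluation; a packet matching no rule is dropped (default deny)."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


if __name__ == "__main__":
    probes = [
        Packet("ext", "tcp", "198.51.100.7", "203.0.113.80", 80, "S"),     # web: allow
        Packet("ext", "tcp", "198.51.100.7", "203.0.113.80", 22, "S"),     # ssh: default deny
        Packet("ext", "tcp", "203.0.113.5", "203.0.113.80", 80, "S"),      # spoofed: deny
        Packet("ext", "tcp", "198.51.100.7", "203.0.113.5", 51000, "SA"),  # reply: allow
        Packet("int", "udp", "203.0.113.5", "192.0.2.53", 53),             # outbound: allow
    ]
    for p in probes:
        print(filter_packet(p), p)
```

The ACK-bit rule is where the stateless design shows its limits: it admits any inbound segment that carries ACK whether or not an inside host ever opened that connection, which is why stateful filters record the handshake instead and why the slides list proxies as the second firewall type.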