UCSD CSE 127 - Lecture

CSE 127 Computer Security, Spring 2011
More on network security
April 20, 2011
Chris Kanich (standing in for Hovav)
[some slides courtesy Dan Boneh & John Mitchell]

Today's outline
- NAT, Firewalls
- IDS
- DDoS

TCP/IP Protocol Stack
(figure: the layers Application, Transport, Network and Link on each end host; the application protocol (e.g. HTTP) and the TCP protocol run end to end, the IP protocol and Data Link run hop by hop, and the router in the middle has only IP and Data Link)

Basic Firewall Concept
- Separate local area net from internet
(figure: Local network -- Router / Firewall -- Internet; all packets between LAN and internet are routed through the firewall)

Firewall goals
- Prevent malicious attacks on hosts
  ◆ Port scan, syn flooding, ...
  ◆ Worm propagation
    » Exploit buffer overflow in program listening on network
- Provide defense in depth
  ◆ Defend everywhere
  ◆ Programs contain bugs and are vulnerable to attack
  ◆ Network protocols may contain:
    » Design weaknesses (SSH CRC)
    » Implementation flaws (SSL, NTP, FTP, SMTP...)

Packet Filtering
- Uses transport-layer information only
  ◆ IP Source Address, Destination Address
  ◆ Protocol (TCP, UDP, ICMP, etc.)
  ◆ TCP or UDP source & destination ports
  ◆ TCP Flags (SYN, ACK, FIN, RST, PSH, etc.)
  ◆ ICMP message type
- Examples
  ◆ DNS uses port 53
    » Block incoming port 53 packets except known trusted servers
- Issues
  ◆ Stateful filtering
  ◆ Encapsulation: address translation, other complications
  ◆ Fragmentation

Packet Filtering Examples
- Policy: Do not allow outbound email
  ◆ Implementation?
- Policy: Do not allow inbound connections
  ◆ Implementation?
- Policy: Do not allow HTTP GET requests
  ◆ Implementation?
Normal IP Fragmentation
- Flags and offset inside IP header indicate packet fragmentation
- Complication for firewalls

Abnormal Fragmentation
- Low offset allows second packet to overwrite TCP header at receiving host

NAT: Network Address Translation
(figure, illustration from Kurose and Ross: a local network, e.g. a home network, 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4 behind a NAT router whose address toward the rest of the Internet is 138.76.29.7)
- Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)
- All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers

Advantages of NAT
- Motivations for NAT
  ◆ Limited address space
  ◆ Prevent unsolicited inbound requests
    » Port numbering: host behind NAT not reachable as server
  ◆ Avoid renumbering if provider changes
    » Small/mid-sized LANs inherit address space from ISP
- Addresses hidden by NAT
  ◆ Normal routing
    » Outgoing msg from 171.64.78.90 contains sending address
    » Recipient or observer can access 171.64.78.90
  ◆ Addressing with NAT
    » NAT rewrites outgoing packet so recipient sees public addr only
    » An outside computer cannot see 171.64.78.90

Stateful or Dynamic Packet Filtering
Application layer (HTTP)
- Turn click into HTTP request
    GET http://www.yahoo.com/r/mp HTTP/1.1
    Host: www.yahoo.com
    Connection:keep-alive
    ...
Transport layer (TCP)
- Break message into packets (TCP segments)
- Should be delivered reliably & in-order
(figure: the same request split into numbered segments "GET htt" (1), "p://www." (2), "yahoo.c" (3), with the note "and let me know when they got there")
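The three "Implementation?" questions from the Packet Filtering Examples slide and the fragmentation complication, worked through as a stateless header-only filter. This is an added example, not code from the lecture; the packet model, rule names, the trusted DNS server address and the tiny-fragment threshold are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed allowlist for the slide's DNS example (documentation-range address).
TRUSTED_DNS_SERVERS = {"192.0.2.53"}


@dataclass
class Packet:
    """Only the header fields a stateless, transport-layer filter can see."""
    inbound: bool                        # True: Internet -> LAN, False: LAN -> Internet
    proto: str                           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: FrozenSet[str] = frozenset()  # TCP flags set, e.g. {"SYN", "ACK"}
    frag_offset: int = 0                 # IP fragment offset, in 8-byte units


def filter_packet(p: Packet) -> str:
    """Return 'allow' or 'drop: <rule>' for one packet, judging headers only."""
    if p.frag_offset > 0:
        # A non-first fragment carries no TCP/UDP header, so port and flag rules
        # cannot be evaluated on it: that is the fragmentation complication.
        # If its data lands inside the first 20 bytes of the segment it can
        # overwrite the TCP header the first fragment was judged on (the
        # "abnormal fragmentation" case), so such tiny fragments are dropped.
        if p.frag_offset * 8 < 20:
            return "drop: tiny-fragment"
        return "allow"  # later fragments ride on the verdict of the first one
    # DNS example: inbound packets to port 53 only from known trusted servers.
    if p.inbound and p.dport == 53 and p.src not in TRUSTED_DNS_SERVERS:
        return "drop: untrusted-dns"
    # Policy "do not allow outbound email": SMTP is TCP to destination port 25.
    if not p.inbound and p.proto == "tcp" and p.dport == 25:
        return "drop: outbound-smtp"
    # Policy "do not allow inbound connections": a new TCP connection starts
    # with the one packet that has SYN set and ACK clear.  SYN+ACK replies to
    # connections our own hosts opened still pass, so local clients keep working.
    if p.inbound and p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags:
        return "drop: inbound-syn"
    # Policy "do not allow HTTP GET requests" has no rule here: "GET" sits in
    # the TCP payload, which a transport-layer filter never reads.  That needs
    # the stateful or application-level filtering on the slide above.
    return "allow"
```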
Intrusion Detection

General intrusion detection
- Many intrusion detection systems
  ◆ Close to 100 systems with current web pages
  ◆ Network-based, host-based, or combination
- Two basic models
  ◆ Misuse detection model
    » Maintain data on known attacks
    » Look for activity with corresponding signatures
  ◆ Anomaly detection model
    » Try to figure out what is "normal"
    » Report anomalous behavior
- Fundamental problem: too many false alarms

Misuse detection – port scan
- Attacks can be OS specific
  ◆ Bugs in specific implementations
  ◆ Oversights in default configuration
- Attacker scans network to find vulnerabilities
  ◆ Port scan tries many ports on many IP addresses
  ◆ If characteristic behavior detected, mount attack
    » SGI IRIX responds on the TCPMUX port (TCP port 1)
    » If machine responds, SGI IRIX vulnerabilities can be tested and used to break in
- Port scan activity can be detected

IDS Circumvention
- IDS circumvention
  ◆ Outsource vulnerability detection
    » Live demo!
  ◆ Obfuscate attack code

(D)DoS
- (Distributed) Denial of Service Attack
- Anything that keeps legitimate users away
- Dumb, Smart, & in between

Floods
- Lots of Packets – works!
- ICMP Ping Flood
- Syn Flood
  ◆ Resource Exhaustion Attack
  ◆ Start TCP handshake; never finish

Syn Flood Mitigation
- Problem: syn queue overflow
- Intuition: ACK must include (server's ACK#+1) as client's ACK#
- Solution: encode a secret value in the ACK#
  ◆ Initial ACK# = (time) . (MSS) . s(serverip, serverport, clientip, clientport, t)
- Server can reconstruct & verify all information from SYN using cookie value

Reflection Attack
- Problem: Source & Destination address fields in IP packets not authenticated
- Problem: When receiving unexpected SYN, must respond with RST
- Attack: Set SRC=target, DST=any, FLAGS=syn
- What happens?
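The SYN-cookie formula from the Syn Flood Mitigation slide, carried through as code: the server packs the time slot, an MSS index and the keyed hash s(serverip, serverport, clientip, clientport, t) into the 32-bit number it sends, keeps no state, and rebuilds everything from the client's ACK. This is an added example, not code from the lecture or from any real TCP stack; the secret, the 64-second slot, the 5/3/24-bit split and the MSS table are assumptions.

```python
import hashlib
import hmac
import time

# Assumptions (not from the slides): a per-boot secret, a 64-second time slot,
# and a small table standing in for the MSS values a real stack would encode.
SECRET = b"constructed-per-boot-secret"
SLOT_SECONDS = 64
MSS_TABLE = (536, 1220, 1460, 4312)   # indexed by the 3-bit MSS field
MAX_AGE_SLOTS = 1                     # accept the current and the previous slot


def _s(server_ip, server_port, client_ip, client_port, t):
    """The slide's s(serverip, serverport, clientip, clientport, t): keyed hash, 24 bits."""
    msg = f"{server_ip}|{server_port}|{client_ip}|{client_port}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def _slot(now):
    return int(now // SLOT_SECONDS) & 0x1F   # 5-bit time counter, wraps every 32 slots


def make_cookie(server_ip, server_port, client_ip, client_port, client_mss, now=None):
    """Server's initial number for the SYN-ACK: time (5 bits) . MSS (3 bits) . s(...) (24 bits).
    Nothing about the half-open connection is stored; the cookie itself carries it."""
    t = _slot(time.time() if now is None else now)
    # largest table entry not exceeding what the client offered (index 0 if none)
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (t << 27) | (idx << 24) | _s(server_ip, server_port, client_ip, client_port, t)


def check_cookie(server_ip, server_port, client_ip, client_port, ack_num, now=None):
    """Verify the third handshake packet.  The client's ACK# is the cookie + 1, so
    subtract one, unpack the fields and recompute s(...) with the same inputs.
    Returns the MSS to use, or None if the cookie is stale or forged."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    if ((_slot(time.time() if now is None else now) - t) & 0x1F) > MAX_AGE_SLOTS:
        return None   # too old: a captured cookie cannot be replayed indefinitely
    if (cookie & 0xFFFFFF) != _s(server_ip, server_port, client_ip, client_port, t):
        return None   # forged, or the 4-tuple differs from the one in the SYN
    if idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[idx]
```

Because the verification recomputes s(...) from the ACK's own addresses and ports, a flood of SYNs costs the server one hash per packet and no queue entry, which is exactly what removes the syn-queue overflow.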
Reflection Attack
- Detection
  ◆ Internet path lengths are not guessable
  ◆ Initial TTL fields usually not random
  ◆ Does RST path length ≈ real path length?
- Reflection attack prevention?

Aside: Backscatter
- Source spoofer – usually picks a random source address
- Individual IP vantage point – looks like noise
- Large segment of IPv4: can see attacks

Application level DDoS
- IRC Botnet
- Voluntary Botnets
  ◆ LOIC
- slowloris

Questions?
- As an attacker:
  ◆ Manipulate assumptions
  ◆ Use Rice's Theorem to your advantage
  ◆ Use old attacks in new domains
- As a defender:
  ◆ Defense in depth
    »
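The TTL path-length heuristic from the Reflection Attack detection slide, written out as a check over a batch of packets. This is an added example, not code from the lecture; it assumes the check runs at a host that has already measured the real hop count to each claimed source (from an earlier completed handshake or a traceroute), and the addresses, TTLs and hop counts are constructed.

```python
from typing import Dict, List, Optional

# Common initial TTL values chosen by operating systems; the slide's point is
# that they are "usually not random", so the hop count can be inferred.
INITIAL_TTLS = (64, 128, 255)


def hop_count(ttl: int) -> int:
    """Infer how many hops a packet travelled from the TTL it arrived with,
    assuming the sender started from one of the common initial values and
    taking the nearest such value above the observed TTL."""
    return min(init - ttl for init in INITIAL_TTLS if init >= ttl)


def looks_spoofed(src: str, ttl: int, measured_hops: Dict[str, int],
                  tolerance: int = 2) -> Optional[bool]:
    """Compare the inferred path length of a packet claiming source `src` with
    the path length actually measured to `src`.  A spoofer elsewhere on the
    Internet cannot guess that distance, so a large disagreement marks the
    packet as likely spoofed.  Returns None when there is nothing to compare."""
    expected = measured_hops.get(src)
    if expected is None:
        return None
    return abs(hop_count(ttl) - expected) > tolerance


def flag_spoofed(packets: List[dict], measured_hops: Dict[str, int]) -> List[int]:
    """Indices of packets whose TTL-derived distance disagrees with the measured one."""
    return [i for i, p in enumerate(packets)
            if looks_spoofed(p["src"], p["ttl"], measured_hops)]


# Constructed sample: hop counts previously measured to two hosts, and a batch
# of unsolicited packets that claim to come from them.
MEASURED_HOPS = {"198.51.100.4": 12, "203.0.113.77": 18}
SAMPLE_PACKETS = [
    {"src": "198.51.100.4", "ttl": 52},   # 64 - 52 = 12 hops: consistent
    {"src": "198.51.100.4", "ttl": 240},  # 255 - 240 = 15 hops: inconsistent
    {"src": "203.0.113.77", "ttl": 110},  # 128 - 110 = 18 hops: consistent
    {"src": "203.0.113.77", "ttl": 58},   # 64 - 58 = 6 hops: inconsistent
    {"src": "192.0.2.200", "ttl": 50},    # no measurement: not judged
]
```

The tolerance absorbs ordinary route changes; the backscatter slide's observation that a spoofer picks random sources is why, at a single vantage point, most of these packets will have no measured hop count at all and fall into the "not judged" bucket.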

