Berkeley COMPSCI 161 - Network Security

Slide 1: Network Security
Dawn [email protected]
Slides from John Mitchell

Slide 2: Internet Infrastructure
[Figure: Backbone connecting ISPs]
• Local and interdomain routing
  – TCP/IP for routing, connections
  – BGP for routing announcements
• Domain Name System
  – Find IP address from symbolic name (www.cs.stanford.edu)

Slide 3: TCP Protocol Stack
[Figure: Application / Transport / Network / Link layers on each end host, peered by the Application protocol, TCP protocol, IP protocol and Data Link; an intermediate router has only IP and Network Access layers]

Slide 4: Data Formats
[Figure: Application message (data) is split into TCP data chunks; Transport (TCP, UDP): TCP header + data = segment; Network (IP): IP header + segment = packet; Link layer: Ethernet header + packet + Ethernet trailer = frame]

Slide 5: Internet Protocol
• Connectionless
  – Unreliable
  – Best effort
• Transfer datagram
  – Header
  – Data
[Figure: IP header fields: Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address of Originating Host, Destination Address of Target Host, Options, Padding, IP Data]

Slide 6: IP Routing
• Internet routing uses numeric IP address
• Typical route uses several hops
[Figure: Alice → Office gateway → ISP → Bob, with addresses 121.42.33.12, 121.42.33.1, 132.14.11.1, 132.14.11.51 along the path; packet Source 121.42.33.12, Destination 132.14.11.51]

Slide 7: IP Protocol Functions
• Routing
  – IP host knows location of router (gateway)
  – IP gateway must know route to other networks
• Fragmentation and reassembly
  – If max-packet-size less than the user-data-size
• Error reporting
  – ICMP packet to source if packet is dropped

Slide 8: User Datagram Protocol
• IP provides routing
  – IP address gets datagram to a specific machine
• UDP separates traffic by port
  – Destination port number gets UDP datagram to particular application process, e.g., 128.3.23.3, 53
  – Source port number provides return address
• Minimal guarantees
  – No acknowledgment
  – No flow control
  – No message continuation

Slide 9: Transmission Control Protocol
• Connection-oriented, preserves order
  – Sender
    » Break data into packets
    » Attach packet numbers
  – Receiver
    » Acknowledge receipt; lost packets are resent
    » Reassemble packets in correct order
[Figure: Book → mail each page → reassemble book]

Slide 10: Internet Control Message Protocol
• Provides feedback about network operation
  – Error reporting
  – Reachability testing
  – Congestion Control
• Example message types
  – Destination unreachable
  – Time-to-live exceeded
  – Parameter problem
  – Redirect to better gateway
  – Echo/echo reply - reachability test
  – Timestamp request/reply - measure transit delay

Slide 11: Basic Security Problems
• Internet was designed with a different trust model
  – No security in mind
• Network packets pass by untrusted hosts
  – Eavesdropping, packet sniffing (e.g., “ngrep”)
• TCP state can be easy to guess
  – TCP spoofing attack
• TCP connection requires state
  – SYN flooding attack
• DDoS attacks

Slide 12: Packet Sniffing
• Promiscuous NIC reads all packets
  – Read all unencrypted data (e.g., “ngrep”)
  – ftp, telnet send passwords in clear!
• Solution
  – Encryption
[Figure: Alice and Bob communicate across the Network; Eve sits on the path]

Slide 13: TCP Handshake
[Figure: C → S: SYN(c); S → C: SYN(s), ACK(c+1); C → S: ACK(s+1). Server states: Listening → Store data → Wait → Connected]

Slide 14: TCP Connection Spoofing
• Each TCP connection has an associated state
  – Client & Server’s IP and port number
  – Sequence numbers
• Problem
  – Easy to guess state
    » Port numbers are standard
    » Sequence numbers often chosen in predictable way

Slide 15: TCP Session Hijacking
• Need high degree of unpredictability
  – If attacker knows initial seq # and amount of traffic sent, can estimate likely current values
  – Send a flood of packets with likely seq numbers
  – Attacker can inject packets into existing connection
• Some implementations are vulnerable

Slide 16: Force TCP Session Close
• Suppose attacker can guess seq. number for an existing connection:
  – Attacker can send Reset packet to close connection. Results in DoS.
  – Naively, success prob. is 1/2^32 (32-bit seq. #’s).
  – Most systems allow for a large window of acceptable seq. #’s
    » Much higher success probability.
• Attack is most effective against long lived connections, e.g.
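The handshake of slide 13 and the reset check of slide 16, as an added Python model (not code from the lecture or its authors): a toy server walks Listening → SYN received → Connected, and its RST handling is shown under three acceptance policies. The "exact" and "window" policies are the two cases the slide quantifies (1/2^32 versus a window of acceptable numbers); the "challenge" policy is the challenge-ACK mitigation standardised in RFC 5961, which the slides do not cover and is included here as the usual fix. Class names, the 65535-byte window and the sequence numbers used in the demo are constructed values.

```python
import secrets
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32          # 32-bit sequence numbers (slide 16)


def random_isn() -> int:
    """Unpredictable initial sequence number; slide 14 notes that predictable
    ISNs are what makes connection state guessable."""
    return secrets.randbelow(SEQ_SPACE)


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), computed modulo 2^32
    so the check survives sequence-number wraparound."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


@dataclass
class Server:
    """Receiver side of slide 13: LISTENING -> SYN_RECEIVED (store data, wait) -> CONNECTED."""
    rcv_wnd: int = 65535     # advertised receive window in bytes (constructed value)
    state: str = "LISTENING"
    isn: int = 0             # our initial sequence number, s
    rcv_nxt: int = 0         # next sequence number we expect from the peer
    snd_nxt: int = 0         # next sequence number we will send

    def on_syn(self, seq: int) -> dict:
        """SYN(c) arrives: remember c, choose s, reply SYN(s), ACK(c+1)."""
        self.isn = random_isn()
        self.rcv_nxt = (seq + 1) % SEQ_SPACE
        self.state = "SYN_RECEIVED"
        return {"flags": "SYN,ACK", "seq": self.isn, "ack": self.rcv_nxt}

    def on_ack(self, ack: int) -> bool:
        """Final ACK(s+1): only an acknowledgement of exactly s+1 completes the handshake."""
        if self.state == "SYN_RECEIVED" and ack == (self.isn + 1) % SEQ_SPACE:
            self.snd_nxt = ack
            self.state = "CONNECTED"
            return True
        return False

    def on_rst(self, seq: int, policy: str) -> str:
        """Slide 16: what happens to a RST carrying sequence number seq.
        'exact'     - naive receiver, RST honoured only if seq == rcv_nxt
        'window'    - many stacks, RST honoured for any in-window seq
        'challenge' - RFC 5961 style (not on the slides): exact match resets,
                      in-window-but-inexact gets a challenge ACK, rest dropped"""
        if policy == "exact":
            return "reset" if seq == self.rcv_nxt else "drop"
        if policy == "window":
            return "reset" if in_window(seq, self.rcv_nxt, self.rcv_wnd) else "drop"
        if policy == "challenge":
            if seq == self.rcv_nxt:
                return "reset"
            if in_window(seq, self.rcv_nxt, self.rcv_wnd):
                return "challenge"      # peer must confirm with the exact number
            return "drop"
        raise ValueError(f"unknown policy {policy!r}")


def handshake(server: Server, client_isn: int) -> bool:
    """Drive the three segments of slide 13; report whether the server reached CONNECTED."""
    synack = server.on_syn(client_isn)                        # C -> S: SYN(c)
    if synack["ack"] != (client_isn + 1) % SEQ_SPACE:         # client checks ACK(c+1)
        return False
    return server.on_ack((synack["seq"] + 1) % SEQ_SPACE)    # C -> S: ACK(s+1)


def blind_rst_success_probability(rcv_wnd: int, policy: str) -> float:
    """Probability that one RST with a uniformly random sequence number is honoured:
    1/2^32 for 'exact' and 'challenge', rcv_wnd/2^32 for 'window' (slide 16)."""
    accepted = rcv_wnd if policy == "window" else 1
    return accepted / SEQ_SPACE


if __name__ == "__main__":
    srv = Server()
    print("handshake ok:", handshake(srv, client_isn=random_isn()), srv.state)
    for pol in ("exact", "window", "challenge"):
        p = blind_rst_success_probability(srv.rcv_wnd, pol)
        print(f"{pol:9s} p(one random RST honoured) = {p:.3g}")
```

With a 65535-byte window the "window" policy honours a random RST about 65535 times more often than the exact check, which is the slide's "much higher success probability"; the challenge policy keeps the window for data but restores the exact-match requirement for resets.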
  BGP.

Slide 17: SYN Flooding
[Figure: C sends SYN(C1), SYN(C2), SYN(C3), SYN(C4), SYN(C5) to S; S is Listening and stores data for each half-open request]

Slide 18: SYN Flooding
• Attacker sends many connection requests
  – Spoofed source addresses
• Victim allocates resources for each request
  – Connection requests exist until timeout
  – Fixed bound on half-open connections
• Resources exhausted ⇒ requests rejected
  – SYN flooding may require much less bandwidth than a bandwidth exhaustion attack
• Defense: SYN Cookie
  – Server computes MAC of TCP header info, including src/dst IP addresses, port #
  – Use this MAC value as SYN/ACK #

Slide 19: Denial-of-Service (DoS) Attack
• A Denial-of-Service (DoS) attack is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as CPU, memory, bandwidth, and disk space
  – A DoS attack can be local (within a single host) or network-based
• A Distributed Denial-of-Service (DDoS) attack is a network-based DoS attack using multiple attacking hosts

Slide 20: Distributed Denial-of-Service
• Hacker(s) compromise machines (“zombies”) and use them to flood a particular server.
  – Network Resource Attack
  – Server Processing Attack
• IP Spoofing
  – Complicates effective filtering
*modified from grc.com

Slide 21: Smurf DoS Attack
• Send ping request to broadcast addr (ICMP Echo Req)
• Lots of responses:
  – Every host on target network generates a ping reply (ICMP Echo Reply) to victim
  – Ping reply stream can overload victim
Prevention: reject external packets to broadcast address
[Figure: DoS Source sends (1) ICMP Echo Req with Src: DoS Target, Dest: broadcast addr through the gateway; every host on the network answers with (3) ICMP Echo Reply, Dest: DoS Target]

Slide 22: Reflector Attacks
• Put victim’s IP as the source address in requests to reflectors
• Use reflectors to flood victim
• Advantages
  – Bandwidth amplification
  – Hiding origin of attack
• Many examples
  – DNS
    » Register.com (Jan 2001)

Slide 23: Long History of DDoS Attacks
• Early attacks took down Yahoo!, eBay for fun & fame (2000)
  – Early DDoS tools & zombie network
• Recent attacks
  – Botnets
  – Extortion for profit
  – 10,000 online game servers in games such as Return
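The half-open table of slide 17 and the SYN-cookie defence of slide 18, as an added Python model (not code from the lecture or its authors): a stateful listener that keeps one entry per SYN until a fixed backlog is full, next to a listener whose SYN/ACK sequence number is a keyed MAC over the source/destination addresses and ports plus a coarse time slot, so it stores nothing until a valid final ACK returns. The cookie layout used here (8-bit time slot, 24 bits of HMAC-SHA256) is a simplification chosen for this example, not the format of any real TCP stack; addresses, ports, key and slot values are constructed.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct
import time

SEQ_SPACE = 2 ** 32


def current_slot() -> int:
    """Coarse time counter folded into the cookie so stale cookies stop verifying
    (one slot per minute; assumption of this example)."""
    return int(time.time() // 60)


class StatefulListener:
    """Slides 17/18: one half-open entry per SYN, with a fixed bound on how many may exist."""

    def __init__(self, backlog: int):
        self.backlog = backlog
        self.half_open = {}                     # (src_ip, src_port) -> server ISN

    def on_syn(self, src_ip: str, src_port: int, slot: int = 0):
        if len(self.half_open) >= self.backlog:
            return None                         # resources exhausted => request rejected
        isn = secrets.randbelow(SEQ_SPACE)
        self.half_open[(src_ip, src_port)] = isn
        return isn                              # sequence number of our SYN/ACK

    def on_ack(self, src_ip: str, src_port: int, ack: int) -> bool:
        isn = self.half_open.get((src_ip, src_port))
        if isn is None or ack != (isn + 1) % SEQ_SPACE:
            return False
        del self.half_open[(src_ip, src_port)]  # connection established, entry released
        return True


class SynCookieListener:
    """Slide 18 defence: the SYN/ACK sequence number is a MAC over header fields,
    so nothing is allocated per SYN and a spoofed source never completes the handshake."""

    def __init__(self, server_ip: str, server_port: int, key: bytes = b""):
        self.ip, self.port = server_ip, server_port
        self.key = key or secrets.token_bytes(32)
        self.half_open = {}                     # always empty; kept for comparison

    def cookie(self, src_ip: str, src_port: int, slot: int) -> int:
        """ISN = 8-bit time slot || 24 bits of HMAC(key, src ip, dst ip, src port, dst port, slot)."""
        msg = (ipaddress.ip_address(src_ip).packed
               + ipaddress.ip_address(self.ip).packed
               + struct.pack("!HHI", src_port, self.port, slot & 0xFFFFFFFF))
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return ((slot & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src_ip: str, src_port: int, slot: int = None) -> int:
        slot = current_slot() if slot is None else slot
        return self.cookie(src_ip, src_port, slot)   # reply with the cookie; store nothing

    def on_ack(self, src_ip: str, src_port: int, ack: int,
               now_slot: int = None, max_age: int = 1) -> bool:
        """Recompute the cookie for the current and recent slots; accept only on a match.
        The client's own ISN is not needed: its next byte is the final ACK's seq field."""
        now_slot = current_slot() if now_slot is None else now_slot
        isn = (ack - 1) % SEQ_SPACE
        for age in range(max_age + 1):
            slot = now_slot - age
            if slot < 0 or (slot & 0xFF) != isn >> 24:
                continue
            expected = self.cookie(src_ip, src_port, slot)
            return hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big"))
        return False


def flood(listener, n: int, slot: int = 100) -> int:
    """Model of the slide 17 figure: n SYNs from n distinct (constructed) sources that never
    send the final ACK; returns how many the listener accepted."""
    accepted = 0
    for i in range(n):
        src = f"203.0.113.{i % 254 + 1}"
        if listener.on_syn(src, 40000 + i, slot) is not None:
            accepted += 1
    return accepted


if __name__ == "__main__":
    stateful = StatefulListener(backlog=4)
    print("stateful accepted", flood(stateful, 6), "of 6; half-open entries:", len(stateful.half_open))
    cookies = SynCookieListener("192.0.2.10", 80)
    print("cookie accepted", flood(cookies, 6), "of 6; half-open entries:", len(cookies.half_open))
```

The stateful listener starts rejecting once its backlog fills, exactly the "resources exhausted ⇒ requests rejected" step; the cookie listener accepts every SYN at no memory cost and verifies the returning ACK by recomputation, which is why a flood with spoofed sources (whose ACKs never arrive) costs it nothing.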
    to Castle Wolfenstein, Halo, Counter-Strike attacked by “RUS” hacker group (2007)
• Cyber warfare?
  – Attacks on Estonia government website (May 2007)
  – Attacks on Georgia government website before war (2008)

Slide 24: DDoS Activity Measurement: Backscatter
• Use Internet telescope
  – Monitor large blocks of IP addresses
• Receive TCP SYN ACKs in IP spoofing DDoS attacks
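The gateway rule of slide 21 ("reject external packets to broadcast address") and the telescope observation of slide 24, as one added Python example (not code from the lecture or its authors) over a handful of constructed packet records: a filter that drops inbound packets from outside addressed to an internal directed-broadcast address, and a tally of unsolicited SYN/ACKs landing in an otherwise unused block, grouped by the source that sent them, which is the host answering spoofed SYNs and therefore the probable victim. The scale-up at the end assumes spoofed source addresses were spread uniformly over IPv4, an assumption of this example that the slide does not state. All addresses, subnets and packets are constructed samples.

```python
import ipaddress
from collections import Counter, namedtuple

# Minimal view of a packet header; every record below is a constructed sample.
Packet = namedtuple("Packet", "src dst proto flags")

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]     # the gateway's inside subnets
TELESCOPE_NET = ipaddress.ip_network("10.0.0.0/8")          # unused block watched by the telescope

SAMPLE_PACKETS = [
    Packet("203.0.113.7",   "192.0.2.255", "icmp", "echo-request"),  # outside -> our broadcast
    Packet("192.0.2.10",    "192.0.2.255", "icmp", "echo-request"),  # inside -> our broadcast
    Packet("203.0.113.7",   "192.0.2.10",  "icmp", "echo-request"),  # outside -> a single host
    Packet("198.51.100.20", "10.1.2.3",    "tcp",  "SA"),            # SYN/ACK into the telescope
    Packet("198.51.100.20", "10.9.8.7",    "tcp",  "SA"),
    Packet("198.51.100.20", "10.200.1.1",  "tcp",  "SA"),
    Packet("192.0.2.10",    "10.4.4.4",    "tcp",  "S"),             # a SYN, not backscatter
    Packet("198.51.100.99", "172.16.0.1",  "tcp",  "SA"),            # outside the telescope block
]


def is_directed_broadcast(dst: str, internal_nets) -> bool:
    """True if dst is the broadcast address of one of our subnets."""
    d = ipaddress.ip_address(dst)
    return any(d == net.broadcast_address for net in internal_nets)


def gateway_accepts(pkt: Packet, internal_nets=INTERNAL_NETS) -> bool:
    """Slide 21 prevention: reject packets from outside that are addressed to an internal
    broadcast address, so our hosts cannot be turned into a Smurf amplifier."""
    src = ipaddress.ip_address(pkt.src)
    from_outside = not any(src in net for net in internal_nets)
    return not (from_outside and is_directed_broadcast(pkt.dst, internal_nets))


def backscatter_by_source(packets, telescope_net=TELESCOPE_NET) -> dict:
    """Slide 24: the telescope block never sends SYNs, so a SYN/ACK arriving there is
    backscatter; its source is the host replying to spoofed SYNs, i.e. the likely victim."""
    counts = Counter()
    for p in packets:
        if (p.proto == "tcp" and p.flags == "SA"
                and ipaddress.ip_address(p.dst) in telescope_net):
            counts[p.src] += 1
    return dict(counts)


def estimate_total_backscatter(observed: int, telescope_net=TELESCOPE_NET) -> float:
    """Scale what the telescope saw up to the whole IPv4 space (2^32 addresses), assuming
    the spoofed source addresses were uniform; an assumption of this example."""
    return observed * (2 ** 32 / telescope_net.num_addresses)


if __name__ == "__main__":
    for p in SAMPLE_PACKETS[:3]:
        print("accept" if gateway_accepts(p) else "drop  ", p.src, "->", p.dst)
    seen = backscatter_by_source(SAMPLE_PACKETS)
    for victim, n in seen.items():
        print(f"{victim}: {n} SYN/ACKs seen, ~{estimate_total_backscatter(n):.0f} sent in total")
```

Only the first packet is dropped: the same echo request from an inside host, or to a single inside host, passes, so the rule removes the amplifier without breaking ordinary ping. The telescope tally ignores SYNs and anything outside the monitored block, so a /8 telescope that sees 3 SYN/ACKs from one source implies roughly 256 times as many were sent to spoofed addresses overall.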