CMU CS 15744 - Security and DoS
15-744: Computer Networking
L-22 Security and DoS

Slide outline:
• Overview
• Basic IP
• Routing
• Slide 5
• ICMP
• TCP
• Sequence Number Guessing Attack
• Slide 9
• DNS
• Slide 11
• Denial of Service: What is it?
• TCP Reminder: 3-Way Handshake
• Example DoS: TCP SYN Floods
• Preventing SYN floods
• SYN Cookies
• Bandwidth Floods
• Reflector Attacks
• Inferring DoS Activity: Backscatter
• Bandwidth DOS Attacks - Solutions
• Spoofing 1: Ingress/Egress Filtering
• Spoofing 2: RPF Checks
• Secure Overlay Services
• Slide 25
• Capabilities
• Unforgeable Capabilities
• TVA (Capability)
• Fine-Grained Capabilities
• Slide 31
• Bounded Router State
• Balancing Authorized Traffic
• Short, Slow or Asymmetric Flows
• Slide 36
• Filters & Pushback
• The Need for Traceback
• Approaches to Traceback
• IP Traceback
• Slide 41
• Edge Sampling
• Log-Based Traceback
• Challenges to Logging
• Solution: Packet Digesting
• Invariant Content
• Bloom Filters
• Mistake Propagation is Limited
• Adjusting Graph Accuracy
• How long can digests last?

2 Overview
• Security holes in IP stack
• Denial of service
• Capabilities
• Traceback

3 Basic IP
• End hosts create IP packets and routers process them purely based on destination address alone (not quite in reality)
• Problem – End host may lie about other fields and not affect delivery
  • Source address – host may trick destination into believing that packet is from trusted source
    • Many applications use IP address as a simple authentication method
    • Solution – reverse path forwarding checks, better authentication
  • Fragmentation – can consume memory resources or otherwise trick destination/firewalls
    • Solution – disallow fragments

4 Routing
• Source routing
  • Destinations are expected to reverse source route for replies
  • Problem – Can force packets to be routed through convenient monitoring point
  • Solution – Disallow source routing – doesn't work well anyway!

5 Routing
• Routing protocol
  • Malicious hosts may advertise routes into network
  • Problem – Bogus routes may enable host to monitor traffic or deny service to others
  • Solutions
    • Use policy mechanisms to only accept routes from or to certain networks/entities
    • In link state routing, can use something like source routing to force packets onto valid route
    • Routing registries and certificates

6 ICMP
• Reports errors and other conditions from network to end hosts
• End hosts take actions to respond to error
• Problem
  • An entity can easily forge a variety of ICMP error messages
  • Redirect – informs end-hosts that it should be using different first hop route
  • Fragmentation – can confuse path MTU discovery
  • Destination unreachable – can cause transport connections to be dropped

7 TCP
• Each TCP connection has an agreed upon/negotiated set of associated state
  • Starting sequence numbers, port numbers
• Knowing these parameters is sometimes used to provide some sense of security
• Problem
  • Easy to guess these values
  • Listening port #'s are well known and connecting port #'s are typically allocated sequentially
  • Starting sequence numbers are chosen in a predictable way
• Solution – make sequence number selection more random

8 Sequence Number Guessing Attack
Attacker → Victim: SYN(ISNx), SRC=Trusted Host
Victim → Trusted Host: SYN(ISNs), ACK(ISNx)
Attacker → Victim: ACK(guess of ISNs), SRC=Trusted Host
Attacker → Victim: ACK(guess of ISNs), SRC=Trusted Host, data = "rm -r /"
• Attacker must also make sure that Trusted Host does not respond to the SYN/ACK (a reset from it would kill the half-open connection)
• Can repeat until guess is accurate

9 TCP
• TCP senders assume that receivers behave in certain ways (e.g. when they send acks, etc.)
• Congestion control is typically done on a "packet" basis while the rest of TCP is based on bytes
• Problem – misbehaving receiver can trick sender into ignoring congestion control
  • Ack every byte in packet!
  • Send extra duplicate acks
  • Ack before the data is received (needs some application level retransmission – e.g. HTTP 1.1 range requests)
• Solutions
  • Make congestion control byte oriented
  • Add nonces to packets – acks return nonce to truly indicate reception

10 DNS
• Users/hosts typically trust the host-address mapping provided by DNS
• Problems
  • Zone transfers can provide useful list of target hosts
  • Interception of requests or compromise of DNS servers can result in bogus responses
• Solution – authenticated requests/responses

11 Overview
• Security holes in IP stack
• Denial of service
• Capabilities
• Traceback

12 Denial of Service: What is it?
• Crash victim (exploit software flaws)
• Attempt to exhaust victim's resources
  • Network: Bandwidth
  • Host
    • Kernel: TCP connection state tables, etc.
    • Application: CPU, memory, etc.
• Often high-rate attacks, but not always
[Figure: Attacker, Victim]

13 TCP Reminder: 3-Way Handshake
[Figure: client C and server S. C → S: SYN_C; S → C: SYN_S, ACK_C; C → S: ACK_S. Server side: Listening → Create TCB → Wait → Connected]
slide credit: Feamster

14 Example DoS: TCP SYN Floods
• Each arriving SYN stores state at the server
  • TCP Control Block (TCB)
    • ~280 bytes
    • FlowID, timer info, sequence number, flow control status, out-of-band data, MSS, other options
• Attack:
  • Send TCP SYN packets with bogus src addr
  • Half-open TCB entries exist until timeout
  • Kernel limits on # of TCBs
  • Resources exhausted → requests rejected

15 Preventing SYN floods
• Principle 1: Minimize state before auth
  • (3 way handshake == auth)?
• Compressed TCP state
  • Very tiny state representation for half-open conns
  • Don't create the full TCB
  • A few bytes per connection == can store 100,000s of half-open connections

16 SYN Cookies
• Idea: Keep no state until auth.
• In response to SYN send back self-validating token to source that source must attach to ACK
  • SYN → SYN/ACK+token → ACK+token
  • Validates that the source IP is valid (the SYN/ACK actually reached whoever sent the SYN)
• How to carry the token in the SYN/ACK? Sequence #s!
  • top 5 bits: time counter
  • next 3: encode the MSS
  • bottom 24: F(client IP, port, server IP, port, t)
• Downside to this encoding: loses options.

17 Bandwidth Floods
• 1990s: Brute force from a few machines
  • Pretty easy to stop: filter the sources
  • Until they spoof their src addr!
• Late 90s, early 00s: Traffic amplifiers
  • Spoofed source addrs (next)
• Modern era: Botnets
  • Use a worm to compromise 1000s+ of machines
  • Often don't need to bother with spoofing

18 Reflector Attacks
• Spoof source address
• Send query to service
• Response goes to victim
• If response >> query, "amplifies" attack
• Hides real attack source from victim
• Amplifiers:
  • DNS responses (50 byte query → 400 byte resp)
  • ICMP to broadcast addr (1 pkt → 50 pkts) ("smurf")

19 Inferring DoS Activity: Backscatter
IP address spoofing creates
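Added worked example for slides 7 and 8 (my code, not from the lecture): a toy victim that, like the hosts on slide 3, authenticates by source address, driven once with a 4.4BSD-style counter ISN generator and once with an RFC 6528-style keyed-hash generator. The addresses, the 64000-per-connection increment, and the attacker's preliminary probe connection (used to sample the victim's current ISN) are assumptions of the model, as is the premise that the trusted host has been silenced so it never answers the SYN/ACK.

```python
import hashlib
import secrets
from typing import Dict, Set, Tuple

MASK32 = 0xFFFF_FFFF
# Constructed addresses for the three parties of slide 8 (assumed, documentation ranges).
ATTACKER = ("198.51.100.7", 40000)
TRUSTED = ("192.0.2.10", 1023)
VICTIM = ("203.0.113.5", 513)

Endpoint = Tuple[str, int]


class Bsd44ISN:
    """4.4BSD-style generator (assumption: one global counter bumped by 64000 per
    connection, the 'predictable way' of slide 7). Anyone who opens one connection
    learns the next ISN the victim will hand out."""
    def __init__(self, start: int = 0x1000_0000) -> None:
        self.counter = start

    def next_isn(self, client: Endpoint, server: Endpoint) -> int:
        self.counter = (self.counter + 64000) & MASK32
        return self.counter


class Rfc6528ISN:
    """ISN = M + F(localip, localport, remoteip, remoteport, secret): the 'more random'
    selection slide 7 asks for. F is a truncated keyed hash, so ISNs for different
    4-tuples are unrelated and cannot be extrapolated from a probe."""
    def __init__(self) -> None:
        self.secret = secrets.token_bytes(16)
        self.clock = 0  # M: monotonic clock; advanced a little per call for illustration

    def next_isn(self, client: Endpoint, server: Endpoint) -> int:
        msg = f"{server[0]}:{server[1]}|{client[0]}:{client[1]}".encode() + self.secret
        f = int.from_bytes(hashlib.sha256(msg).digest()[:4], "big")
        self.clock = (self.clock + 4) & MASK32
        return (self.clock + f) & MASK32


class Victim:
    """Minimal listener: a SYN allocates a half-open entry with ISN_s; the connection is
    ESTABLISHED only if an ACK from the same endpoint carries ISN_s + 1. The victim
    trusts the source address, which is exactly what the attack exploits."""
    def __init__(self, isn_gen) -> None:
        self.isn_gen = isn_gen
        self.half_open: Dict[Endpoint, int] = {}
        self.established: Set[Endpoint] = set()

    def on_syn(self, src: Endpoint) -> int:
        isn_s = self.isn_gen.next_isn(src, VICTIM)
        self.half_open[src] = isn_s
        return isn_s  # carried in the SYN/ACK sent to src, whoever src really is

    def on_ack(self, src: Endpoint, ack: int) -> bool:
        isn_s = self.half_open.get(src)
        if isn_s is None or ack != (isn_s + 1) & MASK32:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


def run_attack(victim: Victim, attempts: int = 1) -> bool:
    """The exchange of slide 8. Each attempt: sample the victim's ISN with a connection
    from the attacker's own address, send a SYN spoofed as Trusted Host, guess ISN_s
    from the sample, and send the spoofed ACK. Returns True once the victim has marked
    the spoofed connection ESTABLISHED ('can repeat until guess is accurate')."""
    for i in range(attempts):
        probe = (ATTACKER[0], ATTACKER[1] + i)
        observed = victim.on_syn(probe)         # attacker receives this SYN/ACK itself
        victim.on_syn(TRUSTED)                  # victim's SYN/ACK goes to the (silenced) trusted host
        guess = (observed + 64000) & MASK32     # attacker's model: one connection opened since the probe
        if victim.on_ack(TRUSTED, (guess + 1) & MASK32):
            return True
    return False
```

With the counter generator a single attempt succeeds; with the keyed-hash generator each attempt has a 2^-32 chance, so repeating is hopeless from off-path. Note that a real victim in SYN-RECEIVED answers a wrong ACK with a RST, which is why the attacker's only feedback is whether the later data packet had an effect.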
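Added example for slide 9's "add nonces to packets" solution (my own simulation, not the lecture's code): a sender that grows its window only on ACKs that echo the correct cumulative nonce sum, run against an honest receiver and against an optimistic acker that acks a segment still in flight. The one-round channel delay, the 1000-byte segments, and the "one segment per ACK" window growth are modelling assumptions; the nonce-sum check is a simplified form of the cumulative-nonce idea the slide refers to.

```python
import secrets
from dataclasses import dataclass
from typing import List, Tuple

MASK32 = 0xFFFF_FFFF
MSS = 1000  # bytes per segment in this model (assumed)


@dataclass
class Segment:
    seq: int    # first byte
    end: int    # one past the last byte
    nonce: int  # fresh 32-bit value the receiver must echo


@dataclass
class Ack:
    ack: int        # cumulative: next byte the receiver claims to expect
    nonce_sum: int  # sum mod 2^32 of the nonces of every segment acked


class Sender:
    """Window grows by one segment per ACK that advances (simplified slow start).
    With check_nonce=True the ACK must also carry the right nonce sum, so a receiver
    cannot profit from acking bytes it has not actually seen."""
    def __init__(self, check_nonce: bool) -> None:
        self.check_nonce = check_nonce
        self.next_seq = 0
        self.sent: List[Segment] = []
        self.cwnd = 1
        self.last_ack = 0
        self.cheat_detected = False

    def send_window(self) -> List[Segment]:
        window = []
        for _ in range(self.cwnd):
            seg = Segment(self.next_seq, self.next_seq + MSS, secrets.randbits(32))
            self.sent.append(seg)
            self.next_seq += MSS
            window.append(seg)
        return window

    def expected_nonce_sum(self, ack: int) -> int:
        return sum(s.nonce for s in self.sent if s.end <= ack) & MASK32

    def on_ack(self, a: Ack) -> None:
        if self.cheat_detected or a.ack > self.next_seq:
            return  # already caught cheating, or acking bytes never sent: ignore
        if self.check_nonce and a.nonce_sum != self.expected_nonce_sum(a.ack):
            self.cheat_detected = True  # proof of receipt failed: freeze the window
            return
        if a.ack > self.last_ack:
            self.last_ack = a.ack
            self.cwnd += 1


class HonestReceiver:
    def __init__(self) -> None:
        self.ack = 0
        self.nonce_sum = 0

    def deliver(self, seg: Segment) -> None:  # in-order, loss-free channel in this model
        self.ack = seg.end
        self.nonce_sum = (self.nonce_sum + seg.nonce) & MASK32

    def make_ack(self) -> Ack:
        return Ack(self.ack, self.nonce_sum)


class OptAckReceiver(HonestReceiver):
    """Slide 9's 'ack before the data is received': claims one more segment than it
    has and, lacking that segment's nonce, can only guess the sum."""
    def make_ack(self) -> Ack:
        return Ack(self.ack + MSS, secrets.randbits(32))


def simulate(sender: Sender, receiver: HonestReceiver, rounds: int = 10) -> Tuple[int, bool]:
    """One round: sender transmits its window, last round's window arrives, receiver acks.
    Returns (final cwnd, whether the sender flagged the receiver)."""
    in_flight: List[Segment] = []
    for _ in range(rounds):
        new = sender.send_window()
        for seg in in_flight:
            receiver.deliver(seg)
        in_flight = new
        sender.on_ack(receiver.make_ack())
    return sender.cwnd, sender.cheat_detected
```

Without the check the optimistic acker ends the run with a larger window than the honest receiver, because every ack arrives one round early; with the check it is caught on its first ack. The byte-oriented alternative from the same slide addresses the "ack every byte" trick instead, which this simulation does not model.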
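Added example for slides 14 to 16 (not the lecture's code): the 5/3/24-bit cookie layout of slide 16 encoded into the SYN/ACK sequence number and checked on the returning ACK, beside a stateful server with a capped half-open table, both hit with the same spoofed SYN flood. The 8-entry MSS table, the 64-second tick of the time counter, HMAC-SHA256 as F, the backlog size, and the addresses are my assumptions; real implementations differ in those details but keep the same structure.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

MASK32 = 0xFFFF_FFFF
MASK24 = 0x00FF_FFFF
# Assumed 8-entry table: the 3-bit field stores an index into it, not the MSS itself.
MSS_TABLE = (536, 1024, 1440, 1460, 2048, 4096, 8192, 9000)
TICK_SECONDS = 64                  # assumed granularity of the 5-bit time counter
SECRET = secrets.token_bytes(32)   # server-wide key for F; never leaves the server

Endpoint = Tuple[str, int]


def time_counter(now: float) -> int:
    """Top 5 bits: a coarse clock that wraps every 32 ticks."""
    return int(now // TICK_SECONDS) & 0x1F


def f(client: Endpoint, server: Endpoint, t: int) -> int:
    """Bottom 24 bits: keyed MAC over the 4-tuple and the time counter, truncated."""
    msg = f"{client[0]}:{client[1]}|{server[0]}:{server[1]}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def mss_index(client_mss: int) -> int:
    """Largest table entry not above the MSS the client advertised (3 bits)."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= client_mss:
            idx = i
    return idx


def make_cookie(client: Endpoint, server: Endpoint, client_mss: int, now: float) -> int:
    t = time_counter(now)
    return ((t << 27) | (mss_index(client_mss) << 24) | f(client, server, t)) & MASK32


def check_cookie(client: Endpoint, server: Endpoint, ack_number: int, now: float,
                 max_age_ticks: int = 1) -> Optional[int]:
    """Validate the cookie echoed in the ACK; return the MSS to use, or None if bogus/expired."""
    cookie = (ack_number - 1) & MASK32          # the client's ACK acknowledges ISN_s + 1
    t, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & MASK24
    if ((time_counter(now) - t) & 0x1F) > max_age_ticks:
        return None                             # too old: reject instead of keeping a timer
    expected = f(client, server, t)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


class StatefulServer:
    """Slide 14: one TCB per half-open connection, capped like a kernel backlog."""
    def __init__(self, max_tcb: int) -> None:
        self.max_tcb = max_tcb
        self.half_open: Dict[Endpoint, int] = {}
        self.established: Set[Endpoint] = set()

    def on_syn(self, client: Endpoint, now: float) -> Optional[int]:
        if len(self.half_open) >= self.max_tcb:
            return None                         # backlog full: SYN dropped, no SYN/ACK at all
        isn_s = secrets.randbits(32)
        self.half_open[client] = isn_s
        return isn_s

    def on_ack(self, client: Endpoint, ack_number: int, now: float) -> bool:
        isn_s = self.half_open.get(client)
        if isn_s is None or ack_number != (isn_s + 1) & MASK32:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


class SynCookieServer:
    """Slide 16: no per-SYN state; the SYN/ACK sequence number is the state."""
    SERVER: Endpoint = ("203.0.113.5", 80)      # constructed address

    def __init__(self) -> None:
        self.established: Dict[Endpoint, int] = {}  # client -> MSS recovered from the cookie

    def on_syn(self, client: Endpoint, now: float, client_mss: int = 1460) -> int:
        return make_cookie(client, self.SERVER, client_mss, now)

    def on_ack(self, client: Endpoint, ack_number: int, now: float) -> bool:
        mss = check_cookie(client, self.SERVER, ack_number, now)
        if mss is None:
            return False
        self.established[client] = mss
        return True


def syn_flood_then_legit(server, flood_size: int, now: float = 1000.0) -> bool:
    """Spoofed SYNs (constructed 10.x.y.z sources) never finish the handshake; then a
    real client tries. Returns whether the real client got connected."""
    for i in range(flood_size):
        spoofed = (f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000 + (i % 20000))
        server.on_syn(spoofed, now)
    legit = ("192.0.2.10", 51515)
    isn_s = server.on_syn(legit, now)
    if isn_s is None:
        return False
    return server.on_ack(legit, (isn_s + 1) & MASK32, now + 0.1)
```

Two practitioner caveats follow directly from the layout. Only 24 bits of MAC survive, so an attacker who can reach the server from a given 4-tuple has a 2^-24 chance per blind ACK; the 5-bit time counter and the age check bound how long each guess space stays valid. And because the cookie replaces the TCB, every option the server would normally remember (window scale, SACK permitted, timestamps) is lost except the 3-bit MSS index, which is the "loses options" downside on slide 16.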