Security Part One: Attacks and Countermeasures
15-441
With slides from: Debabrata Dash, Nick Feamster, Vyas Sekar
15-411: F08 security 1

Flashback .. Internet design goals
1. Interconnection
2. Failure resilience
3. Multiple types of service
4. Variety of networks
5. Management of resources
6. Cost-effective
7. Low entry-cost
8. Accountability for resources
Where is security?

Why did they leave it out?
• Designed for connectivity
• Network designed with implicit trust
  - No “bad” guys
• Can’t security be provided at the edge?
  - Encryption, Authentication etc
  - End-to-end arguments in system design

Security Vulnerabilities
• At every layer in the protocol stack!
• Network-layer attacks
  - IP-level vulnerabilities
  - Routing attacks
• Transport-layer attacks
  - TCP vulnerabilities
• Application-layer attacks

IP-level vulnerabilities
• IP addresses are provided by the source
  - Spoofing attacks
• Using IP address for authentication
  - e.g., login with .rhosts
• Some “features” that have been exploited
  - Fragmentation
  - Broadcast for traffic amplification

Security Flaws in IP
• The IP addresses are filled in by the originating host
  - Address spoofing
• Using source address for authentication
  - r-utilities (rlogin, rsh, rhosts etc..)
[Diagram: hosts A (1.1.1.1), B (1.1.1.2) and server S (1.1.1.3) on one network; host C (2.1.1.1) reached across the Internet]
• Can A claim it is B to the server S?
  - ARP Spoofing
• Can C claim it is B to the server S?
  - Source Routing

Smurf Attack
[Diagram: Attacking System -> Internet -> Broadcast Enabled Network -> Victim System]

ICMP Attacks
• No authentication
• ICMP redirect message
  - Can cause the host to switch gateways
  - Benefit of doing this? Man in the middle attack, sniffing
• ICMP destination unreachable
  - Can cause the host to drop connection
• ICMP echo request/reply
• Many more… http://www.sans.org/rr/whitepapers/threats/477.php

Routing attacks
• Divert traffic to malicious nodes
  - Black-hole
  - Eavesdropping
• How to implement routing attacks?
  - Distance-Vector: Announce low-cost routes
  - Link-state: Dropping links from topology
• BGP vulnerabilities
  - Prefix-hijacking
  - Path alteration
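The slides ask whether C can claim to be B toward S, and show broadcast amplification (Smurf). The network-layer countermeasure for both is a border filter: ingress filtering (nothing from the outside may carry one of our own addresses), egress filtering (BCP 38: our hosts may only send with our own addresses) and refusing echo requests to the directed-broadcast address. The following is an added example in Python, not code from the lecture; the interface names, the 1.1.1.0/24 prefix taken from the diagram and the sample packets are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the slide's diagram: A, B and S share one network, C is outside it.
INTERNAL_NET = ipaddress.ip_network("1.1.1.0/24")


@dataclass(frozen=True)
class Packet:
    iface: str                       # "ext": arrived from the Internet; "int": arrived from our hosts
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None  # 8 = ICMP echo request


def filter_packet(pkt: Packet, internal_net=INTERNAL_NET):
    """Return ("accept" | "drop", reason) for one packet seen at the border router."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # 1. Ingress filtering: a packet from the Internet can never legitimately
    #    carry one of our own addresses, so C cannot pose as B toward S.
    if pkt.iface == "ext" and src in internal_net:
        return "drop", "spoofed internal source on external interface"

    # 2. Egress filtering (BCP 38): hosts inside may only send with our prefix,
    #    so we cannot be the origin of spoofed traffic toward other networks.
    if pkt.iface == "int" and src not in internal_net:
        return "drop", "source outside our prefix on internal interface"

    # 3. Loopback, unspecified and multicast sources are never valid on the wire.
    if src.is_loopback or src.is_unspecified or src.is_multicast:
        return "drop", "bogon source address"

    # 4. Smurf amplification: echo requests aimed at our directed-broadcast address.
    if pkt.proto == "icmp" and pkt.icmp_type == 8 and dst == internal_net.broadcast_address:
        return "drop", "ICMP echo request to directed broadcast"

    return "accept", ""


# Constructed sample traffic, one packet per case the slides raise.
SAMPLE_PACKETS = [
    Packet("ext", "1.1.1.2", "1.1.1.3", "tcp"),         # outside host claiming to be B toward S
    Packet("ext", "2.1.1.1", "1.1.1.3", "tcp"),         # C talking to S with its real address
    Packet("ext", "2.1.1.1", "1.1.1.255", "icmp", 8),   # echo request to our broadcast address
    Packet("int", "1.1.1.1", "2.1.1.1", "tcp"),         # A talking out normally
    Packet("int", "9.9.9.9", "2.1.1.1", "tcp"),         # inside host sending with a foreign source
]


def run_sample():
    """Decisions for the constructed sample, as (src, dst, verdict) tuples."""
    return [(p.src, p.dst, filter_packet(p)[0]) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, reason = filter_packet(p)
        print(f"{p.iface:3} {p.src:>9} -> {p.dst:<9} {verdict:6} {reason}")
```

The order of the rules matters only for the reason string; every rule is a pure drop, so the filter is safe to evaluate in any order. The ARP-spoofing question (A claiming to be B on the same segment) is not addressed by this filter, because that traffic never crosses the border router.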
TCP-level attacks
• SYN-Floods
  - Implementations create state at servers before connection is fully established
• Session hijack
  - Pretend to be a trusted host
  - Sequence number guessing
• Session resets
  - Close a legitimate connection

Session Hijack
Parties: Trusted (T), Malicious (M), Server
First send a legitimate SYN to server:
1. M -> Server: SYN (ISN_X), SRC = X
2. Server -> M: SYN (ISN_S1), ACK (ISN_X)

Session Hijack
Using ISN_S1 from the earlier connection, guess ISN_S2!
1. M -> Server: SYN (ISN_X), SRC = T
2. Server -> T: SYN (ISN_S2), ACK (ISN_X)
3. M -> Server: ACK (ISN_S2), SRC = T

TCP Layer Attacks
• TCP SYN Flooding
  - Exploit state allocated at server after initial SYN packet
  - Send a SYN and don’t reply with ACK
  - Server will wait for 511 seconds for ACK
  - Finite queue size for incomplete connections (1024)
  - Once the queue is full it doesn’t accept requests

TCP Layer Attacks
• TCP Session Poisoning
  - Send RST packet
  - Will tear down connection
  - Do you have to guess the exact sequence number?
  - Anywhere in window is fine
  - For 64k window it takes 64k packets to reset
  - About 15 seconds for a T1

An Example
Parties: Shimomura (S), Trusted (T), Mitnick
Each step, with what it achieves:
• Finger @S
  - Attack when no one is around
• showmount -e
  - What other systems it trusts?
• Send 20 SYN packets to S
  - Determine ISN behavior
• SYN flood T
  - T won’t respond to packets
• Send SYN to S spoofing as T
• Send ACK to S with a guessed number
  - S assumes that it has a session with T
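Two of the points above are things a defender can measure rather than just describe: whether a server's ISNs are predictable from a handful of observed connections (the "determine ISN behavior" step that makes guessing ISN_S2 possible), and whether a stack honours a RST anywhere in the receive window (the "64k packets for a 64k window" arithmetic). The following is an added example, not code from the lecture. The ISN series are constructed; the stricter RST rule shown beside the classic one is RFC 5961's (only a RST at exactly RCV.NXT resets, anything else draws a challenge ACK), which goes beyond the slides and is the standard mitigation for blind in-window resets.

```python
import random
from collections import Counter

MOD = 1 << 32  # TCP sequence numbers are 32-bit, so all arithmetic wraps modulo 2^32

# Constructed sample: a server whose ISN advances by a fixed 64000 per connection.
SAMPLE_FIXED_INCREMENT = [(100_000 + 64_000 * i) % MOD for i in range(12)]


def sample_random_isns(seed=7, n=20):
    """Constructed sample standing in for a stack with randomized ISNs."""
    rnd = random.Random(seed)
    return [rnd.getrandbits(32) for _ in range(n)]


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def extrapolation_hit_rate(isns):
    """Fraction of samples where 'previous ISN + previous delta' equals the next observed ISN.
    1.0 means the next ISN is fully determined by the last two; 0.0 means extrapolation never hits."""
    deltas = isn_deltas(isns)
    hits = sum(1 for i in range(1, len(deltas))
               if (isns[i] + deltas[i - 1]) % MOD == isns[i + 1])
    return hits / (len(deltas) - 1)


def assess_isn_generator(isns):
    """Classify a series of ISNs sampled from consecutive connections to one server."""
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = isn_deltas(isns)
    _, count = Counter(deltas).most_common(1)[0]
    constant = count == len(deltas)                 # every delta identical
    distinct_ratio = len(set(deltas)) / len(deltas)
    hit_rate = extrapolation_hit_rate(isns)
    if constant or hit_rate >= 0.5:
        verdict = "predictable"
    elif distinct_ratio >= 0.9 and hit_rate == 0.0:
        verdict = "unpredictable"
    else:
        verdict = "suspicious"
    return {"constant_increment": constant, "distinct_delta_ratio": distinct_ratio,
            "extrapolation_hit_rate": hit_rate, "verdict": verdict}


def rst_accepted_rfc793(seq, rcv_nxt, rcv_wnd):
    """Classic receiver rule: a RST is honoured if its sequence number lies anywhere in the
    receive window, RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, with 32-bit wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_accepted_rfc5961(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 tightening: only SEG.SEQ == RCV.NXT resets; an in-window but inexact RST
    is answered with a challenge ACK instead of tearing the connection down."""
    return seq == rcv_nxt


def blind_rst_guesses_needed(rcv_wnd):
    """Expected number of blind RST segments to land one in the window under the classic
    rule: 2^32 / window (the slide's '64k packets for a 64k window')."""
    return MOD // rcv_wnd


if __name__ == "__main__":
    print("fixed increment:", assess_isn_generator(SAMPLE_FIXED_INCREMENT))
    print("randomized     :", assess_isn_generator(sample_random_isns()))
    print("guesses for 64k window:", blind_rst_guesses_needed(65536))
    print("RST at RCV.NXT+500, classic:", rst_accepted_rfc793(1000, 500, 65536),
          " RFC 5961:", rst_accepted_rfc5961(1000, 500, 65536))
```

Running the assessment against your own servers (the ISNs come from the SYN-ACKs they send you) is the defender's version of the "determine ISN behavior" step; a "predictable" verdict means the spoofed-ACK step of the hijack works without ever seeing the server's reply. The RST comparison shows why the 64k-packet estimate no longer holds on a stack that implements RFC 5961: the window no longer helps the guesser.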
An Example (continued)
• Send “echo + + > ~/.rhosts”
  - Give permission to anyone from anywhere

Where do the problems come from?
• Protocol-level vulnerabilities
  - Implicit trust assumptions in design
• Implementation vulnerabilities
  - Both on routers and end-hosts
• Incomplete specifications
  - Often left to the imagination of programmers

Outline
• Security Vulnerabilities
• Denial of Service
• Worms
• Countermeasures: Firewalls/IDS

Denial of Service
• Make a service unusable/unavailable
• Disrupt service by taking down hosts
  - E.g., ping-of-death
• Consume host-level resources
  - E.g., SYN-floods
• Consume network
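The SYN-flood material gives the server-side numbers (a 511-second wait for the final ACK, a queue of 1024 incomplete connections) and the Denial of Service slide lists SYN floods as host-resource exhaustion. The quantity a defender watches is the same one the attack fills: half-open connections per listening socket. The following is an added example, not code from the lecture: a small monitor over a constructed, simplified segment log (lines of the form "t=<seconds> src:port > dst:port <flags>", with S, SA, A and R standing for the TCP flags) that tracks handshake state, expires entries the way the server would, and raises an alert when one listener's half-open count crosses a threshold. The log format and the sample traffic are constructed for the example; the 511 s and 1024 figures are the slide's.

```python
import re
from collections import defaultdict

SYN_TIMEOUT_S = 511.0   # from the slide: the server waits 511 s for the final ACK
BACKLOG_LIMIT = 1024    # from the slide: queue size for incomplete connections

# Constructed log format: "t=0.00 2.1.1.1:40000 > 1.1.1.3:80 S"
LINE_RE = re.compile(
    r"t=(?P<t>[\d.]+) (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[SAR]+)")


def parse_segment(line):
    m = LINE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    d = m.groupdict()
    return {"t": float(d["t"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"]}


def monitor(lines, alert_threshold=BACKLOG_LIMIT // 2, timeout=SYN_TIMEOUT_S):
    """Replay a segment log and report half-open connections per listening socket."""
    half_open = {}          # (src, sport, dst, dport) -> time the SYN arrived
    established = 0
    alerts, alerted = [], set()
    for seg in map(parse_segment, lines):
        now = seg["t"]
        # Drop entries the server itself would have timed out by now.
        for key, t0 in list(half_open.items()):
            if now - t0 > timeout:
                del half_open[key]
        key = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        reverse = (seg["dst"], seg["dport"], seg["src"], seg["sport"])
        if seg["flags"] == "S":                     # client SYN: state allocated at the server
            half_open[key] = now
        elif seg["flags"] == "A" and key in half_open:   # client's final ACK completes it
            del half_open[key]
            established += 1
        elif seg["flags"] == "R":                   # RST from either side clears the entry
            half_open.pop(key, None)
            half_open.pop(reverse, None)
        # Count what is pending per (dst, dport); that is the queue the slide describes.
        per_listener = defaultdict(int)
        for (_, _, d, dp) in half_open:
            per_listener[(d, dp)] += 1
        for listener, n in per_listener.items():
            if n >= alert_threshold and listener not in alerted:
                alerted.add(listener)
                alerts.append({"t": now, "listener": listener, "half_open": n})
    return {"half_open": len(half_open), "established": established, "alerts": alerts}


def constructed_sample():
    """Three normal handshakes from C to S, then 50 SYNs from distinct sources that are never completed."""
    lines, t = [], 0.0
    for i in range(3):
        p = 40000 + i
        lines += [f"t={t:.2f} 2.1.1.1:{p} > 1.1.1.3:80 S",
                  f"t={t + 0.01:.2f} 1.1.1.3:80 > 2.1.1.1:{p} SA",
                  f"t={t + 0.02:.2f} 2.1.1.1:{p} > 1.1.1.3:80 A"]
        t += 1.0
    for i in range(50):
        lines.append(f"t={t:.2f} 10.0.0.{i + 1}:{30000 + i} > 1.1.1.3:80 S")
        t += 0.01
    return lines


if __name__ == "__main__":
    print(monitor(constructed_sample(), alert_threshold=20))
```

With the threshold lowered to 20 for the sample, the alert fires on the twentieth pending SYN to 1.1.1.3:80 while the three legitimate connections have all completed; against a real backlog the threshold would sit below the 1024 limit so that the alert precedes the point where the server stops accepting requests. Because entries older than 511 s are dropped on each pass, a slow trickle of unanswered SYNs does not accumulate, which mirrors the server's own behaviour and keeps the count honest.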