Slide 1: Security Part One: Attacks and Countermeasures
15-441
With slides from: Debabrata Dash, Nick Feamster, Vyas Sekar
15-411: F08 security

Slide 2: Flashback .. Internet design goals
1. Interconnection
2. Failure resilience
3. Multiple types of service
4. Variety of networks
5. Management of resources
6. Cost-effective
7. Low entry-cost
8. Accountability for resources
Where is security?

Slide 3: Why did they leave it out?
• Designed for connectivity
• Network designed with implicit trust
  – No "bad" guys
• Can't security be provided at the edge?
  – Encryption, Authentication etc
  – End-to-end arguments in system design

Slide 4: Security Vulnerabilities
• At every layer in the protocol stack!
• Network-layer attacks
  – IP-level vulnerabilities
  – Routing attacks
• Transport-layer attacks
  – TCP vulnerabilities
• Application-layer attacks

Slide 5: IP-level vulnerabilities
• IP addresses are provided by the source
  – Spoofing attacks
• Using IP address for authentication
  – e.g., login with .rhosts
• Some "features" that have been exploited
  – Fragmentation
  – Broadcast for traffic amplification

Slide 6: Security Flaws in IP
• The IP addresses are filled in by the originating host
  – Address spoofing
• Using source address for authentication
  – r-utilities (rlogin, rsh, rhosts etc..)
[Figure: hosts A (1.1.1.1) and B (1.1.1.2) and server S (1.1.1.3) on one network; host C (2.1.1.1) reaches S across the Internet]
• Can A claim it is B to the server S?
  – ARP Spoofing
• Can C claim it is B to the server S?
  – Source Routing

Slide 7: Smurf Attack
[Figure: Attacking System, Internet, Broadcast Enabled Network, Victim System]

Slide 8: ICMP Attacks
• No authentication
• ICMP redirect message
  – Can cause the host to switch gateways
  – Benefit of doing this?
  – Man in the middle attack, sniffing
• ICMP destination unreachable
  – Can cause the host to drop connection
• ICMP echo request/reply
• Many more…
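Slides 5 through 7 turn on two facts: the source address is whatever the sender writes, and a subnet broadcast address answered by every host is an amplifier. The usual border-router countermeasure for both is ingress filtering. The script below is an added example, not part of the 15-441 slides: it models a border router that knows which prefix sits behind its inside interface, drops outbound packets whose source is not ours, drops inbound packets that claim one of our addresses, and drops inbound directed broadcasts. The interface names, the prefix 1.1.1.0/24 (taken from the slide 6 figure), the `Packet` record and the sample traffic are all constructed for illustration.

```python
"""Ingress filtering against source-address spoofing and Smurf-style
directed-broadcast amplification.

Added example, not part of the 15-441 slides. Models a border router that
knows which prefix is legitimately sourced behind its inside interface.
The interface names, prefix and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical topology: prefixes that may appear as a source on the inside interface.
INSIDE_PREFIXES = [ipaddress.ip_network("1.1.1.0/24")]


@dataclass(frozen=True)
class Packet:
    iface: str                       # "inside" or "outside"
    src: str
    dst: str
    proto: str                       # "tcp", "udp", "icmp"
    icmp_type: Optional[int] = None  # 8 = echo request (the Smurf trigger)


def _in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def _is_our_broadcast(addr):
    """True if addr is the directed-broadcast address of one of our subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in INSIDE_PREFIXES)


def ingress_verdict(pkt: Packet) -> str:
    """Return 'accept' or 'drop: <reason>' for a packet arriving at the border."""
    if pkt.iface == "inside":
        # Egress half of BCP 38: hosts behind us may only send with our addresses,
        # so this router never injects spoofed packets into the Internet.
        if not _in_any(pkt.src, INSIDE_PREFIXES):
            return "drop: source not in our prefixes (outbound spoof)"
        return "accept"

    # Packets arriving from the outside world.
    if _in_any(pkt.src, INSIDE_PREFIXES):
        # An external packet claiming an internal source is the classic spoof
        # against address-based trust such as .rhosts (slide 6: C claiming to be B).
        return "drop: external packet claims internal source"
    if _is_our_broadcast(pkt.dst):
        # Directed broadcast from outside: every host on the subnet would answer,
        # making our network a Smurf amplifier aimed at the (spoofed) source.
        return "drop: directed broadcast from outside"
    return "accept"


def filter_batch(packets):
    """Apply ingress_verdict to a batch and tally the verdicts."""
    tally = {}
    for pkt in packets:
        verdict = ingress_verdict(pkt)
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally


# Constructed sample traffic.
SAMPLE = [
    Packet("inside", "1.1.1.5", "8.8.8.8", "udp"),                   # normal outbound
    Packet("inside", "9.9.9.9", "8.8.8.8", "tcp"),                   # inside host spoofing
    Packet("outside", "5.5.5.5", "1.1.1.3", "tcp"),                  # normal inbound to S
    Packet("outside", "1.1.1.2", "1.1.1.3", "tcp"),                  # outsider claiming to be B
    Packet("outside", "7.7.7.7", "1.1.1.255", "icmp", icmp_type=8),  # Smurf trigger
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(f"{pkt.iface:7} {pkt.src:>9} -> {pkt.dst:<9} {ingress_verdict(pkt)}")
    print(filter_batch(SAMPLE))
```

The check is deliberately address-based only: it does not authenticate anyone, it just removes the two cheapest lies (a forged source and a borrowed broadcast domain) before they reach hosts that still trust addresses.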
  http://www.sans.org/rr/whitepapers/threats/477.php

Slides 9-10: Routing attacks (slide 10 fills in the answers left blank on slide 9)
• Divert traffic to malicious nodes
  – Black-hole
  – Eavesdropping
• How to implement routing attacks?
  – Distance-Vector: Announce low-cost routes
  – Link-state: Dropping links from topology
• BGP vulnerabilities
  – Prefix-hijacking
  – Path alteration

Slide 11: TCP-level attacks
• SYN-Floods
  – Implementations create state at servers before connection is fully established
• Session hijack
  – Pretend to be a trusted host
  – Sequence number guessing
• Session resets
  – Close a legitimate connection

Slides 12-13: Session Hijack
[Figure: Malicious (M), Trusted (T) and Server; M sends a SYN to the server]
• First send a legitimate SYN to server
• Using ISN_S1 from earlier connection guess ISN_S2!

Slide 14: TCP Layer Attacks
• TCP SYN Flooding
  – Exploit state allocated at server after initial SYN packet
  – Send a SYN and don't reply with ACK
  – Server will wait for 511 seconds for ACK
  – Finite queue size for incomplete connections (1024)
  – Once the queue is full it doesn't accept requests

Slide 15: TCP Layer Attacks
• TCP Session Poisoning
  – Send RST packet
  – Will tear down connection
  – Do you have to guess the exact sequence number?
  – Anywhere in window is fine
  – For 64k window it takes 64k packets to reset
  – About 15 seconds for a T1

Slides 16-19: An Example (built up one step per slide; the complete list is shown)
[Figure: Mitnick, Shimomura (S) and Trusted (T); arrows labelled Finger, Showmount -e, SYN, Syn flood, SYN|ACK, ACK and "+ + > rhosts"; an X marks T once it is flooded]
• Finger @S
• showmount –e
• Attack when no one is around
• What other systems it trusts?
• Send 20 SYN packets to S
• Determine ISN behavior
• SYN flood T
• T won't respond to packets
• Send SYN to S spoofing as T
• Send ACK to S with a guessed number
• S assumes that it has a session with T
• Send "echo + + > ~/.rhosts"
• Give permission to anyone from anywhere

Slide 20: Where do the problems come from?
• Protocol-level vulnerabilities
  – Implicit trust assumptions in design
• Implementation vulnerabilities
  – Both on routers and end-hosts
  – Incomplete specifications
  – Often left to the imagination of programmers

Slide 21: Outline
• Security Vulnerabilities
• Denial of Service
• Worms
• Countermeasures: Firewalls/IDS

Slide 22: Denial of Service
• Make a service unusable/unavailable
• Disrupt service by taking down hosts
  – E.g., ping-of-death
• Consume host-level resources
  – E.g., SYN-floods
• Consume network resources
  – E.g., UDP/ICMP floods

Slide 23: Simple DoS
[Figure: Attacker sends lots of traffic to Victim]
• Attacker usually spoofs source address to hide origin
• Aside: Backscatter Analysis
  – When attack traffic results in replies from the victim
  – E.g. TCP SYN, ICMP ECHO

Slide 24: Backscatter Analysis
• Attacker sends spoofed TCP SYN packets to www.haplessvictim.com
  – With spoofed addresses chosen at random
• My network sees TCP SYN-ACKs from www.haplessvictim.com at rate
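Slides 23 and 24 introduce backscatter analysis: when an attacker floods a victim with SYNs whose sources are chosen at random, the victim's SYN-ACKs scatter across the whole address space, and a network that watches an otherwise unused block sees its proportional share of them. The script below is an added example, not part of the slides. It assumes a hypothetical monitor logging every packet that arrives at an unused /16 (so every reply-type packet there is unsolicited) and that spoofed sources are uniform over IPv4, the same assumption the slide makes; under that assumption the victim's total reply rate is the observed rate scaled by 2^32 / |monitored addresses|. It goes slightly beyond the slide's SYN-ACK case by also counting RSTs and ICMP echo replies and unreachables as backscatter. The log records, the darknet prefix and the victim addresses are constructed.

```python
"""Backscatter analysis: inferring a spoofed flood against someone else from
the replies that land in our unused address space.

Added example, not from the 15-441 slides. Assumes a monitor on a hypothetical
unused /16 and uniformly random spoofed sources; the records are constructed.
"""
import ipaddress
from collections import Counter, defaultdict

MONITORED = ipaddress.ip_network("10.20.0.0/16")  # hypothetical darknet
IPV4_ADDRESSES = 2 ** 32

# Reply-type packets nobody in the darknet asked for. Key: (proto, flags or ICMP type).
BACKSCATTER_KINDS = {
    ("tcp", "SA"): "SYN-ACK",      # victim answering a spoofed SYN on an open port
    ("tcp", "RA"): "RST",          # victim refusing a spoofed SYN on a closed port
    ("tcp", "R"): "RST",
    ("icmp", "0"): "echo reply",   # victim answering a spoofed ping
    ("icmp", "3"): "unreachable",  # router or host rejecting spoofed traffic
}

# Constructed sample log: (seconds, src, dst, proto, tcp_flags_or_icmp_type).
SAMPLE_RECORDS = [
    (0.5, "203.0.113.10", "10.20.17.4", "tcp", "SA"),
    (3.1, "203.0.113.10", "10.20.200.9", "tcp", "SA"),
    (8.7, "203.0.113.10", "10.20.3.250", "tcp", "RA"),
    (12.0, "203.0.113.10", "10.20.77.1", "tcp", "SA"),
    (15.4, "203.0.113.10", "10.20.129.33", "tcp", "SA"),
    (19.9, "203.0.113.10", "10.20.5.5", "tcp", "SA"),
    (24.2, "203.0.113.10", "10.20.250.18", "tcp", "RA"),
    (30.0, "203.0.113.10", "10.20.64.64", "tcp", "SA"),
    (36.6, "203.0.113.10", "10.20.9.101", "tcp", "SA"),
    (41.3, "203.0.113.10", "10.20.180.7", "tcp", "SA"),
    (47.8, "203.0.113.10", "10.20.33.212", "tcp", "RA"),
    (55.1, "203.0.113.10", "10.20.99.2", "tcp", "SA"),
    # A scanner probing the darknet sends SYNs, not replies: not backscatter.
    (10.0, "198.51.100.7", "10.20.1.1", "tcp", "S"),
    (10.1, "198.51.100.7", "10.20.1.2", "tcp", "S"),
    # A second host answering spoofed pings, but too few packets to report.
    (20.0, "192.0.2.44", "10.20.8.8", "icmp", "0"),
    (40.0, "192.0.2.44", "10.20.8.9", "icmp", "0"),
]


def is_backscatter(rec):
    """A reply-type packet addressed into the darknet is unsolicited by construction."""
    _, _, dst, proto, info = rec
    return ipaddress.ip_address(dst) in MONITORED and (proto, info) in BACKSCATTER_KINDS


def analyse(records, window_seconds=60.0, min_packets=5):
    """Group backscatter by the host that sent it (the victim) and extrapolate.

    If spoofed sources are uniform over IPv4, the fraction of the victim's
    replies that land in MONITORED is |MONITORED| / 2^32, so the victim's total
    reply rate (a lower bound on the attack rate, since not every spoofed
    packet draws a reply) is the observed rate times 2^32 / |MONITORED|.
    """
    by_victim = defaultdict(list)
    for rec in records:
        if is_backscatter(rec):
            by_victim[rec[1]].append(rec)

    scale = IPV4_ADDRESSES / MONITORED.num_addresses
    report = {}
    for victim, recs in by_victim.items():
        if len(recs) < min_packets:
            continue  # too few packets to separate from background noise
        observed_pps = len(recs) / window_seconds
        report[victim] = {
            "packets": len(recs),
            "kinds": Counter(BACKSCATTER_KINDS[(r[3], r[4])] for r in recs),
            "distinct_targets": len({r[2] for r in recs}),
            "observed_pps": observed_pps,
            "estimated_attack_pps": observed_pps * scale,
        }
    return report


if __name__ == "__main__":
    for victim, info in analyse(SAMPLE_RECORDS).items():
        print(victim, dict(info["kinds"]),
              f"observed {info['observed_pps']:.2f} pps,"
              f" estimated >= {info['estimated_attack_pps']:.0f} pps at the victim")
```

The scanner in the sample is the usual false positive to keep in mind: it sends SYNs into the darknet, which are probes, not replies, so the flag test excludes it; a darknet sees both kinds of traffic and only the reply-shaped packets say anything about a third party being attacked.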
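Slide 14 gives the numbers that make SYN flooding work: each SYN costs the server a queue entry, the queue holds 1024 incomplete connections, and an entry lingers for hundreds of seconds waiting for an ACK that never comes. The standard countermeasure is SYN cookies, where the server encodes everything it needs into the ISN of its SYN-ACK and allocates nothing until a valid ACK returns. The script below is an added example, not from the slides: it contrasts a stateful backlog of the kind the slide describes with a simplified form of Bernstein's SYN-cookie layout (a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed MAC over the connection 4-tuple, client ISN and counter, packed into one 32-bit ISN). The server secret, the MSS table, the listener classes and the addresses used in the simulation are all constructed.

```python
"""SYN cookies: answer a SYN without keeping half-open state.

Added example, not from the 15-441 slides. Contrasts the stateful backlog the
slides describe (1024 incomplete connections) with a simplified form of
Bernstein's SYN-cookie layout. Secret, MSS table and addresses are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

SERVER_SECRET = b"constructed-secret-rotate-periodically"  # hypothetical key
MSS_TABLE = (536, 1220, 1440, 1460)  # MSS values the 3-bit index can encode
TICK_SECONDS = 64                     # time counter advances once per tick
BACKLOG_LIMIT = 1024                  # incomplete-connection queue size from the slide


def _mac24(saddr, daddr, sport, dport, client_isn, counter):
    """24-bit keyed MAC binding the cookie to the 4-tuple, client ISN and tick."""
    msg = struct.pack("!4s4sHHII", ipaddress.ip_address(saddr).packed,
                      ipaddress.ip_address(daddr).packed, sport, dport,
                      client_isn & 0xFFFFFFFF, counter)
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK; nothing about the client is remembered."""
    counter = (int(now) // TICK_SECONDS) & 0x1F
    idx = 0
    for i, value in enumerate(MSS_TABLE):  # largest table entry <= client's MSS
        if value <= mss:
            idx = i
    return (counter << 27) | (idx << 24) | _mac24(saddr, daddr, sport, dport, client_isn, counter)


def check_syn_cookie(saddr, daddr, sport, dport, client_isn, cookie, now) -> Optional[int]:
    """Validate the ISN echoed in the client's ACK; return the MSS, or None."""
    counter, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = (int(now) // TICK_SECONDS) & 0x1F
    if (current - counter) & 0x1F > 1 or idx >= len(MSS_TABLE):
        return None  # stale (older than two ticks) or malformed
    expected = _mac24(saddr, daddr, sport, dport, client_isn, counter)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None  # forged or guessed ISN
    return MSS_TABLE[idx]


class StatefulListener:
    """Textbook behaviour: one half-open entry per SYN, bounded queue."""
    def __init__(self):
        self.half_open, self.established = set(), set()

    def on_syn(self, saddr, sport):
        if len(self.half_open) >= BACKLOG_LIMIT:
            return False  # queue full: the SYN is dropped, whoever sent it
        self.half_open.add((saddr, sport))
        return True

    def on_ack(self, saddr, sport):
        if (saddr, sport) not in self.half_open:
            return False
        self.half_open.discard((saddr, sport))
        self.established.add((saddr, sport))
        return True


class StatelessListener:
    """SYN-cookie behaviour: state is created only when a valid ACK arrives."""
    def __init__(self, addr, port):
        self.addr, self.port, self.established = addr, port, {}

    def on_syn(self, saddr, sport, client_isn, mss, now):
        return make_syn_cookie(saddr, self.addr, sport, self.port, client_isn, mss, now)

    def on_ack(self, saddr, sport, seq, ack, now):
        client_isn = (seq - 1) & 0xFFFFFFFF  # client's seq in the ACK is its ISN + 1
        cookie = (ack - 1) & 0xFFFFFFFF      # ack field acknowledges server ISN + 1
        mss = check_syn_cookie(saddr, self.addr, sport, self.port, client_isn, cookie, now)
        if mss is None:
            return False
        self.established[(saddr, sport)] = mss
        return True


def simulate(n_spoofed, now=1_000_000):
    """Flood both listeners with spoofed SYNs, then try one legitimate handshake."""
    spoofed = [(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000 + i % 1000)
               for i in range(n_spoofed)]
    stateful = StatefulListener()
    for saddr, sport in spoofed:
        stateful.on_syn(saddr, sport)  # the flooder never completes the handshake
    stateful_ok = stateful.on_syn("198.51.100.7", 50000)

    stateless = StatelessListener("192.0.2.1", 80)
    for saddr, sport in spoofed:
        stateless.on_syn(saddr, sport, 7, 1460, now)  # nothing is stored
    isn = stateless.on_syn("198.51.100.7", 50000, 123456, 1460, now)
    stateless_ok = stateless.on_ack("198.51.100.7", 50000, 123457, (isn + 1) & 0xFFFFFFFF, now + 3)
    return {"stateful_legit_ok": stateful_ok, "stateful_half_open": len(stateful.half_open),
            "stateless_legit_ok": stateless_ok, "stateless_entries": len(stateless.established)}


if __name__ == "__main__":
    print(simulate(2000))
```

The price of statelessness is visible in the layout: only a handful of MSS values survive the round trip, and the 24-bit MAC is what stops a third party from completing a handshake on a spoofed address by guessing the ISN, which is why the secret must be kept off the wire and rotated.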