
CS244a: An Introduction to Computer Networks
Security
Winter 2008

Announcements (?)

Life Just Before Slammer

Life Just After Slammer

A Lesson in Economy
- Slammer exploited connectionless UDP service, rather than connection-oriented TCP.
- Entire worm fit in a single packet! (376 bytes)
  ⇒ When scanning, worm could "fire and forget". Stateless!
- Worm infected 75,000+ hosts in 10 minutes (despite broken random number generator).
- At its peak, doubled every 8.5 seconds
- Progress limited by the Internet's carrying capacity (= 55 million scans/sec)

Why Security?
- First victim at 12:15am
- By 12:45, transcontinental links starting to fail
- 300,000 access points downed in Portugal
- All cell and Internet in Korea failed (27 million people)
- 5 root name servers were knocked offline
- 911 didn't respond (Seattle)
- Flights canceled

Witty Worm

Today
- Network Security Goals
- Security vs. Internet Design
- Attacks
- Defenses
- Worms

Network Security Goals
- Availability (everyone can reach all network resources all the time)
- Protection (protect users from interactions they don't want)
- Authenticity (know who you are speaking with)
- Data Integrity (protect data en-route)
- Privacy

Internet Design
- Destination routing
- Packet based (statistical multiplexing)
- Global addressing (IP addresses)
- Simple to join (as infrastructure)
- Power in end hosts (end-to-end arg)
- "Ad hoc" naming system

Internet Design vs. Security
- Destination routing
  - Keeps forwarding tables small
  - Simple to maintain forwarding tables
  - How do we know where packets are coming from?
    - Probably simple fix to spoofing, why isn't it in place?
- Packet based (statistical multiplexing)
  - Simple + Efficient
  - Difficult resource bound per-communication
    - How to keep someone from hogging? (remember, we can't rely on source addresses)
- Global addressing (IP addresses)
  - Very democratic
  - Even people who don't necessarily want to be talked to ("every psychopath is your next door neighbor" – Dan Geer)
- Simple to join (as infrastructure)
  - Very democratic
  - Misbehaving routers can do very bad things
  - No model of trust between routers
- Power in end hosts (end-to-end arg)
  - Decouple hosts and infrastructure = innovation at the edge!
  - Giving power to least trusted actors
    - How to guarantee good behavior?
- "Ad hoc" naming system
  - Seems to work OK
  - Fate sharing w/ hierarchical system
  - Off route = more trusted elements

Today
- Network Security Goals
- Security vs. Internet Design
- "Attacks" (how attacks leverage these weaknesses in practice)
  - Denial of service
  - Indirection
  - Reconnaissance
- Defenses
- Worms

DoS: Via Resource Exhaustion
- Downlink bandwidth
- Uplink bandwidth
- Memory (e.g. TCP TCB exhaustion)
- CPU
- User-time

DoS: Via Resource Exhaustion
- Uplink bandwidth
  - Saturate uplink bandwidth using legitimate requests (e.g. download large image)
  - Solution: use a CDN (Akamai)
  - Solution: admission control at the server (not a network problem ??)
- CPU time similar to above
- Victim Memory
  - TCP connections require state, can try to exhaust
  - E.g. SYN Flood (next few slides)

TCP Handshake
  C (client)                         S (server)
                                     Listening
  SYN_C            ------------->    Store data
  Wait             <-------------    SYN_S, ACK_C
  ACK_S            ------------->    Connected

Example: SYN Flooding
  C                                  S
                                     Listening
  SYN_C1           ------------->    Store data
  SYN_C2           ------------->
  SYN_C3           ------------->
  SYN_C4           ------------->
  SYN_C5           ------------->

Protection against SYN Attacks
- SYN Cookies [Bernstein, Schenk]
  - Client sends SYN
  - Server responds to Client with SYN-ACK cookie
    - sqn = f(src addr, src port, dest addr, dest port, rand)
    - Server does not save state
  - Honest client responds with ACK(sqn)
  - Server checks response
    - If matches SYN-ACK, establishes connection
- Drop Random TCB in SYN_RCVD state (likely to be attackers)

Distributed DoS (DDoS)
- Attacker compromises multiple hosts
- Installs malicious program to do her bidding (bots)
- Bots flood (or
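
The SYN cookie exchange from the "Protection against SYN Attacks" slide, as an added example that is not part of the original lecture. It assumes HMAC-SHA256 truncated to 32 bits for f and adds a 64-second time slot so old cookies expire; the class name, addresses and timestamps are constructed, and real TCP stacks also pack the MSS into the cookie, which is omitted here.

```python
import hashlib, hmac, os, socket, struct

SLOT = 64  # assumption: seconds per time slot, bounds how long a cookie stays valid

class CookieServer:
    """Listener that keeps no per-connection state until the handshake completes."""
    def __init__(self, addr, port, secret=None):
        self.addr, self.port = addr, port
        self.secret = secret or os.urandom(32)  # the slide's "rand"; never leaves the server
        self.established = set()                # state exists only for verified peers

    def _cookie(self, src, sport, slot):
        # sqn = f(src addr, src port, dest addr, dest port, rand), plus the time slot
        msg = (socket.inet_aton(src) + socket.inet_aton(self.addr)
               + struct.pack("!HHI", sport, self.port, slot))
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src, sport, now):
        """Return the SYN-ACK sequence number; nothing is stored."""
        return self._cookie(src, sport, int(now) // SLOT)

    def on_ack(self, src, sport, ack_no, now):
        """Accept only if ack_no - 1 is a cookie this server could have issued recently."""
        got = ((ack_no - 1) & 0xFFFFFFFF).to_bytes(4, "big")
        slot = int(now) // SLOT
        ok = any(hmac.compare_digest(got, self._cookie(src, sport, s).to_bytes(4, "big"))
                 for s in (slot, slot - 1))
        if ok:
            self.established.add((src, sport))  # TCB is allocated only now
        return ok

def demo(now=1_200_000_000):
    srv = CookieServer("192.0.2.10", 80)
    # Constructed flood: 1000 SYNs from spoofed sources that never send the ACK.
    for i in range(1000):
        srv.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, now)
    flood_state = len(srv.established)
    # Honest client: saw the SYN-ACK, so it can echo cookie + 1 in its ACK.
    sqn = srv.on_syn("203.0.113.7", 40000, now)
    honest = srv.on_ack("203.0.113.7", 40000, (sqn + 1) & 0xFFFFFFFF, now + 1)
    # Same ACK number replayed from a different source address: cookie does not match.
    forged = srv.on_ack("203.0.113.8", 40000, (sqn + 1) & 0xFFFFFFFF, now + 1)
    return flood_state, honest, forged, len(srv.established)

if __name__ == "__main__":
    print(demo())
```

The flood leaves the server's connection table empty because the only memory of each SYN is the sequence number it sent back, which is the point of the "Server does not save state" bullet.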


Stanford CS 244a - Security Lecture
