1 Outline CSci 5271 Introduction to Computer Security Day 21: Malware and Denial of Service Stephen McCamant University of Minnesota, Computer Science & Engineering Firewalls and NAT boxes Intrusion detection systems Malware and the network Denial of service and the network What a firewall is Inbound and outbound control Basically, a router that chooses not to forward some traffic Based on an a-priori policy More complex architectures have multiple layers DMZ: area between outer and inner layers, for outward-facing services Most obvious firewall use: prevent attacks from the outside Often also some control of insiders Block malware-infected hosts Employees wasting time on Facebook Selling sensitive info to competitors Nation-state Internet management May want to log or rate-limit, not block Default: deny IPv4 address scarcity Usual whitelist approach: first, block everything Then allow certain traffic Basic: filter packets based on headers More sophisticated: proxy traffic at a higher level Design limit of 2 32 hosts Actually less for many reasons Addresses becoming gradually more scarce over a many-year scale Some high-profile exhaustions in 2011 IPv6 adoption still very low, occasional signs of progress
2 Network address translation (NAT) Middlebox that rewrites addresses in packets Main use: allow inside network to use non-unique IP addresses RFC 1918: 10.*, *, etc. While sharing one outside IP address Inside hosts not addressable from outside De-facto firewall Packet filtering rules Match based on: Source IP address Source port Destination IP address Destination port Packet flags: TCP vs. UDP, TCP ACK, etc. Action, e.g. allow or block Obviously limited in specificity Client and server ports TCP servers listen on well-known port numbers Often < 1024, e.g. 22 for SSH or 80 for HTTP Clients use a kernel-assigned random high port Plain packet filter would need to allow all high-port incoming traffic Stateful filtering In general: firewall rules depend on previously-seen traffic Key instance: allow replies to an outbound connection See: port to port 80 Allow incoming port To same inside host Needed to make a NAT practical Circuit-level proxying Firewall forwards TCP connections for inside client Standard protocol: SOCKS Supported by most web browsers Wrapper approaches for non-aware apps Not much more powerful that packet-level filtering Application-level proxying Knows about higher-level semantics Long history for, e.g., , now HTTP most important More knowledge allows better filtering decisions But, more effort to set up Newer: transparent proxy Pretty much a man-in-the-middle
3 Tunneling Outline Any data can be transmitted on any channel, if both sides agree E.g., encapsulate IP packets over SSH connection Compare covert channels, steganography Powerful way to subvert firewall Some legitimate uses Firewalls and NAT boxes Intrusion detection systems Malware and the network Denial of service and the network Basic idea: detect attacks Network and host-based IDSes The worst attacks are the ones you don t even know about Best case: stop before damage occurs Marketed as prevention Still good: prompt response Challenge: what is an attack? Network IDS: watch packets similar to firewall But don t know what s bad until you see it More often implemented offline Host-based IDS: look for compromised process or user from within machine Signature matching Anomaly detection Signature is a pattern that matches known bad behavior Typically human-curated to ensure specificity See also: anti-virus scanners Learn pattern of normal behavior Not normal is a sign of a potential attack Has possibility of finding novel attacks Performance depends on normal behavior too
4 Recall: FPs and FNs Signature and anomaly weaknesses False positive: detector goes off without real attack False negative: attack happens without detection Any detector design is a tradeoff between these (ROC curve) Signatures Won t exist for novel attacks Often easy to attack around Anomaly detection Hard to avoid false positives Adversary can train over time Base rate problems If the true incidence is small (low base rate), most positives will be false Example: screening test for rare disease Easy for false positives to overwhelm admins E.g., 100 attacks out of 10 million packets, 0.01% FP rate How many false alarms? Adversarial challenges FP/FN statistics based on a fixed set of attacks But attackers won t keep using techniques that are detected Instead, will look for: Existing attacks that are not detected Minimal changes to attacks Truly novel attacks Wagner and Soto mimicry attack Host-based IDS based on sequence of syscalls Compute A \ M, where: A models allowed sequences M models sequences achieving attacker s goals Further techniques required: Many syscalls made into NOPs Replacement subsequences with similar effect Outline Firewalls and NAT boxes Intrusion detection systems Malware and the network Denial of service and the network
5 Malicious software Trojan (horse) Shortened to Mal... ware Software whose inherent goal is malicious Not just used for bad purposes Strong adversary High visibility Many types Looks benign, has secret malicious functionality Key technique: fool users into installing/running Concern dates back to 1970s, MLS (Computer) viruses Worms Attaches itself to other software Propagates when that program runs Once upon a time: floppy disks More modern: macro viruses Have declined in relative importance Completely automatic self-propagation Requires remote security holes Classic example: 1988 Morris worm Golden age in early 2000s Internet-level threat seems to have declined Fast worm propagation Initial hit-list Pre-scan list of likely targets Accelerate cold-start phase Permutation-based sampling Systematic but not obviously patterned Pseudorandom permutation Approximate time: 15 minutes Warhol worm Too fast for human-in-the-loop response Getting underneath Lower-level/higher-privilege code can deceive normal code Rootkit: hide malware by changing kernel behavior MBR virus: take control early in boot Blue-pill attack: malware is a VMM running your system
6 Malware motivation User-based monetization Once upon a time: curiosity, fame Now predominates: money Modest-size industry Competition and specialization Also significant: nation-states Industrial espionage Stuxnet (not officially acknowledged) Adware, mild spyware Keyloggers, stealing financial credentials Ransomware Application of public-key encryption Malware encrypts user files Only $300 for decryption key Bots and botnets Bot: program under control of remote attacker Botnet: large group of bot-infected computers with common master Command & control network protocol Once upon a time: IRC Now more likely custom and obfuscated Centralized! peer-to-peer Gradually learning crypto and protocol lessons Bot monetization Click (ad) fraud Distributed DoS (next section) Bitcoin mining Pay-per-install (subcontracting) Spam sending Malware/anti-virus arms race Signature-based AV Anti-virus (AV) systems are really general anti-malware Clear need, but hard to do well No clear distinction between benign and malicious Endless possibilities for deception Similar idea to signature-based IDS Would work well if malware were static In reality: Large, changing database Frequent updated from analysts Not just software, a subscription Malware stays enough ahead to survive
7 Emulation and AV Polymorphism Simple idea: run sample, see if it does something evil Obvious limitation: how long do you wait? Simple version can be applied online More sophisticated emulators/vms used in backend analysis Attacker makes many variants of starting malware Different code sequences, same behavior One estimate: 30 million samples observed in 2012 But could create more if needed Packing Fake anti-virus Sounds like compression, but real goal is obfuscation Static code creates real code on the fly Or, obfuscated bytecode interpreter Outsourced to independent protection tools Major monentization strategy recently Your system is infected, pay $19.95 for cleanup tool For user, not fundamentally distinguishable from real AV Outline DoS versus other vulnerabilities Firewalls and NAT boxes Intrusion detection systems Malware and the network Denial of service and the network Effect: normal operations merely become impossible Software example: crash as opposed to code injection Less power that complete compromise, but practical severity can vary widely Airplane control DoS, etc.
8 When is it DoS? Algorithmic complexity attacks Very common for users to affect others performance Focus is on unexpected and unintended effects Unexpected channel or magnitude Can an adversary make your algorithm have worst-case behavior? O(n 2 ) quicksort Hash table with all entries in one bucket Exponential backtracking in regex matching XML entity expansion XML entities (HTML <) are like C macros #define B (A+A+A+A+A) #define C (B+B+B+B+B) #define D (C+C+C+C+C) #define E (D+D+D+D+D) #define F (E+E+E+E+E) Compression DoS Some formats allow very high compression ratios Simple attack: compress very large input More powerful: nested archives Also possible: zip file quine decompresses to itself DoS against network services Tiny bit of queueing theory Common example: keep legitimate users from viewing a web site Easy case: pre-forked server supports 100 simultaneous connections Fill them with very very slow downloads Mathematical theory of waiting in line Simple case: random arrival, sequential fixed-time service M/D/1 If arrival rate service rate, expected queue length grows without bound
9 SYN flooding SYN is first of three packets to set up new connection Traditional implementation allocates space for control data However much you allow, attacker fills with unfinished connections Early limits were very low (10-100) SYN cookies Change server behavior to stateless approach Embed small amount of needed information in fields that will be echoed in third packet MAC-like construction Other disadvantages, so usual implementations used only under attack DoS against network links Traffic multipliers Try to use all available bandwidth, crowd out real traffic Brute force but still potentially effective Baseline attacker power measured by packet sending rate Third party networks (not attacker or victim) One input packet causes n output packets Commonly, victim s address is forged source, multiply replies Misuse of debugging features Smurf broadcast ping Distributed DoS ICMP echo request with forged source Sent to a network broadcast address Every recipient sends reply Now mostly fixed by disabling this feature Many attacker machines, one victim Easy if you own a botnet Impractical to stop bots one-by-one May prefer legitimate-looking traffic over weird attacks Main consideration is difficulty to filter
Chapter 18: Network Attack and Defense CHAPTE R 18 Network Attack and Defense Whoever thinks his problem can be solved using cryptography, doesn t understand his problem and doesn t understand cryptography.
9854_C034.qxd 7/1/2004 6:05 PM Page 1 34 Network Security and Secure Applications Christopher Kruegel University of California 34.1 Introduction...34-1 34.2 Security Attacks and Security Properties...34-2
INTRODUCING THE WATCHGUARD INTELLIGENT LAYERED SECURITY ARCHITECTURE: BETTER SECURITY FOR THE GROWING ENTERPRISE NOVEMBER 2005 WHY INTELLIGENT LAYERED SECURITY? The security landscape grows more complex
A Tutorial on Network Security: Attacks and Controls Natarajan Meghanathan Associate Professor of Computer Science Jackson State University Jackson, MS 39217, USA Phone: 1-601-979-3661; Fax: 1-601-979-2478
Special Publication 800-41 Revision 1 Guidelines on Firewalls and Firewall Policy Recommendations of the National Institute of Standards and Technology Karen Scarfone Paul Hoffman NIST Special Publication
Defense Readiness Strategies Security Audit Security audits measure an information system s performance against a list of criteria. Vulnerability Assessment A vulnerability assessment involves a comprehensive
WHITE PAPER SAFE: A Security Blueprint for Enterprise Networks Authors Sean Convery (CCIE #4232) and Bernie Trudel (CCIE #1884) are the authors of this White Paper. Sean is the lead architect for the reference
1 DDoS Attack and Defense: Review of Some Traditional and Current Techniques Muhammad Aamir and Mustafa Ali Zaidi SZABIST, Karachi, Pakistan Abstract Distributed Denial of Service (DDoS) attacks exhaust
Defeating Windows Personal Firewalls: Filtering Methodologies, Attacks, and Defenses Chris Ries Security Research Analyst VigilantMinds Inc. 4736 Penn Avenue Pittsburgh, PA 15224 email@example.com
The dangers faced by your corporate network GFI Software www.gfi.com firstname.lastname@example.org Introduction This paper helps you identify key features needed to effectively deal with spam. Introduction... 2 Abstract...
Enterprise Security Architecture Jian Ren and Tongtong Li, Michigan State University Introduction 1 Security Policies and Requirements 3 Enterprise Network Security Zones 5 Internet................ 5 Internet
Report Number: I332-016R-2005 Security Guidance for Deploying IP Telephony Systems Systems and Network Attack Center (SNAC) Released: 14 February 2006 Version 1.01 SNAC.Guides@nsa.gov ii This Page Intentionally
Unified Security Monitoring Best Practices June 8, 2011 (Revision 1) Copyright 2011. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of
Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics Mark Handley and Vern Paxson AT&T Center for Internet Research at ICSI (ACIRI) International Computer Science
Cyber-Security Essentials for State and Local Government Best Practices in Policy and Governance Operational Best Practices Planning for the Worst Case Produced by with content expertise provided by For
Network Monitoring Based on IP Data Flows Best Practice Document Produced by CESNET led working group on Network monitoring (CBPD131) Authors: Martin Žádník March 2010 TERENA 2010. All rights reserved.
Application-level simulation for network security Stephan Schmidt, Rainer Bye, Joël Chinnow Karsten Bsufka, Ahmet Camtepe and Sahin Albayrak email@example.com DAI-Labor, Berlin Institute of Technology,
Fundamental Principles of Network Security By Christopher Leidigh White Paper #101 Executive Summary Security incidents are rising at an alarming rate every year. As the complexity of the threats increases,
Port Blocking A BROADBAND INTERNET TECHNICAL ADVISORY GROUP TECHNICAL WORKING GROUP REPORT A Uniform Agreement Report Issued: August 2013 Copyright / Legal Notice Copyright Broadband Internet Technical
A Websense White Paper ADVANCED PERSISTENT THREATS AND OTHER ADVANCED ATTACKS: THREAT ANALYSIS AND DEFENSE STRATEGIES FOR SMB, MID-SIZE, AND ENTERPRISE ORGANIZATIONS REV 2 ADVANCED PERSISTENT THREATS AND
SYMANTEC ADVANCED THREAT RESEARCH The Teredo Protocol: Tunneling Past Network Security and Other Security Implications Dr. James Hoagland Principal Security Researcher Symantec Advanced Threat Research
1 1.1 Introduction This whitepaper summarizes incidents to which IIJ responded, based on general information obtained by IIJ itself related to the stable operation of the Internet, information from observations
Log Correlation Engine Best Practices August 14, 2012 (Revision 3) Copyright 2012. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable
How can I protect a system from cyber attacks? System Technical Note Cyber security recommendations Design your architecture 2 Disclaimer This document is not comprehensive for any systems using the given