Attack Detection and Prevention
|
|
- Ethelbert Lester
- 8 years ago
- Views:
Transcription
1 Chapter 17 Attack Detection and Prevention Attack Overview, Taxonomy, and Examples Attack Detection Principles of Intrusion Detection Systems Knowledge-based Anomaly detection Distributed attack detection Attack Prevention [NetSec], WS 2005/
2 Introduction Definition: Intrusion An Intrusion is unauthorized access to and/or activity in an information system. Definition: Intrusion Detection The process of identifying that an intrusion has been attempted, is occurring or has occurred. National Security Telecommunications Advisory Committee (NSTAC) Intrusion Detection Subgroup [NetSec], WS 2005/
3 Introduction Intrusion Detection Attack- / Invasion detection: Tries to detect unauthorized access by outsiders Misuse Detection: Tries to detect misuse by insiders, e.g. users that try to access services on the internet by bypassing security directives Anomaly Detection: Tries to detect abnormal states within a network, e.g. sudden appearance of never used protocols, big amount of unsuccessful login attempts Intrusion Prevention An IPS adds further functionality to an IDS. After detecting a possible attack the IPS tries to prevent the ongoing attack, e.g. by closing network connections or reconfiguring firewalls [NetSec], WS 2005/
4 Introduction Attack Sophistication vs. Intruder Knowledge [NetSec], WS 2005/
5 Categorizing Attacks Who / which device is attacking? Normal user device located outside the infrastructure: Examples: PC, PDA, mobile phone,... Commanded by a normal user not aware of what he is doing, or Hacked and commanded by a malicious attacker Device located inside the infrastructure: Examples: router, management workstation,... Either deliberately placed by an attacker inside the infrastructure, or Being part of the genuine infrastructure but hacked and commanded by a malicious attacker Which layer(s) is the attack aiming at? Physical, MAC / Data Link, Network, Transport, Application Which kind of attack is performed? Attacking user data PDUs: eavesdropping, replay, modification,... Resource depletion: TCP-SYN flood, SMURF attack, [NetSec], WS 2005/
6 Ensuring Availability: The Key Challenge for the Next Years Security of transmitted information in the sense of confidentiality, authenticity, etc. is well researched and many network security protocols have been developed & standardized during the past decade Examples: PPP/PPTP, L2TP, IPSec, SSL/TLS, SSH, GSM/GPRS/UMTS security protocols,... In infrastructure networks (like the Internet), routing threats can be effectively countered by deploying PKI-based approaches like S-BGP However, ensuring availability of our IT- and communication infrastructure requires more than can be realized by standard network security protocols, and thus turns out to be the major challenge for the next years of security research! [NetSec], WS 2005/
7 Denial of Service What is Denial of Service? Denial of Service (DoS) attacks aim at denying or degrading legitimate users access to a service or network resource, or at bringing down the servers offering such services Motivations for launching DoS attacks: Hacking (just for fun, by script kiddies,...) Gaining information leap ( 1997 attack on bureau of labor statistics server; was possibly launched as unemployment information has implications to the stock market) Discrediting an organization operating a system (i.e. web server) Revenge (personal, against a company,...) Political reasons ( information warfare )... [NetSec], WS 2005/
8 Denial of Service Attacking Techniques Resource destruction (disabling services): Hacking into systems Making use of implementation weaknesses as buffer overrun Deviation from proper protocol execution Resource depletion by causing: Storage of (useless) state information High traffic load (requires high overall bandwidth from attacker) Expensive computations ( expensive cryptography!) Resource reservations that are never used (e.g. bandwidth) Origin of malicious traffic: Genuineness of source addresses: either genuine or forged Number of sources: single source, or multiple sources (Distributed DoS, DDoS) [NetSec], WS 2005/
9 Examples: Resource Destruction Hacking: Exploiting weaknesses that are caused by careless operation of a system Examples: default accounts and passwords not disabled, badly chosen passwords, social engineering (incl. worms), etc. Making use of implementation weaknesses: See later slides on security aware system design & implementation Deviation from proper protocol execution: Example: exploit IP s fragmentation & reassembly Send IP fragments to broadcast address Operating systems with origins in BSD often respond to this address as a broadcast address In order to respond, the packets have to be reassembled first If an attacker sends a lot of fragments without ever sending a first / last fragment, the buffer of the reassembling system gets overloaded As some routers use BSD-based TCP/IP stacks, even the network infrastructure can be attacked this way! [NetSec], WS 2005/
10 Countering Attacks: Three Principle Classes of Action Prevention: All measures taken in order to avert that an attacker succeeds in realizing a threat Examples: Cryptographic measures: encryption, computation of modification detection codes, running authentication protocols, etc. Firewall techniques: packet filtering, service proxying, etc. Preventive measures are by definition taken before an attack takes place Attention: it is generally impossible to prevent every potential attack! Detection: All measures taken to recognize an attack while or after it occurred Examples: Recording and analysis of audit trails On-the-fly traffic monitoring and intrusion detection Reaction: All measures taken in order react to ongoing or past attacks [NetSec], WS 2005/
11 Attack Taxonomy Source: [Mircovic2004] [NetSec], WS 2005/
12 Attack Strategy Scan for vulnerabilities Detection of vulnerable hosts and applications Compromising hosts Manual hacking Viruses, Trojans, Worms Distributed denial-of-service attack Bandwidth depletion Resource depletion [NetSec], WS 2005/
13 Port Scan Background Identification of vulnerable systems / applications Automated distribution of worms Scan types Vertical scan: sequential or random scan of multiple (5 or more) ports of a single IP address from the same source during a one hour period Horizontal scan: scan of several machines (5 or more) in a subnet at the same target port from the same source during a one hour period Coordinated scan: scans from multiple sources (5 or more) aimed at a particular port of destinations in the same /24 subnet within a one hour window; also called distributed scan Stealth scan: horizontal or vertical scans initiated with a very low frequency to avoid detection [NetSec], WS 2005/
14 Port Scan (2) Scan characteristics Port distribution Source distribution Scan rates for top 10 destination port categories between May-July, Distribution of coordinated, horizontal and vertical scans for the month of June, 2002 Source: [Yegneswaran2003] [NetSec], WS 2005/
15 Distributed Denial-of-Service Attacks Bandwidth depletion Resource depletion Flood UDP flood ICMP flood Amplification (i.e. using a reflector network) Smurf (ICMP echo request) Fraggle (UDP echo, e.g. chargen) Protocol exploit TCP SYN PUSH+ACK (to unload TCP buffer + ACK to overflow a receiver) Malformed packet attacks Usage of incorrect formatted IP packets to crash the victim system Sleep deprivation Rendering a pervasive computing device inoperable by draining the battery [NetSec], WS 2005/
16 Distributed Denial-of-Service Attacks (2) mostly ICMP traffic Source: [Moore2001] [NetSec], WS 2005/
17 History of Intrusion Detection 1980 James Anderson: Computer Security Threat Monitoring and Surveillance 1983 Dorothy Denning (SRI-International): Analysis of audit trails from government mainframe computers 1984 Dorothy Denning: Intrusion Detection Expert System (IDES) 1988 Lawrence Liverpool Laboratories: Haystack Projekt 1990 Heberlein: A Network Security Monitor (NSM) 1994 Wheel Group: First commercial NIDS (NetRanger) 1997 ISS: Real Secure... Boom of Intrusion Detection System [NetSec], WS 2005/
18 Intrusion Detection Data collection issues Reliable and complete data Collection is expensive, collecting the right information is important Detection techniques Misuse detection (or signature-based or knowledge-based) Anomaly detection Response Counteracting an attack Evaluation System effectiveness, performance, network-wide analysis False-positive rate False-negative rate [NetSec], WS 2005/
19 Classification of Attack Detection Four dimensions Host based Knowledge based Anomaly detection Network based [NetSec], WS 2005/
20 Classification of Attack Detection (2) Host Intrusion Detection Systems (HIDS) Works on information available on a system, e.g. OS-Logs, application-logs, timestamps Can easily detect attacks by insiders, as modification of files, illegal access to files, installation of Trojans or rootkits Problems: has to be installed on every System, produces lots of information, often no realtime-analysis but predefined time intervals, hard to manage a huge number of systems Network Intrusion Detection System (NIDS) Works on information provided by the network, mainly packets sniffed from the network layer. Uses signature detection (stateful), protocol decoding, statistical anomaly analysis, heuristical analysis Detects: DoS with buffer overflow attacks, invalid packets, attacks on application layer, DDoS, spoofing attacks, port scans Often used on network hubs, to monitor a segment of the network [NetSec], WS 2005/
21 Placement of a Network Intrusion Detection System Monitors all incoming traffic High load High rate of false alarms Internet Monitors all traffic to and from systems in the DMZ Reduced amount of Data Can only detect Intrusions on these Computers Monitors all traffic within the corporate LAN Possible detection of misuse by insiders Possible detection of intrusion via mobile machines (notebooks...) DMZ LAN [NetSec], WS 2005/
22 Knowledge-based Detection Based on signatures or patterns of well-known attacks Working principles Scan for attacks using well known vulnerabilities, e.g. patterns to attack IIS web server or MSSQL databases Scan for pre-defined numbers of ICMP, TCP SYN, etc. packets Patterns can be specified at each protocol level Network protocol (e.g. IP, ICMP) Transport protocol (e.g. TCP, UDP) Application protocol (e.g. HTTP, SMTP) Pros Fast, requires few state information, low false-positive rate Cons Recognizes only known attacks Examples Snort, Bro [NetSec], WS 2005/
23 Snort OpenSource Support for Windows, UNIX, Linux,... Rule Based Intrusion Detection Ruleset can be edited individually Huge number of predefined rules Daily community rules update Reporting into: Logfiles, LogServer, Database Different formats for captured data supported: libpcap,... Supports packet de-fragmentation, protocol decoding, state inspection Possible reactions: TCP reset, ICMP unreachable, configuration of firewalls, alerting via , pager, SMS (plugins) Graphical tools for administration and analysis are available [NetSec], WS 2005/
24 Snort (2) Mainly signature based, each intrusion needs a predefined rule alert tcp $HOME_NET any -> any 9996 \ (msg:"sasser ftp script to transfer up.exe"; \ content:" 5F75702E "; depth:250; flags:a+; classtype: misc-activity; \ sid: ; rev:3) Three step processing of captured information (capturing is done by libpcap): Preprocessing (normalized and reassembled packets) Detection Engine works on the data and decides what action should be taken Action is taken (log, alert, pass) Modular structure allows to change many parts as Preprocessor, Detection, Action Modules [NetSec], WS 2005/
25 Anomaly Detection Based on the analysis of long-term and short-term traffic behavior Working principles Scan for anomalies in Traffic behavior Protocol behavior Application behavior Pros Recognizes unknown attacks as well Cons False-positive rate might be high Examples PHAD/ALAD, Emerald [NetSec], WS 2005/
26 Anomaly Detection (2) Generic anomaly detection system Source: [Estevez-Tapiador2004] [NetSec], WS 2005/
27 Anomaly Detection (3) Source: [Estevez-Tapiador2004] [NetSec], WS 2005/
28 Anomaly Detection (4) Classification criteria Source: [Estevez-Tapiador2004] [NetSec], WS 2005/
29 ALAD Application Layer Anomaly Detection (ALAD) [Mahoney2002] Extension to PHAD Five models: 1. P(src IP dest IP) Learns normal set of clients for each host, i.e. the set of clients allowed on a restricted service 2. P(src IP dest IP, dest port) Like (1), but one model for each server on each host 3. P(dest IP, dest port) Learns the set of local servers which normally receive requests 4. P(TCP flags dest port) Learns the set of TCP flags for all packets of a particular connection 5. P(keyword dest port) Examines the text in the incoming request (first 1000 bytes) [NetSec], WS 2005/
30 Defense Taxonomy Source: [Mircovic2004] [NetSec], WS 2005/
31 Defense Challenges Need for a distributed response at many points on the Internet Coordinated response is necessary for successful countermeasures Economic and social factors Deployment of response systems at parties that do not suffer direct damage from the DDoS attack Lack of detailed information Thorough understanding of attacks is required Lack of defense system benchmarks Difficulty of large-scale testing [NetSec], WS 2005/
32 Attack Prevention / Counteracting Anti-Spoof Mechanisms Filtering of forged packets Cryptographic authentication Traceback Counteracting DDoS attacks Counteracting TCP SYN flood Distributed Firewalling Congestion control [NetSec], WS 2005/
33 Address Spoofing The Spoofing Problem: Packet routing in IP networks is based on destination address information only, correctness of source address is not verified Most (D)DoS attacks consist of packets with spoofed or faked source addresses in order to disguise the identity of the attacking systems Identification of the attacking systems is needed for installing efficient defense mechanisms Some detection mechanisms also require valid information about the attack sources Further issues: legal prosecution of attackers and prevention of new attacks [NetSec], WS 2005/
34 Anti-Spoof Mechanisms Filtering of forged packets Ingress filtering: implementation of anti-spoof ACLs based on (static/dynamic) knowledge about own IP address range RPF: reverse path forwarding, known from multicast routing, fails for dynamic load-balancing SAVE: source address validity enforcement protocol [Li2002] Associates interfaces with valid source address ranges Also useful for RPF check, e.g. for multicast routing Cryptographic authentication IPSec authentication, problem: key management Traceback Real-time / Forensic methods Most promising solution! [NetSec], WS 2005/
35 Traceback (1) Goal: Identify the source address (or at least the ingress point) and the attack path of a packet without relying on the source address information Challenges: Short path reconstruction time Processing and storage requirements Scalability Compatibility with existing protocols [NetSec], WS 2005/
36 Traceback (2) Taxonomy of traceback mechanisms Traceback active passive packet insertion packet marking network reconfig. packet logging flow logging link testing backscatter analysis [NetSec], WS 2005/
37 Packet Insertion ICMP traceback (ITrace) [Bellovin2000]: For 1 out of packets, routers send an ITrace message with router ID and information about original packet to the same destination packet P R1 R2 ITrace(R1, P) If a flow contains enough packets, the destination is likely to receive ITrace messages from every router on the path. Limitations: Router infrastructure has to be modified Requires large number of packets/flow long t.b. time for distributed low-rate attacks Destination has to store original packets for later comparison with ITrace message ITrace messages need to be authenticated, e.g. using PKI Inserted ICMP packets may influence network behavior ICMP traffic is often rate-limited by routers and preferentially dropped during congestion [NetSec], WS 2005/
38 TCP-SYN flood >90% of DDoS attacks use TCP [Moore2001] Several defense mechanisms SYN cache, SYN cookies, SynDefender, SYN proxying, stateful, have to be installed at victims FW, rely on traceback Flooding detection system (FDS) [Wang2002] Stateless, low computation overhead Relies on SYN-FIN/RST pairs Uses CUSUM (cumulative sum) algorithm Automated model approach [Tupakula2004] Controller-agent model #SYN - #ACK > limit? Agent sends an alarm to the controller Central controller verifies alarm signatures and issues countermeasures Basic idea: detection, source identification, firewall configuration [NetSec], WS 2005/
39 SYN Flood Protection (3) Reminder: Regular TCP 3-Way Handshake The client sends a TCP SYN message seq number = x (chosen by the client) client server ACK flag = 0 SYN seq=x SYN flag = 1 The server allocates a memory for the Transmission Control Block (TCB) The server sends a TCP SYN ACK SYN seq=y, ACK x+1 seq number = y (chosen by the server) ack number = x + 1 ACK flag = 1 ACK y+1 SYN flag = 1 The client sends a CONNECT ACK connection seq number = x + 1 established ack number = y + 1 ACK flag = 1 SYN flag = 0 The handshake ensures that both sides are ready to transmit data. [NetSec], WS 2005/
40 SYN Flood Protection: TCP SYN cookies (1) SYN cookies as a reaction to an attack SYN cookies are a particular choice of the initial seq number. The server generates the initial sequence number α such as: α = h(s SYN, D SYN, K) S SYN : src addr of the SYN packet D SYN : addr of the server K: a secret key h is a cryptographic hash function. At arrival of the ACK message, the server calculates α again. Then, it verifies if the ack number is correct. If yes, it assumes that the client has sent a SYN message recently (considered as normal behavior), and allocates TCB memory. client SYN seq=x SYN seq= α, ACK x+1 server No resources are allocated here ACK α +1 connection established [NetSec], WS 2005/
41 References [Estevez-Tapiador2004] J. M. Estevez-Tapiador, P. Garcia-Teodoro, and J. E. Diaz-Verdejo, "Anomaly detection methods in wired networks: a survey and taxonomy," Computer Communications, vol. 27, July 2004, pp [Kemmerer2002] R. Kemmerer and G. Vigna, "Intrusion Detection: A Brief History and Overview," IEEE Computer - Special Issue on Security and Privacy, April 2002, pp [Lee2004] R. B. Lee, "Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures," Princeton University, Technical Report, [Li2002] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, "SAVE: Source Address Validity Enforcement Protocol," Proceedings of IEEE Infocom 2002, New York, USA, June [Mirkovic2004] J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Computer Communication Review, vol. 34, April 2004, pp [Paxson1999] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Computer Networks, vol. 31, December 1999, pp [Porras1997] P. A. Porras and P. G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances," Proceedings of National Information Systems Security Conference, October [Roesch1999] M. Roesch, "Snort: Lightweight Intrusion Detection for Networks," Proceedings of 13th USENIX Conference on System Administration, 1999, pp [Tupakula2004] U. K. Tupakula, V. Varadharajan, and A. K. Gajam, "Counteracting TCP SYN DDoS Attacks using Automated Model," Proceedings of IEEE Globecom 2004, Dallas, TX, USA, December [Wang2002] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN Flooding Attacks," Proceedings of IEEE INFOCOM 2002, [Yegneswaran2003] V. Yegneswaran, P. Barford, and J. Ullrich, "Internet Intrusions: Global Characteristics and Prevalence," Proceedings of ACM SIGMETRICS, June [NetSec], WS 2005/
Chapter 16 Attack Detection and Prevention
Chapter 16 Attack Detection and Prevention Attack Overview, Taxonomy, and Examples Attack Detection Principles of Intrusion Detection Systems Distributed attack detection Attack Prevention [NetSec], WS
More informationNetwork Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention
Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Part I: Attack Prevention Network Security Chapter 9 Attack prevention, detection and response Part Part I:
More informationChapter 15 Attack Detection
Computer and Communication Systems (Lehrstuhl für Technische Informatik) Chapter 15 Attack Detection Principles of Intrusion Detection Systems Categories Detection quality Tools [NetSec] Summer 2012 Attack
More informationChapter 15 Attack Detection
Chapter 15 Attack Detection Principles of Intrusion Detection Systems Categories Detection quality Tools [NetSec], WS 2008/2009 15.1 Introduction Definition: Intrusion An Intrusion is unauthorized access
More informationOverview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks
More informationFirewalls and Intrusion Detection
Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall
More informationCS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
More informationCSCI 4250/6250 Fall 2015 Computer and Networks Security
CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP
More informationIDS / IPS. James E. Thiel S.W.A.T.
IDS / IPS An introduction to intrusion detection and intrusion prevention systems James E. Thiel January 14, 2005 S.W.A.T. Drexel University Overview Intrusion Detection Purpose Types Detection Methods
More informationIntroduction of Intrusion Detection Systems
Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
More informationFirewalls, Tunnels, and Network Intrusion Detection. Firewalls
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
More informationCS 356 Lecture 16 Denial of Service. Spring 2013
CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter
More informationSecurity: Attack and Defense
Security: Attack and Defense Aaron Hertz Carnegie Mellon University Outline! Breaking into hosts! DOS Attacks! Firewalls and other tools 15-441 Computer Networks Spring 2003 Breaking Into Hosts! Guessing
More informationTECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS
TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor
More informationIntrusion Detection System Based Network Using SNORT Signatures And WINPCAP
Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of
More informationCHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM
59 CHAPETR 3 DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM 3.1. INTRODUCTION The last decade has seen many prominent DDoS attack on high profile webservers. In order to provide an effective defense against
More informationFirewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles
Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations
More informationSecurity vulnerabilities in the Internet and possible solutions
Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in
More informationChapter 8 Security Pt 2
Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,
More informationDistributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by
More informationco Characterizing and Tracing Packet Floods Using Cisco R
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
More informationSecurity Technology White Paper
Security Technology White Paper Issue 01 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without
More informationA1.1.1.11.1.1.2 1.1.1.3S B
CS Computer 640: Network AdityaAkella Lecture Introduction Networks Security 25 to Security DoS Firewalls and The D-DoS Vulnerabilities Road Ahead Security Attacks Protocol IP ICMP Routing TCP Security
More informationFirewalls. Chapter 3
Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border
More informationTIME SCHEDULE. 1 Introduction to Computer Security & Cryptography 13
COURSE TITLE : INFORMATION SECURITY COURSE CODE : 5136 COURSE CATEGORY : ELECTIVE PERIODS/WEEK : 4 PERIODS/SEMESTER : 52 CREDITS : 4 TIME SCHEDULE MODULE TOPICS PERIODS 1 Introduction to Computer Security
More informationSecure Software Programming and Vulnerability Analysis
Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview
More informationCS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module
CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human
More informationFirewalls, IDS and IPS
Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not
More information1. Firewall Configuration
1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets
More informationWHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems
WHITE PAPER FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems Abstract: Denial of Service (DoS) attacks have been a part of the internet landscape for
More informationDistributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment
Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment Keyur Chauhan 1,Vivek Prasad 2 1 Student, Institute of Technology, Nirma University (India) 2 Assistant Professor,
More informationIntrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12
Intrusion Detection Systems and Supporting Tools Ian Welch NWEN 405 Week 12 IDS CONCEPTS Firewalls. Intrusion detection systems. Anderson publishes paper outlining security problems 1972 DNS created 1984
More informationFirewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)
s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware
More informationHow To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)
Security principles Firewalls and NAT These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) Host vs Network
More informationFIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall
More informationDos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)
Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Signature based IDS systems use these fingerprints to verify that an attack is taking place. The problem with this method
More informationFIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others
FIREWALLS FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN flooding: attacker
More informationIDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for
Intrusion Detection Intrusion Detection Security Intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts
More informationCS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24
Introduction to Computer Networks Lecture24 Network security (continued) Key distribution Secure Shell Overview Authentication Practical issues Firewalls Denial of Service Attacks Definition Examples Key
More informationHögskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :
Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh Written Exam in Network Security ANSWERS May 28, 2009. Allowed aid: Writing material. Name (in block letters)
More informationSY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.
system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped
More information20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7
20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic
More informationNetwork Based Intrusion Detection Using Honey pot Deception
Network Based Intrusion Detection Using Honey pot Deception Dr.K.V.Kulhalli, S.R.Khot Department of Electronics and Communication Engineering D.Y.Patil College of Engg.& technology, Kolhapur,Maharashtra,India.
More informationChapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall
Figure 5-1: Border s Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Border 1. (Not Trusted) Attacker 1 1. Corporate Network (Trusted) 2 Figure
More informationHow To Protect Your Network From Attack From A Hacker On A University Server
Network Security: A New Perspective NIKSUN Inc. Security: State of the Industry Case Study: Hacker University Questions Dave Supinski VP of Regional Sales Supinski@niksun.com Cell Phone 215-292-4473 www.niksun.com
More informationNetwork Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion
Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann
More informationIntrusion Detection for Mobile Ad Hoc Networks
Intrusion Detection for Mobile Ad Hoc Networks Tom Chen SMU, Dept of Electrical Engineering tchen@engr.smu.edu http://www.engr.smu.edu/~tchen TC/Rockwell/5-20-04 SMU Engineering p. 1 Outline Security problems
More informationINTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad
INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad OUTLINE Security incident Attack scenario Intrusion detection system Issues and challenges Conclusion
More informationNetworks: IP and TCP. Internet Protocol
Networks: IP and TCP 11/1/2010 Networks: IP and TCP 1 Internet Protocol Connectionless Each packet is transported independently from other packets Unreliable Delivery on a best effort basis No acknowledgments
More informationComparing Two Models of Distributed Denial of Service (DDoS) Defences
Comparing Two Models of Distributed Denial of Service (DDoS) Defences Siriwat Karndacharuk Computer Science Department The University of Auckland Email: skar018@ec.auckland.ac.nz Abstract A Controller-Agent
More informationAbstract. Introduction. Section I. What is Denial of Service Attack?
Abstract In this report, I am describing the main types of DoS attacks and their effect on computer and network environment. This report will form the basis of my forthcoming report which will discuss
More informationIntrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)
1 of 8 3/25/2005 9:45 AM Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Intrusion Detection systems fall into two broad categories and a single new one. All categories
More informationDenial Of Service. Types of attacks
Denial Of Service The goal of a denial of service attack is to deny legitimate users access to a particular resource. An incident is considered an attack if a malicious user intentionally disrupts service
More informationChapter 16 Attack Mitigation and Countermeasures
Chapter 16 Attack Mitigation and Countermeasures Defense techniques TCP SYN flood, ICMP/UDP flood IP address spoofing and traceback Firewalls [NetSec], WS 2007/2008 16.1 Defense Taxonomy Source: [Mircovic2004]
More informationBarracuda Intrusion Detection and Prevention System
Providing complete and comprehensive real-time network protection Today s networks are constantly under attack by an ever growing number of emerging exploits and attackers using advanced evasion techniques
More informationFirewalls Netasq. Security Management by NETASQ
Firewalls Netasq Security Management by NETASQ 1. 0 M a n a g e m e n t o f t h e s e c u r i t y b y N E T A S Q 1 pyright NETASQ 2002 Security Management is handled by the ASQ, a Technology developed
More informationFirewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.
Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and
More informationStrategies to Protect Against Distributed Denial of Service (DD
Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics
More informationTrack 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT
Track 2 Workshop PacNOG 7 American Samoa Firewalling and NAT Core Concepts Host security vs Network security What is a firewall? What does it do? Where does one use it? At what level does it function?
More informationLinux Network Security
Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols
More informationCMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis
CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems
More information1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?
Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against
More informationChapter 16 Attack Mitigation and Countermeasures
Computer and Communication Systems (Lehrstuhl für Technische Informatik) Chapter 16 Attack Mitigation and Countermeasures Defense techniques IP address spoofing and traceback Firewalls [NetSec] Summer
More informationIntrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of
Intrusion Detection Tianen Liu May 22, 2003 I. Abstract Computers are vulnerable to many threats. Hackers and unauthorized users can compromise systems. Viruses, worms, and other kinds of harmful code
More informationDDoS Protection Technology White Paper
DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of
More informationSurvey on DDoS Attack Detection and Prevention in Cloud
Survey on DDoS Detection and Prevention in Cloud Patel Ankita Fenil Khatiwala Computer Department, Uka Tarsadia University, Bardoli, Surat, Gujrat Abstract: Cloud is becoming a dominant computing platform
More informationFirewalls. Ahmad Almulhem March 10, 2012
Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network
More informationDefending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial
Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks
More informationA Review of Anomaly Detection Techniques in Network Intrusion Detection System
A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In
More informationDenial of Service. Tom Chen SMU tchen@engr.smu.edu
Denial of Service Tom Chen SMU tchen@engr.smu.edu Outline Introduction Basics of DoS Distributed DoS (DDoS) Defenses Tracing Attacks TC/BUPT/8704 SMU Engineering p. 2 Introduction What is DoS? 4 types
More informationArchitecture Overview
Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and
More information7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?
7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk
More informationNetwork- vs. Host-based Intrusion Detection
Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477
More informationGuide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst
INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security
More informationCS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013
CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access
More informationApplication Security Backgrounder
Essential Intrusion Prevention System (IPS) & DoS Protection Knowledge for IT Managers October 2006 North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International
More informationFirewall Firewall August, 2003
Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also
More informationDenial of Service Attacks, What They are and How to Combat Them
Denial of Service Attacks, What They are and How to Combat Them John P. Pironti, CISSP Genuity, Inc. Principal Enterprise Solutions Architect Principal Security Consultant Version 1.0 November 12, 2001
More informationDDoS Overview and Incident Response Guide. July 2014
DDoS Overview and Incident Response Guide July 2014 Contents 1. Target Audience... 2 2. Introduction... 2 3. The Growing DDoS Problem... 2 4. DDoS Attack Categories... 4 5. DDoS Mitigation... 5 1 1. Target
More informationCIT 480: Securing Computer Systems. Firewalls
CIT 480: Securing Computer Systems Firewalls Topics 1. What is a firewall? 2. Types of Firewalls 1. Packet filters (stateless) 2. Stateful firewalls 3. Proxy servers 4. Application layer firewalls 3. Configuring
More informationFirewalls, NAT and Intrusion Detection and Prevention Systems (IDS)
Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS) Internet (In)Security Exposed Prof. Dr. Bernhard Plattner With some contributions by Stephan Neuhaus Thanks to Thomas Dübendorfer, Stefan
More informationFinal exam review, Fall 2005 FSU (CIS-5357) Network Security
Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection
More informationModule II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University
Module II. Internet Security Chapter 7 Intrusion Detection Web Security: Theory & Applications School of Software, Sun Yat-sen University Outline 7.1 Threats to Computer System 7.2 Process of Intrusions
More informationCSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls
CSE 4482 Computer Security Management: Assessment and Forensics Protection Mechanisms: Firewalls Instructor: N. Vlajic, Fall 2013 Required reading: Management of Information Security (MIS), by Whitman
More informationKeywords Attack model, DDoS, Host Scan, Port Scan
Volume 4, Issue 6, June 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com DDOS Detection
More informationAnalysis of Automated Model against DDoS Attacks
Analysis of Automated Model against DDoS Attacks Udaya Kiran Tupakula Vijay Varadharajan Information and Networked Systems Security Research Division of Information and Communication Sciences Macquarie
More informationLecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.
Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls. 1 Information systems in corporations,government agencies,and other organizations
More informationChapter 8 Network Security
[Computer networking, 5 th ed., Kurose] Chapter 8 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 84Securing 8.4 e-mail 8.5 Securing TCP connections: SSL 8.6 Network
More informationClient Server Registration Protocol
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More informationFirewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT
Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of
More informationFirewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls
CEN 448 Security and Internet Protocols Chapter 20 Firewalls Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa
More informationChapter 9 Firewalls and Intrusion Prevention Systems
Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish
More informationNETWORK SECURITY (W/LAB) Course Syllabus
6111 E. Skelly Drive P. O. Box 477200 Tulsa, OK 74147-7200 NETWORK SECURITY (W/LAB) Course Syllabus Course Number: NTWK-0008 OHLAP Credit: Yes OCAS Code: 8131 Course Length: 130 Hours Career Cluster: Information
More informationChapter 4: Security of the architecture, and lower layer security (network security) 1
Chapter 4: Security of the architecture, and lower layer security (network security) 1 Outline Security of the architecture Access control Lower layer security Data link layer VPN access Wireless access
More informationHow To Protect Your Network From Attack From Outside From Inside And Outside
IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles
More informationCSCI 454/554 Computer and Network Security. Topic 8.4 Firewalls and Intrusion Detection Systems (IDS)
CSCI 454/554 Computer and Network Security Topic 8.4 Firewalls and Intrusion Detection Systems (IDS) Outline Firewalls Filtering firewalls Proxy firewalls Intrusion Detection System (IDS) Rule-based IDS
More informationName. Description. Rationale
Complliiance Componentt Description DEEFFI INITION Network-Based Intrusion Detection Systems (NIDS) Network-Based Intrusion Detection Systems (NIDS) detect attacks by capturing and analyzing network traffic.
More informationinformation security and its Describe what drives the need for information security.
Computer Information Systems (Forensics Classes) Objectives for Course Challenges CIS 200 Intro to Info Security: Includes managerial and Describe information security and its critical role in business.
More information