A S B

Transcription

1 CS Computer 640: Network AdityaAkella Lecture Introduction Networks Security 25 to Security DoS Firewalls and The D-DoS Vulnerabilities Road Ahead Security Attacks Protocol IP ICMP Routing TCP Security Suite Problems Steve Vulnerabilities Application Attacks Attacks Different Layer Attacks in the Layers Bellovin, TCP/IP

2 Host TCP/IP Had Assumed Security Software its was Why origins to designed have the lots an innocent Flaws? Some left implementation to elements the not bugs implementers intrinsic the vulnerabilities of specification to for trust design connectivity worldwere Using The Address IP addresses Security spoofingare filled Flaws in by in originating IP Internet r-utilities source (rlogin, address C rsh, rhostsetc..) for authenticationhost A S B Can server ARP Much Source A C claim S? Spoofing harder it Routing? is B to the IP Traffic End IP Problems? all fragmentation allows the Security hosts amplification fragments broadcast need attack to arrive Flaws keep attack destination the fragments IPtill 2

3 Attacking SystemPing Flood Internet System Victim Broadcast Enabled Network No ICMP authentication redirect ICMP message Attacks Many Can php Man more cause destination middle host unreachable attack, to switch drop sniffing connection gateways Link BGP Distance Can Announce Blackholetraffic Eavesdrop State claim Vector links direct Routing 0 distance randomly link Routing to any all other Attacks ASescan Could bit harder even announce alter happen path attack due arbitrary to than misconfigurations DV prefix nodes router 3

4 Issues? needs TCP to keep Attacks Server and y+1recognizes Client waiting based for on ACK IP address/port y+1 TCP Exploit SYN TCP state Flooding Layer allocated Attacks at server after Client Send Server Finite Once initial connections requests a the queue SYN will queue packet wait (1024) and size is don t for full 511 incomplete reply it seconds doesn t with accept for ACK ACK TCP When How Inject Address/Port/Sequence Sniff Guess Session Many to TCP is arbitrary traffic get a earlier TCP sequence Hijack Layer systems packet data had number? Attacks to valid? Number predictable the connection in ISN window SYN y ACK x+1 SYN x ACK y+1 Server 4

5 TCP Send Do number? Will Anywhere For About Session you TCP RST 64k tear have 15 window packet down seconds Poisoning Layer to window guess connection it for takes a the Attacks fine T1 64k exact packets sequence to reset Applications Authentication DNS FTP, don t information Layer authenticate Attacks DNS insecurity Telnet, poisoning zone transfer POP in clear properly Finger showmount e Send Shimomura packets (S) to An S Finger Showmount-e Example SYN Mitnick Attack What Determine Trusted other when ISN systems no (T) one behavior is it around trusts? 5

6 Finger showmount e Send@SShimomura(S) An Example SYN flood 20 SYN T packets to SMitnickSynfloodX Attack What Determine T won t Trusted(T) other when respond ISN systems no one behavior to packets is it around trusts? Finger showmount An Mitnick(M) Example SYN T Send flood 20 SYN SYN T packets spoofing to as SSYNSYN ACK guessed ACK number to S with a Attack What Determine T S with won t assumes TX trusted other when respond that ISN systems no (T) it one behavior to has packets is it a around trusts? session Finger showmount e SYN@SShimomura(S) An Example T Send guessed flood 20 ACK echo number to T+ S + packets > with spoofing ~/.rhosts a to as S++ > Mitnick rhosts Attack What Determine T S with Give anywhere won t assumes Tpermission Trusted other when respond X that ISN systems no (T) it one to behavior has anyone packets is it a around trusts? session from 6

7 Objective Consume by TCP overloading Denial make the server a of service Service UDP ICMP SYN ECHO floods host bandwidth floods (ping) resources floodsor unusable, networkusually Crashing Forcing Ping-of-Death TCP Taking options more slow Denial the path (unused, victim computation in processing of or used Service incorrectly) of packets The Easy source Attacker to address blockusually to VictimVictimVictim hide Simple spoofed originattacker DoS 7

8 Coordinated Attacker VictimVictimVictim AttackerDoS The Harder first Attacker to attacker deal usually withattacks spoofed a different source address victim to cover hide origin up the real attack AgentAgentAgentAgentAgent Distributed HandlerHandler AttackerDoS Victim The Very How Crowd? Easy Already Flash handlers agents to hide infected Distributed are the are usually attack and the packets home agent very users installed high DoS Generally Slashdot Victoria difficult Crowd differentiate the Secret Effect Many to flash track Webcast crowd clients between down disappears using the DDoS a service attacker when volume with and the legitimately DSL/Cable Flash servers Sources flooded Also, requests in flash crowd have a pattern are clusterednetwork is 8

9 Network Traffic Destination Indicate Routers Sink Scrub, Capabilities decision DDoS explicitly by inserting decides Defenses Issues? packets all Scrubbers scrub, traffic en route scrub to check a back-end for valid whether capabilities in or not in to packets subsequent allow Lots Users Solution? Lots Limit of don t vulnerabilities keep Firewalls Put Don t Trust firewalls of access trust patches exploits insiders(!!!) outsiders to across the in systems wild network the (no on perimeter hosts patch up to for in date of network them) network Firewall Has Allows Drops Two Packet a pre-defined traffic inspects Firewalls specified traffic policyin through (contd ) Internet Types everything Filters, Proxies elsefirewallthe policy itinternal Network 9

10 Packet Usually Can one and screening packet network filter Packet interface selectively Filters harder routers internal be done filtering to router detect networks by within a bridge dedicated and a attack router to passes another than network between screening packets element external from Data Actions IP Transport TCP/UDP ICMP Packet Allow Drop source Available Packet message options source and protocol destination type (Fragment and Filters (TCP, destination UDP, Size addresses Contd. Alter Log information the Available packet about (Notify to (NAT?) go the through Sender/Drop packet or etc.) ports ICMP) Silently) Example Block SMTP domain Packet all servers filters packets traffic connections Filters to from a list from outside of Contd. a domains specified except for 10

11 Internal External DMZ Advantages? access Intranet Internet Typical and hosts DMZ hosts only Internet can only, Firewall can access not access Configuration If compromised cannot hosts a service affect gets in internal DMZ it Internet Stateless Rules If All action Example a (Condition, rules are condition is processed checked taken packet satisfied Firewall filtering Action) in top-down for a firewall Rules packet order Allow Sample Firewall Rule SSH-2 SSH-1 Rule Two How AckSet? Problems? Inbound: Outbound: Protocol=TCP SSH Dir rules know from Src Addr Ext and Int src-port>1023, a src-port=22, packet outbound external > Src Port 1023Ext Client is for dst-port>1023 Dst hosts Addr dst-port=22 SYN/ACK Int SSH? > Dst to internal Port 22TCP Server ProtoAck hosts Set?Action Any Yes Allow X Intranet X DMZ 11

12 Default Egress Ingress Benefits? Why? Outbound Inbound Default Deny Filtering Traffic traffic from Firewall internal external address Drop Rules EgressInInt IntDst Port RuleOut Any DirSrc Addr Any ExtSrc Port AnyDst AddrProtoAck ExtAny AnySet?Action AdvantagesPacket Filters Deny Disadvantages What Transparent Simple Usually Very Doesn t Does Who hard the packet port fail have to 22 open fix? user to enough configure always filters application/user accessing mean information can the SSH? the be rules SSH? efficient to take actions Stateful Keep Easier More Problems? the popular to explosion for packet connection specify Alternatives UDP/ICMP? filters rules states connection level 12

13 Proxy Requires Two connections Firewalls Alternatives linked the Either Or SOCKS HTTP proxy at libraries) at proxy applications transport to instead level be level (or modified of dynamically oneto use Data Advantages? Disadvantages? Application User Better Fail Available closed information policy logging level Proxy enforcement information Firewall Doesn t One Client proxy modification perform each as well application TCP/IP DOS Firewalls Spoofing Flooding TCP and session security D-DOS attacks poisoning Summary Packet ProxyFiltersvulnerabilities 13