SysSec 7 Network Security. Aurélien Francillon
Slide 1: SysSec 7 Network Security (Aurélien Francillon)

Slide 2: News of the week
Slide 3: (no transcribed text)

Slide 4: Overview
- Reconnaissance: discovering topology and servers
  - Using network tools
  - Fingerprinting
- Offensive
  - Man In The Middle attacks, bugs, attacks on routing
  - Bypassing network restrictions, denial of service
Slide 5: Network Reconnaissance

Slide 6: Reconnaissance
- Network reconnaissance is always a first step
- Tools: Nmap, Hping2, Netcat
- Understanding open/filtered ports
- What services are running
- Discovering machines
Slide 7: Reconnaissance
- Network reconnaissance is always a first step
- Public databases are always a good start: whois iseclab.org, dig iseclab.org, whois
- Zone transfers? If very lucky: dig axfr
- See (link not transcribed)

Slide 8: Reconnaissance
- Robtex: the Internet swiss army knife
- GeoIP: approximate physical location of an IP address (more accurate solutions exist)
- Finger: directory service to provide information about users; almost not used anymore
Slide 9: Scanning
- Basics: send a TCP SYN packet
  - Closed port: replies with a RST
  - Open port: replies with SYN/ACK
  - Filtered port: nothing back, or an ICMP error packet
- Example: nmap -A -T4 scanme.nmap.org
- Smarter techniques: OS detection, idle scan

Slide 10: Idle Scan
- 2 main purposes: stealth, reconnaissance
- A port may be blocked for you on the server, but maybe not for the zombie? Idle scan allows you to discover this
Slide 11: Scanning for vulnerabilities directly
- Nessus / OpenVAS
- Has a list of tests for discovering daemon type, version, kind of service, options set, etc.
- Has a list of associated vulnerabilities
- Will check them automatically and generate reports
- Client/server side can be programmed to run regularly
- Useful for: network administrators, to check for vulnerabilities on the network; lazy attackers, to find an attack point!

Slide 12: Routing, AS, etc.
- The Internet is a set of Autonomous Systems (AS), e.g. Renater, France Telecom, Proxad (free)
- They are interconnected by links between their routers
- BGP is the protocol used to know on which links to send packets depending on their destination
- Some of the BGP/AS information is publicly available: whois records, looking glasses
Slide 13: Network Attacks

Slide 14: Denial of Service Attacks
- DoS is an attack that aims at disrupting a service such that none of the customers can enjoy the service
- The consequence of flooding or vulnerability attacks
  - Flooding: an attack that consumes the application resources at such a rate that the service becomes unresponsive
  - In a vulnerability attack, a vulnerability causes the application to crash or go into an infinite loop
- How common is DoS? Answer: very common. Research showed ~4,000 reported attacks in a week (and most attacks go unreported)
- How likely are you to be a victim of DoS? A report showed 25% of large companies suffer DoS attacks at some point

Slide 15: Denial of Service Attacks, DDoS
- DDoS: Distributed Denial of Service
- Attacking machines are called daemons, slaves, zombies or agents. Zombies are usually poorly secured machines that have been exploited
- Machines that control and command the zombies are called masters or handlers
- The attacker would like to hide their trace: they hide behind machines called stepping stones
Slide 16: (no transcribed text)

Slide 17: Denial of Service Amplification
- A DoS attacker may look for:
  - Network reflectors: to hide the source of the attack and prevent blocking it, e.g. an ICMP reply to a forged source address
  - Network amplifiers: to perform efficient DoS. Find a service that replies with N packets when 1 packet is sent with a forged source; this amplifies the DoS

Slide 18: Denial of Service Amplification Examples
- SYN flood with forged source address
- Smurf attack: e.g. send a ping packet to a broadcast address (x.x.x.255)
- DNS can generate many requests when the server is asked about a record not in cache
- DNSSEC packets are much larger
Slide 19: Denial of Service Attacks
- Web applications are particularly susceptible to denial of service attacks
- A web application can't easily tell the difference between an attack and ordinary traffic
- Because there is no reliable way to tell whom an HTTP request is coming from, it is very difficult to filter out malicious traffic
- Slashdot effect
- Most web servers can handle several hundred concurrent users under normal use, but a single attacker can still generate enough traffic from a single host to swamp many applications
- Defending against denial of service attacks is difficult and only a small number of limited solutions exist

Slide 20: Who are the attackers?
- Research has shown that the majority of attacks are launched by script-kiddies
  - Such attacks are easier to detect and defend against
  - Kids use readily available tools to attack, e.g. the LOIC tool
- Some DoS attacks, however, are highly sophisticated and very difficult to defend against
Slide 21: Denial of Service Attacks: Defenses, IP layer
- Drop IP connections from a list of IP addresses; put in the list those that send too many SYNs
- Firewall: rate limiting, broadcast packets...
- Reroute BGP to a provider with lots of bandwidth, e.g. the Spamhaus event: (link not transcribed)

Slide 22: Denial of Service Attacks: Defenses, HTTP layer
- Change the DNS to a CDN (Content Distribution Network)
  - With a lot of bandwidth
  - Caches HTTP requests
  - Applies filtering rules (OWASP), e.g., Akamai: ml (link truncated in transcription)
- Limit complex requests in complexity per IP

Slide 23: Denial of Service Attacks: Other Defenses
- Use a CAPTCHA if a human is expected to interact; but they are annoying and, after all, not that hard to guess by machines
- Use a cryptographic puzzle: some challenges are slow to compute by the client but fast to verify by the server; sent by the server to the client before handling any further request; not very efficient against DDoS
- Make sure your hosts are patched against DoS vulnerabilities
- Anomaly detection and behavioral models
- Ingress filtering
- Firewall: rate limiting, broadcast packets
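The cryptographic puzzle of slide 23, as an added example that is not part of the lecture: the server hands out an HMAC-authenticated challenge (so it keeps no state per client), the client must find a nonce whose SHA-256 with the challenge has a given number of leading zero bits, and the server verifies with a single hash while rejecting expired, foreign and replayed challenges. The difficulty, the TTL and the challenge layout are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

# Assumed parameters (not from the slides): 12 bits means a client spends
# ~4096 SHA-256 evaluations on average, while the server spends one.
DIFFICULTY_BITS = 12
TAG_LEN = 16


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


class PuzzleServer:
    """Issues client puzzles before doing any expensive work for a request.

    The challenge is self-authenticating (HMAC under a server secret), so the
    server stores nothing per client until a valid solution arrives."""

    def __init__(self, difficulty: int = DIFFICULTY_BITS, ttl: int = 30):
        self.key = secrets.token_bytes(32)   # server secret, never sent out
        self.difficulty = difficulty
        self.ttl = ttl                       # seconds a challenge stays valid
        self.spent = set()                   # solved challenges (anti-replay)

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]

    def issue(self, client_ip: str, now: Optional[float] = None) -> bytes:
        """Challenge = timestamp || nonce || client IP || HMAC tag."""
        ts = int(time.time() if now is None else now)
        body = struct.pack("!Q", ts) + secrets.token_bytes(8) + client_ip.encode()
        return body + self._tag(body)

    def verify(self, client_ip: str, challenge: bytes, solution: bytes,
               now: Optional[float] = None) -> bool:
        ts_now = int(time.time() if now is None else now)
        body, tag = challenge[:-TAG_LEN], challenge[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(body)):
            return False                     # not issued by us, or tampered
        issued = struct.unpack("!Q", body[:8])[0]
        if ts_now - issued > self.ttl or body[16:] != client_ip.encode():
            return False                     # expired, or bound to another client
        if challenge in self.spent:
            return False                     # replayed solution
        work = hashlib.sha256(challenge + solution).digest()
        if leading_zero_bits(work) < self.difficulty:
            return False                     # client did not do the work
        self.spent.add(challenge)            # entries older than ttl can be pruned
        return True


def solve(challenge: bytes, difficulty: int = DIFFICULTY_BITS) -> Tuple[bytes, int]:
    """Client side: brute-force a counter until the hash has enough leading zeros.
    Returns the solution and the number of hashes it cost."""
    counter = 0
    while True:
        solution = struct.pack("!Q", counter)
        if leading_zero_bits(hashlib.sha256(challenge + solution).digest()) >= difficulty:
            return solution, counter + 1
        counter += 1


if __name__ == "__main__":
    server = PuzzleServer()
    challenge = server.issue("192.0.2.10")          # constructed client address
    solution, cost = solve(challenge)
    print(f"client spent {cost} hashes; server accepts: "
          f"{server.verify('192.0.2.10', challenge, solution)}")
```

The asymmetry is the whole point: raising DIFFICULTY_BITS by one doubles the client's work and leaves the server's single hash unchanged, which is why this helps against one abusive host but, as the slide notes, does little against a distributed flood whose clients each solve only a few puzzles.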
Slide 24: TCP connection-hijacking
- A bit old-school: was used by Kevin Mitnick in 1995, an attack on RSH to gain access on a server, with control of a computer on the network
- Principle of the attack:
  - Impersonate a computer with IP spoofing
  - TCP sequence number guessing to send packets while ignoring responses
  - DoS the spoofed machine to prevent it from resetting the connection

Slide 25: TCP connection-hijacking: RSH
- Remote Shell, ancestor of SSH
- Can be configured to allow/deny connections based on: remote username, IP address
- No crypto in place... but hijacking an IP address is not easy.
Slide 26: TCP connection-hijacking: TCP (figure only)

Slide 27: TCP connection-hijacking: TCP 3-way handshake, establishing a connection (figure; source not transcribed)

Slide 28: TCP connection-hijacking: TCP SYN-flooding
- The server keeps a state for each opening connection in a buffer
- This buffer has a limited size
- (figure: Client sends SYN, Server replies SYN/ACK)
Slide 29: TCP connection-hijacking: IP Spoofing
- Sending packets with a spoofed IP address is as simple as forging the source IP in a crafted packet
  - Usually requires root (raw socket)
  - MAC / IP address forging
- May be blocked by the switch / ISP: this is called ingress filtering
- Packets with a forged IP address: easy to send, but no response is received. Is it still possible to exploit it?

Slide 30: IP address spoofing
- Can be used directly to exploit stateless protocols, e.g., those based only on UDP
- But on TCP, how do we perform the 3-way handshake? We don't receive the response packets, as we don't control the return path...
- How to guess the sequence number / prevent the spoofed host from responding?

Slide 31: Mitnick attack
- DoS the server
- Send packets to the target guessing sequence numbers; if the guess is OK the packets are accepted
- Replies go to the server: not seen by the attacker, and the DoS'ed server will not send an error message
- Used to send a command over RSH: echo + + >>/.rhosts
- Access to the target gained!
Slide 32: (no transcribed text)

Slide 33: ARP Poisoning
- ARP is a protocol to map MAC addresses to IP addresses on Ethernet: "Who has <IP>?" / "<IP> is at <mac>"
- Needed to know where to send IP packets over Ethernet
- This can be abused to inject a wrong MAC address <=> IP address association
- Perform a Man in the Middle on a switched Ethernet network

Slide 34: ARP Poisoning (figure only)
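A defender's view of the ARP poisoning described on slides 33 and 34, as an added example that is not part of the lecture: a monitor that reads ARP replies, pins the gateway's binding, learns the others on first sight, and alerts on the three symptoms of poisoning (a pinned binding contradicted, a learned binding changing, one MAC answering for several IPs). The line format, the addresses and the capture are constructed for this example; it is modelled on tcpdump-style output but is not real capture data.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed line format, modelled on tcpdump's "ARP, Reply <ip> is-at <mac>" output.
ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def scan_arp(lines: List[str], pinned: Dict[str, str]) -> List[str]:
    """Return alerts for ARP replies that look like poisoning.

    pinned: IP -> MAC bindings the operator has fixed for critical hosts
    (typically the default gateway). Other hosts are learned on first sight and
    the first binding is kept, so a poisoner cannot "re-teach" the monitor."""
    learned: Dict[str, str] = {}
    claims = defaultdict(set)        # MAC -> set of IPs it has answered for
    alerts: List[str] = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        claims[mac].add(ip)
        if ip in pinned and pinned[ip] != mac:
            alerts.append(f"PINNED_CONFLICT {ip}: expected {pinned[ip]}, saw {mac}")
        elif ip in learned and learned[ip] != mac:
            alerts.append(f"BINDING_CHANGED {ip}: {learned[ip]} -> {mac}")
        else:
            learned.setdefault(ip, mac)
        # One MAC claiming several IPs is the classic MITM pattern: the attacker
        # answers for both the gateway and the victim (legitimate multi-IP hosts
        # would have to be whitelisted in a real deployment).
        if len(claims[mac]) > 1:
            alerts.append(f"ONE_MAC_MANY_IPS {mac}: {sorted(claims[mac])}")
    return alerts


GATEWAY = {"10.0.0.1": "02:00:00:00:00:01"}   # constructed pinned binding

# Constructed capture: legitimate replies, then a poisoner claims both sides.
SAMPLE_LINES = [
    "ARP, Reply 10.0.0.1 is-at 02:00:00:00:00:01, length 28",
    "ARP, Reply 10.0.0.7 is-at 02:00:00:00:00:07, length 28",
    "ARP, Reply 10.0.0.1 is-at 02:00:00:00:00:66, length 28",
    "ARP, Reply 10.0.0.7 is-at 02:00:00:00:00:66, length 28",
]

if __name__ == "__main__":
    for alert in scan_arp(SAMPLE_LINES, GATEWAY):
        print(alert)
```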
Slide 35: Source routing
- The route taken by TCP/IP packets is determined by the routers' routing tables
- Source routing allows you to bypass this: specify the path that packets should take
- E.g., an authorized host can specify the path (figure: Auth host A, C, D, Server versus Auth host A, B, D, Server)

Slide 36: Source routing
- This allows an attacker to:
  - Discover the network
  - Have its packets go through a specific network path
  - Bypass IP address rules (TCP wrappers)
  - Access computers behind a NAT / private address space
- Solution: always disallow source routing; it works :)
Slide 37: DNS
- Domain Name Service: maps host names to IP addresses on the Internet; makes the Internet more user friendly
- A distributed system
  - Root servers are at fixed IPs (the hints file); they provide the IP addresses of the TLD servers
  - Top Level Domain (.com, .net, .org...) DNS servers provide the IP addresses for domains
  - Etc...

Slide 38: DNS
- Their security is very important: integrity of DNS responses, availability
- SSL certificates certify hostnames, not IP addresses
- No DNS, no Internet :(
- Scalability: extensive caching
Slides 39-46: Recursive DNS Request (animation, figure only)

Slide 47: Recursive DNS Requests
- The record is obtained from the DNS architecture the first time
- It will remain in cache until the TTL times out
- This record must not be corrupted
Slide 48: Kaminsky Attack I
- In 2007 Dan Kaminsky found a serious issue: almost all DNS server implementations were vulnerable to cache poisoning
- Allows inserting malicious information in a cache server
- Attacker-controlled glue records allow forging the DNS server for a domain in the cache

Slide 49: Cache poisoning attacks
- How do we know that the response received is actually a reply to our query?
- Rely on the transaction serial number. Can it be predicted by the attacker?
Slide 50: Normal DNS Request (figure only)

Slide 51: Basic Poisoning Attack Overview (figure only)

Slide 52: DNS Cache poisoning
- The Query ID can be guessed... Solution? They should be random, with good random number generators!
- Randomize the Query ID: a 16-bit field, 64k possibilities
- An attacker has large chances to fail; when it fails, the targeted record is loaded into the cache
Slide 53: Glue records
- There is a chicken-and-egg problem in the DNS system, e.g.: Q: Who is the NS for domain.com? R: ns.domain.com
- We need a glue record: glue records are used when the name server is a host of that domain, and they provide its IP address: Q: Who is the NS for domain.com? R: ns.domain.com, and it is at a.b.c.d

Slide 54: Kaminsky Attack
- Glue records are cached as well. What if we poison a glue record? This completely owns the domain: any hostname of that domain can be forged.
- Query ID randomization? A failed attempt is not a problem, so we can try many times!

Slide 55: Kaminsky Attack Wrap-up (figure only)

Slide 56: DNS cache poisoning
- Very damaging attacks
- Mitigations:
  - Cache servers should not face the Internet, e.g. not be at the same time a cache server and an authoritative server for a domain
  - Randomize: Query ID, source port, host name capitalization
  - DNSSEC: authenticated DNS records
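The arithmetic behind slides 52, 54 and 56, as an added example that is not part of the lecture: how many poisoning races an attacker needs for a 50% chance when guessing the 16-bit Query ID alone, and how the picture changes once the source port and 0x20 capitalization add entropy and once, as Kaminsky observed, a failed race costs nothing. The number of forged replies per race, the port space and the race rates are assumptions for the scenario.

```python
import math

QID_SPACE = 1 << 16     # 16-bit query ID: 64k possibilities (slide 52)
PORT_SPACE = 64_000     # assumption: roughly 64k random source ports usable


def success_per_race(space: int, forged_replies: int) -> float:
    """Probability that one poisoning attempt (one race against the real
    answer) succeeds when the attacker sends `forged_replies` spoofed answers,
    each guessing uniformly among `space` possible (ID, port, ...) values."""
    # 1 - (1 - 1/space)**n, computed with log1p/expm1 to keep precision when space is huge
    return -math.expm1(forged_replies * math.log1p(-1.0 / space))


def races_needed(space: int, forged_replies: int, target: float = 0.5) -> int:
    """Independent attempts needed to reach `target` overall success probability."""
    p = success_per_race(space, forged_replies)
    return math.ceil(math.log(1.0 - target) / math.log1p(-p))


def case_space(name: str) -> int:
    """Extra search space from randomizing the capitalization of the queried
    name (slide 56): one bit per letter, since the answer must echo the case."""
    return 2 ** sum(c.isalpha() for c in name)


def scenario(forged_replies: int = 100) -> dict:
    """Time to 50% success under a constructed scenario (rates are assumptions).

    Pre-Kaminsky: a failed race caches the real record, so one race per TTL.
    Kaminsky: failed races are free (ask for random sub-names), so back-to-back."""
    ttl_seconds = 3600          # assumed TTL of the targeted record
    kaminsky_rate = 10          # assumed races per second when failures are free
    qid = races_needed(QID_SPACE, forged_replies)
    qid_port = races_needed(QID_SPACE * PORT_SPACE, forged_replies)
    qid_port_case = races_needed(QID_SPACE * PORT_SPACE * case_space("www.example.com"),
                                 forged_replies)
    return {
        "qid only, one race per TTL (hours)": qid * ttl_seconds / 3600,
        "qid only, Kaminsky (seconds)": qid / kaminsky_rate,
        "qid + port, Kaminsky (days)": qid_port / kaminsky_rate / 86400,
        "qid + port + 0x20, Kaminsky (years)": qid_port_case / kaminsky_rate / 86400 / 365,
    }


if __name__ == "__main__":
    for label, value in scenario().items():
        print(f"{label:40s} {value:12.1f}")
```

The output shows why the slide's "try many times" breaks a 16-bit ID (well under a minute at the assumed rate) and why port randomization buys weeks rather than seconds; only DNSSEC removes the guessing game altogether.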
Slide 57: The Border Gateway Protocol :: The art of building the Internet
- The Internet is divided into thousands of smaller networks called Autonomous Systems (ASes), each administered by a single entity (e.g., an Internet Service Provider, a company, a university)
- (figure: AS1, AS2, AS3, AS4, AS5)

Slide 58: The Border Gateway Protocol :: The art of building the Internet
- Each AS owns or is responsible for managing a set of network IP addresses (e.g., AS3 is responsible for the IP address block .../16)
- (figure: address blocks per AS; the prefixes were not transcribed)
Slides 59-62: The Border Gateway Protocol :: The art of building the Internet
- The Border Gateway Protocol (BGP) allows ASes to interconnect with each other by exchanging network IP address block reachability information
- BGP glues ASes together to form the Internet
- (animation, figure with physical links and BGP messages between AS1..AS5; prefixes not transcribed)
  - AS3 to AS1, AS4: "I am AS3 and I am responsible for .../16!"
  - AS1 to AS2: "AS3 told me he is responsible for .../16!"
  - AS4 to AS2, AS5: "AS3 told me he is responsible for .../16!"
  - All networks on the Internet can eventually talk to each other!
Slide 63: The Border Gateway Protocol :: The art of building the Internet
- BGP messages record the path of ASes they go through, to avoid routing loops
- (figure: AS35289 Symantec Ltd announces its .../24 as "Network: .../24, AS path: AS35289" to AS702 Verizon and AS5466 Eircom Ltd, who pass it on to the Internet as "AS path: AS702,AS35289" and "AS path: AS5466,AS35289")

Slide 64: The Border Gateway Protocol :: The art of building the Internet
- Inter-AS links reflect the business relationships between their respective owners (e.g., some provide transit connectivity to the Internet to their customers)
- (figure: Internet; (upstream) transit providers AS5466 Eircom Ltd and AS702 Verizon; customer AS35289 Symantec Ltd with its .../24)
Slide 65: BGP hijacking :: The art of breaking the Internet
- Causes
  - The injection of erroneous network reachability information into BGP
  - Trust-based exchange of network reachability information
  - No widely deployed security mechanism yet
- Effects
  - Blackhole (e.g., YouTube hijack by Pakistan Telecom)
  - Impersonation (e.g., Spamhaus hijack)
  - MITM (e.g., BGP MITM [1]) of the victim network
- Explanations
  - Router misconfiguration, operational fault (e.g., AS7007 incident [2])
  - Malicious intent?
- [1] Stealing The Internet: An Internet-Scale Man In The Middle Attack (Defcon 2008)
- [2] (reference not transcribed)

Slides 66-69: BGP hijack incidents that made the headlines (build-up)
- Renesys: 1,500 MITM (traffic interception) hijacks in 2013
- ISC: several banks targeted by BGP hijacks
- BGPmon.net: BGP hijack attack against anti-spam company Spamhaus

Slide 70: BGP hijack incidents that made the headlines? Malicious! Benign!
Slide 71: BGP hijacks :: Separate the wheat from the chaff
- Identifying BGP hijacks is challenging
  - BGP hijacks look similar to some legitimate BGP engineering practices
  - Lack of ground truth information: only the owner of a network can precisely diagnose routing events related to his network

Slide 72: Case I :: BGP blackhole
- DoS of the victim network, similar to the YouTube hijack
- Here is an example (figure: ASX "ispam Inc" injects BGP messages for two .../25 networks with AS path ASX,AS35289, reaching the Internet via AS5466 Eircom Ltd; Symantec Ltd AS35289 announces its .../24 via AS702 Verizon; the Symantec network is blackholed)
Slide 73: Case II :: BGP impersonation, fly-by spammers
- Conjecture: spammers would use BGP hijacking to send spam from the stolen IP space and evade spam sender blacklists
- BGP spectrum agility: short-lived (< 1 day) spam networks [3]
- Potential effects
  - Misattribution of attacks launched from hijacked networks, because the hijackers steal the IP identity
  - Spam filters heavily rely on IP reputation as a first layer of defense
- [3] Understanding the Network-level Behavior of Spammers (SIGCOMM 2006)

Slide 74: Fly-by spammers :: Hijack signature
- Hijacked networks are dormant IP address blocks, i.e., by the time the networks are hijacked they have been left unadvertised by their owner
- Advertised for a rather short period of time
- AS hijack: the prefix is advertised in BGP from an apparently legitimate AS but via a presumably illegitimate upstream provider AS
- Prefix hijack: the prefix is advertised in BGP from an apparently rogue AS but via a presumably legitimate upstream provider AS
Slide 75: Fly-by spammers :: AS hijack illustration
- (figure: ASX "ispam Inc", an illegitimate (upstream) transit provider AS, sends the BGP message "Network: A.B.C.D/E, AS path: ASX,ASY" to the Internet; ASY is the legitimate AS owning A.B.C.0/24; spam is then sent from A.B.C.1 .. A.B.C.255)

Slide 76: Fly-by spammers :: case study
- IP prefixes are only announced when spam is received!
- Few blacklisted spam sources at the time of the BGP announcements!

Slide 77: Case III :: BGP Man-In-The-Middle
- Step 1: discover the path between AS_Mallory (attacker) and AS_Alice (victim) (figure: AS_Mallory, AS_D, AS_A, AS_Alice)
- Step 2: advertise a more specific prefix (/24) and secure a backup route (P)
- Step 3: adjust TTLs (ultimate stealth!)
- Source: Stealing The Internet: An Internet-Scale Man In The Middle Attack (Defcon 2008)
Slide 78: Securing BGP?
- Security extensions to BGP, e.g., RPKI, ROVER
  - Similar to DNSSEC for DNS
  - Deployment is expensive
- BGP monitoring: analyze BGP updates and trigger an alarm upon an abnormal routing change, e.g., a BGP hijack
  - E.g., BGPmon.net, Renesys (Dyn), UCLA Cyclops
- BGP best current practices, e.g., customer route filtering
  - Seldom followed by network operators

Slide 79: Conclusion
- Network attack and defense can be surprisingly easy
- Many countermeasures are known already, and many are in place on most networks
- Still some very difficult attacks to solve and countermeasures to deploy: DoS, DNSSEC
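The BGP monitoring of slide 78 applied to the hijack signatures of slide 74, as an added example that is not part of the lecture: given the owner's ground truth for a prefix (expected origin AS and legitimate upstreams, which slide 71 says only the owner knows), each announcement is labelled legitimate, AS hijack (right origin, wrong upstream), or prefix hijack (wrong origin), noting when it is a more specific prefix as in Case III. It also includes the loop check from slide 63. The registry, the 192.0.2.0/24 prefix (a documentation range) and AS64500 standing in for "ASX" are constructed; AS35289, AS702 and AS5466 are the ASNs the slides use.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Registered:
    """Operator-supplied ground truth for one prefix."""
    prefix: ipaddress.IPv4Network
    origin: int                  # ASN that should originate the prefix
    upstreams: FrozenSet[int]    # transit providers allowed to carry it


def classify(prefix: str, as_path: List[int], registry: List[Registered]) -> str:
    """Label one BGP announcement with the signatures of slide 74.

    as_path is in BGP order, as on slide 63: the origin AS is last and the AS
    that relayed the route for it is second to last."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    upstream: Optional[int] = as_path[-2] if len(as_path) > 1 else None
    covering = [r for r in registry
                if isinstance(net, type(r.prefix)) and net.subnet_of(r.prefix)]
    if not covering:
        return "unknown: no registered prefix covers it"
    reg = max(covering, key=lambda r: r.prefix.prefixlen)   # longest match wins
    note = (" (more specific than the registered prefix)"
            if net.prefixlen > reg.prefix.prefixlen else "")
    if origin != reg.origin:
        return f"prefix hijack: origin AS{origin} is not the owner AS{reg.origin}" + note
    if upstream is not None and upstream not in reg.upstreams:
        return (f"AS hijack: legitimate origin AS{origin} "
                f"via unexpected upstream AS{upstream}" + note)
    return "legitimate" + note


def accept_update(my_asn: int, as_path: List[int]) -> bool:
    """Loop check from slide 63: drop any path that already contains our own AS."""
    return my_asn not in as_path


# Constructed registry: Symantec-like customer AS35289 behind the two providers of slide 64.
REGISTRY = [
    Registered(ipaddress.ip_network("192.0.2.0/24"), 35289, frozenset({702, 5466})),
]
ROGUE_AS = 64500   # placeholder for "ASX" (private-use ASN)

if __name__ == "__main__":
    samples = [  # constructed announcements
        ("192.0.2.0/24", [702, 35289]),          # normal route via Verizon
        ("192.0.2.0/24", [ROGUE_AS, 35289]),     # slide 75: right origin, rogue upstream
        ("192.0.2.0/25", [ROGUE_AS]),            # slide 77: rogue origin, more specific
    ]
    for prefix, path in samples:
        print(prefix, path, "->", classify(prefix, path, REGISTRY))
```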
More informationCMPT 471 Networking II
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
More informationCS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module
CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human
More informationDDoS Overview and Incident Response Guide. July 2014
DDoS Overview and Incident Response Guide July 2014 Contents 1. Target Audience... 2 2. Introduction... 2 3. The Growing DDoS Problem... 2 4. DDoS Attack Categories... 4 5. DDoS Mitigation... 5 1 1. Target
More information1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?
Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against
More informationDefending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial
Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks
More informationLecture 6: Network Attacks II. Course Admin
Lecture 6: Network Attacks II CS 336/536: Computer Network Security Fall 2014 Nitesh Saxena Adopted from previous lectures by Keith Ross, and Gene Tsudik Course Admin HW/Lab 1 We are grading (should return
More informationNetwork Security Fundamentals
APNIC elearning: Network Security Fundamentals 27 November 2013 04:30 pm Brisbane Time (GMT+10) Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security IPv6
More informationDenial of Service. Tom Chen SMU tchen@engr.smu.edu
Denial of Service Tom Chen SMU tchen@engr.smu.edu Outline Introduction Basics of DoS Distributed DoS (DDoS) Defenses Tracing Attacks TC/BUPT/8704 SMU Engineering p. 2 Introduction What is DoS? 4 types
More informationOLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS
OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS Eric Vyncke (@evyncke) Cisco Session ID: ARCH W01 Session Classification: Advanced Agenda Status of WorldWide IPv6 Deployment IPv6 refresher:
More informationSeminar Computer Security
Seminar Computer Security DoS/DDoS attacks and botnets Hannes Korte Overview Introduction What is a Denial of Service attack? The distributed version The attacker's motivation Basics Bots and botnets Example
More informationTECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS
TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor
More informationNetwork Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)
Network Security ICMP, TCP, DNS, Scanning Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT) Agenda A couple of examples of network protocols that
More informationThe Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)
The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0) US-CERT Summary US-CERT has been alerted to an increase in distributed denial of service (DDoS) attacks using spoofed recursive DNS
More informationNetwork Security Workshop
Network Security Workshop Threat Pragmatics Fakrul (Pappu) Alam bdhub Limited fakrul@bdhub.com Targets Many sorts of targets: Network infrastructure Network services Application services User machines
More informationNetwork Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015
Network Security Dr. Ihsan Ullah Department of Computer Science & IT University of Balochistan, Quetta Pakistan April 23, 2015 1 / 24 Secure networks Before the advent of modern telecommunication network,
More informationDRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014
DRDoS Attacks: Latest Threats and Countermeasures Larry J. Blunk Spring 2014 MJTS 4/1/2014 Outline Evolution and history of DDoS attacks Overview of DRDoS attacks Ongoing DNS based attacks Recent NTP monlist
More informationComplete Protection against Evolving DDoS Threats
Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion
More informationAnnouncements. No question session this week
Announcements No question session this week Stretch break DoS attacks In Feb. 2000, Yahoo s router kept crashing - Engineers had problems with it before, but this was worse - Turned out they were being
More informationDenial of Service Attacks. Notes derived from Michael R. Grimaila s originals
Denial of Service Attacks Notes derived from Michael R. Grimaila s originals Denial Of Service The goal of a denial of service attack is to deny legitimate users access to a particular resource. An incident
More informationDISTRIBUTED DENIAL OF SERVICE OBSERVATIONS
: DDOS ATTACKS DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS 1 DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS NTT is one of the largest Internet providers in the world, with a significant share of the world s
More informationDOMAIN NAME SECURITY EXTENSIONS
DOMAIN NAME SECURITY EXTENSIONS The aim of this paper is to provide information with regards to the current status of Domain Name System (DNS) and its evolution into Domain Name System Security Extensions
More informationV-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks
Enabling Precise Defense against New DDoS Attacks 1 Key Points: DDoS attacks are more prone to targeting the application layer. Traditional attack detection and defensive measures fail to defend against
More informationDNS security: poisoning, attacks and mitigation
DNS security: poisoning, attacks and mitigation The Domain Name Service underpins our use of the Internet, but it has been proven to be flawed and open to attack. Richard Agar and Kenneth Paterson explain
More informationDistributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by
More informationStrategies to Protect Against Distributed Denial of Service (DD
Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics
More informationWhat is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services
Firewalls What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services only authorized traffic is allowed Auditing and
More informationPresented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important
Presented By: Holes in the Fence Dave Engebretson, Contributing Technology writer, SDM Magazine Industry Instructor in Fiber and Networking Prevention of Security System breaches of networked Edge Devices
More information1. LAB SNIFFING LAB ID: 10
H E R A LAB ID: 10 SNIFFING Sniffing in a switched network ARP Poisoning Analyzing a network traffic Extracting files from a network trace Stealing credentials Mapping/exploring network resources 1. LAB
More informationNetwork Security. Computer Security & Forensics. Security in Compu5ng, Chapter 7. l Network Defences. l Firewalls. l Demilitarised Zones
Network Security Security in Compu5ng, Chapter 7 Topics l Network AAacks l Reconnaissance l AAacks l Spoofing l Web Site Vulnerabili5es l Denial of Service l Network Defences l Firewalls l Demilitarised
More informationCYBER ATTACKS EXPLAINED: PACKET CRAFTING
CYBER ATTACKS EXPLAINED: PACKET CRAFTING Protect your FOSS-based IT infrastructure from packet crafting by learning more about it. In the previous articles in this series, we explored common infrastructure
More informationCIT 380: Securing Computer Systems
CIT 380: Securing Computer Systems Scanning CIT 380: Securing Computer Systems Slide #1 Topics 1. Port Scanning 2. Stealth Scanning 3. Version Identification 4. OS Fingerprinting 5. Vulnerability Scanning
More informationNetwork Security. Mobin Javed. October 5, 2011
Network Security Mobin Javed October 5, 2011 In this class, we mainly had discussion on threat models w.r.t the class reading, BGP security and defenses against TCP connection hijacking attacks. 1 Takeaways
More informationMalicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software
CEN 448 Security and Internet Protocols Chapter 19 Malicious Software Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa
More informationDNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come!
DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come! Amir Herzberg and Haya Shulman Dept. of Computer Science Bar Ilan University 8/1/2013 About us Bar Ilan University
More informationChapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall
Figure 5-1: Border s Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Border 1. (Not Trusted) Attacker 1 1. Corporate Network (Trusted) 2 Figure
More informationBREAKING HTTPS WITH BGP HIJACKING. Artyom Gavrichenkov R&D Team Lead, Qrator Labs ag@qrator.net
BREAKING HTTPS WITH BGP HIJACKING Artyom Gavrichenkov R&D Team Lead, Qrator Labs ag@qrator.net ABSTRACT OVERVIEW OF BGP HIJACKING GLOBAL AND LOCAL HIJACKING HIJACKING A CERTIFICATE AUTHORITY MITIGATIONS
More informationCS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24
Introduction to Computer Networks Lecture24 Network security (continued) Key distribution Secure Shell Overview Authentication Practical issues Firewalls Denial of Service Attacks Definition Examples Key
More informationTools for penetration tests 1. Carlo U. Nicola, HT FHNW With extracts from documents of : Google; Wireshark; nmap; Nessus.
Tools for penetration tests 1 Carlo U. Nicola, HT FHNW With extracts from documents of : Google; Wireshark; nmap; Nessus. What is a penetration test? Goals: 1. Analysis of an IT-environment and search
More informationFirewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.
Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and
More informationThis Lecture. The Internet and Sockets. The Start 1969. If everyone just sends a small packet of data, they can all use the line at the same.
This Lecture The Internet and Sockets Computer Security Tom Chothia How the Internet works. Some History TCP/IP Some useful network tools: Nmap, WireShark Some common attacks: The attacker controls the
More informationNetwork Concepts. IT 4823 Information Security Concepts and Administration. The Network Environment. Resilience. Network Topology. Transmission Media
IT 4823 Information Security Concepts and Administration March 17 Network Threats Notice: This session is being recorded. Happy 50 th, Vanguard II March 17, 1958 R.I.P. John Backus March 17, 2007 Copyright
More information