Lecture 13 - Network Security

Similar documents
Lecture 19 - Network Security

CSC574 Computer and Network Security Module: Internet Malware

CSE331: Introduction to Networks and Security. Lecture 15 Fall 2006

Seminar Computer Security

Denial of Service Attacks

Denial of Service (DoS)

CS 356 Lecture 16 Denial of Service. Spring 2013

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

Yahoo Attack. Is DDoS a Real Problem?

Denial Of Service. Types of attacks

Chapter 8 Security Pt 2

Denial of Service. Tom Chen SMU

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

Malicious Software. Ola Flygt Växjö University, Sweden Viruses and Related Threats

CS5008: Internet Computing

SECURITY FLAWS IN INTERNET VOTING SYSTEM

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Acquia Cloud Edge Protect Powered by CloudFlare

Denial of Service (DoS) Technical Primer

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning

CloudFlare advanced DDoS protection

How do DoS attacks work? CSE 123b Communications Software. Step 1: Attacker infiltrates machines. Step 2: Attacker sends commands to handler

SECURING APACHE : DOS & DDOS ATTACKS - I

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

co Characterizing and Tracing Packet Floods Using Cisco R

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Distributed Denial of Service

Sapphire/Slammer Worm. Code Red v2. Sapphire/Slammer Worm. Sapphire/Slammer Worm. Sapphire/Slammer Worm. Why Was Slammer So Fast?

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

Malicious Software. Malicious Software. Overview. Backdoor or Trapdoor. Raj Jain. Washington University in St. Louis

Denial of Service Attacks, What They are and How to Combat Them

Gaurav Gupta CMSC 681

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

Abstract. Introduction. Section I. What is Denial of Service Attack?

CMPT 471 Networking II

How To Classify A Dnet Attack

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

The XenoService A Distributed Defeat for Distributed Denial of Service

Firewalls and Software Updates

Network Bandwidth Denial of Service (DoS)

Security Toolsets for ISP Defense

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

How To Stop A Ddos Attack On A Website From Being Successful

How To Defend Against A Ddos Attack On A Web Server

Announcements. No question session this week

Denial of Service Attacks

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Kick starting science...

Application Security Backgrounder

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

CS549: Cryptography and Network Security

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

HoneyBOT User Guide A Windows based honeypot solution

Barracuda Intrusion Detection and Prevention System

Lecture 15 - Web Security

1 Introduction. Agenda Item: Work Item:

How To Attack A Server With A Ddos Attack On A Zombie Army Of Your Computer (For A Free Download)

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

Cryptography and Network Security Chapter 21. Malicious Software. Backdoor or Trapdoor. Logic Bomb 4/19/2010. Chapter 21 Malicious Software

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

How To Protect A Dns Authority Server From A Flood Attack

Survey on DDoS Attack Detection and Prevention in Cloud

TDC s perspective on DDoS threats

Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them

Frequent Denial of Service Attacks

VALIDATING DDoS THREAT PROTECTION

Network Incident Report

Denial of Service Attacks: Classification and Response

DDos. Distributed Denial of Service Attacks. by Mark Schuchter

WORMS : attacks, defense and models. Presented by: Abhishek Sharma Vijay Erramilli

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Windows Remote Access

DDoS Attacks & Defenses

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

E-BUSINESS THREATS AND SOLUTIONS

1 Introduction. Agenda Item: Work Item:

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Internet Worms, Firewalls, and Intrusion Detection Systems

DDoS Attacks Can Take Down Your Online Services

How To Protect Your Network From Attack From A Hacker On A University Server

Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures

Security: Attack and Defense

Intelligent Worms: Searching for Preys

Client Server Registration Protocol

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

CSE331: Introduction to Networks and Security. Lecture 14 Fall 2006

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

Computer Security DD2395

Queuing Algorithms Performance against Buffer Size and Attack Intensities

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

Survey on DDoS Attack in Cloud Environment

DDoS-blocker: Detection and Blocking of Distributed Denial of Service Attack

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Transcription:

Lecture 13 - Network Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

Exploiting the network... The Internet is extremely vulnerable to attack it is a huge open system... which adheres to the end-to-end principle smart end-points, dumb network Can you think of any large-scale attacks that would be enabled by this setup? 2

Malware Malware - software that exhibits malicious behavior (typically manifest on user system) virus - self-replicating code, typically transferring by shared media, filesystems, email, etc. worm - self propagating program that travels over the network The behaviors are as wide ranging as imagination backdoor - hidden entry point into system that allows quick access to elevated privileges rootkit - system replacement that hides adversary behavior key logger - program that monitors, records, and potentially transmits keyboard input to adversary trojan - malicious software disguised as legitimate program 3

4 Worms A worm is a self-propagating program. As relevant to this discussion 1. Exploits some vulnerability on a target host 2. (often) embeds itself into a host 3. Searches for other vulnerable hosts 4. Goto (1) Q: Why do we care?

The Danger What makes worms so dangerous is that infection grows at an exponential rate A simple model: s (search) is the time it takes to find vulnerable host i (infect) is the time is take to infect a host Assume that t=0 is the worm outbreak, the number of hosts at t=j is 2 (j/(s+i)) For example, if (s+i = 1), what is it at time t=32? 5

The result 6 5,000,000,000 4,500,000,000 4,000,000,000 3,500,000,000 3,000,000,000 2,500,000,000 2,000,000,000 1,500,000,000 point of criticality 1,000,000,000 500,000,000 0

The Morris Worm Robert Morris, a 23 year old doctoral student from Cornell Wrote a small (99 line) program November 3rd, 1988 Simply disabled the Internet How it did it Reads /etc/password, they tries the obvious choices and dictionary, /usr/dict words Used local /etc/hosts.equiv,.rhosts,.forward to identify hosts that are related Tries cracked passwords at related hosts (if necessary) Uses whatever services are available to compromise other hosts Scanned local interfaces for network information Covered its tracks (set is own process name to sh, 7

Code Red Anatomy of a worm: Maiffret (good reading) Exploited a Microsoft IIS web-server vulnerability A vanilla buffer overflow (allows adversary to run code) Scans for vulnerabilities over random IP addresses Sometimes would deface the served website July 16th, 2001 - outbreak CRv1- contained bad randomness (fixed IPs searched) CRv2 - fixed the randomness, added DDOS of www.whitehouse.gov Turned itself off and on (on 1st and 16th of month) August 4 - Code Red II Different code base, same exploit Added local scanning (biased randomness to local IPs) 8

9 Worms and infection The effectiveness of a worm is determined by how good it is at identifying vulnerable machines Morris used local information at the host Code Red used what? Multi-vector worms use lots of ways to infect E.g., network, DFS partitions, email, drive by downloads Another worm, Nimda did this Lots of scanning strategies Signpost scanning (using local information, e.g., Morris) Random IP - good, but waste a lot of time scanning dark or unreachable addresses (e.g., Code Red) Local scanning - biased randomness Permutation scanning - instance is given part of IP space

Other scanning strategies 10 Hit-list scanning Setup - use low and slow scanning to determine which hosts are vulnerable (i.e., create a hit list) Start the worm, passing the list of vulnerable hosts, reduce/ device the list at each host Gets past the slow start part, gets right into the exponential Essentially removes the window to stop worm 5,000,000,000 4,500,000,000 4,000,000,000 3,500,000,000 3,000,000,000 2,500,000,000 2,000,000,000 1,500,000,000 1,000,000,000 500,000,000 0

Other scanning strategies CSE497b Result: Introduction to Computer saturate and Network Security - Spring the 2007 Internet - Professor Jaeger is less than 30 seconds! 11 The doomsday worm: a flash worm Create a hit list of all vulnerable hosts Staniford et al. argue this is feasible Would contain a 48MB list Do the infect and split approach Use a zero-day vulnerability

Parasitic worm... Insight: most worm mitigation strategies are based on the detection of attack as it occurs What if a program was smart enough to find new vulnerabilities on its own? It could periodically change its infection strategy (mutate) Then forget old attack vectors Each mutation requires new detection mechanisms Result: basically unstoppable, point of criticality reached only after a few mutations [Butler 05] Attacks per Round 1e+06 100000 10000 1000 100 0% mutation prob 2% mutation prob 3% mutation prob 5% mutation prob 10% mutation prob 10 1 0.1 0 100 200 300 400 500 Time (in rounds) 12

Worms: Defense Strategies 13 (Auto) patch your systems: most, if not all, large worm outbreaks have exploited known vulnerabilities (with patches) Heterogeneity: use more than one vendor for your networks Shield (Ross): provides filtering for known vulnerabilities, such that they are protected immediately (analog to virus scanning) Shield Network Traffic Network Interface Operating System Filtering: look for unnecessary or unusual communication patterns, then drop them on the floor This is the dominant method, getting sophisticated (Arbor Networks)

Advanced Methods Quarantine - how do stop it once it is out? Internet Quarantine: Requirements for Containing Self-Propagating Code. David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage Assume you have a LAN/WAN environment We have already talked about how to prevent Q1: How do you recognize a worm? Q2: How do you stop a worm? Much work in this area... number of new addresses contacted number of incomplete IP handshakes number of connections to new local hosts (COI?) 14

Denial of Service Intentional prevention of access to valued resource CPU, memory, disk (system resources) DNS, print queues, NIS (services) Web server, database, media server (applications) This is an attack on availability (fidelity) Note: launching DOS attacks is easy Note: preventing DOS attacks is hard Mitigate the path most frequently traveled 15

D/DOS (generalized by Mirkovic) 16 Send a stream of packets/requests/whatever many PINGS, HTML requests,... Send a few malformed packets causing failures or expensive error handling low-rate packet dropping (TCP congestion control) ping of death Abuse legitimate access Compromise service/host Use its legitimate access rights to consume the rights for domain (e.g., local network) E.g., someone runs a recursive file operation on root of NFS partition

17 SMURF Attacks This is one of the deadliest and simplest of the DOS attacks (called a naturally amplified attack) Send a large number of PING packets on the broadcast IP addresses (e.g., 192.168.27.254) Set the source packet IP address to be your victim All hosts will reflexively respond to the ping at your victim and it will be crushed under the load. Fraggle: UDP based SMURF Host Host Host Host Host adversary Broadcast victim Host Host Host Host

Distributed denial of service 18 DDOS: Network oriented attacks aimed at preventing access to network, host or service Saturate the target s network with traffic Consume all network resources (e.g., SYN) Overload a service with requests Use expensive requests (e.g., sign this data ) Can be extremely costly (e.g., Amazon) Result: service/host/network is unavailable Frequently distributed via other attack Note: IP is often hidden (spoofed)

The canonical DDOS attack 19 (master) (router) Internet LAN (adversary) (zombies) (target)

20 Why DDOS What would motivate someone DDOS? An axe to grind Curiosity (script kiddies) Blackmail Information warfare Internet is an open system... Packets not authenticated, probably can t be Would not solve the problem just move it (firewall) Too many end-points can be remote controlled

Why is DDOS possible? (cont.) 21 Interdependence - services dependent on each other E.g., Web depends on TCP and DNS, which depends on routing and congestion control, Limited resources (or rather resource imbalances) Many times it takes few resources on the client side to consume lots of resources on the server side E.g., SYN packets consume lots of internal resources You tell me.. (as said by Mirkovic et al.) Intelligence and resources not co-located No accountability Control is distributed

DDOS Mitigation 22 Better Host Security Limit availability of zombies, not feasible Prevent compromise, viruses, Quality of Service Guarantees (QOS) Pre- or dynamically allocate bandwidth E.g., diffserv, RSVP Helps where such things are available Protocols traceback (reconstruct path based on marked packets) pushback (back-pressure) Content replication E.g,. CDS, for static content Ingress/Egress Filtering Helps spoofed sources, little else

DDOS Reality None of the protocol oriented solutions have really seen any adoption too many untrusting, ill-informed, mutually suspicious parties must play together well (hint: human nature) solution have many remaining challenges Real Solution Large ISP police their ingress/egress points very carefully Watch for DDOS attacks and filter appropriately e.g., BGP (routing) tricks, blacklisting, whitelisting Products in existing that coordinate view from many points in the network to identify upswings in Interestingly, this is the same way they deal with worms... 23

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information