

CS 640: Introduction to Computer Networks
Aditya Akella
Lecture 25: Security (DoS and Firewalls)

Network security: the road ahead
- Security vulnerabilities
- Security attacks: IP, ICMP, routing, TCP and application-layer attacks
- Reference: Steve Bellovin, "Security Problems in the TCP/IP Protocol Suite," 1989

Attacks in the different layers

Why did TCP/IP have security flaws?
- Its origins were in a world designed for connectivity, where implementers and hosts were assumed to be innocent.
- Security was left to the host software.
- Some flaws are implementation bugs; others are intrinsic vulnerabilities of the specification rather than bugs, since the designers left security out of the design.

Security flaws in IP
- Address spoofing: the source address is filled in by the originating host, so the receiver cannot trust it.
- Using IP addresses for authentication: the Internet r-utilities (rlogin, rsh, .rhosts, etc.) trust a client on the basis of its source address alone.
- Example: hosts A (1.1.1.1) and B (1.1.1.2) are trusted by server S (1.1.1.3). Can C claim to be A? On the same LAN, via ARP spoofing or source routing; it is much harder when C is not on S's local network, because the replies go to the real A.
- IP fragmentation: the end host must keep all the fragments of a datagram until the last one arrives, so a flood of incomplete fragment sets ties up memory.
- Broadcast amplification attack: one packet to a broadcast address draws a reply from every host on that network.

Ping flood with broadcast amplification
- The attacking system sends ICMP ECHO requests, with the victim's address as the spoofed source, across the Internet to a broadcast-enabled network; every host on that network replies to the victim system.

ICMP attacks
- No authentication.
- ICMP redirect message: can cause a host to switch gateways, enabling a man-in-the-middle attack and sniffing.
- ICMP destination unreachable: can cause a host to drop a connection.
- Many more: http://www.sans.org/rr/whitepapers/threats/477.php

Routing attacks
- Distance vector: announce distance 0 to all other nodes; blackhole the traffic; eavesdrop.
- Link state: can drop links randomly; can claim a direct link to any other router. A bit harder than the DV attack.
- BGP: an AS could announce an arbitrary prefix, or alter the AS path. Such "attacks" could even happen due to misconfigurations.

TCP-layer attacks: SYN flooding
- The handshake: client sends SYN x; server replies SYN y, ACK x+1; client sends ACK y+1. The server recognizes the client by IP address/port and by the ACK y+1.
- Exploit: the server allocates state after the initial SYN packet and waits for the ACK.
- The queue for incomplete connections is finite (1024), and the server will wait 511 seconds for the ACK.
- Once the queue is full, the server doesn't accept new connection requests.

TCP session hijack
- How to inject a packet into a TCP connection? You need the address/port/sequence number.
- Sniff the traffic to get the sequence number, or guess it: many earlier systems had a predictable ISN.
- Is arbitrary data valid? Any sequence number in the window is accepted.

TCP session poisoning
- Send an RST packet: it will tear down the connection.
- Do you have to guess the exact sequence number? No, anywhere in the window is fine.
- For a 64k window that is about 64k packets, or about 15 seconds on a T1, to reset a connection.

Application-layer attacks
- Applications don't authenticate properly.
- Authentication information is sent in the clear: FTP, Telnet, POP.
- DNS insecurity: DNS poisoning, DNS zone transfer.
- finger and showmount -e leak information about a host.

An example: the Mitnick attack
- Target: Shimomura's host (S) and a host it trusts (T).
- finger @S, showmount -e: what other systems does S trust? Determine when no one is around.
- Send 20 SYN packets to S: determine its ISN behavior.

The Mitnick attack, step by step
- finger @S and showmount -e: learn what other systems S trusts (T) and when no one is around.
- Send 20 SYN packets to S: determine S's ISN behavior.
- SYN flood T, so that T won't respond to packets.
- Send a SYN to S spoofed as T. S replies with SYN/ACK to T, which is too busy to reset the connection.
- Send an ACK to S, spoofed as T, with the guessed sequence number. S now assumes it has a session with T.
- Over that spoofed session run: echo + + > ~/.rhosts. This gives permission to anyone from anywhere.
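The two pieces of sequence-number arithmetic the Mitnick steps and the session-poisoning slide rely on, as an added example written for this page (not code from the lecture): recognizing a predictable ISN from a run of probe SYNs, and counting how many blind guesses a reset needs when any in-window sequence number is accepted. The ISN samples are constructed to mimic an old stack that bumps the ISN by a constant 128000 per connection; the T1 rate and 40-byte minimum packet are the assumptions behind the "about 15 seconds" figure.

```python
"""TCP sequence-number prediction and blind reset.  Added example, not the
lecture's code.  OBSERVED_ISNS is a constructed sample of what 20 probe
SYNs might return from a stack with a constant per-connection ISN step."""

SEQ_SPACE = 2 ** 32

# Constructed (hypothetical) ISNs: base 0x1A2B3C00, step 128000 per connection.
OBSERVED_ISNS = [(0x1A2B3C00 + i * 128000) % SEQ_SPACE for i in range(20)]


def isn_increment(isns):
    """Return the constant per-connection ISN step if every consecutive pair
    of samples differs by the same amount (mod 2^32), else None."""
    deltas = {(b - a) % SEQ_SPACE for a, b in zip(isns, isns[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def predict_next_isn(isns):
    """Attacker's step 2: with a constant step, the ISN the target will pick
    for the spoofed connection is known in advance, so the forged ACK (y+1)
    can be sent without ever seeing the SYN/ACK that went to T."""
    step = isn_increment(isns)
    return None if step is None else (isns[-1] + step) % SEQ_SPACE


def in_window(seq, rcv_nxt, window):
    """Receiver-side acceptance test: a segment is accepted when seq lies in
    [rcv_nxt, rcv_nxt + window) modulo 2^32, not only when seq == rcv_nxt."""
    return (seq - rcv_nxt) % SEQ_SPACE < window


def rst_guesses_needed(window):
    """Blind RST: guessing 0, window, 2*window, ... covers the whole sequence
    space, so at most ceil(2^32 / window) packets are needed."""
    return -(-SEQ_SPACE // window)


def blind_rst_seconds(window, link_bps=1_544_000, pkt_bytes=40):
    """Worst-case time to send every guess as a minimal 40-byte RST segment
    over a link of link_bps (default: a T1 at 1.544 Mbit/s)."""
    return rst_guesses_needed(window) * pkt_bytes * 8 / link_bps


def simulate_blind_rst(rcv_nxt, window):
    """Count the guesses a blind attacker sends until one lands in the
    victim's window; returns (packets_sent, winning_seq)."""
    sent = 0
    for seq in range(0, SEQ_SPACE, window):
        sent += 1
        if in_window(seq, rcv_nxt, window):
            return sent, seq
    raise AssertionError("unreachable: stepping by `window` covers the space")


if __name__ == "__main__":
    print("ISN step:", isn_increment(OBSERVED_ISNS))
    print("next ISN:", hex(predict_next_isn(OBSERVED_ISNS)))
    print("guesses for 64k window:", rst_guesses_needed(65536))
    print("seconds on a T1: %.1f" % blind_rst_seconds(65536))
    print("simulated blind reset:", simulate_blind_rst(0x9ABCDEF0, 65536))
```

The worst-case figure for a 64k window comes out at 65536 packets and roughly 13.6 seconds on a T1, which is the slide's "about 15 seconds"; the simulation shows the typical case is shorter, since the attacker only has to reach the window, not walk past it. A stack whose ISN samples give `None` from `isn_increment` defeats the Mitnick-style guess but is still exposed to the in-window reset, which is why modern stacks randomize the ISN and also check the RST sequence number more tightly.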

Denial of Service
- Objective: make a service unusable, usually by overloading the server or the network.
- Consume host resources: TCP SYN floods, ICMP ECHO (ping) floods.
- Consume bandwidth: UDP floods, ICMP floods.
- Crashing the victim: Ping-of-Death, TCP options (unused, or used incorrectly).
- Forcing more computation: taking the slow path in the processing of packets.

Simple DoS
- Attacker -> Victim. The attacker usually spoofs the source address to hide the origin.
- Easy to block.

Coordinated DoS
- Attacker, Attacker, Attacker -> Victim. Harder to deal with.
- The first attacker attacks a different victim to cover up the real attack.
- The attackers usually spoof the source address to hide the origin.

Distributed DoS
- Attacker -> Handler, Handler -> Agent, Agent, Agent, ... -> Victim.
- The handlers are usually very high-volume servers; the agents are usually home users on DSL/cable, already infected and with the attack packet generator installed.
- Very easy to hide the attacker; generally difficult to track down.

Distributed DoS vs. flash crowd
- Flash crowd: the Slashdot effect, the Victoria's Secret webcast. Many clients legitimately flood a service with requests.
- How to differentiate between a DDoS and a flash crowd?
- A flash crowd disappears when the network is flooded, because real clients back off.
- Also, requests in a flash crowd have a pattern: the sources are clustered.
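The two hints on the slide (legitimate clients complete the handshake and come from clustered sources, a spoofed SYN flood does neither) turned into a small classifier, as an added example written for this page, not the lecture's code. The connection log is synthetic: `make_flash_crowd` and `make_syn_flood` generate it with fixed seeds, the prefixes and the victim address `1.1.1.3` are made up, and the 0.5 thresholds are illustrative.

```python
"""DDoS vs. flash crowd over a constructed connection log.  Added example,
not from the lecture.  Each record is one SYN seen at the victim and
whether the handshake it started was completed."""
import random
from collections import Counter

VICTIM = "1.1.1.3"  # constructed victim address


def make_flash_crowd(n, seed=1):
    """Constructed log: clients from three /16s (a campus and two ISP pools,
    hypothetical prefixes) that almost always finish the handshake."""
    rng = random.Random(seed)
    prefixes = ["128.105", "24.177", "64.12"]
    log = []
    for _ in range(n):
        src = f"{rng.choice(prefixes)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        log.append({"src": src, "dst": VICTIM, "completed": rng.random() < 0.98})
    return log


def make_syn_flood(n, seed=2):
    """Constructed log: agents spoof a fresh random source on every SYN, so
    nothing completes and the sources are spread over all of IPv4."""
    rng = random.Random(seed)
    log = []
    for _ in range(n):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        log.append({"src": src, "dst": VICTIM, "completed": False})
    return log


def slash16(addr):
    return ".".join(addr.split(".")[:2])


def traffic_features(log):
    """completion: fraction of SYNs whose handshake finished.
    top3_share: fraction of distinct sources inside the three busiest /16s
    (close to 1.0 when sources are clustered, close to 0 when spoofed).
    half_open: SYNs still waiting for their ACK, i.e. backlog pressure."""
    if not log:
        raise ValueError("empty log")
    srcs = {r["src"] for r in log}
    by_prefix = Counter(slash16(s) for s in srcs)
    top3 = sum(count for _, count in by_prefix.most_common(3))
    completed = sum(r["completed"] for r in log)
    return {
        "completion": completed / len(log),
        "top3_share": top3 / len(srcs),
        "half_open": len(log) - completed,
    }


def classify(log, min_completion=0.5, min_cluster=0.5):
    """Call it a flood only when handshakes mostly fail AND the sources are
    spread out; a flash crowd fails at most one of the two tests."""
    f = traffic_features(log)
    if f["completion"] < min_completion and f["top3_share"] < min_cluster:
        return "ddos"
    return "flash crowd"


if __name__ == "__main__":
    for name, log in (("flash crowd", make_flash_crowd(2000)),
                      ("syn flood", make_syn_flood(2000))):
        print(name, traffic_features(log), "->", classify(log))
```

The source-clustering test only works against agents that spoof random sources; a botnet sending from its real, ISP-scattered addresses fails the clustering test too, and a reflected flood can look clustered around the reflectors. Requiring both signals, as `classify` does, keeps a flash crowd with a slow server (low completion but clustered sources) from being mislabeled.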

DDoS defenses
- Traffic scrubbing: routers explicitly decide whether or not to allow packets.
- Destination sink: scrub all traffic en route to a back-end scrubber.
- Capabilities: the destination explicitly decides, by inserting capabilities in packets; subsequent routers check for valid capabilities.
- Issues?

Firewalls
- Lots of vulnerabilities, lots of exploits in the wild. Users don't keep systems up to date (no patch for them).
- Solution? Limit access to the network: put firewalls across the perimeter of the network.
- Don't trust outsiders. Trust insiders (!!!).

Firewall (contd.)
- Internet -> Firewall -> Internal Network. The firewall inspects all traffic through it.
- Has a pre-defined policy: allows the specified traffic, drops everything else.
- Two types: packet filters and proxies.

Packet filters
- Selectively pass packets from one network interface to another.
- Usually done within a router: a screening router with one interface to the internal network and one to the external network.
- Can also be done by a bridge or a dedicated filtering element, which is harder for an attacker to detect than a screening router.

Packet filters (contd.): data available
- IP: source and destination addresses, protocol (TCP, UDP, ICMP), options, fragment information, packet size.
- Transport: TCP/UDP source and destination ports, ICMP message type.

Actions available
- Allow the packet to go through.
- Drop the packet (notify the sender, or drop silently).
- Alter the packet (NAT?).
- Log information about the packet.

Example
- Block all packets from outside except SMTP connections from a list of specified domain servers.

Typical firewall configuration
- Internet -> Firewall -> Intranet and DMZ.
- Internal hosts can access the DMZ and the Internet.
- External hosts can access the DMZ only, not the Intranet.
- DMZ hosts can access the Internet only.
- Advantages? If a service in the DMZ gets compromised, it cannot affect the internal hosts.

Firewall rules (stateless packet filtering)
- A rule is a (Condition, Action) pair.
- For each packet the rules are processed in top-down order; the action of the first rule whose condition is satisfied is taken.

Sample firewall rule: allow SSH from external hosts to internal hosts
- How does the firewall know a packet is for SSH? Two rules, inbound and outbound:
- Inbound: src-port > 1023, dst-port = 22. Outbound: src-port = 22, dst-port > 1023. Protocol = TCP. Ack set?

Rule   Dir  Src Addr  Src Port  Dst Addr  Dst Port  Proto  Ack Set?  Action
SSH-1  In   Ext       >1023     Int       22        TCP    Any       Allow
SSH-2  Out  Int       22        Ext       >1023     TCP    Yes       Allow

- The flow: the external client sends a SYN to the internal SSH server on port 22; the server's SYN/ACK travels back outbound with the Ack bit set.
- Problems?

Default firewall rules
- Egress filtering: outbound traffic from an internal address.
- Ingress filtering: inbound traffic from an external address.
- Default deny. Why? Benefits?

Rule     Dir  Src Addr  Src Port  Dst Addr  Dst Port  Proto  Ack Set?  Action
Egress   Out  Int       Any       Ext       Any       Any    Any       Deny
Ingress  In   Ext       Any       Int       Any       Any    Any       Deny
Default  Any  Any       Any       Any       Any       Any    Any       Deny

Packet filters: advantages and disadvantages
- Advantages: transparent to the user; simple; usually very efficient.
- Disadvantages: doesn't have enough application/user information to take actions. Does port 22 always mean SSH? Who is the user accessing SSH? Very hard to configure the rules. Fail open?

Alternatives: stateful packet filters
- Keep the connection states: easier to specify rules, more popular.
- Problems? Explosion of connection-level state; what about UDP/ICMP?
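The SSH-1/SSH-2 rows from the sample rule and the egress/ingress/default-deny rows above, evaluated top-down with first match winning, as an added example written for this page (not the lecture's code). It also shows what the "Ack Set?" column buys (an internal host cannot open a new connection out of port 22 just because port 22 is allowed) and what it does not (a forged ACK-bit packet still matches SSH-2), and sketches the stateful alternative that answers the second problem with a connection table. Packets, the "ext"/"int" address labels and the port numbers are constructed.

```python
"""Stateless packet filter over the lecture's rule table, plus a minimal
stateful filter.  Added example, not the lecture's code; packets are
constructed.  Addresses are abstracted to which side of the firewall
they are on ("ext" or "int")."""
from dataclasses import dataclass, replace
from typing import Callable, Optional

ANY = None  # wildcard in a rule column


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (external -> internal) or "out"
    src_addr: str    # "ext" or "int"
    src_port: int
    dst_addr: str
    dst_port: int
    proto: str       # "tcp", "udp" or "icmp"
    ack: bool        # TCP ACK flag; False for non-TCP


@dataclass(frozen=True)
class Rule:
    name: str
    direction: Optional[str]
    src_addr: Optional[str]
    src_port: Optional[Callable[[int], bool]]   # predicate, or ANY
    dst_addr: Optional[str]
    dst_port: Optional[Callable[[int], bool]]
    proto: Optional[str]
    ack: Optional[bool]
    action: str


def gt1023(port): return port > 1023
def eq22(port): return port == 22


# The table from the slides, in top-down order.  Rows are (Condition, Action).
RULES = [
    Rule("SSH-1", "in", "ext", gt1023, "int", eq22, "tcp", ANY, "allow"),
    Rule("SSH-2", "out", "int", eq22, "ext", gt1023, "tcp", True, "allow"),
    Rule("Egress", "out", "int", ANY, "ext", ANY, ANY, ANY, "deny"),
    Rule("Ingress", "in", "ext", ANY, "int", ANY, ANY, ANY, "deny"),
    Rule("Default", ANY, ANY, ANY, ANY, ANY, ANY, ANY, "deny"),
]


def matches(rule, pkt):
    return (rule.direction in (ANY, pkt.direction)
            and rule.src_addr in (ANY, pkt.src_addr)
            and (rule.src_port is ANY or rule.src_port(pkt.src_port))
            and rule.dst_addr in (ANY, pkt.dst_addr)
            and (rule.dst_port is ANY or rule.dst_port(pkt.dst_port))
            and rule.proto in (ANY, pkt.proto)
            and rule.ack in (ANY, pkt.ack))


def filter_packet(pkt, rules=RULES):
    """First matching rule decides; the Default row guarantees a match."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.action
    raise RuntimeError("rule table has no default row")


def rules_without_ack_check():
    """The same table with the Ack Set? column ignored on SSH-2, to show
    what the column prevents."""
    return [replace(r, ack=ANY) if r.name == "SSH-2" else r for r in RULES]


class StatefulFilter:
    """Stateless rules plus a connection table keyed on (external port,
    internal port): an outbound packet from port 22 is allowed only if the
    inbound SYN that opened that session was seen, which the Ack bit alone
    cannot guarantee.  Real addresses would belong in the key as well."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.sessions = set()

    def handle(self, pkt):
        name, action = filter_packet(pkt, self.rules)
        if action != "allow":
            return name, action
        if pkt.direction == "in" and not pkt.ack:        # new session from outside
            self.sessions.add((pkt.src_port, pkt.dst_port))
        elif pkt.direction == "out" and (pkt.dst_port, pkt.src_port) not in self.sessions:
            return name, "deny (no matching session)"
        return name, action


if __name__ == "__main__":
    syn_in = Packet("in", "ext", 40000, "int", 22, "tcp", False)
    synack_out = Packet("out", "int", 22, "ext", 40000, "tcp", True)
    rogue_syn_out = Packet("out", "int", 22, "ext", 40000, "tcp", False)
    for p in (syn_in, synack_out, rogue_syn_out):
        print(p, "->", filter_packet(p), "| no Ack check:", filter_packet(p, rules_without_ack_check()))
```

Two of the slide's "Problems?" stay visible in the code: nothing about the rule says the traffic on port 22 is SSH or who the user is, and a host inside can still send a packet with the ACK bit set from port 22 to any external high port and pass SSH-2, which is why the stateful variant is the more popular answer. The stateful table is also where the "state explosion" and "what about UDP/ICMP?" problems come from: every session costs an entry, and connectionless protocols have no SYN to key on.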

Alternatives: proxy firewalls
- Two connections, linked at the proxy, instead of one: either at the transport level (SOCKS) or at the application level (HTTP proxy).
- Requires applications to be modified (or dynamically linked to proxy libraries) to use the proxy.
- Advantages? Better policy enforcement; better logging; fails closed; application-level information is available.
- Disadvantages? Doesn't perform as well; one proxy per application; client modification.

Summary
- TCP/IP vulnerabilities: spoofing, flooding, TCP session poisoning.
- DoS and D-DoS attacks.
- Firewalls: packet filters and proxies.
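What an application-level proxy can decide that a packet filter cannot, as an added example written for this page (not the lecture's code): it parses the whole HTTP request, so it can enforce policy on the method and the named host, log them, and fail closed on anything it cannot parse. The allowed hosts, the allowed methods and the request bytes are constructed.

```python
"""Admission decision of an application-level (HTTP) proxy.  Added example,
not from the lecture; policy and requests are constructed."""
from urllib.parse import urlsplit

# Constructed policy: what this proxy will relay.
ALLOWED_HOSTS = {"www.cs.wisc.edu", "ftp.debian.org"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def parse_request(raw: bytes):
    """Return (method, host, target) from the request head; raise ValueError
    (or UnicodeDecodeError) on anything malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("ascii").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("bad request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    if target.lower().startswith("http://"):
        host = urlsplit(target).hostname        # absolute-form target, as clients send to proxies
    else:
        host = headers.get("host", "").split(":")[0] or None
    if not host:
        raise ValueError("no host")
    return method, host.lower(), target


def proxy_decision(raw: bytes):
    """Return ("allow" | "deny", reason).  Unparseable input is denied: the
    proxy fails closed instead of relaying what it does not understand."""
    try:
        method, host, target = parse_request(raw)
    except (UnicodeDecodeError, ValueError) as exc:
        return "deny", f"unparseable request: {exc}"
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not allowed"
    if host not in ALLOWED_HOSTS:
        return "deny", f"host {host} not in policy"
    # This line is the proxy's log entry: user-visible method and host,
    # something a packet filter looking at "port 80" never sees.
    return "allow", f"{method} {host} {target}"


if __name__ == "__main__":
    samples = [
        b"GET http://www.cs.wisc.edu/~akella/ HTTP/1.0\r\nHost: www.cs.wisc.edu\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: evil.example:8080\r\n\r\n",
        b"DELETE / HTTP/1.1\r\nHost: ftp.debian.org\r\n\r\n",
        b"\xff\xfe not http at all",
    ]
    for s in samples:
        print(proxy_decision(s))
```

The "one proxy per application" cost is visible too: everything here is HTTP-specific, and an FTP or SMTP proxy would need its own parser and its own policy vocabulary. Method matching is case-sensitive on purpose, since HTTP methods are.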