CS 475 : Lecture 9 Network Attacks and Defenses. Rachel Greenstadt

Similar documents
A S B

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Network Security. Mobin Javed. October 5, 2011

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

TCP/IP Security Problems. History that still teaches

Firewalls and Intrusion Detection

CS5008: Internet Computing

CSCE 465 Computer & Network Security

Security vulnerabilities in the Internet and possible solutions

Linux Network Security

This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Client Server Registration Protocol

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Firewalls, Tunnels, and Network Intrusion Detection

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Chapter 8 Security Pt 2

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Network Security Informik Version

IPsec Details 1 / 43. IPsec Details

All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Secure Software Programming and Vulnerability Analysis

Post-Class Quiz: Telecommunication & Network Security Domain

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Security Technology White Paper

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Networks: IP and TCP. Internet Protocol

co Characterizing and Tracing Packet Floods Using Cisco R

BASIC ANALYSIS OF TCP/IP NETWORKS

Midterm. Name: Andrew user id:

Attack Lab: Attacks on TCP/IP Protocols

Content Distribution Networks (CDN)

CS5490/6490: Network Security- Lecture Notes - November 9 th 2015

Security of IPv6 and DNSSEC for penetration testers

Network Access Security. Lesson 10

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Description: Objective: Attending students will learn:

Cisco Configuring Commonly Used IP ACLs

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Network Security Fundamentals

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

CS 3251: Computer Networking 1 Security Protocols I

INTRODUCTION TO FIREWALL SECURITY

Distributed Denial of Service (DDoS)

Solution of Exercise Sheet 5

Firewalls. Chapter 3

Protocol Rollback and Network Security

Firewalls. Ahmad Almulhem March 10, 2012

General Network Security

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

Topics in Network Security

Lectures 1 and 2 INFS 766/INFT 865. Internet Security Protocols. Lectures 1 and 2 Firewalls and Their Limitations. Prof. Ravi Sandhu REFERENCE BOOKS

Implementing Cisco IOS Network Security

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Reducing the impact of DoS attacks with MikroTik RouterOS

CNT4406/5412 Network Security Introduction

Lecture 6: Network Attacks II. Course Admin

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Best Practices Guide: Vyatta Firewall. SOFTWARE-BASED NETWORKING & SECURITY FROM VYATTA February 2013

How to protect your home/office network?

DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come!

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

Defending Computer Networks Lecture 10: Firewalls. Stuart Staniford Adjunct Professor of Computer Science

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

DNS Best Practices. Mike Jager Network Startup Resource Center

GregSowell.com. Mikrotik Security

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

1. Firewall Configuration

CS 356 Lecture 16 Denial of Service. Spring 2013

Securing E-Commerce. Agenda. The Security Problem IC Security: Key Elements Designing and Implementing _06_2000_c1_sec3

Network Fundamentals Carnegie Mellon University

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Announcements. No question session this week

Architecture Overview

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Wireless Encryption Protection

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Seminar Computer Security

A Very Incomplete Diagram of Network Attacks

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Networking Test 4 Study Guide

Chapter 10. Network Security

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Transcription:

CS 475 : Lecture 9 Network Attacks and Defenses Rachel Greenstadt

Quiz 2 Graded Solutions will be posted on website Statistics Mean 71, Median 69, Stdev 15

Schedule changes There will be no project 3 (no time to do a good job) Instead, focus on the final security review By Tuesday, March 5 pick a system to review and a group Come to class with a diagram of the system We will do an exercise to get started

Network Review Applications --------------------------- System Independent data --------------------------- Basically Ignored --------------------------- Reliable Streams ---------------------------- Routing --------------------------- Packets ----------------------------- Unstructured bits OSI Reference Model

Network Review OSI Reference Model

Network Desired Properties (Assets) Availability Integrity (Consistency) Authentication Confidentiality

Types of Attack (Adversaries) Passive attack Eavesdrop but do not modify Active attack Transmit, replay, modify, delete messages from network, covert channels Local vs remote attacks

Basic Problems (Threats) Network protocols have no integrity or confidentiality Why? It was a more innocent time Export controls Mary had a little key (It s all she could export) And all the email that she sent Was opened at the fort. -- Ron Rivest (via Kaufman, Perlman, and Speciner)

Basic Problems (Threats) Network protocols have no integrity or confidentiality Vulnerabilities in network services enable remote exploits End-to-end argument If you want security (or anything else) then get it But what if the ends are incompetent? Or what if only one end supports it?

What network layer should you secure? Layer 4 (transport/tcp) and below in OS Above that is user level process OS (SSL/TLS and SSH) But if you secure layer 3, security happens automagically without application mods (IPSec) Plus, SSL can t tell TCP that it s integrity check Easier to deploy if you don t need to change the failed, so SSL will discard bad data, then TCP will discard resent good data as duplicates.

On the other hand... IPSec can t tell layers above it anything else that which IP something was sent from (not which user, even if it knows) Same as IPSec between two firewalls Address-based authentication No other authentication Encrypt Traffic - eavesdropper protection Policies can allow/deny IP addresses/ports

Physical Layer Attacks Wire taps (or wire cutting) Electronic emanation

Link Layer (LANs) ARP is protocol for finding the link layer (MAC) address from IP address on local network ARP Request. Computer A asks the network, "Who has this IP address?" ARP Reply. Computer B tells Computer A, "I have that IP. My MAC address is [whatever it is]." Reverse ARP Request (RARP). Same concept as ARP Request, but Computer A asks, "Who has this MAC address?" RARP Reply. Computer B tells Computer A, "I have that MAC. My IP address is [whatever it is]" Replies can be sent without requests, results are cached... Any problems with this?

Abusing ARP Can send ARP messages claiming to be another computer on the LAN, bad result cached Traffic gets sent to attacker instead Snooping, modifying, or DOS (associate a nonexistent MAC address with them)

Abusing TCP/IP Three way handshake produces many opportunities for denial of service

SYN Flood Send many SYN packets, never acknowledge the replies Too many open connections overload machine SYNcookie defense: choose Y to be E(X), no need to keep state about open connection Can reconstruct queue if needed

Stateless cookie protocol Initiator Bob I want to talk c = hash (IP addr, secret) c, start rest of protocol verify c before continuing

Smurf Attacks Broadcast IP addresses allow you to send messages to a whole subnet at once Send ICMP echo requests (ping) to broadcast address but spoof the return address as victim The subnet will now flood the victim with pings Fix - don t answer pings to a broadcast address and shun those who do

Distributed DOS (DDOS) Gather a botnet of machines Have them all send traffic to target More traffic, harder to track down or block

Further Spoofing Email spoofing (change from, reply, reply-to) DNS spoofing return the wrong address for a page by guessing TXN ID and poison cache (summer 2008) Session hijacking - Mallory wants to pretend to be Alice to Bob, DOS Alice, guess TCP sequence number (so sequence numbers should be random)

DNS Vulnerabilities maps names to ip addresses www.drexel.edu 144.118.31.11 distributed: root server delegates to.edu server delegates to drexel.edu server don t want badhacker.drexel.edu answering for www.drexel.edu supposed to be solved by transaction ID (# btwn 0 and 65535 that real server knows, others don t)

DNS Attack Once an answer is received it is cached for TTL (usually one day) 1 day * 65,536 lookups / 2 = 84.5 years for 50% chance (not exactly) Four observations by Dan Kaminsky Bad guy doesn t have to look anything up, so replies first (if right TXID) Bad guy can try numbers until good guy returns (maybe 100?) TTL only stops lookups for www.foo.com, not random other names like name1.foo.com, name2.foo.com, etc name83.foo.com can win www.foo.com by delegating his answer to www.foo.com at some wrong address (6.6.6.6)

The Stopgap fix Many ways to force a lookup, do this attack So, add another 16 bits of randomness, via source port Before: 65536 to 1 odds After: Between 163,840,000 to 1 and 2,147,483,648 to 1 odds This is an improvement That s a lot of traffic to go unnoticed Not necessarily too much Long term solution?

Routing Routers/ Switches SRC I want to know DST the shortest path So, the routers must exchange local information!

Routing Attacks Routers assume computers are honest and rely on them to tell them about paths through the Internet So the attacker lies Easy to black hole traffic (advertise a short route to nowhere) Pakistan did this to youtube

BGP Eavesdropping Border Gateway Protocol used to advertise paths between ASes on Internet Intercept traffic to target addresses Routers listen to the most specific advertisement (smallest set of IP addresses) so attacker advertise a narrower chunk to the wrong place AS-path prepending to cause select routers to reject advertisement and forward traffic to real destination (so no one notices)

Encrypting Network Traffic Before 90s, most attacks were network attacks Watch the traffic, grab a password SSH made a big difference

Secure Network Configurations Best way to secure a network, secure machines in the network Keep them patched, don t run insecure services, teach users about security This is expensive and difficult

Firewalls Most commercially successful network security product

Types of Firewalls Ingress filtering Block addresses and port numbers coming in Block connections based on TCP headers Application proxies - serve as intermediaries for mail, web, etc...strip out bad stuff (spam, active web content) Egress filtering - block packets leaving network (classified information, attacks from within) DMZ - space between multiple firewalls

Firewall weaknesses Firewalls are obsolete now that we have users behind them Hard to block bad things without blocking good things Oppresses sophisticated users Firewalls have holes One internal machine can spread attack

VPNs Encrypt and integrity-protect traffic between firewalls Privacy and security while traversing Internet

Intrusion Detection Signature detection Prevent known attack vectors Won t catch new attacks Anomaly detection Block weird traffic - false positive problem Receiving operator characteristic (ROC curve)

ROC curves Plot detection probability vs false alarm probability Dominant curves (above and to the left) Random

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information