Download L21 - Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
Document related concepts

Domain Name System Security Extensions wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
Network Attacks
• Network Trust Issues
– TCP Congestion control
– IP Src Spoofing
– Wireless transmission
• Denial of Service Attacks
– TCP-SYN
– Name Servers
• DDoS (DNS)
– DNS Amplification attack
Network Trust Issues
The Gullible Network
• A lot of network protocols assume people are
well intentioned
– TCP: Congestion Control
– Wireless: Transmit power
– BGP Route-advertisements
Cheating TCP
x
A
y
D
A
B
E
D  Increases by 1
Increases by 5
22, 22
10, 35
35, 10
15, 15
(x, y)
Increases by 1
Increases by 5
Individual incentives: cheating pays
Social incentives: better off without cheating
Too aggressive
Losses
Throughput falls
Classic Prisoner Dilemma: resolution depends on accountability
5
Cheating Wireless
B
A
10X Power
10X Power
Normal power
C
Normal power
5Mbps, 5Mbps
0MBps,
20MBps
20Mbps,
0Mbps
10Mbps,
10Mbps
Individual incentives: cheating pays
Social incentives: better off without cheating
Classic Prisoner Dilemma: resolution depends on accountability
6
Origin: IP Address Ownership and Hijacking
• Who can advertise a prefix with BGP?
– By the AS who owns the prefix
– … or, by its upstream provider(s) in its behalf
• Implicit trust between upstream & downstream
providers
• However, what’s to stop someone else?
– Prefix hijacking: another AS originates the prefix
– BGP does not verify that the AS is authorized
7
Prefix Hijacking: full or partial control
4
3
5
2
7
1
6
12.34.0.0/16
12.34.0.0/16
• Consequences for the affected ASes
8
– Blackhole: data traffic is discarded
– Snooping: data traffic is inspected, and then redirected
– Impersonation: data traffic is sent to bogus destinations
DoS
Denial of Service Attack
• Prevent other people from using a service:
– A server
– A link in a network
• High level idea
– Sent a lot of packets and ensure 100% utilization
• No one else can use it.
DNS: Denial Of Service
• Flood DNS servers with requests until they fail
• What was the effect?
– … users may not even notice
– Caching is almost everywhere
• More targeted attacks can be effective
– Local DNS server  cannot access DNS
– Authoritative server  cannot access domain
11
TCP: Denial Of Service (SYN Flood)
• Send a bunch of SYN Packets to a server
– Server allocates buffer and TCP sockets
– You allocate nothing 
– Eventually the server runs out of space.
• How to solve this problem?
12
Recall: TCP Handshake
• No allocations
• No resource
committed
A
Server
Server allocates:
• Allocates data structures
• E.g buffer space
TCP: Denial Of Service (SYN Flood)
• Send a bunch of SYN Packets to a server
–
–
–
–
Server allocates buffer and TCP sockets
Server responds with ‘SYN/ACK’
You allocate nothing
Eventually Server runs out of space.
• How to solve this problem?
– SYN Cookies: server stores nothing and instead
responds with a special cookie
– If cookie is returned in subsequent packet, then server
allocates space
– Assumption: If you come back then you aren’t a bad
person
14
Problems with DoS
• One person attacks one server/link
– Easy to figure out who ….
– Easy to block ….
– Takes a while for the attack to work…..
DDoS
Distributed Denial of Service Attack
• Take over a number of machines
– Use a BotNet
• Use all machines to conduct a DoS on a server
– Much more effective than regular DoS
– Harder to stop and shutdown
DNS Amplification Attack
DNS Amplification attack: ( 40 amplification )
DNS Query
SrcIP: DoS Target
EDNS Reponse
(60 bytes)
DoS
Source
(3000 bytes)
DNS
Server
DoS
Target
580,000 open resolvers on Internet (Kaminsky-Shiffman’06)
Solutions
ip spoofed packets
attacker
prevent
ip spoofing
open
amplifier
disable
open amplifiers
victim
DDOS
DNS Requests
Name
Server
BotNet
DNS Responses
victim
Related documents
Midterm Review - UTK-EECS
Midterm Review - UTK-EECS
Name - Computer Science Department
Name - Computer Science Department
4_hDNS - take2theweb
4_hDNS - take2theweb
FootPrinting - PSU
FootPrinting - PSU
TCP/IP Configuration
TCP/IP Configuration
Slide 1
Slide 1
Week 4: Monetary Transactions in Ecommerce
Week 4: Monetary Transactions in Ecommerce
(DOS) Attack
(DOS) Attack
Document 8927335
Document 8927335
networking
networking