Download slides

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
Document related concepts

Computer security wikipedia , lookup

Net bias wikipedia , lookup

Lag wikipedia , lookup

Distributed firewall wikipedia , lookup

Internet protocol suite wikipedia , lookup

Wireless security wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Deep packet inspection wikipedia , lookup

TCP congestion control wikipedia , lookup

Cross-site scripting wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
Network Security
Denial of Service Attacks
Dina Katabi
[email protected]
nms.csail.mit.edu/~dina
Announcements


DP2 extension until Sunday 5pm
Online evaluation is open at
http://web.mit.edu/subjectevaluation
Attacker’s Goals

Makes a service inaccessible



Links, servers, routing, etc.
Hide
Maximize damage for little work on
the side of the attacker
Attacker Wants to Hide

Spoof the source (IP address, email account, ...)

Indirection

Attacker
Reflector attacks: E.g., Smurf Attack
ICMP Echo Req
Src: Victim’s addr
Dest: brdct addr
gateway
Victim
Attacker Wants to Hide

Spoof the source (IP address, email account, ...)

Indirection

Reflector attacks: E.g., Smurf Attack
gateway
Attacker
ICMP Echo Reply
Dest: Victim
Victim
Increase Damage  Go Fully Distributed
 Use a Botnet
Attacker
Master
Master
Unidirectional
commands
Master
Coordinating
communication
Daemon Daemon Daemon Daemon Daemon Daemon Daemon Daemon Daemon Daemon
Victim
Attack
traffic
Trinoo Transcript
Connection to port (default 27665/tcp)
attacker$ telnet 10.0.0.1 27665
Trying 10.0.0.1
Connected to 10.0.0.1
Escape character is '^]'.
Kwijibo
Connection closed by foreign host. . . .
attacker$ telnet 10.0.0.1 27665
Trying 10.0.0.1
Connected to 10.0.0.1
Escape character is '^]'.
Betaalmostdone
trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]
trinoo>
Trin00 Commands

dos <IP> - command to initiate a DoS against the
targeted <IP> address

mdos <IP1:IP2:IP3> - sends command to attack three IP
addresses, sequentially

die – shut down the master

mdie <password> - if correct password specified, packet
is sent out to all daemon nodes to shutdown

mping – ping sent to all nodes in the deamon list

killdead – delete deamon nodes from list that didn’t
reply to ping

bcast – gives a list of all active daemons

mstop – Attempts to stop an active DoS attack. Never
implemented by the author(s), but the command is there
Attacks
Attacks on Bandwidth

Brute force attack

Attacker sends traffic to consume link bandwidth
Defending against bandwidth attacks is hard
Bottleneck Link
ISP network
Victim network



Should drop packets before the bottleneck, i.e., at ISP
But
 ISPs are not willing to deploy complex filters for each client
 ISPs have no strong incentive; they charge clients for traffic
Big companies defend themselves by using very high bandwidth
access links
Attacks on TCP
TCP DoS Attacks:
TCP SYN Flood
Client
Server
SYNC
Listening
SYNS, ACKC
Store data
Wait
ACKS
Connected
TCP DoS Attacks:
TCP SYN Flood
C
S
SYNC1
SYNC2
SYNC3
SYNC4
SYNC5
Listening
Store data
TCP DoS Attacks:
TCP SYN Flood

Usually targets connection memory  Too many
half-open connections

Potential victim is any TCP-based server such as
a Web server, FTP server, or mail server

To check for SYN flood attacks


Run netstat -s |grep "listenqueue overflows“ and check whether many
connections are in "SYN_RECEIVED"
How can the server deal with it?


Server times out half-open connection
SYN cookies and SYN caches prevent spoofed IP attacks
SYN Cookie


Ensures source IP is
not spoofed
Server delay
resource reservation
until it checks that
the client can receive
a packet at the
claimed source
address
C
S
SYN
SYNACK
(seqs=cookie)
No state is stored.
Initialize TCP seq
number to a
random cookie
ACK
(seqs=cookie+1)
Check seq to
ensure client
received cookie
Attacks on Routers
Attacks on Routers:
Attacks on Routing Table
ZA, Cost 1
Z
A
Routing
Info
B
Y
X
YZA, Cost 2

Attacker needs to get access to a router

Attacks

BYZA, Cost 3
Prefix hijacking by announcing a more desirable route

Z can lie about its route to A

Overload routers CPU by too many routing churns

Overload the routing table with too many routes

Causes router to run out of memory or CPU power for processing routes

E.g., AS7007
Attacks on Routers:
Countering Routing Table Attacks

Authenticate peer routers

Secure BGP [Kent et al]


Every ISP sign their advertisements creating a chain of
accountability (e.g., Y sends { X: {A}X }Y
Too many signatures  too slow

With no authentication needs a few usec; authentication needs 2
orders of magnitude more time
DoS Attacks on Web Servers
DoS Attacks on Servers:
Attacks that Mimic Legitimate Traffic
GET LargeFile.zip
DO LongDBQuery



Attacker compromises many machines causing them to flood victim with
HTTP requests
Attacked resources
 DB and Disk bandwidth
 Socket buffers, processes, …
 Dynamic content, password checking, etc.
Hard to detect; attack traffic is indistinguishable from legitimate traffic
CAPTCH-Based Solution
Suspected attack! To access www.foo.com
enter the above letters:

Need to ensure:


Cheap ways to send test and check answer
Some people can’t or don’t want to answer graphical tests
but are legitimate users (e.g., Blind users)
Detection
Network Intrusion Detection
Linux
XP
Linux
Mac
Win98
NT
Linux
Win95

NIDS box monitors traffic entering and leaving your network

In contrast to firewalls, NIDS are passive
Approaches to Intrusion Detection
1.
Signature Based: Keeps a DB of known attack signatures and
matches traffic against DB (e.g., Bro, Snort)

Pros



Cons

2.
Can’t discover new attacks
Anomaly Based: Matches traffic against a model of normal
traffic and flags abnormalities (e.g., EMERALD)

Pros


Can deal with new attacks
Cons



3.
Easy to understand the outcome
More accurate in detecting known attacks
Modeling normal. it is hard to describe what is normal
Limits new applications
Less accurate detection of known attacks
Hybrid: Matches against DB of known attacks. If no match, it
checks for anomaly
Evasion Problem in NIDS


Consider scanning traffic for a particular
string (“USER root”)
Easiest: scan for the text in each packet


Okay, remember text from previous packet


No good: text might be split across multiple packets
No good: out-of-order delivery
Okay, fully reassemble byte stream


Costs state ….
…. and still evadable
Source: Vern Paxson
Evading Detection Via
Ambiguous TCP Retransmission
Sender
15 hops
20 hops
NIDS
Receiver
Evading Detection Via
Ambiguous TCP Retransmission
n
r
Attacker
TTL=17, seq=1
Timed out
TTL=23, seq=1
NIDS
r
n or r?
Receiver
Evading Detection Via
Ambiguous TCP Retransmission
n
i
Timed out
TTL=23, seq=1
r
o
TTL=17, seq=1
r
TTL=21, seq=2
o
TTL=15, seq=2
Attacker
Timed out
NIDS
n or r?
i or o?
Receiver
Evading Detection Via
Ambiguous TCP Retransmission
TTL=17, seq=1
n
Timed out
TTL=23, seq=1
r
r
TTL=21, seq=2
o
o
TTL=15, seq=2
i
o
c
t
Timed out
TTL=20, seq=3
o
TTL=19, seq=4
Timed out
TTL=27, seq=4
Attacker
t
NIDS
n or r?
i or o?
o
c or t?
Receiver
noot? niot? rooc? nooc?
nioc? riot? root? …
Bypassing NIDS
 Evasion
 Insertion
 DoS
it
 Hack
it
 Cause
many false alarms until admin
stops paying attention
Related documents
Skating on Stilts
Skating on Stilts
dos_nanog
dos_nanog
CLIENT SERVER ARCHITECTURE
CLIENT SERVER ARCHITECTURE
No Slide Title
No Slide Title
www.bestitdocuments.com
www.bestitdocuments.com
Honeynet Project
Honeynet Project
Systems Security
Systems Security
ch08 - Columbus State University
ch08 - Columbus State University
Presentation_Sharmistha_Roy
Presentation_Sharmistha_Roy
Forms of Network Attacks
Forms of Network Attacks