CS 640: Introduction To Computer Networks: Aditya Akella Lecture 25 - Network Security
Computer Networks
Aditya Akella
Lecture 25
Network Security
Security Vulnerabilities
Security Problems in the TCP/IP Protocol Suite (Steve Bellovin, 1989)
Attacks on Different Layers
IP Attacks
ICMP Attacks
Routing Attacks
TCP Attacks
Application Layer Attacks
Security Flaws in IP
The IP addresses are filled in by the originating host
Address spoofing
ARP Spoofing
[Diagram: hosts A, 1.1.1.1, 1.1.1.2 and 1.1.1.3 connected via the Internet; label: "Much harder"]
Source Routing?
Security Flaws in IP
IP fragmentation attack
End hosts need to keep the fragments till all the fragments arrive
Traffic amplification attack
IP allows broadcast destination
Problems?
Ping Flood
[Diagram: Attacking System -> Internet -> Broadcast Enabled Network -> Victim System]
ICMP Attacks
No authentication
ICMP redirect message
Many more
http://www.sans.org/rr/whitepapers/threats/477.php
Routing Attacks
Distance Vector Routing
BGP
TCP Attacks
Client -> Server: SYN x
Server -> Client: SYN y | ACK x+1
Client -> Server: ACK y+1
Issues?
DNS insecurity
DNS poisoning
DNS zone transfer
An Example
[Diagram: Mitnick, Shimomura (S) and Trusted (T); arrows labelled Finger, Showmount -e and SYN]
Steps so far: Finger @S; showmount -e
An Example
[Diagram: Mitnick, Shimomura (S) and Trusted (T); arrow labelled SYN flood]
Steps so far: Finger @S; showmount -e
An Example
[Diagram: Shimomura (S) and Trusted (T); arrows labelled SYN, SYN|ACK and ACK]
Steps so far: Finger @S; showmount -e; SYN flood T
An Example
[Diagram: Mitnick, Shimomura (S) and Trusted (T); arrow labelled "++ > rhosts"]
Steps so far: Finger @S; showmount -e; SYN flood T
Denial of Service
Objective: make a service unusable, usually by overloading the server or network
Consume host resources
TCP SYN floods
ICMP ECHO (ping) floods
Consume bandwidth
UDP floods
ICMP floods
Denial of Service
Crashing the victim
Ping-of-Death
TCP options (unused, or used incorrectly)
Simple DoS
The attacker usually spoofs the source address to hide the origin
[Diagram: Attacker sending traffic to Victim(s)]
Easy to block
Coordinated DoS
[Diagram: three Attacker -> Victim pairs]
The first attacker attacks a different victim to cover up the real attack
The attacker usually spoofs the source address to hide the origin
Harder to deal with
Distributed DoS
[Diagram: Attacker -> Handlers -> Agents -> Victim]
Distributed DoS
The handlers are usually very high volume servers
Easy to hide the attack packets
DDoS Defenses
Network Capabilities
Traffic Scrubbers
Firewalls
Lots of vulnerabilities on hosts in network
Users don't keep systems up to date
Lots of patches
Lots of exploits in wild (no patch for them)
Solution?
Firewalls (contd)
[Diagram: firewall in front of the Internal Network]
Packet Filters
Packet filter selectively passes packets from one network interface to another
Usually done within a router between external and internal networks (screening router)
Actions Available
[Diagram: Internet, DMZ and Intranet separated by the screening router, with a Server in the DMZ]
Advantages?
If a service gets compromised in the DMZ it cannot affect internal hosts
Ack Set?
Problems?
Rule   Dir  Src Addr  Src Port  Dst Addr  Dst Port  Proto  Ack Set?  Action
SSH-1  In   Ext       > 1023    Int       22        TCP    Any       Allow
SSH-2  Out  Int       22        Ext       > 1023    TCP    Yes       Allow
Ingress Filtering
Inbound traffic from an internal address: Drop
Benefits?
Default Deny
Why?
Rule     Dir  Src Addr  Src Port  Dst Addr  Dst Port  Proto  Ack Set?  Action
Egress   Out  Ext       Any       Ext       Any       Any    Any       Deny
Ingress  In   Int       Any       Int       Any       Any    Any       Deny
Default  Any  Any       Any       Any       Any       Any    Any       Deny
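The SSH rules and the ingress/egress/default-deny rules above, as an added example that is not part of the lecture slides: a first-match packet filter that evaluates both tables as one ordered rule list. The rule ordering (anti-spoofing rules first, default deny last), the "int"/"ext" zone labels standing in for address ranges, and the sample packets are my own assumptions.

```python
from collections import namedtuple

# Packet fields as the screening router sees them. src_zone/dst_zone are "int"
# or "ext" (which side of the router the address belongs to); ack_set is the TCP
# ACK flag and is False for non-TCP protocols.
Packet = namedtuple("Packet", "direction src_zone src_port dst_zone dst_port proto ack_set")

# Rule fields mirror the table columns; None means "Any", and port specs are
# written as in the table: an exact port ("22") or a range (">1023").
Rule = namedtuple("Rule", "name direction src_zone src_port dst_zone dst_port proto ack_set action")

def port_matches(spec, port):
    if spec is None:
        return True
    return port > int(spec[1:]) if spec.startswith(">") else port == int(spec)

def rule_matches(rule, pkt):
    return (rule.direction in (None, pkt.direction)
            and rule.src_zone in (None, pkt.src_zone)
            and rule.dst_zone in (None, pkt.dst_zone)
            and rule.proto in (None, pkt.proto)
            and rule.ack_set in (None, pkt.ack_set)
            and port_matches(rule.src_port, pkt.src_port)
            and port_matches(rule.dst_port, pkt.dst_port))

# Rules are consulted in order (first match wins): the anti-spoofing rules
# first, then the SSH pair from the first table, and default deny last so
# anything not explicitly listed is dropped. This ordering is an assumption.
RULES = [
    Rule("Egress", "out", "ext", None, "ext", None, None, None, "deny"),
    Rule("Ingress", "in", "int", None, "int", None, None, None, "deny"),
    Rule("SSH-1", "in", "ext", ">1023", "int", "22", "tcp", None, "allow"),
    Rule("SSH-2", "out", "int", "22", "ext", ">1023", "tcp", True, "allow"),
    Rule("Default", None, None, None, None, None, None, None, "deny"),
]

def filter_packet(pkt, rules=RULES):
    """Return (rule name, action) of the first rule that matches pkt."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    raise ValueError("rule list must end with a catch-all default rule")

if __name__ == "__main__":
    # Constructed sample: a client's SSH SYN from the Internet and the
    # server's SYN|ACK reply, which the "Ack Set?" check lets back out.
    print(filter_packet(Packet("in", "ext", 40000, "int", 22, "tcp", False)))
    print(filter_packet(Packet("out", "int", 22, "ext", 40000, "tcp", True)))
```

The "Ack Set? = Yes" condition on SSH-2 is what stops an internal host's port 22 from opening new outbound connections: an outbound segment from port 22 without ACK set matches nothing before the default rule and is dropped.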
Packet Filters
Advantages
Transparent to application/user
Simple packet filters can be efficient
Disadvantages
Alternatives
Stateful packet filters
Alternatives
Proxy Firewalls
Two connections instead of one
Either at transport level
SOCKS proxy
Or at application level
HTTP proxy
Proxy Firewall
Data Available
Advantages?
Disadvantages?
Summary
TCP/IP security vulnerabilities
Spoofing
Flooding attacks
TCP session poisoning