Network Security - Oregon State University


Security (Continued)
V.T. Raja, Ph.D.,
Oregon State University
Outline
• Denial of Service (DoS) Attack
– Smurf Attack
– Half-open telnet sessions
– SYN Flood Attack
• Distributed DoS Attack
• Network Address Translation
– NAT Proxy Server
• Demilitarized Zone (DMZ)
Denial of Service (DoS) Attacks
• Denial of Service attacks
– “Ping” attacks
– Smurf attack
– SYN flood attack
– Half-open telnet sessions
• Distributed Denial of Service attacks
Denial of Service (DoS) Attack
• Hacker attempts to disrupt the network by flooding the network with
messages so that the network cannot process messages from legitimate
users
• Examples:
1. Hacker’s program continuously pings the target computer.
– Consequence:
– Solution:
2. Hacker’s program continuously sends “ping” requests to the target that list the
target as the sender
– Consequence:
– Solution:
3. Smurf attack:
What is a smurf attack?
What is the consequence of a smurf attack?
4. SYN Flood attack:
What is a SYN flood attack?
What is the consequence of such an attack?
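The three ICMP-based attacks on this slide each leave a distinct signature in a packet capture: a ping flood is many echo requests to the target from one source; the "target listed as sender" variant is echo requests whose source address equals their destination; a smurf attack is echo requests sent to a directed-broadcast address with the victim spoofed as the source, followed by a burst of echo replies to the victim from many hosts that the victim never pinged. The detector below runs over a constructed capture that contains all three. It is an added example written for this page, not code from the lecture; the record layout (ts, src, dst, icmp_type), the addresses (RFC 5737 documentation ranges) and the 50-packets-per-second threshold are assumptions.

```python
"""Classify ICMP DoS patterns (ping flood, spoofed-self ping, smurf) in a
constructed packet capture.

Added example, not from the lecture slides. Field names, addresses and the
threshold are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict

ECHO_REQUEST = 8
ECHO_REPLY = 0
VICTIM = "192.0.2.10"          # constructed target address (TEST-NET-1)
BROADCAST = "198.51.100.255"   # constructed directed-broadcast address
THRESHOLD = 50                 # packets per second above which we call it a flood


def build_capture():
    """Constructed capture: one second of each attack, then a quiet second."""
    pkts = []
    # 1. Continuous ping: one attacker hammers the target with echo requests.
    pkts += [{"ts": 1, "src": "203.0.113.5", "dst": VICTIM,
              "icmp_type": ECHO_REQUEST}] * 120
    # 2. Spoofed-self ping: requests claim to come from the target itself,
    #    so the target's replies are addressed back to itself.
    pkts += [{"ts": 2, "src": VICTIM, "dst": VICTIM,
              "icmp_type": ECHO_REQUEST}] * 80
    # 3. Smurf: requests to a broadcast address with the victim spoofed as
    #    source; every host on that segment answers the victim.
    pkts += [{"ts": 3, "src": VICTIM, "dst": BROADCAST,
              "icmp_type": ECHO_REQUEST}] * 10
    pkts += [{"ts": 3, "src": f"198.51.100.{i}", "dst": VICTIM,
              "icmp_type": ECHO_REPLY} for i in range(1, 101)]
    # Background: a few legitimate pings that must not be flagged.
    pkts += [{"ts": 4, "src": "203.0.113.9", "dst": VICTIM,
              "icmp_type": ECHO_REQUEST}] * 3
    return pkts


def classify(pkts, threshold=THRESHOLD):
    """Return {second: [finding, ...]} for every second with an attack signature."""
    per_sec = defaultdict(list)
    for p in pkts:
        per_sec[p["ts"]].append(p)

    findings = {}
    for ts, group in sorted(per_sec.items()):
        found = []
        req_to_victim = [p for p in group
                         if p["dst"] == VICTIM and p["icmp_type"] == ECHO_REQUEST]
        reply_to_victim = [p for p in group
                           if p["dst"] == VICTIM and p["icmp_type"] == ECHO_REPLY]

        # A request arriving from the wire with src == dst is always forged.
        if any(p["src"] == p["dst"] for p in req_to_victim):
            found.append("spoofed-self ping")

        # Our own address as source of requests to a broadcast address: smurf.
        if any(p["dst"] == BROADCAST and p["src"] == VICTIM for p in group):
            found.append("smurf (victim spoofed as source to broadcast)")

        # Many replies from many distinct hosts: the reflected side of smurf.
        distinct_repliers = {p["src"] for p in reply_to_victim}
        if (len(reply_to_victim) > threshold
                and len(distinct_repliers) > threshold // 2):
            found.append("smurf (reflected echo replies)")

        # One source sending more requests per second than the threshold.
        by_src = Counter(p["src"] for p in req_to_victim)
        for src, n in by_src.items():
            if n > threshold and src != VICTIM:
                found.append(f"ping flood from {src}")

        if found:
            findings[ts] = found
    return findings


if __name__ == "__main__":
    for ts, items in classify(build_capture()).items():
        print(f"t={ts}s:", "; ".join(items))
```

The reflected-reply check is the one a victim can act on alone: the requests to the broadcast address are only visible on the amplifier's network, where the fix is to stop routers forwarding directed broadcasts (and to rate-limit ICMP); the spoofed-source requests themselves are stopped by ingress filtering at the attacker's provider, which the victim does not control.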
Telnet
• A protocol used for remote login
• Does not transfer data in bulk
• Interactive
– Each character typed by the Telnet user is sent to the remote host
– The remote host sends back a copy of each character to the Telnet user,
which is displayed on the Telnet user’s screen (echo back)
– Echo back is used to ensure that characters seen by the Telnet user
have already been received and processed at the remote site.
– Each character thus traverses the network twice between the
time the user hits the key and the time the character is displayed
on the user’s monitor
– Everything, including the login password, crosses the network in
cleartext; SSH provides the same interactive login with encryption and
is what should be exposed on a network today
Half-open Telnet sessions
[Figure: half-open Telnet session between Client and Server; diagram not reproduced in this transcript]
TCP header: Packet #s (Sequence #s)
• Assume a file has 500,000 bytes
• Assume TCP breaks this file into packets (segments), where
each packet carries 1000 bytes of data
• Each packet is given a packet # (its sequence number)
• The packet # for a packet is the number of the
first byte in that packet, so TCP is really numbering bytes, not packets.
– The packet # of the first packet would be 1
– The packet # of the next packet would be 1001
– The packet # of the third packet would be 2001, and so on (500 packets in all)
– In a real connection the count starts from a random initial sequence
number chosen at connection setup rather than from 1; the numbers here
are relative to that starting point
TCP: Acknowledgement #
• Assume A transmits to B
• B acknowledges receipt of A’s message, by
specifying an acknowledgment #.
• The ACK # sent by B is the packet # of the next
packet that B is expecting from A.
• Example:
– After A sends first packet, B sends an
acknowledgment to A by specifying ACK# 1001.
– After A sends second packet, B acknowledges by
specifying ACK# 2001.
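The two slides above give one instance (500,000 bytes, 1000-byte packets, ACK 1001 then 2001) of the general rule: a segment carries the number of its first byte, and the receiver's ACK is the next byte it expects. The ACK is cumulative, so it also tells the sender what happens when a segment is lost: later segments are buffered but the ACK stays at the hole until the missing bytes arrive. The code below generalises the slides' example that far. It is an added example written for this page, not from the lecture; the relative numbering from 1 follows the slides (real TCP starts at a random initial sequence number), and the loss pattern is constructed.

```python
"""Sequence and acknowledgement numbers for a 500,000-byte transfer in
1000-byte segments, plus the receiver's cumulative ACK under segment loss.

Added example, not from the slides. Numbering from 1 is the slides'
simplification; real TCP counts relative to a random initial sequence number.
"""
FILE_SIZE = 500_000
SEGMENT = 1_000


def segments(file_size=FILE_SIZE, seg=SEGMENT, first_byte=1):
    """Return [(seq, length), ...]: seq is the number of the first byte carried."""
    out = []
    seq = first_byte
    end = first_byte + file_size
    while seq < end:
        length = min(seg, end - seq)
        out.append((seq, length))
        seq += length
    return out


def receiver_acks(segs, lost=()):
    """Return the ACK number the receiver sends after each segment that arrives.

    `lost` holds indexes into `segs` that never arrive. The ACK is the next
    byte expected (cumulative): data beyond a hole is buffered, but the ACK
    does not advance past the hole, so the sender sees duplicate ACKs until
    it retransmits the missing segment.
    """
    expected = segs[0][0]
    buffered = {}           # seq -> length of out-of-order data held back
    acks = []
    for idx, (seq, length) in enumerate(segs):
        if idx in lost:
            continue        # segment dropped by the network
        if seq == expected:
            expected += length
            # the hole is filled: release any buffered data that now joins on
            while expected in buffered:
                expected += buffered.pop(expected)
        elif seq > expected:
            buffered[seq] = length
        # seq < expected is a duplicate of data already acknowledged: ignore it
        acks.append(expected)
    return acks


if __name__ == "__main__":
    segs = segments()
    print("first three segments:", segs[:3])
    print("ACKs, no loss:", receiver_acks(segs[:3]))
    # second segment lost, then retransmitted after the duplicate ACKs
    print("ACKs, loss + retransmit:", receiver_acks(segs[:4] + [segs[1]], lost={1}))
```

The three identical ACKs of 1001 in the loss case are exactly what a sender's fast-retransmit logic keys on: three duplicate ACKs trigger resending the segment starting at 1001 before the retransmission timer fires.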
TCP SYN for a simple Telnet application
• TCP stands for: Transmission Control
Protocol
• SYN stands for: Synchronize Sequence
Numbers
• Assume Client A initiates a Telnet session
with Server B. Assume client A has typed
the letter “C.”
Half-open TCP SYN
[Figure: half-open TCP handshake between Client and Server; diagram not reproduced in this transcript]
SYN Flood Attack
• Attacker (client) sends a TCP SYN (Synchronize
Sequence/Packet Number) request to the server.
• The server responds by sending a TCP SYN/ACK
packet and records the pending connection.
• The attacker does not respond, resulting in a half-open session that
uses up server resources (a slot in the listener’s backlog) until it times out.
• The attacker sends a flood of such TCP SYN
requests without responding, usually with spoofed source addresses so the
SYN/ACKs go nowhere.
• SYN requests from legitimate clients are dropped because the server’s
table of half-open sessions is full, so they cannot connect.
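The SYN-flood slide and the half-open handshake slide before it describe a server that stores state for every SYN; the code below models that listener, shows a legitimate client being refused once spoofed SYNs have filled the backlog, and then shows the standard fix, SYN cookies, where the server encodes the handshake state in its own initial sequence number and stores nothing until the client's ACK proves it is real. This is an added example written for this page, not the lecture's code. The handshake is modelled as Python calls rather than packets; the backlog size, the HMAC secret, the 5-bit time-slot layout and the coarse clock are assumptions made for the model (real SYN cookies also encode the MSS and are tied to the kernel's clock).

```python
"""Half-open connection table under a SYN flood, and SYN cookies as mitigation.

Added example, not from the lecture slides. Backlog size, secret, cookie
layout and clock granularity are assumptions of this model.
"""
import hashlib
import hmac
import random

MASK32 = 0xFFFFFFFF


class BacklogServer:
    """Classic listener: every SYN reserves a backlog slot until the ACK arrives."""

    def __init__(self, backlog=128, isn_seed=0):
        self.backlog = backlog
        self.half_open = {}        # (src_ip, src_port) -> our ISN
        self.established = set()
        self.rng = random.Random(isn_seed)

    def on_syn(self, src, client_isn):
        if len(self.half_open) >= self.backlog:
            return None            # backlog full: the SYN is silently dropped
        isn = self.rng.getrandbits(32)
        self.half_open[src] = isn
        return (isn, (client_isn + 1) & MASK32)     # SYN/ACK: our seq, their ack

    def on_ack(self, src, ack):
        isn = self.half_open.get(src)
        if isn is None or (ack & MASK32) != ((isn + 1) & MASK32):
            return False
        del self.half_open[src]    # handshake complete: slot released
        self.established.add(src)
        return True


class SynCookieServer:
    """Stateless listener: ISN = f(secret, client endpoint, time); no per-SYN state."""

    def __init__(self, secret=b"demo-secret", window=2):
        self.secret = secret
        self.window = window       # number of clock slots a cookie stays valid
        self.established = set()
        self.now = 0               # coarse clock (e.g. minutes), advanced by the caller

    def _cookie(self, src, t):
        msg = f"{src[0]}:{src[1]}:{t}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # top 5 bits: time slot; low 27 bits: truncated MAC (assumed layout)
        return ((t & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

    def on_syn(self, src, client_isn):
        # Nothing is stored: a flood of unanswered SYNs costs only the reply.
        return (self._cookie(src, self.now), (client_isn + 1) & MASK32)

    def on_ack(self, src, ack):
        isn = (ack - 1) & MASK32
        t = isn >> 27
        for slot in range(self.now, self.now - self.window, -1):
            if slot >= 0 and (slot & 0x1F) == t and self._cookie(src, slot) == isn:
                self.established.add(src)      # state allocated only now
                return True
        return False                           # forged, stale or unknown


def syn_flood(server, n):
    """Attacker sends n SYNs from spoofed sources and never answers the SYN/ACK."""
    for i in range(n):
        server.on_syn((f"198.51.100.{i % 250 + 1}", 10000 + i), client_isn=i)


def legitimate_connect(server, src=("203.0.113.7", 40000)):
    """A real client completes the handshake; True if it got a connection."""
    synack = server.on_syn(src, client_isn=1000)
    if synack is None:
        return False
    server_isn, _ = synack
    return server.on_ack(src, ack=server_isn + 1)


if __name__ == "__main__":
    b = BacklogServer(backlog=128)
    syn_flood(b, 128)
    print("backlog server, client connects after flood:", legitimate_connect(b))
    c = SynCookieServer()
    syn_flood(c, 10_000)
    print("cookie server, client connects after flood:", legitimate_connect(c))
```

Linux enables this behaviour with the `net.ipv4.tcp_syncookies` sysctl (by default only once the backlog overflows). The cost is visible in the model: the server keeps no record of the SYN, so options it would normally remember from it (window scale, SACK permitted) are lost unless they can be recovered from the client's ACK, which is why cookies are a fallback under attack rather than the normal path.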
Distributed DoS (DDoS) attack
• In a DDoS attack, a hacker first gains control of
hundreds/thousands of computers.
• Plants software referred to as a DDoS agent on
each of the slaves (zombies)
• Hacker then uses software referred to as a DDoS
handler (master zombie) to control the agents
(slave zombies)
• Attacker launches attacks from all the slaves, so the flood arrives
from many sources at once and it is difficult to trace the hacker
High Profile Victims of DDoS
• Yahoo, eBay, Amazon and eTrade
websites were rendered inaccessible to
legitimate visitors after being flooded with
traffic from hundreds of hijacked systems
• www.msn.com, www.expedia.com and
www.carpoint.com were flooded by a
DDoS attack for almost one day
• DDoS attacks have also targeted high-level DNS servers on
the Internet
Network Address Translation
• Network address translation (NAT) is used
to shield a private network from outside
interference.
• A NAT proxy server uses an address table,
translating network addresses inside the
organization into aliases (the gateway’s public address and
a port) for use on the Internet. So, internal IP addresses remain
hidden, and an inbound packet that matches no table entry has no
internal host to be delivered to.
• NAT hides addresses but enforces no policy: a port forward or a
misconfigured mapping exposes an internal host again, so NAT is not a
substitute for a firewall.
• It is common to combine DMZ, firewalls and
proxy servers. (See Figure).
Figure: Network design using firewalls, DMZ and NAT Proxy Servers
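The address table the NAT slide describes is, in the port-translating form used on almost every gateway, a mapping from (internal address, internal port, destination) to a port on the gateway's public address. The model below rewrites outbound packets through that table, maps replies back to the internal host, and drops inbound packets for which no internal host ever created an entry, which is the "shielding" the slide refers to. It is an added example written for this page, not code from the lecture; the packet dicts, field names, the 10.0.0.0/8 and RFC 5737 addresses and the starting port are constructed.

```python
"""Port-translating NAT (NAPT) as a translation table.

Added example, not from the lecture slides. Packet layout, addresses and the
starting public port are constructed for illustration.
"""
PUBLIC_IP = "203.0.113.1"       # constructed public address of the gateway


class Nat:
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.outbound = {}
        # (public port, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.inbound = {}

    def egress(self, pkt):
        """Packet leaving the private network: rewrite its source to public IP:port."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.outbound.get(key)
        if port is None:                       # first packet of this flow
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=port)

    def ingress(self, pkt):
        """Packet arriving from the Internet: map it to the private host, or drop it."""
        if pkt["dst"] != self.public_ip:
            return None                        # not even addressed to us
        inner = self.inbound.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if inner is None:
            return None                        # unsolicited: no internal host asked for this
        priv_ip, priv_port = inner
        return dict(pkt, dst=priv_ip, dport=priv_port)


def demo():
    """Two internal hosts talk to a web server; a scanner probes the gateway."""
    nat = Nat()
    out1 = nat.egress({"src": "10.0.0.5", "sport": 51000,
                       "dst": "198.51.100.20", "dport": 80})
    out2 = nat.egress({"src": "10.0.0.6", "sport": 51000,
                       "dst": "198.51.100.20", "dport": 80})
    reply = nat.ingress({"src": "198.51.100.20", "sport": 80,
                         "dst": PUBLIC_IP, "dport": out1["sport"]})
    # a third party guessing the mapped port: same port, wrong remote endpoint
    probe = nat.ingress({"src": "198.51.100.99", "sport": 4444,
                         "dst": PUBLIC_IP, "dport": out1["sport"]})
    # a scan of a service port on the gateway with no mapping at all
    scan = nat.ingress({"src": "198.51.100.99", "sport": 4444,
                        "dst": PUBLIC_IP, "dport": 22})
    return out1, out2, reply, probe, scan


if __name__ == "__main__":
    for label, pkt in zip(("out1", "out2", "reply", "probe", "scan"), demo()):
        print(f"{label}: {pkt}")
```

The table here is keyed on the full remote endpoint as well as the internal one, so only the host the internal client talked to can send traffic back through the mapping (RFC 4787 calls this endpoint-dependent filtering). Gateways that key only on the internal endpoint accept inbound packets from any remote host once a mapping exists, which is what hole-punching tools rely on; either way the drop is a side effect of the table, not a policy decision, which is why the slide pairs NAT with a firewall and a DMZ.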