Network Security
Introduction
• Network security does not equal
cryptography
• Network insecurity
– Design problems
– Bugs in software
– The human factor
• Design and implementation
• Configuration
• Usage
Denial of Service (DoS)
Denial of Service
• The concept of DoS
• The attackers
– Hackers, script kiddies
– Ideologically motivated individuals
– Criminals
– Potentially government, military
• The targets
– e-commerce sites
– Departments of government
– Large networks
– Anyone else as well
Generic DoS Techniques
• Brute Force (floods)
• Unequal computational resources
• Withholding information from target
• Hooking up two unsuspecting targets to communicate one with the other (storm)
• Killing legitimate connection of target
• Utilization of software bugs
• Amplification by other unsuspecting hosts
• Distributed DoS
Brute Force (Flood)
• Idea: send large amount of garbage traffic to
target. Consume resources of target
• Examples:
– ICMP flood
– UDP flood
• Defenses
– Identify flood situation
– Filter attacker’s address (however, spoofing)
– Filter flood traffic (ICMP ping, UDP ports etc.)
Unequal Resources
• Idea: attacker and target communicate,
attacker requires far less resources than
target
• Example: Diffie-Hellman, in which the attacker sends a random x ∈ Z_p
• Defense: no good defense. Target should
execute easiest parts of the protocol first
hoping that attacker stumbles
Withholding Info from Target
• Idea: target is waiting for information to be
supplied by attacker. Resources (storage etc.) are
tied up
• Examples:
– SYN flood
– Incomplete IP fragments attack
• Defenses:
– Set timer for each pending message
– Recycle resources
Hooking up Two Targets
• Idea: attacker poses as target1 sends traffic to
target2, the two targets begin to converse and
create a storm
• Examples:
– Out-of-office automatic e-mail replies
– Land attack
– UDP echo, chargen attack
• Defenses:
– Block unnecessary applications
– Rate-limit number of automatic answers
Killing Legitimate Connection
• Idea: attacker ends connection between target1 and
target2
• Examples:
– Bogus ICMP unreachable packets (port, host etc.)
– Bogus TCP RST packets
• Defenses:
– Randomize data to limit connection hijacking
– Wait timeout period before deleting connection
Software Bugs
• Idea: software may not be designed to deal
correctly with any inbound message. Applications
may be deleted, system crash etc.
• Examples:
– Ping of death (over-large ICMP packet)
– Teardrop (overlapping IP fragments)
• Defenses:
– Test software for illegal traffic
Amplification by Others
• Idea: convince a number of hosts to send traffic
together to target. Typically attacker spoofs
address as target
• Examples:
– Smurf attack
– Fraggle attack
• Defenses:
– Remove broadcast, multicast capabilities wherever
possible (however, not always interest of hosts)
DDoS
• Idea: take over large number of hosts. Orchestrate
synchronous attack on target
• Examples:
– Tribal Flood Network
– Trinoo
• Defenses:
– Filter upstream (at service provider network)
– Blocking first part of attack (installation of slaves) is
easier than stopping the DDoS
DDoS Graphically
[Figure: Handler sends "Install Agent" to Host1, Host2, …, Hostn; the Target is shown separately, not yet involved]
DDoS Graphically
[Figure: Handler sends "Attack target" to Agent1, Agent2, …, Agentn; each agent sends a Flood to the Target]
E-mail or ICQ Bombs
• A program automatically generates a large number
of bogus messages and sends them to victim
• Victim wastes time on processing messages
• Mail-boxes may get overrun and stop receiving
valid messages
• Attack frequently caused by altercation between
attacker and victim
• Additional havoc may be caused by spoofing the
messages’ source
Address spoofing
• IP spoofing is changing the IP addresses on
a packet, thus faking source or destination
• Applications:
– Simple malice (DoS for the sake of it)
– Attack on commercial competitor (1997 URL
case)
– Benefit from popularity of another address as is
the case in URL hijacking (the
www.whitehouse.com case)
Physical World Spam
• Locate victim’s mailing address
• Sign victim up to free catalogs, magazines,
mailing lists etc.
• There are more than 250,000 different
forms online for registration
• Victim’s mailbox gets inundated
• The Alan Ralsky case (Spam king)
Malware
Types
• Trojan Horses
• Worms
• Viruses
• Adware
• Spyware
Trojan Horses
• What is a Trojan?
• Goals:
– Intelligence gathering
– Consumption of resources
– Platform for further misuse, e.g. spam
– Rarely locally destructive
• Modes of transport
• The importance of stealth
A List of Trojans (a bit outdated)
• Back-Orifice
• NetBus
• Sub-Seven
• ICQ TROGEN – patched up ICQ program which adds a Trojan
• IC Killer – published as an ICQ nuking
program, but has a back door. Hack the
hackers
Detecting Trojans
• Signatures are possible but not as efficient
against a sophisticated attacker
• File tampering
• Use of cryptographic hash functions and
tripwire (e.g. in Tiny software, hash may be
kept on each executable)
• The downside of this method
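The tripwire approach from the slide above, as an added example that is not part of the lecture: hash every executable once, keep the digests as a baseline, and later report anything whose bytes changed, appeared or vanished. The directory and file contents are constructed in `demo()`; the baseline in practice must be stored where the Trojan cannot rewrite it, which is the downside the slide refers to.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large executables do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root (relative path) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Report files whose bytes changed, appeared or vanished since the baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}

def demo():
    """Constructed scenario: baseline two 'executables', then tamper with one
    and drop a new one; the report names exactly those changes."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "app.exe").write_bytes(b"original program bytes")
        (Path(d) / "lib.dll").write_bytes(b"library bytes")
        baseline = build_baseline(d)   # in practice kept read-only or off-host
        (Path(d) / "app.exe").write_bytes(b"original program bytes + patched-in code")
        (Path(d) / "dropped.exe").write_bytes(b"new file")
        return compare(baseline, build_baseline(d))

if __name__ == "__main__":
    print(demo())
```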
Viruses
• Why are they written?
• Modes of transport (vectors)
• Mechanism
– Infection
– Replication
• Defense: the signature paradigm
• Polymorphic viruses
Worms
• Similar to viruses
• First definition: rely on vulnerabilities to execute
automatically
• Second definition: don’t need to be part of other programs
• Specific vulnerabilities limit number of infected hosts
• Usually requires arbitrary code running vulnerability (e.g.
buffer overflow)
• Automatic distribution threatens national / Internet wide
infrastructure
• Demonstrated by the Morris worm (1988)
Infection strategies
• Quick infection – infect as many vulnerable hosts
as quickly as possible
– Random exponential infection
– Greater probability for local hosts, topologically aware
scanning
– Hit-list initialization
– Permutation scan
• Secret infection – infect with no trace:
– Requires slow infection rate – part of regular P2P or
client-server traffic
– Feasible defense - tripwire
2001 Worms
• Utilizing buffer overflows in IIS 4.0
• Code red I – random infection, web
defacement or DDoS payload against
www.whitehouse.gov
• Code red II – infection more probable
locally, remote back door
• Nimda – multi-vector infection, remained
active for months
Nimda Infection Vectors
• IIS vulnerability
• Bulk e-mail – acted as a virus. Facilitates
spread behind firewalls
• Copying across open Microsoft shares
• Addition of exploit code to infected web
servers in order to pass to web clients
(requires another vulnerability)
• Usage of Code-Red II and other backdoors
2003 Worms
• Slammer
– Microsoft SQL server vulnerability
– Random scanning worm
– Fastest spread in history, population doubling every 8.5
seconds, 75,000 hosts affected
• Blaster
– Microsoft DCOM service vulnerability. All Windows
2000 and XP machines were potential victims
– According to 2005 MS study, 25 million affected hosts
– Possibly affected US power outage August 2003
New Worms
• New vectors, through web vulnerabilities
• Examples:
– Santy, 2004, used a PHP vulnerability to deface
sites
– Samy, 2006, used an XSS vulnerability to
change profiles on Myspace.
• Most damage is done by mass-mailing
worms – MyDoom, Storm etc.
Firewall
Goal of TCP/IP Firewall
• Implement policy on TCP/IP traffic
• Mitigate effects of attacks:
– Limit traffic according to policy
– Force adherence to specification of protocols
• Partial protection against DoS
• Reduce the need for constant patching
Architectures
• Personal FW
• Network FW
• DMZ
• NAT
Packet Filter
Static Filtering
Rules
• Universe – a set of multi-dimensional points
• Rule – defines a pair:
– Subset of points
– Action to be taken on subset
• In TCP/IP the points are packet headers (and
optionally other data such as Time-of-Day)
• Usually, only certain fields are of interest – IP
addresses, IP protocol, TCP/UDP port
• In a firewall the basic actions are “allow” (the
packet to pass) or “deny”.
Policy
• A policy is an ordered set of rules
• A policy defines the action to be taken on each point (e.g. each TCP/IP packet)
• Two possible problems:
1. No action defined for certain point (packet)
2. Conflicting actions defined for point
• First problem is solved by having a default rule, e.g. in firewall drop all packets that haven’t been explicitly allowed
Conflict Resolution
• Different strategies are possible, including
not allowing conflicts at all
• Most common strategy – resolve by order
• The action on a packet is decided by the
first rule it matches
• Default rule – the last rule
Example
Rule No. | Source Address | Dest. Address | Protocol | Source Port | Dest. Port | Action
1        | 1.1.1.1        | 2.2.2.2       | TCP      | Any         | 80         | Deny
2        | Any            | 2.2.2.2       | TCP      | Any         | 80         | Allow
3        | Any            | Any           | Any      | Any         | Any        | Deny
Packet Filter
• A Static Packet Filter implements a policy on IP traffic
• Each packet is checked against the policy
• Action on packet (allow, deny) decided by
rule which packet matches
• If packet matches several rules, conflict
resolution is used
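A static packet filter with order-based conflict resolution, as an added example that is not from the lecture: the three rules of the Example slide are encoded with "Any" as `None`, and a packet is given the action of the first rule it matches. A TCP packet from 1.1.1.1 to 2.2.2.2 port 80 matches both rule 1 and rule 2; order resolves the conflict in favour of rule 1. `audit_gap` checks for the first problem from the Policy slide, a policy with no catch-all default rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    number: int
    src: Optional[str]     # IP or CIDR; None means Any
    dst: Optional[str]
    proto: Optional[str]   # "TCP", "UDP", "ICMP"; None means Any
    sport: Optional[int]
    dport: Optional[int]
    action: str            # "allow" or "deny"

# The rule set from the Example slide, in order; the last rule is the default rule.
POLICY = [
    Rule(1, "1.1.1.1", "2.2.2.2", "TCP", None, 80,   "deny"),
    Rule(2, None,      "2.2.2.2", "TCP", None, 80,   "allow"),
    Rule(3, None,      None,      None,  None, None, "deny"),
]

def _match_addr(pattern, addr):
    return pattern is None or ip_address(addr) in ip_network(pattern, strict=False)

def matches(rule, pkt):
    """True when the packet's header fields lie inside the rule's subset of points."""
    return (_match_addr(rule.src, pkt["src"])
            and _match_addr(rule.dst, pkt["dst"])
            and (rule.proto is None or rule.proto == pkt["proto"])
            and (rule.sport is None or rule.sport == pkt["sport"])
            and (rule.dport is None or rule.dport == pkt["dport"]))

def decide(policy, pkt):
    """First-match conflict resolution: return (action, number of the deciding rule)."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action, rule.number
    raise ValueError("policy gap: no rule covers this packet")

def audit_gap(policy):
    """A policy has no gap only if its last rule matches every point (a default rule)."""
    last = policy[-1]
    return all(f is None for f in (last.src, last.dst, last.proto, last.sport, last.dport))
```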
Static Filter Insufficiency - TCP
• TCP protocol has a state machine
• SYN, SYN-ACK, ACK packet sequence begins
each TCP session
• Static filter rules do not factor the state of the
session
• The client-server model defines a well-known port
for the server and an arbitrary port for the client
• Problem1: opening many ports (different for client
and server)
• Problem2: no adherence to state machine
Static Filter Insufficiency - FTP
• Data ports may be opened dynamically during an
FTP session
• Example: FTP server may send PORT command
followed by a new port (number greater than
1024)
• Static Filter may:
– Have no rule for new port, deny traffic through it
– Allow all traffic for ports whose number is greater than
1024, causing security breach
Dynamic Filter
Keeping State
Sessions
• Data is stored for each TCP/IP session
• Session is identified by:
– Local IP address, Remote IP address,
– IP protocol
– Local port, remote port
• Data for session includes state information
• Packets are matched to session:
– Action on packet decided by session state
– Session state may change according to packet
Example: Telnet session
• Single rule in packet filter: allow packets
with destination port equal to Telnet port
• After first SYN, open session, which
identifies source port
• Additional packets are matched to session
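The Telnet example above as a dynamic filter, written here as an added example rather than code from the lecture: the single rule allows new sessions only to port 23, a bare SYN opens a session keyed by both addresses and both ports (which is how the client's arbitrary source port gets learned), and every later packet is matched to its session and judged by the state machine. Packets arriving out of handshake order are denied, and `expire` implements the pending-session timer from the DoS section. The packet dictionaries and the 30-second timeout are constructed.

```python
from typing import Dict, Tuple

ALLOWED_DST_PORTS = {23}   # the single rule: new sessions only to the Telnet port
PENDING_TIMEOUT = 30.0     # seconds a half-open session may wait (constructed value)

Key = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)

class StatefulFilter:
    """Matches each packet to a session; the session state decides the action."""

    def __init__(self):
        self.sessions: Dict[Key, dict] = {}

    def _lookup(self, pkt):
        """Return the session key and the packet's direction within that session."""
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return (rev, "s2c") if rev in self.sessions else (fwd, "c2s")

    def handle(self, pkt, now=0.0):
        flags = set(pkt["flags"])
        key, direction = self._lookup(pkt)
        sess = self.sessions.get(key)
        if sess is None:
            # Only a bare SYN to an allowed port opens a session (records client port).
            if flags == {"SYN"} and pkt["dport"] in ALLOWED_DST_PORTS:
                self.sessions[key] = {"state": "SYN_SENT", "seen": now}
                return "allow"
            return "deny"                      # no session, no rule
        state, ok = sess["state"], False
        if state == "SYN_SENT" and direction == "s2c" and flags == {"SYN", "ACK"}:
            sess["state"], ok = "SYN_RECEIVED", True
        elif state == "SYN_RECEIVED" and direction == "c2s" and flags == {"ACK"}:
            sess["state"], ok = "ESTABLISHED", True
        elif state == "ESTABLISHED" and "SYN" not in flags:
            ok = True
            if flags & {"FIN", "RST"}:         # simplified: either flag closes the session
                del self.sessions[key]
                return "allow"
        if ok:
            sess["seen"] = now                 # only packets that follow the state machine refresh the timer
        return "allow" if ok else "deny"

    def expire(self, now):
        """Drop half-open sessions older than the timeout; returns how many were dropped."""
        stale = [k for k, s in self.sessions.items()
                 if s["state"] != "ESTABLISHED" and now - s["seen"] > PENDING_TIMEOUT]
        for k in stale:
            del self.sessions[k]
        return len(stale)
```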
Advantages of Stateful Inspection
• Open only what is necessary
• Ensure adherence to protocol
• Create “families” of related sessions:
– FTP
– VoIP
– P2P
• Allow or deny traffic through all family
sessions
ALG
• Application Layer Gateway
• Identify all application messages and states
• Force policy according to application
• A stateful machine for a single application
• Networking low cost alternative to proxy
Personal Firewall
• Firewall on the host
• Firewall intercepts packets (usually in kernel)
• Firewall enforces policy
• Advantage over networking firewall: binding with host’s applications
– Firewall “knows” which application is sending or receiving traffic
• Disadvantage – too difficult for home users
Other
Gathering Information
• The first part of attacking a remote system is
intelligence gathering
• Items of interest
– Network topology
– Operating system
– Open ports
– Applications
– The existence of firewalls/IDS/IPS etc.
– Vulnerabilities
Password Crackers
• Begin with a dictionary
• Mutate each word: Upper and lower case, add a
number as prefix or suffix and so on
• Use each word as password
• Examples: l0phtCrack, John the Ripper, Crack
– www.atstake.com/research/lc3/index.html
– http://www.openwall.com/john/
– www.users.dircon.co.uk/~crypto
More Passwords
• Typical defense: lockout account after too
many wrong passwords
• Exploit: attempt to connect in order to
lockout legitimate user. Popular technique
in public auctions
Social Engineering
• People are often the weakest link of any security
system
• Social engineering takes advantage of human
weaknesses
• Phishing
• I love you virus
• Kournikova virus
• The sulfnbak.exe example
• Log on to my server (it is a great ICQ server…)
• Revealing a password, credit card number etc.
Sandbox
• Acts as filter between applications on a
computer, and system resources
• May restrict according to policy the
following:
– Access to Registry
– Access to system HW or SW services
– Access to file system
– Spawning of process
IDS / IPS
• Intrusion Detection/Prevention Systems are
the next step in filtering after firewalls
• Signature based or behavior based
• Network IDS (NIDS) – reside on network
element, e.g. Cisco router
• Host IDS – reside on end-user computer
• NIDS has more problems with application
level filtering
NIDS evasion
• Differences between NIDS and host
• TTL
• Unicode: introduces several problems to signature
based systems
– Several representations of symbols (in old Unicode and
in some implementations, e.g. IIS)
– Symbols may modify previous symbols
• IDS needs to translate Unicode to canonical form
and only then look for signatures
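The canonicalisation step the slide calls for, as an added example that is not from the lecture: signatures are searched only after the payload is brought to one canonical form (NFKC normalisation plus case folding), and a request that spells the same path with fullwidth characters, which a raw string search misses, is then caught. `decode_for_inspection` covers the "several representations" point for old decoders: an overlong UTF-8 sequence is not canonical UTF-8, so it is flagged rather than silently decoded. The signatures and request lines are constructed.

```python
import unicodedata

# Constructed signatures a NIDS might look for in HTTP request lines.
SIGNATURES = ["cmd.exe", "../"]

def canonicalize(s):
    """Fold every representation of a symbol to one canonical form before matching:
    NFKC maps compatibility characters (fullwidth letters and punctuation) to their
    base characters and composes combining marks; casefold removes case variants."""
    return unicodedata.normalize("NFKC", s).casefold()

def naive_match(payload):
    """Signature search on the raw text, as a NIDS without canonicalisation does it."""
    return [sig for sig in SIGNATURES if sig in payload]

def canonical_match(payload):
    """Signature search after both the payload and the signatures are canonicalised."""
    canon = canonicalize(payload)
    return [sig for sig in SIGNATURES if canonicalize(sig) in canon]

def decode_for_inspection(raw):
    """Strict UTF-8 decoding. Overlong sequences such as b'\\xc0\\xaf' (a non-canonical
    spelling of '/' that some old decoders accepted) are invalid UTF-8, so the
    function reports them instead of turning them into '/'. Returns (text, suspicious)."""
    try:
        return raw.decode("utf-8"), False
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace"), True

# Constructed request lines: the second spells the same path with fullwidth characters
# (U+FF0E FULLWIDTH FULL STOP, U+FF0F FULLWIDTH SOLIDUS, fullwidth Latin letters).
PLAIN = "GET /scripts/../cmd.exe"
FULLWIDTH = "GET /scripts/\uff0e\uff0e\uff0f\uff23\uff4d\uff44\uff0e\uff45\uff58\uff45"
OVERLONG = b"GET /scripts/..\xc0\xaf..\xc0\xafcmd.exe"

if __name__ == "__main__":
    print("raw search:      ", naive_match(FULLWIDTH))
    print("canonical search:", canonical_match(FULLWIDTH))
    print("overlong flagged:", decode_for_inspection(OVERLONG)[1])
```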