slides (PowerPoint)
Download
Report
Transcript slides (PowerPoint)
Vulnerabilities
CSE 525 – Paper Presentation
Winter 2004
Robert Nesius
Agenda
Practical attacks against wireless network
protocols (Supplemental Paper #1)
Exploiting Algorithmic Complexity
(Supplemental Paper #2).
Analysis of growth rates for Flash Worms,
proposal for dealing with future threats more
efficiently (Primary Paper).
Beating up on 802.11 some more.
802.11 Denial-of-Service Attacks: Real
Vulnerabilities & Practical Solutions
August, 2003
John Bellardo – Graduate student, UCSD
Stefan Savage – Assistant Professor,
UCSD
Key Points
Very practical paper
Authors describe some attacks, then
implement them on commodity
hardware!
Attacks are shown in action.
Propose non-cryptographic solutions.
Attack: Deauthentication
Attacker sends arbitrary deauthenticate message
Can target one host Client
Attacker
AP
Or everyone
Auth req
root cause – no
auth resp
mutual authentication on
assoc. req
session-management
assoc resp.
frames.
Fix – APs take waitdeauth
and-see approach.
Data
Attacks Identity
Deauth
More Attacks
Disassociation – exactly like deauthentication attack
but not as severe. (Identity)
Energy-Saver mode – disrupt timing on
synchronized wake-ups.
Media Access Vulnerabilities.
All 802.11 packets have a duration field.
Use RTS/CTS dialogs to “reserve channel”
Keep reserving it – never let anyone talk…
In practice – does not work due to poor standards
conformance. (Worked fine in simulation. So what?)
Collision Avoidance Attack
Very power-hungry attack (50,000 packets/sec.)
Summary of 802.11b bashing
Attacks are practical and feasible
Beware the Pocket-PC-of-Death
There are some workarounds
The workarounds have problems too.
Real solution is cryptographically secure
mutual authentication
See CSE 506scp for further details on
complications in this area.
Secure Protocol Design is HARD!
Algorithmic Complexity Attacks
Denial of Service Via Algorithmic
Complexity Attacks
Published 2003.
Scott A. Crosby – First Year PhD student.
Dan S. Wallach – Assistant Professor
Rice University
Big Idea: Hash Smashing
Hashes used by many internet
applications because of on-average
constant time lookups.
Evil input can induce quadratic O(n^2)
performance.
Evil input streams can be very small
¼ of dialup connection!
Similar to SSL RSA-Decryption DOS.
Generators
Generators are strings that yield a
given hash result, no matter the
number of times concatenated.
h(x) =0, h(xx) = 0, h(xxx) = 0.
Hash algorithms must be deterministic.
Applications of Algorithmic
Complexity Attacks
IDS systems use hash’s of IP addresses.
BOS (an Open Source IDS system) uses a
deterministic hash.
Send evil-packets to tie up BOS.
OS on BOS system starts dropping packets.
Launch real attack – no forensics evidence
is collected.
Paper demonstrated 16kbs stream DOS’d a
450Mghz Pentium-based IDS system.
Defenses
For binary-tree based algorithms:
use algorithms with guaranteed worst case
complexity. (Red-Black trees, etc…)
For Hashes:
use Universal Hashes
Parameters of the hashing function are
determined (randomly) at run-time.
Have been around since 1975.
Perform comparably to perl (slightly slower, but
safer).
“0wning” the Internet.
How to 0wn the Internet in Your Spare Time.
Stuart Staniford – Silicon Defense
MS in CS, PhD in Physics – UC Davis.
Vern Paxson – ICSI Center for Internet
Research. Senior Scientist @ LBNL.
Nicholas Weaver – UC Berkeley – PhD
Candidate
Talks about worm propagation
Concludes with high-level considerations
Published 2002.
I have a Dream… (Scream?)
One million 0wned host “End-of-Days”
scenario. (Wishful thinking? Or boring?)
Code Red – 359,000 hosts.
Slammer – 75,000 hosts (worse than CR)
Growth patterns
Logistics Equation – Governs the rate of growth
in a finite system when all entities are equally
likely to infect each other.
Used by CDC to monitor epidemics.
Code Red exhibited this. *gasp*
Growth Rates
Proposition
Given high-bandwidth nodes for initial
propagations, and enough initial high-probability
targets…
A flash worm could infect the target population
on the Internet in 15 minutes.
Kudos: Within one year, Slammer reached
peak scan-rates in 3 minutes.
Slammer was throttled by bandwidth constraints.
http://www.cs.ucsd.edu/~savage/papers/IEEESP03.pdf
Better Worm Practices
Hit-List – (high-probability targets, built via
stealth scans perhaps.)
Permutation Scanning (Divide and Conquer)
Warhol Worm - Hit-List + Permutation
Scanning
Topology based – Lower latencies.
Flash Worm – Conclusion based on above
analysis is that a “tight” worm with a good
hit-list could take down the population in
10’s of seconds.
Stealth Worms
Biological Metaphor extended:
Contagion
Infection occurs “in-band” with normal
communications.
Can escape detection by IDS systems.
Note the Peer-to-Peer infrastructure
could be particularly vulnerable to this.
Good analysis of KaZaA.
Programmatic Control & Updates
Two methods proposed.
Turn worms into peer-to-peer network to
pass updates around.
Or use a pull methodology to retrieve
instructions.
Authors don’t mention that this makes it
highly more likely the perp will be caught.
Floppy-disk virii from the ‘old days’?
Cyber “Center for Disease Control”
National-scale Defense (Homeland Security?)
Real CDC Mission – Monitor national and world-wide
progression of diseases, identify new threats… Authors
propose:
Identify Outbreaks – establish Comm channels, Automate
detection.
Rapidly Analyze Pathogens.
Fight Infections - Manage patches/Network devices?
Anticipate New Vectors – (All previous worms used known
exploits).
Devise Detectors – (being done commercially?)
Resist Future Threats – (Enforcing patching most effective
approach?)
Openness – Suggest partially open model for collaboration.
Raises trust issues/ Diminishes Effectiveness (CERT).
Summary
Denial-of-Service attacks exist in all aspects
of computing.
Low-bandwidth attack vectors exist, and
flash worms are a reality.
Wireless networks are hopelessly insecure.
One glaring root-cause not addressed –
unpatched systems.
This problem is not going away any time
soon.