handout 15 computer network security
Download
Skip this Video
Download Presentation
Handout # 15: Computer Network Security

Loading in 2 Seconds...

play fullscreen
1 / 29

Handout # 15: Computer Network Security - PowerPoint PPT Presentation


  • 96 Views
  • Uploaded on

Handout # 15: Computer Network Security. SII 199 – Computer Networks and Society. Professor Yashar Ganjali Department of Computer Science University of Toronto [email protected] http://www.cs.toronto.edu/~yganjali. Announcements. Final project Intermediate report

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Handout # 15: Computer Network Security' - jaimie


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
handout 15 computer network security

Handout # 15:Computer Network Security

SII 199 – Computer Networks and Society

Professor Yashar Ganjali

Department of Computer Science

University of Toronto

[email protected]

http://www.cs.toronto.edu/~yganjali

announcements
Announcements
  • Final project
    • Intermediate report
      • Due: Fri. Nov. 16th, 5PM
    • In class presentations
      • Wed. Nov. 21st
        • We already have 6 teams
      • Wed. Nov. 28th
      • 15 minute presentation
  • Assignment 3
    • Due: Fri. Nov. 16th
    • Email your solutions to me, or bring to my office (BA 5238)
  • Volunteer for lecture notes?
    • Last chance!

University of Toronto – Fall 2012

the story
The Story …
  • Introduction to computer networks
  • The science of networks
  • Computer networks and healthcare
  • Computer networks and business
  • Computer networks and entertainment
  • Cloud computing /storage
  • Phishing, spam, and fraud in the Internet
  • Privacy in online social networks
  • This week: computer networks and security

University of Toronto – Fall 2012

the problem
The Problem
  • Computer networks create interconnectivity
    • We have seen many examples of good uses
  • Same connectivity can be used for evil
    • It is easier to
      • Access someone’s private information
      • Spread malicious code
      • Gain control of somebody’s machine

University of Toronto – Fall 2012

viruses trojan horses and worms
Viruses, Trojan Horses, and Worms
  • Viruses
    • Small pieces of malicious software
    • Usually piggyback on real programs
    • Or documents: PDF files, spreadsheets, …
    • Reproduce by attaching to other programs
  • Worms
    • Replicates itself using security holes
    • Using computer networks
    • Without human interaction
  • Trojan Horses
    • A program that claims and appears to be useful (say a game)
    • … but in reality can be damaging (e.g. delete files)
    • Can create backdoors for attackers
    • Do not replicate

University of Toronto – Fall 2012

life just before slammer
Life Just Before Slammer

University of Toronto – Fall 2012

life just after slammer
Life Just After Slammer

University of Toronto – Fall 2012

a lesson in economy
A Lesson in Economy
  • Slammer used an extremely lightweight attack
  • Entire worm fit in a single packet! (376 bytes)
    • When scanning, worm could “fire and forget”.
    • Stateless!
  • Worm infected 75,000+ hosts in 10 minutes (despite broken random number generator).
    • At its peak, doubled every 8.5 seconds.
  • Progress limited by the Internet’s carrying capacity(= 55 million scans/sec)

University of Toronto – Fall 2012

why security
Why Security?
  • First victim at 12:45 am
  • By 1:15 am, transcontinental links starting to fail
  • 300,000 access points downed in Portugal
  • All cell and Internet in Korea failed (27 million people)
  • 5 root name servers were knocked offline
  • 911 didn’t respond (Seattle)
  • Flights canceled

University of Toronto – Fall 2012

witty worm
Witty Worm

University of Toronto – Fall 2012

witty worm cont d
Witty Worm – Cont’d
  • Attacks firewalls and security products (ISS)
  • First to use vulnerabilities in security software
  • ISS announced a vulnerability
    • Buffer overflow problem
    • Attack in just one day!
  • Attack started from a small number of compromised machines
  • In 30 minutes 12,000 infected machines
    • 90 Gb/s of traffic

University of Toronto – Fall 2012

network telescope
Network Telescope
  • Large piece of globally announced network addresses
  • No legitimate hosts (almost)
  • Inbound traffic is almost always anomalous
  • 1/256th of the all addresses (IPv4 space)
    • One packet in every 256 packets if unbiased random generators used.
  • Provides global view of the spread of Internet worms.

University of Toronto – Fall 2012

today
Today
  • Network Security Goals
  • Security vs. Internet Design
  • Attacks
  • Defenses

University of Toronto – Fall 2012

network security goals
Network Security Goals
  • Availability
    • Everyone can reach all network resources all the time
  • Protection
    • Protect users from interactions they don’t want
  • Authenticity
    • Know who you are speaking with
  • Data Integrity
    • Protect data en-route
  • Privacy
    • Protect private data

University of Toronto – Fall 2012

today1
Today
  • Network Security Goals
  • Security vs. Internet Design
  • Attacks
  • Defenses

University of Toronto – Fall 2012

internet design
Internet Design
  • Destination routing
  • Packet based (statistical multiplexing)
  • Global addressing (IP addresses)
  • Simple to join (as infrastructure)
  • Power in end hosts (end-to-end argument)

University of Toronto – Fall 2012

internet design vs security
Internet Design vs. Security
  • Destination routing
    • Makes Internet routers simpler
    • How do we know where packets are coming from?
  • Packet based (statistical multiplexing)
  • Global addressing (IP addresses)
  • Simple to join (as infrastructure)
  • Power in end hosts

University of Toronto – Fall 2012

internet design vs security1
Internet Design vs. Security
  • Destination Routing
  • Packet Based (statistical multiplexing)
    • Simple + Efficient
    • Difficult resource bound per-communication
      • How to keep someone from hogging?(remember, we can’t rely on source addresses)
  • Global Addressing (IP addresses)
  • Simple to join (as infrastructure)
  • Power in End Hosts

University of Toronto – Fall 2012

internet design vs security2
Internet Design vs. Security
  • Destination routing
  • Packet based (statistical multiplexing)
  • Global Addressing (IP addresses)
    • Very democratic
    • Even people who don’t necessarily want to be talked to
      • “every psychopath is your next door neighbor” – Dan Geer
  • Simple to join (as infrastructure)
  • Power in end hosts

University of Toronto – Fall 2012

internet design vs security3
Internet Design vs. Security
  • Destination routing
  • Packet based (statistical multiplexing)
  • Global addressing (IP addresses)
  • Simple to join (as infrastructure)
    • Very democratic
    • Misbehaving routers can do very bad things
      • No model of trust between routers
  • Power in End Hosts

University of Toronto – Fall 2012

internet design vs security4
Internet Design vs. Security
  • Destination routing
  • Packet based (statistical multiplexing)
  • Global addressing (IP addresses)
  • Simple to join (as infrastructure)
  • Power in end-hosts
    • Decouple hosts and infrastructure = innovation at the edge!
    • Giving power to least trusted actors
      • How to guarantee good behavior?

University of Toronto – Fall 2012

today2
Today
  • Network Security Goals
  • Security vs. Internet Design
  • Attacks
  • Defenses

University of Toronto – Fall 2012

denial of service dos attacks
Denial of Service (DoS) Attacks
  • Send many requests to a server
    • Make the requests look legitimate
  • Exhaust some of the resources
    • Processing (CPU)
    • Bandwidth (uplink/downlink)
    • Memory

University of Toronto – Fall 2012

dos via resource exhaustion
DoS: Via Resource Exhaustion

User-time

CPU

Uplinkbandwidth

Downlinkbandwidth

Memory(e.g. TCP TCBexhaustion)

University of Toronto – Fall 2012

distributed dos ddos
Distributed DoS (DDoS)
  • Attacker compromises multiple hosts
  • Installs malicious program to do her biding(bots)
  • Bots flood (or otherwise attack) victims on command; Attack is coordinated
  • Bot-networks of 80k to 100k have been seen in the wild
    • Aggregate bandwidth > 20Gbps (probably more)

University of Toronto – Fall 2012

today3
Today
  • Network Security Goals
  • Security vs. Internet Design
  • Attacks
  • Defenses

University of Toronto – Fall 2012

firewalls
Firewalls
  • What is a firewall?
    • Device designed to permit or deny network transmissions
      • E.g. traffic entering or leaving your home network
      • Works based on a set of rules
      • Used to protect networks from unauthorized access
        • While permitting legitimate communications to pass.
  • Can be done in the network (e.g. network perimeter) or at the host
  • Configuration is not straight forward
    • Requires knowledge of the network

University of Toronto – Fall 2012

how can we prevent network attacks
How Can We Prevent Network Attacks?
  • Without changing current Internet’s design
  • What if we can change everything?
    • Clean slate design

University of Toronto – Fall 2012

final comments
Final Comments
  • Internet not designed for security
  • Many, many attacks
    • Defense is very difficult
    • Attackers are smart; broken network aids them!
  • The impact can be sever
    • As we rely more on computer networks over time
  • Time for new designs/principles?

University of Toronto – Fall 2012

ad