
Handout # 15: Computer Network Security


Presentation Transcript


  1. Handout # 15: Computer Network Security
     SII 199 – Computer Networks and Society
     Professor Yashar Ganjali
     Department of Computer Science, University of Toronto
     yganjali@cs.toronto.edu
     http://www.cs.toronto.edu/~yganjali

  2. Announcements
     • Final project
       • Intermediate report
         • Due: Fri. Nov. 16th, 5PM
       • In class presentations
         • Wed. Nov. 21st
           • We already have 6 teams
         • Wed. Nov. 28th
         • 15 minute presentation
     • Assignment 3
       • Due: Fri. Nov. 16th
       • Email your solutions to me, or bring to my office (BA 5238)
     • Volunteer for lecture notes?
       • Last chance!
     University of Toronto – Fall 2012

  3. The Story …
     • Introduction to computer networks
     • The science of networks
     • Computer networks and healthcare
     • Computer networks and business
     • Computer networks and entertainment
     • Cloud computing / storage
     • Phishing, spam, and fraud in the Internet
     • Privacy in online social networks
     • This week: computer networks and security

  4. The Problem
     • Computer networks create interconnectivity
       • We have seen many examples of good uses
     • Same connectivity can be used for evil
     • It is easier to
       • Access someone’s private information
       • Spread malicious code
       • Gain control of somebody’s machine
       • …

  5. Viruses, Trojan Horses, and Worms
     • Viruses
       • Small pieces of malicious software
       • Usually piggyback on real programs
         • Or documents: PDF files, spreadsheets, …
       • Reproduce by attaching to other programs
     • Worms
       • Replicate themselves using security holes
         • Using computer networks
         • Without human interaction
     • Trojan Horses
       • A program that claims and appears to be useful (say a game)
       • … but in reality can be damaging (e.g. delete files)
       • Can create backdoors for attackers
       • Do not replicate

  6. Life Just Before Slammer

  7. Life Just After Slammer

  8. A Lesson in Economy
     • Slammer used an extremely lightweight attack
       • Entire worm fit in a single packet! (376 bytes)
     • When scanning, worm could “fire and forget”.
       • Stateless!
     • Worm infected 75,000+ hosts in 10 minutes (despite broken random number generator).
     • At its peak, doubled every 8.5 seconds.
     • Progress limited by the Internet’s carrying capacity (= 55 million scans/sec)

  9. Why Security?
     • First victim at 12:45 am
     • By 1:15 am, transcontinental links starting to fail
     • 300,000 access points downed in Portugal
     • All cell and Internet in Korea failed (27 million people)
     • 5 root name servers were knocked offline
     • 911 didn’t respond (Seattle)
     • Flights canceled

  10. Witty Worm

  11. Witty Worm – Cont’d
     • Attacks firewalls and security products (ISS)
       • First to use vulnerabilities in security software
     • ISS announced a vulnerability
       • Buffer overflow problem
       • Attack in just one day!
     • Attack started from a small number of compromised machines
     • In 30 minutes 12,000 infected machines
       • 90 Gb/s of traffic

  12. Network Telescope
     • Large piece of globally announced network addresses
       • No legitimate hosts (almost)
       • Inbound traffic is almost always anomalous
     • 1/256th of all addresses (IPv4 space)
       • One packet in every 256 packets if unbiased random generators used.
     • Provides global view of the spread of Internet worms.
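An added example, not from the lecture, of the sampling argument on this slide: it simulates unbiased random scanning into an assumed /8 telescope (one 256th of the IPv4 space) and then inverts the 1-in-256 ratio to estimate how many hosts are scanning worldwide from what the telescope alone sees. The telescope prefix, host count and scan count are constructed values.

```python
import ipaddress
import random

# Assumed telescope prefix for the simulation (a constructed value, not a real
# telescope's block): one /8, i.e. 2^24 of the 2^32 IPv4 addresses = 1/256.
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")
TELESCOPE_FRACTION = TELESCOPE.num_addresses / 2**32

def random_target(rng: random.Random) -> ipaddress.IPv4Address:
    """One probe from an unbiased random-scanning worm: a uniform 32-bit address."""
    return ipaddress.IPv4Address(rng.getrandbits(32))

def simulate_scans(n_infected: int, scans_per_host: int, seed: int = 1):
    """Emit n_infected * scans_per_host uniform random probes and count how many
    land inside the telescope. Returns (total_probes, telescope_hits)."""
    rng = random.Random(seed)
    total = n_infected * scans_per_host
    hits = sum(1 for _ in range(total) if random_target(rng) in TELESCOPE)
    return total, hits

def estimate_infected_hosts(telescope_hits: int, scans_per_host: int) -> float:
    """Invert the 1-in-256 sampling: each scanning host is expected to hit the
    telescope scans_per_host / 256 times, so hits divided by that expectation
    estimates the number of scanning hosts in the whole Internet. This only
    holds for the unbiased generator the slide assumes."""
    return telescope_hits / (scans_per_host * TELESCOPE_FRACTION)

if __name__ == "__main__":
    total, hits = simulate_scans(n_infected=200, scans_per_host=1000)
    print(f"{hits} of {total} probes hit the telescope "
          f"({hits / total:.5f}, expected {TELESCOPE_FRACTION:.5f})")
    print(f"estimated scanning hosts: {estimate_infected_hosts(hits, 1000):.0f} (true 200)")
```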

  13. Today
     • Network Security Goals
     • Security vs. Internet Design
     • Attacks
     • Defenses

  14. Network Security Goals
     • Availability
       • Everyone can reach all network resources all the time
     • Protection
       • Protect users from interactions they don’t want
     • Authenticity
       • Know who you are speaking with
     • Data Integrity
       • Protect data en-route
     • Privacy
       • Protect private data

  15. Today
     • Network Security Goals
     • Security vs. Internet Design
     • Attacks
     • Defenses

  16. Internet Design
     • Destination routing
     • Packet based (statistical multiplexing)
     • Global addressing (IP addresses)
     • Simple to join (as infrastructure)
     • Power in end hosts (end-to-end argument)

  17. Internet Design vs. Security
     • Destination routing
       • Makes Internet routers simpler
       • How do we know where packets are coming from?
     • Packet based (statistical multiplexing)
     • Global addressing (IP addresses)
     • Simple to join (as infrastructure)
     • Power in end hosts

  18. Internet Design vs. Security
     • Destination Routing
     • Packet Based (statistical multiplexing)
       • Simple + Efficient
       • Difficult to bound resources per communication
       • How to keep someone from hogging? (remember, we can’t rely on source addresses)
     • Global Addressing (IP addresses)
     • Simple to join (as infrastructure)
     • Power in End Hosts

  19. Internet Design vs. Security
     • Destination routing
     • Packet based (statistical multiplexing)
     • Global Addressing (IP addresses)
       • Very democratic
       • Even people who don’t necessarily want to be talked to
       • “every psychopath is your next door neighbor” – Dan Geer
     • Simple to join (as infrastructure)
     • Power in end hosts

  20. Internet Design vs. Security
     • Destination routing
     • Packet based (statistical multiplexing)
     • Global addressing (IP addresses)
     • Simple to join (as infrastructure)
       • Very democratic
       • Misbehaving routers can do very bad things
       • No model of trust between routers
     • Power in End Hosts

  21. Internet Design vs. Security
     • Destination routing
     • Packet based (statistical multiplexing)
     • Global addressing (IP addresses)
     • Simple to join (as infrastructure)
     • Power in end-hosts
       • Decouple hosts and infrastructure = innovation at the edge!
       • Giving power to least trusted actors
       • How to guarantee good behavior?

  22. Today
     • Network Security Goals
     • Security vs. Internet Design
     • Attacks
     • Defenses

  23. Denial of Service (DoS) Attacks
     • Send many requests to a server
       • Make the requests look legitimate
     • Exhaust some of the resources
       • Processing (CPU)
       • Bandwidth (uplink/downlink)
       • Memory
       • …

  24. DoS: Via Resource Exhaustion
     (figure; labelled resources: user-time CPU, uplink bandwidth, downlink bandwidth, memory (e.g. TCP TCB exhaustion))

  25. Distributed DoS (DDoS)
     • Attacker compromises multiple hosts
       • Installs malicious program to do her bidding (bots)
     • Bots flood (or otherwise attack) victims on command; attack is coordinated
     • Bot-networks of 80k to 100k have been seen in the wild
       • Aggregate bandwidth > 20Gbps (probably more)

  26. Today
     • Network Security Goals
     • Security vs. Internet Design
     • Attacks
     • Defenses

  27. Firewalls
     • What is a firewall?
       • Device designed to permit or deny network transmissions
         • E.g. traffic entering or leaving your home network
       • Works based on a set of rules
     • Used to protect networks from unauthorized access
       • While permitting legitimate communications to pass.
     • Can be done in the network (e.g. network perimeter) or at the host
     • Configuration is not straightforward
       • Requires knowledge of the network
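An added example, not from the lecture, of what "permit or deny based on a set of rules" looks like in code: an ordered rule list evaluated first-match with a default deny, plus a check for rules that an earlier rule makes unreachable, which is one concrete way a configuration goes wrong. The home-network policy, addresses and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    dport: int    # destination port
    proto: str    # "tcp" or "udp"

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # source CIDR; the default matches any source
    dst: str = "0.0.0.0/0"       # destination CIDR; the default matches any destination
    dport: Optional[int] = None  # None matches any port
    proto: Optional[str] = None  # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.proto is None or self.proto == pkt.proto))

    def covers(self, other: "Rule") -> bool:  # every packet `other` matches, self matches too
        return (ipaddress.ip_network(self.src).supernet_of(ipaddress.ip_network(other.src))
                and ipaddress.ip_network(self.dst).supernet_of(ipaddress.ip_network(other.dst))
                and (self.dport is None or self.dport == other.dport)
                and (self.proto is None or self.proto == other.proto))

def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet no rule matches is denied (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, r in enumerate(rules) if any(rules[i].covers(r) for i in range(j))]

# Constructed home-network policy (sample addresses): block outbound telnet, permit
# other outbound traffic, permit inbound HTTPS to one internal host.
HOME = "192.168.1.0/24"
GOOD_RULES = [Rule("deny", src=HOME, dport=23, proto="tcp"),
              Rule("permit", src=HOME),
              Rule("permit", dst="192.168.1.10/32", dport=443, proto="tcp")]
# The same rules with the first two swapped: the telnet deny is now unreachable.
BAD_RULES = [GOOD_RULES[1], GOOD_RULES[0], GOOD_RULES[2]]
```

Running `shadowed_rules(BAD_RULES)` reports index 1, the dead deny, while the same packet that `GOOD_RULES` denies is permitted by `BAD_RULES`.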

  28. How Can We Prevent Network Attacks?
     • Without changing current Internet’s design
     • What if we can change everything?
       • Clean slate design

  29. Final Comments
     • Internet not designed for security
     • Many, many attacks
     • Defense is very difficult
       • Attackers are smart; broken network aids them!
     • The impact can be severe
       • As we rely more on computer networks over time
     • Time for new designs/principles?
