
Network Security Lecture 1: Introduction Attacks and Risks



  1. Network Security, Lecture 1: Introduction, Attacks and Risks. Prof. Reuven Aviv, Faculty of Information Technology, King Mongkut's University of Technology, North Bangkok, reuvenaviv@gmail.com

  2. Prelude: 11 August 2003, the MSBlast worm attack. What happened? How?

  3. 11.8.2003: MSBlast DDoS attack (figure: the attacker; the infected machines, called "targets" in these slides; the victim, windowsupdate.com)

  4. MSBlast last step: IP spoofing & SYN flood • 1. The infected target knows that host XX is not up (it never answers) • 2. The target starts a TCP connection with the victim, spoofing its source IP address to XX: the victim's SYN-ACK goes to XX and is never answered, so every spoofed SYN leaves a half-open connection on the victim (figure: target, victim and host XX; the target sends SYN(src=XX) to the victim, and the victim's reply is sent to XX)

  5. MSBlast: the infection process • Ensure the worm runs again when Windows starts. How? • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe • Scan addresses for targets with port 135 open • Send a buffer-overflow packet to the target's port 135 • The target now waits for commands on port 4444 • Command the target: download a copy of the worm • Command the target: run the copy • The target repeats the cycle against other targets; the exploited machine restarts

  6. MSBlast: summary of the techniques used • Denial of service attack, using a SYN flood • IP spoofing • Scanning (addresses, ports) • Application layer attack (buffer overflow) • Side effect: attacked computers were shut down

  7. Course objectives • Recognize the internal working of security protocols and systems, their design considerations, and the way they are employed in organizations and on the Internet • Have a deep understanding of application level attacks and the defense mechanisms against them • Be able to learn and master security topics now being researched

  8. Course Components • Lectures: Active Discussions 15% • 2-3 Problem Sets (individual submission) 15% • Attack Code Analysis Report (Team of 2) 15% • Research Project (Team of 2) 15% • Term Test (Open Books) 15% • Final Exam (Open Books) 15%

  9. Class Discussions • 1. Attacks, Risks, Defense • 2. Buffer Overflow Attack • 3 - 4 Classic & Public key Cryptography • 5. X.509 Public Key Infrastructure (PKI) • 6. Strong Password Authentication Protocols • 7. Web Security using SSL/TLS • 8. Kerberos Authentication System • 9. IP Security (IPSec) • 10. Electronic Mail Security with PGP • 11. OS Security – SE Linux • 12. Firewall Design • 13-14. Multi-layer security

  10. Team Assignments • Attack Code Analysis Report (Team of 2) 15% • Analyzing buffer overflow attack • Problems for attacker & solutions • Problems for the defender & solutions • Research Project (Team of 2) 15% • Topic selected by team • Written report & presentation of sub-topic • READ POLICY OF AUTHENTICITY

  11. Lecture 1: Attacks, Mitigation, Services • 1. Network Insecurity • 2. Security Services • Appendix: Preview of next lectures

  12. 1. Network Insecurity

  13. The need for security • The Internet is constantly changing the way we live and conduct business • Hackers pose an increasing threat to Internet resources, with several different types of attacks. Why are attacks easier today?

  14. The need for security • Attacks: more prolific and easier to implement • More vulnerable devices • Easier to share knowledge on a global scale • Easier to develop attack tools • Easy-to-use attack tools are distributed to the masses • Internet protocols are insecure. Examples? • Why are Internet protocols insecure?

  15. Insecurity of Internet protocols • Examples of the lack of security in Internet protocols • IP: no check that the source address is genuine • TCP: no protection against deliberate delay (or replay) of segments • Security was not designed into the specification of the Internet protocols • Nobody predicted their widespread use

  16. Insecurity of Internet protocols • Most IP implementations are inherently insecure • Various attacks are possible. Give some types of attacks you have heard of

  17. 1. Sniffer attacks • An application capturing network packets • Some protocols carry their data in cleartext (Telnet, FTP, SMTP) • Sensitive information: usernames, passwords. How are these mitigated?

  18. 1. Sniffer attacks: mitigation • Strong authentication with one-time passwords (OTPs) • a PIN plus an OTP generated by a hardware/software token card • Anti-sniffer tools: detect hosts in promiscuous mode by changes in their response time • Cryptography: the most effective method • copied data is then useless to the sniffer • used by IPSec, SSL, SSH

  19. 2. IP spoofing attack • Forge a trusted source IP address to attack • injection of malicious packets • Mitigation by filtering (router, firewall) • deny traffic with an "illegal" source address in both directions: inbound packets that claim an internal source, outbound packets whose source is not in the local address space • the ISP checks the source addresses of inbound data • Enforce authentication of the sender. Why? How?

  20. 3. Denial of Service (DoS) attacks • Making a service unavailable for normal use • flooding the network: TCP SYN, ICMP • DoS attacks exploit weaknesses in the overall architecture of the network • e.g. waiting for a connection to be opened • e.g. error/congestion notification procedures via ICMP. What is ICMP?

  21. Simple DoS attack: Smurf (figure: ping = ICMP echo request / ICMP echo reply; the attacker sends an ICMP echo request to a broadcast address with the source spoofed to the victim; every host on the segment sends its echo reply to the victim). What can we do to mitigate DoS?
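The filtering rules of slide 19 and the Smurf defence of slide 21 fit in one small filter. The following is an added example written for this page (not the slides' own material, and Python rather than a real router configuration): ingress filtering drops outside packets that claim an inside source, egress filtering stops an infected inside host from spoofing (the MSBlast case), bogon sources are dropped, and echo requests to a directed broadcast are refused so the network cannot be used as a Smurf amplifier. The address blocks and packets are constructed.

```python
"""Border-router anti-spoofing (ingress/egress) and anti-Smurf filter, in Python
for illustration. Added example; address blocks and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed: the address space behind this router (RFC 5737 documentation range).
INSIDE = [ipaddress.ip_network("192.0.2.0/24")]
# Sources that must never arrive on the Internet-facing interface.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    direction: str                    # "in" = from the Internet, "out" = leaving our network
    icmp_type: Optional[int] = None   # 8 = echo request


def _in(addr: str, nets) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def is_directed_broadcast(dst: str) -> bool:
    """True if dst is the broadcast address of one of our subnets."""
    a = ipaddress.ip_address(dst)
    return any(a == n.broadcast_address for n in INSIDE)


def filter_packet(p: Packet) -> Tuple[str, str]:
    """Return ("drop" | "accept", reason). Spoof checks first, then Smurf."""
    # Ingress filtering: an outside packet claiming an inside source is spoofed.
    if p.direction == "in" and _in(p.src, INSIDE):
        return "drop", "ingress: external packet with an internal source address"
    # Egress filtering: our hosts may only send with our own addresses. This is
    # what stops an infected host on our side from spoofing, as MSBlast did.
    if p.direction == "out" and not _in(p.src, INSIDE):
        return "drop", "egress: internal host using a forged source address"
    if p.direction == "in" and _in(p.src, BOGONS):
        return "drop", "bogon source address"
    # Smurf: an echo request to a directed broadcast makes every host reply to the
    # (spoofed) source. A router should not forward directed broadcasts at all.
    if p.proto == "icmp" and p.icmp_type == 8 and is_directed_broadcast(p.dst):
        return "drop", "ICMP echo request to a directed broadcast (Smurf amplifier)"
    return "accept", ""
```

Both directions matter: ingress filtering protects us from spoofed traffic, egress filtering protects everyone else from spoofed traffic originating here, which is the part the ISP-side check on slide 19 enforces when the customer does not.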

  22. 3. Denial of Service (DoS) attacks: mitigation • Require authentication: if hackers cannot mask their identities, they might not attack • Anti-DoS features limit the number of half-open connections a system allows open at any given time; done at edge routers • Traffic rate limiting • collaborating with the ISP to reduce unusual traffic. What are password attacks?
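The half-open connection limit of slide 22 can be shown against the SYN flood of slide 4. This is an added example, not the slides' own code: it tracks connections that have seen a SYN but not the final ACK, ages them out, and refuses new SYNs once a source (or the whole device) has too many pending. The spoofed source XX never answers, so its connections never complete and it hits the per-source limit while a legitimate client still gets through. Thresholds, timeout and addresses are constructed.

```python
"""Limiting half-open (embryonic) TCP connections, the edge-device anti-DoS
feature of slide 22, simulated against the spoofed SYN flood of slide 4.
Added example; thresholds, timeout and addresses are constructed."""
from collections import OrderedDict, defaultdict


class HalfOpenGuard:
    """Tracks connections that received a SYN but not the final ACK. New SYNs
    are refused once a source, or the whole device, has too many pending."""

    def __init__(self, max_total: int = 1000, max_per_src: int = 20, timeout: float = 5.0):
        self.max_total = max_total
        self.max_per_src = max_per_src
        self.timeout = timeout
        self.pending: "OrderedDict[tuple, float]" = OrderedDict()  # (src, sport) -> deadline
        self.per_src = defaultdict(int)
        self.dropped = 0

    def _expire(self, now: float) -> None:
        # Assumes a monotonic clock: entries are inserted in time order, so the
        # earliest deadline is always at the front.
        while self.pending and next(iter(self.pending.values())) <= now:
            (src, _), _ = self.pending.popitem(last=False)
            self.per_src[src] -= 1

    def on_syn(self, src: str, sport: int, now: float) -> bool:
        self._expire(now)
        if len(self.pending) >= self.max_total or self.per_src[src] >= self.max_per_src:
            self.dropped += 1
            return False
        self.pending[(src, sport)] = now + self.timeout
        self.per_src[src] += 1
        return True

    def on_ack(self, src: str, sport: int, now: float) -> bool:
        """Final ACK of the handshake: established, so no longer half-open."""
        deadline = self.pending.pop((src, sport), None)
        if deadline is None:
            return False
        self.per_src[src] -= 1
        return True


def simulate_flood(n_syns: int = 100) -> dict:
    """Spoofed SYNs 'from' XX: XX never answers the SYN-ACK, so no ACK arrives."""
    g = HalfOpenGuard(max_total=1000, max_per_src=20)
    xx = "203.0.113.77"                      # constructed spoofed source
    accepted = sum(g.on_syn(xx, 1024 + i, i * 0.01) for i in range(n_syns))
    # A legitimate client during the flood still completes its handshake.
    legit_syn = g.on_syn("198.51.100.5", 40000, 1.5)
    legit_ack = g.on_ack("198.51.100.5", 40000, 1.6)
    return {"accepted": accepted, "dropped": g.dropped,
            "legit": legit_syn and legit_ack, "pending_after": len(g.pending)}


if __name__ == "__main__":
    print(simulate_flood())
```

The per-source limit is what defeats the single spoofed address of slide 4; a flood that spoofs a fresh random source per SYN is only caught by the global limit and the timeout, which is why the slide also lists rate limiting and ISP cooperation.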

  23. 4. Password attacks • repeated attempts to identify a user account/password, e.g. during login. Tool: nat

  24. 4. Password attacks: reducing/eliminating them • Limit the number of password guesses • never send the cleartext password over the net: send a hash, and better a challenge-response value, since a fixed hash captured by a sniffer could simply be replayed • use one-time passwords • Enforce strong passwords: • by education • by password-cracking or strength-assessing software • Authenticate the user/process not by password • use certificate/ticket based cryptographic authentication
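An added example (not from the slides) of the first two mitigations in working code: guesses are counted per account and the account is locked for a while after a threshold, and the password never travels in clear. The client proves it by an HMAC over a one-time server nonce, keyed with a salted PBKDF2 verifier; because the nonce is single use, a captured response cannot be replayed, which a plain hash of the password could be. User name, password, iteration count and lockout parameters are constructed.

```python
"""Password store with guess limiting, lockout and a challenge-response login.
Added example; user, password, iteration count and thresholds are constructed."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Tuple

ITERATIONS = 100_000   # PBKDF2 cost; constructed, real deployments tune this upward
COMMON = {"password", "123456", "qwerty", "letmein"}   # constructed stand-in for a cracker's wordlist


def strong_enough(password: str) -> bool:
    """Minimal strength assessment: length plus a wordlist check."""
    return len(password) >= 12 and password.lower() not in COMMON


def derive_verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What the client sends instead of the password: HMAC(verifier, nonce)."""
    return hmac.new(derive_verifier(password, salt), nonce, hashlib.sha256).digest()


class PasswordStore:
    def __init__(self, max_attempts: int = 5, lockout: float = 300.0) -> None:
        self.max_attempts, self.lockout = max_attempts, lockout
        self.users: Dict[str, Tuple[bytes, bytes]] = {}     # user -> (salt, verifier)
        self.failures: Dict[str, Tuple[int, float]] = {}   # user -> (count, locked_until)
        self.pending: Dict[str, bytes] = {}                # user -> outstanding nonce

    def enroll(self, user: str, password: str) -> None:
        if not strong_enough(password):
            raise ValueError("password rejected by strength check")
        salt = os.urandom(16)
        self.users[user] = (salt, derive_verifier(password, salt))

    def challenge(self, user: str) -> Tuple[bytes, bytes]:
        salt, _ = self.users[user]
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return salt, nonce

    def verify(self, user: str, response: bytes, now: float) -> bool:
        count, locked_until = self.failures.get(user, (0, 0.0))
        if now < locked_until:
            return False                        # locked: do not even evaluate the guess
        nonce = self.pending.pop(user, None)    # single use: a captured response is useless
        if nonce is None:
            return False
        expected = hmac.new(self.users[user][1], nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self.failures[user] = (0, 0.0)
            return True
        count += 1
        if count >= self.max_attempts:
            self.failures[user] = (0, now + self.lockout)
        else:
            self.failures[user] = (count, 0.0)
        return False


def login(store: PasswordStore, user: str, password: str, now: float) -> bool:
    """One full exchange: challenge, client response, server verification."""
    salt, nonce = store.challenge(user)
    return store.verify(user, client_response(password, salt, nonce), now)
```

One caveat a practitioner should keep in mind: in this scheme the stored verifier is password-equivalent, so a stolen user database still lets an attacker log in. That is why the slide's last option, certificate or ticket based authentication, is the stronger choice.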

  25. 5. Man in the middle attack • The hacker gets access to the network packets. How? • Packets can be copied, destroyed, delayed, reordered • Packets can be replayed, with a forged sender or forged contents. What are the damages?

  26. 5. Man in the middle attack: damages • theft / change / insertion of information • Session hijacking to gain access to a network • By forging identities (IP addresses and ports) • denial of service (by replaying) • impersonate one or both communicating parties How to mitigate MIM attacks?

  27. 5. Mitigating M.I.M attacks: cryptography • Copies of encrypted data: meaningless • Deletion, replay and reordering are detected by sequence numbers, timestamps or nonces carried inside the cryptographic envelope of the data • Forging the sender and/or the data is prevented by authentication (signatures, or keyed message authentication codes)

  28. 6. Application layer attacks • Exploit weaknesses in servers (RPC, HTTP, ...) • Force the remote server to invoke a program of the attacker's choosing • Send a "buffer overflow" payload: the server's execution is hijacked into a shell • Via ports that are allowed through the firewall • The shell runs with the same permissions as the server • The shell waits for commands

  29. Buffer overflow: overflowing the stack on the victim (figure)

  30. Sending a buffer overflow to a remote IIS server (figure); IIS now waits on port 2002 for commands

  31. Taking full control of the victim (figure). How to mitigate application layer attacks?

  32. 6. Application layer attacks: mitigation • Firewall: close ports • Proper system administration: patches, log files, ... • Intrusion detection systems (IDSs): HIDS/NIDS • identifying patterns in system calls / streams of packets • raising alarms

  33. 7. Network reconnaissance attacks • First step of any attack: analyze the target network • 1. DNS queries: owner, addresses, topology • 2. Ping sweeps: live hosts • 3. Port scanning: list of services running • 4. Examine servers: version, fixes, bugs • Partial defence • filter packets, identify scans • use an IDS to identify the signature of reconnaissance scans
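The "identify the signature of reconnaissance scans" item is easy to make concrete. The following is an added example, not from the slides: a detector that reads firewall log lines and, per source address, slides a time window looking for many distinct hosts pinged (ping sweep) or many distinct ports tried on one host (port scan). The log format, the addresses, the sample log and the thresholds are all constructed.

```python
"""Detecting reconnaissance (ping sweep and port scan) in firewall log lines,
the IDS signature idea of slide 33. Added example; log format, addresses and
thresholds are constructed."""
import re
from collections import defaultdict
from typing import List, Set, Tuple

# Constructed format: "<time> <proto> <src> -> <dst>:<dport|-> <flag>"
LINE = re.compile(
    r"^(?P<t>\d+) (?P<proto>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+|-) (?P<flag>\S+)$")


def make_sample_log() -> List[str]:
    """Constructed log: a benign client, then an attacker sweeping 20 hosts with
    ICMP and probing 17 ports on one of them."""
    lines = [f"{100 + 5 * i} tcp 198.51.100.4 -> 192.0.2.5:443 syn" for i in range(10)]
    lines += [f"{100 + i} icmp 203.0.113.9 -> 192.0.2.{1 + i}:- echo-request" for i in range(20)]
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 1433, 3306, 3389]
    lines += [f"{130 + i} tcp 203.0.113.9 -> 192.0.2.5:{p} syn" for i, p in enumerate(ports)]
    return sorted(lines, key=lambda line: int(line.split()[0]))


def detect(lines: List[str], window: int = 10, threshold: int = 10) -> Set[Tuple[str, str, str]]:
    """Per source, slide a window over time; alert when it covers >= threshold
    distinct hosts (ping sweep) or >= threshold distinct ports on one host (port scan)."""
    events = defaultdict(list)   # src -> [(t, proto, dst, dport)]
    for line in lines:
        m = LINE.match(line)
        if m:
            events[m["src"]].append((int(m["t"]), m["proto"], m["dst"], m["dport"]))
    alerts = set()
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _, _, _) in enumerate(evs):
            hosts, ports = set(), defaultdict(set)
            for t, proto, dst, dport in evs[i:]:
                if t >= t0 + window:
                    break
                if proto == "icmp":
                    hosts.add(dst)
                else:
                    ports[dst].add(dport)
            if len(hosts) >= threshold:
                alerts.add(("ping sweep", src, "*"))
            for dst, seen in ports.items():
                if len(seen) >= threshold:
                    alerts.add(("port scan", src, dst))
    return alerts


if __name__ == "__main__":
    for alert in sorted(detect(make_sample_log())):
        print(*alert)
```

Thresholds are the usual tuning problem: too low and a busy monitoring host looks like a scanner, too high and a slow scan spread over hours slips under the window, which is why the slide calls this a partial defence.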

  34. Ping: Is Target running? Tool: Sam Spade

  35. Port Scanning: Which ports are active? Tool: SuperScan

  36. 8. Malicious code • Worms, viruses, backdoors, ... • Runs by itself (worm), inside a "host program" (virus), or waits for the attacker to connect (backdoor); creates damage • Mitigation: • antivirus software • download only signed software from developers certified by acceptable Certificate Authorities

  37. Attack scenarios • Reconnaissance • Packet sniffing • DoS attack • Application layer attack • Unauthorized access • Man in the middle • Password attack • Malicious code • Trust exploit attack

  38. 2. Security Services What types of services do we need?

  39. Complexities of security • Requirements are simple: • confidentiality, authentication, integrity, non-repudiation. What are these? • Algorithms are non-intuitive • due to hostile actions and countermeasures! • Where are the algorithms to be used? • workstations? routers? • Possession of secret information is essential • how to create, distribute and protect secrets?

  40. Security services: confidentiality • Keeping private data private • protection from passive attacks (eavesdropping) • on part of or all of the information flow • Service provision. How? • end stations encrypt and decrypt data (end to end) • intermediate routers encrypt and decrypt data (link by link)

  41. Security services: authentication • protection from masquerading/impersonation • assure that a message is really from the entity that claims to have sent it • Service provision examples. How? • Sender: transmits a "certificate" to the receiver • an authentication server transmits a "proof of identity" ticket to the sender, which presents it to the receiver (Kerberos)

  42. Security services: integrity • protection from data modification attacks • Service provision example. How? • The sender attaches to the message a "message digest" that depends on a secret key (a message authentication code) • a plain checksum like parity or a CRC only catches accidental errors: an attacker who changes the data can recompute it, so the digest must be keyed
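Slides 27 and 42 together describe one mechanism: a keyed digest over the data plus a sequence number, carried in a cryptographic envelope. The following added example (not from the slides) implements exactly that with HMAC-SHA256 and shows the receiver detecting modification, forgery with the wrong key, replay, reordering and deletion; the last function shows why an unkeyed CRC, as on slide 42, gives no protection against a deliberate change. The key and messages are constructed.

```python
"""Cryptographic envelope with a keyed digest (HMAC) and a sequence number, so a
man in the middle cannot modify, forge, replay, reorder or silently delete
messages (slides 27 and 42). Also shows why an unkeyed CRC is not an integrity
check. Added example; the key and messages are constructed."""
import hashlib
import hmac
import struct
import zlib
from typing import Optional, Tuple

SEQ_LEN = 8     # 64-bit big-endian sequence number
TAG_LEN = 32    # HMAC-SHA256


class Sender:
    def __init__(self, key: bytes) -> None:
        self.key, self.seq = key, 0

    def seal(self, payload: bytes) -> bytes:
        self.seq += 1
        header = struct.pack(">Q", self.seq)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag          # seq || data || MAC(seq || data)


class Receiver:
    def __init__(self, key: bytes) -> None:
        self.key, self.last_seq = key, 0

    def open(self, env: bytes) -> Tuple[Optional[bytes], str]:
        """Return (payload or None, status)."""
        if len(env) < SEQ_LEN + TAG_LEN:
            return None, "truncated"
        header, payload, tag = env[:SEQ_LEN], env[SEQ_LEN:-TAG_LEN], env[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None, "bad MAC: modified or forged"   # verified before seq is trusted
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return None, f"replay or reorder: seq {seq} already seen"
        missing = seq - self.last_seq - 1
        self.last_seq = seq
        return payload, "ok" if missing == 0 else f"gap: {missing} message(s) deleted"


def make_frame(data: bytes) -> bytes:
    """Unkeyed CRC32 'integrity' as a slide-42 counterexample."""
    return data + struct.pack(">I", zlib.crc32(data))


def crc_accepts(frame: bytes) -> bool:
    data, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    return zlib.crc32(data) == crc


def forge(frame: bytes, new_data: bytes) -> bytes:
    """The man in the middle swaps the data and recomputes the CRC: no key needed."""
    return make_frame(new_data)


if __name__ == "__main__":
    k = b"\x01" * 32
    s, r = Sender(k), Receiver(k)
    e = s.seal(b"PAY 100 TO BOB")
    print(r.open(e), r.open(e))
    print(crc_accepts(forge(make_frame(b"PAY 100 TO BOB"), b"PAY 900 TO BOB")))
```

The order of checks matters: the MAC is verified before the sequence number is read, so an attacker cannot use a forged header to move the receiver's window. Timestamps or nonces, the slide's other options, replace the sequence number when messages may legitimately arrive out of order.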

  43. Security services: non-repudiation • Protection from a possible future denial of responsibility for a previously sent message • Service provision example. How? • The sender adds to the message a "signature" that depends on a secret known only to the sender • In court, the sender cannot deny the signature • the signature proves knowledge of the secret, the sender's "certificate" binds the matching public key to the sender, and the Certificate Authority testifies that it issued that certificate to the sender only

  44. Models for information security 1 • Secure information in transit • Use trusted parties (Certificate Authority)

  45. Models for network security 2 • Secure the Gate • Use trusted parties (the ISP)

  46. Summary • The Internet is where our life is • The Internet is not safe • Major risks are theft of proprietary information and financial fraud • We need secure communication in a hostile environment • The key ingredient of secure communication is cryptography

  47. 3. Preview of next lectures

  48. 2. Application Layer Attacks: Overflowing the stack

  49. 3. Conventional Encryption • Transformation: permutations & substitutions

  50. 4. Authentication by digital signature • Alice: compute H, the hash of message M • compute E: encrypt H with her private key • send M and E; E is "Alice's signature" • Bob: compute H, the hash of the received message M • decrypt E with Alice's public key to get H' • compare H with H'; if they match, the signature is verified (figure: Alice → Bob)
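The hash-then-sign flow on this slide, carried through in code. This is an added example written for this page, not the slides' own material: the "encrypt with the private key / decrypt with the public key" steps are textbook RSA over toy-sized primes so that the block runs stand-alone with no library. The key sizes and the reduction of the hash modulo n are illustration-only shortcuts (a real signature uses 2048-bit keys and PSS or PKCS#1 padding), and the seeds used to pick the primes are constructed.

```python
"""Hash-then-sign as on slide 50, with textbook RSA over toy-sized primes so it
runs stand-alone. Added example; key sizes and the unpadded hash are for
illustration only (real systems use 2048-bit keys with PSS or PKCS#1 padding)."""
import hashlib
import math
from typing import Tuple


def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n


def keygen(seed_p: int = 1_000_000, seed_q: int = 2_000_000, e: int = 65537):
    """Return (public, private) = ((n, e), (n, d)). Toy sizes; constructed seeds."""
    p, q = _next_prime(seed_p), _next_prime(seed_q)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:   # e must be invertible mod phi(n)
        q = _next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest(message: bytes, n: int) -> int:
    # H(M) as an integer below n. Reducing mod n is the toy shortcut; padding
    # schemes do this properly for real key sizes.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private: Tuple[int, int], message: bytes) -> int:
    """Alice: E = H(M)^d mod n, i.e. H(M) 'encrypted' with her private key."""
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public: Tuple[int, int], message: bytes, signature: int) -> bool:
    """Bob: recover H' = E^e mod n with Alice's public key and compare to H(M)."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    pub, priv = keygen()
    sig = sign(priv, b"Transfer 100 to Bob")
    print(verify(pub, b"Transfer 100 to Bob", sig), verify(pub, b"Transfer 900 to Bob", sig))
```

Changing a single byte of M changes H, so the recovered H' no longer matches; verifying with a different public key fails for the same reason, which is what makes the signature evidence of who signed (slide 43) and not only that the data is intact (slide 42).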
