network security denial of service dos anonymity n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Network Security: Denial of Service (DoS ), Anonymity PowerPoint Presentation
Download Presentation
Network Security: Denial of Service (DoS ), Anonymity

Loading in 2 Seconds...

play fullscreen
1 / 59

Network Security: Denial of Service (DoS ), Anonymity - PowerPoint PPT Presentation


  • 146 Views
  • Uploaded on

Network Security: Denial of Service (DoS ), Anonymity. Tuomas Aura. Outline. Denial of Service DoS principles Packet-flooding attacks on the Internet Distributed denial of service (DDoS) Filtering defenses Most effective attack strategies Infrastructural defenses

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Network Security: Denial of Service (DoS ), Anonymity' - santo


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
outline
Outline

Denial of Service

  • DoS principles
  • Packet-flooding attacks on the Internet
  • Distributed denial of service (DDoS)
  • Filtering defenses
  • Most effective attack strategies
  • Infrastructural defenses
  • DoS-resistant protocol design

Anonymity

  • Anonymity and privacy
  • High-latency anonymous routing
  • Low-latency anonymous routing — Tor
denial of service dos
Denial of service (DoS)
  • Goal of denial-of-service (DoS) attacks is to prevent authorized users from accessing a resource, or to reduce the quality of service (QoS) that authorized users receive
  • Several kinds of DoS attacks:
    • Destroy the resource
    • Disable the resource with misconfiguration or by inducing an invalid state
    • Exhaust the resource or reduce its capacity
resource exhaustion attacks
Resource exhaustion attacks
  • Attacker overloads a system to exhaust its capacity → never possible to prevent completely
  • Examples:
    • Flooding a web server with requests
    • Filling the mailbox with spam
  • It is difficult to tell the difference between attack and legitimate overload (e.g. Slashdotting, flash crowds)
    • For highly scalable services, may need to try
  • Some resource in the system under attack becomes a bottleneck i.e. runs out first → Attacks can exploit a limited bottleneck resource:
    • SYN flooding and fixed-size kernel tables
    • Public-key cryptography on slow processors
internet characteristics
Internet characteristics
  • Open network: anyone can join, no central control
  • End to end connectivity: anyone can send packets to anyone
  • No global authentication or accountability
  • Flat-rate charging
  • Unreliable best-effort routing; congestion causes packet loss
  • Q: Could these be changed?
packet flooding attack
Packet-flooding attack
  • Ping flooding: attacker sends a flood of ping packets (ICMP echo request) to the target
    • Unix command ping -f can be used to send the packets
  • Any IP packets can be used for flooding, not just ping
  • Packets can be sent with a spoofed source IP address
  • Q: Where is the bottleneck resource that fails first?

Typically, packet-flooding exhausts the ISP link bandwidth, in which case the router before the congested link will drop packets

    • Other potential bottlenecks: processing capacity of the gateway router , processing capacity of the IP stack at the target host
traffic amplification
Traffic amplification
  • Example: Smurf attack in the late 90s used IP broadcast addresses for traffic amplification
  • Any protocol or service that can be used for DoS amplification is dangerous! → Non-amplification is a key design requirement
traffic reflection
Traffic reflection
  • Reflection attack: get others to send packets to the target
  • Hides attacker IP address:
    • Confuses IP traceback
    • Some forms get around topological filtering and amplify traffic
  • Example:
    • Attacker pings various hosts, sets the source address of the ICMP Echo Request to the attack-target address
attack impact
Attack impact
  • When HR+AR < C, some packets dropped by router
  • With FIFO or RED queuing discipline at router, dropped packets are selected randomly
  • Packet loss = (HR+AR-C)/(HR+AR) if HR+AR > C; 0 otherwise

When HR<<AR, packet loss = (AR-C)/AR

attack impact1
Attack impact
  • Packet loss = (HR+AR-C)/(HR+AR) if HR+AR > C; 0 otherwise

When HR<<AR, packet loss = (AR-C)/AR

→ Attacker needs to exceed C to cause packet loss

→ Packet-loss for low-bandwidth honest connections only depends on AR

→ Any AR > C severely reduces TCP throughput for honest client

→ Some honest packets always make it thought;

to cause 90% packet loss, need attack traffic A = 10 × C,

to cause 99% packet loss, need attack traffic A = 100 × C

botnet and ddos
Botnet and DDoS
  • Attacker controls thousands of compromised computers and launches a coordinated packet-flooding attack
botnets
Botnets
  • Bots (also called zombies) are home or office computers infected with virus, Trojan, rootkit etc.
    • Controlled and coordinated by attacker, e.g. over IRC, P2P
    • Hackers initially attacked each other; now used by criminals
  • Examples:
    • MyDoom worm, HTTP GET flooding against www.sco.com
    • Storm botnet, commercially available DDoS service
    • Conficker >10M hosts
  • Dangers:
    • Overwhelming flooding capacity of botnets can exhaust any link; no need to find special weaknesses in the target
    • No need to spoof IP address ; filtering by source IP is hard
  • Q: Are criminals interested in DDoS if they can make money from spam and phishing? What about politically motivated attacks or rogue governments?
filtering dos attacks
Filtering DoS attacks
  • Filtering near the target is the main defense mechanisms against DoS attacks
    • Protect yourself → immediate benefit
  • Configure firewall to drop anything not necessary:
    • Drop protocols and ports no used in the local network
    • Drop “unnecessary” protocols such as ping or all ICMP, UDP etc.
    • Stateful firewall can drop packets received at the wrong state e.g. TCP packets for non-existing connections
    • Application-level firewall could filter at application level; probably too slow
    • Filter dynamically based on ICMP destination-unreachable messages

(Q: Are there side effects?)

flooding detection and response
Flooding detection and response
  • Filter probable attack traffic
  • Network or host-based intrusion detection to separate attacks from normal traffic based on traffic characteristics
  • Limitations:
    • IP spoofing → source IP address not reliable for individual packets
    • Attacker can evade detection by varying attack patterns and mimicking legitimate traffic

(Q: Which attributes are difficult to mimic?)

preventing source spoofing
Preventing source spoofing
  • How to prevent spoofing of the source IP address?
  • Ingress and egress filtering:
    • Gateway router checks that packets routed from a local network to the ISP have a local source address
    • Generalization: reverse path forwarding
    • Deployment slow: selfless defense without immediate payoff
  • IP traceback
    • Mechanisms for tracing IP packets to their source
    • Limited utility: take-down thought legal channels is slow; automatic blacklisting of attackers can be misused
  • SYN cookies (we’ll come back to this)
syn flooding
SYN flooding
  • Attackers goal: make filtering ineffective → honest and attack packets dropped with equal probability
  • Target destination ports that are open to the Internet, e.g. HTTP (port 80), SMTP (port 25)
  • Send initial packets → looks like a new honest client
  • SYN flooding:
    • TCP SYN is the first packet of TCP handshake
    • Sent by web/email/ftp/etc. clients to start communication with a server
    • Flooding target or firewall cannot know which SYN packets are legitimate and which attack traffic → has to treat all SYN packets equally
dns flooding
DNS flooding
  • DNS query is sent to UDP port 53 on a DNS server
  • Attack amplification using DNS:
    • Most firewalls allow DNS responses through
    • Amplification: craft a DNS record for which 60-byte query can produce 4000-byte responses (fragmented)
    • Botnet queries the record via open recursive DNS servers that cache the response → traffic amplification happens at the recursive server
    • Queries are sent with a spoofed source IP address, the target address → DNS response goes to the target
over provisioning
Over-provisioning
  • Increase bottleneck resource capacity to cope with attacks
  • Recall:

Packet loss = (HR+AR-C)/(HR+AR) if HR+AR > C; 0 otherwise

When HR<<AR, packet loss = (AR-C)/AR

→ Does doubling link capacity C help? Depends on AR:

    • If attacker sends 100×C to achieve 99% packet loss, doubling C will result in 98% packet loss
    • If attacker sends 10×C to achieve 90% packet loss, doubling C will result in 80% packet loss
    • If attacker sends 2×C to achieve 50% packet loss, doubling C will result in zero (or minimal) packet loss
qos routing
QoS routing
  • QoS routing mechanisms can guarantee service quality to some important clients and services
  • Resource reservation, e.g. Intserv, RSVP
  • Traffic classes, e.g. Diffserv, 802.1Q
    • Protect important clients and connections by giving them a higher traffic class
    • Protect intranet traffic by giving packets from Internet a lower class
  • Prioritizing existing connections
    • After TCP handshake or after authentication
  • Potential problems:
    • How to take into account new honest clients?
    • Cannot trust traffic class of packets from untrusted sources
    • Political opposition to Diffserv (net neutrality lobby)
some research proposals
Some research proposals
  • IP traceback to prevent IP spoofing
  • Pushback for scalable filtering
  • Capabilities, e.g. SIFF, for prioritizing authorized connections at routers
  • New Internet routing architectures:
    • Overlay routing (e.g. Pastry, i3), publish-subscribe models
    • Claimed DoS resistance remains to be fully proven
stateless handshake ikev2
Stateless handshake (IKEv2)
  • Responder stores per-client state only after it has received valid cookie:

COOKIE = hash(Kr, initiator and responder IP addresses)

where Kr is a periodically changing key known only by responder

→ initiator cannot spoof its IP address

  • No state-management problems caused by spoofed initial messages
tcp syn cookies
TCP SYN Cookies
  • Random initial sequence numbers in TCP protect against IP spoofing: client must receive msg 2 to send a valid msg 3
  • SYN cookie: stateless implementation of the handshake;

y = hash(Kserver, client addr, port, server addr, port)

where Kserver is a key known only to the server.

  • Server does not store any state before receiving and verifying the cookie value in msg 2
  • Sending the cookie as the initial sequence number; in new protocols, a separate field would be used for the cookie
client puzzle hip
Client puzzle (HIP)
  • Client “pays” for server resources by solving a puzzle first
  • Puzzle is brute-force reversal of a K-bit cryptographic hash; puzzle difficulty K can be adjusted according to server load
  • Server does not do public-key operations before verifying solution
  • Server can also be stateless; puzzle created like cookies above
routing loop
Routing loop
  • Againstmobilityprotocolswith a forwardingagent: Mobile IP, MIPv6, NEMO etc.

Home address

H1

I’vemoved!

Home addressH1New addressH2

C

Mobilecomputer=attacker

I’vemoved!

Home addressH2New addressH1

H2

Anotherhome address

further reading
Further reading
  • David Moore, Geoffrey M. Voelker, and Stefan, Savage, Inferring Internet Denial-of-Service Activity, ACM TACS, 24(2), May 2006.
    • http://www.cs.ucsd.edu/~savage/papers/Tocs06.pdf
  • Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson, Network Support for IP Traceback
  • SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks
    • http://www.ece.cmu.edu/~adrian/projects/siff.pdf
  • Mahajan et al., Aggregate-Based Congestion Control
    • http://www.icir.org/pushback/pushback-tohotnets.pdf
anonymity terminology
Anonymity terminology
  • Identity, identifier
  • Anonymity— they don’t know who you are
  • Unlinkability — they cannot link two events or actions (e.g. messages) with each other
  • Pseudonymity — intentionally allow linking of some events to each other
    • E.g. sessions, payment and service access
  • Authentication — strong verification of identity
  • Weak identifier — not usable for strong authentication but may compromise privacy
    • E.g. nickname, IP address, SSID, service usage profile
  • Authorization — verification of access rights
    • Does not always imply authentication (remember SPKI)
anonymity in communications
Anonymity in communications
  • Anonymity towards communication peers
    • Sender anonymity — receiver does not know who and where sent the message
    • Receiver anonymity — can send a message to a recipient without knowing who and where they are
  • Third-party anonymity — an outside observer cannot know who is talking to whom
    • Unobservability — an outside observer cannot tell whether communication takes place or not
    • Strength depends on the capabilities of the adversary
  • Anonymity towards access network
    • Access network does not know who is roaming there
  • Relate concept: location privacy
who is the adversary
Who is the adversary?
  • Discussion: who could violate your privacy and anonymity?
  • Global attacker, your government
    • e.g. total information awareness, retention of traffic data
  • Servers across the Internet, colluding commercial interests
    • e.g. web cookies, trackers, advertisers
  • Criminals
    • e.g. identity theft
  • Employer
  • People close to you
    • e.g. stalkers, co-workers, neighbors, family members
strong anonymity
Strong anonymity?
  • Anonymity and privacy of communications mechanisms are not strong in the same sense as strong encryption or authentication
  • Even the strongest mechanisms have serious weaknesses
    • Need to trust many others to be honest
    • Services operated by volunteers and activists
    • Side-channel attacks
  • Anonymity tends to degrade over time for persistent communication
mix 1
Mix (1)
  • Mix is an anonymity service [Chaum 1981]
  • Attacker sees both sent and received messages but cannot link them to each other → sender anonymity, third-party anonymity against a global observer
  • The mix receives encrypted messages (e.g. email), decrypts them, and forwards to recipients
mix 2
Mix (2)
  • Attacker can see the input and output of the mix
  • Attacker cannot see how messages are shuffled in the mix
  • Anonymity set = all nodes that could have sent (or could be recipients of) a particular message
mix 3
Mix (3)
  • Two security requirements:
    • Bitwise unlinkability of input and output messages — cryptographic property, must resist active attacks
    • Resistance to traffic analysis — add delay or inject dummy messages
  • Not just basic encryption!
    • Resist adaptive chosen-ciphertext attacks (IND-CCA2 i.e. NM-CCA2)
    • Replay prevention and integrity check needed at the mix
  • Examples of bad mix designs:
    • Missing random initialization vector, padding or freshness
    • Malleable encryption, e.g. stream cipher, or no integrity check
    • FIFO order of delivering messages
mixing in practice
Mixing in practice
  • Threshold mix — wait to receive k messages before delivering
    • Anonymity set size k
  • Pool mix — mix always buffers k messages, sends one when it receives one
  • Both strategies add delay → high latency
  • Not all senders and receivers are always active
    • In a closed system, injecting cover traffic can fix this; in the Internet, not
  • Real communication (email, TCP packets) does not comprise single, independent messages but common traffic patterns such as connections
    • Attacker can observe beginning and end of connections
    • Attacker can observe requests and response pairs

→ statistical attacks

who sends to whom
Who sends to whom?

Threshold mix with threshold 3

anonymity metrics
Anonymity metrics
  • Size of the anonymity set: k-anonymity
    • Suitable for one round of threshold mixing
  • Problems with k-anonymity:
    • Multiple rounds → statistical analysis based on understanding common patterns of communications can reveal who talks to whom, even if k for each individual message is high
    • Pool mix → k = ∞
  • Entropy: E = Σi=1…n(pi∙ log2pi)
    • Measures the amount of missing in information in bits: how much does the attacker not know
    • Can measure entropy of the sender, recipient etc.
  • Problems with measuring anonymity:
    • Anonymity of individual messages vs. anonymity in a system
    • Depends on the attacker’s capabilities and background information
    • Anonymity usually degrades over time as attacker collects more statistics
trusting the mix
Trusting the mix
  • The mix must be honest
  • Example: anonymous remailers for email
    • anon.penet.fi 1993–96

→ Route packets through multiple mixes to avoid single point of failure

  • Attacker must compromise all mixes on the route
    • Compromising almost all may reduce the size of the anonymity set
mix network 2
Mix network (2)
  • Mix network is just a distributed implementation of mix
mix networks
Mix networks
  • Mix cascade — all messages from all senders are routed through the same sequence of mixes
    • Good anonymity, poor load balancing, poor reliability
  • Free routing — each message is routed independently via multiple mixes
  • Other policies between these two extremes
    • But remember that the choice of mixes could be a weak identifier
  • Onion encryption:

Alice → M1: EM1(M2,EM2(M3,EM3(Bob,M)))

M1 → M2: EM2(M3,EM3(Bob,M))

M2 → M3: EM3(Bob,M)

M3 → Bob: M

    • Encryption at every layer must provide bitwise unlinkability

→ detect replays and check integrity

→ for free routing, must keep message length constant

  • Re-encryption mix — special crypto that keeps the message length constant with multiple layers of encryption
sybil attack
Sybil attack
  • Attack against open systems which anyone can join
    • Mixes tend to be run by volunteers
  • Attacker creates a large number of seemingly independent nodes, e.g. 50% off all nodes → some routes will go through only attacker’s nodes
  • Defence: increase the cost of joining the network:
    • Human verification that each mix is operated by a different person or organization
    • The IP address of each mix must be in a new domain
    • Require good reputation of some kind that takes time and effort to establish
    • Select mixes in a route to be at diverse locations
  • Sybil attacks are a danger to most P2P systems, not just anonymous routing
    • E.g. reputation systems, content distribution
other attacks
Other attacks
  • (n-1) attack
    • Attacker blocks all but one honest sender, floods all mixes with its own messages, and finally allows one honest sender to get though → easy to trace because all other packets are the attacker’s
    • Potential solutions: access control and rate limiting for senders, dummy traffic injection, attack detection
  • Statistical attacks
    • Attacker may accumulate statistics about the communication over time and reconstruct the sender-receiver pairs based on its knowledge of common traffic patterns
receiver anonymity
Receiver anonymity
  • Alice distributes a reply onion: EM3(M2,k3,EM2(M1,k2,EM1(Alice,k1,EAlice(K))))
  • Messages from Bob to Alice:

Bob → M3: EM3(M2,k3,EM2(M1,k2,EM1(Alice,k1,EAlice(K)))), M

M3 → M2: EM2(M1,k2,EM1(Alice,k1,EAlice(K))), Ek3(M)

M2 → M1: EM1(Alice,k1,EAlice(K)), Ek2(Ek3(M))

M1 → Alice: EAlice(K), Ek1(Ek2(Ek3(M)))

Alice can be memoryless: ki = h(K, i)

slide54
Tor
  • “2nd generation onion router”
  • Mix networks are ok for email but too slow for interactive use like web browsing
  • New compromise between efficiency and anonymity:
    • No mixing at the onion routers
    • All packets in a session, in both directions, go through the same routers
    • Short route, always three onion routers
    • Tunnels based on symmetric cryptography
    • No cover traffic
    • Protects against local observers at any part of the path, but vulnerable to a global attacker
  • More realistic attacker model: can control some nodes, can sniff some links, not everything
  • SOCKS interface at clients → works for any TCP connection
tunnels in tor
Tunnels in Tor

[Danezis]

Alice

OR1

OR2

OR3

Bob

Authenticated DH

Alice – OR1

Alice not authenticated, only the ORs

K1

K1

Encrypted with K1

Authenticated DH, Alice – OR2

K2

K1,K2

Encrypted with K1, K2

Authenticated DH, Alice – OR3

K1,K2,K3

K3

Encrypted with K1, K2, K3

TCP connection Alice –Bob

Last link unencrypted

tunnels in tor1
Tunnels in Tor

[Danezis]

Alice

OR1

OR2

OR3

Bob

Authenticated DH

Alice – OR1

Alice not authenticated, only the ORs

K1

K1

Encrypted with K1

Authenticated DH, Alice – OR2

K2

K1,K2

Encrypted with K1, K2

Authenticated DH, Alice – OR3

K1,K2,K3

K3

Additionally, linkwise TLS connections:Alice–OR1–OR2–OR3

Encrypted with K1, K2, K3

TCP connection Alice –Bob

Last link unencrypted

tor limitations 1
Tor limitations (1)
  • Identifying packet streams is very easy
    • Passive fingerprinting by packet size, timing
    • Active traffic shaping (stream watermarking)

→ Anonymity compromised if attacker can see or control the first and last link

    • Includes attackers who own the first and last OR→ longer routes do not help
    • If c is the fraction of compromised ORs, probability of compromise is c2
  • Why three routers?
    • Out of habit?
    • Attacker in control of 1st or last router cannot immediately go and compromise the other when there is a middle router
tor limitations 2
Tor limitations (2)
  • Client must know the addresses and public keys of all onion routers
    • If client only knows a small subset of routers, it will always choose all three routers from this subset → implicit identifier
    • E.g. client knows 10 out of 1000 routers = 1% → Attacker in control of the last router can narrow down the client identity to (0.01)2 = 0.01% of all clients

→ Attacker in control of two last routers can narrow the client identity down to (0.01)3 = 0.0001% of all clients

  • Blacklisting of entry or exit nodes
applications of anonymous routing
Applications of anonymous routing
  • Censorship resistance, freedom or speech
  • Protection against discrimination, e.g. geographic access control or price differentiation
  • Business intelligence, police investigation, political and military intelligence
  • Whistle blowing, crime reporting
  • Electronic voting
  • Crime, forbidden and immoral activities?