network websecurity
Download
Skip this Video
Download Presentation
Network & WebSecurity

Loading in 2 Seconds...

play fullscreen
1 / 20

Network & WebSecurity - PowerPoint PPT Presentation


  • 103 Views
  • Uploaded on

Network & WebSecurity. Dina Katabi [email protected] nms.csail.mit.edu/~dina. Denial of Service Attack (DoS). Goal: prevents legit access to an Internet service Mechanism: Typically tries to congest the service or bring it down

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Network & WebSecurity' - synnove


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
network websecurity

Network & WebSecurity

Dina Katabi

[email protected]

nms.csail.mit.edu/~dina

denial of service attack dos
Denial of Service Attack (DoS)
  • Goal: prevents legit access to an Internet service
  • Mechanism: Typically tries to congest the service or bring it down
  • Types: can target any resource, e.g., link bandwidth, routing system, access to database
  • Example: attacker transmits too many packets to congest the access link of the server causing legitimate connections to suffer excessive drops and timeout
botnets
BotNets
  • A Botnet is a large collection of compromised machines controlled by an attacker
  • Botnets can be used to mount distributed DoS or DDoS
  • Machines in a botnet are compromised via Internet worms, viruses, Trojans, etc.
  • One can rent a Botnet of $10K machines for about $200/day
a botnet is typically organized in hierarchy
Unidirectional commands

Coordinating communication

Attack traffic

A Botnet is typically organized in hierarchy

Attacker

Master

Master

Master

Daemon

Daemon

Daemon

Daemon

Daemon

Daemon

Daemon

Daemon

Daemon

Daemon

Victim

slide5
Specialized software is installed on the compromised machines, e.g., Trinoo

Connection to port (default 27665/tcp)

attacker$ telnet 10.0.0.1 27665

Trying 10.0.0.1

Connected to 10.0.0.1

Escape character is '^]'.

Kwijibo

Connection closed by foreign host. . . .

attacker$ telnet 10.0.0.1 27665

Trying 10.0.0.1

Connected to 10.0.0.1

Escape character is '^]'.

Betaalmostdone

trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]

trinoo>

slide6
Trin00 Commands
  • dos - command to initiate a DoS against the targeted address
  • mdos - sends command to attack three IP addresses, sequentially
  • die – shut down the master
  • mdie - if correct password specified, packet is sent out to all daemon nodes to shutdown
  • mping – ping sent to all nodes in the deamon list
  • killdead – delete deamon nodes from list that didn’t reply to ping
  • bcast – gives a list of all active daemons
  • mstop – Attempts to stop an active DoS attack. Never implemented by the author(s), but the command is there
approaches to intrusion detection
Approaches to Intrusion Detection
  • Signature Based: Keeps a DB of known attack signatures and matches traffic against DB (e.g., Bro, Snort)
    • Pros
      • Easy to understand the outcome
      • More accurate in detecting known attacks
    • Cons
      • Can’t discover new attacks
  • Anomaly Based: Matches traffic against a model of normal traffic and flags abnormalities (e.g., EMERALD)
    • Pros
      • Can deal with new attacks
    • Cons
      • Modeling normal. it is hard to describe what is normal
      • Limits new applications
      • Less accurate detection of known attacks
  • Hybrid: Matches against DB of known attacks. If no match, it checks for anomaly
slide8
Evasion Problem in NIDS
  • Consider scanning traffic for a particular string (“USER root”)
  • Easiest: scan for the text in each packet
    • No good: text might be split across multiple packets
  • Okay, remember text from previous packet
    • No good: out-of-order delivery
  • Okay, fully reassemble byte stream
    • Costs state ….
    • …. and still evadable

Source: Vern Paxson

slide9
Receiver

Sender

15 hops

20 hops

Evading Detection ViaAmbiguous TCP Retransmission

NIDS

slide10
Receiver

Attacker

Evading Detection ViaAmbiguous TCP Retransmission

TTL=17, seq=1

Timed out

n

TTL=23, seq=1

r

r

NIDS

n or r?

slide11
Receiver

Attacker

Evading Detection ViaAmbiguous TCP Retransmission

TTL=17, seq=1

Timed out

n

TTL=23, seq=1

r

r

TTL=21, seq=2

o

o

TTL=15, seq=2

Timed out

i

NIDS

n or r?

i or o?

slide12
Receiver

Attacker

Evading Detection ViaAmbiguous TCP Retransmission

TTL=17, seq=1

Timed out

n

TTL=23, seq=1

r

r

TTL=21, seq=2

o

o

TTL=15, seq=2

Timed out

i

TTL=20, seq=3

o

o

TTL=19, seq=4

Timed out

c

TTL=27, seq=4

t

t

NIDS

n or r?

i or o?

o

c or t?

noot? niot? rooc? nooc?

nioc? riot? root? …

tcp syn flood
TCP SYN Flood

TCP DoS Attacks:

Client

Server

SYNC

Listening

Store data

SYNS, ACKC

Wait

ACKS

Connected

tcp syn flood1
TCP SYN Flood

TCP DoS Attacks:

C

S

SYNC1

Listening

SYNC2

Store data

SYNC3

SYNC4

SYNC5

tcp syn flood2
TCP SYN Flood

TCP DoS Attacks:

  • Usually targets connection memory  Too many half-open connections
  • Potential victim is any TCP-based server such as a Web server, FTP server, or mail server
  • How can the server deal with it?
    • Server times out half-open connection
attacks that mimic legitimate traffic
DoS Attacks on Servers: Attacks that Mimic Legitimate Traffic

GET LargeFile.zip

  • Attacker compromises many machines causing them to flood victim with HTTP requests
  • Attacked resources
    • DB and Disk bandwidth
    • Socket buffers, processes, …
    • Dynamic content, password checking, etc.
  • Hard to detect; attack traffic is indistinguishable from legitimate traffic

DO LongDBQuery

slide18
Suspected attack! To access www.foo.com enter the above letters:

CAPTCH-Based Solution

  • Need to ensure:
    • Cheap ways to send test and check answer
    • Some people can’t or don’t want to answer graphical tests but are legitimate users (e.g., Blind users)
web attacks
Web Attacks
  • Most web attacks exploit java scripts
  • Java scripts can appear in a web page as
    • The instructions between do not appear on the web page; they get executed by the browser
    • If the instructions are malicious they can do a lot of harm to the client, e.g., steal web cookies
  • Cross-site scripting are one of the most common attack on web browsers
cross site scripting xss
Cross-Site Scripting (XSS)
  • Say you have a trusted web server that accepts entries from users,
    • e.g.,TrustedBlog.com has a box for users to enter comments on prior blogs
  • Attacker can embed an executable script in his comment like:
    • When a user browse the trusted server, the server sends the comments and the victim’s browser executes the script sending the victim’s cookie to the attacker’s site
ad