Introduction toNetwork Security

Guest LectureDebabrata Dash

OutlineSecurity VulnerabilitiesDoS and D-DoSFirewallsIntrusion Detection Systems

Security VulnerabilitiesSecurity Problems in the TCP/IP Protocol Suite Steve Bellovin - 89Attacks on Different LayersIP AttacksICMP AttacksRouting AttacksTCP AttacksApplication Layer Attacks

Why?TCP/IP was designed for connectivityAssumed to have lots of trust

Host implementation vulnerabilitiesSoftware had/have/will have bugsSome elements in the specification were left to the implementers

Security Flaws in IPThe IP addresses are filled in by the originating hostAddress spoofingUsing source address for authenticationr-utilities (rlogin, rsh, rhosts etc..)Internet2.1.1.1C1.1.1.11.1.1.2AB1.1.1.3SCan A claim it is B to the server S?ARP SpoofingCan C claim it is B to the server S?Source Routing

Security Flaws in IPIP fragmentation attackEnd hosts need to keep the fragments till all the fragments arrive

Traffic amplification attackIP allows broadcast destinationProblems?

Ping FloodAttacking SystemInternetBroadcast Enabled NetworkVictim System

ICMP AttacksNo authenticationICMP redirect messageCan cause the host to switch gatewaysBenefit of doing this?Man in the middle attack, sniffingICMP destination unreachableCan cause the host to drop connectionICMP echo request/replyMany more http://www.sans.org/rr/whitepapers/threats/477.php

Routing AttacksDistance Vector RoutingAnnounce 0 distance to all other nodesBlackhole trafficEavesdropLink State RoutingCan drop links randomlyCan claim direct link to any other routersA bit harder to attack than DVBGPASes can announce arbitrary prefixASes can alter path

TCP AttacksIssues?Server needs to keep waiting for ACK y+1Server recognizes Client based on IP address/port and y+1

TCP Layer AttacksTCP SYN FloodingExploit state allocated at server after initial SYN packetSend a SYN and dont reply with ACKServer will wait for 511 seconds for ACKFinite queue size for incomplete connections (1024)Once the queue is full it doesnt accept requests

TCP Layer AttacksTCP Session HijackWhen is a TCP packet valid?Address/Port/Sequence Number in windowHow to get sequence number?Sniff trafficGuess itMany earlier systems had predictable ISNInject arbitrary data to the connection

TCP Layer AttacksTCP Session PoisoningSend RST packetWill tear down connectionDo you have to guess the exact sequence number?Anywhere in window is fineFor 64k window it takes 64k packets to resetAbout 15 seconds for a T1

Application Layer AttacksApplications dont authenticate properlyAuthentication information in clearFTP, Telnet, POPDNS insecurityDNS poisoningDNS zone transfer

An ExampleFinger Finger @S showmount e Send 20 SYN packets to S

Attack when no one is around What other systems it trusts? Determine ISN behaviorShowmount -eSYN

An Example Finger @S showmount e Send 20 SYN packets to S SYN flood T Attack when no one is around What other systems it trusts? Determine ISN behavior T wont respond to packetsSyn floodX

An Example Finger @S showmount e Send 20 SYN packets to S SYN flood T Send SYN to S spoofing as T Send ACK to S with a guessed number Attack when no one is around What other systems it trusts? Determine ISN behavior T wont respond to packets S assumes that it has a session with TXSYNSYN|ACKACK

An Example Finger @S showmount e Send 20 SYN packets to S SYN flood T Send SYN to S spoofing as T Send ACK to S with a guessed number Send echo + + > ~/.rhosts Attack when no one is around What other systems it trusts? Determine ISN behavior T wont respond to packets S assumes that it has a session with T Give permission to anyone from anywhereX++ > rhosts

OutlineSecurity VulnerabilitiesDoS and D-DoSFirewallsIntrusion Detection Systems

Denial of ServiceObjective make a service unusable, usually by overloading the server or network

Consume host resourcesTCP SYN floodsICMP ECHO (ping) floods

Consume bandwidthUDP floodsICMP floods

Denial of ServiceCrashing the victimPing-of-DeathTCP options (unused, or used incorrectly)

Forcing more computationTaking long path in processing of packets

Simple DoSAttackerVictimVictimVictim The Attacker usually spoofed source address to hide origin Easy to block

Coordinated DoSAttackerVictimVictimVictimAttackerAttacker The first attacker attacks a different victim to cover up the real attack The Attacker usually spoofed source address to hide origin Harder to deal with

Distributed DoS

Distributed DoSThe handlers are usually very high volume serversEasy to hide the attack packetsThe agents are usually home users with DSL/CableAlready infected and the agent installedVery difficult to track down the attackerHow to differentiate between DDoS and Flash Crowd?Flash Crowd Many clients using a service legimitalySlashdot EffectVictoria Secret WebcastGenerally the flash crowd disappears when the network is floodedSources in flash crowd are clustered

OutlineSecurity VulnerabilitiesDoS and D-DoSFirewallsIntrusion Detection Systems

FirewallsLots of vulnerabilities on hosts in networkUsers dont keep systems up to dateLots of patchesLots of exploits in wild (no patch for them)Solution?Limit access to the networkPut firewalls across the perimeter of the network

Firewalls (contd)Firewall inspects traffic through itAllows traffic specified in the policyDrops everything elseTwo TypesPacket Filters, ProxiesInternetInternal NetworkFirewall

Packet FiltersPacket filter selectively passes packets from one network interface to anotherUsually done within a router between external and internal networksscreening router

Can be done by a dedicated network elementpacket filtering bridgeharder to detect and attack than screening routers

Packet Filters Contd.Data AvailableIP source and destination addressesTransport protocol (TCP, UDP, or ICMP)TCP/UDP source and destination portsICMP message typePacket options (Fragment Size etc.)Actions AvailableAllow the packet to go throughDrop the packet (Notify Sender/Drop Silently)Alter the packet (NAT?)Log information about the packet

Packet Filters Contd.Example filtersBlock all packets from outside except for SMTP serversBlock all traffic to a list of domainsBlock all connections from a specified domain

Typical Firewall Configuration Internal hosts can access DMZ and Internet External hosts can access DMZ only, not Intranet DMZ hosts can access Internet only Advantages? If a service gets compromised in DMZ it cannot affect internal hostsInternetIntranetDMZXX

Example Firewall RulesStateless packet filtering firewallRule (Condition, Action)Rules are processed in top-down orderIf a condition satisfied action is taken

Sample Firewall RuleDst PortDst AddrProtoAck Set?ActionSrc PortSrc AddrDirRuleAllow SSH from external hosts to internal hostsTwo rulesInbound and outboundHow to know a packet is for SSH?Inbound: src-port>1023, dst-port=22Outbound: src-port=22, dst-port>1023Protocol=TCPAck Set?Problems?

Default Firewall RulesEgress FilteringOutbound traffic from external address DropBenefits?Ingress FilteringInbound Traffic from internal address DropBenefits?Default DenyWhy?AnyDst PortDenyAnyAnyExtAnyExtOutEgressDst AddrProtoAck Set?ActionSrc PortSrc AddrDirRule

Packet FiltersAdvantagesTransparent to application/userSimple packet filters can be efficientDisadvantagesUsually fail openVery hard to configure the rulesDoesnt have enough information to take actionsDoes port 22 always mean SSH?Who is the user accessing the SSH?

AlternativesStateful packet filtersKeep the connection statesEasier to specify rulesMore popularProblems?State explosionState for UDP/ICMP?

AlternativesProxy FirewallsTwo connections instead of oneEither at transport levelSOCKS proxyOr at application levelHTTP proxyRequires applications (or dynamically linked libraries) to be modified to use the proxy

Proxy FirewallData AvailableApplication level informationUser informationAdvantages?Better policy enforcementBetter loggingFail closedDisadvantages?Doesnt perform as wellOne proxy for each applicationClient modification

OutlineSecurity VulnerabilitiesDoS and DDoSFirewallsIntrusion Detection Systems

Intrusion Detection SystemsFirewalls allow traffic only to legitimate hosts and servicesTraffic to the legitimate hosts/services can have attacksCodeReds on IISSolution?Intrusion Detection SystemsMonitor data and behaviorReport when identify attacks

Types of IDSHost-basedNetwork-basedSignature-basedAnomaly-based

Signature-based IDSCharacteristicsUses known pattern matching to signify attackAdvantages?Widely availableFairly fastEasy to implementEasy to updateDisadvantages?Cannot detect attacks for which it has no signature

Anomaly-based IDS CharacteristicsUses statistical model or machine learning engine to characterize normal usage behaviorsRecognizes departures from normal as potential intrusions Advantages?Can detect attempts to exploit new and unforeseen vulnerabilitiesCan recognize authorized usage that falls outside the normal pattern Disadvantages?Generally slower, more resource intensive compared to signature-based IDSGreater complexity, difficult to configureHigher percentages of false alerts

Network-based IDSCharacteristicsNIDS examine raw packets in the network passively and triggers alertsAdvantages?Easy deploymentUnobtrusiveDifficult to evade if done at low level of network operationDisadvantages?Fail OpenDifferent hosts process packets differentlyNIDS needs to create traffic seen at the end hostNeed to have the complete network topology and complete host behavior

Host-based IDSCharacteristicsRuns on single hostCan analyze audit-trails, logs, integrity of files and directories, etc.AdvantagesMore accurate than NIDSLess volume of traffic so less overheadDisadvantagesDeployment is expensiveWhat happens when host get compromised?

SummaryTCP/IP security vulnerabilitiesSpoofingFlooding attacksTCP session poisoningDOS and D-DOSFirewallsPacket FiltersProxyIDSSignature and Anomaly IDSNIDS and HIDS