chapter 0 introduction - villanova universitymdamian/past/cybersecurityfa14/... · 2014. 8. 28. ·...

8/28/14

1

Chapter 0 Outline

❀ Internet architecture ❀ Access networks ❀ Network core ❀ Packet switching and circuit

switching ❀ Packet Switching Delays ❀ Protocol stack ❀ Internet security

Chapter 0 Introduction

8/28/14

2

Chapter 0 Outline



Internet architecture (1)

router

PC

server

wireless laptop

smartphone

Wired Communication links

access points

switch

cellular tower

Optical 8iber Network

Core Internet backbone

Global ISP Global ISP

Root DNS servers

Regional ISP

Regional ISP

Regional ISP

Mobile/cell network

Corporate/institute network

HFC or DSL

Home network ISP: Internet service provider HFC: hybrid 8iber coax DSL: digital subscriber line

8/28/14

3

Internet architecture (2) ❀  Internet: an interconnected network of network

" Connects billions of hosts " Hierarchical networks:

µ  Internet backbone: connec3ng the ISPs’ backbones µ  ISP backbone: connec3ng organiza3ons’ backbones µ Organiza3on backbone connects local area networks (LANs) µ LAN connects end systems

❀  Communication links " connect end systems/routers/switches/access points " fiber, copper and radio " transmission rate/bandwidth " resource allocation/reservation

Internet architecture (3) ❀  Routers

" connect local area networks " Generate/maintain a routing table " forward packets

❀  Access networks " connects a local area network or a host to the Internet

❀  Internet backbone (network core) " a group of interconnected routers using optical fiber " infrastructure name servers, such as DNS root servers for Naming

8/28/14

4

Chapter 0 Outline



Edge Router and Subnet

❀  Internet uses a gateway (edge router) to connect a Local Area Network (LAN) or a subnet to the hierarchical network

….

….

Subnet

Subnet

Internet

Edge router

8/28/14

5

Home networks ❀  DSL or cable modem to ISP ❀  Router cannot perform routing functions such as generating routing tables

" It is called a router because of NAT (network address translation) " E.g., 192.168.1.x to a given IP address from ISP

❀  Router that may contain a firewall/VPN/IPS " VPN: virtual private network " IPS: intrusion prevention system

❀  Ethernet switch (built in router)/wireless access point

Ethernet

Wireless access point

Wireless laptops

Router/ Firewall/ VPN/IPS Cable/

DSL modem

Internet Service Provider (ISP)

Coax, phone line, power line, 8iber

Local Area Networks (LAN) ❀  Organization/home local area

network (LAN) or subnet connects hosts to edge router

❀  Edge router connects LANs to Internet

❀  Ethernet LAN " Hosts connect into Ethernet

switch " 10Mbps, 100Mbps, 1Gbps,

10Gbps Ethernet

Edge router

Internet

ATM over Fiber

8/28/14

6

Building LANs: From the Ground Up

How to Build a LAN? ❀  Start with just two nodes

❀  This is the most basic “network” " Also called direct or dedicated connection

" Message placed on one link end is delivered to the other end " No contention for use of transmission media

" Media: serial or parallel cable, coax, twisted pair, fiber optic cable, infrared, radio wave, microwave

LINK

8/28/14

7

Multiple (Shared) Access (1)

❀  Two nodes is boring. How do we connect more nodes? " Attach computers to a single, long cable

" Bus (above) or hub (below) arrangement

" All nodes share communication link, compete for access

. . .

Hub Hub

Multiple Access (2)

❀  Broadcast medium " All stations receive a copy of the message sent " But most communication is intended to be only between two computers on a

network

❀  To allow sender to specify destination, each station is assigned a hardware address (MAC address)

sender receiver

Signal propagates along the entire cable

8/28/14

8

MAC Addressing ❀  Example: Ethernet Addressing

" Unique 48-bit MAC address

" First 24 bits is manufacturer code - assigned by IEEE

" Second 24 bits are sequentially assigned and UNIQUE

❀  MAC address must be unique in a multiple access network

❀  Extending an Ethernet with repeaters

❀  Repeaters " Electronic devices that simply copy signals (at higher power) between segments " Propagate valid signals as well as collisions " Do not have hardware addresses " Any Ethernet segment is limited to 500 meters " One repeater doubles the length to 1,000 meters. " At most 4 repeaters can be placed between any 2 machines

Multiple Access (3)

. . . . . . R

8/28/14

9

❀  Extending an Ethernet with bridges (switches)

❀  Bridges (level 2 switches) " Electronic devices that operate on packets, not signals " Have a NIC like any other station " Maintain a list of computers on each segment " Forward a packet only if necessary " Useful for controlling congestion

Multiple Access (4)

. . . . . . B

Switched Networks (LANs) ❀  Extend the network segment by switching

" Groups of nodes are connected by intermediate hardware (switches or bridges) which regulate traffic

" Switches inside cloud implement the network, nodes outside the cloud use the network

S

incoming links

outgoing links

Switch

Memory

Store-‐and-‐Forward

8/28/14

10

Internetworks ❀  Getting bigger - connect heterogeneous networks

" Using routers (sometimes called gateways) " Different networks may use different technologies " A technology provides its own implementation of services

R

Routers vs. Switches ❀  Bridges and Layer 2 switches understands only MAC addresses

" Process packets and directs them toward the correct port. " The switching table is learned from each source’s MAC address

❀  Routers and Layer 3 switches understand both IP addresses and MAC addresses " Routers work together to generate routing tables " A router or layer 3 switch knows the next hop's IP address from the routing table

8/28/14

11

Chapter 0 Outline



Network Core

❀  Routers and fiber links (in orange) form the Internet core ❀  Routers work together to figure out the most efficient path for routing a packet

from source to destination host " A distributed algorithm can adapt to changing Internet conditions " Routing tables are generated and maintained in real time

Network Core

Internet backbone

Global ISP Global ISP

Root DNS servers

Regional ISP

Regional ISP

Regional ISP

Tier-1 ISPs

Tier-2 ISPs

8/28/14

12

Internet eXchange Point (IXP)

At these IXPs, major ISPs accept traf8ic from each other and agree to carry the other's packets to their downstream destination point without charge.

AT&T backbone

Source: http://www.corp.att.com/globalnetworking/media/network_map.swf

8/28/14

13

Verizon backbone

Source: http://www.verizonbusiness.com/us/about/network/

Chapter 0 Outline


switching ❀ Packet Switching Delays ❀ Protocol stack ❀ Internet security ❀ Internet history

8/28/14

14

Information switching ❀  Data transfer in the Internet

" Packet switching µ Header contains source and des3na3on IP address µ Best-‐effort delivery

[  Packets may be lost [  Packets may be corrupted [  Packets may be delivered out of order

" Circuit switching µ Dedicated circuit per call

[  Dial-up modem [  Virtual circuit, such as classical IP over ATM, or leased lines

Analogy: Circuit switching: a traveler paid a round trip ticket with reserved seats Packet switching: an airline employee uses free, open tickets to fly (no reserved seats)

Circuit Switching ❀  End-to-end resources reserved for a connection

" Establish a connection before data transfer " Circuit-like (guaranteed) performance

❀  Dedicated resources " No sharing

µ Using FDM, TDM or ATM (virtual circuit switching) µ Resource is idle if not used by the call’s owner µ No queueing delay

" Call setup and teardown required

8/28/14

15

Packet Switching ❀  The base of the Internet. Each host data stream is segmented into packets ❀  Source and Destination IP address is in the packet header

❀  Packets use available resources provided by routers ❀  Packets may be lost while traveling or received out of order ❀  Transport layer must put the received packets in the correct order and reassemble

them at destination

Statistical Multiplexing

❀  Packet switching is based on statistical multiplexing " Packets are sent by hosts A and B " If there is no priority set, then every packet is treated the same based on the

order of arrival " Router 1’s T1 link bandwidth is shared by packets from hosts A and B

❀  In contrast, FDM and TDM let each host use the same slot and there is no resource contention

A

B

C Ethernet

1.5 Mbps (T1 link)

Statistical Multiplexing

queue of packets waiting for output link

Router 1

8/28/14

16

Packet switching versus circuit switching

❀  Packet switching is great for bursty data " Best effort delivery " Better for resource sharing " Network congestion

µ Packet delay in the router’s queue µ Packet loss due to queue overflow

" Protocols pay overhead for reliable data transfer, congestion and flow control

❀  Circuit switching is great for voice and video " Bandwidth guarantee " Timing, latency, and latency jitter guarantee " Complex mechanisms lead to high cost for equipment and management

µ Most enterprise networks replaced ATM LANs with Gigabit or 10 Gbit Ethernets

Marry packet and circuit switching ❀  IP based approach

" Protocols based on IP for streaming video/audio over the Internet µ The Resource Reserva3on Protocol (RSVP): is a Transport Layer protocol for reserving

resources in order to achieve an integrated services Internet µ The Real-‐3me Streaming Protocol (RTSP) uses RTP and RTCP to deliver video/audio

[  RTSP permits the reservation of resources for a flow using RSVP

µ Real-‐3me Transport Protocol (RTP): best effort delivery µ Real-‐3me Transport Control Protocol (RTCP): QoS is handled by RTCP

8/28/14

17

Chapter 0 Outline



Latency in packet switching network

❀  Store and forward packets in a router ❀  If the link is available, it takes L/R

seconds to transmit one packet from Router 1 to Router 2 " Transmission delay

❀  Entire packet must arrive at one router before it can be forwarded on the next link

❀  Host to host delay = 3L/R + propagation delay + other delays

❀  Example: ❀  L = 1000 Mbits ❀  R = 100 Mbps (Ethernet) ❀  Transmission delay per link = 10

sec ❀  Total transmission delay = 30 sec

Packet length: L bits Link Rate: R bps

Router 1 Router 2

8/28/14

18

4 packet delay factors

A

B Router buffer

Buffer over8low: arriving packets dropped (loss) if no free buffers

1. Packet processing: check bit errors and forward to output port

2. Packet queueing, depending on congestion

3. Transmission delay: L/R

4. Propagation delay: d/s

Router 2

Router 3

Router 1

Total Delay of a node = processing delay + transmission delay + propagation delay + queueing delay

Congestion Control ❀  Congestion occurs when source hosts send out more data than the network can

handle ❀  Loss and delay causes packets to be resent in TCP ❀  Negative feedback causes even more congestion ❀  Congestion control regulates the output rate of source hosts to relieve congestion by

using the symptom of congestion " Packet loss " Packet delay " Buffer overflow

8/28/14

19

Flow Control ❀  Flow control is necessary when the destination cannot digest the data as fast as it

arrives " Server has

µ Powerful CPU µ Vast memory µ 1 or 10 Gbps link

" Client: smart phone has µ Baber-‐powered CPU µ very lible memory µ Low-‐bandwidth link

❀  Goal: to optimize the throughput rate (bits/sec) between source and destination

Chapter 0 Outline



8/28/14

20

Modularization by layering ❀  Develop Internet: Divide and conquer by many people ❀  Internet can be modularized by layers ❀  Modularization eases

" Development (one company can tackle one module) " Maintenance " Updating the system

❀  Interaction between layers " Each layer relies on services from layer below " Each layer exports services to layer above

❀  Interface between layers defines interaction " Hides implementation details " Layers can change without disturbing other layers

Internet protocol stack: US DoD Model (1)

❀  Application Layer " Network applications " HTTP, SMTP

❀  Transport Layer " Process-to-process data transfer " Segment message at source and reassemble message

at destination " TCP: reliable transport with overhead

µ Transmission Control Protocol " UDP: best effort delivery with little overhead

µ User Datagram Protocol " SCTP: reliable transport based on transaction

µ Stream Control Transmission Protocol

Application

Transport

Network

Data Link

Physical Layer 1

Layer 2

Layer 3

Layer 4

Layer 5

8/28/14

21

Internet protocol stack: US DoD Model (2)

❀  Network Layer " Routing of datagrams from source subnet to

destination subnet " IP and routing protocols

❀  Data Link Layer " Data transfer between adjacent neighboring

network nodes connected by a physical medium (copper, fiber or wireless)

" Ethernet, WiFi ❀  Physical Layer

" Bits propagate using copper, fiber and radio

Application

Transport

Network

Data Link

Physical

OSI reference model (International standard)

❀  OSI (open system interconnect) 7 layer model " US pledged to use OSI in 1980s " OSI was never finished " US DoD had sufficient funding to complete its protocol stack

❀  US DoD Internet stack does not explicitly modularize two layers " Presentation Layer

µ Allowing applica3ons to deal with coding of data, e.g., encryp3on, compression and unicode

" Session Layer µ Grouping connec3ons together for efficiency, synchroniza3on,

recovery or data exchange " These services, if needed, must be implemented in

application layer in the US DoD model

Application

Transport

Network

Data Link

Physical

Session

Presentation

8/28/14

22

The TCP/IP Protocol Suite

The Hourglass Model

Waist

The waist facilitates interoperability

FTP HTTP TFTP DNS

TCP UDP

IP

NET1 NET2 NETn …

Applications

HTTP FTP SMTP

TCP UDP

IP

Data link layer protocols

Physical layer protocols

Protocols ❀  Network protocols

" All communication and activities in the Internet are governed by protocols µ E.g. DHCP provides a client with an IP address, gateway IP address and DNS IP address

" Protocols define µ Packet format

[  Service (port) number in the TCP header, e.g. port 80 for http [  Sequence and acknowledgement numbers are in the TCP header

µ The sequence of packets sent and received among network en33es µ Ac3ons taken based on the parameters in the fields of a received packet

[  Retransmit of a packet depends on the acknowledgement number

❀  Speaking the same language using the same standard set by IETF ❀  Syntax and semantics are critical

8/28/14

23

Terms for bits processed in each layer

Message

Segment

Datagram

Frame

Message

Segment

Datagram

Frame

Internet

Application

Transport

Network

Data Link

Physical

Application

Transport

Network

Data Link

Physical

End Hosts vs. Routers

HTTP

TCP

IP

Ethernet interface

HTTP

TCP

IP

Ethernet interface

IP IP

Ethernet interface

Ethernet interface

SONET interface

SONET interface

host host

router router

HTTP message

TCP segment

IP datagram IP datagram IP datagram

frame

8/28/14

24

Protocol Use Example

HTTP

TCP

IP

argon.tcpip-lab.edu

128.143.137.144

Ethernet Ethernet Ethernet

IP

HTTP

TCP

IP

neon.tcpip-lab.edu128.143.71.21

Ethernet

router71.tcpip-lab.edu

128.143.137.100:e0:f9:23:a8:20


128.143.71.1

HTTP protocol

TCP protocol

IP protocol

Ethernet

IP protocol

Ethernet

00:20:af:03:98:28


HTTP

TCP

IP

argon.tcpip-lab.edu

128.143.137.144


IP

HTTP

TCP

IP


Ethernet


128.143.137.100:e0:f9:23:a8:20

router137.tcpip-lab.edu128.143.71.1

Send HTTP Request to neon

00:20:af:03:98:28

8/28/14

25


HTTP

TCP

IP

argon.tcpip-lab.edu

128.143.137.144


IP

HTTP

TCP

IP


Ethernet


128.143.137.100:e0:f9:23:a8:20


Establish a connection to 128.143.71.21 at port 80

00:20:af:03:98:28


HTTP

TCP

IP

argon.tcpip-lab.edu

128.143.137.144


IP

HTTP

TCP

IP


Ethernet


128.143.137.100:e0:f9:23:a8:20


Open TCP connection to 128.143.71.21 port 80

00:20:af:03:98:28

8/28/14

26


HTTP

TCP

IP

argon.tcpip-lab.edu

128.143.137.144


IP

HTTP

TCP

IP


Ethernet


128.143.137.100:e0:f9:23:a8:20


Send a datagram (which contains a connection request) to 128.143.71.21

00:20:af:03:98:28

Send IP datagram to 128.143.71.21


HTTP

TCP

IP

argon.tcpip-lab.edu

128.143.137.144


IP

HTTP

TCP

IP


Ethernet


128.143.137.100:e0:f9:23:a8:20

router137.tcpip-lab.edu128.143.71.1 00:20:af:03:98:28

8/28/14

27

Send datagram to 128.143.137.1

HTTP

TCP

IP

argon.tcpip-lab.edu

128.143.137.144


IP

HTTP

TCP

IP


Ethernet


128.143.137.100:e0:f9:23:a8:20



00:20:af:03:98:28


HTTP

TCP

IP

argon.tcpip-lab.edu

128.143.137.144


IP

HTTP

TCP

IP


Ethernet


128.143.137.100:e0:f9:23:a8:20


Send Ethernet frame to 00:e0:f9:23:a8:20

00:20:af:03:98:28

8/28/14

28


HTTP

TCP

IP

argon.tcpip-lab.edu

128.143.137.144


IP

HTTP

TCP

IP


Ethernet


128.143.137.100:e0:f9:23:a8:20


Frame is an IP datagram

00:20:af:03:98:28

Send IP datagram to 128.143.71.21


HTTP

TCP

IP

argon.tcpip-lab.edu

128.143.137.144


IP

HTTP

TCP

IP


Ethernet


128.143.137.100:e0:f9:23:a8:20

router137.tcpip-lab.edu128.143.71.1 00:20:af:03:98:28

8/28/14

29

Send datagram to 128.143.7.21

HTTP

TCP

IP

argon.tcpip-lab.edu

128.143.137.144


IP

HTTP

TCP

IP


Ethernet


128.143.137.100:e0:f9:23:a8:20



00:20:af:03:98:28


HTTP

TCP

IP

argon.tcpip-lab.edu

128.143.137.144


IP

HTTP

TCP

IP


Ethernet


128.143.137.100:e0:f9:23:a8:20


Send Ethernet frame to 00:20:af:03:98:28

00:20:af:03:98:28

8/28/14

30


HTTP

TCP

IP

argon.tcpip-lab.edu

128.143.137.144


IP

HTTP

TCP

IP


Ethernet


128.143.137.100:e0:f9:23:a8:20


Frame is an IP datagram

00:20:af:03:98:28


HTTP

TCP

IP

argon.tcpip-lab.edu

128.143.137.144


IP

HTTP

TCP

IP


Ethernet


128.143.137.100:e0:f9:23:a8:20


IP datagram is a TCP segment for port 80

8/28/14

31

Different Views of Networking ❀  Different Layers of the protocol stack have a different view of the network.

This is HTTP’s and TCP’s view of the network.

HTTP client

TCP client

Argon128.143.137.144

HTTPserver

TCP server

Neon128.143.71.21

IP Network

HTTPserver

TCP server

Network View of IP Protocol

8/28/14

32

Network View of Ethernet

❀  Ethernet’s view of the network

00:e0:f9:23:a8:20

Layers and Services ❀  Service provided by TCP to HTTP:

" reliable transmission of data over a logical connection

❀  Service provided by IP to TCP: " unreliable transmission of IP datagrams across an IP network

❀  Service provided by Ethernet to IP: " transmission of a frame across an Ethernet segment

❀  Other services: " DNS: translation between domain names and IP addresses " ARP: Translation between IP addresses and MAC addresses

8/28/14

33

neon.tcpip-lab.edu"Neon"

128.143.71.21

argon.tcpip-lab.edu"Argon"128.143.137.144

router137.tcpip-lab.edu"Router137"

128.143.137.1

router71.tcpip-lab.edu"Router71"128.143.71.1

Ethernet NetworkEthernet Network

Router

Example: Sending a packet from Argon to Neon

DNS: What is the IP address of “neon.tcpip-lab.edu”?

DNS: The IP address of “neon.tcpip-lab.edu” is 128.143.71.21


128.143.71.21



128.143.137.1



Router

Sending a packet from Argon to Neon

8/28/14

34


128.143.71.21



128.143.137.1



Router

Sending a packet from Argon to Neon 128.143.71.21 is not on my local network. Therefore, I need to send the packet to my default gateway with address 128.143.137.1

ARP: What is the MAC address of 128.143.137.1?


128.143.71.21



128.143.137.1



Router


8/28/14

35


128.143.71.21



128.143.137.1



Router

ARP: The MAC address of 128.143.137.1 is 00:e0:f9:23:a8:20



128.143.71.21



128.143.137.1



Router


frame

128.143.71.21 is on my local network. Therefore, I can send the packet directly.

8/28/14

36


128.143.71.21



128.143.137.1



Router


ARP: What is the MAC address of 128.143.71.21?

frame


128.143.71.21



128.143.137.1



Router


ARP: The MAC address of 128.143.137.1 is 00:20:af:03:98:28

frame

8/28/14

37


128.143.71.21



128.143.137.1



Router


frame

Header for each layer ❀  Each layer has a header

" A header analogy is an envelope that contains source and destination addresses

❀  Link layer has a header containing MAC (medium access control) addresses ❀  Network layer has a header containing IP addresses ❀  Transport layer has a header containing the port (service) number

8/28/14

38

Encapsulation and Demultiplexing ❀  As data is moving down the protocol stack, each protocol is adding layer-specific

control information

HTTP

TCP

IP

Ethernet

User data

User data HTTP Header

TCP Header

TCP Header IP Header

TCP Header IP Header Ethernet Hdr. Ethernet Trailer

IP datagram

TCP segment

Ethernet frame




Application

Transport

Network

Link

Physical

Application

Transport

Network

Link

Physical

Link

Physical

Link

Physical

Network

Link

Physical

Source

Destination

Link-‐layer Switch


Router

1. Delivery from Source to Switch

M

M Ht

M Ht Hn

M Ht Hn Hl

8/28/14

39

Application

Transport

Network

Link

Physical

Application

Transport

Network

Link

Physical

Link

Physical

Link

Physical

Network

Link

Physical

Source

Destination



Router

M Ht Hn Hl

M Ht Hn Hl

M Ht Hn

M Ht

5. Delivery between the Internet Layers.

Chapter 0 Outline



8/28/14

40

Internet Security ❀  Attacks on the Internet information infrastructure:

" Malware " Denial of service: deny access by valid hosts to resources

❀  Internet and host security improvement " Security must be in all protocol layers " Host OS must be hardened " Anti-malware capability in hosts and routers

❀  Losing battle " Malware life cycle is 2 hours in 2009 " Nortel's internal network "owned" by hackers for almost a decade (Wall Street Journal,

2/13/2012) µ  Stolen passwords from seven top-‐level execu3ves

5 Types of Malware/Capabilities ❀  Spyware

" Recording keystrokes/crucial activities

" Capturing video/audio without consent

" Uploading info to collection site ❀  Virus

" Providing illegal access to host resources

" Infected by receiving object (e.g., e-mail attachment) in hosts

" May contain spyware, Trojan or worm

" Actively propagates to other hosts

❀  Worm: " Actively propagating to other hosts " Infected by passively receiving object

that gets itself executed ❀  Trojan:

" Providing a backdoor for illegal access to a host

" May be contained in spyware, a virus and Worms

❀  Rootkits " Hidden in a host’s file system

❀  Currently, a single piece of malware possesses 5 types of capabilities in order to expand its territory, control the infected hosts and steal information

8/28/14

41

Exponential increase in threats

Source: Symantec Global Internet Security Threat Report 2009

MOTIVATION: FINANCIAL GAIN FOR PROFESSIONAL DEVELOPERS

Delivery of Malware ❀  Email ❀  Worm ❀  Website-based attacks

" Highly reputed sites were hacked for delivering malware " E.g. US Dept. of Treasury

❀  Start a hacker career (https://www.youtube.com/watch?v=zFdxoLyOTLM, 3 mins) " Buy Zeus crimeware toolkit and establish a website " Lure people to go to the site " Infect with malware " Propagate malware to other computers " Establish a botnet: a business for rent " Send SPAM by botnet: a business for rent

8/28/14

42

Crimeware toolkit (1): Zeus ❀  The Zeus crimeware toolkit has grown over time to be the most established

crimeware toolkit in the underground economy " $4000 PER COPY " Ease-of-use, can create tailored Trojan botnets. Favored toolkit for entry-level

criminals " Symantec alone has detected over 154,000 computers infected with the Zeus

Trojan

Crimeware toolkit (2): SpyEye http://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot

❀  In late December 2009 a new crimeware toolkit emanating from Russia, known as SpyEye V1.0, started to appear for sale on Russian underground forums " Retailing at $500, it expects to take a chunk of the Zeus crimeware toolkit market " Symantec detects this threat as Trojan.Spyeye

❀  The SpyEye toolkit is similar to Zeus in many ways " It contains a builder module for creating the Trojan bot executable with a config file and a Web

control panel for command and control (C&C) of the botnet

8/28/14

43

ZeuS homes in on SMS-TAN process (1) http://www.h-online.com/security/news/item/Banking-trojan-ZeuS-homes-in-on-SMS-TAN-process-1097104.html

❀  According to a report on the S21sec blog, " New versions of the ZeuS banking trojan are now homing in on the SMS-TAN

procedure (also known as mobile TAN or mTAN) " In the SMS-TAN procedure, transaction numbers (TANs) for online transactions are

sent to the customer's cell phone to authenticate that person for an online bank transfer, initiated for instance from a web browser µ  Second communica3on channel is intended to make phishing and Trojan abacks impossible µ  Aher all, the transac3on can only be hacked if users do not carefully check the data in the text

message, if their cell phones get stolen, or the device is infected with a Trojan that passes on the text message to the phisher

❀  However, the developers of ZeuS have pursued the strategy to get Trojans onto mobile devices in an attack requiring multiple stages " The most important step is still infecting a Windows PC " Then, victims view a specially crafted web site that masquerades as a security update

for the victims cell phone.

ZeuS homes in on SMS-TAN process (2)

" Victims are asked to enter their cell phone number so they can receive a link for the download in a text message

" The PC infected with the Trojan then promptly sends a text message containing a link to what appears to be a new security certificate

" Users are then asked to download and install the certificate on their mobile phones, which requires an internet connection on the phone µ The downloaded file contains the mobile version of ZeuS, which then analyses and

forwards all incoming text messages

❀  Criminals can then use the account access data stolen from the PC along with the TAN to make bank transactions from the account

❀  Police in the U.K. have arrested 19 people on charges that they used the Zeus Trojan with stealing more than $9.4 million from U.K. banks

8/28/14

44

Stuxnet worm ❀  World's most sophisticated malware ever

" Stuxnet is designed to attack the SCADA (Supervisory Control And Data Acquisition) system µ  These SCADA systems are installed in big facili3es (like nuclear plants and u3lity companies) to

manage opera3ons

❀  Stuxnet works by infecting Windows machines " It used 20 zero-day vulnerabilities

µ  One zero-‐day is used to spread the worm to a machine using a USB s3ck. µ  A Windows printer-‐spooler vulnerability is used to propagate the malware from one infected

machine to others on a network µ  Other zero-‐day vulnerabili3es help the malware gain administra3ve privileges on infected

machines to feed the system commands " The malware is digitally signed with legitimate certificates stolen from two certificate

authorities Read More http://www.wired.com/threatlevel/2010/09/stuxnet/#ixzz10kcTAGUH

Watch https://www.youtube.com/watch?v=7g0pi4J8auQ

Duqu: the next Stuxnet ❀  Duqu is a Trojan with remote access capabilities that appears to have been created

specifically to gather information about industrial control systems " Stuxnet is designed to sabotage industrial control systems

µ  In a detailed analysis of the Duqu malware, Symantec labeled it as the next Stuxnet because of similari3es in code and func3on

µ Duqu was likely created by Stuxnet's authors " Duqu has been used to carry out attacks against systems in six organizations in

eight countries: France, India, Iran, Netherlands, Switzerland, Sudan, Ukraine and Vietnam

❀  Zero-day code execution vulnerability in the Windows kernel

8/28/14

45

Flame ❀  Flame makers used a cryptographic collision attack to acquire digital "signatures," or

certificates, that certified the code as Microsoft's, and used those certificates to sign malicious files that posed as legitimate Windows updates " Microsoft revoked three certificates, which were used to sign code in Flame, on

June 3, 2012

❀  Flame can infect fully-patched Windows PCs and servers ❀  Microsoft announced it would revamp how Windows updates are secured by

dedicating a new CA to Windows Update in order to unlink the service from all other Microsoft-generated certificates

Cyberespionage operation: attacks to SCADA

http://arstechnica.com/tech-‐policy/2011/07/how-‐digital-‐detectives-‐deciphered-‐stuxnet-‐the-‐most-‐menacing-‐malware-‐in-‐history/

Malware Date of operation

Size Special features

Stuxnet June 2009 500 kilobytes Sabotage program: sabotaging uranium centrifuges

DuQu September 2011 300 kilobytes Information gathering

Flame March 2010 20 megabytes A spyware program; Windows Update deception; Connect with Bluetooth devices in the area

8/28/14

46

US's ICS under daily cyber-attack ❀  Critical control systems inside two US power generation facilities were found

infected with computer malware " According to the US Industrial Control Systems Cyber Emergency Response Team

(October, November, and December of 2012) µ  Source: hbps://threatpost.com/en_us/blogs/malware-‐infects-‐two-‐power-‐plants-‐lacking-‐basic-‐security-‐controls-‐011413

❀  Department of Homeland Security (DHS): US's water and power utilities under daily cyber-attack (4/4/2012) " These industrial-control systems (ICS) and their networks are used to control

water, chemical and energy systems µ Only about half a dozen major manufacturers, such as Siemens and GE µ Most ICS’s are using either Microsoh Windows or Linux OS

" On a daily basis under constant cyber-espionage and denial-of-service attacks according to the team of specialists from the U.S. µ Only nine incidents were reported in 2009 µ  In 2011 this grew to 198 incident 3ckets. Just over 40% came from water-‐sector

u3li3es, with the rest from various energy, nuclear energy and chemical providers

Defensive Measures for Cybersecurity

Name Security check Action taken

Firewall TCP/IP Header Inspection Block

Intrusion Detection Systems (IDS)

TCP/IP Header and Content Inspection Alert

Intrusion Prevention Systems (IPS)

TCP/IP Header and Content Inspection Block and Alert

VPN:SSL/TLS Authentication, Encryption, Integrity Communication protection

VPN: IPSec Authentication, Encryption, Integrity Communication protection

Network Access Control (NAC)

Host health inspection, Authentication, Encryption, Integrity

Access Control

8/28/14

47

Firewall, IDS & IPS (1) ❀  Perimeter defense by firewall, Intrusion Detection/Prevention System (IDS/IPS)

" Place at the critical entry/exit points " Protect critical assets, such as a server farm, financial database " Use firewall, IDS/IPS

❀  Firewall " Computer host firewall protects a host " Network firewall protects the entrance to a network " Block packets based on IP address and port number in the header " Stateful inspection by maintaining a state transition table for a connection

❀  Host defense " Host IDS/IPS, Anti-Virus (AV) and host firewall " A.k.a. Endpoint defense

Firewalls ❀  Isolate organization’s

internal network (intranet) from Internet

❀  DMZ: demilitarized zone serving public information

❀  Allow: " Internet to DMZ " DMZ to Internet " Internal to

Internet

❀  Block: " Internet to

Internal except via VPN

Web, DNS servers

Internal network

public Internet

Firewall

DMZ

8/28/14

48

IDS & IPS

❀  IDS (Intrusion Detection System)/ IPS (Intrusion Prevention System) " Identify or block suspicious packets at the entrances of critical assets " Monitor potentially malicious traffic by inspecting the whole packet " IDS lets malicious packets pass, but sends alerts to a network administrator " IPS blocks malicious packets and sends alerts to a network administrator

Web, DNS servers

Internal network

public Internet

Firewall

DMZ

Secure information transmission/ access

❀  Guarded by encryption, authentication and authorization ❀  SSL/TLS: between session and transport layer

" For Internet shopping and web mail " For VPN (virtual private network)

❀  IPsec: network layer " VPN (virtual private network)

❀  Firewall allows SSL/TLS and VPN to pass through

Web, DNS servers

Internal network

Public Internet

Firewall

DMZ

8/28/14

49

Introduction: Key concepts ❀  Internet architecture: network edge, network core, and access network ❀  Switch and router functions ❀  Internet protocol layers and models ❀  Packet-switching-versus-circuit-switching ❀  Packet loss, delay, congestion and throughput ❀  Encapsulation and demultiplexing ❀  Internet security

" Malware types: spyware, virus, worm, rootkit " Crimeware toolkits " Firewalls, IDS/IPS " Encryption, Authentication and Authorization: SSL/TSL and IPsec

chapter 0 introduction - villanova universitymdamian/past/cybersecurityfa14/... · 2014. 8. 28. ·...

Documents