security. security threats impersonation pretend to be someone else to gain access to information...
TRANSCRIPT
![Page 1: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/1.jpg)
Security
![Page 2: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/2.jpg)
Security Threats
Impersonation Pretend to be someone else to gain access to information or services
Lack of secrecy Eavesdrop on data over network
Corruption Modify data over network
Break-ins Take advantage of implementation bugs
Denial of Service Flood resource to deny use from legitimate users
![Page 3: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/3.jpg)
Security Vulnerabilities
Security Problems in the TCP/IP Protocol Suite – Steve Bellovin - 89
Attacks on Different Layers IP Attacks ICMP Attacks Routing Attacks TCP Attacks Application Layer Attacks
• These are, today, the most common• But today we’ll be (mostly) focusing on vulnerabilities that are inherent to the network, not just enabled by it
![Page 4: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/4.jpg)
Three Levels of Defense
Firewalls Filtering “dangerous” traffic at a middle point in the network
Network level security (e.g. IPsec) Host-to-host encryption and authentication Can provide security without application knowledge
Application level security True end-to-end security Requires extra effort per application Libraries help, like SSL/TLS
![Page 5: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/5.jpg)
Who is the enemy? The Troubled Genius
Has a deep understanding of systems Capable of finding obscure vulnerabilities in OS’s, apps, and protocols, and exploiting them
Extremely skilled at evading countermeasures
Can dynamically adapt to new environments The Idiot
Little or no true understanding of systems Blindly downloads & runs code written by T.G.
Can usually be stopped by calling his mother
Who do you think causes more damage?
Mitnick
Simpson
![Page 6: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/6.jpg)
Application Vulnerabilities
Getting a network service to do something the designers didn’t want
The network isn’t the fundamental weakness Buffer overflows (unchecked input length)• Expecting 100 bytes, send lots more
SQL injection attacks Open FTP servers that execute code Many, many more…
![Page 7: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/7.jpg)
buffer overflowson the stack
func_1(){ int a, b;
func_2();}
a, bc, d
func_2(){ int c, d;
func_3();}
func 1’s address
buf
func_3(){ char buf[100];
read_user_input(buf);}
func 2’s address
![Page 8: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/8.jpg)
buffer overflowson the stack
func_1(){ int a, b;
func_2();}
a, bc, d
func_2(){ int c, d;
func_3();}
func 1’s address
buf
func_3(){ char buf[100];
read_user_input(buf);}
func 2’s address
evil_assembly_code()
buf’s address
Attacker is supplying input to buf… so buf gets a very carefully constructed string containing assembly code,and overwriting func 2’s address with buf’s address.When func3 returns, it will branch to buf instead of func2.
![Page 9: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/9.jpg)
SQL Injection
Imagine a web site that takes your name, looks up info about you in a database You might write code that says something like “select * from table where name=‘$NAME’
What if $NAME is: Joe’; update table set BankAccount=1000000 --
![Page 10: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/10.jpg)
XKCD #327
![Page 11: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/11.jpg)
Security Flaws in IP
The IP addresses are filled in by the originating host Address spoofing
Using source address for authentication r-utilities (rlogin, rsh, rhosts etc..)
InternetInternet
2.1.1.1 C
1.1.1.1 1.1.1.2A B
1.1.1.3 S
•Can A claim it is B to the server S?
•ARP Spoofing
•Can C claim it is B to the server S?
•Source Routing
![Page 12: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/12.jpg)
Firewalls
Originally, fairly basic: intent was to do per-packet inspection to block unused ports, for example
Make sure we know exactly what’s getting into the network and carefully think about their security
Problem: a bug in your HTTP server (or its configuration) won’t be caught by a basic firewall!
Later firewalls became smarter – they’d reconstruct the flow. Keep per-flow state (previously impossible)
Deny, for example, a HTTP request that contains “bobby tables”.
![Page 13: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/13.jpg)
Reconstructing Flows
Let’s say you want to search for the text “USER root”. Is it enough to just search the data portion of TCP segments you see?
USER root
HDR USERTCP: HDR root
HDR USHDR ERHDR HDR HDR ro HDR otIP:
(Uh oh… we have to reassemble frags and resequence segs)
![Page 14: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/14.jpg)
Fun with Fragments
HDR USHDR
ERHDR
HDR HDR ro
HDR ot
Think of the entire campus as being a massively parallel computer.That supercomputer is solving the flow-reconstruction problem.Now we’re asking a single host to try to solve that same problem.
1.
2.
4.
5.
3. 1,000,000 unrelated fragments
Imagine an attacker sends:
![Page 15: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/15.jpg)
More Fragment Fun
HDR USHDR
ERHDR
HDR HDR ro
HDR otShould we consider 3a part of the data stream “USER root”?Or is 3b part of the data stream? “USER foot”!• If the OS makes a different decision than the monitor: Bad.• Even worse: Different OS’s have different protocol interpretations,so it’s impossible for a firewall to agree with all of them
1.
2.
3b.
4.
Imagine an attacker sends:
HDR HDR fo
3a.
Seq. #
Time
![Page 16: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/16.jpg)
Trickery
Non-standard parts of standards IP fragment overlap behavior TCP sequence number overlap behavior Invalid combinations of TCP options
Other ways to force a disparity between the monitor and the end-station TTL Checksum Overflowing monitor buffers
See http://www.secnet.com/papers/ids-html/ for detailed examples
![Page 17: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/17.jpg)
Security Flaws in IP
Source IP address can be forged Leads to the “Smurf Attack”
Protocols that require no handshake (UDP) can be tricked if they do IP-based authentication
IP fragmentation attack End hosts need to keep the fragments till all the fragments arrive
Denial of service
![Page 18: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/18.jpg)
Ping Flood: The Smurf Attack
evil
ICMP_ECHO_REQ
Source: victimDest: big
(broadcast addr)big
victim
ICMP_ECHO_RPLSource: bigDest: victim
Typically: evil has slow link (modem) victim has fast link (T1) big has very fast link (T3+)
![Page 19: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/19.jpg)
ICMP Attacks
No authentication ICMP redirect message
Can cause the host to switch gateways Benefit of doing this?
• Man in the middle attack, sniffing ICMP destination unreachable
Can cause the host to drop connection ICMP echo request/reply Many more…
http://www.sans.org/rr/whitepapers/threats/477.php
![Page 20: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/20.jpg)
TCP Attacks
ClientServer
SYN xSYN y | ACK x+1
ACK y+1
![Page 21: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/21.jpg)
TCP Layer Attacks
TCP SYN Flooding Exploit state allocated at server after initial SYN packet
Send a SYN and don’t reply with ACK Server will wait for 511 seconds for ACK Finite queue size for incomplete connections (1024)
Once the queue is full it doesn’t accept requests
Solution: “Syn Cookies” Construct a special sequence number that has connection info “encrypted”
Client sends it back with the ACK; re-encrypt and make sure it matches
![Page 22: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/22.jpg)
TCP Layer Attacks
TCP Session Hijack When is a TCP packet valid?
• Address/Port/Sequence Number in window How to get sequence number?
• Sniff traffic• Guess it
– Many earlier systems had predictable initial sequence number
Inject arbitrary data to the connection
![Page 23: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/23.jpg)
TCP Layer Attacks
TCP Session Poisoning Send RST packet
• Will tear down connection Do you have to guess the exact sequence number?• Anywhere in window is fine• For 64k window it takes 64k packets to reset
• About 15 seconds for a T1 Can reset BGP connections
![Page 24: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/24.jpg)
DNS Attacks
Cache poisoning: Ask for EVILHOST.COM (say, because of spam)
EvilHost.com’s DNS server complies, but also “just happens” to tell you the IP of BankOfAmerica.com
DNS client puts it in cache. Fun! Once this bug was found, DNS clients stopped accepting info they didn’t request
![Page 25: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/25.jpg)
Routing Attacks
Distance Vector Routing Announce 0 distance to all other nodes
• Blackhole traffic• Eavesdrop
Link State Routing Can claim direct link to any other routers A bit harder to attack than DV
BGP ASes can announce arbitrary prefix ASes can alter path
Today, these are generally just solved through reputation: don’t accept updates from people you haven’t arranged for in advance.
![Page 26: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/26.jpg)
Denial of Service
Objective make a service unusable by overloading
Consume host resources TCP SYN floods ICMP ECHO (ping) floods
Consume bandwidth UDP floods ICMP floods
Crashing the victim Ping-of-Death TCP options (unused, or used incorrectly)
Forcing more computation on routers Taking long path in processing of packets
![Page 27: Security. Security Threats Impersonation Pretend to be someone else to gain access to information or services Lack of secrecy Eavesdrop on data](https://reader035.vdocuments.mx/reader035/viewer/2022062718/56649e7e5503460f94b8277a/html5/thumbnails/27.jpg)
Summary
The Internet is dangerous
Many of the original trust assumptions no longer hold
Network security needs to be addressed at different levels Better protocols, better routers, better application level features, etc.
The root cause of security problems? Classes like this one. Security should be integral to everything, not tacked on at the end.