network security
by prabhshish wasu
on 29 October 2014


Transcript of network security

Encryption
A packet sniffer, sometimes referred to as a network analyzer, can be used legitimately by a network administrator to troubleshoot network traffic. Using the information captured by the packet sniffer, an administrator can identify malformed packets, pinpoint bottlenecks and help maintain efficient network data transmission.

Packet Sniffing

Network Security ?
Firewalls And IPsec
NETWORK SECURITY
Firewall
Network security consists of the policies adopted by a network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.
Network security covers a variety of computer networks, both public and private, that are used in everyday jobs conducting transactions and communications among businesses, government agencies and individuals.
What is Encryption ?
The most common and simplest way of protecting a network resource is to assign it a unique name and a corresponding password.
Network security starts with authentication, most commonly with a username and a password. Since this checks only one thing the user knows (the password; the username is an identifier, not a factor), it is termed one-factor authentication. Two-factor authentication additionally uses something the user has (a security token or dongle, an ATM card, a mobile phone running an authenticator app); three-factor authentication additionally uses something the user is (a fingerprint or retinal scan).
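As an added example (not part of the original presentation), here is what a two-factor check looks like in code: the first factor is a salted, slow password hash; the second is a time-based one-time code from an authenticator app, computed per RFC 6238 over a shared secret with the standard library only. The user record, salt and secret are constructed for the example (the TOTP key is the RFC 6238 test-vector key), and the names verify_login, totp and hash_password are this example's own.

```python
import hashlib
import hmac
import struct
import time

PBKDF2_ROUNDS = 100_000                 # slow hash so a leaked database cannot be brute-forced cheaply
SALT = b"constructed-per-user-salt"     # constructed; real systems draw a random salt per user


def hash_password(password):
    """Factor 1, something you know: never store the password, only a salted PBKDF2 hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, PBKDF2_ROUNDS)


def totp(secret, for_time, step=30, digits=6):
    """Factor 2, something you have: RFC 6238 TOTP = HOTP(secret, floor(time / step)) with HMAC-SHA1."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed user record: the TOTP key is the RFC 6238 test-vector secret, not a real one.
USER = {
    "name": "alice",
    "pw_hash": hash_password("correct horse battery staple"),
    "totp_secret": b"12345678901234567890",
}


def verify_login(user, password, code, now=None, skew_steps=1):
    """Both factors must verify. Constant-time comparisons avoid leaking how close a guess was;
    the TOTP check tolerates one 30 s step of clock drift either way."""
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(hash_password(password), user["pw_hash"])
    totp_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], now + d * 30), code)
        for d in range(-skew_steps, skew_steps + 1)
    )
    return pw_ok and totp_ok      # both computed regardless, so timing does not reveal which factor failed


if __name__ == "__main__":
    code = totp(USER["totp_secret"], int(time.time()))   # what the user's authenticator app would show
    print("login ok:", verify_login(USER, "correct horse battery staple", code))
```

A sniffed password alone no longer logs the attacker in: the code changes every 30 seconds and is derived from a secret that never crosses the network.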
Typically a network interface only passes up frames addressed to the machine in question. Placed into promiscuous mode, it hands every frame it receives to the sniffer regardless of destination. On a shared medium (a hub, or unencrypted Wi-Fi) that is all traffic on the segment; on a switched network the sniffer only sees what the switch forwards to its port, unless the attacker also has a mirror port or redirects traffic to himself (for example with ARP spoofing). With that position, a malicious intruder can capture and analyze all of the traffic that passes.


For any site or service that does not encrypt its traffic (plain HTTP, FTP, Telnet, POP3 or IMAP without TLS), your user name and password are passed in the clear for anyone on the path to gather. This is especially damaging if you reuse the same password across accounts.

The attacker can likewise read everything else sent over those unencrypted connections. For encrypted connections (HTTPS, SSH) the sniffer still sees who talks to whom, when and how much, but not the content.
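To make the "passed in the clear" point concrete, here is an added example (not code from the original presentation) of what a sniffer does with a captured frame: decode Ethernet, IPv4 and TCP headers with struct, then pull the username and password out of a plain-HTTP login POST. The two frames in CAPTURE are constructed for the example rather than captured traffic, and the function names (parse_frame, extract_credentials, harvest) are this example's own.

```python
import struct
from urllib.parse import parse_qs

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP; return the 4-tuple, sequence number and payload (None if not IPv4/TCP)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "payload": tcp[data_off:]}


def extract_credentials(payload):
    """If the payload is a cleartext HTTP POST of a login form, return its username/password fields."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return None
    form = parse_qs(body.decode("ascii", "replace"))
    creds = {k: v[0] for k, v in form.items() if k in ("username", "password")}
    return creds or None


def build_frame(src, dst, sport, dport, seq, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


# Constructed capture (not real traffic): a browser posting a login form over plain HTTP, and the reply.
LOGIN_POST = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
              b"username=alice&password=hunter2")
CAPTURE = [
    build_frame("192.0.2.10", "192.0.2.20", 51514, 80, 0x1000, LOGIN_POST),
    build_frame("192.0.2.20", "192.0.2.10", 80, 51514, 0x2000, b"HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n"),
]


def harvest(capture):
    """What a promiscuous-mode sniffer on this segment learns: (client, server, port, credentials)."""
    found = []
    for frame in capture:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        creds = extract_credentials(pkt["payload"])
        if creds:
            found.append((pkt["src"], pkt["dst"], pkt["dport"], creds))
    return found


if __name__ == "__main__":
    for client, server, port, creds in harvest(CAPTURE):
        print(f"{client} -> {server}:{port} {creds}")
```

The same parser run against an HTTPS capture would still yield the addresses, ports and sequence numbers (the TCP header is never encrypted) but the payload would be TLS records, which is why the next section's hijacking attacks still work against encrypted sessions while credential theft does not.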
TCP Hijacking
“What is TCP”..?
•TCP = Transmission Control Protocol
•a connection-oriented protocol
•a point-to-point protocol
•It is used for reliable data transfer across a network between two endpoints.
•Once a machine knows the other's IP address (and the port), it can open a TCP connection with the three-way handshake (SYN, SYN-ACK, ACK).
•A 32-bit sequence number (SN) numbers every byte of the stream; the receiver uses it to put segments in order and accepts only segments that fall inside its receive window.


A TCP connection is identified by 4 parameters; to inject into it an attacker additionally needs the current sequence number, so 5 values in all:
•Source IP address •Destination IP address •Source Port
•Destination Port
•Sequence Number (and, for the injected segment to carry a plausible ACK, the peer's sequence number too)
Getting the destination port is easy: it is the well-known port of the service.
Getting the source port with sniffing is trivial; blind, it is one of the ephemeral ports, which older stacks assigned sequentially and modern stacks randomize.
With sniffing, the sequence number is read straight off the wire. Blind, it is easy to guess only if the stack uses predictable initial sequence numbers (old stacks incremented the ISN by a fixed amount per connection or per second); stacks that follow RFC 6528 randomize the ISN, so a blind attacker must land a guess inside the receive window out of 2^32 possibilities.
A firewall is a network security system that controls the incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed not to be secure and trusted.Firewalls exist both as a software solution and as a hardware appliance. Many hardware-based firewalls also offer other functionality to the internal network they protect, such as acting as a DHCP server for that network.

Blind Hijacking
•Once an attacker has all 5 of the parameters, a forged packet whose sequence number falls within the receive window will be accepted.
•Sending a "valid" packet with the RST flag tears the connection down.
•Sending a "valid" packet with the SYN flag on an established connection makes the host reset it (classic RFC 793 behaviour; stacks implementing RFC 5961 instead answer an in-window RST or SYN with a challenge ACK and only act on a RST that lands exactly on the expected sequence number).
•Both of the above make effective DoS attacks against individual long-lived connections (BGP sessions between routers were the classic target).
•Sending a packet with a valid payload makes the host treat the injected bytes as data from the peer; on a cleartext command session such as Telnet or rsh, the injected text is executed as a command.

•To take over a session, or inject characters into it while keeping it usable, the attacker has to insert itself into the conversation and keep both sides' sequence numbers consistent.
•This is called a man-in-the-middle attack (MITM).
•The client then sees the attacker as the server, and the server sees the attacker as the client.
•Once this happens, all data travelling between client and server passes through the attacker. Authentication is not broken, it is bypassed: the attacker rides on a session the legitimate user has already authenticated.
Network Session Hijacking
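The acceptance rules above decide what a forged segment achieves. As an added example (not code from the original presentation), the model below applies them from the server's side: the 4-tuple must match and the sequence number must be in the receive window, RST and SYN are handled per RFC 793 or per RFC 5961, and in-window data is delivered only when it lands exactly on the expected number. It also computes how many guesses a blind attacker needs when the ISN is random. The Connection/receive/forge names and the telnet session in fresh_connection are this example's own constructions; wraparound of the 32-bit sequence space is not modelled.

```python
from dataclasses import dataclass


@dataclass
class Connection:
    """Server-side view of one established TCP connection (the 4-tuple plus receive state)."""
    src: str          # client address
    sport: int        # client port
    dst: str          # server address
    dport: int        # server port
    rcv_nxt: int      # next sequence number expected from the client
    rcv_wnd: int = 65535


def fresh_connection():
    """Constructed telnet session; rcv_nxt is whatever the client's ISN plus bytes sent happens to be."""
    return Connection("192.0.2.10", 40000, "192.0.2.20", 23, rcv_nxt=1_000_000)


def forge(conn, seq, payload=b"", rst=False, syn=False):
    """A segment an attacker sends with the client's address and port written into it."""
    return {"src": conn.src, "sport": conn.sport, "dst": conn.dst, "dport": conn.dport,
            "seq": seq, "payload": payload, "rst": rst, "syn": syn}


def receive(conn, seg, rfc5961=True):
    """What the server does with an incoming segment.
    drop      - wrong connection or outside the window: silently ignored
    reset     - connection torn down
    challenge - RFC 5961 challenge ACK: the sender must echo the exact expected number, which only
                the real client (or an attacker who can sniff) ever sees
    deliver   - payload handed to the application right now
    queue     - in-window but ahead of rcv_nxt: held until the bytes before it arrive"""
    if (seg["src"], seg["sport"], seg["dst"], seg["dport"]) != (conn.src, conn.sport, conn.dst, conn.dport):
        return "drop"
    if not conn.rcv_nxt <= seg["seq"] < conn.rcv_nxt + conn.rcv_wnd:
        return "drop"
    if seg["syn"]:
        return "challenge" if rfc5961 else "reset"
    if seg["rst"]:
        return "reset" if (seg["seq"] == conn.rcv_nxt or not rfc5961) else "challenge"
    if seg["seq"] == conn.rcv_nxt:
        conn.rcv_nxt += len(seg["payload"])
        return "deliver"
    return "queue"


def blind_guesses_needed(rcv_wnd, isn_bits=32):
    """Worst-case sequence numbers a blind attacker must try to land one in-window segment when the
    initial sequence number is uniformly random over isn_bits bits (RFC 6528). Each guess is a packet."""
    return -(-(1 << isn_bits) // rcv_wnd)     # ceiling division


if __name__ == "__main__":
    c = fresh_connection()
    print("sniffing attacker, exact seq:", receive(c, forge(c, 1_000_000, b"id\r\n")))
    print("blind attacker, 64 KiB window:", blind_guesses_needed(65536), "guesses worst case")
```

Two things the model makes visible: with the exact sequence number (which a sniffer reads off the wire) one packet injects a command, while a blind attacker faces tens of thousands of guesses per attempt and, against an RFC 5961 stack, gets a challenge ACK rather than a reset even when a guess lands in the window.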
Software Based Vs Hardware Based
Hardware Based
-> external to the computer
-> no additional software needs to be configured or running for normal operation
-> protects many computers at once, since it intercepts all traffic from the Internet before it enters the internal private network
-> if your computer is a laptop and travels to other locations, the hardware-based firewall in your home can't protect you
-> hardware-based firewalls for home and home-office use are relatively inexpensive and easy to install
Software Based
-> software-based or "personal" firewalls are often the last line of defense between you and the Internet
-> since a software-based firewall runs on your computer, this protection follows you everywhere
-> useful for home, work, and wireless hotspots
-> advantage of identifying which applications on the computer are creating security risks
-> a personal firewall can't prevent viruses from entering your system through legitimate channels such as a web browser or email
IPsec
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host)
IPsec operates in two different modes:
Transport Mode
IPsec sits between the Transport layer and the Network layer. The segment passed down from the transport layer is encapsulated with an IPsec header (and, for ESP, a trailer and integrity check value), and the result goes to the Network layer where the original IP header is added. Protection therefore covers only the IP payload, not the IP header: ESP leaves the header entirely unprotected, and AH authenticates only its immutable fields. Transport mode is used host-to-host.
Tunnel Mode

Here IPsec protects the entire original IP packet, header included: the IPsec methods are applied to the whole packet, which is then given a new outer IP header addressed between the two tunnel endpoints (typically security gateways). Tunnel mode is used network-to-network and network-to-host; the inner addresses are hidden from anyone watching the outer packet.
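The difference in what the two modes protect is easiest to see in bytes. The following added example (not code from the original presentation) models ESP per RFC 4303 with a stand-in stream cipher built from SHA-256 (so it runs with the standard library; the real thing uses AES) and an ICV of HMAC-SHA-256 truncated to 128 bits as in RFC 4868. The keys, addresses and packet contents are constructed, and transport_mode, tunnel_mode and receive are this example's names. It shows that an on-path attacker can rewrite the outer header of a transport-mode packet without detection, while in tunnel mode the addresses the receiver acts on are inside the authenticated part.

```python
import hashlib
import hmac
import struct

ESP = 50                                 # IP protocol number of ESP
AUTH_KEY = b"constructed-esp-auth-key"   # constructed SA keys; real ones are negotiated by IKE
ENC_KEY = b"constructed-esp-enc-key"


def ip_header(src, dst, proto):
    """Minimal IPv4 header (length and checksum left zero; they are not what this example is about)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0, src, dst)


def keystream(esp_header, n):
    """Toy counter-mode keystream keyed by SPI+sequence number: a stand-in for the AES modes ESP really
    uses, so the example runs with the standard library only. Never use this for real traffic."""
    blocks = (hashlib.sha256(ENC_KEY + esp_header + struct.pack("!I", i)).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def esp_encapsulate(inner, spi, seq, next_header):
    """RFC 4303 layout: ESP header | encrypted(inner + trailer) | ICV.
    The ICV (HMAC-SHA-256 truncated to 128 bits, RFC 4868) covers the ESP header and ciphertext only."""
    header = struct.pack("!II", spi, seq)
    plaintext = inner + bytes([0, next_header])            # trailer: pad length 0, next header
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(header, len(plaintext))))
    icv = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha256).digest()[:16]
    return header + ciphertext + icv


def esp_decapsulate(esp):
    """Return (next_header, inner) or None if the ICV does not verify."""
    header, ciphertext, icv = esp[:8], esp[8:-16], esp[-16:]
    expected = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, icv):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, keystream(header, len(ciphertext))))
    return plaintext[-1], plaintext[:-2]


def transport_mode(orig_header, segment, spi, seq):
    """Host-to-host: the original IP header stays in the clear (protocol field now ESP); only the segment is protected."""
    outer = orig_header[:9] + bytes([ESP]) + orig_header[10:]
    return outer + esp_encapsulate(segment, spi, seq, next_header=6)          # 6 = TCP


def tunnel_mode(orig_packet, gw_src, gw_dst, spi, seq):
    """Gateway-to-gateway: the whole original packet is the ESP payload; a new outer header is prepended."""
    return ip_header(gw_src, gw_dst, ESP) + esp_encapsulate(orig_packet, spi, seq, next_header=4)  # 4 = IPv4 in IP


def receive(packet, mode):
    """What the receiver trusts after verification: (auth_ok, src, dst, payload). Transport mode takes
    the addresses from the unprotected outer header, tunnel mode from the authenticated inner header."""
    outer, esp = packet[:20], packet[20:]
    result = esp_decapsulate(esp)
    if result is None:
        return (False, None, None, None)
    next_header, inner = result
    if mode == "transport":
        return (True, outer[12:16], outer[16:20], inner)
    return (True, inner[12:16], inner[16:20], inner[20:])


def rewrite_outer_src(packet, new_src):
    """An on-path attacker editing the cleartext outer header."""
    return packet[:12] + new_src + packet[16:]
```

In practice the transport-mode receiver also checks the packet against the security association it looks up by SPI, which limits what a rewritten header buys an attacker, but the header itself is simply not covered by the ICV; AH, the other IPsec protocol, exists precisely to cover it.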




In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it.

Encryption does not of itself prevent interception, but denies the message content to the interceptor.

In an encryption scheme, the message or information, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted.
Process of Encryption
Commonly Used Kinds of Encryption
Symmetric key encryption
Public key encryption
Symmetric Key Encryption
In symmetric-key schemes, the encryption and decryption keys are the same. Thus the communicating parties must share the same key, agreed over some secure channel, before they can achieve secret communication.
Public key encryption
In public-key encryption schemes, the encryption key is published for anyone to use to encrypt messages. Only the receiving party holds the corresponding private key that decrypts them. Public-key operations are far slower than symmetric ones, so in practice they are used to authenticate parties and establish a symmetric session key, which then encrypts the bulk data (this is exactly how SSL/TLS, below, works).
SSL
SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client
TLS
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet. They use X.509 certificates and hence asymmetric cryptography to authenticate the counter-party with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties.
Communication Security Over Internet
SSL
TLS
Types of Encryption
Hardware Based Encryption
Uses a dedicated processor physically located on the encrypted drive
Processor contains a random number generator to generate the encryption key, which the user's password unlocks
Increased performance by off-loading encryption from the host system
Safeguards keys and critical security parameters inside the crypto-hardware
Authentication takes place on the hardware
Cost-effective in medium and larger application environments, easily scalable
Encryption is tied to a specific device, so encryption is "always on"
Does not require any driver or software installation on the host PC
Resists attacks that software encryption is exposed to: the key is never in host RAM, so cold boot attacks and key-scraping malware have nothing to read, and the unlock attempt counter lives in the drive, so brute force is throttled. This only holds if the drive firmware actually binds the key to the password, which independent analyses of some self-encrypting drives found was not always the case.
Software Based Encryption
Shares the computer's resources to encrypt data with other programs on the computer
Only as safe as your computer
Derives the encryption key from the user's password
Can require software updates
Susceptible to brute force attacks: the software tries to limit the number of decryption attempts, but an attacker with a copy of the disk can bypass any attempt counter and try passwords offline, limited only by the cost of the key-derivation function
Cost-effective in small application environments
Can be implemented on all types of media
SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server they can see and use that information.
TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0". TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security: an attacker who can make the first handshake fail can make a client retry at the lower version. RFC 7507 (TLS_FALLBACK_SCSV) lets a client mark such a retry so the server can refuse it. Since this presentation was written, SSL 3.0 (RFC 7568, 2015) and TLS 1.0 and 1.1 (RFC 8996, 2021) have been formally deprecated; a server should offer TLS 1.2 or newer only.
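Here is what refusing a downgrade looks like on the server side, as an added example that is not code from the original presentation. It parses the version fields and cipher-suite list of a TLS ClientHello (the wire layout from RFC 5246) and applies two rules: refuse anything below TLS 1.2, and refuse a retry marked with TLS_FALLBACK_SCSV at a version lower than the server supports, which is the signature of a downgrade in progress. The three hellos in HELLOS are constructed, not captured; build_client_hello, parse_client_hello and evaluate are this example's names; extensions (where TLS 1.3 carries its real version) are not parsed.

```python
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
TLS_FALLBACK_SCSV = 0x5600       # RFC 7507 signalling cipher suite value
SERVER_MAX_VERSION = 0x0303      # what this server speaks (TLS 1.3 also puts 0x0303 here and
MIN_VERSION = 0x0303             # negotiates 1.3 via the supported_versions extension, not parsed below)


def parse_client_hello(record):
    """Pull the version fields and cipher-suite list out of a TLS ClientHello record."""
    content_type, record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    handshake = record[5:5 + record_len]
    if handshake[0] != 1:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                    # client_version, random
    pos += 1 + body[pos]                            # session_id (length-prefixed)
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {"record_version": record_version, "client_version": client_version, "cipher_suites": suites}


def evaluate(hello):
    """Server-side policy: refuse anything below TLS 1.2, and refuse a fallback retry (RFC 7507) at a
    version lower than we support, because that is what a downgrade attack looks like on the wire."""
    v = hello["client_version"]
    name = VERSION_NAMES.get(v, hex(v))
    if TLS_FALLBACK_SCSV in hello["cipher_suites"] and v < SERVER_MAX_VERSION:
        return (False, f"inappropriate_fallback: client retried at {name} although we support higher")
    if v < MIN_VERSION:
        return (False, f"{name} is below the policy minimum; send protocol_version alert")
    return (True, f"{name} accepted")


def build_client_hello(client_version, cipher_suites, record_version=0x0301):
    """Constructed minimal ClientHello (zero random, empty session id, null compression, no extensions)."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(cipher_suites)) + b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake


# Constructed hellos: a current client, a legacy SSL 3.0-only client, and a client retrying at TLS 1.0
# after its first handshake was made to fail, with the SCSV set to say so.
HELLOS = {
    "modern": build_client_hello(0x0303, [0xC02F, 0xC030]),
    "ssl3": build_client_hello(0x0300, [0x000A], record_version=0x0300),
    "fallback": build_client_hello(0x0301, [0xC013, TLS_FALLBACK_SCSV]),
}

if __name__ == "__main__":
    for name, record in HELLOS.items():
        print(name, evaluate(parse_client_hello(record)))
```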
ATTACKS
There are two types of attacks :

1. Passive - When a network intruder intercepts data traveling through the network without altering it (hard to detect, since nothing on the network changes) .

2. Active - When an intruder injects, alters or blocks traffic, or initiates commands to disrupt the network's normal operation .

PASSIVE ATTACKS
Wiretapping :- Monitoring of telephone or Internet conversations by a third party
Packet Sniffing :- Capturing the packets of data flowing on a network (passive as long as the sniffer only listens; redirecting traffic to the sniffer, for example by ARP spoofing, is active)
Active Attacks
Spoofing :- When a person gains unauthorized access to a user's system by pretending to be that user, or forges packet source addresses to impersonate another host
Cyber Attack :- A broad term for any attempt by attackers to damage or take down a whole computer network, for example by denial of service
Types Of Firewalls
Packet-Filter Firewall (decides per packet on IP addresses, protocol, ports and flags; stateful versions also track connections)
Proxy Firewall (terminates the client's connection and opens its own to the server, so it can inspect and filter at the application layer)
Following are a few real-world examples of targets of DoS attacks:
A worm called MyDoom started propagating in January 2004 with a real target in mind - www.sco.com. It was engineered to launch a Denial of Service (DoS) attack against SCO starting on 1 February 2004. Damage and total cost estimates from MyDoom were still in progress when this was written, but CEI estimated the total may exceed $4 billion, making it one of the most costly cyber attacks on record.
In January 2001 a series of DoS attacks overwhelmed the multicast infrastructure with an unusually large number of MSDP Source Active messages. An Internet worm, called the Ramen Worm, triggered these attacks as a side effect of its simple scanning mechanism.

Real world targets and metrics

Protecting – Among the aspects of protecting our systems and our business are looking at network design, discussing our agreement with our ISP, putting detection mechanisms and a response plan in place, and perhaps taking out an insurance policy. Proper preparation is essential for effective detection and reaction. Unfortunately, some sites begin their cycle with detection and reaction, triggering preparation steps only after a "lessons learned" experience.


Detecting – Our ability to detect attacks directly affects our ability to react appropriately and to limit damages. Among the approaches we can take are instituting procedures for analyzing logs and using automated intrusion detection systems.

Reacting – Reaction steps, hopefully put in place as part of preparing for an attack, include following our response plan, implementing specific steps based on the type of attack, calling our ISP, enabling backup links, moving content, and more. Technical steps include traffic limiting, blocking, and filtering.

How to handle DoS

Insurance & Bandwidth cost: Network traffic generated by the attack can result in incremental bandwidth costs—when we pay per byte, we also pay for the increased traffic caused by the attack.
In addition, our upstream Internet provider might or might not be amenable to waiving penalty charges caused by flood traffic.
Other issues that create hidden costs are insurance or legal fees or possible third-party liability resulting from our involvement in an attack.

Damage & Costs (contd.)

Logging costs: We may have additional costs because of the need to size notification resources (such as logs, mail spools, and paging services) to absorb attack-related events. Logging systems need to cope with significant deviations in the amount of data logged during attacks.


Extra network channels: Ideally, logging systems should use an out-of-band channel so that logging traffic does not add to the volume of DoS traffic that may be passed to the internal network. Centralized logging systems, considered a best security practice, may be stressed by receiving log data from multiple locations. Mail queues may fill up during a prolonged outage.

Damage & Costs (contd.)

Hidden Costs: There may be hidden costs associated with denial-of-service attacks. For example, the direct target of a DoS attack may not be the only victim. An attack against one site may affect network resources that serve multiple sites.


Bandwidth wastage: Resources we share with other parties (upstream bandwidth) may be consumed by an attack on someone else—another customer of our Internet service provider is attacked, so our upstream connections and routers are not as available to handle our legitimate traffic. Thus, even when we are not the target of an attack, we might experience increased network latency and packet loss, or possibly a complete outage.

Damage & Costs

Their results for February 2001: using backscatter analysis, they observed 12,805 attacks on over 5,000 distinct Internet hosts belonging to more than 2,000 distinct organizations during a three-week period.


In addition, CAIDA reports that 90% of attacks last for one hour or less; 90% are TCP based attacks, and around 40% reach rates of 500 Packets Per Second (PPS) or greater.


Analyzed attacks peaked at around 500,000 PPS. Other anecdotal sources report larger attacks consuming 35 megabits per second (Mbps) for periods of around 72 hours, with high-volume attacks reaching 800 Mbps.

Frequency & Scope (contd.)

How prevalent are denial-of-service attacks in the Internet today?

Researchers at the Cooperative Association for Internet Data Analysis (CAIDA), David Moore, Geoffrey Voelker and Stefan Savage, address this question in their 2001 paper, "Inferring Internet Denial-of-Service Activity". Using a technique called backscatter analysis, they monitored unsolicited traffic arriving at a large block of unpopulated address space (a "network telescope"). Their theory is that a flood whose packets carry random spoofed source addresses makes the victim answer (with SYN-ACKs, RSTs or ICMP errors) to addresses spread uniformly over the entire Internet address space, including the unpopulated space. Each unsolicited reply therefore names a victim in its source address, and because their monitor covered a /8, one 256th of the address space, an observed rate multiplied by 256 estimates the rate of the attack itself.

Frequency & Scope
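The inference step is small enough to show in full. The following is an added example (not code from the CAIDA paper or the original presentation) that takes packets seen by a dark /8, keeps only the kinds that can be replies to a spoofed-source flood, groups them by source address (the victim), requires the replies to be spread over several telescope addresses before calling it an attack, and scales the observed rate by 256. The telescope prefix, the observation tuples produced by constructed_observations and the thresholds are all constructed for the example.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed network telescope: an unused /8 (10/8 stands in for the routed dark /8 CAIDA monitored).
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")
SCALE = 2 ** 32 // TELESCOPE.num_addresses          # 256: uniformly spoofed backscatter lands here 1/256 of the time
BACKSCATTER = {"tcp/syn-ack", "tcp/rst", "icmp/echo-reply", "icmp/port-unreachable", "icmp/ttl-exceeded"}


def infer_attacks(observations, min_packets=25, min_hosts=5):
    """observations: (time_s, src, dst, kind) for every packet the telescope received.
    Nothing is ever sent from the telescope, so every packet is unsolicited; replies of the
    backscatter kinds reveal their *source* as a victim answering spoofed-source flood packets."""
    per_victim = defaultdict(list)
    for t, src, dst, kind in observations:
        if kind in BACKSCATTER and ipaddress.ip_address(dst) in TELESCOPE:
            per_victim[src].append((t, dst, kind))
    attacks = []
    for victim, pkts in per_victim.items():
        hosts = {dst for _, dst, _ in pkts}
        if len(pkts) < min_packets or len(hosts) < min_hosts:
            continue                                    # too few, or aimed at one address: not a flood signature
        times = sorted(t for t, _, _ in pkts)
        duration = max(times[-1] - times[0], 1.0)
        attacks.append({
            "victim": victim,
            "kind": Counter(k for _, _, k in pkts).most_common(1)[0][0],
            "observed": len(pkts),
            "duration_s": duration,
            "estimated_pps": round(len(pkts) / duration * SCALE),   # scale the 1/256 sample back up
        })
    return sorted(attacks, key=lambda a: -a["estimated_pps"])


def constructed_observations():
    """Not real telescope data: one SYN-flood victim answering with SYN-ACKs for 30 s, a second victim
    answering a UDP flood with ICMP port-unreachables, plus background noise that must not count."""
    obs = []
    for i in range(120):                                    # victim A: 120 SYN-ACKs over ~30 s to 40 telescope hosts
        obs.append((i * 0.25, "203.0.113.5", f"10.{i % 40}.1.1", "tcp/syn-ack"))
    for i in range(60):                                     # victim B: 60 ICMP errors over ~60 s to 10 hosts
        obs.append((i * 1.0, "198.51.100.9", f"10.200.{i % 10}.7", "icmp/port-unreachable"))
    obs.append((5.0, "192.0.2.33", "10.1.1.1", "tcp/syn"))   # a scanner probing the dark space: not backscatter
    obs.append((7.0, "192.0.2.44", "10.3.3.3", "tcp/rst"))   # a lone RST: below threshold
    return obs


if __name__ == "__main__":
    for attack in infer_attacks(constructed_observations()):
        print(attack)
```

Two caveats the paper itself notes and the code inherits: floods that do not spoof, or spoof from a narrow range, leave no backscatter and are invisible to this method, and reflector attacks (such as the DNS and Smurf attacks described later) show the reflector, not the attacker, as the source.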

A normal packet is sent. A second packet is sent which has a fragmentation offset claiming to be inside the first fragment. This second fragment is too small to even extend outside the first fragment. This may cause an unexpected error condition to occur on the victim host which can cause a buffer overflow and possible system crash on many operating systems.

Teardrop attacks target a vulnerability in the way fragmented IP packets are reassembled. Fragmentation is necessary when IP Datagrams are larger than the maximum transmission unit (MTU) of a network segment across which the Datagrams must traverse. In order to successfully reassemble packets at the receiving end, the IP header for each fragment includes an offset to identify the fragment's position in the original un-fragmented packet. In a Teardrop attack, packet fragments are deliberately fabricated with overlapping offset fields causing the host to hang or crash when it tries to reassemble them.

Teardrop Attack

An ICMP echo header is 8 octets; most ping implementations let the user specify an arbitrary amount of data to append.
In the attack, the ICMP echo is sent as a series of IP fragments which, when reassembled, exceed the maximum legal IP packet size of 65535 octets. Each fragment is legal on its own, so only the reassembling host notices, and a host that did not check the reassembled size overflowed its buffer.

Ping of Death Attack (contd.)

In cases where the victim's host is a router, this attack may result in a routing loop consuming large quantities of bandwidth (unless filtered in advance).
One variation targets a particular TCP service on the victim: the attacker uses the same source and destination port, namely the port of that service, so the host's own service ends up answering itself. This may consume the victim's CPU resources.

Land Attack (contd.)

Land Attack
Ping of Death Attack
Fragmentation Attack and Teardrop Attack

Software Vulnerability Attacks

DNS name server Attack (contd.)

The most common method seen involves an intruder sending a large number of UDP-based DNS requests to a Nameserver using a spoofed source IP address. Any Nameserver response is sent back to the spoofed IP address as the destination.
In this scenario, the spoofed IP address represents the victim of the denial of service attack. The Nameserver is an intermediate party in the attack. The true source of the attack is difficult for an intermediate or a victim site to determine due to the use of spoofed source addresses.

DNS name server Attack

Smurf Attack
DNS name server Attack

Protocol Attacks

UDP is a connectionless, unreliable protocol which does not require session negotiation between client and server applications; that makes it easy to generate large numbers of UDP packets, with forged source addresses if desired.
A common attack which exploits UDP simply floods the network with UDP packets destined for the victim's host, typically to random ports so the victim also spends resources generating ICMP port-unreachable replies. Because the protocol is so simple, an attacker can consume large amounts of bandwidth with relatively little effort.

UDP Flood Attacks

SYN Flood Attack

Ping Flood Attack (ICMP echo)
SYN Flood Attack (DoS attack)
DDoS Attack (Distributed SYN Flood)
UDP Flood Attacks

Bandwidth/Throughput Attacks

Unusually slow network performance
Unavailability of a particular website
Inability to access any website
Dramatic increase in the amount of spam

Symptoms and Manifestations

Denial-of service attacks can essentially disable the computer or the network. Depending on the nature of the enterprise, this can disable your organization.
Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an “asymmetric attack”.
For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or network.

Impact

One way to attack a company’s network or website is to flood its systems with information.
Web and e-mail servers can only handle a finite amount of traffic and an attacker overloads the targeted system with packets of data.

How does an attack work?

A distributed denial of service (DDoS) attack is accomplished by using the Internet to break into computers and using them to attack a network. Hundreds or thousands of computer systems across the Internet can be turned into “zombies” and used to attack another system or website.

What is distributed denial of service?

When a denial of service (DoS) attack occurs, a computer or a network user is unable to access resources like e-mail and the Internet. An attack can be directed at an operating system or at the network.

What is denial of service attack?

Denial of Service (DoS)

Conclusion

Susceptibility to attacks could be alleviated with better Internet Architectures (goal of class).
Don’t leave all the decision making to the machines on either end of a connection
Provide ‘intelligent’ support along the path (e.g. No Blind forwarding of packets)
Create “Hardened” networks







In the following figure, a source test port simulates a Teardrop attack by sending one, and then many IP packet fragments with overlapping Fragment Offset fields. This attack traffic is first sent to the Device Under Test (DUT) interface connected to the source test port and then to the DUT's loopback address. The DUT's ability to drop this attack traffic is verified. Finally, normal background traffic is sent at the same time as attack traffic, so the DUT's performance during a Teardrop attack can be measured.

Teardrop Attack (contd.)

Ping of Death Attack (contd.)

Ping of Death is an attempt by an attacker to crash, reboot or freeze a system by sending an illegal ICMP (over IP) packet to the host under attack.
The IP specification allows a maximum packet size of 65535 octets. In some IP stack implementations, reassembling fragments into a datagram larger than that overflowed the reassembly buffer and crashed the victim's host.

Ping of Death Attack
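Teardrop and Ping of Death are both failures of one piece of code, the IP fragment reassembler, so one example serves both sections. The reassembler below is an added example (not code from the original presentation or from any operating system) that performs the checks a hardened stack or an IDS makes before buffering a fragment: offset alignment, the reassembled size against the 16-bit limit (Ping of Death), and a new fragment starting inside data already received (Teardrop). The Fragment class, verdict function and the three fragment sets are constructed for the example.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535          # IPv4 total length is a 16-bit field
MAX_PAYLOAD = MAX_DATAGRAM - 20


@dataclass
class Fragment:
    ident: int        # IP identification; all fragments of one datagram share it
    offset: int       # payload offset in bytes (the header field counts 8-octet units; offset = field * 8)
    more: bool        # MF flag: more fragments follow
    data: bytes


class ReassemblyError(ValueError):
    pass


def reassemble(fragments):
    """Reassemble one datagram's payload, refusing the malformed sets that crashed early stacks."""
    if not fragments:
        raise ReassemblyError("no fragments")
    if len({f.ident for f in fragments}) != 1:
        raise ReassemblyError("fragments belong to different datagrams")
    frags = sorted(fragments, key=lambda f: f.offset)
    expected = 0
    buf = bytearray()
    for f in frags:
        if f.offset % 8 or (f.more and len(f.data) % 8):
            raise ReassemblyError("fragment not aligned to 8-octet units")
        if f.offset + len(f.data) > MAX_PAYLOAD:           # Ping of Death: the whole would not fit in 16 bits
            raise ReassemblyError(f"oversized: payload would end at {f.offset + len(f.data)} > {MAX_PAYLOAD}")
        if f.offset < expected:                             # Teardrop: this fragment starts inside the previous one
            raise ReassemblyError(f"overlap: fragment at {f.offset} starts inside data already received up to {expected}")
        if f.offset > expected:                             # a hole; a real stack would keep waiting, then time out
            raise ReassemblyError(f"incomplete: hole before offset {f.offset}")
        buf += f.data
        expected = f.offset + len(f.data)
    if frags[-1].more:
        raise ReassemblyError("incomplete: last fragment missing")
    return bytes(buf)


def verdict(fragments):
    """'ok' or 'reject: <reason>', in the form a filter or IDS rule would log."""
    try:
        reassemble(fragments)
        return "ok"
    except ReassemblyError as err:
        return f"reject: {err}"


# Constructed fragment sets (not captured traffic).
NORMAL = [Fragment(1, 0, True, b"A" * 1480), Fragment(1, 1480, False, b"B" * 100)]
TEARDROP = [Fragment(2, 0, True, b"A" * 32), Fragment(2, 8, False, b"B" * 8)]
PING_OF_DEATH = [Fragment(3, 65528, False, b"C" * 8)]    # offset field 8191 (the maximum) plus 8 data bytes

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH)):
        print(f"{name}: {verdict(frags)}")
```

Note that the size check is done from the fragment's offset and length alone, before any data is buffered: a stack only needs the last fragment to know the datagram would be too big, which is why it can be rejected without ever waiting for the rest.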

Here DUT is the Device Under Test

Land Attack (contd.)

In this attack, an attacker sends spoofed TCP SYN packets, with the same source and destination addresses as the victim's host address.
In some TCP/IP stack implementations those kinds of packets may cause the victim's host to crash.
Any remote user that can send spoofed packets to a host can crash or "hang" that host.
A possible solution for this attack is to block IP-spoofed packets. Attacks like those of the Land tool rely on forged packets, that is, packets where the attacker deliberately falsifies the origin address. With the current IP protocol it is impossible for a receiver to eliminate IP-spoofed packets outright. However, you can reduce the likelihood of your site's networks being used to originate forged packets by filtering outgoing packets whose source address is not one of your internal network's addresses (ingress/egress filtering, BCP 38 / RFC 2827), and a host or border filter can drop any packet whose source address equals its destination address, since no legitimate traffic has that property.

Land Attack

Smurf Attack (contd.)

In this attack, spoofed IP packets containing ICMP Echo-Request with a source address equal to that of the attacked system and a broadcast destination address are sent to the intermediate network.
Sending an ICMP Echo Request to a broadcast address causes every host on that network to respond with an Echo Reply, so a single forged request produces a flood of replies routed to the spoofed victim address; the intermediate network acts as an amplifier. Routers should not forward directed broadcasts arriving from outside (RFC 2644 made this the default) and hosts should ignore broadcast echo requests, which removes the amplifier.

Smurf Attack
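The filtering rules named in the Land and Smurf sections, plus the BCP 38 source-address filtering, fit in one stateless border filter. The following is an added example (not code from the original presentation or from any firewall product) for a filter sitting in front of a constructed site prefix: it drops packets whose source equals their destination (Land), inbound packets to the site's broadcast address (Smurf amplification), inbound packets claiming an inside source and outbound packets with a foreign source (spoofing in either direction), and impossible sources. The Packet class, the INTERNAL prefix and the sample packets are this example's own constructions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed site prefix (RFC 5737 documentation range) sitting behind this filter.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1     # 8 = echo request


def filter_packet(pkt, direction):
    """Stateless border filter. direction is 'in' (Internet -> INTERNAL) or 'out' (INTERNAL -> Internet).
    Returns (allowed, rule) naming the first rule that matched."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src == dst:
        return (False, "land: source equals destination, never legitimate")
    if src.is_loopback or src.is_multicast or src.is_unspecified:
        return (False, "bogon: impossible source address")
    if direction == "in":
        if src in INTERNAL:
            return (False, "ingress spoof: outside packet claims an inside source (RFC 2827)")
        if dst in (INTERNAL.broadcast_address, INTERNAL.network_address):
            return (False, "directed broadcast: would make us a Smurf amplifier (RFC 2644)")
    else:
        if src not in INTERNAL:
            return (False, "egress spoof: inside host forging a foreign source (BCP 38)")
    return (True, "default allow")


# Constructed packets, one per rule, plus a legitimate inbound HTTPS connection.
LAND = Packet("192.0.2.10", "192.0.2.10", "tcp", 139, 139)
SMURF = Packet("203.0.113.5", "192.0.2.255", "icmp", icmp_type=8)   # the victim's address forged as source
INGRESS_SPOOF = Packet("192.0.2.7", "192.0.2.20", "udp", 53, 53)
EGRESS_SPOOF = Packet("203.0.113.9", "198.51.100.2", "tcp", 1234, 80)
NORMAL_IN = Packet("198.51.100.4", "192.0.2.20", "tcp", 51000, 443)

if __name__ == "__main__":
    for name, pkt, direction in (("land", LAND, "in"), ("smurf", SMURF, "in"),
                                 ("ingress spoof", INGRESS_SPOOF, "in"),
                                 ("egress spoof", EGRESS_SPOOF, "out"), ("normal", NORMAL_IN, "in")):
        print(f"{name:14} {filter_packet(pkt, direction)}")
```

The egress rule is the one that helps other people rather than you: it stops your hosts from being the source of Land, Smurf or DNS-reflection packets aimed elsewhere, which is why BCP 38 asks every network to deploy it.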

The idea behind this attack is focusing Internet connection bandwidth of many machines upon one or a few machines. This way it is possible to use a large array of smaller (or “weaker”) widely distributed computers to create the big flood effect.

DDoS Attack

An attempt by an attacker on a high bandwidth connection to saturate a network with ICMP echo request packets in order to slow or stop legitimate traffic going through the network.

Ping Flood Attack

DoS attacks exploit the asymmetric nature of certain types of network traffic. One attack method seeks to cause the target to use more resources processing traffic than the attacker does sending the traffic. Another method is to control multiple attackers. Therefore DoS attacks can be classified into three categories
Bandwidth/Throughput Attacks
Protocol Attacks
Software Vulnerability Attacks

Attack classification

Middlewalls

DoS Defense

Middlewalls are simple, special-purpose, high-speed firewalls deployed in the core of the Internet at inter-domain boundaries to serve as a filter of sorts.
They give a server under stress upstream access control: it can ask the middlewall to block the attacking traffic before it reaches the server's own link.

RPF Checking of Server Addresses

DoS Defense

Using path-based client addresses severely restricts source-address spoofing by a client, but it does not restrict spoofing by servers.
Reverse Path Forwarding largely prevents a server from spoofing the address of a server in a different domain.
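As an added example (not code from the original presentation or from any router), here is the check a router performs for unicast reverse path forwarding as described in RFC 3704: look the packet's source address up in the forwarding table and, in strict mode, accept only if the route back to that source leaves through the interface the packet arrived on. Loose mode, also shown, accepts if any non-default route exists; it copes with asymmetric routing but lets through exactly the kind of spoof the strict check catches. The FIB and the interface names are constructed for the example, and best_route and urpf_check are this example's names.

```python
import ipaddress

# Constructed forwarding table of a border router; in practice this is the router's live FIB.
FIB = [
    (ipaddress.ip_network("192.0.2.0/24"), "eth1"),      # customer A
    (ipaddress.ip_network("198.51.100.0/24"), "eth2"),   # customer B
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),         # upstream (default route)
]


def best_route(addr):
    """Longest-prefix match: (prefix length, interface), or None if nothing matches."""
    a = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifc) for net, ifc in FIB if a in net]
    return max(matches) if matches else None


def urpf_check(src, in_ifc, mode="strict"):
    """Unicast Reverse Path Forwarding (RFC 3704). Returns True if the packet may be forwarded.
    strict: the best route back to src must leave through the interface the packet came in on.
    loose:  any non-default route to src suffices; weaker, but usable on asymmetric peering links."""
    route = best_route(src)
    if route is None:
        return False
    prefixlen, ifc = route
    if mode == "strict":
        return ifc == in_ifc
    return prefixlen > 0


if __name__ == "__main__":
    # Constructed arrivals: (source address, interface it arrived on)
    for src, ifc in (("192.0.2.7", "eth1"), ("192.0.2.7", "eth2"), ("198.51.100.3", "eth0"), ("203.0.113.9", "eth1")):
        print(f"{src:14} on {ifc}: strict={urpf_check(src, ifc)} loose={urpf_check(src, ifc, 'loose')}")
```

Strict uRPF on the customer-facing interfaces is what stops one customer from forging another customer's addresses, or any outside address, which is the server-spoofing case the slide refers to.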

Separate Client and Server Addresses

DoS Defense

The IP address space can be divided into a set of client addresses and a set of server addresses.
allow clients to initiate connections to servers, but not vice versa
nor servers to initiate connections to servers.

How do we defend against a DoS attack?

DoS Defense

Nonglobal Client Addresses

path based addressing

DoS Defense

Denial of Service
[figure: DoS - the bad guy sends the attack from a compromised host to the victim; third parties on the path are affected as well]

Distributed Denial of Service
[figure: DDoS - the bad guy controls a master agent, which directs slave agents (zombies, bots) on owned hosts to flood the victim(s); third parties on the path are affected as well]
Following are few real world examples of various targets of DOS attacks:
A worm called MyDoom started propagating which had a real target in mind - www.sco.com. It was engineered to launch a Denial Of Service (DOS) attack against SCO starting on February 1. Damage and total cost estimates from MyDoom are still in progress, but CEI now estimates the total may exceed $ 4 billion, making it one of the most costly cyber attacks on record.
In January 2001 a series of DoS attacks overwhelmed the multicast infrastructure with an unusually large number of Source Active messages. An Internet worm, called the Ramen Worm, triggered these attacks with the simple attack mechanism.

Real world targets and metrics

Insurance & Bandwidth cost: Network traffic generated by the attack can result in incremental bandwidth costs—when we pay per byte, we also pay for the increased traffic caused by the attack.
In addition, our upstream Internet provider might or might not be amenable to waiving penalty charges caused by flood traffic.
Other issues that create hidden costs are insurance or legal fees or possible third-party liability resulting from our involvement in an attack.

Damage & Costs (contd.)

Hidden Costs: There may be hidden costs associated with denial-of-service attacks. For example, the direct target of a DoS attack may not be the only victim. An attack against one site may affect network resources that serve multiple sites.


Bandwidth wastage: Resources we share with other parties (upstream bandwidth) may be consumed by an attack on someone else—another customer of our Internet service provider is attacked, so our upstream connections and routers are not as available to handle our legitimate traffic. Thus, even when we are not the target of an attack, we might experience increased network latency and packet loss, or possibly a complete outage.

Damage & Costs

A normal packet is sent. A second packet is sent which has a fragmentation offset claiming to be inside the first fragment. This second fragment is too small to even extend outside the first fragment. This may cause an unexpected error condition to occur on the victim host which can cause a buffer overflow and possible system crash on many operating systems.

Teardrop attacks target a vulnerability in the way fragmented IP packets are reassembled. Fragmentation is necessary when IP Datagrams are larger than the maximum transmission unit (MTU) of a network segment across which the Datagrams must traverse. In order to successfully reassemble packets at the receiving end, the IP header for each fragment includes an offset to identify the fragment's position in the original un-fragmented packet. In a Teardrop attack, packet fragments are deliberately fabricated with overlapping offset fields causing the host to hang or crash when it tries to reassemble them.

Teardrop Attack

Ping of Death Attack (contd.)

Most implementations of the ICMP protocol use packet header size of 8 octets but allow the user to specify larger packet header sizes.
In the attack, the ICMP packet is sent in the form of a fragmented message which, when reassembled is larger than the maximum legal IP packet size.

Ping of Death Attack (contd.)

Ping of Death is an attempt by an attacker to crash, reboot or freeze a system by sending an illegal ICMP (over IP) packet to the host under attack.
The TCP/IP specification allows for a maximum packet size of up to 65536 octets. In some TCP stack implementation encountering packets of greater size may cause the victim's host to crash.

Ping of Death Attack

In cases where the victim's host is a router, this attack may result in a routing loop consuming large quantities of bandwidth (unless filtered in advance).
One of the variations of this attack targets a certain TCP service provided by the victim. In this case the attacker uses the same source and destination ports which used by the victim's service. This may consume the victim's host CPU resources.

Land Attack (contd.)

In this attack, an attacker sends spoofed TCP SYN packets, with the same source and destination addresses as the victim's host address.
In some TCP/IP stack implementations those kinds of packets may cause the victim's host to crash.
Any remote user that can send spoofed packets to a host can crash or "hang" that host.
Possible solution for this attack is to block IP-spoofed packets. Attacks like those of the Land tool rely on the use of forged packets, that is, packets where the attacker deliberately falsifies the origin address. With the current IP protocol technology, it is impossible to eliminate IP-spoofed packets. However, you can reduce the likelihood of your site's networks being used to initiate forged packets by filtering outgoing packets that have a source address different from that of your internal network.

Land Attack

DNS name server Attack (contd.)

The most common method seen involves an intruder sending a large number of UDP-based DNS requests to a Nameserver using a spoofed source IP address. Any Nameserver response is sent back to the spoofed IP address as the destination.
In this scenario, the spoofed IP address represents the victim of the denial of service attack. The Nameserver is an intermediate party in the attack. The true source of the attack is difficult for an intermediate or a victim site to determine due to the use of spoofed source addresses.

DNS name server Attack

In this attack, spoofed IP packets containing ICMP Echo-Request with a source address equal to that of the attacked system and a broadcast destination address are sent to the intermediate network.
Sending a ICMP Echo Request to a broadcast address triggers all hosts included in the network to respond with an ICMP response packet, thus creating a large mass of packets which are routed to the victim's spoofed address.

Smurf Attack

UDP protocol is a connectionless unreliable protocol which doesn't require session negotiation between client and server application. UDP provides easy to use interface for producing large quantity of packets.
A common attack which exploits UDP simply floods the network with UDP packets destined to a victim's host. Due to the relative simplicity of this protocol an attacker can produce large bandwidth capacity with relatively small effort.

UDP Flood Attacks

SYN Flood Attack

Ping Flood Attack (ICMP echo)
SYN Flood Attack (DoS attack)
DDoS Attack (Distributed SYN Flood)
UDP Flood Attacks

Bandwidth/Throughput Attacks

DoS attacks exploit the asymmetric nature of certain types of network traffic. One attack method seeks to make the target spend more resources processing traffic than the attacker spends sending it. Another method is to control multiple attackers. DoS attacks can therefore be classified into three categories:
Bandwidth/Throughput Attacks
Protocol Attacks
Software Vulnerability Attacks

Attack classification

Denial-of-service attacks can essentially disable a computer or a network. Depending on the nature of the enterprise, this can disable your organization.
Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an “asymmetric attack”.
For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.

Impact

One way to attack a company’s network or website is to flood its systems with information.
Web and e-mail servers can handle only a finite amount of traffic, so an attacker overloads the targeted system with packets of data.

How does an attack work?

A distributed denial of service (DDoS) attack is accomplished by using the Internet to break into computers and using them to attack a network. Hundreds or thousands of computer systems across the Internet can be turned into “zombies” and used to attack another system or website.

What is distributed denial of service?

Conclusion

Susceptibility to attacks could be alleviated with better Internet architectures (a goal of this class).
Don’t leave all the decision making to the machines on either end of a connection.
Provide ‘intelligent’ support along the path (e.g. no blind forwarding of packets).
Create “hardened” networks.
Protecting – Among the aspects of protecting our systems and our business are looking at network design, discussing our agreement with our ISP, putting detection mechanisms and a response plan in place, and perhaps taking out an insurance policy. Proper preparation is essential for effective detection and reaction. Unfortunately, some sites begin their cycle with detection and reaction, triggering preparation steps only after a “lessons learned” experience.


Detecting – Our ability to detect attacks directly affects our ability to react appropriately and to limit damages. Among the approaches we can take are instituting procedures for analyzing logs and using automated intrusion detection systems.

Reacting – Reaction steps, hopefully put in place as part of preparing for an attack, include following our response plan, implementing specific steps based on the type of attack, calling our ISP, enabling backup links, moving content, and more. Technical steps include traffic limiting, blocking, and filtering.

How to handle DoS

Logging costs: We may have additional costs because of the need to size notification resources (such as logs, mail spools, and paging services) to absorb attack-related events. Logging systems need to cope with significant deviations in the amount of data logged during attacks.


Extra network channels: Ideally, logging systems should use an out-of-band channel so that logging traffic does not add to the volume of DoS traffic that may be passed to the internal network. Centralized logging systems, considered a best security practice, may be stressed by receiving log data from multiple locations. Mail queues may fill up during a prolonged outage.

Damage & Costs (contd.)

Their results, published in February 2001, were that, using backscatter analysis, they observed 12,805 attacks on over 5,000 distinct Internet hosts belonging to more than 2,000 distinct organizations during a three-week period.


In addition, CAIDA reports that 90% of attacks last for one hour or less, 90% are TCP-based attacks, and around 40% reach rates of 500 packets per second (PPS) or greater.


Analyzed attacks peaked at around 500,000 PPS. Other anecdotal sources report larger attacks consuming 35 megabits per second (Mbps) for periods of around 72 hours, with high-volume attacks reaching 800 Mbps.

Frequency & Scope (contd.)

How prevalent are denial-of-service attacks in the Internet today?

Researchers at the Cooperative Association for Internet Data Analysis (CAIDA) address this question in their paper, “Inferring Internet Denial-of-Service Activity”. Using a technique called backscatter analysis, the researchers monitored unsolicited traffic arriving at unpopulated address space. Their premise is that DoS traffic using randomly spoofed source addresses will generate response traffic to the entire Internet address space, including the unpopulated space they monitor.

Frequency & Scope
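The backscatter inference described above, as an added example that is not part of the original slides or of the CAIDA paper: replies that a victim sends to randomly spoofed sources are collected at a "telescope" (an unpopulated prefix), grouped by their source (the victim), and the observed reply rate is scaled by 2^32 divided by the number of monitored addresses to estimate the victim's whole-Internet reply rate. The packet tuples, the 10.0.0.0/8 telescope and the `min_packets` threshold are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

FULL_SPACE = 2 ** 32  # size of the IPv4 address space

# Packet types a victim emits in reply to a spoofed-source probe; anything else is not backscatter.
BACKSCATTER = {("tcp", "SA"), ("tcp", "R"), ("tcp", "RA"),
               ("icmp", "echo-reply"), ("icmp", "unreachable")}


def infer_attacks(packets, telescope, min_packets=5):
    """packets: (time_s, src, dst, proto, kind) tuples seen at a telescope owning `telescope`.
    Returns one record per inferred victim with observed and estimated (whole-Internet) rates."""
    net = ip_network(telescope)
    by_victim = defaultdict(list)
    for t, src, dst, proto, kind in packets:
        if ip_address(dst) in net and (proto, kind) in BACKSCATTER:
            by_victim[src].append(t)  # the *source* of backscatter is the victim
    attacks = []
    for victim, times in by_victim.items():
        if len(times) < min_packets:  # assumed threshold to discard stray single replies
            continue
        times.sort()
        duration = max(times[-1] - times[0], 1.0)
        observed_pps = len(times) / duration
        # With uniformly random spoofed sources the telescope sees n/2^32 of all replies,
        # so scaling the observed rate by 2^32/n estimates the victim's total reply rate.
        attacks.append({"victim": victim, "packets": len(times), "duration_s": duration,
                        "observed_pps": observed_pps,
                        "estimated_pps": observed_pps * FULL_SPACE / net.num_addresses})
    return attacks


# Constructed sample: ten SYN-ACKs from one victim to scattered telescope addresses,
# a scanner's SYN (not a reply) and a lone RST from another host (below threshold).
SAMPLE = [(t, "203.0.113.5", f"10.{t}.{t * 7 % 256}.{t * 13 % 256}", "tcp", "SA")
          for t in range(10)]
SAMPLE += [(3, "198.51.100.7", "10.1.2.3", "tcp", "S"),
           (4, "192.0.2.44", "10.9.9.9", "tcp", "RA")]

if __name__ == "__main__":
    for a in infer_attacks(SAMPLE, "10.0.0.0/8"):
        print(f"victim {a['victim']}: {a['packets']} pkts over {a['duration_s']}s, "
              f"observed {a['observed_pps']:.2f} pps, estimated {a['estimated_pps']:.0f} pps")
```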

In the following figure, a source test port simulates a Teardrop attack by sending one, and then many, IP packet fragments with overlapping Fragment Offset fields. This attack traffic is first sent to the Device Under Test (DUT) interface connected to the source test port and then to the DUT's loopback address. The DUT's ability to drop this attack traffic is verified. Finally, normal background traffic is sent at the same time as the attack traffic, so the DUT's performance during a Teardrop attack can be measured.

Teardrop Attack (contd.)

Here DUT is the Device Under Test
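The check a DUT must perform to drop the Teardrop traffic above (overlapping fragment offsets), and the related oversize check for Ping of Death, as an added example that is not part of the original slides or of any test equipment: raw IPv4 headers are parsed, fragments are grouped per datagram, and each group is flagged if a fragment starts before the previous one ends or the reassembled size would exceed 65535 bytes. `make_frag` and the sample fragments are constructed for this example.

```python
import struct
from collections import defaultdict

MAX_DATAGRAM = 65535  # largest IPv4 total length a reassembled datagram may have


def parse_ipv4(pkt):
    """Pull the fields needed for reassembly sanity checks out of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, frag_word = struct.unpack("!HHH", pkt[2:8])
    return {
        "key": (pkt[12:16], pkt[16:20], ident, pkt[9]),  # src, dst, identification, protocol
        "offset": (frag_word & 0x1FFF) * 8,              # Fragment Offset is in 8-byte units
        "more": bool(frag_word & 0x2000),                # MF flag
        "payload_len": total_len - ihl,
    }


def check_datagram(frags):
    """Return the reasons a set of fragments of one datagram should be dropped ([] = sane)."""
    problems, end = [], 0
    for f in sorted(frags, key=lambda f: f["offset"]):
        if f["offset"] < end:  # Teardrop: this fragment starts inside the previous one
            problems.append("overlap")
        end = max(end, f["offset"] + f["payload_len"])
    if end > MAX_DATAGRAM:  # Ping of Death: reassembled datagram would exceed 65535 bytes
        problems.append("oversize")
    return problems


def classify(packets):
    """Group raw packets into datagrams and check each one; returns {key: problems}."""
    groups = defaultdict(list)
    for pkt in packets:
        f = parse_ipv4(pkt)
        groups[f["key"]].append(f)
    return {key: check_datagram(frags) for key, frags in groups.items()}


def make_frag(ident, offset, payload_len, more, src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Constructed test fragment (protocol ICMP, TTL 64, checksum left zero); offset in bytes."""
    frag_word = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, frag_word, 64, 1, 0, src, dst)
    return hdr + bytes(payload_len)


# Constructed samples: a Teardrop pair, a Ping-of-Death tail fragment and a well-formed pair.
TEARDROP = [make_frag(1, 0, 36, True), make_frag(1, 24, 24, False)]
PING_OF_DEATH = [make_frag(2, 0, 1480, True), make_frag(2, 65528, 16, False)]
NORMAL = [make_frag(3, 0, 1480, True), make_frag(3, 1480, 100, False)]

if __name__ == "__main__":
    for key, problems in classify(TEARDROP + PING_OF_DEATH + NORMAL).items():
        print(f"id={key[2]} -> {'DROP ' + ','.join(problems) if problems else 'ok'}")
```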

Land Attack (contd.)

Land Attack
Ping of Death Attack
Fragmentation Attack and Teardrop Attack

Software Vulnerability Attacks

Smurf Attack (contd.)

Smurf Attack
DNS Name Server Attack

Protocol Attacks

The idea behind this attack is to focus the Internet connection bandwidth of many machines upon one or a few machines. This way it is possible to use a large array of smaller (or “weaker”) widely distributed computers to create the big flood effect.

DDoS Attack

An attempt by an attacker on a high-bandwidth connection to saturate a network with ICMP echo request packets in order to slow or stop legitimate traffic going through the network.

Ping Flood Attack

Unusually slow network performance
Unavailability of a particular website
Inability to access any website
Dramatic increase in the amount of spam

Symptoms and Manifestations

When a denial-of-service (DoS) attack occurs, a computer or network user is unable to access resources such as e-mail and the Internet. An attack can be directed at an operating system or at the network.

What is a denial-of-service attack?

Separate Client and Server Addresses

DoS Defense

The IP address space can be divided into a set of client addresses and a set of server addresses.
Allow clients to initiate connections to servers, but do not allow servers to initiate connections to clients,
nor servers to initiate connections to other servers.

How do we defend against a DoS attack?

DoS Defense

Middlewalls

DoS Defense

Simple, special-purpose, high-speed firewalls deployed in the core of the Internet at inter-domain boundaries, serving as a filter of sorts.
They give upstream access control to a server under stress.

RPF Checking of Server Addresses

DoS Defense

Using path-based client addresses severely restricts source-address spoofing by a client, but it does not restrict spoofing by servers.
Reverse path forwarding (RPF) checking largely prevents a server from spoofing the address of a server in a different domain.
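Two source-address checks from this deck, as an added example that is not code from the original slides: the egress filter suggested under the Land attack (drop outgoing packets whose source is not one of our own prefixes) and the strict reverse-path check described here (accept an arriving packet only if the best route back to its source leaves through the interface it arrived on). The routing table, interface names and prefixes are constructed assumptions.

```python
from ipaddress import ip_address, ip_network


class RoutingTable:
    """Longest-prefix-match table mapping prefixes to outgoing interfaces (constructed sample)."""

    def __init__(self, routes):
        self.routes = sorted(((ip_network(p), iface) for p, iface in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        a = ip_address(addr)
        for net, iface in self.routes:  # most specific prefix first
            if a in net:
                return iface
        return None


def egress_allowed(src, internal_prefixes):
    """Border egress filter: a packet may leave only if its source is one of our own prefixes."""
    a = ip_address(src)
    return any(a in ip_network(p) for p in internal_prefixes)


def urpf_allowed(src, in_iface, table):
    """Strict unicast RPF: accept only if the best route back to src uses the arriving interface."""
    return table.lookup(src) == in_iface


# Constructed site: two internal /24s behind eth1 and eth2, default route towards the ISP on eth0.
TABLE = RoutingTable([("192.0.2.0/24", "eth1"), ("198.51.100.0/24", "eth2"), ("0.0.0.0/0", "eth0")])
INTERNAL = ["192.0.2.0/24", "198.51.100.0/24"]


def filter_outbound(packets):
    """Decide each (src, dst) leaving towards the ISP; packets with foreign sources are dropped."""
    return [(src, dst, "forward" if egress_allowed(src, INTERNAL) else "drop") for src, dst in packets]


def filter_inbound(packets):
    """Decide each (src, in_iface) arriving at the border router under strict uRPF."""
    return [(src, iface, "accept" if urpf_allowed(src, iface, TABLE) else "drop") for src, iface in packets]


if __name__ == "__main__":
    print(filter_outbound([("192.0.2.7", "203.0.113.1"), ("203.0.113.9", "203.0.113.1")]))
    print(filter_inbound([("192.0.2.7", "eth1"), ("192.0.2.7", "eth0"), ("203.0.113.9", "eth0")]))
```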

Nonglobal Client Addresses

Path-based addressing

DoS Defense

[Figure: Denial of Service (DoS). Labelled elements: bad guy, compromised host, victim, third parties.]

[Figure: Distributed Denial of Service (DDoS). Labelled elements: bad guy, master agent, slave agents (zombies, bots), owned host, victim(s), third parties.]

IPsec Security Protocols