CS 640: Introduction to
Computer Networks
Aditya Akella
Lecture 25
Network Security
�The Road Ahead
Security Vulnerabilities
DoS and D-DoS
Firewalls
�Security Vulnerabilities
Security Problems in the TCP/IP
Protocol Suite Steve Bellovin, 1989
Attacks on Different Layers
IP Attacks
ICMP Attacks
Routing Attacks
TCP Attacks
Application Layer Attacks
�Why the Flaws?
TCP/IP was designed for connectivity
Had its origins in an innocent world
Assumed to have lots of trust
Security not intrinsic to design
Host implementation vulnerabilities
Software bugs
Some elements in the specification were
left to the implementers
�Security Flaws in IP
The IP addresses are filled in by the originating host
Address spoofing
Using source address for authentication
r-utilities (rlogin, rsh, rhosts etc..)
2.1.1.1
Can A claim it is B to the
server S?
ARP Spoofing
Interne
t
1.1.1.3
Can C claim it is B to the
server S?
Much harder
A
1.1.1.1
1.1.1.2
Source Routing?
�Security Flaws in IP
IP fragmentation attack
End hosts need to keep the fragments till
all the fragments arrive
Traffic amplification attack
IP allows broadcast destination
Problems?
�Ping Flood
Internet
Attacking System
Broadcast
Enabled
Network
Victim
System
�ICMP Attacks
No authentication
ICMP redirect message
Can cause the host to switch gateways
Man in the middle attack, sniffing
ICMP destination unreachable
Can cause the host to drop connection
Many more
http://www.sans.org/rr/whitepapers/threats/477.
php
�Routing Attacks
Distance Vector Routing
Announce 0 distance to all other nodes
Blackhole traffic
Eavesdrop
Link State Routing
Can drop links randomly
Can claim direct link to any other router
A bit harder to attack than DV
BGP
ASes can announce arbitrary prefix
ASes can alter path
Could even happen due to misconfigurations
�TCP Attacks
SYN x
SYN y | ACK x+1
Client
Issues?
ACK y+1
Server
Server needs to keep waiting for ACK y+1
Server recognizes Client based on IP address/port
and y+1
�TCP Layer Attacks
TCP SYN Flooding
Exploit state allocated at server after
initial SYN packet
Send a SYN and dont reply with ACK
Server will wait for 511 seconds for ACK
Finite queue size for incomplete
connections (1024)
Once the queue is full it doesnt accept
requests
�TCP Layer Attacks
TCP Session Hijack
When is a TCP packet valid?
Address/Port/Sequence Number in window
How to get sequence number?
Sniff traffic
Guess it
Many earlier systems had predictable ISN
Inject arbitrary data to the connection
�TCP Layer Attacks
TCP Session Poisoning
Send RST packet
Will tear down connection
Do you have to guess the exact sequence
number?
Anywhere in window is fine
For 64k window it takes 64k packets to reset
About 15 seconds for a T1
�Application Layer Attacks
Applications dont authenticate properly
Authentication information in clear
FTP, Telnet, POP
DNS insecurity
DNS poisoning
DNS zone transfer
�An Example
Shimomura (S)
Finger
Showmount -e
SYN
Trusted (T)
Finger @S
Attack when no one is around
showmount e
What other systems it trusts?
Send 20 SYN packets to S
Mitnick
Determine ISN behavior
�An Example
Shimomura (S)
Syn flood
Trusted(T)
Finger @S
Attack when no one is around
showmount e
What other systems it trusts?
Send 20 SYN packets to S
SYN flood T
Mitnick
Determine ISN behavior
T wont respond to packets
�An Example
SYN|ACK
Shimomura (S)
SYN
ACK
trusted (T)
Finger @S
Attack when no one is around
showmount e
What other systems it trusts?
Send 20 SYN packets to S
Mitnick (M) Determine ISN behavior
SYN flood T
T wont respond to packets
Send SYN to S spoofing as
T
S assumes that it has a session
with T
Send ACK to S with a
guessed number
�An Example
Shimomura (S)
++ > rhosts
Trusted (T)
Finger @S
Attack when no one is around
showmount e
What other systems it trusts?
Send 20 SYN packets to S
Determine ISN behavior
SYN flood T
Mitnick
T wont respond to packets
Send SYN to S spoofing as
T
S assumes that it has a session
with T
Send ACK to S with a
guessed number
Give permission to anyone from
anywhere
Send echo + + > ~/.rhosts
�Denial of Service
Objective make a service unusable, usually
by overloading the server or network
Consume host resources
TCP SYN floods
ICMP ECHO (ping) floods
Consume bandwidth
UDP floods
ICMP floods
�Denial of Service
Crashing the victim
Ping-of-Death
TCP options (unused, or used incorrectly)
Forcing more computation
Taking slow path in processing of packets
�Simple DoS
The Attacker usually spoofed
source address to hide origin
Attacker
Easy to block
Victim
Victim
Victim
�Coordinated DoS
Attacker
Victim
Attacker
Victim
Attacker
Victim
The first attacker attacks a different victim to cover up the real attack
The Attacker usually spoofed source address to hide origin
Harder to deal with
�Distributed DoS
Attacker
Handler
Agent
Agent
Handler
Agent
Victim
Agent
Agent
�Distributed DoS
The handlers are usually very high volume servers
Easy to hide the attack packets
The agents are usually home users with DSL/Cable
Already infected and the agent installed
Very difficult to track down the attacker
How to differentiate between DDoS and Flash
Crowd?
Flash Crowd Many clients using a service legitimately
Slashdot Effect
Victoria Secret Webcast
Generally the flash crowd disappears when the network is
flooded
Sources in flash crowd are clustered
Also, requests have a pattern
�DDoS Defenses
Network Capabilities
Destination explicitly decides whether or not to allow
packets
Indicate decision by inserting capabilities in packets
Routers en route check for valid capabilities in subsequent
packets
Issues?
Traffic Scrubbers
Sink all traffic to a back-end
Scrub, scrub, scrub
Issues?
�Firewalls
Lots of vulnerabilities on hosts in network
Users dont keep systems up to date
Lots of patches
Lots of exploits in wild (no patch for them)
Solution?
Limit access to the network
Dont trust outsiders
Trust insiders(!!!)
Put firewalls across the perimeter of the network
�Firewalls (contd)
Firewall inspects traffic through it
Has a pre-defined policy
Allows traffic specified in the policy
Drops everything else
Two Types
Packet Filters, Proxies
Firewall
Internet
Internal Network
�Packet Filters
Packet filter selectively passes packets from
one network interface to another
Usually done within a router between external
and internal networks
screening router
Can be done by a dedicated network element
packet filtering bridge
harder to detect and attack than screening
routers
�Packet Filters Contd.
Data Available
IP source and destination addresses
Transport protocol (TCP, UDP, or ICMP)
TCP/UDP source and destination ports
ICMP message type
Packet options (Fragment Size etc.)
Actions Available
Allow the packet to go through
Drop the packet (Notify Sender/Drop Silently)
Alter the packet (NAT?)
Log information about the packet
�Packet Filters Contd.
Example filters
Block all packets from outside except for
SMTP servers
Block all traffic to a list of domains
Block all connections from a specified
domain
�Typical Firewall Configuration
Internal hosts can access
DMZ and Internet
Internet
External hosts can
access DMZ only, not
Intranet
DMZ hosts can access
Internet only
DMZ
X
Advantages?
If a service gets
compromised in DMZ it
cannot affect internal
hosts
Intranet
�Example Firewall Rules
Stateless packet filtering firewall
Rule (Condition, Action)
Rules are processed in top-down order
If a condition satisfied for a packet
action is taken
All rules checked
�Sample Firewall Rule
Allow SSH from external hosts to internal hosts
Two rules
Inbound and outbound
Client
How to know a packet is for SSH?
Server
Inbound: src-port>1023, dst-port=22
SYN
Outbound: src-port=22, dst-port>1023
Protocol=TCP
SYN/ACK
Ack Set?
Problems?
ACK
Rule
Dir
Src
Addr
Src
Port
Dst
Addr
Dst
Port
Proto
Ack
Set?
Action
SSH-1
In
Ext
> 1023
Int
22
TCP
Any
Allow
SSH-2
Out
Int
22
Ext
> 1023
TCP
Yes
Allow
�Default Firewall Rules
Egress Filtering
Outbound traffic from external address Drop
Benefits?
Ingress Filtering
Inbound Traffic from internal address Drop
Benefits?
Default Deny
Why?
Rule
Dir
Src
Addr
Src
Port
Dst
Addr
Dst
Port
Proto
Ack
Set?
Action
Egress
Out
Ext
Any
Ext
Any
Any
Any
Deny
Ingress
In
Int
Any
Int
Any
Any
Any
Deny
Default
Any
Any
Any
Any
Any
Any
Any
Deny
�Packet Filters
Advantages
Transparent to application/user
Simple packet filters can be efficient
Disadvantages
Usually fail open
Very hard to configure the rules
Doesnt have enough information to take actions
Does port 22 always mean SSH?
Who is the user accessing the SSH?
What is the fix?
�Alternatives
Stateful packet filters
Keep the connection states
Easier to specify rules connection level
More popular
Problems?
State explosion
State for UDP/ICMP?
�Alternatives
Proxy Firewalls
Two connections instead of one
Either at transport level
SOCKS proxy
Or at application level
HTTP proxy
Requires applications (or dynamically
linked libraries) to be modified to use
the proxy
�Proxy Firewall
Data Available
Application level information
User information
Advantages?
Better policy enforcement
Better logging
Fail closed
Disadvantages?
Doesnt perform as well
One proxy for each application
Client modification
�Summary
TCP/IP security vulnerabilities
Spoofing
Flooding attacks
TCP session poisoning
DOS and D-DOS
Firewalls
Packet Filters
Proxy
