L21 - Security

Network Attacks
• Network Trust Issues
– TCP Congestion control
– IP Src Spoofing
– Wireless transmission
• Denial of Service Attacks
– TCP-SYN
– Name Servers
• DDoS (DNS)
– DNS Amplification attack
Network Trust Issues
The Gullible Network
• A lot of network protocols assume people are well-intentioned
– TCP: Congestion Control
– Wireless: Transmit power
– BGP Route-advertisements
Cheating TCP
Payoff matrix for two senders A and B that each choose how fast to grow their congestion window per RTT; each cell is (x, y) = (A's throughput, B's throughput):

                      B increases by 1    B increases by 5
  A increases by 1    (22, 22)            (10, 35)
  A increases by 5    (35, 10)            (15, 15)

Individual incentives: cheating pays
Social incentives: better off without cheating
Too aggressive → losses → throughput falls
Classic Prisoner's Dilemma: resolution depends on accountability
Cheating Wireless
Payoff matrix for two wireless senders A and B that each choose a transmit power; each cell is (A's throughput, B's throughput):

                    B: 10X power         B: normal power
  A: 10X power      (5 Mbps, 5 Mbps)     (20 Mbps, 0 Mbps)
  A: normal power   (0 Mbps, 20 Mbps)    (10 Mbps, 10 Mbps)

Individual incentives: cheating pays
Social incentives: better off without cheating
Classic Prisoner's Dilemma: resolution depends on accountability
Origin: IP Address Ownership and Hijacking
• Who can advertise a prefix with BGP?
– By the AS who owns the prefix
– … or, by its upstream provider(s) on its behalf
• Implicit trust between upstream & downstream
providers
• However, what’s to stop someone else?
– Prefix hijacking: another AS originates the prefix
– BGP does not verify that the AS is authorized
Prefix Hijacking: full or partial control
[Figure: AS topology with ASes 1–7; two different ASes both originate 12.34.0.0/16, one the legitimate owner and one the hijacker, so some ASes route the prefix to the wrong origin]
• Consequences for the affected ASes
– Blackhole: data traffic is discarded
– Snooping: data traffic is inspected, and then redirected
– Impersonation: data traffic is sent to bogus destinations
DoS
Denial of Service Attack
• Prevent other people from using a service:
– A server
– A link in a network
• High level idea
– Send a lot of packets and ensure 100% utilization
• No one else can use it.
DNS: Denial Of Service
• Flood DNS servers with requests until they fail
• What was the effect?
– … users may not even notice
– Caching is almost everywhere
• More targeted attacks can be effective
– Local DNS server → users cannot access DNS
– Authoritative server → users cannot access the domain
TCP: Denial Of Service (SYN Flood)
• Send a bunch of SYN Packets to a server
– Server allocates buffer and TCP sockets
– You allocate nothing
– Eventually the server runs out of space.
• How to solve this problem?
Recall: TCP Handshake
A (client) → Server: SYN
• Client side: no allocations, no resource committed
Server allocates on receiving the SYN:
• Allocates data structures
• E.g. buffer space
TCP: Denial Of Service (SYN Flood)
• Send a bunch of SYN Packets to a server
– Server allocates buffer and TCP sockets
– Server responds with ‘SYN/ACK’
– You allocate nothing
– Eventually Server runs out of space.
• How to solve this problem?
– SYN Cookies: server stores nothing and instead responds with a special cookie
– If cookie is returned in subsequent packet, then server allocates space
– Assumption: If you come back then you aren’t a bad person
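How a SYN cookie lets the server store nothing until the client proves it can receive packets, as an added example (not from the lecture). The secret, the MSS table and the 5-bit-slot / 3-bit-MSS / 24-bit-MAC layout are assumptions modelled on common implementations; the cookie is bound to the client's address, so a spoofed SYN never produces the ACK that would trigger an allocation.

```python
import hashlib
import hmac

# Server-side secret, constructed for this example; never leaves the server.
SERVER_SECRET = b"constructed-example-secret"
# Small MSS table encoded in 3 bits of the cookie (assumed values).
MSS_TABLE = (536, 1300, 1440, 1460)
SLOT_SECONDS = 64   # one time-counter slot lasts 64 s
MAX_SLOT_AGE = 2    # accept cookies minted in the current or two previous slots


def _mac24(slot, src_ip, src_port, dst_ip, dst_port):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time slot."""
    msg = f"{slot}|{src_ip}|{src_port}|{dst_ip}|{dst_port}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, now):
    """Server ISN placed in the SYN/ACK. No per-connection state is stored:
    everything needed to validate the returning ACK is in the number itself.
    Layout: 5 bits time slot | 3 bits MSS index | 24 bits MAC."""
    slot = int(now) // SLOT_SECONDS
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):  # largest table entry <= client's MSS
        if m <= mss:
            mss_idx = i
    mac = _mac24(slot, src_ip, src_port, dst_ip, dst_port)
    return ((slot & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now):
    """Validate a cookie echoed back in the handshake's third packet.
    Returns the MSS to use, or None if the cookie is forged or stale."""
    slot_bits, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    slot_now = int(now) // SLOT_SECONDS
    for age in range(MAX_SLOT_AGE + 1):   # tolerate a slow round trip
        slot = slot_now - age
        if (slot & 0x1F) == slot_bits and _mac24(slot, src_ip, src_port, dst_ip, dst_port) == mac:
            return MSS_TABLE[mss_idx]
    return None


def on_ack(ack_num, src_ip, src_port, dst_ip, dst_port, now):
    """The ACK acknowledges ISN+1, so the cookie is ack_num-1 (mod 2^32).
    Only a valid cookie leads to allocating a connection; a flood of SYNs
    with spoofed sources never yields this packet and costs the server nothing."""
    return check_cookie((ack_num - 1) & 0xFFFFFFFF, src_ip, src_port, dst_ip, dst_port, now)
```

Real stacks also drop TCP options the cookie cannot encode (e.g. window scaling) unless TCP timestamps carry them, which is the price of keeping zero state.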
Problems with DoS
• One person attacks one server/link
– Easy to figure out who ….
– Easy to block ….
– Takes a while for the attack to work…..
DDoS
Distributed Denial of Service Attack
• Take over a number of machines
– Use a BotNet
• Use all machines to conduct a DoS on a server
– Much more effective than regular DoS
– Harder to stop and shutdown
DNS Amplification Attack
DNS Amplification attack (40x amplification):
• DoS source → DNS server: DNS query, 60 bytes, with SrcIP spoofed to the DoS target
• DNS server → DoS target: EDNS response, 3000 bytes
580,000 open resolvers on Internet (Kaminsky-Shiffman’06)
Solutions
Attack path: attacker → IP-spoofed packets → open amplifier → victim
• Prevent IP spoofing
• Disable open amplifiers
DDOS
BotNet → DNS requests → Name Server → DNS responses → victim