computer security dd2395
play

Computer Security DD2395 - PowerPoint PPT Presentation

Nov 30, 2023 •636 likes •1.08k views

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010 Sonja Buchegger buc@kth.se Lecture 8, Feb. 10, 2010 Malicious Software, Denial of Service Announcements ! Lab reports ! Bonus points !

  1. Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010 Sonja Buchegger buc@kth.se Lecture 8, Feb. 10, 2010 Malicious Software, Denial of Service

  2. Announcements ! Lab reports ! Bonus points ! Presentation topics, tasks ! Guest lecture on audits, Feb. 17 Feb. 8, 2010 KTH DD2395 Sonja Buchegger 2

  3. Virus Countermeasures ! prevention - ideal solution but difficult ! realistically need: ! detection ! identification ! removal ! if detect but can’t identify or remove, must discard and replace infected program Feb. 8, 2010 KTH DD2395 Sonja Buchegger 3

  4. Anti-Virus Evolution ! virus & antivirus tech have both evolved ! early viruses simple code, easily removed ! as become more complex, so must the countermeasures ! generations ! first - signature scanners ! second - heuristics ! third - identify actions ! fourth - combination packages Feb. 8, 2010 KTH DD2395 Sonja Buchegger 4

  5. Generic Decryption ! runs executable files through GD scanner: ! CPU emulator to interpret instructions ! virus scanner to check known virus signatures ! emulation control module to manage process ! lets virus decrypt itself in interpreter ! periodically scan for virus signatures ! issue is long to interpret and scan ! tradeoff chance of detection vs time delay Feb. 8, 2010 KTH DD2395 Sonja Buchegger 5

  6. Digital Immune System Feb. 8, 2010 KTH DD2395 Sonja Buchegger 6

  7. Behavior-Blocking Software Feb. 8, 2010 KTH DD2395 Sonja Buchegger 7

  8. Worms ! replicating program that propagates over net ! using email, remote exec, remote login ! has phases like a virus: ! dormant, propagation, triggering, execution ! propagation phase: searches for other systems, connects to it, copies self to it and runs ! may disguise itself as a system process ! concept seen in Brunner’s “Shockwave Rider” ! implemented by Xerox Palo Alto labs in 1980’s Feb. 8, 2010 KTH DD2395 Sonja Buchegger 8

  9. Morris Worm ! one of best know worms ! released by Robert Morris in 1988 ! various attacks on UNIX systems ! cracking password file to use login/password to logon to other systems ! exploiting a bug in the finger protocol ! exploiting a bug in sendmail ! if succeed have remote shell access ! sent bootstrap program to copy worm over Feb. 8, 2010 KTH DD2395 Sonja Buchegger 9

  10. Worm Propagation Model Feb. 8, 2010 KTH DD2395 Sonja Buchegger 10

  11. Recent Worm Attacks ! Code Red ! July 2001 exploiting MS IIS bug ! probes random IP address, does DDoS attack ! consumes significant net capacity when active ! Code Red II variant includes backdoor ! SQL Slammer ! early 2003, attacks MS SQL Server ! compact and very rapid spread ! Mydoom ! mass-mailing e-mail worm that appeared in 2004 ! installed remote access backdoor in infected systems Feb. 8, 2010 KTH DD2395 Sonja Buchegger 11

  12. Worm Technology ! multiplatform ! multi-exploit ! ultrafast spreading ! polymorphic ! metamorphic ! transport vehicles ! zero-day exploit Feb. 8, 2010 KTH DD2395 Sonja Buchegger 12

  13. Countermeasures Feb. 8, 2010 KTH DD2395 Sonja Buchegger 13

  14. Worm Countermeasures ! overlaps with anti-virus techniques ! once worm on system A/V can detect ! worms also cause significant net activity ! worm defense approaches include: ! signature-based worm scan filtering ! filter-based worm containment ! payload-classification-based worm containment ! threshold random walk scan detection ! rate limiting and rate halting Feb. 8, 2010 KTH DD2395 Sonja Buchegger 14

  15. Proactive Worm Containment Feb. 8, 2010 KTH DD2395 Sonja Buchegger 15

  16. Network Based Worm Defense Feb. 8, 2010 KTH DD2395 Sonja Buchegger 16

  17. Bots ! program taking over other computers ! to launch hard to trace attacks ! if coordinated form a botnet ! characteristics: ! remote control facility ! via IRC/HTTP etc ! spreading mechanism ! attack software, vulnerability, scanning strategy ! various counter-measures applicable Feb. 8, 2010 KTH DD2395 Sonja Buchegger 17

  18. Rootkits ! set of programs installed for admin access ! malicious and stealthy changes to host O/S ! may hide its existence ! subverting report mechanisms on processes, files, registry entries etc ! may be: ! persistent or memory-based ! user or kernel mode ! installed by user via trojan or intruder on system ! range of countermeasures needed Feb. 8, 2010 KTH DD2395 Sonja Buchegger 18

  19. Rootkit System Table Mods Feb. 8, 2010 KTH DD2395 Sonja Buchegger 19

  20. Summary ! introduced types of malicous software ! incl backdoor, logic bomb, trojan horse, mobile ! virus types and countermeasures ! worm types and countermeasures ! bots ! rootkits Feb. 8, 2010 KTH DD2395 Sonja Buchegger 20

  21. Denial of Service ! denial of service (DoS) an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space ! attacks ! network bandwidth ! system resources ! application resources ! have been an issue for some time Feb. 8, 2010 KTH DD2395 Sonja Buchegger 21

  22. Classic Denial of Service Attacks ! can use simple flooding ping ! from higher capacity link to lower ! causing loss of traffic ! source of flood traffic easily identified Feb. 8, 2010 KTH DD2395 Sonja Buchegger 22

  23. Classic Denial of Service Attacks Feb. 8, 2010 KTH DD2395 Sonja Buchegger 23

  24. Source Address Spoofing ! use forged source addresses ! given sufficient privilege to “raw sockets” ! easy to create ! generate large volumes of packets ! directed at target ! with different, random, source addresses ! cause same congestion ! responses are scattered across Internet ! real source is much harder to identify Feb. 8, 2010 KTH DD2395 Sonja Buchegger 24

  25. SYN Spoofing ! other common attack ! attacks ability of a server to respond to future connection requests ! overflowing tables used to manage them ! hence an attack on system resource Feb. 8, 2010 KTH DD2395 Sonja Buchegger 25

  26. TCP Connection Handshake Feb. 8, 2010 KTH DD2395 Sonja Buchegger 26

  27. SYN Spoofing Attack Feb. 8, 2010 KTH DD2395 Sonja Buchegger 27

  28. Countermeasure ! One way of preventing such DoS: Make it costly to connect. Whoever wants to connect has to do solve a computation-heavy problem. ! Is this effective? ! When? Why? ! When not? Why? Feb. 8, 2010 KTH DD2395 Sonja Buchegger 28

  29. SYN Spoofing Attack ! attacker often uses either ! random source addresses ! or that of an overloaded server ! to block return of (most) reset packets ! has much lower traffic volume ! attacker can be on a much lower capacity link Feb. 8, 2010 KTH DD2395 Sonja Buchegger 29

  30. Types of Flooding Attacks ! classified based on network protocol used ! ICMP Flood ! uses ICMP packets, eg echo request ! typically allowed through, some required ! UDP Flood ! alternative uses UDP packets to some port ! TCP SYN Flood ! use TCP SYN (connection request) packets ! but for volume attack Feb. 8, 2010 KTH DD2395 Sonja Buchegger 30

  31. Distributed Denial of Service Attacks ! have limited volume if single source used ! multiple systems allow much higher traffic volumes to form a Distributed Denial of Service (DDoS) Attack ! often compromised PC’s / workstations ! zombies with backdoor programs installed ! forming a botnet ! e.g. Tribe Flood Network (TFN), TFN2K Feb. 8, 2010 KTH DD2395 Sonja Buchegger 31

  32. DDoS Control Hierarchy Feb. 8, 2010 KTH DD2395 Sonja Buchegger 32

  33. Reflection Attacks ! use normal behavior of network ! attacker sends packet with spoofed source address being that of target to a server ! server response is directed at target ! if send many requests to multiple servers, response can flood target ! various protocols e.g. UDP or TCP/SYN ! ideally want response larger than request ! prevent if block source spoofed packets Feb. 8, 2010 KTH DD2395 Sonja Buchegger 33

  34. Reflection Attacks ! further variation creates a self-contained loop between intermediary and target ! fairly easy to filter and block Feb. 8, 2010 KTH DD2395 Sonja Buchegger 34

  35. Amplification Attacks Feb. 8, 2010 KTH DD2395 Sonja Buchegger 35

  36. DNS Amplification Attacks ! use DNS requests with spoofed source address being the target ! exploit DNS behavior to convert a small request to a much larger response ! 60 byte request to 512 - 4000 byte response ! attacker sends requests to multiple well connected servers, which flood target ! need only moderate flow of request packets ! DNS servers will also be loaded Feb. 8, 2010 KTH DD2395 Sonja Buchegger 36

  37. DoS Attack Defenses ! high traffic volumes may be legitimate ! result of high publicity, e.g. “slash-dotted” ! or to a very popular site, e.g. Olympics etc ! or legitimate traffic created by an attacker ! three lines of defense against (D)DoS: ! attack prevention and preemption ! attack detection and filtering ! attack source traceback and identification Feb. 8, 2010 KTH DD2395 Sonja Buchegger 37

  38. Attack Prevention ! block spoofed source addresses ! on routers as close to source as possible ! still far too rarely implemented ! rate controls in upstream distribution nets ! on specific packets types ! e.g. some ICMP, some UDP, TCP/SYN ! use modified TCP connection handling ! use SYN cookies when table full ! or selective or random drop when table full Feb. 8, 2010 KTH DD2395 Sonja Buchegger 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 11, Nov. 29, 2010 Multi-Level Security Trusted Computing and Multilevel Security present some interrelated

1k views • 41 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak12/ Fall 2012

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak12/ Fall 2012

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak12/ Fall 2012 Sonja Buchegger buc@kth.se Lecture 9 Firewalls (maybe start on Multilevel Security) DD2395 Sonja Buchegger 1 Catch-up Labs l Labbvecka in June

540 views • 35 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 13, Dec. 6, 2010 Auditing Security Audit an independent review and examination of a system's records

353 views • 33 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak11/ Fall 2011 Sonja Buchegger buc@kth.se Lecture 3 User Authentication KTH DD2395 Sonja Buchegger 1 More Follow-up Courses l EP2500: Networked Systems

821 views • 26 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011 Sonja Buchegger buc@kth.se Lecture 8 Denial of Service DD2395 Sonja Buchegger 1 Course Admin l WANTED: Student representatives for the

1.29k views • 37 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011 Sonja Buchegger buc@kth.se Lecture 7 Malicious Software DD2395 Sonja Buchegger 1 Course Admin l Lab 2: - prepare before lab session - signup!

844 views • 39 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2011 Sonja Buchegger buc@kth.se Lecture 10, Nov. 24, 2011 Social Engineering DD2395, Sonja Buchegger 1 Course Admin GPG Lab 1 bonus results in

1.22k views • 39 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010 Sonja Buchegger buc@kth.se Lecture 2, Jan. 20, 2010 Cryptography Scope of Computer Security Jan. 20, 2010 KTH DD2395 Sonja Buchegger 2

469 views • 45 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 2, Oct. 27, 2010 Cryptography Oct. 27, 2010 KTH DD2395 Sonja Buchegger 1 Questionnaire Results Prior

602 views • 42 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak11/ Fall 2011 Sonja Buchegger buc@kth.se Lecture 4 Access Control 1 Access Control l The prevention of unauthorized use* of a resource, including the

429 views • 39 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010 Sonja Buchegger buc@kth.se Lecture 7, Feb. 8, 2010 Malicious Software Malicious Software programs exploiting system vulnerabilities known

427 views • 10 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 1, Oct. 25, 2010 Introduction Oct. 25, 2010 Computer Security, Sonja Buchegger 1 Outline for Today About

670 views • 43 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011 Sonja Buchegger buc@kth.se Lecture 1, Oct. 25, 2011 Introduction Oct. 25, 2011 Computer Security, Sonja Buchegger 1 Outline for Today ! About

565 views • 45 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Spring 2010 Sonja Buchegger buc@kth.se Lecture 7, Nov. 15, 2010 Malicious Software, Denial of Service Nov. 15, 2010 DD2395 Sonja Buchegger 1 Malicious

589 views • 48 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 3 User Authentication KTH DD2395 Sonja Buchegger 1 User Authentication KTH DD2395 Sonja Buchegger 2 User

485 views • 27 slides
Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer Security is the protection of computing systems and the data that they store or access 3 Why is Computer Security Important? Computer Security allows

690 views • 19 slides
Fou our Case S e Studies es o on Just T Transiti tion: Le Less ssons s for I Ireland

Fou our Case S e Studies es o on Just T Transiti tion: Le Less ssons s for I Ireland

Fou our Case S e Studies es o on Just T Transiti tion: Le Less ssons s for I Ireland and SINA AD MERC RCIER CONSU NSULTANT O T ON C CLIMATE C TE CHANGE A GE AND ND J JUST T T TRANSI SITI TION L LAW A AND P POLICY TH

382 views • 14 slides
MPI Review Computational Example Common approach for grid-based computations on distributed

MPI Review Computational Example Common approach for grid-based computations on distributed

Lecture 9: Distributed Memory More on MPI Communication costs Hardware / Network topologies from Rauber and Runger MPI Review Computational Example Common approach for grid-based computations on distributed memory uses domain

753 views • 37 slides
Introductory Lecture on Astrophysics (for astroparticle physicists) Pasquale D. Serpico

Introductory Lecture on Astrophysics (for astroparticle physicists) Pasquale D. Serpico

Introductory Lecture on Astrophysics (for astroparticle physicists) Pasquale D. Serpico International School on AstroParticle Physics - Zaragoza 13/07/2010 Disclaimer Disclaimer Astrophysics is a huge field: In no way I can provide anything

1.01k views • 58 slides
Automatic Failure Diagnosis based on Timing Behavior Anomaly Detection in Distributed Java Web

Automatic Failure Diagnosis based on Timing Behavior Anomaly Detection in Distributed Java Web

Automatic Failure Diagnosis based on Timing Behavior Anomaly Detection in Distributed Java Web Applications Diploma Thesis Presentation Nina S. Marwede Abteilung Software Engineering Fakultt II Department fr Informatik August 26, 2008

654 views • 41 slides
I nformation Technology Advisory Committee (I TAC) Public Business Meeting February 2, 2018

I nformation Technology Advisory Committee (I TAC) Public Business Meeting February 2, 2018

I nformation Technology Advisory Committee (I TAC) Public Business Meeting February 2, 2018 Teleconference Hon. Sheila F . Hanson Chair, Information Technology Advisory Committee 1 Administrative Matters Open Meeting I. Call to Order,

770 views • 33 slides
iot.schema.org Overview and Update July 1, 2018 Semantic Interoperability What? Common

iot.schema.org Overview and Update July 1, 2018 Semantic Interoperability What? Common

iot.schema.org Overview and Update July 1, 2018 Semantic Interoperability What? Common ways to describe interactions with the physical world Abstract Interactions e.g. Temperature How? Detailed instructions for protocol

494 views • 17 slides
Relating Multiset Rewriting and Process Algebra for Immediate Decryption Protocols Iliano

Relating Multiset Rewriting and Process Algebra for Immediate Decryption Protocols Iliano

Relating Multiset Rewriting and Process Algebra for Immediate Decryption Protocols Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano Joint work with S. Bistarelli, G. Lenzini,

498 views • 21 slides
Large-Scale API Protocol Mining for Automated Bug Detection Michael Pradel Department of

Large-Scale API Protocol Mining for Automated Bug Detection Michael Pradel Department of

Large-Scale API Protocol Mining for Automated Bug Detection Michael Pradel Department of Computer Science ETH Zurich 1 Motivation LinkedList pinConnections = ...; Iterator i = pinConnections.iterator (); while ( i.hasNext () ) { PinLink

1.55k views • 127 slides

More recommend