Content Distribution Networks (CDNs) - PDF document (lecture slides 229-242, Reuven Cohen, Internet networking)
Slide 229: Content Distribution Networks (CDNs)

- A content distribution network can be viewed as a global web server replication.
  - main idea: each replica is located in a different geographic area, rather than in the same server farm.
- A CDN usually consists of the following components:
  - A set of web servers and/or cache servers
  - A dedicated intelligent distribution mechanism to move data between the various servers
  - A mechanism to intelligently match the requesting user with the most efficient server.
- main issues of a CDN:
  - to which replica should a user's request be forwarded
  - how to direct a request ("global redirection")
  - how to ensure consistency among the various replicas:
    - how to synchronize changes such that the same request to two different replicas at the same time will get the same response

Reuven Cohen, Internet networking

Slide 230: Content Distribution Networks (cont.)

- Like web caching, a CDN helps in
  - reducing the response time to users' requests
  - saving expensive bandwidth
- However, whereas a web cache is usually operated by an ISP, a CDN
  - is operated by (or for) a content provider like CNN.com
  - the CDN saves the cost of an expensive access link from the content provider to its ISP.

Slide 231: Request-routing using HTTP-redirect

- The request is received by a single director
- The director determines the IP address of the server closest to the user
- It then responds by an HTTP redirect (301) message
- The client browser transparently connects to the selected server.

[Figure: a client in Boston sends GET to the director and receives Redirect (NY); the client then sends GET to server 1 (NY) and receives the Response; server 2 (LA) is not used.]

Slide 232: Request routing using a DNS director when the CDN is operated by a CDN provider

- A DNS director is used in order to balance the access to mirror servers.
- The client searches for the IP address of www.com1.com
- The client's local DNS server sends a DNS query for www.com1.com
- The com1.com DNS server refers the client's DNS server to dd.cdn.com
  - cdn.com is a CDN provider
- The local DNS sends to dd.cdn.com a DNS query for www.com1.com
- Based on the IP address of the calling DNS server and on information about the location of the relevant mirror servers, the director determines the best server for the client and returns the IP address of that server to the client.

Slide 233: Part 6: Network Attacks and Security

- Security vulnerabilities are everywhere:
  - In the IP protocol
  - In TCP
  - In HTTP
  - In routing protocols
  - In DNS, in ARP, and so on...
- Where do the problems come from?
  - Protocol-level vulnerabilities
    - Implicit trust assumptions in design
  - Implementation vulnerabilities
    - Both on routers and end-hosts
  - Incomplete specifications
    - Often left to the imagination of programmers
- There is no generic tool for addressing all security vulnerabilities. However, two common tools are very often used:
  - firewalls
  - cryptography

Slide 234: IP spoofing

- The attacker alters the source IP address of its packets, so that they appear to have come from another source
  - since the attacker does not get the response packets, this is also considered as "blind spoofing"
  - with "blind spoofing" it is difficult for the attacker to complete the setup of a TCP connection because of the random initial sequence number selected by the server
- Main motivation for IP address spoofing:
  - to gain access to protected resources, from servers that honor requests only from specific addresses
  - to hide the source in a Distributed Denial of Service (DDoS) attack.

Slide 235: SYN attack

- This attack takes advantage of a vulnerability of IP and of TCP.
- The idea: an attacker sends thousands of SYN packets to a given target, usually from multiple spoofed addresses.
- The response of the server is not received by the attacker, but in any case the attacked machine tries to open a TCP connection.
  - It waits for a long time (naive implementations wait up to 9 minutes) for the ACK of the initiator, and then drops the connection.
  - The number of pending connections, which wait for an ACK, is upper bounded, and when this maximum is reached, any new SYN is dropped.
- This attack is popular because:
  - It is very difficult to locate an attacker who uses spoofed IP addresses.
  - It is very difficult to block this attack, especially if the attacker uses multiple spoofed IP addresses.

Slide 236: Prevention of source address spoofing

- RFC-2827 proposes to block packets with spoofed IP addresses using the concept of "ingress filtering".
  - main idea: don't allow a packet to be received over an interface which does not lead to the source.
- E.g., if R2 receives from Net-5 an IP packet whose source IP address belongs to Net-1, the packet is dropped
  - Because the shortest path to Net-1 is through interface Net-2

[Figure: example topology with routers R1, R2, R3 and R4 connecting networks Net-1 through Net-7.]

- But this approach does not work for Inter-AS routing
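The half-open connection queue described in slide 235, as an added simulation that is not part of the original slides: the queue has a fixed upper bound and a 9-minute (540 s) timeout, spoofed SYNs are never completed, and a legitimate client is refused until entries expire. The source addresses and the bound of 8 pending connections are constructed values.

```python
class SynBacklog:
    """Model of a server's queue of half-open TCP connections (slide 235).
    Constructed simulation with a virtual clock, not a real TCP stack."""

    def __init__(self, max_pending, timeout_s):
        self.max_pending = max_pending    # upper bound on pending connections
        self.timeout_s = timeout_s        # how long a half-open entry is kept
        self.pending = {}                 # (src_ip, src_port) -> arrival time
        self.dropped = 0                  # SYNs refused because the queue was full

    def _expire(self, now):
        for key, arrived in list(self.pending.items()):
            if now - arrived >= self.timeout_s:
                del self.pending[key]     # gave up waiting for the handshake ACK

    def on_syn(self, src, now):
        """Returns True if the SYN gets a slot (SYN-ACK sent), False if dropped."""
        self._expire(now)
        if len(self.pending) >= self.max_pending:
            self.dropped += 1
            return False
        self.pending[src] = now
        return True

    def on_ack(self, src):
        """Final handshake ACK: the entry leaves the half-open queue."""
        return self.pending.pop(src, None) is not None


def simulate(max_pending=8, timeout_s=540.0):
    """Spoofed SYNs (constructed sources) arrive one per second and are never
    ACKed; a legitimate client tries at t=20 s and again after the 9-minute
    timeout. Returns (accepted_at_20s, accepted_at_541s, spoofed_dropped)."""
    backlog = SynBacklog(max_pending, timeout_s)
    for i in range(20):
        backlog.on_syn((f"198.51.100.{i}", 40000 + i), float(i))
    spoofed_dropped = backlog.dropped
    first_try = backlog.on_syn(("203.0.113.5", 51000), 20.0)
    # by t=541 the two oldest entries have timed out, freeing slots
    second_try = backlog.on_syn(("203.0.113.5", 51001), 541.0)
    return first_try, second_try, spoofed_dropped


if __name__ == "__main__":
    print(simulate())   # (False, True, 12)
```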
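The ingress-filtering check of RFC 2827 from slide 236, as an added example that is not part of the original slides: router R2 accepts a packet only if the longest-prefix route to its source address points back out of the arriving interface. The prefixes for Net-1 through Net-7 are assumed; the slides only name the networks.

```python
import ipaddress

# Constructed forwarding table for router R2 in slide 236: (prefix, outgoing
# interface). The prefixes are assumed; the slide only names Net-1 ... Net-7.
R2_TABLE = [
    (ipaddress.ip_network("10.1.0.0/24"), "Net-2"),  # Net-1 is reached via Net-2
    (ipaddress.ip_network("10.2.0.0/24"), "Net-2"),  # Net-2, directly attached
    (ipaddress.ip_network("10.5.0.0/24"), "Net-5"),  # Net-5, directly attached
    (ipaddress.ip_network("10.7.0.0/24"), "Net-5"),  # Net-7 is reached via Net-5
    (ipaddress.ip_network("10.3.0.0/24"), "Net-3"),
    (ipaddress.ip_network("10.4.0.0/24"), "Net-3"),
]


def route_interface(table, addr):
    """Longest-prefix match: which interface would R2 use to reach addr?"""
    matches = [(net, iface) for net, iface in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def ingress_filter(table, in_iface, src_ip):
    """RFC 2827 check: accept a packet only if its source address is reached
    through the interface it arrived on. A source that routes elsewhere (or
    nowhere) is treated as spoofed and the packet is dropped."""
    iface = route_interface(table, ipaddress.ip_address(src_ip))
    return iface == in_iface


def filter_batch(table, packets):
    """packets: list of (arriving interface, source IP); returns accepted sources."""
    return [src for iface, src in packets if ingress_filter(table, iface, src)]


if __name__ == "__main__":
    # Constructed sample: a legitimate Net-5 source, the slide's example of a
    # Net-1 source arriving from Net-5 (dropped), and an unroutable source.
    sample = [("Net-5", "10.5.0.9"), ("Net-5", "10.1.0.7"), ("Net-5", "203.0.113.4")]
    print(filter_batch(R2_TABLE, sample))   # ['10.5.0.9']
```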

Slide 237: More attack examples

- An attack on a router:
  - the attacker floods an ISP's router with IP packets carrying uncommon destination IP addresses
  - These packets blow the router's route cache, and therefore reduce the router speed substantially.
- ICMP flooding:
  - send an "ICMP Echo Request" message whose destination address is a directed broadcast and whose source address is a forged IP address
  - all the hosts in the destination network will send an "ICMP Echo Reply" to the forged address
- DNS cache poisoning:
  - works if the victim server supports recursive queries
  - the attacker sends a request to the attacked DNS server
  - the server forwards this request to another server
  - the attacker sends a reply, pretending to be the contacted server
    - this requires the attacker to predict the sequence number used by the victim server

Slide 238: More attack examples (cont.)

- Web server "man in the middle" attack
  - attacker uses DNS cache poisoning to associate the IP of its server with the name www.abc.com of a real server.
  - when a client accesses the attacker server, this server acts as a proxy
    - it forwards the client request to the real server and the server's response to the client
    - consequently, the attacker is able to listen to the whole session between the real client and the real server

Slide 239: What's a firewall

- A security mechanism usually used to protect data and computers on a private network from the uncontrolled activities of untrusted users.
  - Security: enables to selectively permit or deny access to the network, on the basis of protocol used, source/destination hosts, time-of-day etc.
  - Policy: may enforce restrictions on outbound traffic.
  - Auditing: may gather usage statistics.
- The main issue in the firewall design: at what layer should it operate.
  - higher layer security has more intelligence
  - but lower layer security is more efficient

[Figure: a firewall placed between the Internet and a private network.]

Slide 240: Three types of firewalls

[Figure: protocol stacks of an internal host, the firewall, and an external host for each type. A packet filtering firewall has only an IP layer and inspects the TCP/UDP headers passing through it; a transport layer firewall has full TCP/IP stacks towards both hosts; an application layer firewall adds an application (App.) layer on both sides as well.]

Slide 241: A packet filtering firewall

- Works on a per-packet basis.
  - Looks at the various fields in the IP and UDP/TCP headers.
- Determines whether or not to pass a packet based on the source and destination IP addresses and port numbers.
- E.g. a firewall administrator may not allow any incoming packets, except those destined for the local web server.
- E.g. a firewall administrator may allow local users to contact remote web servers by allowing outgoing packets whose destination port is 80 and incoming packets whose source port is 80
  - But this does not work if the remote web server is set up on port 8080 or any other port.

Slide 242: Examples for a packet filtering firewall

- Using the following rules, only traffic for the local web server can pass through the firewall

Direction | Action | Source IP address | Source port No. | Dest. IP address | Dest. port No. | Protocol
inbound   | allow  | *                 | > 1023          | our web server   | 80             | TCP
outbound  | allow  | our web server    | 80              | *                | > 1023         | TCP
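The two rule sets discussed on slides 241 and 242 as a stateless first-match filter, added here as an example and not part of the original slides: the slide 242 table that only admits traffic to and from the local web server, and slide 241's port-80 rules for local users, which reject a remote server listening on 8080. The web server address and the sample packets are constructed.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str   # "inbound" or "outbound" relative to the private network
    proto: str       # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


WEB_SERVER = "192.0.2.10"   # constructed address standing for "our web server"

# Field matchers; a rule is (direction, src_ip, src_port, dst_ip, dst_port, proto, action)
ANY = lambda _: True
GT_1023 = lambda port: port > 1023
PORT_80 = lambda port: port == 80
OUR_WEB = lambda ip: ip == WEB_SERVER

# Slide 242: only traffic for the local web server may pass.
WEB_SERVER_RULES = [
    ("inbound",  ANY,     GT_1023, OUR_WEB, PORT_80, "TCP", "allow"),
    ("outbound", OUR_WEB, PORT_80, ANY,     GT_1023, "TCP", "allow"),
]

# Slide 241: let local users reach remote web servers by matching on port 80.
LOCAL_USERS_RULES = [
    ("outbound", ANY, GT_1023, ANY, PORT_80, "TCP", "allow"),
    ("inbound",  ANY, PORT_80, ANY, GT_1023, "TCP", "allow"),
]


def decide(pkt, rules, default="deny"):
    """First-match stateless filter; anything unmatched gets the default action."""
    for direction, sip, sport, dip, dport, proto, action in rules:
        if (pkt.direction == direction and pkt.proto == proto
                and sip(pkt.src_ip) and sport(pkt.src_port)
                and dip(pkt.dst_ip) and dport(pkt.dst_port)):
            return action
    return default


if __name__ == "__main__":
    web = Packet("inbound", "TCP", "198.51.100.7", 45000, WEB_SERVER, 80)
    print(decide(web, WEB_SERVER_RULES))        # allow
    ssh = Packet("inbound", "TCP", "198.51.100.7", 45000, WEB_SERVER, 22)
    print(decide(ssh, WEB_SERVER_RULES))        # deny
    to_8080 = Packet("outbound", "TCP", "10.0.0.5", 52000, "203.0.113.9", 8080)
    print(decide(to_8080, LOCAL_USERS_RULES))   # deny: slide 241's caveat
```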
