network 5 denial of service and firewalls most slides
play

Network #5: Denial of Service and Firewalls (Most Slides stolen - PowerPoint PPT Presentation

Aug 14, 2023 •128 likes •597 views

Computer Science 161 Fall 2016 Popa and Weaver Network #5: Denial of Service and Firewalls (Most Slides stolen from Dave Wagner) 1 Theme of This Lecture: Why Twitter & Reddit Sucked Last Week Computer Science 161 Fall 2016

  1. Computer Science 161 Fall 2016 Popa and Weaver Network #5: 
 Denial of Service and Firewalls (Most Slides stolen from 
 Dave Wagner) 1

  2. Theme of This Lecture: 
 Why Twitter & Reddit Sucked Last Week Computer Science 161 Fall 2016 Popa and Weaver 2

  3. Theme of This Lecture In Song: 
 50 Whys to Stop A Server... Computer Science 161 Fall 2016 Popa and Weaver • You are a bad guy... • And you want to stop some server from being available • Why? You name it... • Because its hard for someone to frag you in an online game if you "boot" him from the network • Because people will pay up to stop the attack • Because it conveys a political message • Get paid for by others 3

  4. The Easy DoS on a System: 
 Resource Consumption... Computer Science 161 Fall 2016 Popa and Weaver • Bad Dude has an account on your computer... • And wants to disrupt your work on Project 2... • He runs this simple program: • while(1): • Write random junk to random files • (uses disk space, thrashes the disk) • Allocate a bunch of RAM and write to it • (uses memory) • fork() • (creates more processes to run) • Only defense is some form of quota or limits: 
 The system itself must enforce some isolation 4

  5. The Network DOS Computer Science 161 Fall 2016 Popa and Weaver 5

  6. Or, another visual explanation... Computer Science 161 Fall 2016 Popa and Weaver • https://twitter.com/kokonoe0825/status/ 789536739887112192 6

  7. DoS & Networks Computer Science 161 Fall 2016 Popa and Weaver • How could you DoS a target’s Internet access? • Send a zillion packets at them • Internet lacks isolation between tra ffi c of di ff erent users! • What resources does attacker need to pull this o ff ? • At least as much sending capacity ( bandwidth ) as the bottleneck link of the target’s Internet connection • Attacker sends maximum-sized packets • Or: overwhelm the rate at which the bottleneck router can process packets • Attacker sends minimum-sized packets! • (in order to maximize the packet arrival rate) 7

  8. Defending Against Network DoS Computer Science 161 Fall 2016 Popa and Weaver • Suppose an attacker has access to a beefy system with high-speed Internet access (a “big pipe”). • They pump out packets towards the target at a very high rate. • What might the target do to defend against the onslaught? • Install a network filter to discard any packets that arrive with attacker’s IP address as their source • E.g., drop * 66.31.33.7:* -> *:* • Or it can leverage any other pattern in the flooding tra ffi c that’s not in benign tra ffi c • Attacker’s IP address = means of identifying misbehaving user 8

  9. Filtering Sounds Pretty Easy … Computer Science 161 Fall 2016 Popa and Weaver • … but DoS filters can be easily evaded: • Make tra ffi c appear as though it’s from many hosts • Spoof the source address so it can’t be used to filter • Just pick a random 32-bit number of each packet sent • How does a defender filter this? • They don’t! • Best they can hope for is that operators around the world implement anti-spoofing mechanisms (today about 75% do) • Use many hosts to send tra ffi c rather than just one • Distributed Denial-of-Service = DDoS (“dee-doss”) • Requires defender to install complex filters • How many hosts is “enough” for the attacker? • Today they are very cheap to acquire … :-( 9

  10. It’s Not A “Level Playing Field” Computer Science 161 Fall 2016 Popa and Weaver • When defending resources from exhaustion, need to beware of asymmetries, where attackers can consume victim resources with little comparable e ff ort • Makes DoS easier to launch • Defense costs much more than attack • Particularly dangerous form of asymmetry: amplification • Attacker leverages system’s own structure to pump up the load they induce on a resource 10

  11. Amplification Computer Science 161 Fall 2016 Popa and Weaver • Example of amplification: DNS lookups • Reply is generally much bigger than request • Since it includes a copy of the reply, plus answers etc. • Attacker spoofs DNS request to a patsy DNS 
 server, seemingly from the target • Small attacker packet yields large flooding packet • Doesn’t increase # of packets, but total volume • Note #1: these examples involve blind spoofing • So for network-layer flooding, generally only works for UDP-based protocols (can’t establish a TCP connection) • Note #2: victim doesn’t see spoofed source addresses • Addresses are those of actual intermediary systems 11

  12. Botnets Computer Science 161 Fall 2016 Popa and Weaver • If an attacker can control a lot of systems • They gain a huge amount of bandwidth • Modern DOS attacks approach 1 Terabit-per-second with direct connections • And it becomes very hard to filter them out • How do you specify 1M machines you want to ignore? • You control these "bots" in a "botnet" • So you can issue commands that cause all these systems to do what you want • This is what took down dyn DNS (and with it Twitter, Reddit, etc...): A botnet composed primarily of compromised cameras and DVRs 12

  13. Transport-Level Denial-of-Service Computer Science 161 Fall 2016 Popa and Weaver • Recall TCP’s 3-way connection establishment handshake – Goal: agree on initial sequence numbers Server Client (initiator) SYN, SeqNum = x Server creates state SYN + ACK, SeqNum = y, Ack = x + 1 associated with connection here 
 (buffers, timers, Attacker doesn’t counters) ACK, Ack = y + 1 even need to send this ack 13

  14. Transport-Level Denial-of-Service Computer Science 161 Fall 2016 Popa and Weaver • Recall TCP’s 3-way connection establishment handshake • Goal: agree on initial sequence numbers • So a single SYN from an attacker su ffi ces to force the server to spend some memory Server Client (initiator) SYN, SeqNum = x Server creates state SYN + ACK, SeqNum = y, Ack = x + 1 associated with connection here 
 (buffers, timers, Attacker doesn’t counters) ACK, Ack = y + 1 even need to send this ack 14

  15. TCP SYN Flooding Computer Science 161 Fall 2016 Popa and Weaver • Attacker targets memory rather than network capacity • Every (unique) SYN that the attacker sends burdens the target • What should target do when it has no more memory for a new connection? • No good answer! • Refuse new connection? • Legit new users can’t access service • Evict old connections to make room? • Legit old users get kicked o ff 15

  16. TCP SYN Flooding Defenses Computer Science 161 Fall 2016 Popa and Weaver • How can the target defend itself? 
 • Approach #1: make sure they have tons of memory! • How much is enough? • Depends on resources attacker can bring to bear (threat model), which might be hard to know • Back of the envelope: • If we need to hold 10kB for 1 minute: to exhaust 1GB, an attacker needs... • 100k packets/minute, or a bit more than 1,000 packets per second 16

  17. TCP SYN Flooding Defenses Computer Science 161 Fall 2016 Popa and Weaver • Approach #2: identify bad actors & refuse their connections • Hard because only way to identify them is based on IP address • We can’t for example require them to send a password because doing so requires we have an established connection! • For a public Internet service, who knows which addresses customers might come from? • Plus: attacker can spoof addresses since they don’t need to complete TCP 3-way handshake • Approach #3: don’t keep state! (“SYN cookies”; only works for spoofed SYN flooding) 17

  18. SYN Flooding Defense: Idealized Computer Science 161 Fall 2016 Popa and Weaver • Server: when SYN arrives, rather than keeping state locally, send it to the client … • Client needs to return the state in order to established connection Client (initiator) Server Do not save state SYN, SeqNum = x here; give to client S+A, SeqNum = y, Ack = x + 1, <State> Server only saves ACK, Ack = y + 1, <State> state here 18

  19. SYN Flooding Defense: Idealized Computer Science 161 Fall 2016 Popa and Weaver • Server: when SYN arrives, rather than keeping state locally, send Problem: the world isn’t so ideal! 
 it to the client … • Client needs to return the state in order to established connection TCP doesn’t include an easy way to add a new <State> field like this. Client (initiator) Server Do not save state Is there any way to get the same SYN, SeqNum = x here; give to client functionality without having to S+A, SeqNum = y, Ack = x + 1, <State> change TCP clients? Server only saves ACK, Ack = y + 1, <State> state here 19

  20. Practical Defense: SYN Cookies Computer Science 161 Fall 2016 Popa and Weaver • Server: when SYN arrives, encode connection state entirely within SYN-ACK’s sequence # y • y = encoding of necessary state, using server secret • When ACK of SYN-ACK arrives, server only creates state if value of y from it agrees w/ secret Client (initiator) Server Instead, encode it here Do not create 
 SYN, SeqNum = x state here SYN and ACK, SeqNum = y, Ack = x + 1 Server only creates state here ACK, Ack = y + 1 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Firewalls, cont / Denial-of-Service (DoS) CS 161: Computer Security Prof. Vern Paxson TAs:

Firewalls, cont / Denial-of-Service (DoS) CS 161: Computer Security Prof. Vern Paxson TAs:

Firewalls, cont / Denial-of-Service (DoS) CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 19, 2013 Goals

603 views • 42 slides
Denial of Service Denial of Service An attack designed to disrupt or completely deny

Denial of Service Denial of Service An attack designed to disrupt or completely deny

1 Denial of Service Denial of Service An attack designed to disrupt or completely deny legitimate users access to network, servers, services, or other resources Two basic favors: Target resource starvation Network

430 views • 19 slides
Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Outline Malware and the network, contd Denial of service and the network CSci 5271

Outline Malware and the network, contd Denial of service and the network CSci 5271

Outline Malware and the network, contd Denial of service and the network CSci 5271 Introduction to Computer Security Announcements intermission Malware and anonymity combined lecture Anonymous communications techniques Stephen McCamant

665 views • 10 slides
Network Security: Network Flooding Seungwon Shin, KAIST Most slides from Dr. Dan Boneh and

Network Security: Network Flooding Seungwon Shin, KAIST Most slides from Dr. Dan Boneh and

Network Security: Network Flooding Seungwon Shin, KAIST Most slides from Dr. Dan Boneh and Darren Anstee What is a Denial of Service Attack? Goal take out a large site with little computing work Network Bandwidth Computing Power Processor

694 views • 31 slides
Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on

Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on

CSE/ISE 311: Systems Administra5on Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on Firewalls: An Essen2al Tool Previous Lectures: Every service

469 views • 20 slides
Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Router Intranet Demilitarized Zone: DMZ publicly accessible servers and networks

746 views • 31 slides
FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls (Categories) Implementation Best practices What are Firewalls? Internet Firewall Client/Host Network Network Security

585 views • 39 slides
Detecting Distributed Denial of Service Attacks: A Neural Network Approach Gulay Oke

Detecting Distributed Denial of Service Attacks: A Neural Network Approach Gulay Oke

Detecting Distributed Denial of Service Attacks: A Neural Network Approach Gulay Oke (g.oke@imperial.ac.uk) Intelligent Systems and Networks Group Dept. of Electrical and Electronic Engineering Imperial College London Multi-Service

681 views • 21 slides
Denial of Service Attacks that prevent legitimate users from doing their work By flooding

Denial of Service Attacks that prevent legitimate users from doing their work By flooding

Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing tables Or flooding routers Or destroying key packets Lecture 9 Page 1 CS 236 Online How Do Denial of

259 views • 15 slides
CSE 543 - Computer Security Lecture 22 - Denial of Service November 15, 2007 URL:

CSE 543 - Computer Security Lecture 22 - Denial of Service November 15, 2007 URL:

CSE 543 - Computer Security Lecture 22 - Denial of Service November 15, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Denial of Service Intentional prevention

663 views • 25 slides
Terminus: Towards a Network-Level Deployable Architecture Against Distributed Denial-of- Service

Terminus: Towards a Network-Level Deployable Architecture Against Distributed Denial-of- Service

Terminus: Towards a Network-Level Deployable Architecture Against Distributed Denial-of- Service Attacks Felipe Huici and Mark Handley Networks Research Group Department of Computer Science Overview Terminus architecture Protecting

553 views • 27 slides
Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136, Fall 2014 Outline Network security characteristics and threats Denial of service attacks Traffic control mechanisms Firewalls

797 views • 67 slides
Network Firewalls the outside world is a poten7al aCack

Network Firewalls the outside world is a poten7al aCack

4/29/14 CSE/ISE 311: Systems Administra5on CSE/ISE 311: Systems Administra5on Firewalls: An Essen7al Tool Previous Lectures: Every service on a system visible

400 views • 4 slides
Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and Honeypots that enforces a boundary between two CS 239 or more networks - NCSA Firewall Functional Summary Computer Security Usually, a

271 views • 10 slides
RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks Kathleen M. Moriarty

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks Kathleen M. Moriarty

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks Kathleen M. Moriarty MIT Lincoln Laboratory 22 October 2002 This work was sponsored by the Air Force Contract number F19628-00-C-002. Opinions, interpretations,

336 views • 7 slides
Botnets, Collective Defense, and Project MARS Jeff Williams Principal Group Program Manager

Botnets, Collective Defense, and Project MARS Jeff Williams Principal Group Program Manager

Botnets, Collective Defense, and Project MARS Jeff Williams Principal Group Program Manager Microsoft Malware Protection Center The Basics A Picture of Health? Location 1Q2010 2Q10 3Q10 4Q10 Delta 4.2% United States 11,025,811

468 views • 31 slides
An analysis of Social Network-based Sybil defenses Bimal Viswanath Ansley Post Krishna

An analysis of Social Network-based Sybil defenses Bimal Viswanath Ansley Post Krishna

An analysis of Social Network-based Sybil defenses Bimal Viswanath Ansley Post Krishna Gummadi Alan Mislove MPI-SWS Northeastern University SIGCOMM 2010 1 Sybil attack Fundamental problem in distributed systems Attacker

519 views • 40 slides
SoK: The Evolution of Sybil Defense via Social Networks Alessandro Epasto 1 joint work with L.

SoK: The Evolution of Sybil Defense via Social Networks Alessandro Epasto 1 joint work with L.

IEEE Symposium on Security &amp; Privacy SAN FRANCISCO 21 ST MAY 2013 SoK: The Evolution of Sybil Defense via Social Networks Alessandro Epasto 1 joint work with L. Alvisi 2 , A. Clement 3 , S. Lattanzi 4 , A. Panconesi 1 Sapienza U.

855 views • 41 slides
Forwarding-Loop Attacks in Content Delivery Networks Jianjun Chen , Jian Jiang, Xiaofeng Zheng,

Forwarding-Loop Attacks in Content Delivery Networks Jianjun Chen , Jian Jiang, Xiaofeng Zheng,

Forwarding-Loop Attacks in Content Delivery Networks Jianjun Chen , Jian Jiang, Xiaofeng Zheng, Haixin Duan, Jinjin Liang, Kang Li, Tao Wan, Vern Paxson 1 Content Delivery Networks CDN is now an important Internet infrastructure, it is a

381 views • 22 slides
ROP is S(ll Dangerous: Breaking Modern Defenses David Wagner

ROP is S(ll Dangerous: Breaking Modern Defenses David Wagner

ROP is S(ll Dangerous: Breaking Modern Defenses David Wagner Nicholas Carlini Return Oriented Programming Basic ROP Mo(va(ons DEP Data

712 views • 11 slides
CSCI 8260 Spring 2016 Computer Network Attacks and Defenses Syllabus Prof. Roberto Perdisci

CSCI 8260 Spring 2016 Computer Network Attacks and Defenses Syllabus Prof. Roberto Perdisci

CSCI 8260 Spring 2016 Computer Network Attacks and Defenses Syllabus Prof. Roberto Perdisci perdisci@cs.uga.edu Who is this course for? l Open to graduate students only l Students who complete this course successfully will receive

492 views • 20 slides
Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc

Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc

Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc Juarez 3 1 Royal Holloway University of London 2 University College London 3 imec-COSIC KU Leuven 19th July 2017, PETS17, Minneapolis, MN, USA

735 views • 17 slides
CSCI 1650: Software Security and Exploitation Introduction Vasileios (Vasilis) Kemerlis

CSCI 1650: Software Security and Exploitation Introduction Vasileios (Vasilis) Kemerlis

CSCI 1650: Software Security and Exploitation Introduction Vasileios (Vasilis) Kemerlis September 09, 2020 Department of Computer Science Brown University vpk@cs.brown.edu (Brown University) CSCI 1650 Fall 20 1 / 6 Course Overview (1/2)

238 views • 19 slides

More recommend