network threats attacks
play

Network Threats & Attacks 1 Internet Structure backbone ISP - PowerPoint PPT Presentation

Oct 04, 2023 •221 likes •769 views

CS 134 Winter 2018 Lecture 16 Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) collection of IP networks under control local network of a single

  1. CS 134 Winter 2018 Lecture 16 Network Threats & Attacks 1

  2. Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) collection of IP networks under control local network of a single administrator (e.g., ISP) ◆ TCP/IP for packet routing and connections ◆ Border Gateway Protocol (BGP) for route discovery ◆ Domain Name System (DNS) for IP address discovery 2

  3. OSI Protocol Stack email, Web, NFS application presentation RPC session TCP transport IP network Ethernet data link physical 3

  4. Data Formats application message Application data layer transport TCP TCP TCP segment data data data header header header layer network IP TCP packet data header header layer data link Ethernet IP TCP Ethernet frame data header header header trailer layer IPv6 only (IPv4 may fragment) 4

  5. TCP (Transmission Control Protocol) ◆ Sender: break data into segments • Sequence number is attached to every packet ◆ Receiver: reassemble segments • Acknowledge receipt; lost packets are re-sent ◆ Connection state maintained by both sides

  6. IP (Internet Protocol) ◆ Connectionless • Unreliable, “ best-effort ” protocol ◆ Uses addresses (and prefixes thereof) used for routing • Longest-prefix match Bob ’ s ISP • Typically several hops in route Alice ’ s computer Alice ’ s ISP IP Packet 128.83.130.239 Bob ’ s computer Source 128.83.130.239 171.64.66.201 Dest 171.64.66.201 Seq # 33040

  7. ICMP (Control Message Protocol) ◆ Provides feedback about network operation • Out-of-band (control) messages carried in IP packets • Error reporting, congestion control, reachability, etc. ◆ Example messages: • Destination unreachable • Time exceeded • Parameter problem • Redirect to better gateway • Reachability test (echo / echo reply) • Timestamp request / reply 7

  8. Security Issues in TCP/IP ◆ Network packets pass by and thru untrusted hosts • Eavesdropping (packet sniffing) ◆ IP addresses are public • E.g., Ping-of-Death, Smurf attacks ◆ TCP connection requires state • SYN flooding ◆ TCP state easy to guess • TCP spoofing and connection hijacking 8

  9. Packet Sniffing ◆ Many old applications send data unencrypted • Plain ftp, telnet send passwords in the clear (as opposed to sftp and ssh) ◆ Network Interface Card (NIC), e.g., Ethernet device, in “ promiscuous mode ” can read all data on its broadcast segment network Solution: encryption (e.g., IPsec), improved routing 9

  10. “ Smurf ” Attack Looks like a legitimate “ Are you alive? ” ping request from the victim 3. Flood of ping replies overwhelms victim 1. ICMP Echo Req Src: victim ’ s address Dest: broadcast address Victim router 2. Every host on the segment might be local or remote generates a ping reply (ICMP Echo Reply) to victim’s address Solution: reject external packets to broadcast addresses 10

  11. “ Ping of Death ” ◆ When an old Windows machine receives an ICMP packet with payload over 64K, it crashes and/or reboots • Programming error in older versions of Windows • Packets of this length are illegal, so programmers of old Windows code did not account for them Solution: patch OS, filter out ICMP packets 11

  12. “ Teardrop ” and “ Bonk ” ◆ TCP packets contain Offset field ◆ Attacker sets Offset field to: • overlapping values – Bad/old implementation of TCP/IP stack crashes when attempting to re-assemble the fragments • … or to very large values – Target system crashes Solution: use up-to-date TCP/IP implementation 12

  13. “ LAND ” ◆ Single-packet denial of service (DoS) attack ◆ IP packet with: <source-address,port> equal to <destination-address,port>, SYN flag set ◆ Triggers loopback in Windows XP SP2 implementation of TCP/IP stack • Locks up CPU Solution: ingress filtering??? 13

  14. TCP Handshake Reminder C S SYN C Listening… Spawn thread, store data SYN S , ACK C (connection state, etc.) Wait ACK S Connected 14

  15. SYN Flooding Attack S SYN C1 Listening… Spawn a new thread, SYN C2 store connection data SYN C3 … and more SYN C4 … and more … and more SYN C5 … and more … and more 15

  16. SYN Flooding Explained ◆ Attacker sends many connection requests (SYNs) with spoofed source addresses ◆ Victim allocates resources for each request • New thread, connection state maintained until timeout • Fixed bound on half-open connections ◆ Once resources exhausted, requests from legitimate clients are denied ◆ This is a classic DoS attack example: ASYMMETRY!!! • Common pattern: it costs nothing to TCP client to send a connection request, but TCP server must spawn a thread for each request • Other examples of this behavior? 16

  17. Preventing Denial of Service ◆ DoS is caused by asymmetric state allocation • If server opens new state for each connection attempt, attacker can initiate many connections from bogus or forged IP addresses ◆ Cookies allow server to remain stateless until client produces: • Server state (IP addresses and ports) stored in a cookie and originally sent to client ◆ When client responds, cookie is verified 17

  18. SYN Cookies [Bernstein and Schenk] C S SYN C Listening… Does not store state Compatible with standard TCP; SYN S , ACK C simply a “ weird ” sequence number scheme sequence # = cookie • Cookie must be fresh, and unforgeable F(source addr, source port, • Client should not be able to dest addr, dest port, invert a cookie (why?) F=AES or a truncated hash coarse time, server secret ) ACK S (cookie) Recompute cookie, compare with with the one received, only establish connection if they match More info: http://cr.yp.to/syncookies.html 18

  19. Anti-Spoofing Cookies: Basic Pattern ◆ Client sends request (message #1) to server ◆ Typical protocol: • Server sets up connection, responds with message #2 • Client may complete session or not (potential DoS) ◆ Cookie version: • Server responds with hashed connection data instead of message #2 – Does not spawn any threads, does not allocate resources! • Client confirms by returning cookie (with other fields) – If source IP address is bogus, attacker can ’ t confirm – WHY? 19

  20. Passive Defense: Random Deletion half-open connections SYN C 121.17.182.45 231.202.1.16 121.100.20.14 5.17.95.155 ◆ If SYN queue is full, delete random entry • Legitimate connections have a chance to complete • Fake addresses will be eventually deleted. WHY? ◆ Easy to implement 20

  21. TCP Connection Spoofing ◆ Each TCP connection has associated state • Sequence number, port number ◆ TCP state is easy to guess • Port numbers standard, seq numbers are predictable ◆ Can inject packets into existing connections • If attacker knows initial sequence number and amount of traffic, can guess current number • Guessing a 32-bit seq number is not practical, BUT… • Most systems accept a large window of sequence numbers (to handle massive packet losses) • Send a flood of packets with likely sequence numbers 21

  22. “ Blind ” IP Spoofing Attack Trusted connection between Alice and Bob uses predictable sequence numbers  SYN-flood Bob ’ s queue Alice Bob Œ Open connection to Alice to get initial sequence number Ž Send packets to Alice that resemble Bob ’ s packets ◆ Can’t receive packets sent to Bob, but maybe can penetrate Alice’s computer if Alice uses IP address-based “ authentication ” • rlogin and other (insecure) remote access tools use address-based authentication 22

  23. DoS by Connection Reset ◆ If attacker can guess the current sequence number for an existing connection, can send Reset packet to close it ◆ Especially effective against long-lived connections • For example, BGP route updates – Adjacent BGP routers keep long-lived TCP connections 23

  24. User Datagram Protocol (UDP) ◆ UDP – alternative to TCP, connectionless protocol • Simply sends datagram to application process at the specified port of the IP address • Source port number provides return address • Applications: media streaming, broadcast ◆ No acknowledgements, no flow control ◆ So…. Denial of Service by UDP data flood is easy 24

  25. Countermeasures ◆ Above transport layer: Kerberos • Provides authentication, protects against application- layer spoofing • Does not protect against connection hijacking ◆ Above network layer: SSL/TLS and SSH • Protects against connection hijacking and injected data • Does not protect against DoS by spoofed packets ◆ Network (IP) layer: IPsec • Protects against hijacking, injection, DoS using connection resets, IP address spoofing • But muddled/poor key management… ◆ Below network layer? 25

  26. IP Routing ◆ Routing of IP packets is based on IP addresses • 32-bit host identifiers (128-bit in IPv6) ◆ Routers use a forwarding table (FIB) • Entry = [ destination, nxt hop, interface, metric ] • Table look-up for each IP packet to decide how to route it ◆ Routers learn routes to hosts and networks via routing protocols • Host identified by its IP address, network – by IP prefix ◆ BGP (Border Gateway Protocol) is the core Internet protocol for establishing inter-AS routes 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Lecture 17 CS 134 Spring 2019 Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) local network collection of IP networks under control of a

643 views • 25 slides
WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and countermeasures within smart card and wireless sensor network node technologies. Kevin Eagles, Konstantinos Markantonakis and Keith Mayes Smart Card Centre,

337 views • 22 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Outline A taxonomy of CR security threats Primary user emulation attacks Cognitive Radio

Outline A taxonomy of CR security threats Primary user emulation attacks Cognitive Radio

10/25/19 Outline A taxonomy of CR security threats Primary user emulation attacks Cognitive Radio Network Security Byzantine failures in distributed spectrum sensing Security vulnerabilities in IEEE 802.22 Yao Zheng 1 2

383 views • 7 slides
Network Attacks CS 334 - Computer Security Once again thanks to Vern Paxson and David Wagner 1

Network Attacks CS 334 - Computer Security Once again thanks to Vern Paxson and David Wagner 1

Network Attacks CS 334 - Computer Security Once again thanks to Vern Paxson and David Wagner 1 Layers 1 &amp; 2: General Threats? Framing and transmission of a collection of bits into individual messages sent across a single subnetwork

809 views • 54 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit Hackers takes advantage of vulnerability or flaw of users web browser on mobile device in WiFi communication to attack victims. Hackers send

464 views • 30 slides
Fault Attacks on Embedded Software: Threats, Design, and Mitigation Patrick Schaumont Professor

Fault Attacks on Embedded Software: Threats, Design, and Mitigation Patrick Schaumont Professor

Fault Attacks on Embedded Software: Threats, Design, and Mitigation Patrick Schaumont Professor Bradley Department of ECE Virginia Tech Acknowledgements FAME Project Team https://sites.google.com/view/famechip Supported through National

1.01k views • 72 slides
Embedding Crypto in SoCs: Threats and Protections Arnaud Tisserand CNRS, Lab-STICC laboratory

Embedding Crypto in SoCs: Threats and Protections Arnaud Tisserand CNRS, Lab-STICC laboratory

Embedding Crypto in SoCs: Threats and Protections Arnaud Tisserand CNRS, Lab-STICC laboratory GDR SoC17, Bordeaux Summary Introduction &amp; Cryptographic Background Side Channel Attacks Fault Injection Attacks Protections

1.87k views • 166 slides
Successive Network Coding (SNC): A Mitigating Mechanism Against Eavesdropping Attacks In Network

Successive Network Coding (SNC): A Mitigating Mechanism Against Eavesdropping Attacks In Network

Successive Network Coding (SNC): A Mitigating Mechanism Against Eavesdropping Attacks In Network Coding Based Systems Vahid N. Talooki, University of Aveiro, Portugal Network Coding (NC) allows intermediate nodes not only to store and forward

307 views • 4 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Overview Network and Server Goal of Security Control Attacks and Penetration Phases of

Overview Network and Server Goal of Security Control Attacks and Penetration Phases of

Overview Network and Server Goal of Security Control Attacks and Penetration Phases of Control Methods of Taking Control Common Points of Attack Multifront Attacks Chapter 12 Auditing to Recognize Attacks Malicious

535 views • 7 slides
RiskRoute: A Framework for Mi3ga3ng Network Outage Threats

RiskRoute: A Framework for Mi3ga3ng Network Outage Threats

RiskRoute: A Framework for Mi3ga3ng Network Outage Threats Ramakrishnan Durairajan + Brian Eriksson * , Paul Barford + * Technicolor Palo Alto + University

472 views • 30 slides
Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136, Fall 2014 Outline Network security characteristics and threats Denial of service attacks Traffic control mechanisms Firewalls

797 views • 67 slides
Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu

Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu

Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu Materials adopted from Prof. David Wagner 2019 General Communication Security Goals: CIA Confidentiality: No one can read our data / communication

876 views • 60 slides
CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan

CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan

CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Stefan Savage, David Wagner, and Nick Weaver Threat Modeling for Network Attacks Basic security goals:

804 views • 31 slides
Presented by: Mark Elkins Invitation to ICANN GNSO ISPCP The Internet Service Providers

Presented by: Mark Elkins Invitation to ICANN GNSO ISPCP The Internet Service Providers

Presented by: Mark Elkins Invitation to ICANN GNSO ISPCP The Internet Service Providers Connectivity Providers Constituency, ICANN Generic Names Supporting Organization What is ICANN Internet Corporation for Assigned Names and

130 views • 9 slides
CompSci 356: Computer Network Architectures Lecture 20: Domain Name System (DNS) and Content

CompSci 356: Computer Network Architectures Lecture 20: Domain Name System (DNS) and Content

CompSci 356: Computer Network Architectures Lecture 20: Domain Name System (DNS) and Content distribution networks Chapter 9.3.1 Xiaowei Yang xwy@cs.duke.edu Overview Domain Name System Content Distribution Networks Domain Name

777 views • 50 slides
CSE 6345 Mobile Computer Systems Topic 3 : Mobile IP With Dr. Mohan Kumar Kumar 1 Mobile IP

CSE 6345 Mobile Computer Systems Topic 3 : Mobile IP With Dr. Mohan Kumar Kumar 1 Mobile IP

CSE 6345 Mobile Computer Systems Topic 3 : Mobile IP With Dr. Mohan Kumar Kumar 1 Mobile IP Internet Access Access to information IP connectivity PDAs, cellular phones etc. Kumar 2 Mobile IP Internet Access Access to information IP

367 views • 34 slides
Sa Safer er Si Six IP IPv6 v6 Se Security urity in a Nut utsh shel ell Joha hann nna

Sa Safer er Si Six IP IPv6 v6 Se Security urity in a Nut utsh shel ell Joha hann nna

Sa Safer er Si Six IP IPv6 v6 Se Security urity in a Nut utsh shel ell Joha hann nna a Ull llrich ich I think there is a world market for maybe five computers Thomas Watson Reasons nicholsoncartoons.com.au connect.de

551 views • 33 slides
ELEC / COMP 177 Fall 2013 Some slides from Kurose

ELEC / COMP 177 Fall 2013 Some slides from Kurose

ELEC / COMP 177 Fall 2013 Some slides from Kurose and Ross, Computer Networking , 5 th Edition Project 2 Python HTTP Server++ Work

629 views • 23 slides
Reference Architecture for the Operationalization of a BCMS Boban Kr i , Chief Information

Reference Architecture for the Operationalization of a BCMS Boban Kr i , Chief Information

Reference Architecture for the Operationalization of a BCMS Boban Kr i , Chief Information Security Officer verinice.XP - Berlin, 07. February 2017 DENIC Mission Founded in 1996 as a cooperative in Frankfurt / Main. Act as a

426 views • 31 slides
Communication Networks II www.kom.tu-darmstadt.de www.httc.de Addressing - Protocols Prof.

Communication Networks II www.kom.tu-darmstadt.de www.httc.de Addressing - Protocols Prof.

Communication Networks II www.kom.tu-darmstadt.de www.httc.de Addressing - Protocols Prof. Dr.-Ing. Ralf Steinmetz TU Darmstadt - Technische Universitt Darmstadt, Dept. of Electrical Engineering and Information Technology, Dept. of Computer

627 views • 36 slides
TCP/IP Networks Dr. Miled M. Tezeghdanti October 7, 2011 Dr. Miled M. Tezeghdanti () TCP/IP

TCP/IP Networks Dr. Miled M. Tezeghdanti October 7, 2011 Dr. Miled M. Tezeghdanti () TCP/IP

TCP/IP Networks Dr. Miled M. Tezeghdanti October 7, 2011 Dr. Miled M. Tezeghdanti () TCP/IP Networks October 7, 2011 1 / 94 Outline TCP/IP IP ARP ICMP TCP/UDP Dr. Miled M. Tezeghdanti () TCP/IP Networks October 7, 2011 2 / 94

1.55k views • 116 slides

More recommend