Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
CSE543 - Introduction to Computer and Network Security Page
CSE543 - Introduction to Computer and Network Security
Module: Network Security
Professor Patrick McDanielFall 2008
1
CSE543 - Introduction to Computer and Network Security Page
Networking• Fundamentally about transmitting information between
two devices• Direct communication is now possible between any
two devices anywhere (just about)‣ Lots of abstraction involved‣ Lots of network components‣ Standard protocols‣ Wired and wireless‣ Works in protection environment
• What about ensuring security?
2
CSE543 - Introduction to Computer and Network Security Page
Network Security• Every machine is connected‣ What is trust model of the network?
• Not just limited to dogs as users‣ What other ‘dogs’ are out there?
3
CSE543 - Introduction to Computer and Network Security Page
Exploiting the network ...• The Internet is extremely vulnerable to attack‣ it is a huge open system ...‣ which adheres to the end-to-end principle
• smart end-points, dumb network
• Can you think of any large-scale attacks that would be 4
CSE543 - Introduction to Computer and Network Security Page
E2E Argument• Clark et. al discussed a property of good systems that
says features should be placed as close to resources as possible‣ In communication, this means that we want the middle
of the network to be simple, and the end-points to be smart (e.g., do everything you can at the end-points• “Dumb, minimal network”
‣ This is the guiding principle of IP (Internet)‣ Q: Does this have an effect on security?
• Note: this is a departure from the early networks which smart network, dumb terminals
5
CSE543 - Introduction to Computer and Network Security Page
• Bellovin’s observations about the security problems of the IP protocols‣ Not really a study of how IP is misused, e.g., IP addresses for
authentication, but really what is inherently bad about the way in which IP is setup
• A really, really nice overview of the basic ways in which security and the IP design is at odds
Security Problems in the TCP/IP Protocol Suite
6
CSE543 - Introduction to Computer and Network Security Page
• TCP/IP uses a three-way handshake to establish a connection
1. C -> S: QC
2. S -> C: QS, ack(QC) where sequence number QS is nonce
3. C -> S: ack(QS) … then send data
2. However assume the bad guy does not hear msg 2, if he can guess QS, then he can get S to accept whatever data it wants (useful if doing IP authentication, e.g., “rsh”)
Client Server
Adversary
Sequence number prediction
7
CSE543 - Introduction to Computer and Network Security Page
• The only way you really fix this problem to stop making the sequence numbers predictable:‣ Randomize them -- you can use DES or some other
mechanism to generate them randomly‣ There is an entire sub-field devoted to the creation and
management of randomness in OSes
• Also, you could look for inconsistencies in timing information‣ Assumption: the adversary has different timing than‣ OK, maybe helpful, but far from definitive
Sequence Number Prediction (fixes)
8
CSE543 - Introduction to Computer and Network Security Page
• RIP - routing information protocol‣ Distance vector routing protocol used for local network
‣ Routers exchange reachability and “distance” vectors for all the sub-networks within (a typically small) domain
‣ Use vectors to decide which is best, notification of changes is propagated quickly
• So, the big problem is that you receive vast amounts of data that a router uses to form the routing table‣ So, just forge that, and the game is up
‣ Manipulate paths, DOS, hijack connections, etc.
• Solutions:
Routing Manipulation
9
CSE543 - Introduction to Computer and Network Security Page
• ICMP is used as a control plane for IP messages‣ Ping (connectivity probe)
‣ Destination Unreachable (error notification)
‣ Time-to-live exceeded (error notification)
• These are used for good purposes, and are largely indispensable tools for network management and control‣ Error notification codes can be used to reset connections
without any
• Solution: verify/sanity check sources and content‣ ICMP “returned packets”
Internet Control Message Protocol
10
CSE543 - Introduction to Computer and Network Security Page
• In 1996, someone discovered that many operating systems, routers, etc. could be crash/rebooted by sending a single malformed packet‣ It turns out that you can send a IP packet larger than 65,535
(216), it would crash the system
‣ The real reason lies in the way fragmentation works• It allows somebody to send a packet bigger than IP allows
• Which blows up most fixed buffer size implementations
• … and dumps core, blue screen of death, etc.
‣ Note: this is not really ICMP specific, but easy (try it)
% ping -l 65510 your.host.ip.address
• This was a popular pastime of early hackers
The “ping of death” …
11
CSE543 - Introduction to Computer and Network Security Page
• Protocol used to map IP address onto the physical layer addresses (MAC) 1) ARP request: who has x.x.x.x? 2) ARP response: me!
• Policy: last one in wins• Used to forward packets on the appropriate interfaces
by network devices (e.g., bridges)
• Q: Why would you want to spoof an IP address?
Address Resolution Protocol
12
CSE543 - Introduction to Computer and Network Security Page
• Attack: replace good entries with your own• Leads to ‣ Session hijacking‣ Man-in-the-middle attacks‣ Denial of service, etc.
• Lots of other ways to abuse ARP.• Nobody has really come up with a good solution‣ Except smart bridges, routers that keep track of MACs
• However, some not worried‣ If adversary is in your perimeter, you are in big trouble‣ You should never should validate the source of each pack
ARP poisoning
13
CSE543 - Introduction to Computer and Network Security Page
• Finger user identity (my advisor hated this)‣ host gives up who is logged in, existence of identities
PSU.local Presentations > finger megan Login: megan Name: Megan SmithDirectory: /Users/megan Shell: /bin/bashLast login Mon 23 Aug 13:19 (EDT) on consoleNo Mail.No Plan.PSU.local Presentations >
• This is horrible in a distributed environment‣ Privacy, …
‣ Lots of information to start a compromise of the user.
Other flawed protocols/services
14
CSE543 - Introduction to Computer and Network Security Page
• Post office protocol - mail retrieval‣ Passwords passed in the clear (duh)‣ Solution: SSL, SSH, Kerberos
• Simple mail transport protocol (SMTP) - email‣ Nothing authenticated: SPAM‣ Nothing hidden: eavesdropping‣ Solution: your guess is as good as mine
• File Transfer protocol - file retrieval‣ Passwords passed in the clear (duh)‣ Solution: SSL, SSH, Kerberos
POP/SMTP/FTP
15
CSE543 - Introduction to Computer and Network Security Page
• DNS maps between IP address (12.1.1.3) and domain and host names (ada.cse.psu.edu)‣ How it works: the “root” servers redirect you to the top
level domains (TLD) DNS servers, which redirect you to the appropriate sub-domain, and recursively ….
‣ Note: there are 13 “root” servers that contain the TLDs for .org, .edu, and country specific registries (.fr, .ch)
Host (resolver)
cse.psu.eduroot psu.edu.edu
ada.cse.psu.edu? 130.203.16.130
DNS - The domain name system
16
CSE543 - Introduction to Computer and Network Security Page
• Nothing is authenticated, so really the game is over‣ You can not really trust what you hear …‣ But, many applications are doing just that.‣ Spoofing of DNS is really dangerous
• Moreover, DNS is a catalog of resources‣ Zone-transfers allow bulk acquisition of DNS data‣ … and hence provide a map for attacking the network
• Lots of opportunity to abuse the system‣ Relies heavily on caching for efficiency -- cache pollution‣ Once something is wrong, it can remain that way in caches
for a long time (e.g., it takes a long time flush)‣ Data may be corrupted before it gets to authoritative server
DNS Vulnerabilities
17
CSE543 - Introduction to Computer and Network Security Page
• A standard-based (IETF) solution to security in DNS‣ Prevents data spoofing and corruption‣ Public key based solution to verifying DNS data‣ Authenticates
• Communication between servers• DNS data• Public keys (a bootstrap for PKI?)
DNSsec
18
CSE543 - Introduction to Computer and Network Security Page
• TSIG : transaction signatures protect DNS operations‣ Zone loads, some server to server requests (master -> slave), etc.
‣ Time-stamped signed responses for dynamic requests‣ A misnomer -- it currently uses shared secrets for TSIG
(HMAC) or do real signatures using public key cryptography
• SIG0: a public key equivalent of TSIG‣ Works similarly, but with public keys‣ Not as popular as TSIG, being evaluated
• Note: these mechanisms assume clock sync. (NTP)
DNSsec Mechanisms
19
CSE543 - Introduction to Computer and Network Security Page
• Securing the DNS records‣ Each domain signs their “zone” with a private key‣ Public keys published via DNS‣ Indirectly signed by parent zones‣ Ideally, you only need a self-signed root, and follow keys down
the hierarchy
cse.psu.eduroot psu.edu.eduSigns Signs Signs
DNSsec Mechanisms
20
CSE543 - Introduction to Computer and Network Security Page
• Incremental deployability‣ Everyone has DNS, can’t assume a flag day
• Resource imbalances‣ Some devices can’t afford real authentication
• Cultural‣ Most people don’t have any strong reason to have secure
DNS ($$$ not justified in most environments)
‣ Lots of transitive trust assumptions (you have no idea how the middlemen do business)
• Take away: DNSsec will be deployed, but it is unclear whether it will be used appropriately/widely
DNSsec challenges
21
CSE543 - Introduction to Computer and Network Security Page
Communications Security• Harden the communication against mal-intent ...
22http://artfiles.art.com/images/-/Philip-Gendreau/Jolly-Roger-the-Pirates-Flag-Giclee-Print-C10274009.jpeg
CSE543 - Introduction to Computer and Network Security Page
Communications Security• A host wants to establish a secure channel to remote
hosts over an untrusted network‣ Not Login – end-users may not even be aware that
protections in place‣ Remote hosts may be internal or external
• The protection service must …‣ Authenticate the end-points (each other)‣ Negotiate what security is necessary (and how)‣ Establish a secure channel‣ Process the traffic between the end points
23
CSE543 - Introduction to Computer and Network Security Page
IPsec (not IPSec!)• Host level protection service‣ IP-layer security (below TCP/UDP)‣ De-facto standard for host level security‣ Developed by the IETF (over many years)‣ Now available in most operating systems
• E.g., Available in XP, OS X, Linux, BSD*, …
‣ Implements a wide range of protocols and cryptographic algorithms
• Provides ….‣ Confidentiality, integrity, authenticity, replay protection, DOS
protection
24
CSE543 - Introduction to Computer and Network Security Page
IPsec and the IP protocol stack• IPsec puts the two main
protocols in between IP and the other protocols‣ AH - authentication header‣ ESP - encapsulating security
payload• Tunnel vs. transport?‣ Key management/authentication‣ Policy
• Other function provided by external protocols and architectures
SMTPFTP
TCPHTTP
ESPAH
IP
UDP
25
CSE543 - Introduction to Computer and Network Security Page
Tunneling• “IP over IP”‣ Network-level packets are encapsulated ‣ Allows traffic to avoid firewalls
IP layer…
IP layer…
26
CSE543 - Introduction to Computer and Network Security Page
IPsec Protocol Suite
(IKE)Internet Key
Exchange
(AH)Authentication
Header
(ESP)Encapsulating
Security Payload
(SPS)Security Policy
SystemManual
Policy/Configuration
ManagentKey
ManagementPacket
Processing
27
CSE543 - Introduction to Computer and Network Security Page
Internet Key Exchange (IKE)• Built on of ISAKMP framework• Two phase protocol used to establish parameters
and keys for session‣ Phase 1: authenticate peers, establish secure channel‣ Phase 2: negotiate parameters, establish a security
association (SA)
• The details are unimaginably complex• The SA defines algorithms, keys, and policy used to
secure the session
28
CSE543 - Introduction to Computer and Network Security Page
IPsec
IPsec: Packet Handling (Bump …)
Network (IP)
Physical
Application
Presentation
Session
Transport
Data Link
IP Protocol Stack
SADB
29
CSE543 - Introduction to Computer and Network Security Page
Authentication Header (AH)• Authenticity and integrity‣ via HMAC‣ over IP headers and data
• Advantage: the authenticity of data and IP header information is protected‣ it gets a little complicated with mutable fields, which are
supposed to be altered by network as packet traverses the network
‣ some fields a immutable, and are protected
• Confidentiality of data is not preserved• Replay protection via AH sequence numbers‣ note that this replicates some features of TCP (good?)
30
CSE543 - Introduction to Computer and Network Security Page
IPsec AH Packet Format
IPv4 Header
IPv4 AH Packet Format
Next Header Length Reserved
Security Parameter Index
Authentication Data (variable number of 32-bit words)
AH Header Format
31
Authentication HeaderHigher Level
Protocol Data
CSE543 - Introduction to Computer and Network Security Page
Authentication Header (AH)• Modifications to the packet format
32
IP Header AH HeaderMAC Payload
AH Packet
EncryptedAuthenticated
IP Header Payload
CSE543 - Introduction to Computer and Network Security Page
IPsec Authentication• SPI: (spy) identifies the security association for this packet– Type of crypto checksum, how large it is, and how it is computed
– Really the policy for the packet
• Authentication data– Hash of packet contents include IP header as as specified by SPI
– Treat transient fields (TTL, header checksum) as zero
• Keyed MD5 Hash is default
Headers and data being sentKey KeySecret Key
MD5 Hash
33
CSE543 - Introduction to Computer and Network Security Page
Encapsulating Security Payload (ESP)
• Confidentiality, authenticity and integrity‣ via encryption and HMAC‣ over IP payload (data)
• Advantage: the security manipulations are done solely on user data‣ TCP packet is fully secured‣ simplifies processing
• Use “null” encryption to get authenticity/integrity only• Note that the TCP ports are hidden when encrypted‣ good: better security, less is known about traffic‣ bad: impossible for FW to filter/traffic based on port
34
CSE543 - Introduction to Computer and Network Security Page
IPsec ESP Packet Format
IPv4 ESP Packet Format
IP HeaderOther IP Headers
ESP Header Encrypted Data
ESP Header FormatSecurity Parameter Identifier (SPI)
Opaque Transform Data, variable length
Unencrypted Encrypted
Security Parameters Index (SPI)
Initialization Vector (optional)
Replay Prevention Field (incrementing count)
Payload Data (with padding)
Authentication checksum
DES + MD5 ESP Format
35
CSE543 - Introduction to Computer and Network Security Page
Encapsulating Security Payload
• Modifications to packet format
36
IP Header ESP Header Payload ESP Trailer MAC
ESP Packet
EncryptedAuthenticated
IP Header Payload
CSE543 - Introduction to Computer and Network Security Page
Practical Issues and Limitations• IPsec implementations‣ Often not compatible (ungh.)‣ Large footprint
• resource poor devices are in trouble• New standards to simplify (e.g, JFK, IKE2)
‣ Slow to adopt new technologies
• Issues‣ IPsec tries to be “everything for everybody at all times”
• Massive, complicated, and unwieldy
‣ Policy infrastructure has not emerged ‣ Large-scale management tools are limited (e.g., CISCO)‣ Often not used securely (common pre-shared keys)
37
CSE543 - Introduction to Computer and Network Security Page
Isolation• Countermeasure to physically separate the devices/
environment from mal-intent
38
CSE543 - Introduction to Computer and Network Security Page
Network Isolation: VPNs• Idea: I want to create a collection of hosts which
operate in a coordinated way‣ E.g., a virtual security perimeter over physical network‣ Hosts work as if they are isolated from malicious hosts
• Solution: Virtual Private Networks‣ Create virtual network topology over physical network‣ Use communications security protocol suites to secure
virtual links “tunneling”‣ Manage networks as if they are physically separate‣ Hosts can route traffic to regular networks (split-tunneling)
39
CSE543 - Introduction to Computer and Network Security Page
VPN Example: RW/Telecommuter
Internet
LAN
(network edge)
Physical LinkLogical Link (IPsec)
40
CSE543 - Introduction to Computer and Network Security Page
VPN Example: Hub and Spoke
Internet
LAN
(network edge)
Physical LinkLogical Link (IPsec)
41
CSE543 - Introduction to Computer and Network Security Page
VPN Example: Mesh
Internet
LAN
(network edge)
Physical LinkLogical Link (IPsec)
42
CSE543 - Introduction to Computer and Network Security Page
Virtual LANs (VLANs)• VPNs build with hardware‣ No encryption – none needed‣ “wire based isolation”‣ Switches increasingly support VLANs‣ Allows networks to be reorganized without rewiring
• Example usage: two departments in same hallway‣ Each office is associated with department‣ Configuring the network switch gives physical isolation‣ Note: often used to ensure QoS
43
CSE543 - Introduction to Computer and Network Security Page
Aside: Malware• Malware - software that exhibits malicious behavior
(typically manifest on user system)‣ virus - self-replicating code, typically transferring by shared
media, filesystems, email, etc.
‣ worm - self propagating program that travels over the network
• The behaviors are as wide ranging as imagination‣ backdoor - hidden entry point into system that allows quick
access to elevated privileges
‣ rootkit - system replacement that hides adversary behavior
‣ key logger - program that monitors, records, and potentially transmits keyboard input to adversary
44
CSE543 - Introduction to Computer and Network Security Page
Worms
45
CSE543 - Introduction to Computer and Network Security Page
Worms• A worm is a self-propagating program.• As relevant to this discussion
1. Exploits some vulnerability on a target host …2. (often) imbeds itself into a host …3. Searches for other vulnerable hosts …4. Goto (1)
• Q: Why do we care?46
CSE543 - Introduction to Computer and Network Security Page
The Danger• What makes worms so dangerous is that infection
grows at an exponential rate‣ A simple model:
• s (search) is the time it takes to find vulnerable host
• i (infect) is the time is take to infect a host
‣ Assume that t=0 is the worm outbreak, the number of hosts at t=j is
2(j/(s+i))
‣ For example, if (s+i = 1), what is it at time t=32?
47
CSE543 - Introduction to Computer and Network Security Page
The result
0
500,000,000
1,000,000,000
1,500,000,000
2,000,000,000
2,500,000,000
3,000,000,000
3,500,000,000
4,000,000,000
4,500,000,000
5,000,000,000
48
CSE543 - Introduction to Computer and Network Security Page
The Morris Worm• Robert Morris, a 23 doctoral student from Cornell‣ Wrote a small (99 line) program
‣ November 3rd, 1988
‣ Simply disabled the Internet
• How it did it‣ Reads /etc/password, they tries the obvious choices and
dictionary, /usr/dict words
‣ Used local /etc/hosts.equiv, .rhosts, .forward to identify hosts that are related• Tries cracked passwords at related hosts (if necessary)
• Uses whatever services are available to compromise other hosts
‣ Scanned local interfaces for network information49
CSE543 - Introduction to Computer and Network Security Page
Code Red• Anatomy of a worm: Maiffret (good reading)• Exploited a Microsoft IIS web-server vulnerability‣ A vanilla buffer overflow (allows adversary to run code)‣ Scans for vulnerabilities over random IP addresses‣ Sometimes would deface the served website
• July 16th, 2001 - outbreak‣ CRv1- contained bad randomness (fixed IPs searched)‣ CRv2 - fixed the randomness,
• added DDOS of www.whitehouse.gov• Turned itself off and on (on 1st and 16th of month)
‣ August 4 - Code Red II• Different code base, same exploit
50
CSE543 - Introduction to Computer and Network Security Page
Worms and infection• The effectiveness of a worm is determined by how good it is at
identifying vulnerable machines‣ Morris used local information at the host‣ Code Red used what?
• Multi-vector worms use lots of ways to infect‣ E.g., network, DFS partitions, email, drive by downloads …‣ Another worm, Nimda did this
• Lots of scanning strategies‣ Signpost scanning (using local information, e.g., Morris)‣ Random IP - good, but waste a lot of time scanning dark or
unreachable addresses (e.g., Code Red)‣ Local scanning - biased randomness‣ Permutation scanning - instance is given part of IP space
51
CSE543 - Introduction to Computer and Network Security Page
Other scanning strategies• The doomsday worm: a flash worm
‣ Create a hit list of all vulnerable hosts
• Staniford et al. argue this is feasible
• Would contain a 48MB list
‣ Do the infect and split approach
‣ Use a zero-day vulnerability
• Result: saturate the Internet is less than 30 seconds!52
0
500,000,000
1,000,000,000
1,500,000,000
2,000,000,000
2,500,000,000
3,000,000,000
3,500,000,000
4,000,000,000
4,500,000,000
5,000,000,000
CSE543 - Introduction to Computer and Network Security Page
Worms: Defense Strategies• (Auto) patch your systems: most, if not all, large worm outbreaks
have exploited known vulnerabilities (with patches)• Heterogeneity: use more than one vendor for your networks• Shield (Ross): provides filtering for known vulnerabilities, such that
they are protected immediately (analog to virus scanning)
• Filtering: look for unnecessary or unusual communication patterns, then drop them on the floor ‣ This is the dominant method, getting sophisticated (Arbor Networks)
OperatingSystem
Network Interface
Shield NetworkTraffic
53
CSE543 - Introduction to Computer and Network Security Page
Denial of Service• Intentional prevention of access to valued
resource‣CPU, memory, disk (system resources)‣DNS, print queues, NIS (services)‣Web server, database, media server (applications)
• This is an attack on availability (fidelity)• Note: launching DOS attacks is easy• Note: preventing DOS attacks is hard‣Mitigation the path most frequently traveled
54
CSE543 - Introduction to Computer and Network Security Page
Canonical (common) DOS - Request Flood
• Attack: request flooding‣ Overwhelm some resource with legitimate requests
‣ e.g., web-server, phone system
• Note: unintentional flood is called a flash crowd55
CSE543 - Introduction to Computer and Network Security Page
Example: SMURF Attacks• This is one of the deadliest and simplest of the DOS attacks
(called a naturally amplified attack)‣ Send a large number PING packet networks on the broadcast IP
addresses (e.g., 192.168.27.254)
‣ Set the source packet IP address to be your victim
‣ All hosts will reflexively respond to the ping at your victim
‣ … and it will be crushed under the load.
‣ Fraggle: UDP based SMURF
Host
Host Host Host
Host
Host
Host
Host
Host
adversary Broadcast victim
56
CSE543 - Introduction to Computer and Network Security Page
Distributed denial of service• DDOS: Network oriented attacks aimed at
preventing access to network, host or service‣ Saturate the target’s network with traffic‣Consume all network resources (e.g., SYN)‣Overload a service with requests
• Use “expensive” requests (e.g., “sign this data”)
‣Can be extremely costly (e.g, Amazon)
• Result: service/host/network is unavailable• Frequently distributed via other attack
• Note: IP is often hidden (spoofed)57
CSE543 - Introduction to Computer and Network Security Page
D/DOS (generalized by Mirkovic)
• Send a stream of packets/requests/whatever …‣ many PINGS, HTML requests, ...
• Send a few malformed packets ‣ causing failures or expensive error handling‣ low-rate packet dropping (TCP congestion control)‣ “ping of death”
• Abuse legitimate access‣ Compromise service/host‣ Use its legitimate access rights to consume the rights for
domain (e.g., local network)‣ E.g., First-year graduate student runs a recursive file
operation on root of NFS partition58
CSE543 - Introduction to Computer and Network Security Page
The canonical DDOS attack
Internet
LAN
(target)(zombies)
(router)(master)
(adversary)59
CSE543 - Introduction to Computer and Network Security Page
Adversary Network
(adversary)
(masters)
(zombies)
(target)
60
CSE543 - Introduction to Computer and Network Security Page
Why DDOS• What would motivate someone DDOS?‣ An axe to grind …
‣ Curiosity (script kiddies) …
‣ Blackmail
‣ Information warfare …
• Internet is an open system ...‣ Packets not authenticated, probably can’t be
• Would not solve the problem just move it (firewall)
61
CSE543 - Introduction to Computer and Network Security Page
Why is DDOS possible? • Interdependence - services dependent on each other‣ E.g., Web depends on TCP and DNS, which depends on
routing and congestion control, …
• Limited resources (or rather resource imbalances)‣ Many times it takes few resources on the client side to
consume lots of resources on the server side
‣ E.g., SYN packets consume lots of internal resources
• You tell me .. (as said by Mirkovic et al.)‣ Intelligence and resources not co-located
‣ No accountability
‣ Control is distributed62
CSE543 - Introduction to Computer and Network Security Page
DDOS and the E2E • E2E (a simplified version): We should design the
network such that all the intelligence is at the edges.‣ So that the network can be more robust and scalable ‣ Many think is the main reason why the Internet works
• Downside:‣ Also, no real ability to police the traffic/content‣ So, many security solutions break this E2E by cracking open
packets (e.g., application level firewalls)‣ DDOS is real because of this …
63
CSE543 - Introduction to Computer and Network Security Page
Q: An easy fix?• How do you solve distributed denial of service?
64
CSE543 - Introduction to Computer and Network Security Page
Simple DDOS Mitigation• Ingress/Egress Filtering‣ Helps spoofed sources, not much else
• Better Security ‣ Limit availability of zombies, not feasible‣ Prevent compromise, viruses, …
• Quality of Service Guarantees (QOS)‣ Pre- or dynamically allocate bandwidth ‣ E.g., diffserv, RSVP‣ Helps where such things are available …
• Content replication‣ E.g,. CDS‣ Useful for static content
65
CSE543 - Introduction to Computer and Network Security Page
DOS Prevention - Reverse-Turing Tests
• Turing test: measures whether a human can tell the difference between a human or computer (AI)
• Reverse Turning tests: measures whether a user on the internet is a person, a bot, whatever?
• CAPTCHA - completely automated public Turing test to tell computers and humans apart‣ contorted image humans can read, computers can’t‣ image processing pressing SOA, making these harder
• Note: often used not just for DOS prevention, but for protecting “free” services (email accounts)
66
CSE543 - Introduction to Computer and Network Security Page
DOS Prevention - Puzzles• Make the solver present evidence of “work” done ‣ If work is proven, then process request‣ Note: only useful if request processing significantly more work
than
• Puzzle design‣ Must be hard to solve‣ Easy to Verify
• Canonical Example‣ Puzzle: given all but k-bits of r and h(r), where h is a
cryptographic hash function‣ Solution: Invert h(r)‣ Q: Assume you are given all but 20 bits, how hard would it be to
solve the puzzle?67
CSE543 - Introduction to Computer and Network Security Page
Pushback• Initially, detect the DDOS‣ Use local algorithm, ID-esque processing‣ Flag the sources/types/links of DDOS traffic
• Pushback on upstream routers‣ Contact upstream routers using PB protocol‣ Indicate some filtering rules (based on observed)
• Repeat as necessary towards sources‣ Eventually, all (enough) sources will be filtered
• Q: What is the limitation here?
R1 R2 R3 R4R1 R2 R3 R4
68
CSE543 - Introduction to Computer and Network Security Page
Traceback• Routers forward packet data to source‣ Include packets and previous hop …‣ At low frequency (1/20,000) …
• Targets reconstruct path to source (IP unreliable)‣ Use per-hop data to look at‣ Statistics say that the path will be exposed
• Enact standard‣ Add filters at routers along the path
R1 R2 R3 R4
R1 R2 R3
69
CSE543 - Introduction to Computer and Network Security Page
DDOS Reality• None of the “protocol oriented” solutions have really
seen any adoption‣ too many untrusting, ill-informed, mutually suspicious parties
must play together well (hint: human nature)‣ solution have many remaining challenges
• Real Solution‣ Large ISP police there ingress/egress points very carefully‣ Watch for DDOS attacks and filter appropriately
• e.g., BGP (routing) tricks, blacklisting, whitelisting
‣ Products in existing that coordinate view from many points in the network to identify upswings in
‣ Interestingly, this is the same way they deal with worms ...
70