
Service Availability : Betting website vs online radio


Service availability: Betting website versus independent online radio

Online radio and online betting are both used in day-to-day life, and it is very important that these websites are completely available, as the consequences of unavailability would be threatening. The first part of the essay discusses the design of an online radio system and of an online lottery. The next section covers the security design of both systems, followed by an analysis of Denial of Service attacks on both systems. Then we analyze the security principles that are common to, and different between, the two systems.

1. Design of an Online Radio

An online radio comprises three major participants: the DJ, the audience interacting with the DJ, and the other audience. The systems used consist of an uploading channel where the audio content (the interviews, music, etc.) is converted into streams of data and fed over the Internet to reach the listeners. [1] The listener has an appropriate audio decoder to decode the data stream back into playable audio files. Internet radio stations broadcast their content using either unicast or multicast links. There are several mechanisms by which a listener can tune in to the broadcast. They tune in either by entering the IP address or by accessing the native website, such as an online broadcast site (e.g. www.radiostations.co.uk).

Further, the computers should also authenticate the validity of the stream and verify that it is coming from the legitimate channel. The stream should not interfere with any other channel. It should be noted that not all online radio services need the user to register, and hence the user can listen to the broadcast even without being a member.

[Figure 1a: Uplink process in Online Radio. Steps shown: Audio Broadcast; Convert audio to data stream; Encode the data stream with a secret key.]

2. Design of Online Lottery

An online lottery system mainly consists of a lottery management server connected to an open network, and a database connected to the processor. [2] The processor collects lottery ticket sales information from a terminal connected to an open network. The processor stores the lottery ticket sales information in the database. The processor transfers funds from a user account when a lottery ticket is purchased. Each lottery ticket is unique and is mapped to a single user (using his log-in credentials). The unique ID is stored in the database, and all the unique IDs associated with the lottery numbers are submitted to the lottery control server.

The lottery management server, acting as a provider and authority for Internet lottery, may issue the serial number and confirmation code, which may be stored with the participant's ticket information in a secure database. After all number sets are processed, the confirmations are stored in the database.

The lottery management server tracks the purchased numbers, storing them in association with the participant identification information along with confirmation data or other data necessary to the lottery game. The summaries of the data or analysis of the data may be delivered to a state lottery organization.

When the lottery authority issues the winning numbers, the control server provides the winning numbers to the management server, which matches them against the purchased ticket numbers, and the winners are identified. The lottery management server may transfer the winnings from a lottery bank account to the winning participant's virtual wallet. The money in the virtual wallet may be transferred to the participant's bank account or used to purchase further lottery tickets.

[Figure 1b: Downlink process in Online Radio. Steps shown: Receive Broadcast from the Internet; Match the encryption key with the audio decoder; Decode the audio stream; Listener can play.]

[Figure 2: Online Lottery Systems. Labels shown: Internet; UID database; Lottery Management Server; Lottery Control; Lottery Management Functions.]

3. DENIAL OF SERVICE ATTACKS

Before discussing the security policies of the two systems, it is important to know about the various kinds of Denial of Service (DoS) attacks and about the detection and prevention schemes. [5] [6] In a DoS attack, an adversary floods the network with many requests and uses full connectivity of the Internet. A DoS attack can be either a single-source attack, originating at only one host, or a multi-source attack (Distributed DoS), wherein multiple hosts flood the user with attack packets. DoS attacks attempt to exhaust or disable access to network bandwidth, computing power, or operating system data structures. [4]

3.1 Types of DoS Attacks

A. Zombie Attack: An adversary attacks Internet hosts by exploiting security holes and installs the attack tools on the zombie systems, and hence is able to attack any victim. Using this advantage, the adversary sends packets which have an incorrect checksum, wrong header values or invalid flag combinations. [3]

B. Software Exploits: The adversary sends packets which would install software bugs within the OS or application to disable the victim. [3]

C. Flooding Attacks: The most common DoS attack, in which the adversaries send packets that flood the link and disrupt the bandwidth or computing resources. [3]

D. Reflector Attacks: These attacks masquerade the adversary or amplify an attack. By spoofing the IP address in the source field of the request, the host is used as a reflector and directs all the responses back to the victim, hence blocking him from network access. A packet sent to the broadcast address requests a response from every host on the LAN, and these hosts hence act as amplifiers. As these pretend to be legitimate hosts, they are difficult to identify and remove. [3]

E. Targeted Attacks: By injecting interference into the control packet, a particular victim is chosen to receive these, and hence his actions are crippled. [3]

F. Jamming Attacks: "A constant jammer continually emits radio signals of a completely random sequence of bits, electromagnetic energy transmissions. The goal of this type of jammer is twofold: (a) to pose interference on any transmitting node in order to corrupt its packets at the receiver and (b) to make a legitimate transmitter sense the channel busy, thereby preventing it from gaining access to the channel.

The deceptive jammer continually injects regular packets on the channel without any gaps between the transmissions. This makes an overhearing user believe that there is a legitimate transmission going on. Consequently, every node will remain in the listening state even if it has data to transmit. An important difference is that deceptive jamming is harder to detect using network monitoring tools, since these tools will sense legitimate traffic on the medium." [3]

3.2 Intrusion detection

A. Traceback: This involves backtracking the network traffic information to a particular IP address and hence triangulating the position of the adversary. This is effective when the traffic rates and packet types are known. But in the case of multiple jammers, this scheme is not fruitful. [3] However, because attackers can forge most packet information, characterizing attacks as

B. Backscatter Analysis: "The backscatter technique allows detection of attacks that uniformly spoof source addresses in the complete IP address space. E.g.: Moore et al used backscatter analysis and detected 12,805 attacks during a period of 3 weeks. However, this technique fails to detect reflection techniques, subnet spoofing." [4]

C. Spectral Analysis: During a high volume DoS attack, the change in periodicities is identified in the traffic and the analysis is made to find out the adversary. [4]

D. Consistency check:

a) Signal strength consistency check: "If we measure low PDR and high RSS then it is most likely that the node is jammed. On the other hand, if we measure low PDR with low RSS, then this can be due to a network failure or poor link quality."

b) Location consistency check: "The detection system measures the PDR, along with the location of the neighbors of the node under consideration."

(Note: PDR = Packets That Pass The CRC / Packets Received; RSS = Received Signal Strength) [3]

E. Wireless Distributed Intrusion detection system: The nodes in the network monitor the traffic and list the evidence relating to the events taking place, e.g. packet quantity, idle period time stamps, number of corrupted packets, etc. When a list is created for the users, the nodes exchange the lists and match the events to get a clear picture of the events occurring in the network and also to differentiate between channel failures and a jamming attack. But this is not viable for real-time detection, as the exchange would not work during the period of attack. [3]

F. Packet Header Analysis: "From header analysis we can make several observations about the prevalence of attack techniques in the wild. First, 87% of the zombie attacks use illegal packet formats or randomize fields, indicating the presence of root access on the zombies." [4]

G. Arrival Late Analysis: By analysis of the time at which the packets reach the victim, an analysis can be made based on the clustering at the lower packet rates or the higher rates, as these determine the aggregation of traffic.

Intrusion Prevention

A. Frequency Hopping: Frequency hopping can be either reactive or proactive. In the reactive case, on realizing that the network is jammed, the node switches to a different channel and sends a beacon message on the new channel. Hence the non-jammed neighbors sense the absence and change their bands of operation to check for beacons. If the beacons are not sent, they assume that the node has lost its way. If a beacon is found, the networks change their channel and the entire network works on this non-jammed channel. The drawback would be multiple devices jamming different bands, hence making the whole spectrum useless, in which case frequency hopping would not work. [3]

B. Spatial Retreats: When a node senses a jammed network, it executes a detection algorithm, trying to stay connected with its previous neighbors by moving along the boundary of the jammed area. [3]

C. Spread Spectrum: "This technique decreases the potential interference to other receivers, by making use of a sequential, noise-like, signal structure to spread the narrow band information signal over a relatively wider (radio) frequency. The receiver correlates the received signals to retrieve the original information signal and hence prevents DoS." [3]

D. Covert channels: "In a jamming environment where only the reception of a packet is being affected, the receiver can identify the reception of a (corrupted) packet. By encoding data based on the inter-arrival times between received corrupted packets, a low rate channel under jamming can be established." [3]

E. Protocol Mechanism Hopping: SPREAD (Second-generation Protocol Resiliency Enabled by Adaptive Diversification) provides robustness against intelligent jamming attacks by choosing and hopping across various protocol parameters based on the strategy being used by the jammer. SPREAD hinders the effectiveness of the jammer by hiding the underlying vulnerabilities that the jamming entity tries to exploit. [3]

F. Virtual Server: This server stores a copy of the data in the actual server. When an attacker is busy flooding the lines from the server known to him, the virtual server can send the packets to the legitimate user. This would not work when the attacker tries to sabotage the network connecting to the user instead of flooding the server.

4. SECURITY DESIGN OF ONLINE RADIO

The security of the online radio is of prime importance, as the information being broadcast is political and hence would have more listeners, and the company cannot afford any mistakes, as these would affect its reputation, lose audiences, and cause the listeners to miss the important highlights. [7] The policies of prime importance would be

1. Availability: To ensure continuity of the broadcast without any interference, delays or disturbances. (Uninterrupted, timely, secure or free from error)

2. Confidentiality and integrity of the user's log-in data, IP address

3. Anonymity: if the user does not wish to log-in

4. Authenticity: The details shared should be authentic

The principals of this system are the users of the online radio service, the listeners of the radio interview. The assets for this system are the audio data streams and the reputation of the company. The trusted computing base consists of the database where the audio files are stored after recording, the listeners who sign on, the OS of the listeners, the audio encoder and decoder, the secure network and the hardware used for the transmission. The threat model can be described as follows: an adversary may obtain the passwords of the users logged in to use the service, or may jam the service by any of the DoS attacks mentioned earlier using resources like bandwidth or a weakness in the network, or bypass the listeners so that they hear a show spoofed with their resources while the actual show is blocked. In the given scenario of recent DoS and blocking, the property that was violated is "Availability".

4.1 How to ensure "Availability"

The availability of the online radio can be brought about by efficient detection and prevention of DoS attacks. The company can try to use the following prevention mechanisms: spatial retreats (as moving away from the locality of the DoS emitter would render the attack useless), covert channel, and protocol mechanism hopping. These mechanisms are by far the best for an online radio system, as the number of users accessing the system is unknown and the system has a wide range of audience who are not confined to a single area. An attacker would have to jam a wide spectrum to block the availability of the service. By implementing the covert channel, a low rate channel under jamming can be established and hence the availability would be increased.

5. SECURITY DESIGN OF AN ONLINE LOTTERY SYSTEM

As we are dealing with the money of the users and the company as well, the security design of the online lottery system is more complicated than that of the online radio station. It is to be noted that the adversary for this system can be a user as well as a third party agency or a competitor [8]. The security policies involved would be

1. Availability: The user should be able to view the draws and participate at any time and at any place (Uninterrupted, timely, secure or free from error)

2. Confidentiality and integrity of the user's log-in data, IP address, logs of purchases, logs of victory

3. Integrity in terms of giving the prize money to the right person

4. No repetition: Care should be taken that no user logs in twice from the same account at the same instance to accept the prize, as in some cases, the prize gets credited twice by mistake.

5. Anonymity: To safeguard the details of the users from one another, from third parties

The principals of this system are the users who have logged into the service, the participants of the lucky draw who have bought the tickets in shops, and the lottery house. The assets of the system are the physical and virtual lottery tickets, the unique number created for the lottery, the reputation of the lottery company, and virtual money. The trusted computing base is similar to that of the online radio, with the addition of the lottery servers, which decide the winning contestants. The threat model is similar to that of the online radio, but in addition an adversary can be a selfish user who tries to sabotage the network to increase his winning chances, and a user can influence the random ticket chooser and hence win the  (Elevation of privilege).

5.1 How to ensure "Availability"

Availability being a major responsibility for the system, DoS prevention methods like frequency hopping, spatial retreats, spread spectrum and protocol mechanism hopping can be used, as the system includes the details both of users who do not use the computer and of those who do. The DoS detection methods include traceback, backscatter, spectral and header analysis as well as the consistency check. Similar to the online radio system, the adversary would have to jam a wide spectrum to block the availability of the service. Using a consistency check would work best in this system, as the network traffic is highly regulated in this scheme.
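The signal strength consistency check quoted in section 3.2 D and recommended in 5.1, written out as an added example (it is not code from the essay or from its references). The thresholds, the `Window` record, the three-window debounce and the sample measurements are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed thresholds (not from the essay); calibrate on a known-good link.
PDR_LOW = 0.5          # below this the window counts as "low PDR"
RSS_HIGH_DBM = -70.0   # at or above this the window counts as "high RSS"


@dataclass(frozen=True)
class Window:
    """One measurement window at a receiving node (hypothetical record)."""
    received: int    # packets received in the window
    crc_ok: int      # packets that passed the CRC
    rss_dbm: float   # mean received signal strength in the window


def pdr(w: Window) -> float:
    """PDR = packets that pass the CRC / packets received."""
    if w.crc_ok < 0 or w.crc_ok > w.received:
        raise ValueError("crc_ok must be between 0 and received")
    # Assumption: the peer transmits continuously, so an empty window
    # means nothing was delivered rather than an idle link.
    return w.crc_ok / w.received if w.received else 0.0


def classify(w: Window) -> str:
    """Low PDR + high RSS -> jammed; low PDR + low RSS -> link fault."""
    if pdr(w) >= PDR_LOW:
        return "ok"
    return "jammed" if w.rss_dbm >= RSS_HIGH_DBM else "link-fault"


def detect(windows, consecutive: int = 3):
    """Return (index, verdict) once a non-ok verdict has held for
    `consecutive` windows in a row, so one bad window raises no alert."""
    alerts = []
    run_label, run_len = "ok", 0
    for i, w in enumerate(windows):
        label = classify(w)
        if label == run_label:
            run_len += 1
        else:
            run_label, run_len = label, 1
        if label != "ok" and run_len == consecutive:
            alerts.append((i, label))
    return alerts


# Constructed sample: a jamming episode, one isolated bad window,
# then a sustained weak-signal episode.
SAMPLE = [
    Window(200, 196, -62.0),
    Window(190, 40, -58.0),
    Window(180, 12, -55.0),
    Window(0, 0, -54.0),      # nothing decodable, channel still loud
    Window(150, 30, -57.0),
    Window(210, 205, -63.0),
    Window(60, 10, -88.0),    # isolated low-RSS window, no alert
    Window(200, 190, -64.0),
    Window(40, 5, -90.0),
    Window(35, 3, -91.0),
    Window(20, 1, -92.0),
]

if __name__ == "__main__":
    for index, verdict in detect(SAMPLE):
        print(f"window {index}: {verdict}")
```

The debounce matters for availability monitoring: alerting on a single low-PDR window would flag ordinary fading as an attack.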

6. ANALYSIS OF SECURITY PRINCIPLES

| POLICY | SIMILARITY | DIFFERENCES: ONLINE RADIO | DIFFERENCES: ONLINE LOTTERY |
|---|---|---|---|
| Security Policy | Availability, Confidentiality and Anonymity | Authenticity | Integrity, non-repetition |
| Access List | Users through web sign-in | Anonymous users who do not sign up | Users who buy the tickets from shops to participate |
| DoS Prevention Mechanism | Spatial Retreats, Protocol mechanism Hopping | Covert Channel | Frequency hopping, spread spectrum |
| DoS Detection Mechanism | Backscatter Analysis, Spectral Analysis, Consistency Check | Wireless Distributed Intrusion detection system, Arrival late analysis | Traceback, Header analysis |
| Adversaries Access | DoS attack, compromise Log-in | 1. Can listen to the show and replay something else 2. Create Distortions or noise | 1. Can jam the system and increase the chances of winning 2. Can influence the random lottery chooser to win |

SUMMARY

As the use of the Internet increases for day-to-day activities, the security over the Internet should also increase proportionately. It is therefore important to incorporate the standards discussed above to safeguard the Online Radio and Online Lottery system from actions of adversaries, which would cause unavailability and breaches in privacy, secrecy and other policies.

REFERENCES

1. DAVID D. MINTER, A. S. B. Jun. 10, 2003. INTERNET RADIO SYSTEM WITH SELECTIVE REPLACEMENT CAPABILITY. United States patent application 09/465,740. Jun. 10, 2003.

2. ROBERT ZIEGLER, S., TX (US). Dec. 4, 2004. METHOD AND SYSTEM FOR LOTTERY TRANSACTIONS OVER AN OPEN NETWORK. United States patent application 11/005,499. Jul. 14, 2005.

3. KONSTANTINOS PELECHRINIS, M. I. A. S. V. K. 2011. Denial of Service Attacks in Wireless Networks: The Case of Jammers. VOL. 13, 245 - 257.

4. PAPADOPOULOS, A. H. J. H. C. 2003. A Framework for Classifying Denial of Service Attacks. SIGCOMM'03. Karlsruhe, Germany.

5. KEVIN J. HOULE, C. C. & GEORGE M. WEAVER, C. C. October 2001. Trends in Denial of Service Attack Technology. CERT® Coordination Center. Carnegie Mellon University: Carnegie Mellon University.

6. GARBER, L. 2000. Denial-of-Service Attacks Rip the Internet. Technology News.

7. CHUNG-MING HUANG *, P.-C. L. 2000. IDRS: an interactive digital radio station over Internet. The Journal of Systems and Software 51 (2000) 51, 229 - 243.

8. ANDERSON, R. 1999. How to Cheat at the Lottery (or, Massively Parallel Requirements Engineering). University of Cambridge Computer Laboratory, 19 - 28.