Afcea 4 internet networks

Internet Networks

AFCEA - Cyber Operations, Lecture #5

Paul A. Strassmann, George Mason University, 5/22/2012

1

Attacks on Cyber Security

Social Media Attacks

2

Cyber Security is Asymmetric

• A phony “Robin Sage”, easily masquerading as an employee of the Naval Network Warfare command, was able to accumulate in a few months 300 friends on LinkedIn, 110 on Facebook and had 141 followers on Twitter.

• She connected with the Joint Chiefs of Staff, the CIO of the NSA, an intelligence director for the U.S. Marines and the a chief of staff for the U.S. House of Representatives.

3

A Social Media Cyber-Attack

1. The cybercriminal sets up a bogus profile, such as “Ana Maria”.

2. An encrypted malware string is coded as text and then uploaded into the bogus profile.

3. After the message enters into a customer’s machine it will search for the string, which will signal the beginning of the malware code.

4. The malware is then executed. If it is a Trojan or a bot, it can proceed to attack the customer’s computer or to propagate further.

4

Example of Bounties for Bug Catchers, by Google

$3,137 to Sergey Glazunov for bug 68666 $1,337 to Sergey Glazunov for bug 35724 $1,337 to Sergey Glazunov for bug 45400 $1,337 to Sergey Glazunov for bug 50553 $1,337 to Keith Campbell for bug 51630 $1,337 to Aki Helin from OUSPG for bug 59036 $1,337 to Sergey Glazunov for bug 65764 $1,337 to Sergey Glazunov for bug 70165 $1,000 to Tokuji Akamine for bug 30660 $1,000 to kuzzcc for bug 37383 $1,000 to Jordi Chancel for bug 40445

•http://dev.chromium.org/Home/chromium-security/hall-of-fame

•http://dev.chromium.org/Home/chromium-security/hall-of-fame

5

“Safe Browsing” Service- Two Factor Authentication

• Safe Browsing is a service provided by Google that enables applications to check URLs against Google's constantly updated lists of suspected phishing and malware pages.

• Here are some of the things you can do with the Safe Browsing service:

• Warn users before clicking on links that appear in your site when they lead to malware-infected pages.

• Prevent users from posting links to known phishing pages from your site.

• Check a list of pages against Google's lists of suspected phishing and malware pages.

6

Attacks on Cyber Security

Attack Prospects

7

Power of Microprocessors: A Historical Perspective

8http://www.jetpress.org/volume1/moravec.htm

Projected Development of Machine Intelligence

9

10

Outline of Internet Networks

Topology of Internet Networks

11

12

Internet Advantage

• Any properly configured computer can act as a host for a personal web-page.

• Any of several hundred million other computers can view that personal web-page.

• Any of several hundred million other computers can connect to another computer capable of delivering an information processing service.

13

Internet Liabilities

• 17,000+ partially secure, poorly connected networks with practically unlimited number of unverifiable points of access;

• The most frequently used security protocol (SSL- Secure Socket Layer) authenticates destination servers, but not the sending sources;

• Networks are mostly small, with large ISPs managing less than 10% of network traffic;

• Performance of the network depends on “peering relationships” between ISP (Information Service Providers), each providing network capacity and router switching capacity ;

• Delivery of packets cannot be guaranteed because network performance determined by routers that may not have sufficient capacity to handle traffic spikes.

Components of the Internet

• The (BGP) Border Gateway Protocol are ISP instructions for forwarding packets from one network link to another. BGP is unreliable if router tables are in error;

• Average broad-band web-page download time to LAN can be well over 0.5 seconds, if message “packet” traverses several “hops”;

• (DNS) Domain Name System can be compromised, by diversion of communications;

• Software robots (Botnets) can automatically proliferate and convey destructive software such as “worms”, “rootkits” or parasitic “malware” such as “Trojans” for finding “backdoors” into computers.

• Denial of service attacks can be launched.

Problems with Nets and Servers

• Capacity limitations for peak loads;• Congestion in access to data sources;• Excessive delays for global access;• Expensive to scale capacity for growth;• Problem not in bandwidth, but mostly in switching;• Depends on reliability and capacity of ISP “peers” to forward

data to the destination;• Conflicting economic interests among “peers” can inhibit

growth and performance.

16


Structure of Internet Protocols

17

Layer 7: ApplicationApplication Services

Layer 6: PresentationData Representation

Layer 5: SessionInter-host Communications

Layer 4: TransportEnd-to-End Connectivity

Layer 3: NetworkPath Determination

Layer 2: Data LinkLink Reliability

Layer 1: PhysicalSignal Transmission

The Internet “Stack”

OSI Protocols

19

All Packets Traverse All Stack Layers

20

All Internet Transmissions in “Hops” (Total elapsed time 6 seconds)

21

From: [email protected] 7 Dec 2008 15:05:39

1. Received: from 48151 invoked from network

2. Received: from localhost (localhost [127.0.0.1])

3. Received: from rn-out-0910.google.com

4. Received: by rn-out-0910.google.com

5. Received: by 10.100.255.10

6. Received: by 10.100.124.12

7. Received: by 10.65.53.19

8. Received: from qs1473.pair.com

9. Received: from localhost [127.0.0.1]

10. Received: from mta3.srv.hcvlny.cv.net

11. Received: from [10.240.3.210]

Forwarded-To: [email protected] 7 Dec 2008 15:05:45

Above message = 29 “packets”

mailto:[email protected]

mailto:[email protected]

All Internet Transmissions via “Packets”

22

HeaderSource Address Destination

Address Data

What is in an IPv4 Internet Packet Header

• 4 bits that contain the version, that specifies IPv4 or IPv6 packet,• 4 bits that contain the length of the header,• 8 bits that contain the Type of Service - Quality of Service (QoS), • 16 bits that contain the length of the packet,• 16 bits identification tag to reconstruct the packet from fragments,• 3 bits flag that says if the packet is allowed to be fragmented or not,• 13 bits identify which fragment this packet is attached to,• 8 bits that contain the Time to live (TTL) number of hops allowed• 8 bits that contain the protocol (TCP, UDP, ICMP, etc..)• 16 bits that contain the Header Checksum,,• 32 bits that contain the source IP address,• 32 bits that contain the destination address.

23

What Drives Computing to “the Edge”?

24

LAN Connection2 “hops”Latency: 0.01 seconds

MIDDLE MILE : 8-20 “hops”TCP Retransmits at each “hop”

Latency: 0.1 to 0.5 seconds

Channel Connection1 “hop”

Latency: 0.001 seconds

LOCAL WORKSTATION

CENTRAL COMPUTER

24

“Middle Mile” In Transmission Takes Microseconds

25

26

Example: “Hops” from Desktop to Server


IPv4 vs. IPv6

27

Is Conversion from IPv4 to IPv6 Necessary Now?

• Total capacity of IPv4 is 4.3 billion addresses.• Xerox, IBM, HP, Apple and Ford each have 16.8 million

addresses.• Xerox employment is 53,500.• DoD has available 134.2 million addresses

28http://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks

Current IPv4 vs. IPv6 Status

• IPv4 allows 32 bits for the Internet Protocol. • IPv6 uses a 128-bit address and supports a practically infinite

number of addresses.• As of the end of 2010 only 533 million unique IP addresses

have been assigned. • Though the USA currently has 26.4% of the global IP

population, it has obtained more than 50% of the IP addresses, while the quickly growing China is exhausting its allocation.

• There are enough IP addresses, on the average, except that they have been misallocated. An immediate rush into IPv6 in the USA cannot be justified.

29


Virtual Private Networks

30

VPN Features

• VPN offers site-to-site connectivity• The protocols are used for “tunneling” the traffic• The tunnel's termination point unpacks the protocol.• VPN enables several levels of security.• Cryptographic tunneling protocols provide confidentiality by

blocking intercepts and packet sniffing.• VPN allows sender authentication to block identity spoofing,

and message alteration.

31

Examples of VPN Protocols

• “IPSEC” VPN protocol developed for IPv6. • Transport Layer Security (SSL/TLS) can tunnel complete

network traffic.• Datagram Transport Layer Security (DTLS), solves

Transmission Control Protocol (TCP) issues.• Special fixes offered by Microsoft:

– Microsoft Point-to-Point Encryption (MPPE).– Microsoft Secure Socket Tunneling Protocol (SSTP).

• Secure Shell (SSH) VPN – Offers secure tunneling for inter-network links.

32


Network Switches

33

Internet Messages Pass Through Routers and Switches

34

RT

RT

RT

RT

RT

RT

RT

RT

RT

RT

RT

RT

RT= ROUTING TABLES

SWITCHROUTERS

SWITCH

Internet Switch that Connects ISPs

35

Principal Attack Scenarios on Internet Switches

• Flooding Attacks on a Switch• Address Resolution Spoofing• “Man-in-the-Middle” Attack• Denial of Service Attack• Switch Hijacking Attack• Spanning Tree Attack• The Root Claim Attack• Forcing Eternal Root Election Attack• VLAN Hopping Attack

36

Flooding Attacks on a Switch

• The Media Access Control (MAC) protocol defines for a switch what transmissions are allowed to access which connection.

• A switch will keep a Content Addressable Memory (CAM) table for identification of MAC destinations. CAM tables have a limited memory and will overflow.

• Attack tools that can auto generate +100,000 bogus entries per minute, which then overloads the switch so that it malfunctions.

37

VLAN Hopping Attack

• Virtual LANs (VLAN) make it possible to group users into logically separate networks.

• A switch partitions local area networks into isolated VLANs. The computers and peripherals are then restricted from communicating with each other.

• Separate subnets are compromised if an attacker manages to send across different zones (hopping). That will make VLAN subdivisions useless.

• For instance, a NIPRNET LAN could be used to initiate a denial of service against computers on SIPRNET.

38

Address Resolution Spoofing

• Attacker replaces the Address Resolution Protocol (ARP) cache on a switch with a forged mapping.

• It causes traffic to be redirected from the correct target to a target of the attacker’s choice.

• Allows an attacker to sniff the data flowing to a local area network. The traffic is then modified.

39

“Man-in-the-middle” Attack

• Adds a third party destination into the communications stream without the legitimate recipients being aware.

• The third party can extract passwords and confidential data.

40

Switch Hijacking Attack

• The switch will inject illegitimate connections that will pretend to be authentic.

• The added connections will take over control without the recipients being aware.

41

Spanning Tree Attack

• Allows the connection of multiple switches for LAN redundancy or as of spare links to form automatic backup paths.

• If the Spanning Tree Protocol (STP) is corrupted, communications will be re-routed to illegitimate links.

42

The Root Claim Attack

• Bogus bridge protocols are used to designate the attacker’s station as the new root bridge.

• Once in control a variety of malicious attacks can be launched by the attacker, including the sniffing of all messages for sensitive information and for passwords.

43

Forcing Eternal Root Election Attack

• Makes the network unstable by tampering with the Spanning Tree Protocol (STP) routing algorithm to keep searching for the root switch, without ever finding it.

• The network will be always in the root selection process, which will make the network unstable and potentially disabled.

44


Network Routers

45

Juniper T4000 router-240 GBPS per slot

46

Internet Routers That Connect ISPs to Backbone Nets

47

Border Gateway Attacks

• The Border Gateway Protocol (BGP) is the core routing protocol of the Internet. It maintains tables of networks that can be reached from routers.

• BGP makes routing decisions based on path availability, network policies and operating rules.

• The Border Gateway protocol does not assure data integrity and does not provide source authentication.

• BGP can be tampered with by making changes to the router software.

48

Principal Attack Scenarios on Internet Routers

• Promiscuous Mode Corruption• Router Table Attacks• Router Information Attacks• Shortest Path Attacks• Border Gateway Attacks• Border Gateway Poisoning

49

Corruption of Internet Routing Tables

• The rapid growth and fragmentation of Internet routing tables is the major threats to the integrity of Internet transmissions.

• Destination addresses are chosen by “routing tables”. If these routing tables get incorrect information, misrouting will occur.

• Routers tell packets of data which way to go. When an e-mail is sent from one private network to another, the router “decides” which packets should travel within the corporate private network and which should not.

http://pstrassmann.blogspot.com/2010/12/corruption-of-internet-routing-tables.html 50

Promiscuous Mode Corruption

• The router masquerade as a “super-user” with software control privileges. Many router operating systems make “super-user” privileges available for maintenance or for software updating reasons.

• The attacker uses the vendor instructions to acquire “super user” status.

• A promiscuous computer can monitor traffic to and from other computers on the Internet.

51

Router Table Attacks

• The content of a routing table update is continually modified to reflect changes in the configuration of the surrounding networks. An attacker will create messages that look legitimate and can be then inserted into the routing table.

• An attacker creates messages that look legitimate and can be then inserted into the routing table so that transactions can be redirected.

• Attacks on the routing table updates represent a high risk in the absence of a strong authentication mechanism. Password are insufficient for protecting military grade routers.

52

Router Poisoning Attacks

• Router poisoning is a method used to direct the formation of routing loops within networks.

• A “hop” count will indicate to other routers that a route is no longer reachable and should be removed from their respective routing tables.

• The desired destination for the packets will cease to function.

53

Shortest Path Attacks

• Each router passes the status of its links to its neighbors who in turn forward this information to other routers in the network.

• As result of such passing each router has the link information for all other routers and eventually has the picture of the entire network topology.

• In a compromised table the calculated shortest paths will be incorrect and the shortest paths will be purged.

54

Black Hole Attack

• By making use of router vulnerabilities, various kinds of attacks can be launched to compromise the routing through software changes.

• A special case is the “Black Hole” attack where the router directs a packet to a network where packets enter but do not come out.


Domain Servers

56

What Are the DNS Servers?

• The Domain Name System (DNS) is a globally distributed service that is foundational to the way people use the Internet.

• DNS uses a hierarchical name structure, and different levels in the hierarchy are each separated with a dot ( . )

• Computers use the DNS hierarchy to translate human readable names like <www.amazon.com> into the IP addresses like 192.0.2.1 that INTERNET can use to route transactions to one another.

57

Principal Attack Scenarios on Domain Name System (DNS)

• Address Starvation Attack • Attacks Using Rogue Servers• Attacks Using Bogus Default Gateway• DNS Database with Malicious Records• DNS Spoofing With a Sniffer• DNS Flooding Attack• Spoofed Responses to a DNS Server• Buffer Overflow Attack• Denial of Service Attack

58


Network Control

59

NOC Control Display

60

Seats Reserved for Countermeasure Specialists

61

Challenge

• How to automate monitoring, control and security tasks performed by >50,000 personnel now attending to computers at >500 server farms?

• How to migrate to a highly automated environment?

62

The Purpose of a Network Operations Center (NOC)

• To manage an automated network environment.• To function as the first line of defense for security.• To operate information warfare countermeasures.• To shift computing workloads to and from:

– Locked down internal production operations;– Test and Pre-production environments;– Internal “clouds” for legacy applications;– External “clouds” for fall back and added assets.

63

The NOC Becomes the Key to Net-Centricity

• Manages the migration from a device centric world to a customer centric world.

• Enables connecting from anywhere, by any means.• Offers access privileges only to authorized persons.• Allows purchasing of computer processing power

independent of circuit technology.• Makes it possible to associate computing services

according to a person’s roles or location.

64

Concept of Operations for Network Operations Center

65

• Network Operations Center (NOC) manages massively distributed virtual computers.

• The scale of NOC dictates the scope of information security safeguards.

• NOCs should be geographically distributed and redundant.

• The staffing of NOCs can offer huge economies of scale, depending on the capitalization of the staff.

• The NOC should include countermeasures as the first line of defence in the case of information warfare.

65

Security & Control Managed from the NOC

• Offers visibility into all machine resources and processes.

• Monitors and controls the execution of all applications.

• Set up traps for viruses, rootkits and malware before they can infect a system.

6666

Security Architecture Managed from the NOC

• Delivers a private network that is completely isolated from the public Internet except through a small number of controlled access gateways.

• Offers instant visibility of 100% of every network component (such as cabling, routers, switches, servers and end user appliances);

• Provides uninterrupted, redundant real-time monitoring of each transaction that is processed anywhere on the entire network;

• Offers instant switching of communications as well as of all computing assets to fall-back facilities to deliver.

6767

Example of NOC Operations

• NOCs account for every Internet Protocol (IP) address in the system, which includes all authorized desktops, laptops, smart-phones and RFIDs.

• Assuming insider attack, all network incidents, whether human or automatic, shall be followed up and documented for attack pattern analysis.

• Forensic and artificial intelligence methods will be applied to analyse attack patterns in the perpetual transactions library.

• Keeps inventories of LAN and WAN for identification of alternative paths under failure conditions.

6868

The Purpose of a Network Operations Center (NOC)

• To manage an automated network environment.• To function as the first line of defense for security.• To operate information warfare countermeasures.• To shift computing workloads to and from:

– Locked down internal production operations;– Test and Pre-production environments;– Internal “clouds” for legacy applications;– External “clouds” for fall back and added assets.

6969

Ultimate Purpose: NOCs Manage Connecting of the Clouds

• Extends Virtual Infrastructure beyond single data center • Uses secondary Data Center site for testing and overflow• Leverages geographically distributed resources • Rents resources from Service providers for capacity • Maintains IT Service Service Levels

Virtual Infrastructure

Resource Cloud

Test and Development Data Center

Primary Data Center

Virtual Infrastructure

7070

Software Defined Networks (SDN)

• SDN allows direct access to and manipulation of network devices such as switches and routers, both physical and virtual. It is the absence of an open interface to these devices that has led to the characterization of today’s networking devices as monolithic, closed, and mainframe-like. Protocol like SDN is needed to move network control out of the individual switches to centralized control software.

• SDN control software can control any SDN-enabled network device from any vendor, including switches, routers, and virtual switches. Rather than having to manage groups of devices from individual vendors, IT will be now able to use SDN-based orchestration and management tools to quickly deploy, configure, and update devices across the entire network.

71

The Future: Virtual Networks

72


Performance Metrics

73

NOCs Obtain Independent Uptime and Latency Metrics

7474

From the NOC Monitoring & Control Every Server Possible

7575

NOC Software Enables Diagnosis of the Status of Servers

7676

Utilization of Servers Monitored and Controlled from NOC

7777

Visibility of Virtual Machines at the NOC

7878

79

VISA Credit Card Case

• >1.3 billion Visa cards in circulation;

• Accepted at >24 million input sources, >160 countries;

• >50,000 decision rules for interoperability;

• Interoperability in >50 languages;

• Cash access at >one million ATMs;

• Capable of processing >6,200 transactions a second;

• Global response time <0.25 seconds;

• Interoperable with >21,000 financial institutions;

• Global Systems Integration Staff of 200;

Amazon Global Network of Private Servers

• Ashburn, VA • Dallas/Fort Worth, TX• Los Angeles, CA• Miami, FL• New York, NY• Newark, NJ• Palo Alto, CA• Seattle, WA• St. Louis, MO

• Amsterdam• Dublin• Frankfurt• London

• Hong Kong• Tokyo• Singapore

80

AKAMAI, a Telecomm Infrastructure Manager

• Manages 35,000 servers.• Servers hosted with Internet Service Providers (ISP)• NOC has 12 operating staff.• Most of the Akamai intellectual capital is in their NOC.• 99.98% uptime for “End-to-End” connections.

– Performance is inclusive of server failures, connectivity failures and network downtime, measured on a 24/7 basis.

• Akamai has $800M in revenues.

81


The Global Information Grid (GIG)

82

Origin of the Global Information Grid (GIG)

• In September 1992, Defense Management Report Decisions (DMRD) expanded DISA's role.

• DMRD 918 created the Defense Information Infrastructure (DII), now known as the Global Information Grid. At the same the Defense Information Systems Network was created to consolidate 122 DoD networks.

• DISA plans, designs, constructs, and analyzes the effectiveness of the U.S. military's cyberspace.

• DISA establishes the technological standards that make the GIG secure and reliable.

83

Large Internet Firms Offer Direct Links to Speed Connections_

84

26 Routers169 POP Switches

A 2004 Evaluation by the Government Accountability Office

• The most critical challenge ahead for DOD is making the GIG a reality.

• DOD has taken steps to define its vision and objectives for the GIG on paper.

• DoD is making heavy investments ($21 billion over 6 years) the GIG as well as on systems that dependent on the GIG.

• It is not known how DOD will meet GIG objectives.

85

SOURCE: GAO-04-858. 2004

DoD Policies on Building and Operating the GIG

86

GIG as the Cornerstone of Information Superiority

• GIG is the enabler of net-centric warfare.• The GIG makes up a secure, reliable network for

communications satellites, next-generation radios and military installations-based networks with expanded bandwidth.

• Increased budgetary pressures are starting to modify the term GIG.

• New concepts are emerging such as Cyberspace Operations which are revising what was the original version of GIG.

87

Questions

[email protected]

88

Required Reading

– The Internet’s Vulnerabilities Are Built Into Its Infrastructure, Paul A. Strassmann, November 2009

• http://www.afcea.org/signal/articles/templates/SIGNAL_Article_Template.asp?articleid=2109&zoneid=32

– Network-Centric Systems Need Standards and Metrics, Paul A. Strassmann, July 2009

• http://www.afcea.org/signal/articles/templates/SIGNAL_Article_Template.asp?articleid=2004&zoneid=32

– Can DoD Manage the Delivery of GIG Objectives?• http://pstrassmann.blogspot.com/2011/08/can-dod-manage-deliv

ery-of-gig.html

– Why the GIG Warrants Top Priority• http://pstrassmann.blogspot.com/2011/03/how-secure-is-virtual-

network.html

89

http://www.afcea.org/signal/articles/templates/SIGNAL_Article_Template.asp?articleid=2109&zoneid=32




http://pstrassmann.blogspot.com/2011/08/can-dod-manage-delivery-of-gig.html

http://pstrassmann.blogspot.com/2011/08/can-dod-manage-delivery-of-gig.html

http://pstrassmann.blogspot.com/2011/03/how-secure-is-virtual-network.html

http://pstrassmann.blogspot.com/2011/03/how-secure-is-virtual-network.html

Class Assignment

• Write a >200 word analysis of one of the topics in the required reading list :

• Analysis to include:– Discussion of favorable and unfavorable views about the issue– Your personal summary conclusion and recommendations

90

Technology

Afcea 4 internet networks