1 final introduction ---- web security, ddos, others cliff c. zou cap6133 04/07/08
Post on 12-Jan-2016
1
Final Introduction ---- Web Security, DDoS, others
Cliff C. Zou, CAP6133, 04/07/08
2
Web-based Security Challenge
Trend: all or most applications are moving to the WWW platform: databases, remote configuration, email, data hosting, video/music on demand, e-commerce, ...
Complicated applications require interactive web browsers.
Browsers support downloadable executables and plug-ins: ActiveX, JavaScript, Flash player, ...
Many users have no idea about the security of the plug-ins they download.
3
Web-based Attacks
Phishing: a fake website that collects user account information. Usually correlated with spam and botnets.
Spyware: secretly installed in the form of a plug-in; comes bundled with free software/games.
Worm: exploits a browser vulnerability to spread, e.g., Nimda.
4
Crawler-based Security Defense
Central idea: a honeypot, on the client side.
Use a VM with a vulnerable browser to connect to a suspicious web server.
Trick the malcode into installing itself in the VM's browser; analyze it, and then restart a clean VM for the next round.
Automatic, active crawling: actively find web servers and connect to them; automatically execute simple user interactions (download, install ActiveX controls, run JavaScript, install plug-ins).
5
Distributed Denial of Service (DDoS) Attack
Send a large amount of traffic to a server so that it has no resources left to serve normal users.
Attack formats:
  Consume the target's memory/CPU resources: SYN flood (see the backscatter paper presented before), expensive database queries, ...
  Congest the target's Internet connection: attack traffic from many sources overwhelms the target's link. Very hard to defend against.
6
Why is DDoS hard to defend against?
The Internet IP protocol has no built-in security: there is no authentication of the source IP.
  A SYN flood can use faked source IPs. (The source IP is genuine only once a TCP connection has been set up, because the client must receive the server's SYN/ACK to complete the handshake.)
Servers are supposed to accept unsolicited service requests.
Lack of ways to collaborate within the Internet community: how can you ask an ISP in another country to block certain traffic for you?
7
DDoS Defenses
Increase server capacity: a cluster of machines, multi-CPU machines, a larger Internet access link.
Use an Internet web caching service, e.g., Akamai.
Defense methods (many still in the research stage):
  SYN cookies (http://en.wikipedia.org/wiki/SYN_cookies)
  SOS (Secure Overlay Services)
  IP traceback
8
SYN Cookies
SYN flood attack: fills up the server's SYN queue (the table of half-open connections).
Property: the attacker does not respond to the SYN/ACK from the victim.
Defense:
  Fact: a normal client responds to the SYN/ACK.
  Remove the initial SYN queue: the server keeps no per-connection state until the handshake completes.
  The server encodes the information it needs in the TCP initial sequence number of its SYN/ACK, and uses the value the client echoes back in its ACK (ack number minus one) to reconstruct the initial SYN.
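The encode/decode step described above, as an added example that is not part of the lecture: a simplified SYN-cookie generator and validator in Python, modelled on the classic 32-bit layout (a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash of the connection 4-tuple). The MSS table, the two-tick validity window, the addresses and the hypothetical handshake in handshake_demo() are constructed for illustration; real stacks also fold the client's initial sequence number into the cookie, which is left out here for clarity.

```python
import hashlib
import hmac
import os
import struct

# Added example (not the lecture's code): simplified SYN cookie, laid out as
#   bits 27-31 : t, a slowly ticking counter (mod 32), so cookies expire
#   bits 24-26 : index into a small MSS table (what the client's SYN asked for)
#   bits  0-23 : keyed hash of (src IP, src port, dst IP, dst port, t)
# The server stores nothing per half-open connection; everything it needs
# comes back in the client's ACK.

MSS_TABLE = (536, 1300, 1440, 1460)   # assumption: 4 entries; real stacks differ
SECRET = os.urandom(32)               # server-wide key; rotated periodically in practice


def _mac24(src_ip, src_port, dst_ip, dst_port, t):
    """24-bit keyed hash over the 4-tuple and the counter value."""
    msg = struct.pack("!4sH4sHI", src_ip, src_port, dst_ip, dst_port, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def encode_mss(mss):
    """Index of the largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, t):
    """ISN for the SYN/ACK. Called when a SYN arrives; no state is kept."""
    t &= 0x1F
    return (t << 27) | (encode_mss(mss) << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, t)


def check_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now, window=2):
    """Validate the value echoed in the ACK (ack_num - 1).

    Returns the MSS to use for the reconstructed connection, or None if the
    cookie is stale or was not generated for this 4-tuple.
    """
    t = cookie >> 27
    age = (now - t) & 0x1F            # wraparound-aware 5-bit difference
    if age > window:
        return None
    if (cookie & 0xFFFFFF) != _mac24(src_ip, src_port, dst_ip, dst_port, t):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


def handshake_demo():
    """Constructed exchange: a real client, a guessed ACK, a replay, a stale ACK."""
    client = (bytes([10, 0, 0, 5]), 40000)      # constructed addresses
    server = (bytes([192, 0, 2, 1]), 80)
    t = 7
    # SYN from client -> server answers SYN/ACK with seq = cookie, stores nothing.
    cookie = make_cookie(*client, *server, 1460, t)
    return {
        # Legit client received the SYN/ACK and echoes cookie+1 in its ACK.
        "legit": check_cookie(cookie, *client, *server, now=t + 1),
        # A flood source never saw the SYN/ACK; a guessed value fails the hash (1 in 2^24).
        "guessed": check_cookie(cookie ^ 0x1234, *client, *server, now=t + 1),
        # The same cookie replayed from a different source address.
        "replayed": check_cookie(cookie, bytes([10, 0, 0, 6]), client[1], *server, now=t + 1),
        # Valid cookie but too old: the counter has advanced beyond the window.
        "stale": check_cookie(cookie, *client, *server, now=t + 5),
    }
```

The point to notice is what the cookie cannot carry: only a few bits of the client's options survive (here the MSS, rounded down to a table entry), which is why real stacks enable cookies only once the SYN queue is actually under pressure.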
9
DoS spoofed-attack defense: IP traceback
Suppose a victim can call upstream ISPs to block certain traffic.
SYN flood: which traffic should be blocked? The source addresses are spoofed.
IP traceback: find the real attacking hosts (or the routers nearest to them) behind a SYN flood.
  Based on a large number of attacking packets.
  Needs a little help from routers (packet marking).
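The packet-marking idea, as an added example that is not part of the lecture: a Python simulation of probabilistic packet marking in its simplest form (node sampling, as in Savage et al.'s IP traceback scheme). Each router on the attack path overwrites a mark field with its own identity with probability p; the victim ignores the spoofed source address entirely and orders routers by how often their mark arrives. The eight-router topology, the packet counts and the 'mark' field are constructed assumptions (the real scheme squeezes the mark into the 16-bit IP identification field and uses edge sampling with a distance counter).

```python
import random
from collections import Counter

# Added example (not the lecture's code): node-sampling packet marking.
# Assumption: each packet has a 'mark' field that routers may overwrite.


def forward_packet(path, p, rng):
    """One packet from the attacker over `path` (attacker's side first).

    Returns the mark it carries on arrival at the victim, or None if no
    router marked it.
    """
    mark = None          # attacker sends packets with a spoofed source and no mark
    for router in path:
        if rng.random() < p:
            mark = router    # a later router overwrites an earlier mark
    return mark


def victim_collect_marks(path, p, n_packets, seed=1):
    """Marks seen by the victim across a flood of n_packets spoofed packets."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_packets):
        mark = forward_packet(path, p, rng)
        if mark is not None:
            counts[mark] += 1
    return counts


def reconstruct_path(counts):
    """Routers ordered from the victim outward.

    A router d hops from the victim has its mark survive with probability
    p(1-p)^(d-1): the nearest router is overwritten least often, so mark
    frequency decreases with distance.
    """
    return [router for router, _ in counts.most_common()]


def expected_marks(n_packets, p, distance):
    """Expected number of surviving marks from the router `distance` hops away."""
    return n_packets * p * (1 - p) ** (distance - 1)


def traceback_demo(n_packets=20000, p=0.5):
    # Constructed topology: attacker -> R8 -> R7 -> ... -> R1 -> victim.
    attack_path = [f"R{i}" for i in range(8, 0, -1)]
    counts = victim_collect_marks(attack_path, p, n_packets)
    return {
        "true_path_from_victim": list(reversed(attack_path)),
        "reconstructed": reconstruct_path(counts),
        "marks_from_farthest": counts["R8"],
        "expected_from_farthest": expected_marks(n_packets, p, 8),
    }
```

expected_marks() shows why the slide says "based on a large amount of attacking packets": with p = 0.5 only one packet in 256 still carries the mark of a router eight hops out, so a short flood gives too few samples to order the far end of the path. Node sampling is also the version an attacker can poison, since a forged mark survives with probability (1-p)^d, comparable to the farthest genuine router's; the published schemes address this with edge sampling and p chosen accordingly.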
10
SOS: Secure Overlay Services
Central idea: put many machines in front of the server to answer TCP connections (an overlay network). Only these overlay nodes set up connections with clients and relay the traffic to the server; the identity (address) of the server itself is kept secret, so attackers have no single target to flood.
11
Security Patch Issue
Fix vulnerabilities faster by automatic patching (e.g., Windows XP automatic updates).
Problem: patches are not reliable.
  They can crash or disrupt running applications; many patches require a reboot.
  Not realistic for important servers.
12
Shield
Central idea: a non-disruptive, temporary defense applied before the patch. Vulnerability-specific, exploit-generic.
When a vulnerability becomes known, analyze it and develop a shield filter on the vulnerable port that blocks any input satisfying the vulnerability's trigger condition, whatever the exploit payload looks like.
E.g., for an overflow of strcpy(), filter any input longer than the defined buffer size.
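The strcpy() example above, as an added example that is not part of the lecture or of the Shield project's code: a Python shield-style filter for a constructed toy line protocol, placed beside a signature-based rule to show the "vulnerability-specific, exploit-generic" difference. The "USER <name>" command, the 64-byte buffer, the hypothetical server that copies the field with strcpy(), and all traffic samples are constructed assumptions.

```python
import re

# Added example (not the lecture's code). The hypothetical server handles
# "USER <name>\r\n" by strcpy()ing <name> into a 64-byte stack buffer. The
# shield knows only the vulnerability's trigger condition (field longer than
# the buffer) and nothing about any particular exploit payload.

VULN_BUFFER_SIZE = 64                 # assumption: size of the overflowed buffer
MAX_SAFE_NAME = VULN_BUFFER_SIZE - 1  # strcpy() also writes the terminating NUL

USER_CMD = re.compile(rb"USER ([^\r\n]*)\r\n\Z")


def shield_filter(msg):
    """Vulnerability-specific check. Returns (allowed, reason)."""
    m = USER_CMD.match(msg)
    if m is None:
        return True, "not the vulnerable command; passed through untouched"
    name_len = len(m.group(1))
    if name_len > MAX_SAFE_NAME:
        return False, f"USER field is {name_len} bytes, buffer holds {MAX_SAFE_NAME}"
    return True, "USER field within bounds"


# For contrast: a signature for one specific known exploit (a NOP sled), the
# kind of rule a signature-based IDS would ship.
KNOWN_EXPLOIT_SIGNATURE = b"\x90" * 16


def signature_filter(msg):
    """Exploit-specific check. Returns True if the message is allowed."""
    return KNOWN_EXPLOIT_SIGNATURE not in msg


# Constructed traffic samples (not captured data).
SAMPLES = {
    "legit": b"USER alice\r\n",
    "legit_max": b"USER " + b"a" * 63 + b"\r\n",             # 63 + NUL fits exactly
    "off_by_one": b"USER " + b"a" * 64 + b"\r\n",            # 64 + NUL into 64: overflow
    "exploit_nop_sled": b"USER " + b"\x90" * 200 + b"\xcc" * 20 + b"\r\n",
    "exploit_variant": b"USER " + b"A" * 200 + b"\xcc" * 20 + b"\r\n",   # same bug, no sled
    "other_command": b"PASS " + b"x" * 500 + b"\r\n",        # not the vulnerable path
}


def compare_filters(samples=SAMPLES):
    """Map each sample name to (shield_allows, signature_allows)."""
    return {name: (shield_filter(msg)[0], signature_filter(msg))
            for name, msg in samples.items()}
```

The variant without the NOP sled slips past the signature but not the shield, and the shield leaves the PASS command and every in-bounds USER alone; that selectivity is what makes it deployable without disrupting the service. The cost is that the shield must parse the protocol far enough to locate the vulnerable field, which is the real engineering work behind the one-line rule on the slide.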