tcp/ip vulnerabilities
DESCRIPTION
TCP/IP Vulnerabilities. Outline. Security Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS. Internet design goals. Interconnection Failure resilience Multiple types of service Variety of networks Management of resources Cost-effective Low entry-cost - PowerPoint PPT PresentationTRANSCRIPT
TCP/IP Vulnerabilities
OutlineSecurity Vulnerabilities
Denial of Service
Worms
Countermeasures: Firewalls/IDS
Internet design goals1. Interconnection
2. Failure resilience
3. Multiple types of service
4. Variety of networks
5. Management of resources
6. Cost-effective
7. Low entry-cost
8. Accountability for resources
Where is security issues?
Why did they leave it out?Designed for simple connectivity
Network designed with implicit trustNo “bad” guys
Security may be provided at the edgeEncryptionAuthentication
Security VulnerabilitiesUnfortunately at every layer in the
protocol stack!
Network-layer attacks IP-level vulnerabilities Routing attacks
Transport-layer attacks TCP vulnerabilities
Application-layer attacks
Where do the problems come from?
Protocol-level vulnerabilities Implicit trust assumptions in design
Implementation vulnerabilitiesBoth on routers and end-hosts
Incomplete specificationsOften left to the imagination of programmers
IP-level vulnerabilitiesIP addresses are provided by the source
Spoofing attacks
Use of IP address for authenticationRemote command (rsh, rlogin) allows remote login
without explicit password authentication
Some known exploited IPARP SpoofingFragmentation Traffic amplification
Routing attacksDivert traffic to malicious nodes
Black-hole attackEavesdropping
Routing attacksNo authenticationsAnnounce lower cost route in Distance-Vector
BGP vulnerabilitiesPrefix hijacking
TCP-level attacksSYN-Flooding
Flood with incomplete connection to hold service resources
Session hijackSequence number guessingPretend to be a trusted host
Session TerminationForge packet to close a legitimate connection
Application VulnerabilitiesApplication Protocol Attack
SPAM
Phishing
etc.
OutlineSecurity Vulnerabilities
Denial of Service
Worms
Countermeasures: Firewalls/IDS
Denial of ServiceMake a service unusable by overloading the
server or network
Disrupt service by taking down hostse.g., ping-of-death
Consume host-level resourcese.g., SYN-floods
Consume network resourcese.g., UDP/ICMP floods
OutlineSecurity Vulnerabilities
Denial of Service
Worms
Countermeasures: Firewalls/IDS
Worm OverviewSelf-propagate through network
Typical Steps in Worm Propagation Probe host for vulnerable software Exploit the vulnerability Launches copy of itself on compromised host
Very fast spreading with short windows to react
The Case of Code-Red 1212thth July 2001 : Code-Red Worm (CRv1) began July 2001 : Code-Red Worm (CRv1) began
1919thth July 2001 : Code-Red Worm (CRv2) began July 2001 : Code-Red Worm (CRv2) began 359,104 hosts were compromised in approximately 24 hours359,104 hosts were compromised in approximately 24 hours
The total number of inactive hosts over time The number of newly inactive hosts per minute
http://www.caida.org/analysis/security/code-red/coderedv2_analysis.xml
Worm growth: Slow-start, Exponential phase, Slow decay
Code Red Spreads (I)July 19, Midnight – 159 hosts infectedJuly 19, Midnight – 159 hosts infected
Code Red Spreads (II)July 19, 11:40 am – 4,920 hosts infectedJuly 19, 11:40 am – 4,920 hosts infected
Code Red Spreads (III)July 20, Midnight – 341,015 hosts infectedJuly 20, Midnight – 341,015 hosts infected
Animation of Code Red Spreads
Animation SQL Slammer Spreads
OutlineSecurity, Vulnerabilities
Denial of Service
Worms
Countermeasures: Firewalls/IDS
Firewall A Firewall is a system or group of systems used to control A Firewall is a system or group of systems used to control
access between two networks using pre-configured rules or access between two networks using pre-configured rules or filtersfilters
How to filter?What to filter based on?
Packet Header FieldsIP source and destination addressesApplication port numbersICMP message types/ Protocol options etc.
Packet contents (payloads)
Some examplesBlock all packets from outside except for SMTP
servers
Block all traffic to/from a list of domains
Ingress filteringDrop all packets from outside with addresses inside
the network
Egress filteringDrop all packets from inside with addresses outside
the network
Typical Firewall Configuration• Internal hosts can access DMZ
and Internet
• External hosts can access DMZ only, not Intranet
• DMZ hosts can access Internet only
• Advantages?
• If a service gets compromised in DMZ it cannot affect internal hosts
InternetInternet
IntranetIntranet
DMZDMZ
XX
Sample Firewall Rule
Dst Port
Alow
Allow
Yes
Any
> 1023
22
TCP22
TCP> 1023
ExtIntOutSSH-2
IntExtInSSH-1
Dst Addr
ProtoAck Set?
ActionSrc PortSrc Addr
DirRule
Allow SSH from external hosts to internal hostsTwo rules
Inbound and outboundHow to know a packet is for SSH?
Inbound: src-port>1023, dst-port=22Outbound: src-port=22, dst-port>1023Protocol=TCP
Ack Set?
SYN
SYN/ACK
ACK
Client Server
Intrusion Detection IDS is an automated system intended to detect IDS is an automated system intended to detect
computer intrusionscomputer intrusions
To identify, preferably in real-time, unauthorized To identify, preferably in real-time, unauthorized use, misuse, and abuse of computer systemuse, misuse, and abuse of computer system
Basic IDS Architecture
Detector
System
Countermeasure
Database
Configuration
Audits
Alarm
Action
Detection MethodMisuse DetectionMisuse Detection
Looking for the attempts to exploit known vulnerabilities or Looking for the attempts to exploit known vulnerabilities or attack patternsattack patterns
Typically low false alarmsTypically low false alarms Difficult to gather all attack signaturesDifficult to gather all attack signatures
Anomaly DetectionAnomaly Detection Observing a deviation of normal behavior of system or user to Observing a deviation of normal behavior of system or user to
detect intrusionsdetect intrusions Can detect a new or unseen vulnerabilities or attack patternsCan detect a new or unseen vulnerabilities or attack patterns Typically a lot of false alarmsTypically a lot of false alarms
Audit Source LocationHost/IDSHost/IDS HostHost HostHost
IDSIDS HostHost HostHost
Host based IDSHost based IDS
Network based IDSNetwork based IDS
Next Generation FirewallLayer 7 Content InspectionLayer 7 Content Inspection
Integration of Firewall/IDS Integration of Firewall/IDS
SummarySecurity vulnerabilities are real!
Protocol or implementation or bad specs Poor programming practices At all layers in protocol stack
DoS/DDoS Resource utilization
Worm Exponential spread Scanning strategies
Firewall/IDS Counter-measures to protect hosts Fail-open vs. Fail-close?