NETWORK SECURITY
EE122 Section 12
QUESTION 1
ABRUPT TERMINATION
[Diagram: timeline between hosts A and B: SYN, SYN ACK, ACK, Data, then A sends RST; a later Data segment from B elicits another RST]
- A sends a RESET (RST) to B
  E.g., because the application process on A crashed
- B does not ack the RST
  Thus, RST is not delivered reliably
- And: any data in flight is lost
- But: if B sends anything more, it will elicit another RST
END-TO-END SECURITY
- Application layer: TLS/SSL encrypts all application layer data … but does not encrypt the TCP header!
- Transport layer: TCP sequence number defends against blind spoofing … but not man-in-the-middle attacks
- Network layer: IPsec encrypts the entire IP payload, including the TCP header
[Figure: packet layout. TLS/SSL (Application Layer): IP Header | TCP Header | Encrypted Content. IPsec (Network Layer): IP Header | Encrypted IP Header | Encrypted TCP Header | Encrypted Content]
BLIND SPOOFING
- Need to know the sequence number
- How? Guess all numbers!
- Alternatively, infer it: first send a legitimate TCP SYN
  Let’s say the receiver responds with sequence number A
  Then spoof a TCP SYN assuming the receiver responds with A+1
- Defenses?
QUESTION 2
[Diagram: a /16 network and a packet with its Source IP field shown; builds add Egress Filtering, then Ingress Filtering]
What’s missing?
[Diagram: Receiver, Attacker, Source ???. Attacker sends SYN; Receiver sends SYNACK (seqno = y) to the claimed Source; ACK (ackno = k?)]
[Diagram: Receiver, Attacker, Source ???. … Receiver sends a Confirmation Request to the claimed Source; Confirmation Response]
Defenses?
[Diagram: Receiver, Attacker, Source ???. … Confirmation Request (123); Confirmation Response (456?)]
Nonce
QUESTION 3
[Diagram: You -- 100Mbps link -- Web server X -- 1Gbps link]
Web server X can comfortably handle the load you generate
DISTRIBUTED DENIAL-OF-SERVICE (DDOS)
[Diagram: Master -> Slave 1, Slave 2, Slave 3, Slave 4 -> Victim]
- Control traffic directs slaves at victim
- Slaves send streams of traffic (perhaps spoofed) to victim: src = random, dst = victim
REFLECTORS
[Diagram: Attacker (A) sends SYN across the Internet to Reflector (R); R sends SYNACK to Victim (V)]
- Cause one non-compromised host to attack another
- E.g., host A sends TCP SYN with source V to server R
  R sends reply to V
DIFFUSE DDOS: REFLECTOR ATTACK
[Diagram: Master -> Slave 1, Slave 2, Slave 3, Slave 4 -> Reflector 1 … Reflector 11 -> Victim]
- Control traffic directs slaves at victim & reflectors
- Request: src = victim, dst = reflector
- Reply: src = reflector, dst = victim
- Reflectors send streams of non-spoofed but unsolicited traffic to victim
MITIGATING DDOS
- No good defense…
- Solutions so far
  Overprovision
  Distribute service to multiple machines
QUESTION 4
[Diagram sequence: Andrew -> Steve]
1. Andrew -> Steve: E(M, Steve_pub)
2. A Man-In-The-Middle sits between Andrew and Steve
3. Man-In-The-Middle -> Steve: E(M’, Steve_pub)
4. Andrew -> Steve: E(M, Steve_pub), MAC(H(M), Andrew_private)   Andrew_pub ???
5. Andrew -> Steve: E(M, Steve_pub), MAC(H(M), Andrew_private), E(Andrew_pub, Steve_pub)
6. Man-In-The-Middle intercepts: MAC(H(M), Andrew_private), E(Andrew_pub, Steve_pub), E(M, Steve_pub)
7. Man-In-The-Middle -> Steve: MAC(H(M’), MITM_private), E(MITM_pub, Steve_pub), E(M’, Steve_pub)
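The last three Question 4 slides as an added Go example (not from the section slides): when Steve takes Andrew's public key from the message itself, the Man-In-The-Middle's substituted key and M’ verify cleanly, whereas checking against a key Steve already holds out of band rejects them. The slides' MAC(H(M), Andrew_private) is assumed to be a signature and is implemented as Ed25519 over SHA-256(M); encryption under Steve_pub is omitted since the MITM re-encrypts to Steve anyway.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Envelope is what reaches Steve: the message, the sender's public key sent
// in-band (the slides' E(Andrew_pub, Steve_pub)) and a signature over H(M)
// (the slides' MAC(H(M), Andrew_private)); encryption under Steve_pub is omitted.
type Envelope struct {
	Msg       []byte
	SenderPub ed25519.PublicKey
	Sig       []byte
}

// Seal signs SHA-256(msg) under priv and attaches priv's public key.
// Andrew uses it for M; the Man-In-The-Middle uses the same routine for M'.
func Seal(priv ed25519.PrivateKey, msg []byte) Envelope {
	h := sha256.Sum256(msg)
	pub := priv.Public().(ed25519.PublicKey)
	return Envelope{Msg: msg, SenderPub: pub, Sig: ed25519.Sign(priv, h[:])}
}

// VerifyInBand trusts whatever key arrived in the envelope (Steve's check on
// the last slides), so the MITM's self-consistent envelope passes.
func VerifyInBand(e Envelope) bool {
	h := sha256.Sum256(e.Msg)
	return ed25519.Verify(e.SenderPub, h[:], e.Sig)
}

// VerifyPinned also requires the key to match one Steve obtained out of band.
func VerifyPinned(e Envelope, trusted ed25519.PublicKey) bool {
	return e.SenderPub.Equal(trusted) && VerifyInBand(e)
}

// Demo reports whether the in-band check accepts the forgery, and whether the
// pinned check accepts Andrew's envelope while rejecting the MITM's.
func Demo() (inBandFooled, pinnedCorrect bool) {
	andrewPub, andrewPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, mitmPriv, _ := ed25519.GenerateKey(rand.Reader)
	fromAndrew := Seal(andrewPriv, []byte("M: meet at noon"))  // constructed M
	fromMITM := Seal(mitmPriv, []byte("M': meet at midnight")) // constructed M'
	inBandFooled = VerifyInBand(fromMITM)
	pinnedCorrect = VerifyPinned(fromAndrew, andrewPub) && !VerifyPinned(fromMITM, andrewPub)
	return
}
```

Demo returns (true, true): the in-band check cannot tell Andrew's key from the MITM's, which is why the public key has to reach Steve by a path the MITM does not control.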