Tracking and Tracing Cyber-Attacks

Tracking and Tracing Cyber-Attacks Howard F. Lipson, Ph.D. CERT® Coordination Center

Outline
- Problem with Internet Security
- Shortfalls in the Current Internet Environment
- Near-Term Solutions
- Long-Term Solutions
- Next-Generation Internet Protocol

Problem with Internet Security (1)

Problem with Internet Security (2)

Shortfalls in the Current Internet Environment (1)
- The Internet was never designed for tracking and tracing user behavior; the design focus was on functionality and performance.
- The Internet was not designed to resist highly untrustworthy users; only external attack was considered.
- A packet's source address is untrustworthy, which severely hinders tracking: attackers spoof IP source addresses and route attacks through intermediate nodes.

Shortfalls in the Current Internet Environment (2)
- The current threat environment far exceeds the Internet's design parameters.
- There are more high-stakes Internet applications.
- The expertise of the average system administrator continues to decline.
- Attacks often cross multiple administrative, jurisdictional, and national boundaries.

Shortfalls in the Current Internet Environment (3)
- High-speed traffic hinders tracking.
- Tunnels impede tracking.
- Hackers destroy logs and other audit data.
- Anonymizers protect privacy by impeding tracking.
- The ability to link specific users to specific IP addresses is being lost.
- Purely defensive approaches will fail, so deterrence through tracking and tracing is crucial.

Near-Term Solutions (1) Hop-by-Hop IP Traceback
(Diagram: victim, attacker or edge router, ISP security broker.)
- Labor-intensive.
- Used for tracing large packet flows with spoofed source addresses.
- DDoS attacks are extremely difficult to trace via this process.

Near-Term Solutions (2) CenterTrack
Optimizes hop-by-hop IP traceback. Steps:
1. Create an overlay network (IP tunneling).
2. In the event of a DoS attack, the ISP diverts the flow of attack packets from the existing ISP network onto the overlay tracking network.
3. The attack packets can now be easily traced back, hop-by-hop, through the overlay network.

Near-Term Solutions (3) Ingress Filtering or Egress Filtering
- Network ingress filtering: discard all packets whose source IP addresses do not fall within the valid range of the customer's known IP addresses.
- Network egress filtering: the same check applied by the corporate network administrator to traffic leaving the corporate network.
- Reference: IETF Best Current Practice for the Internet Community.
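The ingress check described above, as an added example that is not part of the presentation: a hypothetical ISP edge router with a constructed per-interface prefix table forwards a packet only when its source address belongs to the customer behind the arriving interface, and fails closed otherwise.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical prefix table for an ISP edge router (constructed sample
# data): each customer-facing interface maps to the address blocks the
# ISP assigned to that customer.
CUSTOMER_PREFIXES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/26")],
}

@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # source IP address as written in the header
    dst: str

def ingress_filter(pkt: Packet) -> str:
    """Network ingress filtering: forward a packet arriving on a customer
    interface only if its source address lies inside that customer's
    assigned prefixes; everything else (spoofed source, unknown
    interface) is dropped."""
    prefixes = CUSTOMER_PREFIXES.get(pkt.ingress_if)
    if prefixes is None:
        return "drop"                       # unknown interface: fail closed
    src = ipaddress.ip_address(pkt.src)
    return "forward" if any(src in p for p in prefixes) else "drop"

def apply_filter(packets):
    """Classify a batch of packets; returns (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if ingress_filter(p) == "forward" else dropped).append(p)
    return forwarded, dropped

# Constructed sample traffic toward one destination: a legitimate packet
# from each customer, one with a spoofed source, one from an unknown port.
SAMPLE = [
    Packet("eth1", "203.0.113.7", "192.0.2.10"),
    Packet("eth2", "198.51.100.130", "192.0.2.10"),
    Packet("eth1", "10.99.99.99", "192.0.2.10"),   # source not in 203.0.113.0/24
    Packet("eth9", "203.0.113.7", "192.0.2.10"),   # interface not in table
]

if __name__ == "__main__":
    fwd, drp = apply_filter(SAMPLE)
    print(f"{len(fwd)} forwarded, {len(drp)} dropped")
```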

Near-Term Solutions (4) Backscatter Traceback
Steps:
1. The attack is reported to an ISP.
2. The ISP configures all of its routers to reject all packets destined for the victim.
3. Rejected packets are "returned to sender" as ICMP error packets.
4. The ISP configures all of its routers to blackhole the many ICMP error packets whose destination IP addresses are illegitimate.
5. Analysis by the blackhole machine quickly traces the attack to one or more routers at the outermost boundary of the ISP's network.
6. The ISP removes the filter blocking the victim's IP address from all routers except those serving as the entry points for the DDoS attack.
7. The ISP asks neighboring ISPs, upstream of the attack, to continue the trace.

Near-Term Solutions (5) Probabilistic Approaches
- ICMP Traceback (ICMP traceback message).
- Probabilistic Packet Marking (marking in the IP header).

Near-Term Solutions (6) Single-Packet IP Traceback
- In theory: keep a log at each router in the Internet, tamper-proof and fully authenticated.
- Technically infeasible: storage, privacy.
Hash-Based IP Traceback
- Packet digests reduce the storage requirement to 0.5% of the link capacity per unit of time and help privacy.
- Issues: computational resources; transformation information (fragmentation, tunneling) corresponding to the packet digests is stored in a transformation lookup table.
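The packet-digest idea behind hash-based traceback, as an added example that is not code from the presentation or from any traceback implementation: a router hashes only the invariant part of each packet (IPv4 header with ToS, TTL and checksum masked, plus the first 8 payload bytes) into a Bloom filter, so a later query with the packet as it looked one hop downstream still matches, while no packet is ever stored. SHA-256 as the hash family, a single time window, and the absence of IP options are assumptions of this example.

```python
import hashlib, socket, struct

# Mask for the 20-byte IPv4 header plus first 8 payload bytes: the
# hop-variable fields (ToS, TTL, header checksum) are zeroed so every
# router computes the same digest. IP options are assumed absent.
_MASK = bytearray(b"\xff" * 28)
_MASK[1] = 0                 # ToS / DSCP
_MASK[8] = 0                 # TTL
_MASK[10:12] = b"\x00\x00"   # header checksum

def digest_input(pkt: bytes) -> bytes:
    """The 28 masked bytes that every router hashes identically."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    return bytes(b & m for b, m in zip(pkt[:28].ljust(28, b"\0"), _MASK))

class DigestTable:
    """One router's Bloom filter of packet digests for a time window:
    k bit positions per packet are stored, never the packet itself."""
    def __init__(self, nbits: int = 1 << 16, nhash: int = 3):
        self.nbits, self.nhash = nbits, nhash
        self.bits = bytearray(nbits // 8)
    def _positions(self, pkt: bytes):
        d = hashlib.sha256(digest_input(pkt)).digest()   # assumed hash family
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.nbits
                for i in range(self.nhash)]
    def record(self, pkt: bytes) -> None:
        for i in self._positions(pkt):
            self.bits[i >> 3] |= 1 << (i & 7)
    def seen(self, pkt: bytes) -> bool:
        """Traceback query: True if all bits are set (false positives are
        possible, false negatives are not)."""
        return all(self.bits[i >> 3] & (1 << (i & 7))
                   for i in self._positions(pkt))

def ipv4_packet(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Constructed sample packet: minimal IPv4 header (checksum left 0,
    it is masked anyway) followed by the payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       0x4000, ttl, 17, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def trace_demo() -> tuple:
    """Record one packet at a router, then query with the same packet as
    it looks one hop later (TTL decremented) and with an unrelated one."""
    router = DigestTable()
    router.record(ipv4_packet("203.0.113.9", "192.0.2.10", 60, b"attack-flow"))
    later = ipv4_packet("203.0.113.9", "192.0.2.10", 59, b"attack-flow")
    other = ipv4_packet("198.51.100.4", "192.0.2.10", 59, b"other-flow!")
    return router.seen(later), router.seen(other)
```

The transformation lookup table the slide mentions is not modelled here: a tunneled or fragmented packet would need its pre-transformation header restored before its digest matches.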

Long-Term Solutions (1) Issues of Next-Generation Internet Protocol
- Next-generation Internet protocols will be required to deal with trust on other than a binary basis.
- Entry-point anonymity refers to the inability to link an Internet IP address to any human actor or organization.
- Can next-generation protocols be designed so as to increase the cost to the attacker and decrease the cost to the defender?
  - Supporting vigilant resource consumption.
  - Supporting marketplace negotiation of trust versus privacy trade-offs (trust broker).
- Next-generation Internet protocols must allow for variable levels of trust under various attack states (situation-sensitive).
- Sufficient header space for tracking information.

Long-Term Solutions (2) Emerging Next-Generation Security Protocols
Internet Protocol Security (IPSec)
- Characteristics: AH (Authentication Header), ESP (Encapsulating Security Payload), IKE (Internet Key Exchange).
- Shortfalls: vigilant resource consumption, fine-grained authentication of trust, situation-sensitivity.
Internet Protocol Version 6 (IPv6)
- IP addresses are 128 bits long; the address space is enormous.
- IPSec built in.
- Flexible header structure.