Presentation is loading. Please wait.

Presentation is loading. Please wait.

NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,

Published byCaitlin Mannering Modified over 9 years ago

Similar presentations

Presentation on theme: "NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,"— Presentation transcript:

1 NETWORK SECURITY EE122 Section 12

2 QUESTION 1

3 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g., because application process on A crashed  B does not ack the RST  Thus, RST is not delivered reliably  And: any data in flight is lost  But: if B sends anything more, will elicit another RST

4 END-TO-END SECURITY  Application layer  TLS/SSL encrypts all application layer data  … but does not encrypt the TCP header!

5 END-TO-END SECURITY Encrypted Content TCP Header IP Header TLS/SSL (Application Layer)

6 END-TO-END SECURITY  Application layer  TLS/SSL encrypts all application layer data  … but does not encrypt the TCP header!  Transport layer  TCP sequence number defends against blind spoofing  … but not man-in-the-middle attacks  Network layer  IPsec encrypts the entire IP payload, including the TCP header

7 END-TO-END SECURITY Encrypted Content TCP Header IP Header Encrypted IP Header IP Header Encrypted Content Encrypted TCP Header TLS/SSL (Application Layer) IPsec (Network Layer)

8 BLIND SPOOFING  Need to know the sequence number

9

10

11

12 BLIND SPOOFING  Need to know the sequence number  How? Guess all 65536 numbers!  Alternatively, infer  first send a legitimate TCP SYN  Let’s say the receiver responds with sequence number A  Then spoof a TCP SYN assuming the receiver responds with A+1  Defenses?

13 QUESTION 2

14 228.147.0.0/16

15 Source IP: 228.147.0.1

16 228.147.0.0/16 Source IP: 188.0.0.1 Egress Filtering

17 228.147.0.0/16 Source IP: 123.456.8.8

18 228.147.0.0/16 Source IP: 228.147.5.5 Ingress Filtering

19 228.147.0.0/16 Source IP: 228.147.5.5 Ingress Filtering What’s missing?

20 Receiver Attacker SYN SYNACK (seqno = y) Source ??? ACK (ackno = k?)

21 Receiver Attacker … Confirmation Request Source ??? Confirmation Response Defenses?

22 Receiver Attacker … Confirmation Request (123) Source ??? Confirmation Response (456?) Nonce

23 QUESTION 3

24 You Web server X 100Mbps 1Gbps Web server X can comfortably handle the load you generate

25 DISTRIBUTED DENIAL-OF-SERVICE (DDOS) MasterSlave 1 Slave 3 Slave 4 Slave 2 Victim Control traffic directs slaves at victim src = random dst = victim Slaves send streams of traffic (perhaps spoofed) to victim

26 Reflector (R) Internet Attacker (A) Victim (V) SYN SYNACK REFLECTORS  Cause one non-compromised host to attack another  E.g., host A sends TCP SYN with source V to server R  R sends reply to V

27 DIFFUSE DDOS: REFLECTOR ATTACK MasterSlave 1 Slave 3 Slave 4 Slave 2Victim Control traffic directs slaves at victim & reflectors Request: src = victim dst = reflector Reflectors send streams of non-spoofed but unsolicited traffic to victim Reflector 1Reflector 9Reflector 4Reflector 2Reflector 3Reflector 5Reflector 6Reflector 7Reflector 11Reflector 8Reflector 10 Reply: src = reflector dst = victim

28 MITIGATING DDOS  No good defense…  Solutions so far  Overprovision  Distribute service to multiple machines

29 QUESTION 4

30 AndrewSteve E(M, Steve pub )

31 AndrewSteve E(M, Steve pub ) Man-In-The- Middle

32 AndrewSteve Man-In-The- Middle E(M’, Steve pub )

33 AndrewSteve E(M, Steve pub ) MAC(H(M), Andrew private ) Andrew pub ???

34 AndrewSteve E(M, Steve pub ) MAC(H(M), Andrew private ) E(Andrew pub, Steve pub )

35 AndrewSteve Man-In-The- Middle MAC(H(M), Andrew private ) E(Andrew pub, Steve pub ) E(M, Steve pub )

36 AndrewSteve Man-In-The- Middle MAC(H(M’), MITM private ) E(MITM pub, Steve pub ) E(M’, Steve pub )

Download ppt "NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,"

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
TRUE Blind ip spoofed portscanning Thomas Olofsson C.T.O Defcom.

TRUE Blind ip spoofed portscanning Thomas Olofsson C.T.O Defcom.
CISCO NETWORKING ACADEMY Chabot College ELEC 99.05 Transport Layer (4)

CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.

Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Chapter 7 Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Explain the need for the transport layer.  Identify.

Chapter 7 Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Explain the need for the transport layer.  Identify.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.

1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.

8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.

Similar presentations

Ads by Google