Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Robert Grimm New York University. Introduction  Traditionally, security focuses on  Protection (authentication, authorization)  Privacy (encryption)

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Robert Grimm New York University. Introduction  Traditionally, security focuses on  Protection (authentication, authorization)  Privacy (encryption)"— Presentation transcript:

1 Security Robert Grimm New York University

2 Introduction  Traditionally, security focuses on  Protection (authentication, authorization)  Privacy (encryption)  But, the Internet adds/amplifies several threats  (Distributed) Denial of service attacks  Viruses  Worms  For today, we are looking at  How to identify origin of denial of service attacks (or how to find those evil-doers)  How to build better worms (don’t try this at home…)

3 IP Traceback In General  Assumptions  Goal  Transformations  Strategies

4 IP Traceback Assumptions  Packets may be addressed to more than one host  Duplicate packets may exist in the network  Routers may be subverted (though, not often)  Attackers may be aware of being traced  Routing behavior may be unstable  Packet size should not grow b/c of tracing  End hosts may be resource constrained  Traceback is an infrequent operation

5 IP Traceback Goal  Identify source of any packet  Ingress point to traceback-enabled network  Actual host or network  Compromised router(s)  Consequently, we are really looking for path!

6 IP Traceback Transformations  Even under normal operation, packets are not constant  Trivial transformations  Time-to-live  Checksum  Packet encapsulation  Packet fragmentation, NAT, IP-over-IP, IPsec  Packet generation  ICMP Echo Request  ICMP Echo Response  Multicast

7 IP Traceback Strategies  Link testing  Flood candidate network links and watch for variations  Auditing/logging  End-host based  Mark packets in network  Store and analyze on endhosts  Infrastructure based  Store packets in network  Analyze in network  Single-Packet IP Traceback  Infrastructure based logging (with some clever twists…)

8 Single-Packet IP Traceback  Basic idea: Log bloom-filtered packet digests  Why digests?  0.00092% collision rate for 28-byte prefix  Need additional state for fragmentation, NAT, ICMP, IP-in-IP, IPsec  Why bloom-filtered?

9 Bloom-Filters and Hash Functions  Need family of hash functions  Each function uniformly distributes hashes  “Good dog!” Ummm “Good hash function!”  Collisions in one function are independent of collisions in other functions  Known as universal hash families  Functions are efficient to compute  We are targeting routers, after all

10 Source Path Isolation Engine (SPIE)  Per router data generation agent  Generates digests and stores them in time-stamped tables  Per region SPIE collection and reduction agent  Generates attack graphs for region  Per network SPIE traceback manager  Accepts and authenticates requests  Collects and coalesces per region attack graphs

11 Traceback Processing  Provide packet, victim, time  Packet to reproduce digest  Victim to identify starting point  Time to identify table  Complication: Transformations  Use transform lookup tables  Map digest to irrecoverable packet data  Typically processed on control and not fast path  Rely on transformations being infrequent

12 Single-Packet IP Traceback Analysis  False positives  Based on analysis and simulation  Time and memory utilization  Goal: collect 1 minute worth of digests  0.5% of total link capacity  Four OC-3 (155.52 Mbps) links: 23MB  32 OC-192 (9.952 Gbps) links: 12 GB  One 16 Mb SRAM for current table  Backed by additional SDRAM

13 Single-Packet IP Traceback Discussion  Deployment  Vulnerabilities  Denial of service  Flow amplification  Information leakage  Transformations

14 And Now for Something Completely Different… Yeah, Right …

15 Worms, Worms, Worms  Install payload on as many machines as possible and then…  Launch distributed denial of service attacks  Access sensitive information (financial, medical, …)  Corrupt information 30 minutes of Sapphire Code Red I, II, Nimda

16 Analysis of Code Red I  Attacks Microsoft IIS web servers  Launches 99 threads, trying to compromise servers at random IP addresses  Version 1 has bug in random number generator  Fixed seed  Linear spread  Version 2  Fixes bug  Does not deface web sites  Launches DDOS attack against IP address of www.whitehouse.gov www.whitehouse.gov

17 Random Constant Spread Model (RCS)  N: # of vulnerable machines  K: initial compromise rate  T: time of incident  a: proportion of compromised machines

18 Better Worms Practice  Code Red II  Same vulnerability, different payload (root backdoor)  Localized scanning strategy favoring local machines  Nimda  Combines several techniques into one worm  Microsoft IIS web servers  Email attachments  Network shares  Web pages  Backdoors left behind by Code Red II and “sadmind”

19 Better Worms Theory: Hit-List Scanning  Helps with “getting off the ground”  Collect list of potentially vulnerable machines, start with them, splitting list between worm copies  Stealthy scans  Distributed scans  DNS searches  Spiders  Public surveys  Just listen (think peer-to-peer networks)

20 Better Worms Theory: Permutation Scanning  Avoid repeatedly probing same machine  Start scanning machines after your own address, using a common pseudo random permutation  Still looks like a random scan!  Stop scanning when several machines already infected  Optionally, use new permutation after some waiting time  As optimization, split permutation into ranges

21 Better Worms Theory: Simulation of Spread  “Warhol worm”  Uses hit-list and permutation scanning Calibration Closeup Comparison

22 Better Worms Theory: Alternatives to Hit-Lists  Topological scanning  Use local information  Peers, email addresses, URLs  Flash worms  Create exhaustive list of all vulnerable hosts  Distribute list  By dividing list repeatedly  Storing chunks on well-connected servers  Spread may initially be limited by size of list  Start across high-bandwidth links

23 Better Worms Back to Reality: Sapphire  We don’t necessarily need all these techniques  Microsoft SQL Server + one 404-byte UDP packet are good enough!!!  Even though random number generator is broken  Even though port is atypical and thus easily blocked

24 More Bad News: Stealth Worms  Quickly spreading worms are easily detected  Alternatively, spread real sloooooooooooowly  Almost no peculiar communication patterns  Strategy  Pair of exploits E(server) and E(client) for popular web server and client  Hmmm, which company comes to mind…  Alternatively, target peer-to-peer systems  Only need one exploit as all machines run the same software

25 Stealth Worms Why Attack Peer-to-Peer Systems?  Interconnect to many peers  Often transfer large files  Less likely to be monitored  Typically run on less secure user machines  Transfer “grey” content  Are pretty popular  KaZaA: 9 to 30 million users…

26 What to Do? Cyber-center for Disease Control!  Identify outbreaks  Rapidly analyze pathogens  Fight infections  Anticipate new vectors  Proactively devise detectors  Resist future threats

27 What Do You Think?

Download ppt "Security Robert Grimm New York University. Introduction  Traditionally, security focuses on  Protection (authentication, authorization)  Privacy (encryption)"

Similar presentations

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Denial of Service in Sensor Networks Anthony D. Wood and John A. Stankovic.

Denial of Service in Sensor Networks Anthony D. Wood and John A. Stankovic.
1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.

1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
Introduction to Security Computer Networks Computer Networks Term B10.

Introduction to Security Computer Networks Computer Networks Term B10.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
Worm Defense. Outline Worm “How to Own the Internet in Your Spare Time” Worm defense Discussions.

Worm Defense. Outline Worm “How to Own the Internet in Your Spare Time” Worm defense Discussions.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Hash-Based IP Traceback Alex C. Snoeren, Craig Partidge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, and W. Timothy Strayer.

Hash-Based IP Traceback Alex C. Snoeren, Craig Partidge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, and W. Timothy Strayer.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
DDos Distributed Denial of Service Attacks by Mark Schuchter.

DDos Distributed Denial of Service Attacks by Mark Schuchter.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.

1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Similar presentations

Ads by Google