Presentation is loading. Please wait.

Presentation is loading. Please wait.

TCP/IP Vulnerabilities. Outline Security Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS.

Published byBranden Stone Modified over 9 years ago

Similar presentations

Presentation on theme: "TCP/IP Vulnerabilities. Outline Security Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS."— Presentation transcript:

1 TCP/IP Vulnerabilities

2 Outline Security Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS

3 Internet design goals 1. Interconnection 2. Failure resilience 3. Multiple types of service 4. Variety of networks 5. Management of resources 6. Cost-effective 7. Low entry-cost 8. Accountability for resources Where is security issues?

4 Why did they leave it out? Designed for simple connectivity Network designed with implicit trust No “bad” guys Security may be provided at the edge Encryption Authentication

5 Security Vulnerabilities Unfortunately at every layer in the protocol stack! Network-layer attacks IP-level vulnerabilities Routing attacks Transport-layer attacks TCP vulnerabilities Application-layer attacks

6 Where do the problems come from? Protocol-level vulnerabilities Implicit trust assumptions in design Implementation vulnerabilities Both on routers and end-hosts Incomplete specifications Often left to the imagination of programmers

7 IP-level vulnerabilities IP addresses are provided by the source Spoofing attacks Use of IP address for authentication Remote command (rsh, rlogin) allows remote login without explicit password authentication Some known exploited IP ARP Spoofing Fragmentation Traffic amplification

8 Routing attacks Divert traffic to malicious nodes Black-hole attack Eavesdropping Routing attacks No authentications Announce lower cost route in Distance-Vector BGP vulnerabilities Prefix hijacking

9 TCP-level attacks SYN-Flooding Flood with incomplete connection to hold service resources Session hijack Sequence number guessing Pretend to be a trusted host Session Termination Forge packet to close a legitimate connection

10 Application Vulnerabilities Application Protocol Attack SPAM Phishing etc.

11 Outline Security Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS

12 Denial of Service Make a service unusable by overloading the server or network Disrupt service by taking down hosts e.g., ping-of-death Consume host-level resources e.g., SYN-floods Consume network resources e.g., UDP/ICMP floods

13 Outline Security Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS

14 Worm Overview Self-propagate through network Typical Steps in Worm Propagation Probe host for vulnerable software Exploit the vulnerability Launches copy of itself on compromised host Very fast spreading with short windows to react

15 The Case of Code-Red 12 th July 2001 : Code-Red Worm (CRv1) began 12 th July 2001 : Code-Red Worm (CRv1) began 19 th July 2001 : Code-Red Worm (CRv2) began 19 th July 2001 : Code-Red Worm (CRv2) began 359,104 hosts were compromised in approximately 24 hours 359,104 hosts were compromised in approximately 24 hours The total number of inactive hosts over timeThe number of newly inactive hosts per minute http:// www.caida.org/analysis/security/code-red/coderedv2_analysis.xml Worm growth: Slow-start, Exponential phase, Slow decay

16 Code Red Spreads (I) July 19, Midnight – 159 hosts infected

17 Code Red Spreads (II) July 19, 11:40 am – 4,920 hosts infected

18 Code Red Spreads (III) July 20, Midnight – 341,015 hosts infected

19 Animation of Code Red Spreads

20 Animation SQL Slammer Spreads

21 Outline Security, Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS

22 Firewall A Firewall is a system or group of systems used to control access between two networks using pre-configured rules or filters A Firewall is a system or group of systems used to control access between two networks using pre-configured rules or filters

23 How to filter? What to filter based on? Packet Header Fields IP source and destination addresses Application port numbers ICMP message types/ Protocol options etc. Packet contents (payloads)

24 Some examples Block all packets from outside except for SMTP servers Block all traffic to/from a list of domains Ingress filtering Drop all packets from outside with addresses inside the network Egress filtering Drop all packets from inside with addresses outside the network

25 Typical Firewall Configuration Internal hosts can access DMZ and Internet External hosts can access DMZ only, not Intranet DMZ hosts can access Internet only Advantages? If a service gets compromised in DMZ it cannot affect internal hosts Internet Intranet DMZ X X

26 Sample Firewall Rule Dst Port Alow Allow Yes Any > 1023 22 TCP22 TCP> 1023 ExtIntOutSSH-2 IntExtInSSH-1 Dst Addr Proto Ack Set? Action Src Port Src Addr DirRule Allow SSH from external hosts to internal hosts Two rules Inbound and outbound How to know a packet is for SSH? Inbound: src-port>1023, dst-port=22 Outbound: src-port=22, dst-port>1023 Protocol=TCP Ack Set? SYN SYN/ACK ACK ClientServer

27 Intrusion Detection IDS is an automated system intended to detect computer intrusions IDS is an automated system intended to detect computer intrusions To identify, preferably in real-time, unauthorized use, misuse, and abuse of computer system To identify, preferably in real-time, unauthorized use, misuse, and abuse of computer system

28 Basic IDS Architecture

29 Detection Method Misuse Detection Misuse Detection Looking for the attempts to exploit known vulnerabilities or attack patterns Looking for the attempts to exploit known vulnerabilities or attack patterns Typically low false alarms Typically low false alarms Difficult to gather all attack signatures Difficult to gather all attack signatures Anomaly Detection Anomaly Detection Observing a deviation of normal behavior of system or user to detect intrusions Observing a deviation of normal behavior of system or user to detect intrusions Can detect a new or unseen vulnerabilities or attack patterns Can detect a new or unseen vulnerabilities or attack patterns Typically a lot of false alarms Typically a lot of false alarms

30 Audit Source Location Host/IDSHost Host IDSHost Host Host based IDS Network based IDS

31 Next Generation Firewall Layer 7 Content Inspection Layer 7 Content Inspection Integration of Firewall/IDS Integration of Firewall/IDS

32 Summary Security vulnerabilities are real! Protocol or implementation or bad specs Poor programming practices At all layers in protocol stack DoS/DDoS Resource utilization Worm Exponential spread Scanning strategies Firewall/IDS Counter-measures to protect hosts Fail-open vs. Fail-close?

Download ppt "TCP/IP Vulnerabilities. Outline Security Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS."

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
NS-H0503-02/11041 Attacks. NS-H0503-02/11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.

NS-H /11041 Attacks. NS-H /11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Security Part Two: Attacks and Countermeasures. Flashback: Internet design goals 1.Interconnection 2.Failure resilience 3.Multiple types of service 4.Variety.

Security Part Two: Attacks and Countermeasures. Flashback: Internet design goals 1.Interconnection 2.Failure resilience 3.Multiple types of service 4.Variety.
Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.

Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies www.coresecurity.com.

Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.

Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Security Part One: Network Attacks and Countermeasures Xin Zhang.

Security Part One: Network Attacks and Countermeasures Xin Zhang.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
Introduction to Network Security

Introduction to Network Security
Firewalls: General Principles & Configuration (in Linux)

Firewalls: General Principles & Configuration (in Linux)
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
G53SEC 1 Network Security Hijacking, flooding, spoofing and some honey.

G53SEC 1 Network Security Hijacking, flooding, spoofing and some honey.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

Similar presentations

Ads by Google