
CNT 5410 - Computer and Network Security: Denial of Service



  1. CNT 5410 - Computer and Network Security: Denial of Service
     Professor Kevin Butler, Fall 2015
     Southeastern Security for Enterprise and Infrastructure (SENSEI) Center

  2. Mandate
     • "The art of war teaches us to rely not on the likelihood of the enemy's coming, but on our own readiness to receive him; not rely on the chance of his not coming, but rather on the fact that we have made our position unassailable." -- Sun Tzu, The Art of War

  3. Denial of Service
     • Intentional prevention of access to a valued resource
       ‣ CPU, memory, disk (system resources)
       ‣ DNS, print queues, NIS (services)
       ‣ Web server, database, media server (applications)
     • This is an attack on availability (fidelity)
     • Note: launching DOS attacks is easy
     • Note: preventing DOS attacks is hard
       ‣ Mitigation is the path most frequently traveled

  4. Canonical (common) DOS - Request Flood
     • Attack: request flooding
       ‣ Overwhelm some resource with legitimate requests
       ‣ E.g., web server, phone system
     • Note: an unintentional flood is called a flash crowd

  5. Example: SMURF Attacks
     • This is one of the deadliest and simplest of the DOS attacks (called a naturally amplified attack)
     • Send a large number of PING packets to networks' broadcast IP addresses (e.g., 192.168.27.254)
     • Set the packets' source IP address to be your victim
     • All hosts will reflexively respond to the ping at your victim
     • … and it will be crushed under the load.
     • Fraggle: UDP-based SMURF
     [Figure: adversary sends pings to a broadcast address; every host on that network replies to the victim]

  6. Example: DNS Amplification
     [Figure: a ~60-byte query with source address 10.0.0.1 is sent to an open recursive DNS server; the >4000-byte response is delivered to 10.0.0.1 (hosts shown: 192.168.1.1, 10.0.0.1)]
     • DNS requests are small, but responses are large.
     • The above attack is a 70:1 ratio.
     • Ok, so an attacker might be able to send a few Mbps… is this really a problem?

  7. Distributed denial of service
     • DDOS: network-oriented attacks aimed at preventing access to a network, host or service
       ‣ Saturate the target’s network with traffic
       ‣ Consume all network resources (e.g., SYN)
       ‣ Overload a service with requests
         • Use “expensive” requests (e.g., “sign this data”)
       ‣ Can be extremely costly (e.g., Amazon)
     • Result: service/host/network is unavailable
     • Frequently distributed via other attacks
     • Note: the source IP is often hidden (spoofed)

  8. The canonical DDOS attack
     [Figure: Internet / LAN diagram of the attack]

  9. Why DDOS?
     • What would motivate someone to DDOS?
       ‣ An axe to grind …
       ‣ Curiosity (script kiddies) …
       ‣ Blackmail
       ‣ Information warfare …
     • Why are DDOS attacks possible?
       ‣ The Internet is an open system ...
         ‣ Packets are not authenticated, and probably can’t be
         ‣ A firewall would not solve the problem, just move it
       ‣ Too many end-points can be remote controlled


  11. Why is DDOS possible? (cont.)
     • Interdependence - services depend on each other
       ‣ E.g., the Web depends on TCP and DNS, which depend on routing and congestion control, …
     • Limited resources (or rather resource imbalances)
       ‣ Many times it takes few resources on the client side to consume lots of resources on the server side
       ‣ E.g., SYN packets consume lots of internal resources
     • You tell me .. (as said by Mirkovic et al.)
       ‣ Intelligence and resources not co-located
       ‣ No accountability
       ‣ Control is distributed

  12. DDOS and the E2E argument
     • E2E (very simplified version): we should design the network such that all the intelligence is at the edges.
       ‣ So that the network can be more robust and scalable
       ‣ Many think this is the main reason why the Internet works
     • Downside:
       ‣ Also, no real ability to police the traffic/content
       ‣ So, many security solutions break E2E by cracking open packets (e.g., application-level firewalls)
       ‣ DDOS is real because of this …

  13. Q: An easy fix?
     • How do you solve distributed denial of service?

  14. Simple DDOS Mitigation
     • Ingress/egress filtering
       ‣ Helps against spoofed sources, not much else
     • Better security
       ‣ Limit the availability of zombies; not feasible
       ‣ Prevent compromise, viruses, …
     • Quality of Service guarantees (QOS)
       ‣ Pre- or dynamically allocate bandwidth
       ‣ E.g., diffserv, RSVP
       ‣ Helps where such things are available …
     • Content replication
       ‣ E.g., CDS
       ‣ Useful for static content
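
Added example, not from the slides: a toy BCP 38-style ingress filter of the kind the first bullet refers to, run over constructed packets. It shows what the filter stops (the source spoofing that the SMURF and DNS amplification slides depend on) and what it cannot stop (a flood sent from true addresses). The interface names, prefixes, the ALLOWED_SOURCES table and the sample packets are all assumptions made for this example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed policy for an ISP edge router: each customer-facing interface
# may only originate packets whose source lies in that customer's prefixes.
# Interface names and prefixes are made up for this example.
ALLOWED_SOURCES: Dict[str, List[ipaddress.IPv4Network]] = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/25")],
}

Packet = Tuple[str, str, str]  # (ingress interface, source IP, destination IP)


def ingress_permits(interface: str, src_ip: str) -> bool:
    """Return True if src_ip may legitimately arrive on this interface.

    An interface with no configured prefix list fails closed: nothing is
    accepted from it until an operator assigns it one.
    """
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # an unparsable source address never passes
    return any(src in net for net in ALLOWED_SOURCES.get(interface, []))


def apply_ingress_filter(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (forwarded, dropped) according to the policy."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        interface, src_ip, _dst_ip = pkt
        (forwarded if ingress_permits(interface, src_ip) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic sample. 192.0.2.10 plays the victim of a reflection
# attack, so the spoofed packets carry its address as their source.
SAMPLE_PACKETS: List[Packet] = [
    ("cust-a", "203.0.113.7", "192.0.2.10"),     # legitimate: inside cust-a's prefix
    ("cust-a", "192.0.2.10", "198.51.100.53"),   # spoofed as the victim -> dropped
    ("cust-b", "203.0.113.7", "198.51.100.53"),  # spoofed as the neighbouring customer -> dropped
    ("cust-b", "198.51.100.200", "192.0.2.10"),  # legitimate source
    ("cust-b", "198.51.100.200", "192.0.2.10"),  # an un-spoofed flood packet looks identical -> passes
    ("cust-c", "203.0.113.7", "192.0.2.10"),     # interface without a prefix list -> fail closed
]

if __name__ == "__main__":
    fwd, drop = apply_ingress_filter(SAMPLE_PACKETS)
    print("forwarded:", *fwd, sep="\n  ")
    print("dropped:", *drop, sep="\n  ")
```

The filter only helps if it is deployed at the edge the attacker sits behind, which is why the slide calls it "not much else": the fifth sample packet is indistinguishable from legitimate traffic, and no amount of source checking at the victim's side removes it.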

  15. Reverse-Turing Tests
     • Turing test: measures whether a human can tell the difference between a human and a computer (AI)
     • Reverse Turing tests: measure whether a user on the Internet is a person, a bot, whatever?
     • CAPTCHA - Completely Automated Public Turing test to tell Computers and Humans Apart
       ‣ Contorted image humans can read, computers can’t
       ‣ Image processing is pressing the state of the art (SOA), making these harder
     • Note: often used not just for DOS prevention, but for protecting “free” services (email accounts)

  16. CAPTCHA Limitations
     • Lots of varieties have been proposed.
       ‣ Text, audio, video, and cats…
     • Only a small number have been adopted, largely for usability reasons.
     • Automated techniques exist to solve virtually all of these defenses…
     • … and people are willing to pay/trick others to solve them…

  17. DOS Prevention - Puzzles
     • Make the solver present evidence of “work” done
     • If work is proven, then process the request
     • Note: only useful if request processing is significantly more work
     • Puzzle design
       ‣ Must be hard to solve
       ‣ Easy to verify
     • Canonical example
       ‣ Puzzle: given all but k bits of r and h(r), where h is a cryptographic hash function
       ‣ Solution: invert h(r)
     • Q: Assume you are given all but 20 bits; how hard would it be to solve the puzzle?
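
Added example, not from the slides: the canonical hash-reversal puzzle above, with a server side that issues and verifies puzzles and a client side that solves them. The choices of SHA-256 for h, a 16-byte r, and hiding the k least-significant bits are assumptions made for this example. Verification costs one hash whatever k is, while solving costs up to 2**k hashes; for the slide's question, k = 20 means at most 2**20 (about a million) hash evaluations, a fraction of a second of CPU, which is why k must be tuned to the cost of the request it protects.

```python
import hashlib
import os
from typing import Optional, Tuple

R_LEN = 16  # bytes of the secret r (an assumption of this example)


def make_puzzle(k: int, r: Optional[bytes] = None) -> Tuple[bytes, bytes, int]:
    """Server side: pick a secret r, publish h(r) and r with its low k bits hidden.

    Hiding the k least-significant bits is a choice made here; any fixed bit
    positions would do. Returns the puzzle message (partial_r, h_r, k).
    """
    if r is None:
        r = os.urandom(R_LEN)
    assert len(r) == R_LEN and 0 < k < 8 * R_LEN
    h_r = hashlib.sha256(r).digest()
    mask = (1 << k) - 1
    partial = (int.from_bytes(r, "big") & ~mask).to_bytes(R_LEN, "big")
    return partial, h_r, k


def solve_puzzle(partial: bytes, h_r: bytes, k: int) -> Tuple[Optional[bytes], int]:
    """Client side: brute-force the missing k bits. Returns (solution, hashes_tried).

    With a good cryptographic hash there is no shortcut: up to 2**k hashes,
    2**(k-1) on average.
    """
    base = int.from_bytes(partial, "big")
    for x in range(1 << k):
        candidate = (base | x).to_bytes(R_LEN, "big")
        if hashlib.sha256(candidate).digest() == h_r:
            return candidate, x + 1
    return None, 1 << k


def verify_solution(partial: bytes, h_r: bytes, k: int, solution: bytes) -> bool:
    """Server side: a mask check plus a single hash, independent of k."""
    if len(solution) != R_LEN:
        return False
    mask = (1 << k) - 1
    if (int.from_bytes(solution, "big") & ~mask) != int.from_bytes(partial, "big"):
        return False  # solver altered bits it was given, not just the hidden ones
    return hashlib.sha256(solution).digest() == h_r


def demo(k: int = 20) -> Tuple[int, bool]:
    """Issue, solve and verify one puzzle; returns (hashes_tried, verified)."""
    partial, h_r, k = make_puzzle(k)
    solution, tried = solve_puzzle(partial, h_r, k)
    return tried, solution is not None and verify_solution(partial, h_r, k, solution)


if __name__ == "__main__":
    tried, ok = demo(20)  # the slide's question: all but 20 bits are given
    print(f"solved after {tried} hashes (worst case {1 << 20}), verified={ok}")
```

In a deployment the server would also bind r to the specific request and a time window, so that one solved puzzle cannot be replayed against many requests; the block above shows only the work/verify asymmetry the slide is about.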

  18. Pushback
     • Initially, detect the DDOS
       ‣ Use a local algorithm, ID-esque (intrusion-detection-style) processing
       ‣ Flag the sources/types/links of DDOS traffic
     • Push back on upstream routers
       ‣ Contact upstream routers using the PB protocol
       ‣ Indicate some filtering rules (based on what was observed)
     • Repeat as necessary towards the sources
       ‣ Eventually, all (enough) sources will be filtered
     • Q: What is the limitation here?
     [Figure: router chain R1, R2, R3, R4]

  19. Traceback
     • Routers forward packet data to source
       ‣ Include the packet and previous hop …
       ‣ At low frequency (1/20,000) …
     • Targets reconstruct the path to the source (IP is unreliable)
       ‣ Use per-hop data to look at
       ‣ Statistics say that the path will be exposed
     • Enact standard
       ‣ Add filters at routers along the path
     [Figure: routers R1, R2, R3, R4 along the attack path]
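
Added example, not from the slides: a simulation of the sampled traceback the slide describes, where each router reports one packet in 1/p (1/20,000 on the slide) together with the previous and next hop, and the target chains those reports back toward the source. The single-path topology, router names, message format and the seed are assumptions made for this example; it exists to show how many packets the low sampling rate costs before the whole path is exposed, and what the victim can do with incomplete evidence.

```python
import random
from typing import List, Optional, Tuple

# Constructed single-path topology (not from the slides). A real attack has
# many sources, so the victim reconstructs a tree rather than one chain.
PATH = ["attacker-lan", "R1", "R2", "R3", "R4", "victim"]
ROUTERS = PATH[1:-1]

TraceMsg = Tuple[str, str, str]  # (reporting router, previous hop, next hop)


def emit_trace_messages(p: float, rng: random.Random,
                        max_packets: int = 2_000_000) -> Tuple[List[TraceMsg], int]:
    """Simulate the flood packet by packet.

    Every router that forwards a packet independently emits a trace message
    with probability p, naming the hop the packet came from and the hop it was
    sent to. The loop stops once each router has reported at least once (the
    victim cannot know this; it is only to measure the cost) or at max_packets.
    Returns (messages, packets_sent).
    """
    messages: List[TraceMsg] = []
    reported = set()
    for n in range(1, max_packets + 1):
        for i in range(1, len(PATH) - 1):
            if rng.random() < p:
                messages.append((PATH[i], PATH[i - 1], PATH[i + 1]))
                reported.add(PATH[i])
        if len(reported) == len(ROUTERS):
            return messages, n
    return messages, max_packets


def reconstruct_path(messages: List[TraceMsg], victim: str = "victim") -> Optional[List[str]]:
    """Victim side: chain messages from the last hop back toward the source.

    Returns the path from the farthest hop identified so far to the victim,
    or None if no router (or more than one) claims to be the last hop, since
    conflicting claims mean forged or misrouted messages.
    """
    by_router = {}
    for router, prev_hop, next_hop in messages:
        by_router[router] = (prev_hop, next_hop)
    last_hops = [r for r, (_, nxt) in by_router.items() if nxt == victim]
    if len(last_hops) != 1:
        return None
    path = [victim]
    cur = last_hops[0]
    while cur in by_router and cur not in path:  # 'not in path' guards against loops
        path.append(cur)
        cur = by_router[cur][0]
    path.append(cur)  # first hop nobody has reported about: source network, or a gap
    return list(reversed(path))


def simulate_traceback(p: float = 1 / 20_000, seed: int = 7) -> Tuple[Optional[List[str]], int]:
    """Run one flood at sampling rate p; returns (reconstructed path, packets needed)."""
    messages, packets = emit_trace_messages(p, random.Random(seed))
    return reconstruct_path(messages), packets


if __name__ == "__main__":
    path, packets = simulate_traceback()
    print(f"after {packets} packets the victim sees: {path}")
```

Two things the toy makes visible: at 1/20,000 the victim needs tens of thousands of attack packets per router before the chain is complete, which is acceptable only because floods are large; and the messages themselves carry no authentication, so a real scheme has to stop an attacker from injecting fake hops, which is the reason the reconstruction refuses to pick between two routers that both claim to be the last hop.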

  20. Overlays
     • Traffic is not delivered to a host...
     • It must pass through an overlay network first.
     • Getting into the overlay is where the “magic” happens.
     • What does “Portcullis” do?
     • What else could be done?

  21. Network Isolation: VPNs
     • Idea: I want to create a collection of hosts that operate in a coordinated way
       ‣ E.g., a virtual security perimeter over the physical network
       ‣ Hosts work as if they are isolated from malicious hosts
     • Solution: Virtual Private Networks
       ‣ Create a virtual network topology over the physical network
       ‣ Use communications security protocol suites to secure the virtual links (“tunneling”)
       ‣ Manage networks as if they are physically separate
       ‣ Hosts can route traffic to regular networks (split-tunneling)

  22. VPN Example: RW/Telecommuter
     [Figure: Internet / LAN diagram]

  23. VPN Example: Hub and Spoke
     [Figure: Internet / LAN diagram]

  24. VPN Example: Mesh
     [Figure: Internet / LAN diagram]
