Final Introduction Web Security, DDoS, others - PowerPoint PPT Presentation
Provided by: csU73
Learn more at: http://www.cs.ucf.edu

1
Final Introduction ----Web Security, DDoS, others
  • Cliff C. Zou
  • CAP6133
  • 04/07/08

2
Web-based Security Challenge
  • Trend: all/most applications move to the WWW platform
    • Database, remote configuration, email, data hosting, video/music on demand, e-commerce
  • Complicated applications require interactive web browsers
    • Browsers support downloadable executables and plug-ins.
    • ActiveX, JavaScript, Flash player, ...
  • Many users have no idea of the security of downloadable plug-ins.

3
Web-based Attacks
  • Phishing
    • Fake website to collect user account info.
    • Usually correlated with spam and botnets
  • Spyware
    • Secretly installed in the form of a plug-in.
    • Comes with free software/games.
  • Worm
    • Exploits browser vulnerabilities
    • E.g., Nimda

4
Crawler-based Security Defense
  • Central idea
    • Honeypot
      • Use a VM with a vulnerable browser to connect to a suspicious web server
      • Trick the malcode into installing on the VM's browser
      • Analyze, and then restart a clean VM for the next round
    • Automatic, active crawling
      • Actively find web servers and connect
      • Automatically execute simple user interaction
      • E.g., downloading and installing ActiveX, JavaScript, plug-ins.

5
Distributed Denial of Service (DDoS) Attack
  • Send a large amount of traffic to a server so that the server has no resources left to serve normal users
  • Attack forms
    • Consume the target's memory/CPU resources
      • SYN flood (backscatter paper presented before)
      • Database queries
    • Congest the target's Internet connection
      • Attack traffic from many sources overwhelms the target's link
  • Very hard to defend

6
Why is it hard to defend against DDoS attacks?
  • The Internet IP protocol has no built-in security
    • No authentication of the source IP
      • SYN flood with faked source IP
      • However, the source IP is genuine once a TCP connection is set up
  • Servers are supposed to accept unsolicited service requests
  • Lack of ways to collaborate among the Internet community
    • How can you ask an ISP in another country to block certain traffic for you?

7
DDoS Defenses
  • Increase server capacity
    • Cluster of machines, multi-CPUs, larger Internet access link
    • Use an Internet web caching service
      • E.g., Akamai
  • Defense methods (many in research stage)
    • SYN cookies (http://en.wikipedia.org/wiki/SYN_cookies)
    • SOS
    • IP traceback

8
SYN Cookies
  • SYN flood attack
    • Fills up the server's SYN queue
    • Property: the attacker does not respond to the SYN/ACK from the victim.
  • Defense
    • Fact: a normal client responds to the SYN/ACK
    • Remove the initial SYN queue
    • Server encodes the connection info in the TCP sequence number
    • Use it to reconstruct the initial SYN
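The slide describes the mechanism only in outline. The following is an added example (not code from the slides or their author) of the classic SYN-cookie layout: the server's initial sequence number packs a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash of the connection 4-tuple and the client's ISN. Nothing is queued for the SYN; when an ACK arrives, the server recomputes the hash and rebuilds the connection state. The secret, the MSS table, the 2-slot validity window and the packet dictionaries are all constructed assumptions for this example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed secret for this example; a real server draws a random one at boot.
SECRET = b"constructed-example-secret"

# Only a handful of MSS values are encoded, so the client's MSS fits in 3 bits.
MSS_TABLE = (536, 1220, 1440, 1460)

# How many counter slots (each one a coarse time unit, e.g. 64 s) an
# outstanding SYN/ACK stays valid before its cookie is treated as expired.
MAX_AGE_SLOTS = 2


def _hash24(src_ip, dst_ip, sport, dport, client_isn, counter):
    """24-bit keyed hash binding the 4-tuple, the client's ISN and the time counter."""
    msg = struct.pack(
        "!4s4sHHII",
        ipaddress.ip_address(src_ip).packed,
        ipaddress.ip_address(dst_ip).packed,
        sport, dport, client_isn, counter,
    )
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, dst_ip, sport, dport, client_isn, mss, counter):
    """Server ISN for the SYN/ACK: 5-bit counter | 3-bit MSS index | 24-bit hash.
    Nothing is stored server-side, so a flood of SYNs costs no queue memory."""
    # Largest table entry the client's offered MSS can accommodate.
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _hash24(
        src_ip, dst_ip, sport, dport, client_isn, counter)


def check_syn_cookie(cookie, src_ip, dst_ip, sport, dport, client_isn, now_counter):
    """Validate the cookie echoed back in the client's ACK (ack_number - 1).
    Returns the negotiated MSS, or None if the cookie is forged or too old."""
    slot = (cookie >> 27) & 0x1F
    mss_idx = (cookie >> 24) & 0x7
    # Recover the full counter from its low 5 bits by trying only recent values,
    # so an old cookie cannot be replayed indefinitely.
    for age in range(MAX_AGE_SLOTS):
        counter = now_counter - age
        if counter & 0x1F == slot:
            break
    else:
        return None
    expected = _hash24(src_ip, dst_ip, sport, dport, client_isn, counter)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None


def accept_ack(ack_pkt, dst_ip, dport, now_counter):
    """Rebuild the state the dropped SYN would have created, from the bare ACK.
    ack_pkt is a constructed dict standing in for the parsed TCP header."""
    client_isn = ack_pkt["seq"] - 1   # the ACK's seq is client_isn + 1
    cookie = ack_pkt["ack"] - 1       # and its ack is server_isn + 1
    mss = check_syn_cookie(cookie, ack_pkt["src"], dst_ip,
                           ack_pkt["sport"], dport, client_isn, now_counter)
    if mss is None:
        return None   # a SYN with a faked source never gets here: no ACK comes back
    return {"peer": (ack_pkt["src"], ack_pkt["sport"]),
            "client_isn": client_isn, "server_isn": cookie, "mss": mss}
```

The price of this design is visible in the code: only the MSS survives (other TCP options are lost), and the 24-bit hash plus the short validity window is all that stands between a guessed ACK and a half-open connection, which is why real stacks enable cookies only once the SYN queue is actually under pressure.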

9
Defense against spoofed DoS attacks: IP traceback
  • Suppose a victim can ask upstream ISPs to block certain traffic
    • SYN flood: which traffic to block?
  • IP traceback
    • Find out the real attacking host for a SYN flood
    • Based on a large amount of attacking packets
    • Needs a little help from routers (packet marking)
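The slide names packet marking without showing how the victim turns marks into a path. The following added example (not from the slides or their author) simulates the edge-sampling variant of probabilistic packet marking: each router, with probability p, writes itself as the start of an edge and resets the distance; otherwise it completes the previous hop's edge and increments the distance. The victim chains the collected edges outward, nearest router first. The five-router topology, the packet count, the forged mark value and the dictionary mark field are constructed for the example; in the real scheme the mark is squeezed into the IP identification field.

```python
import random
from collections import Counter

# Constructed topology for the simulation: R1 is the attacker's first hop,
# R5 is adjacent to the victim.  Packets traverse R1 -> R5.
ATTACK_PATH = ["R1", "R2", "R3", "R4", "R5"]
FORGED_START = "constructed-forged-router"   # what the attacker writes into the mark


def new_mark(start=None, end=None, distance=0):
    """The mark carried by one packet (a dict here; the IP ID field in practice)."""
    return {"start": start, "end": end, "distance": distance}


def router_mark(router, mark, p, rng):
    """Edge-sampling step performed by one router on one packet."""
    if rng.random() < p:
        # Begin a fresh edge at this router, discarding whatever was there.
        mark["start"], mark["end"], mark["distance"] = router, None, 0
    else:
        # Complete an edge begun by the previous hop, then count this hop.
        if mark["distance"] == 0:
            mark["end"] = router
        mark["distance"] += 1
    return mark


def simulate_attack(path=ATTACK_PATH, num_packets=20000, p=0.5, seed=7):
    """Victim-side tally of (start, end, distance) edges seen in attack packets."""
    rng = random.Random(seed)
    edges = Counter()
    for _ in range(num_packets):
        mark = new_mark(start=FORGED_START)   # attacker pre-fills the field to mislead
        for router in path:
            router_mark(router, mark, p, rng)
        edges[(mark["start"], mark["end"], mark["distance"])] += 1
    return edges


def reconstruct_path(edges):
    """Chain edges outward from the victim: the distance-0 edge names the
    last-hop router, the distance-1 edge ends at that router, and so on.
    Returns routers nearest-first.  Every router increments the distance, so a
    forged edge can only surface beyond the first honest router."""
    path, prev, d = [], None, 0
    while True:
        candidates = [s for (s, e, dist) in edges
                      if dist == d and e == prev and s is not None]
        if not candidates:
            return path
        # Several claimants at one distance can only come from forgeries;
        # prefer the edge seen most often.
        start = max(candidates, key=lambda s: edges[(s, prev, d)])
        path.append(start)
        prev, d = start, d + 1
```

Running `reconstruct_path(simulate_attack())` yields the true path R5, R4, R3, R2, R1 followed by the forged value: the attacker's pre-filled mark survives only in packets no router sampled, and those arrive with distance 5, one hop past R1. The victim therefore learns the real ingress router (R1) and knows that anything farther out is untrustworthy, which is what the slide means by "find out the real attacking host" with "a little help from routers".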

10
SOS: Secure Overlay Service
  • Central idea
    • Use many machines that respond to TCP connections
    • Only set-up connections are relayed to the server
    • The identity of the server is secret

11
Security Patch Issue
  • Fix vulnerabilities faster by automatic patching? (XP)
  • Problem
    • Patches are not reliable
      • Crashes, disruption of running applications
    • Many patches require a reboot
      • Not realistic for important servers

12
Shield
  • Central idea
    • Non-disruptive, temporary defense before the patch
    • Vulnerability-specific, exploit-generic
    • When a vulnerability becomes known, analyze it and deploy a shield filter on the vulnerable port
      • E.g., for an overflow of strcpy(), filter any input longer than the defined buffer size
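To make the strcpy() example concrete, here is an added example (not code from the slides, their author, or the Shield project) of a vulnerability-specific, exploit-generic filter. It assumes a hypothetical line-based service whose `USER <name>` command is copied into a fixed 64-byte buffer; the shield reassembles the command line across TCP segments and drops any `USER` line whose argument would not fit, without caring what the overflowing bytes contain. The protocol, the buffer size and the sample segments are all constructed for this example.

```python
# Size of the vulnerable buffer in the hypothetical service (assumed), and the
# largest argument strcpy() can store in it while leaving room for the NUL.
BUFFER_SIZE = 64
MAX_NAME_LEN = BUFFER_SIZE - 1


class UserCommandShield:
    """Sits in front of the vulnerable port and enforces the length invariant
    the eventual patch would enforce.  feed() returns one of
    ('pass', bytes)  - a complete, safe line to forward,
    ('drop', reason) - a line that would overflow the buffer,
    ('hold', None)   - still waiting for the end of the line."""

    def __init__(self, max_len=MAX_NAME_LEN):
        self.buf = b""
        self.max_len = max_len

    def _field_too_long(self, data):
        # Vulnerability-specific: only the USER command is checked; other
        # commands are forwarded untouched so the service keeps working.
        if not data[:5].upper().startswith(b"USER "):
            return False
        # Exploit-generic: length alone decides, the payload bytes are irrelevant.
        return len(data[5:]) > self.max_len

    def feed(self, segment):
        self.buf += segment
        if b"\r\n" not in self.buf:
            # No line terminator yet.  If the argument already exceeds the
            # buffer it can never become valid, so drop without waiting.
            if self._field_too_long(self.buf):
                self.buf = b""
                return ("drop", "USER argument exceeds buffer before line end")
            return ("hold", None)
        line, _, self.buf = self.buf.partition(b"\r\n")
        if self._field_too_long(line):
            return ("drop", "USER argument exceeds buffer")
        return ("pass", line + b"\r\n")


def run_constructed_samples():
    """Feed constructed segments through fresh shields; returns the verdicts."""
    verdicts = {}
    verdicts["normal"] = UserCommandShield().feed(b"USER alice\r\n")[0]
    verdicts["overflow"] = UserCommandShield().feed(b"USER " + b"A" * 100 + b"\r\n")[0]
    split = UserCommandShield()              # argument split across two segments
    first = split.feed(b"USER " + b"B" * 40)[0]
    second = split.feed(b"B" * 40 + b"\r\n")[0]
    verdicts["split"] = (first, second)
    verdicts["other_cmd"] = UserCommandShield().feed(b"PASS " + b"x" * 200 + b"\r\n")[0]
    return verdicts
```

Two design points are worth noting. Reassembly matters because an overflow split across segments looks harmless segment by segment; the shield judges the logical field, not the wire chunk. And the early drop on an unterminated, already-too-long line keeps the filter from buffering unbounded data itself, so the temporary defense does not open a resource-exhaustion hole of its own.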