MET TC670 B1 Computer Science Concepts in Telecommunication Systems - PowerPoint PPT Presentation

1
MET TC670 B1 Computer Science Concepts in
Telecommunication Systems
  • Fall 2003

2
Lecture 9, November 18, 2003
  • Network Security Concepts
  • Introduction to Network Security
  • Routing Attacks
  • DDoS and Traceback
  • Intrusion Detection Systems
  • Firewalls
  • IP Security
  • Web Security

3
Network Technologies
  • Switching modes.
  • Circuit switching.
  • Packet switching - Ethernet, HIPPI, fiber
    channel, IP routing, frame relay, ATM, IP
    switching/tag switching.
  • High-speed transmission media.
  • SONET/SDH, WDM.
  • Ubiquitous access media.
  • xDSL/cable modem, IEEE802.11, LEOSs.
  • We will study the common security issues.

4
The Internet
[Figure: the OSI reference model of ISO beside the Internet protocol stack]
5
Layered Store-and-forward
[Figure: User A to User B through the Application, Transport, Network and Link layers]
6
Security Implications
  • Vulnerabilities - from weak design, to
    feature-rich implementation, to compromised
    entity
  • Heterogeneous networking technologies add to
    security complexity
  • Higher-speed communication puts more information
    at risk in a given time period
  • Easier to attack than to defend
  • Ubiquitous access increases exposure to risks

7
The Good News
  • Plenty of basic means for end-user protection -
    privacy, authentication, integrity
  • Intensive R&D effort on security solutions
    (government-sponsored research and private
    industry)
  • Increasing public awareness of security issues
  • New crops of security(-aware) researchers and
    engineers

8
The Bad News
  • Information infrastructure as a whole is very
    vulnerable, which makes all critical national
    infrastructure vulnerable
  • e.g., Denial-of-service attacks are particularly
    dangerous to the Internet infrastructure
  • Serious lack of effective technologies, policies,
    and management framework

9
Security Threat Example - IP Spoofing
[Figure: an IP packet, IP header followed by IP payload; SRC = source, DST = destination]
SRC 128.197.12.3 DST 130.207.7.237
Is it really from Boston University?
10
Similar to US Mail (or E-mail)
US mail may be better in the sense that a stamp is
put on the envelope at the location (e.g., town)
of collection...
11
Routers Care only about Destination
[Figure: routers at Boston Univ. (128.197.12.3), Georgia Tech (130.207.xx.xx) and Stanford (36.190.0.xx); a packet with src 128.197.12.3 and dst 130.207.7.237 is forwarded on its destination address alone]
12
Why Should I Care?
  • Attack packets with spoofed IP address help hide
    the attacking source.
  • A smurf attack launched with your host IP address
    could bring your host and network to their knees.
  • Higher protocol layers (e.g., TCP) help to
    protect applications from direct harm, but not
    enough.

13
Smurf Attack
  • Generate ping stream (ICMP echo request) to a
    network broadcast address with a spoofed source
    IP set to a victim host
  • Every host on the ping target network will
    generate a ping reply (ICMP echo reply) stream,
    all towards the victim host
  • The amplified ping reply stream can easily overwhelm
    the victim's network connection
  • Fraggle and Pingpong exploit UDP in a similar way

14
Vulnerability
  • A vulnerability (or security flaw) is a specific
    failure of the security controls.
  • Using the failure to violate the site security
    policy is exploiting the vulnerability; the person
    who does this is an attacker.
  • It can be due to
  • Lapses in design, implementation, and operation
    procedures.
  • Even security algorithms/systems are not immune!
  • We will go over some examples in this course.

15
Lecture 9, November 18, 2003
  • Network Security Concepts
  • Introduction to Network Security
  • Routing Attacks
  • DDoS and Traceback
  • Intrusion Detection Systems
  • Firewalls
  • IP Security
  • Web Security

16
Routing Infrastructure Security Issues
  • What is involved in routing?
  • How is it typically done?
  • Some attack examples

17
Routing Concept and Protocols
  • Routing information
  • Routing information exchange protocols
  • RIP (Routing Information Protocol)
  • OSPF (Open Shortest Path First Protocol)

18
Routing
[Figure: SRC and DST connected through routers/switches]
"I want to know the shortest path"
So, the routers must exchange local information!
19
IP Routing
  • Routing is based on network addresses
  • Routers use forwarding table
  • Destination, next hop, network interface, metric
  • Table look-up for each packet
  • Need to recognize address structure
  • Routing information exchange allows computation
    of new routes, which is used to update the
    forwarding table

20
Routing Protocols Information Model
[Figure: OSPF, RIPv2 and BGP4 each maintain a RIB; the RIBs feed the Forwarding Information Base (FIB), which holds (Dest, NextHop, Routing Metrics); the forwarding algorithm reads the NPDU header (Network Protocol Data Unit) and the FIB to make the forwarding decision]
21
Routing Information
  • Link State: "I have these links to XYZ (routers or
    networks), and their current status is ... (e.g.,
    delay)"
  • Distance Vector: "I can get to XYZ (networks) in m
    hops"

22
Distance Vector
Every node sends its neighbors a vector of the
number of hops needed to reach each other node.
[Figure: nodes A, B, C]
23
Link State

A node sends to its neighbors the state of its
directly connected links (up/down) and their costs.
Each node that receives the information forwards it
to all its neighbors.
24
Routing Protocols Operation Model
  • Neighbor Acquisition
  • Neighbor Reachability
  • Routing Information Exchange
  • Route Generation and Selection
  • Neighbor Relationship Termination

25
Neighbor Acquisition
HELLO ?
I AM HERE!
26
Neighbor Reachability
ARE YOU ALIVE?
OF COURSE, I AM !
27
Routing Information
Hey, Here is the routing information I got so far
Hmm, some of them are obsolete, Here is my update
28
Route Generation and Selection
[Figure: application layer / network layer]
29
Neighborhood Relationship Termination
Good Bye

See You Later
30
Routing Security
  • Routing Information Exchange
  • correctness of the Routing Information Base
  • Interface between RIB and FIB
  • configuration, FIB update, etc.
  • Kernel-Level (IP) Packet Forwarding
  • Is the packet forwarded according to the FIB?

31
RIP
  • Routing information protocol is a simple distance
    vector protocol
  • Initialization
  • When the routing daemon is initialized, it sends
    requests through each network interface
  • Neighboring routers will reply with routing table
    information
  • Updates
  • Routers advertise tables to neighbors
    periodically (every 30 seconds) or when triggered
    by route changes.
  • To prevent route oscillation, existing routes are
    retained until a new one is discovered with
    strictly lower cost
  • Split-Horizon Update
  • Routers do not advertise a route on the interface
    from which they learned of the route in the first
    place!

32
Properties of RIP
  • Good news travels fast; bad news travels slowly
  • Routing loops, routing inconsistency, and slow
    convergence
  • Security
  • RIPv2 provides simple password authentication
  • Black hole routers possible

33
Route Convergence - good news
[Figure: routers G1 to G5 in a chain, every link of cost 1; distance to network A is 0 at A, 1 at G1, 2 at G2, 3 at G3, 4 at G4, 5 at G5]
  • G1 happily advertises the route to network A with
    distance 1
  • G2-G5 quickly learn the good news and install
    the routes

34
Route Convergence - bad news
[Figure: the same chain after G1's link to A fails (cost now infinity); the tables read A 3 at G1, A 2 at G2, A 3 at G3, A 4 at G4, A 5 at G5]
  • G1's link to A goes down
  • G1 learns a "better" route via G2
  • Packets going to A through G2 will loop between
    G2 and G1
  • G1 and G2 will find the cost of their routes to
    A slowly count to infinity
  • Use a number, e.g., 16, to approximate infinity
  • Split horizon only prevents loops involving two
    nodes

35
Black Hole
[Figure: You, with a routing table of A 3 hops, B 2 hops, C 2 hops, next to Your Neighbor; C advertises A 0 hops, B 0 hops]
  • C lies easily about routes to A and B
  • Your neighbor and you lock into the routes

36
Food for Thought
  • RIP implicitly assumes every router is trusted,
    and so are routing information packets
  • Every router is entitled to tell others "I have a
    short cut to Pluto that is just one hop"
  • Is it possible to prevent RIP black hole attacks?
  • Is it possible to detect RIP black hole routers?
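The RIP behaviour of slides 31 to 35 (periodic vectors, split horizon, count to infinity at 16, and a lying neighbor) as an added Python simulation; this is not code from the lecture. The snapshot-then-deliver round, the three-router chain for the link failure and the six-router chain with router C as the liar are constructed for the example.

```python
INFINITY = 16   # RIP's "infinity": a metric of 16 means unreachable

class Router:
    def __init__(self, name, links, split_horizon=True):
        self.name = name
        self.links = dict(links)          # neighbour -> link cost
        self.split_horizon = split_horizon
        self.table = {name: (0, None)}    # destination -> (metric, next hop)

    def advertise(self, to):
        """Distance vector sent to neighbour `to` in a periodic update."""
        return {d: m for d, (m, nh) in self.table.items()
                if not (self.split_horizon and nh == to)}

    def receive(self, frm, vector):
        cost = self.links[frm]
        changed = False
        for dest, m in vector.items():
            new = min(m + cost, INFINITY)
            cur = self.table.get(dest)
            # install if unknown, strictly cheaper, or a changed metric from the current next hop
            if cur is None or new < cur[0] or (cur[1] == frm and new != cur[0]):
                self.table[dest] = (new, frm)
                changed = True
        return changed

    def link_down(self, neighbour):
        del self.links[neighbour]
        for dest, (m, nh) in list(self.table.items()):
            if nh == neighbour:
                self.table[dest] = (INFINITY, None)

class Liar(Router):
    """Black-hole router (slide 35): claims every destination it knows of is 0 hops away."""
    def advertise(self, to):
        return {d: 0 for d in self.table}

def exchange_round(routers):
    """One synchronous update: all routers send from the same snapshot, then all receive."""
    msgs = [(r.name, n, r.advertise(n)) for r in routers.values() for n in r.links]
    changes = [routers[n].receive(frm, vec) for frm, n, vec in msgs]
    return any(changes)

def converge(routers, max_rounds=50):
    """Run rounds until nothing changes; returns how many rounds changed some table."""
    for rounds in range(max_rounds):
        if not exchange_round(routers):
            return rounds
    return max_rounds

def chain(names, split_horizon=True, liar=None):
    """Routers in a line, every link of cost 1; `liar` names the one that runs Liar."""
    routers = {}
    for i, name in enumerate(names):
        links = {nb: 1 for nb in names[max(i - 1, 0):i + 2] if nb != name}
        cls = Liar if name == liar else Router
        routers[name] = cls(name, links, split_horizon)
    return routers

def count_to_infinity(split_horizon):
    """Slide 34: A-G1-G2, then G1's link to A fails. Returns (rounds to settle, G1's metric to A)."""
    net = chain(["A", "G1", "G2"], split_horizon)
    converge(net)
    net["A"].link_down("G1")
    net["G1"].link_down("A")
    return converge(net), net["G1"].table["A"][0]

def route_to_a(with_liar):
    """Slide 35: You between X and N, with C two hops away. Returns You's (metric, next hop) for A."""
    net = chain(["A", "B", "X", "You", "N", "C"], liar="C" if with_liar else None)
    converge(net)
    return net["You"].table["A"]
```

With split horizon the two-router loop settles in one round; without it G1 and G2 trade ever-larger metrics until both reach 16, and the liar pulls You's route to A through N even though the honest path via X still exists.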

37
OSPF
  • Link State routing protocol (RFC1583)
  • Routers are organized in domains and areas
  • Hello message for neighbor acquisition
  • Link state information is flooded through the
    whole area
  • A topology database is maintained by every router

38
Important LSA Fields
  • Advertising router ID (originator)
  • Advertised link or network ID
  • Sequence number: 0x80000001 to 0x7fffffff
  • Age: 0 to 60 minutes

39
When to Originate a LSA?
  • Upon link state changes, or
  • Upon timer expiration

40
Questions to Ask
  • How do you know one LSA is fresher than the
    other?
  • An LSA originated by you will be received by
    every router; will you receive the LSA originated
    by you?
  • Will the sequence number wrap-around cause any
    problem? (i.e., 0x7fffffff)
  • Age > 1 hour

41
Sequence: Old versus New LSAs
[Figure: an LSA with sequence 0x80000001 flooded across the network; the next instance carries 0x80000002]
Only accept LSAs with a newer/larger Seq.
42
Sequence: Self-stabilization
[Figure, in order: (1) the router's LSA carries 0x90001112; (2) the router crashes; (3) it comes back up and originates 0x80000001; (4) an old copy with 0x90001112 still exists in the network!; (5) the router reissues the LSA with 0x90001113]
43
Flushing via Premature Aging
Specified behavior when Seq wraps around
[Figure: steps (1), (2), (3)]
44
Attacking the Routing Infrastructure: Flooding
[Figure: an attacker ("EVIL!") injects LSAs into the flood of an area whose links are up, claiming 1. up -> down, or 2. not exist -> up]
Impact varies depending on how critical the link
is to the world!
45
Attacking the Routing Infrastructure: Flooding
[Figure: the attacker reaches every link through the flood]
All the links can be attacked
Authentication, please come to the rescue!
46
Exchanging without LSA Signature?
If attackers can just change the content of LSAs
without being detected, the routers must use all
LSAs with care!
47
Fight-back Originator Reaction
Seq
ATM
(1) 0x90001112
(3) 0x90001114 fight-back
(2) 0x90001113 seq attack
48
Signature - How Critical?
  • Observations
  • Prolonged fight-back will not happen in real
    attacks
  • What's preventing the attacker from using
    LS_seq = MaxSeq?
  • Can you prevent false LSAs without signatures?
  • Can you determine who did it, after you realize
    that you've been fooled, without signatures?
  • What needs to be signed by whom anyway?
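The sequence-number rules of slides 41 to 43 and the fight-back of slides 47 and 48, as an added Python model that is not code from the lecture: a simplified RFC 2328 freshness comparison, an originator that answers a stale or injected instance of its own LSA with seq + 1, and the premature-aging flush when seq reaches MaxSequenceNumber. Router IDs and link IDs are constructed, and the checksum tie-break of the comparison is omitted.

```python
from dataclasses import dataclass
INIT_SEQ = 0x80000001    # InitialSequenceNumber
MAX_SEQ = 0x7FFFFFFF     # MaxSequenceNumber
MAX_AGE = 3600           # MaxAge: 60 minutes, in seconds
MAX_AGE_DIFF = 900       # MaxAgeDiff: 15 minutes
@dataclass(frozen=True)
class LSA:
    adv_router: str
    link_id: str
    seq: int             # 32-bit pattern; OSPF orders it as a signed integer
    age: int = 0

def signed32(x):
    return x - (1 << 32) if x & 0x80000000 else x

def is_newer(cand, cur):
    """Simplified RFC 2328 section 13.1 ordering (checksum tie-break omitted)."""
    if signed32(cand.seq) != signed32(cur.seq):
        return signed32(cand.seq) > signed32(cur.seq)
    if (cand.age >= MAX_AGE) != (cur.age >= MAX_AGE):
        return cand.age >= MAX_AGE      # a MaxAge copy wins: that is how a flush spreads
    return cur.age - cand.age > MAX_AGE_DIFF

class OspfRouter:
    def __init__(self, rid):
        self.rid = rid
        self.lsdb = {}                   # (adv_router, link_id) -> LSA

    def flood(self, lsa):
        self.lsdb[(lsa.adv_router, lsa.link_id)] = lsa
        return lsa

    def originate(self, link_id):
        cur = self.lsdb.get((self.rid, link_id))
        if cur is None or cur.age >= MAX_AGE:
            return self.flood(LSA(self.rid, link_id, INIT_SEQ))     # fresh start
        if cur.seq == MAX_SEQ:
            # wrap-around: flush the old instance by premature aging before restarting
            return self.flood(LSA(self.rid, link_id, MAX_SEQ, MAX_AGE))
        return self.flood(LSA(self.rid, link_id, (cur.seq + 1) & 0xFFFFFFFF))

    def receive(self, lsa):
        key = (lsa.adv_router, lsa.link_id)
        cur = self.lsdb.get(key)
        if cur is not None and not is_newer(lsa, cur):
            return "discard"             # old or duplicate copy
        if lsa.adv_router == self.rid:
            # A newer instance of our own LSA that we did not send: a stale copy from
            # before a crash, or an injected one. Fight back with sequence + 1.
            self.lsdb[key] = lsa
            self.originate(lsa.link_id)
            return "fight-back"
        self.flood(lsa)
        if lsa.age >= MAX_AGE:
            del self.lsdb[key]           # flushed: pass it on, then drop it from the database
        return "install"

def fight_back_scenario():
    """Slide 47: (1) 0x90001112 is legitimate, (2) attacker injects 0x90001113, (3) fight-back."""
    r1, r2 = OspfRouter("R1"), OspfRouter("R2")
    r2.receive(r1.flood(LSA("R1", "net", 0x90001112)))
    forged = LSA("R1", "net", 0x90001113)
    first, react = r2.receive(forged), r1.receive(forged)
    second = r2.receive(r1.lsdb[("R1", "net")])
    return first, react, second, r2.lsdb[("R1", "net")].seq

def restart_scenario():
    """Slide 42: the router restarts at 0x80000001 while an old 0x90001112 copy survives."""
    r1 = OspfRouter("R1")
    fresh = r1.originate("net")
    return fresh.seq, r1.receive(LSA("R1", "net", 0x90001112)), r1.lsdb[("R1", "net")].seq

def wraparound_scenario():
    """Slide 43: at MaxSequenceNumber the originator flushes, neighbours drop the LSA, then restart."""
    r1, r2 = OspfRouter("R1"), OspfRouter("R2")
    r2.receive(r1.flood(LSA("R1", "net", MAX_SEQ)))
    flush = r1.originate("net")
    r2.receive(flush)
    restart = r1.originate("net")
    return flush.age, ("R1", "net") in r2.lsdb, r2.receive(restart), r2.lsdb[("R1", "net")].seq
```

Note what the model makes visible: the forged 0x90001113 is installed by R2 until R1's 0x90001114 displaces it, so without a signature the correction depends on the originator still being alive and the attacker not re-injecting.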

49
OSPF Security Strength
  • In most benign cases, if something goes wrong,
    the advertising router will detect it and try to
    correct it by generating new LSAs
  • The attackers have to persistently inject bad
    LSAs in order for it to stick
  • Self-Stabilization Protocols force the attackers
    to perform persistent attacks

50
Hit-and-Run vs. Persistent Attacks
  • Hit-and-Run Attacks Hard to Detect/Isolate
  • Inject one (or very few) bad packet but cause
    lasting damaging effect
  • Persistent Attacks
  • Attackers have to continuously inject attack
    packets in order to inflict significant damages
  • OSPF-type link state protocols are resilient
    to hit-and-run attacks

51
Secure Protocol/system Design?
  • If we can force the attackers to launch
    persistent attacks, we have a better chance to
    detect and isolate the attack sources.
  • OSPF flooding coupled with periodic LSA does a
    fairly good job because it is refreshing link
    state persistently!
  • What other implications does flooding have on
    security?

52
Lecture 9, November 18, 2003
  • Network Security Concepts
  • Introduction to Network Security
  • Routing Attacks
  • DDoS and Traceback
  • Intrusion Detection Systems
  • Firewalls
  • IP Security
  • Web Security

53
Denial-of-Service (DoS) Attacks
  • via Resource/bandwidth consumption

54
Distributed DoS (DDoS) Attacks
[Figure: attacker -> masters -> zombies -> victim]
55
DDoS Common Steps
  • Initiate a scan phase in which a large number of
    computers (100,000) on the internet are probed
    for known vulnerabilities.
  • Exploit the vulnerabilities to compromise the
    computers and gain access.
  • Install attack tools on each compromised host,
    and use the compromised hosts for further
    scanning/compromises.
  • A subset of the compromised hosts with desired
    architecture/topology are chosen to form the
    attack network.
  • Install attack and communication tools.
  • Tell the masters to attack.

56
DDoS: At Least 4 Versions
  • Trinoo
  • Attacker uses TCP; masters and zombies use UDP;
    password authentication.
  • TFN
  • Attacker uses a shell to invoke the master; masters
    and zombies use ICMP echo reply.
  • TFN2K
  • A combination of UDP, ICMP, and TCP.
  • Stacheldraht
  • Attacker uses encrypted TCP; masters and zombies
    use TCP and ICMP echo reply; rcp used for
    auto-update.

57
DDoS Example: Trinoo
  • Scanning
  • Buffer overflow bugs in Solaris and Linux, e.g.,
    wu-ftpd, statd, amd, etc.
  • A compromised node has a shell running as root
    and sends back confirmation.
  • Installing attack program
  • Use netcat (nc) to pipe a shell script to the
    shell (running as root) on the compromised host
  • Attacker to master
  • TCP; must provide a password; commands: dos IP,
    etc.
  • Master to zombie
  • UDP; command line includes a password; commands:
    aaa pass IP, rsz N, etc.

58
DDoS What to Do About It
  • Not a whole lot!
  • Prevention
  • Detection
  • Traceback

59
DDoS Prevention
  • Authentication.
  • Not feasible in practice.
  • Ingress filtering on the routers.
  • Traffic volume monitoring.
  • Rate limit certain kinds of traffic, e.g., ICMP
    packets, SYN packets.
  • Measure normal rates first!

60
DDoS Detection
  • Surge in traffic volume
  • Too much traffic to a particular destination
  • Specific to current DDoS tools
  • Control messages between attacker, masters, and
    zombies
  • Footprints of attack programs running on
    masters and zombies
  • What is after detection?
  • Stop the flood

61
Traceback
  • Why
  • Stop the attacks
  • Gather evidence for law enforcement
  • Only to the machines that directly generate the
    attack traffic
  • For the real masters/attackers, more forensic
    analysis is necessary
  • Difficulty
  • Spoofed IP source addresses

62
Traceback Several Proposals
  • Link Testing
  • ICMP Traceback
  • Probabilistic Marking

63
Link Testing Input Debugging
  • Victim reports to upstream router, which installs
    debugging filter that reveals which upstream
    router originated the traffic.
  • Repeat recursively until the ISP's border
    is reached.
  • The upstream ISP is contacted and repeats the
    process.
  • Considerable management overhead.
  • Relying on the availability and willingness of
    the network operators.

64
Link Testing Controlled Flooding
  • Victim coerces selected hosts along the upstream
    route to iteratively flood each incoming link of
    the router closest to the victim.
  • Infer which link the attack comes from by
    observing the attack packet rate changes
  • Router buffers are shared.
  • Repeat recursively
  • A form of DoS itself!
  • Need to have a good network topology map.

65
ICMP Traceback
  • For a very few packets (about 1 in 20,000), each
    router will send the destination a new ICMP
    packet that includes the contents of that packet
    and information about previous hop for that
    packet.
  • The flood victim can use these ICMP packets to
    reconstruct the path back to the attacker.
  • Net traffic increase at end point is about 0.1 -
    probably acceptable.
  • Issues authentication (attacker can falsify the
    ICMP packets), loss of traceback packets, load
    and cooperation on routers.

66
Probabilistic Marking
  • Basic idea
  • Probabilistically mark packets with partial path
    information as they arrive at routers.
  • Each marked packet represents a sample of its
    path.
  • But flooding attacks comprise a large number of
    packets.
  • By combining a modest number of these marked
    packets, the entire path can be reconstructed.

67
The Node Append Algorithm
  • Marking procedure at router R
  • For each packet w, append R to w.
  • Path reconstruction procedure at victim
  • For any packet w from attacker
  • Extract (Ri, ..., Rj) from the suffix of w.
  • High overhead at the router.
  • Not enough space in the packet.

68
The Node Sampling Algorithm
  • Marking procedure at router R
  • For each packet w,
  • Roll the dice: let x be a random number in
    0..1.
  • if x < p then write R to w.node.
  • Path reconstruction procedure at victim
  • For any packet w from attacker
  • Let NodeTbl be a table of (node, count)
  • z := lookup w.node in NodeTbl
  • if z is not nil then increment z.count else
    insert (w.node, 1) in NodeTbl
  • Sort NodeTbl by the count field
  • Extract path (Ri, ..., Rj) from the ordered node
    fields.
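The node sampling algorithm of slide 68 as an added Python simulation (not code from the lecture): the marking step at each router, the NodeTbl reconstruction at the victim, and the sampling rate that explains why the ordering works and how many packets the far routers need. The five-router path, the marking probability and the seed are constructed for the example.

```python
import random
from collections import Counter

def mark_packet(path, p, rng):
    """Node sampling marking (slide 68) applied along `path`, listed attacker side first.
    Each router overwrites the single w.node field with probability p, so a mark from a
    router near the victim survives more often than one from a router near the attacker."""
    node = None                       # w.node: empty when the attacker sends the packet
    for router in path:
        if rng.random() < p:          # roll the dice
            node = router
    return node

def reconstruct(marks):
    """Victim side: NodeTbl of (node, count), sorted by count; the highest count is the
    router closest to the victim, so reversing the order gives attacker -> victim."""
    tbl = Counter(m for m in marks if m is not None)
    return [node for node, _ in reversed(tbl.most_common())]

def expected_rate(p, d):
    """Fraction of packets that arrive marked by the router d hops from the victim:
    it must mark (p) and none of the d routers after it may overwrite (1 - p each)."""
    return p * (1 - p) ** d

def packets_for(p, d, samples=10):
    """Packets the victim must collect to expect `samples` marks from distance d."""
    return samples / expected_rate(p, d)

def simulate(path, p, n, seed=7):
    """Flood of n packets from one attacker over a fixed path; returns the reconstructed path."""
    rng = random.Random(seed)
    return reconstruct(mark_packet(path, p, rng) for _ in range(n))
```

With p = 0.5 the router four hops from the victim marks only about 3% of arriving packets, so a short burst reconstructs the near end of the path long before the far end; a flood supplies the packets for free, which is exactly why the scheme targets DDoS.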

69
Lecture 9, November 18, 2003
  • Network Security Concepts
  • Introduction to Network Security
  • Routing Attacks
  • DDoS and Traceback
  • Intrusion Detection Systems
  • Firewalls
  • IP Security
  • Web Security

70
Definitions
  • Intrusion
  • A set of actions aimed to compromise the security
    goals, namely
  • Integrity, confidentiality, or availability, of a
    computing and networking resource
  • Intrusion detection
  • The process of identifying and responding to
    intrusion activities

71
Why Is Intrusion Detection Necessary?
Security principle: layered mechanisms
[Figure: layered security mechanisms]
72
Elements of Intrusion Detection
  • Primary assumptions
  • System activities are observable
  • Normal and intrusive activities have distinct
    evidence
  • Components of intrusion detection systems
  • From an algorithmic perspective
  • Features - capture intrusion evidences
  • Models - piece evidences together
  • From a system architecture perspective
  • Audit data processor, knowledge base, decision
    engine, alarm generation and responses

73
Components of Intrusion Detection System
[Figure: IDS components, resting on the assumptions that system activities are observable and that normal and intrusive activities have distinct evidence]
74
Intrusion Detection Approaches
  • Modeling
  • Features: evidence extracted from audit data
  • Analysis approach: piecing the evidence together
  • Misuse detection (a.k.a. signature-based)
  • Anomaly detection (a.k.a. statistical-based)
  • Deployment: network-based or host-based
  • Development and maintenance
  • Hand-coding of expert knowledge
  • Learning based on audit data

75
Misuse Detection
Example: if (src_ip = dst_ip and src_port =
dst_port) then land attack
Can't detect new attacks
76
Anomaly Detection
[Figure: activity measures plotted, with a region flagged as probable intrusion]
Relatively high false positive rate -
anomalies can just be new normal activities.
77
Monitoring Networks and Hosts
[Figure: network packets captured with tcpdump; operating system events captured with BSM]
78
Audit Data Preprocessing
tcpdump packet data:
10:35:41.5 A > B . 512:1024(512) ack 1 win 9216
10:35:42.2 C > D . ack 1073 win 16384
10:35:45.6 E > F . ack 2650 win 16225
...
-> connection records
79
Host-based IDSs
  • Using OS auditing mechanisms
  • e.g., BSM on Solaris logs all direct or indirect
    events generated by a user
  • strace for system calls made by a program
  • Monitoring user activities
  • e.g., analyze shell commands
  • Monitoring executions of system programs
  • e.g., analyze system calls made by sendmail

80
Network IDSs
  • Deploying sensors at strategic locations
  • e.g., packet sniffing via tcpdump at routers
  • Inspecting network traffic
  • Watch for violations of protocols and unusual
    connection patterns
  • Monitoring user activities
  • Look into the data portions of the packets for
    malicious command sequences
  • May be easily defeated by encryption
  • Data portions and some header information can be
    encrypted
  • Other problems

81
Architecture of Network IDS
[Figure, bottom to top: Network -> packet stream -> libpcap -> tcpdump filters -> filtered packet stream -> Event Engine -> event stream (event control flows back down) -> Policy Script Interpreter running the policy script -> alerts/notifications]
82
Firewall Versus Network IDS
  • Firewall
  • Active filtering
  • Fail-close
  • Network IDS
  • Passive monitoring
  • Fail-open

[Figure: placement of the IDS and the FW]
83
Requirements of Network IDS
  • High-speed, large volume monitoring
  • No packet filter drops
  • Real-time notification
  • Mechanism separate from policy
  • Extensible
  • Broad detection coverage
  • Economy in resource usage
  • Resilience to stress
  • Resilience to attacks upon the IDS itself!

84
Eluding Network IDS
  • What the IDS sees may not be what the end system
    gets.
  • Insertion and evasion attacks.
  • IDS needs to perform full reassembly of packets.
  • But there are still ambiguities in protocols and
    operating systems
  • e.g., TTL, fragments.
  • Need to normalize the packets.

85
Insertion Attack
[Figure: attacker's data stream ATTXACK; the IDS sees ATTXACK, the end system sees ATTACK]
86
Evasion Attack
[Figure: attacker's data stream ATTACK; the IDS sees ATTCK, the end system sees ATTACK]
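The two ambiguities of slides 84 to 86 in an added Python model (not code from the lecture): a segment the IDS accepts but the end system never receives (insertion, via a TTL that expires in transit) and one the IDS rejects but the host accepts (evasion), followed by the normalizer that slide 84 calls for. The hop count, the 64/2 TTL values and the "odd option" flag are constructed; the stream model is the slides' simplified one, with no sequence-number overlap handling.

```python
from dataclasses import dataclass

HOPS_TO_HOST = 4   # routers between the attacker and the end system (assumed topology)

@dataclass(frozen=True)
class Segment:
    data: str
    ttl: int
    odd_option: bool = False   # constructed: an IP option the IDS rejects but the host accepts

def reassemble(segments, accept):
    """Stream as seen by a party that keeps the segments it accepts, in arrival order."""
    return "".join(s.data for s in segments if accept(s))

def end_system_accepts(s):
    # every router decrements TTL and discards at zero, so the host only sees ttl > hop count
    return s.ttl > HOPS_TO_HOST

def naive_ids_accepts(s):
    # the IDS sits one hop from the attacker: every packet reaches it, but it drops what it cannot parse
    return not s.odd_option

def normalize(segments, min_ttl=HOPS_TO_HOST + 1):
    """Normalizer in front of the IDS (slide 84): drop packets whose TTL cannot reach any
    protected host and strip the ambiguous option, so IDS and host see the same bytes."""
    return [Segment(s.data, s.ttl) for s in segments if s.ttl >= min_ttl]

def detects(segments, accept, signature="ATTACK"):
    return signature in reassemble(segments, accept)

# Constructed attacker streams matching the two slides
INSERTION = [Segment("A", 64), Segment("T", 64), Segment("T", 64),
             Segment("X", 2),          # expires in the network: only the IDS ever sees it
             Segment("A", 64), Segment("C", 64), Segment("K", 64)]
EVASION = [Segment("A", 64), Segment("T", 64), Segment("T", 64),
           Segment("A", 64, odd_option=True),   # the IDS discards it, the host does not
           Segment("C", 64), Segment("K", 64)]

def views(segments):
    """What each vantage point reconstructs, with and without the normalizer."""
    return {"ids": reassemble(segments, naive_ids_accepts),
            "host": reassemble(segments, end_system_accepts),
            "ids_behind_normalizer": reassemble(normalize(segments), naive_ids_accepts)}
```

A real normalizer cannot know the exact hop count to every host, so it enforces a TTL floor derived from the farthest protected host; the point carried over from the slides is that the IDS must see exactly what the end system sees, which a stand-alone sensor cannot guarantee.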
87
DoS Attacks on Network IDS
  • Resource exhaustion
  • CPU resources
  • Memory
  • Network bandwidth
  • Abusing reactive IDS
  • False positives
  • Nuisance attacks or error packets/connections

88
Lecture 9, November 18, 2003
  • Network Security Concepts
  • Introduction to Network Security
  • Routing Attacks
  • DDoS and Traceback
  • Intrusion Detection Systems
  • Firewalls
  • IP Security
  • Web Security

89
What Is A Firewall?
  • Device that provides secure connectivity between
    networks (internal/external, with varying levels
    of trust)
  • Used to implement and enforce a security policy
    for communication between networks

90
Firewalls
  • From Webster's Dictionary: a wall constructed to
    prevent the spread of fire
  • Internet firewalls are more the moat around a
    castle than a building firewall
  • Controlled access point

91
Firewalls Can and Cannot
  • Can
  • Restrict incoming and outgoing traffic by IP
    address, ports, or users
  • Block invalid packets
  • Cannot
  • Protect traffic that does not cross it
  • routing around
  • Internal traffic
  • Protect when misconfigured

92
Filtering
  • Packet filtering
  • Access Control Lists
  • Session filtering
  • Dynamic Packet Filtering
  • Stateful Inspection
  • Smart packet filtering
  • Context Based Access Control

93
Packet Filtering
  • Properties
  • Decisions made on a per-packet basis
  • No state information saved
  • Typical Configuration
  • Ports gt 1024 left open
  • If dynamic protocols are in use, entire ranges of
    ports must be allowed for the protocol to work.

94
Packet Filter
[Figure: two end-system stacks (Applications, Presentations, Sessions, Transport, Network, DataLink, Physical) with a packet-filtering router between them that operates only at the lower layers]
95
Session Filtering
  • Properties
  • Packet decision made in the context of a
    connection
  • If the packet is a new connection, check it against
    the security policy
  • If the packet is part of an existing connection,
    match it against the state table and update the table
  • Typical Configuration
  • All denied unless specifically allowed
  • Dynamic protocols (FTP, H.323, RealAudio, etc.)
    allowed only if supported

96
Session Filter
  • Screens ALL attempts, protects ALL applications
  • Extracts and maintains state information
  • Makes an intelligent security / traffic decision

[Figure: three protocol stacks (Applications through Physical) with the session filter in the middle]
97
Example FTP Transactions
[Figure: FTP client (ports 5150 and 5151) and FTP server (port 21 command, port 20 data)]
  • Client opens the command channel to the server
    (from port 5150 to port 21) and tells the server
    the second port number: PORT 5151
  • Server acknowledges: OK
  • Server opens the data channel (from port 20) to the
    client's second port 5151: DATA CHANNEL
  • Client acknowledges: TCP ACK
98
Example FTP Packet Filter
Format:
access-list <rule number> <permit|deny> <protocol> <SOURCE: host with IP address | any | IP address and mask> <gt|eq port number> <DEST: host with IP address | any | IP address and mask> <gt|eq port number>

The following allows a user to FTP (not passive FTP) from any IP address to the FTP server (172.168.10.12):

access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20
! Allows packets from any client to the FTP control and data ports
access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023
! Allows the FTP server to send packets back to any IP address with TCP ports > 1023
interface Ethernet 0
access-list 100 in
! Apply the first rule to inbound traffic
access-list 101 out
! Apply the second rule to outbound traffic
!
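The packet filter of slide 98 evaluated against the FTP exchange of slide 97, as an added Python example (not code from the lecture): a small parser for the access-list syntax shown on the slide, first-match evaluation with the implicit deny, and the stateless weakness from slide 93. The client address 10.1.1.5 and the outside host 198.51.100.9 are constructed; the interface lines are kept as the slide writes them and skipped by the parser.

```python
import ipaddress
from dataclasses import dataclass

# The packet filter of slide 98, copied as written there (comment and interface lines included)
ACL_TEXT = """
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20
! Allows packets from any client to the FTP control and data ports
access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023
! Allows the FTP server to send packets back to any IP address with TCP ports > 1023
interface Ethernet 0
access-list 100 in
access-list 101 out
"""
SERVER = "172.168.10.12"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Cisco wildcard: 0 bits must match, so inverting it gives an ordinary netmask
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_port(tokens):
    """Consume an optional 'eq N' or 'gt N'; returns a predicate on a port number."""
    if tokens and tokens[0] in ("eq", "gt"):
        op, n = tokens[0], int(tokens[1])
        return ((lambda p: p == n) if op == "eq" else (lambda p: p > n)), tokens[2:]
    return (lambda p: True), tokens

def parse_acl(text):
    """{list number: [(action, proto, src net, src port test, dst net, dst port test)]}."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":   # skips '!' comments and interface lines
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = parse_addr(rest)
        sp, rest = parse_port(rest)
        dst, rest = parse_addr(rest)
        dp, rest = parse_port(rest)
        acls.setdefault(t[1], []).append((action, proto, src, sp, dst, dp))
    return acls

def evaluate(rules, pkt):
    """First matching entry wins; a Cisco access list ends with an implicit deny."""
    for action, proto, src, sp, dst, dp in rules:
        if (proto in (pkt.proto, "ip") and ipaddress.ip_address(pkt.src) in src
                and sp(pkt.sport) and ipaddress.ip_address(pkt.dst) in dst and dp(pkt.dport)):
            return action
    return "deny"

ACLS = parse_acl(ACL_TEXT)

def ftp_session_verdicts(client="10.1.1.5"):
    """Slide 97's active-mode exchange (client IP constructed): control from port 5150,
    PORT 5151, data channel opened by the server from port 20."""
    return [evaluate(ACLS["100"], Packet(client, 5150, SERVER, 21)),  # control, inbound
            evaluate(ACLS["101"], Packet(SERVER, 21, client, 5150)),  # reply, outbound
            evaluate(ACLS["101"], Packet(SERVER, 20, client, 5151)),  # data channel, outbound
            evaluate(ACLS["100"], Packet(client, 5151, SERVER, 20))]  # client's ACK, inbound

def unsolicited_data_port():
    """Slide 93's weakness: stateless, so any high port to port 20 is permitted even
    though no PORT command ever set up that data connection."""
    return evaluate(ACLS["100"], Packet("198.51.100.9", 40000, SERVER, 20))
```

The session filter of slides 95 and 96 closes the gap the last function shows: it would permit the inbound port-20 packet only if it belongs to a data connection the control channel actually announced.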
99
Example FTP - Session Filter
100
Proxy Firewalls
  • Relay for connections
  • Client -> Proxy -> Server
  • Two flavors
  • Application level
  • Circuit level

101
Application Layer GW/proxy
  • Understands specific applications
  • Limited proxies available
  • Proxy impersonates both sides of connection
  • Resource intensive
  • process per connection
  • HTTP proxies may cache web pages
  • Clients configured for proxy communication
  • Transparent Proxies

102
Application Layer GW/proxy
  • More appropriate to TCP
  • ICMP difficult
  • Block all unless specifically allowed
  • Must write a new proxy application to support new
    protocols
  • Not trivial!

103
Application Layer GW/proxy
[Figure: an Application Gateway running Telnet, HTTP and FTP proxies, drawn as three full protocol stacks (Applications through Physical) with the gateway in the middle]
104
Circuit-Level Gateways
  • Support more services than Application-level
    Gateway
  • less control over data
  • Hard to handle protocols like FTP
  • Clients must be aware they are using a
    circuit-level proxy
  • Protect against fragmentation problem

105
Example SOCKS
  • Circuit level Gateway
  • Support TCP
  • SOCKS v5 supports UDP, earlier versions did not
  • See http://www.socks.nec.com

106
Comparison (1)
Lower is better for security and performance.
107
Comparison (2)
108
Comparison (3)