15-441 Computer Networking - PowerPoint PPT Presentation

About This Presentation
Title:

15-441 Computer Networking

Description:

15-441 Computer Networking Other Transport Issues, Attacks and Security Threats, Firewalls TCP Overview Revisited TCP modern loss recovery TCP options TCP ... – PowerPoint PPT presentation

Slides: 39
Provided by: Srinivasa1
Learn more at: http://www.cs.cmu.edu

Transcript and Presenter's Notes


1
15-441 Computer Networking
  • Other Transport Issues,
  • Attacks and Security Threats,
  • Firewalls

2
TCP Overview Revisited
  • TCP modern loss recovery
  • TCP options
  • TCP interactions
  • TCP modeling
  • Workload changes
  • TCP routers
  • TCP header compression

3
Queuing Disciplines
  • Each router must implement some queuing
    discipline
  • Queuing allocates both bandwidth and buffer
    space
  • Bandwidth: which packet to serve (transmit) next
  • Buffer space: which packet to drop next (when
    required)
  • Queuing also affects latency

4
Packet Drop Dimensions
  • Aggregation: single class, per-connection state,
    class-based queuing
  • Drop position: tail, head, random location
  • Overflow drop, early drop

5
Typical Internet Queuing
  • FIFO drop-tail
  • Simplest choice
  • Used widely in the Internet
  • FIFO (first-in-first-out)
  • Implies single class of traffic
  • Drop-tail
  • Arriving packets get dropped when queue is full
    regardless of flow or importance
  • Important distinction
  • FIFO scheduling discipline
  • Drop-tail drop policy

6
FIFO Drop-tail Problems
  • Leaves responsibility of congestion control to
    edges (e.g., TCP)
  • Does not separate between different flows
  • No policing: send more packets → get more service
  • Synchronization: end hosts react to same events

7
Active Queue Management
  • Design active router queue management to aid
    congestion control
  • Why?
  • Router has unified view of queuing behavior
  • Routers can distinguish between propagation and
    persistent queuing delays
  • Routers can decide on transient congestion, based
    on workload

8
Internet Problems
  • Full queues
  • Routers are forced to have large queues to
    maintain high utilization
  • TCP detects congestion from loss
  • Forces network to have long standing queues in
    steady-state
  • Lock-out problem
  • Drop-tail routers treat bursty traffic poorly
  • Traffic gets synchronized easily → allows a few
    flows to monopolize the queue space

9
Design Objectives
  • Keep throughput high and delay low
  • Accommodate bursts
  • Queue size should reflect ability to accept
    bursts rather than steady-state queuing
  • Improve TCP performance with minimal hardware
    changes

10
Lock-out Problem
  • Random drop
  • Packet arriving when queue is full causes some
    random packet to be dropped
  • Drop front
  • On full queue, drop packet at head of queue
  • Random drop and drop front solve the lock-out
    problem but not the full-queues problem

11
Full Queues Problem
  • Drop packets before queue becomes full (early
    drop)
  • Intuition: notify senders of incipient congestion
  • Example: early random drop (ERD)
  • If qlen > drop level, drop each new packet with
    fixed probability p
  • Does not control misbehaving users

12
Random Early Detection (RED)
  • Detect incipient congestion, allow bursts
  • Keep power (throughput/delay) high
  • Keep average queue size low
  • Assume hosts respond to lost packets
  • Avoid window synchronization
  • Randomly mark packets
  • Avoid bias against bursty traffic
  • Some protection against ill-behaved users

13
RED Algorithm
  • Maintain running average of queue length
  • If avg < minth, do nothing
  • Low queuing, send packets through
  • If avg > maxth, drop packet
  • Protection from misbehaving sources
  • Else mark packet in a manner proportional to
    queue length
  • Notify sources of incipient congestion

14
RED Operation
[Figure: P(drop) versus average queue length, with min thresh (minth) and max thresh (maxth) marked on the queue-length axis and maxP and 1.0 on the P(drop) axis]
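
The RED rules from the two slides above as a small queue model. This is an added example, not code from the original slides; the EWMA weight, buffer capacity and the `RedQueue`/`burst` names are assumptions, and ECN-capable packets are marked instead of dropped as the later ECN slides describe.

```python
import random

class RedQueue:
    """RED gateway model: an EWMA of the queue length drives mark/drop decisions."""

    def __init__(self, minth, maxth, maxp, weight=0.002, capacity=100, seed=0):
        self.minth, self.maxth, self.maxp = minth, maxth, maxp
        self.weight = weight        # EWMA gain (assumed value)
        self.capacity = capacity    # physical buffer limit in packets (assumed)
        self.avg = 0.0              # running average of queue length
        self.qlen = 0               # instantaneous queue length
        self.rng = random.Random(seed)

    def mark_probability(self):
        if self.avg < self.minth:
            return 0.0              # low queuing: send packets through
        if self.avg > self.maxth:
            return 1.0              # protection from misbehaving sources
        # In between: rises linearly from 0 at minth to maxp at maxth.
        return self.maxp * (self.avg - self.minth) / (self.maxth - self.minth)

    def enqueue(self, ecn_capable=False):
        """Process one arrival; return 'queued', 'marked' (CE set) or 'dropped'."""
        self.avg = (1 - self.weight) * self.avg + self.weight * self.qlen
        p = self.mark_probability()
        if p >= 1.0 or self.qlen >= self.capacity:
            return "dropped"
        notify = self.rng.random() < p
        if notify and not ecn_capable:
            return "dropped"        # non-ECN flow: the drop is the signal
        self.qlen += 1
        return "marked" if notify else "queued"

    def dequeue(self):
        self.qlen = max(0, self.qlen - 1)

def burst(queue, arrivals, ecn_capable=False):
    """Feed a burst with no departures and return the per-packet outcomes."""
    return [queue.enqueue(ecn_capable) for _ in range(arrivals)]
```
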
15
Explicit Congestion Notification (ECN)
  • The goal is to provide explicit congestion
    notification to senders.
  • Complements the implicit feedback through packet
    drops
  • Bits 6-7 of the TOS byte form the ECN field.
  • The ECN-Capable Transport (ECT) bit is set by the
    sender to indicate that the end-points are
    ECN-capable
  • The Congestion Experienced (CE) bit is set by the
    router to signal congestion
  • The ECN is received by the receiver, who is
    responsible for forwarding the information to the
    sender

[Figure: IP header layout (V/HL, TOS, Length, ID, Flags/Offset, TTL, Prot., H. Checksum, Source IP address, Destination IP address, Options), with the TOS byte split into DSCP and ECT/CE]

16
ECN in TCP
  • Receiver signals congestion to the sender by
    setting the ECN-Echo flag in the TCP header.
  • Bit 9 in the reserved field of the TCP header
  • Handles asymmetric routes
  • ECN-Echo flag also used to negotiate ECN use

[Figure: TCP header layout (Source Port, Dest. Port, Sequence Number, Acknowledgment, HL/Flags, Window, D. Checksum, Urgent Pointer, Options) carried inside IP, with the HL/Flags word showing the ECE/CWR flags]

17
Use of ECN with TCP
  • The TCP sender should respond to ECN feedback as
    if a single packet loss occurred.
  • Reduce the congestion window size
  • Send Congestion Window Reduced (CWR) flag (bit 8)
    to ack
  • So receiver knows to stop setting the ECE bit
  • ECN and RED can leverage each other.
  • The router should set the CE bit if it would
    otherwise have dropped the packet (for a non-ECN
    enabled flow)
  • When RED is used, this happens before the queues
    fill up so ECN and RED combined can result in
    congestion notification without packet loss
  • Deployment seems quite practical.
  • Can be introduced one router at a time
  • Strong incentive for end-points to adopt ECN

18
Attacks and Security Threats
  • Packet Sniffing
  • IP Spoofing
  • TCP Connection Spoofing
  • Denial of Service

19
Packet Sniffing
  • broadcast media
  • promiscuous NIC reads all packets passing by
  • can read all unencrypted data (e.g. passwords)
  • e.g. C sniffs B's packets
  • many protocols (ftp, telnet) send passwords in
    the clear!

[Figure: hosts A, B and C]

20
IP Spoofing
  • can generate raw IP packets, putting any value
    into IP source address field
  • routers process IP packets based on destination
    address alone (not quite in reality)
  • receiver can't tell if source is spoofed
  • e.g. C pretends to be B

[Figure: hosts A, B and C]

21
IP Spoofing
  • Many applications use IP address as a simple
    authentication method
  • Solution: reverse path forwarding checks, better
    authentication
  • Fragmentation can consume memory resources at
    destination or otherwise trick
    destination/firewalls
  • Solution: disallow fragments

22
TCP Connection Spoofing
  • Each TCP connection has an agreed upon/negotiated
    set of associated state
  • Starting sequence numbers, port numbers
  • Knowing these parameters is sometimes used to
    provide some sense of security (in addition to
    3-way handshake)
  • Problem:
  • Easy to guess these values
  • Listening port numbers are well known and
    connecting port numbers are typically allocated
    sequentially
  • Starting sequence numbers are chosen in a
    predictable way
  • Solution: make sequence number selection more
    random

23
Sequence Number Guessing Attack
  • Attacker → Victim: SYN(ISNx), SRC = Trusted Host
  • Victim → Trusted Host: SYN(ISNs), ACK(ISNx)
  • Attacker → Victim: ACK(ISN guess of s),
    SRC = Trusted Host
  • Attacker → Victim: ACK(ISN guess of s),
    SRC = Trusted Host, data = "rm -r /"
  • Attacker must also make sure that Trusted Host
    does not respond to SYN ACK
  • Can repeat until guess is accurate

24
More TCP Attacks
  • TCP senders assume that receivers behave in
    certain ways (e.g. when they send acks, etc.)
  • Congestion control is typically done on a
    packet basis while the rest of TCP is based on
    bytes
  • Problem: misbehaving receiver can trick sender
    into ignoring congestion control
  • Ack every byte in packet!
  • Send (one) extra duplicate ack
  • Ack before the data is received (needs some
    application level retransmission e.g. HTTP 1.1
    range requests)
  • Solutions
  • Make congestion control byte oriented
  • Add nonces to packets: acks return nonce to
    truly indicate reception

25
Routing
  • (Strict) Source routing
  • Destinations are expected to reverse source route
    for replies
  • Problem: can force packets to be routed through
    convenient monitoring point
  • Solution: disallow source routing (doesn't work
    well anyway!)
  • Routing protocol
  • Malicious hosts may advertise routes into network
  • Problem: bogus routes may enable host to monitor
    traffic or deny service to others
  • Solutions
  • Use policy mechanisms to only accept routes from
    or to certain networks/entities
  • In link state routing, can use something like
    source routing to force packets onto valid route

26
ICMP
  • Reports errors and other conditions from network
    to end hosts
  • End hosts take actions to respond to error
  • Problem
  • An entity can easily forge a variety of ICMP
    error messages
  • Redirect: informs end-hosts that they should be
    using a different first hop route
  • Fragmentation: can confuse path MTU discovery
  • Destination unreachable: can cause transport
    connections to be dropped

27
DNS
  • Users/hosts typically trust the host-address
    mapping provided by DNS
  • Problems
  • Zone transfers can provide useful list of target
    hosts
  • Interception of requests or compromise of DNS
    servers can result in bogus responses
  • Solution: authenticated requests/responses

28
Denial of Service
  • flood of maliciously generated packets swamp
    receiver
  • Distributed DOS (DDOS): multiple coordinated
    sources swamp receiver
  • e.g., C and remote host SYN-attack A

[Figure: hosts A, B and C]

29
SYN Flooding Attack
  • Server responds with SYNACK and keeps state about
    the TCP half-open connection
  • Eventually server memory is exhausted with this
    state
  • Solution: SYN cookies make the SYNACK contents
    purely a function of SYN contents; therefore, it
    can be recomputed on reception of next ACK
  • More recent attacks have used bandwidth floods
  • How do we stop these?
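
A stateless SYN-cookie check along the lines of the slide above: the server's initial sequence number is a keyed function of the SYN, so nothing is stored until a valid ACK arrives. This is an added example, not code from the original slides or from any particular TCP stack; the bit layout (5 bits of time, 3 bits of MSS index, 24 bits of MAC), the key, the MSS table and the 64-second slot are assumptions.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"     # assumption: a random per-boot secret in practice
MSS_TABLE = [536, 1220, 1440, 1460]  # assumed table; only the index fits in the cookie
SLOT = 64                            # seconds per time-counter step (assumed)

def _mac24(src, sport, dst, dport, client_isn, t, idx):
    """24-bit keyed hash over everything the server would otherwise have stored."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst)
    msg += struct.pack("!HHIIB", sport, dport, client_isn, t, idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Server ISN for the SYNACK, derived only from the SYN and the clock."""
    t = now // SLOT
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac24(src, sport, dst, dport, client_isn, t, idx)
    return ((t % 32) << 27) | (idx << 24) | mac

def check_cookie(src, sport, dst, dport, client_isn, ack, now):
    """Validate the final ACK without stored state; return the MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    for t in (now // SLOT, now // SLOT - 1):   # current slot or the one before
        if t < 0 or (t % 32) != cookie >> 27:
            continue
        mac = _mac24(src, sport, dst, dport, client_isn, t, idx)
        if hmac.compare_digest(mac.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None
```

Because the MAC covers the source address, a SYN sent from a spoofed address yields a cookie the sender never sees, so it cannot complete the handshake, and the server has allocated nothing for it.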

30
Bandwidth DOS Attacks
  • Possible solutions
  • Ingress filtering: examine packets to identify
    bogus source addresses
  • Link testing: routers either explicitly
    identify which hops are involved in attack or use
    controlled flooding and a network map to perturb
    attack traffic
  • Logging: log packets at key routers and
    post-process to identify attacker's path
  • ICMP traceback: sample occasional packets and
    copy path info into special ICMP messages
  • IP traceback

31
IP Traceback
  • Node append (record route): high computation and
    space overhead
  • Node sampling: each router marks its IP address
    with some probability p
  • P(receiving mark from router d hops away) =
    $p(1-p)^{d-1}$
  • p > 0.5 prevents any attacker from inserting
    false router
  • Must infer distance by marking rate → relatively
    slow
  • Doesn't work well with multiple routers at same
    distance → i.e. multiple attackers

32
IP Traceback
  • Edge sampling
  • Solve node sampling problems by encoding edges
    and distance from victim in messages
  • Start router sets "start" field with probability
    p and sets distance to 0
  • If distance is 0, router sets "end" field
  • All routers increment distance
  • As before, P(receiving mark from router d hops
    away) = $p(1-p)^{d-1}$
  • Multiple attackers can be identified since edge
    identifies splits in reverse path
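
The edge-sampling marking rule and the victim-side path reconstruction for a single attack path, with an empirical check of the $p(1-p)^{d-1}$ marking rate. This is an added example, not code from the original slides; router names, function names and the simulation parameters are constructed, packets are assumed to arrive with empty mark fields, and a marking router clears the "end" field so that distance-0 marks are unambiguous.

```python
import random

def forward(path, p, rng):
    """Send one packet through `path` (attacker side first); return its mark or None."""
    start, end, dist = None, None, 0
    for router in path:
        if rng.random() < p:
            start, end, dist = router, None, 0   # start a new edge at this router
        else:
            if dist == 0:
                end = router                     # complete the edge begun one hop back
            dist += 1                            # every non-marking hop adds distance
    return (start, end, dist) if start is not None else None

def collect(path, p, packets, seed=1):
    """Victim side: gather the marks carried by `packets` packets."""
    rng = random.Random(seed)
    marks = (forward(path, p, rng) for _ in range(packets))
    return [m for m in marks if m is not None]

def reconstruct(marks):
    """Chain edges by distance; stop at the first gap or ambiguity."""
    edges = {}
    for start, end, dist in marks:
        edges.setdefault(dist, set()).add((start, end))
    path, prev, d = [], None, 0
    while d in edges:
        candidates = [s for s, e in edges[d] if e == prev]
        if len(candidates) != 1:
            break
        prev = candidates[0]
        path.append(prev)
        d += 1
    return path                                  # router nearest the victim first

def mark_rate(marks, packets, hops):
    """Observed fraction of packets whose mark came from the router `hops` hops away."""
    return sum(1 for _, _, dist in marks if dist == hops - 1) / packets
```
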

33
Edge Sampling
  • Major problem: need to add about 72 bits (2
    addresses + hop count) of info into packets
  • Solution
  • Encode edge as xor of nodes → reduce 64 bits to
    32 bits
  • Ship only 8 bits at a time and 3 bits to indicate
    offset → 32 bits to 11 bits
  • Use only 5 bits for distance → 8 bits to 5 bits
  • Use IP fragment field to store 16 bits
  • Some backward compatibility issues
  • Fragmentation is rare so not a big problem

34
Firewalls
  • Basic problem: many network applications and
    protocols have security problems that are fixed
    over time
  • Difficult for users to keep up with changes and
    keep host secure
  • Solution
  • Administrators limit access to end hosts by using
    a firewall
  • Firewall and limited number of machines at site
    are kept up-to-date by administrators

35
Typical Firewall Topology
[Figure: firewall topology with labels Internet, Firewall, DMZ (web server, email server, web proxy, etc.), Firewall, Intranet]

36
Types of Firewalls
  • Proxy
  • End host connects to proxy and asks it to perform
    actions on its behalf
  • Policy determines if action is secure or insecure
  • Transport level relays (SOCKS)
  • Ask proxy to create, accept TCP (or UDP)
    connection
  • Cannot secure against insecure application
  • Application level relays (e.g. HTTP, FTP, telnet,
    etc.)
  • Ask proxy to perform application action (e.g.
    HTTP Get, FTP transfer)
  • Can use application action to determine security
  • Requires applications (or dynamically linked
    libraries) to be modified to use the proxy
  • Considered to be the most secure since it has
    most information to make decision

37
Types of Firewalls
  • Packet filters
  • Set of filters and associated actions that are
    used on a packet by packet basis
  • Filters specify fields, masks and values to match
    against packet contents, input and output
    interface
  • Actions are typically forward or discard
  • Such systems have difficulty with things like
    fragments and a variety of attacks
  • Typically a difficult balance between the access
    given and the ability to run applications
  • E.g. FTP often needs inbound connections on
    arbitrary port numbers: either make it difficult
    to use FTP or limit its use

38
Types of Firewalls
  • Stateful packet filters
  • Typically allow richer parsing of each packet
    (variable length fields, application headers,
    etc.)
  • Actions can include the addition of new rules and
    the creation of state to process future packets
  • Often have to parse application payload to
    determine intent and determine security
    considerations
  • Rules can be based on packet contents and state
    created by past packets
  • Provides many of the security benefits of proxies
    but without having to modify applications
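
A stateful filter handling the FTP case from the packet-filter slide: it parses the application payload on the control connection and adds a one-shot rule for the inbound data connection. This is an added example, not code from the original slides; the `StatefulFilter` class, its rule format and the addresses used with it are constructed, and only active-mode `PORT` commands are modeled.

```python
import re

PORT_RE = re.compile(
    rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")

class StatefulFilter:
    """Default-deny inbound filter that creates state from outbound traffic."""

    def __init__(self):
        self.flows = set()      # (inside_ip, inside_port, outside_ip, outside_port)
        self.expected = set()   # (server_ip, inside_ip, inside_port) awaiting a data SYN

    def outbound(self, src, sport, dst, dport, payload=b""):
        """Packet from an inside host: forward it and remember the flow."""
        self.flows.add((src, sport, dst, dport))
        m = PORT_RE.fullmatch(payload) if dport == 21 else None
        if m:
            nums = [int(g) for g in m.groups()]
            ip = ".".join(str(n) for n in nums[:4])
            port = nums[4] * 256 + nums[5]
            # New rule only if the PORT names the sender itself and an
            # unprivileged port; anything else would open a hole to a third host.
            if max(nums) <= 255 and ip == src and port >= 1024:
                self.expected.add((dst, ip, port))
        return "forward"

    def inbound(self, src, sport, dst, dport, syn=False):
        """Packet from outside: forward only if past packets created state for it."""
        if (dst, dport, src, sport) in self.flows:
            return "forward"
        if syn and (src, dst, dport) in self.expected:
            self.expected.discard((src, dst, dport))   # one connection per PORT
            self.flows.add((dst, dport, src, sport))
            return "forward"
        return "discard"
```

A plain packet filter would have to either open all high ports inbound or block active FTP; here the inbound rule exists only for the server, host and port named on the control connection, and only until it is used.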