Deficiencies in Networks

Deficiencies in Networks Anonymity

Lack of Access Control Anything can be forged

Shared medium Crowded Unpredictable

Complexity Difficult to comprehend

Difficult to do right

Large Network

Implication of Those Deficiencies

Criminals have found the Internet FTC Report 2007

• $1.2 billion in fraud• 1/3 Identity Theft• 64% initiated through Net

Border Protection• $200 Million IP theft

Stealth Worms• Outbreaks rare since 2004• Botnets growing to huge size• Increase in spam• DOS to Georgia

Actual Fraud Complaints 05-07

Confiscated IP

Introduction 1-7

Network Security The field of network security is about:

how bad guys can attack computer networks how we can defend networks against attacks how to design architectures that are immune

to attacks Internet not originally designed with

(much) security in mind original vision: “a group of mutually trusting

users attached to a transparent network” Internet protocol designers playing “catch-

up” Security considerations in all layers!

Introduction 1-8

Bad guys can put malware into hosts via Internet Malware can get in host from a virus, worm, or

trojan horse.

Spyware malware can record keystrokes, web sites visited, upload info to collection site.

Infected host can be enrolled in a botnet, used for spam and DDoS attacks.

Malware is often self-replicating: from an infected host, seeks entry into other hosts

Introduction 1-9

Bad guys can put malware into hosts via Internet Trojan horse

Hidden part of some otherwise useful software

Today often on a Web page (Active-X, plugin)

Virus infection by receiving

object (e.g., e-mail attachment), actively executing

self-replicating: propagate itself to other hosts, users

Worm: infection by passively

receiving object that gets itself executed

self- replicating: propagates to other hosts, usersSapphire Worm: aggregate scans/sec

in first 5 minutes of outbreak (CAIDA, UWisc data)

Viruses

Code

Init

Executed by user or app Inserts into code

In empty regions of app Redirects app start instructions

Effect Mischief Spyware

Spread Locally As used

Trojans

Already Exists in Code Does not propagate Effect

Mischief Spyware Anything

Worms

Self Replicating Exploit vulnerabilities Effect

Cause High Net Traffic Mischief/Spyware

Spread Over Networks Actively

Polymorphic

Code Red Propagation

Sapphire Worm Propagation

Backdoor

Adding illicit access to a host Remotely

• Creating a server• Adding User with remote access

Locally• Bury alternative access in code

Hybrid Bugs

Bugs are people too!

What about Anti-virus?

Can only match known signatures Fine if there is a match Not so fine if there isn’t

• Zero-day attack– (a bit presumptuous term)

• Unknown attack Some bugs disable anti-virus

Introduction 1-18

Bad guys can attack servers and network infrastructure

Denial of service (DoS): attackers make resources (server, bandwidth) unavailable to legitimate traffic by overwhelming resource with bogus traffic

1. select target

2. break into hosts around the network (see botnet)

3. send packets toward target from compromised hosts

target

Denial of Service

Denial of Service Typically one source Utilizes weaknesses in App or Proto to bring

services down Distributed Denial of Service

Many hosts attacking a small network Indistinguishable from certain network

phenomena (Flash Crowds).

Syn Flood

TCP Session

TCP Session

TCP Session

TCP Session

TCP Session

TCP Session

TCP Session

Server

SYN

Ping of Death (POD)

Feed the target more than he can handle

Host Chokes

Introduction 1-23

The bad guys can sniff packetsPacket sniffing:

broadcast media (shared Ethernet, wireless) promiscuous network interface reads/records all packets

(e.g., including passwords!) passing by

A

B

C

src:B dest:A payload

Wireshark software used for end-of-chapter labs is a (free) packet-sniffer

Introduction 1-25

The bad guys can use false source addresses IP spoofing: send packet with false source

addressA

B

C

src:B dest:A payload

Introduction 1-26

The bad guys can record and playback

record-and-playback: sniff sensitive info (e.g., password), and use later password holder is that user from system point of

view

A

B

C

src:B dest:A user: B; password: foo

Introduction 1-27

Network Security more throughout this course chapter 8: focus on security crypographic techniques: obvious uses

and not so obvious uses

Sources

Federal Trade Commission, Consumer Fraud and Identity Theft Complaint Data: January-December 2007, 2008.

Department of Justice, Report to the President and Congress on Coordination of Intellectual Property Enforcement and Protection, January 2008