
Network Security Lecture 1: Introduction Attacks and Risks

Jan 04, 2016

Transcript
Page 1: Network Security Lecture 1:  Introduction Attacks and Risks

Network Security

Lecture 1:

Introduction

Attacks and Risks

Prof. Reuven Aviv

Faculty of Information Technology

King Mongkut’s University Of Technology, North Bangkok

[email protected]

Page 2: Network Security Lecture 1:  Introduction Attacks and Risks

Prelude

11 August 2003

The Worm MSBlast Attack

What happened? How?

Page 3: Network Security Lecture 1:  Introduction Attacks and Risks

11.8.2003: MSBlast DDoS Attack

[Diagram: attacker -> Targets -> victim (Windows.update.com)]

Page 4: Network Security Lecture 1:  Introduction Attacks and Risks

MSBlast last step: IP Spoofing & SYN Flood

1. Target knows that host XX is not working.
2. Target starts establishing a TCP connection with Victim, spoofing its IP address to XX.

[Diagram: XX, Target, Victim. Labels: (1); (2) SYN(src=XX); (3) SYN(Src = T, Dest = XX)]

Page 5: Network Security Lecture 1:  Introduction Attacks and Risks

MSBlast: The infection process

Ensure you run again when Windows starts. How?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows auto update" = MBLASTER.EXE

Scan addresses for Targets with open port 135
Send buffer overflow packet to Target, port 135
Target waits for commands on port 4444
Command Target: download copy of MSBlaster
Command Target: run the copy
Target repeats: contacts other target, restarts

Page 6: Network Security Lecture 1:  Introduction Attacks and Risks

MSBlast: Summary of used techniques

Denial of Service Attack, using SYN flood

IP Spoofing

Scanning (Addresses, ports)

Application Layer Attack (Buffer Overflow)

Side effect: attacked computers were shutdown

Page 7: Network Security Lecture 1:  Introduction Attacks and Risks

Course objectives

Recognize the internal working of security protocols and systems, their design considerations, and the way they are employed in organizations and in the Internet.

Have a deep understanding of application level attacks and defense mechanisms against them.

Be able to learn and master security topics now being researched.

Page 8: Network Security Lecture 1:  Introduction Attacks and Risks

Course Components

Lectures: Active Discussions 15%

2-3 Problem Sets (individual submission) 15%

Attack Code Analysis Report (Team of 2) 15%

Research Project (Team of 2) 15%

Term Test (Open Books) 15%

Final Exam (Open Books) 15%

Page 9: Network Security Lecture 1:  Introduction Attacks and Risks

Class Discussions

1. Attacks, Risks, Defense
2. Buffer Overflow Attack
3-4. Classic & Public Key Cryptography
5. X.509 Public Key Infrastructure (PKI)
6. Strong Password Authentication Protocols
7. Web Security using SSL/TLS
8. Kerberos Authentication System
9. IP Security (IPSec)
10. Electronic Mail Security with PGP
11. OS Security: SE Linux
12. Firewall Design
13-14. Multi-layer security

Page 10: Network Security Lecture 1:  Introduction Attacks and Risks

Team Assignments

Attack Code Analysis Report (Team of 2) 15%

Analyzing buffer overflow attack

Problems for attacker & solutions

Problems for the defender & solutions

Research Project (Team of 2) 15%

Topic selected by team

Written report & presentation of sub-topic

READ POLICY OF AUTHENTICITY

Page 11: Network Security Lecture 1:  Introduction Attacks and Risks

1. Network Insecurity

2. Security Services

Appendix: Preview of next lectures

Lecture 1: Attacks, Mitigation Services

Page 12: Network Security Lecture 1:  Introduction Attacks and Risks

1. Network Insecurity

Page 13: Network Security Lecture 1:  Introduction Attacks and Risks

The need for security

The Internet is constantly changing the way we live and conduct business.

Hackers pose an increasing threat to Internet resources with several different types of attacks.

Why are attacks easier today?

Page 14: Network Security Lecture 1:  Introduction Attacks and Risks

The need for security

Attacks: more prolific and easier to implement
More vulnerable devices
Easier to share knowledge on a global scale
Easier to develop hacking applications
Easy-to-use hack applications are distributed to the masses
Internet Protocols are insecure

Examples? Why are Internet Protocols insecure?

Page 15: Network Security Lecture 1:  Introduction Attacks and Risks

Insecurity of Internet protocols

Examples of lack of security in Internet Protocols

IP: no check whether source addresses are true

TCP: no check for intentional delay of packets

Security was not designed into the specification of the Internet Protocols

Nobody predicted its widespread use

Page 16: Network Security Lecture 1:  Introduction Attacks and Risks

Insecurity of Internet protocols

Most IP implementations are inherently insecure.

Various attacks are possible

Give some types of attacks you have heard of

Page 17: Network Security Lecture 1:  Introduction Attacks and Risks

1. Sniffer attacks

An application capturing network packets.

Some data is cleartext (Telnet, FTP, SMTP)

Sensitive information: usernames, passwords

How are these mitigated?

Page 18: Network Security Lecture 1:  Introduction Attacks and Risks

1. Sniffer attacks: Mitigation

Strong Authentication with one-time passwords (OTPs):
a PIN & OTP created by a Hw/Sw Token card

Antisniffer: detect changes in the response time of hosts

Cryptography: the most effective method.
Copied info is then useless.
Used by IPSec, SSL, SSH.

Page 19: Network Security Lecture 1:  Introduction Attacks and Risks

2. IP Spoofing Attack

Use a trusted, forged IP address to attack: injection of malicious packets

Mitigation by Filtering (Router, Firewall):
deny traffic with an "illegal" source address in both directions

ISP checks addresses of inbound data

Enforce authentication of the sender. Why? How?
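The filtering rule on this slide ("deny traffic with an illegal source address in both directions") is what ingress/egress filtering at a border router does. The following is an added example, not code from the lecture: a small Python model of such a filter. The internal block 192.0.2.0/24 and the bogon list are constructed values for the example.

```python
import ipaddress

# Constructed example: the site's own address block (hypothetical).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Address ranges that must never appear as a source on the public side
# (unspecified, loopback, private, link-local, multicast).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(direction, src):
    """Return 'accept' or 'drop' for a packet seen at the border router.

    direction: 'in'  = arriving from the Internet
               'out' = leaving towards the Internet
    src:       source IP address carried in the packet header
    """
    addr = ipaddress.ip_address(src)
    if direction == "in":
        # An inbound packet claiming one of our own addresses, or a bogon
        # address, cannot be genuine: its source field is spoofed.
        if _in_any(addr, INTERNAL_NETS) or _in_any(addr, BOGON_NETS):
            return "drop"
        return "accept"
    if direction == "out":
        # Outbound packets must carry one of our own addresses, so hosts
        # inside cannot take part in spoofed floods against others.
        return "accept" if _in_any(addr, INTERNAL_NETS) else "drop"
    raise ValueError("direction must be 'in' or 'out'")


def run_demo():
    # Constructed packets: (direction, source address)
    packets = [
        ("in", "198.51.100.7"),   # ordinary external source
        ("in", "192.0.2.55"),     # claims to be one of ours: spoofed
        ("in", "10.1.1.1"),       # private address on the public side
        ("out", "192.0.2.9"),     # our host talking out
        ("out", "203.0.113.4"),   # inside host sending with a foreign source
    ]
    return [(d, s, filter_packet(d, s)) for d, s in packets]


if __name__ == "__main__":
    for direction, src, verdict in run_demo():
        print(f"{direction:3} {src:15} -> {verdict}")
```

The two directions matter for different reasons: the inbound rule protects this site from packets pretending to come from inside, while the outbound rule keeps this site from being the source of spoofed traffic against others.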

Page 20: Network Security Lecture 1:  Introduction Attacks and Risks

3. Denial of Service (DOS) Attacks

Making a service unavailable for normal use

Flooding the network: TCP SYN, ICMP

DOS attacks exploit weaknesses in the overall architecture of the network

E.g. waiting for a connection to be opened

E.g. error/congestion notification procedures via ICMP

What is ICMP?

Page 21: Network Security Lecture 1:  Introduction Attacks and Risks

Simple DOS attack: SMURF

[Diagram: ping = ICMP echo request / ICMP echo reply. The attacker sends an ICMP echo request to a broadcast address with the "from" address set to the victim; ICMP echo replies from all hosts go to the victim.]

What can we do to mitigate DOS?

Page 22: Network Security Lecture 1:  Introduction Attacks and Risks

3. Denial of Service (DOS) Attacks: Mitigation

Require authentication: if hackers cannot mask their identities, they might not attack.

Anti-DoS features limit the number of half-open connections that a system allows open at any given time. Done at edge routers.

Traffic rate limiting: collaborating with the ISP to reduce unusual traffic

What are password attacks?
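The second mitigation above, limiting the number of half-open connections, is easiest to see in code. This is an added example, not from the lecture: a Python model of a half-open (SYN-received) connection table that caps entries per source and expires stale ones, so a SYN flood from one source cannot exhaust the table while a legitimate client still completes its handshake. The limit and timeout values are constructed for the example.

```python
MAX_HALF_OPEN_PER_SRC = 5     # constructed limit per source address
HALF_OPEN_TIMEOUT = 3.0       # seconds a SYN may wait for its ACK (constructed)


class HalfOpenTable:
    """Tracks connections that received a SYN but not yet the final ACK."""

    def __init__(self):
        self.pending = {}       # (src, sport) -> time the SYN was seen
        self.rejected = 0       # SYNs refused because the source hit its cap
        self.established = 0    # handshakes completed

    def _expire(self, now):
        # Drop entries whose SYN was never followed by an ACK in time.
        stale = [k for k, t in self.pending.items() if now - t > HALF_OPEN_TIMEOUT]
        for key in stale:
            del self.pending[key]

    def _count_for(self, src):
        return sum(1 for (s, _) in self.pending if s == src)

    def on_syn(self, now, src, sport):
        """Return True if the SYN is accepted into the half-open table."""
        self._expire(now)
        if self._count_for(src) >= MAX_HALF_OPEN_PER_SRC:
            self.rejected += 1
            return False
        self.pending[(src, sport)] = now
        return True

    def on_ack(self, now, src, sport):
        """Complete the handshake; return True if a matching SYN was pending."""
        if self.pending.pop((src, sport), None) is not None:
            self.established += 1
            return True
        return False


def run_demo():
    # Constructed traffic: one flooding source sends 20 SYNs and never ACKs,
    # one legitimate client sends a SYN and completes the handshake.
    tbl = HalfOpenTable()
    for i in range(20):
        tbl.on_syn(0.0, "203.0.113.5", 40000 + i)
    tbl.on_syn(0.1, "198.51.100.2", 5000)
    tbl.on_ack(0.2, "198.51.100.2", 5000)
    flood_left = len(tbl.pending)
    # After the timeout the flood's entries are gone and the table is free again.
    tbl.on_syn(4.0, "203.0.113.5", 50000)
    return {
        "rejected": tbl.rejected,
        "established": tbl.established,
        "half_open_during_flood": flood_left,
        "half_open_after_timeout": len(tbl.pending),
    }


if __name__ == "__main__":
    print(run_demo())
```

Without the per-source cap the same 20 SYNs would occupy 20 slots until they timed out; with it the flood holds at most 5, and the legitimate client's handshake completes unaffected.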

Page 23: Network Security Lecture 1:  Introduction Attacks and Risks

4. Password attacks

Repeated attempts to identify a user account / password, e.g. during login

Tool: nat

Page 24: Network Security Lecture 1:  Introduction Attacks and Risks

4. Password attacks: Reducing/Elimination

Limit the number of password guesses
Send hashed password over the net
Use One Time Password
Enforce strong passwords:
by education
by password cracking or strength-assessing software

Authenticate user/process not by password:
use certificate/ticket based cryptographic authentication

Page 25: Network Security Lecture 1:  Introduction Attacks and Risks

5. Man in the middle attack

Hacker accesses network packets. How?

Packets can be copied, destroyed, delayed, reordered

Packets can be replayed, with forged sender or contents

What are the damages?

Page 26: Network Security Lecture 1:  Introduction Attacks and Risks

5. Man in the middle attack: damages

theft / change / insertion of information

Session hijacking to gain access to a network

By forging identities (IP addresses and ports)

denial of service (by replaying)

impersonate one or both communicating parties

How to mitigate MIM attacks?

Page 27: Network Security Lecture 1:  Introduction Attacks and Risks

5. Mitigating M.I.M attacks: Cryptography

Copies of encrypted data: meaningless

Destruction, replaying & reordering are eliminated by sequence numbers, timestamps or nonces in the cryptographic envelopes of the data

Forging of the sender and/or the data is eliminated by authentication (signatures)

Page 28: Network Security Lecture 1:  Introduction Attacks and Risks

6. Application Layer attacks

Exploit weaknesses in servers (RPC, HTTP…)

Force the remote server to invoke a certain program

Send a "buffer overflow": replaces the server by a shell

Via ports that are allowed through a firewall

Shell with the same permissions as the server

Shell waiting for commands

Page 29: Network Security Lecture 1:  Introduction Attacks and Risks

Buffer Overflow: Overflowing the stack on victim

Page 30: Network Security Lecture 1:  Introduction Attacks and Risks

Sending buffer overflow to remote IIS

IIS now waits on port 2002 for commands

Page 31: Network Security Lecture 1:  Introduction Attacks and Risks

Taking full control of Victim

How to mitigate application layer attacks?

Page 32: Network Security Lecture 1:  Introduction Attacks and Risks

6. Application Layer attacks: Mitigation

Firewall: close ports

Proper system administration: patches, log files…

Intrusion detection systems (IDSs): HIDS/NIDS
Identifying patterns of SysCalls / streams of packets
Create alarms

Page 33: Network Security Lecture 1:  Introduction Attacks and Risks

7. Network Reconnaissance Attacks

First step of any attack: analyze the target network

1. DNS queries: owner, addresses, topology

2. Ping sweeps: live hosts

3. Port scanning: list of services running

4. Examine servers: version, fixes, bugs

PARTIAL DEFENCE

Filter packets, identify scans

Use IDS to identify the signature of reconnaissance scans
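The "partial defence" above relies on an IDS recognising the signature of a scan. As an added example (not part of the lecture), the Python below implements the simplest such signature: one source touching many distinct destination ports within a short window. The log format, thresholds and sample lines are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <src> -> <dst>:<port> SYN"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) SYN$")

SCAN_PORT_THRESHOLD = 10   # distinct destination ports from one source ...
SCAN_WINDOW_SECONDS = 60   # ... within this many seconds (constructed values)

# Constructed sample log: a scanner walks ports 1..12 one second apart,
# a normal client talks to 80 and 443, and one line is malformed.
SAMPLE_LOG = [
    f"2003-08-11T10:00:{i:02d} 203.0.113.9 -> 192.0.2.10:{port} SYN"
    for i, port in enumerate(range(1, 13))
] + [
    "2003-08-11T10:00:05 198.51.100.4 -> 192.0.2.10:80 SYN",
    "2003-08-11T10:00:07 198.51.100.4 -> 192.0.2.10:443 SYN",
    "2003-08-11T10:00:09 198.51.100.4 -> 192.0.2.10:80 SYN",
    "2003-08-11T10:00:06 this line does not parse",
]


def parse(line):
    """Return (timestamp, src, dst, port) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_scans(lines):
    """Map each source that looks like a port scanner to the largest number
    of distinct ports it touched inside any SCAN_WINDOW_SECONDS window."""
    events = defaultdict(list)          # src -> [(timestamp, port), ...]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                    # skip unparseable lines, never crash the detector
        ts, src, _dst, port = rec
        events[src].append((ts, port))

    alerts = {}
    for src, evs in events.items():
        evs.sort()                      # time order, so a sliding window works
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > SCAN_WINDOW_SECONDS:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= SCAN_PORT_THRESHOLD:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


if __name__ == "__main__":
    for src, n in detect_scans(SAMPLE_LOG).items():
        print(f"ALERT possible port scan from {src}: {n} distinct ports")
```

Counting distinct ports rather than raw packets is what separates a scan from a busy but legitimate client, which reuses the same few ports; the threshold and window are the tuning knobs a real IDS signature exposes.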

Page 34: Network Security Lecture 1:  Introduction Attacks and Risks

Ping: Is Target running?

Tool: Sam Spade

Page 35: Network Security Lecture 1:  Introduction Attacks and Risks

Port Scanning: Which ports are active?

Tool: SuperScan

Page 36: Network Security Lecture 1:  Introduction Attacks and Risks

8. Malicious Code

Worms, Viruses, Backdoors, ...

Run by itself, by a "host program", or waiting to be connected to. Creating damage.

Mitigation:

Antivirus software

Download signed software from developers certified by acceptable Certificate Authorities

Page 37: Network Security Lecture 1:  Introduction Attacks and Risks

Attacks Scenarios

Reconnaissance

Application Layer Attack

DOS Attack

Trust Exploit Attack

Packet Sniffing

Password Attack

Unauthorized Access

Man in the Middle

Malicious Code

Page 38: Network Security Lecture 1:  Introduction Attacks and Risks

2. Security Services

What types of services do we need?

Page 39: Network Security Lecture 1:  Introduction Attacks and Risks

Complexities of Security

Requirements are simple: Confidentiality, Authentication, Integrity, Non-repudiation. What are these?

Algorithms are non-intuitive, due to hostile actions and countermeasures!

Where are the algorithms to be used? Workstations? Routers?

Possession of secret information is essential. How to create, distribute and protect secrets?

Page 40: Network Security Lecture 1:  Introduction Attacks and Risks

Security Services: Confidentiality

Keeping private data private

protection from passive attacks

part of or all the information flow

Service provision. how?

End stations encrypt and decrypt data

Intermediate routers encrypt and decrypt data

Page 41: Network Security Lecture 1:  Introduction Attacks and Risks

Security Services: Authentication

Protection from masquerading/impersonation

Assure that messages are really from the entity that claims to have sent them

Service provision examples: how?

Sender: transmit a "certificate" to the receiver

An authentication server transmits a "proof of identity" ticket to the sender, who presents it to the receiver (Kerberos)

Page 42: Network Security Lecture 1:  Introduction Attacks and Risks

Security Services: Integrity

Protection from data modification attacks

Service provision examples: how?

The sender attaches to the message a secret "message digest", like a parity bit or CRC
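The word "secret" on this slide is the whole point: a parity bit or CRC detects accidental corruption, but anyone who modifies the message can recompute it. An added example (not from the lecture) contrasting a plain CRC-32 with a keyed digest (HMAC-SHA256, from Python's standard library); the key and messages are constructed.

```python
import hashlib
import hmac
import zlib


def crc_tag(message: bytes) -> int:
    """Unkeyed integrity check: anyone can compute it."""
    return zlib.crc32(message)


def crc_check(message: bytes, tag: int) -> bool:
    return zlib.crc32(message) == tag


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed message digest: only holders of the key can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_check(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(hmac_tag(key, message), tag)


def demo():
    key = b"shared-secret-for-this-example"        # constructed key
    original = b"transfer 100 to account 42"       # constructed message
    modified = b"transfer 900 to account 42"       # the same message, altered in transit

    results = {}

    # With a CRC the modifier simply recomputes the checksum for the new text,
    # so the receiver's check passes: the CRC detects noise, not tampering.
    results["crc_accepts_modified"] = crc_check(modified, crc_tag(modified))

    # With an HMAC the tag was made with the key; the receiver accepts the
    # original but rejects the altered message carrying the original's tag.
    tag = hmac_tag(key, original)
    results["hmac_accepts_original"] = hmac_check(key, original, tag)
    results["hmac_accepts_modified"] = hmac_check(key, modified, tag)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The HMAC gives the integrity service described here; it does not give non-repudiation, because both sender and receiver hold the same key and either could have produced the tag. That is what the signature service on the following slides adds.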

Page 43: Network Security Lecture 1:  Introduction Attacks and Risks

Security Services: Non Repudiation

Protection from possible future denial of responsibility for sending a previous message

Service provision example: how?

Sender adds to the message a "signature" that depends on a secret known only to the sender

In court, the sender cannot deny his signature: his "certificate" proves that he knows the secret, and the Certificate Authority testifies that it issued only one certificate, to the sender

Page 44: Network Security Lecture 1:  Introduction Attacks and Risks

Models for Information Security 1

Secure information in transit. Use trusted parties (Certificate Authority)

Page 45: Network Security Lecture 1:  Introduction Attacks and Risks

Models for network security 2

Secure the gate. Use trusted parties (the ISP)

Page 46: Network Security Lecture 1:  Introduction Attacks and Risks

Summary

The Internet is where our life is

The Internet is not safe

Major risks are theft of proprietary information and financial fraud

We need secure communication in a hostile environment

The key ingredient of secure communication is cryptography

Page 47: Network Security Lecture 1:  Introduction Attacks and Risks

3. Preview of next lectures

Page 48: Network Security Lecture 1:  Introduction Attacks and Risks

2. Application Layer Attacks: Overflowing the stack

Page 49: Network Security Lecture 1:  Introduction Attacks and Risks

3. Conventional Encryption

Transformation: permutations & substitutions

Page 50: Network Security Lecture 1:  Introduction Attacks and Risks

4. Authentication by Digital Signature

Alice: Create H, the hash of message M. Create E: encrypt H with her private key. Send M and E. E is the "signature of Alice".

Bob: Create H, the hash of message M. Decrypt E with the public key of Alice to get H'. Compare H with H'. If they match, the signature is verified.

[Diagram: Alice -> Bob]
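The hash-then-sign procedure on this slide, carried out in Python as an added example (not the lecture's own code). It follows the slide literally, "encrypting" the hash with the private exponent and "decrypting" with the public one, using textbook RSA. The key pair is built from two known Mersenne primes so the arithmetic is reproducible without a prime generator; that choice, and the absence of padding, make it a toy for illustration only, not a key anyone should use.

```python
import hashlib

# Toy key pair from two known Mersenne primes (2^521 - 1 and 2^127 - 1).
# Chosen only so the example is deterministic; real keys use random primes
# of at least 1024 bits each and a padding scheme such as PSS.
P = (1 << 521) - 1
Q = (1 << 127) - 1
N = P * Q                       # ~648-bit modulus, comfortably above 2^256
E = 65537                       # public exponent (coprime to PHI for these primes)
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)             # private exponent, modular inverse (Python 3.8+)

PUBLIC_KEY = (N, E)             # what Alice publishes (in her certificate)
PRIVATE_KEY = (N, D)            # what only Alice knows


def digest(message: bytes) -> int:
    """H: SHA-256 of M as an integer. It is below 2^256 < N, so it is a
    unique residue modulo N and no truncation is needed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """Alice: E = H 'encrypted' with her private key."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Bob: recompute H, 'decrypt' E with Alice's public key to get H',
    and accept only if H == H'."""
    n, e = public_key
    h_prime = pow(signature, e, n)
    return h_prime == digest(message)


def demo():
    m = b"Alice owes Bob 10 coins"             # constructed message
    sig = sign(PRIVATE_KEY, m)
    return (
        verify(PUBLIC_KEY, m, sig),            # genuine: True
        verify(PUBLIC_KEY, m + b"0", sig),     # message altered: False
        verify(PUBLIC_KEY, m, sig + 1),        # signature altered: False
    )


if __name__ == "__main__":
    genuine, altered_msg, altered_sig = demo()
    print("genuine message verifies:", genuine)
    print("altered message verifies:", altered_msg)
    print("altered signature verifies:", altered_sig)
```

Hashing first is what makes the scheme practical (one modular exponentiation regardless of message size) and is also what binds the signature to the exact message: changing a single byte of M changes H, so H' no longer matches.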

Page 51: Network Security Lecture 1:  Introduction Attacks and Risks

5. X.509 Certificate

Algorithm used to sign this certificate (by the CA) and its parameters

Name of Certificate Authority (CA) issuing this certificate

Name of holder (subject) of this certificate

Public key of subject

Signature of issuer: hash of the other fields, encrypted with the CA private key

Page 52: Network Security Lecture 1:  Introduction Attacks and Risks

7. Web Security

Uses Secure Socket Layer (SSL/TLS), a layer above TCP

1. SSL session is established: cryptographic algorithms negotiated, certificates presented, shared master key established, session keys derived

2. Secured data transmission

Page 53: Network Security Lecture 1:  Introduction Attacks and Risks


8. Kerberos Authentication System

Page 54: Network Security Lecture 1:  Introduction Attacks and Risks

9. IP Security: general mechanism in the Internet, implemented in firewalls/routers

Page 55: Network Security Lecture 1:  Introduction Attacks and Risks

11. OS Security (SE Linux Architecture)

Object Managers observe access requests from processes, send consultation requests to the Security Server, get decisions, and enforce access
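The split described above (object managers enforce, the security server decides) is the essential idea of the SE Linux architecture. This added Python sketch, not from the lecture and not SE Linux code, models it: a security server that answers type-enforcement queries from a toy policy, and a file object manager that never interprets policy itself but only asks, records and enforces. Policy types and rules are constructed for the example.

```python
# Constructed toy type-enforcement policy: (subject type, object type, class) -> allowed permissions.
POLICY = {
    ("httpd_t", "httpd_content_t", "file"): {"read", "getattr"},
    ("httpd_t", "httpd_log_t", "file"): {"append", "getattr"},
}


class SecurityServer:
    """Holds the policy and answers yes/no to access queries. It touches no objects."""

    def __init__(self, policy):
        self.policy = policy

    def decide(self, subject_type, object_type, obj_class, permission):
        allowed = self.policy.get((subject_type, object_type, obj_class), set())
        return permission in allowed


class FileObjectManager:
    """Mediates every access to its objects (files). It knows nothing about
    why an access is allowed; it consults the security server and enforces
    the answer, keeping an audit record either way."""

    def __init__(self, server):
        self.server = server
        self.audit = []

    def access(self, process, file_obj, permission):
        decision = self.server.decide(process["type"], file_obj["type"], "file", permission)
        self.audit.append(("granted" if decision else "denied",
                           process["type"], file_obj["type"], permission))
        return decision


def run_demo():
    server = SecurityServer(POLICY)
    files = FileObjectManager(server)
    httpd = {"pid": 1234, "type": "httpd_t"}                     # constructed process
    page = {"path": "/var/www/index.html", "type": "httpd_content_t"}   # constructed objects
    log = {"path": "/var/log/httpd/access_log", "type": "httpd_log_t"}
    return {
        "read_page": files.access(httpd, page, "read"),
        "write_page": files.access(httpd, page, "write"),     # not in policy: denied
        "append_log": files.access(httpd, log, "append"),
        "read_log": files.access(httpd, log, "read"),         # not in policy: denied
        "audit": files.audit,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Because the decision logic lives in one place, changing the policy (for instance, revoking write access for a compromised service) needs no change to any object manager, and every object manager enforces the same policy consistently.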

Page 56: Network Security Lecture 1:  Introduction Attacks and Risks

12. Firewall Systems

Traffic from the Internet to the Bastion host: allowed
Traffic from the Bastion host to the Internet: allowed
Everything else: denied
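The three-line policy above is a complete first-match rule set with a default-deny. As an added example (not from the lecture), the Python below evaluates packets against exactly those rules; the bastion address and internal block are constructed, and "Internet" is taken to mean any address outside the internal block.

```python
from ipaddress import ip_address, ip_network

BASTION = ip_address("192.0.2.10")       # constructed address of the bastion host
INTERNAL = ip_network("192.0.2.0/24")    # constructed internal block; everything else is "the Internet"

# Rules are evaluated top to bottom; the first one that matches decides.
RULES = [
    # Internet -> bastion: allowed
    ("allow", lambda p: p["dst"] == BASTION and p["src"] not in INTERNAL),
    # bastion -> Internet: allowed
    ("allow", lambda p: p["src"] == BASTION and p["dst"] not in INTERNAL),
]
DEFAULT = "deny"     # everything else: denied


def decide(packet):
    """Return 'allow' or 'deny' for a packet given as {'src': ..., 'dst': ...}."""
    for action, matches in RULES:
        if matches(packet):
            return action
    return DEFAULT


def mk(src, dst):
    return {"src": ip_address(src), "dst": ip_address(dst)}


def run_demo():
    # Constructed packets covering each case the slide lists.
    cases = {
        "internet_to_bastion": mk("198.51.100.7", "192.0.2.10"),
        "bastion_to_internet": mk("192.0.2.10", "198.51.100.7"),
        "internet_to_internal_host": mk("198.51.100.7", "192.0.2.20"),
        "internal_host_to_internet": mk("192.0.2.20", "198.51.100.7"),
        "internal_host_to_bastion": mk("192.0.2.20", "192.0.2.10"),
    }
    return {name: decide(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28} {verdict}")
```

Note that the last case, an internal host reaching the bastion, is denied too: the slide's policy only speaks about the Internet side, and a default-deny rule set refuses anything the rules do not explicitly allow. A real deployment would add that internal rule deliberately rather than rely on the default.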

Page 57: Network Security Lecture 1:  Introduction Attacks and Risks

13-14. Multi-Layer Defense: Corporate Internet Module

[Diagram: Corporate Internet Module with numbered components 1 to 5]

Page 58: Network Security Lecture 1:  Introduction Attacks and Risks

13-14. Multi-Layer Defense: VPN & Remote Access Module

[Diagram: VPN & Remote Access Module with numbered components 1 to 4]