Unwanted Network Traffic: Threats and Countermeasures CS 3251 Prof. Nick Feamster November 13, 2006
What is “Network Security”?
• Confidentiality: Preventing eavesdropping
– E-commerce
– Voice over IP
• Integrity: Ensuring data is unchanged in transit
– Similar applications as above
• Anonymity: Cloaking the identity of the communicating parties
• Auditing: Finding out what happened, after the fact
• Unwanted traffic prevention (the focus of this lecture)
Some Questions
• What percentage of email traffic is spam?
– About 85% as of January 2006 [maawg.org]
• How frequent are phishing attacks?
– About 1,000 per day [antiphishing.org]
• How frequent are denial-of-service attacks?
– About 4,000 per week, as of 2001 [caida.org]
• Which country hosts the most spam and phishing attacks?
– United States
Unwanted Traffic Security Products
Ironport C600: Spam Filtering
• Lots of spam
• Fast detection
• Changing techniques and characteristics
Arbor Peakflow SP: Traffic Monitoring
• Large volumes of traffic
• Fast detection
• Changing techniques and characteristics
Two Facets
• Host-based: Safeguarding hosts
– Protecting the end hosts from attack
– Protecting hosts from generating unwanted traffic
– A losing battle…
• Network-based: Safeguarding pipes
– Keeping bad traffic off the network
– The ultimate goal is often still to protect hosts
– Also, keeping the pipes themselves clean
All about the network: security increasingly depends on safeguarding the pipes.
Types of Unwanted Traffic
• Denial of service
• Spam
• Phishing
• Click fraud
• …
How is unwanted traffic generated?
Denial of Service: The Old Days
• A single host “floods” the link or service
• Can attack various resources
– Bandwidth
– Number of open connections (e.g., TCP SYN flood: the attacker sends a stream of SYNs and never completes the handshake, so the victim’s table of half-open connections fills up)
– Server computational power (e.g., TLS/SSL connection attack: the attacker sends one ClientHello after another, and each one costs the server expensive cryptographic work)
[Figure: TCP SYN flood attack (attacker sends SYN, SYN, SYN… to the victim) beside a TLS/SSL connection attack (attacker sends ClientHello, ClientHello, ClientHello… to the victim)]
Attacker exhausts the victim’s resources without spending much of its own.
Characteristics
• Asymmetry
– More expensive for the receiver to process than for the attacker to send
• Source IP addresses can be spoofed
– Difficult to trace the attack back to its origin
Restore Symmetry: TCP SYN Cookies
• Client sends SYN (carrying its own initial sequence number)
• Server responds with a SYN-ACK whose sequence number is a cookie
– sqn = f(src addr, src port, dest addr, dest port, coarse timestamp, server secret)
– Server saves no state for the half-open connection
• Honest client responds with ACK(sqn + 1)
• Server recomputes f over the same inputs and compares
• If the ACK matches the SYN-ACK cookie, the server allocates state and establishes the connection; a spoofed SYN never produces a valid ACK, so it costs the server only one hash computation and no memory
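The handshake above, as an added worked example (not code from the lecture): a stateless server that issues and verifies SYN cookies. The cookie layout (5 bits of time counter, 3 bits of MSS index, 24 bits of keyed hash), the HMAC-SHA-256 construction, the secret, the MSS table and all addresses are this example's own choices, not anything the slides specify.

```python
import hashlib
import hmac
import struct

# Server-side secret; constructed for this example (a real server rotates it).
SECRET = b"example-syn-cookie-secret"

# MSS values a cookie can remember, selected by the 3 MSS bits of the cookie.
MSS_TABLE = (536, 1300, 1440, 1460)


def _mac24(src_ip, src_port, dst_ip, dst_port, counter):
    """Keyed hash over the connection 4-tuple and a coarse time counter, truncated to 24 bits."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & 0xFFFFFF


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, counter):
    """Server side of step 2: the SYN-ACK sequence number *is* the cookie.
    Layout: bits 31..27 = counter mod 32, bits 26..24 = MSS index, bits 23..0 = MAC.
    Nothing is stored on the server."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    mac = _mac24(src_ip, src_port, dst_ip, dst_port, counter)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, counter, max_age=2):
    """Server side of step 3: validate the client's ACK (ack = cookie + 1).
    Accepts cookies minted in the current or the previous max_age-1 counter ticks.
    Returns (True, mss) for a genuine ACK, (False, None) otherwise."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter_bits = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return (False, None)
    received = (cookie & 0xFFFFFF).to_bytes(3, "big")
    for age in range(max_age):
        c = counter - age
        if (c & 0x1F) != counter_bits:
            continue
        expected = _mac24(src_ip, src_port, dst_ip, dst_port, c).to_bytes(3, "big")
        if hmac.compare_digest(expected, received):
            return (True, MSS_TABLE[mss_idx])
    return (False, None)


def simulate(counter):
    """10,000 spoofed SYNs (addresses constructed) each cost the server one MAC and
    leave no state; the one honest client completes the handshake."""
    established = []
    for i in range(10000):
        make_cookie(f"203.0.113.{i % 256}", 1024 + i, "192.0.2.10", 80, 1460, counter)
    cookie = make_cookie("198.51.100.7", 40000, "192.0.2.10", 80, 1460, counter)
    ok, mss = check_cookie("198.51.100.7", 40000, "192.0.2.10", 80,
                           (cookie + 1) & 0xFFFFFFFF, counter)
    if ok:
        established.append(("198.51.100.7", 40000, mss))
    return established
```

The price of statelessness is visible in the layout: only 3 bits are left for the MSS and nothing for other SYN options, and a cookie older than max_age counter ticks is rejected, which is why real stacks enable SYN cookies only once the backlog is full.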
Mitigation: Traceback (2 Techniques)
• Hash-based traceback
– State in routers: each router logs digests of the packets it forwards, and the victim later asks the routers whether they saw a given attack packet
• Probabilistic packet marking
– State in packets: each router occasionally writes its identity into a header field, and the victim reconstructs the path from many marked packets
[Figure: attacker A reaches victim V through a tree of routers R1–R7; the traceback problem is to recover the path A → … → V from the packets V received]
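Both techniques, as an added example that is not part of the lecture. The first half simulates the simplest probabilistic packet marking scheme (node sampling: every router overwrites a single mark field with probability p) and shows how the victim orders routers by mark frequency; the second half models hash-based traceback with a Bloom filter per router. Router names, packet contents, the sampling probability and the filter sizes are constructed for the example; real schemes (e.g. edge sampling, or hashing only the invariant header fields) differ in detail.

```python
import hashlib
import random
from collections import Counter


# ---- Probabilistic packet marking (state in packets) ------------------------

def mark_packets(path, n_packets, p, rng):
    """Node sampling: each router on `path` (ordered attacker -> victim)
    overwrites the packet's mark field with its own address with probability p.
    Returns one mark per packet (None if no router marked it)."""
    marks = []
    for _ in range(n_packets):
        mark = None
        for router in path:
            if rng.random() < p:
                mark = router
        marks.append(mark)
    return marks


def expected_fraction(p, d):
    """Probability that the router d hops from the victim is the last one to mark: p(1-p)^(d-1)."""
    return p * (1 - p) ** (d - 1)


def reconstruct_path(marks):
    """Victim side: the marking fraction falls geometrically with distance, so
    sorting routers by mark count orders the path from the victim outward.
    Returns (path in attacker -> victim order, counts)."""
    counts = Counter(m for m in marks if m is not None)
    nearest_first = [router for router, _ in counts.most_common()]
    return list(reversed(nearest_first)), counts


def demo_ppm(seed=7, n_packets=20000, p=0.3):
    rng = random.Random(seed)                      # seeded so the run is reproducible
    true_path = ["R1", "R2", "R3", "R4"]           # R4 is adjacent to the victim
    marks = mark_packets(true_path, n_packets, p, rng)
    path, counts = reconstruct_path(marks)
    return path, counts, marks.count(None) / n_packets


# ---- Hash-based traceback (state in routers) ---------------------------------

class RouterDigestLog:
    """Each router keeps a Bloom filter of digests of forwarded packets
    (simplified: the whole packet is hashed and the filter is never aged out)."""

    def __init__(self, name, n_bits=1 << 16, n_hashes=3):
        self.name, self.n_bits, self.n_hashes = name, n_bits, n_hashes
        self.bits = bytearray(n_bits // 8)

    def _positions(self, packet):
        digest = hashlib.sha256(packet).digest()
        for i in range(self.n_hashes):
            h = hashlib.sha256(digest + bytes([i])).digest()
            yield int.from_bytes(h[:4], "big") % self.n_bits

    def record(self, packet):
        for pos in self._positions(packet):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def seen(self, packet):
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(packet))


def hash_traceback(routers, attack_packet):
    """The victim hands one attack packet to every router; those whose filters
    contain it form the path. Bloom filters can give false positives, never
    false negatives, so the answer is a superset of the true path."""
    return [r.name for r in routers if r.seen(attack_packet)]


def demo_hash_traceback():
    routers = [RouterDigestLog(n) for n in ("R1", "R2", "R3", "R4", "R5")]
    attack = b"IP header + payload of one attack packet (constructed)"
    for r in routers[:4]:            # R5 is off-path and only saw other traffic
        r.record(attack)
    routers[4].record(b"some unrelated packet")
    return hash_traceback(routers, attack)
```

With p = 0.3 the router next to the victim is the final marker in 30% of packets, the next one in 21%, then 14.7% and 10.3%, and 24% of packets arrive unmarked; 20,000 packets separate those counts comfortably, but with only a few dozen packets the ordering is unreliable, which is why marking only helps against sustained floods.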
Technique du Jour: Distribution
• Distributed denial-of-service (DDoS) attacks
• Attacks on Yahoo, eBay, Amazon (February 2000) took the sites down for several hours
[Figure: a “command and control” channel directs many compromised hosts, each sending a SYN flood at the victim]
Recurring Technique: Amplification
Main idea
• Send a small amount of traffic to a host, with the source address spoofed to the victim
• The host replies with a much larger amount of traffic, addressed to the victim
Examples
• Late 1990s: Smurf attacks (ICMP echo requests sent to a broadcast address; every host on that subnet replies to the victim)
• June 2006: DNS reflection attacks: amplification + distribution
– Amplification: small queries, large responses
– Use open recursive DNS servers as reflectors
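The amplification arithmetic for DNS, as an added example (not from the lecture) that builds real wire-format messages: a small TXT query, optionally with an EDNS0 OPT record advertising a large UDP payload, and the oversized answer it provokes. The domain name, the record contents and the simplified resolver behaviour (truncate by dropping the answer when the reply would exceed the advertised payload) are this example's assumptions.

```python
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1


def encode_name(name):
    """Wire-format domain name: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, edns_payload=None):
    """A recursive query. With edns_payload set, an OPT record advertises that
    the sender accepts UDP answers larger than the classic 512-byte limit."""
    arcount = 1 if edns_payload else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD set
    question = encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)
    opt = b""
    if edns_payload:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size, TTL=0, RDLEN=0
        opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, edns_payload, 0, 0)
    return header + question + opt


def _question_end(msg):
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4            # past the terminator, QTYPE and QCLASS


def advertised_payload(query):
    """UDP payload size the querier accepts: from its OPT record, else 512."""
    end = _question_end(query)
    arcount = struct.unpack(">H", query[10:12])[0]
    if (arcount and len(query) >= end + 11
            and struct.unpack(">H", query[end + 1:end + 3])[0] == TYPE_OPT):
        return struct.unpack(">H", query[end + 3:end + 5])[0]
    return 512


def build_txt_response(query, txt_strings, ttl=3600):
    """Simplified resolver reply: echo the question, append one TXT record whose
    RDATA is the given byte strings (each at most 255 bytes). If the reply would
    exceed what the querier advertised, send it truncated (TC bit, no answer);
    a real client would then retry over TCP, which cannot be spoofed."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:_question_end(query)]
    rdata = b"".join(bytes([len(s)]) + s for s in txt_strings)
    answer = b"\xC0\x0C" + struct.pack(">HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    full = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer
    if len(full) <= advertised_payload(query):
        return full
    return struct.pack(">HHHHHH", txid, 0x8180 | 0x0200, 1, 0, 0, 0) + question


def amplification(query, response):
    """Bytes the victim receives per byte the attacker spends (the attacker
    also pays nothing for the reply, since the source address was the victim's)."""
    return len(response) / len(query)
```

For a 40-byte query for example.net/TXT with a 4096-byte EDNS payload and a TXT record of fifteen 255-byte strings, the reply is 3,881 bytes, roughly 97 times the query. Send the same query without EDNS0 and the reply is truncated to 29 bytes: the large-answer attacks depend on the reflector honouring a big advertised payload.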
DNS Reflection Attacks of March ’06
[Figure: the attack chain, summarised below]
• The attacker directs zombies over a C&C channel
• The attacker first plants a big TXT record at an innocent DNS server
• Zombies send queries for that record, spoofed from the victim’s IP, to open recursive DNS servers (35k used in the attack; about 500k exist)
• Each open resolver fetches the record once, then caches it and returns the large answer to the victim for every spoofed query
Distribution: Two Tasks
• Amassing an army of hosts
– Need attack vectors
– Millions of vulnerable hosts
– The rise of Internet worms
History of the Internet Worm
• First worm: November 1988
• An experiment gone awry
– $10M+ in damages
• Written by Cornell graduate student Robert Morris
– Now a professor at MIT…
• Reached about 10% of the Internet (6,000 hosts)
• Exploited 3 main vulnerabilities
– sendmail (DEBUG command), fingerd (buffer overflow), rsh/rexec (trusted hosts and guessed passwords)
The Spread of Internet Worms
Code Red (July 2001): about 12 hours
[Figure: spread of Code Red over time]
How would you design a faster-spreading worm?
Distribution: Two Tasks
• Amassing an army of hosts
– Need attack vectors
– Millions of vulnerable hosts
• Retaining control of the compromised hosts
Botnets
• Bots: autonomous programs performing tasks
• Plenty of “benign” bots
– e.g., WeatherBug
• Botnets: a group of bots
– Typically carries a malicious connotation
– Large numbers of infected machines
– Machines “enlisted” with infection vectors like worms (last lecture)
• Available for simultaneous control by a master
• Size: up to 350,000 nodes
– Trend: towards smaller botnets. Why?
“Rallying” the Botnet
• Easy to combine worm and backdoor functionality
• Problem: how does the master learn which machines were successfully infected?
• Options
– Email
– Hard-coded email address
– IRC servers
– Web search engines
Botnet Control
• The botnet master typically runs an IRC server on a well-known port (e.g., 6667)
• The infected machine contacts the botnet via a pre-programmed DNS name (e.g., big-bot.de)
• Dynamic DNS lets the controller move freely: the name stays fixed while the IP address behind it changes
[Figure: the infected machine resolves the name through dynamic DNS, then connects to the botnet controller (IRC server)]
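Turning the rally sequence above into a detection, as an added example that is not from the lecture: correlate a DNS log with a flow log to find hosts that resolve a name and then connect to the answer on an IRC port within a short window, and report how many different addresses the name has resolved to (churn is the signature of dynamic DNS) plus hosts that hit the same IRC servers with no lookup seen. The two logs, their format, the 60-second window and the port list are constructed assumptions; only big-bot.de and port 6667 come from the slide.

```python
from datetime import datetime

# Constructed sample logs. DNS log: time client name answer
DNS_LOG = """\
2006-11-13T08:00:00 10.0.0.12 big-bot.de 203.0.113.10
2006-11-13T08:00:05 10.0.0.30 www.example.com 198.51.100.8
2006-11-13T09:00:00 10.0.0.12 big-bot.de 203.0.113.77
2006-11-13T09:00:10 10.0.0.44 big-bot.de 203.0.113.77
"""
# Flow log: time src dst dport
FLOW_LOG = """\
2006-11-13T08:00:01 10.0.0.12 203.0.113.10 6667
2006-11-13T08:00:06 10.0.0.30 198.51.100.8 80
2006-11-13T08:10:00 10.0.0.31 203.0.113.10 6667
2006-11-13T09:00:02 10.0.0.12 203.0.113.77 6667
2006-11-13T09:00:12 10.0.0.44 203.0.113.77 6667
"""

IRC_PORTS = {6667}          # extend with the other ports a site sees IRC on


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def rally_candidates(dns_text, flow_text, window_seconds=60):
    """For each DNS name, find clients that resolved it and then, within the
    window, connected to the answer on an IRC port. Returns
    name -> {"clients": ..., "ips": ..., "unresolved": ...}; `ips` grows with
    every address the name has pointed at, `unresolved` lists hosts that
    contacted those servers without a lookup being seen."""
    lookups = [line.split() for line in dns_text.splitlines() if line.strip()]
    flows = [line.split() for line in flow_text.splitlines() if line.strip()]
    result = {}
    for ts, client, name, answer in lookups:
        t = _ts(ts)
        for fts, src, dst, dport in flows:
            if (src == client and dst == answer and int(dport) in IRC_PORTS
                    and 0 <= (_ts(fts) - t).total_seconds() <= window_seconds):
                entry = result.setdefault(name, {"clients": set(), "ips": set(), "unresolved": set()})
                entry["clients"].add(client)
                entry["ips"].add(answer)
    for name, entry in result.items():
        for fts, src, dst, dport in flows:
            if dst in entry["ips"] and int(dport) in IRC_PORTS and src not in entry["clients"]:
                entry["unresolved"].add(src)
    return result
```

On the sample logs big-bot.de is reported with two clients, two controller addresses an hour apart, and one host (10.0.0.31) that reached the first controller without resolving the name; www.example.com is ignored because its follow-up connection was to port 80.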
From Attacks for Fun…
• Denial-of-service attacks
– Attention getters
• Humble beginnings
– Single-source
– Many unsuccessful
• Burgeoning technology
– Distribution (e.g., fast-spreading worms)
– Control
…to Attacks for Profit
“While a few years ago many people were much more focused on attacking the machine and attacking the broad-based activities that were going on online, now all of a sudden we've noticed a significant shift in both the type of attack and the motivation of the attack…
The attacks that we see today are more targeted and more silent and their objective is to create true financial harm as opposed to visibility for the attackers.”
-- John Thompson, Symantec CEO, November 3, 2006
Spam
• Unsolicited commercial email
• About 85–90% of all email traffic today
• Common spam filtering techniques
– Content-based filters: look for words, phrases, etc. in the body of the mail that are characteristic of spam
– DNS-based blacklists (DNSBLs): maintain a list of known bad sender IP addresses
• Upon receiving email, the mail server looks up the sender’s IP address in the list (as a DNS query) and rejects or scores the message if it is listed
BGP Spectrum Agility
• Method: log the IP addresses of the SMTP relays that deliver to a spam trap
• Join them with the BGP route advertisements seen at the network where the spam trap is co-located
• Finding: some spam arrives from prefixes that are announced only briefly (~10 minutes), long enough to deliver the spam, and then withdrawn
Common short-lived prefixes and the ASes announcing them
61.0.0.0/8 – AS 4678
66.0.0.0/8 – AS 21562
82.0.0.0/8 – AS 8717
• Somewhere between 1–10% of all spam comes from such announcements (some clearly intentional, others might be route flapping)
• A small club of persistent players appears to be using this technique
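The join described above, as an added example that is not the lecture's code or data: pair each BGP announcement with the withdrawal that follows it, then attribute every spam arrival to the announcement covering its source address at that moment and flag those whose announcement lived at most ten minutes. The two logs are constructed; the prefixes and AS numbers are the slide's, the timestamps and sender addresses are invented, and the 10-minute threshold is a parameter. Flapping routes are flagged too, which is the ambiguity the slide notes.

```python
import ipaddress
from datetime import datetime

# Constructed BGP update log: time A|W prefix origin-AS
BGP_UPDATES = """\
2006-03-01T09:00:00 A 192.0.2.0/24 64500
2006-03-01T10:00:00 A 61.0.0.0/8 4678
2006-03-01T10:09:00 W 61.0.0.0/8 4678
2006-03-01T10:30:00 A 61.0.0.0/8 4678
2006-03-01T10:35:00 W 61.0.0.0/8 4678
2006-03-01T10:50:00 A 82.0.0.0/8 8717
2006-03-01T18:00:00 W 192.0.2.0/24 64500
"""

# Constructed spam-trap log: time sender-IP
SPAM_LOG = """\
2006-03-01T10:04:12 61.5.20.7
2006-03-01T10:05:00 198.51.100.4
2006-03-01T10:20:00 61.9.9.9
2006-03-01T10:33:00 61.77.3.1
2006-03-01T10:55:00 82.1.1.1
2006-03-01T11:00:00 192.0.2.9
"""


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def announcement_intervals(update_text):
    """Pair each announcement with the next withdrawal of the same (prefix, AS).
    Returns (network, asn, start, end); end is None if never withdrawn."""
    records = sorted(line.split() for line in update_text.splitlines() if line.strip())
    open_at, intervals = {}, []
    for ts, kind, prefix, asn in records:
        key, t = (prefix, int(asn)), parse_time(ts)
        if kind == "A" and key not in open_at:
            open_at[key] = t
        elif kind == "W" and key in open_at:
            intervals.append((ipaddress.ip_network(prefix), key[1], open_at.pop(key), t))
    for (prefix, asn), start in open_at.items():
        intervals.append((ipaddress.ip_network(prefix), asn, start, None))
    return intervals


def short_lived_spam(update_text, spam_text, max_minutes=10):
    """Attribute each spam arrival to the announcement covering its source at
    that time; return (ip, prefix, asn, lifetime_minutes) for announcements
    that lived at most max_minutes. Still-open announcements are never flagged."""
    intervals = announcement_intervals(update_text)
    flagged = []
    for line in spam_text.splitlines():
        if not line.strip():
            continue
        ts, ip = line.split()
        t, addr = parse_time(ts), ipaddress.ip_address(ip)
        for net, asn, start, end in intervals:
            if addr in net and start <= t and (end is None or t <= end):
                if end is not None:
                    minutes = (end - start).total_seconds() / 60
                    if minutes <= max_minutes:
                        flagged.append((ip, str(net), asn, minutes))
    return flagged
```

On the sample data the two messages from 61.0.0.0/8 are flagged (announcements of 9 and 5 minutes), the message from 192.0.2.0/24 is not (announced all day), the one from 82.0.0.0/8 is not (announcement still open), and the one from 61.9.9.9 at 10:20 matches no announcement at all, which in a real trace would itself be worth a look.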
Why Such Big Prefixes?
• Flexibility: client IPs can be scattered throughout the dark (unused) space within a large /8
– The same sender usually returns with different IP addresses
• Visibility: the route typically won’t be filtered (nice and short)
Phishing: How It Works
• A combination of social engineering, mass communication, and ephemeral Web servers
• Methods (how the lure is presented)
– URL links
– Phishing links
– Image links
– “Click here” links
[Figure: the attacker hires spammers, who send phishing emails to victims; victims hand sensitive information to the phishing sites, which are short-lived]
Example Phishing Attack
[Figure: screenshot of a phishing email with its bogus link highlighted]
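The “bogus link” check, as an added example that is not part of the lecture: a small mail-side filter that parses the anchors in an HTML message and flags two of the lure types listed above, links whose visible text names one site while the href leads to another, and links that point at a bare IP address. The sample message, the domain names and the two-label approximation of a site's owner are this example's constructions (a production filter would use the Public Suffix List instead).

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message using documentation names and addresses.
SAMPLE_EMAIL = """\
<p>Dear customer, please confirm your details.</p>
<p>Sign in at <a href="https://www.examplebank.com/verify">https://www.examplebank.com/verify</a></p>
<p>or use <a href="http://examplebank.com.account-check.example/login">https://www.examplebank.com/login</a></p>
<p>or <a href="http://198.51.100.23/examplebank/">Click here</a> to verify.</p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lower-cased hostname of a URL or of a bare 'www.example.com/path' string."""
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname
    return host.lower() if host else None


def registrable(host):
    """Crude owner approximation: the last two labels (assumption; no Public Suffix List)."""
    return ".".join(host.split(".")[-2:])


def suspicious_links(html):
    """Return (href, text, reasons) for anchors whose text names one site but
    whose href leads to another, and for anchors pointing at a raw IP address."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = host_of(href)
        if target is None:
            continue
        reasons = []
        try:
            ipaddress.ip_address(target)
            reasons.append("href host is a raw IP address")
        except ValueError:
            pass                                   # a hostname, not an address
        if re.match(r"^(https?://|www\.)", text, re.IGNORECASE):
            shown = host_of(text)
            if shown and registrable(shown) != registrable(target):
                reasons.append(f"text shows {shown} but href goes to {target}")
        if reasons:
            findings.append((href, text, reasons))
    return findings
```

The second anchor in the sample is the classic trick: the real host is account-check.example, with examplebank.com merely a subdomain prefix, which is why the comparison is made on the owner part of the name and not on a substring match.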
Targets of Phishing Attacks
• Mostly financial services (bank accounts, etc.)
• Occasionally retail services
• Others, too!
Source: antiphishing.org
Design Questions
• Why is it so easy to send unwanted traffic?
• Where should functionality for stopping unwanted traffic be placed?
– Edge vs. core
– Routers vs. middleboxes
• What changes could we make to the current Internet architecture to detect and prevent unwanted traffic?
– Naming
– Addressing
– Routing
If this was interesting…
• CS 7260 (Spring 2007)
• Security-related topics
– Anomaly detection
• Rule-based
• Statistical
– Worms, botnets, spam
– Network monitoring and mitigation
– Routing protocol security
• Plenty of other topics
– Network management, troubleshooting, economics, etc.