COMP & NETWORK SEC CIS 551
This 57 page Class Notes was uploaded by Jackson Will on Monday September 28, 2015. The Class Notes belongs to CIS 551 at University of Pennsylvania taught by Staff in Fall. Since its upload, it has received 22 views. For similar materials see /class/215417/cis-551-university-of-pennsylvania in Computer & Information Science at University of Pennsylvania.
Date Created: 09/28/15
CIS 551 / TCOM 401: Computer and Network Security, Spring 2009, Lecture 5 (1/29/09)

Announcements
- First project due 6 Feb 2009 at 11:59 pm: http://www.cis.upenn.edu/cis551/project1.html
- Group project: 2 or 3 students per group. Send email to cis551@seas.upenn.edu with your group.

Plan for Today
- Worms & viruses, continued
- Start of network security

Worm Research Sources
- "Inside the Slammer Worm", Moore, Paxson, Savage, Shannon, Staniford, and Weaver
- "How to Own the Internet in Your Spare Time", Staniford, Paxson, and Weaver
- "The Top Speed of Flash Worms", Staniford, Moore, Paxson, and Weaver
- "Internet Quarantine: Requirements for Containing Self-Propagating Code", Moore, Shannon, Voelker, and Savage
- "Automated Worm Fingerprinting", Singh, Estan, Varghese, and Savage
Links are on the course web pages.

Analysis: Random Constant Spread Model
- IP address space: $2^{32}$
- N: size of the total vulnerable population
- S(t): susceptible (non-infected) hosts at time t
- I(t): infective (infected) hosts at time t
- $\beta$: contact likelihood
- s(t) = S(t)/N: proportion of susceptible population
- i(t) = I(t)/N: proportion of infected population
- Note: S(t) + I(t) = N

Infection Rate over Time
Change in infection rate is expressed as
  $\frac{dI}{dt} = \beta \cdot I(t) \cdot s(t)$
  = (# of infected hosts) x (rate of contact) x (likelihood that contacted hosts are susceptible)
Rewrite (divide by N and use s(t) = 1 - i(t)) to obtain
  $\frac{di}{dt} = \beta \, i(t) \, (1 - i(t))$
Integrate to get this closed form:
  $i(t) = \frac{e^{\beta (t - T)}}{1 + e^{\beta (t - T)}}$, T = integration constant

Exponential Growth Tapers Off
[Figure: example curve of i(t) for N = 3.5 x 10^5, t in seconds from 0 to 600; the slope's steepness is set by $\beta$]

What Can Be Done?
- Reduce the number of infected hosts: treatment, reduce I(t) while i(t) is still small, e.g. shut down / repair infected hosts (reactive)
- Reduce the contact rate: containment, reduce $\beta$ while i(t) is still small, e.g. filter traffic (reactive)
- Reduce the number of susceptible hosts: prevention, reduce S(0), e.g. use type-safe languages (proactive)

Treatment: Reduce # of Infected Hosts
- Disinfect infected hosts
- Detect infection in real time
- Develop specialized "vaccine" in real time
- Distribute patch more quickly than worm can spread
- Anti-worm (CRClean), bandwidth interference

Effects of "Patching" Infected Hosts: Kermack-McKendrick Model
- State transition: susceptible -> infectious -> removed
- U(t): # of hosts removed from the infectious population
- $\gamma$: removal rate
  $\frac{dI}{dt} = \beta \, I(t) \, \frac{N - I(t) - U(t)}{N} - \frac{dU}{dt}$, $\quad \frac{dU}{dt} = \gamma \, I(t)$
[Figure: I(t) under the Kermack-McKendrick model; axis values not recoverable]

Containment: Reduce Contact Rate $\beta$
- Oblivious defense: consume limited worm resources; throttle traffic to slow spread; possibly an important capability, but the worm still spreads
- Targeted defense: detect and block the worm

Design Space: Design Issues for Reactive Defense (Moore et al. '03)
Any reactive defense is defined by:
- Reaction time: how long to detect, propagate information, and activate a response
- Containment strategy: how malicious behavior is identified and stopped
- Deployment scenario: who participates in the system
Savage et al. evaluate the requirements on these parameters for building any effective system against worm propagation.

Methodology (Moore et al., "Internet Quarantine" paper)
- Simulate spread of the worm across the Internet topology: infected hosts attempt to spread at a fixed rate (probes/sec); target selection is uniformly random over the IPv4 space
- Simulation of the defense system: detects infection within the reaction time; a subset of network nodes employ a containment strategy
- Evaluation metric: % of vulnerable hosts infected in 24 hours; 100 runs of each set of parameters, 95th percentile taken (systems must plan for reasonable situations, not the average case)
- Source data: vulnerable hosts are the 359,000 IP addresses of CodeRed v2 victims; Internet topology is the AS routing topology derived from RouteViews

Initial Approach: Universal Deployment
- Assume every host employs the containment strategy
- Two containment strategies they tested:
  - Address blacklisting: block traffic from malicious source IP addresses; reaction time is relative to each infected host
  - Content filtering: block traffic based on a signature of the content; reaction time is from the first infection
- How quickly does each strategy need to react? How sensitive is reaction time to the worm probe rate?

Reaction Times
[Figure: % of vulnerable hosts infected vs. reaction time, for address blacklisting (minutes) and content filtering (hours)]
To contain worms to 10% of vulnerable hosts after 24 hours of spreading at 10 probes/sec (CodeRed):
- Address blacklisting: reaction time must be < 25 minutes
- Content filtering: reaction time must be < 3 hours

Probe Rate vs. Reaction Time
[Figure: required reaction time vs. probes/second for content filtering]
Reaction times must be fast when probe rates get high:
- 10 probes/sec: reaction time must be < 3 hours
- 1000 probes/sec: reaction time must be < 2 minutes

Limited Network Deployment
- Depending on every host to implement containment is not feasible: installation and administration costs, system communication overhead
- A more realistic scenario is limited deployment in the network:
  - Customer network: firewall-like inbound filtering of traffic
  - ISP network: traffic through border routers of large transit ISPs
- How effective are the deployment scenarios? How sensitive is reaction time to the worm probe rate under limited network deployment?

Deployment Scenario Effectiveness
[Figure: % infected with a 2-hour reaction time against a CodeRed-like worm; content-filtering firewalls at the edge of customer nets vs. content filtering at exchange points in major ISPs]

Reaction Time vs. Probe Rate II
[Figure: required reaction time vs. probes/second when the top 100 ISPs filter]
Above 60 probes/sec, containment to 10% of hosts within 24 hours is impossible even with instantaneous reaction.

Summary: Reactive Defense
- Reaction time: required reaction times are a couple of minutes or less, and far less for bandwidth-limited scanners
- Containment strategy: content filtering is more effective than address blacklisting
- Deployment scenarios: need nearly all customer networks to provide containment; need at least the top 40 ISPs to provide containment

Mechanisms to Mitigate Malware
- Network-level defenses: firewalls, intrusion detection systems, content filtering (next several lectures: networks & network security)
- OS-level defenses: access controls, authorization
- Software-level defenses: type-safe languages, program verification, software certification

Network Architecture
- General blueprints that guide the design and implementation of networks
- Goal: to deal with the complex requirements of a network
- Use abstraction to separate concerns: identify the useful service, specify the interface, hide the implementation

Layering
- A result of abstraction in network design
- A stack of services (layers), with the hardware service at the bottom layer
- Higher-level services are implemented by using services at lower levels
- Advantages: decompose problems; modular changes
[Figure: layered stack, from Application down through Error Control to the hardware]

Protocols
- A protocol is a specification of an interface between modules, often on different machines
- Sometimes "protocol" is used to mean the implementation of the specification

Example Protocol Stack
- Application programs
- Request/Reply Channel and Message Stream Channel
- Host-to-Host Connectivity
- Hardware

Protocol Interfaces
- Service interfaces: communicate up and down the stack
- Peer interfaces: communicate with the counterpart on another host
[Figure: high-level object over protocol on Host 1 and Host 2; the service interface runs vertically within a host, the peer-to-peer interface horizontally between hosts]

CIS 551 / TCOM 401: Computer and Network Security, Spring 2010, Lecture 8 (2/25/10)

Protocol Stack Revisited
[Figure: protocol stack with Application, Presentation and Session layers above the transport (UDP, TCP/IP) covered so far]
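The RCS closed form and the Kermack-McKendrick extension above, together with the three knobs on the "What can be done?" slide, carried through in code. This is an added example, not material from the lecture or from the papers it cites: N = 359,000 is the CodeRed v2 victim count from the slides, while the contact rate beta, the removal rate gamma, the 90% probe-blocking containment and the 300 s / 900 s reaction times are constructed values chosen to make the curves visible within 20 minutes of simulated time. Simulation is by simple Euler stepping of the differential equations.

```python
"""RCS and Kermack-McKendrick worm propagation models (added example)."""
import math


def rcs_fraction(beta, t, T):
    """Closed form of the RCS model: i(t) = e^{beta (t - T)} / (1 + e^{beta (t - T)})."""
    x = beta * (t - T)
    # Two algebraically equal forms, chosen to avoid overflow for large |x|.
    return 1.0 / (1.0 + math.exp(-x)) if x >= 0 else math.exp(x) / (1.0 + math.exp(x))


def rcs_T_from_initial(beta, i0):
    """Integration constant T that makes i(0) = i0 (inverts the closed form at t = 0)."""
    return -math.log(i0 / (1.0 - i0)) / beta


def simulate(N, beta, I0, gamma=0.0, horizon=1200.0, dt=0.1,
             reaction_time=None, beta_after=None):
    """Euler-step the Kermack-McKendrick model in absolute host counts.

    dI/dt = beta * I * (N - I - U) / N - gamma * I   (new infections minus removals)
    dU/dt = gamma * I                                (removed, e.g. patched, hosts)
    With gamma = 0 this is the RCS model.  If reaction_time is given, the contact
    rate switches to beta_after from that moment on (a reactive containment step).
    Returns (infected fraction, removed fraction) of N at the horizon.
    """
    I, U = float(I0), 0.0
    steps = int(round(horizon / dt))
    for step in range(steps):
        t = step * dt
        b = beta if reaction_time is None or t < reaction_time else beta_after
        S = N - I - U                         # still-susceptible hosts
        new_infections = b * I * S / N * dt   # contacts that land on susceptible hosts
        removed = gamma * I * dt              # treatment removes infected hosts
        I += new_infections - removed
        U += removed
    return I / N, U / N


def compare_defenses(N=359_000, beta=0.02, I0=1, horizon=1200.0):
    """Infected fraction of the ORIGINAL population at `horizon` for each knob on the
    'What can be done?' slide.  beta, gamma and the reaction times are constructed."""
    half = N // 2
    return {
        "baseline": simulate(N, beta, I0, horizon=horizon)[0],
        # treatment: patch or shut down 1% of infected hosts per second
        "treatment": simulate(N, beta, I0, gamma=0.01, horizon=horizon)[0],
        # containment: halve the contact rate from the start (e.g. traffic throttling)
        "containment": simulate(N, beta / 2, I0, horizon=horizon)[0],
        # prevention: half the hosts were never vulnerable; rescale to the original N
        "prevention": simulate(half, beta, I0, horizon=horizon)[0] * half / N,
        # reactive containment that blocks 90% of probes, reacting early vs. late
        "containment_early": simulate(N, beta, I0, horizon=horizon,
                                      reaction_time=300.0, beta_after=beta * 0.1)[0],
        "containment_late": simulate(N, beta, I0, horizon=horizon,
                                     reaction_time=900.0, beta_after=beta * 0.1)[0],
    }


if __name__ == "__main__":
    T = rcs_T_from_initial(0.02, 1 / 359_000)
    for t in (0, 300, 600, 900, 1200):
        print(f"t={t:5d}s  closed-form i(t) = {rcs_fraction(0.02, t, T):.4f}")
    for name, frac in compare_defenses().items():
        print(f"{name:18s} {frac:.4f}")
```

The late-reaction case reproduces the qualitative result of the "Internet Quarantine" slides: once i(t) has passed the knee of the logistic curve, even a strong containment response changes almost nothing, whereas the same response applied early keeps the infected fraction below a few percent.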
Applications vs. Networks
Application requirements                          | Network characteristics
Reliable, ordered, single-copy message delivery   | Drops, duplicates, and reorders messages
Arbitrarily large messages                        | Finite message size
Flow control by receiver                          | Arbitrary delay
Supports multiple applications per host           |

User Datagram Protocol (UDP)
- Header: SrcPort, DestPort, Length, Checksum, followed by the data (carried in an IP packet)
- Minimalist transport-layer protocol: exposes IP packet functionality to the application level
- Ports identify the sending/receiving process; demultiplexing information: a (port, host) pair identifies a network process

UDP End-to-End Model
[Figure: multiplexing/demultiplexing with the port number]

Using Ports
- Client contacts the server at a well-known port: SMTP port 25, DNS port 53, POP3 port 110, Unix talk port 517
- In Unix, ports are listed in /etc/services
- Sometimes client and server agree on a different port for subsequent communication
- Ports are an abstraction, implemented differently on different OSs; typically a message queue

Transmission Control Protocol (TCP)
- Most widely used protocol for reliable byte streams
- Reliable, in-order delivery of a stream of bytes
- Full duplex: a pair of streams, one in each direction
- Flow and congestion control mechanisms
- Like UDP, supports ports
- Built on top of IP, hence the "TCP/IP" designation

TCP End-to-End Model
[Figure: buffering trades delays for losses/errors]

Packet Format
- Fields: SrcPort, DstPort, SequenceNum, Acknowledgment, HdrLen, Flags, AdvertisedWindow, Checksum, UrgPtr, Options (variable), data
- Flags: SYN, FIN, RESET, PUSH, URG, ACK

Three-Way Handshake
- Active participant (client) sends SYN, SequenceNum = x
- Passive participant (server) replies SYN + ACK, SequenceNum = y, Acknowledgment = x + 1
- Client sends ACK, Acknowledgment = y + 1

TCP State Transitions
[Figure: TCP state transition diagram with states CLOSED, LISTEN, SYN_RCVD, SYN_SENT, ESTABLISHED, FIN_WAIT_1, CLOSE_WAIT, FIN_WAIT_2, CLOSING, LAST_ACK, TIME_WAIT; transitions labelled active open/SYN, passive open, SYN/SYN+ACK, SYN+ACK/ACK, close/FIN, FIN/ACK, ACK, and a timeout after two segment lifetimes from TIME_WAIT back to CLOSED]

TCP Receiver
- Maintains a buffer from which the application reads
- Advertises <= buffer size as the window for the sliding window
- Responds with Acknowledgment and AdvertisedWindow on each send; updates byte counts when the data is OK
- Application is blocked until the read is OK

TCP Sender
- Maintains a buffer; the sending application is blocked until there is room in the buffer for its write
- Holds data until it is acknowledged by the receiver as successfully received
- Implements window expansion and contraction (note the difference between flow and congestion control)

TCP Flow & Congestion Control
- Flow control protects the recipient from being overwhelmed
- Congestion control protects the network from being overwhelmed
- TCP congestion control: additive increase / multiplicative decrease; slow start; fast retransmit and fast recovery

Increase and Decrease
- A value CongestionWindow is used to control the number of unacknowledged transmissions
- This value is increased linearly until timeouts for ACKs are missed
- When timeouts occur, CongestionWindow is decreased by half to reduce the pressure on the network quickly
- The strategy is called additive increase, multiplicative decrease (AIMD)

Additive Increase
[Figure: additive increase of the congestion window, one extra packet per round trip]

TCP Sawtooth Pattern
[Figure: congestion window (KB) vs. time]

Slow Start
- Sending the entire window immediately could cause a traffic jam in the network
- Begin slowly by setting the congestion window to one packet
- When acknowledgements arrive, double the congestion window
- Continue until ACKs do not arrive or flow control dominates
[Figure: slow start, window doubling per round trip]

Network Vulnerabilities
- Anonymity: the attacker is remote and the origin can be disguised (authentication)
- Many points of attack: the attacker only needs to find the weakest link, and can mount attacks from many machines
- Sharing: many, many users sharing resources
- Complexity: distributed systems are large and
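The slow start and AIMD rules from the slides above, written out as an added Python example (not code from the lecture). It assumes the textbook reaction to a timeout that the "Slow Start" slide describes (ssthresh set to half the window, window reset to one packet, then slow start again up to ssthresh and additive increase beyond it), models time as one step per round-trip, and uses a constructed loss criterion: a round trip in which more packets are in flight than a fixed link capacity ends in a timeout. The class name TcpSender and the capacity parameter are this example's own.

```python
"""Slow start + AIMD congestion-window bookkeeping, one step per RTT (added example)."""


class TcpSender:
    """Congestion-control state of one TCP sender, in packets."""

    def __init__(self, ssthresh=64, advertised_window=None):
        self.cwnd = 1                               # slow start begins with one packet
        self.ssthresh = ssthresh                    # boundary between slow start and AIMD
        self.advertised_window = advertised_window  # receiver's flow-control limit, if any

    def effective_window(self):
        """Packets allowed in flight: the smaller of the flow- and congestion-control limits."""
        if self.advertised_window is None:
            return self.cwnd
        return min(self.cwnd, self.advertised_window)

    def on_rtt_acked(self):
        """Every packet sent in this RTT was acknowledged."""
        if self.advertised_window is not None and self.cwnd >= self.advertised_window:
            return                                   # flow control dominates; growing is pointless
        if self.cwnd < self.ssthresh:
            self.cwnd = min(self.cwnd * 2, self.ssthresh)   # slow start: double per RTT
        else:
            self.cwnd += 1                                  # additive increase

    def on_timeout(self):
        """An ACK timed out: multiplicative decrease of the threshold, then restart slow start."""
        self.ssthresh = max(self.cwnd // 2, 2)
        self.cwnd = 1


def simulate_cwnd(rtts, capacity, ssthresh=64, advertised_window=None):
    """Trace of cwnd at the start of each RTT.  Constructed loss model: exceeding
    `capacity` packets in flight during an RTT produces a timeout."""
    sender = TcpSender(ssthresh, advertised_window)
    trace = []
    for _ in range(rtts):
        trace.append(sender.cwnd)
        if sender.effective_window() > capacity:
            sender.on_timeout()
        else:
            sender.on_rtt_acked()
    return trace


def sawtooth_peaks(trace):
    """Window sizes at which a loss occurred, i.e. the tips of the sawtooth."""
    return [w for w, nxt in zip(trace, trace[1:]) if nxt == 1 and w > 1]


if __name__ == "__main__":
    t = simulate_cwnd(20, capacity=10)
    print("cwnd per RTT:", t)
    print("sawtooth peaks:", sawtooth_peaks(t))
    print("flow control dominating:", simulate_cwnd(6, capacity=10, advertised_window=6))
```

The first trace shows the two regimes on the slides: the window doubles 1, 2, 4, 8, 16 until the loss, collapses to 1, climbs back to the halved threshold of 8 by doubling, and then grows by one packet per round trip until the next loss; the second trace shows growth stopping once the receiver's advertised window, not the network, is the binding limit.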
heterogeneous; unknown perimeter; unknown attack paths

SYN Flood Attack
- Recall TCP's 3-way handshake: SYN, SYN+ACK, ACK
- The receiver must maintain a queue of partially open TCP connections (called SYN_RECV connections)
- A finite resource, often small (e.g. 20 entries); timeouts for queue entries are about 1 minute
- Attacker: floods a machine with SYN requests, never ACKs them, and spoofs the sending address

Distributed Denial of Service
- Coordinate multiple subverted machines to attack
- Flood a server with bogus requests: TCP SYN packet flood > 600,000 packets per second
- Detection & assessment: 12,800 attacks on 5,000 hosts in a 3-week period during 2001; IP spoofing (forged source IP address); http://www.cs.ucsd.edu/users/savage/papers/UsenixSec01.pdf
- Feb 6, 2007: 6 of 13 root servers suffered a DDoS attack
- Oct 21, 2002: 9 of 13 root servers were swamped; prompted changes in the architecture
- Prevention: filtering; decentralized file storage

Kinds of Firewalls
- Personal firewalls: run at the end hosts (e.g. Norton, Windows, etc.); benefit: has more application/user-specific information
- Filter based: operates by filtering based on packet headers
- Proxy based: operates at the level of the application (e.g. an HTTP web proxy)

Filtering Firewalls
- Filtering can take advantage of the following information from network- and transport-layer headers: source, destination, source port, destination port, flags (e.g. ACK), protocol type (e.g. UDP vs. TCP)
- Some firewalls keep state about open TCP connections; this allows conditional filtering rules of the form "if an internal machine has established the TCP connection, permit inbound reply packets"

[Figure: example pf rules from the openbsd.org website; the rule text is not recoverable]

Filter Example
Action | ourhost | port | theirhost | port | comment
block  | *       | *    | BAD       | *    | untrusted host
allow  | GW      | 25   | *         | *    | allow our SMTP port
Apply rules from top to bottom, with an assumed default entry:
block  | *       | *    | *         | *    | default
Bad entry, intended to allow connections to SMTP from inside:
allow  | *       | *    | *         | 25   | connect to their SMTP
This allows all connections from port 25, but an outside machine can run anything on its port 25.

Filter Example, Continued
Permit outgoing calls to port 25:
Action | src        | port | dest | port | flags | comment
allow  | 123.45.6.* | *    | *    | 25   |       | their SMTP
allow  | *          | 25   | *    | *    | ACK   | their replies
This filter doesn't protect against IP address spoofing: the bad hosts can pretend to be one of the hosts with addresses 123.45.6.*.

When to Filter
[Figure: firewall placement between the internal network and the Internet]

On Input or Output
- Filtering on output can be more efficient, since it can be combined with the table lookup of the route
- However, some information is lost at the output stage, e.g. the physical input port on which the packet arrived; this can be useful information to prevent address spoofing
- Filtering on input can protect the router itself

Principles for Firewall Configuration
- General principle: filter as early as possible
- Least privilege: turn off everything that is unnecessary, e.g. web servers should disable SMTP port 25
- Fail-safe defaults: by default, reject; note that this could cause usability problems
- Egress filtering: filter outgoing packets too; you know the valid IP addresses for machines internal to the network, so drop those that aren't valid; this can help prevent DoS attacks in the Internet

Example: Real Firewall Config Script
    #############################################################
    # FreeBSD Firewall configuration.
    # Single-machine custom firewall setup. Protects somewhat
    # against the outside world.
    #############################################################
    # Set this to your ip address.
    ip="192.100.66.1"
    setup_loopback
    # Allow anything outbound from this address.
    ${fwcmd} add allow all from ${ip} to any out
    # Deny anything outbound from other addresses.
    ${fwcmd} add deny log all from any to any out
    # Allow inbound ftp, ssh, email, tcp-dns, http, https, imap, imaps,
    # pop3, pop3s.
    ${fwcmd} add allow tcp from any to ${ip} 21 setup
    ${fwcmd} add allow tcp from any to ${ip} 22 setup
    ${fwcmd} add allow tcp from any to ${ip} 25 setup
    ${fwcmd} add allow tcp from any to ${ip} 53 setup
    ${fwcmd} add allow tcp from any to ${ip} 80 setup
    ${fwcmd} add allow tcp from any to ${ip} 443 setup

Proxy-based Firewalls
- The proxy acts like both a client and a server
- Able to filter using application-level info; for example, permit some URLs to be visible outside and prevent others from being visible
- Proxies can provide other services too: caching, load balancing, etc.
- FTP and Telnet proxies are common too
[Figure: firewall with an internal TCP/HTTP proxy, connection to a local web server]
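The two filter tables above, evaluated by a small first-match packet filter, as an added Python example that is not code from the lecture. It encodes the slide's ourhost/theirhost columns by mapping them onto the packet's source or destination according to the direction of travel, and it models the "On input or output" point by letting the filter either know the interface a packet arrived on or have to guess direction from the source address. The aliases GW and BAD, the /24 reading of "123.45.6.*", the outside addresses in 198.51.100.0/24 and all sample packets are constructed for this example.

```python
"""First-match packet filter for the slide's 'Filter Example' tables (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Union

INTERNAL_NET = ip_network("123.45.6.0/24")                    # assumed reading of 123.45.6.*
ALIASES = {"GW": "123.45.6.1", "BAD": "198.51.100.13"}        # constructed addresses


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str                       # "ext": arrived from outside, "int": arrived from inside
    flags: frozenset = frozenset()   # TCP flags set on the packet


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: str = "*"             # "in", "out" or "*" (slide tables 1 and 2 differ here)
    our: str = "*"                   # address, CIDR, alias or "*"
    our_port: Union[int, str] = "*"
    their: str = "*"
    their_port: Union[int, str] = "*"
    flags: frozenset = frozenset()   # every listed flag must be set on the packet
    comment: str = ""


def addr_match(pattern, addr):
    if pattern == "*":
        return True
    pattern = ALIASES.get(pattern, pattern)
    if "/" in pattern:
        return ip_address(addr) in ip_network(pattern)
    return pattern == addr


def direction_of(pkt, use_iface):
    if use_iface:
        return "in" if pkt.iface == "ext" else "out"
    # Without the input interface the filter can only guess from the source address,
    # which is exactly what a spoofed source defeats.
    return "out" if ip_address(pkt.src) in INTERNAL_NET else "in"


def matches(rule, pkt, direction):
    if rule.direction not in ("*", direction):
        return False
    if direction == "in":
        our, our_port, their, their_port = pkt.dst, pkt.dport, pkt.src, pkt.sport
    else:
        our, our_port, their, their_port = pkt.src, pkt.sport, pkt.dst, pkt.dport
    return (addr_match(rule.our, our) and rule.our_port in ("*", our_port)
            and addr_match(rule.their, their) and rule.their_port in ("*", their_port)
            and rule.flags <= pkt.flags)


def evaluate(rules, pkt, use_iface=True):
    """Apply rules top to bottom; first match wins; the default entry is block."""
    direction = direction_of(pkt, use_iface)
    for rule in rules:
        if matches(rule, pkt, direction):
            return rule.action, rule.comment
    return "block", "default"


BAD_RULES = [                      # first table plus the 'bad entry'
    Rule("block", their="BAD", comment="untrusted host"),
    Rule("allow", our="GW", our_port=25, comment="allow our SMTP port"),
    Rule("allow", their_port=25, comment="connect to their SMTP (bad entry)"),
]
FIXED_RULES = [                    # first table plus the 'continued' table
    Rule("block", their="BAD", comment="untrusted host"),
    Rule("allow", our="GW", our_port=25, comment="allow our SMTP port"),
    Rule("allow", "out", our="123.45.6.0/24", their_port=25, comment="their SMTP"),
    Rule("allow", "in", their_port=25, flags=frozenset({"ACK"}), comment="their replies"),
]

# Constructed sample packets.
OUTSIDE_SSH_FROM_PORT_25 = Packet("198.51.100.7", 25, "123.45.6.10", 22, "ext", frozenset({"SYN"}))
REPLY_FROM_THEIR_SMTP = Packet("198.51.100.7", 25, "123.45.6.10", 40000, "ext", frozenset({"ACK"}))
OUR_MAIL_TO_THEM = Packet("123.45.6.10", 40000, "198.51.100.7", 25, "int", frozenset({"SYN"}))
SPOOFED_FROM_OUTSIDE = Packet("123.45.6.99", 40000, "198.51.100.7", 25, "ext", frozenset({"SYN"}))
FROM_BAD_HOST = Packet("198.51.100.13", 4444, "123.45.6.1", 25, "ext", frozenset({"SYN"}))

if __name__ == "__main__":
    print("bad table, outsider's port 25 -> our ssh:", evaluate(BAD_RULES, OUTSIDE_SSH_FROM_PORT_25))
    print("fixed table, same packet:               ", evaluate(FIXED_RULES, OUTSIDE_SSH_FROM_PORT_25))
    print("fixed table, spoofed, no iface info:    ", evaluate(FIXED_RULES, SPOOFED_FROM_OUTSIDE, False))
    print("fixed table, spoofed, with iface info:  ", evaluate(FIXED_RULES, SPOOFED_FROM_OUTSIDE, True))
```

The ACK-flag rule is what closes the hole from the first table: an outsider's SYN from its own port 25 no longer matches anything and falls through to the default block, while genuine replies from a remote SMTP server still pass. The spoofed packet shows the limit the slide states: a filter that cannot see the input interface classifies a forged 123.45.6.* source as outbound traffic and allows it, whereas one that filters on input can reject an internal source address arriving on the external interface.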