
IEC 312 – Distributed System Security
Dr. E.Silambarasan
Assistant Professor
Department of CSE - Cyber Security
Indian Institute of Information Technology, Kottayam
Module 1
• Introduction- Background, Distributed Systems, Distributed Systems Security, Common Security
Issues and Technologies
• Host-Level Threats and Vulnerabilities- Background, Malware, Eavesdropping, Job Faults, Resource
Starvation, Privilege Escalation, Injection Attacks.
• Infrastructure-Level Threats and Vulnerabilities- Introduction, Network- Level Threats and
Vulnerabilities, Grid Computing Threats and Vulnerabilities, Storage Threats and Vulnerabilities,
Overview of Infrastructure Threats and Vulnerabilities.
Infrastructure Level Threats and Vulnerabilities
• Infrastructure: elements that support the basic functioning of IT systems, like the networking
infrastructure, the middleware, and the storage infrastructure.
• Securing the IT infrastructure is being identified as critical by different government agencies, as
attacks may have serious consequences on the security and the economic vitality of a society.
• Our way of life depends on secure and safe operations of critical systems that depend on cyberspace.
Infrastructure Level Threats and Vulnerabilities
• Network Level Threats and Vulnerabilities:
• The most critical component of the IT infrastructure is the networking infrastructure.
• The networking infrastructure has seen huge growth over the last few years, especially with the advent of
wireless technologies.
• The importance of securing the network has grown rapidly in recent years due to the series of attacks that
shut down some of the world’s most high-profile Web sites, like Yahoo! and Amazon.
• Securing the networking infrastructure is clearly the need of the hour and different components of the
networking infrastructure, like the routers, servers, wireless devices, and so on, need to be protected for
sustained IT security.
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Denial-of-Service attack
• One of the most dangerous network-level threats is the denial-of-service (DoS) attack. These attacks have
a simple objective, to deny service to the service consumers.
• In DoS attacks, the packets are routed correctly but the destination and the network become the targets of
the attackers.
• DoS attacks are very easy to generate and are very difficult to detect, and hence they are attractive
weapons for hackers.
• In a typical DoS attack, the attacker node spoofs its IP address and uses multiple intermediate nodes to
overwhelm other nodes with traffic.
• DoS attacks are typically used to take important servers out of action for a few hours, resulting in DoS for
all users. They can also be used to disrupt the services of the intermediate routers.
• Generally, DoS attacks can be categorized into two main types: (i) ordinary and (ii) distributed.
• In an ordinary network-based DoS attack, an attacker uses a tool to send packets to the target system.
• These packets are designed to disable or overwhelm the target system, often forcing a reboot.
• Often, the source address of these packets is spoofed, making it difficult to locate the real source of the
attack.
• In the distributed denial-of-service (DDoS) attack, there might still be a single attacker, but the effect of
the attack is greatly multiplied by the use of attack servers known as ‘agents’.
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Distributed Denial-of-Service (DDoS) attack
• One of the deadliest forms of DoS attack is when the attackers are distributed in nature. Such an
attack is called a DDoS attack.
• According to the Computer Incident Advisory Capability (CIAC), the first DDoS attacks occurred in
the summer of 1999. In February 2000, one of the first major DDoS attacks was waged against
yahoo.com.
• Another DDoS attack occurred on October 20, 2002 against the 13 root servers that provide the
domain name system (DNS) service to Internet users around the world.
• Most of these attacks target a particular network protocol, like the Transfer Control Protocol
(TCP), User Datagram Protocol (UDP), and so on.
• SYN Flood attack
• The most popular DDoS attack is the synchronize (SYN) flood attack.
• This type of attack targets the TCP to create service denial.
• The TCP protocol includes a three-way handshake between the sender and the receiver before
data packets are sent.
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Distributed Denial-of-Service (DDoS) attack
• SYN Flood attack
• The attacker instructs the zombies (systems previously compromised by the attacker for this
purpose) to send bogus TCP SYN requests to a victim server in order to tie up the server’s
processor resources, and hence prevent the server from responding to legitimate requests.
• PUSH+ACK attacks
• The attacker again uses the properties of the TCP protocol to target victims.
• In the TCP protocol, packets that are sent to a destination are buffered within the TCP stack and
when the stack is full, the packets get sent on to the receiving system.
• However, the sender can request the receiving system to unload the contents of the buffer before
the buffer becomes full by sending a packet with the PUSH bit set to one.
• PUSH is a one-bit flag within the TCP header.
• The TCP stores incoming data in large blocks for passage onto the receiving system in order to
minimize the processing overhead required by the receiving system each time it must unload a
nonempty buffer.
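A defender's view of the SYN flood described above, as an added example that is not part of the original slides: it tracks handshakes that were opened with a SYN but never completed, and flags any server whose count of such half-open connections reaches a threshold. The record layout, the threshold, the timeout and the function names are assumptions, and the sample records are constructed with documentation-range addresses.

```python
from collections import Counter


def build_sample_records():
    """Constructed capture summary: (time_s, src_ip, src_port, dst_ip, dst_port, flags)."""
    server = ("192.0.2.10", 80)
    records = [
        # One legitimate client that completes the three-way handshake.
        (0.00, "198.51.100.7", 40000, *server, "SYN"),
        (0.01, *server, "198.51.100.7", 40000, "SYN-ACK"),
        (0.02, "198.51.100.7", 40000, *server, "ACK"),
    ]
    # Fifty SYNs from different (spoofed) sources; the final ACK never arrives.
    for i in range(50):
        src, sport, t = f"203.0.113.{i + 1}", 50000 + i, 1.0 + i * 0.01
        records.append((t, src, sport, *server, "SYN"))
        records.append((t + 0.001, *server, src, sport, "SYN-ACK"))
    return records


def find_syn_floods(records, threshold=20, timeout=30.0):
    """Return {(server_ip, server_port): peak half-open count} for servers at or over threshold."""
    pending = {}      # (client_ip, client_port, server_ip, server_port) -> time of SYN
    peak = Counter()  # highest half-open count observed per server
    for t, src, sport, dst, dport, flags in sorted(records):
        # A real TCP stack gives up on half-open entries after a timeout; so do we.
        for key in [k for k, t0 in pending.items() if t - t0 > timeout]:
            del pending[key]
        if flags == "SYN":
            pending[(src, sport, dst, dport)] = t
        elif flags in ("ACK", "RST"):
            # The client finished (or aborted) the handshake: no longer half-open.
            pending.pop((src, sport, dst, dport), None)
        half_open = Counter((sip, sp) for (_, _, sip, sp) in pending)
        for server, n in half_open.items():
            peak[server] = max(peak[server], n)
    return {server: n for server, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for server, n in find_syn_floods(build_sample_records()).items():
        print(f"possible SYN flood against {server[0]}:{server[1]}: {n} half-open connections")
```
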
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Distributed Denial-of-Service (DDoS) attack
• Smurf attacks:
• The attacker sends packets to a network amplifier (a system supporting broadcast addressing),
with the return address spoofed to the victim’s IP address.
• The attacking packets are typically ICMP ECHO REQUESTs, which are packets (similar to a ‘ping’)
that request the receiver to generate an ICMP ECHO REPLY packet.
• The amplifier sends the ICMP ECHO REQUEST packets to all of the systems within the broadcast
address range, and each of these systems will return an ICMP ECHO REPLY to the target victim’s IP
address.
• This type of attack amplifies the original packet tens or hundreds of times.
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• DNS attack
• The DNS is a distributed, hierarchical, global directory that translates machine/domain names to
numeric IP addresses.
• Due to its ability to map human memorable names to numerical addresses, its distributed nature
and its robustness, the DNS has evolved into a critical component of the Internet.
• Therefore, an attack on the DNS infrastructure has the potential to affect a large portion of the
Internet.
• Attacks of this type have illustrated the lack of authenticity and integrity of the data held within the
DNS, as well as in the protocols that use host names as an access control mechanism.
• Impact of Hacking:
• DoS
• Masquerading
• Information leakage
• Domain hijacking
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• DNS attack
• Types of Hacking
• Cache poisoning
• If a DNS server is made to cache bogus information, the attacker can redirect traffic intended
for a legitimate site to a site under the attacker’s control.
• Server compromising
• Attackers can compromise a DNS server, thus giving them the ability to modify the data
served to the users – Cache poisoning or DoS attack on some other server.
• Spoofing
• Attacker masquerades as a DNS server and feeds the client wrong and/or potentially
malicious information.
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Routing attack
• Routing tables are used to route packets over any network, especially the Internet.
• Routing protocols like distance vector, link state, and path vector protocols have been designed to
create routing tables through the exchange of routing packets.
• Routing table ‘poisoning’ is a type of attack on the routing protocols where the routing updates are
maliciously modified, resulting in the creation of incorrect routing tables.
• Impacts of Routing Table poisoning
• Suboptimal routing:
• With the emergence of the Internet as a means of supporting soft real-time applications,
optimality in routing assumes significant importance.
• Routing table poisoning attacks can result in suboptimal routing, which can affect real-time
applications.
• Similarly in Grid – QoS Violation
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Routing attack
• Impacts of Routing Table poisoning
• Congestion:
• Routing table poisoning can lead to artificial congestion if packets are forwarded to only certain
portions of the network.
• Partition
• This can become a significant problem since hosts residing in one partition will be unable to
communicate with hosts residing in another
• Overwhelmed host:
• If a router sends updates that result in the concentration of packets into one or more selected
servers, the servers can be taken out of service because of the huge amounts of traffic.
• Looping:
• The creation of triangle routing, caused due to packet mistreatment attacks, can also be simulated
through improper updates of the routing table.
• Loops thus formed may result in packets getting dropped and hence in lowering of the overall
network throughput.
• Access to data
• Attackers may gain illegal access to data through the routing table poisoning attack. This may lead to
the attackers snooping packets.
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Routing attack
• Different routing protocols
• Distance vector:
• The nodes in the network create a vector of the shortest path distances to all the other nodes in
the network.
• This distance vector information is exchanged between the nodes.
• After receiving the distance vector information from its neighbors, each node calculates its own
distance vector.
• No node has the full topology information and each depends on its neighbors for creating its
routing tables.
• The count-to-infinity problem can result from not having the full topology information.
• Example: Routing Information Protocol (RIP)
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Routing attack
• Different routing protocols
• Link State:
• Each node sends its connectivity information to all the other nodes in the network.
• Based on the information received from the other nodes, each node computes the shortest
path tree by applying the Bellman-Ford algorithm.
• As a result, link state protocols are inherently robust.
• Example: Open Shortest Path Forwarding (OSPF)
• Path Vector:
• Each node sends the full shortest path information of all the nodes in the network to its
neighbors.
• Example: Border Gateway Protocol (BGP)
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Routing attack
• Routing table poisoning can be broadly categorized into (i) link and (ii) router attacks.
• Link attacks – Interruption
• If an attacker stops a routing update from propagating, the victim may still be able to obtain
the information from other sources.
• Link attack – modification/fabrication
• Routing information packets can be modified/fabricated by an attacker who has access to a
link in the network.
• Link attacks – replication
• Routing table poisoning can also take the form of replication of old messages, where a
malicious attacker gets hold of routing updates and replays them later.
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Routing attack
• Router attacks – Link state
• A router can be compromised, making it malicious in nature.
• Hence, a malicious router can send incorrect updates about its neighbors, or remain silent if
the link state of the neighbor has actually changed.
• A router attack can be proactive or inactive in nature.
• In a proactive router attack, the malicious router can add a pretend link, delete an already
existing link, or change the cost of a link proactively.
• In an inactive router attack, the router ignores a change in the link state of its neighbors.
• Router attacks – Distance vector
• Routers can send wrong and potentially dangerous updates regarding any nodes in the
network since the nodes do not have the full network topology.
• If a malicious router creates a wrong distance vector and sends it to all its neighbors, the
neighbors accept the update since there is no way to validate it.
• As the router itself is malicious, standard techniques like digital signatures do not work.
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Wireless Security Vulnerabilities
• Network technologies are slowly moving in the wireless direction as more and more transactions
take place using mobile systems.
• However, even with the growth of wireless technologies, enterprises are slow in going fully mobile.
Other than operational issues, security concerns are their primary reason.
• Traffic Analysis:
• One of the simplest attacks that can be employed against a wireless network is to analyze the
traffic in terms of the number and size of the packets transmitted.
• This attack is very difficult to detect as the attacker is in promiscuous mode and
hence mostly hidden from any detection techniques.
• In addition to getting the information that there is a certain amount of wireless activity in the
region, the attacker can learn the location of the access point in the area.
• Also, the attacker may be able to obtain information about the type of protocol used.
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Wireless Security Vulnerabilities
• Eavesdropping:
• The attacker is assumed to be passive, getting information about the data transmitted
through the wireless channel.
• In addition to the payload, source and destination information can be obtained, which can be used
for spoofing attacks.
• Spoofing:
• The attacker changes the destination IP address of the packet to the IP address of a host they control.
In the case of a modified packet, the authentic receiving node will request a resend of the packet and
so the attack will not be apparent.
• Another approach is to resend the packet with the modified header. Since the receiver judges
whether a packet is valid, the resend should not cause any response from the access point or access
controller, which kindly decrypts the packet before sending it to the attack receiver, thus violating
the confidentiality of the communication.
• The attacker can inject known traffic into the network in order to decrypt future packets in the
wireless network. This type of attack can be useful in detecting the session key of the communicating
parties.
• Stricter measures of encryption like changing the session keys and using stronger security protocols
are needed to prevent this attack from taking place.
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Wireless Security Vulnerabilities
• Unauthorized access:
• The attacker can launch additional attacks or just enjoy free network use.
• Due to the physical properties of WLANs, the attacker will always have access to the wireless
component of the network.
• In some wireless security architectures, this will also grant the attacker access to the wired
component of the network.
• In other architectures, the attacker must use some technique like MAC address spoofing to gain
access to the wired component
• Replay attack
• The attacker saves the current conversation or session, to be replayed at a later time.
• Even if the current conversation is encrypted, replaying the packets at a later time will confuse the
recipient and create some other dangerous after-effects.
• Nonce or timestamps are generally used to prevent this type of attack from taking place.
• However, if the attacker is able to selectively modify the contents of the packets, this type of solution
does not work.
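The nonce and timestamp defence mentioned above, as an added example that is not part of the original slides: the receiver rejects stale messages and repeated nonces, and because the nonce and timestamp are covered by the same MAC as the payload, altering any of them is detected as well. The pre-shared key, HMAC-SHA256, the 30-second window and all names are assumptions.

```python
import hashlib
import hmac
import json
import os


def _mac(key, msg):
    # The MAC covers timestamp, nonce and payload together, so none can be
    # changed on its own without invalidating the message.
    body = json.dumps({k: msg[k] for k in ("ts", "nonce", "payload")},
                      sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def seal(key, payload, now):
    """Sender side: attach a fresh random nonce, the send time and a MAC."""
    msg = {"ts": now, "nonce": os.urandom(16).hex(), "payload": payload.hex()}
    msg["mac"] = _mac(key, msg)
    return msg


class Receiver:
    def __init__(self, key, window=30.0):
        self.key = key
        self.window = window  # seconds a message stays acceptable
        self.seen = {}        # nonce -> timestamp, kept only while inside the window

    def accept(self, msg, now):
        try:
            expected = _mac(self.key, msg)
        except KeyError:
            return "malformed"
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return "bad-mac"
        if abs(now - msg["ts"]) > self.window:
            return "stale"
        # Nonces older than the window can be forgotten: a message that old is
        # already rejected as stale, so the cache stays bounded.
        self.seen = {n: ts for n, ts in self.seen.items() if now - ts <= self.window}
        if msg["nonce"] in self.seen:
            return "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"


if __name__ == "__main__":
    key = os.urandom(32)              # constructed key for the demonstration
    rx = Receiver(key)
    m = seal(key, b"open valve 3", now=1000.0)
    print(rx.accept(m, now=1001.0))   # first delivery
    print(rx.accept(m, now=1002.0))   # same bytes captured and sent again
    print(rx.accept(dict(m, ts=1100.0), now=1100.0))  # replay with edited timestamp
```
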
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Wireless Security Vulnerabilities
• Man-in-the-Middle attack:
• The attacker can sneak into the middle of the conversation by gaining access to header information
and spoofing the header information to deceive the recipient.
• An ARP poison attack is one manifestation of a man-in-the-middle attack.
• The attacker sends a forged ARP reply message that changes the mapping of the IP address to the
given MAC address.
• The MAC address is not changed, just the mapping.
• Once the cache has been modified, the attacker can act as a man-in-the-middle between any two
hosts in the broadcast domain.
• The more mechanisms the attacker will have to subvert when re-establishing the connection with
both the target and the access point.
• If authentication is in place, the attacker must defeat the authentication mechanism to establish new
connections between themself and the target and themself and the access point.
• If encryption is in use, the attacker must also subvert the encryption to either read or modify the
message contents.
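Detection logic for the forged ARP replies described above, as an added example that is not part of the original slides: it watches ARP replies and reports when an IP address is suddenly claimed by a different MAC address, and when one MAC address starts answering for several IP addresses. The record layout and names are assumptions, and the sample replies are constructed.

```python
from collections import defaultdict

# Constructed ARP replies: (time_s, sender_ip, sender_mac).
SAMPLE_REPLIES = [
    (0, "192.0.2.1", "AA:AA:AA:AA:AA:01"),    # gateway
    (1, "192.0.2.20", "aa:aa:aa:aa:aa:20"),   # workstation
    (2, "192.0.2.66", "aa:aa:aa:aa:aa:66"),   # another host on the segment
    (30, "192.0.2.1", "aa:aa:aa:aa:aa:66"),   # gateway IP now claimed by host .66
    (31, "192.0.2.20", "aa:aa:aa:aa:aa:66"),  # workstation IP claimed by host .66
    (60, "192.0.2.1", "aa:aa:aa:aa:aa:01"),   # the real gateway answers again
]


def audit_arp_replies(replies):
    """Return alerts as (time, kind, ip, mac) tuples.

    The first binding seen for an IP is kept as the reference, so repeated
    forged replies keep alerting instead of silently becoming the new normal.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()                      # MAC notation is case-insensitive
        known = ip_to_mac.setdefault(ip, mac)  # learn on first sight
        if known != mac:
            # The mapping changed, which is exactly what a forged reply does.
            alerts.append((t, "mapping-changed", ip, mac))
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                # One interface answering for several addresses is what a host
                # sitting between two others looks like on the wire.
                alerts.append((t, "mac-claims-multiple-ips", ip, mac))
    return alerts


def suspect_macs(alerts):
    """MAC addresses that appear in any alert, for follow-up on the switch."""
    return {mac for _, _, _, mac in alerts}


if __name__ == "__main__":
    for alert in audit_arp_replies(SAMPLE_REPLIES):
        print(alert)
```

Address reassignment, a replaced network card or proxy ARP produce the same alerts, so a hit is a prompt to check the switch port behind the MAC address rather than proof of an attack.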
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Wireless Security Vulnerabilities
• Session Hijacking
• This is an attack against the integrity of a session.
• The attacker takes an authorized and authenticated session away from its proper owner.
• The target knows that it no longer has access to the session but may not be aware that the
session has been taken over by an attacker.
• The target may attribute the session loss to a normal malfunction of the WLAN.
• Once a valid session has been owned, the attacker may use the session for whatever purposes
they want and maintain the session for an extended time.
• This attack occurs in real time but can continue long after the victim thinks the session is over.
• To successfully execute session hijacking, the attacker must accomplish two tasks.
Infrastructure Level Threats and Vulnerabilities
Network Level Threats and Vulnerabilities:
• Wireless Security Vulnerabilities
• Session Hijacking
• The attacker must masquerade as the target of the wireless network.
• This includes crafting the higher-level packets to maintain the session, using any persistent
authentication tokens, and employing any protective encryption.
• The attacker must stop the target from continuing the session.
• The attacker normally will use a sequence of spoofed disassociate packets to keep the target
out of the session
Infrastructure Level Threats and Vulnerabilities
Grid Computing Threats and Vulnerabilities:
• Recently, the high-computing industries like finance, life sciences, energy, automobiles, rendering, and
so on have been showing a great amount of interest in the potential of connecting standalone and silo-
based clusters into a department and sometimes enterprise-wide grid system.
• Grid computing is currently in the middle of evolving standards, inheriting and customizing from those
developed in the high-performance, distributed, and, recently, web-services communities.
• Due to the lack of consistent and widely-used standards, several enterprises are concerned about the
implementation of an enterprise-level grid system, though the potential of such a system is well
understood.
• The biggest concerns are the security aspects of the grid.
• The grid security issues can be grouped into three main categories: architecture-related issues,
infrastructure-related issues, and management-related issues.
Infrastructure Level Threats and Vulnerabilities
Grid Computing Threats and Vulnerabilities:
• Architecture-related issues
• Information Security
• Security related to the information exchanged between different hosts or between hosts and
users.
• Unauthorized Access
• Grid security requirements should contain authentication mechanisms at the entry
points.
• Different authentication mechanisms should be supported. It is possible to have
different authentication mechanisms for different sites within a grid.
• The security protocol should be flexible and scalable to handle all the different
requirements and provide a seamless interface to the user.
• Also, there is a need for management and sharing of context.
Infrastructure Level Threats and Vulnerabilities
Grid Computing Threats and Vulnerabilities:
• Architecture-related issues
• Information Security
• Confidentiality
• The confidentiality requirements should include point-to-point transport as well as store
and forward mechanisms.
• Similar to the authentication mechanisms, there may be a need to define, store, and share
security contexts across different entities.
• Integrity
• Grid security mechanisms should include message integrity, which means that any
change made to the messages or documents can be identified by the receiver.
Infrastructure Level Threats and Vulnerabilities
Grid Computing Threats and Vulnerabilities:
• Architecture-related issues
• Information Security
• Single Sign-on
• In a grid environment, there may be instances where requests have to travel through
multiple security domains.
• There is a need for a single sign-on facility in the grid infrastructure.
• Delegation Vulnerabilities
• There may be a need for services to perform actions on a user’s behalf.
• Example: A computational job may require accessing a database many times.
• When dealing with delegation of authority from one entity to another, care should be
taken so that the authority transferred through delegation is scoped only to the task(s)
intended and a limited lifetime, to minimize misuse.
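Scoped, time-limited delegation as described above, shown as an added example that is not part of the original slides and is not any grid toolkit's API: a user delegates only the database read that a computational job needs, for one hour, and the resource owner checks delegate, lifetime and scope on every call. The HMAC key shared between issuer and verifier, the claim names and the function names are assumptions.

```python
import hashlib
import hmac
import json


def _sign(key, claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def delegate(key, user, service, actions, resource, issued_at, lifetime_s):
    """Issue a delegation that names the delegate, the task scope and the lifetime."""
    claims = {
        "user": user,                 # on whose behalf the service acts
        "delegate": service,          # the only party allowed to use the token
        "actions": sorted(actions),   # scope: what may be done ...
        "resource": resource,         # ... and on which resource
        "not_before": issued_at,
        "not_after": issued_at + lifetime_s,
    }
    return {"claims": claims, "sig": _sign(key, claims)}


def authorize(key, token, caller, action, resource, now):
    """Resource-side check; returns 'allowed' or the reason for refusal."""
    claims = token["claims"]
    if not hmac.compare_digest(_sign(key, claims), token["sig"]):
        return "bad-signature"        # claims were edited after issuance
    if caller != claims["delegate"]:
        return "wrong-delegate"       # token presented by someone else
    if not claims["not_before"] <= now <= claims["not_after"]:
        return "outside-lifetime"
    if resource != claims["resource"] or action not in claims["actions"]:
        return "out-of-scope"
    return "allowed"


if __name__ == "__main__":
    key = b"constructed-demo-key"     # constructed value, not a real secret
    tok = delegate(key, "alice", "job-42", ["db:read"], "results_db",
                   issued_at=0, lifetime_s=3600)
    print(authorize(key, tok, "job-42", "db:read", "results_db", now=10))
    print(authorize(key, tok, "job-42", "db:write", "results_db", now=10))
    print(authorize(key, tok, "job-42", "db:read", "results_db", now=7200))
```
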
Infrastructure Level Threats and Vulnerabilities
Grid Computing Threats and Vulnerabilities:
• Architecture-related issues
• Authorization
• Like any resource-sharing system, grid systems require resource-specific and system-specific
authorizations.
• It is particularly important for systems where the resources are shared between multiple
departments or organizations, and department-wide resource usage patterns are predefined.
• Each department can internally have a user-specific resource authorization as well.
• Scalability issues - Based on the number of users and amount of grid dynamism
• Security issues – Compromise at two levels: User level and System Level
• Revocation issues – If a user who was granted access is later found to be compromised,
that access must be denied.
• Inter-operability issues - Different authorization systems may be used by different parties
or virtual organizations and the important issue here is that of inter-operability of these
different authorization systems.
Infrastructure Level Threats and Vulnerabilities
Grid Computing Threats and Vulnerabilities:
• Architecture-related issues
• Service Level Security
• Service is ‘the occupation or function of serving’ or ‘the work performed by one that serves’.
• Service should always contain four basic components:
(1) A service provider or one who is providing the service to users.
(2) A set of service consumers who access the service provided by the service provider.
(3) A service infrastructure on which the service is provided.
(4) A set of service publishers which publish the type and nature of service provided.
• Example: Banking Services
• Attackers: Compromising the service infrastructure or the service publisher will have the
greatest effect.
Infrastructure Level Threats and Vulnerabilities
Grid Computing Threats and Vulnerabilities:
• Architecture-related issues
• Service Level Security
• Different categories of Threats
• QoS Violation – A company may end up losing a lot of money if service level agreements
(SLAs) are not met. Example: pizza delivery (if the delivery person arrives late, the delivery is free).
• Unauthorized access – Traditional problems of authentication and authorization.
• DoS Attack
Infrastructure Level Threats and Vulnerabilities
Grid Computing Threats and Vulnerabilities:
• Infrastructure-related issues
• The grid infrastructure consists of the grid nodes and the communication network.
• Host-level security issues: Data protection and Job starvation
• Network security issues assume significant importance, mainly due to the heterogeneity and high-
speed requirements of many grid applications.
• Grid Network issues
• When grids move to the enterprises, several interesting and critical challenges will be
witnessed.
• Another big challenge is integration with firewall technologies. Most enterprises employ
firewalls and packet filtering, and efforts will need to be taken to solve the problem of easy
integration with these.
Infrastructure Level Threats and Vulnerabilities
Grid Computing Threats and Vulnerabilities:
• Infrastructure-related issues
• Grid Network issues
• Globus and Firewall
• Globus is open-source grid software that addresses the most challenging problems in
distributed resource sharing.
Infrastructure Level Threats and Vulnerabilities
Grid Computing Threats and Vulnerabilities:
• Management-related issues
• Credential Management (CM)
• Management of credentials becomes very important in a grid context as there are multiple
different systems, which require varied credentials to access them.
• CM systems store and manage the credentials for a variety of systems and users can access them
according to their needs.
• This mandates that the CM system should provide secure transmission of credentials and secure
storage of credentials, and should cater to different types of systems and mechanisms.
• Different characteristics that a CM system requires:
• Initiation – Password-based, certificate-based, and so on
• Secure Storage
• Accessibility
• Renewal
• Translation
• Delegation
• Control
• Revocation
Infrastructure Level Threats and Vulnerabilities
Grid Computing Threats and Vulnerabilities:
• Management-related issues
• Trust Management
• Trust is a complicated concept, and the ability to generate, understand and build relationships based on trust varies
from individual to individual, situation to situation, society to society and environment to environment.
• Trust Management System (TMS) lifecycle:
• Trust creation phase – Policy-based or reputation based,
• trust functions: objective or subjective, transaction-based or opinion-based, complete or
localized, and threshold-based or rank-based.
• Trust negotiation phase - begins when a new entity or node joins the system.
• At the heart of the trust negotiation lie the policies and the policy language acceptable to both parties.
• Request – Key establishment phase – Session key
• Policy Exchange
• Credential exchange
• Trust Management phase
• Trust computation
• Trust distribution
• Trust storage
• Trust update
