TCP/IP Vulnerabilities

TCP/IP Vulnerabilities. Outline Security Vulnerabilities Denial of Service Worms Countermeasures: Firewalls/IDS


Page 1: TCP/IP Vulnerabilities

Page 2: Outline

• Security Vulnerabilities
• Denial of Service
• Worms
• Countermeasures: Firewalls/IDS

Page 3: Internet design goals

1. Interconnection
2. Failure resilience
3. Multiple types of service
4. Variety of networks
5. Management of resources
6. Cost-effective
7. Low entry-cost
8. Accountability for resources

Where are the security issues?

Page 4: Why did they leave it out?

• Designed for simple connectivity
• Network designed with implicit trust
    • No "bad" guys
• Security may be provided at the edge
    • Encryption
    • Authentication

Page 5: Security Vulnerabilities

Unfortunately at every layer in the protocol stack!

• Network-layer attacks
    • IP-level vulnerabilities
    • Routing attacks
• Transport-layer attacks
    • TCP vulnerabilities
• Application-layer attacks

Page 6: Where do the problems come from?

• Protocol-level vulnerabilities
    • Implicit trust assumptions in the design
• Implementation vulnerabilities
    • Both on routers and end-hosts
• Incomplete specifications
    • Often left to the imagination of programmers

Page 7: IP-level vulnerabilities

• IP addresses are provided by the source
    • Spoofing attacks
• Use of the IP address for authentication
    • Remote commands (rsh, rlogin) allow remote login without explicit password authentication
• Some known exploits at the IP level
    • ARP spoofing
    • Fragmentation
    • Traffic amplification

Page 8: Routing attacks

• Divert traffic to malicious nodes
    • Black-hole attack
    • Eavesdropping
• Routing attacks: no authentication
    • Announce a lower-cost route in Distance-Vector routing
• BGP vulnerabilities
    • Prefix hijacking

Page 9: TCP-level attacks

• SYN flooding
    • Flood with incomplete connections to hold service resources
• Session hijacking
    • Sequence number guessing
    • Pretend to be a trusted host
• Session termination
    • Forge a packet to close a legitimate connection

Page 10: Application Vulnerabilities

• Application protocol attacks
• SPAM
• Phishing
• etc.

Page 11: Outline

• Security Vulnerabilities
• Denial of Service
• Worms
• Countermeasures: Firewalls/IDS

Page 12: Denial of Service

Make a service unusable by overloading the server or network

• Disrupt service by taking down hosts
    • e.g., ping-of-death
• Consume host-level resources
    • e.g., SYN floods
• Consume network resources
    • e.g., UDP/ICMP floods

Page 13: Outline

• Security Vulnerabilities
• Denial of Service
• Worms
• Countermeasures: Firewalls/IDS

Page 14: Worm Overview

• Self-propagates through the network
• Typical steps in worm propagation
    • Probe a host for vulnerable software
    • Exploit the vulnerability
    • Launch a copy of itself on the compromised host
• Very fast spreading with short windows to react

Page 15: The Case of Code-Red

• 12th July 2001: Code-Red Worm (CRv1) began
• 19th July 2001: Code-Red Worm (CRv2) began
    • 359,104 hosts were compromised in approximately 24 hours

Figures (from the CAIDA analysis): the total number of inactive hosts over time; the number of newly inactive hosts per minute
http://www.caida.org/analysis/security/code-red/coderedv2_analysis.xml

Worm growth: slow start, exponential phase, slow decay
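Added example, not from the slides or the CAIDA analysis: a small discrete-time simulation of the standard random-scanning epidemic model, which produces the slow-start / exponential / slow-decay curve named above. Every parameter (10,000 vulnerable hosts, a 1,000,000-address space, 10 scans per infected host per tick, one initial victim) and every function name is an assumption constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class WormParams:
    vulnerable: int        # N: vulnerable hosts (constructed value)
    address_space: int     # A: size of the address space the worm scans at random
    scan_rate: float       # s: scans issued per infected host per tick
    initial: int = 1       # I(0): hosts infected at release


def simulate(p: WormParams, ticks: int) -> List[float]:
    """Return the infected count I(t) for t = 0..ticks.

    Each infected host scans s random addresses per tick; a scan finds a
    vulnerable, still-uninfected host with probability (N - I) / A, so
    I(t+1) = I(t) + s * I(t) * (N - I(t)) / A   (the logistic epidemic model)."""
    curve = [float(p.initial)]
    for _ in range(ticks):
        i = curve[-1]
        newly = p.scan_rate * i * (p.vulnerable - i) / p.address_space
        curve.append(min(float(p.vulnerable), i + newly))
    return curve


def new_infections(curve: List[float]) -> List[float]:
    """Hosts infected during each tick (the per-minute quantity CAIDA plotted)."""
    return [later - earlier for earlier, later in zip(curve, curve[1:])]


def peak_tick(curve: List[float]) -> int:
    """Tick with the most new infections; the logistic model peaks near I = N/2."""
    rates = new_infections(curve)
    return max(range(len(rates)), key=rates.__getitem__)


def phase_boundaries(curve: List[float], n: int,
                     low: float = 0.05, high: float = 0.95) -> Tuple[int, int]:
    """Ticks at which the exponential phase and the slow decay begin, defined
    here as the first ticks with at least low*N and high*N hosts infected."""
    t_exp = next(t for t, i in enumerate(curve) if i >= low * n)
    t_decay = next(t for t, i in enumerate(curve) if i >= high * n)
    return t_exp, t_decay


# Constructed parameters: 10,000 vulnerable hosts in a 1,000,000-address space,
# 10 scans per infected host per tick, a single initial victim.
PARAMS = WormParams(vulnerable=10_000, address_space=1_000_000, scan_rate=10.0)

if __name__ == "__main__":
    curve = simulate(PARAMS, ticks=300)
    t_exp, t_decay = phase_boundaries(curve, PARAMS.vulnerable)
    print(f"slow start until tick {t_exp}, exponential phase until tick {t_decay}, "
          f"peak of new infections at tick {peak_tick(curve)}")
```

The curve is what the slide describes: almost nothing happens while few hosts scan, growth is then exponential because every new victim adds scanning capacity, and it tails off as scans increasingly hit already-infected or invulnerable addresses. Shrinking the window to react therefore means acting during the slow start, before the exponential phase.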

Page 16: Code Red Spreads (I)

July 19, Midnight: 159 hosts infected

Page 17: Code Red Spreads (II)

July 19, 11:40 am: 4,920 hosts infected

Page 18: Code Red Spreads (III)

July 20, Midnight: 341,015 hosts infected

Page 19: Animation of Code Red Spreads

Page 20: Animation of SQL Slammer Spreads

Page 21: Outline

• Security Vulnerabilities
• Denial of Service
• Worms
• Countermeasures: Firewalls/IDS

Page 22: Firewall

A firewall is a system or group of systems used to control access between two networks using pre-configured rules or filters.

Page 23: How to filter?

What to filter based on?

• Packet header fields
    • IP source and destination addresses
    • Application port numbers
    • ICMP message types / protocol options, etc.
• Packet contents (payloads)

Page 24: Some examples

• Block all packets from outside except those for the SMTP servers
• Block all traffic to/from a list of domains
• Ingress filtering: drop all packets from outside with source addresses inside the network
• Egress filtering: drop all packets from inside with source addresses outside the network

Page 25: Typical Firewall Configuration

• Internal hosts can access DMZ and Internet
• External hosts can access DMZ only, not Intranet
• DMZ hosts can access Internet only
• Advantages?
    • If a service gets compromised in the DMZ it cannot affect internal hosts

Diagram: Internet, Intranet and DMZ around the firewall, with the blocked path marked X

Page 26: Sample Firewall Rule

Rule   Dir  Src Addr  Src Port  Dst Addr  Dst Port  Proto  Ack Set?  Action
SSH-1  In   Ext       > 1023    Int       22        TCP    Any       Allow
SSH-2  Out  Int       22        Ext       > 1023    TCP    Yes       Allow

• Allow SSH from external hosts to internal hosts
    • Two rules: inbound and outbound
• How to know a packet is for SSH?
    • Inbound: src-port > 1023, dst-port = 22
    • Outbound: src-port = 22, dst-port > 1023
    • Protocol = TCP
• Ack Set?
    • Three-way handshake: Client → Server SYN; Server → Client SYN/ACK; Client → Server ACK
    • Only the first SYN of a connection has the ACK flag clear, so requiring ACK on the outbound rule lets internal hosts answer sessions that external clients opened but stops them from using source port 22 to open new connections outward
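Added example, not the slides' own code: the rule table above implemented as a first-match, default-deny packet filter, together with the ingress and egress anti-spoofing rules from the "Some examples" slide. The internal prefix 10.0.0.0/8, the rule and packet representations, the sample packets and all function names are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed internal address range (constructed for this example).
INTERNAL = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arriving from the Internet, "out" = leaving the intranet
    src: str
    sport: int
    dst: str
    dport: int
    proto: str              # "tcp", "udp" or "icmp"
    ack: bool = False       # TCP ACK flag; clear only on the first SYN of a handshake


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str          # "in", "out" or "any"
    src_side: str           # "ext", "int" or "any": which side the source address belongs to
    sport: str              # "22", ">1023" or "any"
    dst_side: str
    dport: str
    proto: str              # "tcp", "udp", "icmp" or "any"
    ack: str                # "yes", "no" or "any"  (the slide's "Ack Set?" column)
    action: str             # "allow" or "drop"


def side_of(addr: str) -> str:
    """Classify an address as inside ("int") or outside ("ext") the intranet."""
    return "int" if ip_address(addr) in INTERNAL else "ext"


def port_matches(spec: str, port: int) -> bool:
    """Match a port against a table entry such as "22", ">1023" or "any"."""
    if spec == "any":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every column of the rule matches the packet."""
    if rule.direction not in ("any", pkt.direction):
        return False
    if rule.src_side not in ("any", side_of(pkt.src)):
        return False
    if rule.dst_side not in ("any", side_of(pkt.dst)):
        return False
    if rule.proto not in ("any", pkt.proto):
        return False
    if not (port_matches(rule.sport, pkt.sport) and port_matches(rule.dport, pkt.dport)):
        return False
    if rule.ack == "yes" and not (pkt.proto == "tcp" and pkt.ack):
        return False
    if rule.ack == "no" and pkt.proto == "tcp" and pkt.ack:
        return False
    return True


# Rule table: anti-spoofing first, then the two SSH rules from the slide.
# First match wins; a packet matching no rule is dropped (default deny).
RULES: List[Rule] = [
    # ingress filtering: a packet arriving from outside must not claim an inside source address
    Rule("ingress-antispoof", "in", "int", "any", "any", "any", "any", "any", "drop"),
    # egress filtering: a packet leaving the intranet must not claim an outside source address
    Rule("egress-antispoof", "out", "ext", "any", "any", "any", "any", "any", "drop"),
    Rule("SSH-1", "in", "ext", ">1023", "int", "22", "tcp", "any", "allow"),
    Rule("SSH-2", "out", "int", "22", "ext", ">1023", "tcp", "yes", "allow"),
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, Optional[str]]:
    """Return (action, name of the matching rule or None) for a packet."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "drop", None


# Constructed sample packets (private and documentation address ranges only).
SAMPLE_PACKETS = {
    "ssh_syn_in": Packet("in", "198.51.100.7", 40000, "10.1.2.3", 22, "tcp"),
    "ssh_synack_out": Packet("out", "10.1.2.3", 22, "198.51.100.7", 40000, "tcp", ack=True),
    "port22_initiate_out": Packet("out", "10.1.2.3", 22, "198.51.100.7", 40000, "tcp", ack=False),
    "spoofed_internal_src": Packet("in", "10.9.9.9", 40000, "10.1.2.3", 22, "tcp"),
    "telnet_in": Packet("in", "198.51.100.7", 40000, "10.1.2.3", 23, "tcp"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS.items():
        print(f"{label:22s} -> {filter_packet(pkt)}")
```

The third sample packet is the case the "Ack Set?" column exists for: an internal host sending from port 22 without ACK is trying to open a connection, not answer one, and SSH-2 refuses it. The fourth shows why the anti-spoofing rules sit above the SSH rules: without them, an inbound packet claiming a 10.0.0.0/8 source would still be judged only on ports and protocol.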

Page 27: Intrusion Detection

• An IDS is an automated system intended to detect computer intrusions
• To identify, preferably in real-time, unauthorized use, misuse, and abuse of computer systems

Page 28: Basic IDS Architecture

Diagram components: System → Audits → Detector (with Database and Configuration) → Alarm → Countermeasure → Action

Page 29: Detection Method

• Misuse detection
    • Looking for attempts to exploit known vulnerabilities or attack patterns
    • Typically low false alarms
    • Difficult to gather all attack signatures
• Anomaly detection
    • Observing a deviation from the normal behavior of a system or user to detect intrusions
    • Can detect new or unseen vulnerabilities or attack patterns
    • Typically a lot of false alarms
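Added example, not from the slides: the two detection methods run side by side over a constructed one-minute web access log. The log lines, the two signatures, the baseline counts, the mean-plus-three-standard-deviations threshold and all function names are assumptions made for this illustration. It shows the trade-off the slide states: the misuse detector catches the two known patterns with no false alarm but misses a source that rapidly probes many pages, while the anomaly detector catches that source but also flags a busy, legitimate crawler.

```python
import statistics
from collections import Counter
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]


def parse_log(lines: List[str]) -> List[Record]:
    """Parse constructed access-log lines of the form '<time> <src-ip> <method> <path>'."""
    records = []
    for line in lines:
        ts, src, method, path = line.split(" ", 3)
        records.append({"ts": ts, "src": src, "method": method, "path": path})
    return records


# Misuse detection: signatures for known attack patterns (constructed examples).
SIGNATURES: Dict[str, Callable[[Record], bool]] = {
    "path-traversal": lambda r: "../" in r["path"],
    "oversized-uri": lambda r: len(r["path"]) > 200,   # long-request pattern typical of overflow attempts
}


def misuse_detect(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Return (src, time, signature) for every record matching a known signature.
    Anything without a signature, such as rapid probing of ordinary pages, is missed."""
    hits = []
    for r in records:
        for name, matches in SIGNATURES.items():
            if matches(r):
                hits.append((r["src"], r["ts"], name))
    return hits


# Anomaly detection: per-source request counts seen in a quiet training window
# (constructed numbers) define what "normal" looks like.
BASELINE_COUNTS = [3, 4, 2, 5, 3, 4, 3, 6, 2, 4]


def anomaly_threshold(baseline: List[int], k: float = 3.0) -> float:
    """Normal = mean + k standard deviations of the training counts."""
    return statistics.mean(baseline) + k * statistics.stdev(baseline)


def anomaly_detect(baseline: List[int], records: List[Record],
                   k: float = 3.0) -> List[Tuple[str, int]]:
    """Flag sources whose request count exceeds the threshold, regardless of what
    the requests look like; a busy legitimate source is flagged too (false alarm)."""
    threshold = anomaly_threshold(baseline, k)
    counts = Counter(r["src"] for r in records)
    flagged = [(src, n) for src, n in counts.items() if n > threshold]
    return sorted(flagged, key=lambda item: -item[1])


# Constructed one-minute window of traffic (documentation address ranges).
WINDOW_LOG = (
    [
        "12:00:01 203.0.113.5 GET /index.html",                    # ordinary visitor
        "12:00:04 203.0.113.5 GET /about.html",
        "12:00:07 198.51.100.9 GET /static/../../../etc/passwd",   # known pattern, single request
        "12:00:09 198.51.100.9 GET /" + "A" * 300,                  # known pattern, single request
    ]
    # one source rapidly requesting many different pages (no signature matches)
    + [f"12:00:{10 + i:02d} 192.0.2.77 GET /page{i}.html" for i in range(12)]
    # a busy but legitimate crawler: robots.txt first, then eight documents
    + [f"12:00:{30 + i:02d} 192.0.2.40 GET /{p}"
       for i, p in enumerate(["robots.txt"] + [f"doc{i}.html" for i in range(8)])]
)

if __name__ == "__main__":
    records = parse_log(WINDOW_LOG)
    print("misuse hits :", misuse_detect(records))
    print("anomaly hits:", anomaly_detect(BASELINE_COUNTS, records))
```

With these constructed numbers the threshold works out to about 7.4 requests per minute, so both the probing source (12 requests) and the crawler (9 requests) are flagged while the single path-traversal request is not; only the signature detector sees that one. In practice the two are combined, and the anomaly threshold is tuned against the false-alarm rate an analyst can absorb.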

Page 30: Audit Source Location

Diagram: host-based IDS, where each monitored host runs its own IDS (Host/IDS); network-based IDS, where a separate IDS observes the traffic of several hosts

• Host-based IDS
• Network-based IDS

Page 31: Next Generation Firewall

• Layer 7 content inspection
• Integration of firewall/IDS

Page 32: Summary

• Security vulnerabilities are real!
    • Protocol or implementation or bad specs
    • Poor programming practices
    • At all layers in the protocol stack
• DoS/DDoS
    • Resource utilization
• Worms
    • Exponential spread
    • Scanning strategies
• Firewall/IDS
    • Counter-measures to protect hosts
    • Fail-open vs. fail-close?