Explore the trends in web-based security challenges, including DDoS attacks, phishing, spyware, and worms. Learn about defense methods like honeypots, SYN cookies, IP traceback, and secure overlay services.
Final Introduction ---- Web Security, DDoS, others
Cliff C. Zou, CAP6133, 04/07/08
Web-based Security Challenge
• Trend: all/most applications move to the WWW platform
  • Database, remote configuration, email, data hosting, video/music on demand, e-commerce…
• Complicated applications require interactive web browsers
  • Browsers support downloadable executables and plug-ins
    • ActiveX, JavaScript, Flash player, …
  • Many users have no idea of the security of downloadable plug-ins.
Web-based Attacks
• Phishing
  • Fake website that collects user account info.
  • Usually correlated with spam and botnets
• Spyware
  • Secretly installed in the form of a plug-in.
  • Comes with free software/games.
• Worm
  • Exploits a browser vulnerability
  • E.g., Nimda
Crawler-based Security Defense
• Central idea:
  • Honeypot
    • Use a VM with a vulnerable browser to connect to suspicious web servers
    • Trick malcode into installing on the VM's browser
    • Analyze, and then restart a clean VM for the next round
  • Automatic, active crawling
    • Actively find web servers and connect
    • Automatically execute simple user interactions
      • For download: install ActiveX, JavaScript, plug-ins.
Distributed Denial of Service (DDoS) Attack
• Send a large amount of traffic to a server so that the server has no resources left to serve normal users
• Attack formats:
  • Consume target memory/CPU resources
    • SYN flood (backscatter paper presented before)
    • Database queries…
  • Congest the target's Internet connection
    • Attack traffic from many sources overwhelms the target's link
• Very hard to defend
Why is it hard to defend against DDoS attacks?
• The Internet IP protocol has no built-in security
  • No authentication of the source IP
    • SYN flood with a faked source IP
    • However, the IP is genuine after the connection is set up
• Servers are supposed to accept unsolicited service requests
• Lack of ways to collaborate among the Internet community
  • How can you ask an ISP in another country to block certain traffic for you?
DDoS Defenses
• Increase server capacity
  • Cluster of machines, multi-CPUs, larger Internet access
• Use an Internet web caching service
  • E.g., Akamai
• Defense methods (many in research stage)
  • SYN cookies (http://en.wikipedia.org/wiki/SYN_cookies)
  • SOS
  • IP traceback
SYN Cookies
• SYN flood attack
  • Fills up the server's SYN queue
  • Property: the attacker does not respond to the SYN/ACK from the victim.
• Defense
  • Fact: a normal client responds to the SYN/ACK
  • Remove the initial SYN queue
  • The server encodes the connection info in the TCP sequence number
  • Use it to reconstruct the initial SYN
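To make the "encode info in the TCP sequence number" idea concrete, here is an added example (not from the slides) of the classic SYN cookie layout in Python: a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash of the 4-tuple packed into the 32-bit initial sequence number, so the server keeps no per-SYN state and a spoofed source that never answers the SYN/ACK costs it nothing. The secret key, MSS table, addresses and timestamps are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

# Constructed server secret for this example; a real stack uses a random per-boot key.
SECRET = b"example-secret-key-not-for-production"

# Small MSS table, as in the classic SYN cookie scheme: the 3-bit field encodes the
# largest table entry not exceeding the MSS the client offered in its SYN.
MSS_TABLE = [536, 1460]

def _mac24(src_ip, src_port, dst_ip, dst_port, counter, mss_idx):
    """24-bit keyed hash over the connection 4-tuple, time counter and MSS index."""
    msg = struct.pack("!4s4sHHBB", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                      src_port, dst_port, counter, mss_idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """Build the 32-bit ISN sent in the SYN/ACK; nothing is queued for this SYN."""
    counter = (now // 64) & 0x1F            # top 5 bits: time in 64-second slots
    mss_idx = 0                             # next 3 bits: index into MSS_TABLE
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    mac = int.from_bytes(_mac24(src_ip, src_port, dst_ip, dst_port, counter, mss_idx), "big")
    return (counter << 27) | (mss_idx << 24) | mac   # low 24 bits: the MAC

def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack, now):
    """Validate the third handshake packet's ACK; return the recovered MSS or None.

    A valid cookie proves the client really received our SYN/ACK at its source
    address, which a flooder with a spoofed source cannot do.
    """
    seq = (ack - 1) & 0xFFFFFFFF            # the client acknowledges our ISN + 1
    counter = seq >> 27
    mss_idx = (seq >> 24) & 0x7
    mac = (seq & 0xFFFFFF).to_bytes(3, "big")
    # Accept only the current or previous 64-second slot so stale cookies expire.
    age = (((now // 64) & 0x1F) - counter) & 0x1F
    if age > 1:
        return None
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, counter, mss_idx)
    if not hmac.compare_digest(mac, expected):
        return None
    return MSS_TABLE[mss_idx]
```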
DoS spoofed attack defense: IP traceback
• Suppose a victim can call upstream ISPs to block certain traffic
  • SYN flood: which traffic to block?
• IP traceback:
  • Find out the real attacking host behind a SYN flood
  • Based on the large number of attacking packets
  • Needs a little help from routers (packet marking)
SOS: Secure Overlay Service
• Central idea:
  • Use many machines to respond to TCP connections
  • Only set-up connections are relayed to the server
  • The identity of the server is secret
Security Patch Issue
• Fix vulnerabilities faster by automatic patching (XP)
• Problem:
  • Patches are not reliable
    • Crash, disrupt running applications
  • Many patches require a reboot
    • Not realistic for important servers
Shield
• Central idea:
  • Non-disruptive, temporary defense before the patch
  • Vulnerability-specific, exploit-generic
  • When a vulnerability is known, analyze it and deploy a shield filter on the vulnerable port
  • E.g., for an overflow of strcpy(), filter any input longer than the defined size