
TCP/IP Vulnerabilities

Explore vulnerabilities in TCP/IP design & ways to mitigate risks. Learn about denial of service attacks, worms, firewall configurations, and security best practices.



  1. TCP/IP Vulnerabilities

  2. Internet design goals • Interconnection • Failure resilience • Multiple types of service • Variety of networks • Management of resources • Cost-effective • Low entry-cost • Accountability for resources Where are the security issues?

  3. Why did they leave it out? • Designed for simple connectivity • Network designed with implicit trust • No “bad” guys • Security may be provided at the edge • Encryption • Authentication

  4. Security Vulnerabilities • Unfortunately, at every layer in the protocol stack! • Network-layer attacks • IP-level vulnerabilities • Routing attacks • Transport-layer attacks • TCP vulnerabilities • Application-layer attacks

  5. Where do the problems come from? • Protocol-level vulnerabilities • Implicit trust assumptions in design • Implementation vulnerabilities • Both on routers and end-hosts • Incomplete specifications • Often left to the imagination of programmers

  6. IP-level vulnerabilities • IP source addresses are supplied by the sender and never verified in transit • Spoofing attacks • Use of IP address for authentication • Remote command services (rsh, rlogin) allow remote login without explicit password authentication, trusting only the source address • Some commonly exploited IP features • Fragmentation • Traffic amplification

  7. Routing attacks • Divert traffic to malicious nodes • Black-hole attack • Eavesdropping • Route announcements are not authenticated • Announce a lower-cost route in a distance-vector protocol • BGP vulnerabilities • Prefix hijacking

  8. TCP-level attacks • SYN flooding • Flood the server with incomplete (half-open) connections to tie up service resources • Session hijacking • Sequence number guessing • Pretend to be a trusted host • Session termination • Forge a packet (e.g., a RST with a valid sequence number) to close a legitimate connection

  9. Application Vulnerabilities • Application Protocol Attack • SPAM • Phishing • etc.

  10. Outline • Security Vulnerabilities • Denial of Service • Worms • Countermeasures: Firewalls/IDS

  11. Denial of Service • Make a service unusable by overloading the server or network • Disrupt service by taking down hosts • e.g., ping-of-death (oversized ICMP echo that crashes a vulnerable IP stack) • Consume host-level resources • e.g., SYN floods • Consume network resources • e.g., UDP/ICMP floods
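The SYN-flood case from slides 8 and 11, as an added example that is not part of the original presentation: a listener with a fixed half-open backlog is compared with a stateless SYN-cookie listener. The cookie scheme (a keyed MAC over the connection tuple and a time slot, carried in the server's initial sequence number) is a standard mitigation that the slides do not cover; addresses, ports, the secret and the backlog size are constructed for the example.

```python
# Added example (not from the slides): a SYN flood fills a listener's fixed
# half-open connection backlog so legitimate clients are refused, while a
# stateless SYN cookie lets the server answer SYNs without storing anything
# until a valid ACK returns. Addresses, ports, secret and sizes are constructed.
import hashlib
import hmac


class BacklogListener:
    """Stateful listener: every SYN occupies a backlog slot until the ACK arrives."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = {}   # (src_ip, src_port) -> server initial sequence number
        self.dropped = 0

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1       # backlog full: this SYN (attacker's or not) is lost
            return None
        digest = hashlib.sha256(f"{src_ip}:{src_port}".encode()).digest()
        isn = int.from_bytes(digest[:4], "big")
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack):
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF


class SynCookieListener:
    """Stateless listener: the ISN is a keyed MAC over the connection tuple and a
    coarse time slot, so it can be re-derived and checked when the ACK comes."""

    def __init__(self, secret, dst_port=22):
        self.secret = secret
        self.dst_port = dst_port

    def cookie(self, src_ip, src_port, slot):
        msg = f"{src_ip}:{src_port}:{self.dst_port}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # top 5 bits: time slot (for expiry); low 27 bits: truncated MAC
        return ((slot & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

    def on_syn(self, src_ip, src_port, slot):
        return self.cookie(src_ip, src_port, slot)   # nothing is stored

    def on_ack(self, src_ip, src_port, ack, slot):
        isn = (ack - 1) & 0xFFFFFFFF
        for candidate in (slot, slot - 1):           # accept the current or previous slot
            if (candidate & 0x1F) == isn >> 27 and self.cookie(src_ip, src_port, candidate) == isn:
                return True
        return False


def simulate(attack_syns=1000, backlog=128, slot=100):
    """Send attack_syns spoofed SYNs (never completed) to both listeners,
    then let one legitimate client attempt a full handshake against each."""
    plain = BacklogListener(backlog)
    cookies = SynCookieListener(b"constructed-secret")
    for i in range(attack_syns):
        spoofed_ip, spoofed_port = f"203.0.113.{i % 256}", 1024 + i   # constructed
        plain.on_syn(spoofed_ip, spoofed_port)
        cookies.on_syn(spoofed_ip, spoofed_port, slot)

    client = ("198.51.100.7", 40000)   # constructed legitimate client
    isn = plain.on_syn(*client)
    plain_ok = isn is not None and plain.on_ack(*client, (isn + 1) & 0xFFFFFFFF)

    isn = cookies.on_syn(*client, slot)
    cookie_ok = cookies.on_ack(*client, (isn + 1) & 0xFFFFFFFF, slot)
    forged_ok = cookies.on_ack(*client, 12345, slot)   # ACK that never answered a real SYN/ACK
    return {
        "plain_accepts_client": plain_ok,
        "plain_dropped_syns": plain.dropped,
        "cookie_accepts_client": cookie_ok,
        "cookie_accepts_forged": forged_ok,
    }


if __name__ == "__main__":
    print(simulate())
```

With 1000 spoofed SYNs against a backlog of 128, the stateful listener drops 872 attack SYNs and then the legitimate client's SYN as well, so the client never connects; the cookie listener accepts the client and rejects an ACK that does not decode to a cookie it could have issued. Real SYN-cookie implementations also encode the client's MSS in the low bits and lose TCP options that the cookie cannot carry, which is why they are usually enabled only once the backlog fills.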

  12. Outline • Security Vulnerabilities • Denial of Service • Worms • Countermeasures: Firewalls/IDS

  13. Worm Overview • Self-propagate through network • Typical Steps in Worm Propagation • Probe host for vulnerable software • Exploit the vulnerability • Launches copy of itself on compromised host • Very fast spreading with short windows to react

  14. Worm • Not attached but spreads by itself • Exploit system vulnerability like buffer overflow or flawed protocol • Consume system resources • Modify system configurations • Typical Steps in Worm Propagation • Probe host for vulnerable software • Exploit the vulnerability • Launches copy of itself on compromised host

  15. The Case of Code-Red • 12 July 2001: Code-Red worm (CRv1) began • 19 July 2001: Code-Red worm (CRv2) began • 359,104 hosts were compromised in approximately 24 hours • [Figures: the total number of inactive hosts over time; the number of newly inactive hosts per minute] • Source: http://www.caida.org/analysis/security/code-red/coderedv2_analysis.xml • Worm growth: slow-start, exponential phase, slow decay
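The three growth phases named on the slide, as an added example that is not part of the original presentation: a random-scanning worm modelled as an epidemic over the IPv4 address space, integrated numerically. The scan rate, vulnerable population, patch rate and time step are assumed values chosen to give a Code-Red-like time scale, not figures taken from the CAIDA analysis.

```python
# Added example (not from the slides): a random-scanning worm modelled as an
# epidemic over the IPv4 address space, to show the slow-start, exponential
# and decay phases. Scan rate, vulnerable population and patch rate are
# assumed values, not measurements from the Code Red data.
import math

ADDRESS_SPACE = 2 ** 32


def simulate(hours=24.0, scan_rate=10.0, vulnerable=360_000,
             removal_rate=0.0, initially_infected=1, dt=60.0):
    """Euler-integrate dI/dt = s*I*(V - I - R)/2^32 - r*I (I infected, R removed).

    Each infected host sends scan_rate probes per second to random addresses;
    a probe that hits a still-vulnerable host infects it. removal_rate is the
    per-second rate at which infected hosts are patched or taken offline.
    Returns a list of (hours, infected) samples."""
    infected, removed = float(initially_infected), 0.0
    series = [(0.0, infected)]
    steps = int(hours * 3600 / dt)
    for step in range(1, steps + 1):
        susceptible = max(vulnerable - infected - removed, 0.0)
        new_infections = scan_rate * infected * susceptible / ADDRESS_SPACE * dt
        newly_removed = removal_rate * infected * dt
        infected += new_infections - newly_removed
        removed += newly_removed
        series.append((step * dt / 3600, infected))
    return series


def phase_times(series, total):
    """Hours at which the infected count first reaches 1%, 50% and 99% of total
    (None if never reached)."""
    out = {}
    for label, frac in (("1%", 0.01), ("50%", 0.5), ("99%", 0.99)):
        out[label] = next((t for t, i in series if i >= frac * total), None)
    return out


def doubling_time_hours(scan_rate, vulnerable):
    """Early-phase doubling time: while I << V the model is dI/dt ~ K*I with
    K = scan_rate * vulnerable / 2^32, so I doubles every ln(2)/K seconds."""
    k = scan_rate * vulnerable / ADDRESS_SPACE
    return math.log(2) / k / 3600


if __name__ == "__main__":
    growth = simulate()
    print("doubling time (h):", round(doubling_time_hours(10.0, 360_000), 2))
    print("phases:", phase_times(growth, 360_000))
    decay = simulate(hours=72.0, removal_rate=1 / (24 * 3600))
    peak = max(i for _, i in decay)
    print("peak infected:", round(peak), "infected at 72h:", round(decay[-1][1]))
```

Under these assumptions the slow-start phase (from one host to 1% of the vulnerable population) takes longer than the climb from 1% to 50%, because the early growth rate is proportional to the tiny number of infected hosts; the exponential phase then saturates as the remaining susceptible pool shrinks, and the decay phase appears only when a removal term (patching, hosts going offline, or the worm deactivating itself) is added.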

  16. Code Red spread (I) • July 19, midnight: 159 hosts infected

  17. Code Red spread (II) • July 19, 11:40 am: 4,920 hosts infected

  18. Code Red spread (III) • July 20, midnight: 341,015 hosts infected

  19. Animation of the Code Red spread

  20. Animation of the SQL Slammer spread

  21. Outline • Security Vulnerabilities • Denial of Service • Worms • Countermeasures: Firewalls/IDS

  22. Firewall • A Firewall is a system or group of systems used to control access between two networks using pre-configured rules or filters

  23. How to filter? • What to filter based on? • Packet Header Fields • IP source and destination addresses • Application port numbers • ICMP message types/ Protocol options etc. • Packet contents (payloads)

  24. Some examples • Block all packets from outside except those destined for the SMTP servers • Block all traffic to/from a list of domains • Ingress filtering • Drop all packets arriving from outside whose source address is inside the network • Egress filtering • Drop all packets leaving from inside whose source address is outside the network

  25. Typical Firewall Configuration • [Figure: three zones, Internet, DMZ and Intranet, with the blocked paths marked X] • Internal hosts can access DMZ and Internet • External hosts can access DMZ only, not Intranet • DMZ hosts can access Internet only • Advantages? • If a service gets compromised in the DMZ it cannot affect internal hosts

  26. Sample Firewall Rule • Allow SSH from external hosts to internal hosts • Two rules: inbound and outbound • How to know a packet is for SSH? • Inbound: src-port > 1023, dst-port = 22 • Outbound: src-port = 22, dst-port > 1023 • Protocol = TCP • Ack set? [Figure: client/server three-way handshake, SYN, SYN/ACK, ACK] • Only the client's initial SYN lacks the ACK flag, so requiring ACK on the outbound rule lets the server's SYN/ACK and data through but stops an internal host from opening a new connection outward from port 22

  Rule   Dir  Src Addr  Src Port  Dst Addr  Dst Port  Proto  Ack Set?  Action
  SSH-1  In   Ext       > 1023    Int       22        TCP    Any       Allow
  SSH-2  Out  Int       22        Ext       > 1023    TCP    Yes       Allow
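The filtering examples from slide 24 and the SSH rule table from slide 26, as an added example that is not part of the original presentation: a small first-match packet filter that encodes the ingress and egress anti-spoofing rules together with SSH-1 and SSH-2, with default deny, and applies them to constructed packets. The 10.0.0.0/8 intranet range, the rule names for the anti-spoofing rules, and all addresses and ports are assumptions for the example.

```python
# Added example (not from the slides): a tiny first-match packet filter that
# encodes the SSH-1/SSH-2 rules above, plus ingress and egress anti-spoofing
# rules, and applies them to constructed packets. The 10.0.0.0/8 intranet
# range and all addresses below are assumptions for the example.
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed intranet range


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (Internet -> intranet) or "out" (intranet -> Internet)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ack: bool        # TCP ACK flag set?


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "in", "out" or "any"
    src: str         # "int", "ext" or "any"
    sport: object    # port number, ">1023" or "any"
    dst: str
    dport: object
    proto: str       # "tcp", "udp", "icmp" or "any"
    ack: object      # True, False or "any"
    action: str      # "allow" or "drop"

    def matches(self, p):
        return (_side_ok(p.direction, self.direction)
                and _addr_ok(p.src, self.src) and _addr_ok(p.dst, self.dst)
                and _port_ok(p.sport, self.sport) and _port_ok(p.dport, self.dport)
                and self.proto in ("any", p.proto)
                and self.ack in ("any", p.ack))


def _side_ok(value, spec):
    return spec == "any" or value == spec


def _addr_ok(addr, spec):
    if spec == "any":
        return True
    inside = ipaddress.ip_address(addr) in INTERNAL
    return inside if spec == "int" else not inside


def _port_ok(port, spec):
    if spec == "any":
        return True
    if spec == ">1023":
        return port > 1023
    return port == spec


RULES = [
    # Ingress filtering: a packet from outside must not claim an inside source.
    Rule("ingress-anti-spoof", "in", "int", "any", "any", "any", "any", "any", "drop"),
    # Egress filtering: a packet from inside must not claim an outside source.
    Rule("egress-anti-spoof", "out", "ext", "any", "any", "any", "any", "any", "drop"),
    # The two SSH rules from the table above.
    Rule("SSH-1", "in", "ext", ">1023", "int", 22, "tcp", "any", "allow"),
    Rule("SSH-2", "out", "int", 22, "ext", ">1023", "tcp", True, "allow"),
]


def filter_packet(packet, rules=RULES):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return "drop", "default-deny"


# Constructed traffic: a legitimate SSH handshake, two spoofed packets, an
# internal host trying to open a new connection outward from port 22, and telnet.
SAMPLE = {
    "ssh-syn-in":      Packet("in",  "198.51.100.7", 40000, "10.0.0.5",     22,    "tcp", False),
    "ssh-synack-out":  Packet("out", "10.0.0.5",     22,    "198.51.100.7", 40000, "tcp", True),
    "spoofed-in":      Packet("in",  "10.0.0.9",     40000, "10.0.0.5",     22,    "tcp", False),
    "spoofed-out":     Packet("out", "192.0.2.1",    5555,  "198.51.100.7", 80,    "tcp", False),
    "syn-from-22-out": Packet("out", "10.0.0.5",     22,    "198.51.100.7", 40000, "tcp", False),
    "telnet-in":       Packet("in",  "198.51.100.7", 40000, "10.0.0.5",     23,    "tcp", False),
}


def run_samples():
    return {name: filter_packet(p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16} -> {verdict}")
```

Rule order matters: the anti-spoofing rules sit first so that a packet arriving from the Internet with a 10.x source is dropped before SSH-1 could accept it. The "syn-from-22-out" packet shows what the Ack Set? column buys: without it, SSH-2 would also let an inside host start its own connection from port 22 to any high port outside.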

  27. Intrusion Detection • An IDS is an automated system intended to detect computer intrusions • It identifies, preferably in real time, unauthorized use, misuse, and abuse of computer systems

  28. Basic IDS Architecture

  29. Detection Method • Misuse detection • Looks for attempts to exploit known vulnerabilities or known attack patterns (signatures) • Typically few false alarms • Difficult to gather signatures for all attacks; novel attacks are missed • Anomaly detection • Observes deviation from the normal behavior of a system or user to detect intrusions • Can detect new or unseen vulnerabilities or attack patterns • Typically many false alarms
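The two detection methods side by side, as an added example that is not part of the original presentation: a signature matcher and a request-rate anomaly detector run over constructed web-server log lines. The log lines, client addresses, the three-sigma threshold and the second signature are constructed for the example; the first signature is modelled on the "GET /default.ida?NNNN..." request Code Red sent to exploit the IIS .ida overflow.

```python
# Added example (not from the slides): misuse (signature) detection and a
# simple anomaly detector run over constructed web-server log lines, showing
# the trade-off described above. The log lines, hosts and threshold are
# constructed for the example.
import re
import statistics
from collections import Counter

# Misuse detection: patterns of known attacks. The first is modelled on the
# "GET /default.ida?NNNN..." request with which Code Red hit the IIS .ida overflow.
SIGNATURES = {
    "code-red-ida": re.compile(r"GET /default\.ida\?N{20,}"),
    "directory-traversal": re.compile(r"\.\./"),
}

LOG_RE = re.compile(r'(\S+) - - \[([^\]]+)\] "([^"]*)" (\d{3})')


def parse(line):
    """Parse a common-log-format line into its client IP, request and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group(1), "request": m.group(3), "status": int(m.group(4))}


def misuse_detect(lines):
    """Return (signature, client_ip) for every line matching a known pattern."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["request"]):
                alerts.append((name, rec["ip"]))
    return alerts


def build_threshold(training_lines, sigmas=3.0):
    """Learn 'normal' requests-per-client from a clean window: mean + sigmas*stddev."""
    counts = Counter(rec["ip"] for rec in filter(None, map(parse, training_lines)))
    values = list(counts.values())
    return statistics.fmean(values) + sigmas * statistics.pstdev(values)


def anomaly_detect(lines, threshold):
    """Flag any client whose request count in the window exceeds the threshold."""
    counts = Counter(rec["ip"] for rec in filter(None, map(parse, lines)))
    return sorted(ip for ip, n in counts.items() if n > threshold)


def _requests(ip, n, path="/index.html"):
    # constructed normal traffic
    return [f'{ip} - - [19/Jul/2001:00:00:{i:02d} +0000] "GET {path} HTTP/1.0" 200'
            for i in range(n)]


def _scan(ip, n):
    # constructed scanner: many requests for different, non-existent paths
    return [f'{ip} - - [19/Jul/2001:00:01:{i:02d} +0000] "GET /probe{i}.cgi HTTP/1.0" 404'
            for i in range(n)]


# Clean training window: five clients making 3-5 requests each.
TRAINING = sum((_requests(f"198.51.100.{i}", n)
                for i, n in zip(range(1, 6), (3, 4, 3, 5, 4))), [])

# Detection window: a normal client, a busy-but-legitimate client, one Code Red
# style request, an unknown scanner (no signature for it) and a traversal attempt.
WINDOW = (
    _requests("198.51.100.7", 4)
    + _requests("198.51.100.9", 8)
    + ['203.0.113.5 - - [19/Jul/2001:00:02:00 +0000] "GET /default.ida?'
       + "N" * 30 + '%u9090%u6858 HTTP/1.0" 200']
    + _scan("203.0.113.66", 40)
    + ['203.0.113.77 - - [19/Jul/2001:00:03:00 +0000] "GET /../../etc/passwd HTTP/1.0" 403']
)


def run():
    threshold = build_threshold(TRAINING)
    return {
        "threshold": threshold,
        "misuse": misuse_detect(WINDOW),
        "anomaly": anomaly_detect(WINDOW, threshold),
    }


if __name__ == "__main__":
    result = run()
    print(f"anomaly threshold: {result['threshold']:.2f} requests/client")
    print("misuse alerts:", result["misuse"])      # known attacks only; the scanner is missed
    print("anomaly alerts:", result["anomaly"])    # catches the scanner, also flags the busy client
```

The output shows the trade-off from the slide: the signature matcher raises exactly two alerts, both true positives, but says nothing about the scanner because no signature exists for it; the anomaly detector catches the scanner without any prior knowledge of it, yet also flags the busy legitimate client and never sees the single Code Red request, which is one line among many.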

  30. Audit Source Location • Host-based IDS: the sensor runs on each monitored host and audits that host's own activity • Network-based IDS: a sensor on the network observes traffic to and from many hosts [Figure: host-based vs. network-based IDS placement]

  31. Summary • Security vulnerabilities are real! • Protocol or implementation or bad specs • Poor programming practices • At all layers in protocol stack • DoS/DDoS • Resource utilization • Worm • Exponential spread • Scanning strategies • Firewall/IDS • Counter-measures to protect hosts • Fail-open vs. Fail-close?
