Download - 15-446 Networked Systems Practicum
![Page 1: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/1.jpg)
15-446 Networked Systems Practicum
Lecture 13 – IP Weaknesses
1
![Page 2: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/2.jpg)
2
Overview
• Security holes
• Firewalls
• TCP receiver attacks
![Page 3: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/3.jpg)
3
Flashback .. Internet design goals
1. Interconnection2. Failure resilience3. Multiple types of service4. Variety of networks5. Management of resources6. Cost-effective7. Low entry-cost8. Accountability for resources
Where is security?
![Page 4: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/4.jpg)
4
Why did they leave it out?
• Designed for connectivity
• Network designed with implicit trust• No “bad” guys
• Can’t security be provided at the edge?• Encryption, Authentication etc• End-to-end arguments in system design
![Page 5: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/5.jpg)
5
Security Vulnerabilities
• At every layer in the protocol stack!
• Network-layer attacks• IP-level vulnerabilities• Routing attacks
• Transport-layer attacks• TCP vulnerabilities
• Application-layer attacks
![Page 6: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/6.jpg)
6
IP-level vulnerabilities
• IP addresses are provided by the source• Spoofing attacks
• Using IP address for authentication• e.g., login with .rhosts
• Some “features” that have been exploited• Fragmentation • Broadcast for traffic amplification
![Page 7: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/7.jpg)
7
Security Flaws in IP
• The IP addresses are filled in by the originating host• Address spoofing
• Using source address for authentication• r-utilities (rlogin, rsh, rhosts etc..)
InternetInternet
2.1.1.1 C
1.1.1.1 1.1.1.2A B
1.1.1.3 S
•Can A claim it is B to the server S?
•ARP Spoofing
•Can C claim it is B to the server S?
•Source Routing
![Page 8: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/8.jpg)
8
ARP Spoofing
• Attacker uses ARP protocol to associate MAC address of attacker with another host's IP address
• E.g. become the default gateway:• Forward packets to real gateway (interception)• Alter packets and forward (man-in-the-middle attack)• Use non-existant MAC address or just drop packets
(denial of service attack)
• ARP Spoofing used in hotel & airport networks to direct new hosts to register before getting "connected"
![Page 9: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/9.jpg)
9
Source Routing
• ARP spoofing cannot redirect packets to another network
• We have studied routing protocols: routers do all the work, so if you spoof an IP source address, replies go to the spoofed host
• An option in IP is to provide a route in the packet: source routing.
• Equivalent to tunneling.• Attack: spoof the host IP address and
specify a source route back to the attacker.
![Page 10: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/10.jpg)
ICMP
• Reports errors and other conditions from network to end hosts
• End hosts take actions to respond to error• No authentication
• Problem• An entity can easily forge a variety of ICMP error messages
• Redirect – informs end-hosts that it should be using different first hop route
• Fragmentation – can confuse path MTU discovery• Destination unreachable – can cause transport connections to be
dropped• Many more…
• http://www.sans.org/rr/whitepapers/threats/477.php
10
![Page 11: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/11.jpg)
11
ICMP Redirect
• ICMP Redirect message: tell a host to use a different gateway on the same network (saves a hop for future packets)
Host A
"Good" GatewayAttacker
Spoof an ICMP Redirect message from "Good" Gateway to redirect traffic through Attacker TCP packets
![Page 12: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/12.jpg)
12
Smurf Attack
Attacking System
InternetInternet
Broadcast Enabled Network
Broadcast Enabled Network
Victim System
Ping request to a broadcast addresswith source = victim'sIP address
Ping request to broadcast addresswith source = victim'sIP address
Ping reply from every host
Replies directedto victim
![Page 13: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/13.jpg)
13
Routing
• Source routing• Destinations are expected to reverse source
route for replies• Problem – Can force packets to be routed
through convenient monitoring point • Solution – Disallow source routing – doesn’t work
well anyway!
![Page 14: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/14.jpg)
14
Routing
• Routing protocol• Malicious hosts may advertise routes into
network• Problem – Bogus routes may enable host to
monitor traffic or deny service to others• Solutions
• Use policy mechanisms to only accept routes from or to certain networks/entities
• In link state routing, can use something like source routing to force packets onto valid route
• Routing registries and certificates
![Page 15: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/15.jpg)
15
Routing attacks
• Divert traffic to malicious nodes• Black-hole• Eavesdropping
• How to implement routing attacks?• Distance-Vector: Announce low-cost routes• Link-state: Dropping links from topology
• BGP vulnerabilities• Prefix-hijacking• Path alteration
• In early 2008, at least eight US Universities had their traffic diverted to Indonesia for about 90 minutes one morning in an attack kept mostly quiet by those involved. Also, in February 2008, a large portion of YouTube's address space was redirected to Pakistan when the PTA decided to block access to the site from inside the country, but accidentally blackholed the route in the global BGP table.
![Page 16: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/16.jpg)
16
DNS
• Users/hosts typically trust the host-address mapping provided by DNS
• Problems • Zone transfers can provide useful list of target
hosts• Interception of requests or comprise of DNS
servers can result in bogus responses• Solution – authenticated requests/responses
![Page 17: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/17.jpg)
17
Basic IP
• End hosts create IP packets and routers process them purely based on destination address alone (not quite in reality)
• Problem – End host may lie about other fields and not affect delivery• Source address – host may trick destination into
believing that packet is from trusted source• Many applications use IP address as a simple authentication
method• Solution – reverse path forwarding checks, better authentication
• Fragmentation – can consume memory resources or otherwise trick destination/firewalls• Solution – disallow fragments
![Page 18: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/18.jpg)
18
Bandwidth DOS Attacks
• Possible solutions• Ingress filtering – examine packets to identify bogus
source addresses• Link testing – how routers either explicitly identify which
hops are involved in attack or use controlled flooding and a network map to perturb attack traffic
• Logging – log packets at key routers and post-process to identify attacker’s path
• ICMP traceback – sample occasional packets and copy path info into special ICMP messages
• IP traceback
![Page 19: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/19.jpg)
19
TCP-level attacks
• SYN-Floods• Implementations create state at servers before
connection is fully established
• Session hijack• Pretend to be a trusted host• Sequence number guessing
• Session resets• Close a legitimate connection
![Page 20: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/20.jpg)
20
SYN Flooding
• Objective of attack: make a service unusable, usually by overloading the server or network
• Example: SYN flooding attack• Send SYN packets with bogus source address• Server responds with SYNACK keeps state about TCP
half-open connection• Eventually server memory is exhausted with this state
• Solution: SYN cookies – make the SYNACK contents purely a function of SYN contents, therefore, it can be recomputed on reception of next ACK
![Page 21: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/21.jpg)
22
TCP
• Each TCP connection has an agreed upon/negotiated set of associated state• Starting sequence numbers, port numbers• Knowing these parameters is sometimes used to
provide some sense of security
• Problem• Easy to guess these values
• Listening ports #’s are well known and connecting port #’s are typically allocated sequentially
• Starting sequence number are chosen in predictable way
• Solution – make sequence number selection more random
![Page 22: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/22.jpg)
23
An Example
Shimomura (S) Trusted (T)
Mitnick
Finger
• Finger @S
• showmount –e
• Send 20 SYN packets to S
• Attack when no one is around
• What other systems it trusts?
• Determine ISN behavior
Showmount -eSYN
![Page 23: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/23.jpg)
24
Shimomura (S) Trusted (T)
Mitnick
An Example
• Finger @S
• showmount –e
• Send 20 SYN packets to S
• SYN flood T
• Attack when no one is around
• What other systems it trusts?
• Determine ISN behavior
• T won’t respond to packets
Syn flood
X
![Page 24: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/24.jpg)
25
Shimomura (S) Trusted (T)
Mitnick
An Example
• Finger @S
• showmount –e
• Send 20 SYN packets to S
• SYN flood T
• Send SYN to S spoofing as T
• Send ACK to S with a guessed number
• Attack when no one is around
• What other systems it trusts?
• Determine ISN behavior
• T won’t respond to packets
• S assumes that it has a session with T
XSYN
SYN|ACK
ACK
![Page 25: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/25.jpg)
26
Shimomura (S) Trusted (T)
Mitnick
An Example
• Finger @S
• showmount –e
• Send 20 SYN packets to S
• SYN flood T
• Send SYN to S spoofing as T
• Send ACK to S with a guessed number
• Send “echo + + > ~/.rhosts”
• Attack when no one is around
• What other systems it trusts?
• Determine ISN behavior
• T won’t respond to packets
• S assumes that it has a session with T
• Give permission to anyone from anywhere
X++ > rhosts
![Page 26: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/26.jpg)
27
TCP Layer Attacks
• TCP Session Poisoning• Send RST packet
• Will tear down connection
• Do you have to guess the exact sequence number?• Anywhere in window is fine• For 64k window it takes 64k packets to reset• About 15 seconds for a T1
![Page 27: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/27.jpg)
28
TCP
• TCP senders assume that receivers behave in certain ways (e.g. when they send acks, etc.)• Congestion control is typically done on a “packet” basis while the
rest of TCP is based on bytes
• Problem – misbehaving receiver can trick sender into ignoring congestion control• Ack every byte in packet!• Send extra duplicate acks• Ack before the data is received (needs some application level
retransmission – e.g. HTTP 1.1 range requests)• Solutions
• Make congestion control byte oriented
• Add nonces to packets – acks return nonce to truly indicate reception
![Page 28: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/28.jpg)
29
Where do the problems come from?
• Protocol-level vulnerabilities• Implicit trust assumptions in design
• Implementation vulnerabilities• Both on routers and end-hosts
• Incomplete specifications• Often left to the imagination of programmers
![Page 29: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/29.jpg)
30
Overview
• Security holes
• Firewalls
• TCP receiver attacks
![Page 30: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/30.jpg)
Introduction
• TCP end-to-end congestion control mechanism implicitly rely on decent endpoints to decide proper data rate.
• But misbehaving senders can send data more quickly, forcing competing traffic to be delayed or discarded. Interestingly, receivers can do the same, too!
• Note that # of receivers is extremely large (all Internet users) and has both the incentive (faster download) and opportunity (open source OSes) to exploit this vulnerability.
31
![Page 31: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/31.jpg)
Quick Review of TCP Congestion Control
• Connection-oriented, reliable, ordered, • byte-stream protocol with explicit flow control• Divides data into SMSS (Sender Maximum
Segment Size), and labels with sequence #s to guarantee ordering and reliability
• When a host receives in-sequence segment, it sends an ACK, if an out-of-sequence segment is received, it sends next expected sequence #
• If no ACK received within a timeout, sender transmits again
32
![Page 32: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/32.jpg)
TCP Congestion Control Algorithms
• Both Slow Start and Congestion Avoidance controls sending rate by manipulating a congestion window (cwnd)
• Slow Start:• Quickly increase and decrease cwnd to roughly
approximate the bottleneck capacity (exponential)
• Congestion Avoidance:• Fine tuning. Increase cwnd more slowly to probe
additional bandwidth that may become available. (linear)
33
![Page 33: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/33.jpg)
Vulnerabilities
• Three types of attack:• ACK division• DupACK spoofing• Optimistic ACKing
• In addition to DoS attacks, these techniques can be used to enhance attacker’s throughput at the expense of behaving clients.
34
![Page 34: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/34.jpg)
Attack #1: ACK Division
• RFC 2581 (most recent TCP congestion control specification at the time of this paper) states
• During slow start, TCP increments cwnd by at most SMSS bytes for each ACK received that acknowledges new data
• …• During congestion avoidance, cwnd is incremented by
one full-sized segment per RTT (round trip time)
• The discord between the byte granularity of error control and the segment granularity of congestion control leads to vulnerability.
35
![Page 35: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/35.jpg)
Attack #1: ACK Division
• The Attack:• When you receive a data segment with N bytes• Divide corresponding ACK into M pieces, where
M N• Each separate ACK covers one of M distinct
pieces of received data
36
![Page 36: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/36.jpg)
Attack #1: ACK Division
• Each ACK is valid since it covers data that was sent and previously unacknowledged
• This leads the sender to grow cwnd M times faster than usual
• Receiver can control this rate of growth, maximum M = N
• As seen in the example, after one RTT, cwnd = 4, instead of the expected value of 2
37
Sample time line for ACK division attack.
![Page 37: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/37.jpg)
Attack #2: DupACK Spoofing
• TCP uses two algorithms, fast retransmit and fast recovery, to decrease the effects of packet loss
• Quoted from RFC 2581• Set cwnd to ssthresh plus 3*SMSS. This artificially
“inflates” the congestion window by the number of segments (3) that have left the network and which the receiver has buffered.
…• For each additional duplicate ACK received, increment
cwnd by SMSS. This artificially inflates the cwnd in order to reflect the additional segment that has left the network.
38
![Page 38: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/38.jpg)
Attack #2: DupACK Spoofing
• Two problems with this approach
• Byte vs. segment granularity problem
• TCP requires exact duplicate ACKs, therefore it’s impossible to understand which data segment they correspond to.• There’s no way to differentiate a valid duplicate ACK
with a spoofed one
39
![Page 39: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/39.jpg)
Attack #2: DupACK Spoofing
• The Attack
• When you receive a data segment, send lots of ACKs for the last sequence # received (at a start of a connection, this would be for the SYN segment)
40
![Page 40: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/40.jpg)
Attack #2: DupACK Spoofing
• The first four ACKs for the same sequence # cause the sender to retransmit the first segment.
• However, cwnd is increased by SMSS for each additional duplicate, for a total of 4 segments
• Since duplicate ACKs are indistinguishable, this attack is also valid.
41
Sample time line for DupACK attack.
![Page 41: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/41.jpg)
Attack #3: Optimistic ACKing
• Since TCP’s cwnd growth is a function of RTT (exponential during slow start, linear during congestion avoidance), sender-receiver pairs with shorter RTT will transfer data more quickly
• Hence, it’s possible for a receiver to emulate a shorter RTT by sending ACKs optimistically for data it has not received yet
42
![Page 42: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/42.jpg)
Attack #3: Optimistic ACKing
• The Attack:• When you receive a data segment, send lots of ACKs
anticipating data that will be sent by the sender
• This attack does not preserve end-to-end reliability, e.g. if a packet is lost, it’s unrecoverable• However, new features in HTTP-1.1 allows receivers to
request particular byte ranges• So, data is gathered on one connection and lost
segments are then collected selectively with application layer re-transmissions
43
![Page 43: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/43.jpg)
Attack #3: Optimistic ACKing
• What makes Optimistic ACKing more dangerous• After reaching to bottleneck rate, a receiver
sends ACKs in spite of losses• By concealing losses, it eliminates the only
congestion signal available to sender• A malicious attacker can conceal all losses and
leads the sender to increase cwnd indefinitely
44
![Page 44: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/44.jpg)
Attack #3: Optimistic ACKing
• Since senders generally send full-sized segments, it’s easy for a receiver to guess the correct sequence # to use in ACKs, but this accuracy is not mandatory
• If an ACK arrives for the data that has not yet been sent, this is generally ignored by sender – allowing the receiver to be more aggressive
45
Sample time line for Optimistic ACKing attack.
![Page 45: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/45.jpg)
Solution to ACK Division
• Ambiguity about how ACKs should be interpreted – violation of 2nd principle
• Two obvious solutions• Increment cwnd only proportional to the amount
of data ACKed• Increment cwnd by one SMSS only when a
valid ACK arrives covering the entire data segment sent• This technique is being used by Linux 2.2.x
46
![Page 46: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/46.jpg)
Solution: Cumulative Nonce
• Sender sends random number (nonce) with each packet
• Receiver sends cumulative sum of nonces
• if receiver detects loss, it sends back the last nonce it received
• Why cumulative?
47
![Page 47: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/47.jpg)
48
Overview
• Security holes
• Firewalls
• TCP receiver attacks
![Page 48: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/48.jpg)
49
Firewalls
• Basic problem – many network applications and protocols have security problems that are fixed over time• Difficult for users to keep up with changes and
keep host secure• Solution
• Administrators limit access to end hosts by using a firewall
• Firewall and limited number of machines at site are kept up-to-date by administrators
![Page 49: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/49.jpg)
50
Firewalls (contd…)
• Firewall inspects traffic through it• Allows traffic specified in the policy• Drops everything else• Two Types
• Packet Filters, Proxies
InternetInternet
Internal NetworkFirewall
![Page 50: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/50.jpg)
51
Typical Firewall Configuration
• Internal hosts can access DMZ and Internet
• External hosts can access DMZ only, not Intranet
• DMZ hosts can access Internet only
• Advantages?
• If a service gets compromised in DMZ it cannot affect internal hosts
InternetInternet
IntranetIntranet
DMZDMZ
XX
![Page 51: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/51.jpg)
52
Types of Firewalls
• Proxy• End host connects to proxy and asks it to perform actions on its
behalf• Policy determines if action is secure or insecure
• Transport level relays (SOCKS)• Ask proxy to create, accept TCP (or UDP) connection
• Cannot secure against insecure application
• Application level relays (e.g. HTTP, FTP, telnet, etc.)• Ask proxy to perform application action (e.g. HTTP Get, FTP transfer)
• Can use application action to determine security
• Requires applications (or dynamically linked libraries) to be modified to use the proxy
• Considered to be the most secure since it has most information to make decision
![Page 52: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/52.jpg)
54
Types of Firewalls:Packet Filters
• Selectively passes packets from one network interface to another
• Usually done within a router between external and internal network
• What/How to filter?• Packet Header Fields
• IP source and destination addresses• Application port numbers• ICMP message types/ Protocol options etc.
• Packet contents (payloads)
![Page 53: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/53.jpg)
Packet Filters: Possible Actions
• Allow the packet to go through
• Drop the packet (Notify Sender/Drop Silently)
• Alter the packet (NAT?)
• Log information about the packet
55
![Page 54: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/54.jpg)
56
Some examples
• Block all packets from outside except for SMTP servers
• Block all traffic to/from a list of domains
• Ingress filtering• Drop pkt from outside with addresses inside the network
• Egress filtering• Drop pkt from inside with addresses outside the network
![Page 55: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/55.jpg)
57
Firewall implementation
• Stateless packet filtering firewall
• Rule (Condition, Action)
• Rules are processed in top-down order• If a condition satisfied – action is taken
![Page 56: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/56.jpg)
Sample Firewall Rule
58
Dst Port
Alow
Allow
Yes
Any
> 1023
22
TCP22
TCP> 1023
ExtIntOutSSH-2
IntExtInSSH-1
Dst Addr Proto Ack Set? ActionSrc PortSrc Addr
DirRule
Allow SSH from external hosts to internal hostsTwo rules
Inbound and outbound
How to know a packet is for SSH?Inbound: src-port>1023, dst-port=22Outbound: src-port=22, dst-port>1023Protocol=TCP
Ack Set?Problems?
SYN
SYN/ACK
ACK
Client Server
![Page 57: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/57.jpg)
Default Firewall Rules
• Egress Filtering• Outbound traffic from external address Drop
• Benefits?
• Ingress Filtering• Inbound Traffic from internal address Drop
• Benefits?
• Default Deny• Why?
59
Any DenyAnyAnyAnyAnyAnyAny
Any
Dst Port
Any DenyAnyAnyIntAnyIntInIngress
DenyAnyAnyExtAnyExtOutEgress
Dst Addr
ProtoAck Set?
ActionSrc Port
Src Addr
DirRule
Default
![Page 58: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/58.jpg)
60
Packet Filters
• Advantages• Transparent to application/user
• Simple packet filters can be efficient
• Disadvantages• Usually fail open
• Very hard to configure the rules
• May only have coarse-grained information? • Does port 22 always mean SSH?
• Who is the user accessing the SSH?
![Page 59: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/59.jpg)
61
Types of Firewalls
• Stateful packet filters• Typically allow richer parsing of each packet (variable
length fields, application headers, etc.)• Actions can include the addition of new rules and the
creation of state to process future packets• Often have to parse application payload to determine “intent”
and determine security considerations
• Rules can be based on packet contents and state created by past packets
• Provides many of the security benefits of proxies but without having to modify applications
![Page 60: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/60.jpg)
62
Proxy Firewall
• Data Available• Application level information• User information
• Advantages?• Better policy enforcement• Better logging• Fail closed
• Disadvantages?• Doesn’t perform as well• One proxy for each application• Client modification
![Page 61: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/61.jpg)
63
Intrusion Detection Systems
• Firewalls allow traffic only to legitimate hosts and services
• Traffic to the legitimate hosts/services can have attacks
• Solution?• Intrusion Detection Systems• Monitor data and behavior• Report when identify attacks
![Page 62: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/62.jpg)
64
Classes of IDS
• What type of analysis?• Signature-based• Anomaly-based
• Where is it operating?• Network-based• Host-based
![Page 63: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/63.jpg)
Signature-based IDS
• Characteristics• Uses known pattern matching
to signify attack
• Advantages?• Widely available• Fairly fast• Easy to implement• Easy to update
• Disadvantages?• Cannot detect attacks for which it has no signature
65
![Page 64: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/64.jpg)
Anomaly-based IDS
• Characteristics• Uses statistical model or machine learning engine to characterize
normal usage behaviors• Recognizes departures from normal as potential intrusions
• Advantages?• Can detect attempts to exploit new and unforeseen vulnerabilities• Can recognize authorized usage that falls outside the normal
pattern
• Disadvantages?• Generally slower, more resource intensive compared to signature-
based IDS• Greater complexity, difficult to configure• Higher percentages of false alerts
66
![Page 65: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/65.jpg)
Network-based IDS
• Characteristics• NIDS examine raw packets in the network passively and triggers
alerts
• Advantages?• Easy deployment• Unobtrusive• Difficult to evade if done at low level of network operation
• Disadvantages?• Different hosts process packets differently• NIDS needs to create traffic seen at the end host• Need to have the complete network topology and complete host
behavior
67
![Page 66: 15-446 Networked Systems Practicum](https://reader036.vdocuments.site/reader036/viewer/2022070403/56813985550346895da11a02/html5/thumbnails/66.jpg)
68
Host-based IDS
• Characteristics• Runs on single host• Can analyze audit-trails, logs, integrity of files and
directories, etc.
• Advantages
• More accurate than NIDS
• Less volume of traffic so less overhead
• Disadvantages• Deployment is expensive• What happens when host get compromised?