Internet Security

Outline

• What’s the problem?• How prevalent are security attacks?• Denial of Service attacks• Spoofing• Network applications exposures• Prevention• Detection• Follow up• Top 12 recommendations

Problems

• Complexity of systems– Patchwork of untrustworthy parts– Even mature subsystems (Unix, Windows, Word)

poorly understood– All systems have errors (buffer overflows,

unchecked input, inadequate testing …)– Humans are part of the system– Rapid change & introduction of new parts changes

environment (active content, streaming content)

• Security is in tension with ease of use and friendliness, so unpopular

Network Vulnerabilities

• ARP cache flooding

• DHCP spoofing

• DNS cannot be trusted

• Little IP address authentication

• Integrity checks are minimal

• Denial of service attacks are easy to stage

• Security not part of original network design

• Changing things (to improve security) breaks compatibility

DoS flood attacks

• Flooding to provide Denial of Service (DoS):– DoS attacks deny resources of a remote host or

networks that would otherwise be used by legitimate users

– Flooding attacks overwhelm victim’s CPU, memory or network resources by sending large numbers of spurious requests.

• Difficult to tell “good” requests from “bad” so hard to defend against

• To load network attacker sends small packets as fast as possible since most devices are limited by packet processing rate and not bandwidth

SYN floods

• Attacker loads victim’s cpu by sending stream of TCP SYN packets to a listening TCP port– For each SYN packet victim must search

through existing connections & if no match allocate a new data structure for connection

– Number of connections may be limited in victim’s host, so host can be overwhelmed

– Victim also re-sends SYN/ACK until time limit

Distributed Attacks

• More powerful attacks leverage multiple hosts to send the SYNs– i.e. attacker compromises many hosts, installs a

small attack daemon (bots) on each• Compromises via buffer overflows, 1 year old

patchable web server Unicode bug, poorly written CGI scripts, etc.

– Attack can then be coordinated from multiple hosts focusing on a single victim host

IP spoofing

• To conceal identity, thus forestalling an effective response, attackers forge (“spoof”) the IP source address of each packet they send– Often select the IP address at random

– Attack appears to be coming from a third party

– Also can reflect attacks through innocent third parties

• Protection:– Dynamic size for connection table

– Decrease timeout for partial connections

– Prevent spoofing across routers

ICMP

• RFC 792, & clarified in RFCs 1122, 1256, 1349, 1812

• Smurf:– Spoof source address– Uses broadcast address to get amplification

• i.e. every host on subnet responds to same source

– e.g. can provoke host unreachable, ttl exceeded

• Don’t allow ICMP to go to broadcast address• Rate limit or block most ICMPs

– BUT lose ping & traceroute, watch out for MTU discover

UDP Security

• Services can often be spoofed as the source of a request

• The connectionless nature makes it hard for firewalls to protect– direction of connection not easily determined– must examine packet contents in application

dependent fashion

ARP

• First host to respond to ARP broadcast wins– Thus a “bad guy” can respond quickly and

poison the recipient’s cache• E.g. “bad guy” can pretend to be router

• No fix.

Dynamic Host Configuration Protocol

• DHCP built on UDP, ports 67/68 (see RFC 2131)– Client is dynamically assigned (leased) an IP configuration

(IP address, gateway, DNS server, domain name etc.)– Server controls allocation of addresses– Client must renew periodically– Can greatly increase ease of configuration flexibility &

decrease maintenance

• BUT– single client (using spoofed addresses) may use up all

available IP addresses– Does not prevent someone using unassigned address– Rogue machine can respond & claim to be router, DNS &

hence intercept all traffic

Domain Name Service DNS

• Built on UDP, port 53 (see RFC 1591):– Maps host names to IP addresses & back

– Hierarchical structure - no server for all hosts

– All domains have authoritative name server

– Root name servers maintain server list for all subdomains

– Once translated, mapping is cached

• ICANN administers top level domains• Example, get IP address of www.sun.com:

• Check local cache

• Query “.com” nameserver, get referral to “ns.sun.com”

• Query ns.sun.com

• Cache result & return IP address

DNS insecurity

• 21 Jan 2001: Yahoo.com & Microsoft.com traffic redirected. A faulty DNS table appears to be to blame for redirecting traffic to MyDomains.com

• Systems may change and the cache is wrong• Cache may be poisoned by an “attacker”• No authorization for change requests• Attacker can administratively change

“authoritative nameserver” and there are few checks to prevent it

SNMPv1

• Built on UDP

• Community name is passed as clear text

Telnet RFC 854

• Built on TCP– sends passwords in clear text– often target of sniffers collecting passowrds– session unencrypted - session may be hijacked

• Use ssh instead– not all hosts (e.g. some network devices) support ssh

Prevention

• Need defense in depth. • Firewalls, filtering router ACLs• Vulnerability scans

– Look for hosts with OS at a level that can be compromised– Look for ports/applications that should not be open– ISS, freeware from www.nessus.org

• Don’t overprotect– Waste of resources (direct cost)– Reduced functionality (indirect cost)

• Don’t leave backdoor open– Think like an attacker or find someone who can

Filters

• Simple filtering done by Access Control Lists (ACLs) in routers– Filter to deny access to dangerous stuff– Or Deny all and allow access to approved stuff– Filters based on header information

• Source/destination address/port

• Protocol

– Rules apply interface & direction

Firewalls

• Specialized for filtering without routing duties• Usually easier to configure, have auditing, logging,

auditing• Can use for privacy to hide internal network addresses• Many firewalls can maintain state, i.e. maintain virtual

sessions for UDP and close port when connection closes

• Some firewalls can look inside data in packets to discover application (e.g. to disallow ActiveX controls)

• With all the extra function there can be performance issues for high speed networks.

Detection

• Host based intrusion detection: instrument OS, applications, e.g. tripwire (look at what has changed), web page defacement detection

• Network based intrusion detection– Passively sniff on packets and look at flows.– Look for list suspicious ports/protocols being accessed, when, by whom,

for how long/much. Keep logs going back months• Possible inappropriate use: IRC, Gnutella, Napster …• Remote control: BackOrifice, subseven, netbus …• dDoS: tfn, trinoo …

– Look for attack signatures, may look in packet contents & compare bits with known patterns

– Look for scan signatures like seq of ports, or seq of hosts– Can provide pre-knowledge of signatures of known attacks

• Needs constant updates– Can look for abnormal behavior– Netflow, ISS, freeware from www.snort.org

Notification & follow up

• After discovering, have to alert someone by pager, email– Have to worry about false positives

• Need a clear procedure in place for dealing with intrusions

• Have to notify management• May have to take down & re-install OS etc.• May have to cut off from Internet while clean up• May have to field questions from funding agency,

press, law enforcement agencies• Have to do a post-mortem & improve processes• All of the above are painful, want to avoid if possible.

Requirements

• Make sure the firewall/ACLs are installed, working & maintained

• Security patches – current & installed in timely manner

• Remove use of clear text passwords (telnet => ssh, email, FTP…)

• Change default vendor passwords

• Regularly test security systems & processes