ECE 683 Computer Network Design - PowerPoint PPT Presentation

Slides: 161
Provided by: david341

Transcript and Presenter's Notes
1
ECE 683 Computer Network Design Analysis
  • Note 12: Review of Advanced Network Techniques and Attacks

2
Future Internet
3
Roadmap
  • Public Key Infrastructure (PKI)
  • Security and network layers
  • Sample attacks on the Internet
    • Distributed Denial-of-Service (DDoS) attacks
    • Spyware
    • Spam
    • Worms
  • Emerging networks
    • Peer-to-Peer (P2P) networks
    • WLANs
    • Mobile ad hoc networks (MANETs)
    • Wireless sensor networks (WSNs)
    • Wireless mesh networks (WMNs)
    • Vehicular networks
    • RFID networks

4
Public Key Infrastructure
  • Mutual authentication of participants in a
    transaction requires a system of identities
  • Principals are identified by public keys
  • These keys can be used for authentication, but
    only if spoofing is prevented
  • A Public Key Infrastructure (PKI) provides a
    basis for establishing trust

5
PKI Systems
  • Three philosophies
    • Hierarchy
      • ITU X.509 (DAP, PKIX)
      • DNS
    • Web of trust
      • PGP
    • Ad hoc
      • SSH
      • Most research studies

6
X.509 Certificates
X.509 certificates bind a subject to a public key. This binding is signed by a Certificate Authority (CA).
[Figure: certificate fields: Subject Name, Subject Public Key, CA Name, CA Signature]
7
Chaining
A relying party that trusts a root CA accepts a subject's certificate when every certificate in the chain from that root down to the subject is correctly signed by the one above it.
8
Certificate Management
  • Distribution: how to find a certificate
    • Certificate accompanying a signature, or sent as part of a protocol
    • Directory service
      • DAP
      • LDAP
    • DNS
    • Email
    • Cut and paste from web pages
  • Revocation: terminate certificates before their expiration time
    • How does the relying party know that the certificate has been revoked?
    • Many CRL distribution strategies proposed
    • A Mitre report for NIST suggests certificate revocation will be the largest maintenance cost for PKIs

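The chain of trust on the preceding slides (and the "certificate sent as part of a protocol" distribution method) is exactly what a TLS client checks on every connection. The following is an added example, not code from the lecture: it builds a toy hierarchy with the openssl command-line tool (a Root CA, an Intermediate CA, a www.example.com leaf, and a separate "Rogue CA" that issues its own www.example.com certificate; all names and the work directory are made up for the demo) and then plays the relying party with Python's ssl module over in-memory BIOs, so no network is involved. It assumes the `openssl` binary is on PATH.

```python
"""Added example, not part of the lecture slides.
Builds Root CA -> Intermediate CA -> www.example.com with the openssl CLI,
plus a separate "Rogue CA" issuing its own www.example.com certificate, and
plays the relying party with Python's ssl module over in-memory BIOs.
All names and the work directory are made up; `openssl` must be on PATH."""
import os
import ssl
import subprocess
import tempfile


def openssl(*args):
    """Run one openssl command; raise if it fails."""
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_cert(workdir, name, cn, issuer=None, ca=False):
    """Key pair + certificate for `cn`; self-signed when issuer is None.
    issuer = (issuer_key, issuer_cert). Returns (key_path, cert_path)."""
    key, csr, crt, ext = (os.path.join(workdir, f"{name}.{s}") for s in ("key", "csr", "crt", "ext"))
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
            "-keyout", key, "-out", csr)
    with open(ext, "w") as f:
        if ca:      # verifiers reject chains whose intermediates are not marked CA
            f.write("basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n")
        else:       # end entity: the binding of the DNS name to this public key
            f.write("basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n"
                    f"subjectAltName=DNS:{cn}\n")
    signer = (["-signkey", key] if issuer is None
              else ["-CA", issuer[1], "-CAkey", issuer[0], "-CAcreateserial"])
    openssl("x509", "-req", "-in", csr, "-out", crt, "-days", "1", "-extfile", ext, *signer)
    return key, crt


def concat_pem(path, *certs):
    """Chain file the server presents: end-entity certificate first, then intermediates."""
    with open(path, "w") as out:
        for c in certs:
            with open(c) as f:
                out.write(f.read())
    return path


def tls_handshake(server_chain, server_key, trust_anchor, hostname):
    """TLS handshake through MemoryBIOs (no sockets). The client trusts only
    `trust_anchor`. Returns "OK" or "REJECTED: <OpenSSL verify message>"."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(server_chain, server_key)
    cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check by default
    cli_ctx.load_verify_locations(cafile=trust_anchor)
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cli_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    server = srv_ctx.wrap_bio(s_in, s_out, server_side=True)

    def step(obj):                      # one do_handshake attempt; True when finished
        try:
            obj.do_handshake()
            return True
        except ssl.SSLWantReadError:    # needs the peer's next flight first
            return False

    def ferry(src, dst):
        data = src.read()
        if data:
            dst.write(data)

    c_done = s_done = False
    try:
        for _ in range(10):             # a handshake needs only a few round trips
            c_done = c_done or step(client)
            ferry(c_out, s_in)
            s_done = s_done or step(server)
            ferry(s_out, c_in)
            if c_done and s_done:
                return "OK"
    except ssl.SSLCertVerificationError as e:   # raised inside client.do_handshake()
        return "REJECTED: " + e.verify_message
    return "INCOMPLETE"


def demo():
    d = tempfile.mkdtemp(prefix="pki-demo-")
    root = make_cert(d, "root", "Root CA", ca=True)
    inter = make_cert(d, "inter", "Intermediate CA", issuer=root, ca=True)
    leaf = make_cert(d, "leaf", "www.example.com", issuer=inter)
    rogue = make_cert(d, "rogue", "Rogue CA", ca=True)
    spoof = make_cert(d, "spoof", "www.example.com", issuer=rogue)
    good_chain = concat_pem(os.path.join(d, "leaf_chain.pem"), leaf[1], inter[1])
    bad_chain = concat_pem(os.path.join(d, "spoof_chain.pem"), spoof[1], rogue[1])
    anchor = root[1]                    # the only certificate the client trusts
    return {
        "full chain": tls_handshake(good_chain, leaf[0], anchor, "www.example.com"),
        "missing intermediate": tls_handshake(leaf[1], leaf[0], anchor, "www.example.com"),
        "wrong hostname": tls_handshake(good_chain, leaf[0], anchor, "login.example.com"),
        "rogue CA, same name": tls_handshake(bad_chain, spoof[0], anchor, "www.example.com"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} {result}")
```

Only the root is installed in the client, so the server has to send the intermediate along with its own certificate; that is why the "missing intermediate" case is rejected even though every signature in it is valid. The rogue CA case shows the spoofing the PKI slide warns about: a perfectly well-formed certificate for the right name is worthless unless it chains to a trust anchor the relying party already holds. Revocation is not covered here; for that the client would additionally need a CRL or an OCSP response, which is the maintenance cost the Mitre report points at.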
9
Adoption of PKI
  • Problems
    • Revocation
    • Users' ability to deal with keys
    • Registration (a challenge for all authentication techniques)
    • Weak business model
  • Areas of progress
    • SSL
    • Authenticode
    • SSH
    • Smart cards for government employees
    • Web services

10
Challenges for Network Security
  • Sharing
  • Complexity
  • Scale
  • Unknown perimeter
  • Anonymity
  • Unknown paths

11
Internet Layers
  • Physical
  • Link
  • Network
  • Transport
  • Application

12
Security at Layers
  • Physical
    • Locked doors
    • Spread spectrum
    • Tempest
  • Link
    • WEP
    • GSM
  • Network
    • Firewalls
    • IPsec
  • Transport
    • SSL and TLS
  • Application
    • S/MIME
    • XMLDSIG and WS-Security
    • Access control systems for web pages, databases, and file systems

13
Network Layer Security
[Stack figure: HTTP, FTP and SMTP over TCP over IP/IPsec; protection is applied at the IP layer]
14
Transport Layer Security
[Stack figure: HTTP, FTP and SMTP over SSL or TLS over TCP over IP; protection is applied above TCP]
15
Application Layer Security
[Stack figure: PGP, SET and S/MIME over SMTP and HTTP, and Kerberos, over TCP and UDP over IP; protection is built into the applications]
16
Division of Labor in the Internet
[Figure: hosts, routers, and the networks that connect them]
17
TCP/IP Protocol Stack
[Figure: two hosts communicating through two routers; each host implements Application, Transport, Network, Link and Physical layers, each router only Network, Link and Physical]
18
Communication Processing Flow
[Figure: App1 and App2 on two hosts; a message passes down through Transport, Network, Link and Physical on the sender, through Network, Link and Physical on each router, and back up the stack on the receiver]
19
Typical Patchwork
[Figure: the same two-host, two-router stack as on slide 18, here used to show how security mechanisms end up patched in at different layers and hops]
20
SOHO to Enterprise Example
[Figure: client C at home, a wireless access point AP, the Internet, a VPN gateway, and server S in the office]
Three levels of authentication and encryption! (the wireless link, the VPN tunnel, and the end-to-end session)
21
Physical Layer Protection Issues
  • Hide the signal
    • Spread spectrum
  • Emission security
    • Radio emissions (Tempest)
    • Power emissions

22
Encapsulation
[Figure: a link-layer frame carries the network-layer (IP) header, the transport-layer (TCP) header and the application-layer payload, each layer's header wrapping everything above it]
23
One Hop Link Layer Encryption
[Figure: two hosts and two routers; encryption is applied separately on each link, at the link layer of the two nodes adjacent to it]
24
Link Layer Encryption
[Figure: only the link-layer header is in the clear; the IP header, TCP header and application payload inside the frame are encrypted]
25
End-to-End Network Security
[Figure: two hosts and two routers; protection is applied at the network layer of the two end hosts, and the routers forward the protected packets unchanged]
26
Network Layer Transport Mode
[Figure: before: Link | IP | TCP | Application; after: Link | IP | IPsec Hdr | TCP | Application | Tlr, with the TCP header and application payload encrypted and the original IP header left in the clear]
27
VPN Gateway
[Figure: two hosts communicating through two routers that act as VPN gateways; protection is applied at the gateways' network layer, not on the hosts]
28
Network Layer Tunnel Mode
[Figure: before: Link | IP | TCP | Application; after: Link | New IP | IPsec Hdr | IP | TCP | Application | Tlr, with the entire original IP packet encrypted behind a new outer IP header]
29
Layer 3 Implementation Options
  • Location
    • Host
    • Network
  • Style
    • Integrated
    • Modular (for tunnel mode)

30
Bump In The Stack (BITS)
[Figure: a separate security module ("Net Sec") is inserted beneath each host's existing IP stack, between the Network and Link layers, without changing the stack above it]
31
Bump In The Wire (BITW)
[Figure: security is provided by a separate device on the wire between each host and the network; the hosts' own stacks are unchanged]
32
Integrated on Host
[Figure: network security ("Net Sec") integrated into each host's own network layer]
33
Integrated on Router
[Figure: network security ("Net Sec") integrated into the routers' network layer; the hosts are unchanged]
34
Network Security Location Options
[Figure: three placements on the two-host, two-router stack: end-to-end transport-layer security between the hosts; a voluntary tunnel, set up from the host's own network layer; and an involuntary tunnel between network-layer gateways, transparent to the hosts]
35
Transport Layer Security
[Figure: two hosts and two routers; protection is applied at the hosts' transport layer, and the routers see only the IP and TCP headers]
36
Transport Layer Encryption
[Figure: before: Link | IP | TCP | Application; after: Link | IP | TCP | RH | encrypted application data, where RH is the record header; the IP and TCP headers stay in the clear]
37
Message Processing Sequence
[Figure: on each host App2 hands its messages to an application-specific security module ("App2 Sec") before they pass through Transport, Network and Link; App1 has no such module]
38
Application Layer Security
[Figure: Link | IP | TCP | Application; only the application payload is encrypted, and it carries a Key ID so the peer can pick the right key]
39
Link Layer Security
  • Advantages
    • Transparent to applications
    • Hardware solution possible
    • Can address especially vulnerable links (e.g. wireless)
  • Disadvantages
    • Hop-by-hop protection means the crypto operations are applied again on every link
    • May not provide end-to-end security: traffic is in the clear inside every intermediate node

40
Network Layer Security
  • Advantages
    • Transparent to applications
    • Amenable to hardware
    • Flexible
  • Disadvantages
    • Adds complexity for routing, MTUs and NATs
    • Flexibility introduces policy management and compatibility challenges

41
Transport Layer Security
  • Advantages
    • Largely transparent to applications, and may be packaged with applications
    • Exposing TCP enables compression and QoS classification
  • Disadvantages
    • Probably implemented in software
    • Exposing TCP risks DoS: the TCP header is visible and can be targeted, e.g. with injected RST segments

42
Application Layer Security
  • Advantages
    • Customized to the application
    • Requires no special protocol stack (transparent to the network)
  • Disadvantages
    • Hard to share between applications

43
Roadmap (repeated from slide 3)

44
DDoS Attacks
  • Goal: prevent a network site from doing its normal business
  • Method: overwhelm the site with attack traffic
  • Response: the current Internet has no built-in defense mechanism

45
Why Are These Attacks Made?
  • Generally to annoy
  • Sometimes for extortion
  • If directed at the infrastructure, might cripple
    parts of the Internet
  • So who wants to do that …?

46
Attack Methods
  • Pure flooding
    • Of the network connection
    • Or of the upstream network
  • Overwhelm some other resource
    • SYN flood
    • CPU resources
    • Memory resources
    • Application-level resources
  • Direct or reflection

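The SYN-flood item above works by filling the server's table of half-open connections, so it exhausts memory rather than bandwidth. As an added example (not from the slides), here is the server side of a simplified SYN-cookie scheme, the classic answer to that attack: everything the server needs is folded into its initial sequence number and recovered from the client's final ACK, so a flood of spoofed SYNs costs the server one HMAC each and no memory at all. The field layout, the MSS table and the 64-second counter period are this demo's own choices in the spirit of Bernstein's SYN cookies, not the Linux encoding; the addresses, ports and sequence numbers are constructed.

```python
"""Added example, not part of the lecture slides: a simplified SYN-cookie
scheme. The server encodes a counter, an MSS index and a keyed MAC into its
initial sequence number (ISN) and keeps no half-open state until the client's
final ACK proves it really received the SYN-ACK. Layout, MSS table and counter
period are this demo's choices, not Linux's exact encoding."""
import hashlib
import hmac
import os

MSS_TABLE = [536, 1300, 1440, 1460]   # 2 bits: index of the MSS to remember
COUNTER_PERIOD = 64.0                 # seconds per counter tick (5 bits of counter)
SECRET = os.urandom(32)               # server-wide key; a real server rotates it


def _counter(now):
    return int(now // COUNTER_PERIOD) & 0x1F


def _mac(src, sport, dst, dport, counter):
    """25-bit MAC over the 4-tuple and the counter, keyed with the server secret."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x01FFFFFF


def make_syn_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK. Layout: 5 bits counter | 2 bits MSS idx | 25 bits MAC,
    added to the client's ISN so the cookie still looks like an ordinary sequence number."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i                   # largest table entry the client can accept
    counter = _counter(now)
    cookie = (counter << 27) | (mss_idx << 25) | _mac(src, sport, dst, dport, counter)
    return (client_isn + cookie) & 0xFFFFFFFF


def check_syn_cookie(src, sport, dst, dport, client_isn, ack, now):
    """Called on the third-handshake ACK (ack = server ISN + 1).
    Returns the MSS for the new connection, or None if the cookie is stale or
    forged, i.e. the peer never saw our SYN-ACK. Nothing was stored per SYN."""
    cookie = (ack - 1 - client_isn) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    mac = cookie & 0x01FFFFFF
    if (_counter(now) - counter) & 0x1F > 1:      # accept this and the previous period only
        return None
    expected = _mac(src, sport, dst, dport, counter)
    if not hmac.compare_digest(mac.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return None
    return MSS_TABLE[mss_idx]


def simulate():
    """Three arrivals at a server that stores nothing per SYN (constructed data)."""
    srv = ("192.0.2.10", 443)
    # 1. legitimate client: completes the handshake 200 ms later
    cli, cisn = ("198.51.100.7", 51512), 0x1A2B3C4D
    server_isn = make_syn_cookie(*cli, *srv, cisn, 1460, now=1000.0)
    legit = check_syn_cookie(*cli, *srv, cisn, (server_isn + 1) & 0xFFFFFFFF, now=1000.2)
    # 2. flooder with a spoofed source never sees the SYN-ACK; it can only guess the ACK
    spoof, sisn = ("203.0.113.99", 40000), 0x00000001
    guess = (sisn + 1 + ((_counter(1000.0) << 27) | (3 << 25) | 0x00ABCDE)) & 0xFFFFFFFF
    forged = check_syn_cookie(*spoof, *srv, sisn, guess, now=1000.0)
    # 3. replay of the legitimate ACK three counter periods later
    stale = check_syn_cookie(*cli, *srv, cisn, (server_isn + 1) & 0xFFFFFFFF,
                             now=1000.0 + 3 * COUNTER_PERIOD)
    return {"legit_mss": legit, "forged": forged, "stale": stale}


if __name__ == "__main__":
    print(simulate())
```

The price of statelessness is that TCP options which do not fit in the cookie are forgotten, which is why real stacks normally switch cookies on only once the backlog is full. The 25-bit MAC is the security margin: a flooder that never sees the SYN-ACK succeeds with a random ACK about once in 33 million tries, and each try still costs the server only one HMAC.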
47
Why Distributed
  • Targets are often highly provisioned servers
  • A single machine usually cannot overwhelm such a
    server
  • So harness multiple machines to do so
  • Power of many is greater than power of a few
  • Also makes defenses harder

48
Yahoo Attack
  • Occurred in February 2000
  • Resulted in intermittent outages for nearly three
    hours
  • Attacker caught and successfully prosecuted
  • Other companies (eBay, CNN, Microsoft) attacked
    in the same way at around the same time

49
DDoS Attack on DNS Root Servers
  • Concerted ping flood attack on all 13 of the DNS
    root servers in October 2002
  • Successfully halted operations on 9 of them
  • Lasted for 1 hour
  • Turned itself off, was not defeated
  • Did not cause major impact on the Internet
  • DNS uses caching aggressively

50
What Makes DDoS Defenses Difficult?
  • High availability of compromised machines
    • At least tens of thousands of zombie machines out there
  • The Internet was designed to deliver traffic
    • Regardless of its value
  • Internet resources are limited
  • IP spoofing allows easy hiding
  • The distributed nature makes legal approaches hard
  • Attackers can choose every aspect of their attack packets
    • They can look a lot like good ones

51
Basic Defense Approaches
  • Overprovisioning
  • Dynamic increases in provisioning
  • Hiding
  • Tracking attackers
  • Legal approaches
  • Reducing volume of attack

52
Overprovisioning
  • Be able to handle more traffic than attackers can
    generate
  • Works pretty well for Microsoft and Google
  • Not a suitable solution for Mom and Pop Internet
    stores

53
Dynamic Increases in Provisioning
  • As attack volume increases, increase your
    resources
  • Dynamically replicate servers
  • Obtain more bandwidth
  • Not always feasible
  • Probably expensive
  • Might be easy for attackers to outpace you

54
Hiding
  • Don't let most people know where your server is
  • If they can't find it, they can't overwhelm it
  • Possible to direct your traffic through other sites first
    • Can they be overwhelmed …?
  • Not feasible for sites that serve everyone

55
Tracking Attackers
  • Almost trivial without IP spoofing
  • With IP spoofing, more challenging
  • Big issue: once you've found them, what do you do?
  • Not clear tracking actually does much good
  • Loads of fun for algorithm designers, though

56
Legal Approaches
  • Sic the FBI on attackers and throw them in jail
  • Usually hard to do
    • The FBI might not be interested in small fry
    • Slow, at best
    • Very hard in international situations
  • Generally only feasible if extortion is involved
    • By following the money

57
Reducing the Volume of Traffic
  • Addresses the core problem
  • Too much traffic coming in, so get rid of some of
    it
  • Vital to separate the sheep from the goats
  • Unless you have good discrimination techniques,
    not much help
  • Most DDoS defense proposals are variants of this

58
Approaches to Reducing the Volume
  • Give preference to your friends
  • Require proof of work from submitters
  • Detect difference between good and bad traffic
  • Drop the bad
  • Easier said than done

59
Roadmap (repeated from slide 3)

60
Different Types of Spyware
  • Spyware
  • Adware
  • Embedded Programs
  • Trojan Horse
  • Browser Hijackers
  • Dialers
  • Malware

61
Why Do People Make Spyware?
  • Profit
  • A challenge
  • Malice
  • Boredom
  • Business

62
How Do I Know If I've Got Spyware?
  • Computer is running slower than normal
  • Popups (on or off the internet)
  • New toolbars
  • Home page changes
  • Search results look different
  • Error messages when accessing the web

63–73
What Does Spyware Look Like?
[Eleven screenshot slides; the images are not part of the transcript]
74
How Do I Get Rid of Spyware?
  • Use a legitimate spyware removal program
  • Use Spybot Search & Destroy in combination with Microsoft AntiSpyware (now called Windows Defender)
  • Ad-Aware is a good program and is free for home use, but is no longer free for educational use

75
How Do I Prevent Spyware?
  • Be conscious of what you are clicking
    on/downloading
  • Some pop-ups have what appears to be a close
    button, but will actually try to install spyware
    when you click on it. Always look for the
    topmost right red X.
  • Remember that things on the internet are rarely
    free. Free Screensavers etc. generally contain
    ads or worse that pay the programmer for their
    time.

76
The Least Wanted List
  • Weatherbug (GAIN or Claria)
  • Hotbar
  • 180 Search Assistant
  • MyWebSearch
  • Popular Screensavers
  • Comet Cursors
  • A Better Internet (Aurora)
  • Kazaa / Morpheus
  • GameSpy Arcade
  • WhenUSave
  • New.Net
  • Starware Toolbar
  • MySearch
  • Begin2Search
  • 180Solutions
  • Zango
  • CoolWebSearch
  • DyFuCA
  • BonzaiBuddy
  • BargainBuddy
  • Dashbar
  • Gator
  • WeatherScope
  • Best Offers Network
  • Precision Time
  • FunWeb

77
Phishing
  • Most commonly an e-mail stating that your account information needs updating
  • Watch for URLs that are numeric or differ from the link you clicked on
  • Best thing to do is to type in the URL and check your account directly, without following any links in the e-mail
  • Many legitimate e-mails no longer contain a link (PayPal)

78–83
Phishing Examples
[Six screenshot slides; the images are not part of the transcript]
84
How Secure Do You Need to Be?
  • Be prudent, not paranoid
  • Did you initiate the action?
  • Why is this free?
  • Is the source trustworthy?
  • When in doubt, Google it

85
Safer Alternatives
  • Download.com: all programs are adware/spyware free
  • Freesaver.com: screensavers from this site are safe; DO NOT click on the ads
  • Cleansoftware.org

86
The Bottom Line
  • It is safe to install these programs
    • Microsoft AntiSpyware (Defender)
    • Spybot Search & Destroy
    • SpywareBlaster
    • SpywareGuard
  • If you are running a different anti-spyware program, contact your technology specialist to make sure it is not a rogue (fake anti-spyware)

87
Roadmap (repeated from slide 3)

88
Examples of Spam
  • E-mail (UBE, unsolicited bulk e-mail)
    • Advertisement
    • Phishing

From: Thrifty Health-Insurance <Tyra@noticeoption.com>
Mailed-By: noticeoption.com
Reply-To: Thrifty Health-Insurance <Tyra@noticeoption.com>
To: richard.sia@gmail.com
Date: May 10, 2006 9:30 PM
Subject: No obligation Health Insurance Quotes

Great health insurance quotes. Get a quote from us and let local agents compete for your business. Health insurance is more affordable than you think. Health Plans, Dental Plans, Prescription Plans, Vision Plans and more. Check out the lowest rates in the industry. http://www.cuffseetotal.com/healthy27/
This email is a commercial message. …
89
How Bad Is the Situation?
  • 30–40% of mail traffic is spam
  • End-user
    • Wastes time reading junk (and may fall into a trap)
    • Roughly $1 billion in productivity lost per year
  • System operator
    • Increased running cost

90
Why Do People Spam?
  • Economic incentive
  • Effectiveness = messages sent × (1 − P_filtered) × P_read × P_clickthrough
  • Business strategy?

91
How Spammers Collect E-mail Addresses
  • UseNet
  • Web pages
  • Registration forms
  • Dictionary attacks

92
Defense Mechanisms
  • Authentication
  • Challenge/response systems
  • DNSxL (DNS-distributed block and allow lists)
  • Checksum-based filtering
  • Statistical filtering
  • Micro-payment
  • Spam poisoning
  • A brand-new architecture

93
Authentication
  • Avoid forged sender addresses
  • SMTP AUTH
    • Verify that the sender is a legitimate user of the submitting server
  • Sender Policy Framework (SPF)
    • Verify that the sending IP is one the sender's domain has authorized in its DNS SPF record

94
Challenge/Response System
  • Works together with a white list
  • Only senders in the contact list get through
  • Otherwise a challenge is sent back to the sender
  • Ensures the sender is a human rather than a program

95
DNSxL
  • Block list
    • A list of IPs/domains observed to be sending out spam consistently
    • Uses DNS to distribute the list
    • Queried like a reverse DNS lookup
  • White list
    • Same idea, but working the other way round

96
Checksum-Based Filtering
  • Collaborative filtering
    • Distributed Checksum Clearinghouse (DCC)
    • Vipul's Razor
    • Brightmail
  • A checksum is computed for each reported spam
  • The list is continuously updated and distributed

97
Statistical Filtering
  • 2-class text classification problem
  • Words, phrases
  • Training samples
  • Adaptive

98
Statistical Filtering
  • False positive

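As an added example of the two-class classifier sketched on the last two slides (not code from the lecture), the following trains a Graham-style naive Bayes filter on six constructed messages, three modelled on the health-insurance spam shown earlier and three on course mail, and then classifies three constructed test messages. The tokenizer, the Laplace smoothing and the 0.5 decision threshold are standard choices assumed for the demo; the third test message shows how lowering the threshold to catch more spam turns a legitimate message into a false positive.

```python
"""Added example, not part of the lecture slides: a minimal statistical spam
filter of the Graham / naive-Bayes family. Per-token probabilities are learned
from labelled mail, combined as log-odds, and thresholded. All training and
test messages below are constructed for this demo."""
import math
import re
from collections import Counter


def tokens(text):
    """Case-folded word tokens; a token counts once per message."""
    return set(re.findall(r"[a-z$]+", text.lower()))


class NaiveBayesFilter:
    def __init__(self):
        self.docs = {"spam": 0, "ham": 0}                        # messages seen per class
        self.token_docs = {"spam": Counter(), "ham": Counter()}  # messages containing each token

    def train(self, text, label):
        self.docs[label] += 1
        self.token_docs[label].update(tokens(text))

    def p_token_given(self, tok, label):
        """Laplace-smoothed P(token appears | class), so an unseen count is never 0."""
        return (self.token_docs[label][tok] + 1) / (self.docs[label] + 2)

    def spam_probability(self, text):
        vocab = set(self.token_docs["spam"]) | set(self.token_docs["ham"])
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])    # class prior
        for tok in tokens(text) & vocab:                 # never-seen words carry no evidence
            log_odds += math.log(self.p_token_given(tok, "spam") / self.p_token_given(tok, "ham"))
        return 1.0 / (1.0 + math.exp(-log_odds))

    def classify(self, text, threshold=0.5):
        """A lower threshold catches more spam at the price of more false positives."""
        return "spam" if self.spam_probability(text) >= threshold else "ham"


def build_demo_filter():
    f = NaiveBayesFilter()
    for text in [   # constructed spam, modelled on the health-insurance message above
        "No obligation health insurance quotes, get a free quote from local agents",
        "Lowest rates in the industry, affordable dental and vision plans, click here",
        "Free prescription plans, compete for your business, check out our rates",
    ]:
        f.train(text, "spam")
    for text in [   # constructed legitimate course mail
        "Lecture notes for ECE 683 note 12 are posted, review before the exam",
        "Meeting about the network design project moved to Thursday",
        "Can you send the slides on PKI and IPsec before the next lecture",
    ]:
        f.train(text, "ham")
    return f


def demo():
    f = build_demo_filter()
    spammy = "Get a free health insurance quote with the lowest rates"
    hammy = "Slides for the lecture on network design are posted"
    # a legitimate message that reuses spam vocabulary: the false-positive risk
    borderline = "Review the health plans and rates before Thursday"
    return {
        "spammy": f.classify(spammy),
        "hammy": f.classify(hammy),
        "borderline_p": round(f.spam_probability(borderline), 3),
        "borderline_at_0.5": f.classify(borderline, 0.5),
        "borderline_at_0.4": f.classify(borderline, 0.4),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

The borderline message scores about 0.43: it stays legitimate at the default threshold and becomes a false positive as soon as the threshold is lowered to 0.4. That is the trade-off the "False positive" slide refers to, and it is also what the spammers' counter-moves on a later slide exploit: appending random or ordinary-looking text dilutes the spammy tokens until the message lands below whatever threshold the recipient chose.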
99
Payment
  • Increase the cost to spammers
  • Micro-payment / e-cash
  • Computational payment
    • Hashcash (SHA-1 partial pre-image: the stamp's hash must start with a given number of zero bits)
    • X-Hashcash: 1:20:060408:adam@cypherspace.org::1QTjaYd7niiQA/scePa
      (hashcash v1 fields are ver:bits:date:resource:ext:rand:counter; the separator between the last two fields was lost in extraction)
    • Takes about 1 second to generate
    • Takes about 1 microsecond to verify (both on a 1 GHz machine)
  • CAMRAM

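The stamp on the slide above can be minted and checked in a few lines. As an added example (not from the lecture), the following implements Hashcash v1 stamps of the form ver:bits:date:resource:ext:rand:counter with SHA-1: minting searches counters until the hash has the required leading zero bits, and verification does one hash plus the cheap checks (addressee, date window, double spend) that the receiving side must perform for the scheme to deter spam at all. The recipient address and the date are made up; the counter is written in hex, which the format allows but is not what the reference implementation emits.

```python
"""Added example, not part of the lecture slides: minting and verifying
Hashcash v1 stamps (ver:bits:date:resource:ext:rand:counter) with SHA-1.
Minting costs about 2^bits hashes, verifying costs one. The recipient
address, the date and the spent-stamp set are made up for the demo."""
import base64
import hashlib
import os
from datetime import date, datetime


def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(resource, bits=20, day=None, rand=None):
    """Search counters until SHA-1(stamp) starts with `bits` zero bits.
    Returns (stamp, number_of_hashes_tried)."""
    day = day or date.today().strftime("%y%m%d")
    rand = rand or base64.b64encode(os.urandom(9)).decode()   # base64 never contains ':'
    prefix = f"1:{bits}:{day}:{resource}::{rand}:"            # empty ext field
    counter = 0
    while True:
        stamp = prefix + format(counter, "x")
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1
        counter += 1


def verify(stamp, my_address, seen, min_bits=20, today=None, max_age_days=2):
    """Recipient-side check: format, claimed work, addressee, freshness, double
    spend, then a single SHA-1. `seen` is the spent-stamp database."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False, "malformed or unsupported version"
    bits, day, resource = fields[1], fields[2], fields[3]
    if not bits.isdigit() or int(bits) < min_bits:
        return False, f"claims {bits} bits, need at least {min_bits}"
    if resource != my_address:
        return False, "stamp was minted for a different resource"
    try:
        minted = datetime.strptime(day, "%y%m%d").date()
    except ValueError:
        return False, "bad date field"
    age = ((today or date.today()) - minted).days
    if not 0 <= age <= max_age_days:
        return False, "stamp expired or postdated"
    if stamp in seen:
        return False, "stamp already spent"
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < int(bits):
        return False, "hash lacks the claimed leading zero bits"
    seen.add(stamp)
    return True, "ok"


def demo(bits=12):
    """Mint once (12 bits keeps it instant), then accept / replay / wrong recipient / expired."""
    seen = set()
    me = "alice@example.net"                              # made-up recipient
    stamp, tries = mint(me, bits=bits, day="060408", rand="demo")
    on_day = date(2006, 4, 8)
    return {
        "stamp": stamp,
        "tries": tries,
        "accept": verify(stamp, me, seen, min_bits=bits, today=on_day),
        "replay": verify(stamp, me, seen, min_bits=bits, today=on_day),
        "wrong recipient": verify(stamp, "bob@example.net", set(), min_bits=bits, today=on_day),
        "expired": verify(stamp, me, set(), min_bits=bits, today=date(2006, 4, 20)),
    }


if __name__ == "__main__":
    import time
    t0 = time.perf_counter()
    stamp, tries = mint("alice@example.net", bits=20)      # the slide's 20-bit setting
    t1 = time.perf_counter()
    verify(stamp, "alice@example.net", set())
    t2 = time.perf_counter()
    print(f"{stamp}\nmint: {tries} hashes in {t1 - t0:.2f}s, verify: {(t2 - t1) * 1e6:.0f} us")
```

Running the main block with 20 bits reproduces the slide's asymmetry on a modern machine: roughly a million SHA-1 calls to mint, one to verify. The double-spend set is what stops a spammer from minting one stamp and attaching it to a million messages, and the date window is what keeps that set from growing without bound.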
100
Spam Poisoning
  • Expose the e-mail address only in human-readable form
    • user@exampleREMOVETHIS.com
  • Generate fake e-mail addresses dynamically with a CGI script
  • Create e-mail addresses whose only purpose is to harvest spam (similar to a honeypot)

101
New Architecture
  • Internet Mail 2000
  • Pull based
    • The sender's ISP is responsible for storing e-mails
    • The receiver gets only a notification
  • A global deployment is unlikely anytime in the near future

102
How Do Spammers Respond?
  • Append a random string at the end of each spam e-mail
  • Improve spambots to filter out the characters used in spam poisoning
  • Use worms to infect e-mail client programs
  • Analyze users' e-mail patterns

103
Roadmap (repeated from slide 3)

104
What Is a Worm?
  • Self-replicating, self-propagating programs
  • Spread from system to system without user interaction
  • Find vulnerabilities in systems and use them to spread
  • Spread via the network
  • Different from a virus, which requires user interaction

105
Danger?
  • Take over systems
  • Access sensitive information
    • Passwords, credit card numbers, patient records, e-mails
  • Disrupt system functions
    • Government, nuclear power plants, hospitals
  • DDoS attacks
    • Bandwidth saturation

106
Code Red (CRv1)
  • July 13th, 2001
  • Exploits a Microsoft IIS vulnerability (buffer overflow in the Index Server .ida extension)
  • Each infected system scans random 32-bit IP addresses to attack
  • A bug in the random number generator (a fixed seed, so every copy probed the same address sequence) resulted in linear rather than exponential spread

107
Code Red I (CRv2)
  • July 19th, 2001
  • Same as CRv1 but with the random number generator bug fixed
  • DDoS payload targeting the IP address of www.whitehouse.gov
  • A bug in the code made it die for dates > the 20th of the month

108
Code Red II
  • August 4th, 2001
  • Not related to Code Red (only a comment in the code says "Code Red")
  • Exploits the same buffer overflow in the MS IIS web server
  • Installed a remote root backdoor which can be used for anything

109
Nimda
  • September 18th, 2001
  • Multiple methods of spreading
    • MS IIS vulnerability
    • E-mail
    • Copying over network shares
    • Web page infection
    • Scanning for the backdoor left by Code Red II
  • From no probing to 100 probes/sec in just 30 minutes

110
Sapphire/Slammer/SQLSlammer
  • January 25th, 2003
  • Exploits an MS SQL Server buffer overflow (a single UDP packet to port 1434)
  • Fastest-spreading worm to date
  • Peak rate of 55 million scans/sec after just 3 minutes
  • Rate slowed down because of bandwidth saturation
  • No malicious payload; the bandwidth saturation alone knocked many servers off the network

111
[Figure: Slammer's spread, before and 30 minutes after release]
What if Slammer had carried a malicious payload?
112
Used Techniques
  • Random scanning
    • Code Red, Code Red I
  • Localized scanning
    • Code Red II
    • Machines in the same network are more likely to run the same software
  • Multi-vector
    • Nimda
    • Several methods of spreading

113
Possible Techniques 1
  • Hit-list scanning
    • The first 10k infections are the hardest
    • Use a list of 10k–50k vulnerable machines
    • Several methods to generate the list
      • Stealthy scan: a random scan spread over several months
      • Distributed scan using already-compromised hosts
      • DNS search for already-known servers such as mail/web servers
      • Just listening: P2P networks advertise their servers, and previous worms advertised many servers

114
Possible Techniques 2
  • Permutation scanning
    • Random scanning probes the same host multiple times
    • Instead, scan along a permutation of the IP address space
    • When an already-infected host is found, restart from a random point in the permutation
    • Self-coordinated, comprehensive scanning
    • Very high infection rate

115
Possible Techniques 3
  • Warhol worm
    • Hit-list and permutation scanning combined
    • Starts off quickly, with a high infection rate
    • Simulation shows 99.99% of 300k hosts infected in less than 15 min
  • Many other techniques
    • Topological scanning: use information from the infected machine to spread to machines in the same subnet
    • Flash worm: use high bandwidth with a compressed hit-list
    • Stealth worms: web servers to clients, P2P

116
Dealing with the Worm Threat
  • Prevention
    • Prevent vulnerabilities through secure coding practices
    • Patching software
    • Heterogeneity of the network
  • Treatment
    • Patching after the outbreak
    • Virus scanning
    • Containment

117
Containment
  • Incoming
    • Black list
    • Signature-based detection
    • Identify the scanning characteristics of worms
  • Outgoing
    • TCP connection threshold
    • Use worm signatures on outbound traffic

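The "TCP connection threshold" bullet is concrete enough to implement. As an added example (not the lecture's own code), the following is an outbound throttle modelled on Williamson's virus throttle (HP Labs, 2002): connections to recently contacted destinations pass, connections to new destinations are released at a fixed rate and queued otherwise, and a queue longer than an alarm threshold flags the host as scanning. It relies on the behavioral signature from the next slide, namely that a scanning worm contacts many new hosts per second while a user's machine keeps talking to the same few. The two hosts and their connection attempts are constructed, and the working-set size, release rate and alarm threshold are parameters assumed for the demo.

```python
"""Added example, not part of the lecture slides: an outbound new-connection
throttle in the style of Williamson's virus throttle. Per source host it keeps
a small working set of recent destinations, lets one new destination through
per `interval` seconds, queues the rest, and raises an alarm when the queue
grows past a threshold. The traffic below is constructed for the demo."""
from collections import Counter, deque


class HostState:
    def __init__(self, working_set_size):
        self.working = deque(maxlen=working_set_size)   # recently contacted destinations
        self.queue = deque()                            # new destinations awaiting release
        self.next_release = 0.0                         # when the next new destination may go


class ConnectionThrottle:
    def __init__(self, working_set_size=5, rate=1.0, alarm_queue=10):
        self.ws = working_set_size
        self.interval = 1.0 / rate          # one new destination per `interval` seconds
        self.alarm_queue = alarm_queue
        self.hosts = {}

    def offer(self, src, dst, t):
        """Decide on one outbound connection attempt from `src` to `dst` at time `t`.
        Returns 'pass', 'delay' or 'alarm'."""
        st = self.hosts.setdefault(src, HostState(self.ws))
        while st.queue and t >= st.next_release:        # drain what the rate budget allows
            st.working.append(st.queue.popleft())
            st.next_release += self.interval
        if dst in st.working:
            return "pass"                                # repeat contact: normal traffic
        if not st.queue and t >= st.next_release:
            st.working.append(dst)                       # budget available: let it through
            st.next_release = t + self.interval
            return "pass"
        st.queue.append(dst)                             # budget spent: hold it back
        return "alarm" if len(st.queue) > self.alarm_queue else "delay"


def run(events, throttle=None):
    """events: iterable of (time, src, dst). Returns per-host outcome counts."""
    throttle = throttle or ConnectionThrottle()
    results = {}
    for t, src, dst in sorted(events):
        results.setdefault(src, Counter())[throttle.offer(src, dst, t)] += 1
    return results


def demo_events():
    """Constructed traffic: a normal desktop and a scanning (infected) host."""
    events = []
    favourites = ["93.184.216.34", "151.101.1.69", "10.0.0.1"]
    for i in range(30):                                  # one connection per second,
        dst = f"198.51.100.{i}" if i % 10 == 9 else favourites[i % 3]   # mostly repeats
        events.append((float(i), "10.0.0.5", dst))
    for k in range(40):                                  # 40 new hosts in 2 seconds
        events.append((5.0 + 0.05 * k, "10.0.0.66", f"203.0.113.{k}"))
    return events


if __name__ == "__main__":
    for host, counts in run(demo_events()).items():
        print(host, dict(counts))
```

The desktop never trips the throttle even though it occasionally visits a new site, because one new destination per second is plenty for a human; the scanning host gets exactly one free connection and is queued and then alarmed within the first second. Holding connections back rather than dropping them is deliberate: a false alarm only slows a legitimate host down, while an infected host is throttled to one victim per second whether or not anyone is watching.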
118
Detection: Signature Based
  • Attack signature
    • A description which represents a particular attack or action
    • E.g., a classic antivirus signature
  • Vulnerability signature
    • A description of the class of vulnerable systems
      • E.g., Windows XP, SP2, not patched since 10/1/2004
    • A description of how to exploit a particular vulnerability
  • Behavioral signatures
    • A behavior necessary for a class of worms (e.g. scanning)
    • A behavior common to many implementations (half-open connections)

119
Detection: Runtime Analysis
  • Mark all data from unsafe sources, and data derived from it, as dirty (tainted)
  • Any attempt to execute such data is signaled as a possible threat
  • Generate Self-Certifying Alerts and distribute them to peers over an overlay; peers only run overlay code, so they are less susceptible to attack
  • Each host verifies the alert in a VM and, if the vulnerability is confirmed, generates a filter
  • Multiple filters to prevent false positives
    • Generic filter: a disjunction of multiple specific conditions
    • Specific filter: more stringent conditions

120
Thoughts
  • Detection
    • Polymorphic worms
      • Obfuscation, encryption
    • False positives
      • Attacker generates suspicious traffic with byte strings that are common in normal traffic
    • Signature generation time
    • Dynamic taint analysis is expensive (or has low coverage) and resource-hungry

121
Thoughts
  • Distribution/deployment
  • Pervasive P2P collaboration
  • E2E detection and distribution
  • Secure communication
  • Overlay?
  • Intrusion detection systems?
  • Honeypots, honeyfarms?

122
Remarks
  • Future worms will be more aggressive
  • Need automatic detection mechanisms
  • No global answer, need to apply all the
    techniques
  • Network level detections have limitations because
    of limited/no knowledge of software
    vulnerabilities
  • E2E detection, secure P2P distribution of worm
    information

123
Roadmap (repeated from slide 3)

124
What Is Peer-to-Peer?
  • Each node potentially has the same responsibility
  • Every node is designed to provide some service that helps other nodes in the network to get service
  • Resources can be shared in different ways
    • CPU cycles: SETI@home
    • Storage space: Napster, Gnutella, Freenet…

125
First-Generation P2P Systems
  • Napster, Gnutella, Freenet…
  • Intended for large scale sharing of data files
  • Lack Self-organization
  • Reliable content location was not guaranteed

126
Second-Generation P2P systems
  • Pastry, Tapestry, Chord, CAN…
  • They provide a load balanced, fault-tolerant
    distributed hash table, in which items can be
    inserted and looked up in a bounded number of
    forwarding hops
  • They form a self-organizing overlay network
  • They guarantee a definite answer to a query in a
    bounded number of network hops

127
Napster
  • Storage
    • Connect to the Napster server
    • Upload your list of files (push) to the server
  • Retrieval
    • Give the server keywords to search the full list with
    • Select the best of the correct answers (pings)
  • Centralized server
    • Single logical point of failure, potential for congestion
  • No security
    • Passwords in plain text, no authentication, no anonymity

128–131
Napster: How It Works
  1. Each user uploads its file list to napster.com.
  2. A user sends a search request to the server; the request and the results pass between the user and napster.com.
  3. The user pings the hosts that apparently have the data, looking for the best transfer rate.
  4. The user retrieves the file directly from the chosen peer.
132
Gnutella
  • Fully decentralized method of searching for files
  • Each application instance serves to
    • store selected files
    • route queries (file searches) from and to its neighboring peers
    • respond to queries (serve the file) if the file is stored locally
  • How it works: searching by flooding
    • If you don't have the file you want, query your neighbors
    • If they don't have it, they contact their neighbors, up to a maximum hop count (TTL)
    • Requests are flooded, but there is no tree structure

133
Pastry
  • Pastry
    • Completely decentralized, scalable, and self-organizing: it automatically adapts to the arrival, departure and failure of nodes
    • Seeks to minimize the distance messages travel, according to a scalar proximity metric like the number of IP routing hops
  • In a Pastry network,
    • Each node has a unique id, the nodeId
    • Presented with a message and a key, a Pastry node efficiently routes the message to the node with the nodeId numerically closest to the key

134
Pastry Node State
  • Leaf set: stores the numerically closest nodeIds
  • Routing table
    • Row n holds nodes whose ids share the first n digits with this node's id (10233102 in the example) and differ in the next digit
  • Neighborhood set: stores the closest nodes according to the proximity metric

135
Routing Rules
  • Prefix matching
  • Incrementally routing digit by digit
[Figure: a message for key 8954 is forwarded among nodes 6789, 734B, 8909, 8957 and 8F4B, each hop matching one more digit of the key, until it reaches node 8954]
  • Maximum hops: ⌈log_{2^b} N⌉

136
Pastry Routing
  • Given a message with key, check:
    • Forward the message to a node in the routing table whose nodeId shares with the key a prefix that is at least one digit (or b bits) longer than the prefix that the key shares with the current node's id
    • If no such node can be found, forward to a node whose nodeId shares a prefix with the key as long as the current node's, but is numerically closer to the key than the current node's id
    • If no appropriate node exists, then the current node or its immediate neighbor is the message's final destination

137
Chord Lookup Mechanism
Node 6 finger table:
  start  interval  successor
  7      [7,0)     0
  0      [0,2)     0
  2      [2,6)     4
Lookup of key 0 from node 1: node 1 knows that 5 is 0's closest preceding finger start, so it sends the request to that finger's successor, 6; 6 has 0 in its finger table; 0 replies to 1.
138
Security Issues
  • Routing attack
  • Incorrect lookup routing
  • An individual malicious node could forward
    lookups to an incorrect or non-existent node.
  • A malicious node might also simply declare
    (incorrectly) that a random node is the node
    responsible for a key.
  • Incorrect routing updates
  • A malicious node could corrupt the routing tables
    of other nodes by sending them incorrect updates.
  • Partition
  • A set of malicious nodes has formed a parallel
    network, running the same protocols as the real,
    legitimate network

139
Security Issues
  • Storage and retrieval attack
  • A malicious node could join and participate in
    the lookup protocol correctly, but deny the
    existence of data it was responsible for
  • Miscellaneous attacks
  • Overload of Targeted Nodes
  • Rapid Joins and Leaves
  • A malicious node could trick the system into
    rebalancing unnecessarily causing excess data
    transfers and control traffic.

140
Solutions
  • Secure nodeId assignment
    • The simplest design is to have a centralized authority that produces cryptographic nodeId certificates
  • Robust routing primitives
    • Attempt multiple, redundant routes from the source to the destination
    • E.g., in Pastry, send the message from the source node to all of its neighbors in the P2P overlay
    • Use random queries to detect false routing updates and partition attacks

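As an added example (not from the lecture), the following reproduces node 6's finger table and the 1 → 6 → 0 lookup from the Chord slide on a ring assumed to contain nodes {0, 1, 4, 6} with 3-bit identifiers (the smallest ring consistent with that table), then shows the "incorrect lookup routing" attack from the security slides: node 6, the predecessor of key 0, answers the lookup with a node that does not own the key. The querier-side sanity check at the end (ask the claimed owner for its predecessor and confirm the key lies between them) is one simple defence assumed for the demo, not the slides' own proposal.

```python
"""Added example, not part of the lecture slides: a tiny Chord ring.
Assumed: M = 3 identifier bits and nodes {0, 1, 4, 6}. Reproduces node 6's
finger table and the 1 -> 6 -> 0 lookup from the slide, then a lying node and
a querier-side plausibility check (the check is this demo's own device)."""
M = 3                 # identifier bits
RING = 1 << M


def in_open(x, a, b):
    """x in the circular open interval (a, b)."""
    return a < x < b if a < b else x > a or x < b


def in_half_open(x, a, b):
    """x in (a, b]; (a, a] is the whole ring (single-node case)."""
    return a < x <= b if a < b else x > a or x <= b


class Ring:
    def __init__(self, node_ids, liars=None):
        self.nodes = sorted(node_ids)
        self.liars = liars or {}      # malicious node -> bogus owner it reports for every key

    def successor(self, k):
        """First node at or after identifier k, wrapping around the ring."""
        return next((n for n in self.nodes if n >= k), self.nodes[0])

    def predecessor(self, n):
        return self.nodes[self.nodes.index(n) - 1]      # index -1 wraps to the last node

    def finger_table(self, n):
        """Rows (start, (start, end), successor(start)) for i = 0 .. M-1."""
        rows = []
        for i in range(M):
            start = (n + (1 << i)) % RING
            end = (n + (1 << (i + 1))) % RING
            rows.append((start, (start, end), self.successor(start)))
        return rows

    def closest_preceding_finger(self, n, key):
        for _, _, f in reversed(self.finger_table(n)):
            if in_open(f, n, key):
                return f
        return n

    def lookup(self, start, key):
        """Chord's find_successor, recording the path. Returns (path, claimed_owner).
        Honest nodes answer correctly; a liar answers with its bogus owner."""
        path, n = [start], start
        while True:
            if n in self.liars:
                return path, self.liars[n]
            succ = self.successor((n + 1) % RING)        # n's immediate successor
            if in_half_open(key, n, succ):
                path.append(succ)
                return path, succ
            nxt = self.closest_preceding_finger(n, key)
            if nxt == n:                                 # cannot get closer: succ owns it
                path.append(succ)
                return path, succ
            n = nxt
            path.append(n)

    def owner_is_plausible(self, key, claimed):
        """Querier-side check: the real owner of key is the first node at or after it,
        so key must lie in (predecessor(claimed), claimed]."""
        if claimed not in self.nodes:
            return False
        return in_half_open(key, self.predecessor(claimed), claimed)


def demo():
    honest = Ring([0, 1, 4, 6])
    rigged = Ring([0, 1, 4, 6], liars={6: 4})           # node 6 claims node 4 owns everything
    path, owner = honest.lookup(1, 0)
    bad_path, bad_owner = rigged.lookup(1, 0)
    return {
        "finger_table_6": honest.finger_table(6),
        "honest": (path, owner, honest.owner_is_plausible(0, owner)),
        "rigged": (bad_path, bad_owner, rigged.owner_is_plausible(0, bad_owner)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Issuing the same lookup from another start node (say 4) does not help here: in Chord the last honest hop is always the key's predecessor, so a lying predecessor gives the same wrong answer on every path, and only a check against the returned node's own state (or, as the solutions slide suggests, certified nodeIds so the liar can be named and ejected) exposes it.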
141
Solutions
  • Ejecting misbehaving nodes: remove a malicious node from the overlay
    • Need proof when one node accuses another of cheating
    • Proof may be generated at the application layer
    • Proof could be generated at the routing layer
    • However, if a node is simply dropping messages with some probability, or pretending that perfectly valid nodes do not exist, such behavior could also be explained by failures in the underlying Internet fabric

142
Wireless LANs
  • Ubiquitous broadband Internet access
  • High speed
    • 802.11b: 11 Mb/s, 802.11a/g: 54 Mb/s, 802.11n: 540 Mb/s
  • Low deployment costs
  • Small coverage (up to 300 m for 802.11)

143
Medium Access Control (MAC)
  • Coordinate channel access to maximize throughput
    • Reduce collisions
    • Minimize the idle intervals
[Figure: two stations, A and B, sharing one channel]
144
IEEE 802.11 Distributed Coordinate Function (DCF)
MAC Protocol
  • Carrier sense multiple access with collision
    avoidance (CSMA/CA)
  • Carrier sensing
  • Physical Carrier Sensing
  • Virtual Carrier Sensing
  • Interframe Spacing (IFS)
  • Short IFS (SIFS) < DCF IFS (DIFS)
  • Binary Exponential Backoff
  • Randomly chosen from [0, CW]
  • CW doubles in case of collision

[Figure: RTS/CTS exchange on the time axis: RTS (request to send), CTS (clear to send), DATA, ACK (acknowledge)]
145
Security Issues of 802.11 WLANs
  • Mutual authentication between the AP and users
  • Traffic encryption
  • The infamous insecurity of WEP (Wired Equivalent
    Privacy)
  • Selfish users
  • Gain an advantage over other users by not
    following the protocol operations, e.g., using a
    fixed, very small backoff value
  • DoS attacks on the AP
  • …
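
The binary exponential backoff of slide 144 and the selfish user of slide 145, as an added example that is not part of the original slides: a constructed, simplified slotted model of DCF contention in which honest stations draw from [0, CW] and one station uses a fixed, very small backoff, plus a monitor-side check that flags a station whose observed backoffs are far below what CW_MIN permits. CW_MIN, CW_MAX and the one-draw-per-round model are simplifying assumptions.

```python
import random
from collections import defaultdict

CW_MIN, CW_MAX = 15, 1023   # 802.11 DCF contention window bounds, in slots (assumed)

def simulate(n_honest, selfish_backoff, rounds, seed=1):
    """Simplified slotted DCF contention (constructed model, not a full 802.11 simulator).
    Each round every station draws a backoff; the smallest draw wins the channel and
    resets its CW to CW_MIN; tied draws collide and every tied station doubles its CW.
    Honest stations draw uniformly from [0, CW]; if selfish_backoff is not None,
    station 0 ignores CW and always uses that fixed value (the slide's selfish user)."""
    rng = random.Random(seed)
    stations = list(range(n_honest + (1 if selfish_backoff is not None else 0)))
    cw = {s: CW_MIN for s in stations}
    wins = {s: 0 for s in stations}
    observed = defaultdict(list)          # backoffs a monitor could observe per station
    for _ in range(rounds):
        draws = {}
        for s in stations:
            if selfish_backoff is not None and s == 0:
                draws[s] = selfish_backoff
            else:
                draws[s] = rng.randint(0, cw[s])
            observed[s].append(draws[s])
        low = min(draws.values())
        winners = [s for s, d in draws.items() if d == low]
        if len(winners) == 1:             # successful transmission
            wins[winners[0]] += 1
            cw[winners[0]] = CW_MIN
        else:                             # collision: binary exponential backoff
            for s in winners:
                cw[s] = min(2 * cw[s] + 1, CW_MAX)
    return wins, dict(observed)

def flag_selfish(observed, window=200, cw_min=CW_MIN):
    """Defender-side check (added here, not from the slides): an honest station's mean
    backoff is at least cw_min / 2 slots because CW never drops below cw_min. Flag any
    station whose mean over its last `window` contentions is below half of that."""
    threshold = cw_min / 4
    flagged = set()
    for s, backoffs in observed.items():
        recent = backoffs[-window:]
        if sum(recent) / len(recent) < threshold:
            flagged.add(s)
    return flagged

if __name__ == "__main__":
    wins, observed = simulate(n_honest=4, selfish_backoff=1, rounds=2000)
    print("channel wins per station:", wins)
    print("stations flagged as selfish:", flag_selfish(observed))
```

The selfish station captures most channel wins while its observed backoffs stay near 1, which the mean-backoff check flags; honest stations average at least CW_MIN/2 and are not flagged.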

146
Mobile Ad Hoc Networks
147
Wireless Sensor Networks
148
Wireless Mesh Networks
  • Ubiquitous broadband Internet access

Cellular networks
  • Wide area coverage (km range)
  • Low speed
  • W-CDMA: 384 kb/s to 2 Mb/s
  • CDMA2000: 144 kb/s to 2.4 Mb/s
  • High deployment costs

149
Wireless Mesh Networks
  • Ubiquitous broadband Internet access
  • High speed
  • 802.11b: 11 Mb/s, 802.11a/g: 54 Mb/s, 802.11n:
    540 Mb/s
  • Low deployment costs
  • Small coverage (up to 300m for 802.11)

150
Wireless Mesh Networks
A unique marriage of the ubiquitous coverage of
wide-area cellular networks with the ease and
high speed of WLANs
151
Vehicular Networks
152
Vehicular Networks
153
Applications of Vehicular Networks
  • Congestion detection
  • Vehicle platooning
  • Road hazard warning
  • Collision alert
  • Stoplight assistant
  • Toll collection
  • Deceleration warning
  • Emergency vehicle warning
  • Border clearance
  • Traction updates
  • Flat tire warning
  • Merge assistance

154
RFID networks
http://www.youtube.com/watch?v=_xNhL39uD7I
  • RFID: Radio Frequency IDentification.
  • An ADC (Automated Data Collection) technology
    that
  • uses radio-frequency waves to transfer data
    between a reader and a movable item to identify,
    categorize, track, ...
  • is fast and does not require physical sight or
    contact between the reader/scanner and the tagged
    item.
  • performs the operation using low-cost components.
  • attempts to provide unique identification and
    backend integration that allows for a wide range of
    applications.
  • Other ADC technologies: bar codes, OCR.

155
A typical RFID system
[Figure: tag, reader and back-office database(s)]
  • Transponder/tag
  • active / passive
  • 1 bit to 64 kB (EEPROM/SRAM)
  • controller / CPU
  • read-only / read-write
  • Reader
  • LF / UHF
  • Communication range
  • Coupling

156
Applications (1)
  • Home
  • Neighbourhood garbage depots
  • Tactile user interfaces
  • real gaming (cf GPS based stuff)
  • Work
  • Alcatel Rijswijk
  • linking laptops to owners
  • Fun / Shopping
  • Metro store
  • Prada
  • Legoland kidspotter
  • Apenheul (crowd performance)
  • Madejski Smart Stadium (crowd control)

157
Applications (2)
  • Infotainment
  • Tagged billboards
  • Science museum LA
  • City tours
  • Travel
  • KLM baggage handling
  • OV chipcard (vs London Oyster card)
  • Biometric passport
  • Healthcare

158
Current RFID systems are unsafe
  • No authentication
  • No friend/foe distinction
  • No access control
  • Rogue reader can link to tag
  • Rogue tag can mess up reader
  • No encryption
  • Eavesdropping possible
  • Predictable responses
  • Traffic analysis, linkability
  • No GUI…
  • … and distance not enforced by tag

159
RFID Risks: Consumers
  • User profiling
  • Possible robbery target
  • Possible street-marketing target
  • Personalised loyalty/discounts
  • Refuse/grant access to shop/building
  • Even for tags without a serial number
  • Loss of location privacy
  • By tracking same user profile
  • Fake transactions / Identity theft
  • No protection by privacy laws…
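
The "predictable responses" and linkability problem of slide 158 and the location-privacy loss of slide 159, as an added illustration that is not from the slides: a constructed model of a tag that answers every reader with the same identifier (so two sightings at different places link to one person) next to a tag that answers with a fresh nonce and a hash over nonce and ID, a mitigation borrowed from the RFID privacy literature (randomized hash lock) rather than from these slides. The tag IDs, place names and SHA-256 hashing are assumptions of the example.

```python
import hashlib
import secrets

def h(*parts):
    """SHA-256 over the concatenated parts (constructed helper, not a standard tag primitive)."""
    return hashlib.sha256(b"|".join(parts)).hexdigest()

class StaticTag:
    """Today's tag as the slide describes it: no authentication, no access control,
    and the same predictable answer to any reader, rogue or not."""
    def __init__(self, tag_id):
        self.tag_id = tag_id
    def respond(self):
        return self.tag_id

class RandomizedTag:
    """Mitigation (not on the slides): randomized hash lock. Each reply is a fresh nonce
    and H(nonce, ID), so two readings of the same tag share no common value; only a back
    end that knows the set of issued IDs can resolve the reply."""
    def __init__(self, tag_id):
        self.tag_id = tag_id
    def respond(self):
        nonce = secrets.token_bytes(8)
        return nonce, h(nonce, self.tag_id)

def link_sightings(sightings):
    """Risk view: given (place, response) pairs collected by readers, return the responses
    seen at more than one place, i.e. the tags whose movements can be linked."""
    seen = {}
    for place, resp in sightings:
        seen.setdefault(resp, set()).add(place)
    return {resp for resp, places in seen.items() if len(places) > 1}

def backend_resolve(nonce, digest, known_ids):
    """Authorized back end: identify the tag by recomputing H(nonce, ID) over its database.
    Cost is linear in the number of issued tags, the known price of this scheme."""
    for tag_id in known_ids:
        if h(nonce, tag_id) == digest:
            return tag_id
    return None
```

With the static tag, the same identifier turns up at "mall" and "office" and is linked; with the randomized tag, the two sightings are unrelated values to any observer, yet the back end still resolves either one from its ID list.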

160
RFID Risks: Companies
  • Corporate espionage
  • Scanning competitors' inventory (or customer base)
  • Eavesdropping tags
  • Querying tags
  • Unauthorised access
  • Fake RFIDs
  • Derived/competing services
  • Using competitors' installed base
  • Denial of service attacks
  • Supply chain failure
  • Jamming signals
  • Fake RFIDs