Post on 15-Dec-2015
NETWORK SECURITYEE122 Section 12
QUESTION 1
SY
N
SY
N A
CK
AC
KD
ata
RS
T
AC
K
timeA
B
Data R
ST
ABRUPT TERMINATION
A sends a RESET (RST) to B E.g., because application process on A crashed
B does not ack the RST
Thus, RST is not delivered reliably
And: any data in flight is lost
But: if B sends anything more, will elicit another RST
END-TO-END SECURITY
Application layer TLS/SSL encrypts all application layer data
… but does not encrypt the TCP header!
END-TO-END SECURITY
Encrypted Content
TCP Header
IP Header
TLS/SSL(Application Layer)
END-TO-END SECURITY
Application layer TLS/SSL encrypts all application layer data
… but does not encrypt the TCP header!
Transport layer TCP sequence number defends against blind spoofing
… but not man-in-the-middle attacks
Network layer IPsec encrypts the entire IP payload, including the TCP header
END-TO-END SECURITY
Encrypted Content
TCP Header
IP Header
Encrypted IP Header
IP Header
Encrypted Content
Encrypted TCP Header
TLS/SSL(Application Layer) IPsec
(Network Layer)
BLIND SPOOFING
Need to know the sequence number
BLIND SPOOFING
Need to know the sequence number How? Guess all 65536 numbers!
Alternatively, infer first send a legitimate TCP SYN
Let’s say the receiver responds with sequence number A
Then spoof a TCP SYN assuming the receiver responds with A+1
Defenses?
QUESTION 2
228.147.0.0/16
228.147.0.0/16
Source IP: 228.147.0.1
228.147.0.0/16
Source IP: 188.0.0.1
Egress Filtering
228.147.0.0/16
Source IP: 123.456.8.8
228.147.0.0/16
Source IP: 228.147.5.5
Ingress Filtering
228.147.0.0/16
Source IP: 228.147.5.5
Ingress Filtering
What’s missing?
Receiver Attacker
SYN
SYNACK (seqno = y)
Source
???ACK (ackno = k?)
Receiver Attacker
…
Confirmation Request
Source
???
Confirmation Response
Defenses?
Receiver Attacker
…
Confirmation Request (123)
Source
???
Confirmation Response (456?)
Nonce
QUESTION 3
You
Web server X
100Mbps1Gbps
Web server X can comfortably handle
the load you generate
DISTRIBUTED DENIAL-OF-SERVICE (DDOS)
Master
Slave 1
Slave 3
Slave 4
Slave 2
Victim
Control traffic directs slaves at victim
src = randomdst = victim
Slaves send streams of traffic (perhaps spoofed) to victim
Reflector (R)
Internet
Attacker (A)
Victim (V)
SYN
SYNACK
REFLECTORS
Cause one non-compromised host to attack another E.g., host A sends TCP SYN with source V to server R R sends reply to V
DIFFUSE DDOS: REFLECTOR ATTACK
Master
Slave 1
Slave 3
Slave 4
Slave 2
Victim
Control traffic directs slaves at victim & reflectors
Request: src = victim dst = reflector
Reflectors send streams of non-spoofed but unsolicited traffic to victim
Reflector 1
Reflector 9
Reflector 4
Reflector 2
Reflector 3
Reflector 5
Reflector 6
Reflector 7
Reflector 11Reflector 8
Reflector 10
Reply: src = reflector dst = victim
MITIGATING DDOS
No good defense…
Solutions so far Overprovision
Distribute service to multiple machines
QUESTION 4
Andrew SteveE(M, Stevepub)
Andrew SteveE(M, Stevepub)
Man-In-The-Middle
Andrew Steve
Man-In-The-Middle
E(M’, Stevepub)
Andrew SteveE(M, Stevepub)
MAC(H(M), Andrewprivate)
Andrewpub???
Andrew SteveE(M, Stevepub)
MAC(H(M), Andrewprivate)
E(Andrewpub, Stevepub)
Andrew Steve
Man-In-The-Middle
MAC(H(M), Andrewprivate)
E(Andrewpub, Stevepub)
E(M, Stevepub)
Andrew Steve
Man-In-The-Middle
MAC(H(M’), MITMprivate)
E(MITMpub, Stevepub)
E(M’, Stevepub)