1 / 36

Network Security

Network Security. EE122 Section 12. Question 1. RST. RST. Data. B. ACK. SYN ACK. SYN. ACK. Data. A. time. A sends a RESET (RST) to B E.g., because application process on A crashed B does not ack the RST Thus, RST is not delivered reliably And: any data in flight is lost

inez-logan
Télécharger la présentation

Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network Security EE122 Section 12

  2. Question 1

  3. RST RST Data B ACK SYN ACK SYN ACK Data A time • A sends a RESET (RST) to B • E.g., because application process on A crashed • B does not ack the RST • Thus, RST is not delivered reliably • And: any data in flight is lost • But: if B sends anything more, will elicit another RST Abrupt Termination

  4. Application layer • TLS/SSL encrypts all application layer data • … but does not encrypt the TCP header! End-to-end Security

  5. IP Header TCP Header Encrypted Content End-to-end Security TLS/SSL (Application Layer)

  6. Application layer • TLS/SSL encrypts all application layer data • … but does not encrypt the TCP header! • Transport layer • TCP sequence number defends against blind spoofing • … but not man-in-the-middle attacks • Network layer • IPsec encrypts the entire IP payload, including the TCP header End-to-end Security

  7. IP Header IP Header Encrypted IP Header TCP Header Encrypted TCP Header Encrypted Content Encrypted Content End-to-end Security TLS/SSL (Application Layer) IPsec (Network Layer)

  8. Need to know the sequence number Blind Spoofing

  9. Need to know the sequence number • How? Guess all 65536 numbers! • Alternatively, infer • first send a legitimate TCP SYN • Let’s say the receiver responds with sequence number A • Then spoof a TCP SYN assuming the receiver responds with A+1 • Defenses? Blind Spoofing

  10. Question 2

  11. 228.147.0.0/16

  12. Source IP: 228.147.0.1 • 228.147.0.0/16

  13. Source IP: 188.0.0.1 • Egress Filtering • 228.147.0.0/16

  14. Source IP: 123.456.8.8 • 228.147.0.0/16

  15. Source IP: 228.147.5.5 • Ingress Filtering • 228.147.0.0/16

  16. Source IP: 228.147.5.5 What’s missing? • Ingress Filtering • 228.147.0.0/16

  17. Receiver Attacker Source SYN SYNACK (seqno = y) ??? ACK (ackno = k?)

  18. Receiver Attacker Source … Confirmation Request ??? Confirmation Response • Defenses?

  19. Receiver Attacker Source … Confirmation Request (123) ??? Confirmation Response (456?) Nonce

  20. Question 3

  21. Web server X 1Gbps 100Mbps You Web server X can comfortably handle the load you generate

  22. Slave 1 Victim Master src = randomdst = victim Slave 2 Slave 3 Distributed Denial-of-Service (DDoS) Slave 4 Slaves send streams of traffic (perhaps spoofed) to victim Control traffic directs slaves at victim

  23. Cause one non-compromised host to attack another • E.g., host A sends TCP SYN with source V to server R • R sends reply to V Reflector (R) Attacker (A) SYN Internet SYNACK Reflectors Victim (V)

  24. Reflector 11 Reflector 10 Reflector 1 Reflector 8 Reflector 9 Reflector 3 Reflector 6 Reflector 2 Reflector 7 Reflector 5 Reflector 4 Slave 1 Slave 2 Victim Master Reply: src = reflectordst= victim Request: src = victim dst = reflector Slave 3 Diffuse DDoS: Reflector Attack Slave 4 Control traffic directs slaves at victim & reflectors Reflectors send streams of non-spoofed but unsolicited traffic to victim

  25. No good defense… • Solutions so far • Overprovision • Distribute service to multiple machines Mitigating DDOS

  26. Question 4

  27. Andrew Steve E(M, Stevepub)

  28. Andrew Steve E(M, Stevepub) Man-In-The-Middle

  29. Andrew Steve E(M’, Stevepub) Man-In-The-Middle

  30. Andrewpub??? Andrew Steve E(M, Stevepub) MAC(H(M), Andrewprivate)

  31. Andrew Steve E(M, Stevepub) MAC(H(M), Andrewprivate) E(Andrewpub, Stevepub)

  32. E(M, Stevepub) E(Andrewpub, Stevepub) Andrew Steve MAC(H(M), Andrewprivate) Man-In-The-Middle

  33. E(M’, Stevepub) E(MITMpub, Stevepub) Andrew Steve MAC(H(M’), MITMprivate) Man-In-The-Middle

More Related