
Network Systems Security by Mort Anvari, Lecture 12


DOCUMENT INFORMATION

Basic information

Pages: 42
Size: 334 KB

Content

Slide 1: Denial-of-Service (DoS) Attacks
Network Systems Security, Mort Anvari, 10/5/2004

Slide 2: A Security Problem in Network
- An adversary that has access to a network can insert new messages, modify current messages, or replay old messages in the network
- These inserted, modified, and replayed messages can go undetected until they cause severe damage to the network
- The physical location of the adversary in the network may never be determined
- Example: denial-of-service attacks

Slide 3: Denial-of-Service (DoS) Attacks
- Aimed to deny normal service provided by the target computer
- Communication-stopping attacks: ARP spoofing attack
- Resource-exhausting attacks: Smurf attack, SYN attack

Slide 4: Ping Protocol
- Allows any computer to check whether any other computer in the Internet is up
- Any computer x can send a "ping" message to any computer y, which replies by sending back a "pong" message (thus x knows y is up)
- In the ping message: src = x and dst = y. In the pong message: src = y and dst = x
- [figure: x sends ping(x, y) to y; y returns pong(y, x) to x]

Slide 5: Broadcast Ping Protocol
- If in the ping message dst = "all", a copy of the ping is broadcast to every computer
- Each computer replies by sending back a pong, and x is flooded with pong messages
- In the ping message: src = x and dst = "all". In each pong message: src = y and dst = x
- [figure: x sends ping(x, all); every computer y, y', ... returns pong(y, x), pong(y', x), ...]

Slide 6: Smurf Attack
- An adversary pretends to be x and broadcasts a ping message where src = x and dst = "all"
- Thus, x is flooded with pong messages that it has not requested: a denial-of-service attack at x
- [figure: adversary a sends ping(x, all); y, y', ... send pong(y, x), pong(y', x), ... to x]

Slide 7: Countering Smurf Attack
- Make each router check the src of each received message and discard the message if the src is suspicious
- [figure: a sends ping(x, all) through routers R1, R2, R3; a router on the path reasons "src = x shouldn't come to me" and discards it]

Slide 8: Clever Smurf Attack
- An adversary inserts a ping(x, all) message between routers R2 and R3
- R3 thinks the message was forwarded by R2 and so accepts the message
- [figure: a injects ping(x, all) directly on the R2-R3 link, bypassing the check at R1 and R2]
Slide 9: Countering Clever Smurf Attack
- When R3 receives a message, R3 needs to determine whether the message was indeed sent by R2, or was modified or replayed by an adversary between R3 and R2
- If IPsec is used, SAs will need to be set up between each pair of adjacent routers: too expensive
- Our solution: use a hop integrity protocol between each pair of adjacent routers

Slide 10: Hop Integrity
- Let p, q be routers connected to the same subnetwork
- Detection of message modification: when q receives a message m supposedly from p, q can check that m was not modified after it was sent
- Detection of message replay: when q receives a message m supposedly from p, q can check that m was not a replay of an old message

[Slides 11-27 are not included in the preview; only two fragments survive]

Slide 13: Component of Hop Integrity Protocols
- [figure: the protocol stacks of two adjacent routers (Applications, Transport, Network, integrity check layer, Subnetwork); the integrity check layer sits between the Network and Subnetwork layers and holds shared secrets labelled pe/qe, pw/qw and ps/qs]

Slide 27: (outline, partial)
- ... multicast
- Security of routing protocols

Slide 28: Mobile IP
- A mobile computer c can visit a foreign network F other than its home network H
- Messages destined for c will be received by its home agent (HA) and forwarded to its foreign agent (FA)
- [figure: message m arrives from the Internet at the HA in H, is forwarded to the FA in F, and reaches c]

Slide 29: Problem with Mobile IP
- Mobile computer c can send a message through the FA
- However, this message may be filtered out by the next router q because its source address is "strange"
- [figure: c sends m through the FA to router q, which questions the source address]

Slide 30: Mobile IP with Hop Integrity
- With an integrity check d added to message m, q can check that m was indeed forwarded by the FA
- Thus, q ignores the strange source of message m and forwards m toward its ultimate destination
- [figure: c sends m through the FA to q; the FA attaches d, and q forwards m toward the Internet]

Slides 31-34: Multicast (the same text repeated over an animated figure)
- Multicast messages are forwarded through a spanning tree from the root to every multicast destination
- If a destination receives a multicast message, then each destination receives a copy of the same message with high probability

Slide 35: Security Problem with Multicast
- If an adversary inserts or modifies a multicast message between two routers in the middle of the tree, then only a small fraction of multicast destinations receive the inserted or modified message

Slide 36: Multicast with Hop Integrity
- With hop integrity, an inserted or modified multicast message will be detected and discarded at its first hop in the spanning tree

Slide 37: Routing Information Protocol (RIP)
- Every 30 seconds, the RIP process in router R' sends its routing table in a response message to the RIP process in each adjacent router R
- R updates its routing table when it receives a response message from any adjacent R'
- Security problem
- [figure: RIP over UDP over IP in R' and in R]

Slide 38: RIP with Hop Integrity
- With hop integrity, the response messages are protected against message modification, insertion, and replay
- [figure: RIP over UDP over (Secret Update, Integrity Check) over IP in both routers]

Slide 39: Security of Routing Protocols
- Hop integrity can also provide uniform protection (against message modification, insertion, and replay) for other routing protocols: OSPF protocols (Hello, Exchange, Flood), RSVP
- Better than the custom security mechanisms that have been proposed for some protocols

Slide 40: Implementation of Hop Integrity
- Implementation of hop integrity protocols in the Linux kernel
- Add an integrity check digest and a soft sequence number to the IP options in the IP header
- Compatible with legacy routers
- Flexibility of deployment

Slide 41: Related Works
- Ingress filtering [RFC2827] and secure routing [Che97, MB96, SMG97]: not needed if hop integrity is installed
- Traceback [BLT01, SWK+01, SPS+01]: completes hop integrity; cannot prevent denial-of-service attacks, but can detect some of them
- IPsec [KA98a]: has goals other than dealing with denial-of-service attacks

Slide 42: Next Class
- Security in the transport layer
- SSL and TLS
- Application of SSL/TLS in Web security
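The two defences on these slides, the source-address check at a router (slide 7) and the hop integrity checks between adjacent routers (slides 9, 10 and 40), worked through as an added example. This is not code from the lecture or from its Linux kernel implementation: it models the integrity check digest and soft sequence number as fields of a message rather than IP options, uses HMAC-SHA256 as the digest (the slides do not name one), and the shared secret, address block and message contents are constructed sample values.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values (not from the lecture): the secret that adjacent
# routers R2 and R3 share, and the source block R3 expects on its link from R2.
SECRET_R2_R3 = b"constructed-shared-secret-between-R2-and-R3"
EXPECTED_SRC_FROM_R2 = ipaddress.ip_network("10.2.0.0/16")


def integrity_digest(secret: bytes, seq: int, src: str, dst: str, payload: bytes) -> bytes:
    """Integrity check d over (seq, src, dst, payload), keyed with the hop secret.
    HMAC-SHA256 is an assumption; the slides only say 'integrity check digest'."""
    data = seq.to_bytes(4, "big") + src.encode() + b"|" + dst.encode() + b"|" + payload
    return hmac.new(secret, data, hashlib.sha256).digest()


def hop_send(secret: bytes, state: dict, src: str, dst: str, payload: bytes) -> dict:
    """Router p forwards m to neighbour q with a fresh soft sequence number and digest."""
    state["seq"] += 1
    return {
        "src": src, "dst": dst, "seq": state["seq"], "payload": payload,
        "digest": integrity_digest(secret, state["seq"], src, dst, payload),
    }


def hop_receive(secret: bytes, state: dict, msg: dict) -> str:
    """Router q checks a message supposedly from p; returns 'ok' or a discard reason."""
    # Countering Smurf (slide 7): discard if src is implausible for this link.
    if ipaddress.ip_address(msg["src"]) not in EXPECTED_SRC_FROM_R2:
        return "discard: suspicious src"
    # Detection of message modification / insertion: recompute the digest.
    expected = integrity_digest(secret, msg["seq"], msg["src"], msg["dst"], msg["payload"])
    if not hmac.compare_digest(expected, msg["digest"]):
        return "discard: modified or inserted"
    # Detection of message replay: the soft sequence number must advance.
    if msg["seq"] <= state["last_seq"]:
        return "discard: replay"
    state["last_seq"] = msg["seq"]
    return "ok"


def run_scenario() -> list:
    """Run the lecture's cases over the R2 -> R3 hop; returns R3's verdict for each."""
    r2 = {"seq": 0}        # R2's sending state towards R3
    r3 = {"last_seq": 0}   # R3's receiving state for messages from R2
    verdicts = []

    # 1. Legitimate message forwarded by R2.
    m1 = hop_send(SECRET_R2_R3, r2, "10.2.5.7", "10.3.0.9", b"normal traffic")
    verdicts.append(hop_receive(SECRET_R2_R3, r3, m1))

    # 2. Plain smurf: same message but src forged as victim x, who is not behind R2.
    verdicts.append(hop_receive(SECRET_R2_R3, r3, dict(m1, src="192.0.2.1")))

    # 3. Clever smurf: a ping(x, all) inserted on the R2-R3 link. Its src passes the
    #    ingress check, but the adversary lacks the secret, so the digest is wrong.
    inserted = {"src": "10.2.9.9", "dst": "all", "seq": 99,
                "payload": b"ping", "digest": bytes(32)}
    verdicts.append(hop_receive(SECRET_R2_R3, r3, inserted))

    # 4. Genuine m2 from R2, altered in transit.
    m2 = hop_send(SECRET_R2_R3, r2, "10.2.5.7", "10.3.0.9", b"second message")
    verdicts.append(hop_receive(SECRET_R2_R3, r3, dict(m2, payload=b"altered")))

    # 5. Replay of m1: its digest is still valid, but seq 1 does not advance past 1.
    verdicts.append(hop_receive(SECRET_R2_R3, r3, m1))

    # 6. The unmodified m2 (seq 2) is accepted.
    verdicts.append(hop_receive(SECRET_R2_R3, r3, m2))
    return verdicts


if __name__ == "__main__":
    for i, verdict in enumerate(run_scenario(), 1):
        print(i, verdict)
```

The digest covers src and dst as well as the payload and sequence number, so a message whose source was rewritten in transit fails the digest check even on links where no ingress filter applies; this is what lets router q on slide 30 accept the "strange" Mobile IP source once the FA has attached d. Per-neighbour state (the last accepted sequence number) is what turns a valid old digest into a detectable replay; a deployable version of the soft sequence number would also need wrap-around and resynchronisation handling, which this model leaves out.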

Posted: 09/01/2018, 11:58
