Security problems with the Internet architecture.
The Internet had been designed with the following features in
mind:
■ scaling
■ heterogeneity
■ complexity at edges (end-to-end problem)
■ autonomy/flexibility
Security as a feature was not in the list. Why?
■ any reasonable security mechanism would oppose the
fundamental design principles/objectives listed above
Some six hundred RFCs all avoid this issue. Vendors
would rather pack “new features” into their products
than mitigate potential security problems in them.
How big is the problem? Consult the Honeynet project
(http://project.honeynet.org). They found:
■ a random computer on the Internet is scanned
roughly a dozen times per day
■ the expected life expectancy of a RedHat 6.2
server before being hacked is 72 hours
■ a Windows 98 machine with standard file sharing
was hacked 5 times in 4 days.
Should we care? These compromised machines are often
taken over by a single attacker and used together in a
DDoS (Distributed Denial of Service) attack.
[Figure: architecture of a bandwidth attack. The attacker sends control traffic to a master; the master controls several slaves; the slaves direct the attack traffic at the victim.]
Taxonomy of attacks:
A. DoS/DDoS attacks: Denial of Service and
Distributed DoS attacks exhaust the resources of the target
host (or exhaust the bandwidth of a particular
link). In Feb 2000, Yahoo, CNN, Amazon.com,
eBay, ..
A1. DoS/DDoS attacks are often launched by
flooding (like jamming a telephone line). Flooding exhausts
the resources of a server or its link bandwidth, as in
this address-spoofing and ping combination:
The perpetrator gains control of slave machines.
Assume ping commands of the form
ping(source, destination)
where the echo reply is returned to the source address claimed in the request.
The master instructs slave_i to attack a target by
sending requests ping(target, slave_i): the replies go to the spoofed source, i.e. the target.
Another example: Smurf amplifier networks.
The perpetrator sends a
ping(target, network@broadcast_mode)
It is assumed that the target machine is on the network
identified in the 2nd argument. Here the router
broadcasting the request is limited by its packet processing rate,
not by bandwidth. The target address is
flooded with simultaneous ping replies from all
hosts on that network. Here Cisco routers come into focus.
What can be done to stop this?
■ Configure your operating system to prevent
the machine from responding to ICMP
packets sent to IP broadcast addresses.
■ Routers must turn off forwarding of directed
broadcasts on all other ports.
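To make the ping(source, destination) reflection and the two countermeasures concrete, here is an added simulation (example code written for these notes, not from the original slides or from any real tool) of a LAN whose hosts and router carry the two settings just listed. The host addresses, the name `target` and the `@broadcast_mode` suffix are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Host:
    addr: str
    ignore_broadcast_echo: bool = False  # OS knob: ignore ICMP echo sent to a broadcast address


@dataclass
class Network:
    prefix: str
    hosts: list
    forward_directed_broadcast: bool = True  # router knob: forward directed broadcasts onto the LAN

    @property
    def broadcast(self):
        return self.prefix + "@broadcast_mode"  # the notes' notation for the broadcast address


def ping(source, destination):
    """The notes' ping(source, destination): an echo request claiming to come from `source`."""
    return {"src": source, "dst": destination}


def deliver(net, request):
    """Return the addresses that echo replies are sent to. A reply always goes to the
    claimed source, which is why a forged source turns every responder into a reflector."""
    if request["dst"] == net.broadcast:
        if not net.forward_directed_broadcast:
            return []  # router drops the directed broadcast; no host ever sees it
        responders = [h for h in net.hosts if not h.ignore_broadcast_echo]
    else:
        responders = [h for h in net.hosts if h.addr == request["dst"]]
    return [request["src"] for _ in responders]


def replies_to(target, net, request):
    """Number of echo replies the target absorbs for one request: the amplification factor."""
    return sum(1 for dst in deliver(net, request) if dst == target)


def make_lan(prefix, n_hosts, ignore_broadcast_echo=False, forward_directed_broadcast=True):
    """Constructed LAN of n_hosts (addresses prefix.1 .. prefix.n_hosts) for the demonstration."""
    hosts = [Host(f"{prefix}.{i}", ignore_broadcast_echo) for i in range(1, n_hosts + 1)]
    return Network(prefix, hosts, forward_directed_broadcast)


if __name__ == "__main__":
    weak = make_lan("10.0.0", 254)
    print("smurf, unhardened:", replies_to("target", weak, ping("target", weak.broadcast)))
    print("one slave reflecting:", replies_to("target", weak, ping("target", "10.0.0.7")))
    hosts_fixed = make_lan("10.0.0", 254, ignore_broadcast_echo=True)
    router_fixed = make_lan("10.0.0", 254, forward_directed_broadcast=False)
    print("hosts hardened:", replies_to("target", hosts_fixed, ping("target", hosts_fixed.broadcast)))
    print("router hardened:", replies_to("target", router_fixed, ping("target", router_fixed.broadcast)))
```

Either setting alone brings the broadcast case to zero, which is why the notes list both: the router fix protects hosts that were never reconfigured, the host fix protects against routers that still forward.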
Other DDoS attack tools: Trinoo, TFN, Stacheldraht, etc.
Trinoo:
■ A Trojan program that affects Windows systems and is
used in DDoS attacks. It copies a file service.exe to the
Windows\System directory, and once executed it stays
active all the time.
■ Anyone running the Trinoo client program anywhere
can sneak into the computer without being noticed.
Intrusion-detection Issue
An intruder at time t is X(t), working to destabilize
the target system S(t). Typically, its activity is one
of the following:
■ port flooding
■ port probing
■ port walking
■ online password cracking attempt
[Figure: a local anomaly in the network where the intrusion occurs.]
Therefore, perhaps:
Null hypothesis, H0: an intrusion event has occurred.
Detection of an anomalous event:
Type II error: the null hypothesis H0 is accepted
when no intrusion took place. A false positive.
The inverse problem: the null hypothesis is not accepted, yet
an intrusion did take place. A Type I error (a missed intrusion).
The challenge: the intruder's attack signature is not yet
established. How do you detect the intruder?
Our only observables at the system level are
information like these:
% netstat -s
RAWIP
rawipInDatagrams = 23 rawipInErrors = 0
rawipInCksumErrs = 0 rawipOutDatagrams = 21
rawipOutErrors = 0
UDP
udpInDatagrams = 16132 udpInErrors = 0
udpOutDatagrams = 16163 udpOutErrors = 0
TCP
tcpRtoAlgorithm = 4 tcpRtoMin = 400
tcpRtoMax = 60000 tcpMaxConn = -1
tcpActiveOpens =158905 tcpPassiveOpens =293710
tcpAttemptFails = 56 tcpEstabResets = 5971
tcpCurrEstab = 17 tcpOutSegs = 11019883
tcpOutDataSegs =7924143 tcpOutDataBytes =1691751489
tcpRetransSegs = 83957 tcpRetransBytes =100068036
tcpOutAck =3095286 tcpOutAckDelayed =320811
They could be available via an SNMP agent that
samples a host, a router, or a switch to get the
standard MIB observables. From these
observations alone one must infer whether or not an
intrusion event had been launched at a time t.
Assumption. If X ( t ) = intrusion-event at time t,
S ( t , ) = intruded system at time t and at a stable
equilibrium such that
0
t tt
The system may move from one stable equilibrium
to another one by normal change in traffic patterns.
If X(t ) then either it would force S ( t , ) to move to
S ( t' , ) where is another equilibrium state, or it
would move to S ( t' , ) where is a transition state
or a state of unstable equilibrium.
[Figure: system movements in phase space. Under X(t), the system moves from S(t, e) either to S(t+Δt, f) or to S(t', ·).]
In our case, we assume that every X(t) pushes a
system to an unstable state. After the system
spends some time in it, it would settle into some
stable equilibrium state.
The system can be seen as equivalent to a queuing
system as shown below:
[Figure: node interface to a network, drawn as a queue at the server: traffic from hosts to the network and from the network to hosts passes through the server's interface buffer.]
Things to monitor:
■ ifOutOctets (octet outflow volume at the interface)
■ ifInOctets (octet inflow volume at the interface)
■ ifInDiscards (number of inbound packets dropped due to
buffer overflow at the server buffer)
The observable state vector at time t is (ifOutOctets, ifInOctets, ifInDiscards).
Or, in general, it is posted in parametric form as a vector whose
components 0, 1, ..., n are each functions of t,
from which we infer the time derivatives of the components (d/dt of each) and hence the system state S(t).
The equilibrium states are solutions of the equation
d/dt (state vector) = 0,
implying a constant state vector.
This can also be seen as equivalent to
state vector − constant ~ N(0, σ²)
where σ² is the variance of the state vector. We assume that at
equilibrium, the profile of any component of the state vector looks
like
[Figure: sample distribution of a component relative to its mean at equilibrium, with a zero-mean plane and ±1.96σ bounds.]
In this context, an intrusion event is defined as follows.
Defn. 1: A system S is intruded at a time within the
interval between an earlier time and t0 (the current time) if the
deviation of the state vector at time t0 from its equilibrium value
exceeds the tolerance. The tolerance factor
would be set by the system administrator.
Defn. 2: In vector form, if for some monitored variable k in the set K
the deviation of variable k at time t0 from its equilibrium value
exceeds the tolerance set for k, where k is the k-th variable monitored,
the system has an intruder at time t0.
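As an added example (not part of the original notes), the following Python implements the equilibrium profile and Defn. 2 over the three interface counters: a baseline mean and sigma per monitored variable, a tolerance tau_k = 1.96·sigma_k raised to an administrator-set floor, and a per-component check of the state vector. It assumes the monitored variable is the per-poll counter increment, since the raw MIB counters only ever grow, and the traffic samples are constructed.

```python
import math

Z_95 = 1.96  # the notes' +/-1.96 sigma band: 95% of equilibrium samples fall inside it


def counter_rates(readings):
    """Turn successive cumulative MIB counter readings into per-interval increments.
    Assumption (not in the notes): the monitored profile is the per-interval rate,
    because raw counters such as ifInOctets never decrease."""
    return [tuple(b - a for a, b in zip(prev, cur))
            for prev, cur in zip(readings, readings[1:])]


def fit_baseline(names, samples):
    """Estimate the equilibrium profile: mean and sigma of every component k."""
    n = len(samples)
    mean = [sum(s[k] for s in samples) / n for k in range(len(names))]
    sigma = [math.sqrt(sum((s[k] - mean[k]) ** 2 for s in samples) / n)
             for k in range(len(names))]
    return {"names": tuple(names), "mean": tuple(mean), "sigma": tuple(sigma)}


def detect(baseline, phi, z=Z_95, floors=None):
    """Defn. 2: component k is anomalous when |phi_k(t0) - mean_k| > tau_k.
    tau_k = z * sigma_k, raised to an administrator-set floor so that a variable
    that is constant at equilibrium (sigma_k = 0) does not fire on every blip."""
    floors = floors or {}
    flagged = []
    for k, name in enumerate(baseline["names"]):
        tau = max(z * baseline["sigma"][k], floors.get(name, 0.0))
        if abs(phi[k] - baseline["mean"][k]) > tau:
            flagged.append(name)
    return flagged


NAMES = ("ifInOctets", "ifOutOctets", "ifInDiscards")
# Constructed equilibrium rates per 10 s poll: inflow alternates 95k/105k octets,
# outflow 80k/90k, no discards, so mean = (100000, 85000, 0) and sigma = (5000, 5000, 0).
EQUILIBRIUM = [(95000, 80000, 0), (105000, 90000, 0)] * 5
BASELINE = fit_baseline(NAMES, EQUILIBRIUM)
FLOORS = {"ifInDiscards": 5}  # administrator's tolerance for a variable that is 0 at equilibrium

if __name__ == "__main__":
    for sample in [(100000, 85000, 0), (108000, 85000, 3), (150000, 85000, 40)]:
        print(sample, "->", detect(BASELINE, sample, floors=FLOORS) or "equilibrium")
```

The third sample trips both the inflow component and the discard counter, which is the signature a flood leaves on the queue model above; the second stays inside the band and is treated as normal traffic variation.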