






The lack of security as a feature in the initial design of the Internet and the resulting security problems, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. It also explores intrusion detection and the challenges of detecting intruders. Examples of attacks such as smurf amplifier networks and Trinoo are given, together with possible countermeasures.
Typology: Study notes
Security problems with the Internet architecture

The Internet had been designed with the following features in mind:
■ scaling
■ heterogeneity
■ complexity at the edges (end-to-end problem)
■ autonomy/flexibility

Security as a feature was not in the list. Why?
■ a reasonable security mechanism would oppose fundamental design principles/objectives

Some six hundred RFCs all avoid this issue. Vendors would rather pack "new features" into their products than mitigate potential security problems in them.

How big is the problem? Consult the Honeynet project (http://project.honeynet.org). They found:
■ a random computer on the Internet is scanned roughly a dozen times per day
■ the expected life expectancy of a RedHat 6 server before being hacked is 72 hours
■ a Windows 98 machine with standard file-sharing was hacked 5 times in 4 days

Should we care? These machines are often hacked by a single hacker and then used together in a DDoS (Distributed Denial of Service) attack.

Architecture of a bandwidth attack

[Figure: attacker -> master -> slaves (four shown) -> victim; the attacker reaches the slaves only through control traffic to the master]

Taxonomy of attacks:

A. DoS/DDoS attacks: Denial of Service and Distributed DoS exhaust the resources of the target host (or exhaust the bandwidth of a particular link). In Feb 2000: Yahoo, CNN, Amazon.com, eBay, ...
What can be done to stop this?
■ Configure your operating system so that the machine does not respond to ICMP packets sent to IP broadcast addresses.
■ Routers must turn off forwarding of directed broadcasts on all other ports.

Other DDoS attacks: Trinoo, TFN, Stacheldraht, etc.
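The two countermeasures above correspond to concrete settings on common platforms: on Linux, the sysctl net.ipv4.icmp_echo_ignore_broadcasts (value 1 makes the host ignore echo requests sent to a broadcast address), and on Cisco IOS routers, the per-interface command no ip directed-broadcast. The script below is an added example and not part of the notes: it audits a constructed sysctl reading and a constructed IOS-style configuration and reports where the weak setting is still present. The interface names and addresses are made up; the two setting names are real.

```python
"""Audit smurf-amplifier countermeasures (added example, not from the notes).

Checks two real settings against constructed sample inputs:
  * Linux sysctl net.ipv4.icmp_echo_ignore_broadcasts (1 = ignore broadcast pings)
  * Cisco IOS per-interface 'ip directed-broadcast' / 'no ip directed-broadcast'
Interface names and addresses below are made up for the demonstration.
"""

SYSCTL_KEY = "net.ipv4.icmp_echo_ignore_broadcasts"

# Constructed sysctl readings: the weak setting and the corrected one.
WEAK_SYSCTL = {SYSCTL_KEY: "0"}
FIXED_SYSCTL = {SYSCTL_KEY: "1"}

# Constructed IOS-style configs. Only the directed-broadcast lines matter here.
WEAK_ROUTER_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
!
"""

FIXED_ROUTER_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
 no ip directed-broadcast
!
"""


def host_answers_broadcast_ping(sysctl):
    """True when the host would reply to ICMP echo sent to a broadcast address.

    Anything other than '1' (including a missing key) is treated as weak."""
    return sysctl.get(SYSCTL_KEY, "0").strip() != "1"


def directed_broadcast_state(config):
    """Parse an IOS-style config into {interface: state}, where state is
    'enabled', 'disabled' or 'unspecified' for directed-broadcast forwarding."""
    state = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            state[current] = "unspecified"
        elif line == "!":
            current = None          # end of the interface block
        elif current is not None and line == "ip directed-broadcast":
            state[current] = "enabled"
        elif current is not None and line == "no ip directed-broadcast":
            state[current] = "disabled"
    return state


def amplifier_risk(config):
    """Return (interfaces explicitly forwarding directed broadcasts,
    interfaces where the setting is not pinned down).

    The default is off on IOS 12.0 and later, but an audit should not
    rely on defaults: an unspecified interface is reported for review."""
    states = directed_broadcast_state(config)
    enabled = sorted(i for i, s in states.items() if s == "enabled")
    unspecified = sorted(i for i, s in states.items() if s == "unspecified")
    return enabled, unspecified


if __name__ == "__main__":
    for label, sysctl in (("weak", WEAK_SYSCTL), ("fixed", FIXED_SYSCTL)):
        print(f"host ({label}): answers broadcast ping = "
              f"{host_answers_broadcast_ping(sysctl)}")
    for label, cfg in (("weak", WEAK_ROUTER_CONFIG), ("fixed", FIXED_ROUTER_CONFIG)):
        enabled, unspecified = amplifier_risk(cfg)
        print(f"router ({label}): enabled={enabled} unspecified={unspecified}")
```

On a live Linux host the sysctl value would be read from /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts instead of the constructed dictionary; the router part works on a saved copy of the running configuration.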
Trinoo:
■ A Trojan program that affects Windows systems through DDoS attacks. It copies a file service.exe to the Windows\System directory, and it is active all the time once it has been executed.
■ Anyone running the Trinoo client program anywhere can sneak into the computer without being noticed.

Intrusion-detection issue

An intruder at time t is X(t), working to destabilize the target system S(t). Typically, its activity is one like the following:
■ port flooding
■ port probing
■ port walking
■ online password cracking attempt

Intrusion => local anomaly in the network where the intrusion occurs. Therefore, perhaps, the null hypothesis H_0:
tcpOutAck = 3095286
tcpOutAckDelayed =

These could be made available via an SNMP agent that samples a host, a router, or a switch to obtain the standard MIB observables. From these observations alone one must infer whether or not an intrusion event had been launched at a time t.

Assumption. If X(t) = intrusion event at time t, S(t, ) = intruded system at time t, at a stable equilibrium such that 0 t t t.

The system may move from one stable equilibrium to another by a normal change in traffic patterns. If X(t) occurs, then either it forces S(t, ) to move to S(t', ), where the state argument is another equilibrium state, or it moves to S(t', ), where the state argument is a transition state or a state of unstable equilibrium.
In our case, we assume that every X(t) pushes the system into an unstable state. After the system spends some time in it, it settles into some stable equilibrium state. The system can be seen as equivalent to a queuing system as shown below.

Things to monitor:

[Figure: system movements on phase space, with states S(t, e), S(t', ) and the transition X(t) leading to S(t t, f)]

[Figure: node interface to a network, drawn as a queuing system: a server between the network side (from network / to network) and the host side (to hosts / from hosts)]
In this context, an intrusion event is defined as follows.

Defn. 1: A system S is intruded at a time within the interval between t_0 t and t_0 (the current time) if the deviation of the state vector at time t_0 from its mean, taken in absolute value, exceeds the tolerance factor times the absolute value of the mean. The tolerance factor would be set by the system administrator.

Defn. 2: In the vector form, if for some k in K (the set of monitored variables) the absolute deviation of the k-th variable at time t_0 from its mean is larger than the k-th tolerance factor times the absolute value of that mean, where k indexes the k-th variable monitored, the system has an intruder at time t_0.

[Figure: sample distribution relative to the mean, with the zero-mean plane and the 1.96 cut-offs on either side]
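A worked version of this detection rule, as an added example that is not part of the notes: a baseline of per-poll increments for the two TCP-MIB counters named above (tcpOutAck, tcpOutAckDelayed) is constructed, the per-variable mean of that baseline is taken as the equilibrium value, and a current state vector is tested against Defn. 2 with a relative tolerance factor. A second test measures the deviation in baseline standard deviations and applies the 1.96 cut-off, which is my reading of the "zero-mean plane / 1.96" figure as a z-score test, not something the notes state. All numbers are made up; the names x_k, mu_k and eps_k in the comments are my own notation; in practice the readings come from an SNMP poller.

```python
"""Threshold intrusion test over SNMP MIB counters (added example, not from the notes).

tcpOutAck and tcpOutAckDelayed are real TCP-MIB counters, but every value
below is constructed; a real deployment would fill BASELINE from an SNMP poller.
"""
from statistics import mean, pstdev

Z_CUTOFF = 1.96  # the 1.96 cut-off read as a z-score threshold (assumption)

# Constructed baseline: per-poll increments of each counter under normal traffic.
BASELINE = {
    "tcpOutAck":        [3100, 2980, 3050, 3120, 2990, 3070, 3010, 3085],
    "tcpOutAckDelayed": [ 410,  395,  420,  405,  398,  415,  402,  408],
}

# Constructed current state vectors: one quiet poll and one under a flood.
NORMAL_STATE = {"tcpOutAck": 3095, "tcpOutAckDelayed": 404}
ATTACK_STATE = {"tcpOutAck": 9200, "tcpOutAckDelayed": 60}


def counter_deltas(readings):
    """Raw SNMP counters only grow; the observable is the increment per poll."""
    return [b - a for a, b in zip(readings, readings[1:])]


def baseline_stats(baseline):
    """Per-variable (mean, population std) describing the equilibrium state."""
    return {k: (mean(v), pstdev(v)) for k, v in baseline.items()}


def intruded_by_tolerance(state, stats, tolerance):
    """Defn. 2: flag variable k when |x_k(t0) - mu_k| > eps_k * |mu_k|.

    `tolerance` is one eps for all variables or a per-variable dict,
    as set by the administrator. Returns {variable: observed value}."""
    flagged = {}
    for k, x in state.items():
        mu, _ = stats[k]
        eps = tolerance[k] if isinstance(tolerance, dict) else tolerance
        if abs(x - mu) > eps * abs(mu):
            flagged[k] = x
    return flagged


def intruded_by_zscore(state, stats, cutoff=Z_CUTOFF):
    """Same test with the deviation measured in baseline standard deviations.

    Returns {variable: z-score}. A baseline with zero spread cannot yield a
    z-score, so any change at all is reported there (z = inf)."""
    flagged = {}
    for k, x in state.items():
        mu, sigma = stats[k]
        if sigma == 0:
            if x != mu:
                flagged[k] = float("inf")
            continue
        z = (x - mu) / sigma
        if abs(z) > cutoff:
            flagged[k] = round(z, 2)
    return flagged


if __name__ == "__main__":
    stats = baseline_stats(BASELINE)
    for label, state in (("normal", NORMAL_STATE), ("attack", ATTACK_STATE)):
        print(label,
              "tolerance test:", intruded_by_tolerance(state, stats, 0.10),
              "| z-score test:", intruded_by_zscore(state, stats))
```

The relative-tolerance test is the one the definitions describe; the z-score variant scales the tolerance by how noisy each counter normally is, which matters for counters like tcpOutAckDelayed whose mean is small. Either way the baseline must be taken from a period believed to be at a stable equilibrium, otherwise the "mean" already contains the intruder.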