Security - Systems Design Considerations

Layer 2 Design
L2 Control protocols - 802.1q, STP and ARP
802.1q
   for Ethernet switches to exchange VLAN info
   Primary Issues: VLAN hopping
Spanning Tree Protocol
   for L2 loop avoidance
   Primary Issues: No authentication on bridge PDUs
   Attacks: Cause link failure; pretend to be root of tree.
   Defense: Control participation in STP (switch level)
Layer 2 Design
ARP
   for MAC <-- IP mapping
   Primary Issues: gARP (gratuitous ARP) messages for high availability
   Defense: VLANs, static ARP entries
DHCP
   for IP allocation
   Issues: MAC Spoofing, rogue DHCP server
   Defense: allow/deny for specific ports to respond to DHCP requests
Layer 2 Design
Wireless Networks – Medium Access
   Boundary is diffused (not hard)
   Intruders do not have to intercept wires – all messages are broadcast (in a shared medium)
   Unauthenticated access modes may cause problems
   Contention resolution – Fairness issues
   Easy to limit / eliminate availability
IP Addressing Design
Subnetting
   Administrative / Physical separation
   Primary Issues: Access Control
   Defense: VLANs, Level 3 ACLs (Access Control Lists)

Ingress / Egress Filtering
   Egress: private address traffic is not seen outside.
   Ingress: incoming traffic must carry only outside-world source addresses.
   Filtering at the edge or close to the edge - not necessarily only at the firewall.

NAT
   Private addresses translated to public addresses
   Incoming traffic - reverse translation
   static, 1-1, many-1
   do not rely on NAT (many-1) as a security mechanism
ICMP Design Issues
ping messages
   essential for admin. - turning off is not a solution except in specific cases.
   Primary issue - Echo request/reply messages - variable length data field
      ping-of-death attacks, DoS attacks, buffer overflows
      covert channels (w/ software on host)
   Solutions: “Explicitly permit - implicitly deny”
      Permit ICMP echo request/reply messages w/ networks of necessity and for required users
      Deny all other echo messages
ICMP - Design Issues
Other required ICMP messages
   (some types of) Destination Unreachable messages
   Time Exceeded (TTL expired) messages needed by traceroute
ICMP filtering
   ACLs for permitting specific messages (seen above) and for denying all others
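The "explicitly permit, implicitly deny" ICMP policy from the two slides above, written out as a small filter evaluated over constructed sample packets. This is an added example, not material from the slides: the permitted networks, the Destination Unreachable codes that are kept, and the packet model are all assumptions made for the example.

```python
"""Added example, not from the slides: an "explicitly permit, implicitly deny"
ICMP filter evaluated over constructed sample packets.
Assumed: the permitted networks, the Destination Unreachable codes kept,
and the packet model are all choices made for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# ICMP type numbers (RFC 792 / IANA registry).
ECHO_REPLY = 0
DEST_UNREACHABLE = 3
ECHO_REQUEST = 8
TIME_EXCEEDED = 11

# Destination Unreachable codes the policy keeps: 3 = port unreachable
# (traceroute's final hop), 4 = fragmentation needed (path MTU discovery).
PERMITTED_UNREACHABLE_CODES = {3, 4}

# Constructed: the "networks of necessity" whose admins need ping.
PING_NETWORKS = [ipaddress.ip_network("10.1.0.0/16"),
                 ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    code: int = 0


def _in_ping_networks(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PING_NETWORKS)


def evaluate(pkt: IcmpPacket) -> Tuple[str, str]:
    """Return ("permit" | "deny", reason). Rules are tried in order and the
    final rule is the implicit deny, so anything not named is dropped."""
    if pkt.icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        # Echo only when one end of the exchange is a required network;
        # every other echo message is denied, as the slide says.
        if _in_ping_networks(pkt.src) or _in_ping_networks(pkt.dst):
            return "permit", "echo to/from a required network"
        return "deny", "echo outside required networks"
    if pkt.icmp_type == DEST_UNREACHABLE and pkt.code in PERMITTED_UNREACHABLE_CODES:
        return "permit", "destination unreachable code %d" % pkt.code
    if pkt.icmp_type == TIME_EXCEEDED:
        return "permit", "time exceeded (needed by traceroute)"
    return "deny", "implicit deny"


# Constructed sample packets; addresses are documentation ranges.
SAMPLE_PACKETS: List[IcmpPacket] = [
    IcmpPacket("10.1.5.7", "203.0.113.10", ECHO_REQUEST),              # admin ping
    IcmpPacket("198.51.100.9", "203.0.113.10", ECHO_REQUEST),          # outside ping
    IcmpPacket("203.0.113.1", "10.1.5.7", DEST_UNREACHABLE, code=3),   # port unreachable
    IcmpPacket("203.0.113.1", "10.1.5.7", DEST_UNREACHABLE, code=13),  # admin prohibited
    IcmpPacket("203.0.113.1", "10.1.5.7", TIME_EXCEEDED),
    IcmpPacket("203.0.113.1", "10.1.5.7", 5),                          # redirect
]


def decisions(packets=SAMPLE_PACKETS) -> List[str]:
    """Permit/deny verdict for each packet, in order."""
    return [evaluate(p)[0] for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, decisions()):
        print(f"{p.src:>14} -> {p.dst:<14} type {p.icmp_type:2d} code {p.code:2d}: {verdict}")
```

The order of the rules is the point: the two echo rules come first so that an echo message from an unlisted network is denied explicitly rather than falling through, and the Redirect packet at the end is caught by the implicit deny without anyone having to remember to list it.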
Routing - Issues
Possible attacks:
   Traffic Redirection
   Traffic sent to a black-hole
   Router DoS (Denial of Service) - Attack on Availability
   Routing protocol DoS
   Unauthorized router prefix origination
Routing - Issues
Attack methods & possible solutions:
   Configuration modification of routers
      Secure routers - Device Hardening
   Rogue Router Introduction
      Add message authentication to routing protocol
      Use ACLs to block routing protocol message types from unwanted networks
   Spoofing / Modifying of routing messages
      Message authentication; TCP seq. #s help;
   Sending malformed or excess packets
      DoS mitigation for excess; no easy solution for malformed packets
Router - Device hardening
Disable Unneeded Services
   No DNS lookup for router
   no echo or finger services
   no bootp service (if not needed)
   no source routing and directed broadcast
   no ICMP redirects
Password Encryption / Authentication
   Use hashed passwords
   Use secure protocols (say SSH) for line access
   Set up usernames and access controls
Routing Protocol - Message Auth.
   Passwords with routing update messages
   MD5 digest authentication with secret keying
   Protocol Specific:
      Avoid RIP v1 - has no auth. mechanism
      OSPF (widely used for interior gateways) - supports keyed MD5
      BGP (widely used for cross-domain routing) - supports keyed MD5 through TCP option
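What "keyed MD5" buys a routing protocol, shown on a constructed update message. This is an added example, not the slides' material and not any real protocol's packet format: the digest construction (MD5 over the message with the secret key appended) and the sequence-number replay check follow OSPF cryptographic authentication (RFC 2328, Appendix D), while the update layout, the key and the prefixes are assumptions made for the example.

```python
"""Added example, not from the slides: keyed-MD5 authentication of routing
update messages, using the construction of OSPF cryptographic
authentication (RFC 2328, Appendix D): MD5 over the message with the secret
key appended, plus a sequence number that rejects replays.
Assumed: the update layout, the key and the prefixes are constructed here;
this is not any real protocol's packet format."""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

KEY_LEN = 16     # OSPF pads or truncates the key to 16 bytes
DIGEST_LEN = 16  # MD5 output size

Prefix = Tuple[str, int, int]   # (network, prefix length, metric)


def _padded(key: bytes) -> bytes:
    return key.ljust(KEY_LEN, b"\x00")[:KEY_LEN]


def encode_update(seq: int, prefixes: List[Prefix]) -> bytes:
    """Constructed layout: 4-byte sequence number, then per prefix a
    4-byte network address, 1-byte length and 4-byte metric."""
    body = struct.pack("!I", seq)
    for net, plen, metric in prefixes:
        body += struct.pack("!4sBI", bytes(int(o) for o in net.split(".")), plen, metric)
    return body


def sign(message: bytes, key: bytes) -> bytes:
    """Append MD5(message || key), as OSPF does. The key itself never goes
    on the wire, so a neighbour without it cannot produce a valid digest."""
    return message + hashlib.md5(message + _padded(key)).digest()


class Receiver:
    """Neighbour that accepts an update only if the digest verifies and the
    sequence number is higher than the last one accepted (stricter than
    OSPF's non-decreasing rule, so an exact replay is also rejected)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes) -> bool:
        message, digest = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
        expected = hashlib.md5(message + _padded(self.key)).digest()
        if not hmac.compare_digest(expected, digest):
            return False            # wrong key, or message modified in flight
        seq = struct.unpack("!I", message[:4])[0]
        if seq <= self.last_seq:
            return False            # replayed or out-of-date update
        self.last_seq = seq
        return True


def demo() -> Dict[str, bool]:
    """Constructed scenario: one genuine update, a tampered copy, a replay,
    a forgery with the wrong key, and the legitimate next update."""
    key = b"constructed-key"
    rx = Receiver(key)
    routes = [("10.0.0.0", 8, 10), ("192.168.1.0", 24, 20)]
    genuine = sign(encode_update(1, routes), key)

    tampered = bytearray(genuine)
    tampered[-DIGEST_LEN - 1] ^= 0x01    # flip a bit in the last metric byte

    return {
        "genuine": rx.accept(genuine),
        "tampered": rx.accept(bytes(tampered)),
        "replayed": rx.accept(genuine),
        "wrong_key": rx.accept(sign(encode_update(2, routes), b"attacker-guess")),
        "next_update": rx.accept(sign(encode_update(2, routes), key)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:12s}: {'accepted' if ok else 'rejected'}")
```

Two design points are worth noticing. Unlike the "passwords with routing update messages" option, the key never travels on the wire, so a captured update cannot be reused to learn it; and the digest alone does not stop replay, which is why the sequence number is part of the authenticated message. MD5 is used here because it is what the slide and the protocols it names specify; current deployments prefer HMAC-SHA for OSPF (RFC 5709) and TCP-AO (RFC 5925) in place of the TCP MD5 option for BGP.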
Routing - Issues
Asymmetric Routing & State-Aware Security
   Asymmetric traffic - different paths for request and return; per packet routing
   Can happen at switches, over the Internet or at ISP.
   Causes problems for state-aware security devices and mechanisms - Firewalls, IDS etc.
Routing - Issues
Asymmetric Routing - Solutions
   Use Symmetric Routing
      hard to do and impractical
   Load balance per flow (rather than per packet)
      cannot avoid request-return asymmetry.
   Manipulate flows using NAT or routing
   Use state-sharing security devices - e.g. exchange info. bet. firewalls
      significant traffic overhead
   Use stateless security features - e.g. ACLs
      works only for easy situations - simple traffic categorizations
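The failure mode of the two slides above, played out on two constructed stateful firewalls: the request leaves through one, the reply returns through the other, and the second firewall has no state for the flow. This is an added example, not from the slides; the firewalls, the addresses and the flow are assumptions, and the "established" ACL is the stateless alternative the second slide mentions.

```python
"""Added example, not from the slides: why asymmetric routing breaks a
state-aware firewall and what sharing state between the two firewalls
fixes. The two firewalls, the flow and the addresses are constructed."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

Flow = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


INSIDE_PREFIX = "10.0.0."   # constructed: the protected network


class StatefulFirewall:
    """Allows connections initiated from inside and only the return traffic
    of flows it has seen. The state table can be private or shared."""

    def __init__(self, name: str, table: Optional[Set[Flow]] = None):
        self.name = name
        self.table = table if table is not None else set()

    def forward(self, p: Packet) -> bool:
        if p.src.startswith(INSIDE_PREFIX) and p.syn and not p.ack:
            self.table.add((p.src, p.sport, p.dst, p.dport))   # new outbound flow
            return True
        # Everything else must match the reverse of a known flow.
        return (p.dst, p.dport, p.src, p.sport) in self.table


def stateless_established(p: Packet) -> bool:
    """The ACL alternative from the slide: permit inbound packets that carry
    the ACK flag ("established"), with no memory of flows at all."""
    return not p.src.startswith(INSIDE_PREFIX) and p.ack


def asymmetric_path(share_state: bool) -> Tuple[bool, bool]:
    """Request leaves through firewall A, the reply comes back through B.
    Returns (request forwarded by A, reply forwarded by B)."""
    shared = set() if share_state else None
    fw_a = StatefulFirewall("A", shared)
    fw_b = StatefulFirewall("B", shared)
    syn = Packet("10.0.0.5", 40000, "203.0.113.7", 443, syn=True, ack=False)
    syn_ack = Packet("203.0.113.7", 443, "10.0.0.5", 40000, syn=True, ack=True)
    return fw_a.forward(syn), fw_b.forward(syn_ack)


if __name__ == "__main__":
    print("private state tables:", asymmetric_path(False))   # reply dropped by B
    print("shared state table:  ", asymmetric_path(True))    # reply accepted
    bogus = Packet("203.0.113.7", 443, "10.0.0.5", 40000, syn=False, ack=True)
    print("stateless ACL passes unsolicited ACK:", stateless_established(bogus))
```

The shared set stands in for the state-exchange traffic between real firewalls, which is where the "significant traffic overhead" comes from: every new flow has to be replicated before its reply can arrive on the other path. The stateless ACL has no such cost, but it admits any inbound packet with the ACK bit set, which is why it is only adequate for the simple categorizations the slide mentions.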
Transport Protocol - Design Issues
   Denial Of Service attacks
      easy to launch and cannot be completely stopped.
      network flooding (consume bw) vs. transport flooding (consume host resources)
   Network Flooding
      Detection: through Network Intrusion Detection, routers and firewalls (i.e. their log data)
      Stopping: often through Service provider only; stops good as well as bad traffic
Transport Protocol - Design Issues
   Stopping Network Flooding
      Basic ACL: drop all traffic destined for an IP address; configure this throughout the ISP’s network.
      Black Hole Filtering: Propagate static routes to divert traffic to a black hole. Faster than basic ACL approach; much less CPU impact.
      Sinkhole Routing: Traffic diverted to a specific location so that it can be studied.
Transport Protocol - Design Issues
   Trace Back (DoS)
      Manual ACL trace back: create an ACL with broad permits that are made more specific as more information about the attack is gained.
      Backscatter Trace back:
         combine black hole and sinkhole routing
         black hole routing results in ICMP unreachable messages
         use a chunk of unallocated IP addresses for internal routing within ISP to forward to a sinkhole.
      Tracebacks are useless if the attacker is spoofing a legitimately allocated address.
Transport Protocol - Design Issues
   DoS Mitigation
      QoS techniques - limit traffic by type (UDP 10 Mbps, ICMP 200 Kbps etc.); use token system for traffic to limit it;
      application specific filtering (e.g. in ecommerce scenarios UDP traffic is needed)
      use a distributed design
         content delivery networks
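The "token system" behind the per-type limits on the slide is a token bucket, shown here on a constructed packet trace. This is an added example, not from the slides: the 10 Mbps UDP and 200 Kbps ICMP figures are the slide's, while the burst sizes, the protocols in the trace and the packet sizes are assumptions made for the example.

```python
"""Added example, not from the slides: per-traffic-type token-bucket limiting,
the "QoS techniques" bullet above. The 10 Mbps UDP and 200 Kbps ICMP limits
are the slide's; the burst sizes and the packet trace are constructed.
Time is in integer milliseconds so the arithmetic is exact."""
from typing import Dict, List, Tuple


class TokenBucket:
    """Tokens are bytes. They refill at `rate_bps` and accumulate up to
    `burst_bytes`; a packet passes only if it can pay its size in tokens."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bytes_per_s = rate_bps // 8
        self.capacity = burst_bytes
        self.tokens = burst_bytes
        self.last_ms = 0

    def allow(self, now_ms: int, size: int) -> bool:
        elapsed = now_ms - self.last_ms
        refill = elapsed * self.rate_bytes_per_s // 1000   # whole bytes only
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False     # over the limit: drop (or mark / queue at lower priority)


def make_limits() -> Dict[str, TokenBucket]:
    """Slide's limits; burst = 100 ms worth of traffic (constructed choice)."""
    return {
        "udp": TokenBucket(10_000_000, 125_000),
        "icmp": TokenBucket(200_000, 2_500),
    }


Trace = List[Tuple[int, str, int]]   # (time_ms, protocol, bytes)


def shape(trace: Trace, limits: Dict[str, TokenBucket]) -> Dict[str, Tuple[int, int]]:
    """Run a trace through the limiters in time order.
    Returns per protocol (packets passed, packets dropped)."""
    stats: Dict[str, Tuple[int, int]] = {}
    for now_ms, proto, size in sorted(trace):
        bucket = limits.get(proto)
        ok = bucket.allow(now_ms, size) if bucket else True   # unlimited types pass
        passed, dropped = stats.get(proto, (0, 0))
        stats[proto] = (passed + 1, dropped) if ok else (passed, dropped + 1)
    return stats


def constructed_trace() -> Trace:
    """Constructed: an ICMP flood at 800 Kbps, a UDP burst at 11.2 Mbps,
    and a little TCP that no bucket limits."""
    trace: Trace = [(i * 10, "icmp", 1000) for i in range(100)]   # 1000 B every 10 ms
    trace += [(i, "udp", 1400) for i in range(100)]                 # 1400 B every 1 ms
    trace += [(i * 5, "tcp", 1500) for i in range(3)]
    return trace


if __name__ == "__main__":
    for proto, (passed, dropped) in shape(constructed_trace(), make_limits()).items():
        print(f"{proto:5s} passed={passed:3d} dropped={dropped:3d}")
```

The ICMP flood runs at four times its limit, so after the 2,500-byte burst is spent only every fourth packet finds enough tokens: 27 of 100 pass. The UDP burst is only slightly over its limit and lasts 100 ms, so the 125,000-byte bucket absorbs all of it; sustained at that rate it would start losing packets once the bucket drained, roughly 0.8 s in. Choosing the burst size is therefore as much a part of the policy as the rate.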
Transport Protocol - Design Issues
   (back to) Denial Of Service attacks
      easy to launch and cannot be completely stopped.
      network flooding (consume bw) vs. transport flooding (consume host resources)
   Transport Flooding
      TCP SYN flooding - send a SYN packet (part of a 3-way handshake) but never respond to the acknowledgment; TCP is connection oriented: connections kept open for a time; connection queues overflow;
Transport Protocol - Design Issues
   SYN cookies
      host specific method of mitigating SYN flooding attacks;
      avoid storing SYN packets in queue; use challenge-response model for handshake.
   TCP intercept
      network-level protection for SYN floods
      intercept connection requests at an intermediate node which transparently forwards TCP packets to server; SYN packets are acked ASAP; if client does not respond use a backoff protocol; (e.g. PIX firewalls)
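The SYN-cookie challenge-response from the slide above, as an added example that is not part of the original deck. The server's initial sequence number is the cookie, nothing is queued for the SYN, and the client's ACK is checked against a recomputation; the bit layout (5 bits of time, 3 bits of MSS class, 24 bits of keyed hash) follows the classic design, while the secret, the MSS table and the addresses are assumptions made for the example.

```python
"""Added example, not from the slides: a SYN-cookie handshake, the
challenge-response scheme the slide describes. The server keeps no
per-SYN state: its initial sequence number is the cookie, and the client's
ACK proves it saw the SYN-ACK. Layout follows the classic design (5 bits
of time, 3 bits of MSS class, 24 bits of keyed hash); the secret, the MSS
table and the addresses are constructed for this example."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

SECRET = b"constructed-per-host-secret"   # random and rotated on a real host
MSS_TABLE = [536, 1220, 1440, 1460]       # constructed MSS classes; index fits in 3 bits
TICK_S = 64                               # time counter granularity


def _hash24(src: str, sport: int, dst: str, dport: int, t: int) -> int:
    data = struct.pack("!4sH4sHI",
                       ipaddress.ip_address(src).packed, sport,
                       ipaddress.ip_address(dst).packed, dport, t)
    return int.from_bytes(hmac.new(SECRET, data, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, client_mss: int, now_s: int) -> int:
    """Server side, on SYN: build the ISN for the SYN-ACK and store nothing."""
    t = (now_s // TICK_S) & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):     # largest class not above the client's MSS
        if mss <= client_mss:
            mss_idx = i
    return (t << 27) | (mss_idx << 24) | _hash24(src, sport, dst, dport, t)


def check_cookie(src, sport, dst, dport, ack_num: int, now_s: int) -> Optional[int]:
    """Server side, on ACK: ack_num - 1 must be a cookie we could have issued
    for this 4-tuple recently. Returns the MSS to use, or None to drop."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    now_t = (now_s // TICK_S) & 0x1F
    if (now_t - t) & 0x1F > 1:              # older than two ticks: expired
        return None
    if (cookie & 0xFFFFFF) != _hash24(src, sport, dst, dport, t):
        return None                         # not ours, or issued for another 4-tuple
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


def handshake(now_s: int = 100_000, tamper: bool = False, late: bool = False) -> Optional[int]:
    """Constructed exchange: SYN -> SYN-ACK(cookie) -> ACK(cookie + 1)."""
    src, sport, dst, dport = "198.51.100.23", 51515, "203.0.113.10", 80
    isn = make_cookie(src, sport, dst, dport, 1460, now_s)       # SYN-ACK sequence number
    ack_num = (isn + 1) & 0xFFFFFFFF                               # client's ACK number
    if tamper:
        ack_num ^= 0x10                 # an ACK from a client that never saw the SYN-ACK
    arrives = now_s + (300 if late else 1)
    return check_cookie(src, sport, dst, dport, ack_num, arrives)


if __name__ == "__main__":
    print("genuine ACK  ->", handshake())              # 1460: connection established
    print("tampered ACK ->", handshake(tamper=True))   # None: dropped, no state was held
    print("late ACK     ->", handshake(late=True))     # None: cookie expired
```

The trade-off the slide's "host specific" wording hints at is visible in the cookie: only 32 bits are available, so the server can remember the MSS class and little else about the SYN, and a flood of SYNs costs it one hash per packet but no memory. Real stacks enable this only once the backlog fills (Linux exposes it as the tcp_syncookies sysctl), and the time window is what keeps an old captured ACK from being reused.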
