Professor Yashar Ganjali
Department of Computer Science
University of Toronto
yganjali@cs.toronto.edu
http://www.cs.toronto.edu/~yganjali
Announcements
Final project
Intermediate report
Due:
Fri. Nov. 16
th
, 5PM
In class presentations
Wed. Nov. 21
st
We already have 6 teams
Wed. Nov. 28
th
15 minute presentation
Assignment
3
Due:
Fri. Nov. 16
th
Email your solutions to me, or bring to my office (BA 5238)
Volunteer for lecture notes?
Last chance!
SII199
-
Computer Networks and Society
2
University of Toronto
–
Fall 2012
SII199
-
Computer Networks and Society
University of Toronto
–
Fall 2012
The Story …
•
Introduction to computer networks
•
The science of networks
•
Computer networks and healthcare
•
Computer networks and business
•
Computer networks and entertainment
•
Cloud computing /storage
•
Phishing, spam, and fraud in the Internet
•
Privacy in online social networks
•
This week
: computer networks and security
3
The Problem
Computer networks create interconnectivity
We have seen many examples of good uses
Same connectivity can be used for evil
It is easier to
Access someone’s private information
Spread malicious code
Gain control of somebody’s machine
…
SII199
-
Computer Networks and Society
4
University of Toronto
–
Fall 2012
Viruses, Trojan Horses, and Worms
Viruses
Small pieces of malicious software
Usually piggyback on real programs
Or documents: PDF files, spreadsheets, …
Reproduce by attaching to other programs
Worms
Replicates itself using security
holes
Using computer networks
Without human interaction
Trojan Horses
A program that claims
and appears
to be useful (say a game)
… but in reality can be damaging (e.g. delete files)
Can create backdoors for attackers
Do not replicate
SII199
-
Computer Networks and Society
5
University of Toronto
–
Fall 2012
Life Just Before Slammer
SII199
-
Computer Networks and Society
6
University of Toronto
–
Fall 2012
SII199
-
Computer Networks and Society
7
University of Toronto
–
Fall 2012
Life Just After Slammer
A Lesson in Economy
Slammer used an extremely lightweight attack
Entire worm fit in a single packet! (376 bytes)
When scanning, worm could “fire and forget”.
Stateless!
Worm infected 75,000+ hosts in 10 minutes (despite
broken random number generator).
At its peak, doubled every 8.5 seconds.
Progress limited by the Internet’s carrying capacity
(= 55 million scans/sec)
SII199
-
Computer Networks and Society
8
University of Toronto
–
Fall 2012
Why Security?
First victim at 12:45 am
By 1:15 am, transcontinental links starting to fail
300,000 access points downed in Portugal
All cell and Internet in Korea failed (27 million people)
5 root name servers were knocked offline
911 didn’t respond (Seattle)
Flights canceled
SII199
-
Computer Networks and Society
9
University of Toronto
–
Fall 2012
Witty Worm
SII199
-
Computer Networks and Society
10
University of Toronto
–
Fall 2012
Witty Worm
–
Cont’d
Attacks firewalls and security products (ISS)
First to use vulnerabilities in security software
ISS announced a vulnerability
B
uffer overflow problem
Attack in just
one day!
Attack started from a small number of compromised
machines
In 30 minutes
12,000 infected machines
90 Gb/s
of traffic
SII199
-
Computer Networks and Society
11
University of Toronto
–
Fall 2012
Network Telescope
Large piece of globally announced network addresses
No legitimate hosts (almost)
Inbound traffic is almost always anomalous
1/256th of the all addresses (IPv4 space)
One packet in every 256 packets if unbiased random
generators used.
Provides global view of the spread of Internet worms.
SII199
-
Computer Networks and Society
12
University of Toronto
–
Fall 2012
Today
Network Security Goals
Security vs. Internet Design
Attacks
Defenses
SII199
-
Computer Networks and Society
13
University of Toronto
–
Fall 2012
Network Security Goals
Availability
Everyone can reach all network resources all the time
Protection
Protect users from interactions they don’t want
Authenticity
Know who you are speaking with
Data Integrity
Protect data en
-
route
Privacy
Protect private data
SII199
-
Computer Networks and Society
14
University of Toronto
–
Fall 2012
SII199
-
Computer Networks and Society
15
University of Toronto
–
Fall 2012
Today
Network Security Goals
Security vs. Internet Design
Attacks
Defenses
Internet Design
Destination routing
Packet based (statistical multiplexing)
Global addressing (IP addresses)
Simple to join (as infrastructure)
Power in end hosts (end
-
to
-
end argument)
SII199
-
Computer Networks and Society
16
University of Toronto
–
Fall 2012
SII199
-
Computer Networks and Society
17
University of Toronto
–
Fall 2012
Internet Design vs. Security
Destination routing
Makes Internet routers simpler
How
do we know where packets are coming from?
Packet
based (statistical multiplexing)
Global addressing (IP addresses)
Simple to join (as infrastructure)
Power in end
hosts
SII199
-
Computer Networks and Society
18
University of Toronto
–
Fall 2012
Internet Design vs. Security
Destination Routing
Packet Based (statistical multiplexing)
Simple + Efficient
Difficult resource bound per
-
communication
How to keep someone from hogging?
(remember, we can’t rely on source addresses)
Global Addressing (IP addresses)
Simple to
join (as infrastructure)
Power in End Hosts
SII199
-
Computer Networks and Society
19
University of Toronto
–
Fall 2012
Internet Design vs. Security
Destination routing
Packet based (statistical multiplexing)
Global Addressing (IP addresses)
Very democratic
Even people who don’t necessarily want to be talked to
“every psychopath is your next door neighbor”
–
Dan Geer
Simple to join (as infrastructure)
Power in end
hosts
SII199
-
Computer Networks and Society
20
University of Toronto
–
Fall 2012
Internet Design vs. Security
Destination routing
Packet based (statistical multiplexing)
Global addressing (IP addresses)
Simple to join (as infrastructure)
Very democratic
Misbehaving routers can do very bad things
No model of trust between routers
Power in End
Hosts
SII199
-
Computer Networks and Society
21
University of Toronto
–
Fall 2012
Internet Design vs. Security
Destination routing
Packet based (statistical multiplexing)
Global addressing (IP addresses)
Simple to join (as infrastructure)
Power in end
-
hosts
Decouple
hosts and infrastructure = innovation at the edge!
Giving power to least trusted actors
How to guarantee good behavior?
Today
Network Security Goals
Security vs. Internet Design
Attacks
Defenses
SII199
-
Computer Networks and Society
22
University of Toronto
–
Fall 2012
Denial of Service (
DoS
) Attacks
Send many requests to a server
Make the requests look legitimate
Exhaust some of the resources
Processing (CPU)
Bandwidth (uplink/downlink)
Memory
…
SII199
-
Computer Networks and Society
23
University of Toronto
–
Fall 2012
DoS: Via Resource Exhaustion
SII199
-
Computer Networks and Society
24
University of Toronto
–
Fall 2012
Downlink
bandwidth
Uplink
bandwidth
Memory
(e.g. TCP TCB
exhaustion)
CPU
User
-
time
Distributed DoS (DDoS)
Attacker compromises multiple hosts
Installs malicious program to do her biding
(bots)
Bots flood (or otherwise attack) victims on command;
Attack is coordinated
Bot
-
networks of 80k to 100k have been seen in the
wild
Aggregate bandwidth > 20Gbps (probably more)
SII199
-
Computer Networks and Society
25
University of Toronto
–
Fall 2012
SII199
-
Computer Networks and Society
26
University of Toronto
–
Fall 2012
Today
Network Security Goals
Security vs. Internet Design
Attacks
Defenses
Firewalls
What is a firewall?
Device
designed to permit or deny network transmissions
E.g. traffic entering or leaving your home network
Works based on
a set of
rules
Used
to protect networks from unauthorized
access
While
permitting legitimate communications to pass.
Can be done in the network (e.g. network perimeter) or
at the host
Configuration is not straight forward
Requires knowledge of the network
SII199
-
Computer Networks and Society
27
University of Toronto
–
Fall 2012
How Can We Prevent Network Attacks?
Without changing current Internet’s design
What if we can change everything?
Clean slate design
SII199
-
Computer Networks and Society
28
University of Toronto
–
Fall 2012
Final Comments
Internet not designed for security
Many, many attacks
Defense is very difficult
Attackers are smart
; broken
network aids them!
The impact can be sever
As we rely more on computer networks over time
Time for new designs/principles?
SII199
-
Computer Networks and Society
29
University of Toronto
–
Fall 2012
Enter the password to open this PDF file:
File name:
-
File size:
-
Title:
-
Author:
-
Subject:
-
Keywords:
-
Creation Date:
-
Modification Date:
-
Creator:
-
PDF Producer:
-
PDF Version:
-
Page Count:
-
Preparing document for printing…
0%
Σχόλια 0
Συνδεθείτε για να κοινοποιήσετε σχόλιο