Networks and Communications, 20 Nov 2013 (3 years and 8 months ago), 70 views

Professor Yashar Ganjali
Department of Computer Science
University of Toronto
yganjali@cs.toronto.edu
http://www.cs.toronto.edu/~yganjali

Announcements

- Final project
  - Intermediate report: due Fri. Nov. 16th, 5PM
  - In-class presentations: Wed. Nov. 21st (we already have 6 teams) and Wed. Nov. 28th
  - 15 minute presentation
- Assignment 3: due Fri. Nov. 16th
  - Email your solutions to me, or bring to my office (BA 5238)
- Volunteer for lecture notes? Last chance!


SII199 - Computer Networks and Society, University of Toronto, Fall 2012


The Story …

- Introduction to computer networks
- The science of networks
- Computer networks and healthcare
- Computer networks and business
- Computer networks and entertainment
- Cloud computing / storage
- Phishing, spam, and fraud in the Internet
- Privacy in online social networks
- This week: computer networks and security


The Problem

- Computer networks create interconnectivity
  - We have seen many examples of good uses
- The same connectivity can be used for evil
  - It is easier to:
    - Access someone’s private information
    - Spread malicious code
    - Gain control of somebody’s machine







Viruses, Trojan Horses, and Worms

- Viruses
  - Small pieces of malicious software
  - Usually piggyback on real programs, or on documents: PDF files, spreadsheets, …
  - Reproduce by attaching to other programs
- Worms
  - Replicate themselves using security holes
  - Spread using computer networks, without human interaction
- Trojan Horses
  - A program that claims, and appears, to be useful (say a game) … but in reality can be damaging (e.g. delete files)
  - Can create backdoors for attackers
  - Do not replicate



Life Just Before Slammer


Life Just After Slammer

A Lesson in Economy

- Slammer used an extremely lightweight attack
  - The entire worm fit in a single packet! (376 bytes)
  - When scanning, the worm could “fire and forget”: stateless!
- The worm infected 75,000+ hosts in 10 minutes (despite a broken random number generator)
  - At its peak, it doubled every 8.5 seconds
  - Progress was limited by the Internet’s carrying capacity (= 55 million scans/sec)


Why Security?

- First victim at 12:45 am
- By 1:15 am, transcontinental links were starting to fail
- 300,000 access points downed in Portugal
- All cell and Internet service in Korea failed (27 million people)
- 5 root name servers were knocked offline
- 911 didn’t respond (Seattle)
- Flights canceled


Witty Worm


Witty Worm (cont’d)

- Attacks firewalls and security products (ISS)
  - First to use vulnerabilities in security software
- ISS announced a vulnerability: a buffer overflow problem
  - Attack in just one day!
- Attack started from a small number of compromised machines
  - In 30 minutes: 12,000 infected machines
  - 90 Gb/s of traffic


Network Telescope

- A large piece of globally announced network address space
  - No legitimate hosts (almost)
  - Inbound traffic is almost always anomalous
- 1/256th of all addresses (IPv4 space)
  - Sees one in every 256 packets if the worm uses an unbiased random number generator
- Provides a global view of the spread of Internet worms
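As an added example (not the lecture's own material) for the Slammer figures above and for the telescope arithmetic on this slide, the Python below models a random-scanning worm with the logistic "random constant spread" model and inverts the scan rate a telescope observes into an estimate of the number of infected hosts. The 1/256 telescope fraction, the 8.5 s doubling time and the 75,000-host figure come from the slides; the per-host scan rate (700 scans/s) and the vulnerable population (100,000 hosts) are constructed assumptions.

```python
"""Random-scanning worm growth and the view from a network telescope.

Added example for the Slammer and network-telescope slides; it is not code
from the lecture.  It uses the logistic "random constant spread" model for a
worm whose copies pick targets uniformly at random, then shows how a
telescope that covers 1/256 of the address space turns the scan rate it
observes back into an estimate of the number of infected hosts.  The 1/256
telescope fraction, the 8.5 s doubling time and the 75,000-host figure come
from the slides; the per-host scan rate and the vulnerable-population size
are constructed assumptions.
"""
import math

TELESCOPE_FRACTION = 1 / 256   # slide: the telescope owns 1/256th of IPv4 space
SLAMMER_DOUBLING_S = 8.5       # slide: doubled every 8.5 seconds at its peak
SCANS_PER_HOST_S = 700         # assumed per-host scan rate (constructed value)
VULNERABLE_HOSTS = 100_000     # assumed vulnerable population (constructed value)


def growth_rate(doubling_seconds):
    """Early-phase exponential rate k implied by a doubling time."""
    return math.log(2) / doubling_seconds


def infected_at(t, i0, n, k):
    """Infected hosts after t seconds under the random-constant-spread model.

    Solves di/dt = k * i * (1 - i/n): each infected host finds new victims at
    rate k while most of the population is still vulnerable, and growth slows
    as random scans increasingly land on hosts that are already infected.
    """
    a = i0 / (n - i0)
    e = a * math.exp(k * t)
    return n * e / (1 + e)


def seconds_to_reach(target, i0, n, k):
    """Time for the model to grow from i0 to `target` infected hosts (target < n)."""
    a = i0 / (n - i0)
    return math.log((target / (n - target)) / a) / k


def telescope_scan_rate(infected, scans_per_host_s=SCANS_PER_HOST_S,
                        fraction=TELESCOPE_FRACTION):
    """Scans per second that unbiased random scanning delivers to the telescope."""
    return infected * scans_per_host_s * fraction


def estimate_infected(observed_scan_rate, scans_per_host_s=SCANS_PER_HOST_S,
                      fraction=TELESCOPE_FRACTION):
    """Invert the telescope view: only `fraction` of all scans land on the telescope."""
    return observed_scan_rate / (scans_per_host_s * fraction)


if __name__ == "__main__":
    k = growth_rate(SLAMMER_DOUBLING_S)
    t = seconds_to_reach(75_000, 1, VULNERABLE_HOSTS, k)
    print(f"model reaches 75,000 infected hosts after {t:.0f} s")
    seen = telescope_scan_rate(75_000)
    print(f"telescope then sees about {seen:,.0f} scans/s,")
    print(f"which a defender inverts to {estimate_infected(seen):,.0f} infected hosts")
```

With the slide's 8.5 s doubling time the pure model reaches 75,000 hosts in about 155 s, well under the 10 minutes reported on the slide; the gap is the two effects the model ignores, the Internet's carrying capacity of about 55 million scans/sec and Slammer's broken random number generator. The inversion in `estimate_infected` only holds for the unbiased-scanner case the slide describes: a worm whose generator skips parts of the address space sends the telescope a different share of its scans, and the estimate is then biased.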


Today: Network Security Goals, Security vs. Internet Design, Attacks, Defenses



Network Security Goals

- Availability: everyone can reach all network resources all the time
- Protection: protect users from interactions they don’t want
- Authenticity: know who you are speaking with
- Data Integrity: protect data en route
- Privacy: protect private data


Today: Network Security Goals, Security vs. Internet Design, Attacks, Defenses

Internet Design

- Destination routing
- Packet based (statistical multiplexing)
- Global addressing (IP addresses)
- Simple to join (as infrastructure)
- Power in end hosts (end-to-end argument)


Internet Design vs. Security

- Destination routing
  - Makes Internet routers simpler
  - How do we know where packets are coming from?
- Packet based (statistical multiplexing)
- Global addressing (IP addresses)
- Simple to join (as infrastructure)
- Power in end hosts


Internet Design vs. Security

- Destination Routing
- Packet Based (statistical multiplexing)
  - Simple + Efficient
  - Difficult to bound resources per communication
  - How to keep someone from hogging? (remember, we can’t rely on source addresses)
- Global Addressing (IP addresses)
- Simple to join (as infrastructure)
- Power in End Hosts


Internet Design vs. Security

- Destination routing
- Packet based (statistical multiplexing)
- Global Addressing (IP addresses)
  - Very democratic
  - Even people who don’t necessarily want to be talked to
  - “every psychopath is your next door neighbor” (Dan Geer)
- Simple to join (as infrastructure)
- Power in end hosts


Internet Design vs. Security

- Destination routing
- Packet based (statistical multiplexing)
- Global addressing (IP addresses)
- Simple to join (as infrastructure)
  - Very democratic
  - Misbehaving routers can do very bad things
  - No model of trust between routers
- Power in End Hosts


Internet Design vs. Security

- Destination routing
- Packet based (statistical multiplexing)
- Global addressing (IP addresses)
- Simple to join (as infrastructure)
- Power in end-hosts
  - Decouple hosts and infrastructure = innovation at the edge!
  - Giving power to the least trusted actors
  - How to guarantee good behavior?

Today: Network Security Goals, Security vs. Internet Design, Attacks, Defenses


Denial of Service (DoS) Attacks

- Send many requests to a server
  - Make the requests look legitimate
- Exhaust some of the resources
  - Processing (CPU)
  - Bandwidth (uplink/downlink)
  - Memory





DoS: Via Resource Exhaustion

(diagram: the resources an attacker can exhaust)
- Downlink bandwidth
- Uplink bandwidth
- Memory (e.g. TCP TCB exhaustion)
- CPU
- User time

Distributed DoS (DDoS)

- Attacker compromises multiple hosts
  - Installs a malicious program to do her bidding (bots)
- Bots flood (or otherwise attack) victims on command; the attack is coordinated
- Bot-networks of 80k to 100k have been seen in the wild
  - Aggregate bandwidth > 20 Gbps (probably more)
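The memory-exhaustion case from these two slides (TCP TCB exhaustion by a flood of SYNs that are never completed) as a small replay detector. This is an added example, not code from the lecture: it replays a constructed packet trace against a server whose half-open connection table holds an assumed eight entries, and it alerts on the aggregate number of half-open connections rather than on any single source, because, as the earlier slide notes, source addresses cannot be relied on. The backlog size, the timeout and every address in the trace are constructed values.

```python
"""Half-open TCP connection (TCB) accounting as a resource-exhaustion detector.

Added example for the DoS and DDoS slides; not code from the lecture.  A
server allocates a connection record (TCB) when a SYN arrives and keeps it
until the handshake completes or times out, so SYNs that are never completed
fill that memory.  Because source addresses cannot be trusted, the detector
keys on the aggregate number of half-open entries rather than on any single
source.  The trace, backlog size and timeout below are constructed values.
"""
from collections import namedtuple

# simplified view: one server port, so a connection is identified by (src, sport)
Packet = namedtuple("Packet", "time src sport flags")

BACKLOG = 8          # assumed: number of half-open entries the server can hold
SYN_TIMEOUT = 3.0    # assumed: seconds a half-open entry lives before being dropped


def replay(packets, backlog=BACKLOG, timeout=SYN_TIMEOUT):
    """Replay a trace and report the pressure on the half-open table.

    Returns a dict with the peak number of half-open entries, how many
    distinct sources were behind that peak, the time at which the table
    first filled (None if it never did) and the count left at the end.
    """
    half_open = {}                       # (src, sport) -> time the SYN arrived
    peak = sources_at_peak = 0
    exhausted_at = None
    for p in sorted(packets, key=lambda x: x.time):
        # the server's SYN-RECEIVED timer: drop entries that never completed
        for key in [k for k, t0 in half_open.items() if p.time - t0 > timeout]:
            del half_open[key]
        key = (p.src, p.sport)
        if p.flags == "SYN":             # new handshake: allocate a TCB
            half_open[key] = p.time
        elif p.flags == "ACK":           # third packet: handshake done, entry leaves the table
            half_open.pop(key, None)
        if len(half_open) > peak:
            peak = len(half_open)
            sources_at_peak = len({src for src, _ in half_open})
        if exhausted_at is None and len(half_open) >= backlog:
            exhausted_at = p.time
    return {"peak_half_open": peak, "sources_at_peak": sources_at_peak,
            "exhausted_at": exhausted_at, "final_half_open": len(half_open)}


def max_syns_per_source(packets):
    """Largest SYN count from any one source; a per-source limit keys on this."""
    counts = {}
    for p in packets:
        if p.flags == "SYN":
            counts[p.src] = counts.get(p.src, 0) + 1
    return max(counts.values(), default=0)


# Constructed trace: two normal clients that complete their handshakes, then
# ten SYNs within one second from ten different addresses that never complete,
# then a normal client arriving after the stale entries have timed out.
LEGIT = [Packet(0.0, "10.0.0.5", 40001, "SYN"), Packet(0.1, "10.0.0.5", 40001, "ACK"),
         Packet(0.5, "10.0.0.6", 40002, "SYN"), Packet(0.6, "10.0.0.6", 40002, "ACK")]
FLOOD = [Packet(1.0 + i * 0.1, f"198.51.100.{i}", 50000 + i, "SYN") for i in range(10)]
LATE = [Packet(5.0, "10.0.0.7", 40003, "SYN"), Packet(5.1, "10.0.0.7", 40003, "ACK")]
TRACE = LEGIT + FLOOD + LATE

if __name__ == "__main__":
    print(replay(TRACE))
    print("max SYNs from any single source:", max_syns_per_source(TRACE))
```

Replayed against the constructed trace, the table fills at the eighth flood SYN while no single address has sent more than one SYN, which is the point of the exercise: a per-source limit never fires here, and the signal a defender can act on is the aggregate half-open count, together with its recovery once the stale entries time out.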


Today: Network Security Goals, Security vs. Internet Design, Attacks, Defenses

Firewalls

- What is a firewall?
  - A device designed to permit or deny network transmissions, e.g. traffic entering or leaving your home network
  - Works based on a set of rules
  - Used to protect networks from unauthorized access, while permitting legitimate communications to pass
- Can be done in the network (e.g. at the network perimeter) or at the host
- Configuration is not straightforward
  - Requires knowledge of the network
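The rule-based permit/deny decision on this slide, worked as a small first-match packet filter. This is an added example and not code from the lecture: the rule sets and packets are constructed, the home network 192.168.1.0/24 is an assumed value, and the shadowing check at the end is one concrete form of the slide's point that configuration is not straightforward, since a broad permit placed before a specific deny silently disables it.

```python
"""A minimal first-match packet filter: added example for the firewall slides.

Not code from the lecture.  A firewall compares each packet against an ordered
rule list; the first rule whose fields all match decides, and packets that
match no rule get the default (deny here, the conservative choice).  The rule
sets and packets below are constructed, and the home network 192.168.1.0/24
is an assumed value.
"""
import ipaddress

ANY = None   # wildcard for a rule field


class Rule:
    """One filter rule; a field left as ANY matches every packet."""

    def __init__(self, action, name, direction=ANY, proto=ANY, src=ANY, dst=ANY, dport=ANY):
        assert action in ("permit", "deny")
        self.action, self.name = action, name
        self.direction, self.proto, self.dport = direction, proto, dport
        self.src = ipaddress.ip_network(src) if src else ANY
        self.dst = ipaddress.ip_network(dst) if dst else ANY

    def matches(self, pkt):
        return ((self.direction is ANY or self.direction == pkt["direction"]) and
                (self.proto is ANY or self.proto == pkt["proto"]) and
                (self.dport is ANY or self.dport == pkt.get("dport")) and
                (self.src is ANY or ipaddress.ip_address(pkt["src"]) in self.src) and
                (self.dst is ANY or ipaddress.ip_address(pkt["dst"]) in self.dst))


def evaluate(rules, pkt, default="deny"):
    """Return (action, rule name) from the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"


def fully_shadowed(rules):
    """Names of rules that can never fire: an earlier rule matches every packet they match."""
    def covers(broad, narrow):
        def field(b, n, sub):
            return b is ANY or (n is not ANY and sub(b, n))
        eq = lambda b, n: b == n
        return (field(broad.direction, narrow.direction, eq) and
                field(broad.proto, narrow.proto, eq) and
                field(broad.dport, narrow.dport, eq) and
                field(broad.src, narrow.src, lambda b, n: b.supernet_of(n)) and
                field(broad.dst, narrow.dst, lambda b, n: b.supernet_of(n)))
    return [later.name for j, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:j])]


HOME_NET = "192.168.1.0/24"   # assumed home network

# Constructed home-router policy: anything may leave, only the web server is
# reachable from outside, and inbound ssh is blocked explicitly.
HOME_RULES = [
    Rule("permit", "outbound from home", direction="out", src=HOME_NET),
    Rule("permit", "inbound https to home web server", direction="in", proto="tcp",
         dst="192.168.1.10/32", dport=443),
    Rule("deny", "block inbound ssh", direction="in", proto="tcp", dport=22),
]

# The same ssh block behind a broad inbound permit: the block can never fire.
MISORDERED_RULES = [
    Rule("permit", "inbound tcp (too broad)", direction="in", proto="tcp"),
    HOME_RULES[2],
]

# Constructed packets (203.0.113.0/24 is a documentation range).
WEB_FROM_OUTSIDE = {"direction": "in", "proto": "tcp", "src": "203.0.113.9",
                    "dst": "192.168.1.10", "dport": 443}
SSH_FROM_OUTSIDE = dict(WEB_FROM_OUTSIDE, dport=22)
PRINTER_FROM_OUTSIDE = dict(WEB_FROM_OUTSIDE, dst="192.168.1.20", dport=9100)
BROWSING_OUT = {"direction": "out", "proto": "tcp", "src": "192.168.1.10",
                "dst": "203.0.113.9", "dport": 443}

if __name__ == "__main__":
    for pkt in (WEB_FROM_OUTSIDE, SSH_FROM_OUTSIDE, PRINTER_FROM_OUTSIDE, BROWSING_OUT):
        print(evaluate(HOME_RULES, pkt), "|", evaluate(MISORDERED_RULES, pkt))
    print("shadowed in MISORDERED_RULES:", fully_shadowed(MISORDERED_RULES))
```

Note that the printer packet is denied by the default rather than by any written rule; a default-deny policy is what keeps a device nobody thought about off the exposed list, which is why the slide's "requires knowledge of the network" matters mostly for the permit rules. `fully_shadowed` only reports rules a single earlier rule covers completely; partial overlaps between several rules are the harder case and need a real policy analysis tool.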


How Can We Prevent Network Attacks?

- Without changing the current Internet’s design
- What if we can change everything?
  - Clean slate design




Final Comments

- The Internet was not designed for security
  - Many, many attacks
- Defense is very difficult
  - Attackers are smart; the broken network aids them!
- The impact can be severe
  - As we rely more on computer networks over time
- Time for new designs/principles?



