1 05-Security

Previous: 04-NetworkData.html

• Add Cahoot for the first several lectures on this page:

1.1 Audio-recording

• Password for the Vimeo videos is in Zulip chat.
  • Part 1 2022-04-08
    • https://vimeo.com/700482494
    • https://vimeo.com/700482820
  • Part 2 2022-04-11
    • https://vimeo.com/700483073
    • https://vimeo.com/700483248
  • Part 3 2022-04-15
    • https://vimeo.com/700483510
    • https://vimeo.com/700483690
  • Part 4 2022-04-18
    • https://vimeo.com/708013815
    • https://vimeo.com/708013920
• Tip: If anyone want to speed up the lecture videos a little, inspect the page, go to the browser console, and paste this in: document.querySelector('video').playbackRate = 1.2

1.2 Opening thoughts

Side-channels are the most common attacks!

1.3 IDS and firewall Introduction

• https://en.wikipedia.org/wiki/Firewall_(computing)

1.3.1 Firewalls

• Internet connectivity is essential, but it creates a threat.
• Firewall is a means of protecting LANs
• Inserted between the premises network and the Internet to establish a controlled link
• Can be a single computer system, or a set of two or more systems working together
• Used as a perimeter defense
• Single choke point to impose security and auditing
• Insulates the internal systems from external networks

1.3.2 Design requirements

• All traffic from inside to outside, and vice-versa, should pass through the firewall
  • Is this a questionable assumption?
• Only authorized traffic as defined by the local security policy should be allowed to pass
• The firewall itself should be immune to penetration or compromise

1.3.3 Firewall characteristics

1.3.3.1 Firewall Access Policy

• A critical component in the planning and implementation of a firewall is specifying a suitable access policy
• This lists the types of traffic authorized to pass through the firewall
• Includes address ranges, protocols, applications, and content types
• This policy should be developed from the organization’s information security risk assessment and policy
• Should be developed from a broad specification of which traffic types the organization needs to support
• Then refined to detail the filter elements which can then be implemented within an appropriate firewall topology

1.3.3.2 Firewalls can filter by

• IP address and protocol values:
  • This type of filtering is used by packet filter and stateful inspection firewalls.
  • Typically used to limit access to specific services
• Application protocol:
  • This type of filtering is used by an application-level gateway that relays and monitors the exchange of information for specific application protocols
• User ID:
  • Typically for inside users who identify themselves using some form of secure authentication technology
• Network activity:
  • Controls access based on considerations such as the time or request, rate of requests, or other activity patterns
• Arbitrary packet data:
  • A firewall or IPS/IDS could potential act on any un-encrypted data in the packets passing through.

1.3.3.3 Capabilities

• Defines a single choke point
• Provides a location for monitoring security events
• Convenient platform for several Internet ether functions that are not security related (e.g., NAT, logging, etc.)
• Can serve as the platform for IPSec-based VPNs.

1.3.3.4 Limitations

• Cannot protect against attacks bypassing firewall, or passing through the firewall in encrypted form.
• May not protect against internal threats.
• Some examples of problems
  • Improperly secured wireless LAN can be accessed from outside the organization
  • Laptop, PDA, or portable storage device may be infected outside the corporate network then used internally
• Any other limitations?

1.4 Types of firewall

1.4.1 Packet filtering firewall (a) above

• Applies rules to each incoming and outgoing IP packet
• Typically a list of rules based on matches in the IP or TCP header
• Forwards or discards the packet based on rules match
• Filtering rules are based on information contained in a network packet
  • Source IP address
  • Destination IP address
  • Source and destination transport-level address
  • IP protocol field
  • Interface (e.g., eth0, lo, etc.)
• Two default policies:
  1. Discard
     • prohibit unless expressly permitted
     • More conservative, controlled, visible to users
  2. Forward
     • permit unless expressly prohibited
     • Easier to manage and use but less secure

Packet filtering firewall stores tables of rules (chains)

1. Inbound mail from an external source is allowed (port 25 is for SMTP incoming).
2. This rule is intended to allow a response to an inbound SMTP connection.
3. Outbound mail to an external source is allowed.
4. This rule is intended to allow a response to an inbound SMTP connection.
5. This is an explicit statement of the default policy. All rule sets include this rule implicitly as the last rule.

1.4.1.1 Advantages

• Simplicity
• Typically transparent to users and are very fast

1.4.1.2 Weaknesses

• Cannot prevent attacks that employ application specific vulnerabilities or functions
• Limited logging functionality
• Do not support advanced user authentication
• Vulnerable to attacks on TCP/IP protocol bugs, IP spoofing, etc
• Improper configuration can lead to breaches
• Others?

1.4.2 Stateful inspection firewall (c) below

A TCP packet tries to get past the firewall on the way to the bar.
Firewall says “hey, you’re out of order”.

* Statefulness tightens rules for TCP traffic by creating a directory of outbound TCP connections.
* There is an entry for each currently established connection.
* Packet filter allows incoming traffic to high numbered ports only for those packets that fit the profile of one of the entries in this directory.
* Reviews packet information, but also records information about TCP connections
* Keeps track of TCP sequence numbers to prevent attacks that depend on the sequence number

Ask:
* Does this remind you of any other protocol/service we have talked about recently?
* What about incoming UDP?

Stateful Inspection Firewall needs to keep a dynamically changing table of connections:

Table of outgoing connections determines which incoming connections are allowed.

1.4.3 Application layer firewall / proxy (b) below

Application level gateways can be:

Network based (e.g., big brother your employees to the extreme)

• Also called an application proxy
• Acts as a relay of application-level traffic
• User contacts gateway using a TCP/IP application
• User is authenticated
• Gateway contacts application on remote host and relays TCP segments between server and user
• Must have proxy code for each application
• May restrict application features supported

Host based (e.g., don’t trust your own applications, privacy firewall)

• Function by determining whether a process should accept any given connection.
• A host-based application firewall can monitor any application input, output, and/or system service calls made from, to, or by an application.
• This is done by examining information passed through system calls instead of or in addition to a network stack.
• AppArmon or SELinux can do this
• https://github.com/evilsocket/opensnitch (a decent/interesting Linux implementation of this idea)
  • Note: there are a couple older attempts at this idea, but the above seems to be the cleanest on Linux

Note: In my opinion, one very cool project would be making an open-snitch/little-snitch/zone-alarm like firewall out of SELinux.

1.4.4 Circuit level proxy firewall (d) below

1.4.4.1 Circuit-Level Gateway/Proxy

• Sets up two TCP connections
  1. one between itself and a TCP user on an inner host and
  2. one on an outside host
• Relays TCP segments from one connection to the other without examining contents
• Security function consists of determining which connections will be allowed
• Typically used when inside users are trusted
• May use application-level gateway inbound and circuit-level gateway outbound
• Lower overheads

A kind of:
https://en.wikipedia.org/wiki/Proxy_server

1.4.4.1.1 SOCKS5

https://en.wikipedia.org/wiki/SOCKS

• Designed to provide a framework for client-server applications in TCP/UDP domains to conveniently and securely use the services of a network firewall.
• Client application contacts SOCKS server, authenticates, sends relay request.
• Server evaluates and either establishes or denies the connection.
• SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.

Another example:
Tor sets up a SOCKS proxy that does not require authentication for applications running on localhost
Those applications may send data to the socks proxy, and have that data relayed through the Tor network.
You can re-configured your regular browser or any other application with SOCKS settings to run through the Tor browser’s Tor process in this way.

https://en.wikipedia.org/wiki/Tor_network

• A Tor user’s SOCKS-aware applications can be configured to direct their network traffic through a Tor instance’s SOCKS interface, which is listening on TCP port 9050 (for standalone Tor) or 9150 (for Tor Browser bundle) at localhost.
• Tor periodically creates virtual circuits through the Tor network through which it can multiplex and onion-route that traffic to its destination.
• Once inside a Tor network, the traffic is sent from router to router along the circuit, ultimately reaching an exit node at which point the cleartext packet is available and is forwarded on to its original destination.
• Viewed from the destination, the traffic appears to originate at the Tor exit node.
• A Tor non-exit relay with a maximum output of 239.69 kbit/s
• Tor’s application independence sets it apart from most other anonymity networks: it works at the Transmission Control Protocol (TCP) stream level.
• Applications whose traffic is commonly anonymized using Tor include Internet Relay Chat (IRC), instant messaging, and World Wide Web browsing.

demo in class

sudo dnf install tor
sudo systemctl enable tor
sudo systemctl start tor
# route firefox settings through socks/9050 with DNS too

Another fun example (check out in class):
https://ma.ttias.be/socks-proxy-linux-ssh-bypass-content-filters/

1.5 Firewall location and configuration

• Can be either a:
  • dedicated computer (bastion host) or
  • individual computer (host-based).
• Many network locations.

1.5.1 Bastion hosts

• System identified as a critical strong point in the network’s security
• Serves as a platform for an application-level or circuit-level gateway
• Runs secure O/S, only essential services (often a *BSD OS)
• May require user authentication to access proxy or host
• Each proxy can restrict features or hosts accessed
• Each proxy is small, simple, and checked for security
• Each proxy is independent and non-privileged
• Limited disk use, hence read-only code

1.5.2 Host-based firewalls

• Used to secure an individual host
• Available in operating systems, or can be provided as an add-on package
• Filter and restrict packet flows
• Common location is a server, or important resource

1.5.3 Personal firewall

• Controls traffic between a personal computer or workstation and the Internet or enterprise network
• For both home or corporate use
• Typically is a software module on a personal computer
• Can be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface
• Typically less complex than server-based or stand-alone firewalls, but also more capable of fine-grained filtering.
• Primary role is to deny unauthorized remote access
• May also monitor outgoing traffic to detect and block worms and malware activity (or just block unnecessary outgoing traffic)
• Stealth mode hides the system on the Internet by dropping unsolicited communication packets, making it appear as though the system is not present.
  • This is overrated, imo, and tends to break stuff.
• UDP packets can be blocked, restricting network traffic to TCP packets only for open ports.

1.5.3.1 netfilter and iptables

https://en.wikipedia.org/wiki/Netfilter
https://www.netfilter.org/

• stateless packet filtering (IPv4 and IPv6)
• stateful packet filtering (IPv4 and IPv6)
• build internet firewalls based on stateless and stateful packet filtering
• deploy highly available stateless and stateful firewall clusters
• use NAT and masquerading for sharing internet access if you don’t have enough public IP addresses
• use NAT to implement transparent proxies
• aid the tc and iproute2 systems used to build sophisticated QoS and policy routers
• do further packet manipulation (mangling) like altering the TOS/DSCP/ECN bits of the IP header
• Much more to come later (below)

1.5.4 Locations

Firewall locations and demilitarized zone (DMZ)

IPSec based VPN

Distributed firewall locations

1.5.5 Firewall Topologies

• Host-resident firewall:
  • Includes personal firewall software and firewall software on servers
• Screening router:
  • Single router between internal and external networks with stateless or full packet filtering
• Single bastion inline:
  • Single firewall device between an internal and external router
• Single bastion T:
  • Has a third network interface on bastion to a DMZ where externally visible servers are placed
• Double bastion inline:
  • DMZ is sandwiched between bastion firewalls
• Double bastion T:
  • DMZ is on a separate network interface on the bastion firewall
• Distributed firewall:
  • Used by large businesses and government organizations

1.6 Linux standard firewall: IPtables

• Retire iptables stuff here in lieu of nft or switch to openbsd/pf instead?

https://en.wikipedia.org/wiki/Iptables
https://en.wikipedia.org/wiki/Netfilter

• Iptables is the userspace module, the bit that you, the user, interact with at the command line to enter firewall rules into predefined tables.
• Netfilter is a kernel module, built into the kernel, that actually does the filtering.
• There are many GUI front-ends for iptables that allow users to add or define rules based on a point and click user interface.
  • These often lack the flexibility of using the command line interface and limit the users understanding of what’s really happening.

Note: I’ve had numerous students say that this section of the class helped them pass an interview or even make it through an internship, learning IPTables that is.

1.6.1 IPtables, netfilter, kernel networking

IPtables and netfilter

User-space:

• Iptables resides in what we call the user-space, this is your interface to the firewall for setting up your firewall rules.
• The same applies to ip6tables, nft, etc.

Kernel:

• netfilter, the framework which iptables configures.
• Netfilter implements a series of ‘hooks’ that inspect packets in the protocol stack, such as IPv4.
• These hooks allow for kernel modules to interact with them.
• Iptables has a huge list of kernel modules used for its firewalling capabilities.
• We have everything from tcp and udp to pkttype (Packet Type).
• In fact if you want to see a list of iptables kernel modules, type:
  sudo cat /proc/net/ip_tables_matches

Hardware / interfaces:

• Network adapters; eth0, eth1, etc.
• Netfilter uses prerouting and postrouting to and from the network stack to inspect packets sent and received on each interface.

Where in OS?

• Packet inspection is done at the kernel layer with netfilter
• All the firewall rules and tools to manage the firewall reside in the user-space.

1.6.2 Architecture

IPtables and netfilter

IPtables and netfilter

IPtables and netfilter

IPtables and netfilter

IPtables and netfilter

IPtables and netfilter

IPtables and netfilter

IPtables and netfilter

1.6.2.1 Chains in tables

As a packet triggers a netfilter hook, the associated chains will be processed as they are listed in the table above from top-to-bottom, with rules processed from top to bottom.

1.6.2.2 Tables

filter table is one of the most widely used tables in iptables.
The filter table is used to make decisions about whether to let a packet continue to its intended destination or to deny its request.
In firewall parlance, this is known as “filtering” packets.
This table provides the bulk of functionality that people think of when discussing firewalls.

nat table is used to implement network address translation rules.
As packets enter the network stack, rules in this table will determine whether and how to modify the packet’s source or destination addresses in order to impact the way that the packet and any response traffic are routed.

mangle table is used to alter the IP headers of the packet in various ways.
You can adjust the TTL (Time to Live) value of a packet, either lengthening or shortening the number of valid network hops the packet can sustain.

The iptables firewall is stateful, meaning that packets are evaluated in regards to their relation to previous packets.
The connection tracking features built on top of the netfilter framework allow iptables to view packets as part of an ongoing connection or session instead of as a stream of discrete, unrelated packets.
The connection tracking logic is usually applied very soon after the packet hits the network interface.
The raw table has a very narrowly defined function.
Its only purpose is to provide a mechanism for marking packets in order to opt-out of connection tracking.

The security table is used to set internal SELinux security context marks on packets
This affects how SELinux or other systems that can interpret SELinux security contexts handle the packets.
These marks can be applied on a per-packet or per-connection basis.

Chains in tables

1.6.2.3 Chains rely on kernel hooks

Netfilter Kernel Hooks

• 5 netfilter hooks that programs can register with.

• As packets progress through the stack, they will trigger the kernel modules that have registered with these hooks.

• Hooks that a packet will trigger depends on whether the packet is incoming or outgoing, the packet’s destination, and whether the packet was dropped or rejected at a previous point.

• NF_IP_PRE_ROUTING:

  • will be triggered by any incoming traffic very soon after entering the network stack.
  • Is processed before any routing decisions have been made regarding where to send the packet.

• NF_IP_LOCAL_IN:

  • is triggered after an incoming packet has been routed if the packet is destined for the local system.

• NF_IP_FORWARD:

  • is triggered after an incoming packet has been routed if the packet is to be forwarded to another host.

• NF_IP_LOCAL_OUT:

  • is triggered by any locally created outbound traffic as soon it hits the network stack.

• NF_IP_POST_ROUTING:

  • is triggered by any outgoing or forwarded traffic after routing has taken place and just before being put out on the wire.

1.6.2.4 Chains

As you can see, the names of the built-in chains mirror the names of the netfilter hooks they are associated with:

• PREROUTING: Triggered by the NF_IP_PRE_ROUTING hook.
• INPUT: Triggered by the NF_IP_LOCAL_IN hook.
• FORWARD: Triggered by the NF_IP_FORWARD hook.
• OUTPUT: Triggered by the NF_IP_LOCAL_OUT hook.
• POSTROUTING: Triggered by the NF_IP_POST_ROUTING hook.

1.6.2.5 Rules

Rules in chains

Rules are also processed in order, often with a catch-all at the end.

1.6.2.6 Traversal order

Chain Traversal Order Assuming that the server knows how to route a packet and that the firewall rules permit its transmission, the following flows represent the paths that will be traversed in different situations:

• Incoming packets destined for the local system:
  PREROUTING -> INPUT

• Incoming packets destined to another host:
  PREROUTING -> FORWARD -> POSTROUTING

• Locally generated packets:
  OUTPUT -> POSTROUTING

IPtables and netfilter flow

Targets (another chain to send to) A target is the action that are triggered when a packet meets the matching criteria of a rule.
Targets are generally divided into two categories:

• Terminating targets:
  • Terminating targets perform an action which terminates evaluation within the chain and returns control to the netfilter hook.
  • Depending on the return value provided, the hook might drop the packet or allow the packet to continue to the next stage of processing.
• Non-terminating targets:
  • Non-terminating targets perform an action and continue evaluation within the chain.
  • Although each chain must eventually pass back a final terminating decision, any number of non-terminating targets can be executed beforehand.
• Common are ACCEPT, DROP, REJECT, LOG, etc

1.7 Stateful connection tracking

1.7.1 TCP connections

TCP state tracking: connection

For a stateful firewall:

TCP state tracking: closing

TCP state tracking: client sub-connection

TCP state tracking: server sub-connection

1.7.2 UDP “connection” tracking

UDP state tracking: “connection”

Watches inverted port numbers.

State Explanation: NEW

• The NEW state tells us that the packet is the first packet that we see.
• This means that the first packet that the conntrack module sees, within a specific connection, will be matched.
• For example, if we see a SYN packet and it is the first packet in a connection that we see, it will match.
• However, the packet may as well not be a SYN packet and still be considered NEW.
• This may lead to certain problems in some instances, but it may also be extremely helpful when we need to pick up lost connections from other firewalls, or when a connection has already timed out, but in reality is not closed.

State Explanation: ESTABLISHED

• The ESTABLISHED state has seen traffic in both directions and will then continuously match those packets.
• ESTABLISHED connections are fairly easy to understand.
• The only requirement to get into an ESTABLISHED state is that one host sends a packet, and that it later on gets a reply from the other host.
• The NEW state will upon receipt of the reply packet to or through the firewall change to the ESTABLISHED state.
• ICMP reply messages can also be considered as ESTABLISHED, if we created a packet that in turn generated the reply ICMP message.

State Explanation: RELATED

• The RELATED state is one of the more tricky states.
• A connection is considered RELATED when it is related to another already ESTABLISHED connection.
• What this means, is that for a connection to be considered as RELATED, we must first have a connection that is considered ESTABLISHED.
• The ESTABLISHED connection will then spawn a connection outside of the main connection.
• The newly spawned connection will then be considered RELATED, if the conntrack module is able to understand that it is RELATED.
• Some good examples of connections that can be considered as RELATED are the FTP-data connections that are considered RELATED to the FTP control port, and the DCC connections issued through IRC.
• This could be used to allow ICMP error messages, FTP transfers and DCC’s to work properly through the firewall.
• Do note that most TCP protocols and some UDP protocols that rely on this mechanism are quite complex and send connection information within the payload of the TCP or UDP data segments, and hence require special helper modules to be correctly understood.

State Explanation: INVALID

• The INVALID state means that the packet can’t be identified or that it does not have any state.
• This may be due to several reasons, such as the system running out of memory or ICMP error messages that do not respond to any known connections.
• Generally, it is a good idea to DROP everything in this state.

State Explanation: UNTRACKED

• This is the UNTRACKED state.
• In brief, if a packet is marked within the raw table with the NOTRACK target, then that packet will show up as UNTRACKED in the state machine.
• This also means that all RELATED connections will not be seen, so some caution must be taken when dealing with the UNTRACKED connections since the state machine will not be able to see related ICMP messages et cetera.

05-Security/FW_demo.sh

Note:

#!/bin/bash

# Read:
# man iptables
# man iptables-extensions
# sudo iptables -m conntrack -h

########## INFO AND DISPLAY
# list of common ports in
cat /etc/services

# Run: netstat -lntu
#    -l  prints only listening sockets
#    -n  shows port number
#    -t  enables listing of tcp ports
#    -u  enables listing of udp ports
sudo netstat -lntu

# To display existing IPtables rules
echo before
echo | sudo iptables -L -v
echo | sudo iptables -S

# If you are running Fedora: https://fedoraproject.org/wiki/FirewallD
#sudo dnf install iptables-services
#sudo systemctl mask firewalld.service
#sudo systemctl enable iptables.service
#sudo systemctl enable ip6tables.service
#sudo systemctl stop firewalld.service
#sudo systemctl start iptables.service
#sudo systemctl start ip6tables.service

# STEP 0: clear all old rultes
sudo iptables -F # (--flush or -F)
sudo iptables -F -t mangle
sudo iptables -F -t nat

sudo iptables -X # (--delete-chain or -X)
sudo iptables -X -t mangle
sudo iptables -X -t nat

# STEP 1: set default policies for each chain, using (--policy or -P)
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP

# STEP 2: Add new rules to each chain (INPUT, FORWARD, OUTPUT) using this syntax:

# sudo iptables -A  -i <interface> -p <protocol (tcp/udp)> -s <source> --dport <port no.>  -j <target>

########## INPUT CHAIN

# As network traffic generally needs to be two-way,
# incoming and outgoing to work properly,
# it is typical to create a firewall rule that allows established and related incoming traffic,
# so that the server will allow return traffic to outgoing connections initiated by the server itself.
# This command will allow that:
#old syntax: sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED, ESTABLISHED -j ACCEPT

# Local traffic accepted
sudo iptables -A INPUT -i lo -j ACCEPT

# Simple version of SSH incoming OK, stateless
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# SSH incoming OK, stateful
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW, ESTABLISHED -j ACCEPT

# Accept packets from trusted IP addresses
sudo iptables -A INPUT -s 192.168.0.4 -j ACCEPT               # change the IP address as appropriate
sudo iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT            # using standard slash notation
sudo iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT # or using a subnet mask

# To block network connections that originate from a specific IP address,
# 15.15.15.51 for example, run this command:
sudo iptables -A INPUT -s 15.15.15.51 -j DROP

# Accept tcp packets on destination port 6881 (bittorrent)
sudo iptables -A INPUT -p tcp --dport 6881 -j ACCEPT

# Some network traffic packets get marked as invalid.
# Sometimes it can be useful to log this type of packet but often it is fine to drop them.
# Do so with this command:
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# To allow all incoming HTTPS (port 443) connections run these commands:
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Default catch-all in case you did not have a secure default policy
sudo iptables -A INPUT -j REJECT

########## FORWARD CHAIN

# Assuming eth0 is your external network,
# and eth1 is your internal network,
# this will allow your internal to access the external:
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

sudo iptables -A FORWARD -j REJECT

########## OUTPUT CHAIN
sudo iptables -A OUTPUT -o lo -j ACCEPT

# HTTPS port allowed out, but not HTTP port
sudo iptables -A OUTPUT -p tcp --dport https -j ACCEPT
# sudo iptables -A OUTPUT -p tcp --dport http -j ACCEPT

# DNS allowed out on 53
sudo iptables -A OUTPUT -p udp --dport domain -j ACCEPT

# Output SSH allowed.
# You may want to allow outgoing traffic of all established connections,
# which are typically the response to legitimate incoming connections.
# This command will allow that:
sudo iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Block a particular website (e.g., facebook):
# host -t a www.facebook.com says ip is:
sudo iptables -A OUTPUT -d 157.240.2.35 -j DROP

# Final catch-all in case you did not have a secure default policy
sudo iptables -A OUTPUT -j REJECT

# Note: this line assumes Fedora, and Debian is different.
# The rest above should be cross-distro
sudo service iptables save

echo after
echo | sudo iptables -L -v
echo | sudo iptables -S

++++++++++++++++++++++++++++ Cahoot-05-1

++++++++++++++++++++++++++++ Cahoot-05-2

Notes:

• IPtables and netfilter are the dominant firewall technology in the Linux world, but there are some other contenders:
  https://en.wikipedia.org/wiki/Nftables
• nftables is set to replace much of netfilter (it is indeed nicer)
• The syntax is a bit different
• nftables is configured via the user-space utility nft, while netfilter is configured via the utilities iptables, ip6tables, arptables and ebtables frameworks.
• The phase-out of netfilter is slow.

https://en.wikipedia.org/wiki/PF_(firewall)
BSD based firewall that you may encounter,
particularly given the dominance of BSD-based firewall distributions like pfSense and OPNSense.

1.8 IPS/IDS Intrusion Prevention/Dection Systems

• Also known as Intrusion Detection and Prevention System (IDPS)
• Is an extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity
• Can be host-based, network-based, or distributed/hybrid
• Can use anomaly detection to identify behavior that is not that of legitimate users, or signature/heuristic detection to identify known malicious behavior can block traffic as a firewall does, but makes use of the types of algorithms developed for IDSs to determine when to do so

1.8.1 Classes of Intruders

• Individuals or members of an organized crime group with a goal of financial reward
• Their activities may include:
  • Identity theft
  • Theft of financial credentials
  • Corporate espionage
  • Data theft
  • Data ransoming
• Typically meet in underground forums to trade tips and data and coordinate attacks

1.8.1.1 Intruders - Activists

• Are either individuals, usually working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes
• Also know as hacktivists
• Skill level is often low
• Aim of their attacks is often to promote and publicize their cause typically through:
  • Website defacement
  • Denial of service attacks
  • Theft and distribution of data that results in negative publicity or compromise of their targets

1.8.1.2 Intruders - State-Sponsored Organizations

• Groups of hackers sponsored by governments to conduct espionage or sabotage activities
• Also known as Advanced Persistent Threats (APTs) due to the covert nature and persistence over extended periods involved with any attacks in this class
• Widespread nature and scope of these activities by a wide range of countries from China to the USA, UK, and their intelligence allies

1.8.1.3 Intruders - Others

• Include classic hackers or crackers who are motivated by technical challenge or by peer-group esteem and reputation
• Many of those responsible for discovering new categories of buffer overflow vulnerabilities could be regarded as members of this class
• Given the wide availability of attack toolkits, there is a pool of “hobby hackers” using them to explore system and network security

1.8.2 Intruder skill levels

1.8.2.1 Intruder Skill Levels - Apprentice

• Hackers with minimal technical skill who primarily use existing attack toolkits
• They likely comprise the largest number of attackers, including many criminal and activist attackers
• Given their use of existing known tools, these attackers are the easiest to defend against
• Also known as “script-kiddies” due to their use of existing scripts (tools)

1.8.2.2 Intruder Skill Levels - Journeyman

• Hackers with sufficient technical skills to modify and extend attack toolkits to use newly discovered, or purchased, vulnerabilities
• They may be able to locate new vulnerabilities to exploit that are similar to some already known
• Hackers with such skills are likely found in all intruder classes
• Adapt tools for use by others

1.8.2.3 Intruder Skill Levels - Master

• Hackers with high-level technical skills capable of discovering brand new categories of vulnerabilities
• Write new powerful attack toolkits
• Some of the better known classical hackers are of this level
• Some are employed by state-sponsored organizations
• Defending against these attacks is of the highest difficulty

1.8.3 Examples of Intrusion

• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information, without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password
• Using an unattended, logged-in workstation without permission

1.8.4 Intruder Behavior

• Target acquisition and information gathering
• Initial access
• Privilege escalation
• Information gathering and system exploit
• Maintaining access
• Covering tracks

1.8.4.1 Target Acquisition and Information Gathering

• Explore corporate website for information on corporate structure, personnel, key systems, as well as details of specific web server and OS used.
• Gather information on target network using DNS lookup tools such as dig, host, and others; and query WHOIS database.
• Map network for accessible services using tools such as NMAP.
• Send query email to customer service contact, review response for information on mail client, server, and OS used, and also details of person responding.
• Identify potentially vulnerable services, e.g., vulnerable web CMS.

1.8.4.2 Initial Access

• Brute force (guess) a user’s web content management system (CMS) password.
• Exploit vulnerability in web CMS plugin to gain system access.
• Send spear-phishing email with link to web browser exploit to key people.

1.8.4.3 Privilege Escalation

• Scan system for applications with local exploit.
• Exploit any vulnerable application to gain elevated privileges.
• Install sniffers to capture administrator passwords.
• Use captured administrator password to access privileged information.

1.8.4.4 Information Gathering or System Exploit

• Scan files for desired information.
• Transfer large numbers of documents to external repository.
• Use guessed or captured passwords to access other servers on network.

1.8.4.5 Maintaining Access

• Install remote administration tool or rootkit with backdoor for later access.
• Use administrator password to later access network.
• Modify or disable anti-virus or IDS programs running on system.

1.8.4.6 Covering Tracks

• Use rootkit to hide files installed on system.
• Edit logfiles to remove entries generated during the intrusion.

1.8.5 Intrusion detection

1.8.5.1 Definitions

Security Intrusion:
A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

Intrusion Detection:
A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

1.8.5.2 Intrusion Detection System (IDS)

• Sensors - collect data
• Analyzers - determine if intrusion has occurred
• User interface - view output or control system behavior

1.8.5.2.1 Host-based IDS (HIDS)

• Monitors the characteristics of a single host for suspicious activity

1.8.5.2.2 Network-based IDS (NIDS)

• Monitors network traffic and analyzes network, transport, and application protocols to identify suspicious activity

1.8.5.2.3 Distributed or hybrid IDS

Combines information from a number of sensors, often both host and network based, in a central analyzer that is able to better identify and respond to intrusion activity

Discrimination between normal an intruder behavior

1.8.5.3 IDS requirements

• Run continually with minimal human supervision.
• Be fault tolerant in the sense that it must be able to recover from system crashes and reinitializations.
• Resist subversion. The IDS must be able to monitor itself and detect if it has been modified by an attacker.
• Impose a minimal overhead on the system where it is running.
• Be able to be configured according to the security policies of the system that is being monitored.
• Be able to adapt to changes in system and user behavior over time.
• Be able to scale to monitor a large number of hosts.
• Provide graceful degradation of service in the sense that if some components of the IDS stop working for any reason, the rest of them should be affected as little as possible.
• Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS without having to restart it.

1.8.5.4 Analysis Approaches

1. Anomaly detection

• Involves the collection of data relating to the behavior of legitimate users over a period of time
• Current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder

2. Signature/Heuristic detection

• Uses a set of known malicious data patterns or attack rules that are compared with current behavior
• Can only identify known attacks for which it has patterns or rules

1.8.5.4.1 1. Anomaly based detection

Statistical
Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics.

Knowledge based
Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior.

Machine learning
Approaches automatically determine a suitable classification model from the training data using data mining techniques: Bayesian networks, Markov models, Neural Networks, Fuzzy logic, Genetic algorithms, Clustering, and Reinforcement learning.

1.8.5.4.2 2. Signature or heuristic based detection

Signature approaches

• Match a large collection of known patterns of malicious data against data stored on a system or in transit over a network
• The signatures need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data
• Widely used in anti-virus products, network traffic scanning proxies, and in NIDS

Rule-based heuristic identification

• Involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses
• Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage
• Typically rules used are specific
• SNORT is an example of a rule-based NIDS

++++++++++++++++++++ Cahoot-05-3

1.8.6 Host-based intrusion detection (HIDS)

• Adds a specialized layer of security software to vulnerable or sensitive systems
• Can use either anomaly or signature and heuristic approaches
• Monitors activity to detect suspicious behavior
• Primary purpose is to detect intrusions, log suspicious events, and send alerts
• Can detect both external and internal intrusions

1.8.6.1 Data sources and sensors

• Collects data
• Common data sources include:
  • System call traces
  • Audit (log file) records
  • File integrity checksums
  • Registry access

1.8.6.2 Anomaly based detection

• The majority of work on anomaly-based HIDS has been done on UNIX and Linux systems, given the ease of gathering suitable data for this work.
• System calls are the means by which programs access core kernel functions, providing a wide range of interactions with the low-level operating system functions.
• Hence they provide detailed information on process activity that can be used to classify it as normal or anomalous.
• While using system call traces provides arguably the richest information source for a HIDS, it does impose a moderate load on the monitored system to gather and classify this data.

1.8.6.3 Signature or heuristic based detection

• Anti-virus (A/V), more correctly viewed as anti-malware, products.
• Very commonly used on Windows systems, and also incorporated into mail and web application proxies on firewalls and in network based IDSs.
• They use either a database of file signatures, which are patterns of data found in known malicious software, or heuristic rules that characterize known malicious behavior.
• Quite efficient at detecting known malware, however they are not capable of detecting zero-day attacks that do not correspond to the known signatures or heuristic rules.

1.8.6.4 Distributed HIDS

Three main components:

1. Host agent module:
   • An audit collection module operating as a background process on a monitored system.
   • Its purpose is to collect data on security-­related events on the host and transmit these to the central manager.
2. LAN monitor agent module:
   • Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results to the central manager.
3. Central manager module:
   • Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion.

Agent architecture

1.8.7 Network-based NIDS

• Monitors traffic at selected points on a network
• Examines traffic packet by packet in real or close to real time
• May examine network, transport, and/or application-level protocol activity
• Comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface
• Analysis of traffic patterns may be done at the sensor, the management server or a combination of the two

1.8.7.1 Types of network sensors

Sensor types: inline and passive

• An inline ­sensor is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor. One way to achieve an inline sensor is to combine NIDS sensor logic with another network device, such as a firewall or a LAN switch.
• A passive sensor monitors a copy of network traffic; the actual traffic does not pass through the device. From the point of view of traffic flow, the passive sensor is more efficient than the inline sensor, because it does not add an extra handling step that contributes to packet delay.

Passive NIDS sensor

1.8.7.2 Sensor locations

Sensor deployment locations

1.8.7.3 Intrusion detection techniques

Attacks suitable for signature detection

• Application layer reconnaissance and attacks
• Transport layer reconnaissance and attacks
• Network layer reconnaissance and attacks
• Unexpected application services
• Policy violations

Attacks suitable for anomaly detection

• Denial-of-service (DoS) attacks
• Scanning
• Worms

Stateful Protocol Analysis (SPA)

• Subset of anomaly detection that compares observed network traffic against predetermined universal vendor supplied profiles of benign protocol traffic
• This distinguishes it from anomaly techniques trained with organization specific traffic protocols
• Understands and tracks network, transport, and application protocol states to ensure they progress as expected
• A key disadvantage is the high resource use it requires

1.8.7.4 Logging alerts

Typical information logged by a NIDS sensor includes:

• Time-stamp
• Connection or session ID
• Event or alert type
• Rating
• Network, transport, and application layer protocols
• Source and destination IP addresses
• Source and destination TCP or UDP ports, or ICMP types and codes
• Number of bytes transmitted over the connection
• Decoded payload data, such as application requests and responses
• State-related information

1.8.8 Distributed or hybrid HIDS

• Does not rely solely on perimeter defense mechanisms, such as firewalls, or on individual host-based defenses.
• Instead, each end host and each ­network device (e.g., routers) is considered to be a potential sensor and may have the sensor ­software module installed.
• Sensors in this distributed configuration can exchange information to corroborate the state of the network (i.e., whether an attack is under way).
  

1.8.9 ID data standards

IETF Intrusion Detection Working Group
Purpose is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to management systems that may need to interact with them.

General message exchange framework

1.8.9.0.1 General message exchange framework

• Data source:
  • Common data sources include network packets, operating system ­audit logs, application audit logs, and system-generated checksum data.
• Sensor:
  • Collects data from the data source. The sensor forwards events to the analyzer.
• Analyzer:
  • The ID component or process that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.
• Administrator:
  • The human with overall responsibility for setting the ­security policy of the organization, and, thus, for decisions about deploying and ­configuring the IDS.
• Manager:
  • Management functions typically include sensor configuration, analyzer configuration, event notification management, data consolidation, and reporting.
• Operator:
  • The human operator often monitors the output of the IDS and initiates or recommends further action.

1.9 Example IDS/IPS: Snort

• Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS)
• Real-time traffic analysis and packet logging on IP networks, protocol analysis, content searching and matching.
• Detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, semantic URL attacks, buffer overflows, server message block probes, and stealth port scans.
• Three main modes
  1. Sniffer mode, read network packets and display them on the console.
  2. Packet logger mode, log packets to the disk.
  3. Intrusion detection mode, monitor network traffic and analyze it against a rule set defined by the user. The program will then perform a specific action based on what has been identified.

++++++++++++++++++ Cahoot-05-4

1.10 Other firewalls, and firewall and router distributions

Check these out in class, sort tables by license:

• https://en.wikipedia.org/wiki/List_of_router_and_firewall_distributions
• https://en.wikipedia.org/wiki/Comparison_of_firewalls

1.10.1 pf (a firewall) and pfSense (a production OS)

pf is the openbsd firewall

• https://www.openbsd.org/faq/pf/index.html
• https://en.wikipedia.org/wiki/PF_(firewall)

pfSense is a firewall distribution

• https://www.pfsense.org/
• https://en.wikipedia.org/wiki/PfSense
• https://www.pfsense.org/download/ (community edition available as iso)
• pfSense is an open source firewall/router computer software distribution based on FreeBSD.
• It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network.
• It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage.
• IDS/IPS systems like SNORT are well-integrated into the platform

OPNsense is a fork of pfSense

• https://docs.opnsense.org/history/thefork.html
• https://en.wikipedia.org/wiki/OPNsense
• https://opnsense.org/

More info on how to set up pfSense and Snort in ra05-Firewall-IPS

1.11 Honeypots

https://en.wikipedia.org/wiki/Honeypot_(computing)
(show this link)

• A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.
• Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site, but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, who are then blocked.
• This is similar to police sting operations, colloquially known as “baiting” a suspect.
• Decoy systems designed to:
  • Lure a potential attacker away from critical systems
  • Collect information about the attacker’s activity
  • Encourage the attacker to stay on the system long enough for administrators to respond
• Systems are filled with fabricated information that a legitimate user of the system wouldn’t access
• Resources that have no production value
• Incoming communication is most likely a probe, scan, or attack
• Initiated outbound communication suggests that the system has probably been compromised

1.11.1 Honeypot types

Most are server honeypots, but some are clients.

1.11.1.1 Pure honeypots

• are full-fledged production systems.
• The activities of the attacker are monitored by using a bug tap that has been installed on the honeypot’s link to the network.
• No other software needs to be installed.
• Even though a pure honeypot is useful, stealthiness of the defense mechanisms can be ensured by a more controlled mechanism.

1.11.1.2 Low interaction honeypot

• Consists of a software package that emulates particular IT services or systems well enough to
• provide a realistic initial interaction, but does not execute a full version of those services or systems
• Provides a less realistic target
• Often sufficient for use as a component of a distributed IDS to warn of imminent attack

1.11.1.3 High interaction honeypot

• A real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers
• Is a more realistic target that may occupy an attacker for an extended period
• However, it requires significantly more resources
• If compromised could be used to initiate attacks on other systems

1.11.1.4 Client honeypot

https://en.wikipedia.org/wiki/Client_honeypot

• Client Honeypots are active security devices in search of malicious servers that attack clients.
• The client honeypot poses as a client and interacts with the server to examine whether an attack has occurred.
• Often the focus of client honeypots is on web browsers, but any client that interacts with servers can be part of a client honeypot (for example ftp, ssh, email, etc.).

1.11.2 Applications

• Legal
• Research
• Spam
• Defensive (varied)
• Academic (lol)
• Others?

1.11.3 Honeypot locations

1.11.4 Example honeypots and demos

• https://github.com/paralax/awesome-honeypots
• https://www.pressreader.com/australia/maximum-pc/20181024/283154314646552
• https://github.com/thinkst/opencanary

1.11.4.1 Attack maps

Some derived from honeypots, others from actual attack, network, and malware statistics

• https://norse-corp.com/map/
  • https://www.digitalattackmap.com/
  • https://cybermap.kaspersky.com/
  • https://threatmap.checkpoint.com/ThreatPortal/livemap.html
  • https://threatmap.fortiguard.com/
  • https://www.akamai.com/es/es/resources/visualizing-akamai/real-time-web-monitor.jsp?tab=attacks&theme=dark
  • https://map.lookingglasscyber.com/
  • https://threatbutt.com/map/
  • https://talosintelligence.com/fullpage_maps/pulse
  • https://www.sophos.com/en-us/threat-center/threat-monitoring/threatdashboard.aspx
  • https://www.fireeye.com/cyber-map/threat-map.html

“When you go after honey with a balloon, the great thing is to not let the bees know you’re coming.”
- Winnie the Pooh

+++++++++++++++++ Cahoot-05-5

2 DoS (Denial of Service)

3 Definitions

Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as:
“An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.”

• A network-based attack
• The scale of network DDoS attacks has continued to rise over recent years, by 2016 exceeding a terabit per second!
• A common attack, which is often easy to execute, and hard to fully prevent
• DDoS extortion: Cyber-extortionists typically begin with a low-level attack and a warning that a larger attack will be carried out if a ransom is not paid

Categories of resources that could be attacked:

Network bandwidth

• Dependent on the capacity of the network links connecting a server to the Internet
• For most organizations this is their connection to their Internet Service Provider (ISP)
• Overwhelm any legitimate traffic, denying legitimate users access to the server

System resources

• Aims to overload or crash the network handling software
• Include temporary buffers used to hold arriving packets, tables of open connections, etc

Application resources

• Typically involves a number of valid requests, which intentionally consume significant resources (e.g., database query), thus limiting the ability of the server to respond to requests from other users

Varieties of end users as both attackers and victims

4 DoS Attacks

https://en.wikipedia.org/wiki/Denial-of-service_attack

4.1 Classic DoS Attacks

• Aim of this attack is to overwhelm the capacity of the network connection to the target organization
• Traffic can be handled by higher capacity links on the path, but packets are discarded as capacity decreases
• Example: Flooding ping command: use the large company’s web server to target the medium-sized company with a lower-capacity network connection with a flooding ping command directed at the Web server in the target company.
  • Source of the attack is clearly identified unless a spoofed address is used, enabling the sender to be DoS’ed back, the sender’s identity to be known, and to more easily halt the attack.

4.2 Source Address Spoofing

• Use forged source addresses
  • Usually via the raw socket interface on operating systems
  • Makes attacking systems harder to identify
• Attacker generates large volumes of packets that have the target system as the destination address, but use randomly selected, usually different, source addresses
• ICMP echo response packets, generated in response to those packets reaching the target system, would no longer be reflected back to the source system, but are scattered across the Internet to all the various forged source addresses, as Back-scatter traffic.
  • To study this, one can advertise routes to unused IP addresses to monitor attack traffic.
• Finding the attacker requires network engineers to specifically query flow log information from their routers

4.3 SYN spoofing

TCP 3-way handshake: SYN, SYN-ACK, ACK

• Reminder, TCP is connection oriented, and keeps a table of all connections with the server
• Common DoS attack target
• Attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them
• Legitimate users are denied access to the server
• Classified as an attack on system resources, specifically the network handling code in the operating system
• Attacker generates a number of SYN connection request packets with forged source addresses.
• Better if spoofed source addresses do not correspond to real IP addresses, since a real computer might respond with a RST (reset) packet to cancel this unknown connection request

TCP SYN Spoofing Attack

SYN spoofing versus classic flooding

• The actual volume of SYN traffic can be comparatively low, nowhere near the maximum capacity of the link to the server.
• It simply has to be high enough to keep the known TCP connections table filled.
• Unlike the flooding attack, this means the attacker does not need access to a high-volume network connection.

5 Flooding attacks

• Classified based on network protocol used
• Intent is to overload the network capacity on some link to a server
• Virtually any type of network packet can be used

5.1 ICMP

Flooding Attacks: ICMP
Note: ICMP is the topic up next.

ICMP flood

• E.g., ping flood using ICMP echo request packets
• Traditionally network administrators allow such packets into their networks because ping is a useful network diagnostic tool
• More recently, block packets to pass through their firewalls.
• So, attackers use other ICMP packet types that are needed correct operation of TCP/IP
• Filtering some of these critical ICMP packet types would degrade or break normal TCP/IP network behavior.
• ICMP destination unreachable and time exceeded packets are examples of such critical packet types.
• Further, because these packets include part of some notional erroneous packet that supposedly caused the error being reported, they can be made comparatively large, increasing their effectiveness in flooding the link.

5.2 UDP

Flooding Attacks: UDP

UDP flood

• For example, some servers and routers have diagnostic echo services running
• Uses UDP packets directed to some port number on the target system
• Spoofed source addresses are normally used if the attack is generated using a single source system, for the same reasons as with ICMP flood attacks.
• If multiple systems are used for the attack, often the real addresses of the compromised, zombie, systems are used.
• When multiple systems are used, the consequences of both the reflected flow of packets and the ability to identify the attacker are reduced.

5.3 TCP

Flooding Attacks: TCP

TCP SYN flood

• Sends TCP packets to the target system
• Total volume of packets is the aim of the attack rather than the system code
• Effect similar to the SYN spoofing attack, but, it is the total volume of packets that is the aim of the attack rather than the system code.
• Check out python code (showed before)!

6 DDoS

Singe versus multiple attackers

• All of these flooding attack variants are limited in the total volume of traffic that can be generated if just a single system is used to launch the attack, which is also easy to trace
• By using multiple systems, the attacker can scale up the volume of attack scale
• By directing the attack through intermediaries, the attacker is further distanced from the target and significantly harder to locate and identify.
• Indirect attack types that utilize multiple systems include:
  • Distributed denial-of-service attacks
  • Reflector attacks
  • Amplifier attacks

Distributed Denial of Service DDoS Attacks

• Use of multiple systems to generate attacks
• Attacker uses a flaw in operating system or in a common application to gain access and installs their program on it (zombie)
• Large collections of such systems under the control of one attacker’s control can be created, forming a botnet

6.1 Handlers

Attacker can use handlers for efficiency and stealth

7 Application-based bandwidth attack

• An application layer DDoS attack is done mainly for specific targeted purposes, including disrupting transactions and access to databases.
• It requires less resources and often accompanies network layer attacks.
• For example, large or costly database queries could keep a server busy.

7.1 SIP

DoS on a SIP server

7.2 HTTP

7.2.1 HTTP Flood

Hypertext Transfer Protocol (HTTP) Attacks

HTTP flood

• Bombards Web servers with HTTP requests
• Consumes considerable resources
• Spidering: Bots starting from a given HTTP link and following all links on the provided Web site recursively

7.2.2 Slowloris

Hypertext Transfer Protocol (HTTP) Attacks

Slowloris

• HTTP specs state a blank line indicates the end of request headers and the beginning of the payload, if any.
• Once the entire request is received, the Web server may then respond by sending the object.
• Slowloris sends an incomplete request that does not include the terminating newline sequence.
• Then, send additional header lines to keep the connection alive, but never send terminating newline sequence.
• Web server keeps the connection open, expecting more information to complete the request.
• Eventually consumes Web server’s connection capacity
• Utilizes legitimate HTTP traffic, not malformed or buggy
• Existing intrusion detection and prevention solutions that rely on signatures to detect attacks will generally not recognize Slowloris
• Can you easily program a bot to perform this attack?

8 Reflection Attacks

• Attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system
• When intermediary responds, the response is sent to the target
• “Reflects” the attack off the intermediary (reflector)
• Goal is to generate enough volumes of packets to flood the link to the target system without alerting the intermediary
• The basic defense against these attacks is blocking spoofed-source packets

Reflection using TCP SYN

• A variant of reflection attack uses TCP SYN packets and exploits the normal three-way handshake used to establish a TCP connection.
• The attacker sends a number of SYN packets with spoofed source addresses to the chosen intermediaries.
• In turn the intermediaries respond with a SYN-ACK packet to the spoofed source address, which is actually the target system.
• The attacker uses this attack with a number of intermediaries, to avoid detection and bandwidth constraints.
• The aim is to generate high enough volumes of packets to flood the link to the target system.
• The target system will respond with a RST packet for any that get through, but by then the attack has already succeeded in overwhelming the target’s network link.

DNS reflection attack exploits recursive DNS:

• Normal on left
• Attack on right
• (port 7 is echo)
  

9 Amplification attack

• Like reflection, also involve sending a packet with a spoofed source address for the target system to intermediaries.
• However, intermediary amplifies either the number or size of the attackers messages
• Example: Send a ping flood to the broadcast address on a large sub-network, with the source address spoofed as the victim’s

Broadcast to intermediaries who performs reflection attack

DNS Amplification Attacks

• Example: Use packets directed at a legitimate DNS server as the intermediary system, with the source address spoofed as the victim’s
• Attacker creates a series of DNS requests containing the spoofed source address of the target system
• Exploit DNS behavior to convert a small request to a much larger response of a big DNS resource record (amplification)
• Target is flooded with larger responses
• Basic defense against this attack is to prevent the use of spoofed source addresses

10 Denial-of-service as a service

• Some vendors provide so-called “booter” or “stresser” services, which have simple web-based front ends, and accept payment over the web.
• Marketed and promoted as stress-testing tools, they can be used to perform unauthorized denial-of-service attacks, and allow technically unsophisticated attackers access to sophisticated attack tools without the need for the attacker to understand their use.

11 DoS Defenses

• These attacks cannot be prevented entirely
• High traffic volumes may be legitimate
• High publicity about a specific site
  • Activity on a very popular site
  • Described as slashdotted, flash crowd, or flash event
• Four areas of defense
  • Attack prevention and preemption:
    Before the attack, coming up next slides
  • Attack detection and filtering:
    During the attack, coming up next class
  • Attack source trace-back and identification:
    During and after the attack, coming up this semester
  • Attack reaction:
    After the attack, briefly discuss today

11.1 Dos Prevention

• Block spoofed source addresses on routers as close to source as possible (i.e., ISP block addresses outgoing that they don’t own)
• Filters may be used to ensure path back to the claimed source address is the one being used by the current packet
  • Filters must be applied to traffic before it leaves the ISP’s network or at the point of entry to their network
• Use modified TCP connection handling code
  • SYN cookie: encrypt in a cookie to send to client, what would have been stored it TCP connection table, and legitimate client responds with an ACK packet containing the incremented sequence number and cookie, which allows the server to then continue the connection
  • Drop an entry for an incomplete connection from the TCP connections table when it overflows
• Block IP directed broadcasts
• Block suspicious services and combinations
• Manage application attacks with a captchas to distinguish legitimate human requests
• Good general system security practices
• Use mirrored and replicated servers when high-performance and reliability is required
• Antispoofing, directed broadcast, and rate limiting filters should be implemented
• Ideally have network monitors and IDS to detect and notify abnormal traffic patterns

11.2 Responding to DoS Attacks

Good Incident Response Plan, example:

• Details on how to contact technical personal for ISP
• Needed to impose traffic filtering upstream
• Details of how to respond to the attack

1. Identify type of attack
   • Capture and analyze packets
   • Design filters to block attack traffic upstream
   • Or identify and correct system/application bug
2. Have ISP trace packet flow back to source
   • May be difficult and time consuming
   • Necessary if planning legal action
3. Implement contingency plan
   • Switch to alternate backup servers
   • Commission new servers at a new site with new addresses
4. Update incident response plan
   • Analyze the attack and the response for future handling

12 TLS

(Transport Layer Security)

• Move to transport/application layer?
• Include SSL wireshark lab here.

IntroNetworks:
http://intronetworks.cs.luc.edu/current2/uhtml/publickey.html#tls

Computer-Networking:
https://www.computer-networking.info/2nd/html/protocols/tls.html

13 Introduction

What is Transport Layer Security?

• Probably the Internet’s most important security protocol
• Designed over 20 years ago by Netscape for Web transactions (Back then, called Secure Sockets Layer)
• But used for just about everything you can think of: (HTTP, SSL-VPNs, E-mail, Voice/video, IoT, etc)
• Maintained by the Internet Engineering Task Force
• Now at version 1.2

13.1 Timeline

13.2 Purpose

A Secure Channel:

• Client connects to a known server (e.g., it has the domain name)
• Server is (almost) always authenticated as part of TLS
• Client may or may not be authenticated by TLS; often authenticated by the application, e.g., with a password
• After setup, data is encrypted and authenticated, though what “authenticated” means to the server is fuzzy

13.3 Network stack

TLS is actually application layer

However, it can behave like a transport layer service

13.4 Protection?

Just wrap your socket:

#!/usr/bin/python3
# -*- coding: utf-8 -*-

import ssl
import base64
import socket

cc = socket.socket(family=socket.AF_INET, type=socket.SOCK_STREAM)
cc.connect(("smtp.gmail.com", 587))

cc.send("helo tester.com\r\n")
cc.send("starttls\r\n")

scc = ssl.wrap_socket(cc)
scc.send("auth login\r\n")

scc.send(base64.b64encode("username") + "\r\n")
scc.send(base64.b64encode("password") + "\r\n")

14 Protocols

TLS Structure

Handshake protocol

• Establish shared keys (typically using public key cryptography)
• Negotiate algorithms, modes, parameters
• Authenticate one or both sides

Record protocol

• Carry individual messages
• Protected under symmetric keys

14.1 Overview

TLS protocol stack

14.2 Handshake protocol

High level overview

Pseudo TLS handshake

During the handshake phase, Bob needs to

• establish a TCP connection with Alice,
• verify that Alice is really Alice, and
• send Alice a master secret key, which will be used by both Alice and Bob to generate all the symmetric keys they need for the SSL session.
• because the certificate has been certified by a CA, Bob knows for sure that the public key in the certificate belongs to Alice.
• Bob then generates a Master Secret (MS) (which will only be used for this SSL session), encrypts the MS with Alice’s public key to create the Encyrpted Master Secret (EMS), and sends the EMS to Alice.
• Alice decrypts the EMS with her private key to get the MS.
• After this phase, both Bob and Alice (and no one else) know the master secret for this SSL session.

TLS handshake

RSA handshake

K_s is server’s public key

TLS handshake details

• SSL does not mandate that Alice and Bob use a specific symmetric key algorithm, a specific public-key algorithm, or a specific MAC.
• Instead, SSL allows Alice and Bob to agree on the cryptographic algorithms at the beginning of the SSL session, during the handshake phase.
• During the handshake phase, Alice and Bob send nonces to each other, which are used in the creation of the session keys:
  • E_B = session encryption key for data sent from Bob to Alice
  • M_B = session MAC key for data sent from Bob to Alice
  • E_A = session encryption key for data sent from Alice to Bob
  • M_A = session MAC key for data sent from Alice to Bob

The steps of the real SSL handshake are as follows:

1. The client sends a list of cryptographic algorithms it supports, along with a client nonce.
2. From the list, the server chooses a symmetric algorithm (for example, AES), a public key algorithm (for example, RSA with a specific key length), and a MAC algorithm. It sends back to the client its choices, as well as a certificate and a server nonce.
3. The client verifies the certificate, extracts the server’s public key, generates a Pre-Master Secret (PMS), encrypts the PMS with the server’s public key, and sends the encrypted PMS to the server.
4. Using the same key derivation function (as specified by the SSL standard), the client and server independently compute the Master Secret (MS) from the PMS and nonces. The MS is then sliced up to generate the two encryption and two MAC keys. Furthermore, when the chosen symmetric cipher employs CBC (such as 3DES or AES), then two Initialization Vectors (IVs)—one for each side of the connection—are also obtained from the MS. Henceforth, all messages sent between client and server are encrypted and authenticated (with the MAC).
5. The client sends a MAC of all the handshake messages.
6. The server sends a MAC of all the handshake messages.

The last two steps protect the handshake from tampering.

Timing and computational cost

14.2.1 Cipher options

Many options for public key method (handshake, key exchange, authentication)

Many options and for private key choice (data transmission)

Many options for integrity as well (data transmission validity)

14.3 TLS Record

protocol: data transmission itself

Application layer, but acts like transport

14.4 Heartbeat protocol

Serves two purposes

• First, it assures the sender that the recipient is still alive, even though there may not have been any activity over the underlying TCP connection for a while.  
• Second, the heartbeat generates activity across the connection during idle periods, which avoids closure by a firewall that does not tolerate idle connections.

14.5 Alert protocol

• warning(1) or fatal(2) to convey the severity
• If the level is fatal, TLS immediately terminates the connection. Other connections on the same ­session may continue, but no new connections on this session may be established.

14.6 Change Cipher Spec protocol

Purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection.

15 Perfect forward secure?

What happens if the server’s private key is stolen, hacked, or subpoenaed?

15.1 DH

Diffie-Hellman-Merkle to the rescue

Diffie-Hellman Key Exchange Algorithm

Diffie-Hellman Key Exchange

Why DH?
And what about authentication??

15.2 Classic vs. DH

RSA

DH

15.3 How?

To make your server perfect forward secure, if you are using python:

SSLContext.set_ciphers(DHE-RSA)

Options include:

DiffieHellman key exchange-based PFSs
(DHE-RSA, DHE-DSA) and

Elliptic curve DiffieHellman-based PFSs
(ECDHE-RSA, ECDHE-ECDSA)

15.4 UDP / SSL

Examples:

15.4.1 VOIP / ZRTP

15.4.2 OpenVPN

https://openvpn.net/community-resources/openvpn-cryptographic-layer/

15.5 IPSec

04-NetworkData.html

Next: 06-NetworkControl.html