Firewalls
- protect inside from outside
- have certain rules to protect
Stateful Firewalls
- directory of UDP TCP connection
- connection states:
- > NEW: packet starts new connection/stream
- > ESTABLISHED: packet is associated to existing connection
- > RELATED: packet starts new connection associated to existing one
action src sport dst dport state
allow $INSIDE * * 80443 NEW -> allows new connections
allow * * * * ESTABLISHED -> allow established going out
DMZ Networks
- separate internal from external network
- DMZ (Demilitarized Zone) accessible from outside
internet
↓
external firewall
↓
lan switch -> web server, mail, dns
↓
internal firewall
↓
lan switch -> database, workstation etc
Denial-of-Service targets
CPU -> overload target with complex calculations
RAM -> consume all of memory for processing requests
Bandwidth -> exhaust network bandwidth
Distributed Denial-of-Service (DDoS)
- with a botnet
- multiple attacks traffic
ICMP/UDP Floods
- target bandwidth
- send a lot of repeated requests
- only works when BW_att»_space; BW_target
SYN Floods: attack and defence
- tries to attack TCP stack
- SYN opens TCP connection half way
- > exhaust memory by 1000s open time
solve: SYN cookies -> cookie has an ACK so needs to wait for attacker
Reflection Attacks
- set source IP to items ip address
- reflectors will then send to target
Amplification Attacks
- use reflector idea
- then use some protocol that needs a bigger response from server
HTTP Flood
- flood server with fetching data
- very low effort for attacker
Slowloris
- HTTP attack
- send an incomplete request
- send time after time more information
R.U.D.Y.
- HTTP attack
- send POST ans specify large content
- slowly send parameters
Compression bombs as HTTP
- HTTP support compression
- when arrives zip bomb
Water Torture Attack
- DNS based attack
- overload authoritie name server with queries
Upstream filters
- DoS defence
- high ISPs blacklist
Anti-Spoofing
- DoS defence
- block spoofed traffic
Detect & Block - DoS
- Detect and block DoS attacks
- Firewalls
- traffic analysis
- etc.
Traffic Shaping
- Rate limiting; just allow maximum
- CAPTCHAs
- Reputation-based blocking
DNS: Name Resolution
me -> . (root): IP of syssec.mmci.uni-saarland.de
. (root) -> me: NS .de is at 194.0.0.53
me -> de.: IP of syssec.mmci.uni-saarland.de
de. -> me: NS uni-saarland.de is at 134.96.7.7
me ->:IP of syssec.mmci.uni-saarland.de?
uni-saarland.de. -> me:NS mmci.uni-saarland.de is at 139.19.1.1
me ->:IP of syssec.mmci.uni-saarland.de?
mmci.uni-saarland.de. -> me:IP of syssec.mmci.uni-saarland.de is 139.19.86.150
DNS Recursive Resolvers vs. Authoritative NS
RR A NS
serve DNS clients Server recursive resolver
Resolve any domain only replies domains that are in its zone
iterate query denies recursive domains
DNS Cache Poisoning
- Inject attacker-specified RRs(Recursive resolver) to cache
- can redirect, disable
DNS Cache Snooping
- Did a client recently visit domain X
- Attacker probes resolver for cached entries
- can find website out
DNSSEC
- DNSSEC signs resource record
- DNSSEC RRSIG contains signature for set of RRs
- Resolver verifies signature (RRSIG RR)
- Resolver verifies public key (DNSKEY RR)
DNSSEC criticism
- give to governing country power
- DNS size bigger -> DDoS
- not end to end security
