Security Part One: Attacks and Countermeasures
15-441
With slides from: Debabrata Dash, Nick Feamster, Vyas Sekar
15-411: F08 security

Flashback: Internet design goals
1. Interconnection
2. Failure resilience
3. Multiple types of service
4. Variety of networks
5. Management of resources
6. Cost-effective
7. Low entry-cost
8. Accountability for resources
Where is security?

Why did they leave it out?
• Designed for connectivity
• Network designed with implicit trust
    No “bad” guys
• Can’t security be provided at the edge?
    Encryption, Authentication etc
    End-to-end arguments in system design

Security Vulnerabilities
• At every layer in the protocol stack!
• Network-layer attacks
    IP-level vulnerabilities
    Routing attacks
• Transport-layer attacks
    TCP vulnerabilities
• Application-layer attacks

IP-level vulnerabilities
• IP addresses are provided by the source
    Spoofing attacks
• Using IP address for authentication
    e.g., login with .rhosts
• Some “features” that have been exploited
    Fragmentation
    Broadcast for traffic amplification
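
Added example (not part of the original slides): a small audit of .rhosts / hosts.equiv style trust entries, ranking how much each one relies on the source address that the sender supplies. The sample file contents, the function names and the severity labels are constructed for illustration.

```python
import ipaddress

# Constructed sample .rhosts content (not taken from the slides).
SAMPLE_RHOSTS = """\
build1.example.edu alice
192.0.2.10
+ +
+ bob
-badhost.example.edu
+@admins carol
"""

def is_ip(token):
    """True if the host field is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_rhosts(text):
    """Return (line_number, severity, reason) for each entry that grants trust."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue                      # blank line
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-") or (user or "").startswith("-"):
            continue                      # deny entry, grants nothing
        if host == "+" and user == "+":
            findings.append((n, "critical", "any user from any host is trusted"))
        elif host == "+":
            findings.append((n, "critical", "any source host is trusted"))
        elif user == "+":
            findings.append((n, "high", "any remote user on %s is trusted" % host))
        elif is_ip(host):
            findings.append((n, "high", "trust keyed on a literal source IP"))
        else:
            # Host names and netgroups are still matched against the source address.
            findings.append((n, "medium", "trust keyed on a name tied to the source IP"))
    return findings

if __name__ == "__main__":
    for line_no, severity, reason in audit_rhosts(SAMPLE_RHOSTS):
        print(line_no, severity, reason)
```

Every entry that grants trust is reported, because none of them involves a credential; the ranking only reflects how wide the trusted set of source addresses is.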