Security Physical Layer Do S and DDo S
- Slides: 31
Security Physical Layer, Do. S and DDo. S - RF FINGERPRINTING - DENIAL of SERVICE
Technopedia says : Radio frequency fingerprinting is a process that identifies the device or signaler from which a radio transmission originated by looking at the properties of its transmission, including specific radio frequencies. Each signal originator has its own specific "fingerprint" based on the location and configuration of its transmitted signals.
RF Fingerprinting Biasa digunakan oleh operator seluler untuk mencegah cloning ponsel Sebuah cloning ponsel memiliki identitas numeric equipment yang sama tapi berbeda radio frequency fingerprinting Setiap transmitter (cellphone) hanya memiliki 1 jenis radio transmitter, ini sangat sulit ditiru Pertama kali cellphone dihidupkan, cellphone akan memiliki “signature” yang berisi variasi-variasi nilai komponen selama proses pembuatan. -> “call sign” Sangat mudah dideteksi kalau ada cellphone yang berbeda “callsign” dan transmitter-nya (RF Fingerprinting) Hal ini menjadikan teknik ini digunakan untuk militer.
Do. S
Do. S
Do. S Impact
DDo. S
DDo. S
Do. S Syimptoms
Do. S Technique
SYN Flood (1)
SYN Flood (2)
A classic SYN flood example MS Blaster worm (2003) Infected machines at noon on Aug 16 th: SYN flood on port 80 to windowsupdate. com 50 SYN packets every second. each packet is 40 bytes. Spoofed source IP: a. b. X. Y where X, Y random. MS solution: new name: windowsupdate. microsoft. com 28
SYN Floods II: Massive flood (e. g Bet. Cris. com) Command bot army to flood specific target: (DDo. S) 20, 000 bots can generate 2 Gb/sec of SYNs (2003) At web site: Saturates network uplink or network router Random source IP ⇒ attack SYNs look the same as real SYNs What to do ? ? ? 29
Mitigation Sample
Prolexic / Cloud. Flare Idea: only forward established TCP connections to site Lots-of-SYNs Lots-of-SYN/ACKs Few ACKs Prolexic Proxy Forward to site Web site 31
Other junk packets Attack Packet Victim Response Rate: attk/day TCP SYN to open port TCP SYN/ACK TCP SYN to closed port TCP RST TCP ACK or TCP DATA TCP RST No response TCP NULL TCP RST ICMP ECHO Request ICMP ECHO Response 50 UDP to closed port ICMP Port unreachable 387 [ATLAS 2013] Proxy must keep floods of these away from web site 773 32
Stronger attacks: TCP con flood Command bot army to: Complete TCP connection to web site Send short HTTP HEAD request Repeat Will bypass SYN flood protection proxy … but: Attacker can no longer use random source IPs. Reveals location of bot zombies Proxy can now block or rate-limit bots. 33
A real-world example: Git. Hub (3/2015) popular server Javascript-based DDo. S: honest end user github. com inject image. Flood. js function imgflood() { var TARGET = 'victim-website. com/index. php? ’ var rand = Math. floor(Math. random() * 1000) var pic = new Image() pic. src = 'http: //'+TARGET+rand+'=val' } set. Interval(imgflood, 10) Would HTTPS prevent this DDo. S? 34
1. CAPTCHAs Idea: verify that connection is from a human Applies to application layer DDo. S [Killbots ’ 05] During attack: generate CAPTCHAs and process request only if valid solution Present one CAPTCHA per source IP address. 37
38 2. Source identification Goal: identify packet source Ultimate goal: block attack at the source
1. Ingress filtering Big problem: (RFC 2827, 3704) DDo. S with spoofed source IPs ISP Internet Ingress filtering policy: ISP only forwards packets with legitimate source IP (see also SAVE protocol) 39
Implementation problems ALL ISPs must do this. Requires global trust. If 10% of ISPs do not implement ⇒ no defense No incentive for deployment 2014: 25% of Auto. Systems are fully spoofable (spoofer. cmand. org) 13% of announced IP address space is spoofable Recall: 309 Gbps attack used only 3 networks (3/2013)
2. Traceback [Savage et al. ’ 00] Goal: Given set of attack packets Determine path to source How: change routers to record info in packets Assumptions: Most routers remain uncompromised Attacker sends many packets Route from attacker to victim remains relatively stable 41
Simple method Write path into network packet Each router adds its own IP address to packet Victim reads path from packet Problem: n Requires space in packet w Path can be long w No extra fields in current IP format n Changes to packet format too much to expect 42
Take home message: Denial of Service attacks are real. Must be considered at design time. Sad truth: Internet is ill-equipped to handle DDo. S attacks Commercial solutions: Cloud. Flare, Prolexic Many good proposals for core redesign. 43
- Secure socket layer and transport layer security
- Secure socket layer and transport layer security
- Secure socket layer and transport layer security
- Secure socket layer and transport layer security
- Privatesecurity
- Ddo security
- Pigmented layer and neural layer
- Pathway of food from mouth to anus
- Presentation layer functions
- Layer 2 e layer 3
- Layer-by-layer assembly
- Layer 2 vs layer 3 bitstream
- Pgp osi layer
- Wireless transport layer security
- Multiplexed transport layer security
- Multiplexed transport layer security
- Portlev
- Wireless security in cryptography
- Integrity in e commerce
- Classic ethernet physical layer
- What is the purpose of the osi physical layer?
- Osi reference model diagram
- Functions of physical layer
- Physical architecture layer design
- Physical architecture layer design
- Physical layer transmission media
- Physical architecture layer design
- The basic unit of a physical network (osi layer 1) is the:
- Fungsi layer physical
- Physical layer coding violations
- Characteristics of physical layer
- Physical layer encoding