Defending Computer Networks Lecture 11: Firewalls/DDOS
Stuart Staniford, Adjunct Professor of Computer Science
Latest News
More News
More News
Dark forces had a busy week…
Logistics
• HW1 regrade:
  – “Basically, if their shell code works under gdb, they will get the 10 points full bonus, and if they mentioned the printf vulnerability but did not actually exploit it, then they will be awarded 5 points.”
• Go through Quiz1 solutions
Main Goals for Today
• Firewall Demo redux.
• Network address translation (NAT)
• Distributed Denial of Service.
• Maybe start NIDS.
Establish Central Control
[Diagram: traffic controlled at one central point, with the labels “IP Address” and “Port”.]
Or…
[Diagram: the Internet, an edge Firewall with a DMZ, the Internal network, and four Enclaves, each behind its own Firewall.]
Firewall Basic Concept
[Diagram of a firewall, labelled “Rules” on each side.]
(This is a Netgate M1N1Wall: a low-cost, low-power open source firewall running FreeBSD/pfSense on an AMD Geode CPU.)
Typical Firewall Rule
• Block in on LAN from 192.168.1.0/24 port any to 0.0.0.0/0 port 53
  – Any packets coming from the LAN to port 53 will be dropped.
• This is the effect of the rule in isolation.
• It could be part of a strategy to force clients to use only officially sanctioned DNS servers.
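To see what the rule above matches on its own, and how pf's last-match-wins evaluation lets a later, narrower pass rule re-permit a sanctioned resolver, here is a small evaluator for rules written in the slide's form. This is an added example, not code from the lecture or from pfSense; it assumes 10.0.0.2 is the sanctioned resolver and uses 198.51.100.53 (a documentation-range address) as a constructed external resolver.

```python
import ipaddress
from collections import namedtuple

# Constructed example, not the lecture's own code: a minimal evaluator for
# pf-style rules in the form the slide uses, to show what the DNS-blocking
# rule matches on its own and how a later, narrower "pass" rule combines
# with it. Address 10.0.0.2 is ASSUMED here to be the sanctioned resolver.

# iface: interface the packet arrives on; direction: "in"/"out" at the firewall
Packet = namedtuple("Packet", "iface direction src sport dst dport")

def parse_rule(text):
    """Parse 'block|pass in|out on IFACE from NET port P to NET port P'."""
    t = text.split()
    if len(t) != 12 or t[2] != "on" or t[4] != "from" or t[8] != "to":
        raise ValueError("unsupported rule syntax: " + text)
    return {"action": t[0], "direction": t[1], "iface": t[3],
            "src": ipaddress.ip_network(t[5]), "sport": t[7],
            "dst": ipaddress.ip_network(t[9]), "dport": t[11]}

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    return (rule["direction"] == pkt.direction and rule["iface"] == pkt.iface
            and ipaddress.ip_address(pkt.src) in rule["src"]
            and ipaddress.ip_address(pkt.dst) in rule["dst"]
            and port_matches(rule["sport"], pkt.sport)
            and port_matches(rule["dport"], pkt.dport))

def evaluate(rules, pkt, default="pass"):
    """pf semantics without 'quick': the LAST matching rule wins."""
    verdict = default
    for rule in rules:
        if rule_matches(rule, pkt):
            verdict = rule["action"]
    return verdict

RULES = [parse_rule(r) for r in (
    "block in on LAN from 192.168.1.0/24 port any to 0.0.0.0/0 port 53",
    "pass in on LAN from 192.168.1.0/24 port any to 10.0.0.2/32 port 53",
)]

if __name__ == "__main__":
    # 198.51.100.53 is a constructed (documentation-range) external resolver.
    for p in (Packet("LAN", "in", "192.168.1.7", 51000, "198.51.100.53", 53),
              Packet("LAN", "in", "192.168.1.7", 51000, "10.0.0.2", 53),
              Packet("LAN", "in", "192.168.1.7", 51000, "198.51.100.53", 443)):
        print(f"{p.dst}:{p.dport} -> {evaluate(RULES, p)}")
```

With only the first rule loaded, every DNS query from the LAN is blocked; the second rule re-opens port 53 to the sanctioned resolver alone, while non-DNS traffic and traffic on other interfaces fall through to the default.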
Firewall Demo Wiring Diagram
[Wiring diagram: a Netgate Firewall with three interfaces, WAN, LAN and OPT1; a Laptop and a Mac Mini (DMZ) are attached; the subnets shown are 10.0.0.0/24, 198.168.1.0/24 and 10.1.0.0/16.]
Tour of a Firewall GUI
• Dashboard – let's check basic setup
• Check IP addresses on laptop match
• Dashboard
• Routes correct
• Make sure we can ping Mac Mini from firewall
• Check arp table
• Make sure we can ping Mac Mini from LAN network
  – Unplug the WAN wire first
• Have a quick look at state table
Firewall Rules
• Inspect the Rules
• Nmap through the firewall from WAN
  – Unplug LAN wire
  – sudo nmap -Pn -n -sS -T5 10.0.0.2
  – Replug LAN wire
• Change a rule
• Nmap through the firewall and see we can no longer see ports
• Inspect the state table in the fw
• Add a new rule from scratch to allow ssh
  – See how the nmap result changes
Network Address Translation (NAT)
• RFC 1918
  – 10.0.0.0/8
  – 172.16.0.0/12
  – 192.168.0.0/16
• These addresses are not “routable”
• They will not be delivered across the Internet
  – Not allowed on there, technically.
• Need a special translator device at the boundary
  – “NAT box” = Network Address Translation
  – Converts them to Internet-routable addresses
NAT Operation
[Diagram: Internal network 192.168.0.0/16 – NAT – Internet 0.0.0.0/0; only a small number of publicly routable addresses are used on the Internet side.]
Basic Setup of a DDOS Botnet
[Diagram: a C&C server directing five Bots, which send traffic across the Internet to the Victim.]
Illustrative only: practical attacks will have many more bots
Reflection Attacks
[Diagram: a C&C server directs Bots, which send traffic across the Internet to a number of Reflectors; the Reflectors' responses arrive at the Victim.]
Illustrative only: practical attacks will have many more bots/reflectors
What Will Work as a Reflector?
• Any TCP host (sends a SYN/ACK (SA) or RST (R) in response to a SYN (S))
• ICMP (e.g. echo response to echo request)
• DNS – especially with recursion
  – Issue on campus recently
  – Let's look at this in more detail
Domain Name Service
• Global Internet service to map names to IP addresses.
• Part of the core TCP/IP suite of protocols
  – RFC 882 (1983), updated by RFC 1034 (1987)
  – Replaced the manually maintained “hosts.txt” of all Internet-connected computers' IP addresses.
• Let's do it
  – unplug from fw demo
  – Turn on wireless
  – dig [email protected]
The DNS Hierarchical Name Tree
How a DNS Query Works
Credit: http://securitytnt.com/dns-amplification-attack/
DDOS Defense: Content Distribution
[Diagram: C&C and Bots as before, but the Victim's content is served from five distributed Copies, so the attack traffic is spread across them.]
DDOS Defense: Distributed Scrubbing
[Diagram: C&C and Bots as before; traffic destined for the Victim first passes through five distributed Scrub centres.]
Egress Filtering
• Can have many purposes, but in the DDOS case:
  – Don't let spoofed packets out of our network
  – Let's check the rules on our demo firewall setup
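The check an egress filter needs to apply in the DDOS case, tying together the RFC 1918 slide and the anti-spoofing point above, as an added example that is not part of the lecture: a packet may leave on WAN only if its source is one of our own public addresses, so untranslated private sources (NAT bypassed) and sources we do not own (spoofed) are dropped. It assumes our site owns 203.0.113.0/24, a documentation range used as a stand-in, and the sample packets are constructed.

```python
import ipaddress
from collections import Counter

# Constructed example, not the lecture's own code: the egress check a border
# firewall should apply in the DDoS case, i.e. drop packets whose source
# address could not legitimately have come from inside our network.
# ASSUMPTION: our site owns the public prefix 203.0.113.0/24 (a documentation
# range used here as a stand-in); inside, hosts use RFC 1918 space that the
# NAT box must translate before a packet is allowed onto the Internet.

OUR_PUBLIC = [ipaddress.ip_network("203.0.113.0/24")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_any(addr, nets):
    return any(addr in n for n in nets)

def egress_verdict(src, dst):
    """Decide for a packet leaving on WAN; returns (action, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_any(s, RFC1918):
        # An untranslated private source means NAT was bypassed or misconfigured.
        return "block", "rfc1918-source"
    if in_any(d, RFC1918):
        # Private destinations are not routable on the Internet anyway.
        return "block", "rfc1918-destination"
    if not in_any(s, OUR_PUBLIC):
        # Source not ours: spoofed. Letting it out makes us a DDoS launch point.
        return "block", "spoofed-source"
    return "pass", "ok"

def summarize(packets):
    """Count verdict reasons over (src, dst) pairs, as a firewall log summary."""
    return Counter(egress_verdict(s, d)[1] for s, d in packets)

# Constructed sample of outbound packets seen on the WAN interface.
SAMPLE = [
    ("203.0.113.10", "198.51.100.5"),   # normal NATed client traffic
    ("192.168.1.7", "198.51.100.5"),    # private source leaked past NAT
    ("198.51.100.99", "192.0.2.1"),     # source we do not own: spoofed
    ("203.0.113.10", "10.1.2.3"),       # private destination
]

if __name__ == "__main__":
    for s, d in SAMPLE:
        print(s, "->", d, egress_verdict(s, d))
    print(summarize(SAMPLE))
```

A rising count of "spoofed-source" or "rfc1918-source" verdicts is worth alerting on: the first suggests a compromised internal host taking part in a reflection attack, the second a NAT or routing misconfiguration.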