Post

Network Security

Posted Updated
By Filippo Visconti 4 min read

Now Network properties are successfully verified. But, are users reaching the correct website? Or… do they even reach the website? shutup

It’s likely due to a network attack that is causing failures! Network attacks are very common nowadays and they’re affecting many critical Internet services.

In this chapter, we will cover three important aspects in network security:

  1. Modelling network systems
  2. Finding network threats
  3. Addressing network threats

Modelling

We need to identify what the system consists of.

  • What are the nodes? Identifying components of interest
  • What are the connectivities? Indicate the protocols between nodes
  • What are the trust boundaries? Define who controls what

Example

The nodes:shutupshutup
The connectivities:shutupshutup
The trust boundaries:shutupshutup

Tips

A few tips when modelling networked systems:

  • Try to model all components
    • Simplification is often needed for complex systems though
  • Try to model the entire stack of protocols
    • Threats may happen “cross-layer”
  • Try to model different levels of trust boundaries
    • Different components usually don’t have the same privilege shutup

Finding threats

  • STRIDE
  • PASTA
  • VAST
  • SQUARE

We will try to find threats with the STRIDE methodology

STRIDE

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of Service
  • Elevation of Privilege

Let’s assume no threats within AS30 shutup

Spoofing threats

Can BGP messages sent to AS30 be spoofed with AS10’s router address?

Hint: BGP messages are sent over TCP!

YES! TCP sequence number attack!

May not be a concern nowadays though

Tampering threats

Can BGP messages sent to AS30 be added/modified/removed/replayed? shutup

YES! By MitM attackers

Getting in the middle is difficult in practice

Repudiation threats

Claiming you were not responsible for something.

Can AS20 propagate a fake path (e.g., [10 20]) to AS30 and deny it?

YES! The path may actually exist! Repudiation usually appears in post-mortem.

Information disclosure threats

Exposing information to unauthorized people.

Can AS20 learn the business relationship between A10 and AS30? shutup YES! But Relationship inference may be imperfect.

Denial of Service threats

Absorbing resources needed to provide service.

Can AS20 launch denial-of-service attacks against AS30’s router? shutup

YES! By flooding BGP messages! Or in many other ways.

Elevation of Privilege threats

Allowing someone to do something without authorization.

Can AS20 advertise prefixes belong to AS10?

YES! Prefix ownership is not verified!

BGP hijacks are very common nowadays

Tips

  • Start with external entities outside of trust boundaries
    • More controlled = Less dangerous
  • Include (seemingly) uninterested threats
    • More comprehensive = Less dangerous
  • Focus on feasible threats
    • Less practical = Less dangerous

Mitigations

To address an identified network threat, we first decide the desired action.

  • Mitigation
    • Make it harder to take advantage of a threat
    • e.g., RPKI to mitigate BGP hijacks
  • Elimination
    • Remove exploited features
    • e.g., no BGP messages = no hijack (naively)
    • Also damage benign use cases
  • Transferring
    • Let someone else handle the risk
    • e.g., let firewall filter excessive messages
    • Risks are not transferable
  • Accepting
    • Ignore the impractical threats
      • e.g., DoS by physically destroying routers
    • Risks are underestimated

Mitigation is usually the best option.

Mitigation techniques against threats found by applying STRIDE

ProblemSolution
SpoofingAuthentication (IPSec, DNSSEC, PKIs)
TamperingIntegrity
RepudiationLogging
Information DisclosureConfidentiality (encryption)
Denial of ServiceAvailability (filters, throttling)
Elevation of PrivilegesAuthorization (access control)

Tips

  • Validate that threats are addressed
    • Perform a QA process to confirm
  • Try to predict adversary’s moves against mitigations
    • Involve economic advantages in arms races
  • Update model in an iterative process
    • New mitigation components may change the model

DDoS Attacks

DDoS attacks:

  • use different sources (e.g., botnets) of traffic
  • exhaust network resources (e.g., devices, links)
  • affect many (if not all) networked systems

Common DDoS attack types

TypeUnitDescription
VolumetricbpsSending massive traffic to create congestion e.g., DNS amplification
ProtocolppsExploiting weaknesses of the network protocols e.g., SYN flood
ApplicationrpsExploiting weaknesses of targeted applications e.g., HTTP flood

DDoS attacks always become more threatening In 2023, Google mitigated $398$ Mrps. shutup shutup

Pulse-wave DDoS attacks

A naïve DDoS defense: shutup

Challenges:

  1. Short pulses: controller may not react in time
  2. Unknown attack vectors: unsupervision leads to misclassification

ACC-Turbo’s solutions:

  1. infer attacks in the data plane
  2. de-prioritize (not drop) clustered traffic

ACC-Turbo’s design

shutup

Clustering packets

Map each arriving packet to the closest cluster

  1. Represent packets by points in the header spaceshutup
  2. Represent clusters using registers/bloom filtersshutup
  3. Use Manhattan distance for easy implementationshutup

Controlling clustered packets

De-prioritizing malicious clusters via scheduling.

shutup

  • Exact cluster statistics
    • e.g., rate, size from data plane
  • Assess clusters
    • e.g., small clusters with higher rate are more malicious
  • Synthesize scheduling policy
    • Deprioritize most malicious clusters

Results

ACC-Turbo mitigates pulse-wave DDoS attacks effectively: shutup

adv-comm-net, lecture-notes
Networks Routing Network-security
This post is licensed under CC BY 4.0 by the author.