Cri$cal

Infrastructure Security:
The Emerging Smart Grid

Cyber Security Lecture 4:
Network Vulnerabili$es & Mi$ga$ons
Carl Hauser & Adam Hahn

Overview
Network AHacks
DoS
Spoong

Mi$ga$ons
Cryptographic Protocols
Firewalls
Intrusion Detec$on

Overview
Network AHacks
DoS
Spoong

Mi$ga$ons
Cryptographic Protocols
Firewalls
Intrusion Detec$on

Denial of Server (DoS) AHacks

Deni$on

DoS is an ac$on that prevents or impairs the authorized use of network systems, or
applica$ons by exhaus$ng resources such as central processing unit (CPU), memory,
bandwidth, and disk space

Techniques

Malformed packet

malformed packet that triggers some soWware vulnerability/weakness causing a system crash

Flooding

overwhelming system resources (e.g., network bandwidth, CPU speed)

Protocol-based

Manipulate protocol state (e.g., TCP Reset)

Other DoS Types

DDoS Distributed DoS

Reec$on/Amplica$on
Non-malicious slashdoHed, ash crowd

Flooding
Goal: Overload the capacity of the network/system
Network consume resources (e.g., bandwidth)
System exhaust systems ability to process data

Types

ICMP Flood

ICMP Echo Request messages - oWen ltered

ICMP Des$na$on Unreachable - not as commonly ltered

UDP Flood

send large UDP packets to some system (e.g., DNS)

UDP connec$onless so no TCP handshake overhead

HTTP Flood

sending legi$mate HTTP GET/POST messages to web server

Flooding - Con$nued
TCP Syn Flood
How

AHacker sends large number of TCP Syn packets to server

Server creates half-open connec$on and sends Syn-Ack
Client doesnt send Ack to open connec$on

Result

AHack exhausts nite list of half-open connec$ons allowed by

opera$ng system

Defense

AWer server send Syn-Ack, removes entry from Syn queue

Stores Syn cookies which encodes IP addresses/ports, sequence
numbers
Prevents exhaus$on of Syn queue

Old aHack method, but may s$ll be a vulnerability on legacy

control system devices

Malformed Packet
Causes soWware or opera$ng system to crash
Usually result of soWware vulnerability/error

Example
Ping of Death
ICMP ping packet > 216 bytes violates protocols
Caused buer overow/crashing of older Windows/Unix
systems

Teardrop
Targets incorrect reassembly of fragmented IP packets
Overlapping fragments caused opera$ng system to crash

Reec$on
Reec$on
How

AHack system spoofs IP address of intermediate system

Intermediate system responds to target system
Vic$m thinks aHack originates from intermediate system, not aHacker

Why

AHack less likely to be iden$ed

AHack bandwidth can be amplied

Example protocols:

TCP handshake
UDP (DNS, NTP, SNMP)

aHacker doesnt have to set up sessions!

Reec$on Example: TCP

Normal TCP Handshake

Normal TCP Handshake

TCP Syn spoong

Spoofed Syn causes server to con$nually send

Syn-Acks to target system

DDoS
Distributed DoS

U$lize large number of aHacking systems

Improves amount trac sent by aHack
More dicult to prevent

Cant lter single system

Dicult to dieren$ate aHack from normal trac

Control

Centralized

Single aHack has control over large number of systems (e.g., botnet)
Example: hHp://blog.cloudare.com/65gbps-ddos-no-problem/

Distributed

AHacks launched by individual par$es (e.g., Anonymous)

OWen u$lize botnets to perform the DDOS
Example:

hHp://bits.blogs.ny$mes.com/2012/11/15/anonymous-aHacks-israeli-web-sites/

More DDoS Examples

65 GB DoS aHack
hHp://blog.cloudare.com/65gbps-ddos-no-
problem/
65,000 systems with 1Mbps link (upstream)

Amplica$on
Assuming 60 byte request, 512 byte response
~7617 systems required for the DoS aHack

Overview
Network AHacks
DoS
Spoong

Mi$ga$ons
Cryptographic Protocols
Firewalls
Intrusion Detec$on

IP Spoong
IP developed without authen$ca$on capabili$es
(1970s)
Source address can be spoofed so receiver thinks
sender was someone else
S$ll seen frequently (usually with DoS aHacks)

Security Mechanisms:
Routers may lter packets with incorrect source IP
addresses
IPsec provide authen$ca$on of IP packets
IPv6 default support for IPsec

ARP Spoong
Recall
ARP Address Resolu$on Protocol
Know the IP address, but not the MAC (link address)
of a system

Problem ARP messages arent authen$cated

AHack can create malicious ARP Response claiming to
be the systems with the requested IP
Generally a race between aHacker and actual target

Security Mechanisms:
Sta$c arp tables on hosts/network switches

ARP Spoong
Normal ARP

ARP R

e q: w h

o is 1.
2.3.4

is
.2.3.4 5
1
:
p
4:5
Res
ARP 1:22:33:4
1
00:

Source

D st M

ac= 0

Spoofed ARP
q: w h o
ARP Re

0:11:2

is 1.2.3.4

ARP Resp:
1.2.3.4 is
11:11:11:11:1
1:11:11

Attacker

Dst M

11:11
11:11:
:
1
1
:
1
:1
ac= 11

2:33:4

4:55

Destination
IP: 1.2.3.4
MAC: 00:11:22:33:44:55

AR P R

e q: w h

o is 1.
2.3.4

is
.2.3.4 6
1
:
p
Res
55:6
ARP 22:33:44:
:
00:11

Destination
IP: 1.2.3.4
MAC: 00:11:22:33:44:55

Other Spoong
TCP stateful connec$on

Has sequence & acknowledgement numbers

Packets with incorrect sequence numbers will be rejected
Inside current Receive Window

Sequence number (232 bit number)

Randomized Ini$al Sequence Numbers (ISNs) to prevent a users from guess
the number
Not helpful if the aHacker can view your TCP session and obtain current sequence
numbers

BGP Boarder Gateway Protocol

Malicious system can adver$se false rou$ng paths to hijack trac

Examples

hHp://www.cnet.com/news/how-pakistan-knocked-youtube-oine-and-how-to-make-
sure-it-never-happens-again
hHp://www.bgpmon.net/chinese-isp-hijacked-10-of-the-internet/
hHp://www.bgpmon.net/turkey-hijacking-ip-addresses-for-popular-global-dns-
providers/
hHp://www.bgpmon.net/the-canadian-bitcoin-hijack/

DNS Spoong

Originally DNS didnt have any authen$ca$on

AHackers could spoof DNS response to get a user to visit a dierent system
If MITM aHack
Simply manipulate DNS response

If Spoong only (i.e. no ability to see current trac)

DNS request unique 16 bit Query ID

If response Query ID != request Query ID -> disregard response
Before ~2008 Query ID was sequen$al

AHacker could guess future query IDs and inject spoofed DNS responses

Examples

China manipulated DNS records for sites

hHp://www.computerworld.com/ar$cle/2516831/security0/china-s-great-rewall-spreads-
overseas.html

Turkey manipulated DNS to block TwiHer

hHp://www.theguardian.com/world/2014/mar/21/turkey-blocks-twiHer-prime-minister

Security Mechanisms

Randomize DNS Query ID

Spoofed DNS response must also have correct Dst. Port
DNSSEC

DNS Spoong
DNS
HTTP

Local Network

1
8

10

Local Name
Server

2
3
5

Internet

Root Name
Server

.Com Name
Server

RandomSite.com
Name Server

aHacker.com

www.RandomSite.com


RandomSite Network

Overview
Network AHacks
DoS
Spoong

Mi$ga$ons
Cryptographic Protocols
Firewalls
Intrusion Detec$on

Security Protocols
Necessary to
communicate
securely across
untrusted network

Provide integrity,
conden$ality,
authen$city of
communica$ons
Based on previously
discussed
cryptographic
mechanisms

TCP/IP Stack

Security Protocols

Applica$on
(HTTP,DNS)

HTTPS/
DNSSEC
TLS

Transport
(TCP/UDP)

Transport
(TCP/UDP)

Internet
(IP)

Internet

Network
(Ethernet)

Network

Unsecure

(IPSEC)

(802.1x)

Secure

Transport Layer Security (TLS)

TLS
Previous Secure Sockets Layer (SSL)
Originally designed to support secure HTTP
(HTTPS)
Runs over TCP
Datagram TLS TLS equivalent for UDP
Currently used to secure many other protocols

Provides:
Authen$ca$on/Integrity uses MACs
Conden$ality encryp$on of messages

TLS/SSL Versions
Older

SSL 1.0-2.0 well known security vulnerabili$es

SSL 3.0 weak key genera$on

Government Approved (based on NIST SP 800-52

rev 1)
TLS 1.0 not signicantly dierent than SSLv3

Only when dealing with business/public (not govt only

comm.)
Browser Exploit Against SSL/TLS (BEAST) vulnerability

TLS 1.1 xes some issues with CBC mode, other xes
TLS 1.2 specify SHA-2 (256,512 bit) hash func$ons

TLS Protocol Stack

Type: Handshake
Stateful connec$on
Handshake used to communicate/agree on
various parameters
TLS/SSL versions
Ciphers
Cer$cates
Pre-master secret
Master secret
Session ID

TLS
Handshake

Proposes
1) version,
2) ciphers,
3) session ID,
4) random number

Species:
1) version,
2) cipher,
3) random number
Server cer$cate

Public key parameters

Client cer$cate
(op$onal)
Premaster secret

Change cipher suite

(encrypted in future)

Change cipher suite

(encrypted in future)

TLS Ciphers
Cipher contains set of crypto algorithms
necessary to perform following func$ons:
Key exchange algorithm
E.g. RSA, Die Hellman, ECDH

Bulk encryp$on algorithm

Stream(RC4, etc.), Block(3DES, DES, AES, etc.)

Data Integrity/Auth.
MAC algorithms, HMAC with (MD5, SHA1, SHA256)

IPsec

IPsec
Commonly used to build secure VPNs

Host to host, network to network, host to network

Encryp$on and authen$ca$on at the network layer

Func$ons

Security Associa$ons

algorithms and parameters used in encryp$on

Authen$ca$on Header (AH) Deprecated

connec$onless authen$ca$on and integrity

Encapsulated Security Payload (ESP)

Provides conden$ality, authen$ca$on, integrity

Benets
Provide conden$ality, integrity,
authen$ca$on of all IP packets (routable
trac)
Transparent to users

Can move crypto processing oWen moved to

network routers/devices rather than the
system

Security Associa$ons
One way rela$onship between sender and receiver
about security protocol parameters
Algorithms and keys used to protect the communica$on
Need two SAs for two way communica$on

Includes
Security Parameter Index (SPI)
iden$er for the SA

IP des$na$on address
des$na$on endpoint of the SA

Crypto algorithms/keys

SA establishment relies on ISAKMP protocol

ESP Modes - Examples

External Hosts

External Hosts

Unsecure Connec$on
IPsec (Tunnel)
IPsec (Transport)

Trusted Network A

Trusted Network B

TLS vs IPsec
Connec$on
Establishment
IPSec pre-established
Security Associa$ons
to agree on ciphers, etc.
Addi$onal overhead

TLS u$lizes handshake

to nego$ate between
client/server
Vulnerable to MitM
downgrade aHacks

Trust Establishment
IPSec pre-established
during SA
TLS based on
trusted cer$cate
authority
pre-shared cer$cates

IEC 62351
Data and communica$ons security standard for
power systems
Provides standard for
IEC 62351-9 Key management
X509 cer$cates for devices
Group Domain of Interpreta$on (GDOI)
Symmetric key management
Based on trusted key server

TLS for message encryp$on

RSA based digital signatures for message
authen$ca$on
hHp://iectc57.ucaiug.org/wg15public/Public%20Documents/White%20Paper%20on%20Security%20Standards%20in%20IEC%20TC57.pdf

Overview
Network AHacks
DoS
Spoong
Tampering

Mi$ga$ons
Cryptographic Protocols
Firewalls
Intrusion Detec$on

Firewalls
Why?
Separate more cri$cal/less cri$cal networks
Restrict Internet trac to systems

Enforce desired trac ows/security policies

How? Single system that all trac must pass through

Enforces rules on all trac
Ingress data coming in to network
Egress - data leaving network

Firewall Types
Internet Transport Applica$on

TCP/IP Stack
HTTP

DNP

DNS
TCP

UDP
IP

ICMP

Network/Link

Firewall Types
Packet Filtering
Stateful inspec$on

Applica$on-Layer proxy

Operate a dierent layers in the

TCP/IP stack

Packet Filtering
Internet Transport Applica$on

TCP/IP Stack
HTTP

DNP

DNS

Generally operate at the Network/Internet/Transport

layers
Congura$on includes
Default Policy for trac that doesnt match rule
Discard/Drop prohibit the packet
Forward/Accept allow the packet

Rules to match packets

TCP

UDP

Packet matching informa$on

IP

ICMP

Ac$on

Network/Link

Source/Des$na$on IP
Source/Des$na$on Port
Protocol (e.g., TCP/UDP)
Accept/Deny

Called Stateful Inspec$on if aware of TCP

connec$ons

Packet Filtering Example Rules

Only allow control trac to DNP slave (IP:1.2.3.4, TCP 20000)

External IP range of external systems

Remember: source ports for TCP connec$ons usually use ephemeral
ports range (high number)

Rule DirecLon Src Addr

Src Port

Dst Addr

Dst Port Prot

Conn State

AcLon

In

External

----

1.2.3.4

20000

TCP

New, Established

Permit

Out

1.2.3.4

20000

External

----

TCP

Established

Permit

Both

Any

Any

Any

Any

Any

New, Established

Deny

Applica$on Firewall
Internet Transport Applica$on

TCP/IP Stack
HTTP

DNP

DNS
TCP

UDP
IP

ICMP

Network/Link

Designed specically for

applica$on layer protocol
Example:
Web Applica$on rewalls
SCADA applica$on ltering
DNP3 - Objects
IEC 61850 Goose messages

Overview
Network AHacks
DoS
Spoong
Tampering

Mi$ga$ons
Cryptographic Protocols
Firewalls
Intrusion Detec$on

Intrusion Detec$on

Intrusion Detec$on System (IDS)

Components

Iden$es aHacker aHempts to gain unauthorized access to networks or systems

Sensors collect data (e.g., network packets, log les, system calls)
Analyzer receives input from sensors and analyzes it for

IDS Categories
Sensor Types

Host-based (HIDS) sensors collect data from hosts for

malicious processes, network stack ac$vity, modied les, etc.
Network-based (NIDS) sensors collect data from network
Hybrid combine informa$on from both network and hosts

Analysis Types

Signature-based use set of know aHack paHerns that are

compared with current sensor data (e.g., Snort)
Anomaly based compare current data to collec$on of past
data, assumes devia$on from past paHerns (or anomalies) are
aHacks
Specica$on-based create specica$on of known, correct
system opera$on.

Anomaly-based Detec$on
Overview:

Develop model of normal behavior and compare incoming events

Approaches

Sta$s$cal model or machine learning approach to categorizing trac

as normal or malicious

Strength

Can detect new/unknown aHacks!!!

Weakness

Many benign anomalies (e.g., network recongura$on, system

upgrades, new programs)
Excessive False Posi$ves (Base Rate Fallacy)
AHacks that are not anomalies?

Basic Detec$on Theory

ANack IdenLed

1.0

True
Posi$ve

Yes

ANack
Present

False
Posi$ve

No

True Posi$ve

Yes No
False
Nega$ve
True
Nega$ve

0.0
0.0

False Posi$ve

IDS requires small

False posi$ves

wastes money/resources inves$ga$ng non-aHack

False nega$ves

missed aHack results in viola$on of security policy

Base Rate Fallacy

Small number of intrusions, vs large number of non-malicious trac

Accurate IDS will s$ll raise large number of false posi$ves

IDS performance can be represented by a receiver opera$ng

characteris$cs (ROC) curve

1.0

Signature-based Detec$on
Overview:

maintain collec$on of known paHerns of malicious data,

compare incoming network trac to paHerns

Strength

Low False Posi$ve rate (if rules created correctly)

Weakness

Cant detect novel (0-day) aHacks, detec$on only works

when it has previous

Example:

Snort IDS

Snort IDS
Open- source Signature based IDS
Modes

Passive only detect aHacks

Inline can block packets
Intrusion preven$on

Architecture
Decoder

decode protocol layers, structure packet for analysis

Detec$on Engine

analyzes packet vs set of rules

Logger/Alerter

perform necessary response

Snort Rules
Ac$on: what do to when you iden$fy a packet

Examples: alert, log, pass, drop, reject, ac$vate, etc

Protocol, Port, IP Address, Direc$on

Example: tcp any any -> 192.168.1.0/24 111

Op$ons

General informa$on without impact on detec$on

Examples: msg, ref(URL), classtype, priority

Payload specify packet payload informa$on

Example: content, oset, pcre, hHp_header,

Non-payload specify non-payload data

Example: Hl, seq, ack,

Post-detec$on specify rules for aWer rule operates

Example: resp, react, session

More info here (hHp://manual.snort.org/node27.html)