Categories
Reading Unit - DoS Research

FIT5108 – DoS Reading Unit Part 3

This week I will start a detailed review of each of the attack methods introduced in Week 1’s post, beginning with one of the oldest DoS attacks, the Ping of Death.

I incorrectly listed this under ICMP attacks in a previous post; the ping of death actually exploits the process of IP packet reassembly.

The disassembly and reassembly process of data communication

We can see above that after being received via the communication medium (e.g. Cat6 cable), the Ethernet frames are unwrapped and we find IP packets. The maximum size of an IP packet according to the standard specification (http://tools.ietf.org/html/rfc791) is 65,535 bytes. The maximum payload of a standard Ethernet frame (http://standards.ieee.org/about/get/802/802.3.html) is 1,500 bytes. This means that large IP packets must be split across multiple Ethernet frames and the receiver must reassemble them. To keep track of reassembly, each IP fragment carries a fragment offset field.

The fragment offset effectively says, “I start at the 1,000th byte of the complete IP packet, put me after the 999th byte.” Given that Ethernet only allows frames of up to 1,500 bytes, you might expect the IP protocol to never let a fragment claim an offset anywhere near the 65,535 byte maximum. However, the offset field is 13 bits wide and measured in 8-byte units, so a fragment can legitimately claim an offset of up to 8,191 × 8 = 65,528 bytes.

So, if an attacker sends an IP packet of the maximum allowable size of 65,535 bytes, it will be broken up into Ethernet frames (Ethernet being the most common data link protocol). A ping of death occurs when the attacker crafts the last IP fragment to claim the maximum offset of 65,528 bytes but attaches more than 7 bytes of data, so the receiver tries to reassemble an IP packet that exceeds the 65,535 byte limit.

Because data communication and packet reassembly must be very fast, older operating systems performed no check to ensure the reassembled IP packet did not exceed the memory allocated for it. The result was a buffer overflow and a crash or unstable behaviour of the system.

On any post-1998 system a check is performed to ensure the sum of the Fragment Offset and Total Length fields of an IP fragment does not exceed 65,535 bytes. This is obviously an old, now mostly non-exploitable attack, but it is worth reviewing the kinds of exploits that have existed in the past as they provide some insight into future vulnerabilities.

A program written in C by Bill Fenner implementing a ping of death using ICMP can be found here: http://insecure.org/sploits/ping-o-death.html.

Any program implementing a ping of death attack must be able to inject modified packets/frames into a network interface. This is also required in a number of other DoS attacks, so I will look at writing a basic script in Python using the PyCap library: http://pycap.sourceforge.net/. Although it does require Python 2.3 :(.
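
As a rough illustration of what such a script involves, the sketch below uses Scapy (a more current packet-crafting library than PyCap) to hand-build a “last fragment” claiming the maximum offset; the target address and payload size are purely illustrative, and any modern stack will simply discard the packet:

    # Illustrative lab-only sketch; assumes Scapy is installed and root privileges.
    from scapy.all import IP, Raw, send

    target = "192.0.2.1"  # hypothetical test address (TEST-NET-1)

    # A hand-crafted "last fragment": the frag field is measured in 8-byte units,
    # so frag=8191 claims an offset of 65,528 bytes. Attaching 100 bytes of payload
    # means a vulnerable stack would reassemble a datagram larger than 65,535 bytes.
    evil_fragment = IP(dst=target, proto=1, frag=8191, flags=0) / Raw(load=b"A" * 100)
    send(evil_fragment, verbose=False)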

Categories
IT Research Methods

FIT5185 – IT Research Methods Week 3

Experiments were the topic of week 3’s lecture, presented by David Arnott. We started with a classification of scientific investigation:

  • Descriptive studies
  • Correlation studies
  • Experiments

Importantly, the anchor of all these investigations is the research question.

Terms and concepts were the next sub-section:

  • Subject (called a participant by law in Australia when people are involved) – the target of your experimentation.
  • Variables (independent, dependent, intermediate and extraneous) – these are largely self-explanatory from their dictionary definitions.
  • Variance/factor models – aim to predict an outcome from adjustment of predictor (independent?) variables at a single point in time. That is my loose interpretation.
  • Process models – aim to explain how outcomes develop over time (the difference between variance and process models appears moot and, I feel, somewhat irrelevant).
  • Groups – experimental group vs. control group, and ensuring group equivalence.
  • Hypothesis – a prediction about the effect of independent variable manipulation on dependent variables. One-tailed, two-tailed and null hypotheses.
  • Significance – a difference between two descriptive statistics too large to be attributable to chance.
  • Reliability – can the research method be replicated by another researcher?
  • Internal validity – to what extent is the manipulation of the independent variable responsible for the results observed in the dependent variable?
  • External validity – can the results be generalized to entities outside of the experiment?
  • Construct validity – the extent to which the measures used in the experiment actually measure the intended construct.

Experimental Design followed:

  • Between-subject vs. within-subject design – whether each subject is exposed to a single treatment or to all treatments.
  • After-only vs. before-after design – at which stages the dependent variables are measured.
  • Statistical tests must reflect the experimental design:

 

Statistical tests to reflect the experimental design (source: week 3 lecture notes)

When creating an experimental design it seems like a good idea just to make a check list.

The coffee/caffeine example covered next seemed a bit odd, as it assumed that coffee and caffeine are interchangeable. I recall a similar assumption being made regarding THC and marijuana which was later found to be fundamentally flawed. I did not understand the decision support system example at all, so I was not really able to extract much understanding from the two examples covered.

Categories
Advanced Network Security

FIT5037 – Advanced Network Security Week 2

Miller-Rabin Python Implementation (slow but readable):

http://mchost/sourcecode/Miller-Rabin.py

As with my other subjects, I was absent for week 2 of Adv. Network Security, so this will be a summary of the lecture notes and reading materials. The title of this week’s lecture was ‘Adv. Cryptology, RSA and its implementation’. Considering the extensive assignment we completed last semester on PGP/GPG and its use of the RSA public key system, this will most likely be somewhat of a revision. I wrote a summary of the RSA system in that assignment, which I will paraphrase below:

Generating Public and Private Keys (RSA):

Step 1: Generate two prime numbers
n = pq (let’s make p = 5 and q = 7)
5 * 7 = 35
n = 35
Step 2: Calculate the totient of n
φ(n) = (p – 1)(q – 1), φ is Euler's totient function
(5 - 1)(7 - 1)
φ(n) = 24
Step 3: Choose an integer, e, that is between 1 and φ(n) and co-prime with φ(n)
2, 3 and 4 are not co-prime with 24, however 5 is.
Let e = 5.
(e, n), (5, 35) is the public key.
Step 4: Using φ(n), find the private key exponent, d, as the modular multiplicative inverse of e modulo φ(n)
    d = e^-1 mod φ(n)
    d = 5^-1 mod 24
Apply the Extended Euclidean algorithm (see http://mchost/sourcecode/eea.py)
    d = 29 (note that 29 ≡ 5 (mod 24), so d = 5 would work equally well)
public key = (5, 35)
private key = (29, 35)
The encryption process for RSA is as follows:
    plaintext message = m, public key = (e, n)
    m^e mod(n) = ciphertext

The decryption process is as follows:
    ciphertext message = c, private key = (d, n)
    c^d mod(n) = plaintext message
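
As a quick sanity check of the worked example above, here is a minimal Python sketch using the built-in pow() (Python 3.8+ for the modular inverse); the message value 12 is just an arbitrary example, and real RSA uses large random primes and padding:

    p, q = 5, 7
    n = p * q                   # 35
    phi = (p - 1) * (q - 1)     # 24

    e = 5                       # co-prime with phi(n) = 24
    d = pow(e, -1, phi)         # modular inverse of e mod 24 -> 5 (29 also works)

    m = 12                      # example plaintext, must be < n
    c = pow(m, e, n)            # encryption: m^e mod n
    assert pow(c, d, n) == m    # decryption: c^d mod n recovers the plaintext

    print(f"public key = ({e}, {n}), private key = ({d}, {n}), ciphertext = {c}")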

Signing of documents can be done, ideally using a hash function, a private key and a trusted certificate for the public key:
plaintext message = m, public key = (e, n), private key = (d, n)
hashFunction(m)^d mod(n) = signature
A recipient can confirm the signature with the following process:
    signature^e mod (n) = hashFunction(m)

The lecture notes explain these processes with more formal mathematical notation; however, this is the easiest way for me to express the process.

Also discussed in the lecture was the topic of generating and testing prime numbers; I did not analyse this process closely last semester. The Miller-Rabin test was introduced here. As usual, I find the easiest way to get my head around a mathematical algorithm is not reviewing the mathematical proof/concept but writing a script implementing the algorithm: http://mchost/sourcecode/Miller-Rabin.py
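
For reference, a condensed sketch of the same idea (not the linked script, just a minimal version of the standard Miller-Rabin test) is below:

    import random

    def is_probable_prime(n, rounds=40):
        """Return False if n is definitely composite, True if n is probably prime."""
        if n < 2:
            return False
        for small in (2, 3, 5, 7, 11, 13):
            if n % small == 0:
                return n == small
        # Write n - 1 as 2^r * d with d odd.
        r, d = 0, n - 1
        while d % 2 == 0:
            r += 1
            d //= 2
        for _ in range(rounds):
            a = random.randrange(2, n - 1)
            x = pow(a, d, n)
            if x in (1, n - 1):
                continue
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                return False   # a is a witness that n is composite
        return True

    print([p for p in range(2, 60) if is_probable_prime(p)])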

Categories
IT Research Methods

FIT5185 – IT Research Methods Week 2

Unfortunately I was absent for week 2 of IT Research Methods and the lecture delivered by Prof. David Arnott. The lecture focused on the initial stage of any research project: the literature review.

  • Thematic Analysis – Qualitative in nature, classifying papers according to themes that are relevant to your research project.
  • Bibliographic Analysis – Quantitative in nature, using citation and/or content analysis. (rarely used in IT research)

A question posed at the start of the lecture: what is scientific evidence? Journal and conference papers, along with websites, blogs, books and trade magazines, were listed as possibilities. Before reading through the lecture I felt that any of these mediums could qualify as scientific evidence. Peer-reviewed academic articles would, however, present a much more filtered source, with blogs and websites most likely containing far more refutable contentions. It seems unwise to completely discount a source of information purely on the grounds that it is a blog or website, though.

The notes go on to present a rating system for journals (A, B and C), the A-listers being:

  • Decision Support Systems
  • European Journal of Information Systems
  • Information and Management
  • Information Systems Journal
  • Information Systems Research
  • Journal of Information Technology
  • Journal of Management Information Systems
  • Journal of the Association for Information Systems
  • MIS Quarterly

The aim of a literature review can be summarized as:

  • Synthesis of articles
  • Define and understand relevant controversies
  • Based on critical review (not just notes or observations)
  • Reads like an essay (but can use tables)

It seems that the thematic method of literature review is the avenue we will be encouraged to follow, which seems quite reasonable. Thematic review can be author- and/or topic-centric. Author-centric review would only be appropriate in very limited niche topics where the published articles come from a small number of researchers. When taking on a topic-centric review, creating a table that categorizes articles by concept is recommended:

Webster & Watson Concept Matrix (source: week 2 lecture notes)

Some questions are presented at the close of the lecture (which I imagine were answered in the lecture):

  • How long should a lit review be?
  • How many papers should be reviewed?
  • What tense should be used?
  • Which citation methodology? APA/Harvard?

I will have to follow up on these in the coming tutorial.

Finally, there was a YouTube video listed in the review materials for the week which included some good points:

  • What is the purpose of a literature review?
  1. Summarizes what has been researched before
  2. Highlights the research gaps that you will aim to fill
  3. Explains why it is necessary to fill those gaps
  4. Sets the scope of your research
  • Scope and length? – Does it need to be everything you know? No, just the current state of the theory. Length requires discussion with your supervisor, but remember this is a summary of existing knowledge and a review of current research. Look for flaws and disagreement among researchers.
  • Sources – refereed international journals, books/chapters, national journals, conference papers, non-refereed articles.
  • Review of instruments – what are you using to gather data to support your hypothesis, is it an acceptable source, and why?

 

Basic Framework:

  1. Introduction
  2. Broader Communication Issues
  3. Likely Causes (Attack methods/motivations/scenarios)
  4. Mitigation Methods
  5. Summary of literature
  6. Research aims

Make a checklist for evaluating articles!

Categories
Reading Unit - DoS Research

FIT5108 – DoS Reading Unit Part 2

This week’s summary will be a review of two papers from my reading pack: http://mchost/sourcecode/DoS/DoS%20Docs/JournalandBook/

Adaptive Defense Against Various Network Attacks, 2006, Zou, C., Duffield, N., Towsley, D., Gong, W., IEEE.

Summary:

The method discussed in the paper is not focused on improving current malicious packet identification methods but on increasing the efficiency of their application by modifying their adjustable parameters based on current and recent network conditions. One example is drawn from the Hop-Count Filtering [HCF] method for mitigating DDoS attacks, which relies on the assumption that attackers do not know the real hop-length from their spoofed sources to the target. The effectiveness of this particular mitigation method is not central to the contention; what matters is that HCF has adjustable parameters in its filtering. By adjusting the ‘strictness’ of HCF using a simple, low overhead, low computational cost method, the authors were able to significantly improve its performance.

Note that performance was measured against a curve whereby the costs of false positives and false negatives were arbitrarily defined.
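
To make the general pattern concrete for myself, here is a toy sketch (my own illustration, not the paper’s algorithm) of an estimated attack probability driving the strictness parameter of an otherwise static filter; the rates and thresholds are made-up placeholders:

    def estimate_attack_probability(syn_rate, baseline_syn_rate):
        """Crude anomaly score: how far the current SYN rate exceeds the baseline."""
        excess = max(0.0, syn_rate - baseline_syn_rate)
        return min(1.0, excess / (4 * baseline_syn_rate))

    def hop_count_tolerance(attack_probability):
        """Relaxed (+/-3 hops) when the network looks calm, strict (0) under attack."""
        return round(3 * (1 - attack_probability))

    for syn_rate in (100, 250, 500, 900):   # packets/sec, hypothetical measurements
        p = estimate_attack_probability(syn_rate, baseline_syn_rate=100)
        print(syn_rate, round(p, 2), hop_count_tolerance(p))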

Relevance to my thoughts on intelligent systems in network security and DDoS mitigation:

  • Computational cost is almost always relevant
  • Network overhead is always relevant
  • The utility, or cost/reward heuristic for the adaptive system must be provided to the system
  • Parameter management of multiple non-adaptive mitigation or defense systems can be done by a single adaptive service which monitors network conditions and estimates the probability and severity of a current attack.
  • The proposed system does not use any intelligent systems in the actual identification of malicious packets, perhaps due to the computational cost.
  • Adaptive systems can be used to achieve cost minimization for security services.

A Distributed Throttling Approach for Handling High Bandwidth Aggregates, 2007, Wei Tan, C., Chiu, D-M., Lui, J., Yau, D., IEEE.

Summary:

This article approaches the breakdown of network communication in the case of flash crowds and DDoS attacks, both of which direct high aggregate traffic from distributed sources to a single location. The authors propose what I would describe as a layered router throttling approach. Throughout the article the term ‘dropped traffic’ is used to describe the effect of router throttling. The article provides some background on the router throttling strategy, but I am somewhat confused about the dropping of traffic once a certain bandwidth level is exceeded. Does this mean that all incoming packets will be dropped regardless of the existence of a TCP session? Does it mean that existing sessions will remain alive until they time out? I will need to do some further reading on the router throttling mitigation method. A key requirement of this strategy is having a number of routers in the preceding network hops subscribed to the method. See below:

Drawn from the paper, this is a desirable router structure

The paper goes on to propose a number of algorithms, a lightweight communication protocol between routers, and evidence that by dropping traffic the distributed throttling method can keep target servers alive. Although this solution would undeniably be effective in keeping a server alive, it drops traffic based purely on the traffic level at the router a packet passes through. I feel there is a very bad worst case scenario where the probability of a packet being dropped has a very low correlation with whether or not it is malicious (a toy sketch of this threshold-based dropping follows the list below). The lack of header/packet inspection does, however, give very good computational efficiency.

  • This solution could be considered somewhat of a benchmark that intelligent mitigation methods would need to improve on; the indiscriminate dropping of packets will result in DoS for legitimate users whose routes coincide with the DDoS traffic. Keeping a server alive is probably the primary goal of DoS mitigation, but service availability should stand right next to that goal.
  • If this defense strategy were widespread it appears to have numerous vulnerabilities that attackers would surely exploit. Attackers could probe the thresholds that trigger packet dropping and possibly launch attacks that deny service to specific regions at less cost than an attack on a service not protected by distributed router throttling.
  • I get a sense that this strategy could work in a macro sense, perhaps piggybacking on border routing protocols, however the ‘dumb’ nature of the throttling seems a very limiting factor. I will obviously need to investigate router throttling methods further, as with my current understanding this solution seems sub-optimal.
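
The sketch below is my own toy illustration of the indiscriminate threshold-based dropping described above (not the paper’s layered max-min algorithm): once a router’s per-interval rate exceeds its throttle level, excess packets are dropped regardless of whether they are legitimate or malicious.

    import random

    THROTTLE_LIMIT = 500                      # packets per interval, made-up figure

    def throttle(packets, limit=THROTTLE_LIMIT):
        """Forward packets up to the limit; drop the rest without inspection."""
        random.shuffle(packets)               # arrival order carries no intent
        return packets[:limit], packets[limit:]

    traffic = ["legit"] * 300 + ["attack"] * 900
    forwarded, dropped = throttle(traffic)
    print("legit forwarded:", forwarded.count("legit"), "of 300")
    print("attack forwarded:", forwarded.count("attack"), "of 900")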

 

 

Categories
Advanced Network Security

FIT5037 – Advanced Network Security Week 1

Week 1 of Adv. Network Security, to be lectured by Dr Phu Dung Le, provided an introduction to the topics covered in the unit:

  • Modern computing and network security
  • Elliptic curve public key encryption
  • Design and implementation of RSA and ECC
  • Intrusion detection systems
  • Network and distributed software security
  • Advanced wireless security
  • Large computer security systems
  • Security, load balancing and network performance
  • Main research in security

The lecture broke off into some very interesting discussion of information retrieval from encrypted data sources. The example provided seems like a one-off case, but this problem will become increasingly relevant with the rise of cloud computing. For example, as large companies such as Sony find strong efficiency and financial motivators to outsource their data storage to cloud providers, encryption of that data is paramount. With a large, off-site, encrypted data source there are issues with the efficient retrieval of data and the point of decryption. For example:

  • If searching for similar images given an initial image, how can this be accomplished without downloading and decrypting the entire database?
  • When retrieving data, at what point does decryption occur? If at the client, then all the incoming data will fly straight past the firewall, intrusion detection systems and anti-virus software.

A paper was provided proposing a solution based on:

an encryption scheme where each authorised user in the system has his own keys to encrypt and decrypt data. The scheme supports keyword search which enables the server to return only the encrypted data that satisfies an encrypted query without decrypting it.

http://mchost/sourcecode/papers/Sharedandsearchableencrypteddataforuntrustedservers.pdf
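
As a very rough illustration of the keyword-search idea (my own toy sketch, not the paper’s scheme), a deterministic per-user keyword token lets the server match encrypted records without ever seeing the plaintext keyword:

    import hmac, hashlib

    def keyword_token(user_key: bytes, keyword: str) -> bytes:
        """Deterministic search token for a keyword under a per-user secret key."""
        return hmac.new(user_key, keyword.lower().encode(), hashlib.sha256).digest()

    user_key = b"per-user secret key"   # hypothetical key material
    # Server-side index maps tokens to encrypted records (placeholder ciphertexts).
    index = {keyword_token(user_key, "invoice"): "ciphertext-blob-0042"}

    # The client sends only the token; the server returns matches without decrypting.
    print(index.get(keyword_token(user_key, "invoice")))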

The problem of similar-image recognition is still not easily addressed by this solution, although it could be argued that a categorization schema could work effectively. I wonder about the plausibility of using unsupervised neural networks in conjunction with the hash algorithm to provide a method not dependent on designer-imposed categorization. I imagine the network would need to be infinitely complex to follow the hashing, however…

The tutorial introduced Snort (a leading intrusion detection system) – http://www.snort.org/

Installing and making a basic configuration for Snort was the task. I am not a big fan of the Red Hat Linux distro that we have access to in the tutorials, so I completed the install of Snort 2.9.0.5 along with Snort Report 1.3.1 on my home gateway. I used the latest dynamic rules from

The tutorial I followed loosely for the install can be viewed here: http://www.symmetrixtech.com/articles/001-snortinstallguide.pdf (note that following the instructions blindly will result in disaster).
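
To check that the install was actually doing something, a minimal local rule along these lines (standard Snort rule syntax; the SID and message text are arbitrary) can be added to local.rules to alert on inbound ICMP echo requests:

    alert icmp any any -> $HOME_NET any (msg:"ICMP echo request detected"; itype:8; sid:1000001; rev:1;)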

It was also mentioned in the lecture that we would be investigating RSA in comparison to elliptic curve cryptography [ECC]. I had no idea what ECC was; a good video I found provides a brief explanation:

Categories
IT Research Methods

FIT5185 – IT Research Methods Week 1

Week 1 of IT Research Methods was a lecture by Dr Jose Kuzic on the nature of research. The lecture bounced between subjective opinions drawn from experience in research and a framework for conducting research:

  • Formulating Questions
  • Literature Analysis
  • Case Studies
  • Surveys
  • Qualitative data analysis
  • Quantitative data analysis
  • Communication research

Also introduced were some research paradigms:

  • Scientific research (positivist)
  • Applied research (practical)
  • Social research (interpretive)

I feel that being aware of these paradigms is valuable, but self-imposing mutual exclusivity or black-and-white generalization would be counterproductive (i.e.: “oh well, that’s just a positivist view” / “I can’t do that, I am doing applied research”). A more pragmatic approach, using whatever method best answers the posed question regardless of paradigm, is required for good research.

Induction and deduction in science (source: week 1 lecture notes)

Details of Assignments 1 and 2 were also made available on Moodle this week. Assignment 1, a literature review and presentation, seems like it will be an enjoyable assignment that will allow some synergy with other subjects.

 

Categories
Reading Unit - DoS Research

FIT5108 – DoS Reading Unit Part 1

I am undertaking a reading unit this semester focused on Denial of Service [DoS] attacks and their mitigation. As there are no subjects dedicated to this field a reading unit was the best option. The aims of the unit will be:

  1. Study system vulnerabilities and existing DoS attacks
  2. Propose a new method to mitigate one of the DoS attacks

I have not investigated DoS attacks at anything other than an introductory level prior to this, so my blog notes will start from that point. With this in mind, the best beginning is with definitions. Most of this introductory post will glean resources from Wikipedia’s DoS page http://en.wikipedia.org/wiki/Denial-of-service_attack; see its reference list for further reading.

Denial of Service Attack: an attempt to degrade network performance or render services (e.g. web services) unavailable. Issues can spread to network branches surrounding the targeted system; in some cases entire geographical regions can be prevented from accessing the external network.

DoS attacks can also be characterized as an attacker explicitly attempting to prevent legitimate users from accessing specific services. There are two major classifications:

  • Attacks which crash a server
  • Attacks which flood a server
Stacheldraht DDoS attack (source: Wikipedia)

There are five categories into which DoS attacks can be placed:

  1. Consumption of computation resources (ie: HTTP-GET DDoS flood attack, http://teamxpc.com/forum/topic/155918-http-get-dos-attack-paper/)
  2. Disruption of configuration information  (ie: DNS Poisoning attack, http://www.spamstopshere.com/blog/2008/08/07/recent-dns-poisoning-exploit-used-for-dos-attacks/)
  3. Disruption of state information (ie: Resetting of TCP Sessions, http://kerneltrap.org/node/3072 , http://en.wikipedia.org/wiki/TCP_reset_attack)
  4. Disruption of physical network components (ie: physical access to servers, phlashing attack/PDoS, http://hackaday.com/2008/05/20/phlashing-denial-of-service-attack-the-new-hype/)
  5. Obstructing communication media (ie: replay attacks on wifi, http://www.aircrack-ng.org/doku.php?id=simple_wep_crack&DokuWiki=9a77f3d58e7c5e4adc840b60b1a2197e, cable cuts, http://www.guardian.co.uk/world/2011/apr/06/georgian-woman-cuts-web-access)

Some examples of known DoS attacks:

 

Some additional reading on DoS attack definitions:

http://www.garage4hackers.com/showthread.php?251-DOS-Attacks

Categories
Network security

FIT5044 – Network Security Week 11 + Review

The final week of new topics for Network Security covered security for large computer systems. This post will also contain a short review of the FIT5044 subject. The first point to consider when implementing large scale security solutions is the fast-moving nature of computer security, in addition to the difficulty of change associated with large business networks. Increased integration, particularly the availability of inter-organization or publicly available services, adds difficulty given the mutually exclusive nature of security and convenience.

Network security topics for large organizations (source: Week 11 lecture notes FIT5044)

As can be seen, there are a large number of areas where security must be actively enforced on a large network.

IDS systems to investigate:

Snort (http://www.snort.org)

Cisco IDS (http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml)

Subject Review:

FIT5044 Network Security was my favorite subject of the MIT course thus far. It contains very interesting material and introduces students to topics they must independently investigate to gain a proper understanding (I think all postgraduate subjects should subscribe to this). It is proposed that the subject would be a good addition for non-IT students, however I imagine this would be quite challenging without some fundamental IT background. I recommend this subject to anyone in the MIT course.

Categories
Natural computation for intell. sys.

FIT5167 – Natural Computation Week 11 + Review

A late post, as I forgot to publish: the last week of new topics in Natural Computation covered recurrent networks for time series forecasting. The alternatives for structuring and feeding back previous time steps are the main points of difference between the methodologies.

Elman Networks:

Elman network (source: Week 11 lecture notes FIT5167)

Jordan Networks:

Jordan network (source: Week 11 lecture notes FIT5167)

Fully recurrent:

Fully recurrent time series forecasting network (source: Week 11 lecture notes FIT5167)

These networks operate very similarly to standard multilayer perceptrons. Self-organizing maps have been proposed as one possible method for selecting input variables; genetic algorithms were also noted as an alternative input selector.
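
To fix the Elman idea in my head, here is a minimal numpy sketch (my own illustration with made-up layer sizes, not taken from the lecture notes) of a single recurrent step where the previous hidden state is fed back as a context input:

    import numpy as np

    rng = np.random.default_rng(0)
    n_in, n_hidden, n_out = 3, 5, 1                # made-up layer sizes

    W_in  = rng.normal(size=(n_hidden, n_in))      # input -> hidden weights
    W_ctx = rng.normal(size=(n_hidden, n_hidden))  # context (previous hidden) -> hidden
    W_out = rng.normal(size=(n_out, n_hidden))     # hidden -> output weights

    def step(x, h_prev):
        h = np.tanh(W_in @ x + W_ctx @ h_prev)     # new hidden state
        y = W_out @ h                              # one-step-ahead forecast
        return y, h

    h = np.zeros(n_hidden)
    for x_t in rng.normal(size=(10, n_in)):        # a dummy 10-step input series
        y_t, h = step(x_t, h)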

Review of this unit:

I found FIT5167 to be a very thought-provoking subject, with excellent resources provided by the lecturer, Grace Rumantir. The best part of the subject was the assignments, where we got some very useful practical experience constructing neural networks. With the statistical analysis that NNs allow, the skills learned in this subject can be applied to a very wide range of problems. I would recommend this subject to anyone studying the MIT at Monash, even if their major is not Intelligent Systems.