Lesson 9: Internet Security Flashcards

1
Q

What are the four properties of secure communications?

A
  1. Confidentiality: ensure that the message that is sent from the sender to the receiver is only available to the two parties; encryption.
  2. Integrity: ensure the message has not been somehow modified while in transit from the sender to the receiver; integrity check measures.
  3. Authentication: ensure that the two parties are who they say they are; verification/authentication measures.
  4. Availability: ensure that multiple aspects of the communication channel are functioning appropriately and we can cope with possible failures such as power outages, hardware failures, or attacks that aim to render the system unavailable (e.g. DDoS).
2
Q

How does Round Robin DNS (RRDNS) work? (high-level summary, three steps)

A

Used to distribute the load of incoming requests to several servers at a single physical location.

  1. Respond to a DNS request with a list of DNS A records.
  2. Cycle through the records in a round-robin manner.
  3. Choose a record using the desired strategy (choose the first record each time, choose the closest record in terms of network proximity, etc.).
3
Q

How does DNS-based content delivery work?

A

Used by CDNs, the load is distributed across multiple servers at a single location and across the world. When accessing the name service using the DNS, the CDN computes the “nearest edge server” and returns its IP address to the DNS client (nearest edge is computed through techniques based on topology and current link characteristics). Results in the content being moved “closer” to the DNS client, increasing responsiveness and availability.

CDNs can react quickly to changes in link characteristics as their TTL is lower than that in RRDNS.

4
Q

How do Fast-Flux Service Networks work?

A

Fast-Flux Service Networks (FFSN) are used as an attack/scam method.

FFSN is an extension of RRDNS and CDNs, based on rapid changes in DNS answers with a TTL lower than that of RRDNS and CDNs. In FFSN, after the TTL expires, a different set of A records is returned, drawn from a larger pool of compromised machines. The compromised machines act as proxies between the incoming request and the control node/mothership, forming a resilient, robust one-hop overlay network.

5
Q

Summarize at a high level what Finding Rogue Networks (FIRE) is.

A

A system that monitors the Internet for rogue networks.

6
Q

What are Rogue Networks?

A

Networks whose main purpose is malicious activity (phishing, hosting spam pages, hosting pirated software, etc.).

7
Q

What are the three main data sources used by Finding Rogue Networks (FIRE) to identify hosts within Rogue Networks?

A
  1. Botnet Command & Control Providers: several botnets still rely on centralized command and control (C&C), so bot-masters prefer to host their C&C on networks where it is unlikely to be taken down; the two main types of botnets this system considers are IRC-based botnets and HTTP-based botnets.
  2. Drive-By-Download Hosting Providers: drive-by download is a method of malware installation without interaction from the user; it commonly occurs when the victim visits a web page that contains an exploit for their vulnerable browser.
  3. Phish Housing Providers: this data source contains URLs of servers that host phishing pages; these usually mimic authentic sites to steal login credentials, credit card numbers, and other personal information. These pages are hosted on compromised servers and are usually up only for a short period of time.
8
Q

What is the design of ASwatch?

A

The design of ASwatch is based on monitoring global BGP routing activity to learn the control plane behavior of a network.

ASwatch uses information exclusively from the control plane.
It aims to detect malicious networks that are likely run by cyber actors (so-called “bulletproof” networks), rather than legitimate networks that happen to be badly abused.

9
Q

Describe the two phases of ASwatch.

A
  1. Training Phase: the system is given a list of known malicious and known legitimate ASes and learns the control-plane behavior typical of each type. It tracks the behavior of these ASes over time, following their business relationships with other ASes and their BGP update and withdrawal patterns. ASwatch then computes the statistical features of each AS. There are three main groups of features:
    a. Rewiring Activity
    b. IP Space Fragmentation and Churn
    c. BGP Routing Dynamics
  2. Operational Phase: given an unknown AS, the system calculates the features for this AS and uses the trained model to assign it a reputation score; if the AS receives a low reputation score for several days in a row (indicating consistently suspicious behavior), the system identifies it as malicious.
10
Q

What are the three classes of features used to determine the likelihood of a security breach within an organization?

A
  1. Mismanagement Symptoms: misconfigurations in an organization’s network indicate that the organization may not have policies in place to prevent such attacks, or may lack the technological capability to detect these failures, which increases the likelihood of a breach. The features used are the following:
    a. Open Recursive Resolvers - misconfigured open DNS resolvers.
    b. DNS Source Port Randomization - many servers still do not implement this.
    c. BGP Misconfiguration - short-lived routes can cause unnecessary updates to the global routing table.
    d. Untrusted HTTPS Certificates - the validity of a certificate can be checked via the TLS handshake.
    e. Open SMTP Mail Relays - servers should filter messages so that only senders in the same domain can relay mail.
  2. Malicious Activities
  3. Security Incident Reports