SlideShare ist ein Scribd-Unternehmen logo

12 tcp-dns

Als PPT, PDF herunterladen
Culverton Blessy
Culverton Blessy
1 von 53
Network Protocols and Vulnerabilities John Mitchell CS 155 Spring 2008
Outline Basic Networking Network attacks  Attacking host-to-host datagram protocols  SYN flooding, TCP Spoofing, …  Attacking network infrastructure  Routing  Domain Name System This lecture is about the way things work now and how they are not perfect. Next lecture – some security improvements (still not perfect)
Backbone ISP ISP Internet Infrastructure Local and interdomain routing  TCP/IP for routing, connections  BGP for routing announcements Domain Name System  Find IP address from symbolic name (www.cs.stanford.edu)
TCP Protocol Stack Application Transport Network Link Application protocol TCP protocol IP protocol Data Link IP Network Access IP protocol Data Link Application Transport Network Link
Data Formats Application Transport (TCP, UDP) Network (IP) Link Layer Application message - data TCP data TCP data TCP data TCP Header dataTCPIP IP Header dataTCPIPETH ETF Link (Ethernet) Header Link (Ethernet) Trailer segment packet frame message
Internet Protocol Connectionless  Unreliable  Best effort Transfer datagram  Header  Data IP Version Header Length Type of Service Total Length Identification Flags Time to Live Protocol Header Checksum Source Address of Originating Host Destination Address of Target Host Options Padding IP Data Fragment Offset
IP Routing Internet routing uses numeric IP address Typical route uses several hops Meg Tom ISP Office gateway 121.42.33.12 132.14.11.51 Source Destination Packet 121.42.33.12 121.42.33.1 132.14.11.51 132.14.11.1
IP Protocol Functions (Summary) Routing  IP host knows location of router (gateway)  IP gateway must know route to other networks Fragmentation and reassembly  If max-packet-size less than the user-data-size Error reporting  ICMP packet to source if packet is dropped
User Datagram Protocol IP provides routing  IP address gets datagram to a specific machine UDP separates traffic by port  Destination port number gets UDP datagram to particular application process, e.g., 128.3.23.3, 53  Source port number provides return address Minimal guarantees  No acknowledgment  No flow control  No message continuation UDP
Transmission Control Protocol Connection-oriented, preserves order  Sender  Break data into packets  Attach packet numbers  Receiver  Acknowledge receipt; lost packets are resent  Reassemble packets in correct order TCP Book Mail each page Reassemble book 19 5 1 1 1
Internet Control Message Protocol Provides feedback about network operation  Error reporting  Reachability testing  Congestion Control Example message types  Destination unreachable  Time-to-live exceeded  Parameter problem  Redirect to better gateway  Echo/echo reply - reachability test  Timestamp request/reply - measure transit delay ICMP
Basic Security Problems Network packets pass by untrusted hosts  Eavesdropping, packet sniffing (e.g., “ngrep”) IP addresses are public  Smurf TCP connection requires state  SYN flooding attack TCP state can be easy to guess  TCP spoofing attack
Packet Sniffing Promiscuous NIC reads all packets  Read all unencrypted data (e.g., “ngrep”)  ftp, telnet send passwords in clear! Alice Bob Eve Network Prevention: Encryption, improved routing (Another lecture: IPSEC) Sweet Hall attack installed sniffer on local machine
Smurf DoS Attack Send ping request to broadcast addr (ICMP Echo Req) Lots of responses:  Every host on target network generates a ping reply (ICMP Echo Reply) to victim  Ping reply stream can overload victim Prevention: reject external packets to broadcast address gatewayDoS Source DoS Target 1 ICMP Echo Req Src: Dos Target Dest: brdct addr 3 ICMP Echo Reply Dest: Dos Target
TCP Handshake C S SYNC SYNS, ACKC+1 ACKS+1 Listening Store data Wait Connected
SYN Flooding C S SYNC1 Listening Store data SYNC2 SYNC3 SYNC4 SYNC5
SYN Flooding Attacker sends many connection requests  Spoofed source addresses Victim allocates resources for each request  Connection requests exist until timeout  Fixed bound on half-open connections Resources exhausted requests rejected
Protection against SYN Attacks Client sends SYN Server responds to Client with SYN-ACK cookie  sqn = f(src addr, src port, dest addr, dest port, rand)  Normal TCP response but server does not save state Honest client responds with ACK(sqn) Server checks response  If matches SYN-ACK, establishes connection  “rand” is top 5 bits of 32-bit time counter  Server checks client response against recent values See http://cr.yp.to/syncookies.html [Bernstein, Schenk]
TCP Connection Spoofing Each TCP connection has an associated state  Client IP and port number; same for server  Sequence numbers for client, server flows Problem  Easy to guess state  Port numbers are standard  Sequence numbers often chosen in predictable way
IP Spoofing Attack A, B trusted connection  Send packets with predictable seq numbers E impersonates B to A  Opens connection to A to get initial seq number  SYN-floods B’s queue  Sends packets to A that resemble B’s transmission  E cannot receive, but may execute commands on A Server A B E Attack can be blocked if E is outside firewall.
TCP Sequence Numbers Need high degree of unpredictability  If attacker knows initial seq # and amount of traffic sent, can estimate likely current values  Send a flood of packets with likely seq numbers  Attacker can inject packets into existing connection Some implementations are vulnerable
Recent DoS vulnerability [Watson’04] Suppose attacker can guess seq. number for an existing connection:  Attacker can send Reset packet to close connection. Results in DoS.  Naively, success prob. is 1/232 (32-bit seq. #’s).  Most systems allow for a large window of acceptable seq. #’s  Much higher success probability. Attack is most effective against long lived connections, e.g. BGP.
Cryptographic network protection Solutions above the transport layer  Examples: SSL and SSH  Protect against session hijacking and injected data  Do not protect against denial-of-service attacks caused by spoofed packets Solutions at network layer  Use cryptographically random ISNs [RFC 1948]  More generally: IPsec  Can protect against  session hijacking and injection of data  denial-of-service attacks using session resets
Wireless Threats Passive Eavesdropping/Traffic Analysis  Easy, most wireless NICs have promiscuous mode Message Injection/Active Eavesdropping  Easy, some techniques to gen. any packet with common NIC Message Deletion and Interception  Possible, interfere packet reception with directional antennas Masquerading and Malicious AP  Easy, MAC address forgeable and s/w available (HostAP) Session Hijacking Man-in-the-Middle Denial-of-Service: cost related evaluation
Evolution of Wireless Security 802.11 (Wired Equivalent Protocol)  Authentication: Open system (SSID) and Shared Key  Authorization: some vendors use MAC address filtering  Confidentiality/Integrity: RC4 + CRC WPA: Wi-Fi Protected Access  Authentication: 802.1X  Confidentiality/Integrity: TKIP  Reuse legacy hardware, still problematic IEEE 802.11i (Ratified 2004 ): WPA2  Mutual authentication  Data confidentiality and integrity: CCMP  Key management  Availability
What Went Wrong With WEP No Key Management  Long Lived keys  Fix: Use 802.1X ( Standard for user, device authentication ) Crypto Issues RC4 cipher stream  Key size: 40 bit keys  Initialization Vector too small:24 bit  Integrity Check Value based on CRC-32  Authentication messages can be forged
Authentica -tion Server (RADIUS) No Key Authenticator UnAuth/UnAssoc 802.1X Blocked No Key Supplicant UnAuth/UnAssoc 802.1X Blocked No Key Supplicant Auth/Assoc 802.1X Blocked No Key Authenticator Auth/Assoc 802.1X Blocked No Key Authentica -tion Server (RADIUS) No Key 802.11 Association EAP/802.1X/RADIUS Authentication Supplicant Auth/Assoc 802.1X Blocked MSK Authenticator Auth/Assoc 802.1X Blocked No Key Authentica -tion Server (RADIUS) MSK MSK Supplicant Auth/Assoc 802.1X Blocked PMK Authenticator Auth/Assoc 802.1X Blocked PMK Authentica -tion Server (RADIUS) No Key 4-Way Handshake Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica -tion Server (RADIUS) No Key Group Key Handshake Supplicant Auth/Assoc 802.1X UnBlocked New GTK Authenticator Auth/Assoc 802.1X UnBlocked New GTK Authentica -tion Server (RADIUS) No Key IEEE 802.11i - WPA2 Data Communication Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica -tion Server (RADIUS) No Key
Security issues in development of 802.11i ATTACKS SOLUTIONS security rollback supplicant manually choose security; authenticator restrict pre-RSNA to only insensitive data. reflection attack each participant plays the role of either authenti- cator or supplicant; if both, use different PMKs. attack on Michael countermeasures cease connections for a specific time instead of re-key and deauthentication; update TSC before MIC and after FCS, ICV are validated. RSN IE poisoning Authenticate Beacon and Probe Response frame; Confirm RSN IE in an earlier stage; Relax the condition of RSN IE confirmation. 4-way handshake blocking adopt random-drop queue, not so effective; authenticate Message 1, packet format modified; re-use supplicant nonce, eliminate memory DoS.
TCP Congestion Control If packets are lost, assume congestion  Reduce transmission rate by half, repeat  If loss stops, increase rate very slowly Design assumes routers blindly obey this policy Source Destination
Competition Amiable Alice yields to boisterous Bob  Alice and Bob both experience packet loss  Alice backs off  Bob disobeys protocol, gets better results Source A Source B Destination Destination
Routing Vulnerabilities Source routing  Sender can specify source routing  Can direct response through compromised host Routing Information Protocol (RIP)  Direct client traffic through compromised host Exterior gateway protocols  Advertise false routes  Send traffic through compromised hosts
Source Routing Attacks Attack  Destination host may use reverse of source route provided in TCP open request to return traffic  Modify the source address of a packet  Route traffic through machine controlled by attacker Defenses  Only accept source route if trusted gateways listed in source routing info  Gateway rejects external packets claiming to be local  Reject pre-authorized connections if source routing info present
Routing Table Update Protocols Interior Gateway Protocols: IGPs  distance vector type - each gateway keeps track of its distance to all destinations  Gateway-to-Gateway: GGP  Routing Information Protocol: RIP Exterior Gateway Protocol: EGP  used for communication between different autonomous systems
Interdomain Routing connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain) Interior Gateway Protocol Exterior Gateway Protocol Autonomous System earthlink.net Stanford.edu
BGP overview Iterative path announcement  Path announcements grow from destination to source  Packets flow in reverse direction Protocol specification  Announcements can be shortest path  Nodes allowed to use other policies  E.g., “cold-potato routing” by smaller peer  Not obligated to use path you announce
BGP example [D. Wetherall] Transit: 2 provides transit for 7 Algorithm seems to work OK in practice  BGP is does not respond well to frequent node outages 3 4 6 5 7 1 8 2 7 7 2 7 2 7 2 7 3 2 7 6 2 7 2 6 52 6 5 2 6 5 3 2 6 5 7 2 6 5 6 5 5 5
Issues Security problems  Potential for disruptive attacks  BGP packets are un-authenticated Incentive for dishonesty  ISP pays for some routes, others free
Atlanta St. Louis San Francisco Denver Cambridge Washington, D.C. Orlando Chicago Seattle Los Angeles Detroit Houston New York Phoenix San Diego Austin Philadelphia Dallas 2 Kansas City BGP Route Instability Good route from San Francisco to Cambridge, MA
Atlanta St. Louis San Francisco Denver Cambridge Washington, D.C. Orlando Chicago Seattle Los Angeles Detroit Houston New York Phoenix San Diego Austin Philadelphia Dallas 2 Kansas City BGP Route Instability If Denver-Chicago goes down, route cancellation propagates to SF
Atlanta St. Louis San Francisco Denver Cambridge Washington, D.C. Orlando Chicago Seattle Los Angeles Detroit Houston New York Phoenix San Diego Austin Philadelphia Dallas 2 Kansas City BGP Route Instability SF chooses next best route, which may include Denver-Chicago along a longer path Route cancellation message through Seattle has not reached SF because this route to SF is longer
Domain Name System Hierarchical Name Space root edunetorg ukcom ca wisc ucb stanford cmu mit cs ee www DNS
DNS Root Name Servers Hierarchical service  Root name servers for top-level domains  Authoritative name servers for subdomains  Local name resolvers contact authoritative servers when they do not know a name
DNS Lookup Example Client Local DNS resolver root & edu DNS server stanford.edu DNS server www.cs.stanford.edu cs.stanford.edu DNS server
Caching DNS responses are cached  Quick response for repeated translations  Useful for finding servers as well as addresses  NS records for domains DNS negative queries are cached  Save time for nonexistent sites, e.g. misspelling Cached data periodically times out  Lifetime (TTL) of data controlled by owner of data  TTL passed with every record Some funny stuff allowed by RFC  Discuss cache poisoning in a few slides
Lookup using cached DNS server Client Local DNS recursive resolver root & edu DNS server stanford.edu DNS server cs.stanford.edu DNS server ftp.cs.stanford.edu
DNS Implementation Vulnerabilities DNS implementations have had same kinds of vulnerabilities as other software  Reverse query buffer overrun in BIND Releases 4.9 (4.9.7 prior) and Releases 8 (8.1.2 prior)  gain root access  abort DNS service  MS DNS for NT 4.0 (service pack 3 and prior)  crashes on chargen stream  telnet ntbox 19 | telnet ntbox 53 Moral  Better software quality is important  Defense in depth!
Inherent DNS Vulnerabilities Users/hosts typically trust the host-address mapping provided by DNS Obvious problems  Interception of requests or compromise of DNS servers can result in incorrect or malicious responses  Solution – authenticated requests/responses Some funny stuff allowed by RFC  Name server may delegate name to another NS (this is OK)  If name is delegated, may also supply IP addr (this is trouble)
DNS cache poisoning DNS resource records (see RFC 1034)  An “A” record supplies a host IP address  A “NS” record supplies name server for domain Example  www.evil.org NS ns.yahoo.com /delegate to yahoo  ns.yahoo.com A 1.2.3.4 / address for yahoo Result  If resolver looks up www.evil.org, then evil name server will give resolver address 1.2.3.4 for yahoo  Lookup for yahoo through cache goes to 1.2.3.4
Pharming DNS poisoning attack (less common than phishing)  Change IP addresses to redirect URLs to fraudulent sites  Potentially more dangerous than phishing attacks  No email solicitation is required DNS poisoning attacks have occurred:  January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.  In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy  In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops"
DNS Rebinding Attack Read permitted: it’s the “same origin” Firewall www.evil.com web server ns.evil.com DNS server 171.64.7.115 www.evil.com? corporate web server 171.64.7.115 TTL = 0 <iframe src="http://www.evil.com"> 192.168.0.100 192.168.0.100 [DWF’96, R’01] DNS-SEC cannot stop this attack
DNS Rebinding Defenses Browser mitigation: DNS Pinning  Refuse to switch to a new IP  Interacts poorly with proxies, VPN, dynamic DNS, …  Not consistently implemented in any browser Server-side defenses  Check Host header for unrecognized domains  Authenticate users with something other than IP Firewall defenses  External names can’t resolve to internal addresses  Protects browsers inside the organization
Summary (I) Eavesdropping  Encryption, improved routing Smurf  Drop external packets to brdcst address SYN Flooding  SYN Cookies IP spoofing  Use less predictable sequence numbers
Summary (II) Source routing attacks  Additional info in packets, tighter control over routing Interdomain routing  Authenticate routing announcements  Many other issues DNS attacks  Cache poisoning  Pharming  Rebinding

Empfohlen

Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IP
Sukh Sandhu
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
eroglu
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hacking
phanleson
 
Firewalls
FirewallsFirewalls
Firewalls
hemantag
 
08 tcp-dns
08 tcp-dns08 tcp-dns
08 tcp-dns
pantu_1961
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
phanleson
 
Barriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC BerkeleyBarriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC Berkeley
joebeone
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
David Sweigert
 

Empfohlen

Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IP
Sukh Sandhu
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
eroglu
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hacking
phanleson
 
Firewalls
FirewallsFirewalls
Firewalls
hemantag
 
08 tcp-dns
08 tcp-dns08 tcp-dns
08 tcp-dns
pantu_1961
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
phanleson
 
Barriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC BerkeleyBarriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC Berkeley
joebeone
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
David Sweigert
 
Best!
Best!Best!
Best!
gofortution
 
CEHv7 Question Collection
CEHv7 Question CollectionCEHv7 Question Collection
CEHv7 Question Collection
Manish Luintel
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
leminhvuong
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical Hacker
David Sweigert
 
Ip Spoofing
Ip SpoofingIp Spoofing
Ip Spoofing
Roushan Jha
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
Himani Singh
 
Networking lab
Networking labNetworking lab
Networking lab
Ragu Ram
 
Chapter 01 - Overview
Chapter 01 - OverviewChapter 01 - Overview
Chapter 01 - Overview
phanleson
 
Copy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attackCopy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attack
Vishal Gurujuwada
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigations
Mukesh Chaudhari
 
Authentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless ProtocolsAuthentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless Protocols
phanleson
 
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric VanderburgEthical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Eric Vanderburg
 
Scanning
ScanningScanning
Scanning
Ashok kumar sandhyala
 
Unit 3:Enterprise Security
Unit 3:Enterprise SecurityUnit 3:Enterprise Security
Unit 3:Enterprise Security
prachi67
 
Aircrack
AircrackAircrack
Aircrack
Nithin Sathees
 
Wireshark tcp - 2110165028
Wireshark tcp - 2110165028Wireshark tcp - 2110165028
Wireshark tcp - 2110165028
Nanda Afif
 
Wireshark tcp
Wireshark tcpWireshark tcp
Wireshark tcp
Yasin Abdullah
 
Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning
Viren Rao
 
THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST...
THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST...THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST...
THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST...
ijsptm
 
Lab manual cn-2012-13
Lab manual cn-2012-13Lab manual cn-2012-13
Lab manual cn-2012-13
Sasi Kala
 
security problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suitesecurity problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suite
Yash Kotak
 
6005679.ppt
6005679.ppt6005679.ppt
6005679.ppt
AlmaOraevi
 

Weitere ähnliche Inhalte

Was ist angesagt?

Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
leminhvuong
 
Chapter 01 - Overview
Chapter 01 - OverviewChapter 01 - Overview
Chapter 01 - Overview
phanleson
 
Copy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attackCopy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attack
Vishal Gurujuwada
 
THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST...
THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST...THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST...
THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST...
ijsptm
 
Lab manual cn-2012-13
Lab manual cn-2012-13Lab manual cn-2012-13
Lab manual cn-2012-13
Sasi Kala
 

Was ist angesagt? (20)

Best!
Best!Best!
Best!
 
CEHv7 Question Collection
CEHv7 Question CollectionCEHv7 Question Collection
CEHv7 Question Collection
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical Hacker
 
Ip Spoofing
Ip SpoofingIp Spoofing
Ip Spoofing
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
 
Networking lab
Networking labNetworking lab
Networking lab
 
Chapter 01 - Overview
Chapter 01 - OverviewChapter 01 - Overview
Chapter 01 - Overview
 
Copy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attackCopy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attack
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigations
 
Authentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless ProtocolsAuthentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless Protocols
 
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric VanderburgEthical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
 
Scanning
ScanningScanning
Scanning
 
Unit 3:Enterprise Security
Unit 3:Enterprise SecurityUnit 3:Enterprise Security
Unit 3:Enterprise Security
 
Aircrack
AircrackAircrack
Aircrack
 
Wireshark tcp - 2110165028
Wireshark tcp - 2110165028Wireshark tcp - 2110165028
Wireshark tcp - 2110165028
 
Wireshark tcp
Wireshark tcpWireshark tcp
Wireshark tcp
 
Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning
 
THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST...
THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST...THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST...
THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST...
 
Lab manual cn-2012-13
Lab manual cn-2012-13Lab manual cn-2012-13
Lab manual cn-2012-13
 

Ähnlich wie 12 tcp-dns

Application Layer and Socket Programming
Application Layer and Socket ProgrammingApplication Layer and Socket Programming
Application Layer and Socket Programming
elliando dias
 
Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)
NYversity
 
Oss web application and network security
Oss web application and network securityOss web application and network security
Oss web application and network security
Rishabh Mehan
 
16.) layer 3 (basic tcp ip routing)
16.) layer 3 (basic tcp ip routing)16.) layer 3 (basic tcp ip routing)
16.) layer 3 (basic tcp ip routing)
Jeff Green
 

Ähnlich wie 12 tcp-dns (20)

security problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suitesecurity problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suite
 
6005679.ppt
6005679.ppt6005679.ppt
6005679.ppt
 
Firewall
FirewallFirewall
Firewall
 
The Network Protocol Stack Revisited
The Network Protocol Stack RevisitedThe Network Protocol Stack Revisited
The Network Protocol Stack Revisited
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
Wi Fi
Wi FiWi Fi
Wi Fi
 
Unit 8 Java
Unit 8 JavaUnit 8 Java
Unit 8 Java
 
Application Layer and Socket Programming
Application Layer and Socket ProgrammingApplication Layer and Socket Programming
Application Layer and Socket Programming
 
Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)
 
Oss web application and network security
Oss web application and network securityOss web application and network security
Oss web application and network security
 
More on Tcp/Ip
More on Tcp/IpMore on Tcp/Ip
More on Tcp/Ip
 
Wireshark Basics
Wireshark BasicsWireshark Basics
Wireshark Basics
 
Web Security
Web SecurityWeb Security
Web Security
 
Week8 lec1-bscs1
Week8 lec1-bscs1Week8 lec1-bscs1
Week8 lec1-bscs1
 
Unit-4 networking basics in java
Unit-4 networking basics in javaUnit-4 networking basics in java
Unit-4 networking basics in java
 
Ip security
Ip security Ip security
Ip security
 
16.) layer 3 (basic tcp ip routing)
16.) layer 3 (basic tcp ip routing)16.) layer 3 (basic tcp ip routing)
16.) layer 3 (basic tcp ip routing)
 
TCPIP
TCPIPTCPIP
TCPIP
 
Osi model
Osi modelOsi model
Osi model
 
Ip Sec
Ip SecIp Sec
Ip Sec
 

12 tcp-dns

  • 1. Network Protocols and Vulnerabilities John Mitchell CS 155 Spring 2008
  • 2. Outline Basic Networking Network attacks  Attacking host-to-host datagram protocols  SYN flooding, TCP Spoofing, …  Attacking network infrastructure  Routing  Domain Name System This lecture is about the way things work now and how they are not perfect. Next lecture – some security improvements (still not perfect)
  • 3. Backbone ISP ISP Internet Infrastructure Local and interdomain routing  TCP/IP for routing, connections  BGP for routing announcements Domain Name System  Find IP address from symbolic name (www.cs.stanford.edu)
  • 4. TCP Protocol Stack Application Transport Network Link Application protocol TCP protocol IP protocol Data Link IP Network Access IP protocol Data Link Application Transport Network Link
  • 5. Data Formats Application Transport (TCP, UDP) Network (IP) Link Layer Application message - data TCP data TCP data TCP data TCP Header dataTCPIP IP Header dataTCPIPETH ETF Link (Ethernet) Header Link (Ethernet) Trailer segment packet frame message
  • 6. Internet Protocol Connectionless  Unreliable  Best effort Transfer datagram  Header  Data IP Version Header Length Type of Service Total Length Identification Flags Time to Live Protocol Header Checksum Source Address of Originating Host Destination Address of Target Host Options Padding IP Data Fragment Offset
  • 7. IP Routing Internet routing uses numeric IP address Typical route uses several hops Meg Tom ISP Office gateway 121.42.33.12 132.14.11.51 Source Destination Packet 121.42.33.12 121.42.33.1 132.14.11.51 132.14.11.1
  • 8. IP Protocol Functions (Summary) Routing  IP host knows location of router (gateway)  IP gateway must know route to other networks Fragmentation and reassembly  If max-packet-size less than the user-data-size Error reporting  ICMP packet to source if packet is dropped
  • 9. User Datagram Protocol IP provides routing  IP address gets datagram to a specific machine UDP separates traffic by port  Destination port number gets UDP datagram to particular application process, e.g., 128.3.23.3, 53  Source port number provides return address Minimal guarantees  No acknowledgment  No flow control  No message continuation UDP
  • 10. Transmission Control Protocol Connection-oriented, preserves order  Sender  Break data into packets  Attach packet numbers  Receiver  Acknowledge receipt; lost packets are resent  Reassemble packets in correct order TCP Book Mail each page Reassemble book 19 5 1 1 1
  • 11. Internet Control Message Protocol Provides feedback about network operation  Error reporting  Reachability testing  Congestion Control Example message types  Destination unreachable  Time-to-live exceeded  Parameter problem  Redirect to better gateway  Echo/echo reply - reachability test  Timestamp request/reply - measure transit delay ICMP
  • 12. Basic Security Problems Network packets pass by untrusted hosts  Eavesdropping, packet sniffing (e.g., “ngrep”) IP addresses are public  Smurf TCP connection requires state  SYN flooding attack TCP state can be easy to guess  TCP spoofing attack
  • 13. Packet Sniffing Promiscuous NIC reads all packets  Read all unencrypted data (e.g., “ngrep”)  ftp, telnet send passwords in clear! Alice Bob Eve Network Prevention: Encryption, improved routing (Another lecture: IPSEC) Sweet Hall attack installed sniffer on local machine
  • 14. Smurf DoS Attack Send ping request to broadcast addr (ICMP Echo Req) Lots of responses:  Every host on target network generates a ping reply (ICMP Echo Reply) to victim  Ping reply stream can overload victim Prevention: reject external packets to broadcast address gatewayDoS Source DoS Target 1 ICMP Echo Req Src: Dos Target Dest: brdct addr 3 ICMP Echo Reply Dest: Dos Target
  • 15. TCP Handshake C S SYNC SYNS, ACKC+1 ACKS+1 Listening Store data Wait Connected
  • 16. SYN Flooding C S SYNC1 Listening Store data SYNC2 SYNC3 SYNC4 SYNC5
  • 17. SYN Flooding Attacker sends many connection requests  Spoofed source addresses Victim allocates resources for each request  Connection requests exist until timeout  Fixed bound on half-open connections Resources exhausted requests rejected
  • 18. Protection against SYN Attacks Client sends SYN Server responds to Client with SYN-ACK cookie  sqn = f(src addr, src port, dest addr, dest port, rand)  Normal TCP response but server does not save state Honest client responds with ACK(sqn) Server checks response  If matches SYN-ACK, establishes connection  “rand” is top 5 bits of 32-bit time counter  Server checks client response against recent values See http://cr.yp.to/syncookies.html [Bernstein, Schenk]
  • 19. TCP Connection Spoofing Each TCP connection has an associated state  Client IP and port number; same for server  Sequence numbers for client, server flows Problem  Easy to guess state  Port numbers are standard  Sequence numbers often chosen in predictable way
  • 20. IP Spoofing Attack A, B trusted connection  Send packets with predictable seq numbers E impersonates B to A  Opens connection to A to get initial seq number  SYN-floods B’s queue  Sends packets to A that resemble B’s transmission  E cannot receive, but may execute commands on A Server A B E Attack can be blocked if E is outside firewall.
  • 21. TCP Sequence Numbers Need high degree of unpredictability  If attacker knows initial seq # and amount of traffic sent, can estimate likely current values  Send a flood of packets with likely seq numbers  Attacker can inject packets into existing connection Some implementations are vulnerable
  • 22. Recent DoS vulnerability [Watson’04] Suppose attacker can guess seq. number for an existing connection:  Attacker can send Reset packet to close connection. Results in DoS.  Naively, success prob. is 1/232 (32-bit seq. #’s).  Most systems allow for a large window of acceptable seq. #’s  Much higher success probability. Attack is most effective against long lived connections, e.g. BGP.
  • 23. Cryptographic network protection Solutions above the transport layer  Examples: SSL and SSH  Protect against session hijacking and injected data  Do not protect against denial-of-service attacks caused by spoofed packets Solutions at network layer  Use cryptographically random ISNs [RFC 1948]  More generally: IPsec  Can protect against  session hijacking and injection of data  denial-of-service attacks using session resets
  • 24. Wireless Threats Passive Eavesdropping/Traffic Analysis  Easy, most wireless NICs have promiscuous mode Message Injection/Active Eavesdropping  Easy, some techniques to gen. any packet with common NIC Message Deletion and Interception  Possible, interfere packet reception with directional antennas Masquerading and Malicious AP  Easy, MAC address forgeable and s/w available (HostAP) Session Hijacking Man-in-the-Middle Denial-of-Service: cost related evaluation
  • 25. Evolution of Wireless Security 802.11 (Wired Equivalent Protocol)  Authentication: Open system (SSID) and Shared Key  Authorization: some vendors use MAC address filtering  Confidentiality/Integrity: RC4 + CRC WPA: Wi-Fi Protected Access  Authentication: 802.1X  Confidentiality/Integrity: TKIP  Reuse legacy hardware, still problematic IEEE 802.11i (Ratified 2004 ): WPA2  Mutual authentication  Data confidentiality and integrity: CCMP  Key management  Availability
  • 26. What Went Wrong With WEP No Key Management  Long Lived keys  Fix: Use 802.1X ( Standard for user, device authentication ) Crypto Issues RC4 cipher stream  Key size: 40 bit keys  Initialization Vector too small:24 bit  Integrity Check Value based on CRC-32  Authentication messages can be forged
  • 27. Authentica -tion Server (RADIUS) No Key Authenticator UnAuth/UnAssoc 802.1X Blocked No Key Supplicant UnAuth/UnAssoc 802.1X Blocked No Key Supplicant Auth/Assoc 802.1X Blocked No Key Authenticator Auth/Assoc 802.1X Blocked No Key Authentica -tion Server (RADIUS) No Key 802.11 Association EAP/802.1X/RADIUS Authentication Supplicant Auth/Assoc 802.1X Blocked MSK Authenticator Auth/Assoc 802.1X Blocked No Key Authentica -tion Server (RADIUS) MSK MSK Supplicant Auth/Assoc 802.1X Blocked PMK Authenticator Auth/Assoc 802.1X Blocked PMK Authentica -tion Server (RADIUS) No Key 4-Way Handshake Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica -tion Server (RADIUS) No Key Group Key Handshake Supplicant Auth/Assoc 802.1X UnBlocked New GTK Authenticator Auth/Assoc 802.1X UnBlocked New GTK Authentica -tion Server (RADIUS) No Key IEEE 802.11i - WPA2 Data Communication Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica -tion Server (RADIUS) No Key
  • 28. Security issues in development of 802.11i ATTACKS SOLUTIONS security rollback supplicant manually choose security; authenticator restrict pre-RSNA to only insensitive data. reflection attack each participant plays the role of either authenti- cator or supplicant; if both, use different PMKs. attack on Michael countermeasures cease connections for a specific time instead of re-key and deauthentication; update TSC before MIC and after FCS, ICV are validated. RSN IE poisoning Authenticate Beacon and Probe Response frame; Confirm RSN IE in an earlier stage; Relax the condition of RSN IE confirmation. 4-way handshake blocking adopt random-drop queue, not so effective; authenticate Message 1, packet format modified; re-use supplicant nonce, eliminate memory DoS.
  • 29. TCP Congestion Control If packets are lost, assume congestion  Reduce transmission rate by half, repeat  If loss stops, increase rate very slowly Design assumes routers blindly obey this policy Source Destination
  • 30. Competition Amiable Alice yields to boisterous Bob  Alice and Bob both experience packet loss  Alice backs off  Bob disobeys protocol, gets better results Source A Source B Destination Destination
  • 31. Routing Vulnerabilities Source routing  Sender can specify source routing  Can direct response through compromised host Routing Information Protocol (RIP)  Direct client traffic through compromised host Exterior gateway protocols  Advertise false routes  Send traffic through compromised hosts
  • 32. Source Routing Attacks Attack  Destination host may use reverse of source route provided in TCP open request to return traffic  Modify the source address of a packet  Route traffic through machine controlled by attacker Defenses  Only accept source route if trusted gateways listed in source routing info  Gateway rejects external packets claiming to be local  Reject pre-authorized connections if source routing info present
  • 33. Routing Table Update Protocols Interior Gateway Protocols: IGPs  distance vector type - each gateway keeps track of its distance to all destinations  Gateway-to-Gateway: GGP  Routing Information Protocol: RIP Exterior Gateway Protocol: EGP  used for communication between different autonomous systems
  • 34. Interdomain Routing connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain) Interior Gateway Protocol Exterior Gateway Protocol Autonomous System earthlink.net Stanford.edu
  • 35. BGP overview Iterative path announcement  Path announcements grow from destination to source  Packets flow in reverse direction Protocol specification  Announcements can be shortest path  Nodes allowed to use other policies  E.g., “cold-potato routing” by smaller peer  Not obligated to use path you announce
  • 36. BGP example [D. Wetherall] Transit: 2 provides transit for 7 Algorithm seems to work OK in practice  BGP is does not respond well to frequent node outages 3 4 6 5 7 1 8 2 7 7 2 7 2 7 2 7 3 2 7 6 2 7 2 6 52 6 5 2 6 5 3 2 6 5 7 2 6 5 6 5 5 5
  • 37. Issues Security problems  Potential for disruptive attacks  BGP packets are un-authenticated Incentive for dishonesty  ISP pays for some routes, others free
  • 38. Atlanta St. Louis San Francisco Denver Cambridge Washington, D.C. Orlando Chicago Seattle Los Angeles Detroit Houston New York Phoenix San Diego Austin Philadelphia Dallas 2 Kansas City BGP Route Instability Good route from San Francisco to Cambridge, MA
  • 39. Atlanta St. Louis San Francisco Denver Cambridge Washington, D.C. Orlando Chicago Seattle Los Angeles Detroit Houston New York Phoenix San Diego Austin Philadelphia Dallas 2 Kansas City BGP Route Instability If Denver-Chicago goes down, route cancellation propagates to SF
  • 40. Atlanta St. Louis San Francisco Denver Cambridge Washington, D.C. Orlando Chicago Seattle Los Angeles Detroit Houston New York Phoenix San Diego Austin Philadelphia Dallas 2 Kansas City BGP Route Instability SF chooses next best route, which may include Denver-Chicago along a longer path Route cancellation message through Seattle has not reached SF because this route to SF is longer
  • 41. Domain Name System Hierarchical Name Space root edunetorg ukcom ca wisc ucb stanford cmu mit cs ee www DNS
  • 42. DNS Root Name Servers Hierarchical service  Root name servers for top-level domains  Authoritative name servers for subdomains  Local name resolvers contact authoritative servers when they do not know a name
  • 43. DNS Lookup Example Client Local DNS resolver root & edu DNS server stanford.edu DNS server www.cs.stanford.edu cs.stanford.edu DNS server
  • 44. Caching DNS responses are cached  Quick response for repeated translations  Useful for finding servers as well as addresses  NS records for domains DNS negative queries are cached  Save time for nonexistent sites, e.g. misspelling Cached data periodically times out  Lifetime (TTL) of data controlled by owner of data  TTL passed with every record Some funny stuff allowed by RFC  Discuss cache poisoning in a few slides
  • 45. Lookup using cached DNS server Client Local DNS recursive resolver root & edu DNS server stanford.edu DNS server cs.stanford.edu DNS server ftp.cs.stanford.edu
  • 46. DNS Implementation Vulnerabilities DNS implementations have had same kinds of vulnerabilities as other software  Reverse query buffer overrun in BIND Releases 4.9 (4.9.7 prior) and Releases 8 (8.1.2 prior)  gain root access  abort DNS service  MS DNS for NT 4.0 (service pack 3 and prior)  crashes on chargen stream  telnet ntbox 19 | telnet ntbox 53 Moral  Better software quality is important  Defense in depth!
  • 47. Inherent DNS Vulnerabilities Users/hosts typically trust the host-address mapping provided by DNS Obvious problems  Interception of requests or compromise of DNS servers can result in incorrect or malicious responses  Solution – authenticated requests/responses Some funny stuff allowed by RFC  Name server may delegate name to another NS (this is OK)  If name is delegated, may also supply IP addr (this is trouble)
  • 48. DNS cache poisoning DNS resource records (see RFC 1034)  An “A” record supplies a host IP address  A “NS” record supplies name server for domain Example  www.evil.org NS ns.yahoo.com /delegate to yahoo  ns.yahoo.com A 1.2.3.4 / address for yahoo Result  If resolver looks up www.evil.org, then evil name server will give resolver address 1.2.3.4 for yahoo  Lookup for yahoo through cache goes to 1.2.3.4
  • 49. Pharming DNS poisoning attack (less common than phishing)  Change IP addresses to redirect URLs to fraudulent sites  Potentially more dangerous than phishing attacks  No email solicitation is required DNS poisoning attacks have occurred:  January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.  In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy  In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops"
  • 50. DNS Rebinding Attack Read permitted: it’s the “same origin” Firewall www.evil.com web server ns.evil.com DNS server 171.64.7.115 www.evil.com? corporate web server 171.64.7.115 TTL = 0 <iframe src="http://www.evil.com"> 192.168.0.100 192.168.0.100 [DWF’96, R’01] DNS-SEC cannot stop this attack
  • 51. DNS Rebinding Defenses Browser mitigation: DNS Pinning  Refuse to switch to a new IP  Interacts poorly with proxies, VPN, dynamic DNS, …  Not consistently implemented in any browser Server-side defenses  Check Host header for unrecognized domains  Authenticate users with something other than IP Firewall defenses  External names can’t resolve to internal addresses  Protects browsers inside the organization
  • 52. Summary (I) Eavesdropping  Encryption, improved routing Smurf  Drop external packets to brdcst address SYN Flooding  SYN Cookies IP spoofing  Use less predictable sequence numbers
  • 53. Summary (II) Source routing attacks  Additional info in packets, tighter control over routing Interdomain routing  Authenticate routing announcements  Many other issues DNS attacks  Cache poisoning  Pharming  Rebinding