2. Data Formats
TCP Header
Application message - data
Application message
Transport (TCP, UDP) segment TCP data TCP data TCP data
Network (IP) packet
k t
IP TCP data
Link Layer
y frame ETH IP TCP data ETF
IP Header Link (Ethernet) Link (Ethernet)
Header Trailer
3. IP
Internet Protocol
Version Header Length
Connectionless Type of S i
T f Service
Unreliable Total Length
Identification
Best effort Flags Fragment Offset
Time to Live
Protocol
Notes: Header Checksum
src and dest ports Source Address of Originating Host
not parts of IP hdr
g
Destination Address of Target Host
Options
Padding
IP Data
4. Packet forging
Client is trusted to embed correct source IP
Easy to override using raw sockets
Libnet: a library for formatting raw packets with
arbitrary IP h d
bit headers
Anyone who owns their machine can send packets
with arbitrary source IP
⊠response will be sent back to forged source IP
Implications:
Anonymous DoS attacks;
y ;
Anonymous infection attacks
5. Basic Security Problems
1. Network packets pass by untrusted hosts
Eavesdropping, packet sniffing
Especially easy when attacker controls a
p y y
machine close to victim
2. TCP state can be easy to guess
Enables spoofing and session hijacking
3. Denial of Service (DoS) vulnerabilities
6. 1 Packet Sniffing
1.
Promiscuous NIC reads all packets
Read all unencrypted data (e.g., âwiresharkâ)
ftp, telnet (and POP, IMAP) send passwords in clear!
p, ( , ) p
Eve
Alice
Ali Network Bob
B b
Prevention: Encryption SSL (is it still secure??)
7. 2 Breaking SSL encryption
2.
Certificate used for encryption
8. 2 Breaking SSL encryption
2.
Certificate created by attacker and accepted
by victim (normally a user ignores warning)
attacker can-
Sniff the encrypted passwords
Decrypt the passwords
Countermeasures
C t
Untrusted certificate should never be accepted
All trusted certificates should be installed in the browser
9. Review: TCP Handshake
C S
SN ârandC
SYN: ANC â0 Listening
C
SNSârandS Store SNC , SNS
SYN/ACK: AN âSN
S C
Wait
SNâSNC+1
ACK: AN SN
ANâSNS
Established
10. 2 TCP Connection Spoofing
2.
Why random initial sequence numbers? (SNC , SNS )
y q (
Suppose init. sequence numbers are predictable
Attacker can create TCP session on behalf of forged source IP
Breaks IP-based authentication (e.g. SPF, /etc/hosts )
TCP SYN
srcIP=victim SYN/ACK
dstIP=victim Victim
ACK SN=server SNS
srcIP=victim Server
attacker
AN=predicted SNS
server thinks command
command is from victim IP addr
11. Example DoS vulnerability
Suppose attacker can guess seq. number for an
pp g q
existing connection:
Attacker can send Reset packet to
close connection. Results in DoS.
Naively, success prob. is 1/232 (32-bit seq. #âs).
Most systems allow for a large window of
acceptable seq. #âs
Much higher success probability.
12. TCP SYN Flood I: low rate
C S Single machine:
âą SYN Packets with
SYNC1 random source IP
d
SYNC2 addresses
âą Fills up backlog queue
SYNC3
on server
SYNC
C4 âą No further connections
possible
SYNC5
12
13. SYN Floods II: Massive flood
Command bot army to flood specific target: (DDoS)
y p g
20,000 bots can generate 2Gb/sec of SYNs (2003)
At web site:
Saturates network uplink or network router
p
Random source IP â
attack SYNs look the same as real SYNs
13
14. NIC as cpu
Attempt to connect to the victim machine, which
fails:
Sending a âmagicâ packet to the victim:
It worked! Now logged i as root:
k d l d in
14
15. NIC as cpu
PoC exists with Broadcom (Manufacturer of NICs)
We can remotely execute shell code on the NIC
Through shell code we can read/write data on main
hard drive
As shown we can login as root without even exploiting the
system
15
17. Routing Vulnerabilities
Common attack: advertise false routes
Causes traffic to go though compromised hosts
ARP (addr resolution protocol): IP addr -> eth addr
Node A can confuse gateway into sending it traffic for B
OSPF: used for routing within an AS
BGP: routing between ASs
Attacker can cause entire Internet to send traffic
for a victim IP to attackerâs address.
18. Issues
Security problems
Potential for disruptive attacks
BGP packets are un-authenticated
p
Attacker can advertise arbitrary routes
Advertisement will propagate everywhere
Used for DoS and spam
19. DoS via route hijacking
YouTube is 208.65.152.0/22 (includes 210 IP addr)
youtube.com
youtube com is 208 65 153 238 âŠ
208.65.153.238,
Feb. 2008:
Pakistan telecom advertised a BGP path for
208.65.153.0/24 (includes 28 IP addr)
Routing decisions use most specific prefix
The entire Internet now thinks
208.65.153.238
208 65 153 238 is in Pakistan
Outage resolved within two hours⊠but demonstrates huge DoS vuln. with no
solution!
March 2010:
1 ISP in US configured BGP route wrongly which led some users from US to be a
victim of the great firewall of china
These victims were redirected to some Chinese govt. Websites instead of legitimate
g g
sites
21. DNS
Domain Name System
Hierarchical Name Space
root
org net com edu uk ca
orkut yahoo google facebook
www mail
22. DNS Lookup Example
root & com
www.google.com
DNS server
google.com
Local DNS DNS server
Client
resolver
DNS record types (partial list):
- NS: name server (points to other server)
- A: address record (contains IP address)
- MX: address in charge of handling email
- TXT: generic text (e.g. used to distribute site public keys (DKIM)
23. Caching
DNS responses are cached
p
Quick response for repeated translations
Useful for finding servers as well as addresses
NS records for domains
DNS negative queries are cached
g q
Save time for nonexistent sites, e.g. misspelling
Cached data periodically times out
Lifetime (TTL) of data controlled by owner of data
TTL passed with every record
24. DNS cache poisoning
Victim machine visits attackerâs web site, downloads Javascript
Query: a.bank.com
user a.bank.com
a bank com local Q
QID=x1
ns.bank.com
ns bank com
browser DNS
resolver IPaddr
Random QID y1, y2, âŠ
NS bank.com=ns.bank.com
A ns.bank.com=attackerIP
attacker wins if âj: x1 = yj attacker
response is cached and
attacker owns bank.com
25. Defenses
Increase Query ID size.
Q y How?
a. Randomize src port, additional 11 bits
p ,
Now attack takes several hours
b. Ask every DNS query twice:
Attacker has to guess QueryID correctly twice (32 bits)
Apparently DNS system cannot handle the load
26. Pharming
DNS poisoning attack (less common than phishing)
p g ( p g)
If user visits attackerâs site the cache of user can be poisoned
Change IP addresses to redirect URLs to fraudulent sites
Potentially more da ge ous t a p s g attac s
ote t a y o e dangerous than phishing attacks
No email solicitation is required
DNS poisoning attacks have occurred:
January 2005, the domain name for a large New York ISP,
Panix, was hijacked to a site in Australia.
In November 2004, Google and Amazon users were sent to
2004
Med Network Inc., an online pharmacy
In March 2003, a group dubbed the "Freedom Cyber Force
Militia" hijacked visitors to the Al-Jazeera Web site and
j
presented them with the message "God Bless Our Troops"
27. Spoofing
DNS spoofing attack
p g
Intercept the DNS query from the victim
Spoof the ip address of the real url
Se d o ged
Send forged DNS response with the attac e s ip
S espo se t t e attackerâs p
Victim thinks its legitimate as he accessed real url and gets
no warning
Can be used for phishing attacks where social engineering
p g g g
not possible
28. [DWFâ96, Râ01]
DNS Rebinding Attack
g
<iframe src="http://www.evil.com"> DNS-SEC cannot
stop this attack
www.evil.com?
ns.evil.com
171.64.7.115
171 64 7 115 TTL = 0
DNS server
Firew
192.168.0.100
wall
www.evil.com
web server
corporate
web server 171.64.7.115
192.168.0.100
Read permitted: it s the âsame origin
itâs same originâ
29. DNS Rebinding Defenses
Browser mitigation: DNS Pinning
Refuse to switch to a new IP
Interacts poorly with proxies, VPN, dynamic DNS, âŠ
p y p , , y ,
Not consistently implemented in any browser
Server-side defenses
Check Host header for unrecognized domains
Firewall defenses
External names canât resolve to internal addresses
Protects browsers inside the organization
30. Summary
Core protocols not designed for security
p g y
Eavesdropping, Packet injection, Route stealing,
DNS poisoning
Patched over time to prevent basic attacks
(e.g. random TCP SN)
More secure variants exist :
IP -> IPsec
DNS -> DNSsec
BGP -> SBGP