SlideShare ist ein Scribd-Unternehmen logo

Network and DNS Vulnerabilities

‱
‱
n|u - The Open Security Community
n|u - The Open Security Community

A compilation of attack vectors of the network including TCP/IP stack, Routing algorithms and DNS

Technologie
1 von 30
Downloaden Sie, um offline zu lesen
n|u Network and DNS Vulnerabilities V l biliti Presented by: Harsimran Walia
Data Formats TCP Header Application message - data Application message Transport (TCP, UDP) segment TCP data TCP data TCP data Network (IP) packet k t IP TCP data Link Layer y frame ETH IP TCP data ETF IP Header Link (Ethernet) Link (Ethernet) Header Trailer
IP Internet Protocol Version Header Length Connectionless Type of S i T f Service Unreliable Total Length Identification Best effort Flags Fragment Offset Time to Live Protocol Notes: Header Checksum src and dest ports Source Address of Originating Host not parts of IP hdr g Destination Address of Target Host Options Padding IP Data
Packet forging Client is trusted to embed correct source IP Easy to override using raw sockets Libnet: a library for formatting raw packets with arbitrary IP h d bit headers Anyone who owns their machine can send packets with arbitrary source IP 
 response will be sent back to forged source IP Implications: Anonymous DoS attacks; y ; Anonymous infection attacks
Basic Security Problems 1. Network packets pass by untrusted hosts Eavesdropping, packet sniffing Especially easy when attacker controls a p y y machine close to victim 2. TCP state can be easy to guess Enables spoofing and session hijacking 3. Denial of Service (DoS) vulnerabilities
1 Packet Sniffing 1. Promiscuous NIC reads all packets Read all unencrypted data (e.g., “wireshark”) ftp, telnet (and POP, IMAP) send passwords in clear! p, ( , ) p Eve Alice Ali Network Bob B b Prevention: Encryption SSL (is it still secure??)
2 Breaking SSL encryption 2. Certificate used for encryption
2 Breaking SSL encryption 2. Certificate created by attacker and accepted by victim (normally a user ignores warning) attacker can- Sniff the encrypted passwords Decrypt the passwords Countermeasures C t Untrusted certificate should never be accepted All trusted certificates should be installed in the browser
Review: TCP Handshake C S SN ←randC SYN: ANC ←0 Listening C SNS←randS Store SNC , SNS SYN/ACK: AN ←SN S C Wait SN←SNC+1 ACK: AN SN AN←SNS Established
2 TCP Connection Spoofing 2. Why random initial sequence numbers? (SNC , SNS ) y q ( Suppose init. sequence numbers are predictable Attacker can create TCP session on behalf of forged source IP Breaks IP-based authentication (e.g. SPF, /etc/hosts ) TCP SYN srcIP=victim SYN/ACK dstIP=victim Victim ACK SN=server SNS srcIP=victim Server attacker AN=predicted SNS server thinks command command is from victim IP addr
Example DoS vulnerability Suppose attacker can guess seq. number for an pp g q existing connection: Attacker can send Reset packet to close connection. Results in DoS. Naively, success prob. is 1/232 (32-bit seq. #’s). Most systems allow for a large window of acceptable seq. #’s Much higher success probability.
TCP SYN Flood I: low rate C S Single machine: ‱ SYN Packets with SYNC1 random source IP d SYNC2 addresses ‱ Fills up backlog queue SYNC3 on server SYNC C4 ‱ No further connections possible SYNC5 12
SYN Floods II: Massive flood Command bot army to flood specific target: (DDoS) y p g 20,000 bots can generate 2Gb/sec of SYNs (2003) At web site: Saturates network uplink or network router p Random source IP ⇒ attack SYNs look the same as real SYNs 13
NIC as cpu Attempt to connect to the victim machine, which fails: Sending a ‘magic’ packet to the victim: It worked! Now logged i as root: k d l d in 14
NIC as cpu PoC exists with Broadcom (Manufacturer of NICs) We can remotely execute shell code on the NIC Through shell code we can read/write data on main hard drive As shown we can login as root without even exploiting the system 15
Routing Vulnerabilities
Routing Vulnerabilities Common attack: advertise false routes Causes traffic to go though compromised hosts ARP (addr resolution protocol): IP addr -> eth addr Node A can confuse gateway into sending it traffic for B OSPF: used for routing within an AS BGP: routing between ASs Attacker can cause entire Internet to send traffic for a victim IP to attacker’s address.
Issues Security problems Potential for disruptive attacks BGP packets are un-authenticated p Attacker can advertise arbitrary routes Advertisement will propagate everywhere Used for DoS and spam
DoS via route hijacking YouTube is 208.65.152.0/22 (includes 210 IP addr) youtube.com youtube com is 208 65 153 238 
 208.65.153.238, Feb. 2008: Pakistan telecom advertised a BGP path for 208.65.153.0/24 (includes 28 IP addr) Routing decisions use most specific prefix The entire Internet now thinks 208.65.153.238 208 65 153 238 is in Pakistan Outage resolved within two hours
 but demonstrates huge DoS vuln. with no solution! March 2010: 1 ISP in US configured BGP route wrongly which led some users from US to be a victim of the great firewall of china These victims were redirected to some Chinese govt. Websites instead of legitimate g g sites
Domain Name System
DNS Domain Name System Hierarchical Name Space root org net com edu uk ca orkut yahoo google facebook www mail
DNS Lookup Example root & com www.google.com DNS server google.com Local DNS DNS server Client resolver DNS record types (partial list): - NS: name server (points to other server) - A: address record (contains IP address) - MX: address in charge of handling email - TXT: generic text (e.g. used to distribute site public keys (DKIM)
Caching DNS responses are cached p Quick response for repeated translations Useful for finding servers as well as addresses NS records for domains DNS negative queries are cached g q Save time for nonexistent sites, e.g. misspelling Cached data periodically times out Lifetime (TTL) of data controlled by owner of data TTL passed with every record
DNS cache poisoning Victim machine visits attacker’s web site, downloads Javascript Query: a.bank.com user a.bank.com a bank com local Q QID=x1 ns.bank.com ns bank com browser DNS resolver IPaddr Random QID y1, y2, 
 NS bank.com=ns.bank.com A ns.bank.com=attackerIP attacker wins if ∃j: x1 = yj attacker response is cached and attacker owns bank.com
Defenses Increase Query ID size. Q y How? a. Randomize src port, additional 11 bits p , Now attack takes several hours b. Ask every DNS query twice: Attacker has to guess QueryID correctly twice (32 bits) Apparently DNS system cannot handle the load
Pharming DNS poisoning attack (less common than phishing) p g ( p g) If user visits attacker’s site the cache of user can be poisoned Change IP addresses to redirect URLs to fraudulent sites Potentially more da ge ous t a p s g attac s ote t a y o e dangerous than phishing attacks No email solicitation is required DNS poisoning attacks have occurred: January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia. In November 2004, Google and Amazon users were sent to 2004 Med Network Inc., an online pharmacy In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and j presented them with the message "God Bless Our Troops"
Spoofing DNS spoofing attack p g Intercept the DNS query from the victim Spoof the ip address of the real url Se d o ged Send forged DNS response with the attac e s ip S espo se t t e attacker’s p Victim thinks its legitimate as he accessed real url and gets no warning Can be used for phishing attacks where social engineering p g g g not possible
[DWF’96, R’01] DNS Rebinding Attack g <iframe src="http://www.evil.com"> DNS-SEC cannot stop this attack www.evil.com? ns.evil.com 171.64.7.115 171 64 7 115 TTL = 0 DNS server Firew 192.168.0.100 wall www.evil.com web server corporate web server 171.64.7.115 192.168.0.100 Read permitted: it s the “same origin it’s same origin”
DNS Rebinding Defenses Browser mitigation: DNS Pinning Refuse to switch to a new IP Interacts poorly with proxies, VPN, dynamic DNS, 
 p y p , , y , Not consistently implemented in any browser Server-side defenses Check Host header for unrecognized domains Firewall defenses External names can’t resolve to internal addresses Protects browsers inside the organization
Summary Core protocols not designed for security p g y Eavesdropping, Packet injection, Route stealing, DNS poisoning Patched over time to prevent basic attacks (e.g. random TCP SN) More secure variants exist : IP -> IPsec DNS -> DNSsec BGP -> SBGP

Empfohlen

08 tcp-dns
08 tcp-dns08 tcp-dns
08 tcp-dns
pantu_1961
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
Himani Singh
 
network security
network securitynetwork security
network security
Srinivasa Rao
 
Tcp ip
Tcp ipTcp ip
Tcp ip
Akshay Nagpurkar
 
internet applications
internet applications internet applications
internet applications
Srinivasa Rao
 
Peer-to-Peer Application Recognition Based on Signaling Activity
Peer-to-Peer Application Recognition Based on Signaling ActivityPeer-to-Peer Application Recognition Based on Signaling Activity
Peer-to-Peer Application Recognition Based on Signaling Activity
Academia Sinica
 
Copy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attackCopy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attack
Vishal Gurujuwada
 
R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1
Raul Bernardino, BSc MSc
 

Empfohlen

08 tcp-dns
08 tcp-dns08 tcp-dns
08 tcp-dns
pantu_1961
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
Himani Singh
 
network security
network securitynetwork security
network security
Srinivasa Rao
 
Tcp ip
Tcp ipTcp ip
Tcp ip
Akshay Nagpurkar
 
internet applications
internet applications internet applications
internet applications
Srinivasa Rao
 
Peer-to-Peer Application Recognition Based on Signaling Activity
Peer-to-Peer Application Recognition Based on Signaling ActivityPeer-to-Peer Application Recognition Based on Signaling Activity
Peer-to-Peer Application Recognition Based on Signaling Activity
Academia Sinica
 
Copy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attackCopy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attack
Vishal Gurujuwada
 
R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1
Raul Bernardino, BSc MSc
 
Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IP
Sukh Sandhu
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
David Sweigert
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical Hacker
David Sweigert
 
12 tcp-dns
12 tcp-dns12 tcp-dns
12 tcp-dns
Culverton Blessy
 
WIRELESS NETWORK
WIRELESS NETWORKWIRELESS NETWORK
WIRELESS NETWORK
prakash m
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
btpsec
 
Advances in Network-adaptive Video Streaming
Advances in Network-adaptive Video StreamingAdvances in Network-adaptive Video Streaming
Advances in Network-adaptive Video Streaming
Videoguy
 
DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKS
Anil Antony
 
An analysis of the skype peer to-peer
An analysis of the skype peer to-peerAn analysis of the skype peer to-peer
An analysis of the skype peer to-peer
xiaoran815
 
Himanshupptx
HimanshupptxHimanshupptx
Himanshupptx
Himanshu Chaurishiya
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
masoodnt10
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hacking
phanleson
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptx
Ozkan E
 
An experimental study of the skype peer to-peer vo ip system
An experimental study of the skype peer to-peer vo ip systemAn experimental study of the skype peer to-peer vo ip system
An experimental study of the skype peer to-peer vo ip system
xiaoran815
 
Bluetooth mobileip
Bluetooth mobileipBluetooth mobileip
Bluetooth mobileip
ramlakshmiram
 
Common Dos and DDoS
Common Dos and DDoSCommon Dos and DDoS
Common Dos and DDoS
Jayesh Patel
 
Content aware p2 p video streaming with lowlatency
Content aware p2 p video streaming with lowlatencyContent aware p2 p video streaming with lowlatency
Content aware p2 p video streaming with lowlatency
xiaoran815
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
Siena Perry
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
Daniel T. Lee
 
CMIT 321 QUIZ 1
CMIT 321 QUIZ 1CMIT 321 QUIZ 1
CMIT 321 QUIZ 1
HamesKellor
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
guestd05b31
 
Multipath TCP
Multipath TCPMultipath TCP
Multipath TCP
Olivier Bonaventure
 

Weitere Àhnliche Inhalte

Was ist angesagt?

Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IP
Sukh Sandhu
 
WIRELESS NETWORK
WIRELESS NETWORKWIRELESS NETWORK
WIRELESS NETWORK
prakash m
 
Advances in Network-adaptive Video Streaming
Advances in Network-adaptive Video StreamingAdvances in Network-adaptive Video Streaming
Advances in Network-adaptive Video Streaming
Videoguy
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
masoodnt10
 
Bluetooth mobileip
Bluetooth mobileipBluetooth mobileip
Bluetooth mobileip
ramlakshmiram
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
Daniel T. Lee
 

Was ist angesagt? (20)

Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IP
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical Hacker
 
12 tcp-dns
12 tcp-dns12 tcp-dns
12 tcp-dns
 
WIRELESS NETWORK
WIRELESS NETWORKWIRELESS NETWORK
WIRELESS NETWORK
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
 
Advances in Network-adaptive Video Streaming
Advances in Network-adaptive Video StreamingAdvances in Network-adaptive Video Streaming
Advances in Network-adaptive Video Streaming
 
DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKS
 
An analysis of the skype peer to-peer
An analysis of the skype peer to-peerAn analysis of the skype peer to-peer
An analysis of the skype peer to-peer
 
Himanshupptx
HimanshupptxHimanshupptx
Himanshupptx
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hacking
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptx
 
An experimental study of the skype peer to-peer vo ip system
An experimental study of the skype peer to-peer vo ip systemAn experimental study of the skype peer to-peer vo ip system
An experimental study of the skype peer to-peer vo ip system
 
Bluetooth mobileip
Bluetooth mobileipBluetooth mobileip
Bluetooth mobileip
 
Common Dos and DDoS
Common Dos and DDoSCommon Dos and DDoS
Common Dos and DDoS
 
Content aware p2 p video streaming with lowlatency
Content aware p2 p video streaming with lowlatencyContent aware p2 p video streaming with lowlatency
Content aware p2 p video streaming with lowlatency
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
 
CMIT 321 QUIZ 1
CMIT 321 QUIZ 1CMIT 321 QUIZ 1
CMIT 321 QUIZ 1
 

Ähnlich wie Network and DNS Vulnerabilities

Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
guestd05b31
 
Multipath TCP
Multipath TCPMultipath TCP
Multipath TCP
Olivier Bonaventure
 
ip spoofing
ip spoofingip spoofing
ip spoofing
vipin soni
 

Ähnlich wie Network and DNS Vulnerabilities (20)

Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
Multipath TCP
Multipath TCPMultipath TCP
Multipath TCP
 
TCPIP
TCPIPTCPIP
TCPIP
 
ip spoofing
ip spoofingip spoofing
ip spoofing
 
The Network Protocol Stack Revisited
The Network Protocol Stack RevisitedThe Network Protocol Stack Revisited
The Network Protocol Stack Revisited
 
Day-3 PowerPoint
Day-3 PowerPointDay-3 PowerPoint
Day-3 PowerPoint
 
Understanding computer networks
Understanding computer networksUnderstanding computer networks
Understanding computer networks
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developers
 
Efficient Telecommunication Infrastructure with Internet Telephony (VoIP)
Efficient Telecommunication Infrastructure with Internet Telephony (VoIP)Efficient Telecommunication Infrastructure with Internet Telephony (VoIP)
Efficient Telecommunication Infrastructure with Internet Telephony (VoIP)
 
Isys20261 lecture 07
Isys20261 lecture 07Isys20261 lecture 07
Isys20261 lecture 07
 
6005679.ppt
6005679.ppt6005679.ppt
6005679.ppt
 
Lync 2010 deep dive edge
Lync 2010 deep dive edgeLync 2010 deep dive edge
Lync 2010 deep dive edge
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
 
Dos ddos
Dos ddosDos ddos
Dos ddos
 
IPAddressing .pptx
IPAddressing .pptxIPAddressing .pptx
IPAddressing .pptx
 
Client server
Client serverClient server
Client server
 
Playing in a Satellite environment
Playing in a Satellite environmentPlaying in a Satellite environment
Playing in a Satellite environment
 
Sockets
SocketsSockets
Sockets
 
Sockets
SocketsSockets
Sockets
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 

Mehr von n|u - The Open Security Community

Mehr von n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

KĂŒrzlich hochgeladen

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel AraĂșjo
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

KĂŒrzlich hochgeladen (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

Network and DNS Vulnerabilities

  • 1. n|u Network and DNS Vulnerabilities V l biliti Presented by: Harsimran Walia
  • 2. Data Formats TCP Header Application message - data Application message Transport (TCP, UDP) segment TCP data TCP data TCP data Network (IP) packet k t IP TCP data Link Layer y frame ETH IP TCP data ETF IP Header Link (Ethernet) Link (Ethernet) Header Trailer
  • 3. IP Internet Protocol Version Header Length Connectionless Type of S i T f Service Unreliable Total Length Identification Best effort Flags Fragment Offset Time to Live Protocol Notes: Header Checksum src and dest ports Source Address of Originating Host not parts of IP hdr g Destination Address of Target Host Options Padding IP Data
  • 4. Packet forging Client is trusted to embed correct source IP Easy to override using raw sockets Libnet: a library for formatting raw packets with arbitrary IP h d bit headers Anyone who owns their machine can send packets with arbitrary source IP 
 response will be sent back to forged source IP Implications: Anonymous DoS attacks; y ; Anonymous infection attacks
  • 5. Basic Security Problems 1. Network packets pass by untrusted hosts Eavesdropping, packet sniffing Especially easy when attacker controls a p y y machine close to victim 2. TCP state can be easy to guess Enables spoofing and session hijacking 3. Denial of Service (DoS) vulnerabilities
  • 6. 1 Packet Sniffing 1. Promiscuous NIC reads all packets Read all unencrypted data (e.g., “wireshark”) ftp, telnet (and POP, IMAP) send passwords in clear! p, ( , ) p Eve Alice Ali Network Bob B b Prevention: Encryption SSL (is it still secure??)
  • 7. 2 Breaking SSL encryption 2. Certificate used for encryption
  • 8. 2 Breaking SSL encryption 2. Certificate created by attacker and accepted by victim (normally a user ignores warning) attacker can- Sniff the encrypted passwords Decrypt the passwords Countermeasures C t Untrusted certificate should never be accepted All trusted certificates should be installed in the browser
  • 9. Review: TCP Handshake C S SN ←randC SYN: ANC ←0 Listening C SNS←randS Store SNC , SNS SYN/ACK: AN ←SN S C Wait SN←SNC+1 ACK: AN SN AN←SNS Established
  • 10. 2 TCP Connection Spoofing 2. Why random initial sequence numbers? (SNC , SNS ) y q ( Suppose init. sequence numbers are predictable Attacker can create TCP session on behalf of forged source IP Breaks IP-based authentication (e.g. SPF, /etc/hosts ) TCP SYN srcIP=victim SYN/ACK dstIP=victim Victim ACK SN=server SNS srcIP=victim Server attacker AN=predicted SNS server thinks command command is from victim IP addr
  • 11. Example DoS vulnerability Suppose attacker can guess seq. number for an pp g q existing connection: Attacker can send Reset packet to close connection. Results in DoS. Naively, success prob. is 1/232 (32-bit seq. #’s). Most systems allow for a large window of acceptable seq. #’s Much higher success probability.
  • 12. TCP SYN Flood I: low rate C S Single machine: ‱ SYN Packets with SYNC1 random source IP d SYNC2 addresses ‱ Fills up backlog queue SYNC3 on server SYNC C4 ‱ No further connections possible SYNC5 12
  • 13. SYN Floods II: Massive flood Command bot army to flood specific target: (DDoS) y p g 20,000 bots can generate 2Gb/sec of SYNs (2003) At web site: Saturates network uplink or network router p Random source IP ⇒ attack SYNs look the same as real SYNs 13
  • 14. NIC as cpu Attempt to connect to the victim machine, which fails: Sending a ‘magic’ packet to the victim: It worked! Now logged i as root: k d l d in 14
  • 15. NIC as cpu PoC exists with Broadcom (Manufacturer of NICs) We can remotely execute shell code on the NIC Through shell code we can read/write data on main hard drive As shown we can login as root without even exploiting the system 15
  • 17. Routing Vulnerabilities Common attack: advertise false routes Causes traffic to go though compromised hosts ARP (addr resolution protocol): IP addr -> eth addr Node A can confuse gateway into sending it traffic for B OSPF: used for routing within an AS BGP: routing between ASs Attacker can cause entire Internet to send traffic for a victim IP to attacker’s address.
  • 18. Issues Security problems Potential for disruptive attacks BGP packets are un-authenticated p Attacker can advertise arbitrary routes Advertisement will propagate everywhere Used for DoS and spam
  • 19. DoS via route hijacking YouTube is 208.65.152.0/22 (includes 210 IP addr) youtube.com youtube com is 208 65 153 238 
 208.65.153.238, Feb. 2008: Pakistan telecom advertised a BGP path for 208.65.153.0/24 (includes 28 IP addr) Routing decisions use most specific prefix The entire Internet now thinks 208.65.153.238 208 65 153 238 is in Pakistan Outage resolved within two hours
 but demonstrates huge DoS vuln. with no solution! March 2010: 1 ISP in US configured BGP route wrongly which led some users from US to be a victim of the great firewall of china These victims were redirected to some Chinese govt. Websites instead of legitimate g g sites
  • 21. DNS Domain Name System Hierarchical Name Space root org net com edu uk ca orkut yahoo google facebook www mail
  • 22. DNS Lookup Example root & com www.google.com DNS server google.com Local DNS DNS server Client resolver DNS record types (partial list): - NS: name server (points to other server) - A: address record (contains IP address) - MX: address in charge of handling email - TXT: generic text (e.g. used to distribute site public keys (DKIM)
  • 23. Caching DNS responses are cached p Quick response for repeated translations Useful for finding servers as well as addresses NS records for domains DNS negative queries are cached g q Save time for nonexistent sites, e.g. misspelling Cached data periodically times out Lifetime (TTL) of data controlled by owner of data TTL passed with every record
  • 24. DNS cache poisoning Victim machine visits attacker’s web site, downloads Javascript Query: a.bank.com user a.bank.com a bank com local Q QID=x1 ns.bank.com ns bank com browser DNS resolver IPaddr Random QID y1, y2, 
 NS bank.com=ns.bank.com A ns.bank.com=attackerIP attacker wins if ∃j: x1 = yj attacker response is cached and attacker owns bank.com
  • 25. Defenses Increase Query ID size. Q y How? a. Randomize src port, additional 11 bits p , Now attack takes several hours b. Ask every DNS query twice: Attacker has to guess QueryID correctly twice (32 bits) Apparently DNS system cannot handle the load
  • 26. Pharming DNS poisoning attack (less common than phishing) p g ( p g) If user visits attacker’s site the cache of user can be poisoned Change IP addresses to redirect URLs to fraudulent sites Potentially more da ge ous t a p s g attac s ote t a y o e dangerous than phishing attacks No email solicitation is required DNS poisoning attacks have occurred: January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia. In November 2004, Google and Amazon users were sent to 2004 Med Network Inc., an online pharmacy In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and j presented them with the message "God Bless Our Troops"
  • 27. Spoofing DNS spoofing attack p g Intercept the DNS query from the victim Spoof the ip address of the real url Se d o ged Send forged DNS response with the attac e s ip S espo se t t e attacker’s p Victim thinks its legitimate as he accessed real url and gets no warning Can be used for phishing attacks where social engineering p g g g not possible
  • 28. [DWF’96, R’01] DNS Rebinding Attack g <iframe src="http://www.evil.com"> DNS-SEC cannot stop this attack www.evil.com? ns.evil.com 171.64.7.115 171 64 7 115 TTL = 0 DNS server Firew 192.168.0.100 wall www.evil.com web server corporate web server 171.64.7.115 192.168.0.100 Read permitted: it s the “same origin it’s same origin”
  • 29. DNS Rebinding Defenses Browser mitigation: DNS Pinning Refuse to switch to a new IP Interacts poorly with proxies, VPN, dynamic DNS, 
 p y p , , y , Not consistently implemented in any browser Server-side defenses Check Host header for unrecognized domains Firewall defenses External names can’t resolve to internal addresses Protects browsers inside the organization
  • 30. Summary Core protocols not designed for security p g y Eavesdropping, Packet injection, Route stealing, DNS poisoning Patched over time to prevent basic attacks (e.g. random TCP SN) More secure variants exist : IP -> IPsec DNS -> DNSsec BGP -> SBGP