Uploaded bypantu_1961
47 views

08 tcp-dns

This document discusses several network protocols and vulnerabilities. It begins with an overview of basic networking concepts like TCP/IP and routing. It then examines specific attacks like TCP spoofing and DNS poisoning. The document analyzes how protocols like IP, TCP, BGP, and DNS work and identifies security issues like a lack of authentication, predictable sequence numbers, and cache poisoning attacks. Defenses are discussed but many core protocols were not initially designed with security in mind.

Download to read offline
Network Protocols and Vulnerabilities Dan Boneh CS 155 Spring 2010
Outline !   Basic Networking:   How things work now plus some problems !   Some network attacks   Attacking host-to-host datagram protocols   TCP Spoofing, …   Attacking network infrastructure   Routing   Domain Name System
Backbone ISP ISP Internet Infrastructure !   Local and interdomain routing   TCP/IP for routing, connections   BGP for routing announcements !   Domain Name System   Find IP address from symbolic name (www.cs.stanford.edu)
TCP Protocol Stack Application Transport Network Link Application protocol TCP protocol IP protocol Data Link IP Network Access IP protocol Data Link Application Transport Network Link
Data Formats Application Transport (TCP, UDP) Network (IP) Link Layer Application message - data TCP data TCP data TCP data TCP Header dataTCPIP IP Header dataTCPIPETH ETF Link (Ethernet) Header Link (Ethernet) Trailer segment packet frame message
Internet Protocol !  Connectionless   Unreliable   Best effort !  Notes:   src and dest ports not parts of IP hdr IP Version Header Length Type of Service Total Length Identification Flags Time to Live Protocol Header Checksum Source Address of Originating Host Destination Address of Target Host Options Padding IP Data Fragment Offset
IP Routing !  Internet routing uses numeric IP address !  Typical route uses several hops Meg Tom ISP Office gateway 121.42.33.12 132.14.11.51 Source Destination Packet 121.42.33.12 121.42.33.1 132.14.11.51 132.14.11.1
IP Protocol Functions (Summary) !   Routing   IP host knows location of router (gateway)   IP gateway must know route to other networks !   Fragmentation and reassembly   If max-packet-size less than the user-data-size !   Error reporting   ICMP packet to source if packet is dropped !   TTL field: decremented after every hop   Packet dropped f TTL=0. Prevents infinite loops.
Problem: no src IP authentication !   Client is trusted to embed correct source IP   Easy to override using raw sockets   Libnet: a library for formatting raw packets with arbitrary IP headers !   Anyone who owns their machine can send packets with arbitrary source IP   … response will be sent back to forged source IP   Implications: (solutions in DDoS lecture)   Anonymous DoS attacks;   Anonymous infection attacks (e.g. slammer worm)
User Datagram Protocol !  Unreliable transport on top of IP:   No acknowledgment   No congenstion control   No message continuation UDP
Transmission Control Protocol !  Connection-oriented, preserves order   Sender   Break data into packets   Attach packet numbers   Receiver   Acknowledge receipt; lost packets are resent   Reassemble packets in correct order TCP Book Mail each page Reassemble book 19 5 1 1 1
TCP Header Source Port Dest port SEQ Number ACK Number Other stuff U R G P S R A C K P S H S Y N F I N TCP Header
Review: TCP Handshake C S SYN: SYN/ACK: ACK: Listening Store SNC , SNS Wait Established SNC←randC ANC←0 SNS←randS ANS←SNC SN←SNC+1 AN←SNS Received packets with SN too far out of window are dropped
Basic Security Problems 1. Network packets pass by untrusted hosts   Eavesdropping, packet sniffing   Especially easy when attacker controls a machine close to victim 2. TCP state can be easy to guess   Enables spoofing and session hijacking 3. Denial of Service (DoS) vulnerabilities   DDoS lecture
1. Packet Sniffing !  Promiscuous NIC reads all packets   Read all unencrypted data (e.g., “wireshark”)   ftp, telnet (and POP, IMAP) send passwords in clear! Alice Bob Eve Network Prevention: Encryption (next lecture: IPSEC) Sweet Hall attack installed sniffer on local machine
2. TCP Connection Spoofing !   Why random initial sequence numbers? (SNC , SNS ) !   Suppose init. sequence numbers are predictable   Attacker can create TCP session on behalf of forged source IP   Breaks IP-based authentication (e.g. SPF, /etc/hosts ) Victim Server SYN/ACK dstIP=victim SN=server SNS ACK srcIP=victim AN=predicted SNS command server thinks command is from victim IP addr attacker TCP SYN srcIP=victim
Example DoS vulnerability [Watson’04] !  Suppose attacker can guess seq. number for an existing connection:   Attacker can send Reset packet to close connection. Results in DoS.   Naively, success prob. is 1/232 (32-bit seq. #’s).   Most systems allow for a large window of acceptable seq. #’s   Much higher success probability. !  Attack is most effective against long lived connections, e.g. BGP
Random initial TCP SNs !   Unpredictable SNs prevent basic packet injection   … but attacker can inject packets after eavesdropping to obtain current SN !   Most TCP stacks now generate random SNs   Random generator should be unpredictable   GPR’06: Linux RNG for generating SNs is predictable   Attacker repeatedly connects to server   Obtains sequence of SNs   Can predict next SN   Attacker can now do TCP spoofing (create TCP session with forged source IP)
Routing Vulnerabilities
Routing Vulnerabilities !  Common attack: advertise false routes   Causes traffic to go though compromised hosts !   ARP (addr resolution protocol): IP addr -> eth addr   Node A can confuse gateway into sending it traffic for B   By proxying traffic, attacker A can easily inject packets into B’s session (e.g. WiFi networks) !   OSPF: used for routing within an AS !   BGP: routing between ASs   Attacker can cause entire Internet to send traffic for a victim IP to attacker’s address.   Example: Youtube mishap (see DDoS lecture)
Interdomain Routing connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain) OSPF BGP Autonomous System earthlink.net Stanford.edu
BGP overview !  Iterative path announcement   Path announcements grow from destination to source   Packets flow in reverse direction !  Protocol specification   Announcements can be shortest path   Not obligated to use announced path
BGP example [D. Wetherall] !   Transit: 2 provides transit for 7 !   Algorithm seems to work OK in practice   BGP is does not respond well to frequent node outages 3 4 6 5 7 1 8 2 7 7 2 7 2 7 2 7 3 2 7 6 2 7 2 6 52 6 5 2 6 5 3 2 6 5 7 2 6 5 6 5 5 5
Issues !  Security problems   Potential for disruptive attacks   BGP packets are un-authenticated   Attacker can advertise arbitrary routes   Advertisement will propagate everywhere   Used for DoS and spam (detailed example in DDoS lecture) !  Incentive for dishonesty   ISP pays for some routes, others free
Domain Name System
Domain Name System !  Hierarchical Name Space root edunetorg ukcom ca wisc ucb stanford cmu mit cs ee www DNS
DNS Root Name Servers !   Hierarchical service   Root name servers for top-level domains   Authoritative name servers for subdomains   Local name resolvers contact authoritative servers when they do not know a name
DNS Lookup Example Client Local DNS resolver root & edu DNS server stanford.edu DNS server www.cs.stanford.edu NS stanford.eduwww.cs.stanford.edu NS cs.stanford.edu cs.stanford.edu DNS server DNS record types (partial list): - NS: name server (points to other server) - A: address record (contains IP address) - MX: address in charge of handling email - TXT: generic text (e.g. used to distribute site public keys (DKIM) )
Caching !   DNS responses are cached   Quick response for repeated translations   Useful for finding servers as well as addresses   NS records for domains !   DNS negative queries are cached   Save time for nonexistent sites, e.g. misspelling !   Cached data periodically times out   Lifetime (TTL) of data controlled by owner of data   TTL passed with every record
DNS Packet !   Query ID:   16 bit random value   Links response to query (from Steve Friedl)
Resolver to NS request
Response to resolver Response contains IP addr of next NS server (called “glue”) Response ignored if unrecognized QueryID
Authoritative response to resolver final answer bailiwick checking: response is cached if it is within the same domain of query (i.e. a.com cannot set NS for b.com)
Basic DNS Vulnerabilities !   Users/hosts trust the host-address mapping provided by DNS:   Used as basis for many security policies: Browser same origin policy, URL address bar !   Obvious problems   Interception of requests or compromise of DNS servers can result in incorrect or malicious responses   e.g.: hijack BGP route to spoof DNS   Solution – authenticated requests/responses   Provided by DNSsec … but no one uses DNSsec
DNS cache poisoning (a la Kaminsky’08) !   Victim machine visits attacker’s web site, downloads Javascript user browser local DNS resolver Query: a.bank.com a.bank.com QID=x1 attackerattacker wins if ∃j: x1 = yj response is cached and attacker owns bank.com ns.bank.com IPaddr 256 responses: Random QID y1, y2, … NS bank.com=ns.bank.com A ns.bank.com=attackerIP
If at first you don’t succeed … !   Victim machine visits attacker’s web site, downloads Javascript user browser local DNS resolver Query: b.bank.com b.bank.com QID=x2 attacker 256 responses: Random QID y1, y2, … NS bank.com=ns.bank.com A ns.bank.com=attackerIP attacker wins if ∃j: x2 = yj response is cached and attacker owns bank.com ns.bank.com IPaddr success after ≈ 256 tries (few minutes)
Defenses !   Increase Query ID size. How? a. Randomize src port, additional 11 bits Now attack takes several hours b. Ask every DNS query twice:   Attacker has to guess QueryID correctly twice (32 bits)   Apparently DNS system cannot handle the load
Pharming !   DNS poisoning attack (less common than phishing)   Change IP addresses to redirect URLs to fraudulent sites   Potentially more dangerous than phishing attacks   No email solicitation is required !   DNS poisoning attacks have occurred:   January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.   In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy   In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops"
DNS Rebinding Attack Read permitted: it’s the “same origin” Firewall www.evil.com web server ns.evil.com DNS server 171.64.7.115 www.evil.com? corporate web server 171.64.7.115 TTL = 0 <iframe src="http://www.evil.com"> 192.168.0.100 192.168.0.100 [DWF’96, R’01] DNS-SEC cannot stop this attack
DNS Rebinding Defenses !  Browser mitigation: DNS Pinning   Refuse to switch to a new IP   Interacts poorly with proxies, VPN, dynamic DNS, …   Not consistently implemented in any browser !  Server-side defenses   Check Host header for unrecognized domains   Authenticate users with something other than IP !  Firewall defenses   External names can’t resolve to internal addresses   Protects browsers inside the organization
Summary !   Core protocols not designed for security   Eavesdropping, Packet injection, Route stealing, DNS poisoning   Patched over time to prevent basic attacks (e.g. random TCP SN) !   More secure variants exist (next lecture) : IP -> IPsec DNS -> DNSsec BGP -> SBGP

More Related Content

DOCX
Type of DDoS attacks with hping3 example
byHimani Singh
 
PPT
12 tcp-dns
byCulverton Blessy
 
PDF
Network and DNS Vulnerabilities
byn|u - The Open Security Community
 
PDF
CMIT 321 QUIZ 1
byHamesKellor
 
PPT
5.Dns Rpc Nfs 2
byphanleson
 
PPT
5.Dns Rpc Nfs
byphanleson
 
PDF
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
byFelipe Prado
 
PDF
Derevolutionizing OS Fingerprinting: The cat and mouse game
byJaime Sánchez
 
Type of DDoS attacks with hping3 example
byHimani Singh
 
12 tcp-dns
byCulverton Blessy
 
Network and DNS Vulnerabilities
byn|u - The Open Security Community
 
CMIT 321 QUIZ 1
byHamesKellor
 
5.Dns Rpc Nfs 2
byphanleson
 
5.Dns Rpc Nfs
byphanleson
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
byFelipe Prado
 
Derevolutionizing OS Fingerprinting: The cat and mouse game
byJaime Sánchez
 

What's hot

PDF
Ddos and mitigation methods.pptx
byOzkan E
 
PPTX
Hiding in plain sight
byRob Gillen
 
DOCX
CEH v9 cheat sheet notes Certified Ethical Hacker
byDavid Sweigert
 
PDF
CEHv7 Question Collection
byManish Luintel
 
DOCX
Backtrack Manual Part3
byNutan Kumar Panda
 
TXT
Copy of a simple tcp spoofing attack
byVishal Gurujuwada
 
PPTX
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
bySiena Perry
 
PPT
Module 3 Scanning
byleminhvuong
 
PDF
From Kernel Space to User Heaven #NDH2k13
byJaime Sánchez
 
DOCX
Certified Ethical Hacker quick test prep cheat sheet
byDavid Sweigert
 
PPT
Best!
bygofortution
 
PPTX
Wireshark, Tcpdump and Network Performance tools
bySachidananda Sahu
 
PDF
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
byPROIDEA
 
PPT
Mobile Security - Wireless hacking
byphanleson
 
PPT
network security
bySrinivasa Rao
 
PPTX
Network Traffic Search using Apache HBase
byEvans Ye
 
PDF
Security problems in TCP/IP
bySukh Sandhu
 
PPTX
Ddos and mitigation methods.pptx (1)
bybtpsec
 
PPTX
Part 5 : Sharing resources, security principles and protocols
byOlivier Bonaventure
 
DOCX
Breaking ssl
byVinayak Raghuvamshi
 
Ddos and mitigation methods.pptx
byOzkan E
 
Hiding in plain sight
byRob Gillen
 
CEH v9 cheat sheet notes Certified Ethical Hacker
byDavid Sweigert
 
CEHv7 Question Collection
byManish Luintel
 
Backtrack Manual Part3
byNutan Kumar Panda
 
Copy of a simple tcp spoofing attack
byVishal Gurujuwada
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
bySiena Perry
 
Module 3 Scanning
byleminhvuong
 
From Kernel Space to User Heaven #NDH2k13
byJaime Sánchez
 
Certified Ethical Hacker quick test prep cheat sheet
byDavid Sweigert
 
Best!
bygofortution
 
Wireshark, Tcpdump and Network Performance tools
bySachidananda Sahu
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
byPROIDEA
 
Mobile Security - Wireless hacking
byphanleson
 
network security
bySrinivasa Rao
 
Network Traffic Search using Apache HBase
byEvans Ye
 
Security problems in TCP/IP
bySukh Sandhu
 
Ddos and mitigation methods.pptx (1)
bybtpsec
 
Part 5 : Sharing resources, security principles and protocols
byOlivier Bonaventure
 
Breaking ssl
byVinayak Raghuvamshi
 

Similar to 08 tcp-dns

PPT
Vulnerabilities in IP Protocols
bybabak danyal
 
PDF
Computer network (2)
byNYversity
 
PDF
vulnerabilities in IP.pdf
byMuhammadSufyanAbbasi1
 
PPT
network-security_for cybersecurity_experts
byabacusgtuc
 
PPTX
The Network Protocol Stack Revisited
byinbroker
 
PPSX
Network security
bysyed mehdi raza
 
PPTX
DNS Security Issues NES 554 for DNS Security
byAliAlwesabi
 
PPT
security
byahmad amiruddin
 
PPT
Lecture7-8-Network Protocls attack in cyber.ppt
byMuhammadSaleemKhan26
 
PPT
Dns protocol design attacks and security
byMichael Earls
 
PPTX
Network tunneling techniques
byinbroker
 
PPT
introduction to security
byahmad amiruddin
 
PPT
Network Security fundamentals
byTariq kanher
 
PPTX
Security in network
byDaNang University of Technology
 
PPTX
Oss web application and network security
byRishabh Mehan
 
PDF
Bgp security 2
byManju Devaraj
 
PPTX
501 ch 3 network technologies tools
bygocybersec
 
ODP
There and back again
byJon Spriggs
 
PPT
Network security
byShaikh Muhammed
 
PPT
Lec21 security
byNarayan Suthar
 
Vulnerabilities in IP Protocols
bybabak danyal
 
Computer network (2)
byNYversity
 
vulnerabilities in IP.pdf
byMuhammadSufyanAbbasi1
 
network-security_for cybersecurity_experts
byabacusgtuc
 
The Network Protocol Stack Revisited
byinbroker
 
Network security
bysyed mehdi raza
 
DNS Security Issues NES 554 for DNS Security
byAliAlwesabi
 
security
byahmad amiruddin
 
Lecture7-8-Network Protocls attack in cyber.ppt
byMuhammadSaleemKhan26
 
Dns protocol design attacks and security
byMichael Earls
 
Network tunneling techniques
byinbroker
 
introduction to security
byahmad amiruddin
 
Network Security fundamentals
byTariq kanher
 
Security in network
byDaNang University of Technology
 
Oss web application and network security
byRishabh Mehan
 
Bgp security 2
byManju Devaraj
 
501 ch 3 network technologies tools
bygocybersec
 
There and back again
byJon Spriggs
 
Network security
byShaikh Muhammed
 
Lec21 security
byNarayan Suthar
 

Recently uploaded

PPTX
Getting Started with MSP360 Backup for M365/Google
byMSP360
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
Database Performance at Scale: The TL;DR
byScyllaDB
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PPTX
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
PDF
MathML Core in WebKit
byIgalia
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PDF
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PDF
Save administrator time with the automated remediation capabilities of Red Ha...
byPrincipled Technologies
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PDF
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
PDF
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PDF
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
PDF
Session 4 - Agentic Testing with UiPath Agents
byDianaGray10
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
PPTX
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
Getting Started with MSP360 Backup for M365/Google
byMSP360
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Database Performance at Scale: The TL;DR
byScyllaDB
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
WebXR in Android and Linux with OpenXR
byIgalia
 
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
MathML Core in WebKit
byIgalia
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
Save administrator time with the automated remediation capabilities of Red Ha...
byPrincipled Technologies
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
Session 4 - Agentic Testing with UiPath Agents
byDianaGray10
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 

08 tcp-dns

  • 1.
  • 2.
    Outline !   BasicNetworking:   How things work now plus some problems !   Some network attacks   Attacking host-to-host datagram protocols   TCP Spoofing, …   Attacking network infrastructure   Routing   Domain Name System
  • 3.
    Backbone ISP ISP Internet Infrastructure !  Local and interdomain routing   TCP/IP for routing, connections   BGP for routing announcements !   Domain Name System   Find IP address from symbolic name (www.cs.stanford.edu)
  • 4.
    TCP Protocol Stack Application Transport Network Link Applicationprotocol TCP protocol IP protocol Data Link IP Network Access IP protocol Data Link Application Transport Network Link
  • 5.
    Data Formats Application Transport (TCP,UDP) Network (IP) Link Layer Application message - data TCP data TCP data TCP data TCP Header dataTCPIP IP Header dataTCPIPETH ETF Link (Ethernet) Header Link (Ethernet) Trailer segment packet frame message
  • 6.
    Internet Protocol !  Connectionless  Unreliable   Best effort !  Notes:   src and dest ports not parts of IP hdr IP Version Header Length Type of Service Total Length Identification Flags Time to Live Protocol Header Checksum Source Address of Originating Host Destination Address of Target Host Options Padding IP Data Fragment Offset
  • 7.
    IP Routing !  Internetrouting uses numeric IP address !  Typical route uses several hops Meg Tom ISP Office gateway 121.42.33.12 132.14.11.51 Source Destination Packet 121.42.33.12 121.42.33.1 132.14.11.51 132.14.11.1
  • 8.
    IP Protocol Functions(Summary) !   Routing   IP host knows location of router (gateway)   IP gateway must know route to other networks !   Fragmentation and reassembly   If max-packet-size less than the user-data-size !   Error reporting   ICMP packet to source if packet is dropped !   TTL field: decremented after every hop   Packet dropped f TTL=0. Prevents infinite loops.
  • 9.
    Problem: no srcIP authentication !   Client is trusted to embed correct source IP   Easy to override using raw sockets   Libnet: a library for formatting raw packets with arbitrary IP headers !   Anyone who owns their machine can send packets with arbitrary source IP   … response will be sent back to forged source IP   Implications: (solutions in DDoS lecture)   Anonymous DoS attacks;   Anonymous infection attacks (e.g. slammer worm)
  • 10.
    User Datagram Protocol ! Unreliable transport on top of IP:   No acknowledgment   No congenstion control   No message continuation UDP
  • 11.
    Transmission Control Protocol ! Connection-oriented, preserves order   Sender   Break data into packets   Attach packet numbers   Receiver   Acknowledge receipt; lost packets are resent   Reassemble packets in correct order TCP Book Mail each page Reassemble book 19 5 1 1 1
  • 12.
    TCP Header Source PortDest port SEQ Number ACK Number Other stuff U R G P S R A C K P S H S Y N F I N TCP Header
  • 13.
    Review: TCP Handshake CS SYN: SYN/ACK: ACK: Listening Store SNC , SNS Wait Established SNC←randC ANC←0 SNS←randS ANS←SNC SN←SNC+1 AN←SNS Received packets with SN too far out of window are dropped
  • 14.
    Basic Security Problems 1.Network packets pass by untrusted hosts   Eavesdropping, packet sniffing   Especially easy when attacker controls a machine close to victim 2. TCP state can be easy to guess   Enables spoofing and session hijacking 3. Denial of Service (DoS) vulnerabilities   DDoS lecture
  • 15.
    1. Packet Sniffing ! Promiscuous NIC reads all packets   Read all unencrypted data (e.g., “wireshark”)   ftp, telnet (and POP, IMAP) send passwords in clear! Alice Bob Eve Network Prevention: Encryption (next lecture: IPSEC) Sweet Hall attack installed sniffer on local machine
  • 16.
    2. TCP ConnectionSpoofing !   Why random initial sequence numbers? (SNC , SNS ) !   Suppose init. sequence numbers are predictable   Attacker can create TCP session on behalf of forged source IP   Breaks IP-based authentication (e.g. SPF, /etc/hosts ) Victim Server SYN/ACK dstIP=victim SN=server SNS ACK srcIP=victim AN=predicted SNS command server thinks command is from victim IP addr attacker TCP SYN srcIP=victim
  • 17.
    Example DoS vulnerability[Watson’04] !  Suppose attacker can guess seq. number for an existing connection:   Attacker can send Reset packet to close connection. Results in DoS.   Naively, success prob. is 1/232 (32-bit seq. #’s).   Most systems allow for a large window of acceptable seq. #’s   Much higher success probability. !  Attack is most effective against long lived connections, e.g. BGP
  • 18.
    Random initial TCPSNs !   Unpredictable SNs prevent basic packet injection   … but attacker can inject packets after eavesdropping to obtain current SN !   Most TCP stacks now generate random SNs   Random generator should be unpredictable   GPR’06: Linux RNG for generating SNs is predictable   Attacker repeatedly connects to server   Obtains sequence of SNs   Can predict next SN   Attacker can now do TCP spoofing (create TCP session with forged source IP)
  • 19.
  • 20.
    Routing Vulnerabilities !  Commonattack: advertise false routes   Causes traffic to go though compromised hosts !   ARP (addr resolution protocol): IP addr -> eth addr   Node A can confuse gateway into sending it traffic for B   By proxying traffic, attacker A can easily inject packets into B’s session (e.g. WiFi networks) !   OSPF: used for routing within an AS !   BGP: routing between ASs   Attacker can cause entire Internet to send traffic for a victim IP to attacker’s address.   Example: Youtube mishap (see DDoS lecture)
  • 21.
    Interdomain Routing connected groupof one or more Internet Protocol prefixes under a single routing policy (aka domain) OSPF BGP Autonomous System earthlink.net Stanford.edu
  • 22.
    BGP overview !  Iterativepath announcement   Path announcements grow from destination to source   Packets flow in reverse direction !  Protocol specification   Announcements can be shortest path   Not obligated to use announced path
  • 23.
    BGP example [D.Wetherall] !   Transit: 2 provides transit for 7 !   Algorithm seems to work OK in practice   BGP is does not respond well to frequent node outages 3 4 6 5 7 1 8 2 7 7 2 7 2 7 2 7 3 2 7 6 2 7 2 6 52 6 5 2 6 5 3 2 6 5 7 2 6 5 6 5 5 5
  • 24.
    Issues !  Security problems  Potential for disruptive attacks   BGP packets are un-authenticated   Attacker can advertise arbitrary routes   Advertisement will propagate everywhere   Used for DoS and spam (detailed example in DDoS lecture) !  Incentive for dishonesty   ISP pays for some routes, others free
  • 25.
  • 26.
    Domain Name System ! Hierarchical Name Space root edunetorg ukcom ca wisc ucb stanford cmu mit cs ee www DNS
  • 27.
    DNS Root NameServers !   Hierarchical service   Root name servers for top-level domains   Authoritative name servers for subdomains   Local name resolvers contact authoritative servers when they do not know a name
  • 28.
    DNS Lookup Example Client LocalDNS resolver root & edu DNS server stanford.edu DNS server www.cs.stanford.edu NS stanford.eduwww.cs.stanford.edu NS cs.stanford.edu cs.stanford.edu DNS server DNS record types (partial list): - NS: name server (points to other server) - A: address record (contains IP address) - MX: address in charge of handling email - TXT: generic text (e.g. used to distribute site public keys (DKIM) )
  • 29.
    Caching !   DNSresponses are cached   Quick response for repeated translations   Useful for finding servers as well as addresses   NS records for domains !   DNS negative queries are cached   Save time for nonexistent sites, e.g. misspelling !   Cached data periodically times out   Lifetime (TTL) of data controlled by owner of data   TTL passed with every record
  • 30.
    DNS Packet !  Query ID:   16 bit random value   Links response to query (from Steve Friedl)
  • 31.
  • 32.
    Response to resolver Responsecontains IP addr of next NS server (called “glue”) Response ignored if unrecognized QueryID
  • 33.
    Authoritative response toresolver final answer bailiwick checking: response is cached if it is within the same domain of query (i.e. a.com cannot set NS for b.com)
  • 34.
    Basic DNS Vulnerabilities !  Users/hosts trust the host-address mapping provided by DNS:   Used as basis for many security policies: Browser same origin policy, URL address bar !   Obvious problems   Interception of requests or compromise of DNS servers can result in incorrect or malicious responses   e.g.: hijack BGP route to spoof DNS   Solution – authenticated requests/responses   Provided by DNSsec … but no one uses DNSsec
  • 35.
    DNS cache poisoning(a la Kaminsky’08) !   Victim machine visits attacker’s web site, downloads Javascript user browser local DNS resolver Query: a.bank.com a.bank.com QID=x1 attackerattacker wins if ∃j: x1 = yj response is cached and attacker owns bank.com ns.bank.com IPaddr 256 responses: Random QID y1, y2, … NS bank.com=ns.bank.com A ns.bank.com=attackerIP
  • 36.
    If at firstyou don’t succeed … !   Victim machine visits attacker’s web site, downloads Javascript user browser local DNS resolver Query: b.bank.com b.bank.com QID=x2 attacker 256 responses: Random QID y1, y2, … NS bank.com=ns.bank.com A ns.bank.com=attackerIP attacker wins if ∃j: x2 = yj response is cached and attacker owns bank.com ns.bank.com IPaddr success after ≈ 256 tries (few minutes)
  • 37.
    Defenses !   IncreaseQuery ID size. How? a. Randomize src port, additional 11 bits Now attack takes several hours b. Ask every DNS query twice:   Attacker has to guess QueryID correctly twice (32 bits)   Apparently DNS system cannot handle the load
  • 38.
    Pharming !   DNSpoisoning attack (less common than phishing)   Change IP addresses to redirect URLs to fraudulent sites   Potentially more dangerous than phishing attacks   No email solicitation is required !   DNS poisoning attacks have occurred:   January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.   In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy   In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops"
  • 39.
    DNS Rebinding Attack Readpermitted: it’s the “same origin” Firewall www.evil.com web server ns.evil.com DNS server 171.64.7.115 www.evil.com? corporate web server 171.64.7.115 TTL = 0 <iframe src="http://www.evil.com"> 192.168.0.100 192.168.0.100 [DWF’96, R’01] DNS-SEC cannot stop this attack
  • 40.
    DNS Rebinding Defenses ! Browser mitigation: DNS Pinning   Refuse to switch to a new IP   Interacts poorly with proxies, VPN, dynamic DNS, …   Not consistently implemented in any browser !  Server-side defenses   Check Host header for unrecognized domains   Authenticate users with something other than IP !  Firewall defenses   External names can’t resolve to internal addresses   Protects browsers inside the organization
  • 41.
    Summary !   Coreprotocols not designed for security   Eavesdropping, Packet injection, Route stealing, DNS poisoning   Patched over time to prevent basic attacks (e.g. random TCP SN) !   More secure variants exist (next lecture) : IP -> IPsec DNS -> DNSsec BGP -> SBGP