# Network security
Computer Security 2014 – Ymir Vigfusson
Some slides borrowed from Amir Masoumzadeh's INFSCI 1075, Dan Boneh@Stanford, CSAPP@CMU


# Networking primer
The Internet is a series of tubes
- Dark clouds are Autonomous Systems (AS)
- Backbone routers use the BGP protocol
- Messages are exchanged using TCP/IP
[Figure: backbone connecting several ISPs]

#

# Networking primer: IP
What we care about the most in the course

# Networking primer: Layers
The end-to-end principle: no need to understand application logic in a network except at end hosts. Cleaner design.
[Figure: two end hosts, each with Application / Transport / Network / Link layers; the application protocol and TCP run end to end, while the IP protocol and data link are also implemented at the intermediate node (network access)]

# Networking primer: Layers
Implementation of different layers (encapsulation):
- Application: message (data)
- Transport (TCP, UDP): segment = TCP header + data
- Network (IP): packet = IP header + TCP segment
- Link layer: frame = Ethernet header + IP packet + Ethernet trailer

# Networking primer: Layering & Routing
[Figure: Host A (client, LAN1 adapter) sends data via a router (LAN1 and LAN2 adapters) to Host B (server, LAN2 adapter), steps (1)-(8): Host A's protocol software prepends the internet packet header PH and the LAN1 frame header ETH1; the router strips the LAN1 frame header, routes on the packet header and re-encapsulates the packet in a LAN2 frame (ETH2); Host B's protocol software strips both headers and delivers the data]
PH: Internet packet header (IP + TCP)
FH: LAN frame header

# Address resolution protocol
- Link layer (Layer 2) uses MAC addresses for naming
- Network layer (Layer 3) uses IP addresses instead
- How do we translate between these on a LAN?
- Answer: ARP is a simple protocol for precisely that

# ARP poisoning
What could possibly go wrong?

After a response, the contents of the ARP reply are temporarily cached by everyone who heard it
- Even if nobody requested it (fixed in some OSes, which ignore replies they never asked for)

# ARP poisoning
ARP has no authentication; hosts fully trust whatever reply arrives
Hackers exploit it to:
- Snoop on traffic (sniff) to learn passwords
- Pretend to be someone else (spoof) to get more access
- Redirect traffic (man-in-the-middle) to hijack sessions
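The two weaknesses above (replies are cached even when unsolicited, and nothing authenticates the sender) are exactly what a host or IDS can watch for. The following is an added example, not code from the lecture: it parses raw Ethernet+ARP frames and raises an alert for unsolicited replies and for an IP whose MAC suddenly changes. The frames, addresses, MACs and the "attacker" are all constructed sample data.

```python
# Added example (not from the lecture slides): a minimal ARP-poisoning detector.
# It parses raw Ethernet+ARP frames and applies two host-side checks that need
# no changes to ARP itself. Frames, addresses and the "attacker" are constructed.
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    dst_mac = b"\xff" * 6 if op == ARP_REQUEST else target_mac
    eth = dst_mac + sender_mac + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, op
    arp += sender_mac + sender_ip + target_mac + target_ip
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return op, body[0:6], body[6:10], body[10:16], body[16:20]

def detect_arp_poisoning(frames):
    """Walk frames in order and return alert strings.

    Check 1: a reply arrives for an IP this host never asked about
             (unsolicited / "gratuitous" replies, which poisoners rely on).
    Check 2: an IP that was bound to one MAC is suddenly claimed by another.
    Neither check is proof of an attack, but a real gateway rarely changes MAC.
    """
    pending = set()   # IPs we have sent a request for and not yet resolved
    table = {}        # ip -> mac learned from replies (our ARP cache)
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, smac, sip, _tmac, tip = parsed
        if op == ARP_REQUEST:
            pending.add(tip)
            continue
        if op != ARP_REPLY:
            continue
        if sip in pending:
            pending.discard(sip)
        else:
            alerts.append(f"unsolicited reply: {fmt_ip(sip)} is-at {fmt_mac(smac)}")
        old = table.get(sip)
        if old is not None and old != smac:
            alerts.append(f"mapping changed: {fmt_ip(sip)} was {fmt_mac(old)}, now {fmt_mac(smac)}")
        table[sip] = smac
    return alerts

# Constructed sample traffic: a host resolves its gateway, gets the real reply,
# then an attacker sends a forged reply claiming the gateway's IP.
GW_IP, GW_MAC = bytes([10, 0, 0, 1]), bytes.fromhex("001122334455")
HOST_IP, HOST_MAC = bytes([10, 0, 0, 42]), bytes.fromhex("66778899aabb")
EVIL_MAC = bytes.fromhex("deadbeefcafe")
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, b"\x00" * 6, GW_IP),  # who has 10.0.0.1?
    build_arp(ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP),         # legitimate answer
    build_arp(ARP_REPLY, EVIL_MAC, GW_IP, HOST_MAC, HOST_IP),       # poison
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_FRAMES):
        print(alert)
```

Running it on the sample prints two alerts for the third frame (unsolicited, and a changed mapping for 10.0.0.1); the first two frames are clean. On a real LAN the "mapping changed" rule needs a whitelist for legitimately re-addressed hosts, and the durable fix is static ARP entries for the gateway or switch-side dynamic ARP inspection.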

# Networking primer: TCP
[Figure: TCP header: Source port, Dest port, SEQ number, ACK number, other fields, flags URG, ACK, PSH, RST, SYN, FIN]

# TCP handshake
A regular TCP 3-way handshake:
- Client sends a SYN packet with a random client sequence number
- Server responds with SYN-ACK carrying its own random server sequence number and acknowledging the client's (client sequence number incremented by one)
- Client sends ACK (acknowledging the server sequence number incremented by one)

Credit: Amir Masoumzadeh

# TCP spoofing
Can forge TCP packets as appearing to have been sent from another IP address
Can open up a connection, but need to guess the server's sequence number
- Blinded: attacker does not see responses
  - The host whose address was spoofed receives the unexpected SYN-ACK and may send RST packets, killing the spurious connection
  - Limited damage attackers can do here, especially if a full connection is required
- Unblinded: you can snoop packets coming back
  - NSA has (had?) unique capabilities to do this
Status today
- Backbones have some protections: they filter packets that definitely are in the wrong place (ingress/egress filtering)

# TCP SYN floods
TCP is stateful
- For every incoming SYN, we send SYN-ACK and maintain partial connection state while we wait for the ACK
- What if an attacker sends tons of SYN packets (from spoofed sources, so the ACK never comes)?

How can we defend ourselves?

Idea: SYN cookies (D. J. Bernstein)
- Encode the state in the server's sequence number: timestamp | MSS | hash(IPs, ports)
- The server stores nothing; when the ACK arrives it can both verify that the cookie was created by it earlier (the hash is keyed with a server secret) and recover the state (timestamp and MSS) from the number itself
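The cookie layout above, as an added example that is not code from the lecture: 5 bits of timestamp, 3 bits indexing an MSS table, and a 24-bit keyed hash over the connection 4-tuple. The bit split, the MSS table, the secret and the 64-second timestamp tick are assumptions; sockets and checksums are left out so the exchange can be simulated offline.

```python
# Added example (not from the lecture slides): SYN cookies in the layout the
# slide describes: timestamp | MSS | hash(IPs, ports). The 5/3/24-bit split, the
# MSS table and the secret are assumptions; checksums and real sockets are omitted.
import hashlib
import hmac
import struct

MSS_TABLE = (536, 1300, 1440, 1460)   # 3-bit index selects one of these (assumed table)
SECRET = b"rotate-me-at-boot"          # assumption: random per-server secret
MAX_AGE = 1                            # cookie valid for this many timestamp ticks (64 s each)

def _hash24(secret, saddr, daddr, sport, dport, t5):
    """24-bit keyed hash over the connection 4-tuple and the 5-bit timestamp."""
    msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, t5)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, daddr, sport, dport, client_mss, t, secret=SECRET):
    """Server ISN for the SYN-ACK. Encodes state so nothing is stored per half-open connection."""
    t5 = t & 0x1F
    idx = max(i for i, m in enumerate(MSS_TABLE) if m <= client_mss)  # largest entry <= client MSS
    return (t5 << 27) | (idx << 24) | _hash24(secret, saddr, daddr, sport, dport, t5)

def check_cookie(saddr, daddr, sport, dport, ack, now, secret=SECRET):
    """Validate the final ACK (ack == cookie + 1). Returns the recovered MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t5 = cookie >> 27
    if ((now & 0x1F) - t5) & 0x1F > MAX_AGE:
        return None                                  # stale or forged timestamp
    if (cookie & 0xFFFFFF) != _hash24(secret, saddr, daddr, sport, dport, t5):
        return None                                  # not minted by us for this 4-tuple
    idx = (cookie >> 24) & 0x7
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None

def handshake(client, server, client_mss, t, now=None, tamper=False):
    """Simulate SYN -> SYN-ACK -> ACK with a stateless server; returns the MSS it recovers."""
    saddr, sport = client
    daddr, dport = server
    isn = make_cookie(saddr, daddr, sport, dport, client_mss, t)     # SYN-ACK seq number
    ack = (isn + 1) & 0xFFFFFFFF                                      # client's ACK number
    if tamper:
        ack ^= 1 << 3                                                 # blind guess, wrong bit
    return check_cookie(saddr, daddr, sport, dport, ack, t if now is None else now)

if __name__ == "__main__":
    client, server = (bytes([10, 0, 0, 5]), 40000), (bytes([10, 0, 0, 1]), 80)
    print("valid ACK ->", handshake(client, server, 1460, t=100))
    print("forged ACK ->", handshake(client, server, 1460, t=100, tamper=True))
    print("stale ACK  ->", handshake(client, server, 1460, t=100, now=103))
```

The price of statelessness is visible in the code: only what fits in 32 bits survives, so TCP options negotiated in the SYN (window scaling, SACK) are lost unless they can be smuggled elsewhere, and a cookie must be accepted for a short window only, which is why real stacks enable cookies only once the SYN backlog is full.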

# Regular TCP scan
Hackers want to know what ports are open
- Possibly compromise services running on those ports (e.g. Apache running on port 80)
- Complete the TCP handshake for all common ports

Accurate, but not stealthy: appears in all logs

Credit: Amir Masoumzadeh

# Variants of TCP scans
Can set various flags in the packet for stealth: URG, ACK, PSH, RST, SYN, FIN
- X-Mas scan: set all the flags! RST means port is closed; no answer means open (or filtered)
- Null scan: set no flags. RST means port is closed; no answer means open (or filtered)
- Both rely on RFC 793 behaviour; stacks that answer every such probe with RST (Windows, for one) make every port look closed
- TCP ACK scan: an RST back means the port is unfiltered (no stateful firewall in the way); it does not distinguish open from closed
- Window scan: send ACK. RST with a zero window means closed, non-zero window means open (some OSes)

# TCP idle scan
Idle scan: covert scanning!
- Spoofs SYN packets from an idle zombie to the target
- Probes the zombie before and after and checks whether its IP ID counter has increased in the follow-up packet
- Open port: the target sends SYN-ACK to the zombie, the zombie answers RST, and its IP ID goes up by 2 between the two probes
- Closed (or filtered) port: the zombie gets an RST (or nothing), ignores it, and the IP ID goes up by only 1
- The target only ever sees the zombie's address
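The three-step exchange above, as an added simulation that is not code from the lecture. The zombie and target are toy TCP stacks; the zombie's IP ID increases by one for every packet it sends, which is the property the scan depends on, and a `background_packets` knob shows what a non-idle zombie does to the result.

```python
# Added example (not from the lecture slides): a simulation of the idle scan.
# Zombie and target are toy TCP stacks; the zombie's IP ID goes up by one for
# every packet it sends, which is the property the scan depends on.

class Zombie:
    """Idle host with a global, sequential IP ID counter."""
    def __init__(self, start_ipid=1000):
        self.ipid = start_ipid

    def _send(self):
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def receive(self, flags):
        """An unexpected SYN/ACK is answered with RST (IP ID consumed); an RST is ignored."""
        if flags == "SA":
            return ("R", self._send())
        return None

class Target:
    """Host being scanned: open ports SYN/ACK, closed ports RST, filtered ports stay silent."""
    def __init__(self, ports):
        self.ports = ports      # port -> "open" | "closed" | "filtered"

    def receive(self, port, flags):
        state = self.ports.get(port, "closed")
        if flags != "S" or state == "filtered":
            return None
        return "SA" if state == "open" else "R"

def probe_zombie(zombie):
    """Attacker -> zombie: SYN/ACK; the RST that comes back reveals the zombie's current IP ID."""
    return zombie.receive("SA")[1]

def idle_scan(zombie, target, port, background_packets=0):
    """Probe the zombie, send a SYN to the target spoofed from the zombie, probe again.

    background_packets models other traffic the zombie sends meanwhile (a non-idle zombie).
    """
    before = probe_zombie(zombie)
    reply = target.receive(port, "S")          # target believes the SYN came from the zombie
    if reply is not None:
        zombie.receive(reply)                  # so its SYN/ACK or RST lands on the zombie
    for _ in range(background_packets):
        zombie._send()
    after = probe_zombie(zombie)
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"                  # zombie RST'd the target's SYN/ACK (+1) and our probe (+1)
    if delta == 1:
        return "closed|filtered"       # only our probe consumed an IP ID
    return "unknown"                   # zombie was not idle; rescan or pick another zombie

if __name__ == "__main__":
    target = Target({22: "closed", 80: "open", 443: "filtered"})
    zombie = Zombie()
    for port in (22, 80, 443):
        print(port, idle_scan(zombie, target, port))
```

The scan needs a zombie with a globally sequential IP ID and no other traffic; modern stacks randomize the ID or use per-destination counters, so usable zombies are rare today, and the "unknown" branch is what you see whenever the zombie is chatting with anyone else.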

# OS fingerprinting
Different OSes implement underspecified parts of the TCP/IP stack differently
- E.g. Linux differs from BSD (now in OS X and Windows)

Can prod machines and infer what vendor and OS version is running at a given IP address
- Can be more passive by observing regular traffic: TCP SYN cookies, initial time-to-live values, TCP window sizes, the order of TCP options, OOB handling, ...

Important once you have access inside an organization
- Therefore IDS/IPS software tends to recognize such attempts
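The passive variant, as an added example that is not code from the lecture: read the initial TTL class, window size and option order from a single SYN, p0f-style, and look them up. The packet parser is real; the signature table is constructed for illustration (labels "stack-A" and "stack-B") and makes no claim about any real OS, so a deployment would replace it with the p0f or nmap databases.

```python
# Added example (not from the lecture slides): passive OS fingerprinting from a
# single SYN, p0f-style. The parser is real; the signature table is constructed
# for illustration (labels "stack-A"/"stack-B") and is not a claim about any real OS.
import struct

# (initial TTL, window size, option order) -> label. Constructed, not measured.
SIGNATURES = {
    (64, 29200, "M,S,T,N,W"): "stack-A (constructed signature)",
    (128, 8192, "M,N,W,N,N,S"): "stack-B (constructed signature)",
}
OPTION_NAMES = {2: "M", 3: "W", 4: "S", 8: "T"}   # MSS, window scale, SACK-permitted, timestamp

MSS = b"\x02\x04\x05\xb4"            # MSS 1460
SACK_OK = b"\x04\x02"
TIMESTAMP = b"\x08\x0a" + b"\x00" * 8
NOP = b"\x01"
WSCALE = b"\x03\x03\x07"

def build_syn(ttl, window, options, src=b"\x0a\x00\x00\x05", dst=b"\x0a\x00\x00\x01"):
    """Constructed IPv4 + TCP SYN (checksums left zero) used as sample input."""
    opts = b"".join(options)
    opts += b"\x00" * (-len(opts) % 4)            # pad options to a 32-bit boundary
    tcp_len = 20 + len(opts)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, ttl, 6, 0, src, dst)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr + opts

def parse_syn(pkt):
    """Return (ttl, df, window, option order) from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, i = [], 20
    while i < data_off:
        kind = tcp[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP has no length byte
            opts.append("N")
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:                      # malformed; stop rather than loop forever
            break
        opts.append(OPTION_NAMES.get(kind, f"?{kind}"))
        i += length
    return ttl, df, window, ",".join(opts)

def initial_ttl(ttl):
    """Stacks start at 32, 64, 128 or 255; each hop decrements, so round up to the next class."""
    return next(start for start in (32, 64, 128, 255) if ttl <= start)

def fingerprint(pkt):
    """Guess the sending stack and the hop distance from one SYN."""
    ttl, df, window, opts = parse_syn(pkt)
    guess = SIGNATURES.get((initial_ttl(ttl), window, opts), "unknown")
    return {"guess": guess, "hops": initial_ttl(ttl) - ttl,
            "ttl": ttl, "df": df, "window": window, "options": opts}

if __name__ == "__main__":
    print(fingerprint(build_syn(57, 29200, [MSS, SACK_OK, TIMESTAMP, NOP, WSCALE])))
```

Because the attacker never sends a packet, nothing of this shows up in the target's logs; it is also why a NAT or load balancer that rewrites TTLs and windows can make an entire network look like one stack.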

# DNS

Credit: Amir Masoumzadeh

# DNS primer (Domain Name System)
Customers don't remember 1-800-432-1000

Customers certainly won't remember 213.167.142.130
- Same goes for the IPs of all websites

DNS was specified in 1983 (RFC 882/883) to allow names to be associated with IP addresses
- Names are given hierarchically (domains)

# DNS primer
DNS servers are given authority for subtrees of the name hierarchy

# DNS resolver
So how does a client actually use DNS?
- Program calls gethostbyname("syndis.is")
- gethostbyname parses /etc/resolv.conf:
    nameserver 130.2.34.50
    nameserver 8.8.8.8
- A packet is sent to 130.2.34.50 asking about the domain

# DNS resolver
DNS Client 130.2.13.37 -> Local DNS 130.2.34.50:
  [UDP Src 130.2.13.37][UDP Dst 130.2.34.50][Transaction ID 64153] Yo, what's syndis.is?
Local DNS 130.2.34.50 -> DNS Client 130.2.13.37:
  [UDP Src 130.2.34.50][UDP Dst 130.2.13.37][Transaction ID 64153] Hey, it's 4.3.2.1.

# DNS resolver, recursive query
DNS Client 130.2.13.37 -> Local DNS 130.2.34.50:
  [UDP Src 130.2.13.37][UDP Dst 130.2.34.50] Yo, what's syndis.is?
Local DNS 130.2.34.50 -> Upstream DNS 8.8.8.8 (not in cache, so the local server asks upstream):
  [UDP Src 130.2.34.50][UDP Dst 8.8.8.8][Transaction ID 64153] Yo, what's syndis.is?
Upstream DNS 8.8.8.8 -> Local DNS 130.2.34.50:
  [UDP Src 8.8.8.8][UDP Dst 130.2.34.50][Transaction ID 64153] Hey, it's 4.3.2.1.
Local DNS 130.2.34.50 -> DNS Client 130.2.13.37:
  [UDP Src 130.2.34.50][UDP Dst 130.2.13.37] Hey, it's 4.3.2.1.

# DNS resolver
Hax0r t1me
Outgoing queries from Local DNS 130.2.34.50, as seen by tcpdump:
    10:54:12.423228 130.2.34.50.33748 > 66.218.71.63.53: 21345 [1au] A? www.syndis.is. (42) (DF)
    10:54:21.313293 130.2.34.50.33748 > 216.239.38.10.53: 53735 [1au] A? www.google.com. (43) (DF)
    10:54:27.182852 130.2.34.50.33748 > 149.174.213.7.53: 19315 [1au] A? www.ru.is. (45) (DF)
    10:54:43.252461 130.2.34.50.33748 > 66.35.250.11.53: 43129 [1au] A? www.9gag.com. (42) (DF)
What's wrong?
- Every query leaves from the same UDP source port, 33748. The only thing a forger has to guess is the 16-bit transaction ID.

# DNS resolver
Hax0r t1me
Attacker 31.3.3.7 -> Local DNS 130.2.34.50 (many requests for the same name):
  [UDP Src 31.3.3.7][UDP Dst 130.2.34.50] Yo, what's syndis.is?
  [UDP Src 31.3.3.7][UDP Dst 130.2.34.50] Yo, what's syndis.is?
  [UDP Src 31.3.3.7][UDP Dst 130.2.34.50] Yo, what's syndis.is?
Local DNS 130.2.34.50 -> Upstream DNS 8.8.8.8 (one recursive query per request, each with a fresh ID):
  [UDP Src 130.2.34.50][ID 64153][UDP Dst 8.8.8.8] Yo, what's syndis.is?
  [UDP Src 130.2.34.50][ID 23172][UDP Dst 8.8.8.8] Yo, what's syndis.is?
  [UDP Src 130.2.34.50][ID 59774][UDP Dst 8.8.8.8] Yo, what's syndis.is?
Attacker, spoofing 8.8.8.8 -> Local DNS 130.2.34.50 (guessed IDs, racing the real answer):
  [UDP Src 8.8.8.8][ID 12345][UDP Dst 130.2.34.50] Hey, it's 66.66.66.66...
  [UDP Src 8.8.8.8][ID 12346][UDP Dst 130.2.34.50] Hey, it's 66.66.66.66...
  [UDP Src 8.8.8.8][ID 12347][UDP Dst 130.2.34.50] Hey, it's 66.66.66.66...
DNS Client 130.2.13.37: gets whatever the local DNS now has cached

# DNS attack summarized
Transaction IDs are 16 bits

We trigger N recursive queries at the local DNS
- Each query has a random transaction ID

We spoof N responses back to the local DNS
- Each response has a random transaction ID

We succeed if some response matches some query

How likely is this to happen?

# The Birthday Paradox
23 people in a room
How likely is it that two people share the same birthday?

Roughly:

Answer: 50.7%!

# DNS attack analyzed
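The analysis for the two slides above, as an added example that is not code from the lecture: the exact birthday computation, the closed-form success probability for N outstanding queries against N forged responses in a 16-bit ID space, and a Monte Carlo run of the exchange itself. A `port_bits` parameter shows what the source-port randomization fix described later in the deck does to the odds. The query IDs in the formula are assumed distinct (a slight over-estimate for large N); trial counts and the seed are arbitrary.

```python
# Added example (not from the lecture slides): the odds behind the birthday-style
# DNS cache poisoning attack on 16-bit transaction IDs, by formula and by simulation.
import math
import random

def birthday_collision(n, days=365):
    """Exact probability that among n people at least two share a birthday."""
    p_none = 1.0
    for k in range(n):
        p_none *= (days - k) / days
    return 1 - p_none

def spoof_success(n_queries, n_responses, id_bits=16, port_bits=0):
    """P(at least one of n_responses forged replies matches one of n_queries outstanding queries).

    Approximation: the outstanding query IDs are assumed to be distinct.
    n_queries == 1 is the classic single-race attack (success ~ n_responses / space).
    port_bits > 0 models a resolver that also randomizes its UDP source port.
    """
    space = 2 ** (id_bits + port_bits)
    return 1 - (1 - n_queries / space) ** n_responses

def simulate(n_queries, n_responses, trials=2000, id_bits=16, port_bits=0, seed=1):
    """Monte Carlo of the exchange: the resolver draws a random (port, ID) per outstanding
    query; the attacker blindly spoofs responses with random (port, ID) values."""
    rng = random.Random(seed)
    space = 2 ** (id_bits + port_bits)
    hits = 0
    for _ in range(trials):
        outstanding = {rng.randrange(space) for _ in range(n_queries)}
        if any(rng.randrange(space) in outstanding for _ in range(n_responses)):
            hits += 1
    return hits / trials

def queries_for_half(id_bits=16, port_bits=0):
    """Paired queries/responses needed for a ~50% chance: sqrt(space * ln 2)."""
    return math.ceil(math.sqrt(2 ** (id_bits + port_bits) * math.log(2)))

if __name__ == "__main__":
    print(f"23 people: {birthday_collision(23):.3f}")
    for n in (50, 213, 400):
        print(f"N={n}: formula {spoof_success(n, n):.3f}  simulated {simulate(n, n):.3f}")
    print("N for 50% with fixed port:", queries_for_half())
    print("N for 50% with random port:", queries_for_half(port_bits=16))
    print(f"N=213 against random ports: {spoof_success(213, 213, port_bits=16):.2e}")
```

With a fixed source port, a couple of hundred paired packets give even odds, which is why the fixed port 33748 in the tcpdump output is the real bug; with ~16 bits of port entropy the same attacker needs tens of thousands of outstanding queries, and the real answer from the upstream server usually wins the race first.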

# DNS attack overview
DNS cache is poisoned
- DNS clients may be redirected to malicious sites. I can haz your credit card
Several fixes available
- TTL: a cached record is not looked up again until its TTL expires, so the attacker gets one race per TTL. The Kaminsky attack in 2008 showed how this doesn't work: ask for random non-existent names under the victim domain (never cached, so unlimited races) and put the poison in the NS/glue records of the forged reply, which take over the whole domain
- Randomize UDP source ports as well (like in djbdns): the forger now has to guess port and ID, roughly 2^32 possibilities instead of 2^16
- DNSSEC: signed records
- DNSCurve à la djbdns: encrypted and authenticated transport to the name server
- DNS 0x20: randomize the letter case of the query name; a genuine reply echoes it
- Birthday attacks happen in other crypto!

# Demo!
Helgi and Pétur have prepared a demo of an attack
- Goal: Show how a hacker can steal passwords

A key tool being used:

# Optional lab: Blackjack! (+5%)
