View
4.609
Download
1
Tags:
Embed Size (px)
DESCRIPTION
A compilation of attack vectors of the network including TCP/IP stack, Routing algorithms and DNS
Citation preview
n|u
Network and DNS V l bilitiVulnerabilities
Presented by:
Harsimran Walia
Data FormatsData Formats
ApplicationApplication message - data
TCP Header
message
Transport (TCP, UDP) TCP data TCP data TCP datasegment
k tNetwork (IP)
Link Layer
dataTCPIP
dataTCPIPETH ETF
packet
framey
IP Header Link (Ethernet)Header
Link (Ethernet)TrailerHeader Trailer
Internet ProtocolIP
Internet Protocol
Connectionless Version Header LengthT f S iConnectionless
UnreliableBest effort
Type of ServiceTotal LengthIdentification
Flags Fragment Offset
Notes:
Flags
Time to LiveProtocol
Header Checksum
Fragment Offset
src and dest portsnot parts of IP hdr
Source Address of Originating Host
Destination Address of Target Hostg
Options
Padding
IP Data
Packet forgingPacket forging
Client is trusted to embed correct source IPEasy to override using raw socketsLibnet: a library for formatting raw packets with
bit IP h darbitrary IP headers
Anyone who owns their machine can send packets with arbitrary source IP
… response will be sent back to forged source IP
Implications:Anonymous DoS attacks; y ;Anonymous infection attacks
Basic Security ProblemsBasic Security Problems
1. Network packets pass by untrusted hosts1. Network packets pass by untrusted hostsEavesdropping, packet sniffingEspecially easy when attacker controls a p y ymachine close to victim
2. TCP state can be easy to guessEnables spoofing and session hijacking
3. Denial of Service (DoS) vulnerabilities
1 Packet Sniffing1. Packet Sniffing
Promiscuous NIC reads all packetsPromiscuous NIC reads all packetsRead all unencrypted data (e.g., “wireshark”)ftp, telnet (and POP, IMAP) send passwords in clear!p, ( , ) p
Eve
Ali B bNetworkAlice BobNetwork
Prevention: Encryption SSL (is it still secure??)
2 Breaking SSL encryption2. Breaking SSL encryption
Certificate used for encryptionCertificate used for encryption
2 Breaking SSL encryption2. Breaking SSL encryption
Certificate created by attacker and acceptedCertificate created by attacker and accepted by victim (normally a user ignores warning) attacker can-
Sniff the encrypted passwordsDecrypt the passwords
C tCountermeasuresUntrusted certificate should never be accepted
All trusted certificates should be installed in the browserAll trusted certificates should be installed in the browser
Review: TCP HandshakeReview: TCP HandshakeC S
SYN: ListeningSNC←randCANC←0
SYN/ACK: Store SNC , SNSSNS←randSANS←SNC
ACK:Wait
SN←SNC+1AN SNACK:
Established
AN←SNS
2 TCP Connection Spoofing2. TCP Connection Spoofing
Why random initial sequence numbers? (SNC , SNS )y q ( C , S )
Suppose init. sequence numbers are predictableAttacker can create TCP session on behalf of forged source IPAttacker can create TCP session on behalf of forged source IP
Breaks IP-based authentication (e.g. SPF, /etc/hosts )
TCP SYN
VictimSYN/ACKdstIP=victim
ACK
TCP SYNsrcIP=victim
ServerSN=server SNS
ACKsrcIP=victimAN=predicted SNS
attacker
commandserver thinks command is from victim IP addr
Example DoS vulnerabilityExample DoS vulnerability
Suppose attacker can guess seq. number for an pp g qexisting connection:
Attacker can send Reset packet to close connection. Results in DoS.Naively, success prob. is 1/232 (32-bit seq. #’s).Most systems allow for a large window ofMost systems allow for a large window of acceptable seq. #’s
Much higher success probability.
TCP SYN Flood I: low rate TCP SYN Flood I: low rate
C SC
SYN
S Single machine:
• SYN Packets withdSYNC1
SYNC2
random source IPaddresses
Fills up backlog queueSYNC3
SYNC
• Fills up backlog queueon server
• No further connectionsSYNC4
SYNC5
• No further connectionspossible
12
SYN Floods II: Massive flood
Command bot army to flood specific target: (DDoS)y p g
20,000 bots can generate 2Gb/sec of SYNs (2003)
At web site:Saturates network uplink or network routerp
Random source IP ⇒attack SYNs look the same as real SYNs
13
NIC as cpu
Attempt to connect to the victim machine, which fails:
Sending a ‘magic’ packet to the victim:
k d l d iIt worked! Now logged in as root:
14
NIC as cpu
PoC exists with Broadcom (Manufacturer of NICs)
We can remotely execute shell code on the NIC
Through shell code we can read/write data on main
hard drive
As shown we can login as root without even exploiting the systemsystem
15
Routing Vulnerabilities
Routing VulnerabilitiesRouting Vulnerabilities
Common attack: advertise false routesCommon attack: advertise false routesCauses traffic to go though compromised hosts
ARP (addr resolution protocol): IP addr -> eth addrNode A can confuse gateway into sending it traffic for B
OSPF: used for routing within an AS
BGP: routing between ASsAttacker can cause entire Internet to send traffic for a victim IP to attacker’s address.
IssuesIssues
Security problemsSecurity problemsPotential for disruptive attacksBGP packets are un-authenticatedp
Attacker can advertise arbitrary routesAdvertisement will propagate everywhereUsed for DoS and spamUsed for DoS and spam
DoS via route hijacking
YouTube is 208.65.152.0/22 (includes 210 IP addr)youtube com is 208 65 153 238 youtube.com is 208.65.153.238, …
Feb. 2008:Pakistan telecom advertised a BGP path forPakistan telecom advertised a BGP path for
208.65.153.0/24 (includes 28 IP addr)Routing decisions use most specific prefixThe entire Internet now thinks
208 65 153 238 is in Pakistan208.65.153.238 is in PakistanOutage resolved within two hours… but demonstrates huge DoS vuln. with no
solution!
March 2010:1 ISP in US configured BGP route wrongly which led some users from US to be a victim of the great firewall of chinaThese victims were redirected to some Chinese govt. Websites instead of legitimate g gsites
Domain Name System
Domain Name SystemDNS
Domain Name System
Hierarchical Name SpaceHierarchical Name Space
root
comnetorg ukedu ca
orkut yahoo google facebook
www mail
DNS Lookup ExampleDNS Lookup Example
root & comroot & com DNS serverwww.google.com
Client Local DNS resolver
google.comDNS server
DNS record types (partial list):DNS record types (partial list):- NS: name server (points to other server)- A: address record (contains IP address)- MX: address in charge of handling emailMX: address in charge of handling email- TXT: generic text (e.g. used to distribute site public keys (DKIM)
CachingCaching
DNS responses are cached pQuick response for repeated translationsUseful for finding servers as well as addresses
NS records for domainsNS records for domains
DNS negative queries are cachedg qSave time for nonexistent sites, e.g. misspelling
Cached data periodically times outLifetime (TTL) of data controlled by owner of dataTTL passed with every recordTTL passed with every record
DNS cache poisoningDNS cache poisoning
Victim machine visits attacker’s web site, downloads Javascript
user localQuery:a bank com
a.bank.comQID=x1 ns bank comuser
browser DNSresolver
a.bank.com Q 1 ns.bank.com
IPaddr
Random QID y1, y2, …
attackerattacker wins if ∃j: x1 = yjresponse is cached and
NS bank.com=ns.bank.comA ns.bank.com=attackerIP
response is cached andattacker owns bank.com
DefensesDefenses
Increase Query ID size. How?Q y
a. Randomize src port, additional 11 bitsp ,
Now attack takes several hours
b. Ask every DNS query twice:Attacker has to guess QueryID correctly twice (32 bits)
Apparently DNS system cannot handle the load
PharmingPharming
DNS poisoning attack (less common than phishing)p g ( p g)If user visits attacker’s site the cache of user can be poisonedChange IP addresses to redirect URLs to fraudulent sitesPotentially more dangerous than phishing attacksote t a y o e da ge ous t a p s g attac sNo email solicitation is required
DNS poisoning attacks have occurred:DNS poisoning attacks have occurred:January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia. In November 2004 Google and Amazon users were sent toIn November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacyIn March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and jpresented them with the message "God Bless Our Troops"
SpoofingSpoofing
DNS spoofing attack p gIntercept the DNS query from the victimSpoof the ip address of the real urlSend forged DNS response with the attacker’s ipSe d o ged S espo se t t e attac e s pVictim thinks its legitimate as he accessed real url and gets no warningCan be used for phishing attacks where social engineering p g g gnot possible
DNS Rebinding Attack[DWF’96, R’01]
g<iframe src="http://www.evil.com"> DNS-SEC cannot
ns.evil.comwww.evil.com?
171 64 7 115 TTL = 0
stop this attack
Firew
DNS server171.64.7.115 TTL = 0
192.168.0.100
wall www.evil.com
web servercorporate
Read permitted: it’s the “same origin”
171.64.7.115corporate
web server192.168.0.100
Read permitted: it s the same origin
DNS Rebinding DefensesDNS Rebinding Defenses
Browser mitigation: DNS PinningBrowser mitigation: DNS PinningRefuse to switch to a new IPInteracts poorly with proxies, VPN, dynamic DNS, …p y p , , y ,Not consistently implemented in any browser
Server-side defensesCheck Host header for unrecognized domains
Firewall defensesExternal names can’t resolve to internal addressesProtects browsers inside the organization
SummarySummary
Core protocols not designed for securityp g yEavesdropping, Packet injection, Route stealing, DNS poisoning
Patched over time to prevent basic attacksPatched over time to prevent basic attacks(e.g. random TCP SN)
More secure variants exist : IP -> IPsecDNS -> DNSsecBGP -> SBGP