CSE 524: Lecture 17

About This Presentation

Title:

CSE 524: Lecture 17

Description:

Hacking the stack: Network protocol attacks. C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. ... S. Bellovin, M. Leech, T. Taylor, 'ICMP Traceback Messages' ... – PowerPoint PPT presentation

Number of Views:84

Avg rating:3.0/5.0

Slides: 91

Provided by: wuch

Category:

more less

Transcript and Presenter's Notes

Title: CSE 524: Lecture 17

1
CSE 524 Lecture 17

Network security issues

2
Administrative

Programming assignment due Monday 12/1
Arrange with TA
Final project due 12/10

3
Optional material

Hacking the stack Network protocol attacks
Hacking TCP
Hacking routing
Hacking ICMP
Hacking DNS
Reflector attacks
Analyzing attacks
Estimating DoS activity
Tracing the source of attacks
Traceback via traffic injection
Traceback via packet marking
Traceback via logging
Intrusion detection and response
Network IDS
Attacking the detectors

4
Hacking the stack Network protocol attacks

C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A.
Sundaram, D. Zamboni, "Analysis of a Denial of
Service Attack on TCP"
S. Bellovin, "Security Problems in the TCP/IP
Protocol Suite"
S. Bellovin, "Defending against sequence number
attacks"
S. Bellovin, "Packets Found on an Internet"
R. Morris, "A Weakness in the 4.2BSD Unix TCP/IP
Software
B. Cheswick, S. Bellovin, A DNS Filter and
Switch for Packet-filtering Gateways.
S. Savage, N. Cardwell, D. Wetherall, T.
Anderson, TCP Congestion Control with a
Misbehaving Receiver.

5
Hacking TCP SYN Flooding

Attacker sends many connection requests w/
spoofed source addresses to victim
Victim allocates resources for each request
Finite half-open connection requests supported
Connection requests exist for TIMEOUT period
Once resources exhausted, all other requests
rejected

Normal connection est.
Syn Flooding attack
6
Hacking TCP SYN Flooding Defenses

System Configuration Improvements
Reduce timeout period
Increase length of backlog queue to support more
connections
Disable non-essential services to make a smaller
target
Router Configuration Improvements
Configure router external interfaces to block
packets with source addresses from internal
network
Configure router internal interfaces to block
packets to outside that have source addresses
from outside the internal network
TCP SYN cookies
Make handshake stateless on server end
Server makes ISN a function of a secret nonce it
keeps and pieces of the SYN connection ID
Only create TCB and establish connection upon
verifying clients ACK

7
Hacking TCP SYN Flooding Defenses

Firewall as a Relay
Firewall answers on behalf of Destination
Once connection established, firewall predicts
seq and establishes 2nd connection to
Destination
Disadvantage Adds delay for every packet

8
Hacking TCP SYN Flooding Defenses

Firewall as a Semi-transparent Gateway
Forges the 3rd handshake (ack) from the client to
the destination
This moves connection out of backlog queue,
freeing resources
If this is attack, no real ack will happen
Destination will send RST packet terminating
connection
If this is actual connection request the eventual
ack will be ignored as a duplicate
Disadvantages
Large illegitimate open connections if system
under attack
Must very carefully choose timeout periods

9
Hacking TCP SYN Flooding Defenses
Attack w/ semi-transparent gateway
Legit connection w/ semi-transparent gateway
10
Hacking TCP SYN Flooding Defenses

Active Monitor
Program that promiscuously monitors and injects
network traffic to/from machines it is protecting
Monitors net for SYN packets not acknowledged
after a certain period of time
If it detects problems with a half-open
connection it can
Send RST packets to the sender to release
destination resources
Complete the TCP connections by sending the ACK
message
Similar to Semi-Transparent gateways

11
Hacking TCP Congestion control tricks

ACK Division
Receiver can acknowledge segments multiple times
(up to bytes acks)
Leads Sender to grow cwnd faster than normal.
Solution to ACK Division
Modify congestion control to guarantee
segment-level granularity
Only increment MSS when a valid ACK arrives for
the entire segment.

Bunch of acks
Burst 1 RTT later
12
Hacking TCP Congestion control tricks

Duplicate Ack Spoofing
Receiver sends multiple acks/sequence
no way to tell what segment is being acked
Causes sender to enter fast-recovery mode and
inflate cwnd
Solution to Duplicate Ack Spoofing
Add new fields to TCP headers.
nonce nonce-reply random values sent with
segments and replies
Only increment cwnd for ACKs with previously
unseen nonces

Burst of dup acks
Sender enters Fast Recovery and bursts 1 RTT later
13
Hacking TCP Congestion control tricks

Optimistic ACKing
Send acks for segments not yet received
Decrease perceived RTT, affecting CW growth.

Segment acks
Segs arrive
14
Hacking TCP Congestion control tricks

Solution to optimistic acking Cumulative Nonce
Sender sends random number (nonce) with each
packet
Segment size slightly randomized
Receiver sends cumulative sum of nonces
if receiver detects loss, it sends back the last
nonce it received
Why cumulative?
Requires modifications to stack

15
Hacking routing RIP attacks

Attack
Intruder sends bogus routing information to a
target and each of the gateways along the route
Impersonates an unused host
Diverts traffic for that host to the intruders
machine
Impersonates a used host
All traffic to that host routed to the intruders
machine
Intruder inspects packets resends to host w/
source routing
Allows capturing of unencrypted passwords, data,
etc

16
Hacking routing RIP attacks

Defenses
Paranoid gateway
Filters packets based on source and/or
destination addresses
Dont accept new routes to local networks
Messes with fault-tolerance but detects intrusion
attempts
Authenticate RIP packets
Difficult in a broadcast protocol
Only allows for authentication of prior sender
and doesnt address information from a deceived
gateway upstream

17
Hacking ICMP

Attack
Targeted Denial of Service (DoS)
Attacker sends ICMP Redirect message to give a
bogus route
Attacker sends Destination Unreachable or TTL
exceeded messages to reset existing connections
Attacker sends fraudulent Subnet Mask Reply
messages
Blocks communication with target
Defenses
Verify ICMP packet contains a plausible sequence
Dont modify Global Route Table due to ICMP
Redirect messages
Disallow ICMP Redirects?
Check to see if multiple ICMPs from a host agree

18
Hacking DNS

DNS Domain Name System
BSD r
rlogin, rcp, rsh use address based authentication
(reverse lookup)
The problem
No authentication
Responses can contain entries that should not be
trusted but are
Responses are cached
Attacks
Inject bogus DNS responses
Attach additional bogus entries in valid DNS
responses (especially for internal names)

Firewall

Application
Remote Name Server (?)
Local Name Server (Trusted)
Resolver
19
Hacking DNS

Solution DNS Proxy
Filter
Drop malformed packets
Verify
Does the answer, really answer the query made?
Was the answer received from the appropriate
server?
Proxy performs checks on the answers from outside
DNS servers
Located within the firewall on a trusted host
Intercepts DNS queries, filters, modifies and
forwards in appropriate direction

20
Hacking the stack Reflector attacks

A reflector is any IP host that will return a
packet or more if sent a packet.
Reflector cannot easily locate the slave because
of IP spoofing.
Examples
Web servers return SYN ACKS or RSTs in response
to SYN or other TCP packets.
DNS servers return query replies in response to
query requests.
Routers return ICMP Time Exceeded or Host
Unreachable messages in response to particular
IP packets.

21
(No Transcript)
22
Hacking the stack ICMP reflectors

ICMP echo, timestamp, address mask, router
solicitation, information request/reply.
ICMP echo is widely used.
Smurf attacks
ICMP source quench, unreachable, time exceeded,
parameter problem, and redirect.
Important ICMP messages
Host unreachable.
Time exceeded.
Need fragmentation.

23
Hacking the stack TCP reflectors

TCP stack can be made to reflect via
SYN ACK by sending an initial SYN.
Filtering leads to no-remote access.
RST by sending a FIN.
Filtering RST results in clogging of stale
connections state

24
Hacking the stack TCP reflectors

Predictable TCP sequence numbers
If reflector stack has guessable TCP sequence
numbers, its a DISASTER for the victim.
Attacker can drive the Reflector TCP state
machine, making it send ACKs, data segments.
Attack can be amplified by transmitting large
items and exploiting ACK splitting techniques.

25
Hacking the stack TCP for Transactions (T/TCP)
reflectors

Spoof initial SYN packet with acceptable seq. no.
Make an expensive request.
Factors that limit the T/TCP attack
T/TCP server will begin in slow start.
Unless the servers stack has predictable seq.
no.
Amenable to stateless packet filtering.
T/TCP is not widely deployed.

26
Hacking the stack UDP reflectors

UDP
Application-specific
Quake Qstat
Counter-strike clients
DNS

27
Hacking the stack DNS reflectors

DNS
Reflector sending DNS reply in response to a
spoofed DNS request.
Victim can configure its local DNS servers so as
to filter out unknown DNS server responses.
If the victim is a name server
Attacker can query a large number of DNS servers
which in turn recursively query the Victim.
Victim server gets bombarded due to multiple
queries.
DNS queries neednt even be spoofed.
Send valid queries to a large set of known DNS
servers
Arbitrary names not just the ones responsible for
Caching at the reflector server doesnt help.
Solution Provide filtering in name servers so as
to serve recursive queries from local addresses,
coupled with ingress filtering.

28
Hacking the stack SNMP reflectors

SNMP (UDP-based request/reply)
Sites that fail to block off-site access to SNMP
provide a large number of reflectors.
SNMP attack is sourced at port 161.
Filtering out the external SNMP messages leads to
major problem for service providers.
Configure the filter to receive SNMP messages
from interested hosts.

29
Hacking the stack HTTP reflectors

HTTP proxies
HTTP proxy caches provide a way that an HTTP
client can manipulate a proxy server into
initiating a connection to a victim web server.
HTTP proxy servers act as reflectors for the DDOS
attacks.
HTTP - Limitations
Proxies can be configured to serve a restricted
set of clients.
There are not enough proxy caches to constitute a
large pool of possible reflectors.
Connection between slave and the reflector cannot
be spoofed unless the reflecting proxy has
predictable sequence numbers. Logging helps in
identifying the slaves location.
Definitely a major threat if servers running on
stacks with predictable sequence numbers are
widely deployed.

30
Hacking the stack FTP reflectors

See previous lecture on server-to-server transfers

31
Hacking the stack Gnutella

Gnutella attack
Provides a push facility that instructs the
server to connect to a given IP address and port
in order to deliver the Gnutella item.
Gnutella connection to the IP host is separated
from the initial client making it impossible to
trace back to the slave.
Fix
Modify the protocol to include path information
with push directives
Gnutella could be a major problem for DDOS
reflector attacks.

32
(No Transcript)
33
Analyzing attacks

D. Moore, G. Voelker, S. Savage Inferring
Internet Denial-of-Service Activity

34
Analyzing attacks Backscatter

Attackers spoof source address randomly
Small frequent packets. (packet/sec bottleneck)
e.g. TCP SYN -gt victim allocate data structure
for arriving packets (for unmatched to existing
connections)
Victims, in turn, respond to attack packets
Remotely controlled Zombies for DDoS
Unsolicited responses (backscatter) equally
distributed across IP space
Received backscatter is evidence of an attacker
elsewhere

35
From caida page
36
From caida page
37
Analyzing attacks Backscatter

Backscatter analysis provides quantitative data
for a global view on DoS activity using local
monitoring
Videos
Traffic Characterisation (How Data Gathered)
http//www.caida.org/outreach/resources/animations
/passive_monitoring/traffic_char.mpg (1min12s)
TCP Port Analysis
http//www.caida.org/outreach/resources/animations
/passive_monitoring/tcp_port_analysis.mpg
(2min15s)
Backscatter
http//www.caida.org/outreach/resources/animations
/passive_monitoring/backscatter.mpg (1min26)

38
Analyzing attacks Assumptions

Address Uniformity
Reliable delivery
Backscatter not lost
Backscatter hypothesis
Unsolicited packets represent backscatter
In fact any server can send
Reflector attack may not be detected
Not random IP-forgery
Some attacks (e.g. TCP-RST) doesnt produce
backscatter.

39
(No Transcript)
40
Analyzing attacks Backscatter platform
41
Analyzing attacks Results

13000 attacks in 3 weeks
5000 victim IP addresses on 2000 domains
200 million backscatter packets
256 lt Real attack packets
Most attacks short, some longer persistent ones
Mostly TCP (90-94)
Some large ICMP storms (43 of all packets)
Attacks cover most ports, but HTTP and IRC
singled out
How serious is this?
500 packets enough to overwhelm server
38-46 of attacks (unif.-all)
14000 packets enough to overwhelm firewall
0.3-2.4 of attacks (unif.-all)

42
Analyzing attacks Victim characterization

Entire spectrum of sites and businesses
Yahoo!, Amazon, CNN, etc.
Small attacks from personal vendettas
10-20 targeted towards home machines
Attacks on infrastructure
5 directed towards routers and root DNS servers

43
Traceback

H. Burch, B. Cheswick, "Tracing Anonymous Packets
to Their Approximate Source
S. Bellovin, M. Leech, T. Taylor, "ICMP Traceback
Messages"
A. Mankin, D. Massey, C. Wu, S. Wu, L. Zhang, "On
Design and Evaluation of "Intention-Driven" ICMP
Traceback
A. Snoeren, C. Partridge, L. Sanchez, C. Jones,
F. Tchakountio, S. Kent and W. Strayer,
Hash-Based IP Traceback

44
Traceback Motivation

DoS attacks
IP spoofing
No one checks source IP address to drop spoofed
packets
TCP SYN floods, Smurf (ICMP echo to broadcast
addresses)
Difficult to get the help of upstream ISP
Lack skill
Lack resources (might be 6pm on Friday)
In a different country (speak different language,
etc)
Require automatic way of identifying where the
traffic is coming from without human intervention

45
Traceback Problem

Goal
Given set of packets
Determine path
Assumptions
Most routers remain uncompromised
Attacker sends many packets
Route from attacker to victim remains relatively
stable

A4
A5
A1
A2
A3
R6
R7
R8
R9
R10
R12
V
46
Traceback schemes

Record Route
Traffic injection
ICMP Trace (ITRACE)
Probabilistic packet marking
Logging and query
Source Path Isolation Engine (SPIE)
Reverse ITRACE
Subverting Traceback schemes

47
Traceback Record Route

Record path
Each router adds IP address to packet
Victim reads path from packet

Problem
Requires space in packet
Path can be long
No extra fields in current IP format
Changes to packet format are not practical

48
Traceback Traffic injection

Create a map of routes from victim to every
network
Burst TCP/UDP packets to each and see if you are
affected
TCP/UDP chargen service
Generates continuous data to anyone who connects
to service
If DoS stream perturbed, you have a candidate
Problems
Finding open chargen service
Asymmetric routing
Must generate sufficient load to perturb stream
especially when there are multiple attacking
hosts
Easy to thwart
Vary source of attack by altering frequency of
packets
Attack from many sources
Still cant turn attackers offMust notify
upstream ISP to stop

49
Traceback Leverage volume of attack (Part 1)

Many packets
DDoS involves many packets on same path
Have routers periodically send message to victim
Each router sends message to Victim for every X
packets it forwards to victim

A4
A5
A1
A2
A3
R6
R7
R8
R9
R10
R12
V
50
Traceback ICMP trace

ICMP traceback messages
Routers periodically issue traceback ICMP
messages to destination
Send 1 message for every 20000 packets forwarded
to destination
0.1 overhead
Similar to RouteRecord, collects intermediate
hops along the way to destination
Over time, leaves a trail of where packets are
being sourced from
Problems
Skilled attacker spoofing traceback messages to
conceal the real source of attack
Requires some signature and trust management
Skilled attacker uses zombies to flood each other
along with victim to reduce the amount of
traceback messages sent
Background noise
Only want traceback messages from far away

51
Traceback Leverage volume of attack (Part 2)

Many packets
DDoS involves many packets on same path
Store one link in each packet
Probabilistically store your own address or edge
in packet using unused IP header fields (IP
identifier)
lt 0.25 of traffic fragmented
Fixed space regardless of path length

A4
A5
A1
A2
A3
R6
R7
R8
R9
R10
R12
V
52
Traceback IP traceback w/ edge sampling

Data fields
Edge start and end IP addresses
Distance number of hops since edge stored
Marking procedure for router R
with probability p
write R into start address
write 0 into distance field
else
if distance 0 write R into end field
increment distance field

53
Traceback IP traceback w/ edge sampling

Packet received
R1 receives packet from source or another router
Packet contains space for start, end, distance

R1
R2
R3
54
Traceback IP traceback w/ edge sampling

Begin writing edge
R1 chooses to write start of edge
Sets distance to 0

R1
R2
R3
55
Traceback IP traceback w/ edge sampling

Finish writing edge
R2 chooses not to overwrite edge
Distance is 0
Write end of edge, increment distance to 1

R1
R2
R3
56
Traceback IP traceback w/ edge sampling

Increment distance
R3 chooses not to overwrite edge
Distance gt0
Increment distance to 2

R1
R2
R3
57
Traceback IP traceback w/ edge sampling Path
reconstruction

Extract identifiers from attack packets
Build graph rooted at victim
Each (start,end,distance) tuple is an edge
Eliminate edges with inconsistent distance
Traverse edges from root to find attack paths
packets needed to reconstruct path
E(X) lt
where p is marking probability, d is length of
path

ln(d) p(1-p)d-1
Optimal p is 1/d can vary probability by
distance
58
Traceback IP traceback w/ node sampling

Less data than edge sampling
Each router writes own address with probability p
Infer order by number of packets
Router at distance d has probability p(1-p)d of
showing up in marked packet

p
1-p
1-p
1-p
R
V
d

Problems
Need many packets to infer path order
Does not work well if many paths

59
Traceback Reduce Space Requirement

IP identifier is 16 bits
Distance, node addresses, larger
Solution
Break into chunks
XOR edge IP addresses
Store edge as start end
Work backwards to get path
(start end) end start
Sample attack path

b c
c d
d
a b
a
b
c
d
V
60
Traceback Where to store the info?

Identification field
Used for fragmentation
Fragmentation is rare
16 bits
Store edge in 16 bits?
Break into chunks
Store start end

Identification
offset
distance
edge chunk
0 2 3 7 8 15
61
Traceback IP traceback convergence time
62
Traceback IP traceback w/ edge sampling

Benefits
Practical algorithm for tracing anonymous attacks
Can reduce per-packet space overhead (at a cost)
Potential encoding into current IP packet header
Weaknesses
Path validation/authentication
Robustness in highly distributed attacks
Both addressed nicely in SongPerrig00
Compatibility issues (IPsec AH, IPv6)
Origin laundering (reflectors, tunnels, etc)

63
Traceback Hash-based logging
R
R
A
R
R
R
R
R7
R4
R6
R5
R
R3
R1
R2
V
64
Traceback Logging

Each forwarding decision is recorded
Traceback request queries upstream routers to ask
if the router forwarded a particular packet
Difficulties
Attack path reconstruction is difficult
Packet may be transformed as it moves through the
network
Full packet storage is problematic
Memory requirements are prohibitive at high line
speeds (OC-192 is 10Mpkt/sec)
Extensive packet logs are a privacy risk
Traffic repositories may aid eavesdroppers

65
Traceback Logging

Compute packet digest
Compute hash(p)
Invariant fields of p only
28 bytes hash input, 0.00092 WAN collision rate
Fixed sized hash output, n-bits
Store in Bloom filter (more later)
Compute k independent digests
Increased robustness
Reduced collisions, reduced false positive rate
Flush filter every time interval, t

66
Traceback Hash-based loggingHash-input
(Invariant Content)
Total Length
Ver
TOS
HLen
Identification
Fragment Offset
M F
D F
Checksum
TTL
Protocol
28 bytes
Source Address
Destination Address
Options
First 8 bytes of Payload
Remainder of Payload
67
Traceback Bloom filter
NL virtual bins out of LN actual bins
68
Traceback Reverse ITRACE

R-ITRACE routers send ICMP messages to the source
of the just-processed packet rather than its
destination (unlike ITRACE).
Routers on the path between slave and the
reflector will send ICMP messages to Victim to
enable trace back to the slaves.
Efficacy does not depend on Nr but only on Ns.

69
Traceback Subversion via reflectors

Major advantage to attackers
Protection from trace back mechanisms.
Traceback mechanisms fail since they cannot trace
back directly to slave
Reflector operator must be involved
Administratively cumbersome.
Source Path Isolation Engine (SPIE) helps.
Note reflectors need not serve as amplifiers.
Non-spoofed reflector attacks will expose the
slave to quick traceback.

70
Traceback Defense against Reflectors

Prevent spoofing source address by ubiquitous
deployment of ingress filtering.
Application level reflectors such as recursive
DNS queries or HTTP proxy requests can still be
used.
Disadvantage Not feasible.
Heavy-duty filtering at victim or at reflector
Disadvantage Requires widespread deployment of
filtering.

71
Traceback Defense against Reflectors

Deploy traceback mechanisms that incorporate the
reflector end-host software itself in the scheme,
allowing traceback through the reflector back to
the slave.
Disadvantage Enormous deployment difficulties.
Intrusion Detection Systems (IDS) monitor a
sites network for active slaves.
Disadvantage Requires widespread deployment of
security technology.

72
Traceback Other solutions

Ingress filtering
Block outgoing packets without appropriate source
address
Backbone filtering
Use knowledge of BGP to guess if packets source
address could have possibly originated from a
particular direction
Routing instability makes this hard
Lack of resources at routers makes this hard

73
Intrusion Detection Systems

T. Ptacek, T. Newsham, Insertion, Evasion and
Denial of Service Eluding Network Intrusion
Detection (Jan 98)
B. Sanford, IP Fragmentation and fragrouter
(Dec 00)
S. Patton, W. Yurcik, D. Doss, An Achilles Heel
in Signature-based IDS Squealing False Positives
in SNORT (01)
G. Malan, D. Watson, F. Jahanian, P. Howell,
"Transport and Application Protocol Scrubbing"
M. Handley, V. Paxson, C. Kreibich, Network
Intrusion Detection Evasion, Traffic
Normalization and End - End semantics (01)

74
IDS

Introduction to IDS
Some popular IDSs
Problems with IDSs
Insertion, evasion, denial-of-service
IP Fragmentation fragrouter
Squealing in SNORT
Counter-measures
Protocol scrubbing
Traffic normalization

75
IDS What do they do?

Detect intrusion attempt or a threat potential
possibility of a deliberate unauthorized attempt
to access/manipulate information, or render a
system unreliable or unusable.
Types of IDS
Host-based
Network IDS
Example IDSs
ISS RealSecure, WheelGroup NetRanger, Network
Flight Recorder, Snort

76
IDS Principles

Passive monitoring
Signature Analysis
Need for reliable ID
accuracy false positives and false negatives
fail-open if an attacker disables the IDS,
entire network is still accessible
forensic value of information

77
IDS Fundamental problems

Deployed on a different box and/or different
network
Protocol implementation ambiguities
Different protocol stacks have different behavior
NIDS could see a different stream of packets than
host
Inaccuracies
False positives
incorrectly identify an intrusion when none has
occurred
False negatives
incorrectly fail to identify an intrusion that
has actually occurred

78
IDS Attacks

Insertion
IDS thinks packets are valid end system rejects
these
Evasion
end system accepts packets that IDS rejects
Denial of Service
resource exhaustion
Examples

79
IDS Popular problems/attacks

TCP/IP Options fields
TCB Creation/Teardown
TCP Stream Reassembly
IP Fragmentation
overlapping fragments

80
IDS IP Fragmentation

Allows IP traffic over different network media
with different max packet sizes
IP stacks do not handle reassembly well
can lead to DOS (teardrop, jolt2)
Fragrouter
NIDS testing tool
accepts IP packets routed from another system
fragments these packets according to various
schemes

81
IDS Popular problems/attacks

Resource Exhaustion
CPU, Memory, Network Bandwidth
Abusing reactive IDS
attack to generate false positives
IDS shuts down valid connections, blocks valid
traffic etc.
Results in IDS triggering a DOS

82
IDS False positives

Abuse by generating loads of false positives
Squealing Noise made by pigs during periods of
distemperment
Boy cried wolf too many times
additionally, boy may not recognize the wolf when
it actually appears!
Example using Snort
open-source, free, lightweight NIDS

83
IDS Attacking Snort

Limitation is not in correctly identifying
attacks, but in the ability to suppress false
positives
PCP
Tool for generating false positives
packet writing and argument parsing

84
IDS Squeal attack types