Information Security CS 526 Lecture 29 - PowerPoint PPT Presentation
Description:

Ethernet, Wi-Fi, token ring, PPP, SLIP, FDDI, ATM, Frame Relay, SMDS ... DNS, TFTP, TLS/SSL, FTP, Gopher, HTTP, IMAP, IRC, NNTP, POP3, SIP, SMTP, SNMP, ... – PowerPoint PPT presentation
Provided by: NINGH7
1
Information Security CS 526 Lecture 29
  • Network Security

2
Internet Infrastructure
Backbone
ISP
ISP
  • Local and interdomain routing
  • TCP/IP for routing, connections
  • BGP for routing announcements
  • Domain Name System
  • Find IP address from symbolic name

3
TCP Protocol Stack
Figure: TCP/IP protocol stack on two hosts. Layers from top to bottom: Application, Transport, Network (IP), Link (Data Link, Network Access). The application protocol runs end to end between the two applications, the TCP protocol between the two transport layers, and the IP protocol hop by hop across the network.
4
Protocols
5
Internet Protocol
IP
  • Connectionless
  • Unreliable
  • Best effort
  • Transfer datagram
  • Header
  • Data

6
IP Routing
Figure: route from Meg to Tom through an office gateway and an ISP; the hosts and gateways are shown with numeric addresses 121.42.33.12, 121.42.33.1, 132.14.11.1 and 132.14.11.51.
  • Internet routing uses numeric IP address
  • Typical route uses several hops

7
IP Protocol Functions (Summary)
  • Routing
  • IP host knows location of router (gateway)
  • IP gateway must know route to other networks
  • Fragmentation and reassembly
  • If max-packet-size less than the user-data-size
  • Error reporting
  • ICMP packet to source if packet is dropped

8
User Datagram Protocol
  • IP provides routing
  • IP address gets datagram to a specific machine
  • UDP separates traffic by port
  • Destination port number gets UDP datagram to
    particular application process, e.g.,
    128.3.23.3:53
  • Source port number provides return address
  • Minimal guarantees
  • No acknowledgment
  • No flow control
  • No message continuation

9
Transmission Control Protocol
  • Connection-oriented, preserves order
  • Sender
  • Break data into packets
  • Attach packet numbers
  • Receiver
  • Acknowledge receipt; lost packets are resent
  • Reassemble packets in correct order

Figure: analogy of mailing a book one numbered page at a time, with the pages reassembled into the book at the receiver.
10
Internet Control Message Protocol
  • Provides feedback about network operation
  • Error reporting
  • Reachability testing
  • Congestion Control
  • Example message types
  • Destination unreachable
  • Time-to-live exceeded
  • Parameter problem
  • Redirect to better gateway
  • Echo/echo reply - reachability test
  • Timestamp request/reply - measure transit delay

11
Address Resolution Protocol (ARP)
  • Primarily used to translate IP addresses to
    Ethernet MAC addresses
  • Also used for IP over other LAN technologies,
    e.g., FDDI, or IEEE 802.11
  • Each host maintains a table of IP to MAC
    addresses
  • Message types
  • ARP request
  • ARP reply
  • ARP announcement

12
Some Security Problems
  • ARP is not authenticated
  • ARP spoofing (or ARP poisoning)
  • Network packets pass by untrusted hosts
  • Eavesdropping, packet sniffing (e.g., ngrep)
  • Session Hijacking Attacks
  • TCP state can be easy to guess
  • TCP spoofing attack

13
ARP Spoofing (ARP Poisoning)
  • Send fake, or 'spoofed', ARP messages to an
    Ethernet LAN
  • Goal: have other machines associate IP addresses
    with the attacker's MAC
  • Defenses
  • static ARP table
  • detection: Arpwatch, DHCP snooping
  • Legitimate use
  • redirect a user to a registration page before
    allowing use of the network
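The detection defense on this slide (Arpwatch) works by remembering which MAC address each IP has been seen with and alerting when an ARP reply or announcement rebinds a known IP to a different MAC. The following is an added example, not code from the lecture or from Arpwatch itself; the ARP messages and addresses are constructed sample data, and the operator-pinned "static" table stands in for the static ARP entries the slide also mentions.

```python
"""Arpwatch-style detection of IP-to-MAC binding changes (added example)."""
from dataclasses import dataclass, field


@dataclass
class ArpMessage:
    op: str          # "request", "reply" or "announcement"
    sender_ip: str
    sender_mac: str


@dataclass
class ArpWatcher:
    table: dict = field(default_factory=dict)   # ip -> mac first seen on the wire
    static: dict = field(default_factory=dict)  # operator-pinned bindings (never learned)
    alerts: list = field(default_factory=list)

    def observe(self, msg):
        # Only replies and gratuitous announcements carry a binding that other
        # hosts will insert into their ARP cache; plain requests are ignored.
        if msg.op not in ("reply", "announcement"):
            return None
        expected = self.static.get(msg.sender_ip) or self.table.get(msg.sender_ip)
        if expected is None:
            # First time this IP is seen: learn the binding.
            self.table[msg.sender_ip] = msg.sender_mac
            return None
        if expected.lower() != msg.sender_mac.lower():
            # A known IP now claims a different MAC: this is what poisoning looks like.
            alert = (f"{msg.sender_ip} changed from {expected} to "
                     f"{msg.sender_mac} via ARP {msg.op}")
            self.alerts.append(alert)
            return alert
        return None


def run_demo():
    """Feed constructed ARP traffic through the watcher and return the alerts."""
    watcher = ArpWatcher(static={"10.0.0.1": "00:11:22:33:44:01"})  # gateway pinned
    sample = [  # constructed messages, not a real capture
        ArpMessage("request", "10.0.0.5", "00:11:22:33:44:05"),
        ArpMessage("reply", "10.0.0.5", "00:11:22:33:44:05"),
        ArpMessage("reply", "10.0.0.5", "00:11:22:33:44:05"),        # same binding, no alert
        ArpMessage("announcement", "10.0.0.1", "de:ad:be:ef:00:01"),  # someone claims the gateway IP
        ArpMessage("reply", "10.0.0.5", "de:ad:be:ef:00:01"),        # and rebinds another host too
    ]
    for m in sample:
        watcher.observe(m)
    return watcher.alerts


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT:", line)
```

The static table wins over the learned table, so a pinned gateway entry is flagged even if the watcher only started running after the spoofed announcement. A watcher like this needs to see the LAN's broadcast ARP traffic, which is why it is usually run on a mirror port or on the switch itself (DHCP snooping is the switch-side equivalent).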

14
Packet Sniffing
  • Promiscuous NIC reads all packets
  • Read all unencrypted data (e.g., ngrep)
  • ftp, telnet send passwords in clear!

Figure: Eve sniffs the network traffic between Alice and Bob.
Prevention: encryption (IPsec)
15
Tools for Network Sniffing
  • tcpdump
  • Windump
  • Snort (network sniffer and network intrusion
    detection system)
  • Wireshark (formerly Ethereal)
  • history of many buffer overflow vulnerabilities
  • Sniffit
  • Dsniff

16
Passive Sniffing and Active Sniffing on LAN
  • Sniffing through a hub
  • a hub forwards all traffic to all connected ports
  • allows passive sniffing
  • Active sniffing through a switch
  • tool dsniff
  • flooding attacks
  • using ARP spoofing

17
Session Hijacking Attacks
  • Host-based session hijacking
  • with root privilege, an attacker can read and write
    local terminal devices
  • Network-based session hijacking
  • often against TCP

18
Risks from Session Hijacking
  • Inject data into unencrypted server-to-server
    traffic, such as an e-mail exchange, DNS zone
    transfers, etc.
  • Inject data into unencrypted client-to-server
    traffic, such as ftp file downloads, http
    responses.
  • IP addresses often used for preliminary checks on
    firewalls or at the service level.
  • Hide origin of malicious attacks.
  • Carry out MITM attacks on weak cryptographic
    protocols.
  • often result in warnings to users that get
    ignored
  • Denial of service attacks, such as resetting the
    connection.

19
TCP Session Hijacking
  • Each TCP connection has an associated state
  • Client IP and port number; same for server
  • Sequence numbers for client, server flows
  • Problem
  • Easy to guess state
  • Port numbers are standard
  • Sequence numbers often chosen in predictable way

20
IP Spoofing Attack
Figure: server A, trusted host B, and attacker E.
  • A, B trusted connection
  • Send packets with predictable seq numbers
  • E impersonates B to A
  • Opens connection to A to get initial seq number
  • DoS B's queue
  • Sends packets to A that resemble B's transmission
  • E cannot receive, but may execute commands on A

Attack can be blocked if E is outside the firewall.
21
TCP Sequence Numbers
  • Need high degree of unpredictability
  • If attacker knows initial seq and amount of
    traffic sent, can estimate likely current values
  • Send a flood of packets with likely seq numbers
  • Attacker can inject packets into existing
    connection
  • Some implementations are vulnerable

22
DoS vulnerability
  • Suppose attacker can guess seq. number for an
    existing connection
  • Attacker can send Reset packet to close
    connection. Results in DoS.
  • Naively, success prob. is 1/2^32 (32-bit seq.
    numbers).
  • Most systems allow for a large window of
    acceptable seq. numbers
  • Much higher success probability.
  • Attack is most effective against long lived
    connections, e.g. BGP.

23
Cryptographic network protection
  • Solutions above the transport layer
  • Examples: SSL and SSH
  • Protect against session hijacking and injected
    data
  • Do not protect against denial-of-service attacks
    caused by spoofed packets
  • Solutions at network layer
  • Use cryptographically random ISNs (RFC 1948)
  • More generally, IPsec
  • Can protect against
  • session hijacking and injection of data
  • denial-of-service attacks using session resets
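Two things on the last few slides are worth seeing in code: how much the receiver's acceptance window lowers the work of a blind reset (slide 22), and what the RFC 1948 network-layer fix looks like (slide 23). The block below is an added example, not code from the lecture or from any operating system's TCP stack. The ISN construction follows RFC 1948's formula ISN = M + F(local IP, local port, remote IP, remote port, secret); using MD5 over the 4-tuple and a per-boot secret, and a 4 µs tick for M, are this example's choices. The probability calculation is the slide's own reasoning carried through.

```python
"""Blind-RST work factor and RFC 1948 style ISN generation (added example)."""
import hashlib
import os
import time

TWO_32 = 2 ** 32


def blind_rst_attempts(window):
    """Spoofed RST packets needed to cover the 32-bit sequence space.

    With a window of 1 the attacker must try every value (2^32, the naive
    1/2^32 success probability from slide 22). If the receiver accepts any
    RST whose sequence number falls inside a window of `window` values, the
    space can be covered in ceil(2^32 / window) disjoint tries.
    """
    if not 1 <= window <= TWO_32:
        raise ValueError("window must be between 1 and 2^32")
    return -(-TWO_32 // window)  # ceiling division


def success_probability(window, attempts):
    """Probability that `attempts` evenly spaced guesses hit the window."""
    return min(1.0, attempts * window / TWO_32)


class IsnGenerator:
    """ISN = M + F(4-tuple, secret), so one connection's ISN says nothing
    about another's: the attacker E on slide 20 learns F for E<->A, not
    for B<->A, and cannot extrapolate."""

    def __init__(self, secret=None, clock=None):
        self.secret = secret if secret is not None else os.urandom(16)  # per-boot secret
        # M: a counter advancing every 4 microseconds (assumption for this example)
        self.clock = clock or (lambda: int(time.monotonic() * 250_000))

    def isn(self, local_ip, local_port, remote_ip, remote_port):
        m = self.clock() & 0xFFFFFFFF
        key = f"{local_ip}:{local_port}|{remote_ip}:{remote_port}".encode()
        f = int.from_bytes(hashlib.md5(key + self.secret).digest()[:4], "big")
        return (m + f) & 0xFFFFFFFF


if __name__ == "__main__":
    for w in (1, 2 ** 16, 2 ** 20):
        print(f"window {w:>8}: {blind_rst_attempts(w):>10} RSTs to cover the space")
    gen = IsnGenerator()
    a = gen.isn("10.0.0.1", 179, "10.0.0.2", 40000)   # e.g. a long-lived BGP session
    b = gen.isn("10.0.0.1", 179, "10.0.0.3", 40001)   # a connection the attacker controls
    print(f"ISN for peer .2: {a:#010x}, for peer .3: {b:#010x}")
```

The work factor is why the slide singles out long-lived connections such as BGP: a session that stays up for hours gives an attacker time to send the whole covering set, and a large window shrinks that set from billions to tens of thousands of packets. The ISN generator does not change the window, so it is paired on slide 23 with the remark that only the network-layer solutions (including IPsec) also cover reset-based denial of service.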

24
Summary
  • ARP spoofing (ARP poisoning)
  • fixed mapping, access control, or detection
  • Eavesdropping
  • Encryption, improved routing
  • Session Hijacking
  • Use less predictable sequence numbers

25
Categories of Denial-of-service Attacks
26
TCP Handshake
Figure: three-way handshake between client C and server S.
  1. C → S: SYN_C (S is listening)
  2. S → C: SYN_S, ACK_C (S stores connection data and waits)
  3. C → S: ACK_S (connected)
27
SYN Flooding
Figure: client C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5, ... to listening server S, which stores connection data for each one and never receives the final ACK.
28
SYN Flooding
  • Attacker sends many connection requests
  • Spoofed source addresses
  • Victim allocates resources for each request
  • Connection requests exist until timeout
  • Fixed bound on half-open connections
  • Resources exhausted → requests rejected
  • No more effective than other channel-capacity-based
    attacks today
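The slide's four mechanics (state allocated per SYN, a fixed bound on half-open connections, entries that live until a timeout, and rejection once the bound is hit) are easiest to see in a small simulation. The following is an added example, not code from the lecture; the flood rate, table size, timeout and addresses are constructed parameters, and the "server" is just a table of half-open entries keyed by source address and port.

```python
"""Half-open connection table under a SYN flood (added example)."""
from collections import OrderedDict


class HalfOpenTable:
    """Server-side state for connections that have sent SYN but not yet ACK."""

    def __init__(self, max_half_open, timeout):
        self.max_half_open = max_half_open   # fixed bound on half-open connections
        self.timeout = timeout               # seconds an unanswered SYN-ACK is kept
        self.pending = OrderedDict()         # (src_ip, src_port) -> time SYN arrived
        self.accepted = 0
        self.rejected = 0

    def expire(self, now):
        # Entries are inserted in time order, so expire from the oldest end.
        while self.pending:
            _, t = next(iter(self.pending.items()))
            if now - t < self.timeout:
                break
            self.pending.popitem(last=False)

    def on_syn(self, src, now):
        """Return True if the server allocates state and would send SYN-ACK."""
        self.expire(now)
        if len(self.pending) >= self.max_half_open:
            self.rejected += 1          # resources exhausted -> request rejected
            return False
        self.pending[src] = now         # "store data" for this half-open connection
        self.accepted += 1
        return True

    def on_ack(self, src, now):
        """Complete the handshake; False if there is no matching half-open entry."""
        self.expire(now)
        return self.pending.pop(src, None) is not None


def simulate_flood(max_half_open=128, timeout=60, syn_rate=100, duration=10):
    """Spoofed SYNs arrive at syn_rate per second and never complete; one
    legitimate client tries to connect each second. Returns how the
    legitimate client fared."""
    table = HalfOpenTable(max_half_open, timeout)
    legit_ok = 0
    for t in range(duration):
        for i in range(syn_rate):
            # constructed spoofed sources; no ACK ever comes back for these
            table.on_syn((f"198.51.100.{i % 250}", 1024 + t * syn_rate + i), t)
        client = ("203.0.113.7", 40000 + t)
        if table.on_syn(client, t) and table.on_ack(client, t):
            legit_ok += 1
    return {"legit_ok": legit_ok, "rejected": table.rejected,
            "half_open": len(table.pending)}


if __name__ == "__main__":
    print("long timeout :", simulate_flood())
    print("short timeout:", simulate_flood(timeout=1))
```

With the defaults the table fills during the second simulated second and every later request, legitimate or not, is rejected. With a timeout of one second the old entries drain as fast as this modest flood adds them and every legitimate connection succeeds, which illustrates the slide's last point: against a bounded table with timeouts, the attacker has to sustain a rate that exceeds table size over timeout, so the attack degenerates into an ordinary capacity contest.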

29
Smurf DoS Attack
Figure: (1) DoS source sends ICMP Echo Request with source = DoS target and destination = broadcast address, through the gateway; (3) every host replies with ICMP Echo Reply to destination = DoS target.
  • Send ping request to broadcast addr (ICMP Echo
    Req)
  • Lots of responses
  • Every host on target network generates a ping
    reply (ICMP Echo Reply) to victim
  • Ping reply stream can overload victim

Prevention: reject external packets to broadcast
address
30
Distributed DoS (DDoS)
31
DDoS
  • Example TFN2K tool
  • UDP floods, SYN floods, ICMP floods, Smurf
  • Cryptographic authentication for commands sent
    from client (handler) to zombie
  • Use PING reply to communicate
  • spoof source addresses of all communications
  • makes tracing difficult

32
Hiding DDoS Attacks
  • Reflection
  • Find big sites with lots of resources, send
    packets with spoofed source address, response to
    victim
  • PING → PING response
  • SYN → SYN-ACK
  • Pulsing zombie floods
  • each zombie active briefly, then goes dormant
  • zombies taking turns attacking
  • making tracing difficult

33
Domain Name System
DNS
  • Hierarchical Name Space

Figure: DNS name hierarchy. root → edu, uk, com, net, org, ca; edu → stanford, cmu, mit, ucb, wisc; stanford → cs, ee; cs → www.
34
DNS Root Name Servers
  • Hierarchical service
  • Root name servers for top-level domains
  • Authoritative name servers for subdomains
  • Local name resolvers contact authoritative
    servers when they do not know a name

35
DNS Lookup Example
Figure: lookup of www.cs.stanford.edu. The client asks the local DNS resolver; the resolver asks the root/edu DNS server, which answers with NS stanford.edu; the stanford.edu DNS server answers with NS cs.stanford.edu; the cs.stanford.edu DNS server returns the IP address of www, which the resolver passes back to the client.
36
Caching
  • DNS responses are cached
  • Quick response for repeated translations
  • Useful for finding servers as well as addresses
  • NS records for domains
  • Negative results are cached
  • Save time for nonexistent sites, e.g. misspelling
  • Cached data periodically times out

37
Lookup using cached DNS server
Figure: lookup of ftp.cs.stanford.edu with a warm cache. The local DNS recursive resolver already holds the NS record for cs.stanford.edu, so it queries the cs.stanford.edu DNS server directly, skipping the root/edu and stanford.edu servers, and returns ftp's IP address to the client.
38
Inherent DNS Vulnerabilities
  • Users/hosts typically trust the host-address
    mapping provided by DNS
  • Obvious problems
  • Interception of requests or compromise of DNS
    servers can result in incorrect or malicious
    responses
  • Solution: authenticated requests/responses

39
DNS cache poisoning
  • DNS resource records (see RFC 1034)
  • An A record supplies a host IP address
  • An NS record supplies the name server for a domain
  • Example
  • www.evil.org NS ns.yahoo.com // delegate to yahoo
  • ns.yahoo.com A 1.2.3.4 // address for
    yahoo
  • Result
  • If resolver looks up www.evil.org, then evil name
    server will give resolver address 1.2.3.4 for
    yahoo
  • Lookup yahoo through cache goes to 1.2.3.4
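The attack on this slide works because the resolver caches the A record for ns.yahoo.com even though it arrived from a server that is only authoritative for evil.org. The standard resolver-side defense is the bailiwick check: only cache records whose owner name is at or below the zone the queried server is authoritative for. The block below is an added example, not code from the lecture or from any real resolver; the records are the slide's constructed example (1.2.3.4 is the slide's placeholder address), and the cache is a minimal dictionary rather than a full RFC 1034 implementation.

```python
"""Cache poisoning via out-of-bailiwick glue, and the bailiwick check (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name
    rtype: str   # "A" or "NS"
    rdata: str   # address for A, name server for NS


def in_bailiwick(name, zone):
    """True if `name` is `zone` or a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    def __init__(self, check_bailiwick):
        self.check_bailiwick = check_bailiwick
        self.cache = {}   # (name, rtype) -> rdata

    def ingest(self, response_rrs, queried_zone):
        """Cache records from a response sent by the server for `queried_zone`.

        A naive resolver trusts every record in the response. A resolver with
        the bailiwick check drops records whose owner name lies outside the
        zone that server is authoritative for."""
        accepted, dropped = [], []
        for rr in response_rrs:
            if self.check_bailiwick and not in_bailiwick(rr.name, queried_zone):
                dropped.append(rr)
                continue
            self.cache[(rr.name.lower().rstrip("."), rr.rtype)] = rr.rdata
            accepted.append(rr)
        return accepted, dropped

    def lookup(self, name, rtype):
        return self.cache.get((name.lower().rstrip("."), rtype))


# The slide's example: evil.org's server delegates to ns.yahoo.com and helpfully
# supplies an address for it (constructed records, taken from the slide).
EVIL_RESPONSE = [
    RR("www.evil.org", "NS", "ns.yahoo.com"),
    RR("ns.yahoo.com", "A", "1.2.3.4"),
]


def demo(check_bailiwick):
    """Resolve www.evil.org, then see what the cache says for ns.yahoo.com."""
    cache = ResolverCache(check_bailiwick)
    cache.ingest(EVIL_RESPONSE, queried_zone="evil.org")
    return cache.lookup("ns.yahoo.com", "A")


if __name__ == "__main__":
    print("naive resolver   ->", demo(False))   # 1.2.3.4: yahoo lookups now go to the attacker
    print("bailiwick check  ->", demo(True))    # None: the glue was discarded
```

With the check in place the NS record for www.evil.org is still cached (it is inside evil.org), so the delegation itself works; what the resolver refuses is the address for ns.yahoo.com, which it will instead obtain from yahoo.com's own servers. The check does not protect against the other problem named on slide 38, a compromised or impersonated authoritative server for the zone actually being queried; that is what the authenticated responses of that slide's "solution" bullet address.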

40
Pharming
  • DNS poisoning attack (less common than phishing)
  • Change IP addresses to redirect URLs to
    fraudulent sites
  • Potentially more dangerous than phishing attacks
  • No email solicitation is required
  • DNS poisoning attacks have occurred
  • 2008, email drive-by pharming incidents in
    Mexico
  • January 2005, the domain name for a large New
    York ISP, Panix, was hijacked to a site in
    Australia.
  • In November 2004, Google and Amazon users were
    sent to Med Network Inc., an online pharmacy
  • In March 2003, a group dubbed the "Freedom Cyber
    Force Militia" hijacked visitors to the
    Al-Jazeera Web site and presented them with the
    message "God Bless Our Troops"

41
Coming Attractions
  • Network Security Tools