Advanced Research Issues In Security: Securing Key Internet Technologies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher - PowerPoint PPT Presentation

Provided by: PeterR206
Learn more at: https://lasr.cs.ucla.edu

Transcript and Presenter's Notes

1
Advanced Research Issues In Security: Securing Key Internet Technologies
CS 236 On-Line MS Program
Networks and Systems Security
Peter Reiher

2
Outline
  • Routing security
  • DNS security

3
Routing Security
  • Routing protocols control how packets flow
    through the Internet
  • If they aren't protected, attackers can alter
    packet flows at their whim
  • Most routing protocols were not built with
    security in mind

4
Routing Protocol Security Threats
  • Threats to routing data secrecy
      • Usually not critical
  • Threats to routing protocol integrity
      • Very important, since tampering with routing
        integrity can be bad
  • Threats to routing protocol availability
      • Potential to disrupt Internet service

5
What Could Really Go Wrong?
  • Packets could be routed through an attacker
  • Packets could be dropped
      • Routing loops, blackhole routing, etc.
  • Some users' service could be degraded
  • The Internet's overall effectiveness could be
    degraded
      • Slow response to failures
      • Total overload of some links
  • Many types of defenses against other attacks
    presume correct routing

6
Where Does the Threat Occur?
  • At routers, mostly
  • Most routers are well-protected
  • But . . .
  • Several vulnerabilities have been found in
    routers
  • Also, should we always trust those running
    routers?

7
Different Types of Routing Protocols
  • Link state
      • Tell everyone the state of your links
  • Distance vector
      • Tell nodes how far away things are
  • Path vector
      • Tell nodes the complete path between various
        points
  • On demand protocols
      • Figure out routing once you know two nodes
        need to communicate

8
Popular Routing Protocols
  • BGP
      • Path vector protocol used in core Internet
        routing
      • Arguably most important protocol to secure
  • RIP
      • Distance vector protocol for small networks
  • OSPF
  • ISIS
  • Ad hoc routing protocols

9
Fundamental Operations To Be Protected
  • One router tells another router something about
    routing
      • A path, a distance, contents of local routing
        table, etc.
  • A router updates its routing information
  • A router gathers information to decide on routing

10
Protecting BGP
  • BGP is probably the most important protocol to
    protect
      • Handles basic Internet routing
  • Works at autonomous system (AS) level
      • Rather than router level

11
BGP Issues
  • BGP is spoken (mostly) between routers in
    autonomous systems
      • On direct network links to their partner
      • Over TCP sessions that are established with known
        partners
  • Isn't that enough to give reasonable security?

12
A Recent Counterexample
  • Pakistan became upset with YouTube over posting
    of blasphemous video
  • Responded by injecting a BGP update that sent all
    traffic to YouTube to a site in Pakistan
      • Which probably dropped it all
  • Rendered YouTube unavailable worldwide (well,
    2/3s of world)

13
How Did This Happen?
  • Pakistan injected a BGP update advertising a path
    to YouTube
      • Which they had no right to do
  • It got automatically propagated by BGP
  • Everyone knows YouTube isn't in Pakistan
      • But the routing protocol didn't
  • Security required to prevent other future
    incidents

14
A Side Issue on This Story
  • Much thinking about Internet predicated on
    assumption that major players play by the rules
      • Pakistan didn't
  • Not desirable to base Internet's security on this
    assumption
      • Though sometimes not many other choices

15
Basic BGP Security Issue
[Figure: routers A, B, C, D, E, F, G; A holds prefix 1.2.3.]
A wants to tell everyone how to get to 1.2.3.
What do we need to protect?
16
Well, What Could Go Wrong?
[Figure: same topology, routers A through G; A advertises 1.2.3.]
What if A doesn't own 1.2.3.?
What if router A isn't authorized to advertise 1.2.3.?
What if router D alters the path?
17
How Do We Solve These Problems?
  • Advertising routers must prove ownership and
    right to advertise
  • Paths must be signed by routers on them
      • Must avoid cut-and-paste attacks
      • And replay attacks

18
S-BGP
  • A protocol designed to solve most of the routing
    security issues for BGP
      • Intended to be workable with existing BGP
        protocol
  • Key idea is to tie updates to those who are
    allowed to make them
      • And to those who build them

19
Some S-BGP Constraints
  • Can't change BGP protocol
      • Or packet format
  • Can't have messages larger than max BGP size
  • Must be deployable in reasonable way

20
An S-BGP Example
[Figure: routers A through G; A holds prefix 1.2.3.]
How can B know that A should advertise 1.2.3.?
A can provide a certificate proving ownership
21
Securing BGP Updates
[Figure: routers A through G, with signatures on the update as it passes; A holds prefix 1.2.3.]
A wants to tell everyone how to get to 1.2.3.
What are these signatures actually attesting to?
22
Who Needs To Prove What?
  • A needs to prove (to B-E) that he owns the prefix
  • B needs to prove (to C-E) that A wants the prefix
    path to go through B
  • C needs to prove (to D-E) the same
  • D needs to prove (to E) the same

23
So What Does A Sign?
  • A clearly must provide proof he owns the prefix
  • He also must prove he originated the update
  • And only A can prove that he intended the path to
    go through B
  • So he has to sign for all of that

24
Address Attestations in S-BGP
  • These are used to prove ownership of IP prefix
    spaces
  • IP prefix owner provides attestation that a
    particular AS can originate its BGP updates
  • That AS includes attestation in updates

25
Route Attestations
  • To prove that path for a prefix should go through
    an AS
  • The previous AS on the path makes this
    attestation
  • E.g., B attests that C is the next AS hop

26
How Are These Signatures Done?
  • Via public key cryptography
  • Certificates issued by proper authorities
      • ICANN at the top
      • Hierarchical below ICANN
  • Certificates not carried with updates
      • Otherwise, messages would be too big
      • Off-line delivery method proposed
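The following is an added example, not code from the slides or from S-BGP itself. It models the two kinds of attestation from slides 22-26 on the A-B-C-D-E chain: an address attestation in which the prefix owner authorizes A to originate the prefix, and a route attestation from each AS covering the path so far and naming the AS it forwards to. The signatures are stand-ins (an HMAC under a per-AS key that every party can look up) for the public-key certificates the slides describe; the key table, the "OWNER" party, the origin-first path order and the prefix value are assumptions of the example. The `validate` function is what a receiving AS such as E checks, and the three scenarios in `demo` cover an honest update, an origin the owner never authorized, and D altering the path.

```python
"""Toy model of S-BGP address and route attestations (added example; not code
from the slides or from S-BGP).  HMAC under a per-AS key stands in for the
public-key signatures and certificates the slides describe."""
import hashlib
import hmac
import json

# Constructed "PKI": every party, including the verifier, can look up the key of
# the prefix owner and of each AS.  (Assumption: stand-in for certificates.)
KEYS = {name: f"key-{name}".encode() for name in ["OWNER", "A", "B", "C", "D", "E"]}


def sign(signer, payload):
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).hexdigest()


def verify(signer, payload, sig):
    return hmac.compare_digest(sign(signer, payload), sig)


def address_attestation(owner, prefix, origin_as):
    """Prefix owner states that origin_as may originate updates for prefix."""
    payload = {"type": "AA", "prefix": prefix, "origin": origin_as}
    return {"signer": owner, "payload": payload, "sig": sign(owner, payload)}


def route_attestation(signer, prefix, path_so_far, next_as):
    """AS `signer` states: the path so far (ending in me) may be extended to next_as."""
    payload = {"type": "RA", "prefix": prefix, "path": list(path_so_far), "next": next_as}
    return {"signer": signer, "payload": payload, "sig": sign(signer, payload)}


def originate(origin, prefix, aa, next_as):
    """Origin AS builds the first update; the path is listed origin-first."""
    return {"prefix": prefix, "path": [origin], "aa": aa,
            "ras": [route_attestation(origin, prefix, [origin], next_as)]}


def forward(update, me, next_as):
    """An honest AS appends itself to the path and adds its own attestation."""
    path = update["path"] + [me]
    return {"prefix": update["prefix"], "path": path, "aa": update["aa"],
            "ras": update["ras"] + [route_attestation(me, update["prefix"], path, next_as)]}


def validate(update, me, prefix_owner):
    """What a receiving AS checks.  Returns (accepted, reason)."""
    prefix, path, aa = update["prefix"], update["path"], update["aa"]
    # 1. Address attestation: signed by the prefix owner, covering this prefix and origin.
    if aa["signer"] != prefix_owner or not verify(aa["signer"], aa["payload"], aa["sig"]):
        return False, "address attestation not validly signed by prefix owner"
    if aa["payload"]["prefix"] != prefix or aa["payload"]["origin"] != path[0]:
        return False, f"{path[0]} is not authorized to originate {prefix}"
    # 2. Route attestations: one per AS on the path, each covering the path up to that
    #    AS and naming the AS that really follows it (for the last one, that is me).
    if len(update["ras"]) != len(path):
        return False, "number of route attestations does not match path length"
    hops = path + [me]
    for i, ra in enumerate(update["ras"]):
        expected = {"type": "RA", "prefix": prefix, "path": path[: i + 1], "next": hops[i + 1]}
        if (ra["signer"] != path[i] or ra["payload"] != expected
                or not verify(ra["signer"], ra["payload"], ra["sig"])):
            return False, f"no valid attestation from {path[i]} for {path[: i + 1]} -> {hops[i + 1]}"
    return True, "valid"


def demo():
    """Constructed scenarios on the A-B-C-D-E chain from the slides."""
    prefix = "1.2.3.0/24"  # constructed stand-in for the slides' 1.2.3.
    aa = address_attestation("OWNER", prefix, "A")
    # Honest propagation A -> B -> C -> D -> E.
    upd_b = originate("A", prefix, aa, "B")
    upd_c = forward(upd_b, "B", "C")
    upd_d = forward(upd_c, "C", "D")
    upd_e = forward(upd_d, "D", "E")
    honest = validate(upd_e, "E", "OWNER")
    # A announces a prefix its address attestation does not cover (unauthorized origin).
    bogus = validate(originate("A", "5.6.7.0/24", aa, "B"), "B", "OWNER")
    # D alters the path: it drops C but can only reuse the attestations it received,
    # and B's attestation names C, not D, as the next hop.
    tampered_path = ["A", "B", "D"]
    tampered = {"prefix": prefix, "path": tampered_path, "aa": aa,
                "ras": upd_c["ras"] + [route_attestation("D", prefix, tampered_path, "E")]}
    altered = validate(tampered, "E", "OWNER")
    return {"honest": honest, "unauthorized_origin": bogus, "altered_path": altered}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} accepted={ok}  {why}")
```

The check that catches the altered path is the `next` field: B signed that the path `[A, B]` continues to C, so once D removes C there is no attestation in which the hop into D is vouched for by its predecessor. Real S-BGP fixes the attestation encoding and carries certificates out of band, as slide 26 says; this model keeps only the logical structure of what is signed and checked.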

27
S-BGP and IPSec
  • S-BGP generates the attestations itself
  • But it uses IPSec to deliver the BGP messages
      • Doing so prevents injections of replayed messages
      • Also helps with some TCP-based attacks
          • E.g., SYN floods

28
Protecting Other Styles of Protocols
  • Generally, how do you know you should believe
    another router?
      • About distance to some address space
      • About reachability to some address space
      • About other characteristics of a path
      • About what other nodes have told you

29
How Routing Protocols Pass Information
  • Some protocols pass full information
      • E.g., BGP
      • So they can pass signed information
  • Others pass summary information
      • E.g., RIP
      • They use other updates to create new summaries
      • How can we be sure they did so properly?

30
Who Are You Worried About?
  • Random attackers?
      • Generally solvable by encrypting/authenticating
        routing updates
  • Misbehaving insiders?
      • A much harder problem
      • They're supposed to make decisions
      • How do you know they're lying?

31
A Sample Problem
[Figure: routers A through H with link costs marked; A holds prefix 1.2.3.]
Assume a distance vector protocol
How can H tell someone lied?
How can H tell that E lied?
32
Types of Attacks on Distance Vector Routing Protocols
  • Blackhole attacks
      • Claim short route to target
  • Claim longer distance
      • To avoid traffic going through you
  • Inject routing loops
      • Which cause traffic to be dropped
  • Inject lots of routing updates
      • Generally for denial of service

33
How To Secure a Distance Vector Protocol?
  • Can't just sign the hop count
      • Not tied to the path
  • Instead, sign a length and a second-to-last
    router identity
      • By iterating, you can verify path length

34
An Example
[Figure: routers A through H; A holds prefix 1.2.3.]
H needs to build a routing table entry for 1.2.3.
Should show hop count of 3 via G, 5 via E
35
One Way to Do It
[Figure: routers A through H]
H directly verifies that it's one hop to E
H gets signed info that D is 2 hops through E
Then we iterate
Now we can trust it's five hops to A
36
Who Does the Signing?
  • The destination
      • A in the example
  • It only signs the unchanging part
      • Not the hop count
  • But an update eventually reaches H that was
    signed by A

37
What About That Hop Count?
  • E could lie about the hop count
  • But he can't lie that A is next to B
      • Nor that B next to C, nor C next to D, nor D next
        to E
  • Unless other nodes collude, E can't claim to be
    closer to A than he is

38
What If Someone Lies?
[Figure: routers A through H]
There's limited scope for effective lies
E can't claim to be closer to A
Since E can't produce a routing update signed by A that substantiates that
39
A Difficulty
  • This approach relies on a PKI
      • H must be able to check the various signatures
  • Breaks down if someone doesn't sign
      • That's a hole in the network, from the
        verification point of view
  • Consider, in example, what happens if C doesn't
    sign

40
What If C Doesn't Sign?
[Figure: routers A through H; an update arriving through D reports C at 3 hops]
H knows C is next to B
And that B is next to A
A message coming through D tells us that it's three hops to C
But H can't verify that
Other than trusting D . . .
But how can he be sure D is next to C?
41
What's the Problem?
[Figure: two topologies, routers A through H, with D reporting C at 3 hops]
For this graph, no problem
But how about for this one?
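The following is an added example, not the slides' own code or any deployed protocol; it models the signed distance-vector scheme of slides 33-41 on the A-B-C-D-E-H path. Each router signs the unchanging facts about its position (its predecessor toward the destination, the router it forwards to, and its own hop count) and passes the whole chain along, so H can verify adjacency link by link down to A's own signed statement. HMAC under a per-router key stands in for the PKI signatures the slides assume; the key table, the statement layout, H's neighbour set and the prefix value are assumptions of the example. The scenarios in `demo` show an honest chain, E trying to claim it is next to A, and the hole from slides 39-41: when C does not sign, H can only accept the B-C and C-D links on D's word, and a liar who names an unsigned neighbour can shorten its apparent distance without being detected.

```python
"""Toy model of the secured distance-vector scheme from slides 33-41 (added
example; not the slides' code or a real protocol).  HMAC under a per-router
key stands in for the public-key signatures a PKI would provide."""
import hashlib
import hmac
import json

# Constructed "PKI": the verifier H can look up every router's key.
KEYS = {r: f"key-{r}".encode() for r in "ABCDEFGH"}


def sign(router, stmt):
    msg = json.dumps(stmt, sort_keys=True).encode()
    return hmac.new(KEYS[router], msg, hashlib.sha256).hexdigest()


def verify(router, stmt, sig):
    return hmac.compare_digest(sign(router, stmt), sig)


def statement(router, prefix, hops, prev, nxt):
    """Signed claim: 'I am `hops` hops from prefix; `prev` precedes me; I forward to `nxt`'."""
    stmt = {"prefix": prefix, "router": router, "hops": hops, "prev": prev, "next": nxt}
    return {"stmt": stmt, "sig": sign(router, stmt)}


def originate(dest, prefix, nxt):
    """The destination signs the start of the chain with hop count 0."""
    return [statement(dest, prefix, 0, None, nxt)]


def forward(chain, me, nxt):
    """An honest router extends the chain it received by one signed statement."""
    last = chain[-1]["stmt"]
    return chain + [statement(me, last["prefix"], last["hops"] + 1, last["router"], nxt)]


def verify_chain(chain, me, my_neighbors, allow_unsigned=False):
    """Return (hop count to prefix, links not attested by both ends) or (None, [reason])."""
    for item in chain:
        if not verify(item["stmt"]["router"], item["stmt"], item["sig"]):
            return None, [f"bad signature from {item['stmt']['router']}"]
    first, last = chain[0]["stmt"], chain[-1]["stmt"]
    if first["hops"] != 0 or first["prev"] is not None:
        return None, ["chain does not start at the destination"]
    # The verifier checks its own link directly: the last signer must be a neighbour.
    if last["next"] != me or last["router"] not in my_neighbors:
        return None, ["last signer is not my direct neighbour"]
    unverified = []
    for a, b in zip(chain, chain[1:]):
        sa, sb = a["stmt"], b["stmt"]
        if sa["next"] == sb["router"] and sb["prev"] == sa["router"] and sb["hops"] == sa["hops"] + 1:
            continue  # link attested by both of its ends
        # A router between them did not sign: both ends name it and the count jumps by two.
        if allow_unsigned and sa["next"] == sb["prev"] and sb["hops"] == sa["hops"] + 2:
            unverified += [(sa["router"], sa["next"]), (sa["next"], sb["router"])]
            continue
        return None, [f"link {sa['router']}-{sb['router']} not attested by both ends"]
    return last["hops"] + 1, unverified


def demo():
    """Constructed scenarios on the A-B-C-D-E-H path; H's neighbours are E and G."""
    prefix, neighbors = "1.2.3.0/24", {"E", "G"}  # constructed stand-in for 1.2.3.
    honest = originate("A", prefix, "B")
    for router, nxt in [("B", "C"), ("C", "D"), ("D", "E"), ("E", "H")]:
        honest = forward(honest, router, nxt)
    # E claims to sit right next to A: it can sign its own claim, but A's signed
    # statement names B as its neighbour, not E.
    liar = originate("A", prefix, "B") + [statement("E", prefix, 1, "A", "H")]
    # C does not sign: D fills in what C told it, so B and D both name C but C attests nothing.
    partial = forward(originate("A", prefix, "B"), "B", "C")
    unsigned_c = forward(partial + [statement("D", prefix, 3, "C", "E")], "E", "H")
    # Once unsigned routers are tolerated, E can name the unsigned B as its predecessor.
    via_gap = originate("A", prefix, "B") + [statement("E", prefix, 2, "B", "H")]
    return {
        "honest": verify_chain(honest, "H", neighbors),
        "liar": verify_chain(liar, "H", neighbors),
        "unsigned_c_strict": verify_chain(unsigned_c, "H", neighbors),
        "unsigned_c_lenient": verify_chain(unsigned_c, "H", neighbors, allow_unsigned=True),
        "liar_via_gap": verify_chain(via_gap, "H", neighbors, allow_unsigned=True),
    }


if __name__ == "__main__":
    for name, (hops, notes) in demo().items():
        print(f"{name:20s} hops={hops}  {notes}")
```

With every router signing, H computes 5 hops via E and the forged shortcut is rejected because no statement signed by A names E. Tolerating an unsigned C lets the honest chain through with the B-C and C-D links flagged as unverified, which is exactly the scope for lies slide 40 points at: the same leniency also accepts E's claim of 3 hops through an unsigned neighbour it never had, so the choice is between rejecting routes through non-signers and trusting the router after the gap.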