
Network Protocols and Vulnerabilities

John Mitchell

Outline

- Basic Networking (FMU)
- Network attacks
  Attack host networking protocols: SYN flooding, TCP spoofing, ...
  Attack network infrastructure: routing, Domain Name System

This lecture is about the way things work now and how they are not perfect. The next lecture covers some security improvements (still not perfect).

Internet Infrastructure

[Figure: two ISPs connected through a backbone]

- Local and interdomain routing
  TCP/IP for routing and connections
  BGP for routing announcements
- Domain Name System
  Find IP address for a name

TCP Protocol Stack

[Figure: two hosts, each with Application, Transport, Network and Link layers; peer layers talk via the application protocol, the TCP protocol, the IP protocol and the data link protocol, with network access below]

  Application  --  application protocol
  Transport    --  TCP protocol
  Network      --  IP protocol
  Link         --  data link / network access
Data Formats

[Figure: encapsulation at each layer]

  Application           message  | application data                                        |
  Transport (TCP, UDP)  segment  | TCP header | data                                       |
  Network (IP)          packet   | IP header | TCP header | data                           |
  Link layer            frame    | ETH header | IP header | TCP header | data | ETF trailer |

Each layer prepends its own header (the Ethernet link layer also appends a trailer); the payload of one layer is the whole unit of the layer above it.

Internet Protocol

- Connectionless
  Unreliable, best effort
- Transfer datagram
  Header, data

IP header fields:

  Version | Header Length | Type of Service | Total Length
  Identification | Flags | Fragment Offset
  Time to Live | Protocol | Header Checksum
  Source Address of Originating Host
  Destination Address of Target Host
  Options | Padding
  IP Data

IP Routing

[Figure: Meg (121.42.33.12) sends a packet through the office gateway (121.42.33.1) and the ISP (132.14.11.1) to Tom (132.14.11.51)]

  Packet:  Source 121.42.33.12   Destination 132.14.11.51   Sequence 5

- Internet routing uses numeric IP address
- Typical route uses several hops

IP Address

Two-level address hierarchy

- Addresses divided into two parts
  First: the domain (network) of the host
  Second: address of host within domain

  | Network Number (Prefix) | Host Number |

Three different address formats: Class A, Class B, Class C (not important for this course)

Simple Routing Example

[Figure: router with Link1 (l1) toward B and Link2 (l2) toward C]

  A 171.64.78.56
  B 171.66.191.22  (reached over Link1, l1)
  C 171.64.82.12   (reached over Link2, l2)

  Routing table at the router:
    b  ->  l1
    c  ->  l2

Routing table tells how to get to a subnet (not an individual host)

IP Protocol Functions (Summary)

- Routing
  IP host knows location of router (gateway)
  IP gateway must know route to other networks
- Error reporting
  IP reports discards to source
- Fragmentation and reassembly
  If packets are smaller than the user data

User Datagram Protocol (UDP)

- IP provides routing
  IP address gets datagram to a specific machine
- UDP separates traffic by port
  Destination port number gets UDP datagram to particular application process, e.g., 128.3.23.3 port 53
  Source port number provides return address
- Minimal guarantees ("mice and elephants")
  No acknowledgment
  No flow control
  No message continuation

Transmission Control Protocol (TCP)

- Connection-oriented, preserves order
- Sender
  Break data into packets
  Attach packet numbers
- Receiver
  Acknowledge receipt; lost packets are resent
  Reassemble packets in correct order

[Figure: a book is mailed one numbered page at a time and the receiver reassembles the book]

File Transfer Protocol (FTP)

- FTP uses TCP to transfer files
- Steps in FTP
  Login connection: user connects to remote computer, specifies name and password
  Data transfer: specify file names to send or receive; can also ask for list of file names, other functions

Simple Mail Transfer Protocol (SMTP)

- Protocol for transferring mail on the Internet
- Three associated standards
  Protocol used to send mail using TCP (HELO, EHLO, messages)
  Format for mail messages: set of header fields and their interpretation (To: <address>, From: <address>); methods for including data other than plain text
  Routing mail using the Domain Name System

Internet Control Message Protocol (ICMP)

- Provides feedback about network operation
  Error reporting
  Reachability testing
  Congestion control
- Example message types
  Destination unreachable
  Time exceeded
  Parameter problem
  Redirect to better gateway
  Echo / echo reply: reachability test
  Timestamp request / reply: measure transit delay

Basic Security Problems

- Network packets pass by untrusted hosts
  Eavesdropping, packet sniffing
- IP addresses are public
  Smurf attack
- TCP connection requires state
  SYN flooding attack
- TCP state easy to guess
  TCP spoofing attack

Packet Sniffing

[Figure: Eve's host sits on the network between Alice and Bob]

- Promiscuous NIC reads all packets
  Read all unencrypted data
  ftp, telnet send passwords in the clear!

Sweet Hall attack: installed sniffer on local machine

Smurf Attack

- Choose victim
  Flood victim with packets from many sources
- Generate ping stream (ICMP Echo Request)
  Sent to a network broadcast address with a spoofed source IP set to the victim host
- Wait for responses
  Every host on the target network will generate a ping reply (ICMP Echo Reply) to the victim
  Ping reply stream can overload the victim
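Added example, not code from the lecture: to make the header layout of the Data Formats slides and the Smurf packet concrete, this Python builds an IPv4 header field by field in the order the slides list them, wraps an ICMP Echo Request in it with the source spoofed to the victim and the destination set to a subnet's broadcast address, parses it back (verifying the header checksum), and applies a filter of the kind the routing section later calls "gateway rejects external packets claiming to be local", in the narrower form that catches Smurf: an echo request addressed to the local broadcast address from a source that is not local. The addresses (192.0.2.0/24 as the amplifier network, 203.0.113.9 as the victim) and the identification value are constructed.

```python
import ipaddress
import struct

# Constructed example: addresses and identification value are assumptions.
AMPLIFIER_NET = "192.0.2.0/24"
VICTIM = "203.0.113.9"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    # type 8 (echo request), code 0; checksum covers the whole ICMP message
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    # Fields in the order the lecture lists them: version/IHL, type of service,
    # total length, identification, flags + fragment offset, TTL, protocol,
    # header checksum, source address, destination address (no options, IHL = 5).
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header and verify its checksum."""
    (vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("bad IP header checksum")
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def is_smurf_request(pkt: bytes, local_net: str) -> bool:
    """True for an ICMP echo request aimed at our subnet's broadcast address
    from a source outside the subnet: the Smurf signature a border gateway
    can drop without any per-host state."""
    net = ipaddress.IPv4Network(local_net)
    ip = parse_ipv4(pkt)
    if ip["proto"] != 1 or len(ip["payload"]) < 8 or ip["payload"][0] != 8:
        return False                           # not an ICMP echo request
    return (ipaddress.IPv4Address(ip["dst"]) == net.broadcast_address
            and ipaddress.IPv4Address(ip["src"]) not in net)


# The attacker's packet: source spoofed to the victim, destination is the
# broadcast address of the amplifier network; every host that answers
# sends its Echo Reply to the victim.
SMURF = build_ipv4(VICTIM, "192.0.2.255", 1,
                   build_icmp_echo_request(0x0001, 1, b"smurf"))
# An ordinary ping between two hosts on the LAN, for comparison.
NORMAL = build_ipv4("192.0.2.10", "192.0.2.20", 1,
                    build_icmp_echo_request(0x0002, 1, b"hello"))

if __name__ == "__main__":
    for name, pkt in (("SMURF", SMURF), ("NORMAL", NORMAL)):
        ip = parse_ipv4(pkt)
        print(name, ip["src"], "->", ip["dst"],
              "smurf?", is_smurf_request(pkt, AMPLIFIER_NET))
```

Only the 20-byte header and the ICMP message are modelled; the point is that nothing in either header authenticates the source address, so the victim's address can be written into the packet as easily as the attacker's own.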

TCP Handshake

[Figure: client C and server S]

  C -> S:  SYN_C                (S is listening)
  S -> C:  SYN_S, ACK_C         (S stores connection data and waits for the ACK)
  C -> S:  ACK_S                (connected)

SYN Flooding

[Figure: C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5, ...; S stores data for each and waits for ACKs that never arrive]

- Attacker sends many connection requests
  Spoofed source addresses
- Victim allocates resources for each request
  Connection requests exist until timeout
  Fixed bound on half-open connections
- Resources exhausted: further requests rejected

TCP Connection Spoofing

- Each TCP connection has an associated state
  Sequence number, port number
- Problem: easy to guess state
  Port numbers are standard
  Sequence numbers often chosen in a predictable way

IP Spoofing Attack

- A, B trusted connection
  Send packets with predictable sequence numbers
- E impersonates B to A
  Opens a connection to A to get an initial sequence number
  SYN-floods B's queue so B cannot respond
  Sends packets to A that resemble B's transmission
  E cannot receive A's replies, but may execute commands on A

Attack can be blocked if E is outside the firewall (the firewall drops external packets that claim an internal source address).

TCP Congestion Control

[Figure: Source, Destination; Competition: Source A and Source B share a path to the Destination]

- If packets are lost, assume congestion
  Reduce transmission rate by half, repeat
  If loss stops, increase rate very slowly
  Design assumes all senders blindly obey this policy

TCP Attack on Congestion Control

- Misbehaving receiver can trick sender into ignoring congestion control
  Receiver: duplicate ACK indicates gap
  Packets within sequence number range assumed lost
  Sender executes fast retransmit algorithm
- Malicious receiver can
  Send duplicate ACKs
  ACK before data is received (needs some application-level retransmission, e.g. HTTP 1.1 range requests)
  See RFC 2581
- Amiable Alice yields to boisterous Bob
  Alice and Bob both experience packet loss
  Alice backs off
  Bob disobeys the protocol, gets better results
- Solutions
  Add nonces: ACKs return the nonce to prove reception
  See: Savage et al., TCP Congestion Control with a Misbehaving Receiver
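Added example, not from the lecture or from the Savage et al. paper: a toy model of the "ACK before data is received" (optimistic ACK) attack and of the nonce defence in its cumulative form. Each segment carries a random nonce; the sender keeps the XOR of the nonces of segments 0..k, and an ACK for segment k must echo that value, which a receiver can only know if it has seen every segment up to k. Segment numbering, the window (one unit per accepted new ACK) and the single-window exchange are simplifications I chose for the example.

```python
import random


class Sender:
    """TCP sender side, reduced to a window counter and a nonce ledger."""

    def __init__(self, check_nonces: bool):
        self.check_nonces = check_nonces
        self.cwnd = 1              # window in segments; +1 per accepted new ACK
        self.acked = -1            # highest segment number acknowledged so far
        self.cum_nonce = []        # cum_nonce[k] = nonce_0 ^ ... ^ nonce_k
        self.log = []

    def send(self, n):
        """Generate n new segments as (seq, nonce) and return them."""
        segs = []
        for _ in range(n):
            nonce = random.getrandbits(32)
            prev = self.cum_nonce[-1] if self.cum_nonce else 0
            self.cum_nonce.append(prev ^ nonce)
            segs.append((len(self.cum_nonce) - 1, nonce))
        return segs

    def on_ack(self, ack_seq, nonce_echo):
        """Return True if the ACK advanced the window."""
        if ack_seq <= self.acked or ack_seq >= len(self.cum_nonce):
            self.log.append(("ignored", ack_seq))      # old, or never sent
            return False
        if self.check_nonces and nonce_echo != self.cum_nonce[ack_seq]:
            self.log.append(("rejected", ack_seq))     # cannot prove receipt
            return False
        self.acked = ack_seq
        self.cwnd += 1
        self.log.append(("accepted", ack_seq))
        return True


class Receiver:
    """Honest receiver: cumulative ACK over contiguous data it has seen."""

    def __init__(self):
        self.have, self.highest, self.cum = {}, -1, 0

    def deliver(self, seq, nonce, in_flight_top=None):
        self.have[seq] = nonce
        while self.highest + 1 in self.have:           # advance over in-order data
            self.highest += 1
            self.cum ^= self.have[self.highest]
        return self.highest, self.cum


class OptimisticReceiver(Receiver):
    """Misbehaving receiver: ACKs the highest segment it believes is in flight."""

    def deliver(self, seq, nonce, in_flight_top=None):
        super().deliver(seq, nonce)
        if in_flight_top is not None and in_flight_top > self.highest:
            # it has not seen those segments' nonces, so the echo is a guess
            return in_flight_top, self.cum ^ random.getrandbits(32)
        return self.highest, self.cum


def exchange(check_nonces, optimistic, lose=()):
    """One window of four segments; only the first two have arrived when the
    receiver answers. Returns (segments the sender believes delivered,
    segments the receiver actually holds in order)."""
    random.seed(7)
    s = Sender(check_nonces)
    r = OptimisticReceiver() if optimistic else Receiver()
    segs = s.send(4)                                   # seqs 0..3 on the wire
    arrived = [sg for sg in segs[:2] if sg[0] not in lose]
    for seq, nonce in arrived:
        s.on_ack(*r.deliver(seq, nonce, in_flight_top=3))
    return s.acked + 1, r.highest + 1


if __name__ == "__main__":
    print("honest              ", exchange(False, False))
    print("optimistic, no check", exchange(False, True))
    print("optimistic, nonces  ", exchange(True, True))
    print("honest, segment 0 lost", exchange(True, False, lose=(0,)))
```

Without the check the sender believes all four segments were delivered after seeing two ACKs; with the check the forged ACKs are rejected and the misbehaving receiver gains nothing. The lost-segment case shows the cumulative ACK staying put when a gap exists, which is what the sender's fast-retransmit logic keys on.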

ICMP Vulnerabilities

- Reports errors and other conditions from network to hosts
- Hosts take actions to respond to errors
- Problem: an entity can easily forge a variety of ICMP error messages
  Redirect informs end-hosts that they should be using a different first-hop route
  Fragmentation needed can confuse path MTU discovery
  Destination unreachable can cause transport connections to be dropped

Prevention

- Eavesdropping
  Encryption, improved routing (next lecture: IPSEC)
- Smurf
  Turn off ping? Authenticated IP addresses?
- SYN flooding
  Cookies, random deletion
- IP spoofing
  Use less predictable sequence numbers

Protection against SYN Attacks  [Bernstein, Schenk]

SYN cookies

- Client sends SYN
- Server responds to client with SYN-ACK cookie
  sqn = f(src addr, src port, dest addr, dest port, rand)
  Server does not save state
- Honest client responds with ACK(sqn)
- Server checks response
  If it matches the SYN-ACK cookie, establishes connection

Random Deletion

[Figure: queue of half-open sessions: 171.64.82.03, 232.61.28.05, 168.44.14.21, 121.49.16.22, 132.24.14.28]

- If queue is full, delete random entry
  Legitimate connections have a chance to complete
  Fake addresses eventually deleted
  Easy to implement, some improvement
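Added example, not the lecture's or any kernel's code: a stateless SYN-cookie listener. The server's initial sequence number is the cookie, sqn = f(src addr, src port, dest addr, dest port, secret) as in the slide, with a coarse time counter folded in so that old cookies expire; the client's ACK carries sqn + 1, from which the server recovers the cookie and recomputes f. The secret, the 64-second counter granularity, the 5-bit counter / 27-bit MAC split and the addresses are my assumptions.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)       # per-server secret for f(...) (assumption)
COUNTER_PERIOD = 64           # seconds per counter tick (assumption)
MAX_AGE_TICKS = 1             # accept the current and the previous tick


def _f(src, sport, dst, dport, counter, secret=SECRET) -> int:
    """Keyed function over the 4-tuple and the time counter, 27 bits wide."""
    msg = f"{src}|{sport}|{dst}|{dport}|{counter}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") & 0x07FFFFFF


def make_cookie(src, sport, dst, dport, now=None) -> int:
    """Server ISN to put in the SYN-ACK; no state is stored."""
    counter = int((now if now is not None else time.time()) // COUNTER_PERIOD)
    # top 5 bits: counter mod 32; low 27 bits: f(4-tuple, counter)
    return ((counter & 0x1F) << 27) | _f(src, sport, dst, dport, counter)


def check_cookie(src, sport, dst, dport, ack, now=None) -> bool:
    """Validate the final ACK of the handshake: recover the cookie from
    ack - 1, read its counter field, and recompute f for each counter value
    we are still willing to accept."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter_now = int((now if now is not None else time.time()) // COUNTER_PERIOD)
    for age in range(MAX_AGE_TICKS + 1):
        counter = counter_now - age
        if (counter & 0x1F) != (cookie >> 27):
            continue
        if _f(src, sport, dst, dport, counter) == (cookie & 0x07FFFFFF):
            return True
    return False


class StatelessListener:
    """Server side of the handshake with no half-open queue at all."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = []

    def on_syn(self, src, sport, now):
        # Nothing allocated: the SYN-ACK itself carries what we need later.
        return {"flags": "SYN-ACK",
                "seq": make_cookie(src, sport, self.addr, self.port, now)}

    def on_ack(self, src, sport, ack, now):
        if check_cookie(src, sport, self.addr, self.port, ack, now):
            self.established.append((src, sport))
            return True
        return False


def handshake_demo():
    """Constructed exchange: a flood of spoofed SYNs leaves no state, an
    honest client completes, a forged ACK and a stale ACK are refused."""
    srv = StatelessListener("10.0.0.1", 80)
    t0 = 1_700_000_000
    for i in range(1000):                         # the flood
        srv.on_syn(f"198.51.100.{i % 250}", 1024 + i, t0)
    synack = srv.on_syn("192.0.2.7", 40000, t0)   # the honest client
    ack = (synack["seq"] + 1) & 0xFFFFFFFF
    ok = srv.on_ack("192.0.2.7", 40000, ack, t0 + 1)
    forged = srv.on_ack("192.0.2.7", 40001, ack, t0 + 1)          # wrong 4-tuple
    stale = srv.on_ack("192.0.2.7", 40000, ack, t0 + 3 * COUNTER_PERIOD)  # expired
    return ok, forged, stale, len(srv.established)


if __name__ == "__main__":
    print(handshake_demo())
```

The cost of statelessness is visible in the code: the server cannot remember options negotiated in the SYN (they are not in the cookie), and an attacker who can see the SYN-ACK can complete a handshake from a spoofed address just as a real client would; the cookie defends the half-open queue, not the connection itself.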

TCP Sequence Numbers

- Need high degree of unpredictability
  If attacker knows the TCP/IP initial sequence number and the amount of traffic sent, then attacker may know the set of likely values
  Can send a flood of packets with likely sequence numbers; one correct packet will be accepted
  The larger the available bandwidth, the larger the range that can be guessed
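Added example, not from the lecture: two initial-sequence-number generators and the blind attacker E of the IP spoofing slide, who learns one ISN by opening his own connection to the server and then floods guesses around his prediction for the victim's connection. The "legacy" generator imitates the classic predictable scheme (ISN advances by a fixed amount per second and per connection); the "strong" one has the shape RFC 6528 describes, a clock plus a keyed hash of the connection identifiers. The constants, the tuple encoding and the addresses are assumptions, and the attacker's model of the generator is assumed to be exact.

```python
import hashlib
import hmac
import os

MOD = 1 << 32


class LegacyISN:
    """Predictable: isn = base + 64000 * seconds + 64 * connections (modelled)."""

    def __init__(self, base=0x1000):
        self.base, self.conns = base, 0

    def next(self, clock_s, local, remote):
        self.conns += 1
        return (self.base + 64000 * clock_s + 64 * self.conns) % MOD


class StrongISN:
    """isn = M(clock) + F(endpoints, secret); F is a keyed hash (RFC 6528 shape)."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)

    def next(self, clock_s, local, remote):
        m = (clock_s * 250_000) % MOD                   # 4 microsecond clock
        msg = f"{local}|{remote}".encode()
        f = int.from_bytes(hmac.new(self.secret, msg, hashlib.md5).digest()[:4], "big")
        return (m + f) % MOD


def blind_attack(gen, clock_s, server, victim, attacker, window_size, budget):
    """E opens a connection (server, attacker) at clock_s and sees its ISN.
    One second later the server opens (server, victim); E never sees that
    ISN and sends `budget` spoofed segments, each guessing a different
    window of `window_size` sequence numbers. True if one guess lands in
    the receive window, i.e. a spoofed segment would be accepted."""
    probe = gen.next(clock_s, server, attacker)          # E's own connection
    target = gen.next(clock_s + 1, server, victim)       # the one E spoofs
    # E's model of the generator: one more second, one more connection.
    guess0 = (probe + 64000 + 64) % MOD
    for k in range(budget):
        guess = (guess0 + k * window_size) % MOD
        if (target - guess) % MOD < window_size:         # inside the window
            return True
    return False


def run_both():
    """Same attack against both generators; returns (legacy hit, strong hit)."""
    args = dict(clock_s=1000, server="171.64.78.56:513", victim="171.66.191.22:1023",
                attacker="10.9.8.7:2000", window_size=4096, budget=32)
    legacy = blind_attack(LegacyISN(), **args)
    strong = blind_attack(StrongISN(secret=b"\x01" * 16), **args)
    return legacy, strong


if __name__ == "__main__":
    print("legacy hit, strong hit:", run_both())
```

Against the legacy generator the first guess is already correct; against the keyed one the 32 guesses cover 2^17 of 2^32 values, so the flood has to grow by a factor of roughly 2^15 to reach the same odds, which is the "larger bandwidth, larger guess" trade-off the slide describes.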

Status of sequence generators

- Reported to be safe from practical attacks
  Cisco IOS, OpenBSD 2.8-current, FreeBSD 4.3-RELEASE, AIX, HP/UX 11i, Linux kernels after 1996
  Solaris 2.6 if strong initial sequence numbers have been turned on: set TCP_STRONG_ISS to 2 in /etc/default/inetinit
  HP/UX version 11.00 by applying TRANSPORT patch PHNE_22397
  IRIX 6.5.3 and above by using the tcpiss_md5 tunable kernel parameter, which is off by default

Cryptographic protection

- Solutions above the transport layer
  Examples: SSL and SSH
  Protect against session hijacking and injected data
  Do not protect against denial-of-service attacks caused by spoofed packets
- Solutions at the network layer
  IPSec
  Can protect against session hijacking and injection of data, and against denial-of-service attacks using session resets

Routing Vulnerabilities

- Source routing attack
  Can direct response through compromised host
- Routing Information Protocol (RIP)
  Direct client traffic through compromised host
- Exterior gateway protocols
  Advertise false routes
  Send traffic through compromised hosts

Source Routing Attacks

- Attack
  Destination host may use the reverse of the source route provided in the TCP open request to return traffic
  Modify the source address of a packet
  Route traffic through a machine controlled by the attacker
- Defenses
  Gateway rejects external packets claiming to be local
  Reject pre-authorized connections if source routing info is present
  Only accept a source route if trusted gateways are listed in the source routing info

Routing Table Update Protocols

- Interior Gateway Protocols (IGPs)
  Distance-vector type: each gateway keeps track of its distance to all destinations
  Gateway-to-Gateway Protocol (GGP), Routing Information Protocol (RIP)
- Exterior Gateway Protocol (EGP)
  Used for communication between different autonomous systems

Routing Information Protocol (RIP)

- Attack
  Intruder sends bogus routing information to a target and to each of the gateways along the route
  Impersonates an unused host: diverts traffic for that host to the intruder's machine
  Impersonates a used host: all traffic to that host is routed to the intruder's machine; the intruder inspects packets and resends them to the real host with source routing
  Allows capturing of unencrypted passwords, data, etc.
- Defense
  Paranoid gateway: filters packets based on source and/or destination addresses
  Don't accept new routes to local networks: interferes with fault tolerance but detects intrusion attempts
  Authenticate RIP packets: difficult in a broadcast protocol; only allows for authentication of the prior sender

Interdomain Routing

[Figure: two autonomous systems, earthlink.net and Stanford.edu; the Exterior Gateway Protocol runs between them and an Interior Gateway Protocol runs inside each]

Autonomous System: connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain)

Transit and Peering

[Figure: transit links between ISPs and their customers, peering links between ISPs]

- Transit: ISP sells access
- Peering: reciprocal connectivity
- BGP protocol: routing announcements for both

BGP overview

- Iterative path announcement
  Path announcements grow from destination to source
  Subject to policy (transit, peering)
  Packets flow in the reverse direction
- Protocol specification
  Announcements can be shortest path
  Nodes allowed to use other policies, e.g., cold-potato routing by smaller peer
  Not obligated to use the path you announce

BGP example  [D. Wetherall]

[Figure: eight ASes numbered 1 to 8; each AS announces the AS paths it offers toward the destination, e.g. AS 2 announces 2 7, 2 6 5 and 2 3 4; AS 3 announces 3 2 7 and 3 4; AS 6 announces 6 2 7 and 6 2 3 4; AS 7 announces 7 2 6 5 and 7 2 3 4]

- Transit: 2 provides transit for 7
  7 reaches and is reached via 2
- Peering: 4 and 5 peer
  Exchange customer traffic

Issues

- BGP convergence problems
  Protocol allows policy flexibility
  Some legal policies prevent convergence
  Even shortest-path policy converges slowly
- Incentive for dishonesty
  ISP pays for some routes, others are free
- Security problems
  Potential for disruptive attacks

The BGP Security Problem

- BGP is critical for interdomain routing
  Benign configuration errors wreak havoc
  Highly vulnerable to human errors, attacks

Attack Model

- BGP can be attacked in various ways
  Eavesdrop communication links between routers
  Tamper with BGP software
  Tamper with router management data en route
  Tamper with router management servers
- Little authentication, integrity
  At best, BGP uses a point-to-point keyed MAC, with no automated key management
- Countermeasures add new concerns
  Compromise of secret/private keying material in the routers or in the management infrastructure

BGP Security Requirements  [Kent]

- Verification of address space ownership
- Authentication of Autonomous Systems (AS)
- Router authentication and authorization (relative to an AS)
- Route and address advertisement authorization
- Route withdrawal authorization
- Integrity and authenticity of all BGP traffic on the wire
- Timeliness of BGP traffic
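Added example, not from the lecture: a toy path-vector simulation of the BGP overview and of the "advertise false routes" attack. ASes announce paths hop by hop, export them under transit/peering policy (routes learned from a customer go to everyone; routes learned from a peer or provider go only to customers), and choose routes by preferring customer over peer over provider, then shorter AS path. The second run adds an AS that originates someone else's prefix; with no verification of address space ownership (the first of Kent's requirements), every neighbour for whom the bogus route ranks higher follows it. The eight-AS topology, its business relationships and the tie-break on lowest next-hop AS number are my assumptions, not Wetherall's figure.

```python
from collections import defaultdict

# Assumed topology: customer -> its providers; peering is symmetric.
PROVIDER_OF = {2: [1], 3: [1], 7: [2], 6: [2], 4: [3], 5: [6], 8: [7]}
PEERS = {(4, 5), (5, 4)}
ASES = range(1, 9)
RANK = {"customer": 0, "peer": 1, "provider": 2}


def relationship(a, b):
    """How AS a sees neighbour b: 'customer', 'provider', 'peer' or None."""
    if a in PROVIDER_OF.get(b, []):
        return "customer"
    if b in PROVIDER_OF.get(a, []):
        return "provider"
    if (a, b) in PEERS:
        return "peer"
    return None


def neighbours(a):
    return [b for b in ASES if b != a and relationship(a, b)]


def may_export(learned_rel, to_rel):
    """Export policy: own or customer-learned routes go to everyone;
    peer- or provider-learned routes go only to customers."""
    return learned_rel in (None, "customer") or to_rel == "customer"


def select(a, candidates):
    """candidates: {next_hop: path}. Prefer customer > peer > provider,
    then shorter AS path, then lowest next-hop AS number."""
    if not candidates:
        return None
    _hop, path = min(candidates.items(),
                     key=lambda kv: (RANK[relationship(a, kv[0])], len(kv[1]), kv[0]))
    return path


def converge(origins, authorized=None):
    """origins: ASes that originate the prefix (the owner, plus any hijacker).
    authorized: if given, ASes ignore paths whose origin is not in this set
    (an address-ownership check). Returns {as: chosen AS path}."""
    rib = defaultdict(dict)                   # as -> {next_hop: path}
    best = {o: [o] for o in origins}
    changed = True
    while changed:
        changed = False
        for a in ASES:                        # announcement step
            path = best.get(a)
            for n in neighbours(a):
                export = None
                if path and n not in path:    # loop prevention
                    learned_rel = relationship(a, path[1]) if len(path) > 1 else None
                    if may_export(learned_rel, relationship(a, n)):
                        export = [n] + path
                if rib[n].get(a) != export:
                    if export is None:
                        rib[n].pop(a, None)   # withdrawal
                    else:
                        rib[n][a] = export
                    changed = True
        for a in ASES:                        # selection step
            if a in origins:
                continue
            cands = {h: p for h, p in rib[a].items()
                     if authorized is None or p[-1] in authorized}
            new = select(a, cands)
            if best.get(a) != new:
                best[a] = new
                changed = True
    return best


def misrouted(best, origins, true_origin):
    """ASes (other than the originators) whose chosen path ends at a
    different origin than the prefix's real owner."""
    return {a for a, p in best.items()
            if a not in origins and p and p[-1] != true_origin}


if __name__ == "__main__":
    print("legitimate:", converge({5}))
    hijack = converge({5, 8})
    print("AS 8 also originates:", hijack, "misrouted:", misrouted(hijack, {5, 8}, 5))
    print("with ownership check:", misrouted(converge({5, 8}, authorized={5}), {5, 8}, 5))
```

In this topology the hijack by AS 8 captures only its provider AS 7, because 7 prefers a customer route over the provider route through 2, while AS 2 sees two customer routes of equal length and keeps the legitimate one on the tie-break; change the relationships or lengths and the set of misrouted ASes changes with them, which is the policy-dependence the slides describe.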

Domain Name System (DNS)

- Hierarchical name space

[Figure: root; top-level domains com, edu, org, net, uk, ca; under edu: ucb, stanford, cmu, mit, wisc; under stanford: cs, ece; under cs: www]

DNS Root Name Servers

- Root name servers
- Local name servers contact root servers when they cannot resolve a name

DNS Lookup Example

[Figure: resolving www.cs.stanford.edu]

  Client -> Local DNS server:                 www.cs.stanford.edu?
  Local DNS server -> root & edu DNS server:  www.cs.stanford.edu?
  root & edu DNS server -> Local:             NS stanford.edu
  Local -> stanford.edu DNS server:           www.cs.stanford.edu?
  stanford.edu DNS server -> Local:           NS cs.stanford.edu
  Local -> cs.stanford.edu DNS server:        www.cs.stanford.edu?
  cs.stanford.edu DNS server -> Local:        www = IP addr
  Local DNS server -> Client:                 IP addr

Caching

- DNS responses are cached
  Quick response for repeated translations
  Other queries may reuse some parts of the lookup: NS records for domains
- DNS negative queries are cached
  Don't have to repeat past mistakes, e.g. misspellings, search strings in resolv.conf
- Cached data periodically times out
  Lifetime (TTL) of data controlled by the owner of the data
  TTL passed with every record

Subsequent Lookup Example

[Figure: resolving ftp.cs.stanford.edu after the lookup above; the local server already holds the NS record for cs.stanford.edu]

  Client -> Local DNS server:                 ftp.cs.stanford.edu?
  Local -> cs.stanford.edu DNS server:        ftp.cs.stanford.edu?
  cs.stanford.edu DNS server -> Local:        ftp = IP addr
  Local DNS server -> Client:                 IP addr
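Added example, not from the lecture: a small iterative resolver over hand-built in-memory zones that reproduces the two lookup figures, the NS-record cache that makes the second lookup a single query, TTL expiry, and negative caching. The zone contents, server addresses, TTLs and the choice to model "root & edu" as one server are constructed for the example.

```python
# Constructed zone data: name of zone -> {(qname, qtype): (ttl_seconds, rdata)}
ZONES = {
    ".": {("stanford.edu.", "NS"): (86400, "ns.stanford.edu."),
          ("ns.stanford.edu.", "A"): (86400, "171.64.7.1")},
    "stanford.edu.": {("cs.stanford.edu.", "NS"): (3600, "ns.cs.stanford.edu."),
                      ("ns.cs.stanford.edu.", "A"): (3600, "171.64.64.1")},
    "cs.stanford.edu.": {("www.cs.stanford.edu.", "A"): (300, "171.64.64.64"),
                         ("ftp.cs.stanford.edu.", "A"): (300, "171.64.64.65")},
}
ROOT_SERVER = "198.41.0.4"           # the one address a resolver is configured with
SERVER_ZONE = {ROOT_SERVER: ".", "171.64.7.1": "stanford.edu.",
               "171.64.64.1": "cs.stanford.edu."}
NEGATIVE_TTL = 60                    # how long a "no such name" answer is kept


def authoritative_answer(server_ip, qname, qtype):
    """What the server at server_ip says: ('answer', ttl, rdata), a
    ('referral', ttl, (child_zone, ns_name, ns_address)) to a child zone,
    or ('nxdomain', ttl, None)."""
    zone = ZONES[SERVER_ZONE[server_ip]]
    if (qname, qtype) in zone:
        ttl, rdata = zone[(qname, qtype)]
        return "answer", ttl, rdata
    labels = qname.split(".")
    for i in range(1, len(labels)):               # longest delegated suffix first
        child = ".".join(labels[i:])
        if (child, "NS") in zone:
            ttl, ns = zone[(child, "NS")]
            return "referral", ttl, (child, ns, zone[(ns, "A")][1])
    return "nxdomain", NEGATIVE_TTL, None


class Resolver:
    """Local DNS server: iterates from the deepest cached delegation."""

    def __init__(self):
        self.cache = {}      # (name, type) -> (expires_at, rdata); rdata None = negative
        self.queries = []    # servers contacted, for inspection

    def _cached(self, key, now):
        hit = self.cache.get(key)
        if hit and hit[0] > now:
            return hit
        self.cache.pop(key, None)                 # expired: forget it
        return None

    def resolve(self, qname, now, qtype="A"):
        hit = self._cached((qname, qtype), now)
        if hit:
            return hit[1]                         # positive or negative hit
        labels = qname.split(".")
        server = ROOT_SERVER
        for i in range(1, len(labels)):           # reuse cached NS records
            ns = self._cached((".".join(labels[i:]), "NS"), now)
            if ns:
                server = ns[1][1]
                break
        while True:
            self.queries.append(server)
            kind, ttl, rdata = authoritative_answer(server, qname, qtype)
            if kind == "answer":
                self.cache[(qname, qtype)] = (now + ttl, rdata)
                return rdata
            if kind == "nxdomain":
                self.cache[(qname, qtype)] = (now + ttl, None)
                return None
            child, ns, glue = rdata
            self.cache[(child, "NS")] = (now + ttl, (ns, glue))
            server = glue


def lookup(resolver, name, now):
    """Resolve and report how many servers had to be asked."""
    before = len(resolver.queries)
    ip = resolver.resolve(name, now)
    return ip, len(resolver.queries) - before


if __name__ == "__main__":
    r = Resolver()
    for name, t in [("www.cs.stanford.edu.", 0), ("ftp.cs.stanford.edu.", 10),
                    ("www.cs.stanford.edu.", 301), ("wwww.cs.stanford.edu.", 310),
                    ("wwww.cs.stanford.edu.", 320)]:
        print(t, name, lookup(r, name, t))
```

The query counts are the security-relevant part: once the cs.stanford.edu NS record is cached, every later name under that zone is resolved by trusting whatever server the cached record points at, until its TTL runs out.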

DNS Implementation Vulnerabilities

- Reverse query buffer overrun in BIND
  Gain root access
  Abort DNS service
- MS DNS for NT 4.0
  Crashes on certain input

Inherent DNS Vulnerabilities

- Users/hosts typically trust the host-address mapping provided by DNS
- Problems
  Zone transfers can provide a list of target hosts
  Forge messages by intercepting requests or compromising DNS servers
- Solution: authenticated requests/responses

Bellovin/Mockapetris Attack

- Trust relationships use symbolic addresses
  /etc/hosts.equiv contains friend.stanford.edu
- Requests come with a numeric source address
  Use reverse DNS to find the symbolic name
  Decide access based on /etc/hosts.equiv
- Attack
  Spoof reverse DNS to make the host trust the attacker

Reverse DNS

- Given a numeric IP address, find the symbolic address
- To find 222.33.44.3, query 3.44.33.222.in-addr.arpa
  The zone 44.33.222.in-addr.arpa holds the PTR records for that network, e.g.,
    1  IN  PTR  server.small.com
    2  IN  PTR  boss.small.com
    3  IN  PTR  ws1.small.com
    4  IN  PTR  ws2.small.com

Attack

- Gain control of DNS service for a domain
- Select target machine in the domain
- Find trust relationships
  SNMP, finger can help find active sessions, etc.
  Example: target trusts host1
- Connect
  Attempt rlogin from the compromised machine
  Target contacts the reverse DNS server with the IP address
  Use the modified reverse DNS to say the address is host1
  Target allows rlogin

Defenses against this attack

- Double-check reverse DNS
  Modify rlogind, rshd to query the DNS server
  See if the symbolic address maps back to the numeric address
- Use another service besides DNS
  Network Information Service (NIS, or YP)
  Only works if the attacker cannot control NIS
- Authenticate entries in DNS tables
  Relies on some form of PKI? Next lecture
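Added example, not from the lecture: the access decision rlogind makes from /etc/hosts.equiv, first the way the Bellovin/Mockapetris attack expects it (the PTR record alone decides who the peer is), then with the "double-check reverse DNS" defence: the name the PTR gave must resolve forward to a set of addresses that contains the connecting address. The forward and reverse zones are constructed; the attacker controls the reverse zone for his own address block and has made its PTR record claim host1.stanford.edu.

```python
import ipaddress

# Constructed forward zones (A records): the legitimate owners' data.
FORWARD = {
    "host1.stanford.edu": ["171.64.78.56"],
    "friend.stanford.edu": ["171.64.78.57"],
    "evil.example.net": ["203.0.113.77"],
}
# Constructed reverse records (PTR), keyed by in-addr.arpa name.
REVERSE = {
    "56.78.64.171.in-addr.arpa": "host1.stanford.edu",
    "57.78.64.171.in-addr.arpa": "friend.stanford.edu",
    # The attacker's own reverse zone lies about his own address.
    "77.113.0.203.in-addr.arpa": "host1.stanford.edu",
}
HOSTS_EQUIV = {"host1.stanford.edu", "friend.stanford.edu"}


def reverse_name(ip: str) -> str:
    """222.33.44.3 -> 3.44.33.222.in-addr.arpa, as in the Reverse DNS slide."""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_lookup(ip: str):
    return REVERSE.get(reverse_name(ip))


def a_lookup(name: str):
    return FORWARD.get(name, [])


def trusted_naive(ip: str) -> bool:
    """Original rlogind logic: whoever the PTR names is who the peer is."""
    return ptr_lookup(ip) in HOSTS_EQUIV


def trusted_double_checked(ip: str) -> bool:
    """Defence: the name from the PTR must resolve back to the peer's address."""
    name = ptr_lookup(ip)
    if name not in HOSTS_EQUIV:
        return False
    return ip in a_lookup(name)          # forward-confirmed reverse DNS


if __name__ == "__main__":
    for peer in ("171.64.78.56", "203.0.113.77", "198.51.100.5"):
        print(peer, "naive:", trusted_naive(peer),
              "double-checked:", trusted_double_checked(peer))
```

The check only moves the trust from the attacker's reverse zone to the forward zone of stanford.edu, which is the point of the last defence on the slide: unless the forward answer is authenticated, forging that reply defeats the double-check as well.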
