John Mitchell
Outline
u Basic Networking (FMU)
u Network attacks
Attack host networking protocols: SYN flooding, TCP spoofing, ...
This lecture is about the way things work now and how they are not perfect. The next lecture covers some security improvements (still not perfect).
Internet Infrastructure
[Figure: hosts connect through their ISPs to a backbone ISP. Each host runs the protocol stack Application / Transport / Network (IP) / Link (network access); routers along the way run only the IP and link layers.]
Data Formats
[Figure: encapsulation across layers. Application: message (data); Transport (TCP, UDP): segment = TCP header + application data; Network (IP): packet = IP header + TCP segment; Link layer: frame = frame header + IP packet.]
Internet Protocol
u Connectionless
Unreliable, best effort
u Transfer datagram
Header, data
IP header fields: Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address of Originating Host, Destination Address of Target Host, Options, Padding; followed by the IP data (here a TCP segment).
IP Routing
[Figure: a message from source 121.42.33.12 travels via its ISP's router (121.42.33.1) and the destination network's router (132.14.11.1) to destination 132.14.11.51; each packet carries the source address, the destination address and a sequence number (e.g., 5).]
IP Address
u Internet routing uses numeric IP address
u Typical route uses several hops
Three different address formats: Class A, Class B, Class C (not important for this course)
[Figure: host A (171.64.78.56) reaches other hosts through routers b and c over links l1 and l2.]
u Error reporting
IP reports discards to source
UDP
TCP
u Receiver acknowledges receipt; lost packets are resent
u Packets are reassembled in the correct order
[Figure: a book is mailed one page per packet; pages arrive out of order (e.g., 19, 1, 5) and the receiver reassembles the book.]
FTP
u Data transfer
Specify file names to send or receive; can also ask for a list of file names, other functions
SMTP
ICMP
Packet Sniffing
u Promiscuous NIC reads all packets
Read all unencrypted data; ftp and telnet send passwords in the clear!
[Figure: Eve, on the same network segment, reads the traffic between the two endpoints.]
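What the sniffer actually has to do with the bytes it reads, as an added example (not code from the slides): decode the IP header fields from the data-formats slide, decode the TCP header beneath it, verify both checksums, and pull USER/PASS out of the FTP control stream. The packets, addresses (reused from the routing figure), port numbers and credentials are constructed for this example.

```python
"""Added example: decode an IPv4/TCP frame as a sniffer would, then pull the
cleartext FTP login out of the payload. Constructed packets, not a real capture."""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: fold the 16-bit one's-complement sum, then complement it.
    Over a header that already contains a correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, ttl=64):
    """Assemble IP header + TCP header + data (the 'packet' of the data-formats slide)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)
    # TCP header: ports, seq, ack, data offset (5 words) + flags, window, checksum 0, urgent
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp + payload)) + tcp[18:]
    # IPv4 header: version 4 / IHL 5, TOS, total length, id, flags+frag, TTL, proto 6, checksum 0, addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0, ttl, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp + payload


def parse_ipv4(frame: bytes) -> dict:
    """Decode the IP header fields listed on the slide and verify the header checksum."""
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) < total_len:
        raise ValueError("malformed IPv4 packet")
    if ones_complement_sum(frame[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "proto": proto, "id": ident, "payload": frame[ihl:total_len]}


def parse_tcp(segment: bytes, src_ip: str, dst_ip: str) -> dict:
    """Decode the TCP header and verify its checksum over the IP pseudo-header."""
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    if ones_complement_sum(pseudo + segment) != 0:
        raise ValueError("bad TCP checksum")
    data_off = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "payload": segment[data_off:]}


def sniff_ftp_logins(frames) -> dict:
    """What Eve's promiscuous NIC yields: USER/PASS from every segment sent to port 21."""
    creds = {}
    for frame in frames:
        ip = parse_ipv4(frame)
        if ip["proto"] != 6:
            continue
        tcp = parse_tcp(ip["payload"], ip["src"], ip["dst"])
        if tcp["dport"] != 21:
            continue
        entry = creds.setdefault((ip["src"], ip["dst"]), {})
        for line in tcp["payload"].decode("ascii", "replace").splitlines():
            if line.upper().startswith("USER "):
                entry["user"] = line[5:]
            elif line.upper().startswith("PASS "):
                entry["password"] = line[5:]
    return creds


# Constructed capture: a client logging in to an FTP server, plus an unrelated
# HTTP segment that the port filter must ignore.
PSH_ACK = 0x18
CAPTURE = [
    build_ipv4_tcp("121.42.33.12", "132.14.11.51", 40001, 21, 1000, 5000, PSH_ACK, b"USER alice\r\n"),
    build_ipv4_tcp("121.42.33.12", "132.14.11.51", 40001, 21, 1012, 5030, PSH_ACK, b"PASS hunter2\r\n"),
    build_ipv4_tcp("121.42.33.12", "132.14.11.51", 40002, 80, 7000, 9000, PSH_ACK, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print(sniff_ftp_logins(CAPTURE))
```

The checksum routine is shared by both layers; the only difference for TCP is the pseudo-header (addresses, protocol, length) prepended before summing, which is also why a sniffer needs the IP addresses to validate a segment.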
Smurf Attack
u Choose victim
u Flood victim with packets from many sources
Attacker sends ping (ICMP echo request) to a network's broadcast address with the source address forged to be the victim; every host on that network replies to the victim, so one attacker packet becomes many reply packets.
TCP Handshake
[Figure: C sends SYN_C to the listening S; S stores the connection data and answers SYN_S, ACK_C; C replies ACK_S and the connection is established.]
SYN Flooding
[Figure: C sends SYN_C1, SYN_C2, ..., SYN_C5 to S; S stores data for each half-open connection and waits for an ACK_S that never arrives.]
SYN Flooding
u Attacker sends many connection requests
Spoofed source addresses, so the SYN-ACKs go nowhere and the half-open connections stay in the victim's table until it fills; new (legitimate) connections are then refused
u Problem
Easy to guess state: port numbers are standard, and sequence numbers are often chosen in a predictable way
IP Spoofing Attack
u A, B trusted connection
A sends packets with predictable sequence numbers
u E impersonates B to A
Opens a connection to A to get the initial sequence number
SYN-floods B's queue
Sends packets to A that resemble B's transmission
E cannot receive, but may execute commands on A
[Figure: packets arrive at destination A with source B; the real B and E (also using source B) compete for A's attention.]
Solutions
u Add nonces: ACKs return the nonce to prove reception
See: Savage et al., TCP Congestion Control with a Misbehaving Receiver
ICMP
u Reports errors and other conditions from network to hosts
u Hosts take actions to respond to error
u Problem
An entity can easily forge a variety of ICMP error messages
Redirect informs end-hosts that they should be using a different first hop route
Fragmentation needed can confuse path MTU discovery
Destination unreachable can cause transport connections to be dropped
Prevention
u Eavesdropping
Encryption, improved routing (Next lecture: IPSEC)
u Smurf
Turn off ping? Authenticated IP addresses? In practice: routers refuse to forward packets addressed to directed broadcast addresses, and hosts do not answer echo requests sent to a broadcast address
u SYN Flooding
Cookies, random deletion
u IP spoofing
Use less predictable sequence numbers [Bernstein, Schenk]
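Why the sequence-number fix works, as an added example (not from the slides): E's attack from the IP spoofing slide is simulated against two initial-sequence-number generators, one that steps by a fixed constant per connection (the predictable case) and one keyed on a server secret and the connection 4-tuple in the style of RFC 1948. The generators, addresses and the per-connection "clock" are assumptions of this example, not a real TCP stack.

```python
"""Added example: predictable vs. keyed initial sequence numbers, and E's spoofing
attempt against each. Simulation only; the clock is modelled as a per-connection
counter rather than real time."""
import hashlib
import os


class SteppedISN:
    """Old BSD-style generator: the ISN advances by a fixed constant per connection,
    so anyone who has seen one ISN can predict the next."""
    STEP = 64000

    def __init__(self):
        self.last = 0

    def next_isn(self, client_ip, server_ip):
        self.last = (self.last + self.STEP) & 0xFFFFFFFF
        return self.last


class KeyedISN:
    """RFC 1948-style generator: ISN = clock + F(secret, connection identity). The
    per-connection offset cannot be computed without the server's secret."""
    STEP = 64000

    def __init__(self):
        self.secret = os.urandom(16)
        self.clock = 0

    def next_isn(self, client_ip, server_ip):
        self.clock = (self.clock + self.STEP) & 0xFFFFFFFF
        digest = hashlib.sha256(self.secret + f"{client_ip}>{server_ip}".encode()).digest()
        return (self.clock + int.from_bytes(digest[:4], "big")) & 0xFFFFFFFF


def spoof_attempt(server, attacker_ip, trusted_ip, target_ip):
    """E's attack: open a real connection to learn A's current ISN, then send a SYN
    with B's address and guess the SYN-ACK sequence number A sends to B. E never
    sees that SYN-ACK (it goes to B, whose queue the slide has E flood first), so
    E's forged final ACK is accepted only if the guess is exact."""
    observed = server.next_isn(attacker_ip, target_ip)    # E's own, legitimate connection
    guess = (observed + SteppedISN.STEP) & 0xFFFFFFFF       # E assumes fixed stepping
    actual = server.next_isn(trusted_ip, target_ip)        # ISN A assigns to "B"
    return guess == actual


def success_rate(generator_cls, trials=200):
    """Fraction of spoofing attempts that land against a fresh server of this type.
    Addresses are constructed (A's address is taken from the IP address slide)."""
    server = generator_cls()
    hits = sum(spoof_attempt(server, "10.0.0.66", "171.64.78.56", "171.64.78.1")
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("stepped ISN:", success_rate(SteppedISN))
    print("keyed ISN:  ", success_rate(KeyedISN))
```

Against the keyed generator E's guess is off by F(B, A) minus F(E, A), a value E cannot learn from its own connection, so the guess succeeds with probability about 2^-32 per attempt; against the stepped generator it succeeds every time.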
Random Deletion
[Figure: the half-open session table holds entries for SYN_C from 171.64.82.03, 232.61.28.05, 168.44.14.21, 121.49.16.22, 132.24.14.28; when the table is full, a randomly chosen entry is deleted to make room for the new request.]
Vendor notes on less predictable initial sequence numbers: HP/UX version 11.00 by applying TRANSPORT patch PHNE_22397; IRIX 6.5.3 and above by using the tcpiss_md5 tunable kernel parameter, which is off by default.
Cryptographic protection
u Solutions above the transport layer
Examples: SSL and SSH
Protect against session hijacking and injected data
Do not protect against denial-of-service attacks caused by spoofed packets
Routing Vulnerabilities
u Source routing attack
The IP source-route option lets the sender list the hops a packet must take; an attacker spoofing a trusted source address can list its own host, so the replies are routed back through the compromised host
u Defenses
Gateway rejects external packets claiming to be local
Reject pre-authorized connections if source routing info is present
Only accept a source route if trusted gateways are listed in the source routing info
Interdomain Routing
[Figure: two autonomous systems, earthlink.net and Stanford.edu, connected by transit and peering links.]
Autonomous System
connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain)
BGP overview
u Iterative path announcement
Path announcements grow from destination to source
Subject to policy (transit, peering)
Packets flow in the reverse direction
u Protocol specification
Transit: ISP sells access
Peering: reciprocal connectivity
BGP protocol: routing announcements for both
Announcements can be shortest path; nodes are allowed to use other policies
E.g., cold-potato routing by a smaller peer
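The announcement process described above, as an added example (not from the slides or any BGP implementation): a path-vector simulation in which the destination AS originates a prefix, each AS prepends itself to the path it re-announces, loops are rejected from the AS path, and export is filtered by the transit/peering relationships. The topology, AS numbers and business relationships are constructed for this example; route selection is shortest path with a lexicographic tie-break.

```python
"""Added example: path-vector propagation with transit/peering export policy.
Constructed topology; AS numbers have no relation to real ASNs."""
from collections import defaultdict, deque

# REL[(a, b)] records what b is to a: "customer", "provider" or "peer".
# AS 1 originates the prefix and buys transit from 2; 2 and 3 peer; 4 is a provider
# above 2, 3 and 7; 5 is 3's customer; 3 and 6 peer; 6 buys transit from 7.
REL = {}


def _link(customer, provider):
    REL[(customer, provider)] = "provider"
    REL[(provider, customer)] = "customer"


def _peer(a, b):
    REL[(a, b)] = REL[(b, a)] = "peer"


for c, p in [(1, 2), (2, 4), (3, 4), (5, 3), (7, 4), (6, 7)]:
    _link(c, p)
_peer(2, 3)
_peer(3, 6)


def export_allowed(rel, me, learned_from, to):
    """Transit/peering rule: a route learned from a customer is announced to everyone
    (I sell transit to it); a route learned from a peer or provider goes only to my
    own customers (I do not carry traffic between two parties who pay me nothing)."""
    if learned_from is None or rel[(me, learned_from)] == "customer":
        return True
    return rel[(me, to)] == "customer"


def propagate(rel, origin, use_policy=True):
    """Announcements start at the destination AS and grow by one AS per hop.
    Each AS keeps the shortest loop-free path (AS-path loop detection) and
    re-announces it to the neighbours its policy allows. Returns AS -> path,
    where the path reads from the AS back to the origin; packets follow it."""
    nbrs = defaultdict(set)
    for a, b in rel:
        nbrs[a].add(b)
    best = {origin: (origin,)}
    queue = deque((origin, n, (origin,)) for n in sorted(nbrs[origin]))
    while queue:
        sender, me, path = queue.popleft()
        if me in path:                       # my own number already in the path: loop, drop it
            continue
        candidate = (me,) + path
        current = best.get(me)
        if current is not None and (len(current), current) <= (len(candidate), candidate):
            continue
        best[me] = candidate
        for n in sorted(nbrs[me]):
            if n != sender and (not use_policy or export_allowed(rel, me, sender, n)):
                queue.append((me, n, candidate))
    return best


if __name__ == "__main__":
    for label, flag in (("with policy", True), ("shortest path only", False)):
        routes = propagate(REL, 1, flag)
        print(label, {a: routes[a] for a in sorted(routes)})
```

With policy, AS 6 reaches AS 1 over the four-hop path 6 7 4 2 1 even though its peer 3 holds the shorter 3 2 1: 3 learned that route from a peer and will not give it to another peer. That gap between "shortest" and "what policy permits" is the slide's point, and it is also where the convergence problems of the next slide come from.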
BGP example [D. Wetherall]
[Figure: eight ASes (1 to 8) exchanging announcements; each AS's table lists the AS paths it has learned, e.g. AS 2 has 2 7, 2 3 4, 2 6 5; AS 3 has 3 2 7, 3 2 6 5; AS 6 has 6 2 7, 6 2 3 4; AS 7 has 7 2 6 5, 7 2 3 4.]
Issues
u BGP convergence problems
Protocol allows policy flexibility
Some legal policies prevent convergence
Even shortest-path policy converges slowly
u Security problems
Potential for disruptive attacks
Attack Model
u BGP can be attacked in various ways
Eavesdrop on communication links between routers
Tamper with BGP software
Tamper with router management data en route
Tamper with router management servers
DNS
[Figure: resolving www.cs.stanford.edu; the client asks its resolver, which walks the hierarchy (root, .edu, stanford.edu, cs.stanford.edu); wisc appears as another domain under the root.]
Caching
u DNS responses are cached
Quick response for repeated translations
Other queries may reuse some parts of the lookup
u NS records for domains
[Figure: looking up ftp.cs.stanford.edu with cached NS records for .edu, stanford.edu and cs.stanford.edu; the final answer is ftp = IP addr.]
Bellovin/Mockapetris Attack
u Trust relationships use symbolic addresses
/etc/hosts.equiv contains friend.stanford.edu
Reverse DNS
u Given a numeric IP address, find the symbolic address
u To find 222.33.44.3,
Query 44.33.222.in-addr.arpa
Get a list of symbolic addresses, e.g.,
1 IN PTR server.small.com
2 IN PTR boss.small.com
3 IN PTR ws1.small.com
4 IN PTR ws2.small.com
u Attack
Spoof reverse DNS to make the host trust the attacker
Attack
u Gain control of DNS service for a domain
u Select target machine in the domain
u Find trust relationships
SNMP, finger can help find active sessions, etc.
Example: target trusts host1
u Connect
Attempt rlogin from the compromised machine
Target contacts the reverse DNS server with the IP addr
Use modified reverse DNS to say the addr is host1
Target allows rlogin
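The trust decision the attack exploits, as an added example (not code from the slides or from rlogin): first the naive check that maps the connecting address to a name through reverse DNS alone, then the same check with forward confirmation, which asks the name's own forward zone whether it really has that address. The resolver is a constructed stand-in for DNS; the attacker is assumed to control the reverse zone for 222.33.44.0/24 (the address block from the reverse DNS slide) but not stanford.edu's forward zone, and host1's address is taken from the IP address slide.

```python
"""Added example: hosts.equiv-style trust keyed on a reverse-DNS name, naive vs.
forward-confirmed. All DNS records here are constructed."""
import ipaddress


class FakeResolver:
    """Stand-in for DNS: PTR records keyed by in-addr.arpa name, A records by hostname."""

    def __init__(self, ptr_records, a_records):
        self.ptr = ptr_records
        self.a = a_records

    def reverse(self, ip):
        """PTR lookup, e.g. 222.33.44.3 -> 3.44.33.222.in-addr.arpa -> name (or None)."""
        return self.ptr.get(ipaddress.ip_address(ip).reverse_pointer)

    def forward(self, name):
        """A lookup: the set of addresses the name's own zone publishes."""
        return self.a.get(name, set())


HOSTS_EQUIV = {"host1.stanford.edu"}    # the target's /etc/hosts.equiv (constructed)

RECORDS = FakeResolver(
    ptr_records={
        "56.78.64.171.in-addr.arpa": "host1.stanford.edu",   # genuine reverse record
        "3.44.33.222.in-addr.arpa": "host1.stanford.edu",    # attacker's modified reverse zone
    },
    a_records={"host1.stanford.edu": {"171.64.78.56"}},      # stanford.edu's forward zone
)


def naive_trust(resolver, peer_ip):
    """What the slide's target does: map the peer's address to a name, trust the name."""
    return resolver.reverse(peer_ip) in HOSTS_EQUIV


def fcrdns_trust(resolver, peer_ip):
    """Forward-confirmed reverse DNS: the name must be trusted AND its forward records
    must contain the peer's address. The attacker's reverse zone cannot arrange that."""
    name = resolver.reverse(peer_ip)
    return name in HOSTS_EQUIV and peer_ip in resolver.forward(name)


if __name__ == "__main__":
    for ip in ("171.64.78.56", "222.33.44.3"):
        print(ip, "naive:", naive_trust(RECORDS, ip), "forward-confirmed:", fcrdns_trust(RECORDS, ip))
```

Forward confirmation closes the forged-PTR hole but not the others on these slides: a spoofed source address with a predictable sequence number still passes both checks, and a poisoned forward cache would too. The durable fix is to stop keying trust on names at all and use the cryptographic layer of the earlier slide (SSH keys instead of rlogin and hosts.equiv).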