Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Insecurity in existing network protocols

advertisement 
Network Protocols and
Vulnerabilities
Outline
u Basic Networking (FMU)
u Network attacks
• Attack host networking protocols
– SYN flooding, TCP Spoofing, …
• Attack network infrastructure
John Mitchell
– Routing
– Domain Name System
This lecture is about the way things work now and how they are
not perfect. Next lecture – some security improvements (still not
perfect).
Internet Infrastructure
ISP
Backbone
TCP Protocol Stack
ISP
Application
Application protocol
TCP protocol
Transport
u Local and interdomain routing
• TCP/IP for routing, connections
• BGP for routing announcements
Network
Link
IP protocol
Data
Link
Application
Transport
IP
IP protocol
Network
Network
Access
Data
Link
Link
u Domain Name System
• Find IP address
1
IP
Data Formats
Internet Protocol
u Connectionless
TCP Header
Application
Transport (TCP, UDP)
segment
Network (IP)
packet
Link Layer
frame
• Unreliable
• Best effort
Application message - data
message
TCP
data
TCP
data
IP TCP
data
ETH IP TCP
data
TCP
data
u Transfer datagram
• Header
• Data
Version
Header Length
Type of Service
Total Length
Identification
Flags
Fragment Offset
Time to Live
Protocol
Header Checksum
Source Address of Originating Host
Destination Address of Target Host
ETF
Options
IP Header
Link (Ethernet)
Header
Link (Ethernet)
Trailer
Padding
IP Data
IP Routing
Two-level Address Hierarchy
Meg
Packet
121.42.33.12
u Addresses divided into two parts
Office gateway
Source 121.42.33.12
Destination 132.14.11.51
5
Sequence
Tom
132.14.11.1
ISP
• First: the domain (network) of the host
• Second: address of host within domain
Network Number (Prefix)
132.14.11.51
121.42.33.1
u Internet routing uses numeric IP address
u Typical route uses several hops
Host Number
IP Address
Three different address formats: Class A, Class B, Class C
(not important for this course)
2
Simple Routing Example
IP Protocol Functions (Summary)
u Routing
• IP host knows location of router (gateway)
• IP gateway must know route to other networks
Router
Router
Link1 (l1)
B
171.66.191.22
b l1
c l2
Link2 (l2)
A
171.64.78.56
• IP reports discards to source
u Fragmentation and reassembly
Router
Routing table tells
how to get to subnet
(not individual host)
u Error reporting
• If packets smaller than the user data
C
171.64.82.12
UDP
TCP
User Datagram Protocol
u IP provides routing
• IP address gets datagram to a specific machine
Transmission Control Protocol
u Connection-oriented, preserves order
• Sender
– Break data into packets
– Attach packet numbers
u UDP separates traffic by port
• Destination port number gets UDP datagram to
particular application process, e.g., 128.3.23.3, 53
• Source port number provides return address
u Minimal guarantees (… mice and elephants)
• No acknowledgment
• No flow control
• No message continuation
• Receiver
– Acknowledge receipt; lost packets are resent
– Reassemble packets in correct order
Book
Mail each page
Reassemble book
1
19
1
5
1
3
FTP
File Transfer Protocol
u FTP uses TCP to transfer files
u Steps in FTP
• Login connection
– User connects to remote computer
– Specifies name and password
• Data transfer
– Specify file names to send or receive
– Can also ask for list of file names, other functions
SMTP
Simple Mail Transfer Protocol
u Protocol for transferring mail on Internet
u Three associated standards
• Protocol used to send mail using TCP
– HELO, EHLO, … messages
• Format for mail messages
– Set of header fields and their interpretation
To: <address>
From: <address>
– Methods for including data other than plain text
• Routing mail using the Domain Name System
ICMP
Internet Control Message Protocol
u Provides feedback about network operation
• Error reporting
• Reachability testing
• Congestion Control
u Example message types
•
•
•
•
•
•
Destination unreachable
Time exceeded
Parameter problem
Redirect to better gateway
Echo/echo reply - reachability test
Timestamp request/reply - measure transit delay
Basic Security Problems
u Network packets pass by untrusted hosts
• Eavesdropping, packet sniffing
u IP addresses are public
• Smurf
u TCP connection requires state
• SYN flooding attack
u TCP state easy to guess
• TCP spoofing attack
4
Packet Sniffing
Smurf Attack
u Promiscuous NIC reads all packets
u Choose victim
• Read all unencrypted data
• ftp, telnet send passwords in clear!
• Flood victim with packets from many sources
u Generate ping stream (ICMP Echo Req)
• Network broadcast address with a spoofed source
IP set to a victim host
Eve
u Wait for responses
Alice
Network
Bob
• Every host on target network will generate a ping
reply (ICMP Echo Reply) to victim
• Ping reply stream can overload victim
Sweet Hall attack installed sniffer on local machine
TCP Handshake
C
SYN Flooding
C
S
SYNC
Listening
SYNS, ACKC
Store data
Wait
ACKS
S
SYNC1
SYNC2
SYNC3
Listening
Store data
SYNC4
SYNC5
Connected
5
SYN Flooding
TCP Connection Spoofing
u Attacker sends many connection requests
• Spoofed source addresses
u Victim allocates resources for each request
• Connection requests exist until timeout
• Fixed bound on half-open connections
u Resources exhausted fi requests rejected
IP Spoofing Attack
u A, B trusted connection
• Send packets with
predictable seq numbers
A
u E impersonates B to A
E
B
• Opens connection to A to get
initial seq number
• SYN-floods B’s queue
• Sends packets to A that
resemble B’s transmission
• E cannot receive, but may
execute commands on A
u Each TCP connection has an associated state
• Sequence number, port number
u Problem
• Easy to guess state
– Port numbers are standard
– Sequence numbers often chosen in predictable way
TCP Congestion Control
Source
Destination
u If packets are lost, assume congestion
• Reduce transmission rate by half, repeat
• If loss stops, increase rate very slowly
Design assumes routers blindly obey this policy
Attack can be blocked if E is outside firewall.
6
Competition
Source A
TCP Attack on Congestion Control
Destination
u Misbehaving receiver can trick sender into
ignoring congestion control
• Receiver: duplicate ACK indicates gap
Source B
Destination
u Amiable Alice yields to boisterous Bob
• Alice and Bob both experience packet loss
• Alice backs off
• Bob disobeys protocol, gets better results
– Packets within seq number range assumed lost
– Sender executes fast retransmit algorithm
• Malicious receiver can
– Send duplicate ACK
– ACK before data is received
• needs some application level retransmission – e.g.
HTTP 1.1 range requests … See RFC 2581
• Solutions
– Add nonces – ACKs return nonce to prove reception
See: Savage et al., TCP Congestion Control with a Misbehaving Receiver
ICMP
u Reports errors and other conditions from
network to hosts
u Hosts take actions to respond to error
u Problem
• An entity can easily forge a variety of ICMP error
messages
– Redirect – informs end-hosts that it should be using
different first hop route
– Fragmentation – can confuse path MTU discovery
– Destination unreachable – can cause transport
connections to be dropped
Prevention
u Eavesdropping
• Encryption, improved routing (Next lecture: IPSEC)
u Smurf
• Turn off ping? Authenticated IP addresses?
u SYN Flooding
• Cookies
• Random deletion
u IP spoofing
• Use less predictable sequence numbers
7
Protection against SYN Attacks
[Bernstein, Schenk]
u Client sends SYN
u Server responds to Client with SYN-ACK cookie
• sqn = f(src addr, src port, dest addr, dest port, rand)
• Server does not save state
u Honest client responds with ACK(sqn)
u Server checks response
• If matches SYN-ACK, establishes connection
Random Deletion
SYNC
Half-open sessions
171.64.82.03
232.61.28.05
168.44.14.21
121.49.16.22
132.24.14.28
u If queue is full, delete random entry
• Legitimate connections have chance to complete
• Fake addresses eventually deleted
Easy to implement, some improvement
TCP Sequence Numbers
u Need high degree of unpredictability
• If attacker knows TCP/IP initial sequence number
and amount of traffic sent,
• Then attacker may know set of likely values
• Can send a flood of packets with likely sequence
numbers; one correct packet will be accepted
• The larger the available bandwidth, the larger the
possible guess
Status of sequence generators
u Reported to be safe from practical attacks
• Cisco IOS, OpenBSD 2.8-current, FreeBSD 4.3RELEASE, AIX, HP/UX 11i, Linux Kernels after 1996
• Solaris 2.6 if strong initial sequence numbers has
been turned on.
– Set TCP_STRONG_ISS to 2 in /etc/default/inetinit.
• HP/UX version 11.00 by applying TRANSPORT
patch PHNE_22397
• IRIX 6.5.3 and above by using the tcpiss_md5
tunable kernel parameter, which by default is off
8
Cryptographic protection
u Solutions above the transport layer
• Examples: SSL and SSH
• Protect against session hijacking and injected data
• Do not protect against denial-of-service attacks
caused by spoofed packets
u Solutions at network layer
• IPSec
• Can protect against
Routing Vulnerabilities
u Source routing attack
• Can direct response through compromised host
u Routing Information Protocol (RIP)
• Direct client traffic through compromised host
u Exterior gateway protocols
• Advertise false routes
• Send traffic through compromised hosts
– session hijacking and injection of data
– denial-of-service attacks using session resets
Source Routing Attacks
u Attack
• Destination host may use reverse of source route
provided in TCP open request to return traffic
– Modify the source address of a packet
– Route traffic through machine controlled by attacker
u Defenses
• Gateway rejects external packets claiming to be local
• Reject pre-authorized connections if source routing
info present
• Only accept source route if trusted gateways listed
in source routing info
Routing Table Update Protocols
u Interior Gateway Protocols: IGPs
• distance vector type - each gateway keeps track of
its distance to all destinations
– Gateway-to-Gateway: GGP
– Routing Information Protocol: RIP
u Exterior Gateway Protocol: EGP
• used for communication between different
autonomous systems
9
Routing Information Protocol (RIP)
u Attack
Routing Information Protocol (RIP)
u Defense
• Intruder sends bogus routing information to a
target and each of the gateways along the route
– Impersonates an unused host
• Diverts traffic for that host to the intruder’s machine
– Impersonates a used host
• All traffic to that host routed to the intruder’s
machine
• Intruder inspects packets & resends to host w/
source routing
• Allows capturing of unencrypted passwords, data, etc
• Paranoid gateway
– Filters packets based on source and/or destination
addresses
• Don’t accept new routes to local networks
– Interferes with fault-tolerance but detects intrusion
attempts
• Authenticate RIP packets
– Difficult in a broadcast protocol
– Only allows for authentication of prior sender
Interdomain Routing
earthlink.net
Stanford.edu
Exterior
Gateway
Protocol
Interior
Gateway
Protocol
Autonomous
System
connected group of one or
more Internet Protocol
prefixes under a single
routing policy (aka domain)
10
Transit and Peering
BGP overview
Peering
u Iterative path announcement
Peering
• Path announcements grow from destination to
source
• Subject to policy (transit, peering)
• Packets flow in reverse direction
Transit
u Protocol specification
Transit: ISP sells access
Peering: reciprocal connectivity
BGP protocol: routing announcements for both
BGP example
1
234
8
7265
7
7234
234
7
[D. Wetherall]
27
34
265
2
327
3
u Transit: 2 provides transit for 7
65
27
6
5
5
4
627
6234
5
– E.g., “cold-potato routing” by smaller peer
• Not obligated to use path you announce
Issues
u BGP convergence problems
4
265 4 3265
27
7
265 234
• Announcements can be shortest path
• Nodes allowed to use other policies
• Protocol allows policy flexibility
• Some legal policies prevent convergence
• Even shortest-path policy converges slowly
u Incentive for dishonesty
• ISP pays for some routes, others free
u Security problems
• Potential for disruptive attacks
• 7 reaches and is reached via 2
u Peering: 4 and 5 peer
• exchange customer traffic
11
The BGP Security Problem
u BGP is critical for interdomain routing
Attack Model
u BGP can be attacked in various ways
• Benign configuration errors wreak havoc
• Highly vulnerable to human errors, attacks
•
•
•
•
u Little authentication, integrity
• At best, BGP uses point-to-point keyed MAC, with
no automated key management
Eavesdrop communication links between routers
Tamper with BGP software
Tamper with router management data en route
Tamper with router management servers
u Countermeasures add new concerns
• Compromise of secret/private keying material in
the routers or in the management infrastructure
BGP Security Requirements [Kent]
u Verification of address space “ownership”
u Authentication of Autonomous Systems (AS)
u Router authentication and authorization
(relative to an AS)
u Route and address advertisement
authorization
u Route withdrawal authorization
u Integrity and authenticity of all BGP traffic
on the wire
u Timeliness of BGP traffic
DNS
Domain Name System
u Hierarchical Name Space
root
org
wisc
edu
net
com
stanford
ucb
cs
uk
cmu
ca
mit
ece
www
12
DNS Root Name Servers
u Root name servers
u Local name servers
contact root servers
when they cannot
resolve a name
DNS Lookup Example
www.cs.stanford.edu
Client
Caching
Local
DNS server
root & edu
DNS server
du
rd.e
tanfo
.cs.s
www
.edu
d
r
fo
stan
NS
NS cs.stanfo
rd.edu
stanford.edu
DNS server
ww
w=
IPa
dd
r
cs.stanford.edu
DNS server
Subsequent Lookup Example
u DNS responses are cached
• Quick response for repeated translations
• Other queries may reuse some parts of lookup
– NS records for domains
u DNS negative queries are cached
• Don’t have to repeat past mistakes
• E.g. misspellings, search strings in resolv.conf
u Cached data periodically times out
• Lifetime (TTL) of data controlled by owner of data
• TTL passed with every record
root & edu
DNS server
ftp.cs.stanford.edu
Client
Local
DNS server
ftp
.cs
. st
an
for
d
ftp
=IP
ad
dr
.ed
stanford.edu
DNS server
u
cs.stanford.edu
DNS server
13
DNS Implementation Vulnerabilities
u Reverse query buffer overrun in BIND
• gain root access
• abort DNS service
u MS DNS for NT 4.0
• crashes on certain input
Inherent DNS Vulnerabilities
u Users/hosts typically trust the host-address
mapping provided by DNS
u Problems
• Zone transfers can provide list of target hosts
• Forge messages by intercepting requests or
compromising of DNS servers
Solution – authenticated requests/responses
Bellovin/Mockapetris Attack
u Trust relationships use symbolic addresses
Reverse DNS
u Given numeric IP address, find symbolic addr
• /etc/hosts.equiv contains friend.stanford.edu
u Requests come with numeric source address
• Use reverse DNS to find symbolic name
• Decide access based on /etc/hosts.equiv, …
u Attack
• Spoof reverse DNS to make host trust attacker
u To find 222.33.44.3,
• Query 44.33.222.in-addr.arpa
• Get list of symbolic addresses, e.g.,
1
2
3
4
IN
IN
IN
IN
PTR
PTR
PTR
PTR
server.small.com
boss.small.com
ws1.small.com
ws2.small.com
14
Attack
u Gain control of DNS service for domain
u Select target machine in domain
u Find trust relationships
• SNMP, finger can help find active sessions, etc.
• Example: target trusts host1
u Connect
•
•
•
•
Attempt rlogin from compromised machine
Target contacts reverse DNS server with IP addr
Use modified reverse DNS to say addr is host1
Target allows rlogin
Defenses against this attack
u Double-check reverse DNS
• Modify rlogind, rshd to query DNS server
• See if symbolic addr maps to numeric addr
u Use another service besides DNS
• Network Information Service (NIS, or YP)
• Only works if attacker cannot control NIS …
u Authenticate entries in DNS tables
• Relies on some form of PKI?
• Next lecture …
15
Related documents
REFERENCE MODELS FOR COMPUTER NETWORKS
REFERENCE MODELS FOR COMPUTER NETWORKS
上課要求(Network Requirement)
上課要求(Network Requirement)
ECE 562
ECE 562
Super G on Raven PTarmigan January15th, 2009 RACE JURY
Super G on Raven PTarmigan January15th, 2009 RACE JURY
Sample Test #2 Fall 2010
Sample Test #2 Fall 2010
Exercise #4 - UNCW/CSB Application Server Landing Page
Exercise #4 - UNCW/CSB Application Server Landing Page
Lab 11 - Personal Web Pages
Lab 11 - Personal Web Pages
networking
networking
Matching game to review for Exam II
Matching game to review for Exam II
Download
advertisement