Post on 07-Feb-2018
transcript
1
Network Protocols andVulnerabilities
John Mitchell
Outline
u Basic Networking (FMU)u Network attacks
• Attack host networking protocols– SYN flooding, TCP Spoofing, …
• Attack network infrastructure– Routing– Domain Name System
This lecture is about the way things work now and how they arenot perfect. Next lecture – some security improvements (still notperfect).
BackboneISP
ISP
Internet Infrastructure
u Local and interdomain routing• TCP/IP for routing, connections• BGP for routing announcements
u Domain Name System• Find IP address
TCP Protocol Stack
Application
Transport
Network
Link
Application protocol
TCP protocol
IP protocol
DataLink
IP
NetworkAccess
IP protocol
DataLink
Application
Transport
Network
Link
2
Data Formats
Application
Transport (TCP, UDP)
Network (IP)
Link Layer
Application message - data
TCP data TCP data TCP data
TCP Header
dataTCPIP
IP Header
dataTCPIPETH ETF
Link (Ethernet) Header
Link (Ethernet) Trailer
segment
packet
frame
message
Internet Protocol
u Connectionless• Unreliable• Best effort
u Transfer datagram• Header• Data
IP
Version Header LengthType of Service
Total LengthIdentification
Flags
Time to LiveProtocol
Header Checksum
Source Address of Originating Host
Destination Address of Target Host
Options
Padding
IP Data
Fragment Offset
IP Routing
u Internet routing uses numeric IP addressu Typical route uses several hops
Meg
Tom
ISP
Office gateway
121.42.33.12132.14.11.51
5
SourceDestinationSequence
Packet
121.42.33.12
121.42.33.1
132.14.11.51
132.14.11.1
Two-level Address Hierarchy
u Addresses divided into two parts• First: the domain (network) of the host• Second: address of host within domain
Network Number (Prefix) Host Number
IP Address
Three different address formats: Class A, Class B, Class C(not important for this course)
3
Simple Routing Example
Link1 (l1)
Link2 (l2)A
B
C
b l1l2c
Routing table tellshow to get to subnet(not individual host)
Router
Router
Router 171.64.78.56
171.66.191.22
171.64.82.12
IP Protocol Functions (Summary)
u Routing• IP host knows location of router (gateway)• IP gateway must know route to other networks
u Error reporting• IP reports discards to source
u Fragmentation and reassembly• If packets smaller than the user data
User Datagram Protocol
u IP provides routing• IP address gets datagram to a specific machine
u UDP separates traffic by port• Destination port number gets UDP datagram to
particular application process, e.g., 128.3.23.3, 53• Source port number provides return address
u Minimal guarantees (… mice and elephants)• No acknowledgment• No flow control• No message continuation
UDP
Transmission Control Protocol
u Connection-oriented, preserves order• Sender
– Break data into packets– Attach packet numbers
• Receiver– Acknowledge receipt; lost packets are resent– Reassemble packets in correct order
TCP
Book Mail each page Reassemble book
19
5
1
1 1
4
File Transfer Protocol
u FTP uses TCP to transfer filesu Steps in FTP
• Login connection– User connects to remote computer– Specifies name and password
• Data transfer– Specify file names to send or receive– Can also ask for list of file names, other functions
FTP
Simple Mail Transfer Protocol
u Protocol for transferring mail on Internetu Three associated standards
• Protocol used to send mail using TCP– HELO, EHLO, … messages
• Format for mail messages– Set of header fields and their interpretation
To: <address> From: <address>
– Methods for including data other than plain text
• Routing mail using the Domain Name System
SMTP
Internet Control Message Protocol
u Provides feedback about network operation• Error reporting• Reachability testing• Congestion Control
u Example message types• Destination unreachable• Time exceeded• Parameter problem• Redirect to better gateway• Echo/echo reply - reachability test• Timestamp request/reply - measure transit delay
ICMP
Basic Security Problems
u Network packets pass by untrusted hosts• Eavesdropping, packet sniffing
u IP addresses are public• Smurf
u TCP connection requires state• SYN flooding attack
u TCP state easy to guess• TCP spoofing attack
5
Packet Sniffing
u Promiscuous NIC reads all packets• Read all unencrypted data• ftp, telnet send passwords in clear!
Sweet Hall attack installed sniffer on local machine
Alice Bob
Eve
Network
Smurf Attack
u Choose victim• Flood victim with packets from many sources
u Generate ping stream (ICMP Echo Req)• Network broadcast address with a spoofed source
IP set to a victim host
u Wait for responses• Every host on target network will generate a ping
reply (ICMP Echo Reply) to victim• Ping reply stream can overload victim
TCP Handshake
C S
SYNC
SYNS, ACKC
ACKS
Listening
Store data
Wait
Connected
SYN Flooding
C S
SYNC1 Listening
Store dataSYNC2
SYNC3
SYNC4
SYNC5
6
SYN Flooding
u Attacker sends many connection requests• Spoofed source addresses
u Victim allocates resources for each request• Connection requests exist until timeout• Fixed bound on half-open connections
u Resources exhausted fi requests rejected
TCP Connection Spoofing
u Each TCP connection has an associated state• Sequence number, port number
u Problem• Easy to guess state
– Port numbers are standard– Sequence numbers often chosen in predictable way
IP Spoofing Attack
u A, B trusted connection• Send packets with
predictable seq numbers
u E impersonates B to A• Opens connection to A to get
initial seq number• SYN-floods B’s queue• Sends packets to A that
resemble B’s transmission• E cannot receive, but may
execute commands on A
A
B
E
Attack can be blocked if E is outside firewall.
TCP Congestion Control
u If packets are lost, assume congestion• Reduce transmission rate by half, repeat• If loss stops, increase rate very slowly
Design assumes routers blindly obey this policy
Source
Destination
7
Competition
u Amiable Alice yields to boisterous Bob• Alice and Bob both experience packet loss• Alice backs off• Bob disobeys protocol, gets better results
Source A
Source B
Destination
Destination
TCP Attack on Congestion Control
u Misbehaving receiver can trick sender intoignoring congestion control• Receiver: duplicate ACK indicates gap
– Packets within seq number range assumed lost– Sender executes fast retransmit algorithm
• Malicious receiver can– Send duplicate ACK– ACK before data is received
• needs some application level retransmission – e.g.HTTP 1.1 range requests … See RFC 2581
• Solutions– Add nonces – ACKs return nonce to prove reception
See: Savage et al., TCP Congestion Control with a Misbehaving Receiver
ICMP
u Reports errors and other conditions fromnetwork to hosts
u Hosts take actions to respond to erroru Problem
• An entity can easily forge a variety of ICMP errormessages
– Redirect – informs end-hosts that it should be usingdifferent first hop route
– Fragmentation – can confuse path MTU discovery– Destination unreachable – can cause transport
connections to be dropped
Prevention
u Eavesdropping• Encryption, improved routing (Next lecture: IPSEC)
u Smurf• Turn off ping? Authenticated IP addresses?
u SYN Flooding• Cookies• Random deletion
u IP spoofing• Use less predictable sequence numbers
8
Protection against SYN Attacks
u Client sends SYNu Server responds to Client with SYN-ACK cookie
• sqn = f(src addr, src port, dest addr, dest port, rand)• Server does not save state
u Honest client responds with ACK(sqn)u Server checks response
• If matches SYN-ACK, establishes connection
[Bernstein, Schenk]Random Deletion
u If queue is full, delete random entry• Legitimate connections have chance to complete• Fake addresses eventually deleted Easy to implement, some improvement
171.64.82.03
232.61.28.05
168.44.14.21
121.49.16.22
132.24.14.28
SYNCHalf-open sessions
TCP Sequence Numbers
u Need high degree of unpredictability• If attacker knows TCP/IP initial sequence number
and amount of traffic sent,• Then attacker may know set of likely values• Can send a flood of packets with likely sequence
numbers; one correct packet will be accepted• The larger the available bandwidth, the larger the
possible guess
Status of sequence generators
u Reported to be safe from practical attacks• Cisco IOS, OpenBSD 2.8-current, FreeBSD 4.3-
RELEASE, AIX, HP/UX 11i, Linux Kernels after 1996• Solaris 2.6 if strong initial sequence numbers has
been turned on.– Set TCP_STRONG_ISS to 2 in /etc/default/inetinit.
• HP/UX version 11.00 by applying TRANSPORTpatch PHNE_22397
• IRIX 6.5.3 and above by using the tcpiss_md5tunable kernel parameter, which by default is off
9
Cryptographic protection
u Solutions above the transport layer• Examples: SSL and SSH• Protect against session hijacking and injected data• Do not protect against denial-of-service attacks
caused by spoofed packets
u Solutions at network layer• IPSec• Can protect against
– session hijacking and injection of data– denial-of-service attacks using session resets
Routing Vulnerabilities
u Source routing attack• Can direct response through compromised host
u Routing Information Protocol (RIP)• Direct client traffic through compromised host
u Exterior gateway protocols• Advertise false routes• Send traffic through compromised hosts
Source Routing Attacks
u Attack• Destination host may use reverse of source route
provided in TCP open request to return traffic– Modify the source address of a packet– Route traffic through machine controlled by attacker
u Defenses• Gateway rejects external packets claiming to be local• Reject pre-authorized connections if source routing
info present• Only accept source route if trusted gateways listed
in source routing info
Routing Table Update Protocols
u Interior Gateway Protocols: IGPs• distance vector type - each gateway keeps track of
its distance to all destinations– Gateway-to-Gateway: GGP– Routing Information Protocol: RIP
u Exterior Gateway Protocol: EGP• used for communication between different
autonomous systems
10
Routing Information Protocol (RIP)
u Attack• Intruder sends bogus routing information to a
target and each of the gateways along the route– Impersonates an unused host
• Diverts traffic for that host to the intruder’s machine– Impersonates a used host
• All traffic to that host routed to the intruder’smachine
• Intruder inspects packets & resends to host w/source routing
• Allows capturing of unencrypted passwords, data, etc
Routing Information Protocol (RIP)
u Defense• Paranoid gateway
– Filters packets based on source and/or destinationaddresses
• Don’t accept new routes to local networks– Interferes with fault-tolerance but detects intrusion
attempts
• Authenticate RIP packets– Difficult in a broadcast protocol– Only allows for authentication of prior sender
Interdomain Routing
connected group of one ormore Internet Protocolprefixes under a singlerouting policy (aka domain)
InteriorGatewayProtocol
ExteriorGatewayProtocol
AutonomousSystem
earthlink.net Stanford.edu
11
Transit and Peering
Transit: ISP sells access
Peering: reciprocal connectivity
BGP protocol: routing announcements for both
Peering Peering
Transit
BGP overview
u Iterative path announcement• Path announcements grow from destination to
source• Subject to policy (transit, peering)• Packets flow in reverse direction
u Protocol specification• Announcements can be shortest path• Nodes allowed to use other policies
– E.g., “cold-potato routing” by smaller peer
• Not obligated to use path you announce
BGP example [D. Wetherall]
u Transit: 2 provides transit for 7• 7 reaches and is reached via 2
u Peering: 4 and 5 peer• exchange customer traffic
3 4
6 57
1
8 2
77
2 7
2 7
2 7
3 2 7
6 2 7
2 6 52 6 5
2 6 5
3 2 6 5
7 2 6 56 5
5
5
4
43 4
6 2 3 4
7 2 3 4
2 3 4
2 3 42 3 4
Issues
u BGP convergence problems• Protocol allows policy flexibility• Some legal policies prevent convergence• Even shortest-path policy converges slowly
u Incentive for dishonesty• ISP pays for some routes, others free
u Security problems• Potential for disruptive attacks
12
The BGP Security Problem
u BGP is critical for interdomain routing• Benign configuration errors wreak havoc• Highly vulnerable to human errors, attacks
u Little authentication, integrity• At best, BGP uses point-to-point keyed MAC, with
no automated key management
Attack Model
u BGP can be attacked in various ways• Eavesdrop communication links between routers• Tamper with BGP software• Tamper with router management data en route• Tamper with router management servers
u Countermeasures add new concerns• Compromise of secret/private keying material in
the routers or in the management infrastructure
BGP Security Requirements [Kent]
u Verification of address space “ownership”u Authentication of Autonomous Systems (AS)u Router authentication and authorization
(relative to an AS)u Route and address advertisement
authorizationu Route withdrawal authorizationu Integrity and authenticity of all BGP traffic
on the wireu Timeliness of BGP traffic
Domain Name System
u Hierarchical Name Space
root
edunetorg ukcom ca
wisc ucb stanford cmu mit
cs ece
www
DNS
13
DNS Root Name Servers
u Root name serversu Local name servers
contact root serverswhen they cannotresolve a name
DNS Lookup Example
ClientLocal
DNS server
root & edu DNS server
stanford.edu DNS server
www.cs.stanford.edu
NS stanford.eduwww.cs.stanford.edu
NS cs.stanford.edu
www=IPaddrcs.stanford.edu
DNS server
Caching
u DNS responses are cached• Quick response for repeated translations• Other queries may reuse some parts of lookup
– NS records for domains
u DNS negative queries are cached• Don’t have to repeat past mistakes• E.g. misspellings, search strings in resolv.conf
u Cached data periodically times out• Lifetime (TTL) of data controlled by owner of data• TTL passed with every record
Subsequent Lookup Example
ClientLocal
DNS server
root & edu DNS server
stanford.edu DNS server
cs.stanford.eduDNS server
ftp.cs.stanford.edu
ftp=IPaddr
ftp.cs. stanford.edu
14
DNS Implementation Vulnerabilities
u Reverse query buffer overrun in BIND• gain root access• abort DNS service
u MS DNS for NT 4.0• crashes on certain input
Inherent DNS Vulnerabilities
u Users/hosts typically trust the host-addressmapping provided by DNS
u Problems• Zone transfers can provide list of target hosts• Forge messages by intercepting requests or
compromising of DNS servers
Solution – authenticated requests/responses
Bellovin/Mockapetris Attack
u Trust relationships use symbolic addresses• /etc/hosts.equiv contains friend.stanford.edu
u Requests come with numeric source address• Use reverse DNS to find symbolic name• Decide access based on /etc/hosts.equiv, …
u Attack• Spoof reverse DNS to make host trust attacker
Reverse DNS
u Given numeric IP address, find symbolic addr
u To find 222.33.44.3,• Query 44.33.222.in-addr.arpa• Get list of symbolic addresses, e.g.,
1 IN PTR server.small.com2 IN PTR boss.small.com3 IN PTR ws1.small.com4 IN PTR ws2.small.com
15
Attack
u Gain control of DNS service for domainu Select target machine in domainu Find trust relationships
• SNMP, finger can help find active sessions, etc.• Example: target trusts host1
u Connect• Attempt rlogin from compromised machine• Target contacts reverse DNS server with IP addr• Use modified reverse DNS to say addr is host1• Target allows rlogin
Defenses against this attack
u Double-check reverse DNS• Modify rlogind, rshd to query DNS server• See if symbolic addr maps to numeric addr
u Use another service besides DNS• Network Information Service (NIS, or YP)• Only works if attacker cannot control NIS …
u Authenticate entries in DNS tables• Relies on some form of PKI?• Next lecture …