Date post: 07-Feb-2018


Network Protocols and Vulnerabilities

John Mitchell

Outline

◆ Basic Networking (FMU)
◆ Network attacks
  • Attack host networking protocols
    – SYN flooding, TCP Spoofing, …
  • Attack network infrastructure
    – Routing
    – Domain Name System

This lecture is about the way things work now and how they are not perfect. Next lecture – some security improvements (still not perfect).

[Figure: backbone connecting ISPs]

Internet Infrastructure

◆ Local and interdomain routing
  • TCP/IP for routing, connections
  • BGP for routing announcements
◆ Domain Name System
  • Find IP address

TCP Protocol Stack

[Figure: two end hosts, each with Application, Transport, Network and Link layers. Peer layers talk via the application protocol, the TCP protocol, the IP protocol and the data link; an intermediate node (network access) has only IP and data link layers.]


Data Formats

[Figure: encapsulation through the stack. An application message (data) is split into TCP segments (TCP header + data) at the transport layer (TCP, UDP); each segment becomes an IP packet (IP header + TCP header + data) at the network layer (IP); each packet becomes a frame (Link (Ethernet) header + IP + TCP + data + Link (Ethernet) trailer) at the link layer. Unit names: message, segment, packet, frame.]

Internet Protocol

◆ Connectionless
  • Unreliable
  • Best effort
◆ Transfer datagram
  • Header
  • Data

[Figure: IP header fields – Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address of Originating Host, Destination Address of Target Host, Options, Padding, followed by IP Data]

IP Routing

◆ Internet routing uses numeric IP address
◆ Typical route uses several hops

[Figure: packet from Meg (121.42.33.12) to Tom (132.14.11.51) travels via the office gateway 121.42.33.1, an ISP, and the gateway 132.14.11.1; the packet carries Source, Destination and Sequence fields]

Two-level Address Hierarchy

◆ Addresses divided into two parts
  • First: the domain (network) of the host
  • Second: address of host within domain

[Figure: IP Address = Network Number (Prefix) | Host Number]

Three different address formats: Class A, Class B, Class C (not important for this course)


Simple Routing Example

[Figure: routers A, B and C joined by Link1 (l1) and Link2 (l2), serving hosts 171.64.78.56, 171.66.191.22 and 171.64.82.12; A's routing table lists neighbour b via l1 and neighbour c via l2]

Routing table tells how to get to subnet (not individual host)

IP Protocol Functions (Summary)

◆ Routing
  • IP host knows location of router (gateway)
  • IP gateway must know route to other networks
◆ Error reporting
  • IP reports discards to source
◆ Fragmentation and reassembly
  • If packets smaller than the user data

User Datagram Protocol

◆ IP provides routing
  • IP address gets datagram to a specific machine
◆ UDP separates traffic by port
  • Destination port number gets UDP datagram to particular application process, e.g., 128.3.23.3, 53
  • Source port number provides return address
◆ Minimal guarantees (… mice and elephants)
  • No acknowledgment
  • No flow control
  • No message continuation

Transmission Control Protocol

◆ Connection-oriented, preserves order
  • Sender
    – Break data into packets
    – Attach packet numbers
  • Receiver
    – Acknowledge receipt; lost packets are resent
    – Reassemble packets in correct order

[Figure: book analogy – mail each numbered page separately, receiver reassembles the book in order]

File Transfer Protocol

◆ FTP uses TCP to transfer files
◆ Steps in FTP
  • Login connection
    – User connects to remote computer
    – Specifies name and password
  • Data transfer
    – Specify file names to send or receive
    – Can also ask for list of file names, other functions

Simple Mail Transfer Protocol

◆ Protocol for transferring mail on Internet
◆ Three associated standards
  • Protocol used to send mail using TCP
    – HELO, EHLO, … messages
  • Format for mail messages
    – Set of header fields and their interpretation
      To: <address>  From: <address>
    – Methods for including data other than plain text
  • Routing mail using the Domain Name System

Internet Control Message Protocol

◆ Provides feedback about network operation
  • Error reporting
  • Reachability testing
  • Congestion Control
◆ Example message types
  • Destination unreachable
  • Time exceeded
  • Parameter problem
  • Redirect to better gateway
  • Echo/echo reply - reachability test
  • Timestamp request/reply - measure transit delay

Basic Security Problems

◆ Network packets pass by untrusted hosts
  • Eavesdropping, packet sniffing
◆ IP addresses are public
  • Smurf
◆ TCP connection requires state
  • SYN flooding attack
◆ TCP state easy to guess
  • TCP spoofing attack


Packet Sniffing

◆ Promiscuous NIC reads all packets
  • Read all unencrypted data
  • ftp, telnet send passwords in clear!

Sweet Hall attack installed sniffer on local machine

[Figure: Alice and Bob communicate across the network while Eve reads the traffic]

Smurf Attack

◆ Choose victim
  • Flood victim with packets from many sources
◆ Generate ping stream (ICMP Echo Req)
  • Network broadcast address with a spoofed source IP set to a victim host
◆ Wait for responses
  • Every host on target network will generate a ping reply (ICMP Echo Reply) to victim
  • Ping reply stream can overload victim

TCP Handshake

[Figure: client C and server S. S is Listening. C → S: SYN_C. S → C: SYN_S, ACK_C; S stores data and waits. C → S: ACK_S; Connected.]

SYN Flooding

[Figure: client C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5, … to the listening server S, which stores data for every half-open connection]


SYN Flooding

◆ Attacker sends many connection requests
  • Spoofed source addresses
◆ Victim allocates resources for each request
  • Connection requests exist until timeout
  • Fixed bound on half-open connections
◆ Resources exhausted ⇒ requests rejected

TCP Connection Spoofing

◆ Each TCP connection has an associated state
  • Sequence number, port number
◆ Problem
  • Easy to guess state
    – Port numbers are standard
    – Sequence numbers often chosen in predictable way

IP Spoofing Attack

◆ A, B trusted connection
  • Send packets with predictable seq numbers
◆ E impersonates B to A
  • Opens connection to A to get initial seq number
  • SYN-floods B’s queue
  • Sends packets to A that resemble B’s transmission
  • E cannot receive, but may execute commands on A

[Figure: hosts A and B, attacker E]

Attack can be blocked if E is outside firewall.

TCP Congestion Control

◆ If packets are lost, assume congestion
  • Reduce transmission rate by half, repeat
  • If loss stops, increase rate very slowly

Design assumes routers blindly obey this policy

[Figure: flow from Source to Destination]


Competition

◆ Amiable Alice yields to boisterous Bob
  • Alice and Bob both experience packet loss
  • Alice backs off
  • Bob disobeys protocol, gets better results

[Figure: Source A and Source B share a bottleneck on the way to their destinations]

TCP Attack on Congestion Control

◆ Misbehaving receiver can trick sender into ignoring congestion control
  • Receiver: duplicate ACK indicates gap
    – Packets within seq number range assumed lost
    – Sender executes fast retransmit algorithm
  • Malicious receiver can
    – Send duplicate ACK
    – ACK before data is received
      • needs some application level retransmission – e.g. HTTP 1.1 range requests … See RFC 2581
  • Solutions
    – Add nonces – ACKs return nonce to prove reception

See: Savage et al., TCP Congestion Control with a Misbehaving Receiver
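The nonce solution on the slide, simulated as an added example (not code from the lecture or from Savage et al.): the sender tags each segment with a random nonce and only honours an ACK that echoes the cumulative nonce sum, so a receiver that ACKs data it has not yet received cannot produce a valid ACK. Segment sizes, the 32-bit nonce width and the sum-of-nonces check are assumptions for the example.

```python
import random


def make_segments(nbytes, mss, rng):
    """Sender side: split nbytes of data into segments of at most mss bytes,
    each tagged with a random 32-bit nonce the receiver cannot predict."""
    segs = []
    for start in range(0, nbytes, mss):
        end = min(start + mss, nbytes)
        segs.append({"start": start, "end": end, "nonce": rng.getrandbits(32)})
    return segs


class NonceChecker:
    """Sender-side check: an ACK for byte n is honoured only if it echoes the
    sum of the nonces of every segment ending at or before n."""

    def __init__(self, segments):
        self.segments = segments

    def expected_sum(self, ack):
        return sum(s["nonce"] for s in self.segments if s["end"] <= ack) & 0xFFFFFFFF

    def ack_valid(self, ack, nonce_sum):
        return nonce_sum == self.expected_sum(ack)


def honest_ack(received):
    """Receiver that ACKs only contiguous data it holds, with the nonce sum."""
    ack, total = 0, 0
    for s in sorted(received, key=lambda s: s["start"]):
        if s["start"] != ack:
            break  # gap: the cumulative ACK stops at the first missing byte
        ack, total = s["end"], (total + s["nonce"]) & 0xFFFFFFFF
    return ack, total


def optimistic_ack(received, nbytes):
    """Misbehaving receiver: ACKs the whole transfer before it has arrived.
    It can only sum the nonces of the segments it has actually seen."""
    return nbytes, sum(s["nonce"] for s in received) & 0xFFFFFFFF


def scenario(seed=7):
    """Constructed run: 4000 bytes in 1000-byte segments, receiver holds two."""
    segs = make_segments(4000, 1000, random.Random(seed))
    checker = NonceChecker(segs)
    honest = checker.ack_valid(*honest_ack(segs[:2]))
    optimistic = checker.ack_valid(*optimistic_ack(segs[:2], 4000))
    return {"honest_accepted": honest, "optimistic_accepted": optimistic}
```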

ICMP

◆ Reports errors and other conditions from network to hosts
◆ Hosts take actions to respond to error
◆ Problem
  • An entity can easily forge a variety of ICMP error messages
    – Redirect – informs end-hosts that it should be using different first hop route
    – Fragmentation – can confuse path MTU discovery
    – Destination unreachable – can cause transport connections to be dropped

Prevention

◆ Eavesdropping
  • Encryption, improved routing (Next lecture: IPSEC)
◆ Smurf
  • Turn off ping? Authenticated IP addresses?
◆ SYN Flooding
  • Cookies
  • Random deletion
◆ IP spoofing
  • Use less predictable sequence numbers


Protection against SYN Attacks

◆ Client sends SYN
◆ Server responds to Client with SYN-ACK cookie
  • sqn = f(src addr, src port, dest addr, dest port, rand)
  • Server does not save state
◆ Honest client responds with ACK(sqn)
◆ Server checks response
  • If matches SYN-ACK, establishes connection

[Bernstein, Schenk]

Random Deletion

◆ If queue is full, delete random entry
  • Legitimate connections have chance to complete
  • Fake addresses eventually deleted

Easy to implement, some improvement

[Figure: SYN_C arriving at a full table of half-open sessions holding entries 171.64.82.03, 232.61.28.05, 168.44.14.21, 121.49.16.22, 132.24.14.28]
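The SYN-cookie handshake from the "Protection against SYN Attacks" slide, as an added example (not the lecture's or Bernstein's code). It assumes a keyed hash with a per-server secret in the role of the slide's rand, a 5-bit time counter in the top bits of the cookie, and constructed addresses; the server keeps no state between SYN and ACK.

```python
import hashlib
import hmac
import os

# Constructed server secret (assumption: a keyed hash with a per-server secret
# plays the role of "rand" in the slide's f); regenerated at every start-up.
SECRET = os.urandom(16)
T_BITS = 5  # assumption: top 5 bits of the cookie carry a coarse time counter


def syn_cookie(src_addr, src_port, dst_addr, dst_port, t):
    """Initial sequence number the server puts in its SYN-ACK: a keyed hash of
    the 4-tuple and time counter t. The server stores nothing per SYN, so a
    flood of spoofed SYNs costs one hash each and no half-open queue entry."""
    msg = f"{src_addr}:{src_port}>{dst_addr}:{dst_port}@{t}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    low = int.from_bytes(mac[:4], "big") & ((1 << (32 - T_BITS)) - 1)
    return ((t & ((1 << T_BITS) - 1)) << (32 - T_BITS)) | low


def check_ack(src_addr, src_port, dst_addr, dst_port, ack, now):
    """Third packet of the handshake: the client must ACK cookie + 1. The time
    counter is recovered from the cookie's top bits and only the current and
    previous values are tried, so a replayed or stale cookie is rejected."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t_low = cookie >> (32 - T_BITS)
    for t in (now, now - 1):
        if (t & ((1 << T_BITS) - 1)) == t_low and \
                syn_cookie(src_addr, src_port, dst_addr, dst_port, t) == cookie:
            return True  # matches the SYN-ACK we would have sent: connect
    return False


def handshake(now):
    """Constructed exchange on one 4-tuple: honest client, a forged ACK sent
    without seeing the SYN-ACK, and the honest ACK arriving two ticks late."""
    four = ("10.0.0.5", 40123, "171.64.1.1", 80)  # constructed addresses
    sqn = syn_cookie(*four, now)                   # SYN-ACK sent, no state kept
    return {
        "honest": check_ack(*four, (sqn + 1) & 0xFFFFFFFF, now),
        "forged": check_ack(*four, 0x12345678, now),
        "stale": check_ack(*four, (sqn + 1) & 0xFFFFFFFF, now + 2),
    }
```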
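The random-deletion slide above, simulated as an added example (my own code, not the lecture's): a bounded half-open table is filled by spoofed SYNs, an honest SYN arrives, more spoofed SYNs follow before the honest ACK, and the run measures how often the honest handshake still completes under the fixed-bound policy versus random deletion. Capacity, flood size and the absence of timeouts are assumptions.

```python
import random


class HalfOpenTable:
    """Server table of half-open connections (SYN seen, ACK pending) with a
    fixed bound. random_delete picks the policy when the table is full: reject
    the new SYN (fixed bound) or evict a random entry (random deletion)."""

    def __init__(self, capacity, random_delete, rng):
        self.capacity, self.random_delete, self.rng = capacity, random_delete, rng
        self.entries = []  # (source address, source port) of each half-open session

    def on_syn(self, key):
        if len(self.entries) >= self.capacity:
            if not self.random_delete:
                return False  # resources exhausted: request rejected
            self.entries.pop(self.rng.randrange(len(self.entries)))
        self.entries.append(key)
        return True

    def on_ack(self, key):
        if key in self.entries:  # handshake completes only if the entry survived
            self.entries.remove(key)
            return True
        return False


def legit_completion_rate(capacity, flood_per_rtt, trials, random_delete, seed=1):
    """Fraction of honest handshakes that complete when the table is already
    full of spoofed SYNs and flood_per_rtt more arrive before the honest ACK.
    Timeouts are ignored: the flood is assumed faster than the timeout."""
    rng, completed = random.Random(seed), 0
    for i in range(trials):
        table = HalfOpenTable(capacity, random_delete, rng)
        for j in range(capacity):
            table.on_syn(("spoofed", j))
        table.on_syn(("honest", i))
        for j in range(flood_per_rtt):
            table.on_syn(("flood", j))
        if table.on_ack(("honest", i)):
            completed += 1
    return completed / trials
```

With capacity 100 and 100 flood SYNs per round trip the honest entry survives each eviction with probability 99/100, so roughly (0.99)^100, about 37%, of honest handshakes complete under random deletion, against none under the fixed bound.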

TCP Sequence Numbers

◆ Need high degree of unpredictability
  • If attacker knows TCP/IP initial sequence number and amount of traffic sent,
  • Then attacker may know set of likely values
  • Can send a flood of packets with likely sequence numbers; one correct packet will be accepted
  • The larger the available bandwidth, the larger the possible guess

Status of sequence generators

◆ Reported to be safe from practical attacks
  • Cisco IOS, OpenBSD 2.8-current, FreeBSD 4.3-RELEASE, AIX, HP/UX 11i, Linux Kernels after 1996
  • Solaris 2.6 if strong initial sequence numbers has been turned on.
    – Set TCP_STRONG_ISS to 2 in /etc/default/inetinit.
  • HP/UX version 11.00 by applying TRANSPORT patch PHNE_22397
  • IRIX 6.5.3 and above by using the tcpiss_md5 tunable kernel parameter, which by default is off


Cryptographic protection

◆ Solutions above the transport layer
  • Examples: SSL and SSH
  • Protect against session hijacking and injected data
  • Do not protect against denial-of-service attacks caused by spoofed packets
◆ Solutions at network layer
  • IPSec
  • Can protect against
    – session hijacking and injection of data
    – denial-of-service attacks using session resets

Routing Vulnerabilities

◆ Source routing attack
  • Can direct response through compromised host
◆ Routing Information Protocol (RIP)
  • Direct client traffic through compromised host
◆ Exterior gateway protocols
  • Advertise false routes
  • Send traffic through compromised hosts

Source Routing Attacks

◆ Attack
  • Destination host may use reverse of source route provided in TCP open request to return traffic
    – Modify the source address of a packet
    – Route traffic through machine controlled by attacker
◆ Defenses
  • Gateway rejects external packets claiming to be local
  • Reject pre-authorized connections if source routing info present
  • Only accept source route if trusted gateways listed in source routing info

Routing Table Update Protocols

◆ Interior Gateway Protocols: IGPs
  • distance vector type - each gateway keeps track of its distance to all destinations
    – Gateway-to-Gateway: GGP
    – Routing Information Protocol: RIP
◆ Exterior Gateway Protocol: EGP
  • used for communication between different autonomous systems


Routing Information Protocol (RIP)

◆ Attack
  • Intruder sends bogus routing information to a target and each of the gateways along the route
    – Impersonates an unused host
      • Diverts traffic for that host to the intruder’s machine
    – Impersonates a used host
      • All traffic to that host routed to the intruder’s machine
      • Intruder inspects packets & resends to host w/ source routing
      • Allows capturing of unencrypted passwords, data, etc

Routing Information Protocol (RIP)

◆ Defense
  • Paranoid gateway
    – Filters packets based on source and/or destination addresses
  • Don’t accept new routes to local networks
    – Interferes with fault-tolerance but detects intrusion attempts
  • Authenticate RIP packets
    – Difficult in a broadcast protocol
    – Only allows for authentication of prior sender

Interdomain Routing

[Figure: an Autonomous System is a connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain); an Interior Gateway Protocol runs inside each AS and an Exterior Gateway Protocol runs between ASes, e.g., earthlink.net and Stanford.edu]


Transit and Peering

Transit: ISP sells access

Peering: reciprocal connectivity

BGP protocol: routing announcements for both

[Figure: peering links between ISPs, and a transit link from an ISP to its customer]

BGP overview

◆ Iterative path announcement
  • Path announcements grow from destination to source
  • Subject to policy (transit, peering)
  • Packets flow in reverse direction
◆ Protocol specification
  • Announcements can be shortest path
  • Nodes allowed to use other policies
    – E.g., “cold-potato routing” by smaller peer
  • Not obligated to use path you announce

BGP example [D. Wetherall]

◆ Transit: 2 provides transit for 7
  • 7 reaches and is reached via 2
◆ Peering: 4 and 5 peer
  • exchange customer traffic

[Figure: eight ASes numbered 1 to 8. Path announcements for destination 7 grow hop by hop: 7, then "2 7", then "3 2 7" and "6 2 7". For destination 5: "6 5", then "2 6 5", then "3 2 6 5" and "7 2 6 5". For destination 4: "3 4", then "2 3 4", then "6 2 3 4" and "7 2 3 4".]
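The iterative, policy-driven path announcement from the two BGP slides above, as an added example (my own simulation, not code from the lecture or from Wetherall's figure). The topology is a constructed assumption loosely following the figure: 7, 3 and 6 buy transit from 2, 4 from 3, 5 from 6, and 4 peers with 5. Each AS prepends itself to the announced path, drops paths that already contain it, prefers customer over peer over provider routes, and exports peer and provider routes only to its customers, which is what makes transit worth paying for.

```python
from collections import deque

# Constructed topology, an assumption loosely following the slide's figure:
# (provider, customer) pairs are transit relationships; peer pairs exchange
# customer routes only. AS 7, 3 and 6 buy transit from 2; 4 from 3; 5 from 6.
TRANSIT = [(2, 7), (2, 3), (2, 6), (3, 4), (6, 5)]
PEERING = [(4, 5)]
PREF = {"customer": 0, "peer": 1, "provider": 2}  # route preference order


def relations():
    """rel[a][b] = how AS a sees neighbour b: customer, peer or provider."""
    rel = {}
    for p, c in TRANSIT:
        rel.setdefault(p, {})[c] = "customer"
        rel.setdefault(c, {})[p] = "provider"
    for a, b in PEERING:
        rel.setdefault(a, {})[b] = "peer"
        rel.setdefault(b, {})[a] = "peer"
    return rel


def converge(dest):
    """Grow path announcements for dest outward from the destination and return
    the AS path each AS announces, e.g. {2: [2, 7], 3: [3, 2, 7], ...}."""
    rel = relations()
    best = {dest: ("customer", [dest])}  # the origin exports its own prefix to all
    queue = deque([dest])
    while queue:
        sender = queue.popleft()
        learned_from, path = best[sender]
        for nbr, nbr_rel in rel[sender].items():
            # Export policy: routes learned from customers go to everyone;
            # routes learned from peers or providers go only to customers.
            if learned_from != "customer" and nbr_rel != "customer":
                continue
            if nbr in path:  # AS-path loop detection
                continue
            how = rel[nbr][sender]
            cand = (how, [nbr] + path)
            cur = best.get(nbr)
            # Prefer customer over peer over provider routes, then shortest path.
            if cur is None or (PREF[how], len(cand[1])) < (PREF[cur[0]], len(cur[1])):
                best[nbr] = cand
                queue.append(nbr)
    return {asn: path for asn, (_, path) in best.items()}
```

Destination 5 shows the peering rule: 4 reaches 5 directly over the peering link, but 3 (4's provider) never hears that route from 4 and must go "3 2 6 5" through transit, as in the figure.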

Issues

◆ BGP convergence problems
  • Protocol allows policy flexibility
  • Some legal policies prevent convergence
  • Even shortest-path policy converges slowly
◆ Incentive for dishonesty
  • ISP pays for some routes, others free
◆ Security problems
  • Potential for disruptive attacks


The BGP Security Problem

◆ BGP is critical for interdomain routing
  • Benign configuration errors wreak havoc
  • Highly vulnerable to human errors, attacks
◆ Little authentication, integrity
  • At best, BGP uses point-to-point keyed MAC, with no automated key management

Attack Model

◆ BGP can be attacked in various ways
  • Eavesdrop communication links between routers
  • Tamper with BGP software
  • Tamper with router management data en route
  • Tamper with router management servers
◆ Countermeasures add new concerns
  • Compromise of secret/private keying material in the routers or in the management infrastructure

BGP Security Requirements [Kent]

◆ Verification of address space “ownership”
◆ Authentication of Autonomous Systems (AS)
◆ Router authentication and authorization (relative to an AS)
◆ Route and address advertisement authorization
◆ Route withdrawal authorization
◆ Integrity and authenticity of all BGP traffic on the wire
◆ Timeliness of BGP traffic

Domain Name System

◆ Hierarchical Name Space

[Figure: DNS tree – root; top-level domains edu, net, org, uk, com, ca; under edu: wisc, ucb, stanford, cmu, mit; under stanford: cs, ece; under cs: www]


DNS Root Name Servers

◆ Root name servers
◆ Local name servers contact root servers when they cannot resolve a name

DNS Lookup Example

[Figure: the client asks its local DNS server for www.cs.stanford.edu; the local server asks the root & edu DNS server, which refers it with NS stanford.edu; the stanford.edu DNS server refers it with NS cs.stanford.edu; the cs.stanford.edu DNS server answers www=IPaddr]

Caching

◆ DNS responses are cached
  • Quick response for repeated translations
  • Other queries may reuse some parts of lookup
    – NS records for domains
◆ DNS negative queries are cached
  • Don’t have to repeat past mistakes
  • E.g. misspellings, search strings in resolv.conf
◆ Cached data periodically times out
  • Lifetime (TTL) of data controlled by owner of data
  • TTL passed with every record

Subsequent Lookup Example

[Figure: the client asks its local DNS server for ftp.cs.stanford.edu; using the cached NS record, the local server skips the root & edu and stanford.edu servers and asks the cs.stanford.edu DNS server directly, which answers ftp=IPaddr]


DNS Implementation Vulnerabilities

◆ Reverse query buffer overrun in BIND
  • gain root access
  • abort DNS service
◆ MS DNS for NT 4.0
  • crashes on certain input

Inherent DNS Vulnerabilities

◆ Users/hosts typically trust the host-address mapping provided by DNS
◆ Problems
  • Zone transfers can provide list of target hosts
  • Forge messages by intercepting requests or compromising of DNS servers

Solution – authenticated requests/responses

Bellovin/Mockapetris Attack

◆ Trust relationships use symbolic addresses
  • /etc/hosts.equiv contains friend.stanford.edu
◆ Requests come with numeric source address
  • Use reverse DNS to find symbolic name
  • Decide access based on /etc/hosts.equiv, …
◆ Attack
  • Spoof reverse DNS to make host trust attacker

Reverse DNS

◆ Given numeric IP address, find symbolic addr
◆ To find 222.33.44.3,
  • Query 44.33.222.in-addr.arpa
  • Get list of symbolic addresses, e.g.,
      1 IN PTR server.small.com
      2 IN PTR boss.small.com
      3 IN PTR ws1.small.com
      4 IN PTR ws2.small.com


Attack

◆ Gain control of DNS service for domain
◆ Select target machine in domain
◆ Find trust relationships
  • SNMP, finger can help find active sessions, etc.
  • Example: target trusts host1
◆ Connect
  • Attempt rlogin from compromised machine
  • Target contacts reverse DNS server with IP addr
  • Use modified reverse DNS to say addr is host1
  • Target allows rlogin

Defenses against this attack

◆ Double-check reverse DNS
  • Modify rlogind, rshd to query DNS server
  • See if symbolic addr maps to numeric addr
◆ Use another service besides DNS
  • Network Information Service (NIS, or YP)
  • Only works if attacker cannot control NIS …
◆ Authenticate entries in DNS tables
  • Relies on some form of PKI?
  • Next lecture …
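The first defense above, the double-check of reverse DNS, as an added example (my own code, not the lecture's or any rlogind's): after the PTR lookup, the modified daemon looks up the A record of the returned name and accepts it only if it maps back to the connecting address. The zone tables, the address 222.33.44.9 as the attacker's machine and 171.64.0.7 as the real friend.stanford.edu are constructed for the example; the attacker is assumed to control the reverse zone but not the stanford.edu forward zone.

```python
import ipaddress

# Constructed zone data, not from the slides. The attacker controls the reverse
# zone for 222.33.44.0/24 (and plants a PTR naming a trusted host) but cannot
# change the forward zone for stanford.edu.
PTR_RECORDS = {
    "3.44.33.222.in-addr.arpa": ["ws1.small.com"],
    "9.44.33.222.in-addr.arpa": ["friend.stanford.edu"],  # spoofed PTR record
    "7.0.64.171.in-addr.arpa": ["friend.stanford.edu"],   # genuine (constructed)
}
A_RECORDS = {
    "ws1.small.com": ["222.33.44.3"],
    "friend.stanford.edu": ["171.64.0.7"],
}
HOSTS_EQUIV = {"friend.stanford.edu"}  # contents of /etc/hosts.equiv


def reverse_name(ip):
    """Map a dotted IPv4 address such as 222.33.44.3 to 3.44.33.222.in-addr.arpa."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def ptr_names(ip):
    """Symbolic names the reverse DNS returns for ip (lookup in the table above)."""
    return PTR_RECORDS.get(reverse_name(ip), [])


def confirmed_names(ip):
    """Only names whose forward lookup (A record) maps back to ip."""
    return [n for n in ptr_names(ip) if ip in A_RECORDS.get(n, [])]


def naive_rlogin_allowed(ip):
    """rlogind as attacked on the slides: trusts whatever reverse DNS says."""
    return any(n in HOSTS_EQUIV for n in ptr_names(ip))


def checked_rlogin_allowed(ip):
    """Modified rlogind: the symbolic address must map back to the numeric one."""
    return any(n in HOSTS_EQUIV for n in confirmed_names(ip))
```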

