updates

content/CSE4303/CSE4303_L4.md

@@ -24,4 +24,119 @@ Connection-oriented, preserves order
    - Enables spoofing and session hijacking
 3. Denial of Service (DoS) vulnerabilities
 
+#### TCP SYN Flood I: low rate (DoS Bug)
 
+Low rate SYN flood defenses
+
+Correct Solution:
+
+Syncookies: remove state from server
+
+Small performance overhead
+
+Hijacking Existing TCP connection
+
+- A, B trusted connection
+ - Send packets with predictable seq numbers
+
+- E impersonates B to A
+- DoS B’s queue
+- Sends packets to A that
+resemble B’s transmission
+  - E cannot receive, but may
+execute commands on A
+
+## Routing Security
+
+Routing Protocols
+
+- ARP (addr resolution protocol): IP addr ⟶ eth addr
+Security issues: (local network attacks)
+  - Node A can confuse gateway into sending it traffic for Node B
+  - By proxying traffic, node A can read/inject packets
+into B’s session (e.g. WiFi networks)
+- OSPF: used for routing within an AS
+- BGP: routing between Autonomous Systems
+Security issues: unauthenticated route updates
+  - Anyone can cause entire Internet to send traffic
+for a victim IP to attacker’s address
+- Example: Youtube-Pakistan mishap (see DDoS lecture)
+  - Anyone can hijack route to victim
+
+### Security Issues
+
+- BGP path attestations are un-authenticated
+  - Anyone can inject advertisements for arbitrary routes
+  - Advertisement will propagate everywhere
+  - Used for DoS, spam, and eavesdropping (details in DDoS lecture)
+  - Often a result of human error
+
+Solutions:
+
+- RPKI: AS obtains a certificate (ROA) from regional authority (RIR) and attaches ROA to path advertisement.
+Advertisements without a valid ROA are ignored. Defends against a malicious AS
+- SBGP: sign every hop of a path advertisement
+
+### Domain Name System
+
+DNS Root Name Servers
+
+- Hierarchical service
+  - Root name servers for toplevel domains
+  - Authoritative name servers
+for subdomains
+  - Local name resolvers contact
+authoritative servers when
+they do not know a name
+
+#### DNS Lookup Example
+
+#### Caching
+
+- DNS responses are cached
+  - Quick response for repeated translations
+  - Note: NS records for domains also cached
+- DNS negative queries are cached
+  - Save time for nonexistent sites, e.g. misspelling
+- Cached data periodically times out
+  - Lifetime (TTL) of data controlled by owner of data
+  - TTL passed with every record
+
+DNS Packet
+
+- Query ID:
+  - 16 bit random value
+  - Links response to query
+
+#### Basic DNS Vulnerabilities
+
+- Users/hosts trust the host-address mapping
+provided by DNS:
+  - Used as basis for many security policies:
+Browser same origin policy, URL address bar
+- Obvious problems
+  - Interception of requests or compromise of DNS servers can
+result in incorrect or malicious responses
+- e.g.: malicious access point in a Cafe
+  - Solution   - authenticated requests/responses
+- Provided by DNSsec … but few use DNSsec
+
+### DNS cache poisoning (a la Kaminsky’08)
+
+![DNS_cache_poisoning.png](https://notenextra.trance-0.com/CSE4303/DNS_cache_poisoning.png)
+
+#### DNS poisoning attacks in the wild
+
+- January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.
+- In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy
+- In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops"
+
+### Summary
+
+- Core protocols not designed for security
+  - Eavesdropping, Packet injection, Route stealing, DNS poisoning
+  - Patched over time to prevent basic attacks
+- More secure variants exist :
+  - IP $\to$ IPsec
+  - DNS $\to$ DNSsec
+  - BGP $\to$ sBGPs