# CSE4303 Introduction to Computer Security (Lecture 4)

## Network attacks

### Examining the transport layer

#### Transmission Control Protocol (TCP)

Connection-oriented, preserves order.

- Sender
  - Break data into packets
  - Attach packet numbers
- Receiver
  - Acknowledge receipt; lost packets are resent
  - Reassemble packets in correct order

#### Security Problems

1. Network packets pass by untrusted hosts
   - Eavesdropping, packet sniffing
   - Especially easy when the attacker controls a machine close to the victim (e.g. WiFi routers)
2. TCP state is easily obtained by eavesdropping
   - Enables spoofing and session hijacking
3. Denial of Service (DoS) vulnerabilities

#### TCP SYN Flood I: low rate (DoS Bug)

Low-rate SYN flood defenses:

- Correct solution: SYN cookies, which remove the half-open connection state from the server
- Small performance overhead

#### Hijacking an Existing TCP Connection

- A and B have a trusted connection
- Packets are sent with predictable sequence numbers
- E impersonates B to A:
  - DoS B's queue
  - Sends packets to A that resemble B's transmission
- E cannot receive, but may execute commands on A

## Routing Security

### Routing Protocols

- ARP (Address Resolution Protocol): IP addr ⟶ Ethernet addr
  - Security issues (local network attacks):
    - Node A can confuse the gateway into sending it traffic for Node B
    - By proxying traffic, node A can read/inject packets into B's session (e.g. WiFi networks)
- OSPF: used for routing within an AS
- BGP: routing between Autonomous Systems
  - Security issues: unauthenticated route updates
    - Anyone can cause the entire Internet to send traffic for a victim IP to the attacker's address
    - Example: YouTube-Pakistan mishap (see DDoS lecture)
    - Anyone can hijack the route to a victim

### Security Issues

- BGP path attestations are unauthenticated
- Anyone can inject advertisements for arbitrary routes
  - Advertisement will propagate everywhere
  - Used for DoS, spam, and eavesdropping (details in DDoS lecture)
- Often a result of human error

Solutions:

- RPKI: an AS obtains a certificate (ROA) from a regional authority (RIR) and attaches the ROA to the path advertisement. Advertisements without a valid ROA are ignored. Defends against a malicious AS.
- S-BGP: sign every hop of a path advertisement

### Domain Name System

#### DNS Root Name Servers

- Hierarchical service
  - Root name servers for top-level domains
  - Authoritative name servers for subdomains
  - Local name resolvers contact authoritative servers when they do not know a name

#### DNS Lookup Example

#### Caching

- DNS responses are cached
  - Quick response for repeated translations
  - Note: NS records for domains are also cached
- DNS negative queries are cached
  - Save time for nonexistent sites, e.g. misspellings
- Cached data periodically times out
  - Lifetime (TTL) of data is controlled by the owner of the data
  - TTL is passed with every record

#### DNS Packet

- Query ID:
  - 16-bit random value
  - Links response to query

#### Basic DNS Vulnerabilities

- Users/hosts trust the host-address mapping provided by DNS:
  - Used as the basis for many security policies: browser same-origin policy, URL address bar
- Obvious problems
  - Interception of requests or compromise of DNS servers can result in incorrect or malicious responses
  - e.g. a malicious access point in a cafe
- Solution: authenticated requests/responses
  - Provided by DNSSEC … but few use DNSSEC

### DNS cache poisoning (a la Kaminsky'08)

![DNS_cache_poisoning.png](https://notenextra.trance-0.com/CSE4303/DNS_cache_poisoning.png)

#### DNS poisoning attacks in the wild

- January 2005: the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.
- November 2004: Google and Amazon users were sent to Med Network Inc., an online pharmacy.
- March 2003: a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops".

### Summary

- Core protocols not designed for security
  - Eavesdropping, packet injection, route stealing, DNS poisoning
- Patched over time to prevent basic attacks
- More secure variants exist:
  - IP $\to$ IPsec
  - DNS $\to$ DNSSEC
  - BGP $\to$ S-BGP
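The SYN-cookie defense named in the TCP SYN flood section is easiest to understand from a minimal implementation. The block below is an added example, not code from the lecture: the server encodes everything it would otherwise keep in its half-open queue (a coarse timestamp, the client's MSS, and a keyed hash of the 4-tuple) into the initial sequence number of the SYN-ACK, and reconstructs it from the client's final ACK. The bit layout (5 bits of time, 3 bits of MSS index, 24 bits of HMAC) follows the spirit of Bernstein's and Linux's scheme but the widths, hash function and tick size are simplifications; `MSS_TABLE`, `COOKIE_WINDOW` and `SynCookieServer` are names chosen for this example. Because the hash is keyed with a server secret, the ISN is also unpredictable to an observer who does not hold the key, which is the same property the "predictable sequence numbers" hijacking scenario above relies on being absent.

```python
"""Simplified SYN cookie: a stateless alternative to the half-open queue.

Added illustration, not code from the lecture. Layout: 5 bits of coarse
time | 3 bits of MSS index | 24 bits of keyed hash. Real kernels differ in
field widths, hash and tick granularity (roughly a minute per tick).
"""
import hashlib
import hmac
import secrets

# MSS values the server is willing to reconstruct from the 3-bit index.
MSS_TABLE = [536, 1220, 1440, 1460]
# Cookies older than this many ticks are rejected as stale.
COOKIE_WINDOW = 2


class SynCookieServer:
    def __init__(self, key=None):
        # Per-server secret; without it a third party cannot mint a cookie
        # that verifies, even if it knows the full 4-tuple.
        self.key = key if key is not None else secrets.token_bytes(16)

    def _mac24(self, saddr, daddr, sport, dport, t):
        msg = f"{saddr}|{daddr}|{sport}|{dport}|{t}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:3]

    def make_cookie(self, saddr, daddr, sport, dport, mss, now_ticks):
        """ISN to place in the SYN-ACK. Nothing is stored on the server."""
        fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
        mss_idx = fits[-1] if fits else 0          # largest table value <= client MSS
        t = now_ticks & 0x1F                       # 5-bit time counter (mod 32)
        mac = int.from_bytes(self._mac24(saddr, daddr, sport, dport, t), "big")
        return (t << 27) | (mss_idx << 24) | mac

    def check_cookie(self, saddr, daddr, sport, dport, ack, now_ticks):
        """Validate the final ACK of the handshake.

        Returns the MSS to use when the cookie is genuine and recent,
        otherwise None (stale, forged, or minted for a different 4-tuple).
        """
        cookie = (ack - 1) & 0xFFFFFFFF            # client acks ISN + 1
        t = cookie >> 27
        mss_idx = (cookie >> 24) & 0x7
        mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
        if ((now_ticks - t) & 0x1F) > COOKIE_WINDOW:   # too old (wrap-around safe)
            return None
        if mss_idx >= len(MSS_TABLE):                  # index we never emit
            return None
        expected = self._mac24(saddr, daddr, sport, dport, t)
        if not hmac.compare_digest(mac, expected):     # forged or wrong tuple
            return None
        return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    srv = SynCookieServer()
    isn = srv.make_cookie("192.0.2.10", "192.0.2.1", 40000, 80, 1460, now_ticks=100)
    print("SYN-ACK ISN:", hex(isn))
    print("valid ACK  ->", srv.check_cookie("192.0.2.10", "192.0.2.1", 40000, 80, isn + 1, 100))
    print("stale ACK  ->", srv.check_cookie("192.0.2.10", "192.0.2.1", 40000, 80, isn + 1, 103))
```

The price of statelessness is visible in the code: only a handful of MSS values survive the round trip and other SYN options are lost entirely, which is the "small performance overhead" the slide mentions, and why kernels usually enable cookies only once the listen queue is under pressure.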
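The ARP issue in the routing section (a node on the local segment convincing the gateway, or other hosts, that it owns another node's IP address) leaves a simple trace: the IP-to-MAC binding changes, and one MAC starts answering for many addresses. The following added example, not from the lecture, is a passive arpwatch-style monitor over a constructed list of observed ARP replies; `ArpMonitor`, `scan` and the sample data are this example's own, and on a real segment the replies would come from a packet capture.

```python
"""Passive ARP monitor (arpwatch-style): flags IP-to-MAC binding changes.

Added illustration, not code from the lecture. It never blocks traffic; it
only raises alerts, with higher severity for protected addresses such as
the default gateway. Sample replies below are constructed for the example.
"""
from collections import Counter, namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")
Alert = namedtuple("Alert", "severity ts ip old_mac new_mac")


class ArpMonitor:
    def __init__(self, protected_ips=(), max_ips_per_mac=3):
        self.table = {}                      # ip -> MAC currently believed to own it
        self.protected = set(protected_ips)
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts = []

    def observe(self, reply):
        """Learn a binding, or alert when a known IP is claimed by a new MAC."""
        old = self.table.get(reply.sender_ip)
        if old is None:
            self.table[reply.sender_ip] = reply.sender_mac
            return None
        if old == reply.sender_mac:
            return None
        severity = "HIGH" if reply.sender_ip in self.protected else "MEDIUM"
        alert = Alert(severity, reply.ts, reply.sender_ip, old, reply.sender_mac)
        self.alerts.append(alert)
        self.table[reply.sender_ip] = reply.sender_mac   # follow the current claimant
        return alert

    def macs_claiming_many(self):
        """MACs that currently answer for more IPs than a normal host would."""
        counts = Counter(self.table.values())
        return sorted(m for m, n in counts.items() if n > self.max_ips_per_mac)


def scan(replies, protected_ips=()):
    """Feed replies to a monitor in timestamp order and return it."""
    mon = ArpMonitor(protected_ips)
    for r in sorted(replies, key=lambda r: r.ts):
        mon.observe(r)
    return mon


# Constructed sample: the gateway (.1) is first bound to ...:01 and later
# claimed by ...:99, which then also answers for several other addresses;
# host .20 changes MAC once, which could be benign (NIC swap, DHCP churn).
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(0.5, "192.168.1.10", "aa:bb:cc:00:00:10"),
    ArpReply(1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    ArpReply(5.0, "192.168.1.1", "aa:bb:cc:00:00:99"),
    ArpReply(6.0, "192.168.1.20", "aa:bb:cc:00:00:21"),
    ArpReply(7.0, "192.168.1.30", "aa:bb:cc:00:00:99"),
    ArpReply(8.0, "192.168.1.40", "aa:bb:cc:00:00:99"),
    ArpReply(9.0, "192.168.1.50", "aa:bb:cc:00:00:99"),
]

if __name__ == "__main__":
    mon = scan(SAMPLE_REPLIES, protected_ips=["192.168.1.1"])
    for a in mon.alerts:
        print(a)
    print("MACs answering for many IPs:", mon.macs_claiming_many())
```

A binding change on its own is noisy (laptops change NICs, DHCP leases move), so the monitor grades by whether the address is one whose binding should never move, and pairs it with the "one MAC, many IPs" heuristic; the usual mitigations it complements are static entries for the gateway and Dynamic ARP Inspection on managed switches.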
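The RPKI solution in the BGP "Security Issues" section comes down to a check a router (or its validator) performs on every announcement: does some ROA cover this prefix, does it name this origin AS, and is the announced prefix no more specific than the ROA's maxLength allows? The block below is an added example, not lecture code, implementing that Route Origin Validation decision with RFC 6811's three outcomes; ROA fetching and certificate-chain verification against the RIR are out of scope, the `Roa` tuple is this example's own representation, and the sample ROAs use documentation prefixes and private-use ASNs constructed for the example. The lecture's rule ("advertisements without a valid ROA are ignored") corresponds to `drop_not_found=True`; the looser and more common deployment drops only announcements that a ROA positively contradicts.

```python
"""Route Origin Validation against RPKI ROAs (RFC 6811 semantics).

Added illustration, not code from the lecture. A ROA is reduced to
(prefix, maxLength, origin ASN); fetching and cryptographically validating
ROAs is the job of an RPKI validator and is not modelled here.
"""
import ipaddress
from collections import namedtuple

Roa = namedtuple("Roa", "prefix max_length asn")


def covering_roas(roas, prefix):
    """ROAs whose prefix contains the announced prefix (same IP version)."""
    net = ipaddress.ip_network(prefix)
    out = []
    for r in roas:
        roa_net = ipaddress.ip_network(r.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(r)
    return out


def validate_origin(roas, prefix, origin_asn):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(roas, prefix)
    if not covering:
        return "not-found"              # nobody has issued a ROA for this space
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    # Covered by a ROA, but the origin AS is wrong or the announcement is
    # more specific than maxLength permits: the classic origin-hijack shape.
    return "invalid"


def accept_route(roas, prefix, origin_asn, drop_not_found=False):
    """Deployment policy: drop 'invalid', accept 'valid', and accept
    'not-found' unless the operator runs in strict mode."""
    state = validate_origin(roas, prefix, origin_asn)
    if state == "invalid":
        return False
    if state == "not-found":
        return not drop_not_found
    return True


# Constructed ROA set (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64496),      # AS64496 may announce exactly the /24
    Roa("203.0.113.0/24", 26, 64497),    # AS64497 may announce the /24 down to /26
]

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64500),
                        ("192.0.2.0/25", 64496), ("203.0.113.64/26", 64497),
                        ("203.0.113.64/27", 64497), ("10.0.0.0/8", 64496)]:
        print(prefix, asn, "->", validate_origin(SAMPLE_ROAS, prefix, asn))
```

The `maxLength` check is what stops the more-specific variant of a hijack: an announcement of a /25 inside a /24 whose ROA allows only /24 is invalid even when it carries the legitimate origin AS. Origin validation says nothing about the rest of the AS path, which is the gap S-BGP's per-hop signatures address.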
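The Caching, DNS Packet and cache-poisoning sections fit together in one resolver-side model: a reply is only trusted if it matches an outstanding query, records are only cached if they belong to the zone that was asked about, and cached data (positive and negative) expires with its TTL. The block below is an added example, not the lecture's code. It identifies an outstanding query by the 16-bit query ID from the slides together with a randomised source port (the RFC 5452 mitigation adopted after Kaminsky'08, which is an addition to the page), requires the reply to repeat the question, and discards out-of-bailiwick records before caching. `RR`, `DnsCache`, `Resolver` and the 300 s negative TTL are this example's own assumptions; a real resolver takes the negative TTL from the zone's SOA record and does real network I/O.

```python
"""Resolver-side checks that make cache poisoning harder, plus a TTL cache.

Added illustration, not code from the lecture. An outstanding query is keyed
by a 16-bit random transaction ID and a random source port; a reply must
echo both and repeat the question; only in-bailiwick records are cached.
Records are plain tuples and there is no network I/O.
"""
import random
from collections import namedtuple

RR = namedtuple("RR", "name rtype rdata ttl")
NEGATIVE_TTL = 300          # fixed here; real resolvers use the SOA minimum


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class DnsCache:
    """Positive and negative entries, each expiring after its TTL."""
    def __init__(self):
        self._entries = {}      # (name, rtype) -> (expires_at, [RR]); [] = negative

    def put(self, name, rtype, rrs, ttl, now):
        self._entries[(name.lower(), rtype)] = (now + ttl, list(rrs))

    def lookup(self, name, rtype, now):
        """List of RRs, [] for a cached negative answer, None on a miss."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        expires_at, rrs = entry
        if now >= expires_at:           # TTL elapsed: treat as a miss
            del self._entries[key]
            return None
        return rrs


class Resolver:
    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        self.pending = {}               # (txid, sport) -> (qname, qtype, zone)
        self.cache = DnsCache()

    def send_query(self, qname, qtype, zone):
        """Register an outstanding query; a reply must echo (txid, sport)."""
        while True:
            txid = self.rng.getrandbits(16)             # ~16 bits of entropy
            sport = self.rng.randrange(1024, 65536)     # ~16 more from the port
            if (txid, sport) not in self.pending:
                break
        self.pending[(txid, sport)] = (qname, qtype, zone)
        return txid, sport

    def receive(self, txid, sport, qname, qtype, answers, additional, now,
                rcode="NOERROR"):
        """Validate a reply; returns 'accepted' or a 'dropped: ...' reason."""
        key = (txid, sport)
        if key not in self.pending:
            return "dropped: no matching txid/port"
        pq, pt, zone = self.pending[key]
        if (qname.lower(), qtype) != (pq.lower(), pt):
            return "dropped: question mismatch"
        del self.pending[key]           # first matching reply wins; later ones are dropped
        if rcode == "NXDOMAIN":
            self.cache.put(qname, qtype, [], NEGATIVE_TTL, now)   # negative caching
            return "accepted"
        grouped = {}
        for rr in list(answers) + list(additional):
            if in_bailiwick(rr.name, zone):             # drop glue for unrelated names
                grouped.setdefault((rr.name, rr.rtype), []).append(rr)
        for (name, rtype), rrs in grouped.items():
            self.cache.put(name, rtype, rrs, min(r.ttl for r in rrs), now)
        return "accepted"
```

Two things the code makes concrete: with only the query ID a forged reply has to guess 16 bits, with the port as well roughly 32, which is why port randomisation was the emergency fix in 2008; and the bailiwick rule means a reply to a query about `example.com` cannot plant an address for some other domain in the cache, whatever it carries in its additional section. DNSSEC, mentioned in the slides, replaces this guesswork with signatures on the records themselves.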