NoteNextra-origin/content/CSE4303/CSE4303_L4.md
Trance-0 52e69f9340 updates
2026-01-27 11:58:32 -06:00


# CSE4303 Introduction to Computer Security (Lecture 4)
## Network attacks
### Examining the transport layer
#### Transmission Control Protocol (TCP)
Connection-oriented, preserves order
- Sender
  - Breaks data into packets
  - Attaches packet (sequence) numbers
- Receiver
  - Acknowledges receipt; lost packets are resent
  - Reassembles packets in the correct order
#### Security Problems
1. Network packets pass by untrusted hosts
   - Eavesdropping, packet sniffing
   - Especially easy when the attacker controls a machine close to the victim (e.g. WiFi routers)
2. TCP state is easily obtained by eavesdropping
   - Enables spoofing and session hijacking
3. Denial of Service (DoS) vulnerabilities
#### TCP SYN Flood I: low rate (DoS bug)
- The server allocates state (a half-open connection in the SYN backlog) for every SYN it receives
- The attacker sends SYNs, usually from spoofed sources, and never completes the handshake; once the backlog is full, legitimate SYNs are dropped
- A low packet rate suffices because each backlog entry survives until it times out

Low rate SYN flood defenses
- Correct solution: SYN cookies, which remove the per-SYN state from the server
  - The server encodes the connection parameters (and a MAC under a server secret) into its initial sequence number instead of storing them
  - The client's ACK carries that number plus one, so the server recovers and verifies the state from the ACK alone
  - Small performance overhead
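The following is an added example (not from the lecture or any kernel source) of a SYN-cookie handshake in the style of the Linux scheme, simplified: the 32-bit ISN is packed as a 5-bit time counter, a 3-bit MSS index and a 24-bit truncated HMAC over the four-tuple, the client's ISN and the counter. The bit layout, the MSS table and the `StatelessServer` class are assumptions of this example; the point is that `established` only grows on an ACK whose cookie verifies, so a flood of SYNs leaves no state behind.

```python
import hashlib
import hmac
import secrets
import struct

# Secret is generated per process; a real implementation rotates it periodically.
SERVER_SECRET = secrets.token_bytes(32)
MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values encodable in 3 bits (assumption of this example)
COOKIE_MAX_AGE = 2                    # accept cookies up to this many counter ticks old


def _pick_mss_index(client_mss):
    """Largest table entry not exceeding the client's MSS (index 0 if none fits)."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def _mac24(saddr, daddr, sport, dport, client_isn, t, mss_idx):
    msg = struct.pack("!4s4sHHIBB", saddr, daddr, sport, dport, client_isn, t, mss_idx)
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, client_mss, t):
    """Server ISN = t (5 bits) | mss index (3 bits) | MAC (24 bits)."""
    t &= 0x1F
    mss_idx = _pick_mss_index(client_mss)
    return (t << 27) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport, client_isn, t, mss_idx)


def check_cookie(saddr, daddr, sport, dport, seq, ack, now):
    """Verify the third handshake packet. seq/ack are the client's fields.
    Returns the negotiated MSS, or None if the cookie is stale or forged."""
    client_isn = (seq - 1) & 0xFFFFFFFF     # client's SYN carried seq = ISN
    cookie = (ack - 1) & 0xFFFFFFFF         # our SYN-ACK carried seq = cookie
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    if ((now & 0x1F) - t) & 0x1F > COOKIE_MAX_AGE:
        return None                         # expired: old cookies cannot be replayed forever
    expected = _mac24(saddr, daddr, sport, dport, client_isn, t, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                         # wrong four-tuple, wrong ISN, or a guessed ack
    return MSS_TABLE[mss_idx]


class StatelessServer:
    """Handshake handling with no per-SYN state (hypothetical server object)."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}   # (client addr, client port) -> MSS, filled only on a valid ACK
        self.clock = 0          # slow counter, e.g. minutes

    def on_syn(self, saddr, sport, client_isn, client_mss):
        isn = make_cookie(saddr, self.addr, sport, self.port, client_isn, client_mss, self.clock)
        return {"seq": isn, "ack": (client_isn + 1) & 0xFFFFFFFF}   # the SYN-ACK we would send

    def on_ack(self, saddr, sport, seq, ack):
        mss = check_cookie(saddr, self.addr, sport, self.port, seq, ack, self.clock)
        if mss is None:
            return False
        self.established[(saddr, sport)] = mss
        return True


if __name__ == "__main__":
    srv = StatelessServer(bytes([192, 0, 2, 1]), 443)
    for i in range(10000):   # constructed flood from 10000 spoofed sources
        srv.on_syn(bytes([10, 0, (i >> 8) & 255, i & 255]), 40000 + (i % 1000), 12345, 1460)
    print("state after flood:", len(srv.established))
    c = bytes([10, 0, 0, 5])
    synack = srv.on_syn(c, 40000, 777, 1460)
    print("legit client accepted:", srv.on_ack(c, 40000, 778, (synack["seq"] + 1) & 0xFFFFFFFF))
```

The trade-off the lecture calls "small performance overhead" is visible in the cookie: only a handful of MSS values fit in 3 bits, and the server cannot remember options such as window scaling or SACK unless it reconstructs them from TCP timestamps, which Linux does and this example omits.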
#### Hijacking an existing TCP connection
- A and B have a trusted connection (A acts on commands that appear to come from B's address)
- Attacker E impersonates B to A by sending packets with predictable sequence numbers
  - E first DoSes B (fills B's queue) so B cannot answer A's replies with a RST and expose the forgery
  - E then sends packets to A, with B's source address, that resemble B's transmission
  - E cannot receive A's replies (blind spoofing), but may still execute commands on A
- Defense: make initial sequence numbers unpredictable (random ISNs)
## Routing Security
Routing Protocols
- ARP (address resolution protocol): IP addr ⟶ Ethernet addr
  - Security issues (local network attacks): ARP replies are not authenticated, and hosts accept them
    - Node A can confuse the gateway into sending it traffic for node B
    - By proxying the traffic, node A can read/inject packets into B's session (e.g. WiFi networks)
- OSPF: used for routing within an AS
- BGP: routing between Autonomous Systems
  - Security issues: unauthenticated route updates
    - Anyone can cause the entire Internet to send traffic for a victim IP to the attacker's address
    - Example: YouTube-Pakistan mishap (see DDoS lecture)
    - Anyone can hijack the route to a victim
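As an added example (not from the lecture), here is the detection side of the ARP problem above: a minimal Ethernet+ARP frame parser and an `ArpWatch` monitor that keeps an IP-to-MAC table, pins trusted entries such as the gateway, and raises an alert when a frame claims a different MAC for an address already known, or when the ARP sender MAC disagrees with the Ethernet source. The MAC and IP addresses and the `ArpWatch` class are constructed for this example; the frame layout is the standard one.

```python
import struct
from ipaddress import IPv4Address

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(b):
    return b.hex(":")


def build_arp(op, eth_dst, eth_src, sha, spa, tha, tpa):
    """Construct an Ethernet+ARP frame; used here only to make sample traffic."""
    eth = ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not a well-formed IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": src, "op": op, "sha": sha, "spa": str(IPv4Address(spa)),
            "tha": tha, "tpa": str(IPv4Address(tpa))}


class ArpWatch:
    """Passive ARP monitor (hypothetical): learns IP->MAC from observed frames and flags changes."""

    def __init__(self, static=None):
        self.table = dict(static or {})   # ip -> MAC; pre-seed with the gateway's real MAC
        self.static = set(static or {})   # addresses that must never be re-learned
        self.alerts = []

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return None
        if a["op"] not in (ARP_REQUEST, ARP_REPLY):
            return a
        if a["sha"] != a["eth_src"]:
            self.alerts.append(f"{a['spa']}: ARP sender {mac(a['sha'])} != frame source {mac(a['eth_src'])}")
        known = self.table.get(a["spa"])
        if known is None:
            self.table[a["spa"]] = a["sha"]            # first sighting: learn it
        elif known != a["sha"]:
            tag = " (static entry, not updated)" if a["spa"] in self.static else ""
            self.alerts.append(f"{a['spa']}: MAC changed {mac(known)} -> {mac(a['sha'])}{tag}")
            if a["spa"] not in self.static:
                self.table[a["spa"]] = a["sha"]        # dynamic entries follow the network
        return a


def run_demo():
    """Constructed traffic: a genuine gateway reply, then a spoofed one claiming the gateway's IP."""
    gw, victim, evil = (bytes.fromhex("0a1b2c3d4e01"), bytes.fromhex("0a1b2c3d4e02"),
                        bytes.fromhex("0a1b2c3d4e99"))
    w = ArpWatch(static={"192.168.1.1": gw})
    w.observe(build_arp(ARP_REPLY, victim, gw, gw, "192.168.1.1", victim, "192.168.1.20"))
    w.observe(build_arp(ARP_REPLY, victim, evil, evil, "192.168.1.1", victim, "192.168.1.20"))
    return w


if __name__ == "__main__":
    for line in run_demo().alerts:
        print("ALERT", line)
```

On a real network the same check is what tools such as arpwatch perform; pinning the gateway as a static entry is the host-side equivalent, and the frame-source-versus-sender-MAC test catches the sloppier spoofing tools that forge one but not the other.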
### BGP Security Issues
- BGP path attestations are unauthenticated
  - Anyone can inject advertisements for arbitrary routes
  - The advertisement will propagate everywhere
  - Used for DoS, spam, and eavesdropping (details in DDoS lecture)
  - Often a result of human error
Solutions:
- RPKI: the prefix holder obtains a Route Origin Authorization (ROA) under a certificate issued by the regional authority (RIR). The ROA names the prefix, the maximum prefix length, and the AS allowed to originate it; routers fetch validated ROAs and check each advertisement's origin AS against them (route origin validation). Advertisements whose origin AS contradicts a covering ROA are marked Invalid and dropped; prefixes with no ROA are NotFound and usually still accepted. Defends against origin hijacks and misconfigured origins, but not against a malicious AS that forges a path ending in the legitimate origin
- SBGP (today BGPsec): sign every hop of a path advertisement, so the path itself can be verified
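The RPKI check described above, as an added example that is not part of the lecture: `validate_origin` is the RFC 6811 route origin validation algorithm over a constructed ROA table (the prefixes and AS numbers are documentation/private ranges, not real RPKI data), and `accept_route` is the usual router policy of dropping only Invalid routes. The last assertion in the usage shows the limitation noted above: a forged AS path that ends in the legitimate origin still passes, which is what BGPsec's per-hop signatures are for.

```python
from ipaddress import ip_network

# Constructed ROA set: (prefix, maxLength, origin ASN). Not real RPKI data.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),   # covers /22 through /24 sub-prefixes
    ("203.0.113.0/24", 24, 0),        # AS0 ROA: nobody may originate this prefix
]


def validate_origin(prefix, origin_as, roas=ROAS):
    """Route origin validation (RFC 6811).
    Valid    - some covering ROA names this origin and the announced length is within maxLength
    Invalid  - covering ROAs exist but none matches (hijack, wrong origin, or too-specific)
    NotFound - no ROA covers the prefix at all
    """
    net = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue                       # ROA does not cover this announcement
        covered = True
        if asn == origin_as and net.prefixlen <= max_len:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def accept_route(prefix, as_path, roas=ROAS):
    """Typical ROV policy: drop Invalid, accept Valid and NotFound.
    The origin AS is the last element of the AS path; ROV checks nothing else about the path."""
    if not as_path:
        return False
    return validate_origin(prefix, as_path[-1], roas) != "Invalid"


if __name__ == "__main__":
    for p, path in [("192.0.2.0/24", [64510, 64500]),   # legitimate
                    ("192.0.2.0/24", [64510, 64666]),   # origin hijack: dropped
                    ("192.0.2.0/25", [64510, 64500]),   # more specific than maxLength: dropped
                    ("192.0.2.0/24", [64666, 64500]),   # forged path with true origin: accepted
                    ("10.0.0.0/8", [64510, 64500])]:    # no ROA: accepted as NotFound
        print(p, path, validate_origin(p, path[-1]), "accept" if accept_route(p, path) else "drop")
```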
### Domain Name System
DNS Root Name Servers
- Hierarchical service
  - Root name servers for top-level domains
  - Authoritative name servers for subdomains
  - Local name resolvers contact authoritative servers when they do not know a name
#### DNS Lookup Example
#### Caching
- DNS responses are cached
  - Quick response for repeated translations
  - Note: NS records for domains are also cached
- DNS negative responses are cached
  - Saves time for nonexistent names, e.g. misspellings
- Cached data periodically times out
  - Lifetime (TTL) of data is controlled by the owner of the data
  - TTL is passed with every record

DNS Packet
- Query ID:
  - 16-bit random value
  - Links a response to its query
#### Basic DNS Vulnerabilities
- Users/hosts trust the host-address mapping provided by DNS:
  - Used as the basis for many security policies: browser same-origin policy, URL address bar
- Obvious problems
  - Interception of requests or compromise of DNS servers can result in incorrect or malicious responses
    - e.g.: malicious access point in a cafe
- Solution: authenticated requests/responses
  - Provided by DNSSEC … but few use DNSSEC
### DNS cache poisoning (a la Kaminsky08)
- The attacker asks the victim resolver for many random, uncached names under the target domain (e.g. `abc123.example.com`)
- For each query, the attacker floods the resolver with forged responses, guessing the 16-bit query ID; the genuine answer from the authoritative server arrives later and is discarded
- The forged response carries, in its authority/additional sections, an NS record for the whole domain pointing at the attacker's server, so one success poisons the entire domain, not just the random name
- Every random name is a fresh race, so a failed guess costs nothing; the widely deployed fix was to randomize the resolver's UDP source port as well, so the attacker must guess roughly 32 bits instead of 16
![DNS_cache_poisoning.png](https://notenextra.trance-0.com/CSE4303/DNS_cache_poisoning.png)
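The exchange above, as an added example that is not part of the lecture: a minimal DNS wire-format builder/parser (uncompressed names only) and a `Resolver` class that applies the checks a resolver uses to decide whether a response belongs to an outstanding query: query ID, the UDP port the response arrives on, the question section, and a bailiwick rule that discards records whose owner name lies outside the zone the queried server is authoritative for. The names, addresses and the `Resolver` class are constructed for this example. A Kaminsky-style forgery with the right ID but the wrong port is dropped; one that matches both is accepted, which is exactly why the randomized port matters.

```python
import random
import struct

A, NS = 1, 2   # record types used in this example


def enc_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def dec_name(buf, off):
    labels = []
    while True:
        n = buf[off]; off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("name compression not handled in this example")
        labels.append(buf[off:off + n].decode()); off += n
    return ".".join(labels) + ".", off


def enc_rr(name, rtype, value, ttl=300):
    rdata = bytes(int(o) for o in value.split(".")) if rtype == A else enc_name(value)
    return enc_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_query(qid, qname):
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + enc_name(qname) + struct.pack("!HH", A, 1)


def build_response(qid, qname, answer=(), authority=(), additional=()):
    """Each section is a list of (owner name, type, value); used for genuine and forged replies alike."""
    hdr = struct.pack("!HHHHHH", qid, 0x8180, 1, len(answer), len(authority), len(additional))
    body = enc_name(qname) + struct.pack("!HH", A, 1)
    for section in (answer, authority, additional):
        for name, rtype, value in section:
            body += enc_rr(name, rtype, value)
    return hdr + body


def parse(pkt):
    qid, _flags, _qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    qname, off = dec_name(pkt, 12)
    off += 4                                   # skip qtype/qclass
    rrs = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = dec_name(pkt, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off); off += 10
            rdata = pkt[off:off + rdlen]; off += rdlen
            value = ".".join(str(b) for b in rdata) if rtype == A else dec_name(rdata, 0)[0]
            rrs.append((section, name, rtype, value))
    return {"id": qid, "qname": qname, "rrs": rrs}


def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)


class Resolver:
    """Caching resolver (hypothetical) showing the response-acceptance checks."""

    def __init__(self, seed=1):
        self.rng = random.Random(seed)
        self.pending = {}    # (query id, source port) -> (qname, zone of the server asked)
        self.cache = {}      # (name, rtype) -> value

    def send_query(self, qname, server_zone):
        qid = self.rng.getrandbits(16)
        sport = self.rng.randint(1024, 65535)   # randomized source port (the post-Kaminsky fix)
        self.pending[(qid, sport)] = (qname, server_zone)
        return build_query(qid, qname), sport

    def receive(self, pkt, dport):
        """dport is the resolver-side UDP port the packet arrived on."""
        r = parse(pkt)
        key = (r["id"], dport)
        if key not in self.pending:
            return "dropped: query id or port mismatch"
        qname, zone = self.pending[key]
        if r["qname"] != qname:
            return "dropped: question mismatch"
        del self.pending[key]
        for _section, name, rtype, value in r["rrs"]:
            if in_bailiwick(name, zone):    # refuse glue for names this server is not authoritative for
                self.cache[(name, rtype)] = value
        return "accepted"
```

With only the 16-bit ID checked, an attacker who can send a few tens of thousands of forged packets per race wins quickly; with the port also random, the same brute force needs on the order of 2^32 packets, which is the whole of the mitigation. Note that the bailiwick rule alone does not stop the Kaminsky variant, because the forged NS and glue records are for `example.com.` itself and are therefore in bailiwick for a query sent to that zone's servers; it stops the older attack of slipping an unrelated domain's address into the additional section.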
#### DNS poisoning attacks in the wild
- January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.
- In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy
- In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops"
### Summary
- Core protocols were not designed for security
  - Eavesdropping, packet injection, route stealing, DNS poisoning
- Patched over time to prevent basic attacks
- More secure variants exist:
  - IP $\to$ IPsec
  - DNS $\to$ DNSSEC
  - BGP $\to$ sBGP / BGPsec (and RPKI for origin validation)