CSE4303 Introduction to Computer Security (Lecture 4)
Network attacks
Examining the transport layer
Transmission Control Protocol (TCP)
Connection-oriented, preserves order
- Sender
- Break data into packets
- Attach packet numbers
- Receiver
- Acknowledge receipt; lost packets are resent
- Reassemble packets in correct order
Security Problems
- Network packets pass by untrusted hosts
- Eavesdropping, packet sniffing
- Especially easy when attacker controls a machine close to victim (e.g. WiFi routers)
- TCP state easily obtained by eavesdropping
- Enables spoofing and session hijacking
- Denial of Service (DoS) vulnerabilities
TCP SYN Flood I: low rate (DoS Bug)
Low rate SYN flood defenses
Correct Solution:
Syncookies: remove state from server
Small performance overhead
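A simplified syncookie scheme, added here as an example (it is not from the lecture and is not any operating system's exact implementation). The server packs a time counter, an MSS index and a keyed MAC into its initial sequence number, so a SYN consumes no server memory until a valid ACK comes back. The key, MSS table, tick length and the use of HMAC-SHA256 are assumptions.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"   # assumption: a random per-boot key in practice
MSS_TABLE = [216, 536, 1024, 1220, 1300, 1360, 1440, 1460]  # constructed, 3-bit index
TICK = 64                          # seconds per time-counter step (assumption)


def _mac24(src, sport, dst, dport, client_isn, counter, mss_idx):
    """24-bit keyed MAC binding the cookie to one connection attempt."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!HHIIB", sport, dport, client_isn, counter & 0xFFFFFFFF, mss_idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Return the server ISN for the SYN-ACK. No per-connection state is kept."""
    counter = int(now) // TICK
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac24(src, sport, dst, dport, client_isn, counter, mss_idx)
    return ((counter % 32) << 27) | (mss_idx << 24) | int.from_bytes(mac, "big")


def check_cookie(src, sport, dst, dport, client_isn, ack, now):
    """Validate the handshake's final ACK; return the negotiated MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF          # client acknowledges cookie + 1
    mss_idx = (cookie >> 24) & 0x7
    for age in (0, 1):                       # current or previous tick only
        counter = int(now) // TICK - age
        if counter % 32 != cookie >> 27:
            continue
        want = _mac24(src, sport, dst, dport, client_isn, counter, mss_idx)
        if hmac.compare_digest(want, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]        # state rebuilt from the ACK alone
    return None
```

The server recovers `client_isn` from the ACK segment's own sequence number minus one, so everything `check_cookie` needs arrives in that one packet.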
Hijacking Existing TCP connection
- A, B trusted connection
- Send packets with predictable seq numbers
- E impersonates B to A
- DoS B’s queue
- Sends packets to A that resemble B’s transmission
- E cannot receive, but may execute commands on A
Routing Security
Routing Protocols
- ARP (addr resolution protocol): IP addr ⟶ eth addr
Security issues: (local network attacks)
- Node A can confuse gateway into sending it traffic for Node B
- By proxying traffic, node A can read/inject packets into B’s session (e.g. WiFi networks)
- OSPF: used for routing within an AS
- BGP: routing between Autonomous Systems
Security issues: unauthenticated route updates
- Anyone can cause entire Internet to send traffic for a victim IP to attacker’s address
- Example: YouTube-Pakistan mishap (see DDoS lecture)
- Anyone can hijack route to victim
Security Issues
- BGP path attestations are un-authenticated
- Anyone can inject advertisements for arbitrary routes
- Advertisement will propagate everywhere
- Used for DoS, spam, and eavesdropping (details in DDoS lecture)
- Often a result of human error
Solutions:
- RPKI: AS obtains a certificate (ROA) from regional authority (RIR) and attaches ROA to path advertisement. Advertisements without a valid ROA are ignored. Defends against a malicious AS
- SBGP: sign every hop of a path advertisement
Domain Name System
DNS Root Name Servers
- Hierarchical service
- Root name servers for top-level domains
- Authoritative name servers for subdomains
- Local name resolvers contact authoritative servers when they do not know a name
DNS Lookup Example
Caching
- DNS responses are cached
- Quick response for repeated translations
- Note: NS records for domains also cached
- DNS negative queries are cached
- Save time for nonexistent sites, e.g. misspelling
- Cached data periodically times out
- Lifetime (TTL) of data controlled by owner of data
- TTL passed with every record
DNS Packet
- Query ID:
- 16 bit random value
- Links response to query
Basic DNS Vulnerabilities
- Users/hosts trust the host-address mapping provided by DNS:
- Used as basis for many security policies: Browser same origin policy, URL address bar
- Obvious problems
- Interception of requests or compromise of DNS servers can result in incorrect or malicious responses
- e.g.: malicious access point in a Cafe
- Solution - authenticated requests/responses
- Provided by DNSsec … but few use DNSsec
DNS cache poisoning (a la Kaminsky’08)
DNS poisoning attacks in the wild
- January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.
- In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy
- In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops"
Summary
- Core protocols not designed for security
- Eavesdropping, Packet injection, Route stealing, DNS poisoning
- Patched over time to prevent basic attacks
- More secure variants exist:
- IP ⟶ IPsec
- DNS ⟶ DNSsec
- BGP ⟶ sBGP
