CSCD 434 Network Security, Spring 2014. Lecture 4: BGP, DNS Vulnerabilities


Overview

• Network Protocols are not secure
– Not designed to be secure in first place
• Looked at TCP/IP
– Spoofed packets, hijacked sessions, DoS attacks and more
• Other Network Protocols – BGP and DNS
– Attacks violate fundamental way protocols work

Motivation

• Why do we try to protect protocols?
– DNS must function as name resolver
– BGP ties the Internet together
– Critical to functionality of global communication
– Entire world is dependent on correctly functioning Internet
– Critical infrastructure: power grid, water, emergency systems, banks, transportation, medical, entertainment and WOW!!!

BGP Overview

• Internet does not run without BGP, as it is the glue that holds its various parts together
• When an end user wants to communicate with an IP address, its ISP consults a BGP table - which contains a list of known routers - for the best route to the destination
• A cost metric is then associated with the path to each router so that the best available route is chosen
• BGP's main function is thus to exchange network reachability information with others in order to track the networks through which traffic would have to pass to reach the final destination

BGP Operations (Simplified)

• Establish session on TCP port 179
• Exchange all active routes
• Exchange incremental updates
• While connection is ALIVE, exchange route UPDATE messages

[Figure: BGP session between AS1 and AS2]

Four Types of BGP Messages

• Open : Establish a peering session.

• Keep Alive : Handshake at regular intervals.

• Notification : Shuts down a peering session.

• Update : Announcing new routes or withdrawing previously announced routes.


ASPATH Attribute

[Figure: propagation of prefix 135.207.0.0/16, originated by AS 6341 (AT&T Research), with the AS Path growing by one AS at each hop]

• AS 6341 (AT&T Research) originates 135.207.0.0/16
• AS 7018 (AT&T) receives it with AS Path = 6341
• AS 1239 (Sprint) and AS 3549 (Global Crossing) receive it from AT&T with AS Path = 7018 6341
• AS 1755 (Ebone) receives it from Sprint with AS Path = 1239 7018 6341
• AS 1129 (Global Access) receives it from Ebone with AS Path = 1755 1239 7018 6341
• AS 12654 (RIPE NCC RIS project) receives it from Global Crossing with AS Path = 3549 7018 6341 and from Global Access with AS Path = 1129 1755 1239 7018 6341

More BGP Details

• Uses TCP as its transport protocol
– This guarantees transport reliability
– Eliminates complexity related to designing reliability into the protocol itself
– BGP data enclosed within TCP packets
• Then, TCP used for acknowledgment, sequencing, and retransmission
• After setting up BGP session and exchanging initial routes, BGP peers trade incremental routing and notification updates

BGP Security Problems

• Infrastructure built on top of BGP is thus highly vulnerable to a variety of malicious attacks
• Due to lack of a secure means of authenticating legitimacy of BGP control traffic, plus the TCP session it is built on, which has its own set of vulnerabilities
• No way to guarantee that a BGP-speaking router uses the AS number it was allocated or that it holds the address space it advertises
• Most of BGP's security problems stem from an uncertainty about the relationship between IP prefixes and ASNs and the use of TCP as its underlying transport protocol


Border Gateway Protocol

• Attacker Goals
– Why attack BGP? What advantages?
– Black Hole
• Drop traffic, make a prefix unreachable
• Attract traffic to a router then drop it
– Redirection
• Traffic flowing to a particular network forced to take a different path, may cause link to collapse

BGP

• Why attack, continued
– Eavesdrop or Modify
• Pass data through link to eavesdrop on or modify data
– Instability
• Cause route dampening, connection outages
– Routes that change too frequently get penalized
• Called "Route Flapping"; leads to route dampening - routes assigned a less preferred status
• Cause increased BGP traffic and cause route convergence delays

BGP

• How to attack BGP?
– Provide wrong information
• Connections that don't really exist
• Reroute traffic through compromised routes
• Provide contradictory or confusing information
– Provide more frequent information
• Advertise routes more often
• Destabilize routing tables
– Example follows ...

Historical Theory

• 1998, Peiter "Mudge" Zatko, noted computer security expert, testified in Congress that he could bring down the Internet in 30 minutes using a BGP attack
– Plus, demonstrated how BGP could be used to eavesdrop on traffic it coordinates
• Using BGP, anyone with control over a BGP router could advertise any address block using a more specific set of IP addresses, causing it to be the most preferred route

YouTube Gets DoS'd

• Feb. 2008, Pakistan government bans YouTube - blasphemous content
• Nobody from Pakistan can get to YouTube
• PCCW, one of the largest communications providers for Pakistan and China, was supposed to just block Pakistani users ... yet blocked all users from YouTube,
• Not just the Pakistani ones ...

YouTube Gets DoS'd

• Result ... all BGP speaking routers on the Internet believe Pakistan Telecom provides best connectivity to YouTube
• A complete denial of service (DoS)
– Intentional or not!!!

BGP Routing Details

• BGP rules state that longer prefixes are more specific and preferred: more bits for the network portion
• So, YouTube owns IP space
– 208.65.153.0/24,
– 208.65.152.0/24 and
– 208.65.154.0/23
• YouTube announces a single aggregated BGP route for these /24 and /23 prefixes, announced as 208.65.152.0/22
• Routes announced:
208.65.152.0/22 via AS 36561 (YouTube)
208.65.153.0/24 via AS 17557 (Pakistan Telecom)

Review of Supernetting from CSCD330
http://www.2000trainers.com/cisco-ccna-05/ccna-classless-cidr-supernetting/

• Want to aggregate 8 network addresses between 131.0.0.0/16 and 131.7.0.0/16
• So, range can now be designated as 131.0.0.0/13; this value aggregates all addresses between 131.0.0.1 and 131.7.255.254
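As an added example (not part of the lecture) covering the two slides above: Python using the stdlib ipaddress module to collapse YouTube's /24 and /23 blocks into 208.65.152.0/22 (and the eight /16s into 131.0.0.0/13), then to apply longest-prefix match and show why the Pakistan Telecom /24 captures hosts in 208.65.153.0/24 while the rest of the /22 still reaches YouTube. The routing table is constructed from the slide's two announcements.

```python
import ipaddress

# Constructed routing table from the slide: (prefix, origin AS, note).
ROUTES = [
    ("208.65.152.0/22", 36561, "YouTube aggregate"),
    ("208.65.153.0/24", 17557, "Pakistan Telecom, more specific"),
]


def best_route(table, dst):
    """Longest-prefix match: of all routes covering dst, the one with the
    most network bits wins, whoever originated it."""
    ip = ipaddress.ip_address(dst)
    covering = [(ipaddress.ip_network(p), asn) for p, asn, _ in table
                if ip in ipaddress.ip_network(p)]
    if not covering:
        return None
    net, asn = max(covering, key=lambda r: r[0].prefixlen)
    return str(net), asn


def aggregate(prefixes):
    """Supernetting: collapse adjacent blocks into the fewest covering prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def more_specifics(table, covering):
    """Announcements strictly inside a prefix you own: what route-monitoring
    tools (such as RIPE's) flag when someone else announces your space."""
    cover = ipaddress.ip_network(covering)
    return [(p, asn) for p, asn, _ in table
            if ipaddress.ip_network(p) != cover
            and ipaddress.ip_network(p).subnet_of(cover)]


if __name__ == "__main__":
    print(aggregate(["208.65.153.0/24", "208.65.152.0/24", "208.65.154.0/23"]))
    print(aggregate(["131.%d.0.0/16" % i for i in range(8)]))
    print(best_route(ROUTES, "208.65.153.10"))  # the hijacking /24 captures this host
    print(best_route(ROUTES, "208.65.152.10"))  # still YouTube's /22
    print(more_specifics(ROUTES, "208.65.152.0/22"))
```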

Hijacked YouTube Visuals

• RIPE NCC has tools that monitor BGP routes
– RIPE is the regional Internet registry for Europe, the Middle East and Central Asia
• http://www.ripe.net/news/study-youtube-hijacking.html
• Actual animation of the entire event, complete with music!!!!

More BGP Problems

• Similar BGP problem revealed at Blackhat 2008
• Anyone with a BGP router ...
• ISPs, large corporations, governments,
• Could intercept data headed to a target IP address or group of addresses
• Attack intercepts only traffic headed to target addresses, not from them

2008 Demo at Blackhat

• Tony Kapela and Alex Pilosov
• Man-in-the-middle attack demonstrated at Defcon 2008
– Redirected traffic bound for Defcon to a system they controlled in New York and then routed it back to Las Vegas
– While BGP eavesdropping has long been a known weakness, no one was known to have intentionally exploited it until this proof of concept
– Good analysis of this attack at http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf

2008 Demo at Blackhat

• What did they discover about BGP?
• Pilosov's innovation
– Forward the intercepted data to the actual destination, so that no outage occurs
– AS path prepending causes selected BGP routers to reject their deceptive advertisement
• Longer routes are less preferred and will be rejected
– Use these AS's to forward stolen data to its rightful recipients
– Using the way the protocol is supposed to work to subvert it !!!

BGP MITM Attack

[Figure: BGP MITM attack topology, with the AS path prepended for AS10]

2008 Demo at Blackhat

• What could you do with this attack?
• Corporate espionage,
• Nation-state spying or
• Intelligence agencies looking to mine Internet data
• Don't need cooperation of ISP's ...

BGP Vulnerabilities

• Recap ... vulnerabilities that allow these types of attacks to happen
– Lack of authentication of BGP updates
• Are they coming from "trusted" routers?
– Updates sent in the clear
– Updates themselves can be bogus
• By accident or deliberately, can poison the routing tables

Memo on BGP Security Vulnerabilities Analysis: http://www.ietf.org/rfc/rfc4272.txt

Current BGP Attacks

• 2013, Renesys (provides Internet intelligence): February 2013, we observed a sequence of events, lasting from a few minutes to several hours in duration, in which global traffic was redirected to Belarusian ISP GlobalOneBel
• These redirections took place on an almost daily basis throughout February
• Affected countries included the US, South Korea, Germany, the Czech Republic, Lithuania, Libya, and Iran
• Another set of traffic hijack incidents took traffic to Iceland
• http://www.renesys.com/2013/11/mitm-internet-hijacking/

BGP Fixes

• Countermeasures
– TCP connection hijack protection
• MD5 hash signature
• Ensure that BGP messages have the source address of the legitimate peering BGP speaker
• Positively identify the BGP router

BGP Fixes

• Route Filtering
– Used to enforce business relationships between AS's
– Create Access Control Lists (ACL's) of prefixes for sending/receiving updates
– Egress filters allow control of announced routes to peers
– Ingress filters check incoming routes for validity
• Make sure origin AS of route owns prefix
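An ingress filter in Python, added here as an example and not from the lecture, applying the checks above to constructed updates: the origin AS must be authorized for the prefix (a constructed prefix-to-origin table of the kind an IRR entry or RPKI ROA supplies, with a longest allowed prefix length), the first AS in the path must be the sending neighbor, and our own AS must not already appear in the path. AUTHORIZED, MY_AS and the sample updates are assumptions; the Pakistan Telecom /24 from the earlier slide fails the origin check.

```python
import ipaddress

# Constructed authorisation table, the kind of data an IRR entry or RPKI ROA
# carries: (prefix, origin AS allowed to announce it, longest prefix allowed).
AUTHORIZED = [
    ("208.65.152.0/22", 36561, 24),   # YouTube's block, down to /24
    ("135.207.0.0/16", 6341, 16),     # AT&T Research, the /16 only
]
MY_AS = 1239   # constructed: this router belongs to Sprint


def origin_valid(prefix, origin_as):
    """True only if an authorisation covers the prefix, its length is not
    exceeded, and it names this origin. Unknown prefixes are rejected."""
    net = ipaddress.ip_network(prefix)
    for auth_prefix, auth_as, max_len in AUTHORIZED:
        cover = ipaddress.ip_network(auth_prefix)
        if net.subnet_of(cover) and net.prefixlen <= max_len:
            return auth_as == origin_as
    return False


def accept_update(prefix, as_path, neighbor_as):
    """Ingress filter for one UPDATE: path sanity first, then the origin
    check ("origin AS of route owns prefix"). Returns (accepted, reason)."""
    if not as_path:
        return False, "empty AS_PATH"
    if as_path[0] != neighbor_as:
        return False, "first AS is not the neighbor that sent the update"
    if MY_AS in as_path:
        return False, "our own AS is already in the path (loop)"
    origin = as_path[-1]
    if not origin_valid(prefix, origin):
        return False, f"AS{origin} is not authorized to originate {prefix}"
    return True, "accepted"
```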

BGP Fixes

• Route Filtering continued
– What's the Problem?
• Hard to keep Internet routing registries current
• ISP's trust that their peer routers are sending correct information
• Also, in practice filtering is against the dynamic nature of the Internet
• Policies change often, structure of AS's is not a tree
• AS's have multiple connections, difficult to apply strict filters

One Fix, SBGP

• SBGP – Secure BGP
– Extension to BGP
– Protect BGP from malicious or mistaken updates
– Adds authorization and authentication
• Attribute added to BGP updates to ensure updates valid
• Route messages secured with IPSec
– Based on PKI cryptography
http://www.net-tech.bbn.com/sbgp/sbgp-index.html

SBGP

• SBGP – Secure BGP
– Adds Address Attestation (AA)
• Verify origin AS is authorized to advertise a particular address block
• Verify AS owns that address block
– Adds Route Attestation (RA)
• Authorize neighbor AS's to propagate route contained in an update

SBGP

• SBGP
– More details
• Uses PKI to authorize AA's and RA's
• Private keys stored in S-BGP speakers
• Public keys made available by hierarchical PKI infrastructure
• Any problems with this?

Problems with SBGP

– Need to have hierarchical PKI in place and trusted by all ISP's
– Cryptography intensive and part of huge overhead when BGP router reboots
– Routers may need large memory, 20 MB, to store public keys
– Routers can't always sign routes if routes have been aggregated
• Routes will have come from multiple sources

Problems with SBGP

• Have prevented SBGP from being deployed
• Alternative methods have been suggested
– CISCO proposed soBGP – Secure Origin BGP
– Lightweight alternative to SBGP
– Uses existing trust relationships to validate certificates - "Web of Trust"
– IRV – Companion protocol to BGP
• Uses IRV servers,
• Updates are verified by each AS IRV server in AS-PATH

Domain Name System (DNS)

DNS Overview

• Domain Name System
– Hierarchical system of name servers for resolving IP addresses to human readable names, e.g. www.yahoo.com from 209.131.36.158
– Designed in 1980's along with TCP/IP
– Was and is implemented as open source software
• BIND – Berkeley Internet Name Domain
– Has had many discovered flaws
– Current version is BIND version 9

Domain Name System

[Figure: hierarchical name space - root at the top; below it edu, net, org, uk, com, ca; below edu: wisc, ucb, EWU, cmu, mit; below EWU: cslabs]

DNS Root Name Servers

• Hierarchical service
– Root name servers for top-level domains
– Authoritative name servers for subdomains
– Specified when you register your domain
• Local name resolvers contact authoritative servers when they do not know a name
http://www.root-servers.org/

DNS Lookup Example

[Figure: the client (your operating system) asks its local DNS resolver for cslabs.ewu.edu; the resolver asks the root & edu DNS server, which refers it to the EWU.edu DNS server (NS EWU.edu); the EWU.edu DNS server refers it to the cslabs.ewu.edu DNS server (NS cslabs.ewu.edu); that server answers cslabs4.ewu.edu = IP addr, which the resolver returns to the client]

Caching

• DNS responses are cached
– Quick response for repeated queries
• DNS negative queries are cached
– Save time for nonexistent sites, e.g. misspelling
• Cached data periodically times out
– Lifetime (TTL) of data controlled by owner of data
– TTL passed with every record, must refresh if it expires

Lookup Using Cached DNS Server

[Figure: lookup of penguin.ewu.edu through a local DNS recursive resolver that already has cached entries; participants: client, local DNS recursive resolver, root & edu DNS server, ewu.edu DNS server, cslabs.ewu.edu DNS server; the answer returned is penguin = IP addr]

Domain Name System

• Attacker Motivation
• Why subvert DNS?
– Direct users to fraudulent web sites
• Gain user information, banking and identity
– Do a DoS against a specific company
– Direct users to iffy web sites
• Porn! Porn! Porn!
– China performs DNS cache poisoning as part of their content filtering - Great Firewall of China!!!
http://chinadigitaltimes.net/china/Internet-control/

DNS Attacks In General

• Several Attacks against DNS
– Attack BIND software
• Overflow buffers to crash software
• Escalate privilege, gain root access
– Intercept packets and change information
• Inject wrong information into nameserver caches
• Known as cache poisoning ... more on this later
– Denial of Service against nameservers
• Self explanatory ...

DNS Attacks Rebinding

• 2007 – Stanford researchers discovered a flaw in the way DNS is resolved by browsers
• Scripts on web pages can access another web site only if the same origin policy (web browser security) allows it
– Must have same domain, same protocol and same hostname
– Example: http://www.securebits.org:8080 and http://www.securebits.org:8080/somefolder/
– Will be allowed, but
– http://undiscriminating and https://www.securebits.org will not be allowed
• Reference for Same Origin Policy: http://www.w3.org/Security/wiki/Same_Origin_Policy

DNS Attacks Rebinding

• Stanford URL: http://crypto.stanford.edu/dns/
• Attacker exploits same origin policy as follows
1. Builds website under his/her control, controls DNS server that resolves queries for that website
2. Victim accesses website for first time, DNS server gives out the correct IP address
3. Later, attacker rebinds hostname of website with a false IP address; allows access into an internal network

DNS Attacks Rebinding

• Ex.: Victim visits www.example.com
– Attacker's nameserver resolves it to 65.54.43.32 (correct IP)
• Victim downloads web pages including a script
• A short TTL of the DNS record (2 secs) has been set
• Requires victim's browser to access DNS again to resolve www.example.com before running script
• Now, www.example.com is rebound to 10.10.10.8, which is an internal IP address on the victim's network, of a printer, router or other configurable device
• Attacker will have identified the IP ahead of time
• Allows bypass of firewall to run script

DNS Attacks Rebinding

• Results
– Can capture internal data, sensitive information on internal network machines of an enterprise
– Subverting the typical way browser security is supposed to run, by preventing scripts from executing from two separate domains
• Solutions
– IP pinning - browser uses one IP address for the entire session in spite of the DNS record TTL
– DNS resolvers
• Do not allow external names to resolve to internal addresses

Nice reference for this rebinding attack: http://capec.mitre.org/data/definitions/275.html
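The two solutions on the slide, as an added Python example that is not from the lecture: a resolver-side filter that drops internal addresses from answers for names outside our own zones (the behaviour of rebind protection in resolvers such as dnsmasq), and a browser-side pinning cache that keeps the first address for the whole session. INTERNAL_ZONES and the scripted nameserver replaying the slide's 65.54.43.32 then 10.10.10.8 sequence are constructed.

```python
import ipaddress

# Constructed: only names under our own zones may legitimately resolve to
# private addresses; an external name pointing inside is a rebinding attempt.
INTERNAL_ZONES = (".corp.example",)


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def filter_answers(qname, answers):
    """Resolver-side defense: drop internal addresses from replies for
    external names. Returns (kept, dropped)."""
    if qname.lower().endswith(INTERNAL_ZONES):
        return list(answers), []
    kept, dropped = [], []
    for a in answers:
        (dropped if is_internal(a) else kept).append(a)
    return kept, dropped


class PinnedResolver:
    """Browser-side defense: the first address used for a host is pinned for
    the session, so a 2-second TTL cannot swap it underneath a running script."""

    def __init__(self, lookup):
        self.lookup = lookup      # function: name -> list of address strings
        self.pins = {}

    def resolve(self, name):
        if name not in self.pins:
            addrs = self.lookup(name)
            if not addrs:
                raise LookupError(f"no address for {name}")
            self.pins[name] = addrs[0]
        return self.pins[name]


def scripted_lookup(answers_per_call):
    """Constructed stand-in for the attacker's nameserver on the slide: it
    returns each answer list in turn, then keeps returning the last one."""
    state = {"i": 0}

    def lookup(name):
        i = min(state["i"], len(answers_per_call) - 1)
        state["i"] += 1
        return answers_per_call[i]
    return lookup
```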

DNS Attacks Cache Poisoning

• DNS server generally serves the domain's own customers
• Cache poisoning attack
– Server does not correctly validate DNS responses to have come from an authoritative source
– Not required to !!!
– Attacker exploits flaw in DNS software that can make it accept incorrect information
– Server will end up caching incorrect entries locally and later serve them to users

DNS Attacks Cache Poisoning

• Slides courtesy of http://www.networkworld.com/slideshows/2008/102008-dns-and-cache-poisoning.html?nwwpkg=nws

1. User inputs www.bigbank.com
2. If domain isn't cached, server consults with authoritative DNS server.
3. Address cached and forwarded to end user, who is then connected.

DNS Attacks Cache Poisoning

1. Attacker figures out when a domain entry will expire on a caching server using readily available tools
2. Attacker "races" legitimate DNS server, trying to get caching server to accept a fake response.
3. In order to be accepted, fake response must match query parameters of actual response

DNS Attacks Cache Poisoning

1. Attacker gets DNS to accept fake response (matches query parameters): "www.bigbank.com is at 6.7.8.9 (an address controlled by the attacker)"
2. DNS server responds to user queries with fake address.
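What "must match query parameters" means on the wire, as an added example that is not from the lecture: a minimal DNS query builder and the checks a resolver makes on a reply (source address, destination port, transaction ID, QR bit and question section) before it caches anything, on constructed messages. The upstream address 198.51.100.53 and the www.bigbank.com reply are constructed; the random ID and random source port are the two values a forged reply would have to match.

```python
import secrets
import struct

UPSTREAM = "198.51.100.53"   # constructed address of the authoritative server


def encode_name(name):
    """Wire form: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(qname, qtype=1):
    """Return (pending, wire). pending records what a valid reply must match:
    a random 16-bit ID and a random source port, so both must be guessed."""
    txid = secrets.randbelow(1 << 16)
    sport = 1024 + secrets.randbelow(65536 - 1024)
    wire = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    wire += encode_name(qname) + struct.pack("!HH", qtype, 1)
    return {"txid": txid, "sport": sport, "qname": qname.lower(),
            "qtype": qtype, "server": UPSTREAM}, wire


def response_matches(pending, src_ip, dst_port, wire):
    """The resolver caches a reply only if every parameter matches the
    outstanding query; anything else is dropped as spurious."""
    if src_ip != pending["server"] or dst_port != pending["sport"]:
        return False
    txid, flags, qdcount = struct.unpack("!HHH", wire[:6])
    if txid != pending["txid"] or not flags & 0x8000 or qdcount != 1:
        return False
    qname, off = decode_name(wire, 12)
    qtype, qclass = struct.unpack("!HH", wire[off:off + 4])
    return (qname.lower() == pending["qname"] and qtype == pending["qtype"]
            and qclass == 1)


def build_response(txid, qname, qtype, addr):
    """Constructed reply carrying one A record (owner via pointer to offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(x) for x in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer
```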


Pharming

• This kind of attack is often classified as a pharming attack
• First, users think they are at a familiar site, but they aren't
• Unlike phishing, where the user spots a suspicious URL, in this case the URL is legitimate
• Browser resolves address of domain automatically

Pharming Scale

• Scale of Problem
• Hundreds or even thousands of users can be redirected if an attacker successfully inserts a single fake entry into a caching server
• Scale amplified by popularity of domain being requested
– Maybe www.yahoo.com ...
• Even a moderately experienced hacker can cause a lot of trouble, obtaining passwords and other valuable information

Pharming

• DNS poisoning attacks have occurred
– January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia
– In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy
– In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site
• Presented them with the message "God Bless Our Troops"

Inherent DNS Vulnerabilities

• Users/hosts typically trust the host-address mapping provided by DNS

• No way for a host to authorize the use of its name for a given address

• No way to authenticate the entities providing the updated information

• Are they really nameservers?

• Text is sent in the clear – both request and reply

• Easy to eavesdrop or modify

DNS Defenses - DNSSEC
http://www.dnssec-deployment.org/

• DNS Security (DNSSEC) to the rescue!
• Adds data authentication and integrity protection to the DNS protocol
• Inclusion of public keys and the use of digital signatures in DNS information
• Not the complete answer
• Significant drawbacks to using DNSSEC

Overview of DNSSEC

• A zone administrator "digitally signs" a Resource Record Set (RRSet)
– Publishes this digital signature, along with the zone administrator's public key
– DNSSEC client can retrieve the RRset digital signature, then check this signature using the public key against a locally calculated hash value of the RRset
– And, validate the zone administrator's public key to ensure it's a valid key
– If all these checks succeed ...
– Client has some confidence that the DNS response was authentic

Requires Hierarchy of Trust

• To start securely resolving DNSSEC,
• Root key must be anchored in the resolver at your local computer or nameserver
– Only when the resolver knows and trusts a zone key can it validate signatures belonging to that zone
• Because of the chain of trust, the resolver has to carry only a few zone keys to be able to validate DNSSEC data on the Internet
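The sign, verify and chain-of-trust steps from the two slides above, as an added Python example that is not from the lecture: each zone signs the hash of a canonical RRset with its private key, a parent publishes a hash of its child's public key (a DS record) and signs that, and the validator starts from the single anchored root key and walks down to the leaf. The zones (root, edu, ewu.edu), the penguin.ewu.edu address, and a textbook RSA built from small Mersenne primes in place of a real DNSSEC algorithm are all constructed; the toy keys show the structure only and are far too small for real use.

```python
import hashlib

def canonical_rrset(rrset):
    """Canonical form (lower-case owner, sorted records) so signer and
    validator hash exactly the same bytes."""
    return "\n".join(sorted(f"{n.lower()} {t} {r}" for n, t, r in rrset)).encode()

def digest(rrset, n):
    return int.from_bytes(hashlib.sha256(canonical_rrset(rrset)).digest(), "big") % n

def sign(rrset, key):        # zone administrator, private exponent d
    return pow(digest(rrset, key["n"]), key["d"], key["n"])

def verify(rrset, sig, pub):  # client: hash computed locally, public key (n, e)
    return pow(sig, pub["e"], pub["n"]) == digest(rrset, pub["n"])

def ds_of(pub):
    """What a parent publishes about its child: a hash of the child's key."""
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()

# Toy RSA from Mersenne primes (constructed, far too small for real use).
M = {k: (1 << k) - 1 for k in (19, 31, 61, 89, 107, 127)}

def toy_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def pub(key):
    return {"n": key["n"], "e": key["e"]}

KEYS = {".": toy_key(M[127], M[107]), "edu": toy_key(M[89], M[61]),
        "ewu.edu": toy_key(M[31], M[19])}
TRUST_ANCHOR = pub(KEYS["."])   # the only key configured in the resolver

def build_zones():
    """Constructed zones: root and edu each sign a DS RRset naming their
    child's key; ewu.edu signs an A RRset (address constructed)."""
    rrsets = {".": [("edu", "DS", ds_of(pub(KEYS["edu"])))],
              "edu": [("ewu.edu", "DS", ds_of(pub(KEYS["ewu.edu"])))],
              "ewu.edu": [("penguin.ewu.edu", "A", "10.0.0.5")]}
    return {z: {"key": pub(KEYS[z]), "rrset": rr, "sig": sign(rr, KEYS[z])}
            for z, rr in rrsets.items()}

def validate(zones, chain):
    """Walk the chain from the trust anchor: each DS must verify under a key
    we already trust and match the child's key; then check the leaf RRset."""
    trusted = TRUST_ANCHOR
    for parent, child in zip(chain, chain[1:]):
        ds = zones[parent]
        if not verify(ds["rrset"], ds["sig"], trusted):
            return False
        if ds["rrset"][0][2] != ds_of(zones[child]["key"]):
            return False
        trusted = zones[child]["key"]
    leaf = zones[chain[-1]]
    return verify(leaf["rrset"], leaf["sig"], trusted)
```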

Problems DNSSEC

• Many nameservers not running DNSSEC
– Need to have most of them running it to be valid
• Trust issues with keys and distribution of keys
– PKI is complex and there are problems with it for such a huge system as DNS
• A lot of resistance to change when a fundamental protocol is involved


Summary

• Common vulnerabilities for Internet protocols
– Lack of authentication
– Cleartext transmission of information
– Can't protect integrity of information
– Can't prevent Denial of Service
• Costs to implement fixes; there is serious pushback from ISP's and vendors
• Right now, attacks will likely continue
