n|u

Network and DNS V l bilitiVulnerabilities

Presented by:

Harsimran Walia

Data FormatsData Formats

ApplicationApplication message - data

TCP Header

message

Transport (TCP, UDP) TCP data TCP data TCP datasegment

k tNetwork (IP)

Link Layer

dataTCPIP

dataTCPIPETH ETF

packet

framey

IP Header Link (Ethernet)Header

Link (Ethernet)TrailerHeader Trailer

Internet ProtocolIP

Internet Protocol

Connectionless Version Header LengthT f S iConnectionless

UnreliableBest effort

Type of ServiceTotal LengthIdentification

Flags Fragment Offset

Notes:

Flags

Time to LiveProtocol

Header Checksum

Fragment Offset

src and dest portsnot parts of IP hdr

Source Address of Originating Host

Destination Address of Target Hostg

Options

Padding

IP Data

Packet forgingPacket forging

Client is trusted to embed correct source IPEasy to override using raw socketsLibnet: a library for formatting raw packets with

bit IP h darbitrary IP headers

Anyone who owns their machine can send packets with arbitrary source IP

… response will be sent back to forged source IP

Implications:Anonymous DoS attacks; y ;Anonymous infection attacks

Basic Security ProblemsBasic Security Problems

1. Network packets pass by untrusted hosts1. Network packets pass by untrusted hostsEavesdropping, packet sniffingEspecially easy when attacker controls a p y ymachine close to victim

2. TCP state can be easy to guessEnables spoofing and session hijacking

3. Denial of Service (DoS) vulnerabilities

1 Packet Sniffing1. Packet Sniffing

Promiscuous NIC reads all packetsPromiscuous NIC reads all packetsRead all unencrypted data (e.g., “wireshark”)ftp, telnet (and POP, IMAP) send passwords in clear!p, ( , ) p

Eve

Ali B bNetworkAlice BobNetwork

Prevention: Encryption SSL (is it still secure??)

2 Breaking SSL encryption2. Breaking SSL encryption

Certificate used for encryptionCertificate used for encryption

2 Breaking SSL encryption2. Breaking SSL encryption

Certificate created by attacker and acceptedCertificate created by attacker and accepted by victim (normally a user ignores warning) attacker can-

Sniff the encrypted passwordsDecrypt the passwords

C tCountermeasuresUntrusted certificate should never be accepted

All trusted certificates should be installed in the browserAll trusted certificates should be installed in the browser

Review: TCP HandshakeReview: TCP HandshakeC S

SYN: ListeningSNC←randCANC←0

SYN/ACK: Store SNC , SNSSNS←randSANS←SNC

ACK:Wait

SN←SNC+1AN SNACK:

Established

AN←SNS

2 TCP Connection Spoofing2. TCP Connection Spoofing

Why random initial sequence numbers? (SNC , SNS )y q ( C , S )

Suppose init. sequence numbers are predictableAttacker can create TCP session on behalf of forged source IPAttacker can create TCP session on behalf of forged source IP

Breaks IP-based authentication (e.g. SPF, /etc/hosts )

TCP SYN

VictimSYN/ACKdstIP=victim

ACK

TCP SYNsrcIP=victim

ServerSN=server SNS

ACKsrcIP=victimAN=predicted SNS

attacker

commandserver thinks command is from victim IP addr

Example DoS vulnerabilityExample DoS vulnerability

Suppose attacker can guess seq. number for an pp g qexisting connection:

Attacker can send Reset packet to close connection. Results in DoS.Naively, success prob. is 1/232 (32-bit seq. #’s).Most systems allow for a large window ofMost systems allow for a large window of acceptable seq. #’s

Much higher success probability.

TCP SYN Flood I: low rate TCP SYN Flood I: low rate

C SC

SYN

S Single machine:

• SYN Packets withdSYNC1

SYNC2

random source IPaddresses

Fills up backlog queueSYNC3

SYNC

• Fills up backlog queueon server

• No further connectionsSYNC4

SYNC5

• No further connectionspossible

12

SYN Floods II: Massive flood

Command bot army to flood specific target: (DDoS)y p g

20,000 bots can generate 2Gb/sec of SYNs (2003)

At web site:Saturates network uplink or network routerp

Random source IP ⇒attack SYNs look the same as real SYNs

13

NIC as cpu

Attempt to connect to the victim machine, which fails:

Sending a ‘magic’ packet to the victim:

k d l d iIt worked! Now logged in as root:

14

NIC as cpu

PoC exists with Broadcom (Manufacturer of NICs)

We can remotely execute shell code on the NIC

Through shell code we can read/write data on main

hard drive

As shown we can login as root without even exploiting the systemsystem

15

Routing Vulnerabilities

Routing VulnerabilitiesRouting Vulnerabilities

Common attack: advertise false routesCommon attack: advertise false routesCauses traffic to go though compromised hosts

ARP (addr resolution protocol): IP addr -> eth addrNode A can confuse gateway into sending it traffic for B

OSPF: used for routing within an AS

BGP: routing between ASsAttacker can cause entire Internet to send traffic for a victim IP to attacker’s address.

IssuesIssues

Security problemsSecurity problemsPotential for disruptive attacksBGP packets are un-authenticatedp

Attacker can advertise arbitrary routesAdvertisement will propagate everywhereUsed for DoS and spamUsed for DoS and spam

DoS via route hijacking

YouTube is 208.65.152.0/22 (includes 210 IP addr)youtube com is 208 65 153 238 youtube.com is 208.65.153.238, …

Feb. 2008:Pakistan telecom advertised a BGP path forPakistan telecom advertised a BGP path for

208.65.153.0/24 (includes 28 IP addr)Routing decisions use most specific prefixThe entire Internet now thinks

208 65 153 238 is in Pakistan208.65.153.238 is in PakistanOutage resolved within two hours… but demonstrates huge DoS vuln. with no

solution!

March 2010:1 ISP in US configured BGP route wrongly which led some users from US to be a victim of the great firewall of chinaThese victims were redirected to some Chinese govt. Websites instead of legitimate g gsites

Domain Name System

Domain Name SystemDNS

Domain Name System

Hierarchical Name SpaceHierarchical Name Space

root

comnetorg ukedu ca

orkut yahoo google facebook

www mail

DNS Lookup ExampleDNS Lookup Example

root & comroot & com DNS serverwww.google.com

Client Local DNS resolver

google.comDNS server

DNS record types (partial list):DNS record types (partial list):- NS: name server (points to other server)- A: address record (contains IP address)- MX: address in charge of handling emailMX: address in charge of handling email- TXT: generic text (e.g. used to distribute site public keys (DKIM)

CachingCaching

DNS responses are cached pQuick response for repeated translationsUseful for finding servers as well as addresses

NS records for domainsNS records for domains

DNS negative queries are cachedg qSave time for nonexistent sites, e.g. misspelling

Cached data periodically times outLifetime (TTL) of data controlled by owner of dataTTL passed with every recordTTL passed with every record

DNS cache poisoningDNS cache poisoning

Victim machine visits attacker’s web site, downloads Javascript

user localQuery:a bank com

a.bank.comQID=x1 ns bank comuser

browser DNSresolver

a.bank.com Q 1 ns.bank.com

IPaddr

Random QID y1, y2, …

attackerattacker wins if ∃j: x1 = yjresponse is cached and

NS bank.com=ns.bank.comA ns.bank.com=attackerIP

response is cached andattacker owns bank.com

DefensesDefenses

Increase Query ID size. How?Q y

a. Randomize src port, additional 11 bitsp ,

Now attack takes several hours

b. Ask every DNS query twice:Attacker has to guess QueryID correctly twice (32 bits)

Apparently DNS system cannot handle the load

PharmingPharming

DNS poisoning attack (less common than phishing)p g ( p g)If user visits attacker’s site the cache of user can be poisonedChange IP addresses to redirect URLs to fraudulent sitesPotentially more dangerous than phishing attacksote t a y o e da ge ous t a p s g attac sNo email solicitation is required

DNS poisoning attacks have occurred:DNS poisoning attacks have occurred:January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia. In November 2004 Google and Amazon users were sent toIn November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacyIn March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and jpresented them with the message "God Bless Our Troops"

SpoofingSpoofing

DNS spoofing attack p gIntercept the DNS query from the victimSpoof the ip address of the real urlSend forged DNS response with the attacker’s ipSe d o ged S espo se t t e attac e s pVictim thinks its legitimate as he accessed real url and gets no warningCan be used for phishing attacks where social engineering p g g gnot possible

DNS Rebinding Attack[DWF’96, R’01]

g<iframe src="http://www.evil.com"> DNS-SEC cannot

ns.evil.comwww.evil.com?

171 64 7 115 TTL = 0

stop this attack

Firew

DNS server171.64.7.115 TTL = 0

192.168.0.100

wall www.evil.com

web servercorporate

Read permitted: it’s the “same origin”

171.64.7.115corporate

web server192.168.0.100

Read permitted: it s the same origin

DNS Rebinding DefensesDNS Rebinding Defenses

Browser mitigation: DNS PinningBrowser mitigation: DNS PinningRefuse to switch to a new IPInteracts poorly with proxies, VPN, dynamic DNS, …p y p , , y ,Not consistently implemented in any browser

Server-side defensesCheck Host header for unrecognized domains

Firewall defensesExternal names can’t resolve to internal addressesProtects browsers inside the organization

SummarySummary

Core protocols not designed for securityp g yEavesdropping, Packet injection, Route stealing, DNS poisoning

Patched over time to prevent basic attacksPatched over time to prevent basic attacks(e.g. random TCP SN)

More secure variants exist : IP -> IPsecDNS -> DNSsecBGP -> SBGP