1 / 29

Internet infrastructure

Internet infrastructure. Infrastructure Security. User expectations Reliable service Reliable endpoints – although we know of spoofing and phishing Partial expectations – “good” route (not through malicious nodes), confidentiality, integrity

kare
Download Presentation

Internet infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Internet infrastructure

  2. Infrastructure Security • User expectations • Reliable service • Reliable endpoints – although we know of spoofing and phishing • Partial expectations – “good” route (not through malicious nodes), confidentiality, integrity • Implied expectations: temporary data, blending with the crowd • Unreliable endpoints or routes facilitate attacks on confidentiality and integrity • Routes through malicious nodes = MITM

  3. Some Infrastructure Features • Networks • LAN • AS (ISP network) • Inter AS connections, • Routers • Application level servers (e.g. web, mail,…) • Protocols • ARP • DNS • Routing protocols

  4. ARP

  5. ARP • Resolves IP address to link-layer address • Simple request-reply protocol • Packet includes MAC and IP addresses for sender and target. • If target MAC is unknown send request for target IP and broadcast MAC (all 0xF) • Response includes MAC address • Requester stores MAC-IP mapping in ARP table • Any node in LAN requires at least one ARP request to connect to Internet

  6. ARP Spoofing / Poisoning • ARP is stateless – requests are not connected too replies in a session • Implementations update ARP tables in response to ARP replies (even if entries are still valid) • ARP spoofing – send ARP reply with attacker’s MAC and spoofed (usually gateway) IP • Result – poisoned ARP tables • Legitimate use – force registration to receive full network access, e.g. in hotels

  7. Countermeasures • Static ARP tables • Update ARP entries only after timeout • Update ARP entries only after sending request (Linux) • Check unusual ARP behavior, e.g. large number of packets • Upgrade to protocol with cryptographic protection (SEND is a secure version of NDP over IPv6) • Example of IPsec problem – chicken and egg with IP addresses in IKE

  8. Attack on Behavior Analysis* • Assume node disregards “abnormal” ARP activity, e.g. • If MAC x sends many ARP replies with IP y then node assumes that MAC x is not IP y • Attack: • Attacker spoofs gateway MAC (in Ethernet and ARP headers) • Attacker mimics “bad” behavior for gateway • Node disregards gateway • Attacker sends single reply with its own MAC and gateway IP

  9. DNS

  10. DNS Architecture • Objective – map name to IP address • Domain – e.g. *.bgu.ac.il. *cse.bgu.ac.il could be a sub-domain or separate domain • DNS client (resolver) • Records: A (IP address), NS (name server), MX (mail server) etc. • Name server – • Authoritative • Recursive • Hierarchy

  11. Server Hierarchy • 13 root name servers • Named by letters A,…,M • Responsible for root domain (empty string) • Name limited by 512 byte size of DNS packet over UDP without fragmentation • All root servers are clusters • Some are geographically distributed by anycast • Top Level Domain Servers • 20 GTLD (global/generic) – e.g. responsible for .net, .com etc. • ~250 Country code TLD

  12. DNS Query • Triggered by application • Local DNS server may • Be authoritative • Cache recently seen record • Send query to root name server • Queries follow recursive path to authoritative name server • Answered queries populate cache. • Each entry in cache has TTL (set by administrator)

  13. Cache Poisoning and Defenses • Cache poisoning – fill name server’s cache with mapping of domains to attacker’s IP • Defense: • Response destination port matches request source port • Response Question ID (QID), 16 bits, must match • Bailiwick checking – response is for lower domain in hierarchy, NS for ac.il not accepted for bank.co.il • Weaknesses in “old” implementations – QID incremented by 1 for each query, source port does not change, bad replies are simply dropped

  14. DNS poisoning • Attacker sets up name server for attacker domain. • Attacker gets target name server to send DNS request to its own server learning QID • Directly • Open web page and users will ask for it • Attacker sends query through target name server for some domain, e.g. bank.co.il • Attacker floods name server with forged replies, guessing source port and QID. • If attacker reply arrives before real reply, the cache is poisoned.

  15. Countermeasures • Randomize QID • Refresh source port • Will have negative impact on performance • Monitor for flood situation • Will have negative impact on performance

  16. Kaminsky Attack (2008) • Send request for name that doesn’t exist in a real domain • Send flood of forged replies as in previous attacks • Each reply forges name server of domain • Set very long TTL • Same idea could work for GTLD servers (i.e. .com) but not for root servers • Mitigation – randomize source port, currently Windows has 2500 source ports for DNS – 2500*216 possibilities

  17. DNSSEC • Objectives for DNS traffic • Origin authentication • Integrity protection • Authenticated denial of existence • Method: PKI with certificate for every DNS server anchored (root CA) by root DNS. • PKI is chain of: • DNSKEY – public keys for signature verification • DS – Delegation Signer, includes hash of keys • Parent DNSKEY signs DS. Each DS includes hashes of public keys used for self signing the child DNSKEY and for signing zone data

  18. DNSSEC (cont.) • DNSKEY often includes • ZSK – Zone Signing Keys – validating zone data • KSK – Key Signing Keys – Validating other keys • Resolver is configured with root public key • May be configured with additional anchors • Resolver uses DNS to collect DNSKEY and DS records from root to key signing the requested zone • Zone data is signed in RRSIG records

  19. Denial of existence • Attackers goal: • Spoof “does not exist” • To solve problem, DNS servers that comply with DNSSEC store NSEC records • Names appear in canonical form • NSEC - signed “next existing” name • Result: signed ranges of non-existent names • Query for name that doesn’t exist is answered with signed range that “covers” this name

  20. Zone Enumeration in DNSSEC • Zone enumeration – obtain all addresses in domain • Creators of DNSSEC did not consider this to be a threat • Most organizations consider this secret • Attacker enumerates zone by • Querying random name • Receiving range • Deducing that names in range bounds exist • Iterating

  21. Mitigation of Zone Enumeration • Online approach (currently RFC 4470) • Name server signs “does not exist” online • Name server constructs small (and ever-decreasing range to sign) • NSEC3 approach (currently RFC 5155) • Same idea as NSEC, but use hashed name (cryptographic hash) instead of name • Range does not reveal names • Common names may still be found by dictionary attack • NSEC3 uses several hash functions with a counter on the number of iterated uses of the hash, increasing attacker dictionaries.

  22. DoS Attacks • October 2002 • One hour • All 13 root name servers simultaneously • About 900 Mbps total • ICMP flood, SYN flood, fragment flood • No server crashed, some queries were lost • February 2007 • 24 hours • 4 root servers, 3 .info servers • Botnet of ~5000 hosts mostly in Korea • Flood of DNS queries • Two name servers lost up to 90% of the queries

  23. BGP

  24. Border Gateway Protocol • One of the standard suite of Internet routing protocols • Is the most common inter-domain routing protocol • Connects different AS, often different service providers • Tens of thousand of different AS • Attackers want to break integrity • MITM • Block access to sites • Use rare IP addresses for e.g. spam • Several prominent incidents led to outage or redirection of large part of Internet

  25. IP blocks and AS numbers

  26. BGP route advertisements

  27. False route

  28. More specific route

  29. Additional problems • Manipulation of BGP attributes • Prepending – adding the same AS multiple times to a route, causing it to be longer • BGP runs over TCP – vulnerable to various TCP issues • Solutions – deployed solutions include route filtering and route registries, nothing strong

More Related