Berkeley COMPSCI 161 - Network Attacks Review & Denial-of-Service (DoS)


Network Attacks Review & Denial-of-Service (DoS)
CS 161: Computer Security
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin
http://inst.eecs.berkeley.edu/~cs161/
February 15, 2011

Goals For Today
Review the different classes of network attacks and how they relate to network layering. Feedback requested: was this valuable?
Discuss Denial-of-Service (DoS): attacks on availability. Mostly network-based, but also OS.

Basic Types of Security Goals
Confidentiality: No one can read our data / communication unless we want them to.
Integrity: No one can manipulate our data / processing / communication unless we want them to.
Availability: We can access our data / conduct our processing / use our communication capabilities when we want to.

Types of Security Goals, con't
Attacks can subvert each type of goal.
Confidentiality: eavesdropping / theft of information.
Integrity: altering data, manipulating execution (e.g., code injection).
Availability: denial-of-service.
Attackers can also combine different types of attacks towards an overarching goal. E.g., use eavesdropping (confidentiality) to construct a spoofing attack (integrity) that tells a server to drop an important connection (availability).

[Each of the following slides shows the layer diagram: 7 Application, 4 Transport, 3 (Inter)Network, 2 Link, 1 Physical.]

Network Attacks on Confidentiality
Nature of physical signaling can allow eavesdropping by nearby attackers. If they can eavesdrop, they see all of this.
Some link layers (e.g., wired Ethernet) also allow attackers to receive subnet traffic sent w/ broadcast, such as DHCP. For broadcasts an attacker receives, they see all of this.
Access to network devices (IP router; Ethernet switch) enables eavesdropping because attacker is in the forwarding path. If an attacker is in the forwarding path, they see all of layers 3, 4, 7, and perhaps layers 1 and 2 too, depending on their location.
Attackers can insert themselves into the forwarding path if they can manipulate victims to send their traffic through systems controlled by the attacker. E.g., DHCP spoofing to alter gateway, or DNS cache poisoning to alter a server's IP address. Again, once they are in the forwarding path, they see all of this.

Network Attacks on Integrity
Access to ANY network allows attacker to spoof packets. Spoof = send packets that claim to be from someone else.
Once they can spoof, they can falsify any/all of this ... or, if the NIC lacks programmability, then these.
Similarly, attackers who can get themselves on the forwarding path can create or alter any/all of this.

Man-in-the-Middle (MITM): Combining Eavesdropping with Spoofing
To fool a receiver into accepting spoofed traffic, an attacker must supply correct Layer 2/3/4/7 values. The easiest way to do so is to eavesdrop in order to discover the correct values to use.

Example: DHCP Spoofing
Attacker exploits link layer's broadcasting of DHCP requests to know when a client has a particular pending request.
Attacker uses their direct access to network to spoof a corresponding DHCP response.
The fake DHCP response includes bogus gateway and/or DNS server values.

Blind Spoofing
To fool a receiver into accepting spoofed traffic, an attacker must supply correct Layer 2/3/4/7 values. Another way to supply the correct values is to guess. Often requires additional information so blind guess has a prayer of being correct.
Remote attackers that can deduce layer 3/4/7 values can make receivers unwittingly accept unsolicited packets = blind spoofing.

Example: TCP Reset Injection
Attacker who can determine a connection's IP addresses and TCP ports and sequence numbers can forge a TCP packet with RST set that the receiver will be fooled into acting upon.

Violating Integrity Without Spoofing
Depending on how an application protocol works, an attacker can directly manipulate its functioning without any need to spoof.
Our first example of DNS cache poisoning just involved an attacker manipulating layer 7 values. No spoofing required.

Violating Integrity With Blind Spoofing
The Kaminsky attack, OTOH, repeatedly guesses the DNS transaction ID (layer 7) and sends traffic seemingly from the correct name server. Requires blind spoofing.
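
Receiver-side view of the TCP reset injection slides above, as an added example that is not part of the lecture: the original TCP specification (RFC 793) acts on any RST whose sequence number falls inside the receive window, while RFC 5961 resets only on an exact match and answers other in-window RSTs with a challenge ACK. Function names and sample values are constructed, and the zero-window special case is left out.

```python
# Added example: how a TCP receiver decides whether to act on an incoming RST.
# Names and sample values are constructed; assumes a nonzero receive window.
MOD = 2 ** 32  # TCP sequence numbers wrap modulo 2^32


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), allowing wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def classic_rst(seq, rcv_nxt, rcv_wnd):
    """RFC 793 behaviour: any in-window RST tears the connection down."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def hardened_rst(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 behaviour: reset only when seq equals RCV.NXT exactly.

    An in-window but inexact RST is answered with a challenge ACK; a genuine
    peer that really wants to reset replies with the exact sequence number.
    """
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    return "reset" if seq == rcv_nxt else "challenge_ack"


def count_resets(rule, rcv_nxt, rcv_wnd, candidates):
    """Number of candidate sequence numbers for which the rule resets."""
    return sum(rule(s, rcv_nxt, rcv_wnd) == "reset" for s in candidates)


# Constructed connection state: RCV.NXT sits just below the 2^32 wrap point.
RCV_NXT, RCV_WND = 4294967000, 65535
# Every sequence number from 100 below the window to well past its end.
CANDIDATES = [(RCV_NXT - 100 + i) % MOD for i in range(70000)]

if __name__ == "__main__":
    for rule in (classic_rst, hardened_rst):
        n = count_resets(rule, RCV_NXT, RCV_WND, CANDIDATES)
        print(f"{rule.__name__}: {n} of {len(CANDIDATES)} values reset")
```

Under the classic rule every one of the 65535 in-window values resets the connection, so a blind guess only has to land somewhere in the window; under the hardened rule exactly one value does.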

