Network Attacks Review & Denial-of-Service (DoS)
CS 161: Computer Security
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin
http://inst.eecs.berkeley.edu/~cs161/
February 15, 2011

Goals For Today
• Review the different classes of network attacks and how they relate to network layering
– Feedback requested: was this valuable?
• Discuss Denial-of-Service (DoS): attacks on availability
– Mostly network-based, but also OS

Basic Types of Security Goals
• Confidentiality:
– No one can read our data / communication unless we want them to
• Integrity
– No one can manipulate our data / processing / communication unless we want them to
• Availability
– We can access our data / conduct our processing / use our communication capabilities when we want to

Types of Security Goals, con’t
• Attacks can subvert each type of goal
– Confidentiality: eavesdropping / theft of information
– Integrity: altering data, manipulating execution (e.g., code injection)
– Availability: denial-of-service
• Attackers can also combine different types of attacks towards an overarching goal
– E.g. use eavesdropping (confidentiality) to construct a spoofing attack (integrity) that tells a server to drop an important connection (availability)

[Layer diagram shown on each of the following slides: 7 Application, 4 Transport, 3 (Inter)Network, 2 Link, 1 Physical]

Network Attacks on Confidentiality
• Nature of physical signaling can allow eavesdropping by nearby attackers
• If they can eavesdrop, they see all of this
• Some link layers (e.g., wired Ethernet) also allow attackers to receive subnet traffic sent w/ broadcast (such as DHCP)
• For broadcasts an attacker receives, they see all of this
• Access to network devices (IP router; Ethernet switch) enables eavesdropping because attacker is in the forwarding path
• If an attacker is in the forwarding path, they see all of layers 3/4/7 … and perhaps layers 1 and 2 too, depending on their location
• Attackers can insert themselves into the forwarding path if they can manipulate victims to send their traffic through systems controlled by the attacker
– (E.g., DHCP spoofing to alter “gateway”, or DNS cache poisoning to alter a server’s IP address)
• Again, once they are in the forwarding path, they see all of this

Network Attacks on Integrity
• Access to ANY network allows attacker to spoof packets.
– Spoof = send packets that claim to be from someone else.
• Once they can spoof, they can falsify any/all of this
• (… or if the NIC lacks programmability, then these)
• Similarly, attackers who can get themselves on the forwarding path … can create or alter any/all of this
– Man-in-the-Middle (MITM)

Combining Eavesdropping with Spoofing
• To fool a receiver into accepting spoofed traffic, an attacker must supply correct Layer 2/3/4/7 values.
• The easiest way to do so is to eavesdrop in order to discover the correct values to use.

Example: DHCP Spoofing
• Attacker exploits link layer’s broadcasting of DHCP requests to know when a client has a particular pending request
• Attacker uses their direct access to network to spoof a corresponding DHCP response
• The fake DHCP response includes bogus “gateway” and/or DNS server values

Blind Spoofing
• To fool a receiver into accepting spoofed traffic, an attacker must supply correct Layer 2/3/4/7 values.
• Another way to supply the correct values is to guess. Often requires additional information so “blind” guess has a prayer of being correct
• Remote attackers that can deduce layer 3/4/7 values can make receivers unwittingly accept unsolicited packets: blind spoofing

Example: TCP Reset Injection
• Attacker who can determine a connection’s IP addresses … and TCP ports and sequence numbers … can forge a TCP packet with RST set that the receiver will be fooled into acting upon

Violating Integrity Without Spoofing
• Depending on how an application protocol works, an attacker can directly manipulate its functioning … without any need to spoof.
• Our first example of DNS cache poisoning just involved an attacker manipulating layer-7 values. No spoofing required.

Violating Integrity With Blind Spoofing
• The Kaminsky attack, OTOH, repeatedly guesses the DNS transaction ID (layer 7), and sends traffic seemingly from the correct name server. Requires blind spoofing.
• If we randomize the source port of our DNS requests, then attacker also has to guess a (16-bit) layer-4
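
The response check that blind spoofing has to get past, and how source-port randomization enlarges the space of values to guess, as an added example that is not part of the lecture. The `Resolver` class, the port range 1024-65535 and the fixed port 53000 are assumptions made for this sketch.

```python
import secrets
from dataclasses import dataclass

TXID_SPACE = 1 << 16               # DNS transaction ID is 16 bits (layer 7)
PORT_RANGE = range(1024, 65536)    # assumed ephemeral port range for this example

@dataclass(frozen=True)
class Pending:
    server_ip: str   # layer 3: name server the query was sent to
    src_port: int    # layer 4: UDP source port the query left from
    txid: int        # layer 7: transaction ID
    qname: str       # layer 7: name being asked about

class Resolver:
    """Hypothetical resolver that tracks its outstanding queries."""
    def __init__(self, randomize_port, fixed_port=53000):
        self.randomize_port = randomize_port
        self.fixed_port = fixed_port
        self.pending = {}

    def send_query(self, server_ip, qname):
        port = secrets.choice(PORT_RANGE) if self.randomize_port else self.fixed_port
        q = Pending(server_ip, port, secrets.randbelow(TXID_SPACE), qname.lower())
        self.pending[(q.src_port, q.txid)] = q
        return q

    def accept(self, src_ip, dst_port, txid, qname):
        """Accept a response only if every layer 3/4/7 value matches a pending query."""
        q = self.pending.get((dst_port, txid))
        if q is None or q.server_ip != src_ip or q.qname != qname.lower():
            return False                       # answers nothing we asked: drop
        del self.pending[(dst_port, txid)]     # one answer per query
        return True

def guess_space(randomize_port):
    """Values an off-path sender must guess. The source IP is spoofable and a
    fixed port is assumed known, so only the TXID (and random port) count."""
    return TXID_SPACE * (len(PORT_RANGE) if randomize_port else 1)

def p_forged_accepted(n_forged, randomize_port):
    """Chance that n distinct blind guesses include the right (port, TXID) pair."""
    return min(1.0, n_forged / guess_space(randomize_port))
```
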