Network Protocols and Vulnerabilities CS 155Spring 2009Dan BonehOutlineBasic Networking: How things work now plus some problemsSome network attacksAttacking host-to-host datagram protocolsAttacking host-to-host datagram protocols TCP Spoofing, … Attacking network infrastructure Routing Domain Name SystemBackboneISPISPInternet InfrastructureLocal and interdomain routing TCP/IP for routing, connections BGP for routing announcementsDomain Name System Find IP address from symbolic name (www.cs.stanford.edu)TCP Protocol StackApplicationTransportApplication protocolTCP protocolApplicationTransportTransportNetworkLinkIP protocolData LinkIPNetwork AccessIP protocolData LinkTransportNetworkLinkData FormatsApplicationTransport (TCP, UDP)Application message - dataTCPdataTCPdataTCPdataTCP Headersegment messageTransport (TCP, UDP)Network (IP)Link LayerTCPdataTCPdataTCPdatadataTCPIPIP HeaderdataTCPIPETH ETFLink (Ethernet)HeaderLink (Ethernet)Trailersegment packetframeInternet ProtocolConnectionless Unreliable Best effortIPVersion Header LengthType of ServiceTotal LengthIdentificationFlagsTime to LiveProtocolFragment OffsetNotes: src and dest portsnot parts of IP hdrTime to LiveProtocolHeader ChecksumSource Address of Originating HostDestination Address of Target HostOptionsPaddingIP DataIP RoutingMegTomOffice gateway121.42.33.12132.14.11.51SourceDestinationPacket121.42.33.12132.14.11.1Internet routing uses numeric IP addressTypical route uses several hopsISP121.42.33.1132.14.11.51132.14.11.1IP Protocol Functions (Summary)Routing IP host knows location of router (gateway) IP gateway must know route to other networksFragmentation and reassemblyFragmentation and reassembly If max-packet-size less than the user-data-sizeError reporting ICMP packet to source if packet is droppedTTL field: decremented after every hop Packet dropped f TTL=0. Prevents infinite loops.Problem: no src IP authenticationClient is trusted to embed correct source IP Easy to override using raw sockets Libnet: a library for formatting raw packets with arbitrary IP headers⇒ Anyone who owns their machine can send packets with arbitrary source IP … response will be sent back to forged source IP Implications: (solutions in DDoS lecture) Anonymous DoS attacks; Anonymous infection attacks (e.g. slammer worm)User Datagram ProtocolUnreliable transport on top of IP: No acknowledgment No congenstion control No message continuationUDPTransmission Control ProtocolConnection-oriented, preserves order Sender Break data into packets Attach packet numbersReceiverTCPReceiver Acknowledge receipt; lost packets are resent Reassemble packets in correct orderBook Mail each page Reassemble book19511 1TCP HeaderSource PortDest portSource PortDest portSEQ NumberACK NumberOther stuffURGPSRACKPSHSYNFINTCP HeaderReview: TCP HandshakeCSSYN:SYN/ACK:ListeningStore SNC , SNSSNC←randCANC←0SNS←randSSYN/ACK:ACK:Store SNC , SNSWaitEstablishedSNS←randSANS←SNCSN←SNC+1AN←SNSReceived packets with SN too far out of window are droppedBasic Security Problems1. Network packets pass by untrusted hosts Eavesdropping, packet sniffing Especially easy when attacker controls a machine close to victim2. TCP state can be easy to guess Enables spoofing and session hijacking3. Denial of Service (DoS) vulnerabilities DDoS lecture1. Packet SniffingPromiscuous NIC reads all packets Read all unencrypted data (e.g., “wireshark”) ftp, telnet (and POP, IMAP) send passwords in clear!EveAlice BobEveNetworkPrevention: Encryption (next lecture: IPSEC)Sweet Hall attack installed sniffer on local machine2. TCP Connection SpoofingWhy random initial sequence numbers? (SNC , SNS )Suppose init. sequence numbers are predictable Attacker can create TCP session on behalf of forged source IPBreaks IP-based authentication (e.g. SPF, /etc/hosts )Breaks IP-based authentication (e.g. SPF, /etc/hosts )VictimServerSYN/ACKdstIP=victimSN=server SNSACKsrcIP=victimAN=predicted SNScommandserver thinks command is from victim IP addrattackerTCP SYNsrcIP=victimExample DoS vulnerability [Watson’04]Suppose attacker can guess seq. number for an existing connection: Attacker can send Reset packet to close connection. Results in DoS.Naively, success prob. is 1/232(32-bit seq. #’s).Naively, success prob. is 1/232(32-bit seq. #’s). Most systems allow for a large window of acceptable seq. #’s Much higher success probability.Attack is most effective against long lived connections, e.g. BGPRandom initial TCP SNsUnpredictable SNs prevent basic packet injection … but attacker can inject packets after eavesdropping to obtain current SNMost TCP stacks now generate random SNsMost TCP stacks now generate random SNs Random generator should be unpredictable GPR’06: Linux RNG for generating SNs is predictable Attacker repeatedly connects to server Obtains sequence of SNs Can predict next SN Attacker can now do TCP spoofing (create TCP session with forged source IP)Routing VulnerabilitiesRouting VulnerabilitiesCommon attack: advertise false routes Causes traffic to go though compromised hostsARP (addr resolution protocol): IP addr -> eth addr Node A can confuse gateway into sending it traffic for B By proxying traffic, attacker A can easily inject packets into B’s session (e.g. WiFi networks)OSPF: used for routing within an ASBGP: routing between ASs Attacker can cause entire Internet to send traffic for a victim IP to attacker’s address. Example: Youtube mishap (see DDoS lecture)Interdomain RoutingBGPearthlink.netStanford.educonnected group of one or more Internet Protocol prefixes under a single routing policy (aka domain)OSPFBGPAutonomous SystemBGP overviewIterative path announcement Path announcements grow from destination to source Packets flow in reverse directionProtocol specification Announcements can be shortest path Not obligated to use announced pathBGP example [D. Wetherall]3 418 22 72 72 73 2 72 6 52 6 53 2 6 57 2 6 56 55Transit: 2 provides transit for 7Algorithm seems to work OK in practice BGP is does not respond well to frequent node outages657772 76 2 72 6 57 2 6 55IssuesSecurity problems Potential for disruptive attacks BGP packets are un-authenticated Attacker can advertise arbitrary routesAdvertisement
View Full Document
Unlocking...