Network Attacks, Part 2
CS 161: Computer Security
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed, Matthias Vallentin
http://inst.eecs.berkeley.edu/~cs161/
February 8, 2011

Game Plan
- Reminder: Homework 1 due tomorrow night, 9:59PM
- Goal for today: more network attacks
  - Clarifications regarding TCP attacks
  - DHCP: protocol for bootstrapping Internet access
  - DNS: protocol for mapping hostnames to IP addresses
  - TCP cheating on fairness (time permitting)

Blind Spoofing: Attacker's Viewpoint
[Diagram: Attacker, posing as Client 1.2.3.4, and Server 5.6.7.8]
- Attacker to Server: SYN, SeqNum = x (attacker can spoof this)
- Server to Client: SYN+ACK, SeqNum = y, Ack = x+1 (but can't see this)
- Attacker to Server: ACK, Ack = y+1 (so how do they know what to put here?)
- Each host tells its Initial Sequence Number (ISN) to the other host. (Spec says to pick based on local clock.)
- Hmm, any way for the attacker to know this? Sure: make a non-spoofed connection first, and see what server used for ISN y then!
- How do we fix this? Use a random ISN

Internet Bootstrapping: DHCP
- New host doesn't have an IP address yet
  - So, host doesn't know what source address to use
- Host doesn't know who to ask for an IP address
  - So, host doesn't know what destination address to use
- Solution: shout to "discover" server that can help
  - Broadcast a server-discovery message (layer 2)
  - Server(s) sends a reply offering an address
[Diagram: three hosts and a DHCP server on one network]

Dynamic Host Configuration Protocol
[Diagram: message exchange between new client and DHCP server]
- New client to all: DHCP discover (broadcast)
- DHCP server to client: DHCP offer
- New client to all: DHCP request (broadcast)
- DHCP server to client: DHCP ACK
- DHCP server "offer" message includes: IP address, DNS server, "gateway router", and how long client can have these ("lease time")
- Threats?
  - Attacker on same subnet can hear new host's DHCP request
  - Attacker can race the actual server; if they win, replace DNS server and/or gateway router

DHCP Threats
- Substitute a fake DNS server
  - Redirect any of a host's lookups to a machine of attacker's choice
- Substitute a fake gateway
  - Intercept all of a host's off-subnet traffic
    o (even if not preceded by a DNS lookup)
  - Relay contents back and forth between host and remote server
    o Modify however attacker chooses
- An invisible Man In The Middle (MITM)
  - Victim host has no way of knowing it's happening
    o Can't necessarily alarm on peculiarity of receiving multiple DHCP replies, since that can happen benignly
- How can we fix this? Hard

DNS Lookups via a Resolver
- Host at xyz.poly.edu wants IP address for gaia.cs.umass.edu
- Caching heavily used to minimize lookups
[Diagram: numbered steps 1-8 among the requesting host xyz.poly.edu, the local DNS server (resolver) dns.poly.edu, the root DNS server, the TLD DNS server ('.edu'), and the authoritative DNS server ('umass.edu', 'cs.umass.edu') dns.cs.umass.edu, for the name gaia.cs.umass.edu]

DNS Protocol
- DNS protocol: query and reply messages, both with same message format
  - (Mainly uses UDP transport rather than TCP)
- Message header:
  - Identification: 16 bit # for query, reply to query uses same #
  - Replies can include "Authority" (name server responsible for answer) and "Additional" (info client is likely to look up soon anyway)
  - Replies have a Time To Live (in seconds) for caching
- Message format:

    16 bits               | 16 bits
    ----------------------+----------------------
    Identification        | Flags
    # Questions           | # Answer RRs
    # Authority RRs       | # Additional RRs
    Questions (variable # of resource records)
    Answers (variable # of resource records)
    Authority (variable # of resource records)
    Additional information (variable # of resource records)

DNS Threats
- DNS: path-critical for just about everything we do
  - Maps hostnames ↔ IP addresses
  - Design only scales if we can minimize lookup traffic
    o #1 way to do so: caching
    o #2 way to do so: return not only answers to queries, but additional info that will likely be needed shortly
- What if attacker eavesdrops on our DNS queries?
  - Then similar to DHCP, can redirect us w/ misinformation
- Consider attackers who can't eavesdrop, but still aim to manipulate us via how protocols function
- Directly interacting w/ DNS: dig program on Unix
  - Allows querying of DNS system
  - Dumps each field in DNS responses

dig eecs.mit.edu A
Use Unix "dig" utility to look up DNS address ("A") for hostname eecs.mit.edu

    ; <<>> DiG 9.6.0-APPLE-P2 <<>> eecs.mit.edu a
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19901
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

    ;; QUESTION SECTION:
    ;eecs.mit.edu.                  IN      A

    ;; ANSWER SECTION:
    eecs.mit.edu.           21600   IN      A       18.62.1.6

    ;; AUTHORITY SECTION:
    mit.edu.                11088   IN      NS      BITSY.mit.edu.
    mit.edu.                11088   IN      NS      W20NS.mit.edu.
    mit.edu.                11088   IN      NS      STRAWB.mit.edu.

    ;; ADDITIONAL SECTION:
    STRAWB.mit.edu.         126738  IN      A       18.71.0.151
    BITSY.mit.edu.          166408  IN      A       18.72.0.3
    W20NS.mit.edu.          126738  IN      A       18.70.0.160

dig eecs.mit.edu A (same output, repeated with annotations)
- These are just comments from dig itself with details of the request/response
- Transaction identifier
…
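The DNS Protocol slide's header layout and its rule that a reply reuses the query's 16-bit Identification, worked through as an added example (not part of the original slides). The sample messages are constructed here from the values in the dig output (id 19901, flags qr rd ra, counts 1/1/3/3); the function names are this example's own.

```python
import struct
from dataclasses import dataclass

# The header is six 16-bit big-endian fields (12 bytes), as on the slide.
HEADER = struct.Struct("!6H")
# Bit positions inside the Flags field, per RFC 1035 section 4.1.1.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
FLAG_NAMES = (("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA))

@dataclass
class DnsHeader:
    ident: int      # Identification (transaction identifier)
    flags: int
    questions: int
    answers: int
    authority: int
    additional: int

    @property
    def is_reply(self) -> bool:
        return bool(self.flags & QR)

    @property
    def rcode(self) -> int:
        return self.flags & 0x000F  # 0 is NOERROR

def parse_header(msg: bytes) -> DnsHeader:
    if len(msg) < HEADER.size:
        raise ValueError("truncated DNS message: header is 12 bytes")
    return DnsHeader(*HEADER.unpack_from(msg))

def flag_names(header: DnsHeader) -> list:
    """Names of the set flag bits, in the order dig prints them."""
    return [name for name, bit in FLAG_NAMES if header.flags & bit]

def reply_matches_query(query: bytes, reply: bytes) -> bool:
    """Accept a reply only if it parses, is marked as a reply, and
    carries the same Identification as the outstanding query."""
    try:
        q, r = parse_header(query), parse_header(reply)
    except ValueError:
        return False
    return (not q.is_reply) and r.is_reply and r.ident == q.ident

# Constructed sample headers mirroring the dig output (header bytes only).
SAMPLE_QUERY = HEADER.pack(19901, RD, 1, 0, 0, 0)
SAMPLE_REPLY = HEADER.pack(19901, QR | RD | RA, 1, 1, 3, 3)
# Same reply with a different Identification: must be rejected.
MISMATCHED_REPLY = HEADER.pack(4242, QR | RD | RA, 1, 1, 3, 3)
```

The Identification match is only the header-level check the slide describes; real resolvers also compare other parts of the reply, such as the question it answers.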