Berkeley COMPSCI 161 - Network Attacks

This preview shows page 1-2-3-18-19-37-38-39 out of 39 pages.


Slide 1
Network Attacks, Part 2
CS 161: Computer Security
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin
http://inst.eecs.berkeley.edu/~cs161/
February 8, 2011

Slide 2: Game Plan
• Reminder: Homework #1 due tomorrow night, 9:59PM
• Goal for today: more network attacks
  – (Clarifications regarding TCP attacks)
  – DHCP: protocol for bootstrapping Internet access
  – DNS: protocol for mapping hostnames to IP addresses
  – TCP: cheating on "fairness" (time permitting)

Slide 3: Blind Spoofing: Attacker's Viewpoint
[Diagram: Attacker, Client? (1.2.3.4), Server (5.6.7.8)]
  SYN, SeqNum = x
  SYN + ACK, SeqNum = y, Ack = x + 1
  ACK, Ack = y + 1
Each host tells its Initial Sequence Number (ISN) to the other host. (Spec says to pick based on local clock)
Callouts:
• Attacker can spoof this
• But can't see this
• So how do they know what to put here?
• Hmm, any way for the attacker to know this?
• Sure - make a non-spoofed connection first, and see what server used for ISN y then!
How Do We Fix This? Use A Random ISN

Slide 4: Internet Bootstrapping: DHCP
• New host doesn't have an IP address yet
  – So, host doesn't know what source address to use
• Host doesn't know who to ask for an IP address
  – So, host doesn't know what destination address to use
• Solution: shout to "discover" server that can help
  – Broadcast a server-discovery message (layer 2)
  – Server(s) sends a reply offering an address
[Diagram: host, host, ..., host, DHCP server]

Slide 5: Dynamic Host Configuration Protocol
[Diagram: message exchange between new client and DHCP server]
  DHCP discover (broadcast)
  DHCP offer
  DHCP request (broadcast)
  DHCP ACK
"offer" message includes IP address, DNS server, "gateway router", and how long client can have these ("lease" time)

Slide 6: Dynamic Host Configuration Protocol
(same message exchange as slide 5)
Threats?

Slide 7: Dynamic Host Configuration Protocol
(same message exchange as slide 5)
Attacker on same subnet can hear new host's DHCP request

Slide 8: Dynamic Host Configuration Protocol
(same message exchange as slide 5)
Attacker can race the actual server; if they win, replace DNS server and/or gateway router

Slide 9: DHCP Threats
• Substitute a fake DNS server
  – Redirect any of a host's lookups to a machine of attacker's choice
• Substitute a fake "gateway"
  – Intercept all of a host's off-subnet traffic
    o (even if not preceded by a DNS lookup)
  – Relay contents back and forth between host and remote server
    o Modify however attacker chooses
• An invisible Man In The Middle (MITM)
  – Victim host has no way of knowing it's happening
    o (Can't necessarily alarm on peculiarity of receiving multiple DHCP replies, since that can happen benignly)
• How can we fix this? Hard

Slide 10: DNS Lookups via a Resolver
[Diagram: lookup steps 1-8 among the following]
  requesting host: xyz.poly.edu
  local DNS server (resolver): dns.poly.edu
  root DNS server ('.')
  TLD DNS server ('.edu')
  authoritative DNS server ('umass.edu', 'cs.umass.edu'): dns.cs.umass.edu
  target: gaia.cs.umass.edu
Host at xyz.poly.edu wants IP address for gaia.cs.umass.edu
Caching heavily used to minimize lookups

Slide 11: DNS Protocol
DNS protocol: query and reply messages, both with same message format
(Mainly uses UDP transport rather than TCP)
Message header:
• Identification: 16 bit # for query, reply to query uses same #
• Replies can include "Authority" (name server responsible for answer) and "Additional" (info client is likely to look up soon anyway)
• Replies have a Time To Live (in seconds) for caching
Message layout:
  |      16 bits      |      16 bits      |
  | Identification    | Flags             |
  | # Questions       | # Answer RRs      |
  | # Authority RRs   | # Additional RRs  |
  | Questions (variable # of resource records)              |
  | Answers (variable # of resource records)                |
  | Authority (variable # of resource records)              |
  | Additional information (variable # of resource records) |

Slide 12: DNS Threats
• DNS: path-critical for just about everything we do
  – Maps hostnames ⇔ IP addresses
  – Design only scales if we can minimize lookup traffic
    o #1 way to do so: caching
    o #2 way to do so: return not only answers to queries, but additional info that will likely be needed shortly
• What if attacker eavesdrops on our DNS queries?
  – Then similar to DHCP, can redirect us w/ misinformation
• Consider attackers who can't eavesdrop - but still aim to manipulate us via how protocols function
• Directly interacting w/ DNS: dig program on Unix
  – Allows querying of DNS system
  – Dumps each field in DNS responses

Slide 13
  dig eecs.mit.edu A
  ; ; <<>> DiG 9.6.0-APPLE-P2 <<>> eecs.mit.edu a
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19901
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
  ;; QUESTION SECTION:
  ;eecs.mit.edu. IN A
  ;; ANSWER SECTION:
  eecs.mit.edu. 21600 IN A 18.62.1.6
  ;; AUTHORITY SECTION:
  mit.edu. 11088 IN NS BITSY.mit.edu.
  mit.edu. 11088 IN NS W20NS.mit.edu.
  mit.edu. 11088 IN NS STRAWB.mit.edu.
  ;; ADDITIONAL SECTION:
  STRAWB.mit.edu. 126738 IN A 18.71.0.151
  BITSY.mit.edu. 166408 IN A 18.72.0.3
  W20NS.mit.edu. 126738 IN A 18.70.0.160
Use Unix "dig" utility to look up DNS address ("A") for hostname eecs.mit.edu

Slide 14
(same dig output as slide 13)
These are just comments from dig itself with details of the request/response

Slide 15
  dig eecs.mit.edu A
  ; ; <<>> DiG 9.6.0-APPLE-P2 <<>> eecs.mit.edu a
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19901
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1,
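
The DHCP Threats slide notes that a client cannot alarm merely on receiving several DHCP replies, since that happens benignly. The following added example (not from the lecture) parses DHCPOFFER packets and reports only transactions whose offers disagree on the gateway router or DNS server; the function names, the disagreement heuristic and the sample addresses are assumptions made here, and the heuristic is a monitoring aid, not a fix.

```python
import socket
import struct
from collections import defaultdict

MAGIC = bytes([99, 130, 83, 99])   # DHCP magic cookie after the 236-byte fixed header
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, DHCPOFFER = 3, 6, 53, 54, 2

def build_offer(xid, yiaddr, server, router, dns):
    """Build a minimal DHCPOFFER; used only to construct the sample input."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                        bytes(4), socket.inet_aton(yiaddr), bytes(4), bytes(4),
                        bytes(16), b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    for code, addr in ((OPT_SERVER_ID, server), (OPT_ROUTER, router), (OPT_DNS, dns)):
        opts += bytes([code, 4]) + socket.inet_aton(addr)
    return fixed + MAGIC + opts + b"\xff"

def parse_offer(pkt):
    """Return the fields of a DHCPOFFER that the client will act on, else None."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        return None
    opts, pos = {}, 240
    while pos + 1 < len(pkt) and pkt[pos] != 255:      # 255 = end option
        if pkt[pos] == 0:                               # 0 = pad, no length byte
            pos += 1
            continue
        opts[pkt[pos]] = pkt[pos + 2:pos + 2 + pkt[pos + 1]]
        pos += 2 + pkt[pos + 1]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    def ip(code):                                       # first IPv4 address of an option
        value = opts.get(code, b"")
        return socket.inet_ntoa(value[:4]) if len(value) >= 4 else None
    return {"xid": struct.unpack("!I", pkt[4:8])[0], "server": ip(OPT_SERVER_ID),
            "router": ip(OPT_ROUTER), "dns": ip(OPT_DNS)}

def conflicting_offers(packets):
    """Map xid -> offers, for transactions whose offers disagree on router or DNS."""
    by_xid = defaultdict(list)
    for offer in filter(None, map(parse_offer, packets)):
        by_xid[offer["xid"]].append(offer)
    return {xid: offers for xid, offers in by_xid.items()
            if len({(o["router"], o["dns"]) for o in offers}) > 1}

# Constructed sample (documentation address ranges): xid 0x1111 gets two
# consistent offers (benign redundancy); xid 0x2222 gets a disagreeing pair.
SAMPLE = [
    build_offer(0x1111, "192.0.2.10", "192.0.2.1", "192.0.2.1", "192.0.2.53"),
    build_offer(0x1111, "192.0.2.11", "192.0.2.2", "192.0.2.1", "192.0.2.53"),
    build_offer(0x2222, "192.0.2.12", "192.0.2.1", "192.0.2.1", "192.0.2.53"),
    build_offer(0x2222, "192.0.2.13", "192.0.2.99", "192.0.2.99", "198.51.100.7"),
]
```

Two redundant servers handing out the same router and DNS server stay silent; only the transaction with disagreeing values is returned for review.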
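
The DNS Protocol slide describes a header of six 16-bit fields in which the reply reuses the query's Identification number. The following added example (not from the lecture) unpacks that header and applies the acceptance check a resolver relies on: the reply must carry the same ID and the same question as the outstanding query. The function names are assumptions; the sample messages are constructed from the values in the dig output (id 19901, flags qr rd ra, counts 1/1/3/3).

```python
import struct

def encode_name(name):
    """Encode a hostname as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(ident, flags, qname, counts=(1, 0, 0, 0), qtype=1):
    """Build header + one question (type A, class IN); used for sample input only."""
    return (struct.pack("!HHHHHH", ident, flags, *counts)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))

def parse_header(msg):
    """Unpack the six 16-bit header fields shown on the slide."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": flags >> 15, "rd": (flags >> 8) & 1,
            "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
            "counts": (qd, an, ns, ar)}

def parse_question(msg):
    """Return (name, qtype, qclass) of the first question, name lower-cased."""
    labels, pos = [], 12
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass

def reply_matches(query, reply):
    """True only if reply is a response with the query's ID and question."""
    try:
        q, r = parse_header(query), parse_header(reply)
        return (r["qr"] == 1 and r["id"] == q["id"]
                and parse_question(reply) == parse_question(query))
    except (IndexError, struct.error, ValueError):
        return False        # truncated or malformed message: never accept

# Constructed sample: the resource records themselves are omitted, so the
# reply carries only the header counts and the echoed question.
QUERY = build_message(19901, 0x0100, "eecs.mit.edu")                 # rd
REPLY = build_message(19901, 0x8180, "eecs.mit.edu", (1, 1, 3, 3))   # qr rd ra
```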

