Berkeley COMPSCI 161 - Network Attacks

This preview shows page 1-2-14-15-29-30 out of 30 pages.

Slide 1: Network Attacks
CS 161: Computer Security
Profs. Vern Paxson and David Wagner
TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger
http://inst.eecs.berkeley.edu/~cs161/
Feb 10, 2010

Slide 2: Focus of Today's Lecture
- Finish discussion of security threats in TCP: the problem of "cheaters" who exceed the allowed transmission rate; summary of TCP issues/principles
- Security threats in DHCP and DNS; summary of issues/principles
- Note that none of these threats concerns direct application threats. They all target the building blocks used by applications.

Slide 3: TCP's Rate Management
- Unless there's loss, TCP doubles the data in flight every round trip
- All TCPs are expected to obey "fairness"
- Mechanism: for each arriving ack for new data, increase the allowed data by 1 maximum-sized packet
- [Diagram: e.g., suppose a maximum-sized packet is 100 bytes. Src sends D[0,99]; Dest acks A100; Src now sends D[100,199] and D[200,299]; Dest acks A200 and A300; Src now sends 4 packets, and so on.]

Slide 4: TCP Threat: Cheating on Allowed Rate
- How can the destination (receiver) get data to come to them faster than normally allowed?
- ACK splitting: each ack, even though partial, increases the allowed data by one maximum-sized packet
- [Diagram: Src sends D[0,99]; Dest returns A25, A50, A75, A100; Src now sends D[100,199], D[200,299], D[300,399], D[400,499], D[500,599].]
- How do we defend against this? Change the rule to require a "full" ack for all data sent in a packet.

Slide 5: TCP Threat: Cheating on Allowed Rate (con't)
- How can the destination (receiver) still get data to come to them faster than normally allowed?
- Opportunistic ack'ing: acknowledge data not yet seen
- [Diagram: Src sends D[0,99]; Dest returns A100, A200, A300, A400; Src now sends D[100,199], D[200,299], D[300,399], D[400,499], D[500,599].]
- How do we defend against this?

Slide 6: Keeping Receivers Honest
- Approach #1: if you receive an ack for data you haven't sent, kill the connection. Works only if the receiver acks too far ahead.
- Approach #2: follow the round trip time (RTT) and, if an ack arrives too quickly, kill the connection. Flaky: RTT can vary a lot, so you might kill innocent connections.
- Approach #3: make the receiver prove they received the data (note: a protocol change). Add a nonce (random marker) and require the receiver to include it in the ack; kill connections with incorrect nonces. The nonce could be a function computed over the payload, so the sender doesn't transmit it explicitly, only implicitly.

Slides 7-8: Summary of TCP Security Issues
- An attacker who can observe your TCP connection can manipulate it: forcefully terminate it by forging a RST packet; inject data into either direction by forging data packets. Works because they can include in their spoofed traffic the correct sequence numbers (both directions) and TCP ports. Remains a major threat today.
- An attacker who can predict the ISN chosen by a server can "blind spoof" a connection to the server. Makes it appear that host ABC has connected (and has sent data of the attacker's choosing) when in fact it hasn't. Undermines any security based on trusting ABC's IP address. Allows the attacker to "frame" ABC or otherwise avoid detection. Fixed today by choosing random ISNs.
- Both highlight a flawed security-by-obscurity assumption.

Slide 9: TCP Security Issues (con't)
- TCP limits the rate at which senders transmit. TCP relies on endpoints behaving properly to achieve fairness in how network capacity is used; the protocol lacks a mechanism to prevent cheating.
- Senders can cheat by just not abiding by the limits. Remains a significant threat; essentially nothing today prevents it.
- Receivers can manipulate honest senders into sending too fast, because senders trust that receivers are honest. To a degree the sender can validate (e.g., partial acks); a nonce can force the receiver to only act on data they've seen. Rate manipulation remains a threat today.
- General observation: tension between the ease/power of protocols that assume everyone follows them vs. parties violating that assumption. Security problems persist due to the difficulties of retrofitting, coupled with the investment in the installed base.

Slides 10-12: Dynamic Host Configuration Protocol (DHCP)
- [Diagram: a new client broadcasts a DHCP discover; the DHCP server answers with a DHCP offer; the client broadcasts a DHCP request; the server answers with a DHCP ACK.]
- The DHCP server's offer message includes: IP address, DNS server, gateway router, and how long the client can have these ("lease" time)
- Threats: an attacker on the same subnet can hear the new host's DHCP request
- The attacker can race the actual server; if they win, they replace the DNS server and/or the gateway router

Slide 13: DHCP Threats
- Substitute a fake DNS server: redirect any of a host's lookups to a machine of the attacker's choice
- Substitute a fake "gateway": intercept all of a host's off-subnet traffic (even if not preceded by a DNS lookup); relay contents back and forth between the host and the remote server, modifying however the attacker chooses. An invisible Man In The Middle (MITM).
- The victim host has no way of knowing it's happening (it can't necessarily alarm on the peculiarity of receiving multiple DHCP replies, since that can happen benignly)
- How can we fix this?

Slide 14: Non-Eavesdropping Threats
- The DNS/DHCP attacks show the brutal power of an attacker who can eavesdrop
- Consider attackers who can't eavesdrop but still aim to manipulate us via how protocols function
- DNS: path critical for just about everything we do. Maps hostnames <-> IP addresses. The design only scales if we can minimize lookup traffic: #1 way to do so: caching; #2 way to do so: return not only answers to queries, but additional info that will likely be needed shortly.
- Directly interacting with DNS: the dig program on Unix allows querying of the DNS system and dumps each field in DNS responses

Slide 15: dig eecs.mit.edu A
Use the Unix dig utility to look up the DNS address (A) for the hostname eecs.mit.edu:

    ; <<>> DiG 9.6.0-APPLE-P2 <<>> eecs.mit.edu a
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19901
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

    ;; QUESTION SECTION:
    ;eecs.mit.edu.                  IN      A

    ;; ANSWER SECTION:
    eecs.mit.edu.           21600   …
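The rate rule and the two receiver-side cheats of slides 3-6, as an added example that is not code from the lecture: a toy sender applying the ack-clocking rule, the honest, ACK-splitting and opportunistic receivers, and the three defenses as switches. The 100-byte maximum-sized packet and the A25/A50/... ack values follow the slides; the per-segment random nonce (the lecture's "random marker" variant, carried in each segment), the 4-packet starting window and the scenario in `simulate` (four segments in flight, only the first received so far) are assumptions made here so that the opportunistic acks target data that is genuinely in flight rather than never sent.

```python
"""Toy model of TCP's ack-clocked sending rule (slide 3), the ACK-splitting
and opportunistic-ack cheats (slides 4-5) and the sender-side defenses
(slide 6). Added example, not code from the lecture; the 100-byte
maximum-sized packet and the sequence numbers follow the slides."""
from __future__ import annotations
import secrets
from dataclasses import dataclass, field

MSS = 100  # maximum-sized packet, as in the slides


@dataclass
class Segment:
    seq: int    # first byte
    end: int    # last byte, inclusive
    nonce: str  # random marker carried in the segment (slide 6, approach #3); assumed scheme


@dataclass
class Sender:
    allowed: int = 1              # packets allowed in flight, in units of MSS
    full_ack_only: bool = False   # slide 4 defense: partial acks earn no credit
    reject_unsent: bool = False   # approach #1: an ack beyond what was sent kills the connection
    require_nonce: bool = False   # approach #3: a full ack must echo that segment's nonce
    next_seq: int = 0
    highest_acked: int = 0
    alive: bool = True
    kill_reason: str = ""
    # keyed by the cumulative ack value that covers the segment (end + 1)
    segments: dict[int, Segment] = field(default_factory=dict)

    def in_flight(self) -> int:
        return sum(1 for ackpt in self.segments if ackpt > self.highest_acked)

    def send(self) -> list[Segment]:
        """Emit new segments until the window is full (no loss modelled)."""
        out = []
        while self.alive and self.in_flight() < self.allowed:
            seg = Segment(self.next_seq, self.next_seq + MSS - 1, secrets.token_hex(4))
            self.segments[seg.end + 1] = seg
            self.next_seq = seg.end + 1
            out.append(seg)
        return out

    def on_ack(self, acknum: int, nonce: str | None = None) -> None:
        if not self.alive:
            return
        if self.reject_unsent and acknum > self.next_seq:
            self._kill(f"ack {acknum} covers data never sent (next_seq={self.next_seq})")
            return
        seg = self.segments.get(acknum)  # None for a partial ack (or for unsent data)
        if self.require_nonce and seg is not None and seg.nonce != nonce:
            self._kill(f"ack {acknum} does not carry that segment's nonce")
            return
        if acknum <= self.highest_acked:
            return  # old or duplicate ack: no credit
        self.highest_acked = acknum
        if self.full_ack_only and seg is None:
            return  # partial ack: progress is recorded, but the window does not grow
        self.allowed += 1  # slide 3: one more maximum-sized packet per ack of new data

    def _kill(self, why: str) -> None:
        self.alive, self.kill_reason = False, why


# Receiver behaviours: each maps the segments it has received to (acknum, nonce) pairs.
def honest_acks(received: list[Segment]) -> list[tuple[int, str]]:
    return [(s.end + 1, s.nonce) for s in received]


def ack_splitting(received: list[Segment], pieces: int = 4) -> list[tuple[int, str]]:
    """Slide 4: acknowledge each segment in `pieces` partial acks (A25, A50, A75, A100)."""
    return [(s.seq + k * MSS // pieces, s.nonce) for s in received for k in range(1, pieces + 1)]


def opportunistic_acks(received: list[Segment], ahead: int = 3) -> list[tuple[int, str]]:
    """Slide 5: also ack `ahead` segments that are in flight but not yet seen.
    The receiver cannot know their nonces, so it sends a guess."""
    acks = honest_acks(received)
    last = received[-1].end + 1
    acks += [(last + k * MSS, "00000000") for k in range(1, ahead + 1)]
    return acks


def simulate(receiver, **defenses) -> tuple[int, bool]:
    """Assumed scenario: a sender with a 4-packet window has sent D[0,99]..D[300,399]
    and only D[0,99] has arrived. Returns (window after the receiver's acks, alive)."""
    s = Sender(allowed=4, **defenses)
    burst = s.send()
    for acknum, nonce in receiver([burst[0]]):
        s.on_ack(acknum, nonce)
    return s.allowed, s.alive


if __name__ == "__main__":
    for name, rx in [("honest", honest_acks), ("ack splitting", ack_splitting),
                     ("opportunistic", opportunistic_acks)]:
        undefended = simulate(rx)
        defended = simulate(rx, full_ack_only=True, reject_unsent=True, require_nonce=True)
        print(f"{name:14s} no defenses: {undefended}  all defenses: {defended}")
```

Running it shows the window each receiver earns from a single 100-byte segment: 5 for an honest receiver, 8 for either cheat when undefended. The full-ack rule alone brings the splitter back to 5 but leaves the opportunistic acker at 8; the unsent-data check (approach #1) only fires if it acks past byte 399, the last byte actually sent; only the nonce check stops acks for in-flight data the receiver has not seen.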
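The offer message of slides 10-13 on the wire, as an added example that is not code from the lecture: a builder and parser for the RFC 2131 DHCPOFFER format, used to compare the genuine server's offer with the one an attacker who won the race would send. Every address, the transaction id and the client MAC are constructed samples; the option codes (53 message type, 54 server identifier, 51 lease time, 3 router, 6 DNS servers) are the standard ones.

```python
"""Build and parse DHCP OFFER messages (RFC 2131 framing) to show exactly
which fields a rogue server on the subnet can replace (slides 10-13).
Added example, not code from the lecture; every address below is a
constructed sample in private (RFC 1918) space."""
from __future__ import annotations
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 51, 53, 54, 255
BOOTREPLY, DHCPOFFER = 2, 2


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_offer(xid: int, client_mac: bytes, yiaddr: str, router: str,
                dns: list[str], lease: int, server_id: str) -> bytes:
    """Wire-format OFFER: 236-byte fixed header, magic cookie, TLV options, END."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        BOOTREPLY, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, _ip(yiaddr), b"\0" * 4, b"\0" * 4,
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    dns_bytes = b"".join(_ip(d) for d in dns)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + _ip(server_id)
               + bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
               + bytes([OPT_ROUTER, 4]) + _ip(router)
               + bytes([OPT_DNS, len(dns_bytes)]) + dns_bytes
               + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


def parse_options(pkt: bytes) -> dict[int, bytes]:
    """TLV walk over the options field; rejects truncated or unterminated options."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    raise ValueError("options not terminated")


def parse_offer(pkt: bytes) -> dict:
    """Extract the fields the lecture lists: address, lease, DNS server, gateway."""
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    if op != BOOTREPLY:
        raise ValueError("not a server reply")
    opts = parse_options(pkt)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        raise ValueError("not a DHCPOFFER")
    dns = opts.get(OPT_DNS, b"")
    return {
        "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])),
        "server_id": str(ipaddress.IPv4Address(opts[OPT_SERVER_ID])),
        "lease": struct.unpack("!I", opts[OPT_LEASE])[0],
        "router": str(ipaddress.IPv4Address(opts[OPT_ROUTER][:4])),
        "dns": [str(ipaddress.IPv4Address(dns[j:j + 4])) for j in range(0, len(dns), 4)],
    }


def differing_fields(a: dict, b: dict) -> set:
    return {k for k in a if a[k] != b[k]}


# Constructed sample: the same DISCOVER (xid, MAC) answered by the real server
# and by an attacker who raced it. The attacker keeps the genuine server's
# identifier and the client's address and swaps only the gateway and DNS server.
XID, MAC = 0x1A2B3C4D, bytes.fromhex("001122334455")
LEGIT_OFFER = build_offer(XID, MAC, "192.168.1.23", "192.168.1.1", ["192.168.1.2"], 86400, "192.168.1.2")
ROGUE_OFFER = build_offer(XID, MAC, "192.168.1.23", "192.168.1.66", ["192.168.1.66"], 86400, "192.168.1.2")

if __name__ == "__main__":
    legit, rogue = parse_offer(LEGIT_OFFER), parse_offer(ROGUE_OFFER)
    print("legit:", legit)
    print("rogue:", rogue)
    print("fields the rogue offer replaced:", differing_fields(legit, rogue))
```

The comparison makes the point of slide 13: both offers are well-formed, answer the same transaction, and carry the same server identifier, because the attacker chooses every byte of the reply. Nothing in the message itself tells the client which one to trust, which is why a fix cannot come from the client parsing harder.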
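For slides 14-15, an added example that is not code from the lecture: a parser that breaks a DNS response into the pieces dig prints, the header id, flags and section counts, then the question, answer, authority and additional sections, with RFC 1035 name compression handled. The response bytes are constructed here to have the same shape as the dig output above (id 19901, flags qr rd ra, 1 answer, 3 authority, 3 additional); the nameserver names and the 192.0.2.x addresses are documentation-range placeholders, not eecs.mit.edu's real records.

```python
"""Parse a DNS response into what dig displays (slide 15): header, flags,
section counts and the four sections, including compressed names.
Added example, not code from the lecture; RESPONSE is constructed here
with RFC 5737 documentation addresses, not a real lookup of eecs.mit.edu."""
from __future__ import annotations
import ipaddress
import struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7}


def label(s: str) -> bytes:
    return bytes([len(s)]) + s.encode("ascii")


def encode_name(name: str) -> bytes:
    return b"".join(label(p) for p in name.strip(".").split(".")) + b"\0"


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer into the message
            hops += 1
            if hops > 64:
                raise ValueError("pointer loop")
            if end is None:
                end = off + 2                # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def read_rr(msg: bytes, off: int) -> tuple[dict, int]:
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    if rtype == TYPE_A and rdlen == 4:
        data = str(ipaddress.IPv4Address(rdata))
    elif rtype == TYPE_NS:
        data, _ = read_name(msg, off)        # NS rdata may itself use pointers
    else:
        data = rdata.hex()
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "data": data}, off + rdlen


def parse_response(msg: bytes) -> dict:
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": qid, "flags": [f for f, b in FLAG_BITS.items() if flags >> b & 1],
           "rcode": flags & 0xF,
           "counts": {"QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar},
           "question": [], "answer": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["question"].append({"name": qname, "type": qtype, "class": qclass})
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, off = read_rr(msg, off)
            out[section].append(rr)
    return out


def rr_bytes(owner: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


# Constructed response shaped like the slide's dig output. The question name
# starts at offset 12, so 0xC00C points at "eecs.mit.edu." and 0xC011 at "mit.edu.".
PTR_HOST, PTR_ZONE = b"\xC0\x0C", b"\xC0\x11"
RESPONSE = (struct.pack("!HHHHHH", 19901, 0x8180, 1, 1, 3, 3)          # id, qr|rd|ra, counts
            + encode_name("eecs.mit.edu") + struct.pack("!HH", TYPE_A, CLASS_IN)
            + rr_bytes(PTR_HOST, TYPE_A, 21600, ipaddress.IPv4Address("192.0.2.10").packed)
            + b"".join(rr_bytes(PTR_ZONE, TYPE_NS, 86400, label(f"ns{i}") + PTR_ZONE) for i in (1, 2, 3))
            + b"".join(rr_bytes(label(f"ns{i}") + PTR_ZONE, TYPE_A, 86400,
                                ipaddress.IPv4Address(f"192.0.2.{i}").packed) for i in (1, 2, 3)))

if __name__ == "__main__":
    r = parse_response(RESPONSE)
    print(f"id: {r['id']}, flags: {' '.join(r['flags'])}, rcode: {r['rcode']}, counts: {r['counts']}")
    for section in ("question", "answer", "authority", "additional"):
        for rr in r[section]:
            print(f"{section:10s} {rr}")
```

The authority and additional sections are the "additional info" of slide 14: the server volunteers the zone's nameservers and their addresses alongside the answer, so the resolver can cache them and avoid further lookups. Compression pointers are what let all six extra records share the one copy of "mit.edu" in the question.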

