Berkeley COMPSCI 161 - Network Attacks

This preview shows page 1-2-14-15-29-30 out of 30 pages.


Network Attacks
CS 161 - Computer Security
Profs. Vern Paxson & David Wagner
TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger
http://inst.eecs.berkeley.edu/~cs161/
Feb 10, 2010

Focus of Today’s Lecture
• Finish discussion of security threats in TCP
  – The problem of “cheaters” who exceed the allowed transmission rate
  – Summary of TCP issues/principles
• Security threats in DHCP and DNS
  – Summary of issues/principles
• Note that none of these threats concerns direct application threats. They all target the building blocks used by applications.

TCP's Rate Management
Unless there’s loss, TCP doubles data in flight every “round-trip”. All TCPs expected to obey (“fairness”).
Mechanism: for each arriving ack for new data, increase allowed data by 1 maximum-sized packet
E.g., suppose maximum-sized packet = 100 bytes
[Figure: Src/Dest time diagram showing data packets D0-99, D100-199, D200-299 and acks A100, A200, A300]

TCP Threat: Cheating on Allowed Rate
How can the destination (receiver) get data to come to them faster than normally allowed?
ACK-Splitting: each ack, even though partial, increases allowed data by one maximum-sized packet
[Figure: Src/Dest time diagram; Dest answers D0-99 with acks A25, A50, A75, A100, and Src sends D100-199, D200-299, D300-399, D400-499, D500-599]
How do we defend against this?
Change rule to require “full” ack for all data sent in a packet

TCP Threat: Cheating on Allowed Rate
How can the destination (receiver) still get data to come to them faster than normally allowed?
Opportunistic ack’ing: acknowledge data not yet seen!
[Figure: Src/Dest time diagram; Dest answers D0-99 with acks A100, A200, A300, A400, and Src sends D100-199, D200-299, D300-399, D400-499, D500-599]
How do we defend against this?

Keeping Receivers Honest
• Approach #1: if you receive an ack for data you haven’t sent, kill the connection
  – Works only if receiver acks too far ahead
• Approach #2: follow the “round trip time” (RTT) and if ack arrives too quickly, kill the connection
  – Flaky: RTT can vary a lot, so you might kill innocent connections
• Approach #3: make the receiver prove they received the data
  – Add a nonce (“random” marker) & require receiver to include it in ack. Kill connections w/ incorrect nonces
    o (nonce could be function computed over payload, so sender doesn’t explicitly transmit, only implicitly)
  – Note: a protocol change

Summary of TCP Security Issues
• An attacker who can observe your TCP connection can manipulate it:
  – Forcefully terminate by forging a RST packet
  – Inject data into either direction by forging data packets
  – Works because they can include in their spoofed traffic the correct sequence numbers (both directions) and TCP ports
  – Remains a major threat today
• An attacker who can predict the ISN chosen by a server can “blind spoof” a connection to the server
  – Makes it appear that host ABC has connected, and has sent data of the attacker’s choosing, when in fact it hasn’t
  – Undermines any security based on trusting ABC’s IP address
  – Allows attacker to “frame” ABC or otherwise avoid detection
  – Fixed today by choosing random ISNs
• Both highlight flawed “security-by-obscurity” assumption

TCP Security Issues, con't
• TCP limits the rate at which senders transmit:
  – TCP relies on endpoints behaving properly to achieve “fairness” in how network capacity is used
  – Protocol lacks a mechanism to prevent cheating
  – Senders can cheat by just not abiding by the limits
    o Remains a significant threat: essentially nothing today prevents
• Receivers can manipulate honest senders into sending too fast because senders trust that receivers are honest
  – To a degree, sender can validate (e.g., partial acks)
  – A nonce can force receiver to only act on data they’ve seen
  – Rate manipulation remains a threat today
• General observation: tension between ease/power of protocols that assume everyone follows vs. violating
  – Security problems persist due to difficulties of retrofitting …
  – … coupled with investment in installed base

Dynamic Host Configuration Protocol
[Figure: message exchange between new client and DHCP server: DHCP discover (broadcast), DHCP offer, DHCP request, DHCP ACK (broadcast)]
“offer” message includes IP address, DNS server, “gateway router”, and how long client can have these (“lease” time)
Threats?
• Attacker on same subnet can hear new host’s DHCP request
• Attacker can race the actual server; if they win, replace DNS server and/or gateway router

DHCP Threats
• Substitute a fake DNS server
  – Redirect any of a host’s lookups to a machine of attacker’s choice
• Substitute a fake “gateway”
  – Intercept all of a host’s off-subnet traffic
    o (even if not preceded by a DNS lookup)
  – Relay contents back and forth between host and remote server
    o Modify however attacker chooses
• An invisible “Man In The Middle” (MITM)
  – Victim host has no way of knowing it’s happening
    o (Can’t necessarily alarm on peculiarity of receiving multiple DHCP replies, since that can happen benignly)
• How can we fix this?

Non-Eavesdropping Threats: DNS
• DHCP attacks show brutal power of attacker who can eavesdrop
• Consider attackers who can’t eavesdrop - but still aim to manipulate us via how protocols function
• DNS: path-critical for just about everything we do
  – Maps hostnames ⇔ IP addresses
  – Design only scales if we can minimize lookup traffic
    o #1 way to do so: caching
    o #2 way to do so: return not only answers to queries, but additional info that will likely be needed shortly
• Directly interacting w/ DNS: dig program on Unix
  – Allows querying of DNS system
  – Dumps each field in DNS responses

dig eecs.mit.edu A
; ; <<>> DiG 9.6.0-APPLE-P2 <<>> eecs.mit.edu a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
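
The sender-side checks from the "Cheating on Allowed Rate" and "Keeping Receivers Honest" slides, as an added example that is not part of the lecture: a toy sender runs the slides' two ack sequences with and without the "full" ack rule, approach #1 and approach #3. The `Sender` class, `run` helper, the loss-free window model and the explicit per-segment random nonce are assumptions made for illustration (the slide notes the nonce could instead be computed over the payload).

```python
import secrets

MSS = 100  # the slide's example: maximum-sized packet = 100 bytes

class Killed(Exception):
    """Raised when the sender tears the connection down."""

class Sender:
    def __init__(self, hardened):
        self.hardened = hardened
        self.cwnd = MSS    # bytes allowed in flight
        self.una = 0       # highest byte acknowledged so far
        self.nxt = 0       # next byte to send
        self.nonces = {}   # segment end offset -> nonce carried by that segment

    def send_window(self):
        """Send full segments while the window allows; return [(end, nonce)]."""
        sent = []
        while self.nxt + MSS - self.una <= self.cwnd:
            self.nxt += MSS
            self.nonces[self.nxt] = secrets.token_hex(4)
            sent.append((self.nxt, self.nonces[self.nxt]))
        return sent

    def on_ack(self, ack, nonce=None):
        if ack <= self.una:
            return                                    # old or duplicate ack
        if self.hardened:
            if ack > self.nxt:                        # approach #1
                raise Killed("ack for data never sent")
            if ack not in self.nonces:                # "full" ack rule
                return                                # partial ack earns no credit
            if nonce != self.nonces[ack]:             # approach #3
                raise Killed("wrong nonce")
        self.una = ack
        self.cwnd += MSS                              # one packet of credit per ack

def run(hardened, acks):
    """Receiver has seen only D0-99 (and its nonce) but sends every ack in `acks`."""
    s = Sender(hardened)
    (end, nonce), = s.send_window()
    try:
        for a in acks:
            s.on_ack(a, nonce if a == end else None)
            s.send_window()
    except Killed as e:
        return "killed: " + str(e)
    return s.cwnd

ACK_SPLITTING = (25, 50, 75, 100)     # constructed from the ACK-splitting slide
OPPORTUNISTIC = (100, 200, 300, 400)  # constructed from the opportunistic-ack slide
```

In the opportunistic run every forged ack covers data the sender has already put in flight, so approach #1 never fires and only the nonce check ends the connection, which is the limitation the slide states for approach #1.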

