Berkeley COMPSCI 161 - Network Attacks / Control

[Slide 1] Network Attacks / Control
CS 161: Computer Security
Profs. Vern Paxson & David Wagner
TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger
http://inst.eecs.berkeley.edu/~cs161/
Feb 17, 2010

[Slide 2] Focus of Today's Lecture
- Finish discussion of DNS attacks
- Begin discussion of approaches for controlling network traffic
  o Firewalls: restricting allowed communication
  o NATs: Network Address Translators

[Slide 3] DNS Blind Spoofing (con't)
- Once we randomize the Identification, the attacker has a 1/65536 chance of guessing it correctly. Are we pretty much safe?
- The attacker can send lots of replies, not just one ...
- However, once the reply from the legitimate server arrives with the correct Identification, it's cached and there is no more opportunity to poison it. Victim is inoculated, phew!
- Unless the attacker can send 1000s of replies before the legit one arrives, we're likely safe.
[Figure: DNS message header. Rows of two 16-bit fields: Identification | Flags; # Questions | # Answer RRs; # Authority RRs | # Additional RRs; followed by the variable-length Questions, Answers, Authority and Additional-information sections, each a list of resource records.]

[Slide 4] DNS Blind Spoofing (Kaminsky 2008)
Two key ideas:
- Spoof uses the Additional field rather than Answer
- Attacker can get around caching of legit replies by generating a series of different name lookups:
    <img src="http://random1.google.com" ...>
    <img src="http://random2.google.com" ...>
    <img src="http://random3.google.com" ...>
    ...
    <img src="http://randomN.google.com" ...>

[Slide 5] Kaminsky Blind Spoofing (con't)
For each lookup of randomk.google.com, the attacker returns a bunch of records like this, each with a different Identifier:

    ;; QUESTION SECTION:
    ;randomk.google.com.           IN  A

    ;; ANSWER SECTION:
    randomk.google.com.   21600    IN  A   doesn't matter

    ;; AUTHORITY SECTION:
    google.com.           11088    IN  NS  mail.google.com.

    ;; ADDITIONAL SECTION:
    mail.google.com.      126738   IN  A   6.6.6.6

Once they win the race, not only have they poisoned mail.google.com, but also the cached NS record for google.com's name server, so any future X.google.com lookups go through the attacker's machine.

[Slide 7] Defending Against Blind Spoofing
- Central problem: all that tells a client it should accept a response is that the response matches the Identification field.
- With only 16 bits, it lacks sufficient entropy: even if truly random, the search space an attacker must brute force is too small.
- Where can we get more entropy? (Without requiring a protocol change.)

[Slide 8] Defending Against Blind Spoofing
- DNS primarily uses UDP for transport rather than TCP.
- The UDP header has:
  o 16-bit Source & Destination ports (identify processes, like w/ TCP)
  o 16-bit checksum
  o 16-bit length
[Figure: UDP header (SRC port, DST port, checksum, length) followed by the DNS header and sections above as the UDP payload.]

[Slide 9] Defending Against Blind Spoofing
- Total entropy: 16 bits
- For the requestor to receive a DNS reply, it needs both the correct Identification and the correct ports.
- On a request, DST port = 53. SRC port is usually also 53, but that's not fundamental, just convenient.
[Figure: same UDP + DNS headers, with Src = 53 and Dest = 53.]

[Slide 10] Defending Against Blind Spoofing
- Fix: use a random source port.
- 32 bits of entropy makes it orders of magnitude harder for the attacker to guess all the necessary fields and dupe the victim into accepting a spoofed response.
- This is what primarily secures DNS today.
- Note: not all resolvers have implemented random source ports.
- Total entropy: 32 bits
[Figure: same UDP + DNS headers, with Src = rnd and Dest = 53.]

[Slide 11] Summary of DHCP/DNS Security Issues
- DHCP threats highlight:
  - Broadcast protocols are inherently at risk of attacker spoofing
    o Attacker knows exactly when to try it
  - When initializing, systems are particularly vulnerable because they can lack a trusted foundation to build upon
  - Tension between wiring in trust vs. flexibility/convenience
  - MITM attacks are insidious because there are no indicators they're occurring
- DNS threats highlight:
  - Attackers can attack opportunistically rather than eavesdropping
    o Cache poisoning only requires the victim to look up some name under the attacker's control
  - Attackers can often manipulate victims into vulnerable activity
    o E.g., IMG SRC in a web page to force DNS lookups
  - Crucial for identifiers associated with communication to have sufficient entropy (a lot of bits of unpredictability)
  - Attacks only get better: threats that appear technically remote can become practical due to unforeseen cleverness

[Slide 13] Questions?

[Slide 14] Network Control: Firewalls
- Motivation: how do you harden a set of systems against external attack?
- Key Observation: the more network services your machines run, the greater the risk
  - Due to larger attack surface
- One approach: on each system, turn off unnecessary network services
- But you
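As an added example (not from the lecture slides), the following Python models the requestor side of slides 3, 9 and 10: a reply is accepted only when the UDP destination port and the 16-bit Identification both match an outstanding query, and spoof_success_probability gives the chance that N blind guesses hit the right values with 16 versus 32 bits of entropy. The 12-byte header layout follows RFC 1035; the Requestor class, the ephemeral port range and all helper names are assumptions of this example.

```python
import secrets
import struct

# 12-byte DNS header (RFC 1035): Identification, Flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
QR_BIT = 0x8000  # set in Flags on a response, clear on a query


def build_header(txid, is_response, ancount=0, nscount=0, arcount=0):
    """Constructed header bytes only; the question/RR sections are omitted for brevity."""
    flags = (QR_BIT if is_response else 0) | 0x0100  # 0x0100 = recursion desired
    return HEADER.pack(txid, flags, 1, ancount, nscount, arcount)


def parse_header(data):
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(data)
    return {"id": txid, "is_response": bool(flags & QR_BIT),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


class Requestor:
    """Hypothetical model of the client: a reply is accepted only when both the UDP
    destination port and the Identification match an outstanding query (slide 9)."""

    def __init__(self, random_source_port):
        self.random_source_port = random_source_port
        self.pending = set()  # outstanding (src_port, txid) pairs

    def send_query(self):
        txid = secrets.randbelow(1 << 16)  # random 16-bit Identification
        # Fixed port 53 (the old convention) vs. a random ephemeral port (the slide 10 fix)
        sport = secrets.randbelow(65536 - 1024) + 1024 if self.random_source_port else 53
        self.pending.add((sport, txid))
        return sport, txid, build_header(txid, is_response=False)

    def accept_reply(self, dst_port, data):
        hdr = parse_header(data)
        key = (dst_port, hdr["id"])
        if not hdr["is_response"] or key not in self.pending:
            return False
        self.pending.discard(key)  # first matching reply is cached; later ones no longer match
        return True


def spoof_success_probability(entropy_bits, replies):
    """Chance that `replies` independent guesses hit one value in a space of 2**entropy_bits."""
    p_miss = 1.0 - 1.0 / (1 << entropy_bits)
    return 1.0 - p_miss ** replies
```

With 65536 blind replies the 16-bit case succeeds about 63% of the time, while the 32-bit case stays near 1.5e-5, which is the "orders of magnitude" gain slide 10 refers to.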

