[Figure: protocol stack on two hosts: Application protocol (Application ↔ Application), TCP protocol (Transport ↔ Transport), IP protocol (Network ↔ Network)]
TCP Header
[Figure: encapsulation: an application message (data) is carried by the transport layer (TCP, UDP) as segments, each a TCP header plus data]
Internet Protocol
• Connectionless
– Unreliable
– Best effort
• Notes:
– src and dest ports are not part of the IP header (they belong to the TCP/UDP header)
IPv4 header fields, in order: Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address of Originating Host, Destination Address of Target Host, Options, Padding; then IP Data
CS4293 Topics on Cybersecurity 6
IP Routing
[Figure: a packet from Tom (source 121.42.33.12) to Meg (destination 132.14.11.51) leaves through the office gateway 121.42.33.1, crosses the ISP, and enters Meg's network through gateway 132.14.11.1]
• Error reporting
– ICMP packet to source if packet is dropped
• No source authentication
– Sender can spoof source address, making it difficult to trace packet back to attacker
• No integrity checking
– Entire packet, header and payload, can be modified while en route to destination, enabling content forgeries, redirections, and man-in-the-middle attacks
• No bandwidth constraints
– Large number of packets can be injected into network to launch a denial-of-service attack
– Broadcast addresses provide additional leverage
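The following is an added example, not code from the lecture: it decodes the IPv4 header fields listed on the Internet Protocol slide, verifies the header checksum, and then shows why the "no integrity checking" bullet holds. The checksum is a plain one's-complement sum that anyone on the path can recompute, so an on-path attacker can rewrite the destination (or any field) and the packet still verifies. The sample packet is constructed here (the addresses are those of the routing figure; the payload bytes are dummies); the function names are the example's own.

```python
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # the 20 fixed header bytes; Options/Padding follow when IHL > 5


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:                       # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 6, ttl: int = 64,
               ident: int = 0x1234) -> bytes:
    """Build a minimal IPv4 packet (IHL = 5, no options)."""
    hdr = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + len(payload), ident,
                      0x4000,                  # flags = DF, fragment offset 0
                      ttl, proto, 0,           # checksum computed over the zeroed field
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the header fields from the slide and verify the checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    header = packet[:ihl]
    return {
        "version": version, "header_length": ihl, "tos": tos,
        "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        # summing the whole header, checksum included, gives 0 when it is intact
        "checksum_ok": ip_checksum(header) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": header[20:],               # Options + Padding, empty for IHL = 5
        "payload": packet[ihl:total_len],
        # no source/destination ports here: those live in the TCP/UDP header
    }


def rewrite_destination(packet: bytes, new_dst: str) -> bytes:
    """What an on-path attacker can do: change the destination and recompute the
    header checksum. The checksum catches accidental corruption only; nothing in
    the IP header authenticates the sender or detects deliberate modification."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[16:20] = socket.inet_aton(new_dst)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


# Constructed sample: TCP (protocol 6) from 121.42.33.12 to 132.14.11.51, 4 dummy payload bytes.
SAMPLE = build_ipv4("121.42.33.12", "132.14.11.51", b"\xde\xad\xbe\xef")

if __name__ == "__main__":
    print(parse_ipv4(SAMPLE))
    redirected = rewrite_destination(SAMPLE, "198.51.100.9")
    print(parse_ipv4(redirected)["dst"], parse_ipv4(redirected)["checksum_ok"])
```

A corrupted TTL byte fails the check, but a rewritten destination with a recomputed checksum passes; integrity against an adversary has to come from a layer that carries a key (IPsec AH/ESP, TLS), not from the IP header.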
Denial of Service Attack
• Send large number of packets to host providing service
– Slows down or crashes host
– Often executed by botnet
• Attack propagation
– Starts at zombies
– Travels through tree of internet routers rooted at the victim
– Ends at victim
• IP source spoofing
– Hides attacker
– Scatters return traffic from victim
Source: M.T. Goodrich, Probabilistic Packet Marking for Large-Scale IP Traceback, IEEE/ACM Transactions on Networking 16:1, 2008.
[Figure: signed Diffie-Hellman exchange: A → B: m1 = A, g^a mod p; B → A: m2 = B, g^b mod p, sign_B(m1, m2); A → B: sign_A(m1, m2)]
[Figure: protocol stack on two hosts including the link layer: Application protocol, TCP protocol (Transport), Network, Data Link / Link Access]
– Receiver
• Acknowledge receipt; lost packets are resent
• Reassemble packets in correct order
TCP Header
[Figure: TCP three-way handshake state diagram: Wait state; SN ← SN_C + 1; ACK with AN ← SN_S; Established]
Remember SSL/TLS
[Figure: SSL/TLS handshake sketch: client C sends version, crypto choice, nonce; C sends secret key K encrypted with the server's key Ks; then data transmission]
2. TCP Connection Spoofing
• Why random initial sequence numbers? (SN_C, SN_S)
• Suppose initial sequence numbers are predictable
– Attacker can create TCP session on behalf of forged source IP
– Breaks IP-based authentication
[Figure: attacker sends TCP SYN with srcIP=victim to the server; the server's SYN/ACK (SN=SN_S) is sent to dstIP=victim, so the attacker never sees it; attacker then sends ACK with srcIP=victim and AN=predicted SN_S, and the server believes the victim opened the connection]
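An added example (not the lecture's code) that plays the exchange in the figure with both sides modelled: a toy server that trusts the source IP, once with a predictable ISN generator (fixed increment per connection, a simplification of early BSD behaviour) and once with a random one. The attacker learns the increment from two connections of its own, forges a SYN from the victim's address, and completes the handshake blind with the predicted SN_S. All names (ToyServer, ISN_STEP, the 203.0.113.5 and 10.0.0.7 addresses) are this example's own assumptions.

```python
import secrets

ISN_STEP = 64000          # increment of the toy "predictable" generator (assumption)
MASK = 0xFFFFFFFF         # sequence numbers are 32-bit


class ToyServer:
    """Toy TCP endpoint. It authenticates clients by source IP alone, which is
    exactly the trust that connection spoofing breaks."""

    def __init__(self, isn_generator):
        self.isn_generator = isn_generator
        self.last_isn = 0
        self.half_open = {}       # (ip, port) -> (SN_C, SN_S)
        self.established = set()

    def recv_syn(self, src_ip, src_port, sn_c):
        sn_s = self.isn_generator(self)
        self.half_open[(src_ip, src_port)] = (sn_c, sn_s)
        # The SYN/ACK is addressed to src_ip; a forged source never sees it.
        return {"to": src_ip, "SN": sn_s, "AN": (sn_c + 1) & MASK}

    def recv_ack(self, src_ip, src_port, an):
        key = (src_ip, src_port)
        if key not in self.half_open:
            return False
        sn_c, sn_s = self.half_open[key]
        if an != (sn_s + 1) & MASK:
            return False              # wrong acknowledgement number: handshake rejected
        del self.half_open[key]
        self.established.add(key)
        return True


def predictable_isn(server):
    """Fixed increment per connection (simplified early-BSD style)."""
    server.last_isn = (server.last_isn + ISN_STEP) & MASK
    return server.last_isn


def random_isn(server):
    """Unpredictable ISN: the property the slide's question is asking for."""
    return secrets.randbits(32)


def spoof_connection(server, victim_ip, attacker_ip="203.0.113.5"):
    """Blind handshake on behalf of victim_ip. Returns True if the server
    now believes victim_ip opened a connection."""
    # 1. Two legitimate connections from the attacker's own address reveal two
    #    SN_S values; their difference is the generator's increment.
    isns = []
    for port in (40000, 40001):
        reply = server.recv_syn(attacker_ip, port, sn_c=1000)
        isns.append(reply["SN"])
        server.recv_ack(attacker_ip, port, (reply["SN"] + 1) & MASK)
    step = (isns[1] - isns[0]) & MASK
    predicted_sn_s = (isns[1] + step) & MASK
    # 2. SYN with srcIP=victim. The SYN/ACK goes to the victim, so the attacker
    #    has to rely on the prediction instead of reading SN_S off the wire.
    reply = server.recv_syn(victim_ip, 40002, sn_c=2000)
    assert reply["to"] == victim_ip
    # 3. Blind ACK with AN = predicted SN_S + 1.
    return server.recv_ack(victim_ip, 40002, (predicted_sn_s + 1) & MASK)


if __name__ == "__main__":
    print("predictable ISN:", spoof_connection(ToyServer(predictable_isn), "10.0.0.7"))
    print("random ISN:     ", spoof_connection(ToyServer(random_isn), "10.0.0.7"))
```

With the random generator the blind ACK succeeds with probability 2^-32 per attempt. Two practical caveats the toy omits: the real victim host would answer the unexpected SYN/ACK with a RST, so the attacker first has to silence it (the 1994 Mitnick attack SYN-flooded it), and modern stacks follow RFC 6528, deriving the ISN from a keyed hash of the connection 4-tuple plus a clock, so observing one's own connections reveals nothing about another client's SN_S.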
BGP
• Autonomous System: connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain)
[Figure: autonomous systems, with OSPF labelled as the routing protocol inside an AS]
[Figure: DNS name hierarchy with subdomains cs, ee and host www]
• Hierarchical service
– Root name servers for top-level domains
– Authoritative name servers for subdomains
– Local name resolvers contact authoritative servers when they do not know a name
• Query ID:
– 16 bit random value
– Links response to query
• Obvious problems
– Interception of requests or compromise of DNS servers can result in incorrect or malicious responses
• e.g.: malicious access point in a café
– Solution: authenticated requests/responses
• Provided by DNSSEC … but few use DNSSEC
[Figure: DNS cache poisoning. The user's browser asks for a.bank.com; the local DNS resolver sends the query with QID=x1 to ns.bank.com and waits for the IP address. The attacker floods the resolver with 256 responses carrying random QIDs y1, y2, …, each containing NS bank.com=ns.bank.com and A ns.bank.com=attackerIP. The attacker wins if ∃j: x1 = yj; the forged response is cached and the attacker owns bank.com.]
If at first you don't succeed …
[Figure: same race for a fresh name. The browser asks for b.bank.com; the local resolver sends the query with QID=x2 to ns.bank.com. The attacker again floods 256 responses with random QIDs y1, y2, …, each containing NS bank.com=ns.bank.com and A ns.bank.com=attackerIP. The attacker wins if ∃j: x2 = yj; the response is cached and the attacker owns bank.com.]
Success after ≈ 256 tries (a few minutes)
Defenses
• Increase Query ID size. How?
– RFC 4033
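An added example, not part of the lecture, covering the two poisoning slides and the Defenses slide together. It models the race: a toy resolver that accepts the first reply whose (name, QID) matches its outstanding query, and an attacker who each round asks for a fresh name under bank.com (so the resolver cannot answer from cache and must query upstream again) and fires 256 forged NS/A replies with random QIDs. With a 16-bit QID the expected number of rounds is 2^16 / 256 = 256, matching the slide; widening the identifier to 32 bits by also randomising the UDP source port (RFC 5452) pushes it to 2^24 rounds. The resolver class, the attacker address 203.0.113.66 and the generated names are this example's assumptions.

```python
import random

QID_BITS = 16             # DNS transaction id
QID_PLUS_PORT_BITS = 32   # transaction id + randomised 16-bit UDP source port
GUESSES_PER_ROUND = 256   # forged replies the attacker fires per query


def expected_rounds(id_bits: int, guesses: int) -> float:
    """Rounds until one of `guesses` forged replies hits a uniform id of
    `id_bits` bits: 2^id_bits / guesses (256 for the slide's 16-bit case)."""
    return 2 ** id_bits / guesses


def per_round_success(id_bits: int, guesses: int) -> float:
    """Exact per-round hit probability when guesses are drawn independently."""
    return 1 - (1 - 2 ** -id_bits) ** guesses


class ToyResolver:
    """Caches the first reply whose (name, id) matches the outstanding query.
    Source-port randomisation is modelled by widening id_bits."""

    def __init__(self, rng, id_bits):
        self.rng, self.id_bits = rng, id_bits
        self.cache, self.pending = {}, None

    def query(self, name):
        self.pending = (name, self.rng.getrandbits(self.id_bits))
        return self.pending[1]

    def reply(self, name, qid, ns_glue):
        if self.pending == (name, qid):
            self.cache["bank.com"] = ns_glue      # bogus NS/A records accepted
            self.pending = None
            return True
        return False                              # id mismatch: reply dropped


def poison(seed, id_bits=QID_BITS, guesses=GUESSES_PER_ROUND, max_rounds=100_000):
    """Kaminsky-style race. Returns the round number on success, None if
    max_rounds elapse without a hit."""
    resolver = ToyResolver(random.Random(seed), id_bits)
    attacker_rng = random.Random(seed + 1)        # attacker cannot see resolver randomness
    for round_no in range(1, max_rounds + 1):
        name = f"{round_no}.bank.com"              # a.bank.com, b.bank.com, ... on the slide
        resolver.query(name)
        for _ in range(guesses):
            forged_id = attacker_rng.getrandbits(id_bits)
            if resolver.reply(name, forged_id, "NS bank.com=ns.bank.com; A ns.bank.com=203.0.113.66"):
                return round_no
    return None


def mean_rounds(seeds, **kw):
    """Average rounds to success over several seeds (None counts as max_rounds)."""
    results = [poison(s, **kw) or kw.get("max_rounds", 100_000) for s in seeds]
    return sum(results) / len(results)


if __name__ == "__main__":
    print("expected rounds, 16-bit QID:", expected_rounds(QID_BITS, GUESSES_PER_ROUND))
    print("expected rounds, QID+port:  ", expected_rounds(QID_PLUS_PORT_BITS, GUESSES_PER_ROUND))
    print("simulated mean over 20 seeds:", mean_rounds(range(20)))
```

The simulation omits the legitimate reply from ns.bank.com, which also races the forgeries and, once cached, ends that round; it does not change the order of magnitude. Entropy only raises the attacker's cost; the defense the slide points to, DNSSEC (RFC 4033), makes a forged reply fail signature validation regardless of how many the attacker sends.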
[Figure: WEP-protected WLAN: a hacker outside the network; traffic between station and access point is authenticated and encrypted]
[Figure: DoS against a gateway: source and target]
[Figure: DDoS architecture: attacker controls a master (C&C), which directs slaves/zombies/bots against the victim]
Botnet operation: Basics
• Infection Mechanisms
– Web download, mail attachments, scan/exploit
– Automated process…
• Command and Control (C&C)
– Centralized, P2P, unstructured
• Communication Protocols
– IRC, HTTP, P2P, proprietary…
• Payload/Actions
– Spam, DDoS, keyloggers, click fraud, Bitcoin mining
Dismantling a Botnet
• Dismantling takes time and effort
– Building one could be a one-man job
– Easier to disable than to destroy
• Some examples (SANS NewsBites):
– Kelihos
• Microsoft shuts it down (45,000 hosts) (Sept 2011)
• Alleged mastermind named in lawsuit (Jan 2012)
• Regaining momentum (Feb-April 2012)
– Kelihos.b (110,000 hosts by February, shut down March)
– Kelihos.c (70,000 hosts by April…)
– Bamital
• Microsoft shuts down Bamital (February 2013)