
Lecture 11-12 – Network Protocol Security and Defenses


Dr. Cong Wang
CS Department
City University of Hong Kong
Slides partially adapted from lecture notes by M. Goodrich&R. Tamassia,
W. Stallings&L. Brown, Dan Boneh, and Dawn Song.
CS4293 Topics on Cybersecurity 1
Networks: IP and TCP



Internet Infrastructure

[Figure: backbone ISPs, regional ISPs and end networks]

• Local and interdomain routing
– TCP/IP for routing and messaging
– BGP for routing announcements
• Domain Name System
– Find IP address from symbolic name (www.cs.stanford.edu)


TCP Protocol Stack

[Figure: two end hosts, each with Application, Transport, Network and Link layers, with routers (Network and Link layers only) in between; peer layers communicate via the application protocol, the TCP protocol, the IP protocol and the data link / network access layer]


Data Formats

[Figure: encapsulation at each layer]
Application message: data
Transport (TCP, UDP) segment: TCP header | data
Network (IP) packet: IP header | TCP header | data
Link layer frame: Ethernet header | IP header | TCP header | data | Ethernet trailer


IP

Internet Protocol
• Connectionless
– Unreliable
– Best effort
• Notes:
– src and dest ports are not part of the IP header (they belong to the TCP/UDP header)

[Figure: IPv4 header] Version | Header Length | Type of Service | Total Length | Identification | Flags | Fragment Offset | Time to Live | Protocol | Header Checksum | Source Address of Originating Host | Destination Address of Target Host | Options | Padding, followed by IP Data
IP Routing

[Figure: Meg (121.42.33.12) sends a packet with Source 121.42.33.12, Destination 132.14.11.51 through her office gateway (121.42.33.1) and an ISP to the gateway 132.14.11.1 and on to Tom (132.14.11.51)]

• Typical route uses several hops
• IP: no ordering or delivery guarantees


IP Routing
• A router bridges two or more networks
– Operates at the network layer
– Maintains tables to forward packets to the
appropriate network
– Forwarding decisions based solely on the
destination address
• Routing table
– Maps ranges of addresses to LANs or other
gateway routers
IP Protocol Functions (Summary)
• Routing
– IP host knows location of router (gateway)
– IP gateway must know route to other networks

• Fragmentation and reassembly


– If max-packet-size less than the user-data-size

• Error reporting
– ICMP packet to source if packet is dropped

• TTL field: decremented after every hop
– Packet dropped if TTL=0. Prevents infinite loops.
Problem: no src IP authentication
• Client is trusted to embed correct source IP
– Easy to override using raw sockets
– Libnet: a library for formatting raw packets with
arbitrary IP headers

• Anyone who owns their machine can send packets


with arbitrary source IP
– … response will be sent back to forged source IP

• Implications: (solutions in DDoS lecture)


– Anonymous DoS attacks;
– Anonymous infection attacks (e.g. slammer worm)
IP Vulnerabilities
• Unencrypted transmission
– Eavesdropping possible at any intermediate host during routing

• No source authentication
– Sender can spoof source address, making it difficult to trace packet back to
attacker

• No integrity checking
– Entire packet, header and payload, can be modified while en route to
destination, enabling content forgeries, redirections, and man-in-the-middle
attacks

• No bandwidth constraints
– Large number of packets can be injected into network to launch a denial-of-
service attack
– Broadcast addresses provide additional leverage
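A worked example added here (not part of the slides) for the IP header, source spoofing and "no integrity checking" points above. It builds and parses an IPv4 header following the RFC 791 layout, verifies the header checksum, and then does what a raw-socket sender or any on-path host can do: rewrite the source address and recompute the checksum. The addresses and payload are constructed for the example; the point is that the checksum only catches accidental corruption, since whoever can modify the packet can also recompute it.

```python
import struct
from typing import Optional

def ip_to_bytes(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words, complemented.
    Over a header whose checksum field is already filled in it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64,
                      proto: int = 6, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header without options (IHL = 5), protocol 6 = TCP."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0x4000                      # DF set, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(pkt: bytes) -> dict:
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "proto": proto,
        "checksum": csum, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        # the receiver's check: recomputing over the whole header must give 0
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }

def spoof_source(pkt: bytes, new_src: str) -> bytes:
    """Rewrite the source address and fix the checksum. Nothing in IP detects
    this: the checksum is not an integrity or authentication mechanism."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = ip_to_bytes(new_src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]

def decrement_ttl(pkt: bytes) -> Optional[bytes]:
    """Router behaviour: decrement TTL, drop the packet (None) when it would
    reach 0, otherwise recompute the checksum for the new TTL."""
    hdr = bytearray(pkt[:20])
    if hdr[8] <= 1:
        return None
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]

if __name__ == "__main__":
    # constructed sample packet using the addresses from the IP Routing slide
    pkt = build_ipv4_header("121.42.33.12", "132.14.11.51", 8) + b"A" * 8
    print(parse_ipv4_header(pkt))
    print(parse_ipv4_header(spoof_source(pkt, "10.0.0.1")))
```

A transmission error that flips a byte makes `checksum_ok` false, but `spoof_source` produces a header that passes the same check; that asymmetry is exactly why AH/ESP add a keyed integrity check value on top of IP.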
Denial of Service Attack
• Send large number of packets to host providing service
– Slows down or crashes host
– Often executed by botnet
• Attack propagation
– Starts at zombies
– Travels through tree of internet routers rooted at the victim
– Ends at victim
• IP source spoofing
– Hides attacker
– Scatters return traffic from victim

Source: M.T. Goodrich, Probabilistic Packet Marking for Large-Scale IP Traceback, IEEE/ACM Transactions on Networking 16:1, 2008.


Virtual Private Network (VPN)
• Three different modes of use:
– Remote access client connections
– LAN-to-LAN internetworking
– Controlled access within an intranet
• Several different protocols
– PPTP – Point-to-point tunneling protocol (Layer-2: data link layer)
– L2TP – Layer-2 tunneling protocol (Layer-2: data link layer)
– IPsec (Layer-3: network layer)


[Figure: VPN deployment diagram. Credit: Checkpoint]
IPSEC
• Security extensions for IPv4 and IPv6
• IP Authentication Header (AH)
– Authentication and integrity of payload and
header
• IP Encapsulating Security Protocol (ESP)
– Confidentiality of payload
• ESP with optional ICV (integrity check value)
– Confidentiality, authentication and integrity of
payload



Recall packet formats and layers

[Figure: the encapsulation diagram from the Data Formats slide: application message; TCP header + data; IP header + TCP header + data; Ethernet header + IP header + TCP header + data + Ethernet trailer]


IPSec Transport Mode: the original IP header is kept and the IPsec (AH/ESP) header is inserted between it and the transport payload; only the payload is protected

IPSEC Tunnel Mode

IPSec Tunnel Mode: new outer IP header + IPsec header, with the entire original packet (including its IP header) carried as the protected payload

Figures: http://www.tcpipguide.com/free/t_IPSecModesTransportandTunnel.htm


IKE subprotocol from IPSEC

A → B:  m1 = A, g^a mod p
B → A:  m2 = B, g^b mod p, sign_B(m1, m2)
A → B:  sign_A(m1, m2)

Result: A and B share secret g^ab mod p

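The signed Diffie-Hellman exchange above, as an added example that is not from the slides. Each side signs the transcript (m1, m2) so that an active attacker who replaces g^a mod p in transit is caught. Two assumptions are made for the sake of a self-contained script: the group is a demo-size one (p = 2^255 − 19, g = 2) rather than a standard IKE MODP/ECP group, and the public-key signatures sign_A / sign_B are stood in for by HMACs under long-term keys the peer already trusts. The party names and the `tamper` hook are illustrative, not IKE's wire format.

```python
import hashlib
import hmac
import secrets

# Demo-size group (assumption). Real IKE uses a registered DH group.
P = 2**255 - 19
G = 2

# Stand-in for the long-term signing keys (assumption: HMAC instead of RSA/ECDSA).
LONGTERM_KEY = {"A": b"A-long-term-signing-key", "B": b"B-long-term-signing-key"}

def sign(party: str, m1: bytes, m2: bytes) -> bytes:
    """sign_party(m1, m2): a MAC over the transcript seen by that party."""
    return hmac.new(LONGTERM_KEY[party], m1 + b"|" + m2, hashlib.sha256).digest()

def verify(party: str, m1: bytes, m2: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(party, m1, m2), sig)

def encode(name: str, pub: int) -> bytes:
    """Wire form of a message: identity, comma, 32-byte big-endian g^x mod p."""
    return name.encode() + b"," + pub.to_bytes(32, "big")

def dh_exchange(a=None, b=None, tamper=None) -> dict:
    """Run the three-message exchange. `tamper`, if given, is a man-in-the-middle
    applied to m1 in transit (it substitutes its own g^a' mod p)."""
    a = a if a is not None else secrets.randbelow(P - 2) + 1
    b = b if b is not None else secrets.randbelow(P - 2) + 1

    # m1: A -> B (possibly modified on the way)
    m1_sent = encode("A", pow(G, a, P))
    m1_recv = tamper(m1_sent) if tamper else m1_sent

    # m2: B -> A, signed over what B actually received
    gb = pow(G, b, P)
    m2 = encode("B", gb)
    sig_b = sign("B", m1_recv, m2)

    # A checks B's signature against what A actually sent; mismatch => MITM
    a_accepts = verify("B", m1_sent, m2, sig_b)
    sig_a = sign("A", m1_sent, m2)
    b_accepts = verify("A", m1_recv, m2, sig_a)

    ga_seen_by_b = int.from_bytes(m1_recv.split(b",", 1)[1], "big")
    return {
        "key_a": pow(gb, a, P),              # (g^b)^a
        "key_b": pow(ga_seen_by_b, b, P),    # (g^a)^b, or (g^a')^b if tampered
        "a_accepts": a_accepts,
        "b_accepts": b_accepts,
    }

if __name__ == "__main__":
    print(dh_exchange()["a_accepts"])                               # True
    print(dh_exchange(tamper=lambda m: encode("A", pow(G, 42, P)))["a_accepts"])  # False
```

Without the signatures the tampered run would still produce keys on both sides (the attacker sharing one with each), which is the classic unauthenticated-DH failure the IKE signatures exist to prevent.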


TCP Protocol Stack

[Figure: the same layered diagram (Application, Transport, Network, Link) shown earlier, repeated as a reminder before the TCP slides]


TCP

Transmission Control Protocol
• Connection-oriented, preserves order
– Sender
• Break data into packets
• Attach packet numbers
• Ensure the transmission is fully complete
– Receiver
• Acknowledge receipt; lost packets are resent
• Reassemble packets in correct order

[Figure: analogy of mailing a book one page at a time, with the receiver reassembling the numbered pages in order]
TCP Header

[Figure: TCP header fields: Source Port, Dest port, SEQ Number, ACK Number, flags URG ACK PSH RST SYN FIN, other header fields]


Review: TCP Handshake

C → S   SYN:      SN_C ← rand_C, AN_C ← 0                (S is listening)
S → C   SYN/ACK:  SN_S ← rand_S, AN_S ← SN_C + 1          (S stores SN_C, SN_S and waits)
C → S   ACK:      SN ← SN_C + 1, AN ← SN_S + 1            (established)

Received packets with SN too far out of window are dropped
Basic Security Problems
1. Network packets pass by untrusted hosts
– Eavesdropping, packet sniffing
– Especially easy when attacker controls a
machine close to victim

2. TCP state can be easy to guess


– Enables spoofing and session hijacking

3. Denial of Service (DoS) vulnerabilities


– DDoS lecture
1. Packet Sniffing
• Attacker NIC reads all packets
• Read all unencrypted data (e.g., wireshark)
• ftp, telnet (and POP, IMAP) may send passwords in clear

[Figure: Alice sends to Bob across the network; Eve, on the path, gets the unencrypted password]

Prevention: Encryption (via IPSEC)
Defeat the sniffing

Remember SSL/TLS (the classic RSA key-exchange handshake shown on the slide):
Client → Server: Version, Crypto choice, nonce
Server → Client: Version, Choice, nonce, signed certificate containing server's public key Ks
Client → Server: Secret key K encrypted with server's key Ks
(both sides switch to negotiated cipher)
Client → Server: Hash of sequence of messages
Server → Client: Hash of sequence of messages
data transmission
2. TCP Connection Spoofing
• Why random initial sequence numbers? (SN_C, SN_S)
• Suppose init. sequence numbers are predictable
– Attacker can create TCP session on behalf of forged source IP
• Breaks IP-based authentication

[Figure] attacker → server: TCP SYN with srcIP=victim
server → victim: SYN/ACK with SN=server's SN_S (the attacker never sees it; the victim has no matching connection)
attacker → server: ACK with srcIP=victim, AN=predicted SN_S + 1, followed by a command

server thinks command is from victim IP addr
Example DoS vulnerability [Watson 04]
• Suppose attacker can guess seq. number for an existing connection:
– Attacker can send Reset packet to close connection. Results in DoS.
– Naively, success prob. is 1/2^32 (32-bit seq. #s).
– Most systems allow for a large window of acceptable seq. #s
• Much higher success probability.
• Attack is most effective against long lived connections.


Random initial TCP SNs
• Unpredictable SNs prevent basic packet injection
– … but attacker can inject packets after
eavesdropping to obtain current SN
• Most TCP stacks now generate random SNs
– Random generator should be unpredictable

– GPR 06: Linux RNG for generating SNs is predictable


• Attacker repeatedly connects to server
• Obtains sequence of SNs
• Can predict next SN
• Attacker can now do TCP spoofing (create TCP
session with forged source IP)
TCP Congestion Control (what TCP does by itself: auto-adjust the transmission speed to the traffic)

• During the mid-80s it was discovered that uncontrolled TCP messages were causing large scale network congestion
– TCP responded to congestion by retransmitting lost packets
• What is predominantly used today is a system where ACKs are used to determine the maximum number of packets which should be sent out
– Most TCP congestion avoidance algorithms avoid congestion by modifying a congestion window (cwnd) as more cumulative ACKs are received
• Lost packets are taken to be a sign of network congestion
– TCP begins with an extremely low cwnd and rapidly increases the value of this variable (slow start) to reach bottleneck capacity
– At this point it shifts to congestion avoidance, which slowly probes the network for additional bandwidth
• TCP congestion control is a good idea in general but allows for certain attacks.
Optimistic ACK Attack
• An optimistic ACK attack takes advantage of the TCP congestion control
• It begins with a client sending out ACKs for data segments it hasn't yet received
• This flood of optimistic ACKs makes the server's TCP stack believe that there is a large amount of bandwidth available and thus increase cwnd
• This leads to the attacker providing more optimistic ACKs, and eventually bandwidth use beyond what the server has available
• This can also be played out across multiple servers, with enough congestion that a certain section of the network is no longer reachable
• There are no practical solutions to this problem


Routing Vulnerabilities



Routing Vulnerabilities
Routing protocols:
• ARP (addr resolution protocol): IP addr ⟶ eth addr
– Node A can confuse gateway into sending it traffic for B
– By proxying traffic, attacker A can easily inject packets into B's session (e.g. WiFi networks)
• OSPF: used for routing within an AS
• BGP: routing between ASs
– Attacker can cause entire Internet to send traffic for a victim IP to attacker's address.
– Example: Youtube mishap
Example: Pakistan Youtube

• In 2008 Pakistan Telecom used this technique in an attempt to censor YouTube


• YouTube owns 208.65.152.0/22 and advertised a route to this block
• Pakistan Telecom advertised a route to 208.65.153.0/24 (more specific) (to upstream provider
PCCW in HK) and then dropped all traffic to those addresses
• The IP addresses of all YouTube’s DNS servers and web servers were contained in 208.65.153.0/24
• Rather than censor YouTube in Pakistan it completely “disappeared” from the Internet for two
hours
• Fixed when AS36561 (YouTube) starts announcing 208.65.153.128/25 and 208.65.153.0/25.
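The YouTube incident replayed in code, as an added example that is not part of the slides. A forwarding table using longest-prefix match (the rule that lets a /24 win over the legitimate /22) is populated with the announcements named above, and the lookup for an address inside 208.65.153.0/24 is checked before the hijack, during it, and after YouTube's two /25 announcements. The second run adds an S-BGP style address attestation (authorisation to advertise specified address blocks, as on the S-BGP slide further on), under which the unauthorised /24 is rejected. The origin labels, the sample address inside the /24, and the attestation table are constructed for the example; the prefixes are the ones the slide gives.

```python
import ipaddress

class RoutingTable:
    """Longest-prefix-match forwarding table, the rule that makes a /24
    announcement beat a legitimate /22 covering the same addresses."""

    def __init__(self, attestations=None):
        self.routes = []                 # (network, origin)
        # Optional S-BGP style address attestations (assumption about format):
        # origin -> list of (prefix, max_len) the origin may announce.
        self.attestations = attestations

    def authorised(self, net, origin):
        if self.attestations is None:    # plain BGP: no check at all
            return True
        for prefix, max_len in self.attestations.get(origin, []):
            parent = ipaddress.ip_network(prefix)
            if net.subnet_of(parent) and net.prefixlen <= max_len:
                return True
        return False

    def announce(self, prefix, origin):
        net = ipaddress.ip_network(prefix)
        if not self.authorised(net, origin):
            return False
        self.routes.append((net, origin))
        return True

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        best = None
        for net, origin in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, origin)
        return best[1] if best else None

# Constructed attestation: YouTube may announce 208.65.152.0/22 down to /25.
YOUTUBE_ATTESTATION = {"YouTube": [("208.65.152.0/22", 25)]}

def youtube_incident(attestations=None):
    rt = RoutingTable(attestations)
    victim = "208.65.153.10"             # arbitrary address inside the hijacked /24
    rt.announce("208.65.152.0/22", "YouTube")
    before = rt.lookup(victim)
    hijack_accepted = rt.announce("208.65.153.0/24", "Pakistan Telecom")   # more specific
    during = rt.lookup(victim)
    rt.announce("208.65.153.0/25", "YouTube")                              # the fix
    rt.announce("208.65.153.128/25", "YouTube")
    after = rt.lookup(victim)
    return {"before": before, "during": during, "after": after,
            "hijack_accepted": hijack_accepted,
            "neighbour": rt.lookup("208.65.152.5")}   # in the /22 but outside the /24

if __name__ == "__main__":
    print(youtube_incident())
    print(youtube_incident(YOUTUBE_ATTESTATION))
```

Note that addresses in the /22 but outside the hijacked /24 (`neighbour`) are unaffected throughout; only the more-specific block disappears, which is why announcing two /25s, one bit more specific than the rogue /24, was enough to take it back. The same origin check is what RPKI route origin validation enforces in production today.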
Interdomain Routing

[Figure: two autonomous systems (earthlink.net, Stanford.edu) exchange routes over BGP; OSPF runs inside each AS]

Autonomous System: connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain)


BGP example [D. Wetherall]

[Figure: ASes 1-8 propagating AS-path announcements, e.g. paths 2 6 5, 3 2 6 5 and 7 2 6 5 for a prefix of AS 5, and 2 7, 3 2 7 and 6 2 7 for a prefix of AS 7]

• Transit: 2 provides transit for 7
• Algorithm seems to work OK in practice
– … but BGP does not respond well to frequent node outages


BGP Security Issues
BGP packets are un-authenticated
– Attacker can inject advertisements for arbitrary
routes
– Advertisement will propagate everywhere
– Used for DoS and spam



BGP Security Issues
• BGP is the basis for all inter-ISP routing
• Benign configuration errors affect about 1% of all routing
table entries at any time
• The current system is highly vulnerable to human errors, and
a wide range of malicious attacks
– links
– routers
– management stations
• MD5 MAC is rarely used, perhaps due to lack of automated key management, and it addresses only one class of attacks

Slide: Steve Kent
S-BGP Design Overview
• IPsec: secure point-to-point router communication
• Public Key Infrastructure: authorization framework for all S-
BGP entities
• Attestations: digitally-signed authorizations
– Address: authorization to advertise specified address blocks
– Route: Validation of UPDATEs based on a new path attribute, using PKI
certificates and attestations
• Repositories for distribution of certificates, CRLs, and address attestations
• Tools for ISPs to manage address attestations, process certificates & CRLs, etc.

Slide: Steve Kent
Domain Name System



DNS

Domain Name System
• Hierarchical Name Space

[Figure: tree rooted at "root"; top-level domains org, net, edu, com, uk, ca; under edu: wisc, ucb, stanford, cmu, mit; under stanford: cs, ee; under cs: www]


DNS Root Name Servers

• Hierarchical service
– Root name servers for top-
level domains
– Authoritative name servers
for subdomains
– Local name resolvers
contact authoritative
servers when they do not
know a name



DNS Lookup Example

[Figure: the client resolver asks the local DNS server for www.cs.cityu.edu.hk; the local server queries the root & edu.hk DNS server, which answers NS cityu.edu.hk; it queries the cityu.edu.hk DNS server, which answers NS cs.cityu.edu.hk; it queries the cs.cityu.edu.hk DNS server, which answers A www = IP addr; the address is returned to the client]

DNS record types (partial list):
- NS: name server (points to other server)
- A: address record (contains IP address)
- MX: address in charge of handling email
- TXT: generic text (e.g. used to distribute site public keys (DKIM))
Caching
• DNS responses are cached
– Quick response for repeated translations
– Useful for finding servers as well as addresses
• NS records for domains

• DNS negative queries are cached


– Save time for nonexistent sites, e.g. misspelling

• Cached data periodically times out


– Lifetime (TTL) of data controlled by owner of data
– TTL passed with every record



DNS Packet

[Figure: DNS packet layout (from Steve Friedl)]

• Query ID:
– 16 bit random value
– Links response to query
Basic DNS Vulnerabilities
• Users/hosts trust the host-address mapping
provided by DNS:
– Used as basis for many security policies:
Browser same origin policy, URL address bar

• Obvious problems
– Interception of requests or compromise of DNS servers can result in
incorrect or malicious responses
• e.g.: malicious access point in a Cafe
– Solution – authenticated requests/responses
• Provided by DNSsec … but few use DNSsec



DNS cache poisoning (Kaminsky 08)

[Figure] The user's browser asks the local DNS resolver for a.bank.com; the resolver sends Query: a.bank.com with QID=x1 to ns.bank.com. Meanwhile the attacker floods the resolver with 256 spoofed responses carrying random QIDs y1, y2, …, each containing
NS bank.com = ns.bank.com
A ns.bank.com = attackerIP
Attacker wins if ∃j: x1 = yj; the response is cached and attacker owns bank.com.

If at first you don't succeed …

[Figure] Query: b.bank.com with QID=x2; again 256 responses with random QIDs y1, y2, …, carrying NS bank.com = ns.bank.com and A ns.bank.com = attackerIP. Attacker wins if ∃j: x2 = yj; the response is cached and attacker owns bank.com.

Success after ≈ 256 tries (few minutes)
Defenses
• Increase Query ID size. How?

a. Randomize src port, additional 11 bits


Now attack takes several hours

b. Ask every DNS query twice:


– Attacker has to guess QueryID correctly twice (32
bits)
– Apparently DNS system cannot handle the load



DNS poisoning attacks in the wild
• January 2005, the domain name for a large New York ISP,
Panix, was hijacked to a site in Australia.

• In November 2004, Google and Amazon users were sent to


Med Network Inc., an online pharmacy

• In March 2003, a group dubbed the "Freedom Cyber Force


Militia" hijacked visitors to the Al-Jazeera Web site and
presented them with the message "God Bless Our
Troops"



DNSSEC Goal
“The Domain Name System (DNS) security extensions
provide origin authentication and integrity assurance
services for DNS data, including mechanisms for
authenticated denial of existence of DNS data.”

-RFC 4033



DNSSEC
• Basically no change to packet format
– Object security of DNS data, not channel security
• New Resource Records (RRs)
– RRSIG : signature of RR by private zone key
– DNSKEY : public zone key
– DS : crypto digest of child zone key
– NSEC / NSEC3 :authenticated denial of existence
• Lookup referral chain (unsigned)
• Origin attestation chain (PKI) (signed)
– Start at pre-configured trust anchors
• DS/DNSKEY of zone (should include root)
– DS → DNSKEY → DS forms a link



DNSSEC Deployment
• As the internet becomes regarded as critical
infrastructure there is a push to secure DNS
• NIST is in the process of deploying it on root
servers now
• May add considerable load to dns servers with
packet sizes considerably larger than 512 byte
size of UDP packets
• There are political concerns with the US
controlling the root level of DNS



Summary
• Core protocols not designed for security
– Eavesdropping, Packet injection, Route stealing,
DNS poisoning
– Patched over time to prevent basic attacks
(e.g. random TCP SN)

• More secure variants exist :


IP -> IPsec
DNS -> DNSsec
BGP -> SBGP



Wireless Networks
(Page 56-72 optional)



Welcome to Wireless
• Radio waves
– No need to be physically plugged into the network
– Remote access
• Coverage
– Personal Area Network (PAN)
– Local Area Network (LAN)
– Metropolitan Area Network (MAN)
• Security concerns
– Radio signals leaking outside buildings
– Detection of unauthorized devices
– Intercepting wireless communications
– Man-in-the-middle attacks
– Verification of users
– Restricting access


Types of Wireless Networks
• Infrastructure
– Client machines establish a radio connection to a special network device, called access point
– Access points connected to a wired network, which provides a gateway to the internet
– Most common type of wireless network
• Peer-to-peer
– Multiple peer machines connect to each other
– Typically used in ad-hoc networks and internet connection sharing

[Figure: infrastructure mode (clients ↔ access point ↔ wired LAN) and peer-to-peer mode (peers connected directly to each other)]
Eavesdropping and Spoofing
• All wireless network traffic can be
eavesdropped
• MAC-based authentication typically used to
identify approved machines in corporate
network
• MAC spoofing attacks possible, as in wired
networks



Wired Equivalent Privacy
• Goals
– Confidentiality: eavesdropping is prevented
– Data integrity: packets cannot be tampered with
– Access control: only properly encrypted packets are routed
• Design constraints
– Inexpensive hardware implementation with 90's technology
– Compliance with early U.S. export control regulations on encryption devices (40-bit keys)
• Implementation and limitations
– Encrypts the body of each frame at the data-link level
– Legacy IEEE 802.11 standard to be avoided

[Figure: WEP-protected WLAN]
WEP Protocol
• Setup
– Access point and client share 40-bit key K
– The key never changes during a WEP session
• Client authentication
– Access point sends unencrypted random challenge to client
– Client responds with encrypted challenge
• Encryption
– Compute CRC-32 checksum of message M (payload of frame)
– Pick 24-bit initialization vector V
– Using the RC4 stream cipher, generate key stream S(K,V)
– Create ciphertext C = (M || crc(M)) ⊕ S(K,V)
• Transmission
– Send V || C

[Figure: (Message || CRC) ⊕ Key Stream]


Reused Initialization Vectors
• Repeated IV implies reused key stream
– Attacker obtains XOR of two messages
– Attacker can recover both message and key stream
– Recovered key stream can be used by attacker to inject traffic
• Default IV
– Several flawed implementations of IV generation
– E.g., start at zero when device turned on and then repeatedly
increment by one
• Random IV
– Small length (24 bits) leads to repetition in a short amount of time even if randomly generated
– E.g., collision expected with high probability after 2^12 ≈ 4,000 transmissions


WEP Cracking Setup
• The access point and client are using WEP encryption
• The hacker is sniffing packets

[Figure: hacker sniffing a WEP-protected WLAN]


Slow Attack: WEP Sniffing
• To crack a 64-bit WEP key you can capture:
– 50,000 to 200,000 packets containing
Initialization Vectors (IVs)
– Only about ¼ of the packets contain IVs
– So you need 200,000 to 800,000 packets
• It can take a long time (typically several hours
or even days) to capture that many packets



Fast Attack: Packet Injection
• The hacker injects packets to create a more "interesting" packet
• Special wireless card driver is necessary to perform injection

[Figure: hacker injecting packets into a W EP-protected WLAN]


Initialization vector (IV)
• One for each packet, a 24-bit value
• Sent in the cleartext part of the message!
• Small space of initialization vectors guarantees
reuse of the same key stream
• IV Collision:
– Attack the XOR of the two plaintext messages
– IV is often very predictable and introduces a lot of
redundancy



Injection Method
• Suppose attacker knows one plaintext X for one encrypted message; since RC4(X) = X ⊕ key stream,
– RC4(X) ⊕ X ⊕ Y = RC4(Y), i.e. the attacker can encrypt any message Y of the same length under the recovered key stream
– construct a new message and compute its CRC-32
• Even without a complete knowledge of the packet, it is possible to flip selected bits in a message and successfully adjust the encrypted CRC (CRC-32 is linear)
• We know the content of ARP requests (recognisable by their fixed size), so reinject them:
– ARP will normally rebroadcast and generate IVs
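The "Reused Initialization Vectors" and "Injection Method" slides in code, as an added example that is not part of the slides or of the Borisov/Goldberg/Wagner paper. It implements WEP as the WEP Protocol slide describes it (RC4 keyed with V || K, CRC-32 appended to the message, IV sent in clear), then shows the three consequences: two frames under the same IV leak M1 ⊕ M2; one known plaintext yields the key stream and lets the attacker encrypt a message of their choosing (RC4(X) ⊕ X ⊕ Y = RC4(Y)); and because CRC-32 is linear, chosen bits can be flipped in a frame whose plaintext is unknown while keeping the encrypted CRC valid. The 40-bit key, IV and messages are constructed for the example.

```python
import struct
import zlib

def rc4(key: bytes, length: int) -> bytes:
    """RC4 key stream (KSA + PRGA), the cipher WEP specifies."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(m: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the message, little-endian."""
    return struct.pack("<I", zlib.crc32(m) & 0xFFFFFFFF)

def wep_encrypt(key40: bytes, iv: bytes, m: bytes) -> bytes:
    """Send V || C with C = (M || crc(M)) xor RC4(V || K); V is 3 bytes, in clear."""
    body = m + crc(m)
    return iv + xor(body, rc4(iv + key40, len(body)))

def wep_decrypt(key40: bytes, frame: bytes):
    """Returns (plaintext, crc_ok) as the receiver sees it."""
    iv, c = frame[:3], frame[3:]
    body = xor(c, rc4(iv + key40, len(c)))
    m, tag = body[:-4], body[-4:]
    return m, tag == crc(m)

# Attack 1: same IV twice => C1 xor C2 = M1 xor M2; with one known plaintext
# the whole key stream for that IV falls out.
def keystream_from_known_plaintext(frame: bytes, known_m: bytes) -> bytes:
    return xor(frame[3:], known_m + crc(known_m))

def forge_frame(iv: bytes, keystream: bytes, new_m: bytes) -> bytes:
    """RC4(X) xor X xor Y = RC4(Y): encrypt any message no longer than the
    recovered key stream, with a valid ICV, without knowing the key."""
    body = new_m + crc(new_m)
    assert len(body) <= len(keystream), "need a key stream at least as long as the forgery"
    return iv + xor(body, keystream)

# Attack 2: bit flipping without the plaintext. For equal-length inputs
# crc(M xor D) = crc(M) xor crc(D) xor crc(0...0), so the attacker can fix up
# the (encrypted) ICV for any chosen difference D.
def flip_bits(frame: bytes, delta: bytes) -> bytes:
    c_body = frame[3:]
    assert len(delta) == len(c_body) - 4, "delta must cover the message part exactly"
    tag_delta = xor(crc(delta), crc(bytes(len(delta))))
    return frame[:3] + xor(c_body, delta + tag_delta)

def expected_collision_packets(iv_bits: int = 24) -> int:
    """Birthday bound: a repeated IV is expected after about 2^(n/2) frames,
    i.e. 2^12 = 4096 for WEP's 24-bit IV."""
    return 2 ** (iv_bits // 2)

if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"       # constructed
    f = wep_encrypt(key, iv, b"GET /index.html HTTP/1.0")
    ks = keystream_from_known_plaintext(f, b"GET /index.html HTTP/1.0")
    print(wep_decrypt(key, forge_frame(iv, ks, b"DELETE /x HTTP/1.0")))
```

The bit-flipping routine is the one that matters in practice: it needs no plaintext at all, only a guess about which bytes to change, and the receiver's CRC check passes every time.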



Reference
• Nikita Borisov, Ian Goldberg, David Wagner,
Intercepting Mobile Communications: The Insecurity
of 802.11. MOBICOM, 2001.



Wi-Fi Protected Access (WPA)
• WEP became widely known as insecure
– In 2005, FBI publicly cracked a WEP key in only 3 minutes!
• Wi-Fi Protected Access (WPA) proposed in 2003
• Improves on WEP in several ways:
– Larger secret key (128 bits) and initialization data (48 bits)
– Supports various types of authentication besides a shared
secret, such as username/password
– Dynamically changes keys as session continues
– Cryptographic method to check integrity
– Frame counter to prevent replay attacks
WPA2
• WPA was an intermediate stepping-stone
– Final version: IEEE 802.11i, aka WPA2
• Improvements over WPA are incremental rather than
changes in philosophy:
– Uses AES instead of RC4
– Handles encryption, key management, and integrity
– MAC provided by Counter Mode with Cipher Block
Chaining (CCMP) used in conjunction with AES
• WPA2 needs recent hardware to operate properly,
but this will get better over time
WPA2 Encryption
• Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
• Compute a 64-bit message integrity code (MIC) on the plaintext header and the payload using AES in CBC-MAC mode
• Encrypt the payload and MIC with AES in counter mode
• Note: the Michael MIC belongs to WPA (TKIP), not to CCMP. Michael is not a strong cryptographic MAC, which is one reason WPA2 replaced it with AES CBC-MAC.

[Figure: Header | Payload | MIC; header and payload are authenticated, payload and MIC are encrypted]


Alternatives and Add-Ons
• WEP, WPA, and WPA2 all protect your traffic only up
to the access point
– No security provided beyond access point
• Other methods can encrypt end-to-end:
– SSL, SSH, VPN, PGP, and so on
• End-to-end encryption is often simpler than setting
up network-level encryption
• Most of these solutions require per-application
configuration



DoS and DDoS



Defining DoS
“A transient or persistent set of actions by a third
party preventing authorised users from access to or
use of a resource or service”
• Although this definition assumes that a DoS is the
result of actions by a third party, these need not be
malicious
– Resources may also simply become exhausted by
legitimate users (flash crowds)
– Where malicious agency can be established, this is
referred to as a DoS attack



Modes of Attack
DoS attacks can take on a number of forms:
• Consumption (exhaustion) of resources
• Disruption or deletion of configuration information
• Disruption of physical resources

Simple degradation might be good enough.



Consumption of Scarce Resources
• Network connectivity
– To prevent hosts or networks from communicating
on the network
– Does not depend on the attacker being able to
consume your network bandwidth. For example,
the attacker consumes local resources on a server
involved in establishing a network connection.
• Bandwidth consumption
– Consume all the available bandwidth on your
network by generating a large number of packets
directed to your network.
ICMP Echo or Ping Flooding
• Uses common diagnostic tool ping
• ping is a simple loopback test that sends an ICMP Echo to a
host which responds with an ICMP Echo Reply
• In the Ping Flooding Attack, attacker floods victim with IP
Ping packets
• Ping of Death: send oversized ping message
– The attacker constructs datagrams that appear to be fragments from a single datagram
– The sum of the sizes of these fragment datagrams is greater than 65,535 bytes (2^16 - 1, the maximum IPv4 datagram length)
– When the recipient puts the fragments together and copies the resulting datagram to a buffer an overflow occurs
• Unpredictable result (system crash? overflow exploit?)


Smurf Attack

[Figure: (1) attacker sends ICMP Echo Req with Src: DoS Target, Dest: broadcast addr; (2) the gateway forwards it to every host on the amplifier network; (3) every host sends an ICMP Echo Reply with Dest: DoS Target]

• Variant of the Ping Flooding Attack
• Smurf is installed on a computer using a stolen account
• Attacker sends a series of IP Ping packets to the directed broadcast address of the target network
• IP Ping packets have forged source address
• Upon arrival at the gateway directly connected to the target network, the gateway forwards the ICMP Echo message to all hosts on the target network
• All hosts send ICMP Response packets to the forged source address, which is the actual target of the attack
TCP SYN Flooding (with IP Spoofing)
• Client attempts to establish TCP connection to server
• After SYN-ACK, the server has allocated memory describing
the half-open connection
• If the client's IP address is spoofed by the attacking system, the 'client' will not respond with ACK
• Data structure where half-open connections are stored can
be made to overflow
• Eventually, no new incoming network connection can be
accepted.



TCP SYN Flood

C → S   SYN:      SN_C ← rand_C, AN_C ← 0             (S listening)
S → C   SYN/ACK:  SN_S ← rand_S, AN_S ← SN_C + 1       (S stores SN_C, SN_S: dedicates resources!)
S waits (for a long time) for the final ACK … NO ACK!
Attacker keeps sending new SYN requests

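An added simulation (not from the slides) of the two SYN-flood slides above. A stateful listener keeps one half-open entry per SYN until the ACK arrives or the SYN timeout expires; spoofed SYNs from forged sources are never ACKed, so with a long timeout the backlog fills in about backlog/attack_rate seconds and a legitimate client that connects once a second is refused from then on. With a short SYN timeout the table drains faster than this attacker fills it. The second listener shows the standard mitigation, SYN cookies, which the slides do not cover: the server keeps no half-open state and instead derives its ISN from a MAC over the connection tuple, verifying the returning ACK by recomputation. Backlog size, rates, addresses and the cookie construction (which omits the timestamp and MSS encoding real SYN cookies carry) are assumptions for the example.

```python
import hashlib
import hmac
import random

class StatefulListener:
    """Classic TCP listen socket: every SYN allocates a half-open entry that
    lives until the ACK arrives or the SYN timeout expires."""

    def __init__(self, backlog, syn_timeout):
        self.backlog, self.syn_timeout = backlog, syn_timeout
        self.half_open = {}            # (src_ip, src_port) -> expiry time
        self.dropped = 0

    def _expire(self, now):
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def on_syn(self, now, src_ip, src_port):
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1          # table full: SYN silently dropped
            return False
        self.half_open[(src_ip, src_port)] = now + self.syn_timeout
        return True

    def on_ack(self, now, src_ip, src_port):
        return self.half_open.pop((src_ip, src_port), None) is not None

def simulate_flood(backlog=128, syn_timeout=60.0, attack_rate=100, duration=10.0, seed=0):
    """Spoofed SYNs arrive at attack_rate per second and are never ACKed; a
    legitimate client tries to connect once per second and ACKs immediately.
    Returns (legit_attempts, legit_successes, syns_dropped)."""
    rng = random.Random(seed)
    srv = StatefulListener(backlog, syn_timeout)
    tries = ok = 0
    for tick in range(int(duration * attack_rate)):
        now = tick / attack_rate
        if tick % attack_rate == 0:                   # once per simulated second
            tries += 1
            if srv.on_syn(now, "10.1.1.1", 50000 + tries):
                srv.on_ack(now, "10.1.1.1", 50000 + tries)
                ok += 1
        # one spoofed SYN per tick from a forged source; its SYN/ACK goes nowhere useful
        srv.on_syn(now, "198.51.100.%d" % rng.randrange(256), rng.randrange(1024, 65536))
    return tries, ok, srv.dropped

class SynCookieListener:
    """SYN cookies (mitigation, not on the slides): no half-open state at all.
    The SYN/ACK sequence number is a MAC over the connection tuple; the ACK is
    validated by recomputing it. Simplified: real cookies also encode a
    timestamp and the MSS so that stale or replayed ACKs are rejected."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def cookie(self, src_ip, src_port, client_isn):
        msg = f"{src_ip}:{src_port}:{client_isn}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src_ip, src_port, client_isn):
        return self.cookie(src_ip, src_port, client_isn)     # SYN/ACK seq; nothing stored

    def on_ack(self, src_ip, src_port, client_isn, ack):
        return ack == (self.cookie(src_ip, src_port, client_isn) + 1) & 0xFFFFFFFF

if __name__ == "__main__":
    print(simulate_flood())                 # (10, 2, 880): only the first two legit connects succeed
    print(simulate_flood(syn_timeout=0.5))  # (10, 10, 0): short timeout keeps up with this rate
```

The ratio that decides the outcome is attack_rate × syn_timeout against backlog: 100 SYN/s with a 60 s timeout needs 6,000 slots, 47 times the backlog used here, while the same rate with a 0.5 s timeout needs only 50. SYN cookies remove the slot count from the equation entirely, at the cost of the simplifications noted in the class docstring.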


Consumption of Scarce Resources
• Consumption of other resources
– State storage/processing structures (TCP SYN)
– Consume disk space (large anonymous ftp
uploads)
– Disrupt specific person’s resource (email bombs)
– Power (forced to remain resource-intensive state)
– Security features (Login attempts?)



Effort Amplification
• Key concept for DoS attacker is resource
amplification
– The factor between the effort expended by an
attacker and effort required of a victim during the
attack
– Remember Smurf attack? Send single message vs
receive many messages
– DoS works similarly with NTP or DNS
– Sending a file vs verifying signature of file or
parsing (XML) file



Destruction or Alteration of
Configuration Information
• An improperly configured computer may
not perform well or may not operate at all
• An intruder may be able to alter or destroy
configuration information that prevents
you from using your computer or network
• Example:
– Intruder changes routing information in routers → network may be disabled.
– Remember the BGP example…
Disruption of Physical Resources
• Physical resources can be damaged or destroyed or
service disrupted.
• Cutting cables, power cuts.
• Wireless networks are particularly vulnerable to
jamming attacks, which can be affected both at the
protocol and physical layers.
• Physical jammers exist for a number of frequencies
and protocols including GSM/UMTS, GPS and IEEE
802.11





And So To DDoS

• DoS attacks are restricted by the attacker having more


resources at his disposal than the victim, or on forcing an
asymmetric workload on the victim.
• If neither can be assured, attackers may simply ‘gang up’
and use multiple attackers on a network – this makes it
more difficult to trace the origin.
• Bot net architectures provide scalability & anonymity –
and are often synchronised.



Distributed Denial of Service
• Many computers are used to launch a
coordinated DoS attack against one or more
targets
• A DDoS master program is installed on one
computer
• Master program communicates to a number of
agent programs, installed on compromised
computers anywhere on the Internet
• Agents initiate attack simultaneously
Distributed Denial of Service Attack

[Figure: Attacker → Master → Slaves → Victim]
Simple DDoS Tools: Trinoo
• First in a row of so-called DDoS attack tools
• Trinoo master program, called a handler,
– Is installed on compromised machine
– Automates control of agent programs
– List of agents (e.g. their IP addresses) stored on handler
• Attacker logs into handler in order to start the
attack
• Flood network with UDP packets
• Source IP address of Trinoo packets is not spoofed
• Agents can be found easily
Tribal Flood Network and TFN2K
• Generate multiple types of attacks
– UDP Flood
– TCP SYN Flood
– ICMP Echo request flood
– ICMP directed broadcast
• Generate packets with spoofed IP addresses
• List of IP addresses that contains the locations of agents is
encrypted
• TFN2K is more sophisticated than TFN
– Supports different protocols for master to agent communication
– Can send corrupt packets to cause a system to crash
– Can defeat some defence mechanisms



Stacheldraht
• Based on Trinoo/TFN master agent model
• Encrypted communication between attacker
and master program
• Automated updates of agent programs
• Multiple types of attacks
• Generate packets with spoofed source IP
addresses



Voluntary crowdsourcing…

Low Orbit Ion Cannon (2010)
Bot Networks (Botnets)

• Modern DDoS approach…


• Victim machines are compromised e.g. through Trojans or worms
using software vulnerabilities.
• Malware deploys a number of components, including rootkit
functions and command & control mechanisms
• Zombies use more than one channel and handlers can be deployed in
multiple layers and may be able to control hundreds or thousands of
nodes each.
– Botnet architecture and tools are complex/advanced!
– Heavily protected channels! Botnets are valuable – you lose control of
the channel you lose the botnet.
Botnet

[Figure: Master → C&C servers → Slaves/Zombies/Bots → Victim]
Botnet operation: Basics
• Infection Mechanisms
– Web download, mail attachments, scan/exploit
– Automated process…
• Command and Control (C&C)
– Centralized, P2P, unstructured
• Communication Protocols
– IRC, HTTP, P2P, proprietary…
• Payload/Actions
– Spam, DDoS, Keyloggers, Clickfraud, Bitcoin mining
Dismantling a Botnet
• Dismantling takes time and effort
– Building one could be a one man job
– Easier to disable than to destroy
• Some examples (SANS NewsBites):
– Kelihos
• Microsoft shuts it down (45,000 hosts) (Sept 2011)
• Alleged Mastermind named in lawsuit (Jan 2012)
• Regaining Momentum (Feb-April 2012)
– Kelihos.b (110,000 hosts by February, shut down March)
– Kelihos.c (70,000 hosts by April….)
– Bamital
• Microsoft Shuts Down Bamital (February 2013)
