securitycourses.cs.washington.edu/courses/csep561/17sp/week9.pdf · 2017-05-22 · security flaws...
Computer Networks
Security
Security Vulnerabilities
• At every layer in the protocol stack!
• Network-layer attacks
– IP-level vulnerabilities
– Routing attacks
• Transport-layer attacks
– TCP vulnerabilities
• Application-layer attacks
Security Flaws in IP
• The IP addresses are filled in by the originating host
– Address spoofing
• Using source address for authentication
– r-utilities (rlogin, rsh, rhosts etc.)
Figure: hosts A (1.1.1.1) and B (1.1.1.2) share a network with server S (1.1.1.3); host C (2.1.1.1) sits across the Internet
• Can A claim it is B to the server S?
• ARP Spoofing
• Can C claim it is B to the server S?
• Source Routing
ARP Spoofing
• Attacker uses ARP protocol to associate MAC address of attacker with another host's IP address
• E.g. become the default gateway:
– Forward packets to real gateway (interception)
– Alter packets and forward (man-in-the-middle attack)
– Use non-existent MAC address or just drop packets (denial of service attack)
Source Routing
• ARP spoofing cannot redirect packets to another network
– if you spoof an IP source address, replies go to the spoofed host
• An option in IP is to provide a route in the packet: source routing.
– Equivalent to tunneling.
• Attack: spoof the host IP address and specify a source route back to the attacker.
Smurf Attack
Figure: attacking system, the Internet, a broadcast-enabled network, and the victim system
– Ping request to a broadcast address with source = victim's IP address
– Ping reply from every host
– Replies directed to victim
ICMP Attacks
• No authentication
• ICMP redirect message
• Oversized ICMP messages can crash hosts
• Destination unreachable
– Can cause the host to drop connection
• Many more…
– http://www.sans.org/rr/whitepapers/threats/477.php
ICMP Redirect
• ICMP Redirect message: tell a host to use a different gateway on the same network (saves a hop for future packets)
Figure: Host A, the "Good" Gateway and the Attacker on one network; TCP packets from Host A
Spoof an ICMP Redirect message from "Good" Gateway to redirect traffic through Attacker
TCP-level attacks
• SYN-Floods
– Implementations create state at servers before connection is fully established
• Session hijack
– Pretend to be a trusted host
– Sequence number guessing
• Session resets
– Close a legitimate connection
Session Hijack
Figure: Trusted host (T), Malicious host (M) and the Server
First send a legitimate SYN to server
Session Hijack
Figure: Trusted host (T), Malicious host (M) and the Server
Using ISN_S1 from earlier connection, guess ISN_S2!
TCP Layer Attacks
• TCP SYN Flooding
– Exploit state allocated at server after initial SYN packet
– Send a SYN and don't reply with ACK
– Server will wait for 511 seconds for ACK
– Finite queue size for incomplete connections (1024)
– Once the queue is full it doesn't accept requests
TCP Layer Attacks
• TCP Session Poisoning
– Send RST packet
• Will tear down connection
– Do you have to guess the exact sequence number?
• Anywhere in window is fine
• For 64k window it takes 64k packets to reset
• About 15 seconds for a T1
Where do the problems come from?
• Protocol-level vulnerabilities
– Implicit trust assumptions in design
• Implementation vulnerabilities
– Both on routers and end-hosts
• Incomplete specifications
– Often left to the imagination of programmers
Denial of Service Attacks
Questions
• What are the DoS attacks at different levels of the network architecture?
• How can we mitigate them?
DoS can happen at any layer
• Sample DoS at different layers (by order):
– Link
– TCP/UDP
– Application
• There are some generic DoS solutions
• However, current Internet not designed to handle DDoS attacks
Internet Reality
• Distributed Denial-of-Service is a huge problem today!
– Akamai reports DDoS against US banks peaking at 65 Gbps …
• There are no great solutions
– CDNs, network traffic filtering, and best practices all help
Examples
• Already discussed:
– Smurf ICMP amplification attack
– TCP SYN resource exhaustion attack
DNS Attack (May '06)
Millions of open resolvers on Internet
Figure: the DoS Source sends a DNS query (60 bytes) to a DNS Server with SrcIP = DoS Target; the EDNS response (3000 bytes) is delivered to the DoS Target
DNS Amplification attack: (×50 amplification)
A classic SYN flood example
• MSBlaster worm (2003)
– Infected machines at noon on Aug 16th:
• SYN flood on port 80 to windowsupdate.com
• 50 SYN packets every second.
– each packet is 40 bytes.
• Spoofed source IP: a.b.X.Y where X, Y random.
• MS solution:
– new name: windowsupdate.microsoft.com
– Winupdate file delivered by Akamai
Low rate SYN flood defenses
• Non-solution:
– Increase backlog queue size or decrease timeout
• Correct solution (when under attack):
– Syncookies: remove state from server
– Small performance overhead
Syncookies
• Idea: use secret key and data in packet to gen. server SN
• Server responds to Client with SYN-ACK cookie:
– T = 5-bit counter incremented every 64 secs.
– L = MAC_key(SAddr, SPort, DAddr, DPort, SN_C, T) [24 bits]
• key: picked at random during boot
– SN_S = (T . mss . L) (|L| = 24 bits)
– Server does not save state (other TCP options are lost)
• Honest client responds with ACK(AN = SN_S, SN = SN_C + 1)
– Server allocates space for socket only if valid SN_S.
[Bernstein, Schenk]
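The cookie construction above, worked through as an added example (not code from the lecture): the SYN-ACK sequence number packs T, a 3-bit MSS index and the 24-bit MAC, the server stores nothing on SYN, and a socket is allocated only when the returning ACK carries a cookie that verifies. Assumptions: HMAC-SHA256 truncated to 24 bits stands in for the slide's unspecified MAC, the MSS table is constructed, and the ACK number is SN_S + 1 as in real TCP (the slide abbreviates it to SN_S).

```python
import hashlib
import hmac
import os

# Constructed 3-bit MSS table (assumption; real stacks use their own table).
MSS_TABLE = [536, 1220, 1440, 1460]


class SynCookieServer:
    """Stateless SYN handling: the SYN-ACK sequence number SN_S *is* the cookie."""

    def __init__(self, key=None):
        self.key = key or os.urandom(32)   # key picked at random during boot
        self.established = {}              # socket state, allocated only after a valid ACK

    @staticmethod
    def counter(now):
        # T = 5-bit counter incremented every 64 seconds
        return (int(now) // 64) & 0x1F

    def mac24(self, saddr, sport, daddr, dport, sn_c, t):
        # L = MAC_key(SAddr, SPort, DAddr, DPort, SN_C, T), truncated to 24 bits
        # (HMAC-SHA256 stands in for the MAC; the slide does not name one)
        msg = f"{saddr}:{sport}>{daddr}:{dport}|{sn_c}|{t}".encode()
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:3], "big")

    def on_syn(self, saddr, sport, daddr, dport, sn_c, mss, now):
        """Answer a SYN: return SN_S = (T . mss . L) for the SYN-ACK and store nothing."""
        t = self.counter(now)
        # 3-bit MSS index: largest table entry not exceeding the client's MSS (index 0 if none)
        mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
        l = self.mac24(saddr, sport, daddr, dport, sn_c, t)
        return (t << 27) | (mss_idx << 24) | l

    def on_ack(self, saddr, sport, daddr, dport, an, sn, now):
        """Handle the client's ACK. TCP acknowledges the SYN-ACK with AN = SN_S + 1 (the slide
        abbreviates this to AN = SN_S) and SN = SN_C + 1. A socket is allocated only if the
        cookie verifies; returns the recovered MSS, or None for a forged or stale ACK."""
        cookie = (an - 1) & 0xFFFFFFFF
        t, mss_idx, l = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
        sn_c = (sn - 1) & 0xFFFFFFFF
        # Accept only the current counter value or the previous one; older cookies (and any
        # cookie that has wrapped the 5-bit counter) are rejected instead of being replayed.
        if (self.counter(now) - t) & 0x1F > 1:
            return None
        expected = self.mac24(saddr, sport, daddr, dport, sn_c, t)
        if not hmac.compare_digest(l.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return None
        mss = MSS_TABLE[mss_idx]
        self.established[(saddr, sport, daddr, dport)] = mss   # state allocated here, not on SYN
        return mss


if __name__ == "__main__":
    srv = SynCookieServer()
    # Constructed flood: 10 000 SYNs with spoofed sources leave no half-open state behind
    for i in range(10_000):
        srv.on_syn(f"10.{i >> 8 & 255}.{i & 255}.7", 1024 + i, "1.1.1.3", 80, i, 1460, now=1000.0)
    print("entries after flood:", len(srv.established))
    sn_s = srv.on_syn("1.1.1.2", 40000, "1.1.1.3", 80, 12345, 1460, now=1000.0)
    print("honest client mss:", srv.on_ack("1.1.1.2", 40000, "1.1.1.3", 80, sn_s + 1, 12346, now=1010.0))
```

The cost the slide mentions is visible in `on_syn`: only the MSS survives the round trip, so any other TCP option the client offered is lost.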
DoS Mitigation
Possible defenses I: Filtering
• Filtering at the victim's firewall
– Likely to be useless, firewall itself can be targeted
• Filtering at the attacker's firewall
– Routers drop packets with an "invalid" source IP address field
– Would need near universal deployment to be effective
• Besides, does not prevent subnet-level spoofing
– Economic incentives?
Ingress/Egress Filtering
• RFC 2827: Routers install filters to drop packets from networks that are not downstream
• Feasible at edges; harder at "core"
Figure: network 204.69.207.0/24 attached to the Internet through an edge router
Drop all packets with source address other than 204.69.207.0/24
Possible defenses II: Pushback
• Pushback: rate limit flows that compose large traffic aggregates to mitigate impact of DDoS
• Assumption: can identify anomalous traffic
• Distributed solution: the whole network benefits
• Requires router modifications
– Deployment may take very long
– Need authentication of filters
Possible Defenses III: Traceback [Savage et al. '00]
• Goal:
– Given set of attack packets
– Determine path to source
• How: change routers to record info in packets
• Assumptions:
– Most routers remain uncompromised
– Attacker sends many packets
– Route from attacker to victim remains relatively stable
Simple method
• Write path into network packet
– Each router adds its own IP address to packet
– Victim reads path from packet
• Problem:
– Requires space in packet
• Path can be long
• No extra fields in current IP format
– Changes to packet format too much to expect
Better idea
• DDoS involves many packets on same path
• Store one link in each packet
– Each router probabilistically stores own address
– Fixed space regardless of path length
Figure: attackers A1 through A5 send packets through routers R6 through R12 towards the victim V
Edge Sampling
• Data fields written to packet:
– Edge: start and end IP addresses
– Distance: number of hops since edge stored
• Marking procedure for router R:
  if coin turns up heads (with probability p) then
      write R into start address
      write 0 into distance field
  else
      if distance == 0
          write R into end field
      increment distance field
Edge Sampling: picture
• Packet received
– R1 receives packet from source or another router
– Packet contains space for start, end, distance
Figure: routers R1, R2, R3 in sequence; packet fields: s | e | d
Edge Sampling: picture
• Begin writing edge
– R1 chooses to write start of edge
– Sets distance to 0
Figure: routers R1, R2, R3; packet fields: R1 | – | 0
Edge Sampling: picture
• Finish writing edge
– R2 chooses not to overwrite edge
– Distance is 0
• Write end of edge, increment distance to 1
Figure: routers R1, R2, R3; packet fields: R1 | R2 | 1
Edge Sampling: picture
• Increment distance
– R3 chooses not to overwrite edge
– Distance > 0
• Increment distance to 2
Figure: routers R1, R2, R3; packet fields: R1 | R2 | 2
Path reconstruction
• Extract information from attack packets
• Build graph rooted at victim
– Each (start, end, distance) tuple provides an edge
• # packets needed to reconstruct path:
$E(X) < \frac{\ln(d)}{p(1-p)^{d-1}}$
where p is marking probability, d is length of path
Capability based defense
• Basic idea:
– Receivers can specify what packets they want
• How:
– Sender requests capability in SYN packet
• Path identifier used to limit # reqs from one source
– Receiver responds with capability
– Sender includes capability in all future packets
– Main point: Routers only forward:
• Request packets, and
• Packets with valid capability
Interdomain Routing Security
Interdomain Routing
• AS-level topology
– Nodes are Autonomous Systems (ASes)
– Edges are links and business relationships
Figure: ASes 1 through 7 connecting a Client to a Web server
TCP Connection Underlying BGP Session
• BGP session runs over TCP
– TCP connection between neighboring routers
– BGP messages sent over TCP connection
– Makes BGP vulnerable to attacks on TCP
Validity of the routing information: Origin authentication
IP Address Ownership and Hijacking
• IP address block assignment
– Regional Internet Registries
– Internet Service Providers
• Proper origination of a prefix into BGP
– By the AS who owns the prefix or by its upstream provider(s) on its behalf
• However, what's to stop someone else?
– Prefix hijacking: another AS originates the prefix
– BGP does not verify that the AS is authorized
– Registries of prefix ownership are inaccurate
Prefix Hijacking
Figure: ASes 1 through 7; 12.34.0.0/16 is originated by two different ASes
• Consequences for the affected ASes
– Blackhole: data traffic is discarded
– Snooping: data traffic is inspected, and then redirected
– Impersonation: data traffic is sent to bogus destinations
Hijacking is Hard to Debug
• The victim AS doesn't see the problem
– Picks its own route
– Might not even learn the bogus route
• May not cause loss of connectivity
– E.g., if the bogus AS snoops and redirects
– … may only cause performance degradation
• Or, loss of connectivity is isolated
– E.g., only for sources in parts of the Internet
• Diagnosing prefix hijacking
– Analyzing updates from many vantage points
– Launching traceroute from many vantage points
Sub-Prefix Hijacking
Figure: ASes 1 through 7; one AS originates 12.34.0.0/16 and another originates the more-specific 12.34.158.0/24
• Originating a more-specific prefix
– Every AS picks the bogus route for that prefix
– Traffic follows the longest matching prefix
How to Hijack a Prefix
• The hijacking AS has
– Router with BGP session(s)
– Configured to originate the prefix
• Getting access to the router
– Network operator makes configuration mistake
– Disgruntled operator launches an attack
– Outsider breaks into the router and reconfigures
• Getting other ASes to believe bogus route
– Neighbor ASes do not discard the bogus route
– E.g., not doing protective filtering
YouTube Outage on Feb 24, 2008
• YouTube (AS36561)
– Web site www.youtube.com
– Address block 208.65.152.0/22
• Pakistan Telecom (AS17557)
– Receives government order to block access to YouTube
– Starts announcing 208.65.153.0/24 to PCCW (AS3491)
– All packets directed to YouTube get dropped on the floor
• Mistakes were made
– AS17557: announcing to everyone, not just customers
– AS3491: not filtering routes announced by AS17557
• Lasted 100 minutes for some, 2 hours for others
Timeline (UTC time)
• 18:47:45
– First evidence of hijacked /24 route propagating in Asia
• 18:48:00
– Several big trans-Pacific providers carrying the route
• 18:49:30
– Bogus route fully propagated
• 20:07:25
– YouTube starts advertising the /24 to attract traffic back
• 20:08:30
– Many (but not all) providers are using the valid route
http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube_1.shtml
Timeline (UTC time), continued
• 20:18:43
– YouTube starts announcing two more-specific /25 routes
• 20:19:37
– Some more providers start using the /25 routes
• 20:50:59
– AS17557 starts prepending ("3491 17557 17557")
• 20:59:39
– AS3491 disconnects AS17557
• 21:00:00
– All is well, videos of cats flushing toilets are available
Another Example: Spammers
• Spammers sending spam
– Form a (bidirectional) TCP connection to a mail server
– Send a bunch of spam e-mail
• But, best not to use your real IP address
– Relatively easy to trace back to you
• Could hijack someone's address space
– But you might not receive all the (TCP) return traffic
– And the legitimate owner of the address might notice
• How to evade detection
– Hijack unused (i.e., unallocated) address block in BGP
– Temporarily use the IP addresses to send your spam
Question
• What other attacks are possible with BGP?
Bogus AS Paths
• Remove ASes from the AS path
– E.g., turn "701 3715 88" into "701 88"
• Motivations
– Make the AS path look shorter than it is
– Attract sources that normally try to avoid AS 3715
– Help AS 88 look like it is closer to the Internet's core
• Who can tell that this AS path is a lie?
– Maybe AS 88 *does* connect to AS 701 directly
Figure: AS 701, AS 3715 and AS 88, with a question mark on whether 701 and 88 are directly connected
Bogus AS Paths
• Add ASes to the path
– E.g., turn "701 88" into "701 3715 88"
• Motivations
– Trigger loop detection in AS 3715
• Denial-of-service attack on AS 3715
• Or, blocking unwanted traffic coming from AS 3715!
– Make your AS look like it has richer connectivity
• Who can tell the AS path is a lie?
– AS 3715 could, if it could see the route
– AS 88 could, but would it really care as long as it received data traffic meant for it?
Figure: AS 701 and AS 88
Bogus AS Paths
• Adds AS hop(s) at the end of the path
– E.g., turns "701 88" into "701 88 3"
• Motivations
– Evade detection for a bogus route
– E.g., by adding the legitimate AS to the end
• Hard to tell that the AS path is bogus…
– Even if other ASes filter based on prefix ownership
Invalid Paths
• AS exports a route it shouldn't
– AS path is a valid sequence, but violated policy
• Example: customer misconfiguration
– Exports routes from one provider to another
• Interacts with provider policy
– Provider prefers customer routes
– Directing all Internet traffic through customer
• Main defense
– Filtering routes based on prefixes and AS path
Missing/Inconsistent Routes
• Peers require consistent export
– Prefix advertised at all peering points
– Prefix advertised with same AS path length
• Reasons for violating the policy
– Trick neighbor into "cold potato"
– Configuration mistake
• Main defense
– Analyzing BGP updates or data traffic
Figure: a Bad AS between src and dest; the data path and the BGP announcements take different routes
BGP Security Today
• Applying best common practices
– Securing the session (authentication, encryption)
– Filtering routes by prefix and AS path
– Packet filters to block unexpected control traffic
• This is not good enough
– Doesn't address fundamental problems
• Can't tell who owns the IP address block
• Can't tell if the AS path is bogus or invalid
• Can't be sure the data packets follow the chosen route
Proposed Enhancements to BGP
S-BGP: Secure Version of BGP
• Address attestations
– Claim the right to originate a prefix
– Signed and distributed out-of-band
– Checked through delegation chain from ICANN
• Route attestations
– Distributed as an attribute in BGP update message
– Signed by each AS as route traverses the network
– Signature signs previously attached signatures
• S-BGP can validate
– AS path indicates the order ASes were traversed
– No intermediate ASes were added or removed
S-BGP Deployment Challenges
• Complete, accurate registries
– E.g., of prefix ownership
• Public Key Infrastructure
– To know the public key for any given AS
• Cryptographic operations
– E.g., digital signatures on BGP messages
• Need to perform operations quickly
– To avoid delaying response to routing changes
• Difficulty of incremental deployment
– Hard to have a "flag day" to deploy S-BGP
Incrementally Deployable Solutions?
• Backwards compatible
– No changes to router hardware or software
– No cooperation from other ASes
• Incentives for early adopters
– Security benefits for ASes that deploy the solution
– … and further incentives for others to deploy
• What kind of solutions are possible?
– Detecting suspicious routes and then filtering or depreferencing them
Detecting Suspicious Routes
• Monitoring BGP update messages
– Use past history as an implicit registry
• E.g., AS that announces each address block
– Prefix 18.0.0.0/8 usually originated by AS 3
• E.g., AS-level edges and paths
– Never seen the subpath "7018 88 1785"
• Out-of-band detection mechanism
– Generate reports and alerts
– Prefix Hijack Alert System: http://phas.netsec.colostate.edu/
Avoiding Suspicious Routes
• Soft response to suspicious routes
– Prefer routes that agree with the past
– Delay adoption of unfamiliar routes when possible
• Why is this good enough?
– Some attacks will go away on their own
– Give network operators time to investigate
• How well would it work?
– If top ~40 largest ASes applied the technique
– … most other ASes are protected, too
– … since they mostly learn routes from the big ASes
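The "past history as an implicit registry" idea from the previous two slides, worked through as an added example (not code from the lecture or from PHAS): a history of past updates records which ASes originated each prefix and which AS-level edges have appeared in any path; a new announcement is flagged when its origin is unfamiliar, when it is a more-specific of a known block from a foreign origin (the sub-prefix hijack pattern of the YouTube incident), or when its path contains a never-seen edge; the soft response then prefers routes that agree with the past over shorter unfamiliar ones. The update history is constructed; the AS numbers and prefixes are the ones the slides use.

```python
import ipaddress
from collections import defaultdict


class RouteHistory:
    """Implicit registry learned from past BGP updates: who originates each prefix and
    which AS-level edges have ever been seen in an AS path."""

    def __init__(self):
        self.origins = defaultdict(set)   # prefix -> set of origin ASes seen
        self.edges = set()                # (AS a, AS b) adjacencies seen in any path

    def learn(self, prefix, as_path):
        net = ipaddress.ip_network(prefix)
        self.origins[net].add(as_path[-1])          # origin AS is the last hop in the path
        self.edges.update(zip(as_path, as_path[1:]))

    def suspicious(self, prefix, as_path):
        """Reasons an announcement disagrees with history; an empty list means 'familiar'."""
        net = ipaddress.ip_network(prefix)
        origin = as_path[-1]
        reasons = []
        known = self.origins.get(net)
        if known is None:
            # Unknown prefix: a more-specific of a known block from a foreign origin looks like
            # a sub-prefix hijack (longest match would pull all traffic towards it).
            for seen, owners in self.origins.items():
                if seen.version == net.version and net != seen and net.subnet_of(seen) \
                        and origin not in owners:
                    reasons.append(f"sub-prefix of {seen} (origins {sorted(owners)}) from AS{origin}")
        elif origin not in known:
            reasons.append(f"origin AS{origin} never seen for {net} (usually {sorted(known)})")
        for a, b in zip(as_path, as_path[1:]):
            if (a, b) not in self.edges:
                reasons.append(f"never seen the edge {a} {b}")
        return reasons


def select_route(history, prefix, candidates):
    """Soft response from the slide: prefer candidate paths that agree with the past, and only
    then the shorter path, so an unfamiliar route is depreferenced rather than dropped."""
    return min(candidates, key=lambda path: (bool(history.suspicious(prefix, path)), len(path)))


# Constructed history of past updates (prefix, AS path); the AS numbers come from the slides.
PAST_UPDATES = [
    ("18.0.0.0/8", [7018, 3]),
    ("18.0.0.0/8", [701, 3]),
    ("208.65.152.0/22", [701, 36561]),
    ("208.65.152.0/22", [3491, 701, 36561]),
    ("12.34.0.0/16", [701, 88]),
]


def build_history(updates=PAST_UPDATES):
    history = RouteHistory()
    for prefix, path in updates:
        history.learn(prefix, path)
    return history


if __name__ == "__main__":
    h = build_history()
    # The Feb 2008 pattern: AS17557 announces a more-specific of YouTube's block via AS3491
    for reason in h.suspicious("208.65.153.0/24", [3491, 17557]):
        print("ALERT:", reason)
    print("chosen:", select_route(h, "18.0.0.0/8", [[7018, 88], [3491, 701, 3]]))
```

Note that YouTube's own /24 announced through its usual provider is not flagged, because its origin is already among the owners of the covering /22.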
Conclusions
• Border Gateway Protocol is very vulnerable
– Glue that holds the Internet together
– Hard for an AS to locally identify bogus routes
– Attacks can have very serious global consequences
• Proposed solutions/approaches
– Secure variants of the Border Gateway Protocol
– Anomaly detection schemes, with automated response