securitycourses.cs.washington.edu/courses/csep561/17sp/week9.pdf · 2017-05-22 · security flaws...
TRANSCRIPT
Computer Networks
Security
Security Vulnerabilities
• At every layer in the protocol stack!
• Network-layer attacks
  – IP-level vulnerabilities
  – Routing attacks
• Transport-layer attacks
  – TCP vulnerabilities
• Application-layer attacks
Security Flaws in IP
• The IP addresses are filled in by the originating host
  – Address spoofing
• Using source address for authentication
  – r-utilities (rlogin, rsh, rhosts etc.)
[Figure: hosts A (1.1.1.1), B (1.1.1.2) and server S (1.1.1.3) on one network; host C (2.1.1.1) reaches S across the Internet]
• Can A claim it is B to the server S?
  – ARP spoofing
• Can C claim it is B to the server S?
  – Source routing
ARP Spoofing
• Attacker uses ARP protocol to associate MAC address of attacker with another host's IP address
• E.g. become the default gateway:
  – Forward packets to real gateway (interception)
  – Alter packets and forward (man-in-the-middle attack)
  – Use non-existent MAC address or just drop packets (denial of service attack)
Source Routing
• ARP spoofing cannot redirect packets to another network
  – if you spoof an IP source address, replies go to the spoofed host
• An option in IP is to provide a route in the packet: source routing.
  – Equivalent to tunneling.
• Attack: spoof the host IP address and specify a source route back to the attacker.
Smurf Attack
[Figure: the attacking system sends a ping request to a broadcast address on a broadcast-enabled network, with source = victim's IP address; every host on that network sends a ping reply, and the replies are directed across the Internet to the victim system]
ICMP Attacks
• No authentication
• ICMP redirect message
• Oversized ICMP messages can crash hosts
• Destination unreachable
  – Can cause the host to drop connection
• Many more…
  – http://www.sans.org/rr/whitepapers/threats/477.php
ICMP Redirect
• ICMP Redirect message: tell a host to use a different gateway on the same network (saves a hop for future packets)
[Figure: Host A, "Good" Gateway and Attacker on one network; spoof an ICMP Redirect message from "Good" Gateway to redirect traffic (TCP packets) through Attacker]
TCP-level attacks
• SYN-Floods
  – Implementations create state at servers before connection is fully established
• Session hijack
  – Pretend to be a trusted host
  – Sequence number guessing
• Session resets
  – Close a legitimate connection
Session Hijack
[Figure: Trusted host (T), Malicious host (M) and Server]
• First send a legitimate SYN to server
• Using ISN_S1 from earlier connection, guess ISN_S2!
TCP Layer Attacks
• TCP SYN Flooding
  – Exploit state allocated at server after initial SYN packet
  – Send a SYN and don't reply with ACK
  – Server will wait for 511 seconds for ACK
  – Finite queue size for incomplete connections (1024)
  – Once the queue is full it doesn't accept requests
TCP Layer Attacks
• TCP Session Poisoning
  – Send RST packet
    • Will tear down connection
  – Do you have to guess the exact sequence number?
    • Anywhere in window is fine
    • For 64k window it takes 64k packets to reset
    • About 15 seconds for a T1
Where do the problems come from?
• Protocol-level vulnerabilities
  – Implicit trust assumptions in design
• Implementation vulnerabilities
  – Both on routers and end-hosts
• Incomplete specifications
  – Often left to the imagination of programmers
Denial of Service Attacks
Questions
• What are the DoS attacks at different levels of the network architecture?
• How can we mitigate them?
DoS can happen at any layer
• Sample DoS at different layers (by order):
  – Link
  – TCP/UDP
  – Application
• There are some generic DoS solutions
• However, current Internet not designed to handle DDoS attacks
Internet Reality
• Distributed Denial-of-Service is a huge problem today!
  – Akamai reports DDoS against US banks peaking at 65 Gbps …
• There are no great solutions
  – CDNs, network traffic filtering, and best practices all help
Examples
• Already discussed:
  – Smurf ICMP amplification attack
  – TCP SYN resource exhaustion attack
DNS Attack (May '06)
[Figure: millions of open resolvers on the Internet. The DoS source sends a DNS query (60 bytes) with src IP = DoS target; the DNS server sends the EDNS response (3000 bytes) to the DoS target]
• DNS amplification attack: (~50× amplification)
A classic SYN flood example
• MSBlaster worm (2003)
  – Infected machines at noon on Aug 16th:
    • SYN flood on port 80 to windowsupdate.com
    • 50 SYN packets every second.
      – each packet is 40 bytes.
    • Spoofed source IP: a.b.X.Y where X, Y random.
• MS solution:
  – new name: windowsupdate.microsoft.com
  – Winupdate file delivered by Akamai
Low rate SYN flood defenses
• Non-solution:
  – Increase backlog queue size or decrease timeout
• Correct solution (when under attack):
  – Syncookies: remove state from server
  – Small performance overhead
Syncookies
• Idea: use secret key and data in packet to gen. server SN
• Server responds to Client with SYN-ACK cookie:
  – T = 5-bit counter incremented every 64 secs.
  – L = MAC_key(SAddr, SPort, DAddr, DPort, SN_C, T) [24 bits]
    • key: picked at random during boot
  – SN_S = (T . mss . L)   (|L| = 24 bits)
  – Server does not save state (other TCP options are lost)
• Honest client responds with ACK (AN = SN_S, SN = SN_C + 1)
  – Server allocates space for socket only if valid SN_S.
[Bernstein, Schenk]
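A worked SYN-cookie encoder and checker, added here as an example (it is not from the slides or from any particular TCP stack). It follows the slide's layout of SN_S as T (5 bits) . mss (3 bits) . L (24 bits), using HMAC-SHA256 truncated to 24 bits as the MAC; the key, the MSS table and all addresses are constructed sample values.

```python
import hashlib
import hmac

KEY = b"constructed-secret-picked-at-boot"   # slide: key picked at random during boot
MSS_TABLE = [536, 1220, 1460]                 # constructed 3-bit MSS encoding (index -> MSS)


def counter(now):
    """T: 5-bit counter incremented every 64 seconds (now = seconds since epoch)."""
    return (int(now) // 64) & 0x1F


def mac24(saddr, sport, daddr, dport, sn_c, t):
    """L = MAC_key(SAddr, SPort, DAddr, DPort, SN_C, T), truncated to 24 bits."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{sn_c}|{t}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:3]


def make_cookie(saddr, sport, daddr, dport, sn_c, mss, now):
    """Server's reply to a SYN: SN_S = T . mss . L, computed without storing any state."""
    t = counter(now)
    # encode the largest table MSS that does not exceed what the client offered
    m = max([i for i, v in enumerate(MSS_TABLE) if v <= mss], default=0)
    l = int.from_bytes(mac24(saddr, sport, daddr, dport, sn_c, t), "big")
    return (t << 27) | (m << 24) | l


def check_cookie(saddr, sport, daddr, dport, ack, seq, now):
    """Server's check of the final ACK: the MSS to use if the cookie is valid, else None.

    The ACK acknowledges SN_S + 1 and carries SN_C + 1, so both are undone first.
    """
    sn_s = (ack - 1) & 0xFFFFFFFF
    sn_c = (seq - 1) & 0xFFFFFFFF
    t, m, l = sn_s >> 27, (sn_s >> 24) & 0x7, (sn_s & 0xFFFFFF).to_bytes(3, "big")
    if ((counter(now) - t) & 0x1F) > 1:            # cookie older than one counter tick
        return None
    if not hmac.compare_digest(l, mac24(saddr, sport, daddr, dport, sn_c, t)):
        return None                                # forged, or replayed for another 4-tuple
    return MSS_TABLE[m] if m < len(MSS_TABLE) else None
```

Only the final ACK allocates a socket, and a SYN that is never acknowledged costs the server nothing but the hash.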
DoS Mitigation
Possible defenses I: Filtering
• Filtering at the victim's firewall
  – Likely to be useless, firewall itself can be targeted
• Filtering at the attacker's firewall
  – Routers drop packets with an "invalid" source IP address field
  – Would need near universal deployment to be effective
• Besides, does not prevent subnet-level spoofing
  – Economic incentives?
Ingress/Egress Filtering
• RFC 2827: Routers install filters to drop packets from networks that are not downstream
• Feasible at edges; harder at "core"
[Figure: network 204.69.207.0/24 attached to the Internet; its edge router drops all packets with source address other than 204.69.207.0/24]
Possible defenses II: Pushback
• Pushback: rate limit flows that compose large traffic aggregates to mitigate impact of DDoS
• Assumption: can identify anomalous traffic
• Distributed solution: the whole network benefits
• Requires router modifications
  – Deployment may take very long
  – Need authentication of filters
Possible Defenses III: Traceback [Savage et al. '00]
• Goal:
  – Given set of attack packets
  – Determine path to source
• How: change routers to record info in packets
• Assumptions:
  – Most routers remain uncompromised
  – Attacker sends many packets
  – Route from attacker to victim remains relatively stable
Simple method
• Write path into network packet
  – Each router adds its own IP address to packet
  – Victim reads path from packet
• Problem:
  – Requires space in packet
    • Path can be long
    • No extra fields in current IP format
  – Changes to packet format too much to expect
Better idea
• DDoS involves many packets on same path
• Store one link in each packet
  – Each router probabilistically stores own address
  – Fixed space regardless of path length
[Figure: attackers A1–A5 send packets through routers R6, R7, R8, R9, R10 and R12 to the victim V]
Edge Sampling
• Data fields written to packet:
  – Edge: start and end IP addresses
  – Distance: number of hops since edge stored
• Marking procedure for router R:
    if coin turns up heads (with probability p) then
        write R into start address
        write 0 into distance field
    else
        if distance == 0
            write R into end field
        increment distance field
Edge Sampling: picture
• Packet received
  – R1 receives packet from source or another router
  – Packet contains space for start, end, distance
  [path R1 → R2 → R3; packet fields: s | e | d]
• Begin writing edge
  – R1 chooses to write start of edge
  – Sets distance to 0
  [packet: R1 | – | 0]
• Finish writing edge
  – R2 chooses not to overwrite edge
  – Distance is 0
    • Write end of edge, increment distance to 1
  [packet: R1 | R2 | 1]
• Increment distance
  – R3 chooses not to overwrite edge
  – Distance > 0
    • Increment distance to 2
  [packet: R1 | R2 | 2]
Path reconstruction
• Extract information from attack packets
• Build graph rooted at victim
  – Each (start, end, distance) tuple provides an edge
• # packets needed to reconstruct path:
  $E(X) < \frac{\ln(d)}{p(1-p)^{d-1}}$
  where p is marking probability, d is length of path
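The edge-sampling marking procedure and the path reconstruction above, simulated end to end as an added example (not the slides' or Savage et al.'s code). It assumes a single attack path of routers R1 (nearest the attacker) to R8 (adjacent to the victim), constructed here, and also evaluates the slide's bound on the expected number of packets.

```python
import math
import random


def mark(pkt, router, p, rng):
    """Edge-sampling marking procedure run by router R on one packet."""
    if rng.random() < p:                      # coin turns up heads with probability p
        pkt["start"], pkt["end"], pkt["dist"] = router, None, 0
    else:
        if pkt["dist"] == 0:                  # previous hop just wrote start: close the edge
            pkt["end"] = router
        pkt["dist"] += 1                      # every non-marking router adds a hop


def send_through(path, p, rng):
    """Forward one attack packet along path (attacker side first); return its marks."""
    pkt = {"start": None, "end": None, "dist": 0}   # the three marking fields
    for router in path:
        mark(pkt, router, p, rng)
    return pkt


def simulate(path, p, n_packets, seed=7):
    """Constructed attack: n_packets packets from one attacker, marked with probability p."""
    rng = random.Random(seed)
    return [send_through(path, p, rng) for _ in range(n_packets)]


def reconstruct(packets):
    """Rebuild the path from (start, end, distance) marks, victim side first.

    A mark with distance n puts start n+1 hops and end n hops from the victim
    (end is None when the router adjacent to the victim wrote the start field).
    """
    edges = {(k["start"], k["end"], k["dist"]) for k in packets if k["start"] is not None}
    path, cur, n = [], None, 0
    while True:
        nxt = [s for s, e, d in edges if d == n and e == cur]
        if not nxt:                           # chain ends: no edge continues from cur
            return path
        cur = nxt[0]
        path.append(cur)
        n += 1


def expected_bound(p, d):
    """Slide's bound on the expected number of packets: ln(d) / (p (1-p)^(d-1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))
```

With p = 0.2 and d = 8 the bound is about 50 packets; the rarest edge (the one nearest the attacker) appears in a fraction p(1-p)^(d-1) of packets, which is why a sustained flood is needed.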
Capability based defense
• Basic idea:
  – Receivers can specify what packets they want
• How:
  – Sender requests capability in SYN packet
    • Path identifier used to limit # reqs from one source
  – Receiver responds with capability
  – Sender includes capability in all future packets
  – Main point: Routers only forward:
    • Request packets, and
    • Packets with valid capability
Interdomain Routing Security
Interdomain Routing
• AS-level topology
  – Nodes are Autonomous Systems (ASes)
  – Edges are links and business relationships
[Figure: AS-level topology of ASes 1–7 between a Client and a Web server]
TCP Connection Underlying BGP Session
• BGP session runs over TCP
  – TCP connection between neighboring routers
  – BGP messages sent over TCP connection
  – Makes BGP vulnerable to attacks on TCP
Validity of the routing information: Origin authentication

IP Address Ownership and Hijacking
• IP address block assignment
  – Regional Internet Registries
  – Internet Service Providers
• Proper origination of a prefix into BGP
  – By the AS who owns the prefix or by its upstream provider(s) in its behalf
• However, what's to stop someone else?
  – Prefix hijacking: another AS originates the prefix
  – BGP does not verify that the AS is authorized
  – Registries of prefix ownership are inaccurate
Prefix Hijacking
[Figure: AS-level topology (ASes 1–7); 12.34.0.0/16 is originated both by its legitimate owner and by another AS]
• Consequences for the affected ASes
  – Blackhole: data traffic is discarded
  – Snooping: data traffic is inspected, and then redirected
  – Impersonation: data traffic is sent to bogus destinations
Hijacking is Hard to Debug
• The victim AS doesn't see the problem
  – Picks its own route
  – Might not even learn the bogus route
• May not cause loss of connectivity
  – E.g., if the bogus AS snoops and redirects
  – …may only cause performance degradation
• Or, loss of connectivity is isolated
  – E.g., only for sources in parts of the Internet
• Diagnosing prefix hijacking
  – Analyzing updates from many vantage points
  – Launching traceroute from many vantage points
Sub-Prefix Hijacking
[Figure: AS-level topology (ASes 1–7); the legitimate owner originates 12.34.0.0/16 while another AS originates 12.34.158.0/24]
• Originating a more-specific prefix
  – Every AS picks the bogus route for that prefix
  – Traffic follows the longest matching prefix
How to Hijack a Prefix
• The hijacking AS has
  – Router with BGP session(s)
  – Configured to originate the prefix
• Getting access to the router
  – Network operator makes configuration mistake
  – Disgruntled operator launches an attack
  – Outsider breaks into the router and reconfigures
• Getting other ASes to believe bogus route
  – Neighbor ASes do not discard the bogus route
  – E.g., not doing protective filtering
YouTube Outage on Feb 24, 2008
• YouTube (AS36561)
  – Web site www.youtube.com
  – Address block 208.65.152.0/22
• Pakistan Telecom (AS17557)
  – Receives government order to block access to YouTube
  – Starts announcing 208.65.153.0/24 to PCCW (AS3491)
  – All packets directed to YouTube get dropped on the floor
• Mistakes were made
  – AS17557: announcing to everyone, not just customers
  – AS3491: not filtering routes announced by AS17557
• Lasted 100 minutes for some, 2 hours for others
Timeline (UTC Time)
• 18:47:45
  – First evidence of hijacked /24 route propagating in Asia
• 18:48:00
  – Several big trans-Pacific providers carrying the route
• 18:49:30
  – Bogus route fully propagated
• 20:07:25
  – YouTube starts advertising the /24 to attract traffic back
• 20:08:30
  – Many (but not all) providers are using the valid route
http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube_1.shtml
Timeline (UTC Time)
• 20:18:43
  – YouTube starts announcing two more-specific /25 routes
• 20:19:37
  – Some more providers start using the /25 routes
• 20:50:59
  – AS17557 starts prepending ("3491 17557 17557")
• 20:59:39
  – AS3491 disconnects AS17557
• 21:00:00
  – All is well, videos of cats flushing toilets are available
Another Example: Spammers
• Spammers sending spam
  – Form a (bidirectional) TCP connection to a mail server
  – Send a bunch of spam e-mail
• But, best not to use your real IP address
  – Relatively easy to trace back to you
• Could hijack someone's address space
  – But you might not receive all the (TCP) return traffic
  – And the legitimate owner of the address might notice
• How to evade detection
  – Hijack unused (i.e., unallocated) address block in BGP
  – Temporarily use the IP addresses to send your spam
Question
• What other attacks are possible with BGP?
Bogus AS Paths
• Remove ASes from the AS path
  – E.g., turn "701 3715 88" into "701 88"
• Motivations
  – Make the AS path look shorter than it is
  – Attract sources that normally try to avoid AS3715
  – Help AS88 look like it is closer to the Internet's core
• Who can tell that this AS path is a lie?
  – Maybe AS88 *does* connect to AS701 directly
[Figure: AS701 – AS3715 – AS88, with a questioned direct link AS701 – AS88]
Bogus AS Paths
• Add ASes to the path
  – E.g., turn "701 88" into "701 3715 88"
• Motivations
  – Trigger loop detection in AS3715
    • Denial-of-service attack on AS3715
    • Or, blocking unwanted traffic coming from AS3715!
  – Make your AS look like it has richer connectivity
• Who can tell the AS path is a lie?
  – AS3715 could, if it could see the route
  – AS88 could, but would it really care as long as it received data traffic meant for it?
[Figure: AS701 and AS88]
Bogus AS Paths
• Adds AS hop(s) at the end of the path
  – E.g., turns "701 88" into "701 88 3"
• Motivations
  – Evade detection for a bogus route
  – E.g., by adding the legitimate AS to the end
• Hard to tell that the AS path is bogus…
  – Even if other ASes filter based on prefix ownership
Invalid Paths
• AS exports a route it shouldn't
  – AS path is a valid sequence, but violated policy
• Example: customer misconfiguration
  – Exports routes from one provider to another
• Interacts with provider policy
  – Provider prefers customer routes
  – Directing all Internet traffic through customer
• Main defense
  – Filtering routes based on prefixes and AS path
Missing/Inconsistent Routes
• Peers require consistent export
  – Prefix advertised at all peering points
  – Prefix advertised with same AS path length
• Reasons for violating the policy
  – Trick neighbor into "cold potato"
  – Configuration mistake
• Main defense
  – Analyzing BGP updates or data traffic
[Figure: src, dest and a Bad AS; the data path and the BGP announcement]
BGP Security Today
• Applying best common practices
  – Securing the session (authentication, encryption)
  – Filtering routes by prefix and AS path
  – Packet filters to block unexpected control traffic
• This is not good enough
  – Doesn't address fundamental problems
    • Can't tell who owns the IP address block
    • Can't tell if the AS path is bogus or invalid
    • Can't be sure the data packets follow the chosen route
Proposed Enhancements to BGP
S-BGP Secure Version of BGP
• Address attestations
  – Claim the right to originate a prefix
  – Signed and distributed out-of-band
  – Checked through delegation chain from ICANN
• Route attestations
  – Distributed as an attribute in BGP update message
  – Signed by each AS as route traverses the network
  – Signature signs previously attached signatures
• S-BGP can validate
  – AS path indicates the order ASes were traversed
  – No intermediate ASes were added or removed
S-BGP Deployment Challenges
• Complete, accurate registries
  – E.g., of prefix ownership
• Public Key Infrastructure
  – To know the public key for any given AS
• Cryptographic operations
  – E.g., digital signatures on BGP messages
• Need to perform operations quickly
  – To avoid delaying response to routing changes
• Difficulty of incremental deployment
  – Hard to have a "flag day" to deploy S-BGP
Incrementally Deployable Solutions?
• Backwards compatible
  – No changes to router hardware or software
  – No cooperation from other ASes
• Incentives for early adopters
  – Security benefits for ASes that deploy the solution
  – …and further incentives for others to deploy
• What kind of solutions are possible?
  – Detecting suspicious routes and then filtering or depreferencing them
Detecting Suspicious Routes
• Monitoring BGP update messages
  – Use past history as an implicit registry
    • E.g., AS that announces each address block
      – Prefix 18.0.0.0/8 usually originated by AS3
    • E.g., AS-level edges and paths
      – Never seen the subpath "7018 88 1785"
• Out-of-band detection mechanism
  – Generate reports and alerts
  – Prefix Hijack Alert System: http://phas.netsec.colostate.edu/
Avoiding Suspicious Routes
• Soft response to suspicious routes
  – Prefer routes that agree with the past
  – Delay adoption of unfamiliar routes when possible
• Why is this good enough?
  – Some attacks will go away on their own
  – Give network operators time to investigate
• How well would it work?
  – If top ~40 largest ASes applied the technique
  – …most other ASes are protected, too
  – …since they mostly learn routes from the big ASes
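An added example (not the slides' or PHAS's code) of the two preceding slides: past updates serve as an implicit registry of prefix origins and AS-level edges, a new update is flagged when its origin, a covering prefix or an AS path edge disagrees with that history, and the soft response prefers the familiar candidate. The prefixes, AS numbers and paths in the sample are constructed from the slides' own examples.

```python
import ipaddress


class RouteHistory:
    """Implicit registry built from past BGP updates (constructed example)."""

    def __init__(self):
        self.origins = {}    # prefix -> set of origin ASes seen announcing it
        self.edges = set()   # AS-level adjacencies seen in any AS path

    def learn(self, prefix, as_path):
        """Record one past update: as_path is a list of AS numbers, origin last."""
        net = ipaddress.ip_network(prefix)
        self.origins.setdefault(net, set()).add(as_path[-1])
        self.edges.update(zip(as_path, as_path[1:]))

    def check(self, prefix, as_path):
        """Return the reasons a new update looks suspicious; empty means familiar."""
        net = ipaddress.ip_network(prefix)
        origin = as_path[-1]
        reasons = []
        known = self.origins.get(net)
        if known is not None and origin not in known:
            reasons.append(f"origin AS{origin} differs from past origins {sorted(known)}")
        # sub-prefix hijack: a more-specific of a known block from an unfamiliar origin
        for cover, owners in self.origins.items():
            if cover != net and cover.version == net.version and net.subnet_of(cover) \
                    and origin not in owners:
                reasons.append(f"more-specific of {cover} (past origins {sorted(owners)})")
        for a, b in zip(as_path, as_path[1:]):
            if (a, b) not in self.edges:
                reasons.append(f"never-seen AS edge {a}-{b}")
        return reasons

    def choose(self, prefix, candidates):
        """Soft response: prefer the candidate path that agrees with the past, then shorter."""
        return min(candidates, key=lambda path: (len(self.check(prefix, path)), len(path)))
```

Run against the YouTube case, the /24 from AS17557 is flagged both as a more-specific of 208.65.152.0/22 and for an AS edge never seen before, while a shortened path such as "701 88" is caught only by the edge check.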
Conclusions
• Border Gateway Protocol is very vulnerable
  – Glue that holds the Internet together
  – Hard for an AS to locally identify bogus routes
  – Attacks can have very serious global consequences
• Proposed solutions/approaches
  – Secure variants of the Border Gateway Protocol
  – Anomaly detection schemes, with automated response