Transcript Lab 4

Outline

Introduction about MITM attack scenarios

ARP poisoning
- Quick refresh on ARP
- ARP methods and defenses

DNS poisoning
- Quick refresh on DNS
- DNS security goals
- DNS poisoning by out-of-bailiwick glue RR
- DNS poisoning by spoofed responses
MITM attack scenarios
Different attacks in different scenarios:
LOCAL AREA NETWORK:
- ARP poisoning
- DNS spoofing
- STP mangling
- Port stealing
FROM LOCAL TO REMOTE (through a gateway):
- ARP poisoning
- DNS spoofing
- DHCP spoofing
- ICMP redirection
- IRDP spoofing
- route mangling
REMOTE:
- DNS poisoning
- route mangling
- traffic tunneling
Addresses in Data Link Layer
32-bit IP address:
- network-layer address
- used to route to the destination network
LAN (or MAC or physical or Ethernet) address:
- used to identify source & destination on the same network
- known to the adapter (e.g. stored in PROM)
- most LANs: 48 bits, global address space
- few LANs: configurable, e.g. as a function of the IP address
- special broadcast address: send to all nodes
  - used for address resolution (ARP)...
Address Resolution Table
Each host maintains its own address resolution table
- Each entry correlates an IP address with a MAC address
- Each entry has a field that marks the way the entry was created (static or dynamic)
Example (TTL in min:sec; "---" means the entry does not expire, i.e. it is static):

  IP Address    MAC Address         TTL
  1.1.24.1      00:30:7b:91:bd:6c   8:00
  1.1.24.65     00:60:e1:00:9c:70   ---
  1.1.24.223    00:60:e1:00:07:91   8:03
ARP Mechanism
(Hosts A, B, C and D share one segment; A wants C's MAC address.)
Step 1, A sends a broadcast request: Sender IP, Sender MAC, Target IP
- C learns A's IP and MAC
- B and D could also learn, but usually don't (since they may not send to A)
Step 2, C sends a unicast response to A
- A learns C's IP and MAC
ARP protocol (RFC 826)
A wants to send a datagram to B and knows B's IP address.
- B is on the same subnet, but her MAC address is not in A's table
- A broadcasts an ARP query packet with B's IP address
- all machines on the subnet receive the ARP query
- B receives the ARP query and replies to A with its (B's) MAC address
  - sent to A's MAC address (unicast)
- A caches <IP, MAC> in its ARP table
ARP Poisoning Attack
The ability to associate any IP address with any MAC address provides attackers with many attack vectors, including
- Denial of Service
- Man in the Middle
- MAC Flooding
ARP Poisoning Attack
Attackers are often on isolated segments
- How to intercept traffic from Alice to Bob?
- Trick Alice into sending to Eve's MAC address
ARP poisoning attack (Alice, Bob and Eve are connected to the same switch):
- Alice uses an ARP broadcast to find Bob
- Eve answers → Alice uses Eve's link address for Bob
- Eve can forward to Bob → Eve becomes MITM
ARP Poisoning Methods
Unsolicited
- Send an ARP request with a false sender IP
  - (some) hosts use it to update their ARP tables
- Send an ARP response with an incorrect mapping
  - Unsolicited: (some) hosts update their ARP table even if they didn't make a request
- Solution: ignore unsolicited mappings
Response to ARP request
- Mapping to the attacker's MAC address
- Send upon hearing / expecting a request
- Improve chances by loading the destination's segment/host, so the genuine reply arrives later than the forged one
ARP Poisoning Example
Example:
- Assume the router's IP is 10.1.1.0
- The host's IP is 10.1.1.1
- A malicious host with IP 10.1.1.2 spoofs 10.1.1.1: it replies to the router's (10.1.1.0) ARP requests for 10.1.1.1 with its own MAC address
- From this point on all packets meant for 10.1.1.1 are delivered to 10.1.1.2, because the router's ARP cache now maps 10.1.1.1 to the MAC address of 10.1.1.2
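The following is an added example, not code from the slides or from any of the tools named in the lab. It builds and parses RFC 826 ARP frames with the standard library, then runs a host-side ARP cache that learns only from replies to its own requests and reports the two unsolicited poisoning methods described above. All MAC addresses (RFC 7042 documentation range) and IP addresses in the scenario are constructed; the gateway is 10.1.1.254 rather than the slide's 10.1.1.0.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _mac_s(b): return ":".join(f"{x:02x}" for x in b)
def _ip(s): return bytes(int(o) for o in s.split("."))
def _ip_s(b): return ".".join(map(str, b))


def build_arp(op, sha, spa, tha, tpa, eth_dst=None):
    """Ethernet II frame carrying an RFC 826 ARP packet (IPv4 over Ethernet)."""
    if eth_dst is None:
        eth_dst = BROADCAST if op == ARP_REQUEST else tha
    eth = _mac(eth_dst) + _mac(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    p = frame[22:42]
    return {"eth_src": _mac_s(frame[6:12]), "op": op,
            "sha": _mac_s(p[0:6]), "spa": _ip_s(p[6:10]),
            "tha": _mac_s(p[10:16]), "tpa": _ip_s(p[16:20])}


class ArpMonitor:
    """ARP cache of one host that learns only from replies to its own requests
    and raises an alert for each unsolicited mapping it sees."""

    def __init__(self, my_ip):
        self.my_ip = my_ip
        self.pending = set()   # target IPs of requests this host has sent
        self.table = {}        # IP -> MAC
        self.alerts = []       # (reason, claimed IP, claimed MAC)

    def _alert(self, reason, a):
        self.alerts.append((reason, a["spa"], a["sha"]))
        return reason

    def process(self, frame):
        a = parse_arp(frame)
        if a is None:
            return None
        if a["op"] == ARP_REQUEST and a["spa"] == self.my_ip:
            self.pending.add(a["tpa"])            # our own outgoing request
            return None
        cached = self.table.get(a["spa"])
        if a["op"] == ARP_REPLY and a["tpa"] == self.my_ip:
            if a["spa"] not in self.pending:
                return self._alert("unsolicited reply", a)
            self.pending.discard(a["spa"])
            if cached is not None and cached != a["sha"]:
                return self._alert("conflicts with cached mapping", a)
            self.table[a["spa"]] = a["sha"]
            return None
        # Requests from other hosts are never used to learn a mapping (the
        # poisoner relies on hosts that do); a sender contradicting the cache is reported.
        if cached is not None and cached != a["sha"]:
            return self._alert("conflicts with cached mapping", a)
        return None


def run_scenario():
    """Constructed traffic: Alice resolves the gateway, then Eve tries both methods."""
    alice, alice_mac = "10.1.1.1", "00:00:5e:00:53:01"
    gw, gw_mac = "10.1.1.254", "00:00:5e:00:53:fe"
    eve_mac = "00:00:5e:00:53:66"
    m = ArpMonitor(alice)
    frames = [
        build_arp(ARP_REQUEST, alice_mac, alice, ZERO_MAC, gw),   # Alice asks for the gateway
        build_arp(ARP_REPLY, gw_mac, gw, alice_mac, alice),       # genuine reply
        build_arp(ARP_REPLY, eve_mac, gw, alice_mac, alice),      # unsolicited reply claiming gw
        build_arp(ARP_REQUEST, eve_mac, gw, ZERO_MAC, alice),     # request with false sender IP
    ]
    for f in frames:
        m.process(f)
    return m.table, m.alerts
```

The monitor deliberately keeps the first mapping it learned and only alerts on a conflict. It has no answer to the second method on the slide: a forged reply that wins the race against the genuine one for a pending request is indistinguishable at this layer, which is why the host-side check has to be backed by static entries for the gateway or by switch-side controls (port security, dynamic ARP inspection).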
ARP Poisoning Tools
ARP Poisoning tools are:
- ARPoison
- Ettercap
- Parasite
Port Security Mechanisms
(Figure: a switch connecting Eve, Alice, Bob, the gateway and the DHCP server; the switch keeps a per-port table with IP and MAC fields.)
Outline

Introduction about MITM attack scenarios

ARP poisoning
- Quick refresh on ARP
- ARP methods and defenses

DNS poisoning
- Quick refresh on DNS
- DNS security goals
- DNS poisoning by out-of-bailiwick glue RR
- DNS poisoning by spoofed responses
DNS Resolution Process
Example: the client's local server resolves www.bob.com iteratively
1. Client → Local server: resolve `A` www.bob.com
2. Local server → Root server: resolve `NS` com
   Root server → Local server: `NS` (the .com TLD authoritative server) 132.3.3.4
3. Local server → .com TLD authoritative server (132.3.3.4): resolve `A` www.bob.com
   TLD server → Local server: `NS` ns.bob.com, `A` 156.4.5.6 (glue for ns.bob.com)
4. Local server → ns.bob.com (156.4.5.6): resolve `A` www.bob.com
   ns.bob.com → Local server: `A` 156.6.6.6 (IP of www.bob.com)
5. Local server → Client: `A` 156.6.6.6; the client sends its request to 156.6.6.6 (www.bob.com)
Domain Names and IP Addresses
IP packets contain source and destination IP addresses
- 32 bits, e.g. 128.33.44.223
Routers use IP addresses
- to deliver packets to their destinations
Users use domain names, e.g. www.foo.edu
Domain names are hierarchical, and:
- meaningful: *.edu: university, www.*: web server
- easier to manage, remember and use
DNS maps domain names to IP addresses
- fixed IP, current IP, best IP (e.g. by proximity)
DNS Caching
Caching is critical for DNS performance
All DNS modules perform caching
- Client DNS cache
- Local DNS server cache
  - DNS server used only to cache records (it holds no zones of its own)
  - Clients always access this server
  - May be nested (… → DNS.foo.edu → ISP DNS)
Caching is of DNS Resource Records (RR), each kept for at most its TTL
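The referral chain of the resolution slide and the caching slide, as an added example that is not part of the lab material. It models the three authoritative servers from the slide in memory, follows referrals from the root, caches what it learns with TTLs, and applies the bailiwick rule from the outline (a record is cached only if it lies inside the zone the responding server was delegated). The root server address, the TTLs and the out-of-bailiwick record planted by the bob.com server are constructed; only the four addresses from the slide are the slide's own.

```python
ROOT_IP = "192.0.2.1"  # assumed root server address (constructed)

# server IP -> zone it is authoritative for and its records (name, type, ttl, value).
# The bob.com server also adds an "extra" record to every response, standing in
# for a misbehaving server that tries to plant a record for a zone it does not own.
SERVERS = {
    ROOT_IP: {"zone": ".", "rrs": [
        ("com.", "NS", 172800, "ns.com."),
        ("ns.com.", "A", 172800, "132.3.3.4")]},
    "132.3.3.4": {"zone": "com.", "rrs": [
        ("bob.com.", "NS", 86400, "ns.bob.com."),
        ("ns.bob.com.", "A", 86400, "156.4.5.6")]},
    "156.4.5.6": {"zone": "bob.com.", "rrs": [
        ("www.bob.com.", "A", 300, "156.6.6.6"),
        ("ns.bob.com.", "A", 300, "156.4.5.6")],
        "extra": [("www.alice.com.", "A", 300, "6.6.6.6")]},
}


def serve(server, qname, qtype):
    """Authoritative side: answer if the record is held, otherwise refer the
    resolver to the closest delegation with NS records plus glue."""
    rrs = server["rrs"]
    answer = [r for r in rrs if r[0] == qname and r[1] == qtype]
    authority, additional = [], list(server.get("extra", []))
    if not answer:
        labels = qname.split(".")
        for i in range(len(labels)):
            cand = ".".join(labels[i:])
            ns = [r for r in rrs if r[0] == cand and r[1] == "NS"]
            if ns and cand != server["zone"]:
                authority = ns
                additional += [r for r in rrs
                               if r[1] == "A" and r[0] in {n[3] for n in ns}]
                break
    return {"answer": answer, "authority": authority, "additional": additional}


def in_bailiwick(name, bailiwick):
    """True if name lies inside the zone the responding server was delegated."""
    return bailiwick == "." or name == bailiwick or name.endswith("." + bailiwick)


class Resolver:
    """Caching resolver with a manual clock so that TTL expiry can be observed."""

    def __init__(self, servers, root_ip):
        self.servers, self.root_ip = servers, root_ip
        self.clock = 0        # seconds, advanced by the caller
        self.cache = {}       # (name, type) -> {value: expiry}
        self.rejected = []    # records dropped as out of bailiwick
        self.trace = []       # servers contacted by the last resolve()

    def _cache_put(self, rr, bailiwick):
        name, rtype, ttl, value = rr
        if not in_bailiwick(name, bailiwick):
            self.rejected.append(rr)
            return
        self.cache.setdefault((name, rtype), {})[value] = self.clock + ttl

    def _cache_get(self, name, rtype):
        return [v for v, exp in self.cache.get((name, rtype), {}).items()
                if exp > self.clock]

    def resolve(self, qname, qtype="A"):
        """Return (values, served_from_cache)."""
        self.trace = []
        hit = self._cache_get(qname, qtype)
        if hit:
            return hit, True
        server_ip, bailiwick = self.root_ip, "."
        for _ in range(8):  # bound the referral chain
            self.trace.append(server_ip)
            resp = serve(self.servers[server_ip], qname, qtype)
            for rr in resp["answer"] + resp["authority"] + resp["additional"]:
                self._cache_put(rr, bailiwick)
            if resp["answer"]:
                return [r[3] for r in resp["answer"]], False
            if not resp["authority"]:
                return [], False
            delegated, _, _, ns_name = resp["authority"][0]
            glue = [r[3] for r in resp["additional"]
                    if r[0] == ns_name and r[1] == "A"]
            if not glue:
                return [], False  # resolving the NS name itself is omitted here
            server_ip, bailiwick = glue[0], delegated
        return [], False
```

The bailiwick check is necessary but not sufficient: a server answering for com. could still plant a record for any name under com., which is what the later spoofed-response material addresses.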
Reverse DNS
"Reverse" DNS query: IP → name
- How? PTR query in the in-addr.arpa domain
- E.g., rDNS for IP=1.2.3.4: DNS query for the PTR record of 4.3.2.1.in-addr.arpa
- Note the reverse order of address bytes (why? the most significant byte becomes the top label, so delegation of the reverse tree follows the ownership of address blocks)
- 4.3.2.1.in-addr.arpa is controlled by the ISP/owner of the address block
Use for security:
- Servers should have rDNS to their domain name
- Use rDNS to identify (dial-in, DSL, …) clients
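An added example (not from the slides) for the reverse-lookup name and for the security use above. Because the PTR record is chosen by whoever controls the address block, a reverse name on its own proves nothing about the domain it claims; the usual check is forward-confirmed rDNS, i.e. keeping only PTR names whose own A/AAAA records point back at the address. The PTR and A lookup tables below are constructed stand-ins for real queries.

```python
import ipaddress


def reverse_name(ip):
    """Owner name of the PTR record for ip: address bytes (IPv4) or hex nibbles
    (IPv6) in reverse order under in-addr.arpa / ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = [str(b) for b in reversed(addr.packed)]
        return ".".join(labels) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")       # 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def forward_confirmed(ip, ptr_lookup, addr_lookup):
    """Forward-confirmed rDNS: keep only the PTR names whose forward records
    contain ip. ptr_lookup/addr_lookup take a name and return a list."""
    names = ptr_lookup(reverse_name(ip))
    return [n for n in names if ip in addr_lookup(n)]


# Constructed stand-ins for real PTR and A lookups: the owner of 1.2.3.0/24 has
# published two PTR names, only one of which really resolves back to 1.2.3.4.
PTR_RECORDS = {"4.3.2.1.in-addr.arpa.": ["mail.example.net.", "www.bob.com."]}
A_RECORDS = {"mail.example.net.": ["1.2.3.4"], "www.bob.com.": ["156.6.6.6"]}


def demo():
    return forward_confirmed("1.2.3.4",
                             lambda n: PTR_RECORDS.get(n, []),
                             lambda n: A_RECORDS.get(n, []))
```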
DNS Messages
DNS protocol: send request, receive reply
- Single format for requests & replies
Message layout: Header | Questions | Answers | Authority | Other (additional)
Header fields:
- ID (16 bits)
- Flags
- Number of questions
- Number of answers
- Number of authority RRs
- Number of other (additional) RRs
Question entry: Name, Type of RR
RR (Resource Record) entry: Name, Type of RR, TTL in seconds, Value
DNS Security: Goals
Authenticity
- Owners should control mappings (name → IP)
- DNS-Security (DNSSEC): cryptographically signed DNS RRs
  - To ensure security against a MITM attacker
  - Although a MITM attacker can forge IP addresses anyway (it already sits on the path)
  - See few extra foils after conclusions
Availability
- Prevent Denial of Service (DoS) attacks
Non-Goal: Confidentiality
- Protocol allows any server to query any other
- Servers may restrict distribution
- Encrypt records if needed (non-standard)
- No support for hiding requests
- Undesirable: allowing a "what's there?" query (zone enumeration)
MITM via DNS Poisoning
Allows a blind attacker to become MITM
- Web spoofing / phishing attacks
- Spoof blacklist responses, …
Scenario (Bob.com really is 129.4.4.5; the attacker is at 6.6.6.6):
0. Poison: the DNS server caches bob.com → 6.6.6.6
1. Client → DNS server: DNS request for bob.com
2. DNS server → Client: response bob.com → 6.6.6.6
3. Client → 6.6.6.6: "Dear Bob, …" (DstIP=6.6.6.6), which the attacker can read and relay to 129.4.4.5
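The message format of the DNS Messages slide and the spoofed-response poisoning of this slide, as one added example that is not part of the lab material. It encodes and parses the wire format (header, question, RRs with name compression) with the standard library, then shows the checks a resolver applies before using a response: same server address, same destination port, same 16-bit ID, same question. The source address is trivially spoofed, so a blind attacker who never saw the query only has to guess the ID and the port; when both are guessed the forged 6.6.6.6 answer is accepted, which is the gap DNSSEC closes. The victim resolver's port, ID and the authoritative server address 156.4.5.6 are constructed; bob.com = 129.4.4.5 and 6.6.6.6 are from the slide.

```python
import os
import struct

A, IN = 1, 1


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_query(qname, qtype=A, txid=None):
    txid = struct.unpack("!H", os.urandom(2))[0] if txid is None else txid
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, IN)


def build_response(txid, qname, ips, ttl=300):
    """Echo the question, then one A record per IP with its name compressed to offset 12."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR=1, RD, RA
    body = encode_name(qname) + struct.pack("!HH", A, IN)
    for ip in ips:
        body += (b"\xc0\x0c" + struct.pack("!HHIH", A, IN, ttl, 4)
                 + bytes(int(o) for o in ip.split(".")))
    return hdr + body


def parse(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, out = 12, {"id": txid, "qr": flags >> 15, "questions": []}
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, qtype, qclass))
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == A and rdlen == 4:
                rdata = ".".join(map(str, rdata))
            rrs.append((name, rtype, ttl, rdata))
        out[section] = rrs
    return out


def accept(pending, resp, from_ip, to_port):
    """Use a response only if it matches the outstanding query on server address,
    destination port, ID and question. The address is spoofable; ID and port
    are the only values a blind attacker has to guess."""
    r = parse(resp)
    return (from_ip == pending["server"] and to_port == pending["port"]
            and r["qr"] == 1 and r["id"] == pending["id"]
            and r["questions"] == [(pending["qname"], pending["qtype"], IN)])


def demo():
    # Victim resolver has asked bob.com's server from a random port with a random ID.
    q = {"server": "156.4.5.6", "port": 53233, "id": 0x1A2B, "qname": "bob.com.", "qtype": A}
    genuine = build_response(q["id"], q["qname"], ["129.4.4.5"])
    forged = build_response(0x1A2C, q["qname"], ["6.6.6.6"])         # wrong ID guess
    forged_id_ok = build_response(q["id"], q["qname"], ["6.6.6.6"])   # right ID guess
    return {
        "genuine": accept(q, genuine, "156.4.5.6", 53233),
        "wrong_id": accept(q, forged, "156.4.5.6", 53233),
        "right_id_wrong_port": accept(q, forged_id_ok, "156.4.5.6", 53),
        "right_id_and_port": accept(q, forged_id_ok, "156.4.5.6", 53233),
    }
```

With the ID alone, each forged packet has a 1 in 65536 chance; a randomised source port multiplies the search space by the number of ports in use, which is why resolvers randomise both and why a static source port (53 in the example) makes the blind attack practical.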