A Study in TCP/BGP Session Security
By Ilias Pallikarakis
Motivation
Inadequate security in BGP
Defcon 16 presentation by Pilosov and Kapela
Is it possible to replicate the attacks using a MitM approach?
BGP Security
Mechanisms currently used:
TCP-MD5
Generalized TTL Security Mechanism (GTSM)
Mechanisms to be implemented:
TCP-AO
RPKI
Defcon 16 Presentation Overview
They successfully advertised fake prefixes.
Made the attack hard to detect by making the router advertising the fake prefixes 'undetectable' by the traceroute tool.
Main Goals
Set up a MitM attack between two routers and attempt to hijack the BGP session
Implement a script similar to the one of Defcon 16 to hide part of the network
Tools Used
Ettercap:
MitM (ARP Poison)
Network Hiding
Scapy:
Network Hiding
BGP Session Hijacking
Tools Used
Ettercap:
Easy to use
Good for simple scripts but not for complex ones
No user interaction
Scapy:
Python library
Automatically calculates length/checksum fields
Much slower
Testing Network
General Methodology
Hide Network:
Exploit the way traceroute works
Increase the TTL to hide the network from traceroute
BGP Session Hijacking:
Intercept the BGP update messages
Find a specific prefix and alter it
BGP Hijacking Issues
Manipulate IP/TCP checksums
Manipulate variable-length fields:
IP Length
BGP Header Length
BGP Update Length fields
TCP session manipulation
TCP Session Manipulation
What if the altered BGP prefix has a different length than the original?
Need to adjust the Sequence/Acknowledgement numbers:
Keep the offset and add/remove it (best)
Copy the previous Sequence to the next Acknowledgement and vice versa (easiest)
Sequence Adjusting Mechanism
The next Acknowledgement number is always the previous Sequence + the original message's length.
For the Sequence number there are 2 cases:
The previous message was sent by the receiver (previous ack)
The previous message was sent by the sender (previous forged seq)
Example
Ettercap TTL Script
In one word: simple.
    # etterfilter rule: add 3 to the TTL of every packet destined to 1.1.1.1,
    # so traceroute probes expire three hops later than they otherwise would
    if (ip.dst == '1.1.1.1') {
        ip.ttl += 3;
        msg("Increase TTL\n");
    }
Ettercap Script BGP
Not possible:
A human would have to process the data in binary.
Cannot manipulate variable-length fields.
Can replace only 2-byte-length strings.
Scapy Methodology
Scripts are composed of:
Main: creates the nfqueue and calls Process
Process: mainly filters packets and calls the altering function
Altering Function: varied content, does the actual packet altering
Scapy BGP Issues
Originally Scapy could not understand multiple BGP update messages in the same TCP packet:
Would read only the first update.
Incorrect length calculation.
Unexpected session establishment:
While a TCP/BGP session was working, one of the routers attempted to set up a new one.
BGP Issue Solutions
BGP Multiple Update Messages:
Use the Header Marker to find how many messages appear.
Modified the original Scapy code for BGP.
Unexpected Sessions:
Drop all packets where one port is 179 and the other one is NOT the working session's port.
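The two slides above turn on one detail: a TCP segment can carry several BGP messages back to back, and the only way to walk them is the 16-byte marker plus the 2-byte length field of each header, which is also where a wrong length calculation shows up. The following checker is an added example written for this transcript, not code from the talk or from Scapy; it splits a segment into its messages, verifies that each message's length and each UPDATE's internal length fields add up, and runs against a constructed sample segment (the helper build_bgp and all sample bytes are constructed here).

```python
import struct

BGP_MARKER = b"\xff" * 16          # RFC 4271 header marker: 16 octets of all ones
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}

def split_bgp_messages(payload: bytes):
    """Walk a TCP payload and return every BGP message as (type_name, length, body).
    Header = 16-byte marker + 2-byte length + 1-byte type; the length field says
    where the next marker must start. Raises ValueError on a malformed stream."""
    msgs, off = [], 0
    while off < len(payload):
        if len(payload) - off < 19:
            raise ValueError(f"truncated header at offset {off}")
        if payload[off:off + 16] != BGP_MARKER:
            raise ValueError(f"missing marker at offset {off}")
        length, mtype = struct.unpack("!HB", payload[off + 16:off + 19])
        if not 19 <= length <= 4096 or off + length > len(payload):
            raise ValueError(f"bad length {length} at offset {off}")
        msgs.append((BGP_TYPES.get(mtype, f"TYPE{mtype}"), length,
                     payload[off + 19:off + length]))
        off += length
    return msgs

def update_lengths_consistent(body: bytes) -> bool:
    """An UPDATE body starts with a withdrawn-routes length and, after the withdrawn
    routes, a total-path-attribute length; both must fit inside the body."""
    if len(body) < 2:
        return False
    wlen = struct.unpack("!H", body[:2])[0]
    if 2 + wlen + 2 > len(body):
        return False
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    return 4 + wlen + alen <= len(body)

def is_well_formed(payload: bytes) -> bool:
    """True if the payload splits cleanly and every UPDATE's lengths add up."""
    try:
        return all(t != "UPDATE" or update_lengths_consistent(b)
                   for t, _, b in split_bgp_messages(payload))
    except ValueError:
        return False

def build_bgp(mtype: int, body: bytes) -> bytes:
    """Constructed helper: wrap a body in a BGP header with a correct length."""
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), mtype) + body

# Constructed sample segment: two UPDATEs withdrawing 10.0.0.0/8 (withdrawn
# length 2, prefix length 8, octet 10, path-attribute length 0) plus a KEEPALIVE.
UPDATE_WITHDRAW = build_bgp(2, b"\x00\x02\x08\x0a\x00\x00")
KEEPALIVE = build_bgp(4, b"")
SAMPLE_SEGMENT = UPDATE_WITHDRAW + UPDATE_WITHDRAW + KEEPALIVE
```

Feeding it a capture of a peering session is a quick way to confirm a tool's length handling before trusting its dissection, and a segment that fails is_well_formed is exactly the kind the original Scapy layer misread.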
Cisco Issue: Description
Strange packets observed of the form:
Circumstances of appearance:
Change prefix length with incorrect Seq/Ack
Change prefix to a lower length with the working script (occasionally)
Cisco Issue: Thoughts
Definitely related to the seq/ack numbers.
Tests showed that when the ack is larger the issue always appears.
Why does it appear with the correct script?
Cisco Issue: Thoughts
Test the correct script for a potential mistake.
Thoroughly check the TCP flags before the strange packets.
Check the strange traffic message by message against the same traffic sent by the router.
Conclusion
Working script (implemented in two different ways!) to increase the TTL.
Successful traceroute veil.
Renders GTSM obsolete.
Working TCP adjusting mechanism
Could be used in all TCP communication
Conclusion
Successfully replaced a prefix with one of our choice with Scapy
Contributed to Scapy's BGP layer, allowing multiple Updates to be sent/received
Discovery of the Cisco issue
Tests
Live Demonstration!
Thank You!