Transcript Lab 4
1
Outline
Introduction about MITM attack scenarios
ARP poisoning
Quick refresh on ARP
ARP methods and defenses
DNS poisoning
Quick refresh on DNS
DNS security goals
DNS poisoning by out-of-bailiwick glue RR
DNS poisoning by spoofed responses
2
MITM attack scenarios
Different attacks in different scenarios:
LOCAL AREA NETWORK:
- ARP poisoning
- DNS spoofing
- STP mangling
- Port stealing
FROM LOCAL TO REMOTE (through a gateway):
- ARP poisoning
- DNS spoofing
- DHCP spoofing
- ICMP redirection
- IRDP spoofing
- route mangling
REMOTE:
- DNS poisoning
- route mangling
- traffic tunneling
3
Addresses in Data Link Layer
32-bit IP address:
network-layer address
used to route to destination network
LAN (or MAC or physical or Ethernet) address:
To identify source & destination on same network
Known to the adapter (e.g. in PROM)
Most LANs: 48 bits, global address space
Few LANs: configurable, e.g. as function of IP addr
Special broadcast address – send to all nodes
Used for address resolution (ARP)…
4
Address Resolution Table
Each host maintains its own address resolution table
Each entry correlates an IP address with a MAC address
Each entry has a field that marks how the entry was created (Static or Dynamic)
Example:
IP Address     MAC Address         TTL
1.1.24.1       00:30:7b:91:bd:6c   8:00
1.1.24.65      00:60:e1:00:9c:70   ---
1.1.24.223     00:60:e1:00:07:91   8:03
5
ARP Mechanism
Figure: hosts A, B, C and D on one segment
Broadcast Request from A: Sender IP, Sender MAC, Target IP
C learns A’s IP, MAC
B, D could also learn, but usually don’t (since they may not send to A)
Unicast Response from C, sent to A’s MAC address
A learns C’s IP, MAC
7
ARP protocol (RFC 826)
A wants to send a datagram to B, and knows B’s IP address.
B is on the same subnet, but her MAC address is not in A’s table.
A broadcasts an ARP query packet with B's IP address; all machines on the subnet receive the ARP query.
B receives the ARP query and replies to A with its (B's) MAC address; the reply is sent to A’s MAC address (unicast).
A caches <IP,MAC> in its ARP table.
8
ARP Poisoning Attack
The ability to associate any IP address with any MAC address provides hackers with many attack vectors, including:
- Denial of Service
- Man in the Middle
- MAC Flooding
9
ARP Poisoning Attack
Attackers are often on isolated segments
How to intercept traffic from Alice to Bob?
Trick Alice into sending to Eve’s MAC address
ARP poisoning attack:
Alice uses ARP broadcast to find Bob
Eve answers; Alice uses Eve’s link address
Eve forwards to Bob and becomes the MITM
Figure: Switch connecting Eve, Alice and Bob
10
ARP Poisoning Methods
Unsolicited
Send ARP request with false sender’s IP
○ (some) hosts use it to update their ARP tables
Send ARP response with incorrect mapping
○ Unsolicited: (some) hosts update their ARP table even if they didn’t make a request
Solution: ignore unsolicited mappings
Response to ARP request
Mapping to attacker’s MAC address
Send upon hearing / expecting request
Improve chances by loading destination’s segment/host
11
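Added example, not part of the lecture slides: a toy host ARP cache that applies the defence stated above ("ignore unsolicited mappings") to the RFC 826 flow from the earlier slide. It learns only from replies to requests it actually sent, pins the gateway as a static entry, and raises an alert when a frame claims an IP that a static entry already binds to a different MAC. All frames and addresses are constructed for the demo; the IPs follow the 10.1.1.x example and the MACs the address-table slide.

```python
"""Toy ARP cache applying the slide's defence: ignore unsolicited mappings.

Added example, not part of the lecture. Constructed frames and addresses.
"""
from dataclasses import dataclass, field


@dataclass
class ArpMsg:
    op: str             # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class ArpCache:
    static: dict = field(default_factory=dict)    # ip -> mac, never overwritten
    dynamic: dict = field(default_factory=dict)   # ip -> mac, learned from replies
    pending: set = field(default_factory=set)     # IPs with an outstanding request
    alerts: list = field(default_factory=list)

    def send_request(self, target_ip):
        """Record that we broadcast a request; only these IPs may be learned."""
        self.pending.add(target_ip)

    def lookup(self, ip):
        return self.static.get(ip) or self.dynamic.get(ip)

    def receive(self, m):
        """Process one ARP frame and return what the cache did with it."""
        # Requests (including gratuitous ones with a spoofed sender) never
        # update the table here; stacks that do learn from them are exposed
        # to the first poisoning method on the slide.
        if m.op == "request":
            return "ignored_request"
        # A static entry wins over anything heard on the wire; a different
        # MAC for that IP is the gateway-impersonation pattern.
        if m.sender_ip in self.static:
            if self.static[m.sender_ip] != m.sender_mac:
                self.alerts.append(
                    f"{m.sender_ip} claimed by {m.sender_mac}, "
                    f"static entry is {self.static[m.sender_ip]}")
                return "conflict"
            return "static"
        # The defence itself: a reply we did not ask for is dropped.
        if m.sender_ip not in self.pending:
            return "ignored_unsolicited"
        old = self.dynamic.get(m.sender_ip)
        if old is not None and old != m.sender_mac:
            self.alerts.append(f"{m.sender_ip} moved from {old} to {m.sender_mac}")
        self.dynamic[m.sender_ip] = m.sender_mac
        self.pending.discard(m.sender_ip)
        return "learned"


def demo():
    """Replay constructed frames against a cache whose gateway is pinned."""
    gateway_mac = "00:30:7b:91:bd:6c"   # router 10.1.1.0
    host_mac = "00:60:e1:00:9c:70"      # legitimate 10.1.1.1
    eve_mac = "00:60:e1:00:07:91"       # malicious 10.1.1.2
    us = "10.1.1.9"                     # this host's own IP (constructed)
    cache = ArpCache(static={"10.1.1.0": gateway_mac})
    outcomes = []
    # 1. reply nobody asked for: dropped
    outcomes.append(cache.receive(ArpMsg("reply", "10.1.1.1", host_mac, us)))
    # 2. gratuitous request carrying Eve's MAC as sender for 10.1.1.1: dropped
    outcomes.append(cache.receive(ArpMsg("request", "10.1.1.1", eve_mac, "10.1.1.1")))
    # 3. we ask for 10.1.1.1; the reply is learned
    cache.send_request("10.1.1.1")
    outcomes.append(cache.receive(ArpMsg("reply", "10.1.1.1", host_mac, us)))
    # 4. Eve claims the gateway's IP: static entry conflict, alert raised
    outcomes.append(cache.receive(ArpMsg("reply", "10.1.1.0", eve_mac, us)))
    # 5. Eve re-claims 10.1.1.1 after it was resolved: unsolicited, dropped
    outcomes.append(cache.receive(ArpMsg("reply", "10.1.1.1", eve_mac, us)))
    return outcomes, cache


if __name__ == "__main__":
    results, c = demo()
    print(results, c.lookup("10.1.1.1"), c.alerts)
```

The remaining gap is step 3: a reply that arrives before the legitimate one (the "response to ARP request" method on the slide) is still learned, since the host cannot tell which answer is genuine. That is why the gateway is pinned statically here and why switch-side checks (the port security slide) are needed in addition to the host-side rule.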
ARP Poisoning Example
Example:
Assume the router’s IP is 10.1.1.0
The host’s IP is 10.1.1.1
A malicious host with IP 10.1.1.2 spoofs 10.1.1.1 and replies to requests from 10.1.1.0 with its own MAC address
From this point on all packets meant for 10.1.1.1 are routed to 10.1.1.2, because the router has the MAC address of 10.1.1.2 in its routing table
12
ARP Poisoning Tools
ARP Poisoning tools are:
ARPoison
Ettercap
Parasite
13
Port Security Mechanisms
Figure: Switch connecting Eve, Alice, Bob, the Gateway and a DHCP Server; each port is bound to the learned IP:… MAC: pair
15
Outline
Introduction about MITM attack scenarios
ARP poisoning
Quick refresh on ARP
ARP methods and defenses
DNS poisoning
Quick refresh on DNS
DNS security goals
DNS poisoning by out-of-bailiwick glue RR
DNS poisoning by spoofed responses
16
DNS Resolution Process
Figure: Client, Local Server, Root Server, .com TLD Authoritative Server (132.3.3.4), ns.bob.com (156.4.5.6)
1. Client → Local Server: Resolve `A` www.bob.com
2. Local Server → Root Server: Resolve `NS` com
   Root Server → Local Server: `NS` 132.3.3.4
3. Local Server → .com TLD Authoritative Server (132.3.3.4): Resolve `A` www.bob.com
   TLD Server → Local Server: `NS` ns.bob.com, `A` 156.4.5.6
4. Local Server → ns.bob.com (156.4.5.6): Resolve `A` www.bob.com
   ns.bob.com → Local Server: `A` 156.6.6.6 (IP of www.bob.com)
5. Client: Request to 156.6.6.6 (www.bob.com)
17
Domain Names and IP Addresses
IP packets contain source, dest IP addresses
32 bits, e.g. 128.33.44.223
Routers use IP Addresses
To deliver packets to their destinations
Users use Domain Names, e.g. www.foo.edu
Domain Names are hierarchical, and:
Meaningful: *.edu: university, www.*: web server
Easier to manage, remember and use
DNS – Map domain names to IP addresses
Fixed IP, current IP, best IP (e.g. proximity)
18
DNS Caching
Caching is critical for DNS performance
All DNS modules perform caching
Client DNS Cache
Local DNS Server Cache
DNS server used only to cache records
Clients always access this server
May be nested (… → DNS.foo.edu → ISP DNS)
Caching is of DNS Resource Records (RR)
19
Reverse DNS
`Reverse` DNS query: IP → name
How? PTR query to the in-addr.arpa domain
E.g., rDNS for IP=1.2.3.4: DNS query for the PTR record of 4.3.2.1.in-addr.arpa
Note reverse order of address bytes (why?)
4.3.2.1.in-addr.arpa controlled by ISP/owner
Use for security:
Servers should have rDNS to domain name
Use rDNS to identify (dial-in, DSL,…) clients
20
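Added example, not part of the lecture slides: building the PTR owner name for an address (IPv4 under in-addr.arpa as on the slide, and IPv6 under ip6.arpa, which the slide does not cover) and applying the "servers should have rDNS" point as a forward-confirmed check: the name the PTR returns must itself resolve back to the IP. The PTR and A records below are constructed stand-ins for what a resolver would return; mail.example.net is a made-up name.

```python
"""Reverse-DNS names and forward-confirmed rDNS (FCrDNS).

Added example, not part of the lecture. Records below are constructed.
"""
import ipaddress


def reverse_pointer_name(ip_text):
    """Return the owner name queried for a PTR record.

    IPv4: address bytes reversed under in-addr.arpa (1.2.3.4 -> 4.3.2.1.in-addr.arpa).
    IPv6: hex nibbles reversed under ip6.arpa.
    Reversing puts the host part first, so the name's suffix is the network
    prefix, which is the part delegated to the ISP/owner of the block.
    """
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 4:
        labels = ip.exploded.split(".")
        suffix = "in-addr.arpa"
    else:
        labels = list(ip.exploded.replace(":", ""))
        suffix = "ip6.arpa"
    name = ".".join(reversed(labels)) + "." + suffix
    # The standard library derives the same name; kept as a self-check.
    assert name == ip.reverse_pointer
    return name


# Constructed records standing in for resolver answers.
PTR_RECORDS = {
    "4.3.2.1.in-addr.arpa": "mail.example.net",
    "5.3.2.1.in-addr.arpa": "mail.example.net",   # PTR claims a name it does not own
}
A_RECORDS = {
    "mail.example.net": {"1.2.3.4"},
}


def forward_confirmed(ip_text, ptr_records=PTR_RECORDS, a_records=A_RECORDS):
    """FCrDNS: IP -> PTR -> name, then the name's A records must contain the IP.

    A PTR alone is set by whoever holds the address block, so it is not
    trusted on its own; the forward lookup of the returned name must agree.
    Returns (confirmed, name) with name None when no PTR exists.
    """
    name = ptr_records.get(reverse_pointer_name(ip_text))
    if name is None:
        return False, None
    return ip_text in a_records.get(name, set()), name
```

In the constructed data 1.2.3.5 has a PTR pointing at mail.example.net, but that name only resolves to 1.2.3.4, so the check rejects it; this is the case a plain PTR lookup would get wrong when rDNS is used to identify clients.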
DNS Messages
DNS protocol: send request, receive reply
Single format for requests & replies:
Header: ID (16 bits), Flags, Number of questions, Number of answers, Number of authority, Number of other
Questions: Name, Type of RR, Other
Answers, Authority, Other: RRs (Resource Records)
RR (Resource Record): Name, Type of RR, TTL in seconds, Value
21
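Added example, not part of the lecture slides: the message layout above in working code. It packs the 12-byte header (ID, flags, the four counts) and a question, parses a reply's questions and answer RRs (name, type, TTL, value) including name-compression pointers, and applies the checks a resolver must make before caching a reply: the 16-bit ID matches the outstanding query, the QR flag is set, and the question is echoed back. The reply bytes are constructed here from the resolution slide's values (www.bob.com → 156.6.6.6).

```python
"""DNS message format: build a query, parse a reply, check before caching.

Added example, not part of the lecture. The reply is constructed locally.
"""
import random
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qtype=QTYPE_A, qid=None):
    """Return (message, id). Flags: RD=1. Only QDCOUNT is non-zero."""
    qid = random.getrandbits(16) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN), qid


def decode_name(msg, off):
    """Read a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2                       # caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                           # guard against pointer loops
                raise ValueError("compression loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Parse header, question section and answer RRs of a DNS message."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)   # A record value as dotted quad
        answers.append((name, rtype, ttl, rdata))
    return {"id": qid, "flags": flags, "counts": (qd, an, ns, ar),
            "questions": questions, "answers": answers}


def build_response(qid, qname, ipv4, ttl=300):
    """Constructed reply: QR=1, RD=1, RA=1; one A answer naming the question via a pointer."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + bytes(int(x) for x in ipv4.split(".")))
    return header + question + answer


def accept_response(query_id, qname, qtype, msg):
    """Return (True, parsed) if the reply may be cached, else (False, reason)."""
    r = parse_response(msg)
    if r["id"] != query_id:
        return False, "id mismatch"
    if not r["flags"] & 0x8000:
        return False, "not a response"
    asked = (qname.rstrip(".").lower(), qtype, QCLASS_IN)
    if asked not in [(q[0].lower(), q[1], q[2]) for q in r["questions"]]:
        return False, "question mismatch"
    return True, r
```

The ID check is what separates a reply for this query from any other reply, but the field is only 16 bits, so it is a necessary check rather than a strong one; the spoofed-response poisoning in the outline is exactly a reply that passes these checks without coming from the server that was asked.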
DNS Security: Goals
Authenticity
Owners should control mappings (name → IP)
DNS-Security: cryptographically-signed DNS RR
○ To ensure security against MITM attacker
○ Although a MITM attacker can forge IP addresses anyway
○ See a few extra foils after the conclusions
Availability
Prevent Denial of Service (DoS) attacks
Non-Goal: Confidentiality
Protocol allows any server to query any other
Servers may restrict distribution
Encrypt records if needed (non-standard)
No support for hiding requests
Undesirable: allowing `what’s there?` query
22
MITM via DNS Poisoning
Allows blind attacker to become MITM
Web spoofing / phishing attacks
Spoof blacklist responses, …
Figure: Bob.com at 129.4.4.5, attacker at 6.6.6.6, the client's DNS server
0. Poison: DNS server caches bob.com → 6.6.6.6
1. Client sends DNS request: bob.com
2. DNS server response: bob.com → 6.6.6.6
3. Client sends "Dear Bob, …" with DstIP=6.6.6.6 (to the attacker instead of Bob.com at 129.4.4.5)
23