TCP/IP security - Cs Team Site | courses.cs.tau.ac.il


Introduction to Information Security
0368-3065, Spring 2016
Lecture 7: TCP/IP security
Avishai Wool
Slides credit: Dan Boneh, Stanford
Internet Infrastructure
[Figure: ISPs connected through a backbone]
- Local and interdomain routing
- TCP/IP for routing and messaging
- BGP for routing announcements
- DNS (Domain Name System): find IP address from domain name
TCP Protocol Stack
[Figure: two end hosts, each with Application, Transport, Network and Link layers, communicating through an intermediate router that has only Network and Link layers. The application protocol runs between the applications, the TCP protocol between the transport layers and the IP protocol between the network layers; the link layer provides network access over each data link.]
TCP/IP Packets
[Figure: encapsulation on the way down the stack]
- Application: message (application data)
- Transport (TCP, UDP): segment = TCP header + data
- Network (IP): packet = IP header + TCP header + data
- Link layer (Ethernet): frame = Ethernet header + IP header + TCP header + data + Ethernet trailer
Inside a LAN: Layer 2 issues - ARP
Addressing in Layer 2 / Layer 3
- Layer 3 (IP): IP address, 32 bits long
- Layer 2 (MAC): MAC address, 48 bits long
How to translate from IP address to MAC address?
“Layer 2.5” protocol: ARP
ARP (Address Resolution Protocol)
ARP request – broadcast to all stations on LAN
Computer A asks the network, “Who has this IP address?”
ARP (2)
ARP reply
Computer B tells Computer A, “I have that IP. My Physical Address is [whatever it is].”
Cache Table
Every computer stores the translations it knows in a “cache”
To view: “arp -a”
ARP Poisoning
To avoid making an ARP request before sending every IP packet, each host keeps a local cache.
Another trick to avoid excessive ARP requests: every host broadcasts an ARP reply when it comes online and/or at a fixed interval, to let everyone know its MAC address (known as “Gratuitous ARP”).
Most implementations are stateless by design, and will happily store ARP replies even if they never issued a request (for the reasons stated above).
Result – anyone on the local network can impersonate any other host by sending a malicious ARP reply in its name.
ARP Poisoning
Simplicity also leads to insecurity
- No Authentication: ARP provides no way to verify that the responding device is really who it says it is
- Stateless protocol
Attacks
- Denial of Service (DoS): an attacker can easily associate an operationally significant IP address with a false MAC address
- Man-in-the-Middle: intercept network traffic between two devices in your network
[Figure slides: Man-In-The-Middle: poison #1; Man-In-The-Middle: poison #2; Man-In-The-Middle: success!]
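Added example (not from the lecture slides): a passive ARP monitor in Python, in the spirit of arpwatch, that parses Ethernet/ARP frames and raises an alert when a reply answers no request seen on the wire, or when an IP that is already known suddenly maps to a different MAC, which is exactly what a poisoning reply looks like. The frames, MAC/IP addresses and the `monitor_frames` and `demo_frames` helpers are all constructed here for illustration.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip4(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP frame (42 bytes). Requests are broadcast; replies are unicast
    to the target MAC. Used here only to construct sample traffic."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac(target_mac)
    eth = eth_dst + mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), 6-byte hw addr, 4-byte proto addr
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac(sender_mac) + ip4(sender_ip) + mac(target_mac) + ip4(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": frame[22:28].hex(":"),
        "sender_ip": ".".join(map(str, frame[28:32])),
        "target_mac": frame[32:38].hex(":"),
        "target_ip": ".".join(map(str, frame[38:42])),
    }


def monitor_frames(frames):
    """Passive monitor: learn the first IP->MAC binding seen for each IP and report
    (a) replies that answer no request observed on the wire (unsolicited / gratuitous)
    and (b) a reply that maps an already-known IP to a different MAC."""
    table, outstanding, alerts = {}, set(), []
    for frame in frames:
        p = parse_arp(frame)
        if p is None:
            continue
        if p["op"] == ARP_REQUEST:
            outstanding.add(p["target_ip"])
        elif p["op"] == ARP_REPLY:
            if p["sender_ip"] in outstanding:
                outstanding.discard(p["sender_ip"])
            else:
                alerts.append(f"unsolicited reply for {p['sender_ip']} from {p['sender_mac']}")
            known = table.get(p["sender_ip"])
            if known is not None and known != p["sender_mac"]:
                alerts.append(f"MAC for {p['sender_ip']} changed {known} -> {p['sender_mac']}")
            table.setdefault(p["sender_ip"], p["sender_mac"])  # keep the first binding learned
    return table, alerts


def demo_frames():
    """Constructed sample traffic: host A resolves the gateway 10.0.0.1, the real gateway
    answers, then a third station sends an unsolicited reply claiming the gateway's IP."""
    return [
        build_arp(ARP_REQUEST, "aa:aa:aa:aa:aa:0a", "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"),
        build_arp(ARP_REPLY, "aa:aa:aa:aa:aa:01", "10.0.0.1", "aa:aa:aa:aa:aa:0a", "10.0.0.10"),
        build_arp(ARP_REPLY, "cc:cc:cc:cc:cc:cc", "10.0.0.1", "aa:aa:aa:aa:aa:0a", "10.0.0.10"),
    ]


if __name__ == "__main__":
    table, alerts = monitor_frames(demo_frames())
    print("learned:", table)
    for a in alerts:
        print("ALERT:", a)
```

Because gratuitous ARP (mentioned on the previous slide) is also unsolicited, the first alert type is noisy on a real LAN; the MAC-change alert for an IP such as the default gateway is the strong signal. Switch-side mitigations (static ARP entries for critical hosts, or dynamic ARP inspection tied to DHCP snooping) stop the poisoned reply before a host ever caches it.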
Promiscuous mode
Normally, the network card listens to every incoming packet and discards any packet whose destination MAC address is not its own.
When someone is running a sniffer, they will want to capture as much information as possible about the network.
Network cards can support this by going into what is called “Promiscuous mode” – where every packet received is sent to the OS for further processing.
Detecting Promiscuous Hosts
We want to detect if someone on our network is using a sniffer in promiscuous mode.
The trick – send out a ping request with the wrong destination MAC address, but the right IP target (or broadcast).
Regular hosts will discard the packet, but anyone in promiscuous mode will reply, since the IP target was valid.
Layer 3 issues - IP
IP: Internet Protocol
- Connectionless
- Unreliable
- Best effort
Note: src and dest ports are not part of the IP header.
[Figure: IP header fields – Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address of Originating Host, Destination Address of Target Host, Options, Padding, followed by IP Data]
IP Routing
[Figure: Meg (121.42.33.12) sends a packet with Source 121.42.33.12 and Destination 132.14.11.51; it passes through the office gateway (121.42.33.1), the ISP and Tom's gateway (132.14.11.1) to Tom (132.14.11.51).]
Typical route uses several hops
IP: no ordering or delivery guarantees
IP Protocol Functions (Summary)
- Routing
  - IP host knows location of router (gateway)
  - IP gateway must know route to other networks
- Fragmentation and reassembly
  - If max-packet-size is less than the user-data-size
- Error reporting
  - ICMP packet to source if packet is dropped
- TTL field: decremented after every hop; packet dropped if TTL=0. Prevents infinite loops.
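Added example, not from the lecture: a minimal IPv4 header builder/parser in Python that verifies the header checksum and performs the per-hop TTL step from the summary above (decrement, recompute the checksum, drop and report when the TTL expires). The addresses and payload are constructed; `forward` models one router hop and returns the ICMP notification the router would send instead of actually sending it.

```python
import struct


def ip4(s):
    return bytes(int(x) for x in s.split("."))


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented.
    Over a header whose checksum field is already filled in, the result is 0 iff it is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, ttl=64, proto=17, ident=0x1234):
    """20-byte header (no options) + payload, with the checksum computed. 0x45 = version 4, IHL 5."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, proto, 0, ip4(src), ip4(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet):
    """Decode the fixed header fields; raise ValueError for a malformed or corrupted header."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("bad version or header length")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    _, tos, total_len, ident, flags_frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {
        "ihl": ihl, "tos": tos, "total_len": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,        # offset is in 8-byte units
        "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": packet[20:ihl], "payload": packet[ihl:total_len],
    }


def forward(packet):
    """One router hop. Returns (forwarded_packet, None) or (None, icmp_note): a packet whose TTL
    would reach 0 is dropped and an ICMP Time Exceeded goes back to the source (the error-reporting
    role of ICMP from the slide; here the note is returned, not sent)."""
    info = parse_ipv4(packet)
    if info["ttl"] <= 1:
        return None, f"ICMP Time Exceeded to {info['src']}"
    hdr = bytearray(packet[:info["ihl"]])
    hdr[8] -= 1                                # TTL
    hdr[10:12] = b"\x00\x00"                   # checksum must be recomputed after the change
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[info["ihl"]:], None


def hops_until_dropped(packet):
    """Forward the packet hop by hop until a router discards it; returns (hops forwarded, note)."""
    hops = 0
    while True:
        packet, note = forward(packet)
        if packet is None:
            return hops, note
        hops += 1


if __name__ == "__main__":
    pkt = build_ipv4("10.1.1.1", "10.2.2.2", b"hello", ttl=3)
    print(parse_ipv4(pkt))
    print(hops_until_dropped(pkt))
```

The checksum protects only the header and only against accidental corruption; it is not a security control, which is why a forged source address (next slide) passes every router's checksum test unchanged.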
Basic IP tools
“IP spoofing”: no src IP authentication
- Client is trusted to embed correct source IP
- Easy to override using raw sockets
- SCAPY, libnet: tools for formatting raw packets with arbitrary IP headers
Anyone who owns their machine can send packets with arbitrary source IP
- … response will be sent back to forged source IP
Implications:
- Anonymous DoS attacks
- Anonymous infection attacks (e.g. slammer worm)
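Added example (not from the slides): the network-side mitigation for source-address spoofing, ingress filtering (BCP 38) with strict unicast reverse-path forwarding (uRPF), modelled in Python. A packet's source address is accepted on an interface only if the router's own best route back to that source points out the same interface, and bogon sources are dropped outright. The routing table, interface names and addresses (documentation ranges) are constructed for the example.

```python
import ipaddress

# Abbreviated bogon list (assumption: a real deployment uses the full, maintained list):
# addresses that must never appear as a source on the Internet-facing side.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


class RoutingTable:
    """Static IPv4 FIB: list of (prefix, outgoing interface) with longest-prefix-match lookup."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr):
        """Outgoing interface of the most specific route covering addr, or None."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


def ingress_check(table, in_iface, src_ip, strict=True):
    """BCP 38 ingress filter with uRPF. Returns (accept, reason).
    strict: the route back to src must leave through the interface the packet arrived on.
    loose:  any route back to src is enough (weaker; used only where routing is asymmetric)."""
    src = ipaddress.ip_address(src_ip)
    if any(src in b for b in BOGONS):
        return False, "bogon source"
    via = table.lookup(src_ip)
    if via is None:
        return False, "no route back to source"
    if strict and via != in_iface:
        return False, f"source {src_ip} is reachable via {via}, not {in_iface}"
    return True, "ok"


def demo_table():
    """Constructed ISP edge router: one customer prefix on cust0, default route to the upstream."""
    return RoutingTable([("203.0.113.0/24", "cust0"), ("0.0.0.0/0", "upstream")])


if __name__ == "__main__":
    rt = demo_table()
    for iface, src in [("cust0", "203.0.113.7"), ("cust0", "198.51.100.9"),
                       ("upstream", "203.0.113.7"), ("cust0", "10.1.2.3")]:
        print(iface, src, ingress_check(rt, iface, src))
```

The filter cannot help the victim of a spoofed packet that has already left its origin network; it works only when the network closest to the sender applies it, which is why the slide's "anyone who owns their machine" attacks persist wherever edge providers skip it. Note also that with a default route present, loose mode accepts every non-bogon source, so strict mode is what belongs on a customer-facing interface.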
Routing Vulnerabilities
Interdomain Routing
[Figure: earthlink.net and Stanford.edu as two Autonomous Systems (AS); OSPF runs inside an AS, BGP between ASs]
Autonomous System (AS): connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain)
Routing Vulnerabilities
Routing protocols:
- OSPF: used for routing within an AS
- BGP: routing between ASs
Attacker can cause the entire Internet to send traffic for a victim IP to the attacker's address.
Some examples:
- 2008: YouTube IP address space redirected to Pakistan (censorship done wrong…)
- 2010: Chinese IP publishes 37,000 prefixes covering many major websites
Whois: IP/Domain/AS information
BGP example [D. Wetherall]
[Figure: a path-vector example with ASs numbered 1 to 8, each labelled with the AS paths it has learned and advertises (e.g. 265, 7265, 327, 3265, 627). The diagram itself is not recoverable as text.]
BGP Security Issues
BGP path attestations are un-authenticated
- Attacker can inject advertisements for arbitrary routes
- Advertisement will propagate everywhere
- Used for DoS, spam, and eavesdropping
Human error problems:
- Mistakes quickly propagate to the entire Internet
Not quite as bad as it could be, because BGP operators are a “closed club” with selective acceptance and some internal sanctions.
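Added example (not the lecture's material), serving both the Routing Vulnerabilities and BGP Security Issues slides: route origin validation, the RPKI-based defense against unauthenticated path attestations, in Python. A small ROA table (authorized prefix, maximum length, origin AS) classifies each announcement as valid, invalid or not-found (the RFC 6811 states), and a longest-prefix-match lookup shows why a more-specific prefix from the wrong origin, the shape of the 2008 YouTube incident, wins unless invalid routes are dropped. All prefixes (documentation ranges) and AS numbers (private range) are constructed placeholders, not the real incident's values.

```python
import ipaddress


class RoaTable:
    """Route Origin Authorizations: (prefix, max_length, origin_as). Constructed sample data."""

    def __init__(self, roas):
        self.roas = [(ipaddress.ip_network(p), maxlen, asn) for p, maxlen, asn in roas]

    def covering(self, net):
        return [r for r in self.roas if net.subnet_of(r[0])]


def validate_origin(roas, prefix, as_path):
    """RFC 6811 origin validation. The origin is the last AS in the path.
    valid:     a covering ROA names that origin and prefix length <= max_length
    not-found: no ROA covers the prefix at all
    invalid:   covered, but wrong origin or too long (e.g. a /24 punched out of a /22)"""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    cover = roas.covering(net)
    if not cover:
        return "not-found"
    for _, maxlen, asn in cover:
        if asn == origin and net.prefixlen <= maxlen:
            return "valid"
    return "invalid"


def build_rib(roas, announcements, drop_invalid):
    """Install announcements (prefix, as_path) into a RIB keyed by prefix.
    Without ROV every announcement is accepted; with it, invalid ones are discarded."""
    rib = {}
    for prefix, as_path in announcements:
        state = validate_origin(roas, prefix, as_path)
        if drop_invalid and state == "invalid":
            continue
        net = ipaddress.ip_network(prefix)
        # prefer the shorter AS path for the same prefix (a simplified BGP decision)
        if net not in rib or len(as_path) < len(rib[net]):
            rib[net] = as_path
    return rib


def forwarding_origin(rib, dst):
    """Longest-prefix match: forwarding uses the most specific prefix, whoever announced it."""
    d = ipaddress.ip_address(dst)
    best = max((n for n in rib if d in n), key=lambda n: n.prefixlen, default=None)
    return rib[best][-1] if best else None


def demo():
    """Constructed scenario: AS64500 legitimately originates 198.51.100.0/22 (ROA max length /22);
    AS64666 announces the more specific 198.51.100.0/24 over a shorter path."""
    roas = RoaTable([("198.51.100.0/22", 22, 64500)])
    announcements = [
        ("198.51.100.0/22", [64510, 64520, 64500]),   # legitimate, three hops away
        ("198.51.100.0/24", [64510, 64666]),          # hijack: more specific, wrong origin
    ]
    without = forwarding_origin(build_rib(roas, announcements, drop_invalid=False), "198.51.100.5")
    with_rov = forwarding_origin(build_rib(roas, announcements, drop_invalid=True), "198.51.100.5")
    return without, with_rov


if __name__ == "__main__":
    print("traffic to 198.51.100.5 is delivered to AS", demo())
```

Origin validation only checks who originated a prefix; it says nothing about the rest of the path, which is the gap the SBGP-style path protection mentioned in the summary addresses. The "valid, but longer than max_length" case is included because it is the one operators most often get wrong when they write ROAs that are too permissive.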
Layer 4 issues: TCP
TCP: Transmission Control Protocol
Connection-oriented, preserves order
- Sender: break data into packets; attach packet numbers
- Receiver: acknowledge receipt (lost packets are resent); reassemble packets in correct order
[Figure: a book is mailed one page at a time, each page numbered, and the book is reassembled at the receiver]
TCP Header (IP protocol 6)
[Figure: TCP header – Source Port, Dest port, SEQ Number, ACK Number, flags URG ACK PSH RST SYN FIN, other fields]
Review: TCP Handshake
[Figure: client C and server S]
C → S  SYN:     SN_C ← rand_C, AN_C ← 0
S → C  SYN/ACK: SN_S ← rand_S, AN_S ← SN_C + 1   (server: Listening → store SN_C, SN_S → Wait)
C → S  ACK:     SN ← SN_C + 1, AN ← SN_S + 1     (server: Established)
Received packets with SN too far out of window are dropped
Basic Security Problems
1. Network packets pass by untrusted hosts
   - Eavesdropping, packet sniffing
   - Especially easy when attacker controls a machine close to victim
2. TCP state easily obtained by eavesdropping
   - Enables spoofing and session hijacking
3. Denial of Service (DoS) vulnerabilities
Why random initial sequence numbers?
Suppose initial seq. numbers (SN_C, SN_S) are predictable: attacker can create a TCP session with a spoofed source IP.
[Figure: attacker → server: TCP SYN, srcIP=victim. Server → victim: SYN/ACK, dstIP=victim, SN=server SN_S (the attacker never sees it). Attacker → server: ACK, srcIP=victim, AN=predicted SN_S, followed by a command. The server thinks the command is from the victim IP addr.]
Example DoS vulnerability [Watson'04]
Attacker sends a Reset packet to an open socket
- If SN_S is correct then the connection will close ⇒ DoS
- Naively, success prob. is 1/2^32 (32-bit seq. #'s)
- … but host systems allow for a large window of acceptable seq. #'s
- Much higher success probability
Attacker can flood with RST packets until one works
Most effective against long-lived connections, e.g. BGP
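Added example (not from the lecture): Python models of the two sequence-number issues on the slides above. `spoofed_session_accepted` shows why a blind attacker wins the spoofed-source handshake when the server's ISN is predictable and only with probability 2^-32 when it is random; `simulate_blind_rst` replays the Watson'04 reset attack against a receiver that accepts any in-window RST versus one that applies the RFC 5961 rule (reset only on an exact sequence match, challenge ACK otherwise). The connection state values are constructed, and the step-based ISN generator is a deliberately simplified stand-in for old deterministic schemes, not a model of any specific implementation.

```python
import secrets

SEQ_MOD = 1 << 32


# --- initial sequence numbers -----------------------------------------------------------------

def predictable_isn(previous_isn, step=64000):
    """Simplified old-style ISN: a counter bumped by a fixed step per connection (illustrative
    only). Anyone who opened one connection can predict the ISN the server hands the next one."""
    return (previous_isn + step) % SEQ_MOD


def random_isn():
    """Modern practice: an unpredictable 32-bit ISN per connection."""
    return secrets.randbits(32)


def spoofed_session_accepted(server_isn_for_victim, attacker_guess):
    """Final ACK of the handshake from the slide: the attacker never sees the SYN/ACK (it went to
    the victim IP), so its ACK is honoured only if AN == SN_S + 1 for an ISN it had to guess."""
    return (attacker_guess + 1) % SEQ_MOD == (server_isn_for_victim + 1) % SEQ_MOD


# --- blind RST --------------------------------------------------------------------------------

def in_window(seq, rcv_nxt, rcv_wnd):
    """seq in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def rst_classic(seq, rcv_nxt, rcv_wnd):
    """Pre-RFC 5961: any in-window RST tears the connection down."""
    return in_window(seq, rcv_nxt, rcv_wnd)


def rst_rfc5961(seq, rcv_nxt, rcv_wnd):
    """RFC 5961: reset only on an exact match; an in-window but inexact RST gets a challenge ACK
    (which a blind attacker never receives) and the connection stays up."""
    if seq == rcv_nxt:
        return "reset"
    return "challenge-ack" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def simulate_blind_rst(rcv_nxt, rcv_wnd, accepts):
    """Blind attacker: it cannot see rcv_nxt, so it sweeps the space one window at a time.
    Returns the number of RSTs sent before one is accepted, or None after a full sweep."""
    sweep = -(-SEQ_MOD // rcv_wnd)                 # ceil(2^32 / window) guesses cover everything
    for i in range(sweep):
        if accepts((i * rcv_wnd) % SEQ_MOD, rcv_nxt, rcv_wnd):
            return i + 1
    return None


def demo():
    """Constructed connection state: a 64 KiB window, ~40k guesses for the classic receiver,
    no success within a full sweep once exact matching is required."""
    rcv_nxt, rcv_wnd = 0x9ABCDEF0, 65535
    classic = simulate_blind_rst(rcv_nxt, rcv_wnd, rst_classic)
    hardened = simulate_blind_rst(rcv_nxt, rcv_wnd, lambda s, n, w: rst_rfc5961(s, n, w) == "reset")
    return classic, hardened


if __name__ == "__main__":
    probe = random_isn()                      # ISN the attacker observed on its own connection
    victim_isn = predictable_isn(probe)       # what a step-based server would hand the next one
    print("spoof succeeds against predictable ISN:", spoofed_session_accepted(victim_isn, predictable_isn(probe)))
    print("RSTs needed (classic, rfc5961):", demo())
```

The RFC 5961 rule does not shrink the window (out-of-order data still has to be accepted), it removes the attacker's ability to hit the window blindly: only the exact `rcv_nxt` resets, and the challenge ACK that an inexact guess provokes goes to the real peer, not to the attacker. This is the same long-lived-connection concern that motivates MD5/TCP-AO protection of BGP sessions.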
Domain Name System (sort of layer 5)
DNS: Domain Name System
Hierarchical Name Space
[Figure: tree rooted at “root”, with top-level domains org, edu, net, com, uk, ca; under them wisc, stanford, ucb, cmu, mit; under stanford the subdomains cs and ee; under cs the host www]
DNS Root Name Servers
Hierarchical service
- Root name servers for top-level domains
- Authoritative name servers for subdomains
- Local name resolvers contact authoritative servers when they do not know a name
DNS Lookup Example
[Figure: the client asks the local DNS resolver for www.cs.stanford.edu; the resolver in turn queries the root & edu DNS server, the stanford.edu DNS server and the cs.stanford.edu DNS server]
DNS record types (partial list):
- NS: name server (points to other server)
- A: address record (contains IP address)
- MX: mail server in charge of handling email for the domain
- TXT: generic text (e.g. used to distribute site public keys (DKIM))
Tool: nslookup
Caching
DNS responses are cached
- Quick response for repeated translations
- Useful for finding servers as well as addresses (NS records for domains)
DNS negative queries are cached
- Saves time for nonexistent sites, e.g. misspellings
Cached data periodically times out
- Lifetime (TTL) of data controlled by owner of data
- TTL passed with every record
DNS Packet
Query ID:
- 16 bit random value
- Links response to query
[Figure: DNS packet layout (from Steve Friedl)]
Resolver to NS request
[Figure: the resolver's request to a name server]
Response to resolver
- Response contains IP addr of next NS server (called “glue”)
- Response ignored if unrecognized QueryID
Authoritative response to resolver
- bailiwick checking: response is cached only if it is within the same domain as the query (i.e. a.com cannot set NS for b.com)
- final answer
Basic DNS Vulnerabilities
Users/hosts trust the host-address mapping provided by DNS:
- Used as basis for many security policies: browser same origin policy, URL address bar
Obvious problems
- Interception of requests or compromise of DNS servers can result in incorrect or malicious responses
  - e.g.: malicious access point in a cafe
- Solution – authenticated requests/responses
  - Provided by DNSsec
  - … but few use DNSsec
DNS cache poisoning (a la Kaminsky'08)
Victim machine visits attacker's web site, downloads Javascript
[Figure: the user's browser runs the JS, which queries a.bank.com; the local DNS resolver forwards the query for a.bank.com with QID=x1 to ns.bank.com (IP addr). The attacker floods the resolver with 256 responses carrying random QIDs y1, y2, …, each containing NS bank.com=ns.bank.com and A ns.bank.com=attackerIP.]
Attacker wins if ∃j: x1 = yj – the response is cached and the attacker owns bank.com
If at first you don't succeed …
Victim machine visits attacker's web site, downloads Javascript
[Figure: same as before with a fresh name: the JS queries b.bank.com; the resolver sends the query for b.bank.com with QID=x2 to ns.bank.com; the attacker again sends 256 responses with random QIDs y1, y2, …, each with NS bank.com=ns.bank.com and A ns.bank.com=attackerIP.]
Attacker wins if ∃j: x2 = yj – the response is cached and the attacker owns bank.com
Success after ≈ 256 tries (few minutes)
Defenses
• Increase Query ID size. How?
• Randomize src port, additional 11 bits
  - Now attack takes several hours
• Ask every DNS query twice:
  - Attacker has to guess QueryID correctly twice (32 bits)
  - … Apparently DNS system cannot handle the load
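Added example (not from the slides), serving the cache-poisoning, bailiwick and Defenses slides together: a Python model of the resolver-side checks they describe. `Resolver` uses a response only if its query ID and destination port match an outstanding query and the question matches, and it caches each record only if it passes the bailiwick check; `poisoning_attempt` replays one round of the race from the Kaminsky slides against it, and `expected_attempts` reproduces the slide's arithmetic for 16 versus 16+11 bits. The names (bank.com, ns.bank.com, a.com), the attacker IP (a documentation address) and the injectable QID/port sources are constructed for the example.

```python
import secrets


def in_bailiwick(name, zone):
    """A record is in bailiwick if its owner name is inside the zone the queried server is
    responsible for: ns.bank.com is in bank.com's bailiwick, b.com is not in a.com's."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def expected_attempts(id_bits, guesses_per_attempt):
    """Each attempt (one forced query) succeeds with probability guesses/2^bits, so on average
    2^bits/guesses attempts are needed: 256 for a 16-bit QID with 256 guesses (the slide's 'few
    minutes'), 2^11 times more once 11 bits of source-port entropy are added."""
    return (1 << id_bits) // guesses_per_attempt


class Resolver:
    """Caching resolver. qid_fn/port_fn default to random values; they can be injected so the
    behaviour can be tested deterministically."""

    def __init__(self, randomize_port=True, qid_fn=None, port_fn=None):
        self.cache = {}      # (name, type) -> rdata
        self.pending = {}    # (qid, src_port) -> (qname, zone queried)
        self.qid_fn = qid_fn or (lambda: secrets.randbits(16))
        if port_fn is not None:
            self.port_fn = port_fn
        elif randomize_port:
            self.port_fn = lambda: 1024 + secrets.randbelow(64512)
        else:
            self.port_fn = lambda: 53          # fixed source port: only the 16-bit QID protects us

    def send_query(self, qname, zone):
        """Record an outstanding query to zone's name server; returns the (qid, port) it used."""
        key = (self.qid_fn(), self.port_fn())
        self.pending[key] = (qname, zone)
        return key

    def receive(self, resp):
        """resp: {'qid', 'dst_port', 'question', 'records': [(name, type, rdata), ...]}."""
        key = (resp["qid"], resp["dst_port"])
        if key not in self.pending:
            return "dropped: no query with that QID/port"
        qname, zone = self.pending[key]
        if resp["question"].lower() != qname.lower():
            return "dropped: question mismatch"
        del self.pending[key]
        kept = 0
        for name, rtype, rdata in resp["records"]:
            if in_bailiwick(name, zone):        # out-of-bailiwick NS/glue is ignored, not cached
                self.cache[(name.lower(), rtype)] = rdata
                kept += 1
        return f"accepted {kept} record(s)"


def poisoning_attempt(resolver, zone, attacker_ip, qid_guesses):
    """One round of the slide's race: the victim is made to look up a fresh random name under
    zone, and a spoofed answer arrives per QID guess (to port 53, the only port the sender can
    assume), each carrying NS zone -> ns.zone plus glue A ns.zone -> attacker_ip. The zone is
    'owned' iff the glue ended up in the cache."""
    qname = f"{secrets.token_hex(4)}.{zone}"
    resolver.send_query(qname, zone)
    for qid in qid_guesses:
        resolver.receive({"qid": qid, "dst_port": 53, "question": qname,
                          "records": [(zone, "NS", "ns." + zone), ("ns." + zone, "A", attacker_ip)]})
    return resolver.cache.get(("ns." + zone, "A")) == attacker_ip


if __name__ == "__main__":
    print("expected rounds, 16-bit QID:", expected_attempts(16, 256))
    print("expected rounds, QID + 11 port bits:", expected_attempts(27, 256))
    print("poisoned with fixed port:", poisoning_attempt(Resolver(randomize_port=False), "bank.com",
                                                         "192.0.2.66", range(65536)))
    print("poisoned with random port:", poisoning_attempt(Resolver(), "bank.com",
                                                          "192.0.2.66", range(65536)))
```

The bailiwick check is what stops the older, simpler poisoning (an unrelated server handing out an NS record for bank.com); the Kaminsky variant defeats it because the forged glue is in bailiwick, which is why the remaining defenses are all about entropy in the QID and port. Modern resolvers randomize across nearly the full 16-bit port range, so the real gain is somewhat larger than the 11 bits the slide quotes; DNSsec removes the race entirely because a forged answer fails signature validation regardless of QID.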
DNS poisoning attacks in the wild
- January 2005: the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.
- November 2004: Google and Amazon users were sent to Med Network Inc., an online pharmacy.
- March 2003: a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops".
Summary
Core protocols not designed for security
- Eavesdropping, packet injection, route stealing, DNS poisoning
Patched over time to prevent basic attacks (e.g. random TCP SN, random DNS source port)
More secure variants exist:
- IP ⟶ IPsec
- DNS ⟶ DNSsec
- BGP ⟶ SBGP