Outline. Network Protocols and Vulnerabilities. Internet Infrastructure. TCP Protocol Stack

Transcription

1 Network Protocols and Vulnerabilities John Mitchell Outline u Basic Networking (FMU) u Network attacks Attack host networking protocols SYN flooding, TCP Spoofing, Attack network infrastructure Routing Domain Name System This lecture is about the way things work now and how they are not perfect. Next lecture some security improvements (still not perfect). Internet Infrastructure TCP Protocol Stack ISP Backbone ISP Application Transport Application protocol TCP protocol Application Transport u Local and interdomain routing TCP/IP for routing, connections BGP for routing announcements u Domain Name System Find IP address Network Link IP protocol Data Link IP Network Access IP protocol Data Link Network Link 1

2 Data Formats IP Internet Protocol Application Transport (TCP, UDP) Network (IP) TCP Header Application message - data message segment TCP data TCP data TCP data packet IP TCP data u Connectionless Unreliable Best effort u Transfer datagram Header Data Version Flags Header Length Type of Service Total Length Identification Fragment Offset Time to Live Protocol Header Checksum Source Address of Originating Host Link Layer frame ETH IP TCP data ETF Destination Address of Target Host IP Header Link (Ethernet) Header Link (Ethernet) Trailer Options Padding IP Data IP Routing Meg Office gateway Packet Source Destination Sequence ISP Tom Two-level Address Hierarchy u Addresses divided into two parts First: the domain (network) of the host Second: address of host within domain Network Number (Prefix) IP Address Host Number u Internet routing uses numeric IP address u Typical route uses several hops Three different address formats: Class A, Class B, Class C (not important for this course) 2

3 Simple Routing Example IP Protocol Functions (Summary) A Router b l1 c l2 Link1 (l1) Link2 (l2) Router Router B u Routing IP host knows location of router (gateway) IP gateway must know route to other networks u Error reporting IP reports discards to source u Fragmentation and reassembly If packets smaller than the user data Routing table tells how to get to subnet (not individual host) C UDP User Datagram Protocol u IP provides routing IP address gets datagram to a specific machine u UDP separates traffic by port Destination port number gets UDP datagram to particular application process, e.g., , 53 Source port number provides return address u Minimal guarantees ( mice and elephants) No acknowledgment No flow control No message continuation TCP Transmission Control Protocol u Connection-oriented, preserves order Sender Break data into packets Attach packet numbers Receiver Acknowledge receipt; lost packets are resent Reassemble packets in correct order Book Mail each page Reassemble book

4 FTP File Transfer Protocol u FTP uses TCP to transfer files u Steps in FTP Login connection User connects to remote computer Specifies name and password Data transfer Specify file names to send or receive Can also ask for list of file names, other functions SMTP Simple Mail Transfer Protocol u Protocol for transferring mail on Internet u Three associated standards Protocol used to send mail using TCP HELO, EHLO, messages Format for mail messages Set of header fields and their interpretation To: <address> From: <address> Methods for including data other than plain text Routing mail using the Domain Name System ICMP Internet Control Message Protocol u Provides feedback about network operation Error reporting Reachability testing Congestion Control u Example message types Destination unreachable Time exceeded Parameter problem Redirect to better gateway Echo/echo reply - reachability test Timestamp request/reply - measure transit delay Basic Security Problems u Network packets pass by untrusted hosts Eavesdropping, packet sniffing u IP addresses are public Smurf u TCP connection requires state SYN flooding attack u TCP state easy to guess TCP spoofing attack 4

5 Packet Sniffing u Promiscuous NIC reads all packets Read all unencrypted data ftp, telnet send passwords in clear! Alice Eve Network Bob Smurf Attack u Choose victim Flood victim with packets from many sources u Generate ping stream (ICMP Echo Req) Network broadcast address with a spoofed source IP set to a victim host u Wait for responses Every host on target network will generate a ping reply (ICMP Echo Reply) to victim Ping reply stream can overload victim Sweet Hall attack installed sniffer on local machine TCP Handshake SYN Flooding C S C S SYN C Listening SYN C1 Listening SYN S, ACK C Store data SYN C2 SYN C3 Store data Wait SYN C4 ACK S SYN C5 Connected 5

6 SYN Flooding u Attacker sends many connection requests Spoofed source addresses u Victim allocates resources for each request Connection requests exist until timeout Fixed bound on half-open connections u Resources exhausted fi requests rejected TCP Connection Spoofing u Each TCP connection has an associated state Sequence number, port number u Problem Easy to guess state Port numbers are standard Sequence numbers often chosen in predictable way IP Spoofing Attack TCP Congestion Control A B E u A, B trusted connection Send packets with predictable seq numbers u E impersonates B to A Opens connection to A to get initial seq number SYN-floods B s queue Sends packets to A that resemble B s transmission E cannot receive, but may execute commands on A Attack can be blocked if E is outside firewall. Source u If packets are lost, assume congestion Reduce transmission rate by half, repeat If loss stops, increase rate very slowly Design assumes routers blindly obey this policy Destination 6

7 Competition Source A Source B u Amiable Alice yields to boisterous Bob Alice and Bob both experience packet loss Alice backs off Bob disobeys protocol, gets better results Destination Destination TCP Attack on Congestion Control u Misbehaving receiver can trick sender into ignoring congestion control Receiver: duplicate ACK indicates gap Packets within seq number range assumed lost Sender executes fast retransmit algorithm Malicious receiver can Send duplicate ACK ACK before data is received needs some application level retransmission e.g. HTTP 1.1 range requests See RFC 2581 Solutions Add nonces ACKs return nonce to prove reception See: Savage et al., TCP Congestion Control with a Misbehaving Receiver ICMP u Reports errors and other conditions from network to hosts u Hosts take actions to respond to error u Problem An entity can easily forge a variety of ICMP error messages Redirect informs end-hosts that it should be using different first hop route Fragmentation can confuse path MTU discovery Destination unreachable can cause transport connections to be dropped Prevention u Eavesdropping Encryption, improved routing (Next lecture: IPSEC) u Smurf Turn off ping? Authenticated IP addresses? u SYN Flooding Cookies Random deletion u IP spoofing Use less predictable sequence numbers 7

8 Protection against SYN Attacks [Bernstein, Schenk] u Client sends SYN u Server responds to Client with SYN-ACK cookie sqn = f(src addr, src port, dest addr, dest port, rand) Server does not save state u Honest client responds with ACK(sqn) u Server checks response If matches SYN-ACK, establishes connection Random Deletion SYN C Half-open sessions u If queue is full, delete random entry Legitimate connections have chance to complete Fake addresses eventually deleted Easy to implement, some improvement TCP Sequence Numbers u Need high degree of unpredictability If attacker knows TCP/IP initial sequence number and amount of traffic sent, Then attacker may know set of likely values Can send a flood of packets with likely sequence numbers; one correct packet will be accepted The larger the available bandwidth, the larger the possible guess Status of sequence generators u Reported to be safe from practical attacks Cisco IOS, OpenBSD 2.8-current, FreeBSD 4.3- RELEASE, AIX, HP/UX 11i, Linux Kernels after 1996 Solaris 2.6 if strong initial sequence numbers has been turned on. Set TCP_STRONG_ISS to 2 in /etc/default/inetinit. HP/UX version by applying TRANSPORT patch PHNE_22397 IRIX and above by using the tcpiss_md5 tunable kernel parameter, which by default is off 8

9 Cryptographic protection u Solutions above the transport layer Examples: SSL and SSH Protect against session hijacking and injected data Do not protect against denial-of-service attacks caused by spoofed packets u Solutions at network layer IPSec Can protect against session hijacking and injection of data denial-of-service attacks using session resets Routing Vulnerabilities u Source routing attack Can direct response through compromised host u Routing Information Protocol (RIP) Direct client traffic through compromised host u Exterior gateway protocols Advertise false routes Send traffic through compromised hosts Source Routing Attacks u Attack Destination host may use reverse of source route provided in TCP open request to return traffic Modify the source address of a packet Route traffic through machine controlled by attacker u Defenses Gateway rejects external packets claiming to be local Reject pre-authorized connections if source routing info present Only accept source route if trusted gateways listed in source routing info Routing Table Update Protocols u Interior Gateway Protocols: IGPs distance vector type - each gateway keeps track of its distance to all destinations Gateway-to-Gateway: GGP Routing Information Protocol: RIP u Exterior Gateway Protocol: EGP used for communication between different autonomous systems 9

10 Routing Information Protocol (RIP) u Attack Intruder sends bogus routing information to a target and each of the gateways along the route Impersonates an unused host Diverts traffic for that host to the intruder s machine Impersonates a used host All traffic to that host routed to the intruder s machine Intruder inspects packets & resends to host w/ source routing Allows capturing of unencrypted passwords, data, etc Routing Information Protocol (RIP) u Defense Paranoid gateway Filters packets based on source and/or destination addresses Don t accept new routes to local networks Interferes with fault-tolerance but detects intrusion attempts Authenticate RIP packets Difficult in a broadcast protocol Only allows for authentication of prior sender Interdomain Routing earthlink.net Stanford.edu Interior Gateway Protocol Exterior Gateway Protocol Autonomous System connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain) 10

11 Transit and Peering Transit Peering Peering Transit: ISP sells access Peering: reciprocal connectivity BGP protocol: routing announcements for both BGP overview u Iterative path announcement Path announcements grow from destination to source Subject to policy (transit, peering) Packets flow in reverse direction u Protocol specification Announcements can be shortest path Nodes allowed to use other policies E.g., cold-potato routing by smaller peer Not obligated to use path you announce BGP example [D. Wetherall] Issues u Transit: 2 provides transit for 7 7 reaches and is reached via 2 u Peering: 4 and 5 peer exchange customer traffic u BGP convergence problems Protocol allows policy flexibility Some legal policies prevent convergence Even shortest-path policy converges slowly u Incentive for dishonesty ISP pays for some routes, others free u Security problems Potential for disruptive attacks 11

12 The BGP Security Problem u BGP is critical for interdomain routing Benign configuration errors wreak havoc Highly vulnerable to human errors, attacks u Little authentication, integrity At best, BGP uses point-to-point keyed MAC, with no automated key management Attack Model u BGP can be attacked in various ways Eavesdrop communication links between routers Tamper with BGP software Tamper with router management data en route Tamper with router management servers u Countermeasures add new concerns Compromise of secret/private keying material in the routers or in the management infrastructure BGP Security Requirements [Kent] u Verification of address space ownership u Authentication of Autonomous Systems (AS) u Router authentication and authorization (relative to an AS) u Route and address advertisement authorization u Route withdrawal authorization u Integrity and authenticity of all BGP traffic on the wire u Timeliness of BGP traffic DNS Domain Name System u Hierarchical Name Space org net root edu com uk ca wisc ucb stanford cmu mit cs ece www 12

13 DNS Root Name Servers DNS Lookup Example u Root name servers u Local name servers contact root servers when they cannot resolve a name Client Local NS stanford.edu NS cs.stanford.edu www=ipaddr root & edu stanford.edu cs.stanford.edu Caching Subsequent Lookup Example u DNS responses are cached Quick response for repeated translations Other queries may reuse some parts of lookup NS records for domains u DNS negative queries are cached Don t have to repeat past mistakes E.g. misspellings, search strings in resolv.conf u Cached data periodically times out Lifetime (TTL) of data controlled by owner of data TTL passed with every record Client ftp.cs.stanford.edu Local ftp.cs. stanford.edu ftp=ipaddr root & edu stanford.edu cs.stanford.edu 13

14 DNS Implementation Vulnerabilities u Reverse query buffer overrun in BIND gain root access abort DNS service u MS DNS for NT 4.0 crashes on certain input Inherent DNS Vulnerabilities u Users/hosts typically trust the host-address mapping provided by DNS u Problems Zone transfers can provide list of target hosts Forge messages by intercepting requests or compromising of s Solution authenticated requests/responses Bellovin/Mockapetris Attack u Trust relationships use symbolic addresses /etc/hosts.equiv contains friend.stanford.edu u Requests come with numeric source address Use reverse DNS to find symbolic name Decide access based on /etc/hosts.equiv, u Attack Spoof reverse DNS to make host trust attacker Reverse DNS u Given numeric IP address, find symbolic addr u To find , Query in-addr.arpa Get list of symbolic addresses, e.g., 1 IN PTR server.small.com 2 IN PTR boss.small.com 3 IN PTR ws1.small.com 4 IN PTR ws2.small.com 14

15 Attack u Gain control of DNS service for domain u Select target machine in domain u Find trust relationships SNMP, finger can help find active sessions, etc. Example: target trusts host1 u Connect Attempt rlogin from compromised machine Target contacts reverse with IP addr Use modified reverse DNS to say addr is host1 Target allows rlogin Defenses against this attack u Double-check reverse DNS Modify rlogind, rshd to query See if symbolic addr maps to numeric addr u Use another service besides DNS Network Information Service (NIS, or YP) Only works if attacker cannot control NIS u Authenticate entries in DNS tables Relies on some form of PKI? Next lecture 15