Outline. Outline. Outline

Similar documents
Looking for Trouble: ICMP and IP Statistics to Watch

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

NETWORK SECURITY WITH OPENSOURCE FIREWALL

Network Security CS 192

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Host Discovery with nmap

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Measurement Study on the Internet reachability. 3.1 Introduction. 3. Internet Backbone

CSCE 465 Computer & Network Security

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Linux Network Security

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

CMPT 471 Networking II

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

allow all such packets? While outgoing communications request information from a

Module 7. Routing and Congestion Control. Version 2 CSE IIT, Kharagpur

co Characterizing and Tracing Packet Floods Using Cisco R

Tools for penetration tests 1. Carlo U. Nicola, HT FHNW With extracts from documents of : Google; Wireshark; nmap; Nessus.

Cisco Configuring Commonly Used IP ACLs

Remote Network Analysis

basic BGP in Huawei CLI

ACHILLES CERTIFICATION. SIS Module SLS 1508

Firewall implementation and testing

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Chapter 8 Security Pt 2

Content Distribution Networks (CDN)

Attacks and Defense. Phase 1: Reconnaissance

Inter-domain Routing. Outline. Border Gateway Protocol

Hands-on Network Traffic Analysis Cyber Defense Boot Camp

Using IPM to Measure Network Performance

Protecting and controlling Virtual LANs by Linux router-firewall

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

CS5008: Internet Computing

Attack and Defense Techniques

ARP and DNS. ARP entries are cached by network devices to save time, these cached entries make up a table

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

APNIC elearning: BGP Basics. Contact: erou03_v1.0

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

Security of IPv6 and DNSSEC for penetration testers

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:

Exterior Gateway Protocols (BGP)

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

Detection of illegal gateways in protected networks

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

Firewalls. Network Security. Firewalls Defined. Firewalls

Understanding Large Internet Service Provider Backbone Networks

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas

Layer Four Traceroute (and related tools) A modern, flexible path-discovery solution with advanced features for network (reverse) engineers

Strategies to Protect Against Distributed Denial of Service (DD

Inter-domain Routing Basics. Border Gateway Protocol. Inter-domain Routing Basics. Inter-domain Routing Basics. Exterior routing protocols created to:

Quidway MPLS VPN Solution for Financial Networks

Building Secure Network Infrastructure For LANs

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

How To Understand A Network Attack

NetFlow/IPFIX Various Thoughts

Network provider filter lab

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

DDoS Mitigation Techniques

How to protect your home/office network?

Interdomain Routing. Outline

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Bell Aliant. Business Internet Border Gateway Protocol Policy and Features Guidelines

Datagram-based network layer: forwarding; routing. Additional function of VCbased network layer: call setup.

Multihoming and Multi-path Routing. CS 7260 Nick Feamster January

Firewalls 1 / 43. Firewalls

LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS

Host Fingerprinting and Firewalking With hping

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Linux Routers and Community Networks

Attack Lab: Attacks on TCP/IP Protocols

Development of a Network Intrusion Detection System

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

CIT 380: Securing Computer Systems

BGP route monitoring. Mar, 25, 2008 Matsuzaki maz Yoshinobu

IP address format: Dotted decimal notation:

Technical Support Information Belkin internal use only

An Introduction to Nmap with a Focus on Information Gathering. Ionuț Ambrosie

Lecture 23: Firewalls

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Network Forensics: Detection and Analysis of Stealth Port Scanning Attack

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

A S B

Network Level Multihoming and BGP Challenges

Learn Ethical Hacking, Become a Pentester

Lecture 5: Network Attacks I. Course Admin

Scanning Tools. Scan Types. Network sweeping - Basic technique used to determine which of a range of IP addresses map to live hosts.

Configuring Health Monitoring

Transcription:

Network Forensics: Network Prefix Scott Hand September 30 th, 2011 1 What is network forensics? 2 What areas will we focus on today?

Basics Some Techniques What is it? OS fingerprinting aims to gather information about a target host to eventually determine the operating system that the machine is running. Why? Penetration testing is one of the most common motivations for determining a host s OS. Once the OS is known, testers can take a make more focused and directed attempt at penetrating the system. Direct Banner Grabbing Basic, easy form of OS fingerprinting, but often efficient and reliable. One simply connects to the host via telnet or http and looks for any printed messages detailing the system s operating system. Indirect Banner Grabbing Information is leaked about a system from sources such as received emails (in the header information or virus scanner tagging) or the sysit command in FTP that reveals a family of operating systems. Other examples include examining programs such as ls and grep. Some Techniques Automated Fingerprinting Tools - nmap TCP Fingerprinting Each operating system reacts differently to normal and special crafted TCP packets. In particular, the flags header field contains six flags (URG, ACK, PSH, RST, SYN, FIN) that can be used to differentiate operating system behavior. ICMP Fingerprinting A similar approach can be taken using ICMP packets. The relevant field to vary is the Type field, a one byte field at the beginning of the header. 1 First sends an ICMP ping request then connects to port 80 to see if the target is responding. 2 A port scan is performed, identifying at least one open and one closed port. 3 nmap sends several crafted packets and records the replies. 1 A packet is sent with only the SYN flag set. 2 A packet is sent with no flags set. This is often called the null scan. 3 A packet is sent with URG, PSH, SYN, and FIN set. This is often called the "christmas tree" packet. 4 nmap compares replies against an OS detection fingerprint file. Automated Fingerprinting Tools - Xprobe2 A GNU tool that utilizes ICMP packets rather than TCP packets. Utilizes modules to easily adopt new probes. A configuration file contains lists of operating systems along with replies to expect for the different type flag settings. Basically just your average ping sweeper.

Basic Information Other Names IP Hijacking BGP Hijacking Route Hijacking Target and Scope Targets Application Layer protocol BGP (Border Gateway Protocol) Deals with service providers and large private networks Can black hole or intercept large amounts of internet traffic Border Gateway Protocol Border Gateway Protocol Problems We must find loop-free paths to destination This means traveling through ASes with their own set of policies Internet is a connected set of Autonomous Systems (AS) AS Types Backbone Providers Regional Providers Customers BGP aims to decentralize Internet by connecting ASes The way BGP handles these... Have designated border routers Advertise a possible route to destination to other routers Cache answers given by other routers and use those for future questions Some Observations on BGP Strengths Decentralized Doesn t care about network topology Distributed and efficient Exploitable? YES. Relies on border routers trusting one another. Some ideas: 1 If ISP trusts me as a user, advertise whatever I want! 2 If ISP filters EBGP traffic, man-in-the-middle attack their BGP TCP communications.

What do we want to achieve? Black Holing Traffic So we are AS X, and AS Y sends a path query to destination p. We know the next step is the prefix owner, AS O. The legitimate response illustrated here is to tell AS Y to send traffic to AS O. What else can we tell AS Y? Tell AS Y to that route is [X]. We can now grab all traffic send to AS O. Some Remarks on This Approach Very easy to accomplish. Happens accidentally when an ISP s border router has corrupted routing table. Not very sneaky. Intercepting Traffic Fraudulent Advertisements Specificity Tell AS Y that route is [X,O]. Forward traffic to AS O. Some Remarks on This Approach Difficult. We ll cover some problems shortly. Can be maintained discreetly much longer. 1 Advertise an invalid route for an existing routable prefix. Already covered. 2 Advertise a more specific prefix and thus grab all the traffic to that prefix. Problem: Not interceptable because you can t route it onto the prefix owner. 3 Advertise a less specific prefix and get traffic when the owner stops advertising. Problem: Not very efficient and still impossible to forward. We will focus on the first method. Some Routing Assumptions To judge the viability of several types of hijacking attempts, the following assumptions are made regarding ISP routing: Back Propagation The route advertised by AS X will propagate back towards AS Y. Some ISP filtering methods could prevent this, as could some difficulties that we will address. This can be verified in practice by recursively examining each AS in the route between X and Y. Routing Preference The ISP makes the following preference when routing traffic: Customer > Peer > Provider.

Types of Routing Attacks Existing Customer Route With these assumptions, we can divide possible attack attempts into the following groups: 1 Existing route is Customer Route 1 Invalid route is Customer Route 2 Invalid route is Peer Route 3 Invalid route is Provider Route 2 Existing route is Peer Route 1 Invalid route is Customer Route 2 Invalid route is Peer Route 3 Invalid route is Provider Route 3 Existing route is Provider Route 1 Invalid route is Customer Route 2 Invalid route is Peer Route 3 Invalid route is Provider Route Will traffic be hijacked... 1...after change to invalid Customer Route? Maybe The router will use a number of factors, including path length, policies, and distance heuristics, to decide the path to take. Therefore, this will work on some routers and not on others. 2...after change to invalid Peer Route? No 3...after change to invalid Provider Route? No Existing Peer Route Existing Provider Route Will traffic be hijacked... 1...after change to invalid Customer Route? Yes 2...after change to invalid Peer Route? Maybe 3...after change to invalid Provider Route? No Will traffic be hijacked... 1...after change to invalid Customer Route? Yes 2...after change to invalid Peer Route? Yes 3...after change to invalid Provider Route? Maybe Why the need for further analysis? Interception carries some of its own problems. Goal Safety condition - None of the ASes along the route to prefix p used by the hijacking AS should choose the invalid route advertised by it (if they do receive the invalid route) over their existing route to p.

Illustrated Problem How we want things to be: Illustrated Problem How things are: Some more assumptions Existing Customer or Peer Route Routing Preference Again, assume ISPs prefer customers to peers to providers when making routing decisions. Valley-free Property We can assume that once traffic makes a route towards a more highly preferred AS, it will never prefer a route to a less preferred AS tier. Example: Once in a peer AS, traffic will not take a provider route if possible. Advertising any invalid route will be safe. Reasoning It is safe to assume that all further routes are routes of strictly lower tiers by the Valley-free assumption, and as a result it is a safe assumption that the route will not jump back up to AS X. Let s examine some consequences of advertising an invalid path... Existing Provider Route Advertising any invalid route will not always be safe. Reasoning It is possible that every part of the route after X will be moving down to peer and then customer, but it is possible that the first edge could be to a higher tier AS (a provider). In this case, either the invalid or existing route could be preferred by the providers, peers, and clients on the route. This breaks the safety assumption.

How likely is this given existing network infrastructure? First, we focus on hijacking by tier-1 ASes for the following reasons: 1 They have no providers. Therefore, interception is safe. 2 Many tier-1 ASes have publicly available policies. Approach Examine the 7 tier-1 ASes with routes in the Route-Views repository. Estimate how many of those routes would be vulnerable to a routing attack by another tier-1 AS. Focus on top 100 sites, as many belong to a very limited set of ASes. Results Other tiers Comments Scary. This has happened before when Cogent (AS174) hijacked Google s prefix. Comments This is also pretty scary. There are lowered chances of hijacking prefixes with increasingly smaller ASes, but even 5 to 20% of the most popular prefixes could be devastating. Hands-on Experiment History There have been recorded instances of prefix hijacking, but none of the proposed interception. Can it be done? Method The authors (Ballani, Francis, Zhang) decided to do a proof of concept. How did they simulate this attack?

Method Results 1 Five geographically distinct sites were set 2 Router software peered with different ISPs from the different sites 3 They analyzed the network structure and came to the conclusion that traffic was a provider path and therefore safe. 4 Traffic was analyzed by pointing a domain name to their target prefix. Queries to it give a percent of traffic received at the site. Traffic hijacked This ranged between 66% and 97.4%. Traffic intercepted This ranged between 23.4% and 78.8%. Comments This was a successful proof of concept and about what was expected from a low level AS. Methods described could be used by ISPs to intercept traffic. Not so good. Attempt The authors attempted to detect if any interception was currently being done. The method was complicated and did forensics on past routing tables by using the archived routing tables for simulated IP traceroutes. The results were inconclusive and neither detecting nor ruled out ongoing interception. The Need for Fast Detection While detecting interception was shown to be difficult by the previous attempt, it is still important to focus at detecting more general forms of hijacking. As insidious as interception is, black holing traffic is also extremely dangerous and needs to be dealt with as soon as possible.

Observations We Can Make Paths to a prefix might differ, but should all reach the same host. In the event of a hijacking pretending to be the source, we should look for inconsistency. Is this possible? Yes. We showed previously that no hijacking method is perfect, especially not at the lower level tiers available to most attackers. Concluding Remarks References Any questions? Ballani, Hitesh and Francis, Paul and Zhang, Xinyang A study of prefix hijacking and interception in the internet. SIGCOMM Comput. Commun. Rev., 2007. Hu, Xin and Mao, Z. Morley Accurate Real-time Identification of IP Prefix Hijacking. Proc. of IEEE Security and Privacy (Oakand), 2007. Nostromo Techniques in OS-Fingerprinting Hagenberg, Sept. 2005.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information