A Very Incomplete Diagram of Network Attacks

TCP/IP Stack   | Protocol | Reconnaissance                        | Spoofing                  | Tamper           | DoS
Application    | HTTP     | 1) HTML/JS files 2) Banner Grabbing   | 1) HTTP Referrer 2) CSRF  | 1) SQLi 2) XSS   | 1) HTTP Flood
Application    | SMTP     | 1) Email Addresses 2) Banner Grabbing | 1) Mail From 2) SPAM      |                  |
Application    | DNS      | 1) Systems/Zones 2) Banner Grabbing   | DNS Spoofing              | Cache Poisoning  | DNS Reflection
Transport      | TCP      | TCP/UDP Port Scanning                 | Seq. # Pred.              |                  | 1) Reset 2) Syn Flood
Transport      | UDP      | TCP/UDP Port Scanning                 | UDP Spoofing              |                  | UDP Flood
Internet       | IP       | ICMP Scanning                         | IP Spoofing               |                  | ICMP Flood
Internet       | ICMP     | ICMP Scanning                         |                           |                  | 1) ICMP Flood 2) Ping of Death
Network/Link   |          | Network Sniffing                      | ARP Spoofing              |                  |

Reconnaissance
(TCP/IP stack diagram, reconnaissance column highlighted: Application - HTTP: 1) HTML/JS files 2) Banner Grabbing; SMTP: 1) Email Addresses 2) Banner Grabbing; DNS: 1) Systems/Zones 2) Banner Grabbing. Transport - TCP/UDP Port Scanning. Internet - ICMP Scanning. Network/Link - Network Sniffing.)

Reconnaissance
Goal: gain information. Important pre-attack steps that help identify vulnerabilities and targets.
Approaches
- Passive: monitor the traffic; search banners or other related parameters. Tools: Wireshark, p0f
- Active
  - System/Port Scanning: sends packets to TCP/UDP ports and ICMP to explore available systems/services. Tools: nmap (network mapper)
  - Vulnerability scanning: more advanced probing of a system based on known vulnerability fingerprints. Tools: Nessus Vulnerability Scan, OpenVAS, Zed Attack Proxy (HTTP)

Recon - Passive
(Diagram: Attacker <-> Target Network/Systems)
1) Attacker accesses the physical network (e.g., WiFi)
2) Sniffs traffic to collect packets (Wireshark)
3) Searches the packets for useful information:
   - software banners (products/versions)
   - authentication data (users, passwords, etc.)
   - other sensitive information (email, HTTP traffic)

Recon - System/Port Scanning
System Scanning: search for all systems on a network (ping sweep)
1) Attacker sends ICMP Echo Requests to each address in the target network (1.1.1.X)
2) If the system exists: it sends an ICMP Echo Response; else: an ICMP Dst. Host Unreachable comes back
3) ... (repeated for every address)
4) Attacker obtains a list of systems on the network
Port Scanning: search a system for open ports (services) (TCP Syn scan)
1) Attacker sends a TCP Syn to each port on the target system (1.1.1.2)
2) If the TCP port is listening: it sends TCP Syn/Ack; else: TCP Reset
3) ... (repeated for every port)
4) Attacker obtains a list of open ports

Recon - Vulnerability Scanning
1) Attacker runs a vulnerability scanner against the target system
2) Scanner probes the target using a database of vulnerability indicators, for example:
   - configurations (e.g., TLS)
   - software versions
   - known vulnerabilities
3) ... (target responses are matched against the indicators)
4) List of vulnerabilities, example: SSL v2, Apache 2.2, Shellshock

Spoofing
(TCP/IP stack diagram, spoofing column highlighted: Application - HTTP: 1) HTTP Referrer 2) CSRF; SMTP: 1) Mail From 2) SPAM; DNS: DNS Spoofing. Transport - TCP: Seq. # Pred.; UDP: UDP Spoofing. Internet - IP Spoofing. Network/Link - ARP Spoofing.)

ARP Spoofing
Recall ARP (Address Resolution Protocol): you know the IP address of a system, but not its MAC (link) address.
Problem: ARP messages aren't authenticated.
Attack: the attacker can create a malicious ARP Response claiming to be the system with the requested IP. Generally a race between the attacker and the actual target.
Security Mechanisms: static ARP tables on hosts/network switches

ARP Spoofing (diagram)
Normal ARP: Source asks who has IP 1.2.3.4; Destination (IP 1.2.3.4, MAC 00:11:22:33:44:55) answers with its MAC.
Spoofed ARP: Attacker answers the request for 1.2.3.4 with its own MAC before Destination (IP 1.2.3.4, MAC 00:11:22:33:44:55) does.

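The race in the diagram and the static-table mitigation can both be shown on a captured sequence of ARP replies. This is an added example, not from the slides; the replies, the attacker MAC and the static table are constructed.

```python
# Constructed ARP replies observed on the segment: (time_s, sender_ip, sender_mac)
ARP_REPLIES = [
    (0.000, "1.2.3.4", "00:11:22:33:44:55"),  # legitimate host answers
    (5.002, "1.2.3.4", "00:11:22:33:44:55"),
    (9.100, "1.2.3.4", "de:ad:be:ef:00:01"),  # attacker wins the race
    (9.103, "1.2.3.4", "00:11:22:33:44:55"),  # real host answers too late
    (12.00, "1.2.3.9", "aa:bb:cc:dd:ee:ff"),  # unrelated host
]
STATIC_ARP = {"1.2.3.4": "00:11:22:33:44:55"}  # entry pinned by the administrator


def detect_arp_spoofing(replies, static_table):
    """Return alerts as (time, ip, kind, detail). Two signals: a reply that
    contradicts a static entry, and an IP whose MAC flips between replies."""
    learned, alerts = {}, []
    for t, ip, mac in replies:
        pinned = static_table.get(ip)
        if pinned is not None and mac != pinned:
            alerts.append((t, ip, "static-conflict",
                           f"reply claims {mac}, static table says {pinned}"))
        prev = learned.get(ip)
        if prev is not None and prev != mac:
            alerts.append((t, ip, "mac-flap", f"{prev} -> {mac}"))
        learned[ip] = mac
    return alerts


def resolve(ip, replies, static_table):
    """Resolution as a host does it: a pinned (static) MAC is never overwritten
    by a reply; without a pin, the most recent reply wins, which is the race."""
    if ip in static_table:
        return static_table[ip]
    latest = None
    for _, rip, mac in replies:
        if rip == ip:
            latest = mac
    return latest


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, STATIC_ARP):
        print(alert)
    # Without a static entry the attacker's reply is what the host uses at t=9.1
    print(resolve("1.2.3.4", ARP_REPLIES[:3], {}))         # de:ad:be:ef:00:01
    print(resolve("1.2.3.4", ARP_REPLIES[:3], STATIC_ARP)) # 00:11:22:33:44:55
```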
IP Quick Review
Source: RFC 791, Internet Protocol, https://www.ietf.org/rfc/rfc791.txt

IP Spoofing
- IP was developed without authentication capabilities (1970s)
- The source address can be spoofed so the receiver thinks the sender was someone else
- Still seen frequently (usually with DoS attacks)
Security Mechanisms:
- Routers may filter packets with incorrect source IP addresses
- IPsec provides authentication of IP packets
- IPv6: default support for IPsec

TCP - Quick Review
Handshake:
  Client -> Server: syn, sn=x
  Server -> Client: syn-ack, sn=y, ack=x+1
  Client -> Server: ack, ack=y+1
Established:
  Client -> Server: ack, sn=x+1, ack=y+1 (carries data1)
  Server -> Client: ack, sn=y+1, ack=x+1+data1
  Client -> Server: ack, sn=x+1+data1, ack=y+1
Tear Down:
  fin, ack, fin, ack

TCP Spoofing
- TCP is a stateful connection with sequence & acknowledgement numbers
- Packets with incorrect sequence numbers (outside the current receive window) will be rejected; the sequence number is a 32-bit number (2^32 values)
- Also need to predict the src/dst ports
- *Also requires IP spoofing
Security mechanisms:
- Randomized Initial Sequence Numbers (ISNs) prevent an attacker from guessing the number
- Not helpful if the attacker can view your TCP session and obtain the current sequence numbers

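The acceptance rule above (right 4-tuple, sequence number inside the receive window, 32-bit wraparound) and why sequential ISNs defeat it can be written down directly. This is an added example, not from the slides; the `Connection` type, the addresses and the window size are constructed.

```python
from dataclasses import dataclass

MOD = 1 << 32   # sequence numbers are 32-bit and wrap around


@dataclass
class Connection:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    rcv_nxt: int   # next sequence number the receiver expects
    rcv_wnd: int   # current receive window in bytes


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq falls in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def segment_accepted(conn, src_ip, src_port, dst_ip, dst_port, seq):
    """A segment (spoofed or not) is only considered if its 4-tuple matches the
    connection and its sequence number lies inside the receive window."""
    if (src_ip, src_port, dst_ip, dst_port) != \
            (conn.src_ip, conn.src_port, conn.dst_ip, conn.dst_port):
        return False
    return seq_in_window(seq, conn.rcv_nxt, conn.rcv_wnd)


def blind_success_probability(rcv_wnd, port_choices=1 << 16):
    """Chance that one blind segment lands in the window when both the client
    port and the sequence number must be guessed (IP addresses known)."""
    return (rcv_wnd / MOD) / port_choices


def predict_next_isn(observed):
    """Extrapolate the next ISN from the average increment of observed ISNs.
    Exact against a sequential generator, useless against randomized ISNs."""
    if len(observed) < 2:
        raise ValueError("need at least two observed ISNs")
    step = ((observed[-1] - observed[0]) % MOD) // (len(observed) - 1)
    return (observed[-1] + step) % MOD


if __name__ == "__main__":
    conn = Connection("198.51.100.7", 40000, "203.0.113.10", 80, 1000, 65535)
    print(segment_accepted(conn, "198.51.100.7", 40000, "203.0.113.10", 80, 1500))
    print(blind_success_probability(conn.rcv_wnd))
    print(predict_next_isn([0, 64000, 128000]))   # 192000 for a sequential ISN
```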
DNS Quick Review (diagram)
A host on the Local Network asks the Local Name Server for www.randomsite.com (1, 8). The Local Name Server resolves it iteratively over the Internet: Root Name Server (2, 3), .com Name Server (4, 5), RandomSite.com Name Server (6, 7). The host then opens an HTTP connection to www.randomsite.com on the RandomSite Network (9, 10).

DNS Spoofing (diagram)
Same resolution path as above (Local Name Server -> Root Name Server -> .com Name Server -> RandomSite.com Name Server), but a spoofed DNS response replaces the answer for www.randomsite.com, so the host's HTTP connection (9, 10) goes to attacker.com instead of the RandomSite Network.

DNS Spoofing
- Originally DNS didn't have any authentication
- Attackers could spoof a DNS response to get a user to visit a different system
- If MITM attack: simply manipulate the DNS response
- If spoofing only (i.e., no ability to see current traffic): each DNS request carries a unique 16-bit Query ID; if the response Query ID != the request Query ID, the response is disregarded
- Before ~2008 the Query ID was sequential, so an attacker could guess future query IDs and inject spoofed DNS responses
Examples:
- China manipulated DNS records for sites: http://www.computerworld.com/article/2516831/security0/china-s-great-firewall-spreadsoverseas.html
- Turkey manipulated DNS to block Twitter: http://www.theguardian.com/world/2014/mar/21/turkey-blocks-twitter-prime-minister
Security Mechanisms:
- Randomize the DNS Query ID
- A spoofed DNS response must also have the correct Dst. Port
- DNSSEC

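The Query ID / destination port check is the whole of a stub resolver's defence against blind spoofing, so it is worth modelling both the pre-2008 behaviour and the randomized one side by side. This is an added example, not from the slides; `StubResolver`, `DnsMessage` and the answers are constructed (the www.randomsite.com / attacker.com names come from the diagram).

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsMessage:
    query_id: int   # 16-bit transaction ID, copied from query to response
    port: int       # resolver's UDP port: source on the query, dst on the response
    qname: str
    answer: str = ""


class StubResolver:
    """Accepts a response only if its Query ID, destination port and question
    match an outstanding query. randomize=False models sequential IDs and a
    fixed port (pre-2008); randomize=True models the hardened resolver."""

    def __init__(self, randomize=True):
        self.randomize = randomize
        self.next_id = 1
        self.pending = set()   # (query_id, port, qname) of unanswered queries

    def send_query(self, qname):
        if self.randomize:
            qid = secrets.randbelow(1 << 16)
            port = 1024 + secrets.randbelow((1 << 16) - 1024)
        else:
            qid = self.next_id
            self.next_id = (self.next_id + 1) & 0xFFFF
            port = 53
        self.pending.add((qid, port, qname))
        return DnsMessage(qid, port, qname)

    def receive(self, resp):
        key = (resp.query_id, resp.port, resp.qname)
        if key not in self.pending:
            return None   # Query ID or port mismatch: disregarded
        self.pending.discard(key)   # first matching answer wins, later ones ignored
        return resp.answer


def blind_guess_space(randomize):
    """(query_id, port) combinations a blind spoofer has to cover per query.
    With sequential IDs the effective space is far smaller than 2^16, since one
    observed ID reveals the next."""
    return (1 << 16) * ((1 << 16) - 1024) if randomize else 1 << 16
```

Run against the sequential resolver, a forged response carrying the next ID and port 53 is accepted; against the randomized one the same forgery is dropped and only a response echoing the real (ID, port) pair gets through.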
DNSSEC
- DNSSEC: authentication for DNS responses; zones are digitally signed (authentication/integrity)
- New DNS record types:
  - DNSKEY - public key for DNS resolvers; the KSK (key signing key) is used to sign the DNSKEY set, the ZSK (zone signing key) is used to sign all records
  - RRSIG - DNSSEC signature for a record set
- Issues: still not widely deployed (<5%)
http://blog.cloudflare.com/dnssec-an-introduction/

Email Spoofing
- Simple Mail Transfer Protocol (SMTP): the protocol for sending email
- Many authentication challenges, which allow spoofing
Examples:
- SPAM: unsolicited emails
- Phishing: spoofed emails attempting to carry an attack
How:
- Difficult to establish trust between mail domains
- Can often forge email fields, e.g., Mail From

Email spoofing example (SMTP session typed by hand over telnet)
  > telnet mailserver 25
  > EHLO mailserver
  > MAIL FROM: barackobama@whitehouse.gov
  > RCPT TO: ahahn@eecs.wsu.edu
  > DATA
  This is a fake message.
  .

Email - S/MIME
Security Mechanisms:
- S/MIME: encryption for email messages
  - MIME (Multipurpose Internet Mail Extension): specification of the mail format
  - S/MIME utilizes public key encryption; messages can be Signed, Enveloped (encrypted), or Both
- Problem: difficult to create a PKI; feasible within an organization, more difficult between organizations
- PGP (Pretty Good Privacy): similar to S/MIME, but no centralized PKI; users can publish their own public key info

Denial of Service (DoS) Attacks
(TCP/IP stack diagram, DoS column highlighted: Application - HTTP: 1) HTTP Flood; DNS: DNS Reflection. Transport - TCP: 1) Reset 2) Syn Flood; UDP: UDP Flood. Internet - IP: ICMP Flood; ICMP: 1) ICMP Flood 2) Ping of Death. Network/Link - none listed.)

DoS Attacks
Definition: DoS is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing unit (CPU), memory, bandwidth, and disk space.
Techniques:
- Malformed (poison) packet: a malformed packet that triggers some software vulnerability/weakness, causing a system crash
- Flooding: overwhelming system resources (e.g., network bandwidth, CPU speed)
Other DoS types:
- DDoS: Distributed DoS
- Reflection/Amplification
- Non-malicious: slashdotted, flash crowd

Flooding
Goal: overload the capacity of the network/system
- Network: consume resources (e.g., bandwidth)
- System: exhaust the system's ability to process data
Types:
- ICMP Flood: ICMP Echo Request messages (often filtered); ICMP Destination Unreachable (not as commonly filtered)
- UDP Flood: send large UDP packets to some system (e.g., DNS); UDP is connectionless, so there is no TCP handshake overhead
- HTTP Flood: sending legitimate HTTP GET/POST messages to a web server

Flooding - Continued
TCP Syn Flood
How:
- Attacker sends a large number of TCP Syn packets to the server
- Server creates a half-open connection and sends Syn-Ack
- Client doesn't send the Ack that would open the connection
Result: the attack exhausts the finite list of half-open connections allowed by the operating system
Defense:
- After the server sends Syn-Ack, it removes the entry from the Syn queue
- Uses Syn cookies, which encode the IP addresses/ports and sequence numbers
- Prevents exhaustion of the Syn queue

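A Syn cookie works because the server can recompute everything it would have queued from the client's final Ack. The following encoder/validator is an added example, not from the slides and not any particular kernel's code; the layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash), the secret key and the MSS table are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-per-boot-secret"   # a real server uses a random key
MSS_TABLE = (536, 1300, 1440, 1460)        # MSS values encodable in 3 bits
MOD = 1 << 32


def _hash24(src_ip, src_port, dst_ip, dst_port, client_isn, count):
    """24-bit MAC over the 4-tuple, the client's ISN and the time counter."""
    msg = struct.pack("!4sH4sHIB", socket.inet_aton(src_ip), src_port,
                      socket.inet_aton(dst_ip), dst_port, client_isn, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Server ISN for the Syn-Ack: 5-bit time counter | 3-bit MSS index |
    24-bit hash. No Syn-queue entry is kept; the state travels in the cookie."""
    count = (int(now) // 64) & 0x1F           # ticks every 64 seconds
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    h = _hash24(src_ip, src_port, dst_ip, dst_port, client_isn, count)
    return (count << 27) | (mss_idx << 24) | h


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack, now):
    """Validate the handshake's final Ack: the client echoes our ISN + 1 in the
    ack field. Return the negotiated MSS if the cookie is genuine and recent,
    else None. A flood of Syns with no Acks costs the server no memory."""
    cookie = (ack - 1) % MOD
    count = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    cur = (int(now) // 64) & 0x1F
    if (cur - count) & 0x1F > 1:              # older than two ticks: stale
        return None
    expected = _hash24(src_ip, src_port, dst_ip, dst_port, client_isn, count)
    if expected != cookie & 0xFFFFFF:         # forged, replayed or wrong peer
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    peer = ("198.51.100.7", 40000, "203.0.113.10", 80)
    isn = make_syn_cookie(*peer, 12345, 1460, 1000.0)   # sent in the Syn-Ack
    print(check_syn_cookie(*peer, 12345, (isn + 1) % MOD, 1010.0))   # 1460
    print(check_syn_cookie(*peer, 12345, (isn + 1) % MOD, 1300.0))   # None (stale)
```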
Malformed (poison) Packet
- Causes software or the operating system to crash; usually the result of a software vulnerability/error
Examples:
- Ping of Death: an ICMP ping packet > 2^16 bytes violates the protocol; caused buffer overflows/crashes on older Windows/Unix systems
- Teardrop: targets incorrect reassembly of fragmented IP packets; overlapping fragments caused the operating system to crash

Reflection
How:
- The attacking system sends packets with a spoofed source IP address to an intermediate system
- The intermediate system responds to the target system
- The victim thinks the attack originates from the intermediate system, not the attacker
Why: the attack is less likely to be identified
Example protocols:
- TCP handshake
- UDP (DNS, NTP, SNMP): the attacker doesn't have to set up sessions!

Reflection Example: TCP (diagram)
Normal TCP Handshake vs. TCP Syn spoofing: a spoofed Syn causes the server to continually send Syn-Acks to the target system.

Amplification
- Generally used along with reflection
- Increases the attack's bandwidth: the bandwidth sent by the intermediate system is greater than the bandwidth produced by the attacker (response packet > spoofed request packet)
- Common protocols: DNS, NTP
- Example: DNS request = 60 bytes, response = 512 bytes max

DDoS - Distributed DoS
- Utilizes a large number of attacking systems
- Increases the amount of traffic sent by the attack
- More difficult to prevent: can't filter a single system; difficult to differentiate attack traffic from normal traffic
Control:
- Centralized: a single attacker has control over a large number of systems (e.g., botnet). Example: http://blog.cloudflare.com/65gbps-ddos-no-problem/
- Distributed: attacks launched by individual parties (e.g., Anonymous). Example: http://bits.blogs.nytimes.com/2012/11/15/anonymousattacks-israeli-web-sites/

DDoS Architecture (diagram)
Attacker -> command and control data -> Botnet -> DoS traffic -> target

DDoS Examples
- 65 Gbps DoS attack (http://blog.cloudflare.com/65gbps-ddos-noproblem/): 65,000 systems with a 1 Mbps (upstream) link
- Amplification: assuming a 60-byte request and a 512-byte response, only ~7617 systems are required for the same DoS attack

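The 65,000 and ~7617 figures follow from the amplification definition two slides back; the functions below carry that calculation through so the numbers can be reproduced for other link speeds and protocols. This is an added example, not from the slides; the request/response sizes are the ones the slides use.

```python
GBPS = 1e9
MBPS = 1e6


def amplification_factor(request_bytes, response_bytes):
    """Bytes the reflector sends to the victim per byte the attacker spends."""
    return response_bytes / request_bytes


def hosts_needed(target_bps, per_host_bps, amplification=1.0):
    """Attacking hosts needed to deliver target_bps at the victim when each
    host has per_host_bps upstream and reflectors multiply every byte by
    `amplification`. Returned as a float; round up for a whole-host count."""
    return target_bps / (per_host_bps * amplification)


def victim_bandwidth(attacker_bps, amplification):
    """Traffic arriving at the victim for a given attacker-side send rate."""
    return attacker_bps * amplification


if __name__ == "__main__":
    dns = amplification_factor(60, 512)                       # ~8.53x
    print(hosts_needed(65 * GBPS, 1 * MBPS))                  # 65000.0 direct
    print(round(hosts_needed(65 * GBPS, 1 * MBPS, dns)))      # 7617 via DNS reflectors
    print(victim_bandwidth(1 * MBPS, dns) / MBPS)             # ~8.53 Mbps per host
```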
DoS Defenses
Attack Prevention and Preemption:
- Employ backup resources
- Distributed data hosting (Content Delivery Networks): data hosted on multiple servers (often geographically distributed); DNS is used to optimally direct requests to different servers. Example: Akamai
- Firewalls/traffic filtering: identify and block unwanted traffic; often challenging to differentiate wanted from unwanted traffic (discussed more later)
Attack source traceback/identification:
- Identify the source of the attack; usually requires coordination between Internet service providers and law enforcement
