Final exam review, Fall 2005 FSU (CIS-5357) Network Security
Instructor: Breno de Medeiros

1. What is an insertion attack against a NIDS?
Answer: An insertion attack against a network intrusion detection system is one in which the attacker eludes detection (for instance, attack-signature recognition) by making the NIDS reconstruct a packet sequence that includes a packet which will be discarded before it reaches the target, or will never reach it at all. The NIDS then analyzes a data stream that differs from the one the target actually receives.

2. How may the "do not fragment" flag in an IP header be exploited to enable an insertion attack?
Answer: An IP packet with the DF flag set is discarded by a router if it is too long to be forwarded onto the next physical network (the router returns an ICMP "fragmentation needed" message instead of fragmenting it). If the NIDS does not know that the packet will be dropped, because it ignores the network topology and link MTUs downstream of its own vantage point, it treats the packet as part of the sequence reaching the host.

3. Explain an evasion attack against a NIDS.
Answer: An evasion attack against a NIDS is one in which the attacker eludes detection by making the NIDS reconstruct a packet sequence that omits a packet the host will accept. The NIDS discards, or never considers, data that the end system actually processes.

4. How may an attacker use a bad UDP checksum to exploit the NIDS via an evasion attack?
Answer: If the host does not discard UDP packets with incorrect checksums but the NIDS does, the attacker can carry part of the attack payload in a packet with a deliberately incorrect checksum. The NIDS drops that packet and never sees the complete attack, while the host accepts it.

5. How may IP fragmentation be used to implement a denial-of-service attack against a NIDS?
Answer: In order to reconstruct the data stream, the NIDS must in particular reconstruct IP packets by collating their fragments, which means buffering partially received packets. An attacker can send fragments of many IP packets while withholding at least one fragment of each, so that none of them can ever be completed. If the number of such incomplete packets is large enough, the NIDS runs out of buffer memory for reassembly and can no longer track legitimate fragmented traffic.

6. What is the difference between a stateless vs. stateful firewall?
Answer: A stateless firewall keeps no information about existing connections, TCP sequence numbers, handshake state, and so on. It analyzes each packet independently, on the basis of its header fields alone, rather than as part of a packet sequence. A stateful firewall maintains a table of the connections it has seen being established and decides on a packet according to the state of the connection it belongs to.
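The two discrepancies behind questions 1 through 5 (and 13(d)-(e) below), as an added example that is not part of the original review sheet. It is a toy model: each packet carries one payload byte at an offset, the host policy and the "topology-blind" NIDS policy are assumptions chosen to reproduce the DF-flag insertion and the bad-checksum evasion, and both sides reassemble with a "first data for an offset wins" rule. The signature string and the MTU value are made up.

```python
"""Toy model of NIDS insertion and evasion (Ptacek & Newsham style).

Added example, not part of the review sheet. Packet fields, the host and NIDS
acceptance policies and the reassembly rule are assumptions chosen so that:
  * insertion: the NIDS accepts a packet the host never sees (DF + oversized);
  * evasion:   the NIDS drops a packet the host accepts (bad UDP checksum).
"""
from dataclasses import dataclass

SIGNATURE = b"ATTACK"      # constructed attack signature
LAST_HOP_MTU = 576         # assumed: the link in front of the target is narrow


@dataclass
class Packet:
    offset: int                  # position of the single payload byte in the stream
    data: bytes                  # one byte of payload
    size: int = 64               # total length on the wire
    dont_fragment: bool = False
    checksum_ok: bool = True


def host_accepts(p: Packet) -> bool:
    """What actually reaches the target application."""
    if p.dont_fragment and p.size > LAST_HOP_MTU:
        return False             # router ahead of the host drops it (Q2)
    return True                  # assumed: this host ignores UDP checksums (Q4)


def nids_accepts(p: Packet) -> bool:
    """A checksum-checking NIDS that does not know the downstream topology."""
    return p.checksum_ok


def reassemble(packets, accept):
    seen = {}
    for p in packets:
        if accept(p) and p.offset not in seen:   # first data for an offset wins
            seen[p.offset] = p.data
    return b"".join(seen[k] for k in sorted(seen))


def insertion_stream():
    # 'X' at offset 2 is DF and oversized: the host never sees it, the NIDS does.
    return [Packet(0, b"A"), Packet(1, b"T"),
            Packet(2, b"X", size=1500, dont_fragment=True),
            Packet(2, b"T"), Packet(3, b"A"), Packet(4, b"C"), Packet(5, b"K")]


def evasion_stream():
    # 'T' at offset 2 carries a bad checksum: the NIDS drops it, the host accepts it.
    return [Packet(0, b"A"), Packet(1, b"T"),
            Packet(2, b"T", checksum_ok=False),
            Packet(3, b"A"), Packet(4, b"C"), Packet(5, b"K")]


def views(packets):
    """(what the host reassembles, what the NIDS reassembles)"""
    return reassemble(packets, host_accepts), reassemble(packets, nids_accepts)


def detected(packets):
    """(signature present in host stream, signature present in NIDS stream)"""
    host, nids = views(packets)
    return SIGNATURE in host, SIGNATURE in nids


if __name__ == "__main__":
    for name, stream in (("insertion", insertion_stream()), ("evasion", evasion_stream())):
        host, nids = views(stream)
        print(f"{name}: host sees {host!r}, NIDS sees {nids!r}, alert={SIGNATURE in nids}")
```

In both cases the host receives the full signature while the NIDS sees a different byte string and raises no alert; the fix in real systems is to make the NIDS model the target's stack and topology (or to normalize traffic in-line) rather than to guess.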

7. May a stateless firewall block TCP connection initiation requests to some local host, but allow returning traffic to flow to existing connections initiated by the local host to an external host?
Answer: Yes. The firewall filters out inbound packets destined to the local host that have the SYN flag set and the ACK flag clear (connection requests), but allows SYN-ACK packets and other packets with the ACK flag set to flow through, since those are replies to connections the local host initiated.

8. May a stateless firewall prevent all probing of a specific port without preventing all communication to that port? Why or why not?
Answer: No. If any traffic is allowed to that port on the host, a probe can send a packet crafted as if it belonged to a previously existing connection (for instance, a packet with only the ACK flag set). Since the firewall is stateless and has no knowledge of which connections actually exist, it must allow the packet as genuine. This will cause the host (if listening at that port) to send a

9. Suppose a host-based firewall on a server keeps state for existing TCP connections, i.e., it tracks the state of TCP handshakes and only allows non-handshake packets on established connections. It must keep a SYN-received/SYN-ACK-sent queue entry for each half-open connection until it sees the responding ACK. Since the firewall queue is finite, it can be overwhelmed by a SYN-flood attack in which an attacker node sends many connection requests (SYN packets) under spoofed IP addresses, to make the firewall run out of queue space. What will happen if, when the firewall runs out of queue space, it blocks further SYN packets? What will happen if, when the firewall runs out of queue space, it stops enforcing the restriction on non-handshake packets? Explain why an ACK time-out strategy will not solve this problem.
Answer: In the first case, the firewall itself becomes the instrument of a denial-of-service attack on the server, since it drops all further connection requests, legitimate ones included. In the second case, the firewall loses the ability to enforce the restriction that non-handshake packets are accepted only on established connections, since it no longer has complete knowledge of the set of established connections. An ACK time-out strategy will not work against a large attack: the attacker can generate enough SYN packets to fill the queue before the first entry times out, and can keep sending spoofed SYNs faster than entries expire, so the queue stays full.

10. What is a dual-homed host?
Answer: A dual-homed host is a computer with two network interfaces, each connected to a different network. Traffic between the two networks passes through the dual-homed host, which can implement complex filtering rules (or application-level proxies) on what it forwards.

11. What is a perimeter network? Name its important components.
Answer: A perimeter network (DMZ) stands between the Internet and the internal network. Its important components are the external router, connecting the perimeter network to the Internet; the internal router, connecting the perimeter network to the internal network; and the bastion hosts, which are the nodes of the perimeter network.

12. What types of network services are often placed at bastion hosts and why?
Answer: DNS, Web, FTP and other servers intended for external users. These servers are highly visible and therefore likely to be attacked. Placing them on the perimeter network rather than on the internal network means that external traffic to them does not have to cross the internal router, which often implements more complex filtering rules than the external one, and that a compromised bastion host does not by itself give the attacker a foothold inside the internal network.
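Questions 7 through 9 above, as an added example that is not part of the original review sheet. The segment model, the single stateless rule, the half-open queue and its two "queue full" policies are assumptions made for this illustration; the addresses and ports are constructed. The example shows the stateless filter passing replies and bare-ACK probes, the stateful filter rejecting the probe before a flood, and then the stateful filter either failing closed (new connections dropped) or failing open (enforcement lost) once spoofed SYNs exhaust its queue.

```python
"""Stateless vs stateful filtering of inbound TCP (questions 6-9).

Added example, not from the review sheet. The packet model, the rule set and
the queue policies are assumptions. Addresses/ports are constructed.
"""
from dataclasses import dataclass, field

SERVER = "10.0.0.5"          # constructed address of the protected host


@dataclass(frozen=True)
class Seg:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = field(default_factory=frozenset)


def inbound(s: Seg) -> bool:
    return s.dst == SERVER


def stateless_allow(s: Seg) -> bool:
    """Q7: drop inbound connection requests (SYN without ACK); pass everything else."""
    if inbound(s) and "SYN" in s.flags and "ACK" not in s.flags:
        return False
    return True


class StatefulFilter:
    """Q9: host firewall that tracks handshakes; the queue holds half-open entries."""

    def __init__(self, queue_capacity, on_full):
        assert on_full in ("drop_syn", "fail_open")
        self.cap, self.on_full = queue_capacity, on_full
        self.half_open = set()       # (src, sport) awaiting the client's final ACK
        self.established = set()
        self.enforcing = True

    def allow(self, s: Seg) -> bool:
        if not inbound(s):
            return True
        key = (s.src, s.sport)
        if "SYN" in s.flags and "ACK" not in s.flags:        # new request
            if len(self.half_open) >= self.cap:
                if self.on_full == "drop_syn":
                    return False                             # fails closed: DoS
                self.enforcing = False                       # fails open
                return True
            self.half_open.add(key)                          # SYN-ACK goes out
            return True
        if key in self.half_open and "ACK" in s.flags:       # handshake completes
            self.half_open.discard(key)
            self.established.add(key)
            return True
        if key in self.established:
            return True
        return not self.enforcing    # non-handshake packet on an unknown connection


def syn_flood(fw, count):
    """Spoofed SYNs: nobody ever sends the final ACK, so entries never leave."""
    for i in range(count):
        fw.allow(Seg(f"203.0.113.{i % 250}", SERVER, 40000 + i, 443, frozenset({"SYN"})))


def legit_syn():
    return Seg("198.51.100.7", SERVER, 51000, 443, frozenset({"SYN"}))


def ack_probe():
    return Seg("198.51.100.9", SERVER, 52000, 443, frozenset({"ACK"}))


def reply_to_outbound():
    return Seg("93.184.216.34", SERVER, 80, 45000, frozenset({"SYN", "ACK"}))


def demo():
    stateless = {"syn_blocked": not stateless_allow(legit_syn()),
                 "reply_allowed": stateless_allow(reply_to_outbound()),
                 "ack_probe_allowed": stateless_allow(ack_probe())}      # Q8
    fresh = StatefulFilter(queue_capacity=100, on_full="drop_syn")
    baseline = {"ack_probe_allowed": fresh.allow(ack_probe()),
                "legit_syn_allowed": fresh.allow(legit_syn())}
    closed = StatefulFilter(queue_capacity=100, on_full="drop_syn")
    syn_flood(closed, 100)
    fail_closed = {"legit_syn_allowed": closed.allow(legit_syn()),
                   "ack_probe_allowed": closed.allow(ack_probe())}
    opened = StatefulFilter(queue_capacity=100, on_full="fail_open")
    syn_flood(opened, 101)
    fail_open = {"legit_syn_allowed": opened.allow(legit_syn()),
                 "ack_probe_allowed": opened.allow(ack_probe())}
    return {"stateless": stateless, "stateful_before_flood": baseline,
            "stateful_fail_closed": fail_closed, "stateful_fail_open": fail_open}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Real stacks escape this dilemma with SYN cookies, which encode the half-open state in the sequence number instead of a queue entry, so there is nothing for the flood to exhaust.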

13. Fill in the blanks.
(a) A machine which provides services to Internet clients is highly visible and therefore a likely attack target. These machines are reinforced with a high level of host-based security measures. Because of this, they are called bastion hosts.
(b) Some organizations have to segment their network into several components because they need to deploy machines with different security requirements. The boundaries between these networks need to be separated by screening routers which implement internal firewalls.
(c) A screened subnet firewall architecture is characterized by a perimeter network, which stands between the Internet and the internal network.
(d) Network intrusion detection systems (NIDS) are vulnerable to several different types of attacks. Some attacks exploit differences between the IP protocol implementation of the NIDS and that of the end system. For instance, an attack that fools the NIDS into believing that the end system will drop a packet when in fact the packet will be accepted is called an evasion attack, and might prevent the NIDS from recognizing an attack sequence directed at the end system.
(e) A denial-of-service attack on a NIDS directly impedes the NIDS from carrying out its functions by forcing it to run out of resources. For instance, such an attack can proceed by sending only some fragments of many IP packets, forcing the NIDS to accumulate all such fragments and exhaust its memory.

14. The security of the RSA cryptosystem is based on the hardness of computing {roots, primes} modulo a composite number whose {factors, exponents} are unknown.
Answer: roots; factors. (Computing e-th roots modulo n is easy once the factors of n are known, since they give φ(n) and hence the decryption exponent d.)

15. Describe the format of the public and private keys of the RSA cryptosystem.
Answer: The public key is a composite modulus n together with a public exponent e. The private key consists of the primes p and q such that n = pq, and the private exponent d, chosen such that ed ≡ 1 (mod φ(n)).

16. What is the value of the Euler function φ(n) for n that is the product of two primes p and q?
Answer: φ(n) = (p - 1)(q - 1).

17. Is it safe to reveal the value of φ(n) corresponding to the public modulus of an RSA encryption scheme?
Answer: No. From knowledge of n and φ(n) the factors of n can be computed: p + q = n - φ(n) + 1 and pq = n, so p and q are the two roots of x^2 - (n - φ(n) + 1)x + n = 0, which is solved with one integer square root.

18. If M is a message, and E = Encode(M) is a secure encoding of M as an integer in {0, ..., n - 1}, what is the value of the public key encryption of M using RSA public key (n, e)?
Answer: It equals C = E^e mod n.

19. What is a key-misbinding attack?
Answer: It is a type of man-in-the-middle attack in which the goal of the attacker E is to have the two parties A and B compute the same key but bind that key to different identities (for instance, A believes the key is shared with B, while B believes it is shared with E).

20. Cite three goals of the IKE protocol.
Answer: Privacy of the computed key against active adversaries (including man-in-the-middle attacks); key-binding consistency, so that both parties agree on whom the key is shared with; and, optionally, identity privacy of the communicating parties against eavesdroppers.
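Questions 14 through 18 above worked in code, as an added example that is not part of the original review sheet. The primes are the tiny textbook pair p = 61, q = 53 with e = 17, chosen so the numbers can be checked by hand; the padding step Encode(M) of question 18 is left out and plain integers below n are encrypted instead, which is not a secure encoding. The last function carries out the factor recovery of question 17.

```python
"""RSA key format, encryption, and why φ(n) must stay secret (questions 14-18).

Added example, not from the review sheet. Toy-sized parameters; no padding,
so this is not a secure encryption scheme, only the arithmetic.
"""
from math import gcd, isqrt


def keygen(p, q, e=17):
    """Q15: public key (n, e); private key (p, q, d) with e*d ≡ 1 (mod φ(n))."""
    n = p * q
    phi = (p - 1) * (q - 1)           # Q16: Euler's function for n = pq
    assert gcd(e, phi) == 1, "e must be invertible modulo φ(n)"
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return (n, e), (p, q, d)


def encrypt(pub, message_int):
    """Q18: C = E^e mod n for an already-encoded integer E in {0, ..., n-1}."""
    n, e = pub
    assert 0 <= message_int < n
    return pow(message_int, e, n)


def decrypt(priv, ciphertext):
    """E = C^d mod n; the holder of d takes the e-th root that Q14 calls hard."""
    p, q, d = priv
    return pow(ciphertext, d, p * q)


def factor_from_phi(n, phi):
    """Q17: n and φ(n) together reveal p and q.

    p + q = n - φ(n) + 1 and pq = n, so p, q are the roots of
    x^2 - (p + q)x + n = 0; the discriminant (p+q)^2 - 4n = (p-q)^2 is a square.
    """
    s = n - phi + 1                   # p + q
    disc = s * s - 4 * n              # (p - q)^2
    r = isqrt(disc)
    assert r * r == disc, "not a valid (n, φ(n)) pair for a two-prime modulus"
    p, q = (s - r) // 2, (s + r) // 2
    assert p * q == n
    return p, q


def demo():
    pub, priv = keygen(61, 53)
    n, _ = pub
    phi = (priv[0] - 1) * (priv[1] - 1)
    c = encrypt(pub, 65)
    return {"public": pub, "private": priv, "ciphertext": c,
            "roundtrip": decrypt(priv, c), "factors_from_phi": factor_from_phi(n, phi)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The same factor_from_phi arithmetic works for real-sized moduli, which is exactly why φ(n) (and d, from which φ(n) can be derived) belong to the private key and must never be published.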

21. Explain how the IPSec transport mode works.
Answer: The header of the original IP packet is kept, an appropriate IPSec header (AH or ESP) is inserted immediately after it, and the original payload follows, possibly encrypted and/or authenticated. The original source and destination addresses remain visible in the header.

22. Explain how the IPSec tunnel mode works.
Answer: The entire original IP packet (header and payload) becomes the payload, possibly encrypted and/or authenticated, and a new IP header and an IPSec header are created in front of it.

23. A corporation establishes gateways GW1 and GW2 at different branches. They enable machines in different branches to communicate securely over the Internet by implementing IPSec at the gateways only. That means that when a machine A inside the first network sends an IP packet to a machine B in the second network, the gateway GW1 intercepts the IP packet in transit and encapsulates it into an IPSec packet. At the other end, GW2 recovers the original IP packet, which is then routed in the second network to machine B. Which of the IPSec modes, tunnel or transport, and AH or ESP, should be used if it is desired that no Internet eavesdropper learn the identities A and B of the communicating parties?
Answer: If the identities of the communicating parties must be kept secret (protection against traffic analysis), then tunnel mode with encryption (ESP) should be used. In this case, the original IP header (which identifies the source and destination machines) is encrypted as part of the payload. The new outer IP header only shows GW1 and GW2 as the source/destination pair. AH would not help, since it authenticates but does not encrypt, and transport mode would leave the original header in the clear.

24. Why is the authentication header (AH) mode of IPSec incompatible with network address translation (NAT) schemes?
Answer: The AH integrity check covers several fields of the IP header, including the source and destination addresses, that NAT boxes need to modify, and the original values cannot be reconstructed at the destination. For instance, if the source address is translated to the NAT box's address, the receiver can only guess at the original private IP address of the sender. In other words, the receiver cannot verify the integrity of AH-authenticated packets that have been translated. (Fields that legitimately change in transit, such as the TTL, are zeroed before the integrity check is computed, so ordinary routing does not cause this problem.)

25. SSL is vulnerable to a denial-of-service attack called the rogue packet problem. This attack exploits the fact that SSL runs above the TCP networking protocol. Corrupted SSL payloads that still pass the lower-level checksum will not be re-transmitted and will cause the SSL connection to fail.

26. Describe the rogue packet attack against SSL.
Answer: The rogue packet attack is a traffic injection attack. The attacker sniffs traffic between sender and receiver and creates a TCP packet that is valid for the connection, in the sense that it has a correct sequence number and TCP checksum, but carries garbage as SSL data. The packet is accepted at the destination by the TCP layer, but rejected by the SSL layer, whose record integrity check fails. Since SSL cannot trigger a re-transmission of packets (it does not implement a reliable transport mechanism, but depends on TCP for that), the data that should have occupied those sequence numbers is permanently lost. This leaves the SSL connection in an inconsistent state that will cause it to fail.

27. Why is the rogue packet problem a serious denial-of-service threat to SSL?

Answer: For two reasons. (1) It is easy to mount, requiring only the attacker's ability to sniff traffic close to the targeted server, so that current sequence numbers are known. (2) It causes existing SSL connections to fail. SSL connection initiations require expensive RSA decryption operations on the server, so if SSL connections need to be frequently re-established, the server will be overwhelmed by the cryptographic workload.

28. In SSL, the secret used to generate the session keys is chosen by the {client, server} and sent to the server using {RSA, Elgamal} encryption. In IKE, both client and server generate random contributions to the session key by engaging in a {Diffie-Hellman, DSA} key agreement protocol. The latter is potentially more secure, because if either of the parties has a strong {cryptographic suite, random number generator}, the privacy of the session key is guaranteed.
Answer: client; RSA; Diffie-Hellman; random number generator.

29. Both SSL and IPSec negotiate their cryptographic algorithms at the beginning of the session establishment dialogue. Could this be exploited by a man-in-the-middle adversary to force the parties to agree on a weak cryptographic suite even though both parties support a common (preferred) strong suite?
Answer: In SSL v2, this can be exploited. A man-in-the-middle can intercept the client message specifying the set of supported suites and remove all strong suites from it. If both the server and the client support the same weak suite, then the agreement will succeed with that weak suite being chosen. In IPSec and SSL v3, this is not possible, because the protocol later uses the negotiated authentication key to verify, after the fact, the contents of all messages sent during the session establishment dialogue; a modified list of suites makes the two parties' transcripts differ, and the verification fails. Here one makes the reasonable assumption that, even for the weak suites, it is infeasible for an adversary to break the session authentication key in the short window of time required to forge correct answers to the verification step, which immediately follows the derivation of session keys.

30. Why do some protocols such as SSL use different keys for client authentication and server authentication, even though both could use the same key with the HMAC?
Answer: To prevent reflection attacks, in which a packet sent from the server to the client is returned to the server and accepted as coming from the client. With direction-specific keys, a record authenticated under the server's key fails verification when presented as client traffic.

31. Condensed review of material from the first mid-term: read Chapter 11 (minus the Otway-Rees protocol, not covered) and answer questions 11.9.1, 11.9.2, 11.9.3, 11.9.5, 11.9.6, 11.9.8, 11.9.11, 11.9.13.

32. Chapter 16 condenses many topics discussed throughout the SSL and IPSec/IKE chapters. Reading it is a good way to review the most important aspects of these chapters. Do the easy homework part. Also do 16.14.11.
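Questions 21 through 24 above, as an added example that is not part of the original review sheet. The IP header is reduced to (source, destination, TTL, protocol) packed with struct; the AH integrity check value is HMAC-SHA256 over the header with the mutable TTL zeroed, in the spirit of RFC 4302 but not its exact format; and "toy_encrypt" is a keystream XOR standing in for ESP's cipher only so that the inner header becomes opaque. All keys and addresses are constructed.

```python
"""IPSec transport vs tunnel mode and the AH/NAT conflict (questions 21-24).

Added example, not from the review sheet. Simplified 10-byte header,
HMAC-SHA256 as the AH ICV, and a placeholder cipher for ESP. Constructed
addresses and key; not interoperable with real IPSec.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AH, ESP, TCP = 51, 50, 6                 # real IP protocol numbers
HDR = struct.Struct("!4s4sBB")           # src, dst, ttl, protocol
KEY = b"example-key-not-for-real-use"    # constructed
A, B = "10.1.0.10", "10.2.0.20"          # constructed inside hosts
GW1, GW2, NATBOX = "198.51.100.1", "203.0.113.1", "192.0.2.1"


def header(src, dst, ttl, proto):
    return HDR.pack(IPv4Address(src).packed, IPv4Address(dst).packed, ttl, proto)


def addresses(pkt):
    """What an eavesdropper reads off the outermost header."""
    s, d, _, _ = HDR.unpack(pkt[:HDR.size])
    return str(IPv4Address(s)), str(IPv4Address(d))


def icv(key, hdr, payload):
    # Mutable fields (here only TTL) are zeroed before hashing; src/dst are
    # treated as immutable and therefore covered, which is what breaks NAT.
    src, dst, _ttl, proto = HDR.unpack(hdr)
    return hmac.new(key, HDR.pack(src, dst, 0, proto) + payload, hashlib.sha256).digest()


def ah_transport(key, src, dst, payload, ttl=64):
    """Q21 with AH: original header kept, AH (here just the ICV) inserted after it."""
    hdr = header(src, dst, ttl, AH)
    return hdr + icv(key, hdr, payload) + payload


def ah_verify(key, pkt):
    hdr, tag, payload = pkt[:HDR.size], pkt[HDR.size:HDR.size + 32], pkt[HDR.size + 32:]
    return hmac.compare_digest(tag, icv(key, hdr, payload))


def forward(pkt, new_src=None):
    """A router hop: decrement TTL; a source-NAT box additionally rewrites src."""
    s, d, ttl, proto = HDR.unpack(pkt[:HDR.size])
    if new_src is not None:
        s = IPv4Address(new_src).packed
    return HDR.pack(s, d, ttl - 1, proto) + pkt[HDR.size:]


def toy_encrypt(key, data):
    # Keystream XOR from HMAC-SHA256 counter blocks: a placeholder, not ESP's cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def esp_transport(key, src, dst, payload, ttl=64):
    """Q21 with ESP: original header stays in the clear, payload encrypted."""
    return header(src, dst, ttl, ESP) + toy_encrypt(key, payload)


def esp_tunnel(key, gw_src, gw_dst, inner_pkt):
    """Q22/Q23: whole inner packet becomes encrypted payload behind a new header."""
    return header(gw_src, gw_dst, 64, ESP) + toy_encrypt(key, inner_pkt)


def demo():
    ah = ah_transport(KEY, A, B, b"hello")
    inner = header(A, B, 64, TCP) + b"hello"
    return {
        "ah_verifies": ah_verify(KEY, ah),
        "ah_after_plain_hop": ah_verify(KEY, forward(ah)),            # TTL change is fine
        "ah_after_nat": ah_verify(KEY, forward(ah, new_src=NATBOX)),  # Q24
        "seen_on_wire_transport": addresses(esp_transport(KEY, A, B, b"hello")),
        "seen_on_wire_tunnel": addresses(esp_tunnel(KEY, GW1, GW2, inner)),  # Q23
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The TTL-only hop still verifies because AH excludes mutable fields; the NAT hop fails because the source address is covered and the receiver has no way to recover the pre-translation value. The tunnel-mode packet exposes only GW1 and GW2 on the wire, which is the answer to question 23.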
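Questions 29 and 30 above, as an added example that is not part of the original review sheet. It models only the pieces that matter: the client's suite list, the server's choice, a Finished-style check of each side's own view of the handshake transcript keyed with the fresh master secret (SSL v3/IKE behaviour) or no such check (SSL v2 behaviour), and per-direction MAC keys versus one shared key for the reflection attack. The suite names, labels and HMAC-SHA256 "PRF" are stand-ins chosen for this example, not the real SSL/TLS derivations.

```python
"""Cipher-suite downgrade and reflection attacks on SSL (questions 29 and 30).

Added example, not from the review sheet. Suite names, key-derivation labels
and the HMAC-SHA256 PRF are assumptions; the shapes are illustrative only.
"""
import hashlib
import hmac
import os

STRONG = "TLS_RSA_WITH_AES_128_CBC_SHA"     # assumed preferred strong suite
WEAK = "SSL_RSA_EXPORT_WITH_RC4_40_MD5"     # assumed export-grade weak suite


def prf(key, label, *parts):
    return hmac.new(key, label.encode() + b"".join(parts), hashlib.sha256).digest()


def negotiate(client_hello, server_supported):
    """Server takes the first suite in the client's preference order it supports."""
    for suite in client_hello:
        if suite in server_supported:
            return suite
    raise ValueError("no common cipher suite")


def mitm_strip(client_hello):
    """Man-in-the-middle rewrites the hello in transit so only export suites remain."""
    return [s for s in client_hello if "EXPORT" in s]


def handshake(client_supported, server_supported, tamper=None, verify_transcript=True):
    """Return (agreed suite, whether the client's Finished check passed).

    verify_transcript=False behaves like SSL v2 (negotiation never checked);
    True behaves like SSL v3/TLS and IKE: each side MACs its own view of every
    handshake message under the freshly derived key and the peer compares.
    """
    sent = list(client_supported)                  # what the client transmitted
    received = tamper(sent) if tamper else sent    # what the server received
    suite = negotiate(received, server_supported)
    # Pre-master secret: chosen by the client and sent under the server's RSA
    # key in reality, so the attacker learns neither it nor the master secret.
    premaster, client_random, server_random = os.urandom(32), os.urandom(32), os.urandom(32)
    master = prf(premaster, "master secret", client_random, server_random)
    client_view = repr(sent).encode() + suite.encode()
    server_view = repr(received).encode() + suite.encode()
    client_finished = prf(master, "client finished", client_view)
    if not verify_transcript:
        return suite, True                         # SSL v2: downgrade goes unnoticed
    expected = prf(master, "client finished", server_view)
    return suite, hmac.compare_digest(client_finished, expected)


def record_keys(master, shared_key):
    """Q30: one MAC key per direction (as SSL does) vs a single shared MAC key."""
    client_write = prf(master, "client write MAC key")
    server_write = client_write if shared_key else prf(master, "server write MAC key")
    return client_write, server_write


def reflection(shared_key):
    """Attacker replays a server-authenticated record back to the server.

    Returns True if the server wrongly accepts it as client traffic."""
    master = os.urandom(32)
    client_write, server_write = record_keys(master, shared_key)
    record = b"server-to-client record: transfer approved"          # constructed
    tag = hmac.new(server_write, record, hashlib.sha256).digest()   # server -> client
    # The server verifies anything arriving from the client under client_write.
    return hmac.compare_digest(tag, hmac.new(client_write, record, hashlib.sha256).digest())


if __name__ == "__main__":
    both = [STRONG, WEAK]
    print("no attacker:", handshake(both, both))
    print("SSLv2-style, stripped:", handshake(both, both, tamper=mitm_strip, verify_transcript=False))
    print("SSLv3-style, stripped:", handshake(both, both, tamper=mitm_strip))
    print("reflection with shared key accepted:", reflection(shared_key=True))
    print("reflection with per-direction keys accepted:", reflection(shared_key=False))
```

The transcript check only helps because the attacker cannot produce a valid Finished value without the master secret; as question 29 notes, this assumes the weak suite cannot be broken within the handshake window.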