Network and DNS Vulnerabilities

n|u Network and DNS Vulnerabilities V l biliti Presented by: Harsimran Walia

Data Formats TCP Header Application message - data Application message Transport (TCP, UDP) segment TCP data TCP data TCP data Network (IP) packet k t IP TCP data Link Layer y frame ETH IP TCP data ETF IP Header Link (Ethernet) Link (Ethernet) Header Trailer

IP Internet Protocol Version Header Length Connectionless Type of S i T f Service Unreliable Total Length Identification Best effort Flags Fragment Offset Time to Live Protocol Notes: Header Checksum src and dest ports Source Address of Originating Host not parts of IP hdr g Destination Address of Target Host Options Padding IP Data

Packet forging Client is trusted to embed correct source IP Easy to override using raw sockets Libnet: a library for formatting raw packets with arbitrary IP h d bit headers Anyone who owns their machine can send packets with arbitrary source IP … response will be sent back to forged source IP Implications: Anonymous DoS attacks; y ; Anonymous infection attacks

Basic Security Problems 1. Network packets pass by untrusted hosts Eavesdropping, packet sniffing Especially easy when attacker controls a p y y machine close to victim 2. TCP state can be easy to guess Enables spoofing and session hijacking 3. Denial of Service (DoS) vulnerabilities

1 Packet Sniffing 1. Promiscuous NIC reads all packets Read all unencrypted data (e.g., “wireshark”) ftp, telnet (and POP, IMAP) send passwords in clear! p, ( , ) p Eve Alice Ali Network Bob B b Prevention: Encryption SSL (is it still secure??)

2 Breaking SSL encryption 2. Certificate used for encryption

2 Breaking SSL encryption 2. Certificate created by attacker and accepted by victim (normally a user ignores warning) attacker can- Sniff the encrypted passwords Decrypt the passwords Countermeasures C t Untrusted certificate should never be accepted All trusted certificates should be installed in the browser

Review: TCP Handshake C S SN ←randC SYN: ANC ←0 Listening C SNS←randS Store SNC , SNS SYN/ACK: AN ←SN S C Wait SN←SNC+1 ACK: AN SN AN←SNS Established

2 TCP Connection Spoofing 2. Why random initial sequence numbers? (SNC , SNS ) y q ( Suppose init. sequence numbers are predictable Attacker can create TCP session on behalf of forged source IP Breaks IP-based authentication (e.g. SPF, /etc/hosts ) TCP SYN srcIP=victim SYN/ACK dstIP=victim Victim ACK SN=server SNS srcIP=victim Server attacker AN=predicted SNS server thinks command command is from victim IP addr

Example DoS vulnerability Suppose attacker can guess seq. number for an pp g q existing connection: Attacker can send Reset packet to close connection. Results in DoS. Naively, success prob. is 1/232 (32-bit seq. #’s). Most systems allow for a large window of acceptable seq. #’s Much higher success probability.

TCP SYN Flood I: low rate C S Single machine: • SYN Packets with SYNC1 random source IP d SYNC2 addresses • Fills up backlog queue SYNC3 on server SYNC C4 • No further connections possible SYNC5 12

SYN Floods II: Massive flood Command bot army to flood specific target: (DDoS) y p g 20,000 bots can generate 2Gb/sec of SYNs (2003) At web site: Saturates network uplink or network router p Random source IP ⇒ attack SYNs look the same as real SYNs 13

NIC as cpu Attempt to connect to the victim machine, which fails: Sending a ‘magic’ packet to the victim: It worked! Now logged i as root: k d l d in 14

NIC as cpu PoC exists with Broadcom (Manufacturer of NICs) We can remotely execute shell code on the NIC Through shell code we can read/write data on main hard drive As shown we can login as root without even exploiting the system 15

Routing Vulnerabilities

Routing Vulnerabilities Common attack: advertise false routes Causes traffic to go though compromised hosts ARP (addr resolution protocol): IP addr -> eth addr Node A can confuse gateway into sending it traffic for B OSPF: used for routing within an AS BGP: routing between ASs Attacker can cause entire Internet to send traffic for a victim IP to attacker’s address.

Issues Security problems Potential for disruptive attacks BGP packets are un-authenticated p Attacker can advertise arbitrary routes Advertisement will propagate everywhere Used for DoS and spam

DoS via route hijacking YouTube is 208.65.152.0/22 (includes 210 IP addr) youtube.com youtube com is 208 65 153 238 … 208.65.153.238, Feb. 2008: Pakistan telecom advertised a BGP path for 208.65.153.0/24 (includes 28 IP addr) Routing decisions use most specific prefix The entire Internet now thinks 208.65.153.238 208 65 153 238 is in Pakistan Outage resolved within two hours… but demonstrates huge DoS vuln. with no solution! March 2010: 1 ISP in US configured BGP route wrongly which led some users from US to be a victim of the great firewall of china These victims were redirected to some Chinese govt. Websites instead of legitimate g g sites

Domain Name System

DNS Domain Name System Hierarchical Name Space root org net com edu uk ca orkut yahoo google facebook www mail

DNS Lookup Example root & com www.google.com DNS server google.com Local DNS DNS server Client resolver DNS record types (partial list): - NS: name server (points to other server) - A: address record (contains IP address) - MX: address in charge of handling email - TXT: generic text (e.g. used to distribute site public keys (DKIM)

Caching DNS responses are cached p Quick response for repeated translations Useful for finding servers as well as addresses NS records for domains DNS negative queries are cached g q Save time for nonexistent sites, e.g. misspelling Cached data periodically times out Lifetime (TTL) of data controlled by owner of data TTL passed with every record

DNS cache poisoning Victim machine visits attacker’s web site, downloads Javascript Query: a.bank.com user a.bank.com a bank com local Q QID=x1 ns.bank.com ns bank com browser DNS resolver IPaddr Random QID y1, y2, … NS bank.com=ns.bank.com A ns.bank.com=attackerIP attacker wins if ∃j: x1 = yj attacker response is cached and attacker owns bank.com

Defenses Increase Query ID size. Q y How? a. Randomize src port, additional 11 bits p , Now attack takes several hours b. Ask every DNS query twice: Attacker has to guess QueryID correctly twice (32 bits) Apparently DNS system cannot handle the load

Pharming DNS poisoning attack (less common than phishing) p g ( p g) If user visits attacker’s site the cache of user can be poisoned Change IP addresses to redirect URLs to fraudulent sites Potentially more da ge ous t a p s g attac s ote t a y o e dangerous than phishing attacks No email solicitation is required DNS poisoning attacks have occurred: January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia. In November 2004, Google and Amazon users were sent to 2004 Med Network Inc., an online pharmacy In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and j presented them with the message "God Bless Our Troops"

Spoofing DNS spoofing attack p g Intercept the DNS query from the victim Spoof the ip address of the real url Se d o ged Send forged DNS response with the attac e s ip S espo se t t e attacker’s p Victim thinks its legitimate as he accessed real url and gets no warning Can be used for phishing attacks where social engineering p g g g not possible

[DWF’96, R’01] DNS Rebinding Attack g <iframe src="http://www.evil.com"> DNS-SEC cannot stop this attack www.evil.com? ns.evil.com 171.64.7.115 171 64 7 115 TTL = 0 DNS server Firew 192.168.0.100 wall www.evil.com web server corporate web server 171.64.7.115 192.168.0.100 Read permitted: it s the “same origin it’s same origin”

DNS Rebinding Defenses Browser mitigation: DNS Pinning Refuse to switch to a new IP Interacts poorly with proxies, VPN, dynamic DNS, … p y p , , y , Not consistently implemented in any browser Server-side defenses Check Host header for unrecognized domains Firewall defenses External names can’t resolve to internal addresses Protects browsers inside the organization

Summary Core protocols not designed for security p g y Eavesdropping, Packet injection, Route stealing, DNS poisoning Patched over time to prevent basic attacks (e.g. random TCP SN) More secure variants exist : IP -> IPsec DNS -> DNSsec BGP -> SBGP

http://www.harsimranwalia.info	95
http://null.co.in	62
http://harsimranwalia.info	45
http://127.0.0.1:8020	19
http://www.slideshare.net	7
http://nullpresentations.blogspot.com	2

Network and DNS Vulnerabilities

by n|u - The Open Security Community on Apr 04, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

6 Embeds 230

Statistics

Network and DNS Vulnerabilities — Presentation Transcript