Network and DNS Vulnerabilities


Published on

A compilation of attack vectors of the network including TCP/IP stack, Routing algorithms and DNS

Published in: Technology
  • Be the first to comment

Network and DNS Vulnerabilities

  1. 1. n|u Network and DNS Vulnerabilities V l biliti Presented by: Harsimran Walia
  2. 2. Data Formats TCP Header Application message - data Application message Transport (TCP, UDP) segment TCP data TCP data TCP data Network (IP) packet k t IP TCP data Link Layer y frame ETH IP TCP data ETF IP Header Link (Ethernet) Link (Ethernet) Header Trailer
  3. 3. IP Internet Protocol Version Header Length Connectionless Type of S i T f Service Unreliable Total Length Identification Best effort Flags Fragment Offset Time to Live Protocol Notes: Header Checksum src and dest ports Source Address of Originating Host not parts of IP hdr g Destination Address of Target Host Options Padding IP Data
  4. 4. Packet forging Client is trusted to embed correct source IP Easy to override using raw sockets Libnet: a library for formatting raw packets with arbitrary IP h d bit headers Anyone who owns their machine can send packets with arbitrary source IP … response will be sent back to forged source IP Implications: Anonymous DoS attacks; y ; Anonymous infection attacks
  5. 5. Basic Security Problems 1. Network packets pass by untrusted hosts Eavesdropping, packet sniffing Especially easy when attacker controls a p y y machine close to victim 2. TCP state can be easy to guess Enables spoofing and session hijacking 3. Denial of Service (DoS) vulnerabilities
  6. 6. 1 Packet Sniffing 1. Promiscuous NIC reads all packets Read all unencrypted data (e.g., “wireshark”) ftp, telnet (and POP, IMAP) send passwords in clear! p, ( , ) p Eve Alice Ali Network Bob B b Prevention: Encryption SSL (is it still secure??)
  7. 7. 2 Breaking SSL encryption 2. Certificate used for encryption
  8. 8. 2 Breaking SSL encryption 2. Certificate created by attacker and accepted by victim (normally a user ignores warning) attacker can- Sniff the encrypted passwords Decrypt the passwords Countermeasures C t Untrusted certificate should never be accepted All trusted certificates should be installed in the browser
  9. 9. Review: TCP Handshake C S SN ←randC SYN: ANC ←0 Listening C SNS←randS Store SNC , SNS SYN/ACK: AN ←SN S C Wait SN←SNC+1 ACK: AN SN AN←SNS Established
  10. 10. 2 TCP Connection Spoofing 2. Why random initial sequence numbers? (SNC , SNS ) y q ( Suppose init. sequence numbers are predictable Attacker can create TCP session on behalf of forged source IP Breaks IP-based authentication (e.g. SPF, /etc/hosts ) TCP SYN srcIP=victim SYN/ACK dstIP=victim Victim ACK SN=server SNS srcIP=victim Server attacker AN=predicted SNS server thinks command command is from victim IP addr
  11. 11. Example DoS vulnerability Suppose attacker can guess seq. number for an pp g q existing connection: Attacker can send Reset packet to close connection. Results in DoS. Naively, success prob. is 1/232 (32-bit seq. #’s). Most systems allow for a large window of acceptable seq. #’s Much higher success probability.
  12. 12. TCP SYN Flood I: low rate C S Single machine: • SYN Packets with SYNC1 random source IP d SYNC2 addresses • Fills up backlog queue SYNC3 on server SYNC C4 • No further connections possible SYNC5 12
  13. 13. SYN Floods II: Massive flood Command bot army to flood specific target: (DDoS) y p g 20,000 bots can generate 2Gb/sec of SYNs (2003) At web site: Saturates network uplink or network router p Random source IP ⇒ attack SYNs look the same as real SYNs 13
  14. 14. NIC as cpu Attempt to connect to the victim machine, which fails: Sending a ‘magic’ packet to the victim: It worked! Now logged i as root: k d l d in 14
  15. 15. NIC as cpu PoC exists with Broadcom (Manufacturer of NICs) We can remotely execute shell code on the NIC Through shell code we can read/write data on main hard drive As shown we can login as root without even exploiting the system 15
  16. 16. Routing Vulnerabilities
  17. 17. Routing Vulnerabilities Common attack: advertise false routes Causes traffic to go though compromised hosts ARP (addr resolution protocol): IP addr -> eth addr Node A can confuse gateway into sending it traffic for B OSPF: used for routing within an AS BGP: routing between ASs Attacker can cause entire Internet to send traffic for a victim IP to attacker’s address.
  18. 18. Issues Security problems Potential for disruptive attacks BGP packets are un-authenticated p Attacker can advertise arbitrary routes Advertisement will propagate everywhere Used for DoS and spam
  19. 19. DoS via route hijacking YouTube is (includes 210 IP addr) youtube com is 208 65 153 238 …, Feb. 2008: Pakistan telecom advertised a BGP path for (includes 28 IP addr) Routing decisions use most specific prefix The entire Internet now thinks 208 65 153 238 is in Pakistan Outage resolved within two hours… but demonstrates huge DoS vuln. with no solution! March 2010: 1 ISP in US configured BGP route wrongly which led some users from US to be a victim of the great firewall of china These victims were redirected to some Chinese govt. Websites instead of legitimate g g sites
  20. 20. Domain Name System
  21. 21. DNS Domain Name System Hierarchical Name Space root org net com edu uk ca orkut yahoo google facebook www mail
  22. 22. DNS Lookup Example root & com DNS server Local DNS DNS server Client resolver DNS record types (partial list): - NS: name server (points to other server) - A: address record (contains IP address) - MX: address in charge of handling email - TXT: generic text (e.g. used to distribute site public keys (DKIM)
  23. 23. Caching DNS responses are cached p Quick response for repeated translations Useful for finding servers as well as addresses NS records for domains DNS negative queries are cached g q Save time for nonexistent sites, e.g. misspelling Cached data periodically times out Lifetime (TTL) of data controlled by owner of data TTL passed with every record
  24. 24. DNS cache poisoning Victim machine visits attacker’s web site, downloads Javascript Query: user a bank com local Q QID=x1 ns bank com browser DNS resolver IPaddr Random QID y1, y2, … NS A attacker wins if ∃j: x1 = yj attacker response is cached and attacker owns
  25. 25. Defenses Increase Query ID size. Q y How? a. Randomize src port, additional 11 bits p , Now attack takes several hours b. Ask every DNS query twice: Attacker has to guess QueryID correctly twice (32 bits) Apparently DNS system cannot handle the load
  26. 26. Pharming DNS poisoning attack (less common than phishing) p g ( p g) If user visits attacker’s site the cache of user can be poisoned Change IP addresses to redirect URLs to fraudulent sites Potentially more da ge ous t a p s g attac s ote t a y o e dangerous than phishing attacks No email solicitation is required DNS poisoning attacks have occurred: January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia. In November 2004, Google and Amazon users were sent to 2004 Med Network Inc., an online pharmacy In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and j presented them with the message "God Bless Our Troops"
  27. 27. Spoofing DNS spoofing attack p g Intercept the DNS query from the victim Spoof the ip address of the real url Se d o ged Send forged DNS response with the attac e s ip S espo se t t e attacker’s p Victim thinks its legitimate as he accessed real url and gets no warning Can be used for phishing attacks where social engineering p g g g not possible
  28. 28. [DWF’96, R’01] DNS Rebinding Attack g <iframe src=""> DNS-SEC cannot stop this attack 171 64 7 115 TTL = 0 DNS server Firew wall web server corporate web server Read permitted: it s the “same origin it’s same origin”
  29. 29. DNS Rebinding Defenses Browser mitigation: DNS Pinning Refuse to switch to a new IP Interacts poorly with proxies, VPN, dynamic DNS, … p y p , , y , Not consistently implemented in any browser Server-side defenses Check Host header for unrecognized domains Firewall defenses External names can’t resolve to internal addresses Protects browsers inside the organization
  30. 30. Summary Core protocols not designed for security p g y Eavesdropping, Packet injection, Route stealing, DNS poisoning Patched over time to prevent basic attacks (e.g. random TCP SN) More secure variants exist : IP -> IPsec DNS -> DNSsec BGP -> SBGP