SlideShare a Scribd company logo

Network and DNS Vulnerabilities

n|u - The Open Security Community
n|u - The Open Security Community

A compilation of attack vectors of the network including TCP/IP stack, Routing algorithms and DNS

Technology
1 of 30
Download to read offline
n|u Network and DNS Vulnerabilities V l biliti Presented by: Harsimran Walia
Data Formats TCP Header Application message - data Application message Transport (TCP, UDP) segment TCP data TCP data TCP data Network (IP) packet k t IP TCP data Link Layer y frame ETH IP TCP data ETF IP Header Link (Ethernet) Link (Ethernet) Header Trailer
IP Internet Protocol Version Header Length Connectionless Type of S i T f Service Unreliable Total Length Identification Best effort Flags Fragment Offset Time to Live Protocol Notes: Header Checksum src and dest ports Source Address of Originating Host not parts of IP hdr g Destination Address of Target Host Options Padding IP Data
Packet forging Client is trusted to embed correct source IP Easy to override using raw sockets Libnet: a library for formatting raw packets with arbitrary IP h d bit headers Anyone who owns their machine can send packets with arbitrary source IP … response will be sent back to forged source IP Implications: Anonymous DoS attacks; y ; Anonymous infection attacks
Basic Security Problems 1. Network packets pass by untrusted hosts Eavesdropping, packet sniffing Especially easy when attacker controls a p y y machine close to victim 2. TCP state can be easy to guess Enables spoofing and session hijacking 3. Denial of Service (DoS) vulnerabilities
1 Packet Sniffing 1. Promiscuous NIC reads all packets Read all unencrypted data (e.g., “wireshark”) ftp, telnet (and POP, IMAP) send passwords in clear! p, ( , ) p Eve Alice Ali Network Bob B b Prevention: Encryption SSL (is it still secure??)
2 Breaking SSL encryption 2. Certificate used for encryption
2 Breaking SSL encryption 2. Certificate created by attacker and accepted by victim (normally a user ignores warning) attacker can- Sniff the encrypted passwords Decrypt the passwords Countermeasures C t Untrusted certificate should never be accepted All trusted certificates should be installed in the browser
Review: TCP Handshake C S SN ←randC SYN: ANC ←0 Listening C SNS←randS Store SNC , SNS SYN/ACK: AN ←SN S C Wait SN←SNC+1 ACK: AN SN AN←SNS Established
2 TCP Connection Spoofing 2. Why random initial sequence numbers? (SNC , SNS ) y q ( Suppose init. sequence numbers are predictable Attacker can create TCP session on behalf of forged source IP Breaks IP-based authentication (e.g. SPF, /etc/hosts ) TCP SYN srcIP=victim SYN/ACK dstIP=victim Victim ACK SN=server SNS srcIP=victim Server attacker AN=predicted SNS server thinks command command is from victim IP addr
Example DoS vulnerability Suppose attacker can guess seq. number for an pp g q existing connection: Attacker can send Reset packet to close connection. Results in DoS. Naively, success prob. is 1/232 (32-bit seq. #’s). Most systems allow for a large window of acceptable seq. #’s Much higher success probability.
TCP SYN Flood I: low rate C S Single machine: • SYN Packets with SYNC1 random source IP d SYNC2 addresses • Fills up backlog queue SYNC3 on server SYNC C4 • No further connections possible SYNC5 12
SYN Floods II: Massive flood Command bot army to flood specific target: (DDoS) y p g 20,000 bots can generate 2Gb/sec of SYNs (2003) At web site: Saturates network uplink or network router p Random source IP ⇒ attack SYNs look the same as real SYNs 13
NIC as cpu Attempt to connect to the victim machine, which fails: Sending a ‘magic’ packet to the victim: It worked! Now logged i as root: k d l d in 14
NIC as cpu PoC exists with Broadcom (Manufacturer of NICs) We can remotely execute shell code on the NIC Through shell code we can read/write data on main hard drive As shown we can login as root without even exploiting the system 15
Routing Vulnerabilities
Routing Vulnerabilities Common attack: advertise false routes Causes traffic to go though compromised hosts ARP (addr resolution protocol): IP addr -> eth addr Node A can confuse gateway into sending it traffic for B OSPF: used for routing within an AS BGP: routing between ASs Attacker can cause entire Internet to send traffic for a victim IP to attacker’s address.
Issues Security problems Potential for disruptive attacks BGP packets are un-authenticated p Attacker can advertise arbitrary routes Advertisement will propagate everywhere Used for DoS and spam
DoS via route hijacking YouTube is 208.65.152.0/22 (includes 210 IP addr) youtube.com youtube com is 208 65 153 238 … 208.65.153.238, Feb. 2008: Pakistan telecom advertised a BGP path for 208.65.153.0/24 (includes 28 IP addr) Routing decisions use most specific prefix The entire Internet now thinks 208.65.153.238 208 65 153 238 is in Pakistan Outage resolved within two hours… but demonstrates huge DoS vuln. with no solution! March 2010: 1 ISP in US configured BGP route wrongly which led some users from US to be a victim of the great firewall of china These victims were redirected to some Chinese govt. Websites instead of legitimate g g sites
Domain Name System
DNS Domain Name System Hierarchical Name Space root org net com edu uk ca orkut yahoo google facebook www mail
DNS Lookup Example root & com www.google.com DNS server google.com Local DNS DNS server Client resolver DNS record types (partial list): - NS: name server (points to other server) - A: address record (contains IP address) - MX: address in charge of handling email - TXT: generic text (e.g. used to distribute site public keys (DKIM)
Caching DNS responses are cached p Quick response for repeated translations Useful for finding servers as well as addresses NS records for domains DNS negative queries are cached g q Save time for nonexistent sites, e.g. misspelling Cached data periodically times out Lifetime (TTL) of data controlled by owner of data TTL passed with every record
DNS cache poisoning Victim machine visits attacker’s web site, downloads Javascript Query: a.bank.com user a.bank.com a bank com local Q QID=x1 ns.bank.com ns bank com browser DNS resolver IPaddr Random QID y1, y2, … NS bank.com=ns.bank.com A ns.bank.com=attackerIP attacker wins if ∃j: x1 = yj attacker response is cached and attacker owns bank.com
Defenses Increase Query ID size. Q y How? a. Randomize src port, additional 11 bits p , Now attack takes several hours b. Ask every DNS query twice: Attacker has to guess QueryID correctly twice (32 bits) Apparently DNS system cannot handle the load
Pharming DNS poisoning attack (less common than phishing) p g ( p g) If user visits attacker’s site the cache of user can be poisoned Change IP addresses to redirect URLs to fraudulent sites Potentially more da ge ous t a p s g attac s ote t a y o e dangerous than phishing attacks No email solicitation is required DNS poisoning attacks have occurred: January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia. In November 2004, Google and Amazon users were sent to 2004 Med Network Inc., an online pharmacy In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and j presented them with the message "God Bless Our Troops"
Spoofing DNS spoofing attack p g Intercept the DNS query from the victim Spoof the ip address of the real url Se d o ged Send forged DNS response with the attac e s ip S espo se t t e attacker’s p Victim thinks its legitimate as he accessed real url and gets no warning Can be used for phishing attacks where social engineering p g g g not possible
[DWF’96, R’01] DNS Rebinding Attack g <iframe src="http://www.evil.com"> DNS-SEC cannot stop this attack www.evil.com? ns.evil.com 171.64.7.115 171 64 7 115 TTL = 0 DNS server Firew 192.168.0.100 wall www.evil.com web server corporate web server 171.64.7.115 192.168.0.100 Read permitted: it s the “same origin it’s same origin”
DNS Rebinding Defenses Browser mitigation: DNS Pinning Refuse to switch to a new IP Interacts poorly with proxies, VPN, dynamic DNS, … p y p , , y , Not consistently implemented in any browser Server-side defenses Check Host header for unrecognized domains Firewall defenses External names can’t resolve to internal addresses Protects browsers inside the organization
Summary Core protocols not designed for security p g y Eavesdropping, Packet injection, Route stealing, DNS poisoning Patched over time to prevent basic attacks (e.g. random TCP SN) More secure variants exist : IP -> IPsec DNS -> DNSsec BGP -> SBGP

Recommended

08 tcp-dns
08 tcp-dns08 tcp-dns
08 tcp-dns
pantu_1961
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
Himani Singh
 
network security
network securitynetwork security
network security
Srinivasa Rao
 
Tcp ip
Tcp ipTcp ip
Tcp ip
Akshay Nagpurkar
 
internet applications
internet applications internet applications
internet applications
Srinivasa Rao
 
Peer-to-Peer Application Recognition Based on Signaling Activity
Peer-to-Peer Application Recognition Based on Signaling ActivityPeer-to-Peer Application Recognition Based on Signaling Activity
Peer-to-Peer Application Recognition Based on Signaling Activity
Academia Sinica
 
Copy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attackCopy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attack
Vishal Gurujuwada
 
R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1
Raul Bernardino, BSc MSc
 

Recommended

08 tcp-dns
08 tcp-dns08 tcp-dns
08 tcp-dns
pantu_1961
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
Himani Singh
 
network security
network securitynetwork security
network security
Srinivasa Rao
 
Tcp ip
Tcp ipTcp ip
Tcp ip
Akshay Nagpurkar
 
internet applications
internet applications internet applications
internet applications
Srinivasa Rao
 
Peer-to-Peer Application Recognition Based on Signaling Activity
Peer-to-Peer Application Recognition Based on Signaling ActivityPeer-to-Peer Application Recognition Based on Signaling Activity
Peer-to-Peer Application Recognition Based on Signaling Activity
Academia Sinica
 
Copy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attackCopy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attack
Vishal Gurujuwada
 
R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1
Raul Bernardino, BSc MSc
 
Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IP
Sukh Sandhu
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
David Sweigert
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical Hacker
David Sweigert
 
12 tcp-dns
12 tcp-dns12 tcp-dns
12 tcp-dns
Culverton Blessy
 
WIRELESS NETWORK
WIRELESS NETWORKWIRELESS NETWORK
WIRELESS NETWORK
prakash m
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
btpsec
 
Advances in Network-adaptive Video Streaming
Advances in Network-adaptive Video StreamingAdvances in Network-adaptive Video Streaming
Advances in Network-adaptive Video Streaming
Videoguy
 
DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKS
Anil Antony
 
An analysis of the skype peer to-peer
An analysis of the skype peer to-peerAn analysis of the skype peer to-peer
An analysis of the skype peer to-peer
xiaoran815
 
Himanshupptx
HimanshupptxHimanshupptx
Himanshupptx
Himanshu Chaurishiya
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
masoodnt10
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hacking
phanleson
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptx
Ozkan E
 
An experimental study of the skype peer to-peer vo ip system
An experimental study of the skype peer to-peer vo ip systemAn experimental study of the skype peer to-peer vo ip system
An experimental study of the skype peer to-peer vo ip system
xiaoran815
 
Bluetooth mobileip
Bluetooth mobileipBluetooth mobileip
Bluetooth mobileip
ramlakshmiram
 
Common Dos and DDoS
Common Dos and DDoSCommon Dos and DDoS
Common Dos and DDoS
Jayesh Patel
 
Content aware p2 p video streaming with lowlatency
Content aware p2 p video streaming with lowlatencyContent aware p2 p video streaming with lowlatency
Content aware p2 p video streaming with lowlatency
xiaoran815
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
Siena Perry
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
Daniel T. Lee
 
CMIT 321 QUIZ 1
CMIT 321 QUIZ 1CMIT 321 QUIZ 1
CMIT 321 QUIZ 1
HamesKellor
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
guestd05b31
 
Multipath TCP
Multipath TCPMultipath TCP
Multipath TCP
Olivier Bonaventure
 

More Related Content

What's hot

Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IP
Sukh Sandhu
 
WIRELESS NETWORK
WIRELESS NETWORKWIRELESS NETWORK
WIRELESS NETWORK
prakash m
 
Advances in Network-adaptive Video Streaming
Advances in Network-adaptive Video StreamingAdvances in Network-adaptive Video Streaming
Advances in Network-adaptive Video Streaming
Videoguy
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
masoodnt10
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
Daniel T. Lee
 

What's hot (20)

Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IP
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical Hacker
 
12 tcp-dns
12 tcp-dns12 tcp-dns
12 tcp-dns
 
WIRELESS NETWORK
WIRELESS NETWORKWIRELESS NETWORK
WIRELESS NETWORK
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
 
Advances in Network-adaptive Video Streaming
Advances in Network-adaptive Video StreamingAdvances in Network-adaptive Video Streaming
Advances in Network-adaptive Video Streaming
 
DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKS
 
An analysis of the skype peer to-peer
An analysis of the skype peer to-peerAn analysis of the skype peer to-peer
An analysis of the skype peer to-peer
 
Himanshupptx
HimanshupptxHimanshupptx
Himanshupptx
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hacking
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptx
 
An experimental study of the skype peer to-peer vo ip system
An experimental study of the skype peer to-peer vo ip systemAn experimental study of the skype peer to-peer vo ip system
An experimental study of the skype peer to-peer vo ip system
 
Bluetooth mobileip
Bluetooth mobileipBluetooth mobileip
Bluetooth mobileip
 
Common Dos and DDoS
Common Dos and DDoSCommon Dos and DDoS
Common Dos and DDoS
 
Content aware p2 p video streaming with lowlatency
Content aware p2 p video streaming with lowlatencyContent aware p2 p video streaming with lowlatency
Content aware p2 p video streaming with lowlatency
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
 
CMIT 321 QUIZ 1
CMIT 321 QUIZ 1CMIT 321 QUIZ 1
CMIT 321 QUIZ 1
 

Similar to Network and DNS Vulnerabilities

Multipath TCP
Multipath TCPMultipath TCP
Multipath TCP
Olivier Bonaventure
 

Similar to Network and DNS Vulnerabilities (20)

Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
Multipath TCP
Multipath TCPMultipath TCP
Multipath TCP
 
TCPIP
TCPIPTCPIP
TCPIP
 
ip spoofing
ip spoofingip spoofing
ip spoofing
 
The Network Protocol Stack Revisited
The Network Protocol Stack RevisitedThe Network Protocol Stack Revisited
The Network Protocol Stack Revisited
 
Day-3 PowerPoint
Day-3 PowerPointDay-3 PowerPoint
Day-3 PowerPoint
 
Understanding computer networks
Understanding computer networksUnderstanding computer networks
Understanding computer networks
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developers
 
Efficient Telecommunication Infrastructure with Internet Telephony (VoIP)
Efficient Telecommunication Infrastructure with Internet Telephony (VoIP)Efficient Telecommunication Infrastructure with Internet Telephony (VoIP)
Efficient Telecommunication Infrastructure with Internet Telephony (VoIP)
 
Isys20261 lecture 07
Isys20261 lecture 07Isys20261 lecture 07
Isys20261 lecture 07
 
6005679.ppt
6005679.ppt6005679.ppt
6005679.ppt
 
Lync 2010 deep dive edge
Lync 2010 deep dive edgeLync 2010 deep dive edge
Lync 2010 deep dive edge
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
 
Dos ddos
Dos ddosDos ddos
Dos ddos
 
IPAddressing .pptx
IPAddressing .pptxIPAddressing .pptx
IPAddressing .pptx
 
Client server
Client serverClient server
Client server
 
Playing in a Satellite environment
Playing in a Satellite environmentPlaying in a Satellite environment
Playing in a Satellite environment
 
Sockets
SocketsSockets
Sockets
 
Sockets
SocketsSockets
Sockets
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 

More from n|u - The Open Security Community

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
David Michel
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
CzechDreamin
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
UXDXConf
 

Recently uploaded (20)

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 

Network and DNS Vulnerabilities

  • 1. n|u Network and DNS Vulnerabilities V l biliti Presented by: Harsimran Walia
  • 2. Data Formats TCP Header Application message - data Application message Transport (TCP, UDP) segment TCP data TCP data TCP data Network (IP) packet k t IP TCP data Link Layer y frame ETH IP TCP data ETF IP Header Link (Ethernet) Link (Ethernet) Header Trailer
  • 3. IP Internet Protocol Version Header Length Connectionless Type of S i T f Service Unreliable Total Length Identification Best effort Flags Fragment Offset Time to Live Protocol Notes: Header Checksum src and dest ports Source Address of Originating Host not parts of IP hdr g Destination Address of Target Host Options Padding IP Data
  • 4. Packet forging Client is trusted to embed correct source IP Easy to override using raw sockets Libnet: a library for formatting raw packets with arbitrary IP h d bit headers Anyone who owns their machine can send packets with arbitrary source IP … response will be sent back to forged source IP Implications: Anonymous DoS attacks; y ; Anonymous infection attacks
  • 5. Basic Security Problems 1. Network packets pass by untrusted hosts Eavesdropping, packet sniffing Especially easy when attacker controls a p y y machine close to victim 2. TCP state can be easy to guess Enables spoofing and session hijacking 3. Denial of Service (DoS) vulnerabilities
  • 6. 1 Packet Sniffing 1. Promiscuous NIC reads all packets Read all unencrypted data (e.g., “wireshark”) ftp, telnet (and POP, IMAP) send passwords in clear! p, ( , ) p Eve Alice Ali Network Bob B b Prevention: Encryption SSL (is it still secure??)
  • 7. 2 Breaking SSL encryption 2. Certificate used for encryption
  • 8. 2 Breaking SSL encryption 2. Certificate created by attacker and accepted by victim (normally a user ignores warning) attacker can- Sniff the encrypted passwords Decrypt the passwords Countermeasures C t Untrusted certificate should never be accepted All trusted certificates should be installed in the browser
  • 9. Review: TCP Handshake C S SN ←randC SYN: ANC ←0 Listening C SNS←randS Store SNC , SNS SYN/ACK: AN ←SN S C Wait SN←SNC+1 ACK: AN SN AN←SNS Established
  • 10. 2 TCP Connection Spoofing 2. Why random initial sequence numbers? (SNC , SNS ) y q ( Suppose init. sequence numbers are predictable Attacker can create TCP session on behalf of forged source IP Breaks IP-based authentication (e.g. SPF, /etc/hosts ) TCP SYN srcIP=victim SYN/ACK dstIP=victim Victim ACK SN=server SNS srcIP=victim Server attacker AN=predicted SNS server thinks command command is from victim IP addr
  • 11. Example DoS vulnerability Suppose attacker can guess seq. number for an pp g q existing connection: Attacker can send Reset packet to close connection. Results in DoS. Naively, success prob. is 1/232 (32-bit seq. #’s). Most systems allow for a large window of acceptable seq. #’s Much higher success probability.
  • 12. TCP SYN Flood I: low rate C S Single machine: • SYN Packets with SYNC1 random source IP d SYNC2 addresses • Fills up backlog queue SYNC3 on server SYNC C4 • No further connections possible SYNC5 12
  • 13. SYN Floods II: Massive flood Command bot army to flood specific target: (DDoS) y p g 20,000 bots can generate 2Gb/sec of SYNs (2003) At web site: Saturates network uplink or network router p Random source IP ⇒ attack SYNs look the same as real SYNs 13
  • 14. NIC as cpu Attempt to connect to the victim machine, which fails: Sending a ‘magic’ packet to the victim: It worked! Now logged i as root: k d l d in 14
  • 15. NIC as cpu PoC exists with Broadcom (Manufacturer of NICs) We can remotely execute shell code on the NIC Through shell code we can read/write data on main hard drive As shown we can login as root without even exploiting the system 15
  • 17. Routing Vulnerabilities Common attack: advertise false routes Causes traffic to go though compromised hosts ARP (addr resolution protocol): IP addr -> eth addr Node A can confuse gateway into sending it traffic for B OSPF: used for routing within an AS BGP: routing between ASs Attacker can cause entire Internet to send traffic for a victim IP to attacker’s address.
  • 18. Issues Security problems Potential for disruptive attacks BGP packets are un-authenticated p Attacker can advertise arbitrary routes Advertisement will propagate everywhere Used for DoS and spam
  • 19. DoS via route hijacking YouTube is 208.65.152.0/22 (includes 210 IP addr) youtube.com youtube com is 208 65 153 238 … 208.65.153.238, Feb. 2008: Pakistan telecom advertised a BGP path for 208.65.153.0/24 (includes 28 IP addr) Routing decisions use most specific prefix The entire Internet now thinks 208.65.153.238 208 65 153 238 is in Pakistan Outage resolved within two hours… but demonstrates huge DoS vuln. with no solution! March 2010: 1 ISP in US configured BGP route wrongly which led some users from US to be a victim of the great firewall of china These victims were redirected to some Chinese govt. Websites instead of legitimate g g sites
  • 21. DNS Domain Name System Hierarchical Name Space root org net com edu uk ca orkut yahoo google facebook www mail
  • 22. DNS Lookup Example root & com www.google.com DNS server google.com Local DNS DNS server Client resolver DNS record types (partial list): - NS: name server (points to other server) - A: address record (contains IP address) - MX: address in charge of handling email - TXT: generic text (e.g. used to distribute site public keys (DKIM)
  • 23. Caching DNS responses are cached p Quick response for repeated translations Useful for finding servers as well as addresses NS records for domains DNS negative queries are cached g q Save time for nonexistent sites, e.g. misspelling Cached data periodically times out Lifetime (TTL) of data controlled by owner of data TTL passed with every record
  • 24. DNS cache poisoning Victim machine visits attacker’s web site, downloads Javascript Query: a.bank.com user a.bank.com a bank com local Q QID=x1 ns.bank.com ns bank com browser DNS resolver IPaddr Random QID y1, y2, … NS bank.com=ns.bank.com A ns.bank.com=attackerIP attacker wins if ∃j: x1 = yj attacker response is cached and attacker owns bank.com
  • 25. Defenses Increase Query ID size. Q y How? a. Randomize src port, additional 11 bits p , Now attack takes several hours b. Ask every DNS query twice: Attacker has to guess QueryID correctly twice (32 bits) Apparently DNS system cannot handle the load
  • 26. Pharming DNS poisoning attack (less common than phishing) p g ( p g) If user visits attacker’s site the cache of user can be poisoned Change IP addresses to redirect URLs to fraudulent sites Potentially more da ge ous t a p s g attac s ote t a y o e dangerous than phishing attacks No email solicitation is required DNS poisoning attacks have occurred: January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia. In November 2004, Google and Amazon users were sent to 2004 Med Network Inc., an online pharmacy In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and j presented them with the message "God Bless Our Troops"
  • 27. Spoofing DNS spoofing attack p g Intercept the DNS query from the victim Spoof the ip address of the real url Se d o ged Send forged DNS response with the attac e s ip S espo se t t e attacker’s p Victim thinks its legitimate as he accessed real url and gets no warning Can be used for phishing attacks where social engineering p g g g not possible
  • 28. [DWF’96, R’01] DNS Rebinding Attack g <iframe src="http://www.evil.com"> DNS-SEC cannot stop this attack www.evil.com? ns.evil.com 171.64.7.115 171 64 7 115 TTL = 0 DNS server Firew 192.168.0.100 wall www.evil.com web server corporate web server 171.64.7.115 192.168.0.100 Read permitted: it s the “same origin it’s same origin”
  • 29. DNS Rebinding Defenses Browser mitigation: DNS Pinning Refuse to switch to a new IP Interacts poorly with proxies, VPN, dynamic DNS, … p y p , , y , Not consistently implemented in any browser Server-side defenses Check Host header for unrecognized domains Firewall defenses External names can’t resolve to internal addresses Protects browsers inside the organization
  • 30. Summary Core protocols not designed for security p g y Eavesdropping, Packet injection, Route stealing, DNS poisoning Patched over time to prevent basic attacks (e.g. random TCP SN) More secure variants exist : IP -> IPsec DNS -> DNSsec BGP -> SBGP