11 - Network Security

Question 1

Network Security

Answer 1

Attacks:
Routing (BGP)
Naming (DNS) -> “Reflection” (DDoS)
-> Phishing

Question 2

What makes the Internet insecure?

Answer 2

1) the internet is on by default
2) Attacks look like normal traffic
3) Federation ->Thousands of independent operators control

Question 3

In a packet switching network

Answer 3

Resources are not reserved and packets are self-contained

Question 4

Packet switch networks

Answer 4

are vulnerable to resource exhaustion attacks

Question 5

Components of security

Threat: Potential violation
Attack: action that violates

Answer 5

Availability: ability to use a resource
Confidentiality: concealing information
Authenticity: assures the origin of information
Integrity: prevents unauthorized changes

Question 6

Attack on confidentiality

Answer 6

Eavesdropping

Question 7

DDoS is an attack on which property of security?

Answer 7

Availability

Question 8

Negative impacts of attacks:

Answer 8

• theft of confidential info
• Unauthorized use
• False info
• Disruption of service

Question 9

Routing Security (BGP)

Control Plane Authentication

Answer 9

-Origin: Ensures next AS advertising prefix is the owner

protects the origin AS (owner of prefix is the owner)

Question 10

Route attacks - How?

Answer 10

1) Config error - mis-configuration
2) Router is compromised
3) Unserupulous ISPs

Question 11

Types of attacks

Answer 11

Config/management - tamper with management software that changes the configuration
Tamper with software
tamper with routing data

Question 12

Path Attestation

Answer 12

{thePath} signed by the private key
Moving to new As it includes the original route attestation with it’s private key and it’s own route attestation signed by it’s own private key

Question 13

Signing with path attestation prevents

Answer 13

1) Some Hijack attacks
2) Short path attacks
3) Modification of AS paths

Question 14

Attestation cannot prevent

Answer 14

1) Suppression

2) certain replay attacks (premature re-advertisement of a withdrawn route)

Question 15

DNS attacks

Answer 15

1) MITM (DNS SEC)
2) Spoofing (DNS SEC)
3) Cache poisoning (defense: 0x20)
4) Corruption
5) DNS reflection (can be a weapon for DDos)

Question 16

Why is DNS so vulnerable

Answer 16

1) Resolver trusts responses
2) Responses can contain info unrelated to the query (no authentication)
* DNS queries are connection-less through UDP - therefore a resolver does not have a way to map the response it receives from a query (other than ID - which can be forged by an attacker)

Question 17

Quiz:

Which aspects of DNS make it so vulnerable to attacks?

Answer 17

1) Queries are sent over UDP - (connectionless)

2) no way to authenticate the query responses - makes the DNS vulnerable to spoofing and cache poisoning attacks)

Question 18

DNS Cache poisoning

Answer 18

Attacker can guess the query ID and if it gets in before legit query, its cached!

Question 19

DNS poisoning fact

Answer 19

DNS has no way of expunging a message once it has been cached (The query ID is only 16 bits)

Question 20

Birthday paradox

Answer 20

Attacker doesn’t need to send many bogus IDs as a guess

Question 21

Generating a stream of A-record queries to generate a bunch of races and then stuffing the A-Record responses for each of these with a bogus authoritative NS record for the entire zone

Answer 21

Kaminsky attack

Dan Kaminsky discovered this attack

Question 22

Defenses to DNS Cache poisoning

Answer 22

1) ID & randomizing
2) Source port randomization (resource intensive and NAT can be de-randomized)
3) “0x20” -> DNS is case insensitive (Not case sensitive)
The resolver and the authoritative server can agree on the “key” or the capitalization patterns of the URL
i.e. www.GooGle.com x= www.google.com
attacker would have to guess the ID and the capitalization sequence.

Question 23

Quiz:

Why does “0x20” make DNS more secure?

Answer 23

Added enthropy

Question 24

Entropy definition

Answer 24

In data communications, the term entropy refers to the relative degree of randomness.

Question 25

Exploits asymmetry in size between queries and responses

Answer 25

DNS Amplification attack
(i.e. query is only 60 bytes but the reply is 3000 bytes)
By generating a small amount of initial traffic, the attacker can cause the DNS resolver to generate a significant large amount of attack traffic.

Question 26

Possible defenses against DNS amplification

Answer 26

1) Prevent spoofing
2) Disable open resolvers (disable the ability for DNS resolver to resolve queries from arbitrary locations on the internet)

Question 27

DNS SEC protocol

Answer 27

Adds authentication to DNS responses by adding signatures to the responses that are returned for each DNS reply.