11 - Network Security Flashcards
Network Security
Attacks:
Routing (BGP)
Naming (DNS) -> “Reflection” (DDoS)
-> Phishing
What makes the Internet insecure?
1) the internet is on by default
2) Attacks look like normal traffic
3) Federation -> Thousands of independent operators control
In a packet switching network
Resources are not reserved and packets are self-contained
Packet switch networks
are vulnerable to resource exhaustion attacks
Components of security
Threat: Potential violation
Attack: action that violates
Availability: ability to use a resource
Confidentiality: concealing information
Authenticity: assures the origin of information
Integrity: prevents unauthorized changes
Attack on confidentiality
Eavesdropping
DDoS is an attack on which property of security?
Availability
Negative impacts of attacks:
- theft of confidential info
- Unauthorized use
- False info
- Disruption of service
Routing Security (BGP)
Control Plane Authentication
- Origin: Ensures the AS advertising a prefix is its owner
(protects the origin AS, i.e. the owner of the prefix)
Route attacks - How?
1) Config error - mis-configuration
2) Router is compromised
3) Unscrupulous ISPs
Types of attacks
Config/management - tamper with management software that changes the configuration
Tamper with software
tamper with routing data
Path Attestation
{thePath} signed by the private key
When the route moves to a new AS, that AS includes the original route attestation (signed by the previous AS's private key) along with its own route attestation, signed by its own private key
Signing with path attestation prevents
1) Some Hijack attacks
2) Short path attacks
3) Modification of AS paths
Attestation cannot prevent
1) Suppression
2) certain replay attacks (premature re-advertisement of a withdrawn route)
DNS attacks
1) MITM (defense: DNSSEC)
2) Spoofing (defense: DNSSEC)
3) Cache poisoning (defense: 0x20)
4) Corruption
5) DNS reflection (can be a weapon for DDoS)
Why is DNS so vulnerable
1) Resolver trusts responses
2) Responses can contain info unrelated to the query (no authentication)
* DNS queries are connectionless (UDP) - therefore a resolver has no way to match a response to the query it sent, other than the query ID (which an attacker can forge)
Quiz:
Which aspects of DNS make it so vulnerable to attacks?
1) Queries are sent over UDP (connectionless)
2) No way to authenticate the query responses - makes DNS vulnerable to spoofing and cache poisoning attacks
DNS Cache poisoning
Attacker can guess the query ID, and if the bogus response arrives before the legitimate one, it's cached!
DNS poisoning fact
DNS has no way of expunging a message once it has been cached (The query ID is only 16 bits)
Birthday paradox
Attacker doesn’t need to send many bogus IDs as a guess
Generating a stream of A-record queries to create many races, then stuffing the A-record responses for each of them with a bogus authoritative NS record for the entire zone
Kaminsky attack
Dan Kaminsky discovered this attack
Defenses to DNS Cache poisoning
1) Query ID randomization
2) Source port randomization (resource intensive, and NAT can de-randomize the ports)
3) "0x20" -> DNS is case insensitive
The resolver and the authoritative server can agree on a "key": the capitalization pattern of the URL
e.g. www.GooGle.com ≠ www.google.com
An attacker would have to guess both the ID and the capitalization sequence.
Quiz:
Why does “0x20” make DNS more secure?
Added entropy
Entropy definition
In data communications, the term entropy refers to the relative degree of randomness.
Exploits asymmetry in size between queries and responses
DNS Amplification attack
(e.g. the query is only 60 bytes but the reply is 3000 bytes)
By generating a small amount of initial traffic, the attacker can cause the DNS resolver to generate a significantly larger amount of attack traffic.
Possible defenses against DNS amplification
1) Prevent spoofing
2) Disable open resolvers (do not let the DNS resolver answer queries from arbitrary locations on the internet)
DNSSEC protocol
Adds authentication to DNS responses by attaching signatures to the records returned in each DNS reply.