Lesson 11 - Network Security Flashcards
What are 2 types of attacks common in Network security?
- Routing Attacks
- Naming Attacks
Reflection & Phishing
“Reflection”
An attacker sends requests to third-party servers (reflectors) with the victim's address forged as the source, so the replies flood the victim with far more traffic than the attacker sent, causing a DDOS attack. Extremely common type of attack.
“Phishing”
Attempt to trick a user into revealing sensitive information (e.g. credentials)
What is wrong with the Internet’s design and why?
- It is fundamentally insecure
- It was designed for simplicity
- “On by default” - reachable by any other host by default
- Hosts are insecure
- Attacks can look like normal traffic - especially in DDOS attacks, where no single request is the problem, but the sheer volume of requests causes it
- Federated design - the internet is not run by one person so it is difficult to coordinate security
What is the problem with packet switch networks?
- They are inherently vulnerable to resource exhaustion attacks
- Particularly prone to DDOS attacks
What are the 4 Components to Security?
- Availability
- Confidentiality
- Authenticity
- Integrity
What is Availability in Internet Security?
Ability to use a resource
What is Confidentiality in Internet Security?
Concealing information from prying eyes successfully
What is Authenticity in Internet Security?
It assures the correct origin of the information
What is Integrity in Internet Security?
Prevents unauthorized changes to data in transit (packets, routing updates, etc.)
In Security, what is considered a Threat?
Any potential violation of Availability, Confidentiality, Authenticity or Integrity
In Security, what is considered an Attack?
Any action that violates either Availability, Confidentiality, Authenticity or Integrity
What is an example of a threat to Confidentiality?
Eavesdropping with Wireshark or tcpdump on an interface in promiscuous mode
What is an example of a threat to Authenticity?
- Man-In-The-Middle - if the attacker can suppress the original packet, modify it and send it out again, they are essentially impersonating Alice
- ALSO an attack on Integrity
What is an example of a threat to Availability?
DDOS attack
What is a DOS attack vs a DDOS attack?
A regular DOS attack comes from just one origin or host. A DISTRIBUTED DOS attack comes from many hosts at once (often a botnet), which makes it much harder to filter by source.
In Security, what are the negative impacts of Attacks?
- Theft of confidential info
- Unauthorized use of info
- Spreading false info
- Disruption of service
Routing Security (BGP)
- Control plane authentication
- Session authentication: point-to-point between routers
- Path authentication: protects AS path routes
- Origin authentication: ensures that the AS advertising a prefix actually owns (is authorized to originate) that prefix
- Data plane security - determining if data is traveling to the intended locations
What is the goal of control plane authentication?
To determine the veracity(accuracy) of routing advertisements
What is the goal of Data plane security
Determining if data is traveling to the intended locations
How do routing attacks occur?
- Configuration errors (e.g. the 1997 AS 7007 incident, where a misconfigured router re-announced a large part of the Internet's routes as its own)
- Routers can be compromised
- Unscrupulous ISPs
- These attacks all can happen by tampering with the Config, Software or Routing Data
Why do hijacks matter?
- DNS masquerading
* Man In The Middle Attacks
What type of IP protocol connects ASes together?
BGP sessions between neighboring routers run over TCP connections (port 179)
What is sent over TCP between ASes?
Each BGP message is sent together with a hash of the message concatenated with a shared secret key (the TCP MD5 signature option, RFC 2385). The peer recomputes the hash with its own copy of the key; a mismatch means the message was forged or tampered with.
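As an added worked example (not part of the lesson), here is that session authentication in Python in the RFC 2385 style: the MD5 digest covers the IP pseudo-header, the fixed TCP header with the checksum zeroed, the segment data and finally the shared secret. The addresses, ports, secret and "BGP OPEN" payload are constructed for the demo; nothing here is taken from a real BGP implementation.

```python
import hashlib
import hmac
import socket
import struct


def build_segment(sport: int, dport: int, seq: int, ack: int, flags: int,
                  data: bytes, options: bytes = b"") -> bytes:
    """Assemble a raw TCP segment (header + options + data) with checksum 0."""
    options += b"\x00" * (-len(options) % 4)        # options are padded to 32-bit words
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + options + data


def tcp_md5_digest(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bytes:
    """RFC 2385 digest: MD5(pseudo-header || fixed TCP header with checksum=0 || data || key).

    Options are excluded from the hashed header but still count towards the
    segment length carried in the pseudo-header."""
    header_len = (segment[12] >> 4) * 4             # data offset field, in 32-bit words
    fixed_header = bytearray(segment[:20])
    fixed_header[16:18] = b"\x00\x00"               # checksum is assumed zero when signing
    data = segment[header_len:]
    pseudo_header = struct.pack("!4s4sBBH",
                                socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                                0, socket.IPPROTO_TCP, len(segment))
    return hashlib.md5(pseudo_header + bytes(fixed_header) + data + key).digest()


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes,
                   received_digest: bytes) -> bool:
    """Receiver side: recompute with the local copy of the key and compare in constant time."""
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(expected, received_digest)


def demo() -> dict:
    """Two BGP speakers sharing a secret; returns which checks pass (constructed scenario)."""
    key = b"bgp-session-secret"                      # constructed shared secret
    payload = b"BGP OPEN (constructed payload)"
    seg = build_segment(179, 40000, 1000, 0, 0x18, payload)   # flags PSH|ACK
    sig = tcp_md5_digest("192.0.2.1", "192.0.2.2", seg, key)
    tampered = seg[:-1] + bytes([seg[-1] ^ 0x01])   # flip one bit of the data in flight
    return {
        "genuine": verify_segment("192.0.2.1", "192.0.2.2", seg, key, sig),
        "wrong_key": verify_segment("192.0.2.1", "192.0.2.2", seg, b"guess", sig),
        "tampered_data": verify_segment("192.0.2.1", "192.0.2.2", tampered, key, sig),
        "spoofed_source": verify_segment("198.51.100.9", "192.0.2.2", seg, key, sig),
    }


if __name__ == "__main__":
    print(demo())
```

Because the source address is part of the pseudo-header, a segment injected from a different address fails the check even if the attacker captured a valid digest. MD5 is weak by modern standards; current deployments use TCP-AO (RFC 5925) with stronger MACs, but the shape of the check, verify before the BGP process sees the message, is the same.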
What is Secure BGP (BGPSEC)?
Adds signatures to route advertisements making BGP more secure
What is Origin Attestation/Address Attestation?
- Certificate binding a prefix to an owner
* Signed by a trusted party
What is Path Attestation?
- Signatures along AS path
- Each AS signs not only the path so far but also the valid next hop (the AS it is forwarding the route to). The next hop is critical to include; otherwise an attacker could take signatures from different announcements and splice or replay them into a path that was never actually advertised
What types of attacks can Path Attestation protect against?
- Hijacks
- Shortening
- Modification
What types of attacks can Path Attestation NOT protect against?
- Suppression (an AS simply fails to advertise a route it should)
- Replay attacks
- Data Traffic is not guaranteed to actually be traveling along a valid AS path
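The origin and path attestation cards above, as an added Python simulation that is not part of the lesson or of any BGPSEC implementation. Each AS signs over the prefix, the path up to and including itself, and the next hop it hands the route to; the receiving AS checks the origin against a trusted prefix-to-owner table and then walks the signature chain. In real BGPSEC the signatures are asymmetric (RPKI-certified keys); here a per-AS HMAC key that the verifier also knows stands in for the key pair, and the AS numbers, keys and prefix are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed toy keys: one per AS, playing the role of each AS's signing key.
AS_KEYS = {
    64500: b"key-64500",
    64501: b"key-64501",
    64502: b"key-64502",
    64503: b"key-64503",
}

# Origin attestation stand-in: trusted table binding prefix -> authorised origin AS
# (what a signed ROA from the RPKI would tell the verifier).
ROA = {"192.0.2.0/24": 64500}


@dataclass
class Announcement:
    prefix: str
    path: list          # AS path, origin first
    sigs: list          # sigs[i] was produced by path[i]


def _attest(asn: int, prefix: str, path_so_far: list, next_hop: int) -> bytes:
    """Signature by `asn` over the prefix, the path up to itself, and the AS it is
    forwarding to. Binding the next hop is what stops signatures being replayed
    or spliced into a different path."""
    msg = f"{prefix}|{','.join(map(str, path_so_far))}|{next_hop}".encode()
    return hmac.new(AS_KEYS[asn], msg, hashlib.sha256).digest()


def originate(prefix: str, origin_as: int, next_hop: int) -> Announcement:
    return Announcement(prefix, [origin_as], [_attest(origin_as, prefix, [origin_as], next_hop)])


def forward(ann: Announcement, my_as: int, next_hop: int) -> Announcement:
    """An intermediate AS appends itself to the path and adds its own attestation."""
    new_path = ann.path + [my_as]
    return Announcement(ann.prefix, new_path,
                        ann.sigs + [_attest(my_as, ann.prefix, new_path, next_hop)])


def verify(ann: Announcement, my_as: int) -> tuple:
    """Validation as performed by the AS receiving the announcement."""
    if ROA.get(ann.prefix) != ann.path[0]:
        return False, "origin AS not authorised for prefix"
    if len(ann.sigs) != len(ann.path):
        return False, "signature count does not match path length"
    for i, asn in enumerate(ann.path):
        if asn not in AS_KEYS:
            return False, f"no key known for AS{asn}"
        # The next hop each AS signed for must be the following AS in the path,
        # or the verifying AS itself for the last entry.
        next_hop = ann.path[i + 1] if i + 1 < len(ann.path) else my_as
        expected = _attest(asn, ann.prefix, ann.path[: i + 1], next_hop)
        if not hmac.compare_digest(expected, ann.sigs[i]):
            return False, f"bad attestation from AS{asn}"
    return True, "valid"


def scenarios() -> dict:
    """Constructed path 64500 -> 64501 -> 64502 -> 64503, verified at AS64503."""
    legit = forward(forward(originate("192.0.2.0/24", 64500, 64501), 64501, 64502), 64502, 64503)
    # Shortening: AS64502 drops AS64501 from the path but keeps the other signatures.
    # AS64500's signature names 64501 as next hop, so the chain no longer verifies.
    shortened = Announcement(legit.prefix, [64500, 64502], [legit.sigs[0], legit.sigs[2]])
    # Hijack: AS64502 claims to originate the prefix itself; the ROA check rejects it.
    hijack = originate("192.0.2.0/24", 64502, 64503)
    return {
        "legit": verify(legit, 64503),
        "shortened": verify(shortened, 64503),
        "hijack": verify(hijack, 64503),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:10s} -> {result}")
```

Note what the check cannot see: if AS64501 simply never forwards the route (suppression) there is no announcement to verify, and a valid chain says nothing about where the packets actually go on the data plane.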
What is an attack against a DNS Stub?
- Man In The Middle
* Protected by DNSSec
What is an attack against a DNS cache resolver?
- Cache poisoning
* Protected by 0x20
What is an attack against a DNS Master/Slave Authoritative?
- Spoofing
* Protected by DNSSec
What is an attack against a DNS Master Authoritative zone files?
Corruption
What is an attack against a DNS Master Authoritative dynamic updates?
Spoof
Why is DNS vulnerable?
- No Authentication!
- They are Connectionless (UDP)
- Resolvers implicitly trust the first response whose query ID (and port) matches, so an attacker who wins the race against the real server gets their answer cached
What is DNS cache poisoning?
- A stub resolver sends a request to a recursive resolver, the recursive resolver queries the authoritative server, and an attacker sends a forged response that beats the real authoritative server's reply.
- The forged response must carry the correct 16-bit query ID. With many queries outstanding and a flood of spoofed responses, only a few hundred of each are needed for a likely match (birthday paradox)
What are the defenses against DNS cache poisoning?
- Add a randomized query ID to the request (weak: only 16 bits of entropy, and the birthday paradox cuts the effective work further)
- The recursive resolver can also randomize its UDP source port (adds roughly 16 more bits; somewhat resource intensive, and a NAT in front of the resolver may rewrite the ports and undo the randomization)
- 0x20 Encoding - the resolver randomizes the capitalization of the query name and the authoritative server echoes the question back verbatim, so the answer must match the exact mixed case. An attacker now has to guess the capitalization as well as the query ID and port (adds one bit of entropy per letter in the name)
Are DNS servers case sensitive?
No, DNS name matching is case-INsensitive (www.example.com and WwW.eXaMpLe.CoM are the same name). Servers do preserve the case of the query name when echoing it in the response, which is what 0x20 encoding relies on.
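The cache poisoning defenses and the case-insensitivity cards above, as an added Python example (not part of the lesson). It randomizes the case of a query name the 0x20 way, shows the resolver accepting only a byte-exact echo while the authoritative server still matches the name case-insensitively, and computes the birthday-style success probability for a few hundred outstanding queries against a few hundred spoofed replies with and without the extra entropy. The name, seed and query counts are constructed.

```python
import random

QUERY_ID_SPACE = 2 ** 16          # 16-bit transaction ID
SOURCE_PORT_SPACE = 2 ** 16       # randomised UDP source port, roughly 16 more bits


def encode_0x20(qname: str, rng: random.Random) -> str:
    """Randomise the case of every letter; digits, dots and hyphens are unchanged."""
    return "".join(c.upper() if rng.getrandbits(1) else c.lower() for c in qname)


def extra_bits_0x20(qname: str) -> int:
    """Each alphabetic character is one more bit the spoofer must guess."""
    return sum(c.isalpha() for c in qname)


def same_name(a: str, b: str) -> bool:
    """DNS name matching is case-insensitive; this is what the authoritative server uses."""
    return a.lower() == b.lower()


def response_accepted(sent_qname: str, sent_id: int, resp_qname: str, resp_id: int) -> bool:
    """Resolver side: the ID must match and the question section must echo the
    query name byte-for-byte, case included (the 0x20 check)."""
    return sent_id == resp_id and sent_qname == resp_qname


def poison_success_probability(n_outstanding: int, m_spoofed: int, space: int) -> float:
    """Probability that at least one of m spoofed replies (distinct guesses) matches
    one of n outstanding queries whose identifiers are drawn uniformly from `space`."""
    if m_spoofed >= space:
        return 1.0
    return 1.0 - (1.0 - m_spoofed / space) ** n_outstanding


def id_space(qname: str, random_port: bool, use_0x20: bool) -> int:
    """Size of the space the attacker has to guess, given which defenses are on."""
    space = QUERY_ID_SPACE
    if random_port:
        space *= SOURCE_PORT_SPACE
    if use_0x20:
        space *= 2 ** extra_bits_0x20(qname)
    return space


def demo(qname: str = "www.example.com") -> dict:
    rng = random.Random(20)                     # fixed seed so the demo is reproducible
    encoded = encode_0x20(qname, rng)
    qid = rng.getrandbits(16)
    # The authoritative server finds the zone data case-insensitively but copies the
    # question back unchanged, so the legitimate reply carries the same mixed case.
    legit_accepted = same_name(encoded, qname) and response_accepted(encoded, qid, encoded, qid)
    # The attacker knows the name (lowercase) and even the ID, but not the case pattern.
    spoof_accepted = response_accepted(encoded, qid, qname.lower(), qid)
    return {
        "encoded": encoded,
        "legit_accepted": legit_accepted,
        "spoof_accepted": spoof_accepted,
        "bits_added_by_0x20": extra_bits_0x20(qname),
        "p_300x300_id_only": poison_success_probability(300, 300, id_space(qname, False, False)),
        "p_300x300_id_port": poison_success_probability(300, 300, id_space(qname, True, False)),
        "p_300x300_id_port_0x20": poison_success_probability(300, 300, id_space(qname, True, True)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v}")
```

With only the 16-bit ID, 300 outstanding queries against 300 spoofed replies already succeed about three times in four, which is the "few hundred responses" figure on the card; port randomization alone pushes that below one in ten thousand. Two caveats a deployment should know: 0x20 adds nothing for names with few letters (reverse lookups such as 1.0.0.127.in-addr.arpa), and an authoritative server that lowercases the question instead of echoing it breaks the check, so resolvers have to fall back for such servers.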
What is the Kaminsky attack?
The attacker sends a stream of queries for random, non-existent names in the target domain (so each one misses the cache and triggers a fresh race) and floods the resolver with bogus answers for each. The forged responses carry authority/glue records that point the whole domain at the attacker's name server, so winning any one race poisons the entire domain rather than a single name
What is the DNS Amplification Attack?
- Exploits the asymmetry in size between DNS queries and responses
- You send a relatively small request with the victim's IP address forged as the source, so the much larger response goes to the victim. Repeated through many open resolvers, the amplified responses flood the victim, resulting in a DDOS attack
What are defenses against the DNS Amplification Attack?
- Prevent IP address spoofing through filtering rules
* Disable open recursion, so the resolver only answers recursive queries from its own clients rather than from arbitrary locations
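Both defenses on the card above, as an added Python model that is not part of the lesson or of any router or resolver product. The edge router applies ingress (BCP38-style) filtering, dropping packets whose source address cannot legitimately sit behind the interface they arrived on; the resolver then grants recursion only to its own clients, with a flag to show the weak open-resolver setting beside the corrected one. The topology, prefixes, zone and sample queries are constructed; 203.0.113.5 plays the victim whose address is spoofed.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.ip_network

# Constructed ISP edge: which source prefixes may appear on each ingress interface.
# None marks a transit link that cannot be filtered this way (any source is plausible).
INGRESS_PREFIXES = {
    "cust-A": [Net("198.51.100.0/24")],
    "transit": None,
}
# Constructed resolver policy: recursion is offered only to the operator's clients.
RECURSION_CLIENTS = [Net("198.51.100.0/24"), Net("192.0.2.0/24")]
# Zones this server is authoritative for; those answers must be served to anyone.
OWN_ZONES = ["example.net."]


@dataclass
class DnsQuery:
    ingress_if: str
    src_ip: str
    qname: str
    recursion_desired: bool


def bcp38_permits(ingress_if: str, src_ip: str) -> bool:
    """Ingress filter: drop packets whose source cannot live behind that interface."""
    allowed = INGRESS_PREFIXES.get(ingress_if)
    if allowed is None:                       # unfiltered transit link
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in allowed)


def is_authoritative(qname: str) -> bool:
    return any(qname == z or qname.endswith("." + z) for z in OWN_ZONES)


def resolver_decision(q: DnsQuery, open_resolver: bool) -> str:
    """open_resolver=True is the weak setting: recursion for the whole Internet."""
    if is_authoritative(q.qname):
        return "answer"
    if not q.recursion_desired:
        return "REFUSED"                      # not our zone and no recursion asked for
    client = ipaddress.ip_address(q.src_ip)
    if open_resolver or any(client in net for net in RECURSION_CLIENTS):
        return "recurse"
    return "REFUSED"


def handle(q: DnsQuery, open_resolver: bool = False) -> str:
    """Edge router first, then the resolver."""
    if not bcp38_permits(q.ingress_if, q.src_ip):
        return "dropped-at-edge"
    return resolver_decision(q, open_resolver)


# Constructed traffic sample.
SAMPLE = {
    "spoofed_from_customer": DnsQuery("cust-A", "203.0.113.5", "example.com.", True),
    "real_customer":         DnsQuery("cust-A", "198.51.100.7", "example.com.", True),
    "spoofed_via_transit":   DnsQuery("transit", "203.0.113.5", "example.com.", True),
    "outsider_own_zone":     DnsQuery("transit", "203.0.113.5", "www.example.net.", True),
}


def run(open_resolver: bool = False) -> dict:
    return {name: handle(q, open_resolver) for name, q in SAMPLE.items()}


if __name__ == "__main__":
    print("open resolver:  ", run(open_resolver=True))
    print("closed resolver:", run(open_resolver=False))
```

The transit case is the reason both defenses are needed: the spoofed packet arriving over transit cannot be dropped by this router's ingress filter (only the spoofer's own ISP can do that), so an open resolver would still recurse and amplify it, while a closed one refuses. Answers for the server's own zones still go to anyone, which is why authoritative servers are protected separately with response rate limiting rather than by refusing queries.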
What is the major weakness of DNS and what is the solution?
- Lack of authentication!
* DNSSEC