Lesson 9: Internet Security Flashcards

1
Q

What are the properties of secure communication?

A
  1. Confidentiality
  2. Integrity
  3. Authentication
  4. Availability
2
Q

How does Round Robin DNS (RRDNS) work?

A

The server responds to a DNS request with a list of DNS A records, rotating the order of that list in a round-robin manner from one response to the next. The DNS client can then choose a record using different strategies: choose the first record each time, use the record closest in terms of network proximity, etc.

3
Q

How does DNS-based content delivery work?

A

For example, CDNs distribute the load amongst multiple servers at a single location, but also distribute these servers across the world. When the name of the service is resolved using DNS, the CDN computes the ‘nearest edge server’ and returns its IP address to the DNS client. It uses sophisticated techniques based on network topology and current link characteristics to determine the nearest server.

4
Q

How do Fast-Flux Service Networks work?

A

It is based on a ‘rapid’ change in DNS answers, with a TTL lower than that of RRDNS and CDNs. One key difference between FFSN and the other methods is that after the TTL expires, it returns a different set of A records drawn from a larger pool of compromised machines.

5
Q

What are the main data sources to identify hosts that likely belong to rogue networks, used by FIRE (FInding Rogue nEtworks system)?

A
  1. Botnet command and control providers
  2. Drive-by-download hosting providers
  3. Phish housing providers
6
Q

The design of ASwatch is based on monitoring global BGP routing activity to learn the control plane behavior of a network. Describe 2 phases of this system.

A
  1. Training phase
  2. Operational phase

7
Q

What are 3 classes of features used to determine the likelihood of a security breach within an organization?

A
  1. Mismanagement symptoms
  2. Malicious Activities
  3. Security Incident Reports
8
Q

(BGP hijacking) What is the classification by affected prefix?

A

In this class of hijacking attacks, we are primarily concerned with the IP prefixes that are advertised by BGP.

a. Exact prefix hijacking: When two different ASes (one genuine and the other counterfeit) announce a path for the same prefix. This disrupts routing in such a way that traffic is routed towards the hijacker wherever the AS-path through it is shortest.
b. Sub-prefix hijacking: This is an extension of exact prefix hijacking, except that in this case the hijacking AS announces a sub-prefix of the genuine prefix of the real AS. This exploits BGP's preference for more specific prefixes, and as a result a large part of, or all, the traffic is routed to the hijacking AS.

Example: A given hijacking AS labelled AS2 announces that it has a path to prefix 10.10.0.0/24 which is a part of 10.10.0.0/16 owned by AS1.

c. Squatting: In this type of attack, the hijacking AS announces a prefix that has not yet been announced by the owner AS.

9
Q

(BGP hijacking) What is the classification by AS-Path announcement?

A

In this class of attacks, an illegitimate AS announces the AS-path for a prefix for which it doesn’t have ownership rights. There are different ways this can be achieved:

a. Type-0 hijacking: This is simply an AS announcing a prefix not owned by itself.
b. Type-N hijacking: This is an attack where the counterfeit AS announces an illegitimate path for a prefix that it does not own, creating a fake link (path) between different ASes.

For example, {AS2, ASx, ASy, AS1 – 10.0.0.0/23} denotes a fake path between AS2 and AS1, where there is no link between AS2 and ASx. The N denotes the position of the rightmost fake link in the illegitimate announcement, e.g. {AS2, ASy, AS1 – 10.0.0.0/23} is a Type-2 hijacking.

c. Type-U hijacking: In this attack the hijacking AS does not modify the AS-PATH but may change the prefix.

10
Q

(BGP hijacking) What is the classification by data plane traffic manipulation?

A

In this class of attacks, the intention of the attacker is to hijack the network traffic and manipulate the redirected traffic on its way to the receiving AS. There are three ways the attack can be realized under this classification, i.e. traffic intercepted by the hijacker can be:

a. Dropped, so that it never reaches the intended destination. This falls under the category of a blackholing (BH) attack.
b. Eavesdropped on or manipulated before it reaches the receiving AS, which is also called a man-in-the-middle (MM) attack.
c. Impersonated: in this case the network traffic of the victim AS is impersonated and the response to this traffic is sent back to the sender. This is called an imposture (IM) attack.

11
Q

What are the causes or motivations behind BGP attacks?

A
  1. Human Error
  2. Targeted attack
  3. High impact attack
12
Q

Explain the scenario of prefix hijacking.

A

When an attacker advertises a prefix, other ASes which have a longer path for the same prefix will then believe this new fake advertisement and route through the attacker.

13
Q

Explain the scenario of hijacking a path.

A

When an attacker advertises a path, other ASes which have a longer path for the same prefix will then believe this new fake advertisement and route through the attacker.

14
Q

What are the key ideas behind ARTEMIS?

A
  1. A configuration file: all the prefixes owned by the network are listed here for reference. This configuration file is populated by the network operator.
  2. A mechanism for receiving BGP updates: this allows receiving updates from local routers and monitoring services. This is built into the system.
15
Q

What are the two automated techniques used by ARTEMIS to protect against BGP hijacking?

A
  1. Prefix deaggregation
  2. Mitigation with Multiple Origin AS (MOAS)

16
Q

What are two findings from ARTEMIS?

A
  1. Outsource the task of BGP announcement to third parties: To combat BGP hijacking attacks, having even just one single external organization mitigate BGP attacks is highly effective.
  2. Comparison of outsourcing BGP announcements vs prefix filtering: When compared against prefix filtering, which is the current standard defense mechanism, the research work found that filtering is less effective than outsourced BGP announcements.
17
Q

Explain the structure of a DDoS attack.

A

A Distributed Denial of Service (DDoS) attack is an attempt to compromise a server or network resources with a flood of traffic. To achieve this, the attacker first compromises and deploys flooding servers (slaves).

Later, when initiating an attack, the attacker instructs these flooding servers to send a high volume of traffic to the victim. This results in the victim host either becoming unreachable or in exhaustion of its bandwidth.

18
Q

What is spoofing, and how is it related to a DDoS attack?

A

IP spoofing is the act of setting a false IP address in the source field of a packet with the purpose of impersonating a legitimate server. In DDoS attacks, this can happen in two forms. In the first form, the source IP address is spoofed, resulting in the response of the server sent to some other client instead of the attacker’s machine. This results in wastage of network resources and the client resources while also causing denial of service to legitimate users.

In the second type of attack, the attacker sets the same IP address in both the source and destination IP fields. This results in the server sending the replies to itself, causing it to crash.

19
Q

Describe a Reflection and Amplification attack.

A

Attackers can use machines that respond to simple requests, such as DNS resolvers, as reflectors: the attacker sends small spoofed requests to them and they send larger replies to the victim, amplifying a DDoS attack.

20
Q

What are the defenses against DDoS attacks?

A
  1. Traffic Scrubbing Services
  2. ACL filters
  3. BGP Flowspec
21
Q

Explain provider-based blackholing.

A

The provider network provides the blackholing service and dumps the traffic directed to the victim AS to the null interface.

22
Q

Explain IXP blackholing.

A

The IXP provides the blackholing service and directs all other participating ASes to dump the traffic directed to the victim AS to the null interface.

23
Q

What is one of the major drawbacks of BGP blackholing?

A

It dumps all traffic, essentially making the victim unavailable.