Network Security Flashcards
Network attacks covered
Routing (BGP), Naming (DNS reflection) [DDoS, phishing]
Why is the internet vulnerable?
Designed for simplicity, on by default, hosts are insecure, attacks can look like normal traffic, federated design
What type of attacks are packet-switched networks vulnerable to?
resource exhaustion
Components of security?
Availability, confidentiality, Authenticity, Integrity
Example of confidentiality attack
Man-in-the-middle or Eavesdropping
How can eavesdropping be carried out in practice?
Someone on the same LAN could put their NIC into promiscuous mode and run a packet sniffer
How can eavesdropping be used to execute an Authenticity attack?
The man in the middle can modify some of the content that was sniffed and then reinject it into the network.
What are the negative impacts of attacks against the components of security?
Theft of confidential info, Unauthorized Use, False Info, Disruption of service
Three types of control plane authentication
Session (point-to-point between routers), Path (protects the AS path), Origin (ensures that the AS advertising a prefix is its owner).
A route hijack is an attack on which type of authentication?
Origin
How do routing attacks happen?
Config Error, Routers compromised, unscrupulous ISPs
Most common routing attack?
Hijack
Types of routing attacks
Configuration / management software, tampering with software, tampering with routing data
How does DNS masquerading work?
An AS advertises the IP of a known DNS server using BGP. This diverts traffic away from the real nameserver. The attacker can then return a different destination during name resolution.
MITM
Man in the middle
AS poisoning
Allows an AS to become a MITM. To keep a route back to the origin, the ASes along the path back to the origin are prepended to the announcement.
How does prepending the AS numbers cause the ASes along the path to keep the original path?
They see (think) they already have the route and do not want to cause a loop.
How can a MITM AS “hide”?
Traceroute shows messages from hops when the TTL reaches zero. The routers in the MITM AS never decrement the TTL.
Two types of session authentication
1. Using TCP’s MD5 option: m = message; MD5(m, k) with shared secret k. 2. TTL hack: the two ASes agree to use a TTL of 256; anything < 256 is dropped.
BGPSEC
Secure border gateway protocol
Parts of BGPSEC
Origin attestation: a certificate binding a prefix to its owner, signed by a trusted party. Path attestation: signatures along the path.
How does Path attestation avoid replay attacks
They include the origin AS ID before encrypting.
Types of attacks path attestation can protect against
hijacks, shortening, modification
Attacks path attestations cannot protect against.
Suppression, Replay (some types), Cannot guarantee the traffic moves along the dedicated path.
Why is DNS vulnerable?
Resolvers trust responses; responses can contain info unrelated to the query; no authentication.
SOA
Start of Authority
How does DNS cache poisoning work
An attacker can send multiple A records with different transaction IDs to the recursive resolver.
What is the issue with IDs?
The ID is only 16 bits (2^16 values), so a match is easy to get due to the birthday paradox.
Kaminsky Attack
Generate queries for 1.google.com, 2.google.com, etc., while sending A records and stuffing in a bogus NS record.
Defenses to DNS cache poisoning
1. ID randomization, 2. Source port randomization, 3. 0x20 encoding
What is 0x20 encoding?
The resolver and server agree on which characters in the domain will be upper or lower case
DNS amplification attack?
The attacker sends a request to the DNS resolver and sets the victim as the source.
Why are they called amplification attacks?
The response from the DNS resolver can be many times larger than the request.