Test 3 Network Security Flashcards
Notorious attacks on internet routing
April 8, 2010: China advertised prefixes belonging to about countries. The event lasted for about 20 minutes. In this particular case the hijack appears to have been accidental, and because the prefixes were long enough, they didn’t disrupt existing routes. But the fact that the route advertisements were allowed to leak in the first place highlights the vulnerability of the Border Gateway Protocol.
Another event: prefixes were advertised, potentially as a botched attempt to block YouTube in the country following a government order. Unfortunately, the event resulted in disruption of connectivity to YouTube for people all around the world.
April 25th, 1995: one of the more famous route hijack incidents was the AS7007 incident, where AS7007 advertised all of the IP prefixes on the entire Internet as originating in its own AS, resulting in disruption of connectivity to huge fractions of the Internet.
Why is BGP susceptible to attacks?
BGP allows any AS to advertise an IP prefix to a neighboring AS, and that AS will typically just believe that route advertisement and advertise it to the rest of the Internet. These events, where an AS advertises a prefix that it does not own, are called route hijacks.
DNS reflection
a way of generating very large amounts of traffic targeted at a victim.
Distributed Denial of Service, or DDoS attack
a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
https://en.wikipedia.org/wiki/Denial-of-service_attack
Phishing
an attacker exploits the domain name system in an attempt to trick a user into revealing personal information, such as passwords on a rogue website
Why is the Internet fundamentally insecure?
The internet was designed for simplicity, and as a result security was not a primary consideration when the internet was originally designed
it’s on by default. In other words, when a host is connected to the internet, it is by default reachable by any other host that has a public IP address. This means that if one has an insecure host, that host is effectively wide open to attack by other hosts on the internet.
the internet is run by tens of thousands of independently run networks, so it can be very difficult to coordinate a defense against an attack, because each of these networks is run by different network operators, sometimes in completely different countries
Resource Exhaustion Attacks
In a packet-switched network, resources are not reserved and packets are self-contained. Every packet has a destination IP address, and each packet travels independently to the destination host. In a packet-switched network, a link may be shared by multiple senders at any given time, using statistical multiplexing as we learned in previous lessons.
A large number of senders can overload a network resource, such as a node or a link. Note that circuit-switched networks like the phone network do not have this problem, because every connection effectively has dedicated resources allocated to it until it is terminated. So this problem, that an attacker who sends a lot of traffic might exhaust resources, is unique to a packet-switched network environment.
Components of Security
availability
–susceptible to resource exhaustion
Confidentiality
Authenticity
–ensures the identity of the origin of a piece of information
Integrity
– information wasn’t modified in flight.
security threat defined
anything that might potentially cause a violation of one of the Components of Security
attack defined
an action that results in the violation of one of the Components of Security
difference between a threat and an attack
the difference between a violation that could potentially occur versus an action that actually results in a violation.
Confidentiality Attacks
eavesdropping
- -an attacker, Eve, might gain unauthorized access to information being sent between Alice and Bob
- packet sniffing tools, such as wireshark and tcpdump, that set a machine’s networking interface card into what’s called promiscuous mode
- -If the network interface card is in promiscuous mode then Eve’s machine will be able to capture some of the packets that are being exchanged between Alice and Bob
the ability to see DNS look-ups would provide the attacker information about, say, what websites you’re visiting.
The ability to capture packet headers might give the attacker information, not only about where you’re exchanging traffic, but what types of applications you’re using.
the ability to see a full packet payload would allow an attacker to effectively see every single thing that you are sending on the network. Including content you’re exchanging with other people. Such as private message, email communication, and so forth.
given the ability to see a packet, Eve might not only listen to that packet, but might also modify it and re-inject it into the network, potentially after altering the state of the packet.
If additionally Eve could suppress the original message
Authenticity Attacks
‘Man in the Middle’ attack.
If, in addition to being able to observe packets that traverse the network, Eve could re-inject packets after having modified them, and suppress Alice’s original message, then Eve could effectively impersonate Alice.
integrity Attacks
Eve could also make it appear as though this message came from Alice, in which case the attack would be an attack on message integrity.
A denial of service is an attack on what property of internet security?
A denial of service attack is an attack on availability. Denial of service attacks typically are an attempt to overwhelm the network or a network host in some way by consuming its resources. A common way of launching a denial of service attack is to send a lot of traffic at a victim, often from many distributed locations. If the attacker is in fact distributed, this is called not just a denial of service attack, but a distributed denial of service attack.
Negative Impacts of Attacks
theft of confidential information
unauthorized use of network bandwidth or computing resources
the spread of false information
the disruption of legitimate services.
Routing Security
focus on:
- inter-domain routing or the security of BGP
- control plane security
control plane security
authentication of the messages being advertised by the routing protocol
goal of control plane security, or control plane authentication is to determine the veracity of routing advertisements.
verify:
- -session authentication, which protects the point-to-point communication between routers
- -path authentication, which protects the AS path, and sometimes other attributes.
- -origin authentication. Which protects the origin AS in the AS path; effectively guaranteeing that the origin AS that advertises a prefix is, in fact, the owner of that prefix.
A route hijack, is an attack on which form of authentication?
A route hijack is an attack on origin authentication, because in a route hijack the AS that is advertising the prefix is actually not the rightful owner of that prefix. In addition to control plane security, we also have to worry about data plane security, or determining whether data is traveling to the intended locations. In general, it can be extremely hard to verify that packets or traffic are traveling along the intended route to the destination, or that they in fact even reach the intended destination in the first place. Guaranteeing that traffic actually traverses the advertised route remains an important open problem in Internet security.
Sources of Route Attacks
router is misconfigured. In other words, no one actually intended for the router to advertise a false route, but because of a misconfiguration the router does so.
a router might be compromised by an attacker. Once a router is compromised, the attacker can reconfigure the router to, for example, advertise false routes.
unscrupulous ISPs might also decide to advertise routes that they should not be advertising.
launching the route attack
An attacker might reconfigure the router, which is typically the most common way an attacker might launch an attack.
The attacker might also tamper with software, or an attacker could actively modify a routing message.
the attacker might tamper with the management software that changes the configuration.
And the most common attack is a route hijack attack, or an attack on origin authentication.
Route Hijacking
if an attacker were running a rogue DNS server and wanted to hijack your DNS query, or to return a false IP address, the attacker might use BGP to advertise a route for the IP prefix that contains that authoritative DNS server
DNS queries that were previously going to the legitimate server are instead redirected to the rogue DNS server
how a BGP route hijack can result in a Man in the Middle attack
your traffic ultimately reaches the correct destination, but the attacker successfully inserts themselves on the path. The problem with this particular route hijack is that all traffic destined for IP X is going to head for the attacker, even the traffic from the legitimate network. What we’d like to have happen instead is that traffic for IP X first goes to the hijack location and then goes on to the legitimate location, so the attacker effectively becomes a Man in the Middle. The problem is that we need to somehow disrupt the routes to the rest of the Internet while leaving the routes between the attacker and the legitimate location intact, so that traffic along this path can still head towards the legitimate AS
Autonomous System Session Authentication
Session Authentication simply attempts to ensure that BGP Routing messages sent between routers between AS’s are authentic
done using TCP’s MD5 authentication option
- -every message exchanged on the TCP connection not only contains the message, but also a hash of the message with a shared secret key. This key distribution is manual: the operator in AS1 and the operator in AS2 must agree on what the key is, and typically they do that out of band.
- -once that key is set, all messages between this pair of routers are authenticated.
Another way to guarantee session authentication is to have AS1 transmit packets with a TTL of [value missing]. Because most BGP sessions are only a single hop and attackers are typically remote, the recipient AS will not accept a packet from a remote attacker, because that attacker’s packets will likely have a TTL value of less than 254. This defense is aptly called the TTL hack defense for BGP session authentication.
Origin and Path Authentication
Secure BGP or BGPSEC
–proposal to modify the existing border gateway protocol to add signatures to various parts of the route advertisement
two different parts
- -address attestation/ origin attestation, which is a certificate that binds the IP prefix to the organization that owns that prefix, including the origin AS
- -path attestation: set of signatures that accompany the AS path as it is advertised from one AS to the next
Autonomous System Path Attestation
BGP announcement would contain:
- the prefix p
- -the AS path, which so far is just 1.
- -the path attestation, which is actually the path 2 1 signed by the private key of AS1.
When AS2 readvertises that route announcement, it advertises:
- the new AS path 2 1.
- -It adds its own route attestation, 3 2 1, signed by its own private key.
- -It includes the original path attestation signed by AS1.
A recipient of a route along this path can thus verify every step of the AS path.
- -AS3 can use the first part of the path attestation to verify that the path in fact goes from AS2 to AS1, and does not contain any other ASes in between.
- -It can use the second part of the path attestation to ensure that the path between it, AS3, and the next hop is in fact AS2, and that no other ASes could have inserted themselves on the path between 2 and 3.
Autonomous System Path Attestation: why the AS signs a path attestation with not only its own part of the AS path in the path attestation, but also, the hop of the AS that is intended to receive the BGP route advertisement
prevents hijacking and modification of the AS path
Suppose that these next-hop ASes were not included in the path attestation. In that case we have a very nice, well-formed BGP route advertisement for prefix p with the AS path suffix 2 1, and we have each segment signed, so an attacker could in fact take such an announcement and advertise substrings of this route advertisement as their own. Thus an attacker, AS4, could claim that it was connected to prefix p via AS1 when in fact no such link existed, simply by stealing or replaying the path attestation 1 that’s signed by K1. But note that in reality AS1 never generates this signature. In fact it generates the signature over 2 1; in this case AS4 would somehow have to generate the signature over 4 1 signed by AS1’s private key, whereas if AS1 only signed a message with its own AS in it, such a segment or attestation could easily be replayed. There’s no way that AS4 could forge the path attestation for 4 1 signed by AS1’s private key, because it doesn’t own that private key and AS1 never generated a path attestation with this particular signed path. This is the reason that each AS signs a path attestation with not only its own AS on the AS path, but also the next AS along the path.
attacks that path attestations cannot defend against
If an AS fails to advertise a route or a route withdrawal, there is no way for the path attestation or BGPsec to prevent that kind of attack. Certain types of replay attacks, such as a premature re-advertisement of a withdrawn route, also cannot be defended against, and of course there is no way to actually guarantee that the data traffic travels along the advertised AS path, which is a significant weakness of BGP that is yet to be solved by any routing protocol.
DNS Security: vulnerability
To understand the threats and vulnerabilities of DNS, let’s take a look at the DNS architecture. We have a stub resolver which issues a query to a caching resolver. At this point, we could have a man in the middle attack, or an attacker which observes a query and forges a response. If a query goes further than the local caching resolver, say for example to an authoritative name server, an attacker could try to send a reply back to that caching resolver before the real reply comes back, to try to poison, or corrupt, the cache with bogus DNS records for a particular name. This attack is particularly virulent and we will look at a cache poisoning attack in this lecture. Masters and slaves can both be spoofed. Zone files could be corrupted. Updates to the dynamic update system could also be spoofed. We will look at some defenses to cache poisoning, including the 0x20 defense, as well as DNSSEC, which can protect against some of these spoofing and man in the middle attacks. In addition to these attacks, we’ll look at an attack called DNS reflection, where the DNS can be used to mount a large distributed denial of service attack.
Why is DNS Vulnerable
the resolvers that issue the DNS query trust the responses that are received after they send out a query regardless of where that response comes from. So sometimes these responses can be forged.
When a resolver sends out a query, it typically creates what’s called a race condition, and if the attacker replies before the legitimate responder, then the resolver is likely to believe the attacker. DNS responses can also contain additional DNS information that’s unrelated to the query.
The fundamental problem is that the basic DNS protocols have no means for authenticating responses. This allows an attacker to forge responses after a resolver sends a query.
A secondary reason that these types of spoofed replies are possible is that DNS queries are typically connectionless. Unlike BGP, where routing messages are transmitted over a reliable TCP connection, DNS queries are sent over connectionless UDP. Therefore, a resolver does not have a way of matching a response to the query that it sent other than the query ID, which can be forged by the attacker. Let’s look at how the combination of the lack of authentication and the connectionless nature of a DNS query allows the possibility of cache poisoning.
which aspects of DNS make it vulnerable to attack
the fact that the queries are sent over a connectionless channel and that there is no way to authenticate the query responses, makes the DNS vulnerable to various kinds of spoofing and cache poisoning attacks.
The fact that DNS names are human readable does not make the DNS inherently insecure. Nor does the fact that it’s distributed. There are certainly very well understood ways of securing distributed systems and that does not inherently make DNS insecure.
DNS Cache Poisoning from wikipedia
DNS spoofing, also referred to as DNS cache poisoning, is a form of computer hacking in which corrupt Domain Name System data is introduced into the DNS resolver’s cache, causing the name server to return an incorrect IP address. This results in traffic being diverted to the attacker’s computer (or any other computer).
DNS Cache Poisoning example
consider a network where a stub resolver issues a query to its recursive resolver, and the recursive resolver in turn sends that A record query to the start of authority for that domain. Now, in an ideal world, the authoritative name server for that domain would reply with the correct IP address.
If an attacker guesses that a recursive resolver might eventually need to issue a query for, say, www.google.com, the attacker can simply reply with multiple specially crafted replies, each with a different ID.
Although this query has some query ID, the attacker doesn’t need to see that query because the attacker can simply flood the recursive resolver with a bunch of bogus replies, and one of them, in this case the response with ID 3, will match.
As long as this bogus response reaches the recursive resolver before the legitimate response does, the recursive resolver will accept this bogus message.
And worse, it caches the bogus message.
DNS, unfortunately, has no way to expunge a message once it has been cached.
So now this recursive resolver will continue to send bogus A record responses for any query for this particular domain name until that entry expires from the cache.