Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.

Published byDwayne Lloyd Modified over 8 years ago

Similar presentations

Presentation on theme: "Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing."— Presentation transcript:

1 Internet infrastructure 1

2 Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing  Partial expectations – “good” route (not through malicious nodes), confidentiality, integrity  Implied expectations: temporary data, blending with the crowd r Unreliable endpoints or routes facilitate attacks on confidentiality and integrity  Routes through malicious nodes = MITM 2

3 Some Infrastructure Features r Networks  LAN  AS (ISP network)  Inter AS connections, r Routers r Application level servers (e.g. web, mail,…) r Protocols  ARP  DNS  Routing protocols 3

4 ARP 4

5 r Resolves IP address to link-layer address r Simple request-reply protocol r Packet includes MAC and IP addresses for sender and target. r If target MAC is unknown send request for target IP and broadcast MAC (all 0xF) r Response includes MAC address r Requester stores MAC-IP mapping in ARP table r Any node in LAN requires at least one ARP request to connect to Internet 5

6 ARP Spoofing / Poisoning r ARP is stateless – requests are not connected too replies in a session r Implementations update ARP tables in response to ARP replies (even if entries are still valid) r ARP spoofing – send ARP reply with attacker’s MAC and spoofed (usually gateway) IP r Result – poisoned ARP tables r Legitimate use – force registration to receive full network access, e.g. in hotels 6

7 Countermeasures r Static ARP tables r Update ARP entries only after timeout r Update ARP entries only after sending request (Linux) r Check unusual ARP behavior, e.g. large number of packets r Upgrade to protocol with cryptographic protection (SEND is a secure version of NDP over IPv6)  Example of IPsec problem – chicken and egg with IP addresses in IKE 7

8 Attack on Behavior Analysis* r Assume node disregards “abnormal” ARP activity, e.g.  If MAC x sends many ARP replies with IP y then node assumes that MAC x is not IP y r Attack:  Attacker spoofs gateway MAC (in Ethernet and ARP headers)  Attacker mimics “bad” behavior for gateway  Node disregards gateway  Attacker sends single reply with its own MAC and gateway IP 8

9 DNS 9

10 DNS Architecture r Objective – map name to IP address r Domain – e.g. *.bgu.ac.il. *cse.bgu.ac.il could be a sub-domain or separate domain r DNS client (resolver) r Records: A (IP address), NS (name server), MX (mail server) etc. r Name server –  Authoritative  Recursive r Hierarchy 10

11 Server Hierarchy r 13 root name servers  Named by letters A,…,M  Responsible for root domain (empty string) r Name limited by 512 byte size of DNS packet over UDP without fragmentation r All root servers are clusters r Some are geographically distributed by anycast r Top Level Domain Servers  20 GTLD (global/generic) – e.g. responsible for.net,.com etc.  ~250 Country code TLD 11

12 DNS Query r Triggered by application r Local DNS server may  Be authoritative  Cache recently seen record  Send query to root name server r Queries follow recursive path to authoritative name server r Answered queries populate cache. r Each entry in cache has TTL (set by administrator) 12

13 Cache Poisoning and Defenses r Cache poisoning – fill name server’s cache with mapping of domains to attacker’s IP r Defense:  Response destination port matches request source port  Response Question ID (QID), 16 bits, must match  Bailiwick checking – response is for lower domain in hierarchy, NS for ac.il not accepted for bank.co.il r Weaknesses in “old” implementations – QID incremented by 1 for each query, source port does not change, bad replies are simply dropped 13

14 DNS poisoning r Attacker sets up name server for attacker domain. r Attacker gets target name server to send DNS request to its own server learning QID  Directly  Open web page and users will ask for it r Attacker sends query through target name server for some domain, e.g. bank.co.il r Attacker floods name server with forged replies, guessing source port and QID. r If attacker reply arrives before real reply, the cache is poisoned. 14

15 Countermeasures r Randomize QID r Refresh source port  Will have negative impact on performance r Monitor for flood situation  Will have negative impact on performance 15

16 Kaminsky Attack (2008) r Send request for name that doesn’t exist in a real domain r Send flood of forged replies as in previous attacks r Each reply forges name server of domain r Set very long TTL r Same idea could work for GTLD servers (i.e..com) but not for root servers r Mitigation – randomize source port, currently Windows has 2500 source ports for DNS – 2500*2 16 possibilities 16

17 DNSSEC r Objectives for DNS traffic  Origin authentication  Integrity protection  Authenticated denial of existence r Method: PKI with certificate for every DNS server anchored (root CA) by root DNS. r PKI is chain of:  DNSKEY – public keys for signature verification  DS – Delegation Signer, includes hash of keys  Parent DNSKEY signs DS. Each DS includes hashes of public keys used for self signing the child DNSKEY and for signing zone data 17

18 DNSSEC (cont.) r DNSKEY often includes  ZSK – Zone Signing Keys – validating zone data  KSK – Key Signing Keys – Validating other keys r Resolver is configured with root public key  May be configured with additional anchors r Resolver uses DNS to collect DNSKEY and DS records from root to key signing the requested zone r Zone data is signed in RRSIG records 18

19 Denial of existence r Attackers goal:  Spoof “does not exist” r To solve problem, DNS servers that comply with DNSSEC store NSEC records  Names appear in canonical form  NSEC - signed “next existing” name  Result: signed ranges of non-existent names r Query for name that doesn’t exist is answered with signed range that “covers” this name 19

20 Zone Enumeration in DNSSEC r Zone enumeration – obtain all addresses in domain  Creators of DNSSEC did not consider this to be a threat  Most organizations consider this secret r Attacker enumerates zone by  Querying random name  Receiving range  Deducing that names in range bounds exist  Iterating 20

21 Mitigation of Zone Enumeration r Online approach (currently RFC 4470)  Name server signs “does not exist” online  Name server constructs small (and ever-decreasing range to sign) r NSEC3 approach (currently RFC 5155)  Same idea as NSEC, but use hashed name (cryptographic hash) instead of name  Range does not reveal names r Common names may still be found by dictionary attack  NSEC3 uses several hash functions with a counter on the number of iterated uses of the hash, increasing attacker dictionaries. 21

22 DoS Attacks r October 2002  One hour  All 13 root name servers simultaneously  About 900 Mbps total  ICMP flood, SYN flood, fragment flood  No server crashed, some queries were lost r February 2007  24 hours  4 root servers, 3.info servers  Botnet of ~5000 hosts mostly in Korea  Flood of DNS queries  Two name servers lost up to 90% of the queries 22

23 BGP 23

24 Border Gateway Protocol r One of the standard suite of Internet routing protocols r Is the most common inter-domain routing protocol  Connects different AS, often different service providers  Tens of thousand of different AS r Attackers want to break integrity  MITM  Block access to sites  Use rare IP addresses for e.g. spam r Several prominent incidents led to outage or redirection of large part of Internet 24

25 IP blocks and AS numbers 25

26 BGP route advertisements 26

27 False route 27

28 More specific route 28

29 Additional problems r Manipulation of BGP attributes  Prepending – adding the same AS multiple times to a route, causing it to be longer r BGP runs over TCP – vulnerable to various TCP issues r Solutions – deployed solutions include route filtering and route registries, nothing strong 29

Download ppt "Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing."

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.

Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
An Engineering Approach to Computer Networking

An Engineering Approach to Computer Networking
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
ITIS 6167/8167: Network and Information Security Weichao Wang.

ITIS 6167/8167: Network and Information Security Weichao Wang.
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Network Layer4-1 NAT: Network Address Translation 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 138.76.29.7 local network (e.g., home network) 10.0.0/24 rest of.

Network Layer4-1 NAT: Network Address Translation local network (e.g., home network) /24 rest of.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Similar presentations

Ads by Google