Network security BGP and DNS Worms.

Slides:



Advertisements
Similar presentations
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
Advertisements

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 13: Troubleshoot TCP/IP.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Chapter 8 Administering TCP/IP.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Domain Name System Security Extensions (DNSSEC) Hackers 2.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Troubleshooting Your Network Networking for Home and Small Businesses.
Name Resolution Domain Name System.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.
Issues in Internet Security. Securing the Internet How does the internet hold up security-wise? How does the internet hold up security-wise? Not well:
IIT Indore © Neminath Hubballi
Lecture 8 Page 1 Advanced Network Security Review of Networking Basics: Internet Architecture, Routing, and Naming Advanced Network Security Peter Reiher.
Network security Further protocols and issues. Protocols: recap There are a few main protocols that govern the internet: – Internet Protocol: IP – Transmission.
Objectives: Chapter 5: Network/Internet Layer  How Networks are connected Network/Internet Layer Routed Protocols Routing Protocols Autonomous Systems.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.
Lecture 27 Page 1 Advanced Network Security Routing Security Advanced Network Security Peter Reiher August, 2014.
BGP Man in the Middle Attack Jason Froehlich December 10, 2008.
Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
Routing in the Inernet Outcomes: –What are routing protocols used for Intra-ASs Routing in the Internet? –The Working Principle of RIP and OSPF –What is.
Lecture 17 Page 1 CS 236 Online Onion Routing Meant to handle issue of people knowing who you’re talking to Basic idea is to conceal sources and destinations.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
1 Border Gateway Protocol (BGP) and BGP Security Jeff Gribschaw Sai Thwin ECE 4112 Final Project April 28, 2005.
Role of Router. The Router as a Perimeter Device  Usually the main function of a router is considered as the forwarding of packets between two network.
Role Of Network IDS in Network Perimeter Defense.
Inter-domain Routing Outline Border Gateway Protocol.
Networking (Cont’d). Congestion Control l Is achieved by informing nodes along a route that congestion has occurred and asking them to reduce their packet.
K. Salah1 Security Protocols in the Internet IPSec.
Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Lecture 19 Page 1 CS 236 Online Privacy Privacy vs. security? Data privacy issues Network privacy issues Some privacy solutions.
Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.
Day 13 Intro to MANs and WANs. MANs Cover a larger distance than LANs –Typically multiple buildings, office park Usually in the shape of a ring –Typically.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
Ch. 23, 25 Q and A (NAT and UDP) Victor Norman IS333 Spring 2015.
Network Devices and Firewalls Lesson 14. It applies to our class…
Lecture 18 Page 1 CS 236 Online Advanced Research Issues In Security: Securing Key Internet Technologies CS 236 On-Line MS Program Networks and Systems.
Outline Routing security DNS security. Securing Key Internet Technologies Computer Security Peter Reiher March 14, 2017.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNS Security Advanced Network Security Peter Reiher August, 2014
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNS security.
The Issue We all depend on the Internet
Privacy Privacy vs. security? Data privacy issues
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Outline The spoofing problem Approaches to handle spoofing
Presentation transcript:

Network security BGP and DNS Worms

BGP: Border Gateway Protocol Designed in 1989 as a way for autonomous systems (AS) – usually routers - to exchange routing info Sometimes external versus internal is distinguished BGP neighbors (or peers) are established manually between routers – TCP on port 179 A 19-byte message is sent every 30 seconds to maintain the connection

How BGP works An AS notifies everyone else what networks belong to it, and how to direct traffic correctly Based on netblocks: 192.169.0.0/24: all addresses between 192.169.0.0 and 192.169.0.255 192.169.4.0/22: all addresses between 192.169.4.0 and 192.169.7.255 If an AS is responsible for a netblock, it advertises this to neighbors If an AS is willing to provide transit for another AS, it advertises this as well If an AS sees multiple advertisements, it tries to choose the most specific or “shortest path”

Setup for BGP An example:

BGP Blackhole attack First, get labeled as an AS peer by someone Not too hard Then advertise a more specific route: Example: If your victim is 192.169.2.34 in a /16 netblock, advertise a route for 192.169.2.0/24 Your route will take precedence Even if there is a tie, you can still capture or deny traffic for Ass closer to you than your victim, since BGP defaults to shorter path

BGP Blackhole attacks These actually happen! (Rather often…)

Fixing it Resolution of these hacks isn’t easy Human mediated detection and response: Find the upstream point of the bad AS and get them to stop accepting this route along the way. All ASs must trust neighbors, which trust their neighbors, etc – so only takes one malicious AS to break it. In other words, trust in this system is transitive and global, and any such system can be hacked!

Blackhole purposes One bright side – this only allows denial of service, not compromise of system Generally doesn’t last long either, since people notice when their traffic drops RouteViews or similar tools can help find offenders However, can happen by a screwup rather than by malice

Using blackhole for man-in-the-middle The Polokov Attack (performed live at DEFCON 2008): Have two connections to the internet – one with full peering connection (the attack link) and one that doesn’t filter packets by IP address (the return link) Through the return link, perform a traceroute to victim’s network, and compute the AS path for this route (the return path) Through the attack link, advertise your victim’s network (as a blackhole), but prepend the return AS path Result: all BUT the return AS path will direct traffic to you! Then modify the packets, so when one is going to the victim, increment the TTL field and forward it through the return link

General countermeasures for Blackhole attacks Monitor (via routeview services that are easy to get) remote BGP feeds If your network isn’t behaving, alert someone! Small community, so usually easy However, not instantaneous fix A lot of work has focused on cryptographic authentication to verify ownership Problem: BGP thrives on flexibility Another: Routers aren’t flexible, and crypto overhead isn’t negligible

DNS The Domain Name System (DNS) is the distributed system for mapping user friendly domain names (such as google.com or mathcs.slu.edu) to the correct IP addresses. It is hierarchical: Authoritative name servers “own” a domain These govern which servers “own” subdomains Invented in 1983 by Paul Mockapetris; prior to this every computer simply had a file called hosts.txt that stored all computers on the ARPANET.

How it works:

More DNS details DNS is generally udp based (so not terribly reliable). To reduce the load on the system, records are cached for some period of time; this is generally a small amount of time, but the protocol supports up to 68 years. The OS of any computer runs a DNS resolvers that applications hand requests to. In addition, home users are relying on ISPs setting up a DNS server to track their current IP. Things can be even more complex; some applications (such as web browsers) even keep their own DNS cache.

DNS details (cont.) Hostnames and IPs don’t necessarily match 1-1. For example, often set up a domain name with multiple IPs in order to distribute traffic load. Also used for email delivery. Multiple servers are generally provided for each domain to deal with any failures in the system. Variants such as dynamic DNS (DDNS) allow for rapid update by the hosts (such as for mobile systems).

Root servers At the top level, there are 13 root servers (A-M) somewhere in the world, with additional scattered backups.

DNS resource records The data structure that holds the information is called a resource record (often abbreviated RR). Contains:

DNS and security DNS lookups are inherently not secret or secure. Nothing guarantees information integrity in this system. This is a problem – the internet depends on this process working correctly! Obvious availability issues, since these servers going down would disrupt service worldwide. The server or client could be a threat, since nothing is authenticated in this system.

DNS lookup problems What can really go wrong? A DNS answer (coming from a server) could be spoofed by a malicious user. Relatively easy – it’s UDP, remember? Combine with injection attack – send request so server will check, and at the same time flood with your own answer. A DNS server could actually send false data. DNS databases could be corrupted.

How likely? Important names (ie TLD: .gov, .com, etc.) generally have a long TTL field. Attacks can only be attempted once per TTL, so how likely? An attacker can send 1000 packets in an attempt. Odds of success are 1 – (1-2-16)1000 ~ 1.5% (Not that comforting, actually…)

One defense: increase entropy Instead of always using the same UDP source port, select a random one. Now attacker has to guess both transaction ID and the source port, so 1 in 230 instead of 1 in 216 per packet. Also, DNS is case insensitive, but almost all authorities preserve case (lazy programming) So randomly apply a capitalization

DNSSec: one solution The basic concept of DNSSEC is simple – all transactions are “signed” so that you know the correct source is giving you the data. Two options: The server responding can “sign” Or the server that owns the namespace can “sign” DNSSEC has the server that owns the namespace sign the authenticity of any RR’s giving an address. Note: not a privacy solution!

Practical implications to DNSSEC Each DNS database must store signatures for RR’s. Essentially adds several portions to the RR’s, including DNSKEY, RRSIG, etc. The records have gotten much longer as a result. ICANN (which manages DNS) signs for itself and top level domains. Each top level domain signs for domains under it. And so on down.

An example Consider mathcs.slu.edu (or 165.134.234.6). Who signs this translation? The SLU DNS server And how can we be sure that that is the correct server to sign? Because the EDU server verifies the SLU server’s signature Each level leads one step closer to top level ICANN server, and this information lives in DNS databases. Ideally, every query will begin at the top, so entire chain is authenticated.

Some problems To use DNSSEC, it must be supported by the DNS server above you (as well as all the others above that). If no RRSIG comes back in the RR, it could be an error. Or a man-in-the-middle attack. Or a configuration problem along the way. To be secure, need to check all signatures yourself, but also can have trusted authority check them (and to have secure communication between yourself and authority).

Non-existent records How can we get a signed record for EVERY possible non-existent name out there, to be sure they actually don’t exist? Solution: Names are alphabetically ordered. Between any two names, a bunch don’t exist, so we can sign this range of names. When someone looks up one of these names, we give them a range signature.

For Example > host last.cs.ucla.edu lasr.cs.ucla.edu 131.179.192.136 You get authoritative information that the name isn’t assigned lbsr.cs.ucla.edu – pd.cs.ucla.edu NOT ASSIGNED pelican.cs.ucla.edu 131.179.128.17 131.179.128.16 toucan.cs.ucla.edu pelican.cs.ucla.edu 131.179.128.17 131.179.128.16 toucan.cs.ucla.edu Foils spoofing attacks > host last.cs.ucla.edu

DNSSEC status Implementations of DNSSEC are in use, and are heavily promoted (first by DARPA and now by DHS). ICANN has signed the root, and all the major nodes are done (.com, .gov, .edu, .org, .net) NOT all signed below, however, and many “island of security” exist in DNS. These sign for themselves and anyone below. The utility of DNSSEC ultimately depends on the clients actually checking signatures.

Using DNSSEC Unfortunately, installing and managing DNSSEC is also fairly difficult. Particularly hard for domains with lots of things to support, since every new name required lots of new things to sign. In practice, many things sign certificates for lengthy amounts of time (days or months), which makes hijacking after an update much easier, also.

Privacy Obviously, DNSSEC does nothing to keep communication secret. DNS is inherently public! Encryption is the core of how we keep communication secret. So what else should we worry about? Traffic analysis: Sometimes, the goal is to hide that we are even talking to each other. This can be deduced even if our data is encrypted, since routing is a public process.

Location Privacy In addition to knowledge of communication, location information is given away by packet data. IP addresses often give away a lot of information about where you are. Mobile devices communicate while you are on the move! Can be used to get information on our movement and actions, often without our knowledge. What types of solutions are possible today, given our internet infrastructure?

Anonymizer Network sites that accept requests from outsiders. Problem: They submit these requests under their own or a fake identity. Responses are returned to the original requester. In fact, a NAT box is a simple version of this! Problem: The anonymizer knows your identity. Generally, should not assume this is a reliable source of anonymity, since can be tricked, hacked, or compelled into giving up information.

Onion Routing Meant to conceal sources and destinations in all traffic. A group of nodes agree to be onion routers. The users obtain cryptographic keys for those nodes. Each packet goes through many hops. Many users send many packets through the routers, which conceals who is really talking to whom. Setup for a packet: Encrypt the packet with the destination’s key. Wrap that with another packet to another router, encrypted with that router’s key. Iterate this many times.

A picture: Source Destination Onion routers

What’s Really in the Packet

Delivering the Message

What do we get? Assuming it all went right: Nobody could read our data. Nobody is sure who sent it (except the receiver). Nobody is sure who received it (except the sender).

Onion routing issues Using keys properly Traffic analysis is still possible Overhead is a problem Multiple hops Multiple encryptions Limited anti-government possibilities. (In particular, China has a history of disabling these.) Ethical implications, also. This makes running botnets much easier.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.