Zhiyun Qian, Zhuoqing Morley Mao, University of Michigan, 33rd Security & Privacy (May 2012)


Outline
- Introduction
- Fundamentals of the TCP Sequence Number Inference Attack
- TCP Attack Analysis and Design
- Attack Implementation and Experimental Results
- Vulnerable Networks
- Discussion
2012/4/30, A Seminar at Advanced Defense Lab, slide 2

Introduction
- TCP was initially designed without many security considerations.
  - A connection is identified by its 4-tuple: local IP, local port, foreign IP, foreign port
- Off-path spoofing attacks

Off-Path Spoofing Attacks
- One of the critical patches is the randomization of TCP initial sequence numbers (ISN), RFC 6528.
- Firewall vendors soon realized that they can in fact perform sequence number checking at network-based firewalls and actively drop invalid packets even before they can reach end-hosts.

Fundamentals of the TCP Sequence Number Inference Attack
- Sequence-Number-Checking Firewalls

Sequence-Number-Checking Firewalls
- Window size: fixed at 64K x 2^N, where N is the window scaling factor carried in the SYN and SYN-ACK packets.
- Left-only or right-only window
- Window moving behavior
  - Window advancing
  - Window shifting

Threat Model
- On-site TCP injection/hijacking: unprivileged malware runs on the client with access to the network and to the list of active connections through a standard OS interface.
- Off-site TCP injection: only when the target connection is long-lived
- Establishing TCP connections using spoofed IPs

Obtaining Feedback – Side Channels
- OS packet counters
- IPIDs from responses of intermediate middleboxes: an attacker can craft packets with TTL values large enough to reach the firewall middlebox, but small enough that they terminate at an intermediate middlebox instead of the end-host, triggering TTL-expired messages.

Sequence Number Inference (figure slide)

Timing of Inference and Injection — TCP Hijacking
- For the TCP sequence number inference and subsequent data injection to be successful, a critical challenge is timing.
- To address the challenge, we design and implement a number of TCP hijacking attacks.

TCP Attack Analysis and Design
- Two base requirements for all attacks:
  - The ability to spoof the legitimate server's IP
  - A sequence-number-checking firewall deployed

Attack Requirements (table slide)

On-site TCP Hijacking
- Reset-the-server

On-site TCP Hijacking
- Preemptive-SYN Hijacking

On-site TCP Hijacking
- Hit-and-run Hijacking

Off-site TCP Injection/Hijacking
- URL phishing: an attacker can also acquire target four-tuples by luring a user to visit a malicious webpage that subsequently redirects the user to a legitimate target website. But it is not implemented in this paper.

Off-site TCP Injection/Hijacking
- Long-lived connection inference: an approach we discover is to send a single ICMP error message (e.g., network or port unreachable) to query a four-tuple.
  - It passes through the firewall and triggers a TTL-expired message.

Establish Spoofed Connections
- We found that there are many such unresponsive IPs in the nation-wide cellular network that we tested.

Attack Implementation and Experimental Results
- Client platform: Android 2.2, with TCP window scaling factors 2 and 4
  - Vendors: HTC, Samsung, and Motorola
- Network: an anonymized nation-wide carrier that widely deploys firewall middleboxes at the GGSN level

Side-channel
- /proc/net/snmp: InSegs, the number of incoming TCP packets received
- /proc/net/netstat: PAWSEstab, the number of packets received with an old timestamp
- IPID side-channel: the noise level is quite tolerable.
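The two Linux counters named on this slide are ordinary monitoring data, so a host-side defender can watch them for the same packet bursts the attacker relies on. The following is an added example for this transcript, not code from the paper or the authors: it parses the header/value line-pair layout of /proc/net/snmp and /proc/net/netstat, takes the difference between two snapshots, and flags counters whose per-second rate exceeds a threshold. The snapshots embedded below are constructed, and the thresholds are an assumption chosen for illustration, not figures from the slides.

```python
"""Parse the Linux /proc/net/snmp and /proc/net/netstat counter tables and
flag bursts in the two counters the slides name as side channels (InSegs,
PAWSEstab). Added example for this transcript, not code from the paper:
the snapshots below are constructed, and the per-second thresholds are an
assumption chosen for illustration, not values from the slides."""

def parse_proc_counters(text):
    """Return {group: {counter: value}} from the header/value line pairs that
    /proc/net/snmp and /proc/net/netstat use ("Tcp: A B" then "Tcp: 1 2")."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected header/value line pairs")
    tables = {}
    for header, values in zip(lines[0::2], lines[1::2]):
        hgroup, _, names = header.partition(":")
        vgroup, _, nums = values.partition(":")
        if hgroup != vgroup:
            raise ValueError(f"mismatched pair: {hgroup!r} vs {vgroup!r}")
        names, nums = names.split(), nums.split()
        if len(names) != len(nums):
            raise ValueError(f"{hgroup}: {len(names)} names, {len(nums)} values")
        tables[hgroup] = dict(zip(names, map(int, nums)))
    return tables

def counter_deltas(before, after, keys):
    """Per-counter increase between two snapshots for (group, counter) keys."""
    return {k: after[k[0]][k[1]] - before[k[0]][k[1]] for k in keys}

def flag_bursts(deltas, interval_s, thresholds_per_s):
    """Counters whose rate over the interval exceeds the assumed threshold."""
    return {k: d / interval_s for k, d in deltas.items()
            if d / interval_s > thresholds_per_s[k]}

# Constructed snapshots one second apart; the real files carry many more
# columns in exactly this layout.
SNMP_T0 = """\
Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 120000
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts
Tcp: 1 200 120000 -1 10 0 0 0 2 5000 4800 3 0 1
"""
SNMP_T1 = SNMP_T0.replace("2 5000 4800", "2 5400 4810")   # InSegs +400
NETSTAT_T0 = """\
TcpExt: SyncookiesSent SyncookiesRecv PAWSActive PAWSEstab DelayedACKs
TcpExt: 0 0 0 12 300
"""
NETSTAT_T1 = NETSTAT_T0.replace("0 12 300", "0 95 302")  # PAWSEstab +83

WATCHED = [("Tcp", "InSegs"), ("TcpExt", "PAWSEstab")]
# Assumed per-second thresholds for the demo; tune them to the host's baseline.
THRESHOLDS_PER_S = {("Tcp", "InSegs"): 1000, ("TcpExt", "PAWSEstab"): 20}

def check_constructed_snapshots(interval_s=1.0):
    """Run the delta/burst check over the constructed snapshots."""
    before = {**parse_proc_counters(SNMP_T0), **parse_proc_counters(NETSTAT_T0)}
    after = {**parse_proc_counters(SNMP_T1), **parse_proc_counters(NETSTAT_T1)}
    deltas = counter_deltas(before, after, WATCHED)
    return deltas, flag_bursts(deltas, interval_s, THRESHOLDS_PER_S)

def read_live():
    """Snapshot the real files on a Linux host (not used by the offline demo)."""
    with open("/proc/net/snmp") as f, open("/proc/net/netstat") as g:
        return {**parse_proc_counters(f.read()), **parse_proc_counters(g.read())}

if __name__ == "__main__":
    deltas, flagged = check_constructed_snapshots()
    print("deltas:", deltas)    # InSegs +400, PAWSEstab +83
    print("flagged:", flagged)  # only PAWSEstab exceeds its assumed threshold
```

PAWSEstab is the more useful signal of the two: a normal connection rarely sees packets with stale timestamps, so a sudden jump of tens per second on an otherwise quiet host stands out, whereas InSegs rises with any legitimate traffic and needs a per-host baseline before it is worth alerting on.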

Sequence Number Inference
- Assuming a cellular RTT of 200 ms
- 32 rounds for binary search (4G): about 10 s in practice
- N-way search
- Mixing all methods: it takes only about 4–5 seconds to complete the inference

On-site TCP Hijacking
- Android, m.facebook.com, and a PlanetLab server

Reset-the-server [Demo]
- We leverage requirement C4, which tells the attacker that the victim connection's ISN is at most 2^24 away from the ISN of the attacker-initiated connection.
- RST packets with any sequence number that falls in the receive window can terminate the connection (P. A. Watson, "Slipping in the Window: TCP Reset Attacks").

Reset-the-server
- The maximum number of required RSTs depends on server_init_window:
  - m.facebook.com: 4380, requires 7661 RSTs
  - twitter.com: 5840, requires 5746 RSTs
  - chase.com: (value not captured in the transcript)

Reset-the-server
- Bandwidth requirements: 327 Kbps ~ 12 Mbps

Hit-and-run
- Bandwidth requirements: WIN is 64K x 2^window_scaling_factor
- For the two OSes: 26 Mbps and 6.6 Mbps
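The figures on the slides about the firewall window (64K x 2^N), the inference rounds (32 for a binary search at a 200 ms RTT), the reset-the-server RST counts (7661 for a 4380-byte window, 5746 for 5840) and the hit-and-run window follow from a handful of relationships that are worth checking rather than taking on trust. The cost model below is an added example for this transcript, not code from the paper or the authors; it reproduces the slides' numbers from the stated inputs. The RST count uses the reading that requirement C4 bounds the ISN distance in either direction, so 2 x 2^24 sequence numbers must be covered one window at a time; the packet size and time budget passed to bandwidth_bps are assumptions of the example, not values from the slides.

```python
"""Cost model reproducing the attack-cost figures on the slides: rounds of an
ISN search, the RST count for reset-the-server, and the firewall window for a
given scaling factor. Added example for this transcript, not code from the
paper; the packet size and time budget used with bandwidth_bps are assumptions."""
import math

ISN_SPACE_BITS = 32           # TCP sequence numbers are 32-bit
ISN_DISTANCE_BOUND = 2 ** 24  # requirement C4 on the slides: |victim ISN - attacker ISN| <= 2^24

def isn_search_rounds(ways=2, space_bits=ISN_SPACE_BITS):
    """Rounds needed to narrow a 2^space_bits space with a ways-way search;
    binary search (ways=2) takes 32 rounds, as the slides state."""
    return math.ceil(space_bits / math.log2(ways))

def inference_time_s(rounds, rtt_s=0.2):
    """Lower bound on wall-clock time when every round costs one RTT
    (the slides assume a 200 ms cellular RTT)."""
    return rounds * rtt_s

def max_resets(server_init_window, bound=ISN_DISTANCE_BOUND):
    """Maximum RSTs needed so that one is guaranteed to fall inside the
    server's receive window: the ISN may be up to `bound` away in either
    direction, so 2*bound sequence numbers are covered one window per RST."""
    return math.ceil(2 * bound / server_init_window)

def firewall_window(scaling_factor):
    """Size in bytes of the fixed firewall window on the slides: 64K x 2^N."""
    return 64 * 1024 * (2 ** scaling_factor)

def bandwidth_bps(packets, bytes_per_packet, seconds):
    """Bit rate needed to send `packets` of `bytes_per_packet` within `seconds`."""
    return packets * bytes_per_packet * 8 / seconds

if __name__ == "__main__":
    for ways in (2, 4, 16):
        r = isn_search_rounds(ways)
        print(f"{ways}-way search: {r} rounds, >= {inference_time_s(r):.1f} s at 200 ms RTT")
    for host, win in (("m.facebook.com", 4380), ("twitter.com", 5840)):
        print(f"{host}: window {win} -> at most {max_resets(win)} RSTs")
    for n in (2, 4):
        print(f"scaling factor {n}: firewall window {firewall_window(n)} bytes")
    # Assumed 40-byte RST packets within a 10 s budget, purely for illustration.
    print(f"{max_resets(4380)} RSTs in 10 s at 40 bytes: {bandwidth_bps(max_resets(4380), 40, 10.0):.0f} bps")
```

The model makes the defensive lever visible: the RST count scales inversely with the server's initial window, and the search-round count depends on how much the firewall's accept/drop behaviour narrows the space per probe, which is the point taken up under "Firewall design" in the discussion.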

On-site TCP Hijacking (figure slide)

Off-site TCP Injection
- URL phishing: not implemented, because NAT is deployed.
- Long-lived connection inference: a particular push server IP and port 5228; about 7.8% of the IPs have a connection with the server.

Establish Spoofed Connections
- Find unresponsive IPs: we send a SYN packet with a spoofed IP from the attack phone inside the cellular network to our attack server, which responds with a legitimate SYN-ACK. 80% of the IPs are unresponsive.
- We can make about 0.6 successful connections per second on average, with a more than 90% success rate.

Vulnerable Networks
- We deployed a mobile application (referred to as MobileApp) on the Android market.
- The data were collected between Apr 25th, 2011 and Oct 17th, 2011 from 149 uniquely identified carriers.

Firewall Implementation Types
- Overall, out of the 149 carriers, we found 47 carriers (31.5%) that deploy sequence-number-checking firewalls.

Intermediate Hop Feedback
- 24 carriers have responsive intermediate hops that reply with TTL-expired ICMP packets.
- 8 carriers have NATs that allow single-ICMP-packet probing to infer active four-tuples.

Discussion
- Firewall design
- Side-channels
- HTTPS-only world
