
KAIST Yongdae Kim.  Full Professor at EE, KAIST (2012. 9 ~)  Affiliated with CSRC and GIST  Formerly at the Univ. of Minnesota (2002 ~ 2012)  Contact.


1 KAIST Yongdae Kim

2  Full Professor at EE, KAIST (2012. 9 ~)
 Affiliated with CSRC and GIST
 Formerly at the Univ. of Minnesota (2002 ~ 2012)
 Contact Information
 http://syssec.kaist.ac.kr/~yongdaek
 yongdaek@gmail.com
 Facebook: https://www.facebook.com/y0ngdaek
 Twitter: https://twitter.com/yongdaek

3  Full Professor at EE, KAIST (2012. 9 ~)
 Affiliated with CSRC and GIST
 20 year career in security research
 Applied Cryptography, Group key agreement, Storage, P2P, Mobile/Sensor/Ad-hoc/Cellular Networks, Social networks, Internet, Anonymity, Censorship
 Published about 70 papers (3,000 Google Scholar citations)
 NSF CAREER and U of M McKnight Land-Grant Award
 10 PhD, 9 MS, 15 BS advised
Career timeline (figure): ETRI 1993, USC 1998, UMN Assistant 2002, UMN Associate (tenure) 2008, KAIST 2012

4  Data Plane: Actual data delivery
 Control Plane
 To support data delivery (efficiently, reliably, etc.)
 Routing information exchange
 In some sense, every protocol except data delivery is considered a control plane protocol
 Example networks
 Peer-to-peer network, Cellular network, Internet, …

5 Botnets (Creation, Name, # of Bots, Spam, Control)
Creation  Name       # of Bots    Spam         Control
2004      Bagle      230K         5.7 B/day    Centralized
2007      Storm      > 1,000K     3 B/day      P2P
2008      Mariposa   12,000K      ?            Centralized
2008      Waledac    80K          ?            Centralized
2008      Conficker  > 10,000K    10 B/day     Ctrlzd/P2P
2009?     Mega-D     4,500K       10 B/day     Centralized
2009?     Zeus       > 3,600K     ?            ?
2009      BredoLab   30,000K      3.6 B/day    Centralized
2010      TDL4       4,500K       ?            P2P

6  1997: AS7007
 Claimed shortest path to the whole Internet
 Causing an Internet black hole
 2004: TTNet (AS9121)
 Claimed shortest path to the whole Internet
 Lasted for several hours
 2006: AS27056
 "stole" several important prefixes on the Internet
 From Martha Stewart Living to The New York Daily News
 2008: Pakistan YouTube
 Pakistan decided to block YouTube
 One ISP advertised a small part of YouTube's (AS 36561) network
 2010: China
 15% of whole Internet traffic was routed through China for 18 minutes
 including .mil and .gov domains
 2011: China
 All traffic from US iPhones to Facebook
 routed through China and Korea
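The incidents above share one mechanism: an AS announces a prefix (or a more-specific part of it, as in the YouTube case) that it does not legitimately originate, and neighbours accept it because BGP carries no origin proof. The following is an added example, not from the talk or the paper it describes, of the kind of route origin validation that "BGPSEC or similar technologies" rely on: a constructed table of authorized (prefix, max-length, origin AS) records, checked against constructed announcements. Prefixes and AS numbers are documentation/private-use values, not real ones.

```python
import ipaddress

# Constructed authorization table: (prefix, max_length, origin_asn).
# Modelled on RPKI ROAs: the origin may announce the prefix or any
# more-specific prefix down to max_length, nothing else.
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64496),
]

# Constructed announcements as (prefix, AS path); the origin AS is the last hop.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64500]),          # the legitimate origin
    ("203.0.113.0/25", [64500]),          # right origin, but more specific than allowed
    ("198.51.100.0/22", [64510, 64496]),  # legitimate origin reached via a transit AS
    ("198.51.100.0/24", [64511]),         # more-specific announced by a different AS
    ("192.0.2.0/24", [64512]),            # nothing authorizes or forbids this prefix
]


def validate_origin(prefix, origin_asn, roas):
    """Classify one announcement as 'valid', 'invalid' or 'not_found'.

    'valid'     : some record covers the prefix with the right origin and length.
    'invalid'   : records cover the prefix but none match (wrong origin or too specific).
    'not_found' : no record covers the prefix at all; policy decides what to do.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not_found"


def classify(announcements, roas):
    """Return [(prefix, state)] for every announcement."""
    return [(prefix, validate_origin(prefix, path[-1], roas))
            for prefix, path in announcements]


if __name__ == "__main__":
    for prefix, state in classify(ANNOUNCEMENTS, ROAS):
        print(f"{prefix:20} {state}")
```

A router that drops or deprefers "invalid" routes would have ignored the more-specific YouTube announcement; "not_found" is the common case for prefixes without a record, so operators cannot treat it as a rejection. Origin validation does not check the rest of the AS path, which is what the path-signing part of BGPSEC addresses.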

7  300 Gbps DDoS against Spamhaus from Stophaus
 Mitigation by CloudFlare using anycast
 Stophaus turned its targets to IXs (Internet Exchanges)
 Korea – World IX Bandwidth
 KT: 560 Gbps, SKB: 235 Gbps, LGU+: 145 Gbps, SKT: 100 Gbps
 Total: 1 Tbps

8 Max Schuchard, Eugene Vasserman, Abedelaziz Mohaisen, Denis Foo Kune, Nicholas Hopper, Yongdae Kim

9 Losing Control of the Internet: Using the Data Plane to Attack the Control Plane – Network and Distributed System Security (NDSS) 2011
Media coverage:
His thesis: How to crash the Internet – Star Tribune
The cyberweapon that could take down the internet – New Scientist
Boffins devise 'cyberweapon' to take down internet – The Register
Prof. Says New Cyberweapon Could Take Down the Internet – CBS
How to crash the Internet – ZDNet

10  Attack on the Internet's control plane
 Overwhelm routers with BGP updates
 Launched using only a botnet
 Defenses are non-trivial
 Different from DDoS on web servers

11 ^ No router compromise or misconfiguration
 BGPSEC or similar technologies
^ Our attack model: Unprivileged adversary
 can generate only data plane events
 does not control any BGP speakers
 botnet of a reasonable size
 50, 100, 250, 500k nodes

12 Can we shut down the Internet using only data plane events? How many control plane events can be generated by data plane events caused by a coordinated set of compromised computers?

13  AS (Autonomous System)
 Core AS: high degree of connectivity
 Fringe AS: very low degree of connectivity, sitting at the outskirts of the Internet
 Transit AS: core ASes, which agree to forward traffic to and from other ASes
 BGP (Border Gateway Protocol)
 the de facto standard routing protocol spoken by routers connecting different ASes
 BGP is a path vector routing algorithm, allowing routers to maintain a table of AS paths to every destination
 uses policies to prefer certain AS paths over others

14 Figure: A originates 1.0.0.0/8 and advertises DST: 1.0.0.0/8 Path: A; B and C advertise Path: B, A and Path: C, A; D advertises Path: D, B, A and E advertises Path: E, C, A (ASes A, B, C, D, E)

15 Figure: all paths to 1.0.0.0/8 known in the topology A, B, C, D, E: Path: B, A; Path: C, A; Path: D, B, A; Path: E, B, A; Path: B, C, A; Path: D, C, A; Path: E, C, A
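To make the figures concrete, here is an added example (not from the talk or the NDSS paper) of a toy path-vector model over a constructed five-AS topology like the one on the slides. Each AS keeps one best AS path to the prefix, advertises it to its neighbours, and drops any path that already contains its own AS number (BGP's loop prevention). Counting UPDATE messages while one link goes down and comes back shows the point of the following slides: a single failing link causes control-plane work at ASes far from the link, and a link that flaps repeatedly does so on every cycle. The topology, tie-breaking rule and message accounting are assumptions of this example.

```python
"""Toy path-vector (BGP-style) convergence model. Added example; the
topology is constructed and the counting rules are simplifications."""

# Constructed undirected topology loosely following the five-AS figure.
LINKS = frozenset({("A", "B"), ("A", "C"), ("B", "C"), ("B", "D"),
                   ("B", "E"), ("C", "D"), ("C", "E")})


def neighbours(links):
    """Adjacency map built from an undirected link set."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def converge(links, origin, rib=None, max_rounds=100):
    """Run synchronous path-vector rounds until no AS changes its best path.

    rib maps AS -> best AS path as a tuple ending at `origin`, or None when
    the prefix is unreachable. Returns (rib, update_messages): an AS whose
    best path changes sends one UPDATE (announce or withdraw) to each of
    its current neighbours.
    """
    adj = neighbours(links)
    prev = rib or {}
    rib = {n: prev.get(n) for n in adj}
    updates = 0
    for _ in range(max_rounds):
        new_rib = {}
        for n in adj:
            if n == origin:
                new_rib[n] = (origin,)  # the originator always has the prefix
                continue
            # Accept a neighbour's path only if we are not already on it.
            candidates = [(n,) + rib[m] for m in adj[n]
                          if rib[m] is not None and n not in rib[m]]
            # Shortest AS path wins; ties broken by lexicographic order.
            new_rib[n] = (min(candidates, key=lambda p: (len(p), p))
                          if candidates else None)
        changed = [n for n in adj if new_rib[n] != rib[n]]
        rib = new_rib
        if not changed:
            return rib, updates
        updates += sum(len(adj[n]) for n in changed)
    raise RuntimeError("path-vector model did not converge")


def flap_cost(links, link, origin, cycles=3):
    """Total UPDATEs generated by taking `link` down and up `cycles` times."""
    rib, _ = converge(links, origin)
    total = 0
    for _ in range(cycles):
        rib, n_down = converge(links - {link}, origin, rib)
        rib, n_up = converge(links, origin, rib)
        total += n_down + n_up
    return total


if __name__ == "__main__":
    rib, n = converge(LINKS, "A")
    print("initial convergence:", n, "UPDATEs", rib)
    rib, n = converge(LINKS - {("A", "B")}, "A", rib)
    print("after A-B goes down:", n, "UPDATEs", rib)
    print("three down/up cycles of A-B:",
          flap_cost(LINKS, ("A", "B"), "A"), "UPDATEs")
```

In this topology the loss of A–B makes D and E change their paths even though neither is adjacent to the failed link, and every down/up cycle repeats the same cost. Route flap damping on the receiving routers is the standard counter to repeated flaps of one link; it does not help against many different links flapping once each, which is why the slides call the defenses non-trivial.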


17 Figure: ASes B, C, D, E exchanging an UPDATE after a link change. How does the attacker pick links? How does the attacker direct traffic?

18 Figure: paths known at each AS: A {AB, AC, ABE, ABD}, B {BA, BC, BD, BE}, C {CA, CB, CD, CE}, D {DB, DBA, DBAC, DBE}, E {EB, EBA, EBAC, EBD}; per-link path counts 8 7 7 2 4 1 1; link C–B highlighted

19 Figure: same path sets and per-link path counts (8 7 7 2 4 1 1) as slide 18

20 A B C D E Spread attack flows!

21 A B C

22 A B C One Target per Attack Flow!

23  Simulator to model network dynamics
 Topology generated from the Internet
 Routers are fully functional BGP speakers
 Bot distribution from Waledac
 Bandwidth model is worst case for the attacker

24 Targeted link: any link selected for disruption
Last mile links: un-targeted links that connect fringe ASes to the rest of the network
Transit link: any link that does not fit the other two


28  Adversarial route flapping on an Internet scale
 Implemented using only a modest botnet
 Defenses are non-trivial, but incrementally deployable

29 ^ Cascaded failure
 Router failure modeling
^ Attacks using remote compromised routers
 Targeted Attack: Internet Kill Switch
^ Router Design for the Future Internet
 Software router?

30  Routers placed in certain states fail to provide the functionality they should.
 Unexpected but perfectly legal BGP messages can place routers into those states.
 Any assumptions about the likelihood of encountering these messages do not apply under adversarial conditions.
Peer Pressure: Exerting Malicious Influence on Routers at a Distance, Max Schuchard, Christopher Thompson, Nicholas Hopper and Yongdae Kim, ICDCS 2013

31  How many BGP updates are needed to consume 1 GB of memory? About 2,000,000 BGP updates are needed for this attack to succeed.

32  With distinct, long AS paths and community attributes, 300,000 BGP updates are enough for this attack.

33  Hash collisions make the router spend more processing time.


36  Man-in-the-middle between the MS and BTS
 Eavesdropping device used for interception
 Tracking of cellular phones
 Undetectable for the users of mobile phones
 GSM uses one-way authentication
 UMTS uses mutual authentication, but is backward compatible with GSM
 Manufacturers
 Meganet, NeoSoft, Shoghi, Proximus
 Chris Paget built a custom one for $1,500.
 Detection of IMSI catchers?
 2011: Karsten Nohl, Catcher Catcher!

37  Dec. 2010: Karsten Nohl at CCC
 $15 phone and open-source software
 OsmocomBB
 Free/Open Source GSM baseband software implementation
 Replaces the need for proprietary GSM baseband software
  ▪ drivers for the GSM analog and digital baseband peripherals
  ▪ the GSM phone-side protocol stack, from layer 1 up to layer 3
 2009: GSM A5/1 encryption can be decrypted
 How about 3G and LTE?
 Debugger for the Qualcomm baseband chip MSM6280
 CDMA long code?

38  Location Privacy
 Marie Colvin: Syria regime accused of murder (Aug. 2012)
  ▪ Syrian forces had "locked on" to their satellite phone signals
 Appelbaum
  ▪ "These phone protocols are intentionally insecure"
  ▪ "Tracking people is sometimes considered a feature"
 Confidentiality
 Driessen and Hund showed that both GMR-1 and GMR-2 are broken (Feb. 2012)
 Completely reverse-engineered the encryption algorithm
 Took less than 30 min due to the insecure design of the algorithm

39  Targeting 2.5G GSM networks
Exploiting Open Functionality in SMS-Capable Cellular Networks, McDaniel et al., ACM CCS 2005 (Mobicom, Usenix Security, …)

40  All systems have bottlenecks; finding them reveals a weak point
 SMSCs have per-user queues; once the limit is reached, texts are dropped
 Sprint: 30 messages; Verizon: 100; AT&T: 400+
 Delivery rate from SMSC to MH measured at 7-8 seconds
 Can send messages via the Internet in 0.71 seconds

41  Phone network can be DoSed with enough text
 Same channels are used to initiate voice calls and deliver text
 How many text messages does it take?
 Estimate: Washington, D.C. can handle 240 msg/sec
 Internet-based attacker needs only 2.8 Mbps
 Some networks allow sending to 10 people at once
 Reduces needed bandwidth to 280 kbps

42  We have the victim's mobile phone number
 Can we detect if the victim is in/out of an area of interest?
 Granularity? 100 km²? 1 km²? Next door?
 No collaboration from the service provider
 i.e. How much information leaks from the HLR over broadcast messages?
 Attacks by passively listening
 Paging channel
 Random access channel
Location leaks on the GSM air interface, D. F. Kune, J. Koelndorfer, N. Hopper, Y. Kim, NDSS 2012
Media: Ars Technica, Slashdot, MPR, Fox Twin Cities, Physorg, TG Daily, Network World, e! Science News, Scientific Computing, gizmag, Crazy Engineers, PC Advisor, Mobile Magazine, The CyberJungle, Inquisitr

43 Figure: GSM architecture with MS, BTS, BSC, MSC, VLR, ATR, HLR, HSS and PSTN; the GSM Air Interface lies between MS and BTS

44  IMSI
 a unique number associated with every GSM subscriber
 TMSI
 Randomly assigned by the VLR
 Updated in a new area
 PCCH
 Broadcast paging channel
 RACH
 Random Access Channel
 SDCCH
 Standalone Dedicated Control Channel
 A LAC has multiple cell towers that use different ARFCNs
Figure (BTS ↔ MS): Paging Request (PCCH) → Channel Request (RACH) → Immediate Assignment (PCCH) → Paging Response (SDCCH) → Setup and Data

45 Motorola C118 ($30)
VirtualBox running Ubuntu and OsmocomBB software (free)
Serial cable and reprogrammer cable ($30)
HTC Dream with custom Android kernel ($100)

46 Figure: timing between a call placed from the PSTN and the resulting paging message on the PCH (Time, dt)

47  Delay between the call initiation and the paging request: 3 sec
 Median delay between call initiation and ring: 6 sec

48  Is the IA message sent to all towers in the same LAC?
 How do we identify the IA message?
 No identifiable information
 Check the correlation between IA and Paging Request


52 Figure: observer in downtown Minneapolis with a rooftop 12 dB gain Yagi antenna; towers in this area are observable (photo: John's newly shaved head)

53 Figure: observer location, start and end points, and approximate areas covered by the towers to which the victim's phone was attached

54  Solutions to offload traffic to other networks
 Small/cheap cells in residential environments
 ~ Q2 2011, 31 operators in 20 countries adopted femtocells
 Rooting is assumed, which is available in
 Borgaonkar, Redon, Seifert. "Security Analysis of a Femtocell device"
Femtocells: A Poisonous Needle in the Operator's Hay Stack, Borgaonkar, Golde, Redon, Blackhat'11


56  Over-the-air traffic is encrypted but decrypted on the femtocell
 All traffic between femtocell and network is plaintext and only protected by IPsec
 Hijacking control flow of the IPsec tunnel software
 Decode IPsec traffic, extract voice/SMS
 Femtocells can be a very cheap IMSI catcher

57  What if we change the HNB-GW?
 Full control over all communication
 Modify traffic, impersonating subscribers
 Relay messages to the subscriber whenever authentication is required
 Demo implementation based on SMS:
 Modify messages or inject SMS on behalf of the subscriber (who will be billed)

58  They found a remote root vulnerability in the web server (CVE-2011-2900)
 Take over the femtocell network
 End-user threats become a global problem!
 Signaling attacks are a well known problem, e.g. HLR overload
 TCP/IP based communication allows easy signaling traffic generation at a high rate
 Given a remote root bug this can be amplified with a femtocell botnet
 Connect to the femtocell network without a femtocell!
 Act as a femtocell by using the network protocols

59  Yongdae Kim
 yongdaek@gmail.com
 Facebook: https://www.facebook.com/y0ngdaek
 Twitter: https://twitter.com/yongdaek
Recruiting new graduate students!

