KAIST Yongdae Kim
Full Professor at EE, KAIST (2012. 9 ~); affiliated with CSRC and GIST. Formerly at the Univ. of Minnesota (2002 ~ 2012).
Contact information:
http://syssec.kaist.ac.kr/~yongdaek
yongdaek@gmail.com
Facebook: https://www.facebook.com/y0ngdaek
Twitter: https://twitter.com/yongdaek
Full Professor at EE, KAIST (2012. 9 ~); affiliated with CSRC and GIST.
20-year career in security research: applied cryptography, group key agreement, storage, P2P, mobile/sensor/ad-hoc/cellular networks, social networks, Internet, anonymity, censorship.
Published about 70 papers (3,000 Google Scholar citations). NSF CAREER Award and U of M McKnight Land-Grant Award.
Advised 10 PhD, 9 MS and 15 BS students.
Career timeline: ETRI (1993), USC (1998), UMN assistant professor (2002), UMN tenure and associate professor (2008), KAIST (2012).
Data plane: the actual delivery of data.
Control plane: everything that supports data delivery (efficiently, reliably, etc.), for example the exchange of routing information. In some sense every protocol other than data delivery itself is a control-plane protocol.
Example networks: peer-to-peer networks, cellular networks, the Internet, ...
Botnets (the attacker's resource):

Creation  Name       # of bots   Spam        Control
2004      Bagle      230K        5.7 B/day   Centralized
2007      Storm      >1,000K     3 B/day     P2P
2008      Mariposa   12,000K     ?           Centralized
2008      Waledac    80K         ?           Centralized
2008      Conficker  >10,000K    10 B/day    Centralized/P2P
2009?     Mega-D     4,500K      10 B/day    Centralized
2009?     Zeus       >3,600K     ?
2009      BredoLab   30,000K     3.6 B/day   Centralized
2010      TDL4       4,500K      ?           P2P
BGP incidents (no attacker on any router was needed):
1997: AS7007 claimed the shortest path to the whole Internet, causing an Internet black hole.
2004: TTNet (AS9121) claimed the shortest path to the whole Internet; the outage lasted for several hours.
2006: AS27056 "stole" several important prefixes on the Internet, from Martha Stewart Living to The New York Daily News.
2008: Pakistan decided to block YouTube; one Pakistani ISP advertised a more specific prefix covering part of YouTube's (AS36561) address space, and the announcement leaked to the global Internet.
2010: China: reportedly 15% of Internet traffic was routed through China Telecom for 18 minutes, including .mil and .gov networks (the 15% traffic figure was later disputed; the incident involved tens of thousands of leaked prefixes).
2011: China: traffic from US iPhones to Facebook was routed through China and Korea.
300 Gbps DDoS against Spamhaus by Stophaus (March 2013); mitigated by CloudFlare using anycast. Stophaus then turned its attacks on IXes (Internet exchanges).
For scale, Korea's international (world) IX bandwidth: KT 560 Gbps, SKB 235 Gbps, LGU+ 145 Gbps, SKT 100 Gbps; about 1 Tbps in total.
Max Schuchard, Eugene Vasserman, Abedelaziz Mohaisen, Denis Foo Kune, Nicholas Hopper, Yongdae Kim
Media coverage:
"His thesis: How to crash the Internet", Star Tribune
"The cyberweapon that could take down the internet", New Scientist
"Boffins devise 'cyberweapon' to take down internet", The Register
"Prof. Says New Cyberweapon Could Take Down the Internet", CBS
"How to crash the Internet", ZDNet
Paper: Losing Control of the Internet: Using the Data Plane to Attack the Control Plane, Network and Distributed System Security (NDSS) 2011
An attack on the Internet's control plane: overwhelm routers with BGP updates, launched using only a botnet.
Defenses are non-trivial; this is different from a DDoS on web servers.
Not required: router compromise or misconfiguration. BGPSEC or similar technologies do not stop the attack, because every update it triggers is a legitimate one.
Our attack model: an unprivileged adversary who can generate only data-plane events, does not control any BGP speaker, and has a botnet of reasonable size (50k, 100k, 250k or 500k nodes).
Research questions: Can we shut down the Internet using only data-plane events? How many control-plane events can be generated by data-plane events caused by a coordinated set of compromised computers?
AS (Autonomous System):
Core AS: high degree of connectivity.
Fringe AS: very low degree of connectivity, sitting at the outskirts of the Internet.
Transit AS: core ASes which agree to forward traffic to and from other ASes.
BGP (Border Gateway Protocol): the de facto standard routing protocol spoken by routers connecting different ASes. BGP is a path-vector routing algorithm: routers maintain a table of AS paths to every destination, and use policies to prefer certain AS paths over others.
Figure: path-vector propagation. AS A originates prefix 1.0.0.0/8; each AS prepends itself before re-advertising.
A → B, C: DST 1.0.0.0/8, Path: A
B → D: DST 1.0.0.0/8, Path: B, A
C → E: DST 1.0.0.0/8, Path: C, A
D holds Path: D, B, A; E holds Path: E, C, A.
Figure: with more links between B, C, D and E, every AS learns several paths to 1.0.0.0/8 and keeps the preferred one:
B: (B, A) and (B, C, A)
C: (C, A)
D: (D, B, A) and (D, C, A)
E: (E, B, A) and (E, C, A)
Figure: when a link between B and C, D, E fails, the routers send UPDATE messages and the change propagates. Two questions for the attacker: How does the attacker pick links? How does the attacker direct traffic?
Figure: routing tables (each entry is the AS path from that AS to a destination):
A: {AB, AC, ABE, ABD}
B: {BA, BC, BD, BE}
C: {CA, CB, CD, CE}
D: {DB, DBA, DBAC, DBE}
E: {EB, EBA, EBAC, EBD}
Number of installed routes traversing each link: A–B: 8, B–D: 7, B–E: 7, A–C: 4, B–C: 2, C–D: 1, C–E: 1. The highlighted B–C link is used only by the paths CB and BC. A link that carries more routes forces more UPDATEs when it fails.
Figure (ASes A to E): spread attack flows! Bots send traffic to other bots so that their data-plane paths cross the targeted link.
Figure (A, B, C): one target per attack flow!
Evaluation: a simulator modelling network dynamics. Topology generated from the Internet; routers are fully functional BGP speakers; bot distribution taken from Waledac; the bandwidth model is the worst case for the attacker.
Link classes:
Targeted link: any link selected for disruption.
Last-mile links: untargeted links that connect fringe ASes to the rest of the network.
Transit link: any link that fits neither of the other two classes.
Summary: adversarial route flapping on an Internet scale, implemented using only a modest botnet. Defenses are non-trivial, but incrementally deployable.
Future work:
Cascaded failure; router failure modelling.
Attacks using remotely compromised routers; targeted attack: an Internet kill switch.
Router design for the Future Internet: software routers?
Routers placed in certain states fail to provide the functionality they should. Unexpected but perfectly legal BGP messages can place routers into those states, and any assumption about the likelihood of encountering such messages does not hold under adversarial conditions.
Peer Pressure: Exerting Malicious Influence on Routers at a Distance, Max Schuchard, Christopher Thompson, Nicholas Hopper and Yongdae Kim, ICDCS 2013
How many BGP updates are needed to consume 1 GB of router memory? About 2,000,000 BGP updates are needed for this attack to succeed.
With distinct, long AS paths and community attributes, 300,000 BGP updates are enough for this attack.
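Why distinct, long AS paths and community attributes cut the update count from 2,000,000 to 300,000: the receiver has to store every attribute of every distinct route it accepts. The block below is an added example, not code from the Peer Pressure paper or from any router vendor. It encodes RFC 4271 UPDATE messages (4-octet ASNs as in RFC 6793, the COMMUNITY attribute as in RFC 1997) and uses the attribute-plus-NLRI bytes of each update as a lower bound on the memory it occupies; the per-route overhead of a real RIB is an assumed parameter, since routers keep parsed structures per peer rather than raw wire bytes. The ASNs, prefix and community values are made up for the example.

```python
"""Size of a BGP UPDATE as a lower bound on the memory it costs the receiving router.

Added example, not code from the Peer Pressure paper: it encodes RFC 4271 UPDATE messages
(4-octet ASNs per RFC 6793, COMMUNITY per RFC 1997) and shows how padding the AS_PATH and
COMMUNITY attributes cuts the number of updates needed to fill a memory budget.  Per-route
router overhead is an assumed parameter; wire size is only a floor."""
import ipaddress
import struct

ORIGIN, AS_PATH, NEXT_HOP, COMMUNITY = 1, 2, 3, 8
AS_SEQUENCE = 2
MAX_MSG = 4096          # RFC 4271 maximum message size (RFC 8654 raises it; not assumed here)


def attribute(type_code, value, flags=0x40):
    """Path attribute TLV.  0x40 = well-known transitive; flag 0x10 = extended (2-byte) length."""
    if len(value) > 255:
        return struct.pack("!BBH", flags | 0x10, type_code, len(value)) + value
    return struct.pack("!BBB", flags, type_code, len(value)) + value


def as_path(asns):
    """AS_PATH made of AS_SEQUENCE segments; one segment holds at most 255 ASNs."""
    segments = b""
    for i in range(0, len(asns), 255):
        seg = asns[i:i + 255]
        segments += struct.pack("!BB", AS_SEQUENCE, len(seg))
        segments += b"".join(struct.pack("!I", a) for a in seg)
    return attribute(AS_PATH, segments)


def nlri(prefix):
    """NLRI: prefix length byte followed by the minimum number of prefix octets."""
    net = ipaddress.ip_network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def bgp_update(prefix, asns, next_hop, communities=()):
    """One UPDATE announcing `prefix` with the given AS_PATH and an optional COMMUNITY list."""
    attrs = attribute(ORIGIN, b"\x00")                               # ORIGIN = IGP
    attrs += as_path(asns)
    attrs += attribute(NEXT_HOP, ipaddress.ip_address(next_hop).packed)
    if communities:                                                  # optional transitive
        value = b"".join(struct.pack("!HH", asn, tag) for asn, tag in communities)
        attrs += attribute(COMMUNITY, value, flags=0xC0)
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri(prefix)  # no withdrawn routes
    length = 19 + len(body)
    if length > MAX_MSG:
        raise ValueError(f"UPDATE of {length} bytes exceeds {MAX_MSG}")
    return b"\xff" * 16 + struct.pack("!HB", length, 2) + body      # marker, length, type=2


def stored_bytes(update, per_route_overhead=0):
    """Bytes the receiver must keep for this route: attributes + NLRI, plus assumed overhead."""
    return len(update) - 19 + per_route_overhead


def updates_to_fill(budget_bytes, update, per_route_overhead=0):
    """Distinct accepted routes of this shape needed to consume `budget_bytes` of memory."""
    return -(-budget_bytes // stored_bytes(update, per_route_overhead))


if __name__ == "__main__":
    gib = 1 << 30
    plain = bgp_update("10.0.0.0/8", [65001], "192.0.2.1")
    padded = bgp_update("10.0.0.0/8", list(range(64512, 64512 + 255)), "192.0.2.1",
                        communities=[(65001, i) for i in range(300)])
    for name, upd in (("plain", plain), ("padded", padded)):
        print(f"{name}: {len(upd)} bytes on the wire, "
              f"{updates_to_fill(gib, upd):,} updates per GiB (wire-size floor), "
              f"{updates_to_fill(gib, upd, 400):,} with 400 B assumed overhead")
```

A one-hop update with no communities is 45 bytes on the wire (26 bytes of attributes and NLRI), so more than 41 million of them would be needed per GiB; a 255-ASN AS_PATH with 300 communities is 2,266 bytes and needs about 478,000. The slide's 2,000,000 per GB corresponds to roughly 500 bytes of router memory per route and its 300,000 to about 3.5 KB, i.e. the padded update's wire size plus a few hundred bytes of per-route overhead. Two constraints matter for an attacker: the 4,096-byte message limit of RFC 4271 (enforced in bgp_update), and the fact that only distinct routes are retained, so each update has to differ in prefix or attributes.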
Hash collisions make the router spend more processing time.
IMSI catcher: a man-in-the-middle between the MS (mobile station) and the BTS. An eavesdropping device used for interception and for tracking mobile phones; undetectable for the phone's user.
GSM uses one-way authentication only (the phone cannot authenticate the network); UMTS uses mutual authentication but is backward compatible with GSM.
Manufacturers: Meganet, NeoSoft, Shoghi, Proximus. Chris Paget built a custom one for $1,500.
Detection of IMSI catchers? 2011, Karsten Nohl: Catcher Catcher!
Dec. 2010, Karsten Nohl at CCC: a $15 phone and open-source software.
OsmocomBB: free/open-source GSM baseband software implementation, replacing the proprietary GSM baseband software:
▪ drivers for the GSM analog and digital baseband peripherals
▪ the GSM phone-side protocol stack, from layer 1 up to layer 3
2009: GSM A5/1 encryption shown to be breakable in practice.
How about 3G and LTE? A debugger for the Qualcomm baseband chip MSM6280? The CDMA long code?
Satellite phones.
Location privacy: Marie Colvin, the Syrian regime accused of murder (Aug. 2012)
▪ Syrian forces had "locked on" to the journalists' satellite phone signals
Appelbaum:
▪ "These phone protocols are intentionally insecure"
▪ "Tracking people is sometimes considered a feature"
Confidentiality: Driessen and Hund showed that both GMR-1 and GMR-2 are broken (Feb. 2012). They completely reverse-engineered the encryption algorithms; breaking them took less than 30 minutes because of the insecure design of the algorithms.
SMS attacks targeting 2.5G GSM networks: Exploiting Open Functionality in SMS-Capable Cellular Networks, Enck, Traynor, McDaniel and La Porta, ACM CCS 2005 (with follow-up work at MobiCom, USENIX Security, ...)
All systems have bottlenecks; finding them reveals a weak point.
SMSCs have per-user queues; once a queue is full, further texts are dropped (Sprint: 30 messages; Verizon: 100; AT&T: 400+).
Delivery latency from the SMSC to the mobile host (MH) was measured at 7-8 seconds, while messages can be submitted via the Internet in 0.71 seconds.
A phone network can be DoSed with enough text messages: the same control channels are used to set up voice calls and to deliver texts.
How many text messages does it take? Estimate: Washington, D.C. can handle 240 msg/sec, so an Internet-based attacker needs only 2.8 Mbps of submission bandwidth. Some networks allow sending to 10 recipients at once, which reduces the needed bandwidth to 280 kbps.
Location leaks. We have the victim's mobile phone number. Can we detect whether the victim is in or out of an area of interest? Granularity: 100 km²? 1 km²? Next door?
No collaboration from the service provider, i.e. how much information leaks from the HLR over broadcast messages? Attacks by passively listening to the paging channel and the random access channel.
Location Leaks on the GSM Air Interface, D. F. Kune, J. Koelndorfer, N. Hopper, Y. Kim, NDSS 2012
Media: Ars Technica, Slashdot, MPR, Fox Twin Cities, Physorg, TG Daily, Network World, e! Science News, Scientific Computing, gizmag, Crazy Engineers, PC Advisor, Mobile Magazine, The CyberJungle, Inquisitr
Figure: GSM architecture. The MS talks to the BTS over the GSM air interface; behind the BTS sit the BSC, the MSC with its VLR, the HLR/HSS (labelled ATR and HLR/HSS in the figure) and the PSTN.
IMSI: a unique number associated with every GSM subscriber.
TMSI: randomly assigned by the VLR; updated when the phone enters a new area.
PCCH: broadcast paging channel. RACH: random access channel. SDCCH: standalone dedicated control channel.
A LAC (location area) contains multiple cell towers, each using a different ARFCN.
Message flow between BTS and MS when a call arrives (as drawn on the slide):
BTS → MS: Paging Request (PCCH)
MS → BTS: Channel Request (RACH)
BTS → MS: Immediate Assignment (PCCH)
MS → BTS: Paging Response (SDCCH)
then call setup and data.
Equipment: Motorola C118 ($30); VirtualBox running Ubuntu and the OsmocomBB software (free); serial cable and reprogrammer cable ($30); HTC Dream with a custom Android kernel ($100).
Figure: timing between a call placed from the PSTN and the Paging Request observed on the PCH (delay dt).
Delay between call initiation and the Paging Request: 3 seconds. Median delay between call initiation and ring: 6 seconds. A call hung up between the two pages the victim's phone without alerting the user.
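The paging-channel correlation behind slides 44 to 47, as an added example; it is not code from Kune et al., and the capture in it is constructed. The attacker places a call to the victim's number and hangs up before the roughly 6 s ring delay, so the user notices nothing, but the network still broadcasts a Paging Request for the victim's TMSI about 3 s later. Intersecting the TMSIs seen in that window over several probe calls isolates the victim's TMSI among bystanders; a single later probe then tells whether the victim is still in the observed location area. The delay window (2 to 5 s) and the TMSI values are assumptions made for the example.

```python
"""Correlating attacker-placed calls with the GSM paging channel to find a victim's TMSI.

Added example, not code from the Kune et al. paper; it models the idea on the slides (the
network pages the victim about 3 s after a call is placed, so a call hung up before the ~6 s
ring delay is silent for the user yet visible on the PCCH).  The capture below is constructed."""
from collections import Counter

# Constructed paging-channel capture: (seconds since capture start, TMSI).  The observer sits in
# the victim's location area and logs every Paging Request it decodes.
PAGING_LOG = [
    (1.5, "0x1a2b3c4d"),
    (3.0, "0x5e6f7081"),
    (13.2, "0xdeadbeef"),   # victim paged 3.2 s after probe call 1
    (13.9, "0x5e6f7081"),   # bystander paged in the same window
    (25.0, "0x9abcdef0"),
    (72.8, "0xdeadbeef"),   # victim, probe call 2
    (74.1, "0x1a2b3c4d"),   # another bystander
    (90.0, "0x5e6f7081"),
    (132.9, "0xdeadbeef"),  # victim, probe call 3
    (134.0, "0x77777777"),
    (150.0, "0x9abcdef0"),
    (203.5, "0x5e6f7081"),  # presence check at t=200: the victim is no longer paged here
]

# Times (s) at which the attacker dialled the victim's number and hung up before it rang.
PROBE_CALLS = [10.0, 70.0, 130.0]


def candidates(paging_log, call_time, min_delay=2.0, max_delay=5.0):
    """TMSIs paged inside the expected window after one probe call.
    The window (assumed values) brackets the ~3 s call-to-paging delay from the slide."""
    lo, hi = call_time + min_delay, call_time + max_delay
    return {tmsi for t, tmsi in paging_log if lo <= t <= hi}


def rank_tmsis(paging_log, call_times, **window):
    """Count, per TMSI, how many probe windows it appeared in.  Bystanders fall into a few
    windows by chance; the victim's TMSI falls into every one."""
    hits = Counter()
    for ct in call_times:
        hits.update(candidates(paging_log, ct, **window))
    return hits.most_common()


def identify_tmsi(paging_log, call_times, **window):
    """TMSIs paged after every probe call.  More than one element means the attacker must
    place further probe calls; an empty set means the victim is not in this location area
    (or the TMSI was reassigned during the experiment)."""
    return {t for t, n in rank_tmsis(paging_log, call_times, **window) if n == len(call_times)}


def is_present(paging_log, call_time, tmsi, **window):
    """Presence test once the TMSI is known: one silent call, one look at the PCCH."""
    return tmsi in candidates(paging_log, call_time, **window)


if __name__ == "__main__":
    print("hits per TMSI:", rank_tmsis(PAGING_LOG, PROBE_CALLS))
    print("victim TMSI:", identify_tmsi(PAGING_LOG, PROBE_CALLS))
    print("in area at t=130:", is_present(PAGING_LOG, 130.0, "0xdeadbeef"))
    print("in area at t=200:", is_present(PAGING_LOG, 200.0, "0xdeadbeef"))
```

The TMSI is reassigned on a location update, so the identification step has to be repeated when the victim moves to a new LAC; and because the PCCH is a broadcast channel, nothing here needs cooperation from the provider or any transmission by the observer.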
Is the Immediate Assignment (IA) message sent to all towers in the same LAC? How do we identify the IA message, which carries no identifying information? Check the correlation between IA messages and Paging Requests.
Figure: towers in this area are observable with a rooftop 12 dB gain Yagi antenna; observer located in downtown Minneapolis.
Figure: approximate areas covered by the towers to which the victim's phone was attached, from the start to the end of the victim's route, relative to the observer.
Femtocells: a solution to offload traffic to other networks; small, cheap cells in residential environments. By about Q2 2011, 31 operators in 20 countries had adopted femtocells.
Root access on the femtocell is assumed; how to obtain it is shown in Borgaonkar, Redon, Seifert, "Security Analysis of a Femtocell Device".
Source: Femtocells: A Poisonous Needle in the Operator's Hay Stack, Borgaonkar, Golde, Redon, Black Hat 2011
Over-the-air traffic is encrypted, but it is decrypted on the femtocell. All traffic between the femtocell and the operator network is plaintext, protected only by IPsec.
Hijack the control flow of the IPsec tunnel software on the (rooted) femtocell, decode the IPsec traffic, and extract voice and SMS. A femtocell can thus be a very cheap IMSI catcher.
What if we change the HNB-GW (Home NodeB gateway) the femtocell talks to? Full control over all communication: modify traffic, impersonate subscribers, and relay messages to the subscriber whenever authentication is required.
Demo implementation based on SMS: modify messages or inject SMS on behalf of the subscriber (who will be billed).
They found a remote root vulnerability in the web server (CVE-2011-2900): take over the femtocell network.
End-user threats become a global problem! Signaling attacks are a well-known problem (e.g. HLR overload); TCP/IP-based communication allows signaling traffic to be generated easily and at a high rate; given a remote root bug, this can be amplified with a femtocell botnet.
Connect to the femtocell network without a femtocell: act as a femtocell by speaking the network protocols.
Yongdae Kim
yongdaek@gmail.com
Facebook: https://www.facebook.com/y0ngdaek
Twitter: https://twitter.com/yongdaek
Recruiting new graduate students!