Games and the Impossibility of Realizable Ideal Functionality

Internet Security: How the Internet works and some basic vulnerabilitiesDan Boneh(Modified by Vijay Ganesh)ECE 458Winter 2013

BackboneISP

ISP

Internet InfrastructureLocal and interdomain routingTCP/IP for routing and messagingBGP for routing announcementsDomain Name SystemFind IP address from symbolic name (www.cs.stanford.edu)Internet Topology

TCP/IP Protocol StackApplicationTransportNetworkLinkApplication protocolTCP protocolIP protocolData LinkIPNetwork AccessIP protocolData LinkApplicationTransportNetworkLinkData FormatsApplicationTransport (TCP, UDP)Network (IP)Link LayerApplication message - dataTCPdataTCPdataTCPdataTCP HeaderdataTCPIPIP HeaderdataTCPIPETHETFLink (Ethernet) HeaderLink (Ethernet) Trailersegment packetframemessageInternet ProtocolConnectionlessUnreliableBest effort

Notes:src and dest ports not parts of IP hdr

IPVersionHeader LengthType of ServiceTotal LengthIdentificationFlagsTime to LiveProtocolHeader ChecksumSource Address of Originating HostDestination Address of Target HostOptionsPaddingIP DataFragment Offset IP RoutingTypical route uses several hopsIP: no ordering or delivery guarantees

MegTomISPOffice gateway121.42.33.12132.14.11.51SourceDestinationPacket121.42.33.12121.42.33.1132.14.11.51132.14.11.1

IP Protocol Functions (Summary)RoutingIP host knows location of router (gateway)IP gateway must know route to other networks

Fragmentation and reassemblyIf max-packet-size less than the user-data-size

Error reportingICMP packet to source if packet is dropped

TTL field: decremented after every hopPacket dropped if TTL=0. Prevents infinite loops.Problem: no src IP authenticationClient is trusted to embed correct source IPEasy to override using raw socketsLibnet:a library for formatting raw packets with arbitrary IP headersAnyone who owns their machine can send packets with arbitrary source IP response will be sent back to forged source IPImplications:Anonymous DoS attacksUser Datagram Protocol (protocol=17)Unreliable transport on top of IP:No acknowledgmentNo congenstion controlNo message continuationUDP

Transmission Control ProtocolConnection-oriented, preserves orderSender Break data into packetsAttach packet numbersReceiverAcknowledge receipt; lost packets are resentReassemble packets in correct orderTCPBookMail each pageReassemble book

195111

TCP Header (protocol=6)Source PortDest portSEQ NumberACK NumberOther stuffURGPSRACKPSHSYNFINTCP HeaderReview: TCP HandshakeCSSYN:SYN/ACK:ACK:ListeningStore SNC , SNSWaitEstablishedSNCrandCANC0SNSrandSANSSNCSNSNC+1ANSNSReceived packets with SN too far out of window are droppedBasic Security Problems1. Network packets pass by untrusted hostsEavesdropping, packet sniffingEspecially easy when attacker controls a machine close to victim

2. TCP state can be easy to guessEnables spoofing and session hijacking

Denial of Service (DoS) vulnerabilities1. Packet SniffingPromiscuous NIC reads all packetsRead all unencrypted data (e.g., wireshark)ftp, telnet (and POP, IMAP) may send passwords in clear

AliceBobEveNetworkPrevention: Encryption2. TCP Connection SpoofingWhy random initial sequence numbers? (SNC , SNS )Suppose initial sequence numbers are predictableAttacker can create TCP session on behalf of forged source IPBreaks IP-based authentication (e.g. SPF, /etc/hosts )VictimServerSYN/ACKdstIP=victimSN=server SNSACKsrcIP=victimAN=predicted SNScommandserver thinks command is from victim IP addrattackerTCP SYNsrcIP=victimExample commands: send spam email on behalf of victim IP address16Example DoS vulnerability [Watson04]Suppose attacker can guess seq. number for an existing connection:Attacker can send Reset packet to close connection. Results in DoS.Naively, success prob. is 1/232 (32-bit seq. #s).Most systems allow for a large window of acceptable seq. #sMuch higher success probability.

Attack is most effective against long lived connections, e.g. BGPRandom initial TCP SNsUnpredictable SNs prevent basic packet injection but attacker can inject packets after eavesdropping to obtain current SN

Most TCP stacks now generate random SNsRandom generator should be unpredictableGPR06: Linux RNG for generating SNs is predictableAttacker repeatedly connects to serverObtains sequence of SNsCan predict next SNAttacker can now do TCP spoofing (create TCP session with forged source IP)Routing VulnerabilitiesRouting VulnerabilitiesRouting protocols:ARP (addr resolution protocol): IP addr eth addrNode A can confuse gateway into sending it traffic for BBy proxying traffic, attacker A can easily inject packets into Bs session (e.g. WiFi networks)OSPF: used for routing within an Autonomous SystemBGP: routing between Autonomous SystemsAttacker can cause entire Internet to send traffic meant for a victim IP to attackers address.Example: Youtube mishapOSPF: open shortest path first20Interdomain Routingconnected group of one or more Internet Protocol prefixes under a single routing policy (aka domain)OSPFBGPAutonomous Systemearthlink.netStanford.eduOSPF: open shortest path first21BGP example [D. Wetherall]Transit: 2 provides transit for 7Algorithm seems to work OK in practice but BGP does not respond well to frequent node outages34657182772 72 72 73 2 76 2 72 6 52 6 52 6 53 2 6 57 2 6 56 555Security IssuesBGP packets are un-authenticated

Attacker can inject advertisements for arbitrary routesAdvertisement will propagate everywhereUsed for DoS and spam

Human error problems:

Mistakes quickly propagate to the entire Internet

OSPF: routing inside an Autonomous SystemLink State Advertisements (LSA):Flooded throughout AS so that all routers in the AS have a complete view of the AS topologyTransmission: IP datagrams, protocol = 89

Neighbor discovery:Routers dynamically discover direct neighbors on attached links --- sets up an adjacentyOnce setup, they exchange their LSA databases

RaLSA DB:

Rb

Rb LSAR3

RaRbNet-1Net-1Ra LSA

RaRbNet-13223111Example: LSA from Ra and RbRa and Rb send an LSA about the connection between them. That LSA is received by R3 and it updates its own LSA database.25Security featuresOSPF message integrity (unlike BGP)Every link can have its own shared secretUnfortunately, OSPF uses an insecure MAC: MAC(k,m) = MD5(data ll key ll pad ll len)Every LSA is flooded throughout the ASIf a single malicious router, valid LSAs may still reach dest.The fight back mechanismIf a router receives its own LSA with a newer timestamp than the latest it sent, it immediately floods a new LSALinks must be advertised by both endsStill many attacks [NKGB12]Threat model: single malicious router wants to disrupt all AS trafficExample problem: adjacency setup need no peer feedback LAN

Victim (DR)a remote attackeradjacencyadjacency

False Hello and DBD messages net 1phantom router

adjacencyResult: DoS on net 1A router can setup an adjacency with a peer router without ever hearing back from the peer. Therefore, a remote attacker can cause a victim router to setup an adjacency with a phantom peer, resulting in DoS. 27Domain Name SystemDomain Name SystemHierarchical Name SpacerootedunetorgukcomcawiscucbstanfordcmumitcseewwwDNSDNS Root Name ServersHierarchical serviceRoot name servers for top-level domainsAuthoritative name servers for subdomainsLocal name resolvers contact authoritative servers when they do not know a name

DNS Lookup ExampleClientLocal DNS resolverroot & edu DNS serverstanford.edu DNS serverwww.cs.stanford.eduNS stanford.eduwww.cs.stanford.eduNS cs.stanford.eduA www=IPaddrcs.stanford.eduDNS serverDNS record types (partial list): - NS:name server (points to other server)- A:address record (contains IP address)- MX:address in charge of handling email- TXT:generic text (e.g. used to distribute site public keys (DKIM) )

DNS Lookup ExampleDNS

CachingDNS responses are cached Quick response for repeated translationsUseful for finding servers as well as addresses NS records for domains

DNS negative queries are cachedSave time for nonexistent sites, e.g. misspelling

Cached data periodically times outLifetime (TTL) of data controlled by owner of dataTTL passed with every recordDNS PacketQuery ID:16 bit random valueLinks response to query

(from Steve Friedl)Resolver to NS request

Response to resolver

Response contains IP addr of next NS server(called glue)

Response ignored if unrecognized QueryID

Authoritative response to resolverfinal answerbailiwick checking: response is cached if it is within the same domain of query (i.e. a.com cannot set NS for b.com)

Basic DNS VulnerabilitiesUsers/hosts trust the host-address mapping provided by DNS:Used as basis for many security policies:Browser same origin policy, URL address bar

Obvious problems Interception of requests or compromise of DNS servers can result in incorrect or malicious responsese.g.: malicious access point in a CafeSolution authenticated requests/responsesProvided by DNSsec but few use DNSsecDNS cache poisoning (a la Kaminsky08)Victim machine visits attackers web site, downloads JavascriptuserbrowserlocalDNSresolverQuery: a.bank.coma.bank.comQID=x1attackerattacker wins if j: x1 = yj response is cached and attacker owns bank.comns.bank.comIPaddr256 responses:Random QID y1, y2, NS bank.com=ns.bank.comA ns.bank.com=attackerIP If at first you dont succeed Victim machine visits attackers web site, downloads JavascriptuserbrowserlocalDNSresolverQuery:

b.bank.comb.bank.comQID=x2attacker256 responses:Random QID y1, y2, NS bank.com=ns.bank.comA ns.bank.com=attackerIP attacker wins if j: x2 = yj response is cached and attacker owns bank.comns.bank.comIPaddrsuccess after 256 tries (few minutes) Birthday paradox: success once xi = yj for some i,j . Success probability after each try is 1/256 needs 256 tries on average until success40DefensesIncrease Query ID size. How?

a. Randomize src port, additional 11 bitsNow attack takes several hours

b. Ask every DNS query twice:Attacker has to guess QueryID correctly twice (32 bits)Apparently DNS system cannot handle the loadDNS poisoning attacks in the wildJanuary 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.

In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy

In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops"DNS Rebinding AttackRead permitted: its the same origin

Firewallwww.evil.comweb serverns.evil.comDNS server171.64.7.115www.evil.com?corporateweb server171.64.7.115 TTL = 0

192.168.0.100192.168.0.100[DWF96, R01]DNS-SEC cannot stop this attackDNS Rebinding DefensesBrowser mitigation: DNS PinningRefuse to switch to a new IPInteracts poorly with proxies, VPN, dynamic DNS, Not consistently implemented in any browserServer-side defensesCheck Host header for unrecognized domainsAuthenticate users with something other than IPFirewall defensesExternal names cant resolve to internal addressesProtects browsers inside the organizationSummaryCore protocols not designed for securityEavesdropping, Packet injection, Route stealing, DNS poisoningPatched over time to prevent basic attacks(e.g. random TCP SN)

More secure variants exist (next lecture) : IP -> IPsecDNS -> DNSsecBGP -> SBGP