15-446 networked systems practicum

15-446 Networked Systems Practicum

Lecture 13 – IP Weaknesses

1

2

Overview

• Security holes

• Firewalls

• TCP receiver attacks

3

Flashback .. Internet design goals

1. Interconnection2. Failure resilience3. Multiple types of service4. Variety of networks5. Management of resources6. Cost-effective7. Low entry-cost8. Accountability for resources

Where is security?

4

Why did they leave it out?

• Designed for connectivity

• Network designed with implicit trust• No “bad” guys

• Can’t security be provided at the edge?• Encryption, Authentication etc• End-to-end arguments in system design

5

Security Vulnerabilities

• At every layer in the protocol stack!

• Network-layer attacks• IP-level vulnerabilities• Routing attacks

• Transport-layer attacks• TCP vulnerabilities

• Application-layer attacks

6

IP-level vulnerabilities

• IP addresses are provided by the source• Spoofing attacks

• Using IP address for authentication• e.g., login with .rhosts

• Some “features” that have been exploited• Fragmentation • Broadcast for traffic amplification

7

Security Flaws in IP

• The IP addresses are filled in by the originating host• Address spoofing

• Using source address for authentication• r-utilities (rlogin, rsh, rhosts etc..)

InternetInternet

2.1.1.1 C

1.1.1.1 1.1.1.2A B

1.1.1.3 S

•Can A claim it is B to the server S?

•ARP Spoofing

•Can C claim it is B to the server S?

•Source Routing

8

ARP Spoofing

• Attacker uses ARP protocol to associate MAC address of attacker with another host's IP address

• E.g. become the default gateway:• Forward packets to real gateway (interception)• Alter packets and forward (man-in-the-middle attack)• Use non-existant MAC address or just drop packets

(denial of service attack)

• ARP Spoofing used in hotel & airport networks to direct new hosts to register before getting "connected"

9

Source Routing

• ARP spoofing cannot redirect packets to another network

• We have studied routing protocols: routers do all the work, so if you spoof an IP source address, replies go to the spoofed host

• An option in IP is to provide a route in the packet: source routing.

• Equivalent to tunneling.• Attack: spoof the host IP address and

specify a source route back to the attacker.

ICMP

• Reports errors and other conditions from network to end hosts

• End hosts take actions to respond to error• No authentication

• Problem• An entity can easily forge a variety of ICMP error messages

• Redirect – informs end-hosts that it should be using different first hop route

• Fragmentation – can confuse path MTU discovery• Destination unreachable – can cause transport connections to be

dropped• Many more…

• http://www.sans.org/rr/whitepapers/threats/477.php

10

11

ICMP Redirect

• ICMP Redirect message: tell a host to use a different gateway on the same network (saves a hop for future packets)

Host A

"Good" GatewayAttacker

Spoof an ICMP Redirect message from "Good" Gateway to redirect traffic through Attacker TCP packets

12

Smurf Attack

Attacking System

InternetInternet

Broadcast Enabled Network

Broadcast Enabled Network

Victim System

Ping request to a broadcast addresswith source = victim'sIP address

Ping request to broadcast addresswith source = victim'sIP address

Ping reply from every host

Replies directedto victim

13

Routing

• Source routing• Destinations are expected to reverse source

route for replies• Problem – Can force packets to be routed

through convenient monitoring point • Solution – Disallow source routing – doesn’t work

well anyway!

14

Routing

• Routing protocol• Malicious hosts may advertise routes into

network• Problem – Bogus routes may enable host to

monitor traffic or deny service to others• Solutions

• Use policy mechanisms to only accept routes from or to certain networks/entities

• In link state routing, can use something like source routing to force packets onto valid route

• Routing registries and certificates

15

Routing attacks

• Divert traffic to malicious nodes• Black-hole• Eavesdropping

• How to implement routing attacks?• Distance-Vector: Announce low-cost routes• Link-state: Dropping links from topology

• BGP vulnerabilities• Prefix-hijacking• Path alteration

• In early 2008, at least eight US Universities had their traffic diverted to Indonesia for about 90 minutes one morning in an attack kept mostly quiet by those involved. Also, in February 2008, a large portion of YouTube's address space was redirected to Pakistan when the PTA decided to block access to the site from inside the country, but accidentally blackholed the route in the global BGP table.

16

DNS

• Users/hosts typically trust the host-address mapping provided by DNS

• Problems • Zone transfers can provide useful list of target

hosts• Interception of requests or comprise of DNS

servers can result in bogus responses• Solution – authenticated requests/responses

17

Basic IP

• End hosts create IP packets and routers process them purely based on destination address alone (not quite in reality)

• Problem – End host may lie about other fields and not affect delivery• Source address – host may trick destination into

believing that packet is from trusted source• Many applications use IP address as a simple authentication

method• Solution – reverse path forwarding checks, better authentication

• Fragmentation – can consume memory resources or otherwise trick destination/firewalls• Solution – disallow fragments

18

Bandwidth DOS Attacks

• Possible solutions• Ingress filtering – examine packets to identify bogus

source addresses• Link testing – how routers either explicitly identify which

hops are involved in attack or use controlled flooding and a network map to perturb attack traffic

• Logging – log packets at key routers and post-process to identify attacker’s path

• ICMP traceback – sample occasional packets and copy path info into special ICMP messages

• IP traceback

19

TCP-level attacks

• SYN-Floods• Implementations create state at servers before

connection is fully established

• Session hijack• Pretend to be a trusted host• Sequence number guessing

• Session resets• Close a legitimate connection

20

SYN Flooding

• Objective of attack: make a service unusable, usually by overloading the server or network

• Example: SYN flooding attack• Send SYN packets with bogus source address• Server responds with SYNACK keeps state about TCP

half-open connection• Eventually server memory is exhausted with this state

• Solution: SYN cookies – make the SYNACK contents purely a function of SYN contents, therefore, it can be recomputed on reception of next ACK

22

TCP

• Each TCP connection has an agreed upon/negotiated set of associated state• Starting sequence numbers, port numbers• Knowing these parameters is sometimes used to

provide some sense of security

• Problem• Easy to guess these values

• Listening ports #’s are well known and connecting port #’s are typically allocated sequentially

• Starting sequence number are chosen in predictable way

• Solution – make sequence number selection more random

23

An Example

Shimomura (S) Trusted (T)

Mitnick

Finger

• Finger @S

• showmount –e

• Send 20 SYN packets to S

• Attack when no one is around

• What other systems it trusts?

• Determine ISN behavior

Showmount -eSYN

24


Mitnick

An Example

• Finger @S

• showmount –e


• SYN flood T




• T won’t respond to packets

Syn flood

X

25


Mitnick

An Example

• Finger @S

• showmount –e


• SYN flood T

• Send SYN to S spoofing as T

• Send ACK to S with a guessed number





• S assumes that it has a session with T

XSYN

SYN|ACK

ACK

26


Mitnick

An Example

• Finger @S

• showmount –e


• SYN flood T

• Send SYN to S spoofing as T

• Send ACK to S with a guessed number

• Send “echo + + > ~/.rhosts”





• S assumes that it has a session with T

• Give permission to anyone from anywhere

X++ > rhosts

27

TCP Layer Attacks

• TCP Session Poisoning• Send RST packet

• Will tear down connection

• Do you have to guess the exact sequence number?• Anywhere in window is fine• For 64k window it takes 64k packets to reset• About 15 seconds for a T1

28

TCP

• TCP senders assume that receivers behave in certain ways (e.g. when they send acks, etc.)• Congestion control is typically done on a “packet” basis while the

rest of TCP is based on bytes

• Problem – misbehaving receiver can trick sender into ignoring congestion control• Ack every byte in packet!• Send extra duplicate acks• Ack before the data is received (needs some application level

retransmission – e.g. HTTP 1.1 range requests)• Solutions

• Make congestion control byte oriented

• Add nonces to packets – acks return nonce to truly indicate reception

29

Where do the problems come from?

• Protocol-level vulnerabilities• Implicit trust assumptions in design

• Implementation vulnerabilities• Both on routers and end-hosts

• Incomplete specifications• Often left to the imagination of programmers

30

Overview

• Security holes

• Firewalls


Introduction

• TCP end-to-end congestion control mechanism implicitly rely on decent endpoints to decide proper data rate.

• But misbehaving senders can send data more quickly, forcing competing traffic to be delayed or discarded. Interestingly, receivers can do the same, too!

• Note that # of receivers is extremely large (all Internet users) and has both the incentive (faster download) and opportunity (open source OSes) to exploit this vulnerability.

31

Quick Review of TCP Congestion Control

• Connection-oriented, reliable, ordered, • byte-stream protocol with explicit flow control• Divides data into SMSS (Sender Maximum

Segment Size), and labels with sequence #s to guarantee ordering and reliability

• When a host receives in-sequence segment, it sends an ACK, if an out-of-sequence segment is received, it sends next expected sequence #

• If no ACK received within a timeout, sender transmits again

32

TCP Congestion Control Algorithms

• Both Slow Start and Congestion Avoidance controls sending rate by manipulating a congestion window (cwnd)

• Slow Start:• Quickly increase and decrease cwnd to roughly

approximate the bottleneck capacity (exponential)

• Congestion Avoidance:• Fine tuning. Increase cwnd more slowly to probe

additional bandwidth that may become available. (linear)

33

Vulnerabilities

• Three types of attack:• ACK division• DupACK spoofing• Optimistic ACKing

• In addition to DoS attacks, these techniques can be used to enhance attacker’s throughput at the expense of behaving clients.

34

Attack #1: ACK Division

• RFC 2581 (most recent TCP congestion control specification at the time of this paper) states

• During slow start, TCP increments cwnd by at most SMSS bytes for each ACK received that acknowledges new data

• …• During congestion avoidance, cwnd is incremented by

one full-sized segment per RTT (round trip time)

• The discord between the byte granularity of error control and the segment granularity of congestion control leads to vulnerability.

35


• The Attack:• When you receive a data segment with N bytes• Divide corresponding ACK into M pieces, where

M N• Each separate ACK covers one of M distinct

pieces of received data

36


• Each ACK is valid since it covers data that was sent and previously unacknowledged

• This leads the sender to grow cwnd M times faster than usual

• Receiver can control this rate of growth, maximum M = N

• As seen in the example, after one RTT, cwnd = 4, instead of the expected value of 2

37

Sample time line for ACK division attack.

Attack #2: DupACK Spoofing

• TCP uses two algorithms, fast retransmit and fast recovery, to decrease the effects of packet loss

• Quoted from RFC 2581• Set cwnd to ssthresh plus 3*SMSS. This artificially

“inflates” the congestion window by the number of segments (3) that have left the network and which the receiver has buffered.

…• For each additional duplicate ACK received, increment

cwnd by SMSS. This artificially inflates the cwnd in order to reflect the additional segment that has left the network.

38


• Two problems with this approach

• Byte vs. segment granularity problem

• TCP requires exact duplicate ACKs, therefore it’s impossible to understand which data segment they correspond to.• There’s no way to differentiate a valid duplicate ACK

with a spoofed one

39


• The Attack

• When you receive a data segment, send lots of ACKs for the last sequence # received (at a start of a connection, this would be for the SYN segment)

40


• The first four ACKs for the same sequence # cause the sender to retransmit the first segment.

• However, cwnd is increased by SMSS for each additional duplicate, for a total of 4 segments

• Since duplicate ACKs are indistinguishable, this attack is also valid.

41

Sample time line for DupACK attack.

Attack #3: Optimistic ACKing

• Since TCP’s cwnd growth is a function of RTT (exponential during slow start, linear during congestion avoidance), sender-receiver pairs with shorter RTT will transfer data more quickly

• Hence, it’s possible for a receiver to emulate a shorter RTT by sending ACKs optimistically for data it has not received yet

42


• The Attack:• When you receive a data segment, send lots of ACKs

anticipating data that will be sent by the sender

• This attack does not preserve end-to-end reliability, e.g. if a packet is lost, it’s unrecoverable• However, new features in HTTP-1.1 allows receivers to

request particular byte ranges• So, data is gathered on one connection and lost

segments are then collected selectively with application layer re-transmissions

43


• What makes Optimistic ACKing more dangerous• After reaching to bottleneck rate, a receiver

sends ACKs in spite of losses• By concealing losses, it eliminates the only

congestion signal available to sender• A malicious attacker can conceal all losses and

leads the sender to increase cwnd indefinitely

44


• Since senders generally send full-sized segments, it’s easy for a receiver to guess the correct sequence # to use in ACKs, but this accuracy is not mandatory

• If an ACK arrives for the data that has not yet been sent, this is generally ignored by sender – allowing the receiver to be more aggressive

45

Sample time line for Optimistic ACKing attack.

Solution to ACK Division

• Ambiguity about how ACKs should be interpreted – violation of 2nd principle

• Two obvious solutions• Increment cwnd only proportional to the amount

of data ACKed• Increment cwnd by one SMSS only when a

valid ACK arrives covering the entire data segment sent• This technique is being used by Linux 2.2.x

46

Solution: Cumulative Nonce

• Sender sends random number (nonce) with each packet

• Receiver sends cumulative sum of nonces

• if receiver detects loss, it sends back the last nonce it received

• Why cumulative?

47

48

Overview

• Security holes

• Firewalls


49

Firewalls

• Basic problem – many network applications and protocols have security problems that are fixed over time• Difficult for users to keep up with changes and

keep host secure• Solution

• Administrators limit access to end hosts by using a firewall

• Firewall and limited number of machines at site are kept up-to-date by administrators

50

Firewalls (contd…)

• Firewall inspects traffic through it• Allows traffic specified in the policy• Drops everything else• Two Types

• Packet Filters, Proxies

InternetInternet

Internal NetworkFirewall

51

Typical Firewall Configuration

• Internal hosts can access DMZ and Internet

• External hosts can access DMZ only, not Intranet

• DMZ hosts can access Internet only

• Advantages?

• If a service gets compromised in DMZ it cannot affect internal hosts

InternetInternet

IntranetIntranet

DMZDMZ

XX

52

Types of Firewalls

• Proxy• End host connects to proxy and asks it to perform actions on its

behalf• Policy determines if action is secure or insecure

• Transport level relays (SOCKS)• Ask proxy to create, accept TCP (or UDP) connection

• Cannot secure against insecure application

• Application level relays (e.g. HTTP, FTP, telnet, etc.)• Ask proxy to perform application action (e.g. HTTP Get, FTP transfer)

• Can use application action to determine security

• Requires applications (or dynamically linked libraries) to be modified to use the proxy

• Considered to be the most secure since it has most information to make decision

54

Types of Firewalls:Packet Filters

• Selectively passes packets from one network interface to another

• Usually done within a router between external and internal network

• What/How to filter?• Packet Header Fields

• IP source and destination addresses• Application port numbers• ICMP message types/ Protocol options etc.

• Packet contents (payloads)

Packet Filters: Possible Actions

• Allow the packet to go through

• Drop the packet (Notify Sender/Drop Silently)

• Alter the packet (NAT?)

• Log information about the packet

55

56

Some examples

• Block all packets from outside except for SMTP servers

• Block all traffic to/from a list of domains

• Ingress filtering• Drop pkt from outside with addresses inside the network

• Egress filtering• Drop pkt from inside with addresses outside the network

57

Firewall implementation

• Stateless packet filtering firewall

• Rule (Condition, Action)

• Rules are processed in top-down order• If a condition satisfied – action is taken

Sample Firewall Rule

58

Dst Port

Alow

Allow

Yes

Any

> 1023

22

TCP22

TCP> 1023

ExtIntOutSSH-2

IntExtInSSH-1

Dst Addr Proto Ack Set? ActionSrc PortSrc Addr

DirRule

Allow SSH from external hosts to internal hostsTwo rules

Inbound and outbound

How to know a packet is for SSH?Inbound: src-port>1023, dst-port=22Outbound: src-port=22, dst-port>1023Protocol=TCP

Ack Set?Problems?

SYN

SYN/ACK

ACK

Client Server

Default Firewall Rules

• Egress Filtering• Outbound traffic from external address Drop

• Benefits?

• Ingress Filtering• Inbound Traffic from internal address Drop

• Benefits?

• Default Deny• Why?

59

Any DenyAnyAnyAnyAnyAnyAny

Any

Dst Port

Any DenyAnyAnyIntAnyIntInIngress

DenyAnyAnyExtAnyExtOutEgress

Dst Addr

ProtoAck Set?

ActionSrc Port

Src Addr

DirRule

Default

60

Packet Filters

• Advantages• Transparent to application/user

• Simple packet filters can be efficient

• Disadvantages• Usually fail open

• Very hard to configure the rules

• May only have coarse-grained information? • Does port 22 always mean SSH?

• Who is the user accessing the SSH?

61

Types of Firewalls

• Stateful packet filters• Typically allow richer parsing of each packet (variable

length fields, application headers, etc.)• Actions can include the addition of new rules and the

creation of state to process future packets• Often have to parse application payload to determine “intent”

and determine security considerations

• Rules can be based on packet contents and state created by past packets

• Provides many of the security benefits of proxies but without having to modify applications

62

Proxy Firewall

• Data Available• Application level information• User information

• Advantages?• Better policy enforcement• Better logging• Fail closed

• Disadvantages?• Doesn’t perform as well• One proxy for each application• Client modification

63

Intrusion Detection Systems

• Firewalls allow traffic only to legitimate hosts and services

• Traffic to the legitimate hosts/services can have attacks

• Solution?• Intrusion Detection Systems• Monitor data and behavior• Report when identify attacks

64

Classes of IDS

• What type of analysis?• Signature-based• Anomaly-based

• Where is it operating?• Network-based• Host-based

Signature-based IDS

• Characteristics• Uses known pattern matching

to signify attack

• Advantages?• Widely available• Fairly fast• Easy to implement• Easy to update

• Disadvantages?• Cannot detect attacks for which it has no signature

65

Anomaly-based IDS

• Characteristics• Uses statistical model or machine learning engine to characterize

normal usage behaviors• Recognizes departures from normal as potential intrusions

• Advantages?• Can detect attempts to exploit new and unforeseen vulnerabilities• Can recognize authorized usage that falls outside the normal

pattern

• Disadvantages?• Generally slower, more resource intensive compared to signature-

based IDS• Greater complexity, difficult to configure• Higher percentages of false alerts

66

Network-based IDS

• Characteristics• NIDS examine raw packets in the network passively and triggers

alerts

• Advantages?• Easy deployment• Unobtrusive• Difficult to evade if done at low level of network operation

• Disadvantages?• Different hosts process packets differently• NIDS needs to create traffic seen at the end host• Need to have the complete network topology and complete host

behavior

67

68

Host-based IDS

• Characteristics• Runs on single host• Can analyze audit-trails, logs, integrity of files and

directories, etc.

• Advantages

• More accurate than NIDS

• Less volume of traffic so less overhead

• Disadvantages• Deployment is expensive• What happens when host get compromised?

15-446 networked systems practicum

Documents

ip source address

source route

host ip address

broadcast addresswith

source routing doesnt

ip weaknesses

source routingarp spoofing

hosts ip addresse