protocol perils

8/3/2019 Protocol Perils

1/77

1

Protocol perils

Hacking the stack


2/77

2

Course announcement

Topics in Cryptography Tom Shrimpton (teshrim at cs . pdx . edu)

http://www.cs.pdx.edu/~teshrim/spring06/info-510.html
http://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.html


3/77

3

Hacking the stack

Protocol attacks at all layers Data-link layer

Network layer

Transport layer

Application layer
http://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.html


4/77

4

Data-link layer hacks
http://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.html


5/77

5

Sniffing

Gathering packets from the local network Passive (wired network with a hub or a wireless network)

Turn on promiscuous mode on NIC

Make NIC accept all data-link layer frames not just its own

Software

Snort (www.snort.org)

tcpdump/ethereal

Sniffit (reptile.rug.ac.be/~coder/sniffit/sniffit.html)

Dsniff (www.monkey.org/~dugsong/dsniff)

Active (wired network built with a switch) Harder (switch prevents data frames from being broadcast)

How can someone sniff switched traffic?
http://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.snort.org/http://www.monkey.org/~dugsong/dsniffhttp://www.monkey.org/~dugsong/dsniffhttp://www.snort.org/


6/77

6

Active Sniffing

Fool the switch into sending the packets to the sniffer MAC Flooding

Send a flood of traffic with random MAC addresses

Fill up the switchs memory

Switches will then forward packets to all links on the switch Dsniff program Macof

ARP spoofing

Send fake ARP replies to change the victims ARP table

Dsniff program Arpspoof

Attacker configures his or her system to forward any traffic it

receives to the router.

Any traffic from the target machine is sent to the attackers machine

before being transferred to the local network.


7/77

7

Spoofing ARP Messages


8/77

8

Question

How do you detect a sniffer on your machine?

Answer

Check to see if your network interface is in promiscuous modeifconfig a => look for PROMISC


9/77

9

Question

How do you detect a sniffer on your network?

Answer

Send a TCP SYN packet to sniffer with bogus MAC address


10/77

10

802.11 vulnerabilities

802.11 MAC layerNodes are identified with a globally unique 12 byte address.

No mechanism for verifying the correctness of the identity

Implicit trust in a speaker's source address.


11/77

11

802.11 deauthentication attack

802.11 clients Authenticate with one or more access

points (AP)

Associate with the AP that they will

route through.

Either end-point can requestdeauthentication from each other.

Attacker spoofs this message to interrupt

data flow

Forces authentication to be

reestablished.

Deauthenticat

ion


12/77

12

802.11 disassociation attack

Similar to Deauthentication attack.

Either end-point can request

disassociation from each other.

Attacker spoofs this message to interrupt

data flow

Forces association to be reestablished.

More attacking messages are required

to get same effect of deauthentication

message Disassociation

Disassociation


13/77

13

802.11 power saving attack

Clients can turn off radio to conserveenergy.

Client tells AP that it is entering

sleep.

AP tells client when to wake up fortraffic.

AP will buffer data and send traffic

indication map (TIM) to client

periodically.

Client wakes up to receive each TIM

and then retrieve data if available.

Client Attacker AP

EnteringSleep

ManagementResponse

TIM

Client Sleeps

Client Wakes

Client Sleeps

TIMClient Wakes

Client Sleeps

TIMClient Wakes

Client Sleeps

Retrieve Data


14/77

14

802.11 power saving attack

Messages are sent in the clear.

Attacker can spoof management

packet and prevent synchronization.

Attacker can spoof client polling and

discard data. Attacker can spoof TIM and convince

client there is no data.

Client Attacker AP

EnteringSleep

ManagementResponse

Client Sleeps

TIMClient Wakes

ManagementResponse

Retrieve Data

Client Sleeps

TIM


15/77

15

802.11 carrier sense attacks

Hidden terminals prevent perfect collision detection. Physical and Virtual carrier-sense mechanisms used to

control channel access.

Both of these mechanisms can be exploited.


16/77

16

802.11 physical carrier-sense attack

Before transmitting frame, node must wait at least asmall interval of time (SIFS for 802.11 ACKs)

Attacker jams channel towards end of SIFS to force all to

back-off (CSMA)

SIFS is 20s for 802.11b Requires 50,000 packets per second to disable all access.

Expensive for attacker


17/77

17

802.11 virtual carrier-sense attack

Each 802.11 frame carries a maximum number of s to reserve channel Specified in NAV

Max value is 32767, or about 32ms.

Attacker persistently reserves channel for maximum duration

Only sends for short time during reservation

Jams all access with only 30 transmissions a second

Not all 802.11 hardware obeys NAV (a bug that saves 802.11 from this attack)


18/77

18

Other data-link layer attacks

WEP Wired equivalent privacy

Initial security scheme for 802.11

Can be broken in under 1 minute

J. Walker, "IEEE 802.11 Wireless LANs Unsafe at any key size; Ananalysis of the WEP encapsulation"


19/77

19

Network layer hacks


20/77

20

IP spoofing

Host fills in its own address in sending packets Implicitly trusted not to forge the entry

Leads to all sorts of problems

Chapter 3 lecture notes

IP spoofing scenario using .rhosts and predictable TCP ISN Establish a blind connection with a remote host


21/77

21

Reflector attacks

Occur at all layers (not just network layer) However, most rely on IP spoofing

A reflector is any IP host that will return a packet or more if senta packet. Reflector cannot easily locate the initiator because of IP spoofing.

Examples: Web servers: return SYN ACKS or RSTs in response to SYN or other

TCP packets.

DNS servers: return query replies in response to query requests.

Routers: return ICMP Time Exceeded in response to TTL expiry or Host

Unreachable messages in response to unroutable IP addresses


22/77

22


23/77

23

ICMP reflectors

ICMP echo Widely used for ping

Smurf attacks

Repeatedly send ICMP ping to broadcast IP address of network that

can receive and respond to directed broadcast (smurf amplifier) Use the victims IP address as the source IP

Victims bandwidth is filled with response packets

Attacks and software

Smurf (ICMP), Fraggle (UDP), and Papasmurf (ICMP and UDP)

www.packetstormsecurity.org/new-exploits/

List of Smurf Amplifiers: www.netscan.org
http://www.netscan.org/http://www.netscan.org/


24/77

24

ICMP reflectors

Other ICMP candidates Timestamp Address mask

Router solicitation

Information request/reply Source quench

Host unreachable

Time exceeded

Parameter problem Redirect.

Need fragmentation.
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/


25/77

25

Routing attacks

Attack Intruder sends bogus routing information to a target and each

of the gateways along the route

Impersonates an unused host

Diverts traffic for that host to the intruders machine

Used to monitor dark IP addresses

Impersonates a used host

All traffic to that host routed to the intruders machine

Intruder inspects packets & resends to host w/ source routing

Allows capturing of unencrypted passwords, data, etc
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/


26/77

26

Routing attacks

BGP Routing Fault Example: ISP mistakenly announced routes to 3000+ prefixes

(destinations) it did not own.

Other ISPs adopt these routes and blackholed traffic to those

sites.

Slides courtesy of Dan Massey
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/


27/77

27

Routing attacks

Internet c.gtld-servers.netrrc00monitor

192.26.92.30

originates route to192.26.92/24

Invalid BGP routes exist in everyones table.

These can include routes to root/gTLD servers

One example observed on 4/16/01:

ISPs announce new path

3 lasted 20 minutes

1 lasted 3 hours

http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/


28/77

28

Routing attacks

BGP routing can direct packets to

false server.

Detected false BGP routes to

root/gTLD severs at major global

ISPs.

Routes lasted up to hours, but were

errors and faulty site did not reply.

Any response from false server

would be believed.

NANOG 25/ICDCS 2003 -protecting BGP routes to DNS

servers

Bell LabsCaching Server

Root serverSpoofed

Root server

Internet Routing

http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/


29/77

29

Routing attacks

Defenses Filtering based on prior information

Messes with fault-tolerance but detects intrusion attempts

Authentication of advertisements

S-BGP
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/


30/77

30

Routing attacks

Spoofing with Source Routing Impersonate system A

Attacker creates packets from system A to B, with the

attackers address in the source route.

Packet sent to system B, but any replies are sent to theattackers machine.

Attacker does not forward them to system A because the connection

would be reset.
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/


31/77

31

ICMP redirect hacks

Targeted Denial of Service (DoS)

Attacker sends ICMP Redirect message to give a bogus route

Attacker sends Destination Unreachable or TTL exceeded messages to

reset existing connections

Attacker sends fraudulent Subnet Mask Reply messages

Blocks communication with target

Defenses

Verify ICMP packet contains a plausible sequence #

Dont modify Global Route Table due to ICMP Redirect messages

Disallow ICMP Redirects?

Check to see if multiple ICMPs from a host agree
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/


32/77

32

NIDS avoidance

NIDS: Network Intrusion Detection System Passively monitor network looking for attacks

Signature analysis done across packets

Challenges

Accuracy: false positives and false negatives

Performance: forensic value of information

Fundamental problem Deployed on a different box

Potentially on a different network

Result

NIDS could see a different stream of packets than host Protocol implementation ambiguities

Different protocol stacks have different behavior
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/


33/77

33

NIDS avoidance

Insertion IDS thinks packets are valid; end system rejects these

Evasion

end system accepts packets that IDS rejects

Denial of Service

resource exhaustion
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/


34/77

34

NIDS avoidance

Confuse the NIDS Invalid MAC addresses?

Invalid headers

Permissive in receiving, frugal in sending?

Bad IP checksum will be dropped?

IP options

IP TTL ambiguity

Packet received or not?

Packet too large for downstream link?

Source-routed packets

Will destination reject such packets?

Fragment time-out

Will other parts of fragment still be at destination?

Overlapping fragments

Which data will be used?
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/


35/77

35

NIDS avoidance

Exhaust resources on NIDS CPU, Memory, Network Bandwidth

Fragmentation Send large numbers of fragments

CPU: data structure attack

Memory: space attack Can lead to DOS (teardrop, jolt2)

Fragrouter

Automatically fragment all packets

Accepts IP packets routed from another system and fragments these

packets according to various schemes Generate large numbers of false positives

Separating script kiddies from sophisticated hackers

Separating wheat from chaff
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/


36/77

36

Transport layer hacks
http://www.netscan.org/http://www.netscan.org/


37/77

37

TCP session reset and hijacking attacks

Problem

TCP stacks with predictable sequence numbers

See Chapter 3 lecture notes on TCP ISN selection and the Mitnick attack

TCP reset attacks

Uses similar approach to terminate an existing connection

Send a spoofed TCP RST with guessed sequence numbers

BGP session reset

TCP hijacking

Attacker inserts itself into path

Already on the path or via ARP spoofing

Sniff to find sequence numbers of victim connection

Attacker takes over existing connection using spoofed packets and

dropping packets of one of the end-points
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/


38/77

38

TCP session hijacking

Problem

Attacker not along path ofhijacked connection

Attacker sends system Bpackets with system As IPaddress

System A notices a mismatchin TCP sequence numbers

Sends ACK packets toresynchronize the numbers.

Continual retransmission ofACK packets is known as anACK storm.

Most hijacking tools cannot

cope with the ACK storm andthe connection will bedropped.
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/


39/77

39

TCP session hijacking

Hunt (www.packetstormsecurity.org/sniffers/hunt ) 2 methods to keep session alive

Use ARP spoofing to keep connection from being dropped

Attempt to resynchronize the connection

Send a message to system A saying: msg from root: power failure try

to type 88 characters, (where 88 is the number of chars. that the attackertyped during the hijacking)

Increments the sequence number of system As TCP stack to where it

should be.

Two new ARP spoof messages are then sent, restoring the correct MAC

addresses.
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.packetstormsecurity.org/sniffers/hunthttp://www.packetstormsecurity.org/sniffers/hunthttp://www.packetstormsecurity.org/sniffers/hunt


40/77

40


41/77

41

TCP SYN flooding

Attacker sends many connection requests w/ spoofed source

addresses to victim Victim allocates resources for each request

Finite # half-open connection requests supported

Connection requests exist for TIMEOUT period

Once resources exhausted, all other requests rejected

Normal connection est. Syn Flooding attack


42/77

42

TCP SYN flooding defenses

System Configuration Improvements Reduce timeout period

Increase length of backlog queue to support more connections

Disable non-essential services to make a smaller target

Router Configuration Improvements

Configure router external interfaces to block packets with sourceaddresses from internal network

Configure router internal interfaces to block packets to outside that havesource addresses from outside the internal network

TCP SYN cookies

Make handshake stateless on server end Server makes ISN a function of a secret nonce it keeps and pieces of the

SYN connection ID

Only create TCB and establish connection upon verifying clients ACK


43/77

43


Firewall as a Relay

Firewall answers on behalf of

Destination

Disadvantages

Adds delay and overhead

Pushes problem to firewall


44/77

44


Firewall as a Semi-transparent Gateway Firewall forges the 3rd handshake (ack) from the client to the destination This moves connection out of backlog queue, freeing resources

Sends RST packet if no subsequent ACK received from client

Eventual ACK from a good client will be ignored as a duplicate

Disadvantages:

Large # illegitimate open connections if system under attack

Must very carefully choose timeout periods


45/77

45


Attack w/ semi-transparent

gateway

Legit connection w/ semi-

transparent gateway


46/77

46

TCP congestion control avoidance

Attempt to trick sender into ignoring congestion control

ACK division Receiver can acknowledge every byte in segment with a separate ACK

Leads Sender to grow cwnd faster than normal.

Solution to ACK division

Modify congestion control to guarantee segment-level granularity Only increment MSS when a valid ACK arrives for the entire segment.

Bunch ofacks

Burst 1 RTT later


47/77

47


Duplicate Ack Spoofing Receiver sends multiple acks/sequence #

no way to tell what segment is being acked

Causes sender to enter fast-recovery mode and inflate cwnd

Solution to Duplicate Ack Spoofing

Add new fields to TCP headers. nonce & nonce-reply random values sent with segments and replies Only increment cwnd for ACKs with previously unseen nonces

Burst of dup acks

Sender enters

Fast Recoveryand bursts 1 RTTlater


48/77

48


Optimistic ACKing

Send acks for segments not yet received

Decrease perceived RTT, affecting CW growth.

Segment acks

Segs arrive


49/77

49


Solution to optimistic acking:

Cumulative Nonce

Sender sends random number

(nonce) with each packet

Segment size slightly

randomized Receiver sends cumulative sum

of nonces

if receiver detects loss, it sends

back the last nonce it received

Requires modifications to stack


50/77

50

TCP congestion control attacks

The shrew attack

Use knowledge of TCP congestion control to shut out a

victim

Time packet bursts to disable victims retransmissions and

force exponential back-off


51/77

51

TCP reflectors

TCP stack can be made to reflect via

SYN ACK by sending an initial SYN with spoofed IP address

Filtering leads to no-remote access.

RST by sending a FIN.

Countermeasures problematic Filter out SYN ACKs

Leads to disabling access to services

Filter out RST

Results in clogging of stale connections state


52/77

52

NIDS avoidance

TCP tricks to confuse or disable NIDS TCP Options fields

Will packet be accepted?

Will option be processed?

Destination might be configured to drop weird options

Old TCP timestamps (PAWS) Destination might be configured to drop

TCP RSTs with weird sequence numbers Is connection reset?

TCP handshake time-out Will TCB still be at destination?

TCP stream reassembly with overlapping segments Rewrite old data or not?


53/77

53

Application layer hacks

fi


54/77

54

DNS spoofing

Problem

No authentication of responses

Any DNS response is generally believed.

No attempt to distinguish valid data from invalid.

Responses can contain entries that should not be trusted but are

Responses are cached

Just one false root server could disrupt the entire DNS.

Attacks Inject bogus DNS responses

Attach additional bogus entries in valid DNS responses (especially for

internal names)

ApplicationRemote Name Server

(?)

Local Name Server

(Trusted)Resolver

*Firewall

DNS fi


55/77

55

DNS spoofing

DNS spoofing


56/77

56

DNS spoofing

Caching

DNS Server

Sanjoys

Laptop

www.darpa.mil A?

www.darpa.mil

A 128.9.128.127

Root DNS Server

mil DNS Server

darpa.mil DNS Server

Dans

Laptop

Easy to observe UDP DNS query sent to

well known server on well known port.

www.darpa.mil

A 192.5.18.19

First response wins. Second response is

silently dropped on the floor.

DNS h i i


57/77

57

DNS cache poisoning

ns.attacker.com

Bell Labs

Caching Server

Remote attacker

Query

www.attacker.com

Response

www.attacker.com A 128.9.128.127

attacker.com NS ns.attacker.comattacker.com NS www.google.com

ns.attacker.com A 128.9.128.2

www.google.com A 128.9.128.127

Any Bell Labs Laptop

Query www.google.com

www.google.com

= 128.9.128.127

DNS h i i


58/77

58

DNS cache poisoning

Defenses

DNS Proxy

Filter

Drop malformed packets

Verify

Does the answer, really answer the query made?

Was the answer received from the appropriate server?

Proxy performs checks on the answers from outside DNS servers

A th ti ti DNS R


59/77

59

Authenticating DNS Responses

Attack fundamental problem

Resolver cant distinguish between valid and invalid data in a response.

Add source authentication

Verify the data received in a response is equal to the data entered by the

zone administrator.

Each DNS zone signs its data using a private key. Query for a particular record returns:

The requested resource record set.

A signature (SIG) of the requested resource record set.

Resolver authenticates response using public key.

Public key is pre-configured or learned via a sequence of key records in the

DNS heirarchy.

Secure DNS Query and Response


60/77

60

Secure DNS Query and Response

Caching DNS Server

End-user

www.darpa.mil

www.darpa.mil =

192.5.18.195

Plus (RSA) signature by darpa.mil

Attacker can not forge this answerwithout the darpa.mil private key.

Authoritative DNS Servers

Challenge: add signatures to the protocol

manage DNS public keys

M i th iddl tt k


61/77

61

Man-in-the-middle attacks

Web proxying

Attacker runs webmitm feature on Dsniff and uses DNS spoofing Use DNS spoofing to have all HTTP and HTTPS traffic go to webmitm

Target connects to attackers machine and SSL connection is established.

Attackers system establishes a SSL connection with the server the target isattempting to access.

Webmitm acts as proxy with two connections From the targets system to the attackers machine

From the attackers machine to the actual server the target was trying to reach

Note: the target receives attackers certificate, not the certificate of theserver the target is trying to reach.

User receives warning about a certificate that is not signed by a trustedcertificate authority (Who pays attention to those?)

Webmitm displays the contents of the SSL session on the attackers screen

SSH proxying Similar to above with sshmitm (another Dsniff feature)

M i th iddl tt k


62/77

62

Man-in-the-middle attacks

Di t ib t d D i l f S i


63/77

63

Distributed Denial-of-Service

Take control of large numbers of machines (zombies)

Use collection of zombies (Botnet) to knock out target

service

Example: TFN2K

www.packetstormsecurity.nl/groups/mixter/index2.html

Di t ib t d D i l f S i
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html


64/77

64

Distributed Denial of Service

DNS DoS attacks

DNS root server attack

DDoS attack disabling 9 of the 13 DNS root servers (10/2002)

Bringing down all 13 root servers is frequently mentioned as a worst

case scenario that would cripple the Internet.

Local DNS name server attack

Send large set of valid queries to victim

Use arbitrary names to thrash cache

Solution: Provide filtering in name servers so as to only serve

recursive queries from local addresses

P k t f d th
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html


65/77

65

Packet of death

Send a malformed packet. Different platforms may be

susceptible to different types of malformed packets.

These packets have structures that the TCP/IP stacks

cannot anticipate, causing the system to crash.

Malformed packet suites available at:www.packetstormsecurity.org/DoS

Application la er reflectors
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html


66/77

66

Application layer reflectors

DNS

Reflector sending DNS reply in response to a spoofed DNS

request.

Victim can configure its local DNS servers so as to filter out

unknown DNS server responses.

If the victim is an authoritative name server

Attacker queries a large number of local DNS servers which in turn

recursively query the Victim.

Victim server gets bombarded due to multiple queries.

http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html


67/77

67


HTTP proxies

HTTP proxy caches provide a way that an HTTP client can manipulate a

proxy server into initiating a connection to a victim web server.

HTTP proxy servers act as reflectors for the DDOS attacks.

Limitations

Proxies can be configured to serve a restricted set of clients. Not enough proxies to constitute a large pool of possible reflectors.

Connection between slave and the reflector cannot be spoofed unless the

reflecting proxy has predictable sequence numbers

Logging helps in identifying the slaves location.

Definitely a major threat if proxies running on stacks with predictable

sequence numbers are widely deployed.

http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html


68/77

68


Gnutella

Provides a push facility that instructs the server to connect to a given

IP address and port in order to deliver the Gnutella item.

Gnutella connection to the IP host is separated from the initial client

making it impossible to trace back to the slave.

Fix Modify the protocol to include path information with push directives

Gnutella could be a major problem for DDOS reflector attacks.

http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html


69/77

69


SNMP (UDP-based request/reply)

Sites that fail to block off-site access to SNMP provide a

large number of reflectors.

SNMP attack is sourced at port 161.

Filtering out the external SNMP messages leads to majorproblem for service providers.

Configure the filter to receive SNMP messages from interested hosts

Game protocols

Quake Qstat (UDP) Counter-strike clients (UDP)
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html


70/77

70

NIDS avoidance
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html


71/77

71

NIDS avoidance

Confuse NIDS at application-layer

Addition of interpreted characters (^H)

How does OS interpret?

References
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html


72/77

72

References

C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, D.

Zamboni, "Analysis of a Denial of Service Attack on TCP" S. Bellovin, "Security Problems in the TCP/IP Protocol Suite"

S. Bellovin, "Defending against sequence number attacks"

S. Bellovin, "Packets Found on an Internet"

R. Morris, "A Weakness in the 4.2BSD Unix TCP/IPSoftware

B. Cheswick, S. Bellovin, A DNS Filter and Switch forPacket-filtering Gateways.

S. Savage, N. Cardwell, D. Wetherall, T. Anderson, TCPCongestion Control with a Misbehaving Receiver.


73/77

73

Extra slides

TCP for Transactions (T/TCP) reflectors
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html


74/77

74

TCP for Transactions (T/TCP) reflectors

Spoof initial SYN packet with acceptable seq. no.

Make an expensive request.

Factors that limit the T/TCP attack

T/TCP server will begin in slow start.

Unless the servers stack has predictable seq. no. Amenable to stateless packet filtering.

T/TCP is not widely deployed.

IP Address Spoofing
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html


75/77

75

IP Address Spoofing

Used to disguise the IP address of a system.

Three ways an IP address can be spoofed: changing the

IP address, undermining UNIX r-commands, and

spoofing with source routing

Changing the IP address: The attacker can either

reconfigure the whole system to have a different IP

address or use a tool (Nmap or Dsniff) to change thesource address of outgoing packets. Limitation: the

attacker cannot receive any responses.

Undermining UNIX r Commands:


76/77

76

Undermining UNIX r-Commands:

Attacker finds two computers with a trust relationship

Send a bunch of TCP SYN packets to target and see how the initial

sequence numbers change

A DoS attack is sent to other system

Attacker initializes a connection with target system, using the IP

address of the other system

Target system sends TCP SYN and ACK packets to other system,which is dead

Attacker estimates initial sequence number of other system and

sends TCP ACK packet back

If initial sequence numbers match, attacker has successfully gained

one-way access to the target.

Undermining UNIX r-Commands
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html


77/77

Undermining UNIX r Commands
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html

protocol perils

Documents