Final Flashcards

Question

What is path attestation?

Answer 1

Each AS signs and appends a path attestation to each route advert. If you have AS1 => AS2 => AS3 Then AS1 would send {2, 1}k1 (where k1 is the signature of AS1) to AS2 and then AS2 would send {3, 2, 1}k2, {2,1}k1 to AS3 So each hop see's who the route was intended for and who signed it along the way. Prevents against: - Hijacks - Shortening - Modification Can't protect against - Suppression - Replay

Answer 2

Since DNS queries are UDP (Connectionless) and there is is not authentication, after someone sends a request, the attack can reply before the request comes back (from the master) with a flood of ID's. If one of the ID's matches, then the cache is poisoned until it expires.

Answer 3

1. use an ID (but it can be guessed) 2. randomize the ID (16 bit, only, though) - b/c of birthday paradox, attacker can send only a couple hundred replies instead of all 2^16. 3. randomize the source port - resource intensive - NAT could derandomize port 4. 0x20 Encoding -> DNS is case insensitive * www.GooGle.com == www.google.com * idea is their is a key that randomizes the capitalization and that must also match - ultimately adds additional entropy

Answer 4

attacker makes small DNS queries (~60B) but uses a spoofed source IP. The response may be 3000B, so you get a 2x order of magnitude response. If attacker has fast connection they can send a lot of data and then it gets amplified in return to the victim. Solutions are: * prevent ip address spoofing using appropriate filtering rules * disable DNS resolve from resolving queries from arbitrary locations on the internet

Answer 5

Each Authoritative Name server in hierarchy returns not only referral, but signature containing ip address + public key of authoritative NS that corresponds to that referral. this PK allows resolver to check signatures of next lower level of hierarchy. This continues until the bottom.

Answer 6

Virus: infection of existing program that results in modification of original programs behavior. Usually requires user interaction. Worm: code that propagates/replicates across the network.

Answer 7

Parasitic - infects executable file Memory Resident - Infects running programs Boot Sector - Spreads when system is booted Polymorphic - encrypt part of virus program sing randomly generated key

Answer 8

1. Discover / scan for vulnerabilities 2. Infect vulnerable machines via remote exploit 3. Prevent being discovered.

Answer 9

``` K = initial compromise rate N = vulnerable hosts a = fraction of hosts already compromised ``` Nda = (Na) * K(1-a) dt a = e^(K(t-T)) / (1+e^(K(t-T))) The initial number of hosts is the biggest indicator to how quickly it spreads.

Answer 10

1. Content Based (easy to evade) 2. IP Address of sender (Blacklist) - can be ineffective b/c can use BGP IP Prefix hijack to temporarily hijack a prefix, send spam from those addresses, then withdrawl 3. Behavioral Features (geographic location of sender/receiver, set of targets, upstream isp, botnet?)

Answer 11

Attempt to exhaust resources: - Network bandwidth - tcp connections - server resources

Answer 12

Ingres Filtering - drop if packet IP from a stub does not come from the IP address range that stub owns. + fool proof, works at the edge - doesn't work in the core uRPF checks - Check your routing table to see if the IP address coming in on an interface is from a subnet you would SEND to on that interface. + automatic - requires symmetric routing TCP Syn Cookies - Server waits to establish connection. When syn packet sent, calculates a sequence number and sends in SYN-ACK, when client responds with ACK (including that seq number), it recomputes seq number to make sure it matches. Then it establishes the connection.

Answer 13

Monitor some portion of the IP address space and watch for data proportional to the attack rate. m = x * (2^32 / n) or x = m * (n / 2^32) where: m = total attack rate x = backscatter in packets per second (observed attack rate) n = number of ip addresses you're monitoring

Answer 14

Backbone networks - can easily install a null route to stop attack traffic to a victim Data Centers - migration/provisioning of VMs. All you need to do is update the switch state in the routers for the newly provisioned systems so data still goes to the right machines. Much more easily attained when done from a centralized location.

Answer 15

The lowest level switch and all its servers are considered a 'pod'. Each pod has an address and each server within that now has a pseudo MAC. Switches now only need to maintain switch table entries for reaching other pods. Once frame enters pod, the local switch then handles it. Ultimately, each switch doesn't have to maintain separate entries for EVERY server, only the pods. One problem is mapping the pseudo mac to real mac, and what to do with ARP queries. ARP queries are intercepted by switch and sent to fabric manager, who replies back with the pseudo mac for intended target host.

Answer 16

The fabric manager is a user process running on a dedicated machine responsible for assisting with ARP resolution, fault tolerance, and multicast. Could run as a redundantly separated host or on a separate control network.

Answer 17

- pod.position.port.vmid ``` Pod = pod number of the edge switch Position = position in the pod Port = switch=local view of the port number the host is connect to Vmid = multiplex multiple VM’s on the same machine ``` vmid's are assigned incrementally and reuses them if they don't have traffic for a long enough period of time. Using AMACs, switch state size is O(n), where n is the number of virtual hosts in the data center, whereas state size is O(k) for PMACs, where k is the number of ports on switches used to construct the fat tree network.

Answer 18

Need to know: N - number of racks/switches k - number of ports r - number of ports to be used for switches Then approximation algorithm used with inputs N, k, r to generate RRG(N, k, r).

Answer 19

randomly remove another link from the system (at both ends) and connect one of each of the open ports to where each end you removed used to connect to. No - no longer uniformly random as if you had started over and re-cabled.

Answer 20

● A BGP message could be sent to a router by some host (e.g., a remote attacker) that is not the router's legitimate neighbor ○ Note that although BGPSec provides session authentication, this kind of attack can also be prevented without BGPSec by using the “TTL Hack”. ● An AS could lie about being the origin of a particular subnet (i.e., claiming that the AS contains a subnet when it does not, in fact) ○ BGPSec prevents this by providing certificates that sign the origin claim ● An AS could lie about the AS-path to a particular subnet (i.e., claiming that there is a path through the AS when there is not, or that there is a more efficient path than there really is) ○ BGPSec prevents this by providing a chain of signed paths, each partial path in the chain being signed by the AS that advertised that part of the path

Answer 21

By not allocating resources until the receiving the final ACK from the client. Client : SYN -> Server: generates cookie and sends SYN/ACK with cookie value as initial sequence number -> Client sends back ACK (with sequence # = cookie + 1), then server can check to see if it was legitimate by subtracting 1. If checks out, it will allocate resources to connection.

Answer 22

Groups often 'rewire' with each other, forming short lived groups where one is connected to a legitimate AS. This provides connectivity and protection for the group. May connect directly to a legitimate upstream provider, but they may change frequently. Advertises small portions of ip address space so if they get blacklisted they can quickly jump to another. ASWatch observes control plane behavior (BGP traffic) in order to assess whether an AS is malicious or not. (1) AS rewiring captures aggressive changes in AS connectivity; (2) BGP routing dynamics capture routing behavior that may reflect criminal illicit operations; and (3) Fragmentation and churn of the advertised IP address space capture the partition and rotation of the advertised IP address space.

Answer 23

-BGP does not validate information in routing announcements, so a manipulator can announce any path they want and claim ownership of a victim’s IP prefix. -Origin Authentication uses a trusted database for verification so an AS can’t claim ownership of a victim’s IP prefix, but they can still announce a path that ends at the proper AS, although the path does not physically exist. -soBGP uses origin authentication and a trusted database to guarantee that any path physically exists, but the manipulator can advertise a path that exists but is not actually available. -S-BGP uses path verification, which limits a single manipulator to announcing available paths, but they could announce a shorter, more expensive, provider path while actually forwarding traffic on a cheaper, longer customer path. -Data plane verification prevents an AS from announcing a path and forwarding on another, so the manipulator must actually forward traffic on the path he is announcing. -Defensive filtering polices the BGP announcements made by stubs. With the model in the paper, each provider keeps a prefix list of the IP prefixes owned by its direct customers that are stubs. If a stub announces a path to any prefix it doesn’t own, then it is dropped. In this way, if all providers correctly implement this it eliminated attacks by stubs.

Answer 24

Announce the shortest legitimate available path to everyone instead of the normal path.

Answer 25

Announcing longer paths can be better than announcing shorter ones. In the example given in Figure 9 of the paper, advertising the shortest path will only pick up traffic from one small provider. Announcing a longer path to the large provider, will attract more traffic overall as the large provider will prefer this path over the shorter, peer path as it will be cheaper. It is better for the manipulator to attract traffic from larger AS. This strategy will work against any secure routing protocol, except when launched by stubs in a network with defensive filtering, because it is only implementing a different export policy than usually used. Announcing to fewer neighbors can be better than announcing to more. In this strategy, by not exporting to certain Tier providers, customer paths to the victim can be eliminated and influential ASes will be forced to choose shorter peer paths over a longer customer path because the customer path was not made known to them. This will work against any secure protocol as it is just using a clever export policy to manipulate traffic. Be selective. The identity of the ASes on the announce path matters since it can be used to strategically trigger BGP loop detection. With false loop prefix hijack, the manipulator claims an innocent AS originates the prefix to his provider. But when the false loop is announced, BGP loop detection will cause the AS to reject the path, removing the customer path from the network. This will force large ISPs to choose shorter peer paths. Unlike the first two attacks, this one will only work against BGP, origin authentication or soBGP because it involves false advertising of the path announced by an innocent AS.

Answer 26

* Crossfire attacks use legitimate IP addresses instead of spoofed ones - no ingress filtering * They don’t use unwanted traffic - the requests are legitimate requests. * They use low intensity traffic instead of huge streams of traffic - can’t distinguish unwanted traffic from wanted traffic

Answer 27

To avoid detection and indefinitely continue attack on the target. They don’t want to leave each attack going for so long that it triggers a change in the network topology. Could have negative effects for the attack itself.

Answer 28

Off Path - They aren’t on the path to the DNS Resolver and can’t observe the request. They generally try to trigger a request and then spam the DNS Resolver hoping to get a match. On Path - They can observe the request to the DNS resolver directly. They can forge DNS request replies and as long as their response comes back sooner than real one, they would be accepted. In Path - They are like a man in the middle - but more difficult to deploy b/c they need to intercept packets. Hold on can’t help here. They can block and modify packets.

Answer 29

Once a DNS query is submitted, instead of just accepting the first response it gets back, it waits a period of time for another response. It checks the TTL and the response time against expected values. If response time is < 0.5 * expected, it doesn’t accept that response. It also rejects if the TTL is incorrect. So a match is one where the TTL is matched and the response time within expected range. If no match, returns last invalid response. If DNSSec is used, returns first valid signed response. If not DNSSec response within hold-on, returns DNSSec error.

Answer 30

Separates the control plane from the data plane. SDN is a way to abstract, easily program, control, and distribute filtering, forwarding, and packet modification rules. It defines how various pieces of hardware operate from a higher level, centralized logic controller. Network Virtualization is the ability to have multiple logical networks simultaneously exist on the same set of physical hardware without interfering with each other. How can we use network virtualization to evaluate and test SDNs? Because we can deploy different versions of the SDN on the same physical network using virtualization.

Answer 31

* Useful in research - allows multiple people to use the same underlying physical hardware, but be ‘on a different network’ so they don’t interfere with each other. * Useful - multi-tenant data centers * Useful - Computer networking classes * Not useful - overkill for home networking or possible your office * Networks highly sensitive to latency are not a good option b/c of overheads associated with virtualization

Answer 32

Pyretic is much faster to develop in with a higher level interface and makes everything much easier to reason about. You can easily apply normal CS techniques and software principles when designing the controller.

Answer 33

Connects to openflow clients, interprets packets and checks them against policies, then installs the low level rules on the hardware devices on the network.

Answer 34

* The topology and the traffic * Topology - capacity of each link and router * Traffic - simple counters

Answer 35

* Adjusting link weights. This is how link weights are more often used (as opposed to any ‘real’ property of the link, eg, bandwidth or congestion, etc) * Use SDN to directly control routes used on the network

Answer 36

* Local preference * AS path length * multi_exit_discriminator (MED)

Answer 37

* Can support up to 25% more servers * More nodes are reachable given a certain number of hops (eg, 4 hops) * Incremental expansion * Network load balancing

Answer 38

* Cabling - could require tons of cabling | * Doesn’t handle heterogeneous switches well (different sized switches)

Answer 39

By never decrementing the TTL value so it never runs out on their machine and times out.

Answer 40

DNS poisoning - when DNS sends query to resolver, someone spam replies with an illegitimate request (guessing the entropy) and if accepted it will be cached, now the traffic goes to the MITM.

Answer 41

Send a gratuitous ARP response (without request) spoofing some else’s MAC so that traffic meant for them comes to you. Often can be for the default gateway so everyone’s traffic comes to you. You associate your IP address with someone else’s MAC.

Answer 42

Instead of using a fat tree, use this RRG. You basically, uniformly, randomly connect top of rack switches to each other and end up being able to support more hosts and more hosts can reach more other hosts at a lower number of hops. Cabling is a problem and all switches should at least have the same or more number of ports (or more).

Answer 43

Scaling a fat tree network at layer 2 is hard b/c each switch has a flat map of the entire topology, which can be huge. Instead, put lowest level hosts and their switches into PODs. Then have a fabric manager that responds to ARP requests with a pseudo mac (defined by the pod.postion.port.vmid). This guy can live as it's own host either on the same network or on another network. Now switches only need to hold entries for other switches and the hosts within it's POD.

Answer 44

Why make an attack look like an attack, when you can have the same effect by using normal, low rate traffic spread out over lots and lots of bots? The idea is that you analyze the target area you want to attack, find the common links that go to that area, then setup lots of bots to send legitimate requests to proxy servers (legitimate hosts) that will also use those links. Then you have the bots send small requests, maybe every second, so it looks like normal traffic and they are legitimate requests, however, ALL those requests are going through a target link which will overload it and thus create a DOS to the target area for anything else trying to get through that link. You can 'roll' this attack, eg turn on/off chunks of bots so that you keep the attack going, but don't cause a change in the routing table that may move traffic off the target link.

Answer 45

On-Path DNS poisoning is the easiest to implement b/c the DNS server accepts the first response it receives from a DNS resolver. Basically the moment you see the request go out, you spam back spoofed DNS replies with enough entropy that you are likely to get a match before the legitimate reply comes back. To protect against this the DNS server should do the following: - send normal DNS requests for non-blocked, un-interesting locations - get an avg of the response time and resulting TTL - When the DNS server sends future requests, instead of accepting the first response, wait a period of time for other responses - Check responses against the expected TTL and response time. If those match, use that DNS response - If none match within the given time period, use the last received un-validated response

Answer 46

Bulletproof AS's are those that generally are illegitimate and out to cause problems instead of serving as a legitimate AS - they are dedicated to supporting cybercrime. ASWatch is a system that uses the control plane to monitor BGP route activity to determine if an AS is suspected of being a naughty one. It looks at how they rewire together, size of their advertised prefixes (they usually use small ones so they don't get everything they own blacklisted at once), and how often and long they advertise their prefixes.

Answer 47

Evaluation of various BGP Security protocols to 'smart attacks'. BGP - doesn't really protect against anything. Has no mechanisms for validating information in routing announcements. Manipulator can announce any path they want. Origin Authentication - Uses trusted DB to guarantee that an AS cannot falsely claim to be owner of an IP prefix. Manipulator CAN announce any path that ENDS at at the AS that rightfully owns the victim IP prefix. soBGP - (Secure Origin BGP) - uses origin authentication + additional trusted database that guarantees that any announced path physically exists in the AS-level topology. Manipulator can still announce path that exists but is not actually available. S-BGP - (secure BGP) - uses origin authentication + cryptographically-signed routing announcements to provide path verification. Limits a single manipulator to announcing available paths only. They can still announce a shorter legitimate path (even if it's a provider router, that could cost money), but that doesn't mean they will use it. They may still send the data along a longer path. Data-Plane verification - prevents an AS from announcing one path, but then forwarding on another. (this prevents what was discussed in S-BGP) Defensive Filtering - polices BGP announcements made by stubs. Stub should never announce a prefix that it does not own (b/c it has no customers). In this case, each provider keeps a list of the prefixes owned by each of its direct customers that are stubs. If stub announces any prefix it doesn't own, the provider drops the packet. Defensive filtering is basically on par with S-BGP and data plane verification.

Final Flashcards

(71 cards)