1
Q
Historical BGP routing attacks
A
- In April 2010, China advertised 50,000 IP prefixes from 170 countries. Lasted for ~20 minutes and appears to have been accidental. The prefixes were long enough so that they didn’t disrupt existing routes.
- The fact that they could leak in the first place highlights vulnerability of BGP.
- BGP basically allows any AS to advertise an IP prefix to a neighboring AS, and that AS will just believe it, and advertise that route to the rest of the internet.
- These events where an AS advertises a prefix that it does not own are called route hijacks. They tend to occur more often than one might expect.
- In Feb 2008: Pakistan “hijacked” the YouTube prefixes, potentially as a botched attempt to block YouTube in the country following a government order.
- Resulted in a disruption of connectivity to YouTube for people all around the world.
- In Jan 2006, ConEdison accidentally hijacked a lot of transit networks, including Level 3, YooNet, and several other large ISPs disrupting connectivity to many customers.
- In April 1995: AS 7007 incident, where this AS advertised all of the IP prefixes on the entire internet as originating in its own AS, resulting in disruption of connectivity to huge fractions of the internet. This case is pretty famous.
2
Q
Popular/effective ways of mounting an attack on naming/DNS
A
“Reflection” or “DNS Reflection”
- A way of generating very large amounts of traffic targeted at a victim in an attack called a Distributed Denial of Service (DDOS) attack (pronounced “dee-dos”)
- DDOS attacks are extremely common and can be mounted in a variety of ways. They can be mounted in ways other than Reflection. We’ll explore some others later.
- Another type of attack on the naming system is Phishing, whereby an attacked exploits the domain name system in an attempt to trick a user into revealing personal information such as passwords on a rogue website
3
Q
What makes the internet insecure?
A
- The internet’s design is fundamentally insecure.
- The internet was designed for simplicity, and as a result, security was not a primary consideration.
- The internet is on by default, meaning when a host is connected to the internet, it is by default, reachable by any other host that has a public IP address. This means that if one has an insecure host, that host is effectively wide open to attack by other hosts on the internet.
- This was not an issue when the internet started out as a small number of trusted networks, but as it has grown, this on-by-default design has come under fire.
- Reason the on-by-default model does not work well:
- Hosts are insecure: makes it possible for remote attacker to compromise a machine connected to the internet and commandeer it for the purposes of attack
- In many cases, an attack might look like “normal” traffic.
- Example: in an attack on a victim web server, every individual request might look normal, but the collection of requests together mounted as parr of a DDOS attack, might add up to a volume of traffic that the server is unable to handle.
- Federated design: obstructs cooperation for diagnosis or mitigation. Because the internet is run by 10s of 1000s of independently operated networks, it can be difficult to coordinate a defense against an attack.
4
Q
Which of the following make the internet’s design fundamentally insecure?
- On by default
- IP addresses are easy to guess
- Attacks look like normal traffic
- Federation
A
- On by default
- Attacks look like normal traffic
- Federation
5
Q
Resource exhaustion attacks
A
- One of the internet’s fundamental design tenants is Packet Switching
- In a packet-switched network, resources are not reserved, and packets are self-contained. Every packet has a destination IP address, and each packet travels independently to the destination host.
- A link may be shared by multiple senders at any given time using statistical multiplexing.
- Packet switched networks allow for high utilization, but also have drawback that a large # of senders can overload a network resources such as a node or a link. Note that circuit switched networks like a phone network do NOT have this problem.
- Therefore, packet-switched networks are extremely vulnerable to resource exhaustion attacks.
- Resource Exhaustion attacks a basic component of security known as availability.
- In a packet-switched network, resources are not reserved, and packets are self-contained. Every packet has a destination IP address, and each packet travels independently to the destination host.
6
Q
Components of Security
A
- Availability: ability to use a resource
- Confidentiality: concealing information
- Example: for a sensitive banking transaction, or a private conversation, you’d like the internet to provide some level of confidentiality
- Authenticity: assures the identity of the origin of a piece of information
- Example: if you’re reading a news article, you want to know that it actually came from the New York Times website as opposed to some other place on the internet
- Integrity: want to know that information wasn’t modified in flight. Prevents unauthorized changes to information as it traverses the network.
7
Q
Security Threat
A
anything that may cause a violation of one of these properties
8
Q
Attack
A
an action that results in the violation of one of these security properties
9
Q
Difference between a threat and an attack
A
potential vs. action
10
Q
Attaks on confidentiality
A
- Eavesdropping: attacker “Eve” might gain unauthorized access to information being sent between Alice and Bob. Example: Alice and Bob chatting on IM, or Alice sending email to Bob, the potential exists (AKA there is a threat) that Eve might be able to hear that communication.
* Various packet sniffing tools such as WireShark or TCPDump that set a machine’s network interface card into what’s called promiscuous mode. If Alice, Bob, and Eve are on the same local area network where packets are being flooded (i.e. connected by a hub, or if the learning switch did not have an entry for Alice or Bob), then Eve might be able to hear some of those packets.
* If NIC is in promiscuous mode, then Eve’s machine will be able to capture some of the packets that are being exchanged between Alice and Bob
* Different aspects of communication can provide attacker with different information.
* Ability to capture DNS lookups can provide attacker with information about what websites you’re visiting
* Ability to capture packet headers might give attacker information about where you’re exchanging traffic, and what types of applications you’re using
* Ability to see a full packet payload would allow an attacker the ability to effectively see every single thing that you’re sending on the network, including content you’re exchanging with other people.
11
Q
MITM
A
Man in the Middle Attack
Eve could suppress Alice’s original message, and she could effectively impersonate Bob or Alice
12
Q
A Denial of Service is an attack on what property of internet security?
- Availability
- Confidentiality
- Authenticity
- Integrity
A
Availability
Note: if an attacker is distributed, a Denial of Service attack is called a Distributed Denial of Service Attack
13
Q
Negative impacts of attacks
A
- Theft of confidential information
* Unauthorized use of network bandwidth or computing resources
* Spread of false information
* Disruption of legitimate services - All of these attacks are related, very dangerous, and sometimes they come hand-in-hand
14
Q
Control plane security
A
typically involves authentication of the messages being advertised by the routing protocol
- Goal: determine the veracity of routing advertisements.
- Various aspects of routing protocol that we seek to verify using control plane authentication:
* Session authentication: protects the point-to-point communication between routers
* Path authentication: protects the AS path, and sometimes other attributes
* Origin authentication: protects origin AS in the AS path, effectively guaranteeing that the Origin AS that advertises a prefix is in fact the owner of that prefix
15
Q
A route hijack is an attack on which form of authentication?
- Session: point-to-point b/w routes
- Path: protects AS path
- Origin: ensures flat AS advertising prefix is the owner
A
-Origin: ensures flat AS advertising prefix is the owner
16
Q
How might route attacks occur?
A
- Router is misconfigured (accidental) - example: AS 7007 attack was the result of a configuration error
- Router might be compromised by an attacker. Once compromised, the attacker can reconfigure it to, for example, advertise false routes.
- Unscrupulous ISPs might also decide to advertise routes that they should not be advertising
17
Q
To launch a route attack, one might:
A
- Reconfigure the router (most common), or tamper wit the management software that changes the configuration
- Tamper with software
- Actively modify a routing message
18
Q
Most common route attack
A
a route hijack attack, or an attack on origin authentication
19
Q
Why hijacks matter
A
- Suppose you want to visit a website. To do so, you first need to issue a DNS query. The authoritative DNS server for a particular domain might be located in a distant network.
- The DNS uses a hierarchy to direct your query to the location of the authoritative name server. That server has an IP address, and you use BGP to reach that IP address.
- If a hacker ran a rogue DNS server and wanted to hijack your DNS query (return a false IP address), the attacker might use BGP to advertise a route for the IP prefix that contains that authoritative DNS server.
* Suddenly your DNS queries that were going to the legitimate server are instead redirected to the rogue DNS server. - Might think of this as an attack whereby an attacker can use the BGP infrastructure to hijack a DNS query and masquerade as a legitimate service.
- A BGP route hijack can also result in a Man in the Middle (MITM) attack, whereby your traffic ultimately reaches the correct destination, but the attacker successfully inserts themselves on the path.
20
Q
Autonomous System Session Authentication
A
- Session authentication attempts to ensure that BGP routing messages sent between routers between ASes are authentic. This is easier than it might appear because the session is a TCP session. Therefore, all we have to do is authenticate this session.
- In practice, this is done using TCP’s MD5 authentication option:
- Every message exchange on the TCP connection contains the message (M) and also a hash of the message with a shared secret key.
- Operators must agree on what that key is, and typically they do that out of band (e.g. by calling each other on the phone) and doing it manually in the router configuration. Once it’s set, all messages between that pair of routers is authenticated.
- Another way to guarantee session authentication is to have AS 1 transmit packets with a TTL of 255, and have the receiving AS drop any packet that has TTL < 254. Because most eBGP sessions are only a single hop, attackers are typically remote, it is not possible for the recipient AS to accept a packet from a remote attacker, because likely that attacker’s packets will have a value of < 254. This defense is called the TTL Hack defense for BGP session authentication.
- In practice, this is done using TCP’s MD5 authentication option:
21
Q
How to guarantee origin and path authentication
A
- Proposal is to modify the existing BGP to add signatures to various parts of the route advertisement. This proposal is sometimes called Secure BGP or BGPSEC. The proposal has 2 different parts:
- Origin Attestation (or Address Attestation): certificate (which must be signed by a trusted party) that binds the IP prefix to the organization that owns that prefix
* “Trusted party” might be a routing registry, organization that allocated that prefix to that organization in the first place
* Path Attestation: set of signatures that accompany the AS path as it is advertised from one AS to the next
- Origin Attestation (or Address Attestation): certificate (which must be signed by a trusted party) that binds the IP prefix to the organization that owns that prefix
22
Q
Path attestation prevents against
A
- Some kinds of hijacks
* Path shortening attacks
* Modification in the AS path
23
Q
Certain attacks that path attestations cannot prevent against
A
- Suppression: if an AS fails to advertise a route or route withdrawal, there’s no way for Path Attestation/BGPSEC to prevent that kind of attack
- Certain types of replay attacks such as a premature re-advertisement of a withdrawn route also cannot be defended against
- No way to actually guarantee the data traffic travels along the advertised AS path. This is a significant weakness of BGP that is yet to be solved by any routing protocol.
24
Q
DNS security
A
To understand the threats and vulnerabilities of DNS, look at the architecture of DNS:
* Stub resolver issues a query to a caching resolver. This could have a MITM attack, or an attacker which observes a query and forges a response.
* If a query goes further than a local caching resolver (for example, to an authoritative name server), an attacker could try to send a reply back to that caching resolver before a real reply comes back, to poison (corrupt) the cache with bogus DNS records for a particular name. This attack is particularly virulent and we’ll look at DNS poisoning later.
* Masters and slaves can both be spoofed, zone files an be corrupted, updates to the dynamic update system can also be spoofed.
* Defense to cache poisoning: OX20.
* Other defense to some of the spoofing attacks: DNSSEC
25
Why is DNS vulnerable?
* Resolvers that issue the DNS query trust the responses that are received after they send out a query regardless of where that response comes from. So, sometimes these responses can be forged.
* When a resolver sends a query, it typically creates a race condition and if the attacker replies before the legitimate responder, then the resolver is likely to believe the attacker.
* DNS responses can also contain additional DNS information unrelated to the query. The fundamental problem is that the basic DNS protocols have no means for authenticating responses, allowing an attacker to forge responses after a resolver sends a query.
* Another reason these spoofed replies are possible is that DNS queries are typically connectionless. Unlike BGP where packets are transmitted over a reliable TCP connection, UDP queries are sent over a connectionless UDP connection. So, a resolver does not have a way of mapping the response that it receives for a query other than the query ID, which can be forged by the attacker.
26
What nature of DNS allows for cache poisoning?
The combination of the lack of authentication and connectionless nature
27
Which aspects of DNS make it vulnerable to attacks?
- Queries over UDP
- DNS names are human readable
- No authentication for query responses
- Distributed/federated
- Queries over UDP
| - No authentication for query responses
28
Why does Ox20 make DNS more secure?
- DNS names are case-sensitive
- Additional entropy
- Efficient encryption
- Additional hierarchy
-Additional entropy
29
DNS amplification attacks
* Exploits the asymmetry in size between queries and the responses
* Attacker might send a DNS query for a particular domain, and that query might only be 60 Bytes. In sending it, however, the attacker might indicate that the source for this query is some victim IP address. Thus, the resolver might send the reply, which is nearly 2 orders of magnitude larger, to a victim.
* The name amplification comes from the fact that the query is 60 Bytes, and the reply is considerably larger. By generating a small amount of initial traffic, the attacker can use the DNS resolver to generate a significantly larger amount of traffic.
* If we add more attackers, then all of these giant replies head to the victim, creating a DOS attack.
* 2 possible defenses against amplification attacks:
* Prevent IP address spoofing in the first place, using for example the appropriate filtering rules.
* Disable the ability for a DNS resolver to resolve queries from arbitrary locations on the internet.
30
DNSSEC
* One of the major reasons for DNS’s vulnerabilities is the lack of authentication.
* DNSSEC protocol adds authentication to DNS responses, simply by adding signatures to the responses that are returned for each DNS reply.
* When a stub resolver issues a query, assuming there’s caching, a query is relayed from a recursive resolver to the root name server, which sends a referral to .com, but this referral includes the signature by the root of the IP address and the public key of the .com server.
* As long as this resolver knows the public key corresponding to the root, it can check the signature, and it knows then that the referral is to the correct IP address for .com. It also now knows the public key corresponding to the .com server. Thus, when the .com server sends the next referral to google.com, that referral is signed by .com’s private key. But, the root has told the resolver the public key corresponding to .com, and thus the resolver can check that this referral is not bogus and in fact that it came from the .com server.
* Similarly, the .com server will return not only the IP address for google.com, but also the IP address and public key for the google.com authoritative server.
* In other words, each authoritative name server in the DNS hierarchy returns not only the referral (as it would with regular DNS), but also a signature containing the IP address for that referral, and the public key for the authoritative name server that corresponds to that referral. That public key then allows the resolver to check the signatures at the next lowest level of the hierarchy, until we finally get to the answer
