What are the properties of secure communication?
- Confidentiality
- Integrity
- Authentication
- Availability
How does Round Robin DNS (RRDNS) work?
a method to distribute the load of incoming requests to several servers at a single physical location. Servers respond to a DNS request with a list of DNS A records, which it then cycles through in a round robin manner.
How does DNS-based content delivery work?
When accessing the name of the service using DNS, the CDN computes the ‘nearest edge server’ and returns its IP address to the DNS client.
How does Fast-Flux Service Networks work?
A fucking complicated attack. Suggest answer.
having multiple IP addresses associated with a domain name, and then constantly changing them in quick succession.
What are the main data sources to identify hosts that likely belong to rogue networks, used by FIRE (FInding Rogue nEtworks system)?
- Botnet command and control providers
- Drive-by-download hosting providers
- Phish housing providers
The design of ASwatch is based on monitoring global BGP routing activity to learn the control plane behavior of a network. What are the 2 phases of this system.
- Training phase
2. Operational phase
ASwatch computes statistical models using which three features of each AS.
- Rewiring activity - frequent changes and less popular providers are suspicious.
- IP Space Fragmentation and Churn - small BGP prefixes are suspicious
- BGP Routing Dynamics - annoucing for short periods is suspicious.
BGP hijacking. What is the classification by AS-Path announcement?
an illegitimate AS announces the AS-path for a prefix for which it doesn’t have ownership rights.
Type-0, Type-N, & Type-U are all AS-Path hijacking.
BGP hijacking. What is the classification by Data-Plane traffic manipulation?
In Data-Plane traffic manipulation, the intention of the attacker is to hijack the network traffic and manipulate the redirected network traffic on its way to the receiving AS.
What are the causes or motivations behind BGP attacks?
Human Error
Targeted Attack
High Impact Attack
What is prefix hijacking?
When a hijacker announces that it owns some or part of the prefixes owned by another AS.
Explain the scenario of hijacking a path
hijacker modifies the path, so that AS’s are more likely to route traffic through the hijacker.
What are the key ideas behind ARTEMIS?
- configuration file: where all the prefixes owned by the network are listed here for reference. This configuration file is populated by the network operator.
- mechanism for receiving BGP updates: this allows receiving updates from local routers and monitoring services. This is built into the system
For a system that protects against BGP hijacking attacks with less manual intervention, we need automated ways of mitigation from BGP hijacking attacks. The ARTEMIS system uses two automated techniques in mitigating these attacks. What are these techniques?
- Prefix deaggregation: announce more specific prefixes of a certain prefix. (instead of 10.10.10.0/24, announce 10.10.10.128/25 and 10.10.10.0/25)
- Mitigation with Multiple Origin AS (MOAS) - external third party announces the hijacked address and routes traffic to the correct location. (hijack the hijacker)
Explain the structure of a DDoS attack
A Distributed Denial of Service (DDoS) attack is an attempt to compromise a server or network resources with a flood of traffic. To achieve this, the attacker first compromises and deploys flooding servers (slaves).
What is spoofing?
IP spoofing is the act of setting a false IP address in the source field of a packet with the purpose of impersonating a legitimate server.
Explain, how DDoS reflection and amplification work
slaves of a master send request to servers (or reflectors) but set the source address as the victim’s. The reflectors send responses to the victim and overload it’s resources.
Amplification can occur when the reflector’s send a large request to the victim. Not only would the victim receive traffic from millions of servers, the response sent would be large in size, making it further difficult for the victim to handle it.
What are the defences against DDoS attacks?
Traffic Scrubbing Services
Access Control List filters
BGP Flowspec
BGP blackholing
Explain provider-based black-holing
The victim AS uses BGP to communicate the attacked destination prefix to its upstream AS, which then drops the attack traffic towards this prefix. Then either the provider (or the IXP) will advertise a more specific prefix and modifying the next-hop address that will divert the attack traffic to a null interface.
Explain IXP black-holing
In IXP black-holing a victim’s black-hole message is sent to any AS’s that connect to the IXP. Those AS’s in turn black-hole requests directed to the specified IP.
What is one of the major drawbacks of BGP black-holing?
the destination under attack becomes unreachable since all the traffic including the legitimate traffic is dropped.
What is a rogue network
networks whose main purpose is malicious activity such as phishing, hosting spam pages, hosting pirated software, etc.
Describe ASwatch’s Training phase.
- Training phase - The system is given a list of known malicious and legitimate ASes, then learns control-plane behavior typical of both types of ASes.
Describe ASwatch’s Operational phase.
- Operational phase - Given an unknown AS, it then calculates the features for this AS. It uses the model to then assign a reputation score to the AS. If the system assigns the AS a low reputation score for several days in a row, it identifies it as malicious.
