Internet Protocol Security (Contd.)
CS155 Computer and Network Security
L2: Ethernet
Provides connectivity between hosts on a single Local Area Network (LAN)
Data is split into ~1500-byte frames, which are addressed to a device's
physical (MAC) address, assigned by the manufacturer
Switches forward frames based on learning where different MACs are
located. No guarantee that a frame is not also delivered to other hosts!
No security (confidentiality, authentication, or integrity)
ARP: Address Resolution Protocol
ARP lets hosts find each other's MAC addresses on a local network. For
example, when you need to send packets to the upstream router to reach
Internet hosts
Client: Broadcast (to all MACs): Which MAC address has IP 192.168.1.1?
Response: I have this IP address (sent from the correct MAC)
No built-in security. An attacker can impersonate a host by faking its identity and
responding to ARP requests, or by sending gratuitous ARP announcements that
every host on the segment will accept (ARP spoofing)
IP: Internet Protocol
Provides routing between hosts on the Internet. Unreliable. Best effort.
- Packets can be dropped, corrupted, repeated, reordered
Routers simply route IP packets based on their destination address.
- Must be simple in order to be fast: an enormous number of packets is forwarded
No inherent security. Packets have a header checksum, but it is non-
cryptographic. Attackers can change any packet.
Source address is set by the sender, so it can be faked by an attacker
BGP (Border Gateway Protocol)
Internet Service Providers (ISPs) announce their presence on the Internet via
BGP. Each router maintains a list of routes to reach the different announced prefixes
No authentication: it is possible to announce someone else's network (prefix hijacking)
Commonly occurs (often due to operator error, but also due to attacks)
Ports
Each application (e.g., HTTP server) on a host is identified by a port number
A TCP connection is established between port A on host X and port B on host Y
Ports are 1–65535 (16 bits)
Some destination port numbers are used for specific applications by convention
Common Ports
Port   Application
80     HTTP (Web)
443    HTTPS (Secure Web)
25     SMTP (mail delivery)
67     DHCP (host config)
22     SSH (secure shell)
23     Telnet
DNS (Domain Name System)
Application-layer protocols (and people) usually refer to an Internet
host by host name (e.g., google.com)
DNS is a delegatable, hierarchical name space
Example: www.stanford.edu
  edu      = Top Level Domain (TLD)
  stanford = Second Level Domain
  www      = Third Level Domain
DNS Record
A DNS server has a set of records it authoritatively knows about
$ dig bob.ucsd.edu
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30439
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
;; QUESTION SECTION:
;bob.ucsd.edu. IN A
;; ANSWER SECTION:
bob.ucsd.edu. 3600 IN A 132.239.80.176
;; AUTHORITY SECTION:
ucsd.edu. 3600 IN NS ns0.ucsd.edu.
ucsd.edu. 3600 IN NS ns1.ucsd.edu.
ucsd.edu. 3600 IN NS ns2.ucsd.edu.
DNS Root Name Servers
In total, there are 13 DNS root server identities, named with the letters
'A' to 'M' (each is replicated as many anycast instances around the world).
DNS Packet
DNS requests are sent over UDP
Four sections: questions, answers, authority, additional records
Query ID: 16-bit random value that links a response to its query
(Figure: request, response, and authoritative response packets)
DNS Security
Users/hosts trust the host-address mapping provided by DNS
Used as basis for many security policies:
Browser same origin policy, URL address bar
Interception of requests or compromise of DNS servers can result
in incorrect or malicious responses
Caching
DNS responses are cached
Quick response for repeated translations
NS records for domains also cached
DNS negative queries are cached
Save time for nonexistent sites, e.g. misspelling
Cached data periodically times out
Lifetime (TTL) of data controlled by owner of data
TTL passed with every record
DNS Cache Poisoning
DNS query results include an Additional Records section
– Provides records for the anticipated next resolution step
Early servers accepted and cached all additional records
provided in a query response, so anyone who could get a resolver to query
their server could hand it records for any domain at all
Glue Records
Can we just stop using the additional section?
– Only accept answers from authoritative servers?
Glue records: non-authoritative records that are necessary to
contact the next hop in the resolution chain (e.g., the A record for
ns1.example.com when example.com is delegated to that name server)
– Necessary given the current design of DNS
Bailiwick Checking: Only accept additional records that are
for a name inside the zone of the original question (e.g., records for
names under example.com when the question was about example.com).
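The bailiwick rule as a small added Python example (not code from the slides): a resolver that asked a server about a name under example.com keeps only those Additional-section records whose names lie inside that zone. The sample records are constructed for the example; the comparison is done label by label so that a name such as ns1.notexample.com is not mistaken for a subdomain of example.com.

```python
"""Bailiwick filtering for the Additional section of a DNS response.

A resolver that asked an authoritative server for a name under example.com
should only accept extra records inside that server's zone (its bailiwick).
Records for other names, e.g. an A record for www.bank.com slipped into the
Additional section, are dropped before they can reach the cache.
"""


def _labels(name):
    """Normalise a DNS name to a list of lowercase labels, root label stripped."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def in_bailiwick(record_name, zone):
    """True if record_name equals zone or is a subdomain of it (label-aligned)."""
    r, z = _labels(record_name), _labels(zone)
    if not z:                      # the root zone contains everything
        return True
    return len(r) >= len(z) and r[-len(z):] == z


def filter_additional(zone, additional):
    """Keep only Additional-section records inside `zone`.

    `additional` is a list of (name, rtype, rdata) tuples as a resolver might
    have parsed them; returns (accepted, rejected).
    """
    accepted, rejected = [], []
    for rec in additional:
        (accepted if in_bailiwick(rec[0], zone) else rejected).append(rec)
    return accepted, rejected


# Constructed sample: a poisoned response to a query inside example.com.
# The legitimate glue for ns1/ns2.example.com must survive; the bogus
# records for bank.com and for the look-alike notexample.com must be dropped.
SAMPLE_ADDITIONAL = [
    ("ns1.example.com.", "A", "192.0.2.1"),          # genuine glue
    ("NS2.Example.COM", "A", "192.0.2.2"),           # genuine glue, odd casing
    ("www.bank.com.", "A", "198.51.100.7"),          # out of bailiwick
    ("ns1.notexample.com.", "A", "198.51.100.8"),    # suffix trick, not a subdomain
]

if __name__ == "__main__":
    ok, bad = filter_additional("example.com", SAMPLE_ADDITIONAL)
    for rec in ok:
        print("cache  ", rec)
    for rec in bad:
        print("reject ", rec)
```

The same check applies to the Authority section: NS records for a zone other than the one queried are no more trustworthy than out-of-zone glue.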
DNS Spoofing
Scenario: DNS client issues a query to a server
Attacker would like to inject a fake reply
Attacker does not see the query or the real response (off-path)
How does the client authenticate the response?
UDP port numbers must match
– Destination port is usually port 53 by convention
16-bit query ID must match
Kaminsky Attack
With only the 16-bit query ID to guess, an off-path attacker wins one race in
about 65,000 tries. The trick (Kaminsky, 2008): ask the resolver for a random
name such as random1234.example.com so that a cache miss is guaranteed, flood
it with forged responses whose Authority/Additional records point example.com's
name servers at the attacker, and if the guess fails, try again with a fresh
random name. No need to wait for any cached record to expire.
Defenses
Increase the query ID space. But how? Don't want to change the packet format.
Randomize the source port: an additional 11 bits of entropy
- Attack now takes several hours
DNS Rebinding
The attacker's domain first resolves to the attacker's own server (with a short
TTL); the victim's browser loads a page with JavaScript from it. The name is
then re-pointed to an internal address (e.g., 192.168.1.1) and the script, still
inside the same origin, can send requests to the internal host.
Rebinding Defenses
Browser Mitigations:
- Refuse to switch IPs mid-session
- Interacts poorly with proxies, VPNs, CDNs, etc.
- Not consistently implemented in any browser
Server Defenses
- Check the Host header for unrecognized domains
- Authenticate users with something else beyond the IP address
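The "check the Host header" server defense as an added Python example (not code from the slides): an internal service answers only when the Host header names one of its own hostnames. A page rebound from the attacker's domain still sends that domain in the Host header, so the request is refused. The hostnames router.local and admin.lan and port 8080 are assumptions for the example.

```python
"""Host-header validation as a DNS-rebinding defence for an internal service.

After a rebinding attack the browser's request reaches the internal host
with the attacker's name in the Host header (the browser still believes it
is talking to the attacker's origin). Answering only when Host names one of
our own hostnames makes the rebound request useless.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_HOSTS = {"router.local", "admin.lan"}   # assumption for the example
SERVICE_PORT = 8080                             # assumption for the example


def split_host_header(value):
    """Return (hostname, port) from a Host header; port is None if absent.

    Handles bracketed IPv6 literals ("[::1]:8080") as well as "name:port".
    Raises ValueError on malformed input.
    """
    value = value.strip()
    if value.startswith("["):                   # IPv6 literal
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, port = value.partition(":")
        rest = sep + port
    if rest == "":
        return host.lower(), None
    if not rest.startswith(":") or not rest[1:].isdigit():
        raise ValueError("malformed port")
    return host.lower(), int(rest[1:])


def host_allowed(header_value, allowed=ALLOWED_HOSTS, port=SERVICE_PORT):
    """Accept the request only if Host names this service by a known hostname.

    Rejects a missing or malformed header, a wrong port, and any name not in
    `allowed` (which includes bare IP literals; add the service's own address
    to `allowed` if direct-by-IP access is wanted).
    """
    if header_value is None:
        return False
    try:
        host, hdr_port = split_host_header(header_value)
    except ValueError:
        return False
    if hdr_port is not None and hdr_port != port:
        return False
    return host.rstrip(".") in allowed


class RebindSafeHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies host_allowed() before serving anything."""

    def do_GET(self):
        if not host_allowed(self.headers.get("Host")):
            # 421 Misdirected Request: the Host header is not for this server
            self.send_error(421, "Misdirected Request")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"hello from the admin interface\n")


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", SERVICE_PORT), RebindSafeHandler).serve_forever()
```

Run it, then compare `curl -H 'Host: router.local' http://127.0.0.1:8080/` with `curl -H 'Host: attacker.example' http://127.0.0.1:8080/`: the second is what a rebound page would send.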
DNSSEC
Adds authentication and integrity to DNS responses
Authoritative DNS servers sign DNS records using a
cryptographic key
Clients can verify that a response is legitimate by checking the
signature through a chain of trust anchored at the root zone (a PKI similar
in spirit to HTTPS)
Most people don't use DNSSEC and never will. Use TLS instead.
Network Security Takeaway
Assume the network is out to get you.
If you want any guarantee of any security, use TLS.
Denial of Service Attacks
Goal: take a large site offline by overwhelming it with network
traffic such that it can't process real requests
How: find a mechanism where the attacker doesn't have to spend a lot
of effort, but requests are difficult/expensive for the victim to
process
Types of Attacks
DoS Bug: design flaw that allows one machine to disrupt a
service. Generally a protocol asymmetry, e.g., easy to send a
request, difficult to create the response. Or requires server state.
DoS Flood: send a large number of requests from a botnet of
machines you control
Possible at Every Layer
Link Layer: send too much traffic for switches/routers to handle
TCP/UDP: require servers to maintain a large number of concurrent
connections or state
Application Layer: require servers to perform expensive queries
or cryptographic operations
TCP Handshake
Client sends SYN (with its initial sequence number SNc); server replies
SYN-ACK (with its own initial sequence number SNs, acknowledging SNc+1);
client sends ACK (acknowledging SNs+1)
SYN Floods
Attacker sends a flood of SYNs, typically with spoofed source addresses, and
never completes the handshake; the server keeps a half-open connection entry
for each one until it times out
Core Problem
Problem: server commits resources (memory) before confirming the
identity of the client (which only happens when the client responds)
Bad Solutions:
- Increase backlog queue size
- Decrease timeout
Real Solution: Avoid state until the 3-way handshake completes
SYN Cookies
Idea: Instead of storing SNc and SNs…
send a cookie back to the client as SNs.
L = MAC_key(SAddr, SPort, DAddr, DPort, SNc, T)
key: picked at random during boot
T = 5-bit counter incremented every 64 secs.
SNs = ( T || mss || L )   (5 bits || 3-bit encoded MSS || 24 bits of MAC)
Honest client sends ACK (AN = SNs+1, SN = SNc+1)
Server recomputes L from the ACK's addresses, ports, SN-1 and T, and
allocates space for the socket only if the SNs it recovers (AN-1) is valid
Server does not save state
(loses TCP options other than the coarsely encoded MSS)
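The SYN-cookie construction above as an added Python model (user-space code written for this page, not kernel code and not from the slides): T is the 5-bit counter, the MSS is encoded in 3 bits, and L is a 24-bit truncation of an HMAC over the 4-tuple, SNc and T. The four-entry MSS table, HMAC-SHA-256 as the MAC, and tolerating one tick of T between SYN-ACK and ACK are choices for this example; the addresses in the demo are constructed.

```python
"""SYN cookies: SNs = (T || mss || L), no per-connection state until a
valid ACK arrives. Model of the construction in the slides, not kernel code.
"""
import hashlib
import hmac
import os
import struct

KEY = os.urandom(32)                  # picked at random at "boot" (process start)
MSS_TABLE = [536, 1220, 1440, 1460]   # 3-bit index -> MSS (example choice)


def counter(now):
    """T: 5-bit counter incremented every 64 seconds."""
    return (int(now) // 64) & 0x1F


def mac24(saddr, sport, daddr, dport, sn_c, t):
    """L = MAC_key(SAddr, SPort, DAddr, DPort, SNc, T), truncated to 24 bits."""
    msg = struct.pack("!4sH4sHIB", saddr, sport, daddr, dport, sn_c, t)
    digest = hmac.new(KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def encode_mss(mss):
    """Largest table entry not exceeding the client's MSS (index into MSS_TABLE)."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= mss:
            idx = i
    return idx


def make_cookie(saddr, sport, daddr, dport, sn_c, mss, now):
    """Server side on SYN: build SNs = (T || mss || L) and keep no state."""
    t = counter(now)
    return (t << 27) | (encode_mss(mss) << 24) | mac24(saddr, sport, daddr, dport, sn_c, t)


def check_cookie(saddr, sport, daddr, dport, ack_sn, ack_an, now):
    """Server side on ACK: recover SNs = AN-1 and SNc = SN-1, verify L.

    Returns the MSS to use for the new socket, or None if the ACK is forged
    or stale (the T in the cookie is older than one counter tick).
    """
    sn_s = (ack_an - 1) & 0xFFFFFFFF
    sn_c = (ack_sn - 1) & 0xFFFFFFFF
    t = sn_s >> 27
    mss_idx = (sn_s >> 24) & 0x7
    l = sn_s & 0xFFFFFF
    if (counter(now) - t) & 0x1F > 1:       # counter may have ticked once
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = mac24(saddr, sport, daddr, dport, sn_c, t)
    if not hmac.compare_digest(l.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    import socket
    import time
    # Constructed endpoints: client 198.51.100.10:40000 -> server 203.0.113.5:443
    c, s = socket.inet_aton("198.51.100.10"), socket.inet_aton("203.0.113.5")
    now, sn_c = time.time(), 0x12345678
    sn_s = make_cookie(c, 40000, s, 443, sn_c, 1460, now)       # SYN-ACK, nothing stored
    print("SNs (cookie) = %#010x" % sn_s)
    print("honest ACK ->", check_cookie(c, 40000, s, 443, sn_c + 1, sn_s + 1, now + 1))
    print("forged ACK ->", check_cookie(c, 40000, s, 443, sn_c + 1, (sn_s + 1) ^ 0x55, now + 1))
    print("stale ACK  ->", check_cookie(c, 40000, s, 443, sn_c + 1, sn_s + 1, now + 300))
```

A flood of spoofed SYNs now costs the server one HMAC per SYN-ACK and nothing in memory; an attacker who wants to open a connection has to receive the SYN-ACK, which is exactly what a spoofed source address prevents.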
Amplification Attacks
(Figure: a small DNS query for example.com returns a large response listing
the MX record mx1.example.com and many A records, 1.2.3.4 through 1.2.3.9)
60-70x increase in size
Image: Cloudflare
Common UDP Amplifiers
The attacker sends small requests with the source address spoofed to the
victim's; the amplifier's large responses go to the victim
DNS: an ANY query returns all records the server has about a domain
NTP: MONLIST returns the list of the last 600 clients that asked for the
time recently
Only works if you can receive a big response by sending a single
packet; otherwise spoofing doesn't help you.
Amplification Attacks
2013: DDoS attack generated 300 Gbps (DNS)
- 31,000 misconfigured open resolvers, each at 10 Mbps
- Source: 3 networks that allowed IP spoofing
2014: 400 Gbps DDoS attack used 4,500 NTP servers
Memcached
Memcached: a small UDP request retrieves a large record
The server responds by firing back as much
as 50,000 times the data it received.
October 21, 2016
(Figure: Krebs on Security attack traffic graph)
"The magnitude of the attacks seen during the final week were significantly larger than
the majority of attacks Akamai sees on a regular basis. [...] In fact, while the attack on
September 20 was the largest attack ever mitigated by Akamai, the attack on September
22 would have qualified for the record at any other time, peaking at 555 Gbps."
Source: 2017 Akamai State of the Internet
“We are still working on analyzing the data but the estimate at the time of
this report is up to 100,000 malicious endpoints. […] There have been
some reports of a magnitude in the 1.2 Tbps range; at this time we are
unable to verify that claim.”
Image: Verisign
A Botnet of IoT Devices
(Figure: a bot master controls ≈200K IoT hosts that attack OVH, Dyn, and Krebs
with GRE, HTTP, and TLS traffic)
Not amplification: 200K IoT devices
flood with SYN, ACK, UDP, and GRE packets
The Mirai Malware
(Figure: Mirai infrastructure. Bots scan the Internet for devices and guess
passwords; successful logins are reported to a report server; a loader then
dispatches the malware to the new victim. The bot master sends commands to
the bots through the command-and-control server and a relay.)
5-7. Later, the bot master will issue commands to
pause scanning and to start an attack
Attack Command:
- Action (e.g., START, STOP)
- Target IP(s)
- Attack Type (e.g., GRE, DNS, TCP)
- Attack Duration
Password Guessing
Mirai logs in to devices over Telnet (TCP/23 and TCP/2323) using a
built-in list of default credentials
Mirai Population
(Figure: number of network telescope scans, 08/01/16 to 02/01/17, broken
down by scanned port: TCP/23, TCP/2323, TCP/22, TCP/80, TCP/443, TCP/8080,
TCP/7547, TCP/5555, TCP/6789, TCP/23231, TCP/2222, TCP/37777; y-axis 0 to
700,000)
~600K devices compromised
Booter Services
Google Project Shield
DDoS attacks are often used to censor content. In the case of Mirai,
Brian Krebs's blog was under attack.
Google Project Shield uses Google's bandwidth to shield vulnerable
websites (e.g., news, blogs, human rights orgs)
Moving Up the Stack: GET Floods
Command the bot army to:
* Complete a real TCP connection
* Complete a TLS handshake
* GET a large image or other content
Will bypass flood protections… but the attacker can no longer use
random source IPs
Victim site can block or rate limit bots
GitHub Attacks
2015: attack against GitHub caused by JavaScript injected into HTTP web
requests (traffic to Baidu's analytics scripts was modified in transit so that
browsers repeatedly fetched GitHub pages)
2018: 1.35 Tbps memcached amplification attack against GitHub
The Chinese government was widely suspected to be behind the 2015 attack
Client Puzzles
Idea: What if we force every client to do a moderate amount of
work for every connection it makes?
Example:
1) Server sends: C (a fresh random challenge)
2) Client: find X s.t. LSB_n(SHA-1(C || X)) = 0^n, i.e., the n least
significant bits of the hash are all zero
Assumption:
Puzzle takes ~2^n hash evaluations for the client to compute (0.3 s on a 1 GHz core)
Solution is trivial for the server to check (a single SHA-1)
Client Puzzles
Not frequently used in the real world
Benefits:
* Can change n based on the amount of attack traffic
Limitations:
* Requires changes to protocols, clients, and servers
* Hurts low-power legitimate clients during an attack (e.g., phones)
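The puzzle above as an added Python example (not code from the slides): the server issues C, the client brute-forces X until the low n bits of H(C || X) are zero, and the server checks the answer with one hash. Two details beyond the slides are assumptions for this example: SHA-256 is used instead of SHA-1 (the puzzle only needs a hash that cannot be inverted faster than brute force), and C carries a timestamp and a MAC under a server secret so the server stays stateless, solutions cannot be pre-computed, and a solution bound to one client address is worthless to another.

```python
"""Client puzzles: server sends C, client finds X with LSB_n(H(C||X)) = 0^n,
server verifies with a single hash. Added example, SHA-256 instead of SHA-1.
"""
import hashlib
import hmac
import os
import time

SERVER_SECRET = os.urandom(32)   # lets the server recognise its own challenges statelessly
CHALLENGE_LIFETIME = 60          # seconds a challenge stays valid (assumption)


def make_challenge(client_addr, n, now=None):
    """Server side: C = timestamp | n | MAC(secret, timestamp | n | client_addr)."""
    ts = int(now if now is not None else time.time())
    body = b"%d|%d|" % (ts, n) + client_addr.encode()
    tag = hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()
    return "%d|%d|%s" % (ts, n, tag)


def low_bits_zero(digest, n):
    """True if the n least significant bits of the digest are all zero."""
    return n == 0 or int.from_bytes(digest, "big") & ((1 << n) - 1) == 0


def solve(challenge, n):
    """Client side: brute-force X (about 2^n hash evaluations on average)."""
    x = 0
    while True:
        h = hashlib.sha256(challenge.encode() + x.to_bytes(8, "big")).digest()
        if low_bits_zero(h, n):
            return x
        x += 1


def verify(client_addr, challenge, x, now=None):
    """Server side: one MAC to authenticate C (and n), one hash to check X."""
    now = now if now is not None else time.time()
    try:
        ts_s, n_s, tag = challenge.split("|")
        ts, n = int(ts_s), int(n_s)
    except ValueError:
        return False
    if not 0 <= now - ts <= CHALLENGE_LIFETIME:
        return False                                   # expired or from the future
    body = b"%d|%d|" % (ts, n) + client_addr.encode()
    expected = hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False                                   # not our challenge / n tampered
    h = hashlib.sha256(challenge.encode() + x.to_bytes(8, "big")).digest()
    return low_bits_zero(h, n)


def difficulty_for(load_fraction):
    """Scale n with observed load: 0 bits when idle, up to 20 when saturated."""
    return max(0, min(20, int(load_fraction * 20)))


if __name__ == "__main__":
    client = "198.51.100.10"                           # constructed client address
    n = difficulty_for(0.8)                            # 16 bits: ~65k hashes
    c = make_challenge(client, n)
    t0 = time.time()
    x = solve(c, n)
    print("n=%d solved with X=%d in %.2fs" % (n, x, time.time() - t0))
    print("server accepts:", verify(client, c, x))
    print("replayed from another client:", verify("198.51.100.11", c, x))
```

Because n is inside the MAC'd challenge, a client cannot lower its own difficulty; the server raises n with `difficulty_for` as attack traffic grows and drops it back to 0 when the flood subsides, which is the adaptive behaviour the slides list as the main benefit.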