SysSec 9 Network Security, Aurélien Francillon, francill@eurecom.fr (PowerPoint PPT Presentation)



SLIDE 1

SysSec 9 Network Security

Aurélien Francillon francill@eurecom.fr


SLIDE 2

News of the week

SLIDES 3, 4, 5

News of the week (figures only)

SLIDE 6

Overview

  • Reconnaissance: discovering topology and servers
    • Using network tools
    • Fingerprinting
  • Offensive
    • Man In The Middle attacks, bugs, attacks on routing
    • Bypassing network restrictions
    • Denial of service

SLIDE 7

Network Reconnaissance

SLIDE 8

Reconnaissance

  • Network reconnaissance is always a first step
    • Discovering machines
    • Understanding what services are running (open/filtered ports)
    • Identifying weak/vulnerable point(s) in the target network
  • “Collect intelligence”

SLIDE 9

Reconnaissance

  • Network reconnaissance is always a first step
    • nmap, hping2, netcat
  • Public databases are always a good start
    • domain WHOIS → whois iseclab.org
    • DNS queries → dig iseclab.org
    • DNS zone transfers* (if very lucky) → dig axfr ZoneTransfer.me @ns16.zoneedit.com.
    • IP WHOIS (IRR) → whois 128.130.60.29

*see http://www.digininja.org/projects/zonetransferme.php

SLIDE 10

Reconnaissance

  • robtex.com → the Internet Swiss-army knife
  • GeoIP: approximate physical location of an IP address
    • More accurate solutions exist
  • Finger: directory service that provides information about users
    • Almost never used anymore

SLIDE 11

Scanning

  • Basics: send a TCP SYN packet
    • Closed port: reply with a RST
    • Open port: reply with SYN/ACK
    • Filtered port: nothing back, or an ICMP error packet
  • nmap -A -T4 scanme.nmap.org
  • Smarter techniques:
    • OS detection
    • Idle Scan

SLIDE 12

Scanning for vulnerabilities directly

  • Nessus / OpenVAS
    • Has a list of tests for discovering daemon type, version, kind of service, options set, etc.
    • Has a list of associated vulnerabilities
    • Checks them automatically and generates reports
    • Client/server side can be programmed to run regularly
  • Useful for
    • Network administrators to check for vulnerabilities on the network
    • Lazy attackers to find an attack point!

SLIDE 13

Routing

  • The Internet is split into smaller networks called Autonomous Systems (AS)
    • e.g. Renater, France Telecom, Proxad (Free)
  • They are interconnected by links between their routers
  • BGP is the protocol used to decide on which links to send packets depending on their destination (routing)
  • Some of the BGP/AS information is publicly available
    • IP WHOIS records (Internet Routing Registries, IRRs)
    • Looking glasses
    • Live BGP data feeds (RIPE RIS, RouteViews)

SLIDE 14

Internet-connected device search engines

  • Examples: shodan.io, censys.io
  • Powered by fast “Internet-scale” scanners
    • masscan, zmap
  • Aggregate a lot of information about millions of hosts and networks

SLIDE 15

Web searches, social media, …

  • Instead of performing reconnaissance on the network directly…
  • An attacker can search for another vulnerable point of entry: people
    • By running simple web searches
    • By checking for social media accounts
    • By building profiles of individuals (e.g., employees of the target company)
  • This intelligence can then be used to mount targeted attacks, e.g., via social engineering, spear phishing emails, etc.

SLIDE 16

Network Attacks

SLIDE 17

Denial-of-Service Attack (DoS)

  • DoS is an attack that aims at disrupting a service such that none of the customers can enjoy the service
  • The consequence of flooding or vulnerability attacks
    • Flooding: an attack that consumes the application resources at such a rate that the service becomes unresponsive
    • In a vulnerability attack, a vulnerability causes the application to crash or enter an infinite loop
  • How common is DoS? Answer: very common
    • Research showed ~4,000 reported attacks in a week (and most attacks go unreported)
  • How likely are you to be a victim of DoS?
    • A report showed 25% of large companies suffer DoS attacks at some point

SLIDE 18

Denial-of-Service Attack (DoS)

  • DDoS → Distributed Denial-of-Service
  • Attacking machines are called daemons, slaves, zombies or agents
    • Zombies are usually poorly secured machines that are exploited
  • Machines that control and command the zombies are called masters or handlers
  • The attacker hides behind machines that are called stepping stones → covers his trace


SLIDE 19

(figure only)

SLIDE 20

Denial-of-Service Attack (DoS)

  • A DoS attacker may look for
    • Network reflectors
      • To hide the source of the attack
      • To prevent blocking it, e.g. ICMP reply to a forged source address
    • Network “amplifiers”
      • To perform efficient DoS: (1) find a service that replies N packets when 1 packet is sent with a forged source, which (2) will amplify the DoS
    • Vulnerable/exploitable devices, e.g., to build a DDoS botnet

SLIDE 21

Denial-of-Service Attack (DoS): Examples

  • SYN flood
    • with forged source address
  • “Smurf” attack
    • E.g. send a ping packet to a broadcast address (x.x.x.255)
  • DNS can generate many requests when the server is asked about a record not in cache
    • DNSSEC packets are much larger

SLIDE 22

Example: the MIRAI Botnet Architecture

Figure: devices, infrastructure (Command & Control, Loader, Report Server), attacker, victim bots and DDoS target.

  • 1. Bots scan for vulnerable IoT devices
  • 2. Bots report vulnerable IoT devices
  • 3. Report server instructs device exploitation
  • 4. Loader exploits devices
  • 5. Attacker sends commands
  • 6. C2C server relays attack commands
  • 7. DDoS attacks are launched

Credits: Manos Antonakakis et al., Understanding the Mirai Botnet, USENIX Security, 2017

SLIDE 23

Example: the MIRAI Botnet DDoS Attack Workflow

  • 1. Bot master or DDoS-for-hire user chooses a DDoS target and triggers the attack
  • 2. Attack command is passed on to the Command & Control server
  • 3. Attack command is relayed to the botnet nodes
  • 4. Botnet nodes generate DIRECT DDoS traffic towards the DDoS victim

Credits: https://www.incapsula.com/blog/how-to-identify-a-mirai-style-ddos-attack.html, Imperva Incapsula

SLIDE 24

Denial-of-Service Attacks

  • Web applications are particularly susceptible to denial of service attacks
  • A web application can’t easily tell the difference between an attack and ordinary traffic
    • Because there is no reliable way to tell where an HTTP request is coming from, it is very difficult to filter out malicious traffic
  • “Slashdot” effect
    • Most web servers can handle several hundred concurrent users under normal use, but a single attacker can still generate enough traffic from a single host to swamp many applications
  • Defending against denial of service attacks is difficult and only a small number of “limited” solutions exist

SLIDE 25

Who Are the Attackers?

  • Research has shown that the majority of attacks are launched by script kiddies
    • Such attacks are “easier” to detect and defend against
    • Kids use readily available tools to attack
      • E.g., the LOIC tool, booters/IP stressers (DDoSaaS)
  • Some (D)DoS attacks, however, are highly sophisticated and very difficult to defend against
    • Small-scale (targeted) or large-scale (massive)
    • Hacktivism
    • Financial gain
    • Nation-state cyber attacks

SLIDE 26

Denial of Service Attacks: Defenses, IP Layer

  • Firewall
    • Rate limiting, broadcast packets...
    • Drop IP connections from a list of IP addresses
      • Put in the list those that send too many SYNs
  • Use BGP to reroute attack traffic to a provider with a lot of bandwidth; e.g. the Spamhaus event:
    • http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
    • http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet
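An added example, not part of the lecture, of the detection logic behind slides 11 and 26 run over constructed sample segments: flagging a port scan (one source, many ports, no completed handshake), building the list of sources that send too many SYNs, and, because a flood with forged sources escapes any per-source list, counting half-open connections per target instead. The segment format and thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of TCP segments as a border sensor would summarize them (not real traffic):
# (src_ip, dst_ip, dst_port, flag). "S" is a SYN; "A" is the client's final handshake ACK.
SAMPLE_SEGMENTS = [
    ("10.0.0.5", "192.0.2.10", 80, "S"), ("10.0.0.5", "192.0.2.10", 80, "A"),    # normal client
    ("10.0.0.5", "192.0.2.10", 443, "S"), ("10.0.0.5", "192.0.2.10", 443, "A"),
]
# One host sweeping 40 ports and never completing a handshake: slide 11's SYN scan.
SAMPLE_SEGMENTS += [("198.51.100.7", "192.0.2.10", p, "S") for p in range(1, 41)]
# 200 SYNs toward port 80, each from a different (forged) source: slide 21's SYN flood.
SAMPLE_SEGMENTS += [(f"203.0.113.{i}", "192.0.2.10", 80, "S") for i in range(1, 201)]


def per_source_stats(segments):
    """Per source: SYNs sent, handshakes completed, distinct ports probed."""
    stats = defaultdict(lambda: {"syn": 0, "ack": 0, "ports": set()})
    for src, _dst, port, flag in segments:
        if flag == "S":
            stats[src]["syn"] += 1
            stats[src]["ports"].add(port)
        elif flag == "A":
            stats[src]["ack"] += 1
    return stats


def port_scanners(segments, min_ports=20):
    """Sources that sent SYNs to many distinct ports and completed no handshake."""
    return sorted(src for src, s in per_source_stats(segments).items()
                  if len(s["ports"]) >= min_ports and s["ack"] == 0)


def syn_blocklist(segments, max_unanswered=10):
    """Slide 26's defense: list the sources that sent too many SYNs they never completed.
    A flood with forged sources (slide 21) spreads its SYNs over many addresses and is
    NOT caught here: per-source counting only works when the source address is real."""
    return sorted(src for src, s in per_source_stats(segments).items()
                  if s["syn"] - s["ack"] > max_unanswered)


def flooded_listeners(segments, backlog=128):
    """Targets whose half-open connections (SYN without the completing ACK) exceed the
    backlog the server can hold (slide 33); keyed by target, so spoofed sources don't matter."""
    half_open = defaultdict(int)
    for _src, dst, port, flag in segments:
        if flag == "S":
            half_open[(dst, port)] += 1
        elif flag == "A":
            half_open[(dst, port)] -= 1
    return sorted(key for key, n in half_open.items() if n > backlog)


if __name__ == "__main__":
    print("scanners:", port_scanners(SAMPLE_SEGMENTS))
    print("blocklist:", syn_blocklist(SAMPLE_SEGMENTS))
    print("flooded listeners:", flooded_listeners(SAMPLE_SEGMENTS))
```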

SLIDE 27

Denial of Service Attacks: Defenses, HTTP Layer

  • Change the DNS to point to a CDN (Content Distribution Network)
    • With a lot of bandwidth
    • Caches HTTP requests
    • Applies filtering rules (OWASP)
    • e.g., Akamai: http://www.akamai.com/html/solutions/site_defender.html
  • Limit complex requests
    • in complexity
    • per IP

SLIDE 28

Denial of Service Attacks: Other Defenses

  • Use a CAPTCHA if a human is expected to interact
    • But they are annoying, and not that hard to guess by machines after all …
  • Use a cryptographic puzzle:
    • Some challenges are slow to compute by the client but fast to verify by the server
    • Sent by the server to the client before handling any further request
    • Not very efficient against DDoS
  • Make sure your hosts are patched against DoS vulnerabilities
  • Anomaly detection and behavioral models
  • Ingress filtering
  • Firewall: rate limiting, broadcast packets

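An added example, not from the lecture, of the cryptographic puzzle defense of slide 28 as a hash-based client puzzle: the server issues a random nonce and a difficulty, the client must find a counter such that SHA-256(nonce || counter) starts with that many zero bits, and the server verifies with a single hash and accepts each solution only once. The server class and the in-memory bookkeeping are assumptions for the example.

```python
import hashlib
import os


def _leading_zero_bits(digest):
    """Number of leading zero bits in a 32-byte SHA-256 digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def _puzzle_hash(nonce, counter):
    return hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()


def solve_puzzle(nonce, difficulty_bits):
    """Client side: brute-force a counter until SHA-256(nonce || counter) starts with
    difficulty_bits zero bits. Expected cost: about 2**difficulty_bits hashes."""
    counter = 0
    while _leading_zero_bits(_puzzle_hash(nonce, counter)) < difficulty_bits:
        counter += 1
    return counter


class PuzzleServer:
    """Server side: hands out a fresh nonce per request and accepts each solution once.
    Verification is a single hash whatever the difficulty; that asymmetry is the point."""

    def __init__(self, difficulty_bits=14):
        self.difficulty_bits = difficulty_bits
        self._outstanding = set()   # nonces issued but not yet redeemed (constructed: in-memory)

    def issue(self):
        nonce = os.urandom(16)      # unpredictable, so solutions cannot be precomputed
        self._outstanding.add(nonce)
        return nonce, self.difficulty_bits

    def redeem(self, nonce, counter):
        """True once per issued nonce; a replayed, forged or wrong solution is rejected."""
        if nonce not in self._outstanding:
            return False
        if _leading_zero_bits(_puzzle_hash(nonce, counter)) < self.difficulty_bits:
            return False
        self._outstanding.discard(nonce)   # one solution per challenge
        return True


def client_work_factor(difficulty_bits, bots):
    """Hashes a DDoS of `bots` clients must spend per round of requests: the puzzle raises
    the cost of each request by 2**difficulty_bits, which a large botnet simply absorbs
    (slide 28: 'not very efficient against DDoS')."""
    return bots * 2 ** difficulty_bits


if __name__ == "__main__":
    server = PuzzleServer(difficulty_bits=14)
    nonce, bits = server.issue()
    solution = solve_puzzle(nonce, bits)
    print("accepted:", server.redeem(nonce, solution), "replay accepted:", server.redeem(nonce, solution))
```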
SLIDE 29

TCP Connection Hijacking

  • A bit “old-school”
    • Was used by Kevin Mitnick in 1995 …
    • Attack on RSH to gain access to a server
    • With control of a computer on the network
  • Principle of the attack:
    • Impersonate a computer with IP spoofing
    • TCP sequence number guessing to send packets while ignoring responses
    • DoS the spoofed machine to prevent it from resetting the connection

SLIDE 30

TCP Connection Hijacking: RSH

  • Remote Shell
    • “Ancestor” of SSH
  • Can be configured to allow/deny connections based on
    • Remote username
    • IP address
  • No crypto in place... but hijacking an IP address is not easy

SLIDE 31

TCP Connection Hijacking: TCP (figure only)

SLIDE 32

TCP Connection Hijacking: TCP 3-way Handshake

Source: http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentSequenceNumberSynchroniz-2.htm

SLIDE 33

TCP Connection Hijacking: TCP SYN flooding

Figure: client sends SYN, server replies SYN/ACK.

  • Server keeps a state for each opening connection in a buffer
  • This buffer has a limited size

SLIDE 34

TCP Connection Hijacking: IP Spoofing

  • Sending packets with a spoofed IP address is as simple as forging the source IP in a crafted packet
    • Usually requires root (raw socket)
  • MAC/IP address forging
    • May be blocked by the switch / ISP
    • Called “ingress filtering”
  • Packets with a forged IP address
    • Easy to send
    • But no response received… → is it still possible to exploit it?

SLIDE 35

IP Address Spoofing

  • Can be used directly to exploit stateless protocols, e.g., based only on UDP
  • But in TCP how do we perform the 3-way handshake?
    • We don't receive the response packets
    • As we don't control the return path...
  • How to guess the SEQ# / prevent the spoofed host from responding?

SLIDE 36

Mitnick Attack

  • DoS the server
  • Send packets to the target guessing sequence numbers
    • If the guess is correct the packets are accepted
    • Replies will go to the server
      • Not seen by the attacker
      • DoS’ed server will not send an error message
  • Used to send a command over RSH
    • echo + + >>/.rhosts
  • Access to target gained!

SLIDE 37

(figure only)

SLIDE 38

ARP Poisoning

  • ARP is a protocol to map MAC addresses to IP addresses on Ethernet:
    • Who has <IP>?
    • <IP> is at <mac>
  • Needed to know where to send IP packets over Ethernet
  • This can be abused to inject a wrong MAC address <=> IP address association
    • Perform a Man in the Middle on a switched Ethernet network

SLIDE 39

ARP Poisoning (figure only)

SLIDE 40

Source Routing

  • The route taken by TCP/IP packets is determined by the routers' routing tables
  • Source routing allows bypassing this
    • Specify the path that packets should take
    • E.g., an authorized host can specify the path
      • Auth host → A → C → D → Server
      • Auth host → A → B → D → Server

SLIDE 41

Source Routing

  • This allows an attacker to
    • Discover the network
    • Have its packets go through a specific network path
    • Bypass IP address rules (TCP wrappers, …), firewalls
    • Access computers behind a NAT/private address space
  • Solution: always disallow source routing → it works :)

SLIDE 42

DNS

  • Domain Name Service
    • Maps host names to IP addresses on the Internet
    • Makes the Internet more “user friendly”
  • A distributed system
    • Root servers are at fixed IPs
      • The “hints” file → http://www.internic.net/zones/named.root
    • They provide the IP addresses of the TLD servers
    • Top Level Domain (.com, .net, .org, …) DNS servers provide the IP addresses for domains
    • Etc…
  • Two query modes: (i) recursive and (ii) iterative

SLIDE 43

DNS

  • Their security is very important
    • Integrity of DNS responses
      • www.bank.com
      • SSL certificates certify hostnames, not IP addresses
    • Availability
      • No DNS → no Internet :(
    • Scalability
      • Extensive caching

SLIDES 44 to 51

Recursive DNS Request (figure, animated over eight slides)

SLIDE 52

Recursive DNS Requests

  • The record is obtained from the DNS architecture the first time
  • It will remain in cache until the TTL timeout
  • This record must not be corrupted

SLIDE 53

Kaminsky Attack I

  • In 2007, Dan Kaminsky found a serious issue
  • Almost all DNS server implementations were vulnerable to cache poisoning
    • Allows inserting malicious information into a cache server
  • Attacker takes control over “glue records”
    • Allows impersonating the authoritative DNS server for a domain in the cache

SLIDE 54

Cache Poisoning Attacks

  • How do we know the response received is actually a reply to our query?
    • Rely on the transaction serial number
    • Can it be predicted by an attacker?

SLIDE 55

Normal DNS Request (figure)

http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

SLIDE 56

Basic Poisoning Attack Overview (figure)

http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

SLIDE 57

DNS Cache Poisoning

  • Query IDs can be guessed... Solution?
    • So they should be random?
    • … with good random number generators!
  • Randomize the Query ID
    • 16-bit field → 64k possibilities
    • An attacker has large chances to fail
    • When it fails the targeted record is loaded in the cache

SLIDE 58

Glue Records

  • There is a chicken-and-egg problem in the DNS system, for instance:
    • Q: Who is the NS for domain.com? R: ns.domain.com
  • We need a glue record: glue records are used when the name server is a host of that domain, and provide its IP address
    • Q: Who is the NS for domain.com? R: ns.domain.com, and it is at a.b.c.d

SLIDE 59

Kaminsky Attack

  • Glue records are cached as well
  • What if we poison a glue record?
    • Completely owns the domain, can forge any subdomain/hostname of that domain
  • Query ID randomization?
    • A failed attempt is not a problem, so we can try many times!

SLIDE 60

Kaminsky Attack Wrap-up (figure)

http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

SLIDE 61

DNS Cache Poisoning

  • Very damaging attacks
  • Mitigations:
    • Cache servers should not face the Internet, e.g. not be at the same time a cache server and an authoritative server for a domain
    • Randomize: query ID, source port, host name capitalization
    • DNSSEC: authenticated DNS records

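An added example, not from the lecture, of the resolver-side checks behind slides 57 to 61: a reply is accepted only if its transaction ID, destination port and exact-case question name match the pending query, and `poisoning_probability` works out why the 16-bit ID alone is too little once a failed attempt costs nothing (slide 59). The message model and the helper names are assumptions for the example; only the entropy arithmetic is general.

```python
import math
import secrets
from dataclasses import dataclass

_rng = secrets.SystemRandom()   # CSPRNG: slide 57's "good random number generators"


@dataclass(frozen=True)
class PendingQuery:
    txid: int     # 16-bit transaction ID
    sport: int    # UDP source port the resolver sent from
    qname: str    # question name exactly as sent (0x20 case pattern included)


@dataclass(frozen=True)
class Reply:
    txid: int
    dport: int    # port the reply was addressed to
    qname: str    # question section echoed by the responder


def randomize_case(name):
    """0x20 encoding: DNS matching is case-insensitive, but a genuine server echoes the
    question verbatim, so each letter's case is one more bit a forger has to guess."""
    return "".join(_rng.choice((c.lower(), c.upper())) if c.isalpha() else c for c in name)


def send_query(name, randomize_port=True, use_0x20=True):
    """Resolver side: draw every unpredictable field, then remember it for matching."""
    return PendingQuery(
        txid=_rng.randrange(1 << 16),
        sport=_rng.randrange(1024, 65536) if randomize_port else 53,
        qname=randomize_case(name) if use_0x20 else name.lower(),
    )


def accept_reply(pending, reply):
    """Only a reply matching ID, destination port and exact-case name goes into the cache."""
    return (reply.txid == pending.txid
            and reply.dport == pending.sport
            and reply.qname == pending.qname)


def guess_entropy_bits(name, randomize_port=True, use_0x20=True):
    """Bits a forger must guess per reply: 16 (ID) + ~16 (port) + one per letter (0x20)."""
    bits = 16.0
    if randomize_port:
        bits += math.log2(65536 - 1024)
    if use_0x20:
        bits += sum(c.isalpha() for c in name)
    return bits


def poisoning_probability(entropy_bits, forged_per_race, races):
    """Slide 59: each race asks for a fresh random subdomain, so a miss costs nothing and
    the attacker retries `races` times, fitting `forged_per_race` distinct guesses into
    the window before the real answer arrives."""
    p_race = min(forged_per_race / 2 ** entropy_bits, 1.0)
    return 1 - (1 - p_race) ** races


if __name__ == "__main__":
    for port, case in ((False, False), (True, False), (True, True)):
        bits = guess_entropy_bits("www.example.com", port, case)
        p = poisoning_probability(bits, 100, 10000)
        print(f"port random={port} 0x20={case}: {bits:5.1f} bits, P(poisoned) = {p:.2e}")
```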
SLIDE 62

The Border Gateway Protocol: The art of Building the Internet

Figure: AS1 to AS5.

  • The Internet is divided into thousands of smaller networks called Autonomous Systems (ASes), each administered by a single entity (e.g., an Internet Service Provider, a company, a university)

SLIDE 63

The Border Gateway Protocol: The art of Building the Internet

Figure: AS1 to AS5 with their address blocks (5.0.0.0/8, 45.54.0.0/16, 45.55.0.0/16, 15.1.2.0/24, 2.2.0.0/16, 1.1.0.0/16, 1.2.0.0/16).

  • Each AS “owns” or is responsible for managing a set of network IP addresses (e.g., AS3 is responsible for the IP address block 2.2.0.0/16)

SLIDE 64

The Border Gateway Protocol: The art of Building the Internet

Figure: AS1 to AS5 connected by physical links, exchanging BGP messages.

  • The Border Gateway Protocol (BGP) allows ASes to interconnect with each other by exchanging network IP address block reachability information
  • BGP glues ASes together to form the Internet

SLIDES 65 to 67

The Border Gateway Protocol: The art of Building the Internet (animation of the figure and bullets of slide 64)

  • AS3 to AS1, AS4: “I am AS3 and I am responsible for 2.2.0.0/16!”
  • AS1 to AS2: “AS3 told me he is responsible for 2.2.0.0/16!”
  • AS4 to AS2, AS5: “AS3 told me he is responsible for 2.2.0.0/16!”
  • All networks on the Internet can eventually talk to each other!

SLIDE 68

The Border Gateway Protocol: The art of Building the Internet

Figure: AS35289 Symantec Ltd announces Network: 192.92.94.0/24, AS path: AS35289; AS5466 Eircom Ltd and AS702 Verizon re-announce it to the Internet with AS path: AS5466,AS35289 and AS path: AS702,AS35289.

  • BGP messages record the path of ASes they go through, to avoid routing loops

SLIDE 69

The Border Gateway Protocol: The art of Building the Internet

Figure: AS35289 Symantec Ltd (customer) reaches the Internet through AS5466 Eircom Ltd and AS702 Verizon ((upstream) transit providers).

  • Inter-AS links reflect the business relationships between their respective owners (e.g., some provide transit connectivity to the Internet to their customers)

SLIDE 70

BGP Hijacking: The Art of Breaking the Internet

  • CAUSES
    • The injection of erroneous network reachability information into BGP
    • Trust-based exchange of network reachability information
    • No widely deployed security mechanism yet
  • EFFECTS (on the victim network)
    • Blackhole (e.g., Youtube hijack by Pakistan Telecom)
    • Impersonation (e.g., Spamhaus hijack)
    • MITM (e.g., BGP MITM [1])
  • EXPLANATIONS
    • Router misconfiguration, operational fault (e.g., AS7007 incident [2])
    • Malicious intent?

[1] Stealing The Internet: An Internet-Scale Man In The Middle Attack (Defcon 2008)
[2] http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html

SLIDE 71

BGP Hijacks in the News (figure only)

SLIDES 72 to 75

BGP Hijacks in the News (figures: news headlines)

  • Renesys: 1,500 MITM (traffic interception) hijacks in 2013
  • ISC: several banks targeted by BGP hijacks
  • BGPmon.net: BGP hijack attack against anti-spam company “Spamhaus”
  • Benign or malicious?

SLIDE 76

BGP Hijacks: Challenges

  • Identifying BGP hijacks is challenging
    • BGP hijacks look similar to some legitimate BGP engineering practices
    • Lack of ground truth information: only the owner of a network can precisely diagnose routing events related to his network

SLIDE 77

Case I: BGP Blackhole

Figure: ASX iSpam Inc announces the more specific prefixes 192.92.94.0/25 and 192.92.94.128/25 with AS path: ASX, AS35289, while AS35289 Symantec Ltd legitimately announces 192.92.94.0/24 via AS5466 Eircom Ltd and AS702 Verizon; the Symantec network is blackholed.

  • DoS of the victim network
    • similar to the Youtube hijack
  • Here is an example (figure)

SLIDE 78

Case II: BGP Impersonation, Fly-by Spammers

  • CONJECTURE
    • Spammers would use BGP hijacking to send spam from the stolen IP space and evade spam sender blacklists
    • “BGP spectrum agility”: short-lived (<1 day) spam networks*
  • POTENTIAL EFFECTS
    • Misattributing attacks launched from hijacked networks, due to hijackers stealing IP identity
    • Spam filters heavily rely on IP reputation as a first layer of defense

*Understanding the Network-level Behavior of Spammers (SIGCOMM 2006)

SLIDE 79

Fly-by Spammers: Hijack Signature

  • Hijacked networks
    • are dormant IP address blocks, i.e., by the time the networks are hijacked they have been left unadvertised by their owner
    • are advertised for a rather short period of time
  • AS hijack: prefix is advertised in BGP from an apparently legitimate origin AS but via a presumably illegitimate upstream provider AS
  • Prefix hijack: prefix is advertised in BGP from an apparently rogue origin AS but via a presumably legitimate upstream provider AS

SLIDE 80

Fly-by Spammers: AS Hijack Illustration

Figure: ASY, the legitimate owner of A.B.C.0/24, appears as origin, but the announcement Network: A.B.C.D/E, AS path: ASX, ASY reaches the Internet through ASX iSpam Inc, an illegitimate (upstream) transit provider AS, which then sends spam from A.B.C.1…A.B.C.255.

SLIDE 81

Fly-by Spammers: Case Study

  • IP prefixes are only announced when spam is received!
  • Few blacklisted spam sources at the time of the BGP announcements!

SLIDE 82

Case III: BGP Man-In-The-Middle

  • Step 1: discover the path between AS_Mallory (attacker) and AS_Alice (victim)
    • AS_Mallory → AS_D → AS_A → AS_Alice
  • Step 2: advertise the more specific prefix 66.102.0.0/24 and secure a backup route (P)
  • Step 3: adjust TTLs (ultimate stealth!)

Source: Stealing The Internet: An Internet-Scale Man In The Middle Attack (Defcon 2008)

SLIDE 83

Securing BGP?

  • Security extensions to BGP
    • e.g., RPKI, BGPsec, ROVER
    • Similar to DNSSEC for DNS
    • Deployment is expensive
  • BGP monitoring
    • Analyze BGP updates and trigger an alarm upon an abnormal routing change, e.g., a BGP hijack
    • e.g., BGPmon.net, Renesys (Dyn/Oracle), UCLA Cyclops
  • BGP “best current practices”
    • e.g., customer route filtering
    • Seldom followed by network operators

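An added example, not from the lecture, of the monitoring idea of slide 83 applied with the hijack signatures of slide 79: a network owner's ground truth (the prefix and ASes of the slide 68 illustration) is compared against constructed BGP updates, labelling rogue-origin prefix hijacks, legitimate-origin-behind-illegitimate-upstream AS hijacks, more-specific announcements (slides 77 and 82) and AS path loops (slide 68). The ASN used for "ASX iSpam Inc" is a private-use placeholder, and the ground-truth table is an assumption for the example.

```python
import ipaddress

# Constructed ground truth a network owner would keep (slide 76: only the owner can precisely
# diagnose routing events for his network). Prefix and AS numbers come from the lecture's
# illustration (AS35289 Symantec Ltd, upstreams AS5466 Eircom Ltd and AS702 Verizon).
OWNED_PREFIXES = {
    ipaddress.ip_network("192.92.94.0/24"): {"origin": 35289, "upstreams": {5466, 702}},
}

# Placeholder ASN standing in for the lecture's "ASX iSpam Inc" (private-use range, constructed).
ASX = 64512


def has_as_loop(as_path):
    """Slide 68: the recorded AS path exists to catch loops; a repeated ASN means a loop."""
    return len(set(as_path)) != len(as_path)


def classify_announcement(prefix_str, as_path):
    """Label one announcement against OWNED_PREFIXES. as_path lists ASes from the one that
    forwarded the update to the origin (last element), as BGP's AS_PATH does. Slide 79:
    prefix hijack = rogue origin AS; AS hijack = legitimate origin behind an illegitimate
    upstream. A more-specific prefix (slides 77 and 82) is flagged because every router
    prefers it over the owner's less-specific route."""
    prefix = ipaddress.ip_network(prefix_str)
    if has_as_loop(as_path):
        return "invalid: AS path loop"
    covering = next((p for p in OWNED_PREFIXES if prefix == p or prefix.subnet_of(p)), None)
    if covering is None:
        return "not monitored"
    truth = OWNED_PREFIXES[covering]
    origin = as_path[-1]
    upstream = as_path[-2] if len(as_path) >= 2 else None
    suffix = " (more specific)" if prefix != covering else ""
    if origin != truth["origin"]:
        return "prefix hijack" + suffix
    if upstream is not None and upstream not in truth["upstreams"]:
        return "AS hijack" + suffix
    return "legitimate" + suffix


# Constructed updates as a monitor (slide 83: BGPmon.net, Renesys, Cyclops) would receive them.
SAMPLE_UPDATES = [
    ("192.92.94.0/24", [702, 35289]),               # owner via its real transit provider
    ("192.92.94.0/25", [ASX, 35289]),               # slide 77: more specifics, ASX as upstream
    ("192.92.94.128/25", [ASX, 35289]),
    ("192.92.94.0/24", [5466, ASX]),                # rogue origin behind a legitimate provider
    ("192.92.94.0/24", [702, 35289, 702, 35289]),   # looping path
    ("198.51.100.0/24", [5466, 65000]),             # somebody else's prefix, not ours to judge
]


def monitor(updates=SAMPLE_UPDATES):
    """Alarms: every update that is neither legitimate nor outside the monitored space."""
    alarms = []
    for prefix_str, as_path in updates:
        label = classify_announcement(prefix_str, as_path)
        if label not in ("legitimate", "not monitored"):
            alarms.append((prefix_str, as_path, label))
    return alarms


if __name__ == "__main__":
    for prefix_str, as_path, label in monitor():
        print(f"ALARM {prefix_str} path={as_path}: {label}")
```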
SLIDE 84

Conclusion

  • Myriad of network attacks and defenses
  • It can be surprisingly easy to mount attacks
  • Many countermeasures are known already
    • And many are in place on most networks
  • Still some very difficult attacks to solve and countermeasures to deploy
    • DoS
    • DNSSEC