network - University of Wisconsin–Madison (pages.cs.wisc.edu/~ace/media/lectures/bgp-scan.pdf)


cs642

network security

adam everspaugh

computer security

today

Reminder: HW3 due in one week: April 18, 2016

CIDR addressing

Border Gateway Protocol

Network reconnaissance via nmap

Idle scans

DNS cache poisoning

Figure: DNS cache poisoning setup. Clients send queries to the victim DNS server, which resolves them via the .com NS on the Internet; bankofamerica.com is at 10.1.1.1 and the attacker site is at 10.9.9.99.

How might an attacker do this? What security features must an attacker overcome?

• Packet spoofing
• Guess UDP port
• Guess QID

Assume a predictable UDP port. Assume SRC port spoofing.
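The question above asks which security features a spoofed answer has to get past. The following is an added example written for this transcript (not code from the slides): an in-memory model of the check a caching resolver applies to a UDP answer before trusting it. A reply is accepted only if its query ID, the port it arrives on and its question section all match an outstanding query, so with the slide's predictable-port assumption only the 16-bit QID stands between the forger and the cache. The names and addresses are the slide's; the Resolver class, its port choice and the guess_space helper are constructed here.

```python
import random
import struct

# Added example for this transcript (not code from the slides): an in-memory
# model of the check a caching resolver applies before trusting a UDP answer.
# A response is accepted only if its query ID (QID), the UDP port it arrives
# on, and its question section all match an outstanding query. A predictable
# source port (the slide's assumption) leaves only the 16-bit QID to guess.
# Names and addresses are the slide's (bankofamerica.com, 10.1.1.1, attacker
# 10.9.9.99); the port range and header fields are standard DNS.

def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_question(name: str) -> bytes:
    """Question section for an A record (QTYPE=1) in class IN (QCLASS=1)."""
    return encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(qid: int, name: str, ip: str) -> bytes:
    """Standard response: header, echoed question, one A-record answer."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + build_question(name) + answer

def split_question(msg: bytes):
    """Return (question bytes, offset just past them) for a message."""
    pos = 12
    while msg[pos] != 0:            # walk the labels of the question name
        pos += msg[pos] + 1
    pos += 1 + 4                    # zero terminator, QTYPE, QCLASS
    return msg[12:pos], pos

def parse_answer_ip(msg: bytes) -> str:
    """IPv4 address in the first answer RR (layout produced by build_response)."""
    _, pos = split_question(msg)
    pos += 2                                       # compression pointer
    _, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
    pos += 10
    return ".".join(str(b) for b in msg[pos:pos + rdlen])

class Resolver:
    """Tracks outstanding queries and applies the (QID, port, question) check."""

    def __init__(self, randomize_port: bool, rng: random.Random):
        self.randomize_port = randomize_port
        self.rng = rng
        self.pending = {}   # (qid, port) -> (name, question bytes)
        self.cache = {}     # name -> accepted IPv4 address

    def send_query(self, name: str):
        qid = self.rng.getrandbits(16)
        # Predictable port (the slide's assumption) versus an ephemeral one.
        port = self.rng.randint(1024, 65535) if self.randomize_port else 53
        self.pending[(qid, port)] = (name, build_question(name))
        return qid, port

    def receive(self, datagram: bytes, dst_port: int) -> bool:
        """Accept the datagram into the cache only if every field matches."""
        qid = struct.unpack("!H", datagram[:2])[0]
        question, _ = split_question(datagram)
        entry = self.pending.get((qid, dst_port))
        if entry is None or entry[1] != question:
            return False            # wrong QID, port or question: dropped
        del self.pending[(qid, dst_port)]
        self.cache[entry[0]] = parse_answer_ip(datagram)
        return True

def guess_space(randomize_port: bool) -> int:
    """Number of (QID, port) combinations an off-path forger must cover."""
    ports = 65535 - 1024 + 1 if randomize_port else 1
    return 65536 * ports

if __name__ == "__main__":
    name = "bankofamerica.com"
    fixed = Resolver(randomize_port=False, rng=random.Random(1))
    qid, port = fixed.send_query(name)
    # Off-path forger who knows the port but has to guess the QID.
    forged_ok = fixed.receive(build_response(qid ^ 1, name, "10.9.9.99"), port)
    genuine_ok = fixed.receive(build_response(qid, name, "10.1.1.1"), port)
    print(forged_ok, genuine_ok, fixed.cache, guess_space(False), guess_space(True))
```

The resolver with randomize_port=True performs the same check; the difference is only in how many (QID, port) pairs a forger has to cover, which guess_space makes explicit.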

think-pair-share

Phishing is a common problem

• Typosquatting:
  • www.LansdEnd.com
  • www.goggle.com
  • secure.bank0fAmerica.com
  • wíkipedia.org

• Phishing attacks – trick users into thinking a malicious domain name is the real one

ip routing

CIDR addressing

Figure: hierarchical routing. A backbone connects ISP1 and ISP2, below which sit hosts labelled with addresses such as 10110…1110000, 10110…1111000 and 10110…1100011 (alongside 5.6.7.8, …1111001 and …1111011).

Prefixes are used to set up hierarchical routing:
- An organization is assigned a.b.c.d/x
- It manages addresses prefixed by a.b.c.d/x

Classless inter-domain routing (CIDR)

Address layout: network prefix (MSBs) | host address (LSBs); the /x gives the split point

Routing

Figure: three autonomous systems: AS att.net, AS wisc.edu, AS charter.net.

Autonomous systems (AS) are organizational building blocks
- Collection of IP prefixes under a single routing policy
- e.g. wisc.edu


AS categories

• Stub: connected to only one other AS

• Multi-homed: connected to multiple other ASes

• Transit: routes traffic through its AS for other ASes

Figure: example AS graph with ASes numbered 1 through 8.

BGP and routing

Figure: defense.gov, wisc.edu and charter.net as neighbouring ASes.

Exterior gateway protocol: Border Gateway Protocol (BGP)

Interior gateway protocol: Open Shortest Path First (OSPF), used within an AS

Border Gateway Protocol (BGP)

• Policy-based routing – an AS can set policy about how to route

  • economic, security, political considerations

• BGP routers use TCP connections to transmit routing information

• Iterative announcement of routes

BGP example

• 2, 7, 3, 6 are transit ASes
• 8, 1 are stub ASes
• 4, 5 are multihomed ASes
• The algorithm seems to work OK in practice
  – BGP does not respond well to frequent node outages

Figure: the AS graph of ASes 1–8 with path-vector announcements propagating outward. AS 7's prefix is announced as 7, then as 2 7, then as 3 2 7 and 6 2 7; AS 5's prefix is announced as 5, then as 6 5, then as 2 6 5, then as 3 2 6 5 and 7 2 6 5.

[D.Wetherall]

IP/route hijacking

• BGP is unauthenticated – anyone can advertise any routes
  – False routes will be propagated

• This allows IP/route hijacking
  – AS announces it originates a prefix it shouldn't
  – AS announces it has a shorter path to a prefix
  – AS announces a more specific prefix

• 2008: Pakistan attempts to block YouTube
  – YouTube is 208.65.152.0/22
  – youtube.com = 208.65.153.238

• Pakistan ISP advertises 208.65.153.0/24 via BGP
  – more specific prefix: prefix hijacking

• Internet thinks youtube.com is in Pakistan

• Outage resolved in 2 hours…
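Why a more specific prefix wins is a consequence of the CIDR lookup rule, longest-prefix match. The following is an added example (not code from the slides): a small forwarding table that stores CIDR prefixes and does longest-prefix match, replayed with the slide's 2008 numbers. It also shows that an address in the /22 but outside the hijacked /24 keeps its original route. The next-hop labels "youtube" and "pk-isp" are placeholders for the real ASes, which the slide does not number.

```python
import ipaddress

# Added example (not code from the slides): a tiny forwarding table that does
# what routers do with CIDR prefixes, longest-prefix match. It replays the
# slide's 2008 numbers: YouTube's 208.65.152.0/22 and the Pakistan ISP's more
# specific 208.65.153.0/24. The next-hop labels "youtube" and "pk-isp" are
# placeholders for the real ASes, which the slide does not number.

def prefix_matches(addr: str, prefix: str) -> bool:
    """True if addr's top x bits equal the network's top x bits (a.b.c.d/x)."""
    net = ipaddress.ip_network(prefix, strict=False)
    x = net.prefixlen
    mask = (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF      # x ones followed by zeros
    return int(ipaddress.ip_address(addr)) & mask == int(net.network_address)

class ForwardingTable:
    """Prefix -> next hop; lookup prefers the longest (most specific) match."""

    def __init__(self):
        self.routes = {}   # normalised prefix string -> next hop

    def announce(self, prefix: str, next_hop: str) -> None:
        self.routes[str(ipaddress.ip_network(prefix, strict=False))] = next_hop

    def withdraw(self, prefix: str) -> None:
        self.routes.pop(str(ipaddress.ip_network(prefix, strict=False)), None)

    def lookup(self, addr: str):
        best_len, best_hop = -1, None
        for prefix, hop in self.routes.items():
            plen = int(prefix.split("/")[1])
            if prefix_matches(addr, prefix) and plen > best_len:
                best_len, best_hop = plen, hop
        return best_hop

def youtube_2008_replay():
    """Where 208.65.153.238 is routed before, during and after the /24 announcement."""
    table = ForwardingTable()
    table.announce("208.65.152.0/22", "youtube")
    before = table.lookup("208.65.153.238")
    table.announce("208.65.153.0/24", "pk-isp")    # more specific: wins longest-prefix match
    during = table.lookup("208.65.153.238")
    unaffected = table.lookup("208.65.152.1")      # outside the /24: still the /22 route
    table.withdraw("208.65.153.0/24")
    after = table.lookup("208.65.153.238")
    return before, during, unaffected, after

if __name__ == "__main__":
    print(youtube_2008_replay())
```

The table is deliberately naive (a linear scan over every prefix); a real router uses a trie for the same rule, and BGP's best-path selection decides which of several announcements for the same prefix lands in the table, but the "most specific prefix wins" step is exactly this one.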

reconnaissance

Port scanning: legality

• United States' Computer Fraud and Abuse Act (CFAA)
  – Computer system access must be authorized

• Moulton v. VC3 (2000)
  – Port scanning, by itself, does not create a damages claim (direct harm must be shown to establish damages under the CFAA).

• O. Kerr. "Cybercrime's scope: Interpreting 'access' and 'authorization' in computer misuse statutes". NYU Law Review, Vol. 78, No. 5, pp. 1596–1668, November 2003.

NMAP

• Network map tool

• De-facto standard for network reconnaissance, testing

• Numerous built-in scanning methods

nmap -PN -sT -p22 192.168.1.0/24

Some of the NMAP status messages

• open – host is accepting connections on that port

• closed – host responds to NMAP probes on port, but does not accept connections

• filtered – NMAP couldn't get packets through to host on that port.
  – Firewall?
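The three status messages map directly onto what a single connect() call can observe. The following is an added example (not code from the slides and not nmap's own code) that reproduces the open/closed/filtered distinction of a TCP connect scan (-sT) with one plain socket, exercised against a loopback listener that the example creates itself so it runs offline. The use of 127.0.0.1 with a kernel-chosen port is the only assumption.

```python
import socket

# Added example (not code from the slides and not nmap's own code): the three
# states of a TCP connect() scan (nmap -sT) reproduced with one plain socket.
# open: the handshake completes; closed: the host answers with a RST, which
# the kernel reports as "connection refused"; filtered: nothing comes back
# before the timeout (or an ICMP unreachable arrives), which is the
# "couldn't get packets through" case on the slide. The loopback listener in
# demo_loopback() is created here so the example runs offline against
# ourselves; 127.0.0.1 and port 0 (kernel-chosen) are the only assumptions.

def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Map the result of one connect() attempt onto nmap's -sT vocabulary."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"        # RST came back: host is there, port is not listening
    except socket.timeout:
        return "filtered"      # no SYN/ACK and no RST within the timeout
    except OSError:
        return "filtered"      # e.g. ICMP host/network unreachable
    finally:
        s.close()

def demo_loopback():
    """Classify a loopback port while we listen on it and again after we stop."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = classify_port("127.0.0.1", port)
    listener.close()
    after_closing = classify_port("127.0.0.1", port)
    return while_listening, after_closing

if __name__ == "__main__":
    print(demo_loopback())
```

The "filtered" branch is the one a firewall produces: a dropped SYN yields neither SYN/ACK nor RST, so the only signal is the timeout. That is also why a connect scan is noisy from the defender's side: every probe completes (or attempts) a real handshake that the host's own logs and an IDS can record.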

Port scan of host

Service detection

nmap -PN -sT -p22 192.168.1.0/24

What is tcpwrapped? Firewall software: see "man tcpd"

OS fingerprinting

Another example

idle scans

Network DMZ

DMZ (demilitarized zone) helps isolate public network components from private network components

Figure: Internet, outer firewall, web server, IDS, inner firewall, customer databases. Firewall rules disallow traffic from the Internet to internal services.

Idle scans

• Adversary wants to port scan the database machine

Figure: the DMZ again (Internet, outer firewall, web server, IDS, inner firewall, customer databases as targets) with the allowed flows:
  inet => web server: OK
  inet => databases: X
  WS => databases: OK

Idle scans

• Adversary wants to port scan the database despite firewall/IDS rules

• Salvatore (Antirez) Sanfilippo, 1998

• Idle scan
  1) Determine IPID of a zombie via SYN/ACK
  2) Send SYN spoofed from zombie
  3) Determine new IPID of zombie via SYN/ACK

• Old systems: IPID incremented with each IP packet sent

IPv4

Figure: Ethernet frame containing an IP datagram: ENet hdr | IP hdr | data | ENet tlr

IP header fields:
  4-bit version
  4-bit hdr len
  8-bit type of service
  16-bit total length (in bytes)
  16-bit identification
  3-bit flags
  13-bit fragmentation offset
  8-bit time to live (TTL)
  8-bit protocol
  16-bit header checksum
  32-bit source IP address
  32-bit destination IP address
  options (optional)
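The field list above is enough to write a parser. The following is an added example (not code from the slides): a decoder for the IPv4 header with the header checksum verified, plus a builder that produces a valid datagram so the decoder can be exercised offline. The field widths are those of RFC 791; the sample addresses are constructed here and the identification value 12345 is borrowed from the idle-scan slides.

```python
import socket
import struct
from dataclasses import dataclass

# Added example (not code from the slides): a parser for the IPv4 header laid
# out above, with the header checksum verified, plus a builder that produces
# a valid datagram so the parser can be exercised offline. The sample
# addresses are constructed here; 12345 is the first IPID on the idle-scan
# slides. Field widths follow RFC 791.

@dataclass
class IPv4Header:
    version: int
    ihl: int                 # header length in 32-bit words
    tos: int
    total_length: int
    identification: int
    flags: int
    fragment_offset: int
    ttl: int
    protocol: int
    checksum: int
    src: str
    dst: str
    options: bytes

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(datagram: bytes) -> IPv4Header:
    """Decode the fixed 20-byte header and any options; reject malformed input."""
    if len(datagram) < 20:
        raise ValueError("datagram shorter than the minimum IPv4 header")
    (v_ihl, tos, tlen, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    version, ihl = v_ihl >> 4, v_ihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 datagram")
    hlen = ihl * 4
    if hlen < 20 or hlen > len(datagram):
        raise ValueError("header length field is inconsistent with the data")
    if ip_checksum(datagram[:hlen]) != 0:   # sum over the whole header incl. checksum
        raise ValueError("header checksum mismatch")
    return IPv4Header(version, ihl, tos, tlen, ident,
                      flags_frag >> 13, flags_frag & 0x1FFF,
                      ttl, proto, csum,
                      socket.inet_ntoa(src), socket.inet_ntoa(dst),
                      datagram[20:hlen])

def is_valid_ipv4(datagram: bytes) -> bool:
    """Convenience wrapper: True if parse_ipv4 accepts the datagram."""
    try:
        parse_ipv4(datagram)
        return True
    except ValueError:
        return False

def build_ipv4(src: str, dst: str, payload: bytes, identification: int,
               ttl: int = 64, protocol: int = 6, flags: int = 0b010) -> bytes:
    """Minimal (no options) datagram with a correct checksum; flags=DF by default."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         identification, flags << 13, ttl, protocol, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = ip_checksum(header)              # computed with the checksum field zeroed
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload

if __name__ == "__main__":
    pkt = build_ipv4("10.0.0.5", "10.0.0.9", b"RST", identification=12345)
    print(parse_ipv4(pkt))
    # A router that decrements TTL must also update the checksum; this one did not.
    damaged = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]
    print("damaged header accepted:", is_valid_ipv4(damaged))
```

The identification field decoded here is the IPID that the idle scan reads out of a zombie's RST replies; the checksum check is the reason a forwarding router has to recompute the header checksum every time it decrements the TTL.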

Idle scans

• We want to avoid sending any non-spoofed packets to the target, but still want to port scan it

Figure: the DMZ again (Internet, outer firewall, web server, IDS, inner firewall, customer databases) with the packet exchange:
  scanner → web server: TCP SYN/ACK; web server → scanner: RST, IPID = 12345
  scanner → database: SYN spoofed as from web server
  database → web server: TCP SYN/ACK; web server → database: RST, IPID = 12346
  scanner → web server: TCP SYN/ACK; web server → scanner: RST, IPID = 12347
  Allowed flows: inet => web server OK; inet => databases X; WS => databases OK

If port open, final IPID = ?? If port closed, final IPID = ??

Idle scans

• We want to avoid sending any non-spoofed packets to the target, but still want to port scan it

Figure: the same exchange for a closed port:
  scanner → web server: TCP SYN/ACK; web server → scanner: RST, IPID = 12345
  scanner → database: SYN spoofed as from web server
  database → web server: RST (the web server ignores it, so no IPID is consumed)
  scanner → web server: TCP SYN/ACK; web server → scanner: RST, IPID = 12346

If port open, final IPID = first + 2. If port closed, final IPID = first + 1.

Preventing idle scans

• How can we prevent our system from being a zombie?
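One way to answer the question is to model the IPID bookkeeping that the inference depends on. The following is an added example, constructed for this transcript (not code from the slides or from nmap): an in-memory model in which no packets are sent and "packets" are dicts. It carries the slide's three steps through for a zombie with a single global IPID counter, where first+2 means open and first+1 means closed, and then repeats them for the two common mitigations, a per-destination counter and random IPIDs, to show that the difference the scanner measures then carries no information about the target. 12345 is the slide's first IPID; the policy names and the Zombie/Target classes are ours.

```python
import random

# Added example (constructed for this transcript; not code from the slides or
# from nmap): an in-memory model of the IP ID bookkeeping behind the idle
# scan above. No packets are sent; "packets" are dicts. It shows that the
# inference on the slide (open: first+2, closed: first+1) only works when the
# zombie uses one global IPID counter, and what the two common mitigations
# do: a per-destination counter (the target's reply no longer touches the
# counter the scanner sees) or random IPIDs (the difference is meaningless).
# 12345 is the slide's first IPID; the policy names are ours.

class Zombie:
    """Host whose RST replies carry an IP ID chosen by one of three policies."""

    def __init__(self, policy: str, start: int = 12344, rng=None):
        self.policy = policy          # "global", "per_destination" or "random"
        self.start = start
        self.counter = start
        self.per_dst = {}
        self.rng = rng or random.Random(0)

    def _next_ipid(self, dst: str) -> int:
        if self.policy == "global":          # old systems: one counter for everything
            self.counter = (self.counter + 1) & 0xFFFF
            return self.counter
        if self.policy == "per_destination": # separate counter per peer address
            self.per_dst[dst] = (self.per_dst.get(dst, self.start) + 1) & 0xFFFF
            return self.per_dst[dst]
        return self.rng.getrandbits(16)      # random: unpredictable per packet

    def receive(self, pkt: dict):
        """Unsolicited SYN/ACK -> RST (consumes an IP ID); unsolicited RST -> ignored."""
        if pkt["type"] == "SYN/ACK":
            return {"type": "RST", "src": "zombie", "dst": pkt["src"],
                    "ipid": self._next_ipid(pkt["src"])}
        return None

class Target:
    """Host behind the firewall: SYN to an open port -> SYN/ACK, otherwise -> RST."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive(self, pkt: dict):
        if pkt["type"] != "SYN":
            return None
        kind = "SYN/ACK" if pkt["port"] in self.open_ports else "RST"
        return {"type": kind, "src": "target", "dst": pkt["src"], "port": pkt["port"]}

def idle_scan_inference(zombie: Zombie, target: Target, port: int) -> str:
    """The slide's three steps, seen from the scanner; returns the inferred state."""
    first = zombie.receive({"type": "SYN/ACK", "src": "scanner"})["ipid"]   # step 1
    reply = target.receive({"type": "SYN", "src": "zombie", "port": port})  # step 2 (spoofed)
    zombie.receive(reply)                       # the target's reply lands on the zombie
    final = zombie.receive({"type": "SYN/ACK", "src": "scanner"})["ipid"]   # step 3
    delta = (final - first) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed"
    return "unknown"        # zombie not usable: its IPIDs are not one global counter

if __name__ == "__main__":
    for policy in ("global", "per_destination", "random"):
        results = {p: idle_scan_inference(Zombie(policy), Target({22}), p)
                   for p in (22, 80)}
        print(policy, results)
```

With the per-destination policy every port reads "closed" and with random IPIDs the result is "unknown", which is exactly the outcome a host owner wants: the scanner learns nothing about the database from probing the web server. Modern kernels default to one of these two policies, so the practical check is whether any host exposed to both the Internet and the internal network still uses a single sequential IPID counter.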

recap

CIDR, BGP / IP/route hijacking

Network reconnaissance / scanning, nmap, fingerprinting

Idle scans, zombie hosts

Exit slips / 1 thing you learned / 1 thing you didn't understand