Professional Documents
Culture Documents
CS 155
Outline
! Basic Networking:
Internet Infrastructure
ISP
Backbone
ISP
Application
Application protocol
TCP protocol
Transport
Application
Transport
Network
IP protocol
IP
IP protocol
Network
Link
Data
Link
Network
Access
Data
Link
Link
Data Formats
TCP Header
Application
message
segment
Network (IP)
packet
Link Layer
frame
IP Header
TCP
data
TCP
data
IP TCP
data
ETH IP TCP
data
Link (Ethernet)
Header
TCP
data
ETF
Link (Ethernet)
Trailer
IP
Internet Protocol
! Connectionless
Unreliable
Best effort
! Notes:
Version
Flags
Header Length
Type of Service
Total Length
Identification
Fragment Offset
Time to Live
Protocol
Header Checksum
IP Routing
Meg
Office gateway
Packet
121.42.33.12
Source 121.42.33.12
Destination 132.14.11.51
Tom
132.14.11.1
ISP
132.14.11.51
121.42.33.1
! Error reporting
! TTL field:
Implications:
UDP
No acknowledgment
No congenstion control
No message continuation
TCP
Sender
Break data into packets
Attach packet numbers
Receiver
Acknowledge receipt; lost packets are resent
Reassemble packets in correct order
Book
Reassemble book
1
19
1
TCP Header
Source Port
Dest port
SEQ Number
ACK Number
U A P P S F
R C S S Y I
G K H R N N
Other stuff
TCP Header
S
SNCrandC
SYN: AN 0
C
SNSrandS
SYN/ACK: AN SN
S
C
SNSNC+1
ACK: ANSN
S
Listening
Store SNC , SNS
Wait
Established
Received packets with SN too far out of window are dropped
DDoS lecture
1. Packet Sniffing
! Promiscuous NIC reads all packets
Alice
Network
Bob
attacker
ACK
srcIP=victim
AN=predicted SNS
command
Server
SYN/ACK
dstIP=victim
SN=server SNS
Victim
[Watson04]
Routing Vulnerabilities
Routing Vulnerabilities
! Common attack: advertise false routes
! OSPF:
Interdomain Routing
earthlink.net
Stanford.edu
BGP
Autonomous
System
OSPF
BGP overview
! Iterative path announcement
! Protocol specification
BGP example
1
[D. Wetherall]
27
265
7265
7
7
265
327
3265
265
27
65
27
627
Issues
! Security problems
DNS
wisc
edu
net
com
stanford
ucb
cs
www
uk
cmu
ee
ca
mit
Client
Local DNS
resolver
.edu
d
r
o
tanf
s
.
s
.c
www
edu
.
d
r
anfo
t
s
NS
NS cs.stanford
.edu
stanford.edu
DNS server
cs.stanford.edu
DNS server
Caching
! DNS responses are cached
DNS Packet
! Query ID:
Resolver to NS request
Response to resolver
Response contains IP
addr of next NS server
(called glue)
Response ignored if
unrecognized QueryID
final answer
! Obvious problems
(a la Kaminsky08)
user
browser
Query:
a.bank.com
attacker wins if j: x1 = yj
response is cached and
attacker owns bank.com
local
DNS
resolver
a.bank.com
QID=x1
ns.bank.com
IPaddr
256 responses:
Random QID y1, y2,
NS bank.com=ns.bank.com
A ns.bank.com=attackerIP
attacker
user
browser
Query:
b.bank.com
local
DNS
resolver
attacker wins if j: x2 = yj
response is cached and
attacker owns bank.com
b.bank.com
QID=x2
ns.bank.com
IPaddr
256 responses:
Random QID y1, y2,
NS bank.com=ns.bank.com
A ns.bank.com=attackerIP
attacker
Defenses
! Increase Query ID size.
How?
Pharming
! DNS poisoning attack (less common than phishing)
January 2005, the domain name for a large New York ISP,
Panix, was hijacked to a site in Australia.
In November 2004, Google and Amazon users were sent to
Med Network Inc., an online pharmacy
In March 2003, a group dubbed the "Freedom Cyber Force
Militia" hijacked visitors to the Al-Jazeera Web site and
presented them with the message "God Bless Our Troops"
[DWF96, R01]
<iframe src="http://www.evil.com">
DNS-SEC cannot
stop this attack
www.evil.com?
171.64.7.115 TTL = 0
Firewall
corporate
web server
192.168.0.100
ns.evil.com
DNS server
192.168.0.100
www.evil.com
web server
171.64.7.115
! Server-side defenses
! Firewall defenses
Summary
! Core protocols not designed for security
(next lecture) :