Download CSE 524: Lecture 17

Protocol perils
“Hacking the stack”
1
Course announcement
• Topics in Cryptography
– Tom Shrimpton (teshrim at cs . pdx . edu)
– http://www.cs.pdx.edu/~teshrim/spring06/info-510.html
2
Hacking the stack
• Protocol attacks at all layers
–
–
–
–
Data-link layer
Network layer
Transport layer
Application layer
3
Data-link layer hacks
4
Sniffing
• Gathering packets from the local network
– Passive (wired network with a hub or a wireless network)
• Turn on promiscuous mode on NIC
– Make NIC accept all data-link layer frames not just its own
• Software
–
–
–
–
Snort (www.snort.org)
tcpdump/ethereal
Sniffit (reptile.rug.ac.be/~coder/sniffit/sniffit.html)
Dsniff (www.monkey.org/~dugsong/dsniff)
– Active (wired network built with a switch)
• Harder (switch prevents data frames from being broadcast)
• How can someone sniff switched traffic?
5
Active Sniffing
• Fool the switch into sending the packets to the sniffer
– MAC Flooding
• Send a flood of traffic with random MAC addresses
• Fill up the switch’s memory
• Switches will then forward packets to all links on the switch
– Dsniff program Macof
– ARP spoofing
• Send fake ARP replies to change the victim’s ARP table
– Dsniff program Arpspoof
• Attacker configures his or her system to forward any traffic it
receives to the router.
• Any traffic from the target machine is sent to the attacker’s machine
before being transferred to the local network.
6
Spoofing ARP Messages
7
Question
How do you detect a sniffer on your machine?
Answer
Check to see if your network interface is in promiscuous mode
ifconfig –a => look for PROMISC
8
Question
How do you detect a sniffer on your network?
Answer
Send a TCP SYN packet to sniffer with bogus MAC address
9
802.11 vulnerabilities
• 802.11 MAC layer
– Nodes are identified with a globally unique 12 byte address.
– No mechanism for verifying the correctness of the identity
– Implicit trust in a speaker's source address.
10
802.11 deauthentication attack
• 802.11 clients
– Authenticate with one or more access
points (AP)
– Associate with the AP that they will
route through.
• Either end-point can request
deauthentication from each other.
– Attacker spoofs this message to interrupt
data flow
– Forces authentication to be reestablished.
Deauthentication
11
802.11 disassociation attack
• Similar to Deauthentication attack.
• Either end-point can request
disassociation from each other.
– Attacker spoofs this message to interrupt
data flow
– Forces association to be reestablished.
• More attacking messages are
required to get same effect of
deauthentication message
Disassociation
Disassociation
12
802.11 power saving attack
• Clients can turn off radio to conserve
energy.
• Client tells AP that it is entering
sleep.
• AP tells client when to wake up for
traffic.
• AP will buffer data and send traffic
indication map (TIM) to client
periodically.
• Client wakes up to receive each TIM
and then retrieve data if available.
Client
Attacker
AP
Entering Sleep
Management Response
Client Sleeps
Client Wakes
TIM
Client Sleeps
Client Wakes
TIM
Client Sleeps
Client Wakes
TIM
Retrieve Data
Client Sleeps
13
802.11 power saving attack
• Messages are sent in the clear.
• Attacker can spoof management
packet and prevent synchronization.
• Attacker can spoof client polling and
discard data.
• Attacker can spoof TIM and
convince client there is no data.
Client
Attacker
AP
Entering Sleep
Management Response
Client Sleeps
Management Response
Retrieve Data
Client Wakes
TIM
Client Sleeps
TIM
14
802.11 carrier sense attacks
• Hidden terminals prevent perfect collision detection.
• Physical and Virtual carrier-sense mechanisms used to
control channel access.
• Both of these mechanisms can be exploited.
15
802.11 physical carrier-sense attack
• Before transmitting frame, node must wait at least a
small interval of time (SIFS for 802.11 ACKs)
– Attacker jams channel towards end of SIFS to force all to
back-off (CSMA)
– SIFS is 20μs for 802.11b
• Requires 50,000 packets per second to disable all access.
• Expensive for attacker
16
802.11 virtual carrier-sense attack
• Each 802.11 frame carries a maximum number of μs to reserve channel
– Specified in NAV
– Max value is 32767, or about 32ms.
– Attacker persistently reserves channel for maximum duration
• Only sends for short time during reservation
• Jams all access with only 30 transmissions a second
– Not all 802.11 hardware obeys NAV (a bug that saves 802.11 from this attack)
17
Other data-link layer attacks
• WEP
– Wired equivalent privacy
– Initial security scheme for 802.11
– Can be broken in under 1 minute
• J. Walker, "IEEE 802.11 Wireless LANs Unsafe at any key size; An
analysis of the WEP encapsulation"
18
Network layer hacks
19
IP spoofing
• Host fills in its own address in sending packets
– Implicitly trusted not to forge the entry
– Leads to all sorts of problems…
• Chapter 3 lecture notes
– IP spoofing scenario using “.rhosts” and predictable TCP ISN
– Establish a blind connection with a remote host
20
Reflector attacks
• Occur at all layers (not just network layer)
– However, most rely on IP spoofing
• A reflector is any IP host that will return a packet or more if sent
a packet.
– Reflector cannot easily locate the initiator because of IP spoofing.
• Examples:
– Web servers: return SYN ACKS or RSTs in response to SYN or other
TCP packets.
– DNS servers: return query replies in response to query requests.
– Routers: return ICMP Time Exceeded in response to TTL expiry or Host
Unreachable messages in response to unroutable IP addresses
21
22
ICMP reflectors
• ICMP echo
– Widely used for “ping”
– Smurf attacks
• Repeatedly send ICMP ping to broadcast IP address of network that
can receive and respond to directed broadcast (smurf amplifier)
• Use the victim’s IP address as the source IP
• Victim’s bandwidth is filled with response packets
• Attacks and software
– Smurf (ICMP), Fraggle (UDP), and Papasmurf (ICMP and UDP)
– www.packetstormsecurity.org/new-exploits/
• List of Smurf Amplifiers: www.netscan.org
23
ICMP reflectors
• Other ICMP candidates
–
–
–
–
–
–
–
–
–
–
Timestamp
Address mask
Router solicitation
Information request/reply
Source quench
Host unreachable
Time exceeded
Parameter problem
Redirect.
Need fragmentation.
24
Routing attacks
• Attack
– Intruder sends bogus routing information to a target and each
of the gateways along the route
• Impersonates an unused host
– Diverts traffic for that host to the intruder’s machine
– Used to monitor “dark” IP addresses
• Impersonates a used host
– All traffic to that host routed to the intruder’s machine
– Intruder inspects packets & resends to host w/ source routing
– Allows capturing of unencrypted passwords, data, etc
25
Routing attacks
• BGP Routing Fault Example:
– ISP mistakenly announced routes to 3000+ prefixes
(destinations) it did not own.
– Other ISPs adopt these routes and blackholed traffic to those
sites.
26
Slides courtesy of Dan Massey
Routing attacks
• Invalid BGP routes exist in everyone’s table.
– These can include routes to root/gTLD servers
– One example observed on 4/16/01:
originates route to
192.26.92/24
ISPs announce new path
3 lasted 20 minutes
1 lasted 3 hours
Internet
rrc00
monitor
c.gtld-servers.net
192.26.92.30
27
Slides courtesy of Dan Massey
Routing attacks
• BGP routing can direct packets to
false server.
• Detected false BGP routes to
root/gTLD severs at major global
ISPs.
Bell Labs
Caching Server
– Routes lasted up to hours, but were
errors and faulty site did not reply.
Internet Routing
• Any response from false server
would be believed.
– NANOG 25/ICDCS 2003 protecting BGP routes to DNS
servers
Root server
Spoofed
Root server
28
Slides courtesy of Dan Massey
Routing attacks
• Defenses
– Filtering based on prior information
• Messes with fault-tolerance but detects intrusion attempts
– Authentication of advertisements
• S-BGP
29
Routing attacks
• Spoofing with Source Routing
– Impersonate system A
– Attacker creates packets from system A to B, with the
attacker’s address in the source route.
– Packet sent to system B, but any replies are sent to the
attacker’s machine.
• Attacker does not forward them to system A because the connection
would be reset.
30
ICMP redirect hacks
• Targeted Denial of Service (DoS)
– Attacker sends ICMP Redirect message to give a bogus route
– Attacker sends Destination Unreachable or TTL exceeded messages to
reset existing connections
– Attacker sends fraudulent Subnet Mask Reply messages
• Blocks communication with target
• Defenses
– Verify ICMP packet contains a plausible sequence #
– Don’t modify Global Route Table due to ICMP Redirect messages
• Disallow ICMP Redirects?
– Check to see if multiple ICMPs from a host agree
31
NIDS avoidance
• NIDS: Network Intrusion Detection System
– Passively monitor network looking for attacks
– Signature analysis done across packets
– Challenges
• Accuracy: false positives and false negatives
• Performance: forensic value of information
• Fundamental problem
– Deployed on a different box
– Potentially on a different network
• Result
– NIDS could see a different stream of packets than host
– Protocol implementation ambiguities
• Different protocol stacks have different behavior
32
NIDS avoidance
• Insertion
– IDS thinks packets are valid; end system rejects these
• Evasion
– end system accepts packets that IDS rejects
• Denial of Service
– resource exhaustion
33
NIDS avoidance
• Confuse the NIDS
– Invalid MAC addresses?
– Invalid headers
• Permissive in receiving, frugal in sending?
• Bad IP checksum will be dropped?
• IP options
– IP TTL ambiguity
• Packet received or not?
– Packet too large for downstream link?
– Source-routed packets
• Will destination reject such packets?
– Fragment time-out
• Will other parts of fragment still be at destination?
– Overlapping fragments
• Which data will be used?
34
NIDS avoidance
• Exhaust resources on NIDS
– CPU, Memory, Network Bandwidth
– Fragmentation
• Send large numbers of fragments
– CPU: data structure attack
– Memory: space attack
– Can lead to DOS (teardrop, jolt2)
• Fragrouter
– Automatically fragment all packets
– Accepts IP packets routed from another system and fragments these
packets according to various schemes
– Generate large numbers of false positives
• Separating script kiddies from sophisticated hackers
• Separating wheat from chaff
35
Transport layer hacks
36
TCP session reset and hijacking attacks
• Problem
– TCP stacks with predictable sequence numbers
– See Chapter 3 lecture notes on TCP ISN selection and the Mitnick attack
• TCP reset attacks
– Uses similar approach to terminate an existing connection
– Send a spoofed TCP RST with guessed sequence numbers
• BGP session reset
• TCP hijacking
– Attacker inserts itself into path
• Already on the path or via ARP spoofing
– Sniff to find sequence numbers of victim connection
– Attacker takes over existing connection using spoofed packets and
dropping packets of one of the end-points
37
TCP session hijacking
• Problem
– Attacker not along path of
hijacked connection
– Attacker sends system B
packets with system A’s IP
address
– System A notices a mismatch
in TCP sequence numbers
– Sends ACK packets to
resynchronize the numbers.
– Continual retransmission of
ACK packets is known as an
ACK storm.
• Most hijacking tools cannot
cope with the ACK storm and
the connection will be dropped.
38
TCP session hijacking
• Hunt (www.packetstormsecurity.org/sniffers/hunt )
– 2 methods to keep session alive
• Use ARP spoofing to keep connection from being dropped
• Attempt to resynchronize the connection
– Send a message to system A saying: msg from root: power failure – try
to type 88 characters, (where 88 is the number of chars. that the attacker
typed during the hijacking)
– Increments the sequence number of system A’s TCP stack to where it
should be.
– Two new ARP spoof messages are then sent, restoring the correct MAC
addresses.
39
40
TCP SYN flooding
• Attacker sends many connection requests w/ spoofed source
addresses to victim
– Victim allocates resources for each request
• Finite # half-open connection requests supported
• Connection requests exist for TIMEOUT period
– Once resources exhausted, all other requests rejected
Normal connection est.
Syn Flooding attack
41
TCP SYN flooding defenses
• System Configuration Improvements
– Reduce timeout period
– Increase length of backlog queue to support more connections
– Disable non-essential services to make a smaller target
• Router Configuration Improvements
– Configure router external interfaces to block packets with source
addresses from internal network
– Configure router internal interfaces to block packets to outside that have
source addresses from outside the internal network
• TCP SYN cookies
– Make handshake stateless on server end
– Server makes ISN a function of a secret nonce it keeps and pieces of the
SYN connection ID
– Only create TCB and establish connection upon verifying client’s ACK
42
TCP SYN flooding defenses
• Firewall as a Relay
– Firewall answers on behalf of
Destination
– Disadvantages
• Adds delay and overhead
• Pushes problem to firewall
43
TCP SYN flooding defenses
• Firewall as a Semi-transparent Gateway
– Firewall forges the 3rd handshake (ack) from the client to the destination
• This moves connection out of backlog queue, freeing resources
– Sends RST packet if no subsequent ACK received from client
– Eventual ACK from a good client will be ignored as a duplicate
– Disadvantages:
• Large # illegitimate open connections if system under attack
• Must very carefully choose timeout periods
44
TCP SYN flooding defenses
Attack w/ semi-transparent
gateway
Legit connection w/ semitransparent gateway 45
TCP congestion control avoidance
• Attempt to trick sender into ignoring congestion control
• ACK division
– Receiver can acknowledge every byte in segment with a separate ACK
– Leads Sender to grow cwnd faster than normal.
• Solution to ACK division
– Modify congestion control to guarantee segment-level granularity
– Only increment MSS when a valid ACK arrives for the entire segment.
Bunch of
acks
Burst 1 RTT later
46
TCP congestion control avoidance
• Duplicate Ack Spoofing
– Receiver sends multiple acks/sequence #
• no way to tell what segment is being acked
– Causes sender to enter fast-recovery mode and inflate cwnd
• Solution to Duplicate Ack Spoofing
– Add new fields to TCP headers.
• “nonce & nonce-reply” – random values sent with segments and replies
• Only increment cwnd for ACKs with previously unseen nonces
Burst of dup acks
Sender enters
Fast Recovery
and bursts 1
RTT later
47
TCP congestion control avoidance
• Optimistic ACKing
– Send acks for segments not yet received
– Decrease perceived RTT, affecting CW growth.
Segment acks
Segs arrive
48
TCP congestion control avoidance
• Solution to optimistic acking:
Cumulative Nonce
– Sender sends random number
(nonce) with each packet
– Segment size slightly
randomized
– Receiver sends cumulative sum
of nonces
– if receiver detects loss, it sends
back the last nonce it received
– Requires modifications to stack
49
TCP congestion control attacks
• The shrew attack
– Use knowledge of TCP congestion control to shut out a
victim
– Time packet bursts to disable victim’s retransmissions and
force exponential back-off
50
TCP reflectors
• TCP stack can be made to reflect via…
– SYN ACK by sending an initial SYN with spoofed IP
address
• Filtering leads to no-remote access.
– RST by sending a FIN.
• Countermeasures problematic
– Filter out SYN ACKs
• Leads to disabling access to services
– Filter out RST
• Results in clogging of stale connections state
51
NIDS avoidance
• TCP tricks to confuse or disable NIDS
– TCP Options fields
• Will packet be accepted?
• Will option be processed?
• Destination might be configured to drop weird options
– Old TCP timestamps (PAWS)
• Destination might be configured to drop
– TCP RSTs with weird sequence numbers
• Is connection reset?
– TCP handshake time-out
• Will TCB still be at destination?
– TCP stream reassembly with overlapping segments
• Rewrite old data or not?
52
Application layer hacks
53
DNS spoofing
• Problem
–
–
–
–
–
–
No authentication of responses
Any DNS response is generally believed.
No attempt to distinguish valid data from invalid.
Responses can contain entries that should not be trusted but are
Responses are cached
Just one false root server could disrupt the entire DNS.
• Attacks
– Inject bogus DNS responses
– Attach additional bogus entries in valid DNS responses (especially for
internal names)
Firewall
Application
Resolver
Local Name Server
(Trusted)
Remote Name Server
(?)
54
*
DNS spoofing
55
DNS spoofing
Easy to observe UDP DNS query sent to
well known server on well known port.
www.darpa.mil A?
Root DNS Server
www.darpa.mil
A 192.5.18.19
Sanjoy’s
Laptop
www.darpa.mil
A 128.9.128.127
Caching
DNS Server
mil DNS Server
Dan’s
Laptop
First response wins. Second response is
silently dropped on the floor.
darpa.mil DNS Server
56
DNS cache poisoning
Bell Labs
Caching Server
Response
www.attacker.com
attacker.com
attacker.com
ns.attacker.com
www.google.com
www.google.com
= 128.9.128.127
A 128.9.128.127
NS ns.attacker.com
NS www.google.com
A 128.9.128.2
A 128.9.128.127
ns.attacker.com
Query
www.attacker.com
Query www.google.com
Any Bell Labs Laptop
Remote attacker
57
DNS cache poisoning
• Defenses
– DNS Proxy
• Filter
– Drop malformed packets
• Verify
– Does the answer, really answer the query made?
– Was the answer received from the appropriate server?
• Proxy performs checks on the answers from outside DNS servers
58
Authenticating DNS Responses
• Attack fundamental problem
– Resolver can’t distinguish between valid and invalid data in a response.
• Add source authentication
– Verify the data received in a response is equal to the data entered by the
zone administrator.
– Each DNS zone signs its data using a private key.
– Query for a particular record returns:
• The requested resource record set.
• A signature (SIG) of the requested resource record set.
– Resolver authenticates response using public key.
• Public key is pre-configured or learned via a sequence of key records in the
DNS heirarchy.
59
Secure DNS Query and Response
Caching DNS Server
www.darpa.mil
Authoritative DNS Servers
www.darpa.mil =
192.5.18.195
Plus (RSA) signature by darpa.mil
Attacker can not forge this answer
without the darpa.mil private key.
End-user
Challenge: add signatures to the protocol
manage DNS public keys
60
Man-in-the-middle attacks
• Web proxying
– Attacker runs webmitm feature on Dsniff and uses DNS spoofing
• Use DNS spoofing to have all HTTP and HTTPS traffic go to webmitm
• Target connects to attacker’s machine and SSL connection is established.
• Attacker’s system establishes a SSL connection with the server the target is
attempting to access.
– Webmitm acts as proxy with two connections
• From the target’s system to the attacker’s machine
• From the attacker’s machine to the actual server the target was trying to
reach
– Note: the target receives attacker’s certificate, not the certificate of the
server the target is trying to reach.
• User receives warning about a certificate that is not signed by a trusted
certificate authority (Who pays attention to those?)
• Webmitm displays the contents of the SSL session on the attacker’s screen
• SSH proxying
– Similar to above with sshmitm (another Dsniff feature)
61
Man-in-the-middle attacks
62
Distributed Denial-of-Service
• Take control of large numbers of machines (zombies)
• Use collection of zombies (Botnet) to knock out target
service
– Example: TFN2K
– www.packetstormsecurity.nl/groups/mixter/index2.html
63
Distributed Denial of Service
• DNS DoS attacks
– DNS root server attack
• DDoS attack disabling 9 of the 13 DNS root servers (10/2002)
• Bringing down all 13 root servers is frequently mentioned as a worst
case scenario that would “cripple the Internet”.
– Local DNS name server attack
• Send large set of valid queries to victim
• Use arbitrary names to thrash cache
• Solution: Provide filtering in name servers so as to only serve
recursive queries from local addresses
64
Packet of death
• Send a malformed packet. Different platforms may be
susceptible to different types of malformed packets.
• These packets have structures that the TCP/IP stacks
cannot anticipate, causing the system to crash.
• Malformed packet suites available at:
www.packetstormsecurity.org/DoS
65
Application layer reflectors
• DNS
– Reflector sending DNS reply in response to a spoofed DNS
request.
• Victim can configure its local DNS servers so as to filter out
unknown DNS server responses.
– If the victim is an authoritative name server
• Attacker queries a large number of local DNS servers which in turn
recursively query the Victim.
• Victim server gets bombarded due to multiple queries.
66
Application layer reflectors
• HTTP proxies
– HTTP proxy caches provide a way that an HTTP client can manipulate a
proxy server into initiating a connection to a victim web server.
– HTTP proxy servers act as reflectors for the DDOS attacks.
• Limitations
– Proxies can be configured to serve a restricted set of clients.
– Not enough proxies to constitute a large pool of possible reflectors.
– Connection between slave and the reflector cannot be spoofed unless the
reflecting proxy has predictable sequence numbers
• Logging helps in identifying the slave’s location.
• Definitely a major threat if proxies running on stacks with predictable
sequence numbers are widely deployed.
67
Application layer reflectors
• Gnutella
– Provides a “push” facility that instructs the server to connect to a given
IP address and port in order to deliver the Gnutella item.
– Gnutella connection to the IP host is separated from the initial client
making it impossible to trace back to the slave.
• Fix
– Modify the protocol to include path information with “push” directives
• Gnutella could be a major problem for DDOS reflector attacks.
68
Application layer reflectors
• SNMP (UDP-based request/reply)
– Sites that fail to block off-site access to SNMP provide a
large number of reflectors.
– SNMP attack is sourced at port 161.
– Filtering out the external SNMP messages leads to major
problem for service providers.
• Configure the filter to receive SNMP messages from interested hosts
• Game protocols
– Quake Qstat (UDP)
– Counter-strike clients (UDP)
69
70
NIDS avoidance
• Confuse NIDS at application-layer
– Addition of interpreted characters (“^H”)
– How does OS interpret?
71
References
•
•
•
•
•
•
•
C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, D.
Zamboni, "Analysis of a Denial of Service Attack on TCP"
S. Bellovin, "Security Problems in the TCP/IP Protocol Suite"
S. Bellovin, "Defending against sequence number attacks"
S. Bellovin, "Packets Found on an Internet"
R. Morris, "A Weakness in the 4.2BSD Unix TCP/IP
Software“
B. Cheswick, S. Bellovin, “A DNS Filter and Switch for
Packet-filtering Gateways”.
S. Savage, N. Cardwell, D. Wetherall, T. Anderson, “TCP
Congestion Control with a Misbehaving Receiver”.
72
Extra slides
73
TCP for Transactions (T/TCP) reflectors
• Spoof initial SYN packet with acceptable seq. no.
– Make an expensive request.
• Factors that limit the T/TCP attack
– T/TCP server will begin in slow start.
• Unless the server’s stack has predictable seq. no.
– Amenable to stateless packet filtering.
– T/TCP is not widely deployed.
74
IP Address Spoofing
• Used to disguise the IP address of a system.
• Three ways an IP address can be spoofed: changing
the IP address, undermining UNIX r-commands, and
spoofing with source routing
• Changing the IP address: The attacker can either
reconfigure the whole system to have a different IP
address or use a tool (Nmap or Dsniff) to change the
source address of outgoing packets. Limitation: the
attacker cannot receive any responses.
75
• Undermining UNIX r-Commands:
– Attacker finds two computers with a trust relationship
• Send a bunch of TCP SYN packets to target and see how the initial
sequence numbers change
• A DoS attack is sent to other system
• Attacker initializes a connection with target system, using the IP
address of the other system
• Target system sends TCP SYN and ACK packets to other system,
which is dead
• Attacker estimates initial sequence number of other system and
sends TCP ACK packet back
– If initial sequence numbers match, attacker has successfully gained
one-way access to the target.
76
Undermining UNIX r-Commands
77