CSE 127 Computer Security

Transcription

1 CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 17 Network Security II

2 Review: Internet Protocol Suite Application Layer Examples: SMTP, FTP, SSH, HTTP, etc. Transport Layer: Port-addressed host-to-host communications (on LAN or WAN). User Datagram Protocol (UDP): single packet transmission with no reliability or ordering mechanisms. Transmission Control Protocol (TCP): connection establishment, reliable transmission, and flow-control. Internet Layer (IP): Fragmentation, reassembly, and end-to-end (across network boundaries) routing of data packets. Provides a uniform interface that hides the underlying network topology. Link Layer: Transmission of data frames within a local network (without intervening routers). Example: Ethernet Physical Layer: Transmission of raw bits (rather than logical data packets) over a physical data link connecting network nodes. Example: 100BASE-T [Technically not part of the Internet Protocol Model, but is still there]

3 IP Addressing Earlier IP addresses are globally unique. Yeah, about that A few exceptions: Network Address Translation Anycast

4 Network Address Translation Internet NAT Port

5 Network Address Translation NAT maintains a table of the form: <client IP> <client port> <NAT ID> Outgoing packets (on non-nat port): Look for client IP address, client port in the mapping table If found replace client port with previously allocated NAT ID (same size as PORT #) If not found allocate a new unique NAT ID and replace source port with NAT ID Replace source address with NAT address

6 Network Address Translation Incoming Packets (on NAT port) Look up destination port number as NAT ID in port mapping table If found replace destination address and port with client entries from the mapping table If not found the packet is not for us and should be rejected Table entries expire after 2-3 minutes to allow them to be garbage collected

7 Network Address Translation Benefits Only allows connections to the outside that are established from inside. Hosts from outside can only contact internal hosts that appear in the mapping table, and they re only added when they establish the connection Don t need as large an external address space (i.e. 10 machines can share 1 IP address) Costs Rewriting IP addresses isn t so easy (what if they appear in protocol data? Then what happens to sequence numbers?) Breaks some protocols (e.g., streaming protocols commonly have client invoke server and then server opens new connection to client)

8 Anycast Basic idea: Multiple hosts with the same IP address. Typically, geographically distributed. Different routes (to different hosts) are announced via BGP. Packets get routed to the host that s easier to reach from a given source. Only one destination host gets any given packet, but a packet can go to any host with the given IP address.

9 Anycast

10 Anycast Pros: A single globally known address can be routed to a nearby host (CDN, etc.) Cons: Works well for UDP, not so well for TCP (especially long-lived connections) What if some packets go to one host and some to another

11 Domain Name System (DNS)

12 Domain Name System (DNS) Say I want to send packet to Need IP address for Domain Name System (DNS): maps host names to IP addresses Large distributed database Critical Internet infrastructure Control of DNS allows attacker to impersonate any domain (in the absence of end-toend host authentication using SSH or TLS) Target of attacks

13 Domain Name System (DNS) Mail client Applications Root Name Server Web browser Name Server DNS resolver OS Recursive Name Server Name Server

14

15 Domain Name System (DNS) Hierarchical Name Space root Root org net edu com uk ca Top Level Domain (TLD) wisc ucb ucsd cmu mit Second Level Domain cs www ece Subdomain

16 Domain Name System (DNS) Hierarchical service for the hierarchical name space Root name servers for top-level domains Authoritative name servers for subdomains Local name resolvers contact authoritative servers when they do not know a name Authoritative server: provides authoritative information for a set of domains Does not handle queries about other domains Recursive resolver: provides recursive resolution of a domain to return requested record to client Handles queries about all domains Same protocol for both types of servers Distinction is in intended purpose only

17 Domain Name System (DNS)

18 DNS Root Servers Hostname IP Addresses Manager a.root-servers.net , 2001:503:ba3e::2:30 VeriSign, Inc. b.root-servers.net , 2001:500:200::b University of Southern California (ISI) c.root-servers.net , 2001:500:2::c Cogent Communications d.root-servers.net , 2001:500:2d::d University of Maryland e.root-servers.net , 2001:500:a8::e NASA (Ames Research Center) f.root-servers.net , 2001:500:2f::f Internet Systems Consortium, Inc. g.root-servers.net , 2001:500:12::d0d US Department of Defense (NIC) h.root-servers.net , 2001:500:1::53 US Army (Research Lab) i.root-servers.net , 2001:7fe::53 Netnod j.root-servers.net , 2001:503:c27::2:30 VeriSign, Inc. k.root-servers.net , 2001:7fd::1 RIPE NCC l.root-servers.net , 2001:500:9f::42 ICANN m.root-servers.net , 2001:dc3::35 WIDE Project

19 DNS Root Servers

20 Domain Name System (DNS) Root Name Server [a.root-servers.net] 3. where s 4. check with ns-auth2.ucsd.edu? Name Server [a.edu-servers.net] Recursive Name Server Name Server [ns-auth2.ucsd.edu]

21 DNS Messages DNS uses UDP as transport Query ID links response to query 16 bits

22 DNS Messages Response types A (1): Address Record. Here s the IP address you are looking for. NS (2): Name Server. Go ask that guy over there. CNAME (5): Alias. The server you are looking for goes by another name. dozens more

23 DNS Caching DNS responses are cached Quick response for repeated translations Useful for finding servers as well as addresses NS records for domains DNS negative queries are cached Save time for nonexistent sites, e.g. misspelling Cached data periodically times out Lifetime (TTL) of data controlled by owner of data TTL passed with every record

24 DNS Caching

25 Security of DNS Users/hosts trust the host-address mapping provided by DNS Used as the basis for many security policies Browser same origin policy, URL address bar, user trust Basic DNS uses UDP without any authentication Man-in-the-middle attacks are possible Forging response to observed query is trivial Off-path attacks require guessing two parameters Query ID from response (16 bits) Source port (approx. 15 bits) Caching introduces additional vulnerabilities

26 Additional Record Injection DNS query results include Additional Records section Provide records for anticipated next resolution step Early DNS resolvers accepted and cached all additional records What is wrong with this? Let s say you are retrieving an image from a malicious site (img.attacker.com) The Authoritative Name Server for img.attacker.com is ns.attacker.com When ns.attacker.com responds to the DNS query it includes an additional record for

27 Additional Record Injection Can we just stop using additional section? Only accept answers from authoritative servers? Glue records: non-authoritative records necessary to contact next hop in resolution chain Necessary given current design of DNS Countermeasure: Bailiwick Rules

28 Bailiwick Rules Bailiwick rule: defines what response records a recursive resolver will accept Bailiwick: set of domains about which a server is has direct or indirect authority to speak Bailiwick determined by the initiator of query Answer should be relevant (in response to request) Answer should be in bailiwick

29 Forging DNS Replies For performance reasons, some DNS resolvers (e.g. BIND) re-used the same socket for all queries If source port is same: can be determined by attacker by having recursive resolver query attacker-controlled authoritative server Attacker only needs to guess 16-bit query ID Non-random query ID generators may make it easier

30 DNS Cache Poisoning Caching allows for attack amplification Once an incorrect record is cached, it is used until TTL expires Attack sketch: Attacker gets victim to issue a DNS query Example: embedded content in a web page If the queried domain is already in cache, attack fails Otherwise, flood resolver with forged responses Attacker wins if one of the responses has correct port and query ID, and arrives before the real response If real response wins, cache is updated and attacker is locked out until TTL expires

31 DNS Cache Poisoning Insight 1: start of race is controlled by attacker Forged responses can be synchronized with request Easier to win timing race against real name server Kaminsky 2008 Insight 2: Attacker can trigger requests for non-existing domains, guaranteed not to be in cache Example: foobar123.google.com Multiple requests Bypassing TTL timeouts Insight 3: Forged response can be NS record Redirects rest of recursive search to attacker-controlled name server Satisfies bailiwick rules Allows attacker to bundle A record for with response for foobar123.google.com

32

33

34 DNS Cache Poisoning Lots of DNS poisoning attacks have occurred in the wild January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia. In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops 2000 campaign: Hilary2000.org -> hilaryno.com

35 DNS Defenses Increase size of secret attacker needs to guess CSPRNG to generate query ID CSPRNG to select source port Make queries case-sensitive Duplicate queries Decrease opportunities for poisoning Ignore any additional record that is not necessary for current query Authentication DNSSEC TLS

36 DNS Defenses DNSSEC Signed DNS records How do you authenticate the non-existence of a record? TLS Only host with private key for domain will be able to complete TLS handshake Certificate ensures that rightful owner of domain has key

37 DNS Defenses (0x20 Encoding) Goal: Increase entropy in DNS Idea: Vary capitalization of queried domain DNS is case insensitive DNS server s response must use same capitalization All known servers happen to do this One additional bit of entropy per letter Attack must guess capitalization also

38 Summary Current DNS system does not provide strong evidence binding request to response Response can provide more data than was asked for Together allows attacker to poison DNS and divert traffic to their sites

39 Network Perimeter Defense

40 Network Perimeter Defense Typical elements Firewalls Network Address Translation Network Intrusion Detection/Prevention Systems(NIDS/NIPS)

41 Firewalls Goal: Protecting or isolating one part of the network from other parts In particular: protect your network from global Internet Filter or otherwise limit bad network traffic Protect services offered internally from outside access. Provide outside services to hosts located inside.

42 Firewalls Network Filter: inspect and block packets Stateless: each packet is evaluated in isolation Source, destination, other header fields Stateful: firewall maintains state about connections May be application-aware and inspect packet payload May be coupled with NAT Application Proxy Man in the middle: Act as a server to the client, act as a client to the server. Protected side receives only well-formed traffic from the proxy Personal Firewall Application on the end host Has additional application/user specific information

43 Packet Filtering Firewalls Filter packets based on network and transport layer headers: Source and destination IP addresses and ports Flags (e.g. ACK)

44 Ports Ports are used to distinguish applications and services on a machine. Low numbered ports are often reserved for server listening. High numbered ports are often assigned for client requests. Port 7 (UDP,TCP): echo server Port 13 (UDP,TCP): daytime Port 20 (TCP): FTP data Port 21 (TCP): FTP control Port 22 (TCP): ssh Port 25 (TCP): SMTP (Mail) Port 80 (TCP): HTTP Port 123 (UDP): NTP Port 143 (TCP): IMAP Port 2049 (UDP): NFS Ports 6000 to 6xxx (TCP): X11

45 Packet Filtering Firewalls Some firewalls keep state about open TCP connections Allows conditional filtering rules of the form if internal machine has established the TCP connection, permit inbound reply packets

46 Network Firewalls Internal Network External-facing Servers External Network

47 Principles for Firewall Configuration Least Privilege: Turn off everything that is unnecessary (e.g. Web Servers should disable port 25 [SMTP]) Failsafe Defaults: By default should reject (Note that this can cause usability problems ) Egress Filtering: Filter outgoing packets too! You know the valid IP addresses for machines internal to the network, so drop those that aren t valid. This can help prevent DoS attacks in the Internet.

48 Proxy Firewalls Proxy acts like both a client and a server. Able to filter using application-level info For example, permit some URLs to be visible outside and prevent others from being visible. Proxies can provide other services too Caching, load balancing, etc. Web Server Web Proxy External Network

49 Firewalls Benefits Reduced attack surface against external attackers Filter out lots of noise in network traffic (helps focus attention) Reduced liability (common practice) Costs Actual cost: both hardware and administration Bottleneck and single point of failure on network False sense of security Limited language (addresses, ports); doesn t help with worms/viruses, ssh exploits, cross-site scripting, etc Inside vs outside model is fragile (once an internal host is compromised firewall does no good); What about wireless laptops?

50 Network Content Analysis Lots of devices want to look at network traffic for security Network Intrusion detection/prevention Systems (NIDS/NIPS) Try to find signatures of attacks or malware Spam filters Try to detect unwanted Data leakage Try to prevent sensitive information from leaving company Traffic differentiation Filter or slow down p2p traffic (e.g. Comcast)

51 Challenges Expensive to look into each packet 10Gbps -> ~1M packets per second ns per byte Network vantage point is imperfect What does a packet mean? What if a session is encrypted? Network evasion?

52 Network evasion Typically network intrusion detection systems are deployed like firewalls (between internal network and Internet) Key assumption is that NIDS sees the same traffic as destination host Not quite true Lots of ways to evade a NIDS by exploiting ambiguity

53 TTL evasion Suppose destination is 2 hops after NIDS box This is what NIDS sees (each letter is one pkt) ttl=2 ttl=2 ttl=2 ttl=2 ttl=1 ttl=2 ttl=2 I A M B E A D This is destination sees ttl=1 ttl=1 ttl=1 ttl=1 ttl=1 ttl=1 I A M B A D

54 Sequence # evasion Suppose attacker sends two packets 5 6 TCP Seq # A D I A M B E What does destination see? IAMBED? IAMBAD? IAMBD? Depends on host Lots of other evasion techniques E.g., how do you reassemble packet fragments

55 Solution Protocol normalization NIDS rewrites packets to remove all ambiguity E.g. all packets have ttl rewritten to reach any internal destination IDS tracks each flow and does not allow overlapping packets Can be very tricky to get right and expensive Potentially must buffer large amounts of data What if you get seq #2 through #100, but not seq #1? Tradeoff: when to drop data vs when to buffer

56 Summary Core protocols not designed for security Eavesdropping, Packet injection, Route stealing, DNS poisoning Patched over time to prevent basic attacks (e.g. random TCP SN) More secure variants exist (but limited deployment) IP -> IPsec DNS -> DNSsec BGP -> SBGP Still need to be careful about protocol semantics Perimeter defenses can shrink the attack surface exposed by the network, but can t stop everything this way

57 Additional Resources DNS and BIND By Paul Albitz and Cricket Liu Firewalls and Internet Security: Repelling the Wily Hacker by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin

58 Homework Assignment 5 is due next week 10pm)

59 Next Lecture Hardware Security: Meltdown and Spectre (and Rowhammer if there s time)