Identifier Binding Attacks and Defenses in Software-Defined Networks

Similar documents
Identifier Binding Attacks and Defenses in Software-Defined Networks

Network Security. Thierry Sans

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks

A Framework for Optimizing IP over Ethernet Naming System

NETWORK SECURITY. Ch. 3: Network Attacks

Network Security. The Art of War in The LAN Land. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, September 27th, 2018

Internetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview

CIS 5373 Systems Security

Configuring Dynamic ARP Inspection

Configuring Dynamic ARP Inspection

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch

CSE 565 Computer Security Fall 2018

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

Communication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

CCNP Switch Questions/Answers Securing Campus Infrastructure

Configuring attack detection and prevention 1

Wireless Network Security Spring 2016

AN INTRODUCTION TO ARP SPOOFING

Understanding and Configuring Dynamic ARP Inspection

Configuring ARP attack protection 1

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

A Security Evaluation of DNSSEC with NSEC Review

ELEC5616 COMPUTER & NETWORK SECURITY

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Towards Layer 2 Authentication: Preventing Attacks based on Address Resolution Protocol Spoofing

Selected Network Security Technologies

Ruijie Anti-ARP Spoofing

Configuring DHCP Features and IP Source Guard

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. June 18, 2015

N exam.420q. Number: N Passing Score: 800 Time Limit: 120 min N CompTIA Network+ Certification

ARP Inspection and the MAC Address Table for Transparent Firewall Mode

Cisco Networking Academy CCNP

Port Mirroring in CounterACT. CounterACT Technical Note

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

DOMAIN NAME SECURITY EXTENSIONS

Man In The Middle Project completed by: John Ouimet and Kyle Newman

CS 161 Computer Security

Endpoint Security - what-if analysis 1

Wireless Network Security

ARP Inspection and the MAC Address Table

Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz

Wireless Network Security Spring 2015

Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies

CS Paul Krzyzanowski

Man-In-The-Browser Attacks. Daniel Tomescu

DNS Security. * pers/dnssec/dnssec.html. IT352 Network Security Najwa AlGhamdi

Configuring attack detection and prevention 1

Securing ARP and DHCP for mitigating link layer attacks

August 14th, 2018 PRESENTED BY:

Configuring DHCP Features and IP Source Guard

CTS2134 Introduction to Networking. Module 08: Network Security

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

ARP SPOOFING Attack in Real Time Environment

On the State of the Inter-domain and Intra-domain Routing Security

Mobile Security Fall 2013

Configuring DHCP Features

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

VoIP Security Threat Analysis

Configuring ARP attack protection 1

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

UDP-based Amplification Attacks and its Mitigations

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Last mile authentication problem

CSCE 463/612 Networks and Distributed Processing Spring 2018

Wireless LAN Security (RM12/2002)

Operation Manual DHCP. Table of Contents

Computer Network Routing Challenges Associated to Tackle Resolution Protocol

CSE 565 Computer Security Fall 2018

Computer Security Exam 3 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

DHCP Configuration. Page 1 of 14

SYN Flood Attack Protection Technology White Paper

An Approach to Addressing ARP Spoof Using a Trusted Server. Yu-feng CHEN and Hao QIN

CSC 574 Computer and Network Security. DNS Security

Switched environments security... A fairy tale.

White Paper. Ruijie DHCP Snooping. White Paper

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Building world-class security response and secure development processes

Closed book. Closed notes. No electronic device.

Improving DNS Security and Resiliency. Carlos Vicente Network Startup Resource Center

Chapter 2. Switch Concepts and Configuration. Part II

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.1

HP High-End Firewalls

Securing Wireless LAN Controllers (WLCs)

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

DHCP Overview. Information About DHCP. DHCP Overview. Last Updated: July 04, 2011

Wireless Network Security Spring 2015

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

White Paper / S4 Access Switch

Copyright

Basic L2 and L3 security in Campus networks. Matěj Grégr CNMS 2016

DHCP Overview. Information About DHCP. DHCP Overview

Transcription:

Identifier Binding Attacks and Defenses in Software-Defined Networks Samuel Jero 1, William Koch 2, Richard Skowyra 3, Hamed Okhravi 3, Cristina Nita-Rotaru 4, and David Bigelow 3 1 Purdue University, 2 Boston University, 3 MIT Lincoln Laboratory, and 4 Northeastern University USENIX Security 2017 DISTRIBUTION STATEMENT A. Approved for public release: distribution unlimited. This material is based upon work supported by the Department of Defense under Air Force Contract No. FA8721-05-C-0002 and/or FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Department of Defense. 2017 Massachusetts Institute of Technology. Delivered to the U.S. Government with Unlimited Rights, as defined in DFARS Part 252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work.

A Day in the Life Of Your Browser www.chase.com DNS Request DNS Response ARP Request ARP Reply HTTP Request HTTP Reply DNS Request Insecure identifier bindings make this possible 2

Network Identifiers and Their Bindings Modern networks have many protocols layered on top of each other Network Identifier: An identifier for a device used at some layer of the network stack Examples: IP addresses, MAC addresses, Hostnames Used for forwarding as well as access control and authorization Devices need to bind identifiers from higher layers to lower layers ARP, DHCP, DNS, Active Directory Directory Service DNS ARP DHCP Learning Multi- Homing user1 laptop.example.org 10.0.1.10 42:10:23:34:78:98:1A sw:1,port:1 user2 server.example.org 10.0.1.42 FB:54:23:78:56:F1 sw:2,port:42 Usernames Hostnames IP Addresses MAC Addresses Network Locations Devices 3

Bindings Performed by Insecure Protocols No authentication Binding protocols often rely on simple broadcast queries I do No cross-layer checks No additional checks on binding updates Mutable Identifiers WHO HAS 10.0.1.42? 10.0.1.42 Enables: Host Impersonation Man-In-The-Middle Privilege Escalation Denial of Service 10.0.1.10 ME! ME! ME! I DO! ARP Poisoning 10.0.1.30 4

Existing Defenses Port Security Limits number of MAC address per switch port Ad-hoc, limited to MAC layer, manual configuration Heuristically blocks attackers spoofing MAC addresses Cisco Dynamic ARP Inspection (DAI) Compares ARP responses with internal DHCP server records Limited to ARP, no protection for static IPs, manual configuration Requires use of internal DHCP server DHCP Snooping Trusted / Untrusted zones Limited to DHCP, no protection for static IPs, manual configuration DHCP packets from trusted zone used to setup bindings to filter untrusted zone packets DNSSEC Prevents forged Limited DNS responses to DNS, rogue servers can still exist, manual and complex configuration These are ad-hoc solutions specific to particular identifiers and requiring manual configuration 5

Identifier Binding in Software Defined Networks Unified control plane Single binding table for entire network Bare Metal es es do not include existing defenses against binding attacks Fwd ACLs SDN Controller Control Plane Delayed Flow Rule Consistency Temporary inconsistencies between controller and switches Flow rules are not instantly removed from switches when controller state changes Device Device Data Plane 6

Binding Attacks in Software Defined Networks Unified control plane Attackers anywhere in the network can poison any binding Bare Metal es Existing defenses must be implemented in the controller Most controllers have not implement them Delayed Flow Rule Consistency Attackers can cause a few packets to be forwarded with stale state Stale Fwd ACLs SDN Controller Spread Device Defenses Device Control Plane Data Plane Binding Attacks Have Significantly Amplified Power In SDNs 7

Existing Software Defined Network Defenses Ethane (SIGCOMM 07) Fine grained access Vulnerable control based to MAC on address high level spoofing, identifiers does not protect IP-hostname or Leverages bindings hostname-user for access control bindings at a per-flow level TopoGuard (NDSS 15) Demonstrated attacks on the MAC Address to Location binding Vulnerable to MAC address spoofing, limited to MAC-location binding Defense based on querying old location of MAC address before allowing address to move SPHINX (NDSS 15) Demonstrated attacks on the MAC Address to Location binding Vulnerable to MAC address spoofing, limited to MAC-location binding Defense by ensuring that new flows are consistent with existing bindings These solutions are focused only on specific identifiers, leaving other bindings vulnerable 8

This Paper Focuses On A new, more powerful binding attack The Persona Hijacking Attack Takeover of ALL Identifiers Persistent A defense against ALL binding attacks SecureBinder Mediate Bindings Root-of-trust 9

Persona Hijacking Takeover of the Victim's IP address and DNS name Persists for hours or days Progressively breaks the MAC-Location, MAC-IP, and (possibly) IP-hostname bindings Attacker becomes the owner-of-record for the Victim s IP address Victim appears to be malicious party DHCP server is co-opted to propagate this deception further into the network Operates in two phases: IP Takeover Leverage DHCP server to steal IP address and DNS name from Victim Flow Poisoning Leverage SDN to complete DHCP assignment attacker.evil.org server.example.org 10.0.1.10 10.0.1.42 42:10:23:34:78:98 FB:54:23:78:56:F1 sw:5,port:15 sw:1,port:1 10

IP Takeover Goal: Steal Victim s IP address and co-opt DHCP server to persist and propagate this deception SDN Controller Attacker sends forged DHCP_RELEASE for Victim DHCP Server releases Victim s address, but does not notify Victim Attacker sends DHCP_DISCOVER messages until Victim s address is offered Flow Poisoning ARP Flood RELEASE Victim IP Attacker sends DHCP_REQUEST and launches Flow Poisoning attack DHCP DISCOVER DHCP DISCOVER DHCP DISCOVER DHCP server checks offered IP with an ARP request. Victim s response is blocked by Flow Poisoning DHCP server completes handshake and Attacker becomes the owner-of-record of the Victim s IP address Victim DHCP Server IP OFFER IP OFFER IP OFFER=Victim DHCP ACK Attacker Attacker Owns Victim s IP Address 11

Flow Poisoning Goal: Blackhole ARP response from Victim to DHCP server Attacker sends spoofed packets from the DHCP server to Victim SDN controller believes DHCP server has moved, inserts new flow rules Add Rules Old Rule Host Moved SDN Controller DHCP server sends ARP broadcast to check for users of the Victim s IP address SDN controller discovers true location of DHCP server, but old flow rules are not removed Removed asynchronously via separate thread or timeouts ARP Flood X ARP reply from victim hits old flow rules and is sent to Attacker, not DHCP server DHCP server assigns Victim s IP address to Attacker Victim DHCP Server Attacker 12

Persona Hijacking In The Wild We demonstrated Persona Hijacking against ONOS and Ryu Emulated Mininet environment Persona Hijacking succeeded against both Source code analysis suggests that POX and Floodlight are also vulnerable Controller Experimentally Vulnerable Probably Vulnerable Not Vulnerable ONOS Ryu POX Floodlight 13

Outline Background SDN Persona Hijacking Attack Takeover of ALL Identifiers Persistent SecureBinder: Designing A Defense Mediate Bindings Root-of-trust Evaluation Summary 14

Goals: SecureBinder: Design Isolate identifier binding control traffic from the data-plane Preventing attackers from observing and responding to queries Mediate all bindings and answer queries Validate changes to existing bindings Preventing attackers from poisoning these mappings and impersonating other hosts Use a global network view to detect and resolve conflicts Validate binding control traffic Preventing attacker from using forged lower-layer identifiers to change higher-layer bindings Ensure that lower-layer bindings are valid before processing binding control traffic Protect readily-changed root identifiers (MAC Addresses) Preventing attackers from impersonating known, but powered-off, devices Use IEEE 802.1x to provide a root-of-trust for our network identifiers Active Directory Communication DNS Protocol DHCP ARP L2 ing MAC Addresses No trust required Active Directory Server DNS Server SDN Controller RADIUS Server Trusted 15

SecureBinder: Leveraging SDN Separate control-plane and data-plane Send binding control traffic to the control-plane Seamlessly interpose on all binding protocols and requests ARP, DHCP, DNS, NETBIOS, Active Directory Eliminates broadcast requests Fwd Binding Mediator SDN Controller Global Check ACLs Egress Filter Control Control Plane Global view of the network Validate bindings by ensuring that identifiers are unique and binding requests come from expected locations Validate all layers of binding control traffic Programmatic control of the network Efficiently prevent all spoofed packets using PER PORT egress (outbound) filters Painless for administrators Binding Control Traffic Device Device Egress Filters Data Plane 16

Need to Protect MAC Addresses MAC addresses are easily modified Attacker can trivially clone the MAC address of a victim device Network cannot tell the difference between the legitimate device and a cloned MAC address MAC addresses are often equated with particular devices i.e. The CEO s Laptop, My Desktop, the GIT server Commonly used in or for Access Control A global network view does not help Can ensure that MAC address is at exactly one place in the network Cannot ensure it corresponds to the device we expect Need a root-of-trust While not needed to prevent Persona Hijacking or ARP Poisoning, protecting MAC addresses is required to completely eliminate identifier binding attacks 17

An IEEE 802.1x Solution IEEE 802.1x provides cryptographic assurance that a host is authorized to access the network Optional extension ensures that it has the MAC address we expect Supported by all major OSes and switches Same technology as WPA2 Enterprise Daemon RADIUS Server Network 18

Implementation Open v TBL 0 TBL 1 Egress Fltr Fwd Open v TBL 0 TBL 1 Egress Fltr Fwd DHCP Forwarding ONOS SDN Controller BindingApp IEEE 802.1x ARP Proxy FreeRADIUS Server OF 1.3 Multiple Flow Tables Table 0 is egress filtering and binding traffic separation Table 1+ is forwarding, etc Based on the ONOS SDN controller Version 1.5.1 Including Apps: Forwarding, ARP Proxy, DHCP New Apps Binding Security App maintaining verified bindings IEEE 802.1x app heavily modified 19

Security Evaluation Formal: Model checking analysis using SPIN Modeled ARP and DHCP 7 correctness invariants Found 6 attacks without SecureBinder No attacks found with SecureBinder Experimental: Tested with Mininet, which provides an emulated SDN network environment Launched three identifier binding attacks against ONOS and SecureBinder Attack ONOS SecureBinder Persona Hijacking See the paper for more details ARP Spoofing Host Location Hijacking Attacks Stopped by ONOS and SecureBinder 20

Performance Evaluation Latency and Controller Load: Host Join Latency: time from host connected to network to operational network New Flow Latency: time to start a new flow Only the first packet will be impacted Flow Rules: Limited switch resource Typical switch has ~2-8K slots Approximate controller load based on number of pkt_in events ONOS SecureBinder Host Join Latency 505ms 3505ms (+3sec) New Flow Latency 8ms 6ms (-2ms) Pkt_in s (Load) 131 193 (+47%) Testing done with Mininet, which provides an emulated SDN network environment 21

Summary We demonstrated the power of identifier binding attacks in SDNs by developing a new attack called Persona Hijacking that progressively breaks multiple bindings to hijack a Victim s IP address and hostname persistently and co-opts the network infrastructure to propagate that deception We showed that this attack is effective against ONOS and Ryu We then developed a defense called SecureBinder that systematically and completely prevent all identifier binding attacks at multiple layers of the network stack by leveraging the programmatic control and global view of the network in SDN and a rootof-trust provided by IEEE 802.1x We showed that this defense is effective against 3 identifier binding attacks, including Persona Hijacking, and that its performance overhead is acceptable 22

Questions? Samuel Jero sjero@purdue.edu 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback