OSI Session / presentation / application Layer. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)

Similar documents
s642 web security computer security adam everspaugh

Produced by. Mobile Application Development. Higher Diploma in Science in Computer Science. Eamonn de Leastar

CSE 565 Computer Security Fall 2018

HTTP Protocol and Server-Side Basics

Network Security. Thierry Sans

Introduction to Network. Topics

CSC 574 Computer and Network Security. DNS Security

::/Topics/Configur...

Running Remote Code is Risky. Why Study Browser Security. Browser Sandbox. Threat Models. Security User Interface.

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

OFF-PATH ATTACKS AGAINST PUBLIC KEY INFRASTRUCTURES. Markus Brandt, Tianxiang Dai, Elias Heftrig, Amit Klein, Haya Shulman, Michael Waidner

A Security Evaluation of DNSSEC with NSEC Review

CSCE 463/612 Networks and Distributed Processing Spring 2018

Computer Systems and Networks

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

DNS and SMTP. James Walden CIT 485: Advanced Cybersecurity. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31

Foreword by Katie Moussouris... Acknowledgments... xvii. Introduction...xix. Chapter 1: The Basics of Networking... 1

Application Level Protocols

How the Internet Works

DNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A

Network concepts introduction & wireshark

Computer Security CS 426

Application Layer: OSI and TCP/IP Models

The State and Challenges of the DNSSEC Deployment. Eric Osterweil Michael Ryan Dan Massey Lixia Zhang

CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017

CS 5450 HTTP. Vitaly Shmatikov

Writing Assignment #1. A Technical Description for Two Different Audiences. Yuji Shimojo WRTG 393. Instructor: Claudia M. Caruana

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Networking Overview. CS 161: Computer Security Prof. Vern Paxson. TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce & Matthias Vallentin

CIS 5373 Systems Security

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters

CSE 127: Computer Security Network Security. Kirill Levchenko

DOMAIN NAME SECURITY EXTENSIONS

Network Security. Network Vulnerabilities

Web Security, Part 2

Lecture 7b: HTTP. Feb. 24, Internet and Intranet Protocols and Applications

An Overview of DNSSEC. Cesar Diaz! lacnic.net!

Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist

Application Layer Introduction; HTTP; FTP

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

TCP/IP Networking Basics

COMPUTER NETWORKS AND COMMUNICATION PROTOCOLS. Web Access: HTTP Mehmet KORKMAZ

Denial of Service. Eduardo Cardoso Abreu - Federico Matteo Bencic - Pavel Alexeenko -

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

This time. Digging into. Networking. Protocols. Naming DNS & DHCP

ICS 351: Today's plan. IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder

Transport Level Security

ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder

Protecting Privacy: The Evolution of DNS Security

Network concepts introduction & wireshark. workshop

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

Threat Pragmatics & Cryptography Basics. PacNOG July, 2017 Suva, Fiji

20-CS Cyber Defense Overview Fall, Network Basics

COSC 2206 Internet Tools. The HTTP Protocol

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

Uniform Resource Locators (URL)

SecSpider: Distributed DNSSEC Monitoring and Key Learning

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

HP Load Balancing Module

Domain Name System Security

PLEASE READ CAREFULLY BEFORE YOU START

Network Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015

Network Security Part 3 Domain Name System

Transport Layer Security

INGI1341: Project 2 Analysis of a website

CSE Computer Security

DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d

DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber

CSC 574 Computer and Network Security. TCP/IP Security

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

EECS 122: Introduction to Computer Networks DNS and WWW. Internet Names & Addresses

ICS 351: Today's plan. HTTPS: SSL and TLS certificates cookies DNS reminder Simple Network Management Protocol

CS4/MSc Computer Networking. Lecture 3: The Application Layer

Internet Architecture. Web Programming - 2 (Ref: Chapter 2) IP Software. IP Addressing. TCP/IP Basics. Client Server Basics. URL and MIME Types HTTP

Chapter 8 roadmap. Network Security

ECCouncil Certified Ethical Hacker. Download Full Version :

Network Security. DNS (In)security. Radboud University, The Netherlands. Spring 2017

Scan Report Executive Summary

How to Configure DNS Sinkholing in the Firewall

DNS Authentication-as-a-Service Preventing Amplification Attacks

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

Scan Report Executive Summary

Network Security Protocols and Defensive Mechanisms

Internet Content Distribution

CSE 127 Computer Security

Information Network I: The Application Layer. Doudou Fall Internet Engineering Laboratory Nara Institute of Science and Technique

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

CSE543 Computer and Network Security Module: Network Security

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

CS 43: Computer Networks. Layering & HTTP September 7, 2018

Lab 2. All datagrams related to favicon.ico had been ignored. Diagram 1. Diagram 2

DNSSEC: what every sysadmin should know to keep things working

Remote DNS Cache Poisoning Attack Lab

0 0& Basic Background. Now let s get into how things really work!

Application Layer. Applications and application-layer protocols. Goals:

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

Web Security. Mahalingam Ramkumar

Transcription:

OSI Session / presentation / application Layer Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 1

Higher level protocols On top of IP, TCP, UDP, etc. there are a plethora of application-level protocols FTP à file transfer SMTP/POP/IMAP à mail Telnet à remote access SSH à remote access HTTP à web DNS à infrastructure Pointless exercise to go through them all Rather, we focus on some most important threats Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 2

Domain Name Service (quick intro) DNS is a hierarchical system for domain name resolving Translates human-readable addressed (google.com) to (a set of) IP addresses the domain is reachable at UDP for fast answers (port 53) Each transaction identified by an ID (16 bits) Transaction ID: TXID Original DNS implementation à incremental TXID Several type of records. Of interest here A (AAAA) à IPv4 (IPv6) of the requested domain e.g. a.website.com A 65.61.198.201 NS à IP of the DNS server to ask e.g. a.website.com NS ns.website.com Followed by an A answer for the dns ns.website.com A 2.2.2.2 Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 3

DNS hierarchy Root DNSs à responsible for top level domain queries e.g..com NS ns.auth.net Authoritative DNS à a DNS server that answers queries whose answer it already knows Does not ask to other DNSs Recursive DNS à a DNS server that forwards queries to Authoritative DNSs Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 4

DNS queries, authoritative answers, and caching (simplified) When the client wants to contact www.website.com it sends a query to its local DNS (also called recursive DNS) Local DNS forwards request to authoritative DNS Local DNS caches entry 65.61.198.201 3b. Cache website.com is at 65.61.198.201 1. ID=x Where is website.com? 2. ID=a Where is website.com? 4. ID=x website.com is at 65.61.198.201 3. ID=a website.com is at 65.61.198.201 Recursive DNS Authoritative DNS Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 5

DNS cache poisoning 65.61.198.201 Recursive DNS cache: website.com A 1.2.2.2 The first received answer is cached Subsequent answers with same TXID are ignored. Attacker must win the race. 3b. Cache website.com is at 1.2.2.2 1. ID =x Where is website.com? 2. ID=a Where is website.com? 4. website.com is at 1.2.2.2 X Recursive DNS 3. ID=a website.com is at 65.61.198.201 Authoritative DNS 3. ID=z website.com is at 1.2.2.2 3. ID=a website.com is at 1.2.2.2 1.2.2.2 Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 6

DNS cache poisoning Recursive DNS cache: website.com A 1.2.2.2 65.61.198.201 Local DNS now has in cache website.com is at 1.2.2.2 Recursive DNS Authoritative DNS 1.2.2.2 Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 7

Recursive DNS cache: DNS, the full picture Has embedded list of 13 root DNSs 1. ID =x Where is a.website.com? Recursive DNS 8. ID =x a.website.com A 65.61.198.201.com NS ns.auth.com ns.auth.com A 1.1.1.1 website.com NS ns.website.com ns.website.com A 2.2.2.2 a.website.coma 65.61.198.201 recursive DNS 5. ID =b ask ns.website.com IP=j 4. ID =b Where is a.website.com? called delegation. Happens with a response of type NS a.website.com 65.61.198.201 ns.website.com j=2.2.2.2 ns.auth.com k=1.1.1.1 Root DNS Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 8

Kaminsky vulnerability The Kaminsky vulnerability can lead to a cache poisoning attack The attacker rather than replacing an A record replaces an NS record This way the attacker can get control over any (sub)domain b.a.website.com a.website.com website.com.com Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 9

Recursive DNS cache: Kaminsky attack (cntd) 1. ID =x Where is a.website.com? recursive DNS 8. ID =x a.website.com A 3.3.3.5.com NS ns.auth.com ns.auth.com A 1.1.1.1 website.com NS ns.attacker.com ns.attacker.com A 3.3.3.3 a.website.coma 3.3.3.5 9. GET a.website.com/index.htm ttacker.com 3.3.3.5 a.website.com 65.61.198.201 Attacker s system 3.3.3.4 5. ID =b ask ns.website.com IP=j X 4. ID b= Where is a.website.com? The first received answer is cached Subsequent answers with same TXID are ignored. Attacker must win the race. ns.attacker.com ns.auth.com Root DNS h=3.3.3.3 ns.website.com k=1.1.1.1 j=2.2.2.2 Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 10

Recursive DNS cache: Kaminsky attack (cntd) 1. ID =j Where is login.website.com? recursive DNS 4. ID =j login.website.com A 3.3.3.5.com NS ns.auth.com ns.auth.com A 1.1.1.1 website.com NS ns.attacker.com ns.attacker.com A 3.3.3.3 a.website.coma 3.3.3.5 login.website.com A 3.3.3.5 5. GET login.website.com ttacker.com 3.3.3.5 Attacker s system 3.3.3.4 a.website.com 65.61.198.201 ns.attacker.com 3.3.3.3 ns.website.com 2.2.2.2 ns.auth.com 1.1.1.1 Root DNS Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 11

Mitigation of Kaminsky s vulnerability Source of attack is low entropy with a 16 bit ID Randomness is not enough to represent a significant margin Moving ID size to 32 bits is not feasible Can not change the protocol Solution à randomize the source port (16 bits) to increase entropy In reality can t use all 16 bits for the source port because of reserved values Any answer that does not match both source port and transaction ID will be dropped Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 12

DNS amplification attack A type of DoS attack Exploits certain type of DNS answers that are much bigger in size than the requests attack s throughput much bigger than attacker s input DNS works over UDP à source IP easy to spoof SourceIP=5.5.5.5 ANY information on zone (60 bytes) DestIP=5.5.5.5 ANY information on zone (3000 bytes) attacker DNS DoS ed Victim 5.5.5.5 Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 13

DNS zone transfer A zone is a domain for which a server is authoritative slave servers can ask authoritative servers to copy their zone database Over TCP An attacker pretends to be a slave server and dump the zone DB Acquires knowledge of zone s infrastructure Can be used to facilitate further attacks (e.g. spoofing or more direct attacks) Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 14

DNSSec Secure implementation of the DNS protocol Implements DNS authentication on top of normal DNS exchange Digitally signed over a chain-of-trust starting from the root server Uses electronic certificates Public-key crypto à authenticate by showing proof that you own a secret key Protects data integrity No confidentiality protection Additional reading Hao Yang ; Osterweil, E. ; Massey, D. ; Songwu Lu ; Lixia Zhang. Deploying Cryptography in Internet-Scale Systems: A Case Study on DNSSEC. IEEE Transactions on Dependable and Secure Computing. Vol 8, Issue 5. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 15

DNS root servers location http://root-servers.org Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 16

HTTP Main protocol on which the www works Based on the notion that client can either request or submit data to a server Two methods GET à Requests data from a specified resource GET /test/demo_form.asp?name1=value1&name2=value2 HTTP/1.1 POST à Submits data to be processed to a specified resource POST /test/demo_form.asp HTTP/1.1 Host: w3schools.com name1=value1&name2=value2 HTTP is Stateless HTTP cookies enable statefulness Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 17

URLs Global identifiers of network-retrievable documents Example: http: //disi.unitn.it:81/class?name=cs155#homework Protocol Fragment Hostname Port Path Query Special characters are encoded as hex: %0A = newline %20 or + = space, %2B = + (special exception)

HTTP GET Request Method File HTTP version Headers Parameters GET /index.php&user=luca&password=1234 HTTP/1.1 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en Connection: Keep-Alive User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com Referer: http://www.google.com?q=example

HTTP POST Request Method File HTTP version Headers POST /index.php HTTP/1.1 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en Connection: Keep-Alive User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com Referer: http://www.google.com?q=example user=luca&password=1234 Parameters

HTTP Response HTTP version Status code Reason phrase Headers HTTP/1.1 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Set-Cookie: Content-Length: 2543 Data <HTML> Some data... blah, blah, blah </HTML> Cookies

Cookies Used to store state on user s machine Browser POST HTTP Header: Server Set-cookie: NAME=VALUE ; domain = (who can read) ; If expires=null: expires = (when expires) ; this session only secure = (only over SSL) Browser POST Cookie: NAME = VALUE Server HTTP is stateless protocol; cookies add state

Cookie example: authentication Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 23

Attack example: HTTP session hijacking Session ID used by webserver to authenticate client victim Send over cookie in-the-clear Attacker can read the session ID cookie and spoof the victim s identity e.g. access to personal webpages/accounts (e.g. Facebook until 2011) https://www.owasp.org/index.php/session_hijacking_attack Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 24

Secure Cookies Browser GET HTTP Header: Set-cookie: NAME=VALUE ; Secure=true Server Provides confidentiality against network attacker Browser will only send cookie back over encrypted channels but no integrity Can rewrite secure cookies over HTTP network attacker can rewrite secure cookies

Telnet Protocol used in remote control services Implemented through a virtual terminal that connects to systems Operates over TCP port 23 Remote client can issue commands to server Plain-text commands Typically no authentication Typically no channel encryption No need to go through possible attacks here Use SSH instead :-) Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 26

Common issues Most of the network attacks we ve seen so far have at least one of two issues common among most network problems Lack of authentication à the real sender/receiver of a packet/datagram can not be authenticated It is possible to spoof its identity Communication channel is in the clear à a clever or wellpositioned (in the network) attacker can read and potentially modify the information exchanged over the channel Confidentiality problem that becomes an authentication problem à Encryption helps mitigating many of these problems Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 27

Suggested reading Bykova, Marina, and Shawn Ostermann. "Statistical analysis of malformed packets and their origins in the modern Internet." Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment. ACM, 2002. Hao Yang ; Osterweil, E. ; Massey, D. ; Songwu Lu ; Lixia Zhang. Deploying Cryptography in Internet-Scale Systems: A Case Study on DNSSEC. IEEE Transactions on Dependable and Secure Computing. Vol 8, Issue 5. Internet Census 2012. Port scanning /0 using insecure embedded devices. http://internetcensus2012.bitbucket.org/paper.html Blackert, W. J., et al. "Analyzing interaction between distributed denial of service attacks and mitigation technologies." DARPA information survivability conference and exposition, 2003. Proceedings. Vol. 1. IEEE, 2003. S. M. Bellovin. 1989. Security problems in the TCP/IP protocol suite. SIGCOMM Comput. Commun. Rev. 19, 2 (April 1989), 32-48. DOI=http://dx.doi.org/10.1145/378444.378449 Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 28

Useful network tools Wireshark / tcpdump à traffic monitoring ARP requests DNS requests TCP 3-way handshake à SYN ACK Network stack overview Nmap à scans (TCP; UDP;..) Scapy à Python interface to generate network packets at the stack level Manually craft network packets Other tools: Ettercap à MitM attacks (ARP poisoning etc.) Netcat à legacy tool to generate UDP/TCP traffic Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback