Escolar Documentos
Profissional Documentos
Cultura Documentos
CS 155
Internet Security:
How the Internet works and
some basic vulnerabilities
Dan Boneh
Internet Infrastructure
Backbone
ISP
ISP
Application
Application protocol
TCP protocol
Transport
Network
IP protocol
Link
Data
Link
Application
Transport
IP
IP protocol
Network
Network
Access
Data
Link
Link
Data Formats
TCP Header
Application
message
segment
Network (IP)
packet
Link Layer
frame
TCP
IP Header
data
TCP
data
IP TCP
data
ETH IP TCP
data
Link (Ethernet)
Header
TCP
data
ETF
Link (Ethernet)
Trailer
IP
Internet Protocol
Connectionless
Unreliable
Best effort
Version
Flags
Fragment Offset
Time to Live
Protocol
Header Checksum
Notes:
src and dest ports
not parts of IP hdr
Header Length
Type of Service
Total Length
Identification
IP Routing
Meg
Office gateway
Packet
121.42.33.12
Source 121.42.33.12
Destination 132.14.11.51
Tom
132.14.11.1
ISP
132.14.11.51
121.42.33.1
Error reporting
TTL field:
Implications:
TCP
Sender
Break data into packets
Attach packet numbers
Receiver
Acknowledge receipt; lost packets are resent
Reassemble packets in correct order
Book
Reassemble book
1
19
1
TCP Header
(protocol=6)
Source Port
Dest port
SEQ Number
ACK Number
U A P P S F
R C S S Y I
G K H R N N
TCP Header
Other stuff
S
SYN:
SNCrandC
ANC0
SN randS
SYN/ACK: ANS SN
S
SNSN +1
Listening
Store SNC , SNS
Wait
ACK: ANSNC
S
Established
Received packets with SN too far out of window are dropped
DDoS lecture
TCP SYN
srcIP=victim
attacker
ACK
srcIP=victim
AN=predicted SNS
Server
SYN/ACK
dstIP=victim
SN=server SNS
Victim
command
Routing Security
ARP, OSPF, BGP
Interdomain Routing
(AS#32)
Stanford.edu
BGP
earthlink.net
(AS#4355)
Autonomous
System
connected group of one or
more Internet Protocol
prefixes under a single
routing policy (aka domain)
OSPF
Routing Protocols
ARP (addr resolution protocol):
IP addr eth addr
Security issues: (local network attacks)
OSPF:
BGP example
[D. Wetherall]
27
265
7265
7
265
327
3
265
27
3265
65
27
627
Security Issues
BGP path attestations are un-authenticated
Solutions:
RPKI: AS obtains a certificate (ROA) from RIR and
attaches ROA to path advertisements.
Advertisements without a valid ROA are ignored.
Defends against a malicious AS (but not a network attacker)
route
in effect
for several
hours
Normally:
OSPF:
routing inside an AS
Ra
Rb LSA
Rb
R3
LSA
DB:
Net-1
Ra
2
3
1
Rb
1
1
Security features
OSPF message integrity (unlike BGP)
DNS
wisc
edu
net
com
stanford
ucb
cs
uk
cmu
ca
mit
ee
www
Client
Local DNS
resolver
stanford.edu
DNS server
cs.stanford.edu
DNS server
DNS record types (partial list):
- NS: name server (points to other server)
- A:
address record (contains IP address)
- MX: address in charge of handling email
- TXT: generic text (e.g. used to distribute site public keys (DKIM) )
Caching
DNS responses are cached
DNS Packet
Query ID:
Resolver to NS request
10
Response to resolver
Response contains IP
addr of next NS server
(called glue)
Response ignored if
unrecognized QueryID
final answer
Obvious problems
11
(a la Kaminsky08)
user
browser
a.bank.com
QID=x1
local
DNS
resolver
ns.bank.com
IPaddr
256 responses:
Random QID y1, y2,
NS bank.com=ns.bank.com
A ns.bank.com=attackerIP
attacker wins if j: x1 = yj
response is cached and
attacker owns bank.com
attacker
user
browser
b.bank.com
b.bank.com
QID=x2
local
DNS
resolver
attacker wins if j: x2 = yj
response is cached and
attacker owns bank.com
ns.bank.com
IPaddr
256 responses:
Random QID y1, y2,
NS bank.com=ns.bank.com
A ns.bank.com=attackerIP
attacker
Defenses
Increase Query ID size.
How?
12
[DWF96, R01]
<iframe src="http://www.evil.com">
DNS-SEC cannot
stop this attack
www.evil.com?
171.64.7.115 TTL = 0
Firewall
192.168.0.100
corporate
web server
192.168.0.100
ns.evil.com
DNS server
www.evil.com
web server
171.64.7.115
Server-side defenses
Firewall defenses
Summary
Core protocols not designed for security
13