
Protocol perils: Hacking the stack

Course announcement
Topics in Cryptography
Tom Shrimpton (teshrim at cs . pdx . edu) http://www.cs.pdx.edu/~teshrim/spring06/info-510.html

Hacking the stack


Protocol attacks at all layers
Data-link layer
Network layer
Transport layer
Application layer

Data-link layer hacks

Sniffing
Gathering packets from the local network
Passive (wired network with a hub or a wireless network)
Turn on promiscuous mode on NIC
Make NIC accept all data-link layer frames not just its own

Software
Snort (www.snort.org)
tcpdump/ethereal
Sniffit (reptile.rug.ac.be/~coder/sniffit/sniffit.html)
Dsniff (www.monkey.org/~dugsong/dsniff)

Active (wired network built with a switch)


Harder (switch prevents data frames from being broadcast)
How can someone sniff switched traffic?

Active Sniffing
Fool the switch into sending the packets to the sniffer
MAC Flooding
Send a flood of traffic with random MAC addresses
Fill up the switch's memory
Switches will then forward packets to all links on the switch
Dsniff program: macof

ARP spoofing
Send fake ARP replies to change the victim's ARP table
Dsniff program: arpspoof

Attacker configures his or her system to forward any traffic it receives to the router. Any traffic from the target machine is sent to the attacker's machine before being transferred to the local network.
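The ARP table rewrite described above leaves a footprint that an arpwatch-style monitor can catch: the IP-to-MAC binding for the router (or the victim) suddenly changes, and one MAC address starts answering for several IPs. The following is an added example, not part of the slides or of Dsniff; the ARP reply list is constructed, and the monitor only looks at the (sender IP, sender MAC) fields of each reply.

```python
"""Flag suspicious ARP replies the way an arpwatch-style monitor does.

Added example, not from the slides. It keeps a table of IP -> MAC bindings
learned from ARP replies and raises an alert when a binding changes or when a
single MAC claims several IP addresses.
"""
from collections import defaultdict

# Constructed sample: (sender IP, sender MAC) of ARP replies seen on one LAN.
SAMPLE_REPLIES = [
    ("10.0.0.1", "aa:bb:cc:00:00:01"),   # router, legitimate
    ("10.0.0.20", "aa:bb:cc:00:00:20"),  # workstation, legitimate
    ("10.0.0.1", "aa:bb:cc:00:00:99"),   # router IP now claimed by another MAC
    ("10.0.0.20", "aa:bb:cc:00:00:99"),  # same MAC also claims the workstation
]


class ArpMonitor:
    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, ip, mac):
        """Record one ARP reply; return a list of alert strings (empty if benign)."""
        alerts = []
        mac = mac.lower()
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(f"binding change: {ip} moved from {known} to {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            alerts.append(f"one MAC claims several IPs: {mac} -> {sorted(self.mac_to_ips[mac])}")
        return alerts


def scan(replies):
    """Feed every reply through a fresh monitor and collect all alerts."""
    monitor = ArpMonitor()
    alerts = []
    for ip, mac in replies:
        alerts.extend(monitor.observe(ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_REPLIES):
        print("ALERT:", alert)
```

A binding change on its own is also what a legitimate NIC swap or DHCP reassignment looks like, so in practice the alert is correlated with a second signal (the same MAC claiming the gateway and a host at once, as in the sample) before anyone acts on it.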

Spoofing ARP Messages

Question: How do you detect a sniffer on your machine?

Answer: Check to see if your network interface is in promiscuous mode: ifconfig -a => look for PROMISC

Question: How do you detect a sniffer on your network?

Answer: Send a TCP SYN packet to the sniffer with a bogus MAC address
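The local check above can be scripted rather than read off ifconfig output. This added example (not from the slides) does it on Linux by reading each interface's flags word from sysfs; the PROMISC that ifconfig prints is the IFF_PROMISC bit, 0x100, in that word. The sysfs path is the standard one; no other assumptions are made.

```python
"""Check which local interfaces are in promiscuous mode (Linux).

Added example, not from the slides. /sys/class/net/<iface>/flags holds the
interface flags as a hex string; IFF_PROMISC (0x100, from <linux/if.h>) is
the bit that makes ifconfig print PROMISC.
"""
import os

IFF_PROMISC = 0x100


def is_promisc(flags_text):
    """flags_text is the hex string read from the sysfs flags file, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Return the names of interfaces whose flags have IFF_PROMISC set."""
    found = []
    if not os.path.isdir(sysfs_root):
        return found
    for name in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, name, "flags")
        try:
            with open(path) as fh:
                if is_promisc(fh.read()):
                    found.append(name)
        except OSError:
            continue  # virtual or vanished interface; skip it
    return found


if __name__ == "__main__":
    print("promiscuous interfaces:", promiscuous_interfaces() or "none")
```

This only finds sniffers that rely on promiscuous mode on this host; it says nothing about a sniffer elsewhere on the segment, which is what the second question on the slide addresses.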

802.11 vulnerabilities
802.11 MAC layer
Nodes are identified with a globally unique 12 byte address.
No mechanism for verifying the correctness of the identity.
Implicit trust in a speaker's source address.

802.11 deauthentication attack


802.11 clients
Authenticate with one or more access points (AP).
Associate with the AP that they will route through.

Either end-point can request deauthentication from the other.

Attacker spoofs this message to interrupt data flow.
Forces authentication to be re-established.
[Diagram: spoofed deauthentication message]

802.11 disassociation attack


Similar to the deauthentication attack. Either end-point can request disassociation from the other.
Attacker spoofs this message to interrupt data flow.
Forces association to be re-established.

More attacking messages are required to get the same effect as the deauthentication message.
[Diagram: spoofed disassociation message]

802.11 power saving attack


Clients can turn off radio to conserve energy.
Client tells AP that it is entering sleep.
AP tells client when to wake up for traffic.
AP will buffer data and send a traffic indication map (TIM) to the client periodically.
Client wakes up to receive each TIM and then retrieves data if available.
[Diagram: normal power-saving exchange between client and AP. The client sends "Entering Sleep", gets a Management Response, sleeps, wakes for each TIM and retrieves buffered data when a TIM indicates it.]

802.11 power saving attack


Messages are sent in the clear.
Attacker can spoof management packet and prevent synchronization.
Attacker can spoof client polling and discard data.
Attacker can spoof TIM and convince client there is no data.
[Diagram: the same client/AP exchange with spoofed Management Response and TIM messages from the attacker interleaved.]

802.11 carrier sense attacks


Hidden terminals prevent perfect collision detection.
Physical and virtual carrier-sense mechanisms are used to control channel access.
Both of these mechanisms can be exploited.

802.11 physical carrier-sense attack


Before transmitting a frame, a node must wait at least a small interval of time (SIFS for 802.11 ACKs).
Attacker jams channel towards end of SIFS to force all to back off (CSMA).
SIFS is 20 µs for 802.11b.
Requires 50,000 packets per second to disable all access.
Expensive for attacker.

802.11 virtual carrier-sense attack


Each 802.11 frame carries a maximum number of microseconds to reserve the channel, specified in the NAV.
Max value is 32767, or about 32 ms.
Attacker persistently reserves channel for maximum duration.
Only sends for short time during reservation.
Jams all access with only 30 transmissions a second.

Not all 802.11 hardware obeys the NAV (a bug that saves 802.11 from this attack).

Other data-link layer attacks


WEP
Wired Equivalent Privacy
Initial security scheme for 802.11
Can be broken in under 1 minute
J. Walker, "IEEE 802.11 Wireless LANs: Unsafe at any key size; An analysis of the WEP encapsulation"

Network layer hacks


IP spoofing
Host fills in its own address in sending packets
Implicitly trusted not to forge the entry
Leads to all sorts of problems
Chapter 3 lecture notes: IP spoofing scenario using .rhosts and predictable TCP ISN
Establish a blind connection with a remote host

Reflector attacks
Occur at all layers (not just network layer)
However, most rely on IP spoofing

A reflector is any IP host that will return a packet or more if sent a packet.
Reflector cannot easily locate the initiator because of IP spoofing.

Examples:
Web servers: return SYN ACKs or RSTs in response to SYN or other TCP packets.
DNS servers: return query replies in response to query requests.
Routers: return ICMP Time Exceeded in response to TTL expiry or Host Unreachable messages in response to unroutable IP addresses.

ICMP reflectors
ICMP echo
Widely used for ping
Smurf attacks
Repeatedly send ICMP ping to the broadcast IP address of a network that can receive and respond to directed broadcasts (a smurf amplifier)
Use the victim's IP address as the source IP
Victim's bandwidth is filled with response packets
Attacks and software
Smurf (ICMP), Fraggle (UDP), and Papasmurf (ICMP and UDP): www.packetstormsecurity.org/new-exploits/

List of Smurf Amplifiers: www.netscan.org

ICMP reflectors
Other ICMP candidates
Timestamp, Address mask, Router solicitation, Information request/reply, Source quench, Host unreachable, Time exceeded, Parameter problem, Redirect, Need fragmentation.

Routing attacks
Attack
Intruder sends bogus routing information to a target and each of the gateways along the route
Impersonates an unused host
Diverts traffic for that host to the intruder's machine
Used to monitor dark IP addresses

Impersonates a used host
All traffic to that host routed to the intruder's machine
Intruder inspects packets & resends to host w/ source routing
Allows capturing of unencrypted passwords, data, etc.

Routing attacks
BGP Routing Fault Example:
ISP mistakenly announced routes to 3000+ prefixes (destinations) it did not own. Other ISPs adopted these routes and blackholed traffic to those sites.
Slides courtesy of Dan Massey

Routing attacks
Invalid BGP routes exist in everyone's table.
These can include routes to root/gTLD servers.
One example observed on 4/16/01: a route to 192.26.92/24 (the prefix of c.gtld-servers.net, 192.26.92.30) was originated and propagated across the Internet to the rrc00 monitor.
ISPs announced the new path: 3 lasted 20 minutes, 1 lasted 3 hours.
[Diagram: origin of the route, the Internet, the rrc00 monitor, and c.gtld-servers.net 192.26.92.30]

Routing attacks
BGP routing can direct packets to a false server. Detected false BGP routes to root/gTLD servers at major global ISPs.
Routes lasted up to hours, but were errors and the faulty site did not reply.
Any response from a false server would be believed.
NANOG 25 / ICDCS 2003: protecting BGP routes to DNS servers
[Diagram: Bell Labs caching server, Internet routing, a root server and a spoofed root server]

Routing attacks
Defenses
Filtering based on prior information
Messes with fault-tolerance but detects intrusion attempts

Authentication of advertisements
S-BGP


Routing attacks
Spoofing with Source Routing
Impersonate system A: attacker creates packets from system A to B, with the attacker's address in the source route.
Packet sent to system B, but any replies are sent to the attacker's machine.
Attacker does not forward them to system A because the connection would be reset.

ICMP redirect hacks


Targeted Denial of Service (DoS)
Attacker sends ICMP Redirect message to give a bogus route
Attacker sends Destination Unreachable or TTL exceeded messages to reset existing connections
Attacker sends fraudulent Subnet Mask Reply messages
Blocks communication with target

Defenses
Verify ICMP packet contains a plausible sequence #
Don't modify Global Route Table due to ICMP Redirect messages
Disallow ICMP Redirects?
Check to see if multiple ICMPs from a host agree

NIDS avoidance
NIDS: Network Intrusion Detection System
Passively monitor network looking for attacks
Signature analysis done across packets
Challenges
Accuracy: false positives and false negatives
Performance: forensic value of information

Fundamental problem
Deployed on a different box
Potentially on a different network

Result
NIDS could see a different stream of packets than host
Protocol implementation ambiguities
Different protocol stacks have different behavior

NIDS avoidance
Insertion
IDS thinks packets are valid; end system rejects them

Evasion
End system accepts packets that IDS rejects

Denial of Service
Resource exhaustion

NIDS avoidance
Confuse the NIDS
Invalid MAC addresses?
Invalid headers
Permissive in receiving, frugal in sending?
Bad IP checksum will be dropped?
IP options

IP TTL ambiguity
Packet received or not?

Packet too large for downstream link?

Source-routed packets
Will destination reject such packets?

Fragment time-out
Will other parts of fragment still be at destination?

Overlapping fragments
Which data will be used?
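The overlapping-fragment question is a concrete one: two stacks that both reassemble the same fragments can produce different byte streams if one keeps the first copy of an overlapped byte and the other keeps the last. The added example below (not from the slides) models fragments as (offset, payload) pairs, reassembles them under either policy, and, more usefully for a monitor, reports the byte positions where overlapping fragments disagree. A NIDS that sees such a conflict and does not know the target's policy cannot trust its own reassembly, and a normalizer in front of the hosts would drop the set. Offsets are in bytes for readability; real IP fragment offsets are in 8-byte units.

```python
"""Detect conflicting overlaps in a set of IP fragments.

Added example, not from the slides. reassemble() shows that two policies
yield different data for conflicting overlaps; conflicting_overlaps() is the
check a monitor or normalizer would run before trusting any reassembly.
"""

# Constructed samples: fragments that agree on their overlap, and fragments
# whose overlap (bytes 4..7) carries different data.
AGREEING = [(0, b"GET /ind"), (4, b"/index.html")]
CONFLICTING = [(0, b"GET /ind"), (4, b"/admin.html")]


def reassemble(fragments, policy="first"):
    """Join fragments into one byte string.

    policy="first": bytes already present win (favour old data).
    policy="last":  later fragments overwrite earlier ones (favour new data).
    Gaps, if any, are filled with zero bytes.
    """
    buf = {}
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "first" and pos in buf:
                continue
            buf[pos] = byte
    if not buf:
        return b""
    return bytes(buf.get(p, 0) for p in range(max(buf) + 1))


def conflicting_overlaps(fragments):
    """Byte positions where two fragments overlap with different data."""
    seen = {}
    conflicts = set()
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != byte:
                conflicts.add(pos)
            seen.setdefault(pos, byte)
    return sorted(conflicts)


if __name__ == "__main__":
    for name, frags in (("agreeing", AGREEING), ("conflicting", CONFLICTING)):
        print(name, "first:", reassemble(frags, "first"),
              "last:", reassemble(frags, "last"),
              "conflicts at:", conflicting_overlaps(frags))
```

The monitor-side rule that follows from this is simple: an empty conflict list means reassembly is unambiguous regardless of the target's policy; a non-empty one means the stream should be flagged (or dropped by a normalizer) rather than silently reassembled one way.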

NIDS avoidance
Exhaust resources on NIDS
CPU, Memory, Network Bandwidth
Fragmentation
Send large numbers of fragments
CPU: data structure attack
Memory: space attack
Can lead to DoS (teardrop, jolt2)

Fragrouter
Automatically fragments all packets
Accepts IP packets routed from another system and fragments these packets according to various schemes

Generate large numbers of false positives
Separating script kiddies from sophisticated hackers
Separating wheat from chaff

Transport layer hacks


TCP session reset and hijacking attacks


Problem
TCP stacks with predictable sequence numbers
See Chapter 3 lecture notes on TCP ISN selection and the Mitnick attack

TCP reset attacks
Uses similar approach to terminate an existing connection
Send a spoofed TCP RST with guessed sequence numbers
BGP session reset

TCP hijacking
Attacker inserts itself into path
Already on the path or via ARP spoofing
Sniff to find sequence numbers of victim connection
Attacker takes over existing connection using spoofed packets and dropping packets of one of the end-points

TCP session hijacking


Problem
Attacker not along path of hijacked connection
Attacker sends system B packets with system A's IP address
System A notices a mismatch in TCP sequence numbers and sends ACK packets to resynchronize the numbers.
Continual retransmission of ACK packets is known as an ACK storm.

Most hijacking tools cannot cope with the ACK storm and the connection will be dropped.

TCP session hijacking


Hunt (www.packetstormsecurity.org/sniffers/hunt)
2 methods to keep session alive
Use ARP spoofing to keep connection from being dropped
Attempt to resynchronize the connection
Send a message to system A saying "msg from root: power failure, try to type 88 characters" (where 88 is the number of chars. that the attacker typed during the hijacking)
Increments the sequence number of system A's TCP stack to where it should be.
Two new ARP spoof messages are then sent, restoring the correct MAC addresses.

TCP SYN flooding


Attacker sends many connection requests w/ spoofed source addresses to victim
Victim allocates resources for each request
Finite # half-open connection requests supported
Connection requests exist for TIMEOUT period

Once resources exhausted, all other requests rejected
[Diagram: normal connection establishment vs. SYN flooding attack]

TCP SYN flooding defenses


System Configuration Improvements
Reduce timeout period
Increase length of backlog queue to support more connections
Disable non-essential services to make a smaller target

Router Configuration Improvements


Configure router external interfaces to block packets with source addresses from the internal network
Configure router internal interfaces to block packets to the outside that have source addresses from outside the internal network
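The two router rules above are the ingress/egress anti-spoofing filter: a packet arriving from the Internet must not claim an internal source, and a packet leaving the site must carry an internal source. The added example below (not from the slides, and not any router's configuration syntax) expresses both rules as a decision function over a constructed site prefix and runs it over a few constructed packets; only the direction and the source address matter to the decision.

```python
"""Ingress/egress anti-spoofing filter for a border router, as the slides describe it.

Added example, not from the slides. The site prefix and the sample packets
are constructed (RFC 5737 documentation ranges).
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed site prefix


def decide(direction, src):
    """direction is 'inbound' (arriving from the Internet on the external interface)
    or 'outbound' (arriving from the LAN on the internal interface).
    Returns ('pass' | 'drop', reason)."""
    addr = ipaddress.ip_address(src)
    inside = addr in INTERNAL_NET
    if direction == "inbound" and inside:
        return "drop", "packet from outside claims an internal source address"
    if direction == "outbound" and not inside:
        return "drop", "packet from inside carries a non-local source address"
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction {direction!r}")
    return "pass", "source address consistent with interface"


def apply_filter(packets):
    """packets: iterable of (direction, source IP); returns the list of verdicts."""
    return [decide(direction, src)[0] for direction, src in packets]


# Constructed sample traffic: (direction, source IP)
SAMPLE = [
    ("inbound", "198.51.100.7"),   # normal inbound packet
    ("inbound", "192.0.2.10"),     # spoofs one of our own addresses: drop
    ("outbound", "192.0.2.10"),    # normal outbound packet
    ("outbound", "203.0.113.5"),   # our host spoofing an outside address: drop
]

if __name__ == "__main__":
    for (direction, src), verdict in zip(SAMPLE, apply_filter(SAMPLE)):
        print(f"{direction:8} {src:15} -> {verdict}")
```

The outbound rule is the one that protects everyone else: a site that applies it cannot be the source of the spoofed SYNs in the flood above, whatever its internal hosts do.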

TCP SYN cookies


Make handshake stateless on server end
Server makes ISN a function of a secret nonce it keeps and pieces of the SYN connection ID
Only create TCB and establish connection upon verifying client's ACK
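The cookie idea can be shown end to end: the server derives the ISN it places in the SYN-ACK from its secret, the connection 4-tuple and a coarse clock, stores nothing, and allocates the TCB only when an ACK arrives whose acknowledgment number is one more than a cookie it could have minted for that 4-tuple. The following is an added example, not from the slides and not any kernel's SYN-cookie algorithm; the HMAC construction, the 64-second tick and the client/server addresses are this example's own choices.

```python
"""SYN-cookie style stateless handshake, as the slides describe it.

Added example, not from the slides. The server keeps a secret and a slowly
ticking counter; the ISN is an HMAC over the 4-tuple and the counter, so no
state is held for the half-open connection. The ACK is verified against the
current and the previous tick to allow for the client's round trip.
"""
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)   # per-server secret; real servers rotate it
TICK_SECONDS = 64         # coarse clock: a cookie stays valid for one to two ticks
MASK32 = 0xFFFFFFFF


def tick(now=None):
    now = time.time() if now is None else now
    return int(now // TICK_SECONDS)


def syn_cookie(src_ip, src_port, dst_ip, dst_port, count, secret=SECRET):
    """32-bit ISN for the SYN-ACK: HMAC-SHA256 over the 4-tuple and the tick, truncated."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{count}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def verify_ack(src_ip, src_port, dst_ip, dst_port, ack_number, now=None, secret=SECRET):
    """True if ack_number - 1 is a cookie minted for this 4-tuple in the current
    or the previous tick; only then would the server create a TCB."""
    isn = (ack_number - 1) & MASK32
    current = tick(now)
    return any(isn == syn_cookie(src_ip, src_port, dst_ip, dst_port, c, secret)
               for c in (current, current - 1))


def handshake_demo(now=1_000_000.0):
    """SYN -> SYN-ACK(cookie) -> ACK(cookie + 1) for a constructed client and server."""
    client = ("203.0.113.9", 51515)
    server = ("192.0.2.1", 443)
    isn = syn_cookie(*client, *server, tick(now))          # server answers the SYN, keeps no state
    ok_now = verify_ack(*client, *server, isn + 1, now=now)
    ok_next_tick = verify_ack(*client, *server, isn + 1, now=now + TICK_SECONDS)
    too_late = verify_ack(*client, *server, isn + 1, now=now + 2 * TICK_SECONDS)
    forged = verify_ack(*client, *server, isn + 7, now=now)  # wrong acknowledgment number
    return ok_now, ok_next_tick, too_late, forged


if __name__ == "__main__":
    print("valid now, valid next tick, expired, forged:", handshake_demo())
```

Real SYN-cookie implementations also squeeze an encoding of the client's MSS into the cookie, because the SYN's options are not stored either; that detail, and the loss of other TCP options while cookies are in use, is the price of being stateless.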

TCP SYN flooding defenses


Firewall as a Relay
Firewall answers on behalf of destination
Disadvantages
Adds delay and overhead
Pushes problem to firewall

TCP SYN flooding defenses


Firewall as a Semi-transparent Gateway
Firewall forges the 3rd handshake (ACK) from the client to the destination
This moves connection out of backlog queue, freeing resources
Sends RST packet if no subsequent ACK received from client
Eventual ACK from a good client will be ignored as a duplicate
Disadvantages: large # illegitimate open connections if system under attack; must very carefully choose timeout periods

TCP SYN flooding defenses

[Diagram: attack with semi-transparent gateway]
[Diagram: legitimate connection with semi-transparent gateway]

TCP congestion control avoidance


Attempt to trick sender into ignoring congestion control
ACK division
Receiver can acknowledge every byte in segment with a separate ACK
Leads sender to grow cwnd faster than normal.

Solution to ACK division
Modify congestion control to guarantee segment-level granularity
Only increment cwnd by one MSS when a valid ACK arrives for the entire segment.
[Diagram: a bunch of ACKs from the receiver, followed by a burst from the sender 1 RTT later]

TCP congestion control avoidance


Duplicate ACK spoofing
Receiver sends multiple ACKs per sequence #
No way to tell what segment is being ACKed
Causes sender to enter fast-recovery mode and inflate cwnd

Solution to duplicate ACK spoofing
Add new fields to TCP headers.
Nonce & nonce-reply: random values sent with segments and replies
Only increment cwnd for ACKs with previously unseen nonces
[Diagram: burst of duplicate ACKs; sender enters Fast Recovery and bursts 1 RTT later]

TCP congestion control avoidance


Optimistic ACKing
Send ACKs for segments not yet received
Decreases perceived RTT, affecting CW growth.
[Diagram: segment ACKs sent before the segments arrive]

TCP congestion control avoidance


Solution to optimistic ACKing: cumulative nonce
Sender sends random number (nonce) with each packet
Segment size slightly randomized
Receiver sends cumulative sum of nonces
If receiver detects loss, it sends back the last nonce it received
Requires modifications to stack
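The two sender-side fixes on the previous slides, segment-level ACK granularity against ACK division and the cumulative nonce against optimistic ACKs, fit in one small model. The following is an added example, not from the slides and not real TCP code: the sender tags each segment with a random nonce and credits cwnd only for an ACK that ends exactly on a segment boundary and returns the correct cumulative nonce sum. The three run_* functions play an honest receiver, an ACK-dividing receiver and an optimistic receiver against it; MSS, the nonce arithmetic and the fixed random seed are this example's own choices, and the loss case (receiver returning the last nonce it saw) is not modelled.

```python
"""Sender-side checks against a misbehaving TCP receiver.

Added example, not from the slides. cwnd grows by one MSS only for an ACK that
(a) ends on a boundary of a segment the sender actually sent, and (b) carries
the cumulative sum of the nonces of every segment that ACK covers.
"""
import random

MSS = 1000
MASK32 = 0xFFFFFFFF


class Sender:
    def __init__(self, seed=1):
        self.rng = random.Random(seed)   # fixed seed so the demo is repeatable
        self.segments = {}               # seq -> (length, nonce)
        self.next_seq = 0
        self.cwnd = MSS
        self.rejected = 0

    def send_segment(self, length=MSS):
        seq = self.next_seq
        nonce = self.rng.getrandbits(32)
        self.segments[seq] = (length, nonce)
        self.next_seq += length
        return seq, length, nonce

    def expected_nonce_sum(self, ack):
        """Sum of the nonces of every segment a cumulative ACK of `ack` covers."""
        total = 0
        for seq, (length, nonce) in self.segments.items():
            if seq + length <= ack:
                total = (total + nonce) & MASK32
        return total

    def on_ack(self, ack, nonce_sum):
        """Credit cwnd only for a verified, segment-aligned cumulative ACK."""
        boundaries = {seq + length for seq, (length, _) in self.segments.items()}
        if ack not in boundaries:                      # ACK division, or ACK beyond sent data
            self.rejected += 1
            return False
        if nonce_sum != self.expected_nonce_sum(ack):  # optimistic ACK: nonces unknown
            self.rejected += 1
            return False
        self.cwnd += MSS
        return True


def run_honest(rounds=3):
    """Receiver acks every segment with the correct cumulative nonce."""
    sender = Sender()
    acked, nonce_sum = 0, 0
    for _ in range(rounds):
        _, length, nonce = sender.send_segment()
        acked += length
        nonce_sum = (nonce_sum + nonce) & MASK32
        sender.on_ack(acked, nonce_sum)
    return sender.cwnd


def run_ack_division():
    """Receiver splits one segment's ACK into a partial ACK and a full ACK."""
    sender = Sender()
    _, length, nonce = sender.send_segment()
    partial = sender.on_ack(length // 2, nonce)   # half a segment: no credit
    full = sender.on_ack(length, nonce)           # whole segment, right nonce: credit
    return partial, full, sender.cwnd


def run_optimistic():
    """Receiver acks two segments it has not seen and has to guess the nonce sum."""
    sender = Sender()
    sender.send_segment()
    sender.send_segment()
    accepted = sender.on_ack(2 * MSS, 0)          # guessed sum: rejected
    return accepted, sender.cwnd


if __name__ == "__main__":
    print("honest cwnd:", run_honest())
    print("ack division (partial, full, cwnd):", run_ack_division())
    print("optimistic (accepted, cwnd):", run_optimistic())
```

Slightly randomizing segment sizes, as the slide says, is what makes the boundary check meaningful: a receiver that has not seen a segment cannot know where it ends any more than it can know its nonce.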

TCP congestion control attacks


The shrew attack
Use knowledge of TCP congestion control to shut out a victim
Time packet bursts to disable victim's retransmissions and force exponential back-off

TCP reflectors
TCP stack can be made to reflect via
SYN ACK by sending an initial SYN with spoofed IP address
Filtering leads to no remote access.
RST by sending a FIN.

Countermeasures problematic
Filter out SYN ACKs
Leads to disabling access to services
Filter out RSTs
Results in clogging of stale connection state

NIDS avoidance
TCP tricks to confuse or disable NIDS
TCP Options fields
Will packet be accepted? Will option be processed?
Destination might be configured to drop weird options

Old TCP timestamps (PAWS)
Destination might be configured to drop

TCP RSTs with weird sequence numbers
Is connection reset?

TCP handshake time-out
Will TCB still be at destination?

TCP stream reassembly with overlapping segments
Rewrite old data or not?

Application layer hacks


DNS spoofing
Problem
No authentication of responses
Any DNS response is generally believed. No attempt to distinguish valid data from invalid.
Responses can contain entries that should not be trusted but are
Responses are cached
Just one false root server could disrupt the entire DNS.

Attacks
Inject bogus DNS responses
Attach additional bogus entries in valid DNS responses (especially for internal names)
[Diagram: application, resolver, firewall, local name server (trusted), remote name server (?)]

DNS spoofing
[Diagram only]

DNS spoofing
Easy to observe UDP DNS query sent to well known server on well known port.
[Diagram: Sanjoy's laptop sends "www.darpa.mil A?" to the caching DNS server, which resolves it through the root, mil and darpa.mil DNS servers and gets "www.darpa.mil A 192.5.18.19"; a second answer, "www.darpa.mil A 128.9.128.127", arrives from Dan's laptop.]
First response wins. Second response is silently dropped on the floor.

DNS cache poisoning


[Diagram: a remote attacker queries the Bell Labs caching server for www.attacker.com. The response carries www.attacker.com A 128.9.128.127; attacker.com NS ns.attacker.com; attacker.com NS www.google.com; ns.attacker.com A 128.9.128.2; and www.google.com A 128.9.128.127. The cache now holds www.google.com = 128.9.128.127, and any Bell Labs laptop that later queries www.google.com gets that answer.]

DNS cache poisoning


Defenses
DNS Proxy
Filter
Drop malformed packets

Verify
Does the answer really answer the query made?
Was the answer received from the appropriate server?

Proxy performs checks on the answers from outside DNS servers
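Both "verify" questions above can be turned into a record-by-record filter: believe nothing that did not come from the server the query was sent to, accept answer records only for the name actually asked about, accept authority records only for names inside the zone that server is responsible for (its bailiwick), and accept glue in the additional section only for in-bailiwick names that the authority section delegated to. The following is an added example, not from the slides and not any resolver's code; records are modelled as (owner, type, rdata) tuples and the sample response is constructed to mirror the cache-poisoning diagram, using the addresses shown there.

```python
"""Bailiwick and origin checks on a DNS response, as a DNS proxy would apply them.

Added example, not from the slides. filter_response() returns the records a
proxy may pass to the cache and the records it drops.
"""


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies below it."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def filter_response(qname, zone, expected_server, response):
    """Return (accepted, dropped) lists of (owner, type, rdata) records.

    qname:           the name that was queried
    zone:            the zone the queried server is responsible for (its bailiwick)
    expected_server: the address the query was sent to
    response:        {'from': ip, 'answer': [...], 'authority': [...], 'additional': [...]}
    """
    all_records = response["answer"] + response["authority"] + response["additional"]
    if response["from"] != expected_server:
        return [], all_records        # not from the server we asked: believe nothing
    accepted, dropped = [], []

    for record in response["answer"]:
        owner = record[0]
        # the answer must be for the name we asked about, and inside the bailiwick
        if owner.lower() == qname.lower() and in_bailiwick(owner, zone):
            accepted.append(record)
        else:
            dropped.append(record)

    delegated = set()
    for record in response["authority"]:
        owner, rtype, rdata = record
        if rtype == "NS" and in_bailiwick(owner, zone):
            accepted.append(record)
            delegated.add(rdata.lower())
        else:
            dropped.append(record)

    for record in response["additional"]:
        owner, rtype, rdata = record
        # glue is believed only for in-bailiwick names the authority section delegated to
        if rtype in ("A", "AAAA") and in_bailiwick(owner, zone) and owner.lower() in delegated:
            accepted.append(record)
        else:
            dropped.append(record)
    return accepted, dropped


# Constructed sample mirroring the poisoning diagram above (addresses as on the slide).
POISONED = {
    "from": "128.9.128.2",
    "answer": [("www.attacker.com", "A", "128.9.128.127")],
    "authority": [("attacker.com", "NS", "ns.attacker.com"),
                  ("attacker.com", "NS", "www.google.com")],
    "additional": [("ns.attacker.com", "A", "128.9.128.2"),
                   ("www.google.com", "A", "128.9.128.127")],
}

if __name__ == "__main__":
    kept, dropped = filter_response("www.attacker.com", "attacker.com", "128.9.128.2", POISONED)
    print("accepted:", kept)
    print("dropped:", dropped)
```

The NS record pointing at www.google.com survives because its owner, attacker.com, is in bailiwick: the filter does not stop a zone from naming whatever name servers it likes, only from supplying addresses for names outside its zone. The answer-section rule is deliberately strict; a production filter also has to follow CNAME chains before applying it.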

Authenticating DNS Responses


Attack fundamental problem
Resolver can't distinguish between valid and invalid data in a response.

Add source authentication
Verify the data received in a response is equal to the data entered by the zone administrator.
Each DNS zone signs its data using a private key.
Query for a particular record returns:
The requested resource record set.
A signature (SIG) of the requested resource record set.

Resolver authenticates response using public key.
Public key is pre-configured or learned via a sequence of key records in the DNS hierarchy.

Secure DNS Query and Response

[Diagram: end-user, caching DNS server and the authoritative DNS servers for www.darpa.mil]
www.darpa.mil = 192.5.18.195, plus an (RSA) signature by darpa.mil.
Attacker cannot forge this answer without the darpa.mil private key.
Challenge: add signatures to the protocol and manage DNS public keys.

Man-in-the-middle attacks
Web proxying
Attacker runs the webmitm feature of Dsniff and uses DNS spoofing
Use DNS spoofing to have all HTTP and HTTPS traffic go to webmitm
Target connects to attacker's machine and SSL connection is established.
Attacker's system establishes an SSL connection with the server the target is attempting to access.

Webmitm acts as proxy with two connections
From the target's system to the attacker's machine
From the attacker's machine to the actual server the target was trying to reach

Note: the target receives attacker's certificate, not the certificate of the server the target is trying to reach.
User receives warning about a certificate that is not signed by a trusted certificate authority (Who pays attention to those?)
Webmitm displays the contents of the SSL session on the attacker's screen

SSH proxying
Similar to above with sshmitm (another Dsniff feature)

Man-in-the-middle attacks


Distributed Denial-of-Service
Take control of large numbers of machines (zombies)
Use collection of zombies (botnet) to knock out target service
Example: TFN2K www.packetstormsecurity.nl/groups/mixter/index2.html

Distributed Denial of Service


DNS DoS attacks
DNS root server attack
DDoS attack disabling 9 of the 13 DNS root servers (10/2002)
Bringing down all 13 root servers is frequently mentioned as a worst case scenario that would cripple the Internet.

Local DNS name server attack
Send large set of valid queries to victim
Use arbitrary names to thrash cache
Solution: Provide filtering in name servers so as to only serve recursive queries from local addresses

Packet of death
Send a malformed packet. Different platforms may be susceptible to different types of malformed packets. These packets have structures that the TCP/IP stacks cannot anticipate, causing the system to crash. Malformed packet suites available at: www.packetstormsecurity.org/DoS


Application layer reflectors


DNS
Reflector sending DNS reply in response to a spoofed DNS request.
Victim can configure its local DNS servers so as to filter out unknown DNS server responses.

If the victim is an authoritative name server


Attacker queries a large number of local DNS servers which in turn recursively query the victim.
Victim server gets bombarded due to multiple queries.

Application layer reflectors


HTTP proxies
HTTP proxy caches provide a way that an HTTP client can manipulate a proxy server into initiating a connection to a victim web server. HTTP proxy servers act as reflectors for the DDOS attacks.

Limitations
Proxies can be configured to serve a restricted set of clients.
Not enough proxies to constitute a large pool of possible reflectors.
Connection between slave and the reflector cannot be spoofed unless the reflecting proxy has predictable sequence numbers.
Logging helps in identifying the slave's location.
Definitely a major threat if proxies running on stacks with predictable sequence numbers are widely deployed.

Application layer reflectors


Gnutella
Provides a push facility that instructs the server to connect to a given IP address and port in order to deliver the Gnutella item. Gnutella connection to the IP host is separated from the initial client making it impossible to trace back to the slave.

Fix
Modify the protocol to include path information with push directives

Gnutella could be a major problem for DDOS reflector attacks.


Application layer reflectors


SNMP (UDP-based request/reply)
Sites that fail to block off-site access to SNMP provide a large number of reflectors.
SNMP attack is sourced at port 161.
Filtering out the external SNMP messages leads to major problem for service providers.
Configure the filter to receive SNMP messages from interested hosts

Game protocols
Quake Qstat (UDP)
Counter-strike clients (UDP)

NIDS avoidance
Confuse NIDS at application-layer
Addition of interpreted characters (^H)
How does OS interpret?

References
C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, D. Zamboni, "Analysis of a Denial of Service Attack on TCP"
S. Bellovin, "Security Problems in the TCP/IP Protocol Suite"
S. Bellovin, "Defending against sequence number attacks"
S. Bellovin, "Packets Found on an Internet"
R. Morris, "A Weakness in the 4.2BSD Unix TCP/IP Software"
B. Cheswick, S. Bellovin, "A DNS Filter and Switch for Packet-filtering Gateways"
S. Savage, N. Cardwell, D. Wetherall, T. Anderson, "TCP Congestion Control with a Misbehaving Receiver"

Extra slides


TCP for Transactions (T/TCP) reflectors


Spoof initial SYN packet with acceptable seq. no.
Make an expensive request.

Factors that limit the T/TCP attack
T/TCP server will begin in slow start.
Unless the server's stack has predictable seq. no.
Amenable to stateless packet filtering.
T/TCP is not widely deployed.

IP Address Spoofing
Used to disguise the IP address of a system.
Three ways an IP address can be spoofed: changing the IP address, undermining UNIX r-commands, and spoofing with source routing.
Changing the IP address: The attacker can either reconfigure the whole system to have a different IP address or use a tool (Nmap or Dsniff) to change the source address of outgoing packets.
Limitation: the attacker cannot receive any responses.

Undermining UNIX r-Commands:


Attacker finds two computers with a trust relationship
Send a bunch of TCP SYN packets to target and see how the initial sequence numbers change
A DoS attack is sent to other system
Attacker initializes a connection with target system, using the IP address of the other system
Target system sends TCP SYN and ACK packets to other system, which is dead
Attacker estimates initial sequence number of other system and sends TCP ACK packet back
If initial sequence numbers match, attacker has successfully gained one-way access to the target.

Undermining UNIX r-Commands
[Diagram only]
