Lesson 9 - Internet Security

Question 1

What are the properties of secure communication?

Answer 1

1. Confidentiality
2. Integrity
3. Authentication
4. Availability

Question 2

How does Round Robin DNS (RRDNS) work?

Answer 2

a method to distribute the load of incoming requests to several servers at a single physical location. Servers respond to a DNS request with a list of DNS A records, which it then cycles through in a round robin manner.

Question 3

How does DNS-based content delivery work?

Answer 3

When accessing the name of the service using DNS, the CDN computes the ‘nearest edge server’ and returns its IP address to the DNS client.

Question 4

How does Fast-Flux Service Networks work?

Answer 4

A fucking complicated attack. Suggest answer.

having multiple IP addresses associated with a domain name, and then constantly changing them in quick succession.

Question 5

What are the main data sources to identify hosts that likely belong to rogue networks, used by FIRE (FInding Rogue nEtworks system)?

Answer 5

1. Botnet command and control providers
2. Drive-by-download hosting providers
3. Phish housing providers

Question 6

The design of ASwatch is based on monitoring global BGP routing activity to learn the control plane behavior of a network. What are the 2 phases of this system.

Answer 6

1. Training phase

2. Operational phase

Question 7

ASwatch computes statistical models using which three features of each AS.

Answer 7

1. Rewiring activity - frequent changes and less popular providers are suspicious.
2. IP Space Fragmentation and Churn - small BGP prefixes are suspicious
3. BGP Routing Dynamics - annoucing for short periods is suspicious.

Question 8

BGP hijacking. What is the classification by AS-Path announcement?

Answer 8

an illegitimate AS announces the AS-path for a prefix for which it doesn’t have ownership rights.
Type-0, Type-N, & Type-U are all AS-Path hijacking.

Question 9

BGP hijacking. What is the classification by Data-Plane traffic manipulation?

Answer 9

In Data-Plane traffic manipulation, the intention of the attacker is to hijack the network traffic and manipulate the redirected network traffic on its way to the receiving AS.

Question 10

What are the causes or motivations behind BGP attacks?

Answer 10

Human Error
Targeted Attack
High Impact Attack

Question 11

What is prefix hijacking?

Answer 11

When a hijacker announces that it owns some or part of the prefixes owned by another AS.

Question 12

Explain the scenario of hijacking a path

Answer 12

hijacker modifies the path, so that AS’s are more likely to route traffic through the hijacker.

Question 13

What are the key ideas behind ARTEMIS?

Answer 13

1. configuration file: where all the prefixes owned by the network are listed here for reference. This configuration file is populated by the network operator.
2. mechanism for receiving BGP updates: this allows receiving updates from local routers and monitoring services. This is built into the system

Question 14

For a system that protects against BGP hijacking attacks with less manual intervention, we need automated ways of mitigation from BGP hijacking attacks. The ARTEMIS system uses two automated techniques in mitigating these attacks. What are these techniques?

Answer 14

1. Prefix deaggregation: announce more specific prefixes of a certain prefix. (instead of 10.10.10.0/24, announce 10.10.10.128/25 and 10.10.10.0/25)
2. Mitigation with Multiple Origin AS (MOAS) - external third party announces the hijacked address and routes traffic to the correct location. (hijack the hijacker)

Question 15

Explain the structure of a DDoS attack

Answer 15

A Distributed Denial of Service (DDoS) attack is an attempt to compromise a server or network resources with a flood of traffic. To achieve this, the attacker first compromises and deploys flooding servers (slaves).

Question 16

What is spoofing?

Answer 16

IP spoofing is the act of setting a false IP address in the source field of a packet with the purpose of impersonating a legitimate server.

Question 17

Explain, how DDoS reflection and amplification work

Answer 17

slaves of a master send request to servers (or reflectors) but set the source address as the victim’s. The reflectors send responses to the victim and overload it’s resources.

Amplification can occur when the reflector’s send a large request to the victim. Not only would the victim receive traffic from millions of servers, the response sent would be large in size, making it further difficult for the victim to handle it.

Question 18

What are the defences against DDoS attacks?

Answer 18

Traffic Scrubbing Services
Access Control List filters
BGP Flowspec
BGP blackholing

Question 19

Explain provider-based black-holing

Answer 19

The victim AS uses BGP to communicate the attacked destination prefix to its upstream AS, which then drops the attack traffic towards this prefix. Then either the provider (or the IXP) will advertise a more specific prefix and modifying the next-hop address that will divert the attack traffic to a null interface.

Question 20

Explain IXP black-holing

Answer 20

In IXP black-holing a victim’s black-hole message is sent to any AS’s that connect to the IXP. Those AS’s in turn black-hole requests directed to the specified IP.

Question 21

What is one of the major drawbacks of BGP black-holing?

Answer 21

the destination under attack becomes unreachable since all the traffic including the legitimate traffic is dropped.

Question 22

What is a rogue network

Answer 22

networks whose main purpose is malicious activity such as phishing, hosting spam pages, hosting pirated software, etc.

Question 23

Describe ASwatch’s Training phase.

Answer 23

1. Training phase - The system is given a list of known malicious and legitimate ASes, then learns control-plane behavior typical of both types of ASes.

Question 24

Describe ASwatch’s Operational phase.

Answer 24

2. Operational phase - Given an unknown AS, it then calculates the features for this AS. It uses the model to then assign a reputation score to the AS. If the system assigns the AS a low reputation score for several days in a row, it identifies it as malicious.

Question 25

ASwatch is based on monitoring global BGP routing activity to learn the _______ plane behavior of a network.

Answer 25

control

Question 26

What is a Type-0 hijacking?

Answer 26

Type 0 - AS announcing a prefix not owned by itself.

Question 27

What is a Type-N hijacking?

Answer 27

Type-N - AS falsifies path between AS1 & AS2 as going through ASn
The N denotes the position of the rightmost fake link in the illegitimate announcement, e.g. {AS2, ASy, AS1 – 10.0.0.0/23} is a Type-2 hijacking

Question 28

What is a Type-U hijacking

Answer 28

In this attack the hijacking AS does not modify the AS-PATH but may change the prefix

Question 29

How is spoofing used in DDOS attacks?

Answer 29

Spoofing is utilized in two ways:
In the first form, the source IP address is spoofed, resulting in the response of the server sent to some other client instead of the attacker’s machine. This results in wastage of network resources and the client resources while also causing denial of service to legitimate users.

In the second type of attack, the attacker sets the same IP address in both the source and destination IP fields. This results in the server sending the replies to itself, causing it to crash.