Lesson 9 (Internet Security) Flashcards

1
Q

What are the properties of a Secure Communication?

A

1) Confidentiality
2) Integrity
3) Authentication
4) Availability

2
Q

What is the ultimate goal of DNS Abuse?

A

To remain undetectable for longer

3
Q

What are 3 examples of techniques used by attackers to abuse DNS?

A

1) Round Robin DNS (RRDNS)
- Used to distribute the load of incoming requests to several servers.
- A list of DNS A records is cycled through per request in a round robin manner.
2) DNS-based content delivery (CDN)
- Distributes load among multiple servers at a single location but also to servers across the world.
- The CDN computes the nearest edge server and returns its IP address to the DNS client.
- Results in the content being moved closer to the DNS client
- Can react quickly to changes in link characteristics as their TTL is lower than RRDNS.
3) Fast-Flux Service Networks (FFSN)
- Prior 2 techniques can also benefit spammers.
- > Access to a list of DNS A records means that if at least one IP address is functional, the scam is still working.
- > Spreading the scam across multiple servers makes shutting down the scam more complex.
- FFSN is an extension of the ideas behind RRDNS & CDN.
- > Supports a rapid change in DNS answers, with a TTL lower than that of RRDNS and CDN.
- > Once TTL expires, it returns a different set of A records from a larger set of compromised machines.
- > These compromised machines act as proxies between incoming requests and a control node/mothership, forming a resilient, robust, one-hop overlay network
- > The overlay network (via flux agents) hijacks incoming load and responds with scam-related content.

4
Q

What is an example of Dataplane Monitoring used to find evidence of abuse?

A
  • FIRE (Finding Rogue Networks) is a system that monitors the internet for rogue networks.
  • It uses 3 main data sources to identify hosts that likely belong to rogue networks:
    1) Botnet command and control providers
       - Several botnets rely on centralized command and control (C&C).
       - A bot-master would prefer to host their C&C on networks where it is unlikely to be taken down.
       - The two main types of botnets this system considers are IRC-based botnets and HTTP-based botnets.
    2) Drive-by-download hosting providers
       - Drive-by-download is a method of malware installation without interaction with the user.
       - Commonly occurs when the victim visits a web page that contains an exploit for a vulnerable browser.
    3) Phish housing providers
       - This data source contains URLs of servers that host phishing pages, which usually mimic authentic sites to steal login credentials, credit card numbers and other personal information.
       - These pages are hosted on compromised servers and are usually up only for a short period of time.
  • Each of these data sources produces a list of malicious IP addresses daily.
  • FIRE combines the info from these 3 data sources to identify rogue ASes.
  • The most malicious networks have the highest ratio of malicious IPs compared to the total number of IP addresses owned by that AS.

5
Q

What is a better approach to finding evidence of abuse than Dataplane Monitoring?

A

ASwatch, which uses information exclusively from the control plane (i.e. routing behavior) to identify malicious networks.

  • This approach is better at detecting malicious networks run by cyber actors (a.k.a. bulletproof networks) vs. networks that are badly abused.
  • The approach is based on the observation that bulletproof ASes have distinct interconnection patterns and overall different control plane behavior.
  • Bulletproof ASes:
    - > Change upstream providers more aggressively
    - > Set up customer-provider or peering relationships with likely shady networks

ASwatch is based on monitoring global BGP routing activity to learn the control plane behavior of a network. It has two phases: 1) a training phase and 2) an operational phase.

6
Q

What are the 3 externally observable features that help to predict the likelihood of a security breach?

A

1) Mismanagement symptoms
2) Malicious Activities - The level of malicious activities that originate from the organization’s network.
3) Security Incident Reports - Data based on actual security incidents is used to train the machine learning models.

7
Q

What are the 3 classifications of BGP Hijacking attacks?

A

1) Classification by Affected Prefix
2) Classification by AS-Path announcement
3) Classification by Data-Plane traffic manipulation

8
Q

What are the 3 reasons for a BGP Hijack attack?

A

1) Human error
2) Targeted Attack - Attacker is in stealth mode
3) High Impact Attack - Intent is obvious for a widespread disruption

9
Q

What are 2 examples of BGP Hijack Attacks?

A

1) Hijacking a prefix

2) Hijacking a path

10
Q

What is an example detection system for BGP Hijack Attacks?

A

ARTEMIS is a system that is run locally by network operators to safeguard their own prefixes against malicious BGP hijacking attempts. It uses a configuration file as a reference of the prefixes the network owns.

Uses 2 techniques to mitigate attacks:

1) Prefix deaggregation
2) Mitigation with Multiple Origin AS (MOAS) - Having 3rd party companies do BGP announcements.

11
Q

What is Spoofing?

A

IP Spoofing is the act of setting a false IP address in the source field of a packet with the purpose of impersonating a legitimate server.

12
Q

What is a DDoS reflection attack and amplification attack?

A

Reflection Attack: The master directs the slaves to send spoofed requests to a very large number of reflectors, usually in the range of 1 million. The slaves set the source address of the packets to the victim’s IP address, thereby redirecting the responses of the reflectors to the victim. Thus, the victim receives responses from millions of reflectors, exhausting its bandwidth.

Amplification Attack: The victim receives traffic from millions of servers, and each response sent is large in size, making it even more difficult for the victim to handle.

13
Q

What are 3 ways to defend against DDoS attacks?

A

1) Traffic Scrubbing Services - Diverts the incoming traffic to a specialized server where the traffic is “scrubbed” into either clean or unwanted traffic.
2) ACL Filters - Access Control List filters are deployed by ISPs or IXPs at their AS border routers to filter out unwanted traffic.
3) BGP Flowspec - The flow specification feature of BGP supports the deployment and propagation of fine-grained filters across AS domain borders.

14
Q

Can you provide an example of a DDoS mitigation technique? What are the limitations/issues?

A

BGP Blackholing: All attack traffic to a targeted DoS destination is dropped to a null location.

Limitation: One of the major drawbacks of BGP blackholing is that the destination under attack becomes unreachable since all the traffic including the legitimate traffic is dropped.
