Test 3 Network Security Flashcards

Question

Origin and Path Authentication

Answer 1

Secure BGP or BGPSEC --proposal to modify the existing border gateway protocol to add signatures to various parts of the route advertisement two different parts - -address attestation/ origin attestation, which is a certificate that binds the IP prefix to the organization that owns that prefix, including the origin AS - -path attestation: set of signatures that accompany the AS path as it is advertised from one AS to the next

Answer 2

BGP announcement would contain: - - the prefix p - -the AS path, which so far is just one. - -the path at a station, which is actually the path to one signed by, the private key, of AS1. When AS2, readvertises that route announcement, it advertises: - - the new AS path to one. - -It adds its own at route at test station, three, two, one signed by it's own private key. - -includes the original path atastation signed by AS1. A recipient of a route along this path can thus verify every step of the AS path. - -AS3 can use the first part of the path attestation to verify that the path in fact, goes from AS2 to AS1, and does not contain any other ASs in between. - -It can use the second part of the path attestation to ensure that the path between it, AS3, and the next hop is in fact, AS2, and that no other ASs could've inserted themselves on the path between two and three.

Answer 3

BGP announcement would contain: - - the prefix p - -the AS path, which so far is just one. - -the path at a station, which is actually the path to one signed by, the private key, of AS1. When AS2, readvertises that route announcement, it advertises: - - the new AS path to one. - -It adds its own at route at test station, three, two, one signed by it's own private key. - -includes the original path atastation signed by AS1. A recipient of a route along this path can thus verify every step of the AS path. - -AS3 can use the first part of the path attestation to verify that the path in fact, goes from AS2 to AS1, and does not contain any other ASs in between. - -It can use the second part of the path attestation to ensure that the path between it, AS3, and the next hop is in fact, AS2, and that no other ASs could've inserted themselves on the path between two and three.

Answer 4

prevents hijacking and modification of the AS path Suppose, that these AS's were not there in the path at station. In this case. We have a very nice well-formed VGP route advertisement for prefix with the AS path suffix to one, and we have each segment signed, so an attacker could in fact, take such an announcement and advertise sub strings of this route advertisement as their own. Thus an attacker, AS4, could claim that it was connected to prefix P via AS1 when in fact no such link existed. Simply by stealing or replacing the path atastation one that's signed by K1. But, note that in reality AS1 never generates this signature. In fact it generates the signature,21. Or in this case, it would somehow have to generate the signature 41 signed by AS1's private key, whereas if AS1 only signed a message with its own AS in the message, such a segment or attestation could easily be replayed. There's actually no way that AS4 Could forge the path attestation for one, signed by AS1's private key because it doesn't own this private key and AS1 never generated a path attestation with this particular signed path., This is the reason that each AS not only signs a path attestation with its own AS on the AS path. But also the next AS along the path.

Answer 5

if an AS fails to advertise a route or a route withdrawal There is no way for the path [UNKNOWN] or PGP sec to prevent from that kind of attach. Certain types of replay attacks such as a premature re-advertisement of a withdrawn route also cannot be defended against and of course, there is no way to actually guarantee that the data traffic travels along the advertised AS path, which is a significant weakness of DGP that is yet to be solved by any routing protocol.

Answer 6

To understand the threats and vulnerabilities of DNS, let's take a look at the DNS architecture. So we have a stub resolver which issues a query to a caching resolver. At this point, we could have a man in the middle attack, or an attacker which observes a query and forges a response. If a query goes further than the local caching resolver, say for example, to an authoritative name server, an attacker could try to send a reply back to that caching resolver before the real reply comes back to try to poison, or corrupt, the cache with bogus DNS records for a particular name. This attack is particularly virulent and we will look at a cache poisoning attack in this lecture. Masters and slaves can both be spoofed. Zone files could be corrupted. Updates to the dynamic update system could also be spoofed. We will look at some defenses to cache poisoning, including the OX20 defense, as well as DNSSEC, which can protect against some of these spoofing and man in the middle attacks. In addition to these attacks, we'll look at an attack called DNS reflection where the DNS can be used to mount a large distributed denial of service attack.

Answer 7

the resolvers that issue the DNS query trust the responses that are received after they send out a query regardless of where that response comes from. So sometimes these responses can be forged. When a resolver sends out a query, it typically generates what's called a race condition And if the attacker replies before the legitimate responder, then the resolver is likely to believe the attacker. DNS responses can also contain additional DNS information that's unrelated to the query. The fundamental problem is that the basic DNS protocols have no means for authenticating responses. This allows an attacker to forge responses after a resolver sends a query. A secondary reason that these types of spoofed replies are possible is that DNS queries are typically connectionless unlike BGP where routing messages are transmitted over a reliable TCP connection, UDP queries are sent over a connectionless UDP connection. Therefore, a resolver does not have a way of mapping the response that it receives for a query other than the query ID. Which can be forged by the attacker. Let's look at how the combination of the lack of authentication and the connectionless nature of a DNS query allows the possibility of cash poisoning.

Answer 8

the fact that the queries are sent over a connectionless channel and that there is no way to authenticate the query responses, makes the DNS vulnerable to various kinds of spoofing and cache poisoning attacks. The fact that DNS names are human readable does not make the DNS inherently insecure. Nor does the fact that it's distributed. There are certainly very well understood ways of securing distributed systems and that does not inherently make DNS insecure.

Answer 9

DNS spoofing, also referred to as DNS cache poisoning, is a form of computer hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect IP address. This results in traffic being diverted to the attacker's computer (or any other computer).

Answer 10

consider a network where a stub resolver issues a query to its recursive resolver, and the recursive resolver in turn sends that A record query to the start of authority for that domain. Now, in an ideal world, the authoritative name server for that domain would reply with the correct IP address. If an attacker guesses that a recursive resolver might eventually need to issue a query for say, www.google.com. The attacker can simply reply with multiple, specially crafted replies each with different id's. Although this query has some query id, the attacker doesn't need to see that query because the attacker can simply flood the recursive resolver with a bunch of bogus replies and one of them, in this case the response with id3 will match. As long as this bogus response reaches the recursive resolver before the legitimate response does, the recursive resolver will accept this bogus message. And worse, it caches the bogus message. DNS, unfortunately, has no way to expunge a message once it has been cached. So now this reclusive resolver will continue to send bogus a record responses for any query for this particular domain name until that entry expires from the cache.

Answer 11

the query ID. --the query ID can be guessed. randomize the ID - -rather than having a resolver end queries where the ID's increment in sequence, the resolver can pick a random ID. - -This makes the ID tougher to guess, but still, the query ID is only 16 bits, which still makes it possible for an attacker to flood the recursive resolver with many possible responses. the resolver can randomize the source port on which it sends the query - -thereby adding an additional 16 bits of entropy to the ID that's associated with the query. - -Unfortunately, picking a random source port can be resource intensive and also a network address translator or a NAT, could derandomize the port. the 0x20 or the zero x20 encoding -- which is based on the intuition that DNS matching and resolution is entirely case insensitive. So capitalization of individual letters in the domain name do not affect the answer that the resolver will return.

Answer 12

The success of a DNS cache poisoning attack not only depends on the ability to reply to a query with a correct matching ID, but it also depends on winning this race. That is, the attacker must reply to that query before the legitimate authoritative name server replies. If the bad guy, or the attacker, loses the race, then the attacker has to wait for that correct cached entry to expire, before trying again, however the attacker can generate his own DNS query. For example, he could query one.google.com, two.google.com and so forth. Each one of these bogus queries will generate a new race. And eventually the attacker will win one of these races for an A record query. But who cares? Nobody necessarily cares to own one.google.com, or google.com. The attacker really wants to own the entire zone. Well the trick here is that instead of just simply responding with A records in the bogus replies. The attacker can also respond with NS records for the entire zone of google.com. So by creating one of these races, using an A record query, and then responding not only with the A record response, but also with the authoritative of the NS record,for the entire zone. The attacker can in fact own the entire zone. This idea of generating extreme of A record queries to generate a bunch of races and then stuffing the A record responses for each of these with a bogus authoritative NS record for the entire zone. Is what's called the Kaminsky Attack, after Dan Kaminsky, who discovered the attack.

Answer 13

the 0x20 or the zero x20 encoding - - which is based on the intuition that DNS matching and resolution is entirely case insensitive. So capitalization of individual letters in the domain name do not affect the answer that the resolver will return. - -This 0x20 bit, or the bit that affects whether a particular character is capitalized or in lower case can also be used to introduce additional entropy. - -When generating a response to a query such as this one, the query is copied from the DNS query into the response exactly as it was in the query. - -The mixed pattern of upper and lower case letters thus constitutes a channel. If the resolver and the authoritative server can agree on a shared key, then the resolver and the authoritative are the only ones who know the appropriate pattern of upper and lower case letters for a particular domain name. Because no attacker would know the appropriate combination of upper and lower case letters for a particular domain. It becomes even more difficult for the attacker to inject a bogus reply, because not only would the attacker have to guess the ID, but the attacker would also have to guess the capitalization sequence for any particular domain name

Answer 14

The 0x20 bit encoding adds additional entropy to the queries that a DNS resolver sends by tweaking the capitilization on a DNS name in such a way that only the resolver and the authoritative name server know the particular sequence of upper and lower case letters in the reply.

Answer 15

This attack exploits the asymmetry in size between DNS queries and their responses. So an attacker might send a DNS query for a particular domain, and that query might only be attacker might indicate that the source. For this query is some victim IP address. Thus the resolver might send a reply which is nearly two orders of magnitude larger to a victim. So the name of the attack amplification comes from the fact that the query is only 60 bytes and a reply is considerably larger. So, by simply generating a small amount of initial traffic, the attacker can cause the DNS resolver. To generate a significantly larger amount of attack traffic. If we start adding other attackers, all of which specify the victim as the source, then all of these giant replies start heading towards the victim, and we have a denial of service attack on the victim.

Answer 16

prevent IP address spoofing in the first place using, for example, the appropriate filtering rule disable the ability for a DNS resolver to resolve queries from arbitrary locations on the Internet.

Answer 17

The DNS sec protocol adds authentication to DNS responses simply by adding signatures to the responses that are returned for each DNS reply. each authoritative name server in the DNS hierarchy returns not only the referral, as it would with regular DNS, but also a signature containing the IP address for that referral. And the public key for the authoritative name server that corresponds to that referral. That public key then allows the resolver to check the signatures at the next lowest level of the hierarchy, until we finally get to the answer. When a stub resolver issues a query, assuming there is no caching, the query is relayed by the recursive resolver to the root name server. Which, as we know, sends a referral to .com, but this referral includes the signature by the root of the IP address and the public key of the .com server. As long as this resolver knows the public key corresponding to the route, it can check the signature and it knows then, that the referral is to the correct IP address for .com. It also now knows the public key corresponding to the .com server, thus when the .com server sends the next referral to Google.com, that referral is signed by .com's private key. But the root has told the resolver the public key corresponding to .com, and thus the resolver can check that this referral is not bogus and in fact, came from the .com server. Similarly, the .com server will return, not only the IP address for Google.com, but also the IP address and public key for the Google.com authoritative name server. So that when Google returns its answers, the resolver can check the signatures coming from google.com.

Answer 18

A virus is effectively an infection of an existing program that results in the modification of the original program's behavior.

Answer 19

A worm is code that propagates and replicates itself across the network. A worm is usually spread by exploiting flaws in existing programs or open services whereas viruses typically require user action to spread. For example, opening an attachment on an email or running an executable file that a friend gave you on an USB key. Worms propagate automatically.

Answer 20

A parasitic virus typically infects an existing executable file. A memory- resident virus infects running programs. A boot-sector virus spreads whenever the system is booted. A polymorphic virus encrypts part of the virus program using a randomly generated key.

Answer 21

viruses typically spread with manual user intervention. Worms typically spread automatically by scanning for vulnerabilities and infecting vulnerable hosts when those vulnerabilities are discovered. A worm might use any of these techniques to infect a particular host before spreading further.

Answer 22

First, the worm needs to scan other hosts to find potentially vulnerable hosts. In the second step, it needs to spread. By infecting, other vulnerable hosts. And in the third step, it needs to remain undiscoverable and undiscovered so that it can continue to operate and spread without being removed from systems..

Answer 23

The first worm was designed by Robert Morris, Jr. in 1988. The worm itself had no malicious payload but, it ended up bogging down the machines that it infected by spawning new processes uncontrollably and exhausting resources. And at the time it was released, it affect ten percent of all Internet hosts. It spread, through three different propagation vectors. The worm tried to crack passwords ,using a small dictionary and a publicly readable password file and also targeted hosts. That were already listed in a trusted host file, on the machine that was already infected. This ability to perform remote execution was one way that the worm was allowed to spread. The second way that it spread ,was in a buffer overflow vulnerability, In the finger demon. This was a standard buffer overflow exploit. this is a very common attack that makes remote exploits possible, effectively resulting in the ability to run arbitrary code. At the root level privilege. The third way that worm spread, was via the debug command in send mail, which is a mail sending service. In early send mail versions, it was possible to execute a command on a remote machine by sending an SMTP message. The worm used this, capability to spread automatically. A key theme that we'll see In the design of other worms, is this use of multiple vectors. Now any particular worm, may end up using, a different set of vectors depending on the remote vulnerabilities that it's trying to exploit. But the idea that any worm should be able to exploit multiple weaknesses in a system gives it more ways to spread. And often also speeds up the propagation of the worm. This worm design also followed the following general approach, which we see showing up over and over again in worm designs.

Answer 24

Code Red 1 was released on July 13th, 2001, and was the first modern worm. It exploited a buffer overflow in Microsoft's IIS server. From the would spread By finding new targets using a random scan of IP address space, it would spawn 99 new threads, which generated IP addresses at random and then looked for vulnerable instances of IIS. Now version 2 Of code red one, was actually released six days later and fixed that random scanning bug. So that each instance of the worm scanned a different part of IP address space. After the scanning bug was fixed, the worm was able to compromise 350000 vulnerable hosts in a matter of only running the vulnerable version of IAS. On the entire internet. The payload of this worm was to mount a denial of service attack on whitehouse.gov. But a bug in the coding, caused the worm to die, on the 20th of each month. If the victims clock was wrong however, the worm would actually resurrect itself. On the 1st. Fortunately in this case, the payload which launched the denial of service attack on whitehouse.gov actually was launched at a particular IP address, not at the domain name. So the operators of the website needed only to move the web server to another IP address to defend against the denial of service attack. A better worm design would have been much more catastrophic.

Answer 25

released on August 4th, 2001, and was called Code Red2 mainly because of a comment in the code. The worm actually only spread on Windows The scan actually preferred nearby addresses It would choose addresses from the same /8 with probability one half from the same /16 with probability three eighths, and randomly from the entire internet with the remaining one eighth probability. The reason for preferring nearby IP addresses is that if there was one vulnerable host on the network. There was likely to be more, because the same administrator that failed to patch the compromised machine might have other machines on the same network that were also vulnerable. This notion of preferential scanning can speed up infections in some cases by increasing the probability that scanning will find another vulnerable host.

Answer 26

The payload of this worm was an IIS backdoor, and the worm was completely dead, by design, by October 1, and was interesting mostly because it spread using multiple propagation vectors. It was effectively multi-model. So in addition to using the same IIS vulnerability as Code Red 1 and Code Red 2, there were some additional vectors that it used. It could spread by bulk email as an attachment. It copied itself across open network shares. It installed an exploit code on webpages on the corresponding web server running on the machine, so that any browser that visited the webpage for that server would become infected itself and it would scan for the Code Red 2 backdoors that that worm had installed. The interesting thing about the multi-modal nature of the Nimda worm is that signature based defences don't necessarily help, because of the many ways that it could spread, for example, by email or via a website exploit, Nimda actually needs firewalls. Most of the firewalls pass the email carrying Nimda completely untouched, using brand new infection with an unknown signature, and those scanners couldn't detect it. This was the first instance of a worm that exploited what we would call a zero day attack which is when a worm first appears in the wild. And the signature of the worm is not extracted until minutes, or hours later. Zero day attacks are particularly viralent because the worm can spread extremely quickly, before any type of signature-based antivirus has a chance to catch up and prevent the infections in the first place.

Answer 27

We can actually model the spread of these worms using the random constant spread model. If Kis the initial compromised rate, N is the number of vulnerable hosts, and a is the fraction of hosts already compromised, we can now express the number of hosts infected at a particular time increment in terms of the machines already infected, and the rate at which uninfected machines become compromised. So if Nda. Is the number of newly infected machines in DT, we can express that in terms of the number of machines already infected. Which is, N times a. So these are the host already capable of doing more scanning. And now K times 1 minus a is the rate at which uninfected machines become compromised, in a particular time interval dt. If we solve for a the fraction of hosts compromised, which is effectively the y-axis of this graph and we get the following. You get an exponential curve that is exponential where the growth rate depends only on K, or the initial compromise rate. This is very interesting because it tells us that if we want to design a very fast spreading worm, then we should design a worm such that the initial compromise rate is as high as possible. So how do we increase K.

Answer 28

create a hit list, or a list of vulnerable hosts ahead of time --start by performing stealthy scans or some reconnaissance to construct a list of vulnerable hosts before we start spreading, then we can get rid of that initial flat part of the curve where the worm is effectively dormant. permutation scanning --Where every compromised host has a shared permutation of an IP address list to scan for vulnerabilities. Now if this list is randomly permuted and a particular host starts scanning from its own IP address in the list And works down, then different effected hosts will start scanning from different parts of this list ensuring that compromised hosts don't duplicate each other's work.

Answer 29

One worm that exploited these techniques to spread particularly quickly was the Slammer worm, which spread in January of 2003. Exploiting a buffer overflow in Microsoft's SQL sever. In addition to using fast scanning techniques, the entire slammer code fit in a single small UDP packet. The UDP packet contain the worm binary, followed by an overflow pointer back to itself. It would say classic buffer overflow combined with random scanning. Once the control is passed to the worm code, it randomly generated IP addresses and attempted to send a copy of itself to Port 1434 on other hosts. One brilliant aspect of the slammer worm, is that because it was spread by via single UDP packet, it was connectionless, meaning that it could spread. And was no longer limited by the latency of network round trip time, but only by the bandwidth of the network, the worm caused $1.2 billion dollars in damage, and temporarily knocked out many elements of critical infrastructue, including Bank of America's ATM network. An entire cell phone network in South Korea, and five route DNS servers, as well as Continental Airlines' ticket processing software. The worm actually did not have a malicious payload, but the bandwidth exhaustion on the network caused resource exhaustion on all the infected machines. This damage was inflicted in just thirty minutes, due to the very lightweight nature in which Slammer spread.

Answer 30

Slammer was able to spread quickly, because it spread via connectionless transport, or UDP, and because it could fit in a single packet.

Answer 31

Someone has to design the filters that separate the good traffic from the bad traffic. Additionally, even if email is classified as spam, if it's accepted for delivery, the Internet's mail protocols dictate that the server has to keep the mail, because it's told the receiver that it has accepted the mail. This creates the potential for spam to consume a significant amount of storage space on email servers. Finally, spam can create security problems for users who receive spam emails. If the spam messages contain a payload that could harmful, such as malware or a phishing attack or an attempt to steal a user's private or sensitive information, such as a password.

Answer 32

content-based based on the IP address of the sender/ blacklisting based on behavioral features

Answer 33

they can very easily change the content, of the message that is carrying the spam that they wish to deliver. They can embed their message in things like images, mp3's, Excel spreadsheets and so forth, making it relatively difficult for the filter maintainers to keep up.

Answer 34

the way an IP blacklists works is that when a sender sends an email to the receiver the receiver sends a query for that IP address to a blacklist or a DNS-based blacklist sometimes called a DNSBL such as spamhaus. Depending on whether or not that IP address appears in the blacklist the receiver can then decide to accept the message or, if the IP address turns out to be on the blacklist, the receiver can decide to terminate the connection and not even accept the mail in the first place, thereby saving the operator the trouble of even having to store the message. The third approach is to filter a message on how it is sent. In particular, we can look at such features as the geographic locations of the sender and receiver, the set of target recipients, the sender's upstream ISP or our inference as to whether the sender is a member of a botnet or a network of comprised hosts that are doing the bidding of some command and control server.

Answer 35

- -In other words, you can look at what's being said in the mail. - -For example, if the mail contains particular words, such as Viagra or Rolex, a content-based filter might pick up on those terms and decide to filter the mail. - -relatively easy for attackers to evade. A recent large commercial mail operator recently told me that he saw something like 80,000 different spellings of Viagra. But additionally, messages can be carried not only in text, but in images, Excel spreadsheets, or even MP3s or movies.

Answer 36

--how the mail is sent. So for example, if the mail is sent at a particular time of day, or if it's sent in a batch of emails that are all roughly the same size. Then we may be able to figure out that a message is likely spam, simply based on the sender's sending behavior. the challenges of buildling a filter around this notion is first, understanding network level behavior and second, building classifiers using network level features to execute the filtering.

Answer 37

spammers can perform behavior on the network that is extremely uncanny and unlikely to be performed by a legitimate network user. For example, what we saw is that the spammer could hijack an IP prefix for a very short period of time, such as 10 minutes. Send the spam or potentially multiple spam messages from IP addresses inside that IP prefix, and at the end of the attack withdraw the prefix. This allows attackers to use ephemeral IP addresses essentially rendering IP blacklists ineffective. In fact, we saw on any given day about 10% of the email senders are from previously unseen IP addresses. This ephemerality or transience of the IP addresses of the spam senders makes it particularly difficult to maintain a blacklist.

Answer 38

In fact, we've found many single-packet features that tended to work well. In other words, features that a receiver could make a decision on just based on the first packet that a sender sends. Such single-packet features include, the distance between the sender and the receiver, the density in IP space in terms of how many other mail senders are nearby, and the local time of day at the sender. Other features, such as the AS of the sender's IP, also worked well. If we're willing look beyond a single packet and look at a single message, the number of recipents, and the length of the message also prove to be effective in distinguising spammers from legitimate senders. Finally, we can look at aggregates. For example, if we're willing to look at a group of email messages we can see how message length varies over time or across a group of different messages. Putting these features together in a system called SNARE, or Spatio-Temperal Network Level Automated Reputation Engine achieved a 70% detection rate for a false positive rate of about one-tenth of 1%. This level of accuracy is good enough to be used in practice. It provides comparable performance to state of the art IP-based blacklists such as Spamhaus. But it only uses network-level features, thus making it less susceptible to the ephemeral nature of IP-based blacklisting.

Answer 39

Denial of service is simply an attack that attempts to exhaust, various resources. One resource that a Denial of service attack might exhaust, is network bandwidth. Another, is TCP connections. For example, a host, might only have a limited number of TCP connections that, that it can open, to various clients. What the Denial of service attack might attempt to exhaust various server resources. For example, this victim might be web server running complicated scripts to render web pages, and if web server suddenly becomes the target of a bunch of bogus requests, the server may spent lot of resources Rendering pages for requests that are not legitimate. Before 2000, these denial of service attacks were typically single source. After 2000, with the rise of internet worms, these attacks could become distributed, effectively being launched from many attackers.

Answer 40

ingress filtering URPF, or reverse path filtering checks TCP syn cookies

Answer 41

Let's suppose that we have a stub autonomous system, whose IP prefix was 204.69.207.0/24. Now this is a stub network, that has no other networks connected to it. And this is the only IP address space that this network owns. Then, the router that is immediately upstream of that internet service provider can simply drop all traffic for which the source IP address is not in the IP address range of that particular network. So this is foolproof and it works at the edges of the internet. Where it's very easy to determine the IP address range that's owned by a downstream stub autonomous system. Unfortunately it doesn't work well in the core, where a particular router might have a lot of difficulty determining whether packets from a particular source IP address could be allowed on a particular incoming interface

Answer 42

So the solution that operators try to use in the core is to use the routing tables to determine whether a packet could feasibly arrive on a particular incoming interface. So if a router had a routing table that said all packets for ten, that's 0.1.0/24, should be sent. Via interface one. And all packets destined for 10.0.18.0/24 should be sent via interface two, then URPF says if we see a packet for, with a particular source IP address on an incoming interface. That is different than where would have sent the packet in the reverse direction, then we should go ahead and drop this packet. So the benefits of URPF is that it's automatic, but the drawbacks are that it requires symmetric routing. And we know from earlier lessons that routing in the internet is often asymmetric Therefore in any situation where asymmetric routing is a possibility it is not possible or reasonable to use URPF.

Answer 43

So in a typical TCP three-way handshake - -the client sends a SYN packet to the server - - the server responds with the SYN-ACK, - - the client then returns with an ACK to the SYN-ACK, at which point the connection is established. Problem: client can send a SYN and cause the server to allocate a socket buffer for that TCP connection. But then if the client never returns, the client can force the server to allocate many, many socket buffers, simply by sending a lot of syns and never returning. In fact, these could even be from spoofed IP addresses. So in other words, the client has absolutely no accountability, and no obligation to return to send the final ack, and yet can cause the server to allocate resources. Solution: syn cookies

Answer 44

In the TCP syn cookie approach, when the server receives a syn from the client, the server, instead of allocating a socket buffer for the tuple associated with the connection. The server keeps no state, and instead picks an initial sequence number for the connection that's a function of the client's IP address, and port, and the servers IP address, and port, as well as a random knots to prevent replay attacks. An honest client that returns can then reply with an acknowledgement with that sequence number in the packet. The server can check that sequence number simply by rehashing all of the information that it already has. Thereby determining that the acknowledgement here corresponded to the previous SYN-ACK that it had sent the client without requiring the server to store any state. Only if the sequence number matches the one picked by the server in the syn-ack does the server actually establish the connection.

Answer 45

TCP SYN cookies can prevent a server from exhausting state after receiving the initial TCP SYN packet.

Answer 46

The idea behind backscatter is that when an attacker spoofs a source IP address, say on a TCP SYN flood attack, that the replies to that initial TCP SYN from the victim will go to the location of the source IP address. This replies to forged attack messages are called" backscatter". Now the interesting thing about backscatter is that if we can assume that the source IP addresses are selected by the attacker at random, and we could set up a portion of the network where we could monitor this back scatter traffic, coming back as SYN-ACK replies to forged source IP addresses. If we assume that these source IP addresses are picked uniformly at random, then the amount of traffic that we see as back scatter represents exactly a fraction that's proportional to the size of the overall attack. So for example, if we monitor N IP addresses and we see M attack packets, then we expect to see here N over two to the 32 of the total back scatter packets and hence of the total attack rate. If we want to compute the total attack rate, we simply invert this fraction. So for example, in this case, if our telescope were a slash eight, or two to the 24th IP addresses, we would simply multiply our observed attack rate x by two to the 32 divided by two to the 24 or 255.

Answer 47

A BGP message could be sent to a router by some host (e.g., a remote attacker) that is not the router's legitimate neighbor ○ Note that although BGPSec provides session authentication, this kind of attack can also be prevented without BGPSec by using the “TTL Hack”. ● An AS could lie about being the origin of a particular subnet (i.e., claiming that the AS contains a subnet when it does not, in fact) ○ BGPSec prevents this by providing certificates that sign the origin claim ● An AS could lie about the AS-path to a particular subnet (i.e., claiming that there is a path through the AS when there is not, or that there is a more efficient path than there really is) ○ BGPSec prevents this by providing a chain of signed paths, each partial path in the chain being signed by the AS that advertised that part of the path

Answer 48

When an attacker performs a BGP hijack and leaves its own AS out of the path, it can ensure that even traceroute cannot discover it (the missing AS, that is) by simply not decrementing the TTL field on the traceroute when it passes through the attacking AS. To traceroute, it then looks like that AS isn't actually there.

Answer 49

There are several ways this could happen, but the most common is DNS poisoning. The attacker can SPAM DNS responses with a bad domain→IP address mapping to a local DNS server. If the attacker is lucky, or keeps trying for long enough, at some point the local server will issue a query that a SPAMed response could potentially be a legitimate response to (i.e., it has an ID that matches the request). When this happens, the local server will accept the attacker's response and not only reply to the request with the bad mapping but also cache it and use it to respond to new requests for the same domain name. Once the bad entry is in place, hosts that want to reach that domain will instead go to the IP address given by the attacker. The attacker's machine at that IP could then intercept traffic as a MITM or simply spoof the legitimate server (e.g., to collect login credentials).

Answer 50

ARP poisoning works similarly to DNS poisoning, except that there is not ID value that the attacker needs to guess (or SPAM enough guesses that one of them might be right). Not only that, a host will accept an ARP response even if no ARP request for that IP→MAC mapping was ever made – such a response is referred to as a “gratuitous ARP response”. An attacker could send gratuitous ARP responses for a particular IP address to hosts on its local network so that those hosts send messages to the attacker's MAC instead. For example, the attacker may send gratuitous ARP to a host for the network's gateway router, ensuring all packets headed for outside the local network instead come to the attacker's host instead. It could also send a gratuitous ARP to the router for the host's IP address, ensuring that return traffic is also sent to the attacker's host. This is particularly powerful because it's very easy to do and can let an attacker become a MITM for virtually all traffic to/from a target host. It's also a little harder to detect because the IP addresses are still the correct IP addresses for all the machines involved – only the MAC address have changed. The main drawback compared to something like DNS poisoning is that the attacker must be on the same local network as the target in order to do this. However, users connected to the same “public hotspot” are indeed all on the same local network, making them particularly vulnerable to this sort of attack.

Answer 51

The server does not allocate resources for the TCP connection immediately upon receiving a SYN packet, but instead waits for the ACK (final part of the 3-way handshake) to allocate those resources. In order to prevent attackers from simply doing an “ACK flood” instead of a SYN flood, the server's SYN/ACK response to the SYN packet contains a special “SYN cookie” that it uses as the connection's initial sequence number. When the server gets an ACK, it can calculate whether or not the sequence number in that ACK could have been legitimately generated as a SYN cookie. (The ACK number is the SYN cookie +1, so the server subtracts 1 to get the candidate SYN cookies that it tests.) If the ACK sequence number (SYN cookie) checks out, then the server knows 1) that the client has engaged in the entire 3-way handshake, rather than sending spurious ACKs, and 2) the client's IP address given by the IP headers is it's legitimate address, because otherwise it wouldn't have received the SYNACK that contains the SYN cookie. (There are some more details about how exactly it is able to programmatically verify the legitimacy of a SYN cookie extracted from an ACK message without having stored any data after the SYN and SYN/ACK steps, as well as how it is able to prevent replay attacks. However, we'll leave this answer at this moderate level of detail for now.)

Answer 52

The /12 subnet contains 2^(32-12) = 2^20 = 1048676. So 1048576/1048576 = 1 packet to observe.

Answer 53

-BGP does not validate information in routing announcements, so a manipulator can announce any path they want and claim ownership of a victim’s IP prefix. -Origin Authentication uses a trusted database for verification so an AS can’t claim ownership of a victim’s IP prefix, but they can still announce a path that ends at the proper AS, although the path does not physically exist. -soBGP uses origin authentication and a trusted database to guarantee that any path physically exists, but the manipulator can advertise a path that exists but is not actually available. -S-BGP uses path verification, which limits a single manipulator to announcing available paths, but they could announce a shorter, more expensive, provider path while actually forwarding traffic on a cheaper, longer customer path. -Data plane verification prevents an AS from announcing a path and forwarding on another, so the manipulator must actually forward traffic on the path he is announcing. -Defensive filtering polices the BGP announcements made by stubs. With the model in the paper, each provider keeps a prefix list of the IP prefixes owned by its direct customers that are stubs. If a stub announces a path to any prefix it doesn’t own, then it is dropped. In this way, if all providers correctly implement this it eliminated attacks by stubs.

Answer 54

Announcing longer paths can be better than announcing shorter ones. In the example given in Figure 9 of the paper, advertising the shortest path will only pick up traffic from one small provider. Announcing a longer path to the large provider, will attract more traffic overall as the large provider will prefer this path over the shorter, peer path as it will be cheaper. It is better for the manipulator to attract traffic from larger AS. This strategy will work against any secure routing protocol, except when launched by stubs in a network with defensive filtering, because it is only implementing a different export policy than usually used. Announcing to fewer neighbors can be better than announcing to more. In this strategy, by not exporting to certain Tier providers, customer paths to the victim can be eliminated and influential ASes will be forced to choose shorter peer paths over a longer customer path because the customer path was not made known to them. This will work against any secure protocol as it is just using a clever export policy to manipulate traffic. The identity of the ASes on the announce path matters since it can be used to strategically trigger BGP loop detection. With false loop prefix hijack, the manipulator claims an innocent AS originates the prefix to his provider. But when the false loop is announced, BGP loop detection will cause the AS to reject the path, removing the customer path from the network. This will force large ISPs to choose shorter peer paths. Unlike the first two attacks, this one will only work against BGP, origin authentication or soBGP because it involves false advertising of the path announced by an innocent AS.

Answer 55

Malicious ASes change their providers often to avoid being detected or to avoid the negative consequences of their customers activities. Among these providers, they are also known to connect to Providers with lax security policies and / or long response times to abuse complaints. Even still, Malicious ASes have longer periods of downtime, due to depeering from their neighboring ASes and detection avoidance strategies they employ. ASWatch captures these activities by taking snapshots of AS relationships periodically and observing the changes in relationships over time. These activities are then used to feed the reputation engine that identifies malicious ASes.

Answer 56

Malicious ASes conduct a wide variety of abusive actions, many of which can be countered with simple blacklisting. Examples of this would be DoS, spamming, and phishing. If a malicious AS consistently advertises its entire IP address space, it runs a higher risk of having the entire IP space blacklisted when these activities are detected. Small fragments of advertised space allow malicious activities to continue their activities in a fresh IP space fragment when they are blacklisted

Answer 57

Botnets conducting a crossfire attack do not need to spoof their IP addresses, and as a result defenses based on detecting spoofed IP addresses fail. Additionally, the traffic sent by these botnets to overload links is not unsolicited, the traffic flows from one participating host to another. Furthermore, the attack overloads links in aggregate, meaning many low intensity flows combine to DoS the target links. These links are harder to differentiate from legitimate traffic, which prevents flow monitoring efforts from detecting these attacks.

Answer 58

Rolling attacks are implemented by an attacker to indefinitely continue an attack on a target area. Continuing to flood the same set of target links will ultimately have negative effects on the attack when router failure detection mechanisms are tripped. Additionally rolling attacks will make the crossfire attack even harder to detect by changing the attack vector without changing the overall target area.

Answer 59

Off-path adversaries can’t observe DNS queries and responses. They will trigger specific DNS lookups, but must generate numerous packets in hopes of matching the request the resolver will accept as they must guess the transaction ID and other entropy. On-path adversaries can passively observe the actual lookups requested by a resolver and can directly forge DNS replies. As long as the resolver receives the forged reply before the legitimate one, it will accept the forged reply. In-path adversaries can both block and modify packets and can block the legitimate packet. Hold-On can’t help here as the legitimate packets can be blocked.

Answer 60

Because the legitimate reply cannot be blocked by on-path adversaries, the “Hold-On” period can be used to wait for the legitimate reply to arrive. The stub resolver/forwarded first learns the expected RTT and TTL associated with legitimate traffic to remote recursive resolver. Then after issuing a DNS query, it starts its Hold-On timer. If a DNSSEC-protected response is expected, local signature validation is done for each reply and returns the first fully validated reply to the client or a DNSSEC error if the Hold-On timer expires before one is validated. If there is no DNSSEC, the resolver compares the timing of the reply to the expected RTT and compares the TTL field in the header to the expected TTL. If a reply is validated it will return this reply to the client, but if there are mismatches, it ignores the response and continues to wait. If the timer expires, it will send the last reply received that was not validated.

Answer 61

Network Virtualization refers to abstracting the network away from the physical equipment, which can be accomplished without SDN (we did this in Project 1 using Mininet!). On the other hand, SDN refers separating the control plane from the data plane by using a centralized logic controller. SDN does not necessarily imply Network Virtualization is employed. Network virtualization software like Mininet allows SDNs to be tested in a virtual environment by using logical processes to emulate physical network devices, including OpenFlow capable switches. By emulating the physical equipment, control plane logic for an SDN can be tested without the need for physical equipment and complicated data collection methods.