Test 3 Network Security Flashcards

Question 1

Q

Notorious attacks on internet routing

Answer

A

April 8, 2010, China advertised about countries. The event lasted for about 20 minutes. In this particular case, the hijack appears to have been accidental. Because the prefixes were long enough such that they didn’t disrupt existing routes. But the fact that the route advertisements were allowed to leak in the first place highlights the vulnerability of the border gateway protocol.

another event in prefixes, potentially as a botched attempt to block Youtube in the country following a government order. Unfortunately, the event resulted in disruption of connectivity to YouTube for people all around the world.

April 25th in 1995, one of the more famous route hijack incidents was the AS7007 incident, where AS7007 advertised all of the IP prefixes on the entire internet. As originating in its own AS, resulting in disruption of connectivity to huge fractions of the Internet.

Question 2

Q

Whyis BGP susceptible to attacks?

Answer

A

BGP allows any AS to advertise an IP prefix to a neighboring AS, and that AS will typically just believe that route advertisement and advertise it to the rest of the internet. These events that occur where an AS advertises a prefix that it does not own are called route highjacks.

Question 3

Q

DNS reflection

Answer

A

a way of generating very large amounts of traffic targeted at a victim.

Question 4

Q

Distributed Denial of Service, or DDos attack

Answer

A

a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

https://en.wikipedia.org/wiki/Denial-of-service_attack

Question 5

Q

Phishing

Answer

A

an attacker exploits the domain name system in an attempt to trick a user into revealing personal information, such as passwords on a rogue website

Question 6

Q

Why is the Internet fundamentally insecure?

Answer

A

The internet was designed for simplicity, and as a result security was not a primary consideration when the internet was originally designed

it’s on by default. In other words, when a host is connected to the internet, it is by default reachable by any other host that has a public IP address. This means that if one has an insecure host, that host is effectively wide open to attack by other hosts on the internet.

the internet is run by tens of thousands of independently run networks, it can be very difficult to coordinate a defense against an attack because each of these networks is run by different network operators, sometimes in completely different countries

Question 7

Q

Resource Exhaustion Attacks

Answer

A

In a packet switch network, resources are not reserved and packets are self containment. Every packet has a destination IP address, and each packet travels independently to the destination host. In a packet switch network, a link may be shared by multiple senders at any given time, using statistical multiplexing as we learned in previous lessons.

A large number of senders can overload a network resource, such as a node or a link. Note that circuit switch networks like the phone network do not have this problem because every connection effectively has allocated, dedicated resources. For that particular connection until it is terminated. So this problem that an attacker who sends allot of traffic might exhaust resources is unique to a packet switched network environment.

Question 8

Q

Components of Security

Answer

A

availability
–susceptible to resource exhaustion

Confidentiality

Authenticity
–ensures the identity of the origin of a piece of information

Integrity
– information wasn’t modified in flight.

Question 9

Q

security threat defined

Answer

A

anything that might potentially cause a violation of one of the Components of Security

Question 10

Q

attack defined

Answer

A

an action that results in the violation of one of the Components of Security

Question 11

Q

difference between a threat and an attack

Answer

A

the difference between a violation that could potentially occur. Versus an action that actually results in a violation.

Question 12

Q

Confidentiality Attacks

Answer

A

eavesdropping

-an attacker, Eve, might gain unauthorized access to information being sent between Alice and Bob
- packet sniffing tools, such as wireshark and tcpdump, that set a machine’s networking interface card into what’s called promiscuous mode
-If the network interface card is in promiscuous mode then Eve’s machine will be able to capture some of the packets that are being exchanged between Alice and Bob

the ability to see DNS look-ups would provide the attacker information about, say, what websites you’re visiting.

The ability to capture packet headers might give the attacker information, not only about where you’re exchanging traffic, but what types of applications you’re using.

the ability to see a full packet payload would allow an attacker to effectively see every single thing that you are sending on the network. Including content you’re exchanging with other people. Such as private message, email communication, and so forth.

the ability to see a packet, Eve might not only listen to that packet, but might also modify it and re-inject it into the network, potentially after altering the state of the packet.

If additionally Eve could suppress the original message

Question 13

Q

Authenticity Attacks

Answer

A

‘Man in the Middle’ attack.

If, in addition to being able to observe packets that traverse the network, Eve could re-inject packets after having modified them, and suppress Alice’s original message, then Eve could effectively impersonate Alice.

Question 14

Q

integrity Attacks

Answer

A

Alice could also make it appear as though this message came from Alice. In which case, the attack would be an attack on message integrity.

Question 15

Q

A denial of service is an attack on what property of internet security?

Answer

A

A denial of service attack is an attack on availability. Denial of service attacks typically are an attempt to overwhelm the network or a network host in some way by consuming its resources. A common way of launching a denial of service attack is to send a lot of traffic at a victim, often from many distributed locations. If the attacker is in fact distributed, this is called not just a denial of service attack, but a distributed denial of service attack.

Question 16

Q

Negative Impacts of Attacks

Answer

A

theft of confidential information

unauthorized use of network bandwidth or computing resources

the spread of false information

the disruption of legitimate services.

Question 17

Q

Routing Security

Answer

A

focus on:

- inter-domain routing or the security of BGP
- control plane security

Question 18

Q

control plane security

Answer

A

authentication of the messages being advertised by the routing protocol

goal of control plane security, or control plane authentication is to determine the veracity of routing advertisements.

verify:

-session authentication, which protects the point-to-point communication between routers
-path authentication, which protects the AS path, and sometimes other attributes.
-origin authentication. Which protects the origin AS in the AS path; effectively guaranteeing that the origin AS that advertises a prefix is, in fact, the owner of that prefix.

Question 19

Q

A route hijack, is an attack on which form of authentication?

Answer

A

A route hijack is an attack on origin authentication because in a, in a route hijack, the AS that is advertising the prefix is actually not the rightful owner of that prefix. In addition to control plan security, we also have to worry about data plan security or determining whether data is traveling to the intended locations. In general, it can be extremely hard to verify that packets or traffic is traveling along the intended route to the destination. Or that it, in fact, even reaches the intended destination in the first place. Guaranteeing that traffic actually traverses the advertised route remains an important open problem in internet security.

Question 20

Q

Sources of Route Attacks

Answer

A

router is misconfigured. In other words, no one actually intended for the router to advertise a false route, but because of a misconfiguration the router does so.

a router might be compromised by an attacker. Once a router is compromised, the attacker can reconfigure the router to, for example, advertise false routes.

unscrupulous ISPs might also decide to advertise routes that they should not be advertising.

Question 21

Q

launching the route attack

Answer

A

An attacker might reconfigure the router, which is typically the most common way an attacker might launch an attack.

The attacker might also tamper with software, or an attacker could actively modify a routing message.

the attacker might tamper with the management software that changes the configuration.

And the most common attack is a route highjack attack or an attack on origin authentication.

Question 22

Q

Route Hijacking

Answer

A

if an attacker were running a rogue DNS server and wanted to hijack your DNS query, or to return a false IP address, the attacker might use BGP to advertise a route for the IP prefix that contains that authoritative DNS server

DNS queries that were previously going to the legitimate server, are instead redirected to the rouge DNS server

Question 23

Q

how a BGP route hijack can result in a Man in the Middle attack

Answer

A

your traffic ultimately reaches the correct destination, but the attacker successfully inserts themselves on the path. The problem with this particular route hijack. Is that all traffic destined for IP X is going to head for the attacker, even the traffic from the legitimate network. What we’d like to instead have happened is that traffic for IP X first goes to the hijack location and then goes to the legitimate location. So the attacker effectively becomes a Man In The Middle. The problem is that we need to somehow disrupt the routes to the rest of the internet while leaving the routes between the attacker and the legitimate location intact. So that traffic along this path can still head towards the legitimate AS

Question 24

Q

Autonomous System Session Authentication

Answer

A

Session Authentication simply attempts to ensure that BGP Routing messages sent between routers between AS’s are authentic

done using TCP’s MD5 authentication option

-every message exchanged on the TCP connection not only contains the message, but also a hash of the message with a shared secret key. Now this key distribution is manual. The operator in AS1 and the operator in AS2, must agree on what key is, and typically they do that out of band.
-once that key is set, all messages between this pair of routers is authenticated.

Another way to guarantee session authentication, is to have AS1 transmit packets with the of TTL of Because most [UNKNOWN] sessions are only a single hop and attackers are typically remote. It is not possible for the recipient AS to accept a packet from a remote attacker, because likely that attacker’s packets will have a TTL value of less than 254. This defense is aptly called the TTL hack defense for BGP Session Authentication.

Question 25

Q

Origin and Path Authentication

Answer

A

Secure BGP or BGPSEC
–proposal to modify the existing border gateway protocol to add signatures to various parts of the route advertisement

two different parts

-address attestation/ origin attestation, which is a certificate that binds the IP prefix to the organization that owns that prefix, including the origin AS
-path attestation: set of signatures that accompany the AS path as it is advertised from one AS to the next

Question 26

Q

Autonomous System Path Attestation

Answer

A

BGP announcement would contain:

- the prefix p
-the AS path, which so far is just one.
-the path at a station, which is actually the path to one signed by, the private key, of AS1.

When AS2, readvertises that route announcement, it advertises:

- the new AS path to one.
-It adds its own at route at test station, three, two, one signed by it’s own private key.
-includes the original path atastation signed by AS1.

A recipient of a route along this path can thus verify every step of the AS path.

-AS3 can use the first part of the path attestation to verify that the path in fact, goes from AS2 to AS1, and does not contain any other ASs in between.
-It can use the second part of the path attestation to ensure that the path between it, AS3, and the next hop is in fact, AS2, and that no other ASs could’ve inserted themselves on the path between two and three.

Question 27

Q

Autonomous System Path Attestation

Answer

A

BGP announcement would contain:

- the prefix p
-the AS path, which so far is just one.
-the path at a station, which is actually the path to one signed by, the private key, of AS1.

When AS2, readvertises that route announcement, it advertises:

- the new AS path to one.
-It adds its own at route at test station, three, two, one signed by it’s own private key.
-includes the original path atastation signed by AS1.

A recipient of a route along this path can thus verify every step of the AS path.

-AS3 can use the first part of the path attestation to verify that the path in fact, goes from AS2 to AS1, and does not contain any other ASs in between.
-It can use the second part of the path attestation to ensure that the path between it, AS3, and the next hop is in fact, AS2, and that no other ASs could’ve inserted themselves on the path between two and three.

Question 28

Q

Autonomous System Path Attestation: why the AS signs a path attestation with not only its own part of the AS path in the path attestation, but also, the hop of the AS that is intended to receive the BGP route advertisement

Answer

A

prevents hijacking and modification of the AS path

Suppose, that these AS’s were not there in the path at station. In this case. We have a very nice well-formed VGP route advertisement for prefix with the AS path suffix to one, and we have each segment signed, so an attacker could in fact, take such an announcement and advertise sub strings of this route advertisement as their own. Thus an attacker, AS4, could claim that it was connected to prefix P via AS1 when in fact no such link existed. Simply by stealing or replacing the path atastation one that’s signed by K1. But, note that in reality AS1 never generates this signature. In fact it generates the signature,21. Or in this case, it would somehow have to generate the signature 41 signed by AS1’s private key, whereas if AS1 only signed a message with its own AS in the message, such a segment or attestation could easily be replayed. There’s actually no way that AS4 Could forge the path attestation for one, signed by AS1’s private key because it doesn’t own this private key and AS1 never generated a path attestation with this particular signed path., This is the reason that each AS not only signs a path attestation with its own AS on the AS path. But also the next AS along the path.

Question 29

Q

attacks that path attestations cannot defend against

Answer

A

if an AS fails to advertise a route or a route withdrawal There is no way for the path [UNKNOWN] or PGP sec to prevent from that kind of attach. Certain types of replay attacks such as a premature re-advertisement of a withdrawn route also cannot be defended against and of course, there is no way to actually guarantee that the data traffic travels along the advertised AS path, which is a significant weakness of DGP that is yet to be solved by any routing protocol.

Question 30

Q

DNS Security: vulnerability

Answer

A

To understand the threats and vulnerabilities of DNS, let’s take a look at the DNS architecture. So we have a stub resolver which issues a query to a caching resolver. At this point, we could have a man in the middle attack, or an attacker which observes a query and forges a response. If a query goes further than the local caching resolver, say for example, to an authoritative name server, an attacker could try to send a reply back to that caching resolver before the real reply comes back to try to poison, or corrupt, the cache with bogus DNS records for a particular name. This attack is particularly virulent and we will look at a cache poisoning attack in this lecture. Masters and slaves can both be spoofed. Zone files could be corrupted. Updates to the dynamic update system could also be spoofed. We will look at some defenses to cache poisoning, including the OX20 defense, as well as DNSSEC, which can protect against some of these spoofing and man in the middle attacks. In addition to these attacks, we’ll look at an attack called DNS reflection where the DNS can be used to mount a large distributed denial of service attack.

Question 31

Q

Why is DNS Vulnerable

Answer

A

the resolvers that issue the DNS query trust the responses that are received after they send out a query regardless of where that response comes from. So sometimes these responses can be forged.

When a resolver sends out a query, it typically generates what’s called a race condition And if the attacker replies before the legitimate responder, then the resolver is likely to believe the attacker. DNS responses can also contain additional DNS information that’s unrelated to the query.

The fundamental problem is that the basic DNS protocols have no means for authenticating responses. This allows an attacker to forge responses after a resolver sends a query.

A secondary reason that these types of spoofed replies are possible is that DNS queries are typically connectionless unlike BGP where routing messages are transmitted over a reliable TCP connection, UDP queries are sent over a connectionless UDP connection. Therefore, a resolver does not have a way of mapping the response that it receives for a query other than the query ID. Which can be forged by the attacker. Let’s look at how the combination of the lack of authentication and the connectionless nature of a DNS query allows the possibility of cash poisoning.

Question 32

Q

which aspects of DNS make it vulnerable to attack

Answer

A

the fact that the queries are sent over a connectionless channel and that there is no way to authenticate the query responses, makes the DNS vulnerable to various kinds of spoofing and cache poisoning attacks.

The fact that DNS names are human readable does not make the DNS inherently insecure. Nor does the fact that it’s distributed. There are certainly very well understood ways of securing distributed systems and that does not inherently make DNS insecure.

Question 33

Q

DNS Cache Poisioning from wikipedia

Answer

A

DNS spoofing, also referred to as DNS cache poisoning, is a form of computer hacking in which corrupt Domain Name System data is introduced into the DNS resolver’s cache, causing the name server to return an incorrect IP address. This results in traffic being diverted to the attacker’s computer (or any other computer).

Question 34

Q

DNS Cache Poisioning example

Answer

A

consider a network where a stub resolver issues a query to its recursive resolver, and the recursive resolver in turn sends that

A record query to the start of authority for that domain. Now, in an ideal world, the authoritative name server for that domain would reply with the correct IP address.

If an attacker guesses that a recursive resolver might eventually need to issue a query for say, www.google.com. The attacker can simply reply with multiple, specially crafted replies each with different id’s.

Although this query has some query id, the attacker doesn’t need to see that query because the attacker can simply flood the recursive resolver with a bunch of bogus replies and one of them, in this case the response with id3 will match.

As long as this bogus response reaches the recursive resolver before the legitimate response does, the recursive resolver will accept this bogus message.

And worse, it caches the bogus message.

DNS, unfortunately, has no way to expunge a message once it has been cached.

So now this reclusive resolver will continue to send bogus a record responses for any query for this particular domain name until that entry expires from the cache.

Question 35

Q

several defenses against DNS cache poisoning

Answer

A

the query ID.
–the query ID can be guessed.

randomize the ID

-rather than having a resolver end queries where the ID’s increment in sequence, the resolver can pick a random ID.
-This makes the ID tougher to guess, but still, the query ID is only 16 bits, which still makes it possible for an attacker to flood the recursive resolver with many possible responses.

the resolver can randomize the source port on which it sends the query

-thereby adding an additional 16 bits of entropy to the ID that’s associated with the query.
-Unfortunately, picking a random source port can be resource intensive and also a network address translator or a NAT, could derandomize the port.

the 0x20 or the zero x20 encoding
– which is based on the intuition that DNS matching and resolution is entirely case insensitive. So capitalization of individual letters in the domain name do not affect the answer that the resolver will return.

Question 36

Q

DNS query race: Kaminsky Attack

Answer

A

The success of a DNS cache poisoning attack not only depends on the ability to reply to a query with a correct matching ID, but it also depends on winning this race. That is, the attacker must reply to that query before the legitimate authoritative name server replies. If the bad guy, or the attacker, loses the race, then the attacker has to wait for that correct cached entry to expire, before trying again, however the attacker can generate his own DNS query. For example, he could query one.google.com, two.google.com and so forth. Each one of these bogus queries will generate a new race. And eventually the attacker will win one of these races for an A record query. But who cares? Nobody necessarily cares to own one.google.com, or google.com. The attacker really wants to own the entire zone. Well the trick here is that instead of just simply responding with A records in the bogus replies. The attacker can also respond with NS records for the entire zone of google.com. So by creating one of these races, using an A record query, and then responding not only with the A record response, but also with the authoritative of the NS record,for the entire zone. The attacker can in fact own the entire zone. This idea of generating extreme of A record queries to generate a bunch of races and then stuffing the A record responses for each of these with a bogus authoritative NS record for the entire zone. Is what’s called the Kaminsky Attack, after Dan Kaminsky, who discovered the attack.

Question 37

Q

0x20 or the zero x20 encoding DNS Cache Poisoning Defense

Answer

A

the 0x20 or the zero x20 encoding

- which is based on the intuition that DNS matching and resolution is entirely case insensitive. So capitalization of individual letters in the domain name do not affect the answer that the resolver will return.
-This 0x20 bit, or the bit that affects whether a particular character is capitalized or in lower case can also be used to introduce additional entropy.
-When generating a response to a query such as this one, the query is copied from the DNS query into the response exactly as it was in the query.
-The mixed pattern of upper and lower case letters thus constitutes a channel. If the resolver and the authoritative server can agree on a shared key, then the resolver and the authoritative are the only ones who know the appropriate pattern of upper and lower case letters for a particular domain name. Because no attacker would know the appropriate combination of upper and lower case letters for a particular domain. It becomes even more difficult for the attacker to inject a bogus reply, because not only would the attacker have to guess the ID, but the attacker would also have to guess the capitalization sequence for any particular domain name

Question 38

Q

why does the 0x20 encoding make DNS more secure?

Answer

A

The 0x20 bit encoding adds additional entropy to the queries that a DNS resolver sends by tweaking the capitilization on a DNS name in such a way that only the resolver and the authoritative name server know the particular sequence of upper and lower case letters in the reply.

Question 39

Q

DNS Amplification Attacks

Answer

A

This attack exploits the asymmetry in size between DNS queries and their responses.

So an attacker might send a DNS query for a particular domain, and that query might only be attacker might indicate that the source.

For this query is some victim IP address. Thus the resolver might send a reply which is nearly two orders of magnitude larger to a victim.

So the name of the attack amplification comes from the fact that the query is only 60 bytes and a reply is considerably larger.

So, by simply generating a small amount of initial traffic, the attacker can cause the DNS resolver. To generate a significantly larger amount of attack traffic. If we start adding other attackers, all of which specify the victim as the source, then all of these giant replies start heading towards the victim, and we have a denial of service attack on the victim.

Question 40

Q

Defenses against DNS Amplification Attacks

Answer

A

prevent IP address spoofing in the first place using, for example, the appropriate filtering rule

disable the ability for a DNS resolver to resolve queries from arbitrary locations on the Internet.

Question 41

Q

DNSSEC DNS Security

Answer

A

The DNS sec protocol adds authentication to DNS responses simply by adding signatures to the responses that are returned for each DNS reply.

each authoritative name server in the DNS hierarchy returns not only the referral, as it would with regular DNS, but also a signature containing the IP address for that referral. And the public key for the authoritative name server that corresponds to that referral. That public key then allows the resolver to check the signatures at the next lowest level of the hierarchy, until we finally get to the answer.

When a stub resolver issues a query, assuming there is no caching, the query is relayed by the recursive resolver to the root name server. Which, as we know, sends a referral to .com, but this referral includes the signature by the root of the IP address and the public key of the .com server. As long as this resolver knows the public key corresponding to the route, it can check the signature and it knows then, that the referral is to the correct IP address for .com. It also now knows the public key corresponding to the .com server, thus when the .com server sends the next referral to Google.com, that referral is signed by .com’s private key. But the root has told the resolver the public key corresponding to .com, and thus the resolver can check that this referral is not bogus and in fact, came from the .com server. Similarly, the .com server will return, not only the IP address for Google.com, but also the IP address and public key for the Google.com authoritative name server. So that when Google returns its answers, the resolver can check the signatures coming from google.com.

Question 42

Q

Viruses defined

Answer

A

A virus is effectively an infection of an existing program that results in the modification of the original program’s behavior.

Question 43

Q

Worm defined

Answer

A

A worm is code that propagates and replicates itself across the network. A worm is usually spread by exploiting flaws in existing programs or open services whereas viruses typically require user action to spread. For example, opening an attachment on an email or running an executable file that a friend gave you on an USB key. Worms propagate automatically.

Question 44

Q

types of viruses

Answer

A

A parasitic virus typically infects an existing executable file.

A memory- resident virus infects running programs.

A boot-sector virus spreads whenever the system is booted.

A polymorphic virus encrypts part of the virus program using a randomly generated key.

Question 45

Q

key difference between viruses and worms

Answer

A

viruses typically spread with manual user intervention.

Worms typically spread automatically by scanning for vulnerabilities and infecting vulnerable hosts when those vulnerabilities are discovered. A worm might use any of these techniques to infect a particular host before spreading further.

Question 46

Q

Internet Worm Lifecycle

Answer

A

First, the worm needs to scan other hosts to find potentially vulnerable hosts.

In the second step, it needs to spread. By infecting, other vulnerable hosts.

And in the third step, it needs to remain undiscoverable and undiscovered so that it can continue to operate and spread without being removed from systems..

Question 47

Q

First Worm

Answer

A

The first worm was designed by Robert Morris, Jr. in 1988. The worm itself had no malicious payload but, it ended up bogging down the machines that it infected by spawning new processes uncontrollably and exhausting resources. And at the time it was released, it affect ten percent of all Internet hosts. It spread, through three different propagation vectors. The worm tried to crack passwords ,using a small dictionary and a publicly readable password file and also targeted hosts. That were already listed in a trusted host file, on the machine that was already infected.

This ability to perform remote execution was one way that the worm was allowed to spread.

The second way that it spread ,was in a buffer overflow vulnerability, In the finger demon. This was a standard buffer overflow exploit. this is a very common attack that makes remote exploits possible, effectively resulting in the ability to run arbitrary code. At the root level privilege.

The third way that worm spread, was via the debug command in send mail, which is a mail sending service. In early send mail versions, it was possible to execute a command on a remote machine by sending an SMTP message. The worm used this, capability to spread automatically.

A key theme that we’ll see In the design of other worms, is this use of multiple vectors. Now any particular worm, may end up using, a different set of vectors depending on the remote vulnerabilities that it’s trying to exploit. But the idea that any worm should be able to exploit multiple weaknesses in a system gives it more ways to spread. And often also speeds up the propagation of the worm. This worm design also followed the following general approach, which we see showing up over and over again in worm designs.

Question 48

Q

Code Red 1

Answer

A

Code Red 1 was released on July 13th, 2001, and was the first modern worm. It exploited a buffer overflow in Microsoft’s IIS server. From the would spread By finding new targets using a random scan of IP address space, it would spawn 99 new threads, which generated IP addresses at random and then looked for vulnerable instances of IIS. Now version 2 Of code red one, was actually released six days later and fixed that random scanning bug. So that each instance of the worm scanned a different part of IP address space. After the scanning bug was fixed, the worm was able to compromise 350000 vulnerable hosts in a matter of only running the vulnerable version of IAS. On the entire internet. The payload of this worm was to mount a denial of service attack on whitehouse.gov. But a bug in the coding, caused the worm to die, on the 20th of each month. If the victims clock was wrong however, the worm would actually resurrect itself. On the 1st. Fortunately in this case, the payload which launched the denial of service attack on whitehouse.gov actually was launched at a particular IP address, not at the domain name. So the operators of the website needed only to move the web server to another IP address to defend against the denial of service attack. A better worm design would have been much more catastrophic.

Question 49

Q

Code Red 2

Answer

A

released on August 4th, 2001, and was called Code Red2 mainly because of a comment in the code. The worm actually only spread on Windows The scan actually preferred nearby addresses It would choose addresses from the same /8 with probability one half from the same /16 with probability three eighths, and randomly from the entire internet with the remaining one eighth probability. The reason for preferring nearby IP addresses is that if there was one vulnerable host on the network. There was likely to be more, because the same administrator that failed to patch the compromised machine might have other machines on the same network that were also vulnerable. This notion of preferential scanning can speed up infections in some cases by increasing the probability that scanning will find another vulnerable host.

Question 50

Q

Nimda

Answer

A

The payload of this worm was an IIS backdoor, and the worm was completely dead, by design, by October 1, and was interesting mostly because it spread using multiple propagation vectors. It was effectively multi-model. So in addition to using the same IIS vulnerability as Code Red 1 and Code Red 2, there were some additional vectors that it used. It could spread by bulk email as an attachment. It copied itself across open network shares. It installed an exploit code on webpages on the corresponding web server running on the machine, so that any browser that visited the webpage for that server would become infected itself and it would scan for the Code Red 2 backdoors that that worm had installed. The interesting thing about the multi-modal nature of the Nimda worm is that signature based defences don’t necessarily help, because of the many ways that it could spread, for example, by email or via a website exploit, Nimda actually needs firewalls. Most of the firewalls pass the email carrying Nimda completely untouched, using brand new infection with an unknown signature, and those scanners couldn’t detect it. This was the first instance of a worm that exploited what we would call a zero day attack which is when a worm first appears in the wild. And the signature of the worm is not extracted until minutes, or hours later. Zero day attacks are particularly viralent because the worm can spread extremely quickly, before any type of signature-based antivirus has a chance to catch up and prevent the infections in the first place.

Question 51

Q

Modeling Fast-Spreading Worms

Answer

A

We can actually model the spread of these worms using the random constant spread model. If Kis the initial compromised rate, N is the number of vulnerable hosts, and a is the fraction of hosts already compromised, we can now express the number of hosts infected at a particular time increment in terms of the machines already infected, and the rate at which uninfected machines become compromised. So if Nda. Is the number of newly infected machines in DT, we can express that in terms of the number of machines already infected. Which is, N times a. So these are the host already capable of doing more scanning. And now K times 1 minus a is the rate at which uninfected machines become compromised, in a particular time interval dt. If we solve for a the fraction of hosts compromised, which is effectively the y-axis of this graph and we get the following. You get an exponential curve that is exponential where the growth rate depends only on K, or the initial compromise rate. This is very interesting because it tells us that if we want to design a very fast spreading worm, then we should design a worm such that the initial compromise rate is as high as possible. So how do we increase K.

Question 52

Q

Increasing Compromise Rate

Answer

A

create a hit list, or a list of vulnerable hosts ahead of time
–start by performing stealthy scans or some reconnaissance to construct a list of vulnerable hosts before we start spreading, then we can get rid of that initial flat part of the curve where the worm is effectively dormant.

permutation scanning
–Where every compromised host has a shared permutation of an IP address list to scan for vulnerabilities. Now if this list is randomly permuted and a particular host starts scanning from its own IP address in the list And works down, then different effected hosts will start scanning from different parts of this list ensuring that compromised hosts don’t duplicate each other’s work.

Question 53

Q

Slammer worm

Answer

A

One worm that exploited these techniques to spread particularly quickly was the Slammer worm, which spread in January of 2003.

Exploiting a buffer overflow in Microsoft’s SQL sever. In addition to using fast scanning techniques, the entire slammer code fit in a single small UDP packet. The UDP packet contain the worm binary, followed by an overflow pointer back to itself. It would say classic buffer overflow combined with random scanning. Once the control is passed to the worm code, it randomly generated IP addresses and attempted to send a copy of itself to Port 1434 on other hosts.

One brilliant aspect of the slammer worm, is that because it was spread by via single UDP packet, it was connectionless, meaning that it could spread. And was no longer limited by the latency of network round trip time, but only by the bandwidth of the network,

the worm caused $1.2 billion dollars in damage, and temporarily knocked out many elements of critical infrastructue, including Bank of America’s ATM network. An entire cell phone network in South Korea, and five route DNS servers, as well as Continental Airlines’ ticket processing software.

The worm actually did not have a malicious payload, but the bandwidth exhaustion on the network caused resource exhaustion on all the infected machines.

This damage was inflicted in just thirty minutes, due to the very lightweight nature in which Slammer spread.

Question 54

Q

what allowed the Slammer worm to spread so quickly?

Answer

A

Slammer was able to spread quickly, because it spread via connectionless transport, or UDP, and because it could fit in a single packet.

Question 55

Q

Spam

Answer

A

Someone has to design the filters that separate the good traffic from the bad traffic.

Additionally, even if email is classified as spam, if it’s accepted for delivery, the Internet’s mail protocols dictate that the server has to keep the mail, because it’s told the receiver that it has accepted the mail. This creates the potential for spam to consume a significant amount of storage space on email servers.

Finally, spam can create security problems for users who receive spam emails. If the spam messages contain a payload that could harmful, such as malware or a phishing attack or an attempt to steal a user’s private or sensitive information, such as a password.

Question 56

Q

three different ways to construct Spam filters

Answer

A

content-based

based on the IP address of the sender/ blacklisting

based on behavioral features

Question 57

Q

what are some problems with content-based email filters?

Answer

A

they can very easily change the content, of the message that is carrying the spam that they wish to deliver.

They can embed their message in things like images, mp3’s, Excel spreadsheets and so forth, making it relatively difficult for the filter maintainers to keep up.

Question 58

Q

IP Blacklisting

Answer

A

the way an IP blacklists works is that when a sender sends an email to the receiver the receiver sends a query for that IP address to a blacklist or a DNS-based blacklist sometimes called a DNSBL such as spamhaus.

Depending on whether or not that IP address appears in the blacklist the receiver can then decide to accept the message or, if the IP address turns out to be on the blacklist, the receiver can decide to terminate the connection and not even accept the mail in the first place, thereby saving the operator the trouble of even having to store the message.

The third approach is to filter a message on how it is sent. In particular, we can look at such features as the geographic locations of the sender and receiver, the set of target recipients, the sender’s upstream ISP or our inference as to whether the sender is a member of a botnet or a network of comprised hosts that are doing the bidding of some command and control server.

Question 59

Q

Content-based Email Filter

Answer

A

-In other words, you can look at what’s being said in the mail.
-For example, if the mail contains particular words, such as Viagra or Rolex, a content-based filter might pick up on those terms and decide to filter the mail.
-relatively easy for attackers to evade. A recent large commercial mail operator recently told me that he saw something like 80,000 different spellings of Viagra. But additionally, messages can be carried not only in text, but in images, Excel spreadsheets, or even MP3s or movies.

Question 60

Q

Behavioral Based Email Filter

Answer

A

–how the mail is sent. So for example, if the mail is sent at a particular time of day, or if it’s sent in a batch of emails that are all roughly the same size. Then we may be able to figure out that a message is likely spam, simply based on the sender’s sending behavior.

the challenges of buildling a filter around this notion is first, understanding network level behavior and second, building classifiers using network level features to execute the filtering.

Question 61

Q

Avoiding Spam Blacklisting

Answer

A

spammers can perform behavior on the network that is extremely uncanny and unlikely to be performed by a legitimate network user.

For example, what we saw is that the spammer could hijack an IP prefix for a very short period of time, such as 10 minutes. Send the spam or potentially multiple spam messages from IP addresses inside that IP prefix, and at the end of the attack withdraw the prefix.

This allows attackers to use ephemeral IP addresses essentially rendering IP blacklists ineffective.

In fact, we saw on any given day about 10% of the email senders are from previously unseen IP addresses.

This ephemerality or transience of the IP addresses of the spam senders makes it particularly difficult to maintain a blacklist.

Question 62

Q

SNARE, or Spatio-Temperal Network Level Automated Reputation Engine

Answer

A

In fact, we’ve found many single-packet features that tended to work well. In other words, features that a receiver could make a decision on just based on the first packet that a sender sends.

Such single-packet features include, the distance between the sender and the receiver, the density in IP space in terms of how many other mail senders are nearby, and the local time of day at the sender.

Other features, such as the AS of the sender’s IP, also worked well.

If we’re willing look beyond a single packet and look at a single message, the number of recipents, and the length of the message also prove to be effective in distinguising spammers from legitimate senders.

Finally, we can look at aggregates. For example, if we’re willing to look at a group of email messages we can see how message length varies over time or across a group of different messages.

Putting these features together in a system called SNARE, or Spatio-Temperal Network Level Automated Reputation Engine achieved a 70% detection rate for a false positive rate of about one-tenth of 1%. This level of accuracy is good enough to be used in practice. It provides comparable performance to state of the art IP-based blacklists such as Spamhaus. But it only uses network-level features, thus making it less susceptible to the ephemeral nature of IP-based blacklisting.

Question 63

Q

Denial of service defined

Answer

A

Denial of service is simply an attack that attempts to exhaust, various resources.

One resource that a Denial of service attack might exhaust, is network bandwidth.

Another, is TCP connections. For example, a host, might only have a limited number of TCP connections that, that it can open, to various clients.

What the Denial of service attack might attempt to exhaust various server resources. For example, this victim might be web server running complicated scripts to render web pages, and if web server suddenly becomes the target of a bunch of bogus requests, the server may spent lot of resources Rendering pages for requests that are not legitimate.

Before 2000, these denial of service attacks were typically single source.

After 2000, with the rise of internet worms, these attacks could become distributed, effectively being launched from many attackers.

Question 64

Q

3 defenses against denial of service attacks

Answer

A

ingress filtering

URPF, or reverse path filtering checks

TCP syn cookies

Answer 65

A

Let’s suppose that we have a stub autonomous system, whose IP prefix was 204.69.207.0/24. Now this is a stub network, that has no other networks connected to it. And this is the only IP address space that this network owns. Then, the router that is immediately upstream of that internet service provider can simply drop all traffic for which the source IP address is not in the IP address range of that particular network. So this is foolproof and it works at the edges of the internet. Where it’s very easy to determine the IP address range that’s owned by a downstream stub autonomous system. Unfortunately it doesn’t work well in the core, where a particular router might have a lot of difficulty determining whether packets from a particular source IP address could be allowed on a particular incoming interface

Answer 66

A

So the solution that operators try to use in the core is to use the routing tables to determine whether a packet could feasibly arrive on a particular incoming interface.

So if a router had a routing table that said all packets for ten, that’s 0.1.0/24, should be sent. Via interface one. And all packets destined for 10.0.18.0/24 should be sent via interface two, then URPF says if we see a packet for, with a particular source IP address on an incoming interface.

That is different than where would have sent the packet in the reverse direction, then we should go ahead and drop this packet.

So the benefits of URPF is that it’s automatic, but the drawbacks are that it requires symmetric routing. And we know from earlier lessons that routing in the internet is often asymmetric Therefore in any situation where asymmetric routing is a possibility it is not possible or reasonable to use URPF.

Answer 67

A

So in a typical TCP three-way handshake

-the client sends a SYN packet to the server
- the server responds with the SYN-ACK,
- the client then returns with an ACK to the SYN-ACK, at which point the connection is established.

Problem:
client can send a SYN and cause the server to allocate a socket buffer for that TCP connection. But then if the client never returns, the client can force the server to allocate many, many socket buffers, simply by sending a lot of syns and never returning. In fact, these could even be from spoofed IP addresses. So in other words, the client has absolutely no accountability, and no obligation to return to send the final ack, and yet can cause the server to allocate resources.

Solution: syn cookies

Answer 68

A

In the TCP syn cookie approach, when the server receives a syn from the client, the server, instead of allocating a socket buffer for the tuple associated with the connection.

The server keeps no state, and instead picks an initial sequence number for the connection that’s a function of the client’s IP address, and port, and the servers IP address, and port, as well as a random knots to prevent replay attacks.

An honest client that returns can then reply with an acknowledgement with that sequence number in the packet.

The server can check that sequence number simply by rehashing all of the information that it already has. Thereby determining that the acknowledgement here corresponded to the previous SYN-ACK that it had sent the client without requiring the server to store any state.

Only if the sequence number matches the one picked by the server in the syn-ack does the server actually establish the connection.

Answer 69

A

TCP SYN cookies can prevent a server from exhausting state after receiving the initial TCP SYN packet.

Answer 70

A

The idea behind backscatter is that when an attacker spoofs a source IP address, say on a TCP SYN flood attack, that the replies to that initial TCP SYN from the victim will go to the location of the source IP address. This replies to forged attack messages are called” backscatter”.

Now the interesting thing about backscatter is that if we can assume that the source IP addresses are selected by the attacker at random, and we could set up a portion of the network where we could monitor this back scatter traffic, coming back as SYN-ACK replies to forged source IP addresses.

If we assume that these source IP addresses are picked uniformly at random, then the amount of traffic that we see as back scatter represents exactly a fraction that’s proportional to the size of the overall attack.

So for example, if we monitor N IP addresses and we see M attack packets, then we expect to see here N over two to the 32 of the total back scatter packets and hence of the total attack rate.

If we want to compute the total attack rate, we simply invert this fraction. So for example, in this case, if our telescope were a slash eight, or two to the 24th IP addresses, we would simply multiply our observed attack rate x by two to the 32 divided by two to the 24 or 255.

Answer 71

A

A BGP message could be sent to a router by some host (e.g., a remote attacker) that is
not the router’s legitimate neighbor
○ Note that although BGPSec provides session authentication, this kind of attack
can also be prevented without BGPSec by using the “TTL Hack”.

● An AS could lie about being the origin of a particular subnet (i.e., claiming that the AS
contains a subnet when it does not, in fact)
○ BGPSec prevents this by providing certificates that sign the origin claim

● An AS could lie about the AS-path to a particular subnet (i.e., claiming that there is a
path through the AS when there is not, or that there is a more efficient path than there
really is)
○ BGPSec prevents this by providing a chain of signed paths, each partial path in
the chain being signed by the AS that advertised that part of the path

Answer 72

A

When an attacker performs a BGP hijack and leaves its own AS out of the path, it can ensure
that even traceroute cannot discover it (the missing AS, that is) by simply not decrementing the
TTL field on the traceroute when it passes through the attacking AS. To traceroute, it then looks
like that AS isn’t actually there.

Answer 73

A

There are several ways this could happen, but the most common is DNS poisoning. The attacker
can SPAM DNS responses with a bad domain→IP address mapping to a local DNS server. If the
attacker is lucky, or keeps trying for long enough, at some point the local server will issue a
query that a SPAMed response could potentially be a legitimate response to (i.e., it has an ID
that matches the request). When this happens, the local server will accept the attacker’s
response and not only reply to the request with the bad mapping but also cache it and use it to
respond to new requests for the same domain name. Once the bad entry is in place, hosts that
want to reach that domain will instead go to the IP address given by the attacker. The attacker’s
machine at that IP could then intercept traffic as a MITM or simply spoof the legitimate server
(e.g., to collect login credentials).

Answer 74

A

ARP poisoning works similarly to DNS poisoning, except that there is not ID value that the
attacker needs to guess (or SPAM enough guesses that one of them might be right). Not only
that, a host will accept an ARP response even if no ARP request for that IP→MAC mapping was
ever made – such a response is referred to as a “gratuitous ARP response”. An attacker could
send gratuitous ARP responses for a particular IP address to hosts on its local network so that
those hosts send messages to the attacker’s MAC instead. For example, the attacker may send
gratuitous ARP to a host for the network’s gateway router, ensuring all packets headed for
outside the local network instead come to the attacker’s host instead. It could also send a
gratuitous ARP to the router for the host’s IP address, ensuring that return traffic is also sent to
the attacker’s host.

This is particularly powerful because it’s very easy to do and can let an attacker become a MITM
for virtually all traffic to/from a target host. It’s also a little harder to detect because the IP addresses are still the correct IP addresses for all the machines involved – only the MAC address
have changed. The main drawback compared to something like DNS poisoning is that the
attacker must be on the same local network as the target in order to do this. However, users
connected to the same “public hotspot” are indeed all on the same local network, making them
particularly vulnerable to this sort of attack.

Answer 75

A

The server does not allocate resources for the TCP connection immediately upon receiving a
SYN packet, but instead waits for the ACK (final part of the 3-way handshake) to allocate those
resources. In order to prevent attackers from simply doing an “ACK flood” instead of a SYN
flood, the server’s SYN/ACK response to the SYN packet contains a special “SYN cookie” that it
uses as the connection’s initial sequence number. When the server gets an ACK, it can calculate
whether or not the sequence number in that ACK could have been legitimately generated as a
SYN cookie. (The ACK number is the SYN cookie +1, so the server subtracts 1 to get the
candidate SYN cookies that it tests.) If the ACK sequence number (SYN cookie) checks out, then
the server knows 1) that the client has engaged in the entire 3-way handshake, rather than
sending spurious ACKs, and 2) the client’s IP address given by the IP headers is it’s legitimate
address, because otherwise it wouldn’t have received the SYNACK that contains the SYN cookie.

(There are some more details about how exactly it is able to programmatically verify the
legitimacy of a SYN cookie extracted from an ACK message without having stored any data after
the SYN and SYN/ACK steps, as well as how it is able to prevent replay attacks. However, we’ll
leave this answer at this moderate level of detail for now.)

Answer 76

A

The /12 subnet contains 2^(32-12)
= 2^20
= 1048676. So 1048576/1048576 = 1 packet to observe.

Answer 77

A

-BGP does not validate information in routing announcements, so a manipulator can announce
any path they want and claim ownership of a victim’s IP prefix.

-Origin Authentication uses a trusted database for verification so an AS can’t claim ownership of
a victim’s IP prefix, but they can still announce a path that ends at the proper AS, although the
path does not physically exist.

-soBGP uses origin authentication and a trusted database to guarantee that any path physically
exists, but the manipulator can advertise a path that exists but is not actually available.

-S-BGP uses path verification, which limits a single manipulator to announcing available paths,
but they could announce a shorter, more expensive, provider path while actually forwarding
traffic on a cheaper, longer customer path.

-Data plane verification prevents an AS from announcing a path and forwarding on another, so
the manipulator must actually forward traffic on the path he is announcing.

-Defensive filtering polices the BGP announcements made by stubs. With the model in the
paper, each provider keeps a prefix list of the IP prefixes owned by its direct customers that are
stubs. If a stub announces a path to any prefix it doesn’t own, then it is dropped. In this way, if
all providers correctly implement this it eliminated attacks by stubs.

Answer 78

A

Announcing longer paths can be better than announcing shorter ones. In the example given in
Figure 9 of the paper, advertising the shortest path will only pick up traffic from one small
provider. Announcing a longer path to the large provider, will attract more traffic overall as the
large provider will prefer this path over the shorter, peer path as it will be cheaper. It is better
for the manipulator to attract traffic from larger AS. This strategy will work against any secure
routing protocol, except when launched by stubs in a network with defensive filtering, because
it is only implementing a different export policy than usually used.

Announcing to fewer neighbors can be better than announcing to more. In this strategy, by not
exporting to certain Tier providers, customer paths to the victim can be eliminated and
influential ASes will be forced to choose shorter peer paths over a longer customer path
because the customer path was not made known to them. This will work against any secure
protocol as it is just using a clever export policy to manipulate traffic.

The identity of the ASes on the announce path matters since it can be used to strategically
trigger BGP loop detection. With false loop prefix hijack, the manipulator claims an innocent AS
originates the prefix to his provider. But when the false loop is announced, BGP loop detection
will cause the AS to reject the path, removing the customer path from the network. This will
force large ISPs to choose shorter peer paths. Unlike the first two attacks, this one will only
work against BGP, origin authentication or soBGP because it involves false advertising of the
path announced by an innocent AS.

Answer 79

A

Malicious ASes change their providers often to avoid being detected or to avoid the negative
consequences of their customers activities. Among these providers, they are also known to
connect to Providers with lax security policies and / or long response times to abuse
complaints. Even still, Malicious ASes have longer periods of downtime, due to depeering from
their neighboring ASes and detection avoidance strategies they employ.

ASWatch captures these activities by taking snapshots of AS relationships periodically and
observing the changes in relationships over time. These activities are then used to feed the
reputation engine that identifies malicious ASes.

Answer 80

A

Malicious ASes conduct a wide variety of abusive actions, many of which can be countered with
simple blacklisting. Examples of this would be DoS, spamming, and phishing. If a malicious AS
consistently advertises its entire IP address space, it runs a higher risk of having the entire IP
space blacklisted when these activities are detected.

Small fragments of advertised space allow malicious activities to continue their activities in a
fresh IP space fragment when they are blacklisted

Answer 81

A

Botnets conducting a crossfire attack do not need to spoof their IP addresses, and as a result
defenses based on detecting spoofed IP addresses fail. Additionally, the traffic sent by these
botnets to overload links is not unsolicited, the traffic flows from one participating host to
another. Furthermore, the attack overloads links in aggregate, meaning many low intensity
flows combine to DoS the target links. These links are harder to differentiate from legitimate
traffic, which prevents flow monitoring efforts from detecting these attacks.

Answer 82

A

Rolling attacks are implemented by an attacker to indefinitely continue an attack on a target
area. Continuing to flood the same set of target links will ultimately have negative effects on
the attack when router failure detection mechanisms are tripped. Additionally rolling attacks
will make the crossfire attack even harder to detect by changing the attack vector without
changing the overall target area.

Answer 83

A

Off-path adversaries can’t observe DNS queries and responses. They will trigger specific DNS
lookups, but must generate numerous packets in hopes of matching the request the resolver
will accept as they must guess the transaction ID and other entropy. On-path adversaries can
passively observe the actual lookups requested by a resolver and can directly forge DNS replies.
As long as the resolver receives the forged reply before the legitimate one, it will accept the
forged reply. In-path adversaries can both block and modify packets and can block the
legitimate packet. Hold-On can’t help here as the legitimate packets can be blocked.

Answer 84

A

Because the legitimate reply cannot be blocked by on-path adversaries, the “Hold-On” period
can be used to wait for the legitimate reply to arrive. The stub resolver/forwarded first learns
the expected RTT and TTL associated with legitimate traffic to remote recursive resolver. Then
after issuing a DNS query, it starts its Hold-On timer. If a DNSSEC-protected response is
expected, local signature validation is done for each reply and returns the first fully validated
reply to the client or a DNSSEC error if the Hold-On timer expires before one is validated. If
there is no DNSSEC, the resolver compares the timing of the reply to the expected RTT and
compares the TTL field in the header to the expected TTL. If a reply is validated it will return
this reply to the client, but if there are mismatches, it ignores the response and continues to
wait. If the timer expires, it will send the last reply received that was not validated.

Answer 85

A

Network Virtualization refers to abstracting the network away from the physical equipment,
which can be accomplished without SDN (we did this in Project 1 using Mininet!). On the other
hand, SDN refers separating the control plane from the data plane by using a centralized logic
controller. SDN does not necessarily imply Network Virtualization is employed.

Network virtualization software like Mininet allows SDNs to be tested in a virtual environment
by using logical processes to emulate physical network devices, including OpenFlow capable
switches. By emulating the physical equipment, control plane logic for an SDN can be tested
without the need for physical equipment and complicated data collection methods.

Brainscape's Knowledge GenomeTM

Test 3 Network Security Flashcards

Brainscape's Knowledge Genome^TM