Today. Reminder: HW3 due in one week: April 18, 2016
• CIDR addressing
• Border Gateway Protocol
• Network reconnaissance via nmap
• Idle scans
• DNS cache poisoning
DNS cache poisoning
[Figure: the Internet, the victim DNS server and its clients, bankofamerica.com at 10.1.1.1, the attacker's site at 10.9.9.99, and the .com NS]
How might an attacker do this? What security features must an attacker overcome?
• Packet spoofing
• Guess UDP port
• Guess QID
Assume predictable UDP port. Assume SRC port spoofing.
think-pair-share
Phishing is a common problem
• Phishing attacks – trick users into thinking a malicious domain name is the real one
• Typosquatting: www.LansdEnd.com, www.goggle.com, secure.bank0fAmerica.com, wíkipedia.org
CIDR addressing
[Figure: a backbone connected to ISP1 and ISP2, with addresses shown in binary (10110…1110000, 10110…1111000, 10110…1100011, …1111001, …1111011) and the host 5.6.7.8]
Prefixes used to set up hierarchical routing:
- An organization is assigned a.b.c.d/x
- It manages addresses prefixed by a.b.c.d/x
Classless inter-domain routing (CIDR): an address is split into a network prefix (the x most significant bits) and a host address (the remaining least significant bits).
Routing
[Figure: three autonomous systems, AS att.net, AS wisc.edu and AS charter.net, with the binary addresses and host 5.6.7.8 from the previous figure]
Autonomous systems (AS) are organizational building blocks
- Collection of IP prefixes under a single routing policy
- e.g. wisc.edu
AS categories
• Stub: connected to only one other AS
• Multi-homed: connected to multiple other ASes
• Transit: routes traffic through its AS for other ASes
[Figure: example AS graph with ASes numbered 1 through 8]
BGP and routing
[Figure: ASes defense.gov, wisc.edu and charter.net]
Exterior gateway protocol: Border Gateway Protocol (BGP), used between ASes
Interior gateway protocol: Open Shortest Path First (OSPF), used within an AS
Border Gateway Protocol (BGP)
• Policy-based routing – an AS can set policy about how to route
  • economic, security, political considerations
• BGP routers use TCP connections to transmit routing information
• Iterative announcement of routes
BGP example
• 2, 7, 3, 6 are transit ASes
• 8, 1 are stub ASes
• 4, 5 are multihomed ASes
• Algorithm seems to work OK in practice
  – BGP does not respond well to frequent node outages
[Figure: the AS graph numbered 1 through 8, with AS paths announced hop by hop: for a prefix originated by AS 7 the paths 7; 2 7; 3 2 7; 6 2 7, and for a prefix originated by AS 5 the paths 5; 6 5; 2 6 5; 3 2 6 5; 7 2 6 5]
[D. Wetherall]
IP/Route hijacking
• BGP is unauthenticated – anyone can advertise any routes
  – False routes will be propagated
• This allows IP/route hijacking
  – AS announces it originates a prefix it shouldn't
  – AS announces it has a shorter path to a prefix
  – AS announces a more specific prefix
• 2008: Pakistan attempts to block YouTube
  – youtube is 208.65.152.0/22
  – youtube.com = 208.65.153.238
• Pakistan ISP advertises 208.65.153.0/24 via BGP – more specific, prefix hijacking
• Internet thinks youtube.com is in Pakistan
• Outage resolved in 2 hours…
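The following is an added example (not from the slides) that works through two of the points above in code: the a.b.c.d/x split from the CIDR slide, and longest-prefix forwarding, which is why the /24 in the YouTube incident captured traffic for 208.65.153.238 while the rest of the /22 was unaffected. It also shows the check a route monitor can run: flag any announcement that is a more-specific of a registered prefix but carries a different origin AS. The routing table and registry are constructed, and the AS numbers are placeholders from the private range, not the real 2008 origin ASes.

```python
"""Longest-prefix match and a more-specific-prefix check (added example).

Constructed routing data: the legitimate 208.65.152.0/22 and the
208.65.153.0/24 from the slide. The AS numbers are placeholders from the
private ASN range, not the real 2008 origin ASes.
"""
import ipaddress

# Constructed RIB entries: (announced prefix, origin AS). Placeholder ASNs.
RIB = [
    (ipaddress.ip_network("208.65.152.0/22"), 64500),  # legitimate /22 (placeholder origin)
    (ipaddress.ip_network("208.65.153.0/24"), 64501),  # more-specific /24 from another origin
    (ipaddress.ip_network("0.0.0.0/0"), 64502),        # default route
]

# Constructed registry: which origin AS is expected for which prefix.
REGISTERED = {ipaddress.ip_network("208.65.152.0/22"): 64500}


def split_prefix_host(addr, x):
    """Split a dotted IPv4 address into its x-bit network prefix and host bits,
    returned as bit strings (the a.b.c.d/x split from the CIDR slide)."""
    bits = format(int(ipaddress.ip_address(addr)), "032b")
    return bits[:x], bits[x:]


def longest_prefix_match(rib, addr):
    """Forwarding decision: the most specific prefix containing addr wins."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, origin in rib:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, origin)
    return best


def more_specific_alerts(rib, registered):
    """Flag announced prefixes that are more specific than a registered prefix
    but carry a different origin AS: the pattern of the YouTube /24 event."""
    alerts = []
    for prefix, origin in rib:
        for reg_prefix, reg_origin in registered.items():
            if prefix != reg_prefix and prefix.subnet_of(reg_prefix) and origin != reg_origin:
                alerts.append((str(prefix), origin, str(reg_prefix), reg_origin))
    return alerts


if __name__ == "__main__":
    print(split_prefix_host("208.65.153.238", 22))
    print(longest_prefix_match(RIB, "208.65.153.238"))  # the /24 wins
    print(longest_prefix_match(RIB, "208.65.152.10"))   # still the /22
    for a in more_specific_alerts(RIB, REGISTERED):
        print("ALERT: %s from AS%d is more specific than %s (expected AS%d)" % a)
```

The alert logic is the same comparison a route-origin validation (RPKI ROA) check performs: the registered prefix plus its maximum length and expected origin, against each announcement seen.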
Port scanning: legality
• United States' Computer Fraud and Abuse Act (CFAA) – computer system access must be authorized
• Moulton v VC3 (2000) – port scanning, by itself, does not create a damages claim (direct harm must be shown to establish damages under the CFAA).
• O. Kerr. "Cybercrime's scope: Interpreting 'access' and 'authorization' in computer misuse statutes". NYU Law Review, Vol. 78, No. 5, pp. 1596–1668, November 2003.
NMAP
• Network map tool
• De-facto standard for network reconnaissance, testing
• Numerous built-in scanning methods
Some of the NMAP status messages
• open – host is accepting connections on that port
• closed – host responds to NMAP probes on port, but does not accept connections
• filtered – NMAP couldn't get packets through to host on that port.
  – Firewall?
Network DMZ
[Figure: Internet → outer firewall → DMZ (web server, IDS) → inner firewall → customer databases]
DMZ (demilitarized zone) helps isolate public network components from private network components
Firewall rules to disallow traffic from Internet to internal services
Idle scans
• Adversary wants to port scan database machine
[Figure: the DMZ network: Internet, outer firewall, web server, IDS, inner firewall, customer databases (targets)]
Firewall rules: inet => web server OK; inet => databases X; WS => databases OK
Idle scans
• Adversary wants to port scan database despite firewall/IDS rules
• Salvatore (Antirez) Sanfilippo, 1998
• Idle scan
  1) Determine IPID of a zombie via SYN/ACK
  2) Send SYN spoofed from zombie
  3) Determine new IPID of zombie via SYN/ACK
• Old systems: IPID incremented with each IP packet sent
IPv4
Ethernet frame containing IP datagram: [ENet hdr][IP hdr][data][ENet tlr]
IP header fields:
  4-bit version | 4-bit hdr len | 8-bit type of service | 16-bit total length (in bytes)
  16-bit identification | 3-bit flags | 13-bit fragmentation offset
  8-bit time to live (TTL) | 8-bit protocol | 16-bit header checksum
  32-bit source IP address
  32-bit destination IP address
  options (optional)
Idle scans
• We want to avoid sending any non-spoofed packets to the target, but still want to port scan it
[Figure: the DMZ network: Internet, outer firewall, web server (the zombie), IDS, inner firewall, customer databases (the target); rules inet => web server OK, inet => databases X, WS => databases OK]
Exchange shown in the figure:
  1) Attacker → web server: TCP SYN/ACK. Web server → attacker: RST, IPID = 12345
  2) Attacker → databases: SYN spoofed as from web server. If the port is open, databases → web server: TCP SYN/ACK, and web server → databases: RST, IPID = 12346. If the port is closed, databases → web server: RST, and the web server sends nothing.
  3) Attacker → web server: TCP SYN/ACK. Web server → attacker: RST, IPID = 12347 (port open) or 12346 (port closed)
If port open, final IPID = ?? If port closed, final IPID = ??
Answer: if port open, final IPID = first + 2; if port closed, final IPID = first + 1.
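The simulation below is an added example, not part of the slides, that models the three hosts of the figure as Python objects (no packets are sent) and checks the first + 2 / first + 1 arithmetic, including the case where the 16-bit identification field wraps. It also models a zombie with per-packet random IPIDs, which is what modern operating systems do and why such hosts cannot be used as zombies: the delta carries no information. Host names, the port numbers and the starting IPID are constructed for the example.

```python
"""Simulation of the IPID side channel an idle scan relies on (added example).

Hosts are plain Python objects; no packets are sent. The zombie keeps the
global, per-packet IPID counter of the "old systems" bullet, and the scanner
reads it before and after a spoofed SYN. A second zombie with randomized
IPIDs shows why modern hosts are not usable as zombies. Port numbers and
the starting IPID are constructed.
"""
import secrets


class Zombie:
    """The idle host whose IPID is read. sequential=True models the old
    global counter; sequential=False models per-packet random IPIDs."""

    def __init__(self, start=12345, sequential=True, rng=secrets.randbelow):
        self.ipid = start
        self.sequential = sequential
        self.rng = rng
        self.sent = 0

    def _send(self):
        # Every packet the zombie emits consumes one IPID value (16-bit field).
        self.ipid = (self.ipid + 1) & 0xFFFF if self.sequential else self.rng(0x10000)
        self.sent += 1
        return self.ipid

    def on_syn_ack(self):
        # An unsolicited SYN/ACK is answered with a RST, which carries an IPID.
        return self._send()

    def on_rst(self):
        # A RST for a connection the zombie never opened is silently dropped.
        return None


class Target:
    """The host behind the inner firewall; only the web server may reach it."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def on_syn(self, port):
        return "SYN/ACK" if port in self.open_ports else "RST"


def idle_probe(zombie, target, port):
    """Return the IPID delta observed between two SYN/ACK probes of the zombie,
    with one SYN to the target (spoofed as from the zombie) in between."""
    first = zombie.on_syn_ack()           # step 1: read IPID
    reply = target.on_syn(port)           # step 2: target answers the zombie, not the scanner
    if reply == "SYN/ACK":
        zombie.on_syn_ack()               # zombie RSTs the unexpected SYN/ACK: +1
    else:
        zombie.on_rst()                   # zombie ignores the RST: no packet
    final = zombie.on_syn_ack()           # step 3: read IPID again
    return (final - first) & 0xFFFF


def classify(delta):
    """Map the delta to the slide's answer: open = first + 2, closed = first + 1.
    A filtered port (no reply at all) also yields +1, so it is indistinguishable
    from closed here."""
    return {2: "open", 1: "closed"}.get(delta, "unknown")


if __name__ == "__main__":
    target = Target(open_ports={3306})
    z = Zombie()
    print("port 3306:", classify(idle_probe(z, target, 3306)))   # open
    print("port 22:", classify(idle_probe(z, target, 22)))        # closed
    zr = Zombie(sequential=False)
    print("random-IPID zombie, port 3306:", classify(idle_probe(zr, target, 3306)))
```

Two things the simulation makes visible for defenders: the technique only works if some host reachable from the Internet has a globally sequential IPID and is otherwise idle (any other traffic it sends perturbs the count), and the database's firewall rule "WS => databases OK" is keyed on a source address it cannot authenticate, which is exactly what the spoofed SYN exploits.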