Network Attacks. Network Trust Issues – TCP Congestion control – IP Src Spoofing – Wireless...
• Network Trust Issues
  – TCP Congestion control
  – IP Src Spoofing
  – Wireless transmission
• Denial of Service Attacks
  – TCP-SYN
  – Name Servers
• DDoS (DNS)
  – DNS Amplification attack
The Gullible Network
• A lot of network protocols assume people are well intentioned
  – TCP: Congestion Control
  – Wireless: Transmit power
  – BGP Route-advertisements
Cheating TCP
Payoff matrix, (x, y) = (throughput of flow x from A, throughput of flow y from D):

                        D increases by 1    D increases by 5
  A increases by 1      22, 22              10, 35
  A increases by 5      35, 10              15, 15

Individual incentives: cheating pays
Social incentives: better off without cheating
Classic Prisoner Dilemma: resolution depends on accountability
Too aggressive → Losses → Throughput falls
[Figure: two flows sharing a link, x from A to B and y from D to E]
Cheating Wireless
Payoff matrix, (A's throughput, B's throughput):

                    B: 10X power         B: Normal power
  A: 10X power      5 Mbps, 5 Mbps       20 Mbps, 0 Mbps
  A: Normal power   0 Mbps, 20 Mbps      10 Mbps, 10 Mbps

Individual incentives: cheating pays
Social incentives: better off without cheating
Classic Prisoner Dilemma: resolution depends on accountability
[Figure: three wireless nodes A, B and C]
Origin: IP Address Ownership and Hijacking
• Who can advertise a prefix with BGP?
  – By the AS who owns the prefix
  – … or, by its upstream provider(s) on its behalf
• Implicit trust between upstream & downstream providers
• However, what’s to stop someone else?
  – Prefix hijacking: another AS originates the prefix
  – BGP does not verify that the AS is authorized
Prefix Hijacking: full or partial control
[Figure: ASes 1–7, with the prefix 12.34.0.0/16 originated by two different ASes]
• Consequences for the affected ASes
  – Blackhole: data traffic is discarded
  – Snooping: data traffic is inspected, and then redirected
  – Impersonation: data traffic is sent to bogus destinations
Denial of Service Attack
• Prevent other people from using a service:
  – A server
  – A link in a network
• High level idea
  – Send a lot of packets and ensure 100% utilization
• No one else can use it.
DNS: Denial Of Service
• Flood DNS servers with requests until they fail
• What was the effect?
  – … users may not even notice
  – Caching is almost everywhere
• More targeted attacks can be effective
  – Local DNS server cannot access DNS
  – Authoritative server cannot access domain
TCP: Denial Of Service (SYN Flood)
• Send a bunch of SYN packets to a server
  – Server allocates buffer and TCP sockets
  – You allocate nothing
  – Eventually the server runs out of space.
• How to solve this problem?
Recall: TCP Handshake
[Figure: A sends SYN to the Server; the Server replies SYN/ACK. On the SYN the Server allocates data structures (e.g. buffer space); A makes no allocations and commits no resources.]
TCP: Denial Of Service (SYN Flood)
• Send a bunch of SYN packets to a server
  – Server allocates buffer and TCP sockets
  – Server responds with ‘SYN/ACK’
  – You allocate nothing
  – Eventually the server runs out of space.
• How to solve this problem?
  – SYN Cookies: server stores nothing and instead responds with a special cookie
  – If cookie is returned in subsequent packet, then server allocates space
  – Assumption: If you come back then you aren’t a bad person
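A stateless SYN cookie of the kind the slide describes, as an added example (not code from the lecture): the server encodes the cookie in its SYN/ACK sequence number and only allocates state once a valid ACK comes back. The 5/3/24-bit layout, the MSS table, the 64-second tick and the two-tick validity window are assumptions modelled on the classic design.

```python
import hashlib
import hmac
import ipaddress
import os
import time

# Server-side secret. Assumption: a real stack would rotate it periodically.
_SECRET = os.urandom(32)
# Only 3 bits are available, so the client's MSS is rounded down to one of
# these constructed table entries (the classic SYN-cookie trick).
MSS_TABLE = (536, 1300, 1440, 1460)


def _mac24(ip_src, port_src, ip_dst, port_dst, client_isn, t, m):
    """24-bit MAC over the 4-tuple, the client's ISN, the time tick and the MSS index."""
    msg = (ipaddress.ip_address(ip_src).packed + port_src.to_bytes(2, "big")
           + ipaddress.ip_address(ip_dst).packed + port_dst.to_bytes(2, "big")
           + client_isn.to_bytes(4, "big") + bytes([t, m]))
    return int.from_bytes(hmac.new(_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(ip_src, port_src, ip_dst, port_dst, client_isn, mss, counter=None):
    """Server ISN for the SYN/ACK; nothing is stored.
    Layout: 5 bits time tick | 3 bits MSS index | 24 bits MAC."""
    if counter is None:
        counter = int(time.time()) >> 6            # assumed 64-second ticks
    t = counter & 0x1F
    m = max([i for i, v in enumerate(MSS_TABLE) if v <= mss], default=0)
    return (t << 27) | (m << 24) | _mac24(ip_src, port_src, ip_dst, port_dst, client_isn, t, m)


def check_syn_cookie(ip_src, port_src, ip_dst, port_dst, ack_seq, client_seq,
                     counter=None, max_age=2):
    """Validate the ACK that completes the handshake. Returns the MSS to use,
    or None if the cookie is forged, belongs to another 4-tuple or client ISN,
    or is older than max_age ticks. Only after this does the server allocate."""
    if counter is None:
        counter = int(time.time()) >> 6
    cookie = (ack_seq - 1) & 0xFFFFFFFF            # our ISN = client's ack - 1
    client_isn = (client_seq - 1) & 0xFFFFFFFF     # client's ISN = its seq - 1
    t, m, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if ((counter - t) & 0x1F) > max_age:           # stale, or a tick "from the future"
        return None
    expected = _mac24(ip_src, port_src, ip_dst, port_dst, client_isn, t, m)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[m]
```

The price of statelessness is visible in the code: TCP options other than the rounded MSS are lost, and a spoofer who can guess the 24-bit MAC has a 2^-24 chance per attempt, which is why the short validity window matters.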
Problems with DoS
• One person attacks one server/link
  – Easy to figure out who …
  – Easy to block …
  – Takes a while for the attack to work …
Distributed Denial of Service Attack
• Take over a number of machines
  – Use a BotNet
• Use all machines to conduct a DoS on a server
  – Much more effective than regular DoS
  – Harder to stop and shutdown
DNS Amplification Attack
580,000 open resolvers on Internet (Kaminsky-Shiffman’06)
[Figure: the DoS source sends a DNS query (60 bytes) to a DNS server with the source IP set to the DoS target; the server's EDNS response (3000 bytes) is delivered to the target. DNS Amplification attack: 40x amplification]
Solutions
[Figure: attacker → IP-spoofed packets → open amplifier → replies → victim]
• Prevent IP spoofing
• Disable open amplifiers