Network Attacks. Network Trust Issues – TCP Congestion control – IP Src Spoofing – Wireless...

Network Attacks


• Network Trust Issues
  – TCP Congestion control
  – IP Src Spoofing
  – Wireless transmission

• Denial of Service Attacks
  – TCP-SYN
  – Name Servers

• DDoS (DNS)
  – DNS Amplification attack

Network Trust Issues

The Gullible Network

• A lot of network protocols assume people are well intentioned
  – TCP: Congestion Control
  – Wireless: Transmit power
  – BGP Route-advertisements

Cheating TCP

Payoff matrix for two competing TCP senders, A (rows) and D (columns); each cell is (x, y) = (A's payoff, D's payoff):

                       D: Increases by 1    D: Increases by 5
  A: Increases by 1          22, 22               10, 35
  A: Increases by 5          35, 10               15, 15

Individual incentives: cheating pays
Social incentives: better off without cheating

Classic Prisoner's Dilemma: resolution depends on accountability

Too aggressive → losses → throughput falls

Diagram: two flows, A to B and D to E, competing on a shared path (the diagram also labels nodes x and y).

Cheating Wireless

Payoff matrix for two wireless stations; each cell is (throughput of the row station, throughput of the column station):

                      10X Power           Normal power
  10X Power           5Mbps, 5Mbps        20Mbps, 0Mbps
  Normal power        0Mbps, 20Mbps       10Mbps, 10Mbps

Individual incentives: cheating pays
Social incentives: better off without cheating

Classic Prisoner's Dilemma: resolution depends on accountability

Diagram: wireless nodes A, B and C.

Origin: IP Address Ownership and Hijacking

• Who can advertise a prefix with BGP?
  – By the AS who owns the prefix
  – … or, by its upstream provider(s) on its behalf

• Implicit trust between upstream & downstream providers

• However, what's to stop someone else?
  – Prefix hijacking: another AS originates the prefix
  – BGP does not verify that the AS is authorized

Prefix Hijacking: full or partial control

Diagram: ASes 1 through 7; two of them originate 12.34.0.0/16.

• Consequences for the affected ASes
  – Blackhole: data traffic is discarded
  – Snooping: data traffic is inspected, and then redirected
  – Impersonation: data traffic is sent to bogus destinations
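The check that BGP itself does not perform, written as a defender's monitor. This is an added example, not code from the lecture: announcements are compared against a table of authorised (prefix, origin AS, maxLength) entries, the shape an RPKI ROA has, so that both a second origin for the same prefix (full hijack) and an unexpected more-specific announcement (partial hijack, since it wins longest-prefix match) are flagged. Every prefix, AS number and update below is constructed.

```python
"""Added example, not from the lecture: validate BGP origin announcements
against a table of authorised (prefix, origin AS, maxLength) entries, the
shape an RPKI ROA has, to flag the full and partial hijacks the slide
describes. Every prefix, AS number and update below is constructed."""
import ipaddress

# Constructed authorisation table. maxLength bounds the most specific
# prefix the origin may announce, so an unexpected /17 under a /16 is
# caught even when the origin AS is the legitimate one.
AUTHORIZED = [
    ("12.34.0.0/16", 64500, 16),
    ("203.0.113.0/24", 64501, 24),
]


def classify_announcement(prefix, origin_asn, roas=AUTHORIZED):
    """Return (state, reason) for one (prefix, origin AS) announcement.

    valid   - a covering entry authorises this origin at this prefix length
    invalid - a covering entry exists but origin or length does not match
    unknown - nothing covers the prefix, so no conclusion can be drawn
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covering = []
    for p, asn, maxlen in roas:
        roa_net = ipaddress.ip_network(p)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((roa_net, asn, maxlen))
    if not covering:
        return "unknown", "no authorisation entry covers %s" % prefix
    for roa_net, asn, maxlen in covering:
        if asn == origin_asn and net.prefixlen <= maxlen:
            return "valid", "AS%d is authorised for %s" % (asn, roa_net)
    # Two hijack shapes from the slide: a more-specific announcement wins
    # longest-prefix match (partial control of the address space), while
    # the same prefix from another origin competes on path length (full).
    if all(net.prefixlen > maxlen for _, _, maxlen in covering):
        return "invalid", "%s is more specific than permitted (partial hijack)" % prefix
    return "invalid", "AS%d may not originate %s (full hijack)" % (origin_asn, prefix)


def audit(announcements, roas=AUTHORIZED):
    """Return only the announcements a prefix monitor should alert on."""
    alerts = []
    for prefix, asn in announcements:
        state, reason = classify_announcement(prefix, asn, roas)
        if state == "invalid":
            alerts.append((prefix, asn, reason))
    return alerts


# Constructed updates as a route collector might see them.
SAMPLE_UPDATES = [
    ("12.34.0.0/16", 64500),     # legitimate origin
    ("12.34.0.0/16", 64666),     # same prefix from a second origin
    ("12.34.128.0/17", 64666),   # more-specific: attracts traffic by itself
    ("198.51.100.0/24", 64502),  # not covered by any entry
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_UPDATES):
        print(*alert)
```

The "unknown" state matters in practice: a monitor that treats uncovered prefixes as hijacks will page on every prefix whose owner never published an authorisation, so the actionable alerts are the "invalid" ones only.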

DoS

Denial of Service Attack

• Prevent other people from using a service:
  – A server
  – A link in a network

• High level idea
  – Send a lot of packets and ensure 100% utilization

• No one else can use it.


DNS: Denial Of Service

• Flood DNS servers with requests until they fail

• What was the effect?
  – … users may not even notice
  – Caching is almost everywhere

• More targeted attacks can be effective
  – Local DNS server cannot access DNS
  – Authoritative server cannot access domain


TCP: Denial Of Service (SYN Flood)

• Send a bunch of SYN Packets to a server
  – Server allocates buffer and TCP sockets
  – You allocate nothing
  – Eventually the server runs out of space.

• How to solve this problem?

Recall: TCP Handshake

Diagram: A sends SYN to the Server; the Server replies with SYN/ACK.

Server allocates:
• Allocates data structures
• E.g. buffer space

A (the client):
• No allocations
• No resource committed

TCP: Denial Of Service (SYN Flood)

• Send a bunch of SYN Packets to a server
  – Server allocates buffer and TCP sockets
  – Server responds with 'SYN/ACK'
  – You allocate nothing
  – Eventually Server runs out of space.

• How to solve this problem?
  – SYN Cookies: server stores nothing and instead responds with a special cookie
  – If cookie is returned in subsequent packet, then server allocates space
  – Assumption: If you come back then you aren't a bad person
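The SYN-cookie idea from the slide, carried through as a runnable model. This is an added example and not the lecture's code: the 32-bit initial sequence number of the SYN/ACK packs 5 bits of coarse time, a 3-bit MSS index and a 24-bit keyed MAC over the connection 4-tuple (the classic layout), the server stores nothing per SYN, and a connection entry is created only when an ACK carrying cookie+1 validates. The secret key, addresses, ports and time window are constructed for the demonstration.

```python
"""Added example, not the lecture's code: a minimal SYN-cookie scheme
following the classic layout (5 bits of coarse time, 3 bits of MSS index,
24 bits of keyed MAC) packed into the 32-bit initial sequence number of
the SYN/ACK. The server keeps no per-SYN state; a socket is allocated only
when an ACK carrying cookie+1 validates. Key, addresses and ports are
constructed for the demonstration."""
import hashlib
import hmac
import os
import struct

SECRET = os.urandom(16)          # per-server key; rotated periodically in practice
TIME_UNIT_SECONDS = 64           # coarse clock so the cookie survives a slow client
COOKIE_TTL_UNITS = 4             # accept cookies minted in the last 4 time units
MSS_TABLE = [536, 1220, 1460]    # MSS values representable in the 3-bit field


def _mac24(src_ip, src_port, dst_ip, dst_port, t, mss_idx):
    """24-bit keyed MAC over the 4-tuple, time unit and MSS index."""
    msg = struct.pack("!4sH4sHIB", src_ip, src_port, dst_ip, dst_port, t, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def _encode_mss(mss):
    """Index of the largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, now):
    """ISN for the SYN/ACK. Nothing is stored on the server side."""
    t = int(now // TIME_UNIT_SECONDS)
    idx = _encode_mss(mss)
    return ((t & 0x1F) << 27) | (idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, t, idx)


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack, now):
    """Validate the third-handshake ACK. Returns the recovered MSS or None.

    The client must echo cookie+1. The time bits select which recent time
    unit to recompute the MAC for; the comparison is constant-time."""
    cookie = (ack - 1) & 0xFFFFFFFF
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None  # not a value we ever mint
    t_now = int(now // TIME_UNIT_SECONDS)
    for age in range(COOKIE_TTL_UNITS):
        t = t_now - age
        if (t & 0x1F) == (cookie >> 27):
            break
    else:
        return None  # too old, or time bits that never matched
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, t, idx).to_bytes(3, "big")
    if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


class StatelessListener:
    """Listener that allocates connection state only after a valid ACK."""

    def __init__(self):
        self.established = {}  # (client ip, client port) -> negotiated MSS

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, mss, now):
        # Reply with SYN/ACK whose ISN is the cookie; no buffer, no socket.
        return make_cookie(src_ip, src_port, dst_ip, dst_port, mss, now)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack, now):
        mss = check_cookie(src_ip, src_port, dst_ip, dst_port, ack, now)
        if mss is None:
            return False          # spoofed or stale: still nothing allocated
        self.established[(src_ip, src_port)] = mss  # now commit resources
        return True
```

The price of statelessness shows in the code: TCP options that are not encoded in the cookie (here everything but a coarse MSS) are lost for cookie-validated connections, and a cookie older than the accept window is simply rejected, so a legitimate but very slow client has to retry.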

Problems with DoS

• One person attacks one server/link
  – Easy to figure out who …
  – Easy to block …
  – Takes a while for the attack to work …

DDoS

Distributed Denial of Service Attack

• Take over a number of machines
  – Use a BotNet

• Use all machines to conduct a DoS on a server
  – Much more effective than regular DoS
  – Harder to stop and shutdown

DNS Amplification Attack

580,000 open resolvers on Internet (Kaminsky-Shiffman '06)

Diagram: the DoS Source sends a DNS Query (60 bytes) with SrcIP: DoS Target to a DNS Server; the DNS Server sends the EDNS Response (3000 bytes) to the DoS Target.

DNS Amplification attack: (40x amplification)

Diagram: the attacker sends IP-spoofed packets to an open amplifier, whose replies go to the victim.

Solutions

• Prevent IP spoofing
• Disable open amplifiers

DDoS

Diagram: a BotNet sends DNS Requests to a Name Server; the DNS Responses go to the victim.
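The two solutions named on the slides (prevent IP spoofing, disable open amplifiers), written as checks a defender can actually run; this is an added example, not code from the lecture. bcp38_allows() is the ingress filter that drops packets whose source address was not assigned to the customer port they arrive on, which is what stops the spoofed query from leaving the attacker's network. reflection_suspects() scans an open resolver's query log for claimed client addresses that receive many responses far larger than their queries, the signature of the amplification and botnet diagrams above, so the operator can rate-limit them or close the resolver. The log format, addresses, names and thresholds are all constructed.

```python
"""Added example, not from the lecture: the two mitigations the slides
name, written as checks a defender can run. bcp38_allows() is the ingress
filter that stops spoofed source addresses leaving a customer network;
reflection_suspects() scans an open resolver's query log for clients whose
traffic profile looks like a reflection attack (many queries, responses far
larger than queries). Log format, addresses, names and thresholds are all
constructed."""
import ipaddress
import re
from collections import defaultdict


def bcp38_allows(src_ip, customer_prefixes):
    """Ingress filtering: a packet may enter from a customer port only if
    its source address is one the customer was actually assigned."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in customer_prefixes)


# Constructed resolver log line format:
# ts=<unix> client=<ip> qname=<name> qtype=<type> qlen=<bytes> rlen=<bytes>
LOG_RE = re.compile(
    r"ts=(?P<ts>\d+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) qlen=(?P<qlen>\d+) rlen=(?P<rlen>\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or None for lines we don't recognise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("ts", "qlen", "rlen"):
        d[k] = int(d[k])
    return d


def reflection_suspects(lines, min_queries=20, min_ratio=10.0):
    """Group queries by claimed client address and return those whose
    query count and amplification ratio (response bytes / query bytes)
    both reach the thresholds. Because the attacker spoofs the victim's
    address, the 'client' flagged here is the victim being reflected onto,
    which is exactly the address the resolver must stop answering at full
    rate."""
    per_client = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "qtypes": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_client[rec["client"]]
        s["queries"] += 1
        s["qbytes"] += rec["qlen"]
        s["rbytes"] += rec["rlen"]
        s["qtypes"].add(rec["qtype"])
    suspects = {}
    for client, s in per_client.items():
        ratio = s["rbytes"] / s["qbytes"] if s["qbytes"] else 0.0
        if s["queries"] >= min_queries and ratio >= min_ratio:
            suspects[client] = {"queries": s["queries"], "ratio": ratio, "qtypes": sorted(s["qtypes"])}
    return suspects


# Constructed sample: 30 ANY queries carrying a victim's source address,
# interleaved with a handful of ordinary lookups from real clients.
SAMPLE_LOG = []
for i in range(30):
    SAMPLE_LOG.append("ts=%d client=198.51.100.5 qname=example.test. qtype=ANY qlen=60 rlen=3000"
                      % (1700000000 + i))
SAMPLE_LOG += [
    "ts=1700000003 client=203.0.113.9 qname=www.example.test. qtype=A qlen=45 rlen=120",
    "ts=1700000007 client=203.0.113.9 qname=mail.example.test. qtype=MX qlen=47 rlen=160",
    "ts=1700000011 client=203.0.113.20 qname=example.test. qtype=AAAA qlen=45 rlen=140",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for client, info in reflection_suspects(SAMPLE_LOG).items():
        print(client, info)
    print(bcp38_allows("203.0.113.9", ["203.0.113.0/24"]),
          bcp38_allows("198.51.100.5", ["203.0.113.0/24"]))
```

The two checks sit at different places in the network: the ingress filter belongs on the attacker's upstream, where the spoofed source is detectable, while the log scan belongs on the resolver, which sees only the victim's address and has to decide on volume and ratio alone.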