cs642

network security

adam everspaugh ace@cs.wisc.edu

computer security

todayDomain name system (DNS)

CIDR

Border Gateway Protocol

dns

Whichoneiseasiertoremember?

54.239.25.208172.111.64.12474.125.193.1623.235.40.6517.172.100.13128.105.123.66

IPaddresses

www.amazon.comtheverge.com

googlemail-smtp.l.google.comhosted-cdn.statuspage.iop05-calendars.icloud.com

print-gw.cs.wisc.edu

DomainName

DomainNameSystem(DNS)translatesdomainnames->IPaddresses

Hierarchicaldomainnamespace

cs ece

www

ICANN(InternetCorporationforAssignedNamesandNumbers)

rootnameserversandauthoritativenameservers

Zone:subtree

SecondLeveldomainswisc umich pepperdine

TopLeveldomains(TLD)org net edu com io ca

root

NameServers

[http://en.wikipedia.org/wiki/File:An_example_of_theoretical_DNS_recursion.svg]

Authoritative name serversProgrammedbyanoriginalsourceRecursivelyhuntsdownananswer

Recurser

Caching

• DNSserverswillcacheresponses– Bothnegativeandpositiveresponses

– Speedsupqueries

– Entriesexpireperiodically.Time-to-live(TTL)setbydataowner

ExampleDNSquerytypes

A IPv4address

AAAA IPv6address

NS nameserver

TXT humanreadabletext

MX mailexchange

DNSpacketonwire

QueryIDis16-bitrandomvalue

QueryfromresolvertoNS

Response contains IP addr of next NS server (called “glue”)

Response ignored if unrecognized QueryID

bailiwickchecking:responseiscachedifitiswithinthesamedomainofquery(i.e.a.comcannotsetNSforb.com)

DNSSecurity

• Whatsecuritychecksareinplace?– RandomqueryID’stolinkresponsestoqueries

– Bailiwickchecking(sanitycheckonresponse)

• Noauthentication

• Manythingstrusthostname↔IPmapping– Browsersame-originpolicy

– URLaddressbar

– Everyapplicationthataccessestheinternet

DNSsec• AuthenticatedDNSprotocol• UsedbyTLDs:)

• Butnooneelse:(

[https://www.huque.com/app/dnsstat/]retrieved:April6,2016

Whatareobviousproblems?

• Corruptednameservers

• Intercept&manipulaterequests(on-pathactiveattacker)

• Otherobviousproblems?

DNScachepoisoning

Internet

VictimDNSserver

Clientsbankofamerica.com10.1.1.1

Attackersite10.9.9.99

Howmightanattackerdothis?Whatsecurityfeaturesmustanattackerovercome?

.comNS

• Packetspoofing• GuessUDPport• GuessQID

AssumepredictableUDPportAssumeSRCportspoofing

think-pair-share

Anotheridea:-PoisoncacheforNSrecordinstead-Nowcantakeoverallofsecondleveldomain

Howmanytriesdoesthisrequire?- Try256differentQIDs- Goodchanceofsuccess

Defenses

• QueryIDsizeisfixedat16bits• RepeateachquerywithfreshQueryID

– Doublesthespace

• RandomizeUDPports• DNSsec

– CryptographicallysignDNSresponses,verifyviachainoftrustfromrootsondown

• Otherproblems?

Phishingiscommonproblem

• Typosquatting:• www.LansdEnd.com• www.goggle.com• secure.bank0fAmerica.com• wíkipedia.org

• Phishingattacks– Trickusersintothinkingamaliciousdomainnameistherealone

ip routing

CIDRaddressing

backbone

ISP1 ISP2

Prefixesusedtosetuphierarchicalrouting: -Anorganizationassigneda.b.c.d/x -Itmanagesaddressesprefixedbya.b.c.d/x

…1111001

10110…1110000

5.6.7.8

10110…1111000

…1111011

10110…1100011

Classlessinter-domainrouting(CIDR)

Network prefix MSBs Host address

x LSBs

Routing

AS att.net

ASwisc.edu

AScharter.net

Autonomoussystems(AS)areorganizationalbuildingblocks -CollectionofIPprefixesundersingleroutingpolicy -wisc.eduWithinAS,mightuseRIP(RoutingInformationProtocol)BetweenAS,useBGP(BorderGatewayProtocol)

…1111001

10110…1110000

5.6.7.8

10110…1111000

…1111011

10110…1100011

ASCategories

• Stub:connectedtoonlyonotherAS

• Multi-homed:connectedtomultipleotherAS

• Transit:routestrafficthroughit'sASforotherAS's

3 4

6 57

1

8 2

BGPandrouting

defense.gov

wisc.edu charter.net

BGP(exteriorBGP)OSPFwithinAS’s(Openshortest-pathfirst)

BorderGatewayProtocol(BGP)

• Policy-basedrouting– AScansetpolicyabouthowtoroute

• economic,security,politicalconsiderations

• BGProutersuseTCPconnectionstotransmitroutinginformation

• Iterativeannouncementofroutes

BGPexample

• 2,7,3,6areTransitAS• 8,1areStubAS• 4,5multihomedAS• AlgorithmseemstoworkOKinpractice

– BGPdoesnotrespondwelltofrequentnodeoutages

3 4

6 57

1

8 27

7

2 7

2 7

2 7

3 2 7

6 2 7

2 6 52 6 5

2 6 5

3 2 6 5

7 2 6 56 5

5

5

[D.Wetherall]

• 2008:PakistanattemptstoblockYouTube– youtubeis208.65.152.0/22– youtube.com = 208.65.153.238

• PakistanISPadvertises208.65.153.0/24viaBGP– morespecific,prefixhijacking

• Internetthinksyoutube.comisinPakistan

• Outageresolvedin2hours…

IPhijacking

• BGPunauthenticated– Anyonecanadvertiseanyroutes

– Falserouteswillbepropagated

• ThisallowsIPhijacking– ASannouncesitoriginatesaprefixitshouldn’t

– ASannouncesithasshorterpathtoaprefix

– ASannouncesmorespecificprefix

recapDNS / DNS insecurity / DNS cache poisoning / Typosquatting

CIDR, BGP / IP route hijacking

Exit slips / 1 thing you learned / 1 thing you didn't understand