Foundations of Network and Computer Security J J ohn Black Lecture #25 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.

Slides:



Advertisements
Similar presentations
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
Advertisements

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
CSE331: Introduction to Networks and Security Lecture 8 Fall 2002.
21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.
CISCO NETWORKING ACADEMY Chabot College ELEC Address Resolution Protocol.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Dynamic Pharming Attacks and Locked Same-Origin Policies For Web Browsers Chris Karlof, J.D. Tygar, David Wagner, Umesh Shankar.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 10 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Foundations of Network and Computer Security J J ohn Black Lecture #37 Dec 14 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
CSCI 4550/8556 Computer Networks Comer, Chapter 19: Binding Protocol Addresses (ARP)
IP Routing: an Introduction. Quiz
Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Foundations of Network and Computer Security J J ohn Black Lecture #36 Dec 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
Domain Name System Security Extensions (DNSSEC) Hackers 2.
Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.
NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
CSUF Chapter 6 1. Computer Networks: Domain Name System 2.
IIT Indore © Neminath Hubballi
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013.
October 15, 2002Serguei A. Mokhov, 1 Intro to DNS SOEN321 - Information Systems Security.
ARP Poisoning Rushad Shaikh CSCI 5931 Web Security Spring 2004.
Address Resolution Protocol(ARP) By:Protogenius. Overview Introduction When ARP is used? Types of ARP message ARP Message Format Example use of ARP ARP.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2015.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.
ARP Spoofing Attacks Dr. Neminath Hubballi IIT Indore © Neminath Hubballi.
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
IP1 The Underlying Technologies. What is inside the Internet? Or What are the key underlying technologies that make it work so successfully? –Packet Switching.
EE 122: Lecture 20 (Domain Name Server - DNS) Ion Stoica Nov 15, 2001 (* based on the some on-line slides of J. Kurose & K. Rose and of Raj Jain)
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
CNIT 124: Advanced Ethical Hacking Ch 7: Capturing Traffic.
DNS Cache Poisoning. History 1993 – DNS protocol allowed attacker to inject false data which was then cached 1997 – BIND 16-bit transaction ids not randomized,
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
DNS Cache Poisoning – The Next Generation by Joe Stewart, GCIH Presented by Stephen Karg CS510, Advanced Security Portland State University Oct. 24, 2005.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2015.
Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
Network Security Threats KAMI VANIEA 18 JANUARY KAMI VANIEA 1.
Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
NETWORKING (2) Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Address Resolution Protocol Yasir Jan 20 th March 2008 Future Internet.
Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013.
MAN-IN-THE-MIDDLE ATTACK STEGANOGRAPHY Lab# MAC Addresses and ARP  32-bit IP address:  network-layer address  used to get datagram to destination.
1 Address Resolution Protocol (ARP). 2 Overview 3 Need for Address Translation Note: –The Internet is based on IP addresses –Local area networks use.
DNS Security Advanced Network Security Peter Reiher August, 2014
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
Address Resolution Protocol (ARP)
LAN Vulnerabilities.
ARP and RARP Objectives Chapter 7 Upon completion you will be able to:
DNS Cache Poisoning Attack
DNS security.
Address Resolution Protocol (ARP)
ARP Spoofing.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Presentation transcript:

Foundations of Network and Computer Security J J ohn Black Lecture #25 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004

Announcements Proj #2 – Hand in today if you didn’t already Quiz #4: last 30 mins today No class Thurs (Thanksgiving) or Tues (week from today)

More Contemporary Problems in Network Security So WEP is the only wide-spread and officially-recognized security protocol in the standard, and it is awful But wait there’s more: –Several other long-standing protocols are also badly flawed; today we’ll look at two more ARP DNS

ARP: Address Resolution Protocol We already went through this protocol at a high level: –ARP_REQUEST –ARP_REPLY –Passive caching –Easily Spoofed –Note: this is for LANs only

ARP Packet Hardware Type 1 = Ethernet; ProtocolType 0x0800 = IP; Operation 1 = Request, 2 = Reply; Source MAC and IP, then Target MAC and IP follow

ARP Cache Poisoning Client A requests MAC for IP –Client B replies “I am with MAC 01:01:01:01:01:01” (broadcast) –Client C hears reply and caches  01:01:01:01:01:01 Unsolicited replies are also cached –Suppose gateway IP is and A’s IP is –B tells A:  01:01:01:01:01:01 –B tells gateway:  01:01:01:01:01:01 –Note: these are unicast ARP_REPLYs

Man-in-the-Middle A Gateway B B now proxies all traffic between A and the outside world

Tools: Ettercap Ettercap is a freely-available tool that does ARP cache poisoning for you –I had a grad student do his thesis on this topic –It was easy to set up and use –Handles SSH as well Uses OpenSSL library

Defenses Static ARP tables –Administrative headache –Doesn’t scale ARPWatch –Watches all traffic and detects anomolies –But only alerts admin after an attack has already occurred –Sometimes generates false positives

Using Cryptography AuthARP (Hector Urtubia) –Each client must sign replies with a public key –Unapproved users cannot issue ARP_REPLYs –Downside: PKI

DNS: Domain Name System Already covered this service (roughly) Distributed database mapping names to IP addresses –13 root servers –locally cached like ARP –Recursive algorithm: If colorado.edu doesn’t know, ask edu, if they don’t know, ask a root server

DNS: Security BIND –Berkeley DNS implementation –Ubiquitous –History of bugs Even without vulnerabilities, DNS is a flawed protocol –No authentication –Spoofing not too hard

Unsolicited Replies Not Accepted Can’t just send a DNS record to a client who did not request it But we CAN send a reply to a client who DID request it –Problems: we have to know the request was made Not too hard if we control origin of the request (eg, a web page) Not too hard if we can sniff local network –Problems: we have to throttle legitimate replier

DNS Spoofing A requests –Local DNS server may have it cached, or may not; if cached, replies to A –Evil host (on local network) throttles DNS server Ping of death, DoS, overflows, etc Evil host answers for DNS server, redirecting A to bad IP address

Remote Attacks You visit which has a legitimate link to –evil.com then throttles you DNS server and spoofs –evil.com knows you’re waiting for a resolution for amazon.com Doesn’t always work: –Sequence numbers are used, and they are sniffable on a LAN, but not remotely They used to be sequential (thus easy to guess) but now they are randomized Makes remote attacks much harder

Remote DNS Poisoning Attack a local nameserver –Send hundreds of requests to a victim nameserver for the same (bogus) name, bogus.com nameserver must ask someone else, since he won’t have this cached –Send hundreds of replies for bogus.com Problem: sequence numbers of nameserver’s help requests much be matched Answer: birthday phenomenon –Random numbers aren’t that random, which helps –Chance of a collision very high –Now users of this local nameserver will get the IP of your choice when asking for bogus.com

Remote DNS Poisoning

DNSSEC DNSSEC is a project to have a central company, Network Solutions, sign all the.com DNS records. Here's the idea, proposed in 1993: Network Solutions creates and publishes a verification key. (They are the CA) Each *.com creates a key and signs its own DNS records. Yahoo, for example, creates a key and signs the yahoo.com DNS records under that key. Network Solutions signs each *.com key. Yahoo, for example, gives its cert to Network Solutions, and Network Solutions signs a document identifying that key as the yahoo.com key. Computers around the Internet are given the Network Solutions key, and begin rejecting DNS records that aren't accompanied by the appropriate signatures. As of November 2002, Network Solutions simply isn't doing this. There is no Network Solutions key. There are no Network Solutions *.com signatures.

DNSSEC On the table for over 10 years now; as of 2002: We are still doing basic research on what kind of data model will work for dns security. After three or four times of saying "NOW we've got it, THIS TIME for sure" there's finally some humility in the picture... "wonder if THIS'll work?"... It's impossible to know how many more flag days we'll have before it's safe to burn ROMs that marshall and unmarshall the DNSSEC related RR's, or follow chains trying to validate signatures. It sure isn't plain old SIG+KEY, and it sure isn't DS as currently specified. When will it be? We don't know. What has to happen before we will know? We don't know that either is already dead and buried. There is no installed base. We're starting from scratch. BIND 9 was released earlier this year with DNSSEC disabled…