24. Principles of Network Security/ Internet Attacks and Defenses

24. Principles of Network Security/

Internet Attacks and Defenses

n 

Basic principles

n 

Symmetric encryption

n 

Public-key encryption

n 

Signatures, authentication, message integrity

n 

Service & Distributed

Denial-of-Service

n 

Attacks on the Internet Routing System

n 

General Defense Mechanisms

John DeHart

Based on material from Jon Turner, Roch Guerin

and Kurose & Ross

Course Evaluation Time

n 

Nov. 17 – Dec 9

n 

Please complete it.

n 

They are helpful to us.

Four Elements of Network Security

n 

Confidentiality

»

only sender, intended receiver should

“

understand

”

message

»

sender encrypts message, receiver decrypts

n 

Authentication

»

sender, receiver want to confirm identity of each other

»

Use of “certification of authenticity” issued by trusted entity

n 

Message integrity

»

sender, receiver want to ensure message not altered (in transit,

or afterwards) without detection

n 

Access and availability

A Traditional Model of Security

n 

Alice & Bob want to communicate

“

securely

”

n 

Trudy (intruder) may intercept, delete, add, and

modify messages

Secure Sender

channel data, control messages data data Alice Bob Trudy Secure Receiver

The Language of Cryptography

m

plaintext message

K

(

m

) ciphertext, encrypted with key

K

m

=

K

(

K

(

m

))

Note that

K

and

K

need not be identical,

i.e.,

symmetric vs. asymmetric encryption

plaintext ciphertext plaintext

K

encryption

algorithm decryption _algorithm Alice’s encryption key Bob’s decryption key

K

Simple Encryption Scheme

n 

Substitution cipher

»

substituting one thing for another

»

Mono-alphabetic cipher: substitute one letter for another

plaintext:

abcdefghijklmnopqrstuvwxyz

ciphertext:

mnbvcxzasdfghjklpoiuytrewq

plaintext:

bob. i love you. alice

ciphertext:

nkn. s gktc wky. mgsbc

Encryption key: mapping from set of 26 letters to set

of 26 letters (26! Possible mappings to choose from)

Breaking an Encryption Scheme

n 

Cipher-text only attack

»

Trudy just has ciphertext she can analyze

»

two approaches:

•  brute force: search through all keys

•  statistical analysis – e.g., using fact that ‘e’ is most common letter

n 

Known-plaintext attack

»

Trudy has at least some plaintext corresponding to ciphertext

»

e.g.,

in mono-alphabetic cipher, Trudy determines pairings for

a,l,i,c,e,b,o,

n 

Chosen-plaintext attack

»

Trudy can get ciphertext for chosen plaintext

n 

Ideally, an encryption scheme should be resistant to

Block Cipher Encryption – (1)

n 

Transposition block cipher

»

Changing the order of the input

»

a.k.a. a scrambler

3-bit block: 1 2 3

3-bit transposed block: 2 3 1

input:

011 110 001 010 000

ciphertext:

110 101 010 100 000

Encryption key: permutation of k-bit blocks (k!=6

distinct permutations for k=3, i.e., key of size

_⎡

log

k!

_⎤

or

⎡

log

3!

⎤

= 3 bits)

Why 3 bits? What do we use the 3 bits to identify?

Block Cipher Encryption – (2)

n 

Substitution block cipher

»

Maps a

k

-bit block to another uniquely distinct

k

-bit block

»

k

-bit block input is one out of 2

possible input

»

Substitution applies permutation to all possible 2

inputs

input:

011 110 001 010 000

ciphertext:

111 001 011 100 101

Encryption key: permutation among 2

_{=8 3-bit blocks (8!}

=40,320 distinct permutations, i.e., key of size

_⎡

log

8!

_⎤

=

16 bits Why 16 bits? What do we use the 16 bits for?

9 3x8 decoder 1 2 3 8 blocks permutation 3x8 decoder 1 2 3 000 101 001 011 010 100 011 111 100 000 101 010 110 001 111 110

Symmetric Key Cryptography

n 

Symmetric key cryptography

»

Bob and Alice share same (symmetric) key:

K

»

e.g

.,

key is knowing substitution pattern in mono alphabetic

substitution cipher

n 

Main issue: how do Bob and Alice agree on key value?

»

need a separate, secure channel (to exchange key)

»

governments can use couriers, but that’s not a practical

solution for individuals over the Internet

plaintext ciphertext

K_S

encryption

algorithm decryption algorithm plaintext

message, m

K_S

Block Ciphers

n 

DES is an example of a

block cipher

»

encrypts fixed length chunks separately (each chunk is a letter

in an alphabet of size 2

_,

_where

_k

_{is the chunk size in bits)}

n 

Naive implementation can be vulnerable

»

if each block is encrypted in the same way, repeated clear-text

blocks produce repeated cipher-text blocks

»

statistics of repeated blocks can aid attacker

n 

Cipher Block Chaining (CBC) used to address this

»

makes identical clear-text blocks look different when encrypted

»

example: each clear-text block

m

is xor-ed with a different

“random” value before encryption

•  start with random Initialization Vector (IV) and xor this with first

block before encrypting (IV sent to receiver, but need not be secret) •  before encrypting each subsequent block, xor it with the ciphertext

General Cipher Block Chaining

n 

Repeat across independent blocks

(IV = Initial Vector – can be sent in the clear)

IV Block₁ Cipher₁ DES Block₂ Cipher₂ DES Block₃ Cipher₃ DES Block₄ Cipher₄ DES XOR

n 

Any other cipher block encryption can be used

Data Encryption Standard (DES)

n 

Block cipher with cipher block chaining

»

56-bit symmetric key, 64-bit plaintext input

n 

How secure is it?

»

DES Challenge: 56-bit-key-encrypted phrase decrypted

(brute force) in less than a day in January 1999

»

no known good analytic attack

»

Has been withdrawn as a NIST standard.

n 

More secure variant

»

3DES: encrypt 3 times with 3 different keys

»

Advanced Encryption Standard (AES)

•  replaced DES in 2001

•  processes data in 128 bit blocks •  128, 192, or 256 bit keys

•  a computer that could break DES in one second (by brute force) would need 149 trillion years to break AES

DES Cipher

n 

encrypt 64 bit chunks

n 

initial permutation

n 

16 identical

“

rounds

”

of

function application, each

using different 48 bits of

key = F(56 bit key)

n 

final permutation

DES operation

Public Key Cryptography

n 

The problem with symmetric keys

»

They require sender & receiver to know a shared secret key

»

ok for governments perhaps, but no good for public internet

n 

Public key cryptography

»

radically different approach [Diffie-Hellman76, RSA78]

»

built around idea of “one-way functions” that are easy to

compute, but computationally difficult to invert

»

uses two keys

•  public key known to all (used to encrypt messages)

•  private key known only to message recipient (used to decrypt)

»

since no common shared key, allows communication with

strangers over insecure network

»

drawback: computationally expensive for large messages

Public Key Cryptography

plaintext message, m

ciphertext encryption

algorithm decryption _algorithm

Bob’_{s public key}

plaintext message

Bob’_{s private key}

encryption algorithm _K +B(m) _m=K –B(K+B(m)) K_–B K_+B

One-Way Functions

n 

Function that is easy to compute, hard to invert

»

example: easy to multiply two large prime numbers, but hard to

find prime factors of a large composite number

•  no known method that is substantially better than trial-and error •  a 300 digit number has about 10150 candidate factors

n 

Key idea leading to practical public-key encryption

»

compute product of two large primes and make product public,

while keeping prime factors private

»

product can be used to encrypt message, but to decrypt it, you

must know the prime factors

n 

RSA method based on this idea

»

named for its inventors

R

ivest,

S

hamir and

A

delman

n 

Alternate one-way functions have been proposed

Background: Modulo Arithmetic

n 

x

mod

n

= remainder of

x

when divided by

n

n 

Basic properties

[(

a

mod

n

) + (

b

mod

n

)] mod

n

= (

a

+

b

) mod

n

[(

a

mod

n

) – (

b

mod

n

)] mod

n

= (

a

–

b

) mod

n

[(

a

mod

n

) * (

b

mod

n

)] mod

n

= (

a

*

b

) mod

n

n 

Consequently,

(

a

mod

n

)

_mod

_n

₌

_a

_mod

_n

= [(

a

mod

n

)

_mod

_n

_]*

[(

a

mod

n

)

_mod

_n

_{] mod}

_n

n 

Example:

a

=14,

n

=10,

d

=3:

(

a

mod

n

)

_mod

_n

_{= (14 mod 10)}

_{mod 10}

= 4

_{mod 10}

= 64 mod 10 = 4

Creating an RSA Key Pair

1.  Choose two large prime numbers p, q (say, 1024 bits long) and compute n=pq

2.  Choose a number e<(p–1)(q–1) with no common factor >1 with (p–1)

(q–1), i.e., e and (p–1)(q–1) are relatively prime

3.  Choose a number d such that ed–1 is a multiple of

(p–1)(q–1) – equivalently, d = (k(p–1)(q–1)+1)/e for some positive integer k

4.  Public key K₊=(n,e), private key K_–=(n,d)

5.  Advertise K₊ but keep K_– private, and discard (do not disclose) p and q (if p and q are known, e and d can be easily inferred)

Example with small numbers:

p=5, q=7, n=35, (p–1)(q–1)=24, e=5, d=29 (d = (6*4*6+1)/5 = 29 for k=6, p-1=4, q-1=6, e=5 )

Dependent on having an efficient way to generate large prime numbers and efficient ways to select e and d

RSA Encryption/Decryption

Sending encrypted message to owner of (

K

K

)

n 

Given (

n

,

e

), (

n

,

d

) as discussed, and message

m

<

n

»

m MUST be less than n

n 

Encrypt by computing

K

(

m

) =

c = m

mod

n

n 

Decrypt by computing

K

(

c

)

= c

mod

n = m

(you need

to know

d

to successfully decrypt a message)

n 

This works because

c

_mod

_{n =}

₍

_m

_mod

_n

₎

_mod

_n

= m

_mod

_n

= m

_mod

_n

_*

= m

_mod

_{n = m **}

* by the magic of number theory

From

number theory

,

p

&

q

prime with

n

=

pq

implies

So that

Since

ed=

1 mod (

p

-1)(

q

-1)

by construction of

d

n

a

n

a

b

mod

b

mod[(

p

−

1

)(

q

−

1

)]

mod

=

(

)

[

]

m

n

m

n

m

n

m

n

n

m

q

p

ed

ed

d

e

=

=

=

=

−

−

mod

mod

mod

mod

mod

1

)

1

)(

1

mod(

RSA Encryption/Decryption

Sending encrypted message to owner of (

K

K

)

n 

p and q are prime. n = pq

n 

Then number theory gives us:

»  xy mod n = xy mod (p-1)(q-1) mod n

n 

Choose e

<(

p

–1)(

q

–1) such that e and (

p

–1)(

q

–1), relatively prime

Choose d

such that

ed–

1

is a multiple of (

p

–1)(

q

–1)

»  ed = k(p–1)(q–1)+1 for some positive integer k

»  ed mod (p-1)(q-1) = (k(p-1)(q-1) + 1) mod (p-1)(q-1) = 1

•  Because (xy + 1) mod y = 1

n 

Message m < n

n 

Encrypt: K

(m) = c = m

mod n

n 

Decrypt: K

(c) = c

mod n = m

n 

This works because

c

_{mod n = (m}

_{mod n)}

_{mod n}

= m

_{mod n}

= m

_{mod n (number theory)}

Simple RSA Example

1. 

Pick

p

=7,

q

=11 prime

»

n

=

pq

= 77,

z

= (

p

-1)(

q

-1) = 60

2. 

Choose Encryption key

e

<

n

such that

e

&

z

are

relatively prime:

»

e

= 17

3. 

pick Decryption key

d

such that

ed

[mod

z

] = 1

»

d = 53 (53 x 17 = 901 which mod 60 is 1)

4. 

Pub. Key: (

n

,

e

)=(77,17); Priv. Key: (

n

,

d

)=(77,53)

n 

Assume message value of

m

= 9

encode it as

c

= 9

_{[mod 77] = 4,}

decode this as 4

_{[mod 77] = 9}

Note: If too big, compute

x

_mod

_v

_{progressively,}

Simple RSA Example

encode it as

c

= 9

_{[mod 77] = 4,}

decode this as 4

_{[mod 77] = 9}

Note: If too big, compute

x

_mod

_v

_{progressively,}

i.e.,

(

x

mod

v

)

_{mod v}

c = 917 _{[mod 77] = ((9}2 _{mod 77)}8 _{* (9 mod 77)) mod 77}

= ((81 mod 77)8 _{* 9) mod 77}

= ((4 mod 77)8 _{* 9) mod 77}

= ((256 mod 77) * (256 mod 77) * 9) mod 77 = (25 * 25 * 9) mod 77

= ((125 mod 77) * (5 * 9 mod 77)) mod 77 = (48 * 5 * 9) mod 77

= ((240 mod 77) * (9 mod 77)) mod 77 = ( 9 * 9) mod 77

Simple RSA Example

encode it as

c

= 9

_{[mod 77] = 4,}

decode this as 4

_{[mod 77] = 9}

Note: If too big, compute

x

_mod

_v

_{progressively,}

i.e.,

(

x

mod

v

)

_{mod v}

c = 917 _{[mod 77] = ((9}2 _{mod 77)}8 _{* (9 mod 77)) mod 77}

= ((81 mod 77)8 _{* 9) mod 77}

= ((4 mod 77)8 _{* 9) mod 77}

= ((46 _{mod 77) * (4}2 _{* 9 mod 77)) mod 77}

= ((4096 mod 77) * (16 * 9 mod 77)) mod 77 = (15 * 16 * 9) mod 77

= (3 * 80 * 9) mod 77 = (3 * 3 * 9) mod 77 = 4

More About RSA Operation

n 

To break RSA, need to find

d

, given

e

and

n

»

this can be done if we know (

p

–1)(

q

–1), but that requires

knowing

p

and

q

»

and that requires being able to factor

n

, which is hard

n 

Session keys

»

exponentiation required by RSA is expensive for large values

•  because multiplication time grows as product of the number of bits

»

in practice, use RSA to exchange “session keys” for use with

symmetric encryption method like AES

n 

Keys can also be “reversed” – useful for authentication

»

Sign with

K

(private) and verify signature with

K

(public)

K

(

K

(

m

)) =

m

_{mod n = m = m}

_{mod n =}

K

Elements of Network Security

n 

Confidentiality

»

only sender, intended receiver should

“

understand

”

message

»

sender encrypts message, receiver decrypts

n 

Authentication

»

sender, receiver want to confirm identity of each other

»

Use of “certification of authenticity” issued by trusted entity

n 

Message integrity

»

sender, receiver want to ensure message not altered (in transit,

or afterwards) without detection

n 

Access and availability

Digital Signatures

n 

Authentication

n 

Digital signatures allow user to “sign” a document in a

way that can’t be forged

»

this ensures that user cannot repudiate a signed document

n 

A

can sign a message by “encrypting” it using

A

’s

private key

»

message can then be “decrypted” using

A

’s public key

»

so long as no one but

A

has access to the private key, the

message must have come from

A

n 

A

can also encrypt message using

B

’s public key to

provide privacy

»

K

(

K

(

m

))=

c

=>

K

(

K

(

c

))=

m

Certificate Authorities

n 

Public-key systems require a secure way of making

public keys available

»

can’t simply start by exchanging public keys in the clear, as this

allows a “man-in-the-middle” attack

•  intruder, sitting between A and B, can substitute its own public key, causing A to encrypt messages using intruder’s public key •  intruder can then snoop on messages and re-encrypt using B’s

public key, so B can’t detect intrusion

n 

Certificate Authority (CA) vouches for the association

between a user and their public key

»

CA provides Bob with

signed certificate

of Bob’s identity

•  CA encrypts Bob’s identifier and public key using CA’s private key

»

so, Alice decrypts certificate using CA’s public key

•  public keys for “reputable” CAs “built in” to browsers

»

security depends on trustworthiness/reliability of CAs

Elements of Network Security

n 

Confidentiality

»

only sender, intended receiver should

“

understand

”

message

»

sender encrypts message, receiver decrypts

n 

Authentication

»

sender, receiver want to confirm identity of each other

»

Use of “certification of authenticity” issued by trusted entity

n 

Message integrity

»

sender, receiver want to ensure message not altered (in transit,

or afterwards) without detection

n 

Access and availability

Verifying Message

Integrity

n 

How do we prevent an intruder from tampering with

messages?

»

can encrypt and sign messages, but is this necessary?

n 

Use a

hash function

h

to produce

message digest

»

sender computes

h

(

m

) and sends pair (

m

,

h

(

m+s

)=

MAC

)

•  s is a shared secret, hash value is Message Authentication Code

»

receiver computes

h

(

m+s

) and compares to received value

»

requires hash function that is hard to invert

•  MD5, SHA-1, SHA-2, SHA-3 are commonly used “cryptographic hash functions”

n 

Can also use this to reduce effort for digital signatures

»

sender encrypts

h

(

m

) and sends pair (

m

,

K

(

h

(

m

)))

»

receiver computes

h

(

m

) and compares it to received value,

Sample Material from

Arbor Networks 2014 Report

n  Report originating primarily from ISPs and ICPs

n  DDoS traffic attacks are the main threat with many exceeding the

100Gbps (up to over 300 Gbps)

»  Bandwidth/volumetric attacks are the most common, but sophisticated

application layer attacks are on the rise

•  http GET flood attacks are among the most common application layer DDoS

attacks

•  https has become a main target for application layer attacks

»  DNS based attacks remain common and effective, e.g., DNS reflection/

amplification attacks

»  Most DDoS attacks target customer sites, but there is a growing number of

DDoS attacks against the Internet infrastructure

n  Data centers have been a main target of attacks (attacks often

overwhelm their Internet connectivity)

n  In contrast, cloud services have surprisingly not seen too many attacks

Elements of Network Security

n 

Confidentiality

»

only sender, intended receiver should

“

understand

”

message

»

sender encrypts message, receiver decrypts

n 

Authentication

»

sender, receiver want to confirm identity of each other

»

Use of “certification of authenticity” issued by trusted entity

n 

Message integrity

»

sender, receiver want to ensure message not altered (in transit,

or afterwards) without detection

n 

Access and availability

Traffic Attacks & Defenses Overview

n  Access and Availability

n  Traffic attacks: The goal is to overwhelm the target’s resources at either

the network or host/application level

»  Network attacks

•  DNS amplification attack: Requires access to open DNS server and use of spoofed

addresses (that of the target)

•  Bandwidth flooding: If you have a large enough botnet, you can generate lots of

traffic without resorting to address spoofing

»  Application attacks

•  TCP SYN attack: Seeks to exhaust server state resources by opening lots of fake

connections

•  HTTP GET flood: Same concept but with HTTP

•  TCP “shrew” attacks: takes advantage of TCP’s own behavior (more on later slide)

n  Defenses: Aimed at detecting, redirecting, and preventing attacking

packets from reaching their target (or the target’s network)

»  Address filtering: Primarily aimed at countering address spoofing

»  Unicast Reverse Path Filtering (uRPF): Discards traffic arriving from incorrect or

invalid interface (only works when routing is symmetric)

»  Black holes and sink holes: Used to attract unwanted traffic (backscatter) or

First Some Definitions

n 

Bogon prefix

»

route that should never appear in an internet routing table.

•  Private, reserved, unallocated, etc.

»

Often used by attackers as their source address.

»

IANA maintains bogon list

»

IPv4 bogon list is shrinking as address space is used up.

n 

Internet Background Noise (IBN)

»

Packets addressed to addresses or ports where there is no

network device to receive them.

n 

Backscatter

RFC 4948 - Report from the

IAB workshop on Unwanted Traffic

n  An underground economy

»  Uses IRC servers for coordination

»  Large number of vulnerable systems fuels the market

»  Locality of most laws conflicts with enforcement on a global Internet scale

n  Backbone provider are not overly concerned about traffic attacks on their networks

n  Access providers and their clients bear the brunt of the impact of traffic attacks

»  Motivated to foster the deployment of security solutions in their customers (slow adoption though – 40% adoption rate per month)

n  Enterprise network are typically better equipped with security solution »  Awareness of the cost impact of attacks

n  DNS is increasingly being attacked, and there is concern about the maturity of security extensions (DNSSEC)

n  Main vulnerabilities

»  Address spoofing and its use in DDoS attacks

»  Route hijacking

»  Complexity of hard security solutions

n  Main solutions

»  BCP 38 and BCP 84 (not consistently deployed)

»  ACLs (performance impact), black-hole routing (does the attacker’s job…), and uRPF (works well only in some situations)

»  Firewalls and app level gateways (expensive and potential performance issues)

n  Future solutions

»  Information and policy sharing across stake-holders

Network Ingress Filtering

n 

Defeating Denial of Service Attacks which employ IP

Source Address Spoofing – BCP 38 (RFC 2827)

»

BCP: Internet

B

est

C

urrent

P

ractices

n 

Covers cases involving spoofing of both unreachable as

well as valid addresses

»

The latter can translate into a “double” attack,

i.e.,

the spoofed

source may now be filtered by the domain under attack, or the

response traffic may swamp the unwitting source,

e.g.,

as with

a DNS amplification attack

n 

Filter traffic entering router from a known domain to

ensure that source address is from that domain.

n 

Mentions the possibility of uRPF to verify source.

•  uRPF: Unicast Reverse Path Forwarding

»

Not recommended because of the prevalence of asymmetric

Black-Hole Router

n 

Helps identify attacks when they start, including on the

network infrastructure itself

n 

Also called Network Telescope

»

Targets the dark/unused address space of Internet.

n 

Advertise reachability to prefix in bogon address space

n 

Inferring DDoS attacks from backscatter measurements

»

Assumes that attackers use randomly selected spoofed

addresses, with “responses” from victims sent back to those

random source addresses

»

Extrapolates frequency, magnitude, and types of attacks from

backscatter responses sent to address located in a “quiet” /8

network (1/256

_{of the Internet address space)}

Sink Holes

n 

The network equivalent of a honey pot: One or more

dedicated network/router that seeks to attract or divert

attack traffic and support its analysis

»

A double monitoring and defense role

»

Advertise host route for server under attack

•  Diverts all attack traffic to sink hole network

»

Advertise default route in local domain

•  Pulls in all internal (and external) “junk” traffic, e.g., to bogon address space

n 

Other uses

»

Monitoring scanning of infrastructure addresses (pre-attack)

•  By advertising default route of routed for bogon IPs

»

Monitoring activity on dark space (worms for locally infected

clients)

»

Capture backscatter,

i.e.,

responses (from attack victims) to

DNS Attacks

n 

Redirecting traffic to an attacker by hijacking DNS

replies

»

Faking a response to a query requires only spoofing a source

address and guessing an ID field value (DNS has no

authentication)

»

This together with DNS caching behavior makes it easy to

implement various DoS attacks a.k.a. cache poisoning (setting

the TTL value of the reply to a high value will ensure that

resolvers keep the fake answer for a long time)

»

The scope of cache poisoning can range from a single client to a

slave primary server handling an entire zone (the attack then

targets the zone transfer messages)

»

DNSSEC (RFCs 4033, 4035) adds one-way authentication to

DNS responses,

i.e.,

provides data integrity and origin

authentication

DNS Attacks (continued)

n 

DNS Amplification Attack

»

Attacker issues DNS request with source address spoofed to

target machine

•  Request asks for large amount of data, type “ANY”.

»

Amplification is a function of the number of replies that can be

directed to the host under attack,

and

the size of those replies

(creating fake DNS records that can be used during attacks can

significantly augment the size of the DNS replies)

n 

DNSSEC does not prevent DNS amplification attacks

»

They only require spoofing the source address of DNS queries,

Application Layer attacks: Low-Rate

TCP-Targeted Denial of Service Attacks

n  Most servers now have mechanisms to defend against TCP SYN attacks,

so attackers need to be a bit more creative

n  Rather than blast traffic to swamp a server, take advantage of TCP’s

behavior to mount effective attacks that are harder to detect (low rate)

n  Relies on sending properly timed short periodic bursts of packets

»  Packet bursts induce multiple losses and delay retransmissions for RTO

•  RTO: Retransmission TimeOut

»  Another burst after another RTO can result in many/most flows experiencing

repeated time-outs

n  Effective even in the presence of flows with heterogeneous RTO and RTT

values

»  Select appropriate intermediate RTO value

»  Can actually force the time-out synchronization of heterogeneous flows

n  Neither router based schemes (RED-PD) nor end-host based schemes

Attack on Routing Protocols

n  Attacks basically involve either disrupting the router’s timely access to

routing information, e.g., through standard DoS attacks, or injecting false routing information

n  Avoiding those problems calls for securing routers’ communications, e.g.,

through authentication (MD5), and limiting/filtering who can talk to a

router and the kind of information they can send, e.g., TTL hack or route filters

»  MD5 authentication is expensive, so that it could itself be used to mount a DoS

attack on a router

»  As a general rule, routers should not be accessible or visible from the outside

(make it hard to mount application layer attacks on them)

»  Enable bogus route filtering at peering points

»  Limit TTL of incoming routing protocol packets (your peer is typically close –one

hop- so that limiting TTL values will prevent most remote attacks)

»  Use uRPF at the “edges” to validate origin of protocol messages (symmetric

routing usually holds for direct connections or connection to “nearby” peer)

Some OSPF Attacks

n 

MaxAge OSPF attack is essentially a DoS attack that

affects the reachability of the target subnets as they are

flushed from the database

n 

The Sequence++ attack can trigger instabilities by

having the attacker and owning router continuously

generate new LSAs

n 

Sending lots of T5 LSAs from a compromised ASBR can

overwhelm the routing tables of internal routers

n 

All those attacks, except possibly the last one, can be

RFC 4272 - BGP Security Vulnerabilities

Analysis

n 

BGP’s three main vulnerabilities

1.

No strong protection for integrity and freshness of messages,

and peer authenticity, except for TCP MD5

2.

No ability to validate the authority of an AS to announce a

prefix

3.

No ability to validate the authenticity of path attributes

n 

BGP attacks

»

Resetting a BGP session and deleting all the associated routing

information

»

Hijacking prefixes by advertising “shorter” paths

»

Diverting prefix traffic (through attacker’s AS) by advertising

BGP Man-In-The-Middle Attacks

n 

Man-in-the-Middle attack

»  Hijack address block by advertising more specific prefixes, but ultimately deliver the traffic to its intended destination (can still sniff or alter traffic)

n 

Detection is difficult

»  Can easily defeat traceroute through TTL increases

»  Can easily omit including its own AS number to avoid association with the attack

»  An external monitor with “global” perspective is needed

n 

Detection mechanisms

»  External monitor that knows about all your legal prefix advertisements

•  Needs to peer at multiple locations to make sure it has enough coverage

»  Cross-check with registry systems

»  Use information from the two AS_PATH segments present in a man-in-the-middle attack, i.e., check if ASes from first segment actually see the more specific prefixes

BGPSEC

draft-ietf-sidr-bgpsec-protocol-10

draft-ietf-sidr-bgpsec-overview-05

n 

Introduces extensions to BGP to protect the integrity of the

AS_PATH and validate the authority of the source AS to

originate a route

»  Addition of a BGPSEC_Path_Signature attribute that includes a nested

sequence of signatures protecting the AS_PATH segments as they are built

n 

Additional processing required to validate the integrity of the

AS_PATH and the origin AS authority

»  This involves information retrieved from both the BGP message and

from a local cache of information extracted from valid RPKI objects

n 

A chicken-and-egg adoption dilemma

»  Useful only when most of the Internet has adopted it, and requires

Exercises

1.  Consider a system for distributing keys, based on the existence of a

central key master. Every user has an individual key known to them and the key master. When two users want to communicate, they request a new “session key” from the key master, which creates a key and sends a copy to each, using their individual key. Does such a system really help with the key distribution problem? Could such a system be made secure? What vulnerabilities might it have? Any other drawbacks?

Exercises

1.  Consider a system for distributing keys, based on the existence of a

central key master. Every user has an individual key known to them and the key master. When two users want to communicate, they request a new “session key” from the key master, which creates a key and sends a copy to each, using their individual key. Does such a system really help with the key distribution problem? Could such a system be made secure? What vulnerabilities might it have? Any other drawbacks?

A system closely related to this system is the basis of the Kerberos system that has been effectively used for key distribution in local networks. There are,

however, a number of issues that need to be addressed to offer a meaningful solution.

One of them is the fact that the approach is open to replay attacks. Another is the need for synchronization between parties before they can communicate securely. Without this, one side may need to buffer messages, which would allow simple DoS attacks. One approach to handle this issue is to have the server send both keys (encrypted) to on party, and have that party forward the second key to the other party before sending any data.

Exercises

2.  Consider a simple block cipher that uses 4 bit blocks, where each block is encrypted by adding 3 to it and discarding any “overflow bits”. So for example,

0010 0101 1110 becomes 0101 1000 0001

To make this more secure, we add cipher block chaining. Suppose the initial vector is 1011. What is the cipher text corresponding to the

following clear text? 0101 1011 0011

Exercises

2.  Consider a simple block cipher that uses 4 bit blocks, where each block is encrypted by adding 3 to it and discarding any “overflow bits”. So for example,

0010 0101 1110 becomes 0101 1000 0001

To make this more secure, we add cipher block chaining. Suppose the initial vector is 1011. What is the cipher text corresponding to the

following clear text? 0101 1011 0011

We start by adding (mod 2) 1011 to 0101, which gives 1110, to which we add 3=0011 to get 0001 after discarding the overflow bits.

Next 0001 is added (mod 2) to 1011, which gives 1010, to which we add 3 to get 1101.

Finally, 1101 is added (mod 2) to 0011, which gives 1110, to which we add 3 to get 0001.

Exercises

3.  Consider the RSA key pair (91,5), (91,29). Assume the first is the encryption key and the second is the decryption key. What is the encrypted value of the number 10? (Hint: 102 _{mod 91=9)}

Exercises

3.  Consider the RSA key pair (91,5), (91,29). Assume the first is the encryption key and the second is the decryption key. What is the encrypted value of the number 10? (Hint: 102 _{mod 91=9)}

Recall that given (n,e), (n,d) and message m<n Encrypt by computing K₊(m) = c = me _{mod n}

Decrypt by computing K_–(c) = c d _{mod n = m}

So c = 105 _{mod 91 = (10}2 _{mod 91)*(10}2 _{mod 91)*10 mod 91}

Exercises

4.  Consider (31,5), (31,11) as a possible RSA key pair. Does it satisfy the requirements for such a key pair (ignore the fact that the values are too small)? Why or why not? What about (77,5), (77,43)? What about (77,7), (77,43)?

Exercises

4.  Consider (31,5), (31,11) as a possible RSA key pair. Does it satisfy the requirements for such a key pair (ignore the fact that the values are too small)? Why or why not? What about (77,5), (77,43)? What about (77,7), (77,43)?

n=31 is a prime number itself, and so cannot be the product of two primes, i.e., be of the form n=pq with p,q>1. Hence (31,5), (31,11) cannot be a possible RSA key pair.

n=77=7*11 is the product of two primes, but e =5 <n has a factor in common with (p-1)(q-1)= 60 = 5*3*2, namely 5. Hence, (77,5),

(77,43) is also not a possible RSA key pair. Note that it is also not

possible to find a d value that satisfies 5*d=k*60+1, since any such d is of the form d = 5*k+0.2.

(77,7), (77,43) satisfies the conditions that 77=n=pq=7*11 is the

product of two primes and e=7 is relatively prime with (p-1)(q-1)=60. We also have d = 43 = (5*6*10+1)/7, which satisfies the condition

Exercises

Exercises

5.  Construct a valid RSA key pair using p=11, q=13.

We have n = 143, and (p-1)(q-1) = 10*12 = 120 =2*2*2*3*5. We can, therefore, choose e = 7*11 = 77.

Next, we need to pick d so that d = (k(p–1)(q–1)+1)/e = (k*120+1)/77 for some value of k. A value of k = 34 yields d = (34*120+1)/77 = 53. Hence, (143,77), (143,53) is a valid RSA key pair.

Exercises

6.  Suppose that we distributed public keys by simply posting them on the internet on a public web site. Users would then retrieve keys using their web browser and http. Why is this not an acceptable solution to the key distribution problem? How might you change it to make it workable? How does this compare to the approach that uses certificate

Exercises

6.  Suppose that we distributed public keys by simply posting them on the internet on a public web site. Users would then retrieve keys using their web browser and http. Why is this not an acceptable solution to the key distribution problem? How might you change it to make it workable? How does this compare to the approach that uses certificate

authorities?

Posting a key on the Internet does not address the issue of certifying the association of an entity’s identity with the key.

Addressing this issue would require that the hosting company of the

public web site on which keys are posted, perform an identity verification step of the stated identity of the entity posting the key. This is in a sense similar to the verification step that is required from any Certification