
Network Attacks

This article explores network trust issues related to TCP congestion control, IP source spoofing, wireless transmission, and denial of service attacks. It discusses TCP SYN floods, name servers, DDoS via DNS, and DNS amplification attacks.


Presentation Transcript


  1. Network Attacks

  2. Network Trust Issues • TCP Congestion control • IP Src Spoofing • Wireless transmission • Denial of Service Attacks • TCP-SYN • Name Servers • DDoS (DNS) • DNS Amplification attack

  3. Network Trust Issues

  4. The Gullible Network • A lot of network protocols assume participants are well intentioned • TCP: congestion control • Wireless: transmit power • BGP: route advertisements

  5. Cheating TCP (figure: two flows, A→B and D→E, share one bottleneck; payoff table of throughputs (x, y) for each combination of A and D each choosing "increase by 1" or "increase by 5" per RTT) • Too aggressive → losses → throughput falls • Individual incentives: cheating pays • Social incentives: better off without cheating • Classic Prisoner's Dilemma: resolution depends on accountability
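An added example, not code from the slides, that makes the payoff table concrete: a small simulation of two additive-increase/multiplicative-decrease senders sharing one bottleneck, where sender D adds 5 segments per RTT while A adds 1. The model is constructed and deliberately simple: the link carries `capacity` segments per RTT, and losses are synchronized (both senders halve whenever their windows together exceed the capacity). The loss-event rate stands in for the capacity wasted when everyone is too aggressive.

```python
# Added example: two AIMD senders on one bottleneck, one of them cheating.
# Constructed model, not from the slides: the link holds `capacity` segments
# per RTT; whenever the two windows together exceed it, both senders see a
# loss and halve (synchronized loss). A grows by `a_increase` per RTT and D
# by `d_increase`; the slide's honest value is 1, the cheater's 5.

def simulate_share(capacity=100.0, a_increase=1.0, d_increase=5.0, rtts=10_000):
    """Share of the link taken by senders A and D, and the per-RTT loss-event rate."""
    w_a = w_d = 1.0
    sent_a = sent_d = 0.0
    loss_events = 0
    for _ in range(rtts):
        if w_a + w_d > capacity:
            # congestion: both back off multiplicatively, no growth this RTT
            w_a /= 2.0
            w_d /= 2.0
            loss_events += 1
        else:
            w_a += a_increase
            w_d += d_increase
        sent_a += w_a
        sent_d += w_d
    total = sent_a + sent_d
    return {
        "a_share": sent_a / total,
        "d_share": sent_d / total,
        "loss_rate": loss_events / rtts,
    }


def payoff_matrix():
    """(A's share, D's share, loss rate) for each pair of strategies, mirroring the
    slide's (x, y) table: 1 = play fair, 5 = cheat."""
    table = {}
    for a in (1.0, 5.0):
        for d in (1.0, 5.0):
            r = simulate_share(a_increase=a, d_increase=d)
            table[(a, d)] = (round(r["a_share"], 3), round(r["d_share"], 3), round(r["loss_rate"], 3))
    return table


if __name__ == "__main__":
    for (a, d), (share_a, share_d, losses) in payoff_matrix().items():
        print(f"A adds {a:.0f}, D adds {d:.0f}: A gets {share_a:.0%}, D gets {share_d:.0%}, "
              f"loss events per RTT {losses:.3f}")
```

With synchronized losses the long-run window ratio converges to the ratio of the additive increases, so the cheater takes roughly five sixths of the link when the other side plays fair; when both cheat, each is back to half the link but the loss events come about four times as often. That is the Prisoner's Dilemma on the slide: defecting pays unless the other side defects too, and nothing in TCP itself holds a sender to the honest increment.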

  6. Cheating Wireless (figure: A and B both transmit to C, one at 10× power and the other at normal power) • Individual incentives: cheating pays • Social incentives: better off without cheating • Classic Prisoner's Dilemma: resolution depends on accountability

  7. Origin: IP Address Ownership and Hijacking • Who can advertise a prefix with BGP? • The AS that owns the prefix • … or its upstream provider(s) on its behalf • Implicit trust between upstream and downstream providers • However, what's to stop someone else? • Prefix hijacking: another AS originates the prefix • BGP does not verify that the originating AS is authorized

  8. Prefix Hijacking: full or partial control (figure: seven ASes, numbered 1 to 7; the legitimate owner and a second AS both originate 12.34.0.0/16) • Consequences for the affected ASes • Blackhole: data traffic is discarded • Snooping: data traffic is inspected, and then redirected • Impersonation: data traffic is sent to bogus destinations
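The check that plain BGP lacks, as an added example (not from the slides): validate the origin AS of an announcement against a table of prefix-to-origin authorizations, the data model that RPKI ROAs use. The table is constructed; it assumes that 12.34.0.0/16 from the slide belongs to AS 1 and may be announced as a /16 or a /17 but nothing longer. The sample update feed is likewise constructed and includes both the full-control hijack (the same /16 from another AS) and the partial-control one (a more-specific /17).

```python
# Added example, not from the slides: origin validation of BGP announcements
# against prefix-to-origin authorizations (the RPKI ROA data model).
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OriginAuthorization:
    prefix: ipaddress.IPv4Network
    origin_as: int
    max_length: int      # longest more-specific the origin may announce


# Constructed table: assumption that 12.34.0.0/16 belongs to AS 1, announceable as /16 or /17.
AUTHORIZATIONS = [
    OriginAuthorization(ipaddress.ip_network("12.34.0.0/16"), origin_as=1, max_length=17),
]


def validate_origin(prefix, origin_as, table=AUTHORIZATIONS):
    """Classify an announcement as 'valid', 'invalid' or 'unknown' (no covering authorization)."""
    net = ipaddress.ip_network(prefix)
    covering = [a for a in table if net.version == a.prefix.version and net.subnet_of(a.prefix)]
    if not covering:
        return "unknown"       # nobody registered this space: plain BGP, no information
    for a in covering:
        if a.origin_as == origin_as and net.prefixlen <= a.max_length:
            return "valid"
    return "invalid"           # covered, but wrong origin or too specific: a hijack candidate


def filter_announcements(announcements, table=AUTHORIZATIONS, drop_unknown=False):
    """Return the (prefix, origin_as) announcements a router applying the check would accept."""
    accepted = []
    for prefix, origin_as in announcements:
        state = validate_origin(prefix, origin_as, table)
        if state == "valid" or (state == "unknown" and not drop_unknown):
            accepted.append((prefix, origin_as))
    return accepted


# Constructed update feed: the legitimate /16, a more-specific from the owner,
# the same /16 from a hijacker (full control), a /17 from the hijacker (partial
# control of half the space), and an unrelated prefix nobody has registered.
SAMPLE_UPDATES = [
    ("12.34.0.0/16", 1),
    ("12.34.0.0/17", 1),
    ("12.34.0.0/16", 7),
    ("12.34.128.0/17", 7),
    ("198.51.100.0/24", 7),
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_UPDATES:
        print(f"{prefix:18} AS{asn}: {validate_origin(prefix, asn)}")
```

The caveat a practitioner should keep in mind: this validates only the origin, not the path. An attacker who prepends the legitimate origin AS to a forged AS path passes this check, so it removes the easy hijacks on the slide rather than every one.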

  9. DoS

  10. Denial of Service Attack • Prevent other people from using a service: • A server • A link in a network • High-level idea • Send a lot of packets and ensure 100% utilization • No one else can use it.

  11. DNS: Denial Of Service • Flood DNS servers with requests until they fail • What was the effect? • … users may not even notice • Caching is almost everywhere • More targeted attacks can be effective • Local DNS server → cannot access DNS • Authoritative server → cannot access domain

  12. TCP: Denial Of Service (SYN Flood) • Send a bunch of SYN packets to a server • Server allocates buffer and TCP sockets • You allocate nothing • Eventually the server runs out of space. • How to solve this problem?

  13. Recall: TCP Handshake (figure: A → Server: SYN; Server → A: SYN/ACK) • A: no allocations, no resource committed • Server allocates: • Allocates data structures • E.g. buffer space

  14. TCP: Denial Of Service (SYN Flood) • Send a bunch of SYN packets to a server • Server allocates buffer and TCP sockets • Server responds with SYN/ACK • You allocate nothing • Eventually the server runs out of space. • How to solve this problem? • SYN cookies: the server stores nothing and instead responds with a special cookie • If the cookie is returned in a subsequent packet, then the server allocates space • Assumption: a client that returns the cookie actually received the SYN/ACK at its claimed source address, so it is not spoofing and has spent a round trip to get in
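The SYN-cookie idea in working code, as an added example that is not from the slides: the server's initial sequence number in the SYN/ACK is the cookie, so no state is kept per half-open connection, and the final ACK is checked by recomputing the keyed hash. The 5-bit time counter, 3-bit MSS index and 24-bit hash layout follows the common Linux-style split; the secret, the MSS table, the addresses and the flood itself are constructed for the demo.

```python
# Added example, not from the slides: a SYN-cookie server that keeps no state
# per half-open connection. The server's ISN in the SYN/ACK *is* the cookie:
#   bits 31..27  5-bit time counter (ticks every 64 s)
#   bits 26..24  3-bit index into a small MSS table (the option we must remember)
#   bits 23..0   24-bit keyed hash of (client IP, port, server IP, port, client ISN, counter)
# The secret, the MSS table and all addresses below are constructed for the demo.
import hashlib
import hmac
import ipaddress
import struct

SERVER_SECRET = b"constructed-demo-secret-rotate-at-boot"   # assumption: per-server secret
MSS_TABLE = (536, 1220, 1300, 1440, 1460, 2960, 4440, 8960)  # 8 entries fit in 3 bits
COUNTER_SECONDS = 64
MAX_COUNTER_AGE = 1     # accept cookies from this tick or the previous one


def _mss_index(mss):
    """Largest table entry not above the client's MSS; recovered from the cookie later."""
    return max(i for i, m in enumerate(MSS_TABLE) if m <= mss or i == 0)


def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    msg = struct.pack(">4sH4sHII",
                      ipaddress.IPv4Address(src_ip).packed, src_port,
                      ipaddress.IPv4Address(dst_ip).packed, dst_port,
                      client_isn & 0xFFFFFFFF, counter)
    return int.from_bytes(hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Server ISN for the SYN/ACK. Nothing is stored on the server."""
    counter = int(now // COUNTER_SECONDS) & 0x1F
    return (counter << 27) | (_mss_index(mss) << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, counter)


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack_number, now):
    """On the final ACK: return the client's MSS if the cookie is genuine and fresh, else None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF          # the client ACKs our ISN + 1
    counter = cookie >> 27
    if ((int(now // COUNTER_SECONDS) & 0x1F) - counter) & 0x1F > MAX_COUNTER_AGE:
        return None                                  # stale: older than the previous tick
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                                  # forged, or replayed on a different 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


class SynCookieServer:
    """Minimal listener: a connection exists only after a valid ACK."""

    def __init__(self, ip, port, now):
        self.ip, self.port, self.now = ip, port, now
        self.established = {}   # (client ip, port) -> negotiated MSS

    def on_syn(self, src_ip, src_port, client_isn, mss):
        # No allocation here: the state rides in the ISN we answer with.
        return make_syn_cookie(src_ip, src_port, self.ip, self.port, client_isn, mss, self.now)

    def on_ack(self, src_ip, src_port, client_isn, ack_number):
        mss = check_syn_cookie(src_ip, src_port, self.ip, self.port, client_isn, ack_number, self.now)
        if mss is None:
            return False
        self.established[(src_ip, src_port)] = mss
        return True


def demo():
    """SYN flood from spoofed sources, then one real client, then one forged ACK."""
    srv = SynCookieServer("203.0.113.10", 443, now=1_700_000_000)
    for i in range(10_000):                          # spoofed SYNs: the SYN/ACKs go nowhere useful
        srv.on_syn(f"198.51.100.{i % 256}", 1024 + i % 60000, client_isn=i, mss=1460)
    half_open = len(srv.established)                 # 0: nothing was allocated for the flood
    isn = srv.on_syn("192.0.2.7", 40000, client_isn=12345, mss=1440)
    real_ok = srv.on_ack("192.0.2.7", 40000, 12345, (isn + 1) & 0xFFFFFFFF)
    forged_ok = srv.on_ack("192.0.2.8", 40001, 1, 0xDEADBEEF)   # attacker guessing a cookie
    return half_open, real_ok, forged_ok, srv.established[("192.0.2.7", 40000)]


if __name__ == "__main__":
    print(demo())   # (0, True, False, 1440)
```

Two things the code makes visible that the slide leaves implicit: the only TCP option the server can carry across the stateless gap is what fits in the cookie (here the MSS, via a table index), and a cookie is bound to the client's 4-tuple and to a short time window, so an ACK replayed from another address or after a few minutes is rejected even though the hash itself never expires.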

  15. Problems with DoS (from the attacker's side: one source against one server or link) • Easy to figure out who is attacking • Easy to block • Takes a while for the attack to work

  16. DDoS

  17. Distributed Denial of Service Attack • Take over a number of machines • Use a botnet • Use all the machines to conduct a DoS on a server • Much more effective than a regular DoS • Harder to stop and shut down

  18. DNS Amplification Attack (figure: DoS source → DNS server: DNS query with the source IP spoofed to the DoS target, 60 bytes; DNS server → DoS target: EDNS response, 3000 bytes; about 40× amplification) • 580,000 open resolvers on the Internet (Kaminsky-Shiffman '06)

  19. Solutions (figure: attacker → open amplifier: IP-spoofed packets; open amplifier → victim: replies) • Prevent IP spoofing • Disable open amplifiers
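An added example covering slides 18 and 19 together (not code from the slides): the wire-level arithmetic behind the amplification figure, and the two resolver-side mitigations. It builds a real DNS query with an EDNS0 OPT record, a constructed multi-record TXT answer of about 3 KB, and computes the bandwidth amplification factor including IP and UDP headers; it then shows a resolver that answers only its own clients (not an open amplifier) and one that truncates oversized UDP answers so the large reply can only be fetched over TCP. The domain, the answer contents and the client ACL are all constructed; nothing is sent on the network.

```python
# Added example, not from the slides: DNS amplification on the wire, and the
# resolver-side mitigations. The query, the TXT answer and the client ACL are
# constructed; no packets are sent.
import ipaddress
import struct

IP_UDP_OVERHEAD = 28                       # IPv4 header (20) + UDP header (8)
TYPE_TXT, TYPE_OPT, TYPE_ANY, CLASS_IN = 16, 41, 255, 1


def encode_name(name):
    # 'example.com' -> 07 'example' 03 'com' 00
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, qtype=TYPE_ANY, txid=0x1234, edns_bufsize=4096):
    """Small query that advertises a big EDNS0 UDP buffer so the answer can be large."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)      # RD=1; 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)
    opt_rr = b"\x00" + struct.pack(">HHIH", TYPE_OPT, edns_bufsize, 0, 0)  # root name, OPT, bufsize, flags, no rdata
    return header + question + opt_rr


def _question_section(query):
    qname_len = query[12:].index(b"\x00") + 1
    return query[12:12 + qname_len + 4]


def build_txt_response(query, txt_strings, ttl=3600):
    """Answer with one TXT RR per string; the owner name is a compression pointer (0xC00C) to the question."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, len(txt_strings), 0, 0)   # QR, RD, RA
    answers = b""
    for s in txt_strings:
        rdata = bytes([len(s)]) + s
        answers += b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + _question_section(query) + answers


def amplification(query, response, overhead=IP_UDP_OVERHEAD):
    """Bytes the victim receives per byte the attacker sends, counting IP+UDP headers."""
    return (len(response) + overhead) / (len(query) + overhead)


# Mitigation 1 ("disable open amplifiers"): answer only your own clients. Constructed ACL.
ALLOWED_CLIENTS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]


def should_answer(src_ip, allowed=ALLOWED_CLIENTS):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed)


# Mitigation 2: cap what goes out over UDP. Oversized answers get TC=1 and only the
# question back, forcing a TCP retry that a spoofed source address can never complete.
def truncate_if_large(query, response, max_udp_payload=512):
    if len(response) <= max_udp_payload:
        return response
    return query[:2] + struct.pack(">HHHHH", 0x8380, 1, 0, 0, 0) + _question_section(query)   # QR, TC, RD, RA


def demo():
    query = build_query("example.com")                       # 40 bytes of DNS payload
    response = build_txt_response(query, [b"A" * 255] * 11)  # about 3 KB of answer
    return (len(query), len(response),
            amplification(query, response),
            amplification(query, truncate_if_large(query, response)))


if __name__ == "__main__":
    q, r, factor, capped = demo()
    print(f"query {q} B, response {r} B, amplification x{factor:.1f}, with truncation x{capped:.2f}")
```

A 40-byte query producing a 2977-byte answer comes out at roughly 44× once IP and UDP headers are counted on both sides, in line with the slide's figure. The client ACL alone is not enough when sources can be spoofed inside the allowed ranges, which is why slide 19 pairs it with preventing spoofing at the network edge (ingress filtering); the truncation rule works regardless of spoofing because the attacker never sees the TC bit, let alone completes the TCP handshake.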

  20. DDoS (figure: botnet → name servers: DNS requests with the source spoofed to the victim; name servers → victim: DNS responses)
