Physical security of wires and routers
- trends: hub-and-spoke model.
- high bandwidth links means fewer links
- routers often in same room: physical attack
- earthquake in California -- what is effect on internet?
- WTC attack: no significant effect on inet -- inet resilient
Routing: tough security problems
- System exchange reachability/distance info
- lying or spoofing can cause trouble: If advertise low ping to Japan, get flood of traffic. Machine gets overloaded... black hole
- can prevent spoofing with authenticated messages
- stupidity harder to prevent (malice is harder yet)... essentially unsolved
DNS
- maps www.foo.com to an IP address
- hierarchical method: root server (lookup .com, foo.com, www.foo.com). Lots of caching, proxy, long timeouts (expire dates).
- nobody noticed when 1/2 the DNS servers were taken down -- caching. Enough bandwidth for remaining servers.
- exposures: spoofing or lying servers/proxies, upload, info leakage (can be solved with access control)
- "authoritative": what server says, goes
But beware... there are legit reasons for a DNS mapping change, like moving a web site.
Use digital sig on DNS responses. Special key distribution method, piggyback on DNS.
Each response contains address of server + key (not much overhead, since must authenticate server anyway)
DNS security. Logical, well-designed protocol, not much overhead. But slow adoption!
Solves lying proxy problem.
Dealing with lying servers:
- define away the problem
- if server authoritative, what it says is the truth; it cannot lie
- feature of DNS: any machine can be www.princeton.edu/. Can contract out name, gets remapped.
- uploads and info leakage (can figure out companies' network topology... approx # of employees, size)
Vulnerabilities: address spoofing, tampering, eavesdropping, jamming
- Address spoofing
  - no authentication of sender addr
  - solutions
    - ingress filtering (drop packets with obviously forged addr). Router only allows address of IP that you have. Reason: DOS (denial of service) attack forges address (hard to filter, hard to guess who it is)
    - reply to claimed addr (works better when things in packet that are not guessable - the initial sequence number)
    - address authentication (crypto auth) of return addr
- Tampering and eavesdropping: use std. crypto methods
- Jamming (Denial of service)
  - attacks
    - flooding: legit traffic can't get through
    - flooding with amplification: (attacker does less work than victim)
      - TCP SYN attack: server keeps data structure for each connection. Process timeout, dealloc. Recipient does more work than sender.
      - ping attack (return addr is broadcast addr). Send 1 packet, many machines reply.
    - forged error packet (forged TCP RST packet). Mess up existing connections.
    - try to use up any limited resource of server
  - defenses
    - better filtering (can happen everywhere on network)
    - incentive for filtering for other people? Not as strong.
Paper: analyze backscatter of DoS... reply packets to my network. Result: lots of small DoS attacks, personal vendettas.
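The backscatter idea above, as an added example (not from the paper or the lecture): replies that a victim sends to forged source addresses land on a monitored block of unused addresses, so grouping those replies by their source identifies the victims. The packet records, the telescope prefix 192.0.2.0/24 and the uniform-forged-source assumption behind the scaling factor are all constructed here.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: packets arriving at a monitored block of unused
# addresses (a "telescope"). Fields: src, dst, proto, tcp_flags or icmp type.
# Made-up records, not data from the paper mentioned in the notes.
TELESCOPE = ipaddress.ip_network("192.0.2.0/24")

SAMPLE = [
    # victim 203.0.113.5 answering forged SYNs with SYN/ACK and RST
    ("203.0.113.5", "192.0.2.17", "tcp", "SA"),
    ("203.0.113.5", "192.0.2.200", "tcp", "SA"),
    ("203.0.113.5", "192.0.2.91", "tcp", "SA"),
    ("203.0.113.5", "192.0.2.3", "tcp", "R"),
    # another victim answering with ICMP destination unreachable (type 3)
    ("198.51.100.9", "192.0.2.44", "icmp", "3"),
    ("198.51.100.9", "192.0.2.45", "icmp", "3"),
    # an ordinary inbound SYN is a probe of the telescope, not backscatter
    ("198.51.100.77", "192.0.2.10", "tcp", "S"),
    # traffic to an address outside the telescope is ignored
    ("203.0.113.5", "192.0.3.1", "tcp", "SA"),
]

def is_backscatter(proto, flags):
    """Unsolicited replies a host emits when it receives forged-source packets."""
    if proto == "tcp":
        return flags in ("SA", "R", "RA")   # SYN/ACK or RST, never a bare SYN
    if proto == "icmp":
        return flags in ("3", "11")         # unreachable, time exceeded
    return False

def summarize(packets, telescope=TELESCOPE):
    """Group backscatter by source address (= probable DoS victim).
    Returns {victim: {"packets": n, "targets": distinct telescope addrs hit}}."""
    per_victim = defaultdict(lambda: {"packets": 0, "targets": set()})
    for src, dst, proto, flags in packets:
        if ipaddress.ip_address(dst) not in telescope:
            continue
        if not is_backscatter(proto, flags):
            continue
        per_victim[src]["packets"] += 1
        per_victim[src]["targets"].add(dst)
    return {v: {"packets": e["packets"], "targets": len(e["targets"])}
            for v, e in per_victim.items()}

def estimate_total_rate(observed_pps, telescope=TELESCOPE):
    """Assumption: forged sources are uniform over IPv4, so the telescope sees
    a fraction telescope_size / 2**32 of the victim's replies."""
    return observed_pps * (2 ** 32) / telescope.num_addresses
```

Many distinct telescope addresses hit by one source is the signature that separates a flooded victim from a host that merely answered one stray packet.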
Attack can send data from one computer
- suspicious, draws attention
- hard to have same bandwidth as a big site
Distributed attack
- break into 100's or 1000's of machines
- each launches a trickle (not a flood)... but the total is a flood
- hard to defend
- hard to detect attacker