4MMSR - Network Security
2 - Network Security Related Attacks
Fabien Duchene
Laboratoire d'Informatique de Grenoble, VASCO team; Grenoble Institute of Technology - Grenoble INP Ensimag
firstname.name@imag.fr
2011-2012
Fabien Duchene (LIG) 4MMSR-2-Network Security Related Attacks 1/32 2011-2012 1 / 32
http://www.liglab.fr
http://vasco.imag.fr/
http://grenoble-inp.fr
Outline
1. Physical and MAC Layers: ARP; VLAN
2. Network and Transport Layers: DHCP; IP security; Firewalls, Proxies, Routers
3. Application Layers: DNS
4. Underground stuff: Botnet; DDoS; Phishing, Spam, Pr0n
Physical and MAC Layers
The lower the better...?
Vulnerabilities in the lower layers CAN affect the higher layers [Bhaiji 2005]: a compromised link layer undermines every protocol carried above it.
Security principle: defense in depth
... [(Microsoft) 2004]
High level network attacks
Security properties that are violated on the transmitted data:
- Interruption: ...
- Interception: ...
- Modification: ...
- Fabrication: ...
Physical and MAC Layers: ARP
ARP poisoning
"Notice also that if an entry already exists for the <protocol type, sender protocol address> pair, then the new hardware address supersedes the old one" [Group and Plummer 1982]. The merge happens before the receiver checks whether the packet is addressed to it, and nothing authenticates the sender.
... : gratuitous ARP Replies [Group et al. 2005]: a link-local attacker gains the ability to redirect ALL network traffic to himself! Tools: ettercap, dsniff.
ARP poisoning - some counter-measures: make the switch aware by binding IP <-> MAC addresses (DHCP snooping, static entries) and dropping ARP packets that contradict them; limit the ARP Reply rate on a given port.
http://ettercap.sourceforge.net
http://monkey.org/~dugsong/dsniff/
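The RFC 826 merge rule and the switch-side binding check, as an added example that is not part of the course material: a host ARP cache implemented the way the RFC describes it, poisoned by a single gratuitous reply, and the same reply dropped by an inspection table fed from DHCP snooping or static bindings. Hosts, port names and the IP/MAC addresses are made up.

```python
"""ARP poisoning against the RFC 826 merge rule, and the switch-side binding
check that stops it. Added example, not the course's code: the hosts, ports,
IP and MAC addresses are made up."""
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class Arp:
    op: int
    sha: str  # sender hardware (MAC) address
    spa: str  # sender protocol (IP) address
    tha: str  # target hardware address
    tpa: str  # target protocol address


class HostArpCache:
    """Receive side of RFC 826. The merge step runs BEFORE the 'is this for me?'
    test and has no notion of who may claim an IP: any reply (or request) whose
    sender IP is already cached overwrites the cached MAC."""

    def __init__(self, my_ip):
        self.my_ip = my_ip
        self.table = {}  # ip -> mac

    def receive(self, pkt):
        merged = False
        if pkt.spa in self.table:
            self.table[pkt.spa] = pkt.sha  # "the new hardware address supersedes the old one"
            merged = True
        if pkt.tpa == self.my_ip and not merged:
            self.table[pkt.spa] = pkt.sha  # packet addressed to us: learn the sender
        return self.table.get(pkt.spa)


class ArpInspection:
    """Switch-side counter-measure: on untrusted ports an ARP packet is only
    forwarded if (sender IP, sender MAC) matches a binding learned from DHCP
    snooping or configured statically; everything else is dropped and counted."""

    def __init__(self, bindings, trusted_ports=()):
        self.bindings = dict(bindings)  # ip -> mac
        self.trusted = set(trusted_ports)
        self.dropped = []

    def forward(self, port, pkt):
        if port in self.trusted or self.bindings.get(pkt.spa) == pkt.sha:
            return True
        self.dropped.append((port, pkt.spa, pkt.sha))
        return False


GW_IP, GW_MAC = "192.168.5.1", "00:00:5e:00:53:01"
VICTIM_IP, VICTIM_MAC = "192.168.5.10", "00:00:5e:00:53:0a"
ATTACKER_MAC = "00:00:5e:00:53:66"  # plugged into port Gi0/7


def run(inspection_enabled):
    """Return (MAC the victim now uses for the gateway, packets dropped by the switch)."""
    victim = HostArpCache(VICTIM_IP)
    switch = ArpInspection({GW_IP: GW_MAC, VICTIM_IP: VICTIM_MAC}, trusted_ports={"Gi0/1"})

    # Normal operation: the gateway (on trusted port Gi0/1) answers the victim.
    legit = Arp(ARP_REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP)
    if switch.forward("Gi0/1", legit):
        victim.receive(legit)

    # Attack: a gratuitous reply claiming the gateway's IP, broadcast from Gi0/7.
    # It is not addressed to the victim, yet the merge rule still fires because
    # GW_IP is already in the victim's cache.
    poison = Arp(ARP_REPLY, ATTACKER_MAC, GW_IP, "ff:ff:ff:ff:ff:ff", GW_IP)
    if not inspection_enabled or switch.forward("Gi0/7", poison):
        victim.receive(poison)
    return victim.table[GW_IP], len(switch.dropped)


if __name__ == "__main__":
    print("without inspection:", run(False))  # attacker's MAC now stands for the gateway
    print("with inspection:   ", run(True))
```

The model deliberately omits the reply the host would send back and the ageing of entries; neither changes the outcome, which is decided entirely by the unconditional merge. Note that the inspection table only helps if the bindings are trustworthy, which is why it is built from DHCP snooping on trusted ports or from static configuration.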
Physical and MAC Layers: VLAN
VLAN - reminders I
VLAN: 802.1Q is an extension of 802.1D
[Duda, Rousseau, and Alphand 2011]
VLAN - reminders II
- trunks have access to all VLANs (default)
- trunks route traffic for multiple VLANs over the same physical link
- tagged vs untagged: e.g. VLAN ID 3 is untagged on port 7 and tagged on port 2
VLAN hopping attack: basic
Dynamic Trunking Protocol (DTP, Cisco) [Bhaiji 2005]: automates trunk configuration; port modes: Auto / On / Off / Desirable / Nonegotiate
Hypotheses: DTP left in Auto (or Desirable) on an end-station port, or the port simply set On
The station spoofs a switch's DTP implementation, negotiates a trunk, and can then be a member of any VLAN
VLAN hopping attack: double 802.1q encapsulation
Hypotheses: the attacker's access VLAN is the native (untagged) VLAN of the trunk; the switch performs only one level of decapsulation, so the outer tag is stripped as native and the inner tag survives onto the trunk
Limitations: unidirectional (the target VLAN cannot answer through the same path)
VLAN attacks: some counter-measures
on ports facing users: leave them untagged (access mode) and disable auto-trunking (DTP)
disable unused ports and park them in the default VLAN
always untag the default VLAN, and never carry user traffic on it, so that no user's access VLAN equals the trunk's native VLAN
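The double-encapsulation attack and the native-VLAN counter-measure on raw 802.1Q frames, as an added example (not the course's code): two minimal switch models, one that receives the attacker's frame on an access port and one at the far end of the trunk. VLAN numbers, port names and MAC addresses are made up.

```python
"""802.1Q double tagging, modelled on raw frames and two minimal switches.
Added example, not the course's code: MAC addresses, VLAN numbers and port
names are made up, and the switch model keeps only what the attack needs."""
import struct

TPID_8021Q = 0x8100
ETH_IPV4 = 0x0800


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, vids, ethertype=ETH_IPV4, payload=b"attacker payload"):
    """Ethernet II frame with `vids` 802.1Q tags (outermost first), PCP/DEI = 0."""
    hdr = mac(dst) + mac(src)
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def tags(frame):
    """All 802.1Q VIDs present, outermost first."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def pop_tag(frame):
    return frame[:12] + frame[16:]


class Switch:
    """Access ports classify by port; the trunk carries every VLAN, the native
    VLAN untagged. Exactly ONE tag is ever examined or removed per hop."""

    def __init__(self, access_ports, native_vlan):
        self.access = dict(access_ports)  # port -> VLAN
        self.native = native_vlan

    def access_to_trunk(self, port, frame):
        """Frame received on an access port, as it leaves on the trunk (None = dropped)."""
        vlan = self.access[port]
        vids = tags(frame)
        if vids:
            if vids[0] != vlan:
                return None  # tagged for a VLAN other than the port's: dropped
            frame = pop_tag(frame)  # one decapsulation level only
        if vlan == self.native:
            return frame  # native VLAN leaves untagged: whatever is left inside stays
        return push_tag(frame, vlan)

    def trunk_ingress_vlan(self, frame):
        """VLAN the next switch delivers the frame to."""
        vids = tags(frame)
        return vids[0] if vids else self.native


def double_tag_attack(native_vlan, attacker_vlan=1, target_vlan=20):
    """Attacker on access port Gi0/7 (VLAN `attacker_vlan`) sends a frame tagged
    [attacker_vlan, target_vlan]; returns the VLAN it reaches on the far switch."""
    sw1 = Switch({"Gi0/7": attacker_vlan}, native_vlan)
    sw2 = Switch({}, native_vlan)
    frame = build_frame("00:00:5e:00:53:14", "00:00:5e:00:53:66", [attacker_vlan, target_vlan])
    on_trunk = sw1.access_to_trunk("Gi0/7", frame)
    return None if on_trunk is None else sw2.trunk_ingress_vlan(on_trunk)


if __name__ == "__main__":
    print("native VLAN = attacker VLAN (1): delivered to VLAN", double_tag_attack(1))
    print("native VLAN = unused VLAN 999:   delivered to VLAN", double_tag_attack(999))
```

With the native VLAN equal to the attacker's access VLAN the frame arrives in VLAN 20; with an unused native VLAN the first switch pushes its own tag and the far switch reads that one, so the frame stays in VLAN 1. The model also shows why the attack is one-way: nothing on the VLAN 20 side can add a tag that the first switch would strip on the way back.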
Network and Transport Layers: DHCP
DHCP reminders
DHCP starvation attacks
DHCP reminders [Duda, Rousseau, and Alphand 2011]
- a DHCP address is given to a DHCP client (identified by its MAC address) for a given lease duration (e.g. 3600 s)
- the addressing scope is limited, e.g. 192.168.5.0/24 = 2^(32-24) - 2 = 254 addresses
DHCP starvation: perform ..... ... DHCPREQUEST + DHCPACK from many different (spoofed) MAC addresses until the pool is exhausted [Bhaiji 2005]
Some counter-measures: for DHCPREPLY, reduce the lease duration; force clients to ... (DHCP-Request); PORT SECURITY: limit the number of different MAC addresses on a given switch port
Rogue DHCP servers
Message sequence (Client, Rogue DHCP server, Legitimate DHCP server):
1. Client -> broadcast: DHCP-Discover ...
2. Rogue DHCP server -> Client: DHCP-Offer 1 ...
3. Legitimate DHCP server -> Client: DHCP-Offer 2
4. Client -> ? : DHCP-Request
5. ? -> Client: DHCP-ACK
Clients accept the ... (typically the first) DHCP-Offer whose transaction ID matches their DHCP-Discover, so the server that answers fastest wins.
Some consequences: attacker-controlled ... , ... (the parameters handed out with the lease): threats for the upper layers!
client IP address: ... [Bhaiji 2005]
Rogue DHCP Servers - some counter-measures
DHCP snooping: filtering of DHCP packets (UDP 67 and 68) of type Offer, ACK, NAK. E.g. (Cisco):
  Trusted port (where a server may be): ip dhcp snooping trust
  Untrusted port: no ip dhcp ...
  ip dhcp snooping limit rate 1 (one packet per second)
A binding table (mac ; ip ; lease ; type ; vlan ; interface) is built by snooping the DHCP replies; it ensures hosts only use the IP addresses they were assigned.
Server authentication: force DHCP servers to ... (DHCP-Offer, DHCP-ACK)
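Both DHCP attacks above (starvation, rogue server) against the two switch features described (port security, DHCP snooping with trusted ports, a rate limit and a binding table), as an added example that is not the course's code. Messages are objects, nothing is sent on a network, and every address, port name and limit is made up.

```python
"""DHCP starvation and rogue DHCP servers against port security and DHCP
snooping. Added example, not the course's code: messages are objects, nothing
is sent on a network, and all addresses, ports and limits are made up."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST"}


@dataclass
class Dhcp:
    kind: str
    chaddr: str        # client hardware address
    xid: int           # transaction ID, copied by the server into its replies
    yiaddr: str = ""   # "your" IP address (server messages)
    lease: int = 0     # seconds


class DhcpServer:
    def __init__(self, network, lease=3600):
        self.free = [str(h) for h in ipaddress.ip_network(network).hosts()]
        self.leases = {}  # chaddr -> ip
        self.lease = lease

    def handle(self, pkt):
        if pkt.kind == "DISCOVER":
            ip = self.leases.get(pkt.chaddr) or (self.free.pop(0) if self.free else None)
            if ip is None:
                return None  # pool exhausted: the server stays silent
            self.leases[pkt.chaddr] = ip  # reserved as soon as offered (simplification)
            return Dhcp("OFFER", pkt.chaddr, pkt.xid, ip, self.lease)
        if pkt.kind == "REQUEST":
            ip = self.leases.get(pkt.chaddr)
            return Dhcp("ACK", pkt.chaddr, pkt.xid, ip, self.lease) if ip else Dhcp("NAK", pkt.chaddr, pkt.xid)
        return None


class SnoopingSwitch:
    """Port security (max MACs per port) + DHCP snooping (server messages only
    from trusted ports, client-message rate limit, binding table built from ACKs)."""

    def __init__(self, trusted_ports, max_macs=3, rate_limit=1):
        self.trusted = set(trusted_ports)
        self.max_macs, self.rate_limit = max_macs, rate_limit
        self.macs = defaultdict(set)    # port -> MACs seen
        self.count = defaultdict(int)   # port -> client packets in the current second
        self.bindings = {}              # mac -> (ip, lease)
        self.dropped = []

    def tick(self):
        self.count.clear()  # next second for the rate limiter

    def ingress(self, port, pkt):
        """True if the packet is forwarded, False if dropped."""
        if pkt.kind in SERVER_MSGS and port not in self.trusted:
            return self._drop(port, pkt, "server message on untrusted port")
        if pkt.kind in CLIENT_MSGS:
            self.macs[port].add(pkt.chaddr)
            if len(self.macs[port]) > self.max_macs:
                return self._drop(port, pkt, "port security: too many MACs")
            self.count[port] += 1
            if self.count[port] > self.rate_limit:
                return self._drop(port, pkt, "snooping rate limit")
        if pkt.kind == "ACK":
            self.bindings[pkt.chaddr] = (pkt.yiaddr, pkt.lease)  # learned from a trusted port
        return True

    def _drop(self, port, pkt, why):
        self.dropped.append((port, pkt.kind, why))
        return False

    def ip_allowed(self, chaddr, ip):
        """IP source guard: a host may only use the address the binding table gave it."""
        return self.bindings.get(chaddr, (None,))[0] == ip


def starvation(max_macs, network="192.168.5.0/24", fake_macs=300):
    """Attacker on Gi0/7 runs DISCOVER/REQUEST under `fake_macs` spoofed MACs.
    Returns (addresses still free, packets dropped by the switch)."""
    sw = SnoopingSwitch({"Gi0/1"}, max_macs=max_macs, rate_limit=10**9)
    srv = DhcpServer(network)
    for i in range(fake_macs):
        chaddr = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        for kind in ("DISCOVER", "REQUEST"):
            pkt = Dhcp(kind, chaddr, 0x1000 + i)
            if sw.ingress("Gi0/7", pkt):
                reply = srv.handle(pkt)
                if reply:
                    sw.ingress("Gi0/1", reply)
    return len(srv.free), len(sw.dropped)


def rogue_offer():
    """Rogue server on Gi0/9 races the legitimate one on Gi0/1 for the same xid.
    Returns (rogue offer forwarded, legit offer forwarded, legit IP allowed, rogue IP allowed)."""
    sw = SnoopingSwitch({"Gi0/1"})
    client = Dhcp("DISCOVER", "00:00:5e:00:53:10", 0xABCD)
    sw.ingress("Gi0/7", client)
    rogue = Dhcp("OFFER", client.chaddr, client.xid, "192.168.5.200", 60)
    legit = Dhcp("OFFER", client.chaddr, client.xid, "192.168.5.20", 3600)
    results = (sw.ingress("Gi0/9", rogue), sw.ingress("Gi0/1", legit))
    sw.tick()
    sw.ingress("Gi0/7", Dhcp("REQUEST", client.chaddr, client.xid))
    sw.ingress("Gi0/1", Dhcp("ACK", client.chaddr, client.xid, "192.168.5.20", 3600))
    return results + (sw.ip_allowed(client.chaddr, "192.168.5.20"), sw.ip_allowed(client.chaddr, "192.168.5.200"))
```

Without port security the attacker empties the /24 with 254 spoofed MACs and the legitimate hosts get no lease; with a limit of three MACs per port the pool loses three addresses and the rest of the attack is dropped. The rogue offer never leaves the untrusted port, and once the legitimate ACK has populated the binding table, traffic from the client with any other source address can be refused.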
Network and Transport Layers: IP security
a touch of IP Security
Spoofing: the ... of a MAC address is not guaranteed; the same holds for an IP address (nothing in the header authenticates its source).
Multiple-choice question (QCM): the use of NAT? Network Address Translation permits:
A. protecting the confidentiality of an IPv4 network topology
B. using only one public IPv6 address for several internal servers
C. protecting the confidentiality of an IPv6 network topology
...
IPSec
4MMSR - Network security course
2.2. Network and Transport Layers security
Lecturer: Fabien Duchene. Topics: Firewall; Proxy, SOCKS; Web-Services
4MMSR
2011-2012
Grenoble INP Ensimag
2.2.1. Firewall
2 4MMSR - Network Security - 2010-2011
• Introduction
• Firewall locations
  o Network edge
  o Endpoint & servers
• Packet filtering
• Stateful Packet Inspection
• Application firewalls
• Firewall policy
Some material from Cyril Voisin's lecture "Base de la sécurité des réseaux" (Principal Security Advisor, Microsoft)
2.2.1. Perimeter security
• Security at the network layers (network & transport)
• Part of the defense-in-depth mechanism
• The traditional security view
• But... it is an old, traditional mechanism, and it is NOT SUFFICIENT today: host protection is vital; it also lacks flexibility and costs
  o Microsoft now pushes for "deperimeterization": IPsec boundaries
2.2.1. Firewall - introduction
• Filtering: "limits network access between at least two networks"
  o filtering in 2 directions
  o rules, metrics
  o RFC 2979 (Behavior of and Requirements for Internet Firewalls)
• Thus located between two networks, either with L2 switching capabilities or as an L3 router in an IP path
• Information disclosure prevention: in an IPv4 network, Network Address Translation keeps the internal topology from being discovered
  o 1-to-1 mapping
  o 1-to-N mapping (discrimination on the destination port)
2.2.1. Firewall – introduction (2)
• Products
• Software firewall
  o installable executable: Linux iptables, Windows Advanced Firewall
  o virtual machine
• Hardware-accelerated firewall "appliance" = HW + SW, e.g. Juniper, NetASQ...
2.2.2. Firewall locations
• Endpoint & servers: "host-based firewall"
  o software: the defense-in-depth principle!
  o tight OS interactions (every socket or routing operation!)
  o easier to attack than a separate firewall
• Network edge
  o software, virtualized or hardware
  [Figure (source: Wikipedia): firewall between the WAN (public network) and the LAN (controlled network), with a DMZ (DeMilitarized Zone, "perimeter network")]
• Two firewall levels: the multiculture principle => different brands
• One firewall level
2.2.2. some common DMZ network topologies
[Figures: two levels, Internet - firewall - DMZ - firewall - internal network; one level, a single firewall with the Internet, the DMZ and the internal network on separate interfaces]
2.2.3. Stateless firewalls “packet filtering”
• 1st generation
  o 1988: Dodong Sean James, Elohra (DEC)
  o 1980-1990: Bill Cheswick and Steve Bellovin (AT&T Bell Labs)
• Filters packets to allow some circuits:
  o Pass
  o Drop (silently discard)
  o Reject (error response to the sender)
• Decides on L3 (network) and L4 (transport) metrics only:
  o IP source/destination address
  o TCP/UDP source/destination port number
• Policy example:
  o allow TCP to port 21 from network A to network B
  o deny all traffic from (any network) to (any network)
[Figure: protocol stack (Physical; Link (Ethernet); Network (IP); Transport (UDP, TCP); upper layers (application, session, presentation...)), with the Network and Transport layers highlighted as the ones a packet filter decides on]
2.2.4. Stateful packet inspection “session filtering”
• Attacks on 1st-generation firewalls: e.g. DoS by SYN flood (consumption of the firewall's resources)
• 2nd generation
  o 1989-90: Janardhan Sharma, Dave Presotto, and Kshitij Nigam
  o 1995: first commercial product by Nir Zuk's team (Check Point)
• Stores the "connection state"
  o is this new packet conformant with the current connection?
  o or is it for a new connection?
  o see the NAT connection table (in your networking lecture!)
• Additional conformance checks on:
  o TCP flags (SYN, ACK, RST, PSH, FIN)
  o session state and the TCP sequence number!
  o any packet that does not correspond to the expected state is blocked!
2.2.4. Stateful firewalls – TCP states
http://en.wikipedia.org/wiki/Transmission_Control_Protocol
2.2.4. Stateful firewalls – state table
• Statically limited table size
• Each entry:

  Source port | Destination port | Source IP     | Destination IP | IP protocol number (optional) | Protocol (optional) | Timeout (optional)
  51345       | 25               | 216.32.180.22 | 129.88.30.5    | 6                             | SMTP                | 35/50

• Flushing policy: when the connection is closed, or when no packet is seen during the TIMEOUT period
• Some IP protocol numbers:

  IP number | IP name
  1         | ICMP
  6         | TCP
  17        | UDP

http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
Understanding the FW-1 State Table, Lance Spitzner
2.2.4. SPI firewall - example
• E.g.: a web server (HTTP on TCP 80) published over IPv4, protected by D-NAT (Destination NAT), here with a 1-to-1 mapping
• Actors: web client 87.98.190.108; SPI firewall whose public IP address is 91.121.51.205; DMZ network 10.0.0.4/28 (addresses .5 and .6 in use) with the web server at 10.0.0.5 listening on TCP 8082
• SYN processing:
  1. Client -> firewall: SYN, source TCP 87.98.190.108:45784, destination 91.121.51.205:80
  2. Firewall -> web server (DMZ): SYN, source 87.98.190.108:45784, destination 10.0.0.5:8082 (destination rewritten; a state entry is created)
  3. Web server -> firewall: SYN ACK, source 10.0.0.5:8082, destination 87.98.190.108:45784
  4. Firewall -> client: SYN ACK, source 91.121.51.205:80, destination 87.98.190.108:45784 (source rewritten back to the public address)
  5-12. The client's ACK and every following segment go through the same state lookup and rewriting; the client can now send its HTTP requests and the same kind of checks are performed during the WHOLE communication
• Example: TCP has a 3-way handshake (SYN, SYN ACK, ACK). If any actor does not respect it, the packet is dropped.
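The three preceding slides as running code, added here and not part of the course: a first-match packet filter with the policy's implicit "deny all", and a stateful firewall that keeps a state entry per connection, tracks the SYN / SYN ACK / ACK stages and applies the D-NAT of the figure (91.121.51.205:80 to 10.0.0.5:8082). Packets are objects; the rule set and the reduced state machine are this example's own.

```python
"""A packet filter (first match, implicit deny) and a stateful firewall that
tracks the TCP handshake while applying the page's D-NAT: 91.121.51.205:80 is
the public face of the DMZ web server 10.0.0.5:8082. Added example, not the
course's code: packets are objects and the state machine is reduced to what
the figure needs (no sequence-number window, no teardown)."""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress

TCP, UDP = 6, 17
SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})


@dataclass(frozen=True)
class Pkt:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()


@dataclass
class Rule:
    action: str                   # "pass" | "drop" | "reject"
    proto: Optional[int] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p):
        return ((self.proto is None or p.proto == self.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or p.dport == self.dport))


def packet_filter(rules, p):
    """Stateless: first matching rule wins; no match means drop (the policy's
    last rule is 'deny all')."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


class StatefulFirewall:
    """State keyed by the connection as seen from the Internet side:
    (proto, client ip, client port, public ip, public port) -> handshake stage."""

    def __init__(self, rules, dnat):
        self.rules = rules
        self.dnat = dnat                                  # (public ip, port) -> (dmz ip, port)
        self.snat = {v: k for k, v in dnat.items()}       # reverse mapping for replies
        self.state = {}
        self.dropped = []

    def inbound(self, p):
        """Internet -> DMZ. Returns the rewritten packet, or None if dropped."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        stage = self.state.get(key)
        if stage is None:
            if p.flags != SYN or packet_filter(self.rules, p) != "pass":
                return self._drop(p, "no state and not an allowed SYN")
            self.state[key] = "SYN_SENT"
        elif stage == "SYN_RECEIVED" and p.flags == ACK:
            self.state[key] = "ESTABLISHED"
        elif stage != "ESTABLISHED" or "SYN" in p.flags:
            return self._drop(p, f"{sorted(p.flags)} unexpected in {stage}")
        dst, dport = self.dnat.get((p.dst, p.dport), (p.dst, p.dport))
        return replace(p, dst=dst, dport=dport)

    def outbound(self, p):
        """DMZ -> Internet: only replies to a tracked connection get out."""
        pub_ip, pub_port = self.snat.get((p.src, p.sport), (p.src, p.sport))
        key = (p.proto, p.dst, p.dport, pub_ip, pub_port)
        stage = self.state.get(key)
        if stage == "SYN_SENT" and p.flags == SYNACK:
            self.state[key] = "SYN_RECEIVED"
        elif stage != "ESTABLISHED" or "SYN" in p.flags:
            return self._drop(p, f"{sorted(p.flags)} unexpected in {stage}")
        return replace(p, src=pub_ip, sport=pub_port)

    def _drop(self, p, why):
        self.dropped.append((p, why))
        return None


RULES = [Rule("pass", TCP, dst="91.121.51.205/32", dport=80)]  # followed by the implicit deny all
DNAT = {("91.121.51.205", 80): ("10.0.0.5", 8082)}
CLIENT, PUBLIC, SERVER = "87.98.190.108", "91.121.51.205", "10.0.0.5"


def handshake():
    """Steps 1-4 of the figure plus the final ACK; returns the packets as forwarded and the firewall."""
    fw = StatefulFirewall(RULES, DNAT)
    s1 = fw.inbound(Pkt(TCP, CLIENT, 45784, PUBLIC, 80, SYN))        # 1 -> 2: destination becomes 10.0.0.5:8082
    s2 = fw.outbound(Pkt(TCP, SERVER, 8082, CLIENT, 45784, SYNACK))  # 3 -> 4: source becomes 91.121.51.205:80
    s3 = fw.inbound(Pkt(TCP, CLIENT, 45784, PUBLIC, 80, ACK))        # connection established
    return s1, s2, s3, fw
```

A bare ACK with no state entry, a SYN ACK from the DMZ that answers nothing, and UDP toward the public address all end up in `dropped`, which is the difference from the stateless filter: the first-generation filter would have to pass every segment with the ACK bit set to let established connections work at all.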
2.2.5. Application firewalls
• 3rd generation
  o 1990-91: Bill Cheswick (AT&T), Marcus Ranum, and Gene Spafford (Purdue)
• Has a "protocol description": sequences, data types & sizes, e.g. HTTP, DNS...
• QoS: traffic prioritization, useful for applications with real-time requirements (e.g. SIP)
• Performs Deep Packet Inspection
  o blocks known attacks (exploit signatures, ~80%) and viruses (signatures too)
  o forces specific protocol behaviour, e.g. limiting an HTTP header to x bytes
  o blocks specific content, e.g. sending PDF files via Gmail
Bill Cheswick, The Design of a Secure Internet Gateway, USENIX 1990
[Figure: the same protocol stack, with the upper layers (application, session, presentation...) highlighted as well: an application firewall inspects up to the application layer]
2.2.6. Firewall policy
• A set of rules
• Example:
  o block all outgoing FTP traffic except from host ... to host ...
  o allow only a subset of the commands of the SIP protocol
• Least privilege principle: the last evaluated rule has to be
  o "Deny all traffic from any network to any network"
2.2.7. Additional cool stuff
• Policy depending on the identity of authenticated users: Role-Based Access Control
• May also provide additional functions: proxy; failover, load balancing
Firewall - interlude
• Firewalls and Internet security: repelling the wily hacker, William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin
2.2.2. Proxy
• Acts as an intermediary for requests from clients to another service.
• Types: forward, open, reverse
• Applications: Squid; Microsoft Forefront Threat Management Gateway (ISA Server)
[Figures: forward proxy (internal network -> proxy -> Internet); open proxy (Internet -> proxy -> Internet); reverse proxy (Internet -> proxy -> internal server, e.g. a web server)]
2.2.2. Proxy - features
• Policy: filtering at the application level
  o similar to Deep Packet Inspection, e.g. HTTP URL filtering; DNS blacklist
• Caching
  o accelerating some requests (e.g. a forward proxy serving static content from google.fr out of its cache rather than fetching it again from the Internet)
• Logging
  o each corporation providing Internet access has to log requests (liability issues)
• The policy can depend on the authenticated user/computer
2.2.2. Proxy - SOCKS
• SOCKS (RFC 1928, SOCKS version 5); the server listens on TCP port 1080 by default
• The application has to "understand" the SOCKS dialogue: it asks the proxy to connect on its behalf and then speaks the real protocol through it
• E.g.: forward proxy in a corporation; HTTP GET /
[Figure: client in the internal network, SOCKS proxy, firewall, identity provider, Internet. Firewall rule: allow HTTP and DNS from the proxy to the Internet. Protocol stacks: client <-> proxy: SOCKS over TCP/IP (client-proxy); proxy -> server: HTTP over TCP/IP with source = proxy, then source = proxy/firewall after the firewall; end to end: HTTP over TCP over IP (client-server)]
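The SOCKS dialogue of the figure on the wire, as an added example (not the course's code): the bytes a socksified client sends to the proxy on TCP 1080, the proxy's parsing of them and its answer, following RFC 1928. Hostnames, ports and the proxy's allowed-port rule are made up, and nothing is actually connected.

```python
"""SOCKS5 (RFC 1928) as bytes on the wire between a socksified client and the
proxy on TCP 1080, with the proxy-side policy decision. Added example, not the
course's code: the hostnames, ports and the allowed-port rule are made up and
nothing is actually connected."""
import ipaddress
import struct

VER = 0x05
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY = {0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
         3: "network unreachable", 4: "host unreachable", 5: "connection refused",
         6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def client_greeting(methods=(METHOD_NO_AUTH,)):
    """VER | NMETHODS | METHODS: the client lists the authentication methods it supports."""
    return bytes([VER, len(methods), *methods])


def server_method_choice(greeting, supported=(METHOD_NO_AUTH,)):
    """VER | METHOD: the proxy picks one, or 0xFF to tell the client to go away."""
    if greeting[0] != VER:
        raise ValueError("not SOCKS5")
    offered = set(greeting[2:2 + greeting[1]])
    chosen = next((m for m in supported if m in offered), METHOD_NONE_ACCEPTABLE)
    return bytes([VER, chosen])


def connect_request(host, port):
    """CONNECT with the DOMAINNAME address type: the proxy resolves the name, so
    client DNS never has to cross the firewall (cf. 'allow HTTP, DNS from proxy')."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("domain name length must fit in one byte")
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def parse_request(data):
    """Return (cmd, host, port); raises on malformed input."""
    ver, cmd, rsv, atyp = data[:4]
    if ver != VER or rsv != 0:
        raise ValueError("bad version or reserved byte")
    if atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, off = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        raise ValueError("unknown address type")
    if len(data) != off + 2:
        raise ValueError("trailing or missing bytes")
    return cmd, host, struct.unpack("!H", data[off:off + 2])[0]


def server_reply(code, bind_ip="0.0.0.0", bind_port=0):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT."""
    return (bytes([VER, code, 0x00, ATYP_IPV4]) + ipaddress.IPv4Address(bind_ip).packed
            + struct.pack("!H", bind_port))


def parse_reply(data):
    if data[0] != VER or data[2] != 0 or data[3] != ATYP_IPV4:
        raise ValueError("unexpected reply format")
    return data[1], str(ipaddress.IPv4Address(data[4:8])), struct.unpack("!H", data[8:10])[0]


ALLOWED_PORTS = {80, 443}  # the proxy's rule set (made up)


def proxy_decide(request):
    """The proxy's view: parse the request and apply its rule set."""
    cmd, host, port = parse_request(request)
    if cmd != CMD_CONNECT:
        return server_reply(7)
    if port not in ALLOWED_PORTS:
        return server_reply(2)
    return server_reply(0, "10.0.0.6", 40001)  # address/port bound on the proxy's outside leg (made up)


def exchange(host, port):
    """Both sides of the dialogue; returns the text of the proxy's final answer."""
    choice = server_method_choice(client_greeting())
    if choice[1] == METHOD_NONE_ACCEPTABLE:
        return "no acceptable method"
    code, _, _ = parse_reply(proxy_decide(connect_request(host, port)))
    return REPLY[code]
```

After a "succeeded" reply the same TCP connection carries the application protocol (here the HTTP GET /) unchanged, which is why the proxy and not the firewall is the place where the rule set can look at the destination name and the user's identity.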
2.2.3. Service Oriented Architecture
• Provides: UDDI (service location), WSDL (service description), SOAP (remote procedure call)
• Interesting: interoperability, low coupling
• Web-Services and firewalls: generally TCP 80 or TCP 443 for the transport; "classic DPI" is not enough, since the "real applications" function at a higher level than HTTP!
[Figure: stack XML over HTTP / RPC over TCP over IP]
2.2.3. WS-Security
• A way of ensuring integrity and confidentiality properties on SOAP messages.
  o Author: OASIS (Microsoft, IBM, ...)
• Credentials: transport of security tokens
  o SAML (Security Assertion Markup Language): authentication, authorization... between "security domains" (e.g. Active Directory domains)
  o Kerberos
  o X.509
• Integrity: XML Signature. Encryption: XML Encryption
2.2.3. WS-Federation & SAML: identity federation
• A user authenticates through his Identity Provider (e.g. corp A) and gets access to applications published by a Service Provider (e.g. corp B) ~ web-browser SSO
• Some definitions (see the ADFS 1.0 example on the next slide)
  o Identity Provider (e.g. LDAP, SQL database...)
  o Claims (FR: revendication), e.g. User.Age >= 18
  o Token (FR: jeton)
  o Service Provider: provides the application
http://blogs.sun.com/hubertsblog/entry/deep_dive_on_saml_2
2.2.3. Active Directory Federation Services 1.0
o Example: Business-to-Business web-browser Single Sign-On [Active Directory Federation Services 2.0 (2010), Philippe Beraud, Microsoft]
Actors: client C and the Identity Provider in Corporation A (authentication side), with federation server FS-A and FS web proxy A in A's DMZ; the web application in Corporation R (resource side), with federation server FS-R and FS web proxy R in R's DMZ.
1. C -> web application (R): HTTP GET /
2. Web application -> C: HTTP 302, "authenticate to FS-R; I need the claims c1, c2..." (2.1); C tells FS-R that its security domain is A (2.2)
3. FS-R -> C: "please provide a token from FS-A" (3.1); HTTP 302 to FS-A, user authentication and SAML token request (3.2)
4. FS-A obtains the attributes from the Identity Provider, builds the claims (c1, c2), adds some information regarding C, and signs them: SAML token [C, c1, c2]FS-A
5. C -> FS-R: HTTP POST [C, c1, c2...]FS-A
6. FS-R token construction: checks the FS-A token signature and builds [C, c1, c2]FS-R
7. C -> web application: HTTP POST [C, c1, c2...]FS-R (7.1)
8. Web application -> C: HTTP 200 OK, servicing
Trust setup: X.509 certificate exchange, so that FS-R accepts FS-A tokens.
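The eight-step exchange above as messages between C, FS-A, FS-R and the web application, as an added example that is neither the course's nor ADFS's code: the token is a JSON body plus an HMAC-SHA256 tag standing in for the XML Signature of a real SAML token, and every key, user, attribute and claim is made up. What it shows is the trust chain: the application only trusts FS-R, FS-R only trusts FS-A, and a claim altered in transit breaks the chain.

```python
"""The federated sign-on as the messages between the client C, the web
application, FS-A and FS-R. Added example, not the course's or ADFS's code:
an HMAC-SHA256 tag over canonical JSON stands in for the XML Signature of a
SAML token, and every key, user, attribute and claim is made up."""
import hashlib
import hmac
import json
import time


def canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class FederationServer:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.trusted = {name: key}  # issuer -> verification key; trusts itself

    def trust(self, other):
        """The 'X.509 cert. exchange' of the figure: accept tokens issued by `other`."""
        self.trusted[other.name] = other.key

    def issue(self, subject, claims, now, lifetime=300):
        body = {"iss": self.name, "sub": subject, "claims": claims, "iat": now, "exp": now + lifetime}
        return {"body": body, "sig": hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()}

    def verify(self, token, now):
        """Trusted issuer, intact signature, inside the validity window: else None."""
        body = token["body"]
        key = self.trusted.get(body["iss"])
        if key is None:
            return None
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]) or not body["iat"] <= now < body["exp"]:
            return None
        return body


# Corporation A: identity-provider attributes (made up) and FS-A
IDP_A = {"alice": {"age": 34, "dept": "sales"}, "bob": {"age": 16, "dept": "intern"}}
FS_A = FederationServer("FS-A", b"fs-a-signing-key")
# Corporation R: FS-R, which accepts FS-A tokens; the web application trusts FS-R only
FS_R = FederationServer("FS-R", b"fs-r-signing-key")
FS_R.trust(FS_A)
REQUIRED = ("c1", "c2")


def fs_a_claims(user):
    attrs = IDP_A[user]
    return {"c1": attrs["age"] >= 18, "c2": attrs["dept"]}  # c1 is the slide's User.Age >= 18


def web_sso(user, now=None, tamper=False):
    """Steps 1-8; returns the HTTP status the web application finally answers."""
    now = time.time() if now is None else now
    # 1-3: GET / -> 302 to FS-R -> "security domain = A" -> 302 to FS-A, where the user authenticates
    if user not in IDP_A:
        return 401
    # 4: FS-A builds and signs [C, c1, c2]FS-A
    token_a = FS_A.issue(user, fs_a_claims(user), now)
    if tamper:
        token_a["body"]["claims"]["c1"] = True  # altered on the way, without FS-A's key
    # 5-6: POST to FS-R, which checks the FS-A signature and re-issues [C, c1, c2]FS-R
    body = FS_R.verify(token_a, now)
    if body is None or any(c not in body["claims"] for c in REQUIRED):
        return 401
    token_r = FS_R.issue(body["sub"], {c: body["claims"][c] for c in REQUIRED}, now)
    # 7-8: POST to the web application, which holds FS-R's verification key only
    app_view = FS_R.verify(token_r, now)
    return 200 if app_view and app_view["claims"]["c1"] else 403
```

FS-R never sees A's directory and the application never sees FS-A: each party checks exactly one signature from the one issuer it was configured to trust, which is what the certificate exchange in the figure sets up.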
2.2.3 – Network and Transport layer security – key notions
Firewall
• Stateful / stateless
• Which layers count for deciding? Application, Transport, Network
• Do they perform masquerading? E.g. NAT in IPv4
• Deep Packet Inspection
• Location: endpoint or network?
• QoS?
Proxy
• Types: forward, open, reverse
• Features: filtering (DPI), caching, logging (relationship to authentication)
• SOCKS: an L5 protocol; makes firewalls easier to administer
Web-Services
• SOA: service, requestor, broker, provider
• WS-Security
• WS-Federation, SAML token, ADFS 1.0 example
Application Layers: DNS
DNS Cache Poisoning
Key points
- July 1997: Eugene Kashpureff [DNS and BIND, 4th Edition]
- Summer 2008: [Kaminsky 2008] alerted vendors that most DNS server implementations were vulnerable [US-CERT 2008]
- Security property violated: integrity (authenticity) of DNS records
The birthday paradox [O'Connor 2008]: n = number of queries sent, t = total number of query IDs (2^16 = 65,536)

$$P_{collis}(n, t) = 1 - \left(1 - \frac{1}{t}\right)\left(1 - \frac{2}{t}\right)\cdots\left(1 - \frac{n-1}{t}\right) \;\ge\; 1 - \left(1 - \frac{1}{t}\right)^{\frac{n(n-1)}{2}}$$

Approximately: n ≥ 700 ⇒ P(n, t) ≥ 0.95 [Friedl 2008]
DNS Cache Poisoning (simple record) [Friedl 2008]
Hypotheses: recursive queries ...; the DNS name to be resolved can't already be in the victim's ...; the attacker has to reply ... than the legitimate server
The first DNS reply carrying the same ... is accepted. The others are dropped.
DNS cache poisoning: some counter-measures
Randomize the Query ID
Use Source Port + Query ID: also randomize the source port (about 2^11 usable values): 2^16 * 2^11 = 2^27 ≈ 134 million combinations to guess
We are trying to ensure the integrity of DNS replies. Why not sign them? → DNSSEC (next slide!)
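The birthday formula and the port-randomization counter-measure computed side by side, as an added example that is not part of the course: the exact product, the closed-form lower bound, and the number of queries needed to reach 0.95 for t = 2^16 (query ID only) and t = 2^27 (query ID plus source port).

```python
"""Collision probability of the DNS birthday attack, exact and bounded, and
the number of queries needed for a given success probability. Added example,
not the course's code."""


def p_collision_exact(n, t):
    """P(n, t) = 1 - prod_{k=1}^{n-1} (1 - k/t)."""
    q = 1.0
    for k in range(1, n):
        q *= 1 - k / t
    return 1 - q


def p_collision_bound(n, t):
    """Lower bound 1 - (1 - 1/t)^(n(n-1)/2), because (1 - k/t) <= (1 - 1/t)^k."""
    return 1 - (1 - 1 / t) ** (n * (n - 1) / 2)


def queries_needed(t, target=0.95):
    """Smallest n with P(n, t) >= target, accumulating the product incrementally."""
    q, n = 1.0, 1  # q is the product for the current n (P(1) = 0)
    while 1 - q < target:
        q *= 1 - n / t
        n += 1
    return n


def summary(target=0.95):
    """Queries needed with a 16-bit ID only and with ID + 11 bits of source port."""
    return {"id_only": queries_needed(2**16, target), "id_and_port": queries_needed(2**27, target)}


if __name__ == "__main__":
    for t in (2**16, 2**27):
        print(f"t=2^{t.bit_length() - 1}: exact P(700)={p_collision_exact(700, t):.4f} "
              f"bound={p_collision_bound(700, t):.4f} n for 0.95: {queries_needed(t)}")
```

With a 16-bit ID about 630 queries suffice; with the source port randomized as well, the same probability needs on the order of 28,000, and that is before DNSSEC removes the guessing game altogether by making a forged reply verifiably wrong rather than merely hard to time.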
DNSSec
nslookup output (the key and signature are truncated here):

    > set q=DNSKEY
    > udp53.org
    ...
    udp53.org rdata_48 = 256 3 5 BEAAAAOr2ijJHRRTMTATseOYKej9212iaIyE...
    > set q=RRSIG
    > udp53.org
    ...
    udp53.org rdata_46 = SOA 5 2 3600 20120228123908 20120129113908 9234 udp53.org. nenjX9dlyZYhabfpgyWuIr5K0V4GURVtZVdyUbr3/+5..==

Use of a PKI for guaranteeing the integrity and authenticity of DNS records; some new DNS record types:
DNSKEY: the public key of the zone (published by the DNS server); above: flags 256 (a Zone Signing Key), protocol 3, algorithm 5
RRSIG: a signature over a DNS record set; above: covers the SOA, algorithm 5, 2 labels, original TTL 3600, expiration 2012-02-28 12:39:08, inception 2012-01-29 11:39:08, key tag 9234, signer udp53.org.
Signature scheme examples (RFC 4034 algorithm numbers): 1 RSA/MD5 (deprecated), 5 RSA/SHA-1 (the one used above), 8 RSA/SHA-256
Periodic re-signing! (the signature above is only valid for one month)
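Reading the two records above in code, as an added example that is not part of the course: the RRSIG fields, the validity window behind "periodic re-signing", and the key tag (RFC 4034, Appendix B) that links an RRSIG to the DNSKEY it was made with. The RRSIG line is the one shown above; since the page truncates the real DNSKEY, the key material used for the tag computation is a constructed placeholder whose tag is not 9234.

```python
"""RRSIG fields, signature validity window and DNSKEY key tag (RFC 4034).
Added example, not the course's code: the RRSIG line is the page's, the
DNSKEY bytes are a constructed placeholder (the page truncates the real key)."""
import base64
import struct
from datetime import datetime, timedelta, timezone

ALGORITHMS = {1: "RSA/MD5 (deprecated)", 5: "RSA/SHA-1", 7: "RSASHA1-NSEC3-SHA1",
              8: "RSA/SHA-256", 13: "ECDSA P-256/SHA-256"}

# RRSIG rdata as printed above; the base64 signature is truncated on the page.
RRSIG_UDP53 = ("SOA 5 2 3600 20120228123908 20120129113908 9234 udp53.org. "
               "nenjX9dlyZYhabfpgyWuIr5K0V4GURVtZVdyUbr3/+5..==")


def _ts(s):
    """YYYYMMDDHHmmSS in UTC, the RRSIG presentation format of RFC 4034 §3.2."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(rdata):
    f = rdata.split()
    return {"type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
            "original_ttl": int(f[3]), "expiration": _ts(f[4]), "inception": _ts(f[5]),
            "key_tag": int(f[6]), "signer": f[7], "signature": "".join(f[8:])}


def signature_usable_at(sig, when):
    """RFC 4034 §3.1.5: never before inception and never after expiration."""
    return sig["inception"] <= when <= sig["expiration"]


def resign_due(sig, when, margin=timedelta(days=7)):
    """Operational check behind 'periodic re-signing': less than `margin` left."""
    return sig["expiration"] - when < margin


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """Wire-format DNSKEY rdata: flags (2 bytes), protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B.1: 16-bit ones-complement-style sum over the rdata
    (all algorithms except 1). A resolver uses it to pick the right DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def describe(rdata=RRSIG_UDP53, now=None):
    sig = parse_rrsig(rdata)
    now = now or datetime.now(timezone.utc)
    return {"covers": sig["type_covered"], "algorithm": ALGORITHMS.get(sig["algorithm"], "unknown"),
            "key_tag": sig["key_tag"], "usable_now": signature_usable_at(sig, now),
            "resign_due": resign_due(sig, now)}
```

A validator that finds the RRSIG usable still has to locate the DNSKEY with the same key tag and algorithm, verify the signature over the RRset with it, and then walk the chain of trust up to the parent zone; the tag only narrows the candidate keys, it proves nothing by itself.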
Underground stuff: Botnet
Botnet
[Bot-net]
Economic model
1. The Botnet Operator (BO) gains the ability to ... on victims' computers, usually by exploiting at least one vulnerability on those systems (a)
2. BO speaks to his bot network via a ... (e.g. IRC, HTTPS, SMTP...)
3. A client ... the botnet usage to BO
4. BO ... to perform the client-requested operations for: a limited amount of time; a limited amount of production (e.g. mails)
(a) A new trend: people voluntarily give such a privilege
Some possible usages: DDoS, SPAM, proxy, password brute-forcing
Botnet: a more technical insight
Protocol: registering new "client" nodes and new "servers"; orders: transmitting them and returning results; updating: mostly automatic (e.g. targets, payloads such as spam templates)
DNS Fast-Flux: low SOA TTL (minimum 181 seconds if not 0, whereas it is usually a day) [Groz and Maury 2011], meaning the SOA DNS servers can change very quickly; each node of the botnet is a compromised host.

    dig SOA ensimag.fr
    ;; ANSWER SECTION:
    ensimag.fr. 7200 IN SOA ppp.imag.fr. fr-imag-subdom-admin.imag.fr. 2011101809 21600 3600 3600000 86400

    dig SOA void99.com
    ;; ANSWER SECTION:
    void99.com. 1800 IN SOA dns1.name-services.com. info.name-services.com. 2002050701 10001 1801 604801 181

In these answers 7200 and 1800 are the TTLs of the SOA records themselves; 86400 and 181 are the last SOA field ("minimum", the negative-caching TTL of RFC 2308), which is the value the slide compares.
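Parsing the two answers above and flagging the short-lived one, as an added example that is not part of the course: the two answer lines are transcribed from the page, the threshold is this example's choice, and the flag is deliberately crude (a real fast-flux detector watches the TTLs and churn of the A records returned across repeated queries, not the SOA alone).

```python
"""SOA answers as printed by dig, parsed into their fields, with a low-TTL flag.
Added example, not the course's code: the two answer lines are transcribed from
the page, the threshold is made up."""

ANSWERS = """\
;; ANSWER SECTION:
ensimag.fr. 7200 IN SOA ppp.imag.fr. fr-imag-subdom-admin.imag.fr. 2011101809 21600 3600 3600000 86400
;; ANSWER SECTION:
void99.com. 1800 IN SOA dns1.name-services.com. info.name-services.com. 2002050701 10001 1801 604801 181
"""

SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def parse_soa(line):
    """'<name> <ttl> IN SOA <mname> <rname> serial refresh retry expire minimum' -> dict."""
    f = line.split()
    if len(f) != 11 or f[2] != "IN" or f[3] != "SOA":
        raise ValueError(f"not an SOA answer line: {line!r}")
    rec = {"name": f[0], "ttl": int(f[1]), "mname": f[4], "rname": f[5]}
    rec.update(zip(SOA_FIELDS, map(int, f[6:])))
    return rec


def parse_answers(text):
    """Keep the SOA records of a dig answer section; ';;' lines are comments."""
    return [parse_soa(l) for l in text.splitlines() if l.strip() and not l.startswith(";")]


def low_ttl(rec, threshold=300):
    """The slide's indicator: record TTL or SOA minimum at or below `threshold` seconds."""
    return rec["ttl"] <= threshold or rec["minimum"] <= threshold


def suspicious_zones(text, threshold=300):
    return [r["name"] for r in parse_answers(text) if low_ttl(r, threshold)]
```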
Botnet: Mega-D IOLTS
Abstracted IOLTS of the Mega-D botnet: [Cho et al. 2010]
Underground stuff: DDoS
Distributed Denial Of Service
Denial of Service: resource exhaustion of
- sockets
- virtual memory
- bandwidth
- CPU clock cycles
Violated security property: availability. In certain (rare) situations the same bug could lead to remote code execution.
Underground stuff: Phishing, Spam, Pr0n
Phishing
... The spoofing website has a similar "look-and-feel" (FQDN, web page); generally money is what is derived from it.
Some phishing examples: an email from the XXX bank telling you that you have to change your password; some welfare service sent you money (e.g. the French CAF); PayPal urges you to log on to your account.
Phishing filters, based on similarity:
- DNS names: typos (gooogle.com), redirectors (HTTP, JS), IDN homograph attacks (Unicode characters in the FQDN that look like ASCII ones)
- web page: XML distance between the page and the imitated one
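Three of the name-based similarity checks above in code, as an added example that is not part of the course: edit distance to a protected brand (the gooogle.com case), IDN homographs via a look-alike "skeleton", and redirector parameters carrying a foreign URL. The brand list and sample URLs are made up and the confusables table is a tiny constructed subset of Unicode TR39, so the goal is to show the mechanics, not to ship a filter.

```python
"""Name-based phishing similarity checks: typo distance, IDN/digit look-alikes,
brand-as-subdomain and open redirectors. Added example, not the course's code:
the brand list and sample URLs are made up; CONFUSABLES is a tiny constructed
subset of Unicode TR39 plus two digit look-alikes."""
import unicodedata
from urllib.parse import parse_qs, urlsplit

BRANDS = {"google.com", "paypal.com", "caf.fr"}
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0501": "d",
               "\u0261": "g", "\u04bb": "h", "\u0131": "i", "0": "o", "1": "l"}


def skeleton(label):
    """ASCII look-alike of a label: NFKD, drop combining marks, map confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out).lower()


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host):
    """(subdomain labels, registrable domain): last two labels, no public-suffix list."""
    labels = host.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def check_url(url):
    """Return the list of reasons the URL looks like a phishing attempt (empty = none)."""
    u = urlsplit(url)
    host = u.hostname or ""
    if any(l.startswith("xn--") for l in host.split(".")):
        host = host.encode("ascii").decode("idna")  # the Unicode form the browser would show
    subs, reg = split_host(host)
    reasons = []
    if reg not in BRANDS:
        skel = skeleton(reg)
        if skel in BRANDS:
            reasons.append(f"look-alike of {skel}")
        else:
            for brand in sorted(BRANDS):
                d = levenshtein(skel, brand)
                if d <= 2:
                    reasons.append(f"typo of {brand} (distance {d})")
        if {b.split(".")[0] for b in BRANDS} & set(subs):
            reasons.append("brand name used as a subdomain")
    for key, values in parse_qs(u.query).items():
        for v in values:
            target = urlsplit(v).hostname or ""
            if v.startswith(("http://", "https://")) and split_host(target)[1] != reg:
                reasons.append(f"redirector via parameter {key}")
    return reasons
```

The homograph test matters in the Punycode form too: a browser that renders `xn--` labels as Unicode shows the user the look-alike, so the filter decodes the label before comparing, exactly as the page's "UTF-8 for FQDN" remark implies.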
Spam
Generating money? Promoting drugs (fake or real) and porn websites; phishing; acting as a traffic broker to exploit vulnerabilities in browsers (goal: trojan installation, for instance to enrol the machine in a botnet)
Getting email addresses? Crawling the web with regular expressions; SQL injection: extracting records from other databases; buying them on the underground market
Pr0n
The adult industry: main goal: generate $; attract a lot of traffic: advertisement, paying subscriptions; traffic broker (see next slide); some re-sell vulnerable clients for exploitation
Spam, Pr0n, phishing: some flows
["Is the Internet for Porn? An Insight Into the Online Adult Industry"]
[Figure: flows between the traffic broker and browser vulnerability scanning]
For Further Reading
Albitz, Paul and Cricket Liu. DNS and BIND, 4th Edition.
Bhaiji, Yusuf (2005). Layer 2 Attacks and Mitigation Techniques. http://www.sanog.org/resources/sanog7/yusuf-L2-attack-mitigation.pdf
Cho, Chia Yuan et al. (2010). "Inference and Analysis of Formal Models of Botnet Command and Control Protocols".
Duda, Andrzej, Franck Rousseau, and Olivier Alphand (2011). 4MMRES-Networks. https://intranet.ensimag.fr/KIOSK/Matieres/4MMRES/news/?page_id=73
Friedl, Steve (2008). An Illustrated Guide to the Kaminsky DNS Vulnerability. http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
Group, Network Working and David C. Plummer (1982). An Ethernet Address Resolution Protocol – or – Converting Network Protocol Addresses. RFC 826. https://tools.ietf.org/html/rfc826
Group, Network Working et al. (2005). IPv4 Link-Local. RFC 3927. https://www.ietf.org/rfc/rfc3927.txt?number=3927
Groz, Roland and Ghislaine Maury (2011). Ensimag-3MMIRC-Introducing Communication Networks. https://intranet.ensimag.fr/KIOSK/Matieres/3MMRTEL/
Kaminsky, Dan (2008). DNS 2008 and the new (old) nature of critical infrastructure. http://www.blackhat.com/presentations/bh-dc-09/Kaminsky/BlackHat-DC-09-Kaminsky-DNS-Critical-Infrastructure.pdf
(Microsoft), Cyril Voisin (2004). Notions fondamentales de sécurité.
O'Connor, Luke (2008). On the DNS Birthday Probability. http://lukenotricks.blogspot.com/2008/11/on-dns-birthday-probability.html
US-CERT (2008). Multiple DNS implementations vulnerable to cache poisoning. http://www.kb.cert.org/vuls/id/800113
Wikipedia. Botnet. https://en.wikipedia.org/wiki/Botnet
Wondracek, Gilbert et al. "Is the Internet for Porn? An Insight Into the Online Adult Industry". http://iseclab.org/papers/weis2010.pdf