CS155: Computer and Network Security

CS155: Homework #2

Spring 2009

Due: Tuesday, May 19


Problem 1: firewalls

A packet-filter firewall decides whether to allow a packet through the firewall based on the TCP/IP header of the packet. Such a firewall can either be stateless, and ignore past history, or stateful. Assume a packet-filter firewall is installed between an enterprise network and the external Internet, for the purpose of protecting users on the enterprise network.

For each of the following attacks, say whether the attack can be detected and mitigated (to a significant degree) by a stateless or stateful firewall. Explain briefly.

  1. Port sweep
  2. SYN flooding (too many SYN packets with no matching ACK; see slide 13 of lecture 8)
  3. DNS cache poisoning
  4. Viruses in incoming email addressed to enterprise users
  5. DNS rebinding
  6. Unrequested streaming video

Problem 2: IP tricks

Recall that the IP packet header contains a 16-bit identification field that is used for assembling packet fragments. IP mandates that the identification field be unique for each packet for a given (SourceIP,DestIP) pair. A common method for implementing the identification field is to maintain a single counter that is incremented by one for every packet sent. The current value of the counter is embedded in each outgoing packet. Since this counter is used for all connections to the host, we say that the host implements a global identification field.
  1. Suppose a host P (whom we'll call the Patsy for reasons that become clear later) implements a global identification field. Suppose further that P responds to ICMP ping requests. You control some other host A. How can you test if P sent a packet to anyone (other than A) within a certain one minute window? You are allowed to send your own packets to P.
  2. Your goal now is to test whether a victim host V is running a server that accepts connections on port n (that is, test if V is listening on port n). You wish to hide the identity of your machine A. Hence, A cannot directly send a packet to V, unless that packet contains a spoofed source IP address. Explain how to use the patsy host P to do this.

    Hint: Recall the following facts about TCP:

    • A host that receives a SYN packet to an open port n sends back a SYN/ACK response to the source IP.
    • A host that receives a SYN packet to a closed port n sends back a RST packet to the source IP.
    • A host that receives a SYN/ACK packet that it is not expecting sends back a RST packet to the source IP.
    • A host that receives a RST packet sends back no response.
  3. How would you change host P to avoid this problem? You are not allowed to modify the TCP/IP protocol or the services running on P. You may only modify the implementation of TCP/IP on host P.

Problem 3: detecting worms

Assume that you are working for a security company that has to monitor a network link for worm traffic. You want to implement a detector that will look at IP-layer network traffic and tell if a worm with a fixed payload (such as Conficker) is active.
  1. Suppose that after careful analysis you discover that worm-generated traffic always contains a fixed 4-byte sequence (called a signature). You build an IP-layer analyzer that signals an alarm whenever it detects a packet containing this 4-byte pattern. Is this detector guaranteed to raise an alarm whenever worm traffic is present in your network?
    Hint: recall that TCP payload data is broken into packets.
  2. Propose an architecture that fixes the problem from part (1). Recall that the network link is used for packets from different source IPs and different destination IPs. Also recall that IP packets can traverse the link out of order (i.e. packet number i+1 can arrive before packet number i).
  3. Suppose benign network traffic is uniformly distributed. That is, every payload byte is chosen uniformly at random. Calculate the expected time until a 100MB/sec link will cause a false alarm. Recall that you are looking for a fixed 4-byte signature.
  4. Assume now that the signature length is 8 bytes. Calculate the expected time until a 100MB/sec link will cause a false alarm.
  5. Discuss the limitations of detectors designed as outlined in previous parts of this problem, and suggest ways an attacker can evade detection. Discuss at least two evasion methods.

Problem 4: Denial of Service

Suppose that a web site uses a service like Prolexic to defend itself against packet floods. (There is a short Prolexic overview on the web.) The protected web site comes under attack from a bot army that generates a flood of normal-looking HTTP requests.
  1. Can a packet flood filter (like prolexic) stop the attack?
  2. Suppose the site maintains a list of past IP addresses that legitimately browsed the site before the attack started. Describe an architecture that would enable the site to keep servicing those machines on the list. How is the list updated and how is it used?
  3. Can you suggest a way that the botnet can adapt to defeat your defense measure from part (2)?

Problem 5: DNSSEC

DNSSEC (DNS Security Extensions) is designed to prevent network attacks such as DNS record spoofing and cache poisoning. In its introductory RFC, DNSSEC's stated purpose is to provide "origin authentication and integrity assurance services for DNS data, including mechanisms for authenticated denial of existence of DNS data." To be more specific, when queried about a record that it possesses (e.g. when the DNSSEC server for example.com is queried about the IP address of www.example.com), a DNSSEC server will return its answer with an associated signature, which can be used to authenticate the answer using the server's public signature verification key. In this problem, assume that the public verification key of a DNS server is acquired by some trustworthy means.

In this problem, we wish to explore the rationale and design behind the "authenticated denial of existence" service provided by DNSSEC. In plain words, we will explore how DNSSEC allows the querier to trust that the DNS server does not have an answer to the query; this will occur if we ask the DNSSEC server for example.com for the IP address of doesnotexist.example.com.

Suppose a user R (a resolver, in DNS parlance) queries a DNSSEC server S, but all of the network traffic between R and S is visible to a network attacker N. The attacker N may send packets to R that appear to originate from S. Suppose that R sends S queries Q1 and Q2 asking for the IP address of service1.example.com and service2.example.com, and S contains a record to answer Q2 but not Q1.

  1. Why is authenticated denial of existence necessary? To answer this question, assume that S sends the same unsigned DOES-NOT-EXIST response to any query for which it has no matching record. Describe a possible attack.
  2. Assume now that S cryptographically signs its DOES-NOT-EXIST response, but the response does not say what query it is a response to. How is an attack still possible?
  3. DNSSEC specifies that, in response to a query for which there is no matching record, a special cryptographically signed response NSEC shall be returned. An NSEC response contains two names, corresponding to the existent record on the server that immediately precedes the query (in lexicographic order), and the existent record that immediately follows the query. For example, if a DNSSEC server has records for a.example.com, b.example.com, and c.example.com, the NSEC response to a query for (non-existent) abc.example.com contains a.example.com and b.example.com because these come just before and just after the requested name. To be complete, NSEC records also wrap around, so a query for a non-existent name after the last existent name will receive an NSEC containing the last and first existent names.

    How should the resolver use the information contained in NSEC records to prevent the attacks you described in previous parts of this problem?

  4. NSEC leaks information that may be useful to attackers on the Internet. Describe how an attacker can use NSEC to enumerate all of the hosts sharing a common domain-name suffix. How is this information useful for attackers?
    Hint: you may assume that the attacker has a dictionary of common host names that contains all the names of interest for the domain.
  5. An alternative authenticated denial of existence format named NSEC3 has been proposed so that DNS responses do not reveal unnecessary information. NSEC3 uses the lexicographic order of hashed records, instead of their unhashed order. In response to a query without a matching record, NSEC3 will return the hashed names that are just before and just after the hash of the query. For example, on a server containing a.example.com, b.example.com, and c.example.com, if a hashes to 30, b to 10, c to 20, and abc to 15, the NSEC3 response to a query for abc.example.com would contain 10.example.com and 20.example.com. Hashed names are also assumed to wrap around, in the same way as unhashed names in NSEC.

    How should the resolver verify the validity of a response under NSEC3?

  6. The hashes in NSEC3 are a function of the original name, plus a salt and an iteration parameter, computed as follows (from the RFC):
       Define H(x) to be the hash of x using the Hash Algorithm selected by
       the NSEC3 RR, k to be the number of Iterations, and || to indicate
       concatenation.  Then define:
    
          IH(salt, x, 0) = H(x || salt), and
    
          IH(salt, x, k) = H(IH(salt, x, k-1) || salt), if k > 0
    
       Then the calculated hash of a name is
    
          IH(salt, name, iterations)
    
    In an NSEC3 reply, the name of the hash function, the salt and the number of iterations are also included, and all names use the same salt value and the same number of iterations.

    Assume that an attacker can get all of the NSEC3 responses for a domain suffix and has access to a dictionary of common host names. Describe how the attacker can use the NSEC3 responses to enumerate hostnames with this domain suffix.

  7. According to the NSEC3 RFC, salts are used to increase the size of computed dictionaries, "because there must be an entry for each word combined with each possible salt value". Given the specification of NSEC3 as described, are salts an effective security tool here? If yes, answer why. If no, answer why not and propose a simple change that improves the security of NSEC3.
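
The iterated hash IH(salt, x, k) from part 6 and the covering check on the hash ring described in parts 3 and 5, including the wrap-around record, as an added example that is not part of the original assignment. The zone, salt, iteration count and function names are constructed for illustration; hashing the wire-format name with SHA-1 follows RFC 5155 rather than the text above, and the signature over each record is assumed to have been verified already.

```python
import hashlib

def wire_name(name: str) -> bytes:
    # RFC 5155 hashes the canonical wire form: lowercase, length-prefixed labels.
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ih(salt: bytes, x: bytes, k: int) -> bytes:
    # IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    digest = hashlib.sha1(x + salt).digest()
    for _ in range(k):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def covers(owner, nxt, target) -> bool:
    # True when target lies strictly inside the gap (owner, nxt) on the hash ring.
    if owner < nxt:
        return owner < target < nxt
    # Wrap-around record: the gap runs from the last hash past the end to the first.
    return target > owner or target < nxt

def denial_is_valid(qname, salt, iterations, owner, nxt) -> bool:
    # Assumes the signature over the NSEC3 record was already verified.
    return covers(owner, nxt, ih(salt, wire_name(qname), iterations))

# Constructed zone and parameters (not taken from any real deployment).
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 5
ZONE = ["a.example.com", "b.example.com", "c.example.com"]

def nsec3_chain(zone=ZONE):
    # Server side: sort the hashed names and link each one to its successor.
    ring = sorted(ih(SALT, wire_name(n), ITERATIONS) for n in zone)
    return [(ring[i], ring[(i + 1) % len(ring)]) for i in range(len(ring))]

def accepted_records(qname):
    # Which records in the chain would a resolver accept as a denial for qname?
    return [rec for rec in nsec3_chain()
            if denial_is_valid(qname, SALT, ITERATIONS, *rec)]

if __name__ == "__main__":
    print(len(accepted_records("abc.example.com")))  # exactly one record covers it
    print(len(accepted_records("b.example.com")))    # none: the name exists
```

A validly signed record for any other gap fails `denial_is_valid` for the queried name, which is what binds a denial to the query it answers.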