Lecture10.tex

%!TEX root = InfoSec.tex
% Lecture 10: 13 October 2014
\sektion{10}{Securing network infrastructure}
The internet is a network of networks. Each network is an ``autonomous system'' such as ISPs. For example, Princeton is one autonomous system. Each autonomous system is run by a separate administrator, and they connect together at exchange points. There are about 40,000 autonomous system numbers assigned.

\textbf{Internet routing}\\
Routing is based on BGP (border gateway protocols). BGP is how autonomous systems talk to each other about routing information. IP is the actual routing protocol. 

\textbf{Shortest path routing}\\
This is a simplified way of viewing BGPs. Think of each autonomous system as a single node.
\begin{itemize}
	\item routers talk to each other
	\item they exchange topology and cost info
	\item each router calculates the shortest path to destination based on its neighbors' distances

		``If my closest neighbor can get to destination in 4 steps, then I can get there in 5 steps''

		BUT routers can lie about paths and costs
	\item router calculates the next hop based on neighboring path costs
	\item router forwards packet to the next hop
\end{itemize}

An adversary node can lie about its costs and route packets to itself. There might exist a tunnel for packet reinjections if Z and Z' are both adversarial. Then, Z can modify all packets and send it to Z' for reinjection. This is called prefix hijacking

\subsektion{Prefix Hijacking}
(This often happens as a result of accidental misconfiguration). 

\begin{example}
China ``hijacked the internet'' when it announced route to a random-ish 15\% of the internet. It is an autonomous system (AS) big enough that it didn't get crushed under the load, and simply forwarded the traffic while the user did not notice anything.
\end{example}

Malice is unlikely through prefix hijacking
\begin{enumerate}
	\item can't bypass app-level encryption
	\item can't store all the traffice
	\item it's very easily detectable
\end{enumerate}

\subsektion{How to defend?}
Can crypto help? Remember that AS's can lie about their own links and costs and about
what other nodes said. So, crypto \textit{can} prevent lying about what neighbors said but it \textit{can't} prevent lying about your own links.

\textbf{Routing relies on trust}\\
It is a different adversary model compared to application-layer security. 
\begin{itemize}
	\item small number of AS's
	\item AS's are well known
	\item and physically connected
	\item AS's also don't want to advertise shorter paths than reality because then
		they will likely be overloaded with traffic and go down
\end{itemize}
All of the above are natural protection against attacks. It's not an ideal setup, but it's not terrible either. Is there a much better way to design BGP if we were to do it over? Unclear.

\subsektion{IP packet}
These contain source and destination IP addresses. Can these things be spoofed? 
\begin{itemize}
	\item source IP? yes
	\item destination IP? no, that doesn't even make sense
\end{itemize}

Nodes can only verify claimed source address back one hop; this is why IPs are spoofable. For example, DoS attacks spoof their return IP addresses.

\subsektion{Ingress/egress filtering}
(This is what takes place at the ``gateway'' of the AS)

Ingress filtering: discard incoming packet if source IP is inside the AS (because why would that happen in real life? It wouldn't). This protects against types of DoS. Potects yourself.

Egress filtering: discard outgoing packet if source IP is outside. This protects against types of DoS if adversary takes over internal computer and tries to send DoS packets. Protects the rest of the internet.

\textbf{DDoS is easy if you have a lot of zombies}\\
\textit{More difficult:} DoS from a single machine with more traffic than machine is capable of. So the goal? Amplication of traffic volume.

\textbf{Smurf attack}\\
Attacker broadcasts ECHO request with spoofed source IP address (this is the victim's IP address). All networks hosts (broadcast recipients) hear broadcast and respond. Except they respond to the victim, who is overwhelmed with traffic.

\subsektion{DNS attacks}
DNS: The system that takes a domain name and translate it into an IP address.

\textit{User requests example.com $\rightarrow$ recursive name server $\rightarrow$ root server $\rightarrow$ recursive name server $\rightarrow$ TLD name servers $\rightarrow$ recursive name server $\rightarrow$ thousands of name servers $\rightarrow$ recursive name server $\rightarrow$ 192.168.31}

\textbf{Root servers}\\
Requests are delivered to the root server who is closest and available.

\textbf{Cache poisoning}\\
In the words of Wikipedia: ``DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer (or any other computer).''

\subsektion{Prevention: DNSSEC}
DNS root servers: root of trust\\
DNS hierarchy: chain of trust; each name server signs public keys of servers it delegates to. Resolvers and some clients have root public keys built in. This only authenticates -- no encryption.

\subsektion{Crypto and layers}
Crypto can be incorporated into different layers:\\
Secure sockets layer (SSL) and transport layer security (TLS)
\begin{itemize}
	\item Application level security (or rather, between application and transportation)
	\item Authentication hostnames, encrypts sessions over TCP
	\item Keys verified using certs/certificate authorities
\end{itemize}
IPSec
\begin{itemize}
	\item Network layer security
	\item Authenticates IP addresses, encrypts IP packets
	\item Keys are distributed/verified by DNA or manually
	\item It's a mess because (1) key distribution sucks (2) authenticating IP addresses is hard for user to sanity check (3) network level is hard to implement since IP is stateless
\end{itemize}

\sidenote {
	\textbf{NSA MUSCULAR}\\
	NSA was physically tapping into links between Google data centers, and between Yahoo data centers. IPSec would have stopped this.
}