Two network security attacks: one on a printer discovery protocol and the other on a DNS server using DNS amplification. The first attack describes how Attila can intercept and manipulate printer discovery packets to gain access to Vicky's document. The second attack explains how attackers exploit third-party DNS servers to overload Turquoise Security's web server with traffic. Both attacks involve understanding IP header fields and network traffic manipulation.
Typology: Exams
Each correct answer was worth 2 points. No credit was given for incorrect answers even if accompanied by an explanation.
(a) TRUE or FALSE: SQL injection vulnerabilities can be avoided by applying the following algorithm to every untrusted input: replace every instance of & with &amp;, replace every instance of < with &lt;, replace every instance of > with &gt;, and replace every instance of " with &quot;. Comment: That might be part of a defense against XSS, but it doesn’t help with SQL injection.
(b) TRUE or FALSE: The same-origin policy generally allows JavaScript from berkeley.edu to read cookies associated with berkeley.edu.
(c) TRUE or FALSE : The same-origin policy generally allows JavaScript from berkeley.edu to read cookies associated with stanford.edu.
(d) TRUE or FALSE: A benefit of privilege separation is that it can provide an opportunity to reduce the size of the TCB.
(e) TRUE or FALSE : If we ensure that the attacker does not have permission to read the value of session cookies stored by the victim’s browser, session fixation attacks become impossible. Comment: Session fixation attacks rely upon the attacker’s ability to write the value of session cookies; reading is irrelevant.
(f) TRUE or FALSE : It is easier to passively eavesdrop on UDP traffic than on TCP traffic. Comment: It is more difficult to spoof TCP traffic, but to simply listen in on it works the same as does listening in on UDP traffic. There is a separate question of how much work it is to then analyze the captured traffic. While TCP is more complex than UDP in this regard, the difficulty will also depend on the application protocol; some UDP-based protocols are very complex, such as file system protocols like SMB and NFS.
(g) TRUE or FALSE : Ingress filtering refers to carefully escaping meta-characters in URLs.
Comment: Ingress filtering refers to filtering of network packets to avoid forged source addresses.
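Added example (not part of the exam or its solutions) illustrating the comment on (a): the four replacements are HTML escaping, which leaves the single quote and SQL comment sequences untouched, so a query built by string concatenation is still injectable, while a parameterised query is not. The table and its two rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample table; not part of the exam.
_ROWS = [("alice", "s3cret"), ("bob", "hunter2")]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _ROWS)
    return conn


def escape_like_question_a(s):
    """The four replacements from question (a): & < > and double quote.

    This is HTML escaping (an XSS mitigation). The single quote, the
    SQL comment marker and the SQL keywords pass through unchanged.
    """
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def lookup_concat(name):
    """Query assembled by string formatting after applying (a)'s algorithm.

    Returns every matching user name; with a crafted input it returns all
    rows because the input changed the structure of the SQL statement.
    """
    conn = _db()
    q = "SELECT name FROM users WHERE name = '%s'" % escape_like_question_a(name)
    return [r[0] for r in conn.execute(q)]


def lookup_param(name):
    """Parameterised query: the driver passes the input as data only,
    so no escaping of the input is needed or relied upon."""
    conn = _db()
    q = "SELECT name FROM users WHERE name = ?"
    return [r[0] for r in conn.execute(q, (name,))]
```

Run `lookup_concat("x' OR 1=1 --")` and `lookup_param("x' OR 1=1 --")` side by side: the first returns both rows, the second returns none, which is the whole point of the comment on (a).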
(a) BankOBits is a local bank that offers its customers access to a number of conveniently located ATMs. Normally, when a customer inserts his/her ATM card into a BankOBits ATM, the ATM will contact the BankOBits central server to validate the ATM card inserted into it and check that the corresponding account has sufficient funds before allowing the user to withdraw money. However, if the server does not respond, the network connection is down, or something else goes wrong with this query, the BankOBits ATM will assume all is well, allow the customer to withdraw up to $300, keep a record of the transaction, and upload that information to the BankOBits server whenever connectivity is restored. As a result of this design decision, a gang of criminals are able to steal from the bank by cutting the network connection on BankOBits ATMs and withdrawing $300 from them using a fake ATM card. In this story, which security principle was violated? Circle one (the best answer), and briefly explain. (i) Least privilege. (ii) Fail-safe defaults.
(a) Check that m does not contain any of the following characters: *|`(). (b) Remove all instances of the following characters from m: *|`(). (c) Check that m starts with a letter (a-z or A-Z) and is composed solely of the following characters: abc... zABC... Z0123... 9@+-_.. (d) None of the above: This code cannot be made safe, no matter what checks you do on m.
Explain why briefly (one line or less): Whitelisting is safer than blacklisting. The whitelist doesn’t contain any shell metacharacters, so any string that passes the check will be interpreted by the shell as a single argument to mail and will not affect the flow of execution. Comment: Answers indicating (d), that the code cannot be made safe regardless of checks on m, were only acceptable if accompanied by a discussion of a specific remaining vulnerability. For example, it was not enough to state that “popen is inherently unsafe” or “mail could have a vulnerability.” It did however suffice to frame that mail might allocate less than 1,024 bytes for holding its first argument, and thus a long value of m could overflow it, if accompanied by a statement that executable code could be encoded using only those characters allowed by the filter in (c). We also accepted the quite different vulnerability that an attacker could repeatedly abuse sendemail to send spam.
A consortium of printer vendors have come up with a great new protocol to help users automatically discover the set of printers on their local network. In this protocol, when the user wants to print something, the user’s computer automatically broadcasts a Printer Discovery packet. A Printer Discovery packet is a UDP packet whose destination address is the broadcast address, and whose source and destination port is 56184. Because this is a broadcast packet, every host on the local network will receive it.
Printers constantly listen for Printer Discovery packets. Any time that they receive one, they immediately respond with a Printer Announcement packet. A Printer Announcement packet is a UDP packet whose destination address is the broadcast address, and whose source and destination port is 56185; its payload identifies the name of the printer, the printer’s IP address, and any special options supported by the printer (e.g., 2-sided printing, color printing). The Printer Announcement packet is broadcast to the entire network, so that other hosts on the local network can also learn about this printer.
Whenever a machine receives a Printer Announcement packet, it checks that the source address of the packet matches the printer’s IP address found in the payload. In case of a mismatch, it ignores the packet. Otherwise, it accepts the packet and adds this printer to its list of known printers. If the machine’s list of known printers already contains a printer with the same name, the machine overwrites the previous entry in its list with the information found in the newly received packet.
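Added example (not part of the exam) that implements the receiver side of the protocol exactly as described above: port check, source-address-versus-payload check, and overwrite of an existing entry with the same name. The wire format is an assumption (the exam fixes none): a JSON object with "name", "ip" and "options" fields. The replay at the end shows the consequence of the acceptance rule: it only ties the payload to whoever sent the packet, so any host announcing its own address under an existing printer's name replaces that entry.

```python
import ipaddress
import json

ANNOUNCE_PORT = 56185   # Printer Announcement source and destination port


def parse_announcement(src_ip, sport, dport, payload):
    """Validate one received UDP datagram; return printer info or None.

    Acceptance rule from the protocol description: both ports must be
    56185 and the IP-header source address must equal the IP address
    carried in the payload. Anything else is ignored.
    """
    if sport != ANNOUNCE_PORT or dport != ANNOUNCE_PORT:
        return None
    try:
        info = json.loads(payload.decode("utf-8"))   # assumed JSON payload
        claimed = ipaddress.ip_address(info["ip"])
        name = str(info["name"])
        options = list(info.get("options", []))
    except (ValueError, KeyError, TypeError, AttributeError):
        return None                     # malformed payload
    if ipaddress.ip_address(src_ip) != claimed:
        return None                     # source/payload mismatch
    return {"name": name, "ip": str(claimed), "options": options}


class PrinterList:
    """Known-printer list keyed by printer name, as the protocol specifies."""

    def __init__(self):
        self.printers = {}

    def handle(self, src_ip, sport, dport, payload):
        info = parse_announcement(src_ip, sport, dport, payload)
        if info is None:
            return False
        self.printers[info["name"]] = info      # same name: overwrite entry
        return True


def _announce(ip, name, options=()):
    # Constructed datagram payload for the simulation below.
    return json.dumps({"name": name, "ip": ip, "options": list(options)}).encode()


def simulate():
    """Replay four datagrams against one receiver and return its list.

    1. a printer announces itself                 -> accepted
    2. same payload on the discovery port 56184   -> ignored (wrong port)
    3. payload claims 10.0.0.20, sent from .99    -> ignored (mismatch)
    4. host .99 announces .99 under the same name -> accepted, overwrites 1
    """
    pl = PrinterList()
    pl.handle("10.0.0.20", ANNOUNCE_PORT, ANNOUNCE_PORT,
              _announce("10.0.0.20", "lobby-printer", ["duplex"]))
    pl.handle("10.0.0.20", 56184, ANNOUNCE_PORT,
              _announce("10.0.0.20", "lobby-printer"))
    pl.handle("10.0.0.99", ANNOUNCE_PORT, ANNOUNCE_PORT,
              _announce("10.0.0.20", "lobby-printer"))
    pl.handle("10.0.0.99", ANNOUNCE_PORT, ANNOUNCE_PORT,
              _announce("10.0.0.99", "lobby-printer"))
    return pl.printers
```

The mismatch check only stops a host from claiming an address it did not send from; nothing in the protocol binds a printer name to an address, so the name-keyed overwrite is where the trust fails. A receiver that wants to resist this needs an authenticated binding (a key per printer, or a pinned name-to-address mapping), which the protocol as specified does not provide.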
Vicky the Victim is about to connect her laptop to a local switched Ethernet network. Her laptop will use this printer discovery protocol to look for a printer, and then Vicky will connect to one of the printers found in this way and send it a sensitive corporate document to be printed. Meanwhile, Attila the Attacker’s computer is attached to this same network. Attila has the ability to inject packets onto this network and to receive all broadcast packets, but he cannot eavesdrop on other traffic. The printers are in locked rooms that Attila does not have access to, and Attila has not been able to hack or access any of the machines or printers attached to this network, so his only hope is to attack the printer discovery protocol.
(a) Can Attila arrange to learn the contents of Vicky’s document, without physically accessing any of the printers? Circle either “yes” or “no”, then briefly justify your answer. If you circle “yes”, describe the attack; if you circle “no”, explain why this kind of attack is not possible. (i) Yes. (ii) No. Justification: Attila can observe Vicky’s Printer Discovery packet and the real printers’ Printer Announcement packets, then (before Vicky prints the document) broadcast Printer Announcement packets containing Attila’s IP address but the name of the other printers. When Vicky prints her document, she will send it to Attila, and Attila can see the contents of the document. Attila can then optionally forward the document on to the printer so Vicky doesn’t notice anything amiss. Comment: As explained on the newsgroup, depending on the specifics of how Vicky’s printing works, the attacker might need to reply before a legitimate printer does, or after it does. Either type of answer was acceptable, as was spoofing an existing printer’s identity or creating a fake, apparently additional printer. Full credit required clearly conveying an understanding that broadcast allows Attila to monitor the request and response traffic. We also allowed a quite different solution inspired by Homework #2, where Attila floods the forwarding table used by the network’s switch so that Vicky’s print job would be broadcast, enabling Attila to observe it.
(b) Can Attila modify what is printed on the printer? In other words, Attila wants to replace Vicky’s chosen document with something else Attila has chosen, hopefully without Vicky noticing. It’s not acceptable if Vicky’s original document gets printed in addition to Attila’s replacement, because then Vicky might notice and get suspicious; Attila is only interested in an attack that causes his document to be printed instead of Vicky’s. Can Attila mount such an attack, without physically accessing any of the printer? Circle either “yes” or “no”, then briefly justify your answer. If you circle “yes”, describe the attack; if you circle “no”, explain why this kind of attack is not possible. (i) Yes. (ii) No. Justification: Do the same as in (a), except modify the document before forwarding it on to the printer. Comment: Full credit required both conveying the notion of a man-in-the-middle attack and also suppressing the printing of Vicky’s document.
This question asks you to consider a (hypothetical) anti-spam company called Turquoise Security Inc. Turquoise Security uses a vigilante approach to fighting spam: when one of Turquoise Security’s users identifies an email they’ve received as spam, Turquoise Security’s servers automatically visit all the websites advertised in the spam message and leave generic complaints on those websites. Turquoise Security operates on the assumption that as their user base grows, the flow of complaints from hundreds of thousands of computers will apply enough pressure on spammers and their clients to convince them to stop spamming.
Yesterday, Turquoise Security’s web site came under a massive DDoS attack using a variety of techniques. The attackers are using DNS amplification: the attackers identified several third-party DNS servers that will respond to any DNS query, and are sending many spoofed DNS queries to those DNS servers with a forged source address. In particular, each query is sent in a spoofed UDP packet, where the source address on each of these DNS queries is forged to be the IP address of Turquoise Security’s web server. Also, each query has been chosen so that it will trigger a response that is much larger than the query itself, amplifying the effect of the attack. This attack has overloaded Turquoise Security’s web server with huge amounts of traffic.
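Added example (not part of the exam) showing what the attack above looks like from the victim's side of the wire and how to spot it: because the queries carried a forged source address, the victim receives DNS responses for which it never sent a matching query. The flow records are constructed for the example; the function returns, per internal address, the bytes of UDP port-53 responses with no corresponding outbound query, and a second function computes the per-byte amplification the comment refers to.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: (src, sport, dst, dport, proto, bytes).
# 192.0.2.0/24 plays the role of Turquoise Security's network.
FLOWS = [
    ("192.0.2.10", 40001, "198.51.100.5", 53, "udp", 64),    # our own query
    ("198.51.100.5", 53, "192.0.2.10", 40001, "udp", 180),   # its answer
    ("203.0.113.7", 53, "192.0.2.10", 40002, "udp", 3200),   # no query sent
    ("203.0.113.8", 53, "192.0.2.10", 40002, "udp", 3100),   # no query sent
    ("203.0.113.9", 53, "192.0.2.10", 40003, "udp", 2900),   # no query sent
]


def unsolicited_dns_responses(flows, our_net="192.0.2.0/24"):
    """Bytes of UDP/53 responses per internal host that match no query.

    A legitimate answer is the reverse of a query we sent (same 4-tuple
    with source and destination swapped). Reflected, amplified answers
    arrive without that outbound query, because the query left some
    other network with our address forged as its source.
    """
    net = ipaddress.ip_network(our_net)

    def ours(ip):
        return ipaddress.ip_address(ip) in net

    queries = set()
    for src, sport, dst, dport, proto, _ in flows:
        if proto == "udp" and dport == 53 and ours(src):
            queries.add((src, sport, dst, dport))

    unsolicited = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto == "udp" and sport == 53 and ours(dst):
            if (dst, dport, src, sport) not in queries:
                unsolicited[dst] += nbytes
    return dict(unsolicited)


def amplification_factor(query_bytes, response_bytes):
    """Bytes delivered to the victim per byte the sender had to transmit."""
    return response_bytes / query_bytes
```

On a real border this check runs over exported flow data rather than a list, but the matching rule is the same; a high unsolicited count from many distinct resolvers at once is the signature of reflection rather than a misconfigured client.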
A bit of partial credit was given for answers that were either vague (“filtering”) or would entail significant “collateral damage”, such as severing all Internet connectivity, rate-limiting all incoming connections, or requiring Turquoise Security to split their web service across multiple servers/IP addresses. Solutions that specified multiple reasons received partial credit proportional to the number of correct reasons versus the number of total reasons.
(c) Today, DNS servers accept queries via the UDP protocol. But imagine that DNS had been designed differently, so that DNS used only TCP (not UDP) and DNS servers accepted queries only via TCP (ignoring all UDP packets). Would this make the DNS amplification attack described above easier, harder, or have no effect? Circle one answer, then briefly explain your answer (in one line or less). (i) The attack would be easier. (ii) No effect. (iii) The attack would be harder. Justification: The attackers would have to guess TCP Initial Sequence Numbers to complete the three-way handshake. These days TCP ISNs are usually random unguessable 32-bit numbers, so guessing them is hard. Comment: It’s true that if the attackers sent SYN packets to the third-party DNS servers with the source address forged to be that of Turquoise Security’s web server, those DNS servers would respond with a SYN|ACK packet to Turquoise’s web server. However, this would not provide any amplification, so it’s not a DNS amplification attack (and it’s not clear it has any benefit over just sending packets directly to Turquoise with a spoofed source address). Also, such an attack is not specific to DNS—it’s an attack that can be mounted against any server that is listening on any known TCP port. Full credit required mention of a reason why it is difficult for an attacker to spoof a TCP connection, or mention that use of TCP would result in loss of amplification coupled with an explanation of why.
Answers such as “it requires more work on the attacker’s part” or “the server will drop the TCP packets” received partial credit, as did answers that stated the change would have no effect coupled with reasoning that clearly conveyed the view of the attacker targeting per-packet load on the victim rather than per-byte load (the latter of which benefits from amplification).
(d) Setting aside the current DDoS attack on Turquoise Security, how could the Turquoise Security service itself be used to mount a DoS attack on others? Answer 1: An attacker could send millions of spam messages, containing links to a target web site; when the recipients mark those as spam, Turquoise will mount a DoS attack against the target. Answer 2: An attacker could send an email containing thousands of links to the same web site to a conspirator who is a Turquoise customer, and ask the conspirator to mark that email as spam. Then Turquoise servers will send one complaint per link in the email, providing an amplification effect. Comment: Full credit required conveying a means by which many URLs of a given target site would be falsely reported to Turquoise Security as spam. Answers that did not clearly state how the attacker would arrange for many such URLs to be reported received at best partial credit. Answers that assumed that Turquoise Security itself would act in a malicious manner did not receive any credit, as that is missing the basic point of the problem.
(a) Can a stateless firewall (such as a packet filter) enforce the following policy? Policy: Block TCP connection initiation requests from any external host to any internal host. Allow TCP connection initiation requests from any internal host to any external host, and also allow returning traffic on these connections initiated by internal hosts.
You may assume that the internal hosts (those on the inside of the firewall) all have IP addresses of the form 128.32.153.x, where the x can be anything in the range 0–255, and no external host has an IP address of this form. You may assume that the TCP/IP stack on every internal host operates correctly. Circle “yes” or “no”, depending on whether you think a stateless firewall (such as a packet filter) can enforce the policy above or not, then briefly explain your answer (in one line or less). (i) Yes, it can enforce the policy. (ii) No, it cannot. Justification: Block any inbound packet that does not have the ACK bit set. Allow everything else. Comment: Full credit required a clear indication that the firewall drops incoming SYNs without the ACK bit set, and allows traffic with ACK set. Mention of SYN without mention of ACK, or mention of “flags” without specifying which, was only worth partial credit. Correct answers that in addition included incorrect reasoning received only partial credit. Numerous answers stated that a stateless firewall cannot have any memory of past connections and so cannot enforce the policy. However, we explicitly covered in lecture how for TCP such filtering is possible due to the protocol’s use of the ACK bit.
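Added example (not part of the exam) implementing the rule in the justification above as a per-packet decision that looks only at the packet's own header, with the internal range 128.32.153.0/24 from the question. The handshake trace shows why the rule works: the only packet of a TCP connection that lacks the ACK bit is the initiator's first SYN, so dropping inbound ACK-less packets blocks external initiation while letting the SYN|ACK and all later packets of an internally initiated connection through. The external address used in the trace is a constructed documentation address.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("128.32.153.0/24")   # from the question
SYN = 0x02    # TCP flag bits
ACK = 0x10


def stateless_decision(src, dst, proto, flags):
    """Return 'allow' or 'drop' for one packet using only its own header.

    Rule: drop inbound TCP packets without the ACK bit set; allow all
    else. No connection table is consulted, which is what makes the
    filter stateless.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    inbound = src_ip not in INTERNAL and dst_ip in INTERNAL
    if proto == "tcp" and inbound and not (flags & ACK):
        return "drop"
    return "allow"


def trace_handshake(initiator, responder):
    """Firewall decisions for the three packets of a handshake started
    by `initiator`: SYN, then SYN|ACK back, then the final ACK."""
    return [
        stateless_decision(initiator, responder, "tcp", SYN),
        stateless_decision(responder, initiator, "tcp", SYN | ACK),
        stateless_decision(initiator, responder, "tcp", ACK),
    ]
```

For an external initiator the trace reads drop, allow, allow: the SYN never reaches the internal host, so with a correctly operating TCP stack (the question's stated assumption) no SYN|ACK is ever sent and the later inbound ACK has nothing to attach to. The rule does let arbitrary inbound packets with ACK set through, which is exactly why the assumption about correct internal stacks matters.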
(b) Name one security benefit that NAT provides.
Answer 1: A NAT prevents external hosts from initiating connections to internal hosts. Answer 2: A NAT prevents external hosts from scanning of the internal network. Comment: Other answers that received full credit include: (1) prevents the Kaminsky attack by randomizing source ports; (2) ameliorates DoS floods by preventing most of the traffic from reaching the internal target; (3) use of a single public address prevents internal hosts from spoofing IP addresses; (4) the NAT hides the internal network’s topology; or (5) an external eavesdropper has more difficulty discerning just who is communicating since multiple private addresses all appear as the same public address. Answers that only hinted at the above, but did not explicitly frame one of these benefits, received only partial credit. Answers that simply stated that addresses are hidden, or that it’s hard for an attacker to locate a given internal host, or that an external attacker cannot eavesdrop on internal hosts (which is the case regardless of whether a site uses a NAT) did not receive any credit. These lack the notion of attackers being unable to initiate connections to internal hosts, coupled with attackers still being able to exploit hosts that wind up connecting to them. Answers that stated that the NAT provides a chokepoint for enforcing policy did not receive any credit. Any network element at a site, such as a simple router, provides this benefit.
Consider the following C code:
    /* Information about the current CD. */
    struct cd {
        int numtracks;                /* The number of tracks on this disc. */
        int tracklen[16];             /* The length of each track on the disc, in seconds. */
        void (*notify)(struct cd *);  /* Call this whenever the CD info changes. */
    };
memory. Third, discussing how control would be transferred to the value loaded via newtracklen: either by modifying the notify structure element, or by altering a return address on the stack.
Solutions that contained correct elements as discussed above, but also included incorrect information were given partial credit.
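Added example (not part of the exam) that rebuilds struct cd with ctypes so the platform's real field offsets are used, and computes which out-of-bounds tracklen index is the first to overlap the notify function pointer; this is the layout fact behind the solution's point that a write past tracklen can redirect control through notify. The bounds-checked setter is the check a safe version of the track-length update would need. The CD object and track lengths are constructed for the demonstration.

```python
import ctypes


class CD(ctypes.Structure):
    """Same members as the exam's struct cd; ctypes applies the
    platform's alignment and padding, so offsets match a C compiler's."""
    _fields_ = [
        ("numtracks", ctypes.c_int),
        ("tracklen", ctypes.c_int * 16),
        ("notify", ctypes.c_void_p),   # stands in for the function pointer
    ]


def first_index_hitting_notify():
    """Smallest tracklen index whose 4-byte slot overlaps notify.

    16 on 32-bit targets (notify directly follows tracklen[15]);
    17 on LP64/LLP64 targets, where 4 bytes of padding precede the
    8-byte-aligned pointer and index 16 lands in that padding.
    """
    start = CD.tracklen.offset
    notify_off = CD.notify.offset
    slot = ctypes.sizeof(ctypes.c_int)
    return (notify_off - start + slot - 1) // slot


def set_track_length(cd, index, seconds):
    """Bounds-checked write: the check a safe version of the code needs."""
    if not 0 <= index < len(cd.tracklen):
        raise IndexError("track index %d out of range" % index)
    cd.tracklen[index] = seconds


def write_is_rejected(index):
    """True if the checked setter refuses the index on a fresh struct."""
    try:
        set_track_length(CD(), index, 1)
    except IndexError:
        return True
    return False


def demo():
    """Fill two tracks legitimately and return them."""
    cd = CD()
    cd.numtracks = 2
    set_track_length(cd, 0, 181)
    set_track_length(cd, 1, 240)
    return list(cd.tracklen)[:2]
```

`first_index_hitting_notify()` returns 17 on a 64-bit host and 16 on a 32-bit one; either way an unchecked loop over numtracks that trusts an attacker-supplied count walks straight into the pointer, which is why the length check in set_track_length has to come before the write rather than after it.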