Secure Communication Properties


Questions and Answers

Which of the following is the primary goal of attackers abusing the DNS protocol?

  • To simplify the process of identifying malicious domains.
  • To decrease the uptime of domains.
  • To reduce the cost of maintaining malicious infrastructure.
  • To remain undetectable for a longer period. (correct)

In Round Robin DNS (RRDNS), what determines how long a DNS client considers a record valid?

  • The Time to Live (TTL) value of the A record. (correct)
  • The number of servers at a single location.
  • The order in which the record appears in the list.
  • The network proximity of the record.

How do Content Distribution Networks (CDNs) determine the 'nearest edge server' for a DNS client?

  • Using techniques based on network topology and link characteristics. (correct)
  • Based on the server's CPU usage.
  • Through manual configuration by the network administrator.
  • By simply selecting the first server in a list.

What is a key characteristic that differentiates Fast-Flux Service Networks (FFSN) from RRDNS and CDN?

  • FFSN returns a different set of A records after the TTL expires. (A, correct)

In the context of Fast-Flux Service Networks (FFSN), what role do 'flux agents' play?

  • They relay requests between the client and the control node. (A, correct)

What is the main purpose of the FIRE system in identifying rogue networks?

  • To detect networks involved in malicious activities. (C, correct)

According to the FIRE system, what is a key characteristic that distinguishes rogue networks from legitimate networks?

  • The longevity of malicious behavior on the network. (A, correct)

How does the FIRE system identify the most malicious networks?

  • By identifying networks with the highest ratio of malicious IP addresses. (D, correct)

What limitation does ASwatch aim to overcome when identifying malicious networks?

  • It cannot differentiate between legitimate networks that are abused, and those operated by cybercriminals. (D, correct)

Which type of information does ASwatch primarily utilize to identify malicious networks?

  • Information from BGP routing activity (control plane). (C, correct)

What is the significance of 'rewiring activity' as a feature tracked by ASwatch?

  • It reflects changes in a network's AS connectivity. (C, correct)

What is indicated by 'IP Space Fragmentation and Churn' in the context of ASwatch's analysis?

  • The use of more specific BGP prefixes to partition IP address space. (D, correct)

What is the operational phase of ASwatch primarily focused on?

  • Assigning a reputation score to an unknown AS based on its behavior. (B, correct)

In the context of assessing network security, what does the term 'mismanagement symptoms' refer to?

  • The presence of misconfigurations in an organization's network. (D, correct)

What does the detection of 'Open Recursive Resolvers' indicate about an organization's network security?

  • The network is vulnerable to DNS amplification attacks. (C, correct)

What is the purpose of creating a 'blacklist' of IP addresses involved in malicious activities?

  • To identify sources of potential threats for security analysis. (C, correct)

In the context of BGP hijacking, what is 'exact prefix hijacking'?

  • An attack where a counterfeit AS announces a path for the same prefix as a legitimate AS. (A, correct)

How does 'sub-prefix hijacking' exploit the characteristics of BGP?

  • By exploiting BGP's tendency to favor more specific prefixes. (C, correct)

In a 'Type-N hijacking' attack, what is the purpose of the counterfeit AS announcing an illegitimate path?

  • To create a fake link between different ASes. (D, correct)

What is the main intention of an attacker in a 'Data-Plane traffic manipulation' attack?

  • To hijack the network traffic and manipulate the redirected network traffic. (B, correct)

What distinguishes a 'targeted attack' from a 'high impact attack' in the context of BGP hijacking motivations?

  • Targeted attacks aim to intercept network traffic stealthily, while high impact attacks are obvious in their intent to cause disruption. (C, correct)

In defending against BGP hijacking, what is the purpose of ARTEMIS using a 'configuration file'?

  • To list all the prefixes owned by the network. (B, correct)

What is the role of prefix deaggregation in mitigating BGP hijacking attacks?

  • To announce more specific prefixes for a targeted prefix. (B, correct)

What is the purpose of involving third-party organizations in 'Mitigation with Multiple Origin AS (MOAS)'?

  • To provide BGP announcements for a given network during a hijacking event. (B, correct)

In the Linktel incident, what vulnerability allowed attackers to hijack AS31733?

  • Expired DNS domain (link-telecom). (B, correct)

In the context of a DDoS attack, what is 'spoofing'?

  • Setting a false IP address in the source field of a packet. (B, correct)

In a reflection attack, what is the role of a 'reflector'?

  • A server that sends a response to a request. (D, correct)

How does a 'traffic scrubbing service' mitigate DDoS attacks?

  • By diverting the incoming traffic to a specialized server for cleaning. (A, correct)

What is a limitation of ACL filters when filtering out unwanted traffic?

  • Filtering does not occur at the ingress points, which can exhaust the bandwidth to a neighboring AS. (A, correct)

Which action does 'traffic-rate; action with value 0' specify?

  • Discarding the traffic. (D, correct)

In the context of DDoS mitigation, what is BGP blackholing?

  • A countermeasure to drop all traffic to a targeted DDoS destination. (A, correct)

What is a major drawback of BGP blackholing as a DDoS mitigation technique?

  • It blocks all traffic, so the destination under attack becomes unreachable. (C, correct)

What should the BGP blackhole message sent to an IXP contain?

  • The IXP blackhole community as shown in the following figure. (D, correct)

Flashcards

Confidentiality

Ensuring a message is understood only by the sender and receiver, preventing eavesdropping.

Integrity

Ensuring a message isn't altered during transit, preserving its original state.

Authentication

Verifying the identities of communicating parties to prevent impersonation.

Availability

Ensuring that information or services are available when needed.

Round Robin DNS (RRDNS)

Distributing request load across multiple servers at a single location.

Content Distribution Networks (CDNs)

Distributing content across multiple servers, often globally, to improve responsiveness.

Fast-Flux Service Networks (FFSN)

A network using rapid DNS changes with short TTLs, often for malicious purposes.

Rogue networks

Networks mainly used for malicious activities like phishing and hosting spam.

ASwatch

Monitoring BGP routing activity to detect malicious networks based on control-plane behavior.

BGP Hijacking

Abusing the BGP protocol to misrepresent IP prefixes.

Hijacking due to human error

Caused by accidental manual routing misconfigurations.

Targeted Hijacking Attack

Routing change made to intercept network traffic (MM attack).

High Impact Hijacking Attack

Causes widespread disruption of services when routing is impacted.

ARTEMIS

A system run by network operators to protect against BGP hijacking attempts.

Prefix deaggregation

A countermeasure where a victim divides a targeted prefix into smaller prefixes.

Mitigation with Multiple Origin AS (MOAS)

Have third-party organizations announce routes for a given network.

Denial of Service (DoS) Attack

Compromising a server with a flood of traffic.

Distributed Denial of Service (DDoS) Attack

Using multiple compromised systems to launch the attack.

IP Spoofing

Setting a false IP address in the source field of a packet.

Reflection attack

The attackers use a set of reflectors to initiate an attack on the victim.

Amplification attack

Requests made so that reflectors send large responses.

Traffic Scrubbing Services

Incoming traffic is diverted to a server, where the traffic is scrubbed.

ACL Filters

Filtering unwanted traffic at AS border routers.

BGP Flowspec

Mitigates DDoS attacks by deploying fine-grained filters across AS domain borders.

BGP Blackholing

Countermeasure where all traffic to a targeted DoS destination is dropped.

Blackholing provider

A computer network that offers a blackholing service.

Study Notes

Properties of Secure Communication

  • There are certain properties to ensure secure communication, even with attackers present

Sender, Receiver, and Intruder

  • Communication involves a secure sender (e.g., Alice), a secure receiver (e.g., Bob), and a potential intruder (e.g., Trudy)

Confidentiality

  • Confidentiality ensures that the message is understood only by the sender and receiver
  • An intruder could perform an eavesdropping attack by sniffing and recording control and data messages
  • Encrypting the message acts as a countermeasure, making it impossible to understand if intercepted

Integrity

  • Integrity ensures the message remains unmodified during transit from sender to receiver
  • An intruder could attack by modifying, inserting, or deleting parts of the message
  • Changes can occur maliciously, or accidentally during transmission

Authentication

  • Authentication confirms that the communicating parties are who they claim to be
  • An intruder may impersonate another entity to steal information
  • Authentication techniques are used as a countermeasure to verify identities

Availability

  • Availability ensures the information or service provided is accessible when needed
  • Proper functioning of the communication channel is needed in the presence of failures or denial-of-service attacks

DNS Abuse

  • Attackers abuse DNS protocols to extend uptime of domains, used for malicious purposes like command and control, phishing, spam, and illegal content
  • The goal is to remain undetectable for longer

Round Robin DNS (RRDNS)

  • Used by large websites to distribute incoming requests to multiple servers at a single location
  • Responds to a DNS request with a list of DNS A records, cycled through in a round robin fashion
  • DNS client chooses a record using strategies like selecting the first record or the closest one
  • Time to Live (TTL) specifies how long the response is valid
  • Client receives the same set of records, in a different order, if the lookup is repeated while the mapping is active

DNS-based Content Delivery

  • Content Distribution Networks (CDNs) distribute content using more complex DNS-based strategies
  • CDNs distribute load among multiple servers across different locations
  • The CDN computes the 'nearest edge server' based on network topology and link characteristics, returning its IP address to the DNS client

Fast-Flux Service Networks

  • Fast-Flux Service Networks (FFSN) is an extension of RRDNS and CDN
  • It uses rapid changes in DNS answers, with a TTL lower than that of RRDNS and CDN
  • Returns a different set of A records from a larger set of compromised machines after the TTL expires
  • Compromised machines act as proxies between incoming requests and a control node, forming a resilient one-hop overlay network

Content Retrieval Process for Benign HTTP Server

  • DNS lookup returns the IP address of the control node of the domain
  • HTTP GET request is sent to this control node
  • The control node provides content directly

Content Retrieval Process for Content being Hosted in Fast-Flux Service Network

  • The DNS lookup returns several IP addresses from compromised machines (flux agents)
  • Each time the TTL expires, a lookup returns completely different IP addresses
  • The flux agent relays HTTP GET requests to the control node, which sends the content back to the agent and the client
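The two retrieval processes above differ in what repeated DNS lookups show over time: RRDNS returns the same record set in a different order while the TTL is active, whereas a fast-flux domain returns a largely different set of agents once the TTL expires. The following script is an added, constructed example (not code from the original lesson or from any of the systems it mentions) that turns those notes into a simple defender-side classifier. The thresholds, the `Lookup` record, and the sample lookups (RFC 5737 documentation addresses) are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Lookup:
    t: int            # seconds since the first lookup of this name (constructed observation)
    ttl: int          # TTL carried by the answer
    a_records: tuple  # A records in the order the resolver returned them


def epoch_sets(lookups):
    """Group lookups into TTL epochs and return the set of A records seen in each.

    A new epoch starts once the answer that opened the previous epoch has expired.
    Inside an epoch RRDNS only reorders the same records, so the union of the
    answers is the active mapping; a new epoch is where fast flux swaps agents.
    """
    epochs = []
    epoch_start = epoch_ttl = None
    for lk in sorted(lookups, key=lambda x: x.t):
        if epoch_start is None or lk.t >= epoch_start + epoch_ttl:
            epochs.append(set(lk.a_records))
            epoch_start, epoch_ttl = lk.t, lk.ttl
        else:
            epochs[-1] |= set(lk.a_records)
    return epochs


def churn(epochs):
    """Fraction of all observed addresses that are NOT common to every epoch (0.0 = stable mapping)."""
    if len(epochs) < 2:
        return 0.0
    union = set().union(*epochs)
    common = set.intersection(*epochs)
    return 1.0 - len(common) / len(union)


def distinct_slash16(epochs):
    """Number of distinct /16 networks the addresses fall in: a single-site RRDNS pool
    sits in one network, while compromised flux agents are scattered across many."""
    return len({int(ip_address(ip)) >> 16 for s in epochs for ip in s})


def classify(lookups, max_flux_ttl=300, min_churn=0.5):
    """Heuristic verdict (assumed thresholds): low TTL plus a mostly new record set
    after expiry is fast-flux-like; an unchanged multi-record set is RRDNS-like."""
    epochs = epoch_sets(lookups)
    c = churn(epochs)
    min_ttl = min(lk.ttl for lk in lookups)
    pool = set().union(*epochs)
    if len(epochs) >= 2 and c >= min_churn and min_ttl <= max_flux_ttl:
        return "fast-flux-like"
    if c == 0.0:
        return "rrdns-like" if len(pool) > 1 else "single-host"
    return "changing"


# Constructed sample: a benign RRDNS name, same three records rotated, TTL 300 s.
RRDNS_LOOKUPS = [
    Lookup(0, 300, ("198.51.100.10", "198.51.100.11", "198.51.100.12")),
    Lookup(5, 300, ("198.51.100.11", "198.51.100.12", "198.51.100.10")),
    Lookup(400, 300, ("198.51.100.12", "198.51.100.10", "198.51.100.11")),
    Lookup(410, 300, ("198.51.100.10", "198.51.100.11", "198.51.100.12")),
]

# Constructed sample: a fast-flux name, TTL 60 s, a disjoint set of agents each epoch.
FFSN_LOOKUPS = [
    Lookup(0, 60, ("192.0.2.17", "203.0.113.4", "198.51.100.201")),
    Lookup(30, 60, ("203.0.113.4", "192.0.2.17", "198.51.100.201")),
    Lookup(65, 60, ("192.0.2.88", "203.0.113.150", "198.51.100.9")),
    Lookup(130, 60, ("192.0.2.240", "203.0.113.77", "198.51.100.66")),
]

if __name__ == "__main__":
    for name, lookups in (("rrdns.example", RRDNS_LOOKUPS), ("flux.example", FFSN_LOOKUPS)):
        ep = epoch_sets(lookups)
        print(name, classify(lookups), f"churn={churn(ep):.2f}", f"/16s={distinct_slash16(ep)}")
```

The classifier deliberately keys on the property the notes single out (a different A record set after TTL expiry) rather than on TTL alone, because many legitimate CDNs also use short TTLs; the `/16` spread is reported as a supporting signal, not a verdict.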

Inferring Network Reputation: Evidence of Abuse

  • FIRE (Finding Rogue nEtworks) monitors the Internet for rogue networks involved in malicious activities like phishing and hosting spam
  • Rogue networks are networks whose main purpose is malicious activity such as phishing, hosting spam pages, hosting pirated software, etc
  • Uses three data sources to identify likely rogue networks

Botnet Command and Control Providers

  • A bot-master prefers to host their C&C (Command and Control) on networks unlikely to be taken down
  • IRC-based botnets and HTTP-based botnets are two main types of botnets that are considered

Drive-by-Download Hosting Providers

  • Drive-by-download is malware installation without user interaction, often through a vulnerable browser

Phish Housing Providers

  • URLs of servers hosting phishing pages are included
  • Phishing pages mimic sites to steal login credentials, credit card numbers and data
  • These pages are hosted on compromised servers and often only active for a short time

FIRE (Finding Rogue Networks) processes

  • Legitimate networks remove malicious content within a few days, rogues can last weeks
  • Disregards IP addresses that are active only for a short time, so short-lived phishing hosts are ignored
  • Each data source produces a list of malicious IP addresses daily

FIRE identifies rogue AS

  • Approach identifies the most malicious networks as having the highest ratio of malicious IP addresses to total owned IP addresses

Inferring Network Reputation: Interconnection Patterns

  • Data plane monitoring flags networks with a large concentration of blacklisted IPs as malicious
  • Requires observation of malicious behavior for a long time
  • This analysis focuses on data plane monitoring, where a large number of IPs belonging to an AS were blacklisted for spamming, phishing, and hijacking

ASwatch

  • ASwatch uses, exclusively, information from the control plane (i.e. routing behavior) to identify malicious networks
  • ASwatch monitors global BGP routing to learn control plane behaviors
  • Has two phases: A training phase, and an operational phase

Training Phase

  • System learns control-plane behaviours, typical of known malicious and legitimate ASes
  • Keeps track of businesses relationships and BGP updates/withdrawals
  • Computes statistical features of each AS

Rewiring Activity

  • Frequent changes in customers or providers and connecting with less popular providers are suspicious

IP Space Fragmentation and Churn

  • Malicious ASes use small prefixes to partition their IP space, advertising small sections

BGP Routing Dynamics

  • Malicious BGP announcements and withdrawals follow different patterns over short periods of time

Operational Phase

  • Calculates features for unknown ASes, and assigns a reputation score by a trained model
  • A low reputation score for several days is deemed malicious

Inferring Network Reputation: Likelihood of Breach

  • This estimates likelihood of security breach within an organization using external observable data
  • Features used to train a Random Forest, resulting risk probability

Features Used

  • Mismanagement symptoms, which indicate misconfigurations that fail to prevent attacks
  • Open Recursive Resolvers - misconfigured open DNS resolvers
  • DNS Source Port Randomization – many servers still do not implement this
  • BGP Misconfiguration – short-lived routes can cause unnecessary updates to global routing table
  • Untrusted HTTPS Certificates – can detect validity by TLS handshake, and Open SMTP Mail Relays

Malicious Activities

  • Malicious activity originating from an organization's networks and infrastructure is found using spam traps, darknets and DNS monitors, which are used to create a blacklist
  • Capturing spam activity
  • Capturing phishing and malware activities
  • Capturing scanning activity

Security Incident Reports

  • Data is based on actual incidents to train the machine model for wider coverage

Random Forest Algorithm

  • The classifier is compared against a baseline Support Vector Machine (SVM)
  • 258 features are used
  • Features fall into three groups: time-related values, secondary statistics derived from those values, and organization size
  • Inputs are processed and then fed to the Random Forest (RF), which produces a risk probability (a float)

Traffic Attraction Attacks: BGP Hijacking

  • BGP hijacking attacks can be classified into different groups

Types of Classification

  • By affected prefix: concerns which IP prefixes are advertised
  • Exact prefix hijacking: two different ASes (one genuine, the other counterfeit) announce a path for the same prefix, which disrupts routing and draws traffic toward the hijacker

AS-Path Announcement

  • An AS announces a path it has no ownership rights to, which can be achieved in different ways

Type-0

  • The prefix is not owned by the announcing AS

Type-N

  • A counterfeit AS announces an illegitimate path for a prefix it does not own, creating a fake link (path)

Type-U

  • Hijacking AS change

Data-Plane Traffic Manipulation

  • The intention is to hijack network traffic and manipulate the redirected traffic while it is on its way to the AS
  • Intercepted traffic can be handled in three ways: dropped, eavesdropped (becoming a man-in-the-middle), or impersonated

Traffic Attraction Attacks: Motivations

  • Can be classified by causes and motivations
  • Human Error: Accidental routing occurs due to manual errors that leads to hijack of prefix
  • Targeted Attack: the hijacking AS intercepts network traffic (MM attack) and operates in stealth mode to stay under the radar
  • High Impact Attack: causes wide disruption of services, such as the Pakistan incident that essentially blackholed all of YouTube's services for 2 hours

Example BGP Hijack Attacks

  • There are differences in how the attacks are carried out
  • In the legitimate case, the AS announces its prefix and the announcement is acknowledged by the others
  • In an attack, the hijacker announces fake addresses

Announcing a New Prefix

  • The attacker announces, through a router, a prefix that falls outside of its own AS number

Scenario: Hijacking a Path

  • The attacker manipulates routing updates by announcing a path for the prefix

Defending against Hijacking Attacks

ARTEMIS is run by local network operators to safeguard against BGP hijacking attempts, in a self-operated, self-described manner

Key Aspects Behind Artemis

  • A configuration file, which lists the prefixes owned by the network, and a mechanism for receiving and monitoring BGP updates

Mitigation Techniques

  • Prefix deaggregation: the affected network simply deaggregates the attacked prefix, announcing more specific prefixes for it
  • Mitigation with Multiple Origin AS (MOAS): third-party organizations announce the network's prefixes during the hijack, similar to a DDoS protection service
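The "Key Aspects Behind Artemis" and "Mitigation Techniques" notes above describe a defensive loop: an operator lists the prefixes it owns, compares incoming BGP updates against that list, and, on a hit, reacts with prefix deaggregation. The script below is an added, constructed example that is not ARTEMIS's own code or configuration format; it only borrows the idea of a self-described owned-prefix list. The `OWNED` table, the AS numbers (private range 64496 to 64511 plus a made-up 64666 for the hijacker), the sample updates and the `neighbors` field are all assumptions for the illustration.

```python
from ipaddress import ip_network

# Constructed ARTEMIS-style configuration for one operator (assumed format, not the real file).
# For each owned prefix: which ASNs may originate it, and which ASes may appear directly
# next to the origin in a legitimate AS path (used to spot fake links).
OWNED = {
    "203.0.113.0/24": {"origin_asns": {64500}, "neighbors": {64501, 64502}},
    "198.51.100.0/23": {"origin_asns": {64500}, "neighbors": {64501}},
}


def classify_announcement(prefix, as_path, owned=OWNED):
    """Check one observed BGP announcement against the owned-prefix configuration.

    as_path is ordered from the monitor's peer towards the origin, like the BGP
    AS_PATH attribute, so as_path[-1] is the origin AS and as_path[-2] its neighbor.
    """
    net = ip_network(prefix)
    origin = as_path[-1]
    for owned_prefix, rule in owned.items():
        owned_net = ip_network(owned_prefix)
        if net.version != owned_net.version:
            continue
        if net == owned_net:
            if origin not in rule["origin_asns"]:
                return "exact-prefix hijack (Type-0: foreign origin)"
            if len(as_path) > 1 and as_path[-2] not in rule["neighbors"]:
                return "fake link (Type-N: unknown neighbor next to origin)"
            return "legitimate"
        if net.subnet_of(owned_net):
            # A more specific prefix wins in BGP, which is what sub-prefix hijacking abuses.
            if origin not in rule["origin_asns"]:
                return "sub-prefix hijack (more specific than owned prefix)"
            if len(as_path) > 1 and as_path[-2] not in rule["neighbors"]:
                return "fake link (Type-N: unknown neighbor next to origin)"
            return "legitimate (own more-specific)"
    return "not monitored"


def monitor(updates, owned=OWNED):
    """Run every (prefix, as_path) update through the classifier and keep the alarming ones."""
    alerts = []
    for prefix, path in updates:
        verdict = classify_announcement(prefix, path, owned)
        if not verdict.startswith("legitimate") and verdict != "not monitored":
            alerts.append((prefix, path, verdict))
    return alerts


def deaggregate(prefix, new_prefixlen=None):
    """Prefix deaggregation: split the attacked prefix into more specifics the victim can announce."""
    net = ip_network(prefix)
    target = new_prefixlen if new_prefixlen is not None else net.prefixlen + 1
    return [str(s) for s in net.subnets(new_prefix=target)]


# Constructed sample of updates as a route collector might see them.
UPDATES = [
    ("203.0.113.0/24", [64510, 64501, 64500]),   # legitimate: our origin, known neighbor
    ("203.0.113.0/24", [64510, 64520, 64666]),   # exact-prefix hijack by AS64666
    ("203.0.113.0/25", [64510, 64520, 64666]),   # sub-prefix hijack by AS64666
    ("203.0.113.0/24", [64510, 64666, 64500]),   # Type-N: AS64666 claims a link to our origin
    ("198.51.100.0/24", [64510, 64501, 64500]),  # our own more-specific announcement
    ("192.0.2.0/24", [64510, 64520, 64530]),     # somebody else's prefix, not monitored
]

if __name__ == "__main__":
    for prefix, path, verdict in monitor(UPDATES):
        print(f"ALERT {prefix} via {path}: {verdict}")
        if "hijack" in verdict:
            print("  candidate deaggregation:", deaggregate(prefix))
```

One caveat for the deaggregation step: many networks filter IPv4 announcements more specific than /24, so splitting a /24 into /25s may not propagate, which is one reason the notes list MOAS announcements by third parties as an alternative.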

Findings

  • Outsourcing BGP announcements to third parties
  • Comparison of outsourcing BGP against prefix filtering

Background

  • A Russian ISP sends a distress call to NANOG

Takeaway

  • The attacker uses a second hijack to announce unallocated address space

Hijacking

  • Carried out using a DNS vulnerability

DDoS

  • Background: IP spoofing and DoS attacks

Master

  • Sends control messages that direct huge volumes of traffic toward the victim

Spoofing IP

  • A packet is sent with a false source address, so the server's legitimate response goes to the unintended (spoofed) address, which is the intended target of the attack

DDoS

  • Reflection attacks use servers such as DNS servers as reflectors

Traffic Scrubbing Service

  • Diverts the attack traffic to a specialized server, which scrubs and cleans the traffic
