Advanced Network Inference Techniques Based on Network Protocol Stack Information Leaks Roya Ensafi October 2013
Still A Peach
[Figure: attacker, zombie and victim]
What if we could?
● Scan a port behind a firewall, or a hidden machine
● Infer IP-based trust relationships
● Infer communication constraints
● Infer imposed geographical (dis)connectivity
● Infer intentional packet drops
● …
[Figure: attacker, zombie and victim]
Outline
● Background knowledge
● Brief overview of the USENIX '10 paper
  – Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks
  – SYN backlog idle scan
● Overview of the PAM '13 (submitted) paper
  – Detecting Bi-directional Intentional Packet Drops Using Idle Scans
  – Real-data examples
● Future work
Model checking the network stack
● Is there a way to automate the search for inference attacks?
● Create a transition system of the network protocol stack
● Check all possible scenarios for the non-interference property
Shared (limited) resources
➔ Global IPID variable
  – A global counter, incremented by one every time a packet is sent out
  – Unique numbers used for fragmentation (reassembly)
  – At any time it reveals how many packets the host has sent to other destinations
➔ RST rate-limiting counter
  – A machine limits the number of RST packets it will send in a given time period
➔ SYN backlog/cache
  – A cache holding half-open TCP connections
  – An entry waits for the proper ACK, or for a RST to drop it
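The IPID idle scan below only works against a zombie whose IPID is the single global counter this slide describes. The following check is added here and is not part of the talk: it classifies the IPID sequence seen in the replies from a candidate zombie. The sample sequences are constructed, the step threshold `max_step` is an assumption, and the byte-swapped case goes beyond the slide (some stacks emit the counter with its two bytes exchanged, which makes it look random until they are swapped back).

```python
# Added example (not from the talk): before relying on a host as an IPID zombie,
# check that its IPID really is one global counter. The sequences in SAMPLES are
# constructed; in practice they are the IPIDs read off the replies to a burst of
# probes sent to the candidate zombie from one vantage point.
def ipid_deltas(ipids):
    """Differences between consecutive 16-bit IPIDs, allowing for the wrap at 65536."""
    return [(b - a) & 0xFFFF for a, b in zip(ipids, ipids[1:])]

def classify_ipid_sequence(ipids, max_step=10):
    """How does this host assign IPIDs?
    'incremental': one global counter stepping by 1..max_step (a step above 1 means the
        host sent traffic elsewhere between two probes, which is exactly the side channel;
        a per-destination counter looks the same from one vantage point, so ruling it out
        needs probes from a second address).
    'byte-swapped incremental': the same counter, emitted with its bytes swapped.
    'zero' / 'constant': the IPID carries no information at all.
    'random': no usable counter, so the host is useless as an IPID zombie."""
    if len(ipids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ipids):
        return "zero"
    if len(set(ipids)) == 1:
        return "constant"
    if all(1 <= d <= max_step for d in ipid_deltas(ipids)):
        return "incremental"
    swapped = [((i & 0xFF) << 8) | (i >> 8) for i in ipids]
    if all(1 <= d <= max_step for d in ipid_deltas(swapped)):
        return "byte-swapped incremental"
    return "random"

def usable_as_zombie(ipids):
    """A host is a usable IPID zombie only if its IPID is a global counter of either kind."""
    return classify_ipid_sequence(ipids) in ("incremental", "byte-swapped incremental")

SAMPLES = {  # constructed IPID sequences, as a burst of probe replies might show them
    "global counter": [3177, 3178, 3179, 3180, 3181],           # the slides' zombie
    "busy global counter": [65534, 65535, 0, 3, 5],             # wraps, plus other traffic
    "little-endian counter": [0x690C, 0x6A0C, 0x6B0C, 0x6C0C],  # 0x0C69, 0x0C6A, ... swapped
    "randomized": [41234, 7, 60012, 29871, 1130],
    "zero": [0, 0, 0, 0],
}
```

The wrap-around handling matters in practice: a busy zombie whose counter passes 65535 between two probes would otherwise look random and be discarded. Probing from a second source address is the only way to tell a global counter from a per-destination one, which this single-vantage-point check cannot do.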
Port & port scanning / TCP handshake
[Animated figure: Host 1 connects to an open port on Host 2. Initially both hosts have SYN cache = 0 and RST counter = 1. Host 1 sends a SYN packet; Host 2 records the half-open connection (its SYN cache goes to 1) and replies with a SYN/ACK packet. Host 1's ACK packet completes the handshake and Host 2's SYN cache returns to 0. The RST counters stay at 1 throughout.]
Idle scanning
[Figure, two scenarios: Scenario 1 has the attacker, Client 1 and Server 1, where the port is open; Scenario 2 has the attacker, Client 2 and Server 2, where the port is closed.]
IPID idle scanning
[Animated figure, two scenarios side by side; the client plays the zombie and its IPID starts at 3177. Scenario 1 (port open): the attacker sends Server 1 a spoofed SYN packet carrying Client 1's address as source. Server 1 replies to Client 1 with a SYN/ACK packet; Client 1 answers with a RST packet, so its IPID becomes 3178. Scenario 2 (port closed): the attacker sends the same spoofed SYN packet to Server 2, which replies to Client 2 with a RST packet; Client 2 sends nothing and its IPID stays at 3177. The attacker then probes each client and receives a SYN/ACK packet: Client 1's reply carries IPID 3179, Client 2's carries IPID 3178, so the difference reveals which server port was open.]
Idle scanning with a brick wall
The first idle scan that lets an attacker scan firewalled networks and ports, and infer trust relationships, without routing any packets to the victim.
SYN backlog idle scanning
[Animated figure, two scenarios side by side, each with the attacker, a victim and a zombie whose SYN cache starts at 0. In Scenario 1 the victim's port is open; in Scenario 2 it is closed. The attacker sends each zombie a spoofed SYN packet whose source is the victim, so both zombies record a half-open connection (SYN cache = 1) and send a SYN/ACK packet to their victim. In Scenario 1 the SYN/ACK goes unanswered and Zombie 1's SYN cache stays at 1. In Scenario 2 Victim 2 answers with a RST packet, which removes the entry: Zombie 2's SYN cache drops to 0. The attacker then sends its own SYN packet to each zombie: Zombie 1, whose cache is still full, answers with a SYN cookie, while Zombie 2 records the new connection (SYN cache = 1) and answers with an ordinary SYN/ACK packet. The kind of reply tells the attacker whether the victim's port was open, and the attacker never sent a packet to the victim.]
Can we combine idle scans?
● Is there a way that combining the IPID and SYN backlog idle scans gives us more information?
● Can we use our idle scans to find intentional packet drops?
  – Yes, we can.
Can we detect censorship?
Can we connect to the server?
No direction blocked
Server-to-client direction blocked
Client-to-server direction blocked
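To make the three cases above concrete, and to tie them back to the transition-system and non-interference idea from the model-checking slide, here is an added toy model of the side channels in this talk. It is not the authors' model checker or measurement code. The host behaviour is the abstraction drawn in the slides (instant delivery, a one-entry SYN cache that falls back to a SYN cookie when full, a closed port answering an unsolicited SYN/ACK with a RST, and an open port swallowing it, as the SYN backlog figure shows); whether a particular real stack or firewall actually behaves that way is exactly what has to be checked against the stack. The port numbers (80, 22, 40000, 50000) and the three SYN/ACK retransmissions are assumptions.

```python
# Added example (not the authors' model checker): a toy transition system for the
# side channels in the talk. Host behaviour follows the slides' figures, not any
# real TCP/IP stack; port numbers and the retransmission count are assumptions.
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN/ACK", "SYN/ACK(cookie)" or "RST"

class Network:
    def __init__(self, *hosts, blocked=()):
        self.hosts = {h.name: h for h in hosts}
        self.blocked = set(blocked)  # blocked (src, dst) directions, e.g. {("server", "client")}
        for h in hosts:
            h.net = self

    def deliver(self, p):  # traffic really sent by p.src is subject to the blocking
        if (p.src, p.dst) not in self.blocked:
            self.hosts[p.dst].receive(p)

    def inject(self, p):  # spoofed packet from the attacker's own machine: the forged
        self.hosts[p.dst].receive(p)  # source is not affected by a p.src -> p.dst block

class Host:
    def __init__(self, name, open_ports=(), ipid=3177, backlog_size=1):
        self.name, self.open_ports, self.ipid = name, set(open_ports), ipid
        self.backlog = {}  # (peer, peer_port) -> (our_port, SYN/ACKs sent so far)
        self.backlog_size = backlog_size  # one-entry SYN cache, as in the slides
        self.cookie_sent = False  # True once a full cache forced a SYN cookie reply
        self.net = None

    def send(self, dst, sport, dport, flags):
        self.ipid = (self.ipid + 1) & 0xFFFF  # global IPID: +1 for every packet sent
        self.net.deliver(Packet(self.name, sport, dst, dport, flags))

    def receive(self, p):
        key = (p.src, p.sport)
        if p.flags == "SYN":
            if p.dport not in self.open_ports:
                self.send(p.src, p.dport, p.sport, "RST")
            elif len(self.backlog) >= self.backlog_size:
                self.cookie_sent = True  # cache full: stateless SYN cookie, nothing stored
                self.send(p.src, p.dport, p.sport, "SYN/ACK(cookie)")
            else:
                self.backlog[key] = (p.dport, 1)  # half-open entry, waits for ACK or RST
                self.send(p.src, p.dport, p.sport, "SYN/ACK")
        elif p.flags.startswith("SYN/ACK"):
            if p.dport not in self.open_ports:  # unsolicited SYN/ACK at a closed port: RST it
                self.send(p.src, p.dport, p.sport, "RST")  # (an open port swallows it, as drawn)
        elif p.flags == "RST":
            self.backlog.pop(key, None)  # the peer's RST frees the half-open entry

    def retransmit(self):  # resend the SYN/ACK of every entry still in the backlog
        for (peer, pport), (port, n) in list(self.backlog.items()):
            self.backlog[(peer, pport)] = (port, n + 1)
            self.send(peer, port, pport, "SYN/ACK")

def ipid_idle_scan(server_port_open):
    """Attacker spoofs a SYN from the zombie to server:80 and watches the zombie's IPID."""
    zombie = Host("zombie")  # no open ports, so any SYN/ACK it receives gets a RST
    server = Host("server", open_ports={80} if server_port_open else ())
    net = Network(zombie, server)
    before = zombie.ipid  # reading the counter stands in for the attacker's own probes
    net.inject(Packet("zombie", 40000, "server", 80, "SYN"))
    return zombie.ipid - before  # 1: zombie RST'd a SYN/ACK (open); 0: it got a RST (closed)

def syn_backlog_idle_scan(victim_port_open):
    """Attacker spoofs a SYN from victim:22 to zombie:80, then probes the zombie itself."""
    victim = Host("victim", open_ports={22} if victim_port_open else ())
    zombie, attacker = Host("zombie", open_ports={80}), Host("attacker")
    net = Network(victim, zombie, attacker)
    net.inject(Packet("victim", 22, "zombie", 80, "SYN"))  # the attacker sends nothing to the victim
    net.deliver(Packet("attacker", 50000, "zombie", 80, "SYN"))
    return zombie.cookie_sent  # True: entry survived (open); False: victim's RST freed it

def interferes(scan):
    """Non-interference check: does the attacker's observation depend on the secret?"""
    return scan(True) != scan(False)

def detect_blocking(blocked, retransmissions=3):
    """Both channels at once: spoof a SYN from client to server:80, let the server
    retransmit its SYN/ACK, then read the client's IPID delta and the server's backlog."""
    client, server = Host("client"), Host("server", open_ports={80})
    net = Network(client, server, blocked=blocked)
    before = client.ipid
    net.inject(Packet("client", 40000, "server", 80, "SYN"))
    for _ in range(retransmissions):
        server.retransmit()
    delta, pending = client.ipid - before, bool(server.backlog)
    if not pending:
        verdict = "no direction blocked"  # the client's single RST reached the server
    elif delta == 0:
        verdict = "server->client blocked"  # the client never saw a SYN/ACK
    else:
        verdict = "client->server blocked"  # the client RST'd every retransmission in vain
    return delta, pending, verdict
```

`interferes(scan)` is the non-interference check in miniature: the secret (is the port open?) is the high input, the attacker's reading is the low output, and any difference between `scan(True)` and `scan(False)` is an inference attack. `detect_blocking` is the combination the talk asks about: with no blocking the client's IPID moves by one and the server's backlog empties; a server-to-client block leaves the IPID untouched but the backlog entry pending; a client-to-server block leaves the entry pending and moves the IPID once per SYN/ACK retransmission, because every RST the client sends is dropped on its way back. The attacker never needs to see the blocked packets, only the two shared counters.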
Recommendations
More recommendations