Attacks against SSL/TLS – BEAST/CRIME/BREACH

(a) BEAST (Browser Exploit Against SSL/TLS)

  •  By Juliano Rizzo and Thai Duong, 2011 @ ekoparty Security Conference in Buenos Aires, Argentina
  •  Decrypts secure cookies protected by CBC-mode ciphers (i.e., AES or 3DES) in TLSv1

<References>
Demo and description: http://vnhacker.blogspot.com/2011/09/beast.html
Paper: http://packetstormsecurity.com/files/download/105499/Beast-SSL.rar/
Proof of Concept with javascript: http://erlend.oftedal.no/blog/beast/

(b) CRIME (Compression Ratio Info-leak Made Easy)

  • By Juliano Rizzo and Thai Duong, 2012 @ ekoparty Security Conference in Buenos Aires, Argentina
  • Leverages a compression side channel and recovers the HTTP request headers
  • Injects partial chosen plaintext (CPA) into a victim’s requests and measures the size of the encrypted traffic
  • HTTP-level compression: gzip (RFC 1952), deflate (RFC 1951)
  • Mitigated by disabling TLS/SPDY compression

<References>
1. Wiki: http://en.wikipedia.org/wiki/CRIME_(security_exploit)
2. Tor and BEAST: https://blog.torproject.org/blog/tor-and-beast-ssl-attack
3. Schneier’s Article: https://www.schneier.com/blog/archives/2011/09/man-in-the-midd_4.html
4. Generic attacks with compression: http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf

(c) BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext)

  • By Angelo Prado, Neal Harris, and Yoel Gluck, 2013 @ Blackhat 2013
  • CVE-2013-3587
  • Leverages compression and takes advantage of HTTP responses
  • Mitigated by:
    – Disabling HTTP compression
    – Separating secrets from user input
    – Randomizing secrets per request
    – Masking secrets (effectively randomizing by XORing with a random secret per request)
    – Protecting vulnerable pages with CSRF protection
    – Length hiding (by adding random number of bytes to the responses)
    – Rate-limiting the requests
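
The secret-masking mitigation from the list above, next to the static token it replaces, as an added example (not code from the BREACH authors or from this page). The secret value, the page template in `render` and all function names are assumptions; `size_gap` is a regression check to run against your own responses.

```python
import hmac
import secrets
import zlib

# Constructed per-session CSRF secret (sample value, not from the page).
SECRET = bytes.fromhex("8f3a1c5e9b7d2046a1c3e5f708192a3b")

def mask_token(secret: bytes) -> str:
    """Hardened form: pad || (pad XOR secret), with a fresh random pad per response."""
    pad = secrets.token_bytes(len(secret))
    return (pad + bytes(p ^ s for p, s in zip(pad, secret))).hex()

def unmask_token(token_hex: str) -> bytes:
    """Undo mask_token; raises ValueError on non-hex, empty or odd-sized input."""
    raw = bytes.fromhex(token_hex)
    if not raw or len(raw) % 2:
        raise ValueError("malformed token")
    half = len(raw) // 2
    return bytes(p ^ m for p, m in zip(raw[:half], raw[half:]))

def token_is_valid(token_hex: str, secret: bytes) -> bool:
    """Server-side check of a submitted token; the final compare is constant-time."""
    try:
        return hmac.compare_digest(unmask_token(token_hex), secret)
    except ValueError:
        return False

def render(token: str, reflected: str) -> bytes:
    """Hypothetical response body: the token plus reflected user input."""
    return (f'<input name="csrf" value="{token}">'
            f"<p>Results for: {reflected}</p>").encode()

def size_gap(token: str) -> int:
    """Compressed-size difference between a body reflecting an unrelated string and
    one reflecting the secret's hex; > 0 means the length depends on the secret."""
    miss = render(token, "d41d8cd98f00b204e9800998ecf8427e")
    hit = render(token, SECRET.hex())
    return len(zlib.compress(miss, 9)) - len(zlib.compress(hit, 9))

if __name__ == "__main__":
    print("static token gap:", size_gap(SECRET.hex()))        # weak: same bytes in every response
    print("masked token gap:", size_gap(mask_token(SECRET)))  # token bytes differ per response
    print("round trip ok:", token_is_valid(mask_token(SECRET), SECRET))
```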

<References>

1. Wiki: http://en.wikipedia.org/wiki/BREACH_(security_exploit)
2. Paper: http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
3. PPT: http://breachattack.com/resources/BREACH%20-%20BH%202013%20-%20PRESENTATION.pdf
4. Source Code: https://github.com/nealharris/BREACH

BGP Security

You can download the slide: BGP Security
(This has been done as a part of homework in CSE508 in SBU CS.)

There are two kinds of routing protocols: interior ones, IGP (Interior Gateway Protocol), and exterior ones, EGP (Exterior Gateway Protocol). Good examples of IGPs are RIP (Routing Information Protocol), OSPF (Open Shortest Path First), which is the most widely used, and EIGRP (Enhanced Interior Gateway Routing Protocol), which is proprietary to Cisco. Among EGPs, BGP (Border Gateway Protocol) is now the de facto standard adopted by the Internet.

First we need to define a few terms.

1. AS (Autonomous System): A set of computers and routers under a single administration
2. RIB (Routing Information Base): BGP routing entries (Adj-RIB-In, Loc-RIB, and Adj-RIB-Out)
3. BGP Attribute: attribute types that the path-vector algorithm uses to decide routes
(Origin=1, AS_Path=2, Next_Hop=3, MED=4, Local_Pref=5, Atomic_Aggregate=6, Aggregator=7)

As of Feb. 2014, there are more than 500,000 BGP routing tables available. (Check http://bgp.potaroo.net/bgprpts/rva-index.html) You may also want to know the current AS summary. (Check http://cidr-report.org/as2.0/) Each BGP speaker uses RIBs and BGP attributes and installs NLRI (or the best path) according to the following mechanism. (If one preference ties, the next attribute in order is considered.)

Highest weight → Highest LOCAL-PREF → Originated Source → Shortest AS-PATH → Lowest Origin (IBGP < EBGP < incomplete) → Lowest MED → EBGP over IBGP → Lowest IGP Metric → Lowest Route ID → Lowest Originator ID
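
The tie-break order above written as an ordered comparison, as an added example that is not taken from any router implementation. Field names, the integer `origin` rank and the sample routes are assumptions; it shows that AS-PATH length is only consulted when weight and LOCAL-PREF tie, so local policy decides first.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class Route:
    """One candidate path for a prefix; field names are assumptions for this example."""
    name: str
    as_path: Tuple[int, ...]
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    origin: int = 0            # rank of the Origin attribute, 0 = most preferred
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    router_id: int = 0
    originator_id: int = 0

# Tie-break steps in the order given above; for every key the lower value wins.
STEPS = [
    ("weight", lambda r: -r.weight),
    ("LOCAL-PREF", lambda r: -r.local_pref),
    ("originated source", lambda r: not r.locally_originated),
    ("AS-PATH length", lambda r: len(r.as_path)),
    ("origin", lambda r: r.origin),
    ("MED", lambda r: r.med),
    ("EBGP over IBGP", lambda r: not r.ebgp),
    ("IGP metric", lambda r: r.igp_metric),
    ("router ID", lambda r: r.router_id),
    ("originator ID", lambda r: r.originator_id),
]

def decide(a: Route, b: Route):
    """Return (preferred route, name of the first step where a and b differ)."""
    for step, key in STEPS:
        if key(a) != key(b):
            return (a if key(a) < key(b) else b), step
    return a, "tie"

def best_path(routes):
    """Best route among the candidates for one prefix."""
    best = routes[0]
    for r in routes[1:]:
        best = decide(best, r)[0]
    return best

# Constructed candidates for one prefix, using documentation AS numbers.
SHORT = Route("short", (64500, 64510))
PREFERRED = Route("preferred", (64501, 64502, 64510), local_pref=200)
```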

The following figure illustrates the 4 main BGP messages: OPEN, KEEP-ALIVE, UPDATE, and NOTIFICATION. BGP speakers communicate by unicast over 179/tcp.

[Figure: bgp1]

Now, let’s briefly take a look at BGP vulnerabilities from two perspectives. Because it runs over TCP and listens on port 179, BGP is exposed to all kinds of TCP attacks: IP spoofing, TCP RST, TCP RST using ICMP, session hijacking, and various denial-of-service attacks, including SYN flooding and so forth. These lead the target router to drop the BGP session and both peers to withdraw routes, disrupting network connectivity. By changing routes, an attacker can also take advantage of eavesdropping, blackholing, and/or traffic analysis.

[Figure: bgp2]

On top of that, with respect to BGP attacks, the fundamental vulnerabilities arise because no mechanism is specified within BGP to (a) validate the authority of an AS or (b) ensure the authenticity of the path attributes announced by an AS. This allows an adversary to manipulate routes through message relaying, insertion, deletion, and modification, as well as route hijacking. BGP-oriented attacks include:

(1) Route Flapping: rapid, repetitive changes cause the BGP routing table to be withdrawn and then re-advertised
(2) Route Deaggregation: announcing more specific routes in UPDATEs causes a huge number of updates, which makes the router crash and shut down
(3) (Unallocated) Route Injection: sending out incorrect routing information or transmitting routes to “bogon” prefixes

[Figure: bgp3]

Lastly, here are BGP attack countermeasures to mitigate the corresponding threats above.

1. Use an authentication mechanism

  • Use access control lists.
  • Use BGP peer authentication: MD5(Routing Advertisement + Shared Key), IPsec if available
  • Configure BGP to allow announcing only designated netblocks
  • Disable BGP version negotiation to provide faster startup
  • Announce only a preconfigured list of networks

2. Configure route manipulation protection

  • Use BGP graceful restart
  • Use max prefix limits to avoid filling router tables
  • Filter all bogon prefixes with ingress/egress filtering
  • Do not allow over-specific prefixes
  • Turn off fast external failover, called route flap damping
  • Record peer changes

3. Use a secure protocol

  • Only allow peers to connect to TCP port 179
  • Randomize sequence number (against spoofing and session hijacking)
  • Consider deploying S-BGP or BGPSec
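
One way to express the prefix-filtering items above (designated netblocks, bogon filtering, no over-specific prefixes, max-prefix limit) as an inbound check, added here as an illustration rather than any vendor's configuration. The class, the /24 cut-off, the short bogon sample and the documentation prefixes standing in for a peer's netblocks are assumptions.

```python
import ipaddress

# Short constructed bogon sample; a production list is longer and must be kept
# current. Documentation prefixes are left out because the sample below uses
# them as stand-ins for a peer's real netblocks.
BOGONS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

class PeerPolicy:
    """Inbound IPv4 prefix policy for one peer (hypothetical names and defaults)."""

    def __init__(self, allowed, max_len=24, max_prefixes=100):
        self.allowed = [ipaddress.IPv4Network(n) for n in allowed]  # designated netblocks
        self.max_len = max_len            # longest prefix length accepted
        self.max_prefixes = max_prefixes  # max-prefix limit for the session
        self.accepted = set()

    def check(self, prefix: str) -> str:
        """Return 'accept' or the reason the announced prefix is rejected."""
        try:
            net = ipaddress.IPv4Network(prefix, strict=True)
        except ValueError:
            return "reject: malformed prefix"
        if any(net.overlaps(b) for b in BOGONS):
            return "reject: bogon"
        if net.prefixlen > self.max_len:
            return "reject: over-specific"
        if not any(net.subnet_of(a) for a in self.allowed):
            return "reject: outside designated netblocks"
        # Simplification: a router may tear the session down at the limit;
        # here further new prefixes are only refused.
        if net not in self.accepted and len(self.accepted) >= self.max_prefixes:
            return "reject: max-prefix limit reached"
        self.accepted.add(net)
        return "accept"

if __name__ == "__main__":
    policy = PeerPolicy(["198.51.100.0/24", "203.0.113.0/24"], max_prefixes=1)
    for p in ("10.1.0.0/16", "198.51.100.128/25", "192.0.2.0/24",
              "198.51.100.0/24", "203.0.113.0/24"):
        print(p, "->", policy.check(p))
```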

[References]

RFC 4271 - A Border Gateway Protocol 4 (BGP-4), which obsoletes RFC 1771, 1772
RFC 4272 - BGP Security Vulnerabilities Analysis
RFC 2439 - BGP Route Flap Damping
http://moo.cmcl.cs.cmu.edu/~dwendlan/routing/
http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html

Demystifying BitTorrent Protocol

BitTorrent is the protocol most widely used today for sharing individual files. From a copyright standpoint, it is also the protocol behind more than 200,000 people being sued over copyright since 2010. Let's take a technical look at this protocol, which was first created in 2001 by a fellow named Bram. This was also presented at F-Insight, so refer to the following material. ( BitTorrent-Protocol )

Today the BitTorrent protocol is widely used for private file sharing. Created by Bram Cohen in 2001, it is estimated to have 150 million active users and approximately 250 million potential ones as of Jan. 2011. You may want to refer to the material which I presented at the “Forensic Insight Seminar”.

1. Terminology

(Ref) http://www.bittorrent.com/intl/ko/help/faq/concepts

block: a piece of a file when distributed via BitTorrent
peer: one of a group of clients downloading the same file
leech: a peer that is downloading while uploading very little, or nothing at all (a.k.a. leecher)
scrape: a request to the tracker for information about the statistics of the torrent
seed: a complete copy of the file being made available for download
seeder: a peer that is done downloading a file and is now just making it available to others
torrent: the instance of a file or group of files being distributed via BitTorrent
swarm: a group of seeds and peers sharing the same torrent
tracker: a server that keeps track of the peers and seeds in a swarm

2. Protocol Specification
(1) Bencoding (Binary Encoding): A way to specify the data in a terse format
  • Strings, integers, lists, and dictionaries are defined as shown below and expressed compactly.

(2) Torrent File Structure

  • The torrent file structure is shown below; it is broadly divided into an Info section and an Announce section.
  • Info consists of the total file length, the name, the piece length, and the 20-byte SHA1 value of each piece.
  • The piece length varies with the file size, but 256KB is used as the default.
  • For reference, there are also websites where a torrent file can be edited directly. (http://torrenteditor.com)
An example of a torrent file for each part: d for dictionaries, l for lists, i for integers, s for strings.
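
A small bencoding decoder for the four types above, added as an example (not the reference client's code), together with two checks an examiner usually wants from a torrent file: the info_hash, which is the SHA-1 of the bencoded info dictionary, and verification of content against the per-piece SHA1 values. The sample torrent, tracker URL and function names are constructed for the example.

```python
import hashlib

def bdecode(data: bytes, i: int = 0):
    """Decode one bencoded value at data[i]; return (value, index after it)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list l...e, dictionary d...e
        i, items = i + 1, []
        while data[i:i + 1] != b"e":               # truncated input raises below
            item, i = bdecode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        if len(items) % 2 or not all(isinstance(k, bytes) for k in items[::2]):
            raise ValueError("dictionary needs string keys, each with a value")
        return dict(zip(items[::2], items[1::2])), i + 1
    if c.isdigit():                                # string: <length>:<bytes>
        colon = data.index(b":", i)
        end = colon + 1 + int(data[i:colon])
        if end > len(data):
            raise ValueError("string runs past end of input")
        return data[colon + 1:end], end
    raise ValueError(f"unexpected byte at offset {i}")

def info_hash(torrent: bytes) -> str:
    """SHA-1 over the raw bytes of the top-level 'info' value, as found in the file."""
    if torrent[:1] != b"d":
        raise ValueError("torrent must be a bencoded dictionary")
    i = 1
    while torrent[i:i + 1] != b"e":
        key, start = bdecode(torrent, i)
        _, i = bdecode(torrent, start)
        if key == b"info":
            return hashlib.sha1(torrent[start:i]).hexdigest()
    raise ValueError("no info dictionary")

def bad_pieces(torrent: bytes, content: bytes) -> list:
    """Indexes of pieces whose SHA-1 differs from the 20-byte values in 'pieces'."""
    info = bdecode(torrent)[0][b"info"]
    size, digests = info[b"piece length"], info[b"pieces"]
    return [n for n in range(len(digests) // 20) if digests[n * 20:n * 20 + 20]
            != hashlib.sha1(content[n * size:(n + 1) * size]).digest()]

CONTENT = b"hello bittorrent"  # constructed sample: 16 bytes, 8-byte pieces
PIECES = b"".join(hashlib.sha1(CONTENT[o:o + 8]).digest() for o in (0, 8))
INFO = b"d6:lengthi16e4:name9:hello.txt12:piece lengthi8e6:pieces40:" + PIECES + b"e"
TORRENT = b"d8:announce31:http://tracker.example/announce4:info" + INFO + b"e"
```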
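(3) Tracker HTTP Protocol
  • The table below shows the request fields sent to the tracker server; the most important are info_hash, peer_id, port, and numwant.
  • The port differs for each application that implements BitTorrent, so the default port may differ.
  • By default, the tracker provides the locations of 50 peers that hold pieces, and the client begins receiving from those peers.
  • In the figure below, once tracker handshaking completes, a peer holding a piece announces that it has it (Have) and sends a request (request).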
3. Operation
(1) File Sharing Mechanism
  • The Initial Seeder on the left splits the file into pieces and informs the tracker, with the location information included in the torrent file.
  • The leecher on the right sends a request to the tracker using the file's torrent information, and after receiving the response, receives packets.
  • In practice, because of performance issues, each piece is split again into 16KB sub-pieces, and only five are received at a time.
  • In the figure below, when the cat Leecher finishes downloading, the chicken, a new Leecher, again requests from both sides.
(2) Piece Selection Algorithms
  • Super Seeding (Initial Seeding Mode): Special Case
    A peer has nothing to trade initially, so it is important to get a complete piece ASAP. This makes the peer select a random piece of the file and download it.
  • Strict Priority: First Priority
    This policy keeps the initial bitfield from each peer, and updates it with every “have” message. Then a peer downloads the pieces that appear least frequently in these peer bitfields.
  • Rarest First → General rule
    BitTorrent determines the pieces that are most rare among your peers, and downloads those first. It ensures that the most commonly available pieces are left till the end to download.
  • Endgame mode
    As completion nears, BitTorrent sends requests to all peers at the same time.
    If the requests seem to pend, then they are cancelled immediately.
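
The bitfield and “have” bookkeeping behind rarest-first selection, as an added example rather than code from a BitTorrent client. The class and method names and the lowest-index tie-break are assumptions; malformed bitfields and out-of-range indexes from a peer are rejected.

```python
class Availability:
    """Tracks which peer has which piece (hypothetical class for this example)."""

    def __init__(self, num_pieces: int):
        self.num_pieces = num_pieces
        self.peers = {}                       # peer id -> set of piece indexes

    def on_bitfield(self, peer: str, bitfield: bytes) -> None:
        """Record a peer's initial bitfield (high bit of byte 0 is piece 0)."""
        if len(bitfield) != (self.num_pieces + 7) // 8:
            raise ValueError("bitfield has the wrong length")
        bits = {i for i in range(len(bitfield) * 8)
                if bitfield[i // 8] & (0x80 >> (i % 8))}
        if any(i >= self.num_pieces for i in bits):
            raise ValueError("spare bits set in bitfield")
        self.peers[peer] = bits

    def on_have(self, peer: str, index: int) -> None:
        """Apply a 'have' message; out-of-range indexes are rejected."""
        if not 0 <= index < self.num_pieces:
            raise ValueError("piece index out of range")
        self.peers.setdefault(peer, set()).add(index)

    def next_piece(self, mine: set):
        """Rarest missing piece that at least one peer has, or None."""
        counts = {}
        for bits in self.peers.values():
            for i in bits - mine:
                counts[i] = counts.get(i, 0) + 1
        if not counts:
            return None
        return min(counts, key=lambda i: (counts[i], i))   # tie: lowest index

if __name__ == "__main__":
    swarm = Availability(4)                   # constructed 4-piece torrent
    swarm.on_bitfield("p1", b"\xf0")          # p1 has pieces 0-3
    swarm.on_bitfield("p2", b"\xc0")          # p2 has pieces 0-1
    swarm.on_have("p2", 2)                    # p2 finishes piece 2
    print(swarm.next_piece(set()))            # piece 3 is held by one peer only
```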