Tag: Defined

VMware and Trend Micro: Security for the Software Defined Datacenter – Trend Micro

Hello, I'm Steve Kwan[sp]. And I'm here with Adim Nahid[sp] And we're excited to do another year of a great partnership between VMware and Trend Micro. Over the last [xx] years our customer have been moving quickly to adopt cloud. And security is top of mind for them and I think the relationship has really …

Networking Security Intro – Georgia Tech – Software Defined Networking

To see how see how a DNS cache poisoning attack works, consider a network where a stub resolver issues a query to its recursive resolver, and the recursive resolver in turn sends that A record query to the start of authority for that domain.

Now, in an ideal world, the authoritative name server for that domain Would reply with the correct IP address.

If an attacker guesses that a recursive resolver might eventually need to issue a query for say, www.



The attacker can simply reply with multiple, specially crafted.

Replies each with different id's.

Although this query has some query id, the attacker doesn't need to see that query because the attacker can simply flood the recursive resolver with a bunch of bogus replies and one of them, in this case the response with id3 will match.

As long as this bogus response reaches the recursive resolver before the legitimate response does, the recursive resolver will accept this bogus message.

And worse, it caches the bogus message.

And DNS, unfortunately, has no way to expunge.

A message once it has been cached.

So now this reclusive resolver will continue to send bogus A record responses for any query for this particular domain name until that entry expires from the cache.

Now there's several defenses against DNS cache poisoning, and we've already seen one, which is the query ID.

But of course, the query ID can be guessed.

The next defense is to randomize the ID so rather than having a resolver, end queries where the ID's increment in sequence, the resolver can pick a random ID.

This makes the ID tougher to guess, but still, the query ID is only 16 bits, which still makes it possible for an attacker to flood the recursive resolver with many possible responses.

And, it's likely that, with relatively few responses, One of these bogus responses will match the ID for the real query.

Due to the birthday paradox, the success probability for achieving a collision between the query ID of the query ,and of the response actually only requires sending hundreds of replies, not a complete 32,000.

Due to the birthday paradox, The probability that such an attack will succeed, using only a few hundreds of replies, is relatively close to one.

The attacker does not need to send replies with all two to the 16th possible IDs.

The success of a DNS cache poisoning attack not only depends on the ability to reply to a query with a correct matching ID, but it also depends on winning this race.

That is, the attacker must reply to that query before the legitimate authoritative name server replies.

If the bad guy, or the attacker, loses the race, then the attacker has to wait for that correct cached entry to expire, before trying again, however the attacker can generate his own DNS query.

For example, he could query one.


Com, two.


Com and so forth.

Each one of these bogus queries will generate a new race.

And eventually the attacker will win one of these races for an A record query.

But who cares? Nobody necessarily cares to own one.


Com, or google.


The attacker really wants to own the entire zone.

Well the trick here is that instead of just simply responding with A records in the bogus replies.

The attacker can also respond with NS records for the entire zone of google.


So by creating one of these races, using an A record query, and then responding not only with the A record response, but also with the authoritative of the NS record,for the entire zone.

The attacker can in fact own the entire zone.

This idea of generating extreme of A record queries to generate a bunch of races and then stuffing the A record responses for each of these with a bogus authoritative NS record for the entire zone.

Is what's called the Kaminsky Attack, after Dan Kaminsky, who discovered the attack.

The defenses of picking a query ID and randomizing the ID, help, but remember the randomization is only 16 bits, so let's think about other possible defenses.

Source: Youtube

Need for Network Security – Georgia Tech – Software Defined Networking

In addition to having query ID and randomization of that ID, the resolver can randomize the source port on which it sends the query, thereby adding an additional 16 bits of entropy to the ID that's associated with the query.

Unfortunately, picking a random source port can be resource intensive and also a network address translator or a NAT, could derandomize the port.

Another defense is called the 0x20 or the zero x20 encoding, which is based on the intuition that DNS matching and resolution is entirely case insensitive.

So capitalization of individual letters in the domain name do not affect the answer that the resolver will return.

This 0x20 bit, or the bit that affects whether a particular character is capitalized or in lower case can also be used to introduce additional entropy.

When generating a response to a query such as this one, the query is copied from the DNS query into the response exactly as it was in the query.

The mixed pattern of upper and lower case letters thus constitutes a channel.

If the resolver and the authoritative server can agree on a shared key, then the resolver and the authoritative are the only ones who know the appropriate pattern of upper and lower case letters for a particular domain name.

Because no attacker would know the appropriate combination of upper and lower case letters for a particular domain.

It becomes even more difficult for the attacker to inject a bogus reply, because not only would the attacker have to guess the ID, but the attacker would also have to guess the capitalization sequence for any particular domain name.

Source: Youtube

Routing Security – Georgia Tech – Software Defined Networking

The first worm was designed by Robert Morris, Jr.

in 1988.

The worm itself had no malicious payload but, it ended up bogging down the machines that it infected by spawning new processes uncontrollably and exhausting resources.

And at the time it was released, it affect ten percent of all Internet hosts.

It spread, through three different propagation vectors.

The worm tried to crack passwords ,using a small dictionary and a publicly readable password file and also targeted hosts.

That were already listed in a trusted host file, on the machine that was already infected.

This ability to perform remote execution was one way, that the worm was allowed to spread.

The second way that it spread ,was in a buffer overflow vulnerability, In the finger demon.

This was a standard buffer overflow exploid.

And ,if you don't know about buffer overflows, I would urge you to take a computer security coarse.

But essentially, this is a very common attack that makes remote exploits possible, effectively resulting in the ability to run arbitrary code.

At the root level privilege.

The third way that worm spread, was via the debug command in send mail, which is a mail sending service.

In early send mail versions, it was possible to execute a command on a remote machine by sending an SMTP message.

The worm used this, capability to spread automatically.

A key theme that we'll see In the design of other worms, is this use of multiple vectors.

Now any particular worm, may end up using, a different set of vectors depending on the remote vulnerabilities that it's trying to exploit.

But the idea that any worm should be able to exploit multiple weaknesses in a system gives it more ways to spread.

And often also speeds up the propagation of the worm.

This worm design also followed the following general approach, which we see showing up over and over again in worm designs.

First, the worm needs to scan other hosts to find potentially vulnerable hosts.

In the second step, it needs to spread.

By infecting, other vulnerable hosts.

And in the third step, it needs to remain undiscoverable and undiscovered so that it can continue to operate and spread without being removed from systems.

Source: Youtube

DNS Security Quiz Answer – Georgia Tech – Software Defined Networking

Let's talk about how to infer denial of service activity using a technique called backscatter.

The idea behind backscatter is that when an attacker spoofs a source IP address, say on a TCP SYN flood attack, that the replies to that initial TCP SYN from the victim will go to the location of the source IP address.

This replies to forged attack messages are called" backscatter".

Now the interesting thing about backscatter is that if we can assume that the source IP addresses are selected by the attacker at random, and we could set up a portion of the network where we could monitor this back scatter traffic, coming back as SYN-ACK replies to forged source IP addresses.

If we assume that these source IP addresses are picked uniformly at random, then the amount of traffic that we see as back scatter.

Represents exactly a fraction that's proportional to the size of the overall attack.

So for example, if we monitor N IP addresses and we see M attack packets, then we expect to see here N over two to the 32 of the total back scatter packets and hence of the total attack rate.

If we want to compute the total attack rate, we simply invert this fraction.

So for example, in this case, if our telescope were a slash eight, or two to the 24th IP addresses, we would simply multiply our observed attack rate x by two to the 32 divided by two to the 24 or 255.

Source: Youtube