Network Protocol Attacks & Defenses

Week 1: Network Fundamentals & Attacks

Introduction to AS & BGP

The internet consists of autonomous systems (AS), each a cloud of routers under one administrative control. ASes exchange reachability information using the BGP protocol, which populates the routing tables of the border routers; the inter-router BGP sessions run over 179/tcp. This is related to the concept of gateways.

Attacks on BGP

A good high-level overview of BGP.

BGP Vulnerabilities

  • BGP hijacking, either by advertising smaller, more-specific subnets or by advertising shorter (apparently faster) routes. This additionally allows traffic sniffing on the hijacking gateway router.
  • Swamping a BGP link to force traffic onto a different AS.
  • Re-advertising withdrawn routes.

BGP Mitigations

There are mitigations; for example, Cloudflare advertises its nodes as a single ASN globally.
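To make the hijack bullets concrete, here is an added example (not code from the notes) of the two selection steps that let a more-specific prefix win, and of one mitigation the notes do not name: route origin validation against Route Origin Authorizations (ROAs, the RPKI mechanism). The routing table, the hijacker AS 64666 and the ROA table are constructed for the demonstration; the assumption that a router simply drops announcements that fail origin validation is a policy choice, not a BGP default.

```python
import ipaddress

# Constructed routing table entries: (prefix, origin AS, AS-path length).
# AS 64666 is a hypothetical hijacker announcing a more-specific /25 with a shorter path.
ROUTES = [
    ("203.0.113.0/24", 64500, 3),
    ("203.0.113.0/25", 64666, 2),
    ("198.51.100.0/24", 64501, 2),
]

# Constructed Route Origin Authorizations: prefix -> (authorized origin AS, max prefix length).
ROAS = {
    "203.0.113.0/24": (64500, 24),
    "198.51.100.0/24": (64501, 24),
}


def best_route(routes, dst):
    """Pick the route for dst: longest prefix first, then shortest AS path.
    This selection order is what lets a more-specific /25 beat the legitimate /24."""
    addr = ipaddress.ip_address(dst)
    candidates = [
        (ipaddress.ip_network(prefix), origin, path_len)
        for prefix, origin, path_len in routes
        if addr in ipaddress.ip_network(prefix)
    ]
    if not candidates:
        return None
    candidates.sort(key=lambda c: (-c[0].prefixlen, c[2]))
    net, origin, path_len = candidates[0]
    return str(net), origin, path_len


def origin_valid(prefix, origin_as, roas):
    """Route origin validation: accept an announcement only if a ROA covers the prefix,
    names this origin AS, and permits a prefix this specific (max length)."""
    net = ipaddress.ip_network(prefix)
    for roa_prefix, (auth_as, max_len) in roas.items():
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.subnet_of(roa_net) and net.prefixlen <= max_len and origin_as == auth_as:
            return True
    return False


def filtered_routes(routes, roas):
    """Assumed policy: drop every announcement whose origin cannot be validated."""
    return [r for r in routes if origin_valid(r[0], r[1], roas)]


if __name__ == "__main__":
    print("unfiltered:", best_route(ROUTES, "203.0.113.9"))
    print("filtered:  ", best_route(filtered_routes(ROUTES, ROAS), "203.0.113.9"))
```

Without filtering, traffic for 203.0.113.9 follows the /25 from AS 64666; with origin validation the /25 is rejected twice over (wrong origin AS, and more specific than the ROA's maximum length), so the legitimate /24 from AS 64500 is selected.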

Attacks on IP Protocol

IP Protocol Vulnerabilities

  • No integrity: data and headers can be modified in transit.
  • Spoofing the source IP address can be used to cause denial of service.
  • Infections can be carried out anonymously (e.g., the Slammer worm) by randomizing the source IP.
  • The Smurf attack likewise works by modifying the source IP in ICMP ping requests.
  • The header checksum is only meant to catch accidental transmission errors; its threat model is not adversarial.
  • No confidentiality: packets can be sniffed.
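The checksum point is worth seeing in code. The following is an added example, not part of the notes: it builds a minimal IPv4 header, computes the RFC 1071 header checksum, rewrites the source address and recomputes the checksum (which anyone on the path can do), and shows that the checksum still validates while a keyed MAC over the same bytes does not. The demo key is a constructed placeholder; real integrity protection comes from IPsec or a higher layer such as TLS.

```python
import hashlib
import hmac
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complement.
    The caller zeroes the checksum field when computing; summing a header that
    already contains a correct checksum yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:  # fold end-around carries
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(p) for p in dotted.split("."))


def build_ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 6, total_len: int = 40) -> bytes:
    """20-byte header: version 4, IHL 5, DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, proto, 0,
                      _ip_bytes(src), _ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def checksum_valid(header: bytes) -> bool:
    return ipv4_checksum(header) == 0


def rewrite_source(header: bytes, new_src: str) -> bytes:
    """Change the source address and recompute the checksum, as any on-path party can."""
    hdr = header[:10] + b"\x00\x00" + header[12:16] + _ip_bytes(new_src) + header[16:]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


KEY = b"constructed-demo-key"  # placeholder shared key for the comparison only


def mac_tag(header: bytes) -> bytes:
    """What an integrity mechanism with an adversarial threat model looks like: a keyed MAC."""
    return hmac.new(KEY, header, hashlib.sha256).digest()


def demo() -> dict:
    original = build_ipv4_header("192.0.2.10", "198.51.100.20")
    tag = mac_tag(original)
    forged = rewrite_source(original, "203.0.113.5")
    return {
        "original_valid": checksum_valid(original),
        "forged_checksum_valid": checksum_valid(forged),
        "forged_mac_valid": hmac.compare_digest(mac_tag(forged), tag),
    }


if __name__ == "__main__":
    print(demo())
```

The checksum accepts the rewritten header because it is a function of the bytes alone; the MAC rejects it because the rewriter does not hold the key. That is the whole difference between an error-detection code and an integrity mechanism.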

Defining the Threat Model

  • A threat model defines the desired security property or goal, the capabilities of the attacker, and the assumptions about the setup.

Week 2: TCP, DNS, and Firewalls

Attacks on TCP Protocol

TCP Handshake & Security

This section elaborates on the security afforded by the TCP protocol, starting with an overview of the TCP handshake, which is what the server relies on to authenticate the client: completing it shows that the client can receive packets sent to its claimed source IP.

TCP Vulnerabilities

  • Opening many TCP connections floods the server's memory, since it must store per-connection state such as sequence numbers.
  • Predictable or intercepted sequence numbers: by spoofing the source IP and predicting the server's sequence number, an attacker misleads the server into thinking it is communicating with another client.
  • TCP therefore cannot be relied on for IP-address authentication, yet it is commonly used that way, e.g., in /etc/hosts.

Threat Modeling for TCP

When looking at vulnerabilities of a protocol, distinguish what its threat model is; for example, TCP is not designed to provide authentication at its OSI layer.

Attacks on DNS

DNS Vulnerabilities

  • Modification of in-transit packets.
  • DNS cache poisoning: spoofed DNS response packets can be sent so that a local DNS resolver caches them.
  • DNS implementations that use a predictable query ID (QID) let attackers craft spoofed DNS responses that match an outstanding query.

DNS Attack Flow Example

Attack flow: an attacker tricks a user into sending a DNS request to a malicious site and thereby learns the resolver's current QID. Upon a subsequent request to another DNS server, the attacker replies with a spoofed NS or A record. This is a race between the malicious actor and the authoritative server. Flushing the cache by making multiple DNS requests to the DNS resolver can be a countermeasure.

DNS Mitigations

  • Can be mitigated by choosing the QID with a cryptographically secure PRNG.
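Why the PRNG matters is easiest to see by measuring it. The following added example (not from the notes) models the resolver's acceptance check from the DNS attack flow above: a forger who has observed one ID predicts the next as "observed + 1", and the resolver accepts a reply only if the ID matches. The same model covers the predictable TCP sequence numbers listed under TCP vulnerabilities, by setting the identifier width to 32 bits. The sequential generator stands in for an old counter-based implementation; the random one uses the `secrets` module, i.e. a cryptographically secure source.

```python
import secrets


def sequential_ids(start: int = 1000, bits: int = 16):
    """Predictable identifiers: a plain counter, as in older resolver implementations."""
    n = start
    while True:
        yield n
        n = (n + 1) % (1 << bits)


def random_ids(bits: int = 16):
    """Identifiers drawn from a cryptographically secure PRNG."""
    while True:
        yield secrets.randbelow(1 << bits)


def guess_success_rate(id_source, trials: int, bits: int = 16) -> float:
    """Fraction of trials in which a forged reply carrying the guess 'last observed + 1'
    would pass the resolver's ID check. The forger is assumed to see each real ID
    after the fact (e.g., via a query to a server it controls) and to guess the next one."""
    observed = next(id_source)
    hits = 0
    for _ in range(trials):
        actual = next(id_source)          # ID the resolver attached to its real query
        guess = (observed + 1) % (1 << bits)
        if guess == actual:               # the only check a legacy resolver performs
            hits += 1
        observed = actual
    return hits / trials


if __name__ == "__main__":
    print("counter QID  :", guess_success_rate(sequential_ids(), 1000))
    print("random QID   :", guess_success_rate(random_ids(), 1000))
    print("random 32-bit:", guess_success_rate(random_ids(bits=32), 1000, bits=32))
```

With the counter, every forged reply is accepted; with a random 16-bit QID the per-query success rate is about 1 in 65536, and with 32-bit identifiers it is negligible. Note that a 16-bit space is still small enough that a forger who floods many guesses per query gains proportionally, which is why deployed resolvers also randomize the source port.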

Here is a resource on DNS security.

Overview of Firewalls

Firewall Types & Implementation

A stateless firewall inspects each packet on its own and checks whether it matches the rules. These devices need high overall throughput. Note that the device on which the firewall sits must also be able to support the TCP reconstruction process (why?). Other types of firewalls include stateful firewalls and application-layer firewalls.

On Linux, the firewall is implemented within the Netfilter framework (e.g., iptables), which exposes hooks at different points of a packet's path, such as INPUT, FORWARD, and POSTROUTING.
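The difference between stateless and stateful filtering is small in code but large in effect. This added example (not from the notes, and not Netfilter code) models both: a stateless rule that admits any inbound TCP packet that is not a bare SYN, and a connection-tracking filter that admits an inbound packet only if an inside host opened the flow. The packets are constructed; the `Packet` class and the `direction` field are simplifications for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    direction: str = "in"  # "in": arriving from outside; "out": leaving the protected network


def stateless_allow(pkt: Packet) -> bool:
    """Stateless policy: let everything out; let a packet in unless it is a bare SYN
    (a new connection attempt). Each packet is judged on its own header bits only."""
    if pkt.direction == "out":
        return True
    return not (pkt.syn and not pkt.ack)


class StatefulFirewall:
    """Connection tracking: remember flows the inside opened (outbound SYN) and admit
    inbound packets only when they belong to one of those flows."""

    def __init__(self):
        self.flows = set()  # (inside host, inside port, outside host, outside port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.syn and not pkt.ack:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the inside host is the destination, the outside host the source.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def demo() -> dict:
    """Constructed traffic: one legitimate session plus one unsolicited inbound packet
    that merely has the ACK bit set. Returns {name: (stateless verdict, stateful verdict)}."""
    fw = StatefulFirewall()
    syn = Packet("10.0.0.5", "198.51.100.20", 40000, 443, syn=True, direction="out")
    reply = Packet("198.51.100.20", "10.0.0.5", 443, 40000, syn=True, ack=True, direction="in")
    probe = Packet("203.0.113.7", "10.0.0.5", 1234, 22, ack=True, direction="in")
    results = {}
    for name, pkt in (("syn", syn), ("reply", reply), ("probe", probe)):
        results[name] = (stateless_allow(pkt), fw.allow(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:6s} stateless={stateless} stateful={stateful}")
```

The unsolicited packet with ACK set passes the stateless rule, because the rule can only look at flag bits, and is dropped by the stateful one, because no inside host ever started that flow. In iptables terms the stateless rule corresponds to matching `! --syn`, and the stateful one to `-m conntrack --ctstate ESTABLISHED,RELATED`.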

Firewall Vulnerabilities

  • DDoS by directing many requests at the firewall itself.
  • Does not protect against requests originating inside the network.

Firewall Mitigations

  • Fingerprinting of packet payloads against known signatures; the attacker's countermeasure is to split the payload across packets, which in turn calls for matching sub-signatures across packets, etc.
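The bullet above, together with the reconstruction requirement from the firewall overview, is illustrated by the following added example (not from the notes). It compares three ways a firewall can match one signature against a TCP stream: per packet, with a short carry-over buffer that bridges consecutive in-order segments, and on the fully reassembled stream. The signature and the segments are constructed.

```python
SIGNATURE = b"/etc/passwd"  # constructed example signature

# Constructed segments as (sequence number, payload). The signature straddles the two.
IN_ORDER = [(0, b"GET /etc/pas"), (12, b"swd HTTP/1.0")]
OUT_OF_ORDER = [IN_ORDER[1], IN_ORDER[0]]


def per_packet_match(segments, signature=SIGNATURE) -> bool:
    """Inspect every segment in isolation, as a firewall without reassembly does."""
    return any(signature in payload for _, payload in segments)


def streaming_match(segments, signature=SIGNATURE) -> bool:
    """Keep only the last len(signature)-1 bytes of the previous in-order segment, so a
    signature split across two consecutive packets is still found without buffering the
    whole stream. A gap in sequence numbers resets the carry: this cheap approach cannot
    bridge out-of-order delivery."""
    keep = len(signature) - 1
    carry = b""
    expected_seq = None
    for seq, payload in segments:  # processed in arrival order
        if expected_seq is not None and seq != expected_seq:
            carry = b""
        if signature in carry + payload:
            return True
        carry = (carry + payload)[-keep:] if keep > 0 else b""
        expected_seq = seq + len(payload)
    return False


def reassembled_match(segments, signature=SIGNATURE) -> bool:
    """Reorder by sequence number and match on the reassembled byte stream, which is what
    the endpoint's TCP stack will hand to the application."""
    stream = b"".join(payload for _, payload in sorted(segments))
    return signature in stream


if __name__ == "__main__":
    for name, segs in (("in order", IN_ORDER), ("out of order", OUT_OF_ORDER)):
        print(name, per_packet_match(segs), streaming_match(segs), reassembled_match(segs))
```

Per-packet matching misses the split signature in both cases; the carry-over buffer catches it when segments arrive in order but not when they arrive reversed; only full reassembly matches what the application will actually see, which is the reason the firewall needs to perform the TCP reconstruction itself.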

Firewall Threat Model

Adversary Capabilities

  • Adversary can send malicious network packets.
  • Adversary is outside the network perimeter.

Assumptions

  • The network perimeter is correctly defined, which is not necessarily true in the context of Bring-Your-Own-Device (BYOD).
  • Firewall is not compromised.
  • Firewall sees the same data as the endpoint; for deeper packet inspection, the firewall itself needs to perform packet reconstruction as well (there is still always a semantic gap between the firewall and the end application).
  • Defender's policy can distinguish good from bad traffic.

Threat Model Weakness

Weakness of this threat model: the defender needs to know every specific attack pattern in order to set policy, and the adversary can easily violate these assumptions.

Importance of Threat Modeling

The point of this section is to emphasize that thinking about the threat model conceptually is important for defending against attacks.