L17-Low-Level Network Attacks

  • WPA: Communicate securely in a wireless local network
  • DHCP: Get configurations when first connecting to a network

DHCP

  • Layer: 2-3 (see below)
  • Purpose: Get configurations when first connecting to a network
  • Vulnerability: On-path attackers can see requests and send spoofed malicious responses
  • Defense: Accept as a fact of life and rely on higher layers

Initial network configuration: used when first connecting to a network

Steps of the DHCP handshake

  1. Client Discover: The client broadcasts a request for a configuration

  2. DHCP Offer: Any DHCP server can respond with a configuration offer

    • Usually only one DHCP server responds
    • The offer includes an IP address for the client, the DNS server’s IP address, and the (gateway) router’s IP address
    • The offer also has an expiration time (how long the user can use this configuration)
  3. Client Request: The client broadcasts which configuration it has chosen

    • If multiple DHCP servers made offers, the ones that were not chosen discard their offer
    • The chosen DHCP server gives the offer to the client
  4. DHCP Acknowledgement: The chosen server confirms that its configuration has been given to the client

The slides have an animated diagram of this.

DHCP attack

As with ARP, the client has no way to verify the response and simply accepts the first one it receives (a race condition), and the attacker must be on the same LAN. So a MITM attack is possible.

ARP vs. DHCP attacks

Both: a race condition, and the attacker must be on the same LAN.

Defense

Also hard to defend against; we need a higher layer to provide the defense.

Wireless Local Network

Wi-Fi

Layer 2 protocol

Parts of a Wi-Fi network

  • Access point: A machine that will help you connect to the network
  • SSID (service set identifier): The name of the Wi-Fi network
  • Password: Optionally, a password to secure Wi-Fi communications

WPA2

Wi-Fi Protected Access 2 (WPA2): A protocol for securing Wi-Fi network communications with cryptography

Design goals

  • Everyone with the Wi-Fi password can join the network
  • Messages sent over the network are encrypted with keys
  • An attacker who does not know the Wi-Fi password cannot learn the keys

WPA handshake

Damn, this part is a bit messy...

  • Both sides derive secret keys for communication

    • Wi-Fi password → PSK
    • PSK + nonces + MAC addresses → PTK
    • The PTK is used to encrypt and authenticate all future communication
    • Note: The PTK is different for every user, because of the nonces
  • The access point encrypts and sends the GTK to the client

    • The GTK is used for messages broadcast to the entire network
    • Everyone on the network uses the same GTK
  • The optimized version of the handshake decreases the number of messages sent back and forth

Optimized version

Attacks

Rogue AP: a fake AP that supplies its own ANonce and carries out a MITM attack

Brute force: guess the password, since the nonces and MAC addresses are all public

No forward secrecy: once the PSK is known, all past traffic can be decrypted
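To make the key-derivation bullets above and the three attacks concrete, here is an added example (my own code, not from the lecture) that follows the WPA2-Personal derivation: PBKDF2-HMAC-SHA1 over the password salted with the SSID gives the PSK, and the 802.11 PRF over the PSK, both MAC addresses and both nonces gives the PTK. The MAC addresses and nonces are constructed sample values; the password "password" with SSID "IEEE" is the standard's published test vector. It shows that the password is the only secret: fresh nonces give each session a different PTK, yet anyone holding the password and the public handshake values recomputes the same PTK, which is why there is no forward secrecy and why password strength matters.

```python
import hashlib
import hmac


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PSK (= PMK) is PBKDF2-HMAC-SHA1 of the Wi-Fi
    password, salted with the SSID, 4096 iterations, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(psk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PSK, "Pairwise key expansion", min/max MACs || min/max nonces).
    Every input here except the PSK is sent in the clear during the handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(psk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes) -> dict:
    """CCMP layout: KCK (handshake MIC), KEK (wraps the GTK), TK (data traffic)."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# Constructed sample values for the demo (not from a real capture).
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def demo(password: str = "password", ssid: str = "IEEE"):
    psk = derive_psk(password, ssid)
    # Session 1 between the AP and this client.
    ptk1 = derive_ptk(psk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    # Session 2, same password and client, fresh ANonce -> a different PTK.
    ptk2 = derive_ptk(psk, AP_MAC, CLIENT_MAC, bytes(range(64, 96)), SNONCE)
    # Anyone who knows the password and recorded the public values of session 1
    # reproduces its PTK exactly: this is the "no forward secrecy" point.
    recomputed = derive_ptk(derive_psk(password, ssid), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return psk, ptk1, ptk2, recomputed
```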

WPA encryption

The core problem is that every client derives its PTK from the same PSK; on a home Wi-Fi network, for example, everyone uses the same password.

On some public networks, a randomly generated key is used instead of the PSK.

Attacks on WPA Enterprise

Encryption defends against the three attacks above, but ARP and DHCP at the higher layers remain vulnerable.

BGP

Border Gateway Protocol

Review the IP protocol and subnets

[Really can't follow the video, sob; I'll read the textbook instead]

Autonomous System

  • Once your system sends the packet to the gateway, the packet has to be routed through the Internet

  • The Internet is a network of networks, comprised of many autonomous systems (AS)

    • Each AS handles its own internal routing
    • Each AS is uniquely identified by its autonomous system number (ASN)
    • Each AS is comprised of one or more LANs
    • The AS can forward packets to other connected ASes
  • The protocol for communicating between different Autonomous Systems is Border Gateway Protocol (BGP)

    • Each router announces what networks it can provide and the path onward from the router
    • The most precise route with the shortest path and no loops is the preferred route


IP and BGP attack

  • Each AS implicitly trusts the surrounding ASes and accepts advertised routes

  • IP spoofing: Malicious clients can send IP packets with source IP values set to a spoofed value

    • Edge ASes should block packets with source IPs set to the wrong value, but some don’t
    • Enables packets that look like they’re coming from someone else!
    • We rely on defenses provided by higher layers to further prevent this (“defense in depth”)
  • BGP hijacking: A malicious autonomous system can lie and claim to be responsible for a network which it isn't

    • Example: AS3 broadcasts that it is responsible for 128.32.0.0/16

      • Now, the malicious AS can act as a MITM for traffic to 128.32.0.0!
    • No real defenses on this level, so we rely on defenses from higher levels
