Which security feature should be enabled in order to prevent an attacker from overflowing the MAC address table?

What is Information Security?

Jason Andress, in The Basics of Information Security (Second Edition), 2014

Types of attack payloads

When we look at the types of attacks we might face, we can generally place them into one of four categories: interception, interruption, modification, and fabrication. Each category can affect one or more of the principles of the CIA triad, as shown in Figure 1.3. Additionally, the lines between the categories of attack and the particular effects they can have are somewhat blurry. Depending on the attack in question, we might argue for it to be included in more than one category or have more than one type of effect.


Figure 1.3. Categories of attack.

Interception

Interception attacks allow unauthorized users to access our data, applications, or environments, and are primarily an attack against confidentiality. Interception might take the form of unauthorized file viewing or copying, eavesdropping on phone conversations, or reading e-mail, and can be conducted against data at rest or in motion. Properly executed, interception attacks can be very difficult to detect.

Interruption

Interruption attacks cause our assets to become unusable or unavailable for our use, on a temporary or permanent basis. Interruption attacks often affect availability but can be an attack on integrity as well. In the case of a DoS attack on a mail server, we would classify this as an availability attack. In the case of an attacker manipulating the processes on which a database runs in order to prevent access to the data it contains, we might consider this an integrity attack, due to the possible loss or corruption of data, or we might consider it a combination of the two. We might also consider such a database attack to be a modification attack rather than an interruption attack.

Modification

Modification attacks involve tampering with our asset. Such attacks might primarily be considered an integrity attack but could also represent an availability attack. If we access a file in an unauthorized manner and alter the data it contains, we have affected the integrity of the data contained in the file. However, if we consider the case where the file in question is a configuration file that manages how a particular service behaves, perhaps one that is acting as a Web server, we might affect the availability of that service by changing the contents of the file. If we continue with this concept and say the configuration we altered in the file for our Web server is one that alters how the server deals with encrypted connections, we could even make this a confidentiality attack.

Fabrication

Fabrication attacks involve generating data, processes, communications, or other similar activities with a system. Fabrication attacks primarily affect integrity but could be considered an availability attack as well. If we generate spurious information in a database, this would be considered to be a fabrication attack. We could also generate e-mail, which is commonly called spoofing. This can be used as a method for propagating malware, such as we might find being used to spread a worm. In the sense of an availability attack, if we generate enough additional processes, network traffic, e-mail, Web traffic, or nearly anything else that consumes resources, we can potentially render the service that handles such traffic unavailable to legitimate users of the system.


URL: https://www.sciencedirect.com/science/article/pii/B9780128007440000014

Security

John F. Buford, ... Eng Keong Lua, in P2P Networking and Applications, 2009

Sample Attacks and Threats

Theft is an example of an interception attack. Theft attacks can be targeted at the network, overlay, or application layer with the simple goal of stealing confidential information from others. Theft is the major attack discovered in studies of file sharing system security [479,480,481], in which adversaries took advantage of information leakage and inadvertent disclosures to access confidential information.

Wrapster [486], a free utility initially designed for Napster users, was released in 2000. It can be used to enable information leakage in P2P file sharing systems. Wrapster transforms any file, such as a program, video, or text, into a file in MP3 format to disguise it. An individual then shares the transformed file as an MP3 using a P2P file sharing system, and a receiving peer uses Wrapster to convert the file back to its original format. Thus, using Wrapster together with file sharing software on the company's network, a malicious insider could covertly bypass the company's security mechanisms and policies and leak confidential information to anyone participating in the P2P file sharing system.

The most well-known attack is illegal copying and distribution of multimedia content and software. Copyright protection has been a nonstop battle for the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA). According to recent reports [487], U.S. movie studios lose $447 million annually to online piracy. Placing copyrighted content online and sharing it freely via P2P file sharing applications has been a key attraction of P2P file sharing and streaming. As a result, the MPAA and RIAA have targeted P2P networks as a threat. Perhaps the most famous lawsuit is the RIAA-backed A&M Records v. Napster case, which led to an injunction and the shutdown of the original Napster service. The legal controversy has continued beyond Napster, however. For example, in Elektra v. Barker, the RIAA put individual users on the stand. The goal is to prevent unauthorized copying and online distribution of music files.

Bandwidth clogging, an example of the interruption class of attack, has been a concern for many corporations and universities, and it is especially serious for P2P content distribution applications. The rich multimedia (audio and video) files that P2P users share are usually large. Consequently, P2P multimedia download and streaming routinely cause heavy traffic, which clogs an organization's network and degrades the response time and performance of normal business traffic. The damage escalates when adversaries manipulate many peers into downloading or streaming simultaneously. This is the reason many corporations and universities ban the use of P2P file-sharing or streaming applications.

Denial of service (DoS) is another important type of interruption attack. Almost any attack that obstructs availability can be categorized as a DoS attack. DoS attacks could cause service breakdown through disruption of physical network components; consumption of resources such as storage, computation, or bandwidth resources; obstruction of communications; and interference with configuration and state information. For example, a DoS attacker may use malware to max out a user's CPU time or crash a system by triggering errors in instructions.

P2P networks further open up various possibilities for distributed DoS (DDoS) attacks [488,489,490], networked DoS attacks in which nodes work together to prevent a system from performing its task. For example, an attacker registers with a P2P overlay, gains access to multiple peer devices, plants zombie processes [488] (daemons that perform the actual attack) on those peer devices, and launches an attack with all the zombies against a target device or service at a predetermined time. With hundreds or thousands of zombies on a P2P network working together, the victim's network bandwidth can easily be drained, causing denial of service.

On May 14, 2007, Prolexic Technologies, a network security vendor specializing in protecting web sites from DoS attacks, issued an alert [491] because the company had observed an increase in the number and frequency of P2P-based DDoS attacks, which can cause major local network disruption. “The popularity of peer-to-peer networks has now gained the interest of cyber criminals who see these networks as a huge potential for distributing malware and launching DDoS attacks by convincing 100k+ computers to attack on their behalf. Recently, attackers have found a way to pull off this type of attack anonymously, and with ease, flooding victims with far more connections than they can handle,” the article stated. According to Prolexic, the most aggressive P2P-DDoS attack is the so-called DC++ attack [492], which employs the popular open-source DC++ client for Windows on a Direct Connect network. In a DC++ attack, the adversary acts as a puppet master, instructing the peers of a P2P network to connect to a victim's Web site. With a P2P network of N peers, each opening m connections simultaneously, the victim's site could be hit with up to mN connections in short order. Prolexic reported very large DC++ attacks involving over 300k (N > 300,000) IP addresses [491], which shows how the DDoS problem constantly evolves. Today, an increasing number of P2P-DDoS attacks target Web sites. In these attacks, peers (P2P client computers, for example) are tricked into requesting a file from the victim's site, allowing the adversary to use the P2P network to overwhelm the victim's site and disrupt its availability. To an adversary, the major advantages of a DDoS attack are (1) more attack traffic, drawn from a large number of distributed peer resources, and (2) more difficulty for the victim in tracking down and shutting off the attacking sources or zombies.

DDoS attacks appear in various forms. Mirkovic and Reiher [489] classify DDoS attacks by degree of automation, communication mechanism, scanning strategy, propagation mechanism, exploited vulnerability, attack rate dynamics, and impact. For example, by degree of automation, attacks can be categorized as manual, semiautomatic, or automatic; random, hit list, topological, permutation, and local subnet are classes in the scanning-strategy-based classification. Alternatively, attacks can be grouped into central, back-chaining, and autonomous subsets according to their propagation mechanism.

Later in this chapter we look at how P2P overlay networks can be taken advantage of by adversaries to issue DDoS attacks. Some available methods to defend against DoS attacks are also discussed.

The term virus refers to a program that reproduces by introducing a copy of itself into another computer or device, infecting it without the permission or knowledge of the user. Often the virus is appended to the end of a file, or the program header is modified to point to the virus code. A virus, as we all know, can cause severe damage to a system or device. A P2P network offers an attractive platform for attackers to spread viruses. A piece of code, the virus, could appear to be a popular file-sharing program and, once downloaded and run, could infect many peers in the P2P overlay. The virus gains access to the peers' devices, modifies data and files on the devices, changes user passwords or access information, destroys the file system, and more, amounting to an interception, an interruption, a modification, and/or a fabrication class of attack.

These examples are merely an illustration of the security threats existing in P2P networks. Interested readers can refer to [493] and [494] for more discussion.


URL: https://www.sciencedirect.com/science/article/pii/B9780123742148000143

Jargon, Principles, and Concepts

Mark Osborne, in How to Cheat at Managing Information Security, 2006

Generic Types of Attack

When you are analyzing a new system or protocol against malevolent intrusion, starting at the very basic primitives of CIA can seem self-defeating and long-winded. After all, most attacks inevitably lead to loss of integrity, availability, and confidentiality. For example, a successful buffer overflow attack that allows a hacker shell access will allow that hacker to impact CIA; the same failed attack may compromise availability and integrity, corrupting memory or stalling the applicable service.

Even if you are a great fan of CIA impact analysis, many feel that applying it to the security analysis of a specific protocol is too abstract and academic. Many prefer either to use Common Criteria analysis (documented in the next chapter) or to analyze the protocol against the generic attack types detailed in this section.

Network Enumeration and Discovery

Not really an attack in itself, network enumeration and discovery can be used to assess the extent to which a network will divulge information about itself. Good examples of bad practice are routing protocols that hand their routing tables to any peer just for the asking, and name services and directory services that do the same thing.

Message Interception

Message interception attacks exploit weaknesses in a network’s privacy. If you can intercept a message and keep a copy (i.e., packet sniffing), you can obtain valuable data.

Message Injection/Address Spoofing

These attacks exploit weaknesses in the way a network establishes transport connections, allowing the attacker to inject traffic that masquerades as coming from a valid IP address and thus gain system access. If I know your network management system is at address 10.0.0.1 and your key system is at 10.0.0.100, and I send a system-down message to 10.0.0.1 seemingly from 10.0.0.100 in an attempt to cause panic, I am spoofing the source address.

Session Hijacking

Session hijacking is a combination of interception and injection. It allows an attacker to avoid password protections by taking over an existing connection once authentication is complete. For example, if I am sniffing your network, I might be aware that you have a Telnet session between your network management system on address 10.0.0.1 and your key system 10.0.0.100. If I send a series of packets to the NMS on 10.0.0.1 that causes you to drop the connection but at the same time continue to send packets to 10.0.0.100 with a spoofed address of 10.0.0.1, I have hijacked the session.

Denial of Service

Denial-of-service (DoS) attacks are designed to deny legitimate users access to resources. They can involve many attackers, in which case it is said to be a distributed DoS (DDoS) attack.

Message Replay

Message replay attacks cause disruption by replaying genuine traffic that has been recorded previously using sniffer software.

Social Engineering

Social engineering is a term used to describe situations in which an attacker masquerades as a genuine employee and tricks a third party into divulging information (such as a password) that will allow the attacker access to the system. Typical examples include pretending to be an employee, phoning up the help desk, and asking for that employee’s password.

Brute-Force Attacks on Authenticated Services

Brute-force attacks use automated methods to repetitively guess authentication credentials. For example, repeated attempts to log in at a Telnet prompt are an online brute-force attack. Offline attacks include using joe-doe or killer-crack to crack a UNIX shadow file, or using the crypto workbench to find a secret key.


URL: https://www.sciencedirect.com/science/article/pii/B9781597491105500105

Threats to VoIP Communications Systems

Thomas Porter, Michael Gough, in How to Cheat at VoIP Security, 2007

ARP Spoofing

ARP is a fundamental Ethernet protocol. Perhaps for this reason, manipulation of ARP packets is a potent and frequent attack mechanism on VoIP networks. Most network administrators assume that deploying a fully switched network to the desktop prevents network users from sniffing traffic and potentially capturing sensitive information traversing the network. Unfortunately, several techniques and tools exist that allow any user to sniff traffic on a switched network, because ARP has no provision for authenticating queries or replies. Additionally, because ARP is a stateless protocol, most operating systems (Solaris is an exception) update their cache on receiving an ARP reply, regardless of whether they have sent out an actual request.

Among these techniques, ARP redirection, ARP spoofing, ARP hijacking, and ARP cache poisoning are related methods of disrupting the normal ARP process. These terms are frequently interchanged and confused. For the purpose of this section, we’ll treat ARP cache poisoning and ARP spoofing as the same process. Using freely available tools such as ettercap, Cain, and dsniff, a malicious IP device can impersonate a legitimate IP device by sending unsolicited ARP replies to a target host. The bogus ARP reply pairs the IP address of the legitimate device with the hardware (MAC) address of the malicious device. This “poisons” the host’s ARP cache (see Figure 5.5).


Figure 5.5. ARP Spoofing (Cache Poisoning)

In Figure 5.5, Ned is the attacking computer. When Sam broadcasts an ARP query for Sally’s IP address, Ned responds to the query stating that the IP address (10.1.1.2) belongs to Ned’s MAC address, BA:DB:AD:BA:DB:AD. Packets that Sam intends for Sally will be sent to Ned instead: Sam mistakenly assumes that Ned’s MAC address corresponds to Sally’s IP address and directs all traffic destined for that IP address to Ned’s MAC. In fact, Ned can poison Sam’s ARP cache without waiting for an ARP query, since on Windows systems (9x/NT/2000) even static ARP entries are overwritten whenever a query response is received, regardless of whether a query was issued.

Sam’s ARP cache now looks like this:

Internet Address    Physical Address     Interface
10.1.1.1            AA:BB:CC:DD:EE:FF    int0
10.1.1.2            BA:DB:AD:BA:DB:AD    int0

This entry will remain until it ages out or a new entry replaces it.

ARP redirection can work bidirectionally, and a spoofing device can insert itself in the middle of a conversation between two IP devices on a switched network (see Figure 5.6). This is probably the most insidious ARP-related attack. By routing packets on to the devices that should truly be receiving the packets, this insertion (known as a Man/Monkey/Moron in the Middle attack) can remain undetected for some time. An attacker can route packets to /dev/null (nowhere) as well, resulting in a DoS attack.


Figure 5.6. An ARP MITM Attack

Sam’s ARP cache:

Internet Address    Physical Address     Interface
10.1.1.1            AA:BB:CC:DD:EE:FF    int0
10.1.1.2            BA:DB:AD:BA:DB:AD    int0

Sally’s ARP cache:

Internet Address    Physical Address     Interface
10.1.1.1            BA:DB:AD:BA:DB:AD    int0
10.1.1.2            AA:BB:CC:DD:EE:00    int0

As all IP traffic between the true sender and receiver now passes through the attacker’s device, it is trivial for the attacker to sniff that traffic using freely available tools such as Ethereal or tcpdump. Any unencrypted information (including e-mails, usernames and passwords, and web traffic) can be intercepted and viewed.

This interception has potentially drastic implications for VoIP traffic. Freely available tools such as vomit and rtpsniff, as well as private tools such as VoipCrack, allow for the interception and decoding of VoIP traffic. Captured content can include speech, signaling and billing information, multimedia, and PIN numbers. Voice conversations traversing the internal IP network can be intercepted and recorded using this technique.

There are a number of variations of these techniques. Instead of imitating a host, the attacker can emulate a gateway, which lets the attacker intercept numerous packet streams at once. However, most ARP redirection techniques rely on stealth: the attacker hopes to remain undetected by the users being impersonated. Posing as a gateway may alert users to the attacker’s presence through unanticipated glitches in the network, because switches frequently behave in unexpected ways when attackers manipulate ARP processes. One (usually unintended) consequence of these attacks, particularly when switches are heavily loaded, is that the switch’s CAM (Content-Addressable Memory) table, the finite-sized table that maps each learned MAC address to the port it was seen on, becomes disrupted. This leads to the switch forwarding unicast frames out many ports in unpredictable fashion, much as a hub would. Penetration testers may want to keep this in mind when using these techniques on production networks.

To limit damage due to ARP manipulation, administrators should deploy software tools that monitor MAC-to-IP address mappings; the freeware tool Arpwatch monitors these pairings and reports when one changes. At the network level, MAC/IP address mappings can be statically coded on the switch, but this is often administratively untenable. Dynamic ARP Inspection (DAI) is available on newer Cisco Catalyst 6500 switches. DAI is part of Cisco’s Integrated Security (CIS) functionality and is designed to prevent several layer two and layer three spoofing attacks, including ARP redirection attacks. Note that DAI and CIS are available only on Catalyst switches running native mode (Cisco IOS).
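As an added example (not code from the book), the following Python script decodes raw ARP packets and applies the Arpwatch-style check the paragraph describes: it keeps a table of IP-to-MAC pairings and flags a reply that answers no outstanding request, and a reply that rebinds an IP already seen with a different MAC. The packets it feeds itself are constructed here to replay the Figure 5.5 exchange; the MAC and IP addresses are those of the figure, while the function names, alert wording and the pending-request bookkeeping are this example's own choices, not Arpwatch's.

```python
"""ARP reply parser and Arpwatch-style poisoning detector.

Added example, not code from the book. Decodes raw ARP packets (RFC 826 layout
for Ethernet/IPv4), keeps a table of IP -> MAC pairings and flags (1) a reply
that answers no outstanding request and (2) a reply that rebinds an IP already
seen with a different MAC. The packets are constructed here to replay the
Figure 5.5 exchange between Sam, Sally and Ned.
"""
import struct
from dataclasses import dataclass, field

ARP_REQUEST, ARP_REPLY = 1, 2
SAM, SALLY, NED = "AA:BB:CC:DD:EE:FF", "AA:BB:CC:DD:EE:00", "BA:DB:AD:BA:DB:AD"


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(payload: bytes) -> ArpPacket:
    """Decode the 28-byte ARP body: hw type, proto type, hlen, plen, opcode, SHA, SPA, THA, TPA."""
    if len(payload) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = payload[8:14], payload[14:18], payload[18:24], payload[24:28]
    return ArpPacket(opcode, _mac_str(sha), _ip_str(spa), _mac_str(tha), _ip_str(tpa))


def build_arp(opcode: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Encode an ARP body; used only to construct the sample packets for this example."""
    def mac(s): return bytes(int(x, 16) for x in s.split(":"))
    def ip(s): return bytes(int(x) for x in s.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))


@dataclass
class ArpMonitor:
    bindings: dict = field(default_factory=dict)   # ip -> mac, like Arpwatch's database
    pending: set = field(default_factory=set)      # (requester_ip, requested_ip) awaiting a reply
    alerts: list = field(default_factory=list)

    def observe(self, pkt: ArpPacket) -> None:
        if pkt.opcode == ARP_REQUEST:
            self.pending.add((pkt.sender_ip, pkt.target_ip))
        elif pkt.opcode == ARP_REPLY:
            key = (pkt.target_ip, pkt.sender_ip)
            if key in self.pending:
                self.pending.discard(key)
            else:   # nobody asked: the reply is unsolicited (the poisoning technique of Figure 5.5)
                self.alerts.append(f"unsolicited reply {pkt.sender_ip} is-at {pkt.sender_mac}")
        # A stateless ARP cache would accept the sender binding from either opcode, so track both.
        old = self.bindings.get(pkt.sender_ip)
        if old is not None and old != pkt.sender_mac:
            self.alerts.append(f"changed mapping {pkt.sender_ip}: {old} -> {pkt.sender_mac}")
        self.bindings[pkt.sender_ip] = pkt.sender_mac


def run_scenario() -> list:
    """Replay Figure 5.5: Sam asks for Sally, Sally answers, then Ned answers with his own MAC."""
    mon = ArpMonitor()
    frames = [
        build_arp(ARP_REQUEST, SAM, "10.1.1.1", "00:00:00:00:00:00", "10.1.1.2"),
        build_arp(ARP_REPLY, SALLY, "10.1.1.2", SAM, "10.1.1.1"),
        build_arp(ARP_REPLY, NED, "10.1.1.2", SAM, "10.1.1.1"),
    ]
    for frame in frames:
        mon.observe(parse_arp(frame))
    return mon.alerts


if __name__ == "__main__":
    for alert in run_scenario():
        print("ALERT:", alert)
```

Ned's reply trips both checks. In practice a host announcing itself with gratuitous ARP at boot also produces an "unsolicited" hit, so the changed-mapping alert is the stronger signal; it is the condition Arpwatch logs as a changed ethernet address, and the same binding check is what DAI enforces inline on the switch.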

The potential risks of decoding intercepted VoIP traffic can be eliminated by implementing encryption. Avaya’s Media Encryption feature is an example of this. Using Media Encryption, VoIP conversations between two IP endpoints are encrypted using AES encryption. In highly secure environments, organizations should ensure that Media Encryption is enabled on all IP codec sets in use.

DAI enforces authorized MAC-to-IP address mappings. Media Encryption renders traffic, even if intercepted, unintelligible to an attacker.

The following are some additional examples of call or signal interception and hijacking. This class of threats, though typically more difficult to accomplish than DoS, can result in significant loss or alteration of data. DoS attacks, whether caused by active methods or inadvertently, although important in terms of quality of service, are more often than not irritating to users and administrators. Interception and hijacking attacks, on the other hand, are almost always active attacks with theft of service, information, or money as the goal. Note that this list is not exhaustive but illustrates some attack scenarios.

Rogue VoIP Endpoint Attack: A rogue IP endpoint contacts a VoIP server by leveraging stolen or guessed identities, credentials, and network access. For example, a rogue endpoint can use an unprotected wall jack and auto-registration of VoIP phones to get onto the network. RAS password guessing can be used to masquerade as a legitimate endpoint. Lax account maintenance (expired user accounts left active) increases the risk of exploitation.

Registration Hijacking: Registration hijacking occurs when an attacker impersonates a valid UA to a registrar and replaces the registration with its own address. This attack causes all incoming calls to be sent to the attacker.

Proxy Impersonation: Proxy impersonation occurs when an attacker tricks a SIP UA or proxy into communicating with a rogue proxy. If an attacker successfully impersonates a proxy, he or she has access to all SIP messages.

Toll Fraud: A rogue or legitimate VoIP endpoint uses a VoIP server to place unauthorized toll calls over the PSTN. For example, inadequate access controls can let rogue devices place toll calls by sending VoIP requests to call processing applications. VoIP servers can be hacked into in order to make free calls to outside destinations. Social engineering can be used to obtain outside line prefixes.

Message Tampering: Capture, modify, and relay unauthenticated VoIP packets to/from endpoints. For example, a rogue 802.11 AP can alter frames sent or received by wireless endpoints if no payload integrity check (e.g., WPA MIC, SRTP) is used. Alternatively, these attacks can occur through registration hijacking, proxy impersonation, or an attack on any component trusted to process SIP or H.323 messages, such as the proxy, registration servers, media gateways, or firewalls. These represent non-ARP-based MITM attacks.

VoIP Protocol Implementation Attacks: Send VoIP servers or endpoints invalid packets to exploit vulnerabilities in VoIP protocol implementations. Such attacks can lead to escalation of privileges, installation and operation of malicious programs, and system compromise. For example, CAN-2004-0054 exploits vulnerabilities in the Cisco IOS H.323 implementation to execute arbitrary code. CSCed33037 uses unsecured IBM Director agent ports to gain administrative control over IBM servers running Cisco VoIP products.

Notes from the Underground…

ANI/Caller-ID Spoofing

Caller ID is a service provided by most telephone companies (for a monthly fee) that tells you the name and number of an incoming call. Automatic Number Identification (ANI) is a system used by the telephone company to determine the number of the calling party. To spoof Caller-ID, an attacker sends modem tones over a POTS line between rings 1 and 2. ANI spoofing is setting the ANI so as to send incorrect ANI information to the PSTN, so that the resulting Caller-ID is misleading. Traditionally this has been a complicated process, requiring either the assistance of a cooperative phone company operator or an expensive company PBX system.

In ANI/Caller-ID spoofing, an evildoer hijacks the phone number and identity of a trusted party, such as a bank or a government office. That identity appears on the Caller-ID box of an unsuspecting victim, with the caller hoping to co-opt valuable information, such as account numbers, or otherwise engage in malicious mischief. This is not a VoIP issue, per se. In fact, one of the big drawbacks of VoIP trunks is their inability to send ANI properly because of incomplete standards.


URL: https://www.sciencedirect.com/science/article/pii/B9781597491693500062

Defense-in-depth: A recipe for logic locking to prevail

M. Tanjidur Rahman, ... Mark Tehranipoor, in Integration, 2020

5.1 Vulnerabilities of the key-storage element

Protecting the key-storage element is vital for logic locking schemes, since exposure of the unlocking key breaks the security of the entire scheme. NVM and OTP memories are considered possible key-storage candidates in logic locking schemes. NVMs such as ROM, EEPROM, and Flash are the prominent candidates for key storage. The NVM can be realized as off-chip or on-chip memory. As off-chip memory is vulnerable to data interception at the chip boundary, on-chip NVM is the only suitable choice for secure key storage. Although the aforementioned memory technologies are widely deployed by industry as secure and tamper-proof memories, the main vulnerability of NVM is that the stored data remains available in the power-off state. In this state, the memory is defenseless against a tampering attack, so an adversary can use advanced failure analysis (FA) tools to reverse engineer the memory and read out its contents.

Another option for key storage is OTP memory, such as ROM, electric fuse (eFuse) and antifuse. OTP memory lets the device be configured once, after the chip is fabricated and before it ships to the end user. An eFuse is a continuous metal or polysilicon shape patterned on the silicon surface; its structure is shown in Fig. 6a. When a programming voltage is applied to the eFuse, electromigration opens the circuit in the cell (the broken fuse in Fig. 6a), programming the eFuse [38]. An attacker with access to FA tools can deprocess the entire die and locate the eFuses. Then, using a scanning electron microscope (SEM), she can distinguish programmed from unprogrammed eFuse links by inspecting the metal or silicide link of each eFuse. Similar information can be extracted by electrical probing [13,41]. On the other hand, because they scale down to the 7 nm node, relatively smaller antifuse cells are emerging as a key-storage element. An antifuse is a standard CMOS transistor that acts as a high resistance in its unprogrammed state. Once electrical stress is applied to the gate oxide of the transistor (see Fig. 6b), the transistor becomes a low-resistance conductive path. An antifuse can also be placed as a via between two metal lines in the chip. In that case, locating the antifuse is difficult with SEM imaging: SEM provides information about the die surface, i.e., the XY plane of the die, whereas a cross-sectional view of the metal layers is required to identify an antifuse fabricated as a via. That cross-sectional information can only be observed by transmission electron microscopy (TEM). As sample preparation and imaging for TEM are more challenging than for SEM, differentiating between programmed and unprogrammed antifuse bits is difficult but not impossible. Once the location of the antifuse is known, the stored bit can be probed. Moreover, all OTPs require a higher breakdown voltage and a large peripheral circuit, which introduces area overhead and higher power consumption [32].


Fig. 6. (a) Difference between a TSMC eFuse structure before and after programming, in a Qualcomm Gobi MDM9235 modem, 20 nm HKMG [38]; (b) 1T-Fuse bit cell in DesignWare OTP NVM IP. The cell is programmed by applying a controlled, irreversible breakdown voltage from the gate through the core (gate) oxide to the channel [39]; (c) key process steps of the 3D NAND fabrication process [40].

Other conventional examples of NVMs are EEPROM and Flash memories. Each EEPROM cell has two transistors, a floating-gate (storage) transistor and a select transistor; the storage transistor's floating gate traps electrons. A Flash cell has only the floating-gate transistor and uses the same storage mechanism as EEPROM. Since both memory technologies store bit values as charge on the floating gate, any attempt to image the memory cell with SEM or TEM can disturb the charge distribution and possibly erase the memory content. Therefore, reverse engineering of such NVMs has always been considered a challenging task, even after recent advances in FA tools. Nardi et al. [42] solved the challenge of preserving the stored charge by accessing the memory from the back side of the IC. Once an attacker gains access to the floating gates of EEPROM/Flash, she can use scanning Kelvin probe microscopy (SKPM), scanning probe microscopy (SPM), passive voltage contrast (PVC) or scanning capacitance microscopy (SCM) to extract the stored values [42,43]. However, the security of 3D Flash chips (see the 3D NAND flash cells in Fig. 6c) has yet to be investigated. In 3D flash technology, the memory cells, previously organized horizontally, are stacked vertically and connected with pillars and channels. Although this orientation requires further care when polishing the back side of the chip and during PVC analysis, reverse engineering of 3D NAND memory is, in principle, still possible.

Physical unclonable functions (PUFs), another candidate for secure key storage, were developed to generate keys from intrinsic properties of the device [44]. Although PUFs have been assumed to be tamper-evident against physical attacks, they have demonstrated vulnerabilities to several non- and semi-invasive attacks, such as photonic emission analysis and laser fault injection [44]. Furthermore, the response of a PUF differs for each chip due to process variation, which makes it a poor fit for a logic-locking key: all chips fabricated from the same mask are locked with the same key, so a per-chip PUF response cannot serve as that key directly. Storing the key value in battery-backed RAM also adds no significant security to the key storage, as the contents can be read out through optical attacks such as thermal laser stimulation (TLS) [45].

Data remanence in key storage such as NVM and RAM is another class of vulnerability common to all key-storage elements. Data remanence is the residual physical representation (e.g., trapped charge or voltage) of data that has been erased from the memory, whether during a tampering attack or during regular operation of the chip. A tamper-sensing enclosure can initiate an erasure procedure for the memory when a tampering event is detected: the sensor connects the memory to ground to zeroize the stored data. However, because of the data remanence effect, an attacker can exploit the residual state of the memory to recover its contents. The vulnerability arises when the data retention time exceeds the time a malicious entity needs to read out the stored value or dump it to another memory location; the protection mechanism is then defeated [46].


URL: https://www.sciencedirect.com/science/article/pii/S0167926019303694

How port security can be used to prevent MAC address table overflow attacks?

The way to prevent a CAM table overflow attack is to limit how many MAC addresses each port may learn, and that is done with port security. Port security tells each port it is configured on to learn at most a configured number of MAC addresses; when a frame arrives from an additional source address, the port takes its configured violation action, such as dropping the frame or shutting the port down.
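An added example, not from the page: a small Python model of a switch's MAC address table that shows why the per-port limit matters. Without it, an attacker on one port fills the finite table with fake source addresses, the switch loses Sam's and Sally's entries, and their unicast traffic is flooded out every port, where the attacker can sniff it. With a per-port maximum of one address and the shutdown violation action, the attacker's second address err-disables the port and the table is untouched. The table size, port numbers and MAC addresses are made up for the example, as are the class and function names; the Cisco IOS commands in the comment are the equivalent real configuration.

```python
"""MAC address (CAM) table overflow with and without port security.

Added example, not code from the page. Models a switch whose finite CAM table
maps MAC -> port, an attacker flooding fake source MACs from one port, and a
port-security limit that stops the flood. Table size, ports and MACs are
constructed for the example.
"""
from collections import OrderedDict
from typing import Optional

FLOOD = "FLOOD"   # frame is copied to every port except the one it arrived on
BROADCAST = "FF:FF:FF:FF:FF:FF"

# Cisco IOS equivalent of port_max={3: 1} with the "shutdown" violation action:
#   interface GigabitEthernet0/3
#    switchport mode access
#    switchport port-security
#    switchport port-security maximum 1
#    switchport port-security violation shutdown


class Switch:
    def __init__(self, capacity: int, port_max: Optional[dict] = None, violation: str = "shutdown"):
        self.capacity = capacity               # finite CAM size (real switches: thousands of entries)
        self.cam: OrderedDict = OrderedDict()  # mac -> port, least recently used first
        self.port_max = port_max or {}         # port -> max MACs allowed (port security); absent = unlimited
        self.secured: dict = {}                # port -> set of MACs already learned on that port
        self.err_disabled: set = set()
        self.violation = violation             # "shutdown" (err-disable the port) or "protect" (drop silently)
        self.violations = 0

    def _learn(self, mac: str, port: int) -> bool:
        """Learn the source MAC on its ingress port; False if port security rejects the frame."""
        limit = self.port_max.get(port)
        seen = self.secured.setdefault(port, set())
        if limit is not None and mac not in seen and len(seen) >= limit:
            self.violations += 1
            if self.violation == "shutdown":
                self.err_disabled.add(port)
            return False
        seen.add(mac)
        if mac not in self.cam and len(self.cam) >= self.capacity:
            self.cam.popitem(last=False)       # table full: evict the least recently used entry
        self.cam[mac] = port
        self.cam.move_to_end(mac)
        return True

    def forward(self, src: str, dst: str, in_port: int):
        """Return the egress port, FLOOD, or None if the frame was dropped."""
        if in_port in self.err_disabled or not self._learn(src, in_port):
            return None
        return self.cam.get(dst, FLOOD)        # unknown destination: flood like a hub


def mac_flood(switch: Switch, attacker_port: int, count: int) -> int:
    """Attacker sends `count` frames with distinct fake source MACs; returns how many were accepted."""
    accepted = 0
    for i in range(count):
        fake = f"02:00:00:00:{(i >> 8) & 0xFF:02X}:{i & 0xFF:02X}"   # locally administered, constructed
        if switch.forward(fake, BROADCAST, attacker_port) is not None:
            accepted += 1
    return accepted


def scenario(port_security: bool) -> dict:
    """Sam (port 1) talks to Sally (port 2); the attacker floods from port 3."""
    sam, sally = "AA:BB:CC:DD:EE:FF", "AA:BB:CC:DD:EE:00"
    sw = Switch(capacity=8, port_max={3: 1} if port_security else None)
    sw.forward(sam, sally, 1)                  # Sally not learned yet: this first frame is flooded
    sw.forward(sally, sam, 2)                  # now both are in the table
    before = sw.forward(sam, sally, 1)         # unicast to port 2
    accepted = mac_flood(sw, attacker_port=3, count=100)
    after = sw.forward(sam, sally, 1)          # FLOOD if Sally's entry was evicted, else port 2
    return {"before": before, "after": after, "flood_accepted": accepted,
            "port3_err_disabled": 3 in sw.err_disabled, "cam_entries": len(sw.cam)}


if __name__ == "__main__":
    for enabled in (False, True):
        print("port security on " if enabled else "port security off", scenario(enabled))
```

The model uses least-recently-used eviction when the table is full; a real switch ages entries out on a timer instead, but the attacker's result is the same, since legitimate hosts are evicted or cannot be learned while the flood continues. The "protect" violation mode drops only the offending frames and leaves the port up, which is quieter but gives the attacker unlimited retries.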

In what situation would a network administrator most likely implement root guard?

Explanation: Root guard, in conjunction with PortFast and BPDU guard, is used to prevent an STP manipulation attack. Root guard is applied on the ports that should never lead toward the root bridge; if a superior BPDU arrives on such a port, the port is placed in a root-inconsistent (blocked) state rather than allowing the attacker's switch to become root.