[en] Nowadays, simple tools such as traceroute can be used by attackers to acquire topology knowledge remotely. Worse still, attackers can use a lightweight fingerprinting technique, based on traceroute and ping, to retrieve the routers brand, and use that knowledge to launch targeted attacks.
In this paper, we show that the hardware ecosystem of network operators can greatly vary from one to another, with all potential security implications it brings. Indeed, depending on the autonomous system (AS), not all brands play the same role in terms of network connectivity. An attacker could find an interest in targeting a specific hardware vendor in a particular AS, if known defects are present in this hardware, and if the AS relies heavily on it for forwarding its traffic.
Disciplines :
Sciences informatiques
Auteur, co-auteur :
Marechal, Emeline ; Université de Liège - ULiège > Dép. d'électric., électron. et informat. (Inst.Montefiore) > Systèmes informatiques répartis et sécurité
Donnet, Benoît ; Université de Liège - ULiège > Dép. d'électric., électron. et informat. (Inst.Montefiore) > Algorithmique des grands systèmes
Langue du document :
Anglais
Titre :
Network Fingerprinting: Routers under Attack
Date de publication/diffusion :
septembre 2020
Nom de la manifestation :
IEEE International Workshop on Traffic Measurements for Cybersecurity (WTMC)
Date de la manifestation :
7 septembre 2020
Manifestation à portée :
International
Titre de l'ouvrage principal :
IEEE International Workshop on Traffic Measurements for Cybersecurity (WTMC)
G. F. Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Nmap Project, 2009, see http://nmap.org/book/toc.html.
T. Kohno, A. Broido, and k. claffy, "Remote physical device fingerprinting," IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 2, pp. 93-108, May 2005.
Y. Vanaubel, J.-J. Pansiot, P. Mérindol, and B. Donnet, "Network fingerprinting: TTL-based router signature," in Proc. ACM Internet Measurement Conference (IMC), October 2013.
J.-F. Grailet and B. Donnet, "Towards a renewed alias resolution with space search reduction and IP fingerprinting," in Proc. IFIP Network Traffic Measurementand Analysis Conference (TMA), June 2017.
K. Vermeulen, S. Strowes, O. Fourmaux, and T. Friedman, "Multilvel MDA-lite paris traceroute," in Proc. ACM Internet Measurement Conference (IMC), October 2018.
Y. Vanaubel, P. Mérindol, J.-J. Pansiot, and B. Donnet, "Through the wormhole: Tracking invisible MPLS tunnels," in Proc. ACM Internet Measurement Conference (IMC), November 2017.
B. Hadad, B. Seri, and Y. Sarel, "CDPwn: Breaking the discovery protocols of the entreprise of things," Armis, Inc., Technical White Paper 20200205-1, February 2020, see https://www.armis.com/cdpwn/foradditionaldetails.
D. Bleichebacher, "Chose ciphertext attacks against protocols based on the RSA encryption standard PKCS#1," in Proc. International Cryptology Conference on Advances in Cryptology (CRYPTO), August 1998.
D. Felsch, M. Grothe, and J. Schwenk, "The dangers of key reuse: Practical attacks on IPsec IKE," in Proc. USENIX Security Symposium, August 2018.
J. Postel, "Assigned numbers," Internet Engineering Task Force, RFC 1700, October 1994.
Y. Vanaubel, J.-R. Luttringer, P. Mérindol, J.-J. Pansiot, and B. Donnet, "TNT, watch me explode: A light in the dark for revealing MPLS tunnels," in Proc. IFIP Network Traffic Measurement and Analysis Conference (TMA), June 2019.
J.-R. Luttringer, Y. Vanaubel, P. Mérindol, J.-J. Pansiot, and B. Donnet, "Let there be light: Revealing hidden MPLS tunnels with TNT," IEEE Transactions on Network and Service Management (TNSM), vol. 17, no. 2, pp. 1239-1253, June 2020.
B. Augustin, X. Cuvellier, B. Orgogozo, F. Viger, T. Friedman, M. Latapy, C. Magnien, and R. Teixeira, "Avoiding traceroute anomalies with Paris traceroute," in Proc. ACM Internet Measurement Conference (IMC), October 2006.
k. claffy, Y. Hyun, K. Keys, M. Fomenkov, and D. Krioukov, "Internet mapping: from art to science," in Proc. IEEE Cybersecurity Application and Technologies Conference for Homeland Security (CATCH), March 2009.
K. Keys, Y. Hyun, M. Luckie, and k. claffy, "Internet-scale IPv4 alias resolution with MIDAR," IEEE/ACM Transactions on Networking, vol. 21, no. 2, pp. 383-399, April 2013.
K. Keys, "Internet-scale IP alias resolution techniques," ACM SIGCOMM Computer Communication Review, vol. 40, no. 1, pp. 50-55, January 2010.
A. Marder, M. Luckie, A. Dhamdhere, B. Huffaker, J. Smith, and k. claffy, "Pushing the boundaries with bdrmapIT: Mapping router ownership at internet scale," in Proc. ACM Internet Measurement Conference (IMC), November 2018.
M. Sanchez, F. Bustamante, B. Krishnamurthy, W. Willinger, G. Smaragdakis, and J. Erman, "Inter-domain traffic estimation for the outsider," in Proc. ACM Internet Measurement Conference (IMC), November 2014.
M. Faloutsos, P. Faloutsos, and C. Faloutsos, "On power-law relationships of the internet topology," in Proc. ACM SIGCOMM, September 1999.
L. Dall'Asta, I. Alvarez-Hamelin, A. Barrat, A. Vásquez, and A. Vespignani, "A statistical approach to the traceroute-like exploration of networks: Theory and simulations," in Proc. Combinatorial and Algorithmic Aspects of Networking (CAAN) Workshop, August 2004.
R. Albert, H. Jeong, and A.-L. Barábsi, "Error and attack tolerance of complex networks," Nature, vol. 406, pp. 378-382, July 2000.
R. Meier, P. Tsankov, V. Lenders, L. Vanbever, and M. Vechev, "NetHide: Secure and practical network topology obfuscation," in Proc. USENIX Security Symposium, August 2018.
P. Marchetta, P. Mérindol, B. Donnet, A. Pescapé, and J.-J. Pansiot, "Quantifying and mitigating IGMP filtering in topology discovery," in Proc. IEEE Global Communications Conference (GLOBECOM), December 2012.
E. Davies and J. Mohacsi, "Recommendations for filtering ICMPv6 messages in firewalls," Internet Engineering Task Force, RFC 4890, May 2007.
