Targeted Attack through Network Fingerprinting

[en] Nowadays, simple tools such as traceroute can be used by attackers to acquire topology knowledge remotely. Worse still, attackers can use a lightweight fingerprinting technique, based on traceroute and ping, to retrieve the routers brand, and use that knowledge to launch targeted attacks. In this paper, we show that the hardware ecosystem of network operators can greatly vary from one to another, with all potential security implications it brings. Indeed, depending on the autonomous system (AS), not all brands play the same role in terms of network connectivity and network usage (MPLS vs. standard traffic). An attacker could find an interest in targeting a specific hardware vendor in a particular AS, if known defects are present in this hardware, and if the AS relies heavily on it for forwarding its traffic.

Disciplines :

Computer science

Author, co-author :

Marechal, Emeline ; Université de Liège - ULiège > Dép. d'électric., électron. et informat. (Inst.Montefiore) > Algorithmique des grands systèmes

Donnet, Benoît ; Université de Liège - ULiège > Dép. d'électric., électron. et informat. (Inst.Montefiore) > Algorithmique des grands systèmes

Language :

English

Title :

Targeted Attack through Network Fingerprinting

Publication date :

March 2021

Journal title :

Journal of Cyber Security and Mobility

ISSN :

2245-1439

eISSN :

2245-4578

Publisher :

River Publishers, Denmark

Volume :

Issue :

Pages :

347-376

Peer reviewed :

Peer Reviewed verified by ORBi

Available on ORBi :

since 07 April 2021

Statistics

Number of views

130 (22 by ULiège)

Number of downloads

82 (12 by ULiège)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

Bibliography

[1] Configuring mpls te rsvp, August 2018. See https://www.cisco.com/c/ en/us/td/docs/switches/datacenter/sw/5_x/nx-os/mpls/conl'iguration/gu ide/mpls_cg/mp_te _path_prot.html.
[2] Node and path protection for mpls lsps, September 2020. See https: //www'.iuniper.net/documentation/en_US/iunos/topics/topic-map/node-path-protection-lor-mpls.html.
[3] P. Agarwal and B. Akyol. Time-to-live (TTL) processing in multiprotocol label switching (MPLS) networks. RFC 3443, Internet Engineering Task Force, January 2003.
[4] L. Andersson and R. Asati. Multiprotocol label switching (MPLS) label stack entry:EXPfield renamed to tralfic class field. RFC 5462,Internet Engineering Task Force, February 2009.
[5] L. Andersson, I. Minei, and T. Thomas. Ldp specification. RFC 5036, Internet Engineering Task Force, October 2007.
[6] B. Augustin, X. Cuvellier, B. Orgogozo, F. Viger, T. Friedman, M. Lat-apy, C. Magnien, and R. Teixeira. Avoiding traceroute anomalies with Paris traceroute. In Proc. ACM Internet Measurement Conference (IMC), October 2006.
[7] D. Awduche, L. Berger, D. Gan, T. Li, G. Srinivasan, and V. ans Swallow. Rsvp-te: Extensions to rsvp lor lsp tunnels. RFC 3209, Internet Engineering TaskForce,December 2001.
[8] A. Bashandy, C. Filsfils, S. Previdi, B. Decraene, S. Litkowski, and R. Shakir. Segmentroutingwiththemplsdataplane. RFC 8660, In tern et Engineering TaskForce,December 2019.
[9] D. Bleichebacher. Chose ciphertext attacks against protocols based on the RSA encryption standard PKCS#1. In Proc. International Cryptology Conference on Advances in Cryptology (CRYPTO), August 1998.
[10] R. Bonica, D. Gan, D. Tappan, and C. Pignataro. ICMP extensions lor multiprotocol label switching. RFC 4950, Internet Engineering Task Force, August 2007.
[11] kc claffy, Y. Hyun, K. Keys, M. Fomenkov, and D. Krioukov. Internet mapping: from art to science. In Proc. IEEE Cybersecurity Application and Technologies Conference for Homeland Security (CATCH), March 2009.
[12] L. Dall'Asta, I. Alvarez-Hamelin, A. Barrat, A. Vasquez, and A. Vespig-nani. A statistical approach to the traceroute-like exploration of networks: Theory and simulations. In Proc. Combinatorial and Algorithmic Aspects of Networking (CAAN) Workshop, August 2004.
[13] E. Davies and J. Mohacsi. Recommendations for filtering ICMPv6 messages in firewalls. RFC 4890, Internet Engineering Task Force, May 2007.
[14] B. Donnet, M. Luckie, P. Merindol, and J.-J. Pansiot. Revealing MPLS tunnels obscured from traceroute. ACM SIGCOMM Computer Communication Review, 42(2):87-93, April 2012.
[15] D. Felsch, M. Grothe, and J. Schwenk. The dangers of key reuse: Practical attacks on IPsec IKE. In Proc. USENIX Security Symposium, August 2018.
[16] J.-F. Grailet and B. Donnet. Towards a renewed alias resolution with space search reduction and IP fingerprinting. In Proc. IFIP Network Traffic Measurementand Analysis Conference (TMA), June 2017.
[17] B. Hadad, B. Seri, and Y. Sarel. CDPwn: Breaking the discovery protocols of the entreprise of things. Technical White Paper 20200205-1, Armis, Inc., February 2020. See https://www.armis.com/cdpwn/ for additional details.
[18] K. Keys. Internet-scale IP alias resolution techniques. ACM SIGCOMM Computer Communication Review, 40(1):50-55, January 2010.
[19] K. Keys, Y. Hyun, M. Luckie, and kc claffy. Internet-scale IPv4 alias resolution with MIDAR. IEEE/ACM Transactions on Networking, 21(2):383-399, April 2013.
[20] T. Kohno, A. Broido, and kc claffy. Remote physical device fingerprinting. IEEE Transactions on Dependable and Secure Computing, 2(2):93-108, May 2005.
[21] M. Kurant and P. Thiran. Layered complex networks. Physical review letters, 96:138701, 05 2006.
[22] J.-R. Luttringer, Y. Vanaubel, P. Merindol, J.-J. Pansiot, and B. Don-net. Let there be light: Revealing hidden MPLS tunnels with TNT. IEEE Transactions on Network and Service Management (TNSM), 17(2):1239-1253, June 2020.
[23] G. F. Lyon. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Nmap Project, 2009. See http://nmap.org/book/toc.html.
[24] P. Marchetta, P. Mérindol, B. Donnet, A. Pescapé, and J.-J. Pan-siot. Quantifying and mitigating IGMP filtering in topology discovery. In Proc. IEEE Global Communications Conference (GLOBECOM), December 2012.
[25] A. Marder. APPLE: Alias pruning by path length estimation. In Proc. Passive and Active Measurement Conference (PAM), March 2020.
[26] A. Marder, M. Luckie, A. Dhamdhere, B. Huffaker, J. Smith, and kc claffy. Pushing the boundaries with bdrmapIT: Mapping router ownership at internet scale. In Proc. ACM Internet Measurement Conference (IMC), November 2018.
[27] E. Marechal and B. Donnet. Network fingerprinting: Routers under attack. In Proc. International Workshop on Traffic Measurements for Cybersecurity (WTMC), September 2020.
[28] R. Meier, P. Tsankov, V. Lenders, L. Vanbever, and M. Vechev. NetHide: Secure and practical network topology obfuscation. In Proc. USENIX Security Symposium, August 2018.
[29] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. The spread of the sapphire/slammer worm. Technical report, CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and UC San Diego CSE, January 2003.
[30] P. Pan, G. Swallow, and A. Atlas. Fast reroute extensions to rsvp-te for lsp tunnels. RFC 4090, Internet Engineering Task Force, May 2005.
[31] J. Postel. Assigned numbers. RFC 1700, Internet Engineering Task Force, October 1994.
[32] E. Rosen and Y. Rekhter. Bgp/mpls ip virtual private networks (vpns). RFC 4364, Internet Engineering Task Force, February 2006.
[33] E. Rosen, D. Tappan, G. Fedorkow, Y. Rekhter, D. Farinacci, T. Li, and A. Conta. MPLS label stack encoding. RFC 3032, Internet Engineering Task Force, January 2001.
[34] E. Rosen, A. Viswanathan, and R. Callon. Multiprotocol label switching architecture. RFC 3031, Internet Engineering Task Force, January 2001.
[35] Mario Sanchez, Fabian Bustamante, Balachander Krishnamurthy, Walter Willinger, Georgios Smaragdakis, and Jeffrey Erman. Inter-domain traffic estimation for the outsider. In Proc. ACM Internet Measurement Conference (IMC), November 2014.
[36] C. Srinivasan, L. P. Bloomberg, A. Viswanathan, and T. Nadeau. Multiprotocol label switching (mpls) traffic engineering (te) management information base (mib). RFC 3812, Internet Engineering Task Force, June 2004.
[37] S. Staniford, V. Paxson, and N. Weaver. How to own the Internet in your spare time. In Proc. USENIX Security Symposium, 2002.
[38] US Ignite, LIP6, Tandon School of Engineering, Swarm Lab, University of Victoria, the University of Vienna, and Cslash. Edgetnet. See https: //edge-net.org.
[39] Y. Vanaubel, J.-R. Luttringer, P. Mérindol, J.-J. Pansiot, and B. Donnet. TNT, watch me explode: A light in the dark for revealing MPLS tunnels. In Proc. IFIP Network Traffic Measurement and Analysis Conference (TMA), June 2019.
[40] Y. Vanaubel, P. Mérindol, J.-J. Pansiot, and B. Donnet. Through the wormhole: Tracking invisible MPLS tunnels. In Proc. ACM Internet Measurement Conference (IMC), November 2017.
[41] Y. Vanaubel, P. Mérindol, JJ. Pansiot, and B. Donnet. Mpls under the microscope: Revealing actual transit path diversity. In Proc. ACM Internet Measurement Conference (IMC), October 2015.
[42] Y. Vanaubel, J.-J. Pansiot, P. Mérindol, and B. Donnet. Network fingerprinting: TTL-based router signature. In Proc. ACM Internet Measurement Conference (IMC), October 2013.
[43] K. Vermeulen, S. Strowes, O. Fourmaux, and T. Friedman. Multil-vel MDA-lite paris traceroute. In Proc. ACM Internet Measurement Conference (IMC), October 2018.
[44] N. Weaver, V. Paxson, S. Staniford, and R. Cunningham. Ataxonomy of computer worms. In Proc. ACM Workshop on Rapid Malcode (WORM), October 2003.
[45] X. Xiao and B. Hannan, A. and Bailey. Traffic engineering with mpls in the internet. In IEEE Network Magazine, April 2000.
[46] C. Zou, D. Towsley, and W. Gong. On the performance of Internet worm scanning strategies. Performance Evaluation, 63(7):700-723, July 2006.
[47] C. Zou, D. Towsley, W. Gong, and S. Cai. Routing worm: a fast, selective attack worm based on IP address information. In Proc. Workshop on Principles of Advanced and Distributed Simulation (‘PADS'), june 2005.