U of I CS 498 - IPv4 Overview
Slides: IPv4 Overview, Outline, Reading Material, OSI Reference Model, Layers Limit Need for Intelligence, Various network devices, IPv4, Address spoofing, Fragmentation, Fragmentation Flaws, Address Resolution Protocol (ARP), ARP cache poisoning, Basic IPv4 Routing, Routing example, Source Based Routing, IP Options in General, Dynamic Routing Protocols, Dynamic Routing, Internet Control Message Protocol (ICMP), Smurf Attack, Transport layer, Datagram Transport, UDP Header, Reliable Streams, TCP Header, Syn flood, Application Protocols, Spoofing Applications, DHCP, Domain Name System (DNS), DNSSEC, Summary

IPv4 Overview
Cyber Security
Spring 2006

Outline
• Review Layered Network Architecture
• Network Layer protocols
• Transport Layer Protocols
• Application Layer Protocols

Reading Material
• Many texts on IP networking
– Computer Networks, Andrew Tanenbaum
– Data and Computer Communications, William Stallings
– Internetworking with TCP/IP Vol 1, Douglas Comer
• Plus all the originals from the Internet Engineering Task Force (IETF)
– http://ietf.org/

OSI Reference Model
• The layers
– 7: Application, e.g., HTTP, SMTP, FTP
– 6: Presentation
– 5: Session
– 4: Transport, e.g., TCP, UDP
– 3: Network, e.g., IP, IPX
– 2: Data link, e.g., Ethernet frames, ATM cells
– 1: Physical, e.g., Ethernet media, ATM media
• Standard software engineering reasons for thinking about a layered design

Layers Limit Need for Intelligence
• Intermediate devices only need to process the packet headers up to the level they understand
[Ether Hdr][IP Hdr][TCP Hdr][HTTP Hdr][Data]

Various network devices
• Hosts and servers – Operate at Level 7 (application)
• Proxies – Operate at level 7
• Firewalls – Operate between levels 2 and 7. From the outside world they make changes at level 2 (in transparent mode) or level 3 (in routing mode)
• Routers – Operate at Level 3 (network)
• Switches or Hubs – Operate at level 2 (data link)
• Gateways – Operate at level 2
[Ether Hdr][IP Hdr][TCP Hdr][HTTP Hdr][Data]

IPv4
• 32 bit addressing scheme
– Host address, e.g., 192.168.1.1
– Network address, e.g., 192.168.1.0/24 or 192.168.1.0 255.255.255.0
– Host address is the first address in the subnetwork, e.g., 192.168.1.0
– Broadcast address is the last address in the subnetwork, e.g., 192.168.1.255
• IPv4 header layout:
  Version | IHL | Type of service | Total length
  Identification | DF | MF | Frag Offset
  Time to live | Protocol | Header checksum
  Source address
  Destination address
  0 or more words of options

Address spoofing
• Sender can put any source address in packets he sends:
– Can be used to send unwelcome return traffic to the spoofed address
– Can be used to bypass filters to get unwelcome traffic to the destination
• Reverse Path verification can be used by routers to broadly catch some spoofers

Fragmentation
• May need to fragment an IP packet if one data link along the way cannot handle the packet size
– Perhaps the path is a mix of different HW
– Perhaps unexpected encapsulation makes the packet larger than the source expected
– Hosts try to discover the Maximum Transmission Unit (MTU) to avoid the need for fragmentation (which causes a performance hit)
• Any device along the way can fragment
– Identification field identifies all fragments of the same original packet
– Fragmentation state is stored in the MF (more fragments) and fragment offset fields
– Devices can reassemble too
– But generally the destination does the reassembly

Fragmentation Flaws
• Split packet to fool simple firewall and IDS
– Intermediate content observers must do reassembly
• Overlapping fragments
– Can be used to trick IDS by hiding, e.g., a "get /etc/password" request
– Different clients reassemble overlapping fragments differently
– Just drop overlapping fragments
• Bad fragment offsets exploit poor stack implementations
– E.g., Teardrop attack: negative offsets or overlarge offsets cause buffer overflows
– Firewalls can check for well formed packets
• Resource attacks on re-assemblers
– Send all but one fragment for many packets

Address Resolution Protocol (ARP)
• Used to discover the mapping of neighboring Ethernet MAC addresses to IP addresses
– Need to find the MAC for 192.168.1.3, which is in your interface's subnetwork
– Broadcast an ARP request on the link
– Hopefully receive an ARP reply giving the correct MAC
– The device stores this information in an ARP cache or ARP table

ARP cache poisoning
• Bootstrap problem with respect to security. Anyone can send an ARP reply
– The Ingredients to ARP Poison, http://www.governmentsecurity.org/articles/TheIngredientstoARPPoison.php
• Classic Man-in-the-middle attack
– Send ARP reply messages to a device so it thinks your machine is someone else
– Better than simple sniffing because packets will get to you regardless of sniffing
• Solutions
– Encrypt all traffic
– Monitoring programs like arpwatch to detect mapping changes
• Which might be valid due to DHCP

Basic IPv4 Routing
• Static routing. Used by hosts and some firewalls and routers.
– Routing table consists of entries of
• Network, Next hop address, metric, interface
– May have a routing table per incoming interface
– To route a packet, take the destination address and find the best match network in the table. In case of a tie look at the metric
• Use the corresponding next hop address and interface to send the packet on.
• The next hop address is on the same link as this device, so you use the next hop's data-link address, e.g., Ethernet MAC address
– Decrement the "time to live" field in the IP header at each hop. Drop the packet when it reaches 0
• Attempt to avoid routing loops
• As the internet got bigger, TTL fields got set bigger. 225 maximum

Routing example
• Receive a packet destined to 192.168.3.56 on the inside interface
• Local routing table for the inside interface
1. 192.168.2.0/30, 127.0.0.1, 1, outside
2. 192.168.5.0/29, 127.0.0.1, 1, dmz
3. 192.168.3.0/24, 192.168.5.6, 1, dmz
4. 192.168.3.0/24, 192.168.1.2, 3, outside
5. 0.0.0.0/0, 192.168.1.2, 1, outside
• Entries 3 and 4 tie. But the metric for 3 is better
• Entries 1 and 2 are for directly connected networks

Source Based Routing
• In the IP Options field, can specify a source route
– Was conceived of as a way to ensure some traffic could be delivered even if the routing table was completely screwed up.
• Can be used by the bad guy to avoid security enforcing devices
– Most folks configure routers to drop packets with source routes set

IP Options in General
• Originally envisioned as a means to add more features to IP later
• Most routers drop packets with IP options set
– Stance of not passing traffic
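The "Fragmentation Flaws" slide says a firewall or reassembler should check for well formed packets and simply drop overlapping fragments. The following validator, an added example and not part of the lecture, applies those checks to a set of fragments sharing one Identification value; the fragment sets are constructed inline and the dict field names (offset, mf, length) are this example's own convention.

```python
def check_fragments(frags, max_datagram=65535):
    """Validate fragments of one datagram before reassembly.

    Each fragment is a dict: offset (13-bit field, in 8-byte units),
    mf (More Fragments flag), length (payload bytes).
    Returns "ok", "incomplete", or a "reject: ..." reason.
    """
    spans = []
    for f in frags:
        start = f["offset"] * 8
        end = start + f["length"]
        # Teardrop-style overlarge offsets: data would land past the 64 KiB limit.
        if end > max_datagram:
            return "reject: fragment extends past maximum datagram size"
        # Every non-final fragment must carry a multiple of 8 bytes.
        if f["mf"] and f["length"] % 8:
            return "reject: non-final fragment length not a multiple of 8"
        # Any shared byte range with an earlier fragment is refused outright,
        # rather than picking a first-wins or last-wins policy.
        if any(start < e and s < end for s, e in spans):
            return "reject: overlapping fragment"
        spans.append((start, end))
    # Completeness: exactly one final fragment and no gaps from offset 0.
    finals = [f for f in frags if not f["mf"]]
    if len(finals) != 1:
        return "incomplete"
    last_end = finals[0]["offset"] * 8 + finals[0]["length"]
    expected = 0
    for s, e in sorted(spans):
        if s != expected:
            return "incomplete"
        expected = e
    if expected != last_end:
        return "reject: data beyond final fragment"
    return "ok"


# Constructed sample sets (offsets in 8-byte units, lengths in bytes).
CLEAN = [{"offset": 0, "mf": 1, "length": 1480},
         {"offset": 185, "mf": 0, "length": 100}]
OVERLAP = [{"offset": 0, "mf": 1, "length": 1480},
           {"offset": 100, "mf": 0, "length": 100}]
MISSING_LAST = [{"offset": 0, "mf": 1, "length": 1480}]
OVERLARGE = [{"offset": 8190, "mf": 0, "length": 100}]
```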
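The routing lookup described in "Basic IPv4 Routing" and worked through in the "Routing example" slide, as an added example that is not the lecture's own code: longest prefix match first, lowest metric as the tie-break, then a TTL decrement with drop at zero. The table is the slide's five entries; the 127.0.0.1 next hop follows the slide's convention for directly connected networks.

```python
import ipaddress

# The lecture's routing table for the inside interface:
# (network, next hop address, metric, interface)
ROUTES = [
    ("192.168.2.0/30", "127.0.0.1", 1, "outside"),
    ("192.168.5.0/29", "127.0.0.1", 1, "dmz"),
    ("192.168.3.0/24", "192.168.5.6", 1, "dmz"),
    ("192.168.3.0/24", "192.168.1.2", 3, "outside"),
    ("0.0.0.0/0", "192.168.1.2", 1, "outside"),
]


def lookup(dest, routes=ROUTES):
    """Return (next_hop, interface) for dest, or None if no entry matches.

    Best match is the longest matching prefix; ties go to the lowest metric.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for net, next_hop, metric, iface in routes:
        network = ipaddress.ip_network(net)
        if addr not in network:
            continue
        # Higher tuple wins: longer prefix first, then smaller metric.
        rank = (network.prefixlen, -metric)
        if best is None or rank > best[0]:
            best = (rank, next_hop, iface)
    return None if best is None else (best[1], best[2])


def forward(dest, ttl, routes=ROUTES):
    """Model one hop: decrement TTL, drop at 0, else pick the next hop."""
    ttl -= 1
    if ttl <= 0:
        return ("drop", "ttl exceeded")
    hop = lookup(dest, routes)
    if hop is None:
        return ("drop", "no route")
    return ("forward", hop[0], hop[1], ttl)


if __name__ == "__main__":
    print(forward("192.168.3.56", 64))
```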