WUSTL CSE 571S - TCP/IP Security Attacks
3-1  TCP/IP Security Attacks
Raj Jain
Washington University in Saint Louis, Saint Louis, MO
[email protected]
These slides are available on-line at: http://www.cse.wustl.edu/~jain/cse571-07/
©2007 Raj Jain, CSE571S, Washington University in St. Louis

3-2  Overview
1. TCP Segment Format, Connection Setup, Disconnect
2. IP: Address Spoofing, Covert Channel, Fragment Attacks, ARP, DNS
3. TCP Flags: Syn Flood, Ping of Death, Smurf, Fin
4. UDP Flood Attack
5. Connection Hijacking
6. Application: E-Mail, Web spoofing

3-3  TCP Segment Format
- Urgent: Deliver immediately at destination
- Push: Leave source immediately
- First data byte is ISN+1. Ack is next byte expected. Expecting Ack to Ack+window-1 next.
Figure (header layout):
  Source Port | Destination Port
  Sequence Number
  Ack Number
  Data Offset | Res | Urg Ack Push Reset Syn Fin | Window
  Checksum | Urgent Pointer
  Options | Padding
  Data

3-4  TCP Connection Setup
- Three way handshake
Figure: "Syn, ISN=10" / "Syn, Ack 33, ISN=22" / "Ack 44"; annotation: Start connection establishment timer (half-open connection)

3-5  TCP Disconnection
- Fin ⇒ No more data. Connection can be closed.
- Four-way handshake
Figure: Fin, Ack, Ack, Fin exchanged between the two ends

3-6  IP Address Spoofing
- Send requests to server with someone X's IP address. The response is received at X and discarded. Both X and server can be kept busy ⇒ DoS attack
Figure: Hacker, Victim V, Victim X; "SA=X | DA=V" from the hacker to V; "SA=V | DA=X" from V to X

3-7  Covert Channel
- Loki - a client server application
  - Uses ICMP echo to send covert commands
  - http://xforce.iss.net/xforce/xfdb/1452
- Timing Channel - CPU load indicates a 0 or 1 (Two processes on the same machine)
- Storage Channel - Print queue length large = 1, small = 0
Figure: High Security Machine, Low Security Machine

3-8  IP Fragment Attacks
- Fragments can overlap
- Final packets can be too large

3-9  TCP Flags
- Invalid Combinations
- May cause recipient to crash or hang

3-10  Syn Flood
- A sends Syn request with IP address of X to Server V.
- V sends a syn+ack to X
- X discards syn+ack leaving a half open connection at V.
- Many open connections exhaust resources at V ⇒ DoS
Figure: Hacker, Victim V, Victim X; "SA=X | DA=V, Syn"; "SA=V | DA=X, Syn+Ack"

3-11  Ping of Death
- Send a ping with more than 64kB in the data field.
- Most systems would crash, hang or reboot.

3-12  Smurf
- Send a broadcast echo request with V's source address.
- All the echo replies will make V very busy.

3-13  Fin
- In the middle of conversation between X and V.
- H sends a packet with Fin flag to V.
- V closes the connection and disregards all further packets from X.
- RST flag can be used similarly

3-14  UDP Flood Attack
- Character Generator (Chargen) request results in a response with random characters being returned.
- Used to diagnose lost packets on the path between two hosts.
- Uses TCP/UDP port 19.
- H can send a chargen request from X to V.
- V can respond to X wasting their bandwidth.

3-15  Connection Hijacking
- H sends packets to server X which increments the sequence number at X.
- All further packets from V are discarded at X.
- Responses for packets from H are sent to V - confusing him.
Figure: Hacker, Victim V, Victim X; "SA=X | DA=V, SN=11"; "SA=X | DA=V, SN=22"

3-16  ARP Spoofing
- X tries to find the MAC address of Victim V
- Hacker H responds to ARP request pretending to be V.
- All communication for V is captured by H.
- Countermeasure: Use static ARP
Figure: X, Victim V, Hacker; "Does anyone know V?"; "Yes, V's address is H."

3-17  DNS Spoofing
- DNS server is compromised to provide H's IP address for V's name.
- Countermeasure
Figure: X, Compromised DNS, Hacker; "What's IP address for x.com?"; "IP address for x.com is H."

3-18  E-Mail Spoofing
- From address is spoofed.
- Malware attachment comes from a friendly address.
- From: [email protected]

3-19  Web Spoofing
- The web site looks like another
- Southwest Airline, http://airlines.ws/southwest-airline.htm
- For every .gov site there is a .com, .net giving similar information
- For misspellings of popular businesses, there are web sites.

3-20  Summary
1. TCP port numbers, Sequence numbers, ack, flags
2. IP addresses are easy to spoof. ARP and DNS are not secure.
3. Flags: Syn Flood, Ping of Death, Smurf, Fin, Connection Hijacking
4. UDP Flood Attack
5. Application addresses are not secure

3-21  References
1. Gert De Laet and Gert Schauwers, "Network Security Fundamentals," Cisco Press, 2005, ISBN: 1587051672

3-22  Lab Homework 3
- This lab consists of using the following tools:
- XP Keylogger, http://www.bestvistadownloads.com/download/t-free-xp-keylogger-download-zhtdqdgn.html
- Snort, vulnerability scanner, http://www.codecraft-canada.com/Snort/
- Password dump, Pwdump3, http://www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003
- John the ripper, Bruteforce password attack, http://www.openwall.com/john/

3-23  Lab Homework 3 (Cont)
- If you have two computers, you can install these programs on one computer and conduct these exercises.
- Alternately, you can remote desktop to CSE571XPC and conduct exercises 1-4 and then remote desktop to CSE571XPS and conduct exercise 5.
- Use your last name (with spaces removed) as your user name.

3-24  (slide text cut off in the preview)
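The segment-format, connection-setup, TCP-flags and Syn Flood slides describe the header fields, the half-open state the handshake passes through, and the flag combinations no conforming sender emits. The Python below is an added example, not code from the slides or the course, showing how a passive monitor would decode the fixed 20-byte header, label invalid flag combinations, and count half-open connections per server so that a flood of unanswered SYNs is noticed before the server's table is exhausted. The addresses, ports, the alert threshold of 3 and the sample traces are constructed; the ack numbers in the handshake follow the slide's rule that the ack is the next byte expected.

```python
import struct
from collections import defaultdict

# TCP flag bits: the low six bits of the "data offset / reserved / flags" word
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed addresses for the traces below (not from the slides)
CLIENT, SERVER = "192.0.2.50", "192.0.2.10"


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header laid out on the segment-format slide."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte fixed header")
    (sport, dport, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": off_flags & 0x3F,
        "window": window, "checksum": checksum, "urgent": urgent,
    }


def build_tcp_header(sport, dport, seq, ack, flags, window=65535) -> bytes:
    """Pack a header for the constructed traces (checksum left at 0: nothing
    here verifies checksums, so no pseudo-header sum is computed)."""
    off_flags = (5 << 12) | flags              # five 32-bit words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def classify_flags(flags: int) -> str:
    """Label flag combinations a conforming sender never produces (TCP Flags
    slide); a border filter can drop these instead of handing them to a
    fragile end-host stack."""
    if flags == 0:
        return "null"
    if flags & SYN and flags & FIN:
        return "syn+fin"
    if flags & SYN and flags & RST:
        return "syn+rst"
    if flags & FIN and not flags & ACK:
        return "fin-without-ack"   # a FIN on an open connection always carries ACK
    return "ok"


class HalfOpenTracker:
    """Count, per server, connections that saw a SYN but no completing ACK."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold          # assumed alert threshold, tiny for the demo
        self.half_open = defaultdict(set)   # server ip -> {(client ip, client port, server port)}

    def observe(self, src_ip: str, dst_ip: str, hdr: dict) -> None:
        flags, key = hdr["flags"], (src_ip, hdr["sport"], hdr["dport"])
        if flags & SYN and not flags & ACK:            # handshake step 1 opens an entry
            self.half_open[dst_ip].add(key)
        elif flags & (ACK | RST) and not flags & SYN:  # step 3, or a RST from the real X, clears it
            self.half_open[dst_ip].discard(key)

    def flooded_servers(self) -> list:
        return sorted(ip for ip, conns in self.half_open.items()
                      if len(conns) > self.threshold)


def normal_handshake() -> list:
    """Three-way handshake of the connection-setup slide (ack = next byte expected)."""
    return [
        (CLIENT, SERVER, build_tcp_header(40000, 80, 10, 0, SYN)),          # Syn, ISN=10
        (SERVER, CLIENT, build_tcp_header(80, 40000, 22, 11, SYN | ACK)),   # Syn+Ack, ISN=22
        (CLIENT, SERVER, build_tcp_header(40000, 80, 11, 23, ACK)),         # Ack
    ]


def syn_flood_trace(n: int = 5) -> list:
    """n SYNs from sources that never complete the handshake (Syn Flood slide)."""
    return [(f"203.0.113.{i}", SERVER, build_tcp_header(1000 + i, 80, 100 + i, 0, SYN))
            for i in range(1, n + 1)]


def run(trace: list, tracker: HalfOpenTracker = None) -> tuple:
    """Return (flag anomalies, servers over the half-open threshold) for a trace."""
    if tracker is None:
        tracker = HalfOpenTracker()
    anomalies = []
    for src, dst, segment in trace:
        hdr = parse_tcp_header(segment)
        label = classify_flags(hdr["flags"])
        if label != "ok":
            anomalies.append((src, dst, label))
        tracker.observe(src, dst, hdr)
    return anomalies, tracker.flooded_servers()


if __name__ == "__main__":
    print("handshake:", run(normal_handshake()))
    print("flood:", run(syn_flood_trace()))
    print("bad flags:", run([(CLIENT, SERVER, build_tcp_header(1, 80, 0, 0, SYN | FIN))]))
```

A real deployment would age half-open entries out after the connection-establishment timer the slide mentions expires, and would raise the threshold well above 3; the structure of the check (SYN opens an entry, the third-step ACK or a RST from the claimed source removes it) stays the same.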
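The IP Address Spoofing, Smurf and UDP Flood slides all rely on the network forwarding packets whose source address, destination address or destination port it has no reason to accept. The following Python is an added example, not from the slides, of the edge-router decision a defender would put in front of such a network: an ingress filter that refuses packets from outside claiming an internal source, an egress filter for the reverse, a block on directed broadcasts arriving from outside, and a drop for the chargen port the UDP Flood slide names. The site prefix 192.0.2.0/24, the interface names "inside" and "outside", and the sample packets are constructed.

```python
import ipaddress
from collections import Counter, namedtuple

# Assumed site prefix and interface names (constructed for the example)
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
CHARGEN_PORT = 19      # TCP/UDP port 19, the chargen service of the UDP Flood slide

Packet = namedtuple("Packet", "iface src dst proto dport")


def filter_decision(pkt: Packet) -> str:
    """Decide whether the edge router forwards pkt: "accept" or a "drop: ..."
    string naming the rule that fired, so drops can be counted per reason."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Ingress filter: nobody outside may claim one of our addresses (IP spoofing slide)
    if pkt.iface == "outside" and src in INTERNAL:
        return "drop: internal source address arriving from outside"
    # Egress filter: our hosts may not emit packets with foreign source addresses
    if pkt.iface == "inside" and src not in INTERNAL:
        return "drop: foreign source address leaving the network"
    # A directed broadcast from outside turns every host into an amplifier (Smurf slide)
    if pkt.iface == "outside" and dst == INTERNAL.broadcast_address:
        return "drop: directed broadcast from outside"
    # Chargen answers any datagram with a stream of characters (UDP Flood slide)
    if pkt.proto == "udp" and pkt.dport == CHARGEN_PORT:
        return "drop: chargen port"
    return "accept"


def constructed_traffic() -> list:
    """Six constructed packets: one per slide scenario plus two ordinary flows."""
    V, X, OUTSIDER = "192.0.2.10", "192.0.2.20", "198.51.100.7"
    return [
        Packet("outside", X, V, "tcp", 80),                       # SA=X | DA=V from outside
        Packet("outside", OUTSIDER, "192.0.2.255", "icmp", 0),    # echo request to our broadcast
        Packet("outside", OUTSIDER, V, "udp", CHARGEN_PORT),      # chargen request from outside
        Packet("inside", OUTSIDER, "203.0.113.5", "tcp", 443),    # foreign source leaving
        Packet("outside", OUTSIDER, V, "tcp", 443),               # ordinary inbound
        Packet("inside", X, "203.0.113.5", "tcp", 443),           # ordinary outbound
    ]


def summarize(packets) -> dict:
    """Count decisions by reason; a per-reason counter is what a dashboard would plot."""
    return dict(Counter(filter_decision(p) for p in packets))


if __name__ == "__main__":
    for reason, count in summarize(constructed_traffic()).items():
        print(f"{count}  {reason}")
```

The broadcast rule is deliberately conditional on the arriving interface: local hosts still need subnet broadcasts, and it is only the directed broadcast from outside, with the victim's address as source, that produces the amplification the Smurf slide describes.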
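The ARP Spoofing slide shows H answering X's request for V with its own address and names static ARP as the countermeasure. The Python below is an added example, not from the slides, of a segment monitor that makes both halves of that slide concrete: it parses ARP bodies, refuses to let a reply override an administrator-configured static entry, and raises an alert when two replies give different MAC addresses for the same IP or when a reply arrives that nobody asked for. The IP and MAC addresses and the replayed exchange are constructed.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # 28-byte ARP body for Ethernet (htype 1) / IPv4 (ptype 0x0800)

# Constructed hosts: X asks, V is the victim, H is the hacker
X, X_MAC = "192.0.2.20", "02:00:00:00:00:0a"
V, V_MAC = "192.0.2.30", "02:00:00:00:00:0b"
H_MAC = "02:00:00:00:00:0c"


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Pack an ARP body (used only to construct the sample exchange)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(body: bytes) -> dict:
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    return {"oper": oper,
            "sha": ":".join(f"{b:02x}" for b in sha), "spa": ".".join(map(str, spa)),
            "tha": ":".join(f"{b:02x}" for b in tha), "tpa": ".".join(map(str, tpa))}


class ArpMonitor:
    """Watch ARP on one segment. Static entries (the slide's countermeasure) are
    never overwritten; learned entries are checked against every later reply."""

    def __init__(self, static: dict = None):
        self.static = dict(static or {})   # ip -> mac, configured by the administrator
        self.learned = {}                  # ip -> mac from the first reply to a real request
        self.pending = set()               # ips someone asked about and nobody has answered yet
        self.alerts = []

    def observe(self, body: bytes):
        """Feed one ARP body; return an alert string or None."""
        a = parse_arp(body)
        if a["oper"] == ARP_REQUEST:
            self.pending.add(a["tpa"])
            return None
        if a["oper"] != ARP_REPLY:
            return None
        ip, mac = a["spa"], a["sha"]
        alert = None
        if ip in self.static:
            if self.static[ip] != mac:
                alert = f"reply for {ip} claims {mac}, static entry is {self.static[ip]}"
        elif ip in self.learned:
            if self.learned[ip] != mac:
                alert = f"{ip} moved from {self.learned[ip]} to {mac}"   # two different answers
        elif ip not in self.pending:
            alert = f"unsolicited reply for {ip} from {mac}"
        else:
            self.learned[ip] = mac          # first answer to a real request: accept it
        self.pending.discard(ip)
        if alert:
            self.alerts.append(alert)
        return alert


def slide_exchange() -> list:
    """Constructed replay of the slide: X asks for V, H answers with its own
    MAC, then the genuine reply from V arrives as well."""
    return [
        build_arp(ARP_REQUEST, X_MAC, X, "00:00:00:00:00:00", V),   # Does anyone know V?
        build_arp(ARP_REPLY, H_MAC, V, X_MAC, X),                   # "Yes, V's address is H."
        build_arp(ARP_REPLY, V_MAC, V, X_MAC, X),                   # V itself also answers
    ]


def run_monitor(static: dict = None) -> list:
    """Alerts (or None) per packet of the replayed exchange, with or without a static entry for V."""
    mon = ArpMonitor(static)
    return [mon.observe(b) for b in slide_exchange()]


if __name__ == "__main__":
    print("dynamic table:", run_monitor())
    print("static entry for V:", run_monitor({V: V_MAC}))
```

Without a static entry the monitor can only report that two different MACs answered for V, since it has no ground truth to prefer one over the other; the first answer (H's) is what it learned, which is exactly why the slide's countermeasure is to pin the binding rather than trust whichever reply arrives first.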