Network Protocols and VulnerabilitiesOutlineInternet InfrastructureTCP Protocol StackData FormatsInternet ProtocolIP RoutingIP Protocol Functions (Summary)User Datagram ProtocolTransmission Control ProtocolInternet Control Message ProtocolBasic Security ProblemsPacket SniffingSmurf DoS AttackTCP HandshakeSYN FloodingSlide 17Protection against SYN AttacksTCP Connection SpoofingIP Spoofing AttackTCP Sequence NumbersRecent DoS vulnerability [Watson’04]Cryptographic network protectionWireless ThreatsEvolution of Wireless SecurityWhat Went Wrong With WEPIEEE 802.11i - WPA2Security issues in development of 802.11iTCP Congestion ControlCompetitionRouting VulnerabilitiesSource Routing AttacksRouting Table Update ProtocolsInterdomain RoutingBGP overviewBGP example [D. Wetherall]IssuesBGP Route InstabilitySlide 41Slide 42Domain Name SystemDNS Root Name ServersDNS Lookup ExampleCachingLookup using cached DNS serverDNS Implementation VulnerabilitiesInherent DNS VulnerabilitiesDNS cache poisoningPharmingDNS Rebinding AttackDNS Rebinding DefensesSummary (I)Summary (II)Network Protocols and Vulnerabilities John MitchellCS 155Spring 2008OutlineBasic NetworkingNetwork attacksAttacking host-to-host datagram protocolsSYN flooding, TCP Spoofing, …Attacking network infrastructureRoutingDomain Name System This lecture is about the way things work now and how they are not perfect. Next lecture – some security improvements (still not perfect)BackboneISPISPInternet InfrastructureLocal and interdomain routingTCP/IP for routing, connectionsBGP for routing announcementsDomain Name SystemFind IP address from symbolic name (www.cs.stanford.edu)TCP Protocol StackApplicationTransportNetworkLinkApplication protocolTCP protocolIP protocolData LinkIPNetwork AccessIP protocolData LinkApplicationTransportNetworkLinkData FormatsApplicationTransport (TCP, UDP)Network (IP)Link LayerApplication message - dataTCP data TCP data TCP dataTCP HeaderdataTCPIPIP HeaderdataTCPIPETH ETFLink (Ethernet) HeaderLink (Ethernet) Trailersegment packetframemessageInternet ProtocolConnectionlessUnreliableBest effortTransfer datagramHeaderDataIPVersion Header LengthType of ServiceTotal LengthIdentificationFlagsTime to LiveProtocolHeader ChecksumSource Address of Originating HostDestination Address of Target HostOptionsPaddingIP DataFragment OffsetIP RoutingInternet routing uses numeric IP addressTypical route uses several hopsMegTomISPOffice gateway121.42.33.12132.14.11.51SourceDestinationPacket121.42.33.12121.42.33.1132.14.11.51132.14.11.1IP Protocol Functions (Summary)RoutingIP host knows location of router (gateway)IP gateway must know route to other networksFragmentation and reassemblyIf max-packet-size less than the user-data-sizeError reportingICMP packet to source if packet is droppedUser Datagram ProtocolIP provides routingIP address gets datagram to a specific machineUDP separates traffic by portDestination port number gets UDP datagram to particular application process, e.g., 128.3.23.3, 53Source port number provides return addressMinimal guaranteesNo acknowledgmentNo flow controlNo message continuationUDPTransmission Control ProtocolConnection-oriented, preserves orderSender Break data into packetsAttach packet numbersReceiverAcknowledge receipt; lost packets are resentReassemble packets in correct orderTCPBook Mail each page Reassemble book19511 1Internet Control Message ProtocolProvides feedback about network operationError reportingReachability testingCongestion ControlExample message typesDestination unreachableTime-to-live exceededParameter problemRedirect to better gatewayEcho/echo reply - reachability testTimestamp request/reply - measure transit delayICMPBasic Security ProblemsNetwork packets pass by untrusted hostsEavesdropping, packet sniffing (e.g., “ngrep”)IP addresses are publicSmurfTCP connection requires stateSYN flooding attackTCP state can be easy to guessTCP spoofing attackPacket SniffingPromiscuous NIC reads all packetsRead all unencrypted data (e.g., “ngrep”)ftp, telnet send passwords in clear!Alice BobEveNetworkNetworkPrevention: Encryption, improved routing (Another lecture: IPSEC)Sweet Hall attack installed sniffer on local machineSmurf DoS AttackSend ping request to broadcast addr (ICMP Echo Req) Lots of responses:Every host on target network generates a ping reply (ICMP Echo Reply) to victimPing reply stream can overload victimPrevention: reject external packets to broadcast addressgatewayDoSSourceDoSTarget1 ICMP Echo ReqSrc: Dos TargetDest: brdct addr3 ICMP Echo ReplyDest: Dos TargetTCP HandshakeCSSYNCSYNS, ACKC+1ACKS+1ListeningStore dataWaitConnectedSYN FloodingCSSYNC1 ListeningStore dataSYNC2SYNC3SYNC4SYNC5SYN FloodingAttacker sends many connection requestsSpoofed source addresses Victim allocates resources for each requestConnection requests exist until timeoutFixed bound on half-open connectionsResources exhausted requests rejectedProtection against SYN AttacksClient sends SYNServer responds to Client with SYN-ACK cookiesqn = f(src addr, src port, dest addr, dest port, rand)Normal TCP response but server does not save stateHonest client responds with ACK(sqn)Server checks response If matches SYN-ACK, establishes connection“rand” is top 5 bits of 32-bit time counterServer checks client response against recent valuesSee http://cr.yp.to/syncookies.html [Bernstein, Schenk]TCP Connection SpoofingEach TCP connection has an associated stateClient IP and port number; same for serverSequence numbers for client, server flowsProblemEasy to guess statePort numbers are standardSequence numbers often chosen in predictable wayIP Spoofing AttackA, B trusted connectionSend packets with predictable seq numbersE impersonates B to AOpens connection to A to get initial seq numberSYN-floods B’s queueSends packets to A that resemble B’s transmissionE cannot receive, but may execute commands on AServer ABEAttack can be blocked if E is outside firewall.TCP Sequence NumbersNeed high degree of unpredictabilityIf attacker knows initial seq # and amount of traffic sent, can estimate likely current valuesSend a flood of packets with likely seq numbersAttacker can inject packets into existing connectionSome implementations are vulnerableRecent DoS vulnerability
View Full Document
Unlocking...