Berkeley COMPSCI 161 - Network Attacks

This preview shows page 1-2-23-24 out of 24 pages.

Network Attacks (Part 1)
CS 161: Computer Security
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed, Matthias Vallentin
http://inst.eecs.berkeley.edu/~cs161/
February 3, 2011

Announcements / Game Plan
- Homework 1 out now, due next week Weds 2/9, 9:59PM
  o Turn in via hardcopy to drop box in 283 Soda
- Enrollment is now finalized
  o My sincere apologies to those unable to get into the class
- Goal for today: a look at network attacks
  o With a focus on network layers 1-4

Layers 1 & 2: General Threats
Layer stack: 7 Application, 4 Transport, 3 (Inter)Network, 2 Link, 1 Physical
- Link (layer 2): framing and transmission of a collection of bits into individual messages sent across a single subnetwork (one physical technology)
- Physical (layer 1): encoding bits to send them over a single physical link, e.g. patterns of voltage levels / photon intensities / RF modulation

Physical/Link-Layer Threats: Eavesdropping
- Also termed sniffing
- For subnets using broadcast technologies (e.g., WiFi, some types of Ethernet), get it for free
  o Each attached system's NIC (Network Interface Card) can capture any communication on the subnet
  o Some handy tools for doing so: Wireshark, tcpdump / windump, bro
- For any technology, routers (and internal switches) can look at / export traffic they forward
- You can also tap a link
  o Insert a device to mirror physical signal
  o Or: just steal it

Stealing Photons
[Figure slides]

Physical/Link-Layer Threats: Disruption
- With physical access to a subnetwork, attacker can
  o Overwhelm its signaling, e.g., jam WiFi's RF
  o Send messages that violate the Layer-2 protocol's rules, e.g., send messages > maximum allowed size, sever timing synchronization, ignore fairness rules
- Routers & switches can simply drop traffic
- There's also the heavy-handed approach
[Figure slide]

Physical/Link-Layer Threats: Spoofing
- With physical access to a subnetwork, attacker can create any message they like
  o Termed spoofing
- May require root/administrator access to have full freedom
- Particularly powerful when combined with eavesdropping
  o Because attacker can understand exact state of victim's communication and craft their spoofed traffic to match it
  o Spoofing w/o eavesdropping = blind spoofing

Layer 3: General Threats
- (Inter)Network layer: bridges multiple subnets to provide end-to-end internet connectivity between nodes
- IP = Internet Protocol. Header fields shown in the diagram:
  o 4-bit Version, 4-bit Header Length, 8-bit Type of Service (TOS), 16-bit Total Length (Bytes)
  o 16-bit Identification, 3-bit Flags, 13-bit Fragment Offset
  o 8-bit Time to Live (TTL), 8-bit Protocol, 16-bit Header Checksum
  o 32-bit Source IP Address
  o 32-bit Destination IP Address
  o Payload

Network-Layer Threats
- Major:
  o Can set arbitrary source address
    "Spoofing": receiver has no idea who you are
    Could be blind, or could be coupled w/ sniffing
  o Can set arbitrary destination address
    Enables "scanning": brute-force searching for hosts
- Lesser (FYI; don't worry about unless later explicitly covered):
  o Fragmentation mechanism can evade network monitoring
  o Identification field leaks information
  o Time To Live allows discovery of topology
  o IP "options" can reroute traffic

5 Minute Break
Questions Before We Proceed?

Layer 4: General Threats
- Transport layer: end-to-end communication between processes (TCP, UDP)
- TCP header fields shown in the diagram: Source port, Destination port, Sequence number, Acknowledgment, HdrLen, 0, Flags, Advertised window, Checksum, Urgent pointer, Options (variable), Data
- Source port and Destination port: these plus IP addresses define a given connection
- Sequence number: defines where this packet fits within the sender's bytestream

TCP Threat: Disruption
- Normally, TCP finishes ("closes") a connection by each side sending a FIN control message
  o Reliably delivered, since other side must ack
- But: if a TCP endpoint finds unable to continue (process dies; info from other "peer" is inconsistent), it abruptly terminates by sending a RST control message
  o Unilateral
  o Takes effect immediately (no ack needed)
  o Only accepted by peer if has correct sequence number
[TCP header diagram, then the same diagram with RST shown in the Flags field]

Abrupt Termination
[Figure: time-sequence diagram between A and B: SYN, SYN ACK, ACK, Data, ACK, then RST]
- A sends a TCP packet with RESET (RST) flag to B
  o E.g., because app. process on A crashed
- Assuming that the sequence numbers in the RST fit with what B expects, That's It:
  o B's user-level process receives: ECONNRESET
  o No further communication on connection is possible

TCP Threat: Disruption
- Normally, TCP finishes ("closes") a connection by each side sending a FIN control message
  o Reliably delivered, since other side must ack
- But: if a TCP endpoint finds unable to continue (process dies; info from other "peer" is inconsistent), it abruptly terminates by sending a RST control message
  o Unilateral
  o Takes effect immediately (no ack needed)
  o Only accepted by peer if has correct sequence number
- So: if attacker knows ports & sequence numbers, can disrupt any TCP connection

TCP Threat: Injection
[Figure: time-sequence diagram between A and B: SYN, SYN ACK, ACK, Data, ACK, followed by "Nasty Data" and "Nasty Data 2"]
- What about inserting data rather than disrupting a connection?
  o Again, all that's required is attacker knows correct ports, seq. numbers
  o Receiver B is none the wiser!
- Termed TCP connection hijacking (or "session hijacking")
  o General means to take over an already-established connection!
- We are toast if an attacker can see our TCP traffic!
  o Because then they immediately know the port & sequence numbers

TCP Threat: Blind Spoofing
- Is it possible for an attacker to inject into a TCP connection even if they can't see our traffic?
- YES: if somehow they can guess the port and sequence numbers
- Let's look at a related attack where the goal of the attacker is to create a fake connection, rather than inject into a real one
  o Why?
  o Perhaps to leverage a server's trust of a given client as identified by its IP address
  o Perhaps to frame a given client so the attacker's actions during the connections can't be traced back to the attacker

TCP Threat: Blind Spoofing
[Figure: TCP connection establishment between Client (1.2.3.4) and Server (5.6.7.8): SYN, Seq Num = x; SYN ACK, Se ck]
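The header fields and the RST acceptance rule from the slides above, as an added example that is not part of the lecture material: it parses a constructed IPv4/TCP packet and makes the receiver-side decision for a RST. It goes beyond the slides by applying the stricter RFC 5961 rule (only an exact sequence match resets; an in-window mismatch gets a challenge ACK). The function names and sample values are assumptions, and the addresses are the client and server from the slide's diagram.

```python
import struct
from ipaddress import IPv4Address

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull out the IP and TCP header fields the slides name."""
    ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4               # IP header length in bytes
    sport, dport, seq, ack, off_flags, window = struct.unpack(
        "!HHIIHH", pkt[ihl:ihl + 16])
    return {
        # Ports plus IP addresses define a given connection.
        "conn": (str(IPv4Address(src)), sport, str(IPv4Address(dst)), dport),
        "seq": seq, "ack": ack, "window": window,
        "rst": bool(off_flags & 0x04), "fin": bool(off_flags & 0x01),
    }

def rst_verdict(seg: dict, conn: tuple, rcv_nxt: int, rcv_wnd: int) -> str:
    """Receiver-side decision for a segment carrying RST (RFC 5961 rule)."""
    if not seg["rst"] or seg["conn"] != conn:
        return "ignore"                       # not a RST for this connection
    if seg["seq"] == rcv_nxt:
        return "reset"                        # exact match: tear down
    if (seg["seq"] - rcv_nxt) % 2**32 < rcv_wnd:
        return "challenge-ack"                # in window but not exact
    return "discard"                          # outside the receive window

def sample_packet(seq: int, flags: int) -> bytes:
    """Constructed sample: 1.2.3.4:40000 -> 5.6.7.8:80, checksums left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address("1.2.3.4").packed,
                     IPv4Address("5.6.7.8").packed)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, seq, 0,
                      (5 << 12) | flags, 0, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    conn = ("1.2.3.4", 40000, "5.6.7.8", 80)  # B's view of the connection
    for seq in (1000, 1500, 999):
        seg = parse_ipv4_tcp(sample_packet(seq, 0x04))
        print(seq, rst_verdict(seg, conn, rcv_nxt=1000, rcv_wnd=65535))
```

With a 65535-byte window, a sender who cannot see the traffic has to hit one exact 32-bit value to get a "reset" verdict, which is the property the slides' sequence-number condition relies on.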

