Berkeley COMPSCI 161 - Network Attacks

This preview shows page 1-2-23-24 out of 24 pages.


Network Attacks, Part 1
CS 161: Computer Security
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin
http://inst.eecs.berkeley.edu/~cs161/
February 3, 2011

Announcements / Game Plan
• Homework #1 out now, due next week (Weds 2/9, 9:59PM)
  – Turn in via hardcopy to drop box in 283 Soda
• Enrollment is now finalized. My sincere apologies to those unable to get into the class.
• Goal for today: a look at network attacks
  – With a focus on network layers 1-4

Layers 1 & 2: General Threats?
[Diagram: layer stack: 7 Application, 4 Transport, 3 (Inter)Network, 2 Link, 1 Physical]
• Physical: Encoding bits to send them over a single physical link, e.g. patterns of voltage levels / photon intensities / RF modulation
• Link: Framing and transmission of a collection of bits into individual messages sent across a single “subnetwork” (one physical technology)

Physical/Link-Layer Threats: Eavesdropping
• Also termed sniffing
• For subnets using broadcast technologies (e.g., WiFi, some types of Ethernet), get it for “free”
  – Each attached system’s NIC (= Network Interface Card) can capture any communication on the subnet
  – Some handy tools for doing so
    o Wireshark
    o tcpdump / windump
    o bro
• For any technology, routers (and internal “switches”) can look at / export traffic they forward
• You can also “tap” a link
  – Insert a device to mirror physical signal
  – Or: just steal it!

Stealing Photons
[Figure]

Physical/Link-Layer Threats: Disruption
• With physical access to a subnetwork, attacker can
  – Overwhelm its signaling
    o E.g., jam WiFi’s RF
  – Send messages that violate the Layer-2 protocol’s rules
    o E.g., send messages > maximum allowed size, sever timing synchronization, ignore fairness rules
• Routers & switches can simply “drop” traffic
• There’s also the heavy-handed approach …

Physical/Link-Layer Threats: Spoofing
• With physical access to a subnetwork, attacker can create any message they like
  – Termed spoofing
• May require root/administrator access to have full freedom
• Particularly powerful when combined with eavesdropping
  – Because attacker can understand exact state of victim’s communication and craft their spoofed traffic to match it
  – Spoofing w/o eavesdropping = blind spoofing

Layer 3: General Threats?
[Diagram: layer stack: 7 Application, 4 Transport, 3 (Inter)Network, 2 Link, 1 Physical]
• (Inter)Network: Bridges multiple “subnets” to provide end-to-end internet connectivity between nodes

IP = Internet Protocol
[Diagram: IP header layout]
  4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (Bytes)
  16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
  8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
  32-bit Source IP Address
  32-bit Destination IP Address
  Payload

Network-Layer Threats
• Major:
  – Can set arbitrary source address
    o “Spoofing” - receiver has no idea who you are
    o Could be blind, or could be coupled w/ sniffing
  – Can set arbitrary destination address
    o Enables “scanning” - brute force searching for hosts
• Lesser:
  – Fragmentation mechanism can evade network monitoring
  – Identification field leaks information
  – Time To Live allows discovery of topology
  – IP “options” can reroute traffic
(FYI; don’t worry about unless later explicitly covered)

5 Minute Break
Questions Before We Proceed?

Layer 4: General Threats?
[Diagram: layer stack: 7 Application, 4 Transport, 3 (Inter)Network, 2 Link, 1 Physical]
• Transport: End-to-end communication between processes (TCP, UDP)
[Diagram: TCP header layout]
  Source port | Destination port
  Sequence number
  Acknowledgment
  HdrLen | 0 | Flags | Advertised window
  Checksum | Urgent pointer
  Options (variable)
  Data
[Annotations added on the repeated header diagram]
• These plus IP addresses define a given connection
• Defines where this packet fits within the sender’s bytestream

TCP Threat: Disruption
• Normally, TCP finishes (“closes”) a connection by each side sending a FIN control message
  – Reliably delivered, since other side must ack
• But: if a TCP endpoint finds itself unable to continue (process dies; info from other “peer” is inconsistent), it abruptly terminates by sending a RST control message
  – Unilateral
  – Takes effect immediately (no ack needed)
  – Only accepted by peer if it has correct* sequence number
[Diagram: TCP header layout, shown again with the Flags field set to RST]

Abrupt Termination
• A sends a TCP packet with RESET (RST) flag to B
  – E.g., because app. process on A crashed
• Assuming that the sequence numbers in the RST fit with what B expects, That’s It:
  – B’s user-level process receives: ECONNRESET
  – No further communication on connection is possible
[Diagram: timeline between A and B: SYN, SYN ACK, ACK, Data, RST, ACK]

TCP Threat: Disruption (continued)
• So: if attacker knows ports & sequence numbers, can disrupt any TCP connection

TCP Threat: Injection
• What about inserting data rather than disrupting a connection?
  – Again, all that’s required is attacker knows correct ports, seq. numbers
  – Receiver B is none the wiser!
• Termed TCP connection hijacking (or “session hijacking”)
  – General means to take over an already-established connection!
• We are toast if an attacker can see our TCP traffic!
  – Because then they immediately know the port & sequence numbers
[Diagram: timeline between A and B: SYN, SYN ACK, ACK, Data, ACK, Nasty Data, Nasty Data 2]

TCP Threat: Blind Spoofing
• Is it possible for an attacker to inject into a TCP connection even if they can’t see our traffic?
• YES: if somehow they can guess the port and sequence numbers
• Let’s look at a related attack where the goal of the attacker is to create a fake connection, rather than inject into a real one
  – Why?
  – Perhaps to leverage a server’s trust of a given client as identified by its IP address
  – Perhaps to
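
The slides state that a RST is only accepted if it carries a correct* sequence number. The following Python is an added example, not part of the lecture: it decodes the TCP header fields from the slides and shows how a receiver can validate a RST, comparing the older "anywhere in the receive window" rule with the exact-match-or-challenge-ACK rule of RFC 5961. The function names, the `CONN` state fields and all sample values are constructed for illustration.

```python
import struct

MOD = 2 ** 32   # TCP sequence numbers are 32-bit and wrap around
RST = 0x04      # RST bit within the TCP flags field

def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (field order as on the slides)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": (off_flags >> 12) * 4, "flags": off_flags & 0x3F,
            "window": window}

def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Modular window test; a zero window still admits exactly rcv_nxt."""
    return (seq - rcv_nxt) % MOD < max(rcv_wnd, 1)

def rst_verdict(hdr: dict, conn: dict, strict: bool = True) -> str:
    """Receiver's action for a claimed RST (strict=True: RFC 5961 rule)."""
    # conn: receiver-side connection state (hypothetical field names)
    if not hdr["flags"] & RST:
        return "not-rst"
    if (hdr["sport"], hdr["dport"]) != (conn["peer_port"], conn["local_port"]):
        return "drop"                      # wrong ports: not this connection
    if not in_window(hdr["seq"], conn["rcv_nxt"], conn["rcv_wnd"]):
        return "drop"                      # outside the receive window
    if strict and hdr["seq"] != conn["rcv_nxt"]:
        return "challenge-ack"             # in window but not exact: ask the real peer
    return "reset"

def blind_guess_odds(rcv_wnd: int, strict: bool) -> float:
    """Probability that one RST with a uniformly random seq is honoured."""
    return (1 if strict else max(rcv_wnd, 1)) / MOD

def make_rst(sport: int, dport: int, seq: int) -> bytes:
    """Constructed sample input: a 20-byte header with only RST set."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | RST, 0, 0, 0)

# Constructed receiver state whose window straddles the 32-bit wrap.
CONN = {"peer_port": 51000, "local_port": 443,
        "rcv_nxt": 0xFFFFFFF0, "rcv_wnd": 65535}

if __name__ == "__main__":
    for seq in (0xFFFFFFF0, 0x10, 0xFFFFFFEF):
        hdr = parse_tcp(make_rst(51000, 443, seq))
        print(hex(seq), rst_verdict(hdr, CONN, strict=False), rst_verdict(hdr, CONN))
```

With a 65535-byte window, the in-window rule honours roughly one in 65,000 random sequence numbers, while the strict rule honours one in 2^32 and answers near misses with a challenge ACK that only the genuine peer can act on.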

