Network Attacks, Part 1
CS 161: Computer Security
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin
http://inst.eecs.berkeley.edu/~cs161/
February 3, 2011

Slide 2: Announcements / Game Plan
• Homework #1 out now, due next week (Weds 2/9, 9:59PM)
  – Turn in via hardcopy to drop box in 283 Soda
• Enrollment is now finalized. My sincere apologies to those unable to get into the class.
• Goal for today: a look at network attacks
  – With a focus on network layers 1-4

Slide 3: Layers 1 & 2: General Threats?
[Figure: protocol stack – Application (7), Transport (4), (Inter)Network (3), Link (2), Physical (1)]
Physical layer: encoding bits to send them over a single physical link, e.g. patterns of voltage levels / photon intensities / RF modulation
Link layer: framing and transmission of a collection of bits into individual messages sent across a single “subnetwork” (one physical technology)

Slide 4: Physical/Link-Layer Threats: Eavesdropping
• Also termed sniffing
• For subnets using broadcast technologies (e.g., WiFi, some types of Ethernet), get it for “free”
  – Each attached system’s NIC (= Network Interface Card) can capture any communication on the subnet
  – Some handy tools for doing so
    o Wireshark
    o tcpdump / windump
    o bro
• For any technology, routers (and internal “switches”) can look at / export traffic they forward
• You can also “tap” a link
  – Insert a device to mirror physical signal
  – Or: just steal it!

Slide 5: Stealing Photons

Slide 6: (no text on slide)

Slide 7: Physical/Link-Layer Threats: Disruption
• With physical access to a subnetwork, attacker can
  – Overwhelm its signaling
    o E.g., jam WiFi’s RF
  – Send messages that violate the Layer-2 protocol’s rules
    o E.g., send messages > maximum allowed size, sever timing synchronization, ignore fairness rules
• Routers & switches can simply “drop” traffic
• There’s also the heavy-handed approach …

Slide 8: (no text on slide)

Slide 9: Physical/Link-Layer Threats: Spoofing
• With physical access to a subnetwork, attacker can create any message they like
  – Termed spoofing
• May require root/administrator access to have full freedom
• Particularly powerful when combined with eavesdropping
  – Because attacker can understand exact state of victim’s communication and craft
their spoofed traffic to match it
  – Spoofing w/o eavesdropping = blind spoofing

Slide 10: Layer 3: General Threats?
[Figure: protocol stack – Application (7), Transport (4), (Inter)Network (3), Link (2), Physical (1)]
Network layer: bridges multiple “subnets” to provide end-to-end internet connectivity between nodes
IP = Internet Protocol. IP header fields:
  4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (Bytes)
  16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
  8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
  32-bit Source IP Address
  32-bit Destination IP Address
  Payload

Slide 11: Network-Layer Threats
(FYI; don’t worry about unless later explicitly covered)
• Major:
  – Can set arbitrary source address
    o “Spoofing” - receiver has no idea who you are
    o Could be blind, or could be coupled w/ sniffing
  – Can set arbitrary destination address
    o Enables “scanning” - brute force searching for hosts
• Lesser:
  – Fragmentation mechanism can evade network monitoring
  – Identification field leaks information
  – Time To Live allows discovery of topology
  – IP “options” can reroute traffic

Slide 12: 5 Minute Break
Questions Before We Proceed?

Slide 13: Layer 4: General Threats?
[Figure: protocol stack – Application (7), Transport (4), (Inter)Network (3), Link (2), Physical (1)]
Transport layer: end-to-end communication between processes (TCP, UDP)
TCP header fields:
  Source port | Destination port
  Sequence number
  Acknowledgment
  HdrLen | 0 | Flags | Advertised window
  Checksum | Urgent pointer
  Options (variable)
  Data

Slide 14: Layer 4: General Threats?
(Same TCP header figure.) Source port and destination port: these plus IP addresses define a given connection

Slide 15: Layer 4: General Threats?
(Same TCP header figure.) Sequence number: defines where this packet fits within the sender’s bytestream

Slide 16: TCP Threat: Disruption
• Normally, TCP finishes (“closes”) a connection by each side sending a FIN control message
  – Reliably delivered, since other side
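Added example, not from the slides: a small IPv4 header decoder (Python, using only the standard library) that pulls out exactly the fields in the header figure above, verifies the RFC 791 header checksum, and exposes the fields slide 11 lists as threats (unauthenticated source address, fragmentation, identification, TTL, presence of options) so a monitor can act on them. The builder and the addresses/values in it are constructed sample input, not captured traffic.

```python
import struct
from ipaddress import IPv4Address

HDR_FMT = "!BBHHHBBH4s4s"   # the fixed 20-byte IPv4 header, fields in slide order

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement sum over the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the header fields and flag the ones the slide lists as threats."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack(HDR_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes
    if (ver_ihl >> 4) != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("bad version or header length")
    flags, frag_off = flags_frag >> 13, flags_frag & 0x1FFF
    return {
        # Source address is whatever the sender wrote: unauthenticated, spoofable
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "ttl": ttl, "proto": proto, "ident": ident, "total_len": total_len,
        "more_fragments": bool(flags & 0x1), "dont_fragment": bool(flags & 0x2),
        "frag_offset": frag_off * 8,           # offset is carried in 8-byte units
        "is_fragment": bool(flags & 0x1) or frag_off != 0,  # monitor must reassemble
        "has_options": ihl > 20,               # options (e.g. source routing) present
        # A valid header sums to all-ones, so the complemented sum is 0
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }

def build_ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 6,
                      ident: int = 0x1234, flags: int = 0, frag_off: int = 0,
                      payload_len: int = 0) -> bytes:
    """Constructed sample input: a 20-byte header with a correct checksum."""
    fields = [0x45, 0, 20 + payload_len, ident, (flags << 13) | frag_off,
              ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(HDR_FMT, *fields))
    return struct.pack(HDR_FMT, *fields)

if __name__ == "__main__":
    sample = build_ipv4_header("10.0.0.1", "10.0.0.2", ttl=7, flags=1, frag_off=3)
    for k, v in parse_ipv4_header(sample).items():
        print(f"{k:15} {v}")
```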
must ack
• But: if a TCP endpoint finds itself unable to continue (process dies; info from other “peer” is inconsistent), it abruptly terminates by sending a RST control message
  – Unilateral
  – Takes effect immediately (no ack needed)
  – Only accepted by peer if has correct* sequence number

Slide 17: (TCP header figure, as on slide 13)

Slide 18: (TCP header figure, with RST highlighted in the Flags field)

Slide 19: Abrupt Termination
• A sends a TCP packet with RESET (RST) flag to B
  – E.g., because app. process on A crashed
• Assuming that the sequence numbers in the RST fit with what B expects, that’s it:
  – B’s user-level process receives: ECONNRESET
  – No further communication on connection is possible
[Figure: timeline between A and B – SYN, SYN ACK, ACK, Data, RST, ACK]

Slide 20: TCP Threat: Disruption
(Repeats slide 16, adding:)
• So: if attacker knows ports & sequence numbers, can disrupt any TCP connection

Slide 21: TCP Threat: Injection
• What about inserting data rather than disrupting a connection?
  – Again, all that’s required is attacker knows correct ports, seq.
numbers
  – Receiver B is none the wiser!
• Termed TCP connection hijacking (or “session hijacking”)
  – General means to take over an already-established connection!
• We are toast if an attacker can see our TCP traffic!
  – Because then they immediately know the port & sequence numbers
[Figure: timeline between A and B – SYN, SYN ACK, ACK, Data, ACK, with attacker’s “Nasty Data” injected into the connection]

Slide 22: TCP Threat: Blind Spoofing
• Is it possible for an attacker to inject into a TCP connection even if they can’t see our traffic?
• YES: if somehow they can guess the port and sequence numbers
• Let’s look at a related attack where the goal of the attacker is to create a fake connection, rather than inject into a real one
  – Why?
  – Perhaps to leverage a server’s trust of a given client as identified by its IP address
  – Perhaps to
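Added example, not from the slides: the receiver-side check behind the “correct* sequence number” caveat on slides 16 and 20, and the matching acceptance rule for data on slide 21. The function models what endpoint B does with an arriving RST or data segment depending on whether its ports/addresses match the connection and its sequence number falls where B expects. The legacy in-window rule is shown beside the stricter RFC 5961 behaviour (a RST must carry exactly RCV.NXT, otherwise B answers with a challenge ACK), which is added context the slides do not cover; the connection state, addresses and ports are constructed.

```python
from dataclasses import dataclass

RST, ACK = 0x04, 0x10          # TCP flag bits used below
MOD = 2 ** 32                  # sequence numbers wrap at 32 bits

@dataclass
class Conn:
    """Receiver B's state for one established connection (constructed example)."""
    local: tuple     # (ip, port) of B
    remote: tuple    # (ip, port) of the peer A
    rcv_nxt: int     # next sequence number B expects from A
    rcv_wnd: int     # window B advertised to A

def classify(conn: Conn, src: tuple, dst: tuple, seq: int, flags: int,
             payload_len: int, rfc5961: bool = True) -> str:
    """How B treats a segment: 'ignore', 'drop', 'reset', 'challenge-ack' or 'data'."""
    # 1. Ports plus IP addresses identify the connection (slide 14); anything
    #    else is simply not this connection's traffic.
    if (src, dst) != (conn.remote, conn.local):
        return "ignore"
    # 2. Distance of the segment's seq from what B expects, modulo 2^32.
    offset = (seq - conn.rcv_nxt) % MOD
    in_window = offset < conn.rcv_wnd
    if flags & RST:
        if not in_window:
            return "drop"            # RST with a wrong sequence number: silently dropped
        if rfc5961 and offset != 0:
            # In-window but not exactly RCV.NXT: instead of tearing down, B sends an
            # ACK; a genuine peer replies with an exact-sequence RST, while a
            # sender that merely guessed a window-sized range gets nothing.
            return "challenge-ack"
        return "reset"               # connection gone; B's app sees ECONNRESET
    if not in_window:
        return "drop"
    # Data whose seq lands in the window is taken as the peer's bytestream
    # (slide 21): whoever knows the 4-tuple and seq is indistinguishable from A.
    return "data"

if __name__ == "__main__":
    b = Conn(local=("10.0.0.2", 80), remote=("10.0.0.1", 40000),
             rcv_nxt=1000, rcv_wnd=65535)
    a = b.remote
    print("exact RST       :", classify(b, a, b.local, 1000, RST, 0))
    print("in-window RST   :", classify(b, a, b.local, 1100, RST, 0, rfc5961=False),
          "/ RFC 5961:", classify(b, a, b.local, 1100, RST, 0))
    print("out-of-window   :", classify(b, a, b.local, 999, RST, 0))
```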