Stanford CS 155 - Study Notes

This preview shows page 1-2-3-4-27-28-29-30-56-57-58-59 out of 59 pages.


Slide outline: Recall from crypto lecture; The medium-term plan; Internet protocol (IP); IP packet format; IP header details; Simple protocol: ICMP; IP vs. lower-level net addresses; ARP Ethernet packet format; LAN Eavesdropping; Wrong: Eavesdropping w. switches; UDP – user datagram protocol; TCP – Transmission Control Protocol; TCP segment; TCP fields; TCP Flags; A TCP Connection (no data); Connection establishment; Connection termination; TIME_WAIT; State summary... Sending data; Sliding window; A TCP connection (3 byte echo); Retransmission; Congestion avoidance; Access control; Spoofing TCP source [Morris]; Spoofing TCP [Joncheray]; Desynchronizing TCP; Exploiting desynchronized TCP; Domain Name System (DNS); Goals of DNS; The good news; DNS Names; DNS software architecture; DNS protocol; Resource records; Resource record examples; Mapping addresses to names; Access control based on hostnames; Some implementation details; Structure of a DNS message; Header format; Encoding of RRs; Using DNS for load-balancing; Secondary servers; The SOA record; Cache issues; Cache poisoning; DNS poisoning in the wild; TXT records; Same Origin Principle revisited; Exploiting DNS to violate S.O.

Recall from crypto lecture
• We basically assume bad guys control the network
• Now we will make this more precise

The medium-term plan
• Today: How Internet works & how to attack it
  - How attackers can realize picture on previous slide
• Thursday: Defense mechanisms
• Next Tuesday: Denial of service
• Next Thursday: Automated attacks & defenses
• Following Tuesday: Privacy & anonymity

Internet protocol (IP)
[Figure labels: IP; cell phone, DSL, Ethernet, 802.11b, FDDI, Cable; TCP, UDP; HTTP, XML-RPC, web services, chat, email, VOIP]
• Many different physical networks
• Many different network applications
• Idea: Inter-operate through narrow IP protocol
  - Often referred to as “hourglass model”

IP packet format
[Figure: 32-bit-wide header layout with fields vers, hdr len, TOS, Total Length, Identification, flags (0, DF, MF), Fragment offset, TTL, Protocol, hdr checksum, Source IP address, Destination IP address, Options, Padding, Data]

IP header details
• Routing is based on destination address
• TTL (time to live) decremented at each hop (avoids loops)
  - TTL mostly saves from routing loops
  - But other cool uses. . .
• Fragmentation possible for large packets
  - Fragmented in network if crosses link w. small frame size
  - MF bit means more fragments for this IP packet
  - DF bit says “don’t fragment” (returns error to sender)
• Following IP header is “payload” data
  - Typically beginning with TCP or UDP header

Simple protocol: ICMP
• Internet Control Message Protocol (ICMP)
  - Echo (ping)
  - Redirect (from router to source host)
  - Destination unreachable (protocol, port, or host)
  - TTL exceeded (so datagrams don’t cycle forever)
  - Checksum failed
  - Reassembly failed
  - Cannot fragment
  - Many ICMP messages include part of packet that triggered them
• Example use: Traceroute

IP vs. lower-level net addresses
• Must map IP addresses into physical addresses
  - E.g., Ethernet address of destination host or next hop router
  - Often called Medium Access Control (MAC) address (not message authentication code or mandatory access control)
• Could encode MAC address in IP address [IPv6]
• Usually use ARP – address resolution protocol
  - Table of IP to physical address bindings
  - Broadcast request if IP address not in table
  - Everybody learns physical address of requesting node (broadcast)
  - Target machine responds with its physical address
  - Table entries are discarded if not refreshed

ARP Ethernet packet format
[Figure: 32-bit-wide layout (bit ruler 0, 8, 16, 31) with fields Hardware type = 1, ProtocolType = 0x0800, HLen = 48, PLen = 32, Operation, SourceHardwareAddr (bytes 0–3), SourceHardwareAddr (bytes 4–5), SourceProtocolAddr (bytes 0–1), SourceProtocolAddr (bytes 2–3), TargetHardwareAddr (bytes 0–1), TargetHardwareAddr (bytes 2–5), TargetProtocolAddr (bytes 0–3)]
[figures from Peterson & Davie]

LAN Eavesdropping
• Most network cards support “promiscuous mode”
  - Return all packets, not just those addressed to your MAC addr.
  - Useful for network debugging, software Ethernet switches
  - Also useful for eavesdropping
• It used to be all Ethernets were broadcast networks
  - All hosts tapped into same coaxial cable
  - Any host could see all other hosts’ packets
• Today still the case with 802.11b
  - What web pages do people surf during lecture? [wireshark demo]
• But switched Ethernet solves the problem

Wrong: Eavesdropping w. switches
• Old switches “fail open” on MAC table overflow
  - Attacker just generates packets from tons of MAC addresses
  - Ethernet switch then reverts to broadcast-style network
• ARP spoofing
  - Broadcast an ARP request “from” target’s IP address
  - Insert your MAC address for target IP in everyone’s ARP table
  - (Note: May generate log messages)
• ICMP redirect abuse
• RIP routing protocol abuse
• BGP routing protocol abuse
• DHCP abuse (give bogus default router)

UDP – user datagram protocol
[Figure: 32-bit-wide layout (bit ruler 0, 16, 31) with fields SrcPort, DstPort, Checksum, Length, Data]
• Unreliable and unordered datagram service
• Adds multiplexing, checksum on whole packet
• No flow control, reliability, or order guarantees
• Endpoints identified by ports
  - servers have well-known ports (e.g., 53 for DNS)
• Checksum includes “pseudo-header” w. IP addresses

TCP – Transmission Control Protocol
[Figure: application process writes bytes into TCP send buffer; segments are transmitted; TCP receive buffer; application process reads bytes]
• Full duplex, connection-oriented byte stream
• Flow control
  - If one end stops reading, writes at other eventually block/fail
• Congestion control
  - Keeps sender from overrunning network

TCP segment
[Figure: 32-bit-wide header layout with fields source port, destination port, sequence number, acknowledgment number, data offset, reserved, flags (URG, ACK, PSH, RST, SYN, FIN), Window, checksum, urgent pointer, options, padding, data]

TCP fields
• Ports
• Seq no. – segment position in byte stream
• Ack no. – seq no. sender expects to receive next
• Data offset – # of 4-byte header & option words
• Window – willing to receive (flow control)
• Checksum
• Urgent pointer

TCP Flags
• URG – urgent data present
• ACK – ack no.
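The header fields from the "IP packet format" and "IP header details" slides, decoded in Python. This is an added example, not part of the lecture notes; the addresses, ID value and helper names are constructed for the demo. It also shows why the TTL decrement at each hop forces a header checksum update.

```python
import struct

IP_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, fields in slide order

def checksum16(data):
    """Internet checksum: complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(pkt):
    """Decode the header fields the slides discuss; raise ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("shorter than minimum IPv4 header")
    (vhl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IP_FMT, pkt[:20])
    hdr_len = (vhl & 0x0F) * 4                      # hdr len counts 4-byte words
    if vhl >> 4 != 4 or hdr_len < 20 or len(pkt) < hdr_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "hdr_len": hdr_len, "total_len": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000),            # don't fragment
        "mf": bool(flags_frag & 0x2000),            # more fragments follow
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # stored in 8-byte units
        "ttl": ttl, "protocol": proto,              # 1 = ICMP, 6 = TCP, 17 = UDP
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "checksum_ok": checksum16(pkt[:hdr_len]) == 0,  # valid header sums to 0
        "payload": pkt[hdr_len:total_len],
    }

def build_ipv4(ttl, proto, flags_frag, payload,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build a constructed sample packet (addresses and ID are made up)."""
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:] + payload

def after_one_hop(pkt):
    """Decrement TTL as a router does, but skip the checksum update."""
    out = bytearray(pkt)
    out[8] -= 1
    return bytes(out)

if __name__ == "__main__":
    first = build_ipv4(64, 6, 0x2000, b"A" * 8)     # first fragment: MF set
    print(parse_ipv4(first))
    print(parse_ipv4(after_one_hop(first))["checksum_ok"])
```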
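The ARP spoofing slide notes that forged bindings "may generate log messages". The following added example (not part of the lecture notes) parses the ARP body laid out on the packet-format slide and reports when an IP address is claimed by a second MAC address. The class and function names and all sample addresses are constructed for the demo, and expiry of table entries is not modelled.

```python
import struct

# Ethernet/IPv4 ARP body, in the field order of the packet-format slide.
# The slide gives HLen/PLen in bits (48, 32); on the wire they are byte counts (6, 4).
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(body):
    """Return (operation, src_mac, src_ip, dst_mac, dst_ip), or None if not Ethernet/IPv4."""
    if len(body) < ARP_LEN:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, fmt_mac(sha), fmt_ip(spa), fmt_mac(tha), fmt_ip(tpa)

class BindingMonitor:
    """Pins the first MAC seen for each IP and reports later claims that disagree."""
    def __init__(self):
        self.table = {}  # IP -> first MAC observed

    def observe(self, body):
        parsed = parse_arp(body)
        if parsed is None or parsed[2] == "0.0.0.0":  # malformed, or probe without sender IP
            return None
        _, src_mac, src_ip, _, _ = parsed
        known = self.table.setdefault(src_ip, src_mac)
        if known != src_mac:
            return (src_ip, known, src_mac)  # conflicting claim: possible ARP spoofing
        return None

def make_arp(op, src_mac, src_ip, dst_mac, dst_ip):
    """Build a constructed sample ARP body for the demo (never sent on a network)."""
    to_mac = lambda s: bytes.fromhex(s.replace(":", ""))
    to_ip = lambda s: bytes(int(p) for p in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       to_mac(src_mac), to_ip(src_ip), to_mac(dst_mac), to_ip(dst_ip))

def run_demo():
    gw, host, other = "00:11:22:33:44:55", "aa:bb:cc:00:00:20", "de:ad:be:ef:00:01"
    frames = [  # constructed sample traffic, not a capture
        make_arp(1, host, "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"),   # request
        make_arp(2, gw, "192.168.1.1", host, "192.168.1.20"),                    # reply
        make_arp(1, other, "192.168.1.1", "00:00:00:00:00:00", "192.168.1.20"),  # conflict
    ]
    monitor = BindingMonitor()
    return [alert for alert in map(monitor.observe, frames) if alert]
```

A production monitor would also age out entries and allow for legitimate changes such as a replaced network card or DHCP reassignment before raising an alert.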

