1Network Protocols andVulnerabilitiesJohn Mitchell(Hovav Shacham filling in – hovav@cs)Outline Basic Networking Network attacks• Attack host networking protocols– SYN flooding, TCP Spoofing, …• Attack network infrastructure– Routing– Domain Name System This lecture is about the way things work now and how they are notperfect. Next lecture – some security improvements (still not perfect).BackboneISPISPInternet Infrastructure Local and interdomain routing• TCP/IP for routing, connections• BGP for routing announcements Domain Name System• Find IP addressTCP Protocol StackApplicationTransportNetworkLinkApplication protocolTCP protocolIP protocolDataLinkIPNetworkAccessIP protocolDataLinkApplicationTransportNetworkLinkData FormatsApplicationTransport (TCP, UDP)Network (IP)Link LayerApplication message - dataTCP data TCP data TCP dataTCP HeaderdataTCPIPIP HeaderdataTCPIPETH ETFLink (Ethernet) HeaderLink (Ethernet) Trailersegment packetframemessageInternet Protocol Connectionless• Unreliable• Best effort Transfer datagram• Header• DataIPVersion Header LengthType of ServiceTotal LengthIdentificationFlagsTime to LiveProtocolHeader ChecksumSource Address of Originating HostDestination Address of Target HostOptionsPaddingIP DataFragment Offset2IP Routing Internet routing uses numeric IP address Typical route uses several hopsMegTomISPOffice gateway121.42.33.12132.14.11.515SourceDestinationSequencePacket121.42.33.12121.42.33.1132.14.11.51132.14.11.1IP Protocol Functions (Summary) Routing• IP host knows location of router (gateway)• IP gateway must know route to other networks Fragmentation and reassembly• If max-packet-size less than the user-data-size Error reporting• ICMP packet to source if packet is droppedUser Datagram Protocol IP provides routing• IP address gets datagram to a specific machine UDP separates traffic by port• Destination port number gets UDP datagram toparticular application process, e.g., 128.3.23.3, 53• Source port number provides return address Minimal guarantees• No acknowledgment• No flow control• No message continuationUDPTransmission Control Protocol Connection-oriented, preserves order• Sender– Break data into packets– Attach packet numbers• Receiver– Acknowledge receipt; lost packets are resent– Reassemble packets in correct orderTCPBook Mail each page Reassemble book19511 1Internet Control Message Protocol Provides feedback about network operation• Error reporting• Reachability testing• Congestion Control Example message types• Destination unreachable• Time-to-live exceeded• Parameter problem• Redirect to better gateway• Echo/echo reply - reachability test• Timestamp request/reply - measure transit delayICMPBasic Security Problems Network packets pass by untrusted hosts• Eavesdropping, packet sniffing IP addresses are public• Smurf TCP connection requires state• SYN flooding attack TCP state easy to guess• TCP spoofing attack3Packet Sniffing Promiscuous NIC reads all packets• Read all unencrypted data• ftp, telnet send passwords in clear!Alice BobEveNetworkNetworkPrevention: Encryption, improved routing (Next lecture: IPSEC)Sweet Hall attack installed sniffer on local machineSmurf DoS Attack Send ping request to brdcst addr (ICMP Echo Req) Lots of responses:• Every host on target network generates a pingreply (ICMP Echo Reply) to victim• Ping reply stream can overload victimPrevention: reject external packets to brdcst address.gatewayDoSSourceDoSTarget1 ICMP Echo ReqSrc: Dos TargetDest: brdct addr3 ICMP Echo ReplyDest: Dos TargetTCP HandshakeCSSYNCSYNS, ACKCACKSListeningStore dataWaitConnectedSYN FloodingCSSYNC1ListeningStore dataSYNC2SYNC3SYNC4SYNC5SYN Flooding Attacker sends many connection requests• Spoofed source addresses Victim allocates resources for each request• Connection requests exist until timeout• Fixed bound on half-open connections Resources exhausted ⇒ requests rejectedProtection against SYN Attacks Client sends SYN Server responds to Client with SYN-ACK cookie• sqn = f(src addr, src port, dest addr, dest port, rand)• Server does not save state Honest client responds with ACK(sqn) Server checks response• If matches SYN-ACK, establishes connectionSee http://cr.yp.to/syncookies.html[Bernstein, Schenk]4TCP Connection Spoofing Each TCP connection has an associated state• Client IP and port number; same for server!• Sequence numbers for client, server flows Problem• Easy to guess state– Port numbers are standard– Sequence numbers often chosen in predictable wayIP Spoofing Attack A, B trusted connection• Send packets withpredictable seq numbers E impersonates B to A• Opens connection to A to getinitial seq number• SYN-floods B’s queue• Sends packets to A thatresemble B’s transmission• E cannot receive, but mayexecute commands on AServer ABEAttack can be blocked if E is outside firewall.TCP Sequence Numbers Need high degree of unpredictability• If attacker knows initial seq # and amount oftraffic sent, can estimate likely current values• Send a flood of packets with likely seq numbers• Attacker can inject packets into existing connectionRecent DoS vulnerability [Watson’04] Suppose attacker can guess seq. number for anexisting connection:• Attacker can send Reset packet toclose connection. Results in DoS.• Naively, success prob. is 1/232 (32-bit seq. #’s).• Most systems allow for a large window ofacceptable seq. #’s– Much higher success probability. Attack is most effective against long livedconnections, e.g. BGP.Cryptographic protection Solutions above the transport layer• Examples: SSL and SSH• Protect against session hijacking and injected data• Do not protect against denial-of-service attacks caused byspoofed packets Solutions at network layer• Use cryptographically random ISNs [RFC 1948]• More generally: IPsec• Can protect against– session hijacking and injection of data– denial-of-service attacks using session resetsTCP Congestion Control If packets are lost, assume congestion• Reduce transmission rate by half, repeat• If loss stops, increase rate very slowlyDesign assumes routers blindly obey this policySourceDestination5Competition Amiable Alice yields to boisterous Bob• Alice and Bob both experience packet loss• Alice
View Full Document
Unlocking...