
Slide outline: Foundations of Network and Computer Security; Announcements; Where were we?; Basic Networking; Sending a UDP packet; Pack it Up!; Routing on a Network; Local Routing Table; Getting to the Gateway; Sending to the Gateway; Gateway Receives Eth Packet; User2 Receives Packet; Other Protocols; MTU – Maximum Transmission Unit; IP – Best Effort Datagrams; TCP – Transmission Control Protocol; Crypto on a Network; Network Security: The Biggest Challenges; Viruses (Worms); Viruses: History; Morris Worm (cont); Modern Viruses; Viruses: Why?; Brief History; AIDS Trojan (1989); Tequila (1990); Michelangelo (1992); DMV (1995); Back Orifice Trojan (1998); Melissa (1999); ILoveYou (2000); ILoveYou (cont); Slide 33; It Gets Worse; Code Red Spread (14 hrs, 350,000 hosts); Code Red Payload; Code Red Details; SQL/Slammer (2003); Witty Worm (March 2004); Flash Viruses; Prevention; Prevention (cont); Trojans; Thompson’s Turing Award Lecture (1995); A Quine in C; Thompson, Stage II; Thompson, Stage III; Implementing the Trojan; Moral of the Story.

Foundations of Network and Computer Security
John Black
Lecture #15
Oct 20th 2005
CSCI 6268/TLEN 5831, Fall 2005

Announcements
• Reading: How to 0wn the Internet
  – See schedule page
• Project #1 is assigned
  – See web page for description and cacert.pem
  – Due Thurs, Nov 3rd (distance students too!)
  – Note: Martin is out, Tues thru Sunday next week
• Midterm #2 is Nov 8th (2.5 weeks from now)

Where were we?
• The basic model:
  [Diagram: user1 --Eth-- LAN -- ISP -- Backbone (not a single line these days) -- ISP -- LAN --Eth-- user2]

Basic Networking
• Suppose user1 sends a UDP packet to user2, what happens?
  – What’s UDP?
    • User Datagram Protocol
    • Just like IP but with ports
  – Well, first we need an IP address!
    • What’s an IP address
    • For IPv4, it’s a “dotted quad” of bytes
      – Ex, 128.138.242.21
      – 32 bits
    • For IPv6, it’s 128 bits
      – 16 bytes in hex separated by colons

Sending a UDP packet
• Assume IPv4
  – Get IP address via DNS
    • Domain Name Service
    • Distributed database mapping textual names to IP addresses
    • Insecure
      – DNS spoofing
      – More on this later
  – Ok, so we have an IP address
  – And we presumably have a port #

Pack it Up!
  [Diagram: Message | UDP Header (Src Port, Dest Port, Len, Chksm) | IP Header (Src IP, Dest IP, Len, Chksm, TTL) | Eth Header (Src addr, Dest addr, Chksm)]
• Ethernet addresses are called “MAC addresses”
• Ethernet checksum is actually appended to end of packet
• Ethernet MTU is 1500 bytes

Routing on a Network
• Usually done via OSPF or LSP for LANs
  – Open Shortest Path First, Link-State Protocol
  – These protocols assume “modest sized” networks
  – A routing protocol decides how to forward packets based on routing tables
• BGP is used on backbone
  – Border Gateway Protocol
  – Routes using incomplete information

Local Routing Table
• Our local routing table (on host of user1) is not going to have a route to IP of user2
  – Routing table will therefore send our packet to the gateway
  – Gateway is the machine/router on the “edge” of the network responsible for processing all incoming/outgoing traffic from/to the LAN
    • NAT boxing, firewalling, and other stuff is usually done here as well

Getting to the Gateway
• How do we route to the IP address of the gateway on our local Ethernet?
  – ARP (Address Resolution Protocol)
    • Translates IP addresses into MAC addresses
    • Caches old lookups, so we probably already have the MAC address of the gateway
    • If not, we send an ARP Request to the LAN, including the IP address whose MAC we seek
    • Owner (ie, the gateway) sends ARP Reply with his MAC address and we cache it
      – Usually, all other machines who hear the ARP Reply cache it as well
      – Leads to attacks… more later

Sending to the Gateway
• Now we have the MAC address of the gateway
  – Send our packet to the gateway via the Ethernet protocol
  – This is usually done with a hardware device (network card) which often puts the Eth header on your packet for you, computes checksums, etc.
    • Broadcasts packet, detects collisions
    • Exponential backoff
    • Promiscuous mode – Sniffers use this
      – Works through hubs, but doesn’t work through switches on a switched Ethernet
      – You can often fool switches

Gateway Receives Eth Packet
• Strips Eth header and again tries to route the resulting IP packet
  – Looks in routing table, sends to ISP
  – ISP probably routes using BGP
  – Reaches other ISP
    • Note that we’re using other Ethernets and similar physical-layer protocols for each hop!
  – Other ISP routes to other LAN’s gateway
    • Gateway sees IP is in its range and does ARP to route to user2

User2 Receives Packet
• User2 receives the IP packet
  – Removes IP header
    • No one else (is supposed to) look inside packet until user2 receives it
    • NAT boxes break this rule
    • Firewalls break this rule
  – See it’s a UDP packet and “sends” to proper port
  – Ports are mapped to applications via listento()
• Application receives message and processes it

Other Protocols
• We didn’t even talk about SLIP or PPP
• ATM, FDDI, Wireless
• What about DHCP?
  – Dynamic IP addresses
• There is also ICMP
  – Internet Control Message Protocol
  – Echo (ping), traceroute
• Application Layer Protocols
  – HTTP – Hypertext Protocol
  – SNMP – Network Management
  – SMTP – Sendmail
  – POP/IMAP – Mail protocols

MTU – Maximum Transmission Unit
• MTU for Ethernet is 1500 bytes
  – If MTU is exceeded, packet is “fragmented”
  – IP has support for packet fragmentation and reassembly
  – A packet is broken into as many pieces as necessary to comply with MTU
  – Fragments routed as regular IP datagrams, independent of each other
  – Reassembly done at host only

IP – Best Effort Datagrams
• IP is “best effort”
  – There is no tracking of packets
  – If something is dropped… oh well
    • ICMP message is sometimes generated and received
  – If one fragment is dropped, many transport layer protocols (like TCP) will consider the whole thing lost and not ACK
  – This seems bad, but it’s one of the biggest successes of IP
  – UDP is IP with ports, so it too is “best effort”

TCP – Transmission Control Protocol
• Stateful connections
  – Runs over IP just like UDP, but adds more than just ports
  – Establish a connection with listen() and connect()
    • IP and UDP were “stateless” protocols
  – Reliable delivery
    • Unlike best-effort, this protocol guarantees delivery of packets, in proper order
    • Uses sequence numbers, sliding windows, ACKs every transmission

Crypto on a Network
• How do we do crypto on a network?
  – We’ve seen application-layer examples
    • SSL/TLS, SSH
    • This is called “end-to-end” cryptography, meaning between hosts
    • The
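The "Pack it Up!" slide lists the fields of the UDP, IP and Ethernet headers but not how the checksums in them are computed or checked. The following is an added example, not code from the lecture: it builds the frame user1 would hand to its network card (Ethernet header without the trailing FCS the card appends, IPv4 header, UDP header, message) using the RFC 1071 Internet checksum, then strips the headers again the way the gateway and user2 do, rejecting the frame when either checksum fails. The source address 128.138.242.21 is the slide's; the MAC addresses, destination 10.0.0.7, the ports and the message are constructed values.

```python
"""Added example: pack and unpack Message / UDP / IP / Ethernet with real
checksum arithmetic.  All addresses except 128.138.242.21 are constructed."""
import struct
import ipaddress

ETH_HDR_LEN, IP_HDR_LEN, UDP_HDR_LEN = 14, 20, 8
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
IP_FMT = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, ID, flags/offset, TTL, proto, chksm, src, dst


def internet_checksum(data: bytes) -> int:
    """RFC 1071: ones' complement of the ones' complement sum of 16-bit words.
    An odd trailing byte is padded with zero.  Verifying a received header
    means recomputing over it, checksum included: a good header gives 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port,
                    message: bytes, ttl=64, ident=0x1234) -> bytes:
    """Ethernet frame (minus FCS) carrying IPv4/UDP.  dst_mac is the next hop
    on the LAN (the gateway, for an off-LAN destination), not user2's MAC."""
    s, d = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    udp_len = UDP_HDR_LEN + len(message)
    # RFC 768: UDP checksum covers a pseudo-header (src, dst, zero, proto, UDP
    # length) plus the UDP header and data.  A computed 0 is sent as 0xFFFF
    # because 0 on the wire means "no checksum".
    pseudo = s + d + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    udp_zero_ck = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + message
    udp_ck = internet_checksum(pseudo + udp_zero_ck) or 0xFFFF
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, udp_ck) + message
    total_len = IP_HDR_LEN + udp_len
    ip_zero_ck = struct.pack(IP_FMT, 0x45, 0, total_len, ident, 0, ttl, IPPROTO_UDP, 0, s, d)
    ip_ck = internet_checksum(ip_zero_ck)   # IP checksum covers the header only
    ip = struct.pack(IP_FMT, 0x45, 0, total_len, ident, 0, ttl, IPPROTO_UDP, ip_ck, s, d)
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp


def parse_udp_frame(frame: bytes) -> dict:
    """Strip Eth, then IP, then UDP, verifying as a receiving host would."""
    if len(frame) < ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN:
        raise ValueError("frame too short")
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    _, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack(IP_FMT, ip[:IP_HDR_LEN])
    if internet_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    if proto != IPPROTO_UDP:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    src_port, dst_port, udp_len, udp_ck = struct.unpack("!HHHH", udp[:UDP_HDR_LEN])
    if udp_len != len(udp):
        raise ValueError("UDP length disagrees with IP total length")
    pseudo = s + d + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    if udp_ck != 0 and internet_checksum(pseudo + udp) != 0:
        raise ValueError("bad UDP checksum")
    return {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
            "src_ip": str(ipaddress.IPv4Address(s)), "dst_ip": str(ipaddress.IPv4Address(d)),
            "ttl": ttl, "src_port": src_port, "dst_port": dst_port,
            "message": udp[UDP_HDR_LEN:]}


if __name__ == "__main__":
    f = build_udp_frame("02:00:00:00:00:01", "02:00:00:00:00:fe",
                        "128.138.242.21", "10.0.0.7", 40000, 7, b"hello user2")
    print(len(f), "bytes:", f.hex())
    print(parse_udp_frame(f))
```

The IP checksum covers only the IP header, so every router that decrements TTL must also update it (real routers do so incrementally); the UDP checksum covers the pseudo-header, so a NAT box rewriting the source address has to fix it as well. The parser above is what an end host or a passive monitor would do; a frame whose TTL was changed without a checksum update, or whose message was altered in flight, is rejected.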
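The "Local Routing Table" and "Getting to the Gateway" slides describe two lookups user1's host performs before it can send: consult the routing table to learn whether user2 is on the LAN or must go via the gateway, then consult the ARP cache (sending an ARP Request if needed) for the next hop's MAC. This added example, not code from the lecture, implements both: a longest-prefix-match lookup over a constructed routing table, and an ARP cache that only installs replies to requests it actually sent and logs anything else, which is the simplest counterpart to the "everyone who hears a reply caches it" behaviour the slide flags. The routing table, gateway 128.138.242.1, MAC addresses and the `lan_replies` stand-in for hosts answering on the LAN are all constructed.

```python
"""Added example: routing-table lookup plus a cautious ARP cache for user1's
host.  Networks, gateway and MAC addresses are constructed values."""
import ipaddress

# Constructed local routing table: (network, next-hop IP or None for on-link).
ROUTES = [
    (ipaddress.ip_network("128.138.242.0/24"), None),            # our LAN: deliver directly
    (ipaddress.ip_network("128.138.0.0/16"), "128.138.242.1"),   # rest of campus: via gateway
    (ipaddress.ip_network("0.0.0.0/0"), "128.138.242.1"),        # default route: via gateway
]


def next_hop(dst_ip: str, routes=ROUTES) -> str:
    """IP we must reach on our own Ethernet to move toward dst_ip.
    Longest prefix match: the most specific matching network wins, so the
    /24 beats the /16 beats the default route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError("no route to host")
    return dst_ip if best[1] is None else best[1]


class ArpCache:
    """IP -> MAC cache.  Replies are installed only for IPs we asked about;
    unsolicited replies and MAC changes are logged so they can be noticed."""

    def __init__(self):
        self.table = {}
        self.pending = set()
        self.log = []

    def lookup(self, ip):
        return self.table.get(ip)

    def request(self, ip):
        """Broadcast 'who-has ip'; remember that we asked."""
        self.pending.add(ip)
        return ("ARP Request", "who-has", ip)

    def on_reply(self, ip, mac) -> bool:
        """Handle an ARP Reply heard on the LAN.  Returns True if cached."""
        if ip not in self.pending:
            self.log.append(f"unsolicited ARP reply: {ip} is-at {mac} (ignored)")
            return False
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.log.append(f"MAC for {ip} changed {old} -> {mac}")
        self.table[ip] = mac
        self.pending.discard(ip)
        return True


def resolve_next_hop_mac(dst_ip, cache: ArpCache, lan_replies: dict):
    """Routing decision, then ARP.  lan_replies maps IP -> MAC for hosts that
    would answer our request (constructed stand-in for the real LAN).
    Returns (next_hop_ip, mac) with mac None if nobody answered."""
    hop = next_hop(dst_ip)
    mac = cache.lookup(hop)
    if mac is None:
        cache.request(hop)
        if hop in lan_replies:
            cache.on_reply(hop, lan_replies[hop])
        mac = cache.lookup(hop)
    return hop, mac


if __name__ == "__main__":
    cache = ArpCache()
    print(resolve_next_hop_mac("10.0.0.7", cache, {"128.138.242.1": "02:00:00:00:00:fe"}))
    cache.on_reply("128.138.242.9", "02:00:00:00:00:aa")   # nobody asked for this one
    print(cache.log)
```

Real stacks differ in how freely they accept unsolicited or gratuitous ARP, and the `pending` check here is a policy choice rather than a description of any particular OS; the log entries are the kind of signal an arpwatch-style monitor raises when a MAC for a known IP changes.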
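The MTU and best-effort slides state that an oversized datagram is cut into fragments that travel independently, that only the destination host reassembles, and that losing one fragment loses the whole datagram. This added example, not code from the lecture, carries that through with the actual IPv4 header fields involved: the 16-bit identification shared by all fragments, the "more fragments" flag and the 13-bit offset counted in 8-byte units. It fragments a constructed 3072-byte payload to a 1500-byte Ethernet MTU, reassembles the pieces in any arrival order, and reports failure when a fragment is missing. The header checksum field is left at zero here; the sample header and payload are constructed.

```python
"""Added example: IPv4 fragmentation to an MTU and destination-host
reassembly.  Sample header and payload are constructed values."""
import struct

IP_HDR_LEN = 20
IP_FMT = "!BBHHHBBH4s4s"
MF = 0x2000            # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, in units of 8 bytes

# Constructed datagram header: 128.138.242.21 -> 10.0.0.7, ident 0x4242, UDP.
SAMPLE_PAYLOAD = bytes(range(256)) * 12          # 3072 bytes, > Ethernet MTU
SAMPLE_HEADER = struct.pack(IP_FMT, 0x45, 0, IP_HDR_LEN + len(SAMPLE_PAYLOAD),
                            0x4242, 0, 64, 17, 0,
                            bytes([128, 138, 242, 21]), bytes([10, 0, 0, 7]))


def _with_frag_fields(header: bytes, offset_units: int, more: bool, data_len: int) -> bytes:
    """Copy of header with total length and flags/offset set for one fragment.
    Header checksum is left 0 here (it would be recomputed per fragment)."""
    f = list(struct.unpack(IP_FMT, header))
    f[2] = IP_HDR_LEN + data_len
    f[4] = (MF if more else 0) | (offset_units & OFFSET_MASK)
    f[7] = 0
    return struct.pack(IP_FMT, *f)


def fragment(header: bytes, payload: bytes, mtu: int) -> list:
    """Cut header+payload into fragments that each fit in mtu.  Every
    fragment but the last carries a multiple of 8 payload bytes, because the
    offset field counts 8-byte units.  Fragments inherit the identification."""
    max_data = (mtu - IP_HDR_LEN) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small for an IPv4 header plus data")
    if IP_HDR_LEN + len(payload) <= mtu:
        return [_with_frag_fields(header, 0, False, len(payload)) + payload]
    frags = []
    for off in range(0, len(payload), max_data):
        chunk = payload[off:off + max_data]
        more = off + len(chunk) < len(payload)
        frags.append(_with_frag_fields(header, off // 8, more, len(chunk)) + chunk)
    return frags


def describe(frag: bytes):
    """(offset in bytes, more-fragments flag, payload length) of one fragment."""
    f = struct.unpack(IP_FMT, frag[:IP_HDR_LEN])
    return (f[4] & OFFSET_MASK) * 8, bool(f[4] & MF), f[2] - IP_HDR_LEN


def reassemble(fragments: list):
    """Destination-host reassembly of fragments sharing one identification,
    in any arrival order.  Returns the payload, or None if a fragment is
    missing (the whole datagram is then lost, as the slide says)."""
    pieces, ident, total = {}, None, None
    for frag in fragments:
        f = struct.unpack(IP_FMT, frag[:IP_HDR_LEN])
        if ident is None:
            ident = f[3]
        elif f[3] != ident:
            raise ValueError("fragments from different datagrams")
        off = (f[4] & OFFSET_MASK) * 8
        data = frag[IP_HDR_LEN:f[2]]
        pieces[off] = data
        if not (f[4] & MF):                  # last fragment fixes total size
            total = off + len(data)
    if total is None:
        return None                          # last fragment never arrived
    out = bytearray()
    while len(out) < total:
        chunk = pieces.get(len(out))
        if chunk is None:
            return None                      # hole: a middle fragment is missing
        out += chunk
    return bytes(out)


if __name__ == "__main__":
    frags = fragment(SAMPLE_HEADER, SAMPLE_PAYLOAD, 1500)
    print([describe(f) for f in frags])
    print(reassemble(frags) == SAMPLE_PAYLOAD, reassemble(frags[1:]))
```

This reassembler assumes non-overlapping fragments and simply overwrites duplicates; a production stack must also decide how to treat overlapping and duplicated fragments and must time out incomplete datagrams, and the fact that different stacks resolve overlaps differently is a long-standing headache for network intrusion detection systems that reassemble on a host's behalf.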


CU-Boulder CSCI 6268 - Lecture #15