Stanford CS 155 - Network Protocols and Vulnerabilities

Network Protocols and Vulnerabilities
John Mitchell

Outline
- Basic Networking (FMU)
- Network attacks
  • Attack host networking protocols
    – SYN flooding, TCP Spoofing, …
  • Attack network infrastructure
    – Routing
    – Domain Name System
This lecture is about the way things work now and how they are not perfect. Next lecture – some security improvements (still not perfect).

Internet Infrastructure
[figure: backbone connecting ISPs]
- Local and interdomain routing
  • TCP/IP for routing, connections
  • BGP for routing announcements
- Domain Name System
  • Find IP address

TCP Protocol Stack
[figure: two hosts with Application / Transport / Network / Link layers; Application protocol, TCP protocol, IP protocol and Data Link run peer to peer; an intermediate node carries IP and Network Access layers]

Data Formats
[figure: Application message (data) → Transport (TCP, UDP): TCP header + data = segment → Network (IP): IP header + TCP = packet → Link (Ethernet): link header + IP + link trailer = frame]

Internet Protocol
- Connectionless
  • Unreliable
  • Best effort
- Transfer datagram
  • Header
  • Data
[figure: IP header fields: Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address of Originating Host, Destination Address of Target Host, Options, Padding, IP Data]

IP Routing
- Internet routing uses numeric IP address
- Typical route uses several hops
[figure: packet from Meg (121.42.33.12) through the office gateway (121.42.33.1) and an ISP to Tom (132.14.11.51), with 132.14.11.1 also shown; table with columns Source, Destination, Sequence, Packet]

IP Protocol Functions (Summary)
- Routing
  • IP host knows location of router (gateway)
  • IP gateway must know route to other networks
- Error reporting
  • IP reports discards to source
- Fragmentation and reassembly
  • If packets smaller than the user data

User Datagram Protocol
- IP provides routing
  • IP address gets datagram to a specific machine
- UDP separates traffic by port
  • Destination port number gets UDP datagram to particular application process, e.g., 128.3.23.3, 53
  • Source port number provides return address
- Minimal guarantees (… mice and elephants)
  • No acknowledgment
  • No flow control
  • No message continuation

Transmission Control Protocol
- Connection-oriented, preserves order
  • Sender
    – Break data into packets
    – Attach packet numbers
  • Receiver
    – Acknowledge receipt; lost packets are resent
    – Reassemble packets in correct order
[figure: analogy: book → mail each page → reassemble book, pages numbered 1, 5, 9, 11, 19]

Internet Control Message Protocol
- Provides feedback about network operation
  • Error reporting
  • Reachability testing
  • Congestion Control
- Example message types
  • Destination unreachable
  • Time exceeded
  • Parameter problem
  • Redirect to better gateway
  • Echo/echo reply - reachability test
  • Timestamp request/reply - measure transit delay

Basic Security Problems
- Network packets pass by untrusted hosts
  • Eavesdropping, packet sniffing
- IP addresses are public
  • Smurf
- TCP connection requires state
  • SYN flooding attack
- TCP state easy to guess
  • TCP spoofing attack

Packet Sniffing
- Promiscuous NIC reads all packets
  • Read all unencrypted data
  • ftp, telnet send passwords in clear!
[figure: Alice and Bob communicate across a network; Eve reads traffic on the path]
Prevention: Encryption, improved routing (Next lecture: IPSEC)
Sweet Hall attack installed sniffer on local machine

Smurf Attack
- Choose victim
  • Idea: Flood victim with packets from many sources
- Generate ping stream (ICMP Echo Req)
  • Network broadcast address with spoofed source IP set to victim
- Wait for responses
  • Every host on target network will generate a ping reply (ICMP Echo Reply) to victim
  • Ping reply stream can overload victim
Prevention: Turn off ping? Authenticated IP addresses?

TCP Handshake
[figure: C → S: SYN_C; S → C: SYN_S, ACK_C; C → S: ACK_S; server state: Listening → Store data → Wait → Connected]

SYN Flooding
[figure: client sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5 to a listening server, which stores data for each]

SYN Flooding
- Attacker sends many connection requests
  • Spoofed source addresses
- Victim allocates resources for each request
  • Connection requests exist until timeout
  • Fixed bound on half-open connections
- Resources exhausted ⇒ requests rejected

Protection against SYN Attacks
- Client sends SYN
- Server responds to Client with SYN-ACK cookie
  • sqn = f(src addr, src port, dest addr, dest port, rand)
  • Server does not save state
- Honest client responds with ACK(sqn)
- Server checks response
  • If matches SYN-ACK, establishes connection
See http://cr.yp.to/syncookies.html [Bernstein, Schenk]

Random Deletion
- If queue is full, delete random entry
  • Legitimate connections have chance to complete
  • Fake addresses eventually deleted
Easy to implement, some improvement
[figure: half-open sessions queue holding 171.64.82.03, 232.61.28.05, 168.44.14.21, 121.49.16.22, 132.24.14.28; a new SYN_C arrives]

TCP Connection Spoofing
- Each TCP connection has an associated state
  • Sequence number, port number
- Problem
  • Easy to guess state
    – Port numbers are standard
    – Sequence numbers often chosen in predictable way

IP Spoofing Attack
- A, B trusted connection
  • Send packets with predictable seq numbers
- E impersonates B to A
  • Opens connection to A to get initial seq number
  • SYN-floods B’s queue
  • Sends packets to A that resemble B’s transmission
  • E cannot receive, but may execute commands on A
[figure: hosts A, B and E]
Attack can be blocked if E is outside firewall.

TCP Sequence Numbers
- Need high degree of unpredictability
  • If attacker knows initial seq # and amount of traffic sent, can estimate likely current values
  • Send a flood of packets with likely seq numbers
    – larger bandwidth => larger flood possible
- Reported to be safe from practical attacks
  • Cisco IOS, OpenBSD 2.8-current, FreeBSD 4.3-RELEASE, AIX, HP/UX 11i, Linux Kernels after 1996
  • Solaris 2.6 if strong seq numbers turned on:
    – Set TCP_STRONG_ISS to 2 in /etc/default/inetinit.
  • HP/UX, IRIX 6.5.3, … if so configured

Cryptographic protection
- Solutions above the transport layer
  • Examples: SSL and SSH
  • Protect against session hijacking and injected data
  • Do not protect against denial-of-service attacks caused by spoofed packets
- Solutions at network layer
  • IPSec
  • Can protect against
    – session hijacking and injection of data
    – denial-of-service attacks using session resets

TCP Congestion Control
- If packets are lost, assume congestion
  • Reduce transmission rate by half, repeat
  • If loss stops, increase rate very slowly
Design assumes routers blindly obey this policy
[figure: Source → Destination]

Competition
- Amiable Alice yields to boisterous Bob
  • Alice and Bob both experience packet loss
  • Alice backs off
  • Bob disobeys protocol, gets better results
[figure: Source A and Source B → Destination]

TCP Attack on Congestion Control
- Misbehaving
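The "Internet Protocol" and "Data Formats" slides list the IP header fields but do not show how a receiver checks them. The following Python is an added example (not from the lecture) that builds a 20-byte IPv4 header, recomputes the RFC 791 one's-complement header checksum, and parses a header back while rejecting the malformed cases a router or host stack would discard (wrong version, bad header length, checksum mismatch). The addresses reuse Meg's and Tom's from the IP Routing slide; the payload length, identification and DF flag are constructed values.

```python
"""Build and validate IPv4 headers (added example, not the lecture's code)."""
import socket
import struct

# Fixed 20-byte IPv4 header, no options:
# ver/ihl, tos, total length, id, flags+frag offset, ttl, protocol, checksum, src, dst
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"
IPV4_HEADER_LEN = struct.calcsize(IPV4_HEADER_FMT)   # 20


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum
    of all 16-bit words. Over a valid header (checksum field included) it is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, protocol=6, ttl=64, ident=0,
                      flags=0b010, frag_offset=0, tos=0) -> bytes:
    """Serialize a header; protocol 6 = TCP, flags 0b010 = Don't Fragment."""
    ver_ihl = (4 << 4) | 5                   # version 4, header length 5 words
    total_length = IPV4_HEADER_LEN + payload_len
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    fields = [ver_ihl, tos, total_length, ident, flags_frag, ttl, protocol, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    draft = struct.pack(IPV4_HEADER_FMT, *fields)
    fields[7] = ip_checksum(draft)           # computed with the checksum field zeroed
    return struct.pack(IPV4_HEADER_FMT, *fields)


def parse_ipv4_header(data: bytes) -> dict:
    """Parse a header from the start of a packet; ValueError on anything that
    a receiving stack would discard (IP 'reports discards to source' via ICMP)."""
    if len(data) < IPV4_HEADER_LEN:
        raise ValueError("truncated header")
    (ver_ihl, tos, total_length, ident, flags_frag, ttl, protocol,
     checksum, src, dst) = struct.unpack(IPV4_HEADER_FMT, data[:IPV4_HEADER_LEN])
    version, ihl = ver_ihl >> 4, ver_ihl & 0xF
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 5 or len(data) < ihl * 4:
        raise ValueError("bad header length")
    if ip_checksum(data[:ihl * 4]) != 0:
        raise ValueError("header checksum mismatch")
    if total_length < ihl * 4:
        raise ValueError("total length smaller than header")
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_length,
        "identification": ident, "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": protocol,
        "checksum": checksum, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": data[IPV4_HEADER_LEN:ihl * 4],
    }


if __name__ == "__main__":
    hdr = build_ipv4_header("121.42.33.12", "132.14.11.51", payload_len=100, ident=0x1234)
    print(parse_ipv4_header(hdr))
```

Note that the checksum only detects accidental corruption; it is not keyed, so it offers no protection against a spoofed source address, which is the point the later slides make.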
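The "Protection against SYN Attacks" slide gives the cookie as sqn = f(src addr, src port, dest addr, dest port, rand) and says the server keeps no state. The Python below is an added example of that scheme (not the lecture's or Bernstein's code) using the bit layout from the linked syncookies page: the top 5 bits carry a 64-second time counter, the next 3 bits an MSS table index, and the low 24 bits a keyed hash. The secret key, the MSS table and the 4-tick acceptance window are constructed values; `handshake` models a spoofed client, which never sees the SYN-ACK, as a client that has to guess the ACK.

```python
"""SYN cookies: stateless SYN-ACK generation and ACK validation (added example)."""
import hashlib
import hmac
import secrets

# Server-side secret, the 'rand' input to f(). Constructed at import; a real
# stack rotates it periodically.
SERVER_SECRET = secrets.token_bytes(32)

MSS_TABLE = [536, 1024, 1460, 1500]   # constructed table; index fits in 3 bits
TICK_SECONDS = 64                     # the 5-bit time counter advances once per tick
COOKIE_WINDOW = 4                     # accept cookies at most this many ticks old


def _hash24(src_addr, src_port, dst_addr, dst_port, t, secret):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src_addr}|{src_port}|{dst_addr}|{dst_port}|{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def _mss_index(mss):
    """Largest table entry that does not exceed the client's advertised MSS."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def make_cookie(src_addr, src_port, dst_addr, dst_port, mss, now, secret=SERVER_SECRET):
    """Initial sequence number for the SYN-ACK. Nothing is stored server-side:
    top 5 bits = t mod 32, next 3 bits = MSS index, low 24 bits = keyed hash."""
    t = now // TICK_SECONDS
    h = _hash24(src_addr, src_port, dst_addr, dst_port, t, secret)
    return ((t & 0x1F) << 27) | (_mss_index(mss) << 24) | h


def check_cookie(src_addr, src_port, dst_addr, dst_port, ack_num, now, secret=SERVER_SECRET):
    """Validate the handshake's final ACK from the packet alone.
    Returns the MSS encoded in the cookie, or None if it does not verify.
    TCP acknowledges sqn+1, so the cookie is ack_num-1."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t_low = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    cur = now // TICK_SECONDS
    age = (cur - t_low) % 32
    if age > COOKIE_WINDOW:               # stale cookie or replay of an old one
        return None
    t = cur - age                          # recover the full counter value
    expected = _hash24(src_addr, src_port, dst_addr, dst_port, t, secret)
    got = cookie & 0xFFFFFF
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


def handshake(client, server, mss, now, honest=True, secret=SERVER_SECRET):
    """Three-way handshake. An honest client echoes sqn+1; a client with a
    spoofed source never receives the SYN-ACK, modelled here as a random ACK."""
    c_addr, c_port = client
    s_addr, s_port = server
    sqn = make_cookie(c_addr, c_port, s_addr, s_port, mss, now, secret)   # SYN -> SYN-ACK
    ack = (sqn + 1) & 0xFFFFFFFF if honest else secrets.randbelow(1 << 32)
    return check_cookie(c_addr, c_port, s_addr, s_port, ack, now + 1, secret)


if __name__ == "__main__":
    print(handshake(("121.42.33.12", 40000), ("132.14.11.51", 80), 1460, 1_000_000))
    print(handshake(("121.42.33.12", 40000), ("132.14.11.51", 80), 1460, 1_000_000, honest=False))
```

Because the server allocates nothing until a valid ACK arrives, a flood of SYNs with spoofed sources costs it only hash computations, not queue entries; the trade-off is that TCP options the client sent in its SYN, other than the MSS encoded in the cookie, are lost.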
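The "TCP Congestion Control" and "Competition" slides state the halve-on-loss / increase-slowly rule and that a sender who ignores it does better. The following Python is an added model (not from the lecture) that runs two senders through a shared bottleneck round by round: loss occurs whenever their combined rate exceeds the link capacity, a compliant sender halves its rate on loss and otherwise adds one packet per round, and a misbehaving sender keeps increasing regardless. The capacity, round count and proportional sharing of the link are constructed assumptions of the model.

```python
"""Additive-increase / multiplicative-decrease with one misbehaving sender (added model)."""


def aimd_competition(rounds, capacity, alice_obeys=True, bob_obeys=False):
    """Simulate Alice and Bob sharing a bottleneck of `capacity` packets/round.

    Each round the link delivers at most `capacity` packets, split in
    proportion to what each sender offers. If the offered total exceeds
    capacity, both senders see loss; an obedient sender then halves its
    rate ("reduce transmission rate by half"), otherwise it adds one packet
    per round ("increase rate very slowly"). A misbehaving sender ignores
    the loss signal and keeps adding, capped at the link capacity.
    Returns final rates and total packets delivered per sender.
    """
    a = b = 1                              # starting rates, packets per round
    delivered_a = delivered_b = 0.0
    for _ in range(rounds):
        offered = a + b
        share = min(1.0, capacity / offered)   # fraction of offered load that gets through
        delivered_a += a * share
        delivered_b += b * share
        loss = offered > capacity
        a = max(1, a // 2) if (loss and alice_obeys) else min(capacity, a + 1)
        b = max(1, b // 2) if (loss and bob_obeys) else min(capacity, b + 1)
    return {
        "alice_rate": a,
        "bob_rate": b,
        "alice_delivered": round(delivered_a, 1),
        "bob_delivered": round(delivered_b, 1),
    }


if __name__ == "__main__":
    print("both obey:   ", aimd_competition(100, 20, alice_obeys=True, bob_obeys=True))
    print("Bob disobeys:", aimd_competition(100, 20, alice_obeys=True, bob_obeys=False))
```

With both senders compliant, the rates stay equal and oscillate around the fair share; with Bob ignoring loss, Alice is pushed down to one or two packets per round while Bob holds the whole link, which is why the slides note that the design assumes everyone obeys the policy.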