Outline
- Where in the stack is security?
- Network Layer Security
- False Dynamic Routing Updates
- ICMP Attack
- IP Spoofing
- Defenses against IP spoofing
- IPsec: Network Layer Security
- Authentication Header (AH) Protocol
- ESP Protocol
- Application Layer Network Security
- Clear Text Passwords
- Rsh and rcp
- Exploiting rsh
- Ssh
- Slide 16
- Challenge
- Protection for the User
- One final attempt
- Lack of Application Layer Authentication
- Secure e-mail
- Secure e-mail (continued)
- Slide 23
- Pretty good privacy (PGP)
- Distributed Trust
- PGP key rings
- Transport Layer Network Security
- What might an attacker insert into an ongoing TCP stream?
- Attacker-in-the-Middle
- Defenses
- Secure sockets layer (SSL)
- HTTPS
- ARP Attacks
- ARP Spoofing - Countermeasures
- SYN Flooding DoS
- Buffer Overflows
- Processes in memory
- Processes in Memory
- Calling a function
- Buffer Overrun = Seg fault
- Careful Buffer Overrun = Attack
- Smashing the Stack
- Buffer overflow over the net: Morris Worm
- Slide 44

7: Network Security
22: Exploits and Defenses Up and Down the Stack
Last Modified: 01/14/19 03:42 PM
Some slides based on notes from cs515 at UMass

Where in the stack is security?
- Attacks can be targeted at any layer of the protocol stack
  - Application layer: Password and data sniffing, Forged transactions, Security holes, Buffer Overflows?
  - Transport Layer: TCP Session Stealing
  - Network Layer: IP Spoofing, False Dynamic Routing Updates, ICMP attacks
  - Link Layer: ARP attacks
  - Denial of Service, Intrusion
- Defenses can be implemented at multiple levels of the protocol stack too
  - Application Layer: PGP
  - Transport Layer: SSL
  - Network Layer: IPsec
  - Link Layer: Static ARP tables, Physical security

Network Layer Security
- Lots of potential problems at the IP layer
- In Dynamic Routing Protocols, routers exchange messages containing known route information to reach consensus on the best routes through the system. Is there any validation of these messages?
- No authentication that a packet came from a machine with the IP address listed in the source field (Raw IP Interface)

False Dynamic Routing Updates
- Attacker injects a RIP update stating she has a path to a particular unused host or network
- All subsequent packets will be routed to her.
- She replies with raw IP packets listing the IP address of the unused host, concealing her identity
- Similar attacks exist for interdomain routing.
- Also allows a man-in-the-middle attack and denial of service attacks
  - Could instead listen/forward or modify incoming packets.
  - Bad routing tables make a routing black hole where legitimate traffic does not reach its destination

ICMP Attack
- Simply send an ICMP redirect
  - Forces a machine to route through you.
- Send destination unreachable spoofed from the gateway
- Constantly send ICMP source quench messages

IP Spoofing
- Can generate "raw" IP packets directly from an application, putting any value into the IP source address field
- Receiver can't tell if the source is spoofed
- e.g.: C pretends to be B
  [Figure: hosts A, B and C; C sends A a packet with src:B dest:A payload]

Defenses against IP spoofing
- Good for routers not to forward datagrams with IP addresses not in their network
  - Doesn't help against attacks from local networks
- Really need authentication based on more than the IP address
  - Remember authentication using cryptography

IPsec: Network Layer Security
- Network-layer secrecy: sending host encrypts the data in the IP datagram
  - TCP and UDP segments; ICMP and SNMP messages.
- Network-layer authentication
  - destination host can authenticate source IP address
- Two principal protocols:
  - authentication header (AH) protocol
  - encapsulation security payload (ESP) protocol
- For both AH and ESP, source and destination handshake:
  - create a network-layer logical channel called a service agreement (SA)
  - Each SA is unidirectional.
  - Uniquely determined by:
    - security protocol (AH or ESP)
    - source IP address
    - 32-bit connection ID

Authentication Header (AH) Protocol
- Provides source host authentication and data integrity, but not secrecy.
- AH header inserted between IP header and IP data field.
- Protocol field = 51.
- Intermediate routers process datagrams as usual.
- AH header includes:
  - connection identifier
  - authentication data: signed message digest, calculated over the original IP datagram, providing source authentication and data integrity.
  - Next header field: specifies the type of data (TCP, UDP, ICMP, etc.) in plain text

ESP Protocol
- Provides secrecy, host authentication, data integrity.
- Data and ESP trailer are encrypted.
- Next header field is in the ESP header.
- ESP authentication field is similar to the AH authentication field.
- Protocol = 50.

Application Layer Network Security
- Many applications are designed with *HUGE* security problems
- On purpose? No! Many common applications were designed when the goal was just to get it to work (security complicates that)
- Sometimes the cure is worse than the problem
- But some applications are bad enough that it makes you wonder

Clear Text Passwords
- We saw many application level protocols where sending your password in the clear is required by the protocol
  - FTP, TELNET, POP, News
- Attack: packet sniffing can capture passwords
- Defenses:
  - Replace these applications with ones that do not send the password in the clear
  - Switched networks and physical security of backbone networks

Rsh and rcp
- Rsh and rcp are especially bad
- rsh and rcp use the .rhosts file in your directory, which lists hosts and accounts to allow access from without a password.
- Example .rhosts file:
    mymachine.cs.cornell.edu jnm
    *.cs.cornell.edu jnm
    * *
- What's so bad about that?

Exploiting rsh
- Now that we know a machine is running rsh, how can we pretend to be another machine to gain access?
- Remember IP Spoofing

Ssh
- Program for logging into a remote machine and executing commands there
- Replaces telnet, rlogin and rsh
- Provides encrypted communications between two untrusted hosts over an insecure network

Ssh
- Users run ssh-keygen on the client to generate two keys
  - private key: ~/.ssh/identity
  - public key: ~/.ssh/identity.pub
- Users append identity.pub to their ~/.ssh/authorized_keys on the server
- Machines running sshd maintain similar files: /etc/ssh_host_key and /etc/ssh_host_key.pub

Challenge
- From client:
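For the "Defenses against IP spoofing" slide above (routers should not forward datagrams whose source address is not in their network, which does not help against a spoofer on the same LAN), an added example that is not part of the lecture; the interface names, prefixes and sample datagrams are constructed:

```python
"""Ingress filtering against IP spoofing (added example, not from the slides).

Models a border router with a prefix per customer-facing interface.  A datagram
arriving on an interface is dropped when its source address does not belong to
the prefix reachable through that interface.  All values are constructed samples.
"""
import ipaddress

# Constructed topology: what the router knows is reachable via each interface.
INTERFACE_PREFIXES = {
    "eth0": ipaddress.ip_network("192.0.2.0/24"),      # customer LAN 1
    "eth1": ipaddress.ip_network("198.51.100.0/24"),   # customer LAN 2
}


def ingress_check(iface: str, src: str) -> str:
    """Return 'forward' or 'drop' for a datagram with source `src` seen on `iface`.

    Interfaces without a local prefix (the uplink) are not checked here; a real
    deployment applies the mirror-image rule on that side as well.
    """
    prefix = INTERFACE_PREFIXES.get(iface)
    if prefix is None:
        return "forward"
    return "forward" if ipaddress.ip_address(src) in prefix else "drop"


def filter_log(records):
    """Apply ingress_check to (iface, src, dst) records; return (iface, src, decision)."""
    return [(iface, src, ingress_check(iface, src)) for iface, src, _dst in records]


# Constructed sample datagrams.  The third is the slide's "C pretends to be B"
# case seen from the router: a host on eth1 uses a source from eth0's LAN.
# The fourth is a host on eth0 spoofing a neighbour on the same LAN, which the
# router's filter cannot see, exactly the limitation the slide points out.
SAMPLE = [
    ("eth0", "192.0.2.10", "203.0.113.5"),     # legitimate
    ("eth1", "198.51.100.7", "203.0.113.5"),   # legitimate
    ("eth1", "192.0.2.99", "203.0.113.5"),     # spoofed across interfaces: dropped
    ("eth0", "192.0.2.200", "192.0.2.10"),     # spoofed within the LAN: forwarded
]

if __name__ == "__main__":
    for iface, src, decision in filter_log(SAMPLE):
        print(f"{iface} src={src:<14} -> {decision}")
```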
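For the "Authentication Header (AH) Protocol" slide above, an added example that is not part of the lecture: a receiver recomputes the authentication data over the datagram, so a TTL decrement by an intermediate router still verifies while a changed payload or a forged source address does not. The key, addresses, payload and the choice of HMAC-SHA-256 truncated to 128 bits (RFC 4868) are assumptions; the IPv4 header checksum is left at zero for brevity.

```python
"""IPsec AH-style integrity check (added example, not from the slides).

Computes the AH authentication data as a keyed digest (HMAC-SHA-256 truncated to
128 bits, as in RFC 4868) over an IPv4 datagram with the fields routers change
(TOS, flags/fragment offset, TTL, checksum) and the ICV itself zeroed.  Key,
addresses and payload are constructed sample values.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-sample-key-do-not-reuse"
ICV_LEN = 16                  # HMAC-SHA-256-128 authentication data
AH_FIXED_LEN = 12             # next header, payload len, reserved, SPI, sequence
ICV_OFF = 20 + AH_FIXED_LEN   # ICV follows the 20-byte IPv4 header and fixed AH part


def compute_icv(dgram: bytes) -> bytes:
    """HMAC over the datagram with mutable IPv4 fields and the ICV zeroed."""
    d = bytearray(dgram)
    d[1] = 0                          # TOS
    d[6:8] = b"\x00\x00"              # flags + fragment offset
    d[8] = 0                          # TTL
    d[10:12] = b"\x00\x00"            # header checksum
    d[ICV_OFF:ICV_OFF + ICV_LEN] = bytes(ICV_LEN)
    return hmac.new(KEY, bytes(d), hashlib.sha256).digest()[:ICV_LEN]


def build_datagram(payload: bytes, spi: int, seq: int, ttl: int = 64) -> bytes:
    """Return IPv4 header (protocol 51) + AH with ICV filled in + payload."""
    total = ICV_OFF + ICV_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, ttl, 51, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    # next header 6 = TCP; AH payload len = AH length in 32-bit words minus 2;
    # the SPI plays the role of the slide's "connection identifier"
    ah = struct.pack("!BBHII", 6, (AH_FIXED_LEN + ICV_LEN) // 4 - 2, 0, spi, seq)
    dgram = bytearray(ip + ah + bytes(ICV_LEN) + payload)
    dgram[ICV_OFF:ICV_OFF + ICV_LEN] = compute_icv(bytes(dgram))
    return bytes(dgram)


def verify(dgram: bytes) -> bool:
    """True when the received ICV matches the one the receiver recomputes."""
    return hmac.compare_digest(dgram[ICV_OFF:ICV_OFF + ICV_LEN], compute_icv(dgram))


if __name__ == "__main__":
    pkt = build_datagram(b"GET / HTTP/1.0\r\n", spi=0x1000, seq=1)
    print("original verifies:", verify(pkt))              # True
    hop = bytearray(pkt); hop[8] -= 1                    # a router decremented TTL
    print("after TTL decrement:", verify(bytes(hop)))     # True: routers work as usual
    bad = bytearray(pkt); bad[-1] ^= 0xFF                # payload altered in transit
    print("after payload change:", verify(bytes(bad)))    # False
```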
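For the "Rsh and rcp" slide above, an added audit of .rhosts entries that is not part of the lecture; it treats both "+" and "*" as wildcards, as the slide's example does, and the sample file extends the slide's three lines with constructed ones:

```python
"""Audit of .rhosts trust entries (added example, not from the slides).

Parses lines of the form "host [user]" and reports why each entry is risky:
"+" or "*" wildcards admit any host or any account, and even an exact hostname
rests on the IP/DNS identity of the caller alone, which the IP spoofing slide
shows can be forged.  The sample file is the slide's example plus constructed lines.
"""
from typing import List, Optional, Tuple

SAMPLE_RHOSTS = """\
# constructed comment line
mymachine.cs.cornell.edu jnm
*.cs.cornell.edu jnm
* *
+ +
trusted.example.org
"""

WILDCARDS = ("+", "*")


def assess_entry(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (host, user, verdict) for one .rhosts line, None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    host = fields[0]
    user = fields[1] if len(fields) > 1 else "<same username>"
    if host in WILDCARDS and user in WILDCARDS:
        return host, user, "CRITICAL: any user on any host, no password"
    if host in WILDCARDS:
        return host, user, f"HIGH: any host may log in as {user}"
    if "*" in host:
        return host, user, f"HIGH: wildcard pattern trusts every host matching {host}"
    if user in WILDCARDS:
        return host, user, f"HIGH: any account on {host} is accepted"
    return host, user, "MEDIUM: trusts host identity alone (spoofable IP/DNS), no password"


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Assess every entry in the contents of a .rhosts file."""
    return [r for r in (assess_entry(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for host, user, verdict in audit(SAMPLE_RHOSTS):
        print(f"{host:<28}{user:<18}{verdict}")
```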