CORNELL CS 5190 - Exploits and Defenses Up and Down the Stack

Contents (slide titles; the text preview below covers slides 1-17):
  1. 22: Exploits and Defenses Up and Down the Stack
  2. Where in the stack is security?
  3. Network Layer Security
  4. False Dynamic Routing Updates
  5. ICMP Attack
  6. IP Spoofing
  7. Defenses against IP spoofing
  8. IPsec: Network Layer Security
  9. Authentication Header (AH) Protocol
  10. ESP Protocol
  11. Application Layer Network Security
  12. Clear Text Passwords
  13. Rsh and rcp
  14. Exploiting rsh
  15. Ssh
  16. Ssh (continued)
  17. Challenge
  18. Protection for the User
  19. One final attempt
  20. Lack of Application Layer Authentication
  21. Secure e-mail
  22. Secure e-mail (continued)
  23. (untitled)
  24. Pretty good privacy (PGP)
  25. Distributed Trust
  26. PGP key rings
  27. Transport Layer Network Security
  28. What might an attacker insert into an ongoing TCP stream?
  29. Attacker-in-the-Middle
  30. Defenses
  31. Secure sockets layer (SSL)
  32. HTTPS
  33. ARP Attacks
  34. ARP Spoofing - Countermeasures
  35. SYN Flooding DoS
  36. Buffer Overflows
  37. Processes in memory
  38. Processes in Memory
  39. Calling a function
  40. Buffer Overrun = Seg fault
  41. Careful Buffer Overrun = Attack
  42. Smashing the Stack
  43. Buffer overflow over the net: Morris Worm
  44. (untitled)

Slide 1: 22: Exploits and Defenses Up and Down the Stack
Last Modified: 01/14/19 03:42 PM
Some slides based on notes from cs515 at UMass
(Slide footer on every page: "7: Network Security", followed by the slide number.)

Slide 2: Where in the stack is security?
- Attacks can be targeted at any layer of the protocol stack:
  - Application layer: password and data sniffing, forged transactions, security holes, buffer overflows?
  - Transport layer: TCP session stealing
  - Network layer: IP spoofing, false dynamic routing updates, ICMP attacks
  - Link layer: ARP attacks
  - Denial of service, intrusion
- Defenses can be implemented at multiple levels of the protocol stack too:
  - Application layer: PGP
  - Transport layer: SSL
  - Network layer: IPsec
  - Link layer: static ARP tables, physical security

Slide 3: Network Layer Security
- Lots of potential problems at the IP layer.
- In dynamic routing protocols, routers exchange messages containing known route information to reach consensus on the best routes through the system. Is there any validation of these messages? (RIPv1 has none; RIPv2 later added keyed MD5 authentication, RFC 2082.)
- No authentication that a packet came from a machine with the IP address listed in the source field (raw IP interface).

Slide 4: False Dynamic Routing Updates
- Attacker injects a RIP update stating she has a path to a particular unused host or network.
- All subsequent packets for that destination will be routed to her.
- She replies with raw IP packets listing the IP address of the unused host, concealing her identity.
- Similar attacks exist for interdomain routing (BGP).
- Also allows man-in-the-middle and denial-of-service attacks: she could instead listen and forward, or modify, incoming packets.
- Bad routing tables make a routing black hole where legitimate traffic does not reach its destination.

Slide 5: ICMP Attack
- Simply send an ICMP redirect: it forces a machine to route through you. (Hosts can be told to ignore redirects, e.g. net.ipv4.conf.all.accept_redirects=0 on Linux.)
- Send "destination unreachable" spoofed from the gateway.
- Constantly send ICMP source quench messages (type 4) to throttle the victim. (Source quench is deprecated by RFC 6633, which requires hosts to discard it.)

Slide 6: IP Spoofing
- A process can generate "raw" IP packets directly from an application, putting any value into the IP source address field.
- The receiver can't tell if the source is spoofed.
- E.g., C pretends to be B: C sends A a datagram with src: B, dest: A, payload (figure on slide; A, B and C are the three hosts).

Slide 7: Defenses against IP spoofing
- Good for routers not to forward datagrams with source addresses that are not in their network (ingress filtering, BCP 38 / RFC 2827).
- Doesn't help against attacks from the local network.
- Really need authentication based on more than the IP address: remember authentication using cryptography.

Slide 8: IPsec: Network Layer Security
- Network-layer secrecy: the sending host encrypts the data in the IP datagram (TCP and UDP segments; ICMP and SNMP messages).
- Network-layer authentication: the destination host can authenticate the source IP address.
- Two principal protocols: the authentication header (AH) protocol and the encapsulating security payload (ESP) protocol.
- For both AH and ESP, source and destination handshake to create a network-layer logical channel called a security association (SA).
- Each SA is unidirectional.
- An SA is uniquely determined by: the security protocol (AH or ESP), the destination IP address, and a 32-bit security parameter index (SPI), the "connection ID".

Slide 9: Authentication Header (AH) Protocol
- Provides source host authentication and data integrity, but not secrecy.
- AH header inserted between the IP header and the IP data field; IP protocol field = 51.
- Intermediate routers process datagrams as usual.
- AH header includes:
  - connection identifier (the SPI)
  - authentication data: a keyed message digest (integrity check value) calculated over the original IP datagram, providing source authentication and data integrity
  - next header field: specifies the type of data (TCP, UDP, ICMP, etc.), in plain text

Slide 10: ESP Protocol
- Provides secrecy, host authentication, data integrity.
- Data and ESP trailer are encrypted; the next header field lives in the (encrypted) ESP trailer.
- ESP authentication field is similar to the AH authentication field.
- IP protocol field = 50.

Slide 11: Application Layer Network Security
- Many applications are designed with *HUGE* security problems.
- On purpose? No! Many common applications were designed when the goal was just to get them to work (security complicates that).
- Sometimes the cure is worse than the problem.
- But some applications are bad enough that it makes you wonder.

Slide 12: Clear Text Passwords
- We saw many application-level protocols where sending your password in the clear is required by the protocol: FTP, TELNET, POP, News (NNTP).
- Attack: packet sniffing can capture passwords.
- Defenses:
  - Replace these applications with ones that do not send the password in the clear.
  - Switched networks and physical security of backbone networks (a mitigation only: an attacker on the same switch can still redirect traffic to herself with ARP spoofing, covered later in the deck).

Slide 13: Rsh and rcp
- rsh and rcp are especially bad.
- rsh and rcp use the .rhosts file in your home directory, which lists hosts and accounts allowed access without a password.
- Example .rhosts file:
    mymachine.cs.cornell.edu jnm
    *.cs.cornell.edu jnm
    * *
- What's so bad about that?

Slide 14: Exploiting rsh
- Now that we know a machine is running rsh, how can we pretend to be another (trusted) machine to gain access? Remember IP spoofing: the trust decision rests on the source address and the hostname looked up from it.

Slide 15: Ssh
- Program for logging into a remote machine and executing commands there.
- Replaces telnet, rlogin and rsh.
- Provides encrypted communications between two untrusted hosts over an insecure network.

Slide 16: Ssh
- Users run ssh-keygen on the client to generate a key pair:
  - private key: ~/.ssh/identity
  - public key: ~/.ssh/identity.pub
  (These are the SSH protocol 1 file names; current OpenSSH uses ~/.ssh/id_ed25519, id_rsa and so on.)
- Users append identity.pub to their ~/.ssh/authorized_keys on the server.
- Machines running sshd maintain similar files: /etc/ssh_host_key and /etc/ssh_host_key.pub.

Slide 17: Challenge
From client:
(The text preview ends here.)
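The raw-socket spoofing on slide 6 and the router-side defense on slide 7, as an added Python example (this is not code from the lecture): it builds an IPv4 datagram with an attacker-chosen source address, parses it the way a receiver would, and applies a BCP 38 style ingress filter that forwards a packet only if its source lies inside the prefix assigned to the interface it arrived on. The interface names, the RFC 5737 documentation prefixes and the host addresses are constructed for the example. The last case shows the caveat on slide 7: a source forged from inside the local prefix is indistinguishable from a legitimate neighbour and passes the filter.

```python
import ipaddress
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, network byte order


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; over a correct header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17, ttl: int = 64) -> bytes:
    """What a raw socket lets any local process emit: the source field is whatever we write."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(datagram: bytes) -> dict:
    """Receiver's view: the checksum catches corruption, not a lying sender."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, datagram[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(datagram):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(datagram[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": datagram[ihl:total_len]}


# Constructed border-router configuration: legitimate source prefixes per ingress interface.
INGRESS_PREFIXES = {
    "eth1": [ipaddress.IPv4Network("192.0.2.0/24")],      # customer LAN behind this router
    "eth2": [ipaddress.IPv4Network("198.51.100.0/24")],   # a second customer LAN
}


def ingress_filter(prefixes: dict, iface: str, datagram: bytes) -> str:
    """BCP 38 / RFC 2827: forward only if the source belongs to the arriving interface's prefixes."""
    src = ipaddress.IPv4Address(parse_ipv4(datagram)["src"])
    return "forward" if any(src in net for net in prefixes.get(iface, [])) else "drop"


def demo() -> dict:
    victim = "203.0.113.5"
    return {
        # honest host on eth1's LAN
        "legit": ingress_filter(INGRESS_PREFIXES, "eth1", build_ipv4("192.0.2.10", victim, b"hello")),
        # host on eth1 forging a source from the eth2 LAN: stopped at the border
        "spoof_remote": ingress_filter(INGRESS_PREFIXES, "eth1", build_ipv4("198.51.100.7", victim, b"spoof")),
        # host on eth1 forging a neighbour's address on its own LAN: looks legitimate, forwarded
        "spoof_local": ingress_filter(INGRESS_PREFIXES, "eth1", build_ipv4("192.0.2.200", victim, b"spoof")),
    }


if __name__ == "__main__":
    print(demo())
```

The filter is stateless and purely address-based, which is exactly why slide 7 ends with "really need authentication based on more than IP address": it removes the ability to forge addresses across the border, not the ability to forge them among hosts that share a prefix.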
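The AH mechanics on slides 8 and 9, as an added Python example that is not part of the lecture: transport-mode AH over a constructed IPv4 datagram, with the authentication data computed as HMAC-SHA1-96 over the datagram after zeroing the header fields routers rewrite in transit (RFC 4302), an SA table keyed by (destination address, protocol, SPI) as RFC 4301 specifies, and a minimal strictly-increasing sequence check against replay. The key, SPI and addresses are made up for the example, and the IP header checksum is left at zero because AH excludes it from the integrity check anyway. The demo shows a router's TTL decrement leaving the ICV valid, while a payload change, a forged datagram from a sender without the SA key, and a replay are all rejected.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
ICV_LEN = 12            # HMAC-SHA1-96 (RFC 2404): 160-bit HMAC truncated to 96 bits
AH_FIXED = "!BBHII"     # next header, payload len, reserved, SPI, sequence number (12 bytes)


def make_ip_hdr(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left 0 since AH zeroes it before hashing anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the fields routers may rewrite in transit (RFC 4302 3.3.3.1): TOS, flags/fragment
    offset, TTL and header checksum. Source, destination, length, ID and protocol stay covered."""
    h = bytearray(ip_hdr[:20])
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over (immutable IP header, AH header with its ICV field zeroed, upper-layer data)."""
    covered = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key: bytes, src: str, dst: str, spi: int, seq: int, next_header: int, payload: bytes) -> bytes:
    """Transport-mode AH: IP header (protocol 51) | AH header | ICV | original upper-layer data."""
    payload_len = (12 + ICV_LEN) // 4 - 2        # RFC 4302 "Payload Len": AH length in 32-bit words minus 2
    ah_fixed = struct.pack(AH_FIXED, next_header, payload_len, 0, spi, seq)
    ip_hdr = make_ip_hdr(src, dst, AH_PROTO, 20 + 12 + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_verify(sa_table: dict, last_seq: dict, datagram: bytes) -> str:
    """Receiver: look up the SA by (destination, protocol, SPI), recompute the ICV, check the sequence."""
    ip_hdr = datagram[:20]
    if ip_hdr[9] != AH_PROTO:
        return "not AH"
    dst = str(ipaddress.IPv4Address(ip_hdr[16:20]))
    ah_fixed = datagram[20:32]
    _next_header, payload_len, _, spi, seq = struct.unpack(AH_FIXED, ah_fixed)
    icv_len = (payload_len + 2) * 4 - 12
    icv, payload = datagram[32:32 + icv_len], datagram[32 + icv_len:]
    sa = (dst, AH_PROTO, spi)
    key = sa_table.get(sa)
    if key is None:
        return "no SA"
    if icv_len != ICV_LEN or not hmac.compare_digest(compute_icv(key, ip_hdr, ah_fixed, payload), icv):
        return "bad ICV"
    if seq <= last_seq.get(sa, 0):              # minimal anti-replay: sequence must strictly increase
        return "replay"
    last_seq[sa] = seq
    return "ok"


def demo() -> dict:
    key = b"\x11" * 20                                   # constructed SA key for the example
    sa_table = {("203.0.113.5", AH_PROTO, 0x1000): key}  # the receiver's SA database
    seen = {}
    dgram = ah_protect(key, "192.0.2.10", "203.0.113.5", 0x1000, 1, 17, b"udp payload")
    results = {"fresh": ah_verify(sa_table, seen, dgram)}
    # a router on the path decrements TTL (byte 8): mutable field, so the ICV still verifies
    results["ttl_decremented"] = ah_verify(sa_table, {}, dgram[:8] + bytes([dgram[8] - 1]) + dgram[9:])
    # an attacker flips a payload bit in transit
    results["tampered"] = ah_verify(sa_table, {}, dgram[:-1] + bytes([dgram[-1] ^ 0x01]))
    # an attacker spoofs 192.0.2.10 (slide 6) but does not hold the SA key
    results["spoofed"] = ah_verify(sa_table, {},
                                   ah_protect(b"guess", "192.0.2.10", "203.0.113.5", 0x1000, 2, 17, b"udp payload"))
    # the captured datagram is replayed against a receiver that already accepted it
    results["replayed"] = ah_verify(sa_table, seen, dgram)
    return results


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing: the source address is inside the ICV, which is what lets the receiver "authenticate the source IP address" on slide 8 even though the address itself is still sent in the clear; and real IPsec uses a 64-packet sliding window rather than the strictly-increasing rule here, so that reordered datagrams are not discarded.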
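The sniffing attack on slide 12, as an added Python example that is not part of the lecture: a passive credential extractor of the kind run on a mirrored switch port, applied to a constructed capture (made up for the example, not real traffic, and without Telnet option-negotiation bytes) of FTP, POP3 and Telnet logins. FTP and POP3 carry the password as a single "PASS" line, so one regex over the reassembled client flow suffices; Telnet sends one keystroke per segment, so the client flow must be reassembled and its lines paired with the server's prompts. The same logic is how a SOC audits a network for lingering cleartext logins, and how little effort an attacker with a tap needs.

```python
import re
from collections import defaultdict

# Constructed capture, one tuple per TCP segment in arrival order: (src, sport, dst, dport, payload).
CAPTURE = [
    ("192.0.2.10", 40001, "203.0.113.21", 21, b"USER alice\r\n"),
    ("203.0.113.21", 21, "192.0.2.10", 40001, b"331 Please specify the password.\r\n"),
    ("192.0.2.10", 40001, "203.0.113.21", 21, b"PASS hunter2\r\n"),
    ("192.0.2.11", 40002, "203.0.113.110", 110, b"USER bob\r\n"),
    ("192.0.2.11", 40002, "203.0.113.110", 110, b"PASS s3cret\r\n"),
    ("203.0.113.23", 23, "192.0.2.12", 40003, b"login: "),
] + [("192.0.2.12", 40003, "203.0.113.23", 23, bytes([c])) for c in b"carol\r\n"] + [
    ("203.0.113.23", 23, "192.0.2.12", 40003, b"Password: "),
] + [("192.0.2.12", 40003, "203.0.113.23", 23, bytes([c])) for c in b"tr0ub4dor\r\n"]

CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3"}
CRED_RE = re.compile(rb"^(USER|PASS)[ \t]+(\S+)\r?$", re.MULTILINE | re.IGNORECASE)
PROMPT_RE = re.compile(rb"(login|password):", re.IGNORECASE)


def reassemble(capture):
    """Concatenate payloads per unidirectional flow (assumes in-order capture, no retransmissions)."""
    flows = defaultdict(bytes)
    for src, sport, dst, dport, data in capture:
        flows[(src, sport, dst, dport)] += data
    return flows


def sniff_credentials(capture):
    """Return one record per client flow to a cleartext-login service with the recovered credentials."""
    flows = reassemble(capture)
    found = []
    for (src, sport, dst, dport), data in flows.items():
        service = CLEARTEXT_PORTS.get(dport)
        if service is None:
            continue
        record = {"service": service, "client": src, "server": dst, "user": None, "password": None}
        if service in ("ftp", "pop3"):
            creds = {k.upper().decode(): v.decode() for k, v in CRED_RE.findall(data)}
            record["user"], record["password"] = creds.get("USER"), creds.get("PASS")
        else:
            # Telnet: keystrokes arrive one per segment; pair the reassembled client lines
            # with the server's prompts in order (login:, then Password:).
            server_data = flows.get((dst, dport, src, sport), b"")
            prompts = [p.lower() for p in PROMPT_RE.findall(server_data)]
            answers = data.replace(b"\r\n", b"\n").split(b"\n")
            pairs = dict(zip(prompts, answers))
            record["user"] = pairs.get(b"login", b"").decode() or None
            record["password"] = pairs.get(b"password", b"").decode() or None
        if record["user"] or record["password"]:
            found.append(record)
    return found


if __name__ == "__main__":
    for r in sniff_credentials(CAPTURE):
        print(r)
```

Nothing here is clever, which is the point of the slide: the only thing standing between a listener and the password is whether the protocol encrypts it, which is why the first defense listed is to replace the application rather than to harden the network around it.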

