Network Security
Dawn Song, dawnsong@cs.berkeley.edu
Some slides from John Mitchell

IP: Internet Protocol
- Connectionless
- Unreliable
- Best effort
- Transfers datagrams (header + data)
- IP header fields: Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address of Originating Host, Destination Address of Target Host, Options, Padding, then the IP data

TCP Protocol Stack
- Application layer: application protocol
- Transport layer: TCP protocol
- Network layer: IP protocol
- Link layer: data link / network access

Data Formats
- Application: message
- Transport (TCP, UDP): segment = TCP header + data
- Network (IP): packet = IP header + TCP header + data
- Link layer: frame = Ethernet header + IP header + TCP header + data + Ethernet trailer
- Encapsulation, layer by layer: [message] -> [TCP | data] -> [IP | TCP | data] -> [ETH | IP | TCP | data | ETF]

Internet Infrastructure
- Diagram: ISP - backbone - ISP
- Local and interdomain routing
  - TCP/IP for routing connections
  - BGP for routing announcements
- Domain Name System
  - Find IP address from symbolic name, e.g. www.cs.stanford.edu

IP Routing
- Diagram: Alice (121.42.33.12) -> office gateway (121.42.33.1) -> ISP -> 132.14.11.1 -> Bob (132.14.11.51)
- Packet: Source 121.42.33.12, Destination 132.14.11.51
- Internet routing uses numeric IP addresses
- A typical route uses several hops

IP Protocol Functions
- Routing
  - IP host knows the location of a router (gateway)
  - IP gateway must know the route to other networks
- Error reporting
  - ICMP packet sent to the source if a packet is dropped
- Congestion control
- Fragmentation and reassembly
  - Used if the maximum packet size is less than the user data size

UDP: User Datagram Protocol
- IP provides routing: the IP address gets a datagram to a specific machine
- UDP separates traffic by port
  - Destination port number gets the UDP datagram to a particular application process, e.g. 128.3.23.3, port 53
  - Source port number provides the return address
- Minimal guarantees
  - No acknowledgment
  - No flow control
  - No message continuation

TCP: Transmission Control Protocol
- Connection-oriented, preserves order
- Sender
  - Break data into packets
  - Attach packet numbers
- Receiver
  - Acknowledge receipt; lost packets are resent
  - Reassemble packets in the correct order
- Diagram: Alice mails each page of a book, numbered, through the network; Bob reassembles the book

ICMP: Internet Control Message Protocol
- Provides feedback about network operation
  - Error reporting
  - Reachability testing
  - Congestion control
- Example message types
  - Destination unreachable
  - Time-to-live exceeded
  - Parameter problem
  - Redirect to better gateway
  - Echo / echo reply (reachability test)
  - Timestamp request / reply (measure transit delay)

Basic Security Problems
- The Internet was designed with a different trust model: no security in mind
- Network packets pass by untrusted hosts
  - Eavesdropping, packet sniffing (e.g. ngrep)
- TCP state can be easy to guess
  - TCP spoofing attack
- TCP connection requires state
  - SYN flooding attack
- DDoS attacks

Packet Sniffing
- Diagram: Eve sits on the network path between Alice and Bob
- Promiscuous NIC reads all packets
- Read all unencrypted data (e.g. ngrep)
  - ftp, telnet send passwords in the clear
- Solution: encryption

TCP Handshake (client C, server S)
- S: listening
- C -> S: SYN_C
- S: store data; S -> C: SYN_S, ACK_C+1
- C: wait
- C -> S: ACK_S+1
- S: connected

TCP Connection Spoofing
- Each TCP connection has an associated state
  - Client's and server's IP address and port number
  - Sequence numbers
- Problem: easy to guess state
  - Port numbers are standard
  - Sequence numbers often chosen in a predictable way

TCP Session Hijacking
- Need a high degree of unpredictability
  - If the attacker knows the initial seq # and the amount of traffic sent, they can estimate likely current values
  - Send a flood of packets with likely seq numbers
  - Attacker can inject packets into an existing connection
- Some implementations are vulnerable

Force TCP Session Close
- Suppose the attacker can guess the seq number for an existing connection
  - Attacker can send a Reset packet to close the connection
  - Results in DoS
- Naively, success probability is 1/2^32 (32-bit seq #'s)
- Most systems allow a large window of acceptable seq #'s
  - Much higher success probability
- Attack is most effective against long-lived connections, e.g. BGP

SYN Flooding
- Diagram: C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5, ...; S (listening) stores data for each
- Attacker sends many connection requests
  - Spoofed source addresses
- Victim allocates resources for each request
  - Connection requests exist until timeout
  - Fixed bound on half-open connections
- Resources exhausted -> requests rejected
- SYN flooding may require much less bandwidth than a bandwidth exhaustion attack
- Defense: SYN cookie
  - Server computes a MAC of TCP header info, including src/dst IP addresses and ports
  - Use this MAC value as the SYN-ACK sequence number

Denial of Service (DoS) Attack
- A Denial of Service (DoS) attack is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as CPU, memory, bandwidth, and disk space
- A DoS attack can be local (within a single host) or network-based
- A Distributed Denial of Service (DDoS) attack is a network-based DoS attack using multiple attacking hosts

Distributed Denial of Service
- Hackers compromise machines (zombies) and use them to flood a particular server
- Early DDoS tools: zombie network
- Network resource attack; server processing attack
- IP spoofing complicates effective filtering
- (modified from grc.com)

DDoS Activity Measurement: Backscatter
- Use an Internet telescope
  - Monitor large blocks of IP addresses
  - Receive the TCP SYN/ACKs generated in IP-spoofing DDoS attacks
  - Estimate global activity assuming spoofed IP addresses are generated uniformly at random
- Study finds 12,000 attacks on over 5,000 victims in three weeks
  - Mostly short attacks; some last for weeks

Reflector Attacks
- Put the victim's IP as the source address in requests to reflectors
- Use the reflectors to flood the victim
- Advantages
  - Bandwidth amplification
  - Hiding the origin of the attack
- Many examples
  - DNS: Register.com, Jan 2001

Long History of DDoS Attacks
- Early attacks took down Yahoo, eBay for fun / fame (2000)
- Recent attacks
  - Botnets
  - Extortion for profit: 10,000 online game servers in games such as Return to Castle Wolfenstein, Halo, Counter-Strike attacked by RUS hacker group (2007)
  - Cyber warfare: attacks on Estonia government website (May 2007); attacks on Georgia government website before the war (2008)

Smurf DoS Attack
- Diagram: DoS source -> gateway: ICMP Echo Req (Src: DoS target, Dest: broadcast addr); every host on the network -> DoS target: ICMP Echo Reply
- Send a ping request to the broadcast addr (ICMP Echo Req)
- Lots of responses
  - Every host on the target network generates a ping reply (ICMP Echo Reply) to the victim
  - The ping reply stream can overload the victim
- Prevention: reject external packets to the broadcast address

DDoS Attack Defenses
1. Server resource exhaustion based attacks

Other Defenses
- Traffic scrubbing
  - Centralized service with a big pipe
  - Forward cleaned traffic to the victim
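The Data Formats and IP slides list the header fields without showing how a sniffer or a firewall actually pulls them out of the bytes on the wire. The following added example (written for this page, not code from the slides or their authors) builds a constructed IP/TCP packet using the addresses from the IP Routing slide, then decodes the IPv4 header fields named on the IP slide, verifies the header checksum the way a receiving host does, and reads the ports, sequence number and flags from the TCP header. The helper and field names are this example's own.

```python
import ipaddress
import struct

# Added example: decode the IPv4 and TCP headers from the Data Formats / IP slides and
# verify the IP header checksum. The sample packet is constructed here, not a real capture.

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte fixed IPv4 header
TCP_FMT = "!HHIIHHHH"        # 20-byte fixed TCP header


def ones_complement_sum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    return (~ones_complement_sum(header)) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Fixed-size header (IHL = 5), DF flag set, checksum filled in."""
    hdr = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, ident, 0x4000,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_tcp_header(sport: int, dport: int, seq: int, ack: int = 0,
                     flags: int = 0x02, window: int = 65535) -> bytes:
    """TCP header with data offset 5; checksum left zero (it needs the IP pseudo-header)."""
    return struct.pack(TCP_FMT, sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)


def parse_ipv4(packet: bytes) -> dict:
    fields = struct.unpack(IPV4_FMT, packet[:20])
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = fields
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "header_length": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,            # 3 bits: bit 1 = DF, bit 0 = MF
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,                    # 1 = ICMP, 6 = TCP, 17 = UDP
        # A valid header sums (checksum field included) to 0xFFFF, so the complement is 0.
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": packet[ihl:total_len],
    }


def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(TCP_FMT, segment[:20])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "syn": bool(flags & 0x02), "ack_flag": bool(flags & 0x10), "rst": bool(flags & 0x04),
        "window": window, "payload": segment[data_offset:],
    }


def decode_packet(raw: bytes):
    """IP packet -> (ip header dict, tcp header dict or None for non-TCP payloads)."""
    ip = parse_ipv4(raw)
    tcp = parse_tcp(ip["payload"]) if ip["protocol"] == 6 else None
    return ip, tcp


# Constructed sample: a SYN from Alice's host to Bob's, using the addresses on the IP Routing slide.
SAMPLE_TCP = build_tcp_header(40000, 80, seq=0x01020304)
SAMPLE_PACKET = build_ipv4_header("121.42.33.12", "132.14.11.51", len(SAMPLE_TCP)) + SAMPLE_TCP

if __name__ == "__main__":
    ip_hdr, tcp_hdr = decode_packet(SAMPLE_PACKET)
    print(ip_hdr)
    print(tcp_hdr)
```

The checksum check is the part worth noticing: flipping any header byte in transit (the TTL, say) makes the one's-complement sum stop folding to 0xFFFF, which is exactly the integrity a receiving host gets from the IP header, and all it gets; nothing here authenticates the source address, which is what makes the spoofing attacks on the later slides possible.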
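The SYN Flooding slide gives the two halves of the story in one breath: a bounded half-open table that a flood can fill, and the SYN-cookie defense that computes a MAC over the header fields and hands it back as the SYN-ACK sequence number. The added example below (this page's illustration, not code from the slides) puts a classic stateful listener next to a SYN-cookie listener and drives both with a constructed flood of spoofed SYNs that are never acknowledged, followed by one genuine client. The cookie layout (one byte of coarse time counter, 24 bits of HMAC-SHA256 over the 4-tuple and the client's ISN), the `max_age` expiry, and every class and function name are this example's own assumptions; real implementations also encode the negotiated MSS, which is left out here.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides): a stateful listener with a bounded half-open table
# next to a stateless SYN-cookie listener, driven by a constructed SYN flood.

MASK32 = 0xFFFFFFFF


def make_cookie(key: bytes, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                client_isn: int, counter: int) -> int:
    """Server ISN for the SYN-ACK: top byte = coarse time counter, low 24 bits = MAC over
    the connection 4-tuple, the client's ISN and the counter. Layout is this example's choice."""
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{client_isn}|{counter & 0xFF}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return ((counter & 0xFF) << 24) | int.from_bytes(mac[:3], "big")


def check_cookie(key, src_ip, src_port, dst_ip, dst_port, client_isn, ack_number,
                 now_counter, max_age=2) -> bool:
    """The third-handshake ACK carries cookie+1. Reject stale counters, then recompute the MAC."""
    cookie = (ack_number - 1) & MASK32
    counter = cookie >> 24
    if (now_counter - counter) & 0xFF > max_age:
        return False
    expected = make_cookie(key, src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    return hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big"))


class StatefulListener:
    """Stores every half-open connection; a fixed bound means unanswered SYNs crowd out real clients."""

    def __init__(self, max_half_open: int = 4):
        self.backlog = {}
        self.max_half_open = max_half_open

    def handle_syn(self, src_ip, src_port, client_isn):
        if len(self.backlog) >= self.max_half_open:
            return None                      # backlog full: the SYN is dropped
        server_isn = secrets.randbits(32)
        self.backlog[(src_ip, src_port)] = server_isn
        return server_isn                    # sequence number sent back in the SYN-ACK

    def handle_ack(self, src_ip, src_port, seq, ack_number):
        server_isn = self.backlog.get((src_ip, src_port))
        if server_isn is None or ack_number != (server_isn + 1) & MASK32:
            return False
        del self.backlog[(src_ip, src_port)]
        return True


class CookieListener:
    """Keeps no per-connection state until the handshake completes."""

    def __init__(self, key: bytes, ip: str = "132.14.11.51", port: int = 80, counter: int = 0):
        self.key, self.ip, self.port, self.counter = key, ip, port, counter

    def tick(self):
        self.counter += 1                    # call once per cookie period (e.g. every 64 s)

    def handle_syn(self, src_ip, src_port, client_isn):
        return make_cookie(self.key, src_ip, src_port, self.ip, self.port, client_isn, self.counter)

    def handle_ack(self, src_ip, src_port, seq, ack_number):
        client_isn = (seq - 1) & MASK32      # the ACK's sequence number is the client's ISN + 1
        return check_cookie(self.key, src_ip, src_port, self.ip, self.port, client_isn,
                            ack_number, self.counter)


def flood_then_connect(listener, n_spoofed: int = 10) -> bool:
    """Constructed scenario: n SYNs from spoofed sources that never answer, then one real client.
    Returns whether the real client's handshake completes."""
    for i in range(n_spoofed):
        listener.handle_syn(f"203.0.113.{i}", 50000 + i, 1000 + i)   # 203.0.113.0/24: documentation range
    isn = listener.handle_syn("121.42.33.12", 40000, 12345)
    if isn is None:
        return False
    return listener.handle_ack("121.42.33.12", 40000, seq=12346, ack_number=(isn + 1) & MASK32)


if __name__ == "__main__":
    print("stateful listener, backlog of 4:", flood_then_connect(StatefulListener()))
    print("SYN-cookie listener:", flood_then_connect(CookieListener(secrets.token_bytes(32))))
```

The stateful listener fails the genuine client once four spoofed SYNs sit in its backlog; the cookie listener accepts it because the only thing it has to "remember" is recomputable from the ACK itself. The cost of that is the usual one: a forged ACK from a different source, a wrong acknowledgement number, or a cookie older than `max_age` periods is rejected, but the server also cannot tell a legitimate retransmitted SYN-ACK loss from an attack, which is why production stacks switch cookies on only under backlog pressure.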
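The Backscatter slide describes the measurement idea in three bullets: a telescope watches a large unused address block, a victim under a spoofed-source SYN flood sends SYN/ACKs (or RSTs) to random addresses, and because the spoofed sources are assumed uniform, the fraction that lands in the telescope scales up to a global estimate. The added example below (written for this page; the telescope prefix, log format and log lines are all constructed, and it is not the code of the study the slide cites) parses a small telescope log, keeps only unsolicited responses addressed into the telescope, groups them by the responding host, which is the victim, and scales the counts by 2^32 divided by the telescope size.

```python
import ipaddress
import re
from collections import defaultdict

# Added example (not from the slides): estimate DDoS activity from backscatter seen by an
# Internet telescope. Telescope prefix, log format and log lines are constructed.

TELESCOPE = ipaddress.ip_network("10.0.0.0/8")        # stand-in for a /8 telescope
SCALE = 2 ** 32 / TELESCOPE.num_addresses             # 256: one observed packet per 256 sent
BACKSCATTER_FLAGS = {"SA", "R", "RA"}                  # replies a victim sends to SYNs it never solicited

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)

# Constructed telescope log, one packet per line: "time src:port > dst:port flags"
SAMPLE_LOG = """\
1000.0 132.14.11.51:80 > 10.17.4.2:51234 SA
1000.2 132.14.11.51:80 > 10.200.1.9:4411 SA
1000.5 132.14.11.51:80 > 10.3.3.3:1111 SA
1001.0 192.0.2.7:443 > 10.9.9.9:33000 R
1001.1 132.14.11.51:80 > 10.66.1.1:999 SA
1002.0 10.5.5.5:1234 > 10.6.6.6:80 S
1003.0 132.14.11.51:80 > 10.100.100.100:2222 SA
"""


def parse_backscatter(log: str):
    """Yield (ts, victim_ip, victim_port) for unsolicited replies landing in the telescope.
    Lines that do not parse, or that do not come from outside the telescope, are ignored."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if dst in TELESCOPE and src not in TELESCOPE and m["flags"] in BACKSCATTER_FLAGS:
            yield float(m["ts"]), m["src"], int(m["sport"])


def summarize(log: str, min_duration: float = 1.0) -> dict:
    """Per victim: packets observed, the ports that answered, the observed window, the
    estimated total packets the victim emitted (observed * SCALE) and the estimated rate.
    Single-packet windows are floored at min_duration seconds to avoid dividing by zero."""
    first, last, count, ports = {}, {}, defaultdict(int), defaultdict(set)
    for ts, victim, port in parse_backscatter(log):
        first[victim] = min(first.get(victim, ts), ts)
        last[victim] = max(last.get(victim, ts), ts)
        count[victim] += 1
        ports[victim].add(port)
    out = {}
    for v in count:
        duration = max(last[v] - first[v], min_duration)
        out[v] = {
            "observed": count[v],
            "ports": sorted(ports[v]),
            "duration_s": duration,
            "est_total_packets": count[v] * SCALE,
            "est_rate_pps": count[v] * SCALE / duration,
        }
    return out


def likely_attacks(summary: dict, min_observed: int = 3):
    """Constructed threshold: a host emitting several backscatter packets is flagged as a victim."""
    return sorted(v for v, s in summary.items() if s["observed"] >= min_observed)


if __name__ == "__main__":
    for victim, stats in summarize(SAMPLE_LOG).items():
        print(victim, stats)
    print("likely victims:", likely_attacks(summarize(SAMPLE_LOG)))
```

Two things the numbers make concrete. First, the estimate is only as good as the uniformity assumption on the slide: an attacker who spoofs from a narrow range, or who does not spoof at all, produces no usable backscatter, so the technique undercounts. Second, with a /8 telescope each observed packet stands for 256 sent ones, so a handful of SYN/ACKs over a few seconds already implies an attack in the hundreds of packets per second.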
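The Smurf slide ends with a one-line prevention, "reject external packets to broadcast address", and the reason it works is the amplification the diagram shows: one echo request to a directed broadcast address turns into one echo reply from every live host on that subnet, all addressed to whoever the source field claims. The added example below (this page's illustration, not code from the slides) implements that border-gateway check for a constructed set of internal subnets and runs a constructed packet list through it, counting the replies each claimed source would receive with the filter off and on. The subnet list, the packet tuples and the assumption that every usable address in a subnet is a live host are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Added example (not from the slides): the "reject external packets to broadcast address"
# check from the Smurf slide, and a count of echo replies with and without it.

# Constructed internal subnets behind the gateway; their directed-broadcast addresses
# (132.14.11.255 and 132.14.12.127) plus the limited broadcast address are what we refuse
# to accept from outside.
INTERNAL_SUBNETS = [
    ipaddress.ip_network("132.14.11.0/24"),
    ipaddress.ip_network("132.14.12.0/25"),
]
BROADCAST_ADDRS = {n.broadcast_address for n in INTERNAL_SUBNETS} | {
    ipaddress.ip_address("255.255.255.255")
}


def gateway_allows(src: str, dst: str, from_external: bool) -> bool:
    """Forward everything except packets arriving on the external interface that are
    addressed to one of our broadcast addresses. Internal broadcasts are left alone."""
    if from_external and ipaddress.ip_address(dst) in BROADCAST_ADDRS:
        return False
    return True


def hosts_that_reply(dst: str) -> int:
    """How many hosts answer an ICMP echo request to dst. A directed broadcast is answered
    by every host on that subnet (constructed assumption: all usable addresses are live);
    a unicast address is answered by one host; addresses we do not own by none."""
    d = ipaddress.ip_address(dst)
    for n in INTERNAL_SUBNETS:
        if d == n.broadcast_address:
            return n.num_addresses - 2      # minus network and broadcast addresses
        if d in n:
            return 1
    return 0


# Constructed ICMP echo requests as (claimed source, destination, arrived on external interface).
# 121.42.33.12 is the victim from the IP Routing slide, written into the source field by
# someone else; 132.14.11.7 is an internal host doing an ordinary local broadcast ping.
SAMPLE_PACKETS = [
    ("121.42.33.12", "132.14.11.255", True),    # directed broadcast from outside
    ("121.42.33.12", "132.14.12.127", True),    # directed broadcast of the second subnet
    ("121.42.33.12", "132.14.11.51", True),     # unicast ping to Bob's host: allowed
    ("132.14.11.7", "132.14.11.255", False),    # internal broadcast ping: allowed
]


def replies_per_source(packets, filter_on: bool) -> dict:
    """Echo replies delivered to each claimed source address after the gateway decision."""
    replies = defaultdict(int)
    for src, dst, from_external in packets:
        if filter_on and not gateway_allows(src, dst, from_external):
            continue
        replies[src] += hosts_that_reply(dst)
    return dict(replies)


def amplification(packets, filter_on: bool, victim: str) -> float:
    """Replies the victim receives per echo request that claimed its address."""
    sent = sum(1 for src, _, _ in packets if src == victim)
    return replies_per_source(packets, filter_on).get(victim, 0) / sent if sent else 0.0


if __name__ == "__main__":
    for on in (False, True):
        print("filter", "on " if on else "off", replies_per_source(SAMPLE_PACKETS, on),
              "amplification for 121.42.33.12:", amplification(SAMPLE_PACKETS, on, "121.42.33.12"))
```

With the filter off, the three requests claiming 121.42.33.12 as their source draw 254 + 126 + 1 = 381 replies back to that address; with it on, only the unicast ping is answered, while the internal host's own broadcast ping is unaffected. The check is deliberately one-sided (it looks at the ingress interface and the destination only), which is why it stops the reflection without having to decide whether the source address is genuine.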