Internet Protocol
Connectionless
Each packet is transported independently from other packets
Packets may be lost, reordered, corrupted, or duplicated
IP packets
Encapsulate TCP and UDP packets
Encapsulated into link layer frames
Unreliable
Delivery on a best effort basis
No acknowledgments
IP Addresses and Packets
IP addresses
IPv4: 32 bit addresses
IPv6: 128 bit addresses
IP header includes
version (v), fragmentation info, TTL, protocol, source, destination
Address subdivided into network, subnet, and host
E.g., 128.148.32.110
Broadcast addresses
E.g., 128.148.32.255
Private networks
Not routed outside of a LAN: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
IP Routing
A router bridges two or more networks
Operates at the network layer
Maintains tables to forward packets to the appropriate network
Forwarding decisions based solely on the destination address
Routing table
Maps ranges of addresses to LANs or other gateway routers
Internet Routes
Internet Control Message Protocol (ICMP)
Used for network testing and debugging
Simple messages encapsulated in single IP packets
Considered a network layer protocol
Tools based on ICMP
Ping: sends a series of echo request messages and provides statistics on round trip times and packet loss
Traceroute: sends a series of ICMP packets with increasing TTL value to discover routes
ICMP Attacks
Ping of death
ICMP specifies messages must fit a single IP packet (64KB)
Send a ping packet that exceeds maximum size using IP fragmentation
Reassembled packet caused several operating systems to crash due to a buffer overflow
Smurf
Ping a broadcast address using a spoofed source address
Smurf Attack
[Figure: Smurf attack. The attacker sends an echo request to the broadcast address of an amplifying network with the victim's address as the spoofed source; every host on the amplifying network sends its echo response to the victim.]
IP Vulnerabilities
Unencrypted transmission
Eavesdropping possible at any intermediate host during routing
No source authentication
Sender can spoof source address, making it difficult to trace packet back to attacker
No integrity checking
Entire packet, header and payload, can be modified while en route to destination, enabling content forgeries, redirections, and man-in-the-middle attacks
No bandwidth constraints
Large number of packets can be injected into network to launch a denial of service attack
Broadcast addresses provide additional leverage
Denial of Service Attack
Send large number of packets to host providing service
Slows down or crashes host
Often executed by botnet
Source: M.T. Goodrich, Probabilistic Packet Marking for Large-Scale IP Traceback, IEEE/ACM Transactions on Networking 16:1, 2008.
Attack propagation
Starts at zombies
Travels through tree of internet routers rooted at the victim
Ends at victim
IP source spoofing
Hides attacker
Scatters return traffic from victim
IP Traceback
Problem
How to identify leaves of DoS propagation tree (routers next to attacker)
Approaches
Filtering and tracing (immediate reaction)
Messaging (additional traffic)
Logging (additional storage)
Probabilistic marking
Issues
There are more than 2M internet routers
Attacker can spoof source address
Attacker knows that traceback is being performed
Probabilistic Packet Marking
Method
Random injection of information into packet header
Changes seldom used bits
Forward routing information to victim
Redundancy to survive packet losses
Benefits
No additional traffic
No router storage
No packet size increase
Can be performed online or offline
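To make the marking idea concrete, here is an added simulation (not from the slides and not Goodrich's scheme) of the simplest probabilistic marking variant, node sampling: every router overwrites one mark field with probability p, and the victim orders routers by how often their mark survives. The topology, p, packet count and loss rate are constructed for the demo.

```python
import random

# Routers listed from the attacker side (PATH[0]) toward the victim (PATH[-1]); constructed topology.
PATH = ["R1", "R2", "R3", "R4", "R5"]


def forward(path, p, rng):
    """Carry one packet along the path. Each router overwrites the packet's single mark field
    (standing in for a seldom-used header field such as the 16-bit IP identification) with its
    own address with probability p, so routers nearer the victim overwrite earlier marks."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def reconstruct_path(path, p, n_packets, loss=0.0, seed=1):
    """Victim side: count surviving marks and order routers by frequency. A router d hops from
    the victim keeps its mark with probability p(1-p)^(d-1), so counts fall off with distance and
    the descending order is the route from the victim outward. Packets lost in transit
    (probability `loss`) only cost samples; the redundancy of many packets covers them."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n_packets):
        if rng.random() < loss:
            continue                        # packet dropped before reaching the victim
        mark = forward(path, p, rng)
        if mark is not None:
            counts[mark] = counts.get(mark, 0) + 1
    return [r for r, _ in sorted(counts.items(), key=lambda kv: kv[1], reverse=True)]


def expected_mark_rate(p, hops_from_victim):
    """Analytic survival probability used above, handy for checking the simulation."""
    return p * (1 - p) ** (hops_from_victim - 1)


if __name__ == "__main__":
    print(reconstruct_path(PATH, 0.3, 20000, loss=0.2))   # expected: R5, R4, R3, R2, R1
```

With p = 0.3 the expected mark rates are 0.30, 0.21, 0.147, 0.103 and 0.072 for the five routers, so a few thousand packets already separate them even after 20% loss.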
Transmission Control Protocol
TCP is a transport layer protocol guaranteeing reliable data transfer, in order delivery of messages and the ability to distinguish data for multiple concurrent applications on the same host
Most popular application protocols, including WWW, FTP and SSH, are built on top of TCP
TCP takes a stream of 8 bit byte data, packages it into appropriately sized segments and calls on IP to transmit these packets
Delivery order is maintained by marking each packet with a sequence number
Every time TCP receives a packet, it sends out an ACK to indicate successful receipt of the packet
TCP generally checks data transmitted by comparing a checksum of the data with a checksum encoded in the packet
Ports
TCP supports multiple concurrent applications on the same server
Accomplishes this by having ports, 16 bit numbers identifying where data is directed
The TCP header includes space for both a source and a destination port, thus allowing TCP to route all data
In most cases, both TCP and UDP use the same port numbers for the same applications
Ports 0 through 1023 are reserved for use by known protocols
Ports 1024 through 49151 are known as user ports, and should be used by most user programs for listening to connections and the like
Ports 49152 through 65535 are private ports used for dynamic allocation by socket libraries
TCP Packet Format

Bit offset   0-3        4-7         8-15       16-31
0            Source Port                       Destination Port
32           Sequence Number
64           Acknowledgment Number
96           Offset     Reserved    Flags      Window Size
128          Checksum                          Urgent Pointer
160          Options
>=160        Payload
Establishing TCP Connections
TCP connections are established through a three way handshake
The server generally has a passive listener, waiting for a connection request
The client requests a connection by sending out a SYN packet
The server responds by sending a SYN/ACK packet, indicating an acknowledgment for the connection
The client responds by sending an ACK to the server thus establishing connection

Client -> Server: SYN, Seq=x
Server -> Client: SYN ACK, Seq=y, Ack=x+1
Client -> Server: ACK, Seq=x+1
SYN Flood
Typically a DoS attack, though it can be combined with other attacks such as TCP hijacking
Relies on sending TCP connection requests faster than the server can process them
Attacker creates a large number of packets with spoofed source addresses and sets the SYN flag on these
The server responds with a SYN/ACK for which it never gets a response (waits for about 3 minutes each)
Eventually the server stops accepting connection requests, thus triggering a denial of service
Can be solved in multiple ways
One of the common ways to do this is to use SYN cookies
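A sketch of the SYN cookie defense named above, added here as an example (not from the slides): the server folds a time slot, an MSS index and a keyed hash of the connection into the SYN/ACK sequence number y, so the handshake can be completed from the returning ACK alone and no half-open entry exists for spoofed SYNs to exhaust. The 5/2/25-bit layout, the secret and the addresses are constructed for the demo, not any particular stack's format.

```python
import hashlib
import hmac

# Constructed server-side secret; a real stack rotates it periodically.
SECRET = b"constructed-demo-secret"
COUNTER_PERIOD = 64                  # seconds per time slot encoded in the cookie
MAX_AGE_SLOTS = 2                    # accept cookies from the current and two previous slots
MSS_TABLE = [536, 1220, 1440, 1460]  # client MSS is rounded down to one of these (2 bits)


def _keyed_hash(src_ip, sport, dst_ip, dport, client_isn, counter):
    """25-bit keyed hash binding the cookie to the 4-tuple, the client's ISN and the time slot."""
    msg = f"{src_ip}:{sport}>{dst_ip}:{dport}|{client_isn}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x01FFFFFF


def make_syn_cookie(src_ip, sport, dst_ip, dport, client_isn, mss, now):
    """Server ISN y for the SYN/ACK. It carries everything needed to finish the handshake,
    so no half-open entry exists for a flood of spoofed SYNs to exhaust."""
    counter = (int(now) // COUNTER_PERIOD) & 0x1F                 # 5 bits
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fits[-1] if fits else 0                             # 2 bits
    h = _keyed_hash(src_ip, sport, dst_ip, dport, client_isn, counter)
    return (counter << 27) | (mss_idx << 25) | h                  # 5 + 2 + 25 = 32 bits


def check_ack(src_ip, sport, dst_ip, dport, seq, ack, now):
    """Validate the handshake-completing ACK (seq = x+1, ack = y+1).
    Returns the negotiated MSS, or None if the cookie is stale, forged or for another 4-tuple."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    counter, mss_idx = cookie >> 27, (cookie >> 25) & 0x3
    current = (int(now) // COUNTER_PERIOD) & 0x1F
    if ((current - counter) & 0x1F) > MAX_AGE_SLOTS:
        return None                                               # expired time slot
    expected = _keyed_hash(src_ip, sport, dst_ip, dport, client_isn, counter)
    if not hmac.compare_digest(expected.to_bytes(4, "big"),
                               (cookie & 0x01FFFFFF).to_bytes(4, "big")):
        return None                                               # hash mismatch: not our cookie
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    T0 = 1_700_000_000
    y = make_syn_cookie("203.0.113.7", 40000, "198.51.100.1", 80, 123456, 1460, T0)
    print(check_ack("203.0.113.7", 40000, "198.51.100.1", 80, 123457, (y + 1) & 0xFFFFFFFF, T0 + 10))
```

The price of statelessness is visible in the code: TCP options other than MSS are lost, which is why real stacks only switch to cookies once the SYN queue is under pressure.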
TCP Data Transfer
During connection initialization using the three way handshake, initial sequence numbers are exchanged
The TCP header includes a 16 bit checksum of the data and parts of the header, including the source and destination
Acknowledgment or lack thereof is used by TCP to keep track of network congestion and control flow and such
TCP connections are cleanly terminated with a 4 way handshake
The client which wishes to terminate the connection sends a FIN message to the other client
The other client responds by sending an ACK
The other client sends a FIN
The original client now sends an ACK, and the connection is terminated
TCP Data Transfer and Teardown

Data transfer:
Client -> Server: Data, seq=x
Server -> Client: Ack, seq=x+1
Server -> Client: Data, seq=y
Client -> Server: Ack, seq=y+1

Teardown:
Client -> Server: Fin, seq=x
Server -> Client: Ack, seq=x+1
Server -> Client: Fin, seq=y
Client -> Server: Ack, seq=y+1
TCP Congestion Control
During the mid 80s it was discovered that uncontrolled TCP messages were causing large scale network congestion
TCP responded to congestion by retransmitting lost packets, thus making the problem worse
What is predominantly used today is a system where ACKs are used to determine the maximum number of packets which should be sent out
Most TCP congestion avoidance algorithms avoid congestion by modifying a congestion window (cwnd) as more cumulative ACKs are received
Lost packets are taken to be a sign of network congestion
TCP begins with an extremely low cwnd and rapidly increases the value of this variable to reach bottleneck capacity
At this point it shifts to a collision detection algorithm which slowly probes the network for additional bandwidth
TCP congestion control is a good idea in general but allows for certain attacks
Optimistic ACK Attack
An optimistic ACK attack takes advantage of the TCP congestion control
It begins with a client sending out ACKs for data segments it hasn't yet received
This flood of optimistic ACKs makes the server's TCP stack believe that there is a large amount of bandwidth available and thus increase cwnd
This leads to the attacker providing more optimistic ACKs, and eventually bandwidth use beyond what the server has available
This can also be played out across multiple servers, with enough congestion that a certain section of the network is no longer reachable
There are no practical solutions to this problem
Session Hijacking
Also commonly known as TCP Session Hijacking
A security attack over a protected network
Attempt to take control of a network session
Sessions are the server keeping state of a client's connection
Servers need to keep track of messages sent between client and the server and their respective actions
Most networks follow the TCP/IP protocol
IP Spoofing is one type of hijacking on a large network
IP Spoofing
IP Spoofing is an attempt by an intruder to send packets from one IP address that appear to originate at another
If the server thinks it is receiving messages from the real source after authenticating a session, it could inadvertently behave maliciously
There are two basic forms of IP Spoofing
Blind Spoofing: attack from any source
Non-Blind Spoofing: attack from the same subnet
Blind IP Spoofing
The TCP/IP protocol requires that acknowledgement numbers be sent across sessions
Makes sure that the client is getting the server's packets and vice versa
Need to have the right sequence of acknowledgment numbers to spoof an IP identity
Non-Blind IP Spoofing
IP Spoofing without inherently knowing the acknowledgment sequence pattern
Done on the same subnet
Use a packet sniffer to analyze the sequence pattern
Packet sniffers intercept network packets
Eventually decodes and analyzes the packets sent across the network
Determine the acknowledgment sequence pattern from the packets
Send messages to server with actual client's IP address and with validly sequenced acknowledgment number
Packet Sniffers (cont.)
http://www.rootshell.be/~dhar/downloads/Sniffers.pdf
Packet Sniffers
Packet sniffers read information traversing a network
Packet sniffers intercept network packets
Eventually decodes and analyzes the packets sent across the network
Can be used as legitimate tools to analyze a network
Monitor network usage
Filter network traffic
Analyze network problems
Can also be used maliciously
Steal information (e.g., passwords, conversations, etc.)
Analyze network information to prepare an attack
Packet sniffers can be either software or hardware based
Sniffers are dependent on network setup
Packet Sniffing (switches)
More common spoofing method on switched networks is ARP sniffing
A network switch contains an Address Resolution Protocol (ARP) cache
The ARP is a table that maps network IP addresses to the MAC address
If no mapping exists for a requested IP address, broadcasts a request to all networked machines
The machine with that address responds and is mapped in the ARP
By returning a false reply, a spoofing tool can map the ARP to itself instead of the actual client and thus receive all packets from the server to the client
The reverse can be done as well to redirect the client packets through the sniffer
Furthermore, the ARP is stateless
It will accept a reply to a broadcast even if no broadcast has been made
This would allow a sniffer to overwrite the ARP cache entry with its own address
This is known as poisoning the ARP
By utilizing an ARP cache, one can set up a passive sniffer that can be extremely hard to detect
Detecting Sniffers
Sniffers are almost always passive
They simply collect data
They do not attempt entry to steal data
This can make them extremely hard to detect
Most detection methods require suspicion that sniffing is occurring
Then some sort of ping of the sniffer is necessary
It should be a broadcast that will cause a response only from a sniffer
Another solution on switched hubs is ARP watch
An ARP watch monitors the ARP cache for duplicate entries of a machine
If such duplicates appear, raise an alarm
Problem: false alarms
Specifically, DHCP networks can have multiple entries for a single machine
Stopping Packet Sniffing
The best way is to encrypt packets securely
Sniffers can capture the packets, but they are meaningless
Capturing a packet is useless if it just reads as garbage
SSH is also a much more secure method of connection
Private/Public key pairs make sniffing virtually useless
On switched networks, almost all attacks will be via ARP spoofing
Add machines to a permanent store in the cache
This store cannot be modified via a broadcast reply
Thus, a sniffer cannot redirect an address to itself
The best security is to not let them in in the first place
Sniffers need to be on your subnet in a switched hub in the first place
All sniffers need to somehow access root at some point to start themselves up
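The ARP watch from the detection slide and the permanent-store defense from this one, combined in an added example (not from the slides): observed ARP replies are checked against a pinned table that a reply can never overwrite, IP-to-MAC flips raise an alarm, and a MAC that starts answering for several IPs raises another. All addresses and the reply sequence are constructed.

```python
from collections import defaultdict

class ArpWatch:
    """ARP watch over a stream of observed replies (constructed input, not live capture).
    Alarms: 'flip' = an IP changed MAC, 'static' = reply contradicts a pinned entry,
    'multi' = one MAC answering for several IPs."""

    def __init__(self, static_entries=None, multi_threshold=2):
        self.static = dict(static_entries or {})   # permanent store: never overwritten by a reply
        self.cache = dict(self.static)              # learned ip -> mac
        self.ips_per_mac = defaultdict(set)
        for ip, mac in self.static.items():
            self.ips_per_mac[mac].add(ip)
        self.multi_threshold = multi_threshold
        self.alarms = []

    def observe(self, ip, mac):
        """Feed one ARP reply 'ip is-at mac'; returns the alarms this reply raised."""
        raised = []
        if ip in self.static:                       # pinned entries are checked, never updated
            if self.static[ip] != mac:
                raised.append(("static", ip, self.static[ip], mac))
        else:
            old = self.cache.get(ip)
            if old is not None and old != mac:
                raised.append(("flip", ip, old, mac))
            self.cache[ip] = mac
            self.ips_per_mac[mac].add(ip)
            # DHCP caveat: a host renewing into a new lease legitimately appears under two IPs
            # over time, so raise this threshold (or age entries by lease) on DHCP segments.
            if len(self.ips_per_mac[mac]) == self.multi_threshold:
                raised.append(("multi", mac, tuple(sorted(self.ips_per_mac[mac]))))
        self.alarms.extend(raised)
        return raised


def run_demo():
    """Constructed reply sequence: gateway pinned, then one MAC starts answering for other hosts."""
    w = ArpWatch(static_entries={"10.0.0.1": "aa:aa:aa:aa:aa:01"})
    replies = [
        ("10.0.0.5", "aa:aa:aa:aa:aa:05"),
        ("10.0.0.6", "aa:aa:aa:aa:aa:06"),
        ("10.0.0.5", "aa:aa:aa:aa:aa:05"),   # benign repeat, no alarm
        ("10.0.0.5", "de:ad:be:ef:00:99"),   # 10.0.0.5 changes MAC -> flip
        ("10.0.0.6", "de:ad:be:ef:00:99"),   # same MAC also claims 10.0.0.6 -> flip + multi
        ("10.0.0.1", "de:ad:be:ef:00:99"),   # contradicts the pinned gateway entry -> static
    ]
    for ip, mac in replies:
        w.observe(ip, mac)
    return w.alarms
```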
Port Knocking
Broadly, port knocking is the act of attempting to make connections to blocked ports in a certain order in an attempt to open a port
Port knocking is fairly secure against brute force attacks since there are 65536^k combinations, where k is the number of ports knocked
Port knocking however is very susceptible to replay attacks. Someone can theoretically record port knocking attempts and repeat those to get the same open port again
One good way of protecting against replay attacks would be a time dependent knock sequence
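The time dependent knock sequence suggested above, worked out as an added example (not from the slides): the k ports are derived from an HMAC over the current time window, each window's sequence opens the port only once, and a recorded sequence replayed in a later window no longer matches. The secret, window length and addresses are constructed for the demo.

```python
import hashlib
import hmac

SECRET = b"constructed-shared-secret"   # shared by knocker and server (constructed value)
KNOCK_LEN = 4                            # k ports per knock sequence
WINDOW = 30                              # seconds a sequence stays valid

def knock_sequence(secret, window_index, k=KNOCK_LEN):
    """k-port sequence for one window: HMAC-SHA256 over the window index, two bytes per port."""
    digest = hmac.new(secret, window_index.to_bytes(8, "big"), hashlib.sha256).digest()
    return [int.from_bytes(digest[2 * i:2 * i + 2], "big") for i in range(k)]

class KnockServer:
    """Tracks knock progress per (source, window); each window's sequence opens the port once."""
    def __init__(self, secret=SECRET, window=WINDOW):
        self.secret, self.window = secret, window
        self.progress = {}   # (src_ip, window_index) -> ports matched so far
        self.used = set()    # window indices already redeemed

    def observe(self, src_ip, port, now):
        """Feed one attempt on a blocked port. True when a full, fresh sequence completes."""
        idx = int(now) // self.window
        opened = False
        for w in (idx - 1, idx):              # previous window too, for small clock skew
            if w in self.used:
                continue                      # already redeemed: replay inside the window
            seq = knock_sequence(self.secret, w)
            n = self.progress.get((src_ip, w), 0)
            if port != seq[n]:
                self.progress[(src_ip, w)] = 0    # wrong port: this window's sequence restarts
            elif n + 1 == len(seq):
                self.used.add(w)
                self.progress.pop((src_ip, w), None)
                opened = True
            else:
                self.progress[(src_ip, w)] = n + 1
        self.used = {u for u in self.used if u >= idx - 1}                      # drop stale state
        self.progress = {k: v for k, v in self.progress.items() if k[1] >= idx - 1}
        return opened

def run_scenario():
    """Constructed scenario: legitimate knock, immediate replay, replay five windows later."""
    t0 = 1_700_000_000
    srv = KnockServer()
    recorded = knock_sequence(SECRET, t0 // WINDOW)            # what an eavesdropper captures
    fresh = [srv.observe("192.0.2.10", p, t0 + 1) for p in recorded][-1]
    replay_now = [srv.observe("192.0.2.99", p, t0 + 5) for p in recorded][-1]
    replay_late = [srv.observe("192.0.2.99", p, t0 + 5 * WINDOW) for p in recorded][-1]
    return fresh, replay_now, replay_late
```

The one-opening-per-window rule is what defeats replay inside the window; the cost is that two legitimate users cannot both knock in the same 30 second window.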
User Datagram Protocol
UDP is a stateless, unreliable datagram protocol built on top of IP, that is, it lies on level 4
It does not provide delivery guarantees, or acknowledgments, but is significantly faster
Can however distinguish data for multiple concurrent applications on a single host
A lack of reliability implies applications using UDP must be ready to accept a fair amount of error packages and data loss. Some application level protocols such as TFTP build reliability on top of UDP
Most applications that use UDP would suffer if they had reliability. VoIP, streaming video and streaming audio all use UDP
UDP does not come with built in congestion protection, so while UDP does not suffer from the problems associated with optimistic ACK, there are cases where high rate UDP network access will cause congestion
Network Address Translation
Introduced in the early 90s to alleviate IPv4 address space congestion
Relies on translating addresses in an internal network to an external address that is used for communication to and from the outside world
NAT is usually implemented by placing a router in between the internal private network and the public network
Saves IP address space since not every terminal needs a globally unique IP address, only an organizationally unique one
While NAT should really be transparent to all high level services, this is sadly not true because a lot of high level communication uses things on IP
Translation
Router has a pool of private addresses 192.168.10.0/24
Private realm:
s=192.168.10.237 d=128.148.36.11
s=128.148.36.11 d=192.168.10.237
Global realm:
s=128.148.36.179 d=128.148.36.11
s=128.148.36.11 d=128.148.36.179
External host: 128.148.36.11
IP Packet Modifications

IP header layout (bits 0 to 31):
vers | len | type of service | total length
ident | flags | fragment offset
time to live | proto | header checksum
source IP address
destination IP address
options | padding
data