
Networks: IP and TCP

Internet Protocol

Connectionless
- Each packet is transported independently from other packets
- Packets may be lost, reordered, corrupted, or duplicated

IP packets
- Encapsulate TCP and UDP packets
- Encapsulated into link layer frames

Unreliable
- Delivery on a best effort basis
- No acknowledgments

[Figure: a TCP or UDP packet is encapsulated in an IP packet, which is encapsulated in a data link frame]

IP Addresses and Packets

IP addresses
- IPv4: 32 bit addresses
- IPv6: 128 bit addresses

IP header includes
- IP protocol version
- Packet length (up to 64 KB)
- Fragmentation information
- Time to live (up to 255)
- Transport layer protocol information (e.g., TCP)
- Source address
- Destination address

[Figure: IP header fields: version, length, fragmentation info, TTL, protocol, source, destination]

Address subdivided into network, subnet, and host
- E.g., 128.148.32.110

Broadcast addresses
- E.g., 128.148.32.255

Private networks
- Not routed outside of a LAN
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
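As an added example (not from the slides), the Python below decodes the fixed IPv4 header fields listed above from raw bytes and classifies the addresses it finds against the three private ranges and a directed broadcast address. The 20-byte header is constructed for this illustration: its field values and addresses are made up, and the checksum field is left at zero because this decoder does not inspect it.

```python
import struct
import ipaddress

# Constructed 20-byte IPv4 header (no options): TCP segment from 128.148.32.110
# to 10.0.0.5, TTL 64, total length 40. Values are invented for the example;
# the checksum field is 0 because it is not checked here.
SAMPLE_HEADER = struct.pack(
    "!BBHHHBBH4s4s",
    0x45,            # version 4, IHL 5 (5 * 4 = 20 header bytes)
    0x00,            # type of service
    40,              # total length in bytes (header + payload), up to 64 KB
    0x1234,          # identification (shared by all fragments of one packet)
    0x4000,          # flags: DF set, MF clear; fragment offset 0
    64,              # time to live, decremented by every router
    6,               # transport protocol: 6 = TCP, 17 = UDP, 1 = ICMP
    0,               # header checksum (not inspected in this example)
    ipaddress.IPv4Address("128.148.32.110").packed,
    ipaddress.IPv4Address("10.0.0.5").packed,
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# The three private ranges from the slide; they are not routed outside a LAN.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipv4_header(raw):
    """Decode the fixed part of an IPv4 header into named fields."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    vhl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version = vhl >> 4
    header_len = (vhl & 0x0F) * 4
    if version != 4 or header_len < 20:
        raise ValueError("not a valid IPv4 header")
    return {
        "version": version,
        "header_len": header_len,
        "total_len": total_len,
        "ident": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # stored in 8-byte units
        "ttl": ttl,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
    }


def is_private(addr):
    """True if addr (string or IPv4Address) lies in one of the private ranges."""
    return any(ipaddress.ip_address(str(addr)) in net for net in PRIVATE_NETS)


def is_broadcast(addr, network):
    """True if addr is the directed broadcast address of network,
    e.g. 128.148.32.255 for 128.148.32.0/24."""
    return ipaddress.ip_address(str(addr)) == ipaddress.ip_network(network).broadcast_address


if __name__ == "__main__":
    fields = parse_ipv4_header(SAMPLE_HEADER)
    for name, value in fields.items():
        print(f"{name:15} {value}")
    print("destination is private:", is_private(fields["dst"]))
```

A packet arriving from outside the LAN with a private source address, or one addressed to a subnet's broadcast address, is the kind of thing a border filter can reject using exactly these field checks.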

IP Routing

A router bridges two or more networks
- Operates at the network layer
- Maintains tables to forward packets to the appropriate network
- Forwarding decisions based solely on the destination address

Routing table
- Maps ranges of addresses to LANs or other gateway routers
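An added example of the forwarding decision described above, written for these notes rather than taken from the slides: a routing table that maps address ranges to interfaces or gateways, and a lookup that picks the most specific matching range (longest prefix match) using nothing but the destination address. The table entries, interface names and gateway addresses are constructed for the illustration; only the 128.148.32.0/24 network echoes the slide's example address.

```python
import ipaddress

# Constructed routing table for a router between a campus LAN and the internet.
# Each entry maps a range of addresses (a prefix) to an outgoing interface or
# next-hop gateway; all names and addresses are invented for this example.
ROUTING_TABLE = [
    ("128.148.32.0/24", "eth0 (directly attached LAN)"),
    ("128.148.0.0/16", "gateway 128.148.1.1"),
    ("10.0.0.0/8", "eth1 (private LAN)"),
    ("0.0.0.0/0", "default gateway 192.0.2.1"),
]


def build_fib(table):
    """Parse the table once and sort it by prefix length, longest first, so the
    first match found is the most specific one."""
    fib = [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in table]
    fib.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return fib


def forward(fib, dst):
    """Return the next hop for a destination address. Only the destination
    takes part in the decision; the source address is never consulted,
    which is why a spoofed source address does not disturb routing."""
    addr = ipaddress.ip_address(dst)
    for net, next_hop in fib:
        if addr in net:
            return next_hop
    return None   # no matching range and no default route: the packet is dropped


if __name__ == "__main__":
    fib = build_fib(ROUTING_TABLE)
    for dst in ("128.148.32.110", "128.148.77.3", "10.20.30.40", "198.51.100.9"):
        print(f"{dst:16} -> {forward(fib, dst)}")
```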

Internet Routes

Internet Control Message Protocol (ICMP)
- Used for network testing and debugging
- Simple messages encapsulated in single IP packets
- Considered a network layer protocol

Tools based on ICMP
- Ping: sends a series of echo request messages and provides statistics on round trip times and packet loss
- Traceroute: sends a series of ICMP packets with increasing TTL value to discover routes

ICMP Attacks

Ping of death
- ICMP specifies messages must fit a single IP packet (64 KB)
- Send a ping packet that exceeds maximum size using IP fragmentation
- Reassembled packet caused several operating systems to crash due to a buffer overflow

Smurf
- Ping a broadcast address using a spoofed source address

Smurf Attack

[Figure: the attacker sends an echo request, with the victim's address as the spoofed source, to the broadcast address of an amplifying network; every host on that network sends an echo response to the victim]

IP Vulnerabilities

Unencrypted transmission
- Eavesdropping possible at any intermediate host during routing

No source authentication
- Sender can spoof source address, making it difficult to trace packet back to attacker

No integrity checking
- Entire packet, header and payload, can be modified while en route to destination, enabling content forgeries, redirections, and man-in-the-middle attacks

No bandwidth constraints
- Large number of packets can be injected into network to launch a denial of service attack
- Broadcast addresses provide additional leverage

Denial of Service Attack

Send large number of packets to host providing service
- Slows down or crashes host
- Often executed by botnet

Attack propagation
- Starts at zombies
- Travels through tree of internet routers rooted at the victim
- Ends at victim

IP source spoofing
- Hides attacker
- Scatters return traffic from victim

Source: M.T. Goodrich, Probabilistic Packet Marking for Large-Scale IP Traceback, IEEE/ACM Transactions on Networking 16:1, 2008.

IP Traceback

Problem
- How to identify leaves of DoS propagation tree
- Routers next to attacker

Approaches
- Filtering and tracing (immediate reaction)
- Messaging (additional traffic)
- Logging (additional storage)
- Probabilistic marking

Issues
- There are more than 2M internet routers
- Attacker can spoof source address
- Attacker knows that traceback is being performed

Probabilistic Packet Marking

Method
- Random injection of information into packet header
- Changes seldom used bits
- Forward routing information to victim
- Redundancy to survive packet losses

Benefits
- No additional traffic
- No router storage
- No packet size increase
- Can be performed online or offline
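An added simulation, written for these notes and not taken from the slides or the cited paper, of the simplest probabilistic marking scheme (node sampling, as in Savage et al.): each router on the path overwrites a single mark field with its own address with probability p and resets a distance counter, and the victim reconstructs the path from the marks it collects. The router path, addresses, p and packet count are all constructed for the illustration; real schemes pack the mark into the 16-bit identification field and mark edges rather than single nodes.

```python
import random
from collections import Counter

# Constructed router path from a zombie (leaf of the attack tree) to the victim,
# attacker side first. Addresses are invented for this example.
PATH = ["10.1.0.1", "10.2.0.1", "10.3.0.1", "10.4.0.1", "10.5.0.1"]


def mark_packet(path, p, rng):
    """Router side (node sampling): each router overwrites the mark field with
    its own address with probability p and resets the distance to 0; a router
    that does not mark only increments the distance. The mark rides in seldom
    used header bits, so there is no extra traffic and no router storage."""
    mark, distance = None, 0
    for router in path:
        if rng.random() < p:
            mark, distance = router, 0
        elif mark is not None:
            distance += 1
    return mark, distance


def reconstruct_path(marks):
    """Victim side: for each distance keep the router reported most often,
    then order by distance. Distance 0 is the router next to the victim, so
    the list is reversed to read attacker side first, like PATH."""
    by_distance = {}
    for router, d in marks:
        by_distance.setdefault(d, Counter())[router] += 1
    nearest_first = [by_distance[d].most_common(1)[0][0] for d in sorted(by_distance)]
    return nearest_first[::-1]


def simulate(path=PATH, p=0.2, packets=5000, seed=7):
    """Send `packets` packets down `path` and rebuild the path at the victim.
    With p = 0.2 a mark from the farthest router survives the other four with
    probability 0.2 * 0.8**4 (about 8% of packets), enough redundancy to
    tolerate losses; lower p favours distant routers, higher p nearby ones."""
    rng = random.Random(seed)
    marks = [mark_packet(path, p, rng) for _ in range(packets)]
    return reconstruct_path([m for m in marks if m[0] is not None])


if __name__ == "__main__":
    print("true path:         ", PATH)
    print("reconstructed path:", simulate())
```

Because a router that marks also resets the distance, a mark with distance d can only have come from the router d hops before the victim, so the reconstruction needs no knowledge of the source address, which the attacker may have spoofed.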

Transmission Control Protocol
- TCP is a transport layer protocol guaranteeing reliable data transfer, in-order delivery of messages and the ability to distinguish data for multiple concurrent applications on the same host
- Most popular application protocols, including WWW, FTP and SSH, are built on top of TCP
- TCP takes a stream of 8 bit byte data, packages it into appropriately sized segments and calls on IP to transmit these packets
- Delivery order is maintained by marking each packet with a sequence number
- Every time TCP receives a packet, it sends out an ACK to indicate successful receipt of the packet
- TCP generally checks data transmitted by comparing a checksum of the data with a checksum encoded in the packet

Ports
- TCP supports multiple concurrent applications on the same server
- Accomplishes this by having ports, 16 bit numbers identifying where data is directed
- The TCP header includes space for both a source and a destination port, thus allowing TCP to route all data
- In most cases, both TCP and UDP use the same port numbers for the same applications
- Ports 0 through 1023 are reserved for use by known protocols
- Ports 1024 through 49151 are known as user ports, and should be used by most user programs for listening to connections and the like
- Ports 49152 through 65535 are private ports used for dynamic allocation by socket libraries

TCP Packet Format

Bit offset   Bits 0-3   Bits 4-7   Bits 8-15   Bits 16-31
0            Source Port                       Destination Port
32           Sequence Number
64           Acknowledgment Number
96           Offset     Reserved   Flags       Window Size
128          Checksum                          Urgent Pointer
160          Options
>= 160       Payload

Establishing TCP Connections
- TCP connections are established through a three-way handshake
- The server generally has a passive listener, waiting for a connection request
- The client requests a connection by sending out a SYN packet
- The server responds by sending a SYN/ACK packet, indicating an acknowledgment for the connection
- The client responds by sending an ACK to the server, thus establishing the connection

[Figure: three-way handshake]
Client -> Server: SYN, Seq=x
Server -> Client: SYN ACK, Seq=y, Ack=x+1
Client -> Server: ACK, Seq=x+1

SYN Flood
- Typically a DoS attack, though it can be combined with other attacks such as TCP hijacking
- Relies on sending TCP connection requests faster than the server can process them
- Attacker creates a large number of packets with spoofed source addresses and sets the SYN flag on these
- The server responds with a SYN/ACK for which it never gets a response (waits for about 3 minutes each)
- Eventually the server stops accepting connection requests, thus triggering a denial of service
- Can be solved in multiple ways
- One of the common ways to do this is to use SYN cookies
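The SYN cookie defence mentioned above works because the server's initial sequence number can carry the half-open connection's state instead of a table entry. As an added example (not from the slides), the Python below derives the SYN/ACK sequence number from a keyed hash of the connection 4-tuple, the client's ISN and a coarse time slot, and later validates the handshake's final ACK by recomputing it, so a flood of spoofed SYNs costs the server no memory. The secret, addresses, ports and ISNs are constructed for the illustration; real implementations also encode the negotiated MSS in a few of the bits, which is omitted here.

```python
import hashlib
import hmac
import time

SECRET = b"constructed server secret"   # a real server uses a random key and rotates it
MASK32 = 0xFFFFFFFF


def time_slot(now=None):
    """5-bit counter that advances every 64 seconds, so a cookie expires."""
    now = time.time() if now is None else now
    return int(now // 64) & 0x1F


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, slot, secret=SECRET):
    """Server ISN = 5 bits of time slot | 27 bits of a keyed hash over the
    connection 4-tuple, the client's ISN and the slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{slot}".encode()
    h = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return ((slot << 27) | (h & 0x07FFFFFF)) & MASK32


def synack_isn(src_ip, src_port, dst_ip, dst_port, client_isn, now=None):
    """On a SYN: reply SYN/ACK with this sequence number and keep no state,
    so spoofed SYNs that are never acknowledged fill no half-open table."""
    return make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, time_slot(now))


def verify_handshake_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now=None, max_age=2):
    """On a bare ACK: a genuine third handshake packet carries
    seq = client_isn + 1 and ack = cookie + 1. Recompute the cookie for the
    current slot and the last `max_age` slots; only a client that really
    received the SYN/ACK at that source address can produce a valid one."""
    client_isn = (seq - 1) & MASK32
    cookie = (ack - 1) & MASK32
    current = time_slot(now)
    for age in range(max_age + 1):
        slot = (current - age) & 0x1F
        expected = make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, slot)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return True
    return False


if __name__ == "__main__":
    # Constructed handshake: client 203.0.113.7:40000 -> server 128.148.36.11:80
    isn = synack_isn("203.0.113.7", 40000, "128.148.36.11", 80, client_isn=1000)
    print("SYN/ACK sequence number (cookie):", hex(isn))
    print("final ACK accepted:", verify_handshake_ack("203.0.113.7", 40000, "128.148.36.11", 80, 1001, isn + 1))
    print("forged ACK accepted:", verify_handshake_ack("203.0.113.7", 40000, "128.148.36.11", 80, 1001, isn + 2))
```

Because the cookie is bound to the source address, an attacker who never sees the SYN/ACK (the spoofed-source case on this slide) cannot complete the handshake, and a stale cookie replayed minutes later fails the slot check.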

TCP Data Transfer
- During connection initialization using the three-way handshake, initial sequence numbers are exchanged
- The TCP header includes a 16 bit checksum of the data and parts of the header, including the source and destination
- Acknowledgment, or lack thereof, is used by TCP to keep track of network congestion and control flow and such
- TCP connections are cleanly terminated with a 4-way handshake
- The client which wishes to terminate the connection sends a FIN message to the other client
- The other client responds by sending an ACK
- The other client sends a FIN
- The original client now sends an ACK, and the connection is terminated

TCP Data Transfer and Teardown

[Figure: data transfer]
Client -> Server: Data seq=x
Server -> Client: Ack seq=x+1
Server -> Client: Data seq=y
Client -> Server: Ack seq=y+1

[Figure: teardown]
Client -> Server: Fin seq=x
Server -> Client: Ack seq=x+1
Server -> Client: Fin seq=y
Client -> Server: Ack seq=y+1

TCP Congestion Control
- During the mid 80s it was discovered that uncontrolled TCP messages were causing large scale network congestion
- TCP responded to congestion by retransmitting lost packets, thus making the problem worse
- What is predominantly used today is a system where ACKs are used to determine the maximum number of packets which should be sent out
- Most TCP congestion avoidance algorithms avoid congestion by modifying a congestion window (cwnd) as more cumulative ACKs are received
- Lost packets are taken to be a sign of network congestion
- TCP begins with an extremely low cwnd and rapidly increases the value of this variable to reach bottleneck capacity
- At this point it shifts to a collision detection algorithm which slowly probes the network for additional bandwidth
- TCP congestion control is a good idea in general but allows for certain attacks
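As an added example (not from the slides), the simulation below replays a stream of ACK and loss events against a congestion window to show the two regimes just described: the fast initial growth (slow start, one extra segment per ACK) and the slow probing once the window has reached a threshold (congestion avoidance, one extra segment per round trip), with a loss cutting the threshold in half. The event stream and the threshold value are constructed; the Tahoe-style reset to one segment after a loss is one of several real strategies and is the example's choice.

```python
def simulate_cwnd(events, ssthresh=16.0):
    """Replay 'ack' / 'loss' events against a congestion window measured in
    segments. Below ssthresh each ACK adds one segment (slow start: the
    window doubles every round trip); at or above it each ACK adds 1/cwnd
    (congestion avoidance: one segment per round trip). A loss halves
    ssthresh and restarts from cwnd = 1. Returns cwnd after each event."""
    cwnd = 1.0
    history = []
    for ev in events:
        if ev == "ack":
            cwnd += 1.0 if cwnd < ssthresh else 1.0 / cwnd
        elif ev == "loss":
            ssthresh = max(2.0, cwnd / 2)
            cwnd = 1.0
        else:
            raise ValueError(f"unknown event {ev!r}")
        history.append(round(cwnd, 2))
    return history


def acks_to_reach(target, ssthresh=16.0):
    """Number of consecutive loss-free ACKs needed for cwnd to reach `target`
    segments; the count jumps once the target lies above ssthresh."""
    cwnd, n = 1.0, 0
    while cwnd < target:
        cwnd += 1.0 if cwnd < ssthresh else 1.0 / cwnd
        n += 1
    return n


if __name__ == "__main__":
    # Constructed event stream: three ACKs, a loss, then two more ACKs.
    print(simulate_cwnd(["ack", "ack", "ack", "loss", "ack", "ack"]))
    print("ACKs to reach 16 segments:", acks_to_reach(16))
    print("ACKs to reach 17 segments:", acks_to_reach(17))
```

Note that nothing in the loop checks what the ACKs acknowledge: the window is driven purely by how many ACKs arrive, which is the property the optimistic ACK attack on the next slide exploits.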

Optimistic ACK Attack
- An optimistic ACK attack takes advantage of the TCP congestion control
- It begins with a client sending out ACKs for data segments it hasn't yet received
- This flood of optimistic ACKs makes the server's TCP stack believe that there is a large amount of bandwidth available and thus increase cwnd
- This leads to the attacker providing more optimistic ACKs, and eventually bandwidth use beyond what the server has available
- This can also be played out across multiple servers, with enough congestion that a certain section of the network is no longer reachable
- There are no practical solutions to this problem

Session Hijacking
- Also commonly known as TCP Session Hijacking
- A security attack over a protected network
- Attempt to take control of a network session
- Sessions are server keeping state of a client's connection
- Servers need to keep track of messages sent between client and the server and their respective actions
- Most networks follow the TCP/IP protocol
- IP Spoofing is one type of hijacking on a large network

IP Spoofing
- IP Spoofing is an attempt by an intruder to send packets from one IP address that appear to originate at another
- If the server thinks it is receiving messages from the real source after authenticating a session, it could inadvertently behave maliciously
- There are two basic forms of IP Spoofing
- Blind Spoofing: attack from any source
- Non-Blind Spoofing: attack from the same subnet

Blind IP Spoofing
- The TCP/IP protocol requires that acknowledgement numbers be sent across sessions
- Makes sure that the client is getting the server's packets and vice versa
- Need to have the right sequence of acknowledgment numbers to spoof an IP identity

Non-Blind IP Spoofing
- IP Spoofing without inherently knowing the acknowledgment sequence pattern
- Done on the same subnet
- Use a packet sniffer to analyze the sequence pattern
- Packet sniffers intercept network packets
- Eventually decodes and analyzes the packets sent across the network
- Determine the acknowledgment sequence pattern from the packets
- Send messages to server with actual client's IP address and with validly sequenced acknowledgment number

Packet Sniffers (cont.)

[Figure: packet sniffer screenshot]
Source: http://www.rootshell.be/~dhar/downloads/Sniffers.pdf

Packet Sniffers
- Packet sniffers read information traversing a network
- Packet sniffers intercept network packets
- Eventually decodes and analyzes the packets sent across the network
- Can be used as legitimate tools to analyze a network
- Monitor network usage
- Filter network traffic
- Analyze network problems
- Can also be used maliciously
- Steal information (i.e. passwords, conversations, etc.)
- Analyze network information to prepare an attack
- Packet sniffers can be either software or hardware based
- Sniffers are dependent on network setup

Packet Sniffing (switches)
- More common spoofing method on switched networks is ARP sniffing
- A network switch contains an Address Resolution Protocol (ARP) cache
- The ARP is a table that maps network IP addresses to the MAC address
- If no mapping exists for a requested IP address, broadcasts a request to all networked machines
- The machine with that address responds and is mapped in the ARP
- By returning a false reply, a spoofing tool can map the ARP to itself instead of the actual client and thus receive all packets from the server to the client
- The reverse can be done as well to redirect the client packets through the sniffer

Furthermore, the ARP is stateless
- It will accept a reply to a broadcast even if no broadcast has been made
- This would allow a sniffer to overwrite the ARP cache entry with its own address
- This is known as poisoning the ARP

By utilizing an ARP cache, one can set up a passive sniffer that can be extremely hard to detect

Detecting Sniffers
- Sniffers are almost always passive
- They simply collect data
- They do not attempt entry to steal data
- This can make them extremely hard to detect
- Most detection methods require suspicion that sniffing is occurring
- Then some sort of ping of the sniffer is necessary
- It should be a broadcast that will cause a response only from a sniffer
- Another solution on switched hubs is ARP watch
- An ARP watch monitors the ARP cache for duplicate entries of a machine
- If such duplicates appear, raise an alarm
- Problem: false alarms
- Specifically, DHCP networks can have multiple entries for a single machine

Stopping Packet Sniffing
- The best way is to encrypt packets securely
- Sniffers can capture the packets, but they are meaningless
- Capturing a packet is useless if it just reads as garbage
- SSH is also a much more secure method of connection
- Private/Public key pairs make sniffing virtually useless
- On switched networks, almost all attacks will be via ARP spoofing
- Add machines to a permanent store in the cache
- This store cannot be modified via a broadcast reply
- Thus, a sniffer cannot redirect an address to itself
- The best security is to not let them in in the first place
- Sniffers need to be on your subnet in a switched hub in the first place
- All sniffers need to somehow access root at some point to start themselves up
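An added example, written for these notes and not taken from the slides, that covers both the ARP watch detection described under "Detecting Sniffers" and the permanent-store mitigation listed above: a shadow ARP cache that raises an alarm whenever an IP address shows up with a different MAC, and that refuses to let any reply overwrite an entry from the permanent store. The ARP replies it consumes are constructed (the fourth one is an unsolicited reply claiming the gateway's IP for a different MAC); addresses are invented for the illustration.

```python
# Constructed ARP replies as they might be observed on one switched segment,
# given as (ip, mac) pairs. Addresses are invented for this example; the
# fourth reply is unsolicited and claims the gateway's IP for another MAC.
SAMPLE_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.20", "00:11:22:33:44:20"),
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),
    ("192.168.1.20", "00:11:22:33:44:20"),
]


class ArpWatch:
    """Shadow ARP cache that alarms when an IP's MAC changes and that never
    lets a reply overwrite an entry from the permanent (static) store."""

    def __init__(self, static=None):
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.cache = dict(self.static)
        self.alarms = []

    def on_reply(self, ip, mac):
        """Process one ARP reply; returns what happened to the cache entry."""
        mac = mac.lower()
        if ip in self.static:
            # Permanent entries cannot be modified by a reply, solicited or not.
            if mac != self.static[ip]:
                self.alarms.append(f"{ip}: reply with {mac} ignored, permanent entry is {self.static[ip]}")
                return "ignored"
            return "static"
        prev = self.cache.get(ip)
        if prev is None:
            self.cache[ip] = mac
            return "new"
        if prev != mac:
            # A stateless cache would silently take the new MAC; this one takes
            # it too, but records the duplicate. A DHCP lease moving to another
            # host trips the same check, which is the false-alarm problem.
            self.alarms.append(f"{ip}: MAC changed from {prev} to {mac}")
            self.cache[ip] = mac
            return "changed"
        return "unchanged"


def run(replies, static=None):
    """Feed a list of replies through a watcher; returns (final cache, alarms)."""
    watch = ArpWatch(static)
    for ip, mac in replies:
        watch.on_reply(ip, mac)
    return watch.cache, watch.alarms


if __name__ == "__main__":
    cache, alarms = run(SAMPLE_REPLIES)
    print("without static entries:", cache, alarms)
    cache, alarms = run(SAMPLE_REPLIES, static={"192.168.1.1": "00:11:22:33:44:01"})
    print("with gateway pinned:   ", cache, alarms)
```

With no permanent entry the watcher can only alarm after the cache has already been redirected; with the gateway pinned the bad reply is both reported and ignored, which is the difference between detection and prevention on this slide.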

Port Knocking
- Broadly, port knocking is the act of attempting to make connections to blocked ports in a certain order in an attempt to open a port
- Port knocking is fairly secure against brute force attacks since there are 65536^k combinations, where k is the number of ports knocked
- Port knocking however is very susceptible to replay attacks. Someone can theoretically record port knocking attempts and repeat those to get the same open port again
- One good way of protecting against replay attacks would be a time dependent knock sequence
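As an added example (not from the slides) of the time-dependent knock sequence suggested above, the Python below derives the ports to knock from a keyed hash of the current 30-second window, so a recorded sequence is worthless once the window has passed, and additionally refuses to honour the same sequence twice from one source within a window. The shared secret, window length, sequence length and the client addresses are constructed; the server here is a state machine that a firewall hook would feed with connection attempts, not a network listener.

```python
import hashlib
import hmac

SECRET = b"constructed knock secret"   # shared between client and server (example value)
KNOCK_LEN = 4
WINDOW = 30                             # seconds for which one knock sequence is valid


def knock_sequence(secret, window_index, n=KNOCK_LEN):
    """Ordered ports to knock for one time window: 16-bit chunks of
    HMAC(secret, window_index) mapped into 1024..65535. The sequence changes
    every WINDOW seconds, so a replay from an earlier window never matches."""
    seq, counter = [], 0
    while len(seq) < n:
        digest = hmac.new(secret, f"{window_index}:{counter}".encode(), hashlib.sha256).digest()
        for i in range(0, len(digest), 2):
            port = 1024 + int.from_bytes(digest[i:i + 2], "big") % (65536 - 1024)
            if port not in seq:
                seq.append(port)
            if len(seq) == n:
                break
        counter += 1
    return seq


class KnockServer:
    def __init__(self, secret=SECRET, window=WINDOW, skew=1):
        self.secret, self.window, self.skew = secret, window, skew
        self.progress = {}      # source ip -> ports matched so far
        self.redeemed = set()   # (source ip, window) already used: no second use within a window
        self.opened = set()     # source ips for which the protected port was opened

    def knock(self, src_ip, port, now):
        """Feed one connection attempt to a closed port; True when a full
        sequence for the current window (or `skew` earlier ones) completes."""
        current = int(now // self.window)
        candidates = [(w, knock_sequence(self.secret, w)) for w in range(current, current - self.skew - 1, -1)]
        seen = self.progress.get(src_ip, []) + [port]
        for w, seq in candidates:
            if seq[:len(seen)] != seen:
                continue
            if len(seen) < len(seq):
                self.progress[src_ip] = seen
                return False
            self.progress.pop(src_ip, None)
            if (src_ip, w) in self.redeemed:
                return False            # same sequence replayed within its window
            self.redeemed.add((src_ip, w))
            self.opened.add(src_ip)
            return True
        self.progress.pop(src_ip, None)  # wrong port: the client starts over
        return False


if __name__ == "__main__":
    now = 1000.0
    seq = knock_sequence(SECRET, int(now // WINDOW))
    server = KnockServer()
    print("knocking", seq, "->", [server.knock("198.51.100.5", p, now) for p in seq])
    print("same sequence 10 minutes later ->", [server.knock("198.51.100.5", p, now + 600) for p in seq])
```

The remaining gap is a replay from a different source address inside the same window; closing it needs a per-client counter or challenge rather than a time slot alone, which is beyond what the slide proposes.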

User Datagram Protocol
- UDP is a stateless, unreliable datagram protocol built on top of IP, that is, it lies on level 4
- It does not provide delivery guarantees or acknowledgments, but is significantly faster
- Can however distinguish data for multiple concurrent applications on a single host
- A lack of reliability implies applications using UDP must be ready to accept a fair amount of error packages and data loss. Some application level protocols such as TFTP build reliability on top of UDP
- Most applications used on UDP will suffer if they have reliability. VoIP, streaming video and streaming audio all use UDP
- UDP does not come with built-in congestion protection, so while UDP does not suffer from the problems associated with optimistic ACK, there are cases where high rate UDP network access will cause congestion

Network Address Translation
- Introduced in the early 90s to alleviate IPv4 address space congestion
- Relies on translating addresses in an internal network to an external address that is used for communication to and from the outside world
- NAT is usually implemented by placing a router in between the internal private network and the public network
- Saves IP address space since not every terminal needs a globally unique IP address, only an organizationally unique one
- While NAT should really be transparent to all high level services, this is sadly not true because a lot of high level communication uses things on IP

Translation
- Router has a pool of private addresses 192.168.10.0/24

[Figure: NAT translation between the private realm and the global realm]
Private realm, host 192.168.10.237 to router (NAT):
  outbound  s=192.168.10.237  d=128.148.36.11
  inbound   s=128.148.36.11   d=192.168.10.237
Global realm, router (NAT) to host 128.148.36.11:
  outbound  s=128.148.36.179  d=128.148.36.11
  inbound   s=128.148.36.11   d=128.148.36.179

2/17/2010 Networks: IP and TCP
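An added example of the translation in the figure above, written for these notes rather than taken from the slides: a NAT router object that rewrites the source of outbound packets to its global address, records the mapping, and reverses it for inbound replies, dropping inbound packets that match no mapping. It goes one step beyond the slide's address-only diagram by also translating the source port (port-based NAT, which is what lets many private hosts share one global address). The addresses are the figure's; the ports and the starting port of the translation pool are constructed for the illustration.

```python
import ipaddress
import itertools


class Nat:
    """Port-translating NAT: outbound packets from the private realm get the
    router's global address and a fresh global port as their source; the
    mapping is remembered so that inbound replies can be rewritten back."""

    def __init__(self, global_ip, private_net="192.168.10.0/24", first_port=40000):
        self.global_ip = global_ip
        self.private_net = ipaddress.ip_network(private_net)
        self.out_map = {}                         # (private ip, private port) -> global port
        self.in_map = {}                          # global port -> (private ip, private port)
        self.next_port = itertools.count(first_port)   # constructed pool of global ports

    def outbound(self, pkt):
        """Private realm -> global realm: rewrite source address and port."""
        src, sport = pkt["src"], pkt["sport"]
        if ipaddress.ip_address(src) not in self.private_net:
            raise ValueError(f"{src} is not in the private realm {self.private_net}")
        key = (src, sport)
        if key not in self.out_map:
            gport = next(self.next_port)
            self.out_map[key] = gport
            self.in_map[gport] = key
        return dict(pkt, src=self.global_ip, sport=self.out_map[key])

    def inbound(self, pkt):
        """Global realm -> private realm: rewrite destination back, or return
        None (drop) when no private host ever opened this mapping."""
        if pkt["dst"] != self.global_ip or pkt["dport"] not in self.in_map:
            return None
        src, sport = self.in_map[pkt["dport"]]
        return dict(pkt, dst=src, dport=sport)


if __name__ == "__main__":
    nat = Nat("128.148.36.179")
    # Constructed packets matching the figure: 192.168.10.237 talks to 128.148.36.11.
    out = nat.outbound({"src": "192.168.10.237", "sport": 51515, "dst": "128.148.36.11", "dport": 80})
    print("outbound after NAT:", out)
    reply = nat.inbound({"src": "128.148.36.11", "sport": 80, "dst": "128.148.36.179", "dport": out["sport"]})
    print("inbound after NAT: ", reply)
    print("unsolicited inbound:", nat.inbound({"src": "128.148.36.11", "sport": 80, "dst": "128.148.36.179", "dport": 40001}))
```

The dropped unsolicited packet is the side effect that makes NAT act as a crude inbound filter; the mapping table is also why protocols that carry IP addresses inside their payload break behind NAT, which is the transparency problem noted on the previous slide.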

IP Packet Modifications

[Figure: IPv4 header, bits 0 to 31 per row]
vers | len | type of service | total length
ident | flags | fragment offset
time to live | proto | header checksum
source IP address
destination IP address
options | padding
data

Header checksum: computed, modified on output, modified on input
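As an added example (not from the slides), the Python below computes the IPv4 header checksum and shows the per-hop modification the figure refers to: a router verifies the checksum on input, decrements the TTL on output, and must recompute the checksum because the TTL changed; when the TTL reaches zero the packet is discarded instead, which is the event traceroute provokes with increasing TTL values. The sample header is a commonly cited textbook example (UDP, 115 bytes, 192.168.0.1 to 192.168.0.199) reproduced here as constructed input.

```python
import struct

# Constructed 20-byte IPv4 header with the checksum field zeroed: version 4,
# IHL 5, total length 115 (0x73), DF set, TTL 64, protocol 17 (UDP),
# 192.168.0.1 -> 192.168.0.199. A commonly cited example whose checksum is 0xb861.
SAMPLE = bytes.fromhex("4500 0073 0000 4000 4011 0000 c0a8 0001 c0a8 00c7")


def ip_checksum(header):
    """Internet checksum: one's complement of the one's complement sum of the
    header's 16-bit words. Computed over the header with its checksum field
    zeroed; over a complete, intact header the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(header):
    """Return the header with bytes 10..11 (header checksum) filled in."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ip_checksum(zeroed)) + zeroed[12:]


def checksum_ok(header):
    """Verification on input: summing every word including the stored
    checksum must give all ones, i.e. ip_checksum over the full header is 0."""
    return ip_checksum(header) == 0


def forward_hop(header):
    """What a router does to the header on output: verify, decrement the TTL
    and recompute the checksum. Returns None when the header is corrupt or
    the TTL would reach 0; in the latter case the router discards the packet
    and sends an ICMP time exceeded message back to the source."""
    if not checksum_ok(header):
        return None
    ttl = header[8]
    if ttl <= 1:
        return None
    return with_checksum(header[:8] + bytes([ttl - 1]) + header[9:])


if __name__ == "__main__":
    h = with_checksum(SAMPLE)
    print("checksum:", hex(struct.unpack("!H", h[10:12])[0]), "valid:", checksum_ok(h))
    hop = h
    for n in range(3):
        hop = forward_hop(hop)
        print(f"after hop {n + 1}: TTL {hop[8]}, checksum valid: {checksum_ok(hop)}")
```

Because every router rewrites the checksum anyway, it protects only against accidental corruption: an on-path attacker who modifies the header simply recomputes it, which is the "no integrity checking" point from the IP vulnerabilities slide.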
