Network Technology Review and Security Concerns
Computer Security I
CS461/ECE422
Fall 2010
Outline
• Overview Issues and Threats in Network Security
• Review basic network technology
– TCP/IP in particular
– Attacks specific to particular technologies
Security Issues in Networks
Increased Security Complexity
• Different operating systems
– Computers, Servers, Network Devices
• Multiple Administrative Domains
• Need to open access
• Multiple Paths and shared resources
• Anonymity
OSI Reference Model
• The layers
– 7: Application, e.g., HTTP, SMTP, FTP
– 6: Presentation
– 5: Session
– 4: Transport, e.g. TCP, UDP
– 3: Network, e.g. IP, IPX
– 2: Data link, e.g., Ethernet frames, ATM cells
– 1: Physical, e.g., Ethernet media, ATM media
• Standard software engineering reasons for thinking about a layered design
Message mapping to the layers
[Figure: an SVN update message is split into Packet1 and Packet2. Going down the stack, each layer prepends its own header (L7 App data, L4 TCP source/destination ports, L3 IP source/destination addresses, L2 Eth source/destination MACs) until the frames leave as the communications bit stream.]
Confidentiality/Integrity
Physical Layer
• Radio waves
– Just listen
• Microwave
– Point-to-point (sort of)
– Dispersal
• Ethernet
– Inductance of cables
– Tapping into ethernet cables
– Promiscuous sniffing
Switches
• Original Ethernet broadcast all packets
• Layer two means of passing packets
– Learn or configure which MACs live behind which ports
– Only pass traffic to the appropriate port
• Span ports
– Mirror all traffic
Physical Denial of Service
• Radio
– Jamming
• Cables
– Cutting or mutilating
Network Layer - IP
• Moves packets between computers
– Possibly on different physical segments
– Best effort
• Technologies
– Routing
– Lower level address discovery (ARP)
– Error Messages (ICMP)
IPv4
• See Wikipedia for field details
– http://en.wikipedia.org/wiki/IPv4
IPv4 header (each row is one 32-bit word):
Version | IHL | Type of service | Total length
Identification | DF | MF | Frag Offset
Time to live | Protocol | Header checksum
Source address
Destination address
0 or more words of options
IPv4 Addressing
• Each entity has at least one address
• Addresses are divided into subnetworks
– Address and mask combination
– 192.168.1.0/24 or 10.0.0.0/8
– 192.168.1.0 255.255.255.0 or 10.0.0.0 255.0.0.0
– 192.168.1.0-192.168.1.255 or 10.0.0.0-10.255.255.255
• Addresses in your network are “directly” connected
– Broadcasts should reach them
– No need to route packets to them
Address spoofing
• Sender can put any source address in packets he sends:
– Can be used to send unwelcome return traffic to the spoofed address
– Can be used to bypass filters to get unwelcome traffic to the destination
• Reverse Path verification can be used by routers to broadly catch some spoofers
Address Resolution Protocol (ARP)
• Used to discover the mapping of neighboring ethernet MAC to IP addresses.
– Need to find the MAC for 192.168.1.3, which is in your interface's subnetwork
– Broadcast an ARP request on the link
– Hopefully receive an ARP reply giving the correct MAC
– The device stores this information in an ARP cache or ARP table
ARP cache poisoning
• Bootstrap problem with respect to security. Anyone can send an ARP reply
– The Ingredients to ARP Poison, http://www.governmentsecurity.org/articles/TheIngredientstoARPPoison.php
• Classic Man-in-the-middle attack
– Send ARP reply messages to devices so they think your machine is someone else
– Better than simple sniffing because it is not just best effort.
• Solutions
– Encrypt all traffic
– Monitoring programs like arpwatch to detect mapping changes
• Which might be valid due to DHCP
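The detection side of the arpwatch bullet, as an added illustration that is not part of the lecture: a minimal mapping-change monitor fed a constructed sequence of ARP replies. The alert names mirror arpwatch's report types; the IP and MAC addresses are made up.

```python
from dataclasses import dataclass, field


@dataclass
class ArpWatcher:
    """arpwatch-style monitor: remember the MAC last seen for each IP and flag changes."""
    table: dict = field(default_factory=dict)     # ip -> MAC currently believed
    previous: dict = field(default_factory=dict)  # ip -> MAC it had before the last change

    def observe(self, ip, mac):
        """Feed one ARP reply ('ip is-at mac'); return an alert string or None."""
        old = self.table.get(ip)
        if old is None:
            self.table[ip] = mac
            return f"new station {ip} {mac}"
        if old == mac:
            return None
        # The mapping moved. A single move may be legitimate (DHCP handed the
        # address to another host); bouncing between two MACs is the classic
        # sign of a poisoner fighting the real owner for the address.
        kind = "flip flop" if self.previous.get(ip) == mac else "changed ethernet address"
        self.previous[ip] = old
        self.table[ip] = mac
        return f"{kind} {ip} {old} -> {mac}"


def scan(replies):
    """Run a sequence of (ip, mac) ARP replies through a fresh watcher and collect alerts."""
    watcher = ArpWatcher()
    alerts = []
    for ip, mac in replies:
        alert = watcher.observe(ip, mac)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample traffic: the gateway 192.168.1.1 really lives at
# aa:bb:cc:00:00:01; a second host then starts answering for it.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.3", "aa:bb:cc:00:00:03"),
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),  # somebody else claims the gateway
    ("192.168.1.1", "aa:bb:cc:00:00:01"),  # the real gateway answers again
    ("192.168.1.1", "de:ad:be:ef:00:99"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_REPLIES):
        print(line)
```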
Basic IPv4 Routing
• Static routing. Used by hosts, firewalls and routers.
– Routing table consists of entries of
• Network, Next hop address, metric, interface
– May have a routing table per incoming interface
– To route a packet, take the destination address and find the best matching network in the table. In case of a tie, look at the metric
• Use the corresponding next hop address and interface to send the packet on.
• The next hop address is on the same link as this device, so you use the next hop’s data-link address, e.g. ethernet MAC address
– Decrement the “time to live” field in the IP header at each hop. Drop the packet when it reaches 0
• Attempt to avoid routing loops
• As the internet got bigger, TTL fields got set bigger. 255 maximum
Routing example
• Receive a packet destined to 192.168.3.56 on the inside interface
• Local routing table for the inside interface
– 192.168.2.0/30, 127.0.0.1, 1, outside
– 192.168.5.0/29, 127.0.0.1, 1, dmz
– 192.168.3.0/24, 192.168.5.6, 1, dmz
– 192.168.3.0/24, 192.168.1.2, 3, outside
– 0.0.0.0/0, 192.168.1.2, 1, outside
• Entries 3 and 4 tie. But the metric for 3 is better
• Entries 1 and 2 are for directly connected networks
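An added worked example (not from the lecture) that runs the slide's routing table through longest-prefix matching with the metric tie-break, and then reuses the same lookup for the reverse-path verification mentioned on the address spoofing slide. The reverse-path check and the test addresses are additions; treating a next hop of 127.0.0.1 as "directly connected" follows the slide.

```python
import ipaddress

# The inside-interface routing table from the slide:
# (network, next hop, metric, interface). As on the slide, a next hop of
# 127.0.0.1 marks a directly connected network.
ROUTING_TABLE = [
    ("192.168.2.0/30", "127.0.0.1",   1, "outside"),
    ("192.168.5.0/29", "127.0.0.1",   1, "dmz"),
    ("192.168.3.0/24", "192.168.5.6", 1, "dmz"),
    ("192.168.3.0/24", "192.168.1.2", 3, "outside"),
    ("0.0.0.0/0",      "192.168.1.2", 1, "outside"),
]


def lookup(table, dst):
    """Pick the route for dst: longest matching prefix wins, lowest metric breaks a tie.

    Returns (next_hop, interface), or None if nothing matches (no default route).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, metric, iface in table:
        network = ipaddress.ip_network(net)
        if addr not in network:
            continue
        # Tuples compare left to right: a longer prefix always beats a shorter
        # one, and among equal prefixes the smaller metric (larger -metric) wins.
        rank = (network.prefixlen, -metric)
        if best is None or rank > best[0]:
            best = (rank, next_hop, iface)
    if best is None:
        return None
    _, next_hop, iface = best
    if next_hop == "127.0.0.1":
        next_hop = dst  # directly connected: ARP for the destination itself
    return next_hop, iface


def reverse_path_ok(table, src, in_iface):
    """Strict reverse-path verification: the packet's source must be reachable
    back out of the interface it arrived on, otherwise treat it as spoofed."""
    route = lookup(table, src)
    return route is not None and route[1] == in_iface


if __name__ == "__main__":
    print(lookup(ROUTING_TABLE, "192.168.3.56"))  # entry 3 beats entry 4 on metric
    # A packet arriving on "outside" that claims to come from the dmz's 192.168.3.0/24
    print(reverse_path_ok(ROUTING_TABLE, "192.168.3.56", "outside"))
```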
Source Based Routing
• In the IP Options field, can specify a source route
– Was conceived of as a way to ensure some traffic could be delivered even if the routing table was completely screwed up.
• Can be used by the bad guy to avoid security enforcing devices
– Most folks configure routers to drop packets with source routes set
IP Options in General
• Originally envisioned as a means to add more features to IP later
• Most routers drop packets with IP options set
– Stance of not passing traffic you don’t understand
– Therefore, IP Option mechanisms never really took off
• In addition to source routing, there are security Options
– Used for DNSIX, an MLS network encryption scheme
Dynamic Routing Protocols
• For scaling, discover topology and routing rather than statically constructing routing tables
– Open Shortest Path First (OSPF): Used for routing within an administrative domain
– RIP: not used much anymore
– Border Gateway Protocol (BGP): Used for routing between administrative domains. Can encode non-technical transit constraints, e.g. Domain X will only carry traffic of paying customers
• Receives full paths from neighbors, so it avoids counts to infinity.
Dynamic Routing
• Injecting unexpected routes is a security concern.
– BGP supports peer authentication
– BGP blackholing is in fact used as a mechanism to isolate “bad” hosts
– Filter out route traffic from unexpected (external) points
– OSPF has MD5 authentication, and can statically configure neighbor routers rather than discover them.
• Accidents are just as big a concern as malicious injections
Internet Control Message Protocol (ICMP)
• Used for diagnostics
– Destination unreachable
– Time exceeded, TTL hit 0
– Parameter problem, bad header field
– Source quench, throttling mechanism rarely used
– Redirect, feedback on potential bad route
– Echo Request and Echo reply, ping
– Timestamp request and Timestamp reply, performance ping
– Packet too big
• Can use information to help map out a network
– Some people block ICMP from outside domain
Smurf Attack
• An amplification DoS attack
– A relatively small amount of information sent is expanded to a large amount of data
• Send ICMP echo request to IP broadcast addresses. Spoof the victim's address as the source
• The echo request receivers dutifully send echo replies to the victim, overwhelming it
• Fraggle is a UDP variant of the same attack
“Smurf”
[Figure: the Perpetrator sends an ICMP echo (spoofed source address of victim) to an IP broadcast address across the Internet; every host that receives it sends an ICMP echo reply to the Victim.]
Transport Level – TCP and UDP
• Service to service communication.
– Multiple conversations possible between the same pair of computers
• Transport flows are defined by source and destination ports
• Applications are associated with ports (generally just destination ports)
– IANA organizes port assignments http://www.iana.org/
• Source ports are often dynamically selected
– Ports under 1024 are considered well-known ports
– Would not expect source ports to come from the well-known range
Reconnaissance
• Port scanning
– Send probes to all ports on the target
– See which ones respond
• Application fingerprinting
– Analyze the data returned
– Determine type of application, version, basic configuration
– Traffic answering from port 8080 is HTTP, Apache or Subversion
Datagram Transport
• User Datagram Protocol (UDP)
– A best-effort delivery, no guarantee, no ACK
– Lower overhead than TCP
– Good for best-effort traffic like periodic updates
– No long lived connection overhead on the endpoints
• Some folks implement their own reliable protocol over UDP to get “better performance” or “less overhead” than TCP
– Such efforts don’t generally pan out
• TFTP and DNS protocols use UDP
• Data channels of some multimedia protocols, e.g., H.323, also use UDP
UDP Header
Source Port | Destination Port
UDP Length | UDP Checksum
DHCP
• Built on the older BOOTP protocol (which was built on the even older RARP protocol)
– Used by diskless Suns
• Enables dynamic allocation of IP address and related information
• Runs over UDP
• No security considered in the design, obvious problems
– Bogus DHCP servers handing out addresses of the attacker's choice
– Bogus clients grabbing addresses
• IETF attempted to add DHCP authentication, but rather late in the game to do this.
• Other solutions
– Physically secure networks
– Use IPSec
Reliable Streams
• Transmission Control Protocol (TCP)
– Guarantees reliable, ordered stream of traffic
– Such guarantees impose overhead
– A fair amount of state is required on both ends
• Most Internet protocols use TCP, e.g., HTTP, FTP, SSH, H.323 control channels
TCP Header (each row is one 32-bit word)
Source Port | Destination Port
Sequence Number
Acknowledgement Number
Hdr Len | URG ACK PSH RST SYN FIN | Window Size
Checksum | Urgent Pointer
Options (0 or more words)
Three way handshake
[Figure: Machine A → Machine B: SYN, seqno=100. Machine B → Machine A: SYN, seqno=511, ACK=100. Machine A → Machine B: ACK=511.]
Syn flood
• A resource DoS attack focused on the TCP three-way handshake
• Say A wants to set up a TCP connection to B
– A sends SYN with its sequence number X
– B replies with its own SYN and sequence number Y and an ACK of A’s sequence number X
– A sends data with its sequence number X and ACKs B’s sequence number Y
– Send many of the first message to B. Never respond to the second message.
– This leaves B with a bunch of half open (or embryonic) connections that are filling up memory
– Firewalls adapted by setting limits on the number of such half open connections.
SYN Flood
[Figure: Machine A sends SYN seqno=100; Machine B answers SYN seqno=511, ACK=100. Instead of completing the handshake, A keeps sending fresh SYNs (seqno=89, seqno=176, seqno=344), leaving B holding half-open connections.]
SYN Flood Constrainer
[Figure: the firewall (FW) completes the handshake with Machine A on B's behalf: A sends SYN seqno=100, FW answers SYN seqno=511, ACK=100, and A returns ACK=511. Only then does FW open the connection to Machine B: SYN seqno=56, SYN seqno=677, ACK=56, ACK=677. A's further SYNs (seqno=176, seqno=344) stay on the A-FW side.]
Another Syn Flood solution: SYN cookie
• Encode information in the sequence number, so the receiver does not need to save anything for a half open connection
– t = counter, m = MSS, s = crypto function computed over IP addresses and server port and t (24 bits)
– Seqno = (t mod 32) || m encoded in 3 bits || s (24 bits)
• On receiving the ACK, get the original seqno by subtracting 1
– Check t to verify timeout
– Recompute s to verify addresses and ports
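An added example (not from the slides) that implements the layout just described: 5 bits of counter, 3 bits of MSS index, 24 bits of keyed hash, with nothing stored for the half-open connection. HMAC-SHA256 as the "crypto function", the server secret, the MSS table and the 4-tick validity window are all assumptions.

```python
import hashlib
import hmac

# Constructed server secret; a real server would draw this at boot.
SECRET = b"constructed-syn-cookie-secret"

# The 3-bit m field can only name one of eight MSS values, so the server keeps
# a small table and stores the index. The values here are an assumption.
MSS_TABLE = [536, 1300, 1440, 1460, 4312, 8960, 16384, 65495]

# How many counter ticks a cookie stays valid (assumption; the slide only says
# the counter is checked to enforce a timeout).
MAX_AGE = 4


def _s(src_ip, dst_ip, server_port, t):
    """The 24-bit 's' field: keyed hash over the IP addresses, server port and t."""
    msg = f"{src_ip}|{dst_ip}|{server_port}|{t}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src_ip, dst_ip, server_port, client_mss, counter):
    """Build the SYN-ACK sequence number: (t mod 32) || m (3 bits) || s (24 bits)."""
    t = counter % 32
    # Largest table entry that does not exceed what the client offered.
    m = max((i for i, v in enumerate(MSS_TABLE) if v <= client_mss), default=0)
    s = int.from_bytes(_s(src_ip, dst_ip, server_port, t), "big")
    return (t << 27) | (m << 24) | s


def check_cookie(src_ip, dst_ip, server_port, ack, counter):
    """Validate the client's ACK without any stored half-open state.

    Returns the MSS to use for the connection, or None if the cookie is stale
    or was not minted for these addresses and port.
    """
    seqno = (ack - 1) & 0xFFFFFFFF   # the ACK acknowledges our seqno + 1
    t = seqno >> 27
    m = (seqno >> 24) & 0x7
    s = (seqno & 0xFFFFFF).to_bytes(3, "big")
    if (counter - t) % 32 > MAX_AGE:
        return None                  # timed out (or the 5-bit counter wrapped)
    if not hmac.compare_digest(s, _s(src_ip, dst_ip, server_port, t)):
        return None                  # forged, replayed from another flow, or wrong port
    return MSS_TABLE[m]


if __name__ == "__main__":
    cookie = make_cookie("10.0.0.5", "192.0.2.1", 80, 1460, counter=7)
    print(hex(cookie), check_cookie("10.0.0.5", "192.0.2.1", 80, cookie + 1, counter=8))
```

Because only 24 bits of the 32 are the keyed hash, a flooder guessing ACKs at random still has a 1 in 2^24 chance per packet; real implementations accept that trade against the memory the half-open state would otherwise consume.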
Session Hijacking
• Take over a session after the 3 way handshake is performed
– After initial authentication too
• Local
– Can see all traffic.
– Simply inject traffic at a near future sequence number
• Blind
– Cannot see traffic
– Must guess the sequence number
Session Hijacking
[Figure: an established Client/Server session, with the Attacker injecting segments into it.]
Application Protocols
• Single connection protocols
– Use a single connection, e.g. HTTP, SMTP
• Dynamic Multi-connection Protocols, e.g. FTP and H.323
– Have a well known control channel
– Negotiate ports and/or addresses on the control channel for subsidiary data channels
– Dynamically open the negotiated data channels
• Protocol suites, e.g. Netbios and DNS
Spoofing Applications
• Oftentimes ridiculously easy
• Fake Client
– Telnet to an SMTP server and enter mail from whoever you want
– Authenticating email servers
• Require a password
• Require a mail download before the server takes send requests
• Fake server
– Phishing: misdirect the user to a bogus server
Default Settings
• Many applications installed with default users and passwords
– Wireless routers, SCADA systems
• Default passwords for many of these systems are easily found on the Internet
– http://www.cirt.net/cgi-bin/passwd.pl
Domain Name System (DNS)
• Hierarchical service to resolve domain names to IP addresses.
– The name space is divided into non-overlapping zones
– E.g., consider shinrich.cs.uiuc.edu.
– DNS servers in the chain. One for .edu, one for .uiuc.edu, and one for .cs.uiuc.edu
• Can have primary and secondary DNS servers per zone. Use TCP based zone transfer to keep up to date
• Like DHCP, no security designed in
– But at least the DNS server is not automatically discovered
– Although this information can be dynamically set via DHCP
DNS Problems
• DNS Open relays
– Makes it look like a good DNS server is the authoritative server for a bogus name
– Enables amplification DoS attack
• http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf
• DNS Cache Poisoning
– Change the name to address mapping to something more desirable to the attacker
• http://www.secureworks.com/research/articles/cachepoisoning
– Dan Kaminsky raised the issue again last summer
• http://www.linuxjournal.com/content/understanding-kamin
DNS Transaction
DNS Pictures thanks to http://www.lurhq.com/dnscache.pdf
DNS Communication
• Use UDP
• Requests and responses have matching 16 bit transaction IDs
• Servers can be configured as
– Authoritative Nameserver: officially responsible for answering requests for a domain
– Recursive: pass on requests to other authoritative servers
– Both (this can be the problem)
DNS Open Relay
[Figure: Y is a DNS server authoritative for big.com with recursion enabled for the whole Internet. Z (attacker) sends a query with src=X (victim) dst=Y: "What is address of bob.com?" Y resolves it and answers src=Y dst=X: "bob.com = 1.2.3.4", so the reply lands on the victim.]
Good DNS Deployment
[Figure: Y is a recursive DNS server that only accepts local requests; W is a DNS server authoritative for big.com. From the Internet, Z (attacker) sends src=X dst=Y "What is address of bob.com?", src=X dst=W "What is address of big.com?", and src=X dst=W "What is address of bob.com?". Y will not serve the outside query, and W answers only for its own zone big.com.]
DNS Cache Poisoning
• Older implementations would just accept additional information in a reply
– e.g. A false authoritative name server
– Fixed by bailiwick checking. Additional records only include entries from the requested domain
• Now to spoof a reply one must anticipate the correct transaction ID
– Only 16 bits
– Random selection of ID isn't always the greatest
Bailiwick Checks
$ dig @ns1.example.com www.example.com
;; ANSWER SECTION:
www.example.com. 120 IN A 192.168.1.10
;; AUTHORITY SECTION:
example.com. 86400 IN NS ns1.example.com.
example.com. 86400 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 604800 IN A 192.168.2.20
ns2.example.com. 604800 IN A 192.168.3.30
www.linuxjournal.com. 43200 IN A 66.240.243.113
Tricking the Transaction IDs
Kaminsky's Observations
• Most implementations don't randomize source ports (making the TID collision more likely)
• Try to poison through the additional information (side stepping the bailiwick check)
$ dig doesnotexist.example.com
;; ANSWER SECTION:
doesnotexist.example.com. 120 IN A 10.10.10.10
;; AUTHORITY SECTION:
example.com. 86400 IN NS www.example.com.
;; ADDITIONAL SECTION:
www.example.com. 604800 IN A 10.10.10.20
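An added example (not from the slides) that parses the two dig replies shown on the Bailiwick Checks and Kaminsky slides and applies the bailiwick check to their authority/additional sections: the www.linuxjournal.com record in the first reply is dropped, while every record in the Kaminsky-style reply lies inside example.com and passes, which is why transaction ID and source port randomness are the remaining defence. Taking "example.com" as the zone the resolver was asking about is an assumption about the resolver's state.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_dig(text):
    """Parse the ANSWER/AUTHORITY/ADDITIONAL sections of dig-style output into {section: [RR]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ") and line.endswith("SECTION:"):
            current = line[3:].split()[0].lower()
            sections[current] = []
        elif line and current is not None and not line.startswith(";"):
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            sections[current].append(RR(name.lower(), int(ttl), rtype, rdata))
    return sections


def in_bailiwick(name, zone):
    """True if name is zone itself or lies beneath it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def bailiwick_filter(sections, zone):
    """Split AUTHORITY/ADDITIONAL records into those a resolver may cache (inside
    the zone it was asking about) and those it must discard."""
    accepted, rejected = [], []
    for sec in ("authority", "additional"):
        for rr in sections.get(sec, []):
            (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


# Both replies are the ones shown on the slides (records rejoined onto one line).
# Reply 1: a legitimate answer padded with an out-of-bailiwick A record.
REPLY_LEGIT_PLUS_JUNK = """
$ dig @ns1.example.com www.example.com
;; ANSWER SECTION:
www.example.com. 120 IN A 192.168.1.10
;; AUTHORITY SECTION:
example.com. 86400 IN NS ns1.example.com.
example.com. 86400 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 604800 IN A 192.168.2.20
ns2.example.com. 604800 IN A 192.168.3.30
www.linuxjournal.com. 43200 IN A 66.240.243.113
"""

# Reply 2: Kaminsky-style. Everything sits inside example.com, so the bailiwick
# check cannot tell it from a genuine delegation; only an unguessed transaction
# ID (and source port) keeps a forged copy of it out of the cache.
REPLY_KAMINSKY = """
$ dig doesnotexist.example.com
;; ANSWER SECTION:
doesnotexist.example.com. 120 IN A 10.10.10.10
;; AUTHORITY SECTION:
example.com. 86400 IN NS www.example.com.
;; ADDITIONAL SECTION:
www.example.com. 604800 IN A 10.10.10.20
"""

if __name__ == "__main__":
    for label, text in (("legit+junk", REPLY_LEGIT_PLUS_JUNK), ("kaminsky", REPLY_KAMINSKY)):
        ok, dropped = bailiwick_filter(parse_dig(text), "example.com")
        print(label, "cached:", [r.name for r in ok], "dropped:", [r.name for r in dropped])
```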
DNSSEC
• Seeks to solve the trust issues of DNS
• Uses a key hierarchy for verification
• Has been under development for over a decade and still not really deployed
– This year articles say root servers for .edu, .org, and .com will be deployed in the 2010, 2011 timeframe.
• Provides authentication, not confidentiality
• DNS Threat Analysis in RFC 3833.
Key Points
• Network is complex and critical
• Many flaws have been simple implementation problems
• Poor configuration also can cause widespread problems
• Other guys' problems can affect me
• Next, what can you do about it?

More Related Content

PDF
Ismail TCP IP.pdf
PDF
Ismail TCP IP.pdf
PPT
tcpip.ppt
PPT
tcpip.ppt protocol power point presentation
PPT
tcpip.ppt
PPT
Introduction to TCP / IP in networking Technology
PPT
tcpip.ppt
PPT
Ismail TCP IP.pdf
Ismail TCP IP.pdf
tcpip.ppt
tcpip.ppt protocol power point presentation
tcpip.ppt
Introduction to TCP / IP in networking Technology
tcpip.ppt

Similar to network-security_for cybersecurity_experts (20)

PPT
PPT
presentation on Internet and its protocol
PPT
CCNA Exam by quangkien@gmail.com - for CCNA test
PPT
networking and computer security prasantation
PPT
WIFI MODEM Part-22
PPTX
Computer network coe351- part3-final
PPTX
Packet Analysis - Course Technology Computing Conference
PPT
Vulnerabilities in IP Protocols
PPTX
Computer network coe351- part2- final
PPT
ip nnnnnnnnnnnnnnnnnnbbbbbbblecture06.ppt
PPT
6.Routing
PDF
Lecture set 7
PPT
Tcp ip
PPTX
Internet protocols Report Slides
PPS
QSpiders - Upper layer-protocols
PPT
Tcp Udp Icmp And The Transport Layer
PPT
Transport Layer
PPTX
Sept 2017 internetworking
PPTX
09 Systems Software Programming-Network Programming.pptx
PPT
presentation on TCP/IP protocols data comunications
presentation on Internet and its protocol
CCNA Exam by quangkien@gmail.com - for CCNA test
networking and computer security prasantation
WIFI MODEM Part-22
Computer network coe351- part3-final
Packet Analysis - Course Technology Computing Conference
Vulnerabilities in IP Protocols
Computer network coe351- part2- final
ip nnnnnnnnnnnnnnnnnnbbbbbbblecture06.ppt
6.Routing
Lecture set 7
Tcp ip
Internet protocols Report Slides
QSpiders - Upper layer-protocols
Tcp Udp Icmp And The Transport Layer
Transport Layer
Sept 2017 internetworking
09 Systems Software Programming-Network Programming.pptx
presentation on TCP/IP protocols data comunications
Ad

More from abacusgtuc (7)

PPTX
Variable, Functions, Scoping and Variable Conversion
PPTX
CHAPTER 2 (Data types,Variables) in Visual Basic Programming
PPTX
Introduction to Visual Basic Programming
PDF
Cybersecurity_Security_architecture_2023.pdf
PDF
ch04_network-vulnerabilities-and-attacks.pdf
PPT
psychology of everyday things_and_design_concepts.ppt
PDF
Information Security Planning and Risk Analysis
Variable, Functions, Scoping and Variable Conversion
CHAPTER 2 (Data types,Variables) in Visual Basic Programming
Introduction to Visual Basic Programming
Cybersecurity_Security_architecture_2023.pdf
ch04_network-vulnerabilities-and-attacks.pdf
psychology of everyday things_and_design_concepts.ppt
Information Security Planning and Risk Analysis
Ad

Recently uploaded (20)

PPTX
L1 - Introduction to python Backend.pptx
PDF
Softaken Excel to vCard Converter Software.pdf
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
PDF
System and Network Administration Chapter 2
PDF
AI in Product Development-omnex systems
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
PDF
top salesforce developer skills in 2025.pdf
PPTX
ai tools demonstartion for schools and inter college
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
PPTX
history of c programming in notes for students .pptx
PPTX
Introduction to Artificial Intelligence
PPTX
ManageIQ - Sprint 268 Review - Slide Deck
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
PDF
Digital Strategies for Manufacturing Companies
PDF
Odoo Companies in India – Driving Business Transformation.pdf
L1 - Introduction to python Backend.pptx
Softaken Excel to vCard Converter Software.pdf
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
System and Network Administration Chapter 2
AI in Product Development-omnex systems
Wondershare Filmora 15 Crack With Activation Key [2025
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
How to Migrate SBCGlobal Email to Yahoo Easily
top salesforce developer skills in 2025.pdf
ai tools demonstartion for schools and inter college
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Which alternative to Crystal Reports is best for small or large businesses.pdf
How to Choose the Right IT Partner for Your Business in Malaysia
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
history of c programming in notes for students .pptx
Introduction to Artificial Intelligence
ManageIQ - Sprint 268 Review - Slide Deck
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
Digital Strategies for Manufacturing Companies
Odoo Companies in India – Driving Business Transformation.pdf

network-security_for cybersecurity_experts

  • 1. Network Technology Review and Security Concerns Computer Security I CS461/ECE422 Fall 2010
  • 2. Outline  Overview Issues and Threats in Network Security  Review basic network technology  TCP/IP in particular  Attacks specific to particular technologies
  • 4. Increased Security Complexity  Different operating systems  Computers, Servers, Network Devices  Multiple Administrative Domains  Need to open access  Multiple Paths and shared resources  Anonymity
  • 5. OSI Reference Model • The layers – 7: Application, e.g., HTTP, SMTP, FTP – 6: Presentation – 5: Session – 4: Transport, e.g. TCP, UDP – 3: Network, e.g. IP, IPX – 2: Data link, e.g., Ethernet frames, ATM cells – 1: Physical, e.g., Ethernet media, ATM media • Standard software engineering reasons for thinking about a layered design
  • 6. Message mapping to the layers SVN update message Packet2 D P S P D P S P Packet1 D P S P D P S P D A S A Packet1 D P S P D A S A Pack 2 Communications bit stream D P S P D A S A Packet1 D M S M D P S P D A S A Pack 2 D M S M L7 App L4 TCP L3 IP L2 Eth
  • 7. Confidentiality/Integrity Physical Layer  Radio waves  Just listen  Microwave  Point-to-point sort of  Dispersal  Ethernet  Inductance of cables  Tapping into ethernet cables  Promiscuous sniffing
  • 8. Switches • Original ethernet broadcast all packets • Layer two means of passing packets – Learn or config which MAC's live behind which ports – Only pass traffic to the appropriate port • Span ports – Mirror all traffic
  • 9. Physical Denial of Service  Radio  Jamming  Cables  Cutting or mutilating
  • 10. Network Layer - IP  Moves packets between computers  Possibly on different physical segments  Best effort  Technologies  Routing  Lower level address discovery (ARP)  Error Messages (ICMP)
  • 11. IPv4 • See Wikipedia for field details – http://en.wikipedia.org/wiki/IPv4 Version IHL Type of service Total length Identification DF MF Frag Offset Time to live Protocol Header checksum Source address Destination Address 0 or more words of options
  • 12. Ipv4 Addressing • Each entity has at least one address • Addresses divided into subnetwork – Address and mask combination – 192.168.1.0/24 or 10.0.0.0/8 – 192.168.1.0 255.255.255.0 or 10.0.0.0 255.0.0.0 – 192.168.1.0-192.168.1.255 or 10.0.0.0- 10.255.255.255 • Addresses in your network are “directly” connected – Broadcasts should reach them – No need to route packets to them
  • 13. Address spoofing • Sender can put any source address in packets he sends: – Can be used to send unwelcome return traffic to the spoofed address – Can be used to bypass filters to get unwelcome traffic to the destination • Reverse Path verification can be used by routers to broadly catch some spoofers
  • 14. Address Resolution Protocol (ARP) • Used to discover mapping of neighboring ethernet MAC to IP addresses. – Need to find MAC for 192.168.1.3 which is in your interface's subnetwork – Broadcast an ARP request on the link – Hopefully receive an ARP reply giving the correct MAC – The device stores this information in an ARP cache or ARP table
  • 15. ARP cache poisoning • Bootstrap problem with respect to security. Anyone can send an ARP reply – The Ingredients to ARP Poison, http://www.governmentsecurity.org/articles/TheIngredientstoARPPoison. php • Classic Man-in-the-middle attack – Send ARP reply messages to device so they think your machine is someone else – Better than simple sniffing because not just best effort. • Solutions – Encrypt all traffic – Monitoring programs like arpwatch to detect mapping changes • Which might be valid due to DHCP
  • 16. Basic IPv4 Routing • Static routing. Used by hosts, firewalls and routers. – Routing table consists of entries of • Network, Next hop address, metric, interface – May have routing table per incoming interface – To route a packet, take the destination address and find the best match network in the table. In case of a tie look at the metric • Use the corresponding next hop address and interface to send the packet on. • The next hop address is on the same link as this device, so you use the next hop’s data-link address, e.g. ethernet MAC address – Decrement “time to live” field in IP header at each hop. Drop packet when it reaches 0 • Attempt to avoid routing loops • As internet got bigger, TTL fields got set bigger. 255 maximum
  • 17. Routing example • Receive a packet destined to 192.168.3.56 on inside interface • Local routing table for inside interface – 192.168.2.0/30, 127.0.0.1, 1, outside – 192.168.5.0/29, 127.0.0.1, 1, dmz – 192.168.3.0/24, 192.168.5.6, 1, dmz – 192.168.3.0/24, 192.168.1.2, 3, outside – 0.0.0.0/0, 192.168.1.2, 1, outside • Entries 3 and 4 tie. But metric for 3 is better • Entries 1 and 2 are for directly connected networks
  • 18. Source Based Routing • In the IP Options field, can specify a source route – Was conceived of as a way to ensure some traffic could be delivered even if the routing table was completely screwed up. • Can be used by the bad guy to avoid security enforcing devices – Most folks configure routers to drop packets with source routes set
  • 19. IP Options in General • Originally envisioned as a means to add more features to IP later • Most routers drop packets with IP options set – Stance of not passing traffic you don’t understand – Therefore, IP Option mechanisms never really took off • In addition to source routing, there are security Options – Used for DNSIX, a MLS network encryption scheme
  • 20. Dynamic Routing Protocols • For scaling, discover topology and routing rather than statically constructing routing tables – Open Shortest Path First (OSPF): Used for routing within an administrative domain – RIP: not used much anymore – Border Gateway Protocol (BGP): Used for routing between administrative domains. Can encode non-technical transit constraints, e.g. Domain X will only carry traffic of paying customers • Receives full paths from neighbors, so it avoids counts to infinity.
  • 21. Dynamic Routing • Injecting unexpected routes a security concern. – BGP supports peer authentication – BGP blackholing is in fact used as a mechanism to isolate “bad” hosts – Filter out route traffic from unexpected (external) points – OSPF has MD5 authentication, and can statically configure neighbor routers, rather than discover them. • Accidents are just as big of a concern as malicious injections
  • 22. Internet Control Message Protocol (ICMP) • Used for diagnostics – Destination unreachable – Time exceeded, TTL hit 0 – Parameter problem, bad header field – Source quench, throttling mechanism rarely used – Redirect, feedback on potential bad route – Echo Request and Echo reply, ping – Timestamp request and Timestamp reply, performance ping – Packet too big • Can use information to help map out a network – Some people block ICMP from outside domain
  • 23. Smurf Attack • An amplification DoS attack – A relatively small amount of information sent is expanded to a large amount of data • Send ICMP echo request to IP broadcast addresses. Spoof the victim's address as the source • The echo request receivers dutifully send echo replies to the victim overwhelming it • Fraggle is a UDP variant of the same attack
  • 24. “Smurf” Internet Perpetrator Victim ICM P echo (spoofed source address of victim ) Sent to IP broadcast address ICM P echo reply
  • 25. Transport Level – TCP and UDP • Service to service communication. – Multiple conversations possible between same pair of computers • Transport flows are defined by source and destination ports • Applications are associated with ports (generally just destination ports) – IANA organizes port assignments http://www.iana.org/ • Source ports often dynamically selected – Ports under 1024 are considered well-known ports – Would not expect source ports to come from the well-known range
  • 26. Reconnaissance  Port scanning  Send probes to all ports on the target  See which ones respond  Application fingerprinting  Analyze the data returned  Determine type of application, version, basic configuration  Traffic answering from port 8080 is HTTP, Apache or Subversion
  • 27. Datagram Transport • User Datagram Protocol (UDP) – A best-effort delivery, no guarantee, no ACK – Lower overhead than TCP – Good for best-effort traffic like periodic updates – No long lived connection overhead on the endpoints • Some folks implement their own reliable protocol over UDP to get “better performance” or “less overhead” than TCP – Such efforts don’t generally pan out • TFTP and DNS protocols use UDP • Data channels of some multimedia protocols, e.g., H.323 also use UDP
  • 28. UDP Header Source Port Destination Port UDP Length UDP checksum
  • 29. DHCP • Built on older BOOTP protocol (which was built on even older RARP protocol) – Used by diskless Suns • Enables dynamic allocation of IP address and related information • Runs over UDP • No security considered in the design, obvious problems – Bogus DHCP servers handing out addresses of attackers choice – Bogus clients grabbing addresses • IETF attempted to add DHCP authentication but rather late in the game to do this. • Other solutions – Physically secure networks – Use IPSec
  • 30. Reliable Streams • Transmission Control Protocol (TCP) – Guarantees reliable, ordered stream of traffic – Such guarantees impose overhead – A fair amount of state is required on both ends • Most Internet protocols use TCP, e.g., HTTP, FTP, SSH, H.323 control channels
  • 31. TCP Header Source Port Destination Port Sequence Number Acknowledgement number HDR Len U R G A C K P S H R S T S Y N F I N Window Size Checksum Urgent Pointer Options (0 or more words)
  • 32. Three way handshake Machine A Machine B SYN: seqno=100 SYN: seqno=511 ACK = 100 ACK=511
  • 33. Syn flood • A resource DoS attack focused on the TCP three-way handshake • Say A wants to set up a TCP connection to B – A sends SYN with its sequence number X – B replies with its own SYN and sequence number Y and an ACK of A’s sequence number X – A sends data with its sequence number X and ACK’s B’s sequence number Y – Send many of the first message to B. Never respond to the second message. – This leaves B with a bunch of half open (or embryonic) connections that are filling up memory – Firewalls adapted by setting limits on the number of such half open connections.
  • 34. SYN Flood Machine A Machine B SYN: seqno=100 SYN: seqno=511 ACK = 100 SYN: seqno=89 SYN: seqno=176 SYN: seqno=344
  • 35. SYN Flood Constrainer Machine A FW SYN: seqno=100 SYN: seqno=511 ACK = 100 ACK=511 SYN: seqno=176 SYN: seqno=344 Machine B SYN: seqno=56 SYN: seqno=677 ACK = 56 ACK=677
  • 36. Another Syn Flood solution: SYN cookie  Encode information in the sequence number, so receiver does not need to save anything for half open connection  t = counter , m = MSS, s = crypto function computed over IP addresses and server port and t (24 bits)  Seqno = (t mod 32) || m encoded in 3 bits || s (24 bits)  On receiving ACK, get original seqno by subtracting 1  Check 1 to verify timeout  Recompute s to verify addresses and ports
• 38. Session Hijacking
 Take over a session after the three-way handshake is performed
 After the initial authentication too, so the attacker inherits the authenticated session
 Local
 Can see all traffic
 Simply inject traffic at a near-future sequence number (one the receiver will accept within its window)
 Blind
 Cannot see traffic
 Must guess the sequence number, which is why predictable initial sequence numbers are dangerous
• 40. Application Protocols
• Single-connection protocols
– Use a single connection, e.g. HTTP, SMTP
• Dynamic multi-connection protocols, e.g. FTP and H.323
– Have a well-known control channel
– Negotiate ports and/or addresses on the control channel for subsidiary data channels
– Dynamically open the negotiated data channels
• Protocol suites, e.g. NetBIOS and DNS
• 41. Spoofing Applications
• Often ridiculously easy
• Fake client
– Telnet to an SMTP server on port 25 and enter mail from whoever you want; the server takes MAIL FROM and the From: header on faith
– Authenticating email servers
• Require a password (SMTP AUTH)
• Require a mail download before the server takes send requests (POP-before-SMTP)
• Fake server
– Phishing: misdirect the user to a bogus server
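The following is an added example, not code from the slides: a minimal SMTP server state machine that replays the "telnet to port 25" dialogue from slide 41, first as a server that accepts MAIL FROM from anyone and then as one that answers 530 until the client has passed AUTH PLAIN. The hostnames, the credential store and the attacker's dialogue are constructed for the example.

```python
# Added example (not from the slides): a toy SMTP server that either accepts
# a forged MAIL FROM from anyone or requires AUTH PLAIN first.
import base64

USERS = {"alice": "correct horse"}          # assumption: constructed credential store


class SmtpServer:
    def __init__(self, require_auth):
        self.require_auth = require_auth
        self.authenticated = False
        self.sender = None
        self.in_data = False
        self.body = []

    def handle(self, line):
        """Process one client line and return the server's reply ("" while in DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                return "250 OK: queued"
            self.body.append(line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.com"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            if self.require_auth and not self.authenticated:
                return "530 5.7.0 Authentication required"   # hardened server
            self.sender = arg                                # weak server: taken on faith
            return "250 OK"
        if verb == "RCPT":
            return "250 OK" if self.sender else "503 5.5.1 MAIL first"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 5.5.1 Command unrecognized"

    def _auth(self, arg):
        """AUTH PLAIN: base64 of NUL user NUL password (authorization id ignored)."""
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN":
            return "504 5.5.4 Unrecognized authentication type"
        try:
            _authzid, user, password = base64.b64decode(blob).decode().split("\0")
        except (ValueError, UnicodeDecodeError):
            return "501 5.5.2 Cannot decode response"
        if USERS.get(user) == password:
            self.authenticated = True
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"


SPOOF_SESSION = [                            # constructed attacker dialogue, as on slide 41
    "HELO attacker.example",
    "MAIL FROM:<ceo@example.com>",
    "RCPT TO:<victim@example.com>",
    "DATA",
    "From: The CEO <ceo@example.com>",
    "Subject: Urgent wire transfer",
    "",
    "Please wire the money today.",
    ".",
    "QUIT",
]


def run_session(server, lines):
    """Feed client lines to the server; returns the reply to each line."""
    return [server.handle(line) for line in lines]


def mail_from_reply(require_auth, credentials=None):
    """The server's answer to the forged MAIL FROM, optionally after AUTH PLAIN."""
    srv = SmtpServer(require_auth)
    lines = list(SPOOF_SESSION)
    if credentials:
        user, password = credentials
        blob = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
        lines.insert(1, f"AUTH PLAIN {blob}")
    replies = dict(zip(lines, run_session(srv, lines)))
    return replies["MAIL FROM:<ceo@example.com>"]
```

Note that authentication only proves the submitting client holds an account; it does not by itself bind the account to the address in MAIL FROM, so a relay that wants to stop spoofing by its own users still has to compare the two.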
• 42. Default Settings
 Many applications are installed with default users and passwords
 Wireless routers, SCADA systems
 Default passwords for many of these systems are easily found on the Internet
 http://www.cirt.net/cgi-bin/passwd.pl
• 43. Domain Name System (DNS)
• Hierarchical service to resolve domain names to IP addresses
– The name space is divided into non-overlapping zones
– E.g., consider shinrich.cs.uiuc.edu
– DNS servers in the chain: one for .edu, one for uiuc.edu, and one for cs.uiuc.edu
• Can have primary and secondary DNS servers per zone; they use TCP-based zone transfers (AXFR) to keep up to date
• Like DHCP, no security designed in
– But at least the DNS server is not automatically discovered; clients are usually configured with its address
– Although that configuration can be set dynamically via DHCP, so a bogus DHCP server can also hand out a bogus DNS server
• 44. DNS Problems
• DNS open relays (open recursive resolvers)
– A server that recurses for anyone on the Internet looks like a good, authoritative source for any name, bogus ones included
– Enables amplification DoS attacks: a small spoofed query yields a large reply sent to the victim
 http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf
 DNS cache poisoning
– Change the cached name-to-address mapping to something more desirable to the attacker
 http://www.secureworks.com/research/articles/cachepoisoning
– Dan Kaminsky raised the issue again in the summer of 2008
 http://www.linuxjournal.com/content/understanding-kamin
• 45. DNS Transaction (figure)
– DNS pictures thanks to http://www.lurhq.com/dnscache.pdf
• 46. DNS Communication
 Uses UDP
 Requests and responses have matching 16-bit transaction IDs
 Servers can be configured as
 Authoritative nameserver
 Officially responsible for answering requests for a domain
 Recursive
 Passes on requests to other authoritative servers on the client's behalf
 Both (this combination can be the problem)
• 47. DNS Open Relay (figure)
– Y: DNS server, authoritative for big.com, recursion enabled for the whole Internet
– Z: attacker, X: victim
– Z → Y (spoofed): src=X dst=Y "What is the address of bob.com?"
– Y → X: src=Y dst=X "bob.com = 1.2.3.4" (the reply, larger than the query, lands on the victim)
• 48. Good DNS Deployment (figure)
– Y: DNS server, recursive only, accepts requests only from local clients
– W: DNS server, authoritative for big.com, does not recurse
– Z: attacker, X: victim
– Z → Y (spoofed): src=X dst=Y "What is the address of bob.com?" is refused, X is not a local client
– Z → W (spoofed): src=X dst=W "What is the address of big.com?" is answered, W is authoritative for it
– Z → W (spoofed): src=X dst=W "What is the address of bob.com?" is refused, W does not recurse
• 49. DNS Cache Poisoning
 Older implementations would just accept and cache any additional information in a reply
 e.g. a false authoritative nameserver for some other domain
 Fixed by bailiwick checking: additional records are only accepted if they fall within the domain the queried server is responsible for
 Now, to spoof a reply, the attacker must anticipate the correct transaction ID
 Only 16 bits
 Some implementations chose IDs sequentially or with weak randomness, making the guess easier
• 50. Bailiwick Checks
$ dig @ns1.example.com www.example.com
;; ANSWER SECTION:
www.example.com.        120     IN  A   192.168.1.10
;; AUTHORITY SECTION:
example.com.            86400   IN  NS  ns1.example.com.
example.com.            86400   IN  NS  ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com.        604800  IN  A   192.168.2.20
ns2.example.com.        604800  IN  A   192.168.3.30
www.linuxjournal.com.   43200   IN  A   66.240.243.113
– The last ADDITIONAL record is outside example.com's bailiwick and must be discarded
• 52. Kaminsky's Observations
 Most implementations don't randomize the UDP source port, so the 16-bit transaction ID is all the attacker has to guess
 Query for a name that does not exist and poison through the additional information: the forged NS and glue records are inside example.com, so the bailiwick check passes
 Because each query is for a fresh random name, a lost race can be retried immediately instead of waiting for a cached TTL to expire
$ dig doesnotexist.example.com
;; ANSWER SECTION:
doesnotexist.example.com.   120     IN  A   10.10.10.10
;; AUTHORITY SECTION:
example.com.                86400   IN  NS  www.example.com.
;; ADDITIONAL SECTION:
www.example.com.            604800  IN  A   10.10.10.20
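The following is an added example, not code from the slides, serving both slide 50 and slide 52: a resolver-side bailiwick filter run over the two dig responses shown there, plus the guessing arithmetic behind the source-port observation. The records are constructed tuples copied from the slides; the uniform-port assumption in the probability helper is an assumption of the example.

```python
# Added example (not from the slides): bailiwick filtering over the slide-50
# and slide-52 replies, and the TID/source-port guessing arithmetic.
# Records are constructed (name, ttl, type, rdata) tuples taken from the slides.

def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or a subdomain of it (case-insensitive)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def filter_response(zone, sections):
    """Apply the bailiwick check: keep only records whose owner name lies under
    the zone the queried server is authoritative for.
    Returns (accepted, rejected), each a list of (section, record)."""
    accepted, rejected = [], []
    for sec in ("answer", "authority", "additional"):
        for rr in sections.get(sec, []):
            (accepted if in_bailiwick(rr[0], zone) else rejected).append((sec, rr))
    return accepted, rejected


SLIDE50 = {   # reply to: dig @ns1.example.com www.example.com
    "answer": [("www.example.com.", 120, "A", "192.168.1.10")],
    "authority": [("example.com.", 86400, "NS", "ns1.example.com."),
                  ("example.com.", 86400, "NS", "ns2.example.com.")],
    "additional": [("ns1.example.com.", 604800, "A", "192.168.2.20"),
                   ("ns2.example.com.", 604800, "A", "192.168.3.30"),
                   ("www.linuxjournal.com.", 43200, "A", "66.240.243.113")],
}

SLIDE52 = {   # forged reply for a name that does not exist (Kaminsky)
    "answer": [("doesnotexist.example.com.", 120, "A", "10.10.10.10")],
    "authority": [("example.com.", 86400, "NS", "www.example.com.")],
    "additional": [("www.example.com.", 604800, "A", "10.10.10.20")],
}


def cached_by_bailiwick_only(zone, sections):
    """NS and glue records a resolver relying on the bailiwick check alone would
    cache from a reply; for SLIDE52 this is the poisoned www.example.com glue."""
    accepted, _ = filter_response(zone, sections)
    return [rr for sec, rr in accepted if sec != "answer"]


def forge_success_probability(guesses, tid_bits=16, port_bits=0):
    """Chance that at least one of `guesses` spoofed replies matches the
    resolver's outstanding (transaction ID, source port) pair.
    port_bits=0 models a resolver that always sends from one port; assumption:
    randomized ports are drawn uniformly from 2**port_bits values."""
    space = 2 ** (tid_bits + port_bits)
    return 1 - (1 - 1 / space) ** guesses
```

With a fixed source port, 65536 forged replies give roughly a 63% chance of a hit on a single race, and Kaminsky's random-name trick lets the attacker run as many races as needed; adding 16 bits of port entropy drops the same effort to about one chance in 65 000, which is why port randomization was the immediate fix while DNSSEC remained undeployed.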
• 53. DNSSEC
• Seeks to solve the trust issues of DNS
• Uses a key hierarchy (signed zones, with each parent vouching for its children's keys) for verification
• Has been under development for over a decade and is still not really deployed
 Articles this year say the root, .edu, .org and .com zones will be signed in the 2010 to 2011 timeframe
• Provides authentication and integrity, not confidentiality
• DNS threat analysis in RFC 3833
• 54. Key Points
 The network is complex and critical
 Many flaws have been simple implementation problems
 Poor configuration can also cause widespread problems
 Other people's problems can affect me
 Next: what can you do about it?

Editor's Notes

• #24: This is a diagram of a "Smurf" or "Fraggle" attack. The single stream from the perpetrator to the broadcast LAN represents the flow of information from the perpetrator to the broadcast LAN, usually several packets per second of ICMP echo ("Smurf") or UDP echo ("Fraggle") traffic spoofed to look like it is coming from the victim's system. If the router at the edge of the LAN forwards the broadcast ping to the LAN, each device on the LAN will respond with an echo-reply (ICMP) or will bounce the traffic (UDP), creating a multiplication of the original traffic flow. The traffic is then directed to the victim. There are usually several bounce sites involved, used to increase the factor by which traffic is multiplied. This attack is characterized by many ICMP echo reply packets at the victim's site or many UDP packets involving the diagnostic "echo" port.
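The following is an added example, not code from the slides or the editor's note: a detector for the signature the note describes (many echo replies, or UDP traffic from the echo port, arriving at one host from many distinct senders that the host never pinged), run over constructed flow records. The addresses, thresholds and window size are assumptions of the example.

```python
# Added example (not from the slides): Smurf/Fraggle victim detection over
# constructed flow records of the form (seconds, src, dst, proto, field),
# where field is the ICMP type (8 = echo request, 0 = echo reply) or, for
# UDP, the source port (7 = echo service bouncing traffic back).
from collections import defaultdict

FLOWS = (
    [(1, f"192.0.2.{i}", "198.51.100.9", "icmp", 0) for i in range(1, 60)]     # Smurf: 59 bounce replies
    + [(3, "10.0.0.5", f"10.0.1.{i}", "icmp", 8) for i in range(1, 31)]         # a scanner pinging 30 hosts
    + [(4, f"10.0.1.{i}", "10.0.0.5", "icmp", 0) for i in range(1, 31)]         # ...and their 30 replies
    + [(15, f"192.0.2.{i}", "198.51.100.10", "udp", 7) for i in range(1, 31)]   # Fraggle: UDP echo bounce
)


def smurf_victims(flows, min_sources=20, window=10):
    """Return (host, window_start, distinct_sources) for hosts that received echo
    replies or UDP-echo bounce traffic from at least `min_sources` distinct
    senders inside one `window`-second bucket while sending fewer ICMP echo
    requests in that bucket than replies it received (assumption: a legitimate
    pinger sends at least one request per reply; UDP requests are not modelled)."""
    replies = defaultdict(lambda: defaultdict(set))    # dst -> bucket -> {src}
    requests = defaultdict(lambda: defaultdict(int))   # src -> bucket -> count
    for ts, src, dst, proto, field in flows:
        bucket = ts // window
        if (proto == "icmp" and field == 0) or (proto == "udp" and field == 7):
            replies[dst][bucket].add(src)
        elif proto == "icmp" and field == 8:
            requests[src][bucket] += 1
    hits = []
    for host, buckets in replies.items():
        for bucket, sources in buckets.items():
            if len(sources) >= min_sources and requests[host][bucket] < len(sources):
                hits.append((host, bucket * window, len(sources)))
    return sorted(hits)
```

The scanner is not reported because it sent as many requests as it got replies; the two victims are, one per variant. In practice the same logic is what a flow collector at the victim's border would run, and the bounce sites themselves are found by looking for echo requests addressed to a subnet's broadcast address.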