
Data Link Layer Security & Network Layer Security

Data Link Layer Security & Network Layer Security, Lecture 3. Asst. Prof. Supakorn Kungpisdan, Ph.D. (supakorn@mut.ac.th). Roadmap: Data-link Layer Security; Network Layer Security. Task: MAC Address Spoofing. What is MAC address spoofing? What is its purpose?


Presentation Transcript


  1. Data Link Layer Security & Network Layer Security, Lecture 3. Asst. Prof. Supakorn Kungpisdan, Ph.D., supakorn@mut.ac.th

  2. NETE4630: Advanced Network Security and Implementation
     Roadmap
     • Data-link Layer Security
     • Network Layer Security

  3. Task: MAC Address Spoofing
     • What is MAC address spoofing?
     • What is its purpose?
     • Suggest a way to perform an attack using MAC spoofing
     • Explain how it works
     • Suggest how to prevent MAC address spoofing

  4. Passive Sniffing
     • Monitor incoming packets
     • Relies on a feature of network cards called promiscuous mode
       • The network card passes all packets on to the operating system, rather than just those unicast or broadcast to the host
     • It only listens to incoming packets and does not transmit any packets
     • Does not work well in a switched network
       • The attacker can sniff traffic only within his/her VLAN

  5. Active Sniffing
     • Inject packets into the network that cause traffic not destined for your system to be sent to your system
     • Active wireless sniffing involves sending out multiple network probes to identify APs

  6. ARP Poisoning
     • Active or passive sniffing?

  7. ARP Poisoning (cont.)
     • By spoofing the default gateway’s IP address, all hosts on the subnet will route through the attacker’s machine
     • Need to poison the ARP cache of every host on the subnet
     • Better if targeting a single host on the network
     • Should not spoof the IP of another client. Why?
     • To perform ARP poisoning:
       # arp -s <victim IP> <our MAC address> pub

  8. ARP Flooding
     • Aka CAM (Content Addressable Memory) Table Overflow
     • The CAM table stores the MAC addresses seen on each physical port and their associated VLAN parameters
     • CAM is ordinary memory and limited in size
     • Flood the switch with a huge number of ARP requests
     • The switch is too busy to enforce its port security and broadcasts all traffic to every port in the network
     • This makes a MITM attack possible: the attacker can start sniffing network traffic

  9. DHCP

  10. DHCP Starvation Attack
     • Consumes the IP address space allocated by a DHCP server
     • The attacker broadcasts a large number of DHCP requests using spoofed MAC addresses
     • The DHCP server leases its IP addresses one by one to the attacker until it runs out of available IPs for new, legitimate clients
     • Leads to DoS

  11. Rogue DHCP Server
     • Set up a rogue DHCP server serving clients with false details
       • E.g. giving them its own IP as the default router
     • Results in all traffic passing through the attacker’s computer
     • A rogue DHCP server can be set up even without a DHCP starvation attack, as clients accept the first DHCPOFFER they receive

  12. Preventing DHCP Attacks
     • Port security: do not allow more than X MAC addresses on one port
     • Rogue DHCP is more difficult to prevent
     • “Authentication for DHCP Messages” (RFC 3118)
     • DHCP snooping filters DHCP messages from non-trusted hosts
       • It contains a database of trusted and untrusted interfaces

  13. DHCP Snooping
     • An untrusted interface: an interface configured to receive messages from outside the network or firewall
     • A trusted interface: an interface configured to receive only messages from within the network
     • An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network

  14. DHCP Snooping (cont.)
     • DHCP snooping acts like a firewall between untrusted hosts and DHCP servers
     • DHCP snooping filters untrusted DHCP messages by building and maintaining a DHCP snooping binding table
     • The DHCP snooping binding table contains:
       • MAC address,
       • IP address,
       • lease time,
       • binding type,
       • VLAN number, and
       • interface information that corresponds to the local untrusted interfaces of a switch

  15. DHCP Snooping (cont.)
     • If a DHCPOFFER arrives from an untrusted interface, the switch shuts down the port
     • The switch trusts the interface to which the authorized DHCP server is connected (trusted interface)

  16. Enabling DHCP Snooping
     (Figure: interface GigabitEthernet 5/1 is trusted; interface GigabitEthernet 2/1 is untrusted)

  17. Dynamic ARP Inspection (DAI)
     • DAI validates ARP packets in a network based on IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database
     • DAI checks each IP-to-MAC binding against the DHCP snooping DB
     • It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
     • It checks only inbound packets

  18. How DAI Works
     • The switch performs these activities:
       • Intercepts all ARP requests and responses on untrusted ports
       • Verifies that each intercepted packet has a valid IP-to-MAC address binding before updating the local ARP cache or forwarding the packet to the appropriate destination
       • Drops invalid packets

  19. DAI (cont.)
     (Figure; source: http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=8)

  20. DAI in Action

  21. DAI in a DHCP Environment
     • DAI relies on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings
     • Configure each secure interface as trusted using the ip arp inspection trust interface configuration command
     • Trusted interfaces bypass the ARP inspection validation checks; all other packets are subject to inspection when they arrive on untrusted interfaces
       Switch(config)# interface GigabitEthernet1/0/1
       Switch(config-if)# ip arp inspection trust
       Switch(config)# ip arp inspection vlan 5-10

  22. DAI in a non-DHCP Environment
     • DAI relies on user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses
       Switch(config)# arp access-list arpacl
       Switch(config-arp-acl)# permit ip host 10.1.1.11 mac host 0011.0011.0011
       Switch(config-arp-acl)# exit
       Switch(config)# ip arp inspection filter arpacl vlan 5
       Switch(config)# interface GigabitEthernet1/0/2
       Switch(config-if)# no ip arp inspection trust
     • If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks

  23. DAI Steps
     • By default, all interfaces are untrusted
     • The switch does not check ARP packets it receives from another switch on a trusted interface
     • For untrusted interfaces:
       • the switch intercepts all ARP requests and responses
       • it verifies that the intercepted packets have valid IP-to-MAC address bindings
       • it checks the ARP access control list first
       • if there is no such ACL, it checks the DHCP snooping database
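The decision order on slides 17-23 (trusted port bypass, then ARP ACL, then the DHCP snooping binding table), as an added simulation that is not part of the lecture and not a vendor implementation; the port names, bindings, the `strict` flag and the sample ARP packets are constructed for illustration:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpPacket:
    in_port: str     # ingress interface name
    vlan: int
    sender_ip: str   # sender protocol address in the ARP body
    sender_mac: str  # sender hardware address in the ARP body

# Interfaces marked trusted (uplink to the DHCP server / other switch):
# DAI does not inspect ARP arriving here. Constructed names.
TRUSTED_PORTS = {"Gi1/0/1"}

# ARP ACL per VLAN for statically addressed hosts; consulted first.
# 'strict' models an ACL whose implicit deny is enforced, so non-matching
# packets are dropped without consulting DHCP bindings (an assumption of
# this simulation, not a statement about any vendor's semantics).
ARP_ACL = {5: {"permits": {"10.1.1.11": "0011.0011.0011"}, "strict": False}}

# DHCP snooping binding table, (vlan, ip) -> mac, learned from DHCP traffic.
DHCP_BINDINGS = {(5, "10.1.1.20"): "00aa.00aa.00aa",
                 (5, "10.1.1.21"): "00bb.00bb.00bb"}

def inspect(pkt: ArpPacket) -> tuple[str, str]:
    """Return ('forward' | 'drop', reason) following the slide-23 order."""
    if pkt.in_port in TRUSTED_PORTS:
        return "forward", "trusted interface: not inspected"
    acl = ARP_ACL.get(pkt.vlan)
    if acl is not None:
        permitted_mac = acl["permits"].get(pkt.sender_ip)
        if permitted_mac is not None:
            if permitted_mac == pkt.sender_mac:
                return "forward", "ARP ACL permit matched"
            return "drop", "ARP ACL binding mismatch"   # logged in practice
        if acl["strict"]:
            return "drop", "no ARP ACL permit (implicit deny)"
    # No ACL decision: fall back to the DHCP snooping binding database.
    if DHCP_BINDINGS.get((pkt.vlan, pkt.sender_ip)) == pkt.sender_mac:
        return "forward", "DHCP snooping binding matched"
    return "drop", "no valid IP-to-MAC binding"

# Constructed ARP reply from an untrusted port claiming the gateway IP
# (the slide-7 scenario): no binding exists for 10.1.1.1, so it is dropped.
GATEWAY_SPOOF = ArpPacket("Gi1/0/2", 5, "10.1.1.1", "00cc.00cc.00cc")
```

Because the gateway itself never obtains its address through DHCP, a static ARP ACL entry for it (as on slide 22) is what lets legitimate gateway ARP pass while the spoofed copy is still dropped.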

  24. Routing Games
     • One method to ensure that all traffic on a network passes through your host is to change the routing table of the host you wish to monitor
     • Send a fake route advertisement via RIP, declaring yourself as the default gateway
     • All outbound traffic will pass through your host and then go to the real default gateway
     • But you may not receive the returning traffic unless you can also modify the default gateway’s routing table

  25. Network Layer Security. Supakorn Kungpisdan, Ph.D., supakorn@mut.ac.th

  26. Overview
     (Figure: IP packet format; labelled fields include IP Header Length and the identification field (IPID))

  27. Overview
     • IP, ICMP, and routing protocols
     • IP is connectionless and subject to DoS
     • ICMP can be used by attackers
     • Routing protocols are subject to stack attacks

  28. IP Attacks
     • Spoofing
     • Fragmentation
     • Passive and Active Fingerprinting
     • Port Scanning
     • Redirection

  29. IP Spoofing
     Local Spoofing
     • Attacker and victim are on the same subnet
     • The attacker begins by sniffing traffic to find the key pieces of information needed to launch an attack
     • Session hijacking is another spoofing technique
     • The attack starts at the transport layer
     Blind Spoofing
     • The attacker is not on the same local subnet as the victim
     • Many pieces of information needed to be successful are not available; the key parameters must be guessed
     • Most modern OSes use fairly random sequence numbers, making the attack difficult to launch

  30. Fragmentation
     • Fragmentation is required when transmitting packets to different networks that have different MTUs
     • The idea is to send different data streams to each device

  31. IP Fragmentation
     (Figure) Fragmentation is required when transmitting packets to different networks that have different MTUs

  32. Evasion Attack
     • Evasion attack: sends packets to an IDS and a target such that the IDS rejects them while the target accepts them; the IDS drops them and never checks the packet payload
     • An attacker sends the first fragment to an IDS that has a fragmentation timeout of 15 s, while the target system has a timeout of 30 s
     • The attacker waits more than 15 s but less than 30 s before sending the 2nd fragment
     • The IDS discards the second fragment (and the already-expired first one) because its timeout has been reached
     • However, the target system accepts the second fragment (still within its timeout)
     • Thus, the IDS will not record this attack
     (Figure: fragments #1 and #2 against the 15 s IDS timeout and the 30 s target timeout)

  33. Fragmentation Attacks
     • Overlapping fragments can offer an attacker a means of slipping packets past an IDS and firewall
     • Consider a packet passing through a Cisco router to a Windows-based system
     • If a duplicate fragment is received,
       • the Cisco router prefers the last fragment, whereas
       • Windows prefers the original fragment

  34. Fragmentation Attacks (cont.)
     (Figure: fragments #1, #2, #3. Windows and the router accept #1 and #2. The attacker modifies #2 (same size, same offset) and transmits #2 and #3. Windows keeps the original #1 #2 #3; the router keeps #1, the modified #2, and #3.)

  35. Fragmentation Attacks (cont.)
     • An attacker breaks a message into 3 fragments
     • He sends fragments 1 and 2 to both the router and Windows; both accept the fragments
     • He then sends fragments 2 and 3. The retransmitted fragment 2 has the same size and offset as the original fragment but a different payload
     • Windows keeps the original fragment 2 but the router keeps the retransmitted one
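The two reassembly disagreements on slides 32-35 (timeout gap between IDS and target; first-wins versus last-wins on an overlapping fragment), as an added example that is not part of the lecture; the fragments, offsets and arrival times are constructed, and the reassembler is a deliberately minimal model rather than any real IP stack:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment within the datagram
    data: bytes
    t: float      # arrival time in seconds (constructed)

def reassemble(frags, policy="first", timeout=30.0):
    """Reassemble fragments in arrival order.

    policy  'first': the first bytes seen at an offset win (slide 33: Windows)
            'last':  a retransmission overwrites them   (slide 33: router)
    timeout seconds allowed after the first fragment before the partial
            datagram is discarded (slide 32: IDS 15 s vs target 30 s)
    Returns the reassembled payload, or None when it expired or has a gap.
    """
    buf, first_seen = {}, None
    for f in sorted(frags, key=lambda f: f.t):
        if first_seen is None:
            first_seen = f.t
        elif f.t - first_seen > timeout:
            return None                       # partial datagram already flushed
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if sorted(buf) != list(range(len(buf))):
        return None                           # hole in the datagram
    return bytes(buf[i] for i in range(len(buf)))

# Constructed input for slide 32: fragment #2 arrives 20 s after #1.
TIMING = [Fragment(0, b"part1-", 0.0), Fragment(6, b"part2", 20.0)]

# Constructed input for slide 34: #2 is resent with the same offset and size
# but a different payload, then #3 completes the datagram.
OVERLAP = [Fragment(0, b"AAAA", 0.0), Fragment(4, b"BBBB", 0.1),
           Fragment(4, b"XXXX", 0.2), Fragment(8, b"CCCC", 0.3)]
```

An IDS that reassembles with a timeout or overlap policy different from the end host's sees a different payload than the host does, which is why target-aware reassembly (per-host policy and timeout) matters for detection.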

  36. Teardrop Attack
     • Teardrop, targa, NewTear, Nestea, Bonk, Boink, TearDrop2, and SynDrop are some of the tools that can crash machines that have a vulnerability in the IP stack
     • There is a fragmentation bug in the IP stack implementation of some old Linux kernels (2.0), Windows NT, and Windows 95
     • Malformed packets are sent with the fragmentation offset value tweaked so that the received fragments overlap
     • A reboot solved the problem until the next attack

  37. Fingerprinting
     • Fingerprinting is the act of using peculiarities of IP, TCP, UDP, and ICMP to determine the operating system
     • Active vs. passive fingerprinting
     • Active fingerprinting: sends malformed (or non-RFC-compliant) packets to the target. Different OSes respond to these packets differently
       • Nmap

  38. Passive Fingerprinting
     • Passive fingerprinting: similar concept, but without injecting traffic into the network
     • Looks at 4 fields:
       • TTL value
       • Don’t Fragment bit (DF)
       • Type of Service (TOS)
       • Window size
     • TTL, DF, and TOS are found in the IP header
     • Window size is found in the TCP header

  39. Passive Fingerprinting: TTL
     • A packet has its TTL reduced each time it passes through a router or when it remains in a router’s queue too long
     • No standard mandates a particular initial TTL value
     • The attacker may assume that the observed value is less than the original value (which is at most 255)

  40. Passive Fingerprinting: DF and TOS
     • The DF flag is the primary mechanism systems use for PMTUD (Path MTU Discovery)
     • Many older OSes don’t use this feature
     • TOS can be analyzed to determine the OS
     • Even though it is rarely used on the Internet, some developers set it to a value other than zero to prevent this fingerprinting

  41. PMTUD
     • Path MTU discovery (PMTUD) is a technique in computer networking for determining the MTU size on the network path between two hosts, usually with the goal of avoiding IP fragmentation
     • Path MTU discovery works by setting the DF (Don't Fragment) option bit in the IP headers of outgoing packets
     • Any device along the path whose MTU is smaller than the packet will drop it and send back an ICMP Type 3 Code 4 “Destination Unreachable (Fragmentation Needed and DF was set)” message
     • The ICMP Type 3 Code 4 message contains that device’s MTU, allowing the source host to reduce its assumed path MTU appropriately
     • The process repeats until the MTU is small enough to traverse the entire path without fragmentation

  42. PMTUD (cont.)

  43. Passive Fingerprinting: Window Size
     • The TCP window specifies the amount of data that can be sent without having to receive an acknowledgement
     • Window size should either be as close as possible to the MTU or some multiple of this value
     • Linux 2.0 used a value of 16,384, while version 3 of FreeBSD used a value of 17,520
     • The most up-to-date passive fingerprinting tool is p0f
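A p0f-style matcher over the four fields of slides 38-43 (TTL, DF, TOS, TCP window), as an added example that is not part of the lecture or of p0f; the initial-TTL list and the signature table are constructed for illustration (only the two window sizes quoted on slide 43 come from the slides), and the `Observed` record stands in for values a sensor would pull from a captured SYN:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observed:
    ttl: int      # IP TTL as seen at the sensor
    df: bool      # IP Don't Fragment bit
    tos: int      # IP Type of Service byte
    window: int   # TCP window size from the SYN

# Initial TTLs commonly used by IP stacks (assumed); the sensor always sees
# a value at or below the sender's initial TTL (slide 39).
INITIAL_TTLS = (32, 64, 128, 255)

def guess_initial_ttl(ttl: int) -> int:
    """Smallest common initial TTL not below the observed one."""
    if not 0 < ttl <= 255:
        raise ValueError("TTL must be 1..255")
    return next(t for t in INITIAL_TTLS if t >= ttl)

def hops(ttl: int) -> int:
    """Estimated routers traversed, given the guessed initial TTL."""
    return guess_initial_ttl(ttl) - ttl

# (initial TTL, DF, TOS, window) -> label. Constructed signature table:
# the two window sizes are the ones quoted on slide 43; every other value
# is an illustrative assumption, not taken from p0f or from the slides.
SIGNATURES = {
    (64, False, 0, 16384): "Linux 2.0",
    (64, True, 0, 17520): "FreeBSD 3",
    (128, True, 0, 65535): "assumed Windows-like stack",
    (255, False, 0, 4128): "assumed router/embedded stack",
}

def fingerprint(o: Observed) -> tuple[str, int]:
    """Return (label or 'unknown', estimated hop count)."""
    ittl = guess_initial_ttl(o.ttl)
    label = SIGNATURES.get((ittl, o.df, o.tos, o.window))
    if label is None:
        # DF and TOS may be rewritten in transit, and slide 40 notes TOS is
        # sometimes set deliberately to foil this, so fall back to matching
        # on TTL + window and only score the remaining two fields.
        best, score = "unknown", 0
        for (s_ttl, s_df, s_tos, s_win), name in SIGNATURES.items():
            if s_ttl == ittl and s_win == o.window:
                s = 1 + (s_df == o.df) + (s_tos == o.tos)
                if s > score:
                    best, score = name, s
        label = best
    return label, hops(o.ttl)
```

The hop estimate is what makes a sensor's view useful defensively: a host that suddenly reports an initial TTL or window inconsistent with its previous signature has changed OS, or its traffic is now being sourced elsewhere.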

  44. Idle Scan: Open Port

  45. Idle Scan: Closed Port

  46. Idle Scan: Limitations
     • The idle host must truly be idle
     • Not all OSes use an incrementing IPID
     • Some versions of Linux set the IPID to zero or generate a random IPID value
     • Several message passes need to be performed to validate the results

  47. ICMP Attacks
     • ICMP helps with logical errors and diagnostics
     • ICMP does not offer authentication
     • The payload is not checked by the OS
     • ICMP attacks include covert channels, echo attacks, port scanning, traffic redirection, OS fingerprinting, and DoS

  48. Covert Channels
     • Covert channels offer attackers a concealed communications channel that uses allowed services
     • Covert channels can also work by exploiting flaws or weaknesses in protocols like ICMP, esp. ping
     • ICMP fields used in ping include: Type, Code, Identifier, Sequence Number, Optional Data

  49. ICMP Format

  50. Covert Channels (cont.)
