
Network Defense



Presentation Transcript

  1. Network Defense COEN 250

  2. Network Protocols: Layering
     • Complexity of networking leads to layered architectures.
     • TCP/IP stack has four levels.
     • OSI has seven.

  3. Network Protocols: Layering

  4. Network Protocols: Layering
     • Each layer adds a header.
       • Application
       • TCP
       • IP
       • Link

  5. Data Link Layer
     • Sits on top of the physical layer, which provides:
       • Hardware specification
       • Encoding and signaling
       • Data transmission and reception
       • Topology and physical network design
     • Example data link layers:
       • Ethernet
       • Token Ring
       • FDDI
       • Wi-Fi (802.11)
     • Divided into two sublayers:
       • Logical Link Control (LLC)
       • Media Access Control (MAC)

  6. Link Layer Address Resolution
     • Network Interface Cards (NICs)
       • Unique Medium Access Control (MAC) number
       • Now typically changeable
         • In order to accommodate device change when using authentication through MAC address
       • Format: 48 bits, written as twelve hex digits (six bytes).
         • First 6 identify the vendor.
         • Last 6 are a serial number.
     • NICs either select frames based on MAC address or are in promiscuous mode (capture every packet).

  7. Link Layer Address Resolution
     • Address Resolution Protocol (ARP)
       • Resolves IP addresses to MAC addresses
       • RFC 826

  8. Link Layer: ARP Resolution Protocol
     • Assume node A with IP address and MAC 00:01:02:03:04:05 wants to talk to IP address
     • Sends out a broadcast who-has request:
         00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42 who-has
     • All devices on the link capture the packet and pass it to the IP layer.
     • is the only one to answer:
         a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply is-at a0:a0:a0:a0:a0:a0
     • A caches the value in its ARP cache.

  9. Link Layer: ARP Resolution Protocol
     ARP requests:

  10. Link Layer: ARP Resolution Protocol

  11. Link Layer Intrusion Detection
     Network monitoring tools such as Argus or Ethereal log MAC addresses.

  12. Link Layer Forensics
     Example: A spike in network traffic comes from a computer with a certain IP address. However, Argus logs reveal that the traffic comes from a computer with a different MAC than the computer assigned that IP (spoofing). Finally, intrusion response finds the computer with that MAC: a Linux laptop that has been compromised and is being used for a Denial of Service attack.

  13. Link Layer Intrusion Detection
     • The ARP cache can be viewed on Windows NT/2000/XP with the arp -a command.

  14. Link Layer Intrusion Detection
     • Some organizations log ARP information.
     • Routers keep ARP tables.
       • show ip arp
     • All hosts keep ARP tables.
     • DHCP often assigns addresses only to computers with a known MAC.

  15. Link Layer Intrusion Detection
     An employee received harassing e-mail from a host on the employer’s network with IP address
     The DHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c. This MAC belonged to a network printer.
     The router’s ARP table showed that the IP address was used by a computer with MAC 00:30:65:4b:2a:5c (IP spoofing).
     Although this MAC was not on the organization’s list, there were only a few Apple computers on the network and the culprit was soon found.

  16. Link Layer Intrusion Detection
     • Analyze and filter log files:
       • Keyword searches
         • E.g. for USER, PASS, login
         • Nicknames, channel names
       • Filters
       • Reconstruction
         • E.g. contents of a web-mail inbox.

  17. Link Layer Intrusion Detection
     NetIntercept screenshot: an example of a commercial network forensics / network intrusion detection tool that reveals link layer evidence.

  18. ARP Packet
     • RFC 826
     • ARP packet layout (byte offsets):
       • 0-1: Hardware type (0x0001 – Ethernet)
       • 2-3: Protocol type (0x0800 – IP)
       • 4: Number of bytes in hardware address (6 for MAC)
       • 5: Number of bytes in protocol address (4 for IP)
       • 6-7: Opcode: 1 for ARP request, 2 for ARP reply
       • 8-13: Source MAC
       • 14-17: Source IP
       • 18-23: Target MAC
       • 24-27: Target IP
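The byte layout above is enough to write a decoder and encoder for the 28-byte Ethernet/IPv4 ARP body, which is what a monitoring tool needs before it can log who-has/is-at pairs. The following is an added example, not code from the slides; it takes node A's MAC from slide 8 and makes up IP addresses from the 192.0.2.0/24 documentation range, since the slide does not show them.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Constants from RFC 826 as listed on the slide.
HW_ETHERNET = 0x0001
PROTO_IPV4 = 0x0800
OP_REQUEST = 1
OP_REPLY = 2


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_to_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address {mac!r}")
    return raw


def parse_arp(body: bytes) -> ArpPacket:
    """Decode a 28-byte Ethernet/IPv4 ARP body using the byte offsets from the slide."""
    if len(body) < 28:
        raise ValueError("ARP body shorter than 28 bytes")
    # Offsets 0-7: hardware type, protocol type, hw addr len, proto addr len, opcode.
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if opcode not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unexpected ARP opcode {opcode}")
    return ArpPacket(
        opcode=opcode,
        sender_mac=_mac_to_str(body[8:14]),                   # offsets 8-13
        sender_ip=str(ipaddress.IPv4Address(body[14:18])),    # offsets 14-17
        target_mac=_mac_to_str(body[18:24]),                  # offsets 18-23
        target_ip=str(ipaddress.IPv4Address(body[24:28])),    # offsets 24-27
    )


def build_arp(pkt: ArpPacket) -> bytes:
    """Encode an ArpPacket back into the 28-byte wire format (inverse of parse_arp)."""
    return (struct.pack("!HHBBH", HW_ETHERNET, PROTO_IPV4, 6, 4, pkt.opcode)
            + _mac_to_bytes(pkt.sender_mac)
            + ipaddress.IPv4Address(pkt.sender_ip).packed
            + _mac_to_bytes(pkt.target_mac)
            + ipaddress.IPv4Address(pkt.target_ip).packed)


def describe(pkt: ArpPacket) -> str:
    """Render a packet in the who-has / is-at style used on the slides."""
    if pkt.opcode == OP_REQUEST:
        return f"arp who-has {pkt.target_ip} tell {pkt.sender_ip}"
    return f"arp reply {pkt.sender_ip} is-at {pkt.sender_mac}"


# Constructed sample: the who-has request from slide 8 (node A, MAC 00:01:02:03:04:05).
# The IP addresses are made up (192.0.2.10 asking for 192.0.2.1); the slide omits them.
SAMPLE_REQUEST = bytes.fromhex(
    "0001" "0800" "06" "04" "0001"       # Ethernet, IPv4, hlen 6, plen 4, request
    "000102030405" "c000020a"            # sender 00:01:02:03:04:05 / 192.0.2.10
    "000000000000" "c0000201"            # target MAC unknown / 192.0.2.1
)

if __name__ == "__main__":
    req = parse_arp(SAMPLE_REQUEST)
    print(describe(req))
    reply = ArpPacket(OP_REPLY, "a0:a0:a0:a0:a0:a0", req.target_ip, req.sender_mac, req.sender_ip)
    print(describe(parse_arp(build_arp(reply))))
```

The header check in parse_arp is deliberately strict: a capture tool that accepts other hardware or protocol types here would misread the variable-length address fields that follow.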

  19. ARP Packet
     Ethereal dissection of an ARP packet

  20. Monitoring Tools
     • Arpwatch
       • Monitors Ethernet activity and keeps a database of Ethernet/IP address pairings.

  21. Attacks on ARP
     • Packet generators for various OSs.
       • Allow an attacker to subvert a chosen protocol.
       • hping2 for Windows.
       • *NIX, X Windows:
         • packit
           • http://sourceforge.net/projects/packitgui/
         • IP Sorcery
         • and many, many more.
       • Used to create arbitrary packets.

  22. Attacks on ARP
     • Switch flooding
       • Switches contain a switch address table.
       • The switch address table associates ports with MAC addresses.
       • Switch flooding creates many false entries.
       • Switches fail in two different modes:
         • Fail open:
           • Switch converts into a hub.
           • This allows traffic through the switch to be monitored from any port.
         • Fail closed:
           • Switch stops functioning.
           • Denial of Service (DoS) attack

  23. Attacks on ARP
     • ARP Poisoning:
     (Diagram: attacker, switch, victim, router, outside world)

  24. Attacks on ARP
     • ARP Poisoning: Attacker configures IP forwarding to send packets to the default router for the LAN.
     (Diagram: attacker, switch, victim, router, outside world)

  25. Attacks on ARP
     • ARP Poisoning: Attacker sends a fake ARP to remap the default router's IP address to his MAC address.
     (Diagram: attacker, switch, victim, router, outside world)

  26. Attacks on ARP
     • ARP Poisoning: Switch now takes the packet from the victim and forwards it to the attacker.
     (Diagram: attacker, switch, victim, router, outside world)

  27. Attacks on ARP
     • ARP Poisoning: The attacker's machine intercepts the message for sniffing and sends it back to the switch with the MAC address of the router.
     (Diagram: attacker, switch, victim, router, outside world)
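The poisoning sequence on slides 23-27 leaves a visible trace: the default router's IP address suddenly maps to a second MAC, and it keeps flipping as the real router and the attacker answer in turn. That is exactly what the Ethernet/IP pairing database of Arpwatch (slide 20) catches, and the same database cross-checked against DHCP leases gives the router-ARP-versus-DHCP comparison from the slide 15 case. The code below is an added example, not Arpwatch's source or the slides' code: the observations are the sender fields of parsed ARP packets, and all MACs and IPs except the printer MAC and the second MAC from slide 15 are constructed.

```python
from collections import namedtuple

# One observation per ARP packet: opcode plus the packet's sender fields.
# Values below are constructed; a real deployment would feed these from a capture.
Observation = namedtuple("Observation", "opcode sender_mac sender_ip")
Alert = namedtuple("Alert", "kind ip old_mac new_mac gateway")


class ArpWatch:
    """Keeps the Ethernet/IP pairing database Arpwatch maintains and reports changes."""

    def __init__(self, gateway_ips=()):
        self.pairings = {}   # ip -> MAC currently believed correct
        self.seen = {}       # ip -> every MAC that has ever claimed it
        self.gateways = set(gateway_ips)
        self.alerts = []

    def observe(self, obs):
        prev = self.pairings.get(obs.sender_ip)
        macs = self.seen.setdefault(obs.sender_ip, set())
        if prev == obs.sender_mac:
            return None                       # pairing unchanged, nothing to report
        if prev is None:
            kind = "new station"
        elif obs.sender_mac in macs:
            kind = "flip flop"                # bouncing between MACs seen before
        else:
            kind = "changed ethernet address"
        macs.add(obs.sender_mac)
        self.pairings[obs.sender_ip] = obs.sender_mac
        # A MAC change for the default router is the signature of slides 23-27:
        # from now on the switch delivers the victim's traffic to the new MAC.
        gateway_hit = prev is not None and obs.sender_ip in self.gateways
        alert = Alert(kind, obs.sender_ip, prev, obs.sender_mac, gateway_hit)
        self.alerts.append(alert)
        return alert


def dhcp_vs_arp(dhcp_leases, arp_table):
    """Cross-check DHCP leases against a router's ARP table, as in the slide 15 case.

    Returns {ip: (mac_per_dhcp, mac_per_arp)} for each IP in use by a different MAC."""
    return {ip: (dhcp_leases[ip], mac)
            for ip, mac in arp_table.items()
            if ip in dhcp_leases and dhcp_leases[ip] != mac}


# Constructed sequence: router and victim appear, a third MAC claims the router's IP,
# the real router answers again, and the third MAC re-poisons.
GATEWAY_IP = "192.0.2.1"
SAMPLE_OBSERVATIONS = [
    Observation(1, "aa:bb:cc:00:00:01", GATEWAY_IP),
    Observation(1, "00:11:22:33:44:55", "192.0.2.10"),
    Observation(2, "0c:0c:0c:0c:0c:0c", GATEWAY_IP),
    Observation(1, "aa:bb:cc:00:00:01", GATEWAY_IP),
    Observation(2, "0c:0c:0c:0c:0c:0c", GATEWAY_IP),
]

# Slide 15 tables: the two MACs are from the slide, the IP address is made up.
SAMPLE_DHCP = {"192.0.2.77": "00:00:48:5c:3a:6c"}
SAMPLE_ROUTER_ARP = {"192.0.2.77": "00:30:65:4b:2a:5c", "192.0.2.10": "00:11:22:33:44:55"}


def run_sample():
    watch = ArpWatch(gateway_ips=[GATEWAY_IP])
    for obs in SAMPLE_OBSERVATIONS:
        watch.observe(obs)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
    print(dhcp_vs_arp(SAMPLE_DHCP, SAMPLE_ROUTER_ARP))
```

The "flip flop" alerts are the useful ones operationally: a single "changed ethernet address" can be a legitimate NIC replacement, but an IP that alternates between two MACs within seconds, especially the gateway's, is almost always poisoning.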

  28. Attacks on ARP
     http://www.watchguard.com/

  29. RARP
     • RARP (Reverse Address Resolution Protocol)
       • Used to allow diskless systems to obtain a static IP address.
       • System requests an IP address from another machine (giving its MAC address).
       • Responder either uses DNS with a name-to-Ethernet-address mapping or looks up a MAC-to-IP ARP table.
       • Administrator needs to place the table in a gateway.
       • RARP daemon (rarpd) responds to RARP requests.

  30. RARP
     • RARP vulnerability
       • Use RARP together with ARP spoofing to request an IP address and take part in communications over the network.

  31. RARP Packet
     • Packet format as in ARP:
       • 0-1: Hardware type (0x0001 – Ethernet)
       • 2-3: Protocol type (0x0800 – IP)
       • 4: Number of bytes in hardware address (6 for MAC)
       • 5: Number of bytes in protocol address (4 for IP)
       • 6-7: Opcode: 1 for ARP request, 2 for ARP reply
       • 8-13: Source MAC
       • 14-17: Source IP
       • 18-23: Target MAC
       • 24-27: Target IP

  32. IP
     • Uses IP addresses of source and destination.
     • IP datagrams are moved from hop to hop.
     • “Best effort” service.
     • Corrupted datagrams are detected and dropped.

  33. IP
     • Addresses contain IP address and port number.
     • IPv4 addresses are 32 bits long.
     • IPv6 addresses are 8*16 bits (128 bits) long.

  34. DHCP
     • Dynamic Host Configuration Protocol
     • Evolved from the TCP/IP Boot Protocol (BOOTP)
       • Solves the problem of diskless workstations
       • Boot process:
         • First obtain an IP address
         • Then download the OS etc.
       • BOOTP client sends a broadcast to UDP port 67 (BOOTREQUEST)
       • BOOTP server listens on that port
       • Replies to the client by either
         • using the client’s hardware address to create an ARP entry, or
         • using broadcast
       • Client downloads the OS (using e.g. TFTP)

  35. DHCP
     • Assigns addresses
       • Manual allocation (just as BOOTP)
         • Single point of administration
       • Automatic allocation
         • DHCP assigns an address to a given device automatically from a pool of addresses
       • Dynamic allocation
         • DHCP assigns an address from a pool of addresses for the length of a lease
         • Addresses are reused and shared
         • Clients need to renew a lease periodically
         • If clients are rebooting but still have an active lease, they reconfirm their lease during reboot.
         • If renewal fails, clients will rebind to any active DHCP server
         • Clients can release a DHCP-assigned IP address

  36. DHCP
     • Attacks
       • Denial of Service
         • Attacker sends DHCP requests, using up all IP addresses in the pool
         • Attacker uses random MAC addresses
         • Switches can limit the number of MAC addresses used on a given link and prevent this attack

  37. DHCP
     • Attacks
       • Man in the Middle attack: default gateway
         • Attacker assigns DHCP addresses by either
           • disabling the DHCP server and then operating its own DHCP server, or
           • running a faster DHCP server
         • Attacker specifies itself as the default gateway
         • Attacker redirects traffic from the victim through itself

  38. DHCP
     • Attacks
       • Man in the Middle attack: DNS redirection
         • Attacker assigns DHCP addresses
         • Attacker specifies itself as the DNS server
         • Attacker only redirects traffic to selected IP addresses
           • Banking, shopping, …
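Both DHCP attacks above can be spotted at the switch: the starvation attack of slide 36 shows up as many distinct client MACs on one port (the per-port MAC limit the slide mentions), and the rogue-server attacks of slides 37-38 show up as OFFER/ACK messages arriving on an access port or from a server address that is not the organization's. The following is an added example, not code from the slides; it assumes the switch can see DHCP messages per port (as DHCP snooping does) and that the operator maintains a list of trusted uplink ports and authorized server IPs. All events, ports and addresses are constructed.

```python
from collections import defaultdict

# DHCP message types: DISCOVER/REQUEST come from clients, OFFER/ACK from servers.
CLIENT_MSGS = {"DISCOVER", "REQUEST"}
SERVER_MSGS = {"OFFER", "ACK"}


def detect_dhcp_abuse(events, trusted_ports, authorized_servers, max_macs_per_port=3):
    """Flag DHCP starvation and rogue DHCP servers from per-port DHCP events.

    events: (switch_port, client_mac, message, server_ip) tuples in arrival order
            (server_ip is None for client messages).
    Starvation: more than max_macs_per_port distinct client MACs on one port,
      reported once per port when the limit is first exceeded.
    Rogue server: OFFER/ACK on a port that is not a trusted uplink, or from an
      IP not in authorized_servers; the precondition for the MITM attacks.
    """
    macs_per_port = defaultdict(set)
    findings = []
    for port, mac, msg, server in events:
        if msg in CLIENT_MSGS:
            macs_per_port[port].add(mac)
            if len(macs_per_port[port]) == max_macs_per_port + 1:
                findings.append(("starvation", port, mac))
        elif msg in SERVER_MSGS:
            if port not in trusted_ports or server not in authorized_servers:
                findings.append(("rogue_server", port, server))
    return findings


# Constructed topology: the real DHCP server sits behind uplink Gi0/24.
TRUSTED_PORTS = {"Gi0/24"}
AUTHORIZED_SERVERS = {"192.0.2.2"}

SAMPLE_EVENTS = [
    # A normal lease: DISCOVER/REQUEST from the client port, OFFER/ACK from the uplink.
    ("Gi0/1", "00:11:22:33:44:55", "DISCOVER", None),
    ("Gi0/24", "00:11:22:33:44:55", "OFFER", "192.0.2.2"),
    ("Gi0/1", "00:11:22:33:44:55", "REQUEST", None),
    ("Gi0/24", "00:11:22:33:44:55", "ACK", "192.0.2.2"),
    # Starvation: one port, five made-up client MACs in quick succession.
    ("Gi0/5", "02:00:00:00:00:01", "DISCOVER", None),
    ("Gi0/5", "02:00:00:00:00:02", "DISCOVER", None),
    ("Gi0/5", "02:00:00:00:00:03", "DISCOVER", None),
    ("Gi0/5", "02:00:00:00:00:04", "DISCOVER", None),
    ("Gi0/5", "02:00:00:00:00:05", "DISCOVER", None),
    # Rogue server: an OFFER from an access port, naming itself as the server.
    ("Gi0/5", "00:11:22:33:44:66", "OFFER", "192.0.2.66"),
]

if __name__ == "__main__":
    for finding in detect_dhcp_abuse(SAMPLE_EVENTS, TRUSTED_PORTS, AUTHORIZED_SERVERS):
        print(finding)
```

A switch that enforces the same two rules (drop server messages on untrusted ports, cap client MACs per port) blocks both attacks rather than merely logging them; the function above is the logging half, useful when feeding a SIEM from switch DHCP snooping logs.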

  39. IP: ICMP
     • Internet Control Message Protocol
     • Created to deal with non-transient problems. For example:
       • Fragmentation is necessary, but the Don’t Fragment (DF) flag is set.
       • UDP datagram sent to a non-listening port.
       • Ping.
         • Used to detect network connectivity before it became too useful for attack reconnaissance.
     • Does not use ports.
     • Allows broadcasting.
     • More on ICMP later.

  40. IP: ICMP
     • ICMP error messages should not be sent:
       • For any but the first fragment.
       • For a source address that is a broadcast or loopback address.
         • Such packets are probably malicious, anyway.
     • Otherwise ICMP messages could proliferate and throttle a network.

  41. IP: ICMP
     • ICMP errors are not sent:
       • In response to an ICMP error message.
         • Otherwise, craft a message with invalid UDP source and destination ports, then watch the ICMP ping-pong.
       • To a destination broadcast address.
         • Don’t answer with destination unreachable for a broadcast. Otherwise this makes it trivial to scan a network.
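The four suppression rules on the two ICMP slides are the heart of how a stack avoids being turned into an amplifier or a scanner's oracle. As an added example (not code from the slides), here is the decision function an IP stack applies before emitting any ICMP error, with the slides' rules plus RFC 1122's matching exclusion of multicast destinations. The packet model and the test cases on the 192.0.2.0/24 documentation network are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ICMP = 1                                  # IP protocol number of ICMP
# ICMP error types (RFC 792): destination unreachable, source quench, redirect,
# time exceeded, parameter problem. Echo request/reply are not errors.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


@dataclass
class IPv4Packet:
    src: str
    dst: str
    proto: int                        # 1 = ICMP, 6 = TCP, 17 = UDP
    frag_offset: int = 0              # 0 means first (or only) fragment
    icmp_type: Optional[int] = None   # only meaningful when proto == ICMP


def should_send_icmp_error(pkt: IPv4Packet, local_net: str):
    """Decide whether a host on local_net may answer pkt with an ICMP error.

    Returns (allowed, reason). Rules: first fragment only; no broadcast or
    loopback source; never in reply to an ICMP error; never for a broadcast
    (or multicast) destination.
    """
    net = ipaddress.IPv4Network(local_net)
    src = ipaddress.IPv4Address(pkt.src)
    dst = ipaddress.IPv4Address(pkt.dst)
    limited_broadcast = ipaddress.IPv4Address("255.255.255.255")

    if pkt.frag_offset != 0:
        return False, "not the first fragment"
    if src.is_loopback or src in (limited_broadcast, net.broadcast_address):
        return False, "source is a broadcast or loopback address"
    if pkt.proto == ICMP and pkt.icmp_type in ICMP_ERROR_TYPES:
        return False, "would answer an ICMP error with an ICMP error (ping-pong)"
    if dst in (limited_broadcast, net.broadcast_address) or dst.is_multicast:
        return False, "destination is a broadcast or multicast address"
    return True, "ok"


# Constructed cases, one per rule plus two that are allowed.
CASES = {
    "udp to closed port":    IPv4Packet("192.0.2.10", "192.0.2.20", 17),
    "echo request (ping)":   IPv4Packet("192.0.2.10", "192.0.2.20", ICMP, icmp_type=8),
    "later fragment":        IPv4Packet("192.0.2.10", "192.0.2.20", 17, frag_offset=185),
    "loopback source":       IPv4Packet("127.0.0.1", "192.0.2.20", 17),
    "incoming icmp error":   IPv4Packet("192.0.2.10", "192.0.2.20", ICMP, icmp_type=3),
    "broadcast destination": IPv4Packet("192.0.2.10", "192.0.2.255", 17),
}

if __name__ == "__main__":
    for name, pkt in CASES.items():
        print(f"{name:22s} -> {should_send_icmp_error(pkt, '192.0.2.0/24')}")
```

Note that the check on the source address uses the local subnet's directed broadcast as well as 255.255.255.255; a stack that only knows the limited broadcast still answers spoofed directed-broadcast sources.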

  42. Transport Layer: TCP and UDP
     • Transmission Control Protocol (TCP)
       • Reliable
       • Connection-oriented
       • Slow
     • User Datagram Protocol (UDP)
       • Unreliable
       • Connectionless
       • Fast

  43. TCP
     • Only supports unicasting.
     • Full duplex connection.
     • Sequence numbers to detect and recover from lost messages.

  44. TCP: Three Way Handshake
     • Initiator to responder: SYN(s)
     • Responder to initiator: ACK(s), SYN(t)
     • Initiator to responder: ACK(t)
     • Sets up both directions of the connection with initial sequence numbers s and t.

  45. TCP: Three Way Handshake
     20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
     20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)
     20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)
     (Slide annotations: sequence number; flag; window: number of bytes accepted)

  46. TCP: Terminating Connections
     • Graceful shutdown
       • Party 1 to Party 2: FIN
       • Party 2 to Party 1: ACK
       • Party 2 to Party 1: FIN
       • Party 1 to Party 2: ACK
     • Abrupt shutdown
       • Party 1 to Party 2: RST (reset)

  47. TCP: Shutting down a connection
     20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
     20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
     20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
     20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
     20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)
     20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)
     20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)
     20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)

  48. TCP: Exchanging Data
     • Each packet has a sequence number.
       • (One for each direction.)
     • Initial sequence numbers are created during the initial three way handshake.
     • Nmap uses the way these sequence numbers are generated to determine the OS.
     • OSs are now much better at generating truly random sequence numbers.

  49. TCP: Exchanging Data
     • The party that receives a packet sends an acknowledgement.
     • The acknowledgement consists of:
       • ACK flag.
       • Sequence number of the next packet to be expected.
       • (tcpdump shows the number of bytes acknowledged.)

  50. TCP: Exchanging Data
     • If a packet is lost, then the ack sequence number will not change:
       • “Duplicate acknowledgement”
       • Depending on settings, the sender will resend after at most three stationary ack numbers.
     • Also, senders resend after a timeout.
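The tcpdump lines on slides 45 and 47 contain everything needed to verify the handshake rule of slide 44 (each side acknowledges the other's ISN plus one), the graceful close of slide 46 (each FIN consumes one sequence number and is acknowledged with fin+1), and the duplicate-acknowledgement pattern of slide 50. The following is an added example, not code from the slides: a parser for the classic tcpdump TCP line format the slides use, with the three checks applied to the slides' own lines. The duplicate-ACK trace at the end is constructed (the server's segment 34:44 is assumed lost), since the slides show no such trace.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Classic tcpdump TCP line: flags, optional seq:end(len), optional ack, window.
# Trailing options such as <mss 1460> and (DF) are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPR.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)


@dataclass
class Segment:
    ts: str
    src: str            # "host.port"
    dst: str
    flags: str          # S, F, P, R, or "." for none
    seq: Optional[int]
    length: int
    ack: Optional[int]
    win: int


def parse_line(line: str) -> Segment:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    g = m.groupdict()
    return Segment(g["ts"], f"{g['src']}.{g['sport']}", f"{g['dst']}.{g['dport']}", g["flags"],
                   int(g["seq"]) if g["seq"] else None, int(g["len"]) if g["len"] else 0,
                   int(g["ack"]) if g["ack"] else None, int(g["win"]))


def check_handshake(segs):
    """True if segs[:3] are SYN, SYN/ACK, ACK with acks equal to the peer's ISN + 1."""
    syn, synack, ack = segs[:3]
    if "S" not in syn.flags or syn.ack is not None:
        return False
    if synack.src != syn.dst or "S" not in synack.flags or synack.ack != syn.seq + 1:
        return False
    # tcpdump switches to relative numbering after the SYNs, so the final ack prints as 1.
    return ack.src == syn.src and ack.flags == "." and ack.ack in (1, synack.seq + 1)


def close_type(segs):
    """'graceful' when both sides sent a FIN and each FIN was acknowledged with
    fin_seq + 1; 'abrupt' if a RST appears; otherwise 'open'."""
    fins, acked = {}, set()
    for s in segs:
        if "R" in s.flags:
            return "abrupt"
        if "F" in s.flags:
            fins[s.src] = s.seq
        if s.ack is not None and s.dst in fins and s.ack == fins[s.dst] + 1:
            acked.add(s.dst)
    return "graceful" if len(fins) == 2 and acked == set(fins) else "open"


def count_duplicate_acks(segs):
    """Per sender, count pure ACKs (no payload, no S/F/R) repeating its previous ack number."""
    last, dups = {}, defaultdict(int)
    for s in segs:
        if s.flags != "." or s.length or s.ack is None:
            continue
        if last.get(s.src) == s.ack:
            dups[s.src] += 1
        last[s.src] = s.ack
    return dict(dups)


# The three handshake lines from slide 45.
HANDSHAKE = [
    "20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    "20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)",
    "20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)",
]
# The FIN exchange (last four lines) from slide 47.
TEARDOWN = [
    "20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)",
    "20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)",
    "20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)",
    "20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)",
]
# Constructed: segment 34:44 never arrives, so the client keeps acking 34 (three duplicates).
DUP_ACKS = [
    "20:49:10.000100 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1571: P 24:34(10) ack 6 win 32767 (DF)",
    "20:49:10.000200 IP Bobadilla.scu.edu.1571 > server8.engr.scu.edu.23: . ack 34 win 16940 (DF)",
    "20:49:10.000300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1571: P 44:54(10) ack 6 win 32767 (DF)",
    "20:49:10.000400 IP Bobadilla.scu.edu.1571 > server8.engr.scu.edu.23: . ack 34 win 16940 (DF)",
    "20:49:10.000500 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1571: P 54:64(10) ack 6 win 32767 (DF)",
    "20:49:10.000600 IP Bobadilla.scu.edu.1571 > server8.engr.scu.edu.23: . ack 34 win 16940 (DF)",
    "20:49:10.000700 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1571: P 64:74(10) ack 6 win 32767 (DF)",
    "20:49:10.000800 IP Bobadilla.scu.edu.1571 > server8.engr.scu.edu.23: . ack 34 win 16940 (DF)",
]

if __name__ == "__main__":
    print("handshake ok:", check_handshake([parse_line(l) for l in HANDSHAKE]))
    print("close:", close_type([parse_line(l) for l in TEARDOWN]))
    print("duplicate acks:", count_duplicate_acks([parse_line(l) for l in DUP_ACKS]))
```

A duplicate-ACK count of three per sender is the point at which slide 50 says the sender will retransmit; in a capture, a connection that accumulates far more than that without ever advancing is the first thing to look at when diagnosing loss or a middlebox dropping segments.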
