Network Defense COEN 250
Network Protocols: Layering • Complexity of networking leads to layered architectures. • TCP/IP stack has four levels. • OSI has seven.
Network Protocols: Layering • Each layer adds a header. • Application • TCP • IP • Link
Data Link Layer • Sits on top of physical layer, which provides • Hardware specification • Encoding and signaling • Data transmission and reception • Topology and physical network design • Example Data Link Layers: • Ethernet • Token Ring • FDDI • Wi-Fi (802.11) • Divided into two sublayers • Logical Link Control • Media Access Control (MAC)
Link Layer Address Resolution • Network Interface Cards (NIC) • Unique Medium Access Control (MAC) number • Now typically changeable • In order to accommodate device change when using authentication through MAC address • Format 48b written as twelve hex bytes. • First 6 identify vendor. • Last 6 serial number. • NICs either select based on MAC address or are in promiscuous mode (capture every packet).
Link Layer Address Resolution • Address Resolution Protocol (ARP) • Resolves IP addresses to MAC addresses • RFC 826
Link Layer: ARP Resolution Protocol • Assume node A with IP address 10.10.10.100 and MAC 00:01:02:03:04:05 wants to talk to IP address 10.10.10.101. • Sends out a broadcast who-has request: 00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42 who-has 10.10.10.101 • All devices on the link capture the packet and pass it to the IP layer. • 10.10.10.101 is the only one to answer: a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply 10.10.10.101 is-at a0:a0:a0:a0:a0:a0 • A caches the value in its arp cache.
Link Layer: ARP Resolution Protocol ARP requests:
Link Layer Intrusion Detection Network monitoring tools such as Argus or Ethereal log MAC addresses.
Link Layer Forensics Example: Spike in network traffic comes from a computer with a certain IP address. However, Argus logs reveal that the traffic comes from a computer with a different MAC then the computer assigned that IP. (Spoofing) Finally, intrusion response finds the computer with that MAC, a Linux laptop that has been compromised and is used for a Denial of Service attack.
Link Layer Intrusion Detection • ARP cache can be viewed on Windows NT/2000/XP with arp –a command.
Link Layer Intrusion Detection • Some organizations log ARP information. • Routers keep ARP tables. • show ip arp • All hosts keep ARP tables. • DHCP often assigns addresses only to computers with known MAC.
Link Layer Intrusion Detection An employee received harassing e-mail from a host on the employer’s network with IP address 192.168.1.65. DHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c. This MAC belonged to a network printer. The router’s ARP table showed that the IP address 192.168.1.65. was used by a computer with MAC 00:30:65:4b:2a:5c. (IP-spoofing) Although this MAC was not on the organization’s list, there were only a few Apple computers on the network and the culprit was soon found.
Link Layer Intrusion Detection • Analyze and filter log files: • Keyword searches • E.g. for USER, PASS, login • Nicknames, channel names • Filters • Reconstruction • E.g. contents of web-mail inbox.
Link Layer Intrusion Detection NetIntercept Screenshot An example for a Network Forensics / Network Intrusion Detection commercial tool that reveals link layer evidence
ARP Package • RFC 826 • ARP package : • 0-1: Hardware type (0x0001 – Ethernet) • 2-3: Protocol type (0x0800 – IP) • 4: Number of bytes in hardware address (6 for MAC) • 5: Number of bytes in protocol address (4 for IP) • 6-7: Opcode: 1 for ARP request, 2 for an ARP reply • 8-13: Source MAC • 14-17: Source IP • 18-23: Target MAC • 24-27: Target IP
ARP Package Ethereal deassembly of ARP package
Monitoring Tools • Arpwatch • monitors ethernet activity and keeps a database of ethernet/ip address pairings.
Attacks on ARP • Package Generators for various OS. • Allow an attacker to subvert a chosen protocol • hping2 for Windows. • *NIX, XWindows: • packit • http://sourceforge.net/projects/packitgui/ • IP Sorcery • and many, many more. • Use to create arbitrary packages
Attacks on ARP • Switch Flooding • Switches contain a switch address table. • Switch address table associates ports with MAC addresses. • Switch flooding creates many false entries. • Switches fail in two different modes: • Fail open: • Switch converts into a hub. • This allows to monitor traffic through the switch from any port. • Fail closed: • Switch stops functioning. • Denial of Service (DoS) attack
Attacks on ARP • ARP Poisoning: attacker switch victim Outside world router
Attacks on ARP • ARP Poisoning: Attacker configures IP forwarding to send packets to the default router for the LAN attacker switch victim Outside world router
Attacks on ARP • ARP Poisoning: Attacker sends fake ARP to remap default router IP address to his MAC address attacker switch victim Outside world router
Attacks on ARP • ARP Poisoning: Switch now takes packet from victim and forwards it to attacker. attacker switch victim Outside world router
Attacks on ARP • ARP Poisoning: Attackers machine intercepts message for sniffing and sends it back to the switch with the MAC address of router. attacker switch victim Outside world router
Attacks on ARP http://www.watchguard.com/
RARP • RARP (Reverse Address Resolution Protocol) • Used to allow diskless systems to obtain a static IP address. • System requests an IP address from another machine (with its MAC-address). • Responder either uses DNS with name-to-Ethernet address or looks up a MAC to IP ARP table. • Administrator needs to place table in a gateway. • RARP-daemon (RARP-d) responds to RARP requests.
RARP • RARP vulnerability • Use RARP together with ARP spoofing to request an IP address and take part in communications over the network.
RARP Package • Package Format as in ARP: • 0-1: Hardware type (0x0001 – Ethernet) • 2-3: Protocol type (0x0800 – IP) • 4: Number of bytes in hardware address (6 for MAC) • 5: Number of bytes in protocol address (4 for IP) • 6-7: Opcode: 1 for ARP request, 2 for an ARP reply • 8-13: Source MAC • 14-17: Source IP • 18-23: Target MAC • 24-27: Target IP
IP • Uses IP addresses of source and destination. • IP datagrams are moved from hop to hop. • “Best Effort” service. • Corrupted datagrams are detected and dropped.
IP • Addresses contain IP address and port number. • IPv4 addresses are 32 bit longs • IPv6 addresses are 8*16 bits long.
DHCP • Dynamic Host Configuration Protocol • Evolved from TCP/IP Boot Protocol BOOTP • Solves problem of disk-less workstations • Boot process: • First obtain IP address • Then download OS etc. • BOOTP client sends broadcast to UDP port 67 (BOOTREQUEST) • BOOTP server listens on that port • Replies to client by either • Use client’s hardware address to create ARP entry • Use broadcast • Client downloads OS (using e.g. TFTP)
DHCP • Assigns addresses • Manual allocation (just as BOOTP) • Single point of administration • Automatic Allocation • DHCP assigns address to a given device automatically from a pool of addresses • Dynamic Allocation • DHCP assigns an address from a pool of addresses for the length of a lease • Addresses are reused and shared • Clients need to renew a lease periodically • If clients are rebooting, but still have an active lease, they reconfirm their lease during reboot. • If renewal fails, clients will rebind to any active DHCP server • Clients can release a DHCP assigned IP address
DHCP • Attacks • Denial of Service • Attacker sends DHCP requests, using up all IP address in pool • Attacker uses random MAC addresses • Switches can limit the number of MAC addresses used on a given link and prevent this attack
DHCP • Attacks • Man in the Middle Attack: Default Gateway • Attacker assigns DHCP addresses by • Attacker disables DHCP server and then operates own DHCP server • Attacker runs faster DHCP server • Attacker specifies itself as default gateway • Attacker redirects traffic from victim through itself
DHCP • Attacks • Man in the Middle Attack: DNS Redirection • Attacker assigns DHCP addresses • Attacker specifies itself as the DNS server • Attacker only redirects traffic to selected IP addresses • Banking, Shopping, …
IP: ICMP • Internet Control Message Protocol • Created to deal with non-transient problems. For example • Fragmentation is necessary, but the No Frag flag is set. • UPD datagram sent to a non-listening port. • Ping. • Used to detect network connectivity before it became too useful for attack reconnaissance. • Does not use ports. • Allows broadcasting. • More on ICMP later
IP: ICMP • ICMP error messages should not be sent: • For any but the first fragment. • A source address of broadcast or loopback address. • Are probably malicious, anyway. • Otherwise: ICMP messages could proliferate and throttle a network
IP: ICMP • ICMP errors are not sent: • In response to an ICMP error message. • Otherwise, craft a message with invalid UDP source and destination port. Then watch ICMP ping-pong. • A destination broadcast address. • Don’t answer with destination unreachable for a broadcast. Otherwise, this makes it trivial to scan a network.
Transport Layer: TCP and UDP • Transmission Control Protocol (TCP) • Reliable • Connection-Oriented. • Slow • User Datagram Protocol (UDP) • Unreliable • Connectionless. • Fast.
TCP • Only supports unicasting. • Full duplex connection. • Message numbers to prevent loss of messages.
TCP:Three Way Handshake • Initiator to responder: Syns • Responder to initator: Acks, Synt • Initiator to responder: Ackt • Sets up two connections with initial message numbers s and t.
TCP:Three Way Handshake • 20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) • 20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF) • 20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF) Sequence number Flag Window: number of bytes accepted
TCP:Terminating Connections • Graceful shutdown • Party 1 to Party 2: Fin • Party 2 to Party 1: Ack • Party 2 to Party 1: Fin • Party 1 to Party 2: Ack • Abrupt shutdown • Party 1 to Party 2: Res
TCP:Shutting down a connection • 20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF) • 20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF) • 20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF) • 20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF) • 20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF) • 20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF) • 20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF) • 20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)
TCPExchanging Data • Each packet has a sequence number. • (One for each direction.) • Initial sequence numbers are created during initial three way handshake. • NMap uses the creation of these sequence numbers to determine the OS. • OS are now much better with truly random sequence numbers.
TCP Exchanging Data • Party that receives packet sends an acknowledgement. • Acknowledgement consists in • Ack flag. • Sequence number of the next package to be expected. • (TCPDump shows number of bytes acknowledged).
TCP Exchanging Data • If a package is lost, then the ack sequence number will not change: • “Duplicate acknowledgement” • Depending on settings, sender will resend, after at most three stationary ack numbers. • Also, senders resend after timeout.