
CS 445 / 645 Internet Security Mon & Wed, 11:30 AM ~ 12:45 PM @ SEB 1240 Spring, 2012


Presentation Transcript


  1. School of Computer Science
     CS 445 / 645 Internet Security
     Mon & Wed, 11:30 AM ~ 12:45 PM @ SEB 1240, Spring 2012
     Wednesday, Feb. 22, 2012
     CS 445 – Internet Security

  2. Review
     • Quiz at the end of class

  3. ICMP and Traceroute
     • Source sends a series of UDP segments to the destination
       • First has TTL = 1
       • Second has TTL = 2, etc.
     • When the n-th datagram arrives at the n-th router:
       • Router discards the datagram (TTL = 0)
       • And sends the source an ICMP message (type 11, code 0)
     • When the ICMP message arrives, the source calculates the RTT
     • Traceroute does this 3 times
     • On Windows, “tracert”

  4. MAC address vs. IP address
     (Figure: OSI layers – Application, Presentation, Session, Transport, Network, Data Link, Physical)
     • A computer has two addresses
     • MAC address (Data Link Layer) works only within a LAN
     • To send across multiple LANs, you need to use the IP address (Network Layer)
     • If you know only your destination’s IP address, how can you find out its MAC address?
     • Without the MAC address, you can’t deliver it

  5. Autonomous System (AS)
     • A collection of IP networks and routers under the control of one entity, typically an Internet service provider or a very large organization
     • A unique AS number is allocated to each AS
       • 32-bit number (was 16-bit until 2007)
       • http://www.cidr-report.org/as2.0/autnums.html
       • Over 35,000 ASes
     • Search the ASN for my IP
       • http://whois.arin.net/ui

  6. Routing Algorithms in the Internet
     • Within an AS: Interior Gateway Protocol (IGP): OSPF, RIP
       • Based on performance
       • OSPF is a link state algorithm – complete topology information is disseminated
     • Between ASes: Exterior Gateway Protocol (EGP): BGP
       • Based on policy. Not a link state algorithm. Why not?
       • Can’t store all destinations in routing tables
         • Number of hosts in the Internet: 888,239,420 in Jan 2012 (http://www.isc.org/solutions/survey)
       • Routing table exchange would swamp the links!
     • Routers in different ASes can run different IGPs

  7. Attacks in Network Layer
     • Network scanning
       • Ping sweeping: find live systems
       • Network mapping
       • Anonymous scanning with IP sequence number predictability
     • Avoiding detection
       • IP fragmentation attack
       • IP address spoofing attack
     • Killing the target
       • Denial-of-service attack

  8. 1. Ping Sweeping
     • Most port scanners determine if an address is in use before scanning it
     • Ping sweeping
       • Sending ICMP echo requests to a wide range of IP addresses
       • If the target replies, a system is on the network
       • If it does not reply, the system
         • may not be on the network
         • may have turned off the ICMP service
         • a firewall may be blocking ICMP
     • Ping sweeps can be easily detected by a properly configured IDS (Intrusion Detection System)

  9. 2. Network Mapping
     • Network topology
       • Internet connectivity – DMZ, perimeter networks
       • Internal network (with access from a modem or wireless access point)
     • The attacker can better plan an attack by understanding the topology of the target network
       • The layout of routers and hosts can show vulnerabilities
       • Or at least let the attacker know where the potential targets are
     • Cheops-ng: http://cheops-ng.sourceforge.net
     • Zenmap: http://nmap.org/zenmap/

  10. 2. Network Mapping – Zenmap (http://nmap.org/download.html)

  11. Computer Network Attacks Overview – Layer 3 (Network layer), continued

  12. 3. Stealthy scanning
     • nmap (more later) has a stealthy scanning mode
       • Nmap scans a target for open ports
     • Using the real IP address is dangerous to the attacker
       • The attacker wants to spoof the source IP address to prevent trace back
       • But then, the reply won’t return to the attacker!
     • What can the attacker do?
       • Use the predictability of the ID field to infer the reply

  13. IP Packet (v4)
     Header layout (Bit 0 – Bit 31):
     • Version (4 bits) = 0100 | Header Length (4 bits) | Type of Service (8 bits) | Total Length (16 bits)
     • Identification (16 bits) | Flags | Fragment Offset (13 bits)
     • Time to Live (8 bits) | Protocol (8 bits): 1 = ICMP, 6 = TCP, 17 = UDP | Header Checksum (16 bits)
     • Source IP Address (32 bits)
     • Destination IP Address (32 bits)
     • Options (if any) | Padding
     • Data Field (variable)
     Options: timestamp, record route taken, specify list of routers to visit, etc.

  14. 3. Stealthy scanning – IP Identification Field
     • The IP Identification field
       • Used for packet fragmentation to group all fragments together for packet reassembly
       • Has a unique value, which can be assigned randomly or incrementally
       • If incremental, each packet gets a value that is one bigger than the previous packet’s value
     • TCP 3-way handshaking process
       • SYN (Client sends to a server)
       • SYN-ACK (Server replies if the TCP port is open)
       • ACK (Client confirms)

  15. 3. Stealthy scanning – step 1
     (Diagram: Intermediary and Target)
     1. SYN (to the Intermediary)
     2. SYN-ACK with ID = X
     3. Remember ID = X

  16. 3. Stealthy scanning – step 2
     (Diagram: Intermediary and Target)
     4. Spoofed SYN to TCP port p (of the Target)
     5. SYN-ACK from port p
     6. RST, ID = X+1
     7. SYN (to the Intermediary)
     8. SYN-ACK

  17. So what?
     • Consider step 6
       • A RST is sent only when it receives a SYN-ACK
       • If it doesn’t receive a packet, no reply is sent
     • Okay, so?
       • Step 7 is important to the attacker.
       • The attacker sends a packet again to the intermediary
       • The reply will have an ID value of either X+1 or X+2
         • If X+2, the intermediary sent a RST, so the port is open
         • If X+1, the intermediary didn’t send a RST, so the port is closed
     • Note
       • The IP ID value of the intermediary must be predictable. That is, it should not be busy, otherwise the ID value will increase unpredictably. Nmap calls this “idle” scanning.
     • Defense?
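To answer the “Defense?” question, here is an added toy model of steps 1–8 (not code from the lecture): the same inference is run against an intermediary that hands out IP IDs incrementally and against one that hands them out from a supplied randomized sequence, and only the first one leaks the port state. Hosts, ports and ID values are all constructed for the demonstration.

```python
# Added example, not from the lecture slides: a model of slides 15-17 showing why
# the X+1 / X+2 inference only works when the intermediary's IP ID is incremental,
# i.e. why randomizing the IP ID field is the defense. All values are constructed.


class Intermediary:
    """Idle host. Every packet it emits carries the next IP ID from its policy."""

    def __init__(self, ids=None, start=1000):
        # ids: optional iterator of explicit (randomized) IDs; otherwise +1 per packet
        self.ids, self.counter = ids, start

    def next_id(self):
        if self.ids is not None:
            return next(self.ids)          # randomized IDs: the hardened stack
        self.counter += 1                  # incremental IDs: predictable
        return self.counter

    def on_syn(self):
        """A SYN to one of its own ports is answered with a SYN-ACK (one ID used)."""
        return self.next_id()

    def on_unsolicited_syn_ack(self):
        """A SYN-ACK it never asked for is answered with a RST (one ID used)."""
        return self.next_id()


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def on_syn(self, port, apparent_source):
        # An open port answers SYN-ACK to the (spoofed) source, i.e. the intermediary;
        # a closed port answers RST, which the intermediary silently drops.
        if port in self.open_ports:
            apparent_source.on_unsolicited_syn_ack()


def infer_port_state(target, intermediary, port):
    """Steps 1-8 of slides 15-17; returns what an observer of the IDs concludes."""
    x = intermediary.on_syn()              # steps 1-3: SYN-ACK carries ID = X
    target.on_syn(port, intermediary)      # steps 4-6: spoofed SYN, maybe a RST
    y = intermediary.on_syn()              # steps 7-8: SYN-ACK carries X+1 or X+2
    if y == x + 2:
        return "open"
    if y == x + 1:
        return "closed"
    return "unknown"                       # randomized IDs defeat the inference
```

With `Intermediary()` the result tracks the real port state; with `Intermediary(ids=iter([...]))` fed non-sequential values it is always "unknown", which is the behaviour a randomized-ID stack gives a scanner.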

  18. 4. IP Fragmentation Attacks
     • Useful in avoiding detection by some network-based Intrusion Detection Systems (IDS)
     • Can be used for scanning and exploiting
     • The principles are described in the paper “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection” (January 1998)
       • http://www.creangel.com/papers/Eluding%20Network%20Intrusion%20Detection.pdf

  19. IP Fragmentation and Reassembly
     Example
     • 4000 byte datagram
     • MTU = 1500 bytes
     • Note: IP header = 20 bytes
     One large datagram becomes three smaller datagrams:
     | datagram | length | ID | fragflag | offset | bytes in data field |
     | original | 4020 | x | 0 | 0 | 4000 |
     | fragment 1 | 1500 | x | 1 | 0 | 1480 |
     | fragment 2 | 1500 | x | 1 | 185 | 1480 |
     | fragment 3 | 1060 | x | 0 | 370 | 1040 |
     • offset (starting location in 8-byte units) = 1480/8

  20. Attack detection at IDS
     • Consider an attack: “cat /etc/passwd”
     • The IDS will match the string “/etc/passwd”
     • How can the attacker avoid detection?
       • Use fragmentation, because the IDS may look only at each fragment
     (Figure: Attacker → Network → IDS → target, carrying “cat /etc/passwd”)

  21. How can she use IP fragmentation?
     • Tiny fragment attack
       • Break a string into smaller pieces
       • “cat /etc/p” + “asswd”
     • Fragment overlap attack
       • Break into pieces, and make them overlap to hide the original content
       • “cat /etc/paqxyhs” + “sswd” (with offset 11)
     • See RFC 1858, Security Considerations for IP Fragment Filtering

  22. IP Fragment Attack Tools
     • Fragrouter
       • Written by Dug Song
       • All packets entering one interface go out the other interface fragmented
       • The attacker can specify how fragmentation will occur
         • Fragment size, out of order, etc.
     • An improved version: Fragroute, released in 2002

  23. Fragroute

  24. Handling Reassembly
     • How do OSes handle overlapped fragments?
     • Different OSes reassemble packets differently
     • Examples
       • Earliest fragments can’t be overlapped
       • The fragment with the lowest offset will overwrite the others, regardless of arrival time
       • Complete overlap and partial overlap are handled differently in different OSes
     • The same set of IP fragments may have very different results in different OSes, which may be harmful or harmless
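The fragmentation arithmetic of slide 19 and the tiny-fragment and overlap cases of slide 21, as an added example (not code from the lecture): `fragment()` reproduces the 1500/1500/1060 split of the 4000-byte datagram, and `check_fragments()` applies the checks an RFC 1858 style fragment filter would make before any reassembly, also flagging a fragment whose bytes would extend past the 65535-byte IPv4 maximum. Fragments are modelled as `(id, more_fragments, offset_in_8_byte_units, total_length)` tuples; all values are constructed.

```python
# Added example, not from the lecture slides: slide 19's fragmentation arithmetic and
# the RFC 1858 style checks for the tiny-fragment / overlap cases of slide 21.
# A fragment is (id, more_fragments, offset in 8-byte units, total length).
IP_HDR = 20            # slide 19 assumes a 20-byte header (no options)
MAX_IP_LEN = 65535     # largest IPv4 datagram, header included


def fragment(data_len, mtu, ident, hdr=IP_HDR):
    """Split a datagram carrying data_len payload bytes into MTU-sized fragments."""
    per_frag = (mtu - hdr) // 8 * 8     # non-final fragments carry a multiple of 8 bytes
    frags, off = [], 0
    while off < data_len:
        n = min(per_frag, data_len - off)
        more = 1 if off + n < data_len else 0
        frags.append((ident, more, off // 8, hdr + n))
        off += n
    return frags


def check_fragments(frags, min_first=16, hdr=IP_HDR):
    """Findings for one datagram's fragments (all carrying the same id).

    min_first: a first fragment with fewer data bytes than this cannot hold the
    transport header, so RFC 1858 recommends discarding it (tiny fragment attack).
    """
    findings, spans = [], []
    for ident, more, off, total in frags:
        start, end = off * 8, off * 8 + (total - hdr)   # byte range in reassembly
        if end > MAX_IP_LEN:
            findings.append(f"id={ident}: reassembly would exceed {MAX_IP_LEN} bytes")
        if off == 0 and more and total - hdr < min_first:
            findings.append(f"id={ident}: tiny first fragment ({total - hdr} data bytes)")
        if more and (total - hdr) % 8:
            findings.append(f"id={ident}: non-final fragment data not a multiple of 8")
        for s, e in spans:               # overlap with any fragment seen so far
            if start < e and s < end:
                findings.append(f"id={ident}: bytes [{start},{end}) overlap [{s},{e})")
        spans.append((start, end))
    return findings
```

A clean split such as `fragment(4000, 1500, 42)` yields no findings, while an 8-byte first fragment or a second fragment whose offset falls inside the first is reported before any OS-specific reassembly behaviour comes into play.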

  25. 5. IP address spoofing attack
     • Attackers don’t want to be traced
     • But simply changing the source IP is not very useful unless they simply want to bombard a victim
       • The reply from the victim goes to the spoofed IP address.
     • However, attackers can communicate with the victim by guessing the victim’s response
     • How? By predicting the TCP sequence number

  26. TCP Sequence Number (Layer 4)
     • TCP has a capability of error recovery
       • packet loss, reordered packets, duplicate packets
       • If lost, retransmit the lost one
     • Sequence and Acknowledgement Number
       • Unit = bytes
       • Sequence numbers identify a segment’s place in the sequence
       • ISN: Initial Sequence Number
       • The acknowledgement number identifies which segment is being acknowledged
     (Header fields: Sequence Number (32 bits), Acknowledgment Number (32 bits))

  27. TCP 3-way handshaking (Layer 4)
     PC Transport Process ↔ Webserver Transport Process
     1. SYN (Open)
     2. SYN, ACK (1) (Acknowledgement of 1)
     3. ACK (2)
     • ISN is included in SYN

  28. 5. IP address spoofing attack
     A: Victim; B: Trusted machine by victim (login); X, Y: data size
     0. Record the ISN from regular 3-way handshaking with A: harvest ISN_A values without spoofing (send SYN and get SYN-ACK)
     1. Silence B (SYN flooding DoS attack on port 513, rlogin)
     2. Hacker → A: Syn (B, ISN_B)
     3. A → B: Ack (B, ISN_B + X), Syn (A, ISN_A)
     4. Hacker → A: Ack (B, ISN_A + Y)

  29. Then what?
     • The hacker has a one-way connection to the victim which appears to be from the trusted machine.
     • It can maintain the connection and send data if it properly ACKs any data sent by the victim.
     • The message: rsh victim "echo + + >>/.rhosts" (makes the victim accessible from all hosts)
     • Total elapsed time since the first spoofed packet: < 16 seconds

  30. Real IP address spoofing attack
     • Used by Kevin Mitnick in December 1994 to attack Tsutomu Shimomura’s computer
     • The incident inspired the books “Takedown” and “The Fugitive Game” and a movie, “Trackdown”
     • The detailed story, timeline, and evidence (tcpdump) are available at http://www.takedown.com and http://www.gulker.com/ra/hack

  31. Kevin Mitnick vs. Tsutomu Shimomura
     • Kevin Mitnick, then and now…
       • http://mitnicksecurity.com
     • Books: The Art of Deception, The Art of Intrusion, …

  32. Lessons from IP Spoofing attack
     • Make the Initial Sequence Numbers as unpredictable as possible
       • Need to install patches for TCP/IP stacks
       • Random since Windows NT and Windows 2000
     • Be careful with trust relationships
       • Both Windows and Unix
       • Do not extend trust outside of the firewall
       • Do not use r-commands
     • Don’t base authentication on IP addresses
       • Use passwords, crypto, or other techniques
     • Ultimate solution? Use encryption (SSH)

  33. 6. Denial-of-Service Attacks
     • Making a computer resource unavailable to its intended users
       • Disable the victim machine
       • Congest the communication link to the victim
     • Types
       • Malformed packet attack
         • exploits a fault in the protocol stack or OS
       • Packet flooding attack (to be covered later)
     • Both single-source attacks and distributed attacks are possible

  34. Ping of Death Attack
     • Sending a very large ping packet to a victim can crash some operating systems (1996)
     • Most operating systems before 1997 or so crashed or rebooted when the IP packet size exceeded the maximum length (65535 bytes)
     • Ping packet sizes
       • Normally 64 bytes including the 8 byte ICMP header
       • The largest IP size is 65535 bytes including the 20 byte header
       • Maximum data size = 65535 – 20 – 8 = 65507
     • How to send a packet greater than 65507?
       • Use fragmentation: in the last fragment, make (offset + size) > 65535
       • C:\> ping -l 65527
       • Overflows the memory buffer

  35. Smurf Attack (ICMP flooding)
     • Smurf sends an ICMP echo request (ping) to a network’s broadcast address with the source IP address spoofed as the victim’s address
       • Can be from a remote host (= directed broadcast)
     • All the replies go to the poor victim
     • Prevention is easy
       • Filter out ICMP echo reply
       • In a Cisco router, specify “no ip directed-broadcast”
     (Figure: Broadcast ping spoofed from 10.1.1.1 → 131.216.18.255; replies go to 10.1.1.1)

  36. Other DoS Attacks
     • Land Attack (1997)
       • Send a TCP SYN packet with the source address spoofed to the victim’s address
       • The machine replies to itself continuously and crashes
       • Firewalls can block it
     • Teardrop
       • Sending IP fragments with overlapping oversized payloads
     • WinNuke
       • Sending data to TCP port 139 crashes the victim

  37. DoS Suites
     • There are many others
       • bonk (Win95), jolt (variation of Ping of Death), land, teardrop, nestea (Linux 2.0, teardrop), newtear, syndrop, …
     • Instead of launching each one of these, you can conveniently use a DoS suite
       • Targa, by Mixter, with 8 different DoS malformed packet attacks
       • Xcrush, by Anon, with 33 different DoS malformed packet attacks
       • Spike, by Spikeman, with 33 different DoS malformed packet attacks
       • Toast, by Gridmark, with 49 different malformed packet attacks

  38. DoS Tools Archive
     • 250+ suites are available at http://www.packetstormsecurity.org/DoS/
     • http://tools.l0t3k.net/Denial/targa.c
     • Cf. DDoS (Distributed DoS) will be covered later at the Transport layer

  39. Wrapping up
     • We studied
       • Attacks in the Network layer
     • Next class
       • Transport layer overview
       • Transport layer attacks
     • Quiz now
