Address Spoofing and Denial of Service - PowerPoint PPT Presentation

Presentation Transcript

  1. Address Spoofing and Denial of Service
  Agenda
  • MAC Modification
  • Address Resolution Protocol Trickery
  • IP Address Spoofing
  • TCP Session Hijacking
  • Domain Name Spoofing
  • Email Spoofing (not in lab)
  • Denial of Service
  ECE 4112 - Internetwork Security

  2. IP Spoofing and Denial of Service: Lab Exercises
  • Medium Access Control Address Spoofing
    • Windows XP MAC modification
    • Linux MAC modification
  • IP Spoofing
    • From Windows: wINJECT
    • From Linux: fraggle.c
  • Domain Name System Spoofing
    • dsniff tool
  • Denial of Service
    • datapool tool
    • synful
    • teardrop
    • udpflood

  3. The Ethernet Frame - IEEE 802.3
  • Destination and Source MAC addresses are the fields modified for spoofing.

  4. MAC Modification/Spoofing
  • Change the MAC on a host (cloning)
    • Linux (ifconfig)
    • Windows network settings
  • Creating link-layer packets (spoofing)
    • libnet (API)
    • Linkcat (tool: netcat for the link layer)

  5. Modifying Windows XP Network Interface

  6. Modifying Windows XP Network Interface (continued)

  7. Modifying Linux Network Interface

  8. Address Resolution Protocol (ARP)
  • Method for finding a host's Ethernet address
  • Broadcast message asking which host holds the IP address
  • Hosts maintain a cache to avoid frequent requests

  9. ARP Cache Poisoning
  • Man in the Middle (MitM) attack
  • Session stealing
  • Packet/data injection
  • Beat the switch
  • Making a switch into a hub
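
The defensive counterpart of the poisoning described above, as an added example that is not part of the slides or of any tool they mention: an arpwatch-style monitor that records the first IP-to-MAC binding it sees and raises an alert on the two things poisoning produces on the wire, an IP that suddenly answers from a different MAC, and one MAC claiming several IPs (which is what a man-in-the-middle host does when it claims both the gateway and the victim). All addresses are constructed sample values.

```python
"""Added example, not from the ECE 4112 slides: an arpwatch-style monitor that keeps
the first IP-to-MAC binding it sees and flags the two signatures of ARP cache
poisoning on the wire. Addresses below are constructed sample values."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str     # the IP this reply claims to speak for
    sender_mac: str    # the hardware address offered for that IP
    target_ip: str     # the host the reply was addressed to


class ArpMonitor:
    def __init__(self, max_ips_per_mac: int = 1):
        # raise max_ips_per_mac on a network where hosts legitimately alias several addresses
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts = []

    def observe(self, r: ArpReply) -> list:
        """Record the binding; return the alerts raised by this one reply (empty if benign)."""
        mac = r.sender_mac.lower()
        raised = []
        known = self.ip_to_mac.get(r.sender_ip)
        if known is None:
            self.ip_to_mac[r.sender_ip] = mac          # first sighting: trust on first use
        elif known != mac:
            raised.append(f"flip: {r.sender_ip} was {known}, now claimed by {mac}")
        self.mac_to_ips[mac].add(r.sender_ip)
        if len(self.mac_to_ips[mac]) > self.max_ips_per_mac:
            raised.append(f"fanout: {mac} now claims {sorted(self.mac_to_ips[mac])}")
        self.alerts.extend(raised)
        return raised


# Constructed trace: gateway 10.0.0.1 and victim 10.0.0.5 answer each other normally,
# then a third MAC answers for both of them, as arpspoof-style poisoning would.
SAMPLE_REPLIES = [
    ArpReply("10.0.0.1", "00:11:22:33:44:01", "10.0.0.5"),
    ArpReply("10.0.0.5", "00:11:22:33:44:05", "10.0.0.1"),
    ArpReply("10.0.0.1", "DE:AD:BE:EF:00:99", "10.0.0.5"),
    ArpReply("10.0.0.5", "DE:AD:BE:EF:00:99", "10.0.0.1"),
]


def run_sample() -> ArpMonitor:
    mon = ArpMonitor()
    for reply in SAMPLE_REPLIES:
        mon.observe(reply)
    return mon


if __name__ == "__main__":
    for line in run_sample().alerts:
        print(line)
```

The monitor trusts the first binding it sees, so one started after poisoning has already happened would learn the attacker's MAC as the legitimate one; in practice the table is seeded from DHCP leases or a static inventory, and the alerts feed a SIEM rather than a print loop.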

  10. Arpspoof Example

  11. Network and Transport Layers
  • Internet Protocol (IP)
  • Internet Control Message Protocol (ICMP)
  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)
  • TCP Session Hijacking

  12. Internet Protocol (IP)
  Figure: IPv4 header fields: version, IHL, type of service, total length, identification, flags (DF, MF), fragment offset, time to live, protocol, header checksum, source address, destination address, options (0 or more words)
  • IP provides a best-effort way to route datagrams from source to destination
  • Source address, destination address: network number and host number
  • IP spoofing: change or disguise the source address

  13. IP Spoofing
  • Non-blind attacks
    • Attacker and target on the same subnet
    • Reply traffic can be sniffed
  • Blind attacks
    • Attacker and target on different subnets
    • Reply traffic cannot be seen by the attacker
    • Attacker must be able to predict replies

  14. IP Spoofing
  • Attacks made possible by IP spoofing include:
    • Denial of Service (DoS)
    • Session Hijacking
    • Man in the Middle
  • To take over a TCP stream, sequence and acknowledgement numbers must be sniffed or predicted.

  15. Transmission Control Protocol (TCP)
  Figure: TCP header fields: source port, destination port, sequence number, acknowledgement number, header length, flags (URG, ACK, PSH, RST, SYN, FIN), window size, checksum, urgent pointer, options (0 or more 32-bit words), data (optional)
  • Source and destination ports
  • Sequence and acknowledgement numbers
  • Reliability: checksum (not tamperproof)
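
The IPv4 and TCP header layouts of slides 12 and 15, as an added example that is not from the slides: it builds a minimal segment, decodes the fields named above, and verifies both checksums. It also shows exactly what "not tamperproof" means: the checksum catches a corrupted source address, but a sender who rewrites the address and recomputes the checksum produces a segment that verifies, so the checksum detects accidents, not intent. Addresses, ports and sequence numbers are constructed sample values.

```python
"""Added example, not from the ECE 4112 slides: build a minimal IPv4+TCP segment,
parse the header fields named on slides 12 and 15, and check both checksums.
Addresses and ports are constructed sample values."""
import socket
import struct

TCP_FLAGS = {0x20: "URG", 0x10: "ACK", 0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum; over a header that already carries a correct checksum it is 0."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    # The TCP checksum also covers source/destination address and protocol (6) from IP.
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
              flags: int, window: int = 8192, data: bytes = b"") -> bytes:
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = tcp_pseudo_header(socket.inet_aton(src), socket.inet_aton(dst), len(hdr) + len(data))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr + data)) + hdr[18:] + data


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64, ident: int = 0x1234) -> bytes:
    # version 4, IHL 5; DF set, MF clear, offset 0; protocol 6 = TCP; checksum filled in after
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, ttl, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse(packet: bytes) -> dict:
    """Decode the IPv4 and TCP headers and report whether each checksum verifies."""
    ihl = (packet[0] & 0x0F) * 4
    ver_ihl, _tos, total, _ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ip_hdr, tcp = packet[:ihl], packet[ihl:total]
    sport, dport, seq, ack, _off, flags, _win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    return {
        "version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ip_checksum_ok": checksum(ip_hdr) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
        "tcp_checksum_ok": checksum(tcp_pseudo_header(src, dst, len(tcp)) + tcp) == 0,
    }


def rewrite_source(packet: bytes, new_src: str) -> bytes:
    """Change the source address and recompute both checksums. The result verifies,
    which is why the checksum cannot authenticate the source: it detects corruption in
    transit, not a deliberate edit by whoever assembled the packet."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    ip_hdr[12:16] = socket.inet_aton(new_src)
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", checksum(ip_hdr))
    tcp[16:18] = b"\x00\x00"
    pseudo = tcp_pseudo_header(bytes(ip_hdr[12:16]), bytes(ip_hdr[16:20]), len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(pseudo + tcp))
    return bytes(ip_hdr + tcp)


def sample_segment() -> bytes:
    """Constructed sample: an ACK from 10.0.0.1:40000 to the telnet port on 10.0.0.2."""
    tcp = build_tcp("10.0.0.1", "10.0.0.2", 40000, 23, seq=1000, ack=2001, flags=0x10)
    return build_ipv4("10.0.0.1", "10.0.0.2", tcp)
```

Because `checksum()` over a correctly checksummed header folds to zero, `parse()` can verify without knowing which bytes hold the checksum; the same property is what makes a recomputed checksum indistinguishable from an original one, which is why source validation has to come from ingress filtering or cryptographic authentication rather than from the header itself.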

  16. Transmission Control Protocol (TCP)
  • Packet types (flag bits)
    • URG - Urgent
    • ACK - Acknowledge
    • PSH - Push
    • RST - Reset
    • SYN - Synchronize (can flood a server)
    • FIN - Finish

  17. Transmission Control Protocol (TCP) (4)
  Figure: three-way handshake between Host 1 and Host 2: SYN (SEQ=x); SYN (SEQ=y, ACK=x+1); (SEQ=x+1, ACK=y+1)
  • TCP connection initiation
  • Three-way handshake

  18. Session Hijacking
  • Session hijacking attacks are based on sniffing and IP spoofing
  • Attacker monitors packets between Alice and Bob
  • Attacker injects spoofed traffic with a source IP address of Alice
  Figure: Alice connects to Bob over the network with telnet; the attacker's injected packet says "Hi, I am Alice"
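
The handshake of slide 17 and the sequence-number requirement of slides 14 and 18, as an added example that is not from the slides: two in-process toy endpoints complete the three-way handshake with random initial sequence numbers, and the receiver then applies the receive-window check that decides whether an injected segment is delivered. A segment whose SEQ was sniffed passes; one whose SEQ was guessed (blind spoofing from another subnet) lands outside the window and is logged instead. Endpoint names, window size and the guessed offset are assumptions of the example.

```python
"""Added example, not from the ECE 4112 slides: toy endpoints that run the three-way
handshake with random ISNs, then apply the receive-window check that makes a blindly
spoofed segment almost certain to be dropped. Nothing is sent on a network."""
import secrets
from dataclasses import dataclass, field

MASK = 0xFFFFFFFF   # sequence numbers are 32-bit and wrap


@dataclass
class Segment:
    seq: int
    ack: int
    flags: frozenset
    data: bytes = b""


@dataclass
class Endpoint:
    name: str
    state: str = "CLOSED"
    snd_nxt: int = 0        # next sequence number this side will send
    rcv_nxt: int = 0        # next sequence number expected from the peer
    rcv_wnd: int = 8192     # bytes of not-yet-acknowledged data this side will accept
    dropped: list = field(default_factory=list)

    def connect(self) -> Segment:
        """Client: SYN (SEQ=x). A random ISN is the defence against ISN prediction."""
        self.snd_nxt = secrets.randbits(32)
        self.state = "SYN_SENT"
        return Segment(self.snd_nxt, 0, frozenset({"SYN"}))

    def on_syn(self, s: Segment) -> Segment:
        """Server: SYN (SEQ=y, ACK=x+1)."""
        self.rcv_nxt = (s.seq + 1) & MASK
        self.snd_nxt = secrets.randbits(32)
        self.state = "SYN_RCVD"
        return Segment(self.snd_nxt, self.rcv_nxt, frozenset({"SYN", "ACK"}))

    def on_syn_ack(self, s: Segment) -> Segment:
        """Client: (SEQ=x+1, ACK=y+1); the SYN consumed one sequence number."""
        if s.ack != (self.snd_nxt + 1) & MASK:
            raise ValueError(f"{self.name}: SYN-ACK acknowledges the wrong sequence number")
        self.snd_nxt = (self.snd_nxt + 1) & MASK
        self.rcv_nxt = (s.seq + 1) & MASK
        self.state = "ESTABLISHED"
        return Segment(self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))

    def on_ack(self, s: Segment) -> None:
        """Server: the final ACK completes the handshake."""
        if s.ack != (self.snd_nxt + 1) & MASK:
            raise ValueError(f"{self.name}: ACK does not match our SYN")
        self.snd_nxt = (self.snd_nxt + 1) & MASK
        self.state = "ESTABLISHED"

    def accept_data(self, s: Segment) -> bool:
        """Accept only segments whose SEQ lands inside [rcv_nxt, rcv_nxt + rcv_wnd).
        A spoofer who has not sniffed the stream must guess a 32-bit number that falls
        in this window, so out-of-window segments are logged rather than delivered."""
        if self.state != "ESTABLISHED":
            return False
        offset = (s.seq - self.rcv_nxt) & MASK
        if offset >= self.rcv_wnd:
            self.dropped.append(f"{self.name}: seq {s.seq:#010x} outside window at {self.rcv_nxt:#010x}")
            return False
        if offset == 0:                       # in order: consume it
            self.rcv_nxt = (self.rcv_nxt + len(s.data)) & MASK
        return True


def handshake() -> tuple:
    alice, bob = Endpoint("alice"), Endpoint("bob")
    syn_ack = bob.on_syn(alice.connect())
    bob.on_ack(alice.on_syn_ack(syn_ack))
    return alice, bob


def injection_demo() -> tuple:
    """Constructed scenario: after the handshake, one segment carries a SEQ guessed far
    from Bob's window (blind spoofing), the other the SEQ a sniffer would have seen."""
    alice, bob = handshake()
    guessed = Segment((bob.rcv_nxt + 1_000_000) & MASK, bob.snd_nxt, frozenset({"ACK", "PSH"}), b"spoofed")
    sniffed = Segment(alice.snd_nxt, alice.rcv_nxt, frozenset({"ACK", "PSH"}), b"genuine")
    return bob.accept_data(guessed), bob.accept_data(sniffed), bob
```

The window check is the receiver's only built-in protection, and it is probabilistic: with an 8 KiB window a blind guess succeeds about once in 2^19 tries, which is why predictable ISNs (the old "increment by a constant" behaviour) turned blind spoofing from a lottery into a calculation. The check does nothing against an on-path attacker who can sniff, which is the non-blind case on slide 13.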

  19. DNS Spoofing
  • Causes name resolution to return an incorrect IP address
  • In our lab, the tool dsniff is used to accomplish this

  20. DSniff
  • Collection of tools for network auditing and penetration testing
  • Tools included:
    • ArpSpoof
    • DNSspoof
    • Dsniff
    • Filesnarf
    • Macof

  21. DSniff (continued)
    • Mailsnarf
    • Msgsnarf
    • TCPKill
    • TCPnice
    • URLSnarf
    • WebSpy
    • SSHMITM
    • WebMITM

  22. DSniff
  • All kinds of attacks can be run, e.g.:
    • Password sniffing
    • Message and file capture
    • URL capture
    • Man-in-the-Middle
  • Lab exercise: DNS spoofing

  23. Email Spoofing
  • Email spoofing is effective because most people don't have time to double-check their headers all the time.
  • An email's true origin can be further obfuscated by forging extra "Received:" lines.
  • To force verification, email can be cryptographically signed.

  24. Email Spoofing
  • Email spoofing is a form of social engineering.
  • Email spoofing is also used by spammers to make it more difficult to track them.
  • A forged email can be detected by close inspection of its headers.
  • Login to SMTP (port 25) is unauthenticated, so anyone can connect and send mail.

  25. Email Spoofing (Not in Lab Assignment)
    telnet mail.xyz.gatech.edu 25
    220 sark.xyz.gatech.edu ESMTP Sendmail 8.12.10/8.12.8; Mon, 1 Dec 2003 040500 (EST)
    HELO abc4883.com
    250 sark.xyz.gatech.edu Hello ece-237-37.abc.gatech.edu [130.207.237.37], pleased to meet you
    MAIL FROM: <fake@abc4883.com>
    250 2.1.0 <fake@abc4883.com>... Sender ok
    RCPT TO: <gotcha@abc.gatech.edu>
    250 2.1.5 <gotcha@abc.gatech.edu>... Recipient ok
    DATA
    354 Enter mail, end with "." on a line by itself
    Greetings from abc4883!
    .
    250 2.0.0 hAUMOh6c005386 Message accepted for delivery
    QUIT
    221 2.0.0 sark.xyz.gatech.edu closing connection
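
The "close inspection of its headers" that slide 24 recommends, as an added example that is not from the slides: it parses the Received: chain of a message and reports two things a receiving MTA records that the sender cannot control. The first is the HELO name disagreeing with the reverse DNS of the connecting address (exactly what the transcript above shows: HELO abc4883.com from a host the server knows as ece-237-37.abc.gatech.edu). The second is a break between consecutive hops, which a forged extra Received: line (slide 23) usually leaves, because the forger has to guess what the next real relay will write. The message is constructed; the abc4883.com name is borrowed from the transcript and the other hosts are example.com/example.net placeholders.

```python
"""Added example, not from the ECE 4112 slides: parse the Received: chain of a message
and flag a HELO/reverse-DNS mismatch and a break between consecutive hops. The sample
message is constructed."""
import re
from email import message_from_string

# "from <HELO name> (<reverse DNS> [<ip>]) by <receiving host>", the form Sendmail and
# Postfix write; relays that omit the reverse-DNS name are reported as unparsed.
HOP_RE = re.compile(r"from (?P<helo>\S+) \((?P<rdns>[^\s\[]+) \[(?P<ip>[^\]]+)\]\)\s+by (?P<by>\S+)")

# Constructed message: hop 2 is the real submission (HELO abc4883.com from an unrelated
# host); hop 3 is a Received: line the sender typed in, which breaks the chain.
SAMPLE_MESSAGE = """\
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby inbox.example.com with ESMTP; Mon, 1 Dec 2003 04:06:00 -0500
Received: from abc4883.com (host-37.example.net [198.51.100.37])
\tby mx.example.com with ESMTP; Mon, 1 Dec 2003 04:05:00 -0500
Received: from trusted.example.org (trusted.example.org [203.0.113.5])
\tby mail.abc4883.com with ESMTP; Mon, 1 Dec 2003 03:50:00 -0500
From: fake@abc4883.com
To: gotcha@example.com
Subject: Greetings

Greetings from abc4883!
"""


def parse_hops(raw: str) -> list:
    """One dict per Received: header, newest first (each relay prepends its own line)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(value)).strip()   # unfold continuation lines
        m = HOP_RE.search(flat)
        hops.append(m.groupdict() if m else {"unparsed": flat})
    return hops


def audit(raw: str) -> list:
    """Findings as strings; an empty list means the chain looked internally consistent."""
    hops = parse_hops(raw)
    findings = []
    for i, hop in enumerate(hops, start=1):
        if "unparsed" in hop:
            findings.append(f"hop {i}: could not parse '{hop['unparsed'][:40]}'")
            continue
        # The HELO name is chosen by the sender; the reverse-DNS name is looked up by the receiver.
        if hop["helo"].lower() != hop["rdns"].lower():
            findings.append(f"hop {i}: HELO '{hop['helo']}' but reverse DNS of "
                            f"{hop['ip']} is '{hop['rdns']}'")
        # The host this hop received from should be the host that stamped the next older hop.
        older = hops[i] if i < len(hops) else None
        if older and "unparsed" not in older and hop["helo"].lower() != older["by"].lower():
            findings.append(f"hop {i}: came from '{hop['helo']}' but hop {i + 1} claims it was "
                            f"stamped by '{older['by']}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MESSAGE):
        print(finding)
```

Only the Received: lines added by relays you trust (your own MX and anything behind it) are evidence; everything older can have been written by the sender, so a real mail filter anchors on the topmost lines and treats the rest as claims. The cryptographic signing that slide 23 mentions is the way to get origin evidence that does not depend on parsing prose headers at all.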

  26. Raw Sockets
  • Allows the application to directly access the Network Access Layer (TCP/IP model)
  • Develop new protocols or build upon existing ones
  • Programming difference:
    • sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    • Manually build the necessary headers
  • Requires superuser access
  • Not implemented the same across all platforms

  27. libnet
  • Raw socket and link-layer facilities
  • Simplifies packet injection programming
    • libnet_build_ipv4(total_length, type_of_service, id, fragment, time_to_live, protocol, checksum, source_address, destination_address, payload, payload_size, libnet_context, ptag)
    • libnet_autobuild_ipv4(total_length, protocol, destination_address, libnet_context);
  • Allows for prebuilding streams of packets
  • Efficient mechanism for packet injection
  • Portable solution for packet injection

  28. Denial of Service
  • Denial of Service
    • Easy to mount (script kiddies)
    • Requires few computing resources
    • Most common attack, with deadly results
  • Comes in various forms, e.g.:
    • Buffer Overflow Attack
    • Teardrop Attack
    • SYN Flood
    • Smurf Attack

  29. Internet Control Message Protocol (ICMP)
  • ICMP is used to test the Internet (e.g. echo request/reply).
  • Each ICMP message type is encapsulated in an IP packet.

  30. Denial of Service
  • Buffer Overflow
    • Send more data than the allotted buffer space, e.g. more than 256 characters in an email From field.
  • Teardrop
    • Takes advantage of IP fragmentation.
  • SYN Flood
    • Flood the target with connection requests.
  • Smurf
    • ICMP echo requests with a spoofed source IP.
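
The fragmentation weakness behind the teardrop entry above, as an added example that is not from the slides or from any of the lab tools: an IP fragment reassembler that makes the two checks whose absence a teardrop-style stream exploits. A fragment must not reach past the 65535-byte datagram limit, and it must not overlap data already buffered for the same Identification value; a datagram that violates either rule is discarded whole and the reason is logged. Fragment records are constructed in memory, not captured from a network.

```python
"""Added example, not from the ECE 4112 slides: an IP fragment reassembler with the
sanity checks (size bound, no overlap) that a teardrop-style fragment stream relies on
a stack not making. Fragment records are constructed, not captured."""
from dataclasses import dataclass
from typing import Optional

MAX_DATAGRAM = 65535     # IP total length is a 16-bit field


@dataclass(frozen=True)
class Fragment:
    ident: int      # Identification field shared by every piece of one datagram
    offset: int     # Fragment Offset field, in 8-byte units
    more: bool      # MF flag: more fragments follow
    payload: bytes


class Reassembler:
    def __init__(self):
        self.buffers = {}      # ident -> {"pieces": {start_byte: payload}, "total": int or None}
        self.rejected = []     # human-readable reasons, for logging or alerting

    def add(self, f: Fragment) -> Optional[bytes]:
        """Buffer one fragment; return the full datagram once it is complete, else None."""
        start, end = f.offset * 8, f.offset * 8 + len(f.payload)
        if f.more and len(f.payload) % 8:
            self.rejected.append(f"id {f.ident}: non-final fragment length {len(f.payload)} "
                                 "is not a multiple of 8")
            return None
        if end > MAX_DATAGRAM:
            self.rejected.append(f"id {f.ident}: fragment would end at byte {end} > {MAX_DATAGRAM}")
            return None
        buf = self.buffers.setdefault(f.ident, {"pieces": {}, "total": None})
        for s, p in buf["pieces"].items():
            if start < s + len(p) and s < end:     # half-open intervals intersect
                self.rejected.append(f"id {f.ident}: [{start},{end}) overlaps [{s},{s + len(p)})")
                del self.buffers[f.ident]          # discard the whole datagram, not just this piece
                return None
        buf["pieces"][start] = f.payload
        if not f.more:
            buf["total"] = end                     # the last fragment fixes the datagram length
        return self._complete(f.ident)

    def _complete(self, ident: int) -> Optional[bytes]:
        buf = self.buffers[ident]
        if buf["total"] is None:
            return None
        pos, out = 0, bytearray()
        for s in sorted(buf["pieces"]):
            if s != pos:                           # a gap: still waiting for a piece
                return None
            out += buf["pieces"][s]
            pos = s + len(buf["pieces"][s])
        if pos != buf["total"]:
            return None
        del self.buffers[ident]
        return bytes(out)


def reassemble_sample() -> tuple:
    """Constructed input: datagram 1 arrives cleanly in two pieces; datagram 2's second
    piece claims offset 1 (byte 8) although its first piece already covers bytes 0-23."""
    r = Reassembler()
    frags = [
        Fragment(1, 0, True, b"A" * 16), Fragment(1, 2, False, b"B" * 8),
        Fragment(2, 0, True, b"C" * 24), Fragment(2, 1, False, b"D" * 8),
    ]
    return [r.add(f) for f in frags], r.rejected
```

A production stack additionally bounds how many incomplete datagrams it will hold and for how long, since a flood of never-completed fragments is itself a way to exhaust reassembly memory; the overlap policy here (drop the datagram) is the conservative choice, and it is also the one that denies an attacker the ambiguity that different hosts resolving overlaps differently gives an intrusion-detection evasion.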

  31. Denial of Service
  • Tool to be used in lab: Datapool
  • Customizable script with the capability to run 106 different DoS attacks (including the ones discussed)!
  • Can run attacks against multiple IPs and learns about the vulnerabilities of each.
  • IP spoofing is used to disguise the source of the attack.

  32. References: WWW
  • OSI Model: RAD Data Communications
  • libnet (packetfactory.net)
  • Raw Socket Programming (mixter.void.ru)
  • Paketto (www.doxpara.com/paketto)
  • Dsniff (naughty.monkey.org/~dugsong/dsniff)

  33. References: Books
  • Computer Networks, Third Edition. Andrew Tanenbaum, Prentice-Hall, 1996.
  • Counter Hack. Ed Skoudis, Prentice-Hall, 2002.
  • TCP/IP Illustrated, Volume 1. W. Richard Stevens, Addison-Wesley, 1994.