* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download 9-0 Internet Protocol Attacks and some Defenses
Point-to-Point Protocol over Ethernet wikipedia , lookup
Multiprotocol Label Switching wikipedia , lookup
Distributed firewall wikipedia , lookup
SIP extensions for the IP Multimedia Subsystem wikipedia , lookup
Network tap wikipedia , lookup
Remote Desktop Services wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Computer network wikipedia , lookup
Airborne Networking wikipedia , lookup
List of wireless community networks by region wikipedia , lookup
Asynchronous Transfer Mode wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Deep packet inspection wikipedia , lookup
TCP congestion control wikipedia , lookup
Zero-configuration networking wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Internet protocol suite wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Attacks on TCP/IP Isaac Ghansah slide 1 Internet Infrastructure backbone local network local network Internet service provider (ISP) ISP TCP/IP for packet routing and connections Border Gateway Protocol (BGP) for route discovery Domain Name System (DNS) for IP address discovery slide 2 OSI Protocol Stack application email, Web, NFS presentation session transport network data link RPC TCP IP Ethernet physical slide 3 Data Formats application layer transport layer TCP header data network layer data link layer message Application data Ethernet header TCP header data IP TCP header header data IP TCP header header data TCP header data segment packet Ethernet trailer frame slide 4 TCP (Transmission Control Protocol) Sender: break data into packets • Sequence number is attached to every packet Receiver: reassemble packets in correct order • Acknowledge receipt; lost packets are re-sent Connection state maintained on both sides book mail each page remember received pages and reassemble slide 5 IP (Internet Protocol) Connectionless • Unreliable, “best-effort” protocol Uses numeric addresses for routing • Typically several hops in the route Alice’s computer Bob’s ISP Alice’s ISP 128.83.130.239 Packet Source 128.83.130.239 Dest 171.64.66.201 Seq 3 Bob’s computer 171.64.66.201 slide 6 ICMP (Control Message Protocol) Provides feedback about network operation • “Out-of-band” messages carried in IP packets • Error reporting, congestion control, reachability, etc. Example messages: • • • • • • Destination unreachable Time exceeded Parameter problem Redirect to better gateway Reachability test (echo / echo reply) Message transit delay (timestamp request / reply) slide 7 Security Issues in TCP/IP Network packets pass by untrusted hosts • Eavesdropping (packet sniffing) IP addresses are public • Smurf attacks TCP connection requires state • SYN flooding TCP state is easy to guess • TCP spoofing and connection hijacking slide 8 Packet Sniffing Many applications send data unencrypted • ftp, telnet send passwords in the clear Network interface card (NIC) in “promiscuous mode” reads all passing data network Solution: encryption (e.g., IPSec), improved routing slide 9 Smurf Attack Looks like a legitimate “Are you alive?” ping request from the victim 1 ICMP Echo Req Src: victim’s address Dest: broadcast address Every host on the network generates a ping (ICMP Echo Reply) to victim Stream of ping replies overwhelms victim gateway victim Solution: reject external packets to broadcast addresses slide 10 “Ping of Death” If an old Windows machine received an ICMP packet with a payload longer than 64K, machine would crash or reboot • Programming error in older versions of Windows • Packets of this length are illegal, so programmers of Windows code did not account for them Solution: patch OS, filter out ICMP packets slide 11 TCP Handshake C S SYNC Listening… Store data SYNS, ACKC (connection state, etc.) Wait ACKS Connected slide 12 SYN Flooding Attack S SYNC1 Listening… SYNC2 Store data SYNC3 … and more data SYNC4 SYNC5 … and more … and more … and more … and more slide 13 SYN Flooding Explained Attacker sends many connection requests with spoofed source addresses Victim allocates resources for each request • Connection state maintained until timeout • Fixed bound on half-open connections Once resources exhausted, requests from legitimate clients are denied This is a classic denial of service (DoS) attack • Common pattern: it costs nothing to TCP initiator to send a connection request, but TCP responder must allocate state for each request (asymmetry!) slide 14 Preventing Denial of Service DoS is caused by asymmetric state allocation • If responder opens a state for each connection attempt, attacker can initiate thousands of connections from bogus or forged IP addresses Cookies ensure that the responder is stateless until initiator produced at least 2 messages • Responder’s state (IP addresses and ports of the connection) is stored in a cookie and sent to initiator • After initiator responds, cookie is regenerated and compared with the cookie returned by the initiator slide 15 SYN Cookies C [Bernstein & Schenk] S SYNC Compatible with standard TCP; simply a “weird” sequence number scheme SYNS, ACKC Listening… Does not store state sequence # = cookie F=Rijndael or crypto hash F(source addr, source port, dest addr, dest port, coarse time, server secret) ACKS(cookie) More info: http://cr.yp.to/syncookies.html Cookie must be unforgeable and tamper-proof (why?) Client should not be able to invert a cookie (why?) Recompute cookie, compare with with the one received, only establish connection if they match slide 16 Anti-Spoofing Cookies: Basic Pattern Client sends request (message #1) to server Typical protocol: • Server sets up connection, responds with message #2 • Client may complete session or not (potential DoS) Cookie version: • Server sends hashed connection data back – Send message #2 later, after client confirms he is listening • Client confirms by returning hashed data – If source IP address is bogus, attacker can’t confirm • Need an extra step to send postponed message #2 – Ok in TCP since the extra step (SYN-ACK) is already there slide 17 Another Defense: Random Deletion SYNC half-open connections 121.17.182.45 231.202.1.16 121.100.20.14 5.17.95.155 If SYN queue is full, delete random entry • Legitimate connections have a chance to complete • Fake addresses will be eventually deleted Easy to implement slide 18 TCP Connection Spoofing Each TCP connection has an associated state • Sequence number, port number TCP state is easy to guess • Port numbers are standard, sequence numbers are often predictable • Can inject packets into existing connections If attacker knows initial sequence number and amount of traffic, can guess likely current number • Send a flood of packets with likely sequence numbers slide 19 “Blind” IP Spoofing Attack Trusted connection between Alice and Bob uses predictable sequence numbers SYN-flood Bob’s queue Alice Bob Open connection to Alice to get initial sequence number Send packets to Alice that resemble Bob’s packets Can’t receive packets sent to Bob, but maybe can penetrate Alice’s computer if Alice uses IP address-based authentication • For example, rlogin and many other remote access programs uses address-based authentication slide 20 DoS by Connection Reset If attacker can guess current sequence number for an existing connection, can send Reset packet to close it • With 32-bit sequence numbers, probability of guessing correctly is 1/232 (not practical) • Most systems accept large windows of sequence numbers much higher probability of success – Need large windows to handle massive packet losses Especially effective against long-lived connections • For example, BGP (Border Gateway Protocol) slide 21 User Datagram Protocol (UDP) UDP is a connectionless protocol • Simply send datagram to application process at the specified port of the IP address • Source port number provides return address • Applications: media streaming, broadcast No acknowledgement, no flow control, no message continuation Denial of service by UDP data flood slide 22 Countermeasures Above transport layer: SSL/TLS and SSH • Protects against connection hijacking and injected data • Does not protect against DoS by spoofed packets Above transport layer: Kerberos • Provides authentication, protects against spoofing • Does not protect against connection hijacking Network (IP) layer: IPSec • Protects against hijacking, injection, DoS using connection resets, IP address spoofing • We will study IPSec in some detail slide 23 DNS Attacks Domain Name System (DNS) is a distributed database mapping host names to IP addresses • For example, www.cs.utexas.edu 128.83.120.155 • Network services trust host-address mappings returned in response to DNS queries – But DNS responses are not authenticated! If attacker takes over DNS server, can respond with addresses of attacker-controlled machines • Some DNS services have known buffer overflows Can use “zone transfer” requests to download a chunk of DNS database and map out the network slide 24 Reverse DNS Spoofing Trusted access is often based on host names • E.g., permit all hosts in .rhosts to run remote shell Network requests such as rsh or rlogin arrive from numeric source addresses • System performs reverse DNS lookup to determine requester’s host name and checks if it’s in .rhosts If attacker can spoof the answer to reverse DNS query, he can fool target machine into thinking that request comes from an authorized host • No authentication for DNS responses and typically no double-checking (numeric symbolic numeric) slide 25 Reading Assignment “IP Spoofing Demystified” from Phrack magazine “SYN cookies” by Bernstein • Both are online on the course website Optional: Joncheray’s paper about TCP connection hijacking slide 26