Network Layer Security
Lecture 4
Supakorn Kungpisdan [email protected]
NETE4630

Overview
• IP, ICMP, and routing protocols
• IP is connectionless and subject to DoS
• ICMP can be used by attackers
• Routing protocols are subject to stack attacks

Roadmap
• Attacking the Network Layer
• Defending the Network Layer

IP Attacks
• Spoofing
• Fragmentation
• Passive and active fingerprinting
• Port scanning
• Redirection

Spoofing
• Local spoofing and blind spoofing
• Local spoofing: attacker and victim are on the same subnet
• The attacker begins by sniffing traffic to find the key pieces of information needed to launch an attack
• Session hijacking is another spoofing technique
– The attack starts at the transport layer

Spoofing (cont.)
• Blind spoofing: the attacker is not on the same local subnet as the victim
• A more sophisticated and advanced attack
• Many pieces of information needed to succeed are not available; the key parameters must be guessed
• Most modern OSes use fairly random sequence numbers, making the attack difficult to launch

Fragmentation
• Fragmentation is required when transmitting packets across networks that have different MTUs
• Evasion attack: sends packets to an IDS and a target that will be rejected by the IDS but accepted by the target
• The idea is to send different data streams to each device
• Insertion attack: sends packets to an IDS and a target that will be accepted by the IDS but rejected by the target

IP Fragmentation (figure slide)

Evasion Attack
• An attacker sends the first fragment to an IDS that has a fragmentation timeout of 15 s, while the target system has a timeout of 30 s
• The attacker waits more than 15 s but less than 30 s before sending the second fragment
• The IDS discards the second fragment (and the first) because its timeout has been reached
• However, the target system accepts the second fragment, which arrives within the target's timeout
• Thus, the IDS will not record this attack

Fragmentation Attacks
• Overlapping fragments can offer an attacker a means of slipping packets past an IDS and a firewall
• Example: sending a packet through a Cisco router to a Windows-based system
• When a duplicate fragment is received, the Cisco router prefers the last fragment, whereas Windows prefers the original fragment

Fragmentation Attacks (cont.)
• An attacker breaks a message into 3 fragments
• He sends fragments 1 and 2 to both the router and the Windows host; both accept the fragments
• He then sends fragments 2 and 3; the retransmitted fragment 2 has the same size and offset as the original fragment but a different payload
• Windows keeps the original fragment 2, but the router keeps the retransmitted one

Fragmentation Attacks (cont.) (figure slide)
Attacker sends #1 and #2; Windows and the router both accept #1 and #2
Attacker modifies #2 and transmits #2 and #3
Windows keeps #1, the original #2, and #3; the router keeps #1, the modified #2, and #3

Teardrop Attack
• Teardrop, targa, NewTear, Nestea, Bonk, Boink, TearDrop2, and SynDrop are some of the tools that can crash machines that have a vulnerability in the IP stack
• There is a fragmentation bug in the IP stack implementation of some old Linux kernels (2.0), Windows NT, and Windows 95
• Malformed packets are sent with the fragmentation offset value tweaked so that the received fragments overlap
• A reboot solved the problem until the next attack

Teardrop Attack (cont.) (figure slide)

Fingerprinting
• Fingerprinting is the act of using peculiarities of IP, TCP, UDP, and ICMP to determine the operating system
– Not only the OS, but also the specific version
• Active and passive fingerprinting
• Active fingerprinting: sends malformed (or non-RFC-compliant) packets to the target
• Different OSes respond to these packets differently
• Nmap, Xprobe, Scanrand, etc.

Passive Fingerprinting
• Passive fingerprinting: similar concept, but without injecting traffic into the network
• Looks at 4 fields
– TTL value
– Don't Fragment bit (DF)
– Type of Service (TOS)
– Window size
• TTL, DF, and TOS are found in the IP header
• Window size is found in the TCP header

Passive Fingerprinting: TTL
• A packet has its TTL reduced each time it passes through a router or when it remains in a router's queue too long
• There is no requirement about what the initial TTL should be
• The attacker may assume that the value observed is less than the original value (which is no more than 255)

Passive Fingerprinting: DF and TOS
• The DF flag is the primary method that systems use for PMTUD (Path MTU Discovery)
– Many older OSes don't use this feature
• TOS can be analyzed to determine the OS
• Even though it is rarely used on the Internet, some developers will set it to a value other than zero to prevent this fingerprinting

PMTUD
• Path MTU discovery works by setting the DF (Don't Fragment) bit in the IP headers of outgoing packets
• Then, any device along the path whose MTU is smaller than the packet will drop it and send back an ICMP Type 3 Code 4 "Destination Unreachable (Fragmentation Needed and DF was set)" message containing its MTU, allowing the source host to reduce its assumed path MTU appropriately
• The process repeats until the MTU is small enough to traverse the entire path without fragmentation

PMTUD (cont.) (figure slide)
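The evasion and overlapping-fragment slides above both come down to one question: does the IDS reassemble fragments the same way the target does? The following simulation, added here as an illustration and not code from the lecture, models reassembly under two overlap policies (the "keep original" behaviour the slides attribute to Windows and the "keep retransmission" behaviour attributed to the Cisco router) and under a reassembly timeout. The policy names, the fragments, and the assumption that overlapping fragments align exactly on offset and size (as in the slide scenario) are constructed for this example; real stacks have more policies than these two.

```python
"""Simulate fragment reassembly under two overlap policies and a timeout.

Added example for this lecture, not code from the slides. "first" keeps the
bytes already held for an offset (the behaviour the slides attribute to
Windows); "last" lets a retransmission overwrite them (attributed to the Cisco
router). Real stacks have more policies than these two; the names are
illustrative assumptions, and fragments are assumed to align exactly on offset
and size as in the slide's scenario.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Fragment:
    offset: int      # byte offset of this fragment's payload within the datagram
    payload: bytes
    more: bool       # More-Fragments flag; False on the final fragment


@dataclass
class Reassembler:
    policy: str                       # "first" or "last"
    timeout: float                    # seconds a partial datagram is held
    started: Optional[float] = None   # arrival time of the first fragment held
    end: Optional[int] = None         # total length, known once the last fragment is seen
    chunks: Dict[int, bytes] = field(default_factory=dict)

    def accept(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Feed one fragment arriving at time `now`; return the datagram once complete."""
        if self.started is not None and now - self.started > self.timeout:
            # Timer expired: the partial datagram is discarded, as the IDS on the slide does.
            self.chunks.clear()
            self.started = None
            self.end = None
        if self.started is None:
            self.started = now
        if frag.offset not in self.chunks or self.policy == "last":
            self.chunks[frag.offset] = frag.payload
        if not frag.more:
            self.end = frag.offset + len(frag.payload)
        return self._try_complete()

    def _try_complete(self) -> Optional[bytes]:
        if self.end is None:
            return None
        data = b""
        for offset in sorted(self.chunks):
            if offset != len(data):
                return None          # gap: still waiting for a fragment
            data += self.chunks[offset]
        if len(data) != self.end:
            return None
        self.chunks.clear()
        self.started = None
        self.end = None
        return data


# Constructed fragments: a three-piece datagram and a retransmitted #2 with the
# same offset and size but a different payload.
F1 = Fragment(0, b"ALPHA-", True)
F2 = Fragment(6, b"BRAVO-", True)
F2_MOD = Fragment(6, b"DELTA-", True)
F3 = Fragment(12, b"CHARLIE", False)


def overlap_scenario() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Slide scenario: send #1,#2 then modified #2,#3. Returns (Windows view, router view)."""
    windows = Reassembler(policy="first", timeout=30)
    router = Reassembler(policy="last", timeout=30)
    results = []
    for stack in (windows, router):
        stack.accept(F1, 0.0)
        stack.accept(F2, 0.1)
        stack.accept(F2_MOD, 0.2)
        results.append(stack.accept(F3, 0.3))
    return results[0], results[1]


def timeout_evasion() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Evasion slide: IDS times out after 15 s, target after 30 s; #2 arrives at t=20 s."""
    ids = Reassembler(policy="first", timeout=15)
    target = Reassembler(policy="first", timeout=30)
    last = Fragment(6, b"BRAVO-", False)
    ids.accept(F1, 0.0)
    target.accept(F1, 0.0)
    return ids.accept(last, 20.0), target.accept(last, 20.0)


if __name__ == "__main__":
    print("overlap:", overlap_scenario())   # the two stacks see different datagrams
    print("timeout:", timeout_evasion())    # the IDS never completes a datagram, the target does
```

The defensive lesson is the one a target-based IDS draws: reassembly policy and timeout are per-host properties, so an IDS that uses a single global policy will disagree with some of the hosts it protects, and an attacker only needs to find which ones.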
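To make the passive-fingerprinting slides concrete, here is a small classifier over the four fields the lecture names (TTL, DF, TOS, window size). It is an added illustration, not p0f and not code from the lecture: the TTL inference picks the smallest common initial TTL at or above the observed value, and the signature table is constructed for the example (the window sizes are the ones the lecture quotes for Linux 2.0 and FreeBSD 3; the TTL, DF and TOS columns are assumptions). The capture records it parses are also constructed.

```python
"""Passive fingerprinting from the four header fields the slides name.

Added example; it is not p0f and not code from the lecture. The signature
table is constructed for illustration: the window sizes are the values the
lecture quotes, the TTL/DF/TOS columns are assumptions.
"""
from typing import Dict, List, Tuple

# Initial TTLs commonly chosen by OS stacks; a sender never uses more than 255.
INITIAL_TTLS = (32, 64, 128, 255)

SIGNATURES = [
    # os name, assumed initial TTL, assumed DF, assumed TOS, window size from the slides
    {"os": "Linux 2.0", "ttl": 64, "df": False, "tos": 0, "win": 16384},
    {"os": "FreeBSD 3", "ttl": 64, "df": True, "tos": 0, "win": 17520},
]


def infer_initial_ttl(observed: int) -> Tuple[int, int]:
    """Guess the sender's initial TTL and the number of hops the packet travelled.

    The observed TTL can only be lower than the initial value, so the smallest
    common initial TTL that is >= the observed value is the best guess. The guess
    breaks if the path is longer than the gap between two classes (e.g. a 64-TTL
    host seen more than 32 hops away), which is why the hop estimate is returned
    for the analyst to sanity-check.
    """
    if not 0 < observed <= 255:
        raise ValueError("TTL must be in 1..255")
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial, initial - observed
    raise AssertionError("unreachable: 255 covers every valid TTL")


def parse_record(line: str) -> Dict[str, int]:
    """Parse a constructed capture summary such as 'src=10.0.0.5 ttl=54 df=0 tos=0 win=16384'."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "ttl": int(fields["ttl"]),
        "df": bool(int(fields["df"])),
        "tos": int(fields["tos"]),
        "win": int(fields["win"]),
    }


def fingerprint(ttl: int, df: bool, tos: int, win: int) -> Tuple[int, int, List[str]]:
    """Return (likely initial TTL, estimated hops, names of matching signatures)."""
    initial, hops = infer_initial_ttl(ttl)
    matches = [s["os"] for s in SIGNATURES
               if s["ttl"] == initial and s["df"] == df and s["tos"] == tos and s["win"] == win]
    return initial, hops, matches


def fingerprint_line(line: str) -> Tuple[int, int, List[str]]:
    r = parse_record(line)
    return fingerprint(r["ttl"], r["df"], r["tos"], r["win"])


if __name__ == "__main__":
    for rec in ("src=10.0.0.5 ttl=54 df=0 tos=0 win=16384",
                "src=10.0.0.6 ttl=117 df=1 tos=0 win=17520",
                "src=10.0.0.7 ttl=54 df=0 tos=16 win=16384"):
        print(rec, "->", fingerprint_line(rec))
```

The third record shows the countermeasure the DF/TOS slide mentions: a non-zero TOS value changes the observed tuple, so a signature built on the stack's default values no longer matches, even though TTL and window size are unchanged.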
Passive Fingerprinting: Window Size
• The TCP window specifies the amount of data that can be sent without having to receive an acknowledgement
– The window size should either be as close as possible to the MTU or should be some multiple of this value
– Linux 2.0 used a value of 16,384, while version 3 of FreeBSD used a value of 17,520
• The most up-to-date passive fingerprinting tool is p0f
• LAB: p0f, page 129

Idle Scan: Open Port (figure slide)

Idle Scan: Closed Port (figure slide)

Idle Scan: Limitations
• The idle host must truly be idle
• Not all OSes use an incrementing IPID
– Some versions of Linux set the IPID to zero or generate a random IPID value
• Several message passes need to be performed to validate the results

ICMP Attacks
• ICMP helps with logical errors and diagnostics
• ICMP does not offer authentication
• Thus, ICMP can be used to scan and exploit devices
– Including using ICMP as a backdoor (covert channel), employing it for echo attacks, port scanning, traffic redirection, OS fingerprinting, and DoS attacks

Covert Channels
• Covert channels offer attackers a way to have a secure communications channel by using allowed services
• Covert channels can also work by exploiting flaws or weaknesses in protocols like ICMP, esp. ping
• ICMP fields used in ping include:
– Type, Code, Identifier, Sequence Number, Optional Data

ICMP Format (figure slide)

Covert Channels (cont.) (figure slide)

Covert Channels (cont.) (figure slide)

Covert Channels (cont.)
• Some systems like Linux let the user add data into the ping payload
# ping -p 2b2b2b415448300 192.168.123.101
will place the modem hang-up string into the ping packet
• Covert channel tools can use ICMP, TCP, or even IGRP
• Loki, ICMP Backdoor, 007Shell, B0CK

ICMP Echo Attacks
• Flood the target with ping traffic and use up all available bandwidth
• Smurf exploits ICMP by sending a spoofed ping packet to the broadcast address with the source address set to the victim
• In 2002, an attack was launched against the core DNS servers; they had ping enabled
– This resulted in a large DoS attack that slowed the operation of the primary DNS servers

Port Scanning
• ICMP can be of great use to an attacker attempting to discover what ports are open
• ICMP is invaluable since there is no response like with TCP
• Sending an ICMP packet to a port
– will get no response if the port is open, and
– will receive an ICMP type 3 code 3 packet if the port is closed

Port Scanning (cont.) (figure slide)
Type 3 (Destination Unreachable), Code 3 (Port Unreachable)

ICMP Nuke Attacks
• Using spoofed addresses, an attacker might disrupt communications between two hosts by sending "Time Exceeded" (Type 11) or "Destination Unreachable" (Type 3) messages to both hosts, resulting in a DoS attack
– Check out the ICMP types and codes
• An ICMP nuke attack sends the target an ICMP packet with destination unreachable (type 3) messages; the target then breaks communication on existing connections

ICMP Redirect Attack
• By sending ICMP "redirect" messages, an attacker might force a router to forward packets destined for one host to the attacker's IP address

Preventing ICMP Redirect Attack
• With Linux, we can force the kernel not to accept redirect messages for one or all interfaces
root@router# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects

ICMP Flood
• A ping flood creates a broadcast storm of pings that overwhelms the target system
• Using Linux, one can flood a host with ping -f
root@router# ping -f 10.10.10.12 -c 1000
The above command floods the host 10.10.10.12 with 1,000 packets

Preventing Ping Flood
• A ping flood can be stopped by limiting the number of ICMP echo-request messages with iptables:
root@router# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
root@router# iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP

Ping of Death
• Ping of Death crashed machines by sending ICMP "echo request" messages in IP packets larger than the maximum legal length of 65,535 octets, causing a buffer overflow that crashed the victim's device (computer, printer, etc.)
• A Linux patch for the ping of death was out in 2 hours, 35 minutes, and 10 seconds, and shortly after, patches for other OSes were available from vendors

Routing Protocol Attacks
• Misconfigured dynamic routing protocols such as RIP, BGP, and OSPF may allow attackers to inject routes into the routing tables of the machines running instances of those protocols
• This may allow attackers to conduct DoS attacks by injecting wrong routes, or IP sniffing by configuring their computer to act like a router on the network

Routing Protocol Attacks (cont.)
• Both distance-vector and link-state routing protocols suffer from attacks, especially DoS
• RIP is an unauthenticated service; it is vulnerable to DoS
– The attacker injects misleading packets into the network
• RIP spoofing works by crafting fake RIP packets and sending them to gateways and hosts to change their routes
– RIP sends its routing tables to a broadcast address
• The attacker can also modify the routing information to cause a redirect through a network, allowing him to sniff passwords or intercept and change data

Router and Routing Attacks
• Hit-and-run attacks
– Hard to detect and isolate
– Require the attacker to inject only one or a few bad packets, yet cause lasting damaging effects
• Persistent attacks
– The attacker continuously injects attack packets in order to inflict significant damage
– Suited to link-state protocols
– Resilient to hit-and-run attacks

Source Routing Attack
• Source routing is one of the IP options designed to force a packet to take a specific route through the network
– Uses the Options field in the IP header: LSRR and SSRR

LSR and SSR
• Loose Source Routing is an IP option which can be used for address translation; LSR is also used to implement mobility in IP networks
• LSR uses a source routing option in TCP/IP to record the set of routers a packet must visit
• The destination of the packet is replaced with the next router the packet must visit
• The name LSR comes from the fact that only part of the path is set in advance; this is in contrast with Strict Source Routing (SSR), in which every single step of the route is decided in advance when the packet is sent
• SSR defines specific points between source and destination
– No other routers are allowed to handle the datagram

Source Routing Attack (cont.)
• The use of the LSRR and SSRR options (Loose and Strict Source and Record Route) is discouraged because they create security concerns
• An attacker can spoof a source IP as a trusted system and use a source route to forward packets to a victim
• Any return packet will be sent to the attacker instead of the trusted host
• Many routers block packets containing these options

Roadmap
• Attacking the Network Layer
• Defending the Network Layer

Securing IP
• Encryption and authentication are the two best options for securing IP
– Built into IPv6, but not into IPv4
• IPSec's greatest security benefit is that it allows network managers to apply security without involving end users
– IPSec Tunnel Mode: link encryption
  • Need to manage several keys
– IPSec Transport Mode: end-to-end encryption
  • Source and destination IPs are not masked

Securing ICMP
• Disable as much of ICMP as possible, especially at routers
– Reject: send an ICMP destination-unreachable back to the source
– Drop: send no response
• Rejecting a connection allows services to know that something has failed and to time out quickly
• Dropping a connection causes a service to keep trying to connect until a retransmission value is exceeded

Securing ICMP (cont.)
• From a legitimate-user perspective,
– rejecting connections allows services to know that something has failed and to time out quickly
– dropping a connection can cause a service to continue trying to connect until a retransmission value is exceeded

Securing ICMP (cont.)
• From a security perspective,
– dropping packets gives away less information and makes it harder for an attacker to enumerate the target
– rejecting packets can make the router a bigger target for reflective attacks and leave it vulnerable to spewing out ICMP messages to a host being attacked by a third party

Protecting against IP Spoofing
• The Linux kernel has an option named "rp_filter"
– root@router# echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
• To disable it on one interface, e.g. eth0:
– root@router# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
• Setting rp_filter to:
– 1 enables IP spoofing protection
– 0 disables IP spoofing protection

Securing Routers and Routing Protocols
• Securing routers and the traffic that flows through them is primarily achieved by using packet filters
• Packet filtering is configured through access control lists (ACLs)

How an ACL Handles Traffic
• Source IP address: Is it from a valid or allowed address?
• Destination IP address: Is this address allowed to receive packets from this device?
• Source and destination ports: includes TCP, UDP, and ICMP
• TCP flags: includes SYN, FIN, ACK, PSH
• Protocols: includes FTP, Telnet, HTTP, DNS, and POP3
• Direction: can allow or deny inbound or outbound traffic
• Interface: can be used to restrict certain traffic to certain interfaces

Preventing Address Spoofing
• Do not allow traffic with an internal IP address as source that comes from the Internet
• Log the dropped packets
• Check out the router configuration guide at http://www.nsa.gov/snac/downloads_all.cfm

• RIPv1 sends updates in cleartext with no authentication
• RIPv2 has authentication but sends the authentication in cleartext
• Suggested: use OSPF with MD5 authentication
• Restrict dynamic routing when possible
• Without this, OSPF may still be vulnerable
• Check out Nemesis (a tool to target OSPF routing) at http://sourceforge.net/projects/nemesis

NSA Security Configuration Guides
http://www.nsa.gov/snac/downloads_all.cfm

Questions?
Next week: Transport Layer Security
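The defensive slides make several separate recommendations for a border router: the echo-request rate limit in "Preventing Ping Flood", the rp_filter reverse-path check in "Protecting against IP Spoofing", blocking LSRR/SSRR packets in "Source Routing Attack (cont.)", and the anti-spoofing ACL with logging in "Preventing Address Spoofing". The following model, added here as an illustration and not the lecture's code or any router's real ACL syntax, puts all of them into one packet-filter pipeline so the order of checks and the resulting log lines can be seen on sample traffic. The interface names, prefixes, routing table and packets are constructed; the rate limit models the slide's `-m limit --limit 10/s` rule as a token bucket with a burst of 5 (the iptables default for `--limit-burst`), which approximates rather than reproduces the real module's accounting.

```python
"""Packet-filter model for the slides' router advice: anti-spoofing ACL, source-route
rejection, a strict reverse-path check, and the echo-request rate limit, with logging.

Added example; it is not the lecture's code and not any router's ACL syntax. The
interface names, prefixes and routing table are constructed. The rate limit models
the slide's `-m limit --limit 10/s` rule as a token bucket with a burst of 5 (the
iptables default for --limit-burst); the real module's accounting differs in detail.
The reverse-path check is what Linux rp_filter=1 enforces: the route back to the
source must leave through the interface the packet arrived on.
"""
import ipaddress
from typing import Dict, List, Tuple

IPNet = ipaddress.IPv4Network

# Constructed topology: "inside" carries the internal prefixes, "outside" faces the internet.
INTERNAL_PREFIXES = [IPNet("10.0.0.0/8"), IPNet("192.168.0.0/16")]
ROUTES = {IPNet("10.0.0.0/8"): "inside", IPNet("192.168.0.0/16"): "inside", IPNet("0.0.0.0/0"): "outside"}
ECHO_REQUEST = 8


class TokenBucket:
    """`burst` tokens to start, refilled at `rate` per second; one packet costs one token."""

    def __init__(self, rate: float, burst: int = 5):
        self.rate, self.capacity, self.tokens, self.last = rate, float(burst), float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def route_interface(addr: ipaddress.IPv4Address) -> str:
    """Longest-prefix match against the constructed routing table."""
    best = max((net for net in ROUTES if addr in net), key=lambda net: net.prefixlen)
    return ROUTES[best]


class PacketFilter:
    def __init__(self, echo_limit_per_s: float = 10.0):
        self.echo_bucket = TokenBucket(echo_limit_per_s)
        self.log: List[str] = []

    def decide(self, pkt: Dict) -> str:
        src = ipaddress.ip_address(pkt["src"])
        iface = pkt["iface"]
        tag = f"t={pkt['time']:.1f} src={src} dst={pkt['dst']} in={iface}"
        reason = None
        if iface == "outside" and any(src in net for net in INTERNAL_PREFIXES):
            reason = "spoofed-internal-source"      # slide: internal source arriving from the internet
        elif pkt.get("source_route"):
            reason = "source-route-option"          # slide: many routers block LSRR/SSRR
        elif route_interface(src) != iface:
            reason = "reverse-path-failed"          # rp_filter-style strict check
        elif (pkt.get("proto") == "icmp" and pkt.get("icmp_type") == ECHO_REQUEST
              and not self.echo_bucket.allow(pkt["time"])):
            reason = "echo-request-rate-limit"      # slide: limit rule, then DROP rule
        if reason:
            self.log.append(f"DROP {reason} {tag}")  # slide: log the dropped packets
            return "DROP"
        return "ACCEPT"


def run_filter(packets: List[Dict]) -> Tuple[List[str], List[str]]:
    """Filter packets in time order; return (verdicts in that order, drop log)."""
    pf = PacketFilter()
    verdicts = [pf.decide(p) for p in sorted(packets, key=lambda p: p["time"])]
    return verdicts, pf.log


def _pkt(t: float, src: str, dst: str, iface: str, **extra) -> Dict:
    return {"time": t, "src": src, "dst": dst, "iface": iface, **extra}


# Constructed sample traffic (addresses taken from documentation ranges).
SAMPLES = (
    [_pkt(0.0, "10.1.1.5", "10.1.1.9", "outside")]                        # internal source from the internet
    + [_pkt(0.0, "203.0.113.9", "10.1.1.9", "outside",
            proto="icmp", icmp_type=ECHO_REQUEST)] * 8                  # burst of 8 echo-requests
    + [_pkt(0.0, "198.51.100.7", "10.1.1.9", "outside", source_route=True)]
    + [_pkt(0.1, "203.0.113.9", "198.51.100.1", "inside")]               # outsider address on the inside
    + [_pkt(0.5, "203.0.113.9", "10.1.1.9", "outside",
            proto="icmp", icmp_type=ECHO_REQUEST)]                      # one more ping after refill
)

if __name__ == "__main__":
    verdicts, log = run_filter(SAMPLES)
    print(verdicts)
    print("\n".join(log))
```

Of the eight simultaneous echo-requests, the first five pass on the initial burst allowance and the remaining three are dropped, matching what the slide's two iptables rules do; the single request 0.5 s later is accepted again because the bucket has refilled. The spoofed-internal, source-routed, and reverse-path failures each produce one log line, which is the "log the dropped packets" advice made concrete.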