Lecture 3: Data Link Layer Security
Data Link Layer Security
Lecture 3
Supakorn Kungpisdan
[email protected]
NETE4630

Roadmap
• Attacking Data Link Layer
• Defending Your Network from Sniffers
• Employing Detection Techniques

MAC Address Spoofing
• What is MAC address spoofing?
• What is its purpose?
• Explain how it works

Passive vs. Active Sniffing
• Passive sniffing involves using a sniffer (Ethereal or Tcpdump) to monitor incoming packets
• Passive sniffing relies on a feature of network cards called promiscuous mode
• When placed in promiscuous mode, a network card passes all packets on to the operating system, rather than just those unicast or broadcast to the host
• However, passive sniffing does not work well in a switched network
• The attacker can sniff traffic within his/her VLAN

Active Sniffing
• Active sniffing relies on injecting packets into the network that cause traffic that should not be sent to your system to be sent to your system
• Active sniffing is required to bypass the segmentation that switches provide
• In wireless networks, passive sniffing involves sending no packets and monitoring the packets sent by others
• Active wireless sniffing involves sending out multiple network probes to identify APs

ARP Poisoning
• Performing active sniffing on switched Ethernet

ARP Poisoning (cont.)
• By spoofing the default gateway's IP address, all hosts on the subnet will route through the attacker's machine
  – You have to poison the ARP cache of every host on the subnet
  – Better if targeting a single host on the network
  – Should not spoof the IP of another client
• To perform ARP poisoning:
  – # arp -s <victim IP> <our MAC address> pub
• Alternatively, use Cain and Abel

Cain and Abel

WinArpAttacker

ARP Flooding
• ARP flooding is another ARP cache poisoning technique aimed at network switches
• Aka CAM Table Overflow attack
• Some switches will drop into a hub-like mode when the CAM table is flooded
• CAM (Content Addressable Memory) is a physical part of a switch
• CAM stores information about MAC addresses available on each physical port and their associated VLAN parameters
• CAM is a normal memory, limited in size
• Can also use WinArpAttacker to perform ARP flooding

ARP Flooding (cont.)
• In 1999, Ian Vitek created a tool called macof, later integrated in dsniff, which floods with invalid source MAC addresses (up to 155,000/minute)
• This quickly fills up the CAM table of the switch to which the computer running this tool is connected, and also the adjacent switches
• The switch is too busy to enforce its port security and broadcasts all traffic to every port in the network
• This makes a MITM attack possible: the attacker can start sniffing network traffic

DHCP

DHCP Starvation Attack
• Consuming the IP address space allocated by a DHCP server
• An attacker broadcasts a large number of DHCP requests using spoofed MAC addresses
• The DHCP server will lease its IP addresses one by one to the attacker until it runs out of available IPs for new, normal clients
• Leads to DoS

Rogue DHCP Server
• Set up a rogue DHCP server serving clients with false details
  – E.g.
    giving them its own IP as default router
  – Results in all the traffic passing through the attacker's computer
• A rogue DHCP server can be set up even without a DHCP starvation attack, as clients accept the first DHCPOFFER they receive
• Both attacks can be accomplished using gobbler

Preventing DHCP Attacks
• DHCP starvation attacks can be prevented by using port security features that don't allow more than X MAC addresses on one port
• Rogue DHCP is more difficult to prevent
  – May implement "Authentication for DHCP Messages" (RFC 3118)
  – Some smart and expensive switches have "DHCP snooping" functions which filter DHCP messages from non-trusted hosts
    • It contains a database of trusted and untrusted interfaces

DHCP Snooping
• DHCP snooping provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table
• An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network
• The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch
• An untrusted interface is an interface that is configured to receive messages from outside the network or firewall
• A trusted interface is an interface that is configured to receive only messages from within the network

DHCP Snooping (cont.)
• DHCP snooping acts like a firewall between untrusted hosts and DHCP servers
• It also gives you a way to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch
• DHCP snooping is used to prevent rogue DHCP servers
• If the DHCPOFFER came from an untrusted interface, the switch shuts down the port
• The switch trusts the interface to which the authorized DHCP server is connected

DHCP Snooping (cont.)
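The per-port MAC limit named under Preventing DHCP Attacks is also what blunts the CAM table overflow described under ARP Flooding. The toy switch model below is an added example, not part of the lecture: the CAM size, port names and MAC addresses are constructed, and evicting the oldest entry when the table is full is a simplification of real switch behaviour.

```python
# Added example (not from the lecture): a toy CAM table showing why a flood of bogus
# source MACs makes a switch behave like a hub, and how a per-port MAC limit stops it.
# CAM size, port names and MAC addresses are constructed values.
from collections import OrderedDict
from typing import Optional

class ToySwitch:
    def __init__(self, cam_size: int, max_macs_per_port: Optional[int] = None):
        self.cam = OrderedDict()        # mac -> port; oldest entry evicted when full (simplification)
        self.cam_size = cam_size
        self.limit = max_macs_per_port  # None = no port security
        self.violations = []            # (port, mac) pairs refused by port security

    def learn(self, src_mac: str, port: str) -> bool:
        """Learn src_mac on port, unless port security says the port already has enough MACs."""
        if src_mac in self.cam:
            self.cam[src_mac] = port
            return True
        if self.limit is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.limit:
                self.violations.append((port, src_mac))
                return False
        if len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)  # table full: a legitimate entry is lost
        self.cam[src_mac] = port
        return True

    def forward(self, dst_mac: str) -> str:
        """Known destination -> its port; unknown -> flooded out every port, where a sniffer sees it."""
        return self.cam.get(dst_mac, "FLOOD")

def flood_demo(port_security: bool) -> dict:
    """Two hosts on their own ports, then 500 bogus source MACs arriving on a third port."""
    sw = ToySwitch(cam_size=64, max_macs_per_port=2 if port_security else None)
    sw.learn("00:00:5e:00:53:0a", "Gi0/1")   # host A
    sw.learn("00:00:5e:00:53:0b", "Gi0/2")   # host B
    for i in range(500):                     # flood from Gi0/3 with distinct made-up source MACs
        sw.learn(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", "Gi0/3")
    return {"frame_to_b": sw.forward("00:00:5e:00:53:0b"),
            "cam_entries": len(sw.cam),
            "violations": len(sw.violations)}
```

Without the limit, host B's entry is evicted and a frame for B is flooded to every port; with a limit of two MACs on Gi0/3, the flood is refused after two entries and unicast to B stays on Gi0/2.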
Enabling DHCP Snooping

Adding Information to DHCP Snooping DB

IP Source Guard
• IP Source Guard is enabled on a DHCP snooping untrusted Layer 2 port
• For each untrusted Layer 2 port, there are two levels of IP traffic security filtering:
  – Source IP address filter: IP traffic is filtered based on its source IP address. Only IP traffic with a source IP address that matches the IP source binding entry is permitted
  – Source IP and MAC address filter: IP traffic is filtered based on its source IP address and its MAC address; only IP traffic with source IP and MAC addresses matching the IP source binding entry is permitted

Configuring IP Source Guard

Dynamic ARP Inspection
• On Cisco devices, it is called Dynamic ARP Inspection (DAI)
• DAI is a security feature that validates ARP packets in a network
• It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
• DAI ensures that only valid ARP requests and responses are relayed
• The switch performs these activities:
  – Intercepts all ARP requests and responses on untrusted ports
  – Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
  – Drops invalid packets

Dynamic ARP Inspection (cont.)
• Dynamic ARP inspection determines the validity of an ARP packet based on IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database
• In non-DHCP environments, DAI can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses
• If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks

DAI (cont.)
• By default, all interfaces are untrusted
• The switch does not check ARP packets that it receives from the other switch on the trusted interface
• For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination
  – First it checks the ARP access control list
  – If there is no such ACL, it checks the DHCP snooping database

DAI (cont.)

Configuring DAI in DHCP Environments
• Both Switch A and Switch B are running DAI on VLAN 1, where the hosts are located
• A DHCP server is connected to Switch A; both hosts acquire IP addresses from the same DHCP server
• Switch A has the bindings for Host 1 and Host 2, and Switch B has the binding for Host 2

Configuring ARP ACLs in non-DHCP Environments
• Switch B does not support DAI or DHCP snooping, but Switch A does
• If port 1 on Switch A is configured as trusted, a security hole is created because Switch A and Host 1 could be attacked by either Switch B or Host 2
• Thus, configure port 1 on Switch A as untrusted
• If the IP address of Host 2 is not static, so that it is impossible to apply the ACL configuration on Switch A, you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them

Configuring ARP ACLs in non-DHCP Environments (cont.)
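The DHCP snooping and DAI slides above describe one pipeline: server messages are accepted only on trusted ports, ACKs on those ports populate the binding table, and ARP on untrusted ports is checked against the ARP ACL first and the binding table second. The model below is an added example, not lecture or vendor code; the port names, addresses and message dictionaries are constructed.

```python
# Added example (not from the lecture): toy model of DHCP snooping feeding Dynamic ARP
# Inspection on one switch. Port names, IPs and MACs are constructed sample values.
from dataclasses import dataclass, field

@dataclass
class SnoopingSwitch:
    trusted: set                                  # ports facing the DHCP server / other DAI switches
    arp_acl: dict = field(default_factory=dict)   # static ip -> mac, for non-DHCP hosts
    bindings: dict = field(default_factory=dict)  # snooping binding table: ip -> (mac, client port)
    pending: dict = field(default_factory=dict)   # client mac -> port its DHCP request arrived on
    log: list = field(default_factory=list)

    def dhcp(self, msg: dict, iface: str) -> bool:
        """Server replies only from trusted ports; a trusted ACK adds a binding for the requester."""
        if msg["op"] in ("OFFER", "ACK") and iface not in self.trusted:
            self.log.append(f"DHCP {msg['op']} on untrusted {iface}: dropped (rogue server)")
            return False
        if msg["op"] in ("DISCOVER", "REQUEST"):
            self.pending[msg["chaddr"]] = iface
        elif msg["op"] == "ACK" and msg["chaddr"] in self.pending:
            self.bindings[msg["yiaddr"]] = (msg["chaddr"], self.pending.pop(msg["chaddr"]))
        return True

    def arp(self, pkt: dict, iface: str) -> bool:
        """DAI: trusted ports unchecked; otherwise ARP ACL first, then the snooping table."""
        if iface in self.trusted:
            return True
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if ip in self.arp_acl:
            ok = self.arp_acl[ip] == mac
        else:
            ok = self.bindings.get(ip) == (mac, iface)  # binding must match both MAC and port
        if not ok:
            self.log.append(f"ARP {ip} is-at {mac} on {iface}: dropped (invalid binding)")
        return ok

def demo() -> dict:
    """Constructed scenario: DHCP server on Gi0/24 (trusted), hosts on Gi0/1..Gi0/3."""
    sw = SnoopingSwitch(trusted={"Gi0/24"}, arp_acl={"10.0.0.50": "00:00:5e:00:53:50"})
    sw.dhcp({"op": "DISCOVER", "chaddr": "00:00:5e:00:53:01"}, "Gi0/1")
    return {
        "legit_ack": sw.dhcp({"op": "ACK", "chaddr": "00:00:5e:00:53:01", "yiaddr": "10.0.0.11"}, "Gi0/24"),
        "rogue_offer": sw.dhcp({"op": "OFFER", "chaddr": "00:00:5e:00:53:01", "yiaddr": "10.0.0.99"}, "Gi0/2"),
        "legit_arp": sw.arp({"sender_ip": "10.0.0.11", "sender_mac": "00:00:5e:00:53:01"}, "Gi0/1"),
        "spoofed_gateway": sw.arp({"sender_ip": "10.0.0.1", "sender_mac": "00:00:5e:00:53:02"}, "Gi0/2"),
        "static_host": sw.arp({"sender_ip": "10.0.0.50", "sender_mac": "00:00:5e:00:53:50"}, "Gi0/3"),
        "log": sw.log,
    }
```

The rogue OFFER on Gi0/2 and the ARP reply claiming the gateway address are both dropped and logged, while the leased host and the ACL-listed static host pass.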
Routing Games
• One method to ensure that all traffic on a network will pass through your host is to change the routing table of the host you wish to monitor
• Send a fake route advertisement via RIP, declaring yourself as the default gateway
• All outbound traffic will pass through your host and then go to the real default gateway
• But you may not receive returned traffic unless you can modify the default gateway's routing table

Cracking WEP
• WEP is based on the RC4 cipher
• RC4 is a stream cipher
• RC4 itself is very secure; it is employed by the military for use in highly sensitive operations
• However, vendors made a mistake while implementing the WEP protocol
  – They reuse the Initialization Vector

RC4 Operation

Wireless Active Attacks
• Active wireless attacks encompass spoofing and DoS attacks
• Spoofing: use Netstumbler to identify the MAC address of the victim and modify one's MAC address to match it
• DoS: sending multiple control packets to a wireless network

Jamming Attacks
• Jamming attacks rely on using radio frequency to interfere with wireless transmissions
• This will effectively perform a DoS attack on the wireless network

MITM Attacks
• Setting your wireless card up in an identical configuration to an existing hotspot (including spoofed SSID)
• A client is unable to distinguish the legitimate AP from your spoofed AP without running additional authentication protocols on top of the wireless media
Roadmap
• Attacking Data Link Layer
• Defending Your Network from Sniffers
• Employing Detection Techniques

Using Encryption
• The use of encryption, assuming its mechanism is valid, will thwart any attacker attempting to passively monitor the network
• IPSec and OpenVPN
• However, these technologies are not widely used on the Internet outside of large enterprises
• SSH, SSL, PGP, S/MIME

Secure Shell (SSH)
• A cryptographically secure replacement for the standard UNIX Telnet, Remote Login (rlogin), Remote Shell (RSH), and Remote Copy Protocol (RCP) commands
• It consists of both a client and a server that use public-key cryptography to provide session encryption
• OpenSSH, PuTTY

Roadmap
• Attacking Data Link Layer
• Defending Your Network from Sniffers
• Employing Detection Techniques

Local Detection
• Many OSes provide a mechanism to determine whether a network interface is running in promiscuous mode
• Using the ifconfig command on UNIX
• However, if the host is compromised, an attacker may replace the ifconfig command with one that does not report interfaces in promiscuous mode

Local Detection (cont.)

Network Detection: DNS Lookups
• Reverse DNS lookups can possibly reveal a sniffing host
  – Forward DNS lookup: resolve IP from a given hostname
  – Reverse DNS lookup: resolve hostname from a given IP
• Additional network traffic is generated, mainly the DNS query to look up the network address
  – It is possible to monitor the network for hosts that are performing a large number of address lookups alone
• Alternatively, we can generate a false network connection from a non-active address. Then we can monitor the network for DNS queries that attempt to resolve the faked address, giving away the sniffing host

Network Detection: Latency
• Detect latency variation in the host's response to network traffic (i.e. ping)
  1.
     Start with probing (by pinging) a suspected host initially, then sample the response time
  2. Generate a large amount of network traffic
  3. Probe the host again and sample the response time
• If the response time changes significantly, the host may potentially be a monitoring host

Network Detection: Driver Bugs
• In some Linux OSes, there is a bug in a common Ethernet driver
• If the host is running in promiscuous mode, the OS fails to perform Ethernet address checks
• Normally, packets that do not correspond to the host's MAC address would be dropped at the data-link layer
• If the host is running in promiscuous mode, it will not drop a packet with an invalid MAC address

Network Detection: Driver Bugs (cont.)
• To determine whether the host is in promiscuous mode, send an ICMP ping request to the host with a valid IP address and an invalid Ethernet address
• If the host responds to this ping request, it is determined to be running in promiscuous mode

To Read
• Hack-The-Stack: pages 104-123
• Quiz: 5%

Question?
Next week: Network Layer Security
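The DNS-lookup detection method from the Network Detection slides, as an added example that is not part of the lecture: a decoy connection is faked from an address no real host uses, and the resolver's query log is then scanned both for the host that asked for the decoy's PTR record and for hosts doing unusually many reverse lookups. The decoy address, threshold and log lines are constructed, with the log loosely following the BIND query-log layout.

```python
# Added example (not from the lecture): finding a sniffer through its reverse-DNS lookups.
# A decoy connection is faked from an address no real host uses; a sniffer that resolves
# captured addresses will issue a PTR query for it. The log lines below are constructed.
import re
from collections import Counter
from typing import Optional

DECOY_IP = "10.0.0.250"   # assumed unused address used as bait

QUERY_RE = re.compile(r"client (?P<src>\d+(?:\.\d+){3})#\d+ .*?query: (?P<name>\S+) IN PTR")

def ptr_to_ip(name: str) -> Optional[str]:
    """Map 250.0.0.10.in-addr.arpa back to 10.0.0.250; None for anything else."""
    m = re.fullmatch(r"((?:\d{1,3}\.){4})in-addr\.arpa\.?", name)
    return ".".join(reversed(m.group(1).rstrip(".").split("."))) if m else None

def analyse(lines, decoy_ip: str = DECOY_IP, ptr_threshold: int = 3) -> dict:
    """Hosts that resolved the decoy, plus hosts doing unusually many reverse lookups."""
    decoy_lookups, ptr_counts = set(), Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue                     # not a PTR query
        target = ptr_to_ip(m["name"])
        if target is None:
            continue
        ptr_counts[m["src"]] += 1
        if target == decoy_ip:
            decoy_lookups.add(m["src"])  # only a host watching the wire could have seen the decoy
    return {"decoy_lookups": decoy_lookups,
            "heavy_ptr": {h for h, n in ptr_counts.items() if n >= ptr_threshold}}

SAMPLE_LOG = [  # constructed
    "22-Mar-2024 10:00:01.001 client 10.0.0.20#51000 (www.example.com): query: www.example.com IN A +",
    "22-Mar-2024 10:00:02.113 client 10.0.0.77#51234 (11.0.0.10.in-addr.arpa): query: 11.0.0.10.in-addr.arpa IN PTR +",
    "22-Mar-2024 10:00:02.150 client 10.0.0.77#51235 (12.0.0.10.in-addr.arpa): query: 12.0.0.10.in-addr.arpa IN PTR +",
    "22-Mar-2024 10:00:02.201 client 10.0.0.77#51236 (250.0.0.10.in-addr.arpa): query: 250.0.0.10.in-addr.arpa IN PTR +",
    "22-Mar-2024 10:00:05.000 client 10.0.0.31#40001 (1.0.0.10.in-addr.arpa): query: 1.0.0.10.in-addr.arpa IN PTR +",
]
```

On the sample log, 10.0.0.77 is flagged on both counts: it asked for the decoy's PTR record and it is the only host above the reverse-lookup threshold.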