Download EECS 700: Network Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
Document related concepts

Computer network wikipedia , lookup

SIP extensions for the IP Multimedia Subsystem wikipedia , lookup

Internet protocol suite wikipedia , lookup

AppleTalk wikipedia , lookup

CAN bus wikipedia , lookup

Net bias wikipedia , lookup

Distributed firewall wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

TCP congestion control wikipedia , lookup

Point-to-Point Protocol over Ethernet wikipedia , lookup

I²C wikipedia , lookup

Asynchronous Transfer Mode wikipedia , lookup

Serial digital interface wikipedia , lookup

Multiprotocol Label Switching wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

RapidIO wikipedia , lookup

Packet switching wikipedia , lookup

IEEE 1355 wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Deep packet inspection wikipedia , lookup

Real-Time Messaging Protocol wikipedia , lookup

Transcript 
ITIS 6167/8167: Network and
Information Security
Weichao Wang
Contents
• IP fragmentation and attacks
– IP protocol
– IP fragmentation
– Attacks
– Mitigation mechanisms
2
3
IP protocol and fragmentation
• IP layer provides the fundamental service
in Internet: unreliable, connectionless, and
best-effort based packet delivery
– Unreliable: packet may lost, duplicated,
delayed, out of order
– Connectionless: every packet is handled
independently
– Best-effort: no quality guarantee
4
• IP protocol will
– Define the format of IP packet
– Routing
– Determine
• Packet processing procedures
• Error reporting and handling procedures
• When the packets can be discarded
5
IP encapsulation
• In ethernet, frame type for IP is 0x0800
IP header
IP Data
6
IP format
7
• Details of IP packet
– Vers: current version is 4
– HLEN: header length in 32 bit word. Usually is 5 (20
byte), max can be 60 bytes (IP options)
– Type of services: usually all 0 (best effort), can be
used for diffserv and QoS.
• 3 bit of precedence, 4 bit of TOS, 1 bit unused
• TOS bit 1 (min delay), 2 (max throughput), 3 (max reliability),
4 (min cost)
– Total length: 16 bit can represent 64K byte long
packet
8
• Identification, flags, and offset: used for
fragmentation and reassemble (later)
• TTL: time to live: number of routers or
seconds a packet can live.
– Every router will reduce this value by one.
When reach 0, the packet will be discarded.
– Can be used to prevent routing loop
– Use TTL to implement traceroute
9
-bash-3.1$ ping -i 7 dell.com
PING dell.com (143.166.224.244) 56(84) bytes of data.
From kcm-edge-15.inet.qwest.net (65.120.164.89)
icmp_seq=1 Time to live exceeded
From kcm-edge-15.inet.qwest.net (65.120.164.89)
icmp_seq=2 Time to live exceeded
10
• Type: the high level protocol the IP packet
contains: ICMP (0x01), TCP (0x06), UDP
(0x11)
• Header checksum:
– calculate only over header
– Re-compute at every hop (why)
• Example: an ICMP packet b/w 128.10.2.3
and 128.10.2.8. Header length is 20 bytes.
11
12
• IP header options
– Record route option
• Intermediate routers will attach their IP address to
the packet
– Timestamp option
• Intermediate router attach 32 bit timestamp
– Source routing option
• Strict source routing
• Loose source routing: allow multiple hops b/w
routers
13
14
• IP fragmentation
• Why do we need it
– MTU: maximum transmission unit
– An IP packet can be as large as 65535 byte
– Different hardware have different MTU:
ethernet 1500, FDDI 4470
15
16
• IP fragmentation
– Routers divide an IP datagram into several
smaller fragments based on MTU
– Fragments use the same header format as
the original datagram
– Each fragment is routed independently
17
• How to fragment
– IDENT: unique number to identify an IP
datagram; fragments with the same identifier
belong to the same IP datagram
– Fragment offset:
• Specify where the data belong in the original
packet
• Multiple of 8
• Use 13 bits (why do we only need 13 bits)
18
• FLAGs:
– Bit 0: reserved
– Bit 1: do not fragment (if this bit is set and the
MTU is not large enough, we send out ICMP
to report this)
– Bit 2: more fragment: this bit is turned off in
the last segment. (why we need this bit: so we
can calculate the length of the original packet)
19
20
• Example:
– Original packet: header + 400 + 400 + 400
– Header 1: FLAG = 001, OFFSET =0
– Header 2: FLAG = 001, OFFSET =400/8=50
– Header 3: FLAG = 000, OFFSET= 800/8=100
21
• Fragment of fragment
– Need to pay special attention of the FLAG bits
• Reassemble
– Reassembled before delivered to higher
layers
– Where to reassemble: router or destination,
why?? (not only efficiency)
– Use a timer to handle lost fragment and
discard the whole packet
22
23
• Malicious activities on fragmentation
– What if we never receive the last piece
– Overlapping fragment
– The reassembled packet is larger than the
allowed IP packet size (how can attackers do
this)
24
• Attack 1: DoS attack
– 1st fragment: offset =0;
– 2nd fragment: offset = 64800;
– Result: now the machine will allocate 64K
memory, and usually will hold it for 15 to 255
seconds.
– Who are vulnerable: Win2K, XP, most
versions of UNIX
25
• Attack 2: TearDrop
– Fist packet:
• payload size N,
• More fragment bit on
– 2nd fragment:
• More fragment bit off
• Offset + payload < N
– If the user assume that the packet should
become longer and longer, may cause
machine crash
26
• Overlapping attacks against Firewall
– Many firewalls inspect packet without reassemble. If
the TCP header is fragmented and the filter rule is
based on TCP, it may fail
– Firewall examine the SYN bit
• Tiny fragment attack: Firewall only check the first fragment.
The minimum fragment is 68 bytes (ICMP requirement), but
the SYN bit maybe fall into the 2nd fragment with IP option.
• Overlapping attack: allow packet overlapping during
reassemble. Then the checked segment may looks ok. But
will be overlapped later.
27
• IP spoofing
– Spoofing
• An attacker sends packet with another node’s IP
address
• Replies will be routed to the victim
– Egress filtering
• Remove packets that cannot come from your
network
– Ingress filtering
• Remove packet from invalid address
28
• Router and Host
– Router usually connects to multiple networks
– Host only connect to one
• Routing table
– Used by routers to determine next hop
– When determining which entry to use, usually use the
one with the longest match
• Next hop routing
– Destination IP address will not change, only the next
hop’s MAC address is used
29
• Default route
– When no other entry matches the routing request
• Routing procedure
– Extract destination IP D and compute the network
prefix N
– Is N the same network
– What is the routing entry with the longest match
– What is the default route
– Report error
30
• Handling income packets
– Host: accept or discard, Do not forward. Why?
– Router:
• Decrease TTL, recompute the checksum
• If TTL = 0; drop the packet and send an error
message to source
31
Related documents
Summer Packet EnteringGrade7
Summer Packet EnteringGrade7
Internet Protocol (IP):
Internet Protocol (IP):
155
155
1-Introduction :
1-Introduction :
1. Assume that for the network represented on the right the routing
1. Assume that for the network represented on the right the routing
Lecture 5
Lecture 5
H37-R38 - Uplift Mighty Prep
H37-R38 - Uplift Mighty Prep
Modern Geometry Review Packet
Modern Geometry Review Packet
2 - UTRGV Faculty Web
2 - UTRGV Faculty Web
Networking1b
Networking1b
IP : Internet Protocol
IP : Internet Protocol
ppt3
ppt3
COP 4930 Computer Network Projects
COP 4930 Computer Network Projects
PPT - Pages
PPT - Pages