EECS 700: Network Security
ITIS 6167/8167: Network and Information Security
Weichao Wang

Contents
• IP fragmentation and attacks
– IP protocol
– IP fragmentation
– Attacks
– Mitigation mechanisms

IP protocol and fragmentation
• The IP layer provides the fundamental service of the Internet: unreliable, connectionless, best-effort packet delivery
– Unreliable: a packet may be lost, duplicated, delayed, or delivered out of order
– Connectionless: every packet is handled independently
– Best-effort: no quality guarantee

• The IP protocol
– Defines the format of the IP packet
– Routing
– Determines
• Packet processing procedures
• Error reporting and handling procedures
• When packets can be discarded

IP encapsulation
• In Ethernet, the frame type for IP is 0x0800
[figure: IP header | IP data]

IP format
• Details of the IP packet
– Vers: current version is 4
– HLEN: header length in 32-bit words. Usually 5 (20 bytes); the maximum is 60 bytes (with IP options)
– Type of service: usually all 0 (best effort); can be used for DiffServ and QoS
• 3 bits of precedence, 4 bits of TOS, 1 bit unused
• TOS bit 1 (minimize delay), 2 (maximize throughput), 3 (maximize reliability), 4 (minimize cost)
– Total length: 16 bits, so a packet can be up to 64K bytes long

• Identification, flags, and offset: used for fragmentation and reassembly (later)
• TTL (time to live): the number of routers (or seconds) a packet can live
– Every router reduces this value by one. When it reaches 0, the packet is discarded.
– Can be used to prevent routing loops
– traceroute is implemented using the TTL

-bash-3.1$ ping -i 7 dell.com
PING dell.com (143.166.224.244) 56(84) bytes of data.
From kcm-edge-15.inet.qwest.net (65.120.164.89) icmp_seq=1 Time to live exceeded
From kcm-edge-15.inet.qwest.net (65.120.164.89) icmp_seq=2 Time to live exceeded

• Type: the higher-level protocol the IP packet contains: ICMP (0x01), TCP (0x06), UDP (0x11)
• Header checksum:
– Calculated only over the header
– Recomputed at every hop (why?)
• Example: an ICMP packet between 128.10.2.3 and 128.10.2.8.
Header length is 20 bytes.

• IP header options
– Record route option
• Intermediate routers attach their IP address to the packet
– Timestamp option
• Intermediate routers attach a 32-bit timestamp
– Source routing option
• Strict source routing
• Loose source routing: allows multiple hops between the listed routers

IP fragmentation
• Why do we need it?
– MTU: maximum transmission unit
– An IP packet can be as large as 65535 bytes
– Different hardware has different MTUs: Ethernet 1500, FDDI 4470

• IP fragmentation
– Routers divide an IP datagram into several smaller fragments based on the MTU
– Fragments use the same header format as the original datagram
– Each fragment is routed independently

• How to fragment
– IDENT: unique number identifying an IP datagram; fragments with the same identifier belong to the same IP datagram
– Fragment offset:
• Specifies where the data belongs in the original packet
• Multiple of 8
• Uses 13 bits (why do we only need 13 bits?)

• FLAGs:
– Bit 0: reserved
– Bit 1: do not fragment (if this bit is set and the MTU is not large enough, an ICMP message is sent to report this)
– Bit 2: more fragments: this bit is turned off in the last fragment. (Why do we need this bit? So we can calculate the length of the original packet.)

• Example:
– Original packet: header + 400 + 400 + 400
– Header 1: FLAG = 001, OFFSET = 0
– Header 2: FLAG = 001, OFFSET = 400/8 = 50
– Header 3: FLAG = 000, OFFSET = 800/8 = 100

• Fragment of a fragment
– Need to pay special attention to the FLAG bits
• Reassembly
– Reassembled before delivery to higher layers
– Where to reassemble: router or destination, and why?
(not only efficiency)
– Use a timer to handle lost fragments and discard the whole packet

Malicious activities on fragmentation
• What if we never receive the last piece?
• Overlapping fragments
• The reassembled packet is larger than the allowed IP packet size (how can attackers do this?)

• Attack 1: DoS attack
– 1st fragment: offset = 0
– 2nd fragment: offset = 64800
– Result: the machine now allocates 64K of memory, and usually holds it for 15 to 255 seconds
– Who is vulnerable: Win2K, XP, most versions of UNIX

• Attack 2: TearDrop
– First fragment:
• payload size N
• More-fragments bit on
– 2nd fragment:
• More-fragments bit off
• Offset + payload < N
– If the implementation assumes that the packet should only become longer and longer, this may crash the machine

• Overlapping attacks against firewalls
– Many firewalls inspect packets without reassembling them. If the TCP header is fragmented and the filter rule is based on TCP, the filter may fail
– The firewall examines the SYN bit
• Tiny fragment attack: the firewall only checks the first fragment. The minimum fragment is 68 bytes (ICMP requirement), but with IP options the SYN bit may fall into the 2nd fragment.
• Overlapping attack: packet overlap is allowed during reassembly. The inspected fragment may look OK, but it is overwritten by an overlapping fragment later.
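The fragmentation example above (header + 400 + 400 + 400) and the three malicious patterns just listed, in working code. This is an added example, not material from the lecture: fragment() produces the slide's (MF, OFFSET) values, and Reassembler is a defensive reassembly buffer that stores pieces sparsely (so a fragment at offset 64800 does not cost a 64K buffer), refuses a "last" fragment that ends inside data already held (the TearDrop pattern), refuses overlap, rejects anything that would exceed 65535 bytes, and exposes a timer so an unfinished datagram is discarded. The Fragment structure, the 30-second timer value and all sample fragments are constructed for this illustration.

```python
"""Added example, not part of the lecture: fragmenting a datagram the way
the slides describe and reassembling it with the checks a careful stack
or firewall applies. The Fragment structure, the timer value and all
sample fragments are constructed for illustration."""
from collections import namedtuple

MAX_DATAGRAM = 65535      # largest total length the 16-bit field allows
IP_HEADER_LEN = 20        # header without options, as in the slides

# ident: IDENT field; mf: "more fragments" flag; offset: 13-bit field in
# units of 8 bytes, exactly as carried on the wire; payload: fragment data
Fragment = namedtuple("Fragment", "ident mf offset payload")


def fragment(ident, payload, mtu):
    """Split a payload into fragments whose header + data fit in `mtu`.
    Every fragment but the last carries a multiple of 8 data bytes because
    the offset field counts 8-byte units."""
    per_frag = (mtu - IP_HEADER_LEN) // 8 * 8
    if per_frag <= 0:
        raise ValueError("MTU too small for a header plus 8 data bytes")
    frags = []
    for start in range(0, len(payload), per_frag):
        chunk = payload[start:start + per_frag]
        last = start + per_frag >= len(payload)
        frags.append(Fragment(ident, 0 if last else 1, start // 8, chunk))
    return frags


class Reassembler:
    """Reassembly buffer for one datagram. Pieces are kept in a dict keyed
    by byte offset, so a fragment at offset 64800 costs only its own size
    rather than a 64K buffer, and a timer bounds how long we wait."""

    def __init__(self, ident, created=0.0):
        self.ident = ident
        self.created = created    # arrival time of the first fragment
        self.pieces = {}          # byte offset -> payload bytes
        self.total_len = None     # learned from the fragment with MF = 0

    def expired(self, now, timeout=30.0):
        """Timer check (30 s is our choice): discard datagrams whose last
        piece never arrives instead of holding memory indefinitely."""
        return now - self.created > timeout

    def add(self, frag):
        if frag.ident != self.ident:
            raise ValueError("fragment belongs to another datagram")
        start = frag.offset * 8
        end = start + len(frag.payload)
        held_end = max((s + len(p) for s, p in self.pieces.items()), default=0)
        # 1. Oversized: the reassembled datagram must fit the 16-bit total length
        if end + IP_HEADER_LEN > MAX_DATAGRAM:
            raise ValueError("fragment extends past 65535-byte datagram limit")
        # 2. TearDrop pattern: a "last" fragment ending before data we hold,
        #    or a later fragment reaching past the announced end
        if frag.mf == 0:
            if end < held_end:
                raise ValueError("last fragment ends inside earlier data")
            self.total_len = end
        elif self.total_len is not None and end > self.total_len:
            raise ValueError("fragment extends past the announced end")
        # 3. Overlap: refuse any fragment covering bytes already received,
        #    so an already-inspected fragment can never be overwritten
        for s, p in self.pieces.items():
            if start < s + len(p) and s < end:
                raise ValueError("overlapping fragment")
        self.pieces[start] = frag.payload

    def complete(self):
        """Return the reassembled payload, or None while a piece is missing."""
        if self.total_len is None:
            return None           # the MF = 0 fragment has not arrived
        out, pos = bytearray(), 0
        for s in sorted(self.pieces):
            if s != pos:
                return None       # hole in the data
            out += self.pieces[s]
            pos += len(self.pieces[s])
        return bytes(out) if pos == self.total_len else None


def demo_slide_example():
    """The slide's example: header + 400 + 400 + 400. With a 420-byte MTU
    the fragments get (MF, OFFSET) = (1, 0), (1, 50), (0, 100)."""
    payload = bytes(range(256)) * 4 + bytes(176)    # 1200 constructed bytes
    frags = fragment(1, payload, mtu=420)
    r = Reassembler(1)
    for f in frags:
        r.add(f)
    return [(f.mf, f.offset) for f in frags], r.complete() == payload


def first_rejection(frags):
    """Feed a constructed fragment sequence; return the first reason the
    reassembler refused a piece, or None if it accepted them all."""
    r = Reassembler(frags[0].ident)
    for f in frags:
        try:
            r.add(f)
        except ValueError as err:
            return str(err)
    return None
```

demo_slide_example() returns the slide's three (MF, OFFSET) pairs and confirms the payload round-trips; first_rejection() shows which check fires for a given constructed sequence, which is also how a detection rule for these patterns would be unit-tested.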
IP spoofing
• Spoofing
– An attacker sends packets with another node's IP address
– Replies are routed to the victim
• Egress filtering
– Drop packets that cannot legitimately originate from your network
• Ingress filtering
– Drop packets from invalid addresses

• Router and host
– A router usually connects to multiple networks
– A host only connects to one
• Routing table
– Used by routers to determine the next hop
– When determining which entry to use, the one with the longest match is usually chosen
• Next-hop routing
– The destination IP address does not change; only the next hop's MAC address is used

• Default route
– Used when no other entry matches the routing request
• Routing procedure
– Extract the destination IP D and compute the network prefix N
– Is N the same network?
– Which routing entry has the longest match?
– Is there a default route?
– Otherwise report an error

• Handling incoming packets
– Host: accept or discard, do not forward. Why?
– Router:
• Decrease the TTL, recompute the checksum
• If TTL = 0, drop the packet and send an error message to the source
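The header checksum material (computed over the header only, recomputed at every hop) and the routing and forwarding steps above, as one worked example. This is added code, not material from the lecture: it builds the slide's ICMP header for 128.10.2.3 to 128.10.2.8, shows that the checksum is computed over the 20-byte header alone, applies the routing procedure (directly attached network, longest prefix match, default route, error), decrements the TTL, drops with an error back to the source when it reaches 0, and recomputes the checksum because the TTL changed (the slide's "why"). The routing table entries and the 10.0.0.x next-hop addresses are constructed for illustration.

```python
"""Added example, not part of the lecture: the IPv4 header checksum and a
router's forwarding steps (check header, TTL, routing lookup, recompute
checksum). Source/destination 128.10.2.3 -> 128.10.2.8 are the slide's
ICMP example; the routing table and 10.0.0.x next hops are constructed."""
import ipaddress
import struct

PROTO_ICMP = 0x01   # protocol number from the slides


def ip_checksum(header):
    """RFC 791 checksum over the header only: one's-complement sum of
    16-bit words, then the one's complement of the result."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                     # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(header):
    """A header with a correct checksum sums to 0xFFFF, so re-running the
    calculation over it (checksum field included) yields 0."""
    return ip_checksum(header) == 0


def build_header(src, dst, proto, ttl, payload_len, ident=0):
    """20-byte IPv4 header (version 4, HLEN 5, no options, TOS 0)."""
    fields = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 20 + payload_len, ident, 0,
                         ttl, proto, 0,        # checksum field zero for now
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def lookup(dst, table, default=None):
    """Routing procedure from the slides. `table` holds (network, next_hop)
    pairs; next_hop None marks a directly attached network."""
    d = ipaddress.ip_address(dst)
    # 1. Is the destination on one of our own networks? Deliver directly.
    for net, hop in table:
        if hop is None and d in net:
            return "direct"
    # 2. Otherwise take the entry with the longest matching prefix.
    best = None
    for net, hop in table:
        if hop is not None and d in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, hop)
    if best is not None:
        return best[1]
    # 3. Fall back to the default route; 4. otherwise report an error.
    if default is not None:
        return default
    raise LookupError("no route to %s" % dst)


def forward(packet, table, default=None):
    """Router handling of an incoming packet: returns (action, detail,
    outgoing packet or None)."""
    header = packet[:20]
    if not checksum_ok(header):
        return "drop", "bad header checksum", None
    src = str(ipaddress.ip_address(header[12:16]))
    dst = str(ipaddress.ip_address(header[16:20]))
    ttl = header[8] - 1                    # every router decrements the TTL
    if ttl <= 0:
        return "drop", "time exceeded, error message to " + src, None
    try:
        hop = lookup(dst, table, default)
    except LookupError as err:
        return "drop", str(err), None
    # The TTL changed, so the checksum computed over the header must be
    # recomputed at this hop: zero the field, then re-sum the new header.
    new = bytearray(header)
    new[8] = ttl
    new[10:12] = b"\x00\x00"
    new[10:12] = struct.pack("!H", ip_checksum(bytes(new)))
    return "forward", hop, bytes(new) + packet[20:]


# Constructed routing table for a router attached to 128.10.2.0/24
TABLE = [
    (ipaddress.ip_network("128.10.2.0/24"), None),        # directly attached
    (ipaddress.ip_network("128.10.0.0/16"), "10.0.0.2"),  # aggregate route
    (ipaddress.ip_network("128.10.3.0/24"), "10.0.0.3"),  # longer match wins
]
DEFAULT_ROUTE = "10.0.0.1"


def demo():
    """The slide's ICMP packet with 8 bytes of constructed payload, TTL 64."""
    pkt = build_header("128.10.2.3", "128.10.2.8", PROTO_ICMP, 64, 8) + bytes(8)
    return forward(pkt, TABLE, DEFAULT_ROUTE)
```

Changing the TTL byte of a header without recomputing makes checksum_ok() fail, which is exactly why a router must recompute at every hop; because the sum covers only the header, the payload bytes can be forwarded untouched.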