Lecture 22 Network Security
CS 450/650 Fundamentals of Integrated Computer Security
Slides are modified from Hesham El-Rewini

Network Performance
• Gilder’s Law
– George Gilder projected that the total bandwidth of communication systems triples every twelve months
• Ethernet: 10 Mbps to 10 Gbps (1000 times)
• CPU clock frequency: 25 MHz to 2.5 GHz (100 times)
• Metcalfe's Law
– Robert Metcalfe projected that the value of a network is proportional to the square of the number of nodes
• Phone, Internet
CS 450/650 – Lecture 22: Network Security

Internet
• The Internet is the collection of networks and routers
– form a single cooperative virtual network
– spans the entire globe
• The Internet relies on the combination of the Transmission Control Protocol and the Internet Protocol, or TCP/IP
– The majority of Internet traffic is carried using TCP/IP packets

ISO OSI Network Model
[Figure: two seven-layer stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) on two hosts, joined by LAN – Internet – LAN]

TCP/IP
[Figure: protocol stack with smtp, sftp and ssh over Transmission Control Protocol (TCP) over Internet Protocol (IP) over Ethernet or Token ring]

TCP/IP Packets
[Figure: Physical Header | IP Header | TCP Header | message]

Addressing
• MAC (Media Access Control) address
– Every host connected to a network has a network interface card (NIC) with a unique physical address
• IP address
– IPv4: 32 bits (192.168.48.6)
– IPv6: 128 bits

Routing
• Routers
• Routing Tables

IP Protocol
• Best-effort packet delivery service
• Datagram (IPv4)
[Figure: IPv4 datagram layout – VERS | HLEN | Service Type | TOTAL LENGTH; IDENTIFICATION | FLAGS | FRAGMENT OFFSET; TIME TO LIVE | PROTOCOL | HEADER CHECKSUM; SOURCE ADDRESS; DESTINATION ADDRESS; OPTIONS (IF ANY) | PADDING; DATA]

Internet Control Message Protocol
• Transmits error messages and unusual situations
• Different types of ICMP have slightly different formats
[Figure: ICMP time-exceeded message – Type | Code | CHECKSUM; Unused (must be zero); DATA: header and first 64 bits of the offending datagram]

ICMP (Echo request/reply)
• Transmits error messages and unusual situations
• Different types of ICMP have slightly different formats
[Figure: ICMP Echo Request/Reply message – Type | Code | CHECKSUM; Identifier | Sequence number; DATA (optional)]

Ping of Death Attack
• Denial of service attack (first in 1996)
• Some systems did not handle oversized IP datagrams properly
• An attacker constructs an ICMP echo request containing 65,510 data octets and sends it to the victim
• The total size of the resulting datagram would be larger than the 65,535-octet limit specified by IP
– The system would crash

SMURF
• Attacker sends an echo request message to a broadcast address
• Attacker also spoofs the source address in the request
[Figure: Attacker → Intermediary → Victim]

UDP (User Datagram Protocol)
• From one application to another
– multiple destinations
• Port: positive integer
– unique destination
[Figure: UDP datagram layout – SOURCE PORT | DESTINATION PORT; LENGTH | CHECKSUM (optional); DATA]

Attacks on UDP
• Fraggle
• Trinoo

Fraggle (similar to smurf)
• UDP port 7 is used for the echo service
• An attacker can create a stream of user datagrams with a random source port and a spoofed source address
• The destination port is 7 and the destination address is a broadcast address at some intermediate site
• The attack can get worse if the source port = 7
• Could be prevented by filtering out UDP echo requests destined for broadcast addresses

Fraggle attack
[Figure: stream of UDP datagrams with spoofed source = victim’s host, random source port, destination = broadcast address, destination port = 7; second variant identical but with source port = 7]

Trinoo
• Distributed denial of service
• In smurf and fraggle, traffic comes from a single intermediate node
• Trinoo allows the attacker to flood the victim from hundreds of intermediate sites simultaneously
• Two programs:
– master and
– daemon
• installed in many different stolen accounts

Trinoo attack
[Figure: attacker → masters → daemons → large number of UDP packets to random ports]

TCP
• Reliable delivery
• TCP messages are sent inside IP datagrams
[Figure: TCP segment layout – SOURCE PORT | DESTINATION PORT; SEQUENCE NUMBER; ACKNOWLEDGMENT; HLEN | RESV | CODE BITS | WINDOW; CHECKSUM | URGENT POINTER; OPTIONS (IF ANY) | PADDING; DATA]

TCP Overview
• TCP segments are sent inside IP datagrams
• TCP divides a stream of data into chunks that fit in IP datagrams
• It ensures that each datagram arrives at its destination
• It then reassembles the datagrams to produce the original message

TCP Overview (cont.)
• TCP uses an acknowledgment-and-retransmission scheme
• TCP sending software keeps a record of each datagram and waits for an acknowledgment
– If no acknowledgment is received during the timeout interval, the datagram is retransmitted

TCP communication
[Figure: Establishing a TCP connection using a 3-way handshake – Message 1 (SYN + SEQ) from Host A to Host B; Message 2 (SYN + SEQ + ACK) from Host B to Host A; Message 3 (ACK) from Host A to Host B. Closing a TCP connection (one way, A to B) – Message 1 (FIN + SEQ) from Host A to Host B; Message 2 (ACK) from Host B to Host A]

Attacks on TCP
• SYN Flood
– Half-opened connection table
• LAND
– Spoofed source address = destination address
– Source port = destination port
– Certain implementations freeze
• TRIBE Flood Network (TFN)
– Similar to trinoo but with more than one attack
– UDP flood, smurf, SYN floods, and others

Probes and Scans
• Ping scan and traceroute
– What machines exist on a given network and how they are arranged
• Remote OS fingerprinting
– What OS each detected host is running
– Different OSes respond to invalid packets differently
– Example: FIN to a connection that has not been opened

Probes and Scans
• Port Scanning
– Which ports are open? (port scanner)
• Open a TCP connection and close it immediately
• Use half-opened connections
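An added example, not from the slides or the course, that implements the defensive checks implied by the IP datagram, Ping of Death, Smurf and Fraggle slides: it decodes the IPv4 header fields listed on the datagram slide from raw bytes, rejects a fragment whose reassembled size would exceed the 65,535-octet limit, and filters ICMP echo requests and UDP echo (port 7) datagrams addressed to a broadcast address, which is the countermeasure the Fraggle slide names. The 192.168.48.0/24 subnet (chosen to match the slide's sample address), the sample packets and the zeroed header checksums are all constructed for this example.

```python
import struct
import ipaddress

# Assumed local subnet for this example, chosen to match the slide's sample
# address 192.168.48.6; its directed broadcast address is 192.168.48.255.
LOCAL_NET = ipaddress.ip_network("192.168.48.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
IP_MAX_DATAGRAM = 65535          # largest legal IPv4 datagram, header included
PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_ECHO_REQUEST = 8
UDP_ECHO_PORT = 7


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header fields shown on the datagram slide."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (vers_hlen, _tos, total_len, _ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    hlen = (vers_hlen & 0x0F) * 4
    return {
        "version": vers_hlen >> 4,
        "hlen": hlen,
        "total_len": total_len,
        "more_fragments": bool(flags_off & 0x2000),
        "frag_offset": (flags_off & 0x1FFF) * 8,   # field counts 8-octet units
        "proto": proto,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "payload": packet[hlen:total_len],
    }


def classify(packet: bytes) -> str:
    """Return 'accept' or a 'drop: <reason>' verdict for one datagram."""
    ip = parse_ipv4(packet)
    # Ping of Death: the fragment's position plus its length must fit in a
    # legal datagram once reassembled; oversized results crashed old stacks.
    payload_len = ip["total_len"] - ip["hlen"]
    if ip["hlen"] + ip["frag_offset"] + payload_len > IP_MAX_DATAGRAM:
        return "drop: reassembled datagram would exceed 65535 octets"
    to_broadcast = ip["dst"] in (LOCAL_NET.broadcast_address, LIMITED_BROADCAST)
    if not to_broadcast:
        return "accept"
    # Smurf: ICMP echo request to a broadcast address (the type is the first
    # ICMP octet, which is present only in the first fragment).
    if (ip["proto"] == PROTO_ICMP and ip["frag_offset"] == 0
            and ip["payload"][:1] == bytes([ICMP_ECHO_REQUEST])):
        return "drop: ICMP echo request to broadcast address (smurf amplifier)"
    # Fraggle: UDP echo (port 7) to a broadcast address; the source port is
    # checked too, because source port 7 is the worse variant on the slide.
    if ip["proto"] == PROTO_UDP and len(ip["payload"]) >= 4:
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
        if UDP_ECHO_PORT in (sport, dport):
            return "drop: UDP echo to broadcast address (fraggle amplifier)"
    return "accept"


def build_ipv4(src, dst, proto, payload, frag_offset=0, more_fragments=False):
    """Build constructed sample datagrams; the header checksum is left zero."""
    flags_off = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_off, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload


# Constructed sample traffic (ICMP echo = type 8, code 0, checksum, id, seq).
ECHO_REQUEST = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1) + b"ping"
UDP_TO_ECHO = struct.pack("!HHHH", 53142, UDP_ECHO_PORT, 12, 0) + b"echo"
SAMPLE_PACKETS = {
    "normal ping": build_ipv4("10.0.0.5", "192.168.48.6", PROTO_ICMP, ECHO_REQUEST),
    "smurf": build_ipv4("10.0.0.5", "192.168.48.255", PROTO_ICMP, ECHO_REQUEST),
    "fraggle": build_ipv4("10.0.0.5", "192.168.48.255", PROTO_UDP, UDP_TO_ECHO),
    # Last fragment placed at offset 65528 carrying 20 payload octets:
    # 20 + 65528 + 20 = 65568, past the IP limit (the Ping of Death shape).
    "ping of death": build_ipv4("10.0.0.5", "192.168.48.6", PROTO_ICMP,
                                b"\x00" * 20, frag_offset=65528),
}


def run_samples() -> dict:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14s} -> {verdict}")
```

The reassembly check is evaluated per fragment, so a router or host can reject the offending fragment before buffering the whole datagram; the broadcast filter needs to know the local subnet, which is why the network is a configured constant rather than derived from the packet.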
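A second added example (again not the lecture's own code) for the TCP slides: it follows the three-way handshake over a constructed packet log, keeps the half-opened connection table that a SYN flood fills, raises an alert when the number of half-open connections to one server port reaches a threshold, and discards LAND-shaped packets whose source address and port equal the destination's. The packet log, the addresses and the threshold of 3 are assumptions made for the example.

```python
HALF_OPEN_LIMIT = 3   # assumed alert threshold for this example


class HandshakeTracker:
    """Follow SYN / SYN+ACK / ACK exchanges and keep the half-open table."""

    def __init__(self, half_open_limit=HALF_OPEN_LIMIT):
        self.limit = half_open_limit
        self.half_open = {}        # (client, cport, server, sport) -> state
        self.established = set()
        self.alerts = []
        self._alerted_ports = set()

    def observe(self, src, sport, dst, dport, flags):
        flags = set(flags)
        # LAND: source equals destination on both address and port.
        if src == dst and sport == dport:
            self.alerts.append(f"LAND: {src}:{sport} addressed to itself, discarded")
            return
        client_key = (src, sport, dst, dport)   # packet flows client -> server
        server_key = (dst, dport, src, sport)   # packet flows server -> client
        if "RST" in flags or "FIN" in flags:
            for key in (client_key, server_key):
                self.half_open.pop(key, None)
                self.established.discard(key)
            return
        if "SYN" in flags and "ACK" not in flags:
            # Message 1: new entry in the half-opened connection table.
            self.half_open[client_key] = "SYN_RECEIVED"
            self._check_half_open(dst, dport)
        elif "SYN" in flags and "ACK" in flags:
            # Message 2: server answered; entry stays half-open until the ACK.
            if server_key in self.half_open:
                self.half_open[server_key] = "SYN_ACK_SENT"
        elif "ACK" in flags:
            # Message 3: handshake complete, entry leaves the half-open table.
            if self.half_open.pop(client_key, None) == "SYN_ACK_SENT":
                self.established.add(client_key)

    def _check_half_open(self, server, port):
        pending = sum(1 for (_c, _cp, s, p) in self.half_open
                      if (s, p) == (server, port))
        if pending >= self.limit and (server, port) not in self._alerted_ports:
            self._alerted_ports.add((server, port))
            self.alerts.append(
                f"SYN flood suspected: {pending} half-open connections to {server}:{port}")

    def summary(self):
        return {"half_open": len(self.half_open),
                "established": len(self.established),
                "alerts": list(self.alerts)}


# Constructed packet log: (src, sport, dst, dport, flags). One client completes
# the handshake; four SYNs from spoofed-looking sources are never acknowledged;
# the last packet has the LAND shape.
PACKET_LOG = [
    ("10.0.0.5", 40001, "192.168.48.6", 80, {"SYN"}),
    ("192.168.48.6", 80, "10.0.0.5", 40001, {"SYN", "ACK"}),
    ("10.0.0.5", 40001, "192.168.48.6", 80, {"ACK"}),
    ("203.0.113.9", 1111, "192.168.48.6", 80, {"SYN"}),
    ("203.0.113.17", 1112, "192.168.48.6", 80, {"SYN"}),
    ("203.0.113.25", 1113, "192.168.48.6", 80, {"SYN"}),
    ("203.0.113.33", 1114, "192.168.48.6", 80, {"SYN"}),
    ("192.168.48.6", 139, "192.168.48.6", 139, {"SYN"}),
]


def analyze(log=PACKET_LOG) -> HandshakeTracker:
    """Replay a packet log through the tracker and return it for inspection."""
    tracker = HandshakeTracker()
    for src, sport, dst, dport, flags in log:
        tracker.observe(src, sport, dst, dport, flags)
    return tracker


if __name__ == "__main__":
    print(analyze().summary())
```

Real stacks age half-open entries out after a timeout, which this replay omits so that the table growth the SYN Flood slide refers to stays visible; the LAND check runs before any table lookup because such a packet should never be allowed to create state.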