Computer System Security
CSE 5339/7339, Session 25, November 16, 2004
Computer Science and Engineering

Contents
- Security in Networks
- Group Work
- Wing's presentation

IP Protocol
- Unreliable packet delivery service
- Datagram (IPv4) header layout:
  VERS | HLEN | SERVICE TYPE | TOTAL LENGTH
  IDENTIFICATION | FLAGS | FRAGMENT OFFSET
  TIME TO LIVE | PROTOCOL | HEADER CHECKSUM
  SOURCE ADDRESS
  DESTINATION ADDRESS
  OPTIONS (IF ANY) | PADDING
  DATA

Attacks
- IP Spoofing
- Teardrop attacks

ICMP (Internet Control Message Protocol)
- Transmits error messages and reports unusual situations
- Different ICMP types have slightly different formats
- ICMP time-exceeded message:
  TYPE | CODE | CHECKSUM
  UNUSED (must be zero)
  DATA: header and first 64 bits of the offending datagram

ICMP (Echo request/reply)
- ICMP Echo Request/Reply message:
  TYPE | CODE | CHECKSUM
  IDENTIFIER | SEQUENCE NUMBER
  DATA (optional)

Ping of Death Attack
- Denial of service attack (first seen in 1996)
- Some systems did not handle oversized IP datagrams properly
- An attacker constructs an ICMP echo request containing 65,510 data octets and sends it to the victim
- The total size of the resulting datagram would be larger than the 65,535-octet limit specified by IP
- The system would crash

SMURF
- Attacker sends an echo request message to a broadcast address
- Attacker also spoofs the source address in the request
- [Figure: Attacker -> Intermediary (broadcast network) -> Victim]

UDP (User Datagram Protocol)
- From one application to another (multiple destinations)
- Port: positive integer (unique destination)
- Datagram layout:
  SOURCE PORT | DESTINATION PORT
  LENGTH | CHECKSUM (optional)
  DATA

Attacks on UDP
- Fraggle
- Trinoo

Fraggle (similar to smurf)
- UDP port 7 is used for the echo service
- An attacker can create a stream of user datagrams with a random source port and a spoofed source address
- Destination port is 7 and the destination address is a broadcast address at some intermediate site
- The attack can get worse if the source port = 7
- Could be prevented by filtering out UDP echo requests destined for broadcast addresses
- [Figure 1: stream of UDP datagrams with spoofed source (victim's host), random source port, broadcast destination, destination port = 7]
- [Figure 2: stream of UDP datagrams with spoofed source (victim's host), source port = 7, broadcast destination, destination port = 7]

Trinoo
- Distributed denial of service
- In smurf and fraggle, traffic comes from a single intermediate node
- Trinoo allows the attacker to flood the victim from hundreds of intermediate sites simultaneously
- Two programs: master and daemon, installed in many different stolen accounts
- [Figure: attacker -> masters -> daemons -> large number of UDP packets to random ports at the victim]

TCP
- Reliable delivery
- TCP messages are sent inside IP datagrams
- Segment layout:
  SOURCE PORT | DESTINATION PORT
  SEQUENCE NUMBER
  ACKNOWLEDGMENT NUMBER
  HLEN | RESV | CODE BITS | WINDOW
  CHECKSUM | URGENT POINTER
  OPTIONS (IF ANY) | PADDING
  DATA

TCP Overview
- TCP segments are sent inside IP datagrams
- TCP divides a stream of data into chunks that fit in IP datagrams
- It ensures that each datagram arrives at its destination
- It then reassembles the datagrams to produce the original message

TCP Overview (cont.)
- TCP uses an acknowledgment-and-retransmission scheme
- TCP sending software keeps a record of each datagram and waits for an acknowledgment
- If no acknowledgment is received during the timeout interval, the datagram is retransmitted

Establishing a TCP Connection Using a 3-way handshake
- Message 1 (SYN + SEQ): Host A -> Host B
- Message 2 (SYN + SEQ + ACK): Host B -> Host A
- Message 3 (ACK): Host A -> Host B

Closing a TCP Connection (one way, A to B)
- Message 1 (FIN + SEQ): Host A -> Host B
- Message 2 (ACK): Host B -> Host A

Group Work
- Discuss possible attacks

Attacks on TCP
- SYN Flood: fills the half-open connection table
- LAND: spoofed source address = destination address, source port = destination port; certain implementations freeze
- Tribe Flood Network (TFN): similar to trinoo but carries out more than one attack (UDP flood, smurf, SYN floods, and others)

Probes and Scans
- Ping scan and traceroute (what machines exist on a given network and how they are arranged)
- Remote OS fingerprinting (what OS each detected host is running; different OSes respond to invalid packets differently; example: FIN to a connection that has not been opened)
- Port scanning (which ports are open? port scanner)
  - Open a TCP connection and close it immediately
  - Use half-opened connections

Wired Backbone with Mobile Nodes
- [Figure: mobile hosts attached through base stations to a wired backbone / fixed communication network with fixed hosts]

Mobile IP (Cont.)
- [Figure: home agent on the home subnet with the mobile host at home; foreign agents on foreign subnets with a mobile host visiting a foreign subnet; arbitrary topology of routers and links between them]

Wireless Multi-hop Backbone
- [Figure: mobile hosts forming a wireless multi-hop backbone]

Hybrid Backbone
- [Figure: wired backbone with base stations and fixed hosts combined with a wireless multi-hop backbone of mobile hosts]
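The Ping of Death slide above describes the failure mode: a system reassembles fragments without checking that the result stays inside the 65,535-octet IPv4 limit. The following is an added example, not code from the lecture, showing the bound check a hardened reassembler applies to every fragment before it is copied into the buffer. The `Reassembler` class, the `ping_of_death_fragments` helper and the 1480-octet fragment size (a 1500-byte MTU minus a 20-byte header) are constructed for this illustration.

```python
# Added example (not from the original slides): fragment reassembly that
# enforces the 65,535-octet IPv4 datagram limit on every fragment.

IPV4_MAX_TOTAL_LENGTH = 65535   # 16-bit TOTAL LENGTH field
IPV4_MIN_HEADER_LENGTH = 20     # HLEN = 5 words, no options
ICMP_HEADER_LENGTH = 8          # type, code, checksum, identifier, sequence


class OversizedDatagram(Exception):
    """Raised when a fragment would reassemble past the IPv4 size limit."""


def fragment_end(offset_units, payload_len):
    """Byte position just past this fragment's payload in the reassembled
    datagram. FRAGMENT OFFSET is measured in 8-octet units."""
    return offset_units * 8 + payload_len


class Reassembler:
    """Collects the fragments of one datagram (one src/dst/id/proto key).

    The check in add() is the one the 1996 systems lacked: the end of each
    fragment is compared against the limit before it is stored, instead of
    trusting that the sum of the pieces fits a 16-bit length."""

    def __init__(self, header_len=IPV4_MIN_HEADER_LENGTH):
        self.max_payload = IPV4_MAX_TOTAL_LENGTH - header_len
        self.pieces = {}          # byte offset -> payload bytes
        self.total_len = None     # set when the last fragment (MF = 0) arrives

    def add(self, offset_units, more_fragments, payload):
        end = fragment_end(offset_units, len(payload))
        if end > self.max_payload:
            raise OversizedDatagram(
                f"fragment ends at {end} > {self.max_payload} payload octets")
        self.pieces[offset_units * 8] = payload
        if not more_fragments:
            self.total_len = end
        return self._complete()

    def _complete(self):
        """Return the reassembled payload once every byte is covered, else None."""
        if self.total_len is None:
            return None
        cursor = 0
        for start in sorted(self.pieces):
            if start != cursor:
                return None       # a hole remains
            cursor = start + len(self.pieces[start])
        if cursor != self.total_len:
            return None
        return b"".join(self.pieces[s] for s in sorted(self.pieces))


def ping_of_death_fragments(data_octets=65510, mtu_payload=1480):
    """Constructed fragment list for an ICMP echo request carrying data_octets
    of data, split the way a 1500-byte MTU link would split it."""
    icmp = b"\x08\x00" + b"\x00" * 6 + b"A" * data_octets   # type 8 = echo request
    frags = []
    for offset in range(0, len(icmp), mtu_payload):
        chunk = icmp[offset:offset + mtu_payload]
        more = offset + mtu_payload < len(icmp)
        frags.append((offset // 8, more, chunk))
    return frags


def try_reassemble(frags):
    """Feed fragments through the reassembler: 'ok', 'rejected' or 'incomplete'."""
    r = Reassembler()
    try:
        for offset_units, more, chunk in frags:
            if r.add(offset_units, more, chunk) is not None:
                return "ok"
    except OversizedDatagram:
        return "rejected"
    return "incomplete"


if __name__ == "__main__":
    print("65,510 data octets:", try_reassemble(ping_of_death_fragments()))
    print("56 data octets:    ", try_reassemble(ping_of_death_fragments(56)))
```

With 65,510 data octets the ICMP message is 65,518 octets, which with a 20-octet IP header exceeds 65,535, so the last fragment is rejected; 65,507 data octets is the largest legal echo request and reassembles cleanly.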
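The IP Spoofing, SMURF, Fraggle and LAND slides each name a packet pattern a border filter can drop: inside source addresses arriving from outside, echo requests and UDP port 7 datagrams aimed at a broadcast address, and segments whose source equals their destination. This added example (not from the lecture) implements those rules as one classifier over constructed packet records; the `192.0.2.0/24` site prefix, the broadcast set and the sample traffic are assumptions made for the illustration.

```python
# Added example (not from the original slides): a border filter for the
# spoofing, smurf, fraggle and LAND patterns the lecture describes.
from ipaddress import ip_address, ip_network

# Constructed site data: our prefix (a documentation range), the broadcast
# addresses a border router sees, and the UDP echo port.
INTERNAL_NET = ip_network("192.0.2.0/24")
BROADCASTS = {ip_address("192.0.2.255"), ip_address("255.255.255.255")}
ECHO_PORT = 7
ICMP_ECHO_REQUEST = 8


def classify(pkt, inbound):
    """Return the names of the rules a packet trips (empty list = forward it).

    pkt is a dict with proto ('icmp', 'udp' or 'tcp'), src and dst addresses,
    sport/dport for UDP and TCP, and icmp_type for ICMP. inbound is True when
    the packet arrived on the external interface."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    hits = []

    # Ingress and egress filtering against IP spoofing: a packet from outside
    # must not carry an inside source address, and vice versa.
    if inbound and src in INTERNAL_NET:
        hits.append("spoofed-internal-source")
    if not inbound and src not in INTERNAL_NET:
        hits.append("spoofed-external-source")

    # Smurf: an echo request to a broadcast address would make every host on
    # the segment reply to the (spoofed) source, so drop it at the border.
    if (pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST
            and dst in BROADCASTS):
        hits.append("smurf-amplifier")

    # Fraggle: UDP echo (port 7) to a broadcast address, the filter the slide recommends.
    if pkt["proto"] == "udp" and pkt.get("dport") == ECHO_PORT and dst in BROADCASTS:
        hits.append("fraggle-amplifier")

    # LAND: source address and port equal to destination address and port.
    if (pkt["proto"] in ("tcp", "udp") and src == dst
            and pkt.get("sport") == pkt.get("dport")):
        hits.append("land")

    return hits


def filter_batch(packets):
    """Apply classify() to (pkt, inbound) pairs; returns [(verdict, hits), ...]."""
    out = []
    for pkt, inbound in packets:
        hits = classify(pkt, inbound)
        out.append(("drop" if hits else "forward", hits))
    return out


# Constructed traffic sample: one normal request and one instance of each pattern.
SAMPLE = [
    ({"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10",
      "sport": 51000, "dport": 80}, True),
    ({"proto": "icmp", "src": "198.51.100.20", "dst": "192.0.2.255",
      "icmp_type": 8}, True),
    ({"proto": "udp", "src": "198.51.100.20", "dst": "192.0.2.255",
      "sport": 7, "dport": 7}, True),
    ({"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10",
      "sport": 139, "dport": 139}, True),
    ({"proto": "udp", "src": "198.51.100.20", "dst": "203.0.113.5",
      "sport": 53, "dport": 53}, False),
]

if __name__ == "__main__":
    for (pkt, _), (verdict, hits) in zip(SAMPLE, filter_batch(SAMPLE)):
        print(f"{pkt['src']:>14} -> {pkt['dst']:<15} {verdict:8} {hits}")
```

The fourth sample packet trips two rules at once: a LAND segment aimed at an inside host necessarily carries an inside source address, so ingress filtering alone already stops it at the border.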
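The 3-way handshake, SYN Flood and Probes and Scans slides all concern the same host-side state: the half-open connection table a SYN starts and an ACK closes. This added example (not from the lecture) is a small monitor that keeps that table with a timeout and a per-source cap, and also flags the two probe patterns the slides list, half-open port scans and a FIN sent to a connection that was never opened. The thresholds, the `TcpMonitor` class and the replayed segment trace are constructed for the illustration.

```python
# Added example (not from the original slides): half-open connection table
# with ageing, plus detection of SYN floods, half-open scans and FIN probes.
from collections import defaultdict

# Constructed thresholds; real values depend on the host and its traffic.
HALF_OPEN_TIMEOUT = 30.0    # seconds a SYN_RECEIVED entry may wait for message 3
HALF_OPEN_PER_SOURCE = 5    # half-open entries one source may hold at once
SCAN_PORT_THRESHOLD = 10    # distinct destination ports one source may probe


class TcpMonitor:
    """Tracks the half-open table a SYN flood tries to fill and the probe
    patterns the Probes and Scans slide lists."""

    def __init__(self):
        self.half_open = {}                     # 4-tuple -> time the SYN arrived
        self.established = set()                # 4-tuples that completed the handshake
        self.ports_touched = defaultdict(set)   # src -> destination ports it sent SYNs to
        self.alerts = {}                        # (kind, src) -> latest count

    def expire(self, now):
        """Drop half-open entries older than the timeout; returns how many were dropped."""
        stale = [k for k, t in self.half_open.items() if now - t > HALF_OPEN_TIMEOUT]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def half_open_from(self, src):
        return sum(1 for k in self.half_open if k[0] == src)

    def observe(self, seg, now):
        """seg: dict with src, sport, dst, dport and flags (a set drawn from
        'SYN', 'ACK', 'FIN', 'RST'). Returns the alert table so far."""
        self.expire(now)
        key = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        flags, src = seg["flags"], seg["src"]
        if "RST" in flags:
            # A reset tears down whatever state exists; half-open scanners send one.
            self.half_open.pop(key, None)
            self.established.discard(key)
        elif "SYN" in flags and "ACK" not in flags:
            # Message 1 of the 3-way handshake: allocate a half-open entry.
            self.half_open[key] = now
            self.ports_touched[src].add(seg["dport"])
            if self.half_open_from(src) > HALF_OPEN_PER_SOURCE:
                self.alerts[("syn-flood", src)] = self.half_open_from(src)
            if len(self.ports_touched[src]) > SCAN_PORT_THRESHOLD:
                self.alerts[("port-scan", src)] = len(self.ports_touched[src])
        elif "ACK" in flags and key in self.half_open:
            # Message 3: the handshake completes and the entry leaves the table.
            del self.half_open[key]
            self.established.add(key)
        elif "FIN" in flags and key not in self.established and key not in self.half_open:
            # FIN for a connection that was never opened: the invalid-packet
            # probe the slide gives as an OS-fingerprinting example.
            self.alerts[("fin-probe", src)] = self.alerts.get(("fin-probe", src), 0) + 1
        return dict(self.alerts)


def run_sample():
    """Replay a constructed segment trace and return the monitor afterwards."""
    m = TcpMonitor()

    def seg(src, sport, dport, *flags):
        return {"src": src, "sport": sport, "dst": "192.0.2.10",
                "dport": dport, "flags": set(flags)}

    # Legitimate client: full handshake, then an orderly close.
    m.observe(seg("192.0.2.50", 40000, 80, "SYN"), 0.0)
    m.observe(seg("192.0.2.50", 40000, 80, "ACK"), 0.1)
    m.observe(seg("192.0.2.50", 40000, 80, "FIN", "ACK"), 5.0)
    # SYN flood: eight SYNs from one source, none ever acknowledged.
    for i in range(8):
        m.observe(seg("203.0.113.7", 50000 + i, 80, "SYN"), 1.0 + i)
    # Half-open scan: SYN followed by RST against twelve different ports.
    for port in range(20, 32):
        m.observe(seg("198.51.100.9", 60000 + port, port, "SYN"), 10.0)
        m.observe(seg("198.51.100.9", 60000 + port, port, "RST"), 10.1)
    # Fingerprinting probe: a bare FIN to a port with no connection.
    m.observe(seg("203.0.113.8", 4444, 22, "FIN"), 12.0)
    return m


if __name__ == "__main__":
    monitor = run_sample()
    for (kind, src), count in sorted(monitor.alerts.items()):
        print(f"{kind:10} {src:15} count={count}")
    print("half-open entries aged out at t=50:", monitor.expire(50.0))
```

The scanner never triggers the flood rule because each RST frees its half-open entry, which is exactly why the slide lists half-open connections as a scanning technique; the timeout is what eventually reclaims the flooder's entries, so its value bounds how long a source can hold table space without finishing the handshake.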