Network Layer Security, Lecture 4
Supakorn Kungpisdan, Ph.D.
NETE4630: Advanced Network Security and Implementation

Overview
- IP Packet Format (figure of the IP header; labels visible include Header Length and Identification (IPID))

Overview
- IP, ICMP, and routing protocols
- IP is connectionless and subject to DoS
- ICMP can be used by attackers
- Routing protocols are subject to stack attacks

Roadmap
- Attacking the Network Layer
- Defending the Network Layer

IP Attacks
- Spoofing
- Fragmentation
- Passive and active fingerprinting
- Port scanning
- Redirection

Spoofing
- Two kinds: local spoofing and blind spoofing
- Local spoofing: attacker and victim are on the same subnet
- The attacker begins by sniffing traffic to find the key pieces of information needed to launch the attack
- Session hijacking is another spoofing technique; that attack starts at the transport layer

Spoofing (cont.)
- Blind spoofing: the attacker is not on the same local subnet as the victim
- A more sophisticated and advanced attack
- Many pieces of information needed for success are not available.
- The key parameters must be guessed
- Most modern OSes use fairly random sequence numbers, making the attack difficult to launch

Fragmentation
- Fragmentation is required when transmitting packets across networks that have different MTUs
- The idea of the attacks is to send different data streams to each device
- Evasion attack: sends packets to an IDS and target such that they are rejected by the IDS and accepted by the target; the IDS drops the packet and does not check its payload
- Insertion attack: sends packets to an IDS and target device such that they are accepted by the IDS and rejected by the target

IP Fragmentation
(figure)

Evasion Attack
- An attacker sends the first fragment to an IDS that has a fragmentation timeout of 15 s, while the target system has a timeout of 30 s
- The attacker waits more than 15 s but less than 30 s before sending the second fragment.
- The IDS discards the second fragment (and the first, already expired) because its timeout has been reached
- However, the target system accepts the second fragment (it is within the target's timeout)
- Thus, the IDS will not record this attack
(figure: fragments #1 and #2 on a timeline against the 15 s IDS timeout and the 30 s target timeout)

Fragmentation Attacks
- Overlapping fragments can offer an attacker a means of slipping packets past an IDS and firewall
- Example: a packet passes through a Cisco router on its way to a Windows-based system
- If a duplicate fragment is received, the Cisco router prefers the last fragment, whereas Windows prefers the original fragment

Fragmentation Attacks (cont.)
(figure: fragments #1 and #2; the attacker modifies #2 and transmits #2 and #3; Windows and the router accept #1 and #2; Windows keeps #1, original #2, #3; the router keeps #1, modified #2, #3)

Fragmentation Attacks (cont.)
- An attacker breaks a message into 3 fragments
- He sends fragments 1 and 2 to both the router and the Windows host. Both accept the fragments
- He then sends fragments 2 and 3. The retransmitted fragment 2 has the same size and offset as the original fragment but a different payload
- Windows keeps the original fragment 2, but the router keeps the retransmitted one

Teardrop Attack
- Teardrop, targa, NewTear, Nestea, Bonk, Boink, TearDrop2, and SynDrop are some of the tools that can crash machines that have a vulnerability in the IP stack
- There is a fragmentation bug in the IP stack implementation of some old Linux kernels (2.0), Windows NT, and Windows 95
- The attack sends malformed packets with the fragmentation offset value tweaked so that the received fragments overlap
- A reboot solved the problem until the next attack

Teardrop Attack (cont.)
(figure)

Fingerprinting
- Fingerprinting is the act of using peculiarities of IP, TCP, UDP, and ICMP to determine the operating system
- Not only the OS, but also the specific version
- Active and passive fingerprinting
- Active fingerprinting: sends malformed (or non-RFC-compliant) packets to the target. Different OSes respond to these packets differently
- Tools: Nmap, Xprobe, Scanrand, etc.
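The overlapping-fragment example above (router keeps the retransmitted fragment, Windows keeps the original) as an added illustration that is not part of the lecture: a small reassembler run under both policies, reporting the byte offsets where fragments disagreed, which is the condition an IDS should alert on rather than silently picking one side. The policy names and the sample fragments are assumptions of this example.

```python
# Added example (not from the lecture): a minimal IPv4 fragment reassembler
# used to show why an IDS must reassemble with the target's overlap policy.
# Fragments are modelled as (offset, payload) with byte offsets; real IPv4
# offsets are in 8-byte units, but the policy question is the same.
# Assumption: the lecture's "router keeps the retransmitted fragment" and
# "Windows keeps the original fragment" map to the "last" and "first"
# policies below.

def reassemble(fragments, policy="first"):
    """Return (reassembled_bytes, conflict_offsets).

    fragments: list of (offset, payload) in arrival order.
    policy:    "first" keeps the byte already received (original wins);
               "last" lets a retransmission overwrite it.
    conflict_offsets: positions where two fragments disagreed, which is
               exactly what an IDS should alert on instead of guessing.
    """
    buf = {}
    conflicts = set()
    for offset, payload in fragments:
        if offset < 0:
            raise ValueError("negative fragment offset")
        for i, byte in enumerate(payload):
            pos = offset + i
            if pos not in buf:
                buf[pos] = byte
            elif buf[pos] != byte:
                conflicts.add(pos)
                if policy == "last":
                    buf[pos] = byte
    # Require a contiguous run from offset 0, as a real stack would.
    data = bytearray()
    while len(data) in buf:
        data.append(buf[len(data)])
    if len(data) != len(buf):
        raise ValueError("hole in reassembly buffer")
    return bytes(data), sorted(conflicts)

# Constructed sample matching the lecture's three-fragment example:
# #1 and #2 arrive, then #2 is retransmitted with the same offset and
# size but a different payload, followed by #3.
FRAG1 = (0, b"GET /ind")
FRAG2 = (8, b"ex.html ")
FRAG2_MOD = (8, b"ex.php? ")
FRAG3 = (16, b"HTTP/1.0")
ARRIVAL = [FRAG1, FRAG2, FRAG2_MOD, FRAG3]

def what_each_side_sees():
    """Reassemble the constructed stream under both policies."""
    return {
        "first": reassemble(ARRIVAL, "first"),  # original #2 wins (Windows)
        "last": reassemble(ARRIVAL, "last"),    # retransmission wins (router)
    }
```

The two policies yield two different requests from the same wire traffic, and the non-empty conflict list is what a sensor should log.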
Passive Fingerprinting
- Passive fingerprinting: similar concept, but without injecting traffic into the network
- Looks at four fields:
  - TTL value
  - Don't Fragment bit (DF)
  - Type of Service (TOS)
  - Window size
- TTL, DF, and TOS are found in the IP header; window size is found in the TCP header

Passive Fingerprinting: TTL
- A packet has its TTL reduced each time it passes through a router, or when it remains in a router's queue too long
- There is no requirement about what the initial TTL should be
- The attacker may assume that the value observed is less than the original value (which is no more than 255)

Passive Fingerprinting: DF and TOS
- The DF flag is the primary mechanism systems use for PMTUD (Path MTU Discovery)
- Many older OSes don't use this feature
- TOS can be analyzed to determine the OS
- Even though it is rarely used on the Internet, some developers set it to a value other than zero to prevent this fingerprinting

PMTUD
1. Path MTU discovery (PMTUD) is a technique in computer networking for determining the MTU size on the network path between two hosts, usually with the goal of avoiding IP fragmentation
2. Path MTU discovery works by setting the DF (Don't Fragment) option bit in the IP headers of outgoing packets. Any device along the path whose MTU is smaller than the packet will drop it and send back an ICMP Type 3 Code 4 "Destination Unreachable (Fragmentation Needed and DF was set)" message
3. The ICMP Type 3 Code 4 message contains its MTU, allowing the source host to reduce its assumed path MTU appropriately.
4. The process repeats until the MTU is small enough to traverse the entire path without fragmentation.

PMTUD (cont.)
(figure)
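The four passive-fingerprint fields this section lists (TTL, DF, TOS in the IP header; window size in the TCP header), as an added example that is not part of the lecture: a parser that pulls them from raw header bytes and applies the stated assumption that the observed TTL is at or below an initial value of at most 255. The candidate initial TTLs, the hop estimate, and the sample packets are assumptions of this example; defenders use the same fields, for instance to spot a source whose TTL is inconsistent with where it claims to be.

```python
# Added example (not part of the lecture): extract the four passive-fingerprint
# fields from a raw IPv4+TCP header. The initial-TTL candidates (32, 64, 128,
# 255) and the hop estimate derived from them are an assumption of this
# example, not a claim of the lecture.
import struct

INITIAL_TTL_CANDIDATES = (32, 64, 128, 255)

def passive_fields(packet: bytes) -> dict:
    """Parse IPv4 + TCP headers and return the fingerprint fields."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, _total_len, ident, flags_frag, ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4                  # IP header length in bytes
    df = bool(flags_frag & 0x4000)              # Don't Fragment flag
    window = None
    if proto == 6 and len(packet) >= ihl + 20:  # TCP: window at offset 14
        window = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]
    # Smallest common initial TTL that is >= the observed one; the gap is
    # the number of routers crossed (lecture: TTL drops by one per hop).
    initial = next((c for c in INITIAL_TTL_CANDIDATES if c >= ttl), 255)
    return {"ttl": ttl, "df": df, "tos": tos, "window": window,
            "ipid": ident, "initial_ttl_guess": initial,
            "hops_guess": initial - ttl}

def build_sample(ttl, df, tos, window) -> bytes:
    """Construct a minimal IPv4+TCP SYN header for testing (checksums left 0)."""
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, flags_frag,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, window, 0, 0)
    return ip + tcp

# Constructed samples using the window sizes the lecture quotes (16,384 for
# Linux 2.0, 17,520 for FreeBSD 3), each seen a few hops from the sender.
SAMPLES = {
    "linux20_like": build_sample(ttl=58, df=True, tos=0, window=16384),
    "freebsd3_like": build_sample(ttl=62, df=True, tos=0x10, window=17520),
}
```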
Passive Fingerprinting: Window Size
- The TCP window specifies the amount of data that can be sent without having to receive an acknowledgement
- The window size should either be as close as possible to the MTU or be some multiple of this value
- Linux 2.0 used a value of 16,384, while version 3 of FreeBSD used a value of 17,520
- The most up-to-date passive fingerprinting tool is p0f
- LAB: p0f, page 129

Idle Scan: Open Port
(figure)

Idle Scan: Closed Port
(figure)

Idle Scan: Limitations
- The idle host must truly be idle
- Not all OSes use an incrementing IPID
- Some versions of Linux set the IPID to zero or generate a random IPID value
- Several message passes need to be performed to validate the results

ICMP Attacks
- ICMP helps with logical errors and diagnostics
- ICMP does not offer authentication
- Thus, ICMP can be used to scan and exploit devices
- This includes using ICMP as a backdoor (covert channel), employing it for echo attacks, for port scanning, to redirect traffic, for OS fingerprinting, and for DoS attacks

Covert Channels
- Covert channels offer attackers a way to have a secure communications channel by using allowed services
- Covert channels can also work by exploiting flaws or weaknesses in protocols like ICMP, especially ping
- ICMP fields used in ping include: Type, Code, Identifier, Sequence Number, Optional Data

ICMP Format
(figure)

Covert Channels (cont.)
(figure)

Covert Channels (cont.)
(figure)

Covert Channels (cont.)
- Some systems like Linux let the user add data into the ping:
  # ping -p 2b2b2b415448300 192.168.123.101
  This places the modem hang-up string into the ping packet
- Covert channel tools can use ICMP, TCP, or even IGRP. Examples: Loki, ICMP Backdoor, 007Shell, B0CK

ICMP Echo Attacks
- Flood the target with ping traffic and use up all available bandwidth
- Smurf exploits ICMP by sending a spoofed ping packet to the broadcast address with the source address set to the victim
- In 2002, an attack was launched against the core DNS servers. They had ping enabled
- The result was a large DoS attack that slowed the operation of the primary DNS servers

Port Scanning
- ICMP can be of great use to an attacker attempting to discover what ports are open
- ICMP is invaluable here since there is no response as there is with TCP
- Sending an ICMP packet to a port will get no response if the port is open, and will receive an ICMP type 3 code 3 (Destination Unreachable, Port Unreachable) packet if the port is closed

Port Scanning (cont.)
(figure: ICMP Type 3 (Destination Unreachable), Code 3 (Port Unreachable))

ICMP Nuke Attacks
- ICMP Nuke Attack: using spoofed addresses, an attacker might disrupt communications between two hosts by sending "Time Exceeded" (Type 11) or "Destination Unreachable" (ICMP Type 3) messages to both hosts
- This results in a DoS attack
- Check out ICMP Types and Codes

ICMP Redirect Attack
- By sending ICMP "redirect" messages, an attacker might force a router to forward packets destined to one host to the attacker's IP address

Preventing ICMP Redirect Attack
- With Linux, we can force the kernel not to accept redirect messages for one or all interfaces:
  root@router# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects

ICMP Flood
- A ping flood creates a broadcast storm of pings that overwhelms the target system
- Using Linux, one can flood a host using ping -f:
  root@router# ping -f 10.10.10.12 -c 1000
- The above command floods the host 10.10.10.12 with 1,000 packets

Preventing Ping Flood
- A ping flood can be stopped by limiting the number of ICMP echo-request messages with iptables:
  root@router# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
  root@router# iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP

Ping of Death
- Ping of Death crashed machines by sending ICMP "echo request" messages in IP packets larger than the maximum legal length of 65,535 octets, causing a buffer overflow that crashed the victim's device (computer, printer, etc.)
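The ICMP Destination Unreachable messages that both the PMTUD section (Type 3 Code 4, carrying the MTU) and the port-scanning section (Type 3 Code 3, Port Unreachable) rely on, as an added example that is not part of the lecture: a decoder for the message and the original datagram it quotes, plus a sensor-side count of distinct closed ports per source, which is the Code 3 pattern a scan leaves behind. The example assumes the probes were UDP, and the addresses and ports in the sample are constructed.

```python
# Added example (not part of the lecture): decode ICMP Destination Unreachable
# (Type 3) messages for the two codes the lecture discusses. Code 4 carries the
# next-hop MTU used by PMTUD (RFC 1191 places it in the 16 bits after the
# unused field). Every Type 3 message quotes the original IP header plus the
# first 8 bytes of the datagram, so for Code 3 (Port Unreachable) a sensor can
# read back the probed UDP port and count distinct closed ports per source.
import struct
from collections import defaultdict

ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3
CODE_FRAG_NEEDED = 4

def parse_icmp_unreachable(msg: bytes) -> dict:
    """Return the code, the quoted inner addresses/ports, and the MTU for code 4."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("ICMP error too short to contain the quoted datagram")
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if itype != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message")
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])  # first 4 of the 8 quoted bytes
    return {"code": code, "proto": proto, "orig_src": src, "orig_dst": dst,
            "orig_sport": sport, "orig_dport": dport,
            "next_hop_mtu": mtu if code == CODE_FRAG_NEEDED else None}

def closed_ports_per_prober(messages, threshold=3):
    """Flag original senders that hit at least `threshold` distinct closed UDP ports."""
    seen = defaultdict(set)
    for m in messages:
        p = parse_icmp_unreachable(m)
        if p["code"] == CODE_PORT_UNREACH and p["proto"] == 17:
            seen[p["orig_src"]].add(p["orig_dport"])
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= threshold}

def build_unreachable(code, src, dst, dport, proto=17, mtu=0) -> bytes:
    """Construct an ICMP Type 3 message quoting a 20-byte IPv4 header plus 8 bytes."""
    ip4 = lambda a: bytes(map(int, a.split(".")))
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 1, 0, 64, proto, 0, ip4(src), ip4(dst))
    inner_l4 = struct.pack("!HHHH", 40000, dport, 16, 0)  # UDP: ports, length, checksum
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, 0, 0, mtu) + inner_ip + inner_l4

# Constructed sample: one source that hit four closed ports on 10.0.0.5, one
# ordinary PMTUD notice from a router, and one unrelated single unreachable.
SAMPLE = ([build_unreachable(3, "192.0.2.10", "10.0.0.5", p) for p in (53, 69, 123, 161)]
          + [build_unreachable(4, "10.0.0.9", "198.51.100.7", 443, proto=6, mtu=1400)]
          + [build_unreachable(3, "10.0.0.3", "10.0.0.5", 514)])
```

Because the quoted inner header names the original sender, the same decoder also shows which host a spoofed-source probe is being blamed on, which matters when a router is made to "spew" unreachables at a third party as the Securing ICMP slides warn.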
Ping of Death (cont.)
- A Linux patch for the ping of death was out in 2 hours, 35 minutes, and 10 seconds, and shortly after, patches for other OSes were available from vendors

Routing Protocol Attacks
- Misconfigured dynamic routing protocols such as RIP, BGP, and OSPF may allow attackers to inject routes into the routing tables of the machines running instances of those protocols
- This may allow attackers to conduct DoS attacks by injecting wrong routes, or IP sniffing by configuring their computer to act like a router on the network

Routing Protocol Attacks (cont.)
- Distance-vector and link-state routing protocols suffer from attacks, especially DoS
- RIP is an unauthenticated service; it is vulnerable to DoS
- The attacker injects miscommunication packets into the network
- RIP spoofing works by making fake RIP packets and sending them to gateways and hosts to change their routes
- RIP sends its routing tables to a broadcast address
- The attacker can also modify the routing information to cause a redirect through a network, allowing him to sniff passwords or intercept and change data

Source Routing Attack
- Source routing is one of the IP options designed to force a packet to take a specific route through the network
- It uses the Option field in the IP header: LSRR (Loose Source Record Route) and SSRR (Strict Source Record Route)

LSR and SSR
- Loose Source Routing is an IP option which can be used for address translation. LSR is also used to implement mobility in IP networks.
- LSR uses a source routing option in TCP/IP to record the set of routers a packet must visit. The destination of the packet is replaced with the next router the packet must visit.
- The name LSR comes from the fact that only part of the path is set in advance.
- This is in contrast with Strict Source Routing (SSR), in which every single step of the route is decided in advance when the packet is sent.
- SSR defines specific points between source and destination
- No other routers are allowed to handle the datagram

Source Routing Attack (cont.)
- The use of the LSRR and SSRR options (Loose and Strict Source and Record Route) is discouraged because they create security concerns
- An attacker can spoof a source IP as a trusted system and use a source route to forward packets to a victim
- Any return packet will be sent to the attacker instead of the trusted host (because the route is fixed, static!!)
- Many routers block packets containing these options.

Roadmap
- Attacking the Network Layer
- Defending the Network Layer

Securing IP
- Encryption and authentication are the two best options for securing IP
- Built into IPv6, but not into IPv4
- IPSec's greatest security benefit is that it allows network managers to apply security without involving end users
- IPSec Tunnel Mode: link encryption; need to manage several keys
- IPSec Transport Mode: end-to-end encryption; source and destination IPs are not masked

Securing ICMP
- Disable as much of ICMP as possible, especially at routers
- Reject: send an ICMP destination-unreachable back to the source
- Drop: send no response

Securing ICMP (cont.)
- From the legitimate-use perspective, rejecting connections allows services to know that something has failed and to time out quickly
- Dropping a connection can cause a service to continue trying to connect until a retransmission value is exceeded

Securing ICMP (cont.)
- From the security perspective, dropping packets gives away less information and makes it harder for an attacker to enumerate the target
- Rejecting packets can make the router a bigger target for reflective attacks and leave it vulnerable to spewing out ICMP messages to a host being attacked by a third party

Protecting against IP Spoofing
- The Linux kernel has an option named "rp_filter"
- To disable it on all interfaces:
  root@router# echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
- To disable it on one interface, e.g. eth0:
  root@router# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
- Setting rp_filter to 1 enables IP spoofing protection; setting it to 0 disables IP spoofing protection
- rp_filter performs ingress filtering: packets coming into the network are filtered if the network sending them should not be sending packets from the IP address of the originating computer

Securing Routers and Routing Protocols
- Securing routers and the traffic that flows through them is primarily achieved by using packet filters
- Packet filtering is configured through access control lists (ACLs)

How ACL Handles Traffic
- Source IP address: Is it from a valid or allowed address?
- Destination IP address: Is this address allowed to receive packets from this device?
- Source and destination ports: includes TCP, UDP, and ICMP
- TCP flags: includes SYN, FIN, ACK, PSH
- Protocols: includes FTP, Telnet, HTTP, DNS, and POP3
- Direction: can allow or deny inbound or outbound traffic
- Interface: can be used to restrict only certain traffic on certain interfaces

Preventing Address Spoofing
- Do not allow traffic with an internal IP address as source that comes from the Internet
- Log the dropped packets
- Check out the router configuration guide at http://www.nsa.gov/snac/downloads_all.cfm
- RIPv1 sends updates in cleartext and has no authentication
- RIPv2 has authentication but sends the authentication in cleartext
- Suggestion: use OSPF with MD5 authentication
- Restrict dynamic routing when possible; without this, OSPF may still be vulnerable
- Check out Nemesis (a tool to target OSPF routing) at http://sourceforge.net/projects/nemesis

NSA Security Configuration Guides
http://www.nsa.gov/snac/downloads_all.cfm

Question?
Next week: Transport Layer Security
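The ingress check that rp_filter (Protecting against IP Spoofing) and the "no internal source addresses from the Internet, log the drops" ACL rule (Preventing Address Spoofing) both express, as an added example that is not part of the lecture: a strict reverse-path lookup over a constructed routing table that accepts a packet only if the route back to its source leaves through the interface it arrived on, and logs everything else. The interfaces, prefixes and sample packets are assumptions of this example.

```python
# Added example (not part of the lecture): strict reverse-path filtering, the
# behaviour rp_filter=1 selects, written as a lookup over a constructed routing
# table so the "spoofed internal source from the Internet" case is visible.
import ipaddress

# Constructed routing table: (prefix, interface). eth0 faces the Internet via
# the default route; eth1 and eth2 are internal LANs.
ROUTES = [
    (ipaddress.ip_network("10.10.0.0/16"), "eth1"),
    (ipaddress.ip_network("192.168.50.0/24"), "eth2"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
]

def reverse_path_iface(src: str) -> str:
    """Longest-prefix match: which interface would we use to reach src?"""
    addr = ipaddress.ip_address(src)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def ingress_filter(packets):
    """packets: iterable of (ingress_iface, src, dst). Returns (accepted, log)."""
    accepted, log = [], []
    for iface, src, dst in packets:
        expected = reverse_path_iface(src)
        if expected == iface:
            accepted.append((iface, src, dst))
        else:
            # Drop and log: the source claims an address we would route
            # via a different interface, the lecture's ingress-filter rule.
            log.append(f"DROP iface={iface} src={src} dst={dst} "
                       f"reason=reverse path via {expected}")
    return accepted, log

# Constructed traffic: a genuine internal packet, a genuine Internet packet,
# and a spoof arriving from the Internet with an internal source address.
SAMPLE_PACKETS = [
    ("eth1", "10.10.3.4", "203.0.113.20"),
    ("eth0", "203.0.113.20", "10.10.3.4"),
    ("eth0", "10.10.3.4", "192.168.50.9"),   # spoofed internal source
]
```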