Download Attacker

Data Link Layer Security &
Network Layer Security
Lecture 3
Asst.Prof. Supakorn Kungpisdan, Ph.D.
[email protected]
Roadmap
 Data-link Layer Security
 Network Layer Security
NETE4630: Advanced Network Security and Implementation
2
Task: MAC Address Spoofing
 What is MAC address spoofing?
 What is its purpose?
 Suggest a way to perform an attack using MAC
spoofing
 Explain how it works
NETE4630: Advanced Network Security and Implementation
3
MAC Address Spoofing (cont.)
 Replace a CAM table entry of a known MAC address on
another port
 Cause a switch to send the traffic destined for the port of
the attacked computer to the port at which the attacker is
connected
 Cause service disruption and can be used as an MITM
attack with the attacker sniffing the packets destined to the
attached computer
 Can be blocked only in the switches, if the switches have
facilities for that
NETE4630: Advanced Network Security and Implementation
4
Passive Sniffing
 Passive sniffing involves using a sniffer (Ethereal or TCPdump) to
monitor incoming packets
 Passive sniffing relies on a feature of network cards called
promiscuous mode
 When placed in promiscuous mode, a network card will pass all
packets on to the operating system, rather than just those unicast
or broadcast to the host
 However, passive sniffing does not work well in a switched network
 The attacker can sniff traffic within his/her VLAN
NETE4630: Advanced Network Security and Implementation
5
Active Sniffing
 Active sniffing relies on injecting packets into the network
that causes traffic that should not be sent to your system,
to be sent to your system
 Active sniffing is required to bypass the segmentation that
switches provide
 In wireless networks, passive sniffing involves sending no
packets, and monitoring the packets sent by others.
 Active wireless sniffing involves sending out multiple
network probes to identify APs
NETE4630: Advanced Network Security and Implementation
6
ARP Poisoning
 Performing active sniffing on switches Ethernet
NETE4630: Advanced Network Security and Implementation
7
ARP Poisoning (cont.)
 By spoofing the default gateway’s IP address, all hosts on the
subnet will route through the attacker’s machine
 You have to poison the ARP cache of every host on the subnet
 Better if targeting a single host on the network
 Should not spoof the IP of another client
 To perform ARP poisoning,
 # arp –s <victim IP> <our MAC address> pub
 Alternatively, use Cain and Abel
NETE4630: Advanced Network Security and Implementation
8
Cain and Abel
NETE4630: Advanced Network Security and Implementation
9
ARP Flooding (CAM Table Overflow)
 ARP flooding is another ARP Cache Poisoning technique aimed at
network switches
 Some switches will drop into a hub-like mode when the CAM table is
flooded
 CAM (Content Addressable Memory) is a physical part of a switch
 CAM stores information about MAC addresses available on each
physical port and their associated VLAN parameters
 CAM is a normal memory limited in size
 Can also use WinArpAttacker to perform ARP Flood
NETE4630: Advanced Network Security and Implementation
10
ARP Flooding (cont.)
 In 1999, Ian Vitek created a tool called macof, later integrated in
dsniff, which floods with invalid source MAC addresses (up to
155,000/minute)
 This quickly fills up the CAM table of the switch to which the
computer running this tool is connected, and also the adjacent
switches
 The switch is too busy to enforce its port security and broadcasts all
traffic to every port in the network
 Thus making possible a MITM attack – the attacker can start sniffing
network traffic
NETE4630: Advanced Network Security and Implementation
11
DHCP
NETE4630: Advanced Network Security and Implementation
12
DHCP Starvation Attack
 Consuming the IP address space allocated by a DHCP
server
 An attacker broadcasts a large number of DHCP requests
using spoofed MAC addresses
 The DHCP server will lease its IP addresses one by one to
the attacker until it runs out of available IPs for new,
normal clients
 Leads to DoS
NETE4630: Advanced Network Security and Implementation
13
Rogue DHCP Server
 Set up a rogue DHCP server serving clients with false
details
 E.g. giving them its own IP as default router
 Result in all the traffic passing through the attacker’s computer
 Rogue DHCP server can be set up even without DHCP
starvation attack, as clients accept the first DHCPOFFER
they receive
 Both attacks can be accomplished using gobbler
NETE4630: Advanced Network Security and Implementation
14
Preventing DHCP Attacks
 Using port security that do not allow more than X MAC
addresses on one port
 Rogue DHCP is more difficult to prevent
 “Authentication for DHCP Messages” (RFC3118)
 Some smart and expensive switches have “DHCP snooping”
functions which filters DHCP messages from non-trusted hosts
 It contains database of trusted and untrusted interfaces
NETE4630: Advanced Network Security and Implementation
15
DHCP Snooping
 An untrusted interface is an interface that is configured to receive
messages from outside the network or firewall
 A trusted interface is an interface that is configured to receive only
messages from within the network
 An untrusted message is a message that is received from outside
the network or firewall and that can cause traffic attacks within your
network
NETE4630: Advanced Network Security and Implementation
16
DHCP Snooping Binding Table
 DHCP snooping provides security by filtering untrusted DHCP
messages and by building and maintaining a DHCP snooping binding
table
 DHCP snooping binding table contains :
 MAC address,
 IP address,
 lease time,
 binding type,
 VLAN number, and
 interface information
that corresponds to the local untrusted interfaces of a switch
NETE4630: Advanced Network Security and Implementation
17
DHCP Snooping (cont.)
 DHCP snooping acts like a firewall between untrusted hosts and
DHCP servers. It is used to prevent rogue DHCP server
 If the DHCPOFFER came from an untrusted interface, the switch
shuts down the port
 The switch trusts the interface to which the authorized DHCP server
is connected
NETE4630: Advanced Network Security and Implementation
18
Enabling DHCP Snooping
NETE4630: Advanced Network Security and Implementation
19
Dynamic ARP Inspection
 Dynamic ARP Inspection (DAI) validates ARP packets in a
network based on IP-to-MAC address bindings stored in a trusted
database, the DHCP snooping binding database
 It intercepts, log, and discards ARP packets with invalid IP-to-MAC
address bindings.
 It checks only inbound packets
 The switch performs these activities:
1. Intercepts all ARP requests and responses on untrusted ports
2. Verifies that each of these intercepted packets has a valid IP-to-MAC
address binding before updating the local ARP cache or before
forwarding the packet to the appropriate destination
3. Drops invalid packets
NETE4630: Advanced Network Security and Implementation
20
DAI (cont.)
http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=8
NETE4630: Advanced Network Security and Implementation
21
DAI In Actions
NETE4630: Advanced Network Security and Implementation
22
DAI in DHCP Environment
 DAI relies on the entries in the DHCP snooping binding database to
verify IP-to-MAC address bindings.
 Configure each secure interface as trusted using the ip arp
inspection trust interface configuration command.
 The trusted interfaces bypass the ARP inspection validation checks,
and all other packets are subject to inspection when they arrive on
untrusted interfaces.
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip arp inspection trust
Switch(config)# ip arp inspection vlan 5-10
NETE4630: Advanced Network Security and Implementation
23
DAI in non-DHCP Environment
 In non-DHCP environments, DAI can validate ARP packets
against user-configured ARP access control lists (ACLs) for
hosts with statically configured IP addresses
 If the ARP packet is received on a trusted interface, the switch
forwards the packet without any checks
Switch(config)# arp access-list arpacl
Switch(config-arp-acl)# permit ip host 10.1.1.11 mac
host 0011.0011.0011
Switch(config-arp-acl)# exit
Switch(config)# ip arp inspection filter arpacl vlan 5
Switch(config)# interface GigabitEthernet1/0/2
Switch(config-if)# no ip arp inspection trust
NETE4630: Advanced Network Security and Implementation
24
DAI Steps
1. By default, all interfaces are untrusted
2. The switch does not check ARP packets that it receives
from the other switch in the trusted interface
3. For untrusted interfaces, the switch intercepts all ARP
requests and responses. It verifies that the intercepted
packets have valid IP-to-MAC address bindings before
updating local cache and before forwarding the packet to
the appropriate destination
 Firstly it checks from ARP access control list
 If no such ACL, check from DHCP snooping database
NETE4630: Advanced Network Security and Implementation
25
Routing Games
 One method to ensure that all traffic on a network will pass through
your host is to change the routing table of the host you wish to
monitor
 Sending a fake route advertisement via the RIP, declaring
yourself as the default gateway
 All outbound traffic will pass though your host then go to the real
default gateway
 But may not receive returned traffic unless you can modify the
default gateway’s routing table
NETE4630: Advanced Network Security and Implementation
26
Wireless Active Attacks
 Active wireless attacks encompass spoofing and DoS
attacks
 Spoofing: Use Netstumbler to identify the MAC address of
the victim and modify one’s MAC address to match it
 DoS: sending multiple control packets to a wireless
network
NETE4630: Advanced Network Security and Implementation
27
Network Layer Security
Supakorn Kungpisdan, Ph.D.
[email protected]
Overview
IP Header Length
(IPID)
IP Packet Format
NETE4630: Advanced Network Security and Implementation
29
Overview




IP, ICMP, and Routing protocols
IP is connectionless, subjected to DoS
ICMP can be used by attackers
Routing protocols are subjected to stack attacks
NETE4630: Advanced Network Security and Implementation
30
IP Attacks





Spoofing
Fragmentation
Passive and Active Fingerprinting
Port Scanning
Redirection
NETE4630: Advanced Network Security and Implementation
31
Local Spoofing
 Attacker and victim are on the same subnet
 Attacker begins with sniffing traffic, find key pieces of
information needed to launch an attack
 Session hijacking is another spoofing technique.
 The attack starts at transport layer
NETE4630: Advanced Network Security and Implementation
32
Blind Spoofing
 Attacker is not on the same local subnet as victim
 Many pieces of information needed to be successful are
not available. The key parameters must be guessed
 Most modern OSes use fairly random sequence numbers
making the attack difficult to launch
NETE4630: Advanced Network Security and Implementation
33
Fragmentation
 Fragmentation is required when transmitting packets to
different networks that have different MTUs
 The idea is to send different data streams to each device
NETE4630: Advanced Network Security and Implementation
34
IP Fragmentation
NETE4630: Advanced Network Security and Implementation
35
Evasion Attack
 Evasion attack: sends packets to an IDS and target that will be rejected by the
IDS and accepted by the target. IDS drops and does not check the packet payload
 An attacker sends the first fragment to an IDS that has a fragmentation timeout of
15 s, while target system has a timeout of 30 s
 Attacker waits more than 15 s but less than 30 s before sending the 2nd fragment.
 The IDS discards the second (inc. the first) segment because the timeout reaches
 However, the target system accepts the second fragment (within the timeout)
 Thus, the IDS will not record this attack
#2
#1
#2
30 s
#1
15 s
NETE4630: Advanced Network Security and Implementation
36
Fragmentation Attacks
 Overlapping fragmentation can offer an attacker a means
of slipping packets past an IDS and firewall
 Sending a packet passing a cisco router to a windowsbased system
 If receiving a duplicated packet,
 Cisco router prefers the last fragment, whereas
 Windows prefers the original fragment
NETE4630: Advanced Network Security and Implementation
37
Fragmentation Attacks (cont.)
#1
#2
#1
#2
Attacker modifies #2
And transmits #2 and #3
#3
Windows and router
accepts #1 and #2
#2
#3
Windows keeps
#1
#2
#3
Router keeps
#1
#2
#3
Same size, same offset
NETE4630: Advanced Network Security and Implementation
38
Fragmentation Attacks (cont.)
 An attacker breaks a message into 3 fragments
 He sends fragment 1 and 2 to both router and windows. Both
accepts the fragments
 He then sends fragment 2 and 3. The retransmitted fragment 2 is of
the same size and offset as the original fragment but different
payload
 Windows keeps the original fragment 2 but the router keeps the
retransmitted one
NETE4630: Advanced Network Security and Implementation
39
Teardrop Attack
 Teardrop, targa, NewTear, Nestea Bonk, Boink, TearDrop2, and SynDrop are
some of the tools that can crash machines that have a vulnerability in the IP atack
 There is a fragmentation bug in the IP stack implementation of some old Linux
kernels (2.0), Windows NT, and Windows 95
 Sending malformed packets with fragmentation offset value tweaked so that the
receiving packets overlap
 A reboot solved the problem until the next attack
NETE4630: Advanced Network Security and Implementation
40
Fingerprinting
 Fingerprinting is the act of using peculiarities of IP, TCP, UDP, and
ICMP to determine the operating system
 Not only the OS, but also specific version
 Active VS passive fingerprinting
 Active fingerprinting: sends malformed (or non-RFC-compliant)
packets to the target. Different OSes response to these packets
differently
 Nmap, Xprobe, Scanrand, etc.
NETE4630: Advanced Network Security and Implementation
41
Passive Fingerprinting
 Passive fingerprinting: similar concept, but not injecting traffic into
the network
 Looking at 4 fields
 TTL value
 Don’t Fragment bit (DF)
 Type of Service (TOS)
 Window size
 TTL, DF, and TOS are found in IP header
 Window size is found in TCP header
NETE4630: Advanced Network Security and Implementation
42
Passive Fingerprinting: TTL
 A packet has its TTL reduced each time it is passed though a router
or when it remains in the routers queue too long
 No requirement about the suitable of TTL
 The attacker may assume that the value observed is less than the
original value (no more than 255)
NETE4630: Advanced Network Security and Implementation
43
Passive Fingerprinting: DF and TOS
 DF flag is primary method that systems use to determine
the PMTUD (Path MTU Discovery)
 Many older OSes don’t use this feature
 TOS can be analyzed to determine the OS
 Eventhough it is rarely used on the internet, some developers
will set it into a value other than zero to prevent this fingerprinting
NETE4630: Advanced Network Security and Implementation
44
PMTUD

1.
2.
3.
4.
Path MTU discovery (PMTUD) is a technique in computer networking for
determining the MTU size on the network path between two hosts, usually
with the goal of avoiding IP fragmentation
Path MTU discovery works by setting the DF (Don't Fragment) option bit
in the IP headers of outgoing packets.
Any device along the path whose MTU is smaller than the packet will drop
it, and send back an ICMP Type 3 Code 4 “Destination Unreachable
(Fragmentation Needed and DF was set)" message
The ICMP Type 3 Code 4 message contains its MTU, allowing the source
host to reduce its assumed path MTU appropriately.
The process repeats until the MTU is small enough to traverse the entire
path without fragmentation.
NETE4630: Advanced Network Security and Implementation
45
PMTUD (cont.)
NETE4630: Advanced Network Security and Implementation
46
Passive Fingerprinting: Window Size
 TCP Window specifies the amount of data that can be sent
without having to receive an acknowledgement
 Window size should either be as close as possible to the MTU or
should be some multiple of this value
 Linux 2.0 used a value of 16,384, while version 3 of FreeBSD
used a value of 17,520
 The most up-to-date passive fingerprinting tool is p0f
NETE4630: Advanced Network Security and Implementation
47
Idle Scan: Open Port
NETE4630: Advanced Network Security and Implementation
48
Idle Scan: Close Port
NETE4630: Advanced Network Security and Implementation
49
Idle Scan: Limitations
 The idle host must truly be idle
 Not all OSes use an incrementing IPID
 Some versions of Linux set IPID to zero or generate a random
IPID value
 Several message passes need to be performed to validate
the results
NETE4630: Advanced Network Security and Implementation
50
ICMP Attacks
 ICMP helps with logical errors and diagnostics
 ICMP does not offer authentication
 Thus, ICMP can be used to scan and exploit devices
 Including using ICMP as a backdoor (convert channel),
employing them for echo attacks, to port scan, to redirect traffic,
for OS fingerprinting, and DoS attacks
NETE4630: Advanced Network Security and Implementation
51
Convert Channels
 Convert channels offer attackers a way to have a secure
communications channel by using allowed services
 Convert channels can also work by exploiting flaws or
weaknesses in protocols like ICMP, esp. ping
 ICMP fields used in ping include:
 Type, Code, Identifier, Sequence Number, Optional Data
NETE4630: Advanced Network Security and Implementation
52
ICMP Format
NETE4630: Advanced Network Security and Implementation
53
Convert Channels (cont.)
NETE4630: Advanced Network Security and Implementation
54
Convert Channels (cont.)
NETE4630: Advanced Network Security and Implementation
55
Convert Channels (cont.)
 Some systems like Linux let user add data into the ping
# ping –p 2b2b2b415448300
192.168.123.101
will place the modem hang up string into the ping packet
 Convert channel tools can use ICMP, TCP, or even IGRP.
 Loki, ICMP Backdoor, 007Shell, B0CK
NETE4630: Advanced Network Security and Implementation
56
ICMP Echo Attacks
 Flood target with ping traffic and use up all available
bandwidth
 Smurf exploits ICMP by sending a spoofed ping packet to
the broadcast address and has the source address listed
as the victim
 In 2002, an attacks was launched against core DNS
servers. They had ping enabled
 Results in a large DoS attack that slowed the operation of
primary DNS servers
NETE4630: Advanced Network Security and Implementation
57
Port Scanning
 ICMP can be of great use to an attacker attempting to
discover what ports are open
 ICMP is invaluable since there is no response like with
TCP
 Sending an ICMP packet to a port
 will get no response if the port is open and
 will receive an ICMP type 3 code 3 (Destination Unreachable,
Port Unreachable) packet if the port is closed
NETE4630: Advanced Network Security and Implementation
58
Port Scanning (cont.)
Type 3 (Destination Unreachable)
Code 3 (Port Unreachable)
NETE4630: Advanced Network Security and Implementation
59
ICMP Nuke Attacks
 ICMP Nuke Attack: Using spoofed addresses, an attacker
might disrupt communications between two hosts by
sending “Time Exceeded” (Type 11) or “Destination
Unreachable” (ICMP Type 3) messages to both hosts
 This results in a DoS attack
 Check out ICMP Types and Codes
NETE4630: Advanced Network Security and Implementation
60
ICMP Redirect Attack
 By sending ICMP “redirect” messages, an attacker might force a
router to forward packets destined to one host to the attacker’s IP
address
NETE4630: Advanced Network Security and Implementation
61
Preventing ICMP Redirect Attack
 With Linux, we can force the kernel not to accept redirect
messages for one or all interfaces
root@router# echo 0 >
/proc/sys/net/ipv4/conf/eth0/accept_redirects
NETE4630: Advanced Network Security and Implementation
62
ICMP Flood
 Ping Flood creates a broadcast storm of pings that overwhelm the
target system
 Using Linux, one can flood a host using ping –f.
root@router# ping –f 10.10.10.12 –c 1000
The above command floods the host 10.10.10.12 with 1,000
packets
NETE4630: Advanced Network Security and Implementation
63
Preventing Ping Flood
 Ping flood can be stopped by limiting the number of ICMP
echo-request messages with IPTables:
root@router# iptables –A FORWARD –p icmp –icmptype echo-request –m limit –limit 10/s –j
ACCEPT
root@router# iptables –A FORWARD –p icmp –icmptype echo-request –j DROP
NETE4630: Advanced Network Security and Implementation
64
Ping of Death
 Ping of Death crashed machines by sending ICMP “echo
request” messages in IP packets with larger than the
maximum legal length of 65,535 octets, causing a buffer
overflow to crash the victim’s device (computer, printer,
etc.)
NETE4630: Advanced Network Security and Implementation
65
Routing Protocols Attacks
 Distance-vector and link-state routing protocols are
suffered from attacks especially DoS
 RIP is unauthenticated service; it is vulnerable to DoS
 RIP spoofing works by making fake RIP packets and
sending them to gateways and hosts to change their
routes
 Attacker can also modify the routing information to cause a
redirect through a network, allowing him to sniff passwords
or intercept and change date
NETE4630: Advanced Network Security and Implementation
66
Preventing Address Spoofing
 Do not allow traffic with the internal IP address as source that comes
from the internet
 Log the dropped packets
 Check out router configuration guide at
http://www.nsa.gov/snac/downloads_all.cfm
 RIPv1 sends update in cleartext and no authentication
 RIPv2 has authentication but sends authentication in cleartext
 Suggest to use OSPF with MD5 authentication
 Restrict dynamic routing when possible
 Without this, OSPF may still be vulnerable
 Check out Nemesis (a tool to target OSPF routing) at
http://sourceforge.net/projects/nemesis
NETE4630: Advanced Network Security and Implementation
67
Task
 Research a technique to provide authentication to DHCP
messages e.g. DHCP DISCOVERY and DHCP OFFER
 Have a presentation on June 26, 2011.
 15 minutes per group
NETE4630: Advanced Network Security and Implementation
68
Question?
Next week
OSI Security #3