* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Computer Networks
Computer security wikipedia , lookup
Multiprotocol Label Switching wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Network tap wikipedia , lookup
Asynchronous Transfer Mode wikipedia , lookup
List of wireless community networks by region wikipedia , lookup
Computer network wikipedia , lookup
Zero-configuration networking wikipedia , lookup
Internet protocol suite wikipedia , lookup
Airborne Networking wikipedia , lookup
Distributed firewall wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Deep packet inspection wikipedia , lookup
Packet switching wikipedia , lookup
1 Computer Networks and their Vulnerabilities Omar Bashir Communications Enabling Technologies, Software Technology Park, Islamabad, PAKISTAN e-mail: [email protected] Coverage • • • • • • • • • Introduction Protocols Switching Techniques LAN Topologies and Technologies WAN Technologies Internetworking Vulnerabilities Attacking Techniques Preventive Measures 2 Motivation Towards Distributed Computing Information based society. Timely creation, effective management, accurate analysis and efficient communication of information is central to all successful activities. Partitioning, replication, and distribution of application components to achieve reliability, efficiency and flexibility. Efficient, cost effective and flexible means of communications. Convergence of data, voice and video communications. 3 4 Principal Catalysts • • • • • • Packet Switching Multi-megabit/Gigabit Networks Desktop Workstations Teleworking/Remote Working Multimedia Mobile Communications 5 Definitions • Computer Network – An interconnected collection of autonomous computers. • Distributed System – A collection of autonomous computers linked by a network, with software designed to produce an integrated computing facility. KEYWORDS: Interconnection, Autonomy and Integrated Operations 6 Autonomy • Computers or hosts are sources and sinks of data • All computers on a computer network are logically equal • No computer can forcibly start, stop or control another computer • Systems employing master/slave relationships not included in computer networks 7 Interconnection • Physical connection to enable communication Logical Link A Logical Link B • Logical connections established for every session on a computer • Logical connections provide communication services to distributed applications Distributed Systems 8 • Application components executing on diverse platforms on a computer network • Computer networking facilities for distributed applications consist of – hardware components • switches, circuits and interface cards/modules – software components • protocol managers, device drivers • part of platform OS and networking devices • Hardware and software components providing communications for a distributed system are termed as its communications sub-system. Communications in Distributed Systems 9 • Distributed systems constructed to isolate communications sub-system from the application components. • Application components virtually communicate with each other by passing messages of arbitrary lengths. • Physically, application components pass these messages to communications subsystems. • Communications subsystems actually communicate messages as packets of data. Communications in Distributed Systems (Contd) Message Application Component A Communications Subsystem Packet 3 Network Packet 2 Application Component B Communications Subsystem Packet 1 10 Communications in Distributed Systems (Contd) 11 • Syntax and semantics of messages defined by the applications. • Packets structured to achieve efficient communication over the underlying network. • Communications sub-system neither deals with the semantics of the messages nor does it differentiate between different applications on the basis of their messages • Several applications on a single platform share the same communications subsystem. Typical Objectives of Computer Networks • • • • 12 Connectivity Resource Sharing Support for Common Services Performance Viewed differently by application programmers, network designers and network service providers Connectivity • A network consists of nodes and links • Nodes that perform communication related task are termed as Interface Message Processors (IMPs). • Nodes that use network are known as hosts. • Combination of IMPs and links are termed as a subnetworks. • Each node should be addressed uniquely. • Two or more subnetworks can be interconnected to form an internetwork. 13 Connectivity Hosts IMP Subnetwork Interconnection of Subnetworks 14 Switching Techniques 15 Circuit Switching • Physical connection established between terminals before data communication commences. • All resources for a connection (in the terminals and intermediate switches) are reserved even when no data is transferred. • Terminals release connection at the end of the session. • Call establishment and release may be expensive. • Good choice in situations where significant amount of data needs to be transferred at a fixed rate. • Resource utilisation may be inefficient if data transfer is bursty. Circuit Switching 16 Circuit Switching 17 Circuit Switching 18 Switching Techniques 19 Message Switching • No physical channel established in advance between terminals. • Transmitter transmits message to the first switch. • The first switch stores the message, checks it for errors and then forwards it to the next switch towards the destination. Therefore known as store and forward networks. • Large buffers required at switches to store messages. • Large messages may tie up a link between two switches for several minutes. Switching Techniques 20 Packet Switching • Contrary to message switching, tight upper limits placed on transmission block size. • Large messages fragmented into packets at source. • Size and structure of packets chosen to allow efficient communication. • Destination host re-assembles appropriate packets to form messages. • Switches determine route for each packet after examining destination host’s address inserted in the packet by the source computer. • Structure Source Destination Payload Packet Switching 21 C A D B B to A A to C C to D B to C Resource Sharing • On a point to point link between two computers, link capacity is never completely utilised. • Link idle time utilised by connecting more computers on the same point to point link. • Switches connecting computers to the link multiplex data from each source. • Common types of multiplexing – Frequency Division Multiplexing (FDM) – Synchronous Time Division Multiplexing (STDM) – Statistical Multiplexing 22 Resource Sharing 23 Support for Common Services 24 • Computer networks provide the means for a set of application processes distributed over interconnected computers to communicate. • Common services required for applications built once and applications written on top of these services. • Each network connection on a computer may support several logical channels. • Channels provide the required communication services, e.g., reliable delivery, best effort delivery, security, etc. Support for Common Services 25 Typical Issues • Identifying common services. • Locating network services, i.e., hosts or IMPs. • Reusing services for emerging applications. HTTP HTTP FTP FTP 26 Principle of Locality of Reference • Temporal Locality of Reference If a pair of computers communicates once, the pair is likely to communicate again in the near future and then periodically. • Physical Locality of Reference A computer tends to communicate most often with other computers that are nearby. 27 Local Area Networks (LANs) • Networks based on physical network technology designed to span distances up to a few thousand meters. • LANs typically share a common medium or a switch. • Computers on a LAN need to gain control of the medium to be able to transmit. • Data link layer divided into – Logical Link Control (LLC) sublayer. – Medium Access Control (MAC) sublayer. 28 LAN Topologies Ring Star Bus LAN Technologies • Ethernet (IEEE 802.3) – Bus topology, Carrier Sense Multiple Access with Collision Detection (CSMA/CD) MAC, 10/100 Mbps – Physical medium : Thick coaxial, thin coaxial, Unshielded Twisted Pair (UTP), optical fibre. • Token Ring (IEEE 802.5) – Ring topology, Token passing MAC, 4/16 Mbps – Physical medium : Shielded Twisted Pair (STP) • Fibre Distributed Data Interface (FDDI) – Dual counter rotating rings, Token passing MAC, 100 Mbps – Physical medium : Optical fibre 29 Wide Area Networks (WANs) 30 • Networks built over technologies that are capable of spanning large distances. • A typical WAN consists of several interconnected switches. • Switches examine the destination address of each packet and determine an appropriate route on the basis of a routing table maintained in each switch. • Routing tables only maintain enough information to be able to forward a packet to the next hop towards the destination. 31 Packet Switches Packet switches are essentially computers, each with a processor, IO ports and memory Ports to connect to other switches Ports to connect to computers A set of interconnected switches and hosts forms a WAN. Connections between switches need not be symmetric. Packet switching is also known as store and forward switching. Packets switched to the same output port need to be buffered in a queue. 1 2 1 2 Queues 2 1 2 1 WAN Technologies 32 • Integrated Services Digital Network (ISDN) – Circuit switched, designed to integrate voice and nonvoice applications – Data rates • Primary Rate Interface (PRI) - up to 2 Mbps • Basic Rate Interface (BRI) - up to 128 kbps • Frame Relay – Connection-oriented WAN technology. – Bandwidth on demand - A channel can use bandwidth not being used by other channels. – Complexity of the protocol reduced by relying on higher level layers to perform error control. WAN Technologies Asynchronous Transfer Mode (ATM) • Connection oriented technology. • Virtual channels to the same endpoints grouped into virtual paths. Switches in the network core manage paths instead of individual channels. • Uses small, fixed-sized packets known as cells. Cell size fixed to 53 bytes. Reduces the complexity of switches. • Classes of service – Constant Bit Rate (CBR) : emulates a dedicate link. – Variable Bit Rate (VBR) : applications generate variable bit rate traffic – Available Bit Rate (ABR) : bit rate changed on feedback from net – Unspecified Bit Rate (UBR) : best effort cell delivery 33 Network Protocols : Layering 34 • Objectives of networking achieved by dividing the communications subsystem into different layers. Application • A simple model. • A layer provides services to the layer above it and uses services provided by the layer below it. • Advantages – Complexity management – Modularity Channel Management Host to Host Connectivity Communication Hardware Network Protocols Layered Communication • Virtual communication between peer layers. • Physical communication between adjacent layers except at the hardware layer. Application Channel Management Host to Host Connectivity Communication Hardware Application Virtual Communication Channel Management Host to Host Connectivity Physical Communication Communication Hardware • Peer layers communicate using protocols. • Protocols define the syntax, semantics and timing for peer layers. 35 36 Network Protocols : Encapsulation • At the transmitter, – A layer takes data from the upper layer and adds control information for the peer layer. – Control information added as the header. – Header + data passed to lower layer. • At the receiver, – Incoming packets processed in a reverse order. – Lower layer removes and interprets the header to determine the operations to be performed. – Remaining data passed to the upper layer. – Ultimately, original data passed to application. 37 Network Protocols : Encapsulation Application Application Data Data Channel Management CMH Channel Management Data CMH Host to Host Connectivity HCH CMH Data Host to Host Connectivity Data HCH Communication Hardware CMH Data Communication Hardware HCH CMH Data Network Protocols : Multiplexing 38 • Computers in a network identified by a unique address. • Applications executing on a computer identified by a unique identifier. • All applications executing on computers over a network can be uniquely identified by the combination of the computer address and the application identifier. • A combination of computer address and application identifier form one end of a logical channel. A pair required to complete the channel. Network Protocols : Multiplexing Several logical channels exist over one physical link. File Service ID : 106 B+106 Host : B A+217 File Client ID : 217 Web Service ID : 108 Network C+108 A+232 Web Client ID : 232 Host : A 39 Host : C Network Protocols Reliability Issues 40 • Error control. – Typical errors • Bit errors • Packet loss – Control techniques • Error correction • Re-transmission • Data reconstruction in some multimedia applications • Sequencing to preserve order of messages. • Flow control to allow fast hosts to communicate with slow hosts. Connection-oriented Protocols 41 • Virtual circuit established between terminals on a packet switched network. • Virtual circuit ensures reliable delivery of packets, – Lost packets or packets with errors are retransmitted. – Packets sequenced at destination. – Timing constraints applied to reduce jitter. • Types of virtual circuits, – Permanent Virtual Circuits (PVCs): Set up by the network administrator and emulate a leased line. – Switched Virtual Circuits (SVCs): Set up by the user application through a signaling process only for the duration of the session. Also known as a virtual call. • Connection has to be re-established in case of failure Connectionless Protocols 42 • No connection is established before data communication. • Each packet or datagram contains the complete destination address for the switches to determine, with the help of routing tables, its routing. • Network makes best effort to transport the packet to destination, but gives no guarantees. – Packets can be lost – Packets from same source to same destination may follow different paths and arrive out of order. – Packets may be duplicated • Packets routed via alternate routes in case of failure of network elements. 43 ISO OSI Reference Model Host A Application Presentation Host B Open System Interconnection Application Presentation Session Session Transport Transport Network Network Data Link Data Link Physical Subnetwork: One or more nodes Network Network Data Link Data Link Physical Physical Physical 44 ISO OSI Reference Model Layer Implementation Description Application Software Presentation Software Session Software Transport Software, OS Network Software, OS Data Link Firmware Physical Hardware Access to OSI Environment, Distributed Services Managing Differences in Data Representations Managing Sessions Between Cooperating Applications End-to-End Reliable Data Transfer Routing, Switching, Hetrogeniety Management Reliable Communication over a Physical Link Transmission of Un-structured Bit Stream over a Medium Internet Protocol Suite 4 Layer Architecture – Application Layer – Transport Layer Application TCP UDP IP Network Access • Transmission Control Protocol (TCP): Reliable Delivery • User Datagram Protocol (UDP): Best Effort Delivery – Network Layer • Internet Protocol : Connectionless (Best Effort) protocol • Viewed as a Virtual Uniform Network that hides the heterogeneity of underlying networks. – Network Access Layer • Combination of technology specific physical and data link layers, e.g.., Ethernet, Token Ring, Frame Relay, etc. 45 Internet Protocol Suite 46 • Internet Protocol (IP) – Performs packet routing through the network. – 32 bit globally unique addresses, combination of network address and the host address. • Transmission Control Protocol (TCP) – Stream-oriented protocol – Uses timers, acknowledgments and sequence numbers to provide end-to-end reliability • User Datagram Protocol (UDP) – Datagram protocol – Light weight as does not use timers, sequence numbers and acknowledgments TCP and UDP provide 16 bit port numbers to applications 47 Internet Protocol Suite Application TCP UDP IP Ethernet Ethernet Virtual Uniform Network IP Eth IP WAN WAN TR Gateway Gateway Application TCP UDP IP Token Ring Token Ring Internetworking 48 • Internetworking is the interconnection of two or more networks. • Internetwork or internet is an arbitrary collection of networks interconnected to provide host to host packet delivery service. • Internets are logical networks built out of a collection of physically heterogeneous networks. • Typical issues – Heterogeneity: Addressing, flow control, MAC methods – Scale: Routing, addressing, naming, performance Internet Routers 49 • Interconnects networks at the network layer. • Maintains a routing table that determines the next hop for the packet received. • Routing tables may be static or dynamic. • Fragments packets if the subnetwork to which the packet is being forwarded supports smaller packets. • Manages a variable defining the life of a packet and drops the packet if its life expires. • While discarding a packet, a notification should be sent to the source host. Typical Vulnerabilities 50 • Interception – Sniffing – Message assembly and information consumption. – Two basic paradigms, • Sniffer sits on the same shared medium as the transmitter or the receiver of message. • Sniffer sits on a different subnetwork but the messages in the environment being sniffed are relayed to the sniffer. • Denial of Service – Disrupting the services offered by a computing environment. – Consuming the resources of the computing infrastructure by directing false service requests. Interception 51 • Detecting and receiving packets of interest. • Assembling packets of interests into messages. • Determining applications that can process intercepted and assembled messages. • Invoking the respective application and providing them the intercepted messages to derive information. Sniffing via Shared Medium 52 • Computers on local area networks share a common medium. • All messages transmitted via the shared network are received by the network interfaces of all computers on that network. – Generally, the network interfaces reject packets not destined to their host computers. • A computer can be programmed to force its network interface to receive all the packets being communicated on the shared network. – This program can be installed as a virus on an unsuspecting host. 53 Sniffing via Shared Medium A 123 1 2 3 Sniffer C B 1 2 D 12 123 12 Relaying Information to be Sniffed to the Sniffer 54 • Sniffer is not connected directly to the target environment. • The target environment is connected to the Internet via a router. • Router can be (maliciously) programmed to route packets on the target environment towards the sniffer. • Once the sniffed, the intercepted information should be routed back to the intended recipient to avoid suspicion. • May work only for target environments based on segmented LANs. 55 Relaying Information to be Sniffed to the Sniffer Sniffer 123 123 1 2 3 Target Environment 3 1 2 1 2 3 3 2 1 Hacking and Reconfiguring 1 2 3 Typical Issues in Sniffing • Sniffing via shared medium – Installing and configuring the sniffer. – Storing intercepted information. – Relaying intercepted information to interested parties. • Email attachments. • Sniffing remotely – Router configuration. – Relay time • Time to destination via sniffer. 56 Possible Defenses 57 • Sniffing on a shared medium – Host process audit. – Email audit. – Host address audit by sniffing to detect the sniffer. • If a separate sniffer computer is deployed. • Remote Sniffing – Determining delays • Application processing delays related to information transfer. • PInG results. – Trace route Denial of Service (DoS) Attacks 58 • Disruption of a specific set of services offered by a computing infrastructure. – Accomplished by consuming the resources of the computing infrastructure by directing false service requests to the target infrastructure. – Target computing infrastructure exhausts its resources while attempting to service these false requests. – Resource starvation makes servicing of legitimate requests. • Resources generally targeted include – Network bandwidth – Router processing capabilities. – Server disk and memory capacities. Categories of DoS Attacks 59 • Two principle classes – Logic attacks. • Designed to exploit existing flaws in the software to cause the target infrastructure to either crash or provide degraded performance. – Flooding attacks. • Overwhelm the target infrastructure by sending large number of spurious requests. • Lack of capability to distinguish between legitimate and illegitimate requests in flooding. • Logic attacks are more lethal than flooding attacks. – Stealhier – Focus on a particular host or group of hosts. SYN Attack 60 • SYN attacks exploit a shortcoming of the TCP connection establishment procedure. – A TCP connection is established after a three way handshake. • The host initiating a connection (A) request sends a SYN packet. • The host receiving the SYN packet (B) acknowledges ‘A’ with a SYN/ACK packet. • ‘A’ replies to ‘B’ with an ACK packet. • Attacker initiates a connection request with a host but never replies to the SYN/ACK packets. • Target reserves some resources for the connection and maintains them for some time. • Generating SYN packets fast enough causes the target to exhaust its resources in maintaining incomplete connections. 61 TCP Connection Establishment and SYN Attack Client 1. SYN Server 2. SYN/ACK 3. ACK SYN SYN/ACK SYN SYN/ACK SYN SYN/ACK SYN SYN/ACK 2 4 3 1 Ping of Death Attack 62 • Exploits the datagram size limitation of IP – An IP datagram cannot have a size greater than 65535 bytes. • In some operating systems, if an IP datagram larger than 65535 bytes is received, the buffers overflow causing the operating system to behave abnormally. • An attacker need not generate a complete a complete IP datagram of 655356 bytes. – The attacker can generate IP fragments that when assembled at the destination can cause this effect. Flooding Attacks 63 • Flooding attacks mostly concentrate on consuming the bandwidth of the target environment while affecting the resources of the attacking environment as well. • Simple DoS attacks (e.g., packet flooding) are easy to detect. • Identity of the attacker can be determined. • DoS attackers apply IP spoofing to hide their true identities. – Falsifying own identity randomly for every datagram. Example: Flooding Attack 64 Distributed DoS (DDoS) Attack 65 • Multiple attackers concentrating their attack of a single host of group of hosts. • Typically an attacker compromises a set of Internet hosts and installs a small attack process on each. – Slave or zombie attackers. • A master controls the zombies to launch coordinated attacks against the target. – Usually flooding attacks. DDoS (Contd.) 66 • Detection – Traffic between the zombies and master is sporadic and short. – Attack traffic voluminous and can be traced back to the specific zombies. – Inability to detect the master does not eliminate the possibility of further attacks even when the zombies have been detected and eliminated. • Detection can be avoided by generating seemingly valid requests for services from the target. 67 DDoS (Contd.) Master Control Plane Slave Slave Slave Slave Slave Slave Attack Plane Victim Multilevel DDoS 68 • Two levels of slaves used under the master to avoid detection. – Master installs zombies and a smaller set of proxy slaves on a different set of hosts. – Master contacts the proxy slaves to initiate attacks from the slaves. • For slaves, proxies are the masters. • Proxies designed to be simple and short-lived entities. – Can delete themselves from their hosts to avoid detection. – Generally only retransmit commands from the master to the designated slaves. • Master then compromises another set of unsuspecting hosts to install a new set of proxies. 69 Multilevel DDoS Master Proxy Slave Slave Proxy Slave Slave Proxy Slave Slave Slave Victim Slave Slave 70 Distributed Reflector DoS (DRDoS) • DDoS coupled with IP spoofing enables DRDoS attacks. – IP spoofing makes it difficult for the victim to isolate the attack traffic. – Also undermines the potential effectiveness of traceback techniques for locating the source of the spoofed attack traffic. • Once an IP spoofed traffic reaches a server, the reply is sent to the spoofed IP address. DRDoS SYN Attack 71 • Attackers generate SYN requests for a number of hosts on the Internet with IP spoofed packets. – IP spoofed address is the IP address of the real victim. • All the hosts receiving the SYN packets are known as reflectors. – Generate SYN/ACK packets for the victim. • Depending upon the number of reflectors, a huge amount of SYN/ACK traffic will be generated on a single host. DRDoS SYN Attack (Contd.) Master SY N SYN AC K SY N C /A Victim Reflector5 SY N/ /ACK Reflector4 CK N/A SY K N SY SY N /A CK Reflector3 N SY Reflector2 Slave N SY Reflector1 Slave N SY SY N Slave N SY CK A / Reflector6 72 73 Characteristics of DRDoS Attacks • Reflectors do not need to serve as amplifiers. – Amplifiers are reflectors that generate greater volume of traffic than they receive. • Traffic incident on the reflectors may be small enough not to be considered a DoS attack. • As the number of servers on hosts run into millions, involvement of even a few of these to reflect traffic on a target can overwhelm the victim. Preventive Measures for DoS Attacks 74 • To prevent DoS, attack traffic needs to be detected and filtered. • Filtering can be performed on the basis of static rules. – Specifying untrusted hosts and processes, and unwanted packets. • Dynamic filtering requires adaptation of the filtering rules to the traffic patterns. • To prevent DoS, filtering closest to the source considered most effective. – Network ingress filtering to block IP spoofed packets. 210.13.12.132 unreachable 215.130.12.132 reachable 211.102.10.11 210.13.12.132 215.130.12.132 Generic Ingress Filtering 75 I1 Router I2 I3 211.102.10.11 reachable 201.231.1.2 192.168.0.2 LAN 201.231.1.0 Non-spoofed packet Spoof ed packet Firewalls 76 • Firewalls are specially programmed routers deployed between a particular LAN and the rest of the Internet. – Considered to be routers as they interwork two or more networks and forward packets from one to the other. – Considered to be firewalls as they filter packets that flow through them • Deny access of LAN to Internet. • Filtering in reverse direction to prevent LAN users access to specific sites on the Internet. • Cooperative security via network ingress filtering. Firewalls 77 Firewalls 78 • Stateless Packet Filters – Filtering decision is based on every packet separately. – Filtering based on host and process addresses. • Stateful Packet Filters – In addition to addresses, stateful packet filters also examine the fields that specify application or higher level protocols being serviced. – Mistaking a valid packet sequence for a illegitimate sequence is a major issue. • Application Level Firewalls – Examine application payload contents to determine illegitimate requests.