CS225 – Computer Security
Network Security
slides modified from Zhiyun Qian
History of Network Security
• Initially built for communication between research institutions
  – ARPANET (TCP/IP)
  – First packet sent from UCLA to SRI
• Internet designed without security in mind
  – Including key protocols such as TCP/IP
  – Getting it to work at all was already an amazing job
• Hard to retrofit security into existing protocols
  – Have to remain backward-compatible
  – E.g., TCP/IP is used by every machine now
  – Solutions are often patches, or require an additional layer of indirection
What the Internet looked like in 2005 (figure)
Common network security attacks and their countermeasures
• Packet sniffing and spoofing – Encryption (SSH, SSL/TLS, HTTPS)
• Finding a way into the network – Firewalls
• Denial of Service – Ingress filtering, IDS
Quick overview of TCP/IP
• Network traffic is broken down into "packets" containing information at 4 main layers
  Layer 4: Application
  Layer 3: Transport (TCP)
  Layer 2: Network (IP)
  Layer 1: Link/Physical
• Example: hosting a web server at TCP port 80
TCP/IP network Layers
• Each layer prepends its own header with its own addressing:
  – Transport (TCP/UDP) header: src port, dst port
  – Network (IP) header: src IP, dst IP
  – Link header: src MAC addr, dst MAC addr
IP Layer
• Responsible for end-to-end transmission
• Sends data in individual packets
• Maximum size of a packet is determined by the networks
  – Fragmented if too large
• Unreliable
  – Packets might be lost, corrupted, duplicated, delivered out of order
IP addresses
• 4 bytes (IPv4)
  – e.g. 163.1.125.98
  – Each device normally gets one (or more)
  – In theory there are about 4 billion available
• But…
  – Basically used up today
  – Therefore, 16-byte addresses are now used in IPv6 (still not fully deployed today)
Routing
• How does a device know where to send a packet?
  – All devices need to know what IP addresses are on directly attached networks
  – If the destination is on a local network, send it directly there
• If the destination address isn't local
  – Most non-router devices just send everything to a single local router (gateway)
  – Routers need to know which network corresponds to each possible IP address
Allocation of addresses
• Controlled centrally by ICANN (through IANA and the regional registries)
  – Fairly strict rules on further delegation to avoid wastage
  – Have to demonstrate actual need for them
• Organizations that got in early have bigger allocations than they really need
IP packets
• Source and destination addresses
• Protocol number
  – 1 = ICMP, 6 = TCP, 17 = UDP
• Various options
  – e.g., to control fragmentation
• Time to live (TTL)
  – Prevents routing loops
IP Datagram

 0   4   8       16  19          31
+---+---+-------+---------------+
|Ver|Len|  TOS  | Total Length  |
+---+---+-------+---+-----------+
|Identification |Flg|Frag Offset|
+-------+-------+---+-----------+
|  TTL  | Proto |Header Checksum|
+-------+-------+---------------+
|    Source Internet Address    |
+-------------------------------+
| Destination Internet Address  |
+-------------------------------+
|      Options...       |Padding|
+-----------------------+-------+
|            Data...            |
+-------------------------------+

Field – Purpose
Vers – IP version number
Len – Length of IP header (4-octet units)
TOS – Type of Service
Total Length – Length of entire datagram (octets)
Identification – IP datagram ID (for fragmentation/reassembly)
Flags – Don't fragment / More fragments
Fragment Offset – Position of this fragment in the original datagram
TTL – Time To Live: max # of hops
Protocol – Higher-level protocol (1 = ICMP, 6 = TCP, 17 = UDP)
Header Checksum – Checksum for the IP header only
Source IA – Originator's Internet Address
Dest. IA – Final destination's Internet Address
Options – Source route, time stamp, etc.
Data... – Higher-level protocol data
You just need to know the IP addresses, TTL and protocol #
Problem with IP addresses
• The source address in a packet can be filled in arbitrarily by a host (think of the return address on USPS mail)
  – Lack of authentication of packet sources
  – Many vulnerabilities arise because of this
(Figure: Alice → Bob, "Let's hang out tomorrow night?", IP header SrcIP: Alice, DstIP: Bob. An attacker injects the payload "No, I hate you!" under a forged IP header SrcIP: Bob, DstIP: Alice, and Alice cannot tell it from Bob's genuine reply "Of course!", which also carries SrcIP: Bob, DstIP: Alice.)
UDP
• Thin layer on top of IP (alternative to TCP)
• Adds packet length + checksum
  – Guard against corrupted packets
• Also source and destination ports
  – Ports are used to associate a packet with a specific application at each end
• Still unreliable:
  – Duplication, loss, out-of-orderness possible
UDP datagram

 0               16              31
+---------------+---------------+
|  Source Port  |   Dest Port   |
+---------------+---------------+
|    Length     |   Checksum    |
+---------------+---------------+
|       Application data        |
+-------------------------------+

Field – Purpose
Source Port – 16-bit port number identifying the originating application
Destination Port – 16-bit port number identifying the destination application
Length – Length of UDP datagram (UDP header + data)
Checksum – Checksum of IP pseudo-header, UDP header, and data
Typical applications of UDP
• Where packet loss etc. is better handled by the application than by the network stack
• Where the overhead of setting up a TCP connection isn't wanted
• DNS, VoIP, some games
IP Spoofing against UDP
• Need to guess the port number…
(Figure: Alice → Bob, "Let's hang out tomorrow night?", IP header SrcIP: Alice, DstIP: Bob; UDP header SrcPort: 123, DstPort: 53. The spoofed reply "No, I hate you!" must carry IP header SrcIP: Bob, DstIP: Alice and UDP header SrcPort: 53, DstPort: ???, where ??? is Alice's source port (123), which the attacker has to guess.)
DNS Protocol – Application Layer Protocol
• Mapping between domain names (human readable) and IP addresses
DNS Poisoning Attack
• The attacker can spoof its source IP as the name server's IP
• How can the attacker know when to send the spoofed packet?
TCP
• Reliable, full-duplex, connection-oriented stream delivery
  – The interface presented to the application doesn't require data in individual packets
  – Data is guaranteed to arrive, in the correct order, without duplicates (or the connection will be dropped)
  – Imposes significant overheads
Applications of TCP
• Most things!
  – HTTP, FTP, SMTP…
• Saves the application a lot of work, so it is used unless there's a good reason not to
TCP implementation
• Connections are established using a three-way handshake
• Data is divided up into packets by the operating system
• Packets are numbered, and received packets are acknowledged
• Connections are explicitly closed (or may abnormally terminate)
TCP Packets
• Source + destination ports
• Sequence number
• Acknowledgement number
• Checksum
• Various options
TCP Segment

 0   4      10   16              31
+---------------+---------------+
|  Source Port  |   Dest Port   |
+---------------+---------------+
|        Sequence Number        |
+-------------------------------+
|     Acknowledgment Number     |
+---+-----+-----+---------------+
|Len| Res |Flags|    Window     |
+---+-----+-----+---------------+
|   Checksum    |Urgent Pointer |
+---------------+---------------+
|      Options...       |Padding|
+-----------------------+-------+
|            Data...            |
+-------------------------------+

Field – Purpose
Source Port – Identifies the originating application
Destination Port – Identifies the destination application
Sequence Number – Sequence number of the first octet in the segment
Acknowledgment # – Sequence number of the next expected octet (if ACK flag set)
Len – Length of TCP header in 4-octet units
Flags – TCP flags: SYN, FIN, RST, PSH, ACK, URG
Window – Number of octets beyond the ACK that the sender will accept
Checksum – Checksum of IP pseudo-header + TCP header + data
Urgent Pointer – Pointer to end of "urgent data"
Options – Special TCP options such as MSS and Window Scale
You just need to know port numbers, seq and ack are added
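The three header layouts above (IP datagram, UDP datagram, TCP segment) parsed and checksummed in code, so the "just need to know" fields can be pulled out of real bytes. This is an added example for this page, not code from the slides: the sample packets are constructed inline with made-up 10.0.0.x addresses (Alice:123 → Bob:53 as in the spoofing figures, and a SYN with Seq=123456), and the builder functions exist only to produce them. One check worth knowing: a correct header summed with its own checksum field included comes out to zero.

```python
"""Parse IPv4, UDP and TCP headers and verify their checksums.
Added example, not from the slides; sample packets are constructed inline
(10.0.0.x addresses are assumptions, not captured traffic)."""
import socket
import struct

IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5 of the flags byte


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: complement of the 16-bit one's-complement sum.
    Summing a correct header *including* its checksum field yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, proto: int, length: int) -> bytes:
    """The IP pseudo-header that UDP and TCP checksums also cover."""
    return src + dst + struct.pack("!BBH", 0, proto, length)


def parse_ipv4(pkt: bytes) -> dict:
    """Addresses, TTL, protocol (the fields the slide says you need) plus fragmentation bits."""
    vers_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _hcsum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vers_ihl & 0x0F) * 4                  # header length is given in 4-octet units
    if vers_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "protocol": IP_PROTOS.get(proto, proto),
            "dont_frag": bool(flags_frag & 0x4000), "more_frags": bool(flags_frag & 0x2000),
            "frag_offset": flags_frag & 0x1FFF,
            "header_ok": inet_checksum(pkt[:ihl]) == 0,
            "payload": pkt[ihl:total_len], "_pseudo": (src, dst, proto)}


def parse_udp(ip: dict) -> dict:
    seg = ip["payload"]
    sport, dport, length, csum = struct.unpack("!HHHH", seg[:8])
    src, dst, proto = ip["_pseudo"]
    # an all-zero checksum means "not computed" (allowed for IPv4 UDP); otherwise verify it
    ok = csum == 0 or inet_checksum(pseudo_header(src, dst, proto, length) + seg[:length]) == 0
    return {"sport": sport, "dport": dport, "length": length, "checksum_ok": ok, "data": seg[8:length]}


def parse_tcp(ip: dict) -> dict:
    seg = ip["payload"]
    sport, dport, seq, ack, off, flags, window, _csum, urg = struct.unpack("!HHIIBBHHH", seg[:20])
    data_off = (off >> 4) * 4                    # TCP header length, also in 4-octet units
    src, dst, proto = ip["_pseudo"]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window, "urgent": urg,
            "flags": {n for i, n in enumerate(TCP_FLAGS) if flags >> i & 1},
            "checksum_ok": inet_checksum(pseudo_header(src, dst, proto, len(seg)) + seg) == 0,
            "data": seg[data_off:]}


# --- builders, used only to construct the sample packets below -------------------------
def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_udp(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(data), 0)
    ph = pseudo_header(socket.inet_aton(src), socket.inet_aton(dst), 17, 8 + len(data))
    csum = inet_checksum(ph + hdr + data)
    return hdr[:6] + struct.pack("!H", csum or 0xFFFF) + data   # a computed 0 is sent as 0xFFFF


def build_tcp(src: str, dst: str, sport: int, dport: int, seq: int, ack: int, flags: set, data: bytes = b"") -> bytes:
    bits = sum(1 << i for i, n in enumerate(TCP_FLAGS) if n in flags)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, 65535, 0, 0)
    ph = pseudo_header(socket.inet_aton(src), socket.inet_aton(dst), 6, 20 + len(data))
    csum = inet_checksum(ph + hdr + data)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + data


ALICE, BOB, WEB = "10.0.0.5", "10.0.0.53", "10.0.0.80"   # constructed addresses


def sample_dns_query() -> bytes:
    """Alice:123 -> Bob:53, the UDP exchange drawn on the spoofing slides."""
    return build_ipv4(ALICE, BOB, 17, build_udp(ALICE, BOB, 123, 53, b"constructed DNS query"))


def sample_syn() -> bytes:
    """First segment of the three-way handshake: SYN, Seq=123456, Ack=0."""
    return build_ipv4(ALICE, WEB, 6, build_tcp(ALICE, WEB, 40000, 80, 123456, 0, {"SYN"}))


if __name__ == "__main__":
    ip = parse_ipv4(sample_dns_query())
    print(ip["src"], "->", ip["dst"], ip["protocol"], "ttl", ip["ttl"], "header ok", ip["header_ok"])
    print(parse_udp(ip))
    print(parse_tcp(parse_ipv4(sample_syn())))
```

Flipping one byte of the UDP payload makes `checksum_ok` false while the IP header still verifies, which is the point of the slide's "guard against corrupted packets": the checksum catches corruption, but since anyone can recompute it, it says nothing about who sent the packet.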
TCP: Data transfer (figure: client on the left, host on the right)
1. The client sends Packet 1 and starts a retransmission timer.
2. The packet is lost, so the ACK that would normally arrive never comes.
3. The timer expires; the client retransmits Packet 1 and restarts the timer.
4. The host receives Packet 1 and sends ACK 1.
5. The client receives ACK 1 and cancels the timer.
IP Spoofing against TCP
• Need to guess the port number, sequence number, and acknowledgement number!
(Figure: Alice → Bob, "Let's hang out tomorrow night?", IP header SrcIP: Alice, DstIP: Bob; TCP header SrcPort: 123, DstPort: 53, Seq: 123456, ACK: 67890. The spoofed reply "No, I hate you!" must carry IP header SrcIP: Bob, DstIP: Alice and TCP header SrcPort: 53, DstPort: ???, Seq: ???, ACK: ???.)
Common Threat Models in Networks (targeting confidentiality and integrity)
• Passive eavesdropper – read (and at most insert)
• Man-in-the-middle (MITM) – on the communication path (e.g., a compromised router); arbitrary read/write capability (modify, drop, etc.)
• Off-path attacker – no read capability (but can insert)
Passive Eavesdropper
• Read (at most insert)
• Can an attacker launch a DNS poisoning attack?
IP Spoofing against UDP (review)
• Need to guess the port number…
(Same exchange as before: Alice → Bob query with IP header SrcIP: Alice, DstIP: Bob and UDP header SrcPort: 123, DstPort: 53. The spoofed reply needs SrcIP: Bob, DstIP: Alice, SrcPort: 53 and the right DstPort, which is ??? to anyone who did not see the query.)
Man-in-the-middle (MITM)
• Arbitrary read/write capability (modify, drop, etc.)
• Can an attacker launch a DNS poisoning attack?

Off-Path Attacker
• No read. Can insert.
• Can an attacker launch a DNS poisoning attack?
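The spoofing exchanges above (against UDP, the DNS poisoning variant, and against TCP) and the three attacker positions can be put side by side in one small model, which answers the "can an attacker launch a DNS poisoning attack?" question for each of them. This is an added example, not code from the slides: the victim, attacker and "network" are plain Python objects, the addresses and ports are constructed, and the 16-bit DNS transaction ID that a resolver also matches, together with a fixed TCP receive window, are assumptions the slides do not mention.

```python
"""Toy model of IP spoofing against UDP/DNS and TCP under the three threat models.
Added example (not from the slides).  Assumptions: a 16-bit DNS transaction ID,
a fixed TCP receive window, and the constructed endpoints below."""
import random
from dataclasses import dataclass
from typing import Optional

WINDOW = 65535          # TCP receive window: a spoofed seq anywhere inside it is accepted


@dataclass(frozen=True)
class Expected:
    """What the victim remembers about the conversation and checks on every incoming packet."""
    src_ip: str                   # who the reply must claim to come from (trivially forged)
    dst_port: int                 # the victim's own (ephemeral) port
    txid: Optional[int] = None    # DNS only: transaction ID copied from the query
    seq: Optional[int] = None     # TCP only: next byte the victim expects from the peer
    ack: Optional[int] = None     # TCP only: the peer must acknowledge the victim's own seq


def victim_accepts(exp: Expected, pkt: dict) -> bool:
    """Nothing here authenticates the sender; the checks only test consistency with state."""
    if pkt["src_ip"] != exp.src_ip or pkt["dst_port"] != exp.dst_port:
        return False
    if exp.txid is not None and pkt["txid"] != exp.txid:
        return False
    if exp.seq is not None and not exp.seq <= pkt["seq"] < exp.seq + WINDOW:
        return False
    # toy: exact ACK match; real stacks accept a range, which only makes guessing easier
    if exp.ack is not None and pkt["ack"] != exp.ack:
        return False
    return True


def craft(exp: Expected, attacker: str, rng: random.Random, knows_port: bool = False) -> dict:
    """Eavesdropper and MITM read the real values off the wire; off-path must guess them."""
    pkt = {"src_ip": exp.src_ip, "payload": "No, I hate you!"}   # the IP source is free to forge
    if attacker in ("eavesdropper", "mitm"):
        pkt.update(dst_port=exp.dst_port, txid=exp.txid, seq=exp.seq, ack=exp.ack)
    elif attacker == "off-path":
        pkt["dst_port"] = exp.dst_port if knows_port else rng.randrange(1024, 65536)
        pkt["txid"] = rng.randrange(1 << 16)
        pkt["seq"] = rng.randrange(1 << 32)
        pkt["ack"] = rng.randrange(1 << 32)
    else:
        raise ValueError(attacker)
    return pkt


def success_rate(exp: Expected, attacker: str, trials: int, knows_port: bool = False, seed: int = 0) -> float:
    """Fraction of spoofed packets the victim accepts (the race against the real reply is ignored)."""
    rng = random.Random(seed)
    hits = sum(victim_accepts(exp, craft(exp, attacker, rng, knows_port)) for _ in range(trials))
    return hits / trials


def search_space(exp: Expected, knows_port: bool = False) -> int:
    """Number of distinct guesses an off-path attacker must cover to be sure of one hit."""
    n = 1 if knows_port else 65536 - 1024          # ephemeral port range
    if exp.txid is not None:
        n *= 1 << 16
    if exp.seq is not None:
        n *= (1 << 32) // WINDOW                   # one guess per window-sized slice
    if exp.ack is not None:
        n *= 1 << 32
    return n


# Alice:123 -> Bob:53 (the slides' DNS query) and the TCP Seq/Ack pair from the TCP slide
DNS = Expected(src_ip="Bob", dst_port=123, txid=0xBEEF)
TCP = Expected(src_ip="Bob", dst_port=123, seq=67890, ack=123456 + 1)

if __name__ == "__main__":
    for name, exp in (("DNS/UDP", DNS), ("TCP", TCP)):
        for who in ("eavesdropper", "mitm", "off-path"):
            print(f"{name:8} {who:13} accepted {success_rate(exp, who, 2000):.4f}")
        print(f"{name:8} off-path guesses: {search_space(exp):,} (port known: {search_space(exp, True):,})")
```

The eavesdropper and the MITM succeed every time because they saw the query; their only problem is timing, which is the "when to send" question on the DNS poisoning slide. The off-path attacker, who sees nothing, is reduced to covering the search space, and the numbers show why the TCP slide lists three things to guess rather than one.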
Common network security attacks and their countermeasures
• Packet sniffing and spoofing – Encryption (SSH, SSL/TLS, HTTPS)
• Finding a way into the network – Firewalls
• Denial of Service – Ingress filtering, IDS
Finding a way into the network -- Scanning
(Host discovery output on a local network; the MAC vendor lookups already say what kind of device each host is)
Host 192.168.2.1 appears to be up.
MAC Address: 00:04:E2:34:B6:CE (SMC Networks)
Host 192.168.2.79 appears to be up.
MAC Address: 00:11:11:5B:7A:CD (Intel)
Host 192.168.2.82 appears to be up.
MAC Address: 00:10:5A:0D:F6:D7 (3com)
Host 192.168.2.198 appears to be up.
MAC Address: 00:10:DC:55:89:27 (Micro-star International)
Host 192.168.2.199 appears to be up.
MAC Address: 00:C0:4F:36:33:91 (Dell Computer)
Host 192.168.2.200 appears to be up.
MAC Address: 00:0C:41:22:CC:01 (The Linksys Group)
Host 192.168.2.251 appears to be up.
MAC Address: 00:0F:66:75:3D:75 (Cisco-Linksys)
Does That Matter?
• The number of computers an organization has roughly corresponds to the number of people in it
• How large is your competitor?
• (How many computers does Google have in its data centers? They won't say.)
Does That Matter?
• If they identify a service that has a known vulnerability (e.g., a buffer overflow), they can launch the corresponding exploit
$ nmap -Pn www.cs.ucr.edu

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-17 20:03 UTC
Nmap scan report for www.cs.ucr.edu (169.235.30.15)
Host is up (0.00033s latency).
rDNS record for 169.235.30.15: thoth.cs.ucr.edu
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
5666/tcp open  nrpe
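What the port scan above actually does, reduced to its simplest form: a TCP connect() scan that classifies each port by how the three-way handshake ends. This is an added example, not from the slides or from nmap; so that it runs offline it starts a throwaway listener on 127.0.0.1 (an assumption, as is the port the OS hands it) and scans that plus a port known to be closed.

```python
"""A TCP connect() scan like the nmap run above, aimed at a listener we start
ourselves so the example works offline.  Added example, not from the slides;
the throwaway local service and the ports it picks are assumptions."""
import socket
import threading


def start_dummy_service(host: str = "127.0.0.1"):
    """Bind a listener on an OS-chosen port; accept and immediately close connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))                       # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                   # listener closed by the caller: stop
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_closed_port(host: str = "127.0.0.1") -> int:
    """Ask the OS for a free port and release it again, so it is (almost surely) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """'open' if the three-way handshake completes; 'closed' if the host answers with RST
    (connection refused); 'filtered' if nothing comes back at all, which usually means a
    firewall dropped the SYN.  Only the last case hides what is really listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:                       # timeout or unreachable
            return "filtered"


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Scan each port in turn (nmap does this in parallel and adds service guesses)."""
    return {p: probe(host, p, timeout) for p in ports}


def run_demo():
    """Start the dummy service, scan it plus a known-closed port, and shut it down."""
    srv, open_port = start_dummy_service()
    closed_port = reserve_closed_port()
    try:
        results = connect_scan("127.0.0.1", sorted({open_port, closed_port}))
    finally:
        srv.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    results, open_port, closed_port = run_demo()
    for port in sorted(results):
        print(f"{port}/tcp {results[port]}")
```

A connect() scan completes the handshake, so the target's service logs see a full connection; nmap's default SYN scan sends only the SYN (it needs raw sockets) and never finishes the handshake, which is quieter. The "filtered" verdict is the one a firewall produces, and it is why the "Not shown: 996 closed ports" line above is informative: the scanner got an explicit RST for each of them.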
Firewalls
• Basic problem: many network applications and protocols have security problems that are fixed over time
  – Difficult for users to keep up with changes and keep hosts secure
• Solution
  – Administrators limit access to end hosts by using a firewall
  – The firewall is kept up-to-date by administrators
Firewalls
• A firewall is like a castle with a drawbridge
  – Only one point of access into the network
  – This can be good or bad
• Can be hardware or software
  – Ex. Some routers come with firewall functionality
  – ipfw, ipchains, pf on Unix systems; Windows XP and Mac OS X have built-in firewalls
Firewalls
• Used to filter packets based on a combination of features
  – These are called packet-filtering firewalls
  – There are other types too, but they will not be discussed
  – Ex. Drop packets with a destination port of 23 (Telnet)
  – Can use any combination of IP/UDP/TCP header information
• But why don't we just turn Telnet off?
Firewalls
• Here is what a computer with a default Windows install looks like:
  – 135/tcp open loc-srv
  – 139/tcp open netbios-ssn
  – 445/tcp open microsoft-ds
  – 1025/tcp open NFS-or-IIS
  – 3389/tcp open ms-term-serv
  – 5000/tcp open UPnP
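A packet-filtering firewall of the kind the last three slides describe, written out so the "any combination of IP/UDP/TCP header information" claim is concrete: first matching rule wins, anything unmentioned is dropped. This is an added example, not from the slides or any real firewall: the rule set, the 10.0.0.0/24 "inside" network, the admin host 10.0.0.9, the outside address 198.51.100.7 and the sample packets are all constructed. The sample packets include the default Windows ports listed above, which no rule mentions.

```python
"""First-match packet-filtering firewall over IP/UDP/TCP header fields, default deny.
Added example, not from the slides.  The rules, the inside network 10.0.0.0/24, the
admin host 10.0.0.9 and every sample packet are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset({"SYN"})   # TCP flags; a bare SYN is a new connection


@dataclass(frozen=True)
class Rule:
    action: str                             # "allow" or "drop"
    proto: Optional[str] = None             # None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None             # None matches any port
    established: bool = False               # match only ACK-without-SYN, i.e. "replies"

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or ("ACK" in p.flags and "SYN" not in p.flags)))


def filter_packet(rules, p: Packet, default: str = "drop") -> str:
    """First matching rule wins; anything no rule mentions gets the default (deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


INSIDE = "10.0.0.0/24"
RULES = [
    Rule("drop", "tcp", dport=23),                                    # slide's example: no Telnet
    Rule("allow", "tcp", src="10.0.0.9/32", dst=INSIDE, dport=3389),  # RDP only from the admin host
    Rule("drop", "tcp", dst=INSIDE, dport=3389),
    Rule("allow", "tcp", dst=INSIDE, dport=80),                       # public web server
    Rule("allow", "tcp", dst=INSIDE, dport=22),
    Rule("allow", "udp", dst="10.0.0.53/32", dport=53),               # only the name server gets DNS
    Rule("allow", "tcp", dst=INSIDE, established=True),               # stateless "replies are fine" rule
]

OUTSIDE = "198.51.100.7"
SAMPLES = {
    "telnet from outside":   Packet(OUTSIDE, "10.0.0.10", "tcp", 40000, 23),
    "rdp from admin":        Packet("10.0.0.9", "10.0.0.10", "tcp", 40001, 3389),
    "rdp from outside":      Packet(OUTSIDE, "10.0.0.10", "tcp", 40002, 3389),
    "smb from outside":      Packet(OUTSIDE, "10.0.0.10", "tcp", 40003, 445),   # default Windows port, no rule
    "http to web server":    Packet(OUTSIDE, "10.0.0.80", "tcp", 40004, 80),
    "dns to name server":    Packet(OUTSIDE, "10.0.0.53", "udp", 40005, 53),
    "dns to a workstation":  Packet(OUTSIDE, "10.0.0.10", "udp", 40005, 53),
    "ack-only probe to smb": Packet(OUTSIDE, "10.0.0.10", "tcp", 40006, 445, frozenset({"ACK"})),
}


def run_all() -> dict:
    return {name: filter_packet(RULES, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{verdict:5}  {name}")
```

The last rule is the classic stateless way of letting replies to inside-initiated connections back in, and the last sample packet shows its cost: an ACK-only probe to any inside port passes, because a stateless filter cannot know whether a connection was ever opened. Tracking that (a stateful TCP policy, as in the firewall slides later in this deck) closes the hole, at the price of holding per-connection state.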
Common network security attacks and their countermeasures
• Packet sniffing and spoofing – Encryption (SSH, SSL/TLS, HTTPS)
• Finding a way into the network – Firewalls
• Denial of Service – Ingress filtering, IDS
Denial of Service
• Purpose: make a network service unusable, usually by overloading the server or the network
• Many different kinds of DoS attacks
  – SYN flooding
  – SMURF
  – Distributed attacks
TCP Three-way handshake
1. Client → Server: SYN, Seq=X, Ack=0 (client remembers X)
2. Server → Client: SYN-ACK, Seq=Y, Ack=X+1 (server remembers Y; client checks Ack=X+1)
3. Client → Server: ACK, Seq=X+1, Ack=Y+1 (server checks Ack=Y+1)
Denial of Service
• SYN flooding attack
• Send SYN packets with a bogus source address
  – Why?
• The server responds with SYN-ACK and keeps state about the TCP half-open connection
  – Eventually, server memory is exhausted with this state
Denial of Service
• SMURF
  – The source IP address of a broadcast ping is forged
  – A large number of machines respond back to the victim, overloading it
(Figure: the perpetrator sends an ICMP echo request with the spoofed source address of the victim to an IP broadcast address across the Internet; every host on that network sends its ICMP echo reply to the victim.)
State Holding Attack
(Figure: Attacker – Firewall – Inside; assume a stateful TCP policy on the firewall)
1. SYN flood: the attacker sends Syn, Syn, Syn... through the firewall
2. Exhaust resources: each SYN costs the firewall a connection-state entry, and the table fills up
3. Sneak packet: once the table is full, the attacker's packet gets through
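The three-way handshake, the SYN flood that exhausts the server's half-open state, and the state-holding attack on a stateful firewall, all run through one small model. This is an added example, not code from the slides: the table sizes, the 10.0.0.x and 198.51.100.x addresses, the firewall's fail-open policy and the SYN-cookie server (a standard defence that the slides do not cover, included here as the contrast) are assumptions, and the flood is simulated in memory, not sent anywhere.

```python
"""Three-way handshake with server-side state, the SYN flood that exhausts it, and a
stateful firewall whose full table either fails closed or fails open (state-holding attack).
Added example, not from the slides.  Table sizes, addresses, the fail-open policy and the
SYN-cookie variant are assumptions, not measurements of any real system."""
import hashlib
import hmac
import random
from dataclasses import dataclass

M32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: frozenset


def syn(src, sport, dst, dport, x):
    return Seg(src, sport, dst, dport, x, 0, frozenset({"SYN"}))


class Server:
    """Remembers (X, Y) per half-open connection until the ACK with Ack = Y+1 arrives."""

    def __init__(self, capacity, seed=1):
        self.capacity, self.half_open, self.established = capacity, {}, set()
        self.rng = random.Random(seed)

    def held(self):
        return len(self.half_open)

    def receive(self, s):
        key = (s.src, s.sport)
        if s.flags == {"SYN"}:
            if len(self.half_open) >= self.capacity:
                return None                           # table full: SYN dropped, service denied
            y = self.rng.randrange(1 << 32)
            self.half_open[key] = (s.seq, y)          # the state a SYN flood piles up
            return Seg(s.dst, s.dport, s.src, s.sport, y, (s.seq + 1) & M32, frozenset({"SYN", "ACK"}))
        if s.flags == {"ACK"} and key in self.half_open:
            x, y = self.half_open[key]
            if s.seq == (x + 1) & M32 and s.ack == (y + 1) & M32:   # "checks Ack = Y+1"
                del self.half_open[key]
                self.established.add(key)
                return "ESTABLISHED"
        return None


class CookieServer(Server):
    """SYN cookies: Y is a MAC over the 4-tuple and X, so nothing is stored until the final
    ACK proves the client really received the SYN-ACK at that source address."""
    SECRET = b"constructed-secret"

    def cookie(self, src, sport, dst, dport, x):
        msg = f"{src}:{sport}>{dst}:{dport}:{x}".encode()
        return int.from_bytes(hmac.new(self.SECRET, msg, hashlib.sha256).digest()[:4], "big")

    def receive(self, s):
        if s.flags == {"SYN"}:
            y = self.cookie(s.src, s.sport, s.dst, s.dport, s.seq)
            return Seg(s.dst, s.dport, s.src, s.sport, y, (s.seq + 1) & M32, frozenset({"SYN", "ACK"}))
        if s.flags == {"ACK"}:
            x = (s.seq - 1) & M32                     # the client's X is recoverable from its ACK
            if s.ack == (self.cookie(s.src, s.sport, s.dst, s.dport, x) + 1) & M32:
                self.established.add((s.src, s.sport))
                return "ESTABLISHED"
        return None


def handshake(server, src, sport, dst="10.0.0.80", dport=80, x=123456):
    """A genuine client: SYN, check Ack = X+1 on the SYN-ACK, then ACK with Ack = Y+1."""
    synack = server.receive(syn(src, sport, dst, dport, x))
    if synack is None:
        return "REFUSED"
    assert synack.ack == (x + 1) & M32
    return server.receive(Seg(src, sport, dst, dport, (x + 1) & M32, (synack.seq + 1) & M32, frozenset({"ACK"})))


def syn_flood(target, n, seed=7):
    """SYNs with bogus sources: the SYN-ACKs go to hosts that never asked, so no ACK ever returns."""
    rng = random.Random(seed)
    for _ in range(n):
        target.receive(syn(f"198.51.100.{rng.randrange(1, 255)}", rng.randrange(1024, 65536),
                           "10.0.0.80", 80, rng.randrange(1 << 32)))
    return target.held()


class StatefulFirewall:
    """Stateful TCP policy: an inbound SYN to the public web server creates an entry, and later
    packets of that connection pass.  When the table is full the implementation's policy decides:
    fail closed (drop anything new, including legitimate clients) or fail open (pass unchecked)."""

    def __init__(self, capacity, fail_open):
        self.capacity, self.fail_open, self.table = capacity, fail_open, set()

    def held(self):
        return len(self.table)

    def receive(self, s):
        key = (s.src, s.sport, s.dst, s.dport)
        if key in self.table:
            return "PASS"                                    # belongs to a tracked connection
        if len(self.table) >= self.capacity:
            return "PASS" if self.fail_open else "DROP"      # 2. resources exhausted
        if s.flags == {"SYN"} and s.dport == 80:             # policy: new connections only to the web server
            self.table.add(key)
            return "PASS"
        return "DROP"


SNEAK = Seg("198.51.100.99", 4444, "10.0.0.10", 3389, 1, 0, frozenset({"SYN"}))   # 3. not web traffic at all


def state_holding_attack(fw, n):
    """1. SYN-flood the firewall, then 3. try the packet the policy would normally drop."""
    syn_flood(fw, n)
    return fw.receive(SNEAK)


if __name__ == "__main__":
    srv = Server(capacity=100)
    print("server: half-open after flood", syn_flood(srv, 500), "| legit client", handshake(srv, "10.0.0.5", 40000))
    ck = CookieServer(capacity=100)
    print("cookies: state after flood", syn_flood(ck, 500), "| legit client", handshake(ck, "10.0.0.5", 40000))
    for fail_open in (False, True):
        print(f"firewall fail_open={fail_open}: sneak packet", state_holding_attack(StatefulFirewall(50, fail_open), 200))
```

Two things to read off the output: the bogus source addresses are what make the flood cheap (no ACK ever comes back, so the entries never clear, and the attacker is not where the SYN-ACKs go), which is why ingress filtering of spoofed sources is listed as a countermeasure; and a stateful device under the same flood is no better off than the server unless it can shed state, and "fail open" turns a denial-of-service condition into a bypass.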