Network Defense COEN 250

Slide 1: Network Defense COEN 250

Slide 2: Network Protocols: Layering
- Complexity of networking leads to layered architectures.
- The TCP/IP stack has four levels; OSI has seven.

Slide 3: Network Protocols: Layering
(figure)

Slide 4: Each layer adds a header.
(figure: Application, TCP, IP, Link)

Slide 5: Data Link Layer
- Sits on top of the physical layer, which provides:
  - Hardware specification
  - Encoding and signaling
  - Data transmission and reception
  - Topology and physical network design
- Example Data Link Layers: Ethernet, Token Ring, FDDI, Wi-Fi (802.11)
- Divided into two sublayers: Logical Link Control and Media Access Control (MAC)

Slide 6: Link Layer Address Resolution
- Network Interface Cards (NIC) carry a unique Medium Access Control (MAC) number.
  - Now typically changeable, to accommodate device changes when authentication is done through the MAC address.
- Format: 48 bits, written as twelve hex digits. The first six identify the vendor, the last six are the serial number.
- NICs either select frames based on MAC address or are in promiscuous mode (capture every packet).

Slide 7: Link Layer Address Resolution
- Address Resolution Protocol (ARP) resolves IP addresses to MAC addresses. RFC 826.

Slide 8: Link Layer: ARP Resolution Protocol
- Assume node A with IP address 10.10.10.100 and MAC 00:01:02:03:04:05 wants to talk to IP address 10.10.10.101.
- A sends out a broadcast who-has request:
    00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42 who-has 10.10.10.101
- All devices on the link capture the packet and pass it to the IP layer.
- 10.10.10.101 is the only one to answer:
    a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply 10.10.10.101 is-at a0:a0:a0:a0:a0:a0
- A caches the value in its ARP cache.

Slide 9: Link Layer: ARP Resolution Protocol
- ARP requests: (figure)

Slide 10: Link Layer: ARP Resolution Protocol
(figure)

Slide 11: Link Layer Intrusion Detection
- Network monitoring tools such as Argus or Ethereal log MAC addresses.

Slide 12: Link Layer Forensics
- Example: A spike in network traffic comes from a computer with a certain IP address.
- However, Argus logs reveal that the traffic comes from a computer with a different MAC than the computer assigned that IP. (Spoofing)
- Finally, intrusion response finds the computer with that MAC: a Linux laptop that has been compromised and is used for a Denial of Service attack.

Slide 13: Link Layer Intrusion Detection
- The ARP cache can be viewed on Windows NT/2000/XP with the command arp -a

Slide 14: Link Layer Intrusion Detection
- Some organizations log ARP information.
- Routers keep ARP tables: show ip arp
- All hosts keep ARP tables.
- DHCP often assigns addresses only to computers with known MACs.

Slide 15: Link Layer Intrusion Detection
- An employee received harassing e-mail from a host on the employer's network with IP address 192.168.1.65.
- The DHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c. This MAC belonged to a network printer.
- The router's ARP table showed that the IP address 192.168.1.65 was used by a computer with MAC 00:30:65:4b:2a:5c. (IP spoofing)
- Although this MAC was not on the organization's list, there were only a few Apple computers on the network and the culprit was soon found.

Slide 16: Link Layer Intrusion Detection
- Analyze and filter log files:
  - Keyword searches, e.g. for USER, PASS, login; nicknames, channel names
  - Filters
  - Reconstruction, e.g. contents of a web-mail inbox.
Slide 17: Link Layer Intrusion Detection
- NetIntercept screenshot: an example of a commercial Network Forensics / Network Intrusion Detection tool that reveals link layer evidence.

Slide 18: ARP Package (RFC 826)
- Byte offsets in the ARP package:
    0-1:   Hardware type (0x0001 Ethernet)
    2-3:   Protocol type (0x0800 IP)
    4:     Number of bytes in hardware address (6 for MAC)
    5:     Number of bytes in protocol address (4 for IP)
    6-7:   Opcode: 1 for ARP request, 2 for ARP reply
    8-13:  Source MAC
    14-17: Source IP
    18-23: Target MAC
    24-27: Target IP

Slide 19: ARP Package
- Ethereal disassembly of an ARP package (figure)

Slide 20: Monitoring Tools
- Arpwatch monitors ethernet activity and keeps a database of ethernet/IP address pairings.

Slide 21: Attacks on ARP
- Package generators for various OS allow an attacker to subvert a chosen protocol:
  - hping2 for Windows
  - *NIX, X Windows: packit (http://sourceforge.net/projects/packitgui/)
  - IP Sorcery
  - and many, many more
- Used to create arbitrary packages.

Slide 22: Attacks on ARP: Switch Flooding
- Switches contain a switch address table, which associates ports with MAC addresses.
- Switch flooding creates many false entries.
- Switches fail in two different modes:
  - Fail open: the switch converts into a hub. This allows traffic through the switch to be monitored from any port.
  - Fail closed: the switch stops functioning. Denial of Service (DoS) attack.

Slide 23: Attacks on ARP: ARP Poisoning
(figure: victim, attacker, switch, router, outside world)

Slide 24: Attacks on ARP: ARP Poisoning
- Attacker configures IP forwarding to send packets to the default router for the LAN.

Slide 25: Attacks on ARP: ARP Poisoning
- Attacker sends a fake ARP to remap the default router's IP address to his MAC address.

Slide 26: Attacks on ARP: ARP Poisoning
- The switch now takes packets from the victim and forwards them to the attacker.
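As an added example (not part of the lecture deck), a Python decoder for the 28-byte ARP body laid out on Slide 18, feeding a minimal arpwatch-style pairing database in the spirit of Slide 20 that reports the kind of remapping the ARP poisoning slides describe. The addresses of node A and 10.10.10.101 are those of Slide 8; the router IP 10.10.10.1 and the other two MACs are constructed.

```python
"""Parse RFC 826 ARP packets with the byte layout from the slides and keep an
arpwatch-style database of IP/MAC pairings, flagging changed pairings.

Added example, not from the lecture deck. Sample packets are constructed from
the addresses on the ARP slide (node A 10.10.10.100 at 00:01:02:03:04:05,
node 10.10.10.101 at a0:a0:a0:a0:a0:a0); the router 10.10.10.1, its MAC
00:aa:bb:cc:dd:ee and the impostor MAC de:ad:be:ef:00:01 are placeholders.
"""
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FORMAT = "!HHBBH6s4s6s4s"          # offsets 0-27 exactly as listed on the slide
ARP_LEN = struct.calcsize(ARP_FORMAT)  # 28 bytes


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(pkt: bytes) -> dict:
    """Decode the 28-byte ARP body; raise ValueError on a malformed packet."""
    if len(pkt) < ARP_LEN:
        raise ValueError(f"ARP body too short: {len(pkt)} bytes")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(
        ARP_FORMAT, pkt[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (0x0001, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unexpected opcode {op}")
    return {"op": op, "smac": mac_str(smac), "sip": str(IPv4Address(sip)),
            "tmac": mac_str(tmac), "tip": str(IPv4Address(tip))}


def build_arp(op, smac, sip, tmac, tip) -> bytes:
    """Construct an ARP body (used here only to make the sample traffic)."""
    return struct.pack(ARP_FORMAT, 0x0001, 0x0800, 6, 4, op,
                       bytes.fromhex(smac.replace(":", "")), IPv4Address(sip).packed,
                       bytes.fromhex(tmac.replace(":", "")), IPv4Address(tip).packed)


class ArpWatch:
    """Track sender IP -> MAC pairings and report new or changed pairs."""

    def __init__(self):
        self.db = {}       # ip -> MAC currently believed to own it
        self.alerts = []

    def observe(self, pkt: bytes) -> None:
        arp = parse_arp(pkt)
        # Requests and replies both carry a sender pairing that other hosts may cache.
        ip, mac = arp["sip"], arp["smac"]
        if ip == "0.0.0.0":              # probe with no binding yet: nothing to learn
            return
        if mac == "ff:ff:ff:ff:ff:ff":
            self.alerts.append(f"broadcast MAC claimed as sender for {ip}")
            return
        old = self.db.get(ip)
        if old is None:
            self.alerts.append(f"new station {ip} at {mac}")
        elif old != mac:
            kind = "reply" if arp["op"] == ARP_REPLY else "request"
            self.alerts.append(f"changed ethernet address {ip} {old} -> {mac} (via {kind})")
        self.db[ip] = mac


def demo() -> ArpWatch:
    """Replay the slide's who-has / is-at exchange, the router announcing
    itself, and then a constructed reply remapping the router's IP."""
    w = ArpWatch()
    w.observe(build_arp(ARP_REQUEST, "00:01:02:03:04:05", "10.10.10.100",
                        "00:00:00:00:00:00", "10.10.10.101"))
    w.observe(build_arp(ARP_REPLY, "a0:a0:a0:a0:a0:a0", "10.10.10.101",
                        "00:01:02:03:04:05", "10.10.10.100"))
    w.observe(build_arp(ARP_REPLY, "00:aa:bb:cc:dd:ee", "10.10.10.1",
                        "00:01:02:03:04:05", "10.10.10.100"))
    # Constructed poisoning reply: a different MAC now claims the router's IP.
    w.observe(build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "10.10.10.1",
                        "00:01:02:03:04:05", "10.10.10.100"))
    return w


if __name__ == "__main__":
    for line in demo().alerts:
        print(line)
```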
Slide 27: Attacks on ARP: ARP Poisoning
- The attacker's machine intercepts the message for sniffing and sends it back to the switch with the MAC address of the router.

Slide 28: Attacks on ARP
- http://www.watchguard.com/

Slide 29: RARP
- RARP (Reverse Address Resolution Protocol) is used to allow diskless systems to obtain a static IP address.
- The system requests an IP address from another machine (with its MAC address).
- The responder either uses DNS with name-to-Ethernet address or looks up a MAC-to-IP ARP table.
- The administrator needs to place the table in a gateway.
- The RARP daemon (RARP-d) responds to RARP requests.

Slide 30: RARP
- RARP vulnerability: use RARP together with ARP spoofing to request an IP address and take part in communications over the network.

Slide 31: RARP Package
- Package format as in ARP:
    0-1:   Hardware type (0x0001 Ethernet)
    2-3:   Protocol type (0x0800 IP)
    4:     Number of bytes in hardware address (6 for MAC)
    5:     Number of bytes in protocol address (4 for IP)
    6-7:   Opcode: 1 for ARP request, 2 for ARP reply
    8-13:  Source MAC
    14-17: Source IP
    18-23: Target MAC
    24-27: Target IP

Slide 32: IP
- Uses IP addresses of source and destination.
- IP datagrams are moved from hop to hop.
- Best effort service. Corrupted datagrams are detected and dropped.

Slide 33: IP
- Addresses contain IP address and port number.
- IPv4 addresses are 32 bits long; IPv6 addresses are 8*16 bits long.

Slide 34: DHCP
- Dynamic Host Configuration Protocol evolved from the TCP/IP Boot Protocol BOOTP.
- Solves the problem of diskless workstations. Boot process: first obtain an IP address, then download the OS etc.
- The BOOTP client sends a broadcast to UDP port 67 (BOOTREQUEST); the BOOTP server listens on that port.
- The server replies to the client either by using the client's hardware address to create an ARP entry, or by broadcast.
- The client downloads the OS (using e.g. TFTP).

Slide 35: DHCP
- Assigns addresses:
  - Manual allocation (just as BOOTP): single point of administration.
  - Automatic allocation: DHCP assigns an address to a given device automatically from a pool of addresses.
  - Dynamic allocation: DHCP assigns an address from a pool of addresses for the length of a lease.
- Addresses are reused and shared. Clients need to renew a lease periodically.
- If clients are rebooting but still have an active lease, they reconfirm their lease during reboot.
- If renewal fails, clients will rebind to any active DHCP server.
- Clients can release a DHCP-assigned IP address.

Slide 36: DHCP Attacks
- Denial of Service: the attacker sends DHCP requests, using up all IP addresses in the pool. The attacker uses random MAC addresses.
- Switches can limit the number of MAC addresses used on a given link and prevent this attack.

Slide 37: DHCP Attacks
- Man in the Middle Attack: Default Gateway
- The attacker assigns DHCP addresses, either by disabling the DHCP server and then operating his own DHCP server, or by running a faster DHCP server.
- The attacker specifies itself as default gateway and redirects traffic from the victim through itself.

Slide 38: DHCP Attacks
- Man in the Middle Attack: DNS Redirection
- The attacker assigns DHCP addresses and specifies itself as the DNS server.
- The attacker only redirects traffic to selected IP addresses: banking, shopping, ...

Slide 39: IP: ICMP
- Internet Control Message Protocol: created to deal with non-transient problems. For example:
  - Fragmentation is necessary, but the No Frag flag is set.
  - A UDP datagram is sent to a non-listening port.
  - Ping. Used to detect network connectivity before it became too useful for attack reconnaissance.
- Does not use ports. Allows broadcasting.
- More on ICMP later.

Slide 40: IP: ICMP
- ICMP error messages should not be sent:
  - For any but the first fragment.
  - For a source address that is a broadcast or loopback address. (Such packets are probably malicious, anyway.)
  - Otherwise, ICMP messages could proliferate and throttle a network.

Slide 41: IP: ICMP
- ICMP errors are not sent:
  - In response to an ICMP error message. Otherwise, craft a message with invalid UDP source and destination port, then watch the ICMP ping-pong.
  - To a destination broadcast address. Don't answer with destination unreachable for a broadcast; otherwise, this makes it trivial to scan a network.

Slide 42: Transport Layer: TCP and UDP
- Transmission Control Protocol (TCP): reliable, connection-oriented, slow.
- User Datagram Protocol (UDP): unreliable, connectionless, fast.

Slide 43: TCP
- Only supports unicasting.
- Full duplex connection.
- Message numbers to prevent loss of messages.

Slide 44: TCP: Three Way Handshake
- Initiator to responder: Syn s
- Responder to initiator: Ack s, Syn t
- Initiator to responder: Ack t
- Sets up two connections with initial message numbers s and t.

Slide 45: TCP: Three Way Handshake
    20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 (DF)
    20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 (DF)
    20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)
- Sequence number; flag; window: number of bytes accepted.

Slide 46: TCP: Terminating Connections
- Graceful shutdown:
  - Party 1 to Party 2: Fin
  - Party 2 to Party 1: Ack
  - Party 2 to Party 1: Fin
  - Party 1 to Party 2: Ack
- Abrupt shutdown:
  - Party 1 to Party 2: Res

Slide 47: TCP: Shutting down a connection
    20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
    20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
    20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
    20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
    20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)
    20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)
    20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)
    20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)

Slide 48: TCP Exchanging Data
- Each packet has a sequence number (one for each direction).
- Initial sequence numbers are created during the initial three way handshake.
- NMap uses the creation of these sequence numbers to determine the OS. OSs are now much better, with truly random sequence numbers.

Slide 49: TCP Exchanging Data
- The party that receives a packet sends an acknowledgement.
- The acknowledgement consists of the Ack flag and the sequence number of the next package to be expected. (TCPDump shows the number of bytes acknowledged.)

Slide 50: TCP Exchanging Data
- If a package is lost, then the ack sequence number will not change: duplicate acknowledgement.
- Depending on settings, the sender will resend after at most three stationary ack numbers.
- Also, senders resend after a timeout.

Slide 51: TCP Exchanging Data
    20:48:45.087563 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 4 win 16959 (DF)
    20:48:45.087583 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 3:4(1) ack 4 win 16959 (DF)
    20:48:45.096443 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 4:5(1) ack 4 win 32768 (DF)
    20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
    20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
    20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
    20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)

Slide 52: TCP flags
- Part of the TCP header:
  - F: FIN - Finish; end of session
  - S: SYN - Synchronize; indicates request to start session
  - R: RST - Reset; drop a connection
  - P: PUSH - Push; packet is sent immediately
  - A: ACK - Acknowledgement
  - U: URG - Urgent
  - E: ECE - Explicit Congestion Notification Echo
  - W: CWR - Congestion Window Reduced

Slide 53: TCP Example with Ethereal
(figure)

Slide 54: First Syn message
(figure)

Slide 55: TCP Example with Ethereal
- This is the Syn-ack packet with sequence number 68 8d 5c ad and ack number 10 3f 21 1e.

Slide 56: TCP Example with Ethereal
- Syn number 10 3f 21 1e; Ack number 68 8d 5c ae.

Slide 57: TCP Example with Ethereal
(figure)

Slide 58
(figure)

Slide 59: UDP
- Send and pray. No connection.
- No special header like TCP. The protocol field in the IP header is 0x11.
- Another field in the IP header contains UDP-specific header information.

Slide 60: Fragmentation
- An IP datagram can come across smaller maximum transmission units than its own size.
- The resender chops up the IP datagram into many IP datagrams, the fragments.

Slide 61: Fragmentation
- Fragments are reassembled at the destination.
- Fragments carry: a fragment identifier; the offset in the original data portion; the length of the data payload in the fragment; a flag that indicates whether or not this is the final fragment.
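The handshake, teardown and duplicate-ack slides above describe TCP state as seen in tcpdump output. As an added example (not from the lecture deck), a small tracker that reconstructs that state from such lines and flags stationary acks; the first three SAMPLE lines are the handshake from Slide 45, the rest are constructed here for the same connection in the same notation.

```python
"""Reconstruct TCP connection state from tcpdump lines in the notation used on
the handshake, teardown and data-exchange slides, and flag stationary acks.

Added example, not from the lecture deck. The first three SAMPLE lines are the
handshake shown on the slides; the remaining lines are constructed for the
same connection in the same notation (relative sequence numbers after the
handshake), including one lost segment and the FIN exchange.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>.+?)\.(?P<sport>\d+) > (?P<dst>.+?)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUEW.]+)"
    r"(?: (?P<seq>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)

SAMPLE = """\
20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 (DF)
20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 (DF)
20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)
20:13:35.100000 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: P 1:13(12) ack 1 win 32768 (DF)
20:13:35.100100 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 13 win 17508 (DF)
20:13:35.300000 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: P 25:37(12) ack 1 win 32768 (DF)
20:13:35.300100 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 13 win 17508 (DF)
20:13:35.400000 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: P 37:49(12) ack 1 win 32768 (DF)
20:13:35.400100 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 13 win 17508 (DF)
20:13:35.600000 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: P 13:25(12) ack 1 win 32768 (DF)
20:13:35.600100 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 49 win 17472 (DF)
20:13:36.000000 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: F 1:1(0) ack 49 win 17472 (DF)
20:13:36.000400 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: . ack 2 win 32768 (DF)
20:13:36.000500 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: F 49:49(0) ack 2 win 32768 (DF)
20:13:36.000600 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 50 win 17472 (DF)
"""


class TcpTracker:
    """Per-connection state machine for the handshake, the FIN exchange and RST."""

    def __init__(self):
        self.state = {}    # ((host, port), (host, port)) sorted -> state name
        self.events = []
        self._acks = {}    # (connection, sender) -> [last ack number, repeat count]

    def feed(self, line: str) -> None:
        m = LINE_RE.match(line.strip())
        if not m:
            self.events.append(f"unparsed: {line.strip()}")
            return
        p = m.groupdict()
        src = (p["src"], int(p["sport"]))
        dst = (p["dst"], int(p["dport"]))
        conn = tuple(sorted([src, dst]))
        st = self.state.get(conn, "CLOSED")
        flags, ack = p["flags"], p["ack"]
        # A pure ack carries no data and none of SYN/FIN/RST.
        pure_ack = ack is not None and p["len"] in (None, "0") and not any(c in flags for c in "SFR")

        if "R" in flags:
            new = "CLOSED"
            self.events.append(f"abrupt shutdown (RST) from {src[0]}")
        elif "S" in flags and ack is None:
            new = "SYN_SENT"
        elif "S" in flags:
            new = "SYN_RCVD" if st == "SYN_SENT" else st
            if st != "SYN_SENT":
                self.events.append(f"SYN/ACK without preceding SYN from {src[0]}")
        elif "F" in flags:
            new = {"ESTABLISHED": "FIN_WAIT", "FIN_WAIT": "CLOSING"}.get(st, st)
        elif st == "SYN_RCVD" and ack is not None:
            new = "ESTABLISHED"
            self.events.append(f"handshake complete {src[0]}:{src[1]} <-> {dst[0]}:{dst[1]}")
        elif st == "CLOSING" and pure_ack:
            new = "CLOSED"
            self.events.append("graceful shutdown complete (FIN and ACK in both directions)")
        else:
            new = st
        self.state[conn] = new

        # Lost segment: the receiver's ack number stops advancing (Slide 50).
        if pure_ack:
            rec = self._acks.get((conn, src))
            if rec and rec[0] == ack:
                rec[1] += 1
                if rec[1] == 3:
                    self.events.append(f"3 stationary acks ({ack}) from {src[0]}: probable loss, expect retransmit")
            else:
                self._acks[(conn, src)] = [ack, 1]


def track(text: str) -> TcpTracker:
    t = TcpTracker()
    for line in text.splitlines():
        if line.strip():
            t.feed(line)
    return t


if __name__ == "__main__":
    for e in track(SAMPLE).events:
        print(e)
```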
Slide 62: Fragmentation Example
- Large Echo Request: ping -l 1480 129.218.19.198
- Assume the MTU is 1500.

Slide 63: Fragmentation
(figure)

Slide 64: Fragmentation: First Fragment
(figure)

Slide 65: Fragmentation: Second Fragment
(figure)

Slide 66: Fragmentation: Last Fragment
(figure)

Slide 67: Fragmentation
- ping -l 65500 129.218.19.198
    12:02:18.256066 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag 10712:1472@0+)
    12:02:18.257282 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@1472+)
    12:02:18.258498 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@2944+)
    12:02:18.258502 IP dhcp-19-115.engr.scu.edu.137 > 129.210.19.255.137: udp 50
    12:02:18.259714 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@4416+)
    12:02:18.261177 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@5888+)
    12:02:18.262389 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@7360+)
    12:02:18.263604 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@8832+)
    12:02:18.264820 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@10304+)
    12:02:18.266037 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@11776+)
    12:02:18.267495 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@13248+)
    12:02:18.268712 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@14720+)

Slide 68: Fragmentation
- DF (Don't Fragment) flag: if a forwarding node finds that the datagram needs to be fragmented but the DF flag is set, it should respond with ICMP host unreachable - need to fragment.
- Useful to find the minimum MTU on a link.

Slide 69: Fragmentation
- Fragmentation has security implications:
  - Stateless firewalls look only at individual packages.
  - The protocol header is only in the first fragment.
  - Stealth attacks / scans have the evil payload only in the second and following fragments.
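As an added example (not from the lecture deck), a checker that reads the "(frag id:len@offset+)" notation of the capture above and validates a fragment set the way a reassembly-aware filter would: it reports overlapping offsets, a missing offset-0 fragment, a total above the 65535-byte IP maximum, and sets that never complete. SAMPLE_GOOD reuses the first three capture lines and adds a constructed final fragment; the other sample sets are constructed.

```python
"""Check IP fragment sets, given in the tcpdump "(frag id:len@offset+)"
notation of the fragmentation slides, for overlapping offsets, a missing first
fragment, an oversize reassembled datagram and incomplete sets.

Added example, not from the lecture deck. SAMPLE_GOOD reuses the first three
lines of the "ping -l 65500" capture on the slide and adds a constructed final
fragment so the set completes; the other sample sets are constructed.
"""
import re

FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)")
IP_MAX = 65535
MIN_FIRST = 8   # assumption: the first fragment must at least hold an 8-byte ICMP/UDP header


def parse_frags(lines):
    """Group fragment descriptors by IP identification -> [(offset, length, more), ...]."""
    groups = {}
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            groups.setdefault(int(m["id"]), []).append(
                (int(m["off"]), int(m["len"]), m["more"] == "+"))
    return groups


def check_fragments(frags):
    """Return findings for one datagram's fragments; an empty list means it looks sane."""
    findings = []
    frags = sorted(frags)
    if not frags:
        return ["no fragments"]
    if frags[0][0] != 0:
        findings.append("no first fragment (offset 0 missing): reassembly holds resources for nothing")
    elif frags[0][1] < MIN_FIRST:
        findings.append("first fragment too small to carry the protocol header")
    expected = 0   # byte offset at which the next fragment should start
    for off, length, more in frags:
        if off % 8:
            findings.append(f"offset {off} is not a multiple of 8")
        if off < expected:
            findings.append(f"overlap: fragment at {off} overlaps data ending at {expected}")
        elif off > expected:
            findings.append(f"gap: no data between {expected} and {off}")
        expected = max(expected, off + length)
        if off + length > IP_MAX:
            findings.append(f"oversize: fragment at {off} extends the datagram to {off + length} > {IP_MAX}")
    if frags[-1][2]:
        findings.append("last fragment has more-fragments set: datagram incomplete")
    return findings


def report(lines):
    """Findings per datagram id for a list of tcpdump lines."""
    return {fid: check_fragments(frags) for fid, frags in parse_frags(lines).items()}


SAMPLE_GOOD = [
    "12:02:18.256066 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag 10712:1472@0+)",
    "12:02:18.257282 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@1472+)",
    "12:02:18.258498 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@2944+)",
    "12:02:18.259700 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:100@4416)",   # constructed final fragment
]
SAMPLE_TEARDROP = [   # constructed: the second fragment lands inside the first
    "IP a.example > b.example: udp (frag 4242:36@0+)",
    "IP a.example > b.example: (frag 4242:4@24)",
]
SAMPLE_JOLT2 = ["IP a.example > b.example: (frag 1109:9@65520)"]   # constructed: lone non-zero offset
SAMPLE_OVERSIZE = [   # constructed: the last fragment pushes the total past 65535
    "IP a.example > b.example: icmp (frag 7:1480@0+)",
    "IP a.example > b.example: (frag 7:1480@64800)",
]

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("teardrop", SAMPLE_TEARDROP),
                         ("jolt2", SAMPLE_JOLT2), ("oversize", SAMPLE_OVERSIZE)]:
        print(name, report(sample))
```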
Slide 70: Fragments: Teardrop and Friends
- Teardrop (1997): fragments with overlapping offset fields. Many contemporary OS crashed, hung, or rebooted.
- Jolt2: a single fragment with non-zero offset. The receiving system allocates resources to reconstruct a datagram that never arrives.

Slide 71: Fragments: Teardrop and Friends
- Create fragments that seem to come from a GB datagram. A trusting OS tries to allocate memory and dies.
- Ping of Death: Win95 allowed to send a ping that was just a tad too long. The receiving host would crash.
- Unnamed attacks: missing fragments lead to resource allocation.

Slide 72: ICMP
- Protocols like TCP can send error messages themselves. Stateless protocols like UDP need another mechanism to send error messages.
- A host uses ICMP for simple replies and requests, and to inform other hosts of some kind of error condition.
  - E.g.: to throttle the delivery rate, the receiving host can use the ICMP source quench message.
  - E.g.: a router can send an admin prohibited ICMP message.

Slide 73: ICMP
- ICMP has no port numbers. No acks, no message delivery guarantee. Allows broadcasting.
- ICMP types at http://www.iana.org/assignments/icmp-parameters
- The first byte of the package is Type; the second byte is Code.

Slide 74: ICMP
- Attackers can use ICMP for scanning: mapping a network; detecting availability of a target; detecting the OS through the way that a host responds.

Slide 75: ICMP
- Tireless Mapper: sends ICMP echo request messages to all possible IP addresses. Many IDS might not capture this scan if the number of packages per hour is small.
- Therefore: firewalls should filter incoming ping requests.

Slide 76: ICMP
- Efficient Mapper: use the ICMP echo request with a broadcast address. Ping 129.210.19.255

Slide 77: ICMP
- Clever Mapper: use a different ICMP message such as ICMP address mask.
- Determines the class of the network.

Slide 78: ICMP: Normal activity
- Normal messages: Host unreachable; Port unreachable; Admin prohibited; Need to fragment; Time exceeded in transit.

Slide 79: ICMP: Normal activity
- Host unreachable: the router at the target host's network sends such a message. This gives out info to an attacker.
- Some routers (Cisco) allow an access control list entry: no ip unreachable

Slide 80: ICMP: Normal activity
- Port unreachable:
    target.host > sending.host: icmp: target.host udp port ntp unreachable (DF)
- Used for UDP. TCP has the RESET message to inform the sender.

Slide 81: ICMP: Normal activity
- Unreachable - Admin Prohibited: the router informs the sender that this type of message cannot be forwarded. The router's decision is based on an access control list. The message leaks information to an outside scanner.

Slide 82: ICMP: Normal activity
- Need to Frag: the router informs the sender that DF is set, but that the package is larger than the MTU.

Slide 83: ICMP: Normal activity
- Time Exceeded In-Transit: packages contain a Time To Live (TTL) value. Each router handling a package decrements the TTL value. If the TTL is zero, the router discards the package and sends the Time Exceeded In-Transit message to the sender.

Slide 84: ICMP: Normal activity
- ICMP messages contain additional data in the package: in particular, the IP header followed by eight bytes of protocol header and data of the original datagram.
- Not all OS implementations do this in exactly the same way. Nmap used this for OS fingerprinting. Lately, all TCP/IP stack implementations have been fixed to remove OS idiosyncrasies.

Slide 85: Malicious ICMP: Smurf Attack
- Smurf attack on victim 129.219.19.198:
  - Step 1: Send an ICMP echo request to a broadcast address with the spoofed IP of 129.219.19.198.
  - Step 2: The router allows in the ICMP echo request to the broadcast address.
  - Step 3: All live hosts respond with an ICMP echo reply to the real machine with source IP 129.219.19.198.

Slide 86: Malicious ICMP: Smurf Attack
- ICMP Smurf Attack: Denial of Service Attack.
- Effort of Attacker

Slide: Malicious TCP Use: Mitnick Attack (obsolete)
- The attacker sends another TCP packet with payload: rsh victim echo ++ >> .rhosts
(figure labels: Victim trusts B; B; Attacker; Bad stuff)

Slide 109: Malicious TCP Use: Mitnick Attack (obsolete)
- Now the victim trusts everyone.
(figure labels: Victim trusts everyone; B; Attacker)

Slide 110: Malicious TCP Use: Mitnick Attack (obsolete)
- The attacker terminates the connection with a FIN exchange.
(figure labels: Victim trusts everyone; B; Attacker; FIN; ACK)

Slide 111: Malicious TCP Use: Mitnick Attack (obsolete)
- To wake up B, the attacker sends it a bunch of RES to free B from the SYN flood.
(figure labels: Victim trusts everyone; B; Attacker; RES)

Slide 112: Malicious TCP Use: Mitnick Attack (obsolete)
- The attacker now starts a new connection with the victim.
(figure labels: Victim trusts everyone; B; Attacker; Yak yak yak)

Slide 113: Malicious TCP Use: Mitnick Attack Detection
- Network based intrusion detection (NID) can find the original site mapping.
- NID can find the reconnaissance by finding finger, showmount etc. commands directed to the same port (111). This is a dangerous port. Frequent.

Slide 114: Malicious TCP Use: Mitnick Attack Detection
- Host scans: log instances where a single system accesses multiple hosts at the same time.
- Host-based Intrusion Detection (HID) can find access to a single port.
- HID / Tripwire could find changes to .rhosts.

Slide 115: Malicious TCP Use: Mitnick Attack Detection
- Computer forensics can detect the attack by logging network traffic and by examining the MAC (modification/access/change) times of important files (.rhosts).

Slide 116: Malicious TCP Use: Mitnick Attack Prevention
- A router-based firewall blocks certain types of traffic: network mapping; SYN flooding; access to dangerous ports.
- A host-based firewall blocks access to dangerous ports.
- Security policy: disallows reconnaissance tools; enforces better authentication.

Slide 117: Domain Name Servers
- Provide the mapping from host names to IP addresses.
- DNS resolution process: the client sends a gethostbyname message to the local domain name server; the local domain name server sends back the IP address.
- Uses UDP (almost exclusively).

Slide 118: DNS: Resolution protocol
1. Client to local DNS server: gethostbyname
2. The local DNS server forwards the request to a root server.
3. The root server returns with the name of the remote DNS server.
4. The local DNS server queries the remote DNS server.
5. The remote DNS server answers with the IP address.
6. The local DNS server gives the data to the client.

Slide 119: DNS
- Use caching to prevent overload of the root servers.
- DNS records have a TTL. The responding DNS server sets the TTL; the receiving DNS server caches the record for TTL time.

Slide 120: DNS: Reverse Lookup
- IP address to host name: a query for 1.2.3.4 is sent to 4.3.2.1.in-addr.arpa

Slide 121: DNS: Master - Slave Name Servers
- Each domain has a single master DNS server. Add slaves for redundancy.
- The slave server periodically contacts the master to see whether there are changes.
- Older BIND downloads all data from the domain, even if only one record has changed.

Slide 122: DNS Zone Transfer
- The slave server restarts a zone transfer from master to slave. Uses TCP, port 53.
- Attackers like zone transfers: they give all IP addresses and names in the subnet.
- Newer versions of BIND limit transfers based on IP address.

Slide 123: DNS: Abuse for Reconnaissance
- nslookup: get name servers.

Slide 124: DNS: Abuse for Reconnaissance
- HINFO: host information.

Slide 125: DNS: Abuse for Reconnaissance
- List the zone map information: ls -d engr.scu.edu in nslookup.

Slide 126: DNS: Abuses and Problems
- DNS cache poisoning affects BIND versions before 8.1.1. Based on lack of authentication: some BIND versions cache every DNS data they see.

Slide 127: DNS Cache Poisoning
- Attack on Hillary Clinton's Run for Senate website: traffic to www.hillary2000.org (IP address 206.245.150.74) redirected to www.hillaryno.com (IP address 206.245.150.74).
Slide 128: DNS Cache Poisoning
- Step 1: Evil sends a bogus query to the victim's name server that contains the data "www.hillary2000.org at 206.245.150.74".

Slide 129: DNS Cache Poisoning
- Step 2: The name server accepts the bogus information (even though it is contained in a query).
- Step 3: The victim requests the IP address of hillary2000.org and is directed to hillaryno.com.
- The vulnerability arises from lack of authentication and from using queries to update entries at the queried server.

Slide 130: DNS Cache Poisoning: Birthday Attack
- The attacker sends a large number of queries to a vulnerable name server asking for hillary2000.
- The attacker sends an equal number of phony replies (with the poisoned data).
- The name server will generate requests to resolve hillary2000. With high probability, one of the phony answers will have the same transaction number as the name server's query.

Slide 131: DNS: The BIND Birthday Attack
(figure)

Slide 132: DNS Cache Poisoning
- Redirect traffic to a fake PayPal or other e-commerce site. Set up Man in the Middle attacks.
- Defenses:
  - The domain owner has to rely on the DNS system.
  - The ISP name server admin needs to protect by updating BIND or replacing it with djbdns, and by running two name servers: one for the public domain information to the outside, another for internal use.
  - The end user has to rely on the DNS system.

Slide 133: Routing
- Local routing table: netstat -r

Slide 134: Static Routing
- The IP layer searches the routing table in the following order: search for a matching destination host address; search for a matching destination network address; search for a default entry.

Slide 135: Routing
- Static routes are typically added during the boot process.
- Administrative changes with a routing command.
- ICMP routing discovery messages.

Slide 136: Routing Changes
- A host might have inefficient entries in the routing table.
- ICMP Router Discovery Protocol (IRDP): ICMP redirect messages; ICMP routing discovery messages. IRDP needs to be enabled.

Slide 137: Routing Changes: ICMP Redirect Message
- A sends a message to D.
- A's routing table says to send to B first.

Slide 138: Routing Changes: ICMP Redirect Message
- B forwards to C.
- B informs A that there is a direct route to C (ICMP Redirect Message).

Slide 139: Routing Changes: ICMP Redirect Message
- C forwards the package to the target. A updates its routing table.

Slide 140: IRDP DoS Exploit
- Attacker (E) sends a spoofed IRDP message to A.
- A updates its routing table to reflect the bogus default value. A loses connectivity.

Slide 141: IRDP Windows Exploit
- Windows (95, 98, 2000) and some Solaris systems are vulnerable.
- If a Windows host runs a Dynamic Host Configuration Protocol (DHCP) client, it obtains its default route from the DHCP server.
- ICMP router advertisements can be spoofed. The first router advertisement is checked for a correct IP address; the second router advertisement is erroneously not.

Slide 142: IRDP Windows Exploit
- The attacker sends two ICMP router advertisements to the victim. The victim updates its default gateway to an IP determined by the attacker.
- Used for man in the middle attacks or DoS.

Slide 143: IP Options
- IP options enhance the IP protocol: Security; Stream Identification; Internet Timestamp; Loose Source Routing; Strict Source Routing; Record Route.
- These are security risks.

Slide 144: IP Route Options
- Loose Source Routing specifies a route that includes a list of required nodes.
- Strict Source Routing specifies the beginning of a route (up to 9 nodes) completely.
- Record Route does not alter the routing but requires that all nodes are recorded.

Slide 145: Detecting IP Source Routing
- The IP header is larger than 20 bytes.
- The IP option field has a hex value of 83 (loose source routing) or 89 (strict source routing).
- Filter expression: ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 0x89)

Slide 146: Source Route Exploit
- A spoofing host requires source routing through a host trusted by the victim. The victim decides that the traffic comes from a trusted host.
- Therefore: firewalls need to disable source routing, or the network admin needs to disable trust relationships.
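The filter on Slide 145 tests the first option byte only. As an added example (not from the lecture deck), a Python check that walks the whole IPv4 option list, so a source-route option that follows a NOP or another option is also reported, alongside the slide's expression applied to the same bytes for comparison. All packets are constructed (checksum left zero, no payload).

```python
"""Find IP source-routing options by walking the IPv4 option list. The slide
expresses the check as the filter
    ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 0x89)
which looks only at the first option byte.

Added example, not from the lecture deck. It goes one step beyond the filter:
the whole option list is walked, so a source route preceded by a NOP or by a
record-route option is still reported. All packets are constructed (checksum
left zero, no payload).
"""
import struct

OPT_EOOL, OPT_NOP = 0x00, 0x01
OPT_NAMES = {0x07: "record route", 0x83: "loose source route", 0x89: "strict source route"}
SOURCE_ROUTE = {0x83, 0x89}


def slide_filter(pkt: bytes) -> bool:
    """The slide's expression applied to raw header bytes."""
    return (pkt[0] & 0x0F) > 5 and pkt[20] in (0x83, 0x89)


def ip_options(pkt: bytes):
    """Yield (type, payload) for every option in the IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL or truncated header")
    i = 20
    while i < ihl:
        t = pkt[i]
        if t == OPT_EOOL:          # end of option list (also used as padding)
            return
        if t == OPT_NOP:           # single-byte option
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError(f"option {t:#04x} at offset {i} has no length byte")
        ln = pkt[i + 1]
        if ln < 2 or i + ln > ihl:
            raise ValueError(f"malformed length {ln} for option {t:#04x}")
        yield t, pkt[i + 2:i + ln]
        i += ln


def source_route_finding(pkt: bytes):
    """Describe an LSRR/SSRR option if present, else None."""
    for t, payload in ip_options(pkt):
        if t in SOURCE_ROUTE:
            # payload = pointer byte followed by 4-byte route entries
            hops = [".".join(str(b) for b in payload[k:k + 4]) for k in range(1, len(payload) - 3, 4)]
            return f"{OPT_NAMES[t]} via {hops}"
    return None


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed minimal IPv4 header carrying the given options (padded to 32 bits)."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0x1234, 0x4000,
                      64, 6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + options


def lsrr_option(*hops: str) -> bytes:
    """Constructed LSRR option: type 0x83, length, pointer 4, then the hop addresses."""
    body = b"".join(bytes(map(int, h.split("."))) for h in hops)
    return bytes([0x83, 3 + len(body), 4]) + body


if __name__ == "__main__":
    for label, opts in [("plain", b""), ("lsrr", lsrr_option("192.0.2.1", "10.0.0.9")),
                        ("nop first", b"\x01" + lsrr_option("192.0.2.1"))]:
        pkt = build_ipv4("10.0.0.1", "10.0.0.2", opts)
        print(f"{label:10s} filter={slide_filter(pkt)!s:5s} walker={source_route_finding(pkt)}")
```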
Slide 147: Network Address Translation
- Allows many internal IP addresses to appear as a few external IP addresses. Local hosts typically have non-routable addresses.
- Function: the local machine connects to the NAT box as gateway; the NAT box assigns the connection a routable IP address and port; the outside host answers to the latter address; the NAT box forwards the requests to the local machine.
- From: http://www.californiasw.com/Knowledge-center/whitepaper/vxworks.html

Slide 148: Internet Group Management Protocol (IGMP)
- Defined by RFC 1112. IGMP messages use IP protocol 2. IGMP is used to join and leave multicast groups.

Slide 149: IPSec
- Security layer based on IPv6. Implemented as a "Bump In The Stack" architecture, in the IP layer:
    Upper layer protocols
    TCP/UDP
    IP
    IPSec
    Data link layer

Slide 150: IPSec
- Provides authentication of the source IP address. Provides message integrity and encryption. Take COEN 350.

Slide 151: SNMP: Simple Network Management Protocol
- Allows remote managing of TCP/IP devices.
- Example vulnerability: SNMP default accounts public and private. When queried, they return SNMP information. Can be used for network mapping. Might spell out passwords.

Slide 152: Network Authentication Threats
- Passive sniffing: malicious Mallory can read messages between Alice and Bob.
- Spoofing: malicious Mallory can create messages that seem to come from either Alice or Bob.
- Standard attack modes: breaking cryptography; man-in-the-middle; replay attacks; reflection attack (open several connections).

Slide 153: Man In the Middle Attack (Bucket Brigade Attack)
- The attacker reroutes traffic through itself.
- Example: the victim connects to attacker:80, thinking that attacker is bank.com:80. The attacker displays the login screen from bank.com to the victim. The attacker goes to bank.com.

Slide 154: Man In the Middle Attack (Bucket Brigade Attack)
- Victim to Bank.com (intercepted by Black Hat)
- Black Hat to Bank.com
- Bank.com to Black Hat: Login Please
- Black Hat to Victim: Login Please
- Victim to Black Hat: Login sue user
- Black Hat to Bank: Login sue user
- Bank to Black Hat: Password Please
- Black Hat to Victim: Password Please
- Victim to Black Hat: Password is fiddlesticks
- Black Hat to Bank: Password is fiddlesticks

Slide 155: Man In the Middle Attack (Bucket Brigade Attack)
- Could be prevented with SSL, but only if the victim's browser ascertains the certificate of the bank.

Slide 156: Replay Attack
- Remote authentication protocol: instead of sending the password, the user sends the password encrypted.
- The attacker sniffs the password exchange and now knows what to send.

Slide 157: Reflection Attack
- Simple mutual authentication protocol based on the capability to encrypt a challenge:
    Alice: I am Alice. R_A
    Bob: R_B. E_K(R_A)
    Alice: Hi Bob. E_K(R_B)
    Bob: Hi Alice.

Slide 158: Reflection Attack
    Session 1 Trudy: I am Alice. R_A.
    Session 1 Bob: R_B. E_K(R_A).
    Session 2 Trudy: I am Alice. R_B.
    Session 2 Bob: R_B. E_K(R_B).
    Session 1 Trudy: Hi Bob. E_K(R_B).
    Session 1 Bob: Hi Alice.

Slide 159: Protecting Networks: Terms of Trade
- Border Router: first / last router under control of system administration.
- DMZ: demilitarized zone. Security is low, since it is not protected by the firewall. Locate webservers and other services there that generate potentially unsafe traffic.
- Firewall: filters packages based on a variety of rules.

Slide 160: Protecting Networks: Terms of Trade
- IDS: Intrusion Detection System. NIDS glean intrusion signatures from traffic.
  HIDS monitor activity at the host on which they are located.
- VPN: virtual private network.
- Screened subnet: area protected by an internal firewall.

Slide 161: Protecting Networks: Terms of Trade
- Configuration Management: known vulnerabilities account for most actually perpetrated exploits. For most of them, patches were available but not installed. CM tries to enforce uniform security policies.
- Backdoors: an entrance into the system that avoids perimeter defenses.

Slide 162: Defense in Depth
- Rule 1: a multitude of security measures. Do not rely on one security mechanism.

Slide 163: Defense in Depth
- Example: an external TCP packet passes: Internet perimeter router; Internet perimeter firewall; DMZ firewall; network IPS; NetFlow (analyzes connections on the network); antivirus scanner on the host; host IPS.

Slide 164: Firewalls
- Firewalls are perimeter defense: keep the bad stuff outside, enjoy life inside.

Slide 165: Filtering
- Signature: any distinctive characteristic that identifies something (with a high degree of probability).
- Signature types:
  - Atomic signatures: a single packet, single event, single activity is examined.
  - Stateful signatures: state is needed when analyzing multiple pieces of information that are not available at the same time.

Slide 166: Filtering: Atomic vs. Stateful Signatures
- LAND attack: the attacker sends a TCP SYN packet with the same source and destination address. Caused TCP stacks to crash. Can be discovered looking at a single packet.
- Search for the string etc/password in a URL: the attacker fragments the packet so that the string is not in either fragment. State is needed in order to recognize the attack.

Slide 167: Filtering: Signature Triggers
- Pattern detection:
  - Simple string search: search for the string etc/passwords.
  - Protocol decoders: search for the string only in protocol fields, e.g. an ARP request with source address FF:FF:FF:FF:FF:FF.
- Anomaly detection:
  - Traffic going to an unusual port.
  Protocol compliance for HTTP traffic.
Behavior detection
  Abnormally large / small fragmented packets.
  RPC requests that do not first consult the portmapper.

Slide 168 Filtering: Signature Actions
  Generating an alert
  Dropping / preventing an activity
  Logging the activity
  Resetting a TCP connection
  Blocking future activity
  Allowing the activity

Slide 169 Packet Filtering: Static Packet Filtering
Allow or deny packets based on their internal characteristics (addresses, protocol, ports, flags). Example, Cisco extended ACL:
  access-list 111 deny ip host 205.205.205.205.1 any
  access-list 111 permit tcp host 205.205.205.205.1 any
  access-list 111 deny icmp any any echo-request
  access-list 111 permit icmp any any packet-too-big
  access-list 111 deny icmp any any
Rules are evaluated top-down and the first match wins, so the second line can never match: the preceding "deny ip" already covers all TCP from that host. Order matters, and anything not matched by any line is denied implicitly.

Slide 170 Static Packet Filtering
It is difficult to design efficient rules, and easy to get the rule table wrong and let bad traffic through.
Security risks:
  People can piggy-back bad messages inside harmless ones. HTTP traffic is known to be used as a backdoor (tunneling).
  Loki uses the payload of normal ICMP echo packets, which filters commonly pass, as a covert channel.
  Fragmentation lets the filter see only a fragment. Most filters only look at the first fragment, the only one carrying the TCP/UDP header.

Slide 171 Static Packet Filtering
Configuring a packet filter:
  Security policy: what is allowed, what is not allowed.
  The allowable types of packets must be specified logically, as logical expressions on packet fields.
  The expressions then need to be rewritten in the firewall vendor's language.

Slide 172 Static Packet Filtering: Example
Security policy: allow inbound mail (SMTP, port 25), but only to the gateway. Block host faucet.

  action   our host   port   their host   port   comment
  block    *          *      faucet       *      We don't trust these people.
  allow    OUR-GW     25     *            *      Connection to our SMTP server.

Slide 173 Static Packet Filtering: Example
If no rule applies, the packet is dropped. Without additional rules, our rule set would drop all non-mail packets; there would also be no replies to our own outbound connections.
Beware of a rule like the following (intended to allow acknowledgements) that is based solely on the outside host's port number. Port 25 is usually the mail port.
But there is no guarantee: anyone outside can send from source port 25, so this rule lets an attacker reach any port on any inside host simply by choosing 25 as the source port.

  action   our host   port   their host   port   comment
  allow    *          *      *            25     Connection to their SMTP port.

Slide 174 Static Packet Filtering: Example
Expand the rule set to allow connections to the outside. Replies are recognized by the ACK flag: a packet with ACK set cannot be the first packet of a new connection, so an attacker sending from port 25 can no longer open one.

  action   our host     port   their host   port   flag   comment
  block    *            *      faucet       *
  allow    OUR-GW       25     *            *
  allow    (our host)   *      *            25            Our packets to their port.
  allow    *            *      *            25     ACK    Their replies.

(our host): specify here the names of all machines allowed to send mail to the outside.
Caveat: a packet with ACK set that belongs to no connection (an ACK scan) still passes the last rule and can be used to map the filter; removing that gap is what stateful filtering (slide 180) is for.

Slide 175 Static Packet Filtering: Combating Address Spoofing
At a minimum:
  Don't allow packets with inside source addresses coming in.
  Don't allow packets with outside source addresses going out.
  Block source routing at the border routers.

Slide 176 Static Packet Filtering: Routing Information
If a node is unreachable from the outside, then the node is almost (but not quite) as safe as a node disconnected from the net.
Internal routers should not advertise paths to such nodes to the outside.
Filter routes learned from the outside: protects against subversion by route confusion.
Route squatting: use internal addresses that belong to a different domain; the nodes are de facto unreachable from the outside.
Use non-announced addresses (e.g. 10.x.x.x). But beware: when companies merge, these address ranges tend to collide. So pick addresses in unpopular address ranges.

Slide 177 Static Packet Filtering: Performance
Packet filtering is done at the border, so there is no degradation for the internal network; typically the connection to the ISP is the bottleneck.
However, degradation depends on the number of rules applied. This can be mitigated by careful ordering of the rules (most frequently matched first, as long as the semantics stay the same).

Slide 178 Application Level Filtering
Packet filters only look at:
  the source address
  the destination address
  TCP / UDP port numbers
  TCP / UDP flags.
Application filters deal with the details of the service they are checking. E.g. a mail application filter looks at RFC 822 headers and MIME attachments, and might identify virus-infected attachments.
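The reflection attack of slides 157 and 158 played out with both sides' messages, as an added Python example rather than code from the slides. E_K(x) is realized here as HMAC-SHA256 over x under the shared key K (an assumption: any keyed function that only holders of K can compute serves the slides' purpose), the key and the challenges are constructed, and the bind_direction switch implements one of the standard fixes: Bob's answers and the answers he expects are computed over different direction labels, so a value Bob produced in one session is never the value he will accept in another.

```python
import hashlib
import hmac
import secrets

# Constructed shared key; in the slides' notation this is K.
K = b"shared-secret-between-alice-and-bob"


def E(key: bytes, tag: bytes, nonce: bytes) -> bytes:
    """Stands in for E_K(nonce). The tag is empty in the vulnerable protocol
    of slide 157 and names the direction ("A->B" / "B->A") in the fixed one."""
    return hmac.new(key, tag + b"|" + nonce, hashlib.sha256).digest()


class BobSession:
    """One run of the protocol on Bob's side; Bob happily serves several at once."""

    def __init__(self, key: bytes, bind_direction: bool):
        self.key = key
        self.bind = bind_direction
        self.r_b = None

    def step1(self, claimed_id: str, r_a: bytes):
        """Receive 'I am Alice, R_A'; reply with a fresh R_B and E_K(R_A)."""
        self.r_b = secrets.token_bytes(16)
        return self.r_b, E(self.key, b"B->A" if self.bind else b"", r_a)

    def step3(self, answer: bytes) -> bool:
        """Receive E_K(R_B); accept only if it is what Alice should have sent."""
        expected = E(self.key, b"A->B" if self.bind else b"", self.r_b)
        return hmac.compare_digest(answer, expected)


def alice_answer(key: bytes, r_b: bytes, bind_direction: bool) -> bytes:
    """Alice, who knows K, answers Bob's challenge R_B."""
    return E(key, b"A->B" if bind_direction else b"", r_b)


def run_honest(bind_direction: bool) -> bool:
    """Alice <-> Bob, both holding K: must succeed in either variant."""
    bob = BobSession(K, bind_direction)
    r_a = secrets.token_bytes(16)
    r_b, e_ra = bob.step1("Alice", r_a)
    # Alice checks Bob's answer to her challenge before answering his.
    if not hmac.compare_digest(e_ra, E(K, b"B->A" if bind_direction else b"", r_a)):
        return False
    return bob.step3(alice_answer(K, r_b, bind_direction))


def run_reflection(bind_direction: bool) -> bool:
    """Trudy, who does not know K, opens two sessions (slide 158) and uses
    session 2 to make Bob compute the answer that session 1 demands."""
    session1 = BobSession(K, bind_direction)
    session2 = BobSession(K, bind_direction)
    # Session 1: Trudy -> Bob: "I am Alice", R_A.   Bob -> Trudy: R_B, E_K(R_A)
    r_b1, _ = session1.step1("Alice", secrets.token_bytes(16))
    # Session 2: Trudy -> Bob: "I am Alice", R_B (Bob's own challenge).
    #            Bob -> Trudy: R_B', E_K(R_B)   <- the value session 1 wants
    _r_b2, reflected = session2.step1("Alice", r_b1)
    # Session 1: Trudy -> Bob: E_K(R_B).   Bob: "Hi Alice" if the protocol is broken.
    return session1.step3(reflected)


if __name__ == "__main__":
    print("honest Alice, vulnerable protocol:", run_honest(False))
    print("Trudy reflection, vulnerable protocol:", run_reflection(False))
    print("honest Alice, direction-bound:", run_honest(True))
    print("Trudy reflection, direction-bound:", run_reflection(True))
```

With the vulnerable variant Trudy is accepted as Alice without ever learning K; with direction binding the reflected value fails Bob's check. Refusing to open a second session for an identity while one is pending is the other common fix, and a practitioner would note that the binding only works because both the tag and the challenge go into the keyed function: tagging the plaintext message while encrypting only the nonce would leave the attack intact.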
Slide 179 Application Level Filtering
Snort allows rules that pass a packet on to another service (a preprocessor or external program) for deeper inspection.
Commercial firewalls include application level filters for many products; vendors use non-disclosure agreements to obtain the details of proprietary protocols.

Slide 180 Dynamic Packet Filtering (Stateful Firewall)
Still looks at each packet, but maintains the state of each connection: implements connection filtering by dynamically adjusting a table of current connections.
Implementation, two approaches:
  Adjust the filtering rules dynamically. E.g. we started an HTTP connection to a given host; now HTTP packets from that host are allowed, but only for as long as that connection exists.
  Or: terminate the connection at the firewall and have the firewall open its own connection to the ultimate destination (proxying).

Slide 181 Proxy Firewalls
Proxies act on behalf of a client.
Proxy firewall, reverse proxy:
  Receives packets on one interface.
  Processes the requests.
  Translates them into internal requests on the other interface.
  Receives the answers from inside and translates them to the outside.

Slide 182 Proxy Firewalls
Proxy firewall, forward proxy:
  Receives requests from the inside.
  Processes the requests.
  Translates them into requests to the outside on the other interface.
  Receives the answers from outside and translates them to the inside.
  Acts on behalf of the inside machine, which is thereby protected from the vagaries of the internet.

Slide 183 Proxy Firewalls
Application level proxies work at the level of the application: they understand the protocol they relay.
Circuit-level proxies do not understand the application; they make filtering decisions by validating and monitoring sessions.

Slide 184 Possible Configurations: Dual Homed Host
Internal Network -- dual-homed host acting as firewall -- Internet

Slide 185 Possible Configurations: Screened Host Architecture
Internal Network -- screening router -- Internet
  The router only allows traffic to the bastion host (screening router).
  The bastion host sits on the internal network.
  The bastion host works as a proxy.

Slide 186 Possible Configurations: Screened Subnet
Internal Network -- Interior Router -- Perimeter Network (bastion host) -- Exterior Router -- Internet
  Exterior router, a.k.a.
access router.
  The bastion host sits on the perimeter network.
  Interior router, a.k.a. choke router.

Slide 187 Possible Configurations
Attach the bastion host(s) to the perimeter network (DMZ).
Two possibilities to give internal hosts access to the internet:
  Use the exterior and interior router to filter packets.
  Use the bastion host as a proxy.

Slide 188 Possible Configurations
O.K. to have many bastion hosts.
O.K. to merge the interior and exterior router.
O.K. to merge the bastion host and the exterior router, though the performance of the bastion host might not be sufficient.
O.K. to have many interior subnetworks.
O.K. to have many exterior routers.
O.K. to have multiple perimeter networks.
NOT O.K. to merge the bastion host and the interior router: the bastion host becomes a single point of failure, and once it is compromised nothing separates the attacker from the internal network.
NOT O.K. to use multiple interior routers: the same policy would have to be maintained on all of them, and their configurations drift apart.

Slide 189 Securing Public Web Servers
Isolate the web server:
  Internet -- firewall -- webserver -- firewall -- SQL server / internal network
Only the SQL protocol is permitted through the inner firewall, so a compromised webserver can reach the database service and nothing else inside.

Slide 190 Firewall Settings for DNS
Use a bastion host to host a "fake" (outward-facing) DNS server; the true DNS server lives on the interior network. A DNS query proceeds with DNS proxying:
  1. The local DNS client asks the local DNS server (interior network).
  2. The local DNS server sends the query to the bastion host (perimeter network).
  3. The bastion host forwards the query to the internet DNS system.
  4. The internet DNS system answers to the bastion host.
  5. The bastion host forwards the answer to the real DNS server.
  6. The real DNS server forwards the answer to the local DNS client.

Slide 191 Hiding DNS Server
Internal Network (true DNS server, local DNS client) -- Interior Router a.k.a. choke router -- Perimeter Network (fake DNS server) -- Exterior Router a.k.a. access router -- Internet

Slide 192 Firewall Settings for DNS
The fake DNS server provides basic hostnames and IP addresses for:
  machines in the perimeter network;
  machines in the interior network that someone on the outside needs to connect to;
  fake information about machines that can contact the outside world directly, so that reverse lookups by outside servers succeed without revealing the internal naming.
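A connection-tracking filter in the sense of slide 180, written here as an added Python example (not code from the slides or from any firewall product). Entries are created only by an outbound SYN from the inside, inbound segments must belong to a tracked connection, and a FIN or RST removes the entry; the addresses, ports and flags of the segments are constructed. The contrast with the static ACK rule of slide 174 is the first packet in the demo: an inbound packet with ACK set but no matching entry (an ACK scan) passes the static rule and is dropped here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """A TCP segment as the filter sees it; all fields constructed for the demo."""
    direction: str  # "out" = from the inside network, "in" = from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFilter:
    """Connection table keyed by (inside host, inside port, outside host, outside
    port). Only an inside host may create an entry, and only with a bare SYN."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def _key(seg: Segment):
        if seg.direction == "out":
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def handle(self, seg: Segment) -> str:
        key = self._key(seg)
        state = self.table.get(key)
        if state is None:
            if seg.direction == "out" and seg.syn and not seg.ack:
                self.table[key] = "SYN_SENT"
                return "allow"
            # An inbound SYN, an unsolicited SYN/ACK and an ACK scan all land
            # here: nothing inside asked for this segment, so it is dropped.
            return "drop"
        if state == "SYN_SENT":
            if seg.direction == "in" and seg.syn and seg.ack:
                self.table[key] = "ESTABLISHED"
                return "allow"
            if seg.direction == "in" and seg.rst:
                del self.table[key]  # connection refused by the peer
                return "allow"
            if seg.direction == "out" and seg.syn and not seg.ack:
                return "allow"  # retransmitted SYN
            return "drop"
        # ESTABLISHED: either side may send. Teardown is simplified: the first
        # FIN or RST removes the entry (a real tracker follows both FINs and
        # keeps an idle timeout for entries whose peer never answers).
        if seg.fin or seg.rst:
            del self.table[key]
        return "allow"

    def tracked(self) -> int:
        return len(self.table)


if __name__ == "__main__":
    fw = StatefulFilter()
    # ACK scan from outside: a static "ACK means reply" rule would pass it.
    print(fw.handle(Segment("in", "203.0.113.9", 25, "10.0.0.7", 22, ack=True)))
    # Inside host opens an SMTP connection; the SYN/ACK reply is now expected.
    print(fw.handle(Segment("out", "10.0.0.7", 40123, "mx.example.net", 25, syn=True)))
    print(fw.handle(Segment("in", "mx.example.net", 25, "10.0.0.7", 40123, syn=True, ack=True)))
```

The table is what the slide calls the dynamically adjusted filtering table: the allow decision for the reply is created by the outbound SYN and disappears with the connection, so no standing rule keyed on port numbers or flags is needed. UDP and ICMP, which have no handshake, are handled in real firewalls by pseudo-connections that expire on a timer; this toy covers TCP only.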
Slide 193 Firewall Settings for DNS
Packet filtering on the interior router needs to allow:
  DNS queries from the internal server to the bastion host server:
    UDP packets from port 53 on the internal host to port 53 on the bastion host;
    TCP packets from an ephemeral port on the internal host to port 53 on the bastion host.
  Responses from the bastion host to the internal server:
    UDP packets from port 53 on the bastion host to port 53 on the internal server;
    TCP packets with the ACK bit set from port 53 on the bastion host to ephemeral ports on the internal server.
  DNS queries from the bastion host's DNS clients to the internal server:
    UDP and TCP packets from ephemeral ports on the bastion host to port 53 on the internal server.
  Responses from the internal server to the bastion host's DNS clients:
    UDP and TCP packets with the ACK bit set from port 53 on the internal server to ephemeral ports on the bastion host.
The ACK condition applies to the TCP packets only; UDP has no flags, which is why the UDP rules are keyed on port 53 at both ends.

Slide 194 Hiding DNS Server
Same diagram as slide 191: Internal Network (true DNS server, local DNS client) -- Interior Router a.k.a. choke router -- Perimeter Network (fake DNS server) -- Exterior Router a.k.a. access router -- Internet.

Slide 195 Application Inspection
Dynamic firewalls allow selective inspection of applications: HTTP, FTP, DNS, ICMP.

Slide 196 Application Inspection
DNS example (Cisco ASA DNS inspection):
  Guarantees that the ID of the DNS reply matches the ID of the DNS query.
  Allows translation of the addresses inside DNS packets under NAT.
  Reassembles DNS packets to verify their length.

Slide 197 Application Inspection
SMTP (Cisco ASA protection):
  Protects against SMTP-based attacks by restricting the types of SMTP commands.
  An illegal command is modified and forwarded; typically the receiver then replies with SMTP error 500 (command not recognized).
  Checks size.

Slide 198 Virtual Private Networks (diagram)

Slide 199 Virtual Private Networks
A VPN uses connections over an existing public network; the connection is secured with encryption. Three topologies:
  Host to host
  Host to gateway
  Gateway to gateway

Slide 200 Virtual Private Networks (diagram)

Slide 201 Virtual Private Networks
Encryption can be done at the:
  application level;
  transport level;
  network level;
  data link level.
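The rule tables of slides 172 to 175 and the DNS rule list of slide 193, evaluated by one small stateless filter, added here as an example (Python; not the slides' code and not any vendor's ACL syntax). The "our host / their host" column convention of the slides is kept, the first matching rule wins, no match means drop, and the anti-spoofing checks of slide 175 run before the table is consulted. The host names OUR-GW, faucet, INTERNAL-DNS and BASTION, the inside host list and the sample packets are constructed, and the assumption that OUR-GW is the only host allowed to send mail out is mine.

```python
from dataclasses import dataclass
from typing import Optional, Union

Port = Union[int, str]  # a port number, or "*" for any


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the untrusted side, "out" = leaving
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK flag; always False for udp


@dataclass(frozen=True)
class Rule:
    """One row of the slide 172 table, plus the columns the later slides need."""
    action: str      # "allow" or "block"
    our_host: str
    our_port: Port
    their_host: str
    their_port: Port
    proto: str = "*"
    direction: str = "*"        # "in", "out" or "*"
    ack: Optional[bool] = None  # None = don't care, True = ACK must be set
    comment: str = ""


def _match(pattern, value) -> bool:
    return pattern == "*" or pattern == value


def filter_packet(rules, pkt, inside_hosts=frozenset()):
    """First matching rule wins; no match means drop (slide 173). Anti-spoofing
    (slide 175) runs first: an inside address arriving from outside, or a
    non-inside address leaving, is dropped before the table is consulted."""
    if pkt.direction == "in":
        if pkt.src in inside_hosts:
            return "block", "spoofed: inside source address coming in"
        ours, our_port, theirs, their_port = pkt.dst, pkt.dport, pkt.src, pkt.sport
    else:
        if inside_hosts and pkt.src not in inside_hosts:
            return "block", "spoofed: outside source address going out"
        ours, our_port, theirs, their_port = pkt.src, pkt.sport, pkt.dst, pkt.dport
    for r in rules:
        if (_match(r.proto, pkt.proto) and _match(r.direction, pkt.direction)
                and _match(r.our_host, ours) and _match(r.our_port, our_port)
                and _match(r.their_host, theirs) and _match(r.their_port, their_port)
                and (r.ack is None or r.ack == pkt.ack)):
            return r.action, r.comment
    return "block", "no rule matched: default drop"


# Slide 173: the tempting "allow replies" rule keyed only on their port number.
NAIVE_RULES = [
    Rule("block", "*", "*", "faucet", "*", comment="we don't trust these people"),
    Rule("allow", "OUR-GW", 25, "*", "*", comment="connection to our SMTP server"),
    Rule("allow", "*", "*", "*", 25, comment="anything from their port 25"),
]

# Slide 174: only named hosts may open connections to outside port 25, and
# replies must carry ACK. OUR-GW as the sole outbound mailer is an assumption.
MAIL_SENDERS = ("OUR-GW",)
BETTER_RULES = NAIVE_RULES[:2] + [
    Rule("allow", h, "*", "*", 25, comment="our packets to their SMTP port")
    for h in MAIL_SENDERS
] + [Rule("allow", "*", "*", "*", 25, ack=True, comment="their replies")]

# Slide 193, interior router: "our" side is the internal network, "their" side
# the bastion host. INTERNAL-DNS and BASTION are placeholder host names.
DNS_RULES = [
    Rule("allow", "INTERNAL-DNS", 53, "BASTION", 53, proto="udp",
         comment="UDP queries and responses, server to server"),
    Rule("allow", "INTERNAL-DNS", "*", "BASTION", 53, proto="tcp", direction="out",
         comment="TCP query from an ephemeral port on the internal server"),
    Rule("allow", "INTERNAL-DNS", "*", "BASTION", 53, proto="tcp", direction="in",
         ack=True, comment="TCP response back to the internal server"),
    Rule("allow", "INTERNAL-DNS", 53, "BASTION", "*", proto="udp",
         comment="bastion DNS clients <-> internal server, UDP"),
    Rule("allow", "INTERNAL-DNS", 53, "BASTION", "*", proto="tcp", direction="in",
         comment="TCP query from a bastion client"),
    Rule("allow", "INTERNAL-DNS", 53, "BASTION", "*", proto="tcp", direction="out",
         ack=True, comment="TCP response to a bastion client"),
]

INSIDE = frozenset({"OUR-GW", "10.0.0.7"})  # constructed list of inside hosts

if __name__ == "__main__":
    # A SYN from source port 25 to an inside ssh port: the naive table lets it in.
    scan = Packet("in", "tcp", "203.0.113.9", 25, "10.0.0.7", 22)
    print("naive :", filter_packet(NAIVE_RULES, scan, INSIDE))
    print("better:", filter_packet(BETTER_RULES, scan, INSIDE))
    # A genuine reply from an outside mail server (ACK set) passes both tables.
    reply = Packet("in", "tcp", "mx.example.net", 25, "OUR-GW", 40123, ack=True)
    print("reply :", filter_packet(BETTER_RULES, reply, INSIDE))
```

The SYN from source port 25 is accepted by the naive table and dropped by the corrected one, while a genuine ACK-carrying reply passes both; in DNS_RULES a bare SYN from the bastion's port 53 to an ephemeral port on the internal server is dropped for the same reason. What this filter cannot do is notice that an ACK-flagged packet belongs to no connection; that is the gap stateful filtering (slide 180) closes.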
Slide 202 Virtual Private Networks: VPN Technologies
Application level: Pretty Good Privacy (PGP), Secure Shell (SSH).
Transport level: Secure Socket Layer (SSL/TLS). Does not protect the packet, but its content (the application payload). Typically runs inside the application, so the OS does not need to be changed.
Network level: IPsec. Encrypts the packet itself; in tunnel mode the encrypted packet receives a new packet header. IPsec protects the port numbers (and, in tunnel mode, the inner addresses), but the outer header with the destination address stays visible. The OS needs to be changed, but only once (Windows 2000 and Windows XP ship it).
Data link level: Layer 2 Tunneling Protocol (L2TP), an addition to the Point-to-Point Protocol (PPP), tunnels frames at the data link layer. L2TP by itself provides no encryption; in practice it is combined with IPsec (L2TP/IPsec).

Slide 203 Virtual Private Networks
The alternative is a dedicated point-to-point connection such as a private T1 line: most secure, most expensive, and slow to set up.