Network Protocols: Layering
- Each layer adds a header.
- Layers, top to bottom: Application, TCP, IP, Link.

Data Link Layer
- Sits on top of the physical layer, which provides:
  - Hardware specification
  - Encoding and signaling
  - Data transmission and reception
  - Topology and physical network design
- Example data link layers: Ethernet, Token Ring, FDDI, Wi-Fi (802.11).
- Divided into two sublayers: Logical Link Control (LLC) and Media Access Control (MAC).

Link Layer Address Resolution
- Network Interface Cards (NIC) carry a unique Medium Access Control (MAC) number.
  - Now typically changeable, in order to accommodate device changes when authentication is done through the MAC address.
- Format: 48 bits, written as twelve hex digits. The first six identify the vendor, the last six are a serial number.
- NICs either select frames based on MAC address or are in promiscuous mode (capture every packet).

Link Layer Address Resolution
- Address Resolution Protocol (ARP) resolves IP addresses to MAC addresses.
- RFC 826.

Link Layer: ARP Resolution Protocol
- Assume node A, with its IP address and MAC 00:01:02:03:04:05, wants to talk to a target IP address.
- A sends out a broadcast who-has request:
  00:01:02:03:04:05 > ff:ff:ff:ff:ff:ff; arp 42: who-has
- All devices on the link capture the packet and pass it to the IP layer.
- The target is the only one to answer:
  a0:a0:a0:a0:a0:a0 > 00:01:02:03:04:05; arp 64: arp reply is-at a0:a0:a0:a0:a0:a0
- A caches the value in its ARP cache.
Link Layer Intrusion Detection
- Network monitoring tools such as Argus or Ethereal log MAC addresses.

Link Layer Forensics
- Example: a spike in network traffic comes from a computer with a certain IP address.
- However, Argus logs reveal that the traffic comes from a computer with a different MAC than the computer assigned that IP (spoofing).
- Finally, intrusion response finds the computer with that MAC: a Linux laptop that has been compromised and is used for a Denial of Service attack.

Link Layer Intrusion Detection
- The ARP cache can be viewed on Windows NT/2000/XP with the arp -a command.

Link Layer Intrusion Detection
- Some organizations log ARP information.
- Routers keep ARP tables: show ip arp
- All hosts keep ARP tables.
- DHCP often assigns addresses only to computers with known MACs.

Link Layer Intrusion Detection
- An employee received harassing messages from a host on the employer's network with a certain IP address.
- The DHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c.
- This MAC belonged to a network printer.
- The router's ARP table showed that the IP address was used by a computer with MAC 00:30:65:4b:2a:5c (IP spoofing).
- Although this MAC was not on the organization's list, there were only a few Apple computers on the network and the culprit was soon found.

Link Layer Intrusion Detection
- Analyze and filter log files:
  - Keyword searches, e.g. for USER, PASS, login, nicknames, channel names.
  - Filters.
  - Reconstruction, e.g. the contents of a web-mail inbox.

Link Layer Intrusion Detection
- NetIntercept screenshot: an example of a commercial Network Forensics / Network Intrusion Detection tool that reveals link layer evidence.
ARP Package (RFC 826)
Byte offsets of the ARP package:
- 0-1: Hardware type (0x0001 = Ethernet)
- 2-3: Protocol type (0x0800 = IP)
- 4: Number of bytes in hardware address (6 for MAC)
- 5: Number of bytes in protocol address (4 for IP)
- 6-7: Opcode: 1 for ARP request, 2 for ARP reply
- 8-13: Source MAC
- 14-17: Source IP
- 18-23: Target MAC
- 24-27: Target IP

Monitoring Tools
- Arpwatch monitors Ethernet activity and keeps a database of Ethernet/IP address pairings.
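As an added example (not part of the original slides, and not arpwatch's own code), the following Python decodes the 28-byte ARP body laid out above and keeps an arpwatch-style table of IP-to-MAC pairings, raising an alert when a known IP suddenly claims a new MAC, which is exactly the mismatch the forensics examples above rely on. The MAC and IP values in the sample traffic are constructed; the third packet is a constructed conflicting reply for 10.0.0.1.

```python
import struct
from dataclasses import dataclass

# RFC 826 body for Ethernet/IPv4, matching the byte offsets listed above:
# hw type, proto type, hw len, proto len, opcode, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)          # 28 bytes
OPCODES = {1: "request", 2: "reply"}

@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def parse_arp(body: bytes) -> ArpPacket:
    """Decode the 28-byte ARP body; reject anything that is not Ethernet/IPv4 ARP."""
    if len(body) < ARP_LEN:
        raise ValueError("ARP body shorter than 28 bytes")
    hw, proto, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, body[:ARP_LEN])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(op, mac_str(smac), ip_str(sip), mac_str(tmac), ip_str(tip))

def build_arp(opcode: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Construct a sample ARP body (used here only to make test traffic)."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    to_ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       to_mac(smac), to_ip(sip), to_mac(tmac), to_ip(tip))

class ArpWatcher:
    """arpwatch-style monitor: remembers IP->MAC pairings and reports changes."""
    def __init__(self):
        self.pairings = {}      # sender IP -> MAC last seen claiming it
        self.alerts = []

    def observe(self, pkt: ArpPacket):
        if pkt.opcode not in OPCODES:
            self.alerts.append(f"unknown opcode {pkt.opcode} from {pkt.sender_mac}")
            return
        if pkt.sender_mac == "ff:ff:ff:ff:ff:ff":
            # a broadcast sender address is never legitimate
            self.alerts.append(f"broadcast sender MAC claims {pkt.sender_ip}")
            return
        known = self.pairings.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            # the "flip-flop" that reveals a spoofed IP or a poisoning attempt
            self.alerts.append(f"{pkt.sender_ip} moved from {known} to {pkt.sender_mac} "
                               f"(ARP {OPCODES[pkt.opcode]})")
        self.pairings[pkt.sender_ip] = pkt.sender_mac

def run_sample() -> ArpWatcher:
    """Replay constructed traffic: a normal who-has/is-at exchange, then a conflicting reply."""
    traffic = [
        build_arp(1, "00:01:02:03:04:05", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),  # who-has
        build_arp(2, "a0:a0:a0:a0:a0:a0", "10.0.0.1", "00:01:02:03:04:05", "10.0.0.5"),  # is-at
        build_arp(2, "de:ad:be:ef:00:01", "10.0.0.1", "00:01:02:03:04:05", "10.0.0.5"),  # conflicting
    ]
    watcher = ArpWatcher()
    for frame in traffic:
        watcher.observe(parse_arp(frame))
    return watcher

if __name__ == "__main__":
    for alert in run_sample().alerts:
        print(alert)
```

The watcher keys on the sender fields because both requests and replies advertise the sender's pairing; a real deployment would also age entries out and compare against the DHCP lease database, as the forensics example above does.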
Attacks on ARP
- Package generators for various OS allow an attacker to subvert a chosen protocol:
  - hping2 for Windows.
  - *NIX, X Windows: packit, IP Sorcery, and many, many more.
- Used to create arbitrary packages.

Attacks on ARP: Switch Flooding
- Switches contain a switch address table, which associates ports with MAC addresses.
- Switch flooding creates many false entries.
- Switches fail in two different modes:
  - Fail open: the switch converts into a hub. This allows monitoring traffic through the switch from any port.
  - Fail closed: the switch stops functioning. Denial of Service (DoS) attack.

Attacks on ARP: ARP Poisoning
(Figure: attacker, switch, victim, router, outside world.)
- The attacker configures IP forwarding to send packets to the default router for the LAN.
- The attacker sends a fake ARP to remap the default router's IP address to his MAC address.
- The switch now takes packets from the victim and forwards them to the attacker.
- The attacker's machine intercepts the message for sniffing and sends it back to the switch with the MAC address of the router.
RARP
- RARP (Reverse Address Resolution Protocol) is used to allow diskless systems to obtain a static IP address.
- The system requests an IP address from another machine (with its MAC address).
- The responder either uses DNS with a name-to-Ethernet-address mapping or looks up a MAC-to-IP ARP table.
- The administrator needs to place the table in a gateway.
- The RARP daemon (RARP-d) responds to RARP requests.

RARP Vulnerability
- Use RARP together with ARP spoofing to request an IP address and take part in communications over the network.

RARP Package
Package format as in ARP:
- 0-1: Hardware type (0x0001 = Ethernet)
- 2-3: Protocol type (0x0800 = IP)
- 4: Number of bytes in hardware address (6 for MAC)
- 5: Number of bytes in protocol address (4 for IP)
- 6-7: Opcode: 1 for ARP request, 2 for ARP reply
- 8-13: Source MAC
- 14-17: Source IP
- 18-23: Target MAC
- 24-27: Target IP
IP
- Uses IP addresses of source and destination.
- IP datagrams are moved from hop to hop.
- "Best effort" service.
- Corrupted datagrams are detected and dropped.

IP
- Addresses contain an IP address and a port number.
- IPv4 addresses are 32 bits long.
- IPv6 addresses are 8*16 bits long.
DHCP: Dynamic Host Configuration Protocol
- Evolved from the TCP/IP Boot Protocol BOOTP, which solves the problem of diskless workstations.
- Boot process: first obtain an IP address, then download the OS etc.
  - The BOOTP client sends a broadcast to UDP port 67 (BOOTREQUEST).
  - The BOOTP server listens on that port and replies to the client by either using the client's hardware address to create an ARP entry, or using broadcast.
  - The client downloads the OS (using e.g. TFTP).

DHCP: Assigning Addresses
- Manual allocation (just as BOOTP): single point of administration.
- Automatic allocation: DHCP assigns an address to a given device automatically from a pool of addresses.
- Dynamic allocation: DHCP assigns an address from a pool of addresses for the length of a lease.
  - Addresses are reused and shared.
  - Clients need to renew a lease periodically.
  - If clients are rebooting but still have an active lease, they reconfirm their lease during reboot.
  - If renewal fails, clients will rebind to any active DHCP server.
  - Clients can release a DHCP-assigned IP address.

DHCP Attacks: Denial of Service
- The attacker sends DHCP requests, using up all IP addresses in the pool.
- The attacker uses random MAC addresses.
- Switches can limit the number of MAC addresses used on a given link and prevent this attack.

DHCP Attacks: Man in the Middle, Default Gateway
- The attacker assigns DHCP addresses by either disabling the DHCP server and then operating its own DHCP server, or by running a faster DHCP server.
- The attacker specifies itself as default gateway.
- The attacker redirects traffic from the victim through itself.

DHCP Attacks: Man in the Middle, DNS Redirection
- The attacker assigns DHCP addresses.
- The attacker specifies itself as the DNS server.
- The attacker only redirects traffic to selected IP addresses: banking, shopping, ...
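The three DHCP attacks above leave two observable traces: many client MACs appearing on one switch port (pool exhaustion) and offers whose server, gateway or DNS fields do not belong to the legitimate server (the two man-in-the-middle variants). As an added example (not from the original slides), the Python below checks a constructed feed of DHCP observations against allow-lists; the server and gateway addresses, the port names and the per-port MAC limit are all assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed allow-lists: the legitimate DHCP server and the values it is expected to hand out.
TRUSTED_DHCP_SERVERS = {"10.0.0.2"}
TRUSTED_GATEWAYS = {"10.0.0.1"}
TRUSTED_DNS = {"10.0.0.53"}
MAC_LIMIT_PER_PORT = 3          # port-security style limit on distinct client MACs per switch port

def check_offer(offer: dict) -> list:
    """Compare the server, router and dns fields of a DHCPOFFER against the allow-lists."""
    findings = []
    if offer["server"] not in TRUSTED_DHCP_SERVERS:
        findings.append(f"offer from rogue DHCP server {offer['server']}")
    if offer["router"] not in TRUSTED_GATEWAYS:
        findings.append(f"offer sets default gateway {offer['router']} (possible MITM)")
    if offer["dns"] not in TRUSTED_DNS:
        findings.append(f"offer sets DNS server {offer['dns']} (possible redirection)")
    return findings

def starvation_ports(discovers: list, limit: int = MAC_LIMIT_PER_PORT) -> dict:
    """Count distinct client MACs per switch port; ports over the limit suggest pool exhaustion."""
    macs_by_port = defaultdict(set)
    for d in discovers:
        macs_by_port[d["port"]].add(d["client_mac"])
    return {port: len(macs) for port, macs in macs_by_port.items() if len(macs) > limit}

def analyze(events: list) -> dict:
    """Run both checks over a list of observed DHCP messages."""
    discovers = [e for e in events if e["msg"] == "DISCOVER"]
    offers = [e for e in events if e["msg"] == "OFFER"]
    rogue = [(o["server"], check_offer(o)) for o in offers if check_offer(o)]
    return {"rogue_offers": rogue, "starved_ports": starvation_ports(discovers)}

# Constructed observations: one normal client, one good offer, one rogue offer,
# and forty DISCOVERs with different MACs arriving on a single port.
SAMPLE_EVENTS = [
    {"msg": "DISCOVER", "port": "Gi0/1", "client_mac": "00:01:02:03:04:05"},
    {"msg": "OFFER", "server": "10.0.0.2", "router": "10.0.0.1", "dns": "10.0.0.53"},
    {"msg": "OFFER", "server": "10.0.0.77", "router": "10.0.0.77", "dns": "10.0.0.77"},
] + [{"msg": "DISCOVER", "port": "Gi0/7", "client_mac": f"02:00:00:00:00:{i:02x}"} for i in range(40)]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

The MAC-per-port count is the software equivalent of the switch limit mentioned above; the offer check is what DHCP snooping on a switch does when only designated "trusted" ports may carry offers.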
IP: ICMP
- Internet Control Message Protocol, created to deal with non-transient problems. For example:
  - Fragmentation is necessary, but the Don't Fragment flag is set.
  - A UDP datagram is sent to a non-listening port.
  - Ping: used to detect network connectivity before it became too useful for attack reconnaissance.
- Does not use ports.
- Allows broadcasting.
- More on ICMP later.

IP: ICMP
- ICMP error messages should not be sent:
  - For any but the first fragment.
  - For a source address that is a broadcast or loopback address (such packets are probably malicious anyway).
- Otherwise, ICMP messages could proliferate and throttle a network.

IP: ICMP
- ICMP errors are not sent:
  - In response to an ICMP error message. Otherwise, one could craft a message with invalid UDP source and destination ports and watch the ICMP ping-pong.
  - To a destination broadcast address. Don't answer with destination unreachable for a broadcast; otherwise, this makes it trivial to scan a network.
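The two slides above list the cases in which a host or router must stay silent rather than generate an ICMP error. As an added example (not from the original slides), the Python below encodes those rules as one decision function and runs it over constructed offending datagrams; the local network 10.0.0.0/24 and the packet fields are assumptions made for the example.

```python
import ipaddress

# ICMP types that are themselves error reports: unreachable, source quench, redirect,
# time exceeded, parameter problem. Errors are never generated in response to these.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def is_broadcast(addr, local_networks) -> bool:
    """Limited broadcast, or the directed broadcast of a network this host knows about."""
    return addr == LIMITED_BROADCAST or any(addr == net.broadcast_address for net in local_networks)

def may_send_icmp_error(pkt: dict, local_networks) -> tuple:
    """Apply the rules above to the offending datagram; returns (allowed, reason)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if pkt.get("frag_offset", 0) != 0:
        return False, "not the first fragment"
    if src.is_loopback or src.is_multicast or is_broadcast(src, local_networks):
        return False, "source is a broadcast/loopback address (probably malicious)"
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") in ICMP_ERROR_TYPES:
        return False, "original datagram is itself an ICMP error (would ping-pong)"
    if dst.is_multicast or is_broadcast(dst, local_networks):
        return False, "destination is a broadcast address (would aid network scans)"
    return True, "ok"

LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]   # constructed

def classify(packets: list) -> list:
    """Convenience wrapper: the allowed/denied verdict for each packet."""
    return [may_send_icmp_error(p, LOCAL_NETS)[0] for p in packets]

SAMPLE = [  # constructed offending datagrams
    {"src": "192.0.2.10", "dst": "10.0.0.5", "proto": "udp", "dport": 9999},        # closed port: error allowed
    {"src": "192.0.2.10", "dst": "10.0.0.5", "proto": "udp", "frag_offset": 185},   # a later fragment
    {"src": "127.0.0.1", "dst": "10.0.0.5", "proto": "udp"},                         # loopback source
    {"src": "192.0.2.10", "dst": "10.0.0.5", "proto": "icmp", "icmp_type": 3},      # an ICMP error came in
    {"src": "192.0.2.10", "dst": "10.0.0.255", "proto": "udp"},                      # directed broadcast
    {"src": "192.0.2.10", "dst": "10.0.0.5", "proto": "icmp", "icmp_type": 8},      # echo request: not an error
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, may_send_icmp_error(p, LOCAL_NETS))
```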
Transport Layer: TCP and UDP
- Transmission Control Protocol (TCP): reliable, connection-oriented, slow.
- User Datagram Protocol (UDP): unreliable, connectionless, fast.

TCP
- Only supports unicasting.
- Full duplex connection.
- Message numbers to prevent loss of messages.

TCP: Three Way Handshake
- Initiator to responder: SYN(s)
- Responder to initiator: ACK(s), SYN(t)
- Initiator to responder: ACK(t)
- Sets up two connections with initial message numbers s and t.

TCP: Three Way Handshake
20:13: IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S : (0) win <mss 1460,nop,nop,sackOK> (DF)
20:13: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S : (0) ack win <mss 1460> (DF)
20:13: IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win (DF)
- Annotations: the flag (S) is followed by the sequence number; win is the window, the number of bytes accepted.

TCP: Terminating Connections
- Graceful shutdown:
  - Party 1 to Party 2: FIN
  - Party 2 to Party 1: ACK
  - Party 2 to Party 1: FIN
  - Party 1 to Party 2: ACK
- Abrupt shutdown:
  - Party 1 to Party 2: RES (reset)

TCP: Shutting Down a Connection
20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win (DF)
20:48: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win (DF)
20:48: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win (DF)
20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win (DF)
20:48: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win (DF)
20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win (DF)
20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win (DF)
20:48: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win (DF)

TCP: Exchanging Data
- Each packet has a sequence number (one for each direction).
- Initial sequence numbers are created during the initial three-way handshake.
- NMap uses the creation of these sequence numbers to determine the OS.
- OS are now much better with truly random sequence numbers.

TCP: Exchanging Data
- The party that receives a packet sends an acknowledgement.
- The acknowledgement consists of the ACK flag and the sequence number of the next package to be expected. (TCPDump shows the number of bytes acknowledged.)

TCP: Exchanging Data
- If a package is lost, then the ack sequence number will not change: "duplicate acknowledgement".
- Depending on settings, the sender will resend after at most three stationary ack numbers.
- Also, senders resend after a timeout.

TCP: Exchanging Data
20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 4 win (DF)
20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 3:4(1) ack 4 win (DF)
20:48: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 4:5(1) ack 4 win (DF)
20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win (DF)
20:48: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win (DF)
20:48: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win (DF)
20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win (DF)

TCP Flags
Part of the TCP header:
- F: FIN - Finish; end of session
- S: SYN - Synchronize; indicates a request to start a session
- R: RST - Reset; drop a connection
- P: PSH - Push; packet is sent immediately
- A: ACK - Acknowledgement
- U: URG - Urgent
- E: ECE - Explicit Congestion Notification Echo
- W: CWR - Congestion Window Reduced
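The tcpdump excerpts above show the handshake, data exchange and graceful shutdown, and the text explains duplicate acknowledgements. As an added example (not from the original slides), the Python below parses lines in that tcpdump style, follows one connection through the flag-driven states, and counts duplicate acks per sender so that the third one raises the "segment lost" event described above. The trace is constructed (host names client/server, absolute sequence numbers, one deliberately missing segment that is retransmitted later); tcpdump's own relative numbering is not reproduced.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines:  IP src.port > dst.port: FLAGS seq:end(len) ack N win W
TRACE = """\
IP client.1316 > server.23: S 1000:1000(0) win 65535
IP server.23 > client.1316: S 5000:5000(0) ack 1001 win 5840
IP client.1316 > server.23: . ack 5001 win 65535
IP client.1316 > server.23: P 1001:1011(10) ack 5001 win 65535
IP server.23 > client.1316: P 5001:5021(20) ack 1011 win 5840
IP client.1316 > server.23: . ack 5021 win 65535
IP server.23 > client.1316: P 5041:5061(20) ack 1011 win 5840
IP client.1316 > server.23: . ack 5021 win 65535
IP client.1316 > server.23: . ack 5021 win 65535
IP client.1316 > server.23: . ack 5021 win 65535
IP server.23 > client.1316: P 5021:5041(20) ack 1011 win 5840
IP client.1316 > server.23: . ack 5061 win 65535
IP server.23 > client.1316: F 5061:5061(0) ack 1011 win 5840
IP client.1316 > server.23: . ack 5062 win 65535
IP client.1316 > server.23: F 1011:1011(0) ack 5062 win 65535
IP server.23 > client.1316: . ack 1012 win 5840
"""

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+)"
                  r"(?: (\d+):(\d+)\((\d+)\))?(?: ack (\d+))? win (\d+)")

def parse_line(line: str) -> dict:
    """Split one line into endpoints, flags, sequence/length, ack and window."""
    m = LINE.search(line)
    if not m:
        raise ValueError(f"unparsed line: {line}")
    sh, sp, dh, dp, flags, seq, _end, length, ack, win = m.groups()
    return {"src": f"{sh}.{sp}", "dst": f"{dh}.{dp}", "flags": flags,
            "seq": int(seq) if seq else None, "len": int(length) if length else 0,
            "ack": int(ack) if ack else None, "win": int(win)}

class FlowTracker:
    """State of one TCP connection plus a duplicate-ack counter per sender."""
    def __init__(self):
        self.state = "CLOSED"
        self.fins = set()                 # which endpoints have sent FIN
        self.last_ack = {}                # sender -> last ack number it sent
        self.dup_acks = defaultdict(int)
        self.events = []

    def feed(self, p: dict) -> str:
        f = p["flags"]
        if "R" in f:                      # abrupt shutdown
            self.state = "CLOSED"
            self.events.append(f"{p['src']} reset the connection")
            return self.state
        if "S" in f:                      # SYN, or SYN with ack from the responder
            self.state = "SYN_SENT" if p["ack"] is None else "SYN_RECEIVED"
        elif "F" in f:                    # graceful shutdown: first FIN, then the second
            self.fins.add(p["src"])
            self.state = "FIN_WAIT" if len(self.fins) == 1 else "LAST_ACK"
        elif p["ack"] is not None:
            if self.state == "SYN_RECEIVED":
                self.state = "ESTABLISHED"
                self.events.append("three-way handshake complete")
            elif self.state == "LAST_ACK":
                self.state = "CLOSED"
                self.events.append("graceful shutdown complete")
        if p["ack"] is not None:          # duplicate-ack bookkeeping on pure acks only
            pure = p["len"] == 0 and "S" not in f and "F" not in f
            if pure and self.last_ack.get(p["src"]) == p["ack"]:
                self.dup_acks[p["src"]] += 1
                if self.dup_acks[p["src"]] == 3:
                    self.events.append(f"{p['src']} sent 3 duplicate acks for {p['ack']}: "
                                       "segment lost, retransmission expected")
            else:
                self.dup_acks[p["src"]] = 0
            self.last_ack[p["src"]] = p["ack"]
        return self.state

def run_trace(text: str = TRACE) -> FlowTracker:
    tracker = FlowTracker()
    for line in text.strip().splitlines():
        tracker.feed(parse_line(line))
    return tracker

if __name__ == "__main__":
    for event in run_trace().events:
        print(event)
```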
UDP
- "Send and pray": no connection.
- No special header like TCP.
- The protocol field in the IP header is 0x11.
- Another field in the IP header contains UDP-specific header information.
Fragmentation
- An IP datagram can come across smaller maximum transmission units (MTU) than its own size.
- The resender chops up the IP datagram into many IP datagrams, the fragments.

Fragmentation
- Fragments are reassembled at the destination.
- Fragments carry:
  - Fragment identifier
  - Offset in the original data portion
  - Length of the data payload in the fragment
  - Flag that indicates whether or not this is the final fragment.

Fragmentation Example
- Large echo request: ping -l 1480 126.96.36.199
- Assume the MTU is 1500.

Fragmentation
ping -l output as seen by tcpdump:
12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag
12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag
12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag
12:02: IP dhcp engr.scu.edu.137 > : udp 50
12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag
12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag
12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag
12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag
12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag
12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag
12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag
12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag

Fragmentation: DF (Don't Fragment) Flag
- If a forwarding node finds that the datagram needs to be fragmented but the DF flag is set, it should respond with ICMP host unreachable - need to fragment.
- Useful to find the minimum MTU on a link.

Fragmentation
- Fragmentation has security implications:
  - Stateless firewalls look only at individual packages.
  - The protocol header is only in the first fragment.
  - "Stealth attacks / scans" have the evil payload only in the second and following fragments.

Fragments: Teardrop and Friends
- Teardrop: fragments with overlapping offset fields. Many contemporary OS crashed, hung, or rebooted.
- Jolt2: a single fragment with a non-zero offset. The receiving system allocates resources to reconstruct a datagram that never arrives.

Fragments: Teardrop and Friends
- Create fragments that seem to come from a GB datagram; a trusting OS tries to allocate memory and dies.
- Ping of Death: Win95 allowed sending a ping that was just a tad too long. The receiving host would crash.
- Unnamed attacks: missing fragments lead to resource allocation.
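Each of the fragment attacks above violates one invariant that a careful reassembler can check before it allocates anything: fragments must not overlap (Teardrop), the datagram must not exceed 65535 bytes (Ping of Death and the "GB datagram" trick), and a set that never includes offset 0 or the final fragment (Jolt2, missing fragments) is a resource-holding incomplete set. As an added example (not from the original slides), the Python below validates the fragments seen for one IP identification; offsets are given in bytes (the header field times 8), and the four sample sets are constructed.

```python
MAX_DATAGRAM = 65535      # largest IPv4 datagram the 16-bit total-length field can describe

def validate_fragments(frags: list) -> tuple:
    """Inspect all fragments seen for one IP identification.

    Each fragment is a dict with id, offset (bytes = field value * 8), length (payload
    bytes) and mf (the "more fragments" flag). Returns (status, detail)."""
    if not frags:
        return "empty", "no fragments"
    if len({f["id"] for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    ordered = sorted(frags, key=lambda f: f["offset"])
    problems, reach = [], 0
    for f in ordered:
        end = f["offset"] + f["length"]
        if end > MAX_DATAGRAM:
            problems.append(f"fragment at {f['offset']} ends at {end} > {MAX_DATAGRAM} (oversized datagram)")
        if f["offset"] < reach:
            problems.append(f"fragment at {f['offset']} overlaps data already covered up to {reach}")
        reach = max(reach, end)
    if problems:
        return "malicious", "; ".join(problems)
    if ordered[0]["offset"] != 0:
        return "incomplete", "first fragment missing: a reassembly buffer would be held until timeout"
    pos = 0
    for f in ordered:
        if f["offset"] != pos:
            return "incomplete", f"gap before offset {f['offset']}"
        pos = f["offset"] + f["length"]
    if ordered[-1]["mf"]:
        return "incomplete", "final fragment (MF=0) not seen yet"
    return "complete", f"datagram of {pos} bytes reassembled"

# Constructed fragment sets.
NORMAL = [  # ping -l 1480 through a 1500-byte MTU: 1488 ICMP bytes split into 1480 + 8
    {"id": 6400, "offset": 0, "length": 1480, "mf": True},
    {"id": 6400, "offset": 1480, "length": 8, "mf": False},
]
TEARDROP = [  # second fragment starts inside the first one
    {"id": 1, "offset": 0, "length": 36, "mf": True},
    {"id": 1, "offset": 24, "length": 36, "mf": False},
]
JOLT2 = [  # a lone fragment with non-zero offset; the first fragment never comes
    {"id": 2, "offset": 8, "length": 28, "mf": False},
]
GIANT = [  # last fragment claims to end beyond 65535 bytes
    {"id": 3, "offset": 0, "length": 1480, "mf": True},
    {"id": 3, "offset": 65528, "length": 24, "mf": False},
]

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP), ("jolt2", JOLT2), ("giant", GIANT)]:
        print(name, validate_fragments(frags))
```

Checking the size and overlap conditions before touching any buffer is the point: a reassembler that allocates first and validates afterwards is the one that dies.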
ICMP
- Protocols like TCP can send error messages themselves. Stateless protocols like UDP need another mechanism to send error messages.
- A host uses ICMP for simple replies and requests, and to inform other hosts of some kind of error condition.
  - E.g.: to throttle the delivery rate, a receiving host can use the ICMP source quench message.
  - E.g.: a router can send an "admin prohibited" ICMP message.

ICMP
- ICMP has no port numbers.
- No acks, no message delivery guarantee.
- Allows broadcasting.
- ICMP types are listed in the IANA registry (assignments/icmp-parameters).
- The first byte of the package is the Type; the second byte is the Code.

ICMP
- Attackers can use ICMP for scanning: mapping a network, detecting the availability of a target, detecting the OS through the way a host responds.

ICMP: Tireless Mapper
- Sends ICMP echo request messages to all possible IP addresses.
- Many IDS might not capture this scan if the number of packages per hour is small.
- Therefore: firewalls should filter incoming ping requests.

ICMP: Efficient Mapper
- Uses the ICMP echo request with a broadcast address (ping).

ICMP: Clever Mapper
- Uses a different ICMP message such as ICMP address mask.
- Determines the class of the network.
ICMP: Normal Activity
- Normal messages: host unreachable, port unreachable, admin prohibited, need to fragment, time exceeded in transit.

ICMP: Normal Activity - Host Unreachable
- The router at the target host's network sends such a message.
- This gives out info to an attacker.
- Some routers (Cisco) allow turning this off with the interface command: no ip unreachables

ICMP: Normal Activity - Port Unreachable
target.host > sending.host: icmp: target.host udp port ntp unreachable (DF)
- Used for UDP.
- TCP has the RESET message to inform the sender.

ICMP: Normal Activity - Unreachable, Admin Prohibited
- The router informs the sender that this type of message cannot be forwarded.
- The router's decision is based on an access control list.
- The message leaks information to an outside scanner.

ICMP: Normal Activity - Need to Frag
- The router informs the sender that DF is set, but the package is larger than the MTU.

ICMP: Normal Activity - Time Exceeded In-Transit
- Packages contain a Time To Live (TTL) value.
- Each router handling a package decrements the TTL value.
- If the TTL reaches zero, the router discards the package and sends the Time Exceeded In-Transit message to the sender.

ICMP: Normal Activity
- ICMP messages contain additional data in the package. In particular: the IP header followed by eight bytes of protocol header and data of the original datagram.
- Not all OS implementations do this in exactly the same way.
- Nmap used this for OS fingerprinting.
- Lately, all TCP/IP stack implementations have been fixed to remove OS idiosyncrasies.
Malicious ICMP: Smurf Attack
- Smurf attack on a victim:
  - Step 1: Send an ICMP echo request to a broadcast address with the spoofed source IP of the victim.
  - Step 2: The router allows in the ICMP echo request to the broadcast address.
  - Step 3: All live hosts respond with an ICMP echo reply to the real machine with that source IP.

Malicious ICMP: Smurf Attack
- ICMP Smurf attack: Denial of Service attack.
- Effort of attacker << effort of victim.
- Uses ICMP replies from a network as an amplifier.
- Works well if the victim has a slow connection.

Malicious ICMP: Tribal Flood Network
- Based on Smurf.
- Creates zombies out of compromised machines.
- Compromised machines use a trigger to start bombarding a victim with requests.
- Many variations on this theme.

Malicious ICMP: Winfreeze (obsolete)
- Uses the ICMP redirect message, whose legal use is to update routing information.
- A flood of redirect messages causes the victim (Win95 / Win98) to redirect traffic to itself via random hosts.
- The victim spends too much time updating its routing table.

Malicious ICMP: Loki
- Uses ICMP packages for a covert channel.
- A compromised host with a Loki server responds to requests from a Loki client.
- Requests are sent via ping messages with data embedded in ICMP pings.
- Originally used bytes 6 and 7.

Malicious ICMP: Simple Counter-Measures
- Limit ICMP messages at the firewall.
  - Leads to inefficiencies, such as trying a TCP connection to a host that is down.
  - Need to admit path MTU discovery.
- Log those that are let through.
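The counter-measure slide asks for an ICMP filter that drops what mappers and Smurf-style floods need, still admits need-to-fragment so path MTU discovery works, and logs what it lets through. The "Normal activity" slides explain the material the filter has to work with: byte 0 is the type, byte 1 the code, and error messages quote the original IP header plus eight bytes of transport header. As an added example (not from the original slides), the Python below parses that structure and applies such a policy to constructed messages; the network 10.0.0.0/24, the set of outstanding echo identifiers and the allow-list are assumptions, and the builders exist only to construct test messages (checksums are left at zero).

```python
import struct
import ipaddress

OUR_NET = ipaddress.ip_network("10.0.0.0/24")       # constructed: the network behind the firewall
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}                 # unreachable, quench, redirect, time exceeded, param problem
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
NEED_TO_FRAG = 4                                      # code under type 3

def parse_icmp(msg: bytes) -> dict:
    """Byte 0 is the type, byte 1 the code; error messages quote the original IP header + 8 bytes."""
    icmp_type, code, _checksum, rest = struct.unpack("!BBHI", msg[:8])
    info = {"type": icmp_type, "code": code, "rest": rest}
    if icmp_type in ICMP_ERROR_TYPES and len(msg) >= 28:
        inner = msg[8:]
        ihl = (inner[0] & 0x0F) * 4
        _vihl, _tos, _tlen, _ident, _ff, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", inner[:20])
        quoted = {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)), "proto": proto}
        transport = inner[ihl:ihl + 8]                      # the eight bytes after the quoted IP header
        if proto in (6, 17) and len(transport) >= 4:        # TCP/UDP: these bytes start with the ports
            quoted["sport"], quoted["dport"] = struct.unpack("!HH", transport[:4])
        info["quoted"] = quoted
    return info

def filter_inbound(msg: bytes, outstanding_echo_ids: set) -> tuple:
    """Decision for an ICMP message arriving from outside; returns (action, reason)."""
    info = parse_icmp(msg)
    t, c = info["type"], info["code"]
    if t == ECHO_REQUEST:
        return "drop", "inbound ping filtered (mapper defence)"
    if t == ECHO_REPLY:
        ident = info["rest"] >> 16                          # identifier field of echo messages
        if ident in outstanding_echo_ids:
            return "allow", f"echo reply for our request id {ident:#x}"
        return "drop", "unsolicited echo reply (Smurf-style reply flood is dropped here)"
    if t in ICMP_ERROR_TYPES:
        quoted = info.get("quoted")
        if quoted is None or ipaddress.ip_address(quoted["src"]) not in OUR_NET:
            return "drop", "error does not quote a datagram sent from our network"
        if t == DEST_UNREACH and c == NEED_TO_FRAG:
            return "allow", "need-to-fragment: admitted so path MTU discovery keeps working"
        if t in (DEST_UNREACH, TIME_EXCEEDED):
            kind = "unreachable" if t == DEST_UNREACH else "time exceeded"
            return "allow", f"{kind} for {quoted['src']}:{quoted.get('sport')} -> {quoted['dst']}:{quoted.get('dport')}"
        return "drop", f"ICMP type {t} (redirect/quench/parameter problem) not accepted"
    return "drop", f"ICMP type {t} not on the allow-list"

def icmp_echo(icmp_type: int, ident: int, seq: int) -> bytes:
    """Constructed echo request/reply header."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)

def icmp_error(icmp_type: int, code: int, src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed ICMP error quoting a minimal IPv4 header (IHL=5) and 8 transport bytes."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                           ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner_ip + struct.pack("!HHI", sport, dport, 0)

def run_policy(messages: list, outstanding: set) -> tuple:
    """Apply the filter and keep the log of everything that was let through."""
    decisions, log = [], []
    for m in messages:
        action, reason = filter_inbound(m, outstanding)
        decisions.append(action)
        if action == "allow":
            log.append(reason)
    return decisions, log

SAMPLE = [  # constructed inbound ICMP messages
    icmp_echo(ECHO_REQUEST, 0x1234, 1),                                               # someone pinging us
    icmp_echo(ECHO_REPLY, 0x1234, 1),                                                 # reply to our ping
    icmp_echo(ECHO_REPLY, 0x9999, 1),                                                 # reply we never asked for
    icmp_error(DEST_UNREACH, NEED_TO_FRAG, "10.0.0.5", "192.0.2.9", 6, 40000, 443),   # PMTUD for our host
    icmp_error(DEST_UNREACH, NEED_TO_FRAG, "198.51.100.7", "192.0.2.9", 6, 40000, 443),  # quotes a stranger
    icmp_error(DEST_UNREACH, 3, "10.0.0.5", "192.0.2.9", 17, 40001, 53),              # port unreachable
    icmp_error(5, 1, "10.0.0.5", "192.0.2.9", 6, 40000, 80),                          # redirect
]

if __name__ == "__main__":
    print(run_policy(SAMPLE, {0x1234}))
```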
Harmless Behavior: TCP
- Destination host not listening on the requested port: the receiver acknowledges and resets at the same time.
- Destination host does not exist: the router sends icmp: host xxx.yyy unreachable.

Harmless Behavior: TCP
- Destination port blocked:
  - The router responds with an icmp message: icmp: xxx.yyy unreachable - admin prohibited filter
  - Or the router does not respond. The sender retries up to a protocol-dependent maximum number of retries.

Harmless Behavior: UDP
- Destination host not listening on the requested port:
  - The destination host sends an icmp message: icmp: xxx.yyy port domain unreachable
  - Or: the destination host does not respond. The sender will possibly retry several times.

Harmless Behavior: Windows Tracert
- tracert (traceroute) uses ICMP pings.
- The tracing host sends an ICMP echo request with TTL = 1, then with TTL = 2, etc.
- The first router responds to the first request; if it is not the destination, with an icmp: time exceeded in transit message.
- The second router responds to the second request, etc.

Harmless Behavior: Unix Traceroute
- traceroute uses UDP to a random ephemeral port.
- The tracing host sends a UDP package with TTL = 1, then with TTL = 2, etc.
- The first router responds to the first request; if it is not the destination, with an icmp: time exceeded in transit message.
- The second router responds to the second request, etc.
- The target responds with a port unreachable message.
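To make the two traceroute variants concrete, here is an added simulation (not from the original slides) of the exchange on both sides: the tracing host raises the TTL one at a time, each router decrements it and answers "time exceeded in-transit" when it hits zero, and the target answers either with an echo reply (Windows style) or with a port unreachable (Unix style). The three-router path, the target address and the set of listening UDP ports are constructed; the UDP destination port sequence starting at 33434 follows the usual traceroute convention but is an assumption here.

```python
# Constructed topology: the routers between the tracing host and the target, in order.
PATH = ["10.0.0.1", "172.16.0.1", "192.0.2.1"]
TARGET = "192.0.2.50"
LISTENING_UDP = {TARGET: {53}}      # UDP ports with a listener on the target (constructed)

def deliver(probe: dict, path=PATH, target=TARGET) -> tuple:
    """Forward one probe hop by hop; returns (responder address, message)."""
    ttl = probe["ttl"]
    for router in path:
        ttl -= 1                                  # every router decrements the TTL
        if ttl == 0:                              # ... and reports when it reaches zero
            return router, "icmp: time exceeded in-transit"
    # the datagram reached the target host itself
    if probe["proto"] == "icmp":
        return target, "icmp: echo reply"
    if probe["dport"] in LISTENING_UDP.get(target, set()):
        return target, "(datagram delivered to a listener, no ICMP answer)"
    return target, f"icmp: {target} udp port {probe['dport']} unreachable"

def traceroute(proto: str, max_hops: int = 30) -> list:
    """Windows-style (proto='icmp') or Unix-style (proto='udp') trace."""
    hops = []
    for ttl in range(1, max_hops + 1):
        probe = {"ttl": ttl, "proto": proto, "dport": 33434 + ttl}   # high, unlikely-to-listen ports
        responder, message = deliver(probe)
        hops.append((ttl, responder, message))
        if responder == TARGET:                   # the target answered: trace complete
            break
    return hops

if __name__ == "__main__":
    for style in ("icmp", "udp"):
        print(style)
        for ttl, who, msg in traceroute(style):
            print(f"  {ttl:2d}  {who:12s}  {msg}")
```

Seen from a network IDS, both variants look the same up to the last hop: a run of datagrams to one destination with TTLs 1, 2, 3, ... and a matching run of time-exceeded messages coming back; only the final exchange tells the two apart.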
FTP
- Uses TCP.
- Active / passive FTP: both use port 21 to issue FTP commands.
- Active FTP: uses port 20 for data. The FTP server establishes the connection to the client.

FTP: Active FTP Example
- Command channel between server8.engr.scu.edu.21 and Bobadilla.1628.
- The dir command creates a new connection between server9.engr.scu.edu.20 and Bobadilla.5001.

FTP
- The opening of a connection from the outside to an ephemeral port is dangerous.
- Passive FTP: the client initiates the data connection to port 20.
Malicious TCP Use: Mitnick Attack (obsolete)
- SYN flood: the goal is to disconnect the victim from the net.
  - Throws hundreds / thousands of SYN packets with a spoofed return address.
  - The recipient's stack of connections waiting to be established is flooded.
  - Still works with a DDoS attack.

Malicious TCP Use: Mitnick Attack (obsolete)
- Identify trust relationships by extensive network mapping: nbtstat/finger, showmount, rpcinfo -r, ...
- rpcinfo provides information about the remote procedure call services and their ports.

Malicious TCP Use: Mitnick Attack (obsolete)
- Initiate a number of TCP connections to the host: send a SYN packet, receive a SYN/ACK packet, send a RES so that the victim is not flooded.
- Observe the sequence number values between different connections. Can they be predicted?
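The question "can they be predicted?" is one a defender should answer about their own hosts before an attacker does. As an added example (not from the original slides), the Python below takes initial sequence numbers observed across successive connections and reports a constant increment or a narrow spread of increments, the two patterns of the old stacks mentioned above; the two sample series are constructed, and the 2^16 spread threshold is an assumption chosen for the example.

```python
def isn_assessment(samples: list) -> dict:
    """Crude predictability check on initial sequence numbers (ISNs) from successive connections."""
    if len(samples) < 3:
        raise ValueError("need at least three ISN samples")
    # successive differences, taken modulo 2^32 because sequence numbers wrap
    deltas = [(b - a) % 2**32 for a, b in zip(samples, samples[1:])]
    constant = len(set(deltas)) == 1
    spread = max(deltas) - min(deltas)
    # A truly random 32-bit ISN produces deltas spread over most of the space; when the
    # deltas stay within a few thousand of each other the next ISN is guessable from the last.
    predictable = constant or spread < 2**16
    return {"deltas": deltas, "constant_increment": constant, "spread": spread, "predictable": predictable}

# Constructed: an old stack that adds a fixed amount per connection, and a random one.
OLD_STACK = [0x10000, 0x20000, 0x30000, 0x40000]
RANDOM_STACK = [0x6F3A1C22, 0x1B9E4D70, 0xC4E07A11, 0x3D52F9A8]

if __name__ == "__main__":
    print(isn_assessment(OLD_STACK))
    print(isn_assessment(RANDOM_STACK))
```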
Malicious TCP Use: Mitnick Attack (obsolete)
(Figure: B, the victim that trusts everyone, and the attacker.)
- The attacker terminates the connection with a FIN exchange: FIN, ACK, FIN, ACK.

Malicious TCP Use: Mitnick Attack (obsolete)
- To wake up B, the attacker sends it a bunch of RES to free B from the SYN flood.

Malicious TCP Use: Mitnick Attack (obsolete)
- The attacker now starts a new connection with the victim.

Malicious TCP Use: Mitnick Attack Detection
- Network-based intrusion detection (NID) can find the original site mapping.
- NID can find the reconnaissance by finding "finger", "showmount" etc. commands directed to the same port (111). This is a dangerous port. Frequent.

Malicious TCP Use: Mitnick Attack Detection
- Host scans: log instances where a single system accesses multiple hosts at the same time.
- Host-based Intrusion Detection (HID) can find access to a single port.
- HID / Tripwire could find changes to .rhosts.

Malicious TCP Use: Mitnick Attack Detection
- Computer forensics can detect the attack by logging network traffic and by examining the MAC (modify/access/change) times of important files (.rhosts).

Malicious TCP Use: Mitnick Attack Prevention
- A router-based firewall blocks certain types of traffic: network mapping, SYN flooding, access to dangerous ports.
- A host-based firewall blocks.
- Security policy: disallows reconnaissance tools, enforces better authentication.
Domain Name Servers
- Provide the mapping from host names to IP addresses.
- DNS resolution process: the client sends a gethostbyname message to the local domain name server; the local domain name server sends back the IP address.
- Uses UDP (almost exclusively).

DNS: Resolution Protocol
- Client to local DNS server: gethostbyname.
- The local DNS server forwards the request to a root server.
- The root server returns the name of the remote DNS server.
- The local DNS server queries the remote DNS server.
- The remote DNS server answers with the IP address.
- The local DNS server gives the data to the client.

DNS
- Uses caching to prevent overload of the root servers.
- DNS records have a TTL: the responding DNS server sets the TTL; the receiving DNS server caches the record for TTL time.

DNS: Reverse Lookup
- IP address to host name: the query for the address is sent to the in-addr.arpa domain.

DNS: Master - Slave Name Servers
- Each domain has a single master DNS server.
- Add slaves for redundancy.
- A slave server periodically contacts the master to see whether there are changes.
- Older BIND versions download all data for the domain, even if only one record has changed.

DNS Zone Transfer
- The slave server restarts a zone transfer from master to slave.
- Uses TCP, port 53.
- Attackers like zone transfers: they give all IP addresses and names in the subnet.
- Newer versions of BIND limit transfers based on IP address.

DNS: Abuse for Reconnaissance
- nslookup: get name servers.
- HINFO: host information.
- List the zone map information: > ls -d engr.scu.edu in nslookup.

DNS: Abuses and Problems
- DNS cache poisoning:
  - Affects BIND versions before
  - Based on lack of authentication.
  - Some BIND versions cache every DNS data they see.

DNS Cache Poisoning
- Attack on Hillary Clinton's run for Senate website: traffic to one IP address (hillary2000.org) was redirected to another (hillaryno.com).

DNS Cache Poisoning
- Step 1: Evil sends a bogus query to the victim's name server that contains data at
- Step 2: The name server accepts the bogus information (even though it is contained in a query).
- Step 3: The victim requests the IP address of hillary2000.org and is directed to hillaryno.com.
- The vulnerability arises from lack of authentication and from using queries to update entries at the queried server.

DNS Cache Poisoning: Birthday Attack
- The attacker sends a large number of queries to a vulnerable name server asking for hillary2000.
- The attacker sends an equal number of phony replies (with the poisoned data).
- The name server will generate requests to resolve hillary2000.
- With high probability, one of the phony answers will have the same transaction number as the name server's query.
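The birthday slide says "with high probability" without a number. As an added example (not from the original slides), the Python below works the probability out under stated assumptions: 16-bit transaction IDs chosen independently and uniformly for each outstanding query, and forged replies carrying distinct IDs, so a given query goes unmatched with probability 1 - n/65536 and all n go unmatched with probability (1 - n/65536)^n. The same function evaluated with a larger identifier space shows why resolvers today randomize the source port as well.

```python
TXID_SPACE = 2 ** 16        # 16-bit DNS transaction IDs

def single_guess_success(attempts: int, space: int = TXID_SPACE) -> float:
    """Guessing the ID of one outstanding query with `attempts` distinct forged replies."""
    return min(1.0, attempts / space)

def birthday_success(n: int, space: int = TXID_SPACE) -> float:
    """n outstanding queries (independent uniform IDs) against n forged replies with distinct IDs.

    Assumption stated in the lead-in: every query is unmatched with probability 1 - n/space,
    so the attacker fails only when all n queries are unmatched."""
    if n >= space:
        return 1.0
    return 1 - (1 - n / space) ** n

def queries_needed(target: float, space: int = TXID_SPACE) -> int:
    """Smallest n for which the birthday variant reaches the target success probability."""
    n = 1
    while birthday_success(n, space) < target:
        n += 1
    return n

if __name__ == "__main__":
    for n in (100, 300, 700):
        print(n, round(single_guess_success(n), 4), round(birthday_success(n), 4))
    print("n for 50%:", queries_needed(0.5))
    # with a randomized 16-bit source port the effective space is roughly 65536 * 64000
    print("700 tries against id+port:", birthday_success(700, TXID_SPACE * 64000))
```

A few hundred parallel queries are enough against the ID alone, while the same effort against randomized ID plus source port succeeds with probability in the ten-thousandths: the defence is to make the space the attacker must guess in large, not to hope the attacker is patient.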
DNS Cache Poisoning
- Redirect traffic to a fake PayPal or other e-commerce site.
- Set up man-in-the-middle attacks.
- Defenses:
  - The domain owner has to rely on the DNS system.
  - The ISP name server admin needs to protect by updating BIND or replacing it with djbdns, and by running two name servers: one for the public domain information to the outside, another for internal use.
  - The end user has to rely on the DNS system.
Static Routing
- The IP layer searches the routing table in the following order:
  1. Search for a matching destination host address.
  2. Search for a matching destination network address.
  3. Search for a default entry.
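As an added example (not from the original slides), the Python below implements that three-step search over a small routing table, and shows what an ICMP redirect does to it: it inserts a host route, which wins step 1 over any network or default entry. The table entries and addresses are constructed.

```python
import ipaddress

def make_table(entries: list) -> list:
    """entries: (destination prefix, gateway); '0.0.0.0/0' is the default entry."""
    return [{"dest": ipaddress.ip_network(d), "gateway": g} for d, g in entries]

def lookup(table: list, destination: str) -> dict:
    """Host route first, then the longest matching network route, then the default."""
    dst = ipaddress.ip_address(destination)
    for r in table:                                            # 1. host address
        if r["dest"].prefixlen == 32 and dst in r["dest"]:
            return r
    best = None
    for r in table:                                            # 2. network address
        if 0 < r["dest"].prefixlen < 32 and dst in r["dest"]:
            if best is None or r["dest"].prefixlen > best["dest"].prefixlen:
                best = r
    if best is not None:
        return best
    for r in table:                                            # 3. default entry
        if r["dest"].prefixlen == 0:
            return r
    raise LookupError(f"no route to {destination}")

def apply_redirect(table: list, destination: str, new_gateway: str) -> None:
    """What a host does on an ICMP redirect: add a host route for that destination."""
    table.insert(0, {"dest": ipaddress.ip_network(destination + "/32"), "gateway": new_gateway})

# Constructed table: a directly attached LAN, one internal network, and a default route.
TABLE = make_table([
    ("10.0.0.0/24", "direct"),
    ("10.1.0.0/16", "10.0.0.2"),
    ("0.0.0.0/0", "10.0.0.1"),
])

if __name__ == "__main__":
    for d in ("10.0.0.9", "10.1.2.3", "198.51.100.4"):
        print(d, "->", lookup(TABLE, d)["gateway"])
    t = list(TABLE)
    apply_redirect(t, "198.51.100.4", "10.0.0.3")
    print("after redirect:", lookup(t, "198.51.100.4")["gateway"])
```

The insert-at-front behaviour is what makes a spoofed redirect or router advertisement effective: a single host route silently overrides the default route for that destination, which is why hosts should accept redirects only from the gateway they are currently using and why the IRDP exploits below work at all.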
Routing
- Static routes are typically added during the boot process.
- Administrative changes with a "routing" command.
- ICMP routing discovery messages.

Routing Changes
- A host might have inefficient entries in the routing table.
- ICMP Router Discovery Protocol (IRDP): ICMP redirect messages, ICMP routing discovery messages.
- IRDP needs to be enabled.

Routing Changes: ICMP Redirect Message
(Figure: hosts and routers A, B, C, D.)
- A sends a message to D. A's routing table says to send to B first.
- B forwards to C. B informs A that there is a direct route to C.
- C forwards the package to the target. A updates its routing table.

IRDP DoS Exploit
(Figure: A, B, D and the attacker E.)
- The attacker (E) sends a spoofed IRDP message to A.
- A updates its routing table to reflect a bogus default value.
- A loses connectivity.

IRDP Windows Exploit
- Windows (95, 98, 2000) and some Solaris systems are vulnerable.
- If a Windows host runs a Dynamic Host Configuration Protocol (DHCP) client, it obtains its default route from the DHCP server.
- ICMP router advertisements can be spoofed.
- The first router advertisement is checked for a correct IP address; the second router advertisement is erroneously not.

IRDP Windows Exploit
- The attacker sends two ICMP router advertisements to the victim.
- The victim updates its default gateway to an IP determined by the attacker.
- Used for man-in-the-middle attacks or DoS.

IP Options
- IP options enhance the IP protocol: Security, Stream Identification, Internet Timestamp, Loose Source Routing, Strict Source Routing, Record Route.
- These are security risks.

IP Route Options
- Loose Source Routing specifies a route that includes a list of required nodes.
- Strict Source Routing specifies the beginning of a route (up to 9 nodes) completely.
- Record Route: does not alter the routing but requires that all nodes are recorded.
Detecting IP Source Routing
- The IP header is larger than 20 bytes.
- The IP option field has a hex value of 83 (loose source routing) or 89 (strict source routing).
- tcpdump filter (header length field greater than 5 words, first option byte 0x83 or 0x89):
  ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 0x89)
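The tcpdump filter above only looks at the first option byte; an option list that begins with a no-operation byte would slip past it. As an added example (not from the original slides), the Python below walks the whole option area of an IPv4 header the way a decoder should, reports source-route options wherever they sit, and includes a constructed header builder so the check can be exercised offline; the addresses and the single-hop route inside the option are constructed.

```python
import struct

LSRR, SSRR = 0x83, 0x89          # the option type bytes named in the filter above
BPF_FILTER = "ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 0x89)"

def ip_options(header: bytes) -> list:
    """Walk the option area between byte 20 and the end of the header (IHL * 4)."""
    ihl = (header[0] & 0x0F) * 4
    if ihl <= 20 or len(header) < ihl:
        return []
    area = header[20:ihl]
    found, i = [], 0
    while i < len(area):
        kind = area[i]
        if kind == 0:                   # end of option list
            break
        if kind == 1:                   # no-operation padding, one byte, no length field
            i += 1
            continue
        if i + 1 >= len(area) or area[i + 1] < 2:
            raise ValueError("malformed option length")
        length = area[i + 1]
        found.append((kind, bytes(area[i:i + length])))
        i += length
    return found

def is_source_routed(header: bytes) -> bool:
    return any(kind in (LSRR, SSRR) for kind, _ in ip_options(header))

def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed IPv4 header for the example; options are padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    to_ip = lambda a: bytes(int(x) for x in a.split("."))
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + 8,
                        1, 0, 64, 17, 0, to_ip(src), to_ip(dst))
    return fixed + options

# Source route option: type, length, pointer, then the hop list (one constructed hop).
LSRR_OPTION = bytes([LSRR, 7, 4]) + bytes([192, 0, 2, 1])
SSRR_OPTION = bytes([SSRR, 7, 4]) + bytes([192, 0, 2, 1])

if __name__ == "__main__":
    for name, opt in (("plain", b""), ("lsrr", LSRR_OPTION), ("nop+ssrr", b"\x01" + SSRR_OPTION)):
        h = build_header("10.0.0.5", "10.0.0.1", opt)
        print(name, hex(h[0]), is_source_routed(h))
```

The "nop+ssrr" case is the one the byte-20 filter misses and the walker catches; a firewall that drops source-routed datagrams, as the next slide recommends, must use the walker's logic.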
Source Route Exploit
- The spoofing host requires source routing through a host trusted by the victim.
- The victim decides that the traffic comes from a trusted host.
- Therefore: firewalls need to disable source routing, or the network admin needs to disable trust relationships.
Network Address Translation
- Allows many internal IP addresses to appear as few external IP addresses.
- Local hosts typically have non-routable addresses.
- Function:
  - The local machine connects to the NAT box as gateway.
  - The NAT box assigns the connection a routable IP address and port.
  - The outside host answers to the latter address.
  - The NAT box forwards the answers to the local machine.
- From: /whitepaper/vxworks.html

Internet Group Management Protocol (IGMP)
- Defined by RFC 1112.
- IGMP messages use IP protocol 2.
- IGMP is used to join and leave multicast groups.

IPSec
- Security layer based on IPv6.
- Implemented as a Bump In The Stack architecture: upper layer protocols, TCP/UDP, IP, IPSec, data link layer.
- Implemented in the IP layer.

IPSec
- Provides authentication of the source IP address.
- Provides message integrity and encryption.
- Take COEN 350.

SNMP: Simple Network Management Protocol
- Allows remote monitoring and managing of TCP/IP devices.
- Example vulnerability: SNMP default accounts public and private.
  - When queried, will return SNMP information.
  - Can be used for network mapping.
  - Might spell out passwords.
Network Authentication Threats
- Passive sniffing: malicious Mallory can read messages between Alice and Bob.
- Spoofing: malicious Mallory can create messages that seem to come from either Alice or Bob.
- Standard attack modes:
  - Breaking cryptography
  - Man-in-the-middle
  - Replay attacks
  - Reflection attack (open several connections)

Man In the Middle Attack (Bucket Brigade Attack)
- The attacker reroutes traffic through itself.
- Example:
  - The victim connects to attacker:80, thinking that the attacker is bank.com:80.
  - The attacker displays the login screen from bank.com to the victim.
  - The attacker goes to bank.com.

Man In the Middle Attack (Bucket Brigade Attack)
Message sequence, with the black hat sitting between the victim and bank.com:
- Victim to bank.com (intercepted by the black hat).
- Bank.com to black hat: Login please.
- Black hat to victim: Login please.
- Victim to black hat: Login sue user.
- Black hat to bank.com: Login sue user.
- Bank.com to black hat: Password please.
- Black hat to victim: Password please.
- Victim to black hat: Password is "fiddlesticks".
- Black hat to bank.com: Password is "fiddlesticks".

Man In the Middle Attack (Bucket Brigade Attack)
- Could be prevented with SSL, but only if the victim's browser ascertains the certificate of the bank.

Replay Attack
- Remote authentication protocol: instead of sending the password, the user sends the password encrypted.
- The attacker sniffs the password exchange and now knows what to send.

Reflection Attack
- Simple mutual authentication protocol based on the capability to encrypt a challenge:
  - Alice: I am Alice. RA.
  - Bob: RB. EK(RA).
  - Alice: Hi Bob. EK(RB).
  - Bob: Hi Alice.

Reflection Attack
- Reflection attack:
  - Session 1, Trudy: I am Alice. RA.
  - Session 1, Bob: RB. EK(RA).
  - Session 2, Trudy: I am Alice. RB.
  - Session 2, Bob: RB'. EK(RB).
  - Session 1, Trudy: Hi Bob. EK(RB).
  - Session 1, Bob: Hi Alice.
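As an added example (not from the original slides), the Python below runs the challenge-response protocol above with both sides' messages, shows Trudy completing session 1 without the key by opening session 2, and then shows the standard fix: each party's response names the party producing it (EK("Bob"|R) versus EK("Alice"|R)), so a value Bob computed in one session is never the value he expects from Alice in another. EK(.) is replaced by an HMAC tag over the challenge, an assumption made so the example runs offline; the key and nonces are constructed.

```python
import hashlib
import hmac
import os

KEY = b"constructed-shared-key"        # K, known to Alice and Bob only

def E(key: bytes, data: bytes) -> bytes:
    """Stand-in for EK(.) in the slides: a keyed MAC over the challenge."""
    return hmac.new(key, data, hashlib.sha256).digest()

class NaiveBob:
    """Bob exactly as in the protocol above: EK(RA) for any challenge, EK(RB) expected back."""
    bob_tag = b""          # nothing distinguishes Bob's answers from Alice's
    alice_tag = b""

    def __init__(self, key: bytes):
        self.key = key
        self.sessions = {}          # session id -> RB issued in that session
        self.next_sid = 1

    def start(self, claimed_name: str, r_a: bytes):
        """'I am Alice. RA'  ->  'RB. EK(RA)'"""
        sid, self.next_sid = self.next_sid, self.next_sid + 1
        r_b = os.urandom(16)
        self.sessions[sid] = r_b
        return sid, r_b, E(self.key, self.bob_tag + r_a)

    def finish(self, sid: int, proof: bytes) -> bool:
        """'Hi Bob. EK(RB)'  ->  'Hi Alice' when the proof matches."""
        expected = E(self.key, self.alice_tag + self.sessions.pop(sid))
        return hmac.compare_digest(proof, expected)

class HardenedBob(NaiveBob):
    """Fix: responses are bound to the responder's identity, so Bob's own output
    can never serve as the answer Bob expects from Alice."""
    bob_tag = b"Bob|"
    alice_tag = b"Alice|"

def honest_alice(bob: NaiveBob) -> bool:
    """Alice, who holds K, authenticates Bob and then proves herself."""
    r_a = os.urandom(16)
    sid, r_b, proof = bob.start("Alice", r_a)
    if not hmac.compare_digest(proof, E(KEY, bob.bob_tag + r_a)):
        return False
    return bob.finish(sid, E(KEY, bob.alice_tag + r_b))

def reflection_attempt(bob: NaiveBob) -> bool:
    """Trudy has no key: she opens a second session to make Bob compute session 1's answer."""
    sid1, r_b, _ = bob.start("Alice", os.urandom(16))   # session 1: I am Alice. RA
    _, _, reflected = bob.start("Alice", r_b)           # session 2: I am Alice. RB  ->  RB'. EK(RB)
    return bob.finish(sid1, reflected)                  # session 1: Hi Bob. EK(RB)

if __name__ == "__main__":
    print("naive Bob, honest Alice:", honest_alice(NaiveBob(KEY)))
    print("naive Bob, reflection:  ", reflection_attempt(NaiveBob(KEY)))
    print("hardened Bob, Alice:    ", honest_alice(HardenedBob(KEY)))
    print("hardened Bob, reflection:", reflection_attempt(HardenedBob(KEY)))
```

A second, complementary defence is for Bob to refuse to open a new session while one with the same claimed name is still half-finished; the identity tag is preferable because it removes the ambiguity rather than merely rationing it.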
159Protecting Networks Terms of Trade Border RouterFirst / last router under control of system administration.DMZDemilitarized zone.Security is low, since not protected by firewall. Locate webservers and other services there that generate potentially unsafe traffic.FirewallFilters packages based on a variety of rules.
160Protecting Networks Terms of Trade IDSIntrusion Detection System.NIDS: glean intrusion signatures from traffic.HIDS: monitor activity at a host on which they are located.VPNVirtual private networkScreened subnetArea protected by an internal firewall.
161Protecting Networks Terms of Trade Configuration ManagementKnown vulnerabilities account for most of actually perpetrated exploits.For most of them, patches were available, but not installed.CM tries to enforce uniform security policies.BackdoorsAn entrance into the system that avoids perimeter defenses.
162Defense in Depth Rule 1: Multitude of security measures. Do not relay on one security mechanism.
163Defense in Depth Example: External tcp packet passes: Internet Perimeter RouterInternet perimeter firewallDMZ firewallNetwork IPSNetFlowAnalyzes connections on networkAntivirus Scanner on hostHost IPS
164Firewalls Firewalls are perimeter defense: Keep the bad stuff outside, enjoy life inside.
165FilteringSignatureAny distinctive characteristic that identifies something (with a high degree of probability)Signature TypesAtomic SignaturesSingle packet, single event, single activity is examined.Stateful SignaturesState: Needed when analyzing multiple pieces of information that are not available at the same time.
166Filtering Atomic vs. Stateful Signatures LAND attack Attacker sends TCP-SYN packet with same source and destination address.Caused TCP stacks to crash.Can be discovered looking at a single packet.Search for string “etc/password” in a URLAttacker fragments the packet so that the string is not in either fragment.State is needed in order to recognize the attack.
167 Filtering: Signature Triggers
- Pattern detection
  - Simple string search, e.g. search for the string "etc/passwd".
  - Protocol decoders search for the pattern only in the relevant protocol fields, e.g. an ARP request with source address FF:FF:FF:FF:FF:FF.
- Anomaly detection
  - Traffic going to an unusual port.
  - Protocol compliance for HTTP traffic.
- Behavior detection
  - Abnormally large / small fragmented packets.
  - RPC requests that do not initially utilize the portmapper.
168 Filtering: Signature Actions
- Generating an alert
- Dropping / preventing an activity
- Logging the activity
- Resetting a TCP connection
- Blocking future activity
- Allowing the activity
169 Packet Filtering: Static Packet Filtering
Allow or deny packets based on their internal characteristics. Example, a Cisco extended ACL:

    access-list 111 deny ip host any
    access-list 111 permit tcp host any
    access-list 111 deny icmp any any echo-request
    access-list 111 permit icmp any any packet-too-big
    access-list 111 deny icmp any any

170 Static Packet Filtering
- Difficult to design efficient rules.
- Easy to get the rule tables wrong and allow bad traffic.
- Security risks:
  - People can piggy-back bad messages inside harmless ones. HTTP traffic is known to be used as a backdoor; covert channels such as Loki hide data in the payload of packets that look like normal ICMP echo traffic.
  - Fragmentation: only the first fragment carries the TCP/UDP header, and most filters look only at the first fragment.
171 Static Packet Filtering
Configuring a packet filter:
- Security policy: what is allowed, what is not allowed.
- The allowable types of packets must be specified logically, as logical expressions over packet fields.
- The expressions then need to be rewritten in the firewall vendor's language.
172 Static Packet Filtering: Example
Security policy:
- Allow inbound mail messages (SMTP, port 25), but only to the gateway.
- Block host faucet.

    action | our host | port | their host | comment
    block  | *        | *    | faucet     | We don't trust these people.
    allow  | OUR-GW   | 25   | *          | Connection to our SMTP server

173 Static Packet Filtering: Example
- If no rule applies, the packet is dropped.
- Without additional rules, our rule set would drop all non-mail packets. There would also be no replies to our own outgoing connections.
- Beware of a rule like the following (intended to allow the acks): it is based solely on the outside host's port number. Port 25 is usually the mail port, but there is no guarantee; an attacker can send anything from source port 25.

    action | our host | port | their host | their port | comment
    allow  | *        | *    | *          | 25         | Connection to their SMTP port

174 Static Packet Filtering: Example
Expand the rule set to allow connections to the outside:

    action | our host    | port | their host | their port | flag | comment
    block  | *           | *    | faucet     | *          |      | We don't trust these people.
    allow  | OUR-GW      | 25   | *          | *          |      | Connection to our SMTP server
    allow  | {our hosts} | *    | *          | 25         |      | Our packets to their SMTP port
    allow  | *           | *    | *          | *          | ACK  | Their replies

{our hosts}: specify here the names of all machines allowed to send mail to the outside. The ACK rule admits only packets that claim to belong to an already established connection (the first packet of a TCP connection carries no ACK); it does not verify that such a connection actually exists.
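The two rule sets from the preceding slides run over constructed traffic, added here as an example (not code from the slides): a first-match evaluator with drop as the default, the naive set with the "their port 25" rule, and the expanded set with {our hosts} and the ACK flag. `OUR_HOSTS`, the host names and the sample packets are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (arriving from outside) or "out" (leaving to outside)
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag; clear only on the first packet of a connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "block"
    our_host: str                # hostname, "{our hosts}" (a named set) or "*"
    our_port: Optional[int]      # None stands for "*"
    their_host: str
    their_port: Optional[int]
    flag: Optional[str] = None   # "ACK" requires the ACK bit; None matches anything
    comment: str = ""


# Constructed: the inside machines that are allowed to send mail to the outside.
OUR_HOSTS = {"OUR-GW", "mailhost"}


def _host_match(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if pattern == "{our hosts}":
        return host in OUR_HOSTS
    return pattern == host


def _port_match(pattern: Optional[int], port: int) -> bool:
    return pattern is None or pattern == port


def filter_packet(rules, pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is dropped."""
    if pkt.direction == "in":
        ours, our_port, theirs, their_port = pkt.dst, pkt.dport, pkt.src, pkt.sport
    else:
        ours, our_port, theirs, their_port = pkt.src, pkt.sport, pkt.dst, pkt.dport
    for r in rules:
        if (_host_match(r.our_host, ours) and _port_match(r.our_port, our_port)
                and _host_match(r.their_host, theirs) and _port_match(r.their_port, their_port)
                and (r.flag != "ACK" or pkt.ack)):
            return r.action
    return "block"


BLOCK_FAUCET = Rule("block", "*", None, "faucet", None, comment="We don't trust these people.")
INBOUND_MAIL = Rule("allow", "OUR-GW", 25, "*", None, comment="Connection to our SMTP server")

# The rule set with the dangerous "their port 25" rule.
NAIVE_RULES = [
    BLOCK_FAUCET,
    INBOUND_MAIL,
    Rule("allow", "*", None, "*", 25, comment="Connection to their SMTP port"),
]

# The expanded rule set: outbound mail only from {our hosts}, replies only with ACK set.
FLAGGED_RULES = [
    BLOCK_FAUCET,
    INBOUND_MAIL,
    Rule("allow", "{our hosts}", None, "*", 25, comment="Our packets to their SMTP port"),
    Rule("allow", "*", None, "*", None, flag="ACK", comment="Their replies"),
]

# Constructed sample traffic.
SAMPLES = {
    "inbound mail to gateway":          Packet("in", "mx.example.net", 40001, "OUR-GW", 25),
    "anything from faucet":             Packet("in", "faucet", 40002, "OUR-GW", 25),
    "attacker using source port 25":    Packet("in", "203.0.113.9", 25, "db-server", 1521),
    "reply to our outbound mail":       Packet("in", "mx.example.net", 25, "mailhost", 40003, ack=True),
    "outbound mail from mailhost":      Packet("out", "mailhost", 40003, "mx.example.net", 25),
    "outbound mail from a workstation": Packet("out", "ws17", 40004, "mx.example.net", 25),
}


def evaluate(rules) -> dict:
    """Decision of the given rule set for every sample packet."""
    return {name: filter_packet(rules, pkt) for name, pkt in SAMPLES.items()}
```

Under `NAIVE_RULES` the attacker's packet from source port 25 to the database port is allowed; under `FLAGGED_RULES` it is dropped because it carries no ACK and its inside host is not in {our hosts}, while genuine replies and outbound mail from `mailhost` still pass and a workstation can no longer send mail out directly.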
175 Static Packet Filtering: Combating Address Spoofing
At a minimum:
- Don't allow packets with inside source addresses coming in.
- Don't allow packets with outside source addresses going out.
- Block source routing at the border routers.
176 Static Packet Filtering: Routing Information
- If a node is unreachable from the outside, then the node is almost (but not quite) as safe as a node disconnected from the net.
- Internal routers should not advertise paths to such nodes to the outside.
- Filter routes learned from the outside: this protects against subversion by route confusion.
- Route squatting: use internal addresses that belong to a different domain; the nodes are de facto unreachable from the outside.
- Use non-announced addresses (e.g. 10.x.x.x). But beware: when companies merge, these addresses tend to collide, so pick addresses in unpopular address ranges.
177 Static Packet Filtering: Performance
- Packet filtering is done at the border, so there is no degradation for the internal network.
- Typically, the connection to the ISP is the bottleneck.
- However, degradation depends on the number of rules applied. This can be mitigated by careful ordering of the rules.
178 Application Level Filtering
- Packet filters only look at the source address, the destination address, the TCP / UDP port numbers and the TCP / UDP flags.
- Application filters deal with the details of the service they are checking. E.g. a mail application filter looks at RFC 822 headers and MIME attachments, and might identify virus-infected attachments.
179 Application Level Filtering
- Snort allows setting up rules that pass a packet on to another service.
- Commercial firewalls include application level filters for many products; vendors use non-disclosure agreements to obtain the proprietary protocols.
180 Dynamic Packet Filtering: Stateful Firewall
- Still looks at each packet.
- Maintains the state of each connection and implements connection filtering: dynamically adjusts a filtering table of current connections.
- Implementation:
  - Adjust the filtering rules dynamically. E.g. we started an HTTP connection to a given host; now HTTP packets from that host belonging to that connection are allowed.
  - Or: terminate the connection at the firewall and have the firewall call the ultimate destination (proxying).
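A minimal connection-tracking filter of the first kind, added here as an example (not code from the slides): an outbound SYN creates an entry in the table of current connections, inbound packets pass only if they belong to such an entry, and a close removes it. The inside prefix, addresses and packet trace are constructed; the close handling is simplified (a real tracker follows the full FIN/ACK handshake and times entries out).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters: S (SYN), A (ACK), F (FIN), R (RST)


class StatefulFilter:
    """Inbound packets pass only for connections that an inside host opened."""

    def __init__(self, inside_prefix: str = "10."):
        self.inside_prefix = inside_prefix   # constructed: 10.x.x.x is "inside"
        # Table of current connections: (inside ip, inside port, outside ip, outside port).
        self.connections = set()

    def _inbound(self, pkt: Packet) -> bool:
        return not pkt.src.startswith(self.inside_prefix)

    def handle(self, pkt: Packet) -> str:
        if self._inbound(pkt):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key not in self.connections:
                return "block"                  # unsolicited, whatever flags it carries
            if "R" in pkt.flags or "F" in pkt.flags:
                self.connections.discard(key)   # close tears the dynamic entry down (simplified)
            return "allow"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if "S" in pkt.flags and "A" not in pkt.flags:
            self.connections.add(key)           # inside host opens a connection: remember it
            return "allow"
        if key in self.connections:
            if "R" in pkt.flags:
                self.connections.discard(key)
            return "allow"
        return "block"


def demo() -> list:
    """Constructed packet trace; returns (description, decision) pairs in order."""
    fw = StatefulFilter()
    trace = [
        ("inside opens HTTP",        Packet("10.0.0.7", 51000, "198.51.100.80", 80, "S")),
        ("server SYN/ACK back",      Packet("198.51.100.80", 80, "10.0.0.7", 51000, "SA")),
        ("inside ACK",               Packet("10.0.0.7", 51000, "198.51.100.80", 80, "A")),
        ("server data",              Packet("198.51.100.80", 80, "10.0.0.7", 51000, "A")),
        ("attacker spoofs an ACK",   Packet("203.0.113.9", 25, "10.0.0.7", 1521, "A")),
        ("attacker SYN to inside",   Packet("203.0.113.9", 40000, "10.0.0.7", 22, "S")),
        ("server closes",            Packet("198.51.100.80", 80, "10.0.0.7", 51000, "FA")),
        ("server data after close",  Packet("198.51.100.80", 80, "10.0.0.7", 51000, "A")),
    ]
    return [(name, fw.handle(pkt)) for name, pkt in trace]
```

The contrast with a static ACK rule is the fifth packet: it carries the ACK bit and a "mail" source port, yet it is dropped because no inside host ever opened that connection. The cost is the table itself, which is why stateful firewalls need limits and timeouts against table-exhaustion floods.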
181 Proxy Firewalls
Proxies act on behalf of a client.
Proxy firewall, reverse proxy:
- Receives packets on one network card.
- Processes the requests.
- Translates them into internal requests on the other card.
- Receives the answers from the inside and translates them to the outside.
182 Proxy Firewalls
Proxy firewall, forward proxy:
- Receives requests from the inside.
- Processes the requests.
- Translates them into requests to the outside on the other card.
- Receives the answers from the outside and translates them to the inside.
- Acts on behalf of the inside machine, which is thus protected from the vagaries of the internet.
183 Proxy Firewalls
- Application level proxies work at the level of the application and understand its protocol.
- Circuit-level proxies do not understand the application; they make filtering decisions by validating and monitoring sessions.
184 Possible Configurations: Dual-Homed Host
Internet -- dual-homed host acting as firewall -- internal network
185 Possible Configurations: Screened Host Architecture
Internet -- screening router -- internal network (with bastion host)
- The router only allows traffic to the bastion host (screening router).
- The bastion host sits on the internal network and works as a proxy.
187 Possible Configurations
- Attach the bastion host(s) to a perimeter network (DMZ).
- Two possibilities to allow internal hosts access to the internet:
  - Use the exterior and interior routers to filter packets.
  - Use the bastion host as a proxy.
188 Possible Configurations
- O.K. to have many bastion hosts.
- O.K. to merge interior and exterior router.
- O.K. to merge bastion host and exterior router (the performance of the bastion host might not be sufficient).
- O.K. to have many interior subnetworks.
- O.K. to have many exterior routers.
- O.K. to have multiple perimeter networks.
- NOT O.K. to merge bastion host and interior router: the bastion host becomes a single point of failure, and a compromised bastion host would then sit directly on the internal network.
- NOT O.K. to use multiple interior routers: the same policy would need to be maintained on all interior routers.
189 Securing Public Web Servers
Isolate the web server: Internet -- firewall -- web server -- firewall (only the SQL protocol permitted) -- SQL server on the internal network.
190 Firewall Settings for DNS
- Use a bastion host to host a fake DNS server; the true DNS server sits on the interior network.
- A DNS query proceeds with DNS proxying:
  1. The local DNS client goes to the local DNS server (interior network).
  2. The local DNS server sends the query to the bastion host (perimeter network).
  3. The bastion host forwards the query to the internet DNS system.
  4. The internet DNS system answers to the bastion host.
  5. The bastion host forwards the answer to the real DNS server.
  6. The real DNS server forwards the answer to the local DNS client.
191 Hiding the DNS Server
Internet -- exterior router (a.k.a. access router) -- perimeter network (fake DNS server) -- interior router (a.k.a. choke router) -- internal network (true DNS server, local DNS client)
192 Firewall Settings for DNS
The fake DNS server provides basic hostnames and IP addresses for:
- machines in the perimeter network;
- machines in the interior network that someone on the outside needs to connect to;
- fake information on machines that can contact the outside world directly.
193 Firewall Settings for DNS
Packet filtering on the interior router needs to allow:
- DNS queries from the internal server to the bastion host server:
  - UDP packets from port 53 on the internal server to port 53 on the bastion host;
  - TCP packets from an ephemeral port on the internal server to port 53 on the bastion host.
- Responses from the bastion host to the internal server:
  - UDP packets from port 53 on the bastion host to port 53 on the internal server;
  - TCP packets with the ACK bit set from port 53 on the bastion host to ephemeral ports on the internal server.
- DNS queries from DNS clients on the bastion host to the internal server:
  - UDP and TCP packets from ephemeral ports on the bastion host to port 53 on the internal server.
- Responses from the internal server to the bastion host's DNS clients:
  - UDP packets, and TCP packets with the ACK bit set, from port 53 on the internal server to ephemeral ports on the bastion host.
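The list above rewritten in the Cisco IOS extended-ACL syntax the deck uses elsewhere, added here as a worked configuration example (not from the slides). The addresses 10.1.1.53 (true DNS server) and 192.0.2.53 (bastion host), the interface names and the list names are assumed placeholders; "gt 1023" approximates the ephemeral port range and "established" matches TCP packets with the ACK (or RST) bit set.

```cisco
! Assumed placeholders (not from the slides):
!   10.1.1.53  = true DNS server on the internal network
!   192.0.2.53 = bastion host (fake DNS server) on the perimeter network
ip access-list extended DNS-FROM-INTERNAL
 remark queries from the internal server to the bastion host
 permit udp host 10.1.1.53 eq 53 host 192.0.2.53 eq 53
 permit tcp host 10.1.1.53 gt 1023 host 192.0.2.53 eq 53
 remark responses from the internal server to the bastion host's DNS clients
 permit udp host 10.1.1.53 eq 53 host 192.0.2.53 gt 1023
 permit tcp host 10.1.1.53 eq 53 host 192.0.2.53 gt 1023 established
 deny ip any any log
!
ip access-list extended DNS-FROM-PERIMETER
 remark responses from the bastion host to the internal server
 permit udp host 192.0.2.53 eq 53 host 10.1.1.53 eq 53
 permit tcp host 192.0.2.53 eq 53 host 10.1.1.53 gt 1023 established
 remark queries from the bastion host's DNS clients to the internal server
 permit udp host 192.0.2.53 gt 1023 host 10.1.1.53 eq 53
 permit tcp host 192.0.2.53 gt 1023 host 10.1.1.53 eq 53
 deny ip any any log
!
interface GigabitEthernet0/0
 description internal network
 ip access-group DNS-FROM-INTERNAL in
!
interface GigabitEthernet0/1
 description perimeter network
 ip access-group DNS-FROM-PERIMETER in
```

Each list is applied inbound on the interface the traffic arrives from, so every packet is matched exactly once. These lists carry only the DNS part of the policy; on a real interior router the other permitted services go in ahead of the final deny, and the "established" lines are the static ACK rule from the packet-filtering slides, with the same caveat that they check a flag, not an actual connection.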
195 Application Inspection
Dynamic firewalls allow selective inspection of applications: HTTP, FTP, DNS, ICMP, ...
196 Application Inspection
DNS example (Cisco ASA DNS inspection):
- Checks that the transaction ID of a DNS reply matches the ID of the DNS query it answers.
- Allows translation of the addresses carried in DNS packets when NAT is in use.
- Reassembles DNS packets to verify their length against the configured maximum.
197 Application Inspection
SMTP (Cisco ASA ESMTP inspection):
- Protects against SMTP-based attacks by restricting the types of SMTP commands allowed.
- An illegal command is modified and forwarded; typically, the receiving server replies with SMTP error 500 (command not recognized).
- Checks message size, ...
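The first and third DNS checks as inspection logic over constructed messages, added here as an example (it is not Cisco's code and does not reproduce the ASA implementation). A reply passes only if an outstanding query with the same client, server, transaction ID and question name exists and the message is within the length limit; dropping a second reply to the same query is an extra hardening step beyond the slide. The addresses and the 512-byte limit are assumed for the demo.

```python
import struct


def build_dns(txid: int, qname: str, response: bool = False) -> bytes:
    """Constructed minimal DNS message: header plus one question, no answer records."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def parse_dns(msg: bytes):
    """Returns (txid, is_response, qname); raises ValueError on a malformed message."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("unexpected question count")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return txid, bool(flags & 0x8000), ".".join(labels)


class DnsGuard:
    """Lets a reply through only if it matches an outstanding query by client, server, ID and name."""

    def __init__(self, max_len: int = 512):
        self.max_len = max_len          # assumed limit; the real value is configuration
        self.outstanding = {}           # (client, server, txid) -> question name

    def inspect(self, src: str, dst: str, msg: bytes) -> str:
        if len(msg) > self.max_len:
            return "drop: length exceeds maximum"
        try:
            txid, is_response, qname = parse_dns(msg)
        except ValueError as err:
            return f"drop: {err}"
        if not is_response:
            self.outstanding[(src, dst, txid)] = qname
            return "pass"
        key = (dst, src, txid)          # a reply flows server -> client
        if self.outstanding.get(key) != qname:
            return "drop: no matching query"
        del self.outstanding[key]       # extra hardening: only the first reply passes
        return "pass"


def demo() -> list:
    """Constructed traffic; returns (description, decision) pairs in order."""
    guard = DnsGuard()
    client, resolver = "10.0.0.7", "192.0.2.53"
    good = build_dns(0x1234, "www.example.com", True)
    return [
        ("query", guard.inspect(client, resolver, build_dns(0x1234, "www.example.com"))),
        ("spoofed reply, wrong ID", guard.inspect(resolver, client, build_dns(0x1235, "www.example.com", True))),
        ("spoofed reply, wrong name", guard.inspect(resolver, client, build_dns(0x1234, "evil.example", True))),
        ("genuine reply", guard.inspect(resolver, client, good)),
        ("duplicate reply", guard.inspect(resolver, client, good)),
        ("oversized reply", guard.inspect(resolver, client, good + b"\x00" * 600)),
    ]
```

Matching on the question name as well as the ID narrows what a blind spoofer has to guess; the oversized message is rejected before parsing, which is the check that protects the parser itself.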
201 Virtual Private Networks
Encryption can be done at the application level, the transport level, the network level or the data link level.
202 Virtual Private Networks: VPN Technologies
- Application level: Pretty Good Privacy (PGP), Secure Shell (SSH).
- Transport level: Secure Sockets Layer (SSL). Does not protect the packet, but its content. Typically runs in the application on top of the OS, so the OS does not need to be changed.
- Network level: IPsec. Encrypts the packet itself; the encrypted packet receives a new packet header. IPsec protects the port numbers (the transport header is inside the encrypted payload) but not the destination address of the outer packet, which must remain visible for routing. The OS needs to be changed (but only once: Win2000, WinXP).
- Data link level: Layer 2 Tunneling Protocol (L2TP), an addition to the Point-to-Point Protocol (PPP). Tunnels frames at the data link layer; L2TP itself provides no encryption, so it is normally combined with IPsec (L2TP/IPsec).
203 Virtual Private Networks
Alternatives are dedicated point-to-point connections such as a private T1 line: most secure, most expensive, and they take time to set up.