5Network Protocols: Layering Each layer adds a header.ApplicationTCPIPLink
6Repetition: Capturing Data on a Network Develop a threat model before deploying Network Security MonitoringInternal / External AttackerWireless / Wired / …Develop Monitoring zoningDemilitarized zoneWireless zoneIntranet zones
7Repetition: Capturing Data on a Network Wired monitoringHubsSPAN portsTapsInline devices
8Repetition: Capturing Data on a Network HubsBroadcasts incoming data on all interfaces.Be careful about NIC capacity (10/100/1000 Mb/sec)Be careful about hub qualityAre inexpensive, but can introduce collisions on the links where the hub sits.
9Repetition: Capturing Data on a Network Switched Port Analyzer (SPAN)A.k.a. Port mirroring, Port monitoring.SPAN port located on enterprise class switches.Copy traffic between certain ports to SPAN port.ConfigurableEasy access to traffic.Can make mistakes with configuration.Under heavy load, SPAN port might not get all traffic.SPAN only allows monitoring of a single switch.
10Repetition: Capturing Data on a Network Test Access Port (TAP)Networking device specifically designed for monitoring applications.Typically four ports:RouterFirewallMonitor traffic on remaining ports.One port sees incoming, the other outgoing traffic.Moderately high costs.
11Repetition: Capturing Data on a Network Specialized inline devices:Server or hardware deviceFiltering bridgesServer with OpenBSD and two NICs
12Link Layer Network Interface Cards (NIC) Unique Medium Access Control (MAC) numberFormat 48b written as twelve hex bytes.First 6 identify vendor.Last 6 serial number.NICs either select based on MAC address or are in promiscuous mode (capture every packet).
13Link Layer Address Resolution Protocol (ARP) Resolves IP addresses to MAC addressesRFC 826
14Link Layer: ARP Resolution Protocol Assume node A with IP address and MAC 00:01:02:03:04:05 wants to talk to IP addressSends out a broadcast who-has request:00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42 who-hasAll devices on the link capture the packet and pass it to the IP layer.is the only one to answer:a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply is-at a0:a0:a0:a0:a0:a0A caches the value in its arp cache.
17Link Layer ForensicsNetwork monitoring tools such as Argus or Ethereal log MAC addresses.
18Link Layer Forensics Example: Spike in network traffic comes from a computer with a certain IP address.However, Argus logs reveal that the traffic comes from a computer with a different MAC then the computer assigned that IP. (Spoofing)Finally, intrusion response finds the computer with that MAC, a Linux laptop that has been compromised and is used for a Denial of Service attack.
19Link Layer ForensicsARP cache can be viewed on Windows NT/2000/XP with arp –a command.
20ATM ATM ATM forensics is similar. uses fiber optic cables and ATM switches.encapsulates data into ATM cells.number identifies the circuit that ATM has established between two computers.ATMARP allows machines to discover MAC addresses.ATMARP has a central server that responds to ARP requests.ATM forensics is similar.
21Link Layer Evidence Sniffers in promiscuous mode. Intruders also use sniffers.Typically monitor traffic to / from compromised system.Sometimes they monitor themselves coming back to look at the sniffer logs.Intruders sometimes encrypt their traffic.But the sniffers still see the packets, they just cannot read them.Installing sniffers can violate the wire-tapping and other laws and is resource-intensive.FreeBSD / OpenBSD seem to be the best platforms.
22Link Layer Evidence Sniffer location: On compromised machine. Evidence not trustworthy.Nearby host.Switched Port Analyzer (SPAN)Copies network traffic from one switch port to anotherOnly copy valid ethernet packets.Do not duplicate all error information.Copying process has lower priority and some packets might not be mirrored.Misses out on traffic on the local link.
23Link Layer Evidence Sniffer configuration Can capture entire frames. Or only first part.Tcpdump default setting.
24Link Layer Evidence Some organizations log ARP information. Routers keep ARP tables.show ip arpAll hosts keep ARP tables.DHCP often assigns addresses only to computers with known MAC.
25Link Layer EvidenceAn employee received harassing from a host on the employer’s network with IP addressDHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c.This MAC belonged to a network printer.The router’s ARP table showed that the IP address was used by a computer with MAC 00:30:65:4b:2a:5c. (IP-spoofing)Although this MAC was not on the organization’s list, there were only a few Apple computers on the network and the culprit was soon found.
26Link Layer Evidence Analyze and filter log files: Keyword searches E.g. for USER, PASS, loginNicknames, channel namesFiltersReconstructionE.g. contents of web-mail inbox.
27Link Layer Evidence NetIntercept Screenshot An example for a Network Forensics / Network Intrusion Detection commercial tool that reveals link layer evidence
28ARP Package RFC 826 ARP package : 0-1: Hardware type (0x0001 – Ethernet)2-3: Protocol type (0x0800 – IP)4: Number of bytes in hardware address (6 for MAC)5: Number of bytes in protocol address (4 for IP)6-7: Opcode: 1 for ARP request, 2 for an ARP reply8-13: Source MAC14-17: Source IP18-23: Target MAC24-27: Target IP
30Monitoring Tools Arpwatch monitors ethernet activity and keeps a database of ethernet/ip address pairings.
31Attacks on ARP Package Generators for various OS. Allow an attacker to subvert a chosen protocolhping2 for Windows.*NIX, XWindows:packitIP Sorceryand many, many more.Use to create arbitrary packages
32Attacks on ARP Switch Flooding Switches contain a switch address table.Switch address table associates ports with MAC addresses.Switch flooding creates many false entries.Switches fail in two different modes:Fail open:Switch converts into a hub.This allows to monitor traffic through the switch from any port.Fail closed:Switch stops functioning.Denial of Service (DoS) attack
33Attacks on ARP ARP Poisoning: attacker switch victim Outside world router
34Attacks on ARPARP Poisoning: Attacker configures IP forwarding to send packets to the default router for the LANattackerswitchvictimOutsideworldrouter
35Attacks on ARPARP Poisoning: Attacker sends fake ARP to remap default router IP address to his MAC addressattackerswitchvictimOutsideworldrouter
36Attacks on ARPARP Poisoning: Switch now takes packet from victim and forwards it to attacker.attackerswitchvictimOutsideworldrouter
37Attacks on ARPARP Poisoning: Attackers machine intercepts message for sniffing and sends it back to the switch with the MAC address of router.attackerswitchvictimOutsideworldrouter
39RARP RARP (Reverse Address Resolution Protocol) Used to allow diskless systems to obtain a static IP address.System requests an IP address from another machine (with its MAC-address).Responder either uses DNS with name-to-Ethernet address or looks up a MAC to IP ARP table.Administrator needs to place table in a gateway.RARP-daemon (RARP-d) responds to RARP requests.
40RARP RARP vulnerability Use RARP together with ARP spoofing to request an IP address and take part in communications over the network.
41RARP Package Package Format as in ARP: 0-1: Hardware type (0x0001 – Ethernet)2-3: Protocol type (0x0800 – IP)4: Number of bytes in hardware address (6 for MAC)5: Number of bytes in protocol address (4 for IP)6-7: Opcode: 1 for ARP request, 2 for an ARP reply8-13: Source MAC14-17: Source IP18-23: Target MAC24-27: Target IP
42IP Uses IP addresses of source and destination. IP datagrams are moved from hop to hop.“Best Effort” service.Corrupted datagrams are detected and dropped.
43IP Addresses contain IP address and port number. IPv4 addresses are 32 bit longsIPv6 addresses are 8*16 bits long.
44IP: ICMP Internet Control Message Protocol Created to deal with non-transient problems. For exampleFragmentation is necessary, but the No Frag flag is set.UPD datagram sent to a non-listening port.Ping.Used to detect network connectivity before it became too useful for attack reconnaissance.Does not use ports.Allows broadcasting.More on ICMP later
45IP: ICMP ICMP error messages should not be sent: For any but the first fragment.A source address of broadcast or loopback address.Are probably malicious, anyway.Otherwise: ICMP messages could proliferate and throttle a network
46IP: ICMP ICMP errors are not sent: In response to an ICMP error message.Otherwise, craft a message with invalid UDP source and destination port. Then watch ICMP ping-pong.A destination broadcast address.Don’t answer with destination unreachable for a broadcast. Otherwise, this makes it trivial to scan a network.
47Transport Layer: TCP and UDP Transmission Control Protocol (TCP)ReliableConnection-Oriented.SlowUser Datagram Protocol (UDP)UnreliableConnectionless.Fast.
48TCP Only supports unicasting. Full duplex connection. Message numbers to prevent loss of messages.
49TCP: Three Way Handshake Initiator to responder: SynsResponder to initator: Acks, SyntInitiator to responder: AcktSets up two connections with initial message numbers s and t.
50TCP: Three Way Handshake 20:13: IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S : (0) win <mss 1460,nop,nop,sackOK> (DF)20:13: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S : (0) ack win <mss 1460> (DF)20:13: IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win (DF)Sequence numberFlagWindow: number of bytes accepted
51TCP: Terminating Connections Graceful shutdownParty 1 to Party 2: FinParty 2 to Party 1: AckParty 2 to Party 1: FinParty 1 to Party 2: AckAbrupt shutdownParty 1 to Party 2: Res
52TCP: Shutting down a connection 20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win (DF)20:48: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win (DF)20:48: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win (DF)20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win (DF)20:48: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win (DF)20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win (DF)20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win (DF)20:48: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win (DF)
53TCP Exchanging Data Each packet has a sequence number. (One for each direction.)Initial sequence numbers are created during initial three way handshake.NMap uses the creation of these sequence numbers to determine the OS.OS are now much better with truly random sequence numbers.
54TCP Exchanging DataParty that receives packet sends an acknowledgement.Acknowledgement consists inAck flag.Sequence number of the next package to be expected.(TCPDump shows number of bytes acknowledged).
55TCP Exchanging DataIf a package is lost, then the ack sequence number will not change:“Duplicate acknowledgement”Depending on settings, sender will resend, after at most three stationary ack numbers.Also, senders resend after timeout.
56TCP Exchanging Data20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 4 win (DF)20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 3:4(1) ack 4 win (DF)20:48: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 4:5(1) ack 4 win (DF)20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win (DF)20:48: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win (DF)20:48: IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win (DF)20:48: IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win (DF)
57TCP flags Part of TCP header F : FIN - Finish; end of session S : SYN - Synchronize; indicates request to start sessionR : RST - Reset; drop a connectionP : PUSH - Push; packet is sent immediatelyA : ACK - AcknowledgementU : URG - UrgentE : ECE - Explicit Congestion Notification EchoW : CWR - Congestion Window Reduced
64UDP “Send and pray” No connection. No special header like TCP. Protocol field in the IP header is 0x11Another field in the IP header contains UDP specific header information
65FragmentationIP datagram can come across smaller maximum transmission units than its own size.Resender chops up the IP datagram into many IP datagrams, the fragments.
66Fragmentation Fragments are reassembled at the destination. Fragments carry:Fragment identifierOffset in original data portionLength of data payload in fragmentFlag that indicates whether or not this is the final fragment.
67Fragmentation Example Large Echo Request ping -l 1480 126.96.36.199 Assume MTU is 1500
72Fragmentationping –l12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag12:02: IP dhcp engr.scu.edu.137 > : udp 5012:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag12:02: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp (frag
73Fragmentation DF (Don’t Fragment) Flag If forwarding node finds that the datagram needs to be fragmented but that the DF flag is set, it should respond with ICMP host unreachable – need to fragment.Useful to find minimum MTU on a link.
74Fragmentation Fragmentation has security implications Stateless firewalls look only at individual packages.Protocol header is only in the first fragment.“Stealth attacks / scans” have evil payload only in the second and following fragments.
75Fragments: Teardrop and Friends Fragments with overlapping offset fields.Many contemporary OS crashed, hang, rebooted.Jolt2Single fragment with non-zero offset.Receiving system allocates resources to reconstruct a datagram that never arrives.
76Fragments: Teardrop and Friends Create fragments that seem to come from a GB datagram.Trusting OS tries to allocate memory and dies.Ping of DeathWin95 allowed to send a ping that was just a tad too long. Receiving host would crash.Unnamed AttacksMissing fragments lead to resource allocation.
77ICMP Protocols like TCP can send error messages themselves. Stateless protocols like UDP need another mechanism to send error messages.Host uses ICMP forSimple replies and requestsInform other hosts of some kind of error condition.E.g.: To throttle delivery rate, receiving host can use the ICMP source quench message.E.g.: Router can send “admin prohibited” ICMP message.
78ICMP ICMP has no port numbers. No acks, no message delivery guarantee Allows broadcastingICMP types atassignments/icmp-parametersFirst Byte of package is TypeSecond Byte of package is Code
79ICMP Attackers can use ICMP for scanning: Mapping a network. Detect availability of target.Detect OS through the way that host responds.
80ICMPTireless MapperSends ICMP echo requests messages to all possible IP addressesMany IDS might not capture this scan if the number of packages per hour is small.Therefore: Firewalls should filter incoming ping requests.
81ICMPEfficient MapperUse the ICMP echo request with a broadcast address.Ping
82ICMPClever MapperUse a different ICMP message such as ICMP address mask.Determines the class of the network
83ICMP: Normal activity Normal messages: Host unreachable Port unreachableAdmin prohibitedNeed to fragmentTime exceeded in transit
84ICMP: Normal activity Host unreachable Router at target host’s network sends such a message.This gives out info to an attacker.Some routers (Cisco) allow an access control list entry:no ip unreachable
85ICMP: Normal activity Port unreachable target.host > sending.host: icmp: target.host udp port ntp unreachable (DF)Used for UDPTCP has the RESET message to inform sender.
86ICMP: Normal activity Unreachable - Admin Prohibited Router informs sender that this type of message cannot be forwarded.Router decision based on access control list.Message leaks information to outside scanner.
87ICMP: Normal activity Need to Frag Router informs sender that DF is set, but that the package is larger than the MTU.
88ICMP: Normal activity Time Exceeded In-Transit Packages contain Time To Live (TTL) value.Each router handling a package decrements the TTL value.If TTL is zero, router discards package and sends the Time Exceeded In-Transit message to the sender.
89ICMP: Normal activityICMP messages contain additional date in the package.In particular: IP header followed by eight bytes of protocol header and data of the original datagram.Not all OS implementations do this in exactly the same way.Nmap used this for OS fingerprinting.Lately, all TCP/IP stack implementations have been fixed to remove OS idiosyncracies.
90Malicious ICMP: Smurf Attack Smurf attack on victimStep 1: Send ICMP echo request to a broadcast address with spoofed IP ofStep 2: Router allows in ICMP echo request to broadcast addressStep 3: All live hosts respond with ICMP echo reply to real machine with source IP
91Malicious ICMP: Smurf Attack ISMP Smurf AttackDenial of Service Attack.Effort of Attacker << Effort of Victim.Uses ICMP replies from network as an amplifier.Works well if victim has a slow connection.
92Malicious ICMP: Tribal Flood Network Based on SmurfCreates zombies out of compromised machinesCompromised machines use a trigger to start bombarding a victim with requestsMany variations on this theme
93Malicious ICMP: Winfreeze (obsolete) Uses the ICMP redirect message.Legal use is to update routing information.Flood of redirect message causes the victim (Win95 / Win98) to redirect traffic to itself via random hosts.Victim spends too much time updating routing table.
94Malicious ICMP: Loki Uses ICMP packages for covert channel A compromised host with a Loki server responds to requests from a Loki client.Requests are sent via ping messages with data embedded in ICMP pings.Originally used bytes 6 and 7.
95Malicious ICMP: Simple Counter-Measures Limit ICMP messages at the firewall.Leads to inefficiencies, such as trying a TCP connection to a host that is down.Need to admit path MTU discovery.Log those that are let through.
96Harmless Behavior: TCP Destination Host not Listening on Requested PortReceiver acknowledges and resets at the same time.Destination Host does not ExistRouter sends with the ICMP: Host xxx.yyy unreachable
97Harmless Behavior: TCP Destination Port BlockedRouter responds with an icmp message:icmp: xxx.yyy unreachable – admin prohibited filterRouter does not respond.Sender retries up to a protocol dependent maximum number of retries time
98Harmless Behavior: UDP Destination Host not Listening on Requested PortDestination host sends icmp message:icmp: xxx.yyy port domain unreachableOr: destination host does not respond.Sender will possibly retry several times
99Harmless Behavior: Windows Tracert tracert (traceroute) uses ICMP pingsTracing host sends ICMP echo request with TTL = 1.Then tracing host sends ICMP echo request with TTL = 2, etc.First router responds to first request.If not destination, then with icmp: time exceeded in transit messageSecond router responds to second request, etc.
100Harmless Behavior: Unix Tracert traceroute uses UDP to random ephemeral port.Tracing host sends UDP package with TTL = 1.Then tracing host sends UDP package with TTL = 2, etc.First router responds to first request.If not destination, then with icmp: time exceeded in transit messageSecond router responds to second request, etc.Target responds with a port unreachable message.
101FTP Uses TCP Active / Passive FTP Both use port 21 to issue FTP commands.Active FTP:Uses port 20 for data.FTP server establishes connection to client
102FTP: Active FTP Example: Command channel between server8.engr.scu.edu.21 and Bobadilla.1628Dir command creates a new connection between server9.engr.scu.edu.20 and Bobadilla.5001
103FTPThe opening of a connection from the outside to an ephemeral port is dangerous.Passive FTP: The client initiates the data connection to port 20.
104Malicious TCP Use: Mitnick Attack (obsolete) SYN floodGoal is to disconnect victim from the net.Throws hundreds / thousands of SYN packetsReturn address is spoofed.Recipient’s stack of connections waiting to be established is flooded.Still works with DDoS attack.
105Malicious TCP Use: Mitnick Attack (obsolete) Identify Trust RelationshipsExtensive network mapping.Nbtstat/finger, showmount, rpcinfo -r, …Rpcinfo provides information about the remote procedure call services and their ports
106Malicious TCP Use: Mitnick Attack (obsolete) Initiate a number of TCP connections to the host.Send SYN packet. Receive SYN/ACK packet. Send RES so that victim is not flooded.Observe the sequence number values between different connections.Can they be predicted?
115Malicious TCP Use: Mitnick Attack (obsolete) Attacker terminates connection with a FIN exchangeBFIN ACK FIN ACKVictim trusts everyoneAttacker
116Malicious TCP Use: Mitnick Attack (obsolete) To wake up B, attacker sends it a bunch of RES to free B from the SYN flood.BRESVictim trusts everyoneAttacker
117Malicious TCP Use: Mitnick Attack (obsolete) Attacker now starts a new connection with the victim.BYak yak yakVictim trusts everyoneAttacker
118Malicious TCP Use: Mitnick Attack Detection Network based intrusion detection (NID) can find the original site mapping.NID can find the reconnaissance by finding “finger” “showmount” etc. commands.Directed to the same port (111).This is a dangerous port.Frequent.
119Malicious TCP Use: Mitnick Attack Detection Host scans log instances where a single system accesses multiple hosts at the same time.Host-based Intrusion Detection (HID) can find access to a single port.HID / Tripwire could find changes to .rhosts.
120Malicious TCP Use: Mitnick Attack Detection Computer Forensics can detect the attack byLogging network traffic.Examining MAC of important files (.rhosts)
121Malicious TCP Use: Mitnick Attack Prevention Router-based Firewall blocks certain type of traffic.Network mapping.SYN flooding.Access to dangerous ports.Host-based firewall blocksSecurity policyDisallows reconnaissance tools.Enforces better authentication.
122Domain Name Servers Provide mapping from host names to IP addresses. DNS resolution processClient sends a gethostbyname message to the local domain name server.Local domain name server sends back ip address.Uses UDP (almost exclusively)
123DNS: Resolution protocol Client to local DNS server gethostbynameLocal DNS server sends forwards request to root server.Root server returns with name of remote DNS server.Local DNS server queries remote DNS server.Remote DNS server answers with IP address.Local DNS server gives data to client.
124DNS Use caching to prevent overload by root servers. DNS records have a TTLResponding DNS server sets TTL.Receiving DNS server caches record for TTL time.
125DNS: Reverse Lookup IP-address to host-name Query for send to in-addr.arpa
126DNS: Master - Slave Name Servers Each domain has a single master DNS server.Add slaves for redundancy.Slave server periodically contacts master to see whether there are changes.Older BIND download all data from domain, even if only one record has changed.
127DNS Zone TransferSlave server restarts zone transfer from master to slaveUses TCP, port 53.Attackers like zone transferGives all IP addresses and names in subnet.Newer versions of BIND limit transfers based on IP address.
128DNS: Abuse for Reconnaissance nslookup: Get name servers.
129DNS: Abuse for Reconnaissance HINFO: host information.
130DNS: Abuse for Reconnaissance List the zone map information.> ls –d engr.scu.edu in nslookup
131DNS: Abuses and Problems DNS cache poisoningAffects BIND versions beforeBased on lack of authenticationSome BIND versions cache every DNS data they see.
132DNS Cache Poisoning Attack on Hillary Clinton’s Run for Senate Website Traffic to (IP address ) redirected to (IP address )
133DNS Cache PoisoningStep 1: Evil sends a bogus query to the victim’s name server that contains data at
134DNS Cache PoisoningStep 2: Name server accepts the bogus information (even though it is contained in a query).Step 3: Victim requests IP address of hillary2000.org and is directed to hillaryno.com.Vulnerability arises from lack of authentication and of using queries to update entries at the queried server.
135DNS Cache Poisoning Birthday Attack Attacker sends large number of queries to a vulnerable name server asking for hillary2000.Attacker sends an equal number of phony replies (with the poisoned data).Name server will generate requests to resolve hillary2000.With high probability, one of the phony answers will have the same transaction number as the name server’s query.
137DNS Cache PoisoningRedirect traffic to a fake Pay-Pal or other e-commerce site.Set-up Man in the Middle AttacksDefenses:Domain Owner has to rely on the DNS system.ISP name server admin needs to protect byUpdating BIND or replacing it with djbdnsTwo name servers, one for the public domain information to the outside, another for internal use.End user has to rely on the DNS system.
139Static RoutingIP Layer searches the routing table in the following orderSearch for a matching destination host addressSearch for a matching destination network addressSearch for a default entry
140Routing Static routes are typically added during the boot process. Administrative changes with a “routing” command.ICMP routing discovery messages
141Routing ChangesA host might have inefficient entries in the routing table.ICMP Router Discovery Protocol (IRDP)ICMP redirect messagesICMP routing discovery messagesIRDP needs to be enabled.
142Routing Changes A B C D ICMP Redirect Message A sends message to D. Routing table says to send to B first.ABCD
143Routing Changes A B C D ICMP Redirect Message B forwards to C B informs A that there is a direct route to CABCD
144Routing Changes A B C D ICMP Redirect Message C forwards package to target.A updates routing table.ABCD
145IRDP DoS ExploitAttacker (E) sends spoofed IRDP message to AA updates routing table to reflect bogus default value.A looses connectivityE?ABD
146IRDP Windows ExploitWindows (95, 98, 2000) and some Solaris systems are vulnerable.If a Windows hosts runs a Dynamic Host Configuration Protocol (DHCP) client, it obtains its default route from the DHCP server.ICMP router advertisement can be spoofed.First router advertisement is checked for correct IP address.Second router advertisement is erroneously not.
147IRDP Windows ExploitAttacker sends two ICMP router advertisements to victim.Victim updates its default gateway to IP determined by attacker.Use for man in the middle attacks or DoS.
148ARP PoisoningAddress resolution protocol associates MAC addresses with IP addresses.Four MessagesARP Request: “Who has this IP?”ARP Reply: “I have this IP. My MAC is …”Reverse ARP Request: “Who has that MAC?”Reverse ARP Request Reply: “I have that MAC, my IP is …”
149ARP PoisoningARP is very efficient, but does not do any authentication.Many OS still accept ARP replies even without making an ARP request.ARP poisoning: Spoofing an ARP package with false ARP data.
150ARP Poisoning Denial of Service: Spoofed ARP message can associate the default gateway address with a non-existing MAC.Traffic to the outside is no longer picked up.
151ARP Poisoning Man in the Middle Intercept traffic between devices A and B.A has IP IA and MAC MA.B has IP IB and MAC MB.Attacker has machine C with MAC MC.Attacker sends an ARP reply to B: IA is at MC.B updates its ARP cache entry: IA is at MC.Attacker sends an ARP reply to A: IB is at MC.A updates its ARP cache entry: IB is at MC.A sends traffic to IB on a level 1 frame to MC.C intercepts the package and forwards it to MB.Traffic from A to B (and vice versa) now flows through C.
152ARP Poisoning MAC flooding Switches maintain a MAC to port table. Traffic only flows to destination.Attacker sends lots of bogus ARP data to switch.Switch’s ARP table is flooded.Switches either stop functioning (DoS attack) or drop to hub mode.Switch in hub mode forwards a package to all ports.Allows traffic to be sniffed.
153ARP Poisoning Small networks: Could use a static ARP table. Disables ARP messaging.All ARP entries need to be put in by hand and maintained.Will not work with DHCP.Maintenance becomes quickly impossible with larger size of network.Some Win OS will still accept and use dynamic ARP updates, even if all routes are statically encoded.
154ARP Poisoning Large Networks All networks Use Port Security features on higher-end switches.Allow only one MAC address.Prevents hackers from embedding their MAC address more than once.All networksMonitor ARP traffic (ARP monitoring tool)
155IP Options IP options enhance the IP protocol. SecurityStream IdentificationInternet TimestampLoose Source RoutingStrict Source RoutingRecord RouteThese are security risks
156IP Route OptionsLoose Source Routing specifies a route that includes a list of required nodes.Strict Source Routing specifies the beginning of a route (up to 9 nodes) completely.Record Route: does not alter the routing but requires that all nodes are recorded.
157Detecting IP Source Routing IP header is larger than 20BIP option field has a hex value of83: loose source routing89: strict source routingip & 0x0f > 5 and (ip = 0x83 or ip = 89)
158Source Route ExploitSpoofing host requires source routing through a host trusted by the victim.Victim decides that the traffic comes from a trusted host.Therefore: firewalls need to disable source-routing or network admin needs to disable trust relationships.
159Internet Group Management Protocol (IGMP) Defined by RFC 1112.IGMP messages use IP Protocol 2IGMP are used to join and leave multicast groups.
160TCP/IP Related Evidence Sniffer LogsA computer intrusion left a program called router behind. Investigation of the binary code revealed that it was a Portuguese language sniffer storing data in a given file.The sniffer file contained log entries of log-ins from Brazil to a non-authenticated account as well as further activities.
161TCP/IP Related Evidence Authentication, Server LogsMaury Travis Case:During a series of homicides in St. Louis, a reporter received a letter with the location of an additional victim.The FBI determined that the map was from Expedia.com.The web server logs showed that only one IP address requested that particular map around the time that the letter was sent.
162TCP/IP Related Evidence The IP address belonged to an ISP.The ISP logs showed that this IP address was registered to Maury Travis. The telephone number from the connection was made also belonged to Maury Travis.A (warranted) search of Maury Travis’ home found a torture chamber and videotapes of Maury torturing and killing victims.Maury killed himself while in custody. The total number of victims is unknown.
163TCP/IP Related Evidence Internet dial-up logs are created by RADIUS and TACACS authentication servers.These servers are also used for VPN concentrators.Kerberos logs authentication requests.…
164TCP/IP Related Evidence Application LogsWhen someone defaces web servers, they usually view them shortly before and after defacement.The web logs might contain evidence of someone checking for vulnerabilities before defacement.With the IP address that they used.
165TCP/IP Related Evidence Application LogsMail servers log details of message.Example: An spoofer makes a typo.Logs contains entries with backspaces, …OS log connections.Network devices log.