
slide 1 Isaac Ghansah Attacks on TCP/IP

slide 2 Internet Infrastructure
[diagram: local network - Internet service provider (ISP) - backbone ISP - local network]
- TCP/IP for packet routing and connections
- Border Gateway Protocol (BGP) for route discovery
- Domain Name System (DNS) for IP address discovery

slide 3 OSI Protocol Stack
[diagram: OSI layers and the Internet protocols that occupy them]
  application              Web, NFS
  presentation / session   RPC
  transport                TCP
  network                  IP
  data link / physical     Ethernet

slide 4 Data Formats
[diagram: encapsulation as application data moves down the stack]
  application layer   message  = application data
  transport layer     segment  = TCP header | data
  network layer       packet   = IP header | TCP header | data
  data link layer     frame    = Ethernet header | IP header | TCP header | data | Ethernet trailer

slide 5 TCP (Transmission Control Protocol)
- Sender: break data into packets
  - A sequence number is attached to every packet
- Receiver: reassemble packets in correct order
  - Acknowledge receipt; lost packets are re-sent
- Connection state maintained on both sides
[diagram: a book is mailed one page at a time; the receiver remembers which pages arrived and reassembles the book]

slide 6 IP (Internet Protocol)
- Connectionless
  - Unreliable, “best-effort” protocol
- Uses numeric addresses for routing
  - Typically several hops in the route
[diagram: Alice’s computer - Alice’s ISP - Bob’s ISP - Bob’s computer; packet fields: Source, Dest, Seq]

slide 7 ICMP (Internet Control Message Protocol)
- Provides feedback about network operation
  - “Out-of-band” messages carried in IP packets
  - Error reporting, congestion control, reachability, etc.
- Example messages:
  - Destination unreachable
  - Time exceeded
  - Parameter problem
  - Redirect to better gateway
  - Reachability test (echo / echo reply)
  - Message transit delay (timestamp request / reply)

slide 8 Security Issues in TCP/IP
- Network packets pass by untrusted hosts
  - Eavesdropping (packet sniffing)
- IP addresses are public
  - Smurf attacks
- TCP connection requires state
  - SYN flooding
- TCP state is easy to guess
  - TCP spoofing and connection hijacking

slide 9 Packet Sniffing
[diagram: a sniffing host on the network path]
- Many applications send data unencrypted
  - ftp, telnet send passwords in the clear
- Network interface card (NIC) in “promiscuous mode” reads all passing data
- Solution: encryption (e.g., IPSec), improved routing

slide 10 Smurf Attack
[diagram: gateway, victim; step 1: ICMP Echo Req with Src: victim’s address, Dest: broadcast address]
- Looks like a legitimate “Are you alive?” ping request from the victim
- Every host on the network generates a ping (ICMP Echo Reply) to the victim
- Stream of ping replies overwhelms the victim
- Solution: reject external packets to broadcast addresses

slide 11 “Ping of Death”
- If an old Windows machine received an ICMP packet with a payload longer than 64K, the machine would crash or reboot
  - Programming error in older versions of Windows
  - Packets of this length are illegal, so programmers of Windows code did not account for them
- Solution: patch OS, filter out ICMP packets
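The two ICMP attacks above (slides 10 and 11) are both stopped at the IP layer, before the ICMP payload is ever looked at. The following added example is not from the slides: it parses the IPv4 header of slide 4 from constructed packet bytes and applies the two filter rules the slides recommend, dropping external packets addressed to the local broadcast address and dropping any fragment whose reassembled size would exceed the 65535-byte datagram limit. The local network 192.0.2.0/24 and all sample packets are constructed; the header checksum is left at zero because the example never sends them.

```python
import ipaddress
import struct

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed local network behind the gateway
MAX_IP_DATAGRAM = 65535                             # the IPv4 total-length field is 16 bits
IPV4_HEADER = "!BBHHHBBH4s4s"                       # 20-byte header, no options


def build_ipv4_header(src, dst, total_len, proto=1, more_fragments=False, frag_offset_units=0):
    """Construct a 20-byte IPv4 header as test input (checksum left as 0).
    frag_offset_units is the raw 13-bit fragment-offset field, in 8-byte units."""
    ver_ihl = (4 << 4) | 5                                   # version 4, IHL = 5 words
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset_units & 0x1FFF)
    return struct.pack(IPV4_HEADER, ver_ihl, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def parse_ipv4_header(raw):
    """Return the fields the filter needs (the 'IP header' of slide 4); raise on malformed input."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HEADER, raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("inconsistent header length")
    return {
        "ihl": ihl,
        "total_len": total_len,
        "proto": proto,                              # 1 = ICMP
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,    # bytes from the start of the original payload
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
    }


def is_smurf_candidate(hdr, local_net=LOCAL_NET):
    """Slide 10's fix: a packet from outside the local network addressed to its
    broadcast address is what turns the network into a Smurf amplifier."""
    return hdr["dst"] == local_net.broadcast_address and hdr["src"] not in local_net


def is_oversized_fragment(hdr):
    """Slide 11's fix at the filter: if this fragment's bytes would end beyond the
    65535-byte maximum datagram size, the datagram is illegal; drop it before
    reassembly rather than trusting the sender's offset + length."""
    payload_len = hdr["total_len"] - hdr["ihl"]
    reassembled_len = hdr["ihl"] + hdr["frag_offset"] + payload_len
    return reassembled_len > MAX_IP_DATAGRAM


def filter_packet(raw, local_net=LOCAL_NET):
    """Gateway decision for one inbound packet: 'accept' or 'drop:<reason>'."""
    hdr = parse_ipv4_header(raw)
    if is_smurf_candidate(hdr, local_net):
        return "drop:external-to-broadcast"
    if is_oversized_fragment(hdr):
        return "drop:oversized-fragment"
    return "accept"


# Constructed sample packets (addresses from the documentation ranges)
SMURF_TRIGGER = build_ipv4_header("203.0.113.5", "192.0.2.255", total_len=84)   # outside -> our broadcast
LOCAL_BROADCAST = build_ipv4_header("192.0.2.10", "192.0.2.255", total_len=84)  # inside -> our broadcast
NORMAL_PING = build_ipv4_header("203.0.113.5", "192.0.2.7", total_len=84)       # 64-byte ICMP echo
# last fragment of an oversized ping: offset 8191*8 = 65528 plus 8 payload bytes -> 65556 bytes reassembled
PING_OF_DEATH_TAIL = build_ipv4_header("203.0.113.5", "192.0.2.7", total_len=28, frag_offset_units=8191)

if __name__ == "__main__":
    for name, pkt in [("smurf trigger", SMURF_TRIGGER), ("local broadcast", LOCAL_BROADCAST),
                      ("normal ping", NORMAL_PING), ("oversized fragment", PING_OF_DEATH_TAIL)]:
        print(f"{name:20s} -> {filter_packet(pkt)}")
```

The fragment check works per fragment, so it does not depend on fragments arriving in order: any single fragment whose end lies past 65535 already proves the datagram is illegal. The broadcast rule deliberately still allows hosts inside 192.0.2.0/24 to reach their own broadcast address, which is what the slide's "external packets" wording asks for.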

slide 12 TCP Handshake
[diagram: three-way handshake between client C and server S]
  S: Listening...
  C -> S: SYN_C
  S: Store data (connection state, etc.), Wait
  S -> C: SYN_S, ACK_C
  C -> S: ACK_S
  Connected

slide 13 SYN Flooding Attack
[diagram: many SYNs arriving at server S]
  S: Listening...
  C1 -> S: SYN_C1      S: Store data
  C2 -> S: SYN_C2      S: ... and more data
  C3 -> S: SYN_C3      S: ... and more
  C4 -> S: SYN_C4
  C5 -> S: SYN_C5
  ...

slide 14 SYN Flooding Explained
- Attacker sends many connection requests with spoofed source addresses
- Victim allocates resources for each request
  - Connection state maintained until timeout
  - Fixed bound on half-open connections
- Once resources are exhausted, requests from legitimate clients are denied
- This is a classic denial of service (DoS) attack
  - Common pattern: it costs the TCP initiator nothing to send a connection request, but the TCP responder must allocate state for each request (asymmetry!)

slide 15 Preventing Denial of Service
- DoS is caused by asymmetric state allocation
  - If the responder opens state for each connection attempt, the attacker can initiate thousands of connections from bogus or forged IP addresses
- Cookies ensure that the responder is stateless until the initiator has produced at least 2 messages
  - Responder’s state (IP addresses and ports of the connection) is stored in a cookie and sent to the initiator
  - After the initiator responds, the cookie is regenerated and compared with the cookie returned by the initiator

slide 16 SYN Cookies [Bernstein & Schenk]
[diagram: handshake between C and S with the cookie as the server’s sequence number]
  S: Listening...
  C -> S: SYN_C
  S: Does not store state; computes cookie = F(source addr, source port, dest addr, dest port, coarse time, server secret)
  S -> C: SYN_S, ACK_C, with sequence # = cookie
  C -> S: ACK_S (cookie)
  S: Recompute cookie, compare with the one received, only establish connection if they match
- Cookie must be unforgeable and tamper-proof (why?)
- Client should not be able to invert a cookie (why?)
- F = Rijndael or crypto hash
- Compatible with standard TCP; simply a “weird” sequence number scheme
- More info:

slide 17 Anti-Spoofing Cookies: Basic Pattern
- Client sends request (message #1) to server
- Typical protocol:
  - Server sets up connection, responds with message #2
  - Client may complete session or not (potential DoS)
- Cookie version:
  - Server sends hashed connection data back
    - Send message #2 later, after client confirms he is listening
  - Client confirms by returning hashed data
    - If source IP address is bogus, attacker can’t confirm
  - Need an extra step to send postponed message #2
    - OK in TCP since the extra step (SYN-ACK) is already there
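Slides 15 to 17 describe the cookie pattern in words; the following added example (not Bernstein's or the slides' code) implements it for TCP in the classic layout: the top 5 bits of the 32-bit cookie carry a coarse time counter (64-second ticks), the next 3 bits encode the client's MSS (which the server would otherwise have to remember), and the low 24 bits are a keyed hash over the 4-tuple and the time. F is HMAC-SHA256 truncated to 24 bits; the server secret and the MSS table are constructed here. The server stores nothing between the SYN and the final ACK, which is the whole point of the scheme.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed here; a real stack draws it at boot
MSS_TABLE = [536, 1300, 1440, 1460]       # MSS values the 3-bit field can encode (up to 8)
COOKIE_LIFETIME_TICKS = 2                 # accept cookies up to 2 coarse-time ticks old


def coarse_time(now_seconds):
    """5-bit counter that advances every 64 seconds (the 'coarse time' of slide 16)."""
    return (now_seconds // 64) & 0x1F


def _hash24(saddr, sport, daddr, dport, t, secret):
    """F(...) from slide 16, here HMAC-SHA256 truncated to 24 bits."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_mss, now_seconds, secret=SERVER_SECRET):
    """Server's ISN for the SYN-ACK. Nothing is stored: the 4-tuple is re-derived
    from the ACK's headers and the MSS is carried inside the cookie itself."""
    t = coarse_time(now_seconds)
    fitting = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = fitting[-1] if fitting else 0       # largest table MSS not exceeding the client's
    return (t << 27) | (mss_idx << 24) | _hash24(saddr, sport, daddr, dport, t, secret)


def check_cookie(saddr, sport, daddr, dport, ack_number, now_seconds, secret=SERVER_SECRET):
    """Validate the third handshake message. Returns the MSS to use, or None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF        # client acknowledges ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    received = cookie & 0xFFFFFF
    if ((coarse_time(now_seconds) - t) & 0x1F) > COOKIE_LIFETIME_TICKS:
        return None                               # stale (or replayed) cookie
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _hash24(saddr, sport, daddr, dport, t, secret)
    if not hmac.compare_digest(received.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                               # forged, tampered, or wrong 4-tuple
    return MSS_TABLE[mss_idx]


def handshake(client_addr, client_port, server_addr, server_port, client_mss, t0, ack_time):
    """Run the three messages of slide 16 and report the MSS S accepts, or None."""
    syn_ack_seq = make_cookie(client_addr, client_port, server_addr, server_port, client_mss, t0)
    ack_number = (syn_ack_seq + 1) & 0xFFFFFFFF   # message 3, sent only by a client that really heard message 2
    return check_cookie(client_addr, client_port, server_addr, server_port, ack_number, ack_time)


if __name__ == "__main__":
    print("mss =", handshake("198.51.100.7", 40000, "192.0.2.1", 80, 1460, t0=1000, ack_time=1010))
```

The two "why?" questions on slide 16 map directly onto the code: the secret inside F is what makes a cookie unforgeable, so an attacker behind a spoofed source address cannot produce a valid ACK and never gets state allocated; and truncating the hash to 24 bits means a blind guess succeeds with probability 2^-24 per ACK, which is the trade-off for fitting everything into a sequence number. The coarse-time field bounds how long a captured cookie stays usable.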

slide 18 Another Defense: Random Deletion
[diagram: SYN_C arriving at a full queue of half-open connections]
- If SYN queue is full, delete a random entry
  - Legitimate connections have a chance to complete
  - Fake addresses will eventually be deleted
- Easy to implement
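To see why random deletion gives legitimate clients "a chance to complete", the following added example (not from the slides) simulates a half-open table under a spoofed-SYN flood with two policies: drop the new SYN when the table is full, or evict a random entry to make room. Table capacity, flood rate and the delay before the legitimate client's ACK are constructed parameters; runs are seeded so the result is reproducible.

```python
import random


def simulate(policy, capacity=64, attack_syns_per_tick=16, legit_tick=10, ack_delay=3, seed=0):
    """One run: the attacker sends spoofed SYNs every tick; a legitimate client SYNs at
    legit_tick and its final ACK arrives ack_delay ticks later. Returns True if the
    legitimate handshake completes (its half-open entry survived until the ACK)."""
    rng = random.Random(seed)
    half_open = {}          # key -> kind; spoofed entries never receive an ACK
    bogus_seq = 0

    def on_syn(key, kind):
        if len(half_open) >= capacity:
            if policy == "drop_new":
                return False                        # queue full: the new SYN is dropped
            if policy == "random":
                evicted = rng.choice(list(half_open))
                del half_open[evicted]              # slide 18: make room by evicting a random entry
            else:
                raise ValueError(f"unknown policy {policy!r}")
        half_open[key] = kind
        return True

    for tick in range(legit_tick + ack_delay + 1):
        for _ in range(attack_syns_per_tick):
            on_syn(("bogus", bogus_seq), "bogus")
            bogus_seq += 1
        if tick == legit_tick:
            on_syn("legit", "legit")
        if tick == legit_tick + ack_delay:
            return "legit" in half_open             # the ACK completes the handshake only if state survived
    return False


def completion_rate(policy, trials=400, **kwargs):
    """Fraction of runs (different RNG seeds) in which the legitimate client connects."""
    return sum(simulate(policy, seed=s, **kwargs) for s in range(trials)) / trials


if __name__ == "__main__":
    for policy in ("drop_new", "random"):
        print(f"{policy:9s} completion rate: {completion_rate(policy):.2f}")
```

With the defaults the table is full of spoofed entries long before the legitimate SYN arrives, so "drop_new" never completes a handshake. Under random deletion the legitimate entry always gets in and then survives each of the 48 spoofed SYNs that follow with probability 63/64, so it completes in roughly (63/64)^48, about 47%, of runs. The rate falls as the flood rate or the client's round-trip time grows, which is why the slide calls it a chance rather than a guarantee.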

slide 19 TCP Connection Spoofing
- Each TCP connection has an associated state
  - Sequence number, port number
- TCP state is easy to guess
  - Port numbers are standard, sequence numbers are often predictable
  - Can inject packets into existing connections
- If attacker knows initial sequence number and amount of traffic, can guess likely current number
  - Send a flood of packets with likely sequence numbers

slide 20 “Blind” IP Spoofing Attack
[diagram: trusted connection between Alice and Bob uses predictable sequence numbers]
  1. SYN-flood Bob’s queue
  2. Open connection to Alice to get initial sequence number
  3. Send packets to Alice that resemble Bob’s packets
- Can’t receive packets sent to Bob, but maybe can penetrate Alice’s computer if Alice uses IP address-based authentication
  - For example, rlogin and many other remote access programs use address-based authentication

slide 21 DoS by Connection Reset
- If attacker can guess the current sequence number for an existing connection, can send a Reset packet to close it
  - With 32-bit sequence numbers, probability of guessing correctly is 1/2^32 (not practical)
  - Most systems accept large windows of sequence numbers ⇒ much higher probability of success
    - Need large windows to handle massive packet losses
- Especially effective against long-lived connections
  - For example, BGP (Border Gateway Protocol)
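Slides 19 to 21 all turn on how guessable a sequence number is. The following added example (not the slides' code) puts the pieces side by side: a predictable ISN generator of the kind slide 19 warns about next to an RFC 6528-style one, the 32-bit wraparound window test that decides whether an injected segment or reset is accepted, the arithmetic behind slide 21's observation that a wide window multiplies a blind attacker's odds, and the RFC 5961 rule that defeats blind resets by answering an in-window but inexact RST with a challenge ACK. Secrets, addresses and ports are constructed.

```python
import hashlib
import hmac
import secrets

MOD32 = 1 << 32


class PredictableISN:
    """Old-style generator (slide 19): the ISN advances by a fixed step per
    connection, so observing one ISN predicts the next."""
    def __init__(self, start=0, step=64000):
        self.next_isn, self.step = start, step

    def isn(self, *_connection_tuple):
        v = self.next_isn
        self.next_isn = (v + self.step) % MOD32
        return v


class RFC6528ISN:
    """Mitigation: ISN = M + F(4-tuple, secret), M a 4-microsecond clock; without the
    secret, one connection's ISN says nothing about another's."""
    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(16)

    def isn(self, laddr, lport, raddr, rport, now_us):
        m = (now_us // 4) % MOD32
        f = hmac.new(self.secret, f"{laddr}:{lport}|{raddr}:{rport}".encode(), hashlib.sha256).digest()
        return (m + int.from_bytes(f[:4], "big")) % MOD32


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test for a segment's first byte, with 32-bit wraparound."""
    return (seq - rcv_nxt) % MOD32 < rcv_wnd


def guesses_needed(rcv_wnd):
    """Number of guesses spaced rcv_wnd apart that cover the whole 2^32 space (slide 21)."""
    return -(-MOD32 // rcv_wnd)


def blind_reset_success_probability(rcv_wnd, attempts):
    """P(some guess lands in-window) for a stack that accepts any in-window RST,
    given `attempts` guesses spaced rcv_wnd apart."""
    return min(1.0, attempts * rcv_wnd / MOD32)


def rst_action_rfc5961(seq, rcv_nxt, rcv_wnd):
    """Hardened handling: only an RST at exactly RCV.NXT resets; an in-window but
    inexact RST gets a challenge ACK, which a blind attacker never sees."""
    if not seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    return "reset" if seq == rcv_nxt else "challenge-ack"


if __name__ == "__main__":
    p = PredictableISN()
    print("predictable ISNs:", p.isn(), p.isn(), p.isn())
    r = RFC6528ISN()
    print("RFC 6528 ISNs:  ", r.isn("192.0.2.1", 80, "198.51.100.7", 40000, 0),
          r.isn("192.0.2.1", 80, "198.51.100.7", 40001, 0))
    for wnd in (1, 16384, 65536):
        print(f"window {wnd:6d}: {guesses_needed(wnd):>10d} guesses to cover the space")
```

With a window of one byte the attacker needs 2^32 guesses, which is the "not practical" case on the slide; with a 64 KB window it drops to 65536, which is why long-lived BGP sessions were the worry. Note that RFC 5961's rule does not shrink the window, it only stops an in-window RST from being trusted on its own.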

slide 22 User Datagram Protocol (UDP)
- UDP is a connectionless protocol
  - Simply send datagram to application process at the specified port of the IP address
  - Source port number provides return address
  - Applications: media streaming, broadcast
- No acknowledgement, no flow control, no message continuation
- Denial of service by UDP data flood

slide 23 Countermeasures
- Above transport layer: SSL/TLS and SSH
  - Protects against connection hijacking and injected data
  - Does not protect against DoS by spoofed packets
- Above transport layer: Kerberos
  - Provides authentication, protects against spoofing
  - Does not protect against connection hijacking
- Network (IP) layer: IPSec
  - Protects against hijacking, injection, DoS using connection resets, IP address spoofing
  - We will study IPSec in some detail

slide 24 DNS Attacks
- Domain Name System (DNS) is a distributed database mapping host names to IP addresses
  - For example, www.cs.utexas.edu
  - Network services trust host-address mappings returned in response to DNS queries
    - But DNS responses are not authenticated!
- If attacker takes over DNS server, can respond with addresses of attacker-controlled machines
  - Some DNS services have known buffer overflows
- Can use “zone transfer” requests to download a chunk of DNS database and map out the network

slide 25 Reverse DNS Spoofing
- Trusted access is often based on host names
  - E.g., permit all hosts in .rhosts to run remote shell
- Network requests such as rsh or rlogin arrive from numeric source addresses
  - System performs reverse DNS lookup to determine requester’s host name and checks if it’s in .rhosts
- If attacker can spoof the answer to reverse DNS query, he can fool target machine into thinking that request comes from an authorized host
  - No authentication for DNS responses and typically no double-checking (numeric → symbolic → numeric)
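The "double-checking" the last bullet says is typically missing is forward-confirmed reverse DNS. The following added example (not from the slides) shows the naive .rhosts check beside the confirmed one against constructed zone data in which the attacker controls the reverse zone for 203.0.113.0/24 and answers the PTR query for 203.0.113.66 with a trusted host's name, but does not control the forward zone for example.com. The resolver is an in-memory table so the example runs offline.

```python
# Constructed zone data. The attacker controls the reverse zone for 203.0.113.0/24 and
# answers the PTR query for 203.0.113.66 with a trusted host's name, but does not control
# the forward zone for example.com, so that name still resolves only to 192.0.2.10.
FORWARD_ZONE = {                       # name -> A records
    "trusted.example.com": ["192.0.2.10"],
    "attacker.example.net": ["203.0.113.66"],
}
REVERSE_ZONE = {                       # address -> PTR answer
    "192.0.2.10": "trusted.example.com",
    "203.0.113.66": "trusted.example.com",   # spoofed PTR
}
RHOSTS = {"trusted.example.com"}       # hosts allowed to run a remote shell


def lookup_ptr(addr, reverse=REVERSE_ZONE):
    """Reverse lookup: numeric address -> host name (None if no PTR)."""
    return reverse.get(addr)


def lookup_a(name, forward=FORWARD_ZONE):
    """Forward lookup: host name -> list of addresses."""
    return forward.get(name, [])


def naive_authorize(addr, rhosts=RHOSTS, reverse=REVERSE_ZONE):
    """The check slide 25 describes: trust whatever name the PTR answer gives."""
    name = lookup_ptr(addr, reverse)
    return name is not None and name in rhosts


def fcrdns_authorize(addr, rhosts=RHOSTS, forward=FORWARD_ZONE, reverse=REVERSE_ZONE):
    """Forward-confirmed reverse DNS: numeric -> symbolic -> numeric. The PTR name
    must be in .rhosts AND the name's own A records must include the source address."""
    name = lookup_ptr(addr, reverse)
    if name is None or name not in rhosts:
        return False
    return addr in lookup_a(name, forward)


if __name__ == "__main__":
    for addr in ("192.0.2.10", "203.0.113.66", "198.51.100.9"):
        print(f"{addr:14s} naive={naive_authorize(addr)!s:5s} fcrdns={fcrdns_authorize(addr)}")
```

The confirmation step closes the reverse-spoofing hole only: an attacker who can also forge the forward answer, or who has taken over the server as on slide 24, passes both lookups. Since neither response is authenticated, the real fix is to stop deriving authorization from DNS at all and use the cryptographic countermeasures of slide 23.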

slide 26 Reading Assignment
- “IP Spoofing Demystified” from Phrack magazine
- “SYN cookies” by Bernstein
  - Both are online on the course website
- Optional: Joncheray’s paper about TCP connection hijacking