ITIS 6167/8167: Network and Information Security Weichao Wang.

2 Contents
ARP protocol and ARP poisoning
– How ARP works
– ARP poisoning
– Security impacts
– Mitigation mechanisms
IP fragmentation and attacks
– IP fragmentation
– Attacks
– Mitigation mechanisms

4 Ethernet address
Layered model of the Internet
Separation of IP address and physical address
How does IP routing work?
– Example

5 IP address
– 32 bits (IPv4)
Ethernet address
– 48 bits
– Different hardware vendors get different chunks of addresses
– Can be a broadcast or unicast address
– Mapping between IP and Ethernet addresses can change

6 IP routing needs the mapping between IP addresses and physical addresses
– Static mapping (proNET or token ring)
  Physical address = f (IP address)
– Dynamic binding
  More flexible
  Needs a protocol to accomplish this task: Address Resolution Protocol (ARP)

7 Ethernet frame format
Preamble and CRC: used only by hardware; users will not see them
Frame-type: 0x0800 (IP), 0x0806 (ARP), 0x8035 (RARP)
Data part: 46 to 1500 octets

8 Example of ethernet packet

9 Destination physical address: ba
Source physical address b 0d 44 a7
Protocol type: 0800 (IP)
More details of the packet: this is an ICMP packet

11 ARP protocol
Motivation
– The Ethernet card only needs to recognize Ethernet addresses
– The upper layer (IP) only knows IP addresses
– Routing table entry
– The user has to map the IP address to the physical address

12 ARP protocol
– Machine A wants to send a packet to B, but only knows B’s IP address
– Machine A broadcasts an ARP request with B’s IP address (using the broadcast physical address)
– All nodes receive the request
– B replies with its physical address
– Machine A adds the address to its ARP cache
– A sends packets to B

14 ARP encapsulation
In Ethernet, the frame type for ARP is 0x0806
ARP packet

15 ARP packet format when used with Ethernet

16 The format is general enough to work with different physical addresses and protocol addresses
Details of ARP packet (fixed-length part)
– Hardware type (2 bytes): 1 for Ethernet
– Protocol type (2 bytes): 0x0800 for IP
– HLEN (1 byte): hardware address length. 6 for Ethernet
– PLEN (1 byte): protocol address length. 4 for IP
– Operation (2 bytes): 1=ARP req, 2=ARP reply, 3=RARP req, 4=RARP reply

17 Varying parts of ARP packets
– Sender’s physical address: 6 bytes in our example
– Sender’s protocol address: 4 bytes
– Target’s hardware address: 6 bytes
– Target’s protocol address: 4 bytes

18 ARP cache
– To reduce ARP overhead, the machine keeps a cache of recently obtained IP-PHY address mappings
– The cache has a limited size: replacement policy
– An ARP entry has a lifetime: why do we not keep it forever?

19 How does the node learn ARP information?
– From a received ARP request
– From a received ARP reply (whether or not it has sent an ARP request; depends on the OS)
– Gratuitous message: both the source and destination address are the same
  Used to detect IP conflict
  When the physical address changes, use this to notify other nodes after reboot

21 ARP poisoning
Potential attack on ARP
– There is no protection on the mapping between physical and IP addresses
– An example attack: if the ARP cache is poisoned, packets going to node A will be sent to node B’s physical address, and node B will get them.
– Is this the same as promiscuous mode? Not really

22 Two simple and not-so-effective MAC address attacks
– Poison a switch by sending out an Ethernet packet with the target’s physical address as the source of the packet. The switch tries to learn from the packet.
– Problems
  The real node also sends out packets
  Static configuration of switches

23 Attack 2:
– Sends out an ARP reply and tries to beat the real node
– Problem: the conflict is relatively easy to detect

24 ARP cache poisoning
– Through ARP poisoning, packets destined for node A may be sent to node B
– Methods to poison the ARP cache
  ARP request
  ARP reply
  Gratuitous packets
– Instead of broadcast, unicast can be used to poison a node

25 Examples of attacks
– Send a unicast ARP request to poison the ARP cache
– Send a unicast ARP reply to poison the ARP cache

26 Which systems are vulnerable to ARP poisoning?
– Windows 9x, NT, 2000, XP
– Solaris 8
– Linux Kernel 2.2 and 2.4
– Cisco IOS 12
– Nokia IPSO 3.5

28 Complicated attacks and their impacts
Man-in-the-middle attack
– Cheat both sides of a connection and get access to the traffic between them
– The malicious node will forward packets to both sides to avoid detection
– Disable attacker’s ICMP redirect functionality
– Microsoft IE certificate can be compromised by this attack

29 Hijacking HTTP connections and running a manipulated web server through MiM attacks
Escaping firewall
– Some companies use IP-based authentication and only allow a few IP addresses to get out (HTTP server, mail server)
– Through ARP poisoning, you can bypass the firewall

30 DoS attacks
– After poisoning the ARP cache, discard all packets sent to you
– Using a non-existing physical address to poison the ARP cache
Poisoning an SMTP relaying server to send out junk mail

31 Defending against ARP poisoning
– Network IDS: detect duplicate IP addresses or flip-flop of the IP-PHY bindings
– Host IDS: maintain a record of IP-PHY bindings, detect abnormal changes of the bindings (arpwatch in UNIX)
– Do not use IP-address-based authentication
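
An added example, not part of the original slides: a small arpwatch-style monitor that decodes the ARP fields from slides 16 and 17 and reports changes and flip-flops of IP-PHY bindings, as the host IDS item above describes. The names parse_arp, BindingMonitor and sample_frame, and all frames, MAC and IP addresses, are constructed for illustration.

```python
import struct

ETH_ARP = 0x0806  # Ethernet frame type for ARP

def parse_arp(frame):
    """Decode an IPv4-over-Ethernet ARP packet; return None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "sender_mac": sha.hex(":"), "sender_ip": ".".join(map(str, spa)),
            "target_mac": tha.hex(":"), "target_ip": ".".join(map(str, tpa))}

class BindingMonitor:
    """Record IP-PHY bindings seen in ARP traffic and report abnormal changes."""
    def __init__(self):
        self.current = {}  # IP -> MAC of the latest binding
        self.seen = {}     # IP -> every MAC that has claimed this IP
    def observe(self, frame):
        """Return (verdict, ip, old_mac, new_mac), or None if not an ARP req/reply."""
        arp = parse_arp(frame)
        if arp is None or arp["op"] not in (1, 2):
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        old, history = self.current.get(ip), self.seen.setdefault(ip, set())
        if old is None or old == mac:
            verdict = "new" if old is None else "ok"
        else:  # a MAC seen earlier for this IP means the binding is oscillating
            verdict = "flip-flop" if mac in history else "changed"
        history.add(mac)
        self.current[ip] = mac
        return (verdict, ip, old, mac)

def sample_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP frame for the demo (sample data, not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    dst = b"\xff" * 6 if op == 1 else mac(target_mac)
    return (dst + mac(sender_mac) + struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))

def run_demo():
    """Request from A, a reply from B claiming A's IP, then A again."""
    a, b, gw = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"
    frames = [sample_frame(1, a, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
              sample_frame(2, b, "192.0.2.10", gw, "192.0.2.1"),
              sample_frame(2, a, "192.0.2.10", gw, "192.0.2.1")]
    mon = BindingMonitor()
    return [mon.observe(f)[0] for f in frames]
```

The monitor learns from the sender fields of both requests and replies, matching the ways slide 19 says a node learns ARP information.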

33 IP protocol and fragmentation
The IP layer provides the fundamental service in the Internet: unreliable, connectionless, and best-effort packet delivery
– Unreliable: packets may be lost, duplicated, delayed, or delivered out of order
– Connectionless: every packet is handled independently
– Best-effort: no quality guarantee

34 The IP protocol will
– Define the format of the IP packet
– Routing
– Determine
  Packet processing procedures
  Error reporting and handling procedures

35 IP encapsulation
In Ethernet, the frame type for IP is 0x0800
IP header IP Data

36 IP format

37 Details of IP packet
– Vers: current version is 4
– HLEN: header length in 32-bit words. Usually 5 (20 bytes); max can be 60 bytes (IP options)
– Type of service: usually all 0 (best effort), can be used for diffserv and QoS
– Total length: 16 bits can represent a 64K-byte-long packet

38 Identification, flags, and offset: used for fragmentation and reassembly (later)
TTL: time to live: number of routers a packet can pass.
– Every router reduces this value by one. When it reaches 0, the packet is discarded.
– Can be used to prevent routing loops
– Use TTL to implement traceroute

39 Type: the high level protocol the IP packet contains: ICMP (0x01), TCP (0x06), UDP (0x11)
Header checksum
Example: an ICMP packet b/w and Header length is 20 bytes.
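
An added example, not part of the original slides: a Python decoder for the fixed IPv4 header fields listed on slides 37 to 39, including verification of the header checksum. The sample header, its addresses and the function names are constructed for illustration.

```python
import struct

PROTOCOLS = {0x01: "ICMP", 0x06: "TCP", 0x11: "UDP"}  # Type values from the slides

def checksum(data):
    """One's-complement of the one's-complement sum of the 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_header(packet):
    """Decode the fixed IPv4 header and verify its checksum."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum 20-byte header")
    (ver_hlen, tos, total_len, ident, flags_off,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hlen = ver_hlen >> 4, (ver_hlen & 0x0F) * 4  # HLEN counts 32-bit words
    if version != 4 or not 20 <= hlen <= len(packet):
        raise ValueError("not IPv4 or bad header length")
    return {
        "header_len": hlen, "tos": tos, "total_len": total_len, "id": ident,
        "dont_fragment": bool(flags_off & 0x4000),
        "more_fragments": bool(flags_off & 0x2000),
        "frag_offset": (flags_off & 0x1FFF) * 8,  # offset field is in 8-byte units
        "ttl": ttl, "protocol": PROTOCOLS.get(proto, hex(proto)),
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        # a valid header, checksum field included, sums to 0xFFFF, so this yields 0
        "checksum_ok": checksum(packet[:hlen]) == 0,
    }

def sample_header(ttl=64, proto=0x01):
    """Constructed 20-byte ICMP-carrying header (documentation-range addresses)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0x1C46, 0x4000, ttl, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def forward_without_update(header):
    """Model a hop that decrements TTL but forgets to recompute the checksum."""
    return header[:8] + bytes([header[8] - 1]) + header[9:]
```

Because TTL is covered by the header checksum, every router that decrements it must also update the checksum; forward_without_update shows the header failing verification when that step is skipped.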

41 IP header options
– Record route option
  Intermediate routers will attach their IP address to the packet
– Timestamp option
  Intermediate routers attach a 32-bit timestamp
– Source routing option
  Strict source routing
  Loose source routing: allow multiple hops between routers