TCP Security Vulnerabilities Phil Cayton CSE 581 2002.

Papers Reviewed
1. C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, D. Zamboni, "Analysis of a Denial of Service Attack on TCP"
2. S. Bellovin, "Security Problems in the TCP/IP Protocol Suite"
3. S. Bellovin, "Defending against Sequence Number Attacks"
4. S. Bellovin, "Packets Found on an Internet"
5. R. Morris, "A Weakness in the 4.2BSD Unix TCP/IP Software"

Topics
– SYN Flooding
– Sequence Number Prediction
– Source Routing Attacks
– Routing Information Protocol Attacks
– Internet Control Message Protocol Attacks
– Comprehensive Defenses

SYN Flooding
– Attacker sends many connection requests w/ spoofed source addresses to victim
– Victim allocates resources for each request
  Finite # half-open connection requests supported
  Connection requests exist for TIMEOUT period
– Once resources exhausted, all other requests rejected
[Figures: Normal connection establishment; SYN Flooding attack]

SYN Flooding Defenses
– System Configuration Improvements
  Reduce timeout period
  Increase length of backlog queue to support more connections
  Disable non-essential services to make a smaller target
– Router Configuration Improvements
  Configure router external interfaces to block packets with source addresses from the internal network
  Configure router internal interfaces to block packets to the outside that have source addresses from outside the internal network
– Cryptographically sign IP source addresses of all packets
  Does not prevent SYN Floods
  Allows for tracing of flood attack back to source
  Possible deterrent?
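The two router rules above, written out as a forwarding decision (an added example, not from the slides; the internal prefixes and the sample packets are constructed for it):

```python
import ipaddress

# Constructed for this example: the address space the site owns (assumed prefixes).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def allow_packet(interface, src):
    """Decide whether a packet arriving on `interface` may be forwarded.

    'external' = arriving from the Internet: drop it if it claims an internal source,
                 the spoof that makes the victim's SYN-ACKs go nowhere.
    'internal' = arriving from the site's own hosts, bound for outside: drop it unless
                 the source is one the site owns, so the site cannot launch spoofed floods.
    """
    if interface == "external":
        return not is_internal(src)
    if interface == "internal":
        return is_internal(src)
    raise ValueError("unknown interface: %r" % interface)

def filter_packets(packets):
    """Apply the rule to (interface, src, dst) tuples; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for interface, src, dst in packets:
        (forwarded if allow_packet(interface, src) else dropped).append((interface, src, dst))
    return forwarded, dropped

# Constructed sample traffic: two spoofed packets and two legitimate ones.
SAMPLE = [
    ("external", "10.0.0.77", "10.0.0.5"),        # outside packet claiming an inside source
    ("external", "203.0.113.9", "10.0.0.5"),      # ordinary inbound connection attempt
    ("internal", "192.168.1.20", "203.0.113.9"),  # normal outbound traffic
    ("internal", "198.51.100.3", "203.0.113.9"),  # inside host spoofing an outside address
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE)
    print("forwarded:", fwd)
    print("dropped:", drp)
```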

SYN Flooding Defenses: Firewall as a Relay
– Firewall answers on behalf of Destination
– Once connection established, firewall predicts seq # and establishes 2nd connection to Destination
– Disadvantage: Adds delay for every packet

SYN Flooding Defenses: Firewall as a Semi-transparent Gateway
– Forges the 3rd handshake message (ACK) from the client to the destination
– This moves the connection out of the backlog queue, freeing resources
– If this is an attack, no "real" ACK will happen
  Destination will send RST packet terminating connection
– If this is an actual connection request, the eventual ACK will be ignored as a duplicate
– Disadvantages:
  Large # illegitimate open connections if system under attack
  Must very carefully choose timeout periods

[Figures: Attack w/ semi-transparent gateway; Legit connection w/ semi-transparent gateway]

SYN Flooding Defenses: Active Monitor
– Program that promiscuously monitors and injects network traffic to/from machines it is protecting
– Monitors net for SYN packets not acknowledged after a certain period of time
– If it detects problems with a half-open connection it can
  Send RST packets to the sender to release destination resources
  Complete the TCP connections by sending the ACK message
– Similar to Semi-Transparent gateways
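The detection half of the active monitor, replayed over a constructed capture (an added example, not the monitor from the Schuba et al. paper; the timeout and threshold values are assumptions):

```python
from collections import defaultdict

TIMEOUT = 3.0    # seconds an unanswered SYN is tolerated (assumed value for this example)
THRESHOLD = 5    # stale half-open flows per destination that we call a flood (assumed)

def track_half_open(packets):
    """Replay (time, src, sport, dst, dport, flags) records in order and return
    {client_flow: syn_time} for every handshake that never completed."""
    half_open = {}
    for t, src, sport, dst, dport, flags in packets:
        flow = (src, sport, dst, dport)
        if flags == "S":                       # client SYN opens a half-open entry
            half_open.setdefault(flow, t)
        elif flags == "A":                     # client's third-step ACK completes it
            half_open.pop(flow, None)
        elif flags == "R":                     # RST from either direction tears it down
            half_open.pop(flow, None)
            half_open.pop((dst, dport, src, sport), None)
        # "SA" (the server's SYN-ACK) changes nothing: the entry stays half-open
    return half_open

def stale_flows(half_open, now, timeout=TIMEOUT):
    """Half-open flows that have outlived the timeout: the monitor's trigger."""
    return sorted(f for f, t in half_open.items() if now - t > timeout)

def flood_targets(stale, threshold=THRESHOLD):
    """Group stale flows by the server they aim at; a pile-up on one server is the flood."""
    per_target = defaultdict(int)
    for _, _, dst, dport in stale:
        per_target[(dst, dport)] += 1
    return {k: n for k, n in per_target.items() if n >= threshold}

def release_actions(stale):
    """The slide's first remedy: a RST toward the server, sent on behalf of the client
    that never answered, frees the backlog slot. Described as strings here."""
    return ["RST to %s:%d as %s:%d" % (dst, dport, src, sport)
            for src, sport, dst, dport in stale]

# Constructed capture: six SYNs from never-answering sources plus one real handshake.
CAPTURE = [(0.1 * i, "203.0.113.%d" % (10 + i), 40000 + i, "10.0.0.5", 80, "S")
           for i in range(6)]
CAPTURE += [(0.2, "198.51.100.7", 51000, "10.0.0.5", 80, "S"),
            (0.25, "10.0.0.5", 80, "198.51.100.7", 51000, "SA"),
            (0.3, "198.51.100.7", 51000, "10.0.0.5", 80, "A")]
CAPTURE.sort(key=lambda p: p[0])

if __name__ == "__main__":
    stale = stale_flows(track_half_open(CAPTURE), now=5.0)
    print(flood_targets(stale), release_actions(stale))
```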

Sequence Number Prediction: Normal connection establishment
C → S: SYN(ISN_C)
S → C: SYN(ISN_S), ACK(ISN_C)
C → S: ACK(ISN_S)
C → S: data  and/or  S → C: data

Sequence Number Prediction: Attack
– Predict the correct sequence number the destination machine will use
  Not impossible: initiate a legitimate connection and then extrapolate the next sequence number from the known granularity & rate of change
– Spoof dest. machine
  X → S: SYN(ISN_X), SRC = T
  S → T: SYN(ISN_S), ACK(ISN_X)
  X → S: ACK(ISN_S), SRC = T
  X → S: ACK(ISN_S), SRC = T, nasty-data

Sequence Number Prediction: What about the ACK back to the fake source machine?
– Bring it down
– SYN Flood it until it throws away packets and will ignore the ACK

Sequence Number Prediction: Defenses
– Randomize the ISN increment
– ISN determined by a cryptographic hash function on some secret data
– Only trust hosts on the same physical net
  Train gateways to reject packets that claim to come from directly connected networks but do not
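Why the hashed ISN defeats the extrapolation described above, shown side by side with the global-clock scheme (an added example, not code from Bellovin's paper; the tick values, addresses and the per-boot secret are constructed):

```python
import hashlib
import hmac
import os

MASK = 0xFFFFFFFF
# Per-boot secret an observer cannot see (constructed here; a kernel would draw it at boot).
SECRET = os.urandom(16)

def naive_isn(ticks, src, sport, dst, dport):
    """Classic 4.2BSD-style ISN: one global clock shared by every connection.
    Whoever learns one ISN and the clock rate can extrapolate the next."""
    return ticks & MASK

def hashed_isn(ticks, src, sport, dst, dport, secret=SECRET):
    """Bellovin's defense (RFC 1948 style): ISN = clock + F(4-tuple, secret).
    Each 4-tuple gets its own fixed offset, so ISNs still advance with the clock
    for one 4-tuple (old duplicates stay harmless) but are unrelated across 4-tuples."""
    tuple_bytes = ("%s:%d>%s:%d" % (src, sport, dst, dport)).encode()
    offset = int.from_bytes(hmac.new(secret, tuple_bytes, hashlib.sha256).digest()[:4], "big")
    return (ticks + offset) & MASK

def extrapolate(seen_isn, seen_ticks, target_ticks):
    """The guess an observer makes after seeing one ISN: add the clock advance."""
    return (seen_isn + (target_ticks - seen_ticks)) & MASK

def guess_succeeds(isn_fn):
    """Observer opens a legitimate connection at tick 1_000_000, then predicts the ISN
    the server hands a different client 1000 ticks later."""
    t0, t1 = 1_000_000, 1_001_000
    seen = isn_fn(t0, "10.0.0.5", 80, "203.0.113.9", 40000)   # server's ISN to the observer
    real = isn_fn(t1, "10.0.0.5", 80, "10.0.0.9", 40001)        # server's ISN to another host
    return extrapolate(seen, t0, t1) == real

def same_tuple_advance(isn_fn, delta=5000):
    """How far the ISN moves between two connections on the same 4-tuple."""
    a = isn_fn(100, "10.0.0.5", 80, "10.0.0.9", 40001)
    b = isn_fn(100 + delta, "10.0.0.5", 80, "10.0.0.9", 40001)
    return (b - a) & MASK

if __name__ == "__main__":
    print("naive predictable:", guess_succeeds(naive_isn))    # True
    print("hashed predictable:", guess_succeeds(hashed_isn))  # False
```

Both schemes advance by exactly the clock delta on a repeated 4-tuple, which is what keeps old duplicate segments from being accepted; only the hashed one breaks the link between different 4-tuples.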

Source Routing Attacks
Attack
– If destination hosts use the reverse of the source route provided in the TCP open request to return traffic:
  Fake the source address of a packet
  Pretend to be a trusted machine on the net
Defenses
– Train gateways to reject external packets that claim to be from the local net
  Can backfire if Trusted net → backbone → trusted net
– Reject pre-authorized connections if source routing info is present
– Only accept if only trusted gateways are listed in the source routing info

Routing Information Protocol (RIP) Attacks
Attack
– Intruder sends bogus routing information to a target and each of the gateways along the route
  Impersonates an unused host
  – Diverts traffic for that host to the intruder's machine
  Impersonates a used host
  – All traffic to that host routed to the intruder's machine
  – Intruder inspects packets & resends to host w/ source routing
  – Allows capturing of unencrypted passwords, data, etc.

Routing Information Protocol (RIP) Attacks
Defenses
– Paranoid gateway
  Filters packets based on source and/or destination addresses
– Don't accept new routes to local networks
  Messes with fault-tolerance but detects intrusion attempts
– Authenticate RIP packets
  Difficult in a broadcast protocol
  Only allows for authentication of the prior sender and doesn't address information from a deceived gateway upstream

Internet Control Message Protocol (ICMP) Attacks
Attack
– Targeted Denial of Service (DoS)
  Attacker sends ICMP Redirect message to give a bogus route
  Attacker sends Destination Unreachable or TTL Exceeded messages to reset existing connections
  Attacker sends fraudulent Subnet Mask Reply messages
– Blocks communication with target
Defenses
– Verify ICMP packet contains a plausible sequence #
– Don't modify Global Route Table due to ICMP Redirect messages
– Disallow ICMP Redirects?
– Check to see if multiple ICMPs from a host agree
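The first defense above, the plausibility check on the sequence number an ICMP error quotes, as a receiver-side function (an added example, not from the slides; the connection table and the ICMP messages are constructed, and only IPv4 without options carrying TCP is handled):

```python
import ipaddress
import struct

ICMP_DEST_UNREACH, ICMP_REDIRECT, ICMP_TIME_EXCEEDED = 3, 5, 11

# Constructed local connection table:
# (local_ip, local_port, remote_ip, remote_port) -> (snd_una, snd_nxt)
CONNECTIONS = {
    ("10.0.0.5", 443, "198.51.100.20", 51234): (1000, 1400),
}

def build_icmp_error(icmp_type, code, src, dst, sport, dport, seq):
    """Constructed ICMP error: 8-byte ICMP header, then the quoted IPv4 header (no options)
    and the first 8 bytes of the TCP header of the segment being complained about."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp8 = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip_hdr + tcp8

def icmp_error_is_plausible(msg, connections=CONNECTIONS):
    """Act on the error only if it quotes a segment this host actually sent on a live
    connection with a sequence number inside the not-yet-acknowledged window.
    Redirects are never accepted, per the slide's later two defenses."""
    if len(msg) < 8 + 20 + 8 or msg[0] not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return False
    ip = msg[8:28]
    if (ip[0] >> 4) != 4 or (ip[0] & 0x0F) * 4 != 20 or ip[9] != 6:
        return False                          # only IPv4 without options carrying TCP
    src = str(ipaddress.ip_address(ip[12:16]))  # quoted segment was sent by us ...
    dst = str(ipaddress.ip_address(ip[16:20]))  # ... toward the remote peer
    sport, dport, seq = struct.unpack("!HHI", msg[28:36])
    window = connections.get((src, sport, dst, dport))
    if window is None:
        return False                          # names a connection we do not have
    snd_una, snd_nxt = window
    # modulo-2^32 test for snd_una <= seq < snd_nxt, so it survives sequence wrap
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)

if __name__ == "__main__":
    genuine = build_icmp_error(3, 1, "10.0.0.5", "198.51.100.20", 443, 51234, 1200)
    forged = build_icmp_error(3, 1, "10.0.0.5", "198.51.100.20", 443, 51234, 5000)
    print(icmp_error_is_plausible(genuine), icmp_error_is_plausible(forged))  # True False
```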

Comprehensive Defenses
Authentication
– Preauthorize connections using session keys
  DNS provides structure/redundancy to support this
  Must use encrypted key distribution request/response
Encryption
– Link-level Encryption
  Encrypt each packet as it leaves the host
  Doesn't work well for broadcast packets
  Not end-to-end, so must have trusted gateways
– Multi-point Link Encryption
  Physical device. Interfaces w/ Key Distribution Center for keys
– Application Level End-to-End Encryption
  Lots of overhead, many more correspondent pairs at this level

Comprehensive Defenses: Trusted Systems
– Reject all source-address authenticated packets
– Turn off netstat/finger services
– Encode TCP/IP Security headers with the process's security level
– Only allow connection requests to succeed if at appropriate security level
– Only allow packet transfers over links at or above security level
– Does not prevent captured traces used against targets
– Does not protect against RIP spoofing

Summary
– Turn off non-essential services that give away information
  Finger, Netstat, etc.
– Increase memory of machines & length of backlog queue
– Use an Active Monitor to try and minimize damage
– Randomize sequence # increment and/or cryptographically determine ISN

Discussion?