Presentation is loading. Please wait.

Presentation is loading. Please wait.

ITIS 6167/8167: Network and Information Security Weichao Wang.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "ITIS 6167/8167: Network and Information Security Weichao Wang."— Presentation transcript:

1 ITIS 6167/8167: Network and Information Security Weichao Wang

2 2 Contents ARP protocol and ARP poisoning –How ARP works –ARP poisoning –Security impacts –Mitigation mechanisms IP fragmentation and attacks –IP fragmentation –Attacks –Mitigation mechanisms

3 3

4 4 Ethernet address Layered model of Internet Separation of IP address and physical address How does IP routing works –Example

5 5 IP address –32 bits (IPv4) Ethernet address –48 bits –Different hardware vendors get different chunk of addresses –Can be broadcast or unicast address –Mapping b/w IP and Ethernet address can change

6 6 IP routing needs the mapping b/w IP addresses and physical addresses –Static mapping (proNET or token ring) Physical address = f (IP address) –Dynamic binding More flexible Needs a protocol to accomplish this task – Address Resolution Protocol (ARP)

7 7 Ethernet frame format Preamble and CRC: only used by hardware and users will not see them Frame-type: 0x0800 (IP), 0x0806 (ARP), 0x8035 (RARP) Data part: 46 to 1500 octets

8 8 Example of ethernet packet

9 9 Destination physical address: 02 07 01 00 27 ba Source physical address 08 00 2b 0d 44 a7 Protocol type: 0800 (IP) More details of the packet: this is an ICMP packet

10 10

11 11 ARP protocol Motivation –Ethernet card only needs to recognize ethernet address –Upper layer (IP) only knows IP address –Routing table entry –The user have to map the IP address to physical address

12 12 ARP protocol –Machine A want to send a packet to B, but only know B’s IP address –Machine A broadcast an ARP request with B’s IP address (using broadcast physical address) –All nodes receive the request –B replies with its physical address –Machine A adds the address into its ARP cache –A sends packets to B

13 13

14 14 ARP encapsulation In ethernet, frame type for ARP is 0x0806 ARP packet

15 15 ARP packet format when used with Ethernet

16 16 The format is general enough to work with different physical address and protocol address Details of ARP packet (Fixed length part) –Hardware type (2 bytes): 1 for ethernet –Protocol type (2 bytes): 0x0800 for IP –HLEN (1 byte): hardware address length. 6 for ethernet –PLEN (1 byte): protocol address length. 4 for IP –Operation (2 bytes): 1=ARP req, 2=ARP reply, 3=RARP req, 4=RARP reply

17 17 Varying parts of ARP packets –Sender’s physical address: 6 byte in our example –Sender’s protocol address: 4 byte –Target’s hardware address: 6 byte –Target’s protocol address: 4 byte

18 18 ARP cache –To reduce ARP overhead, the machine keeps a cache for recently got IP-PHY address mapping –Cache has a limited size: replacement policy –ARP entry has a lifetime: why do not we keep it forever??

19 19 How does the node learn ARP information –From received ARP request –From received ARP reply (no matter they have sent a ARP request or not) (depend on OS) –Gratuitous message: both the source and destination address are the same Used to detect IP conflict When physical address changes, use this to notify other nodes after reboot

20 20

21 21 ARP poisoning Potential attack to ARP –There is no protection on the mapping b/w Physical and IP address –An example attack: if ARP cache is poisoned, the packet going to node A will be sent to Node B’s physical address, and node B will get them. –Is this the same as promiscuous mode? Not really

22 22 Two simple and not-so-effective MAC address attacks –Poison a switch by sending out an ethernet packet with the target’s physical address as the source of the packet. The switch tries to learn from the packet. –Problems The real node also sends out packet Static configuration of switches

23 23 Attack 2: –Sends out ARP reply and tries to beat the real node –Problem: the conflict is relatively easy to detect

24 24 ARP cache poisoning –Through ARP poisoning, the packets targeting at node A may be sent to node B –Methods to poison ARP cache ARP request ARP reply Gratuitous packets –Instead of broadcast, we can use unicast to poison node

25 25 Examples of attacks –Send a unicast ARP request to poison ARP cache –Send a unicast ARP reply to poison ARP cache

26 26 Which systems are vulnerable to ARP poisoning? –Windows 9x, NT, 2000, XP –Solaris 8 –Linux Kernel 2.2 and 2.4 –Cisco IOS 12 –Nokia IPSO 3.5

27 27

28 28 Complicated attacks and their impacts Man-in-the-middle attack –Cheat both sides of a connection and get access to the traffic b/w them –The malicious node will forward packets to both sides to avoiding detection –Disable attacker’s ICMP redirect functionality –Microsoft IE certificate can be compromised by this attack

29 29 Hijacking HTTP connections and run a manipulated web server through MiM attacks Escaping firewall –Some companies use IP based authentication and only allow a few IP addresses to get out (HTTP server, mail server) –Through ARP poisoning, you can bypass the firewall

30 30 DoS attacks –After poisoning the ARP cache, discard all packets sent to you –Using a non-existing physical address to poison ARP cache Poisoning a SMTP relaying server to send out junk mails

31 31 Defending against ARP poisoning –Network IDS: detect duplicate IP address or flip-flop of the IP-PHY bindings –Host IDS: maintain a record of IP-PHY bindings, detect abnormal changes of the bindings (arpwatch in UNIX) –Do not use IP-address based authentication

32 32

33 33 IP protocol and fragmentation IP layer provides the fundamental service in Internet: unreliable, connectionless, and best-effort based packet delivery –Unreliable: packet may lost, duplicated, delayed, out of order –Connectionless: every packet is handled independently –Best-effort: no quality guarantee

34 34 IP protocol will –Define the format of IP packet –Routing –Determine Packet processing procedures Error reporting and handling procedures

35 35 IP encapsulation In ethernet, frame type for IP is 0x0800 IP header IP Data

36 36 IP format

37 37 Details of IP packet –Vers: current version is 4 –HLEN: header length in 32 bit word. Usually is 5 (20 byte), max can be 60 bytes (IP options) –Type of services: usually all 0 (best effort), can be used for diffserv and QoS –Total length: 16 bit can represent 64K byte long packet

38 38 Identification, flags, and offset: used for fragmentation and reassemble (later) TTL: time to live: number of routers a packet can pass. –Every router will reduce this value by one. When reach 0, the packet will be discarded. –Can be used to prevent routing loop –Use TTL to implement traceroute

39 39 Type: the high level protocol the IP packet contains: ICMP (0x01), TCP (0x06), UDP (0x11) Header checksum Example: an ICMP packet b/w 128.10.2.3 and 128.10.2.8. Header length is 20 bytes.

40 40

41 41 IP header options –Record route option Intermediate routers will attach their IP address to the packet –Timestamp option Intermediate router attach 32 bit timestamp –Source routing option Strict source routing Loose source routing: allow multiple hops b/w routers

Download ppt "ITIS 6167/8167: Network and Information Security Weichao Wang."

Similar presentations

IPv4 - The Internet Protocol Version 4

IPv4 - The Internet Protocol Version 4
Computer Networks21-1 Chapter 21. Network Layer: Address Mapping, Error Reporting, and Multicasting 21.1 Address Mapping 21.2 ICMP 21.3 IGMP 21.4 ICMPv6.

Computer Networks21-1 Chapter 21. Network Layer: Address Mapping, Error Reporting, and Multicasting 21.1 Address Mapping 21.2 ICMP 21.3 IGMP 21.4 ICMPv6.
ARP: Address Resolution Protocol

ARP: Address Resolution Protocol
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
1 K. Salah Module 5.2: Internet Protocol CO vs. CL protocols IP Features –Fragmentation –Routing IP Datagram Format IPv6.

1 K. Salah Module 5.2: Internet Protocol CO vs. CL protocols IP Features –Fragmentation –Routing IP Datagram Format IPv6.
1 Internetworking Outline Best Effort Service Model Global Addressing Scheme.

1 Internetworking Outline Best Effort Service Model Global Addressing Scheme.
Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn 2004-2005.

Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn
CS335 Networking & Network Administration Tuesday, May 11, 2010.

CS335 Networking & Network Administration Tuesday, May 11, 2010.
Spring 2002CS 4611 Internetworking Outline Best Effort Service Model Global Addressing Scheme.

Spring 2002CS 4611 Internetworking Outline Best Effort Service Model Global Addressing Scheme.
Institute of Technology Sligo - Dept of Computing Semester 2 Chapter 9 The TCP/IP Protocol Suite Paul Flynn.

Institute of Technology Sligo - Dept of Computing Semester 2 Chapter 9 The TCP/IP Protocol Suite Paul Flynn.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Chapter 20 Network Layer Protocols: ARP, IPv4, ICMPv4, IPv6, and ICMPv6.

McGraw-Hill©The McGraw-Hill Companies, Inc., Chapter 20 Network Layer Protocols: ARP, IPv4, ICMPv4, IPv6, and ICMPv6.
Chapter 19 Binding Protocol Addresses (ARP) Chapter 20 IP Datagrams and Datagram Forwarding.

Chapter 19 Binding Protocol Addresses (ARP) Chapter 20 IP Datagrams and Datagram Forwarding.
21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
IP Routing, Format, Fragmentation Chapters 20-21, 23.

IP Routing, Format, Fragmentation Chapters 20-21, 23.
26-Aug-154/598N: Computer Networks Recap SBC UUNET Comcast Sprint www.yahoo.com www.cnn.com End Users Internet First mile problem Last mile problem.

26-Aug-154/598N: Computer Networks Recap SBC UUNET Comcast Sprint End Users Internet First mile problem Last mile problem.
Mapping Internet Addresses to Physical Addresses (ARP)

Mapping Internet Addresses to Physical Addresses (ARP)
ITIS 6167/8167: Network Security Weichao Wang. 2 Contents ICMP protocol and attacks UDP protocol and attacks TCP protocol and attacks.

ITIS 6167/8167: Network Security Weichao Wang. 2 Contents ICMP protocol and attacks UDP protocol and attacks TCP protocol and attacks.
TELE202 Lecture 10 Internet Protocols (2) 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »Internet Protocols (1) »Source: chapter 15 ¥This Lecture »Internet.

TELE202 Lecture 10 Internet Protocols (2) 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »Internet Protocols (1) »Source: chapter 15 ¥This Lecture »Internet.
© Janice Regan, CMPT 128, 2007-2012 0 CMPT 371 Data Communications and Networking Network Layer ICMP and fragmentation.

© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking Network Layer ICMP and fragmentation.
TCOM 509 – Internet Protocols (TCP/IP) Lecture 03_a

TCOM 509 – Internet Protocols (TCP/IP) Lecture 03_a

Similar presentations

Ads by Google