1 CSCD 434 Lecture 3 Network Protocol Vulnerabilities Spring 2012

2 Outline
Today
– Define general attacks on network protocols
– Define why protocols are vulnerable
– Look at attacks on network protocols: TCP, UDP, IP, ICMP, ARP
Next time
– Other protocols: BGP/DNS
– Discussion of papers

3 History of Network Protocols
Infrastructure protocols were designed when security concerns were almost non-existent
– Trust was assumed
Recall the early history of the Internet
– Connected major universities with government labs... in fact, commercial use was at first prohibited
– Main goal for the DARPA Internet Program: share large service machines on ARPANET
Many protocol specifications focused only on the operational aspects of the protocols
– Overlooked security implications... Hey, we're all friends!!

4 Vulnerabilities in Protocols
During the last twenty years, many vulnerabilities have been identified in the TCP/IP stacks of a number of systems
Protocol weaknesses are due to:
– Design of a given protocol, and
– Daily operation and configuration

5 Protocol Attack Techniques
Sniffing Traffic
– Eavesdropping on a network
– “Wiretap” programs... name one program
– Wireless networks: easy to see all the traffic, put the NIC into monitor mode
– Wired networks: the NIC needs to be in promiscuous mode
  Must do ARP spoofing or another attack to get all packets forwarded to you
– Can only see traffic from the subnet you are tapped into

6 Protocol Attack Techniques
Flooding or Denial of Service
– Preventing legitimate clients from receiving service
– Sending too many bogus requests to a server
– Tying up the server with malformed packets or packets out of sequence

7 Protocol Attack Techniques
Spoofing
– Spoofing is faking parts of a packet
– Usually, the address of the source
– Can do spoofing for many different protocols
Illegal Packets
– Unexpected values in some of the fields
– Cause a machine to hang or crash
  Example: src address and port = dest address and port
  Illegal combination of flags in the TCP protocol
  Huge ping packet - “Ping of Death”

8 Which Protocols
TCP/IP Protocol Suite
– Application Layer - DNS
– Transport Layer - UDP/TCP
– Network Layer - IP/ICMP/BGP
– Data Link Layer - ARP

9 TCP/IP Problems
Steve Bellovin
– AT&T Bell Labs researcher
– One of the first to publicize problems in the TCP/IP protocols
– Wrote his original paper in 1989
– Documented many problems
– Some problems no longer relevant

10 Problems Summary
Steve Bellovin
– TCP sequence numbers not random
  Can be predicted, leads to IP spoofing attacks
– Trusted hosts
  Used remote Linux utilities to violate trust
  Hardly ever used these days.. we won't cover it
– ICMP messages
  Used them to perform DoS, routing redirection
– Routing protocols
  RIP, BGP have authentication problems
– Domain name servers
  Not secure

11 TCP/IP Problems
Look at a few of the problems
– IP spoofing/TCP protocol problems
– ICMP attacks
– ARP cache poisoning

12 TCP/IP Suite Problems
Problems
– Can you think of some problems with the design of the TCP/IP suite?
– IP addresses are not validated
– Hosts cannot be authenticated
– Trivial to spoof packets as coming from a trusted host
– Remote utilities assume trust between hosts
– Encryption not typically used, and not for headers

13 First.... TCP Review
SYN - First packet in a connection, indicates the host wants a connection
ACK - Used throughout the entire connection to ACKnowledge previously received packets
FIN - Used to indicate the sender is FINished sending data, the connection can be ended
RST - Sent whenever a host receives an unexpected packet, such as an ACK without ever having received a SYN. Resets the connection

14 TCP Handshake
Client C and server S; S starts out Listening
1. C -> S: SYN, seq = C
2. S -> C: SYN, seq = S, ACK C+1 (S stores the connection data and waits)
3. C -> S: ACK S+1 (Connected)

15 TCP SYN Flooding
How does it work?

16 TCP Layer Attacks
TCP SYN Flooding
– Exploits the state allocated at the server after the initial SYN packet
– Send SYN and don’t reply with ACK
– Server will wait for 75 seconds for the ACK
– Finite queue size for incomplete connections (1024)
– Once the queue is full, the server doesn’t accept requests

17 SYN Flooding
Client C, server S Listening; S stores data for each half-open connection
C -> S: SYN C1
C -> S: SYN C2
C -> S: SYN C3
C -> S: SYN C4
C -> S: SYN C5

18 SYN Flooding
Attacker sends many connection requests
– Spoofed source addresses of machines that are not on-line
Victim allocates resources for each request
– Connection request exists until timeout
– Fixed bound on half-open connections
DoS -> future requests rejected

19 SYN Flood Solution
TCP SYN cookies
General idea
– Client sends SYN w/ ACK number
– Server responds to the client with a SYN-ACK cookie
  sqn = f(src addr, src port, dest addr, dest port, random seed)
  Server does not save state
– Honest client responds with ACK(sqn+1)
– Server checks the response
– If it matches the SYN-ACK, establishes the connection
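A worked server side for the SYN-cookie idea on this slide, added here as an illustration and not code from the lecture: the cookie packs a 5-bit time counter and a 24-bit keyed hash of the 4-tuple into the SYN-ACK sequence number, so the server keeps no per-SYN state and simply recomputes the cookie when the client's ACK arrives. The secret, the counter period and the bit layout are assumptions (the 3 bits a real implementation spends on an MSS index are left zero).

```python
import hashlib
import hmac
import time

# Constructed server secret (assumption); a real stack rotates its secret periodically.
SECRET = b"constructed-syn-cookie-secret"
COUNTER_PERIOD = 64     # seconds per tick of the 5-bit time counter
MAX_COUNTER_AGE = 2     # accept cookies minted within the last 2 ticks

def _counter(now):
    """5-bit time counter; wraps every 32 ticks."""
    return int(now // COUNTER_PERIOD) & 0x1F

def _hash24(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash of the 4-tuple and counter: the f(...) on the slide."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, now=None):
    """Sequence number for the SYN-ACK: counter in bits 27-31, hash in bits 0-23.
    Bits 24-26 (MSS index in real implementations) are left zero here."""
    now = time.time() if now is None else now
    c = _counter(now)
    return (c << 27) | _hash24(src_ip, src_port, dst_ip, dst_port, c)

def check_syn_cookie(ack_num, src_ip, src_port, dst_ip, dst_port, now=None):
    """Validate the client's ACK (ack_num should be cookie + 1) with no stored state."""
    now = time.time() if now is None else now
    cookie = (ack_num - 1) & 0xFFFFFFFF
    c = cookie >> 27
    if ((_counter(now) - c) & 0x1F) > MAX_COUNTER_AGE:
        return False        # cookie too old, or the counter field was forged
    return (cookie & 0xFFFFFF) == _hash24(src_ip, src_port, dst_ip, dst_port, c)

if __name__ == "__main__":
    t = 1000.0
    sqn = make_syn_cookie("10.0.0.5", 40000, "10.0.0.1", 80, now=t)
    print("honest ACK accepted:", check_syn_cookie(sqn + 1, "10.0.0.5", 40000, "10.0.0.1", 80, now=t + 10))
    print("ACK replayed from another source:", check_syn_cookie(sqn + 1, "10.0.0.6", 40000, "10.0.0.1", 80, now=t + 10))
```

Because nothing is stored per SYN, a flood of half-open requests costs the server only the hash computations; the price is that options carried in the original SYN are lost unless encoded in the cookie, which is why real implementations reserve bits for the MSS.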

20 More TCP
TCP uses flags for state coordination

Gets      Sends     Gets   Comment
SYN       SYN-ACK   ACK    Normal connection
SYN/ACK   RST       -      Out of sequence
FIN/ACK   RST       -      Out of sequence

21 Steps in a TCP/IP Spoof Attack
Steps in general
– Eve: evil machine; Alice and Bob: innocent machines. Eve will violate the trust between Alice and Bob
– Alice and Bob have a trusted relationship
– Eve must figure out how the ISN of Bob’s machine changes
– She is going to spoof Alice’s IP address and pretend she is Alice
– Eve also needs to prevent Alice from sending a TCP Reset, which would drop the connection to Bob
– Eve will then establish a real connection with Bob

22 Steps in a TCP/IP Spoof Attack
Steps in detail
– Eve: evil machine; Alice and Bob: innocent machines
1. Eve sends many SYN packets to Bob without spoofing, using her real IP address
   Tries to determine the rate at which ISNs from Bob’s machine are changing with time
2. Eve launches a DoS attack against Alice: SYN flood
   Alice is overwhelmed for a time with traffic
   This prevents Alice from sending a Reset to Bob, which would result in Bob dropping the spoofed connection
   Why would Alice send a Reset to Bob?

23 Steps in a TCP/IP Spoof Attack
Players: Alice, Eve, Bob
1. Eve -> Bob: many TCP connections, get the ISN sequence
2. Eve -> Alice: DoS against Alice, SYN flood

24 Steps in a TCP/IP Spoof Attack
Steps in detail
3. Eve initiates a connection to Bob using Alice’s IP address
4. Bob responds with SYN-ACK and his ISN
   This gets routed to Alice, which normally would have responded with a RST, but she is busy with the SYN attack
5. Using info from step 1, Eve sends an ACK to Bob with ISN B + 1 using Alice’s IP address
   Eve won’t see Bob’s response and ISN B sent to Alice
   If the guess is correct, she begins a TCP connection pretending to be Alice

25 Steps in a TCP/IP Spoof Attack
Players: Alice, Eve, Bob
1. Eve -> Bob: many TCP connections, ISN sequence
2. Eve -> Alice: DoS against Alice, SYN flood
3. Eve -> Bob (as Alice): sends SYN (A, ISN A)
4. Bob -> Alice: sends ACK (A, ISN A + 1), SYN (B, ISN B)
5. Eve -> Bob (as Alice): sends ACK (B, ISN B + 1)

26 TCP Sequence Numbers
Need a high degree of unpredictability
– If the attacker knows the initial sequence number and the amount of traffic sent, they can estimate the likely current values
– Send a flood of packets with likely sequence numbers
– Attacker can inject packets into an existing connection
– Most systems allow for a large window of acceptable sequence numbers -> much higher success probability

27 TCP ISN Prediction Tools
Nice paper on TCP attacks: http://osvdb.org/ref/04/04030-SlippingInTheWindow_v1.0.doc
Good sequence number prediction tools include:
– Mendax
  Go to http://www.packetstormsecurity.nl and search for Mendax
– Dsniff http://monkey.org/~dugsong/dsniff/
– Spoofit.h http://www.isk.kth.se/~waseem/DK/lab/spoofit.h

28 TCP/IP Spoofing Attacks
The question is
– Are these attacks still feasible today, 14 or 15 years later?
– See the question in Assignment 2

29 More TCP Attacks
Illegal Packets
– Send a segment with both the SYN and FIN bits set
– Victim host processes the SYN flag first
  Generates a reply segment with the corresponding ACK flag set, and performs a state transition to the state SYN-RCVD
– Then processes the FIN flag, performs a transition to the state CLOSE-WAIT, and sends the ACK segment back to the attacker... no more packets are sent from the attacker
– Victim connection gets stuck in this state until the keep-alive timer expires

30 More TCP Attacks
Illegal Packets
– Attackers inject an RST segment into an existing TCP connection, causing it to be closed
– The TCP Reset attack is possible because
  a TCP endpoint must accept out-of-order packets that are within the range of the window size, and
  Reset flags should be processed immediately
– How would this work?

31 TCP Reset Attack
Established TCP connection from host A to host B
– Now, a third host, C, spoofs a packet that matches the source port and IP address of host A,
  the destination port and IP address of host B, and the current sequence number of the active TCP connection between host A and host B
– Host C sets the RST bit on the spoofed packet, so when it is received by host B, host B immediately terminates the connection
– This results in a denial of service, until the connection can be reestablished
http://kerneltrap.org/node/3072
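An added illustration (not from the lecture or the linked kernel discussion) of why the receive window is what makes the reset attack practical, and of the RFC 5961 mitigation that later narrowed it: the legacy check closes the connection on any in-window RST, while the RFC 5961 check closes only on an exact sequence match and answers an in-window but inexact RST with a challenge ACK. The connection state and the numbers are constructed.

```python
from dataclasses import dataclass

MOD = 1 << 32   # sequence numbers are 32-bit and wrap around

@dataclass
class TcpConn:
    """Constructed receive-side state of an established connection."""
    rcv_nxt: int    # next sequence number expected from the peer
    rcv_wnd: int    # receive window currently advertised to the peer

def in_window(conn, seq):
    """True if seq falls in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return ((seq - conn.rcv_nxt) % MOD) < conn.rcv_wnd

def handle_rst_legacy(conn, seq):
    """Pre-RFC 5961 endpoint: any in-window RST closes the connection (slide 30)."""
    return "close" if in_window(conn, seq) else "drop"

def handle_rst_rfc5961(conn, seq):
    """RFC 5961 section 3.2: close only on an exact match. An in-window but
    inexact RST gets a challenge ACK, which a genuine peer (whose own state is
    really gone) answers with a RST carrying the exact expected sequence number;
    an off-path spoofer never sees that challenge."""
    if seq == conn.rcv_nxt:
        return "close"
    if in_window(conn, seq):
        return "challenge-ack"
    return "drop"

def blind_rst_coverage(rcv_wnd):
    """How many sequence numbers a blind spoofer must send, per 4-tuple, to be sure
    one lands: one per window position under the legacy rule (ceiling of
    2^32 / window), versus the whole 2^32 space once exact matching is required."""
    return -(-MOD // rcv_wnd), MOD

if __name__ == "__main__":
    conn = TcpConn(rcv_nxt=1000, rcv_wnd=65535)
    print("legacy, in-window guess:", handle_rst_legacy(conn, 30000))
    print("RFC 5961, in-window guess:", handle_rst_rfc5961(conn, 30000))
    print("coverage (legacy, RFC 5961):", blind_rst_coverage(conn.rcv_wnd))
```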

32 IP Source Routing Abuse
Routing Information Protocol (RIP)
– Used to propagate routing information on local networks
– Routers need to exchange information using routing protocols
– Typically will exchange information every so many seconds
– IP source routing feature
  Allows the source machine to specify the path the packet will take through the network

33 Internet Protocol
Connectionless
– Unreliable
– Best effort
A datagram is
– Header
– Data
Specify options
– Source route

IPv4 header layout (as drawn on the slide):
Version | Header Length | Type of Service | Total Length
Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address of Originating Host
Destination Address of Target Host
Options | Padding
IP Data

34 IP Source Routing Abuse
Attack in general - example of MITM (Man-In-The-Middle) attacks
– Send bogus routing information trying to impersonate a particular host
– Want packets to be sent to the attacker’s machine
– Attacker can intercept packets and gain passwords, credit card numbers or other sensitive information

35 Steps in Source Route Attack
Attack steps (same players: Eve, Alice and Bob)
1. Eve generates packets with a fake source route
2. Packets claim to come from Alice
3. Source route includes Eve’s IP
   Eve looks like a router between Alice and Bob
4. Bob is the destination
5. Routers between Eve and Bob read the source route and deliver packets to Bob via Eve

36 Steps in Source Route Attack
Players: Alice, Eve, Bob
Packet claiming to be from Alice, with route: 1. Alice 2. Eve 3. Bob
Bob’s reply packet, with route: 1. Bob 2. Eve 3. Alice

37 Steps in Source Routing Abuse
Attack steps
1. Bob responds by sending packets through Eve to Alice
2. Eve never forwards packets to Alice, and doesn’t even need to do a DoS on Alice
Comment
– This attack doesn’t work across the Internet
– Most gateways block source-routed packets
– Yet, not blocked on internal networks
– Insiders can get away with this type of attack

38 Other Routing Vulnerabilities

39 ICMP
What is the ICMP protocol used for?
– Internet Control Message Protocol (ICMP)
– Mostly... used to send error messages
– Requested service is not available, or the host or router could not be reached
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

40 ICMP Messages
0 Echo Reply
3 Destination Unreachable
4 Source Quench
5 Redirect
8 Echo Request
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply

41 ICMP Messages
Destination Unreachable message
– ICMP message generated by a host or its inbound gateway to inform the client
– Destination is unreachable for some reason
– Destination Unreachable message may be generated as a result of a TCP, UDP or another ICMP transmission

42 ICMP Messages
Source Quench
– Message requests the sender to decrease the traffic rate of messages to a router or host
– Message may be generated if the router or host does not have sufficient buffer space to process the request, or
– May occur if the router or host’s buffer is approaching its limit

43 ICMP Attacks
Attacks reported in Bellovin paper
– ICMP Redirect message
  Used by gateways to advise hosts of better routes
  Abused in the same way as RIP
  However, more constraints on its use
  – Tied to an existing connection
  – Must only be sent from the first gateway to the originating host

44 ICMP Attacks
Attacks reported in Bellovin paper
– ICMP Redirect message
1. Host C sends a SYN packet to S via A, a router
2. Before the packet can get there, host X, our attacker, sends an ICMP redirect for host X to C, spoofing the address of A
3. C now redirects packets to X
4. X forwards packets to S to avoid suspicion


46 ICMP Attacks
ICMP current attacks
– ICMP Redirect
  Still a threat if not ignored
  Current recommendation is to turn off redirects on Cisco routers
  Routing protocol takes care of best paths; hosts should ignore ICMP redirect messages

47 ICMP Attacks
More current attacks: other ways ICMP is used to compromise
ICMP Source Quench
– Slows down transmission of traffic, essentially performing a partial DoS on itself
ICMP DoS
– Attacker could use either ICMP Time Exceeded or Destination Unreachable messages
– Both messages can cause a host to drop a connection
– Attacker can simply forge one of these ICMP messages and send it to one or both communicating hosts... their connection will then be broken

48 ICMP Attacks
More attacks
SMURF attack
– Generate a ping stream (ICMP echo request)
– Sent to the network broadcast address
– Spoofed source IP set to the victim host
– Every host on the ping target network will generate a ping reply (ICMP echo reply)
– Amplified ping reply stream can easily overwhelm the victim’s network connection

49 Smurf Attack

50 ARP Cache Poisoning
What's the problem?
– No authentication !!!!!
– Ethernet was designed without ANY authentication technology whatsoever
– So it is trivial for ANY computer with access to an Ethernet LAN to re-route any other computer's traffic through itself, simply by impersonating one or more other computers
– One computer can re-route ALL of the LAN's traffic through itself
– Monitor and edit or alter anything sent to or received from any other machine on the local network

51 ARP Cache Poisoning
How does ARP work normally?
– Packet comes in through the router, has an IP address
– If there is no known MAC address in the ARP table
– Sends a broadcast to all of the computers on the LAN
  Asks which computer has the IP address of the packet the gateway is trying to forward
– Broadcast ARP Request is received by every computer on the Ethernet LAN
– Each computer checks to see whether the IP is its own
– Computer finding a match will send an ARP Reply back to the requesting device

52 ARP Cache Poisoning
How is the cache poisoned?
– Receipt of an ARP reply causes the receiving computer to add the newly received information to its ARP cache
– If the gateway computer receives a SPOOFED ARP REPLY from the attacking computer claiming it was assigned the IP that belonged to some other computer
  Gateway would trustingly and blindly REPLACE its current correct entry with the misleading replacement!
  And, sending an ARP reply to the computer being hijacked would replace its ARP entry for the gateway computer
– Subsequent traffic bound for the gateway would instead be sent to the attacking computer

53 ARP Cache Poisoning
Replace both ARP entries with the attacker's MAC address and gain access to all of Green's traffic

54 Solutions for ARP Cache Poisoning
No universal defense. Use static ARP entries
– Cannot be updated
– Spoofed ARP replies are ignored
– ARP table needs a static entry for each machine on the network
– Large overhead
  Deploying these tables
  Keeping the table up-to-date

55 Solutions for ARP Cache Poisoning
Arpwatch
– A free UNIX program that listens for ARP replies on a network
– Builds a table of IP/MAC associations and stores it in a file
– When a MAC/IP pair changes, an email is sent to an administrator
RARP (Reverse ARP)
– Requests the IP of a known MAC
– Detect MAC cloning
– Cloning can be detected if multiple replies are received for a single RARP request
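An Arpwatch-style monitor, as an added example that is not Arpwatch's own code: it builds the IP/MAC table from ARP replies and raises an alert when an IP's MAC changes, and also when one MAC comes to hold several IPs, which is what the gateway-plus-victim poisoning on the previous slides looks like on the wire. The ARP reply records are constructed.

```python
from collections import defaultdict

# Constructed ARP reply records (time, sender IP, sender MAC): the fields an
# Arpwatch-style monitor keys on. Not real captures.
ARP_REPLIES = [
    (1.0, "192.168.1.1",  "00:11:22:33:44:01"),  # gateway announces itself
    (1.5, "192.168.1.20", "00:11:22:33:44:20"),  # a workstation
    (2.0, "192.168.1.1",  "00:11:22:33:44:01"),  # repeat, unchanged: no alert
    (9.0, "192.168.1.1",  "DE:AD:BE:EF:00:99"),  # gateway IP now maps to a new MAC
    (9.1, "192.168.1.20", "DE:AD:BE:EF:00:99"),  # same MAC also claims the workstation
]

def monitor_arp(replies):
    """Build the IP->MAC table and return alerts: ("changed", t, ip, old, new) when an
    IP's MAC flips, ("multi-ip", t, mac, ips) when one MAC holds more than one IP."""
    table = {}
    ips_per_mac = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()                        # normalise case before comparing
        old = table.get(ip)
        if old is not None and old != mac:
            alerts.append(("changed", t, ip, old, mac))
            ips_per_mac[old].discard(ip)         # the old MAC no longer owns this IP
        table[ip] = mac
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)
            if len(ips_per_mac[mac]) > 1:
                alerts.append(("multi-ip", t, mac, tuple(sorted(ips_per_mac[mac]))))
    return table, alerts

if __name__ == "__main__":
    _, found = monitor_arp(ARP_REPLIES)
    for alert in found:
        print(*alert)
```

Legitimate events (a DHCP lease handed to a different host, a replaced NIC, a host that carries several virtual IPs) produce the same alerts, so they are for an administrator to review rather than a trigger for automatic blocking.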

56 ARP Cache Poisoning Tools
ettercap http://ettercap.sf.net
– Poisoning
– Sniffing
– Hijacking
– Filtering
– SSH v.1 sniffing (transparent attack)
dsniff http://www.monkey.org/~dugsong/dsniff
– Poisoning
– Sniffing
– SSH v.1 sniffing (proxy attack)

57 Conclusion
TCP/IP was never designed to be a secure protocol
– Architecture flaw: sequence numbers have no security properties
– IP addresses - no authentication
– Supporting protocols can be subverted: ICMP, DNS, BGP
Some problems have been fixed
– Less address authentication being used
– More crypto protocols for remote login, e-mail, web browsers

58 End
Next time
– There will be a lab next week
– Finish network protocol vulnerabilities
– Read papers, do the questions

