Module 9: TCP/IP Layers and Vulnerabilities

Modified by: Ahmad Al Ghoul
Philadelphia University
Faculty of Administrative & Financial Sciences
Business Networking & System Management Department
Room Number 32406
E-mail Address: ahmad4_2_69@hotmail.com

Network Security, Philadelphia University, Ahmad Al-Ghoul, 2010-2011

Module Objectives

- Map the TCP/IP protocol suite to the seven-layer Open Systems Interconnection (OSI) communication model
- Review the four-layer DARPA model
- Review the TCP/IP communications flow
- Identify the types of attacks that can occur at the Network Interface layer
- Identify the types of attacks that can occur at the Internet layer
- Identify the types of attacks that can occur at the Transport layer
- Identify the types of attacks that can occur at the Application layer

Basic TCP/IP Principles

Computers communicate with each other to request and share information. When one computer communicates with another, an application running on the source computer forms a request that can be serviced by an application running on the destination computer. The two applications must be written to understand what is being requested and what is being returned.

To communicate across the same network, the two computers must be configured to form similar information packets, made up of data bits, that can be placed on the network and received by the correct destination computer. To communicate across multiple networks, such as when communicating with another computer across the Internet, the packet must be formed in a manner that will be understood by all of the computers that receive and forward it. There must also be a unique identifier for the source computer and a unique identifier for the destination computer, to ensure that the communication reaches the correct destination computer.
When two computers communicate across the Internet, any number of intermediate computers, called routers, must receive the data packet, read the addressing information, and determine whether the destination computer is local to that router or whether the packet needs to be transmitted to another router for delivery to the destination computer.

What Is TCP/IP?

TCP/IP is the suite of protocols used to communicate on the Internet. Each protocol of the TCP/IP protocol suite is associated with a layer of the seven-layer OSI communications model, which is an International Organization for Standardization (ISO) standard. The seven layers are the Physical layer, Data Link layer, Network layer, Transport layer, Session layer, Presentation layer, and Application layer. The TCP/IP protocols are shown with their respective layers in the following figure.

[Figure: TCP/IP protocols mapped to the seven OSI layers]

Reviewing the Four-Layer DARPA Model

The four-layer DARPA model is a collection of protocols that was originally developed in 1968 by BBN Technologies, which was hired by the Defense Advanced Research Projects Agency (DARPA) to establish a packet-switched network between research institutions in the United States. At the time, functionality and performance were of greater concern than security. Rather than breaking communications into seven layers, as the ISO OSI model specifies, the DARPA model presents four layers. The next figure shows the general mapping between the four-layer DARPA model and the seven-layer OSI model.

[Figure: mapping between the four-layer DARPA model and the seven-layer OSI model]
Reviewing the TCP/IP Communications Flow

Any time one computer needs to communicate with another, a sequence of steps is followed. For this example, we relate Web browsing to the TCP/IP communications flow. When a user at a computer wants to access a Web page, he or she typically starts a Web browser application and types the name of the Web site he or she wishes to visit. The browser generates a request to have the Web site name resolved to an IP address. The browser then attempts to establish communications with that Web site. The information that is passed from the upper layers of the DARPA model to the lower layers is packaged for delivery by each necessary protocol as it goes down through the TCP/IP stack. When the datagram (one packet, or unit, of information, along with relevant delivery information such as the destination address, that is sent through a packet-switching network) reaches the destination, the packet is passed up the TCP/IP stack and the process is reversed. The next figure represents this communications process.

[Figure: the TCP/IP communications process, down the sender's stack and up the receiver's]

When application data is sent from one computer to another:

1. The information is passed from the Application layer to the Transport layer.
2. The Transport layer protocols consider the Application layer information as the payload (or data) that needs to be delivered and create a header that contains information such as the source and destination port, to help with delivery of the information to the destination computer. That information is passed to the Internet layer.
3. The Internet layer protocols consider the Transport layer information as the payload that needs to be delivered and create an IP header that contains information such as the destination IP address, to help with delivery of the datagram to the destination computer. That information is passed to the Network Interface layer.
4. The Network Interface layer protocols consider the Internet layer information as the payload that needs to be delivered and create a preamble and a frame header, which contains the source and destination MAC addresses, to help with delivery of the datagram to a destination on the local network once it arrives, and trailer information, called a checksum, that contains the count of the number of bits in a transmission so that the receiver can ensure the packet did not get damaged in transit. A checksum is an error detection method that is used to determine if a single-bit error occurred in transmission. The information is then placed on the local network.

At the Destination

1. When the information reaches the destination computer, the Network Interface layer protocols strip the preamble and checksum from the packet and then pass the payload to the Internet layer.
2. The Internet layer protocols strip the IP header from the packet and pass the payload to the Transport layer.
3. The Transport layer protocol strips the TCP or UDP header and passes the payload to the Application layer.
4. The application that is specified to manage that data receives the data.

TCP/IP Layers and Vulnerabilities

Having reviewed the four communication layers used with the TCP/IP suite, and being able to identify the information that is contained in an IP datagram, you should now consider the types of attacks that might occur at each level.
This is not meant to be a comprehensive list; rather, it provides you with an understanding of the types of attacks that can occur at different levels.

Identifying Possible Network Interface Layer Attacks

At the Network Interface layer, the packet of information that is placed on the wire is known as a frame. The frame is comprised of three areas: the header, the payload, and the FCS (frame check sequence). Because the Network Interface layer is used for communications on a local network, the attacks that occur at this level would be carried out on local networks.

Network Interface Layer Attacks

MAC address spoofing. The header contains the MAC addresses of the source and destination computers and is required to successfully send a directed message from a source computer to a destination computer. Attackers can easily spoof the MAC address of another computer. Any security mechanism based on MAC addresses is vulnerable to this type of attack.

Denial of service (DoS). A DoS attack overloads a single system so that it cannot provide the service it is configured to provide. An ARP protocol attack could be launched against a computer to overwhelm it, which would make it unavailable and so compromise the C-I-A triad.

ARP cache poisoning. The ARP (Address Resolution Protocol, a TCP/IP protocol for determining the hardware address, or physical address, of a node on a local area network connected to the Internet) cache stores in memory the MAC (Media Access Control) addresses of computers on the local network that have been contacted within a certain amount of time. If incorrect, or spoofed, entries are added to the ARP cache, the computer is not able to send information to the correct destination.
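The sender's four encapsulation steps and the receiver's reverse steps, together with the header/payload/FCS frame layout just described, as an added worked example that is not part of the original module: it wraps a UDP segment in an IPv4 datagram and then in an Ethernet-style frame, and strips each layer again, verifying the IP header checksum and the FCS (modelled here with CRC-32) so that a frame damaged in transit is rejected. The MAC addresses, IP addresses and payload are constructed sample values.

```python
import socket
import struct
import zlib

# Constructed sample addresses; not from the original slides.
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "192.0.2.10", "192.0.2.20"
PREAMBLE = b"\x55" * 7 + b"\xd5"  # 7 preamble bytes plus the start-frame delimiter

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(payload: bytes, sport: int, dport: int) -> bytes:
    """Sender steps 1-4: Application -> Transport (UDP) -> Internet (IPv4) -> Network Interface."""
    # Transport layer: header with source/destination port and length (UDP checksum 0 = not used).
    segment = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    # Internet layer: IPv4 header (ver/IHL, TOS, total length, id, flags/offset, TTL, proto 17=UDP,
    # checksum placeholder, addresses); the header checksum is filled in afterwards.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, 17, 0,
                     socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    # Network Interface layer: preamble, frame header (MACs + EtherType IPv4) and a CRC-32 FCS trailer.
    eth = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + ip + segment
    return PREAMBLE + eth + struct.pack("<I", zlib.crc32(eth))

def decapsulate(frame: bytes) -> dict:
    """Receiver steps 1-4 in reverse: each layer strips its header and verifies what it can."""
    if not frame.startswith(PREAMBLE):
        raise ValueError("missing preamble")
    eth, fcs = frame[len(PREAMBLE):-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(eth)) != fcs:
        raise ValueError("FCS mismatch: frame damaged or tampered with in transit")
    dst_mac, src_mac = eth[:6], eth[6:12]
    ethertype = struct.unpack("!H", eth[12:14])[0]
    ip = eth[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip_checksum(ip[:ihl]) != 0:  # a valid header sums to zero
        raise ValueError("bad IPv4 header")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    segment = ip[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", segment[:8])
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ethertype": ethertype,
            "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
            "proto": proto, "sport": sport, "dport": dport, "payload": segment[8:ulen]}
```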
Identifying Possible Internet Layer Attacks (1)

At the Internet layer, IP datagrams are formed. The datagram is comprised of two areas: the header and the payload. Some of the ways the Internet layer can be exploited to compromise the C-I-A triad include the following:

IP address spoofing. If the IP header fields and lengths are known, the IP address in the IP datagram can be easily discovered and spoofed. Any security mechanism based on the source IP address is vulnerable to this attack.

Man-in-the-middle attacks. This attack occurs when a hacker places himself or herself between the source and destination computers in such a way that neither notices his or her presence. Meanwhile, the attacker can modify packets or simply view their contents.

Identifying Possible Internet Layer Attacks (2)

DoS. With a DoS attack at this level, simple IP-level protocols and utilities can be exploited to overload a computer, thus breaking the C-I-A triad.

Incorrect reassembly of fragmented datagrams. For fragmented datagrams, the Offset field is used during packet reassembly. If the offset is changed, the datagram is reformed incorrectly. This could allow a datagram that would typically not pass through a firewall to gain access to your internal network, and could disrupt the C-I-A triad.

Corrupting packets. Because IP datagrams can pass through several computers between the source and destination, the information in the IP header fields is read and sometimes modified, such as when the datagram reaches a router. If the packet is intercepted, the information in the header can be modified, corrupting the IP datagram. This could cause the datagram to never reach the destination computer, or it could change the protocol and payload information in the datagram.
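The fragment-reassembly problem described above, seen from the receiving host or firewall, as an added example that is not from the original module: a reassembler that refuses overlapping fragments, gaps, missing final fragments and a first fragment too small to hold the transport header, instead of rebuilding whatever datagram a manipulated Offset field would produce. The Fragment class and the 16-byte minimum first-fragment size are assumptions of this example.

```python
from dataclasses import dataclass

MIN_FIRST_FRAGMENT = 16  # first fragment must carry the whole transport header (cf. RFC 1858)

@dataclass
class Fragment:
    ident: int    # IP Identification field, shared by every fragment of one datagram
    offset: int   # Fragment Offset field, in 8-byte units
    more: bool    # MF flag: more fragments follow
    data: bytes

class ReassemblyError(ValueError):
    """Raised instead of silently building a datagram from inconsistent fragments."""

def reassemble(frags):
    """Rebuild one datagram from its fragments. Overlaps and gaps are rejected outright
    (the policy many firewalls apply), so a retransmitted duplicate is also refused."""
    if len({f.ident for f in frags}) != 1:
        raise ReassemblyError("fragments belong to different datagrams")
    frags = sorted(frags, key=lambda f: f.offset)
    if frags[0].offset != 0:
        raise ReassemblyError("first fragment (offset 0) is missing")
    if frags[0].more and len(frags[0].data) < MIN_FIRST_FRAGMENT:
        raise ReassemblyError("tiny first fragment: transport header split across fragments")
    expected = 0                      # next byte offset the reassembled buffer needs
    buf = bytearray()
    for i, f in enumerate(frags):
        start = f.offset * 8
        last = i == len(frags) - 1
        if f.more and len(f.data) % 8:
            raise ReassemblyError("non-final fragment length is not a multiple of 8")
        if last == f.more:            # only the last fragment may have MF clear
            raise ReassemblyError("MF flag inconsistent with fragment position")
        if start < expected:
            raise ReassemblyError(f"overlapping fragment at byte {start}")
        if start > expected:
            raise ReassemblyError(f"gap before byte {start}")
        buf += f.data
        expected = start + len(f.data)
    return bytes(buf)
```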
Identifying Possible Transport Layer Attacks (1)

At the Transport layer, either a UDP header or a TCP header is added to the message. The application that is requesting the service determines which protocol will be used. Some of the ways the Transport layer can be exploited to compromise the C-I-A triad include the following:

Manipulation of the UDP or TCP ports. By knowing the UDP and TCP header fields and lengths, the ports that are used for communications between a source and destination computer can be identified, and that information can be corrupted or exploited.

Identifying Possible Transport Layer Attacks (2)

DoS. With a DoS attack at this level, simple IP-level protocols and utilities can be exploited to overload a computer, thus breaking the C-I-A triad. For instance, by knowing the steps involved in a three-way TCP handshake, a hacker or cracker might send the packets in the incorrect order and disrupt the availability of one of your servers. An example of this is a SYN flood, where a hacker sends a large number of SYN packets to a server and leaves the sessions half open. The server leaves these sessions half-open for a prescribed amount of time. If the hacker is successful in opening all available sessions, legitimate traffic will be unable to reach the server.

Session hijacking. This kind of attack occurs after a source and destination computer have established a communications link. A third computer disables the ability of one of the computers to communicate, and then imitates that computer. Because the connection has already been established, the third computer can disrupt your C-I-A triad.
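The SYN-flood scenario above from the defender's side, as an added example not taken from the original module: it replays a constructed sequence of client-side SYN and ACK events as a sensor would see them and raises an alert the first time the number of half-open handshakes toward one server exceeds a threshold. The event tuple format, the window and the threshold are assumptions of this example.

```python
# Constructed sample of TCP segment events seen at a sensor: (time_s, src_ip, dst_ip, dst_port, flags).
# Not taken from the slides. A real client completes the three-way handshake with its ACK.
EVENTS = [
    (0.00, "198.51.100.5", "192.0.2.20", 80, "S"),
    (0.05, "198.51.100.5", "192.0.2.20", 80, "A"),
    (0.50, "198.51.100.6", "192.0.2.20", 80, "S"),
    (0.55, "198.51.100.6", "192.0.2.20", 80, "A"),
]
# Burst of SYNs from many different sources that never send the completing ACK.
EVENTS += [(1.0 + i * 0.01, f"203.0.113.{i}", "192.0.2.20", 80, "S") for i in range(1, 41)]

def half_open_alerts(events, window=5.0, threshold=20):
    """Return one (time, dst_ip, count) alert per server the first time its half-open
    handshakes exceed `threshold`. `window` models the server's own timeout for
    half-open sessions, so stale entries stop counting just as they would on the host."""
    pending = {}                 # (src, dst, port) -> time of the SYN that opened the session
    alerted, alerts = set(), []
    for t, src, dst, port, flags in sorted(events):
        key = (src, dst, port)
        if "S" in flags and "A" not in flags:
            pending[key] = t
        elif "A" in flags:
            pending.pop(key, None)   # the client's ACK completes the handshake
        for k in [k for k, ts in pending.items() if t - ts > window]:
            del pending[k]           # the server would have timed these out
        count = sum(1 for (_, d, _) in pending if d == dst)
        if count > threshold and dst not in alerted:
            alerted.add(dst)
            alerts.append((t, dst, count))
    return alerts
```

Because each spoofed source contributes a single SYN, counting per destination rather than per source is what makes the flood visible.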
Identifying Possible Application Layer Attacks (1)

Application layer attacks can be some of the most difficult to protect against because they take advantage of vulnerabilities in applications and of end users' lack of knowledge about computer security. Some of the ways the Application layer can be exploited to compromise the C-I-A triad include the following:

E-mail application exploits. Attachments can be added to e-mail messages and delivered to a user's inbox. The user can open the e-mail message and run the attached application. The attachment might do immediate damage, or might lie dormant and be used later. Similarly, hackers often embed malicious code in Hypertext Markup Language (HTML) formatted messages. Exploits of this nature might take advantage of a vulnerability in the client's e-mail application or of a lack of user knowledge about e-mail security concerns.

Identifying Possible Application Layer Attacks (2)

Web browser exploits. When a client computer uses a Web browser to connect to a Web server and download a Web page, the content of the Web page can be active. That is, the content is not just static information, but can be executable code. If the code is malicious, it can be used to disrupt the C-I-A triad.

FTP client exploits. File Transfer Protocol (FTP) is used to transfer files from one computer to another. When a client has to provide a user name and password for authentication, that information can be sent across the Internet in plain text. The information can be captured at any point along the way. If the client uses the same user name and password that they use to attach to your corporate servers, that information could be obtained by a hacker or cracker and used to access your company's information.