Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Network Security

advertisement 
Computer Security
CS 426
Lecture 33
Network Security (1)
CS426
Fall 2010/Lecture 33
1
Network Protocols Stack
Application
Application protocol
TCP protocol
Transport
p
Application
Transport
p
Network
IP protocol
IP
IP protocol
Network
Link
Data
Link
Network
Access
Data
Link
Link
CS426
Fall 2010/Lecture 33
2
Types
yp of Addresses in Internet
• Media Access Control (MAC) addresses in the network
access layer
– Associated w/ network interface card (NIC)
– 48 bits or 64 bits
• IP addresses for the network layer
y
– 32 bits for IPv4, and 128 bits for IPv6
– E.g., 128.3.23.3
• IP addresses + ports for the transport layer
– E.g., 128.3.23.3:80
• Domain names for the application/human layer
– E.g., www.purdue.edu
CS426
Fall 2010/Lecture 33
3
Routing and Translation of
Addresses
• T
Translation
l ti b
between
t
IP addresses
dd
and
d MAC
addresses
– Address Resolution Protocol (ARP)
(
) for
f IPv4
– Neighbor Discovery Protocol (NDP) for IPv6
• Routing with IP addresses
– TCP, UDP, IP for routing packets, connections
– Border Gateway Protocol for routing table updates
• Translation between IP addresses and domain
names
– Domain
o a Name
a e Syste
System ((DNS)
S)
CS426
Fall 2010/Lecture 33
4
Threats in Networking
g
• Confidentiality
C fid ti lit
– Packet sniffing
• Integrity
– Session hijacking
• Availability
– Denial of service attacks
• Common
– Address translation poisoning attacks
– Routing attacks
CS426
Fall 2010/Lecture 33
5
Concrete Security
y Problems
• ARP iis nott authenticated
th ti t d
– APR spoofing (or ARP poisoning)
• Network packets pass by untrusted hosts
– Packet sniffing
• TCP state can be easy to guess
– TCP spoofing
p
g attack
• Open access
– Vulnerable to DoS attacks
• DNS is not authenticated
– DNS poisoning
i
i attacks
tt k
CS426
Fall 2010/Lecture 33
6
Address Resolution Protocol (ARP)
(
)
• Primarily used to translate IP addresses to Ethernet MAC
addresses
– The device drive for Ethernet NIC needs to do this to send a
packet
• Also used for IP over other LAN technologies, e.g., FDDI,
or IEEE 802.11
• Each host maintains a table of IP to MAC addresses
• Message types:
– ARP request
– ARP reply
– ARP announcement
CS426
Fall 2010/Lecture 33
7
http://www.netrino.com/Embedded-Systems/How-To/ARP-RARP
CS426
Fall 2010/Lecture 33
8
ARP Spoofing
p
g (ARP
(
Poisoning)
g)
• Send fake or 'spoofed'
'spoofed', ARP messages to an Ethernet
LAN.
– To have other machines associate IP addresses with the
attacker’s MAC
• Defenses
– static ARP table
– DHCP snooping (use access control to ensure that hosts only
use the IP addresses assigned to them
them, and that only authorized
DHCP servers are accessible).
– detection: Arpwatch (sending email when updates occur),
• Legitimate use
– redirect a user to a registration page before allow usage of the
network
t
k
CS426
Fall 2010/Lecture 33
9
IP
Internet Protocol
Version
• Connectionless
C
ti l
– Unreliable
– Best effort
Flags
Fragment Offset
Time to Live
Protocol
Header Checksum
• Transfer datagram
– Header
– Data
Header Length
Type of Service
T t l Length
Total
L th
Identification
Source Address of Originating Host
Destination Address of Target Host
Options
P ddi
Padding
IP Data
CS426
Fall 2010/Lecture 33
10
IP Routing
g
Meg
Office gateway
Packet
121.42.33.12
121 42 33 12
Source 121.42.33.12
Destination 132.14.11.51
5
Sequence
Tom
132 14 11 1
132.14.11.1
ISP
132 14 11 51
132.14.11.51
121.42.33.1
• Internet routing uses numeric IP address
• Typical route uses several hops
CS426
Fall 2010/Lecture 33
11
Packet Sniffing
g
• Promiscuous Network Interface Card reads all
packets
– Read all unencrypted
yp
data ((e.g.,
g , “ngrep”)
g p)
– ftp, telnet send passwords in clear!
Eve
Alice
Network
P
Prevention:
ti
E
Encryption
ti
CS426
Bob
(IPSEC TLS)
(IPSEC,
Fall 2010/Lecture 33
12
User Datagram
g
Protocol
• IP provides
id routing
ti
– IP address gets datagram to a specific machine
• UDP separates traffic by port (16-bit number)
– Destination port number gets UDP datagram to
particular application process, e.g., 128.3.23.3:53
– Source port number provides return address
• Minimal guarantees
– No acknowledgment
– No flow control
– No message
g continuation
CS426
Fall 2010/Lecture 33
13
Transmission Control Protocol
• Connection-oriented, preserves order
– Sender
• Break data into packets
• Attach sequence numbers
– Receiver
• Acknowledge receipt; lost packets are resent
• Reassemble packets in correct order
Book
Mail each page
Reassemble book
1
19
5
1
CS426
Fall 2010/Lecture 33
1
14
TCP Sequence
q
Numbers
• Sequence number (32 bits) – has a dual role:
– If the SYN flag is set, then this is the initial sequence number.
The sequence
q
number of the actual first data byte
y is this
sequence number plus 1.
– If the SYN flag is clear, then this is the accumulated sequence
number of the first data byte of this packet for the current session
session.
• Acknowledgment number (32 bits) –
– If the ACK flag is set then this the next sequence number that the
receiver is expecting.
– This acknowledges receipt of all prior bytes (if any).
CS426
Fall 2010/Lecture 33
15
TCP Handshake
C
S
SYN (seq=x)
Listening
Store data
SYN ACK (ack
(ack=x+1
x+1 seq
seq=y)
y)
ACK (ack=y+1,seq=x+1)
CS426
Fall 2010/Lecture 33
Wait
Connected
16
TCP sequence
q
p
prediction attack
• Predict the sequence number used to identify the packets
in a TCP connection, and then counterfeit packets.
• Adversary: do not have full control over the network
network, but
can inject packets with fake source IP addresses
– E.g.,
g , control a computer
p
on the local network
• TCP sequence numbers are used for authenticating
packets
• Initial seq# needs high degree of unpredictability
– If attacker knows initial seq # and amount of traffic sent, can
estimate likely current values
– Some implementations are vulnerable
CS426
Fall 2010/Lecture 33
17
Blind TCP Session Hijacking
j
g
• A, B trusted connection
Server A
– Send packets with predictable seq
numbers
• E impersonates B to A
E
B
– Opens
Ope s connection
co ect o to A to get initial
ta
seq number
– DoS B’s queue
– Sends
S d packets
k
to A that
h resemble
bl
B’s transmission
– E cannot receive,, but mayy execute
commands on A
Attack can be blocked if E is outside firewall.
firewall
CS426
Fall 2010/Lecture 33
18
Risks from Session Hijacking
j
g
• Inject data into an unencrypted server
server-to-server
to server traffic
traffic,
such as an e-mail exchange, DNS zone transfers, etc.
• Inject
j
data into an unencrypted
yp
client-to-server traffic,,
such as ftp file downloads, http responses.
• IP addresses often used for preliminary checks on
fi
firewalls
ll or att th
the service
i llevel.
l
• Hide origin of malicious attacks.
• Carry out MITM attacks on weak cryptographic protocols
protocols.
– often result in warnings to users that get ignored
• Denial of service attacks, such as resetting the
connection.
CS426
Fall 2010/Lecture 33
19
DoS vulnerability caused by
session hijacking
• S
Suppose attacker
tt k can guess seq. number
b for
f an
existing connection:
– Attacker can send Reset packet to
close connection. Results in DoS.
– Naively,
N i l success prob.
b iis 1/232 (32-bit
(32 bit seq. #’
#’s).
)
– Most systems allow for a large window of
acceptable seq
seq. #’s
#s
• Much higher success probability.
• Attack is most effective against long lived
connections, e.g. BGP.
CS426
Fall 2010/Lecture 33
20
Categories of Denial-of-service
Attacks
Stopping services
Exhausting resources
• Process killing
• Spawning processes
to fill the process table
Locally • Process crashing
• System reconfiguration • Filling up the whole
file system
fil
• Saturate comm
b d idth
bandwidth
• Malformed packets to • Packet floods
(Smurf SYN flood
(Smurf,
flood,
Remotely
R
t l crash buggy services
DDoS, etc)
CS426
Fall 2010/Lecture 33
21
SYN Flooding
g
C
S
SYNC1
SYNC2
SYNC3
Listening
Store data
SYNC4
SYNC5
CS426
Fall 2010/Lecture 33
22
SYN Flooding
g
• Attacker sends many connection requests
– Spoofed source addresses
• Victim allocates resources for each request
– Connection requests exist until timeout
– Old implementations have a small and fixed bound on
half-open connections
• Resources exhausted  requests rejected
• No more effective than other channel capacity
capacitybased attack today
CS426
Fall 2010/Lecture 33
23
Smurf DoS Attack
1 ICMP Echo Req
Src: Dos Target
Dest: brdct addr
DoS
Source
3 ICMP Echo Reply
Dest: Dos Target
gateway
DoS
Target
• S
Send
d ping
i requestt tto broadcast
b d
t addr
dd (ICMP E
Echo
h R
Req))
• Lots of responses:
– E
Every h
hostt on target
t
t network
t
k generates
t a ping
i reply
l (ICMP
Echo Reply) to victim
– Ping
g reply
p y stream can overload victim
Prevention: reject external packets to broadcast address
CS426
Fall 2010/Lecture 33
24
Internet Control Message
g Protocol
• Provides feedback about network operation
– Error reporting
– Reachability testing
– Congestion Control
• Example message types
–
–
–
–
–
–
CS426
Destination unreachable
Time-to-live
Time
to live exceeded
Parameter problem
Redirect to better gateway
Echo/echo reply - reachability test
Timestamp request/reply - measure transit delay
Fall 2010/Lecture 33
25
Distributed DoS (DDoS)
(
)
CS426
Fall 2010/Lecture 33
26
Hiding
g DDoS Attacks
• Reflection
R fl ti
– Find big sites with lots of resources, send packets with
spoofed source
so rce address
address, response to victim
ictim
• PING => PING response
• SYN => SYN-ACK
SYN ACK
• Pulsing zombie floods
– each
h zombie
bi active
ti b
briefly,
i fl th
then goes d
dormant;
t
– zombies taking turns attacking
– making tracing difficult
ff
CS426
Fall 2010/Lecture 33
27
Cryptographic
yp g p network protection
p
• Solutions above the transport layer
– Examples: SSL and SSH
– Protect against session hijacking and injected data
– Do not protect against denial-of-service attacks caused by
spoofed packets
• Solutions at network layer
– Use cryptographically random ISNs [RFC 1948]
– More
M
generally:
ll IP
IPsec
– Can protect against
• session hijacking and injection of data
• denial-of-service attacks using session resets
CS426
Fall 2010/Lecture 33
28
Readings
g for This Lecture
• Optional Reading
• Steve Bellovin: A Look Back at
“S
“Security
it P
Problems
bl
iin th
the
TCP/IP Protocol Suite”
CS426
Fall 2010/Lecture 33
29
Coming
g Attractions …
• DNS S
Security
it
CS426
Fall 2010/Lecture 33
30
Related documents
PPT
PPT
PPT
PPT
PPT
PPT
REFERENCE MODELS FOR COMPUTER NETWORKS
REFERENCE MODELS FOR COMPUTER NETWORKS
Security+ Attacks Questions Answered
Security+ Attacks Questions Answered
PPT
PPT
ch08 - Columbus State University
ch08 - Columbus State University
Chapter-2
Chapter-2
dos_nanog
dos_nanog
Slides
Slides
CS3235 Eweek slides for DoS and DDoS
CS3235 Eweek slides for DoS and DDoS
How to Efficiently Communicate When Your Network is Under Attack
How to Efficiently Communicate When Your Network is Under Attack
Download
advertisement