Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Network Security PowerPoint

advertisement 
ECE509
Cyber Security :
Concept, Theory, and
Practice
Network Security
Spring 2014
Outline
•
•
•
•
•
Review Layered Network Architecture
Network Layer protocols
Transport Layer Protocols
Application Layer Protocols
Layer 2 Protocols
OSI Reference Model
• The layers
–
–
–
–
–
–
–
7: Application, e.g., HTTP, SMTP, FTP
6: Presentation
5: Session
4: Transport, e.g. TCP, UDP
3: Network, e.g. IP, IPX
2: Data link, e.g., Ethernet frames, ATM cells
1: Physical, e.g., Ethernet media, ATM media
• Standard software engineering reasons for
thinking about a layered design
Layers Limit Need for Intelligence
• Intermediate devices only need to process
the packet headers up to the level they
understand
Ether
Hdr
IP
Hdr
TCP
Hdr
HTTP
Hdr
Data
Various network devices
• Hosts and servers – Operate at Layer 7
(application)
• Proxies – Operate at Layer 7
• Firewalls – Operate between Layers 2 and 7.
From the outside world make changes at Layers 2
(in transparent mode) or 3 (in routing mode)
• Routers – Operate at Layer 3 (network)
• Switches or Hubs – Operate at Layer 2 (data link)
• Gateways – Operate at Layer 2
Relevant Network Layers
*From http://www.erg.abdn.ac.uk/users/gorry/course/images/ftp-tcp-enet.gif
IPv4
• 32 bit Addressing scheme
– Host address, format "A.B.C.D" where each letter is a byte. e.g.,
192.168.1.1
– Network address, e.g., 192.168.1.0/24 or 192.168.1.0 255.255.255.0
• Class A network : A.0.0.0
– Zeroes are used to indicate that any number could be in that position
• Class B network: A.B.0.0
• Class C network: A.B.C.0
• Multicast (class D)
– 224.0.0.0 to 239.255.255.255
• Class E (experimental, reserved, i.e., wasted)
– 240.0.0.0 to 254.255.255.255
– Private non-routable networks
• 192.168.0.0/24
• 172.16.0.0/12
• 10.0.0.0/8
– Loopback network
– 127.0.0.0, Typically only 127.0.0.1 is used
IP Header
Source [http://en.wikipedia.org/wiki/IPv4_header#Header]
Address spoofing
• Sender can put any source address in
packets he sends:
– Can be used to send unwelcome return traffic
to the spoofed address
– Can be used to bypass filters to get
unwelcome traffic to the destination
• Reverse Path verification can be used by
routers to broadly catch some spoofers
Defending Against IP Spoofing
• Ingress filtering
– Forbid inbound broadcasts from the Internet into your
networks
– Forbid inbound packets from non-routable networks
• Egress filtering
– Prevent stations in networks you control from spoofing IPs
from other networks by dropping their outbound packets
» Make your network a less attractive and useful target
for attackers that want to launch other attacks
» Be a good Internet citizen (reputation is important)
– Drop outbound broadcasts
• Reference
– RFC 2267 - "Network Ingress Filtering: Defeating Denial of
Service Attacks which Employ IP Source Address Spoofing".
Fragmentation
• May need to fragment an IP packet if one data link along
the way cannot handle the packet size
– Perhaps path is a mix of different types of communication media
– Perhaps unexpected encapsulation makes the packet larger than
the source expected
– Hosts try to understand Maximum Transmission Unit (MTU) to
avoid the need for fragmentation (which causes a performance
hit)
– MTU on Ethernet 1500bytes
• Any device along the way can fragment
– Identification field identifies all elements of the same fragment
– Fragmentation stored in the MF (more fragments) and fragment
offset fields
– Devices can reassemble too
– But generally the destination does the reassembly
Example of Fragmentation
•
For example, if a 4,500 byte data payload is inserted into an IP packet with no options
(thus total length is 4,520 bytes) and is transmitted over a link with an MTU of 2,500
bytes then it will be broken up into two fragments:
•
Now, let's say the MTU drops to 1,500 bytes.
Fragmentation Flaws
• Split packet to fool simple firewall and IDS
– Intermediate content observers must do reassembly
• Overlapping fragments
– Can be used to trick IDS by hiding, e.g. a “get /etc/password”
request
– Different clients reassemble overlapping fragments differently
– Just drop overlapping fragments
• Bad fragment offsets exploit poor stack implementations
– E.g. Teardrop attack, negative offsets or overlarge offsets cause
buffer overflows
– Firewalls can check for well formed packets.
• Resource attacks on re-assemblers
– Send all but one fragment for many packets
• More: An Analysis of Fragmentation Attacks
http://www.ouah.org/fragma.html
How TearDrop Works?
• Send a packet with:
– offset = 0
– payload size N
– More Fragments bit on
• Second packet:
– More Fragments bit off
– offset + payload size <N
– fits entirely inside first packet.
• OS tries to reassemble it
First
Second
Which one of these is a safe way to deal with
overlapping fragments?
a) first see if they are valid fragments, then grab
any new data
b) copy them in the reassembly buffer, making
sure not to write outside the buffer
c) ignore them because they are malicious
d) first see if they are valid fragments, wait until all
fragments arrive, validate them again, and
assemble them
e) a), b) or d) can work with varying efficiency
If you are programming a firewall, you will want
to allow or deny datagrams based on header
information. Which one of these should you do,
for safety’s sake?
a) deny fragments with zero length
b) deny fragments where headers are
fragmented
c) deny fragments where the offset+size of
datagram > 65535 bytes
How do you suggest preventing a DoS due to all your buffers
being used for fragments that are parts of datagrams that will
never be complete?
a) expire and delete each datagram after a certain delay
a) expire and delete all datagrams with a given fragment ID
whenever any of the datagrams has been held longer
than a certain delay
b) whenever you run out of space, delete the oldest
fragment
a) whenever you run out of space, delete all datagrams
with the fragment ID of the oldest fragment
When should you attempt reassembly of
fragments?
a) once you have them all
b) as you get them
a) before you expire and delete datagram
fragments
a) whenever you get a datagram with the
“More Fragments” bit set to zero
UDP Client/Server
Programming
• C:
– http://www.cs.ucsb.edu/~almeroth/classes/W0
1.176B/hw2/examples/
• Java:
– http://www.cs.uic.edu/~troy/spring05/cs450/so
ckets/socket.html
Common Terminology
• NIST: National Institute of Standards and
Technology
• CAN: Candidate Vulnerabilities
• CVE: Common Vulnerabilities and
Exposures
• CVSS: Common Vulnerabilities Scoring
System
• IETF: Internet Engineering Task Force
• RFC: Request for Comments
• STD: Internet Standard
• IANA: Internet Assigned Numbers Authority
Address Resolution Protocol (ARP)
• Used to discover mapping of neighboring
Ethernet MAC to IP addresses.
– Need to find MAC for 192.168.1.3 which is in
your interfaces subnetwork
– Broadcast an ARP request on the link
– Hopefully receive an ARP reply giving the
correct MAC
– The device stores this information in an ARP
cache or ARP table
ARP cache poisoning
• Bootstrap problem with respect to security. Anyone can
send an ARP reply
– The Ingredients to ARP Poison,
http://www.governmentsecurity.org/articles/TheIngredientstoARP
Poison.php
• Classic Man-in-the-middle attack
– Send ARP reply messages to device so they think your machine
is someone else
– Better than simple sniffing because packets will get to your
regardless of sniffing.
• Solutions
– Encrypt all traffic
– Monitoring programs like arpwatch to detect mapping changes
• Which might be valid due to DHCP
Transport layer
• UDP
• Best effort delivery
• Connectionless
• TCP
• Reliable
• Establishes connections and monitors deliveries
UDP/TCP Header
Source Port
Destination Port
UDP Length
UDP checksum
Destination Port
Source Port
Sequence Number
Acknowledgement number
HDR
Len
U A P R S F
R C S S Y I
G K H T N N
Window Size
Urgent Pointer
Checksum
Options (0 or more words)
UDP - Datagram Transport
• User Datagram Protocol (UDP)
–
–
–
–
–
A best-effort delivery, no guarantee, no ACK
Lower overhead than TCP
Good for best-effort traffic like periodic updates
No long lived connection overhead on the endpoints
Connectionless
• Some folks implement their own reliable protocol over UDP to
get “better performance” or “less overhead” than TCP
– Such efforts don’t generally pan out
• TFTP, DNS, VOIP, P2P Data protocols use UDP
• Data channels of some multimedia protocols, e.g., H.323 also
use UDP
Ports
• Ports dynamically address (“bind”) IP packets to a process
• Port range 0 - 65535
• Both TCP and UDP use ports for
o Transport address selection
o To identify which service or application to
communicate
o Multiplexing
o To allow multiple
o connections per host
• Relationship with Socket
Ports (cont'd)
• Applications are associated with ports (generally just
destination ports)
• IANA organizes port assignments
http://www.iana.org/
• Server listening on destination port
– TCP and UDP have distinct ports, but services usually
use the same number for both
• Source ports generally dynamically selected
– Ports under 1024 are considered well-known ports
– Would not expect source ports to come from the wellknown range
• Scanners probe for listening ports to understand the services
running on various machines
• Most Operating Systems allow only privileged processes to
open the ports below 1024
• HTTP 80 TCP
• SMTP 25 TCP
• DNS 53 UDP
• HTTPS 443 TCP
Transport Flow
• Transport Flow :: a sequence of packets sent between
a source/destination pair and following the same route
through the network.
• <src_ip, dst_ip, src_port, dst_port,>
• Total combinations 232 X 232 X 216 X 216 = 296
• What's the problem with this BIG number?
• With a computer operating at 212 instructions per
second, and assume the year has 225 seconds, it
will take 262 number of years to finish
– assuming each combination can be done in one
instruction; unrealistic assumption.
UDP Issues
• All lower layer issues, with similar attacks
•
•
•
•
•
IP spoofing
IP and link layer broadcast (amplification)
IP fragmentation
ARP spoofing
Link layer
• New possibilities
• Network services and applications can be contacted
and attacked with UDP packets that exploit the lower
level issues
• Traffic amplifying applications
UDP Amplifier Attack
• Fraggle
– Broadcast UDP packet sent to the "echo"
service
– All computers reply (amplification)
– Source IP was spoofed, victim is
overwhelmed
UDP Ping-Pong
• Chargen service replies with a UDP
packet to any incoming packet
• Spoof a packet from host A's chargen
service to host B's chargen service
– Computers keep replying to each other as fast
as they can
• Variants use the echo service on one of
the hosts
– Or even the same host (CVE-1999-0103)
• a.k.a. UDP bomb, UDP packet storm
UDP Ping-Pong (Cont'd)
• Any service or application that issues a
UDP reply no matter what is the input
packet (e.g., error message) is vulnerable
– daytime (port 13)
– time (port 37)
• Do you know of another UDP service that
answers no matter what?
Example Hosts Vulnerable to UDP PingPong
• Routers and firewalls!
• Cisco IOS 11.x had chargen and echo enabled by default
– Date
 Other services
– Quote of the day (RFC 865)
– Active Users (RFC 866)
– Daytime (RFC 867)
– UDP Kerberos v5 (port 464)
– Any service that responds (e.g. with an error message) to
any packet
Amplification Using UDP
Packets
• Key: Applications that reply with large
packets to small requests
– e.g., games
• BattleField 1942
• Quake 1 (CAN-1999-1066)
• Unreal Tournament
• Hosts can be attacked by using these
applications as amplifiers, with forged
source IP packets
Exploits Through UDP
• Resource Exhaustion
– Windows 98 and Windows 2000 Java clients
allow remote attackers to cause a denial of
service via a Java applet that opens a large
number of UDP sockets, which prevents the
host from establishing any additional UDP
connections, and possibly causes a crash.
• CAN-2001-0324
• Sniffing and Spoofing
– NAI Sniffer Agent allows remote attackers to
gain privileges on the agent by sniffing the
initial UDP authentication packets and
Exploits Through UDP (more)
• Exploitation of other flaws (anonymous)
– Interactions between the CIFS Browser Protocol and
NetBIOS as implemented in Microsoft Windows 95,
98, NT, and 2000 allow remote attackers to modify
dynamic NetBIOS name cache entries via a spoofed
Browse Frame Request in a unicast or UDP
broadcast datagram.
• CAN-2000-1079
• Traffic amplifiers
– DNS allows remote attackers to use DNS name
servers as traffic amplifiers via a UDP DNS query with
a spoofed source address, which produces more
traffic to the victim than was sent by the attacker.
• CVE-1999-1379
Exploits Through UDP (more)
• Self-connection
– Quake 2 server allows remote attackers to
cause a denial of service via a spoofed UDP
packet with a source address of 127.0.0.1,
which causes the server to attempt to connect
to itself.
• CAN-1999-1230
• Similar to UDP bomb
Egress filtering is useful for:
a) stopping outbound IP spoofing
a) stopping inbound IP spoofing
a) preventing Smurf attacks
a) preventing ARP cache poisoning
a) all of the above
Egress filtering prevents part of outbound IP
spoofing. A host can still spoof the IP
address of another host on the same
network, because it’s a valid IP address.
Discussion and Conclusion
• UDP does not in itself introduce new vulnerabilities, but
makes the exploitation of IP layer vulnerabilities easy.
– Makes applications more difficult to design to prevent
amplification and ping-pong effects
• When is UDP needed?
• DNS
– Normal hosts query DNS servers using UDP in practice
» UDP also used for other DNS functions (more on this
later)
• Streaming video, Voice-over-IP
• Is your LAN used to attack a third party via
UDP?
• Did some computers in your LAN get compromised?
TCP - Reliable Streams
• Transmission Control Protocol (TCP)
– Guarantees reliable, ordered stream of traffic
– Such guarantees impose overhead
– A fair amount of state is required on both ends
– Connection oriented
• Similar to packages requiring signatures at delivery
• Most Internet protocols use TCP, e.g.,
HTTP, FTP, SSH, H.323 control channels
Initial Vulnerability
– Establishing connections
– SYN flood attack
– Is this packet relevant?
– Initial sequence number predictability
– RST attacks
– TCP Scanning
– Tcptraceroute
– Refers to the network,TCP is “Stateless”
– Phone conversations require a network path to be
established
– TCP doesn’t change network paths
– Each packet is independent of others
– Clients and servers maintain states, which
makes them vulnerable to resource
exhaustion attacks
TCP Header
Destination Port
Source Port
Sequence Number
Acknowledgement number
HDR
Len
U A P R S F
R C S S Y I
G K H T N N
Window Size
Urgent Pointer
Checksum
Options (0 or more words)
TCP Flags
• one-bit
• Synchronize flag [SYN]
– Used to initiate a TCP connection
• Acknowledgement flag [ACK]
– Used to confirm received data
• Finish flag [FIN]
– Used to shut down the connection
• Push flag [PSH]
– Do not buffer data on receiver side – send directly to application level
• Urgent flag [URG]
– Used to signify data with a higher priority than the other traffic
• I.e Ctrl+C interrupt during an FTP transfer
• Reset flag [RST]
– Tells receiver to tear down connection immediately
TCP Connections
A client A wants to set up a TCP connection
to a server B
 A sends SYN with its sequence number X
 B replies with its own SYN and sequence number Y
and an ACK of A’s sequence number X+1
 A sends data with its sequence number X+1 and
ACK’s B’s sequence number Y+1
• This establishes that packets can be sent
both ways and provides the proof to both
hosts.
TCP SYN Scans
• If someone sends you a SYN packet for a
port that’s closed, you are supposed to
respond with a packet with RST and ACK
flags (“I got your message but I don’t
want to talk to you”).
• Sending SYN packets to find out which
ports are open on which machines is
known as port scanning
– Source IP address may be spoofed to hide
the true source
• Only 1 in x is from the real source
TCP ACK Scans
• Bypass firewalls that only allow
“established” connections (fancy way to
say that they block incoming packets with
the “SYN” flag)
– Doesn't work if the firewall builds a table of
outgoing connections
• e.g., Network Address Translation, a.k.a. IP
masquerading
• Response is a RST packet whether the
port is closed or open
• Allows attackers to find out which IP
addresses are in use, similar in function to
an ICMP ping
TCP FIN Scans
• RFC says:
– open port, do not respond
– closed port, respond with RST/FIN
• Some implementations respond with a
RST on open ports
• Another way to map services on a host
Defending Scans
• Issue: spoofed IP addresses
– Option 1: Don't reply
• "Stealth" does not increase bandwidth consumption
– Option 2: "Active" defense
• In a SYN scan, if you send a SYN/ACK for every packet, you
could force the attacker to complete the connection to gain
information
– Makes it more difficult to spoof the source IP
– Slows down scanners
» But if 1 in 100 packets is not spoofed, it slows down your
server 100 times more than the scanner!
– However:
» Increases traffic, bandwidth consumption
» May have undesired effects
» Replies sent to spoofed IP addresses
» Are you unwittingly attacking them?
SYN flood
•
•
A resource DoS attack focused on the TCP three-way
handshake
Denial of service when an attacker sends many SYN
packets to create multiple connections without ever
sending an ACK to complete the connection, aka SYN
flood.
– This leaves B with a bunch of half open connections that are filling up
memory
– Firewalls adapted by setting limits on the number of such half open
connections.
– Keeping track of each half-open connection takes up resources
TCP Reliability
• A TCP connection is a stream
• Each TCP packet contains a stream
segment
• A sequence number is associated to each
byte
• Packets have a single field for the sequence
number
– e.g., refers to the sequence number of a specific byte,
according to a convention described in the RFC
• An ACK is required for each byte
• If an ACK is not received in a certain amount of
time, data is retransmitted
• An ACK packet serves as an ACK for all bytes up
to the byte indicated by the ACK's sequence
TCP Flow Control
• How much can a sender send at a time?
• The more can be sent, the more efficient the
network is
– Fewer header bytes, media contention delays, etc...
• TCP "Window"
• With every ACK, the receiver indicates how many
more bytes it is prepared to receive
Acknowledgement Number
Maximum Window
Sequence Number
Window
TCP Stream
Increasing numbers
Congestion Control
20
Congestion
avoidance
15
Congestion
window
Threshold
10
5
Congestion occurs
Slow
start
0
Round-trip times
Protection against SYN Attacks
• Client sends SYN
• Server responds to Client with SYN-ACK
cookie
– sqn = f(src addr, src port, dest addr, dest port,
rand)
– Normal TCP response but server does not save
state
• Honest client responds with ACK(sqn)
• Server checks response
– If matches SYN-ACK, establishes connection
• “rand” is top 5 bits of 32-bit time counter
• Server checks client response against recent values
SYN Cookies (cont'd)
• Difference between server's ISN and client's
ISN
– top 5 bits: t mod 32, where t is a 32-bit time
counter that increases every 64 seconds;
– next 3 bits: an encoding of an MSS selected by
the server in response to the client's MSS;
– bottom 24 bits: a server-selected secret function
of the client IP address and port number, the
server IP address and port number, and t.
TCP Sequence Numbers
• Every new connection gets a new initial sequence
number (ISN)
• For both sides of the connection
• ISNs are exchanged (jargon: streams are "synchronized") in the
initial SYN handshake
• Is this a real random number?
• TCP packets with sequence numbers outside the
window are ignored
• This makes attacks on TCP applications harder than if they used
UDP
• Sequence numbers allow reconstruction of correct
order of packets
• How to hijack a TCP connection?
Finding the Sequence Number
• Sniffing
• MAC address man-in-the-middle attack
• Source-routed IP packets (to setup a M.I.M.
attack)
• ICMP redirects
• If the above is not possible, try to predict the
initial sequence number
– Connect yourself, examine how sequence
numbers are generated (e.g., last one + 128
000)
– Make a guess based on observations
ISN Vulnerability
• Predictable
• Symantec Raptor Firewall 6.5 and 6.5.3,
Enterprise Firewall 6.5.2 and 7.0, VelociRaptor
Models 500/700/1000 and 1100/1200/1300, and
Gateway Security 5110/5200/5300 generate easily
predictable initial sequence numbers (ISN), which
allows remote attackers to spoof connections.
– CAN-2002-1463
• Cisco switches and routers running IOS 12.1 and
earlier produce predictable TCP Initial Sequence
Numbers (ISNs), which allows remote attackers to
spoof or hijack TCP connections.
– CVE-2001-0288
TCP RST Flag
• TCP reset (RST) flag is used to abort TCP
connections, usually to signify an
irrecoverable error
– Receiver deletes the connection, frees data
structures
• RST messages are accepted only if they
fit inside the sequence number window
– Prevents delayed RST messages from
previous connections to affect the current
connection
TCP RST Attack
• Send a RST (TCP RESET flag) packet
with a spoofed IP address to either side of
a valid connection
• Need to guess a sequence number inside the
appropriate window
– Or sniff traffic to know which number to use
• The range can be guessed fairly efficiently for RST
attacks
• Sequence numbers: 32 bits
• Window size: up to 16 bits
• Number of guesses 32-16 = 16 bit address space
– 65535 RST attempts, ~ 4 min on DSL connection
– Faster connection or zombies, faster RST
Hijacking a TCP Session
• Idea: all that’s required to mess up someone else’s
TCP session is guessing or knowing the sequence numbers
for their connection.
– Only need to fall within the needed range, exact guess not
needed
• Attackers needs
– Ability to forge TCP/IP packets.
– Initial sequence number
– Knowledge that a TCP connection has started (but not the
ability to see it)
– When the TCP connection started
– Ability to redirect responses to you
OR continue the conversation without responses to you while
achieving your goal
• Thought to be too hard, but exists in the wild.
• Send a spoofed IP packet, with a TCP payload that inserts
data to blast the legitimate client off the net!
Question
• Which is more difficult to attack?
a) UDP
b) TCP
c) ICMP
d) IP reassembly
Question
• Applications that encrypt their data and
validation checksum and use TCP, such
as SSL (https) in browsers, are vulnerable
to:
a) RESET attacks
b) Data injection attacks
c) Session hijacking
d) Eavesdropping attacks
e) IP fragmentation attacks
Question
UDP Ping-Pong is possible due to:
a) IP fragmentation attacks
b) Initial sequence number spoofing
c) MAC address spoofing
d) IP address spoofing
Question
• To offer resistance to brute force RST
attacks, you could:
a) Use application-level encryption
b) Use the largest TCP window possible
c) Use a small TCP window
d) Use unpredictable initial sequence numbers
Question
• A SYN flood attack works by:
a) Making computers drop established
connections
b) Preventing new connections by consuming
server resources
c) Injecting data in established connections
d) Creating a loop between services
Question
• UDP is attractive as an exploitation vector
because
a) It's fast
b) It consumes resources to keep track of
connections
c) It can change routing tables
d) It's anonymous through IP spoofing
Network Address Translation (NAT)
Relates to Lab 7.
Module about private networks and NAT.
68
Private Network
• Private IP network is an IP network that is not directly
connected to the Internet
• IP addresses in a private network can be assigned arbitrarily.
– Not registered and not guaranteed to be globally unique
• Generally, private networks use addresses from the following
experimental address ranges (non-routable addresses):
– 10.0.0.0 – 10.255.255.255
– 172.16.0.0 – 172.31.255.255
– 192.168.0.0 – 192.168.255.255
69
Private Addresses
H1
10.0.1.2
H3
H2
H4
10.0.1.2
10.0.1.3
10.0.1.1
10.0.1.3
10.0.1.1
Private network 1
Private network 1
Internet
R1
128.195.4.119
128.143.71.21
R2
213.168.112.3
H5
70
Network Address Translation (NAT)
• NAT is a router function where IP addresses (and possibly
port numbers) of IP datagrams are replaced at the boundary
of a private network
• NAT is a method that enables hosts on private networks to
communicate with hosts on the Internet
• NAT is run on routers that connect private networks to the
public Internet, to replace the IP address-port pair of an IP
packet with another IP address-port pair.
71
Basic operation of NAT
• NAT device has address translation table
72
Pooling of IP addresses
• Scenario: Corporate network has many hosts but only a
small number of public IP addresses
• NAT solution:
– Corporate network is managed with a private address
space
– NAT device, located at the boundary between the
corporate network and the public Internet, manages a pool
of public IP addresses
– When a host from the corporate network sends an IP
datagram to a host in the public Internet, the NAT device
picks a public IP address from the address pool, and binds
this address to the private address of the host
73
Pooling of IP addresses
Private
network
Internet
Source
= 10.0.1.2
Destination = 213.168.112.3
Source
= 128.143.71.21
Destination = 213.168.112.3
NAT
device
private address: 10.0.1.2
public address:
H1
public address:
213.168.112.3
H5
Private
Address
Public
Address
10.0.1.2
Pool of addresses: 128.143.71.0-128.143.71.30
74
Supporting migration between network service
providers
• Scenario: In CIDR, the IP addresses in a corporate network are obtained
from the service provider. Changing the service provider requires
changing all IP addresses in the network.
• NAT solution:
– Assign private addresses to the hosts of the corporate network
– NAT device has static address translation entries which bind the
private address of a host to the public address.
– Migration to a new network service provider merely requires an update
of the NAT device. The migration is not noticeable to the hosts on the
network.
Note:
– The difference to the use of NAT with IP address pooling is that the
mapping of public and private IP addresses is static.
75
Supporting migration between network service
providers
76
IP masquerading
• Also called: Network address and port translation
(NAPT), port address translation (PAT).
• Scenario: Single public IP address is mapped to multiple
hosts in a private network.
• NAT solution:
– Assign private addresses to the hosts of the corporate
network
– NAT device modifies the port numbers for outgoing traffic
77
IP masquerading
78
Load balancing of servers
• Scenario: Balance the load on a set of identical servers,
which are accessible from a single IP address
• NAT solution:
– Here, the servers are assigned private addresses
– NAT device acts as a proxy for requests to the server from
the public network
– The NAT device changes the destination IP address of
arriving packets to one of the private addresses for a
server
– A sensible strategy for balancing the load of the servers is
to assign the addresses of the servers in a round-robin
fashion.
79
Load balancing of servers
80
Concerns about NAT
• Performance:
– Modifying the IP header by changing the IP address
requires that NAT boxes recalculate the IP header
checksum
– Modifying port number requires that NAT boxes recalculate
TCP checksum
• Fragmentation
– Care must be taken that a datagram that is fragmented
before it reaches the NAT device, is not assigned a
different IP address or different port numbers for each of
the fragments.
81
Concerns about NAT
• End-to-end connectivity:
– NAT destroys universal end-to-end reachability of hosts on
the Internet.
– A host in the public Internet often cannot initiate
communication to a host in a private network.
– The problem is worse, when two hosts that are in a private
network need to communicate with each other.
82
Concerns about NAT
• IP address in application data:
– Applications that carry IP addresses in the payload of the
application data generally do not work across a privatepublic network boundary.
– Some NAT devices inspect the payload of widely used
application layer protocols and, if an IP address is detected
in the application-layer header or the application payload,
translate the address according to the address translation
table.
83
NAT and FTP
• Normal FTP operation
84
NAT and FTP
• NAT device with FTP support
85
NAT and FTP
• FTP in passive mode and NAT.
86
Configuring NAT in Linux
• Linux uses the Netfilter/iptable package to add filtering rules
to the IP module
To application
From application
filter
INPUT
nat
OUTPUT
filter
OUTPUT
Yes
Destination
is local?
nat
PREROUTING
(DNAT)
Incoming
datagram
No
filter
FORWARD
nat
POSTROUTING
(SNAT)
Outgoing
datagram
87
Configuring NAT with iptable
• First example:
iptables –t nat –A POSTROUTING –s 10.0.1.2
–j SNAT --to-source 128.143.71.21
• Pooling of IP addresses:
iptables –t nat –A POSTROUTING –s 10.0.1.0/24
–j SNAT --to-source 128.128.71.0–128.143.71.30
• ISP migration:
iptables –t nat –R POSTROUTING –s 10.0.1.0/24
–j SNAT --to-source 128.195.4.0–128.195.4.254
• IP masquerading:
iptables –t nat –A POSTROUTING –s 10.0.1.0/24
–o eth1 –j MASQUERADE
• Load balancing:
iptables -t nat -A PREROUTING -i eth1 -j DNAT --todestination 10.0.1.2-10.0.1.4
88
Dynamic Host Configuration Protocol
(DHCP)
89
Dynamic Assignment of IP addresses
• Dynamic assignment of IP addresses is desirable for several
reasons:
– IP addresses are assigned on-demand
– Avoid manual IP configuration
– Support mobility of laptops
90
Solutions for dynamic assignment of IP addresses
• Reverse Address Resolution Protocol (RARP)
– Works similar to ARP
– Broadcast a request for the IP address associated
with a given MAC address
– RARP server responds with an IP address
– Only assigns IP address (not the default router and
subnetmask)
IP address
(32 bit)
ARP
RARP
Ethernet MAC
address
(48 bit)
91
BOOTP
• BOOTstrap Protocol (BOOTP)
• From 1985
• Host can configure its IP parameters at boot time.
• 3 services.
– IP address assignment.
– Detection of the IP address for a serving machine.
– The name of a file to be loaded and executed by the client machine
(boot file name)
– Not only assign IP address, but also default router, network mask, etc.
– Sent as UDP messages (UDP Port 67 (server) and 68 (host))
– Use limited broadcast address (255.255.255.255):
• These addresses are never forwarded
92
Network Address Translation
• NAT, a.k.a. masquerading, allows sharing
an Internet connection through a single IP
address
• IP addresses and checksums are replaced
on-the-fly
• NAT maintains a table of mappings:
– Internal IP, port <=> External IP, port
– Incoming packets are translated back if
there's an existing mapping, dropped
otherwise
– Mappings are added only for outgoing
Question
• What will happen if someone tries to do a
SYN TCP scan from inside a NAT firewall?
a) Victims won't know who did the scan and
can't retaliate
b) Victims will be under a SYN flood attack
c) The NAT mapping table will overflow,
possibly preventing other users from
accessing the web
Application Protocols
• Single connection protocols
– Use a single connection, e.g. HTTP, SMTP
• Dynamic Multi-connection Protocols, e.g. FTP
and H.323
– Have a well known control channel
– Negotiate ports and/or addresses on the control
channel for subsidiary data channels
– Dynamically open the negotiated data channels
• Protocol suites, e.g. Netbios and DNS
Spoofing Applications
• Often times ridiculously easy
• Fake Client
– Telnet to an SMTP server and enter mail
from whoever you want
– Authenticating email servers
• Require a password
• Require a mail download before server takes
send requests
• Fake server
– Phishing: misdirect user to bogus server
Internet Control Message Protocol
(ICMP)
• RFC 792
• Used for diagnostics
–
–
–
–
–
–
–
Destination unreachable
Time exceeded, TTL hit 0
Parameter problem, bad header field
Source quench, throttling mechanism rarely used
Redirect, feedback on potential bad route
Echo Request and Echo reply, ping
Timestamp request and Timestamp reply,
performance ping
• Can use information to help map out a network
– Some people block ICMP from outside domain
ICMP Header
PING OF DEATH
• ICMP echo with fragmented packets
• Maximum legal size of an ICMP echo packet:
65535 - 20 - 8 = 65507
• Fragmentation allows bypassing the
maximum size:
(offset + size) > 65535
• Reassembled packet would be larger than 65535
bytes
• OS crashes
• Really a problem with reassembly, ICMP just
used for convenience
• Same attack with different IP protocols
Ping Flood
• Denial of Service attack
• Overwhelming the victim with ICMP
Echo Request packets (ping)
• Attacker has more bandwidth
• How to defend?
– Filter incoming ICMP Echo Request
packets
– Compromised way, filter large PING
packets
Smurf Attack
• An amplification DoS attack
– A relatively small amount of information sent is
expanded to a large amount of data
• Send ICMP echo request to IP broadcast
addresses. Spoof the victim's address as the
source
• The echo request receivers dutifully send echo
replies to the victim overwhelming it
• Fraggle is a UDP variant of the same attack
aiming at ports 7 and 19
Question
• What is the best strategy against Smurf attacks?
a) block incoming pings to broadcast addresses
at the firewall or router
b) block all ICMP echo traffic at the firewall or
router
c) install an IDS
d) complain to the vendor, asking for a patch
e) strike back at the attacker by spoofing her IP
address in another Smurf
Other ICMP Abuse
• Tribe, a.k.a. The "Tribe Flood Network"
distributed denial of service attack tool
• Use ICMP echo request and reply as a
covert communication channel to issue
commands to infected computers
• Attackers reversed the normal usage of reply and
request messages
• Reply messages used to issue commands and
bypass firewalls
• http://staff.washington.edu/dittrich/misc/tfn.
analysis
Question
• Name the packets that can’t be used
to scan a network (all by themselves):
a) echo request
b) echo reply
c) timestamp request
d) network mask request
e) source quench
Question
• Which application/protocol will be
affected if you disallow ICMP
unreachable messages?
a) MTU discovery
b) TraceRoute
c) DNS
d) ARP
e) Nothing
Question
• If you receive an ICMP network
redirect message, which attack could
possibly be attempted against you?
a) Man-in-the-middle
b) DoS
Question
• Which ICMP attack resembles the Fraggle
attack?
• Which other services could be used
instead of the "echo" service?
Answers
• Smurf
• All the "small services"
– daytime
– chargen (RFC 864) (port 19)
– quote of the day (RFC 865)
– ...
• Quote of the day may be enabled by
people thinking it's cool or cute
Dynamic Host Configuration Protocol
(DHCP)
Relates to Lab 7.
Module about dynamic assignment of IP addresses with DHCP.
109
Dynamic Assignment of IP addresses
• Dynamic assignment of IP addresses is desirable for several
reasons:
– IP addresses are assigned on-demand
– Avoid manual IP configuration
– Support mobility of laptops
110
Solutions for dynamic assignment of IP addresses
• Reverse Address Resolution Protocol (RARP)
– Works similar to ARP
– Broadcast a request for the IP address associated
with a given MAC address
– RARP server responds with an IP address
– Only assigns IP address (not the default router and
subnetmask)
IP address
(32 bit)
ARP
RARP
Ethernet MAC
address
(48 bit)
111
BOOTP
• BOOTstrap Protocol (BOOTP)
• From 1985
• Host can configure its IP parameters at boot time.
• 3 services.
– IP address assignment.
– Detection of the IP address for a serving machine.
– The name of a file to be loaded and executed by the client machine
(boot file name)
– Not only assign IP address, but also default router, network mask, etc.
– Sent as UDP messages (UDP Port 67 (server) and 68 (host))
– Use limited broadcast address (255.255.255.255):
• These addresses are never forwarded
112
DHCP
• Dynamic Host Configuration Protocol (DHCP)
– From 1993
– An extension of BOOTP, very similar to DHCP
– Same port numbers as BOOTP
– Extensions:
• Supports temporary allocation (“leases”) of IP
addresses
• DHCP client can acquire all IP configuration parameters
needed to operate
– DHCP is the preferred mechanism for dynamic assignment
of IP addresses
– DHCP can interoperate with BOOTP clients.
113
BOOTP Interaction
(a)
(c)
(b)
• BOOTP can be used for
downloading memory
image for diskless
workstations
• Assignment of IP addresses
to hosts is static
114
DHCP Interaction (simplified)
115
BOOTP/DHCP Message Format
OpCode
Hardware Type
Number of Seconds
Hardware Address
Hop Count
Length
Unused (in BOOTP)
Flags (in DHCP)
Transaction ID
Client IP address
Your IP address
Server IP address
Gateway IP address
Client hardware address (16 bytes)
Server host name (64 bytes)
Boot file name (128 bytes)
Options
(There are >100 different options)
116
Message Fields
•
•
•
•
code: Indicates a request or a reply
– 1 Request
– 2 Reply
HWtype: The type of hardware, for example:
– 1 Ethernet
– 6 IEEE 802 networks
length: Hardware address length in bytes. E.g., Ethernet and token-ring both use 6
bytes.
hops: The client sets this to 0. It is incremented by a router that relays the request
to another server and is used to identify loops. RFC 951 suggests that a value of 3
indicates a loop.
117
Contd.
•
•
•
Transaction ID: A random number used to match this boot request with the response it
generates.
Seconds: Set by the client. It is the elapsed time in seconds since the client started its boot
process.
Flags field: The most significant bit of the flags field is used as a broadcast flag. All other bits
must be set to zero, and are reserved for future use. Normally, DHCP servers attempt to
deliver DHCP messages directly to a client using unicast delivery. The destination address in
the IP header is set to the DHCP your IP address and the MAC address is set to the DHCP
client hardware address. If a host is unable to receive a unicast IP datagram until it knows its
IP address, then this broadcast bit must be set (=1) to indicate to the server that the DHCP
reply must be sent as an IP and MAC broadcast. Otherwise this bit must be set to zero.
118
Contd.
•
•
•
•
•
Client IP address: Set by the client. Either its known IP address, or 0.0.0.0.
Your IP address: Set by the server if the client IP address field was0.0.0.0.
Server IP address: Set by the server.
Router IP address: This is the address of a BOOTP relay agent, not a
general IP router to be used by the client. It is set by the forwarding agent
when BOOTP forwarding is being used
Client hardware address: Set by the client. DHCP defines a client identifier
option that is used for client identification. If this option is not used the client
is identified by its MAC address.
119
Contd.
•
•
•
Server host name: Optional server host name terminated by X'00'.
Boot file name: The client either leaves this null or specifies a generic name, such
as router, indicating the type of boot file to be used. In a DHCPDISCOVER request
this is set to null. The server returns a fully qualified directory path name in a
DHCPOFFER request. The value is terminated by X'00'.
Options: Subnet Mask, Name Server, Hostname, Domain Name, Forward On/Off,
Default IP TTL, Broadcast Address, Static Route, Ethernet Encapsulation, X
Window Manager, X Window Font, DHCP Msg Type, DHCP Renewal Time, DHCP
Rebinding, Time SMTP-Server, SMTP-Server, Client FQDN, Printer Name, …
120
DHCP Message Type
• Message type is sent as an
option.
Value
Message Type
1
DHCPDISCOVER
2
DHCPOFFER
3
DHCPREQUEST
4
DHCPDECLINE
5
DHCPACK
6
DHCPNAK
7
DHCPRELEASE
8
DHCPINFORM
121
Message Types
•
•
•
DHCPDISCOVER: Broadcast by a client to find available DHCP servers.
DHCPOFFER: Response from a server to a DHCPDISCOVER and offering IP
address and other parameters.
DHCPREQUEST: Message from a client to servers that does one of the following:
– Requests the parameters offered by one of the servers and declines all other
offers.
– Verifies a previously allocated address after a system or network change (a
reboot for example).
– Requests the extension of a lease on a particular address.
122
Contd.
•
•
•
•
•
•
DHCPACK: Acknowledgement from server to client with parameters,
including IP address.
DHCPNACK: Negative acknowledgement from server to client, indicating that the client's
lease has expired or that a requested IP address is incorrect.
DHCPDECLINE: Message from client to server indicating that the offered address is already
in use.
DHCPRELEASE: Message from client to server canceling remainder of a lease and
relinquishing network address.
DHCPINFORM: Message from a client that already has an IP address (manually configured
for example), requesting further configuration parameters from the DHCP server.
123
DHCP Operation
•
DCHP DISCOVER
DCHP OFFER
124
DHCP Operation
DCHP DISCOVER
At this time, the DHCP
client can start to use the IP
address
Renewing a Lease
(sent when 50% of lease
has expired)
If DHCP server sends
DHCPNACK, then
address is released.
125
DHCP Operation
DCHP RELEASE
At this time, the DHCP
client has released the IP
address
126
Client Server Interactions
•
•
The client broadcasts a DHCPDISCOVER message on its local physical subnet.
– The DHCPDISCOVER message may include some options such as network
address suggestion or lease duration.
Each server may respond with a DHCPOFFER message that includes an available
network address (your IP address) and other configuration options.
– The servers record the address as offered to the client to prevent the same
address being offered to other clients in the event of further DHCPDISCOVER
messages being received before the first client has completed its configuration.
127
Contd.
• The client receives one or more DHCPOFFER messages from one or
more servers.
– The client chooses one based on the configuration parameters offered
and broadcasts a DHCPREQUEST message that includes the server
identifier option to indicate which message it has selected and the
requested IP address option, taken from your IP address in the
selected offer.
– In the event that no offers are received, if the client has knowledge of a
previous network address, the client may reuse that address if its lease
is still valid, until the lease expires.
128
Contd.
• The servers receive the DHCPREQUEST broadcast from the client.
– Those servers not selected by the DHCPREQUEST message
use the message as notification that the client has declined that
server's offer.
– The server selected in the DHCPREQUEST message commits
the binding for the client to persistent storage and responds with
a DHCPACK message containing the configuration parameters
for the requesting client.
129
Contd.
• The combination of client hardware and assigned network
address constitute a unique identifier for the client's lease and
are used by both the client and server to identify a lease
referred to in any DHCP messages.
• The your IP address field in the DHCPACK messages is filled
in with the selected network address.
130
Contd.
• The client receives the DHCPACK message with configuration
parameters.
– The client performs a final check on the parameters, for example with
ARP for allocated network address, and notes the duration of the lease
and the lease identification cookie specified in the DHCPACK
message. At this point, the client is configured.
– If the client detects a problem with the parameters in the DHCPACK
message (the address is already in use on the network, for example),
the client sends a DHCPDECLINE message to the server and restarts
the configuration process.
131
Contd.
• The client should wait a minimum of ten seconds before restarting the
configuration process to avoid excessive network traffic in case of looping.
• On receipt of a DHCPDECLINE, the server must mark the offered address
as unavailable (and possibly inform the system administrator that there is
a configuration problem).
• If the client receives a DHCPNAK message, the client restarts the
configuration process.
132
Contd.
• The client may choose to relinquish its lease on a network
address by sending a DHCPRELEASE message to the
server.
• The client identifies the lease to be released by including its
network address and its hardware address.
133
Lease Renewal
• When a server sends the DHCPACK to a client with IP address and
configuration parameters, it also registers the start of the lease time for
that address.
• This lease time is passed to the client as one of the options in the
DHCPACK message, together with two timer values, T1 and T2.
• The client is rightfully entitled to use the given address for the duration of
the lease time.
134
Contd.
• On applying the receive configuration, the client also starts the timers T1
and T2. At this time, the client is in the BOUND state.
• Times T1 and T2 are options configurable by the server but T1 must be
less than T2, and T2 must be less than the lease time.
• According to RFC 2132, T1 defaults to (0.5 * lease time) and T2 defaults
to (0.875 * lease time).
135
Contd.
•
•
•
•
When timer T1 expires, the client will send a DHCPREQUEST (unicast) to the
server that offered the address, asking to extend the lease for the given
configuration. The client is now in the RENEWING state
The server would usually respond with a DHCPACK message indicating the new
lease time, and timers T1 and T2 are reset at the client accordingly.
The server also resets its record of the lease time.
Under normal circumstances, an active client would continually renew its lease in
this way indefinitely, without the lease ever expiring.
136
Contd.
• If no DHCPACK is received until timer T2 expires, the client
enters the REBINDING state.
• Client now broadcasts a DHCPREQUEST message to extend
its lease.
• This request can be confirmed by a DHCPACK message from
any DHCP server on the network.
137
Contd.
• If the client does not receive a DHCPACK message after its
lease has expired, it has to stop using its current TCP/IP
configuration.
• The client may then return to the INIT state, issuing a
DHCPDISCOVER broadcast to try and obtain any valid
address.
138
Reusing a Previously allocated address
•
•
•
The client broadcasts a DHCPREQUEST message on its local subnet.
– The DHCPREQUEST message includes the client's previously used network
address.
If the client’s lease is still current, the server with knowledge of the client's
configuration parameters responds with a DHCPACK message to the client,
renewing the lease at the same time.
– The client must then proceed to test for the IP address.
If the client's lease has expired, the server with knowledge of the client responds
with DHCPNACK.
– The client then must initiate a new IP address allocation process.
139
DHCP Pros
•
•
•
It relieves the network administrator of a great deal of manual configuration work.
The ability for a device to be moved from network to network and to automatically
obtain valid configuration parameters for the current network can be of great
benefit to mobile users.
Because IP addresses are only allocated when clients are actually active, it is
possible, by the use of reasonably short lease times and the fact that mobile
clients do not need to be allocated more than one address, to reduce the total
number of addresses in use in an organization.
140
DHCP Cons
• Uses UDP, an unreliable and insecure protocol.
• DNS cannot be used for DHCP configured hosts.
141
DHCP
• Built on older BOOTP protocol (which was built on even older
RARP protocol)
– Used by diskless Suns
• Enables dynamic allocation of IP address and related
information
• Runs over UDP
• No security considered in the design, obvious problems
– Bogus DHCP servers handing out addresses of attackers
choice
– Bogus clients grabbing addresses
• IETF attempted to add DHCP authentication but rather late in
the game to do this.
• Other solutions
– Physically secure networks
– Use IPSec
Domain Name Service
(DNS)
Fall 2002
Ch 8- DNS© Jörg Liebeherr and Magda El Zarki, 2002
14
3
Outline
•
•
•
•
•
Fall 2002
What is DNS?
What services does it provide?
How does it operate?
Message format
Types of messages
Ch 8- DNS© Jörg Liebeherr and Magda El Zarki, 2002
14
4
What is DNS?
• DNS is a host name to IP address
translation service
• DNS is
 a distributed database implemented in a
hierarchy of name servers
 an application level protocol for message
exchange between clients and servers
Fall 2002
Ch 8- DNS© Jörg Liebeherr and Magda El Zarki, 2002
14
5
Why DNS?
• It is easier to remember a host name than it is to
remember an IP address.
• An name has more meaning to a user than a 4
byte number.
• Applications such as FTP, HTTP, email, etc., all
require the user to input a destination.
• The user generally enters a host name.
• The application takes the host name supplied by
the user and forwards it to DNS for translation to
an IP address.
Fall 2002
Ch 8- DNS© Jörg Liebeherr and Magda El Zarki, 2002
14
6
DNS Services
• Besides the address translation service,
DNS also provides the following services:
 Host aliasing: a host with a complicated name
can have one or more aliases that are simpler
to remember,e.g., relay1.westcoast.media.com -> media.com. The longer
name is the canonical hostname, the shorter
the alias hostname.
Fall 2002
Ch 8- DNS© Jörg Liebeherr and Magda El Zarki, 2002
14
7
DNS Services (cont’d)
 Mail server aliasing: same as above, aliases
can exist for long canonical host names.
 Load Balancing: a set of servers can have
one name mapped onto several machines.
DNS provides the full list of names to the end
user’s application which generally takes the
first one in the list. DNS rotates the names on
the list.
Fall 2002
Ch 8- DNS© Jörg Liebeherr and Magda El Zarki, 2002
14
8
How does it work?
• DNS works by exchanging messages
between client and server machines.
• A client application will pass the
destination host name to the DNS process
(in Unix referred to as the
gethostbyname() routine) to get the IP
address.
• The application then sits and waits for the
response to return.
Fall 2002
Ch 8- DNS© Jörg Liebeherr and Magda El Zarki, 2002
14
9
DNS
Why not centralize DNS?
• single point of failure
• traffic volume
• distant centralized
database
• maintenance
doesn’t scale!
150
Distributed, Hierarchical Database
Root DNS Servers
com DNS servers
yahoo.com
amazon.com
DNS servers DNS servers
org DNS servers
pbs.org
DNS servers
edu DNS servers
poly.edu
umass.edu
DNS serversDNS servers
Client wants IP for www.amazon.com; 1st approx:
• client queries a root server to find com DNS server
• client queries com DNS server to get amazon.com DNS
server
• client queries amazon.com DNS server to get IP
address for www.amazon.com
15
1
DNS: Root name servers
• contacted by local name server that can not resolve name
• root name server:
 contacts authoritative name server if name mapping not known
 gets mapping
 returns mapping to local name server
a Verisign, Dulles, VA
c Cogent, Herndon, VA (also LA)
d U Maryland College Park, MD
g US DoD Vienna, VA
h ARL Aberdeen, MD
j Verisign, ( 21 locations)
e NASA Mt View, CA
f Internet Software C. Palo Alto,
k RIPE London (also 16 other locations)
i Autonomica, Stockholm (plus
28 other locations)
m WIDE Tokyo (also Seoul,
Paris, SF)
CA (and 36 other locations)
13 root name
servers worldwide
b USC-ISI Marina del Rey, CA
l ICANN Los Angeles, CA
152
TLD and Authoritative Servers
• Top-level domain (TLD) servers:
 responsible for com, org, net, edu, etc, and all toplevel country domains uk, fr, ca, jp.
 Network Solutions maintains servers for com TLD
 Educause for edu TLD
• Authoritative DNS servers:
 organization’s DNS servers, providing authoritative
hostname to IP mappings for organization’s
servers (e.g., Web, mail).
 can be maintained by organization or service
provider
153
Local Name Server
• does not strictly belong to hierarchy
• each ISP (residential ISP, company,
university) has one.
 also called “default name server”
• when host makes DNS query, query is
sent to its local DNS server
 acts as proxy, forwards query into hierarchy
154
2:
Ap
plic
DNS Queries
• Recursive:
 The client machine sends a request to the local name
server, which, if it does not find the address in its
database, sends a request to the root name server,
which, in turn, will route the query to an intermediate
or authoritative name server. Note that the root name
server can contain some hostname to IP address
mappings. The intermediate name server always
knows who the authoritative name server is.
Fall 2002
Ch 8- DNS© Jörg Liebeherr and Magda El Zarki, 2002
15
5
DNS Queries (cont’d)
• Iterative:
 The local server queries the root server. If
address not in its database, will have the
name/address of an intermediate or
authoritative name server and forward that
information to the local name server so that it
can directly communicate with the
intermediate or authoritative name server.
This is to prevent the overloading of the root
servers that handle millions of requests.
Fall 2002
Ch 8- DNS© Jörg Liebeherr and Magda El Zarki, 2002
15
6
DNS name resolution example
root DNS
server
2
3
• Host at cis.poly.edu
wants IP address for
gaia.cs.umass.edu
iterated query:
r
r
contacted server
replies with name of
server to contact
“I don’t know this
name, but ask this
server”
4
TLD DNS
server
5
local DNS server
dns.poly.edu
1
7
8
6
authoritative DNS server
dns.cs.umass.edu
requesting host
cis.poly.edu
gaia.cs.umass.edu
157
DNS name resolution example
root DNS
server
recursive query:
r
r
2
puts burden of name
resolution on contacted
name server
heavy load?
3
6
7
TLD DNS
server
local DNS server
dns.poly.edu
1
5
4
8
authoritative DNS server
dns.cs.umass.edu
requesting host
cis.poly.edu
gaia.cs.umass.edu
158
DNS: caching and updating records
• once (any) name server learns mapping, it caches
mapping
 cache entries timeout (disappear) after some
time
 TLD servers typically cached in local name
servers
 Thus root name servers not often visited
• update/notify mechanisms under design by IETF
 RFC 2136
 http://www.ietf.org/html.charters/dnsind-charter.html
159
Operation of DNS
• DNS uses caching to increase the speed
with which it does the translation.
• The DNS data is stored in the database in
the form of resource records (RR). The
RRs are directly inserted in the DNS
messages.
• The RRs are a 4 tuple that consist of:
{name, value, type, TTL}.
Fall 2002
Ch 8- DNS© Jörg Liebeherr and Magda El Zarki, 2002
16
0
RRs
• TTL: time to live, used to indicate when an RR
can be removed from the DNS cache.
• Type =
 A - then NAME is a hostname and Value its IP
address
 NS - then NAME is a domain name and Value is the
IP address of an authoritative name server
 CNAME - then NAME is an alias for a host and Value
is the canonical name for the host
 MX - then NAME is an alias for an email host and
Value is the the canonical name for the email server
Fall 2002
Ch 8- DNS© Jörg Liebeherr and Magda El Zarki, 2002
16
1
DNS records
DNS: distributed db storing resource records (RR)
RR format:
(name, value, type, ttl)
o Type=A
o name is hostname
o value is IP address
o Type=CNAME
o name is alias name for some
“canonical” (the real) name,
eg., www.ibm.com is really
servereast.backup2.ibm.com
value is canonical name
o
o Type=NS
o name is domain (eg.,
foo.com)
o value is hostname of
authoritative name
server for this
domain
o Type=MX
o value is name of mailserver
associated with name
162
DNS protocol, messages
DNS protocol : query and reply messages, both with
same message format
msg header
r
r
identification: 16 bit # for
query, reply to query uses
same #
flags:
 query or reply
 recursion desired
 recursion available
 reply is authoritative
163
DNS protocol, messages
Name, type fields
for a query
RRs in response
to query
records for
authoritative
servers
additional
“helpful”
info that may be
used
164
Message Fields
• Identification - identifies a query and is
copied in the reply message to match it to
the query at the client side.
• Flags - one bit flag set to indicate whether
the message is a query or a reply. Another
bit to identify if reply is from an
authoritative sender or not. A third bit is
used to indicate that recursion method is
desired.
Fall 2002
Ch 8- DNS© Jörg Liebeherr and Magda El Zarki, 2002
16
5
Fields cont’d
• Questions - contains the name that is being
queried and the type, ie type A or MX.
• Answers - contains the RRs for the name(s) that
were requested
• Authority - contains records of authoritative
servers
• Additional Info - e.g., if type of query is MX, then
this info can be a Type - A RR containing the IP
address of the canonical hostname
Fall 2002
Ch 8- DNS© Jörg Liebeherr and Magda El Zarki, 2002
16
6
Inserting records into DNS
• example: new startup “Network Utopia”
• register name networkuptopia.com at DNS registrar
(e.g., Network Solutions)
 provide names, IP addresses of authoritative name server
(primary and secondary)
 registrar inserts two RRs into com TLD server:
(networkutopia.com, dns1.networkutopia.com, NS)
(dns1.networkutopia.com, 212.212.212.1, A)
• create authoritative server Type A record for
www.networkuptopia.com; Type MX record for
networkutopia.com
167
Summary
• DNS provides a mechanism for
maintaining the user friendliness of the
Internet by hiding some of the operational
details.
• DNS servers have to be created manually.
Recently an update protocol was
introduced that allows DNS to exchange
data for additions and deletions.
Fall 2002
Ch 8- DNS© Jörg Liebeherr and Magda El Zarki, 2002
16
8
Domain Name System (DNS)
• Hierarchical service to resolve domain names to IP addresses.
– The name space is divided into non-overlapping zones
– E.g., consider fengshui.ece.arizona.edu.
– DNS servers in the chain. One for .edu, one for
.arizona.edu, and one for .ece.arizona.edu
– In theory, subdivision can go down to 127 levels deep,
and each label can contain up to 63 characters, as long
as the whole domain name does not exceed a total length
of 255.
• Can have primary and secondary DNS servers per zone. Use
TCP based zone transfer to keep up to date
• Like DHCP, no security designed in
– But at least the DNS server is not automatically discovered
– Although this information can be dynamically set via DHCP
• Queries and responses use UDP.
– Packet interception attacks
– Name chaining attacks
– Untrustworthy, trustworthy servers
Domain Name System
• Hierarchical Name Space
root
org
wisc
edu
net
standford
ece
fengshui
com
arizona
uk
cmu
cs
cn
mit
DNS Root Name Servers
• Root name servers
• Local name servers
contact root servers
when they cannot
resolve a name
Caching
• DNS responses are cached
– Quick response for repeated translations
– Other queries may reuse some parts of lookup
• NS records for domains
• DNS negative queries are cached
– Don’t have to repeat past mistakes
– E.g. misspellings, search strings in resolv.conf
• Cached data periodically times out
– Lifetime (TTL) of data controlled by owner of data
– TTL passed with every record
DNS in Real World
Subsequent Lookup Example
fengshui.ece.arizona.edu
Resolver
Cache
Forwarder
Ipaddress =
150.135.219.16
Local
8
Client
root & edu
DNS server
arizona.edu
DNS server
DNS server
ece.arizona.edu
DNS server
DNS Lookup Example
www.ece.arizona.edu
Ipaddress =
150.135.221.16
Local
8
Client
root & edu
DNS server
arizona.edu
DNS server
DNS server
ece.arizona.edu
DNS server
DNS Flow
Zone administrator
Zone file
Dynamic
updates
master
Caching forwarder
slaves
resolver
DNS Vulnerabilities
Impersonating master
Corrupting data
Cache
Impersonation
Cache
impersonation
Zone administrator
Zone file
Dynamic
updates
master
Caching
forwarder
slaves
resolver
Unauthorized updates
Server Protection
Cache
polluted by
Cache pollution
by
data
Spoofing
Data
spoofing
DATA Protection
Inherent DNS Vulnerabilities
• Users/hosts typically trust the hostaddress mapping provided by DNS
• Problems
– Zone transfers can provide useful list of
target hosts
– Interception of requests or compromise of
DNS servers can result in bogus responses
– Solution – authenticated
requests/responses
DNS Protocol Vulnerabilities
• DNS data can be spoofed and corrupted on its way between
server and resolver or forwarder
• The DNS protocol does not allow you to check the validity of
DNS data
• Exploited by bugs in resolver implementation (predictable
transaction ID)
• Polluted caching forwarders can cause harm for quite some time
(TTL)
• Corrupted DNS data might end up in caches and stay there for a
long time
• How does a slave (secondary) knows it is talking to the
proper master (primary)?
Attack Scenario
DNS Spoofing
Alice
1
2
Alice
ISP's Cache
Trudy
3
4
DNS
server
for .com
• 1: look up bob.com. 2: Query for bob.com. 3: Trudy's forged answer:
“bob.com is 11.22.33.44” (poisoned cache). 4: Real answer (rejected,
too late)
• In message 3, IP spoofing is used (source address == DNS server for
.com)
• However, DNS requests carry a sequence number
– So message 2 has a seq # that message 3 has to carry!
– How to guess it?
DNS Spoofing (real attack)
• To learn the seq #, Trudy registers a domain herself
– e.g., trudy-the-intruder.com
• And Trudy runs a DNS server for it on her PC
– e.g., dns.trudy-the-intruder.com
• Then it goes like
1. lookup foobar.trudy-the-intruder.com
(to force it into ISP's cache
2. Lookup www.trudy-the-intruder.com
(to ISP's next sequence #)
3. Reply for www.trudy-the-intruder.com
(carry ISP's next sequence # n)
4. lookup bob.com (to force ISP to query
the com server in step 5)
5.Legitimate query for bob.com with seq
# n+1
6.Trudy's forged answer: Bob is 11.22.33.44
sequence number = n+1
7.Real answer (Rejected, too late)
6' Actually, Trudy sends several 6's with successive
numbers, n+2, n+3, n+4, ...
Attack
• Gain control of DNS service for domain
• Select target machine in domain
• Find trust relationships
– SNMP, finger can help find active sessions,
etc.
– Example: target trusts host1
• Connect
– Attempt rlogin from compromised machine
– Target contacts reverse DNS server with IP
addr
– Use modified reverse DNS to say addr is
Defense against this attack
• Double-check reverse DNS
– Modify rlogind, rshd to query DNS server
– See if symbolic addr maps to numeric addr
• Use another service besides DNS
– Network Information Service (NIS, or YP)
– Only works if attacker cannot control NIS …
• Authenticate entries in DNS tables
– Relies on some form of PKI?
– Next lecture …
DNSSEC
• Seeks to solve the trust issues of DNS
• Uses a key hierarchy for verification
• Has been under development for a
decade and still not really deployed
• Provides authentication, not
confidentiality
• DNS Threat Analysis in RFC 3833.
Vulnerability of Routing Protocols
• Routing Protocols
– RIP
– OSPF
– BGP
• ICMP
• Transport Layer
– UDP
– TCP
• Application Layer
IPv4 Routing
Protocols
• Network routing requires switches and
routers to be aware of the other devices in
the network to know where to send packets.
• Each router shares its knowledge about the
network with the other devices
• All routers then have a basic understanding
of the network and know how to forward
packets.
Basic IPv4 Routing - Static routing.
•
Used by hosts and some firewalls and routers.
–
–
–
–
Routing table consists of entries of
» Network, Next hop address, metric, interface
May have routing table per incoming interface
To route a packet, take the destination address and find the
best match network in the table. In case of a tie look at the
metric
» Use the corresponding next hop address and
interface to send the packet on.
» The next hop address is on the same link as this
device, so you use the next hop’s data-link address,
e.g. Ethernet MAC address
Decrement “time to live” field in IP header at each hop.
Drop packet when it reaches 0
» Attempt to avoid routing loops
» As Internet got bigger, TTL fields got set bigger. 225
maximum
Dynamic Routing Protocols
• For scaling, discover topology and routing rather than
statically constructing routing tables
– RIP: Routing Information Protocol
– Open Shortest Path First (OSPF): Used for routing within
an administrative domain
– Border Gateway Protocol (BGP): Used for routing
between administrative domains. Can encode nontechnical transit constraints, e.g. Domain X will only carry
traffic of paying customers
• Receives full paths from neighbors, so it avoids counts to infinity.
Attack Damages on Routing Protocols
•
starvation: data traffic destined for a node is forwarded to a part of the network that cannot deliver it
•
network congestion: more data traffic is forwarded through some portion of the network than would otherwise
need to carry the traffic,
•
blackhole: large amounts of traffic are directed as to be forwarded through one router that cannot handle the
increased level of traffic and drops many/most/all packets
•
delay: data traffic destined for a node is forwarded along a path that is in some way inferior to the path it would
otherwise take
•
looping: data traffic is forwarded along a path that loops, so that the data is never delivered,
•
eavesdrop: data traffic is forwarded through some router or network that would otherwise not see the traffic,
affording an opportunity to see the data,
•
partition: some portion of the network believes that it is partitioned from the rest of the network when it is not,
•
cut: some portion of the network believes that it has no route to some network that is in fact connected,
•
churn: the forwarding in the network changes at a rapid pace, resulting in large variations in the data delivery
patterns (and adversely affecting congestion control techniques),
•
instability: routing protocol becomes unstable so that convergence on a global forwarding state is not achieved,
•
overload: the routing protocol messages themselves become a significant portion of the traffic the network carries.
•
resource exhaustion: the routing protocol messages themselves cause exhaustion of critical router resources, such
as table space and queues.
RIP v1/v2
• Routing decisions are based on number of
hops
• Works only within the AS
• Supports only 15 hops
• RIPv1 communicates only it's own
information
– RIPv2 can communicate other routers'
information
• RIPv1 has no authentication
– RIPv2 support up to 16 char password, but
clear txt
RIP Attack
• By sending wrong routing information the
connection can be diverted to the intruder
• Identify RIP Router by performing a Scan
» nmap –v –sU –p 520
• Case: On April 27, 1997, a router from MAI Network services in Virginia
absorbed about 50,000 network addresses which caused much of the internet to be
disconnected from 20 minutes to 3 hours
OSPF
• OSPF stands for Open Shortest Path First
– TCP/IP Internet routing protocol
– Classified as an Interior Gateway Protocol
(IGP) - distributes routing information between
routers belonging to a single AS - intra-AS
routing protocol
– It’s an authenticated link state protocol
running directly on top of IP
– Every node calculates the paths independently
Link State Protocol
•
•
•
•
Each router is responsible for meeting neighbours and learning their
names
Distance-vector routing protocol works by sharing its knowledge of the
entire network with its neighbours, link-state routing works by having the
routers tell every router on the network about its closest neighbours.
Each router constructs a packet called a Link State Advertisement (LSA)
LSAs are reliably “flooded” to all routers; everyone gets the same
consistent information
– The entire routing table is not distributed from any router, only the part of the table
containing its neighbors.
•
Each router computes the best routes on its own
-- no need to trust your neighbor’s calculations.
Areas
• A set of networks are grouped together into
area (generalization of an IP subnetted
network).
– Each area runs a separate copy of link-state
routing algorithm
– Has its own link-state database
– Area’s topology unknown to outside and vise
versa
– Separated in order to reduce a routing traffic
Classification of
Routers
• Internal Routers - routers with all directly
connected networks belonging to the same
area
• Area Border Routers - routers that are
attaches to multiple areas
• AS Boundary routers - routers that
exchange routing information with routers
belonging to other AS
Classification of Routers (cont’d)
• Designated Routers (DR) and Backup
Designated Routers (BDR)
– Instead of each router exchanging database
information with every other router on the
segment, every router exchanges information
with the DR and BDR
• elected via the Hello protocol based on
OSPF priority and/or RID (default is 1)
OSPF Packets
• Hello Packet - sent out on each
functioning router interface. Used to
discover and maintain neighbour
relationships
• Database Description Packet exchanged when an adjacency is being
initialized. Describe the contents of the
topological database
OSPF Packets (cont’d)
• Link State Packets
– The Link State Request packet - after exchanging
Database Description packets, may find that parts of
its topological database are out of date. Request the
pieces of the neighbour's database that are more up to
date
– The Link State Update packet - implement the
flooding of link state advertisements
– Link State Acknowledgement Packets - to make the
flooding of link state advertisements reliable
Authentication
• All OSPF protocol exchanges are authenticated.
– configurable on a per-interface basis.
•
Authentication types 0, 1 and 2 are defined as
follows:
AuType Description
0
Null authentication
1
Simple password
2
Cryptographic authentication
OSPF Operation
• Determine neighbouring routers by transmitting “hello”
packets
• When a router receives “hello” packet – “relationship”
is established and information is exchanged
• When it is determined that more than 1 router is present
within an area, DR and BDR are selected
• All other routers establish relationship with DR and BDR to
exchange db information (OSPF request and response
messages are used)
• Routers run shortest path algorithm
• Once network up and running, the routers periodically send
“hello” packets to verify that all links are active
Attacks on OSPF
• Eavesdropping: The routing data carried in OSPF is carried in
clear-text, so eavesdropping is a possible attack against routing data
confidentiality.
• Message Replay: In general, OSPF with Cryptographic
Authentication provides a sufficient mechanism for replay
protection of its messages. Nonetheless, there are still some
scenarios in which an outsider attacker can successfully replay
OSPF messages; these are illustrated over the next sections.
• Message Insertion: OSPF with Cryptographic Authentication
enabled is not vulnerable to message insertion from outsiders. In the
case of an insider or in the absence of Cryptographic Authentication,
message insertion becomes a trivial operation even for a remote
attacker.
Attacks on OSPF (Cont'd)
• Message Deletion: OSPF provides a certain degree of protection
against message deletion. The receiver itself cannot detect if a
message has been deleted or not, but the sender will detect a deleted
Link State Update (LSU) message since it will not receive any
OSPF Link State Acknowledgment message for it. There is no
acknowledging mechanism for Hello messages, but the deletion of
some, generally four or more, consecutive Hello messages
belonging to the same router will cause "adjacency breaking" and
thus be easily detected by all the parties involved.
• Message Modification: OSPF with Cryptographic Authentication
provides protection against modification of messages. In the case of
an insider or in the absence of Cryptographic Authentication
message modification becomes possible.
Attacks on OSPF (Cont'd)
• Man-In-The-Middle: OSPF with Cryptographic Authentication
provides protection against man-in-the-middle attacks. In the case of
an insider or in the absence of Cryptographic Authentication, the
protocol becomes exposed to man-in-the-middle attacks through the
lower network layers - such as ARP spoofing - on all OSPF peers
that are one hop apart; while OSPF peers connected over virtual
links are exposed to Layer 3 man-in-the-middle attacks too.
• Denial-of-Service: While bogus routing information data can
represent a Denial of Service attack on the end systems that are
trying to transmit data through the network and on the network
infrastructure itself, certain bogus information can represent a more
specific Denial of Service on the OSPF routing protocol itself. For
example, it is possible to reach the limits of the Link State Database
of a victim with External LSAs or with bogus LSA headers during
the Link State Database Exchange phase.
Attack Scenario 1
• Max Age attack
– Attacker sends LSA packets with maxage set.
– LSA flushed from all the routers reached by
the flooding mechanism.
– The original router that sent this LSA (owner )
then contests the sudden change in age by
generating a refresh message (age=0, higher
sequence number) in a process called "fightback".
– Attacker continually interjects packets with the
maxage value for a given routing entity which
causes network confusion and may contribute
to a DOS condition.
Attack Scenario 2
• Sequence++ attack
– Attacker continually injects a larger LSA
sequence number, which indicates to the
network that it has a fresher route.
– The original router contests this in the "fight
back" process by sending it’s own LSA
with an even newer sequence number than
the attackers sequence number.
– Unstable network is created and could
contribute to a DOS condition.
Attack Scenario 3
• Max sequence attack
– A subverted router modifies the contents of any LSA it
receives at will, sets its sequence number to 0x7fffffff and
floods it back to the sender. Based on the sequence
number, all other routers will accept this bad LSA as newer
and replace the good LSA in the topological database.
– When the LSA’s true originator receives the bad LSA, it
will generate a corrected LSA with sequence number
0x80000001. However, due to the bug, it will not flush the
bad LSA before transmitting the new LSA, which is thus
rejected by the other routers as older.
– The bad LSA will remain in the system until it naturally ages
out, in a maximum of one hour.
Inter-domain Routing Protocol: BGP
Dallas
UA

desktop at UofA
Denver
Internet
Chicago
www.google.com
Autonomous System (AS, or domain)
Hierarchical Internet Routing:
 Intra-domain: OSPF, IS-IS, EIGRP, and RIP
 Inter-domain: BGP (Border Gateway Protocol)

208
A Simplified Model of BGP
• Autonomous System: node
• Nodes exchange entire path information

Messages are “triggered” by topology changes.
Z’s route to A:
Route via C = (C B A)
Route via F = (F C B A)
(B A)
(C B A)
C
Z
(A)
B
A
dest.
F
209
BGP Vulnerability Analysis
• Exercise
Related documents
Questions for Unit-7
Questions for Unit-7
HOMEWORK 1 • DNS stands for do not submit (1) DNS Make up a
HOMEWORK 1 • DNS stands for do not submit (1) DNS Make up a
What Is DNS, And Why Do I Care
What Is DNS, And Why Do I Care
CSIS-116: Exam 1
CSIS-116: Exam 1
View File
View File
Assignment-2_old Paper
Assignment-2_old Paper
Matching game to review for Exam II
Matching game to review for Exam II
Basic Server Roles: File Services Role: The File Services Role has
Basic Server Roles: File Services Role: The File Services Role has
Super G on Raven PTarmigan January15th, 2009 RACE JURY
Super G on Raven PTarmigan January15th, 2009 RACE JURY
Download
advertisement