Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

EECS 700: Network Security

advertisement 
ITIS 6167/8167: Network and
Information Security
Weichao Wang
Contents
• ARP protocol and ARP poisoning
– How ARP works
– ARP poisoning
– Security impacts
– Mitigation mechanisms
• IP fragmentation and attacks
– IP fragmentation
– Attacks
– Mitigation mechanisms
2
3
Ethernet address
• Layered model of Internet
• Separation of IP address and physical
address
• How does IP routing works
– Example
4
• IP address
– 32 bits (IPv4)
• Ethernet address
– 48 bits
– Different hardware vendors get different
chunk of addresses
– Can be broadcast or unicast address
– Mapping b/w IP and Ethernet address can
change
5
• IP routing needs the mapping b/w IP
addresses and physical addresses
– Static mapping (proNET or token ring)
• Physical address = f (IP address)
– Dynamic binding
• More flexible
• Needs a protocol to accomplish this task –
Address Resolution Protocol (ARP)
6
• Ethernet frame format
Preamble and CRC: only used by hardware and
users will not see them
Frame-type: 0x0800 (IP), 0x0806 (ARP), 0x8035
(RARP)
Data part: 46 to 1500 octets
7
Example of ethernet packet
8
• Destination physical address:
02 07 01 00 27 ba
• Source physical address
08 00 2b 0d 44 a7
• Protocol type: 0800 (IP)
• More details of the packet: this is an ICMP
packet
9
10
ARP protocol
• Motivation
– Ethernet card only needs to recognize
ethernet address
– Upper layer (IP) only knows IP address
– Routing table entry
– The user have to map the IP address to
physical address
11
• ARP protocol
– Machine A want to send a packet to B, but only know
B’s IP address
– Machine A broadcast an ARP request with B’s IP
address (using broadcast physical address)
– All nodes receive the request
– B replies with its physical address
– Machine A adds the address into its ARP cache
– A sends packets to B
12
13
ARP encapsulation
• In ethernet, frame type for ARP is 0x0806
ARP packet
14
ARP packet format when used with Ethernet
15
• The format is general enough to work with
different physical address and protocol address
• Details of ARP packet (Fixed length part)
– Hardware type (2 bytes): 1 for ethernet
– Protocol type (2 bytes): 0x0800 for IP
– HLEN (1 byte): hardware address length. 6 for
ethernet
– PLEN (1 byte): protocol address length. 4 for IP
– Operation (2 bytes): 1=ARP req, 2=ARP reply,
3=RARP req, 4=RARP reply
16
• Varying parts of ARP packets
– Sender’s physical address: 6 byte in our
example
– Sender’s protocol address: 4 byte
– Target’s hardware address: 6 byte
– Target’s protocol address: 4 byte
17
• ARP cache
– To reduce ARP overhead, the machine keeps
a cache for recently got IP-PHY address
mapping
– Cache has a limited size: replacement policy
– ARP entry has a lifetime: why do not we keep
it forever??
18
• How does the node learn ARP information
– From received ARP request
– From received ARP reply (no matter they
have sent a ARP request or not) (depend on
OS)
– Gratuitous message: both the source and
destination address are the same
• Used to detect IP conflict
• When physical address changes, use this to notify
other nodes after reboot
19
20
ARP poisoning
• Potential attack to ARP
– There is no protection on the mapping b/w
Physical and IP address
– An example attack: if ARP cache is poisoned,
the packet going to node A will be sent to
Node B’s physical address, and node B will
get them.
– Is this the same as promiscuous mode? Not
really
21
• Two simple and not-so-effective MAC
address attacks
– Poison a switch by sending out an ethernet
packet with the target’s physical address as
the source of the packet. The switch tries to
learn from the packet.
– Problems
• The real node also sends out packet
• Static configuration of switches
22
• Attack 2:
– Sends out ARP reply and tries to beat the real
node
– Problem: the conflict is relatively easy to
detect
23
• ARP cache poisoning
– Through ARP poisoning, the packets targeting
at node A may be sent to node B
– Methods to poison ARP cache
• ARP request
• ARP reply
• Gratuitous packets
– Instead of broadcast, we can use unicast to
poison node
24
• Examples of attacks
– Send a unicast ARP request to poison ARP
cache
– Send a unicast ARP reply to poison ARP
cache
25
• Which systems are vulnerable to ARP
poisoning?
– Windows 9x, NT, 2000, XP
– Solaris 8
– Linux Kernel 2.2 and 2.4
– Cisco IOS 12
– Nokia IPSO 3.5
26
27
• Complicated attacks and their impacts
• Man-in-the-middle attack
– Cheat both sides of a connection and get
access to the traffic b/w them
– The malicious node will forward packets to
both sides to avoiding detection
– Disable attacker’s ICMP redirect functionality
– Microsoft IE certificate can be compromised
by this attack
28
• Hijacking HTTP connections and run a
manipulated web server through MiM
attacks
• Escaping firewall
– Some companies use IP based authentication
and only allow a few IP addresses to get out
(HTTP server, mail server)
– Through ARP poisoning, you can bypass the
firewall
29
• DoS attacks
– After poisoning the ARP cache, discard all
packets sent to you
– Using a non-existing physical address to
poison ARP cache
• Poisoning a SMTP relaying server to send
out junk mails
30
• Defending against ARP poisoning
– Network IDS: detect duplicate IP address or
flip-flop of the IP-PHY bindings
– Host IDS: maintain a record of IP-PHY
bindings, detect abnormal changes of the
bindings (arpwatch in UNIX)
– Do not use IP-address based authentication
31
32
IP protocol and fragmentation
• IP layer provides the fundamental service
in Internet: unreliable, connectionless, and
best-effort based packet delivery
– Unreliable: packet may lost, duplicated,
delayed, out of order
– Connectionless: every packet is handled
independently
– Best-effort: no quality guarantee
33
• IP protocol will
– Define the format of IP packet
– Routing
– Determine
• Packet processing procedures
• Error reporting and handling procedures
34
IP encapsulation
• In ethernet, frame type for IP is 0x0800
IP header
IP Data
35
IP format
36
• Details of IP packet
– Vers: current version is 4
– HLEN: header length in 32 bit word. Usually is
5 (20 byte), max can be 60 bytes (IP options)
– Type of services: usually all 0 (best effort),
can be used for diffserv and QoS
– Total length: 16 bit can represent 64K byte
long packet
37
• Identification, flags, and offset: used for
fragmentation and reassemble (later)
• TTL: time to live: number of routers a
packet can pass.
– Every router will reduce this value by one.
When reach 0, the packet will be discarded.
– Can be used to prevent routing loop
– Use TTL to implement traceroute
38
• Type: the high level protocol the IP packet
contains: ICMP (0x01), TCP (0x06), UDP
(0x11)
• Header checksum
• Example: an ICMP packet b/w 128.10.2.3
and 128.10.2.8. Header length is 20 bytes.
39
40
• IP header options
– Record route option
• Intermediate routers will attach their IP address to
the packet
– Timestamp option
• Intermediate router attach 32 bit timestamp
– Source routing option
• Strict source routing
• Loose source routing: allow multiple hops b/w
routers
41
Related documents
PresentationTopicARPattack
PresentationTopicARPattack
TAP 206- 4: Motion under gravity
TAP 206- 4: Motion under gravity
7. Refer to the exhibit. Which value will be configured for Default
7. Refer to the exhibit. Which value will be configured for Default
Dimensional Analysis work sheet I
Dimensional Analysis work sheet I
Project-2 Overview
Project-2 Overview
Lab work 6 - Home - Computer Networks Course
Lab work 6 - Home - Computer Networks Course
STATEMENT OF WORK (SOW)
STATEMENT OF WORK (SOW)
CIS 617 - NETWORKS & COMMUNICATION
CIS 617 - NETWORKS & COMMUNICATION
File - Itassignments
File - Itassignments
Download
advertisement