
CS 445 / 645 Internet Security Mon & Wed, 11:30 AM ~ 12:45 PM @ SEB 1240 Spring, 2012






Presentation Transcript


  1. School of Computer Science CS 445 / 645 Internet Security Mon & Wed, 11:30 AM ~ 12:45 PM @ SEB 1240 Spring, 2012 Wednesday, Feb. 15, 2012 CS 445 – Internet Security

  2. Announcement
     • Assignment due date: Feb 22, Wed. (Not Feb 20, Mon)
     • No class on Feb. 20
     • Quiz on Feb 22, Wednesday

  3. Review

  4. A bridge connecting two LANs

  5. Packet Sniffing (Passive)
     • A packet sniffer is computer software or hardware that can intercept and log traffic passing over a network.
     • On a hub, all frames can be collected
     • On a switch, only the frames between a specific source and destination are collected
     [Figure: a packet sniffer (PK) attached to a hub vs. to a switch]

  6. Network layer
     • OSI Layer 3
     • End-to-end (source to destination) packet delivery; the data link layer is responsible for node-to-node (hop-to-hop) packet delivery
     • Functions
       • Logical addressing (IP)
       • Translating logical addresses (IP) into physical addresses (MAC addresses) (ARP)
       • Determining the route from source to destination (routing algorithms: OSPF, RIP, BGP)
       • Forwarding packets from a router's input port to its output port

  7. Traditional addressing scheme
     • Classful addressing
     • Used the concept of classes (A, B, C, D, E)
     • Historical
     • E.g. which class?
       • 1100 0001 ---
       • 14.23.120.8
       • 252.5.15.111
     [Figure: netid (prefix) and hostid (suffix) portions of the address]

  8. 1. Classless addressing
     • Mask
       • /n indicates n bits for the netid (x.y.z.t/n)
       • n can be any value from 0 to 32
       • It defines the first address, the last address, and the number of addresses
     • First address: set the rightmost (32 − n) bits to 0s
     • Last address: set the rightmost (32 − n) bits to 1s
     • Number of addresses: 2^(32−n)
     • E.g.: 205.16.37.39/28
       • 11001101 00010000 00100101 00100111
       • 11001101 00010000 00100101 00100000 (205.16.37.32)
       • 11001101 00010000 00100101 00101111 (205.16.37.47)
       • The value of n is 28, so the number of addresses is 2^(32−28) or 16
     • First address: special purpose (used by routers)
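The first/last/count computation from this slide, written out with the bit operations the slide describes (an added example, not from the lecture; it deliberately avoids the `ipaddress` module so the masking is visible, and adds a `contains()` helper that is useful when turning a block into an ACL or IDS rule):

```python
# Added example: CIDR arithmetic for x.y.z.t/n exactly as on the slide.
def ip_to_int(dotted):
    """Dotted-quad string -> 32-bit integer, rejecting malformed input."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad IPv4 address: %r" % dotted)
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_ip(value):
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def cidr_block(block):
    """Return (first_address, last_address, count) for 'x.y.z.t/n'."""
    addr, _, n = block.partition("/")
    n = int(n)
    if not 0 <= n <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    host_bits = 32 - n
    netmask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    first = ip_to_int(addr) & netmask          # rightmost (32 - n) bits -> 0
    last = first | ((1 << host_bits) - 1)      # rightmost (32 - n) bits -> 1
    return int_to_ip(first), int_to_ip(last), 1 << host_bits   # 2^(32-n)

def contains(block, address):
    """True if `address` lies inside `block` (the check an ACL rule makes)."""
    first, last, _ = cidr_block(block)
    return ip_to_int(first) <= ip_to_int(address) <= ip_to_int(last)
```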

  9. 2. NAT: Network Address Translation
     • The local network uses just one IP address as far as the outside world is concerned:
       • Devices inside the local net are not explicitly addressable or visible to the outside world (a security plus)
     • Internal devices are assigned private addresses
     • Multiplexing is done by port numbers
     • Private IP addresses
     • If a network address cannot be obtained via DHCP, an address from 169.254.1.0 to 169.254.254.255 is assigned randomly.

  10. IPv6 Notation
     • Hexadecimal colon notation
       • 16 bytes divided into 8 sections, each 2 bytes long
     • Abbreviation
       • Still too long, and many sections are zero
       • Leading zeros can be dropped
       • Consecutive runs of 0s can be omitted (allowed only once)

  11. IP Packet Header (v4)
     [Figure: IPv4 header layout, bit 0 to bit 31]
     • Version (4 bits) = 0100
     • Header Length (4 bits)
     • Type of Service (8 bits)
     • Total Length (16 bits)
     • Identification (16 bits)
     • Flags, Fragment Offset (13 bits)
     • Time to Live (8 bits)
     • Protocol (8 bits): 1=ICMP, 6=TCP, 17=UDP
     • Header Checksum (16 bits)
     • Source IP Address (32 bits)
     • Destination IP Address (32 bits)
     • Options (if any), Padding
     • Data Field (variable)
     • Options: timestamp, record route taken, specify list of routers to visit, etc.
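The header layout on this slide, decoded from raw bytes and checksum-verified (an added example, not from the lecture; the 20-byte sample packet is constructed in `build_sample()`, not captured, and the field names in the returned dict are this example's own):

```python
# Added example: parse an IPv4 header and verify its checksum.
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # values from the slide

def ip_checksum(data):
    """One's-complement sum of 16-bit words (RFC 791 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(packet):
    """Return the header fields as a dict; raise ValueError if truncated."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, tos, tlen, ident, flagoff, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4   # header length in bytes
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a complete IPv4 header")
    return {
        "version": version, "header_len": ihl, "tos": tos, "total_len": tlen,
        "id": ident,
        "df": bool(flagoff & 0x4000), "mf": bool(flagoff & 0x2000),
        "frag_offset": flagoff & 0x1FFF,          # in 8-byte units
        "ttl": ttl, "protocol": PROTOCOLS.get(proto, str(proto)),
        # summing a correct header including its checksum field gives 0
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": packet[20:ihl],
    }

def build_sample():
    """Constructed sample: ICMP over IP, no options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0x1C46, 0x4000, 64, 1, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
```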

  12. Computer Networks Overview: Layer 3 (Network layer), continued

  13. IP Fragmentation & Reassembly
     • If (packet size > MTU): fragmentation
     • At the source or at routers
     • Reassembled only at the final destination
     [Figure: fragmentation: in: one large datagram, out: 3 smaller datagrams; reassembly at the destination]

  14. IP Fragmentation and Reassembly Example
     • 4000 byte datagram
     • MTU = 1500 bytes (Ethernet)
     • Note: IP header = 20 bytes, so 1480 bytes in the data field
     • offset (starting location in 8-byte units) = 1480/8
     One large datagram (length = 4020, ID = x, fragflag = 0, offset = 0) becomes three smaller datagrams:
       length = 1500, ID = x, fragflag = 1, offset = 0    (1480 data bytes)
       length = 1500, ID = x, fragflag = 1, offset = 185  (1480 data bytes)
       length = 1060, ID = x, fragflag = 0, offset = 370  (1040 data bytes)

  15. Network Layer: ICMP

  16. Internet Control Message Protocol (ICMP) for Supervisory Messages
     • Used by hosts & routers to communicate network-level information
     [Figure: a router returns a "Host Unreachable" error message (ICMP message carried behind an IP header); "Echo" and "Echo Reply" messages]

  17. IP Packet with an ICMP Message Data Field
     • ICMP and IP
       • An ICMP message is delivered (encapsulated) in the data field of an IP packet
       • ICMP message: type, code plus the first 8 bytes of the IP datagram causing the error
       • Type: general category of supervisory message
       • Code: subcategory of type (set to zero if there is no code)
     [Figure, bit 0 to bit 31: IP header (usually 20 bytes), then Type (8 bits), Code (8 bits), and remaining fields that depend on type and code]

  18. ICMP: Internet Control Message Protocol
     Type  Code  Description
      0     0    echo reply (ping)
      3     0    dest. network unreachable
      3     1    dest. host unreachable
      3     2    dest. protocol unreachable
      3     3    dest. port unreachable
      3     6    dest. network unknown
      3     7    dest. host unknown
      4     0    source quench (congestion control - not used)
      8     0    echo request (ping)
      9     0    route advertisement
     10     0    router discovery
     11     0    TTL expired
     12     0    bad IP header

  19. ICMP and Traceroute
     • Source sends a series of UDP segments to the destination
       • First has TTL = 1, second has TTL = 2, etc.
     • When the n-th datagram arrives at the n-th router:
       • Router discards the datagram (TTL = 0)
       • And sends the source an ICMP message (type 11, code 0)
     • When the ICMP message arrives, the source calculates the RTT
     • Traceroute does this 3 times
     • On Windows, "tracert"

  20. Network Layer: ARP

  21. MAC address vs. IP address
     [Figure: OSI layers: Application, Presentation, Session, Transport, Network, Data Link, Physical]
     • A computer has two addresses
     • MAC address (Data Link Layer) works only in the LAN
     • To send across multiple LANs, you need to use the IP address (Network Layer)
     • If you know only your destination's IP address, how can you find out its MAC address?
     • Without the MAC address, you can't deliver it

  22. ARP: Address Resolution Protocol
     • Each IP node (host, router) on the LAN has an ARP table
     • ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>
     • An entry is kept for a limited time to allow dynamic change (typically 20 min)
     • Question: how do you fill up the ARP table?
       • Broadcast the IP address
       • The target with the matching IP address responds

  23. Network Layer: Routing Protocols

  24. Autonomous System (AS)
     • A collection of IP networks and routers under the control of one entity, typically an Internet service provider or a very large organization
     • A unique AS number is allocated to each AS
       • 32-bit number (was 16-bit until 2007)
       • http://www.cidr-report.org/as2.0/autnums.html
       • Over 35,000 ASes
     • Search the ASN for my IP
       • http://whois.arin.net/ui

  25. UNLV Network: http://bgplay.routeviews.org (prefix: 131.216.0.0/16)

  26. Routing Algorithms in the Internet
     • Within an AS: Interior Gateway Protocol (IGP): OSPF, RIP
       • Based on performance
       • OSPF is a link state algorithm: complete topology information is disseminated
       • Routers in different ASes can run different IGPs
     • Between ASes: Exterior Gateway Protocol (EGP): BGP
       • Based on policy. Not a link state algorithm. Why not?
       • Can't store all destinations in routing tables
       • Number of hosts in the Internet: 888,239,420 in Jan 2012 (http://www.isc.org/solutions/survey)
       • Routing table exchange would swamp links!

  27. BGP Routing Table Size (IPv4) (Source: http://bgp.potaroo.net/)

  28. BGP Routing Table Size (IPv6), AS 6447

  29. Hands-on: Useful commands
     • Open a command shell on a Windows machine, and try the following commands
       • ipconfig /all: IP and MAC addresses
       • arp -a: browse the ARP table
       • route print or netstat -r: browse the route table

  30. Attacks in Network Layer

  31. Attacks in Network Layer
     • Network scanning
       • Ping sweeping: find live systems
       • Network mapping
       • Anonymous scanning with IP sequence number predictability
     • Avoiding detection
       • IP fragmentation attack
       • IP address spoofing attack
     • Killing the target
       • Denial-of-service attack

  32. 1. Ping Sweeping
     • Most port scanners determine if an address is in use before scanning it
     • Ping sweeping
       • Sending ICMP echo requests to a wide range of IP addresses
       • If the target replies, a system is on the network
       • If it does not reply, the system may not be on the network, the system may have turned off ICMP service, or a firewall may be blocking ICMP
     • A ping sweep can be easily detected by a properly configured IDS (Intrusion Detection System)
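The IDS detection the last bullet refers to, reduced to its core rule (an added example, not from the lecture): one source sending ICMP echo requests (type 8) to many distinct destinations inside a short window. The flow records below are constructed for the example and the field layout is this example's own.

```python
# Added example: ping-sweep detection over constructed ICMP flow records.
from collections import defaultdict

# Constructed sample records: (epoch seconds, src, dst, icmp_type)
RECORDS = [
    (100, "192.0.2.10", "198.51.100.1", 8),
    (100, "192.0.2.10", "198.51.100.2", 8),
    (101, "192.0.2.10", "198.51.100.3", 8),
    (101, "192.0.2.10", "198.51.100.4", 8),
    (102, "192.0.2.10", "198.51.100.5", 8),
    (102, "198.51.100.2", "192.0.2.10", 0),   # echo reply, not a probe
    (150, "192.0.2.77", "198.51.100.9", 8),   # one ordinary ping
    (400, "192.0.2.10", "198.51.100.6", 8),   # too late to join the burst
]

def detect_ping_sweeps(records, window=60, threshold=5):
    """Return {src: max_distinct_targets} for every source whose echo
    requests reached at least `threshold` distinct destinations within
    any `window`-second span.  Only type 8 (echo request) counts."""
    probes = defaultdict(list)
    for ts, src, dst, itype in records:
        if itype == 8:
            probes[src].append((ts, dst))
    hits = {}
    for src, events in probes.items():
        events.sort()                            # by timestamp
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1                          # slide the window forward
            distinct = {dst for _, dst in events[lo:hi + 1]}
            if len(distinct) >= threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits
```

Replies (type 0) are ignored on purpose: counting them would let a spoofed-source burst of replies make an innocent host look like the scanner.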

  33. 2. Network Mapping
     • Network topology
       • Internet connectivity: DMZ, perimeter networks
       • Internal network (with access from a modem or wireless access point)
     • An attacker can better plan an attack by understanding the topology of the target network
       • The layout of routers and hosts can show vulnerabilities
       • Or at least let the attacker know where the potential targets are
     • Cheops-ng: http://cheops-ng.sourceforge.net
     • Zenmap: http://nmap.org/zenmap/

  34. 2. Network Mapping - Cheops-ng

  35. 2. Network Mapping - Zenmap (http://nmap.org/download.html)

  36. 3. Stealthy scanning
     • nmap (more later) has a stealthy scanning mode
     • Nmap scans a target for open ports
     • Using the real IP address is dangerous to the attacker
     • The attacker wants to spoof the source IP address to prevent trace back
     • But then the reply won't return to the attacker!
     • What can the attacker do?
     • Use the ID field predictability to infer the reply

  37. IP Packet (v4)
     [Figure: IPv4 header layout, bit 0 to bit 31]
     • Version (4 bits) = 0100
     • Header Length (4 bits)
     • Type of Service (8 bits)
     • Total Length (16 bits)
     • Identification (16 bits)
     • Flags, Fragment Offset (13 bits)
     • Time to Live (8 bits)
     • Protocol (8 bits): 1=ICMP, 6=TCP, 17=UDP
     • Header Checksum (16 bits)
     • Source IP Address (32 bits)
     • Destination IP Address (32 bits)
     • Options (if any), Padding
     • Data Field (variable)
     • Options: timestamp, record route taken, specify list of routers to visit, etc.

  38. 3. Stealthy scanning - IP Identification Field
     • The IP Identification field
       • Used for packet fragmentation to group all fragments together for packet reassembly
       • Has a unique value, which can be assigned randomly or incrementally
       • If incremental, each packet gets a value that is one bigger than the previous packet's value
     • TCP 3-way handshaking process
       • SYN (client sends to a server)
       • SYN-ACK (server replies if the TCP port is open)
       • ACK (client confirms)

  39. 3. Stealthy scanning – step 1
     [Figure: Intermediary, Target]
       1. SYN
       2. SYN-ACK with ID = X
       3. Remember ID = X

  40. 3. Stealthy scanning – step 2
     [Figure: Intermediary, Target]
       4. Spoofed SYN to TCP port p
       5. SYN-ACK from port p
       6. RST, ID = X+1
       7. SYN
       8. SYN-ACK

  41. So what?
     • Consider step 6
       • A RST is sent only when the intermediary receives a SYN-ACK
       • If it doesn't receive a packet, no reply is sent
     • Okay, so?
       • Step 7 is important to the attacker
       • The attacker sends a packet again to the intermediary
       • The reply will have an ID value of either X+1 or X+2
       • If X+2, the intermediary sent a RST, so the port is open
       • If X+1, the intermediary didn't send a RST, so the port is closed
     • Note
       • The IP ID value of the intermediary must be predictable. That is, it should not be busy, otherwise the ID value will increase unpredictably. Nmap calls this "idle" scanning.
     • Defense?
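To answer the "Defense?" bullet concretely, here is a pure-Python model of the eight steps above in which the intermediary is a simulated object, not a host on a network (an added example, not from the lecture). Run with an incremental ID counter the inference is always right; switch the intermediary to a randomized Identification field and the X+1 / X+2 rule stops carrying any information, which is exactly why modern stacks randomize it.

```python
# Added example: why a randomized IP ID defeats the ID-based inference.
import random

class Intermediary:
    """Simulated idle host that stamps every packet it sends with an IP ID."""
    def __init__(self, id_mode, seed=0):
        self.id_mode, self.rng, self.last = id_mode, random.Random(seed), 1000
    def next_id(self):
        if self.id_mode == "incremental":
            self.last = (self.last + 1) & 0xFFFF      # predictable: +1 per packet
        else:
            self.last = self.rng.getrandbits(16)     # randomized per packet
        return self.last
    def probe(self):
        """Steps 1-3 and 7-8: answer a SYN with a SYN-ACK carrying an IP ID."""
        return self.next_id()
    def receive_syn_ack(self):
        """Step 6: an unexpected SYN-ACK makes the host send a RST (one ID used)."""
        self.next_id()

def simulate_idle_scan(intermediary, target_port_open):
    """Return 'open', 'closed' or 'unknown' as the slide's rule would infer."""
    x = intermediary.probe()                 # steps 1-3: remember ID = X
    if target_port_open:                     # steps 4-5: the target's SYN-ACK
        intermediary.receive_syn_ack()       # reaches the intermediary
    y = intermediary.probe()                 # steps 7-8: probe again
    delta = (y - x) & 0xFFFF
    return {1: "closed", 2: "open"}.get(delta, "unknown")

def inference_accuracy(id_mode, trials=200):
    """Fraction of trials in which the inferred state matched the truth."""
    correct = 0
    for i in range(trials):
        truth = bool(i % 2)                  # alternate open / closed ports
        guess = simulate_idle_scan(Intermediary(id_mode, seed=i), truth)
        correct += guess == ("open" if truth else "closed")
    return correct / trials
```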

  42. 4. IP Fragmentation Attacks
     • Useful in avoiding detection by some network-based Intrusion Detection Systems (IDS)
     • Can be used for scanning and exploiting
     • The principles are described in the paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" (January 1998)
       • http://www.creangel.com/papers/Eluding%20Network%20Intrusion%20Detection.pdf

  43. IP Fragmentation and Reassembly Example
     • 4000 byte datagram
     • MTU = 1500 bytes
     • Note: IP header = 20 bytes, so 1480 bytes in the data field
     • offset (starting location in 8-byte units) = 1480/8
     One large datagram (length = 4020, ID = x, fragflag = 0, offset = 0) becomes three smaller datagrams:
       length = 1500, ID = x, fragflag = 1, offset = 0    (1480 data bytes)
       length = 1500, ID = x, fragflag = 1, offset = 185  (1480 data bytes)
       length = 1060, ID = x, fragflag = 0, offset = 370  (1040 data bytes)

  44. Attack detection at IDS
     • Consider an attack
       • "cat /etc/passwd"
       • The IDS will match the string "/etc/passwd"
     • How can the attacker avoid detection?
       • Use fragmentation, because the IDS may look only at each fragment
     [Figure: the attacker sends "cat /etc/passwd" across the network; the IDS sits between the attacker and the target]

  45. How can she use IP fragmentation?
     • Tiny fragment attack
       • Break a string into smaller pieces
       • "cat /etc/p" + "asswd"
     • Fragment overlap attack
       • Break into pieces, and make them overlap to hide the original content
       • "cat /etc/paqxyhs" + "sswd" (with offset 11)
     • See RFC 1858, Security Considerations for IP Fragment Filtering

  46. IP Fragment Attack Tools
     • Fragrouter
       • Written by Dug Song
       • All packets entering one interface go out the other interface fragmented
       • The attacker can specify how fragmentation will occur: fragment size, out of order, etc.
     • An improved version, Fragroute, was released in 2002

  47. Fragroute

  48. Handling Reassembly
     • How do OSes handle overlapped fragments?
     • Different OSes reassemble packets differently
     • Examples
       • Earliest fragments can't be overlapped
       • The fragment with the lowest offset will overwrite others, regardless of arrival time
       • Complete overlap and partial overlap are handled differently in different OSes
     • The same set of IP fragments may have very different results in different OSes, which may be harmful or harmless
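The fragment bookkeeping from the 4000-byte/MTU-1500 slide and the reassembly ambiguity of this slide, in one added example (not from the lecture): `fragment()` reproduces the three (length, ID, fragflag, offset) tuples, `reassemble()` shows how the "cat /etc/paqxyhs" + "sswd" fragments yield different bytes under a first-wins and a last-wins policy, and `rfc1858_drop()` applies the two filter rules from RFC 1858. Offsets given to `reassemble()` are byte offsets, matching the slide's "offset 11" illustration; real IP offsets are in 8-byte units. The `tmin` value is a parameter the RFC leaves to the implementer; 16 is chosen here.

```python
# Added example: fragmentation, policy-dependent reassembly, RFC 1858 checks.
def fragment(total_length, mtu, header_len=20, ident=0):
    """Split a datagram into (length, id, fragflag, offset) tuples,
    offset in 8-byte units, the way a router does it."""
    data_len = total_length - header_len
    chunk = (mtu - header_len) // 8 * 8       # data per fragment, multiple of 8
    frags, pos = [], 0
    while pos < data_len:
        size = min(chunk, data_len - pos)
        more = 1 if pos + size < data_len else 0   # fragflag (more fragments)
        frags.append((size + header_len, ident, more, pos // 8))
        pos += size
    return frags

def reassemble(fragments, policy):
    """fragments: (byte_offset, payload) pairs in arrival order.
    policy 'first': bytes already received are kept;
    policy 'last': a later fragment overwrites earlier bytes.
    An IDS that picks the wrong policy for the target sees different data."""
    size = max(off + len(data) for off, data in fragments)
    buf = [None] * size
    for off, data in fragments:
        for i, ch in enumerate(data):
            if policy == "last" or buf[off + i] is None:
                buf[off + i] = ch
    return "".join(ch if ch is not None else "?" for ch in buf)   # ? = hole

def rfc1858_drop(frag_offset_units, protocol, transport_len, tmin=16):
    """RFC 1858 rules for TCP (protocol 6): drop a first fragment carrying
    fewer than tmin bytes of transport header, and drop any fragment with
    offset 1, which could overwrite the TCP header of the first fragment."""
    if protocol != 6:
        return False
    if frag_offset_units == 0 and transport_len < tmin:
        return True
    return frag_offset_units == 1

# Constructed inputs taken from the slides
FRAGS = fragment(4020, 1500)                            # slide 14 example
TINY = [(0, "cat /etc/p"), (10, "asswd")]               # tiny fragment attack
OVERLAP = [(0, "cat /etc/paqxyhs"), (11, "sswd")]       # overlap, offset 11
```

Under the last-wins policy the overlapping pair reassembles to "cat /etc/passwds", which still contains the "/etc/passwd" signature, while first-wins yields "cat /etc/paqxyhs", which does not; an IDS must therefore reassemble the way the destination host does.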

  49. Wrapping up
     • We studied
       • Network Layer overview
       • Attacks in the Network layer
     • Next class
       • Transport layer
