CSCD 434 Lecture 6 Network Protocol Vulnerabilities Spring 2019
Outline • Today • Define General Attacks on Network Protocols • Define Why protocols are vulnerable • Look at attacks on network protocols • TCP, UDP, IP, ICMP, ARP • Next time • Other protocols BGP/DNS • Discussion of Papers
History of Network Protocols • Infrastructure protocols were designed when security concerns were almost non-existent • Trust was assumed • Recall early history of Internet • Connected major universities with government labs ... in fact, commercial use was at first prohibited • Main goal for DARPA Internet Program • Share large service machines on ARPANET • Many protocol specifications focused only on operational aspects … overlooked security implications ... • Hey, we're all friends!!
Vulnerabilities in Protocols • During the last twenty years, many vulnerabilities have been identified in the TCP/IP stacks of most systems • Protocol weaknesses are due to: • Design of the protocol, and • Daily operation and configuration
TCP/IP Suite Problems • Problems • Can you think of some security problems with the design of the TCP/IP suite? • IP addresses are not validated • Hosts cannot be authenticated • Trivial to spoof packets as coming from a trusted host • Remote utilities assume trust between hosts • Encryption not typically used, and never for headers
Protocol Attacks • What type of network attacks are common in today’s Internet? • Denial of Service (DoS) and Distributed Denial of Service (DDoS) • Man in the Middle Attack • Eavesdropping on network traffic • Application Security Attacks • Web Based Attacks • SQL Injection • Cross-site Scripting • Drive-by Malware
Protocol Attack Techniques • Sniffing Traffic • Eavesdropping on a network • “Wiretap” programs ... name one program • Wireless networks • Easier to see all the traffic, put NIC into Monitor mode • Wired networks • NIC needs to be in promiscuous mode • Must do ARP spoofing or other attack to get all packets forwarded to you • Can only see traffic from subnet you are tapped into
Protocol Attack Techniques • Flooding or Denial of Service • Preventing legitimate clients from receiving service • Sending too many bogus requests to a server • Tying up server with malformed packets or packets out of sequence
Protocol Attack Techniques • Spoofing • Spoofing is faking parts of a packet • Usually, the source IP address • Can do spoofing for many different protocols • Illegal Packets • Unexpected values in some fields • Cause machine to hang or crash • Example: src address and port = dest address and port • Illegal combination of flags in TCP protocol • Huge Ping packet - “Ping of Death”
Which Protocols • TCP/IP Protocol Suite • Application Layer - DNS • Transport Layer - UDP/TCP • Network Layer - IP/ICMP/BGP • Data Link Layer - ARP
TCP/IP Problems • Steve Bellovin • AT&T Bell Labs researcher • One of the first to publicize problems in TCP/IP protocols • Wrote his original paper in 1989 • Documented many problems • Some problems no longer relevant • Updated Paper - 2004 https://www.cs.columbia.edu/~smb/papers/badesp.pdf (photo) Who does this look like?
Problems Summary • Steve Bellovin’s Observations • TCP Sequence numbers not random • Can be predicted, leads to IP Spoofing attacks • Trusted Hosts • Used remote Linux utilities to violate trust • Hardly ever used these days .. we won't cover it • ICMP Messages • Used them to perform DoS, routing re-direction • Routing Protocols • RIP, BGP have authentication problems • Domain Name Servers • Not secure
TCP/IP Problems • Look at a few problems • Syn Floods • IP Spoofing/TCP Protocol problems • ICMP Attacks • Arp Cache Poisoning
First .... TCP Review • SYN - First packet in a connection, indicates host wants a connection • ACK - Used throughout entire connection to ACKnowledge previously received packets • FIN - Used to indicate the sender is FINished sending data, connection can be ended • RST - RST packet sent whenever a host receives an unexpected packet, such as an ACK without ever having received a SYN • Resets the connection
TCP Handshake (diagram, client C and server S) • S: Listening • C → S: SYN_C • S: stores connection data • S → C: SYN_S, ACK_C+1 • S: waits • C → S: ACK_S+1 • Connected
TCP Syn Flooding • How does it work?
TCP Layer Attacks (diagram: a stream of SYN packets arriving at the server) • TCP SYN Flooding • Exploits state kept at a server after the initial SYN packet • Send SYN and don’t reply with ACK • Server will wait for 75 seconds for the ACK • Finite queue size for incomplete connections • Once the queue is full, the server doesn’t accept new requests
SYN Flooding (diagram, client C and server S) • S: Listening • C → S: SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5 ... • S: stores data for each half-open connection
SYN Flooding • Attacker sends many connection requests • Can use spoofed source addresses of machines that are not on-line • Victim allocates resources for each request • Connection request exists until timeout • Fixed number of half-open connections • DoS: future requests are rejected
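The half-open connection queue described above is visible from the victim's own connection table, which is where a defender first notices a flood. The following is an added example (not from the lecture): it parses a constructed netstat-style listing (the sample lines, addresses and the backlog size of 8 are all made up for the demo) and flags listeners whose SYN_RECV count is filling the queue, reporting how many distinct sources are behind them, since spoofed floods tend to show almost as many sources as entries.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of `netstat -tn` output (not a real capture):
# proto recv-q send-q local-address foreign-address state
SAMPLE_NETSTAT = """\
tcp 0 0 10.0.0.5:80 203.0.113.7:51522 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.14:40001 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.15:40002 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.16:40003 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.17:40004 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.18:40005 SYN_RECV
tcp 0 0 10.0.0.5:22 203.0.113.9:55000 ESTABLISHED
tcp 0 0 10.0.0.5:22 203.0.113.9:55001 SYN_RECV
"""

LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            lip, lport, rip, rport, state = m.groups()
            yield lip, int(lport), rip, int(rport), state


def half_open_per_listener(text):
    """For each listening socket, count SYN_RECV (half-open) entries and how
    many distinct remote addresses they come from."""
    counts = Counter()
    sources = defaultdict(set)
    for lip, lport, rip, _rport, state in parse_netstat(text):
        if state == "SYN_RECV":
            counts[(lip, lport)] += 1
            sources[(lip, lport)].add(rip)
    return {key: (counts[key], len(sources[key])) for key in counts}


def syn_flood_suspects(text, backlog=8, fill_ratio=0.5):
    """Return listeners whose half-open queue is at least fill_ratio full.
    backlog is the assumed size of the incomplete-connection queue; 8 is a
    demo value chosen so the constructed sample trips the check."""
    suspects = []
    for (lip, lport), (n, distinct) in half_open_per_listener(text).items():
        if n >= backlog * fill_ratio:
            suspects.append({"listener": f"{lip}:{lport}",
                             "half_open": n, "distinct_sources": distinct})
    return sorted(suspects, key=lambda s: s["listener"])


if __name__ == "__main__":
    for suspect in syn_flood_suspects(SAMPLE_NETSTAT):
        print(suspect)
```

On a real host the backlog parameter should be set to the kernel's actual incomplete-connection queue size, and the check should be run repeatedly, since a single snapshot cannot distinguish a burst of slow clients from a flood.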
SYN Flood Solution: TCP SYN Cookies • General idea – Client sends SYN with ISN (Initial Sequence Number) – Server responds to client with SYN-ACK whose cookie sequence number (sqn) = f(src addr, src port, dest addr, dest port, random seed) • Server does not save state – Honest client responds with ACK(sqn+1) – Server checks the response – If it matches the SYN-ACK, establishes connection
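The cookie function f and the stateless check are short enough to write out. This is an added example, not the lecture's or any kernel's code: it keys the cookie with an HMAC over the four-tuple plus a 64-second time counter, so the server keeps no per-SYN state and old cookies expire. The addresses, the secret and the counter period are assumptions for the demo; real implementations also pack the negotiated MSS into the cookie, which is omitted here.

```python
import hashlib
import hmac
import os
import struct
import time

MASK = 0xFFFFFFFF


def syn_cookie(four_tuple, counter, secret):
    """sqn = f(src addr, src port, dst addr, dst port, time counter, secret),
    truncated to a 32-bit sequence number. Keyed with HMAC so a client cannot
    compute valid cookies for other tuples."""
    src_ip, src_port, dst_ip, dst_port = four_tuple
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


class CookieServer:
    """Listener that answers every SYN with a cookie and stores nothing until
    a matching ACK arrives."""

    COUNTER_SECONDS = 64  # a cookie stays valid for roughly two periods

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)  # the "random seed"
        self.established = []  # the only state the server keeps

    def _counter(self, now):
        return int(now) // self.COUNTER_SECONDS

    def on_syn(self, four_tuple, client_isn, now=None):
        """Return (seq, ack) for the SYN-ACK: seq is the cookie, ack is ISN+1.
        Nothing is recorded, so a flood of SYNs costs only these computations."""
        now = time.time() if now is None else now
        cookie = syn_cookie(four_tuple, self._counter(now), self.secret)
        return cookie, (client_isn + 1) & MASK

    def on_ack(self, four_tuple, ack_number, now=None):
        """Recompute the cookie for the current and previous period and accept
        the connection only if ack == cookie + 1."""
        now = time.time() if now is None else now
        current = self._counter(now)
        for period in (current, current - 1):
            expected = (syn_cookie(four_tuple, period, self.secret) + 1) & MASK
            if hmac.compare_digest(struct.pack("!I", expected),
                                   struct.pack("!I", ack_number & MASK)):
                self.established.append(four_tuple)
                return True
        return False


if __name__ == "__main__":
    server = CookieServer()
    conn = ("203.0.113.7", 51522, "10.0.0.5", 80)  # constructed four-tuple
    seq, ack = server.on_syn(conn, client_isn=12345)
    print("SYN-ACK seq=%d ack=%d, state kept so far: %d" % (seq, ack, len(server.established)))
    print("honest ACK accepted:", server.on_ack(conn, seq + 1))
```

The time counter is what makes replay of an old cookie fail: an ACK that arrives more than two periods after its SYN-ACK is rejected even though the four-tuple and secret have not changed.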
More TCP • TCP Uses Flags for State Coordination
  Gets      Sends     Gets    Comment
  Syn       Syn-Ack   Ack     Normal connection
  Syn/Ack   RST               Out of sequence
  Fin/Ack   RST               Out of sequence
• Uses Sequence numbers and ACKs to keep track of bytes sent between two hosts
TCP Data Injection / Session Hijacking (diagram slides: client, server and injected segment)
TCP Threat: Blind Hijacking • Is it possible for an off-path attacker to inject into a TCP connection even if they can’t see our traffic? YES: if somehow they can infer or guess the port and sequence numbers
Note #1: attacker needs to hurry, since 1.2.1.2 may send a RST packet and end connection
TCP ISN Prediction Tools • Nice paper on TCP attacks http://osvdb.org/ref/04/04030-SlippingInTheWindow_v1.0.doc • Good Sequence Number prediction tools include: • Mendax – Go to http://www.packetstormsecurity.com • Search for Mendax • Hping3 http://www.hping.org/ • Dsniff http://monkey.org/~dugsong/dsniff/
TCP/IP Spoofing Attacks • Question is • Are these attacks still feasible today, 14 or 15 years later? • Paper in 2015 describes that a surprising number of OS TCP stacks are vulnerable to TCP attacks of various kinds including TCP spoofing https://www.caida.org/~mjl/pubs/blind.pdf
More TCP Attacks • Illegal Packets • Send a packet with both SYN and FIN bits set • Victim host processes the SYN flag first • Generates a reply segment with the ACK flag set, and performs a state transition to state SYN-RCVD • Then processes the FIN flag, performs a transition to the state CLOSE-WAIT, and sends the ACK segment back to the attacker ... no more packets are sent from the attacker • Victim connection gets stuck in this state until the keep-alive timer expires … another way to do DoS
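The flag table on the "More TCP" slide, the illegal-packet cases (source equal to destination, illegal flag combinations) and the SYN+FIN stuck-state problem above all come down to what a listener does with each incoming segment. The following added example (not the lecture's code) is a minimal server-side state machine that applies the sanity checks before any state transition, so a SYN+FIN segment is discarded in LISTEN instead of walking the connection into CLOSE-WAIT; the flag values are the real TCP header bits, the addresses are constructed.

```python
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def illegal_segment(src, sport, dst, dport, flags):
    """Return a reason string for segments no valid peer sends, else None."""
    if src == dst and sport == dport:
        return "source address/port equals destination address/port"
    if flags & SYN and flags & FIN:
        return "SYN and FIN set together"
    if flags & SYN and flags & RST:
        return "SYN and RST set together"
    if flags & (FIN | SYN | RST | ACK) == 0:
        return "no flags set"
    return None


class Listener:
    """Server side of one listening port, tracking the states a connection
    passes through during and after the handshake."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.state = "LISTEN"
        self.dropped = []  # (reason, flags) for segments rejected up front

    def receive(self, src, sport, flags):
        """Process one segment and return the reply we send, or None."""
        reason = illegal_segment(src, sport, self.ip, self.port, flags)
        if reason:
            self.dropped.append((reason, flags))
            return None  # silently discard: no state transition at all
        if self.state == "LISTEN":
            if flags & RST:
                return None  # a RST aimed at a listener is ignored
            if flags & SYN and not flags & ACK:
                self.state = "SYN-RCVD"
                return "SYN-ACK"  # table row 1: Syn -> Syn-Ack
            return "RST"  # Syn/Ack, Fin/Ack or a bare Ack: out of sequence
        if self.state == "SYN-RCVD":
            if flags & RST:
                self.state = "LISTEN"  # passive open returns to listening
                return None
            if flags & ACK and not flags & (SYN | FIN):
                self.state = "ESTABLISHED"  # table row 1: final Ack
                return None
            return "RST"
        if self.state == "ESTABLISHED":
            if flags & RST:
                self.state = "CLOSED"
                return None
            if flags & FIN:
                self.state = "CLOSE-WAIT"  # legitimate way to reach this state
                return "ACK"
            return None
        return None


if __name__ == "__main__":
    srv = Listener("10.0.0.5", 80)  # constructed addresses
    print(srv.receive("203.0.113.7", 40000, SYN), srv.state)
    print(srv.receive("203.0.113.7", 40000, ACK), srv.state)
    print(srv.receive("203.0.113.8", 40001, SYN | FIN), srv.state, srv.dropped)
```

Because the illegal-segment check runs first, the stuck CLOSE-WAIT state on the slide is only reachable through a completed handshake followed by a real FIN; a SYN+FIN from a host that never completes the handshake leaves the listener in LISTEN with nothing allocated.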
More TCP Attacks • Illegal Packets • Attackers injects an RST segment into an existing TCP connection, causing it to be closed • The TCP Reset attack possible because ... • TCP endpoint must accept out of order packets that are within range of a window size, and RST flags should be processed immediately • How does this work?
TCP Reset Attack • Established TCP connection from host A to host B • Now, a third host, C, spoofs a packet that matches the source port and IP address of host A, • the destination port and IP address of host B, and the current sequence number of the active TCP connection between host A and host B • Host C sets the RST bit on the spoofed packet, so when received by host B, host B immediately closes the connection • Results in denial of service until the connection can be re-established http://kerneltrap.org/node/3072
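The slide says the RST must carry the "current sequence number", but under the original RFC 793 rule any sequence number inside the receive window is enough, and the fix is to tighten that rule. This added example (not the lecture's code) shows both receiver behaviours side by side: the legacy in-window acceptance and the RFC 5961 section 3 rule, where only an RST with the exact RCV.NXT resets the connection and an in-window but inexact RST triggers a challenge ACK that a genuine peer can answer. The challenge-ACK cap per second is an assumption modelled on what implementations do to limit reflected traffic; the sequence numbers are constructed.

```python
MASK = 0xFFFFFFFF


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), with 32-bit wraparound."""
    return ((seq - rcv_nxt) & MASK) < rcv_wnd


def classify_rst(seg_seq, rcv_nxt, rcv_wnd, strict=True):
    """What a receiver does with an incoming RST.
    strict=False: RFC 793 behaviour, reset on any RST inside the window.
    strict=True:  RFC 5961 section 3, reset only when seq == RCV.NXT; an
    in-window but inexact RST gets a challenge ACK instead."""
    if not in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "drop"
    if not strict:
        return "reset"
    return "reset" if seg_seq == rcv_nxt else "challenge-ack"


class RstGuard:
    """One connection's RST handling with RFC 5961 semantics plus a cap on
    challenge ACKs per second (assumed value; kernels make it tunable)."""

    def __init__(self, rcv_nxt, rcv_wnd, max_challenges_per_sec=100):
        self.rcv_nxt, self.rcv_wnd = rcv_nxt, rcv_wnd
        self.limit = max_challenges_per_sec
        self.second, self.sent = None, 0
        self.open = True

    def on_rst(self, seg_seq, now):
        action = classify_rst(seg_seq, self.rcv_nxt, self.rcv_wnd)
        if action == "reset":
            self.open = False
        elif action == "challenge-ack":
            sec = int(now)
            if sec != self.second:
                self.second, self.sent = sec, 0
            if self.sent >= self.limit:
                return "drop"  # over budget: keep the connection, send nothing
            self.sent += 1
        return action


if __name__ == "__main__":
    # Constructed connection: next expected byte 1000, 64 KiB window
    for seq in (1000, 1500, 999, 1000 + 65535):
        print(seq, classify_rst(seq, 1000, 65535, strict=False),
              classify_rst(seq, 1000, 65535))
```

Under the legacy rule a whole window of sequence numbers closes the connection; under the strict rule exactly one does, and the challenge ACK tells a legitimate peer what that number is while revealing nothing useful to a sender that cannot see the reply.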
IP Source Routing Abuse • Routing Information Protocol (RIP) • Used to propagate routing information on local networks • Routers need to exchange information using routing protocols • Typically will exchange information every so many seconds • IP Source routing feature • Allows source machine to specify the path a packet will take through the network
Internet Protocol (IPv4 header fields, in order): Version | Header Length | Type of Service | Total Length | Identification | Flags | Fragment Offset | Time to Live | Protocol | Header Checksum | Source Address of Originating Host | Destination Address of Target Host | Options | Padding | IP Data • Connectionless • Unreliable • Best effort • Specify Options • Source Route
IP Source Routing Abuse • Example of MITM (Man-In-The-Middle) Attacks • Send bogus routing information trying to impersonate a particular host • Want packets to be sent to the attacker machine • Attacker can intercept packets and gain passwords, credit card numbers or other sensitive information
Steps in Source Route Attack • Attack Steps (three hosts, Eve, Alice and Bob) • Eve generates packets with a fake source route • Packets claim to come from Alice • Source route includes Eve’s IP • Eve looks like a router between Alice and Bob • Bob is the destination • Routers between Eve and Bob read the source route and deliver packets to Bob via Eve
Steps in Source Route Attack (diagram) • Eve → Bob: packet with route 1. Alice 2. Eve 3. Bob • Bob → Alice: reply packet with route 1. Bob 2. Eve 3. Alice
Steps in Source Routing Abuse • Attack Steps • Bob responds by sending packets through Eve to Alice • Eve never forwards packets to Alice, doesn’t even need to do a DoS on Alice • Comment • This attack doesn’t work across the Internet • Most gateways block source-routed packets • Yet, not blocked on internal networks • Insiders can get away with this type of attack
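The comment that "most gateways block source-routed packets" is a filter on the Options field of the IP header shown a few slides back. The following added example (not the lecture's or any router's code) builds a constructed IPv4 header carrying a Loose Source and Record Route option, parses the options area defensively, and applies the gateway policy: verify the header checksum, refuse malformed options, and drop anything carrying LSRR (type 131) or SSRR (type 137). The option type numbers and header layout are the real IPv4 ones; the addresses for Alice, Eve and Bob are made up from documentation ranges.

```python
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137


def ip2b(addr):
    return bytes(int(x) for x in addr.split("."))


def b2ip(raw):
    return ".".join(str(x) for x in raw)


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def lsrr_option(hops):
    """Loose Source and Record Route: type 131, length, pointer (starts at 4),
    then the router addresses the packet must visit in order."""
    body = b"".join(ip2b(h) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body


def build_ipv4_header(src, dst, options=b"", proto=6, ttl=64):
    """Constructed IPv4 header (no payload) with options padded to 4 bytes."""
    opts = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                      ttl, proto, 0, ip2b(src), ip2b(dst)) + opts
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_options(header):
    """Walk the options area; yields (type, data, error) and stops at the
    first malformed option rather than reading past the header."""
    ihl = (header[0] & 0x0F) * 4
    opts = header[20:ihl]
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            out.append((t, b"", "truncated option"))
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            out.append((t, b"", "bad option length"))
            break
        out.append((t, opts[i + 2:i + length], None))
        i += length
    return out


def source_route(header):
    """Return {'type', 'hops'} if the packet carries an LSRR or SSRR option."""
    for t, data, err in parse_options(header):
        if t in (IPOPT_LSRR, IPOPT_SSRR) and err is None:
            addrs = data[1:]  # data[0] is the pointer byte
            hops = [b2ip(addrs[j:j + 4]) for j in range(0, len(addrs) - 3, 4)]
            return {"type": "LSRR" if t == IPOPT_LSRR else "SSRR", "hops": hops}
    return None


def gateway_filter(header):
    """Border-gateway policy: checksum must verify, options must be well
    formed, and source-routed packets are dropped instead of honoured."""
    ihl = (header[0] & 0x0F) * 4
    if len(header) < ihl or checksum(header[:ihl]) != 0:
        return "drop: bad header"
    for _t, _data, err in parse_options(header):
        if err:
            return "drop: " + err
    sr = source_route(header)
    if sr:
        return "drop: %s via %s" % (sr["type"], " -> ".join(sr["hops"]))
    return "forward"


if __name__ == "__main__":
    # Constructed addresses: Alice 192.0.2.10, Eve 198.51.100.66, Bob 203.0.113.5
    pkt = build_ipv4_header("192.0.2.10", "203.0.113.5",
                            lsrr_option(["198.51.100.66", "203.0.113.5"]))
    print(gateway_filter(pkt))
    print(gateway_filter(build_ipv4_header("192.0.2.10", "203.0.113.5")))
```

The same parser is what an internal router or host firewall would need, since the slide's point is that the filter is usually only present at the border.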
ICMP • What is ICMP protocol used for? • Internet Control Message Protocol (ICMP) • Mostly ... Used to send error messages • Requested service is not available, or that host or router could not be reached http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
ICMP Messages • 0 Echo Reply • 3 Destination Unreachable • 4 Source Quench • 5 Redirect • 8 Echo Request • 11 Time Exceeded • 12 Parameter Problem • 13 Timestamp • 14 Timestamp Reply • 15 Information Request • 16 Information Reply
ICMP Messages • Destination Unreachable message • ICMP message generated by host or its inbound gateway to inform client • Destination is unreachable for some reason • Destination Unreachable message may be generated as a result of • TCP, UDP or another ICMP transmission
ICMP Messages • Source Quench • Message requests the sender to decrease the rate of messages to a router or host • Message may be generated if the router or host does not have sufficient buffer space to process the request, or • May occur if the router or host's buffer is approaching its limit
ICMP Attacks • Attacks Reported in Bellovin Paper • ICMP Redirect message • Used by gateways to advise hosts of better routes • Some limitations on how it's used; a redirect must be … • Tied to an existing connection • Sent only from the first gateway to the originating host
ICMP Attacks • Attacks Reported in Bellovin Paper • ICMP Redirect message 1. Host C sends a SYN packet to S via A, a router 2. Before the packet can get there, Host X, our attacker, sends an ICMP redirect for Host X to C, spoofing the address A 3. C now redirects packets to X 4. X forwards packets to S to avoid suspicion