ITIS 6167/8167: Network and Information Security Weichao Wang
Contents • ARP protocol and ARP poisoning • How ARP works • ARP poisoning • Security impacts • Mitigation mechanisms • IP fragmentation and attacks • IP fragmentation • Attacks • Mitigation mechanisms
Ethernet address • Layered model of the Internet • Separation of IP address and physical address • How does IP routing work • Example
IP address • 32 bits (IPv4) • Ethernet address • 48 bits • Different hardware vendors get different chunks of addresses • Can be a broadcast or unicast address • The mapping b/w IP and Ethernet address can change
IP routing needs the mapping b/w IP addresses and physical addresses • Static mapping (proNET or token ring) • Physical address = f (IP address) • Dynamic binding • More flexible • Needs a protocol to accomplish this task – Address Resolution Protocol (ARP)
Ethernet frame format Preamble and CRC: only used by the hardware; users will not see them Frame-type: 0x0800 (IP), 0x0806 (ARP), 0x8035 (RARP) Data part: 46 to 1500 octets
Destination physical address: 02 07 01 00 27 ba • Source physical address 08 00 2b 0d 44 a7 • Protocol type: 0800 (IP) • More details of the packet: this is an ICMP packet
ARP protocol • Motivation • The Ethernet card only needs to recognize Ethernet addresses • The upper layer (IP) only knows IP addresses • Routing table entry • The host has to map the IP address to a physical address
ARP protocol • Machine A wants to send a packet to B, but only knows B’s IP address • Machine A broadcasts an ARP request with B’s IP address (using the broadcast physical address) • All nodes receive the request • B replies with its physical address • Machine A adds the address to its ARP cache • A sends packets to B
ARP encapsulation • In Ethernet, the frame type for ARP is 0x0806 (figure: Ethernet frame header followed by the ARP packet)
The format is general enough to work with different physical addresses and protocol addresses • Details of the ARP packet (fixed-length part) • Hardware type (2 bytes): 1 for Ethernet • Protocol type (2 bytes): 0x0800 for IP • HLEN (1 byte): hardware address length, 6 for Ethernet • PLEN (1 byte): protocol address length, 4 for IP • Operation (2 bytes): 1=ARP request, 2=ARP reply, 3=RARP request, 4=RARP reply
Varying parts of ARP packets • Sender’s physical address: 6 bytes in our example • Sender’s protocol address: 4 bytes • Target’s hardware address: 6 bytes • Target’s protocol address: 4 bytes
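As an added illustration (not part of the lecture slides), the Python below packs and unpacks the ARP request, reply and gratuitous announcement just described, using the fixed 8-byte part and the 6/4/6/4-byte address part above and the Ethernet frame-type 0x0806. The MAC addresses reuse the earlier Ethernet frame example and the IP addresses the later ICMP example; the pairing of those values into hosts A and B is a constructed assumption.

```python
import struct

# Field values from the slides' ARP format (RFC 826 over Ethernet).
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
HLEN_ETHERNET = 6
PLEN_IPV4 = 4
OP_REQUEST, OP_REPLY = 1, 2
ETHERTYPE_ARP = 0x0806          # Ethernet frame-type for ARP
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"  # target hardware address is unknown in a request


def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(part) for part in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """28-byte ARP packet: 8-byte fixed part followed by the 6/4/6/4-byte address part."""
    fixed = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, HLEN_ETHERNET, PLEN_IPV4, op)
    return (fixed + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))


def build_frame(dst_mac, src_mac, arp_packet):
    """Ethernet header (destination, source, frame-type 0x0806) in front of the ARP packet.
    Preamble and CRC are left out: the hardware adds them and software never sees them.
    Real hardware also pads the data part up to the 46-octet minimum; that is omitted here."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp_packet


def parse_frame(frame):
    """Decode an Ethernet frame carrying ARP into a dict of named fields."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: frame-type 0x{ethertype:04x}")
    body = frame[14:]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, HLEN_ETHERNET, PLEN_IPV4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    pos = 8
    sender_mac = bytes_to_mac(body[pos:pos + hlen]); pos += hlen
    sender_ip = bytes_to_ip(body[pos:pos + plen]); pos += plen
    target_mac = bytes_to_mac(body[pos:pos + hlen]); pos += hlen
    target_ip = bytes_to_ip(body[pos:pos + plen])
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "op": op,
        "sender_mac": sender_mac, "sender_ip": sender_ip,
        "target_mac": target_mac, "target_ip": target_ip,
        # Gratuitous ARP: the sender announces its own binding, so sender and target IP match.
        "gratuitous": sender_ip == target_ip,
    }


# Constructed assignment of the slides' example addresses to hosts A and B.
A_MAC, A_IP = "08:00:2b:0d:44:a7", "128.10.2.3"
B_MAC, B_IP = "02:07:01:00:27:ba", "128.10.2.8"


def arp_exchange():
    """The exchange from the slides: A asks for B by IP (broadcast), B answers with its MAC (unicast),
    and B later announces its own binding with a gratuitous request."""
    request = build_frame(BROADCAST_MAC, A_MAC, build_arp(OP_REQUEST, A_MAC, A_IP, ZERO_MAC, B_IP))
    reply = build_frame(A_MAC, B_MAC, build_arp(OP_REPLY, B_MAC, B_IP, A_MAC, A_IP))
    announce = build_frame(BROADCAST_MAC, B_MAC, build_arp(OP_REQUEST, B_MAC, B_IP, ZERO_MAC, B_IP))
    return parse_frame(request), parse_frame(reply), parse_frame(announce)


if __name__ == "__main__":
    for name, fields in zip(("request", "reply", "gratuitous"), arp_exchange()):
        print(name, fields)
```

The parser checks the frame-type and the hardware/protocol lengths before trusting the address fields, which is the kind of validation a sniffer or IDS needs before it acts on what a packet claims.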
ARP cache • To reduce ARP overhead, the machine keeps a cache of recently learned IP-to-physical address mappings • The cache has a limited size: replacement policy • An ARP entry has a lifetime: why not keep it forever?
How does a node learn ARP information • From a received ARP request • From a received ARP reply (whether or not it sent an ARP request; depends on the OS) • Gratuitous message: the sender’s and the target’s protocol addresses are the same (a node announcing its own binding) • Used to detect IP conflicts • When the physical address changes, used to notify other nodes after a reboot
ARP poisoning • Potential attack on ARP • There is no protection on the mapping b/w physical and IP address • An example attack: if the ARP cache is poisoned, packets going to node A will be sent to node B’s physical address, and node B will get them • Is this the same as promiscuous mode? Not really
Two simple and not-so-effective MAC address attacks • Poison a switch by sending out an Ethernet packet with the target’s physical address as the source of the packet. The switch tries to learn from the packet. • Problems • The real node also sends out packets • Static configuration of switches
Attack 2: • Send out ARP replies and try to beat the real node’s reply • Problem: the conflict is relatively easy to detect
ARP cache poisoning • Through ARP poisoning, packets targeted at node A may be sent to node B • Methods to poison an ARP cache • ARP request • ARP reply • Gratuitous packets • Instead of broadcast, unicast can be used to poison a single node
Examples of attacks • Send a unicast ARP request to poison the ARP cache • Send a unicast ARP reply to poison the ARP cache
Which systems are vulnerable to ARP poisoning? • Windows 9x, NT, 2000, XP • Solaris 8 • Linux Kernel 2.2 and 2.4 • Cisco IOS 12 • Nokia IPSO 3.5
Complicated attacks and their impacts • Man-in-the-middle attack • Cheat both sides of a connection and get access to the traffic b/w them • The malicious node forwards packets to both sides to avoid detection • Disable the attacker’s ICMP redirect functionality • Microsoft IE certificate handling can be compromised by this attack
Hijacking HTTP connections and running a manipulated web server through MitM attacks • Escaping the firewall • Some companies use IP-based authentication and only allow a few IP addresses to get out (HTTP server, mail server) • Through ARP poisoning, an attacker can bypass the firewall
DoS attacks • After poisoning the ARP cache, discard all packets sent to you • Using a non-existent physical address to poison the ARP cache • Poisoning an SMTP relaying server to send out junk mail
Defending against ARP poisoning • Network IDS: detect duplicate IP addresses or flip-flops of the IP-PHY bindings • Host IDS: maintain a record of IP-PHY bindings and detect abnormal changes of the bindings (arpwatch in UNIX) • Do not use IP-address-based authentication
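The detection side of the last slide, as an added example (not from the slides and not arpwatch’s code): a small monitor that records the IP-to-MAC binding seen in each ARP packet and raises an alert on a new station, a changed address, or a flip-flop between two addresses. The observations it runs over are constructed (timestamp, sender IP, sender MAC) tuples standing in for fields pulled from sniffed ARP packets; the alert names are modelled on arpwatch’s reports but are this example’s own.

```python
from collections import defaultdict

# Alert kinds, modelled on what arpwatch reports (names are this example's, not arpwatch's strings).
NEW_STATION = "new station"
CHANGED = "changed ethernet address"
FLIP_FLOP = "flip flop"


class BindingMonitor:
    """Keeps the IP -> MAC bindings a host (or a sniffer on a span port) has seen in ARP traffic
    and reports every change, in the spirit of arpwatch."""

    def __init__(self):
        self.current = {}                  # ip -> MAC most recently claimed
        self.history = defaultdict(set)    # ip -> every MAC ever seen claiming it
        self.alerts = []                   # (ts, kind, ip, old_mac, new_mac)

    def observe(self, ts, ip, mac):
        prev = self.current.get(ip)
        if prev is None:
            kind = NEW_STATION
        elif prev == mac:
            return None                    # same binding as before: nothing to report
        elif mac in self.history[ip]:
            kind = FLIP_FLOP               # binding bounced back to an address seen earlier
        else:
            kind = CHANGED                 # a new MAC now claims an IP another MAC had
        self.current[ip] = mac
        self.history[ip].add(mac)
        alert = (ts, kind, ip, prev, mac)
        self.alerts.append(alert)
        return alert

    def contested_ips(self):
        """IPs claimed by more than one MAC: the duplicate-IP condition a network IDS looks for."""
        return {ip for ip, macs in self.history.items() if len(macs) > 1}


# Constructed observations in sniffer order. 10.0.0.1 is the gateway; from t=3 a second MAC
# claims its IP and the two then alternate, which is what a poisoning attempt looks like on the wire.
OBSERVATIONS = [
    (0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (1, "10.0.0.2", "aa:aa:aa:aa:aa:02"),
    (2, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (3, "10.0.0.1", "cc:cc:cc:cc:cc:03"),
    (4, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (5, "10.0.0.1", "cc:cc:cc:cc:cc:03"),
]


def run_monitor(observations=OBSERVATIONS):
    mon = BindingMonitor()
    for ts, ip, mac in observations:
        mon.observe(ts, ip, mac)
    return mon


if __name__ == "__main__":
    mon = run_monitor()
    for ts, kind, ip, old, new in mon.alerts:
        print(f"t={ts} {kind}: {ip} {old} -> {new}")
    print("contested IPs:", mon.contested_ips())
```

A legitimate NIC replacement produces one "changed ethernet address" alert and then silence; repeated flip-flops on one IP, especially the gateway’s, are the signal worth paging on.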
IP protocol and fragmentation • The IP layer provides the fundamental service in the Internet: unreliable, connectionless, best-effort packet delivery • Unreliable: packets may be lost, duplicated, delayed, or out of order • Connectionless: every packet is handled independently • Best-effort: no quality guarantee
The IP protocol will • Define the format of IP packets • Routing • Determine packet processing procedures • Error reporting and handling procedures
IP encapsulation • In Ethernet, the frame type for IP is 0x0800 (figure: Ethernet frame carrying the IP header and IP data)
Details of the IP packet • Vers: current version is 4 • HLEN: header length in 32-bit words. Usually 5 (20 bytes); the maximum is 60 bytes (with IP options) • Type of service: usually all 0 (best effort); can be used for DiffServ and QoS • Total length: 16 bits can represent a packet up to 64K bytes long
Identification, flags, and offset: used for fragmentation and reassembly (later) • TTL: time to live: the number of routers a packet can pass through • Every router reduces this value by one. When it reaches 0, the packet is discarded • Can be used to prevent routing loops • TTL is used to implement traceroute
Type: the higher-level protocol the IP packet contains: ICMP (0x01), TCP (0x06), UDP (0x11) • Header checksum • Example: an ICMP packet b/w 128.10.2.3 and 128.10.2.8. Header length is 20 bytes.
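To make the header fields above concrete, here is an added example (not from the slides) that builds the slides’ ICMP packet between 128.10.2.3 and 128.10.2.8 with a 20-byte header, parses the version, HLEN, identification/flags/offset, TTL, protocol and checksum back out, and applies the per-router TTL step. The 8-byte ICMP echo payload and the identification value are constructed; the checksum routine is the standard one’s-complement Internet checksum.

```python
import struct
import ipaddress

PROTOCOL_NAMES = {0x01: "ICMP", 0x06: "TCP", 0x11: "UDP"}   # values from the slides


def internet_checksum(data):
    """One's-complement sum of 16-bit words, complemented: the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, protocol, ttl=64, ident=0, df=False, mf=False, frag_offset=0):
    """20-byte header with no options (HLEN = 5 words), checksum filled in."""
    ver_hlen = (4 << 4) | 5
    flags_offset = (df << 14) | (mf << 13) | (frag_offset // 8)   # offset is carried in 8-byte units
    header = struct.pack("!BBHHHBBH4s4s", ver_hlen, 0, 20 + payload_len, ident, flags_offset, ttl,
                         protocol, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]


def parse_ipv4_header(packet):
    ver_hlen, tos, total_length, ident, flags_offset, ttl, protocol, _ = struct.unpack("!BBHHHBBH", packet[:12])
    version, hlen_words = ver_hlen >> 4, ver_hlen & 0x0F
    header_len = hlen_words * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if header_len < 20 or header_len > len(packet):
        raise ValueError(f"bad header length {header_len}")
    return {
        "header_len": header_len,
        "total_length": total_length,
        "tos": tos,
        "ident": ident,
        "df": bool(flags_offset & 0x4000),
        "mf": bool(flags_offset & 0x2000),
        "frag_offset": (flags_offset & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": PROTOCOL_NAMES.get(protocol, f"0x{protocol:02x}"),
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        # Summing a header that includes a correct checksum field gives 0.
        "checksum_ok": internet_checksum(packet[:header_len]) == 0,
    }


def forward_hop(packet):
    """What a router does to the header: drop on bad checksum, decrement TTL, discard at 0,
    otherwise recompute the checksum and pass the packet on."""
    fields = parse_ipv4_header(packet)
    if not fields["checksum_ok"]:
        return None
    new_ttl = fields["ttl"] - 1
    if new_ttl == 0:
        return None
    header = bytearray(packet[:fields["header_len"]])
    header[8] = new_ttl
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", internet_checksum(bytes(header)))
    return bytes(header) + packet[fields["header_len"]:]


# The slides' example: an ICMP packet between 128.10.2.3 and 128.10.2.8 with a 20-byte header.
# The 8-byte ICMP echo payload and the identification value are constructed.
ICMP_ECHO = bytes.fromhex("0800f7ff00000000")
EXAMPLE_PACKET = build_ipv4_header("128.10.2.3", "128.10.2.8", len(ICMP_ECHO), 0x01,
                                   ttl=64, ident=0x1234) + ICMP_ECHO

if __name__ == "__main__":
    print(parse_ipv4_header(EXAMPLE_PACKET))
    corrupted = EXAMPLE_PACKET[:1] + bytes([EXAMPLE_PACKET[1] ^ 0xFF]) + EXAMPLE_PACKET[2:]
    print("corrupted header passes checksum?", parse_ipv4_header(corrupted)["checksum_ok"])
```

The parser rejects a header length below 20 or beyond the buffer before it indexes into the packet, which is the check a reassembly or inspection engine must make before trusting any later field.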
IP header options • Record route option • Intermediate routers attach their IP addresses to the packet • Timestamp option • Intermediate routers attach a 32-bit timestamp • Source routing option • Strict source routing • Loose source routing: allows multiple hops b/w the listed routers