620 likes | 976 Views
Network Layer Security. Lecture 4 Supakorn Kungpisdan supakorn@mut.ac.th. Overview. IP, ICMP, and Routing protocols IP is connectionless, subjected to DoS ICMP can be used by attackers Routing protocols are subjected to stack attacks. Roadmap. Attacking the Network Layer
E N D
Network Layer Security Lecture 4 Supakorn Kungpisdan supakorn@mut.ac.th NETE4630
Overview • IP, ICMP, and Routing protocols • IP is connectionless, subjected to DoS • ICMP can be used by attackers • Routing protocols are subjected to stack attacks NETE4630
Roadmap • Attacking the Network Layer • Defending the Network Layer NETE4630
IP Attacks • Spoofing • Fragmentation • Passive and Active Fingerprinting • Port Scanning • Redirection NETE4630
Spoofing • Local spoofing and blind spoofing • Local spoofing: attacker and victim are on the same subnet • Attacker begins with sniffing traffic, find key pieces of information needed to launch an attack • Session hijacking is another spoofing technique. • The attack starts at transport layer NETE4630
Spoofing (cont.) • Blind spoofing: attacker is not on the same local subnet as victim • More sophisticated and advanced attack • Many pieces of information needed to be successful are not available. The key parameters must be guessed • Most modern OSes use fairly random sequence numbers making the attack difficult to launch NETE4630
Fragmentation • Fragmentation is required when transmitting packets to different networks that have different MTUs • Evasion attack: sends packets to an IDS and target that will be rejected by the IDS and accepted by the target • The idea is to send different data streams to each device • Insertion attack: sends packets to an IDS and target device that will be accepted by the IDS and rejected by the target NETE4630
IP Fragmentation NETE4630
Evasion Attack • An attacker sends the first fragment to an IDS that has a fragmentation timeout of 15 s, while target system has a timeout of 30 s • The attacker waits more than 15 s but less than 30 s before sending the second fragment. • The IDS discards the second (including the first) segment because the timeout reaches • However, the target system accepts the second fragment (within the timeout) • Thus, the IDS will not record this attack NETE4630
Fragmentation Attacks • Overlapping fragmentation can offer an attacker a means of slipping packets past an IDS and firewall • Sending a packet passing a cisco router to a windows-based system • If receiving a duplicated packet, cisco router prefer the last fragment, whereas windows prefers the original fragment NETE4630
Fragmentation Attacks (cont.) • An attacker breaks a message into 3 fragments • He sends fragment 1 and 2 to both router and windows. Both accepts the fragments • He then sends fragment 2 and 3. the retransmitted fragment 2 is of the same size and offset as the original fragment but different payload • Windows keeps the original fragment 2 but the router keeps the retransmitted one NETE4630
#1 #2 #3 Windows and router accepts #1 and #2 #1 #2 #2 #3 Attacker modifies #2 And transmits #2 and #3 Windows keeps #1 #2 #3 Router keeps #1 #2 #3 Fragmentation Attacks (cont.) NETE4630
Teardrop Attack • Teardrop, targa, NewTear, Nestea Bonk, Boink, TearDrop2, and SynDrop are some of the tools that can crash machines that have a vulnerability in the IP atack • There is a fragmentation bug in the IP stack implementation of some old Linux kernels (2.0), Windows NT, and Windows 95 • Sending malformed packets with fragmentation offset value tweaked so that the receiving packets overlap • A reboot solved the problem until the next attack NETE4630
Teardrop Attack (cont.) NETE4630
Fingerprinting • Fingerprinting is the act of using peculiarities of IP, TCP, UDP, and ICMP to determine the operating system • Not only the OS, but also specific version • Active and passive fingerprinting • Active fingerprinting: sends malformed (or non-RFC-compliant) packets to the target. Different OSes response to these packets differently • Nmap, Xprobe, Scanrand, etc. NETE4630
Passive Fingerprinting • Passive fingerprinting: similar concept, but not injecting traffic into the network • Looking at 4 fields • TTL value • Don’t Fragment bit (DF) • Type of Service (TOS) • Window size • TTL, DF, and TOS are found in IP header • Window size is found in TCP header NETE4630
Passive Fingerprinting: TTL • A packet has its TTL reduced each time it is passed though a router or when it remains in the routers queue too long • No requirement about the suitable of TTL • The attacker may assume that the value observed is less than the original value (no more than 255) NETE4630
Passive Fingerprinting: DF and TOS • DF flag is primary method that systems use to determine the PMTUD (Path MTU Discovery) • Many older OSes don’t use this feature • TOS can be analyzed to determine the OS • Eventhough it is rarely used on the internet, some developers will set it into a value other than zero to prevent this fingerprinting NETE4630
PMTUD • Path MTU discovery works by setting the DF (Don't Fragment) option bit in the IP headers of outgoing packets. • Then, any device along the path whose MTU is smaller than the packet will drop it, and send back an ICMP Type 3 Code 4 “Destination Unreachable (Fragmentation Needed and DF was set" message containing its MTU, allowing the source host to reduce its assumed path MTU appropriately. • The process repeats until the MTU is small enough to traverse the entire path without fragmentation. NETE4630
PMTUD (cont.) NETE4630
Passive Fingerprinting: Window Size • TCP Window specifies the amount of data that can be sent without having to receive an acknowledgement • Window size should either be as close as possible to the MTU or should be some multiple of this value • Linux 2.0 used a value of 16,384, while version 3 of FreeBSD used a value of 17,520 • The most up-to-date passive fingerprinting tool is p0f • LAB: p0f page 129 NETE4630
Idle Scan: Open Port NETE4630
Idle Scan: Close Port NETE4630
Idle Scan: Limitations • The idle host must truly be idle • Not all OSes use an incrementing IPID • Some versions of Linux set IPID to zero or generate a random IPID value • Several message passes need to be performed to validate the results NETE4630
ICMP Attacks • ICMP helps with logical errors and diagnostics • ICMP does not offer authentication • Thus, ICMP can be used to scan and exploit devices • Including using ICMP as a backdoor (convert channel), employing them for echo attacks, to port scan, to redirect traffic, for OS fingerprinting, and DoS attacks NETE4630
Convert Channels • Convert channels offer attackers a way to have a secure communications channel by using allowed services • Convert channels can also work by exploiting flaws or weaknesses in protocols like ICMP, esp. ping • ICMP fields used in ping include: • Type, Code, Identifier, Sequence Number, Optional Data NETE4630
ICMP Format NETE4630
Convert Channels (cont.) NETE4630
Convert Channels (cont.) NETE4630
Convert Channels (cont.) • Some systems like Linux let user add data into the ping # ping –p 2b2b2b415448300 192.168.123.101 will place the modem hang up string into the ping packet • Convert channel tools can use ICMP, TCP, or even IGRP. • Loki, ICMP Backdoor, 007Shell, B0CK NETE4630
ICMP Echo Attacks • Flood target with ping traffic and use up all available bandwidth • Smurf exploits ICMP by sending a spoofed ping packet to the broadcast address and has the source address listed as the victim • In 2002, an attacks was launched against core DNS servers. They had ping enabled • Results in a large DoS attack that slowed the operation of primary DNS servers NETE4630
Port Scanning • ICMP can be of great use to an attacker attempting to discover what ports are open • ICMP is invaluable since there is no response like with TCP • Sending an ICMP packet to a port • will get no response if the port is open and • will receive an ICMP type 3 code 3 packet if the port is closed NETE4630
Port Scanning (cont.) Type 3 (Destination Unreachable) Code 3 (Port Unreachable) NETE4630
ICMP Nuke Attacks • Using spoofed addresses, an attacker might disrupt communications between two hosts by sending “Time Exceeded” (Type 11) or “Destination Unreachable” (ICMP Type 3) messages to both hosts, resulting in a DoS attack • Check out ICMP Types and Codes • ICMP Nuke Attack sends the target an ICMP packet with destination unreachable type 3 messages. The target then breaks communication with existing connections NETE4630
ICMP Redirect Attack • By sending ICMP “redirect” messages, an attacker might force a router to forward packets destined to one host to the attacker’s IP address NETE4630
Preventing ICMP Redirect Attack • With Linux, we can force the kernel not to accept redirect messages for one or all interfaces root@router# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects NETE4630
ICMP Flood • Ping Flood creates a broadcast storm of pings that overwhelm the target system • Using Linux, one can flood a host using ping –f. root@router# ping –f 10.10.10.12 –c 1000 The above command floods the host 10.10.10.12 with 1,000 packets NETE4630
Preventing Ping Flood • Ping flood can be stopped by limiting the number of ICMP echo-request messages with IPTables: root@router# iptables –A FORWARD –p icmp –icmp-type echo-request –m limit –limit 10/s –j ACCEPT root@router# iptables –A FORWARD –p icmp –icmp-type echo-request –j DROP NETE4630
Ping of Death • Ping of Death crashed machines by sending ICMP “echo request” messages in IP packets with larger than the maximum legal length of 65,535 octets, causing a buffer overflow to crash the victim’s device (computer, printer, etc.) • A Linux patch for the ping of death was out in 2 hours, 35 minutes, and 10 seconds, and shortly after, patches for other OSes were available from vendors NETE4630
Routing Protocols Attacks • Misconfigured dynamic routing protocols such as RIP, BGP, and OSPF may allow attackers to inject routes into the routing tables of the machines running instances of those protocols • This may allow attackers to conduct DoS attacks by injecting wrong routes or IP sniffing by configuring its computer to act like a router from the network NETE4630
Routing Protocols Attacks (cont.) • Distance-vector and link-state routing protocols are suffered from attacks especially DoS • RIP is unauthenticated service; it is vulnerable to DoS • Attacker injects miscommunication packets to the network • RIP spoofing works by making fake RIP packets and sending them to gateways and hosts to change their routes • It sends its routing tables to a broadcast address • Attacker can also modify the routing information to cause a redirect through a network, allowing him to sniff passwords or intercept and change date NETE4630
Router and Routing Attacks • Hit-and-run attacks • Hard to detect and isolate • Require an attacker to only inject one or more bad packets but cause lasting damaging effects • Persistent attacks • Attacker continuously inject attack packets in order to inflict significant damages • Suit for link-state protocols • Resilient to hit-and-run attacks NETE4630
Source Routing Attack • Source routing is one of the IP options designed to force a packet to take a specific route through the network • Using Option field in IP header: LSRR and SSRR NETE4630
LSR and SSR • Loose Source Routing is an IP option which can be used for address translation. LSR is also used to implement mobility in IP networks. • LSR uses a source routing option in TCP/IP to record the set of routers a packet must visit. • The destination of the packet is replaced with the next router the packet must visit. • The name LSR comes from the fact that only part of the path is set in advance. This is in contrast with Strict Source Routing (SSR), in which every single step of the route is decided in advance when the packet is sent. • SSR defines specific points between source and destination • No other routers are allowed to handle the datagram
Source Routing Attack (cont.) • The use of the LSRR and SSRR options (Loose and Strict Source and Record Route) is discouraged because they create security concerns • Attacker can spoof a source IP as a trusted system and uses source route to forward packets to a victim • Any return packet will be sent to the attacker instead of the trusted host • Many routers block packets containing these options.
Roadmap • Attacking the Network Layer • Defending the Network Layer NETE4630
Securing IP • Encryption and authentication are the two best options for securing IP • Built in IPv6, but not in IPv4 • IPSec’s greatest security is that it can allow network managers to apply security without involving end users • IPSec Tunnel Mode: link encryption • Need to manage several keys • IPSec Transport Mode: end-to-end encryption • Source and destination IPs are not masked NETE4630
Securing ICMP • Disable much of ICMP as possible especially at routers • Reject: send an ICMP destination-unreachable back to the source • Drop: send no response • Rejecting a connection allows services to know that something has failed and to timeout quickly • Dropping a connection causes a service to try to connect until a retransmission value is exceeded NETE4630
Securing ICMP (cont.) • From legitimate perspective, • rejecting connections allows services to know that something has failed and to timeout quickly • Dropping a connection can cause a service to continue to try and connect until a retransmission value is exceeded NETE4630
Securing ICMP (cont.) • From security perspective, • dropping packets gives away less information and makes it harder for an attacker to enumerate the target • Rejecting packets can make the router a bigger target for reflective attacks and leave it vulnerable to spewing out ICMP messages to a host being attacked by a third party