1.51k likes | 1.53k Views
Network Defense. COEN 250. Network Protocols: Layering. Complexity of networking leads to layered architectures. TCP/IP stack has four levels. OSI has seven. Network Protocols: Layering. Network Protocols: Layering. Each layer adds a header. Application TCP IP Link. Link Layer.
E N D
Network Defense COEN 250
Network Protocols: Layering • Complexity of networking leads to layered architectures. • TCP/IP stack has four levels. • OSI has seven.
Network Protocols: Layering • Each layer adds a header. • Application • TCP • IP • Link
Link Layer • Network Interface Cards (NIC) • Unique Medium Access Control (MAC) number • Format 48b written as twelve hex bytes. • First 6 identify vendor. • Last 6 serial number. • NICs either select based on MAC address or are in promiscuous mode (capture every packet).
Link Layer • Address Resolution Protocol (ARP) • Resolves IP addresses to MAC addresses • RFC 826
Link Layer: ARP Resolution Protocol • Assume node A with IP address 10.10.10.100 and MAC 00:01:02:03:04:05 wants to talk to IP address 10.10.10.101. • Sends out a broadcast who-has request: 00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42 who-has 10.10.10.101 • All devices on the link capture the packet and pass it to the IP layer. • 10.10.10.101 is the only one to answer: a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply 10.10.10.101 is-at a0:a0:a0:a0:a0:a0 • A caches the value in its arp cache.
Link Layer: ARP Resolution Protocol ARP requests:
Link Layer Forensics Network monitoring tools such as Argus or Ethereal log MAC addresses.
Link Layer Forensics Example: Spike in network traffic comes from a computer with a certain IP address. However, Argus logs reveal that the traffic comes from a computer with a different MAC then the computer assigned that IP. (Spoofing) Finally, intrusion response finds the computer with that MAC, a Linux laptop that has been compromised and is used for a Denial of Service attack.
Link Layer Forensics • ARP cache can be viewed on Windows NT/2000/XP with arp –a command.
Link Layer Evidence • Some organizations log ARP information. • Routers keep ARP tables. • show ip arp • All hosts keep ARP tables. • DHCP often assigns addresses only to computers with known MAC.
Link Layer Evidence An employee received harassing e-mail from a host on the employer’s network with IP address 192.168.1.65. DHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c. This MAC belonged to a network printer. The router’s ARP table showed that the IP address 192.168.1.65. was used by a computer with MAC 00:30:65:4b:2a:5c. (IP-spoofing) Although this MAC was not on the organization’s list, there were only a few Apple computers on the network and the culprit was soon found.
Link Layer Evidence • Analyze and filter log files: • Keyword searches • E.g. for USER, PASS, login • Nicknames, channel names • Filters • Reconstruction • E.g. contents of web-mail inbox.
Link Layer Evidence NetIntercept Screenshot An example for a Network Forensics / Network Intrusion Detection commercial tool that reveals link layer evidence
ARP Package • RFC 826 • ARP package : • 0-1: Hardware type (0x0001 – Ethernet) • 2-3: Protocol type (0x0800 – IP) • 4: Number of bytes in hardware address (6 for MAC) • 5: Number of bytes in protocol address (4 for IP) • 6-7: Opcode: 1 for ARP request, 2 for an ARP reply • 8-13: Source MAC • 14-17: Source IP • 18-23: Target MAC • 24-27: Target IP
ARP Package Ethereal deassembly of ARP package
Monitoring Tools • Arpwatch • monitors ethernet activity and keeps a database of ethernet/ip address pairings.
Attacks on ARP • Package Generators for various OS. • Allow an attacker to subvert a chosen protocol • hping2 for Windows. • *NIX, XWindows: • packit • http://sourceforge.net/projects/packitgui/ • IP Sorcery • and many, many more. • Use to create arbitrary packages
Attacks on ARP • Switch Flooding • Switches contain a switch address table. • Switch address table associates ports with MAC addresses. • Switch flooding creates many false entries. • Switches fail in two different modes: • Fail open: • Switch converts into a hub. • This allows to monitor traffic through the switch from any port. • Fail closed: • Switch stops functioning. • Denial of Service (DoS) attack
Attacks on ARP • ARP Poisoning: attacker switch victim Outside world router
Attacks on ARP • ARP Poisoning: Attacker configures IP forwarding to send packets to the default router for the LAN attacker switch victim Outside world router
Attacks on ARP • ARP Poisoning: Attacker sends fake ARP to remap default router IP address to his MAC address attacker switch victim Outside world router
Attacks on ARP • ARP Poisoning: Switch now takes packet from victim and forwards it to attacker. attacker switch victim Outside world router
Attacks on ARP • ARP Poisoning: Attackers machine intercepts message for sniffing and sends it back to the switch with the MAC address of router. attacker switch victim Outside world router
Attacks on ARP http://www.watchguard.com/
RARP • RARP (Reverse Address Resolution Protocol) • Used to allow diskless systems to obtain a static IP address. • System requests an IP address from another machine (with its MAC-address). • Responder either uses DNS with name-to-Ethernet address or looks up a MAC to IP ARP table. • Administrator needs to place table in a gateway. • RARP-daemon (RARP-d) responds to RARP requests.
RARP • RARP vulnerability • Use RARP together with ARP spoofing to request an IP address and take part in communications over the network.
RARP Package • Package Format as in ARP: • 0-1: Hardware type (0x0001 – Ethernet) • 2-3: Protocol type (0x0800 – IP) • 4: Number of bytes in hardware address (6 for MAC) • 5: Number of bytes in protocol address (4 for IP) • 6-7: Opcode: 1 for ARP request, 2 for an ARP reply • 8-13: Source MAC • 14-17: Source IP • 18-23: Target MAC • 24-27: Target IP
IP • Uses IP addresses of source and destination. • IP datagrams are moved from hop to hop. • “Best Effort” service. • Corrupted datagrams are detected and dropped.
IP • Addresses contain IP address and port number. • IPv4 addresses are 32 bit longs • IPv6 addresses are 8*16 bits long.
IP: ICMP • Internet Control Message Protocol • Created to deal with non-transient problems. For example • Fragmentation is necessary, but the No Frag flag is set. • UPD datagram sent to a non-listening port. • Ping. • Used to detect network connectivity before it became too useful for attack reconnaissance. • Does not use ports. • Allows broadcasting. • More on ICMP later
IP: ICMP • ICMP error messages should not be sent: • For any but the first fragment. • A source address of broadcast or loopback address. • Are probably malicious, anyway. • Otherwise: ICMP messages could proliferate and throttle a network
IP: ICMP • ICMP errors are not sent: • In response to an ICMP error message. • Otherwise, craft a message with invalid UDP source and destination port. Then watch ICMP ping-pong. • A destination broadcast address. • Don’t answer with destination unreachable for a broadcast. Otherwise, this makes it trivial to scan a network.
Transport Layer: TCP and UDP • Transmission Control Protocol (TCP) • Reliable • Connection-Oriented. • Slow • User Datagram Protocol (UDP) • Unreliable • Connectionless. • Fast.
TCP • Only supports unicasting. • Full duplex connection. • Message numbers to prevent loss of messages.
TCP:Three Way Handshake • Initiator to responder: Syns • Responder to initator: Acks, Synt • Initiator to responder: Ackt • Sets up two connections with initial message numbers s and t.
TCP:Three Way Handshake • 20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) • 20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF) • 20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF) Sequence number Flag Window: number of bytes accepted
TCP:Terminating Connections • Graceful shutdown • Party 1 to Party 2: Fin • Party 2 to Party 1: Ack • Party 2 to Party 1: Fin • Party 1 to Party 2: Ack • Abrupt shutdown • Party 1 to Party 2: Res
TCP:Shutting down a connection • 20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF) • 20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF) • 20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF) • 20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF) • 20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF) • 20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF) • 20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF) • 20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)
TCPExchanging Data • Each packet has a sequence number. • (One for each direction.) • Initial sequence numbers are created during initial three way handshake. • NMap uses the creation of these sequence numbers to determine the OS. • OS are now much better with truly random sequence numbers.
TCP Exchanging Data • Party that receives packet sends an acknowledgement. • Acknowledgement consists in • Ack flag. • Sequence number of the next package to be expected. • (TCPDump shows number of bytes acknowledged).
TCP Exchanging Data • If a package is lost, then the ack sequence number will not change: • “Duplicate acknowledgement” • Depending on settings, sender will resend, after at most three stationary ack numbers. • Also, senders resend after timeout.
TCP Exchanging Data • 20:48:45.087563 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 4 win 16959 (DF) • 20:48:45.087583 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 3:4(1) ack 4 win 16959 (DF) • 20:48:45.096443 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 4:5(1) ack 4 win 32768 (DF) • 20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF) • 20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF) • 20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF) • 20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
TCP flags • Part of TCP header • F : FIN - Finish; end of session • S : SYN - Synchronize; indicates request to start session • R : RST - Reset; drop a connection • P : PUSH - Push; packet is sent immediately • A : ACK - Acknowledgement • U : URG - Urgent • E : ECE - Explicit Congestion Notification Echo • W : CWR - Congestion Window Reduced
TCP Example with Ethereal First Syn message
TCP Example with Ethereal This is the Syn-ack packet with sequence number 68 8d 5c ad and ack number 10 3f 21 1e
TCP Example with Ethereal Syn number 10 3f 21 1e Ack number 68 8d 5c ae