Computer System Security, CSE 5339/7339
Session 25, November 16, 2004
Contents
• Security in Networks
• Group Work
• Wing’s presentation
IP Protocol
• Unreliable packet delivery service
• Datagram (IPv4)
IPv4 header layout (figure), one 32-bit row per line:
VERS | HLEN | Service Type | TOTAL LENGTH
IDENTIFICATION | FLAGS | FRAGMENT OFFSET
TIME TO LIVE | PROTOCOL | HEADER CHECKSUM
SOURCE ADDRESS
DESTINATION ADDRESS
OPTIONS (IF ANY) | PADDING
DATA
Attacks
• IP Spoofing
• Teardrop attacks
ICMP (Internet Control Message Protocol)
• Transmit error messages and unusual situations
• Different types of ICMP have slightly different format
ICMP time-exceeded message (figure):
Type | Code | CHECKSUM
Unused (must be zero)
DATA: Header and 1st 64 bits of offending datagram
ICMP (Echo request/reply)
• Transmit error messages and unusual situations
• Different types of ICMP have slightly different format
ICMP Echo Request/Reply Message (figure):
Type | Code | CHECKSUM
Identifier | Sequence number
DATA (optional)
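As an added example (not part of the slides), the Python below decodes the two header layouts just shown: it extracts every IPv4 field from the diagram, verifies the header checksum, and then parses an ICMP echo request/reply carried in the payload, verifying the ICMP checksum too. The sample packet is constructed inside the code; its addresses, identifier and data bytes are made up for the example.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (RFC 1071).
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header fields from the slide's diagram, rejecting malformed headers."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (vers_hlen, service_type, total_length, identification, flags_frag,
     ttl, protocol, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hlen = vers_hlen >> 4, (vers_hlen & 0x0F) * 4
    if version != 4 or hlen < 20 or hlen > len(packet) or total_length > len(packet):
        raise ValueError("bad version or length field")
    if internet_checksum(packet[:hlen]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return {
        "version": version, "hlen": hlen, "service_type": service_type,
        "total_length": total_length, "identification": identification,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": protocol, "checksum": checksum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": packet[hlen:total_length],
    }


def parse_icmp_echo(message: bytes) -> dict:
    """Decode an ICMP echo request (type 8) or reply (type 0); the checksum covers the whole message."""
    if len(message) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, checksum, identifier, sequence = struct.unpack("!BBHHH", message[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("not an echo request/reply")
    if internet_checksum(message) != 0:
        raise ValueError("ICMP checksum mismatch")
    return {"type": icmp_type, "code": code, "identifier": identifier,
            "sequence": sequence, "data": message[8:]}


def build_sample_packet() -> bytes:
    """Constructed sample: IPv4 from 192.0.2.1 to 192.0.2.2, TTL 64, DF set, carrying an echo request."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + b"ping"
    icmp = icmp[:2] + struct.pack("!H", internet_checksum(icmp)) + icmp[4:]
    total_length = 20 + len(icmp)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0xABCD, 0x4000,
                         64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    header = header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]
    return header + icmp


if __name__ == "__main__":
    ip = parse_ipv4(build_sample_packet())
    print(ip["src"], "->", ip["dst"], "protocol", ip["protocol"], parse_icmp_echo(ip["payload"]))
```

Both parsers refuse a packet whose checksum does not verify, so a single flipped byte in the TTL or in the echo data is caught before any field is trusted.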
Ping of Death Attack
• Denial of service attack (1st in 1996)
• Some systems did not handle oversized IP datagrams properly
• An attacker constructs an ICMP echo request containing 65,510 data octets and sends it to the victim
• The total size of the resulting datagram would be larger than the 65,535-octet limit specified by IP
• System would crash
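The limit in the slide is a property of the reassembled datagram, not of any single fragment on the wire, which is why a receiver that only sanity-checks each fragment as it arrives misses the problem. The Python below is an added example, not from the slides: it plans how an ICMP echo with a given amount of data would be fragmented for a 1500-octet MTU (the MTU is an assumption), shows that every fragment of the 65,510-octet echo passes a per-fragment size check, and contrasts that with the bound a receiver must enforce before copying a fragment into its reassembly buffer: header length + FRAGMENT OFFSET × 8 + fragment length ≤ 65,535.

```python
from typing import List, Tuple

IP_MAX_DATAGRAM = 65535   # largest value the 16-bit TOTAL LENGTH field can express
IP_HEADER_LEN = 20        # header without options
ICMP_HEADER_LEN = 8       # Type, Code, Checksum, Identifier, Sequence number
MAX_ECHO_DATA = IP_MAX_DATAGRAM - IP_HEADER_LEN - ICMP_HEADER_LEN   # 65,507 octets

Fragment = Tuple[int, int, bool]   # (FRAGMENT OFFSET in 8-octet units, payload length, more-fragments flag)


def fragment_plan(payload_len: int, mtu: int = 1500) -> List[Fragment]:
    """Split an IP payload into the fragments a sender with a 20-octet header would emit for this MTU.
    Every fragment but the last carries a multiple of 8 octets, as the offset field requires."""
    per_fragment = (mtu - IP_HEADER_LEN) // 8 * 8
    plan, pos = [], 0
    while pos < payload_len:
        length = min(per_fragment, payload_len - pos)
        plan.append((pos // 8, length, pos + length < payload_len))
        pos += length
    return plan


def per_fragment_check(fragment: Fragment, mtu: int = 1500) -> bool:
    """The insufficient check: looks only at the fragment in hand, which always fits the MTU."""
    _, length, _ = fragment
    return IP_HEADER_LEN + length <= mtu


def reassembly_check(fragment: Fragment) -> bool:
    """The bound a receiver must enforce: where this fragment ends inside the reassembled
    datagram, plus the header, must still fit within 65,535 octets."""
    offset_units, length, _ = fragment
    return IP_HEADER_LEN + offset_units * 8 + length <= IP_MAX_DATAGRAM


def reassembled_size(plan: List[Fragment]) -> int:
    """Total length of the datagram the fragments would rebuild, header included."""
    return IP_HEADER_LEN + max(off * 8 + ln for off, ln, _ in plan)


def echo_rejected_at_reassembly(data_octets: int, mtu: int = 1500) -> bool:
    """True if at least one fragment of an ICMP echo carrying data_octets fails the reassembly bound."""
    plan = fragment_plan(ICMP_HEADER_LEN + data_octets, mtu)
    return not all(reassembly_check(f) for f in plan)


if __name__ == "__main__":
    plan = fragment_plan(ICMP_HEADER_LEN + 65510)
    print(len(plan), "fragments; all pass the per-fragment check:",
          all(per_fragment_check(f) for f in plan))
    print("reassembled size", reassembled_size(plan),
          "exceeds limit:", reassembled_size(plan) > IP_MAX_DATAGRAM)
```

With the slide's numbers the last fragment sits at offset 8140 (65,120 octets) and carries 398 octets, so the rebuilt datagram would be 65,538 octets; the reassembly check rejects that fragment, while an echo carrying the maximum legal 65,507 data octets passes.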
SMURF
• Attacker sends echo request message to broadcast address
• Attacker also spoofs source address in the request
Figure: attacker, intermediary network, victim
UDP (User Datagram Protocol)
• From one application to another (multiple destinations)
• Port: positive integer (unique destination)
UDP header (figure):
SOURCE PORT | DESTINATION PORT
LENGTH | CHECKSUM (optional)
DATA
Attacks on UDP
• Fraggle
• Trinoo
Fraggle (similar to smurf)
• UDP port 7 is used for echo service
• An attacker can create a stream of user datagrams with random source ports and a spoofed source address
• Destination port is 7 and the destination address is a broadcast address at some intermediate site
• The attack can get worse if the source port = 7
• Could be prevented by filtering out UDP echo requests destined for broadcast addresses
Figure: stream of UDP datagrams with spoofed source = victim’s host, broadcast destination, random source port, destination port = 7; second case with source port = 7 and destination port = 7
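The filtering the fraggle slide recommends, and the same rule for the ICMP echo requests behind smurf, as an added Python example that is not part of the slides. The `Packet` class and the sample traffic are constructed for the example, the site prefix 198.51.100.0/24 is an assumption, and the outbound source-address rule is an addition beyond what the slides state: a site that never lets a packet leave with a foreign source address cannot be where the spoofed requests originate.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_ECHO_REQUEST = 8
UDP_ECHO_PORT = 7


@dataclass
class Packet:
    """The handful of header fields the filter needs (constructed, not a real capture)."""
    src: str
    dst: str
    proto: str                      # "icmp" or "udp"
    icmp_type: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def is_broadcast(addr: str, local_nets: List[ipaddress.IPv4Network]) -> bool:
    """Limited broadcast, or the directed broadcast address of any local subnet."""
    ip = ipaddress.ip_address(addr)
    return ip == ipaddress.ip_address("255.255.255.255") or any(
        ip == net.broadcast_address for net in local_nets)


def amplification_filter(pkt: Packet, local_nets) -> Tuple[bool, str]:
    """Decision for traffic arriving from outside: (drop?, reason).
    Echo traffic aimed at a broadcast address is what turns the site into an intermediary."""
    if not is_broadcast(pkt.dst, local_nets):
        return False, "unicast destination"
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST:
        return True, "ICMP echo request to broadcast address (smurf amplification)"
    if pkt.proto == "udp" and pkt.dport == UDP_ECHO_PORT:
        return True, "UDP echo to broadcast address (fraggle amplification)"
    return False, "broadcast traffic not aimed at an echo service"


def egress_spoof_filter(pkt: Packet, local_nets) -> Tuple[bool, str]:
    """Decision for traffic leaving the site (an addition beyond the slides): drop anything
    whose source address is not one of ours, so spoofed requests cannot originate here."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in local_nets):
        return False, "source belongs to the site"
    return True, "outbound packet with foreign source address (spoofed)"


def apply_filters(inbound: List[Packet], outbound: List[Packet], local_nets):
    """Run both rule sets and return (direction, src, dst, reason) for every dropped packet."""
    dropped = []
    for pkt in inbound:
        drop, reason = amplification_filter(pkt, local_nets)
        if drop:
            dropped.append(("in", pkt.src, pkt.dst, reason))
    for pkt in outbound:
        drop, reason = egress_spoof_filter(pkt, local_nets)
        if drop:
            dropped.append(("out", pkt.src, pkt.dst, reason))
    return dropped


# Constructed sample traffic for a site that owns 198.51.100.0/24 (assumed prefix)
SITE = [ipaddress.ip_network("198.51.100.0/24")]
INBOUND = [
    Packet("203.0.113.5", "198.51.100.255", "icmp", icmp_type=ICMP_ECHO_REQUEST),      # smurf trigger
    Packet("203.0.113.5", "198.51.100.255", "udp", sport=40123, dport=UDP_ECHO_PORT),  # fraggle trigger
    Packet("203.0.113.5", "198.51.100.255", "udp", sport=40124, dport=53),             # broadcast, not echo
    Packet("203.0.113.5", "198.51.100.10", "icmp", icmp_type=ICMP_ECHO_REQUEST),       # ordinary ping
]
OUTBOUND = [
    Packet("198.51.100.10", "203.0.113.5", "udp", sport=7, dport=40123),   # legitimate echo reply
    Packet("192.0.2.77", "203.0.113.5", "udp", sport=7, dport=7),          # foreign source leaving the site
]

if __name__ == "__main__":
    for entry in apply_filters(INBOUND, OUTBOUND, SITE):
        print(entry)
```

The inbound rule deliberately leaves other broadcast traffic alone (the third sample packet) so that legitimate local broadcast services keep working; only the echo services that answer every request, and therefore amplify, are blocked.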
Trinoo
• Distributed denial of service
• In smurf and fraggle, traffic comes from a single intermediate node.
• Trinoo allows the attacker to flood the victim from hundreds of intermediate sites simultaneously
• Two programs: master and daemon – installed in many different stolen accounts
Figure: attacker → masters → daemons → large number of UDP packets to random ports
TCP
• Reliable delivery
• TCP messages are sent inside IP datagrams
TCP header (figure):
SOURCE PORT | DESTINATION PORT
SEQUENCE NUMBER
Acknowledgment
HLEN | RESV | CODE BITS | WINDOW
CHECKSUM | URGENT POINTER
OPTIONS (IF ANY) | PADDING
DATA
TCP Overview
• TCP segments are sent inside IP datagrams
• TCP divides a stream of data into chunks that fit in IP datagrams
• It ensures that each datagram arrives at its destination
• It then reassembles the datagrams to produce the original message
TCP Overview (cont.)
• TCP uses an acknowledgment-and-retransmission scheme
• TCP sending software keeps a record of each datagram and waits for an acknowledgment
• If no acknowledgment is received during the timeout interval, the datagram is retransmitted
Establishing a TCP Connection Using a 3-way handshake (figure):
• Message 1 (SYN + SEQ): Host A → Host B
• Message 2 (SYN + SEQ + ACK): Host B → Host A
• Message 3 (ACK): Host A → Host B
Closing a TCP Connection, one way A to B (figure):
• Message 1 (FIN + SEQ): Host A → Host B
• Message 2 (ACK): Host B → Host A
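The mechanism in the three TCP slides, as an added Python example that is not from the lecture: the three handshake messages with the sequence and acknowledgment numbers each carries, and a stop-and-wait sender that chunks a stream, keeps a copy of each chunk, retransmits on a missed acknowledgment and lets the receiver rebuild the original message. The lossy channel, the initial sequence numbers and the sample text are constructed; the channel drops transmissions by index so the run is deterministic.

```python
from typing import Dict, List, Set, Tuple

TCP_SYN, TCP_ACK, TCP_FIN = 0x02, 0x10, 0x01


def three_way_handshake(isn_a: int, isn_b: int) -> List[dict]:
    """The three messages of the slide with the numbers each carries.
    A SYN consumes one sequence number, so B acknowledges isn_a + 1 and A acknowledges isn_b + 1."""
    return [
        {"from": "A", "to": "B", "flags": TCP_SYN, "seq": isn_a},
        {"from": "B", "to": "A", "flags": TCP_SYN | TCP_ACK, "seq": isn_b, "ack": isn_a + 1},
        {"from": "A", "to": "B", "flags": TCP_ACK, "seq": isn_a + 1, "ack": isn_b + 1},
    ]


class LossyChannel:
    """Deterministic stand-in for the network: drops transmissions whose 1-based index is in `drop`."""
    def __init__(self, drop: Set[int]):
        self.drop, self.sent = drop, 0

    def transmit(self, datagram):
        self.sent += 1
        return None if self.sent in self.drop else datagram


class Receiver:
    """Collects chunks by sequence number and rebuilds the stream."""
    def __init__(self, initial_seq: int):
        self.chunks: Dict[int, bytes] = {}
        self.expected = initial_seq

    def receive(self, seq: int, chunk: bytes) -> int:
        self.chunks[seq] = chunk                      # a retransmitted duplicate just overwrites
        if seq == self.expected:
            self.expected += len(chunk)
        return self.expected                          # ACK = next byte the receiver wants

    def reassemble(self) -> bytes:
        return b"".join(self.chunks[s] for s in sorted(self.chunks))


def segment(data: bytes, start_seq: int, mss: int) -> List[Tuple[int, bytes]]:
    """Divide the stream into chunks no larger than mss, each tagged with its sequence number."""
    return [(start_seq + i, data[i:i + mss]) for i in range(0, len(data), mss)]


def reliable_send(data: bytes, start_seq: int, mss: int, channel: LossyChannel,
                  max_retries: int = 5) -> Tuple[bytes, int]:
    """Stop-and-wait sender: keep a copy of each chunk and retransmit until it is acknowledged.
    Returns the receiver's rebuilt stream and the number of retransmissions it took."""
    receiver = Receiver(start_seq)
    retransmissions = 0
    for seq, chunk in segment(data, start_seq, mss):
        for attempt in range(max_retries + 1):
            delivered = channel.transmit((seq, chunk))
            if delivered is not None and receiver.receive(*delivered) == seq + len(chunk):
                break                                  # acknowledged: discard our copy, move on
            retransmissions += 1                       # timeout expired without an ACK
        else:
            raise TimeoutError(f"chunk at seq {seq} never acknowledged")
    return receiver.reassemble(), retransmissions


if __name__ == "__main__":
    for message in three_way_handshake(1000, 5000):
        print(message)
    data = b"The quick brown fox jumps over the lazy dog"
    channel = LossyChannel(drop={2, 5})
    rebuilt, retries = reliable_send(data, 1001, 10, channel)
    print(rebuilt == data, "retransmissions:", retries, "transmissions:", channel.sent)
```

With the 43-byte sample and a 10-byte chunk size there are five chunks; dropping the second and fifth transmissions costs two retransmissions and seven transmissions in total, and the receiver still rebuilds the original message. The bounded retry count is what keeps a permanently lost chunk from hanging the sender forever.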
Group Work
Discuss possible attacks
Attacks on TCP
• SYN Flood
  – Half-opened connection table
• LAND
  – Spoofed source address = destination address
  – Source port = destination port
  – Certain implementations freeze
• TRIBE Flood Network (TFN)
  – Similar to trinoo but more than one attack
  – UDP flood, smurf, SYN floods, and others
Probes and Scans
• Ping scan and traceroute (what machines exist on a given network and how they are arranged)
• Remote OS fingerprinting (what OS each detected host is running; different OSes respond to invalid packets differently; example: FIN to a connection that has not been opened)
• Port scanning (which ports are open? port scanner)
  – Open a TCP connection and close it immediately
  – Use half-opened connections
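The half-opened connection table named under SYN Flood is also the natural place to spot the half-open port scans of the Probes and Scans slide, and the LAND condition is a one-line check on the same segments. The Python below, an added example and not part of the lecture, keeps such a table on the monitoring side: entries are created by message 1 (SYN), retired by message 3 (the client's ACK) or by a timeout, and alerts fire when too many entries pile up on one service or when one source leaves too many ports pending on one host. Thresholds, timeout and the replayed trace are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

TCP_SYN, TCP_ACK = 0x02, 0x10
Key = Tuple[str, int, str, int]     # (src, sport, dst, dport)


class HalfOpenTable:
    """Tracks connections that have seen message 1 (SYN) but not yet message 3 (the client's ACK)."""

    def __init__(self, timeout: float = 30.0, flood_threshold: int = 50, scan_threshold: int = 10):
        self.timeout = timeout                  # seconds a half-open entry may linger (assumed)
        self.flood_threshold = flood_threshold  # half-open entries toward one service before alerting
        self.scan_threshold = scan_threshold    # distinct ports one source may leave pending on one host
        self.pending: Dict[Key, float] = {}

    def expire(self, now: float) -> int:
        """Drop entries older than the timeout; returns how many were dropped."""
        stale = [k for k, t0 in self.pending.items() if now - t0 > self.timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def half_open_to(self, dst: str, dport: int) -> int:
        return sum(1 for (_, _, d, p) in self.pending if d == dst and p == dport)

    def ports_pending(self, src: str, dst: str) -> Set[int]:
        return {p for (s, _, d, p) in self.pending if s == src and d == dst}

    def observe(self, now: float, src: str, sport: int, dst: str, dport: int, flags: int) -> List[str]:
        """Feed one client-side TCP segment; returns the alerts it raises, if any."""
        if src == dst and sport == dport:
            # LAND: a segment addressed from a host/port to itself never belongs on the wire
            return [f"LAND segment: {src}:{sport} -> {dst}:{dport}"]
        key: Key = (src, sport, dst, dport)
        if flags & TCP_SYN and not flags & TCP_ACK:
            self.pending[key] = now             # message 1: connection becomes half-open
        elif flags & TCP_ACK and not flags & TCP_SYN:
            self.pending.pop(key, None)         # message 3: handshake complete, entry retired
        self.expire(now)
        alerts: List[str] = []
        n = self.half_open_to(dst, dport)
        if n > self.flood_threshold:
            alerts.append(f"SYN flood suspected: {n} half-open connections to {dst}:{dport}")
        ports = self.ports_pending(src, dst)
        if len(ports) > self.scan_threshold:
            alerts.append(f"half-open port scan suspected: {src} left {len(ports)} ports pending on {dst}")
        return alerts


def replay(trace) -> List[str]:
    """Run (time, src, sport, dst, dport, flags) tuples through a fresh table and collect the alerts."""
    table = HalfOpenTable()
    alerts: List[str] = []
    for entry in trace:
        alerts.extend(table.observe(*entry))
    return alerts


# Constructed trace: one normal handshake, one LAND segment, a burst of SYNs from many
# sources to one service with no follow-up ACKs, and one source probing many ports with SYNs only.
TRACE = [(0.0, "192.0.2.1", 40000, "10.0.0.5", 80, TCP_SYN),
         (0.1, "192.0.2.1", 40000, "10.0.0.5", 80, TCP_ACK),
         (1.0, "10.0.0.5", 80, "10.0.0.5", 80, TCP_SYN)]
TRACE += [(2.0, f"198.51.100.{i}", 1024 + i, "10.0.0.5", 80, TCP_SYN) for i in range(60)]
TRACE += [(3.0, "203.0.113.9", 5000 + p, "10.0.0.5", p, TCP_SYN) for p in range(20, 36)]

if __name__ == "__main__":
    for line in replay(TRACE):
        print(line)
```

The normal handshake leaves nothing behind because the ACK retires its entry, while the flood and the scan both leave entries that only the timeout can clear; the per-service count is what a real half-open table exhausts under a SYN flood, and the distinct-port set per source is the footprint of a scan that never completes its connections.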
Figure: wired backbone with mobile nodes (mobile hosts, base stations, fixed hosts, fixed communication network)
Mobile IP (Cont.)
Figure: home agent on the home subnet, foreign agents on foreign subnets, a mobile host at home and a mobile host visiting a foreign subnet, connected through an arbitrary topology of routers and links
Figure: wireless multi-hop backbone of mobile hosts
Figure: hybrid backbone combining a wired backbone (base stations, fixed hosts, fixed communication network) with a wireless multi-hop backbone of mobile hosts