1 / 56

Network Layer Security

Network Layer Security. Lecture 4 Supakorn Kungpisdan, Ph.D. supakorn@mut.ac.th. Overview. IP Header Length. (IPID). IP Packet Format. Overview. IP, ICMP, and Routing protocols IP is connectionless, subjected to DoS ICMP can be used by attackers

sanjiv
Download Presentation

Network Layer Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Network Layer Security Lecture 4 Supakorn Kungpisdan, Ph.D. supakorn@mut.ac.th

  2. NETE4630: Advanced Network Security and Implementation Overview IP Header Length (IPID) IP Packet Format

  3. NETE4630: Advanced Network Security and Implementation Overview • IP, ICMP, and Routing protocols • IP is connectionless, subjected to DoS • ICMP can be used by attackers • Routing protocols are subjected to stack attacks

  4. NETE4630: Advanced Network Security and Implementation Roadmap • Attacking the Network Layer • Defending the Network Layer

  5. NETE4630: Advanced Network Security and Implementation IP Attacks • Spoofing • Fragmentation • Passive and Active Fingerprinting • Port Scanning • Redirection

  6. NETE4630: Advanced Network Security and Implementation Spoofing • Local spoofing and blind spoofing • Local spoofing: attacker and victim are on the same subnet • Attacker begins with sniffing traffic, find key pieces of information needed to launch an attack • Session hijacking is another spoofing technique. • The attack starts at transport layer

  7. NETE4630: Advanced Network Security and Implementation Spoofing (cont.) • Blind spoofing: attacker is not on the same local subnet as victim • More sophisticated and advanced attack • Many pieces of information needed to be successful are not available. The key parameters must be guessed • Most modern OSes use fairly random sequence numbers making the attack difficult to launch

  8. NETE4630: Advanced Network Security and Implementation Fragmentation • Fragmentation is required when transmitting packets to different networks that have different MTUs • The idea is to send different data streams to each device • Evasion attack: sends packets to an IDS and target that will be rejected by the IDS and accepted by the target • IDS drops and does not check the packet payload • Insertion attack: sends packets to an IDS and target device that will be accepted by the IDS and rejected by the target

  9. NETE4630: Advanced Network Security and Implementation IP Fragmentation

  10. NETE4630: Advanced Network Security and Implementation Evasion Attack • An attacker sends the first fragment to an IDS that has a fragmentation timeout of 15 s, while target system has a timeout of 30 s • The attacker waits more than 15 s but less than 30 s before sending the second fragment. • The IDS discards the second (including the first) segment because the timeout reaches • However, the target system accepts the second fragment (within the timeout) • Thus, the IDS will not record this attack #2 #1 #2 #1 30 s 15 s

  11. NETE4630: Advanced Network Security and Implementation Fragmentation Attacks • Overlapping fragmentation can offer an attacker a means of slipping packets past an IDS and firewall • Sending a packet passing a cisco router to a windows-based system • If receiving a duplicated packet, cisco router prefer the last fragment, whereas windows prefers the original fragment

  12. NETE4630: Advanced Network Security and Implementation #1 #2 #3 Windows and router accepts #1 and #2 #1 #2 #2 #3 Attacker modifies #2 And transmits #2 and #3 Windows keeps #1 #2 #3 Router keeps #1 #2 #3 Fragmentation Attacks (cont.)

  13. NETE4630: Advanced Network Security and Implementation Fragmentation Attacks (cont.) • An attacker breaks a message into 3 fragments • He sends fragment 1 and 2 to both router and windows. Both accepts the fragments • He then sends fragment 2 and 3. The retransmitted fragment 2 is of the same size and offset as the original fragment but different payload • Windows keeps the original fragment 2 but the router keeps the retransmitted one

  14. NETE4630: Advanced Network Security and Implementation Teardrop Attack • Teardrop, targa, NewTear, Nestea Bonk, Boink, TearDrop2, and SynDrop are some of the tools that can crash machines that have a vulnerability in the IP atack • There is a fragmentation bug in the IP stack implementation of some old Linux kernels (2.0), Windows NT, and Windows 95 • Sending malformed packets with fragmentation offset value tweaked so that the receiving packets overlap • A reboot solved the problem until the next attack

  15. NETE4630: Advanced Network Security and Implementation Teardrop Attack (cont.)

  16. NETE4630: Advanced Network Security and Implementation Fingerprinting • Fingerprinting is the act of using peculiarities of IP, TCP, UDP, and ICMP to determine the operating system • Not only the OS, but also specific version • Active and passive fingerprinting • Active fingerprinting: sends malformed (or non-RFC-compliant) packets to the target. Different OSes response to these packets differently • Nmap, Xprobe, Scanrand, etc.

  17. NETE4630: Advanced Network Security and Implementation Passive Fingerprinting • Passive fingerprinting: similar concept, but not injecting traffic into the network • Looking at 4 fields • TTL value • Don’t Fragment bit (DF) • Type of Service (TOS) • Window size • TTL, DF, and TOS are found in IP header • Window size is found in TCP header

  18. NETE4630: Advanced Network Security and Implementation Passive Fingerprinting: TTL • A packet has its TTL reduced each time it is passed though a router or when it remains in the routers queue too long • No requirement about the suitable of TTL • The attacker may assume that the value observed is less than the original value (no more than 255)

  19. NETE4630: Advanced Network Security and Implementation Passive Fingerprinting: DF and TOS • DF flag is primary method that systems use to determine the PMTUD (Path MTU Discovery) • Many older OSes don’t use this feature • TOS can be analyzed to determine the OS • Eventhough it is rarely used on the internet, some developers will set it into a value other than zero to prevent this fingerprinting

  20. NETE4630: Advanced Network Security and Implementation PMTUD • Path MTU discovery (PMTUD) is a technique in computer networking for determining the MTU size on the network path between two hosts, usually with the goal of avoiding IP fragmentation • Path MTU discovery works by setting the DF (Don't Fragment) option bit in the IP headers of outgoing packets. • Any device along the path whose MTU is smaller than the packet will drop it, and send back an ICMP Type 3 Code 4 “Destination Unreachable (Fragmentation Needed and DF was set)" message • The ICMP Type 3 Code 4 message contains its MTU, allowing the source host to reduce its assumed path MTU appropriately. • The process repeats until the MTU is small enough to traverse the entire path without fragmentation.

  21. NETE4630: Advanced Network Security and Implementation PMTUD (cont.)

  22. NETE4630: Advanced Network Security and Implementation Passive Fingerprinting: Window Size • TCP Window specifies the amount of data that can be sent without having to receive an acknowledgement • Window size should either be as close as possible to the MTU or should be some multiple of this value • Linux 2.0 used a value of 16,384, while version 3 of FreeBSD used a value of 17,520 • The most up-to-date passive fingerprinting tool is p0f • LAB: p0f page 129

  23. NETE4630: Advanced Network Security and Implementation Idle Scan: Open Port

  24. NETE4630: Advanced Network Security and Implementation Idle Scan: Close Port

  25. NETE4630: Advanced Network Security and Implementation Idle Scan: Limitations • The idle host must truly be idle • Not all OSes use an incrementing IPID • Some versions of Linux set IPID to zero or generate a random IPID value • Several message passes need to be performed to validate the results

  26. NETE4630: Advanced Network Security and Implementation ICMP Attacks • ICMP helps with logical errors and diagnostics • ICMP does not offer authentication • Thus, ICMP can be used to scan and exploit devices • Including using ICMP as a backdoor (convert channel), employing them for echo attacks, to port scan, to redirect traffic, for OS fingerprinting, and DoS attacks

  27. NETE4630: Advanced Network Security and Implementation Convert Channels • Convert channels offer attackers a way to have a secure communications channel by using allowed services • Convert channels can also work by exploiting flaws or weaknesses in protocols like ICMP, esp. ping • ICMP fields used in ping include: • Type, Code, Identifier, Sequence Number, Optional Data

  28. NETE4630: Advanced Network Security and Implementation ICMP Format

  29. NETE4630: Advanced Network Security and Implementation Convert Channels (cont.)

  30. NETE4630: Advanced Network Security and Implementation Convert Channels (cont.)

  31. NETE4630: Advanced Network Security and Implementation Convert Channels (cont.) • Some systems like Linux let user add data into the ping # ping –p 2b2b2b415448300 192.168.123.101 will place the modem hang up string into the ping packet • Convert channel tools can use ICMP, TCP, or even IGRP. • Loki, ICMP Backdoor, 007Shell, B0CK

  32. NETE4630: Advanced Network Security and Implementation ICMP Echo Attacks • Flood target with ping traffic and use up all available bandwidth • Smurf exploits ICMP by sending a spoofed ping packet to the broadcast address and has the source address listed as the victim • In 2002, an attacks was launched against core DNS servers. They had ping enabled • Results in a large DoS attack that slowed the operation of primary DNS servers

  33. NETE4630: Advanced Network Security and Implementation Port Scanning • ICMP can be of great use to an attacker attempting to discover what ports are open • ICMP is invaluable since there is no response like with TCP • Sending an ICMP packet to a port • will get no response if the port is open and • will receive an ICMP type 3 code 3 (Destination Unreachable, Port Unreachable) packet if the port is closed

  34. NETE4630: Advanced Network Security and Implementation Port Scanning (cont.) Type 3 (Destination Unreachable) Code 3 (Port Unreachable)

  35. NETE4630: Advanced Network Security and Implementation ICMP Nuke Attacks • ICMP Nuke Attack: Using spoofed addresses, an attacker might disrupt communications between two hosts by sending “Time Exceeded” (Type 11) or “Destination Unreachable” (ICMP Type 3) messages to both hosts • This results in a DoS attack • Check out ICMP Types and Codes

  36. NETE4630: Advanced Network Security and Implementation ICMP Redirect Attack • By sending ICMP “redirect” messages, an attacker might force a router to forward packets destined to one host to the attacker’s IP address

  37. NETE4630: Advanced Network Security and Implementation Preventing ICMP Redirect Attack • With Linux, we can force the kernel not to accept redirect messages for one or all interfaces root@router# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects

  38. NETE4630: Advanced Network Security and Implementation ICMP Flood • Ping Flood creates a broadcast storm of pings that overwhelm the target system • Using Linux, one can flood a host using ping –f. root@router# ping –f 10.10.10.12 –c 1000 The above command floods the host 10.10.10.12 with 1,000 packets

  39. NETE4630: Advanced Network Security and Implementation Preventing Ping Flood • Ping flood can be stopped by limiting the number of ICMP echo-request messages with IPTables: root@router# iptables –A FORWARD –p icmp –icmp-type echo-request –m limit –limit 10/s –j ACCEPT root@router# iptables –A FORWARD –p icmp –icmp-type echo-request –j DROP

  40. NETE4630: Advanced Network Security and Implementation Ping of Death • Ping of Death crashed machines by sending ICMP “echo request” messages in IP packets with larger than the maximum legal length of 65,535 octets, causing a buffer overflow to crash the victim’s device (computer, printer, etc.) • A Linux patch for the ping of death was out in 2 hours, 35 minutes, and 10 seconds, and shortly after, patches for other OSes were available from vendors

  41. NETE4630: Advanced Network Security and Implementation Routing Protocols Attacks • Misconfigured dynamic routing protocols such as RIP, BGP, and OSPF may allow attackers to inject routes into the routing tables of the machines running instances of those protocols • This may allow attackers to conduct DoS attacks by injecting wrong routes or IP sniffing by configuring its computer to act like a router from the network

  42. NETE4630: Advanced Network Security and Implementation Routing Protocols Attacks (cont.) • Distance-vector and link-state routing protocols are suffered from attacks especially DoS • RIP is unauthenticated service; it is vulnerable to DoS • Attacker injects miscommunication packets to the network • RIP spoofing works by making fake RIP packets and sending them to gateways and hosts to change their routes • It sends its routing tables to a broadcast address • Attacker can also modify the routing information to cause a redirect through a network, allowing him to sniff passwords or intercept and change date

  43. NETE4630: Advanced Network Security and Implementation Source Routing Attack • Source routing is one of the IP options designed to force a packet to take a specific route through the network • Using Option field in IP header: LSRR (Loose Source Record Route) and SSRR (Strict Source Record Route)

  44. NETE4630: Advanced Network Security and Implementation LSR and SSR • Loose Source Routing is an IP option which can be used for address translation. LSR is also used to implement mobility in IP networks. • LSR uses a source routing option in TCP/IP to record the set of routers a packet must visit. • The destination of the packet is replaced with the next router the packet must visit. • The name LSR comes from the fact that only part of the path is set in advance. This is in contrast with Strict Source Routing (SSR), in which every single step of the route is decided in advance when the packet is sent. • SSR defines specific points between source and destination • No other routers are allowed to handle the datagram

  45. NETE4630: Advanced Network Security and Implementation Source Routing Attack (cont.) • The use of the LSRR and SSRR options (Loose and Strict Source and Record Route) is discouraged because they create security concerns • Attacker can spoof a source IP as a trusted system and uses source route to forward packets to a victim • Any return packet will be sent to the attacker instead of the trusted host (because the route is fixed, static!!) • Many routers block packets containing these options.

  46. NETE4630: Advanced Network Security and Implementation Roadmap • Attacking the Network Layer • Defending the Network Layer

  47. NETE4630: Advanced Network Security and Implementation Securing IP • Encryption and authentication are the two best options for securing IP • Built in IPv6, but not in IPv4 • IPSec’s greatest security is that it can allow network managers to apply security without involving end users • IPSec Tunnel Mode: link encryption • Need to manage several keys • IPSec Transport Mode: end-to-end encryption • Source and destination IPs are not masked

  48. NETE4630: Advanced Network Security and Implementation Securing ICMP • Disable much of ICMP as possible especially at routers • Reject: send an ICMP destination-unreachable back to the source • Drop: send no response

  49. NETE4630: Advanced Network Security and Implementation Securing ICMP (cont.) • From legitimate perspective, • Rejecting connections allows services to know that something has failed and to timeout quickly • Dropping a connection can cause a service to continue to try and connect until a retransmission value is exceeded

  50. NETE4630: Advanced Network Security and Implementation Securing ICMP (cont.) • From security perspective, • dropping packets gives away less information and makes it harder for an attacker to enumerate the target • Rejecting packets can make the router a bigger target for reflective attacks and leave it vulnerable to spewing out ICMP messages to a host being attacked by a third party

More Related