ITIS 6167/8167: Network Security


ITIS 6167/8167: Network Security
Weichao Wang

Contents
- ICMP protocol and attacks
- UDP protocol and attacks
- TCP protocol and attacks

ICMP: Internet Control Message Protocol
Motivation:
- IP may fail to deliver data because the destination is unavailable, the TTL expires, or routers become congested
- The sender needs to know the condition
- ICMP is a part of IP

Purpose
- ICMP allows routers or hosts to send error reports or control messages to other routers or hosts
- ICMP is for reporting, not correction
- ICMP provides communication between IP software modules

Restriction
- ICMP messages are not generated for errors caused by ICMP messages. Why?
- ICMP messages are only sent to the original source. Why?

ICMP encapsulation
- An ICMP message is carried inside an IP packet, but the protocol is considered part of IP

ICMP messages: common header
- Each ICMP message has its own format, but all begin with the same three fields:
  - TYPE (1 byte): identifies the message
  - CODE (1 byte): more information about the message
  - CHECKSUM (2 bytes)
- When an ICMP message reports an error, it always includes the IP header and the first 64 bits of the original packet

ICMP echo request and reply (ping)
- Used to test reachability
- Types 0 and 8
- An identifier (2 bytes) and a sequence number (2 bytes) follow the checksum; the sender uses them to match the request with the reply and to measure the round-trip time
- An echo request can carry a data part (the content does not matter)
- The reply always carries the same data part

Destination unreachable (type 3)
- When a router cannot forward or deliver the IP packet, it sends a destination unreachable message back to the original source
- Codes used:
  - 0: network unreachable
  - 1: host unreachable
  - 2: protocol unreachable
  - 3: port unreachable
  - 4: fragmentation needed but DF (don't fragment) set
  - 5: source route failed

More codes of destination unreachable
- 6: destination network unknown
- 7: destination host unknown
- etc.
- After the checksum come 2 bytes of zero and 2 bytes of next-hop MTU, followed by the IP header and the first 64 bits of data of the original packet
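As an added worked example (not code from the slides), the common header and the type 3 layout described above in Python: a destination unreachable message is built around a constructed IP header plus its first 64 bits of data, then parsed back with checksum verification. The code names come from the slides; SAMPLE_IP_PACKET is constructed.

```python
import struct

# Type 3 codes, as listed on the slides above
UNREACHABLE_CODES = {
    0: "network unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed but DF set",
    5: "source route failed", 6: "destination network unknown", 7: "destination host unknown",
}

def inet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words (odd length zero-padded); a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_unreachable(code: int, next_hop_mtu: int, original_packet: bytes) -> bytes:
    """type, code, checksum, 2 zero bytes, next-hop MTU, then the offending IP header
    and the first 64 bits (8 bytes) of its data, as the slide describes."""
    ihl = (original_packet[0] & 0x0F) * 4                  # IP header length in bytes
    body = struct.pack("!BBHHH", 3, code, 0, 0, next_hop_mtu) + original_packet[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_icmp(msg: bytes) -> dict:
    """Validate the common header and checksum; decode the type 3 fields when present."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        raise ValueError("truncated ICMP message or bad checksum")
    info = {"type": msg[0], "code": msg[1]}
    if msg[0] == 3:
        info["reason"] = UNREACHABLE_CODES.get(msg[1], "other")
        info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
        quoted = msg[8:]
        ihl = (quoted[0] & 0x0F) * 4 if quoted else 0
        info["orig_ip_header"] = quoted[:ihl]
        info["orig_first_64_bits"] = quoted[ihl:ihl + 8]
    return info

# Constructed sample: a 20-byte IPv4 header (DF set, protocol 17) followed by 8 bytes of UDP header
SAMPLE_IP_PACKET = bytes.fromhex(
    "4500001cabcd40004011" "0000" "c0a80001" "c0a80002"    # IPv4 header, checksum left zero
    "c000" "0035" "001c" "0000"                            # UDP src 49152, dst 53, len 28
)

if __name__ == "__main__":
    print(parse_icmp(build_unreachable(4, 1280, SAMPLE_IP_PACKET)))
```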

Source quench (type 4)
- Used to deal with congestion and datagram flow control
- When routers are overrun with traffic, it is called congestion; it may be caused by differences in line speed or by the convergence of multiple traffic flows
- Source quench is used to report congestion to the sources
- There is no ICMP message to achieve the reverse effect: the host slowly increases its rate again when no source quench requests are received
- It has been shown that this does not work very well

In the source quench ICMP packet:
- 32 bits of zero follow the checksum
- Then the IP header and the 64 bits of data of the discarded packet are attached

Router redirect (type 5)
- Routers periodically exchange routing information; hosts usually do not
- Hosts start with a minimum amount of routing information and learn from routers
- A router sends an ICMP redirect packet to a host if it knows a better path, so the host can change its routing table
- Limited to hosts and routers on a directly connected network (same Ethernet segment)

After the type, code and checksum:
- The IP address of the router on the better route is attached
- Then the packet's IP header and first 64 bits are attached

TTL expired (type 11)
- Caused by the TTL reaching 0 or by the fragment reassembly timer expiring
- 32 bits of zero, the IP header, and the first 64 bits of data of the original packet are attached

Timestamp request and reply (types 13, 14)
- Need an identifier and a sequence number to match the request with the reply
- Contain the sender's clock reading when the packet is sent, the receiver's clock reading when it is received, and the time at which the reply is transmitted

Information request and reply (types 15, 16)
- Used to obtain an IP address
- Replaced by RARP and BOOTP
Subnet mask request and reply (types 17, 18)
- Used for subnet functionality

Attacks on ICMP
- ICMP does not contain an authentication mechanism
- The first 64 bits of data are not enough for authentication, and sometimes they do not even contain enough information

Attack 1: mapping network topology
- An important first step for the attacks that follow: discover the live hosts for later scanning or exploits
- Can be accomplished by ping
- An ICMP echo request can be sent to the broadcast address
- An ICMP subnet mask request can be sent to better determine the subnet

Smurf attack (attack 2)
- Ping a broadcast address with a spoofed source IP; the node with that address becomes the victim
- All hosts respond to the victim, and that node is overwhelmed
- Keys: amplification and IP spoofing
- Many implementations ignore pings to broadcast addresses these days
- Similar attacks exist in TCP, UDP, etc.

Ping of death (attack 3)
- ICMP echo with fragmentation
- The maximum ICMP echo size is 65535 – 20 (IP header) – 8 (ICMP echo header)
- Fragmentation may bypass this limit: offset + length > 65535
- The reassembled packet cannot fit into the buffer, and the OS may crash
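Added example (not the author's code): the check a receiving stack needs so that no fragment can push reassembly past 65535 bytes, which is the condition the slide describes. The FragmentReassembler class and the fragments fed to it are constructed for illustration.

```python
from typing import Dict, Optional

MAX_IP_DATAGRAM = 65535                     # an IPv4 total length is 16 bits, so this is the ceiling
MAX_ECHO_DATA = MAX_IP_DATAGRAM - 20 - 8    # the slide's limit for echo data with a 20-byte IP header

class FragmentReassembler:
    """Collects the fragments of one datagram. Any fragment whose end would lie past
    65535 bytes is refused before it touches the buffer, which is the ping-of-death check."""

    def __init__(self) -> None:
        self.pieces: Dict[int, bytes] = {}   # byte offset -> fragment payload
        self.total: Optional[int] = None     # known once the last fragment (MF = 0) arrives

    def add(self, offset_units: int, more_fragments: bool, payload: bytes) -> bool:
        start = offset_units * 8             # the fragment offset field counts 8-byte units
        end = start + len(payload)
        if end > MAX_IP_DATAGRAM:
            return False                     # offset + length > 65535: drop it
        if more_fragments and len(payload) % 8:
            return False                     # every fragment but the last is a multiple of 8
        if self.total is not None and end > self.total:
            return False                     # data beyond the announced end of the datagram
        self.pieces[start] = payload
        if not more_fragments:
            self.total = end
        return True

    def assemble(self) -> Optional[bytes]:
        """Return the datagram once every byte from 0 to the end is present, else None."""
        if self.total is None:
            return None
        out, cursor = bytearray(), 0
        for start in sorted(self.pieces):
            if start != cursor:
                return None                  # gap or overlap: not (yet) complete
            out += self.pieces[start]
            cursor = start + len(self.pieces[start])
        return bytes(out) if cursor == self.total else None
```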

ICMP redirect attack (attack 4)
- Asks a host to send its packets to the target "router"; useful for a man-in-the-middle attack
- WinFreeze (Windows ICMP redirect): "you are the quickest path to node Z"; the host changes its routing table entry for Z to itself and sends the packet to itself in an infinite loop

Timestamp attack (attack 5)
- Mess with the local clock of the computer
- Many random number generators depend on the local clock

Conclusions
- You don't need most of ICMP unless you need to troubleshoot your network
- ICMP is very useful to attackers (e.g., OS fingerprinting) and rarely useful to legitimate users, except for Path MTU discovery
- Blocking ICMP by default in critical networks, and logging ICMP messages instead of acting upon them automatically, is safer

UDP: User Datagram Protocol
Why we need UDP or TCP:
- IP provides a channel between two machines
- There might be multiple applications on a machine expecting data
- IP only identifies the host, not the applications
- Using a process number or handle will not serve the purpose
- We need another way to distinguish the applications

TCP and UDP use protocol port numbers
- Applications bind to port numbers
- Some port numbers are reserved or well known, while the others are free to assign or use

UDP
- Transport layer protocol
- Connectionless service
- Best-effort delivery, as with IP: packets can be delayed, lost, or duplicated, and can arrive out of order
- Applications accept full responsibility for errors
UDP-based applications:
- DNS: DNS server queries
- Streaming video, VoIP
- Games

UDP message format

Both source and destination ports have 16 bits (65536 values). Port numbers below 1024 are usually reserved. The "length" field contains the count of bytes in the UDP packet, including the UDP header and the user data. The minimum length is 8 bytes.

Checksum
- The checksum field is optional
- The IP header checksum does not cover the data part, so a checksum at a higher layer is good
- What if the computed checksum is zero? How can we tell the difference?
- Checksum (pseudo header, UDP header, user data)

UDP pseudo header
- The UDP checksum also covers a pseudo header
- The pseudo header is not transmitted and is not counted in the length
- Why we need a pseudo header: to make sure the packet reached the correct destination, which consists of an IP address and a port number; the real UDP header does not contain IP addresses

UDP pseudo header
- Contains 12 bytes: source IP (4), destination IP (4), padding (1), protocol (1 byte with the value 17), and UDP length (2 bytes, not including the pseudo header)

UDP multiplexing

UDP ports
- Small numbers are reserved for special purposes: called well-known ports, same interpretation across the Internet, used by server software
- Large numbers are not reserved

UDP ports
- 7: echo
- 13: daytime
- 42: name server (name)
- 43: NicName (whois)
- 53: Domain (DNS)
- 67: BOOTP server
- 68: BOOTP client
- 69: TFTP
- 111: Sun RPC
- 123: NTP (Network Time Protocol)

UDP attacks
Attack on the echo service (Fraggle):
- Broadcast a UDP packet to the "echo" service
- All computers reply (amplification)
- The source IP was spoofed, so the victim is overwhelmed
- Similar to the ICMP smurf attack

UDP ping-pong
- Some services issue a UDP reply no matter what the input packet is
- Set the source and destination ports of a UDP packet to one of the following ports: 13: daytime; 37: time
- This causes a ping-pong effect between the source and the destination

DoS attack
- A small request causes a large reply packet (games): Battlefield 1942, Quake 1, Unreal Tournament
- Hosts can be attacked by using these applications as amplifiers, with a forged source IP address
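Added detection example (not part of the slides): the smurf, fraggle and ping-pong patterns from the ICMP and UDP attack slides, matched against constructed flow records, plus the victim-side view of many echo replies converging on one spoofed address. The monitored /24, the record layout and all addresses are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed flow records: (proto, src_ip, dst_ip, src_port, dst_port, icmp_type).
# Ports are 0 for ICMP; icmp_type is None for UDP. ICMP echo request = 8, echo reply = 0.
Flow = Tuple[str, str, str, int, int, Optional[int]]
FLOWS: List[Flow] = [
    ("icmp", "10.0.0.5", "10.0.0.255", 0, 0, 8),        # echo request to broadcast (smurf)
    ("icmp", "10.0.0.5", "10.0.0.7", 0, 0, 8),          # ordinary ping
    ("udp", "10.0.0.9", "10.0.0.255", 40000, 7, None),  # UDP to the broadcast echo service (fraggle)
    ("udp", "10.0.0.9", "10.0.0.12", 13, 37, None),     # daytime <-> time ping-pong
    ("udp", "10.0.0.9", "10.0.0.12", 50000, 53, None),  # DNS query, benign
    ("icmp", "10.0.0.1", "10.0.0.5", 0, 0, 0),          # echo replies converging on the spoofed
    ("icmp", "10.0.0.2", "10.0.0.5", 0, 0, 0),          # source address, i.e. the smurf victim
    ("icmp", "10.0.0.3", "10.0.0.5", 0, 0, 0),
]

LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")   # assumption: the monitored segment
AUTO_REPLY_PORTS = {7, 13, 37}                    # echo, daytime, time answer any datagram

def classify(flow: Flow) -> Optional[str]:
    proto, _src, dst, sport, dport, itype = flow
    to_broadcast = ipaddress.ip_address(dst) == LOCAL_NET.broadcast_address
    if proto == "icmp" and itype == 8 and to_broadcast:
        return "smurf: ICMP echo request to broadcast address"
    if proto == "udp" and dport == 7 and to_broadcast:
        return "fraggle: UDP datagram to broadcast echo service"
    if proto == "udp" and sport in AUTO_REPLY_PORTS and dport in AUTO_REPLY_PORTS:
        return "ping-pong: both ports belong to auto-reply services"
    return None

def find_amplification(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """The request side: flows that would trigger many replies to a spoofed source."""
    return [(f, reason) for f in flows if (reason := classify(f))]

def victim_reply_fanin(flows: List[Flow], threshold: int) -> Dict[str, int]:
    """The victim side: count distinct hosts sending echo replies to each destination."""
    responders: Dict[str, set] = {}
    for proto, src, dst, _sp, _dp, itype in flows:
        if proto == "icmp" and itype == 0:
            responders.setdefault(dst, set()).add(src)
    return {dst: len(s) for dst, s in responders.items() if len(s) >= threshold}
```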

TCP: Transmission Control Protocol
- The most loved and hated protocol
- Various protocols have been developed to replace it, but they have not worked very well

The need for stream delivery
- Out-of-order delivery
- Packet delay
- Packet loss
- Packet duplication

TCP's properties
- Stream orientation: TCP treats data as a continuous flow of bits or bytes; the sequence of the sent and received data is exactly the same
- Virtual circuit connection
- Buffered transfer: the application can determine the size of the pieces of information it wants to transfer; the protocol software divides the information into packets, usually of a reasonable size; the "push" option can force transfer without buffering

Unstructured stream
- TCP does not honor a structured data stream; it is the application's responsibility to understand the data structure
- Full duplex connection: transfer in both directions (one direction can be closed while keeping the other active)
- Reliability: positive acknowledgement with retransmission

Layer structure

TCP ports
- TCP uses ports to identify applications
- A connection is identified by four items: the source IP and protocol port number, and the destination IP and protocol port number
- A given TCP port number can be shared by multiple connections on the same machine because they will have different source IPs and port numbers

Reserved TCP port numbers
- Port numbers can be 0 to 65535
- 0 to 1024 are reserved for well-known services
- 7: echo
- 13: daytime
- 21: FTP
- 22: SSH
- 23: TELNET
- 25: SMTP
- 79: Finger
- 80: HTTP

TCP segment format

- HLEN: length of the segment header, measured in 32-bit words
- Checksum: computed over (pseudo header, TCP header, TCP data)
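Added example (not from the original slides) serving both the UDP pseudo header slides and the TCP segment format slide: the checksum over pseudo header, transport header and data, the UDP rule that a computed zero is sent as all ones while a zero field means "no checksum", and HLEN decoding for TCP. The addresses and ports used are constructed.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words (odd length zero-padded); valid data sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src_ip: str, dst_ip: str, proto: int, length: int) -> bytes:
    """12 bytes: source IP, destination IP, zero byte, protocol (17 UDP, 6 TCP), transport length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, proto, length)

def transport_checksum(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> int:
    """Checksum over pseudo header + header + data, the checksum field itself being zero."""
    value = inet_checksum(pseudo_header(src_ip, dst_ip, proto, len(segment)) + segment)
    if proto == 17 and value == 0:
        value = 0xFFFF      # UDP: a computed zero is sent as all ones, since 0 means "no checksum"
    return value

def verify_transport(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> bool:
    return inet_checksum(pseudo_header(src_ip, dst_ip, proto, len(segment)) + segment) == 0

def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, data: bytes) -> bytes:
    seg = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data   # length covers header + data
    return seg[:6] + struct.pack("!H", transport_checksum(src_ip, dst_ip, 17, seg)) + seg[8:]

def verify_udp(src_ip: str, dst_ip: str, datagram: bytes) -> bool:
    """A zero checksum field means the optional checksum was not used."""
    if struct.unpack("!H", datagram[6:8])[0] == 0:
        return True
    return verify_transport(src_ip, dst_ip, 17, datagram)

def build_tcp(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int, flags: int, data: bytes = b"") -> bytes:
    # 20-byte header, so HLEN = 5 words, stored in the top 4 bits of the offset/flags field
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0)
    seg = hdr + data
    return seg[:16] + struct.pack("!H", transport_checksum(src_ip, dst_ip, 6, seg)) + seg[18:]

def tcp_header_len(segment: bytes) -> int:
    """HLEN is measured in 32-bit words; return it in bytes."""
    return (segment[12] >> 4) * 4
```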