Computer Security 2014 – Ymir Vigfusson Some slides borrowed from Amir Masoumzadeh’s INFSCI 1075, Dan

2
 The Internet is a series of tubes
 Dark clouds are Autonomous Systems (AS)
 Backbone routers use the BGP protocol
 Messages are exchanged using TCP/IP
[Figure: backbone ISP diagram]

3 What we care about the most in the course

4
 The end-to-end principle
 No need to understand application logic inside the network, only at the end hosts. Cleaner design.
[Figure: two end hosts, each with Application / Transport / Network / Link layers; the application protocol, TCP protocol and IP protocol run end to end, while the intermediate router implements only IP and the data link / network access layers]

5
 Implementation of different layers
[Figure: encapsulation. Application layer produces a message (data); Transport (TCP, UDP) prepends a TCP header to form a segment; Network (IP) prepends an IP header to form a packet; Link layer (Ethernet) adds a header and trailer to form a frame]

6
[Figure: Host A (client) sends to Host B (server) through a router joining LAN1 and LAN2. Steps (1)–(8): the client's protocol software hands data down and prepends PH; the LAN1 adapter wraps it in a LAN1 frame (ETH1); the router's LAN1 adapter strips the frame, its protocol software forwards the internet packet, and its LAN2 adapter re-frames it (ETH2); the server's LAN2 adapter strips the LAN2 frame and its protocol software delivers the data]
PH: Internet packet header (IP + TCP). FH: LAN frame header.

7
 Link layer (Layer 2) uses MAC addresses for naming
 Network layer (Layer 3) uses IP addresses instead
 How do we translate between these on a LAN?
 Answer: ARP is a simple protocol for precisely that

8
 What could possibly go wrong?
 The contents of an ARP reply are temporarily cached by every host that hears it
 Even if nobody requested it (unsolicited, "gratuitous" replies; some OSes have fixed this and ignore them)

9
 ARP has no authentication; every host fully trusts what it hears
 Attackers exploit this to:
 Snoop on traffic ("sniff") to learn passwords
 Pretend to be someone else ("spoof") to gain more access
 Redirect traffic through themselves ("man-in-the-middle") to hijack sessions
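The ARP mechanics of slides 7–9 in code, as an added example that is not part of the lecture: a packet builder and parser for Ethernet/IPv4 ARP, plus a passive monitor that does what a naive host cache does not, namely remember who asked for what and which MAC each IP first claimed. The traffic it runs over is constructed here (the victim, gateway and attacker MACs and the 192.168.1.0/24 addresses are made up), and the monitor's alert thresholds are a design choice, not something the slides prescribe.

```python
import socket
import struct
from collections import namedtuple

# ARP payload for Ethernet/IPv4 (RFC 826): htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2

ArpPacket = namedtuple("ArpPacket", "op sha spa tha tpa")


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sha, spa, tha, tpa):
    """Serialise an ARP request/reply the way a host (or an attacker) puts it on the wire."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       _mac_bytes(sha), socket.inet_aton(spa),
                       _mac_bytes(tha), socket.inet_aton(tpa))


def parse_arp(raw):
    """Parse the 28-byte ARP payload; rejects anything that is not Ethernet/IPv4."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(op, _mac_str(sha), socket.inet_ntoa(spa), _mac_str(tha), socket.inet_ntoa(tpa))


class ArpMonitor:
    """Passive spoof detector. A trusting host cache overwrites its table with whatever reply
    arrives; this monitor keeps the first mapping it learned and flags the two symptoms of
    ARP poisoning: replies nobody asked for, and an IP suddenly claimed by a different MAC."""

    def __init__(self):
        self.pending = set()   # target IPs somebody has recently asked about
        self.table = {}        # IP -> MAC as first learned

    def observe(self, raw):
        pkt = parse_arp(raw)
        alerts = []
        if pkt.op == ARP_REQUEST:
            self.pending.add(pkt.tpa)
        elif pkt.op == ARP_REPLY:
            if pkt.spa in self.pending:
                self.pending.discard(pkt.spa)
            else:
                alerts.append(f"unsolicited reply: {pkt.spa} is-at {pkt.sha}")
            known = self.table.setdefault(pkt.spa, pkt.sha)
            if known != pkt.sha:
                alerts.append(f"mapping conflict: {pkt.spa} was {known}, now claimed by {pkt.sha}")
        return alerts


def run_demo():
    """Constructed traffic: a legitimate request/reply for the gateway, then a gratuitous reply
    from an attacker claiming the gateway's IP. Returns the alert list for each packet."""
    victim_mac, gateway_mac, attacker_mac = "11:11:11:11:11:11", "22:22:22:22:22:22", "66:66:66:66:66:66"
    frames = [
        build_arp(ARP_REQUEST, victim_mac, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
        build_arp(ARP_REPLY, gateway_mac, "192.168.1.1", victim_mac, "192.168.1.10"),
        build_arp(ARP_REPLY, attacker_mac, "192.168.1.1", victim_mac, "192.168.1.10"),  # the poison
    ]
    monitor = ArpMonitor()
    return [monitor.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(run_demo(), 1):
        print(f"packet {i}: {alerts or 'ok'}")
```

Only the third packet raises alerts: it was not requested, and it contradicts the MAC the gateway's IP was first seen with. A real deployment (arpwatch does essentially this) has to tolerate legitimate changes such as a replaced NIC, which is why the monitor alerts rather than blocks.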

10
[Figure: TCP header. Source port, destination port, SEQ number, ACK number, other fields, and the flag bits URG, ACK, PSH, RST, SYN, FIN]

11
 A regular TCP 3-way handshake
 Client sends a SYN with a random client seq. number
 Server responds with SYN-ACK carrying its own random server seq. number and, as ACK number, the client's seq. number incremented by one
 Client sends ACK (ACK number = server seq. number + 1)
Credit: Amir Masoumzadeh

12
 Can forge TCP packets so they appear to have been sent from another IP address
 Can open up a connection, but need to guess the server's seq. number to complete the handshake
 Blinded: attacker does not see the responses
 The host whose address was spoofed may answer the unexpected SYN-ACK with RST, tearing down the spurious connection
 Limited damage attackers can do here, especially if a full connection is required
 Unblinded: you can snoop the packets coming back
 NSA has (had?) unique capabilities to do this
 Status today
 Backbones have some protections: they filter packets that definitely are in the wrong place (ingress/egress filtering)

13
 TCP is stateful
 For every incoming SYN, we send a SYN-ACK and keep partial connection state while we wait for the ACK
 What if an attacker sends tons of SYN packets and never ACKs? The half-open connection table fills up (SYN flood)
 How can we defend ourselves?
 Idea: SYN cookies (D. J. Bernstein)
 Encode the state in the server's seq. number: timestamp | MSS | hash(IPs, ports)
 When the ACK arrives, the server can both verify that it created the cookie earlier and recover the state; nothing is stored per half-open connection
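A working SYN cookie generator and verifier, added here as an illustration of slide 13 rather than as anything from the lecture or from a real kernel. The bit layout (5-bit timestamp, 3-bit MSS index, 24-bit keyed hash), the 64-second tick, the MSS table and the secret are all assumptions chosen to match the slide's "timestamp | MSS | hash(IPs, ports)" sketch; Linux's real layout differs in detail but the idea is the same.

```python
import hashlib
import hmac
import os
import time

# Assumed server secret; a real kernel keeps rotating secrets. Layout below is hypothetical.
SERVER_SECRET = os.urandom(32)

# Only 3 bits are available for the MSS, so it is encoded as an index into a small table
# (as Linux does); the server rounds the client's MSS down to the nearest entry.
MSS_TABLE = (536, 1300, 1440, 1460)
COOKIE_MASK = 0xFFFFFFFF


def _counter(now):
    """Coarse timestamp: one tick per 64 seconds, 5 bits wide."""
    return (int(now) // 64) & 0x1F


def _mac24(src_ip, dst_ip, src_port, dst_port, client_isn, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple, the client ISN and the time slot."""
    msg = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{client_isn}|{counter}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, mss, now=None):
    """Server ISN for the SYN-ACK: 5 bits timestamp | 3 bits MSS index | 24 bits MAC.
    No per-connection state is stored; everything needed later is in the number itself."""
    counter = _counter(time.time() if now is None else now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac24(src_ip, dst_ip, src_port, dst_port, client_isn, counter)
    return ((counter << 27) | (mss_idx << 24) | mac) & COOKIE_MASK


def verify_syn_cookie(src_ip, dst_ip, src_port, dst_port, seq, ack, now=None, max_age_ticks=1):
    """Check the final ACK of the handshake. Its ACK number is our ISN + 1 and its sequence
    number is the client's ISN + 1, so both the cookie and the client ISN come straight from
    the packet. Returns the negotiated MSS, or None if the cookie is forged or too old."""
    cookie = (ack - 1) & COOKIE_MASK
    client_isn = (seq - 1) & COOKIE_MASK
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = (_counter(time.time() if now is None else now) - counter) & 0x1F
    if age > max_age_ticks:
        return None                      # replayed or stale cookie
    expected = _mac24(src_ip, dst_ip, src_port, dst_port, client_isn, counter)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                      # not something we issued for this 4-tuple
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    isn = make_syn_cookie("10.0.0.2", "10.0.0.1", 40000, 80, client_isn=12345, mss=1460)
    print("SYN-ACK seq:", isn)
    print("ACK accepted, MSS:", verify_syn_cookie("10.0.0.2", "10.0.0.1", 40000, 80, seq=12346, ack=isn + 1))
```

The price of statelessness is visible in the code: only 3 bits survive for the MSS, any TCP options not encoded in the cookie are lost, and a cookie stays valid for a full tick or two, so a flood of forged ACKs against the 24-bit MAC is the residual attack surface. That is why kernels enable cookies only once the SYN backlog is under pressure.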

14
 Hackers want to know what ports are open
 Possibly compromise services running on those ports (e.g. Apache on port 80)
 Simplest scan: complete the TCP handshake on all common ports
 Accurate, but not stealthy
 Appears in the service logs, since every connection is fully opened
Credit: Amir Masoumzadeh

15
 Can set various flag combinations in the probe packet for stealth
 URG, ACK, PSH, RST, SYN, FIN
 Xmas scan: light the packet up like a Christmas tree with FIN, PSH and URG (nmap's -sX). RST back means the port is closed; no reply means open or filtered
 Null scan: set no flags at all. Same rule: RST means closed, silence means open|filtered
 Both rely on RFC 793 behaviour for closed ports; Windows and some other stacks answer RST regardless, so every port looks closed
 TCP ACK scan: an RST back means the port is unfiltered (reachable through the firewall), not that it is open; no reply means filtered
 Window scan: like the ACK scan, but on some OSes the RST carries a zero window for a closed port and a non-zero window for an open one

16
 "Idle scan": covert scanning!
 Uses a third host, the "zombie", whose IP ID field is a simple global counter and which is otherwise idle
 Attacker probes the zombie to read its current IP ID, then sends a SYN to the target spoofed from the zombie's address
 An open port answers the zombie with SYN-ACK, which the zombie rejects with an RST, consuming one IP ID; a closed port answers RST, which the zombie ignores
 Attacker probes the zombie again: if the IP ID advanced by two instead of one, the port on the target is open
 The target only ever sees the zombie's address
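Slides 14–16 describe packet exchanges, and the idle scan is the one whose logic is easiest to get wrong, so here is a self-contained simulation of it, added as an example and not taken from the lecture. It models three hosts with a toy RFC 793 stack (SYN to an open port gets SYN-ACK, to a closed port gets RST, an unexpected SYN-ACK gets RST, everything else is dropped) and a global IP ID counter; the addresses, ports and the starting IP ID are constructed. Nothing touches a real network.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset
    ip_id: int


class Network:
    """Toy network: delivers packets to attached hosts by destination IP; unknown IPs are dropped."""

    def __init__(self):
        self.hosts = {}

    def attach(self, host):
        self.hosts[host.ip] = host
        host.net = self

    def deliver(self, pkt):
        host = self.hosts.get(pkt.dst)
        if host is not None:
            host.receive(pkt)


class Host:
    """Minimal RFC 793 behaviour. The IP ID is a global counter that increments on every
    packet sent, which is exactly the property that makes a host usable as a zombie."""

    def __init__(self, ip, open_ports=()):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.ip_id = 4000          # constructed starting value
        self.net = None

    def send(self, dst, sport, dport, flags, src=None):
        self.ip_id += 1
        self.net.deliver(Packet(src or self.ip, dst, sport, dport, frozenset(flags), self.ip_id))

    def receive(self, pkt):
        if pkt.flags == {"SYN"}:
            reply = {"SYN", "ACK"} if pkt.dport in self.open_ports else {"RST"}
            self.send(pkt.src, pkt.dport, pkt.sport, reply)
        elif pkt.flags == {"SYN", "ACK"}:
            self.send(pkt.src, pkt.dport, pkt.sport, {"RST"})   # no such connection
        # RST and anything else: silently dropped


class Attacker(Host):
    """Sees only packets addressed to itself; the target never learns the attacker's IP."""

    def __init__(self, ip):
        super().__init__(ip)
        self.inbox = []

    def receive(self, pkt):
        self.inbox.append(pkt)

    def probe_zombie_ipid(self, zombie_ip):
        """Unsolicited SYN-ACK to the zombie; its RST reveals the current IP ID."""
        self.inbox.clear()
        self.send(zombie_ip, 40000, 80, {"SYN", "ACK"})
        rst = self.inbox[-1]
        assert "RST" in rst.flags
        return rst.ip_id

    def idle_scan(self, zombie_ip, target_ip, port):
        before = self.probe_zombie_ipid(zombie_ip)
        # SYN to the target with the zombie's address as source: the answer goes to the zombie.
        self.send(target_ip, 40001, port, {"SYN"}, src=zombie_ip)
        after = self.probe_zombie_ipid(zombie_ip)
        delta = after - before
        if delta == 2:            # zombie's RST to the target's SYN-ACK burned one extra ID
            return "open"
        if delta == 1:            # target sent RST (or nothing); zombie stayed quiet
            return "closed|filtered"
        return "zombie not idle"  # other traffic is consuming IP IDs; result unusable


def build_lab():
    """Constructed lab: attacker, an idle zombie, and a target with port 80 open and 22 closed."""
    net = Network()
    attacker, zombie, target = Attacker("10.0.0.10"), Host("10.0.0.20"), Host("10.0.0.30", open_ports={80})
    for h in (attacker, zombie, target):
        net.attach(h)
    return attacker, zombie.ip, target.ip


if __name__ == "__main__":
    attacker, zombie_ip, target_ip = build_lab()
    for port in (80, 22):
        print(f"{target_ip}:{port} -> {attacker.idle_scan(zombie_ip, target_ip, port)}")
```

The "zombie not idle" branch is the practical failure mode: any background traffic from the zombie adds IP IDs and the attacker misreads closed ports as open, which is why nmap probes the zombie several times first and why hosts with per-destination or randomised IP IDs are useless as zombies.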

17
 Different OSes implement underspecified parts of the TCP/IP stack differently
 E.g. Linux differs from BSD (now in OS X and Windows)
 Can prod machines and infer which vendor and OS version is running at a given IP address
 Can be more passive by observing regular traffic
 TCP SYN cookies, time-to-live values, TCP window sizes, OOB, ...
 Important once you have access inside an organization
 Therefore IDS/IPS software tend to recognize fingerprinting attempts

18 Credit: Amir Masoumzadeh

19
 Customers don‘t remember
 Customers certainly won‘t remember „ “
 Same goes for the IPs of all websites
 DNS was invented in 1984 to allow names to be associated with IP addresses
 Names are given hierarchically („domains“)

20  DNS servers are given authority for subtrees

21
 So how does a client actually use DNS?
 1. Program calls gethostbyname(„syndis.is“)
 2. gethostbyname parses /etc/resolv.conf to find the local resolver
 3. A packet is sent to asking about the domain

22
DNS client → Local DNS: [UDP Src ] [UDP Dst ] Yo, what‘s „syndis.is“?
Local DNS → DNS client: [UDP Src ] [UDP Dst ] Hey, it‘s
[Transaction ID 64153, carried on both query and reply]

23
DNS client → Local DNS: [UDP Src ] [UDP Dst ] Yo, what‘s „syndis.is“?
Local DNS → Upstream DNS: [UDP Src ] [UDP Dst ] Yo, what‘s „syndis.is“? [Transaction ID 64153]
Upstream DNS → Local DNS: [UDP Src ] [UDP Dst ] Hey, it‘s
Local DNS → DNS client: [UDP Src ] [UDP Dst ] Hey, it‘s

24 Hax0r t1me
10:54: > :21345 [1au] A? (42) (DF)
10:54: > :53735 [1au] A? (43) (DF)
10:54: > :19315 [1au] A? (45) (DF)
10:54: > :43129 [1au] A? (42) (DF)
 What‘s wrong?
[Figure: Local DNS]

25 Hax0r t1me
DNS client → Local DNS (three queries): [UDP Src ] [UDP Dst ] Yo, what‘s „syndis.is“?
Local DNS → Upstream DNS: [UDP Src ] [ID 64153] [UDP Dst ] Yo, what‘s „syndis.is“?
Local DNS → Upstream DNS: [UDP Src ] [ID 23172] [UDP Dst ] Yo, what‘s „syndis.is“?
Local DNS → Upstream DNS: [UDP Src ] [ID 59774] [UDP Dst ] Yo, what‘s „syndis.is“?
Attacker → Local DNS (forged, as if from upstream): [UDP Src ] [ID 12345] [UDP Dst ] Hey, it‘s
Attacker → Local DNS (forged): [UDP Src ] [ID 12346] [UDP Dst ] Hey, it‘s
Attacker → Local DNS (forged): [UDP Src ] [ID 12347] [UDP Dst ] Hey, it‘s
 Can we guess the right transaction ID?

26
 Transaction IDs are 16 bits
 We trigger N recursive queries at the local DNS server
 Each query has a random transaction ID
 We spoof N responses back to the local DNS server
 Each response has a random transaction ID
 We succeed if some response matches some outstanding query
 How likely is this to happen?

27
 23 people in a room
 How likely is it that two people share the same birthday?
 Roughly:
 Answer: 50.7%!
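The arithmetic behind slides 26 and 27, as an added worked example (not from the lecture): the exact birthday probability for 23 people, and the same reasoning applied to N outstanding queries against N forged replies with 16-bit transaction IDs. The model assumes the N query IDs are distinct and each forged ID is an independent uniform guess, which is the simplification the slide makes too.

```python
from math import exp


def birthday_collision_probability(n, space=365):
    """Exact probability that n uniform draws from `space` values contain at least one repeat."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def spoof_success_probability(n_queries, n_responses, id_bits=16):
    """Probability that at least one of n_responses forged replies, each carrying an independent
    random transaction ID, matches one of n_queries outstanding queries. With the query IDs
    assumed distinct, each forged reply hits with probability n_queries / 2^id_bits."""
    space = 2 ** id_bits
    p_miss = 1.0 - min(n_queries, space) / space
    return 1.0 - p_miss ** n_responses


def spoof_success_approx(n, id_bits=16):
    """Birthday-style closed form for n queries vs n replies: 1 - exp(-n^2 / 2^id_bits)."""
    return 1.0 - exp(-(n * n) / 2 ** id_bits)


def packets_for_half_chance(id_bits=16):
    """Smallest n such that n queries plus n forged replies succeed with probability >= 1/2."""
    n = 1
    while spoof_success_probability(n, n, id_bits) < 0.5:
        n += 1
    return n


if __name__ == "__main__":
    print(f"23 people share a birthday: {birthday_collision_probability(23):.1%}")
    print(f"1 query, 1 forged reply:    {spoof_success_probability(1, 1):.6%}")
    print(f"300 queries x 300 replies:  {spoof_success_probability(300, 300):.1%}")
    print(f"n for a 50% shot:           {packets_for_half_chance()} (vs 32768 replies against one fixed ID)")
```

The point the numbers make: against a single query an attacker needs about 32768 forged replies for even odds, but by forcing a few hundred queries in flight at once the same odds cost a few hundred packets, because every forged reply gets to match any of the outstanding IDs.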

28

29
 The DNS cache is poisoned
 DNS clients may be redirected to malicious sites
 I can haz your credit card
 Several fixes available
 TTL: a poisoned entry only lives until it expires, so wait it out
 The Kaminsky attack in 2008 showed how this didn‘t work: ask for names the cache does not hold yet (random siblings of the target), so there is no cached entry and no TTL to wait for
 Randomize UDP source ports as well (like in djbdns): 16 more bits for the attacker to guess
 DNSSEC
 DNSCurve, à la djbdns
 DNS 0x20: randomize the case of the query name, which the response must echo back
 Birthday attacks show up elsewhere in crypto too!
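The DNS 0x20 fix from slide 29, as an added example that is not part of the lecture: a resolver-side encoder that case-flips the query name under a keyed PRF, a check that the echoed question matches byte for byte, and the entropy bookkeeping that says how much harder the birthday attack from the previous slides becomes. The key and the HMAC-based PRF are assumptions; the 0x20 proposal only requires that the resolver can reproduce its own pattern.

```python
import hashlib
import hmac
import os

# Resolver-local key (hypothetical): only the resolver needs to reproduce the case pattern.
RESOLVER_KEY = os.urandom(16)


def encode_0x20(qname, key=RESOLVER_KEY):
    """Flip the case of each ASCII letter in the query name according to a keyed PRF.
    DNS name matching is case-insensitive, so the authoritative server answers the same
    question, but it copies the question section back verbatim, case included."""
    name = qname.lower()
    mask = hmac.new(key, name.encode(), hashlib.sha256).digest()
    out, bit = [], 0
    for ch in name:
        if "a" <= ch <= "z":
            if (mask[(bit // 8) % len(mask)] >> (bit % 8)) & 1:
                ch = ch.upper()
            bit += 1                     # one mask bit consumed per letter
        out.append(ch)
    return "".join(out)


def response_matches(sent_qname, answered_qname):
    """Accept a reply only if the echoed question name matches byte for byte. A forged reply
    from an attacker who never saw the query must guess the case pattern on top of the
    transaction ID and UDP port."""
    return sent_qname == answered_qname


def extra_entropy_bits(qname):
    """Each letter contributes one bit; digits, dots and hyphens contribute nothing."""
    return sum(1 for ch in qname if ch.isalpha())


def guesses_needed(qname, random_source_port=True):
    """Size of the space an off-path attacker must cover per forged reply."""
    bits = 16 + (16 if random_source_port else 0) + extra_entropy_bits(qname)
    return 2 ** bits


if __name__ == "__main__":
    q = encode_0x20("syndis.is")
    print("sent:", q, "| extra bits:", extra_entropy_bits(q), "| space:", guesses_needed(q))
```

The caveat is in extra_entropy_bits: "syndis.is" gains 8 bits, but a short or mostly numeric name gains almost nothing, so 0x20 is a supplement to source port randomization, not a replacement, and it breaks against the minority of authoritative servers that do not preserve case.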

30
 Helgi and Pétur have prepared a demo of an attack
 Goal: show how a hacker can steal passwords
 A key tool being used:

31