Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIT 480: Securing Computer Systems

Published byJoy Butler Modified over 6 years ago

Similar presentations

Presentation on theme: "CIT 480: Securing Computer Systems"— Presentation transcript:

1 CIT 480: Securing Computer Systems
TCP/IP Security

2 Topics Internet Protocol (IP) IP Spoofing and Other Vulnerabilities
ICMP Transmission Control Protocol (TCP) TCP Session Hijacking UDP

3 Internet Protocol (IP)
Connectionless Packets may be lost, reordered, corrupted, or duplicated Each packet is transported independently from other packets IP packets Encapsulate TCP and UDP packets Unreliable Delivery on a best effort basis Encapsulated into link-layer frames No acknowledgments Data link frame IP packet TCP or UDP packet

4 IP Addresses 32-bit integers that identify machine on net
Dotted decimal notation: ii.jj.kk.ll DNS translates names to IP addresses 1 byte 32 bits = 4 bytes IPv6 addresses are 128-bit integers written like 2001:0db8:0000:0000:0000:ff00:0042:8329

5 IPv4 address allocation map from http://internetcensus2012. bitbucket

6 Network Address Translation
Uses public IP addr to represent private IP. Translates source IP in outgoing packets. Translates dest IP in incoming packets. Router keeps table of translations.

7 IP Address Geolocation
ISPs get blocks of IP addresses from ARIN. ARIN database records where IP addresses are. Application layer and time data may help reveal details. Check for your location.

8 IP Header Figure 3.1 from TCP/IP Illustrated, Vol 1.

9 IP Routing A router bridges two or more networks Routing table
Operates at the network layer. Maintains tables to forward packets to the appropriate network. Forwarding decisions based solely on the destination address. Routing table Maps ranges of IP addresses to LANs or other gateway routers.

10 IP Routing Same IP address at each hop used to route data packet.
New MAC address at each hop Same IP address at each hop used to route data packet.

11 IP Vulnerabilities Unencrypted transmission No source authentication
Eavesdropping possible at any intermediate host during routing. No source authentication Sender can spoof source address, making it difficult to trace packet back to attacker. No integrity checking Entire packet, header and payload, can be modified while en route to destination, enabling content forgeries, redirections, and man-in-the-middle attacks. No bandwidth constraints Large number of packets can be sent to DoS target.

12 IP Spoofing Two basic forms of IP Spoofing
IP Spoofing is an attempt by an intruder to send packets from one IP address that appear to originate at another. If victim trusts spoofed IP, then attacker trusted. Tracking down attack leads to spoofed IP. Two basic forms of IP Spoofing Blind Spoofing can be used from any source. Non-Blind Spoofing must be on same subnet.

13 Blind Spoofing Attacker cannot see response packets, but
Some attacks, like DoS do not want to receive response packets, and Some responses can be guessed sufficiently accurately to carry on conversation, such as TCP hijacking attacks.

14 Network Tests with ICMP
Internet Control Message Protocol (ICMP) Used for network testing and debugging. Simple messages encapsulated in single IP packets. Considered a network layer protocol. ICMP-based Network Testing Tools ping: sends echo request messages and provides statistics on roundtrip times and packet loss. traceroute: sends series of ICMP packets with increasing TTL value to discover routes.

15 ICMP DoS Attacks Ping of death Smurf
ICMP specifies messages must fit a single IP packet (64KB). Send a ping packet that exceeds maximum size using IP fragmentation. Reassembled packet caused several operating systems to crash due to a buffer overflow. Smurf Ping a broadcast address using a spoofed source address. Large number of responses sent to target whose address was spoofed.

16 Smurf Attack Attacker Victim Amplifying Network echo response
echo request echo response Attacker Victim echo response

17 TCP: Transmission Control Protocol
Connection-oriented Must establish connection before sending data. 3-way handshake. Reliable byte-stream TCP decides how to divide stream into packets. ACK, timeout, retransmit, reordering. 16-bit source and destination ports. FTP(21), HTTP(80), POP(110), SMTP(25)

18 TCP Reliability Breaks data into best-sized chunks.
After sending segment, maintains timer; if no ACK within time limit, resends segment. Sends ACK on receipt of packets. Discards pkts on bad checkum of header and data. Receiver resequences TCP segments, based on sequence numbers, allowing data to be reassembled correctly no matter what order. Receiver discards duplicate segments. Flow control: only sends as much data as receiver can process.

19 TCP Header Figure 17.2 from TCP/IP Illustrated, Vol 1.

20 TCP Connection Establishment
Figure 2.2, UNIX Network Programming TCP 3-Way Handshake

21 SYN Floods Create many half-open connections to target
Send SYN packet Ignore SYN+ACK response (May spoof invalid source IP address for each SYN) Target connection table fills up, resulting in DoS 3 minute timeout for final ACK all new TCP connections refused Defenses Micro-connections (allocate few resources til see ACK) SYN cookies store state in TCP ISN, not on server

22 TCP Connection Termination

23 TCP Session Killing RST FIN Need one valid TCP sequence number.
Send RST segment with spoofed IP address and valid sequence number. May need to send multiple RST’s in case host receives TCP segment with your chosen sequence number before your RST segment. FIN Need valid TCP sequence + ACK numbers. Send FIN+ACK segment with spoofed IP address to terminate session. Receive FIN packet in response, verifying kill if successful.

24 TCP Session Hijacking A TCP session hijacking attack is when an attacker takes control of an existing TCP session. The attacker must be able to Spoof IP address of one side of connection. Predict TCP sequence numbers. Gives threat access to authenticated sessions. Defenses: Random initial TCP sequence numbers. Use encrypted protocols like SSH, so attacker cannot interact with system due to inability to send properly encrypted traffic.

25 TCP Session Hijacking Steps
Guess TCP sequence numbers used in current session between two hosts. Create desynchronized state so neither side of connection can talk to the other. Send packet with correct SN + ACK with spoofed client IP address to server, containing attack.

26 ACK Storm Noisy side effect of TCP session hijacking.
Both client and server ACK unacceptable packets with expected sequence number. Each ACK is also unacceptable and generates another ACK response. If network drops packet, no response made. ACK storms create network congestion, leading to many dropped packets.

27 Covert Channels in TCP/IP
Covert channels enable communication using techniques not meant for information exchange. Possible techniques include: Timing of packets (temporal channel). Size of packets. Unused header fields (header bit modulation). Hiding data in packet body. Covert channels may be able to be detected by Too many packets of certain protocols (ICMP, DNS) Too large packets from certain protocols Multiple response packets for protocols like ICMP, DNS Covert channel tools include Loki (backdoor shell over ICMP or DNS) Ping Tunnel (ptunnel) OzymanDNS

28 Port Knocking Port knocking is a method of opening ports by making connections to a set of unused ports in a specified sequence. Fairly secure against brute force attacks since there are 65536k combinations, where k is the number of ports knocked Susceptible to replay attacks. If a port knock is sniffed, then attacker can replay the knock. Used to hide ports from network scans. Can be used by defenders and attackers. Port knocking proceeds as follows: Client wants to connect to port n on server, port n on server is blocked Client tries to connect to ports a, b, c and d, not receiving any response while doing so, since the firewall blocks all responses A port knocking daemon on the server keeps track of all the attempts Once the correct knocking sequence is received it opens port n.

29 User Datagram Protocol (UDP)
Stateless, unreliable layer 4 protocol. Runs on top of IP. Trades reliability for speed. Applications Streaming audio/video. TFTP (builds simple state on top of UDP.) DNS.

30 UDP Header Figure 11.2 from TCP/IP Illustrated, Vol 1.

31 Key Points IP addresses seen by recipient unlike MAC IP spoofing
NAT hides many IP addresses behind one. IP spoofing Blind: do not see responses. Non-blind: use sniffer to see responses. Technical DoS: ping of death, smurf, SYN flood TCP session hijacking seizes authenticated session Guess TCP sequence numbers based on ISN. Desynchronize existing TCP session. Threat resynchronizes with server, seizing control. Cannot hijack encrypted sessions like ssh.

32 References Carna Botnet, Internet Census 2012, Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011. Richard Stevens, TCP/IP Illustrated, Vol. 1, Addison-Wesley, 1994.

Download ppt "CIT 480: Securing Computer Systems"

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Cisco 2 - Routers Perrine. J Page 14/30/2015 Chapter 10 TCP/IP Protocol Suite The function of the TCP/IP protocol stack is to transfer information from.

Cisco 2 - Routers Perrine. J Page 14/30/2015 Chapter 10 TCP/IP Protocol Suite The function of the TCP/IP protocol stack is to transfer information from.
CISCO NETWORKING ACADEMY Chabot College ELEC 99.05 Transport Layer (4)

CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
Computer Security and Penetration Testing

Computer Security and Penetration Testing
CCNA – Network Fundamentals

CCNA – Network Fundamentals
Intermediate TCP/IP TCP Operation.

Intermediate TCP/IP TCP Operation.
Chapter 7 Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Explain the need for the transport layer.  Identify.

Chapter 7 Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Explain the need for the transport layer.  Identify.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
Chapter 7 – Transport Layer Protocols

Chapter 7 – Transport Layer Protocols
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
Transport Layer TCP and UDP IS250 Spring 2010

Transport Layer TCP and UDP IS250 Spring 2010
Gursharan Singh Tatla Transport Layer 16-May-2011 1

Gursharan Singh Tatla Transport Layer 16-May
Process-to-Process Delivery:

Process-to-Process Delivery:
ICMP (Internet Control Message Protocol) Computer Networks By: Saeedeh Zahmatkesh 90-91 spring.

ICMP (Internet Control Message Protocol) Computer Networks By: Saeedeh Zahmatkesh spring.
1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.

1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.
Firewalls. Evil Hackers FirewallYour network Firewalls mitigate risk Block many threats They have vulnerabilities.

Firewalls. Evil Hackers FirewallYour network Firewalls mitigate risk Block many threats They have vulnerabilities.
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen

1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen
1 Chapter Overview TCP/IP DoD model. 2 Network Layer Protocols Responsible for end-to-end communications on an internetwork Contrast with data-link layer.

1 Chapter Overview TCP/IP DoD model. 2 Network Layer Protocols Responsible for end-to-end communications on an internetwork Contrast with data-link layer.

Similar presentations

Ads by Google