
Network Protocol Vulnerabilities


Presentation on theme: "Network Protocol Vulnerabilities"— Presentation transcript:

1 Network Protocol Vulnerabilities
CSCD 434 Lecture 6 Network Protocol Vulnerabilities Spring 2019

2 Outline
Today: Define general attacks on network protocols. Define why protocols are vulnerable. Look at attacks on network protocols: TCP, UDP, IP, ICMP, ARP.
Next time: Other protocols (BGP/DNS). Discussion of papers.

3 History of Network Protocols
Infrastructure protocols were designed when security concerns were almost non-existent. Trust was assumed. Recall the early history of the Internet: it connected major universities with government labs ... in fact, commercial use was at first prohibited. The main goal of the DARPA Internet Program was to share large service machines on ARPANET. Many protocol specifications focused only on operational aspects … and overlooked security implications ... Hey, we're all friends!!

4 Vulnerabilities in Protocols
During the last twenty years, many vulnerabilities have been identified in the TCP/IP stacks of most systems. Protocol weaknesses are due to: the design of the protocol, and daily operation and configuration.

5 TCP/IP Suite Problems
Can you think of some security problems with the design of the TCP/IP suite? IP addresses are not validated. Hosts cannot be authenticated. It is trivial to spoof packets as coming from a trusted host. Remote utilities assume trust between hosts. Encryption is not typically used, and never for headers.

6 Protocol Attacks What types of network attacks are common in today's Internet? Denial of Service (DoS) and Distributed Denial of Service (DDoS). Man-in-the-Middle attack. Eavesdropping on network traffic. Application security attacks: web-based attacks, SQL injection, cross-site scripting, drive-by malware.

7 Protocol Attack Techniques
Sniffing Traffic: Eavesdropping on a network with "wiretap" programs ... name one program. Wireless networks: easier to see all the traffic, put the NIC into monitor mode. Wired networks: the NIC needs to be in promiscuous mode; must do ARP spoofing or another attack to get all packets forwarded to you; can only see traffic from the subnet you are tapped into.

8 Protocol Attack Techniques
Flooding or Denial of Service: preventing legitimate clients from receiving service by sending too many bogus requests to a server, or tying up the server with malformed packets or packets out of sequence.

9 Protocol Attack Techniques
Spoofing: faking parts of a packet, usually the source IP address. Spoofing can be done for many different protocols. Illegal Packets: unexpected values in some fields cause a machine to hang or crash. Examples: src address and port = dest address and port; an illegal combination of flags in the TCP protocol; a huge ping packet, the "Ping of Death". I am a sheep

10 Which Protocols? TCP/IP Protocol Suite: Application Layer - DNS; Transport Layer - UDP/TCP; Network Layer - IP/ICMP/BGP; Data Link Layer - ARP

11 TCP/IP Problems Steve Bellovin, AT&T Bell Labs researcher
One of the first to publicize problems in the TCP/IP protocols. Wrote his original paper in 1989, documenting many problems; some problems are no longer relevant. Updated paper. Who does this look like?

12 Problems Summary Steve Bellovin’s Observations
TCP sequence numbers not random: can be predicted, which leads to IP spoofing attacks. Trusted hosts: used remote Linux utilities to violate trust; hardly ever used these days .. we won't cover it. ICMP messages: used to perform DoS and routing redirection. Routing protocols: RIP and BGP have authentication problems. Domain Name Servers: not secure.

13 TCP/IP Problems Look at a few problems: SYN floods, IP spoofing/TCP protocol problems, ICMP attacks, ARP cache poisoning

14 First .... TCP Review SYN - First packet in a connection, indicates the host wants a connection. ACK - Used throughout the entire connection to ACKnowledge previously received packets. FIN - Used to indicate the host is FINished sending data; the connection can be ended. RST - Sent whenever a host receives an unexpected packet, such as an ACK without ever having received a SYN. Resets the connection.

15 TCP Handshake (diagram, reconstructed from the slide): C -> S: SYN, seq = C. S (listening) stores the connection data and replies SYN, seq = S, ACK = C+1. C waits, then sends ACK = S+1. Connected.

16 TCP Syn Flooding How does it work?

17 TCP Layer Attacks TCP SYN Flooding
Exploits state kept at a server after the initial SYN packet: send a SYN and don't reply with an ACK. The server will wait 75 seconds for the ACK. There is a finite queue size for incomplete connections; once the queue is full the server doesn't accept new requests.

18 Wireshark Capture Syn Flood

19 SYN Flooding (diagram): client C sends SYN C1, SYN C2, SYN C3, SYN C4, SYN C5 ... to the listening server S, which stores data for each half-open connection.

20 SYN Flooding Attacker sends many connection requests
Requests can carry spoofed source addresses of machines that are not on-line. The victim allocates resources for each request, and each connection request exists until timeout. With a fixed number of half-open connections, future requests are rejected: DoS.

21 SYN Flood Solution: TCP SYN Cookies
General idea
– Client sends SYN with ISN (Initial Sequence Number)
– Server responds to client with SYN-ACK whose cookie sequence number (sqn) = f(src addr, src port, dest addr, dest port, random seed)
– Server does not save state
– Honest client responds with ACK(sqn+1)
– Server checks the response; if it matches the SYN-ACK, establishes the connection
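The SYN-cookie exchange above, as an added example written for this transcript (not code from the lecture or from any real TCP stack): the server derives sqn from a keyed hash of the 4-tuple and a coarse time slot, keeps no per-connection state, and recomputes the value when the ACK arrives. The slot layout, 24-bit hash width and 64-second validity are this example's own simplifications; real kernels also encode an MSS index.

```python
import hmac
import hashlib
import os
import time

# Random seed generated once at server start (constructed; any secret works).
SECRET = os.urandom(16)

def syn_cookie(src_addr, src_port, dst_addr, dst_port, time_slot, secret=SECRET):
    """sqn = f(src addr, src port, dest addr, dest port, seed, time slot).
    Top 8 bits carry the time slot so it can be recovered from the ACK;
    the low 24 bits are a keyed hash the attacker cannot compute."""
    msg = f"{src_addr}|{src_port}|{dst_addr}|{dst_port}|{time_slot}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    h = int.from_bytes(digest[:3], "big")
    return ((time_slot & 0xFF) << 24) | h

def current_slot():
    return int(time.time()) // 64   # cookie stays valid for about a minute

def make_syn_ack(src_addr, src_port, dst_addr, dst_port, client_isn):
    """Server side: answer the SYN with a SYN-ACK carrying the cookie.
    Nothing about this client is stored."""
    sqn = syn_cookie(src_addr, src_port, dst_addr, dst_port, current_slot())
    return {"seq": sqn, "ack": (client_isn + 1) & 0xFFFFFFFF}

def validate_ack(src_addr, src_port, dst_addr, dst_port, ack_num,
                 now_slot=None, secret=SECRET):
    """Server side: an honest client's ACK number is sqn+1. Recover sqn,
    read its slot tag, recompute for the current and previous slot, and
    accept only on an exact match. A forged or stale ACK is rejected."""
    if now_slot is None:
        now_slot = current_slot()
    sqn = (ack_num - 1) & 0xFFFFFFFF
    slot_tag = sqn >> 24
    for slot in (now_slot, now_slot - 1):
        if (slot & 0xFF) == slot_tag:
            expected = syn_cookie(src_addr, src_port, dst_addr, dst_port, slot, secret)
            return hmac.compare_digest(expected.to_bytes(4, "big"),
                                       sqn.to_bytes(4, "big"))
    return False
```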

22 More TCP
TCP uses flags for state coordination:
Gets      Sends     Gets    Comment
SYN       SYN-ACK   ACK     Normal connection
SYN/ACK   RST               Out of sequence
FIN/ACK   RST               Out of sequence
Uses sequence numbers and ACKs to keep track of bytes sent between the two hosts

23 TCP Data Injection Session Hijacking

25 TCP Data Injection Server

28 TCP Threat: Blind Hijacking
Is it possible for an off-path attacker to inject into a TCP connection even if they can't see our traffic? YES: if somehow they can infer or guess the port and sequence numbers.

30 Note #1: the attacker needs to hurry, since 1.2.1.2 may send a RST packet and end the connection

33 TCP ISN Prediction Tools
Nice paper on TCP attacks. Good sequence number prediction tools include: Mendax (go to Search for Mendax), Hping3, Dsniff

34 TCP/IP Spoofing Attacks
The question is: are these attacks still feasible today, 14 or 15 years later? A paper in 2015 describes that a surprising number of OS TCP stacks are vulnerable to TCP attacks of various kinds, including TCP spoofing.

35 More TCP Attacks Illegal Packets
Send a packet with both the SYN and FIN bits set. The victim host processes the SYN flag first, generates a reply segment with the ACK flag set, and performs a state transition to state SYN-RCVD. It then processes the FIN flag, performs a transition to the state CLOSE-WAIT, and sends the ACK segment back to the attacker ... no more packets are sent from the attacker. The victim connection gets stuck in this state until the keep-alive timer expires … another way to do DoS.

36 More TCP Attacks Illegal Packets
The attacker injects an RST segment into an existing TCP connection, causing it to be closed. The TCP Reset attack is possible because ... a TCP endpoint must accept out-of-order packets that are within the range of a window size, and RST flags should be processed immediately. How does this work?

37 TCP Reset Attack Established TCP connection from host A to host B
Now a third host, C, spoofs a packet that matches the source port and IP address of host A, the destination port and IP address of host B, and the current sequence number of the active TCP connection between host A and host B. Host C sets the RST bit on the spoofed packet, so when it is received by host B, host B immediately closes the connection. Results in denial of service until the connection can be reestablished.
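Why the blind hijacking (slide 28) and reset (slides 36-37) attacks only need an in-window guess, and how a hardened receiver closes that gap, as an added example written for this transcript (not code from the lecture): the classic RFC 793 acceptability test versus the RFC 5961 rule that resets only on an exact sequence match and answers other in-window RSTs with a challenge ACK. All state values are constructed.

```python
WRAP = 1 << 32   # TCP sequence numbers are 32-bit and wrap around

def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test: is seq within [rcv_nxt, rcv_nxt + rcv_wnd)?
    Modular subtraction handles wraparound near 2^32."""
    return (seq - rcv_nxt) % WRAP < rcv_wnd

def rst_accepted_rfc793(seq, rcv_nxt, rcv_wnd):
    """Classic behaviour described on the slide: any in-window RST tears the
    connection down, so a spoofed RST need only land somewhere in the window."""
    return in_window(seq, rcv_nxt, rcv_wnd)

def rst_action_rfc5961(seq, rcv_nxt, rcv_wnd):
    """Hardened behaviour: reset only on an exact match of rcv_nxt; an
    in-window but inexact RST draws a challenge ACK (which a blind, off-path
    sender never sees); anything outside the window is dropped."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"

def window_slices(rcv_wnd):
    """Risk measure: number of window-sized slices in the 2^32 sequence space,
    i.e. how much the window shrinks the guessing problem under RFC 793 rules.
    Larger windows mean fewer slices; RFC 5961 removes the shortcut entirely."""
    return WRAP // rcv_wnd

def classify_segments(segments, rcv_nxt, rcv_wnd):
    """Run a constructed list of (seq, flags) segments through both rules and
    report, per segment, what each receiver would do."""
    report = []
    for seq, flags in segments:
        if "RST" not in flags:
            continue
        report.append({
            "seq": seq,
            "rfc793": "reset" if rst_accepted_rfc793(seq, rcv_nxt, rcv_wnd) else "drop",
            "rfc5961": rst_action_rfc5961(seq, rcv_nxt, rcv_wnd),
        })
    return report
```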

38 IP Source Routing Abuse
Routing Information Protocol (RIP): used to propagate routing information on local networks. Routers need to exchange information using routing protocols, typically every so many seconds. IP source routing feature: allows the source machine to specify the path a packet will take through the network.

39 Internet Protocol Connectionless, Unreliable, Best effort
IP header fields (diagram): Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address of Originating Host, Destination Address of Target Host, Options, Padding, IP Data. The Options field can specify a Source Route.

40 IP Source Routing Abuse
Example of MITM (Man-In-The-Middle) attacks: send bogus routing information to impersonate a particular host. The attacker wants packets to be sent to the attacker's machine, so they can intercept packets and gain passwords, credit card numbers or other sensitive information.

41 Steps in Source Route Attack
Attack steps (three hosts: Eve, Alice and Bob). Eve generates packets with a fake source route. The packets claim to come from Alice; the source route includes Eve's IP, so Eve looks like a router between Alice and Bob. Bob is the destination. Routers between Eve and Bob read the source route and deliver the packets to Bob via Eve.

42 Steps in Source Route Attack
(diagram) Eve sends a packet with route 1. Alice 2. Eve 3. Bob; Bob replies with a packet with route 1. Bob 2. Eve 3. Alice

43 Steps in Source Routing Abuse
Attack steps: Bob responds by sending packets through Eve to Alice. Eve never forwards the packets to Alice, and doesn't even need to DoS Alice. Comment: this attack doesn't work across the Internet, since most gateways block source-routed packets. Yet it is not blocked on internal networks, so insiders can get away with this type of attack.

44 Other Routing Vulnerabilities

45 ICMP What is ICMP protocol used for?
Internet Control Message Protocol (ICMP): mostly ... used to send error messages, e.g. that a requested service is not available, or that a host or router could not be reached.

46 ICMP Messages: 0 Echo Reply, 3 Destination Unreachable, 4 Source Quench, 5 Redirect, 8 Echo Request, 11 Time Exceeded, 12 Parameter Problem, 13 Timestamp, 14 Timestamp Reply, 15 Information Request, 16 Information Reply

47 ICMP Messages Destination Unreachable message
An ICMP message generated by a host or its inbound gateway to inform the client that the destination is unreachable for some reason. A Destination Unreachable message may be generated as a result of a TCP, UDP or another ICMP transmission.

48 ICMP Messages The Source Quench message
Requests the sender to decrease the traffic rate of messages to a router or host. The message may be generated if the router or host does not have sufficient buffer space to process the request, or may occur if the router or host's buffer is approaching its limit.

49 ICMP Attacks Attacks Reported in Bellovin Paper ICMP Redirect message
Used by gateways to advise hosts of better routes. There are some limitations on how it is used. It must be …. tied to an existing connection, and must only be sent from the first gateway to the originating host.

50 ICMP Attacks Attacks Reported in Bellovin Paper ICMP Redirect message
1. Host C sends a SYN packet to S via A, a router. 2. Before the packet can get there, Host X, our attacker, sends an ICMP redirect for Host X to C, spoofing the address of A. 3. C now redirects packets to X. 4. X forwards the packets to S to avoid suspicion.
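The two acceptance rules from slide 49 (tied to an existing connection; sent only by the first-hop gateway), as an added example written for this transcript (not code from the lecture or from any real host stack): a host-side check for an incoming ICMP Redirect. The routing table, subnet and flows are constructed. Note that in the slide 50 scenario X spoofs A's address, so the "first gateway" rule passes; that is why the check defaults to ignoring redirects altogether.

```python
import ipaddress

# Constructed host C state: local subnet, routing table (prefix -> gateway)
# and the (src, dst) pairs of connections currently open.
LOCAL_NET = ipaddress.ip_network("10.1.0.0/24")
ROUTES = {"0.0.0.0/0": "10.1.0.1",            # default via Router A (AA)
          "198.51.100.0/24": "10.1.0.2"}      # a more specific route
ACTIVE_FLOWS = {("10.1.0.50", "203.0.113.7")}  # C (CC) talking to server S

def first_hop(dst, routes=ROUTES):
    """Longest-prefix match: which gateway does this host currently use for dst?"""
    best = None
    for prefix, gw in routes.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def check_redirect(icmp_src, redirect_for_dst, new_gw, host_ip,
                   accept_redirects=False):
    """Decide whether a received ICMP Redirect (type 5) may change the route.
    Returns (accept, reason). Defaults to the recommendation on slide 52:
    hosts should ignore redirects and let the routing protocol pick paths."""
    if not accept_redirects:
        return False, "redirects disabled (recommended)"
    # Rule: must come from the first gateway on the path to that destination.
    # A spoofed source address satisfies this, which is the weakness.
    if icmp_src != first_hop(redirect_for_dst):
        return False, "not from the first-hop gateway for this destination"
    # Sanity check real stacks also apply: the new gateway must be on-link.
    if ipaddress.ip_address(new_gw) not in LOCAL_NET:
        return False, "new gateway is not on the local subnet"
    # Rule: must be tied to an existing connection to that destination.
    if (host_ip, redirect_for_dst) not in ACTIVE_FLOWS:
        return False, "no existing connection to this destination"
    return True, "accepted"
```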

51 ICMP Redirect (diagram): Host C (IP CC) normally routes through Router A (IP AA) to Server S. Host X (IP XX) sends a "new route thru XX" redirect that appears to come from AA; X then forwards the packets.

52 ICMP Attacks ICMP Current Attacks ICMP Redirect
Still a threat if not ignored. The current recommendation is to turn off redirects on Cisco routers. The routing protocol takes care of best paths; hosts should ignore ICMP redirect messages.

53 ICMP Attacks More Current Attacks
Other ways ICMP is used to compromise: ICMP Source Quench slows down transmission of traffic, essentially making the host perform a partial DoS on itself. ICMP DoS: the attacker could use either ICMP Time Exceeded or Destination Unreachable messages. Both messages can cause a host to drop a connection. The attacker can simply forge one of these ICMP messages and send it to one or both communicating hosts ... their connection will then be broken.

54 ICMP Attacks More Attacks SMURF Attack
Generate a ping stream (ICMP echo request) to the network broadcast address with the spoofed source IP set to the victim host. Every host on the ping target network will generate a ping reply (ICMP echo reply). The amplified ping reply stream can easily overwhelm the victim's network connection.

55 Smurf Attack

56 ARP Cache Poisoning What's the problem? No authentication !!!!!
Ethernet was designed without ANY authentication technology whatsoever. So it is trivial for ANY computer with access to an Ethernet LAN to re-route any other computer's traffic through itself simply by impersonating one or more other computers. One computer can re-route ALL of the LAN's traffic through itself, and monitor, edit or alter anything sent to or received from any other machine on the local network.

57 ARP Cache Poisoning How Does ARP Work Normally?
A packet comes in through the router with an IP address. If there is no known MAC address in the ARP table, the host sends a broadcast to all LAN computers asking which computer has the packet's IP address. The broadcast ARP Request is received by every computer on the Ethernet LAN; each computer checks whether the IP is its own, and the computer finding a match sends an ARP Reply back to the requesting device.

58 ARP Cache Poisoning Yet Another MIMA
How is the cache poisoned? Receipt of an ARP reply causes the receiving computer to add the newly received information to its ARP cache. If a computer receives a SPOOFED ARP REPLY from an attacking computer claiming it was assigned an IP that belonged to some other computer, the computer would trustingly and blindly REPLACE its current correct entry with the misleading replacement! And sending an ARP reply to the computer being hijacked would replace the ARP entry for that computer too. Subsequent traffic would instead be sent to the attacking computer.

59 ARP Cache Poisoning Replace both ARP entries with Charlie's MAC address and gain access to all of Alice's and Bob's traffic

60 Solutions for ARP Cache Poisoning
No universal defense
• Use static ARP entries
– Cannot be updated
– Spoofed ARP replies are ignored
– ARP table needs a static entry for each machine on the network
– Large overhead: deploying these tables, keeping the table up-to-date

61 Solutions for ARP Cache Poisoning
• Arpwatch
– A free UNIX program that listens for ARP replies on a network
– Builds a table of IP/MAC associations and stores it in a file
– When a MAC/IP pair changes, an e-mail is sent to an administrator
• RARP (Reverse ARP)
– Requests the IP of a known MAC
– Detects MAC cloning: cloning can be detected if multiple replies are received for a single RARP
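The arpwatch idea above, as an added example written for this transcript (not arpwatch's own code): keep an IP-to-MAC table from observed ARP replies, alert on any change, and additionally flag one MAC answering for several IPs, which is what the slide 59 picture (Charlie claiming both Alice's and Bob's addresses) looks like on the wire. The replies below are constructed; a legitimate DHCP reassignment or NIC swap also triggers the change alert, so the second check is what separates poisoning from churn.

```python
from collections import defaultdict

# Constructed ARP "is-at" replies: (timestamp, sender IP, sender MAC).
SAMPLE_REPLIES = [
    (1, "192.168.1.1", "00:11:22:33:44:01"),    # gateway
    (2, "192.168.1.10", "00:11:22:33:44:10"),   # Alice
    (3, "192.168.1.20", "00:11:22:33:44:20"),   # Bob
    (9, "192.168.1.1", "00:11:22:33:44:99"),    # gateway "moves" to a new MAC
    (10, "192.168.1.10", "00:11:22:33:44:99"),  # same MAC now also claims Alice
]

def watch_arp(replies):
    """Build the IP -> MAC table the way arpwatch does and collect one alert
    per observed change: (timestamp, ip, old_mac, new_mac)."""
    table = {}
    alerts = []
    for ts, ip, mac in replies:
        old = table.get(ip)
        if old is None:
            table[ip] = mac                    # first sighting: "new station"
        elif old != mac:
            alerts.append((ts, ip, old, mac))  # "changed ethernet address"
            table[ip] = mac                    # record what the LAN now believes
    return table, alerts

def macs_claiming_multiple_ips(table):
    """Return {mac: {ips}} for any MAC that answers for more than one IP.
    A single station impersonating the gateway and a host at once is the
    ARP cache poisoning MITM pattern from the slides."""
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def format_alerts(alerts):
    """Render alerts as the one-line notices an administrator would receive."""
    return [f"t={ts} {ip}: {old} -> {new}" for ts, ip, old, new in alerts]
```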

62 ARP Cache Poisoning Tools
ettercap (http://ettercap.sf.net): sniffing, hijacking, filtering, SSH v.1 sniffing (transparent attack)
dsniff: SSH v.1 sniffing (proxy attack)

63 Conclusion TCP/IP was never designed to be a secure protocol
Architecture flaws: sequence numbers have no security properties; IP addresses have no authentication; supporting protocols (ICMP, DNS, BGP) can be subverted. Some problems have been fixed: less address authentication being used, more crypto protocols for remote login, web browsers.

64 End Next time: Lab this week is Nmap and Reconnaissance

