Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Monitoring Tool: Wireshark

Published byErick Poole Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Monitoring Tool: Wireshark"— Presentation transcript:

1 CIS3360: Security in Computing Chapter 5 : Network Security I Cliff Zou Spring 2012

2 Network Monitoring Tool: Wireshark
Wireshark is a packet sniffer and protocol analyzer Captures and analyzes frames Supports plugins Usually required to run with administrator privileges Setting the network interface in promiscuous mode captures traffic across the entire LAN segment and not just frames addressed to the machine Freely available on

3  menu  main toolbar  filter toolbar  packet list pane  packet details pane  packet bytes pane  status bar

4 MAC Addresses and ARP 32-bit IP address:
network-layer address used to get datagram to destination IP subnet MAC (or LAN or physical or Ethernet) address: Data link layer address used to get datagram from one interface to another physically-connected interface (same network) 48 bit MAC address (for most LANs) burned in the adapter ROM Some Network interface cards (NICs) can change their MAC

5 ARP: Address Resolution Protocol
Question: how to determine MAC address of host B when knowing B’s IP address? Each IP node (Host, Router) on LAN has ARP table ARP Table: IP/MAC address mappings for some LAN nodes < IP address; MAC address; TTL> TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min) 1A-2F-BB AD LAN 71-65-F7-2B-08-53 58-23-D7-FA-20-B0 0C-C4-11-6F-E3-98

6 CS166: Computer Networks ARP ARP works by broadcasting requests and caching responses for future use The protocol begins with a computer broadcasting a message of the form who has <IP address1> tell <IP address2> When the machine with <IP address1> or an ARP server receives this message, its broadcasts the response <IP address1> is <MAC address> The requestor’s IP address <IP address2> is contained in the link header The Linux and Windows command arp - a displays the ARP table Internet Address Physical Address Type c-07-ac dynamic c-76-b2-d7-1d dynamic c-76-b2-d0-d2 dynamic c-76-b2-d7-1d dynamic c-a3-e dynamic d-92-b6-f1-a9 dynamic IPv6 does not use ARP, and ARP is instead replaced by Neighbor Discovery Protocol.

7 ARP Spoofing The ARP table is updated whenever an ARP response is received Requests are not tracked ARP announcements are not authenticated Machines trust each other A rogue machine can spoof other machines

8 ARP Poisoning (ARP Spoofing)
According to the standard, almost all ARP implementations are stateless An arp cache updates every time that it receives an arp reply… even if it did not send any arp request! It is possible to “poison” an arp cache by sending gratuitous arp replies

9 ARP Caches IP: MAC: 00:11:22:33:44:02 IP: MAC: 00:11:22:33:44:01 Data is at 00:11:22:33:44:01 is at 00:11:22:33:44:02 ARP Cache 00:11:22:33:44:02 ARP Cache 00:11:22:33:44:01

10 Poisoned ARP Caches (man-in-the-middle attack)
00:11:22:33:44:03 Data Data is at 00:11:22:33:44:03 is at 00:11:22:33:44:03 00:11:22:33:44:01 00:11:22:33:44:02 Poisoned ARP Cache 00:11:22:33:44:03 Poisoned ARP Cache 00:11:22:33:44:03

11 ARP Spoofing Using static entries solves the problem but it is almost impossible to manage! Check multiple occurrence of the same MAC i.e., One MAC mapping to multiple IP addresses (see previous slide’s example) Software detection solutions Anti-arpspoof, Xarp, Arpwatch

12 seq=server_seq, ack=client_seq+1
TCP Session Hijacking TCP connection has both sequence number and acknowledge number in each packet. The two ends negotiate what seq. and ack. Numbers to be used in TCP set up stage. seq and ack number size: 232 Makes seq/ack guessing very hard to achieve Very hard to hijack an already setup TCP connection! client server SYN, seq=client_seq SYN/ACK, seq=server_seq, ack=client_seq+1 ACK, seq=client_seq+1 ack=server_seq+1

13 TCP Session Hijacking Possible when an attacker is on the same network segment as the target machine. Attacker can sniff all back/forth tcp packets and know the seq/ack numbers. Attacker can inject a packet with the correct seq/ack numbers with the spoofed IP address. IP spoofing needs low-level packet programming, OS-based socket programming cannot be used!

14 TCP Session Hijacking Due to ARP spoofing

15 TCP Session Hijacking Another way is “coordinated IP spoofing” by using two computers, such as the “Thin pipe / Thick pipe method” introduced in spam lecture: High Speed Broadband connection (HSB) Controls a Low Speed Zombie (LSZ) Assumes no egress filtering at HSB’s ISP Hides IP address of HSB. LSZ is blacklisted. Target SMTP Server HSB LSZ TCP handshake TCP Seq #s SMTP bulk mail (Source IP = LSZ)

16 Denial-of-Service (DoS) Attack
An attempt to make a computer or network resource unavailable to its intended users DoS to the network bandwidth of targeted server DoS to the computing resource of targeted server Memory, CPU DoS to the vulnerability in targeted server Causing server OS crash (buffer overflow bug, logic bug, etc) Causing server program crash (e.g., Apache, Sendmail, SQL) Distributed Denial-of-Service (DDoS) attack Sending attack packets from multiple computers Botnet is the root cause for DDoS attacks

17 Denial-of-Service (DoS) Attack
Format: Real IP-based attack using botnets Attacker does not worry about exposing bots’ IP addresses. TCP flooding, UDP flooding, icmp flooding Spoofed IP-based attack SYN flooding with spoofed IPs. Source address hiding attack Smurf attack

18 Smurf Attack Some contents from this link:
Uses ICMP echo/reply packets with broadcast networks to multiply traffic Requires the ability to send spoofed packets Abuses “bounce-sites” to attack victims Traffic multiplied by a factor of 50 to 200

19 Description of Smurfing Attack
Router broadcasts to all LAN’s computers

20 How to prevent being a “bounce site”
Turn off directed broadcasts to subnets with 5 hosts or more Cisco router: Interface command “no ip directed-broadcast” Use access control lists (if necessary) to prevent ICMP echo requests from entering your network Probably not an elegant solution; makes troubleshooting difficult But many networks are doing this now Encourage vendors to turn off replies for ICMP echos to broadcast addresses Host Requirements RFC-1122 Section states “An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.” Patches are available for free UNIX-ish operating systems.

21 SYN Flooding Attack An attacker sends a large number of SYN requests to a target's system Target uses too much memory and CPU resources to process these fake connection requests Target’s bandwidth is overwhelmed Usually SYN flood packets use spoofed source IPs No TCP connection is set up (not like the TCP hijacking!) Hide attacking source Make the target very hard to decide which TCP SYN is attack and which TCP SYN is from legitimate users! Image from wikipedia

22 SYN Flood Defense: SYN Cookie
Some contents from: General idea Client sends SYN to server (client_seq number only) Server responds to Client with SYN-ACK cookie Server_sqn = f(src addr, src port, dest addr, dest port, rand) Ack number is normal value: client_seq +1 Server does not save state Honest client responds with ACK(client_ack = server_sqn+1) Server checks response If matches SYN-ACK, establishes connection

23 Cookie=HMAC(t, Ns, SIP, SPort, DIP, DPort)
TCP SYN cookie TCP SYN/ACK server_seq encodes a cookie 32-bit sequence number time mod 32: counter to ensure sequence numbers increase every 64 seconds MSS: encoding of server MSS (can only have 8 settings) Cookie: easy to create and validate, hard to forge Includes timestamp, nonce, 4-tuple 32 t mod 32 MSS Cookie=HMAC(t, Ns, SIP, SPort, DIP, DPort) 5 bits 3 bits

24 seq-number as SYN-cookie, seq-number, ack-number
client sends SYN packet and ACK number to server waits for SYN-ACK from server w/ matching ACK number server responds w/ SYN-ACK packet w/ initial SYN- cookie sequence number Sequence number is cryptographically generated value based on client address, port, and time. sends ACK to server w/ matching sequence number If ACK is to an unopened socket, server validates returned sequence number as SYN- cookie If value is reasonable, a buffer is allocated and socket is opened SYN ack-number SYN-ACK seq-number as SYN-cookie, ack-number NO BUFFER ALLOCATED ACK seq_number ack-number+data SYN-ACK seq-number, ack-number TCP BUFFER ALLOCATED

25 SYN Cookies Limitation
Windows has not adopted SYN cookies Some Linux distributions have used it Maximum segment size can only be 8 possible values Do not allow the use of TCP option field Many TCP option fields have been used by many programs

26 IP Traceback R R A R R R R7 R R4 R5 R6 R R3 R1 R2 V
Find an attack graph Routers record packet forwarding events. Victim walks the network in reverse order querying routers R R3 R1 R2 V

27 Logging Challenges Attack path reconstruction is difficult
Packet may be transformed as it moves through the network Full packet storage is problematic Memory requirements are prohibitive at high line speeds (OC-192 is ~10Mpkt/sec) Extensive packet logs are a privacy risk Traffic repositories may aid eavesdroppers

Download ppt "Network Monitoring Tool: Wireshark"

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.

1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.

Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
8-1 Last time □ Network layer ♦ Introduction forwarding vs. routing ♦ Virtual circuit vs. datagram details connection setup, teardown VC# switching forwarding.

8-1 Last time □ Network layer ♦ Introduction forwarding vs. routing ♦ Virtual circuit vs. datagram details connection setup, teardown VC# switching forwarding.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.

The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
ITIS 6167/8167: Network and Information Security Weichao Wang.

ITIS 6167/8167: Network and Information Security Weichao Wang.
MAC Addresses and ARP 32-bit IP address: –network-layer address –used to get datagram to destination IP subnet MAC (or LAN or physical or Ethernet) address:

MAC Addresses and ARP 32-bit IP address: –network-layer address –used to get datagram to destination IP subnet MAC (or LAN or physical or Ethernet) address:
Analysis of Attack By Matt Kennedy. Different Type of Attacks o Access Attacks o Modification and Repudiation Attacks o DoS Attacks o DDoS Attacks o Attacks.

Analysis of Attack By Matt Kennedy. Different Type of Attacks o Access Attacks o Modification and Repudiation Attacks o DoS Attacks o DDoS Attacks o Attacks.

Similar presentations

Ads by Google