
1 Sniffing and Spoofing

2 Spoofing
- Fraudulent authentication of one machine as another
- ARP spoofing
- IP spoofing
- DNS spoofing
- Web spoofing

3 ARP spoofing
- Address Resolution Protocol (ARP): maps an IP address to a hardware (Ethernet) address
  - A host sends an ARP packet: "who has this IP address, and what is your hardware address?"
  - ARP cache: table of recent responses
- ARP spoofing
  1. Assume IP address "a" of a trusted host
  2. Respond to ARP packets for address "a"
  3. Send a false hardware address (i.e. the fraud's address)
  4. Solution: make the ARP cache static (manual updates!?!)

4 ARP Message Formats
- ARP packets provide the mapping between hardware-layer and protocol-layer addresses
- 28-byte header for an IPv4 Ethernet network
  - 8 bytes of ARP data
  - 20 bytes of Ethernet/IP address data
- 6 ARP messages
  - ARP request and reply
  - ARP reverse request and reply
  - ARP inverse request and reply

5 ARP Request Message
- Source contains the initiating system's MAC address and IP address
- Destination contains the broadcast MAC address ff:ff:ff:ff:ff:ff

6 ARP Reply Message
- Source contains the replying system's MAC address and IP address
- Destination contains the requestor's MAC address and IP address

7 Types of Attack
- Sniffing attacks
- Session hijacking/MiM
- Denial of service

8 Sniffing on a Hub

9 Switch Sniffing
- Normal switched networks
  - Switches relay traffic between two stations based on MAC addresses
  - Stations only see broadcast or multicast traffic
- Compromised switched networks
  - Attacker spoofs destination and source addresses
  - Forces all traffic between two stations through its system

10 Unsolicited ARP Reply
- Any system can spoof a reply to an ARP request
- The receiving system will cache the reply
  - Overwrites the existing entry
  - Adds an entry if one does not exist
- Usually called ARP poisoning

11 Host to Host Exploit

12 Host to Router Exploit

13 Relay Configuration

14 Relay Configuration (cont.)

15 Session Hijacking/MiM
- Natural extension of the sniffing capability
- "Easier" than standard hijacking
  - Don't have to deal with duplicate/un-sync'd packets arriving at destination and source
  - Avoids packet storms

16 Denial of Service
- Spoofing the destination MAC address of a connection will prevent the intended source from receiving/accepting it
- Benefits
  - No protocol limitation
  - Eliminates synchronization issues
- Examples
  - UDP DoS
  - TCP connection killing instead of using RSTs

17 DoS MAC Entries

18 Denial of Service Examples

19 ARP Attack on Web Surfing
- Web surfers require the gateway router to reach the Internet
- Method
  - Identify the surfer's MAC address
  - Change their cached gateway MAC address (or DNS MAC address if local) to "something else"

20 ARP Attack on Network-based IDS
- Poorly constructed (single-homed) IDS network systems relay auditing data/alerts to management/admin consoles
- Method
  - Identify the local IDS network engine
  - Modify the gateway MAC address
  - Modify the console/management station address

21 Switch Attacks
- Certain attacks may overflow a switch's ARP tables
- Method
  - A MAC address is composed of six bytes, which is equivalent to 2^48 possible addresses
  - See how many randomly generated ARP replies or ARP requests it takes before the switch "fails"

22 Switch Attacks (cont.)
- Switches may
  - Fail open: the switch actually becomes a hub
  - Fail: no traffic passes through the switch, requiring a hard or soft reboot

23 Network "Bombs"
- "Hidden" application installed on a compromised system
- Method
  - Passively or actively collects ARP entries
  - Attacker specifies a timeout or future time
  - Application transmits false ARP entries to its list

24 Vulnerable Systems
- Windows 95
- Windows 98
- Windows NT
- Windows 2000
- AIX 4.3
- HP 10.2
- Linux RedHat 7.0
- FreeBSD 4.2
- Cisco IOS 11.1
- Netgear

25 Not Vulnerable
- Sun Solaris 2.8: appears to resist cache poisoning

26 Countermeasures

27 Firewalls
- Most "personal" firewalls are not capable of defending against or correctly identifying attacks below the IP level
- UNIX
  - ipfw
  - ipf (IP Filter)
- Windows environments
  - Network Ice/Black Ice

28 Session Encryption
- Examples
  - Establishing VPNs between networks or systems
  - Using application-level encryption
- Effects
  - Protects against disclosure attacks
  - Will not protect against DoS attacks

29 Strong Authentication
- Examples
  - One-time passwords
  - Certificates
- Effects
  - None on disclosure attacks
  - None on DoS attacks

30 Port Security
- Cisco switches: set port security ?/? enable
- Restricts source MAC addresses
  - Hard-coded ones
  - "Learned" ones
- Ability to set timeouts
- Ability to generate traps
- Ability to "shutdown" the violating port

31 Port Security (cont.)
- Issues
  - Only restricts source MAC addresses
  - Will not protect against ARP relay attacks
  - Will only protect against ARP source spoofing attacks

32 Hard Coding Addresses
- Example
  - Individual systems can hard code the corresponding MAC address of another system/address
- Issues
  - Management nightmare
  - Not scalable
  - Not supported by some OS vendors

33 Hard Coding Results

Operating System  | Results
------------------|--------
Windows 95        | FAIL
Windows 98        | FAIL
Windows NT        | FAIL
Windows 2000      | FAIL
Linux RedHat 7.0  | YES
FreeBSD 4.2       | YES
Solaris 2.8       | YES

34 Countermeasure Summary
- Attack types (columns): Sniffing, Session Hijacking, Denial of Service
- Countermeasures (rows): Firewalls, Session Encryption, Strong Authentication, Port Security, Hard Coding

35 Detection

36 IDS Architecture Issues

37 OS Level Detection

Operating System  | Detection
------------------|----------
Windows 95        | NO
Windows 98        | NO
Windows NT        | NO
Windows 2000      | NO
Linux RedHat 7.0  | NO
FreeBSD 4.2       | YES

38 Hypothetical Detection Application
- Purpose
  - Track and maintain ARP/IP pairings
  - Identify non-standard ARP replies versus acceptable ones
- Timeout issues
- The OS must withstand corruption itself
- Fix broken ARP entries of systems
- Transmission of correct ARP replies
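The ARP message layout from slides 4-6 and the pairing tracker sketched on slide 38, as an added example that is not part of the original presentation: it decodes the 28-byte IPv4/Ethernet ARP message and keeps an IP-to-MAC table, raising an alert for a reply nobody asked for (slide 10) and for a MAC that changes under a known IP. The frames, addresses and the ArpWatcher class are constructed for the example.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet frame + 28-byte IPv4/Ethernet ARP message (slides 4-6):
    8 bytes of ARP data, then 20 bytes of sender/target Ethernet and IP addresses."""
    eth_dst = b"\xff" * 6 if opcode == ARP_REQUEST else mac_bytes(target_mac)
    eth = eth_dst + mac_bytes(sender_mac) + b"\x08\x06"          # EtherType 0x0806 = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)         # Ethernet, IPv4, 6, 4, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """Decode the ARP message; None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {"op": op, "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
            "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20])}

class ArpWatcher:
    """Keep IP->MAC pairings; alert on replies nobody asked for and on a changed MAC."""
    def __init__(self):
        self.table = {}        # ip -> most recently seen mac
        self.pending = set()   # ips with an outstanding request
        self.alerts = []

    def observe(self, frame):
        msg = parse_arp(frame)
        if msg is None:
            return
        if msg["op"] == ARP_REQUEST:
            self.pending.add(msg["target_ip"])
            return
        if msg["op"] != ARP_REPLY:
            return
        ip, mac = msg["sender_ip"], msg["sender_mac"]
        if ip in self.pending:
            self.pending.discard(ip)
        else:
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        known = self.table.get(ip)
        if known is not None and known != mac:
            self.alerts.append(f"changed mapping: {ip} was {known}, now {mac}")
        self.table[ip] = mac

# Constructed traffic: a host asks for the gateway, the real gateway answers, then an
# unsolicited second reply tries to overwrite the cached gateway entry.
SAMPLE = [
    build_arp(ARP_REQUEST, "00:11:22:33:44:55", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.5"),
    build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.5"),
]

def run_sample():
    watcher = ArpWatcher()
    for frame in SAMPLE:
        watcher.observe(frame)
    return watcher.alerts
```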

39 Public Domain Tools
- Manipulation
  - Dsniff 2.3
  - Hunt 1.5
  - Growing number of others
- Local monitoring
  - Arpwatch 1.11

40 Demo Environment

41 Demonstration Tools
- rfarp 1.1
  - Provides ARP relay capability and packet dump for two selected stations
  - Corrects MAC entries upon exiting
- farp 1.1b
  - Passive and active collection of ARP messages
  - DoS attacks on single hosts
  - DoS attacks on the entire collection
  - Arbitrary and manual input of spoofed MAC addresses

42 Bibliography
- Finlayson, Mann, Mogul, Theimer, RFC 903, "A Reverse Address Resolution Protocol," June 1984
- Kra, Hunt 1.5, http://www.gncz.cz/kra/index.html, Copyright 2000
- Lawrence Berkeley National Laboratory, Network Research Group, Arpwatch 1.11, ftp://ftp.ee.lbl.gov/arpwatch.tar.Z, Copyright 1996
- Plummer, David C., RFC 826, "An Ethernet Address Resolution Protocol," November 1982
- Russel, Ryan and Cunningham, Stace, "Hack Proofing Your Network," Syngress Publishing Inc, Copyright 2000
- Song, Dug, Dsniff 2.3, http://www.monkey.org/~dugsong/, Copyright 2000

43 IP Spoofing

44 Definitions
- An open connection between two computers communicating by TCP/IP is called a socket and is defined by:
  - Source IP number
  - Source port number
  - Destination IP number
  - Destination port number
  - Initial source SEQ number
  - Initial destination SEQ number
  - An ID # that is increased for each packet

45 TCP packet header

16-bit source port number | 16-bit destination port number
32-bit sequence number
32-bit acknowledgement number
header length | unused | flags | 16-bit window size
16-bit TCP checksum | 16-bit urgent offset
Options (if any)
Data (if any)

46 Traditional TCP/IP handshake (diagram: attacker and target)
- attacker -> target: SYN
  - Src IP, Dst IP; Src port, Dst port
  - Syn = initial seq#; Ack = NULL; Flags = S
  - Src ID = src ID + 1

47 Traditional TCP/IP handshake (diagram: attacker and target)
- attacker -> target: SYN
  - Src IP, Dst IP; Src port, Dst port
  - Syn = src seq#; Ack = NULL; Flags = S
- target -> attacker: SYN/ACK
  - Src IP, Dst IP; Src port, Dst port
  - Syn = dst seq#; Ack = src seq# + 1; Flags = S+A
  - Dst ID = dst ID + 1

48 Traditional TCP/IP handshake (diagram: attacker and target)
- attacker -> target: SYN
- target -> attacker: SYN/ACK
- attacker -> target: ACK
  - Src IP, Dst IP; Src port, Dst port
  - Syn = src seq#; Ack = dst seq# + 1; Flags = A
  - Src ID = src ID + 1

49 Establishing a socket (diagram: A and B)
- A -> B: SYN (seq a)
- B -> A: SYN/ACK (seq b / ack = seq a + 1)
- A -> B: ACK (ack = seq b + 1)

50 Traditional port scanning (diagram: attacker and target)
- attacker -> target: SYN
- target -> attacker: SYN/ACK
- attacker -> target: ACK

51 Traditional stealth scanning 1 (diagram: attacker and target)
- attacker -> target: SYN
- target -> attacker: SYN/ACK

52 Traditional stealth scanning 2 (diagram: attacker and target)
- attacker -> target: SYN
- target -> attacker: SYN/ACK
- attacker -> target: RST

53 Sequence numbers
- Are in place to provide easy packet reassembly
- Incremented each time a packet is sent
- Various incrementation schemes exist

54 ID flag
- Is in place to identify each TCP session
- Is also in some cases used for packet reassembly
- The ID counter is increased every time a packet is sent
- This is valid for all packets, including reset packets

55 ID flag prediction
- Most Unix boxes increment the ID by a random or pseudo-random number
- Up till today, ID numbers have not been known to be security critical
- Some Windows versions tend to increment the ID# by 1
- While some seem to increment the ID# by 254
- This is due to reversed byte ordering of the ID# in these operating systems

56 IP spoofing
- 3 computers: A, B, C
- C sends a packet to A, but makes A believe that the packet comes from B
- How to do it? Easy? Set the source IP address of the IP header to the IP address of B
- This can be done easily using "raw" IP packets
  - You can make IP packets on your own, so you can also set the source IP address to any value you want

57 Spoofed scanning in theory
- By constantly polling a decoy host for ID number increments we can see if the scanned target host has sent it SYN/ACK or reset packets
- By analyzing this we will know whether a port on the scanned host is open or not
- This is done totally blind from the scanned host

58 Spoofed scanning in theory
- Since we know a machine will increase the ID# by sending a packet, we can constantly probe the host to see how many packets it has sent between our polls
- This is done by monitoring the ID# increment

59 Spoofed scanning in theory
- If a port is open on the scanned host, the server will respond with a SYN/ACK
- If a port is closed on the scanned host, it will respond with a RST

60 Spoofed scanning in theory
- If a host receives a SYN/ACK from an unknown source, it will send a RST packet back
- If a host receives a RST packet from an unknown source, it will NOT send a packet back

61 Internet security threats
- IP Spoofing: can generate "raw" IP packets directly from an application, putting any value into the IP source address field
- The receiver can't tell if the source is spoofed
- e.g.: C pretends to be B (diagram: A, B, C; C sends a packet with src:B, dest:A, payload to A)

62 Why IP spoofing?
- IP address as an authentication method
  - It is not as safe as username/password authentication, but is used in many cases
- E.g. rlogin host
  - Network of workstations that share the same user database
  - The host detects the IP address of the client; if it is in the trusted list, login is granted without asking for a username and password
- Consequence: the attacker can access all the information of the spoofed computer on the server

63 How to do IP spoofing?
- IP spoofing is a blind attack. Why? Where does the victim send the reply to?
- It is extremely hard to carry out successful IP spoofing
  - Must create a successful TCP connection with the victim. How?

64 TCP Connection Establishment (diagram: active participant (client) and passive participant (server))
- client -> server: SYN, SequenceNum = x
- server -> client: SYN + ACK, SequenceNum = y, Acknowledgment = x + 1
- client -> server: ACK, Acknowledgment = y + 1

65 Spoofing TCP connection
- A SYN request is sent by C to A; C is impersonating B
- A will reply to B (not C) by sending a SYN/ACK packet
  - Case 1: B receives the SYN/ACK and gets confused. It replies with NACK. Spoofing fails
  - Case 2: B doesn't reply to A (hopefully)
- C sends ACK to A
  - Has to guess the SYN SEQ# that A sent to B and reply with SEQ#+1
  - Hard but possible

66 TCP SYN attack
- In Berkeley implementations, the ISN is incremented by a constant amount (64000) once per 0.5 second, and each time a connection is initiated
- It is not hopeless to guess the next ISN to be used by a server
- An attacker can impersonate a trusted host (e.g., in the case of r commands, authentication is based on the source IP address solely)
- Diagram (attacker, server, trusted host (T)):
  - attacker -> server: SYN = ISN_X, SRC_IP = T
  - server -> T: SYN = ISN_S, ACK(ISN_X)
  - attacker -> server: ACK(ISN_S), SRC_IP = T
  - attacker -> server: SRC_IP = T, nasty_data

67 Steps of IP spoofing attack
- Detecting the trusted system
  - C wants to access A and finds that A trusts B
- Blocking the trusted system (B)
  - So that it does not respond to the SYN request from A. How?
  - DoS attack on B
- Guessing the SEQ# of B
  - Must know how TCP generates the SEQ#
  - Try to connect to open ports of B right before the attack and check the SEQ#
  - Predict the next SEQ# according to the TCP algorithm, given the last SEQ# and the elapsed time
- Making the TCP connection
- Doing damage

68 Counter Measures
- Avoid using IP as an authentication method
  - Username/password is better
- Install a firewall
  - Trusted IPs are usually on the same network
  - Spoofed IPs come from outside the network
  - The firewall blocks IP packets from outside the network, especially those with a source IP inside the network
  - The attacker's firewall should also block packets whose source IP is not in its internal network
- IPsec
  - Secure IP using encryption
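The two firewall rules on this slide as an added example (not part of the original presentation): an ingress rule on the outside interface that drops any packet claiming an internal source, and an egress rule on the inside interface that drops any packet whose source is not ours. The 192.168.1.0/24 network, the interface names and the sample packets, including the outsider C from slide 67 posing as the trusted host B, are all constructed for the example.

```python
import ipaddress

# Assumed topology: the protected network is 192.168.1.0/24 and the border firewall
# sees packets on an "outside" and an "inside" interface.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

def antispoof_verdict(packet):
    """Return ("ACCEPT"|"DROP", reason) for a packet seen at the border.
    packet: dict with iface ("outside"/"inside"), src and dst as dotted quads."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    if packet["iface"] == "outside":
        # Ingress rule: nothing arriving from outside may claim an internal source.
        if src in INTERNAL_NET:
            return "DROP", "inbound packet claims an internal source address"
        if dst not in INTERNAL_NET:
            return "DROP", "inbound packet not addressed to the internal network"
    elif packet["iface"] == "inside":
        # Egress rule: our hosts may only send with an internal source, so a
        # compromised box here cannot spoof someone else's address outwards.
        if src not in INTERNAL_NET:
            return "DROP", "outbound packet with a source that is not ours"
    else:
        return "DROP", "unknown interface"
    return "ACCEPT", "passes anti-spoofing rules"

def filter_batch(packets):
    """Apply the rules to a batch and keep only the accepted packets."""
    return [p for p in packets if antispoof_verdict(p)[0] == "ACCEPT"]

# Constructed packets: A (192.168.1.10) and B (192.168.1.20) are internal; C is the
# outsider from slide 67 sending a SYN to A with B's address as source.
SAMPLE = [
    {"iface": "outside", "src": "192.168.1.20", "dst": "192.168.1.10"},   # C posing as B
    {"iface": "outside", "src": "198.51.100.7", "dst": "192.168.1.10"},   # ordinary inbound
    {"iface": "inside",  "src": "192.168.1.20", "dst": "198.51.100.7"},   # ordinary outbound
    {"iface": "inside",  "src": "10.9.9.9",     "dst": "198.51.100.7"},   # spoof from inside
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["iface"], p["src"], "->", p["dst"], *antispoof_verdict(p))
```

These rules only cover the border: as the slide notes, the trusted host is usually on the same network as the server, and a spoofed packet originating on that segment never crosses the firewall.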

69 SYN Floods
- Simple to execute
- Send many SYNs to the target host in quick succession with spoofed IPs
- The target allocates a buffer in kernel space, which stays allocated until it times out
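A handshake tracker and half-open-connection counter as an added example (not from the original presentation): it replays constructed packet records using the sequence/acknowledgement rules of slides 49 and 64, keeps every SYN that was answered with a SYN/ACK but never acknowledged, and flags a listener once the number of such entries within the timeout exceeds a threshold. The addresses, ports and the record format are constructed for the example.

```python
from collections import Counter

def track_handshakes(packets):
    """Classify each client 4-tuple by replaying records. A record is a dict with
    src, sport, dst, dport, flags ("S", "SA" or "A"), seq, ack and t (seconds)."""
    conns = {}
    for p in packets:
        if p["flags"] == "S":                                  # SYN, seq = a
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            conns[key] = {"stage": "SYN_RCVD", "cli_seq": p["seq"], "t": p["t"]}
        elif p["flags"] == "SA":                               # SYN/ACK, ack must be a + 1
            key = (p["dst"], p["dport"], p["src"], p["sport"])  # server answers the client
            c = conns.get(key)
            if c and c["stage"] == "SYN_RCVD" and p["ack"] == c["cli_seq"] + 1:
                c["srv_seq"] = p["seq"]
                c["stage"] = "SYNACK_SENT"
        elif p["flags"] == "A":                                # ACK, ack must be b + 1
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            c = conns.get(key)
            if c and c["stage"] == "SYNACK_SENT" and p["ack"] == c["srv_seq"] + 1:
                c["stage"] = "ESTABLISHED"
    return conns

def half_open(conns, now, timeout):
    """Entries still waiting for the client's ACK: these hold the kernel buffers."""
    return {k: c for k, c in conns.items()
            if c["stage"] != "ESTABLISHED" and now - c["t"] < timeout}

def syn_flood_report(packets, now, timeout=30.0, threshold=5):
    """Flag a listener when more than `threshold` half-open entries point at it."""
    pending = half_open(track_handshakes(packets), now, timeout)
    per_listener = Counter((dst, dport) for (_, _, dst, dport) in pending)
    sources = {src for (src, _, _, _) in pending}
    flagged = {lst: n for lst, n in per_listener.items() if n > threshold}
    return {"half_open": len(pending), "flagged": flagged, "distinct_sources": len(sources)}

def pkt(src, sport, dst, dport, flags, seq, ack, t):
    return dict(src=src, sport=sport, dst=dst, dport=dport, flags=flags, seq=seq, ack=ack, t=t)

SERVER = "192.0.2.10"                       # constructed addresses
SAMPLE = [                                  # one legitimate, completed handshake ...
    pkt("10.0.0.5", 40001, SERVER, 80, "S", 1000, 0, 0.0),
    pkt(SERVER, 80, "10.0.0.5", 40001, "SA", 5000, 1001, 0.1),
    pkt("10.0.0.5", 40001, SERVER, 80, "A", 1001, 5001, 0.2),
]
for i in range(8):                          # ... then SYNs from spoofed sources that never ACK
    SAMPLE.append(pkt(f"203.0.113.{i + 1}", 50000 + i, SERVER, 80, "S", 7000 + i, 0, 1.0 + i * 0.01))
    SAMPLE.append(pkt(SERVER, 80, f"203.0.113.{i + 1}", 50000 + i, "SA", 9000 + i, 7001 + i, 1.0 + i * 0.01))

if __name__ == "__main__":
    print(syn_flood_report(SAMPLE, now=2.0))
```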

70

71 Reconnaissance with Spoofed IPs
- 3 basic recon methods
  - Spoofed IPs as misinformation
  - Port scanning by IP sequence number observation
  - Port scanning by indirect observation

72 Spoofed IP Addresses As Background Noise
- An attacker can use spoofed IP addresses to create suspicious traffic that cannot easily be tracked down to the actual attacker. The intent here is not to leverage data from the actual spoofed packets, but to allow the attacker's real activity, or identity, to be hidden among the false packets. Nmap, perhaps the most common network scanner at the moment, allows the use of numerous "decoy" addresses. Using the -D option in Nmap, such as nmap -O -D 10.1.1.1,10.1.1.2,actual.attacker.ip.address,10.1.1.3 10.2.2.1, will allow an attacker to determine the operating system of the host at 10.2.2.1 while making it appear that the system is being scanned by four simultaneous hosts, only one of which (the 3rd sequentially) is the attacker.

73 Spoofed IPs as Background Noise
- Scan from 100 random used IPs and your own
- All must be checked to determine the actual scanner
- Ex: -D option in nmap

74 Indirect Reconnaissance of a Target
1) Hosts reply SYN|ACK to a SYN if the TCP target port is open, and reply RST|ACK if the TCP target port is closed.
2) You can know the number of packets that hosts are sending using the ID field of the IP header.
3) Hosts reply RST to a SYN|ACK, and reply nothing to a RST.
The significance of this is that, due to predictable IP IDs, it is possible to remotely determine whether a particular host is sending traffic to a third party. Using another of the described tendencies, it is also possible to predict how a host will react to a port scan: if a host is listening on a port, a probe (SYN) to that port will result in a SYN/ACK.

75 Indirect Reconnaissance of a Target

76 IP Sequence Number Observation (diagram with hosts A, Z and T)
- Step 1: A probes Z; echo response
- Step 2: spoofed SYN from Z to T; unknown traffic
- Step 3: A probes Z again; echo response

77 Indirect Reconnaissance of a Target

78 Introducing our players (diagram)
- attacker: 10.0.0.1
- target: 192.0.0.1
- spoof host: 172.0.0.1

79 Why do we need three of them (diagram)
- attacker: 3vil.org
- target: www.anycompany.com:80
- spoof host: unknowing.com

80 Phase one (sync the id# of spoof) (diagram)
- attacker (3vil.org) -> spoof host (unknowing.com): SYN:80

81 Phase one (sync the id# of spoof) (diagram)
- spoof host (unknowing.com) -> attacker (3vil.org): SYN/ACK

82 Why did we do that
- The attacker now knows the spoof host's initial ID#

83 Phase 2 (spoofing the source) (diagram)
- attacker (10.0.0.1) -> target (192.0.0.1): SYN, src = 172.0.0.1, dst = 192.0.0.1

84 Phase 3 (fooling the response) (diagram)
- target (192.0.0.1) -> spoof host (172.0.0.1): SYN/ACK, src = 192.0.0.1, dst = 172.0.0.1

85 Phase 3 (fooling the response) (diagram)
- spoof host (172.0.0.1) -> target (192.0.0.1): RST, src = 172.0.0.1, dst = 192.0.0.1

86 Phase 4 (probing the spoof host) (diagram)
- attacker (10.0.0.1) -> spoof host (172.0.0.1): SYN:80

87 Phase 4 (probing the spoof host) (diagram)
- attacker (10.0.0.1) -> spoof host (172.0.0.1): SYN:80
- spoof host (172.0.0.1) -> attacker (10.0.0.1): SYN/ACK

88 Case port open: adding the ID counters

89 Phase one (sync the id# of spoof) (diagram)
- attacker (3vil.org) -> spoof host (unknowing.com, 172.0.0.1, ID = 0): SYN:80

90 Phase one (sync the id# of spoof) (diagram)
- spoof host (unknowing.com, 172.0.0.1, ID = 1) -> attacker (3vil.org): SYN/ACK

91 Phase 2 (spoofing the source) (diagram)
- attacker (10.0.0.1) -> target (192.0.0.1): SYN, src = 172.0.0.1, dst = 192.0.0.1
- spoof host (172.0.0.1) ID = 1

92 Phase 3 (fooling the response) (diagram)
- target (192.0.0.1) -> spoof host (172.0.0.1): SYN/ACK, src = 192.0.0.1, dst = 172.0.0.1
- spoof host (172.0.0.1) ID = 1

93 Phase 3 (fooling the response) (diagram)
- spoof host (172.0.0.1) -> target (192.0.0.1): RST, src = 172.0.0.1, dst = 192.0.0.1
- spoof host (172.0.0.1) ID = 2

94 Phase 4 (probing the spoof host) (diagram)
- attacker (10.0.0.1) -> spoof host (172.0.0.1): SYN:80
- spoof host (172.0.0.1) ID = 2

95 Phase 4 (probing the spoof host) (diagram)
- attacker (10.0.0.1) -> spoof host (172.0.0.1): SYN:80
- spoof host (172.0.0.1) -> attacker (10.0.0.1): SYN/ACK
- spoof host (172.0.0.1) ID = 3

96 Case port closed: adding the ID counters

97 Phase one (sync the id# of spoof) (diagram)
- attacker (3vil.org) -> spoof host (unknowing.com, 172.0.0.1, ID = 0): SYN:80

98 Phase one (sync the id# of spoof) (diagram)
- spoof host (unknowing.com, 172.0.0.1, ID = 1) -> attacker (3vil.org): SYN/ACK

99 Phase 2 (spoofing the source) (diagram)
- attacker (10.0.0.1) -> target (192.0.0.1): SYN, src = 172.0.0.1, dst = 192.0.0.1
- spoof host (172.0.0.1) ID = 1

100 Phase 3 (fooling the response) (diagram)
- target (192.0.0.1) -> spoof host (172.0.0.1): RST, src = 192.0.0.1, dst = 172.0.0.1
- spoof host (172.0.0.1) ID = 1

101 Phase 4 (probing the spoof host) (diagram)
- attacker (10.0.0.1) -> spoof host (172.0.0.1): SYN:80
- spoof host (172.0.0.1) ID = 1

102 Phase 4 (probing the spoof host) (diagram)
- attacker (10.0.0.1) -> spoof host (172.0.0.1): SYN:80
- spoof host (172.0.0.1) -> attacker (10.0.0.1): SYN/ACK
- spoof host (172.0.0.1) ID = 2

103 The basic technique and its flaws
- If the poll host is active, it will increase the ID# for each connection of its own
- This will result in false positives
- These false positives can be minimized by sending multiple packets for each port
- Then calculate the increase
- The port will only show up as open if the increase is > (#packets_sent*255)/2

104 Phase 2 (spoofing the source) (diagram)
- attacker (10.0.0.1) -> target (192.0.0.1): (SYN, src = 172.0.0.1, dst = 192.0.0.1) * 20
- spoof host (172.0.0.1) ID = 1

105 Phase 3 (fooling the response) (diagram)
- target (192.0.0.1) -> spoof host (172.0.0.1): SYN/ACK, src = 192.0.0.1, dst = 172.0.0.1
- spoof host (172.0.0.1) ID = 1 + 20

106 Summary
- By constantly polling a decoy host for ID number increments we can see if the scanned target host has sent it SYN/ACK or reset packets
- By analysing this we will know whether a port on the scanned host is open or not
- This is done totally blind from the scanned host

107 DoS/DDoS
- DoS attacks are as old as the Internet itself
- In the year 2000 a completely new quality of DoS attack started (DDoS)
- DDoS struck a huge number of prominent web sites including Yahoo, eBay, Amazon and Buy.com
- DDoS concepts:
  - Distributing the attack across several hosts
  - Coordinating the attack among many machines
  - Using the distribution system to thwart all attempts to discover the origin of the attack

108 DoS/DDoS Flood Attack Methods
- Smurf attack
- TCP SYN attack
- UDP attack
- TCP attack
- ICMP attack

109 DoS/DDoS TCP SYN Attack
- Exploits the three-way handshake

110 “Smurf”

111 DNS Spoofing
- Someone else's domain name -> your computer
- Possible damages:
  - Redirected email: email sent from A to B goes to C instead, because C spoofed B's domain name
  - Redirected web server: possible attack by exploiting a browser vulnerability

112 How to do DNS spoofing?
- C: the attacker, who wants to spoof B
- A communicates with B
- Method 1
  - Modify C's name server ns.C so that it responds to "C=?" with "B=C.ip"
    - This is replying with something that was not asked for
  - Send the DNS request "C=?" to ns.A
  - ns.A asks ns.C
  - ns.C replies "B=C.ip"
- Method 2
  - C sends the DNS request "B=?" to ns.A
  - C replies "B=C.ip" to ns.A
  - UDP makes it easier; C still needs to guess the request ID

113 Countermeasures
- Paranoid DNS checking
  - The resolved IP address is sent to DNS for reverse resolution to get the hostname
  - Send the hostname to DNS again to get the IP address
  - If the two IP addresses match = OK
- Secure name server
- DNSsec
  - Digitally signed answers
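The "paranoid DNS checking" procedure from this slide as an added example that is not part of the original presentation. It runs against constructed forward and reverse lookup tables instead of live DNS, with one poisoned answer mixed into the records for www.example.net; the hostnames and addresses are invented for the example. Besides the literal procedure (resolve, reverse-resolve, resolve again, compare addresses) it includes a stricter variant that also requires the PTR name to be the name originally asked about.

```python
# Constructed resolver tables standing in for live DNS so the check runs offline.
FORWARD = {                         # name -> A records
    "mail.example.net": ["198.51.100.25"],
    "www.example.net":  ["198.51.100.80", "203.0.113.9"],   # second answer is the poisoned one
    "evil.example.org": ["203.0.113.9"],
}
REVERSE = {                         # ip -> PTR records
    "198.51.100.25": ["mail.example.net"],
    "198.51.100.80": ["www.example.net"],
    "203.0.113.9":   ["evil.example.org"],
}

def paranoid_check(hostname, forward, reverse, strict=False):
    """For every address `hostname` resolves to: reverse-resolve the address, resolve the
    PTR name again and accept the address only if it reappears (the slide's procedure).
    With strict=True the PTR name must also equal the name we asked about.
    Returns {ip: True/False}."""
    verdict = {}
    for ip in forward.get(hostname, []):
        ok = False
        for name in reverse.get(ip, []):
            if strict and name.lower() != hostname.lower():
                continue
            if ip in forward.get(name, []):
                ok = True
        verdict[ip] = ok
    return verdict

def trusted_addresses(hostname, forward=FORWARD, reverse=REVERSE):
    """Addresses that survive the strict check, in resolver order."""
    return [ip for ip, ok in paranoid_check(hostname, forward, reverse, strict=True).items() if ok]

if __name__ == "__main__":
    print("literal:", paranoid_check("www.example.net", FORWARD, REVERSE))
    print("strict: ", paranoid_check("www.example.net", FORWARD, REVERSE, strict=True))
```

The literal procedure passes the poisoned 203.0.113.9 because its PTR resolves back to itself; the strict variant rejects it, but an attacker who controls the reverse zone for 203.0.113.9 could publish a PTR of www.example.net and pass that too, which is why the slide's signed answers (DNSsec) are the stronger countermeasure.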

114 Web Spoofing
- Web spoofing, phishing or carding use spoofed emails and fraudulent websites that trick innocent users into divulging private information such as usernames and passwords, credit card numbers, social security numbers, etc.

115 A typical web spoofing attack

116 Web Spoofing
- Web browsing goes through an intermediate attacker
- The attacker goes to the server, fetches the data and sends it back to the victim
- The attacker is able to monitor all traffic between the victim and the server
  - Including forms
  - Even secure connections!
  - Lost privacy
- Hard for an ordinary victim to notice anything wrong

117 How it works
- JavaScript and plug-ins
- Redirect all web traffic to the attacker's machine, including the links on the pages
- Initiated by visiting a malicious website

118 Countermeasures
- Check the "lock" button for a secure connection
  - Check if it is indeed the website you are visiting
- Check the status bar
  - Does it go somewhere strange?

