Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 6: Network Attacks II

Published byBryce Lindsey Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 6: Network Attacks II"— Presentation transcript:

1 Lecture 6: Network Attacks II
CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lectures by Keith Ross, and Gene Tsudik

2 Course Admin HW/Lab 1 HW/Lab 2 posted Lab sessions active this Friday
Graded Solution has been provided To be returned today HW/Lab 2 posted Covers Lecture 5 and 6 Due Oct 19 Lab sessions active this Friday

3 Course Admin Traveling again next week
At ACM CCS (we are presenting our paper there) in Denver, Co Guest lecture by TA and some of my PhD students Topic integral to the course Please attend. It is mandatory 

4 Lecture 6 - Network Attacks II
Outline Various forms of Network Attacks Sniffing Spoofing and Hijacking DoS/DDoS DNS Attacks Lecture 6 - Network Attacks II

5 Attacks & Hacker Tools Before talking about defenses,
need to look at network from attacker’s perspective Reconnaissance Network mapping Port scanning Sniffing IP address spoofing Session hijacking DoS DDoS Lecture 6 - Network Attacks II

6 Review of interconnection devices
Hubs Switches Routers Lecture 6 - Network Attacks II

7 Hubs Hubs are essentially physical-layer repeaters:
bits coming from one link go out all other links at the same rate no frame buffering no CSMA/CD at hub: adapters detect collisions provides net management functionality twisted pair hub Lecture 6 - Network Attacks II

8 Sniffing Attacker is inside firewall Grab and file away: Requirements
Attacker’s host connected to shared medium NIC should be in “promiscuous mode” processes all frames that come to NIC Sniffer has two components Capture Packet analysis Grab and file away: userids and passwords credit card numbers secret conversations Island hopping attack: Take over single machine (eg virus) Install sniffer, observe passwords, take over more machines, install sniffers Lecture 6 - Network Attacks II

9 Passive sniffing Easy to sniff: Popular sniffers 802.11 traffic
Ethernet traffic passing through a hub Any packets sent to hub is broadcast to all interfaces Not true for a switch Popular sniffers Wireshark tcpdump (for unix) Snort (sniffing and intrusion detection) Lecture 6 - Network Attacks II

10 Active Sniffing through a switch
How does attacker sniff packets sent to/from the victim? switch attacker victim Have to get victim’s packets to attacker! Lecture 6 - Network Attacks II

11 Sniffing through a switch: flooding switch memory approach
Host sends flood of frames with random source MAC addresses Switch’s forwarding table gets filled with bogus MAC addresses When “good packet arrives,” dest MAC address not in switch memory Switch broadcasts real packets to all links Sniff all the broadcast packets Lecture 6 - Network Attacks II

12 Sniffing through LAN: poison victim’s ARP table approach
Idea: have client’s traffic diverted to attacker (0) Sniff all frames that arrive. Configure so that IP packets arriving from victim are forwarded to default router attacker (1) Send fake ARP response, mapping router IP address to attacker’s MAC address (3) Packets are forwarded from attacker’s host to default router switch victim outside world (2) Victim sends traffic destined to outside world. Poisoned ARP table causes traffic to be sent to attacker default router for LAN Lecture 6 - Network Attacks II

13 Powerful sniffing tools
Dsniff and ettercap Flooding switch memory ARP poisoning Lecture 6 - Network Attacks II

14 Sniffing defenses Encrypt data: IPsec, SSL, PGP, SSH
Get rid of hubs: complete migration to switched network Use encryption for wireless Configure switches with MAC addresses Turn off self learning (knowing mappings between ports and MAC addresses) Eliminates flooding problem Intrusion detection systems: Lookout for large numbers of ARP replies Honeypot Create fake account and send password over network Identify attacker when it uses the password Lecture 6 - Network Attacks II

15 Attacks & Hacker Tools Before talking about defenses,
need to look at network from attacker’s perspective Reconnaissance Network mapping Port scanning Sniffing IP address spoofing Session hijacking DoS DDoS Lecture 6 - Network Attacks II

16 IP address spoofing (1) Attacker doesn’t want actions traced back
SA: DA: Attacker doesn’t want actions traced back Simply re-configure IP address in Windows or Unix. Or enter spoofed address in an application e.g., decoy packets with Nmap Lecture 6 - Network Attacks II

17 IP address spoofing (2) But attacker cannot interact with victim.
SA: DA: attacker victim SA: DA: But attacker cannot interact with victim. Unless attacker is on path between victim and spoofed address. Lecture 6 - Network Attacks II

18 IP spoofing with TCP? Can an attacker make a TCP connection to server with a spoofed IP address? Not easy: SYNACK and any subsequent packets sent to spoofed address. If attacker can guess initial sequence number, can attempt to send commands Send ACK with spoofed IP and correct seq #, say, one second after SYN But TCP uses random initial sequence numbers. Lecture 6 - Network Attacks II

19 Defense: Ingress and egress filtering
x Egress filtering x Ingress filtering Internet privately administered 222.22/16 Lecture 6 - Network Attacks II

20 Ingress Filtering: Upstream ISP (1)
12.12/24 BGP update: 12.12/24, 34.34/24 regional ISP 34.34/24 tier-1 ISP 56.56/24 BGP update: 56.56/24, 78.78/24 regional ISP 78.78/24 Lecture 6 - Network Attacks II

21 Ingress Filtering: Upstream ISP (2)
12.12/24 Filter all but 12.12/24 and 34.34/24 BGP update: 12.12/24, 34.34/24 34.34/24 Filter all but 56.56/24 and 78.78/24 56.56/24 BGP update: 56.56/24, 78.78/24 78.78/24 Lecture 6 - Network Attacks II

22 Ingress Filtering: Upstream ISP (3)
12.12/24 Filter all but 12.12/24 and 34.34/24 regional ISP x 34.34/24 tier-1 ISP Filter all but 56.56/24 and 78.78/24 56.56/24 regional ISP 78.78/24 Lecture 6 - Network Attacks II

23 Ingress Filtering: Upstream ISP (3)
12.12/24 Filter all but 12.12/24 and 34.34/24 spoofed packet gets through! regional ISP 34.34/24 tier-1 ISP Filter all but 56.56/24 and 78.78/24 56.56/24 regional ISP 78.78/24 Lecture 6 - Network Attacks II

24 Ingress filtering: summary
Effectiveness depends on widespread deployment at ISPs Deployment in upstream ISPs helps, but does not eliminate IP spoofing Filtering can impact router forwarding performance Even if universally deployed at access, hacker can still spoof another address in its access network 12.12/24 See RFC 2827 “Network Ingress Filtering: Defeating DDoS” Lecture 6 - Network Attacks II

25 Attacks & Hacker Tools Before talking about defenses,
need to look at network from attacker’s perspective Reconnaissance Network mapping Port scanning Sniffing IP address spoofing Session hijacking DoS DDoS Lecture 6 - Network Attacks II

26 Session hijacking Take control of one side of a TCP connection
Marriage of sniffing and spoofing Alice telnet “hi, I’m Alice” Alice Bob Attacker Lecture 6 - Network Attacks II

27 Session hijacking: The details
Attacker is on segment where traffic passes from Alice to Bob Attacker sniffs packets Sees TCP packets between Bob and Alice and their sequence numbers Attacker jumps in, sending TCP packets to Bob; source IP address = Alice’s IP address Bob now obeys commands sent by attacker, thinking they were sent by Alice Principal defense: encyrption + MAC Attacker does not have keys to encrypt/authenticate and insert meaningful traffic Lecture 6 - Network Attacks II

28 Session hijacking: limitation
2. to resync, Alice sends segment with correct seq # 1. weird ACK # for data never sent Bob Alice 3. “thanks bob” Bob is getting segments from attacker and Alice. Source IP address same, but seq #’s different. Bob likely drops connection. Attacker’s solution: Send unsolicited ARP replies to Alice and Bob with non-existent MAC addresses Overwrite IP-to-MAC ARP tables Alice’s segments will not reach Bob and vice-versa But attacker continues to hear Bob’s segments, communicates with Bob Attacker Lecture 6 - Network Attacks II

29 Session Hijacking Tools:
Hunt Provides ARP poisoning Netcat General purpose widget Very popular Lecture 6 - Network Attacks II

30 Denial-of-Service Prevent access by legitimate users or stop critical system processes Connection flooding attack Overwhelming connection queue with SYN flood Bandwidth flooding attack: Overwhelming communications link with packets Strength in flooding attack lies in volume rather than content Implementation Vulnerability attack: Send a few crafted messages to target app that has vulnerability Malicious messages called the “exploit” Remotely stopping or crashing services Lecture 6 - Network Attacks II

31 DoS and DDoS DoS: DDoS Good book: source of attack small # of nodes
source IP typically spoofed DDoS From thousands of nodes IP addresses often not spoofed Good book: Internet Denial of Service by J. Merkovic, D. Dittrich, P. Reiher, 2005 Lecture 6 - Network Attacks II

32 Interlude: IP datagram format
32 bits total datagram length (bytes) header length (bytes) head. len type of service ver length for fragmentation/ reassembly “type” of data fragment offset 16-bit identifier flgs max number remaining hops (decremented at each router) time to live upper layer Internet checksum 32 bit source IP address 32 bit destination IP address upper layer protocol to deliver payload to Options (if any) data (variable length, typically a TCP or UDP segment) Lecture 6 - Network Attacks II

33 IP Fragmentation and Reassembly
ID =x offset =0 fragflag length =4000 =1 =1500 =185 =370 =1040 One large datagram becomes several smaller datagrams Example 4000 byte datagram MTU = 1500 bytes 1480 bytes in data field Assume 20 bytes of header 4000 bytes = 20 bytes header bytes payload MTU = 1500 bytes = 20 bytes header bytes payload No of fragments = ceiling(3980/1480) = 3 First fragment = 1480 bytes payload  1500 bytes datagram (offset 0 specifies 1st fragment) Second fragment = 1480 bytes payload  1500 bytes datagram (offset 1480/8 = 185 specifies 2nd fragment) Third fragment = 1020 bytes payload  1040 bytes datagram (offset 1480*2/8 = 370 specifies 3rd fragment) Offset helps the receiver to order the fragments and reconstruct the full datagram offset = 1480/8 Lecture 6 - Network Attacks II

34 DoS: examples of vulnerability attacks see http://www. cert
Land: sends spoofed packet with source and dest address/port the same Ping of death: sends oversized ping packet Jolt2: sends a stream of fragments, none of which have offset of 0. Rebuilding consumes all processor capacity. Teardrop, Newtear, Bonk, Syndrop: tools send overlapping segments, that is, fragment offsets incorrect. Patches fix the problem, but malformed packet attacks continue to be discovered. Lecture 6 - Network Attacks II

35 LAND Local Area Network Denial
Spoofed SYN packet with source and destination both being the victim On receipt, victim’s machine keep on responding to itself in a loop Causes the victim to crash Many OSs are vulnerable, e.g., Windows 95, NT, XP SP2 Mac OS MacTCP Lecture 6 - Network Attacks II

36 Ping of Death ICMP Echo Request (Ping) is 56 bytes
If a ping message is more than bytes (max for IP packet), this can cause some machines to crash Older windows systems Solution: patch OS, filter out ICMP packets Lecture 6 - Network Attacks II

37 “Teardrop”, “Bonk” and kins
TCP/IP fragments contain Offset field Attacker sets Offset field to: overlapping values Bad/old implementation of TCP/IP stack crashes when attempting to re-assemble the fragments … or to very large values Target system crashes Solution: use up-to-date TCP/IP implementation

38 Connection flooding: Overwhelming connection queue w/ SYN flood
Recall client sends SYN packet with initial seq. number when initiating a connection. TCP on server machine allocates memory on its connection queue, to track the status of the new half-open connection. For each half-open connection, server waits for ACK segment, using a timeout that is often > 1 minute Attack: Send many SYN packets, filling connection queue with half-open connections. Can spoof source IP address! When connection queue is exhausted, no new connections can be initiated by legit users. Need to know of open port on victim’s machine: Port scanning. Lecture 6 - Network Attacks II

39 SYN Flooding Attack S SYNC1 Listening… Spawn a new thread,
store connection data SYNC2 SYNC3 … and more SYNC4 … and more … and more SYNC5 … and more … and more

40 SYN Flooding Explained
Attacker sends many connection requests (SYNs) with spoofed source addresses Victim allocates resources for each request New thread, connection state maintained until timeout Fixed bound on half-open connections Once resources exhausted, requests from legitimate clients are denied This is a classic denial of service attack Common pattern: it costs nothing to TCP client to send a connection request, but TCP server must spawn a thread for each request - asymmetry! What’s another example of this behavior?

41 SYN flood Issue amateur attack: attacker victim Alice
SYNs with Source IP = Alice attacker Connection queue freed up with RST segment SYN-ACKs victim RST Alice Expert attack: Use multiple source IP addresses, each from unresponsive addresses. Lecture 6 - Network Attacks II

42 Preventing Denial of Service (SYN Flood)
DoS is caused by asymmetric state allocation If server opens new state for each connection attempt, attacker can initiate many connections from bogus or forged IP addresses Cookies allow server to remain stateless until client produces: Server state (IP addresses and ports) stored in a cookie and originally sent to client When client responds, cookie is verified

43 SYN flood defense: SYN cookies (1)
SYN with ISNA SYN-ACK with ISNB= cookie Host A Host B When SYN segment arrives, host B calculates function (hash) based on: Source and destination IP addresses and port numbers, and a secret number Host B uses resulting “cookie” for its initial seq # (ISN) in SYNACK Host B does not allocate anything to half-open connection: Does not remember A’s ISN Does not remember cookie Lecture 6 - Network Attacks II

44 SYN Cookies (2) C S [Bernstein and Schenk] SYNC SYNS, ACKC
Listening… Does not store state Compatible with standard TCP; simply a “weird” sequence number scheme SYNS, ACKC sequence # = cookie Cookie must be unforgeable and tamper-proof (why?) Client should not be able to invert a cookie (why?) F(source addr, source port, dest addr, dest port, coarse time, server secret) F=Rijndael or crypto hash ACKS(cookie) Recompute cookie, compare with with the one received, only establish connection if they match More info:

45 SYN cookies (3) If SYN is legitimate Host A returns ACK
Host B computes same function, verifies function = ACK # in ACK segment Host B creates socket for connection Legit connection established without the need for half-open connections If SYN-flood attack with spoofed IP address No ACK comes back to B for connection. No problem: B is not waiting for an ACK What if Host A sends only ACK (no SYN)? Will host B establish a connection? Lecture 6 - Network Attacks II

46 Overwhelming link bandwidth with packets
Attack traffic can be made similar to legitimate traffic, hindering detection. Flow of traffic must consume target’s bandwidth resources. Attacker needs to engage more than one machine => DDoS May be easier to get target to fill-up its upstream bandwidth: async access Example: attacking BitTorrent seeds Lecture 6 - Network Attacks II

47 Distributed DoS: DDos Attacker takes over many machines,
called “bots”. Potential bots are machines with vulnerabilities. bot bot attacker Internet victim bot bot processes wait for command from attacker to flood a target bot Lecture 6 - Network Attacks II

48 DDoS: Reflection attack
DNS server request reply request DNS server reply request attacker reply victim DNS server request reply Source IP = victim’s IP DNS server Lecture 6 - Network Attacks II

49 “Smurf” Attack victim router
Looks like a legitimate “Are you alive?” ping request from the victim Stream of ping replies overwhelms victim 1 ICMP Echo Req Src: victim’s address Dest: broadcast address victim router Every host on the network generates a ping reply (ICMP Echo Reply) to victim Solution: reject external packets to broadcast addresses

50 DDoS: Reflection attack
Spoof source IP address = victim’s IP Goal: generate lengthy or numerous replies for short requests: amplification Without amplification: would it make sense? January 2001 attack: requests for large DNS record generated Mbps of traffic Reflection attack can be also be done with Web and other services Lecture 6 - Network Attacks II

51 DDoS Defenses CAPTCHAs Signature and anomaly detection and filtering
Rate limiting Limit # of packets sent from source to dest CAPTCHAs Could be useful against application level attacks (e.g., against web servers) Don’t let your systems become bots Keep systems patched up Employ egress anti-spoof filtering on external router. Filter dangerous packets Vulnerability attacks Intrusion prevention systems Lecture 6 - Network Attacks II

52 DNS attacks Reflector attack: already discussed Denying DNS service
Leverage DNS for attacks on arbitrary targets Denying DNS service Stop DNS root servers Stop top-level-domain servers (e.g. .com domain) Stop local (default name servers) Use fake DNS replies to redirect user Poisoning DNS: Insert false resource records into various DNS caches False records contain IP addresses operated by attackers Lecture 6 - Network Attacks II

53 DNS attack: redirecting
network attacker client local DNS server hub or WiFi 1 2 Issues: Must spoof IP address: set to local DNS server (easy) Must match reply ID with request ID (easy) May need to stop reply from the local DNS server (harder) Client sends DNS query to its local DNS server; sniffed by attacker Attacker responds with bogus DNS reply Lecture 6 - Network Attacks II

54 Poisoning DNS Cache (1) Poisoning: Attempt to put bogus records into DNS name server caches Bogus records could point to attacker nodes Attacker nodes could phish But unsolicited replies are not accepted at a name server. Name servers use IDs in DNS messages to match replies to queries So can’t just insert a record into a name server by sending a DNS reply message. But can send a reply to a request. Lecture 6 - Network Attacks II

55 Poisoning local DNS server (2)
Server (eg, Berkeley) Attacker in Australia: 1. DNS query uab.edu=? 3. DNS reply uab.edu= 2. iterative DNS queries authoritative DNS for uab.edu Goal: Put bogus IP address for uab.edu in local Berkeley DNS server 1) Attacker queries local DNS server 2) Local DNS makes iterative queries 3) Attacker waits for some time; sends a bogus reply, spoofing authoritative server for uab.edu. Lecture 6 - Network Attacks II

56 Poisoning local DNS server (3)
authoritative DNS for uab.edu 1. DNS query uab.edu=? Poisoned local DNS server (eg, Berkeley) 2. DNS query uab.edu=? Attacker in Australia DNS response can provide IP address of malicious server! Lecture 6 - Network Attacks II

57 DNS Poisoning (4) Issues:
Attacker may need to stop upstream name server from responding So that server under attack doesn’t get suspicious Ping of death, DoS, overflows, etc Lecture 6 - Network Attacks II

58 DNS attacks: Summary DNS is a critical component of the Internet infrastructure But is surprisingly robust: DDoS attacks against root servers have been largely unsuccessful Poisoning and redirection attacks are difficult unless you can sniff DNS requests And even so, may need to stop DNS servers from replying DNS can be leveraged for reflection attacks against non-DNS nodes Lecture 6 - Network Attacks II

Download ppt "Lecture 6: Network Attacks II"

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
4: Network Layer4a-1 IP Addressing: introduction r IP address: 32-bit identifier for host, router interface r interface: connection between host, router.

4: Network Layer4a-1 IP Addressing: introduction r IP address: 32-bit identifier for host, router interface r interface: connection between host, router.
Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.

Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Slide 1 Vitaly Shmatikov CS 378 Attacks on TCP/IP.

Slide 1 Vitaly Shmatikov CS 378 Attacks on TCP/IP.
Chapter 5 The Network Layer.

Chapter 5 The Network Layer.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
11- IP Network Layer4-1. Network Layer4-2 The Internet Network layer forwarding table Host, router network layer functions: Routing protocols path selection.

11- IP Network Layer4-1. Network Layer4-2 The Internet Network layer forwarding table Host, router network layer functions: Routing protocols path selection.
8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.

8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Slide 1 Isaac Ghansah Attacks on TCP/IP. slide 2 Internet Infrastructure local network Internet service provider (ISP) backbone ISP local network uTCP/IP.

Slide 1 Isaac Ghansah Attacks on TCP/IP. slide 2 Internet Infrastructure local network Internet service provider (ISP) backbone ISP local network uTCP/IP.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
TCP/IP Basics A review for firewall configuration.

TCP/IP Basics A review for firewall configuration.
Network Layer4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side,

Network Layer4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side,
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Similar presentations

Ads by Google