Hands-On Network Security: Practical Tools & Methods (cja/HNS12/lectures/netsec-03-slides.pdf)

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012

Transcript of Hands-On Network Security: Practical Tools & Methods (cja/HNS12/lectures/netsec-03-slides.pdf)

Page 1:

Hands-On Network Security: Practical Tools & Methods

Security Training Course

Dr. Charles J. Antonelli The University of Michigan

2012

Page 2:

Hands-On Network Security

Module 3 Network Protocol Attacks

Page 3:

Roadmap

•  Network security
   –  The basic objectives: CIA
   –  Vulnerabilities and defenses for layers 1 - 4

04/12 3 cja 2012

Page 4:

Some notes

•  Focus on IPv4 and Ethernet
   –  IP is the dominant network protocol
   –  IPv6 not yet widely deployed
   –  Ethernet is ubiquitous

•  The basic principles apply to other protocols and other media
   –  As always, the devil is in the details…


Page 5:

You are here…

•  Network security
   –  The basic objectives: CIA
   –  Vulnerabilities and defenses for layers 1 - 4


Page 6:

Network Security: CIA

•  Confidentiality
   –  No eavesdropping
   –  No mis-directed traffic

•  Integrity
   –  What’s received = What’s sent

•  Availability
   –  The network should never go down
   –  Networks should always be fast enough


Page 7:

Availability: Layer 0

•  Never forget the physical environment
   –  Fire
   –  Lightning
   –  Flood
   –  Power failures
   –  Backhoe events
   –  Vandalism
   –  HVAC failure
   –  Etc…


Page 8:

You are here…

•  Network security
   –  The basic objectives: CIA
   –  Vulnerabilities and defenses for layers 1 - 4


Page 9:

Layer 1 CIA issues

•  Confidentiality I
   –  RF is almost always interceptable
      –  Ex: the Pringles can antenna (Instructions)
      –  Ex: 60 GHz point-to-point radio
   –  Copper is sometimes tappable
      –  Difficulty increases with frequency (to a point)
      –  Equipment isn’t a commodity item
   –  Fiber is hard to tap
      –  Essentially no leakage radiation


Page 10:

Layer 1 CIA issues

•  Confidentiality II
   –  Electronics are the weak spot
      –  Hubs simply rebroadcast what comes in
      –  Many switches have an “eavesdrop” mode
      –  Some switches have “remote eavesdrop” mode
   –  Administrative access to equipment must be controlled
   –  Physical access to equipment must be controlled


Page 11:

Layer 1 CIA issues

•  Integrity
   –  RF is subject to fading and interference
      –  High noise => high BER (bit error rate)
      –  Ex: AA to DBRN microwave link
      –  Ex: RFID jamming (Instructions)
   –  Cables are usually reliable but…
      –  Attenuation leads to low S/N => high BER
      –  Bad termination leads to reflections
   –  Vendors usually get the electronics right


Page 12:

Layer 1 CIA issues

•  Availability
   –  Same issues as “Layer 0”
      –  Acts of [malevolent] deities
      –  Acts of malevolent people
      –  Acts of the merely ignorant…


Page 13:

Example: Rogue CCS server

•  We detected a DDoS attack against a central campus CCS address
•  CCS had no machine at that IP address
•  ARP data gave us a MAC address
•  Switch in the Union said MAC address was in West Quad
•  Switch in West Quad said MAC address was in the Union


Page 14:

Example: Rogue CCS server

•  On further investigation, we found:
   –  New switch in comm closet in West Quad
      –  Patched into fiber between Union and WQ
   –  Rack-mounted server connected to the switch
   –  Many GB of Warez, photos of unclad persons, music, movies, etc.
   –  Examination of traffic logs found that it had been in service for ca. 6 months
   –  The good news: no sniffer was running (we think…)

Page 15:

Layer 2 vulnerabilities

•  Broadcast storms
•  ARP/CAM lifetime mismatch
•  ARP spoofing/Gateway spoofing
•  MAC spoofing/CAM flooding
•  VLAN hopping
•  Spanning Tree attacks
•  DHCP attacks


Page 16:

Broadcast storms

•  A loop in a LAN can be created accidentally or deliberately
•  Broadcast messages travel around the loop at wire speed
•  => Entire LAN is flooded with broadcasts
•  Solutions:
   –  Spanning tree to eliminate loops


Page 17:

ARP/CAM lifetime mismatch

•  High-volume UDP stream inbound to valid IP
•  Target goes off-line but source keeps sending
•  Switch CAM table times out in 5 minutes, router’s ARP cache times out in 4 hours
•  => Switch floods traffic out all ports
•  Solutions:
   –  Adjust CAM lifetime to match ARP (everywhere!)
   –  Reduce ARP lifetime to match CAM
      –  Can cause high router CPU load from excessive ARPing


Page 18:

ARP/gateway spoofing

•  Good guy ARPs for default gateway
•  Bad guy replies faster than router
•  Bad guy sends gratuitous ARP to router
•  => Good guy’s external traffic all passes through Bad guy’s machine
•  Solutions:
   –  Static ARP and ARP monitoring
   –  “Private VLANs” (maybe)


Page 19:

MAC spoofing/CAM flooding

•  Bad guy floods net with random bogus source MAC addresses (uni- or broadcast)
•  Switch CAM tables fill up and overflow
•  => All traffic gets flooded out all ports
•  Solutions:
   –  Static CAM entries (sometimes)
   –  Switch “port security” & broadcast control
   –  SNMP trap on CAM overflow
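The "ARP monitoring" mitigation on the gateway-spoofing slide and the CAM-overflow detection on this slide share the same passive vantage point, so here is one added example (not course material) that does both over a constructed stream of frame events. The gateway IP/MAC binding, port names, thresholds and event timestamps are all assumed values.

```python
from collections import defaultdict, deque

# Known-good binding for the default gateway (constructed values, not from the slides).
GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "00:11:22:33:44:01"
MAC_PER_PORT_LIMIT = 8      # more distinct source MACs than this behind one edge port
WINDOW_SECONDS = 10.0       # ...within this sliding window is implausible for a host port


class L2Monitor:
    """Passive monitor for the two attacks above: gateway ARP spoofing (an ARP claiming the
    gateway IP from a foreign MAC, which 'ARP monitoring' is meant to catch) and CAM
    flooding (an implausible number of source MACs behind a single port)."""

    def __init__(self):
        self.port_macs = defaultdict(deque)   # port -> deque of (timestamp, src_mac)
        self.flagged_ports = set()            # alert once per port, not once per frame
        self.alerts = []

    def observe(self, ts, port, src_mac, arp=None):
        """One frame. arp is None for non-ARP frames, else (opcode, sender_ip, sender_mac)."""
        q = self.port_macs[port]
        q.append((ts, src_mac.lower()))
        while q and ts - q[0][0] > WINDOW_SECONDS:   # slide the window forward
            q.popleft()
        distinct = {mac for _, mac in q}
        if len(distinct) > MAC_PER_PORT_LIMIT and port not in self.flagged_ports:
            self.flagged_ports.add(port)
            self.alerts.append(("cam_flood", port, len(distinct)))
        if arp is not None:
            _opcode, sender_ip, sender_mac = arp
            # Reply or gratuitous ARP: any claim of the gateway IP from a foreign MAC matters.
            if sender_ip == GATEWAY_IP and sender_mac.lower() != GATEWAY_MAC:
                self.alerts.append(("gateway_spoof", port, sender_mac.lower()))
        return self.alerts


def run_sample():
    """Replay constructed events: a legitimate gateway ARP on port Gi1/0/3, one spoofed
    gateway reply from port Gi1/0/7, then a burst of random source MACs from that port."""
    mon = L2Monitor()
    mon.observe(0.0, "Gi1/0/3", GATEWAY_MAC, arp=(2, GATEWAY_IP, GATEWAY_MAC))
    mon.observe(0.5, "Gi1/0/7", "02:de:ad:be:ef:01", arp=(2, GATEWAY_IP, "02:de:ad:be:ef:01"))
    for i in range(12):
        mon.observe(1.0 + i * 0.1, "Gi1/0/7", f"02:00:00:00:00:{i:02x}")
    return mon.alerts
```

A real deployment would feed this from a SPAN port or the switch's own MAC-move and ARP inspection logs; the threshold is a starting point to tune per port role.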


Page 20:

VLAN hopping I

•  Frames on trunks have 802.1q VLAN tags
•  Switches strip tags on incoming frames
•  Bad guy pretends to be switch and sets up trunking to his machine
•  => Bad guy has access to all VLANs
•  Solutions:
   –  Turn off dynamic trunking protocol
   –  Limit trunks to required VLANs only


Page 21:

VLAN hopping II

•  Bad guy generates frames with multiple 802.1q headers (multiple encapsulation)
•  Switch only strips one header on ingress
•  => Bad guy can send to another VLAN
•  Solutions:
   –  This only works if trunk “native” VLAN is a user VLAN, so use a dedicated native VLAN.
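To make the "switch only strips one header" point concrete, here is an added example (not from the course) that parses stacked 802.1Q tags, models a single-tag pop, and applies the defender's check that follows from the slide: an edge-port frame whose outer tag equals the trunk's native VLAN. The sample frame bytes, VLAN IDs and MAC addresses are constructed.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q C-tag and 802.1ad S-tag (QinQ) tag protocol identifiers


def parse_vlan_tags(frame: bytes):
    """Walk the Ethernet header and every stacked VLAN tag.
    Returns (dst_mac, src_mac, [outer_vid, ..., inner_vid], inner_ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    offset, vlans = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame while reading ethertype")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TPIDS:
            return dst, src, vlans, ethertype, frame[offset:]
        # Tag Control Information: 3-bit PCP, 1-bit DEI, 12-bit VLAN ID
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vlans.append(tci & 0x0FFF)


def pop_one_tag(frame: bytes) -> bytes:
    """Model the ingress behaviour the slide describes: the switch removes exactly one
    (outer) tag and forwards the rest, so a second, inner tag survives untouched."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    return frame[:12] + frame[16:] if ethertype in TPIDS else frame


def inspect_frame(frame: bytes, native_vlan: int):
    """Defender-side check for an edge port: more than one tag, with the outer VID equal
    to the trunk's native VLAN, is the double-tagging pattern. With a dedicated native
    VLAN that user traffic never carries, the outer tag cannot match and the check is quiet."""
    vlans = parse_vlan_tags(frame)[2]
    after_pop = parse_vlan_tags(pop_one_tag(frame))[2]
    return {"tags": vlans, "tags_after_one_pop": after_pop,
            "double_tagged_via_native": len(vlans) > 1 and vlans[0] == native_vlan}


# Constructed sample frame (not captured traffic): broadcast dst, locally administered src,
# outer tag VID 1, inner tag VID 20, then an IPv4 ethertype and a 4-byte dummy payload.
SAMPLE_DOUBLE_TAGGED = (
    bytes.fromhex("ffffffffffff") + bytes.fromhex("0200deadbeef")
    + struct.pack("!HH", 0x8100, 1) + struct.pack("!HH", 0x8100, 20)
    + struct.pack("!H", 0x0800) + b"\x00\x00\x00\x00"
)
```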


Page 22:

Spanning tree attacks I

•  Bad guy sends lots of BPDU’s
•  => Switches keep recalculating, no traffic gets through
•  This also DoS’s the bad guy, unless he runs the attack remotely…


Page 23:

Spanning tree attacks II

•  Bad guy sends BPDU with priority 0
•  Switches make bad guy the root, or
•  Bad guy’s switch becomes the root
•  => Bad guy has access to VLAN traffic
•  => Traffic flow may be non-optimal (DoS)
•  Solutions:
   –  Shut down access ports with incoming root BPDUs


Page 24:

DHCP attacks

•  Bad guy floods net with DHCP requests
•  => DHCP server runs out of addresses
•  Bad guy runs rogue DHCP server
•  => Users get bogus addresses, or
•  => Users use Bad guy as default gateway


Page 25:

Layer 3/4 vulnerabilities

•  IP spoofing
•  Ping of Death and other buffer overflows
•  Smurfing
•  Zombies & Bots
•  ICMP/UDP flooding
•  TCP SYN flooding
•  Random target scans
•  Routing table attacks


Page 26:

IP Spoofing

•  Source address of IP traffic may not be the “real” address of the sender
   –  Some machines do have multiple addresses…
•  Often used with other forms of attack to mask the true location of the attacker
•  Local spoofing mitigated by router ingress ACLs on all LANs and/or RPF checks
•  Remote spoofing can be hard to stop…


Page 27:

Packets of Death, etc.

•  Cisco IOS crashes when ICMP packets are received with certain options set
•  Solaris crashes when SMTP traffic arrives with a multicast source IP address
•  Other buffer overflows can push random info (or crafted code) on CPU stack
   –  Modern buffer overflows usually designed to cause compromise rather than death


Page 28:

Smurfing

•  Send traffic to LAN directed broadcast address (with spoofed source address)
•  => All machines on LAN reply to the target
•  Solution:
   –  Turn off directed-broadcast forwarding
      –  Newer exploit - Use a bot to send local broadcasts with a spoofed source address


Page 29:

DNS Multiplication

•  Build bogus domain with large TXT records
•  Send requests with spoofed source address to DNS servers with open recursion turned on
•  All servers reply to the target; large records => fragmentation => hard to filter
•  Solution:
   –  Fix everyone else’s DNS servers…
   –  Turn off open recursion


Page 30:

Zombies and Bots

•  Use worms/viruses to install remote control software in many machines
   –  Typically communicating via rendezvous
   –  Commands may be embedded in ICMP, etc.
•  Add a few layers of indirection between the controller and the distribution medium
•  Result: millions of machines waiting to be told who, how and when to attack.
•  More on this later …


Page 31:

ICMP/UDP Flooding

•  Bombard the target with a one-way stream
•  Can be a single source
•  Can be multiple sources
•  Can be run from a bot net
•  Often use fragmented packets
   –  Harder to filter as frags have no port info
•  Solution:
   –  Monitor traffic for high-volume flows


Page 32:

TCP SYN flooding

•  TCP’s three-way handshake:
   –  A: SYN -> B (I’d like to talk)
   –  B: SYN-ACK -> A (I’m willing to talk)
   –  A: ACK -> B (OK, let’s talk!)

•  TCP half-ack:
   –  A: SYN -> B (I’d like to talk)
   –  B: SYN-ACK -> A (I’m willing to talk)
   –  A: [silence] (Are we talking?)

•  Solution
   –  Limit # buffers in half-open state
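The handshake and the "limit # buffers in half-open state" mitigation can be seen end to end in a small model of a listening socket's queues. This is an added illustration, not course code or a real TCP stack; the backlog size, timeout, addresses and timings are assumed values.

```python
from collections import OrderedDict


class Listener:
    """Minimal model of a listening socket: a SYN creates a half-open entry (we have sent
    SYN-ACK and wait for the ACK), the matching ACK promotes it to established, the
    half-open table is bounded by max_half_open, and stale entries are reaped."""

    def __init__(self, max_half_open=4, syn_timeout=3.0):
        self.max_half_open = max_half_open
        self.syn_timeout = syn_timeout
        self.half_open = OrderedDict()   # (src_ip, src_port) -> time the SYN-ACK was sent
        self.established = set()
        self.dropped_syns = 0

    def _reap(self, now):
        for key, t in list(self.half_open.items()):
            if now - t > self.syn_timeout:   # peer never answered: free the buffer
                del self.half_open[key]

    def on_syn(self, now, src):
        self._reap(now)
        if len(self.half_open) >= self.max_half_open:
            self.dropped_syns += 1           # no buffer left: new clients see a dead service
            return "dropped"
        self.half_open[src] = now            # SYN-ACK goes out; wait for the ACK
        return "syn-ack"

    def on_ack(self, now, src):
        self._reap(now)
        if src not in self.half_open:
            return "no-state"                # ACK for a connection we never offered
        del self.half_open[src]
        self.established.add(src)
        return "established"


def simulate():
    """Constructed scenario: six SYNs whose ACKs never arrive (the half-ack pattern on the
    slide), then a real client during the flood and again after the timeout has reaped.
    Returns (during-flood result, after-timeout result, ACK result, SYNs dropped)."""
    lsn = Listener(max_half_open=4, syn_timeout=3.0)
    for i in range(6):
        lsn.on_syn(0.0 + i * 0.01, ("198.51.100.%d" % i, 40000 + i))
    during = lsn.on_syn(0.5, ("10.0.0.42", 51000))   # table full: dropped
    after = lsn.on_syn(5.0, ("10.0.0.42", 51000))    # stale entries reaped: accepted
    done = lsn.on_ack(5.1, ("10.0.0.42", 51000))
    return during, after, done, lsn.dropped_syns
```

The run shows the trade-off behind the slide's mitigation: the cap keeps the half-open table from exhausting memory, but while the flood lasts it is the legitimate client whose SYN is dropped, so the cap is paired with a short timeout in practice.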


Page 33:

Random target scans

•  If destination is unknown, router must ARP
   –  => Worm causes router CPU meltdown
•  If destinations are in multicast space then MSDP entry is needed for each source
   –  => Worm causes router CPU meltdown
•  Networks come on/off line due to attack
   –  => Routing table thrashing causes CPU meltdown

Page 34:

“Market Research” - MitM

•  Victim installs “Web acceleration” SW
   –  Redirects all web traffic through MitM’s proxy/cache servers
•  Proxy servers also proxy SSL traffic
   –  Don’t you always accept unknown certs?
•  => “Secure” traffic gets logged by MitM
   –  Didn’t you read the fine print in the license?


Page 35:

Routing attacks

•  Bad guy injects bogus routes into IGP
   –  => DoS, or traffic passing through bad guy
•  Bad guy injects bogus routes into EGP
   –  => Campus/company/country black-holed
•  Bad guy engages in sub-prefix hijacking
   –  => Traffic passes through bad guy
•  Bad guy sends malformed IGP/EGP traffic
   –  => Buffer overflow crashes routing process
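Both the "RPF checks" mitigation from the IP spoofing slide and the sub-prefix hijack on this slide come down to longest-prefix matching, so one added example (not course code) covers both: a strict unicast RPF check against a small forwarding table, and an audit of BGP announcements against an expected-origin table that also shows why a more-specific hijack wins. All prefixes, interface names and AS numbers are constructed.

```python
import ipaddress


def longest_prefix_match(table, addr):
    """table: iterable of (prefix_str, value). Returns (network, value) for the most
    specific prefix containing addr, or None when nothing matches."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, value in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best


# Slide 26: strict unicast RPF against a constructed FIB (prefix -> egress interface).
FIB = [("10.1.0.0/16", "Gi0/1"), ("10.2.0.0/16", "Gi0/2"), ("0.0.0.0/0", "Gi0/0")]


def urpf_strict(src_ip, ingress_iface, fib=FIB):
    """Accept a packet only if the best route back to its source leaves via the interface
    it arrived on. The default route is deliberately not trusted here, so nothing arriving
    from the upstream can be verified: the 'remote spoofing is hard to stop' case."""
    best = longest_prefix_match(fib, src_ip)
    if best is None or best[0].prefixlen == 0:
        return False
    return best[1] == ingress_iface


# Slide 35: sub-prefix hijack detection against a constructed expected-origin table.
EXPECTED = [("203.0.113.0/24", 64500), ("198.51.100.0/24", 64501)]


def classify_announcement(prefix, origin_as, expected=EXPECTED):
    """Returns 'valid', 'origin_mismatch', 'subprefix_hijack' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    for exp_prefix, exp_as in expected:
        exp_net = ipaddress.ip_network(exp_prefix)
        if net == exp_net:
            return "valid" if origin_as == exp_as else "origin_mismatch"
        if net.subnet_of(exp_net):   # a more-specific of a prefix we know the owner of
            return "valid" if origin_as == exp_as else "subprefix_hijack"
    return "unknown"


def origin_for(rib, dst):
    """Which origin AS actually attracts traffic for dst under longest-prefix match:
    the hijacked /25 wins for its half of the /24 even though the /24 is still announced."""
    best = longest_prefix_match(rib, dst)
    return best[1] if best else None


# Constructed RIB snapshot: the legitimate /24 plus a more-specific /25 from a foreign AS.
SAMPLE_RIB = [("203.0.113.0/24", 64500), ("203.0.113.0/25", 64666), ("192.0.2.0/24", 64502)]
```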


Page 36:

Router attacks

•  SNMP Vulnerabilities
   –  Network equipment may have “hidden” R/W SNMP communities
   –  Routers (and many other devices) crash when SNMP request with multiple OIDs is received
•  Saturation attacks
   –  ARP overload from random traffic
   –  telnet/ssh scanning
   –  Cache thrashing from random traffic
   –  Broadcast storms


Page 37:

[Diagram: campus network segmentation. Labels: Backbone; Open VLAN, Protected VLAN, Secure VLAN; Research Collaboration, Servers, Administrative Staff; Virtual Firewall]


Page 38:

Some UMnet tools

•  UMnet Network Information database
   –  https://netinfo.umnet.umich.edu/
•  UMnet Backbone page
   –  http://www.itcom.itd.umich.edu/backbone/umnet/
•  Umnet Cricket Graphs
   –  https://nettools.umnet.umich.edu/cricket-um/grapher.cgi
•  UMnet Intermapper server
   –  http://intermapper.umnet.umich.edu/~admin/map_screen.html


Page 39:

Some Useful References

•  Cisco Internetworking Technology Handbook
   –  http://www.cisco.com/en/US/docs/internetworking/technology/handbook/ito_doc.html
•  Cisco Internetwork Design Guide
   –  http://docwiki.cisco.com/wiki/Internetwork_Design_Guide
