Network Defense COEN 250

Transcript of Network Defense

Page 1: Network Defense

Network Defense

COEN 250

Page 2: Network Defense

Network Protocols: Layering

Complexity of networking leads to layered architectures. The TCP/IP stack has four layers; OSI has seven.

Page 3: Network Defense

Network Protocols: Layering

Page 4: Network Defense

Network Protocols: Layering

Each layer adds its own header: application data is wrapped by a TCP header, then an IP header, then a link-layer header (Application | TCP | IP | Link).

Page 5: Network Defense

Data Link Layer

Sits on top of the physical layer, which provides:
- Hardware specification
- Encoding and signaling
- Data transmission and reception
- Topology and physical network design

Example data link layers: Ethernet, Token Ring, FDDI, Wi-Fi (802.11).

Divided into two sublayers: Logical Link Control (LLC) and Media Access Control (MAC).

Page 6: Network Defense

Link Layer Address Resolution: Network Interface Cards (NIC)

Each NIC has a Medium Access Control (MAC) address that is meant to be unique. It is now typically changeable in software, in order to accommodate device replacement where authentication is based on the MAC address. The same property makes MAC-based authentication trivial to spoof.

Format: 48 bits, written as twelve hex digits (six bytes). The first three bytes (first six hex digits) identify the vendor (the OUI); the last three bytes are a vendor-assigned serial number.

NICs either accept only frames addressed to their own MAC (plus broadcast and subscribed multicast) or run in promiscuous mode and capture every frame on the segment.

Page 7: Network Defense

Link Layer Address Resolution

Address Resolution Protocol (ARP) Resolves IP addresses to MAC addresses RFC 826

Page 8: Network Defense

Link Layer: ARP Resolution Protocol

Assume node A with IP address 10.10.10.100 and MAC 00:01:02:03:04:05 wants to talk to IP address 10.10.10.101.

A sends out a broadcast who-has request (source MAC; destination MAC; frame length; ARP payload):
00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42; who-has 10.10.10.101

All devices on the link receive the broadcast frame and hand it to their ARP module (ARP sits beside IP on the link layer; the request never reaches the IP layer).

10.10.10.101 is the only one to answer, with a unicast reply:
a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply 10.10.10.101 is-at a0:a0:a0:a0:a0:a0

A caches the value in its ARP cache. Nothing in the exchange authenticates the reply; any host on the link can answer, which is the basis of ARP spoofing.

Page 9: Network Defense

Link Layer: ARP Resolution Protocol

ARP requests:

Page 10: Network Defense

Link Layer: ARP Resolution Protocol

Page 11: Network Defense

Link Layer Intrusion Detection

Network monitoring tools such as Argus or Ethereal (now Wireshark) log MAC addresses.

Page 12: Network Defense

Link Layer Forensics

Example: A spike in network traffic comes from a computer with a certain IP address. However, Argus logs reveal that the traffic comes from a computer with a different MAC than the computer assigned that IP (spoofing). Finally, intrusion response finds the computer with that MAC: a Linux laptop that has been compromised and is being used for a denial-of-service attack.

Page 13: Network Defense

Link Layer Intrusion Detection

The ARP cache can be viewed on Windows NT/2000/XP (and on later Windows versions and most Unix-like systems) with the arp -a command.

Page 14: Network Defense

Link Layer Intrusion Detection

Some organizations log ARP information. Routers keep ARP tables (on Cisco IOS: show ip arp). All hosts keep ARP tables. DHCP servers often assign addresses only to computers with a known MAC.

Page 15: Network Defense

Link Layer Intrusion Detection

An employee received harassing e-mail from a host on the employer's network with IP address 192.168.1.65. The DHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c. This MAC belonged to a network printer.

The router's ARP table showed that the IP address 192.168.1.65 was used by a computer with MAC 00:30:65:4b:2a:5c (IP spoofing). Although this MAC was not on the organization's list, there were only a few Apple computers on the network and the culprit was soon found.

Page 16: Network Defense

Link Layer Intrusion Detection

Analyze and filter log files:
- Keyword searches, e.g. for USER, PASS, login, nicknames, channel names
- Filters
- Reconstruction, e.g. the contents of a web-mail inbox

Page 17: Network Defense

Link Layer Intrusion Detection: NetIntercept screenshot

An example of a commercial network forensics / network intrusion detection tool that reveals link layer evidence.

Page 18: Network Defense

ARP Packet

RFC 826 ARP packet (byte offsets):
0-1: Hardware type (0x0001 = Ethernet)
2-3: Protocol type (0x0800 = IP)
4: Length of hardware address in bytes (6 for MAC)
5: Length of protocol address in bytes (4 for IPv4)
6-7: Opcode (1 = ARP request, 2 = ARP reply)
8-13: Sender MAC
14-17: Sender IP
18-23: Target MAC
24-27: Target IP

Page 19: Network Defense

ARP Packet

Ethereal (now Wireshark) dissection of an ARP packet

Page 20: Network Defense

Monitoring Tools

arpwatch monitors Ethernet activity and keeps a database of Ethernet/IP address pairings; it reports new stations and pairings that change.
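The following is an added example, not code from the slides: a builder and parser for the 28-byte RFC 826 packet laid out on the ARP Packet slide, plus an arpwatch-style watcher that keeps sender IP-to-MAC pairings and reports when an IP is suddenly claimed by a different MAC. The packets fed to it are constructed (the A / 10.10.10.101 exchange from the slides followed by one spoofed reply from an invented MAC).

```python
"""RFC 826 ARP packet parser/builder with an arpwatch-style pairing check.

Added example for the COEN 250 slides, not code from the deck. Offsets follow
the 28-byte layout on the ARP packet slide; sample packets are constructed
below (the A/10.10.10.101 exchange from the slides plus one spoofed reply).
"""
import struct

# htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)          # 28 bytes
OP_REQUEST, OP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def oui(mac):
    """First three bytes of a MAC: the vendor's OUI."""
    return mac[:8]


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, 0x0001, 0x0800, 6, 4, opcode,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(pkt):
    if len(pkt) < ARP_LEN:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, pkt[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (0x0001, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unexpected opcode {op}")
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpWatcher:
    """Remember sender IP -> MAC pairings; report new stations and changes.

    A change for an IP that was already paired is what arpwatch reports as
    'changed ethernet address': the signature of ARP spoofing, or of a
    legitimate NIC replacement that the analyst has to rule out.
    """

    def __init__(self):
        self.pairings = {}
        self.alerts = []

    def observe(self, pkt):
        arp = parse_arp(pkt)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip == "0.0.0.0":                  # ARP probe: claims no binding
            return
        known = self.pairings.get(ip)
        if known is None:
            self.pairings[ip] = mac
            self.alerts.append(("new station", ip, mac))
        elif known != mac:
            self.alerts.append(("changed ethernet address", ip,
                                f"{known} -> {mac}"))
            self.pairings[ip] = mac


def demo():
    """Constructed traffic: the slide's who-has/is-at exchange, then a spoof."""
    w = ArpWatcher()
    w.observe(build_arp(OP_REQUEST, "00:01:02:03:04:05", "10.10.10.100",
                        "00:00:00:00:00:00", "10.10.10.101"))
    w.observe(build_arp(OP_REPLY, "a0:a0:a0:a0:a0:a0", "10.10.10.101",
                        "00:01:02:03:04:05", "10.10.10.100"))
    # a third NIC (invented MAC) now claims 10.10.10.101: ARP cache poisoning
    w.observe(build_arp(OP_REPLY, "de:ad:be:ef:00:01", "10.10.10.101",
                        "00:01:02:03:04:05", "10.10.10.100"))
    return w.alerts


if __name__ == "__main__":
    for alert in demo():
        print(*alert)
```

The watcher keys on the sender fields because those are what a receiver writes into its cache; a reply that was never requested (gratuitous ARP) is indistinguishable from a legitimate one at this layer, so the only signal is the changed pairing, and the response is to check whether a NIC was actually replaced.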

Page 21: Network Defense

Attacks on ARP

Packet generators exist for various OSes and allow an attacker to subvert a chosen protocol by creating arbitrary packets:
- hping2 (Windows, *NIX)
- packit (X Windows GUI): http://sourceforge.net/projects/packitgui/
- IP Sorcery
- and many, many more

Page 22: Network Defense

Attacks on ARP: Switch Flooding

Switches contain a switch address table (CAM table) that associates ports with MAC addresses.

Switch (MAC) flooding sends frames with many bogus source MACs and fills the table with false entries. Switches then fail in one of two modes:
- Fail open: the switch behaves like a hub and forwards frames for unknown destinations to all ports. This allows traffic through the switch to be monitored from any port.
- Fail closed: the switch stops functioning, a denial of service (DoS) attack.

Page 28: Network Defense

Attacks on ARP

http://www.watchguard.com/

Page 29: Network Defense

RARP (Reverse Address Resolution Protocol)

Used to allow diskless systems to obtain a static IP address. The system broadcasts a request for an IP address, identifying itself by its MAC address. The responder either uses DNS (name-to-Ethernet address) or looks up a MAC-to-IP table; the administrator needs to place that table on a gateway. A RARP daemon (rarpd) responds to RARP requests.

Page 30: Network Defense

RARP

RARP vulnerability: use RARP together with ARP spoofing to request an IP address and take part in communications over the network.

Page 31: Network Defense

RARP Packet

Packet format as in ARP (RFC 903), with its own opcodes:
0-1: Hardware type (0x0001 = Ethernet)
2-3: Protocol type (0x0800 = IP)
4: Length of hardware address in bytes (6 for MAC)
5: Length of protocol address in bytes (4 for IPv4)
6-7: Opcode (3 = RARP request, 4 = RARP reply)
8-13: Sender MAC
14-17: Sender IP
18-23: Target MAC
24-27: Target IP

Page 32: Network Defense

IP

Uses the IP addresses of source and destination. IP datagrams are moved from hop to hop. "Best effort" service: datagrams with a corrupted header are detected (header checksum) and dropped, nothing is retransmitted by IP itself.

Page 33: Network Defense

IP addresses identify hosts; an endpoint (socket address) is an IP address plus a port number. IPv4 addresses are 32 bits long; IPv6 addresses are 128 bits long (8 groups of 16 bits).

Page 34: Network Defense

DHCP: Dynamic Host Configuration Protocol

Evolved from the TCP/IP Boot Protocol (BOOTP), which solves the problem of diskless workstations. Boot process: first obtain an IP address, then download the OS etc.

The BOOTP client sends a broadcast to UDP port 67 (BOOTREQUEST). The BOOTP server listens on that port and replies to the client (UDP port 68) either by using the client's hardware address to create an ARP entry or by broadcasting. The client then downloads the OS (using e.g. TFTP).

Page 35: Network Defense

DHCP assigns addresses by:
- Manual allocation (just as BOOTP): single point of administration
- Automatic allocation: DHCP assigns an address to a given device automatically from a pool of addresses
- Dynamic allocation: DHCP assigns an address from a pool of addresses for the length of a lease

Addresses are reused and shared. Clients need to renew a lease periodically. If clients are rebooting but still have an active lease, they reconfirm their lease during reboot. If renewal fails, clients will rebind to any active DHCP server. Clients can release a DHCP-assigned IP address.

Page 36: Network Defense

DHCP Attacks: Denial of Service (address pool starvation)

The attacker sends DHCP requests with random MAC addresses, using up all IP addresses in the pool. Switches can limit the number of MAC addresses used on a given link (port security) and prevent this attack.

Page 37: Network Defense

DHCP Attacks: Man in the Middle Attack, Default Gateway

The attacker assigns DHCP addresses, either by disabling the legitimate DHCP server and then operating its own, or simply by running a faster DHCP server whose offer reaches the client first. The attacker specifies itself as the default gateway and so redirects the victim's traffic through itself.

Page 38: Network Defense

DHCP Attacks: Man in the Middle Attack, DNS Redirection

The attacker assigns DHCP addresses and specifies itself as the DNS server. It then redirects only traffic to selected IP addresses (banking, shopping, ...).
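Both man-in-the-middle variants above are visible in the server's reply: a rogue DHCP server has to put itself (or a host it controls) into the router or DNS-server option. The following added example, not from the slides, parses a BOOTP/DHCP reply (fixed header per RFC 2131, option TLVs per RFC 2132) and flags a DHCPOFFER or DHCPACK whose server identifier (option 54), router (option 3) or DNS server (option 6) is not the one the administrator expects. The expected values, the client MAC and both messages are constructed for the example.

```python
"""Rogue DHCP server detection from DHCPOFFER/DHCPACK messages.

Added example, not from the slides. It parses the BOOTP fixed header and
the DHCP option TLVs (RFC 2131/2132) and flags any server reply whose
server identifier (option 54), router (option 3) or DNS server (option 6)
differs from what the administrator expects. The expected values and both
sample messages are constructed.
"""
import struct

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie after the 236-byte BOOTP header
OPT_ROUTER, OPT_DNS, OPT_MSGTYPE, OPT_SERVER_ID, OPT_PAD, OPT_END = 3, 6, 53, 54, 0, 255
BOOTREPLY, DHCPOFFER, DHCPACK = 2, 2, 5


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_reply(xid, client_mac, yiaddr, server_id, router, dns, msgtype=DHCPOFFER):
    """Server reply: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
    siaddr, giaddr, chaddr (16), sname (64), file (128), then cookie + options."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", BOOTREPLY, 1, 6, 0, xid, 0, 0,
                      bytes(4), ip_bytes(yiaddr), ip_bytes(server_id), bytes(4),
                      client_mac.ljust(16, b"\x00"), bytes(64), bytes(128))
    opts = (bytes([OPT_MSGTYPE, 1, msgtype])
            + bytes([OPT_SERVER_ID, 4]) + ip_bytes(server_id)
            + bytes([OPT_ROUTER, 4]) + ip_bytes(router)
            + bytes([OPT_DNS, 4]) + ip_bytes(dns)
            + bytes([OPT_END]))
    return hdr + MAGIC + opts


def parse_dhcp(msg):
    if len(msg) < 240 or msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", msg[:8])
    options, i = {}, 240
    while i < len(msg):                      # walk the option TLVs
        tag = msg[i]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(msg):
            raise ValueError("truncated option")
        length = msg[i + 1]
        options[tag] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": ip_str(msg[16:20]),
            "chaddr": ":".join(f"{b:02x}" for b in msg[28:28 + hlen]),
            "options": options}


def check_reply(msg, expected):
    """Reasons a DHCPOFFER/DHCPACK looks rogue; [] if it matches expectations."""
    d = parse_dhcp(msg)
    if d["op"] != BOOTREPLY:
        return ["not a server reply"]
    msgtype = d["options"].get(OPT_MSGTYPE, b"\x00")[0]
    if msgtype not in (DHCPOFFER, DHCPACK):
        return []
    problems = []
    for tag, name in ((OPT_SERVER_ID, "server"), (OPT_ROUTER, "router"), (OPT_DNS, "dns")):
        raw = d["options"].get(tag)
        if raw is None:
            problems.append(f"no {name} option")
        elif ip_str(raw[:4]) != expected[name]:
            problems.append(f"{name} is {ip_str(raw[:4])}, expected {expected[name]}")
    return problems


# assumed: the legitimate server is also the gateway and resolver
EXPECTED = {"server": "192.168.1.1", "router": "192.168.1.1", "dns": "192.168.1.1"}
CLIENT_MAC = bytes.fromhex("000102030405")      # constructed


def demo():
    good = build_reply(0x1234, CLIENT_MAC, "192.168.1.65",
                       "192.168.1.1", "192.168.1.1", "192.168.1.1")
    rogue = build_reply(0x1234, CLIENT_MAC, "192.168.1.66",
                        "192.168.1.200", "192.168.1.200", "192.168.1.200")
    return check_reply(good, EXPECTED), check_reply(rogue, EXPECTED)
```

Run against a capture of UDP port 68 traffic, this is the detection half of the defense; the prevention half is the switch feature that only lets DHCP replies in on the port facing the real server (DHCP snooping).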

Page 39: Network Defense

IP: ICMP

Internet Control Message Protocol. Created to deal with non-transient problems, for example: fragmentation is necessary but the Don't Fragment flag is set; a UDP datagram is sent to a non-listening port; ping.

Used to check network connectivity before it became too useful for attack reconnaissance.

Does not use ports. Allows broadcasting. More on ICMP later.

Page 40: Network Defense

IP: ICMP

ICMP error messages should not be sent for any but the first fragment, or for a datagram whose source address is a broadcast or loopback address (such datagrams are probably malicious anyway). Otherwise ICMP messages could proliferate and throttle a network.

Page 41: Network Defense

IP: ICMP

ICMP errors are not sent:
- In response to an ICMP error message. Otherwise, craft a message with invalid UDP source and destination ports and watch the ICMP ping-pong.
- To a destination broadcast address. Don't answer with destination unreachable for a broadcast; otherwise, this makes it trivial to scan a network.

Page 42: Network Defense

Transport Layer: TCP and UDP

Transmission Control Protocol (TCP): reliable, connection-oriented, slow.

User Datagram Protocol (UDP): unreliable, connectionless, fast.

Page 43: Network Defense

TCP

Only supports unicast. Full-duplex connection. Sequence numbers detect lost or reordered segments.

Page 44: Network Defense

TCP: Three-Way Handshake

Initiator to responder: SYN, sequence number s
Responder to initiator: SYN, sequence number t; ACK s+1
Initiator to responder: ACK t+1

Sets up one full-duplex connection, i.e. two byte streams, with initial sequence numbers s and t (one per direction).

Page 45: Network Defense

TCP:Three Way Handshake

20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)

20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)

Reading the lines: S is the SYN flag; 2882650416 and 1012352000 are the initial sequence numbers s and t; ack is the acknowledgement number (the SYN-ACK acknowledges 2882650417 = s+1); win is the window, the number of bytes the sender of the segment will accept. After the handshake tcpdump prints relative sequence numbers, hence "ack 1" in the last line.

Page 46: Network Defense

TCP: Terminating Connections

Graceful shutdown:
Party 1 to Party 2: FIN
Party 2 to Party 1: ACK
Party 2 to Party 1: FIN
Party 1 to Party 2: ACK

Abrupt shutdown:
Party 1 to Party 2: RST

Page 47: Network Defense

TCP:Shutting down a connection

20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)

20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)

20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)

20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)

20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)

20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)

20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)

20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)
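The two tcpdump captures above (handshake and shutdown) are easy to follow by eye for one connection; for a whole capture a small state tracker does the same job and, as a side effect, exposes connections that never got past the SYN, the signature of a SYN flood or SYN scan. The following added example, not from the slides, parses the tcpdump line format shown above and follows each connection through SYN / SYN-ACK / ACK and FIN / ACK / FIN / ACK. The handshake and teardown lines are the slides' own captures; the SYN-flood lines (hosts 10.0.0.1 to 10.0.0.5) are constructed.

```python
"""Track TCP connection state from tcpdump lines.

Added example, not from the slides: it parses the tcpdump format shown on
the handshake and shutdown slides, follows each connection through
SYN / SYN-ACK / ACK and FIN / ACK / FIN / ACK, and reports connections
left half-open. The handshake and teardown lines are the slides' own
captures; the SYN-flood lines are constructed for the example.
"""
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?")


def parse_line(line):
    m = LINE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    for k in ("seq", "end", "len", "ack", "win"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


class ConnTracker:
    """One state per (endpoint, endpoint) pair, updated in capture order."""

    def __init__(self):
        self.state = {}
        self.fin_senders = defaultdict(set)

    @staticmethod
    def key(p):
        return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

    def feed(self, line):
        p = parse_line(line)
        if p is None:
            return None
        k, flags = self.key(p), p["flags"]
        st = self.state.get(k, "unknown")
        if "R" in flags:
            st = "reset"                         # abrupt shutdown
        elif "S" in flags:
            st = "syn-received" if p["ack"] is not None else "syn-sent"
        elif "F" in flags:
            self.fin_senders[k].add((p["src"], p["sport"]))
            st = "fin-wait" if len(self.fin_senders[k]) == 1 else "closing"
        elif p["ack"] is not None:
            if st in ("syn-received", "unknown"):
                st = "established"               # third handshake packet
            elif st == "closing":
                st = "closed"                    # last ACK of the FIN exchange
        self.state[k] = st
        return st

    def half_open(self):
        """Connections that never completed the handshake (SYN flood / scan)."""
        return [k for k, s in self.state.items() if s in ("syn-sent", "syn-received")]


HANDSHAKE = [
    "20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    "20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)",
    "20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)",
]
TEARDOWN = [
    "20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)",
    "20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)",
    "20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)",
    "20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)",
]
# constructed: five spoofed SYNs that the server answers but nobody acknowledges
SYN_FLOOD = []
for i in range(1, 6):
    SYN_FLOOD.append(f"20:50:00.00000{i} IP 10.0.0.{i}.4000 > server8.engr.scu.edu.23: S 1000:1000(0) win 512")
    SYN_FLOOD.append(f"20:50:00.00001{i} IP server8.engr.scu.edu.23 > 10.0.0.{i}.4000: S 2000:2000(0) ack 1001 win 32768")


def demo():
    t = ConnTracker()
    handshake = [t.feed(line) for line in HANDSHAKE]
    teardown = [t.feed(line) for line in TEARDOWN]
    for line in SYN_FLOOD:
        t.feed(line)
    return {"handshake": handshake, "teardown": teardown, "half_open": len(t.half_open())}
```

A connection first seen mid-stream (data with ACK, no handshake in the capture) is treated as established, which is what the shutdown capture above needs; a production tracker would also age out half-open entries, since a legitimate client may simply be slow.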

Page 48: Network Defense

TCP: Exchanging Data

Each segment carries a sequence number (one sequence space per direction). The initial sequence numbers are chosen during the three-way handshake. Nmap uses the way these initial sequence numbers are generated to fingerprint the OS. Modern operating systems are much better, with initial sequence numbers that are hard to predict.

Page 49: Network Defense

TCP: Exchanging Data

The party that receives a segment sends an acknowledgement, consisting of the ACK flag and the sequence number of the next byte it expects. (tcpdump shows relative numbers, i.e. the number of bytes acknowledged.)

Page 50: Network Defense

TCP: Exchanging Data

If a segment is lost, the acknowledgement number will not advance: a "duplicate acknowledgement". Depending on settings, the sender retransmits after three duplicate acknowledgements (fast retransmit). Senders also retransmit after a timeout.

Page 51: Network Defense

TCP: Exchanging Data

20:48:45.087563 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 4 win 16959 (DF)
20:48:45.087583 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 3:4(1) ack 4 win 16959 (DF)
20:48:45.096443 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 4:5(1) ack 4 win 32768 (DF)
20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)

Page 52: Network Defense

TCP flags

Part of the TCP header:
F : FIN - Finish; end of session
S : SYN - Synchronize; request to start a session
R : RST - Reset; drop a connection
P : PSH - Push; hand the data to the application immediately
A : ACK - Acknowledgement
U : URG - Urgent
E : ECE - Explicit Congestion Notification Echo
W : CWR - Congestion Window Reduced

Page 53: Network Defense

TCP Example with Ethereal

Page 54: Network Defense

TCP Example with Ethereal

First Syn message

Page 55: Network Defense

TCP Example with Ethereal

This is the SYN-ACK packet, with sequence number 68 8d 5c ad and acknowledgement number 10 3f 21 1e (hex bytes).

Page 56: Network Defense

TCP Example with Ethereal

Sequence number 10 3f 21 1e; acknowledgement number 68 8d 5c ae, i.e. the SYN-ACK's sequence number plus one.

Page 57: Network Defense

TCP Example with Ethereal

Page 58: Network Defense

TCP Example with Ethereal

Page 59: Network Defense

UDP

"Send and pray." No connection. A simple 8-byte header (source port, destination port, length, checksum) instead of TCP's. The protocol field in the IP header is 0x11 (17); the UDP header follows the IP header in the datagram's payload.

Page 60: Network Defense

Fragmentation

An IP datagram can come across a link with a maximum transmission unit (MTU) smaller than its own size.

The sender, or a forwarding router, chops the IP datagram into several IP datagrams, the fragments.

Page 61: Network Defense

Fragmentation

Fragments are reassembled at the destination.

Fragments carry:
- Fragment identifier
- Offset in the original data portion (in units of 8 bytes)
- Length of the data payload in the fragment
- A flag that indicates whether or not this is the final fragment

Page 62: Network Defense

Fragmentation

Example: large echo request: ping -l 1480 129.218.19.198. Assume the MTU is 1500. The 1480 bytes of ICMP data plus the 8-byte ICMP header give 1488 bytes of IP payload; with the 20-byte IP header that is 1508 bytes, more than the MTU, so the datagram is fragmented.

Page 63: Network Defense

Fragmentation

Page 64: Network Defense

Fragmentation: First Fragment

Page 65: Network Defense

Fragmentation: Second Fragment

Page 66: Network Defense

Fragmentation: Last Fragment

Page 67: Network Defense

Fragmentation

ping -l 65500 129.218.19.198

12:02:18.256066 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag 10712:1472@0+)
12:02:18.257282 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@1472+)
12:02:18.258498 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@2944+)
12:02:18.258502 IP dhcp-19-115.engr.scu.edu.137 > 129.210.19.255.137: udp 50
12:02:18.259714 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@4416+)
12:02:18.261177 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@5888+)
12:02:18.262389 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@7360+)
12:02:18.263604 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@8832+)
12:02:18.264820 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@10304+)
12:02:18.266037 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@11776+)
12:02:18.267495 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@13248+)
12:02:18.268712 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@14720+)

(frag id:len@offset+ means fragment of datagram id carrying len bytes at byte offset, with more fragments following. The unrelated UDP line in the middle is other traffic captured at the same time.)

Page 68: Network Defense

Fragmentation

DF (Don't Fragment) flag: if a forwarding node finds that the datagram needs to be fragmented but the DF flag is set, it drops the datagram and responds with ICMP destination unreachable, code "fragmentation needed and DF set".

Useful to find the minimum MTU on a path (path MTU discovery).

Page 69: Network Defense

Fragmentation

Fragmentation has security implications. Stateless firewalls look only at individual packets. The transport protocol header (TCP/UDP ports) is only in the first fragment. "Stealth attacks / scans" carry the evil payload only in the second and following fragments.

Page 70: Network Defense

Fragments: Teardrop and Friends

Teardrop (1997): fragments with overlapping offset fields. Many contemporary OSes crashed, hung or rebooted.

Jolt2: a single fragment with a non-zero offset. The receiving system allocates resources to reconstruct a datagram that never arrives.

Page 71: Network Defense

Fragments: Teardrop and Friends

Create fragments that seem to come from a GB datagram. A trusting OS tries to allocate the memory and dies.

Ping of Death: Windows 95 allowed sending a ping that was just a tad too long (the reassembled datagram exceeds the 65535-byte IP maximum). The receiving host would crash.

Unnamed attacks: missing fragments lead to resource allocation, since the receiver holds the partial datagram in a reassembly buffer until a timer expires.
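The attacks on the last two slides are all malformed fragment sets, and a receiver that checks the set before committing memory is immune to them. The following added example, not from the slides, implements fragmentation the way a sender or router does it (20-byte header without options, data per fragment rounded down to a multiple of 8) and a batch reassembler that rejects overlaps (Teardrop), sets whose reassembled size exceeds 65535 bytes (Ping of Death) and incomplete sets (Jolt2, missing fragments). It reproduces the slide's ping -l 1480 case and the ping -l 65500 capture: the 1472-byte fragments in that capture correspond to a 1492-byte MTU (1472 + 20), which the example uses for that case.

```python
"""IP fragmentation and a defensive reassembler.

Added example, not from the slides. fragment() splits an IP payload the way
a sender or router does for a given MTU: 20-byte header without options and
a data length per fragment rounded down to a multiple of 8. reassemble()
rejects the malformed fragment sets the slides describe: overlapping
fragments (Teardrop), a set whose reassembled size would exceed the
65535-byte IP maximum (Ping of Death), and incomplete sets (Jolt2 and the
missing-fragment attacks), which a real stack would otherwise hold in a
reassembly buffer until a timer expires. A fragment here is the tuple
(identification, byte offset, more-fragments flag, data).
"""
IP_HDR = 20
IP_MAX = 65535


class ReassemblyError(Exception):
    pass


def fragment(ident, payload, mtu):
    if mtu < IP_HDR + 8:
        raise ValueError("MTU too small to carry a fragment")
    chunk = (mtu - IP_HDR) // 8 * 8           # offsets count 8-byte units
    frags, off = [], 0
    while off < len(payload):
        data = payload[off:off + chunk]
        nxt = off + len(data)
        frags.append((ident, off, nxt < len(payload), data))
        off = nxt
    return frags


def reassemble(frags):
    if not frags:
        raise ReassemblyError("no fragments")
    ident = frags[0][0]
    if any(f[0] != ident for f in frags):
        raise ReassemblyError("fragments carry different identifications")
    buf, expected, total = bytearray(), 0, None
    for _, off, more, data in sorted(frags, key=lambda f: f[1]):
        if total is not None:
            raise ReassemblyError("data after the last fragment")
        if off % 8:
            raise ReassemblyError(f"offset {off} is not a multiple of 8")
        if IP_HDR + off + len(data) > IP_MAX:
            raise ReassemblyError("reassembled datagram would exceed 65535 bytes (Ping of Death)")
        if off < expected:
            raise ReassemblyError(f"fragment at {off} overlaps data received up to {expected} (Teardrop)")
        if off > expected:
            raise ReassemblyError(f"fragment covering offset {expected} is missing")
        if more and len(data) % 8:
            raise ReassemblyError("non-final fragment length is not a multiple of 8")
        buf += data
        expected = off + len(data)
        if not more:
            total = expected
    if total is None:
        raise ReassemblyError("last fragment missing")
    return bytes(buf)


def verdict(frags):
    """'ok' or the reason the fragment set was rejected."""
    try:
        reassemble(frags)
        return "ok"
    except ReassemblyError as e:
        return str(e)


def demo():
    echo_1480 = bytes(8 + 1480)                 # ICMP header + ping -l 1480 data
    echo_65500 = bytes(8 + 65500)               # ping -l 65500, as in the slide's tcpdump
    return {
        "ping 1480, MTU 1500": [(o, len(d), m) for _, o, m, d in fragment(1, echo_1480, 1500)],
        "ping 65500, MTU 1492": len(fragment(10712, echo_65500, 1492)),
        "teardrop": verdict([(2, 0, True, bytes(24)), (2, 16, False, bytes(8))]),
        "ping of death": verdict(fragment(3, bytes(65520), 1500)),
        "jolt2": verdict([(4, 8, False, bytes(8))]),
    }
```

A stateful firewall or IDS does the same bookkeeping in front of the hosts it protects, which is why the stateless "first fragment only" problem above is usually solved by reassembling (or at least tracking) fragments at the perimeter.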

Page 72: Network Defense

ICMP

Protocols like TCP can send error messages themselves. Stateless protocols like UDP need another mechanism to report errors.

A host uses ICMP for simple replies and requests, and to inform other hosts of some kind of error condition. E.g. to throttle the delivery rate, a receiving host can use the ICMP source quench message. E.g. a router can send an "admin prohibited" ICMP message.

Page 73: Network Defense

ICMP has no port numbers. No acks, no message delivery guarantee. Allows broadcasting. ICMP types are listed at http://www.iana.org/assignments/icmp-parameters. The first byte of the ICMP header is the Type, the second byte the Code.

Page 74: Network Defense

ICMP

Attackers can use ICMP for scanning: mapping a network, detecting the availability of a target, and detecting the OS through the way a host responds.

Page 75: Network Defense

ICMP

Tireless Mapper: sends ICMP echo request messages to all possible IP addresses. Many IDS might not catch this scan if the number of packets per hour is small. Therefore: firewalls should filter incoming ping requests.

Page 76: Network Defense

ICMP

Efficient Mapper: use the ICMP echo request with a broadcast address, e.g. ping 129.210.19.255. Every live host on the subnet answers.

Page 77: Network Defense

ICMP

Clever Mapper: use a different ICMP message, such as the ICMP address mask request. The reply reveals the subnet mask, i.e. the size of the network.

Page 78: Network Defense

ICMP: Normal activity

Normal messages: Host unreachable Port unreachable Admin prohibited Need to fragment Time exceeded in transit

Page 79: Network Defense

ICMP: Normal activity

Host unreachable: the router on the target host's network sends such a message. This gives information to an attacker.

Cisco routers allow suppressing these messages per interface with the configuration command:

no ip unreachables

Page 80: Network Defense

ICMP: Normal activity

Port unreachable: target.host > sending.host: icmp: target.host udp port ntp unreachable (DF). Used for UDP; TCP has the RST segment to inform the sender.

Page 81: Network Defense

ICMP: Normal activity

Unreachable - Admin Prohibited: the router informs the sender that this type of message cannot be forwarded. The router's decision is based on an access control list. The message leaks information to an outside scanner.

Page 82: Network Defense

ICMP: Normal activity

Need to Fragment: the router informs the sender that DF is set but the packet is larger than the MTU.

Page 83: Network Defense

ICMP: Normal activity

Time Exceeded In-Transit: packets contain a Time To Live (TTL) value. Each router handling a packet decrements the TTL. If the TTL reaches zero, the router discards the packet and sends the Time Exceeded In-Transit message to the sender.

Page 84: Network Defense

ICMP: Normal activity

ICMP error messages contain additional data: the IP header followed by (at least) the first eight bytes of the original datagram's protocol header and data.

Not all OS implementations do this in exactly the same way. Nmap used this for OS fingerprinting. Later TCP/IP stack implementations have removed many of these idiosyncrasies.

Page 85: Network Defense

Malicious ICMP: Smurf Attack

Smurf attack on victim 129.219.19.198:
Step 1: Send an ICMP echo request to a broadcast address with the spoofed source IP 129.219.19.198.
Step 2: The router allows in the ICMP echo request to the broadcast address.
Step 3: All live hosts respond with an ICMP echo reply to the real machine with IP 129.219.19.198.

Page 86: Network Defense

Malicious ICMP: Smurf Attack

ICMP Smurf attack: a denial of service attack. Effort of attacker << effort of victim. Uses the ICMP replies from a whole network as an amplifier. Works well if the victim has a slow connection.
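The three mappers and the Smurf attack above each leave a distinct pattern in ICMP flow records: one source hitting many destinations, an echo request to a broadcast address, an address mask request, and a host receiving echo replies it never asked for. The following added example, not from the slides, runs those checks over (source, destination, type, code) records. The records, the threshold and the broadcast-address list are constructed for the example; an operator would tune the last two for their own network.

```python
"""Spot ICMP reconnaissance and Smurf amplification in flow records.

Added example, not from the slides. Each record is (src, dst, icmp_type,
icmp_code); the records below are constructed to show the three mappers
from the slides (tireless, broadcast, address-mask) and a Smurf victim.
Thresholds and the broadcast-address set are assumptions an operator
would tune for their network.
"""
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST, MASK_REQUEST = 0, 8, 17


def analyze(records, broadcast_addrs, threshold=16):
    req_dsts = defaultdict(set)     # src -> distinct hosts it sent echo requests to
    reply_srcs = defaultdict(set)   # dst -> distinct hosts that sent it echo replies
    findings = []
    for src, dst, typ, code in records:
        if typ == ECHO_REQUEST:
            req_dsts[src].add(dst)
            if dst in broadcast_addrs:
                findings.append(("broadcast ping", src, dst))
        elif typ == ECHO_REPLY:
            reply_srcs[dst].add(src)
        elif typ == MASK_REQUEST:
            findings.append(("address mask probe", src, dst))
    for src, dsts in req_dsts.items():
        if len(dsts) >= threshold:
            findings.append(("ping sweep", src, len(dsts)))
    for dst, srcs in reply_srcs.items():
        # replies from hosts this destination never pinged: a spoofed source
        unsolicited = srcs - req_dsts.get(dst, set())
        if len(unsolicited) >= threshold:
            findings.append(("smurf amplification target", dst, len(unsolicited)))
    return findings


def constructed_records():
    recs = []
    # tireless mapper: one host pings 30 addresses in 129.210.19.0/24
    recs += [("10.9.9.9", f"129.210.19.{i}", ECHO_REQUEST, 0) for i in range(1, 31)]
    # efficient mapper: one echo request to the directed broadcast address
    recs.append(("10.9.9.10", "129.210.19.255", ECHO_REQUEST, 0))
    # clever mapper: ICMP address mask request
    recs.append(("10.9.9.11", "129.210.19.1", MASK_REQUEST, 0))
    # smurf: 40 hosts reply to the spoofed victim, which never pinged them
    recs += [(f"129.210.19.{i}", "129.219.19.198", ECHO_REPLY, 0) for i in range(1, 41)]
    # normal: the victim's own ping and its single reply
    recs.append(("129.219.19.198", "129.210.19.1", ECHO_REQUEST, 0))
    recs.append(("129.210.19.1", "129.219.19.198", ECHO_REPLY, 0))
    return recs


def demo():
    return analyze(constructed_records(), {"129.210.19.255"})
```

The unsolicited-reply rule is the one that matters for the Smurf victim, who sees only the amplified replies; the amplifier network itself sees the broadcast ping, which is why routers are configured not to forward directed broadcasts.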

Page 87: Network Defense

Malicious ICMP: Tribal Flood Network

Based on Smurf. Creates zombies out of compromised machines. The compromised machines use a trigger to start bombarding a victim with requests. Many variations on this theme.

Page 88: Network Defense

Malicious ICMP: Winfreeze (obsolete)

Uses the ICMP redirect message, whose legal use is to update routing information. A flood of redirect messages causes the victim (Win95 / Win98) to redirect traffic to itself via random hosts. The victim spends too much time updating its routing table.

Page 89: Network Defense

Malicious ICMP: Loki

Uses ICMP packets as a covert channel. A compromised host with a Loki server responds to requests from a Loki client. Requests are sent via ping messages with the data embedded in the ICMP echo payload. Originally used bytes 6 and 7.

http://sourceforge.net/projects/loki-lib/

Page 90: Network Defense

Malicious ICMP: Simple Counter-Measures

Limit ICMP messages at the firewall. This leads to inefficiencies, such as trying a TCP connection to a host that is down (no host unreachable arrives). Path MTU discovery (fragmentation needed) must still be admitted. Log those that are let through.

Page 91: Network Defense

Harmless Behavior: TCP

Destination host not listening on the requested port: the receiver acknowledges and resets at the same time (RST/ACK).

Destination host does not exist: the router responds with ICMP: Host xxx.yyy unreachable.

Page 92: Network Defense

Harmless Behavior: TCP

Destination port blocked: either the router responds with an ICMP message, icmp: xxx.yyy unreachable - admin prohibited filter, or the router does not respond at all. In the latter case the sender retries up to a protocol-dependent maximum number of retries or time.

Page 93: Network Defense

Harmless Behavior: UDP

Destination host not listening on the requested port: the destination host sends an ICMP message, icmp: xxx.yyy port domain unreachable. Or the destination host does not respond. The sender will possibly retry several times.

Page 94: Network Defense

Harmless Behavior: Windows Tracert

tracert (traceroute) uses ICMP echo requests. The tracing host sends an ICMP echo request with TTL = 1, then one with TTL = 2, etc. The first router responds to the first request, the second router to the second request, etc.; if it is not the destination, it responds with icmp: time exceeded in transit. The destination itself answers with an echo reply.

Page 95: Network Defense

Harmless Behavior: Unix Traceroute

traceroute uses UDP to a high, normally unused port. The tracing host sends a UDP packet with TTL = 1, then one with TTL = 2, etc. The first router responds to the first request, the second router to the second request, etc.; if it is not the destination, it responds with icmp: time exceeded in transit. The target responds with a port unreachable message, which tells traceroute it has arrived.

Page 96: Network Defense

FTP

Uses TCP. Active and passive FTP both use port 21 for the control connection on which FTP commands are issued. Active FTP: the server opens the data connection from its port 20 to an ephemeral port on the client.

Page 97: Network Defense

FTP: Active FTP

Example: the command channel runs between server8.engr.scu.edu.21 and Bobadilla.1628. A dir command creates a new connection between server9.engr.scu.edu.20 and Bobadilla.5001.

Page 98: Network Defense

FTP

Opening a connection from the outside to an ephemeral port on the client is dangerous: the client's firewall has to admit inbound connections it cannot predict.

Passive FTP: the client initiates the data connection, to an ephemeral port on the server that the server announces on the command channel (not to port 20). Only outbound connections are needed from the client.

Page 99: Network Defense

Malicious TCP Use: Mitnick Attack (obsolete): SYN flood

Goal is to disconnect the victim from the net. Throws hundreds / thousands of SYN packets with spoofed return addresses, so the SYN-ACKs go unanswered. The recipient's queue of connections waiting to be established (half-open connections) fills up and further connections are refused. Still works as a DDoS attack.

Page 100: Network Defense

Malicious TCP Use: Mitnick Attack (obsolete): Identify trust relationships

Extensive network mapping: nbtstat/finger, showmount, rpcinfo -p, ... rpcinfo provides information about the remote procedure call services and their ports.

Page 101: Network Defense

Malicious TCP Use: Mitnick Attack (obsolete): Probe sequence numbers

Initiate a number of TCP connections to the host: send a SYN packet, receive the SYN/ACK packet, send an RST so that the victim is not flooded. Observe the initial sequence number values across the different connections. Can they be predicted?
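The probe on this slide is exactly what Nmap's ISN test automates: record the ISN from each SYN/ACK and look at the differences. The following added example, not from the slides, does that arithmetic: with a constant increment per connection (the classic behaviour that made the attack work) the next ISN is simply the last one plus the increment, and the blind ACK is accepted; with unpredictable ISNs the guess fails. The ISN samples are constructed: a fixed 64000 increment for the old stack, and values from a seeded PRNG as a stand-in for a modern one.

```python
"""Test whether observed TCP initial sequence numbers are predictable.

Added example, not from the slides. An attacker (or Nmap's ISN test) opens
several connections to a host, records the ISN in each SYN/ACK, and looks
at the differences: constant or small-variance deltas mean the next ISN can
be guessed. The ISN samples are constructed: one "old stack" that adds a
fixed increment per connection and one drawn from a seeded PRNG as a
stand-in for a modern, unpredictable stack.
"""
from functools import reduce
from math import gcd
from statistics import pstdev
import random

MOD = 2 ** 32


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo the 32-bit sequence space."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def isn_analysis(isns):
    """GCD and standard deviation of the deltas, plus the naive next guess."""
    if len(isns) < 3:
        raise ValueError("need at least three samples")
    d = isn_deltas(isns)
    return {"gcd": reduce(gcd, d), "stddev": pstdev(d),
            "guess_next": (isns[-1] + d[-1]) % MOD}


def predictable(isns, max_stddev=1000.0):
    """Assumed threshold: deltas that barely vary make the next ISN guessable."""
    return isn_analysis(isns)["stddev"] <= max_stddev


def blind_spoof_succeeds(victim_isn, attacker_guess):
    """The victim accepts the attacker's blind ACK only if it acknowledges isn+1."""
    return (attacker_guess + 1) % MOD == (victim_isn + 1) % MOD


OLD_STACK = [(1_000_000 + 64_000 * i) % MOD for i in range(6)]    # constructed
_rng = random.Random(2004)
MODERN_STACK = [_rng.getrandbits(32) for _ in range(6)]             # constructed


def demo():
    """Probe with the first five ISNs, then try to spoof the sixth connection."""
    old = isn_analysis(OLD_STACK[:-1])
    new = isn_analysis(MODERN_STACK[:-1])
    return {
        "old_predictable": predictable(OLD_STACK[:-1]),
        "old_hit": blind_spoof_succeeds(OLD_STACK[-1], old["guess_next"]),
        "modern_predictable": predictable(MODERN_STACK[:-1]),
        "modern_hit": blind_spoof_succeeds(MODERN_STACK[-1], new["guess_next"]),
    }
```

The guess has to be right to within the victim's receive window only if the attacker can see the SYN/ACK; in the blind case described on the following slides it has to be exact, which is why a constant increment was fatal and a few hundred bits of per-connection randomness is enough.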

Page 103: Network Defense

Malicious TCP Use: Mitnick Attack (obsolete)

The attacker can predict the sequence number that the victim expects.

(Diagram: Victim trusts B; B; Attacker)

Page 104: Network Defense

Malicious TCP Use: Mitnick Attack (obsolete)

Attacker SYN floods B. B cannot respond.

(Diagram: Victim trusts B; B; Attacker)

Page 105: Network Defense

Malicious TCP Use: Mitnick Attack (obsolete)

Attacker takes over B's identity and spoofs a packet from B to Victim.

(Diagram: Attacker, as B, to Victim: SYN)

Page 106: Network Defense

Malicious TCP Use: Mitnick Attack (obsolete)

Victim responds with SYN/ACK to B. B cannot respond.

(Diagram: Victim to B: SYN/ACK)

Page 107: Network Defense

Malicious TCP Use: Mitnick Attack (obsolete)

Attacker sends the ACK with the guessed sequence number to the victim.

(Diagram: Attacker, as B, to Victim: ACK)

Page 108: Network Defense

Malicious TCP Use: Mitnick Attack (obsolete)

Attacker sends another TCP packet with payload: rsh victim "echo ++ >> .rhosts"

(Diagram: Attacker, as B, to Victim: bad stuff)

Page 109: Network Defense

Malicious TCP Use: Mitnick Attack (obsolete)

Now the victim trusts everyone.

(Diagram: Victim trusts everyone; B; Attacker)

Page 110: Network Defense

Malicious TCP Use: Mitnick Attack (obsolete)

Attacker terminates the connection with a FIN exchange.

(Diagram: FIN, ACK, FIN, ACK between Attacker, as B, and Victim; Victim trusts everyone)

Page 111: Network Defense

Malicious TCP Use: Mitnick Attack (obsolete)

To wake up B, the attacker sends it a bunch of RSTs to free B from the SYN flood.

(Diagram: Attacker to B: RST RST RST; Victim trusts everyone)

Page 112: Network Defense

Malicious TCP Use: Mitnick Attack (obsolete)

Attacker now starts a new connection with the victim, under its own identity.

(Diagram: Attacker and Victim: yak yak yak; Victim trusts everyone)

Page 113: Network Defense

Malicious TCP Use: Mitnick Attack Detection

Network-based intrusion detection (NID) can find the original site mapping. NID can find the reconnaissance by spotting finger, showmount etc. requests; showmount and rpcinfo both go through the portmapper on port 111. This is a dangerous and frequently probed port.

Page 114: Network Defense

Malicious TCP Use: Mitnick Attack Detection

Host scans: log instances where a single system accesses multiple hosts at the same time.

Host-based intrusion detection (HID) can find access to a single port.

HID / Tripwire could find changes to .rhosts.

Page 115: Network Defense

Malicious TCP Use: Mitnick Attack Detection

Computer forensics can detect the attack by logging network traffic and by examining the MAC times (modification, access, change) of important files such as .rhosts.

Page 116: Network Defense

Malicious TCP Use: Mitnick Attack Prevention

Router-based firewall blocks certain types of traffic: network mapping, SYN flooding, access to dangerous ports.

Host-based firewall blocks access to dangerous ports.

Security policy disallows reconnaissance tools and enforces better authentication than address-based trust.

Page 117: Network Defense

Domain Name Servers

Provide the mapping from host names to IP addresses.

DNS resolution process: the client sends a gethostbyname query to the local domain name server; the local domain name server sends back the IP address. Uses UDP (almost exclusively).

Page 118: Network Defense

DNS: Resolution protocol
1. Client to local DNS server: gethostbyname.
2. Local DNS server forwards the request to a root server.
3. Root server returns the name of the remote DNS server.
4. Local DNS server queries the remote DNS server.
5. Remote DNS server answers with the IP address.
6. Local DNS server gives the data to the client.

Page 119: Network Defense

DNS

Use caching to prevent overloading the root servers.

DNS records have a TTL. The responding DNS server sets the TTL; the receiving DNS server caches the record for TTL seconds.

Page 120: Network Defense

DNS: Reverse Lookup

IP address to host name: the query for 1.2.3.4 is sent as a PTR query for 4.3.2.1.in-addr.arpa.

Page 121: Network Defense

DNS: Master - Slave Name Servers

Each domain has a single master DNS server. Add slaves for redundancy. A slave server periodically contacts the master to see whether there are changes.

Older BIND versions download all data for the domain, even if only one record has changed.

Page 122: Network Defense

DNS: Zone Transfer

The slave server requests a zone transfer from the master. Uses TCP, port 53. Attackers like zone transfers: they give all IP addresses and names in the zone. Newer versions of BIND limit transfers based on the requester's IP address.

Page 123: Network Defense

DNS: Abuse for Reconnaissance: nslookup gets the name servers.

Page 124: Network Defense

DNS: Abuse for Reconnaissance: HINFO records give host information.

Page 125: Network Defense

DNS: Abuse for Reconnaissance: list the zone map information with ls -d engr.scu.edu in nslookup.

Page 126: Network Defense

DNS: Abuses and Problems

DNS cache poisoning. Affects BIND versions before 8.1.1. Based on lack of authentication: some BIND versions cache every piece of DNS data they see.

Page 127: Network Defense

DNS Cache Poisoning

Attack on Hillary Clinton’s Run for Senate Website

Traffic to www.hillary2000.org (IP address 206.245.150.74) redirected to www.hillaryno.com (IP address 206.245.150.74.)

Page 128: Network Defense

DNS Cache Poisoning

Step 1: Evil sends a bogus query to the victim’s name server that contains data www.hillary2000.org at 206.245.150.74

Page 129: Network Defense

DNS Cache Poisoning

Step 2: The name server accepts the bogus information (even though it is contained in a query).

Step 3: The victim requests the IP address of hillary2000.org and is directed to hillaryno.com.

The vulnerability arises from the lack of authentication and from using data carried in queries to update entries at the queried server.

Page 130: Network Defense

DNS Cache Poisoning

Birthday Attack

The attacker sends a large number of queries to a vulnerable name server asking for hillary2000, and an equal number of phony replies (with the poisoned data). The name server generates a request to resolve hillary2000 for each query. With high probability, one of the phony answers carries the same transaction ID as one of the name server's outstanding queries.
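The "high probability" above can be put in numbers. The following added example, not from the slides, models the DNS transaction ID as a uniformly random 16-bit value and the attacker's spoofed replies as carrying distinct IDs. Guessing against a single outstanding query succeeds with probability guesses / 65536; with n outstanding queries and n spoofed replies, each query independently matches one of the n reply IDs with probability n / 65536, so P(at least one hit) = 1 - (1 - n/65536)^n. The id_bits parameter lets the same formula show what source-port randomization (roughly 32 bits of entropy) does to the attack.

```python
"""Success probability of DNS cache poisoning: sequential guessing vs. birthday attack.

Added example, not from the slides. Model: a transaction ID is uniformly
random in a 2^id_bits space (16 bits for the ID alone, about 32 with source
port randomization); spoofed replies carry distinct IDs and arrive while the
queries are outstanding.
"""

ID_BITS = 16


def p_sequential(guesses, id_bits=ID_BITS):
    """One outstanding query, `guesses` spoofed replies with distinct IDs."""
    return min(1.0, guesses / 2 ** id_bits)


def p_birthday(n, id_bits=ID_BITS):
    """n outstanding queries (independent random IDs) and n spoofed replies:
    P(no query matches any reply) = (1 - n/space)^n."""
    space = 2 ** id_bits
    n = min(n, space)
    return 1.0 - (1.0 - n / space) ** n


def queries_for(target_p, id_bits=ID_BITS):
    """Smallest n for which the birthday attack reaches probability target_p."""
    n = 1
    while p_birthday(n, id_bits) < target_p:
        n += 1
    return n


def table(ns=(10, 100, 213, 300, 700), id_bits=ID_BITS):
    """(n, sequential probability, birthday probability) rows for a quick comparison."""
    return [(n, round(p_sequential(n, id_bits), 4), round(p_birthday(n, id_bits), 4))
            for n in ns]


if __name__ == "__main__":
    for row in table():
        print(*row)
    print("queries for 50%:", queries_for(0.5), "(16-bit IDs)",
          queries_for(0.5, 32), "(16-bit IDs + random source port)")
```

The gap between the two columns is the whole point of the birthday variant: a few hundred queries give a near-certain hit against a 16-bit ID alone, while the same attack against 32 bits of entropy needs tens of thousands of outstanding queries, which is the reason resolvers randomize source ports and why DNSSEC moves the problem from guessing to signatures.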

Page 131: Network Defense

DNS: The Bind Birthday Attack

Page 132: Network Defense

DNS Cache Poisoning

Redirect traffic to a fake PayPal or other e-commerce site. Set up man-in-the-middle attacks.

Defenses: the domain owner has to rely on the DNS system. The ISP name server admin needs to protect by updating BIND or replacing it with djbdns, and by running two name servers: one serving the public domain information to the outside, another for internal use. The end user has to rely on the DNS system.

Page 133: Network Defense

Routing

Local Routing Table: netstat -r

Page 134: Network Defense

Static Routing

The IP layer searches the routing table in the following order: a matching destination host address, then a matching destination network address, then a default entry.

Page 135: Network Defense

Routing

Static routes are typically added during the boot process. Administrative changes are made with the route command. ICMP router discovery messages can also change routes.

Page 136: Network Defense

Routing Changes

A host might have inefficient entries in its routing table. They can be changed by ICMP redirect messages and by ICMP Router Discovery Protocol (IRDP) messages. IRDP needs to be enabled.

Page 137: Network Defense

Routing Changes

ICMP Redirect Message: A sends a message to D. Routing table says to send to B first.

Page 138: Network Defense

Routing Changes

ICMP Redirect Message: B forwards to C. B informs A that there is a direct route to C.

Page 139: Network Defense

Routing Changes

ICMP Redirect Message: C forwards the packet to the target. A updates its routing table.

Page 140: Network Defense

IRDP DoS Exploit

Attacker (E) sends a spoofed IRDP message to A. A updates its routing table to reflect the bogus default value. A loses connectivity.

Page 141: Network Defense

IRDP Windows Exploit

Windows (95, 98, 2000) and some Solaris systems are vulnerable.

If a Windows host runs a Dynamic Host Configuration Protocol (DHCP) client, it obtains its default route from the DHCP server.

ICMP router advertisements can be spoofed. The first router advertisement is checked for a correct IP address. The second router advertisement is erroneously not.

Page 142: Network Defense

IRDP Windows Exploit

Attacker sends two ICMP router advertisements to victim.

Victim updates its default gateway to IP determined by attacker.

Usable for man-in-the-middle attacks or DoS.

Page 143: Network Defense

IP Options

IP options enhance the IP protocol: Security, Stream Identification, Internet Timestamp, Loose Source Routing, Strict Source Routing, Record Route.

These are security risks.

Page 144: Network Defense

IP Route Options

Loose Source Routing specifies a route that includes a list of required nodes.

Strict Source Routing specifies the beginning of a route (up to 9 nodes) completely.

Record Route: does not alter the routing but requires that all nodes are recorded.

Page 145: Network Defense

Detecting IP Source Routing

IP header is larger than 20B.

IP option field has a hex value of 83 (loose source routing) or 89 (strict source routing).

ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 0x89)
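An added example, not from the lecture, that parses the whole IPv4 option list instead of testing only byte ip[20], so a source-route option is found even after a NOP; the option type constants are the standard ones and the sample packets (documentation address, zero checksum) are constructed here:

```python
"""Find IP source-route options anywhere in the IPv4 option list.

Added example, not from the lecture. The slide's one-byte test
(ip[20] = 0x83 or 0x89) only sees the first option byte; this parser walks
the whole option list, so LSRR (0x83) and SSRR (0x89) are found even after
a NOP or another option, and malformed option lengths are rejected instead
of skipped. The packets at the bottom are constructed for the example
(IP checksum left as zero).
"""
import struct

LSRR, SSRR, RR = 0x83, 0x89, 0x07   # loose / strict source route, record route
EOL, NOP = 0x00, 0x01               # single-byte options


def ipv4_options(pkt: bytes) -> bytes:
    """Option bytes of a raw IPv4 packet (empty when IHL == 5)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    return pkt[20:ihl]


def source_route_options(pkt: bytes) -> list:
    """Option types of any source-route options present, in order."""
    opts = ipv4_options(pkt)
    found, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == EOL:
            break
        if t == NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if t in (LSRR, SSRR):
            found.append(t)
        i += length
    return found


def slide_filter(pkt: bytes) -> bool:
    """The slide's tcpdump expression, byte for byte."""
    return (pkt[0] & 0x0F) > 5 and pkt[20] in (0x83, 0x89)


def build_ipv4(options: bytes, payload: bytes = b"") -> bytes:
    """Constructed IPv4 header (TTL 64, proto TCP, 10.0.0.1 -> 10.0.0.2)."""
    options += b"\x00" * (-len(options) % 4)          # pad to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload


# Constructed sample packets; 192.0.2.1 is a documentation address.
HOP = bytes([192, 0, 2, 1])
PLAIN = build_ipv4(b"")
LSRR_FIRST = build_ipv4(bytes([LSRR, 7, 4]) + HOP)
SSRR_AFTER_NOP = build_ipv4(bytes([NOP, SSRR, 7, 4]) + HOP)
RR_ONLY = build_ipv4(bytes([RR, 7, 4]) + bytes(4))
```

The slide's expression flags LSRR_FIRST but not SSRR_AFTER_NOP; the option walker catches both and leaves record-route alone.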

Page 146: Network Defense

Source Route Exploit

Spoofing host requires source routing through a host trusted by the victim.

Victim decides that the traffic comes from a trusted host.

Therefore: firewalls need to disable source-routing or network admin needs to disable trust relationships.

Page 147: Network Defense

Network Address Translation

Allows many internal IP addresses to appear as a few external IP addresses.

Local hosts typically have non-routable addresses.

Function:

Local machine connects to NAT box as gateway.

NAT box assigns the connection a routable IP address and port.

Outside host answers to the latter address. NAT box forwards requests to the local machine.

From: http://www.californiasw.com/Knowledge-center/whitepaper/vxworks.html

Page 148: Network Defense

Internet Group Management Protocol (IGMP)

Defined by RFC 1112. IGMP messages use IP protocol 2. IGMP messages are used to join and leave multicast groups.

Page 149: Network Defense

IPSec

Security layer based on IPv6. Implemented as Bump In The Stack.

Architecture (figure): Upper layer protocols, TCP/UDP, IP, IPSec, Data link layer.

Implemented in the IP layer.

Page 150: Network Defense

IPSec

Provides authentication of source IP address

Provides message integrity and encryption

Take COEN 350

Page 151: Network Defense

SNMP: Simple Network Management Protocol

Allows remote monitoring and managing of TCP/IP devices.

Example Vulnerability: SNMP default accounts public and private. When queried, will return SNMP information. Can be used for network mapping. Might spell out passwords.

Page 152: Network Defense

Network Authentication: Threats

Passive Sniffing: Malicious Mallory can read messages between Alice and Bob.

Spoofing: Malicious Mallory can create messages that seem to come from either Alice or Bob.

Standard Attack Modes: Breaking Cryptography, Man-in-the-Middle, Replay Attacks, Reflection Attack (open several connections).

Page 153: Network Defense

Man In the Middle Attack (Bucket Brigade Attack)

Attacker reroutes traffic through itself. Example:

Victim connects to attacker:80, thinking that attacker is bank.com:80.

Attacker displays login screen from bank.com to victim.

Attacker goes to bank.com.

Page 154: Network Defense

Man In the Middle Attack (Bucket Brigade Attack)

Victim to Bank.com (intercepted by black hat)

Black Hat to Bank.com

Bank.com to black hat: Login Please

Black hat to victim: Login Please

Victim to black hat: Login sue user

Black hat to bank: Login sue user

Bank to Black Hat: Password Please

Black Hat to Victim: Password Please

Victim to black hat: Password is “fiddlesticks”

Black Hat to Bank: Password is “fiddlesticks”

Page 155: Network Defense

Man In the Middle AttackBucket Brigade Attack

Could be prevented with SSL, but only if the victim’s browser ascertains the certificate of the bank.

Page 156: Network Defense

Replay Attack

Remote authentication protocol: Instead of sending the password, the user sends the password encrypted.

Attacker sniffs the password exchange and now knows what to send.

Page 157: Network Defense

Reflection Attack

Simple, mutual authentication protocol based on capability to encrypt a challenge:

Alice: I am Alice. RA.

Bob: RB. EK(RA).

Alice: Hi Bob. EK(RB).

Bob: Hi Alice.

Reflection attack (Trudy opens a second session to get Bob to encrypt his own challenge):

Session 1 Trudy: I am Alice. RA.

Session 1 Bob: RB. EK(RA).

Session 2 Trudy: I am Alice. RB.

Session 2 Bob: RB’. EK(RB).

Session 1 Trudy: Hi Bob. EK(RB).

Session 1 Bob: Hi Alice.
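The exchange above, simulated as an added example that is not the lecture's code: EK is modelled with HMAC-SHA256 under an assumed shared key, Bob answers any challenge he is sent, and the bind_direction flag shows one textbook hardening (each side encrypts its own name with the challenge) that is not on the slide:

```python
"""The reflection attack on the slide's challenge-response protocol.

Added example, not from the lecture. E_K is modelled as HMAC-SHA256 under
the shared key K (the slide leaves the cipher unspecified; assumption).
Bob encrypts whatever challenge he is sent and remembers one outstanding
challenge RB per session. Trudy never learns K: she opens a second session
to make Bob compute E_K(RB) for her. bind_direction=True shows one
textbook hardening (not on the slide): each side encrypts its own name
together with the challenge, so Bob's answers cannot be replayed as
Alice's.
"""
import hashlib
import hmac
import secrets

KEY = b"constructed-shared-key-K"   # constructed sample key


def E(key: bytes, data: bytes) -> bytes:
    """Stand-in for E_K(.)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Bob:
    def __init__(self, key: bytes, bind_direction: bool = False):
        self.key, self.bind = key, bind_direction
        self.outstanding = {}            # session id -> RB issued there

    def proof(self, who: bytes, r: bytes) -> bytes:
        """E_K(R), or E_K(who || R) when direction binding is on."""
        return E(self.key, who + r if self.bind else r)

    def msg2(self, sid: str, ra: bytes):
        """'I am Alice. RA.' -> 'RB. E_K(RA).'"""
        rb = secrets.token_bytes(16)
        self.outstanding[sid] = rb
        return rb, self.proof(b"B", ra)

    def msg4(self, sid: str, response: bytes) -> bool:
        """'Hi Bob. E_K(RB).' -> accept iff it is what Alice would send."""
        rb = self.outstanding.pop(sid)
        return hmac.compare_digest(response, self.proof(b"A", rb))


def alice_session(bob: Bob, bind: bool = False) -> bool:
    """Honest run: Alice knows K and answers Bob's challenge herself."""
    ra = secrets.token_bytes(16)
    rb, proof_b = bob.msg2("alice", ra)
    if proof_b != E(KEY, b"B" + ra if bind else ra):   # Alice checks Bob first
        return False
    return bob.msg4("alice", E(KEY, b"A" + rb if bind else rb))


def trudy_reflection(bob: Bob) -> bool:
    """Trudy's two sessions, message for message as on the slide."""
    ra = secrets.token_bytes(16)
    rb, _ = bob.msg2("s1", ra)          # Session 1: "I am Alice. RA." -> RB, E_K(RB)
    _, reflected = bob.msg2("s2", rb)   # Session 2: "I am Alice. RB." -> RB', E_K(RB)
    return bob.msg4("s1", reflected)    # Session 1: "Hi Bob. E_K(RB)." -> "Hi Alice."
```

Against the plain protocol Trudy is accepted without knowing K; with direction binding Bob's reply in session 2 is E_K("B" || RB), which is not the E_K("A" || RB) he expects from Alice.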


Page 159: Network Defense

Protecting Networks: Terms of Trade

Border Router: First / last router under control of system administration.

DMZ: Demilitarized zone. Security is low, since it is not protected by the firewall. Locate webservers and other services there that generate potentially unsafe traffic.

Firewall: Filters packets based on a variety of rules.

Page 160: Network Defense

Protecting Networks: Terms of Trade

IDS: Intrusion Detection System.

NIDS: glean intrusion signatures from traffic.

HIDS: monitor activity at the host on which they are located.

VPN: Virtual private network.

Screened subnet: Area protected by an internal firewall.

Page 161: Network Defense

Protecting Networks: Terms of Trade

Configuration Management: Known vulnerabilities account for most of the actually perpetrated exploits. For most of them, patches were available but not installed. CM tries to enforce uniform security policies.

Backdoors: An entrance into the system that avoids perimeter defenses.

Page 162: Network Defense

Defense in Depth

Rule 1: Multitude of security measures. Do not rely on one security mechanism.

Page 163: Network Defense

Defense in Depth

Example: An external TCP packet passes: Internet perimeter router, Internet perimeter firewall, DMZ firewall, Network IPS, NetFlow (analyzes connections on the network), Antivirus scanner on host, Host IPS.

Page 164: Network Defense

Firewalls

Firewalls are perimeter defense: Keep the bad stuff outside, enjoy life inside.

Page 165: Network Defense

Filtering

Signature: Any distinctive characteristic that identifies something (with a high degree of probability).

Signature Types:

Atomic Signatures: A single packet, single event, or single activity is examined.

Stateful Signatures: State is needed when analyzing multiple pieces of information that are not available at the same time.

Page 166: Network Defense

Filtering

Atomic vs. Stateful Signatures

LAND attack: Attacker sends a TCP SYN packet with the same source and destination address. Caused TCP stacks to crash. Can be discovered looking at a single packet.

Search for the string “etc/passwd” in a URL: Attacker fragments the packet so that the string is not in either fragment. State is needed in order to recognize the attack.
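Both cases on this slide as detection logic over constructed traffic, an added example not from the lecture: packets are plain dicts here, the LAND check needs one packet, and the string search only succeeds once a minimal fragment reassembler (no overlap handling) has rebuilt the datagram:

```python
"""Atomic vs. stateful signatures on the slide's two examples.

Added example, not from the lecture. Packets are simple dicts constructed
here, not real captures. The LAND check needs one packet; the string
"etc/passwd" split across two IP fragments is only visible after the
fragments of a datagram (same src, dst, id) are reassembled by offset.
"""
SIGNATURE = b"etc/passwd"


def is_land(pkt: dict) -> bool:
    """Atomic: a TCP SYN whose source and destination address are equal."""
    return (pkt["proto"] == "tcp" and pkt.get("syn", False)
            and pkt["src"] == pkt["dst"])


def atomic_string_match(pkt: dict) -> bool:
    """Atomic: the signature must sit inside a single fragment."""
    return SIGNATURE in pkt["data"]


class Reassembler:
    """Stateful: collect fragments per (src, dst, id) until all bytes arrived."""

    def __init__(self):
        self.pending = {}    # key -> {"frags": {offset: data}, "total": int|None}

    def feed(self, pkt: dict):
        """Return the reassembled payload once the datagram is complete, else None."""
        key = (pkt["src"], pkt["dst"], pkt["id"])
        entry = self.pending.setdefault(key, {"frags": {}, "total": None})
        entry["frags"][pkt["offset"]] = pkt["data"]
        if not pkt["more"]:                    # last fragment fixes the length
            entry["total"] = pkt["offset"] + len(pkt["data"])
        total = entry["total"]
        if total is None or sum(map(len, entry["frags"].values())) < total:
            return None                        # still waiting for a fragment
        out = bytearray(total)
        for off, data in entry["frags"].items():
            out[off:off + len(data)] = data
        del self.pending[key]
        return bytes(out)


def stateful_string_match(fragments: list) -> bool:
    """Stateful: run the string search over the reassembled datagram."""
    r = Reassembler()
    for f in fragments:
        payload = r.feed(f)
        if payload is not None and SIGNATURE in payload:
            return True
    return False


# Constructed traffic: a LAND packet and a request split inside the signature.
LAND = {"proto": "tcp", "syn": True, "src": "10.0.0.5", "dst": "10.0.0.5"}
REQ = b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n"
CUT = REQ.index(SIGNATURE) + 4              # "etc/" | "passwd"
FRAGS = [{"src": "198.51.100.7", "dst": "10.0.0.8", "id": 1, "offset": 0,
          "more": True, "data": REQ[:CUT]},
         {"src": "198.51.100.7", "dst": "10.0.0.8", "id": 1, "offset": CUT,
          "more": False, "data": REQ[CUT:]}]
```

Neither fragment matches on its own, in whichever order they arrive; the match appears only on the reassembled datagram.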

Page 167: Network Defense

Filtering: Signature Triggers

Pattern Detection: Simple string search, e.g. search for the string “etc/passwd”. Protocol decoders search for the string only in protocol fields, e.g. an ARP request with source address FF:FF:FF:FF:FF:FF.

Anomaly Detection: Traffic going to an unusual port. Protocol compliance for HTTP traffic.

Behavior Detection: Abnormally large / small fragmented packets. Search for RPC requests that do not initially utilize the PortMapper.

Page 168: Network Defense

Filtering

Signature Actions: Generating an alert. Dropping / preventing an activity. Logging the activity. Resetting a TCP connection. Blocking future activity. Allowing the activity.

Page 169: Network Defense

Packet Filtering

Static Packet Filtering: Allow or deny access to packets based on internal characteristics.

Cisco extended ACL:

access-list 111 deny ip host 205.205.205.205.1 any
access-list 111 permit tcp host 205.205.205.205.1 any
access-list 111 deny icmp any any echo-request
access-list 111 permit icmp any any packet-too-big
access-list 111 deny icmp any any

Page 170: Network Defense

Static Packet Filtering

Difficult to design efficient rules. Easy to get the rule tables wrong and allow bad traffic.

Security risks:

People can piggy-back bad messages in harmless ones. HTTP traffic is known to be used as a backdoor. Loki uses unused fields in normal TCP packets.

Fragmentation allows the filter to look only at a fragment. Most only look at the first fragment.

Page 171: Network Defense

Static Packet Filtering

Configuring a packet filter:

Security policy: what is allowed, what is not allowed.

Allowable types of packets must be specified logically, in terms of logical expressions on packet fields.

Expressions need to be rewritten in the firewall vendor’s language.

Page 172: Network Defense

Static Packet Filtering

Example Security Policy:

Allow inbound mail messages (SMTP, port 25), but only to the gateway.

Block host faucet.

action  Our host  port  Their host  port  comment
block   *         *     faucet      *     We don’t trust these people.
allow   OUR-GW    25    *           *     Connection to our SMTP server

Page 173: Network Defense

Static Packet Filtering Example

If no rule applies, then the packet is dropped. Without additional rules, our rule set would drop all non-mail packets. There would also be no replies.

Beware of a rule like this (intended to allow acks), based solely on the outside host’s port number. Port 25 is usually the mail port, but there is no guarantee.

action  Our host  port  Their host  port  comment
allow   *         *     *           25    Connection to their SMTP port

Page 174: Network Defense

Static Packet Filtering

Example: Expand the rule set to allow connections with the outside:

action  Our host    port  Their host  port  Flag  comment
block   *           *     faucet      *
allow   OUR-GW      25    *           *
allow   (our host)  *     *           25          Our packets to their port
allow   *           25    *           *     ACK   Their replies

Specify the names of all machines allowed to send mail to the outside in the (our host) row.
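The rule tables from this slide and the previous one, evaluated by an added example that is not from the lecture. It assumes first match wins and default deny, and reads the “Their replies” row as matching their port 25 with ACK set (replies to a connection we opened to their port 25 return from that port), which is an assumption about the slide's column layout; host names and packets are constructed:

```python
"""Evaluate the slide's packet-filter tables: first match wins, default deny.

Added example, not from the lecture. RISKY is the slide-173 table whose last
rule trusts the outside port number alone; SAFER is the slide-174 table with
named mail hosts and an ACK-only reply rule (their port 25 with ACK set, an
assumption about how the "Their replies" row is meant). Packets and host
names below are constructed.
"""
from typing import NamedTuple


class Packet(NamedTuple):
    our_host: str
    our_port: int
    their_host: str
    their_port: int
    ack: bool = False


class Rule(NamedTuple):
    action: str
    our_host: str
    our_port: str
    their_host: str
    their_port: str
    flag: str = "*"          # "*" or "ACK"


def _match(pattern: str, value) -> bool:
    return pattern == "*" or pattern == str(value)


def decide(rules: list, pkt: Packet) -> str:
    """Walk the table top down; a packet no rule applies to is dropped."""
    for r in rules:
        if (_match(r.our_host, pkt.our_host) and _match(r.our_port, pkt.our_port)
                and _match(r.their_host, pkt.their_host)
                and _match(r.their_port, pkt.their_port)
                and (r.flag == "*" or pkt.ack)):
            return r.action
    return "block"


BASE = [Rule("block", "*", "*", "faucet", "*"),      # we don't trust these people
        Rule("allow", "OUR-GW", "25", "*", "*")]     # connection to our SMTP server

# Slide 173: trusts the outside port number alone.
RISKY = BASE + [Rule("allow", "*", "*", "*", "25")]

# Slide 174: only our mail hosts may open to their port 25; replies need ACK.
MAIL_HOSTS = ["OUR-GW", "mailhub"]                    # constructed host names
SAFER = (BASE + [Rule("allow", h, "*", "*", "25") for h in MAIL_HOSTS]
         + [Rule("allow", "*", "*", "*", "25", "ACK")])

# Constructed traffic
INBOUND_MAIL = Packet("OUR-GW", 25, "mx.example", 40000)
OUR_OUTBOUND = Packet("mailhub", 41000, "mx.example", 25)
THEIR_REPLY = Packet("mailhub", 41000, "mx.example", 25, ack=True)
PROBE_FROM_25 = Packet("fileserver", 23, "attacker.example", 25)  # new connection
FROM_FAUCET = Packet("OUR-GW", 25, "faucet", 40000)
```

PROBE_FROM_25 is the case the slide warns about: a fresh connection to our port 23 sails through RISKY because it was sent from port 25, while SAFER blocks it and still admits our own outbound mail and its replies.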

Page 175: Network Defense

Static Packet Filtering

Combating Address Spoofing. At a minimum:

Don’t allow inside source addresses coming in.

Don’t allow outside source addresses going out.

Block source routing at the border routers.

Page 176: Network Defense

Static Packet Filtering: Routing Information

If a node is unreachable from the outside, then the node is almost (but not quite) as safe as a node disconnected from the net.

Internal routers should not advertise paths to such nodes to the outside.

Filter routes learned from the outside: protects against subversion by route confusion.

Route squatting: Use internal addresses that belong to a different domain. The nodes are de facto unreachable from the outside. Use non-announced addresses (e.g. 10.x.x.x).

But beware: when companies merge, these addresses tend to be incompatible. So pick addresses in unpopular address ranges.

Page 177: Network Defense

Static Packet Filtering

Performance: Packet filtering is done at the border. No degradation for the internal network. Typically, the connection to the ISP is the bottleneck.

However: degradation depends on the number of rules applied. Can be mitigated by careful ordering of rules.

Page 178: Network Defense

Application Level Filtering

Packet filters only look at the source address, the destination address, TCP / UDP port numbers, and TCP / UDP flags.

Application filters deal with the details of the service they are checking. E.g. a mail application filter looks at RFC 822 headers and MIME attachments, and might identify virus-infected attachments.

Page 179: Network Defense

Application Level Filtering

Snort: Allows one to set up rules that pass a packet on to another service.

Commercial firewalls: Include application level filters for many products. Use non-disclosure agreements to obtain proprietary protocols.

Page 180: Network Defense

Dynamic Packet Filtering (Stateful Firewall)

Still looks at each packet. Maintains a state for each connection. Implements connection filtering. Dynamically adjusts a filtering table of current connections.

Implementation: Adjust the filtering rules dynamically. E.g.: We started an HTTP connection to a given host. Now HTTP packets from that host are allowed.

OR: Terminate the connection at the firewall and then have the firewall call the ultimate destination (proxying).

Page 181: Network Defense

Proxy Firewalls

Proxies act on behalf of a client.

Proxy firewall, Reverse Proxy: Receives packets on one card. Processes requests. Translates them into internal requests on the other card. Receives answers from inside and translates them to the outside.

Page 182: Network Defense

Proxy Firewalls

Proxy firewall, Forward Proxy: Receives requests from the inside. Processes requests. Translates them into requests to the outside on the other card. Receives answers from outside and translates them to the inside. Acts on behalf of the inside machine, which is protected from the vagaries of the internet.

Page 183: Network Defense

Proxy Firewalls

Application level proxies work at the level of the application.

Circuit-level proxies do not understand the application; they make filtering decisions by validating and monitoring sessions.

Page 184: Network Defense

Possible Configurations: Dual Homed Host

Figure: a dual-homed host acting as firewall between the Internet and the internal network.

Page 185: Network Defense

Possible Configurations: Screened Host Architecture

Figure: Internet, screening router, internal network with bastion host.

Router only allows traffic to the bastion host (screening router).

Bastion host sits on the internal network.

Bastion host works as proxy.

Page 186: Network Defense

Possible Configurations: Screened Subnet

Figure: Internet, exterior router (a.k.a. access router), perimeter network with bastion host, interior router (a.k.a. choke router), internal network.

Bastion host sits on the perimeter network.

Page 187: Network Defense

Possible Configurations

Attach bastion host(s) to the perimeter network (DMZ).

Two possibilities to allow access to the internet for internal hosts: Use exterior and interior router to filter packets. Use bastion host as proxy.

Page 188: Network Defense

Possible Configurations

O.K. to have many bastion hosts.

O.K. to merge interior and exterior router.

O.K. to merge bastion host and exterior router (performance of bastion host might not be sufficient).

O.K. to have many interior subnetworks.

O.K. to have many exterior routers.

O.K. to have multiple perimeter networks.

NOT O.K. to merge bastion host and interior router (bastion host becomes single point of failure).

NOT O.K. to use multiple interior routers (need to maintain the same policy on all interior routers).

Page 189: Network Defense

Securing Public Web Servers

Isolate the web server.

Figure labels: internet, firewall, webserver, firewall, SQL server, internal network; “Only SQL Protocol permitted”.

Page 190: Network Defense

Firewall Settings for DNS

Use a bastion host to host a fake DNS server. True DNS server on the interior network.

DNS query proceeds with DNS proxying:

Local DNS client goes to local DNS server (interior network).

Local DNS server sends query to bastion host (perimeter network).

Bastion host forwards query to internet DNS system.

Internet DNS system answers question to bastion host.

Bastion host forwards to real DNS server.

Real DNS server forwards to local DNS client.

Page 191: Network Defense

Hiding DNS Server

Figure: Internet, exterior router (a.k.a. access router), perimeter network with fake DNS server, interior router (a.k.a. choke router), internal network with true DNS server and local DNS client.

Page 192: Network Defense

Firewall Settings for DNS

Fake DNS server provides basic hostname and IP addresses for: machines in the perimeter network; machines in the interior network that someone on the outside needs to connect to; fake information on machines that can contact the outside world directly.

Page 193: Network Defense

Firewall Settings for DNS

Packet filtering on the internal router needs to allow:

DNS queries from the internal server to the bastion host server: UDP packets from port 53 on an internal host to port 53 on the bastion host; TCP packets from an ephemeral port on the internal host to port 53 on the bastion host.

Responses from the bastion host to the internal server: UDP packets from port 53 on the bastion host to port 53 on the internal server; TCP packets with ACK bit set from port 53 on the bastion host to ephemeral ports on the internal server.

DNS queries from bastion host DNS clients to the internal server: UDP and TCP packets from ephemeral ports on the bastion host to port 53 on the internal server.

Responses from the internal server to bastion host DNS clients: UDP and TCP packets with ACK bit from port 53 on the internal server to ephemeral ports on the bastion host.


Page 195: Network Defense

Application Inspection

Dynamic firewalls allow selective inspection of applications: HTTP, FTP, DNS, ICMP, …

Page 196: Network Defense

Application Inspection

DNS example (Cisco ASA DNS inspection): Guarantees that the ID of the DNS reply matches the ID of the DNS query. Allows translation of DNS packets using NAT. Reassembles DNS packets to verify their length.

Page 197: Network Defense

Application Inspection

SMTP (Cisco ASA protection): Protects against SMTP-based attacks by restricting the types of SMTP commands. An illegal command is modified and forwarded; typically, the receiver replies with an SMTP error 500 (command not recognized). Checks size, …

Page 198: Network Defense

Virtual Private Networks

Page 199: Network Defense

Virtual Private Networks

VPN uses connections over an existing public network.

Connection secured with encryption: Host to Host, Host to Gateway, Gateway to Gateway.

Page 200: Network Defense

Virtual Private Networks

Page 201: Network Defense

Virtual Private Networks

Encryption can be done at: Application level. Transport level. Network level. Data link level.

Page 202: Network Defense

Virtual Private Networks: VPN Technologies

Application Level: Pretty Good Privacy, Secure Shell (SSH).

Transport Level: Secure Socket Layer. Does not protect the packet, but its content. Typically runs at the application level of the OS, so the OS does not need to be changed.

Network Level: IPSec. Encrypts the packet itself. The encrypted packet receives a new packet header. IPSec protects the port address, but not the destination address. OS needs to be changed (but only once: Win2000, WinXP).

Data Link Level: Layer 2 Tunneling Protocol (L2TP), an addition to Point-to-Point Protocol (PPP). Encrypts packets on the data link layer.

Page 203: Network Defense

Virtual Private Networks

Alternatives are dedicated point-to-point connections such as a private T1 line. Most secure. Most expensive. Takes time to set up.