Network Layer: Internet Protocol (IP) Network Vulnerabilities...


Transcript of Network Layer: Internet Protocol (IP) Network Vulnerabilities...

Page 1: Network Layer: Internet Protocol (IP) Network Vulnerabilities 2cs.wellesley.edu/~cs342/fall10/lectures/20_networking_2... · 2012-09-03 · Network Layer: Internet Protocol (IP) IP


Network Vulnerabilities 2
Monday, November 15, 2010

Sources: S&M Ch. 5; Hacking TAOE Ch 0x400; Kurose & Ross, Computer Networking (the source of many illustrations); Skoudis, Counter Hack Reloaded.

Sources: Randy Shull’s Fall ‘05 CS242 Computer Networks slides; Daniel Bilar’s Fall ’06 CS342 slides on Network Attacks; Daniel Bilar’s Fall ’07 CS242 slides.

CS342 Computer Security
Department of Computer Science
Wellesley College

[Figure: the protocol stack. Application layer examples: HTTP, FTP, SMTP, POP3, IMAP, DNS. Transport layer: UDP, TCP. Network layer: IP (“You are here!”). Link layer: Ethernet, 802.11 WiFi.]

20-2

Network layer services

o The transport layer is responsible for application to application.

o The network layer is responsible for host to host.

o Determine the path taken by packets.

o Forwards packets from one router to the next in the path.

o Internet Protocol (IP) service model is best-effort delivery, but it makes no guarantees. Can drop packets!

20-3

Major IP components

20-4

Grouping related hosts

o The Internet is an “inter-network”

o Used to connect (sub)networks together, not hosts

o Needs a way to address a network (i.e., group of hosts)

[Figure: hosts on LAN 1 and hosts on LAN 2, each LAN attached to a router; the routers are connected across WANs. LAN = Local Area Network, WAN = Wide Area Network.]

20-5

Scalability challenge

o Suppose hosts had arbitrary addresses

o Then every router would need a lot of information

o …to know how to direct packets toward the host

[Figure: the same two-LAN picture with arbitrary host addresses (1.2.3.4, 5.6.7.8, 2.4.6.8, 1.2.3.5, 5.6.7.9, 2.4.6.9); a router’s forwarding table would need separate entries for 1.2.3.4 and 1.2.3.5.]

20-6


Classless Inter-Domain Routing (CIDR)

Use two 32-bit numbers to represent a network. Network number = IP address + Mask

IP Address: 12.4.0.0    IP Mask: 255.254.0.0

Address: 00001100 00000100 00000000 00000000
Mask:    11111111 11111110 00000000 00000000

(The 1 bits of the mask mark the Network Prefix; the 0 bits are for hosts.)

Written as 12.4.0.0/15

20-7

Scalability: Address Aggregation

Provider is given 201.10.0.0/21

[Figure: the provider hands out 201.10.0.0/22, 201.10.4.0/24, 201.10.5.0/24 and 201.10.6.0/23 to its customers.]

Routers in the rest of the Internet just need to know how to reach 201.10.0.0/21. The provider can direct the IP packets to the appropriate customer.

20-8

CIDR: Hierarchical Address Allocation

o Prefixes are key to Internet scalability

o Address allocated in contiguous chunks (prefixes)

o Routing protocols and packet forwarding based on prefixes

o Today, routing tables contain ~150,000-200,000 prefixes

[Figure: allocation tree. 12.0.0.0/8 is split into 12.0.0.0/16, 12.1.0.0/16, 12.2.0.0/16, 12.3.0.0/16, ..., 12.253.0.0/16, 12.254.0.0/16; 12.3.0.0/16 is split into 12.3.0.0/24, 12.3.1.0/24, ..., 12.3.254.0/24; 12.253.0.0/16 is split into 12.253.0.0/19, 12.253.32.0/19, 12.253.64.0/19, 12.253.96.0/19, 12.253.128.0/19, 12.253.160.0/19, ...]

20-9

CIDR: Address aggregation

Hierarchical addressing allows efficient advertisement of routing information:

[Figure: Fly-By-Night-ISP connects Organization 0 (200.23.16.0/23), Organization 1 (200.23.18.0/23), Organization 2 (200.23.20.0/23), ..., Organization 7 (200.23.30.0/23) and tells the Internet “Send me anything with addresses beginning 200.23.16.0/20”. ISPs-R-Us tells the Internet “Send me anything with addresses beginning 199.31.0.0/16”.]

20-10

CIDR: More specific address

Suppose Organization 1 moves to ISPs-R-Us:

[Figure: Fly-By-Night-ISP still connects Organization 0 (200.23.16.0/23), Organization 2 (200.23.20.0/23), ..., Organization 7 (200.23.30.0/23) and still tells the Internet “Send me anything with addresses beginning 200.23.16.0/20”. ISPs-R-Us now connects Organization 1 (200.23.18.0/23) and tells the Internet “Send me anything with addresses beginning 199.31.0.0/16 or 200.23.18.0/23”.]

20-11
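The CIDR arithmetic of the last few slides (network number = address AND mask, aggregation, and the longest-prefix rule that lets the more specific 200.23.18.0/23 win over 200.23.16.0/20), as an added example that is not part of the lecture; the prefixes and ISP names are the slides', the function names are my own.

```python
# Added example (not from the lecture slides): network numbers, address
# aggregation and longest-prefix-match forwarding, worked on the addresses
# from the CIDR slides. Plain bit arithmetic instead of the ipaddress
# module, so the "address AND mask" step is visible.

def ip_to_int(dotted):
    """Dotted quad text -> 32-bit integer (validates each octet)."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad IPv4 address: %r" % dotted)
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_mask(n):
    """Mask with the top n bits set: prefix_mask(15) == 0xFFFE0000."""
    return (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF

def mask_to_prefix_len(mask):
    """255.254.0.0 -> 15. Rejects non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask)
    n = bin(m).count("1")
    if m != prefix_mask(n):
        raise ValueError("non-contiguous mask: %s" % mask)
    return n

def network_number(address, mask):
    """Network number = IP address AND mask, written in CIDR notation."""
    n = mask_to_prefix_len(mask)
    return "%s/%d" % (int_to_ip(ip_to_int(address) & prefix_mask(n)), n)

def parse_prefix(cidr):
    """'201.10.0.0/21' -> (network as int, prefix length)."""
    addr, n = cidr.split("/")
    n = int(n)
    if not 0 <= n <= 32:
        raise ValueError("bad prefix length in %s" % cidr)
    return ip_to_int(addr) & prefix_mask(n), n

def contains(prefix, target):
    """True if target (an address or a prefix) lies entirely inside prefix."""
    net, n = parse_prefix(prefix)
    inner, m = parse_prefix(target) if "/" in target else (ip_to_int(target), 32)
    if m < n:
        return False              # target is a bigger block than prefix
    return (inner & prefix_mask(n)) == net

def longest_prefix_match(table, address):
    """table: list of (prefix, next_hop). Returns the next hop of the most
    specific matching prefix, or None when nothing matches."""
    best = None
    for prefix, next_hop in table:
        if contains(prefix, address):
            n = parse_prefix(prefix)[1]
            if best is None or n > best[0]:
                best = (n, next_hop)
    return best[1] if best else None

# Values from the slides: the provider's block and the customers it serves.
PROVIDER_BLOCK = "201.10.0.0/21"
CUSTOMERS = ["201.10.0.0/22", "201.10.4.0/24", "201.10.5.0/24", "201.10.6.0/23"]

# Routes the rest of the Internet holds before and after Organization 1 moves.
BEFORE_MOVE = [("200.23.16.0/20", "Fly-By-Night-ISP"),
               ("199.31.0.0/16", "ISPs-R-Us")]
AFTER_MOVE = BEFORE_MOVE + [("200.23.18.0/23", "ISPs-R-Us")]

def aggregation_is_valid(block, customers):
    """Every customer prefix must sit inside the block the provider announces."""
    return all(contains(block, c) for c in customers)

if __name__ == "__main__":
    print(network_number("12.4.0.0", "255.254.0.0"))        # 12.4.0.0/15
    print(aggregation_is_valid(PROVIDER_BLOCK, CUSTOMERS))   # True
    for addr in ("200.23.18.7", "200.23.20.1"):
        print(addr, longest_prefix_match(BEFORE_MOVE, addr),
              "->", longest_prefix_match(AFTER_MOVE, addr))
```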

IPv4 datagram format

[Figure: IPv4 header, 20 bytes w/o options, with annotations: version (IPv4 vs. IPv6); type of service (“deluxe or economy?”); total length (header + data); identifier, flags, fragment offset (for breaking large datagrams into fragments); time-to-live (decremented by each router; TTL = 0 marks end of the line); upper-layer protocol (demultiplexing: TCP (6), UDP (17)); header checksum (recalculated at each router; corrupted packets discarded).]

20-12


Time-to-Live (TTL)

o Potential robustness problem
  o Forwarding loops can cause packets to cycle forever
  o Confusing if the packet arrives much later

o Time-to-live field in packet header
  o TTL field decremented by each router on the path
  o Packet is discarded when TTL field reaches 0…
  o …and “time exceeded” message is sent to the source

20-13

Major IP components

20-14

ICMP (Internet Control Message Protocol)

o IP network “feedback” messages

o Used to report problems with delivery of IP packets within IP networks, also for queries

o Encapsulated in an IP packet

o Not authenticated!

20-15

Basic ICMP Message Types

Type  Code  Desc                                           Query/Error
0     0     Echo reply (e.g. ping)                         Q
3     1     Host unreachable                               E
3     3     Port unreachable (see traceroute)              E
8     0     Echo request (e.g. ping)                       Q
11    0     Time-to-live is zero during transit            E
            (see traceroute)

Message types: 40 assigned, 255 possible, ~25 in use

20-16

ICMP: traceroute

o Traceroute attempts to measure delay from source to each router along an Internet path towards destination.

o Traceroute sends ordinary messages to dest with TTLs of 1, 2, 3, … and times them until notified of their demise. The host where the message expires phones home (type 11 code 0) with the sad news. Sends three packets for each TTL value.

[Figure: 3 probes sent with each TTL value.]

o One of the datagrams will eventually make it all the way to the destination host. Because this datagram contains a UDP segment with an unlikely port number, the destination host sends a port unreachable ICMP message (type 3 code 3) back to the source. When the source receives this ICMP message, it knows it does not need to send additional probe packets.

20-17

Traceroute from gaia.cs.umass.edu

1 cs-gw (128.119.240.254) 1 ms 1 ms 2 ms
2 border1-rt-fa5-1-0.gw.umass.edu (128.119.3.145) 1 ms 1 ms 2 ms
3 cht-vbns.gw.umass.edu (128.119.3.130) 6 ms 5 ms 5 ms
4 jn1-at1-0-0-19.wor.vbns.net (204.147.132.129) 16 ms 11 ms 13 ms
5 jn1-so7-0-0-0.wae.vbns.net (204.147.136.136) 21 ms 18 ms 18 ms
6 abilene-vbns.abilene.ucaid.edu (198.32.11.9) 22 ms 18 ms 22 ms
7 nycm-wash.abilene.ucaid.edu (198.32.8.46) 22 ms 22 ms 22 ms
8 62.40.103.253 (62.40.103.253) 104 ms 109 ms 106 ms
9 de2-1.de1.de.geant.net (62.40.96.129) 109 ms 102 ms 104 ms
10 de.fr1.fr.geant.net (62.40.96.50) 113 ms 121 ms 114 ms
11 renater-gw.fr1.fr.geant.net (62.40.103.54) 112 ms 114 ms 112 ms
12 nio-n2.cssi.renater.fr (193.51.206.13) 111 ms 114 ms 116 ms
13 nice.cssi.renater.fr (195.220.98.102) 123 ms 125 ms 124 ms
14 r3t2-nice.cssi.renater.fr (195.220.98.110) 126 ms 126 ms 124 ms
15 eurecom-valbonne.r3t2.ft.net (193.48.50.54) 135 ms 128 ms 133 ms
16 194.214.211.25 (194.214.211.25) 126 ms 128 ms 126 ms
17 * * *
18 * * *
19 fantasia.eurecom.fr (193.55.113.142) 132 ms 128 ms 136 ms

(Each line shows 3 delay measurements for that hop; the jump in delay between hops 7 and 8 is the trans-oceanic link; “* * *” means no response.)

20-18
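The TTL and traceroute exchange from the two slides above, simulated end to end, as an added example that is not part of the lecture: routers decrement TTL and send type 11 code 0 when it hits zero, the destination answers the UDP probe with type 3 code 3, and a router that never replies shows up as “* * *”. The path, delays and the probe port are constructed; the first two hop addresses are taken from the slide’s output.

```python
# Added example (not from the slides): a simulation of the traceroute exchange
# described above. The routers, the destination host and the per-hop delays are
# constructed here; the ICMP type/code values are the ones on the slides.

ICMP_TIME_EXCEEDED = (11, 0)      # TTL reached zero in transit
ICMP_PORT_UNREACHABLE = (3, 3)    # no process listening on the UDP port
PROBE_PORT = 33434                # constructed "unlikely" UDP port for the probes

class Router:
    def __init__(self, name, ip, delay_ms, silent=False):
        self.name, self.ip, self.delay, self.silent = name, ip, delay_ms, silent

    def handle(self, packet):
        """Decrement TTL; reply with time exceeded when it hits 0 (unless this
        router is configured not to send ICMP, which shows up as * * *)."""
        packet["ttl"] -= 1
        if packet["ttl"] > 0:
            return "forward", None
        if self.silent:
            return "drop", None
        return "reply", (ICMP_TIME_EXCEEDED, self.ip)

class Host:
    def __init__(self, name, ip, delay_ms, listening_udp_ports=()):
        self.name, self.ip, self.delay = name, ip, delay_ms
        self.ports = set(listening_udp_ports)

    def handle(self, packet):
        """A delivered probe either reaches a listener (no ICMP at all) or
        triggers port unreachable, which tells the source it has arrived."""
        if packet["udp_port"] in self.ports:
            return "drop", None
        return "reply", (ICMP_PORT_UNREACHABLE, self.ip)

def send_probe(path, ttl):
    """Carry one probe along path (routers..., destination host). Returns
    (responder_ip, icmp_type_code, rtt_ms); all None if nothing came back."""
    packet = {"ttl": ttl, "udp_port": PROBE_PORT}
    elapsed = 0
    for node in path:
        elapsed += node.delay
        action, reply = node.handle(packet)
        if action == "reply":
            return reply[1], reply[0], 2 * elapsed     # there and back
        if action == "drop":
            return None, None, None
    return None, None, None                           # ran off the end of the path

def traceroute(path, max_ttl=30, probes=3):
    """Send `probes` packets per TTL, starting at 1, until a port unreachable
    arrives. Returns rows of (ttl, responder_ip or None, [rtt or None, ...])."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        responder, rtts, reached = None, [], False
        for i in range(probes):
            ip, icmp, rtt = send_probe(path, ttl)
            if ip is None:
                rtts.append(None)
                continue
            responder = ip
            rtts.append(rtt + i)              # constructed jitter so the 3 values differ
            reached = reached or icmp == ICMP_PORT_UNREACHABLE
        rows.append((ttl, responder, rtts))
        if reached:
            break
    return rows

def format_row(row):
    """Same layout as the slide's output (minus the reverse-DNS name)."""
    ttl, ip, rtts = row
    parts = [str(ttl)] + ([ip] if ip else [])
    parts += ["*" if r is None else "%d ms" % r for r in rtts]
    return " ".join(parts)

# Constructed path: the first two hops reuse addresses from the slide's output,
# the third router never answers, the destination is 193.55.113.142.
PATH = [Router("cs-gw", "128.119.240.254", 1),
        Router("border1", "128.119.3.145", 1),
        Router("quiet-core", "198.51.100.1", 5, silent=True),
        Host("fantasia", "193.55.113.142", 10)]

if __name__ == "__main__":
    for row in traceroute(PATH):
        print(format_row(row))
```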


ICMP: echo (a.k.a. ping)

o Source host sends an echo request (“ping”, type 8 code 0)

o The destination host replies to source IP of request with echo reply (“pong”, type 0 code 0)

o Data received in the echo message must be returned in the echo reply.

o How can this be abused? (ping flood!)

[fturbak@puma ~] ping cardinal.wellesley.edu
PING cardinal.wellesley.edu (149.130.136.43) 56(84) bytes of data.
64 bytes from cardinal.wellesley.edu (149.130.136.43): icmp_seq=1 ttl=64 time=1.01 ms
64 bytes from cardinal.wellesley.edu (149.130.136.43): icmp_seq=2 ttl=64 time=0.466 ms
64 bytes from cardinal.wellesley.edu (149.130.136.43): icmp_seq=3 ttl=64 time=0.390 ms
64 bytes from cardinal.wellesley.edu (149.130.136.43): icmp_seq=4 ttl=64 time=0.292 ms

20-19

IP Spoofing

o Nothing prevents you from physically mailing a letter with an invalid return address, or someone else’s, or your own.

o Likewise, packets can be inserted in the network with invalid or other IP addresses.

Any node can send packets pretending to be from any IP address.

Attacker might not get replies if spoofing a host on a different subnet. For some attacks this is not important. For others, like TCP hijacking attacks, it is important.

20-20

Smurf: Overview

Echo request with spoofed source address 172.20.20.250 to 192.168.1.255 (broadcast address of subnet 192.168.1.x)

All live hosts at subnet 192.168.1.x respond with echo reply .. to 172.20.20.50

20-21

Bandwidth DoS Attacks: Smurf, Fraggle, UDP Flood

o One level of indirection

o Goal: Overwhelm the victim, leading to Denial of Service (DoS)

o Attack: Ping a broadcast address, with the (spoofed) IP of a victim as source address. All hosts on the network respond to the victim. If large subnet allows broadcasting, can get large number of responses – e.g. ~64K for 16 bit subnet.

o Mechanism: Reflection (amplification), IP spoofing and protocol vulnerability

o Implementation can be “patched” by violating the protocol specification, to ignore pings to broadcast addresses

o Fraggle is similar, using UDP echo service instead of ICMP.

o UDP Flood: send UDP packet to random victim port; generates ICMP “destination unreachable” packet to forged source address

20-22

Bandwidth DoS Attack: UDP Ping-Pong

o Attack: Spoof a packet from Victim1's chargen service to Victim2's echo service (chargen service replies with a UDP packet to any incoming packet)

o Goal: Computers keep replying to each other as fast as they can

[Figure: Attacker sends one spoofed packet; Victim 1 and Victim 2 then bounce packets between each other.]

20-23

Evolution of DoS Attacks: DDoS

o DDoS: Distributed Denial Of Service

o Attack against bandwidth and/or resources (like before) using two (or more) levels of indirection!

[Figure: Attacker: used to coordinate attack. Handler: controls subservient computers. Agents: Actually do the attack.]

20-24


DDoS examples

TRINOO: Sends UDP floods to random destination port numbers on victim

TFN: Sends UDP flood, TCP SYN Flood, ICMP Echo Flood, or a SMURF Attack. Master communicates to daemon using ICMP echo reply, changes IP identification number and payload of ICMP echo reply to identify type of attack to launch

TFN2k: First DDOS for windows. Communication between master and agents can be encrypted over TCP, UDP, or ICMP with no identifying ports

STACHELDRAHT: Combination of Trinoo and TFN

Authority on analysis of DDoS is Dittrich at University of Washington http://staff.washington.edu/dittrich/misc/ddos

20-25

Major IP components

20-26

IP fragmentation and reassembly

o Some link-layer protocols carry “big” packets; some do not.

o The maximum amount of data a link-layer packet can hold is called its maximum transfer unit (MTU).

o What to do when a packet arriving at the in link is too big to fit into the out link?

[Figure: fragmentation: 1 large datagram in, 3 smaller datagrams out; reassembly at destination.]

20-27

Fragmentation details

Suppose a 4000 byte datagram arriving at a router’s incoming link is to be shipped out an outgoing link whose MTU equals 1500 bytes. One large datagram becomes several smaller datagrams:

ID  offset  fragflag  length
x   0       0         4000    (the original datagram)
x   0       1         1500
x   185     1         1500
x   370     0         1040

20-28

Fragmentation Ripe for Exploits

o Have to keep track of all fragments until packet is reassembled

o Resource allocation is necessary before all validation is possible

o Lots of fragments from different packets can exhaust available memory; perfect grounds for resource exhaustion attacks.

o Implementation is tricky. Incorrect implementations can be coaxed into crashing machine (another kind of Denial of Service attack).

o What do you do if you never get the last missing piece?

o What do you do when you get packets out-of-order?
  o This is a legitimate situation as per RFCs

o What do you do if you get overlapping fragments?

o What do you do if the last byte of a fragment would go over the maximum size of an IP packet, i.e., if the size of all reassembled fragments is larger than the maximum size of an IP packet?

20-29

Implementation Attack: Ping of Death

o Attack: Send ICMP echo with fragmented packets: ping -L 65510 <victim IP address>

o Maximum legal size of an ICMP echo packet: 65535 - 20 - 8 = 65507

o Fragmentation allows bypassing the maximum size: (offset + size) > 65535

o Reassembled packet would be larger than 65535 bytes

o Goal: OS crash

See http://insecure.org/sploits/ping-o-death.html

20-30


Implementation Attack: Teardrop

o IP packet can be broken, is called ‘fragmentation’. Fragmented (i.e. broken) packet is reassembled using offset fields

o Attack: Send fragments that overlap

o Goal: Crash, reboot and hang machine

[Figure: normal fragment concatenation vs. overlapping fragments.]

20-31

Teardrop: Mechanism

Deep in the protocol implementation, in ip_fragment.c@531 (ca. 1997):

    if (prev != NULL && offset < prev->end)   // if there are overlapping fragments
    {
        i = prev->end - offset;
        offset += i;   /* ptr into datagram */
        ptr += i;      /* ptr into fragment data */
        // advance to the end of the previous fragment
    }

[Figure: First and Second fragments laid out by offset; prev->end is the end of the First; the Second’s offset (before) lies inside the First and is moved up to prev->end (after); “Copy this” marks the data from the adjusted offset to the Second’s end.]

Teardrop Attack

o Create second fragment that fits entirely within first, so offset now points outside of the second datagram's buffer!

o Program calculates the number of bytes to copy
  • fp->len = end - offset;
  • Very large unsigned number! Can write huge number of bytes in places they’re not supposed to be, causing machine to crash.

[Figure: First and Second fragments; the Second’s end lies before prev->end, so the adjusted offset is past end.]
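The fragmentation arithmetic from the “Fragmentation details” slide and the reassembly checks that the “Ripe for Exploits”, Ping of Death and Teardrop slides call for, as an added example that is not code from the lecture or from any kernel. The 4000-byte/1500-MTU numbers are the slide’s; the timeout, the buffer bound and the 32-bit unsigned modelling of the 1997 copy-length bug are my assumptions.

```python
# Added example (not from the slides): the fragmentation arithmetic from the
# "Fragmentation details" slide, and a reassembler that applies the checks the
# "Ripe for Exploits", Ping of Death and Teardrop slides ask for. Sizes and
# timeouts are constructed; vulnerable_copy_len models the 1997 code's
# end - offset with 32-bit unsigned arithmetic (an assumption about the width
# of the size passed to the copy).

IP_HEADER = 20
MAX_DATAGRAM = 65535          # the total-length field is 16 bits

def fragment(total_length, mtu, ident):
    """Split a datagram (header included in total_length) for a link with the
    given MTU. Offsets are in 8-byte units, as in the IP header."""
    payload = total_length - IP_HEADER
    chunk = (mtu - IP_HEADER) // 8 * 8           # per-fragment payload, multiple of 8
    frags, pos = [], 0
    while pos < payload:
        size = min(chunk, payload - pos)
        frags.append({"id": ident, "offset": pos // 8, "length": IP_HEADER + size,
                      "more_fragments": pos + size < payload})
        pos += size
    return frags

def vulnerable_copy_len(prev_end, offset, end):
    """What the 1997 code computed: after moving offset up to prev->end, the
    copy length end - offset is interpreted as unsigned."""
    if offset < prev_end:
        offset = prev_end
    return (end - offset) & 0xFFFFFFFF

class Reassembler:
    """Buffers fragments per datagram id and validates each one on arrival."""
    def __init__(self, timeout_s=30, max_buffered_bytes=1 << 20):
        self.timeout, self.max_buffered = timeout_s, max_buffered_bytes
        self.buffers = {}     # id -> {"parts": [(start, end)], "total": int|None, "seen": t}

    def add(self, frag, now):
        """Returns "complete", "pending" or "rejected: <reason>"."""
        start = frag["offset"] * 8
        end = start + frag["length"] - IP_HEADER
        # Ping of Death: reassembled datagram would exceed 65535 bytes
        if IP_HEADER + end > MAX_DATAGRAM:
            return "rejected: offset + size exceeds 65535"
        buf = self.buffers.setdefault(frag["id"], {"parts": [], "total": None, "seen": now})
        # Teardrop: overlap with anything already held (the vulnerable code
        # trimmed the overlap instead and miscomputed the copy length)
        if any(start < e and s < end for s, e in buf["parts"]):
            del self.buffers[frag["id"]]
            return "rejected: overlapping fragment"
        # Resource exhaustion: bound the memory tied up by incomplete datagrams
        if self.buffered_bytes() + (end - start) > self.max_buffered:
            return "rejected: reassembly buffer full"
        buf["parts"].append((start, end))
        if not frag["more_fragments"]:
            buf["total"] = end
        if self._complete(buf):
            del self.buffers[frag["id"]]
            return "complete"
        return "pending"             # out of order is fine; wait for the rest

    @staticmethod
    def _complete(buf):
        if buf["total"] is None:
            return False
        pos = 0
        for s, e in sorted(buf["parts"]):
            if s != pos:
                return False
            pos = e
        return pos == buf["total"]

    def buffered_bytes(self):
        return sum(e - s for b in self.buffers.values() for s, e in b["parts"])

    def expire(self, now):
        """Drop datagrams whose missing piece never arrived. Returns their ids."""
        dead = [i for i, b in self.buffers.items() if now - b["seen"] > self.timeout]
        for i in dead:
            del self.buffers[i]
        return dead

if __name__ == "__main__":
    for f in fragment(4000, 1500, "x"):
        print(f)
    r = Reassembler()
    print([r.add(f, 0) for f in reversed(fragment(4000, 1500, "x"))])
    print(hex(vulnerable_copy_len(prev_end=36, offset=24, end=27)))
```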

Attack classifications

o Effect
  o Bandwidth depletion: Flood the victim network with unwanted traffic that prevents legitimate traffic from reaching the victim system
  o Resource depletion: Tie up the resources of a victim host or crash victim.

o Vector
  o Direct: attacking host sends directly to victim machine
  o Reflector (indirect): Intermediate nodes are used as attack hosts

o Mechanism
  o Protocol design
  o Protocol implementation

[Figure: Direct vs. Reflector attack paths.]

20-34

Major IP components

20-35

Routing Protocols

o For scalability reasons, networks are decomposed into Autonomous Systems (ASes). ISP may have one or many of these.

o The forwarding tables that routers use to forward packets are determined by two kinds of routing protocols:
  • Intra-AS routing protocols (e.g., RIP, OSPF) for internal dests.
  • Inter-AS routing protocols (e.g., BGP) for external dests.

[Figure: three autonomous systems AS1, AS2, AS3 connected by inter-AS links.]

20-36


BGP: AS Advertisements

o BGP allows subnet to advertise “I am here” to rest of Internet.

o BGP determines “good” routes to subnets based on reachability information and policy.

o When AS2 advertises a prefix to AS1:
  • AS2 promises it will forward datagrams towards that prefix.
  • AS2 can aggregate prefixes in its advertisement

AS2 advertises to AS1:
  Destination: 138.16.64/24
  AS-PATH: AS2
  NEXT-HOP: IP address of 2a’s interface to AS3.

AS1 advertises to AS3:
  Destination: 138.16.64/24
  AS-PATH: AS1; AS2
  NEXT-HOP: IP address of 1c’s interface to AS3.

20-37

BGP Routing Policy

[Figure: provider networks A, B, C and customer networks W, X, Y (W attached to A; X attached to both B and C). Legend: customer network, provider network.]

o Inter-AS routing determined by a combination of performance and policy.

o Suppose X does not want to route from B via X to C. Then it will not advertise to B a route to C

o Suppose A advertises path AW to B and B advertises path BAW to X. Should B advertise path BAW to C?
  • No way! B wants to route only to/from its customers! B gets no “revenue” for routing CBAW since neither W nor C are B’s customers
  • Instead, B wants to force C to route to W via A

20-38

BGP Insecurities

Problem: ISPs can share bad BGP advertisements with rest of Internet

o Dec. 24, 2004: TTNet in Turkey accidentally pretends to be entire Internet. All traffic is routed there, but can’t be handled, so there are widespread Internet outages.

o Jan 22, 2006: ConEdison accidentally “steals” several net prefixes by making false BGP advertisements.

o Feb 26, 2008: Pakistan Telecommunication Authority orders country’s ISPs to block YouTube for anti-Islamic video. They create BGP advertisements that redirect YouTube’s IP address to nonexistent destinations. These advertisements are given to service provider, Hong Kong’s PCCW, which doesn’t validate it, and shares it with other ISPs. Since they were more precise than YouTube’s own advertisements, they take precedence and effectively block YouTube from world (“YouTube outage underscores big Internet problem”, http://www.infoworld.com/print/32702 ; renesys blog, http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube_1.shtml)

o Thus far, BGP-caused outages have been accidental, but similar attacks from governments and criminals possible.

20-39
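A simplified BGP speaker, added here as an example that is not part of the lecture, tying the three BGP slides together: the customer/provider export rule from the routing-policy slide, shortest AS-PATH among routes for one prefix, the most specific prefix winning at forwarding time (which is why the more precise advertisements in the 2008 incident took precedence), and the prefix-origin check the slide says PCCW did not perform. AS numbers and prefixes are constructed (documentation ASNs, private address space), not the real ones from the incident; `BgpRouter`, `export_allowed` and `run_scenario` are my names.

```python
# Added example (not from the slides): a simplified BGP speaker. Not a real
# BGP implementation; AS numbers and prefixes are constructed.
import ipaddress

def export_allowed(learned_from, to):
    """Policy from the slide: B carries traffic only to/from its customers, so a
    route learned from a provider or peer is never exported to another provider
    or peer. Relationship labels: "customer", "provider", "peer"."""
    return learned_from == "customer" or to == "customer"

class BgpRouter:
    def __init__(self, asn, registry=None):
        self.asn = asn
        self.registry = registry or {}   # prefix -> AS authorised to originate it
        self.routes = {}                 # prefix -> [(as_path, neighbour_asn)]
        self.rejected = []

    def origin_authorised(self, prefix, origin):
        """Any prefix inside a registered block must come from that block's
        registered origin AS; unregistered space is not checked."""
        net = ipaddress.ip_network(prefix)
        for reg_prefix, reg_origin in self.registry.items():
            if net.subnet_of(ipaddress.ip_network(reg_prefix)):
                return origin == reg_origin
        return True

    def receive(self, prefix, as_path, neighbour):
        """Import an advertisement. as_path[0] is the neighbour, as_path[-1] the origin."""
        if self.asn in as_path:
            self.rejected.append((prefix, as_path, "loop"))
            return False
        if not self.origin_authorised(prefix, as_path[-1]):
            self.rejected.append((prefix, as_path, "origin not authorised"))
            return False
        self.routes.setdefault(prefix, []).append((tuple(as_path), neighbour))
        return True

    def best(self, prefix):
        """Among routes to the same prefix, prefer the shortest AS-PATH."""
        cands = self.routes.get(prefix)
        return min(cands, key=lambda r: len(r[0])) if cands else None

    def lookup(self, ip):
        """Forwarding: longest matching prefix, whatever its AS-PATH length."""
        addr = ipaddress.ip_address(ip)
        matches = [p for p in self.routes if addr in ipaddress.ip_network(p)]
        if not matches:
            return None
        prefix = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
        return prefix, self.best(prefix)[0]

# Constructed actors: the legitimate origin of a /22, an AS announcing a more
# specific /24 out of it, a transit AS, and the router we observe.
LEGIT, HIJACKER, TRANSIT, ME = 64500, 64501, 64502, 64503
VICTIM_BLOCK = "10.20.0.0/22"
MORE_SPECIFIC = "10.20.1.0/24"

def run_scenario(validate_origin):
    """Return (prefix, as_path, rejected) our router ends up with for 10.20.1.5
    after receiving the legitimate /22 twice and the bogus /24 once."""
    registry = {VICTIM_BLOCK: LEGIT} if validate_origin else {}
    me = BgpRouter(ME, registry)
    me.receive(VICTIM_BLOCK, [TRANSIT, LEGIT], TRANSIT)              # 2 hops, legitimate
    me.receive(VICTIM_BLOCK, [HIJACKER, TRANSIT, LEGIT], HIJACKER)   # longer path, same prefix
    me.receive(MORE_SPECIFIC, [HIJACKER], HIJACKER)                  # 1 hop, wrong origin
    prefix, path = me.lookup("10.20.1.5")
    return prefix, path, me.rejected

if __name__ == "__main__":
    print("unfiltered:", run_scenario(False))
    print("filtered:  ", run_scenario(True))
    print(export_allowed("provider", "peer"), export_allowed("customer", "peer"))
```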

Daniel Bilar’s Summary

o The ‘glue’ of the Internet (TCP/IP protocol and associated services like DNS) was predicated towards communication (and limited recovery from random errors, i.e. noise)

o Security (confidentiality, authentication, recovery from deliberate errors, i.e. attacks) was an afterthought

o As such, strong assumptions were made while designing, implementing and running the protocols

This makes attacks against the TCP/IP protocol and implementation, as well as network services such as DNS, relatively easy and feasible

20-40

[Figure: the protocol stack again. Application layer examples: HTTP, FTP, SMTP, POP3, IMAP, DNS. Transport: UDP, TCP. Network: IP. Link Layer: Ethernet, 802.11 WiFi (“You are here!”).]

20-41

The link layer

o The transport layer provides communication of segments between two processes.

o The network layer provides communication of datagrams between two hosts.

o The link layer provides communication of frames between two network nodes (routers or hosts) connected by a link (i.e. can communicate directly with each other).

20-42


Link layer protocols

Lots of them, including Ethernet, 802.11 wireless LAN (WiFi), token ring, PPP, HDLC, and ATM. Different links in a path may use different protocols. Responsibilities include one or more of following:

framing
link access
reliable delivery
flow control
bit-level error detection (and possibly error correction)
half-duplex vs. full-duplex

20-43

Adapters

o The link-layer protocol is implemented in an adapter, a board containing RAM, DSP chips, host bus interface, and a link interface.

20-44

Multiple Access Protocols

Key technical problem: when two or more nodes transmit frames at the same time, the frames collide and both transmissions are lost.

There are several solutions to this problem, which involve detecting collisions and retransmitting. See CS242 for details.

20-45

LAN Addressing

o LANs transmit frames over a broadcast channel using LAN addresses.

o On the receiving end,
  o If a destination address matches the node’s LAN address, it extracts the network-layer datagram and passes it up the protocol stack.
  o If the destination address doesn’t match, the node discards the frame.

23-46

MAC address

o A LAN node’s MAC (Medium Access Control) address (a.k.a physical, Ethernet or LAN) properly belongs to its adapter.

o Generally 48 bits long, the address is intended to be permanent unique ID burnt into the adapter’s ROM. (But we’ll see that in practice it’s changeable!)

o LAN addresses have a flat structure (portable), as opposed to the IP hierarchical structure (routable).

o For Ethernet and token-passing LANs, broadcast MAC address is string of 48 1s: FF-FF-FF-FF-FF-FF.

o IEEE manages address space – allocates 1st 24 bits to manufacturers, who can use last 24 bits

20-47

MAC Address vs. IP Address

o MAC addresses: “Physical address”, Layer 2
  o Hard-coded in ROM of network interface card
  o Similar to social security number (almost unique, immutable)
  o .. but flat name space of 48 bits (e.g., 00-0E-9B-6E-49-76)
  o Stays the same when host moves
  o Used to get packet between interfaces on same network

o IP addresses: “Logical address”, Layer 3
  o Can be configured manually or learned dynamically
  o Similar to postal mailing address (change of address is easy)
  o Hierarchical name space of 32 bits (e.g., 12.178.66.9)
  o May change depending on where the host is attached
  o Used to get a packet to any destination IP subnet

20-48


Example: MAC/IP addresses

[Figure: LAN 137.196.7.0/24 with four hosts, IP addresses 137.196.7.78, 137.196.7.23, 137.196.7.14 and 137.196.7.88; each host has a NIC adapter with a MAC address (1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53).]

20-49

ARP: Address Resolution Protocol

Question: how to determine MAC address of B knowing B’s IP address?

o Each IP node (host, router) on LAN has ARP table

o ARP table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL>

o TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

[Figure: the same LAN with hosts 137.196.7.78, 137.196.7.23, 137.196.7.14, 137.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53.]

20-50

ARP protocol: Same LAN (network)

o A wants to send datagram to B, and B’s MAC address not in A’s ARP table.

o A broadcasts ARP query packet, containing B's IP address
  o dest MAC address = FF-FF-FF-FF-FF-FF
  o all machines on LAN receive ARP query

o B receives ARP packet, replies to A with its (B's) MAC address
  o frame sent to A’s MAC address (unicast)

o A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  o soft state: information that times out (goes away) unless refreshed

o ARP is “plug-and-play”:
  o nodes create their ARP tables without intervention from net administrator

20-51

Addressing: routing to another LAN

send datagram from A to B via R; assume A knows B’s IP address

[Figure: A (111.111.111.111, MAC 74-29-9C-E8-FF-55) and another host (111.111.111.112, CC-49-DE-D0-AB-7D) on the 111.111.111 LAN; router R with interfaces 111.111.111.110 (E6-E9-00-17-BB-4B) and 222.222.222.220 (1A-23-F9-CD-06-9B); B (222.222.222.222, 49-BD-D2-C7-56-2A) and another host (222.222.222.221, 88-B2-2F-54-1A-0F) on the 222.222.222 LAN.]

two ARP tables in router R, one for each IP network (LAN)

Should A address the message to B’s physical address, 49-BD-D2-C7-56-2A?

20-52

o A creates IP datagram with source A, destination B

o A uses ARP to get R’s MAC address for 111.111.111.110

o A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram

o A’s NIC sends frame

o R’s NIC receives frame

o R removes IP datagram from Ethernet frame, sees it's destined to B

o R uses ARP to get B’s MAC address

o R creates frame containing A-to-B IP datagram, sends to B

[Figure: the same two-LAN picture with R in the middle (interfaces 111.111.111.110 / E6-E9-00-17-BB-4B and 222.222.222.220 / 1A-23-F9-CD-06-9B), A (111.111.111.111 / 74-29-9C-E8-FF-55) and B (222.222.222.222 / 49-BD-D2-C7-56-2A).]

20-53
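The A-to-B-via-R delivery walked through above, as an added example that is not code from the lecture: each node keeps an ARP table as soft state with a TTL, resolves the next hop on its own LAN (the router for an off-subnet destination), and the frame’s MAC addresses change at each hop while the datagram’s IP addresses do not. IP and MAC addresses are the slide’s; the ARP timeout, the clock and the class names are my assumptions.

```python
# Added example (not from the slides): the A-to-B-via-R delivery walked through
# above, with a TTL-bounded ARP cache on every node. IP and MAC addresses are
# the ones on the slide; the ARP timeout and the clock are constructed.
import ipaddress
from collections import namedtuple

Datagram = namedtuple("Datagram", "src_ip dst_ip")
Frame = namedtuple("Frame", "dst_mac src_mac datagram")
BROADCAST = "FF-FF-FF-FF-FF-FF"

class Lan:
    def __init__(self, cidr):
        self.net = ipaddress.ip_network(cidr)
        self.nodes, self.arp_queries = [], 0

    def attach(self, node):
        self.nodes.append(node)
        node.lans.append(self)

    def arp_query(self, ip):
        """Broadcast to FF-FF-FF-FF-FF-FF: every node sees it, only the owner answers."""
        self.arp_queries += 1
        for node in self.nodes:
            if ip in node.interfaces:
                return node.interfaces[ip]
        return None

    def node_with_mac(self, mac):
        return next(n for n in self.nodes if mac in n.interfaces.values())

class Node:
    def __init__(self, name, interfaces, gateway=None, arp_ttl=1200):
        """interfaces: {ip: mac} (a router has one per LAN); gateway: the
        router IP used for destinations off this node's LANs."""
        self.name, self.interfaces = name, interfaces
        self.gateway, self.arp_ttl = gateway, arp_ttl
        self.lans, self.arp_table = [], {}     # arp_table: ip -> (mac, expiry)

    def lan_containing(self, ip):
        return next((lan for lan in self.lans if ipaddress.ip_address(ip) in lan.net), None)

    def mac_on(self, lan):
        return next(m for ip, m in self.interfaces.items() if ipaddress.ip_address(ip) in lan.net)

    def resolve(self, lan, ip, now):
        """ARP table lookup; soft state, so a stale entry is refreshed by a query."""
        entry = self.arp_table.get(ip)
        if entry and entry[1] > now:
            return entry[0]
        mac = lan.arp_query(ip)
        if mac is None:
            raise LookupError("%s: no ARP reply for %s" % (self.name, ip))
        self.arp_table[ip] = (mac, now + self.arp_ttl)
        return mac

def deliver(src, dst_ip, now):
    """Carry one datagram from src to dst_ip; returns the frames used, one per hop.
    The datagram's IP addresses never change; the frame's MAC addresses do."""
    dg = Datagram(next(iter(src.interfaces)), dst_ip)
    node, frames = src, []
    while dst_ip not in node.interfaces:
        lan = node.lan_containing(dst_ip)
        next_ip = dst_ip if lan else node.gateway       # same LAN, or hand to the router
        if lan is None:
            lan = node.lan_containing(next_ip)
        mac = node.resolve(lan, next_ip, now)
        frames.append(Frame(mac, node.mac_on(lan), dg))
        node = lan.node_with_mac(mac)                   # only the addressed NIC passes it up
    return frames

def build_slide_network():
    lan1, lan2 = Lan("111.111.111.0/24"), Lan("222.222.222.0/24")
    a = Node("A", {"111.111.111.111": "74-29-9C-E8-FF-55"}, gateway="111.111.111.110")
    b = Node("B", {"222.222.222.222": "49-BD-D2-C7-56-2A"}, gateway="222.222.222.220")
    r = Node("R", {"111.111.111.110": "E6-E9-00-17-BB-4B",
                   "222.222.222.220": "1A-23-F9-CD-06-9B"})
    for lan, nodes in ((lan1, (a, r)), (lan2, (b, r))):
        for n in nodes:
            lan.attach(n)
    return a, b, r, lan1, lan2

if __name__ == "__main__":
    a, b, r, lan1, lan2 = build_slide_network()
    for f in deliver(a, "222.222.222.222", now=0):
        print(f)
```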

Dynamic Host Configuration Protocol (DHCP)

20-54


DHCP: Bootstrapping

o Host doesn’t have an IP address yet
  o So, host doesn’t know what source address to use

o Host doesn’t know who to ask for an IP address
  o So, host doesn’t know what destination address to use

o Solution: Shout to discover server who can help
  o Broadcast a server-discovery message
  o Server sends a reply offering an address

[Figure: hosts on a LAN and a DHCP server.]

20-55

DHCP client-server interaction

20-56

Network address translation (NAT)

Used to set up small LAN network behind a single IP address (home/small business)

20-57

NAT problems

o Port numbers are meant for addressing processes, not for addressing hosts.

o Routers are supposed to process packets only up to layer 3.

o NAT protocol violates the so-called “end-to-end argument”; that is, hosts should be talking directly with each other, without interfering nodes modifying IP addresses and port numbers.

o Interferes with P2P applications --- peers behind a NAT cannot act as server and accept TCP connections.

20-58

Ethernet

Invented in mid 1970s by Bob Metcalfe and David Boggs at Xerox PARC. Ethernet has dominated the LAN market because:

First LAN technology to be widely deployed.
Generally cheaper and simpler than its competitors (token rings, ATM, FDDI = Fiber Distributed Data Interface).
Always managed to maintain comparable data rates with emerging technologies: 10Mbps – 10 Gbps

[Figure: Metcalfe’s Ethernet sketch.]

20-59

Ethernet frame structure

[Figure: Ethernet frame with its fields annotated as follows.]

Preamble: Seven bytes of 10101010 and one byte of 10101011; used to synchronize sender & receiver clock rates

Dest. address, source address: MAC addresses, 6 bytes each; receiving adapter discards unless it matches dest. address or broadcast address (except if in promiscuous mode for sniffing!)

Type: Two bytes used for multiplexed network-layer protocols; who do I pass the data up to? Usually IP, but could also be AppleTalk, Novell IPX, DecNet, …

Data: Carries IP datagram; has MTU of 1500 bytes and minimum of 46 (if less, it is stuffed)

CRC: Our friend from previous lecture. 4 bytes; if error detected, frame dropped

20-60
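Building and receiving a frame with the layout just described, as an added example that is not code from the lecture: 6-byte destination and source MAC, 2-byte type, data stuffed up to 46 bytes, 4-byte CRC, and the receiving adapter’s drop/pass-up decision from the LAN-addressing slide (including what a promiscuous adapter sees). The MAC addresses come from the earlier example slide; the payload, the CRC byte order and the type table are my assumptions; the preamble is left out because the adapter strips it.

```python
# Added example (not from the slides): building and receiving an Ethernet
# frame with the layout on the slide. The preamble is not included because the
# adapter strips it. MAC addresses are from the slides, the payload is constructed.
import struct
import zlib

BROADCAST = "FF-FF-FF-FF-FF-FF"
MIN_DATA, MAX_DATA = 46, 1500
ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x809B: "AppleTalk"}

def mac_to_bytes(text):
    return bytes(int(x, 16) for x in text.split("-"))

def bytes_to_mac(raw):
    return "-".join("%02X" % b for b in raw)

def fcs(body):
    """CRC-32 over dst+src+type+data; sent least significant byte first (assumed)."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def build_frame(dst, src, ethertype, data):
    if len(data) > MAX_DATA:
        raise ValueError("data exceeds the 1500-byte MTU; fragment at the IP layer")
    data = data.ljust(MIN_DATA, b"\x00")          # "if less, it is stuffed"
    body = mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + data
    return body + fcs(body)

def receive(frame, my_mac, promiscuous=False):
    """What the receiving adapter does with a frame. Returns ("drop", reason)
    or ("up", protocol_name, data): the data handed to the network layer."""
    if len(frame) < 14 + MIN_DATA + 4:
        return "drop", "runt frame"
    body, crc = frame[:-4], frame[-4:]
    if crc != fcs(body):                          # "if error detected, frame dropped"
        return "drop", "CRC error"
    dst = bytes_to_mac(body[:6])
    if not promiscuous and dst not in (my_mac, BROADCAST):
        return "drop", "not addressed to this adapter"
    ethertype = struct.unpack("!H", body[12:14])[0]
    return "up", ETHERTYPES.get(ethertype, "unknown 0x%04X" % ethertype), body[14:]

# Constructed sample: a short "datagram" from one slide MAC address to another.
SENDER, RECEIVER, OTHER = "1A-2F-BB-76-09-AD", "71-65-F7-2B-08-53", "0C-C4-11-6F-E3-98"
SAMPLE = build_frame(RECEIVER, SENDER, 0x0800, b"constructed IP datagram")

def corrupt(frame, index):
    """Flip one bit of the frame, as line noise would."""
    b = bytearray(frame)
    b[index] ^= 0x01
    return bytes(b)

if __name__ == "__main__":
    print(len(SAMPLE), "bytes on the wire")          # 64: the minimum Ethernet frame
    print(receive(SAMPLE, RECEIVER))
    print(receive(SAMPLE, OTHER))
    print(receive(SAMPLE, OTHER, promiscuous=True))   # a sniffing adapter sees it anyway
    print(receive(corrupt(SAMPLE, 20), RECEIVER))
```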


Physical Layer: Buses

In early Ethernet implementations, nodes were “tapped into” coaxial cable

Remained popular through mid 90s

All nodes in same collision domain (can collide with each other)

Limitation in bus length (often only up to 100 meters)

Cable problems can cut off one part of network from another.

20-61

Physical Layer: Repeaters

Distance limitation in local-area networks
  Electrical signal becomes weaker as it travels
  Propagation delays interfere with collision detection

Repeaters join LANs together
  Analog electronic device
  Continuously monitors electrical signals on each LAN
  Transmits an amplified copy

[Figure: a repeater joining two LAN segments.]

Example: Without repeater, 10Base2 is limited to 30 nodes and 185 meters. Up to four repeaters can be used to create a bus up to 925 meters.

20-62

Physical Layer: Hubs

Hub is an unsophisticated broadcast device; when bit received on any link, broadcast it to all links at same rate.

Often (but not always) amplifies signal, so can act like a repeater.

Operates at the physical layer; does not examine frames or buffer them.

Permits star topology in which each host connected separately to hub, reducing impact of wire problems.

Multiple hubs can be used to form a tree.

[Figure: a tree of hubs: one hub connected to three lower hubs.]

20-63

Limitations of Repeaters and Hubs

One large collision domain
  Every bit is sent everywhere
  So, aggregate throughput is limited
  E.g., three departments each get 10 Mbps independently … and then connect via a hub and must share 10 Mbps

Cannot support multiple LAN technologies
  Does not buffer or interpret frames
  So, can’t interconnect between different rates or formats, e.g., 10 Mbps Ethernet and 100 Mbps Ethernet

Limitations on maximum nodes and distances
  Does not circumvent the limitations of shared media

20-64

Link Layer: Switches

Unlike “dumb” hubs, switches are smart and active,
  examine incoming frame’s MAC address, selectively forward frame to one-or-more outgoing links
  when frame is to be forwarded on link, uses CSMA/CD to access link
  buffers frames, allowing links with different bandwidths

Also called bridges; sometimes “switch” used when connecting hosts and “bridge” used when connecting LANs.

transparent: hosts are unaware of presence of switches

concurrent communication: Host A can talk to C, while B talks to D, without collisions!

plug-and-play, self-learning: switches do not need to be configured

[Figure: one switch with hosts A, B, C, D attached.]

20-65

Switches: Traffic Isolation

Breaks subnet into LAN segments

Filters packets
  Frame only forwarded to the necessary segments
  Segments become separate collision domains

[Figure: a switch/bridge connecting three hubs; each hub’s segment is a separate collision domain.]

20-66


Switch Table

Q: how does switch know that A’ reachable via interface 4, B’ reachable via interface 5?

A: each switch has a switch table, each entry: (MAC address of host, interface to reach host, time stamp)

looks like a routing table!

Q: how are entries created, maintained in switch table? Self-learning rather than routing protocols or manual configuration.

[Figure: switch with six interfaces (1,2,3,4,5,6); hosts A, B, C on one side and A’, B’, C’ on the other, with A’ on interface 4 and B’ on interface 5.]

20-67

Switch: self-learning

switch learns which hosts can be reached through which interfaces
  when frame received, switch “learns” location of sender: incoming LAN segment
  records sender/location pair in switch table

[Figure: A on interface 1 sends a frame with Source: A, Dest: A’ through the six-interface switch.]

Switch table (initially empty):

MAC addr  interface  TTL
A         1          60

20-68

Switch: frame filtering/forwarding

When frame received:

1. record link associated with sending host
2. index switch table using MAC dest address
3. if entry found for destination
   then {
     if dest on segment from which frame arrived
       then drop the frame
       else forward the frame on interface indicated
   }
   else flood (forward on all but the interface on which the frame arrived)

20-69

Self-learning, forwarding: example

[Figure: A (interface 1) sends a frame with Source: A, Dest: A’; the switch floods it out every other interface, then A’ (interface 4) replies to A]

o frame destination A’ unknown: flood
o destination A location known: selective send

Switch table (initially empty):

MAC addr   interface   TTL
A          1           60
A’         4           60

20-70
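As an added example (not from the lecture slides), the following Python simulates the self-learning switch of the preceding slides: the table with TTLs, the drop/forward/flood decision, and the A → A’ exchange from the example. Host X sharing A’s segment and the time values are constructed assumptions.

```python
# Added example (not from the lecture slides): a simulation of the
# self-learning, filtering/forwarding switch described in the notes.
from dataclasses import dataclass, field

TTL = 60  # seconds an entry stays in the table, as on the slide


@dataclass
class LearningSwitch:
    interfaces: int
    # switch table: MAC address -> (interface to reach host, expiry time)
    table: dict = field(default_factory=dict)

    def handle(self, src, dst, in_iface, now):
        """Process one frame; return the set of interfaces it goes out on."""
        # age out entries whose TTL has run out
        self.table = {m: (i, t) for m, (i, t) in self.table.items() if t > now}
        # 1. record the link on which the sending host was heard
        self.table[src] = (in_iface, now + TTL)
        # 2. index the table using the destination MAC address
        if dst in self.table:
            out_iface, _ = self.table[dst]
            # 3a. destination is on the segment the frame arrived from: drop
            if out_iface == in_iface:
                return set()
            # 3b. otherwise forward on the single interface indicated
            return {out_iface}
        # 3c. unknown destination: flood on all but the arriving interface
        return {i for i in range(1, self.interfaces + 1) if i != in_iface}


def run_slide_example():
    """Replays the slide (A on interface 1, A' on interface 4), then adds
    two constructed steps: a host X sharing A's segment, and TTL expiry."""
    sw = LearningSwitch(interfaces=6)
    flood = sw.handle("A", "A'", in_iface=1, now=0)      # A' unknown: flood
    selective = sw.handle("A'", "A", in_iface=4, now=1)  # A known: selective send
    dropped = sw.handle("X", "A", in_iface=1, now=2)     # X and A share a segment
    aged = sw.handle("C", "A", in_iface=6, now=70)       # A's entry expired: flood
    return flood, selective, dropped, aged, dict(sw.table)
```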

Interconnecting switches

o switches can be connected together

[Figure: switches S1, S2, S3, S4 interconnected, with hosts A, B, C, D, E, F, G, H, I attached]

Q: sending from A to G - how does S1 know to forward frame destined to F via S4 and S3?

A: self learning! (works exactly the same as in single-switch case!)

20-71

Self-learning multi-switch example

Suppose C sends frame to I, I responds to C.

[Figure: switches S1, S2, S3, S4 with interfaces numbered 1 through 4, hosts A through I attached]

Q: show switch tables and packet forwarding in S1, S2, S3, S4

20-72


Switches: Advantages Over Hubs/Repeaters

o Only forwards frames as needed
  • Filters frames to avoid unnecessary load on segments
  • Sends frames only to segments that need to see them
o Extends the geographic span of the network
  • Separate collision domains allow longer distances
o Improves privacy by limiting scope of frames
  • Hosts can “snoop” the traffic traversing their segment but not all the rest of the traffic
o Applies carrier sense and collision detection
  • Does not transmit when the link is busy
  • Applies exponential back-off after a collision
o Joins segments using different technologies
  • E.g., can join 10 Mbps Ethernet and 100 Mbps Ethernet

20-73

Switches: Disadvantages Over Hubs/Repeaters

o Delay in forwarding frames
  • Bridge/switch must receive and parse the frame and perform a look-up to decide where to forward
  • Storing and forwarding the packet introduces delay
o Need to learn where to forward frames
  • Bridge/switch needs to construct a forwarding table
  • Ideally, without intervention from network administrators
o Higher cost
  • More complicated devices that cost more money

20-74

Key Vulnerability of Link/Physical Layers: Sniffing

20-75

Wireless Sniffing in a Hotel

Wireless access points in public places are often unsecured.

20-76

Wireless Sniffing in a Dormitory

Even though many dorm rooms have wired internet access, students prefer the convenience of wireless access. But this is often much less secure!

20-77

Switch prevents simple sniffing

20-78


ARP spoofing foils switch protection

20-79

Sniffing Defenses

Wired world:

o Use switches rather than hubs. But there are still problems:
  • ARP spoofing/cache poisoning
  • MAC flooding (overflow ARP table, causing switch to act like hub instead).
o Encrypt traffic – e.g. SSH, SSL/TLS, etc.

Wireless world:

o Encrypt traffic
  • Wired Equivalent Privacy (WEP) is easily crackable
  • Wi-Fi Protected Access (WPA) is much stronger

20-80
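An added example (not from the lecture) of how a defender could detect the two switched-LAN problems listed above from ARP traffic seen on a monitoring port: an IP address claimed by more than one MAC (cache-poisoning indicator) and an access port emitting an implausible number of distinct source MACs (MAC-flooding indicator). The log format, the threshold and every address are constructed for illustration.

```python
# Added example (not from the lecture): detection logic for the two attacks
# the notes list against switched LANs, run over constructed ARP records.
from collections import defaultdict

# Constructed sample, one ARP reply per line as "port src_mac sender_ip".
# Real capture formats differ; the record on port 3 claiming 10.0.0.1
# (already claimed on port 1) is the constructed poisoning event, and the
# burst of unrelated MACs on port 5 is the constructed flooding event.
SAMPLE_ARP_LOG = """\
1 00:11:22:33:44:01 10.0.0.1
2 00:11:22:33:44:02 10.0.0.2
3 00:11:22:33:44:03 10.0.0.3
3 00:11:22:33:44:03 10.0.0.1
5 02:00:00:00:00:01 10.0.0.50
5 02:00:00:00:00:02 10.0.0.51
5 02:00:00:00:00:03 10.0.0.52
5 02:00:00:00:00:04 10.0.0.53
"""


def parse(log):
    """Yield (port, mac, ip) tuples from the constructed log format."""
    for line in log.splitlines():
        port, mac, ip = line.split()
        yield int(port), mac.lower(), ip


def analyze(log, max_macs_per_port=3):
    """Return (poisoning_suspects, flooding_suspects).

    poisoning_suspects: {ip: sorted MACs} for every IP claimed by more than
      one MAC, the signature of ARP spoofing / cache poisoning.
    flooding_suspects: {port: distinct MAC count} for ports exceeding the
      threshold, the signature of MAC flooding aimed at overflowing the
      switch table so the switch falls back to hub-like flooding.
    """
    macs_by_ip = defaultdict(set)
    macs_by_port = defaultdict(set)
    for port, mac, ip in parse(log):
        macs_by_ip[ip].add(mac)
        macs_by_port[port].add(mac)
    poisoning = {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}
    flooding = {p: len(m) for p, m in macs_by_port.items()
                if len(m) > max_macs_per_port}
    return poisoning, flooding
```

The threshold must be tuned per port role: an uplink or a port facing a hub legitimately carries many MACs, whereas a single-host access port should carry one.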

Scanning for Access Points

Old days: war dialing to find modems connected to intranet networks

Today: war driving to find unsecured access points, especially rogue access points connected to organization intranet

20-81

War Driving

World Wide War Drive:

                                  2001      2002      % Change
WEP Disabled                      69.86%    72.07%    +2.21%
SSIDs Default                     29.53%    35.24%    +5.71%
WEP Disabled AND SSID Default     26.64%    31.44%    +4.8%

War Driving in Wellesley:

Default SSIDs    31 of 55    56.4%
WEP disabled     41 of 55    74.5%

“Outfitted with a Sony Vaio, a Lucent Orinoco wireless network, a MaxRad antenna, and Netstumbler software, we jumped into a car with the antenna on the roof and were on our way to find some networks.”

Reema Siyam ‘03, Erin Stadler ‘03

20-82

Wireless Protection

o Require supplicant to authenticate by MAC address and/or password (but MAC addresses can be spoofed).
o Put wireless access points outside the organization firewall.

20-83