1 figure 3-13: internet protocol (ip) ip addresses and security ip address spoofing: sending a...
DESCRIPTION
2 Figure 3-17: IP Address Spoofing Trusted Server Victim Server Trust Relationship 2. Attack Packet Spoofed Source IP Address Attacker’s Identity is Not Revealed Attacker’s Client PC Server Accepts Attack PacketTRANSCRIPT
1
Figure 3-13: Internet Protocol (IP)
IP Addresses and Security IP address spoofing: Sending a message with a
false IP address (Figure 3-17)
Gives sender anonymity so that attacker cannot be identified
Can exploit trust between hosts if spoofed IP address is that of a host the victim host trusts
2
Figure 3-17: IP Address Spoofing
Trusted Server60.168.4.6
Victim Server60.168.47.47
1. Trust Relationship
2. Attack Packet
Spoofed Source IP Address60.168.4.6
Attacker’s Identity is Not Revealed
Attacker’s Client PC1.34.150.37
3. Server Accepts Attack Packet
3
Figure 3-13: Internet Protocol (IP)(Study Figure)
IP Addresses and Security LAND attack: send victim a packet with victim’s
IP address in both source and destination address fields and the same port number for the source and destination (Figure 3-18). In 1997, many computers, switches, routers, and even printers, crashed when they received such a packet.
4
Figure 3-18: LAND Attack Based on IP Address Spoofing
Victim
60.168.47.47 Port 23 Open
Crashes
From: 60.168.47.47:23 To: 60.168.47.47:23Attacker
1.34.150.37
Source and Destination IP Addresses are the Same
Source and Destination Port Numbers are the Same
5
Figure 3-13: Internet Protocol (IP)(Study Figure)
Other IP Header Fields Protocol field: Identifies content of IP data field
Firewalls need this information to know how to process the packet
Time-to-Live field Each router decrements the TTL value by
one Router decrementing TTL field to zero
discards the packet
6
Figure 3-13: Internet Protocol (IP)(Study Figure)
Other IP Header Fields Time-to-Live field
Router also sends an error advisement message to the sender
The packet containing this message reveals the sender’s IP address to the attacker
Traceroute uses TTL to map the route to a host (Figure 3-19) Tracert on Windows machines
7
Figure 3-19: Tracert Program in Windows
8
Figure 3-13: Internet Protocol (IP)(Study Figure)
Other IP Header Fields Header Length field and Options
With no options, Header Length is 5 Expressed in units of 32 bits So, 20 bytes
Many options are dangerous So if Header Length is More Than 5, be
Suspicious Some firms drop all packets with options
9
Figure 3-13: Internet Protocol (IP)(Study Figure)
Other IP Header Fields Length Field
Gives length of entire packet Maximum is 65,536 bytes Ping-of-Death attack sent IP packets with
longer data fields Many systems crashed
10
Figure 3-20: Ping-of-Death Attack
Victim 60.168.47.47
Crashes
IP Packet Containing ICMP Echo Message That is Illegally Long
Attacker 1.34.150.37
11
Figure 3-13: Internet Protocol (IP)(Study Figure)
Other IP Header Fields Fragmentation
Routers may fragment IP packets (really, packet data fields) en route All fragments have same Identification field value Fragment offset values allows fragments to be
ordered More fragments is 0 in the last fragment
Harms packet inspection: TCP header, etc. only in first packet in series Cannot filter on TCP header, etc. in subsequent
packets
12
Figure 3-22: TCP Header is Only in the First Fragment of a Fragmented IP Packet
5. Firewall 60.168.47.47
Can Only Filter TCP
Header in First Fragment
Attacker 1.34.150.37
1. Fragmented IP Packet
2. Second Fragment
4. TCP Data Field
NoTCP Header
IP Header
TCP Data Field
2. First Fragment
IP Header
3. TCP Header Only in First Fragment
13
Figure 3-13: Internet Protocol (IP)(Study Figure)
Other IP Header Fields Fragmentation
Teardrop attack: Crafted fragmented packet does not make sense when reassembled
Some firewalls drop all fragmented packets, which are rare today
14
Figure 3-21: Teardrop Denial-of-Service Attack
Victim 60.168.47.47
CrashesAttack Pretends to be Fragmented
IP Packet When Reassembled, “Packet” does not Make Sense.
Gaps and Overlaps
Attacker 1.34.150.37
“Defragmented” IP Packet”
Gap Overlap
15
Figure 3-24: IP Packet with a TCP Segment Data Field
Source Port Number (16 bits) Destination Port Number (16 bits)
Bit 0 Bit 31
Acknowledgment Number (32 bits)
Sequence Number (32 bits)
TCP Checksum (16 bits)
Window Size(16 bits)
Flag Fields(6 bits)
Reserved(6 bits)
HeaderLength(4 bits)
Urgent Pointer (16 bits)
IP Header (Usually 20 Bytes)