Computer Networks II (cs.uwm.edu)
The Network Layer


The Internet Protocol (IP) is the network-layer protocol used to route packets in a WAN.

- Connectionless: each packet is transported independently from other packets
- Not reliable: delivery on a best-effort basis; no acknowledgments
- Packets may be lost, reordered, corrupted, or duplicated


- gateway: a designated machine in a LAN that connects the LAN to the rest of the network. Connected to routers.
- router: intermediate network nodes that handle the routing of packets in a WAN.
  - Either drops, delivers or forwards packets.
  - Uses routing tables to determine the next hop for packets.
  - Routers are more sophisticated than switches: they are connected to multiple networks, use routing tables, and never broadcast.


Routing IP Packets

Suppose node A is sending a packet to node B.

- If A and B are part of the same LAN:
  - the packet is routed directly on the LAN. ARP is used to determine B's MAC address.
- If A and B are on different LANs:
  - the packet is sent to the gateway in A's LAN.
  - the gateway forwards the packet to a router. Routers find a path to the gateway in B's LAN.
  - the packet is then forwarded from the gateway to B.


IP Addresses and Packets

- Each network node has a unique IP address.
- IPv4: 32-bit addresses; IPv6: 128-bit addresses
- Address subdivided into network, subnet, and host; e.g., 128.148.32.110


Internet Control Message Protocol (ICMP)

- Used for network testing and debugging.
- ICMP packets carry various types of messages, incl. echo request, echo response, time exceeded, destination unreachable.
- Tools based on ICMP:
  - Ping: sends a series of echo request messages and provides statistics on round-trip times and packet loss
  - Traceroute: sends a series of ICMP packets with increasing TTL value to discover routes


IP Vulnerabilities

- Unencrypted transmission
  - Eavesdropping possible at any intermediate host during routing
- No source authentication
  - Sender can spoof the source address, making it difficult to trace a packet back to the attacker
- No integrity checking
  - Entire packet, header and payload, can be modified while en route to the destination, enabling content forgeries, redirections, and man-in-the-middle attacks
- No bandwidth constraints
  - A large number of packets can be injected into the network to launch a denial-of-service attack.


Demo of Wireshark used for packet sniffing.


The Transport Layer


Ports

At the transport layer, each machine still has its own IP address. Additionally, it is thought of as having a collection of ports.

- A port can be a source port or a destination port of a communication with another machine.
- Each port is assigned a 16-bit port number.
- Each port is meant to be associated with a particular service, e.g. FTP (20 and 21), SSH (22), TELNET (23), SMTP (25), SSL (443) and HTTP (80).


First Protocol: Transmission Control Protocol (TCP)

Recall that IP is a network layer protocol for routing packets in a WAN. It is

- connectionless
- unreliable

Packets may be lost, reordered, corrupted, or duplicated.

TCP is a transport layer protocol that guarantees that information arrives intact and in order.

HOW?


- Establish a TCP connection.
  - This includes the initialization of sequence numbers.
- Source marks packets with sequence numbers.
  - The first packet contains the initial sequence number. Subsequent packets increment the number. Thus, the destination can determine if packets arrive out of order and rearrange them accordingly.
- Destination acknowledges that it has received packets.
  - This allows the source to determine if some packets are missing and re-send them.
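Added example, not part of the slides: a simplified receiver that does what the bullets above describe. It tracks the next expected sequence number, buffers segments that arrive early, delivers them once the gap closes, and returns the cumulative ACK number it would send back; the sender learns of a missing segment from repeated ACKs for the same number. Sequence numbers, payloads and the delivery order are constructed for the demo.

```python
class Receiver:
    """Receiving side of a TCP stream (simplified): keeps the next expected
    sequence number, buffers out-of-order segments and returns cumulative ACKs."""

    def __init__(self, isn):
        self.rcv_nxt = isn        # next byte expected; ISN agreed in the handshake
        self.buffered = {}        # seq -> payload held until the gap before it closes
        self.delivered = b""      # bytes handed to the application, in order

    def receive(self, seq, payload):
        """Process one segment and return the cumulative ACK number to send back."""
        if seq == self.rcv_nxt:
            self.delivered += payload
            self.rcv_nxt += len(payload)
            # Out-of-order data that is now contiguous can be delivered too.
            while self.rcv_nxt in self.buffered:
                nxt = self.buffered.pop(self.rcv_nxt)
                self.delivered += nxt
                self.rcv_nxt += len(nxt)
        elif seq > self.rcv_nxt:
            self.buffered[seq] = payload   # arrived early: hold it
        # seq < rcv_nxt is a duplicate of already delivered data: drop it, re-ACK
        return self.rcv_nxt


def missing_ranges(rx):
    """Byte ranges the receiver still lacks; a sender infers these from repeated
    ACKs carrying the same number and retransmits."""
    gaps, cursor = [], rx.rcv_nxt
    for seq in sorted(rx.buffered):
        if seq > cursor:
            gaps.append((cursor, seq))
        cursor = max(cursor, seq + len(rx.buffered[seq]))
    return gaps


def demo():
    """Constructed delivery: the second segment is delayed, the third duplicated."""
    rx = Receiver(isn=1000)
    acks = [rx.receive(1000, b"ab"), rx.receive(1004, b"ef"),
            rx.receive(1004, b"ef"), rx.receive(1002, b"cd")]
    return acks, rx.delivered


if __name__ == "__main__":
    print(demo())   # ([1002, 1002, 1002, 1006], b'abcdef')
```

The three identical ACKs (1002) are the signal that bytes 1002-1003 are missing; the ACK jumps to 1006 only once the delayed segment fills the gap and the buffered one behind it is delivered as well.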


Additionally,

- TCP supports checksums.
  - This mildly ensures that the data is correct.
- TCP uses flow control.
  - It manages the amount of data that a source can send to the destination so the latter won't be overwhelmed.
- TCP employs congestion control.
  - Adjusts the data transmission rate to prevent network congestion.


Establishing a TCP connection

TCP connections are established through a three-way handshake. The server is generally the passive listener, waiting for a connection request.

- The client requests a connection by sending out a SYN packet.
- The server responds by sending a SYN/ACK packet, indicating an acknowledgment for the connection.
- The client responds by sending an ACK to the server, thus establishing the connection.


TCP Congestion Control

During the mid-80s it was discovered that uncontrolled TCP messages were causing large-scale network congestion. Today, TCP uses ACK packets, or the lack thereof, to keep track of flow control and network congestion.

- Most TCP congestion avoidance algorithms avoid congestion by modifying a congestion window (cwnd) as more cumulative ACKs are received.
- It begins with an extremely low cwnd.
- As more ACKs are received, it rapidly increases the value of cwnd to reach the network's bottleneck capacity.
- Then it shifts to a congestion avoidance algorithm which slowly probes the network for additional bandwidth.
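Added example, not from the slides: a per-RTT simulation of the window behaviour described above. cwnd starts at one segment, doubles every RTT while ACKs keep arriving (slow start), then grows by one segment per RTT once it passes the slow-start threshold (congestion avoidance); a loss halves the threshold and restarts slow start. The Tahoe-style reaction to loss, the bottleneck size and the initial threshold are assumptions chosen for illustration.

```python
def simulate_cwnd(rtts, bottleneck, losses=frozenset(), init_ssthresh=64):
    """Return the cwnd (in segments) at the start of each RTT.
    Slow start doubles cwnd every RTT until ssthresh; congestion avoidance then
    adds one segment per RTT. A loss (listed in `losses`, or implied when cwnd
    exceeds the bottleneck) halves ssthresh and restarts slow start from 1.
    Constructed Tahoe-style model, not any particular implementation."""
    cwnd, ssthresh, trace = 1, init_ssthresh, []
    for rtt in range(rtts):
        trace.append(cwnd)
        if rtt in losses or cwnd > bottleneck:
            ssthresh = max(cwnd // 2, 2)   # remember half the window that failed
            cwnd = 1                       # and start probing again from the bottom
        elif cwnd < ssthresh:
            cwnd *= 2                      # slow start: exponential growth
        else:
            cwnd += 1                      # congestion avoidance: linear probing
    return trace


def phases(trace):
    """Label each RTT transition in a cwnd trace as slow-start, avoidance or loss."""
    labels = []
    for cur, nxt in zip(trace, trace[1:]):
        if nxt == 2 * cur:
            labels.append("slow-start")
        elif nxt == cur + 1:
            labels.append("avoidance")
        else:
            labels.append("loss")
    return labels


if __name__ == "__main__":
    t = simulate_cwnd(rtts=14, bottleneck=20)
    print(t)           # [1, 2, 4, 8, 16, 32, 1, 2, 4, 8, 16, 17, 18, 19]
    print(phases(t))
```

The trace shows the shape the slides describe: the first loss happens when the window overshoots the bottleneck (32 > 20), after which the sender climbs back quickly to half that window (16) and then creeps upward one segment per RTT.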


Second Protocol: User Datagram Protocol (UDP)

UDP does not guarantee the order nor the correctness of packet deliveries.

- Its packets are called datagrams.
- No elaborate set-up needed (e.g., no handshakes, no sequence numbers, etc.).
- Checking for missing packets is left to the application.
- Since it is much simpler, UDP is significantly faster than TCP. Hence, it is the protocol used in time-sensitive applications where data integrity is not as important as speed (e.g., VoIP).


Optimistic TCP ACK Attack

An optimistic ACK attack makes the congestion control mechanism of TCP work against itself.

- It begins with a client sending out ACKs for packets it hasn't yet received.
  Effect: the server thinks the client received the packets very quickly, so the network must have a lot of bandwidth!
- The server increases cwnd and sends more packets out.
- This leads to the attacker providing more optimistic ACKs, and eventually the server uses up the available bandwidth.

When played out across multiple servers, this can create Internet-wide congestion.


True fix: redesign the TCP protocol.

Countermeasures:

- Limit traffic per client at the server level.
- Promptly block traffic from clients whose traffic pattern resembles a DoS attempt.
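Added example, not part of the slides: one concrete form of the two countermeasures, a per-client token bucket at the server that caps how many segments a single source address may have served per second, and that blocks a source outright once it is refused enough times in a row (a sustained over-rate pattern). The rates, the block threshold and the client addresses are constructed for the demo.

```python
class PerClientLimiter:
    """Token bucket per client address. A client may send `burst` segments at
    once and `rate` segments per second sustained. A client refused `block_after`
    times in a row (a flood-like pattern) is blocked for `block_seconds`.
    Constructed illustration of server-side per-client limiting."""

    def __init__(self, rate, burst, block_after=50, block_seconds=60.0):
        self.rate, self.burst = rate, burst
        self.block_after, self.block_seconds = block_after, block_seconds
        self.buckets = {}        # client -> (tokens, last_refill_time)
        self.strikes = {}        # client -> consecutive refusals
        self.blocked_until = {}  # client -> time at which the block lifts

    def allow(self, client, now):
        """Return True if a segment from `client` arriving at time `now` is served."""
        if self.blocked_until.get(client, 0.0) > now:
            return False
        tokens, last = self.buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1:
            self.buckets[client] = (tokens - 1, now)
            self.strikes[client] = 0
            return True
        self.buckets[client] = (tokens, now)
        self.strikes[client] = self.strikes.get(client, 0) + 1
        if self.strikes[client] >= self.block_after:
            self.blocked_until[client] = now + self.block_seconds
            self.strikes[client] = 0
        return False


def demo():
    """Constructed traffic: one client bursts past its allowance, another is normal."""
    lim = PerClientLimiter(rate=10, burst=5, block_after=3, block_seconds=60.0)
    burst = [lim.allow("203.0.113.5", 0.0) for _ in range(8)]
    still_blocked = lim.allow("203.0.113.5", 1.0)   # inside the 60 s block
    other_ok = lim.allow("203.0.113.9", 1.0)        # unrelated client unaffected
    after_block = lim.allow("203.0.113.5", 61.0)    # block lifted, bucket refilled
    return burst, still_blocked, other_ok, after_block


if __name__ == "__main__":
    print(demo())
```

Keying the state by client address keeps one misbehaving source from consuming the server's send capacity, which is the resource an optimistic-ACK sender is trying to inflate; it does not help against a source that spoofs many addresses, which is why the slides still call the protocol redesign the true fix.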


Spoofing a TCP Session

- Attacker launches a DoS attack on a client victim. This will allow the attacker to use the client's IP address.
- The attacker sends a SYN packet to the target server, spoofing the source IP address to be that of the client victim.
- After waiting a short period of time for the server to send a SYN-ACK packet, the attacker concludes the TCP handshake by sending an ACK packet, where the relevant seq-ack numbers are guessed.
- The attacker can now have a TCP session with the server, masquerading as the client victim.


TCP Session Hijacking and ACK Storms

When an attacker is on the same network segment as the client victim and server, he can completely hijack an existing TCP session.

- Attacker uses a packet sniffer to determine the sequence numbers of the packets used in the current TCP session.
- Attacker can now inject his own packet (using the appropriate sequence numbers) to the server using a spoofed source IP address of the client victim.
- To be more effective, use in conjunction with ARP spoofing so the attacker is the "man-in-the-middle". It can now pretend to be the client victim!
- If a complete takeover is not done, this can still create ACK storms where client and server send ACKs back and forth to synchronize their sequence numbers.

Countermeasures: use of encryption and authentication.


SYN Flood Attacks

A SYN Flood Attack is a type of Denial-of-Service (DoS) attack. Recall how the TCP session is initiated:

If the client never sends the concluding ACK, the server waits for a certain time-out period and then discards the session.


In a SYN Flood attack,

- An attacker sends a large number of SYN packets to the server, most likely with different spoofed IP source addresses.
- The server sends the SYN/ACK replies.
- No ACK replies will be sent back to the server. Thus, the server's memory fills up with sequence numbers that it is remembering in order to match up with the "half-opened" TCP sessions.

The wasted memory ultimately blocks out other legitimate TCP session requests.


SYN cookies: a cryptographic solution

- Due to Daniel Bernstein.
- Main idea: when a server sends out a SYN/ACK reply, it attaches some extra information ("cookie") so that there is no need to store this TCP session request in memory.
- When the client sends its ACK reply, the cookie is attached to the reply.
- The server does a SYN cookie check. If all is well, the server initiates the TCP session.


What’s inside the 32-bit SYN cookie:

- The first 5 bits record a timestamp.
- The next 3 bits are an encoded value representing the maximum segment size of transmission.
- The final 24 bits are a (cryptographic) MAC of the server and client IP addresses, the server and client port numbers and the previously used timestamp, computed using a secret key.


The SYN cookie check:

- Using the first 5 bits, the server checks if the connection has expired.
- The server computes the MAC value using the IP and port info from the ACK packet and compares it with the MAC value in the cookie.
- It decodes the middle 3 bits to finish reconstructing the SYN queue entry.

** Finally, note that the sequence numbers can be retrieved from the Seq-Ack numbers stored in the ACK packet.

Limitations: SYN cookies are not widely adopted (e.g., Windows). SYN cookies do not allow the use of TCP option fields, etc.
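Added example covering both the cookie layout and the cookie check described above; it is not Bernstein's code nor any operating system's implementation. The 32-bit cookie is built exactly as the slides lay it out (5-bit timestamp, 3-bit MSS code, 24-bit MAC over the addresses, ports and timestamp under a secret key) and used as the server's initial sequence number, so the final ACK carries cookie + 1 and the server recovers it with no per-connection state. The secret key, the MSS encoding table, the 64-second timestamp granularity, the HMAC-SHA256 function truncated to 24 bits and the expiry window are all assumptions of this example.

```python
import hmac
import hashlib

SECRET_KEY = b"constructed-syn-cookie-secret"  # assumed per-server secret
MSS_TABLE = [536, 1220, 1440, 1460]            # assumed 3-bit MSS encoding (index -> MSS)
TS_SLOT_SECONDS = 64                            # assumed granularity of the 5-bit timestamp


def _time_slot(now_seconds):
    return (now_seconds // TS_SLOT_SECONDS) & 0x1F          # 5 bits, wraps every 32 slots


def _mac24(src_ip, dst_ip, src_port, dst_port, ts_slot):
    """24-bit MAC over the addresses, ports and timestamp (HMAC-SHA256, truncated)."""
    msg = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{ts_slot}".encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, dst_ip, src_port, dst_port, client_mss, now_seconds):
    """Build the 32-bit cookie the server sends as its ISN in the SYN/ACK."""
    ts_slot = _time_slot(now_seconds)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):      # largest table entry not above the client's MSS
        if mss <= client_mss:
            mss_idx = i
    mac = _mac24(src_ip, dst_ip, src_port, dst_port, ts_slot)
    return (ts_slot << 27) | (mss_idx << 24) | mac       # 5 + 3 + 24 = 32 bits


def check_cookie(cookie, src_ip, dst_ip, src_port, dst_port, now_seconds, max_age_slots=4):
    """The SYN cookie check. Returns the MSS to use for the new connection, or
    None if the cookie has expired or the MAC does not match the ACK's 4-tuple."""
    ts_slot = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    age = (_time_slot(now_seconds) - ts_slot) % 32      # first 5 bits: expiry check
    if age > max_age_slots:
        return None
    expected = _mac24(src_ip, dst_ip, src_port, dst_port, ts_slot)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                                      # forged or replayed under another 4-tuple
    return MSS_TABLE[mss_idx]                            # middle 3 bits: rebuild the queue entry


def accept_ack(ack_number, src_ip, dst_ip, src_port, dst_port, now_seconds):
    """The handshake's final ACK acknowledges ISN + 1, so the cookie is the ACK
    number minus one (mod 2^32). Nothing was stored between SYN and ACK."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    return check_cookie(cookie, src_ip, dst_ip, src_port, dst_port, now_seconds)


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:40000 -> server 192.0.2.10:80
    isn = make_cookie("198.51.100.7", "192.0.2.10", 40000, 80, 1460, now_seconds=1_000_000)
    print(hex(isn), accept_ack(isn + 1, "198.51.100.7", "192.0.2.10", 40000, 80, 1_000_030))
```

Because the only state that survives from SYN to ACK is the server's secret key, a flood of SYNs with spoofed sources costs the server nothing but the SYN/ACK replies; a forged ACK fails the MAC, and a stale one fails the timestamp check. The limitation the slides mention is visible in the layout: three bits for the MSS leave no room to remember any other TCP option.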


Other DoS attacks

Ping Flooding

- A powerful machine attacks a weaker machine by sending it massive amounts of ICMP echo request (Ping) packets.
- The victim responds with ICMP echo replies.
- This flood of request and reply packets overwhelms the victim's network connection.

Countermeasure: if a server is relatively weak, ignore ping requests altogether to avoid ping floods.


Ping of Death (mid-1990's)

A ping packet (ignoring the IP header) is normally 32 bytes in size. An IPv4 packet is at most 2^16 − 1 = 65,535 bytes in size.

- In this attack, an attacker sends an ICMP echo request (Ping) packet whose size is larger than the maximum IP packet size.
- This causes the packet to be fragmented.
- When the target reassembles the packet, it would end up with a packet larger than the allowed IP packet size. This can cause buffer overflow problems!

Countermeasure: include checks in the reassembly process on the packet size. If it exceeds the max size, ignore the packet. Sometimes these checks are done at the firewalls.
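Added example, not from the slides: a fragment reassembler that applies the countermeasure above. Each IPv4 fragment carries its offset in 8-byte units and a more-fragments flag; the reassembler bounds offset × 8 + payload length against the 65,535-byte maximum before it copies a single byte, so an over-long datagram is rejected rather than overflowing the buffer. The fragments are constructed, and a minimal 20-byte IP header with no options is assumed when computing the limit.

```python
MAX_IP_PACKET = 65535      # 2^16 - 1: the IPv4 total-length field is 16 bits
IP_HEADER_LEN = 20         # assumed minimal IPv4 header (no options)


def reassemble(fragments):
    """Reassemble constructed IPv4 fragments given as (offset_in_8_byte_units,
    more_fragments, payload). Returns ("ok", payload), ("oversize", None) if any
    fragment would push the datagram past MAX_IP_PACKET, or ("incomplete", None)
    when the pieces do not form one contiguous datagram."""
    pieces = []
    total_len = None
    for offset8, more_fragments, payload in fragments:
        start = offset8 * 8
        end = start + len(payload)
        # The Ping-of-Death check: bound the final size before touching the buffer.
        if end + IP_HEADER_LEN > MAX_IP_PACKET:
            return ("oversize", None)
        if not more_fragments:                 # last fragment fixes the total length
            if total_len is not None and total_len != end:
                return ("incomplete", None)    # two conflicting "last" fragments
            total_len = end
        pieces.append((start, payload))
    if total_len is None:
        return ("incomplete", None)            # never saw the last fragment
    pieces.sort()
    buf = bytearray()
    for start, payload in pieces:
        if start != len(buf):
            return ("incomplete", None)        # gap or overlap between fragments
        buf += payload
    if len(buf) != total_len:
        return ("incomplete", None)
    return ("ok", bytes(buf))


if __name__ == "__main__":
    # constructed: a normal two-fragment datagram, then one that claims bytes beyond 65,535
    print(reassemble([(1, False, b"B" * 4), (0, True, b"A" * 8)]))
    print(reassemble([(0, True, b"A" * 8), (8190, False, b"x" * 8)]))
```

The decisive line is the size test performed on the fragment's claimed position, not on the data received so far: the last fragment of a Ping of Death is small, and it is only its offset that puts the reassembled packet over the limit.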


The Smurf Attack

Many networks feature a broadcast address by which a user can send a packet that is received by every IP address on the network.

- In a smurf attack, ICMP Echo request packets are sent to the broadcast address where the source address is that of a target computer.
- Every machine in the network then sends an ICMP reply to the target.
- Thus, one ICMP request packet is amplified by the number of machines that reply to the packet.

Countermeasure: hosts and routers should be configured so that they ignore broadcast requests. Additionally, routers should not forward packets directed to broadcast addresses.


IP Traceback

Goal: Determine the origin of packets used in DDoS attacks.

Basic technique: track the sequence of routers used by the packets.

- Packet marking: each router appends its address to the end of every packet that goes through it.
  - high overhead on routers
  - may need to fragment packets if no space is available
- Node sampling: uses only a single field in the IP packet.
  - only one router address can be recorded in an IP packet.
  - each router overwrites the field of each packet with its own address with probability p.
  - with enough packets, a victim can determine the set of routers used between attacker and victim.
  - to reconstruct the actual path, make use of the fact that more packets will be marked by the routers nearest to the victim.
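Added example, not from the slides: a simulation of node sampling from the victim's side. Each router on a constructed path overwrites the single mark field with probability p, the victim tallies which address arrives in the field, and the path is reconstructed from the tallies using the fact stated above: a router's mark survives only if every router after it declines to overwrite, so routers nearest the victim are marked most often. The router names, path, p and packet count are constructed; the closed-form probability is derived from the marking rule itself.

```python
import random


def mark_one_packet(path, p, rng):
    """One packet crossing `path` (routers listed attacker -> victim). Each router
    overwrites the single mark field with its own address with probability p."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def collect_marks(path, p, n_packets, seed=7):
    """Victim-side tally: how often each router address arrives as the mark.
    Seeded so the constructed run is reproducible."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n_packets):
        m = mark_one_packet(path, p, rng)
        if m is not None:
            counts[m] = counts.get(m, 0) + 1
    return counts


def expected_fraction(path_len, index, p):
    """Probability that router `index` (0 = nearest the attacker) is the surviving
    mark: it marks, and each of the later routers leaves the field alone."""
    return p * (1 - p) ** (path_len - 1 - index)


def reconstruct_path(counts):
    """Routers nearest the victim overwrite last, so they are marked most often:
    sorting by count ascending yields attacker -> victim order."""
    return [router for router, _ in sorted(counts.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    path = ["R1", "R2", "R3", "R4", "R5"]          # constructed route, R5 adjacent to the victim
    tally = collect_marks(path, p=0.5, n_packets=20000)
    print(tally)
    print(reconstruct_path(tally))                 # ['R1', 'R2', 'R3', 'R4', 'R5']
    print([round(expected_fraction(5, i, 0.5), 4) for i in range(5)])
```

The expected fractions for p = 0.5 on a five-router path are 0.03125, 0.0625, 0.125, 0.25 and 0.5, which is why the attack must involve many packets before the farthest routers show up at all: the set of routers is learned first, and the ordering is the part that needs the larger sample.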
