cs225 –computer securitycsong/cs255/l/network.pdf•packet sniffing and spoofing –encryption...
TRANSCRIPT
-
CS225 – Computer Security
1
Network Security
slides modified from Zhiyun Qian
-
2
History of Network Security
• Initiallybuiltforcommunicationbetweenresearchinstitutions– ARPANET (TCP/IP)– FirstpacketsentfromUCLAtoSRI
• Internetdesignedwithoutsecurityinmind– IncludingkeyprotocolssuchasTCP/IP– Gettingittoworkisalreadyanamazingjob
• Hardtoretrofitsecurityintoexistingprotocols– Haveto remainbackward-compatible
• E.g.,TCP/IPusedbyeverymachinenow– Solutionsoftenarepatchesorrequireanadditionallayerofindirection
-
How the Internet looks like in 2005
3
-
4
Common network security attacks and their countermeasures
• Packetsniffingandspoofing– Encryption(SSH,SSL,HTTPS)
• Findingawayintothenetwork– Firewalls
• DenialofService– Ingressfiltering,IDS
-
Quick overview of TCP/IP
• Example:
• Networktrafficisbrokendowninto“packets”containinginformationat4mainlayers
5
Layer 4 : ApplicationLayer 3 : Transport (TCP)Layer 2 : Network (IP)Layer 1 : Link/Physical
Hosting a web server at TCP port 80
-
TCP/IP network Layers
6
-
TCP/IP network Layers
7
src port, dst port
src IP, dst IP
src MAC addr, dst MAC addr
-
IP Layer• Responsibleforendtoendtransmission• Sendsdatainindividualpackets• Maximumsizeofpacketisdeterminedbythenetworks
– Fragmentediftoolarge• Unreliable
– Packetsmightbelost,corrupted,duplicated,deliveredoutoforder
-
IP addresses• 4bytes(IPv4)
– e.g.163.1.125.98– Eachdevicenormallygetsone(ormore)– Intheorythereareabout4billionavailable
• But…– Basicallyuseduptoday– Therefore,16bytesarenowusedinIPv6(stillnotfullyfunctionaltoday)
-
Routing• Howdoesadeviceknowwheretosendapacket?
– AlldevicesneedtoknowwhatIPaddressesareondirectlyattachednetworks
– Ifthedestinationisonalocalnetwork,senditdirectlythere
-
Routing (cont.)• Ifthedestinationaddressisn’tlocal
– Mostnon-routerdevicesjustsendeverythingtoasinglelocalrouter(gateway)
– RoutersneedtoknowwhichnetworkcorrespondstoeachpossibleIPaddress
-
Allocation of addresses• ControlledcentrallybyICANN
– Fairlystrictrulesonfurtherdelegationtoavoidwastage• Havetodemonstrateactualneedforthem
• Organizationsthatgotinearlyhavebiggerallocationsthantheyreallyneed
-
IP packets• Sourceanddestinationaddresses• Protocolnumber
– 1=ICMP,6=TCP,17=UDP• Variousoptions
– e.g.tocontrolfragmentation• Timetolive(TTL)
– Preventroutingloops
-
IP Datagram
Vers Len TOS Total LengthIdentification Flags Fragment Offset
TTL Protocol Header ChecksumSource Internet Address
Destination Internet AddressOptions... Padding
Data...
0 4 8 16 19 24 31
Field PurposeVers IP version numberLenLength of IP header (4 octet units)TOS Type of ServiceT. Length Length of entire datagram (octets)Ident. IP datagram ID (for frag/reassembly)Flags Don’t/More fragmentsFrag Off Fragment Offset
Field PurposeTTLTime To Live - Max # of hopsProtocol Higher level protocol (1=ICMP,
6=TCP, 17=UDP)Checksum Checksum for the IP headerSource IA Originator’s Internet AddressDest. IAFinal Destination Internet AddressOptions Source route, time stamp, etc.Data... Higher level protocol data
You just need to know the IP addresses, TTL and protocol #
-
Problem with IP address• Sourceaddressinapacketcanbefilledarbitrarilybyahost(thinkofUSPSmail)– Lackofauthenticationofpacketsources– Manyvulnerabilitiesarisebecauseofthis
Let’s hang out tomorrow night?SrcIP:Alice DstIP:Bob
No, I Hate you! SrcIP:Bob DstIP:Alice
IP header
Payload
Of course! SrcIP:Bob DstIP:Alice
-
UDP
• ThinlayerontopofIP(alternativetoTCP)• Addspacketlength+checksum
– Guardagainstcorruptedpackets• Alsosourceanddestinationports
– Portsareusedtoassociateapacketwithaspecificapplicationateachend
• Stillunreliable:– Duplication,loss,out-of-orderness possible
-
UDP datagram
Destination PortSource Port
Application data
0 16 31
ChecksumLength
Field PurposeSource Port16-bit port number identifying originating applicationDestination Port16-bit port number identifying destination applicationLength Length of UDP datagram (UDP header + data)Checksum Checksum of IP pseudo header, UDP header, and data
-
Typical applications of UDP– Wherepacketlossetc isbetterhandledbytheapplicationthanthenetworkstack
– WheretheoverheadofsettingupaTCPconnectionisn’twanted
• DNS• VoIP• Somegames
-
IP Spoofing against UDP• Needtoguesstheportnumber…
19
Let’s hang out tomorrow night?SrcIP:Alice DstIP:Bob
No, I Hate you! SrcIP:Alice DstIP:Bob
IP header
Payload
SrcPort:123 DstPort:53
UDP header SrcPort:53 DstPort:???
-
DNS Protocol – Application Layer Protocol
• Mappingbetweendomainname(humanreadable)andIPaddresses
20
-
DNS Poisoning Attack
• AttackercanspoofitssourceIPasnameserver’sIP
21
How can the attacker know when to send spoofed packet?
-
TCP• Reliable,full-duplex,connection-oriented,streamdelivery– Interfacepresentedtotheapplicationdoesn’trequiredatainindividualpackets
– Dataisguaranteedtoarrive,andinthecorrectorderwithoutduplicates• Ortheconnectionwillbedropped
– Imposessignificantoverheads
-
Applications of TCP• Mostthings!
– HTTP,FTP,SMTP…
• Savestheapplicationalotofwork,sousedunlessthere’sagoodreasonnotto
-
TCP implementation• Connectionsareestablishedusingathree-wayhandshake
• Dataisdividedupintopacketsbytheoperatingsystem• Packetsarenumbered,andreceivedpacketsareacknowledged
• Connectionsareexplicitlyclosed– (ormayabnormallyterminate)
-
TCP Packets• Source+destinationports• Sequencenumber• Acknowledgementnumber• Checksum• Variousoptions
-
TCP Segment
Destination Port
Acknowledgment Number
Options... PaddingData...
0 4 10 16 19 24 31Source Port
WindowLen
Sequence Number
Reserved FlagsUrgent PointerChecksum
Field PurposeSource Port Identifies originating applicationDestination Port Identifies destination applicationSequence NumberSequence number of first octet in the segmentAcknowledgment # Sequence number of the next expected octet (if ACK flag set)Len Length of TCP header in 4 octet unitsFlags TCP flags: SYN, FIN, RST, PSH, ACK, URGWindow Number of octets from ACK that sender will acceptChecksum Checksum of IP pseudo-header + TCP header + dataUrgent Pointer Pointer to end of “urgent data”Options Special TCP options such as MSS and Window Scale
You just need to know port numbers, seq and ack are added
-
TCP : Data transferHostClient
Send Packet 1Start Timer
Retransmit Packet1Start Timer
Packet should arrive ACK should be sent
ACK would normallyArrive at this time
Receive Packet 1Send AXK 1
Time Expires
Receive ACK 1Cancel Timer
Packet LostTimer
Timer
-
IP Spoofing against TCP• Needtoguesstheportnumber,sequencenumber,andacknowledgementnumber!
28
Let’s hang out tomorrow night?SrcIP:Alice DstIP:Bob
No, I Hate you! SrcIP:Bob DstIP:Alice
IP header
Payload
SrcPort:123 DstPort:53
TCP header
SrcPort:53 DstPort:???
Seq:123456 ACK:67890
Seq:??? ACK:???
-
Common Threat Models in Networks (targeting confidentiality and integrity)
• PassiveEavesdropper– Read(andatmostInsert)
• Man-in-the-middle(MITM)– On thecommunicationpath(compromisedrouter)– ArbitraryRead/Writecapability(modify,drop,etc.)
• Off-Pathattacker(noreadcapability)
29
-
Passive Eavesdropper• Read(atmostinsert)• CananattackerlaunchDNSpoisoningattack?
30
-
IP Spoofing against UDP (review)• Needtoguesstheportnumber…
31
Let’s hang out tomorrow night?SrcIP:Alice DstIP:Bob
No, I Hate you! SrcIP:Alice DstIP:Bob
IP header
Payload
SrcPort:123 DstPort:53
UDP header SrcPort:53 DstPort:???
-
Man-in-the-middle (MITM)• ArbitraryRead/Writecapability(modify,drop,etc.)• CananattackerlaunchDNSpoisoningattack?
32
-
Off-Path Attacker• Noread.Caninsert.• CananattackerlaunchDNSpoisoningattack?
33
-
34
Common network security attacks and their countermeasures
• Packetsniffingandspoofing– Encryption(SSH,SSL,HTTPS)
• Findingawayintothenetwork– Firewalls
• DenialofService– Ingressfiltering,IDS
-
Finding a way into the network --Scanning
35
Host 192.168.2.1 appears to be up.MAC Address: 00:04:E2:34:B6:CE (SMC Networks)Host 192.168.2.79 appears to be up.MAC Address: 00:11:11:5B:7A:CD (Intel)Host 192.168.2.82 appears to be up.MAC Address: 00:10:5A:0D:F6:D7 (3com)Host 192.168.2.198 appears to be up.MAC Address: 00:10:DC:55:89:27 (Micro-star International)Host 192.168.2.199 appears to be up.MAC Address: 00:C0:4F:36:33:91 (Dell Computer)Host 192.168.2.200 appears to be up.MAC Address: 00:0C:41:22:CC:01 (The Linksys Group)Host 192.168.2.251 appears to be up.MAC Address: 00:0F:66:75:3D:75 (Cisco-Linksys)
-
Does That Matter?• Thenumberofcomputersanorganizationhasroughlycorrespondstothenumberofpeopleinit
• Howlargeisyourcompetitor?• (HowmanycomputersdoesGooglehaveinitsdatacenters?Theywon’tsay.)
36
-
Does That Matter?• Iftheyidentifyaservicethathasaknownvulnerability(e.g.,bufferoverflow),theycanlaunchthecorrespondingexploit
37
$ nmap -Pn www.cs.ucr.edu
Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-17 20:03 UTCNmap scan report for www.cs.ucr.edu (169.235.30.15)Host is up (0.00033s latency).rDNS record for 169.235.30.15: thoth.cs.ucr.eduNot shown: 996 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind5666/tcp open nrpe
-
38
Firewalls• Basicproblem– manynetworkapplicationsandprotocolshavesecurityproblemsthatarefixedovertime– Difficultforuserstokeepupwithchangesandkeephostsecure
– Solution• Administratorslimitaccesstoendhostsbyusingafirewall• Firewalliskeptup-to-datebyadministrators
-
39
Firewalls• Afirewallislikeacastlewithadrawbridge
– Onlyonepointofaccessintothenetwork– Thiscanbegoodorbad
• Canbehardwareorsoftware– Ex.Somerouterscomewithfirewallfunctionality– ipfw,ipchains,pfonUnixsystems,WindowsXPandMacOSXhavebuiltinfirewalls
-
40
Firewalls• Usedtofilterpacketsbasedonacombinationoffeatures
– Thesearecalledpacketfilteringfirewalls• Thereareothertypestoo,buttheywillnotbediscussed
– Ex.Droppacketswithdestinationportof23(Telnet)– CanuseanycombinationofIP/UDP/TCPheaderinformation
• Butwhydon’twejustturnTelnetoff?
-
41
Firewalls
• HereiswhatacomputerwithadefaultWindowsinstalllookslike:– 135/tcp open loc-srv– 139/tcp open netbios-ssn– 445/tcp open microsoft-ds– 1025/tcp open NFS-or-IIS– 3389/tcp open ms-term-serv– 5000/tcp open UPnP
-
42
Common network security attacks and their countermeasures
• Packetsniffingandspoofing– Encryption(SSH,SSL,HTTPS)
• Findingawayintothenetwork– Firewalls
• DenialofService– Ingressfiltering,IDS
-
43
Denial of Service
• Purpose:Makeanetworkserviceunusable,usuallybyoverloadingtheserverornetwork
• Manydifferentkindsof DoS attacks– SYNflooding– SMURF– Distributedattacks
-
TCP Three-way handshake
44
Remembers X
Remembers YChecks Ack=X+1
Checks Ack=Y+1
SYNSeq=X, Ack = 0
SYN-ACKSeq=Y, Ack = X+1
ACKSeq=X+1, Ack = Y+1
-
45
Denial of Service• SYNfloodingattack• SendSYNpacketswithbogussourceaddress
– Why?• ServerrespondswithSYNACKandkeepsstateaboutTCPhalf-openconnection– Eventually,servermemoryisexhaustedwiththisstate
-
46
Denial of Service
-
47
Denial of Service• SMURF
– SourceIPaddressofabroadcastpingisforged– Largenumberofmachinesrespondbacktovictim,overloadingit
-
48
Denial of Service
Internet
Perpetrator Victim
ICMP echo (spoofed source address of victim)Sent to IP broadcast address
ICMP echo reply
-
State Holding Attack
16
Firewall AttackerInside
Assumestateful TCPpolicy
-
State Holding Attack
16
Firewall AttackerInside
SynSyn
Syn...
1.SynFlood
Assumestateful TCPpolicy
-
State Holding Attack
16
Firewall AttackerInside
SynSyn
Syn...
1.SynFlood
2.ExhaustResources
Assumestateful TCPpolicy
-
State Holding Attack
16
Firewall AttackerInside
SynSyn
Syn...
1.SynFlood
2.ExhaustResources
3.SneakPacket
Assumestateful TCPpolicy