Network Vulnerabilities 2
Monday, November 15, 2010
CS342 Computer Security
Department of Computer Science, Wellesley College
Sources: S&M Ch. 5; Hacking TAOE Ch 0x400; Kurose & Ross, Computer Networking (the source of many illustrations); Skoudis, Counter Hack Reloaded; Randy Shull's Fall '05 CS242 Computer Networks slides; Daniel Bilar's Fall '06 CS342 slides on Network Attacks; Daniel Bilar's Fall '07 CS242 slides
Network Layer: Internet Protocol (IP)
[Figure: protocol stack with examples. Application: HTTP, FTP, SMTP, POP3, IMAP, DNS. Transport: UDP, TCP. Network: IP ("You are here!"). Link: Ethernet, 802.11 WiFi.]
Network layer services
o The transport layer is responsible for application to application.
o The network layer is responsible for host to host.
o Determines the path taken by packets.
o Forwards packets from one router to the next in the path.
o Internet Protocol (IP) service model is best-effort delivery, but it makes no guarantees. Can drop packets!
Major IP components
Grouping related hosts
o The Internet is an "inter-network"
o Used to connect (sub)networks together, not hosts
o Needs a way to address a network (i.e., group of hosts)
[Figure: hosts on LAN 1 and on LAN 2, joined by routers across WANs. LAN = Local Area Network, WAN = Wide Area Network.]
Scalability challenge
o Suppose hosts had arbitrary addresses
o Then every router would need a lot of information
o ...to know how to direct packets toward the host
[Figure: hosts with addresses 1.2.3.4, 5.6.7.8, 2.4.6.8, 1.2.3.5, 5.6.7.9, 2.4.6.9 spread across LAN 1 and LAN 2, joined by routers across WANs; a router's forwarding table needs separate entries for 1.2.3.4 and 1.2.3.5.]
Classless Inter-Domain Routing (CIDR)
Use two 32-bit numbers to represent a network. Network number = IP address + Mask
IP Address: 12.4.0.0    IP Mask: 255.254.0.0
Address  00001100 00000100 00000000 00000000
Mask     11111111 11111110 00000000 00000000
The 1 bits of the mask cover the Network Prefix; the 0 bits are for hosts.
Written as 12.4.0.0/15
Scalability: Address Aggregation
Provider is given 201.10.0.0/21 and hands out 201.10.0.0/22, 201.10.4.0/24, 201.10.5.0/24 and 201.10.6.0/23 to its customers.
Routers in the rest of the Internet just need to know how to reach 201.10.0.0/21. The provider can direct the IP packets to the appropriate customer.
CIDR: Hierarchical Address Allocation
o Prefixes are key to Internet scalability
o Address allocated in contiguous chunks (prefixes)
o Routing protocols and packet forwarding based on prefixes
o Today, routing tables contain ~150,000-200,000 prefixes
[Figure: 12.0.0.0/8 is split into 12.0.0.0/16, 12.1.0.0/16, 12.2.0.0/16, 12.3.0.0/16, ..., 12.253.0.0/16, 12.254.0.0/16; 12.3.0.0/16 is split into 12.3.0.0/24, 12.3.1.0/24, ..., 12.3.254.0/24; 12.253.0.0/16 is split into 12.253.0.0/19, 12.253.32.0/19, 12.253.64.0/19, 12.253.96.0/19, 12.253.128.0/19, 12.253.160.0/19, ...]
CIDR: Address aggregation
Hierarchical addressing allows efficient advertisement of routing information:
[Figure: Organization 0 (200.23.16.0/23), Organization 1 (200.23.18.0/23), Organization 2 (200.23.20.0/23), ..., Organization 7 (200.23.30.0/23) connect to Fly-By-Night-ISP, which tells the Internet "Send me anything with addresses beginning 200.23.16.0/20". ISPs-R-Us tells the Internet "Send me anything with addresses beginning 199.31.0.0/16".]
CIDR: More specific address
Suppose Organization 1 moves to ISPs-R-Us:
[Figure: Fly-By-Night-ISP still tells the Internet "Send me anything with addresses beginning 200.23.16.0/20" for Organizations 0, 2, ..., 7. ISPs-R-Us now tells the Internet "Send me anything with addresses beginning 199.31.0.0/16 or 200.23.18.0/23".]
Routers pick the longest matching prefix, so traffic for 200.23.18.0/23 follows the more specific ISPs-R-Us advertisement rather than the /20.
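The CIDR arithmetic from the last few slides (mask from prefix length, network number, aggregation check, and the longest-prefix-match rule that lets the more specific 200.23.18.0/23 win) as an added Python example; this is not code from the slides or from Kurose & Ross, and the forwarding table below is constructed from the two ISPs' advertisements.

```python
# Added example for this lecture (not code from the slides or from Kurose & Ross):
# CIDR masks, address aggregation and longest-prefix-match forwarding,
# using the prefixes and ISP names that appear on the slides.
import ipaddress


def prefix_to_mask(prefix_len: int) -> str:
    """Mask for a /prefix_len network as a dotted quad: /15 -> 255.254.0.0."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def network_number(addr: str, prefix_len: int) -> str:
    """Network number = IP address AND mask, written in slash notation."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(addr)) & mask
    return f"{ipaddress.IPv4Address(net)}/{prefix_len}"


def aggregates(provider: str, customers) -> bool:
    """True if every customer block fits inside the provider's block, so the
    rest of the Internet only needs the provider's single prefix."""
    big = ipaddress.ip_network(provider)
    return all(ipaddress.ip_network(c).subnet_of(big) for c in customers)


def longest_prefix_match(table, dest: str):
    """Forward `dest` on the most specific (longest) matching prefix.
    table: list of (prefix, next_hop) as advertised by the ISPs."""
    d = ipaddress.IPv4Address(dest)
    best_net, best_hop = None, None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if d in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


# Forwarding table built from the two slides' advertisements (constructed).
# After Organization 1 moves, ISPs-R-Us also advertises the more specific /23.
INTERNET_TABLE = [
    ("200.23.16.0/20", "Fly-By-Night-ISP"),
    ("199.31.0.0/16", "ISPs-R-Us"),
    ("200.23.18.0/23", "ISPs-R-Us"),
]

if __name__ == "__main__":
    print(prefix_to_mask(15), network_number("12.5.200.7", 15))
    print(aggregates("201.10.0.0/21", ["201.10.0.0/22", "201.10.4.0/24",
                                        "201.10.5.0/24", "201.10.6.0/23"]))
    for host in ("200.23.16.5", "200.23.18.5", "200.23.21.1"):
        print(host, "->", longest_prefix_match(INTERNET_TABLE, host))
```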
IPv4 datagram format
[Figure: IPv4 header, 20 bytes without options, with these annotations:]
o version: IPv4 vs. IPv6
o header length: 20 bytes w/o options
o type of service: deluxe or economy?
o total length: header + data
o identifier, flags, fragment offset: for breaking large datagrams into fragments
o time to live: decremented by each router; TTL = 0 marks end of the line
o upper-layer protocol: demultiplexing: TCP (6), UDP (17)
o header checksum: recalculated at each router; corrupted packets discarded
Time-to-Live (TTL)
o Potential robustness problem
  • Forwarding loops can cause packets to cycle forever
  • Confusing if the packet arrives much later
o Time-to-live field in packet header
  • TTL field decremented by each router on the path
  • Packet is discarded when TTL field reaches 0...
  • ...and "time exceeded" message is sent to the source
Major IP components
ICMP (Internet Control Message Protocol)
o IP network "feedback" messages
o Used to report problems with delivery of IP packets within IP networks, also for queries
o Encapsulated in an IP packet
o Not authenticated!
Basic ICMP Message Types
Type  Code  Description                                          Query/Error
0     0     Echo reply (e.g. ping)                               Q
3     1     Host unreachable                                     E
3     3     Port unreachable (see traceroute)                    E
8     0     Echo request (e.g. ping)                             Q
11    0     Time-to-live is zero during transit (see traceroute) E
Message types: 40 assigned, 255 possible, ~25 in use
ICMP: traceroute
o Traceroute attempts to measure delay from source to each router along an Internet path towards destination.
o Traceroute sends ordinary messages to dest with TTLs of 1, 2, 3, ... and times them until notified of their demise. The host where the message expires phones home (type 11 code 0) with the sad news. Sends three packets (3 probes) for each TTL value.
o One of the datagrams will eventually make it all the way to the destination host. Because this datagram contains a UDP segment with an unlikely port number, the destination host sends a port unreachable ICMP message (type 3 code 3) back to the source. When the source receives this ICMP message, it knows it does not need to send additional probe packets.
Traceroute from gaia.cs.umass.edu
 1 cs-gw (128.119.240.254) 1 ms 1 ms 2 ms
 2 border1-rt-fa5-1-0.gw.umass.edu (128.119.3.145) 1 ms 1 ms 2 ms
 3 cht-vbns.gw.umass.edu (128.119.3.130) 6 ms 5 ms 5 ms
 4 jn1-at1-0-0-19.wor.vbns.net (204.147.132.129) 16 ms 11 ms 13 ms
 5 jn1-so7-0-0-0.wae.vbns.net (204.147.136.136) 21 ms 18 ms 18 ms
 6 abilene-vbns.abilene.ucaid.edu (198.32.11.9) 22 ms 18 ms 22 ms
 7 nycm-wash.abilene.ucaid.edu (198.32.8.46) 22 ms 22 ms 22 ms
 8 62.40.103.253 (62.40.103.253) 104 ms 109 ms 106 ms
 9 de2-1.de1.de.geant.net (62.40.96.129) 109 ms 102 ms 104 ms
10 de.fr1.fr.geant.net (62.40.96.50) 113 ms 121 ms 114 ms
11 renater-gw.fr1.fr.geant.net (62.40.103.54) 112 ms 114 ms 112 ms
12 nio-n2.cssi.renater.fr (193.51.206.13) 111 ms 114 ms 116 ms
13 nice.cssi.renater.fr (195.220.98.102) 123 ms 125 ms 124 ms
14 r3t2-nice.cssi.renater.fr (195.220.98.110) 126 ms 126 ms 124 ms
15 eurecom-valbonne.r3t2.ft.net (193.48.50.54) 135 ms 128 ms 133 ms
16 194.214.211.25 (194.214.211.25) 126 ms 128 ms 126 ms
17 * * *
18 * * *
19 fantasia.eurecom.fr (193.55.113.142) 132 ms 128 ms 136 ms
Each hop shows 3 delay measurements; the jump between hops 7 and 8 is the trans-oceanic link; "* * *" at hops 17 and 18 means no response.
ICMP: echo (a.k.a. ping)
o Source host sends an echo request ("ping", type 8 code 0)
o The destination host replies to source IP of request with echo reply ("pong", type 0 code 0)
o Data received in the echo message must be returned in the echo reply.
o How can this be abused? (ping flood!)
[fturbak@puma ~] ping cardinal.wellesley.edu
PING cardinal.wellesley.edu (149.130.136.43) 56(84) bytes of data.
64 bytes from cardinal.wellesley.edu (149.130.136.43): icmp_seq=1 ttl=64 time=1.01 ms
64 bytes from cardinal.wellesley.edu (149.130.136.43): icmp_seq=2 ttl=64 time=0.466 ms
64 bytes from cardinal.wellesley.edu (149.130.136.43): icmp_seq=3 ttl=64 time=0.390 ms
64 bytes from cardinal.wellesley.edu (149.130.136.43): icmp_seq=4 ttl=64 time=0.292 ms
IP Spoofing
o Nothing prevents you from physically mailing a letter with an invalid return address, or someone else's, or your own.
o Likewise, packets can be inserted in the network with invalid or other IP addresses.
Any node can send packets pretending to be from any IP address.
Attacker might not get replies if spoofing a host on a different subnet.
For some attacks this is not important. For others, like TCP hijacking attacks, it is important.
Smurf: Overview
[Figure: Echo request with spoofed source address 172.20.20.250 to 192.168.1.255 (broadcast address of subnet 192.168.1.x). All live hosts at subnet 192.168.1.x respond with echo reply... to 172.20.20.50.]
Bandwidth DoS Attacks: Smurf, Fraggle, UDP Flood
o One level of indirection
o Goal: Overwhelm the victim, leading to Denial of Service (DoS)
o Attack: Ping a broadcast address, with the (spoofed) IP of a victim as source address. All hosts on the network respond to the victim. If large subnet allows broadcasting, can get large number of responses – e.g. ~64K for 16 bit subnet.
o Mechanism: Reflection (amplification), IP spoofing and protocol vulnerability
o Implementation can be "patched" by violating the protocol specification, to ignore pings to broadcast addresses
o Fraggle is similar, using UDP echo service instead of ICMP.
o UDP Flood: send UDP packet to random victim port; generates ICMP "destination unreachable" packet to forged source address
Bandwidth DoS Attack: UDP Ping-Pong
o Attack: Spoof a packet from Victim1's chargen service to Victim2's echo service (chargen service replies with a UDP packet to any incoming packet)
o Goal: Computers keep replying to each other as fast as they can
[Figure: Attacker sends one spoofed packet; Victim 1 and Victim 2 then bounce packets between each other.]
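An added Python example (not code from the slides) that labels packet records with the reflection patterns of the last two slides (Smurf, Fraggle, chargen/echo ping-pong, an outside source aimed at a local broadcast address) and estimates the amplification; LOCAL_NETS, the packet records and the live-host count are constructed for the example.

```python
# Added example (not from the slides): a small detector that labels packet
# records with the reflection patterns described on the slides. LOCAL_NETS,
# the packet records and the live-host count are constructed.
import ipaddress

LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # the subnet from the Smurf slide
ECHO_PORT, CHARGEN_PORT = 7, 19


def classify(pkt: dict) -> list:
    """Labels for one packet record {src, dst, proto, type?, sport?, dport?}."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    to_broadcast = any(dst == n.broadcast_address for n in LOCAL_NETS)
    src_is_local = any(src in n for n in LOCAL_NETS)
    labels = []
    if pkt["proto"] == "icmp" and pkt.get("type") == 8 and to_broadcast:
        labels.append("smurf-reflection")          # every live host will reply to src
    if pkt["proto"] == "udp" and pkt.get("dport") == ECHO_PORT and to_broadcast:
        labels.append("fraggle-reflection")        # same trick via UDP echo
    if (pkt["proto"] == "udp" and pkt.get("sport") in (ECHO_PORT, CHARGEN_PORT)
            and pkt.get("dport") in (ECHO_PORT, CHARGEN_PORT)):
        labels.append("udp-ping-pong")             # chargen <-> echo loop
    if to_broadcast and not src_is_local:
        labels.append("external-source-to-broadcast")  # spoofed victim address
    return labels


def amplification(pkt: dict, live_hosts: dict) -> int:
    """Replies one reflected packet triggers: the live hosts on the subnet
    whose broadcast address it targets (~64K for a 16-bit subnet on the slide)."""
    dst = ipaddress.ip_address(pkt["dst"])
    return sum(count for net, count in live_hosts.items()
               if dst == ipaddress.ip_network(net).broadcast_address)


def scan(packets) -> dict:
    """Count labels over a batch of records."""
    counts = {}
    for p in packets:
        for label in classify(p):
            counts[label] = counts.get(label, 0) + 1
    return counts


# Mitigations the slide alludes to ("patch" the implementation to ignore
# broadcast pings): on Linux, sysctl net.ipv4.icmp_echo_ignore_broadcasts = 1;
# on the router, do not forward directed broadcasts (Cisco IOS interface
# command "no ip directed-broadcast").

SAMPLE = [  # constructed records
    {"src": "172.20.20.250", "dst": "192.168.1.255", "proto": "icmp", "type": 8},
    {"src": "192.168.1.10", "dst": "192.168.1.20", "proto": "icmp", "type": 8},
    {"src": "172.20.20.250", "dst": "192.168.1.255", "proto": "udp", "sport": 40000, "dport": 7},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "udp", "sport": 19, "dport": 7},
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["src"], "->", p["dst"], classify(p))
    print(amplification(SAMPLE[0], {"192.168.1.0/24": 200}))
```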
Evolution of DoS Attacks: DDoS
o Flood DDoS: Distributed Denial Of Service
o Attack against bandwidth and/or resources (like before) using two (or more) levels of indirection!
[Figure: Attacker: used to coordinate attack. Handler: controls subservient computers. Agents: actually do the attack.]
DDoS examples
TRINOO: Sends UDP floods to random destination port numbers on victim
TFN: Sends UDP flood, TCP SYN Flood, ICMP Echo Flood, or a SMURF attack. Master communicates to daemon using ICMP echo reply, changes IP identification number and payload of ICMP echo reply to identify type of attack to launch
TFN2k: First DDOS for Windows. Communication between master and agents can be encrypted over TCP, UDP, or ICMP with no identifying ports
STACHELDRAHT: Combination of Trinoo and TFN
Authority on analysis of DDoS is Dittrich at University of Washington http://staff.washington.edu/dittrich/misc/ddos
Major IP components
IP fragmentation and reassembly
o Some link-layer protocols carry "big" packets; some do not.
o The maximum amount of data a link-layer packet can hold is called its maximum transfer unit (MTU).
o What to do when a packet arriving at an in link is too big to fit into the out link?
[Figure: Fragmentation: 1 large datagram becomes 3 smaller datagrams. Reassembly at destination.]
Fragmentation details
Suppose a 4000 byte datagram arriving at a router's incoming link is to be shipped out an outgoing link whose MTU equals 1500 bytes.
One large datagram becomes several smaller datagrams (the offset is counted in 8-byte units, so 1480 bytes of data give offset 185):

            ID   offset   fragflag   length
original    x    0        0          4000
fragment 1  x    0        1          1500
fragment 2  x    185      1          1500
fragment 3  x    370      0          1040
Fragmentation Ripe for Exploits
o Have to keep track of all fragments until packet is reassembled
o Resource allocation is necessary before all validation is possible
o Lots of fragments from different packets can exhaust available memory; perfect grounds for resource exhaustion attacks.
o Implementation is tricky. Incorrect implementations can be coaxed into crashing machine (another kind of Denial of Service attack).
o What do you do if you never get the last missing piece?
o What do you do when you get packets out-of-order? This is a legitimate situation as per RFCs
o What do you do if you get overlapping fragments?
o What do you do if the last byte of a fragment would go over the maximum size of an IP packet, i.e., if the size of all reassembled fragments is larger than the maximum size of an IP packet?
Implementation Attack: Ping of Death
o Attack: Send ICMP echo with fragmented packets: ping -L 65510 <victim IP address>
o Maximum legal size of an ICMP echo packet: 65535 - 20 - 8 = 65507
o Fragmentation allows bypassing the maximum size: (offset + size) > 65535
o Reassembled packet would be larger than 65535 bytes
o Goal: OS crash
See http://insecure.org/sploits/ping-o-death.html
Implementation Attack: Teardrop
o IP packet can be broken; this is called 'fragmentation'. Fragmented (i.e. broken) packet is reassembled using offset fields
o Attack: Send fragments that overlap
o Goal: Crash, reboot and hang machine
[Figure: Normal fragment concatenation vs. overlapping fragments.]
Teardrop: Mechanism
Deep in the protocol implementation, in ip_fragment.c@531 (ca. 1997):

    if (prev != NULL && offset < prev->end)   /* if there are overlapping fragments */
    {
        i = prev->end - offset;
        offset += i;   /* ptr into datagram */
        ptr += i;      /* ptr into fragment data */
        /* advance to the end of the previous fragment */
    }

[Figure: First fragment ends at prev->end; the second fragment's offset (before) lies inside the first and is advanced to prev->end (after); the remainder of the second fragment, from the new offset to its end, is copied.]
Teardrop Attack
o Create second fragment that fits entirely within first, so offset now points outside of the second datagram's buffer!
o Program calculates the number of bytes to copy
  • fp->len = end - offset;
  • Very large unsigned number! Can write huge number of bytes in places they're not supposed to be, causing machine to crash.
[Figure: Second fragment lies entirely inside the first: its end is below prev->end, so after the offset is advanced to prev->end it is past the end of the second fragment.]
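An added Python example (not code from the slides or from the Linux kernel) that reproduces the fragmentation table from the "Fragmentation details" slide and then reassembles defensively, rejecting the oversize fragments Ping of Death relies on and the overlapping fragments Teardrop relies on; it also shows the 32-bit unsigned wrap in the old `end - offset` arithmetic, so the kernel-style check is illustrated rather than taken from the kernel source.

```python
# Added example (not code from the slides or from the Linux kernel): split a
# datagram into fragments as on the slide (4000 bytes over a 1500-byte MTU)
# and reassemble defensively, rejecting the oversize and overlapping
# fragments that Ping of Death and Teardrop rely on.
IP_HEADER = 20
MAX_DATAGRAM = 65535


class ReassemblyError(Exception):
    pass


def fragment(payload: bytes, mtu: int, ident: str = "x") -> list:
    """Fragment a datagram carrying `payload` so each piece fits the MTU.
    Offsets are in 8-byte units, so each piece carries a multiple of 8 bytes."""
    chunk = (mtu - IP_HEADER) // 8 * 8           # 1480 for a 1500-byte MTU
    frags = []
    for start in range(0, len(payload), chunk):
        data = payload[start:start + chunk]
        more = start + len(data) < len(payload)  # fragflag: more fragments follow
        frags.append({"id": ident, "offset": start // 8, "fragflag": int(more),
                      "length": IP_HEADER + len(data), "data": data})
    return frags


def summarize(frags) -> list:
    """(offset, fragflag, length) triples, the columns of the slide's table."""
    return [(f["offset"], f["fragflag"], f["length"]) for f in frags]


def reassemble(frags) -> bytes:
    """Rebuild the payload from fragments that may arrive in any order."""
    if not frags:
        raise ReassemblyError("no fragments")
    pieces = sorted(frags, key=lambda f: f["offset"])  # out-of-order is legitimate
    expected, out = 0, bytearray()
    for f in pieces:
        start = f["offset"] * 8
        size = f["length"] - IP_HEADER
        if IP_HEADER + start + size > MAX_DATAGRAM:
            raise ReassemblyError("fragment ends past 65535 bytes (Ping of Death)")
        if start < expected:
            raise ReassemblyError("overlapping fragment (Teardrop)")
        if start > expected:
            raise ReassemblyError("missing fragment; keep waiting, then time out")
        out += f["data"]
        expected = start + size
    if pieces[-1]["fragflag"] != 0:
        raise ReassemblyError("last fragment not received yet")
    return bytes(out)


def try_reassemble(frags):
    """Return ("ok", payload) or ("error", reason) without raising."""
    try:
        return ("ok", reassemble(frags))
    except ReassemblyError as e:
        return ("error", str(e))


def teardrop_copy_length(prev_end: int, offset: int, end: int) -> int:
    """The 1997 ip_fragment.c arithmetic from the slide: advance `offset` to the
    end of the previous fragment, then copy end - offset bytes as a 32-bit
    unsigned value. A fragment lying entirely inside the previous one makes
    end < offset, so the count wraps to a huge number."""
    if offset < prev_end:
        offset = prev_end
    return (end - offset) & 0xFFFFFFFF


if __name__ == "__main__":
    frags = fragment(bytes(3980), mtu=1500)      # the slide's 4000-byte datagram
    print(summarize(frags))                      # [(0, 1, 1500), (185, 1, 1500), (370, 0, 1040)]
    print(try_reassemble(frags)[0])
    print(teardrop_copy_length(prev_end=1480, offset=100, end=300))
```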
Attack classifications
o Effect
  • Bandwidth depletion: Flood the victim network with unwanted traffic that prevents legitimate traffic from reaching the victim system
  • Resource depletion: Tie up the resources of a victim host or crash victim.
o Vector
  • Direct: attacking host sends directly to victim machine
  • Reflector (indirect): Intermediate nodes are used as attack hosts
o Mechanism
  • Protocol design
  • Protocol implementation
[Figure: Direct vs. Reflector attack paths.]
Major IP components
Routing Protocols
[Figure: three Autonomous Systems AS1, AS2, AS3.]
o For scalability reasons, networks are decomposed into Autonomous Systems (ASes). ISP may have one or many of these.
o The forwarding tables that routers use to forward packets are determined by two kinds of routing protocols:
  • Intra-AS routing protocols (e.g., RIP, OSPF) for internal dests.
  • Inter-AS routing protocols (e.g., BGP) for external dests.
BGP: AS Advertisements
o BGP allows subnet to advertise "I am here" to rest of Internet.
o BGP determines "good" routes to subnets based on reachability information and policy.
o When AS2 advertises a prefix to AS1:
  • AS2 promises it will forward datagrams towards that prefix.
  • AS2 can aggregate prefixes in its advertisement
AS2 advertises to AS1:
  Destination: 138.16.64/24
  AS-PATH: AS2
  NEXT-HOP: IP address of 2a's interface to AS3.
AS1 advertises to AS3:
  Destination: 138.16.64/24
  AS-PATH: AS1; AS2
  NEXT-HOP: IP address of 1c's interface to AS3.
BGP Routing Policy
[Figure: provider networks A, B, C and customer networks W, X, Y. W attaches to A; X attaches to both B and C; Y attaches to C. Legend: customer network, provider network.]
o Inter-AS routing determined by a combination of performance and policy.
o Suppose X does not want to route from B via X to C. Then it will not advertise to B a route to C.
o Suppose A advertises path AW to B and B advertises path BAW to X. Should B advertise path BAW to C?
  • No way! B wants to route only to/from its customers! B gets no "revenue" for routing CBAW since neither W nor C are B's customers
  • Instead, B wants to force C to route to W via A
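The export side of this policy coded as a rule over provider/customer relationships, as an added Python example (not code from the slides or from Kurose & Ross); the customer links follow the slide's figure, while treating A, B and C as peers of one another is an assumption.

```python
# Added example (not from the slides or Kurose & Ross): the export side of the
# routing policy on the slide, coded as a rule over provider/customer
# relationships. The customer links come from the figure; the A-B and B-C
# peer links are an assumption.
CUSTOMER_OF = {            # (customer, provider) pairs from the figure
    ("W", "A"), ("X", "B"), ("X", "C"), ("Y", "C"),
}
PEERS = {frozenset(p) for p in (("A", "B"), ("B", "C"))}   # assumption


def relationship(me: str, neighbor: str) -> str:
    """How `neighbor` relates to `me`: customer, provider or peer."""
    if (neighbor, me) in CUSTOMER_OF:
        return "customer"
    if (me, neighbor) in CUSTOMER_OF:
        return "provider"
    if frozenset((me, neighbor)) in PEERS:
        return "peer"
    raise ValueError(f"{me} and {neighbor} are not neighbors")


def should_export(me: str, learned_from: str, to: str) -> bool:
    """Advertise to `to` a route learned from `learned_from`?
    Customers get every route (they pay for transit). Peers and providers
    only get routes to `me` itself or to `me`'s customers: carrying traffic
    between two non-customers earns nothing, the slide's "no revenue" point."""
    if relationship(me, to) == "customer":
        return True
    return learned_from == me or relationship(me, learned_from) == "customer"


def advertise(me: str, path: list, learned_from: str, neighbors) -> dict:
    """AS-PATHs `me` sends to each neighbor for a route with AS-PATH `path`."""
    out = {}
    for n in neighbors:
        if n != learned_from and should_export(me, learned_from, n):
            out[n] = [me] + path
    return out


if __name__ == "__main__":
    # A advertises AW to B; B passes BAW to its customer X but not to C
    print(advertise("B", ["A", "W"], "A", ["X", "C", "A"]))
    # X learns a route to C from C; X does not offer B transit to C
    print(should_export("X", "C", "B"))
```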
BGP Insecurities
Problem: ISPs can share bad BGP advertisements with rest of Internet
o Dec. 24, 2004: TTNet in Turkey accidentally pretends to be entire Internet. All traffic is routed there, but can't be handled, so there are widespread Internet outages.
o Jan 22, 2006: ConEdison accidentally "steals" several net prefixes by making false BGP advertisements.
o Feb 26, 2008: Pakistan Telecommunication Authority orders country's ISPs to block YouTube for anti-Islamic video. They create BGP advertisements that redirect YouTube's IP address to nonexistent destinations. These advertisements are given to service provider, Hong Kong's PCCW, which doesn't validate it, and shares it with other ISPs. Since they were more precise than YouTube's own advertisements, they take precedence and effectively block YouTube from world ("YouTube outage underscores big Internet problem", http://www.infoworld.com/print/32702; renesys blog, http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube_1.shtml)
o Thus far, BGP-caused outages have been accidental, but similar attacks from governments and criminals possible.
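An added Python example (not from the slides) of the monitoring an operator can run against this failure mode: compare observed announcements with the prefixes and origin ASes you expect, and flag a more-specific prefix inside your own, which wins longest-prefix match everywhere just as the YouTube announcement did; the prefix and AS numbers are constructed placeholders.

```python
# Added example (not from the slides): a monitor for the failure mode on the
# slide. It compares observed BGP announcements with the prefixes an operator
# expects to originate and flags more-specific or foreign-origin
# announcements. Prefixes and AS numbers below are constructed placeholders.
import ipaddress

# prefix we originate -> AS numbers allowed to originate it (constructed)
EXPECTED = {"198.51.100.0/24": {64500}}


def origin_as(as_path: list) -> int:
    """The originating AS is the last entry of the AS-PATH."""
    return as_path[-1]


def check_announcement(prefix: str, as_path: list) -> list:
    """Alerts for one UPDATE: exact-prefix origin change, or a more specific
    prefix inside one of ours (which wins longest-prefix match everywhere)."""
    net = ipaddress.ip_network(prefix)
    alerts = []
    for owned, origins in EXPECTED.items():
        own = ipaddress.ip_network(owned)
        if net == own:
            if origin_as(as_path) not in origins:
                alerts.append(f"origin hijack: {prefix} from AS{origin_as(as_path)}")
        elif net.subnet_of(own):
            who = "our AS" if origin_as(as_path) in origins else f"AS{origin_as(as_path)}"
            alerts.append(f"more specific {prefix} inside {owned} from {who}")
    return alerts


def best_route(routes: list, dest: str):
    """Which route carries traffic to `dest`: the longest matching prefix,
    regardless of who originated it (why the more precise announcement
    took precedence over YouTube's own)."""
    d = ipaddress.ip_address(dest)
    best = None
    for prefix, as_path in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, as_path)
    return best[1] if best else None


ROUTES = [  # constructed: the legitimate /24 and a hijacking /25
    ("198.51.100.0/24", [64496, 64500]),
    ("198.51.100.0/25", [64496, 64510]),
]

if __name__ == "__main__":
    for prefix, path in ROUTES:
        print(prefix, check_announcement(prefix, path))
    print(best_route(ROUTES, "198.51.100.7"))
```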
Daniel Bilar's Summary
o The 'glue' of the Internet (TCP/IP protocol and associated services like DNS) was predicated towards communication (and limited recovery from random errors, i.e. noise)
o Security (confidentiality, authentication, recovery from deliberate errors, i.e. attacks) was an afterthought
o As such, strong assumptions were made while designing, implementing and running the protocols
o This makes attacks against the TCP/IP protocol and implementation, as well as network services such as DNS, relatively easy and feasible
Link Layer
[Figure: protocol stack with examples. Application: HTTP, FTP, SMTP, POP3, IMAP, DNS. Transport: UDP, TCP. Network: IP. Link: Ethernet, 802.11 WiFi ("You are here!").]
The link layer
o The transport layer provides communication of segments between two processes.
o The network layer provides communication of datagrams between two hosts.
o The link layer provides communication of frames between two network nodes (routers or hosts) connected by a link (i.e. can communicate directly with each other).
Link layer protocols
Lots of them, including Ethernet, 802.11 wireless LAN (WiFi), token ring, PPP, HDLC, and ATM. Different links in a path may use different protocols. Responsibilities include one or more of following: framing, link access, reliable delivery, flow control, bit-level error detection (and possibly error correction), half-duplex vs. full-duplex.
Adapters
o The link-layer protocol is implemented in an adapter, a board containing RAM, DSP chips, host bus interface, and a link interface.
Multiple Access Protocols
Key technical problem: when two or more nodes transmit frames at the same time, the frames collide and both transmissions are lost. There are several solutions to this problem, which involve detecting collisions and retransmitting. See CS242 for details.
LAN Addressing
o LANs transmit frames over a broadcast channel using LAN addresses.
o On the receiving end,
  • If a destination address matches the node's LAN address, it extracts the network-layer datagram and passes it up the protocol stack.
  • If the destination address doesn't match, the node discards the frame.
MAC address
o A LAN node's MAC (Medium Access Control) address (a.k.a. physical, Ethernet or LAN) properly belongs to its adapter.
o Generally 48 bits long, the address is intended to be a permanent unique ID burnt into the adapter's ROM. (But we'll see that in practice it's changeable!)
o LAN addresses have a flat structure (portable), as opposed to the IP hierarchical structure (routable).
o For Ethernet and token-passing LANs, broadcast MAC address is string of 48 1s: FF-FF-FF-FF-FF-FF.
o IEEE manages address space: allocates 1st 24 bits to manufacturers, who can use last 24 bits
MAC Address vs. IP Address
o MAC addresses: "Physical address", Layer 2
  • Hard-coded in ROM of network interface card
  • Similar to social security number (almost unique, immutable)
  • ...but flat name space of 48 bits (e.g., 00-0E-9B-6E-49-76)
  • Stays the same when host moves
  • Used to get packet between interfaces on same network
o IP addresses: "Logical address", Layer 3
  • Can be configured manually or learned dynamically
  • Similar to postal mailing address (change of address is easy)
  • Hierarchical name space of 32 bits (e.g., 12.178.66.9)
  • May change depending on where the host is attached
  • Used to get a packet to any destination IP subnet
Example: MAC/IP addresses
[Figure: LAN 137.196.7.0/24 with hosts 137.196.7.78, 137.196.7.23, 137.196.7.14 and 137.196.7.88, each with a NIC adapter; the MAC addresses shown are 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98 and 71-65-F7-2B-08-53.]
ARP: Address Resolution Protocol
Question: how to determine MAC address of B knowing B's IP address?
o Each IP node (host, router) on LAN has ARP table
o ARP table: IP/MAC address mappings for some LAN nodes
  <IP address; MAC address; TTL>
o TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
[Figure: the LAN from the previous slide: hosts 137.196.7.78, 137.196.7.23, 137.196.7.14, 137.196.7.88 with MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53.]
ARP protocol: Same LAN (network)
o A wants to send datagram to B, and B's MAC address not in A's ARP table.
o A broadcasts ARP query packet, containing B's IP address
  • dest MAC address = FF-FF-FF-FF-FF-FF
  • all machines on LAN receive ARP query
o B receives ARP packet, replies to A with its (B's) MAC address
  • frame sent to A's MAC address (unicast)
o A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  • soft state: information that times out (goes away) unless refreshed
o ARP is "plug-and-play":
  • nodes create their ARP tables without intervention from net administrator
Addressing: routing to another LAN
Send datagram from A to B via R; assume A knows B's IP address.
[Figure: A (111.111.111.111, MAC 74-29-9C-E8-FF-55) shares a LAN with host 111.111.111.112 (CC-49-DE-D0-AB-7D) and router R's interface 111.111.111.110 (E6-E9-00-17-BB-4B). R's other interface 222.222.222.220 (1A-23-F9-CD-06-9B) is on the LAN of B (222.222.222.222, 49-BD-D2-C7-56-2A) and host 222.222.222.221 (88-B2-2F-54-1A-0F).]
Two ARP tables in router R, one for each IP network (LAN).
Should A address the message to B's physical address, 49-BD-D2-C7-56-2A?
o A creates IP datagram with source A, destination B
o A uses ARP to get R's MAC address for 111.111.111.110
o A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
o A's NIC sends frame
o R's NIC receives frame
o R removes IP datagram from Ethernet frame, sees it's destined to B
o R uses ARP to get B's MAC address
o R creates frame containing A-to-B IP datagram, sends to B
[Figure: the same two LANs and router R as on the previous slide.]
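The A-to-B-via-R walkthrough as an added Python example (not code from the slides or from Kurose & Ross): a host interface with an ARP cache that expires (soft state), the choice between B's own address and the router's address as the next hop, and a router that repeats the step on its second LAN. The addresses are the slide's; /24 subnets and the LAN maps that stand in for the broadcast query and unicast reply are assumptions.

```python
# Added example (not from the slides or Kurose & Ross): ARP resolution with a
# soft-state cache, next-hop selection (B directly, or router R), and the
# router re-framing the datagram on its second LAN. Addresses are from the
# slide; /24 subnets and the LAN maps are assumptions of this example.
import ipaddress

ARP_TTL = 20 * 60   # seconds; "typically 20 min" on the ARP slide

# who answers an ARP query on each LAN (constructed from the figure)
LAN1 = {"111.111.111.111": "74-29-9C-E8-FF-55",
        "111.111.111.110": "E6-E9-00-17-BB-4B",
        "111.111.111.112": "CC-49-DE-D0-AB-7D"}
LAN2 = {"222.222.222.222": "49-BD-D2-C7-56-2A",
        "222.222.222.220": "1A-23-F9-CD-06-9B",
        "222.222.222.221": "88-B2-2F-54-1A-0F"}


class Interface:
    def __init__(self, ip, mac, prefix_len, lan):
        self.ip, self.mac, self.lan = ip, mac, lan
        self.net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        self.arp = {}                      # ip -> (mac, expiry time)

    def on_my_lan(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.net

    def resolve(self, ip: str, now: float):
        """MAC for `ip`: from the cache if fresh, else broadcast a query
        (here: look up who owns ip on the LAN) and cache the reply."""
        entry = self.arp.get(ip)
        if entry and entry[1] > now:
            return entry[0], "cache"
        self.arp.pop(ip, None)             # stale entry times out
        mac = self.lan.get(ip)
        if mac is None:
            return None, "no reply"
        self.arp[ip] = (mac, now + ARP_TTL)
        return mac, "query"


def build_frame(iface: Interface, gateway_ip, dst_ip: str, now: float) -> dict:
    """Frame for an IP datagram to dst_ip: addressed to B itself if B is on
    this LAN, otherwise to the router R (the datagram still says dst B)."""
    next_hop = dst_ip if iface.on_my_lan(dst_ip) else gateway_ip
    mac, how = iface.resolve(next_hop, now)
    return {"dst_mac": mac, "src_mac": iface.mac, "ip_dst": dst_ip,
            "next_hop": next_hop, "resolved_via": how}


class Router:
    def __init__(self, *interfaces):
        self.interfaces = interfaces       # one ARP table per attached LAN

    def forward(self, frame: dict, now: float) -> dict:
        """Strip the frame, pick the LAN that holds ip_dst, and re-frame."""
        for iface in self.interfaces:
            if iface.on_my_lan(frame["ip_dst"]):
                return build_frame(iface, None, frame["ip_dst"], now)
        raise ValueError("no attached LAN for " + frame["ip_dst"])


A = Interface("111.111.111.111", "74-29-9C-E8-FF-55", 24, LAN1)
R = Router(Interface("111.111.111.110", "E6-E9-00-17-BB-4B", 24, LAN1),
           Interface("222.222.222.220", "1A-23-F9-CD-06-9B", 24, LAN2))

if __name__ == "__main__":
    f1 = build_frame(A, "111.111.111.110", "222.222.222.222", now=0)
    print(f1)                              # addressed to R's MAC, not B's
    print(R.forward(f1, now=0))            # re-framed with B's MAC on LAN 2
```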
Dynamic Host Configuration Protocol (DHCP)
DHCP: Bootstrapping
o Host doesn't have an IP address yet
  • So, host doesn't know what source address to use
o Host doesn't know who to ask for an IP address
  • So, host doesn't know what destination address to use
o Solution: Shout to discover server who can help
  • Broadcast a server-discovery message
  • Server sends a reply offering an address
[Figure: hosts on a LAN and a DHCP server.]
DHCP client-server interaction
Network address translation (NAT)
Used to set up small LAN network behind a single IP address (home/small business)
NAT problems
o Port numbers are meant for addressing processes, not for addressing hosts.
o Routers are supposed to process packets only up to layer 3.
o NAT violates the so-called "end-to-end argument"; that is, hosts should be talking directly with each other, without interfering nodes modifying IP addresses and port numbers.
o Interferes with P2P applications: peers behind a NAT cannot act as server and accept TCP connections.
Ethernet
Invented in mid 1970s by Bob Metcalfe and David Boggs at Xerox PARC. Ethernet has dominated the LAN market because:
o First LAN technology to be widely deployed.
o Generally cheaper and simpler than its competitors (token rings, ATM, FDDI = Fiber Distributed Data Interface),
o Always managed to maintain comparable data rates with emerging technologies: 10 Mbps – 10 Gbps
[Figure: Metcalfe's Ethernet sketch]
Ethernet frame structure
[Figure: Ethernet frame (preamble, dest. address, source address, type, data, CRC) with these annotations:]
o Preamble: Seven bytes of 10101010 and one byte of 10101011; used to synchronize sender & receiver clock rates
o Addresses: MAC addresses, 6 bytes each; receiving adapter discards unless it matches dest. address or broadcast address (except if in promiscuous mode for sniffing!)
o Type: Two bytes used for multiplexed network-layer protocols; who do I pass the data up to? Usually IP, but could also be AppleTalk, Novell IPX, DecNet, ...
o Data: Carries IP datagram; has MTU of 1500 bytes and minimum of 46 (if less, it is stuffed)
o CRC: Our friend from previous lecture. 4 bytes; if error detected, frame dropped
Physical Layer: Buses
o In early Ethernet implementations, nodes were "tapped into" coaxial cable
o Remained popular through mid 90s
o All nodes in same collision domain (can collide with each other)
o Limitation in bus length (often only up to 100 meters)
o Cable problems can cut off one part of network from another.
Physical Layer: Repeaters
o Distance limitation in local-area networks
  • Electrical signal becomes weaker as it travels
  • Propagation delays interfere with collision detection
o Repeaters join LANs together
  • Analog electronic device
  • Continuously monitors electrical signals on each LAN
  • Transmits an amplified copy
o Example: Without repeater, 10Base2 is limited to 30 nodes and 185 meters. Up to four repeaters can be used to create a bus up to 925 meters.
Physical Layer: Hubs
o Hub is an unsophisticated broadcast device; when bit received on any link, broadcast it to all links at same rate.
o Often (but not always) amplifies signal, so can act like a repeater.
o Operates at the physical layer; does not examine frames or buffer them.
o Permits star topology in which each host connected separately to hub, reducing impact of wire problems.
o Multiple hubs can be used to form a tree.
[Figure: a hub connected to three hubs below it.]
Limitations of Repeaters and Hubs
o One large collision domain
  • Every bit is sent everywhere
  • So, aggregate throughput is limited
  • E.g., three departments each get 10 Mbps independently ... and then connect via a hub and must share 10 Mbps
o Cannot support multiple LAN technologies
  • Does not buffer or interpret frames
  • So, can't interconnect between different rates or formats, e.g., 10 Mbps Ethernet and 100 Mbps Ethernet
o Limitations on maximum nodes and distances
  • Does not circumvent the limitations of shared media
Link Layer: Switches
o Unlike "dumb" hubs, switches are smart and active: examine incoming frame's MAC address, selectively forward frame to one-or-more outgoing links
  • when frame is to be forwarded on link, uses CSMA/CD to access link
  • buffers frames, allowing links with different bandwidths
o Also called bridges; sometimes "switch" used when connecting hosts and "bridge" used when connecting LANs.
o transparent: hosts are unaware of presence of switches
o concurrent communication: Host A can talk to C, while B talks to D, without collisions!
o plug-and-play, self-learning: switches do not need to be configured
[Figure: hosts A, B, C, D attached to a switch.]
Switches: Traffic Isolation
o Breaks subnet into LAN segments
o Filters packets
  • Frame only forwarded to the necessary segments
  • Segments become separate collision domains
[Figure: a switch/bridge joining three hubs; each hub is its own collision domain.]
Switch Table
Q: how does switch know that A' reachable via interface 4, B' reachable via interface 5?
A: each switch has a switch table, each entry: (MAC address of host, interface to reach host, time stamp)
o looks like a routing table!
Q: how are entries created, maintained in switch table?
A: Self-learning rather than routing protocols or manual configuration.
[Figure: switch with six interfaces (1, 2, 3, 4, 5, 6); A, B, C' on interfaces 1, 2, 3 and A', B', C on interfaces 4, 5, 6.]
Switch: self-learning
o switch learns which hosts can be reached through which interfaces
  • when frame received, switch "learns" location of sender: incoming LAN segment
  • records sender/location pair in switch table
[Figure: A on interface 1 sends a frame (Source: A, Dest: A') to the six-interface switch.]
Switch table (initially empty):
MAC addr   interface   TTL
A          1           60
Switch: frame filtering/forwarding
When frame received:
1. record link associated with sending host
2. index switch table using MAC dest address
3. if entry found for destination
   then {
       if dest on segment from which frame arrived
       then drop the frame
       else forward the frame on interface indicated
   }
   else flood: forward on all but the interface on which the frame arrived
Self-learning, forwarding: example
[Figure: A on interface 1 sends a frame (Source: A, Dest: A') to the six-interface switch.]
o frame destination unknown: flood (the frame is sent out on interfaces 2 through 6)
o destination A location known: selective send (A' replies on interface 4, and the frame goes out only on interface 1)
Switch table (initially empty):
MAC addr   interface   TTL
A          1           60
A'         4           60
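The filtering/forwarding rule and the A/A' example above as an added Python example (not code from the slides); it goes beyond the slides by giving the table a capacity, to show how a table filled with bogus source addresses makes the switch flood like a hub, the MAC flooding listed later under Sniffing Defenses. Hosts, interface numbers and the capacity are constructed.

```python
# Added example (not from the slides): a self-learning switch implementing
# the filtering/forwarding rule with 60-second table entries. It goes beyond
# the slide by giving the table a capacity, to show how a full table turns
# the switch into a hub (MAC flooding). Hosts, interface numbers and the
# capacity are constructed.
SWITCH_TTL = 60    # seconds; the TTL column in the slide's table


class Switch:
    def __init__(self, interfaces, capacity=None):
        self.interfaces = list(interfaces)
        self.capacity = capacity          # None = unlimited (the slide's model)
        self.table = {}                   # MAC -> (interface, expiry)

    def _expire(self, now):
        for mac in [m for m, (_, exp) in self.table.items() if exp <= now]:
            del self.table[mac]

    def receive(self, src: str, dst: str, iface: int, now: float) -> list:
        """Handle one frame; return the interfaces it is sent out on."""
        self._expire(now)
        # 1. record the link associated with the sending host (if there is room;
        #    real switches vary in what they do when the table is full)
        if src in self.table or self.capacity is None or len(self.table) < self.capacity:
            self.table[src] = (iface, now + SWITCH_TTL)
        # 2. index the switch table using the MAC destination address
        entry = self.table.get(dst)
        # 3. known destination: drop if it is on the incoming segment, else forward
        if entry is not None:
            return [] if entry[0] == iface else [entry[0]]
        # unknown destination: flood on all but the incoming interface
        return [i for i in self.interfaces if i != iface]

    def entries(self) -> dict:
        return {mac: iface for mac, (iface, _) in self.table.items()}


def mac_flood(switch: Switch, iface: int, count: int, now: float) -> int:
    """Frames from `count` made-up source MACs on one port; returns how many
    table slots they now occupy."""
    for k in range(count):
        fake = f"FA-KE-00-00-{k >> 8:02X}-{k & 0xFF:02X}"
        switch.receive(fake, "FF-FF-FF-FF-FF-FF", iface, now)
    return sum(1 for i in switch.entries().values() if i == iface)


if __name__ == "__main__":
    sw = Switch(range(1, 7))
    print(sw.receive("A", "A'", 1, 0))    # unknown: flood [2, 3, 4, 5, 6]
    print(sw.receive("A'", "A", 4, 1))    # A known on 1: selective send [1]
    small = Switch(range(1, 7), capacity=4)
    mac_flood(small, 3, 4, 0)             # fill the table from port 3
    print(small.receive("A", "A'", 1, 1)) # A cannot be learned: every frame floods
```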
Interconnecting switches
o switches can be connected together
[Figure: switches S1, S2, S3, S4 interconnected, with hosts A through I attached to them.]
Q: sending from A to G - how does S1 know to forward frame destined to F via S4 and S3?
A: self learning! (works exactly the same as in single-switch case!)
Self-learning multi-switch example
Suppose C sends frame to I, I responds to C
[Figure: switches S1, S2, S3, S4 with numbered interfaces; hosts A, B, C, D, E, F, G, H, I attached.]
Q: show switch tables and packet forwarding in S1, S2, S3, S4
Switches: Advantages Over Hubs/Repeaters
o Only forwards frames as needed
  • Filters frames to avoid unnecessary load on segments
  • Sends frames only to segments that need to see them
o Extends the geographic span of the network
  • Separate collision domains allow longer distances
o Improves privacy by limiting scope of frames
  • Hosts can "snoop" the traffic traversing their segment but not all the rest of the traffic
o Applies carrier sense and collision detection
  • Does not transmit when the link is busy
  • Applies exponential back-off after a collision
o Joins segments using different technologies
  • E.g., can join 10 Mbps Ethernet and 100 Mbps Ethernet
Switches: Disadvantages Over Hubs/Repeaters
o Delay in forwarding frames
  • Bridge/switch must receive and parse the frame and perform a look-up to decide where to forward
  • Storing and forwarding the packet introduces delay
o Need to learn where to forward frames
  • Bridge/switch needs to construct a forwarding table
  • Ideally, without intervention from network administrators
o Higher cost
  • More complicated devices that cost more money
Key Vulnerability of Link/Physical Layers: Sniffing
Wireless Sniffing in a HotelWireless access points in public places are often unsecured.
Wireless Sniffing in a Dormitory
Even though many dorm rooms have wired internet access, students prefer the convenience of wireless access. But this is often much less secure!
Switch prevents simple sniffing
ARP spoofing foils switch protection
Sniffing Defenses
Wired world:
o Use switches rather than hubs. But still problems
  • ARP spoofing/cache poisoning
  • MAC flooding (overflow ARP table, causing switch to act like hub instead).
o Encrypt traffic – e.g. SSH, SSL/TLS, etc.
Wireless world:
o Encrypt traffic
  • Wired Equivalent Privacy (WEP) is easily crackable
  • Wi-Fi Protected Access (WPA) is much stronger
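An added Python example (not from the slides) of detecting the ARP spoofing / cache poisoning listed above from the defender's side: watch ARP traffic on a segment and flag replies that change a known IP-to-MAC binding, replies nobody asked for, and one MAC answering for several IPs. The ARP trace below is constructed.

```python
# Added example (not from the slides): a detector for the ARP spoofing /
# cache poisoning the Sniffing Defenses slide mentions. It watches ARP
# traffic on a segment and flags replies that change a known IP-to-MAC
# binding, replies nobody asked for, and one MAC claiming several IPs.
# The ARP records are constructed.

def detect_arp_spoofing(records: list, window: float = 5.0) -> list:
    """records: dicts {t, op ('request'|'reply'), sender_ip, sender_mac, target_ip}.
    Returns a list of (t, alert) tuples in time order."""
    bindings = {}                 # ip -> mac learned from replies
    pending = {}                  # ip asked about -> time of last request
    claims = {}                   # mac -> set of IPs it has answered for
    alerts = []
    for r in sorted(records, key=lambda r: r["t"]):
        if r["op"] == "request":
            pending[r["target_ip"]] = r["t"]
            continue
        ip, mac, t = r["sender_ip"], r["sender_mac"], r["t"]
        asked = pending.get(ip)
        if asked is None or t - asked > window:
            alerts.append((t, f"unsolicited reply: {ip} is-at {mac}"))
        old = bindings.get(ip)
        if old is not None and old != mac:
            alerts.append((t, f"binding change: {ip} moved from {old} to {mac}"))
        bindings[ip] = mac
        claims.setdefault(mac, set()).add(ip)
        if len(claims[mac]) > 1:
            alerts.append((t, f"{mac} now claims {sorted(claims[mac])}"))
    return alerts


# Constructed trace: host 10.0.0.5 resolves the gateway 10.0.0.1 normally,
# then a third MAC answers for both the gateway and the host.
TRACE = [
    {"t": 0.0, "op": "request", "sender_ip": "10.0.0.5", "sender_mac": "AA-AA-AA-AA-AA-05", "target_ip": "10.0.0.1"},
    {"t": 0.1, "op": "reply", "sender_ip": "10.0.0.1", "sender_mac": "AA-AA-AA-AA-AA-01", "target_ip": "10.0.0.5"},
    {"t": 30.0, "op": "reply", "sender_ip": "10.0.0.1", "sender_mac": "BB-BB-BB-BB-BB-BB", "target_ip": "10.0.0.5"},
    {"t": 30.2, "op": "reply", "sender_ip": "10.0.0.5", "sender_mac": "BB-BB-BB-BB-BB-BB", "target_ip": "10.0.0.1"},
]

if __name__ == "__main__":
    for t, alert in detect_arp_spoofing(TRACE):
        print(f"{t:6.1f}  {alert}")
```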
Scanning for Access Points
o Old days: war dialing to find modems connected to intranet networks
o Today: war driving to find unsecured access points, especially rogue access points connected to organization intranet
War Driving
World Wide War Drive:
                                  2001     2002     % Change
WEP Disabled                      69.86%   72.07%   +2.21%
SSIDs Default                     29.53%   35.24%   +5.71%
WEP Disabled AND SSID Default     26.64%   31.44%   +4.8
War Driving in Wellesley (Reema Siyam '03, Erin Stadler '03):
Default SSIDs   31 of 55   56.4%
WEP disabled    41 of 55   74.5%
"Outfitted with a Sony Vaio, a Lucent Orinoco wireless network, a MaxRad antenna, and Netstumbler software, we jumped into a car with the antenna on the roof and were on our way to find some networks."
Wireless Protection
o Require supplicant to authenticate by MAC address and/or password (but MAC addresses can be spoofed).
o Put wireless access points outside organization firewall.