ece509 cyber security : concept, theory, and...
TRANSCRIPT
3/6/14
1
ECE509 Cyber Security :
Concept, Theory, and Practice
Network Security Spring 2014
Outline
• Review Layered Network Architecture • Network Layer protocols • Transport Layer Protocols • Application Layer Protocols • Layer 2 Protocols
3/6/14
2
OSI Reference Model • The layers
– 7: Application, e.g., HTTP, SMTP, FTP – 6: Presentation – 5: Session – 4: Transport, e.g. TCP, UDP – 3: Network, e.g. IP, IPX – 2: Data link, e.g., Ethernet frames, ATM cells – 1: Physical, e.g., Ethernet media, ATM media
• Standard software engineering reasons for
thinking about a layered design
Layers Limit Need for Intelligence
• Intermediate devices only need to process the packet headers up to the level they understand
Ether Hdr
IP Hdr
TCP Hdr
HTTP Hdr
Data
3/6/14
3
Various network devices • Hosts and servers – Operate at Layer 7
(application) • Proxies – Operate at Layer 7 • Firewalls – Operate between Layers 2 and 7.
From the outside world make changes at Layers 2 (in transparent mode) or 3 (in routing mode)
• Routers – Operate at Layer 3 (network) • Switches or Hubs – Operate at Layer 2 (data link) • Gateways – Operate at Layer 2
Relevant Network Layers
*From http://www.erg.abdn.ac.uk/users/gorry/course/images/ftp-tcp-enet.gif
3/6/14
4
IPv4 • 32 bit Addressing scheme
– Host address, format "A.B.C.D" where each letter is a byte. e.g., 192.168.1.1
– Network address, e.g., 192.168.1.0/24 or 192.168.1.0 255.255.255.0 • Class A network : A.0.0.0
– Zeroes are used to indicate that any number could be in that position • Class B network: A.B.0.0 • Class C network: A.B.C.0 • Multicast (class D)
– 224.0.0.0 to 239.255.255.255 • Class E (experimental, reserved, i.e., wasted)
– 240.0.0.0 to 254.255.255.255 – Private non-routable networks
• 192.168.0.0/24 • 172.16.0.0/12 • 10.0.0.0/8
– Loopback network – 127.0.0.0, Typically only 127.0.0.1 is used
IP Header
Source [http://en.wikipedia.org/wiki/IPv4_header#Header]
3/6/14
5
Address spoofing
• Sender can put any source address in packets he sends: – Can be used to send unwelcome return traffic
to the spoofed address – Can be used to bypass filters to get
unwelcome traffic to the destination • Reverse Path verification can be used by
routers to broadly catch some spoofers
Defending Against IP Spoofing • Ingress filtering
– Forbid inbound broadcasts from the Internet into your networks
– Forbid inbound packets from non-routable networks
• Egress filtering – Prevent stations in networks you control from spoofing IPs
from other networks by dropping their outbound packets » Make your network a less attractive and useful target
for attackers that want to launch other attacks » Be a good Internet citizen (reputation is important)
– Drop outbound broadcasts
• Reference – RFC 2267 - "Network Ingress Filtering: Defeating Denial of
Service Attacks which Employ IP Source Address Spoofing"."
3/6/14
6
Fragmentation • May need to fragment an IP packet if one data link along
the way cannot handle the packet size – Perhaps path is a mix of different types of communication media – Perhaps unexpected encapsulation makes the packet larger than
the source expected – Hosts try to understand Maximum Transmission Unit (MTU) to
avoid the need for fragmentation (which causes a performance hit)
– MTU on Ethernet 1500bytes • Any device along the way can fragment
– Identification field identifies all elements of the same fragment – Fragmentation stored in the MF (more fragments) and fragment
offset fields – Devices can reassemble too – But generally the destination does the reassembly
Example of Fragmentation • For example, if a 4,500 byte data payload is inserted into an IP packet with no options
(thus total length is 4,520 bytes) and is transmitted over a link with an MTU of 2,500 bytes then it will be broken up into two fragments:
• Now, let's say the MTU drops to 1,500 bytes.
3/6/14
7
Fragmentation Flaws • Split packet to fool simple firewall and IDS
– Intermediate content observers must do reassembly • Overlapping fragments
– Can be used to trick IDS by hiding, e.g. a “get /etc/password” request
– Different clients reassemble overlapping fragments differently – Just drop overlapping fragments
• Bad fragment offsets exploit poor stack implementations – E.g. Teardrop attack, negative offsets or overlarge offsets cause
buffer overflows – Firewalls can check for well formed packets.
• Resource attacks on re-assemblers – Send all but one fragment for many packets
• More: An Analysis of Fragmentation Attacks http://www.ouah.org/fragma.html
How TearDrop Works? • Send a packet with:
– offset = 0 – payload size N – More Fragments bit on
• Second packet: – More Fragments bit off – offset + payload size <N – fits entirely inside first packet.
• OS tries to reassemble it
First Second
3/6/14
8
Which one of these is a safe way to deal with overlapping fragments? a) first see if they are valid fragments, then grab
any new data b) copy them in the reassembly buffer, making
sure not to write outside the buffer c) ignore them because they are malicious d) first see if they are valid fragments, wait until all
fragments arrive, validate them again, and assemble them
e) a), b) or d) can work with varying efficiency
If you are programming a firewall, you will want to allow or deny datagrams based on header information. Which one of these should you do, for safety’s sake? a) deny fragments with zero length
b) deny fragments where headers are
fragmented
c) deny fragments where the offset+size of datagram > 65535 bytes
3/6/14
9
How do you suggest preventing a DoS due to all your buffers being used for fragments that are parts of datagrams that will never be complete? a) expire and delete each datagram after a certain delay b) expire and delete all datagrams with a given fragment ID
whenever any of the datagrams has been held longer than a certain delay
c) whenever you run out of space, delete the oldest fragment
d) whenever you run out of space, delete all datagrams
with the fragment ID of the oldest fragment
When should you attempt reassembly of fragments? a) once you have them all
b) as you get them c) before you expire and delete datagram
fragments d) whenever you get a datagram with the “More Fragments” bit set to zero
3/6/14
10
UDP Client/Server Programming
• C: – http://www.cs.ucsb.edu/~almeroth/classes/
W01.176B/hw2/examples/ • Java:
– http://www.cs.uic.edu/~troy/spring05/cs450/sockets/socket.html
Common Terminology • NIST: National Institute of Standards and
Technology • CAN: Candidate Vulnerabilities • CVE: Common Vulnerabilities and
Exposures • CVSS: Common Vulnerabilities Scoring
System • IETF: Internet Engineering Task Force • RFC: Request for Comments • STD: Internet Standard • IANA: Internet Assigned Numbers Authority
3/6/14
11
Address Resolution Protocol (ARP)
• Used to discover mapping of neighboring Ethernet MAC to IP addresses. – Need to find MAC for 192.168.1.3 which is in
your interfaces subnetwork – Broadcast an ARP request on the link – Hopefully receive an ARP reply giving the
correct MAC – The device stores this information in an ARP
cache or ARP table
ARP cache poisoning • Bootstrap problem with respect to security. Anyone can
send an ARP reply – The Ingredients to ARP Poison,
http://www.governmentsecurity.org/articles/TheIngredientstoARPPoison.php
• Classic Man-in-the-middle attack – Send ARP reply messages to device so they think your machine
is someone else – Better than simple sniffing because packets will get to your
regardless of sniffing. • Solutions
– Encrypt all traffic – Monitoring programs like arpwatch to detect mapping changes
• Which might be valid due to DHCP
3/6/14
12
Transport layer • UDP
• Best effort delivery • Connectionless
• TCP • Reliable • Establishes connections and monitors deliveries
UDP/TCP Header Source Port Destination Port
UDP Length UDP checksum
Source Port Destination Port
Sequence Number
Acknowledgement number
HDR Len
U R G
A C K
P S H
R S T
S Y N
F I N
Window Size
Checksum Urgent Pointer Options (0 or more words)
3/6/14
13
UDP - Datagram Transport • User Datagram Protocol (UDP)
– A best-effort delivery, no guarantee, no ACK – Lower overhead than TCP – Good for best-effort traffic like periodic updates – No long lived connection overhead on the endpoints – Connectionless
• Some folks implement their own reliable protocol over UDP to get “better performance” or “less overhead” than TCP – Such efforts don’t generally pan out
• TFTP, DNS, VOIP, P2P Data protocols use UDP • Data channels of some multimedia protocols, e.g., H.323 also
use UDP
Ports • Ports dynamically address (“bind”) IP packets to a process • Port range 0 - 65535 • Both TCP and UDP use ports for
o Transport address selection o To identify which service or application to
communicate o Multiplexing
o To allow multiple o connections per host
• Relationship with Socket
3/6/14
14
Ports (cont'd) • Applications are associated with ports (generally just
destination ports) • IANA organizes port assignments
http://www.iana.org/ • Server listening on destination port
– TCP and UDP have distinct ports, but services usually use the same number for both
• Source ports generally dynamically selected – Ports under 1024 are considered well-known ports – Would not expect source ports to come from the well-
known range • Scanners probe for listening ports to understand the services
running on various machines • Most Operating Systems allow only privileged processes to
open the ports below 1024 • HTTP 80 TCP • SMTP 25 TCP • DNS 53 UDP • HTTPS 443 TCP
Transport Flow • Transport Flow :: a sequence of packets sent between
a source/destination pair and following the same route through the network.
• <src_ip, dst_ip, src_port, dst_port,> • Total combinations 232 X 232 X 216 X 216 = 296
• What's the problem with this BIG number? • With a computer operating at 212 instructions per
second, and assume the year has 225 seconds, it will take 262 number of years to finish – assuming each combination can be done in one
instruction; unrealistic assumption.
3/6/14
15
UDP Issues • All lower layer issues, with similar attacks
• IP spoofing • IP and link layer broadcast (amplification) • IP fragmentation • ARP spoofing • Link layer
• New possibilities • Network services and applications can be contacted
and attacked with UDP packets that exploit the lower level issues
• Traffic amplifying applications
UDP Amplifier Attack
• Fraggle – Broadcast UDP packet sent to the "echo"
service – All computers reply (amplification) – Source IP was spoofed, victim is
overwhelmed
3/6/14
16
UDP Ping-Pong
• Chargen service replies with a UDP packet to any incoming packet
• Spoof a packet from host A's chargen service to host B's chargen service – Computers keep replying to each other as fast
as they can • Variants use the echo service on one of
the hosts – Or even the same host (CVE-1999-0103)
• a.k.a. UDP bomb, UDP packet storm
UDP Ping-Pong (Cont'd)
• Any service or application that issues a UDP reply no matter what is the input packet (e.g., error message) is vulnerable – daytime (port 13) – time (port 37)
• Do you know of another UDP service that answers no matter what?
3/6/14
17
Example Hosts Vulnerable to UDP Ping-Pong • Routers and firewalls! • Cisco IOS 11.x had chargen and echo enabled by default
– Date § Other services
– Quote of the day (RFC 865) – Active Users (RFC 866) – Daytime (RFC 867) – UDP Kerberos v5 (port 464) – Any service that responds (e.g. with an error message) to
any packet
Amplification Using UDP Packets
• Key: Applications that reply with large packets to small requests – e.g., games
• BattleField 1942 • Quake 1 (CAN-1999-1066) • Unreal Tournament
• Hosts can be attacked by using these applications as amplifiers, with forged source IP packets
3/6/14
18
Exploits Through UDP • Resource Exhaustion
– Windows 98 and Windows 2000 Java clients allow remote attackers to cause a denial of service via a Java applet that opens a large number of UDP sockets, which prevents the host from establishing any additional UDP connections, and possibly causes a crash.
• CAN-2001-0324
• Sniffing and Spoofing – NAI Sniffer Agent allows remote attackers to
gain privileges on the agent by sniffing the initial UDP authentication packets and spoofing commands.
• CAN-2000-1159
Exploits Through UDP (more) • Exploitation of other flaws (anonymous)
– Interactions between the CIFS Browser Protocol and NetBIOS as implemented in Microsoft Windows 95, 98, NT, and 2000 allow remote attackers to modify dynamic NetBIOS name cache entries via a spoofed Browse Frame Request in a unicast or UDP broadcast datagram.
• CAN-2000-1079
• Traffic amplifiers – DNS allows remote attackers to use DNS name
servers as traffic amplifiers via a UDP DNS query with a spoofed source address, which produces more traffic to the victim than was sent by the attacker.
• CVE-1999-1379
3/6/14
19
Exploits Through UDP (more)
• Self-connection – Quake 2 server allows remote attackers to
cause a denial of service via a spoofed UDP packet with a source address of 127.0.0.1, which causes the server to attempt to connect to itself.
• CAN-1999-1230 • Similar to UDP bomb
Egress filtering is useful for: a) stopping outbound IP spoofing b) stopping inbound IP spoofing c) preventing Smurf attacks d) preventing ARP cache poisoning e) all of the above
3/6/14
20
Egress filtering prevents part of outbound IP spoofing. A host can still spoof the IP address of another host on the same network, because it’s a valid IP address.
Discussion and Conclusion • UDP does not in itself introduce new vulnerabilities, but
makes the exploitation of IP layer vulnerabilities easy. – Makes applications more difficult to design to prevent
amplification and ping-pong effects • When is UDP needed?
• DNS – Normal hosts query DNS servers using UDP in practice
» UDP also used for other DNS functions (more on this later)
• Streaming video, Voice-over-IP
• Is your LAN used to attack a third party via UDP?
• Did some computers in your LAN get compromised?
3/6/14
21
TCP - Reliable Streams • Transmission Control Protocol (TCP)
– Guarantees reliable, ordered stream of traffic – Such guarantees impose overhead – A fair amount of state is required on both ends – Connection oriented
• Similar to packages requiring signatures at delivery
• Most Internet protocols use TCP, e.g., HTTP, FTP, SSH, H.323 control channels
Initial Vulnerability – Establishing connections
– SYN flood attack
– Is this packet relevant? – Initial sequence number predictability – RST attacks
– TCP Scanning – Tcptraceroute
– Refers to the network,TCP is “Stateless” – Phone conversations require a network path to be
established – TCP doesn’t change network paths – Each packet is independent of others
– Clients and servers maintain states, which makes them vulnerable to resource exhaustion attacks
3/6/14
22
TCP Header
Source Port Destination Port
Sequence Number
Acknowledgement number
HDR Len
U R G
A C K
P S H
R S T
S Y N
F I N
Window Size
Checksum Urgent Pointer Options (0 or more words)
TCP Flags • one-bit • Synchronize flag [SYN]
– Used to initiate a TCP connection
• Acknowledgement flag [ACK] – Used to confirm received data
• Finish flag [FIN] – Used to shut down the connection
• Push flag [PSH] – Do not buffer data on receiver side – send directly to application level
• Urgent flag [URG] – Used to signify data with a higher priority than the other traffic
• I.e Ctrl+C interrupt during an FTP transfer
• Reset flag [RST] – Tells receiver to tear down connection immediately
3/6/14
23
TCP Connections A client A wants to set up a TCP connection to a server B
w A sends SYN with its sequence number X w B replies with its own SYN and sequence number Y
and an ACK of A’s sequence number X+1 w A sends data with its sequence number X+1 and
ACK’s B’s sequence number Y+1
• This establishes that packets can be sent
both ways and provides the proof to both hosts.
TCP SYN Scans
• If someone sends you a SYN packet for a port that’s closed, you are supposed to respond with a packet with RST and ACK flags (“I got your message but I don’t want to talk to you”).
• Sending SYN packets to find out which ports are open on which machines is known as port scanning – Source IP address may be spoofed to hide the
true source • Only 1 in x is from the real source
3/6/14
24
TCP ACK Scans • Bypass firewalls that only allow “established” connections (fancy way to say that they block incoming packets with the “SYN” flag) – Doesn't work if the firewall builds a table of
outgoing connections • e.g., Network Address Translation, a.k.a. IP
masquerading
• Response is a RST packet whether the port is closed or open
• Allows attackers to find out which IP addresses are in use, similar in function to an ICMP ping
TCP FIN Scans
• RFC says: – open port, do not respond – closed port, respond with RST/FIN
• Some implementations respond with a RST on open ports
• Another way to map services on a host
3/6/14
25
Defending Scans • Issue: spoofed IP addresses
– Option 1: Don't reply • "Stealth" does not increase bandwidth consumption
– Option 2: "Active" defense • In a SYN scan, if you send a SYN/ACK for every packet, you
could force the attacker to complete the connection to gain information
– Makes it more difficult to spoof the source IP – Slows down scanners
» But if 1 in 100 packets is not spoofed, it slows down your server 100 times more than the scanner!
– However: » Increases traffic, bandwidth consumption » May have undesired effects » Replies sent to spoofed IP addresses » Are you unwittingly attacking them?
SYN flood • A resource DoS attack focused on the TCP three-way
handshake • Denial of service when an attacker sends many SYN
packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood. – This leaves B with a bunch of half open connections that are filling up
memory – Firewalls adapted by setting limits on the number of such half open
connections. – Keeping track of each half-open connection takes up resources
3/6/14
26
TCP Reliability • A TCP connection is a stream • Each TCP packet contains a stream
segment • A sequence number is associated to each
byte • Packets have a single field for the sequence
number – e.g., refers to the sequence number of a specific byte,
according to a convention described in the RFC
• An ACK is required for each byte • If an ACK is not received in a certain amount of
time, data is retransmitted • An ACK packet serves as an ACK for all bytes up
to the byte indicated by the ACK's sequence number
• Receiver uses sequence numbers to correctly reorder segments and remove duplicates
TCP Flow Control • How much can a sender send at a time?
• The more can be sent, the more efficient the network is
– Fewer header bytes, media contention delays, etc...
• TCP "Window" • With every ACK, the receiver indicates how many
more bytes it is prepared to receive
TCP Stream
Acknowledgement Number Maximum Window Sequence Number
Window
Increasing numbers
3/6/14
27
Congestion Control
Congestion window
10
5
15
20
0
Round-trip times
Slow start
Congestion avoidance
Congestion occurs
Threshold
Protection against SYN Attacks • Client sends SYN • Server responds to Client with SYN-ACK
cookie – sqn = f(src addr, src port, dest addr, dest port,
rand) – Normal TCP response but server does not save
state • Honest client responds with ACK(sqn) • Server checks response
– If matches SYN-ACK, establishes connection • “rand” is top 5 bits of 32-bit time counter • Server checks client response against recent values
See http://cr.yp.to/syncookies.html
3/6/14
28
SYN Cookies (cont'd) • Difference between server's ISN and client's
ISN – top 5 bits: t mod 32, where t is a 32-bit time
counter that increases every 64 seconds; – next 3 bits: an encoding of an MSS selected by
the server in response to the client's MSS; – bottom 24 bits: a server-selected secret function
of the client IP address and port number, the server IP address and port number, and t.
TCP Sequence Numbers • Every new connection gets a new initial sequence
number (ISN) • For both sides of the connection • ISNs are exchanged (jargon: streams are "synchronized") in the
initial SYN handshake • Is this a real random number?
• TCP packets with sequence numbers outside the window are ignored
• This makes attacks on TCP applications harder than if they used UDP
• Sequence numbers allow reconstruction of correct order of packets
• How to hijack a TCP connection?
3/6/14
29
Finding the Sequence Number • Sniffing • MAC address man-in-the-middle attack • Source-routed IP packets (to setup a M.I.M.
attack) • ICMP redirects • If the above is not possible, try to predict
the initial sequence number – Connect yourself, examine how sequence
numbers are generated (e.g., last one + 128 000)
– Make a guess based on observations
ISN Vulnerability
• Predictable • Symantec Raptor Firewall 6.5 and 6.5.3,
Enterprise Firewall 6.5.2 and 7.0, VelociRaptor Models 500/700/1000 and 1100/1200/1300, and Gateway Security 5110/5200/5300 generate easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections.
– CAN-2002-1463 • Cisco switches and routers running IOS 12.1 and
earlier produce predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections.
– CVE-2001-0288
3/6/14
30
TCP RST Flag
• TCP reset (RST) flag is used to abort TCP connections, usually to signify an irrecoverable error – Receiver deletes the connection, frees data
structures • RST messages are accepted only if they
fit inside the sequence number window – Prevents delayed RST messages from
previous connections to affect the current connection
TCP RST Attack • Send a RST (TCP RESET flag) packet
with a spoofed IP address to either side of a valid connection
• Need to guess a sequence number inside the appropriate window
– Or sniff traffic to know which number to use • The range can be guessed fairly efficiently for RST
attacks • Sequence numbers: 32 bits • Window size: up to 16 bits • Number of guesses 32-16 = 16 bit address space
– 65535 RST attempts, ~ 4 min on DSL connection – Faster connection or zombies, faster RST – This is the brute force RST attack
3/6/14
31
Hijacking a TCP Session • Idea: all that’s required to mess up someone else’s
TCP session is guessing or knowing the sequence numbers for their connection.
– Only need to fall within the needed range, exact guess not needed
• Attackers needs – Ability to forge TCP/IP packets. – Initial sequence number – Knowledge that a TCP connection has started (but not the
ability to see it) – When the TCP connection started – Ability to redirect responses to you
OR continue the conversation without responses to you while achieving your goal
• Thought to be too hard, but exists in the wild. • Send a spoofed IP packet, with a TCP payload that inserts
data to blast the legitimate client off the net!
Question
• Which is more difficult to attack? a) UDP
b) TCP c) ICMP d) IP reassembly
3/6/14
32
Question
• Applications that encrypt their data and validation checksum and use TCP, such as SSL (https) in browsers, are vulnerable to:
a) RESET attacks b) Data injection attacks c) Session hijacking d) Eavesdropping attacks e) IP fragmentation attacks
Question
UDP Ping-Pong is possible due to: a) IP fragmentation attacks b) Initial sequence number spoofing c) MAC address spoofing d) IP address spoofing
3/6/14
33
Question
• To offer resistance to brute force RST attacks, you could: a) Use application-level encryption b) Use the largest TCP window possible c) Use a small TCP window d) Use unpredictable initial sequence numbers
Question
• A SYN flood attack works by: a) Making computers drop established
connections b) Preventing new connections by consuming
server resources c) Injecting data in established connections d) Creating a loop between services
3/6/14
34
Question
• UDP is attractive as an exploitation vector because a) It's fast b) It consumes resources to keep track of
connections c) It can change routing tables d) It's anonymous through IP spoofing
Network Address Translation
• NAT, a.k.a. masquerading, allows sharing an Internet connection through a single IP address
• IP addresses and checksums are replaced on-the-fly
• NAT maintains a table of mappings: – Internal IP, port <=> External IP, port – Incoming packets are translated back if
there's an existing mapping, dropped otherwise
– Mappings are added only for outgoing packets
3/6/14
35
Question
• What will happen if someone tries to do a SYN TCP scan from inside a NAT firewall? a) Victims won't know who did the scan and
can't retaliate b) Victims will be under a SYN flood attack c) The NAT mapping table will overflow,
possibly preventing other users from accessing the web
Application Protocols • Single connection protocols
– Use a single connection, e.g. HTTP, SMTP • Dynamic Multi-connection Protocols, e.g. FTP
and H.323 – Have a well known control channel – Negotiate ports and/or addresses on the control
channel for subsidiary data channels – Dynamically open the negotiated data channels
• Protocol suites, e.g. Netbios and DNS
3/6/14
36
Spoofing Applications • Often times ridiculously easy • Fake Client
– Telnet to an SMTP server and enter mail from whoever you want
– Authenticating email servers • Require a password • Require a mail download before server takes
send requests
• Fake server – Phishing: misdirect user to bogus server
Internet Control Message Protocol (ICMP)
• RFC 792 • Used for diagnostics
– Destination unreachable – Time exceeded, TTL hit 0 – Parameter problem, bad header field – Source quench, throttling mechanism rarely used – Redirect, feedback on potential bad route – Echo Request and Echo reply, ping – Timestamp request and Timestamp reply,
performance ping • Can use information to help map out a network
– Some people block ICMP from outside domain
3/6/14
37
ICMP Header
2 14 36 5 0710 912 1114 13 81518 1720 1922 21 162326 2528 2730 29 24312 14 36 5 0710 912 1114 13 81518 1720 1922 21 162326 2528 2730 29 24312 14 36 5 0710 912 1114 13 81518 1720 1922 21 162326 2528 2730 29 2431
Type Code Header Checksum
Option 1
Option 2
PING OF DEATH • ICMP echo with fragmented packets
• Maximum legal size of an ICMP echo packet: 65535 - 20 - 8 = 65507
• Fragmentation allows bypassing the maximum size: (offset + size) > 65535
• Reassembled packet would be larger than 65535 bytes
• OS crashes • Really a problem with reassembly, ICMP just
used for convenience • Same attack with different IP protocols
3/6/14
38
Ping Flood
• Denial of Service attack • Overwhelming the victim with ICMP
Echo Request packets (ping) • Attacker has more bandwidth • How to defend?
– Filter incoming ICMP Echo Request packets
– Compromised way, filter large PING packets
Smurf Attack
• An amplification DoS attack – A relatively small amount of information sent is
expanded to a large amount of data • Send ICMP echo request to IP broadcast
addresses. Spoof the victim's address as the source
• The echo request receivers dutifully send echo replies to the victim overwhelming it
• Fraggle is a UDP variant of the same attack aiming at ports 7 and 19
3/6/14
39
Question
• What is the best strategy against Smurf attacks? a) block incoming pings to broadcast addresses at the firewall or router b) block all ICMP echo traffic at the firewall or router c) install an IDS d) complain to the vendor, asking for a patch e) strike back at the attacker by spoofing her IP address in another Smurf
Other ICMP Abuse • Tribe, a.k.a. The "Tribe Flood Network"
distributed denial of service attack tool • Use ICMP echo request and reply as a
covert communication channel to issue commands to infected computers
• Attackers reversed the normal usage of reply and request messages
• Reply messages used to issue commands and bypass firewalls
• http://staff.washington.edu/dittrich/misc/tfn.analysis
3/6/14
40
Question
• Name the packets that can’t be used to scan a network (all by themselves): a) echo request b) echo reply c) timestamp request d) network mask request e) source quench
Question
• Which application/protocol will be affected if you disallow ICMP unreachable messages? a) MTU discovery b) TraceRoute c) DNS d) ARP e) Nothing
3/6/14
41
Question
• If you receive an ICMP network redirect message, which attack could possibly be attempted against you? a) Man-in-the-middle b) DoS
Question
• Which ICMP attack resembles the Fraggle attack?
• Which other services could be used instead of the "echo" service?
3/6/14
42
Answers
• Smurf • All the "small services"
– daytime – chargen (RFC 864) (port 19) – quote of the day (RFC 865) – ...
• Quote of the day may be enabled by people thinking it's cool or cute