link-layer - uw computer sciences user...
TRANSCRIPT
todayCrypto exercise in-class
Link layer (in-)security
IP, TCP (in-)security
exercisecrypto
Internet
backbone
ISP1 ISP2
Localareanetwork(LAN)
Internet
Ethernet
802.11BGP(bordergatewayprotocol)
DNS(domainnamesystem)
Alice
Bob
TCP/IP
Internetprotocolstack
Application HTTP,FTP,SMTP,SSH,etc.
Transport TCP,UDP
Network IP,ICMP,IGMP
Link 802x(802.11,Ethernet)
Application
Transport
Network
Link
Application
Transport
Network
Link
Network
Link
Internetprotocolstack
Application
TCP
IP
Ethernet
userdata
userdataApplhdr
userdataApplhdr
TCPhdr
userdataApplhdr
TCPhdr
IPhdr
userdataApplhdr
TCPhdr
IPhdrENethdr
ENettlr
TCPsegment
IPdatagram
Ethernetframe
14 20 20
46to1500bytes
Addressresolutionprotocol
IProuting:FigureoutwheretosendanIPpacketbasedondestinationaddress.
LinklayerandIPmustcooperatetoroutepackets
ARPenablesthiscooperationbymappingIPstoMACs
32-bitIPaddress
48-bitMACaddress
ARP
ARPcaches
• HostsmaintaincacheofARPdata– justatablemappingbetweenIPsandMACs
ARPhasnoauthentication
• Easytosniffpacketson(non-switched)ethernet
• Whatelsecanwedo?
EasyDenialofService(DoS):SendARPreplyassociatinggateway192.168.1.1withanon-usedMACaddress
ARPhasnoauthentication
• Easytosniffpacketson(non-switched)ethernet
• Whatelsecanwedo?
192.168.1.2MAC2
192.168.1.3MAC3
192.168.1.1MAC1
ActiveMan-in-the-Middle:
ARPreplytoMAC2192.168.1.1->MAC3
ARPreplytoMAC1192.168.1.2->MAC3
Nowtraffic“routed”throughmaliciousbox
802.11(wifi)
http://technet.microsoft.com/en-us/library/cc757419(WS.10).aspx
STA=stationAP=accesspoint
BSS=basicservicesetDS=distributionserviceESS=extendedserviceset
SSID(servicesetidentifier)identifiesthe802.11network
TypicalWiFimodes:UnsecuredWirelessProtectedAccess(WPA2)-passwordauthenticated,encrypted
802.11association
AP
Proberequest
SSID:“linksys”,BSSID:MAC1
AuthrequestMAC1
Authresponse
AssociaterequestMAC1
Associateresponse
802.11association AP
802.11association
Proberequest
AuthrequestMAC2
MAC1
MAC2SSID:“linksys”,BSSID:MAC1SSID:“linksys”,BSSID:MAC2
ChooseoneofMAC1,MAC2
…
TwoAPsforsamenetworkAP1
AP2
802.11eviltwinsBasicidea: -AttackerpretendstobeanAPtointercepttrafficorcollectdata
EviltwinMAC1
MAC2
Proberequest
SSID:“linksys”,BSSID:MAC1
AuthrequestMAC2
SSID:“linksys”,BSSID:MAC2ChooseoneofMAC1,MAC2
…
Basicattack:rogueAPAP1
ParrotARdroneDroneisaWiFiaccesspointUsesunsecured802.11connection(WiFi)ControlledfromiPadoriPhonewithanappUsesMACaddressforsecurity
Internetprotocolstack
Application
TCP
IP
Ethernet
userdata
userdataApplhdr
userdataApplhdr
TCPhdr
userdataApplhdr
TCPhdr
IPhdr
userdataApplhdr
TCPhdr
IPhdrENethdr
ENettlr
TCPsegment
IPdatagram
Ethernetframe
14 20 20
46to1500bytes
IPprotocol(IPv4)
• Connectionless– nostate
• Unreliable– noguarantees
• ICMP(InternetControlMessageProtocol)– errormessages,etc.
– oftenusedbytoolssuchasping,traceroute
IPv4
dataENethdr
ENettlr
EthernetframecontainingIPdatagram
IPhdr
4-bitversion
4-bithdrlen
8-bittypeofservice
16-bitidentification
16-bittotallength(inbytes)
3-bitflags
13-bitfragmentationoffset
8-bittimetolive(TTL)
8-bitprotocol
16-bitheaderchecksum
32-bitsourceIPaddress
32-bitdestinationIPaddress
options(optional)
backbone
SecurityissueswithIP
ISP1 ISP2
Routinghasissues,we’llgettothatlaterWhatelse? -Nosourceaddressauthenticationingeneral
5.6.7.8
1.2.3.4
DenialofService(DoS)attacks
ISP1 ISP2
1.2.3.4
5.6.7.8
Backbone
Goal:preventlegitimateusersfromaccessingvictim(1.2.3.4)
ICMPpingflood
8-bitcode
ICMP (InternetControlMessageProtocol)
ICMPmessageIPhdr
8-bittype
16-bitchecksum
ICMPhdr
4-bytemoreofheader(dependsontype)
message…
DenialofService(DoS)attacks
ISP1 ISP2
1.2.3.4
5.6.7.8
Backbone
Goalistopreventlegitimateusersfromaccessingvictim(1.2.3.4)
ICMPpingflood- AttackersendsICMPpingsasfastaspossibletovictim- WhenwillthisworkasaDoS?- Howcanthisbeprevented? Ingressfilteringnearvictim
Attackerresources>victim’s
DenialofService(DoS)attacks
ISP1 ISP2
1.2.3.4
5.6.7.8
Backbone
Howcanattackeravoidingressfiltering?
AttackercansendpacketwithfakesourceIP“spoofed”packetPacketwillgetroutedcorrectlyReplieswillnot
source:8.7.3.4dest:1.2.3.4
SendIPpacketwith from5.6.7.8
ISP3
8.7.3.4
Filterbasedonsourcemaybeincorrect
DoSreflectionattacks
ISP1 ISP2
Noteavalidpacketsendsareplyto8.7.3.4 -Attackercanbounceanattackagainst8.7.3.4off1.2.3.4 -“Frame”1.2.3.4 -Single-packetexploit(1.2.3.4inforeigncountry)
1.2.3.4
5.6.7.8
Backbone
ISP3
8.7.3.4
DenialofService(DoS)attacks
ISP1 ISP2
1.2.3.4
5.6.7.8
Backbone
DoSworksbetterwhenthereisasymmetrybetweenvictimandattacker- Attackerusesfewresourcestocausevictimto
consumelotsofresources
DenialofService(DoS)attacks
ISP1 ISP21.2.3.4
5.6.7.8
Backbone
DoSworksbetterwhenthereisasymmetrybetweenvictimandattacker- Attackerusesfewresourcestocausevictimto
consumelotsofresources
Oldexample:SmurfattackRouterallowsattackertosendbroadcastICMPpingonnetwork.AttackerspoofsSRCaddresstobe1.2.3.4
DenialofService(DoS)attacks
ISP1 ISP2
1.2.3.4
5.6.7.8
Backbone
Morerecent:DNSreflectionattacksSendDNSrequestw/spoofedtargetIP(~65byterequest)DNSrepliessenttotarget(~512byteresponse)
ISP3
8.7.3.4
ShortDNSrequest
LongerDNSreply
DoSworksbetterwhenthereisasymmetrybetweenvictimandattacker- Attackerusesfewresourcestocausevictimto
consumelotsofresources
recap
In-class exercise / Hybrid encryption, digital signatures, PBKDF
Network Security / ARP cache poisoning, MitM, DoS / WiFi Evil Twins / IP (in-security)
Exit slips / 1 thing you learned / 1 thing you didn't understand