Mitnick
TRANSCRIPT

TCP/IP Security

TEACHING POINTS
• TCP/IP vulnerabilities
• Mitnick attack
• firewalls
• IDS
• IPSEC, SSL, VPN
TCP/IP Vulnerabilities
• The TCP/IP protocol stack was developed in a "trusting" environment
• Passwords for telnet, ftp, mail, etc. are sent over the network in the clear or with a known encoding
• Many of the communications protocols rely on the participants being well behaved and "truthful"
Internetworking

[Figure: Host A on Network 1 and Host B on Network 2 communicate across the Internet through Router K. Each host runs the full stack (Application, Transport, Internet, Network Access, Physical); the router forwards at the Internet layer and below (Internet, Network Access, Physical) on each of its interfaces.]
Protocol Data Units

[Figure: encapsulation. USER DATA is wrapped in a TCP Header (segment), the segment in an IP Header (datagram), and the datagram in a Net Header (frame).]
IP Specifics
• Responsible for moving data across the Internet
• Send and forget
• Does not guarantee
  • Delivery
  • Packets delivered in the order sent
  • Packets delivered undamaged
• Employed on various networking technologies
IP Header (bit positions 0, 16, 31 mark the 32-bit rows)

Version | IHL | Type of Service | Total Length
Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options and Padding
TCP Specifics
• Provides reliable data transfer between apps running on different hosts
• Divides data into TCP segments and transmits them using IP
• Protects against data loss, corruption, packet reordering and data duplication by
  • adding checksums (tx)
  • sequence numbers (tx and rx)
  • acknowledgement packets (rx)
TCP Header (bit positions 0, 16, 31 mark the 32-bit rows)

Source Port | Destination Port
Sequence Number
Acknowledgement Number
Data Offset | Reserved | Flags | Window
Checksum | Urgent Pointer
Options and Padding
TCP Header FLAGS: URG, ACK, PSH, RST, SYN, FIN
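To make the two header layouts above concrete, here is an added example (not code from the slides) that builds an IPv4 datagram carrying a TCP SYN, then parses both headers back in the field order shown on the slides and verifies the IP header checksum and the TCP checksum over the pseudo-header. The addresses (10.0.0.1, 10.0.0.2), ports (40000 to 513) and the initial sequence number 1000 are constructed for the demonstration; the helper names are this example's own. The corrupted copy shows why a receiver must check both checksums rather than trust the header fields.

```python
"""Build, parse and checksum the IPv4 and TCP headers from the slides.
Added example, not from the original slide deck. All packet contents are constructed."""
import socket
import struct

# bit values of the six flag bits in the TCP header's Flags field, low bit first
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ip_header(src: str, dst: str, payload_len: int, ident: int = 0x1234, ttl: int = 64) -> bytes:
    """Fixed 20-byte IPv4 header (Version 4, IHL 5, no options) carrying TCP (Protocol 6)."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident, 0x4000, ttl, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = internet_checksum(hdr)           # computed with the Header Checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def build_tcp_segment(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
                      flags: str, payload: bytes = b"") -> bytes:
    """20-byte TCP header (Data Offset 5) plus payload; checksum covers the pseudo-header too."""
    flag_bits = sum(TCP_FLAG_BITS[f] for f in flags.split("|") if f)
    offset_flags = (5 << 12) | flag_bits    # Data Offset in the top 4 bits, Reserved zero, Flags low
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst), 0, 6, len(hdr) + len(payload))
    csum = internet_checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_packet(pkt: bytes) -> dict:
    """Decode IP then TCP (slide field order) and verify both checksums.
    A header whose checksum is intact sums to zero when the checksum field is included."""
    ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, _hcs, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip_ok = internet_checksum(pkt[:ihl]) == 0
    if proto != 6:
        raise ValueError("not a TCP segment")
    seg = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, _tcs, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4
    flags = [name for name, bit in TCP_FLAG_BITS.items() if off_flags & bit]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(seg))
    tcp_ok = internet_checksum(pseudo + seg) == 0
    return {"version": ver_ihl >> 4, "ihl": ihl, "identification": ident, "ttl": ttl,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ip_checksum_ok": ip_ok,
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "payload": seg[data_off:], "tcp_checksum_ok": tcp_ok}


def demo_syn() -> dict:
    """Constructed SYN from 10.0.0.1:40000 to 10.0.0.2:513 (rlogin) with ISN 1000,
    plus a copy with one bit of the source address flipped after the checksums were set."""
    seg = build_tcp_segment("10.0.0.1", "10.0.0.2", 40000, 513, 1000, 0, "SYN")
    pkt = build_ip_header("10.0.0.1", "10.0.0.2", len(seg)) + seg
    corrupted = pkt[:12] + bytes([pkt[12] ^ 0x01]) + pkt[13:]   # byte 12 is the first source-address octet
    return {"good": parse_packet(pkt), "bad": parse_packet(corrupted)}


if __name__ == "__main__":
    for name, fields in demo_syn().items():
        print(name, fields["src"], "->", fields["dst"], fields["flags"],
              "ip_ok=%s tcp_ok=%s" % (fields["ip_checksum_ok"], fields["tcp_checksum_ok"]))
```

Note that the checksums only catch corruption, not forgery: an attacker who builds the packet computes them correctly, which is exactly why the spoofing material that follows works at all.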
Three Way Handshake (between hosts A and B)

A -> B: SYN, SN = X
B -> A: SYN, SN = Y, AN = X + 1
A -> B: ACK, AN = Y + 1
IP Spoofing
• The receiving host relies on the sending host to tell the truth about its IP address, port numbers, etc.
• Why would you want to do it?
  • Obtain root access
  • Take over an open terminal and login
  • Exploit applications that use authentication based on IP addresses
• How do you do it?
  • Create packets with a spoofed IP address
IP Spoofing attack - "Cole's Notes"
• Select target host
• Discover a pattern of trust and a trusted host
• Disable trusted host
• Sample target's TCP sequence numbers
• Impersonate trusted host
• Guess sequence numbers
• Connection attempt made to a service that requires address based authentication
• If successful, attack executes simplified command for back door
IP Spoofing - Considerations
• Key to the attack = identify a trusted host
• Disrupt the real trusted host
  • e.g. TCP SYN flooding (Denial of Service)
• Attacker sends forged packets
• Attacking host never receives the target's replies (SYN-ACKs)
  • the routers deliver them to the real trusted host, whose address the packets carry
• Attacker must predict responses
  • specifically, the target's sequence numbers need to be predicted
Famous Attack
• Kevin Mitnick on Tsutomu Shimomura's system in 1994
• Used SYN flooding and TCP hijacking (spoofing)
Mitnick Attack

[Figure: Attacker, Target and Trusted Host reach each other through a Router and the internet. Steps:
1: Scan for the trust relationship between Target and Trusted Host
2: SYN packets to the Trusted Host (SYN flood)
3: SYN to the Target using the Trusted Host's spoofed IP
4: SYN-ACK from the Target goes to the real Trusted Host (silenced by the flood, so it sends no RST)
5: ACK to the Target using the spoofed IP and the predicted sequence number
6: On the now open trusted connection, set a backdoor]
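The "Cole's Notes" steps and the six-step figure above are the same blind-spoofing procedure; the following added simulation (written for this transcript, not code from the slides or from Shimomura's analysis) runs it end to end against a toy target that authenticates by source address. The hosts, ports, ISN step and the command string are all constructed; `Target`, `blind_spoof` and the ISN generators are this example's own names. The target records what it sends so the example can show that the SYN-ACK goes to the claimed source, never to the attacker, which is why the acknowledgement number has to be guessed and why the real trusted host has to be silenced first.

```python
"""Blind TCP spoofing against address-based authentication (the Mitnick attack steps).
Added example, not from the slides. Addresses, ports, ISN step and command are constructed."""
import secrets

TARGET, TRUSTED, ATTACKER = "10.1.1.1", "10.1.1.2", "10.9.9.9"   # constructed addresses
MASK = 0xFFFFFFFF
BACKDOOR_CMD = b"install-backdoor"   # stand-in for the slide's "simplified command for back door"


def incrementing_isn(step: int = 64000):
    """ISN generator the attack needs: a fixed step per new connection (step is constructed)."""
    state = [0x1000]

    def gen():
        state[0] = (state[0] + step) & MASK
        return state[0]
    return gen


def random_isn():
    """Unpredictable per-connection ISNs, the countermeasure modern stacks use."""
    return lambda: secrets.randbits(32)


class Target:
    """Toy TCP listener that trusts TRUSTED purely by source address (rlogin/rsh style).
    Outgoing packets are routed by destination, so a SYN-ACK answering a forged SYN goes
    to the trusted host; the attacker never sees it."""

    def __init__(self, isn_gen):
        self.new_isn = isn_gen
        self.pending = {}        # (src, sport) -> ISN we sent in the SYN-ACK
        self.established = set()
        self.sent = []           # (destination, "SYN-ACK", isn)
        self.executed = []

    def receive(self, src, sport, flags, seq, ack, payload=b""):
        key = (src, sport)
        if "RST" in flags:                                  # peer says it never opened this connection
            self.pending.pop(key, None)
            self.established.discard(key)
        elif flags == {"SYN"}:                              # handshake step 1: answer with our ISN
            isn = self.new_isn()
            self.pending[key] = isn
            self.sent.append((src, "SYN-ACK", isn))
        elif key in self.pending:                           # handshake step 3: ACK must carry our ISN + 1
            if "ACK" in flags and ack == (self.pending[key] + 1) & MASK:
                self.established.add(key)
                del self.pending[key]
            # a wrong ACK is dropped here; a real stack would answer RST
        elif key in self.established and payload and src == TRUSTED:
            self.executed.append(payload)                   # address-based trust: no password asked


def blind_spoof(target: Target, trusted_silenced: bool) -> bool:
    """Run the attack; True if the forged connection got BACKDOOR_CMD executed."""
    # Sample the target's sequence numbers with real connections from the attacker's own address
    samples = []
    for sport in (40000, 40001, 40002):
        target.receive(ATTACKER, sport, {"SYN"}, seq=1, ack=0)
        samples.append([isn for dst, _, isn in target.sent if dst == ATTACKER][-1])
        target.receive(ATTACKER, sport, {"RST"}, seq=2, ack=0)
    step = (samples[-1] - samples[-2]) & MASK
    predicted = (samples[-1] + step) & MASK                 # guess for the ISN in the SYN-ACK we never see
    # Forged SYN: the SYN-ACK goes to TRUSTED, which answers RST unless the SYN flood has silenced it
    target.receive(TRUSTED, 1023, {"SYN"}, seq=5000, ack=0)
    if not trusted_silenced:
        target.receive(TRUSTED, 1023, {"RST"}, seq=0, ack=0)
    # Third handshake step and the command, both with the forged source and the guessed ACK number
    target.receive(TRUSTED, 1023, {"ACK"}, seq=5001, ack=(predicted + 1) & MASK)
    target.receive(TRUSTED, 1023, {"PSH", "ACK"}, seq=5001, ack=(predicted + 1) & MASK, payload=BACKDOOR_CMD)
    return BACKDOOR_CMD in target.executed


if __name__ == "__main__":
    print("predictable ISN, trusted host flooded:", blind_spoof(Target(incrementing_isn()), True))
    print("predictable ISN, trusted host answering:", blind_spoof(Target(incrementing_isn()), False))
    print("random ISN, trusted host flooded:", blind_spoof(Target(random_isn()), True))
```

The three runs show the two conditions the slides name: the attack only succeeds when the sequence numbers are predictable and the real trusted host cannot send its RST. Swapping in `random_isn` (the RFC 6528 approach) defeats the guess, and an ingress filter that drops packets arriving from outside with an internal source address stops the forged SYN before the target ever sees it.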
What Did He Get?
• Caught in 1995
• 25-count federal indictment for allegedly copying proprietary software from the computers of cellular telephone manufacturers (computer fraud)
• 46 months and three years probation
• Released 21 Jan 2000
• Cannot have anything to do with a PC until 20 Jan 2003
How to Tighten-up
• Firewalls
  • monitor network traffic at the point of connection to external networks
  • allow or refuse traffic based on a set of rules
  • restrict the set of services that are allowed to cross the firewall (in either direction)
• IDS
  • intrusion detection systems
  • monitor network traffic at the point of connection to external networks and/or within local networks
  • monitor the traffic flows looking for malicious use of the network services
  • raise alarms on the detection of misuse
How to Tighten-up
• There are newer, more secure protocols to use at many layers of the protocol stack
• SSH
  • secure shell - replaces telnet and ftp, and provides encrypted password exchange and session communications
• IPSec
  • secured IP headers and payload provide integrity and confidentiality services between hosts
• SSL
  • Secure Sockets Layer - PKI-based authentication and key management services to secure a host-to-host connection
• VPN
  • virtual private networks - secure gateways provide integrity and confidentiality services between networks
Firewall

[Figure: Attacker on the internet; the Firewall sits between the internet and the internal network.]
Refuse:
• malformed packets
• services considered unsafe
• services which should not be available
• packets that do not belong to a legitimate connection
Add:
• extra authentication services and rules to existing protocols
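As an added example (not from the slides or any firewall product), here is a small stateful packet filter that applies the four "Refuse" rules above to constructed traffic, plus one rule the slide does not list but which the Mitnick attack makes obvious: packets arriving from the outside may never claim an internal source address. The internal prefix 10.1.1., the "unsafe" and "published" service lists, and the sample packets are all assumptions of this example; `StatefulFirewall`, `Packet` and `run_demo` are its own names.

```python
"""Stateful packet filter for the slide's Refuse list, with an ingress anti-spoofing rule.
Added example, not from the slides. Prefixes, service lists and traffic are constructed."""
from dataclasses import dataclass

INTERNAL_NET = "10.1.1."                                                    # assumed internal prefix
UNSAFE_SERVICES = {23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}  # cleartext or address-authenticated
PUBLISHED_SERVICES = {25: "smtp", 80: "http"}                                # the only inbound services we mean to expose


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (arriving from the internet) or "out" (leaving the LAN)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP flag names


class StatefulFirewall:
    def __init__(self):
        self.connections = {}     # (initiator, iport, responder, rport) -> state

    def decide(self, p: Packet) -> str:
        # 1. malformed packets: reserved port 0, no flags, or impossible flag combinations
        if (p.sport == 0 or p.dport == 0 or not p.flags
                or {"SYN", "FIN"} <= p.flags or {"SYN", "RST"} <= p.flags):
            return "REFUSE malformed"
        # 2. ingress filter: nothing arriving from outside may claim an internal source address
        if p.direction == "in" and p.src.startswith(INTERNAL_NET):
            return "REFUSE spoofed internal source"
        if "SYN" in p.flags and "ACK" not in p.flags:            # a new connection attempt
            key = (p.src, p.sport, p.dst, p.dport)
            if p.direction == "out":
                self.connections[key] = "SYN_SENT"
                return "ACCEPT new outbound"
            if p.dport in UNSAFE_SERVICES:                        # 3. services considered unsafe
                return f"REFUSE unsafe service {UNSAFE_SERVICES[p.dport]}"
            if p.dport not in PUBLISHED_SERVICES:                 # 4. services that should not be available
                return "REFUSE service not available externally"
            self.connections[key] = "SYN_RECEIVED"
            return f"ACCEPT new inbound {PUBLISHED_SERVICES[p.dport]}"
        # 5. anything else must belong to a connection we saw being opened
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        key = fwd if fwd in self.connections else rev if rev in self.connections else None
        if key is None:
            return "REFUSE no legitimate connection"
        if "RST" in p.flags or "FIN" in p.flags:
            del self.connections[key]
            return "ACCEPT closing"
        if "ACK" in p.flags:
            self.connections[key] = "ESTABLISHED"                 # simplified: any ACK on a known connection completes it
        return "ACCEPT established"


def run_demo() -> list:
    """Constructed traffic: one ordinary web fetch, then the kinds of packets the slide refuses."""
    fw = StatefulFirewall()
    S = frozenset
    traffic = [
        Packet("out", "10.1.1.5", 40000, "198.51.100.7", 80, S({"SYN"})),        # LAN host opens HTTP
        Packet("in", "198.51.100.7", 80, "10.1.1.5", 40000, S({"SYN", "ACK"})),  # reply to that connection
        Packet("in", "203.0.113.9", 5555, "10.1.1.2", 513, S({"SYN"})),          # rlogin from outside
        Packet("in", "203.0.113.9", 5556, "10.1.1.2", 22, S({"SYN"})),           # ssh is not published
        Packet("in", "203.0.113.9", 5557, "10.1.1.2", 1025, S({"ACK"})),         # stray ACK (ACK scan)
        Packet("in", "10.1.1.2", 1023, "10.1.1.1", 513, S({"SYN"})),             # forged SYN claiming a LAN address
        Packet("in", "203.0.113.9", 5558, "10.1.1.3", 25, S({"SYN"})),           # mail delivery, published
        Packet("in", "203.0.113.9", 5559, "10.1.1.3", 25, S({"SYN", "FIN"})),    # impossible flag combination
    ]
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The connection table is what turns a packet filter into a stateful firewall: the stray ACK and the SYN-ACK are byte-for-byte equally valid TCP, and only the memory of an earlier outbound SYN separates the legitimate reply from the scan probe.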
Intrusion Detection System - IDS

[Figure: Attacker on the internet, Firewall at the perimeter, IDS sensors at the perimeter and on the internal network.]
Monitor:
• traffic that looks like scanning attempts
• traffic that should not legitimately be carried on the internal network
• signatures of well known attacks
• changes in patterns of user activity
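The "Monitor" list above is what a network IDS sensor actually computes over the packets it sees. As an added example (not from the slides or any IDS product), the detector below runs three of those checks over a constructed packet log: a port scan (one source touching many ports on one host), a SYN flood (many half-open connections at one listener, the attack used to silence the trusted host), and a policy check for cleartext services on the internal segment. The thresholds, the 10.1.1. internal prefix, the service list and every packet in the log are assumptions of this example; `Ids`, `sample_log` and `run` are its own names.

```python
"""Minimal network IDS: scan detection, SYN-flood detection and an internal-traffic policy check.
Added example, not from the slides. Thresholds, prefixes and the packet log are constructed."""
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "t src dst sport dport flags")   # t in seconds; flags is a set of names

INTERNAL_NET = "10.1.1."                                   # assumed internal prefix
WINDOW = 5.0                                               # seconds of history each detector keeps
SCAN_PORTS = 10                                            # distinct ports on one host from one source
HALF_OPEN_LIMIT = 20                                       # unanswered SYNs queued at one listener
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet", 110: "pop3"}  # assumed policy: not allowed inside the LAN


class Ids:
    def __init__(self):
        self.ports_seen = defaultdict(dict)   # (src, dst) -> {dport: last time seen}
        self.half_open = defaultdict(dict)    # (dst, dport) -> {(src, sport): time of SYN}
        self.alerted = set()                  # (kind, key) already raised: one alarm per condition
        self.alerts = []                      # (kind, detail) in the order raised

    def alert(self, kind, key, detail):
        if (kind, key) not in self.alerted:
            self.alerted.add((kind, key))
            self.alerts.append((kind, detail))

    def observe(self, p: Packet):
        if "SYN" in p.flags and "ACK" not in p.flags:
            # scanning: count distinct destination ports per (source, host) inside the window
            seen = self.ports_seen[(p.src, p.dst)]
            seen[p.dport] = p.t
            for port in [q for q, t in seen.items() if p.t - t > WINDOW]:
                del seen[port]
            if len(seen) >= SCAN_PORTS:
                self.alert("port-scan", (p.src, p.dst), f"{p.src} touched {len(seen)} ports on {p.dst}")
            # SYN flood: SYNs whose handshake never completes pile up at one listener
            queue = self.half_open[(p.dst, p.dport)]
            queue[(p.src, p.sport)] = p.t
            for k in [k for k, t in queue.items() if p.t - t > WINDOW]:
                del queue[k]
            if len(queue) >= HALF_OPEN_LIMIT:
                self.alert("syn-flood", (p.dst, p.dport), f"{len(queue)} half-open connections at {p.dst}:{p.dport}")
            # policy: cleartext protocols that should not be carried on the internal network
            if p.src.startswith(INTERNAL_NET) and p.dst.startswith(INTERNAL_NET) and p.dport in CLEARTEXT_SERVICES:
                self.alert("policy", (p.src, p.dst, p.dport),
                           f"cleartext {CLEARTEXT_SERVICES[p.dport]} from {p.src} to {p.dst} on the internal network")
        elif "ACK" in p.flags:
            # the client's final ACK closes the half-open entry; a SYN-ACK from the server matches nothing
            self.half_open[(p.dst, p.dport)].pop((p.src, p.sport), None)


def sample_log() -> list:
    """Constructed traffic: a port sweep, a normal handshake, internal telnet and a SYN flood."""
    log = [Packet(0.1 * i, "203.0.113.9", "10.1.1.2", 40000 + i, 1 + i, {"SYN"}) for i in range(12)]
    log += [Packet(3.00, "10.1.1.5", "10.1.1.3", 50000, 22, {"SYN"}),
            Packet(3.01, "10.1.1.3", "10.1.1.5", 22, 50000, {"SYN", "ACK"}),
            Packet(3.02, "10.1.1.5", "10.1.1.3", 50000, 22, {"ACK"})]
    log.append(Packet(4.0, "10.1.1.5", "10.1.1.3", 50001, 23, {"SYN"}))
    log += [Packet(10.0 + 0.01 * i, f"198.51.100.{i + 1}", "10.1.1.2", 1024 + i, 513, {"SYN"}) for i in range(25)]
    return log


def run(log) -> list:
    ids = Ids()
    for p in sorted(log, key=lambda p: p.t):
        ids.observe(p)
    return ids.alerts


if __name__ == "__main__":
    for kind, detail in run(sample_log()):
        print(kind, "-", detail)
```

The completed ssh handshake raises nothing because its ACK removes the half-open entry, which is the distinction between a busy server and a flooded one; the flood's 25 SYNs from 25 different source addresses never get that third step, exactly as in step 2 of the Mitnick figure.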
TEACHING POINTS
• Trojans
• TCP/IP vulnerabilities
• Mitnick attack
• firewalls
• IDS
• IPSEC, SSL, VPN