Network Security. Network Vulnerabilities

Transcription

1 Network Security Network Vulnerabilities 1

2 Attacks and the OSI Stack Stack layer Services Protocols Application; Presentation; Session Transport DNS SMTP TCP Network Routers IP Logic Physical Switches Hubs 2

3 IP Addresses IP addresses identify the network and the machine in the network. Example: the address : x identifies the network. y.y.y.22 identifies the machine in the network. The network mask identifies the network dimension (256) and the addresses of the directly accessible machines. The network mask can be retrieved by a ICMP (Address Mask Request) request or by using DHCP. 3

4 Network addresses The address of the network interface. Unique identifiers with 48 bit. The first 24 bit identify the manufacture. Media Access Control (MAC) address IP addresses 32 bit ~ 4 million million addresses Usually described by 4 separate decimal numbers divided by dots to

5 Address Translation Address Resolution Protocol (ARP): Layer 3 Protocol (network) Translates an IP address into a MAC address ARP Query Who has the ? Answer to ARP Reply is at 00:0e:81:10:19:FC. ARP caches: registers old answers. when the answers are too old they are removed. 5

6 Routers Internet Router IP address Network mask Default router Router switch switch 6

7 Routers Internet IP address Network mask Default router IP datagram Dest: Router Router switch Direct delivery switch

8 Routers Internet IP address Network mask Default router IP datagram Dest: Router Router switch Default Router + direct delivery switch 8

9 Used Protocol Layers Application Layer Application Layer PDU Application Layer Transport Layer Transport Layer PDU Transport Layer Internet Layer Router Internet Layer Internet Layer IP Datagram IP Datagram Network Interface Ethernet Frame Network Interface Ethernet Frame Network Interface Physical Network Physical Network 9

10 Routers Internet IP address Network mask Default router IP datagram Dest: Router Router switch switch Default Router + next router + next router +. 10

11 Used Protocol Layer Application Layer Application Layer PDU Application Layer Transport Layer Transport Layer PDU Transport Layer Internet Layer Router Internet Router Internet Internet Layer IP Datagram IP Datagram IP Datagram Network Interface Ethernet Frame NI NI Network Interface Ethernet Frame Physical Network Physical Network Physical Network 11

12 Private Addresses Some network ranges were reserved for private addressing (IETF RFC 1918): to (1 network, 2 24 machines), to (16 networks, 2 16 machines, total), to (256 network, 2 8 machines each). Packages with these addresses (origin or destination) are never sent outside the network itself An attempt to solve the lack of IP addresses. Security? I the previous example, the router has the IP address and two private addresses: e : Operates a router between two private networks. 12

13 (Layer 1) Physical Layer: Hubs Topics: Behavior Problems Sniffers and anti-sniffers 13

14 Hubs: Behavior Information broadcast Threats: Information Leakage (sniffers). Easy to install more devices. Easy management, but, any one can connect himself there; Even if the Hub is physically secure. 14

15 Sniffers Usually network adapters operate in a non promiscuous mode Network adaptors only listen to what is sent to there MAC Sniffers work in a promiscuous mode Read frames with any MAC. Some sniffer tools: Tcpdump Ethereal (Wireshark) Snort 15

16 Identifying sniffers AntiSniff Correct IP, Incorrect MAC (Answer, does not answer) Linux any MAC NetBSD IP = broadcast Windows Mac = ff:00:00:00:00:00 Constant DNS queries from the sniffer machine Tcpdum, ethereal ARP Method A machine caches ARPs, so send a non-broadcast ARP (with our correct MAC). Then send a broadcast Ping with the right IP but wrong MAC; Only a machine which has our correct MAC address from the sniffed ARP will respond, i.e. the sniffer machine! Latency Method Time needed to answer to one packet vs response time for n packets. 16

17 Preventing Sniffing Solutions: Prevent the use of network adapters in promiscuous mode Use of switches (but! it costs) use encryption One-time passwords, e.g. SecurID, S/Key 17

18 (Layer 2) Data Link Topics: More on Ethernet and IP addressing. Switches Behavior ARP spoofing e MAC flooding 18

19 Switches: Behavior Switches only send the data to the destination address A table with the MAC in each of the ports is constructed When a frame reaches the switch: Searches the port where the device with that MAC is at. Sends the frame to that port. Switches operate at the layer 2 (data link). Switches reduce the sniffing problem The network adapter only sees what is meant for it. 19

20 ARP Vulnerabilities Non solicited ARP responses: Sent by a rightful machine upon connecting. Not sent as a response to a request. Associates a MAC to an IP. ARP spoofing: An attacker can send a wrongful non requested ARP message. ARP messages are in no way signed, thus it is easy to falsify message from any given MAC. 20

21 ARP Tables - OK IP MAC 00:0e:81:10:17:d1 IP address MAC address :0e:81:10:19:FC :1f:42:12:04:72 Attacker IP MAC 00:1f:42:12:04:72 IP MAC 00:0e:81:10:19:FC switch IP address MAC address :0e:81:10:17:d :1f:42:12:04:72 21

22 ARP Tables Poisoning IP MAC 00:0e:81:10:17:d1 IP address MAC address :1f:42:12:04: :1f:42:12:04:72 Attacker IP MAC 00:1f:42:12:04:72 IP MAC 00:0e:81:10:19:FC (1) Non solicited ARP is at 00:1f:42:12:04:72 switch IP address MAC address :1f:42:12:04: :1f:42:12:04:72 (2) Non solicited ARP is at 00:1f:42:12:04:72 22

23 ARP Tables Poisoned IP MAC 00:0e:81:10:17:d1 IP datagram Dest: MAC: 00:1f:42:12:04:72 IP address MAC address :1f:42:12:04: :1f:42:12:04:72 Attacker IP MAC 00:1f:42:12:04:72 IP MAC 00:0e:81:10:19:FC switch IP address MAC address :1f:42:12:04: :1f:42:12:04:72 Attacker table IP address MAC address :0e:81:10:19:FC :0e:81:10:17:d1 23

24 Results from ARP Spoofing The attacker has the correct table But the devices and have poisoned ARP tables. All the data sent from to is redirected to the attacker (Layer 2). The attacker may redirect the data to the intended receiver. The attacked machines nor the switch are able to detect the attack. Tool example: dsniff auditing and penetration testing tool set. In conclusion : Switches do not eliminate the sniffing problem. 24

25 MAC Flooding The attacker sends several, unsolicited ARP messages. Each ARP message with a different MAC. When the table is filled up: Some switches stop accepting new connections (DoS). Some switches revert to a Hub mode: Allowing standard sniffers to work again! Device MAC address :0e:81:10:19:FC 4 00:0e:81:32:96:af :0e:81:32:96:b0 4 00:0e:81:32:96:b1 4 00:0e:81:32:97:a4 switch 25

26 Preventive Measures: Place the switches in safe location To prevent unlawful/unauthorized usage/access. Switches should fail in a secure fashion New threat: DoS. Notify the system administration. Arpwatch Monitor the ARP to IP translation. Alert the system administration. Use of switches with fixed tables Loss of flexibility. 26

27 (Layer 3) Network Layer Topics: Routers and routing. IP Addresses. Other topics. 27

28 Routers and Routing Routers support the indirect delivery of IP datagrams. Routing tables are used A datagram cans usually se sent: directly to the final destination. to the next router in the destination direction. to the default router. 28

29 Network Layer attacks - I IP spoofing: IP Packets are not authenticated. The attacker can fill the origin address fill of a IP packet with any value, thus it is unsecure to base a access control policy base on the IP address. An attacker is able to replay, delay, reorder, modify or inject an IP packet. Personification threats, integrity tampering, and unlawful use are still possible. Users have little to no guarantee concerning the routing path taken by the packets: information leak threat. packet integrity threat. DoS threat. 29

30 Network Layer attacks - II Routes update security An attacker might corrupt the routing tables by sending routingupdate messages. RIPv1 and IGRP do not have authentication. ICMP redirect packets. DoS, man in the middle, etc. 30

31 (Layer 4) Transport Layer Topics: TCP/IP handshake TCP hijacking DoS TCP DoS ICMP DoS Solutions 31

32 TCP/IP Handshake (Layer 4) 32

33 TCP connection hijacking Explores the de-synchronization between 2 hosts (A & B) A and B have a out of synchronization connection To the point that the data segments are out of the sliding window All the data segments sent are discarded by the receiver This generates a high amount of ACK packets Which can be used to detect the de-synchronization The actual communication is know performed data segments created by the attacker These are created with the correct synchronization values De-synchronization: During the creation of a TCP/IP connection Cutting an already established connection Practicability: The attacker must be in the middle of the communication Man-in-the-middle attack 33

34 TCP Connection hijacking Solutions (1/3) Predicting the sequence number A ttacker à S: SYN(ISN A ), SRC=B S erver à B: SYN(ISN S ), ACK(ISN A +1) A ttacker à S: ACK(ISN S +1), SRC=B How to counteract? Random generation of the ISN Windows NT 4.0 OS increments (+10) the ISN every ms Unix OS incremented the ISN also with a time dependent algorithm. Defensive attitude Avoid any host-based authentication based on the IP address. 34

35 TCP Connection hijacking Solutions (2/3) Personalization Random sequence numbers Firewalls Filter/discard data segments with source-routing Use IP masquerading for unsecure connection nodes Detect bursts of invalid segments Be suspicious of host-based authentication Used in several services (r-tools, NFS, etc.) Use TCP wrappers Additional control Logging Use additional authentication mechanisms 35

36 TCP Connection hijacking Solutions (3/3) Connection hijacking Added integrity control capable of prevent an intrusion attack the integrity control should be related with the origin of the data Machine, user, etc. Can be performed at the IP level or higher IPsec, SSL, SSH, etc. 36

37 DoS attack: SYN flooding (1/2) Consists in overloading a core with incomplete TCP/IP connection requests X à A: SYN A à X: SYN+ACK X à A: ACK Typically the attacker uses IP spoofing Forging one or more unused IP address Often TCP is insensitive (when in the SYN_RECVD state) to ICMP error messages: host unreachable or port unreachable Easy to temporarily block Forging random IP addresses Less powerful attack Harder to block 37

38 DoS attack: SYN flooding (2/2) Explored vulnerabilities No authentication in the SYN segments The server needs to reserve more resources that the client/attacker Impact on the attacked machine Storage of the connection requests until they are eliminated by timeout TCP connection in the SYN_RECVD state Periodical re-sending of the SYN+ACK packet The amount of connection requests per port are limited: The subsequent requests are discarded Rightful requests may be discarded due to the existence of false connection requests 38

39 SYN flooding Solutions I No definite solution for IPv4 Modifying TCP for the servers Bigger request queues, lower timeouts Random Drop SYN cookies ISN is sent ciphered in the SYN+ACK (cookie) and returned in the ACK The server retains no information. Others modifications... Cooperation with the firewalls Relay or semi-gateway Attack detectors 39

40 Firewall Handshake Relay 40

41 Firewall - Gateway 41

42 Firewall Passive gateway 42

43 Broadcast Broadcast addresses: Any packet with a destination address ending with.255 in a network with a netmask is sent to all the machines in that network. Equally works in networks with different dimensions. Facilitates management, but what about security? 43

44 ICMP ICMP = Internet Control Message Protocol. Layer 4 Protocol (as TCP). Mandatory in all IP networks. Used to send and receive the error messages from IP E.g. ICMP Echo Request (Ping): ICMP Packet Echo IP datagram Src: Dest: ICMP Packet Echo Reply IP datagram Src: Dest:

45 ICMP SMURF attack (DoS) Attacker ICMP Packet Echo Request IP datagram Src: Dest: Victim ICMP Packet Echo ICMP Reply Packet Echo ICMP Reply Packet IP datagram Echo Reply Src: IP datagram Dest: Src: IP datagram Dest: Src: Dest: ICMP Packet Echo Reply IP datagram Src: Dest:

46 Denial of Service (DoS) with: CHARGEN & ECHO Two diagnostic services from UNIX Over TCP or UDP This attacks uses IP address spoofing X send a datagram to B, saying it coming from A (spoofing) A origin port is ECHO B destination port is CHARGEN Impact on the attacked machines A and B go into a escalading and endless message exchange ping-pong Defensive posture Restrict the use/availability of diagnostic services Detect and avoid IP spoofing Restrict the access to networks with broadcasting 46

47 DoS: Exploring flaws Protocol have flaws at the implementation level Ping-of-Death attack Ping l target.ip.address 20 bytes + 8 bytes > (actual buffer size) Teardrop attack Overlapping IP fragment Protocol do not predict absurd scenarios Land attack The same source and destination address E.g. in the TCP SYN packet» Windows XP SP2 is vulnerable to this attack 47

48 DNS: Domain Name System Translate Domain Names to IP addresses Reverse Translation in- addr.arpa Mail Server Localization smtp.ist.utl.pt Other name translations 48

49 49 Global Hierarchy

50 DNS: Entities A DNS name is comprised by several names separated by. A DNS zone is a group of IP addresses managed by a single DNS authority, usually with a different name. A DNS authority has usually a single registar but may have more for performance and fault tolerance 13 Registars for the root domain. Top- level domains.com,.edu,.pt, etc. Each registar has a database with Resource Records 50

51 Resource Records A Translate names to IP addresses AAAA - Translate names to IPv6 addresses PTR Reverse translation MX Translate address to MTA (Mail Transfer Agent) NS Contains the IP of the hierarchical DNS registar. 51

52 Resouce Records (dig) $ dig ;; ANSWER SECTION: Resource Record: Name TTL IN A rdata IN A ;; AUTHORITY SECTION: ist.utl.pt IN NS ns.utl.pt. ist.utl.pt IN NS ns1.ist.utl.pt. ist.utl.pt IN NS ns2.ist.utl.pt. ;; ADDITIONAL SECTION: ns.utl.pt IN A ns1.ist.utl.pt IN A ns1.ist.utl.pt IN AAAA 2001:690:2100:1::53:1 ns2.ist.utl.pt IN A Resource Record Set: Name TTL IN NS Useful information for attackers 52

53 53

54 DNS: Arquitectura File Corruption Manager Cache Poisoning Non authorized updates Zone File Master Master Masquerading Caching Server Cache Masquerading Dynamic Updates Slaves Slaves Resolver 54

55 Kaminsky Attack (Cronology) Fev/2008 Dan Kamisky reports the problem 8/Jul/2008 Patch for several systems 21/Jul/2008 Public knowledge 8/Aug/2008 Details on Blackhat 28/Aug/2008 Memorandum for the adoption of DNSSEC in.gov 55

56 Kasminsky (description) Id : Query: X.Y.W.Z Id : Query: X.Y.W.Z Id Cache For all 2^16 Ids: : ns: AT.TA.CK.ER Current solution: Random src port; requires search in a 2^32 space 56