Network Security: Evil ICMP, Careless TCP & Boring Security Analyses
Mohamed Sabt, Univ Rennes, CNRS, IRISA
Thursday, October 4th, 2018


Part I Internet Control Message Protocol (ICMP)

Why ICMP
- There is no method to obtain node information: is a router or host alive?
- IP is an unreliable, connectionless datagram delivery service: efficient use of network resources, best-effort delivery from source to destination, no error control.
- When an error occurs, the IP protocol has no built-in mechanism to notify the original host. What if a router must discard a datagram because it cannot find a route to the final destination? What if the final destination discards some fragments because they do not arrive within the time limit?

ICMP
- ICMP addresses most of IP's deficiencies.
- ICMP allows routers and hosts to exchange error or control messages; it provides communication for the IP layer between different machines.
- The destination of an ICMP message is the ICMP software module.
- ICMP is a network-layer protocol, but its messages are first encapsulated into IP datagrams.

Error Reporting vs. Error Correction
- ICMP can only report an error to the original source; it is up to the source to deal with it.
- ICMP cannot be used to inform intermediate routers, so the source carries the responsibility for a router's problem.
- Why restrict ICMP messages to the original source? Except for the record route option, a datagram only contains the source and destination addresses; there is no global knowledge of routes.

ICMP Messages
Error-reporting messages:
1. Destination unreachable
2. Source quench
3. Time exceeded
4. Parameter problem
5. Redirection
Query messages:
1. Echo request or reply
2. Timestamp
3. Address mask
4. Router solicitation & advertisement

General Format of ICMP Messages
- In error messages, the data section carries the information needed to find the original packet that had the error; the optional parameters are all set to 0.
- A query message carries extra information that depends on the type of the query; the optional parameters are an identifier (2 bytes) + a sequence number (2 bytes).

ICMP Error Reporting

Error Reporting Issues
No ICMP error message is generated for:
- a datagram carrying an ICMP error message (why?);
- a fragmented datagram that is not the first fragment;
- a datagram having a multicast address;
- a datagram with a special address such as 127.0.0.0 or 0.0.0.0.

Destination Unreachable
- When a router cannot route a datagram, the datagram is discarded and the router sends a destination unreachable message back to the source host.
- When a host cannot deliver a datagram, the datagram is discarded and the destination host sends a destination unreachable message back to the source host.

Destination Unreachable Codes
0: Network unreachable
1: Host unreachable
2: Protocol unreachable
3: Port unreachable
4: Fragmentation required
5: Source routing not feasible
6: Network unknown
7: Host unknown
8: Source host isolated
9: Destination network administratively prohibited
10: Destination host administratively prohibited
11: Network unreachable for type of service
12: Host unreachable for type of service
13: Communication administratively prohibited
14: Host precedence violation
15: Precedence was cut off
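To make the general format, the error-reporting rules and the code table above concrete, here is an added example (not code from the slides) that builds and parses ICMP messages: an echo request with the identifier and sequence number in the optional field, and a Destination Unreachable message whose data section carries the original IP header plus 8 bytes so the receiver can map the error back to the datagram that caused it. It also implements the deck's rules for when no ICMP error may be generated. The addresses and payloads are constructed sample values; the IPv4 helpers are minimal and assume a header without options.

```python
import struct
from ipaddress import IPv4Address

# Added example, not code from the slides: build and parse ICMP messages in the
# general format (type, code, checksum, a 4-byte optional field, data) and apply
# the deck's rules for when no ICMP error may be generated. Sample values are constructed.

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST = 0, 3, 8
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # unreachable, source quench, redirect, time exceeded, parameter problem

DEST_UNREACH_CODES = {
    0: "Network unreachable", 1: "Host unreachable", 2: "Protocol unreachable",
    3: "Port unreachable", 4: "Fragmentation required", 5: "Source routing not feasible",
    6: "Network unknown", 7: "Host unknown", 8: "Source host isolated",
    9: "Destination network administratively prohibited",
    10: "Destination host administratively prohibited",
    11: "Network unreachable for type of service",
    12: "Host unreachable for type of service",
    13: "Communication administratively prohibited",
    14: "Host precedence violation", 15: "Precedence was cut off",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, frag_offset: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag_offset & 0x1FFF,
                         64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4_header(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    frag = struct.unpack("!H", pkt[6:8])[0]
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "proto": pkt[9], "offset": frag & 0x1FFF, "header_len": ihl, "payload": pkt[ihl:]}


def build_icmp(msg_type: int, code: int, optional: bytes, data: bytes) -> bytes:
    """optional is the 4-byte field: identifier + sequence for queries, zeros for errors."""
    if len(optional) != 4:
        raise ValueError("optional field must be exactly 4 bytes")
    body = struct.pack("!BBH", msg_type, code, 0) + optional + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_echo_request(identifier: int, sequence: int, data: bytes) -> bytes:
    return build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", identifier, sequence), data)


def build_dest_unreachable(code: int, original_pkt: bytes) -> bytes:
    """Error data = original IP header + first 8 bytes of its payload, enough to find the socket."""
    ihl = parse_ipv4_header(original_pkt)["header_len"]
    return build_icmp(ICMP_DEST_UNREACH, code, b"\x00" * 4, original_pkt[:ihl + 8])


def parse_icmp(msg: bytes) -> dict:
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if inet_checksum(msg) != 0:          # a valid message sums to zero with its checksum in place
        raise ValueError("bad ICMP checksum")
    msg_type, code = msg[0], msg[1]
    out = {"type": msg_type, "code": code, "data": msg[8:]}
    if msg_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        out["identifier"], out["sequence"] = struct.unpack("!HH", msg[4:8])
    elif msg_type == ICMP_DEST_UNREACH:
        out["reason"] = DEST_UNREACH_CODES.get(code, "unknown code")
        out["original"] = parse_ipv4_header(msg[8:])   # maps the error back to the original datagram
    return out


def may_send_icmp_error(pkt: bytes) -> bool:
    """The deck's rules: no ICMP error for an ICMP error, a non-first fragment, multicast, or special addresses."""
    h = parse_ipv4_header(pkt)
    if h["proto"] == 1 and h["payload"] and h["payload"][0] in ICMP_ERROR_TYPES:
        return False
    if h["offset"] != 0:
        return False
    if IPv4Address(h["dst"]).is_multicast:
        return False
    for addr in (IPv4Address(h["src"]), IPv4Address(h["dst"])):
        if addr == IPv4Address("0.0.0.0") or addr.is_loopback:   # 0.0.0.0 and 127.0.0.0/8
            return False
    return True
```

A parser that verifies the checksum before trusting the type and code, and that extracts the embedded original header from an error message, is the basis both for correct host behaviour and for monitoring: an unreachable message whose embedded datagram the host never sent is noise at best and forged at worst.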

Source Quench
- IP does not provide a flow-control mechanism; the source never knows whether the routers or the destination are congested.
- A source-quench message informs the source that a datagram has been discarded due to congestion in a router or at the destination host. The source is informed that the packet was dropped and must slow down.
- There is no mechanism for telling the source that congestion is relieved and transmission can resume at the previous rate.
- If transmission is many-to-one, the destination may drop packets from a slower sending host but not those from the faster (congestion-causing) senders.

Time Exceeded Message
- If a router receives a datagram with TTL = 0, it discards the datagram. ICMP code = 0.
- If a host does not receive all fragments of a datagram within a certain time of receiving the first fragment, it discards all fragments. ICMP code = 1.

ICMP Redirection
- An ICMP redirect is an error message sent by a router to the sender.
- Redirects are used when a router believes a packet is being routed suboptimally and wants to inform the sending host that it should forward subsequent packets to that same destination through a different gateway.
- In theory, a host with multiple gateways could have one default route and learn more optimal specific routes over time by way of ICMP redirects.

Rules of the Road (when a router sends a redirect)
- The outgoing and incoming interface must be the same.
- The IP source address in the packet is on the same logical IP network as the next-hop IP address.
- The route used for the outgoing packet must not be an ICMP redirect or a default route.
- The packet does not contain an IP source route option.
- The gateway must be configured to send redirects.

ICMP Query

Echo Request & Echo Reply
- Designed for diagnosis purposes: used to test the reachability of a specific host or router. Receivers of an echo request send back an echo reply.
- Echo optional data: an echo request can also contain optional data (the content does not matter); an echo reply always returns exactly the same data as was received in the request.
- Tools: the ping program (Packet INternet Groper).

Address Mask
- Used by a host to obtain its IP address mask.
- Algorithm: the host sends a mask request to its router if it knows a router. If not, the host broadcasts the request and the router replies.

Router Solicitation
- Users need to know the addresses of routers: before a host is able to send a message to a host outside its own subnet, it must be able to identify the address of the immediate router.
- The host broadcasts a request to obtain the operating routers.
- Routers reply with all routers they are aware of, including themselves (sometimes they reply without a request).

Part II ICMP Security

Type I: Reconnaissance & Scanning
- Reconnaissance refers to the overall act of learning information about a target network.
- Motivations: to understand the environment of the target; to gather information about the target so as to plan the attack approach.

Mapping Network Topology
- Goal: to discover the live hosts in a target network.
- How: sending individual ICMP echo requests (e.g. ping); sending ICMP echo requests to the broadcast addresses of a network; sending an ICMP address mask request to a host to determine the subnet mask; sending ICMP echo requests to the network and broadcast addresses of subnetworks.

Inverse Mapping
- Goal: to map internal networks or hosts that are protected or not directly reachable from the Internet.
- How: the attacker sends ICMP reply messages to a range of IP addresses presumably behind a filtering device. Since the filtering device does not keep state of the list of ICMP requests, it lets these packets through to their destinations. If there is an internal router, it responds with ICMP Host Unreachable for every host that it cannot reach. The attacker now has knowledge of all hosts present behind the filtering device.

Type II: Man-in-the-Middle Attacks

ICMP Route Redirect
Steps:
1. The attacker manages to take over a secondary gateway R1 of the source host.
2. The attacker sends a TCP open packet to the source host, acting as the destination host.
3. While a reply is in transit from the source host to the destination host through gateway R2, the attacker sends an ICMP route redirect message to the source host, spoofing R2.
4. The source host accepts the route change control message as valid.

Bonus on ICMP Route Redirect
Winfreez(e) in Windows (outdated):
- ICMP redirect: "Yourself is the quickest link to host H1" (for instance).
- The victim changes its routing table entry for H1 to itself.
- The victim sends packets to itself in an infinite loop.
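The following added example (not code from the slides) puts the two sides of redirect handling together: the router-side "rules of the road" as a single predicate, and the checks a receiving host can run before honouring a redirect, exercised against the attack sequence and the Winfreeze self-redirect above. The host-side checks (the redirect must come from the gateway currently used for that destination, must quote a datagram the host actually sent, and must name an on-link gateway other than the host itself) stop blind spoofing and the self-loop; an attacker who already controls a secondary gateway on the link and can see the host's traffic passes them, which is why the example also models a policy switch to ignore redirects outright. Addresses, interface names, the `Route` and `Redirect` types and the policy switch are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Added example, not code from the slides: router-side conditions for emitting an ICMP
# redirect and host-side validation before accepting one. Addresses are constructed.


@dataclass(frozen=True)
class Route:
    prefix: str
    gateway: Optional[str]            # None means directly connected
    from_redirect: bool = False       # learned via an ICMP redirect


@dataclass(frozen=True)
class Redirect:
    ip_src: str        # source address of the IP datagram carrying the redirect
    new_gateway: str   # gateway address field of the ICMP redirect
    orig_src: str      # header fields of the embedded original datagram
    orig_dst: str


def router_should_send_redirect(in_iface: str, out_iface: str, iface_prefix: str, pkt_src: str,
                                next_hop: str, route: Route, has_source_route: bool,
                                redirects_enabled: bool) -> bool:
    """The deck's five conditions, all of which must hold."""
    net = ip_network(iface_prefix)
    return (redirects_enabled
            and in_iface == out_iface
            and ip_address(pkt_src) in net and ip_address(next_hop) in net
            and route.gateway is not None and route.prefix != "0.0.0.0/0" and not route.from_redirect
            and not has_source_route)


class Host:
    def __init__(self, addr: str, prefix: str, default_gw: str, accept_redirects: bool = True):
        self.addr, self.prefix, self.accept_redirects = addr, prefix, accept_redirects
        self.routes: Dict[str, Route] = {prefix: Route(prefix, None),
                                         "0.0.0.0/0": Route("0.0.0.0/0", default_gw)}

    def first_hop(self, dst: str) -> Optional[str]:
        """Longest-prefix match; returns the gateway, or None when dst is on-link."""
        best = max((r for r in self.routes.values() if ip_address(dst) in ip_network(r.prefix)),
                   key=lambda r: ip_network(r.prefix).prefixlen)
        return best.gateway

    def handle_redirect(self, r: Redirect) -> Tuple[bool, str]:
        if not self.accept_redirects:
            return False, "redirects disabled by policy"
        if r.orig_src != self.addr:
            return False, "embedded datagram was not sent by us"
        if self.first_hop(r.orig_dst) != r.ip_src:
            return False, "not sent by the gateway we currently use for that destination"
        if r.new_gateway == self.addr:
            return False, "refusing to route through ourselves"   # the Winfreeze loop
        if ip_address(r.new_gateway) not in ip_network(self.prefix):
            return False, "new gateway is not on our link"
        host_route = r.orig_dst + "/32"
        self.routes[host_route] = Route(host_route, r.new_gateway, from_redirect=True)
        return True, "host route installed"


def demo() -> dict:
    """Constructed scenario: host 192.0.2.10/24 whose default gateway R2 is 192.0.2.1."""
    host = Host("192.0.2.10", "192.0.2.0/24", "192.0.2.1")
    dst = "198.51.100.7"
    results = {}
    # blind spoof from an address that is not the host's current first hop for dst
    results["spoofed_source"] = host.handle_redirect(Redirect("192.0.2.99", "192.0.2.99", host.addr, dst))[0]
    # Winfreeze: "yourself is the quickest link to H1"
    results["self_redirect"] = host.handle_redirect(Redirect("192.0.2.1", "192.0.2.10", host.addr, dst))[0]
    # a redirect quoting a datagram the host never sent
    results["foreign_datagram"] = host.handle_redirect(Redirect("192.0.2.1", "192.0.2.2", "192.0.2.11", dst))[0]
    # legitimate: the current gateway points the host at another on-link router
    results["legitimate"] = host.handle_redirect(Redirect("192.0.2.1", "192.0.2.2", host.addr, dst))[0]
    results["first_hop_after"] = host.first_hop(dst)
    return results
```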

ICMP Router Discovery Messages
Steps:
1. A host boots up and issues a router solicitation message to find out the default router on the network.
2. The attacker listens in to the message and spoofs a reply to that host.
3. The default route of the host is now set to the attacker's IP address, which the attacker included in the reply.
4. The attacker can now employ sniffing or a man-in-the-middle attack on all traffic outbound through the attacker's machine.

Type III: Denial-of-Service (DoS)
- Denial of service (DoS) is the intentional degradation or blocking of computer or network resources.
- There is a prevailing wisdom that says: as long as you have more bandwidth than the attacker, you shouldn't have too many problems.

Smurfing Attacks 1/2
Using the amplification principle.

Smurfing Attacks 2/2
- First, the hacker creates many ICMP echo requests that fake the victim's address.
- Then, he or she pings them to many broadcast addresses of different networks.
- As a result, all Internet-connected devices of these networks receive the requests, and consequently each of them sends an ICMP echo reply back to the victim.
- In the end, the victim faces a massive number of echo replies that can flood the whole system, quickly overloading it until it comes to a standstill or even crashes.

Ping of Death
- A ping of death involves sending a malformed or otherwise malicious ping to a computer.
- The maximum size for a ping is 65,536 bytes.
- If the target host is not properly patched, the OS will freeze or reboot after receiving just one oversized packet.
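Every ICMP abuse in Part II leaves a distinctive footprint in traffic records, which is what a network monitor keys on. The added example below (not code from the slides) runs a handful of rules over constructed ICMP flow records and flags: an echo sweep (one source probing many hosts), echo requests to the network or broadcast address, address-mask requests, inverse mapping (echo replies to many hosts that never sent a request), a smurf victim (unsolicited replies converging on one destination from many sources) and an echo datagram whose reassembled length exceeds what IPv4 allows. The record layout `(src, dst, icmp_type, icmp_code, reassembled_length)`, the monitored prefix and the thresholds are this example's own assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

# Added example, not code from the slides: detection rules for the ICMP reconnaissance
# and DoS patterns in Part II, run over constructed flow records. Record layout,
# monitored prefix and thresholds are this example's own.

ECHO_REPLY, ECHO_REQUEST, ADDRESS_MASK_REQUEST = 0, 8, 17
MAX_IPV4_DATAGRAM = 65535          # an IPv4 datagram cannot legally be longer than this
Record = Tuple[str, str, int, int, int]   # (src, dst, icmp_type, icmp_code, reassembled_length)


def detect_icmp_abuse(records: Iterable[Record], monitored_net: str,
                      sweep_threshold: int = 8) -> List[Tuple[str, str]]:
    net = ip_network(monitored_net)
    broadcast = {net.network_address, net.broadcast_address}
    requests_seen = set()                          # (requester, target) pairs, to match replies
    request_targets = defaultdict(set)             # requester -> distinct targets
    unsolicited_reply_targets = defaultdict(set)   # replier -> targets it replied to unasked
    unsolicited_reply_sources = defaultdict(set)   # target -> distinct unasked repliers
    findings = set()

    for src, dst, icmp_type, icmp_code, length in records:
        if icmp_type == ECHO_REQUEST:
            requests_seen.add((src, dst))
            request_targets[src].add(dst)
            if ip_address(dst) in broadcast:
                findings.add(("echo-to-broadcast", src))      # mapping, or a smurf trigger
            if length > MAX_IPV4_DATAGRAM:
                findings.add(("oversized-echo", src))         # ping of death
        elif icmp_type == ADDRESS_MASK_REQUEST:
            findings.add(("address-mask-request", src))       # subnet mask discovery
        elif icmp_type == ECHO_REPLY and (dst, src) not in requests_seen:
            unsolicited_reply_targets[src].add(dst)
            unsolicited_reply_sources[dst].add(src)

    for src, targets in request_targets.items():
        if len(targets) >= sweep_threshold:
            findings.add(("echo-sweep", src))
    for src, targets in unsolicited_reply_targets.items():
        if len(targets) >= sweep_threshold:
            findings.add(("unsolicited-reply-sweep", src))    # inverse mapping
    for dst, sources in unsolicited_reply_sources.items():
        if len(sources) >= sweep_threshold:
            findings.add(("reply-amplification-victim", dst))  # smurf: many repliers, one victim
    return sorted(findings)


def sample_records() -> List[Record]:
    """Constructed traffic: one benign ping exchange plus each pattern from the slides."""
    r: List[Record] = [("203.0.113.5", "198.51.100.1", ECHO_REQUEST, 0, 84),
                       ("198.51.100.1", "203.0.113.5", ECHO_REPLY, 0, 84)]
    r += [("198.51.100.9", f"203.0.113.{i}", ECHO_REQUEST, 0, 84) for i in range(1, 11)]   # sweep
    r += [("198.51.100.9", "203.0.113.255", ECHO_REQUEST, 0, 84)]                          # broadcast
    r += [("198.51.100.9", "203.0.113.5", ADDRESS_MASK_REQUEST, 0, 40)]
    r += [("198.51.100.22", f"203.0.113.{i}", ECHO_REPLY, 0, 84) for i in range(20, 30)]   # inverse mapping
    r += [(f"192.0.2.{i}", "203.0.113.77", ECHO_REPLY, 0, 1052) for i in range(1, 11)]    # smurf replies
    r += [("198.51.100.30", "203.0.113.8", ECHO_REQUEST, 0, 65600)]                        # ping of death
    return r
```

The reply-matching rule is the one that separates inverse mapping and smurf traffic from ordinary ping use: a stateful monitor remembers who asked, which is precisely what the stateless filtering device in the inverse-mapping slide does not do.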

Part III Transmission Control Protocol (TCP)

TCP Handshake (C = client, S = server)
S: Listening
C -> S   SYN:      SN_C = rand_C, AN_C = 0
S -> C   SYN/ACK:  SN_S = rand_S, AN_S = SN_C      (S stores SN_C, SN_S)
C -> S   ACK:      SN = SN_C + 1, AN = SN_S        (S: Wait -> Established)

TCP Handshake
1. The client sends a SYN (synchronize) packet to the server, which has a random sequence number.
2. The server sends back a SYN-ACK packet, containing a random sequence number and an ACK number acknowledging the client's sequence number.
3. The client sends an ACK number to the server, acknowledging the server's sequence number.
The sequence numbers on both ends are now synchronized, and both ends can send and receive data independently.

TCP Basic Security Problems
- Network packets pass by untrusted hosts: eavesdropping and packet sniffing, especially easy when the attacker controls a machine close to the victim (e.g. WiFi routers).
- TCP state is easily obtained by eavesdropping, which enables spoofing and session hijacking.
- Denial of Service (DoS) vulnerabilities.

TCP SYN Attack
The attack exploits the fact that servers wait for the establishment of half-open TCP connections, keeping stored state for each one.

TCP SYN Attack in Action
- The attacker starts by flooding bogus SYN packets with spoofed source addresses.
- The spoofed source address causes the target to respond to the SYN with a SYN-ACK to an unsuspecting or nonexistent source machine.
- The target then waits for an ACK packet from the source to complete the connection. The ACK never comes.
- The incomplete handshake ties up the connection table with a pending connection request that never completes. The table quickly fills up and consumes all available resources with bogus requests.
- The result is a denial of service: once the table is full, the target server is unable to service legitimate requests.
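The handshake slides and the SYN attack slides describe one mechanism from two sides, and the defence follows from the same state machine. The added example below (not code from the slides) is an in-memory model of a listener: first with a bounded half-open table, so a burst of SYNs with forged sources fills it and a later legitimate client gets no SYN/ACK at all; then the same listener with SYN cookies, where nothing is stored at SYN time because the server's initial sequence number is a keyed hash of the connection 4-tuple that the final ACK is checked against (the RFC 4987 idea, simplified: no timestamp or MSS encoding). Acknowledgement numbers follow RFC 793, one more than the sequence number being acknowledged. All addresses, ports and the `Segment` type are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Added example, not code from the slides: a toy listener with a bounded half-open table,
# and the same listener with SYN cookies (server ISN = keyed hash of the 4-tuple, nothing
# stored until the ACK proves the client reachable). Addresses are constructed.

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dport: int
    flags: str      # "SYN", "SYN/ACK" or "ACK"
    seq: int
    ack: int = 0


class Listener:
    def __init__(self, addr: str, port: int, table_size: int = 4, syn_cookies: bool = False):
        self.addr, self.port, self.table_size, self.syn_cookies = addr, port, table_size, syn_cookies
        self.half_open: Dict[Tuple[str, int], int] = {}    # (client, port) -> server ISN
        self.established: Set[Tuple[str, int]] = set()
        self.secret = os.urandom(16)

    def _cookie(self, client: str, cport: int) -> int:
        msg = f"{client}:{cport}:{self.addr}:{self.port}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def receive(self, seg: Segment) -> Optional[Segment]:
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":
            if self.syn_cookies:
                isn = self._cookie(*key)                   # stateless: nothing stored
            else:
                if len(self.half_open) >= self.table_size:
                    return None                            # table full: SYN silently dropped
                isn = int.from_bytes(os.urandom(4), "big")
                self.half_open[key] = isn                  # state tied up until the ACK arrives
            return Segment(self.addr, self.port, seg.sport, "SYN/ACK", isn, (seg.seq + 1) & MASK32)
        if seg.flags == "ACK":
            if self.syn_cookies:
                expected_isn = self._cookie(*key)          # recompute instead of looking up
            else:
                expected_isn = self.half_open.pop(key, None)
            if expected_isn is None or seg.ack != (expected_isn + 1) & MASK32:
                return None                                # stray or forged ACK
            self.established.add(key)
        return None

    def is_established(self, client: str, cport: int) -> bool:
        return (client, cport) in self.established


def client_handshake(listener: Listener, client: str, cport: int) -> bool:
    """A well-behaved client: SYN, wait for SYN/ACK, answer with ACK."""
    isn_c = int.from_bytes(os.urandom(4), "big")
    synack = listener.receive(Segment(client, cport, listener.port, "SYN", isn_c))
    if synack is None or synack.ack != (isn_c + 1) & MASK32:
        return False
    listener.receive(Segment(client, cport, listener.port, "ACK",
                             (isn_c + 1) & MASK32, (synack.seq + 1) & MASK32))
    return listener.is_established(client, cport)


def spoofed_syn_burst(listener: Listener, count: int) -> None:
    """SYNs with forged sources: the SYN/ACKs go to hosts that never answer, so no ACK comes."""
    for i in range(count):
        listener.receive(Segment(f"192.0.2.{i % 250 + 1}", 1024 + i, listener.port, "SYN", i))


def demo(syn_cookies: bool) -> Tuple[bool, int]:
    """Returns (did the legitimate client connect, half-open entries left behind)."""
    listener = Listener("203.0.113.10", 80, table_size=4, syn_cookies=syn_cookies)
    spoofed_syn_burst(listener, 20)
    return client_handshake(listener, "198.51.100.5", 40000), len(listener.half_open)
```

The point the model makes is where state lives: with a half-open table the cost of each bogus SYN is paid by the server, with cookies it is paid by whoever has to produce a correct ACK, which a forged source never can.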

TCP Sequence Number Prediction
- Implicit assumption: the random sequence numbers cannot be guessed, thus ensuring some kind of security.
- Seriousness: compromises IP-based authentication mechanisms.
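Whether "random" holds depends entirely on how a stack generates its initial sequence numbers. The added example below (not code from the slides) places two generators side by side: a fixed-increment counter of the kind the prediction attack relies on, and the RFC 6528 construction, where the ISN is a 4 microsecond clock plus a keyed hash of the connection 4-tuple. A small check shows whether one observed ISN lets an off-path observer guess the next one for a different 4-tuple, and that the RFC 6528 ISN still advances monotonically for a repeated 4-tuple, which is what keeps old segments from being confused with new connections. The per-connection step of 64000, the clock values and the secret are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

# Added example, not code from the slides: a predictable fixed-increment ISN generator next
# to the RFC 6528 construction, plus a check of whether one observed ISN predicts the next.
# The step, clock values and secret below are constructed for the example.

FourTuple = Tuple[str, int, str, int]   # (local ip, local port, remote ip, remote port)
STEP = 64000
MASK32 = 0xFFFFFFFF


class CounterIsn:
    """Predictable: every new connection gets the previous ISN plus a constant."""
    def __init__(self, start: int = 0):
        self.last = start & MASK32

    def __call__(self, ft: FourTuple, clock_us: int) -> int:
        self.last = (self.last + STEP) & MASK32
        return self.last


class Rfc6528Isn:
    """ISN = M + F(localip, localport, remoteip, remoteport, secret), M advancing every 4 us."""
    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret or os.urandom(16)

    def __call__(self, ft: FourTuple, clock_us: int) -> int:
        m = (clock_us // 4) & MASK32
        digest = hmac.new(self.secret, ":".join(map(str, ft)).encode(), hashlib.sha256).digest()
        return (m + int.from_bytes(digest[:4], "big")) & MASK32


def next_isn_is_guessable(gen: Callable[[FourTuple, int], int], first: FourTuple,
                          second: FourTuple, clock_us: int = 1_000_000) -> bool:
    """Observer learns the ISN handed to `first`, then guesses `second` got it plus STEP."""
    observed = gen(first, clock_us)
    guess = (observed + STEP) & MASK32
    return gen(second, clock_us) == guess


def same_tuple_advance(gen: Rfc6528Isn, ft: FourTuple, elapsed_us: int) -> int:
    """For a fixed 4-tuple the hash term is constant, so only the clock term moves the ISN."""
    return (gen(ft, elapsed_us) - gen(ft, 0)) & MASK32
```

The observable difference between the two is the one a reviewer checks for: with the counter, ISNs handed to unrelated peers are related by a constant; with the keyed hash, only the same peer on the same ports sees a predictable progression, and it is predictable only in the clock term.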

Part IV Security Analyses

Reminder: the attack taxonomy
Attacker -> Attack -> Vulnerability -> Attack Result -> Objective
- Attacker: Script Kiddie, Cracker, Elite
- Attack: Read, Manipulate, Spoof, Flood, Redirect, Composite
- Vulnerability: Hardware, Software, Configuration, Policy, Usage
- Attack Result: Increased Access, Info Disclosure, Info Corruption, Theft of Service, Denial of Service
- Objective: Notoriety, Wealth, Acceptance, Fear, Politics

Analysis: Qualitative Features
- Member of class: the class to which the attack belongs.
- Attack result: the most common attack result from the list.
- Typical use: the most common use of a particular attack.
- TCP/IP layers: the layers exploited in the attack.
- Protection (Detection): the security technology that stops or helps to stop a given attack.

Analysis: Quantitative Features
Each feature is rated on a 1 to 5 scale; higher numbers are always better for the attacker and worse for you.
- Detection difficulty: the approximate difficulty a network staff with mid-level competence will have in detecting the attack.
- Ease of use: how hard the attack is to execute.
- Frequency: how common the attack is in the area of the network in which it is most effective.
- Impact: a measurement of the damage caused by the successful execution of the attack.

Overall Rating
It refers to how this attack stacks up against others.
Overall Rating = (Detection Difficulty * 1) + (Ease of Use * 2) + (Frequency * 3) + (Impact * 4)
This formula produces a range from 10 (shouting nasty words at the network in the hope it will crash) to 50 (I won't even say). Again, higher numbers are always better for the attacker and worse for you.

Example 1
Attack name: ICMP mapping network topology
Member of class: Read
Attack result: Disclosure of information
Typical use: Learn IPs at the victim network
TCP/IP layers: 3
Protection: None (a firewall can limit the mapping, though)
Detection difficulty: 4
Ease of use: 5
Frequency: 5
Impact: 2
Overall rating: 37

Example 2
Attack name: MAC spoofing
Member of class: Spoof
Attack result: Increased access and disclosure of information
Typical use: Steal a trusted system's MAC address
TCP/IP layers: 2
Protection: Static CAM on a switch
Detection difficulty: 3
Ease of use: 5
Frequency: 1
Impact: 3
Overall rating: 28
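As an added example (not code from the slides), the overall-rating formula applied to the two worked examples above, with range checking so that a feature outside the 1 to 5 scale is rejected rather than silently skewing the score, and a ranking helper for comparing several profiles. The `AttackProfile` type and its field names are this example's own.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Added example, not code from the slides: the overall-rating formula with range
# validation, applied to the deck's two worked examples.

WEIGHTS = {"detection_difficulty": 1, "ease_of_use": 2, "frequency": 3, "impact": 4}
RATING_MIN = sum(WEIGHTS.values())        # 10: every feature at 1
RATING_MAX = 5 * sum(WEIGHTS.values())    # 50: every feature at 5


@dataclass(frozen=True)
class AttackProfile:
    name: str
    detection_difficulty: int
    ease_of_use: int
    frequency: int
    impact: int

    def overall_rating(self) -> int:
        total = 0
        for feature, weight in WEIGHTS.items():
            value = getattr(self, feature)
            if not 1 <= value <= 5:
                raise ValueError(f"{feature} must be between 1 and 5, got {value}")
            total += value * weight
        return total


def rank(profiles: Iterable[AttackProfile]) -> List[str]:
    """Names ordered from the attacker's best-scoring attack downwards."""
    return [p.name for p in sorted(profiles, key=lambda p: p.overall_rating(), reverse=True)]


EXAMPLES = [
    AttackProfile("ICMP mapping network topology", detection_difficulty=4, ease_of_use=5, frequency=5, impact=2),
    AttackProfile("MAC spoofing", detection_difficulty=3, ease_of_use=5, frequency=1, impact=3),
]
```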