Network Security
Evil ICMP, Careless TCP & Boring Security Analyses
Mohamed Sabt, Univ Rennes, CNRS, IRISA
Thursday, October 4th, 2018
Part I Internet Control Message Protocol (ICMP)
Why ICMP
- No method to obtain node information: is a router or host alive?
- IP is an unreliable, connectionless datagram delivery service:
  - efficient use of network resources;
  - best-effort service to send from source to destination;
  - no error control.
- When an error occurs, IP has no built-in mechanism to notify the original host:
  - What if a router must discard a datagram because it cannot find a route to the final destination?
  - What if the final destination discards some fragments because they do not arrive within the time limit?
ICMP
- ICMP addresses most of IP's deficiencies.
- ICMP allows routers/hosts to exchange error or control messages.
- ICMP provides communication for the IP layer between different machines.
- The destination of an ICMP message is the ICMP software module.
- ICMP is a network-layer protocol, but its messages are first encapsulated into IP datagrams.
Error Reporting vs. Error Correction
- ICMP can only report an error to the original source; it is up to the source to deal with it.
- ICMP cannot be used to inform intermediate routers; the source has the responsibility for router problems.
- Why restrict ICMP messages to the original source?
  - Except for the record route option, datagrams only contain source/destination addresses.
  - No global knowledge of routes.
ICMP Messages
Error-reporting:
  1. Destination unreachable
  2. Source quench
  3. Time exceeded
  4. Parameter problem
  5. Redirection
Query:
  1. Echo request or reply
  2. Timestamp
  3. Address mask
  4. Router solicitation & advertisement
General Format of ICMP Messages
- Error messages: the data section carries information to identify the original packet that had the error; the optional parameters are all set to 0.
- Query messages: carry extra information based on the type of the query; optional parameters := identifier (2 bytes) + sequence number (2 bytes).
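Added example (not part of the slides): building and parsing messages in the format above. The query path fills bytes 4-7 with identifier and sequence; the error path zeroes them and carries the offending datagram's IP header plus 8 bytes, from which the original addresses and ports are recovered. Type names and the RFC 1071 checksum are standard; the function names are this example's own.

```python
import struct

ERROR_TYPES = {3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
               11: "Time Exceeded", 12: "Parameter Problem"}
QUERY_TYPES = {8: "Echo Request", 0: "Echo Reply", 13: "Timestamp", 14: "Timestamp Reply",
               17: "Address Mask Request", 18: "Address Mask Reply", 10: "Router Solicitation",
               9: "Router Advertisement"}

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; a message with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Query message: optional parameters = identifier (2 bytes) + sequence number (2 bytes)."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]

def build_error(mtype: int, code: int, original: bytes) -> bytes:
    """Error message: optional parameters all 0; data = offending IP header + first 8 payload bytes."""
    ihl = (original[0] & 0x0F) * 4
    body = struct.pack("!BBHI", mtype, code, 0, 0) + original[:ihl + 8]
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]

def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte header, then interpret bytes 4-7 and the data section by message class."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    mtype, code = msg[0], msg[1]
    info = {"type": mtype, "code": code, "checksum_ok": internet_checksum(msg) == 0}
    if mtype in ERROR_TYPES:
        info.update(cls="error", name=ERROR_TYPES[mtype])
        orig = msg[8:]                  # the datagram that triggered the error
        if len(orig) >= 20:
            ihl = (orig[0] & 0x0F) * 4
            info["orig_proto"] = orig[9]
            info["orig_src"] = ".".join(map(str, orig[12:16]))
            info["orig_dst"] = ".".join(map(str, orig[16:20]))
            if len(orig) >= ihl + 4:    # the first 8 payload bytes include the TCP/UDP ports
                info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", orig[ihl:ihl + 4])
    elif mtype in QUERY_TYPES:
        info.update(cls="query", name=QUERY_TYPES[mtype])
        info["identifier"], info["sequence"] = struct.unpack("!HH", msg[4:8])
        info["data"] = msg[8:]
    else:
        info.update(cls="unknown", name="type %d" % mtype)
    return info
```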
ICMP Error Reporting
Error Reporting Issues
No ICMP error message is generated for:
- a datagram carrying an ICMP error message (why?);
- a fragmented datagram that is not the first fragment;
- a datagram having a multicast address;
- a datagram with a special address such as 127.0.0.0 or 0.0.0.0.
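Added example (not from the slides): the four exceptions above as a check an IP stack would run before emitting an ICMP error, together with a small constructed-datagram builder for testing. The function names are this example's own; the rules follow the slide (and RFC 1122), with the special-address test applied to both address fields.

```python
import struct
import ipaddress

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # dest. unreachable, source quench, redirect, time exceeded, parameter problem

def may_send_icmp_error(datagram: bytes) -> tuple:
    """Decide whether an ICMP error message may be generated about this IPv4 datagram.
    Returns (allowed, reason); the exceptions are those listed on the slide (cf. RFC 1122, 3.2.2)."""
    if len(datagram) < 20:
        return False, "truncated IP header"
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(datagram) < ihl:
        return False, "malformed header"
    if flags_frag & 0x1FFF:                          # fragment offset != 0: not the first fragment
        return False, "non-first fragment"
    src_addr, dst_addr = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if dst_addr.is_multicast or dst_addr == ipaddress.IPv4Address("255.255.255.255"):
        return False, "multicast/broadcast destination"
    # Special addresses (127.0.0.0/8, 0.0.0.0/8) in either address field: a reply would go nowhere
    # useful, or would be sent to a host that never spoke to us.
    for addr in (src_addr, dst_addr):
        if addr.is_loopback or addr in ipaddress.IPv4Network("0.0.0.0/8"):
            return False, "special address %s" % addr
    # A datagram that itself carries an ICMP error never gets an error in return; otherwise two
    # faulty hosts could bounce error messages back and forth forever.
    if proto == 1 and len(datagram) > ihl and datagram[ihl] in ICMP_ERROR_TYPES:
        return False, "payload is an ICMP error message"
    return True, "ok"

def make_ipv4(src: str, dst: str, proto: int, payload: bytes, frag_offset: int = 0) -> bytes:
    """Constructed test datagram (header checksum left 0, which these rules do not examine)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag_offset // 8, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload
```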
Destination Unreachable
- When a router cannot route a datagram, the datagram is discarded and the router sends a destination unreachable message back to the source host.
- When a host cannot deliver a datagram, the datagram is discarded and the destination host sends a destination unreachable message back to the source host.
Destination Unreachable Codes
0: Network unreachable
1: Host is unreachable
2: Protocol is unreachable
3: Port is unreachable
4: Fragmentation is required
5: Source routing not feasible
6: Network unknown
7: Host unknown
8: Source host isolated
9: Destination network administratively prohibited
10: Destination host administratively prohibited
11: Network unreachable for type of service
12: Host unreachable for type of service
13: Communication administratively prohibited
14: Host precedence violation
15: Precedence cutoff in effect
Source Quench
- IP does not provide a flow-control mechanism: the source never knows if the routers or the destination are congested.
- A source-quench message informs the source that a datagram has been discarded due to congestion in a router or the destination host.
- The source is informed that the packet was dropped, and it must slow down.
- There is no mechanism for telling the source that congestion is relieved and transmission can resume at the previous rate.
- If transmission is many-to-one, the destination may drop packets from a slower sending host but not those from the faster (congestion-causing) senders.
Time Exceeded Message
- If a router receives a datagram with TTL = 0: discard the datagram; ICMP code = 0.
- If a host does not receive all fragments of a datagram within a certain time of receiving the first fragment: discard all fragments; ICMP code = 1.
ICMP Redirection
- An ICMP redirect is an error message sent by a router to the sender.
- Redirects are used when a router believes a packet is being routed suboptimally and wants to inform the sending host that it should forward subsequent packets to that same destination through a different gateway.
- In theory, a host with multiple gateways could have one default route and learn more optimal specific routes over time by way of ICMP redirects.
Rules of the Road (when a router sends a redirect)
- The outgoing and incoming interface must be the same.
- The IP source address in the packet is on the same logical IP network as the next-hop IP address.
- The route used for the outgoing packet must not be an ICMP redirect or a default route.
- The packet does not contain an IP source route option.
- The gateway must be configured to send redirects.
ICMP Query
Echo Request & Echo Reply
- Designed for diagnosis purposes: used to test the reachability of a specific host/router.
- Receivers of an echo request send back an echo reply.
- Echo optional data:
  - An echo request can also contain optional data (the content does not matter).
  - An echo reply always returns exactly the same data as was received in the request.
- Tools: the ping program (Packet INternet Groper).
Address Mask
- Used by a host to obtain its IP address mask.
- Algorithm: the host sends a mask request to its router if it knows a router. If not, the host broadcasts the request and a router replies.
Router Solicitation
- Users need to know the addresses of routers: before a host is able to send a message to a host outside its own subnet, it must be able to identify the address of the immediate router.
- The host broadcasts a request to learn the operating routers.
- Routers reply with all routers they are aware of, including themselves (sometimes they reply without a request).
Part II ICMP Security
Type I: Reconnaissance & Scanning
- Reconnaissance refers to the overall act of learning information about a target network.
- Motivations:
  - to understand the environment of the target;
  - to gather information about the target so as to plan the attack approach.
Mapping Network Topology
- Goal: to discover the live hosts in a target network.
- How:
  - sending individual ICMP echo requests (e.g. ping);
  - sending ICMP echo requests to the broadcast addresses of a network;
  - sending an ICMP address mask request to a host to determine the subnet mask;
  - sending ICMP echo requests to the network and broadcast addresses of subnetworks.
Inverse Mapping
- Goal: to map internal networks or hosts that are protected or not directly reachable from the Internet.
- How:
  - The attacker sends ICMP echo reply messages to a range of IP addresses presumably behind a filtering device.
  - Since the filtering device does not keep state of the ICMP requests that went out, it lets these replies through to their destinations.
  - If there is an internal router, it responds with ICMP Host Unreachable for every host that it cannot reach.
  - The attacker now knows which hosts are present behind the filtering device.
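Added example (not from the slides): the stateful counterpart of the filtering device described above. It records outbound echo requests and admits an inbound echo reply only when it matches a pending request, so replies sprayed at internal addresses never reach an internal router. Packets are represented as constructed dicts (src, dst, type, ident, seq); the class and field names are this example's own.

```python
from collections import OrderedDict

ECHO_REQUEST, ECHO_REPLY = 8, 0

class StatefulEchoFilter:
    """Perimeter filter that admits an inbound Echo Reply only if it answers an Echo Request that
    recently left the protected network, matched on (internal host, external host, identifier, sequence)."""

    def __init__(self, ttl_seconds: float = 30.0, max_pending: int = 10000):
        self.ttl = ttl_seconds
        self.max_pending = max_pending
        self.pending = OrderedDict()        # key -> expiry time, oldest first

    def _expire(self, now: float) -> None:
        while self.pending and next(iter(self.pending.values())) <= now:
            self.pending.popitem(last=False)

    def outbound(self, pkt: dict, now: float) -> bool:
        """Record an outbound Echo Request so its reply can be recognised; all outbound traffic passes."""
        self._expire(now)
        if pkt["type"] == ECHO_REQUEST:
            key = (pkt["src"], pkt["dst"], pkt["ident"], pkt["seq"])
            self.pending.pop(key, None)      # re-insert at the tail so expiry order stays sorted
            if len(self.pending) >= self.max_pending:
                self.pending.popitem(last=False)   # bound the table if internal hosts flood requests
            self.pending[key] = now + self.ttl
        return True

    def inbound(self, pkt: dict, now: float) -> bool:
        """Admit an inbound Echo Reply only if a matching request is pending (each request admits one reply).
        Other ICMP types are left to the rest of the rule set (reported as admitted here)."""
        self._expire(now)
        if pkt["type"] != ECHO_REPLY:
            return True
        key = (pkt["dst"], pkt["src"], pkt["ident"], pkt["seq"])
        return self.pending.pop(key, None) is not None
```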
Type II: Man-in-the-Middle Attacks
ICMP Route Redirect
Steps:
1. The attacker manages to take over a secondary gateway R1 of the source host.
2. The attacker sends a TCP open packet to the source host, acting as the destination host.
3. While a reply is in transit from the source host to the destination host through gateway R2, the attacker sends an ICMP route redirect message to the source host, spoofing R2.
4. The source host accepts the route change control message as valid.
Bonus on ICMP Route Redirect
Winfreez(e) in Windows (outdated):
- ICMP redirect: "yourself is the quickest link to host H1" (for instance).
- The victim changes its routing table for H1 to itself.
- The victim sends packets to itself in an infinite loop.
ICMP Router Discovery Messages
Steps:
1. A host boots up and issues a router solicitation message to find the default router on the network.
2. The attacker listens in on the message and spoofs a reply to that host.
3. The default route of the host is now set to the attacker's IP address, which the attacker included in the reply.
4. The attacker can now sniff or mount a man-in-the-middle attack on all traffic leaving the host through the attacker's machine.
Type III: Denial-of-Service (DoS)
- Denial of service (DoS) is the intentional degradation or blocking of computer or network resources.
- There is a prevailing wisdom that says: as long as you have more bandwidth than the attacker, you shouldn't have too many problems.
Smurfing Attacks 1/2
Using the amplification principle.
Smurfing Attacks 2/2
- First, the hacker creates many ICMP echo requests that fake the victim's address.
- Then, he or she sends them to many broadcast addresses of different networks.
- As a result, all Internet-connected devices of these networks receive the requests, and each of them sends an ICMP echo reply back to the victim.
- In the end, the victim is faced with a massive number of echo replies that can flood the whole system, quickly overloading it until it comes to a standstill or even crashes.
Ping of Death
- A ping of death involves sending a malformed or otherwise malicious ping to a computer.
- The maximum size for a ping is 65,536 bytes.
- If the target host is not properly patched, the OS will freeze or reboot after receiving just one oversized packet.
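Added example (not from the slides): the check a patched IP stack performs during reassembly. Since the fragment offset field counts 8-byte units, the last fragment can claim a position beyond the 16-bit total-length limit; the guard below refuses such a fragment instead of writing past the reassembly buffer. The class and function names are this example's own.

```python
MAX_IPV4_DATAGRAM = 65535        # the IP total-length field is 16 bits

def check_fragment(frag_offset_units: int, payload_len: int, ip_header_len: int = 20) -> tuple:
    """Accept a fragment only if header + its last byte fit in a maximum-size datagram.
    frag_offset_units is the 13-bit offset field (8-byte units); returns (accept, reason)."""
    end = frag_offset_units * 8 + payload_len
    if ip_header_len + end > MAX_IPV4_DATAGRAM:
        return False, "fragment would reassemble to %d bytes (> %d)" % (ip_header_len + end, MAX_IPV4_DATAGRAM)
    return True, "ok"

class Reassembler:
    """Collects the fragments of one datagram; oversize fragments are refused, never buffered."""

    def __init__(self, ip_header_len: int = 20):
        self.ip_header_len = ip_header_len
        self.buf = bytearray()       # reassembled payload so far
        self.mask = bytearray()      # 1 where a byte has been received
        self.total = None            # payload length, known once the MF=0 fragment arrives

    def add(self, frag_offset_units: int, more_fragments: bool, data: bytes) -> tuple:
        """Returns (accepted, status) with status in {"waiting", "complete"} or the refusal reason."""
        ok, why = check_fragment(frag_offset_units, len(data), self.ip_header_len)
        if not ok:
            return False, why        # dropped before any buffer growth
        start = frag_offset_units * 8
        end = start + len(data)
        if len(self.buf) < end:
            grow = end - len(self.buf)
            self.buf.extend(b"\x00" * grow)
            self.mask.extend(b"\x00" * grow)
        self.buf[start:end] = data
        self.mask[start:end] = b"\x01" * len(data)
        if not more_fragments:
            self.total = end
        complete = self.total is not None and all(self.mask[:self.total])
        return True, "complete" if complete else "waiting"
```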
Part III Transmission Control Protocol (TCP)
TCP Handshake (client C, server S)
C -> S   SYN:      SN_C = rand_C, AN_C = 0          S: Listening
S -> C   SYN/ACK:  SN_S = rand_S, AN_S = SN_C       S: Store SN_C, SN_S
C -> S   ACK:      SN = SN_C + 1, AN = SN_S         C: Wait
                                                    Established
TCP Handshake
- The client sends a SYN (synchronize) packet to the server, which has a random sequence number.
- The server sends back a SYN-ACK packet, containing a random sequence number and an ACK number acknowledging the client's sequence number.
- The client sends an ACK number to the server, acknowledging the server's sequence number.
- The sequence numbers on both ends are synchronized. Both ends can now send and receive data independently.
TCP Basic Security Problems
- Network packets pass by untrusted hosts:
  - eavesdropping, packet sniffing;
  - especially easy when the attacker controls a machine close to the victim (e.g. WiFi routers).
- TCP state is easily obtained by eavesdropping: enables spoofing and session hijacking.
- Denial of Service (DoS) vulnerabilities.
TCP SYN Attack
The attack exploits the fact that servers wait for the completion of half-open TCP connections, keeping stored state for each one.
TCP SYN Attack in Action
- The attacker starts by flooding bogus SYN packets with spoofed source addresses.
- The spoofed source address causes the target to respond to the SYN with a SYN-ACK to an unsuspecting or nonexistent source machine.
- The target then waits for an ACK packet from the source to complete the connection. The ACK never comes.
- The incomplete handshake ties up the connection table with a pending connection request that never completes.
- The table quickly fills up and consumes all available resources with bogus requests.
- The result is a denial of service since, once the table is full, the target server is unable to service legitimate requests.
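Added example (not from the slides): the classic mitigation for the stored-state problem above, SYN cookies, as a server that keeps no half-open table. The server's initial sequence number is a keyed MAC over the 4-tuple and the client's ISN with a slow clock in the top bits, so the third packet validates itself; spoofed SYNs cost the server nothing to remember. The class and method names are this example's own; real implementations also encode the MSS, omitted here.

```python
import hashlib
import hmac
import time

COUNTER_BITS = 8        # top 8 bits of ISN_S carry a slow clock so old cookies expire
COUNTER_PERIOD = 64     # seconds per tick: the client must finish the handshake within ~2 ticks

class SynCookieServer:
    """Server side of the handshake without a half-open connection table: the SYN-ACK sequence
    number (ISN_S) is a MAC over the 4-tuple and the client's ISN, so the final ACK can be
    validated from the packet alone. (Real SYN cookies also encode the MSS; omitted here.)"""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.established = []           # the only state kept: connections whose ACK validated

    def _counter(self, now: float) -> int:
        return int(now // COUNTER_PERIOD) & ((1 << COUNTER_BITS) - 1)

    def _cookie(self, src, dst, sport, dport, client_isn, counter) -> int:
        msg = ("%s|%s|%d|%d|%d|%d" % (src, dst, sport, dport, client_isn, counter)).encode()
        mac = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return (counter << (32 - COUNTER_BITS)) | (mac & ((1 << (32 - COUNTER_BITS)) - 1))

    def on_syn(self, src, dst, sport, dport, client_isn) -> dict:
        """Answer a SYN with a SYN-ACK and store nothing, however many spoofed SYNs arrive."""
        isn_s = self._cookie(src, dst, sport, dport, client_isn, self._counter(self.clock()))
        return {"flags": "SYN-ACK", "seq": isn_s, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, src, dst, sport, dport, seq, ack) -> bool:
        """Third packet: ack-1 must be the cookie for this 4-tuple and the client's ISN (seq-1)."""
        isn_s = (ack - 1) & 0xFFFFFFFF
        client_isn = (seq - 1) & 0xFFFFFFFF
        counter = isn_s >> (32 - COUNTER_BITS)
        age = (self._counter(self.clock()) - counter) & ((1 << COUNTER_BITS) - 1)
        if age > 1:
            return False                # cookie too old (or a guessed number): nothing to free
        if self._cookie(src, dst, sport, dport, client_isn, counter) != isn_s:
            return False                # forged or mismatched cookie: rejected, no resources held
        self.established.append((src, sport, client_isn, isn_s))
        return True
```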
TCP Sequence Number Prediction
- Implicit assumption: the random sequence numbers cannot be guessed, which is supposed to provide some kind of security.
- Seriousness: compromises IP-based authentication mechanisms.
Part IV Security Analyses
Reminder: attack taxonomy
Attacker: Script Kiddie, Cracker, Elite
Attack: Read, Manipulate, Spoof, Flood, Redirect, Composite
Vulnerability: Hardware, Software, Configuration, Policy, Usage
Attack Result: Increased Access, Info Disclosure, Info Corruption, Theft of Service, Denial of Service
Objective: Notoriety, Wealth, Acceptance, Fear, Politics
Analysis: Qualitative Features
- Member of class: the class to which the attack belongs.
- Attack result: the most common attack result from the list.
- Typical use: the most common use of a particular attack.
- TCP/IP layers: the layers exploited in the attack.
- Protection (Detection): the security technology that stops, or helps to stop, a given attack.
Analysis: Quantitative Features
Each feature is rated on a 1 to 5 scale. Higher numbers are always better for the attacker and worse for you.
- Detection difficulty: the approximate difficulty that network staff with mid-level competence will have in detecting the attack.
- Ease of use: how hard the attack is to execute.
- Frequency: how common the attack is in the area of the network in which it is most effective.
- Impact: a measurement of the damage caused by the successful execution of the attack.
Overall Rating
- It refers to how this attack stacks up against others.
- Overall Rating = (Detection Difficulty * 1) + (Ease of Use * 2) + (Frequency * 3) + (Impact * 4).
- This formula produces a range from 10 (shouting nasty words at the network in the hope it will crash) to 50 (I won't even say).
- Again, higher numbers are always better for the attacker and worse for you.
Example 1
Attack Name: ICMP Mapping Network Topology
Member of Class: Read
Attack Result: Disclosure of information
Typical Use: Learn IPs at the victim network
TCP/IP Layers: 3
Protection: None (a firewall can limit the mapping, though)
Detection Difficulty: 4
Ease of Use: 5
Frequency: 5
Impact: 2
Overall Rating: 37
Example 2
Attack Name: MAC Spoofing
Member of Class: Spoof
Attack Result: Increased access and disclosure of information
Typical Use: Steal a trusted system's MAC address
TCP/IP Layers: 2
Protection: Static CAM on a switch
Detection Difficulty: 3
Ease of Use: 5
Frequency: 1
Impact: 3
Overall Rating: 28