Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University


Why ICMP?
- UDP and TCP are not designed to report errors.
- ICMP provides a simple way to report errors between hosts/routers and hosts.

Layer 2 Protocol
- ICMP is encapsulated in IP.
- It does not have ports.
- The receiving host may not respond to the sender.
- No guarantee of delivery.

ICMP Packet
- 4-byte header (type, code, and header checksum) followed by a message.
- Layout: Type | Code | ICMP Checksum | Data

Messages
- A host may send a quench message to notify a sender to throttle down the delivery rate.
- A router may send ICMP to inform a sender of some problem.
- A router may respond with an unreachable ICMP message if a destination host cannot respond.
- ICMP sent by routers may be used for reconnaissance purposes!

Mapping Techniques
- Explore live hosts for attack targets.
- RingZero trojan scans TCP ports 3128, 80, and 8080, including inactive hosts -> not very efficient.
- ICMP echo request
- TCP ACK scan (hosts respond with RST)

Tireless Mapper
- Scanner sends ICMP echo requests to each possible subnet address:
  scanner.net > 192.168.117.233: icmp: echo request
  scanner.net > 192.168.117.13: icmp: echo request
  scanner.net > 192.168.117.23: icmp: echo request
  scanner.net > 192.168.117.216: icmp: echo request
- IDS will not issue an alert for an individual echo request.
- IDS can examine more generic scan activity: a single source to multiple destinations within a period.

Efficient Mapper
- Send an ICMP echo request to the broadcast address: 192.168.1.255, or 192.168.1.0 (BSD implementation).
- All live hosts in the subnet should respond.
  scanner.net > 192.168.1.255: icmp: echo request
  scanner.net > 192.168.1.0: icmp: echo request
  scanner.net > 192.168.2.255: icmp: echo request
  scanner.net > 192.168.2.0: icmp: echo request

Clever Mapper
- What if a class C subnet is further divided into smaller networks? Send an ICMP echo request to each of their broadcast addresses:
  scanner.net > 192.168.44.0: icmp: echo request
  scanner.net > 192.168.44.255: icmp: echo request
  scanner.net > 192.168.44.63: icmp: echo request
  scanner.net > 192.168.44.64: icmp: echo request
  scanner.net > 192.168.44.127: icmp: echo request
  scanner.net > 192.168.44.128: icmp: echo request
  scanner.net > 192.168.44.191: icmp: echo request
  scanner.net > 192.168.44.192: icmp: echo request
- The 192.168.44 subnet is divided into 4 smaller networks, each of which contains 64 addresses.

Cerebral Mapper
- Use an ICMP address mask request to reconnoiter the host address range in a subnet:
  scanner.net > router.com: icmp: address mask request (DF)
  router.com > scanner.net: icmp: address mask is 0xffffff00 (DF)

Normal ICMP Traffic
- Host Unreachable
- Port Unreachable
- Admin Prohibited
- Need to Frag
- Time Exceeded In Transit
- Embedded Information in ICMP Error Messages

Host Unreachable
- An attempt to send traffic to a target host which may be down somehow.
  router > sending.host: icmp: host target.host unreachable

Port Unreachable
- A target host responds to the sending host that it is not listening on a port. In the following, the target is not listening on the ntp port (UDP network time protocol port):
  Target.host > sending.host: icmp: target.host udp port ntp unreachable (DF)

Admin Prohibited
- The router has access control and responds to the sender with an admin prohibited ICMP message.
  router > sending.host: icmp: host target.host unreachable admin prohibited

Need to Frag
- The DF flag is set on an IP packet that needs to be fragmented.
  router > sending.host: icmp: target.host unreachable need to frag (mtu 1500)

Time Exceeded In Transit
- Packet dropped because its TTL expired.
  router > sending.host: icmp: time exceeded in-transit

Embedded Information in ICMP Error Messages
- In case of errors, ICMP includes 28 bytes of the offending IP datagram: the IP header plus the first 8 bytes of its payload.
- This extra information is used by nmap for classifying the OS.
- Layout: Type | Code | Checksum | Message: IP header + 8 bytes of payload (28 bytes in total)
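Added example, not from the slides: a small Python decoder for the ICMP header described above, with the RFC 1071 checksum check and extraction of the quoted IP header plus 8 payload bytes from error messages. The sample addresses and ports are constructed assumptions, and rest-of-header handling covers only the next-hop MTU of need-to-frag.

```python
import struct, ipaddress

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 5: "redirect", 8: "echo request",
              11: "time exceeded", 17: "address mask request", 18: "address mask reply"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                 4: "need to frag", 13: "admin prohibited"}
ERROR_TYPES = {3, 5, 11, 12}  # error messages quote the offending IP header + 8 bytes

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(typ: int, code: int, rest: int, payload: bytes) -> bytes:
    """Type | Code | Checksum | rest-of-header (4 bytes), then the payload; checksum filled in."""
    chk = icmp_checksum(struct.pack("!BBHI", typ, code, 0, rest) + payload)
    return struct.pack("!BBHI", typ, code, chk, rest) + payload

def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte header, verify the checksum and pull out the quoted datagram."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    typ, code, chk = struct.unpack("!BBH", msg[:4])
    info = {"type": typ, "code": code, "name": ICMP_TYPES.get(typ, "other"),
            "checksum_ok": icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) == chk}
    if typ == 3:
        info["reason"] = UNREACH_CODES.get(code, "code %d" % code)
        if code == 4:  # need to frag: next-hop MTU is the low 16 bits of the rest-of-header
            info["mtu"] = struct.unpack("!H", msg[6:8])[0]
    if typ in ERROR_TYPES and len(msg) >= 28:
        ihl = (msg[8] & 0x0F) * 4  # header length of the quoted IP datagram
        info["orig_src"] = str(ipaddress.IPv4Address(msg[20:24]))
        info["orig_dst"] = str(ipaddress.IPv4Address(msg[24:28]))
        info["orig_proto"] = msg[17]
        l4 = msg[8 + ihl:8 + ihl + 8]  # the 8 bytes of transport header that follow it
        if info["orig_proto"] in (6, 17) and len(l4) >= 4:  # TCP/UDP ports come first
            info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", l4[:4])
    return info

def quoted_udp_datagram() -> bytes:
    """Constructed sample: IP header (DF set, proto 17) + UDP header to port ntp (123)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0x1234, 0x4000, 64, 17, 0,
                         ipaddress.IPv4Address("10.0.0.5").packed,
                         ipaddress.IPv4Address("10.0.0.9").packed)
    return ip_hdr + struct.pack("!HHHH", 40000, 123, 16, 0)  # sport, dport, length, checksum
```

`parse_icmp(build_icmp(3, 3, 0, quoted_udp_datagram()))` reproduces the "udp port ntp unreachable" case from the slides, with the original source, destination and ports recovered from the quoted bytes.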

Malicious ICMP Traffic
- Port/host scan
- DoS/DDoS
- Covert channels

Smurf Attack
1. ICMP echo request to broadcast addresses with the victim's IP address
2. Router allows in ICMP echo requests to broadcast addresses
3. All live hosts respond with ICMP echo replies to the victim

Tribe Flood Network
- A TFN attack enlists the help of many distributed hosts (daemons or zombies) to flood a victim.
- Diagram: TFN master -> TFN daemon hosts -> flood the victim with ICMP echo replies.

WinFreeze
- Causes a susceptible Windows host to attack itself (self-mutilation).
- In the following the victim will apply all the changes in its routing table!
  router > victim.com: redirect 149.161.239.104 to host victim.com
  router > victim.com: redirect 48.161.239.104 to host victim.com
  router > victim.com: redirect 149.1.239.104 to host victim.com
  router > victim.com: redirect 149.161.23.104 to host victim.com
  router > victim.com: redirect 149.161.239.10 to host victim.com
  router > victim.com: redirect 149.1.239.104 to host victim.com
  router > victim.com: redirect 19.161.239.104 to host victim.com
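Added example (not from the slides) covering the IDS heuristic of the Tireless, Efficient, Clever and Cerebral Mapper slides and the WinFreeze redirect flood: a Python detector run over constructed log lines in the slides' tcpdump style. The timestamps, the thresholds, the /26 subnet granularity and the benign 10.1.1.7 host are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address
SAMPLE_LOG = """\
10:00:01 scanner.net > 192.168.117.233: icmp: echo request
10:00:01 scanner.net > 192.168.117.13: icmp: echo request
10:00:02 scanner.net > 192.168.117.23: icmp: echo request
10:00:02 scanner.net > 192.168.117.216: icmp: echo request
10:00:03 scanner.net > 192.168.44.63: icmp: echo request
10:00:04 scanner.net > router.com: icmp: address mask request (DF)
10:00:05 10.1.1.7 > 192.168.117.5: icmp: echo request
10:00:06 router > victim.com: redirect 149.161.239.104 to host victim.com
10:00:06 router > victim.com: redirect 48.161.239.104 to host victim.com
10:00:06 router > victim.com: redirect 149.1.239.104 to host victim.com
"""  # constructed sample; the leading timestamps are an assumption, the rest follows the slides
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+) > ([^:]+): (?:icmp: )?(.+)$")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m: return None
    h, mi, s = (int(x) for x in m.group(1, 2, 3))
    return {"t": h * 3600 + mi * 60 + s, "src": m.group(4), "dst": m.group(5), "msg": m.group(6)}

def is_broadcast_like(addr, min_prefix=26):
    """True if addr is the network or directed-broadcast address of a /24 .. /min_prefix block."""
    try:
        last = int(IPv4Address(addr)) & 0xFF
    except ValueError:
        return False  # a hostname cannot be judged
    return any(last % (1 << (32 - p)) in (0, (1 << (32 - p)) - 1) for p in range(24, min_prefix + 1))

def detect(log_text, window=5, sweep_hosts=4, redirect_limit=3):
    """Return (rule, src, detail) alerts; each threshold rule fires once when first crossed."""
    alerts, echo_hist, redirect_hist = [], defaultdict(list), defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev["msg"].startswith("address mask request"):
            alerts.append(("address-mask-request", ev["src"], ev["dst"]))
        elif ev["msg"].startswith("echo request"):
            if is_broadcast_like(ev["dst"]):
                alerts.append(("broadcast-echo", ev["src"], ev["dst"]))
            echo_hist[ev["src"]].append((ev["t"], ev["dst"]))
            recent = {d for t, d in echo_hist[ev["src"]] if ev["t"] - t <= window}
            if len(recent) == sweep_hosts:  # same source, many destinations in a short period
                alerts.append(("echo-sweep", ev["src"], "%d hosts in %ds" % (sweep_hosts, window)))
        elif ev["msg"].startswith("redirect"):
            redirect_hist[ev["dst"]].append(ev["t"])
            if sum(1 for t in redirect_hist[ev["dst"]] if ev["t"] - t <= window) == redirect_limit:
                alerts.append(("redirect-storm", ev["src"], ev["dst"]))  # WinFreeze pattern
    return alerts
```

`detect(SAMPLE_LOG)` raises one alert per technique (sweep, broadcast probe, address mask request, redirect storm) while the single echo request from 10.1.1.7 stays silent.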

Loki
- Uses ICMP as a tunneling protocol for a covert channel.
- Client/server architecture.
- A compromised host running the Loki server will respond to Loki clients with server information such as /etc/passwd.

Unsolicited ICMP Echo Replies
- IP spoofing
- TFN
- Loki

ICMP Messages
From hosts:
- Protocol unreachable
- Port unreachable
- IP reassembly time exceeded
- Parameter problem
- Echo reply
- Timestamp reply
- Address mask reply
From routers:
- Fragmentation needed but don't fragment bit set
- Admin prohibited
- Time exceeded in transit
- Host unreachable

ICMP Messages
- Admin prohibited: can assist in examining what type of traffic the site blocks.
- Address mask reply: the subnet mask of the network on which the responding host resides.
- Time exceeded in transit: used in traceroute to discover routers and network topology.
- Protocol unreachable: can be used to inversely map a host's listening protocols.
- Port unreachable: can be used to inversely map a live host's listening UDP ports.
- Fragmentation needed but don't fragment bit set: can be used to determine the MTU of links for use in attacks that use fragments.

To Block or Not to Block
- Unrequited ICMP echo requests: block inbound echo requests? Loki and TFN used echo reply!
- Windows tracert not working: inbound ICMP time exceeded in transit is used by tracert. UNIX traceroute uses UDP. Fine!
- Inefficiency: blocking all inbound ICMP traffic may cause a sending host to keep trying until timeout if the receiver is unreachable.
- Broken Path MTU Discovery: a sending host may need to find out the MTU. Blocking inbound ICMP traffic means packets larger than the MTU sent with DF will be dropped silently!
- Bottom line: make sure to allow host unreachable and need to frag ICMP inbound traffic to your network!