CSC 574 Computer and Network Security. TCP/IP Security

Similar documents
CSCI 680: Computer & Network Security

CSE Computer Security

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

ELEC5616 COMPUTER & NETWORK SECURITY

Network Security. Thierry Sans

Configuring attack detection and prevention 1

CSc 466/566. Computer Security. 18 : Network Security Introduction

CSE 565 Computer Security Fall 2018

Configuring attack detection and prevention 1

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

20-CS Cyber Defense Overview Fall, Network Basics

Internet Protocol and Transmission Control Protocol

9. Security. Safeguard Engine. Safeguard Engine Settings

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

ch02 True/False Indicate whether the statement is true or false.

CSE443 - Introduction to Computer and Network Security Network Security

INF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi

NETWORK SECURITY. Ch. 3: Network Attacks

CSC 6575: Internet Security Fall Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

Network Security. Network Vulnerabilities

ICS 451: Today's plan

Denial of Service. EJ Jung 11/08/10

CSE543 Computer and Network Security Module: Network Security

SANS SEC504. Hacker Tools, Techniques, Exploits and Incident Handling.

TCP /IP Fundamentals Mr. Cantu

TCP TCP/IP: TCP. TCP segment. TCP segment. TCP encapsulation. TCP encapsulation 1/25/2012. Network Security Lecture 6

Packet Header Formats

DDoS Testing with XM-2G. Step by Step Guide

Interconnecting Networks with TCP/IP. 2000, Cisco Systems, Inc. 8-1

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Module: Network Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

CS 457 Lecture 11 More IP Networking. Fall 2011

Chapter 2 Advanced TCP/IP

CSC 574 Computer and Network Security. DNS Security

Scribe Notes -- October 31st, 2017

CIT 380: Securing Computer Systems. Network Security Concepts

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

ICS 351: Networking Protocols

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

INFS 766 Internet Security Protocols. Lecture 1 Firewalls. Prof. Ravi Sandhu INTERNET INSECURITY

Network Security. Tadayoshi Kohno

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

A Look Back at Security Problems in the TCP/IP Protocol Suite Review

Chapter 8 roadmap. Network Security

network security s642 computer security adam everspaugh

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Introduction to TCP/IP networking

interface Question 1. a) Applications nslookup/dig Web Application DNS SMTP HTTP layer SIP Transport layer OSPF ICMP IP Network layer

Transport Over IP. CSCI 690 Michael Hutt New York Institute of Technology

CIT 480: Securing Computer Systems

Attack Prevention Technology White Paper

8/19/2010. Computer Forensics Network forensics. Data sources. Monitoring

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

IPv4 Lecture 10a. COMPSCI 726 Network Defence and Countermeasures. Muhammad Rizwan Asghar. August 14, 2017

Computer Networks Security: intro. CS Computer Systems Security

Concept Questions Demonstrate your knowledge of these concepts by answering the following questions in the space that is provided.

CSCI-GA Operating Systems. Networking. Hubertus Franke

CS61C Machine Structures Lecture 37 Networks. No Machine is an Island!

Configuring Flood Protection

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Computer Security: Principles and Practice

Interconnecting Networks with TCP/IP

Applied Networks & Security

Internet Infrastructure

Networking interview questions

IBM i Version 7.3. Security Intrusion detection IBM

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

5. Execute the attack and obtain unauthorized access to the system.

Configuring Advanced Firewall Settings

CSE/EE 461 The Network Layer. Application Presentation Session Transport Network Data Link Physical

Layered Networking and Port Scanning

CS670: Network security

TSIN02 - Internetworking

Denial of Service (DoS)

CSE 565 Computer Security Fall 2018

CSE 127: Computer Security Network Security. Kirill Levchenko

COSC 301 Network Management

User Datagram Protocol

Introduction p. 1 The Need for Security p. 2 Public Network Threats p. 2 Private Network Threats p. 4 The Role of Routers p. 5 Other Security Devices

CS 356: Computer Network Architectures. Lecture 10: IP Fragmentation, ARP, and ICMP. Xiaowei Yang

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Troubleshooting High CPU Utilization Due to the IP Input Process

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Internet Control Message Protocol (ICMP)

Hands-On Ethical Hacking and Network Defense

History Page. Barracuda NextGen Firewall F

A quick theorical introduction to network scanning. 23rd November 2005

TCP/IP Protocol Suite

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

CSC 4900 Computer Networks: Security Protocols (2)

CSCI 1800 Cybersecurity and Interna4onal Rela4ons. Design and Opera-on of the Internet John E. Savage Brown University

A Study on Intrusion Detection Techniques in a TCP/IP Environment

HP High-End Firewalls

Transcription:

CSC 574 Computer and Network Security TCP/IP Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr)

Network Stack, yet again Application Transport Network Link Physical 2

Networking Fundamentally about transmitting information between two devices Communication is now possible between any two devices anywhere (just about) Lots of abstraction involved (see previous slide) Lots of network components (routers) Standard protocols (e.g., IP, TCP, UDP) Wired and wireless What about ensuring security? 3

Network Security Every machine is connected No barrier to entry Not just limited to dogs as users 4

5

Exploiting the network The Internet is extremely vulnerable to attack it is a huge open system... which adheres to the end-to-end principle smart end-points, dumb network Can you think of any large-scale attacks that would be enabled by this setup? 6

Network Security: The high bits The network is a collection of interconnected computers with resources that must be protected from unwanted inspection or modification while maintaining adequate quality of service. 7

Network Security: The high bits Network Security (one of many possible definitions): Securing the network infrastructure such that the integrity, confidentiality, and availability of the resources is maintained. 8

Steven Bellovin s Security Problems in the TCP/IP Protocol Suite Bellovin s observations about security problems in IP Not really a study of how IP is misused (e.g., IP addresses for authentication), but rather what is inherently bad about the way in which IP is set up A really, really nice overview of the basic ways in which security and the IP design is at odds 9

TCP Header

TCP Sequence Numbers SYN(ISN A ) SYN(ISN B ),ACK(ISN A ) ACK(ISN B ) TCP s three-way handshake : each party selects Initial Sequence Number (ISN) shows both parties are capable of receiving data offers some protection against forgery -- WHY? 11

TCP Sequence Numbers SYN(ISN A ),SRC=A ACK(ISN??? ) SYN(ISN B ),ACK(ISN A ) 12

TCP Sequence Numbers SYN(ISN E ) SYN(ISN B1 ),ACK(ISN E ) SYN(ISN A ),SRC=A ACK(ISN B1+δ ), SRC=A EVIL DATA, SRC=A SYN(ISN B2 ),ACK(ISN A ) In many TCP implementations, ISNs are predictable -- based on time (e.g,. ++ each 1/128 sec) 13

How do we fix this? More rapidly change ISNs Randomize ISNs 14

Source Routing Standard IP Packet Format (RFC791) Source Routing allows sender to specify route Set flag in Flags field Specify routes in Options field 15

Source Routing I like path R2, R5, R4. R2 R4 R5 16

Source Routing Q: What are the security implications of Source Routing? Access control? DoS? Q: What are the possible defenses? A: Block packets with source-routing flag 17

Routing Manipulation RIP - Routing Information Protocol Distance vector routing protocol used for the local network Routers exchange reachability and distance vectors for all the sub-networks within (a typically small) domain Use vectors to decide which route is best Problem: Data (vectors) are not authenticated Forge vectors to cause traffic to be routed through adversary or cause DoS Solutions:? (still an open problem) 18

Internet Control Message Protocol (ICMP) ICMP is used as a control plane for IP messages Ping (connectivity probe) Destination unreachable (error notification) Time-to-live exceeded (error notification) Some ICMP messages cause clients to alter behavior e.g., TCP RSTs on destination unreachable or TTL-exceeded ICMP messages are easy to spoof: no handshake Enables attacker to remotely reset others connections Solution: Verify/sanity check sources and content Filter most of ICMP 19

Ping-of-Death: Background: IP Fragmentation 16-bit Total Length field allows 2 16-1=65,535 byte packets Data link (layer 2) often imposes significantly smaller Maximum Transmission Unit (MTU) (normally 1500 bytes) Fragmentation supports packet sizes greater than MTU and less than 2 16 13-bit Fragment Offset specifies offset of fragmented packet, in units of 8 bytes Receiver reconstructs IP packet from fragments, and delivers it to Transport Layer (layer 4) after reassembly 20

Ping-of-Death Maximum packet size: 65,535 bytes Maximum 13-bit offset is (2 13-1) * 8 = 65,528 In 1996, someone discovered that many operating systems, routers, etc. could be crash/rebooted by sending a single malformed packet If packet with maximum possible offset has more than 7 bytes, IP buffers allocated with 65,535 bytes will be overflowed...causing crashes and reboots Not really ICMP specific, but easy % ping -s 65510 your.host.ip.address Most OSes and firewalls have been hardened against PODs This was a popular pastime of early hackers 21

ARP Spoofing: Background: Ethernet Frames 23

ARP Spoofing: Background: ARP Address Resolution Protocol (ARP): Locates a host s link-layer (MAC) address Problem: How does Alice communicate with Bob over a LAN? Assume Alice (10.0.0.1) knows Bob s (10.0.0.2) IP LANs operate at layer 2 (there is no router inside of the LAN) Messages are sent to the switch, and addressed by a host s link-layer (MAC) address Protocol: Alice broadcasts: Who has 10.0.0.2? Bob responses: I do! And I m at MAC f8:1e:df:ab:33:56. Switch 24

ARP Spoofing Each ARP response overwrites the previous entry in ARP table -- last response wins! Attack: Forge ARP response Effects: Man-in-the-Middle Denial-of-service Also called ARP Poisoning or ARP Flooding 25

ARP Spoofing: Defenses Smart switches that remember MAC addresses Switches that assign hosts to specific ports 26

Port Scanning - Side-channel attack on network protocol and implementation properties - Used to efficiently gather information on target networks - Network topology - Access control policy - Network service availability, versions - Classic network reconnaissance technique - Sometimes a precursor to actual attacks 27

Portscan Types - Connect scan - Use connect syscall to attempt full three-way TCP handshake - Available to unprivileged users, but slow - SYN scan - Use raw sockets to directly inject a TCP SYN packet and wait for SYN-ACK response - Much more efficient - UDP scan - Send UDP packets and wait for ICMP error response 28

Port Knocking - Port knocking: a technique for hiding the existence of server ports from reconnaissance techniques like port scans - Client must issue a secret sequence of packets before being able to connect to a service, like a secret knock - Many variations - Simple: TCP SYN to ordered list of ports before connecting to real port - Can also incorporate rate limiting, multiple protocols, cryptographic challenges, 29

OS Detection - Differences in TCP/IP implementations useful for fingerprinting remote machines - Due to flaws or specification ambiguity - Fingerprints recorded for known systems, collectively form a fingerprint database - Database can be matched against runtime responses to identify a likely remote OS - Both active (nmap) and passive (p0f) classifiers 30

POP/SMTP/FTP Post office protocol - mail retrieval Passwords passed in the clear Solution: SSL, SSH, Kerberos Simple mail transport protocol (SMTP) - email Nothing authenticated: SPAM Nothing hidden: eavesdropping Solution:? File Transfer protocol - file retrieval Passwords passed in the clear Solution: SSL, SSH, Kerberos 31

Lessons Learned? The Internet was built for robust communication Smartness occurs at the end-hosts Does this design support or hinder network security? 32

And if we had to start all over again, could we do better? 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback