CS 161 Computer Security

Similar documents
Network Attacks. CS Computer Security Profs. Vern Paxson & David Wagner

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

ELEC5616 COMPUTER & NETWORK SECURITY

Network Security Issues, Part 1

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

NETWORK SECURITY. Ch. 3: Network Attacks

CSc 466/566. Computer Security. 18 : Network Security Introduction

Hands-On Ethical Hacking and Network Defense

ch02 True/False Indicate whether the statement is true or false.

Internet Protocol and Transmission Control Protocol

ICS 451: Today's plan

Network Attacks. CS Computer Security. Once again thanks to Vern Paxson and David Wagner

CSE 565 Computer Security Fall 2018

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

CS670: Network security

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

CCNA 1 Chapter 7 v5.0 Exam Answers 2013

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Transport Layer TCP & UDP Week 7. Module : Computer Networks Lecturers : Lucy White Office : 324

Communication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner

Chapter 2 Advanced TCP/IP

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

20-CS Cyber Defense Overview Fall, Network Basics

CCNA Exploration Network Fundamentals. Chapter 04 OSI Transport Layer

Transport Layer. The transport layer is responsible for the delivery of a message from one process to another. RSManiaol

Networking interview questions

HP High-End Firewalls

AN exam March

Networking Technologies and Applications

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Different Layers Lecture 20

CS164 Final Exam Winter 2013

CIS 5373 Systems Security

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

CSE 565 Computer Security Fall 2018

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks

IP: Addressing, ARP, Routing

CIT 380: Securing Computer Systems. Network Security Concepts

Networking and Health Information Exchange: ISO Open System Interconnection (OSI)

TCP TCP/IP: TCP. TCP segment. TCP segment. TCP encapsulation. TCP encapsulation 1/25/2012. Network Security Lecture 6

Guide To TCP/IP, Second Edition UDP Header Source Port Number (16 bits) IP HEADER Protocol Field = 17 Destination Port Number (16 bit) 15 16

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

Defeating All Man-in-the-Middle Attacks

CS Paul Krzyzanowski

Network Security. Thierry Sans

EITF25 Internet Techniques and Applications L7: Internet. Stefan Höst

Guide to TCP/IP, Third Edition. Chapter 8: The Dynamic Host Configuration Protocol

OSI Transport Layer. objectives

Detecting the Auto-configuration Attacks on IPv4 and IPv6 Networks

EE 610 Part 2: Encapsulation and network utilities

A Framework for Optimizing IP over Ethernet Naming System

TCP/IP Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Environment Setup. SEED Labs TCP/IP Attack Lab 1

Computer Science 461 Midterm Exam March 14, :00-10:50am

IPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC

Internetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview

TCP /IP Fundamentals Mr. Cantu

CPSC 826 Internetworking. The Network Layer: Routing & Addressing Outline. The Network Layer

Business Data Networks and Security 10th Edition by Panko Test Bank

Transport Layer (TCP/UDP)

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

CSE 127: Computer Security Network Security. Kirill Levchenko

Configuring attack detection and prevention 1

Network Model. Why a Layered Model? All People Seem To Need Data Processing

A Study on Intrusion Detection Techniques in a TCP/IP Environment

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Internet Networking recitation #

Port Mirroring in CounterACT. CounterACT Technical Note

network security s642 computer security adam everspaugh

Mobile Communications Mobility Support in Network Layer

IPV6 SIMPLE SECURITY CAPABILITIES.

CS 161 Computer Security

EE 122: Network Security

Communications Software. CSE 123b. CSE 123b. Spring Lecture 10: Mobile Networking. Stefan Savage

Quick announcement. CSE 123b Communications Software. Last class. Today s issues. The Mobility Problem. Problems. Spring 2003

Outline. CS5984 Mobile Computing. Host Mobility Problem 1/2. Host Mobility Problem 2/2. Host Mobility Problem Solutions. Network Layer Solutions Model

Mobile IP Overview. Based on IP so any media that can support IP can also support Mobile IP

Configuring attack detection and prevention 1

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

BGP Security. Kevin s Attic for Security Research

Outline. CS6504 Mobile Computing. Host Mobility Problem 1/2. Host Mobility Problem 2/2. Dr. Ayman Abdel-Hamid. Mobile IPv4.

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Session Overview. ! Introduction! Layer 2 and 3 attack scenarios! CDP, STP & IEEE 802.1q! ARP attacks & ICMP abuse! Discovering & attacking IGPs

Man-In-The-Browser Attacks. Daniel Tomescu

Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies

Information Network Systems The network layer. Stephan Sigg

Securing ARP and DHCP for mitigating link layer attacks

CSE 123A Computer Netwrking

CCNA 1 v3.11 Module 11 TCP/IP Transport and Application Layers

Computer Security and Privacy

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

Business Data Communications and Networking

Cisco CCIE Security Written.

QUIZ: Longest Matching Prefix

Networking Overview. CS Computer Security Profs. Vern Paxson & David Wagner

CSE 123b Communications Software

Quick announcements. CSE 123b Communications Software. Today s issues. Last class. The Mobility Problem. Problems. Spring 2004

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Network Security. Introduction to networks. Radboud University, The Netherlands. Autumn 2015

Transcription:

Raluca Ada Popa Spring 2018 CS 161 Computer Security Discussion 7 Week of March 5, 2018 Question 1 DHCP (5 min) Professor Raluca gets home after a tiring day writing papers and singing karaoke. She opens up her laptop and would like to submit them to a conference. From a networking and web perspective, what are the steps involved in submitting her paper? Raluca s computer needs to connect to the wifi. What messages are exchanged in the 4 part handshake in order to achieve this? Raluca s computer sends:. This message is broadcasted / unicasted. Choose one and explain: A DHCP server replies with a DHCP Offer. What does this message contain? What can a malicious attacker do at this step? Keep in mind that an attacker on the same subnet can hear the discovery message. Raluca s computer sends:. This message is broadcasted / unicasted. Choose one and explain: The server then responds with:. Solution: DHCP discover, broadcast. New host does not have an IP address and does not know what destination address to use. The DHCP Offer message includes IP address, DNS server, gateway router, and lease time. Attacker can race the actual server; if they win, they can replace the DNS server and/or gateway router. Substitute a fake DNS server: Redirect any of a hosts lookups to a machine of attackers choice. Substitute a fake gateway router: Intercept all of a hosts off-subnet traffic (even if not preceded by a DNS lookup). Relay contents back and forth between host and remote server and modify however attacker chooses. An invisible Man In The Middle (MITM): Victim host has no way of knowing its happening (Cant necessarily alarm on peculiarity of receiving multiple DHCP replies, since that can happen benignly) DHCP request, broadcast. Multiple DHCP servers can send out DHCP offers, but the client only accepts one. The broadcast tells the other DHCP servers which offer Page 1 of 7

the client has accepted, and the rest of them can withdraw their offers that were not accepted and return the offered addresses to the pool of available addresses. DHCP ACK. Discussion 7 Page 2 of 7 CS 161 Sp 18

Question 2 Back to L4 Basics (10 min) The transmission control protocol (TCP) and user datagram protocol (UDP) are two of the primary protocols of the Internet protocol suite. (a) How do TCP and UDP relate to IP (Internet protocol)? Which of these protocols are encapsulated within (or layered atop) one another? Could all three be used simultaneously? Solution: TCP and UDP both exist within the transport layer, which is one layer above IP (network layer). Either can be encapsulated in IP, referred to as TCP/IP and UDP/IP. TCP and UDP are alternatives; neither would normally be encapsulated within the other. (b) What are the differences between TCP and UDP? Which is considered best effort? What does that mean? Solution: TCP provides a connection-oriented, reliable, bytestream service. It includes sophisticated rate-control enabling it to achieve high performance but also respond to changes in network capacity. UDP provides a datagram-oriented, unreliable service. (Datagrams are essentially individual packets.) The main benefit of UDP is that it is lightweight. Best effort refers to a delivery service that simply makes a single attempt to deliver a packet, but with no guarantees. IP provides such a service, and because UDP simply encapsulates its datagrams directly into IP packets with very little additional delivery properties, it, too, provides best effort service. (c) Which is easier to spoof, and why? Solution: Spoofing a UDP packet requires determining the correct port numbers to use, but no more. Spoofing a TCP packet requires both correct port numbers and also correct sequence numbers, making it significantly more difficult. Discussion 7 Page 3 of 7 CS 161 Sp 18

Client (port P C ) Server (port P S ) SYN SYN-ACK 1. Client sends initial SYN with sequence number A (usually random). 2. Server sends SYN-ACK with sequence number B (also usually random) and ACK A + 1. ACK DATA A DATA B DATA C... 3. Client sends ACK with sequence number A + 1 and ACK B + 1. 4. Client sends DATA A of length L A with sequence number A + 1 and ACK B + 1. 5. Server sends DATA B of length L B with sequence number B + 1 and ACK A + 1 + L A. 6. Client sends DATA C of length L C with sequence number A + 1 + L A and ACK B + 1 + L B. 7. Data exchange continues until both sides are done sending data. Figure 1: TCP handshake and initial data transfer Question 3 Attack On TCP (35 min) (a) Assume that the next transmission in this connection will be DATA D from the server to the client. What will this packet look like? Sequence number: B + 1 + L B ACK: A + 1 + L A + L C Source port: P S Destination port: P C Length: L D Flags: None (b) You should be familiar with the concept and capabilities of a man-in-the-middle as an attacker who CAN observe and CAN intercept traffic. There are two other types of relevant attackers in this scenario: 1. On-path attacker: CAN observe traffic but CANNOT intercept it. 2. Off-path attacker: CANNOT observe traffic and CANNOT intercept it. Carol is an on-path attacker. Can Carol do anything malicious to the connection? If so, what can she do? Solution: Yes, Carol can leverage the information she learns from your traffic to hijack the session. In part (a), we identified the values of all of the fields of concern expected in the next data transmission in the connection. Say Carol wants to spoof a Discussion 7 Page 4 of 7 CS 161 Sp 18

packet from the server to the client; Carol can create a packet with the source IP as the server s IP, the destination IP as the client s IP, and the payload as whatever she wants. To spoof traffic in the other direction, she swaps the sequence number/ack, source port/destination port, and source IP/destination IP. The recipient of this data cannot distinguish it from legitimate traffic, so she has effectively hijacked the session from her victim, allowing her to inject arbitrary data. Discussion 7 Page 5 of 7 CS 161 Sp 18

(c) David is an off-path attacker. Can David do anything malicious to the connection? If so, what can he do? Solution: No, there isn t much he can do. In part (b), we demonstrated that we are effectively defenseless against an attacker that knows the sequence numbers and the port numbers of the connection. An off-path attacker, however, does not have the power to observe the traffic and find these parameters. Even without prior knowledge of these parameters, though, an off-path attacker may attempt to guess them. In a typical TCP client-server connection, the client s port is an ephemeral port, with a maximum potential range of [0, 2 16 1] (this varies, so we make an overestimation). The server s port is usually a wellknown port for a specific service, such as port 80 for HTTP, which makes it much easier to guess. The sequence number and acknowledgement numbers are in the range [0, 2 32 1]. Thus, an attacker has a rough 1 chance of successfully 2 80 brute forcing the correct parameters. If, for some reason, the initial sequence numbers are not properly randomized, David may be able to make educated guesses on the sequence numbers and significantly decrease the range of possibilities. However, assuming that they are properly randomized, this attack is theoretically possible but largely improbable. We call this attack blind hijacking, as David has no concrete information when attempting to hijack the session. (d) The client starts getting responses from the server that don t make any sense. Inferring that David is attempting to hijack the connection, the client then immediately sends the server a RST packet, which terminates the ongoing connection. Is the client now safe? Solution: No, the client is not completely safe. In part (c), we found that the space of 2 80 possibilities was too large for David to effectively guess. Now, we consider the possibility that David attempts to create a new connection under his control instead of hijacking an existing connection. This operates under the assumption that the server trusts the client s IP address as an identifier of the client. If the server requires a secondary form of authentication, such as a session cookie, this attack is not plausible. If David attempts to start a new connection, he can choose the source port (the ephemeral port) and the source sequence number to be whatever values he wants. The values of these parameters for any subsequent transmissions in the connection will then be predictable. The server s port remains a well-known port; the only remaining unknown is the acknowledgement number. Because Discussion 7 Page 6 of 7 CS 161 Sp 18

David is still an off-path attacker, he still has to guess this field, with an overall probability of of success, which we note is much higher than the blind 1 2 32 hijacking approach. Note that there s now a time constraint on David s attack: if the client receives a response from the server based on his spoofed SYN, it will send a RST and terminate the connection, putting David back at step 1. We call this attack blind spoofing, as David has no concrete information when attempting to spoof a new session. Discussion 7 Page 7 of 7 CS 161 Sp 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback