CSCI 1800 Cybersecurity and Interna4onal Rela4ons. Design and Opera-on of the Internet John E. Savage Brown University

Similar documents
CSc 466/566. Computer Security. 18 : Network Security Introduction

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

ELEC5616 COMPUTER & NETWORK SECURITY

Network Security. Thierry Sans

TCP /IP Fundamentals Mr. Cantu

ICS 451: Today's plan

Network Security. Tadayoshi Kohno

interface Question 1. a) Applications nslookup/dig Web Application DNS SMTP HTTP layer SIP Transport layer OSPF ICMP IP Network layer

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Protocol Layers & Wireshark TDTS11:COMPUTER NETWORKS AND INTERNET PROTOCOLS

Networking: Network layer

Networks Fall This exam consists of 10 problems on the following 13 pages.

CHAPTER-2 IP CONCEPTS

Interconnecting Networks with TCP/IP

ECE4110 Internetwork Programming. Introduction and Overview

CCNA 1 Chapter 7 v5.0 Exam Answers 2013

Internet Control Message Protocol (ICMP)

DDoS Testing with XM-2G. Step by Step Guide

Hands-On Ethical Hacking and Network Defense

Different Layers Lecture 20

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia

20-CS Cyber Defense Overview Fall, Network Basics

Guide to Networking Essentials, 6 th Edition. Chapter 5: Network Protocols

Interconnecting Networks with TCP/IP. 2000, Cisco Systems, Inc. 8-1

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

Introduction to TCP/IP networking

CS61C Machine Structures Lecture 37 Networks. No Machine is an Island!

Network Administra0on

Computer and Network Security

CSCI Networking Name:

CPSC156a: The Internet Co-Evolution of Technology and Society. Lecture 4: September 16, 2003 Internet Layers and the Web

Paper solution Subject: Computer Networks (TE Computer pattern) Marks : 30 Date: 5/2/2015

IP Protocols. ALTTC/Oct

(ICMP), RFC

CPSC 826 Internetworking. The Network Layer: Routing & Addressing Outline. The Network Layer

ICS 351: Networking Protocols

Need For Protocol Architecture

Need For Protocol Architecture

Lecture 3. The Network Layer (cont d) Network Layer 1-1

Just enough TCP/IP. Protocol Overview. Connection Types in TCP/IP. Control Mechanisms. Borrowed from my ITS475/575 class the ITL

Basic Internetworking (IP)

Introduction to routing in the Internet

CSCI 1800 Cybersecurity and Interna4onal Rela4ons. Network Based Cyber A1acks John E. Savage Brown University

The Interconnection Structure of. The Internet. EECC694 - Shaaban

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

internet technologies and standards

Internet Control Message Protocol (ICMP), RFC 792. Prof. Lin Weiguo Copyleft 2009~2017, School of Computing, CUC

CS 356: Computer Network Architectures. Lecture 10: IP Fragmentation, ARP, and ICMP. Xiaowei Yang

Internet Protocol. Outline Introduction to Internet Protocol Header and address formats ICMP Tools CS 640 1

Lecture 11: IP routing, IP protocols

Introduction to Computer Networks

network security s642 computer security adam everspaugh

Network Layer (4): ICMP

Applied Networks & Security

CSE 565 Computer Security Fall 2018

Chapter 4: Network Layer

Transport: How Applications Communicate

Router Architecture Overview

CSCI-GA Operating Systems. Networking. Hubertus Franke

Vorlesung Kommunikationsnetze

4. The transport layer

Chapter 8 roadmap. Network Security

Internet. Organization Addresses TCP/IP Protocol stack Forwarding. 1. Use of a globally unique address space based on Internet Addresses

Packet Header Formats

ENEE 457: Computer Systems Security 11/07/16. Lecture 18 Computer Networking Basics

Lecture 17 Overview. Last Lecture. Wide Area Networking (2) This Lecture. Internet Protocol (1) Source: chapters 2.2, 2.3,18.4, 19.1, 9.

TCP/IP Networking. Part 4: Network and Transport Layer Protocols

Sirindhorn International Institute of Technology Thammasat University

Chapter 4: outline. 4.5 routing algorithms link state distance vector hierarchical routing. 4.6 routing in the Internet RIP OSPF BGP

Chapter 09 Network Protocols

Networking interview questions

Fundamentals of Computer Networking AE6382

H

Internet Infrastructure

CS670: Network security

CSC 574 Computer and Network Security. TCP/IP Security

Introduction to Information Science and Technology 2017 Networking II. Sören Schwertfeger 师泽仁

Dongsoo S. Kim Electrical and Computer Engineering Indiana U. Purdue U. Indianapolis

NT1210 Introduction to Networking. Unit 10

Topics for This Week

Master Course Computer Networks IN2097

Review of Important Networking Concepts

Transport Over IP. CSCI 690 Michael Hutt New York Institute of Technology

Network Security. Introduction to networks. Radboud University, The Netherlands. Autumn 2015

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

Last time. Network layer. Introduction. Virtual circuit vs. datagram details. IP: the Internet Protocol. forwarding vs. routing

CSE/ISE 311: Systems Administra5on Basic Network Organiza5on

CSCI-1680 Network Layer: IP & Forwarding Rodrigo Fonseca

Network and Security: Introduction

Introduction to routing in the Internet

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

COMMON LOWER-LAYER PROTOCOLS

Lecture 8. Network Layer (cont d) Network Layer 1-1

The Internet. 9.1 Introduction. The Internet is a global network that supports a variety of interpersonal and interactive multimedia applications.

Internetworking/Internetteknik, Examination 2G1305 Date: August 18 th 2004 at 9:00 13:00 SOLUTIONS

Transcription:

CSCI 1800 Cybersecurity and Interna4onal Rela4ons Design and Opera-on of the Internet John E. Savage Brown University

Outline Network security The link layer The network layer The transport layer Denial of service ahacks Lect06 2/12/2018 JE Savage 2

The Internet The Internet is a collec4on of networks. Networks connect hosts, i.e. individual computers. They may be local, area-wide, enterprise-wide, or na4onal. Protocols govern data transmission on network Protocol defines acceptable way to package informa4on Specify source, des4na4on, & content and (ouen) do error checking Ethernet (1973) local protocol based on collision detec4on Internet protocol (1974) decomposes data streams into packets and sends them via packet switching. Protocols are layered, one communica4ng to next Lect06 2/12/2018 JE Savage 3

Conceptual Internet Layers Physical Layer At level of wires, cables, radio physical data transmission Link Layer Logical level, organizes data into blocks, choose routes. Internet or network Layer Makes best effort to move packets. Transport Layer TCP (reliable) and UDP (no guarantees) protocols are here Applica4on Layer Applica4ons protocols are here. They include HTTP and HTTPs for browsers, DNS for naming, SMTP & IMAP for email, SSL for secure communica4on, and VoIP for phone service Lect06 2/12/2018 JE Savage 4

Internet Packet Encapsula4on by Layer Applica4on Data Applica4on Layer UDP also used here TCP header Applica4on Data Transport Layer IP header IP Data Internet Layer Frame header IP Frame Data header Frame footer Link Layer Lect06 2/12/2018 JE Savage 5

Sending Data via Protocol Layers Source: Wikipedia Lect06 2/12/2018 JE Savage 6

Network Security Goals - CIA 4 Confiden4ality Keep content private Integrity Ensure that content is not altered Availability Ensure content is available Assurance Enforce data flow policies, e.g. at firewall Authen4city Authen4cate users via signatures Anonymity Guarantee anonymity when needed Lect06 2/12/2018 JE Savage 7

Ethernet At the Physical Layer Data organized into frames. Each has Header of 175 bytes (8 bits/byte) Payload of 46 to 1,500 bytes Footer contains a 4-byte checksum What is the role of the checksum? If a host wants to send a frame: Waits un4l no signals heard & transmits one bit of one frame Listens for collisions between its bit and bits of others. If collision detected, wait a random 4me and retransmit If no collisions detected during packet transit 4me, success. Transmits remaining bits in frame in same manner. Lect06 2/12/2018 JE Savage 8

Ethernet Hubs and Switches Ethernet hub connects mul4ple hosts All hosts hear messages sent by others Ethernet switch connects mul4ple hosts It has mul4ple hubs. Only hosts on a hub can hear one another. Messages are sent from host on one hub to host on another hub by switching packets to that hub. Lect06 2/12/2018 JE Savage 9

Media Access Control Addresses Each device network interface has a MAC address. A network interface is the place on a host at which it connects to a network. A MAC address is generally a unique 48-bit string assigned by a manufacturer. Although on modern computers, it can be changed under souware control. MAC addresses are used by Ethernet switches. Lect06 2/12/2018 JE Savage 10

Address Resolu4on Protocol (ARP) A link-layer protocol for local area network (LAN) ARP uses host s hardware address (usually a MAC address) to determine its network layer (IP) address A host asks other hosts on its LAN to reply with its MAC address if it has the requested IP address. Spoofing is possible here. Alice makes request to Eve Eve gives Alice her MAC address for Bob s IP address Bob makes a request to Eve Eve gives Bob her MAC address for Alice s IP address Now communica4on between Alice & Bob is via Eve Lect06 2/12/2018 JE Savage 11

The Internet Protocol (IP) IP makes best effort to send packets between source and des4na4on addresses. Addresses are 32-bits (IPv4) or 128-bits (IPv6). 2 32 = 4 2 30 or about 4 10 9 2 128 = 64 2 120 or about 64 10 36 Name Server Routers Lect06 2/12/2018 JE Savage 12

The Internet Protocol (IP) IP makes best effort to send packets between source and des4na4on addresses. Addresses are 32-bits (IPv4) or 128-bits (IPv6). An autonomous system has a subset of IP addresses that it assigns to its hosts. Name Server Routers Lect06 2/12/2018 JE Savage 13

Packet Transmission ARP sends packets within local area net (LAN). Packets des4ned for IP address on remote LAN are sent to a LAN Internet gateway, then to remote LAN. Gateways and intermediate nodes are routers. Routers use rou4ng tables to direct packets. For each IP address, a table specifies a neighbor to receive the packet. To prevent looping, each packet has a 4me-to-live (TTL) value. It is decreased by one each 4me it passes through a router. When TTL = 0, packet is discarded. Lect06 2/12/2018 JE Savage 14

Internet Structure Routers quickly drop, deliver or forward packets. Drop if TTL =0, deliver if dest. is on LAN; forward if not Packet forwarding protocol is via one of these: Open Shortest Path First (OSPF) or Border Gateway Protocol (BGP) OSPF or BGP route packets within autonomous syst. BGP also routes packets between autonomous systs Note: A LAN hub/switch is simple but a router must quickly handle complex rou4ng policies. Lect06 2/12/2018 JE Savage 15

Format of IPv4 Packets 2 16 = 65,536 ports 4 bits 4 bits 8 bits 3 bits 13 bits Bit Offset 0-3 4-7 8-15 16-18 19-31 0 Version Header Length Service Type Total Length 32 Iden4fica4on Flags Fragment Offset 64 Time to Live Protocol Header Checksum 96 Source Address 128 Des4na4on Address 160 (Op4ons) 160+ Data Data Data Data Data Header Payload Lect06 2/12/2018 JE Savage 16

Format of IP Packets Header checksum iden4fies transmission errors Checksum recomputed every 4me TTL decremented. IPv4 addresses are 4 bytes e.g. 128.148.32.5 where each byte (8-bits) is in the range [0-255]. IPv6 addresses are 8 sets of 4 hexadecimal digits from [0,1,2,,9,a,b,,f] each represen4ng 4 bits, (8 x 4 x 4 = 128) e.g. 2001:0db8:1234:0000:0000:0000:0000:0000 Lect06 2/12/2018 JE Savage 17

More on Format of IP Packets A domain (prefix) defines a block of IP addresses that is associated with a subnetwork. A domain is specified by (IP address)/(integer) and assigned to an autonomous system. E.g. 128.148.32.5/24 specifies a set of IPv4 address beginning with first 24 address bits. What are the first 24 bits? The domain contains the addresses 128.148.32.0, 128.148.32.1,, 128.148.32.255. Since there are 2 8 = 256 choices for the last 8 = 32-24 bits, this prefix defines 256 addresses in the subnetwork. Lect06 2/12/2018 JE Savage 18

Internet Control Message Protocol ICMP is network layer protocol for tes4ng and error no4fica4on. Message types shown below Echo request asks des4na4on to acknowledge Echo response acknowledges receipt of packet Time exceeded sends no4fica4on that TTL = 0 Des4na4on unreachable packet not delivered Ping uses ICMP to tell if machine reachable PING princeton.edu (140.180.223.22): 56 (84) bytes of data 64 bytes from Princeton.EDU (140.180.223.22): icmp_seq=1 Hl=243 4me=11.3 ms 64 bytes from Princeton.EDU (140.180.223.22): icmp_seq=2 Hl=243 4me=12.2 ms Lect06 2/12/2018 JE Savage 19

Traceroute Traceroute uses ICMP to trace path from source to des4na4on. Packet dropped here, response sent Echo request, TTL= 1 Time exceeded Echo request, TTL = 2 Time exceeded Echo request, TTL = 3 Time exceeded Lect06 2/12/2018 JE Savage 20

Traceroute Example traceroute to princeton.edu (140.180.223.22), 30 hops max, 60 byte packets 1 10.116.52.1 (10.116.52.1) 1.414 ms 1.515 ms 1.716 ms 2 commodus-int.cs.brown.edu (10.116.1.5) 0.171 ms 0.160 ms 0.150 ms 3 138.16.160.253 (138.16.160.253) 1.897 ms 1.898 ms 1.905 ms 4 vl2062-ddmz-cit-r.net.brown.edu (10.1.18.1) 0.904 ms 0.923 ms 0.907 ms 5 lsb-inet-r-230.net.brown.edu (128.148.230.6) 0.969 ms 0.961 ms 1.198 ms 6 131.109.202.1 (131.109.202.1) 1.885 ms 1.825 ms 2.112 ms 7 bostonlight.oshean.org (198.7.255.1) 3.248 ms 3.566 ms 3.565 ms 8 nox300gw1-oshean-re.nox.org (192.5.89.125) 3.541 ms 3.506 ms 3.490 ms 9 i2-re-nox300gw1.nox.org (192.5.89.222) 7.809 ms 8.164 ms 8.105 ms 10 216.27.100.5 (216.27.100.5) 10.280 ms 10.218 ms 10.197 ms 11 remote1.princeton.magpi.net (216.27.98.114) 11.261 ms 11.253 ms 11.226 ms 12 core-87-router.princeton.edu (128.112.12.130) 11.919 ms 12.503 ms 12.150 ms 13 Princeton.EDU (140.180.223.22) 11.505 ms 11.498 ms 11.489 ms Lect06 2/12/2018 JE Savage 21

IP Spoofing Host/router can change Source Address in a packet. Can be used in denial of service ahack. If ICMPs are sent to many des4na4ons with the same spoofed source address, all respond to spoofed source, swamping it. Coping with IP spoofing: Routers should drop a packet entering a domain with source address from inside that domain. Should also drop leaving packets whose source is outside If routers log packets passing through them, which is not always done, can trace spoofed packets back to a source. Lect06 2/12/2018 JE Savage 22

Protocol Layers Again Source: Wikipedia Lect06 2/12/2018 JE Savage 23

Transport Layer Protocols Connect a process at one port of an IP address to a process at a port of a remote IP address. 2 16 ports. TCP and UDP are primary protocols at this layer. Transmission Control Protocol (TCP) provides reliable packet stream between ports. Packets repeated if lost. What should it be used for? files, web pages, email User Datagram Protocol (UDP) provides best-effort communica4on between ports. Send it and forget it Used for VoIP and apps where lost bytes not important. Lect06 2/12/2018 JE Savage 24

Transmission Control Protocol (TCP) TCP/IP sets up connec4on to des4na4on using three-way handshake. Packets are sent with a sequence number so that they can be assembled in order. If a packet is not acknowledged during a conges4on window (a reasonable round trip 4me) it is repeated. Thus, copies of packets can be in network. The sender uses flow control (adjusts window) to avoid overwhelming the receiver. If payload checksum fails, receiver rejects packet. Lect06 2/12/2018 JE Savage 25

TCP Packet Format 16 bits 2 16 = 65,536 ports Bit Offset 0-3 4-7 8-15 16-18 19-31 0 Source Port Des4na4on Port 32 Sequence Number (Seq) 64 Acknowledgement Number (Ack) 96 Offset Reserved Flags Window Size 128 Checksum Urgent Pointer 160 Op4ons >= 160 Data Data Data Header Payload Port 80 for HTTP, 21 for FTP, 22 for SSH, for example. Lect06 2/12/2018 JE Savage 26

Three-Way TCP Handshake SYN Seq = X SYN-ACK Seq = Y Ack = X+1 ACK Seq = X+1 Ack = Y+1 Lect06 2/12/2018 JE Savage 27

TCP Three-Way Handshake Establishes connec4on between source/dest. 1. Source S sends a packet to des4na4on D with SYN flag on and random sequence number Seq = X. 2. D sends S a packet with both SYN and ACK flags on adds a random sequence number Seq = Y, and an acknowledgement number Ack = X+1. (S checks X) 3. S sends D a packet with SYN flag off, ACK flag on, Seq = X+1 and Ack = Y+1. (D compares Ack to Y.) If successfully completed, TCP connec4on is made. Random values for X and Y help defeat ahacks. Lect06 2/12/2018 JE Savage 28

User Datagram Protocol (UDP) Header includes source and des4na4on ports, length, checksum, and payload Designed for speed, not accuracy. Used for 4me-sensi4ve tasks such as DNS and Voice over IP (VoIP) Lect06 2/12/2018 JE Savage 29

Network Address Translator (NAT) A NAT is hardware that maps one external IP address into mul4ple internal IP addresses. Each internal IP address is assigned a unique port number of the external IP address. When packet sent back to the IP address, its port number is used to lookup is internal IP address. The packet IP address is changed to the internal one. A NAT hides internal IP addresses protects against random hits Lect06 2/12/2018 JE Savage 30

TCP Session Hijacking AHacker takes over or spoofs a TCP session. AHacker needs seq numbers for server ACK packets If ahacker on same network as client or server, packet sniffing can reveal seq numbers. If not, ahacker can try predic4ng seq numbers. Blind injec4on ahacker sends packet to server, client (not ahacker) receives the packet. Can lead to storm of ACK packets between client and server as they try to synchronize one another. Spoofing ahacker can become man-in-middle! Lect06 2/12/2018 JE Savage 31

Denial of Service (Flooding) AHacks Because bandwidth is limited, many packets directed to a client, can overwhelm client. Ping flood ahack SYN flood ahacks Op4mis4c TCP ahacks Distributed denial of service (DDoS) ahacks Denial of service from many sites, such as botnet. Can defend against DDoS via IP tracebacks or more sophis4cated automa4c techniques. Lect06 2/12/2018 JE Savage 32

Ping Flood AHack AHacker floods vic4m with pings (ICMP packets) AHacker can be much more powerful than vic4m. SMURF ahack ahacker sends ICMP packet with spoofed address to network broadcast site. All sites on network respond to spoofed site. Lect06 2/12/2018 JE Savage 33

SYN Flood AHacks AHacker opens many TCP sessions by sending SYN packets to a vic4m without replying to SYN/ACK packets from the vic4m. Vic4m keeps list of SYN seq numbers in memory so that it can synchronize sessions. If too many sessions are opened, vic4m s memory fills up, blocking other TCP sessions. Routers can be redesigned to avoid this. Lect06 2/12/2018 JE Savage 34

Two Defenses Against SYN Flood AHacks SYN Cookies Recipient of SYN does not reserve session space. Instead, it sends special seq no. to source iden4fying it. If SYN/ACK response is with valid seq. no., session space is reserved. Not adopted by Windows in some Linux versions SYN Queue Half-opened TCP connec4ons put on special queue They are dropped if no SYN/ACK reply soon enough Adopted by Windows Lect06 2/12/2018 JE Savage 35

IP Traceback IP traceback uses one of several techniques to determine the source of packets. Examples Mark packets with informa4on about path travelled Node sampling: overwrite an address field with router address with some probability. With high probability all the IP addresses of visited routers can be determined if packet stream long enough. Send info on packet stream going through a router to the des4na4on via an independent stream. Lect06 2/12/2018 JE Savage 36

Review Network security The link layer The network layer The transport layer Denial of service ahacks Lect06 2/12/2018 JE Savage 37

iclicker Ques4on TCP was invented by Kahn and Cerf A. Yes B. No, it was invented by Thomas C. Paine Lect06 2/12/2018 JE Savage 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback