CSC 6575: Internet Security, Fall 2017
Attacks on Different OSI Layer Protocols: OSI Layers and Basic Attacks at Lower Layers
Mohammad Ashiqur Rahman
Department of Computer Science, College of Engineering, Tennessee Tech University
Agenda
- OSI (TCP/IP) layers
- Network/lower layer protocols: ICMP protocol, ARP protocol
- Some attacks
M. Ashiq Rahman, Tennessee Tech University 2
OSI Model
Open Systems Interconnection (OSI) model
OSI Model: Data
OSI Model: Communication
The MAC address used at each hop is that of the directly connected node, not of the ultimate destination node.
OSI Model: Protocols
- Different protocols work at different layers of the OSI model.
- IP has two existing versions: IPv4 and IPv6.
IPv6 Adoption
- IPv6 addresses are 128-bit IP addresses written in hexadecimal and separated by colons.
- An example IPv6 address: 3ffe:1900:4545:3:200:f8ff:fe21:67cf
- https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption
IPv4 Address
- Globally unique (!) 32-bit address
  - What is NAT, and why is it needed?
- Two parts: network address and host address
IP Address Distribution
IP Header
- Differentiated Services Code Point (DSCP): selects different traffic classes. E.g., the Expedited Forwarding (EF) PHB is dedicated to low-loss, low-latency traffic.
- What happens if a router encounters a datagram too large to pass over the next physical network but with the DF bit set to 1?
- http://www.inacon.de/ph/data/ipv4/ip-header-format_os_rfc-791.htm
General Attacks
- Spoofing: one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage
- Man-in-the-Middle (MIM/MITM) attack
  - Eavesdropping/sniffing
  - False data injection / data poisoning
- Denial-of-Service (DoS) attacks: attacks on availability
  - Single-source DoS attacks vs. distributed DoS attacks
  - Sending unusual input combinations that developers did not test for
- Protocol-level vulnerabilities: header based, protocol based, authentication based, traffic based
- Session hijacking: the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system
Header-Based Attacks
- Unauthorized modification of header fields
  - Endpoint fields: modification causes packets to be dropped by end points (length, flags, offset, protocol, source IP)
  - Transit fields: modification causes packets to be dropped by routers (too small a TTL; what if the TTL is very large?)
- Fragmentation attacks: abnormal fragments (too many, too big, too small, etc.) can cause security problems.
Fragmentation Attacks
- Fragment overrun attack: IP packets larger than 65,535 bytes (the maximum datagram length) may cause the system to crash.
  - An example scenario: if the offset is set to 65,530 bytes, then a fragment with length greater than 5 would cause the reassembly buffer to overflow.
- Fragmentation buffer full attack: there is an excessive amount of incomplete fragmented datagrams, or a large number of fragments for an individual datagram.
- Fragment overlap: Teardrop attack
Teardrop Attack
- Sending fragmented packets with the Flag (M bit) manipulated such that fragments overlap.
- The victim is unable to reassemble them, exhausts resources trying to do so, and may crash.
- http://www.trainsignaltraining.com/ping-of-death-and-dos-attacks/2009-05-14/
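The fragment checks described on the header-based, fragmentation and Teardrop slides can be expressed as a small pre-reassembly validator. The following is an added example written for these notes, not code from the course or from any IP stack: it parses the fixed 20-byte RFC 791 header with `struct`, converts the 13-bit offset field to bytes, and then rejects a fragment set whose end passes 65,535 (overrun), whose byte ranges overlap (Teardrop-style), or which never shows a final fragment (the buffer-full symptom). The three fragment sets at the bottom are constructed sample input; the offset 65,528 is used instead of the slide's 65,530 because the offset field counts in 8-byte units.

```python
import struct
from dataclasses import dataclass

IPV4_MAX_DATAGRAM = 65535   # 16-bit Total Length field: the largest legal datagram
FLAG_DF = 0x2               # Don't Fragment
FLAG_MF = 0x1               # More Fragments


@dataclass
class IPv4Header:
    ihl: int               # header length in 32-bit words
    total_length: int
    identification: int
    df: bool
    mf: bool
    fragment_offset: int   # already converted from 8-byte units to bytes
    ttl: int
    protocol: int
    src: str
    dst: str

    def payload_len(self) -> int:
        return self.total_length - self.ihl * 4


def parse_ipv4_header(raw: bytes) -> IPv4Header:
    """Parse the fixed 20-byte part of an RFC 791 IPv4 header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _dscp_ecn, total_length, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = ver_ihl & 0x0F
    if ihl < 5 or total_length < ihl * 4:
        raise ValueError("inconsistent IHL / Total Length")
    flags = flags_frag >> 13
    return IPv4Header(
        ihl=ihl, total_length=total_length, identification=ident,
        df=bool(flags & FLAG_DF), mf=bool(flags & FLAG_MF),
        fragment_offset=(flags_frag & 0x1FFF) * 8, ttl=ttl, protocol=proto,
        src=".".join(map(str, src)), dst=".".join(map(str, dst)))


def check_fragments(headers):
    """Sanity-check fragments that share one Identification before reassembly.
    Returns a list of findings; an empty list means the set looks well-formed."""
    findings = []
    seen = []   # byte ranges [start, end) already accepted
    for h in sorted(headers, key=lambda x: x.fragment_offset):
        start, end = h.fragment_offset, h.fragment_offset + h.payload_len()
        if end > IPV4_MAX_DATAGRAM:
            findings.append(f"overrun: fragment [{start},{end}) exceeds {IPV4_MAX_DATAGRAM}")
        for s, e in seen:
            if start < e and s < end:
                findings.append(f"overlap: [{start},{end}) overlaps [{s},{e})")
        seen.append((start, end))
    if headers and all(h.mf for h in headers):
        findings.append("incomplete: no final fragment (MF clear) seen")
    return findings


def make_fragment(ident, offset_bytes, payload_bytes, mf,
                  src="10.0.0.5", dst="10.0.0.9", ttl=64):
    """Build a constructed 20-byte header (UDP payload, checksum left zero)."""
    flags_frag = ((FLAG_MF if mf else 0) << 13) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_bytes, ident,
                       flags_frag, ttl, 17, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


# Three constructed fragment sets: a benign pair, an overrun, and a Teardrop-style overlap.
BENIGN  = [parse_ipv4_header(make_fragment(1, 0, 24, True)),
           parse_ipv4_header(make_fragment(1, 24, 24, False))]
OVERRUN = [parse_ipv4_header(make_fragment(2, 65528, 20, False))]
OVERLAP = [parse_ipv4_header(make_fragment(3, 0, 24, True)),
           parse_ipv4_header(make_fragment(3, 16, 24, False))]

if __name__ == "__main__":
    for name, frags in (("benign", BENIGN), ("overrun", OVERRUN), ("overlap", OVERLAP)):
        print(name, check_fragments(frags) or "ok")
```

A real stack must also bound how many incomplete datagrams it keeps and for how long; the `incomplete` finding here only shows what the buffer-full attack exploits, it does not enforce a limit.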
More Header-Based Attacks
- Attacks with special IP addresses
  - Source IP spoofed to be a broadcast address will make the packet be dropped
  - Destination broadcast address
    - Full broadcast address (255.255.255.255): only affects the local network; a Layer 3 (L3) router does not route these packets.
    - Directed broadcast address (10.10.2.255): can be used to get multiple machines to respond to a single packet. At the destination L3 device (the one that has the 10.10.2.0 network connected), it is translated into a local broadcast.
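The address rules on this slide translate directly into a forwarding policy. The following is an added example, not code from the course or from any router vendor: it models a Layer 3 device with the slide's 10.10.2.0/24 attached, drops datagrams whose source is a broadcast address, never forwards the limited broadcast 255.255.255.255 off-link, and treats the directed broadcast 10.10.2.255 as a configurable decision, defaulting to drop because forwarding it lets one packet reach every host on the segment. The function names and the `CONNECTED` topology are assumptions made for the example.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def is_broadcast_source(src, connected_nets):
    """A datagram sourced from a broadcast address can never be legitimately
    answered, so a router or host should drop it outright."""
    s = ipaddress.IPv4Address(src)
    return s == LIMITED_BROADCAST or any(s == n.broadcast_address for n in connected_nets)


def forwarding_decision(src, dst, connected_nets, allow_directed_broadcast=False):
    """Decide what a Layer 3 device does with a datagram it is asked to forward.

    connected_nets: IPv4Network objects for the interfaces of this router.
    Returns an (action, reason) tuple with action in {"drop", "forward", "broadcast"}.
    """
    if is_broadcast_source(src, connected_nets):
        return ("drop", "broadcast source address")
    d = ipaddress.IPv4Address(dst)
    if d == LIMITED_BROADCAST:
        return ("drop", "limited broadcast 255.255.255.255 is not forwarded off-link")
    for net in connected_nets:
        if d == net.broadcast_address:
            if allow_directed_broadcast:
                return ("broadcast", f"directed broadcast translated to local broadcast on {net}")
            return ("drop", f"directed broadcast to {net} disabled (one packet would reach every host)")
        if d in net:
            return ("forward", f"unicast delivery on connected {net}")
    return ("forward", "unicast via routing table")


# Constructed topology from the slide: this router has 10.10.2.0/24 attached.
CONNECTED = [ipaddress.IPv4Network("10.10.2.0/24")]

if __name__ == "__main__":
    for src, dst in (("192.0.2.7", "10.10.2.255"), ("192.0.2.7", "255.255.255.255"),
                     ("10.10.2.255", "10.10.2.17"), ("192.0.2.7", "10.10.2.17")):
        print(src, "->", dst, forwarding_decision(src, dst, CONNECTED))
```

The `allow_directed_broadcast` flag mirrors the per-interface setting real routers expose for this purpose; leaving it off is the usual hardening choice.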
Network Layer Control Protocols
- ARP: a network/link layer protocol. Operates below the network layer as a part of the interface between the OSI network and OSI link layers.
- ICMP: a network layer protocol
ARP
- Address Resolution Protocol: used to find the physical hardware address given an IP address
  - MAC (Media Access Control) address: 6-byte (48-bit) unique address, e.g., C0:B3:44:17:21:17; the broadcast address is all 1s.
- Used to check for conflicts in IP addresses
- Sent through the data link layer as Ethernet payload; the ARP request is broadcast, the ARP reply is unicast.
- ARP data unit (encapsulated in an Ethernet (Layer 2) frame)
RARP
- Reverse Address Resolution Protocol: in a LAN, a machine can learn its IP address from a gateway server's ARP table or cache.
- A table can be created in a LAN's gateway router that maps MAC addresses to corresponding IP addresses.
- When a new machine is set up, its RARP client program requests its IP from the RARP server on the router.
- Assuming that an entry has been set up in the router table, the RARP server will return the IP address to the machine.
ARP-Based Spoofing Attack
- ARP cache poisoning: a bogus ARP reply with the attacker's address populates/corrupts actual ARP cache entries
- ARP-based spoofing: Man-in-the-Middle (MIM) attack
Defense Against ARP Spoofing Attacks
- There is no universal defense against ARP spoofing.
- A possible defense is the use of static ARP entries: static entries cannot be updated, so spoofed ARP replies are ignored.
- The ARP tables would have to have a static entry for each machine on the network. The overhead of deploying these tables, as well as keeping them up to date, is not practical for most LANs.
ARP Flooding
- Denial of Service (DoS) with ARP flooding: flooding a switch with fake MAC addresses (ARP cache poisoning).
  - Hence, the switch needs to broadcast all network traffic to every connected node, like a hub.
  - It does not result in a crash; the network becomes overloaded.
- Remote ARP flooding! The router retries ARP requests that get no replies. What is the idea?
  - Packets are sent to all IP addresses, some of which are not associated with any physical machine.
  - Some of the ARP requests by the router will get no replies.
  - Consecutive packets arriving for those nonexistent IP addresses will make the router broadcast again and again.
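The ARP spoofing, static-entry defense and ARP flooding slides above all describe behaviour that a passive monitor on the segment can observe. The following is an added example written for these notes, not code from the course or from any monitoring product: it consumes ARP frames (opcode, sender MAC/IP, target IP, ingress switch port) and raises an alert when an IP suddenly claims a different MAC, when a reply arrives that no observed request asked for, when a reply contradicts an operator-pinned static entry (which the monitor, like a static table, refuses to overwrite), and when one switch port shows more distinct sender MACs than a threshold within a sliding window. The `demo()` frame sequence is constructed; the 10.10.2.0/24 addresses reuse the slide's example network, and the MAC values, thresholds and port names are assumptions. The remote-flooding case (a router retrying unanswered requests) is not modelled here.

```python
from collections import defaultdict, deque

REQUEST, REPLY = 1, 2   # ARP opcode values


class ArpMonitor:
    """Passive ARP watcher for one LAN segment (constructed teaching example).

    Alerts raised:
      ip-mac-change    an IP now claims a different MAC than before (cache poisoning symptom)
      unsolicited      a reply arrived that no observed request asked for
      static-mismatch  a reply contradicts an operator-pinned static entry (reply ignored)
      mac-flood        too many distinct sender MACs seen on one switch port in a window
    """

    def __init__(self, static_entries=None, flood_threshold=50, window=200):
        self.static = {ip: mac.lower() for ip, mac in (static_entries or {}).items()}
        self.bindings = dict(self.static)        # ip -> mac the segment currently believes
        self.pending = set()                     # (asker_ip, asked_ip) of open requests
        self.port_macs = defaultdict(deque)      # port -> sender MACs of recent frames
        self.flooded_ports = set()               # ports already reported, to alert once
        self.flood_threshold = flood_threshold
        self.window = window
        self.alerts = []

    def _alert(self, kind, subject, detail):
        self.alerts.append((kind, subject, detail))

    def _track_port(self, port, mac):
        recent = self.port_macs[port]
        recent.append(mac)
        if len(recent) > self.window:
            recent.popleft()
        distinct = len(set(recent))
        if distinct > self.flood_threshold and port not in self.flooded_ports:
            self.flooded_ports.add(port)
            self._alert("mac-flood", port, f"{distinct} distinct sender MACs within {self.window} frames")

    def observe(self, op, sender_mac, sender_ip, target_ip, port):
        """Feed one ARP frame: opcode, sender MAC/IP, target IP, ingress switch port."""
        sender_mac = sender_mac.lower()
        self._track_port(port, sender_mac)
        if op == REQUEST:
            self.pending.add((sender_ip, target_ip))
            return
        # Reply: the sender claims to own sender_ip.
        pinned = self.static.get(sender_ip)
        if pinned is not None and pinned != sender_mac:
            self._alert("static-mismatch", sender_ip, f"reply from {sender_mac} ignored, pinned to {pinned}")
            return                                # static entry wins; cache untouched
        if (target_ip, sender_ip) in self.pending:
            self.pending.discard((target_ip, sender_ip))
        else:
            self._alert("unsolicited", sender_ip, f"reply from {sender_mac} with no matching request")
        old = self.bindings.get(sender_ip)
        if old is not None and old != sender_mac:
            self._alert("ip-mac-change", sender_ip, f"{old} -> {sender_mac}")
        self.bindings[sender_ip] = sender_mac      # record what the segment now believes


def demo():
    """Constructed frame sequence: a normal exchange, a bogus reply for a host and
    for the pinned gateway, then a burst of distinct MACs from one port."""
    mon = ArpMonitor(static_entries={"10.10.2.1": "aa:bb:cc:00:00:01"},
                     flood_threshold=5, window=20)
    mon.observe(REQUEST, "aa:bb:cc:00:00:05", "10.10.2.5", "10.10.2.9", "port1")
    mon.observe(REPLY,   "aa:bb:cc:00:00:09", "10.10.2.9", "10.10.2.5", "port2")
    mon.observe(REPLY,   "02:11:22:33:44:55", "10.10.2.9", "10.10.2.5", "port3")
    mon.observe(REPLY,   "02:11:22:33:44:55", "10.10.2.1", "10.10.2.5", "port3")
    for i in range(10):
        mon.observe(REQUEST, f"02:00:00:00:00:{i:02x}", f"10.10.2.{100 + i}", "10.10.2.1", "port3")
    return mon


if __name__ == "__main__":
    for kind, subject, detail in demo().alerts:
        print(f"[{kind}] {subject}: {detail}")
```

The monitor mirrors the slide's static-entry defense only for the IPs in `static_entries`; for every other IP it still records the new binding and relies on the `ip-mac-change` alert, which is why static entries for critical hosts (the gateway, servers) are the part of that defense that scales.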
THANKS
Acknowledgement:
- Most of the figures are taken from different online sources
- Ehab Al-Shaer, UNC Charlotte
- Dr. Ambareen Siraj, Tennessee Tech University