CSC 6575: Internet Security, Fall 2017
Attacks on Different OSI Layer Protocols: OSI Layers and Basic Attacks at Lower Layers
Mohammad Ashiqur Rahman, Department of Computer Science, College of Engineering, Tennessee Tech University

Agenda
- OSI (TCP/IP) layers
- Network/lower-layer protocols
- ICMP protocol
- ARP protocol
- Some attacks

OSI Model
- Open Systems Interconnection (OSI) model

OSI Model: Data

OSI Model: Communication
- Each frame carries the MAC address of the directly connected node (the next hop), not of the ultimate destination node; only the IP addresses identify the end points.

OSI Model: Protocols
- Different protocols work at different layers of the OSI model.
- IP has two versions in use: IPv4 and IPv6.

IPv6 Adoption
- IPv6 addresses are 128 bits long, written as eight 16-bit hexadecimal groups separated by colons.
- Example IPv6 address: 3ffe:1900:4545:3:200:f8ff:fe21:67cf
- Adoption statistics: https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption

IPv4 Address
- Globally unique (!) 32-bit address
  - What is NAT, and why does it exist?
- Two parts: network address and host address

IP Address Distribution

IP Header
- Differentiated Services Code Point (DSCP): selects a traffic class, e.g., the Expedited Forwarding (EF) PHB dedicated to low-loss, low-latency traffic.
- What if a router encounters a datagram too large to pass over the next physical network, but the DF (Don't Fragment) bit is set to 1? (It must drop the datagram and send ICMP Destination Unreachable, code 4, "fragmentation needed and DF set", back to the source; Path MTU Discovery relies on this.)
- Header format: http://www.inacon.de/ph/data/ipv4/ip-header-format_os_rfc-791.htm

General Attacks
- Spoofing: one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage.
- Man-in-the-Middle (MIM/MITM) attack: eavesdropping/sniffing, false data injection/data poisoning.
- Denial-of-Service (DoS) attacks: attacks on availability.
  - Single-source DoS attacks vs. distributed DoS (DDoS) attacks.
  - Send an unusual combination of inputs that the developers did not test for.
- Protocol-level vulnerabilities: header based, protocol based, authentication based, traffic based.
- Session hijacking: the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system.

Header-Based Attacks
- Unauthorized modification of header fields.
- Endpoint fields: tampering causes packets to be dropped by the end points (length, flags, fragment offset, protocol, source IP).
- Transit fields: tampering causes packets to be dropped by routers, e.g., a TTL that is too small. What if the TTL is very large? (A packet caught in a routing loop then circulates for up to 255 hops before it is discarded, wasting bandwidth on every link it crosses.)
- Fragmentation attacks: abnormal fragments (too many, too big, too small, etc.) can cause security problems.

Fragmentation Attacks
- Fragment overrun attack: reassembling an IP datagram larger than 65,535 bytes (the maximum datagram length, imposed by the 16-bit Total Length field) may cause the system to crash (the "Ping of Death").
  - Example scenario: the Fragment Offset field counts 8-byte units, so the largest offset a fragment can carry is 8191 x 8 = 65,528 bytes. A fragment at that offset with more than 7 bytes of data pushes the reassembled datagram past 65,535 bytes and overflows a fixed-size reassembly buffer.
- Fragmentation buffer full attack: an excessive number of incomplete fragmented datagrams, or a large number of fragments for an individual datagram, exhausts the reassembly buffers.
- Fragment overlap: the Teardrop attack.

Teardrop Attack
- Send fragmented packets whose Fragment Offset field (together with the More Fragments flag) is manipulated so that the fragments overlap.
- The victim is unable to reassemble them, exhausts resources trying, and may crash.
- http://www.trainsignaltraining.com/ping-of-death-and-dos-attacks/2009-05-14/
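Worked example for the two fragmentation slides above (added to these notes; it is not code from the original lecture). It builds IPv4 fragments with a minimal header, parses the Fragment Offset and More Fragments bits back out, and runs the checks a reassembler should perform before touching its buffer: overrun (Ping of Death), overlap (Teardrop), gaps, and non-final fragments whose length is not a multiple of 8. The sample fragments are constructed inline, not captured traffic; addresses 10.0.0.1/10.0.0.2 are placeholders.

```python
import socket
import struct

IPV4_MAX_DATAGRAM = 65535   # the 16-bit Total Length field cannot express more
IP_FLAG_MF = 0x1            # More Fragments
IP_FLAG_DF = 0x2            # Don't Fragment


def build_ipv4_fragment(ident, offset_units, more_fragments, payload,
                        src="10.0.0.1", dst="10.0.0.2", proto=1):
    """Build a minimal 20-byte IPv4 header (no options) followed by payload.
    offset_units is the 13-bit Fragment Offset field, counted in 8-byte units."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + len(payload)
    flags_frag = ((IP_FLAG_MF if more_fragments else 0) << 13) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, flags_frag,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4_fragment(pkt):
    """Pull the fields reassembly cares about out of an IPv4 packet."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "offset": (flags_frag & 0x1FFF) * 8,            # byte offset of this fragment's data
        "mf": bool((flags_frag >> 13) & IP_FLAG_MF),
        "data_len": total_len - ihl,
        "proto": proto,
    }


def check_fragments(fragments):
    """Inspect the fragments of one datagram (same IP ID) before reassembling them.
    Returns a sorted list of findings; an empty list means the set reassembles cleanly."""
    findings = set()
    frags = sorted((parse_ipv4_fragment(p) for p in fragments), key=lambda f: f["offset"])
    prev_end = 0
    for f in frags:
        end = f["offset"] + f["data_len"]
        if end > IPV4_MAX_DATAGRAM:
            findings.add("overrun")          # Ping of Death: reassembled size exceeds 65,535
        if f["offset"] < prev_end:
            findings.add("overlap")          # Teardrop: this fragment rewrites bytes already received
        if f["offset"] > prev_end:
            findings.add("gap")              # a hole: the datagram is incomplete so far
        if f["mf"] and f["data_len"] % 8:
            findings.add("bad-length")       # every fragment except the last must carry a multiple of 8 bytes
        prev_end = max(prev_end, end)
    if not frags or frags[-1]["mf"]:
        findings.add("incomplete")           # no final fragment (MF=0) seen
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample fragment sets (not captured traffic).
    benign = [build_ipv4_fragment(1, 0, True, b"A" * 32), build_ipv4_fragment(1, 4, False, b"B" * 16)]
    teardrop = [build_ipv4_fragment(2, 0, True, b"A" * 32), build_ipv4_fragment(2, 3, False, b"B" * 16)]
    ping_of_death = [build_ipv4_fragment(3, 8191, False, b"C" * 16)]
    for name, frags in [("benign", benign), ("teardrop", teardrop), ("ping_of_death", ping_of_death)]:
        print(name, check_fragments(frags))
```

The second Teardrop fragment starts at offset 3 x 8 = 24 while the first already covers bytes 0 to 31, so the checker reports an overlap; the Ping of Death fragment sits at the maximum offset 65,528 with 16 bytes of data, so its end (65,544) exceeds the 65,535-byte limit.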

More Header-Based Attacks
- Attacks with special IP addresses.
- A source IP spoofed to a broadcast address causes the packet to be dropped.
- Destination broadcast addresses:
  - Full (limited) broadcast address, 255.255.255.255: affects only the local network; a Layer 3 (L3) router does not route these packets.
  - Directed broadcast address (e.g., 10.10.2.255): can be used to get multiple machines to respond to a single packet. Intermediate routers forward it like ordinary unicast; at the destination L3 device (the one with the 10.10.2.0 network connected), it is translated into a local broadcast. This is the amplifier behind the Smurf attack; RFC 2644 requires that forwarding of directed broadcasts be off by default, and modern routers ship that way.
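Worked example for the special-address rules above (added to these notes, not from the original slides). The function encodes the forwarding decision a router makes for a packet: drop a broadcast source, never route the limited broadcast, and treat a directed broadcast as unicast unless it owns the destination prefix, in which case the RFC 2644 default decides whether it is dropped or turned into a link-layer broadcast. The subnets and addresses in the usage are placeholders.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def router_decision(src, dst, connected_nets, directed_broadcast=False):
    """Decide what a router does with a packet addressed src -> dst.

    connected_nets: CIDR strings for the router's directly attached networks.
    directed_broadcast: whether forwarding of directed broadcasts onto an attached
    network is enabled (RFC 2644 says it must be off by default)."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    nets = [ipaddress.IPv4Network(n) for n in connected_nets]

    # A broadcast address is never a legitimate source; such a packet is spoofed and dropped.
    if src_ip == LIMITED_BROADCAST or any(src_ip == n.broadcast_address for n in nets):
        return "drop: broadcast source address"

    # 255.255.255.255 is delivered on the receiving link only and never forwarded.
    if dst_ip == LIMITED_BROADCAST:
        return "deliver locally: limited broadcast is not routed"

    # A directed broadcast is only recognisable at the last-hop router that owns the prefix;
    # every router before it forwards the packet like ordinary unicast.
    for net in nets:
        if dst_ip == net.broadcast_address:
            if directed_broadcast:
                hosts = net.num_addresses - 2     # how many hosts can answer one packet (amplification)
                return f"translate to link-layer broadcast on {net} (up to {hosts} responders)"
            return f"drop: directed broadcast to {net} disabled"
    return "forward: ordinary routing-table lookup"


if __name__ == "__main__":
    nets = ["10.10.2.0/24", "192.168.1.0/24"]       # placeholder attached networks
    for src, dst, enabled in [("10.10.2.255", "10.10.2.5", False),
                              ("1.2.3.4", "255.255.255.255", False),
                              ("1.2.3.4", "10.10.2.255", False),
                              ("1.2.3.4", "10.10.2.255", True),
                              ("1.2.3.4", "10.10.3.255", False)]:
        print(src, "->", dst, ":", router_decision(src, dst, nets, enabled))
```

The last case shows why the slide says the attack is only recognisable at the destination: 10.10.3.255 is not one of this router's prefixes, so it is forwarded like any other address, and only the router that owns 10.10.3.0/24 can decide to drop it.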

Network Layer Control Protocols
- ARP: a network/link layer protocol. It operates below the network layer, as part of the interface between the OSI network layer and the OSI link layer.
- ICMP: a network layer protocol.

ARP: Address Resolution Protocol
- Used to find the physical hardware address given an IP address.
- MAC (Media Access Control) address: a 6-byte (48-bit) unique address, e.g., C0:B3:44:17:21:17. The broadcast address is all 1s (FF:FF:FF:FF:FF:FF).
- Also used to check for IP address conflicts (gratuitous ARP).
- Sent through the data link layer as the Ethernet payload (EtherType 0x0806).
- An ARP request is broadcast; an ARP reply is unicast.
- ARP data unit (encapsulated in an Ethernet, Layer 2, frame).

RARP: Reverse Address Resolution Protocol
- In a LAN, a machine can learn its own IP address from a gateway server's ARP table or cache.
- A table can be created in the LAN's gateway router that maps MAC addresses to the corresponding IP addresses.
- When a new machine is set up, its RARP client program requests its IP address from the RARP server on the router.
- Assuming that an entry has been set up in the router table, the RARP server returns the IP address to the machine.

ARP-Based Spoofing Attack
- ARP cache poisoning: a bogus ARP reply carrying the attacker's MAC address populates/corrupts the actual ARP cache entries of the victim. ARP has no authentication, and most hosts accept replies they never asked for, which is what makes this work.
- ARP-based spoofing enables a man-in-the-middle (MIM) attack: poison the victim with the gateway's IP and the gateway with the victim's IP, and both directions of traffic pass through the attacker.

Defense Against ARP Spoofing Attacks
- There is no universal defense against ARP spoofing.
- A possible defense is the use of static ARP entries: static entries cannot be updated, so spoofed ARP replies are ignored.
- The ARP tables would then need a static entry for each machine on the network. The overhead of deploying these tables, and of keeping them up to date, is not practical for most LANs.
- On managed switches, Dynamic ARP Inspection (validating ARP packets against the IP-to-MAC bindings learned by DHCP snooping) is the usual practical alternative.
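Worked example covering the three ARP slides above (the ARP frame format, cache poisoning, and the static-entry defense). It is added to these notes and is not code from the original lecture. It builds and parses RFC 826 ARP request/reply frames with the exact 14-byte Ethernet plus 28-byte ARP layout, then models a host's ARP cache that accepts unsolicited replies the way an unprotected host does, records an alert when an existing binding changes, and ignores replies that contradict a static entry. The MAC and IP addresses are placeholders and the scenario is constructed, not captured.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an RFC 826 ARP packet: 14-byte Ethernet header + 28-byte ARP body.
    Requests go to the link-layer broadcast address; replies go unicast to the target."""
    dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype=Ethernet, ptype=IPv4, hlen=6, plen=4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {"op": op,
            "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
            "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20]),
            "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12])}


class ArpCache:
    """A host's ARP cache. Like a plain host it accepts any reply (that is what the attacker relies on),
    but it honours static entries and records an alert when a binding changes."""

    def __init__(self, static=None):
        self.static = dict(static or {})
        self.table = dict(self.static)   # ip -> mac
        self.alerts = []

    def process(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["eth_src"] != mac:               # crude forgery: frame source and ARP sender disagree
            self.alerts.append(f"ethernet source {arp['eth_src']} != ARP sender {mac}")
        if ip in self.static:                   # static entry: spoofed replies are ignored
            if self.static[ip] != mac:
                self.alerts.append(f"ignored reply for static {ip}: claimed {mac}, static {self.static[ip]}")
            return
        old = self.table.get(ip)
        if old is not None and old != mac:      # the binding moved: classic poisoning signature
            self.alerts.append(f"binding change {ip}: {old} -> {mac} (possible ARP poisoning)")
        self.table[ip] = mac


def poisoning_demo():
    """Constructed scenario: gateway 10.0.0.1, victim 10.0.0.2, attacker claims the gateway's IP."""
    gw_mac, victim_mac, attacker_mac = "00:11:22:33:44:01", "00:11:22:33:44:02", "de:ad:be:ef:00:01"
    request = build_arp(ARP_REQUEST, victim_mac, "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1")
    real_reply = build_arp(ARP_REPLY, gw_mac, "10.0.0.1", victim_mac, "10.0.0.2")
    poison = build_arp(ARP_REPLY, attacker_mac, "10.0.0.1", victim_mac, "10.0.0.2")
    plain = ArpCache()
    plain.process(request)      # requests never update this cache
    plain.process(real_reply)
    plain.process(poison)       # accepted: traffic for the gateway now goes to the attacker
    pinned = ArpCache(static={"10.0.0.1": gw_mac})
    pinned.process(poison)      # ignored because of the static entry
    return plain, pinned


if __name__ == "__main__":
    plain, pinned = poisoning_demo()
    print("plain cache:", plain.table, plain.alerts)
    print("pinned cache:", pinned.table, pinned.alerts)
```

The plain cache ends up pointing 10.0.0.1 at the attacker's MAC even though it logged the change; the pinned cache keeps the gateway's real MAC. That gap between "can detect" and "does protect" is why the slide calls static entries a defense and why tools such as arpwatch only alert.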

ARP Flooding
- Denial of Service (DoS) with ARP/MAC flooding: flooding a switch with frames from fake source MAC addresses fills its MAC address (CAM) table. Note that it is the switch's MAC table that is overflowed here, not a host's ARP cache.
- Once the table is full, the switch can no longer learn legitimate addresses and must broadcast (flood) unicast traffic to every connected node, like a hub, which also lets the attacker sniff traffic it would otherwise never see.
- It does not result in a crash; the network becomes overloaded.
- Remote ARP flooding!
  - A router retries ARP requests that receive no reply. What is the idea?
  - Packets are sent to all IP addresses of a subnet, some of which are not associated with any physical machine.
  - Some of the router's ARP requests will get no reply.
  - Consecutive packets arriving for those non-existent IP addresses make the router broadcast ARP requests again and again.
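Worked example for the MAC-flooding half of the slide above (added to these notes, not from the original lecture). It models a learning switch with a bounded MAC table and entry ageing, then replays the attack: two legitimate hosts talk, an attacker keeps refreshing more fake source MACs than the table can hold, the legitimate entries age out and cannot be relearned, and the next legitimate frame is flooded to every port including the attacker's. The table size, ageing time, MACs and port numbers are placeholders chosen for the demonstration.

```python
import random

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Learning switch with a bounded MAC (CAM) table and entry ageing.
    Frames to a MAC the table does not know are flooded out every other port, like a hub."""

    def __init__(self, ports, capacity, max_age=300):
        self.ports = list(ports)
        self.capacity = capacity
        self.max_age = max_age
        self.table = {}   # mac -> (port, last_seen)

    def _age_out(self, now):
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.max_age]
        for m in stale:
            del self.table[m]

    def _learn(self, mac, port, now):
        if mac in self.table or len(self.table) < self.capacity:
            self.table[mac] = (port, now)
        # otherwise the table is full: the address is not learned until something ages out

    def forward(self, src_mac, dst_mac, in_port, now):
        """Return the egress port list for one frame."""
        self._age_out(now)
        self._learn(src_mac, in_port, now)
        entry = self.table.get(dst_mac)
        if dst_mac == BROADCAST_MAC or entry is None:
            return [p for p in self.ports if p != in_port]   # unknown unicast: flood
        return [entry[0]]


def random_mac(rng):
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))   # locally administered


def mac_flood_demo(capacity=64, fake_macs=100, ticks=320):
    """Constructed scenario: hosts A (port 1) and B (port 2) talk; an attacker on port 3 keeps
    refreshing far more fake source MACs than the table can hold."""
    rng = random.Random(1)
    sw = Switch(ports=[1, 2, 3], capacity=capacity)
    a_mac, b_mac = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.forward(a_mac, b_mac, in_port=1, now=0)
    sw.forward(b_mac, a_mac, in_port=2, now=0)
    before = sw.forward(a_mac, b_mac, in_port=1, now=1)    # both known: unicast to port 2 only
    fakes = [random_mac(rng) for _ in range(fake_macs)]
    for t in range(2, ticks):
        for m in fakes:
            sw.forward(m, BROADCAST_MAC, in_port=3, now=t)  # attacker keeps every fake entry fresh
    # A's and B's entries have aged out and cannot be relearned into the full table,
    # so A -> B is now flooded to every port, including the attacker's.
    after = sw.forward(a_mac, b_mac, in_port=1, now=ticks)
    return before, after, len(sw.table)


if __name__ == "__main__":
    before, after, size = mac_flood_demo()
    print("A->B before flood:", before, " after flood:", after, " table entries:", size)
```

The switch never crashes; it simply degrades to hub behaviour, which is the DoS and sniffing effect the slide describes. Port security (limiting MACs learned per port) is the standard switch-side countermeasure.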

Thanks
Acknowledgement:
- Most of the figures are taken from different online sources
- Ehab Al-Shaer, UNC Charlotte
- Dr. Ambareen Siraj, Tennessee Tech University