TCP/IP: ICMP, UDP. Network Security Lecture 5

Transcription

1 TCP/IP: ICMP, UDP Network Security Lecture 5

2 Recap and overview Looking at security of TCP/IP IP, Ethernet, ARP Sniffing the network and forging packets tcpdump, wireshark Today: ICMP and UDP Eike Ritter Network Security - Lecture 5 1

3 Internet Control Message Protocol Used to exchange control/error messages about the delivery of IP datagrams Encapsulated in IP datagrams Messages can be Requests Responses Error messages RFC 792 Eike Ritter Network Security - Lecture 5 2

4 ICMP message format Type Code Checksum Data Type: ICMP type Code: ICMP subtype Checksum: Error checking code -Computed on the ICMP header and data (with checksum field set to 0) Eike Ritter Network Security - Lecture 5 3

5 ICMP types Echo request/reply (type: 8, 0) Network connectivity (ping) Destination unreachable (type: 3) Inform host of the impossibility to deliver traffic to a specific destination Destination network, host, protocol, port unreachable Destination network, host unknown Fragmentation required and DF flag set Source route failed Source quench (type: 4) Congestion control Eike Ritter Network Security - Lecture 5 4

6 ICMP types cont d Time exceeded (type: 11) Report expired datagrams(ttl = 0) Redirect (type: 5) Inform hosts of better routes (gateways) Address mask request/reply (type: 17, 18) Used to obtain network mask at boot time Eike Ritter Network Security - Lecture 5 5

7 ICMP Echo request/reply Type = 0 or 8 Code = 0 Checksum Identifier Sequence number Optional data Eike Ritter Network Security - Lecture 5 6

8 ICMP echo request Eike Ritter Network Security - Lecture 5 7

9 ICMP encapsulation Eike Ritter Network Security - Lecture 5 8

10 ping $ ping PING ( ) 56(84) bytes of data. 64 bytes from : icmp_seq=1 ttl=52 time=8.16 ms 64 bytes from : icmp_seq=2 ttl=52 time=8.24 ms 64 bytes from : icmp_seq=3 ttl=52 time=8.02 ms 64 bytes from : icmp_seq=4 ttl=52 time=8.02 ms 64 bytes from : icmp_seq=5 ttl=52 time=8.16 ms 64 bytes from : icmp_seq=6 ttl=52 time=8.02 ms ping statistics packets transmitted, 6 received, 0% packet loss, time 25082ms rtt min/avg/max/mdev = 8.021/8.106/8.245/0.125 ms Eike Ritter Network Security - Lecture 5 9

11 ICMP echo-based attacks: scanning Attacker wants to know which hosts in a subnet are up and running Sends a ping message to all possible hosts in that subnet (pingsweep) Collects replies from hosts that are alive $ nmap -sp /24 Starting Nmap 5.00 ( ) at :48 PST Host is up (0.0024s latency). Host is up ( s latency). Host is up (0.0065s latency). Host is up ( s latency). Nmap done: 256 IP addresses (4 hosts up) scanned in 2.54 seconds Eike Ritter Network Security - Lecture 5 10

12 ICMP echo-based attacks: smurf Broadcast ping message Echo request directed to broadcast address of network All hosts on that subnet respond with echo reply Do you see a problem with this scenario? Consider IP spoofing Eike Ritter Network Security - Lecture 5 11

13 ICMP echo-based attacks: smurf From: To: Attacker: Victim: Eike Ritter Network Security - Lecture 5 12

14 ICMP echo-based attacks: smurf Defenses Ignore ICMP echo requests destined to the broadcast address Linux: $ sysctl net.ipv4.icmp_echo_ignore_broadcasts Eike Ritter Network Security - Lecture 5 13

15 Gateway: ICMP redirect (2) Datagram to Gateway: Destination Gateway (1) Datagram to (3) ICMP redirect message: use as gateway to communicate with 1.1.1/24 Host: (4) Destination Gateway Flags UG UGHD Eike Ritter Network Security - Lecture 5 14

16 ICMP redirect Type = 5 Code = 0, 1, 2, or 3 Checksum IP Address IP header + First 8 bytes of original datagram On receiving an ICMP redirect message, host checks that: The new gateway must be directly reachable (same subnet) The redirect must be from the current gateway for the destination The redirect cannot tell the host to act as the new gateway The route that is added must be indirect Eike Ritter Network Security - Lecture 5 15

17 ICMP redirect-based attacks ICMP redirect can be abused to re-route traffic to specific router or to a specific host Hijack traffic Denial-of-service attack How? The attacks works by sending a spoofed ICMP redirect message that appears to come from the host s default gateway Eike Ritter Network Security - Lecture 5 16

18 ICMP redirect attack Address Hwaddress Role :50:56:00:00:01 Gateway :50:56:00:00:02 Linux host :50:56:00:00:64 Windows host C:\windows\system32> route print -4 IPv4 Route Table ============================================================================ Active Routes: Network Destination Netmask Gateway Interface Metric On-link On-link On-link ============================================================================ # tcpdump n 00:50:56:00:00:02 > 00:50:56:00:00:64, IP > : ICMP redirect to host , length 68 Eike Ritter Network Security - Lecture 5 17

19 ICMP redirect attack cont d C:\Windows\system32> route print -4 IPv4 Route Table ============================================================================ Active Routes: Network Destination Netmask Gateway Interface Metric On-link On-link On-link ============================================================================ C:\Windows\system32> ping :50:56:00:00:64 > 00:50:56:00:00:02, IP > : ICMP echo request 00:50:56:00:00:64 > 00:50:56:00:00:02, IP > : ICMP echo request Eike Ritter Network Security - Lecture 5 18

20 ICMP destination unreachable Used by gateway to inform host that destination is unreachable Different subtypes Network unreachable Host unreachable Protocol unreachable Port unreachable Fragmentation needed and DF flag set Destination host unknown Destination network unknown Eike Ritter Network Security - Lecture 5 19

21 ICMP unreachable attack From To: Destination unreachable Gateway: Attacker: Victim: Eike Ritter Network Security - Lecture 5 20

22 ICMP time exceeded Type = 11 Code = 0 or 1 Checksum Unused IP header + First 8 bytes of original datagram Sent when TTL becomes 0 (code: 0) The reassembling of a fragment times out (code: 1) Eike Ritter Network Security - Lecture 5 21

23 traceroute Use ICMP time exceeded messages to determine the path used to deliver a datagram A series of IP datagramsare sent to the destination Each datagram has an increasing TTL field value (start value: 1) Router decrements TTL; if it is 0, sends back a ICMP unreachable message Useful for network analysis and debugging Eike Ritter Network Security - Lecture 5 22

24 traceroute cont d $ traceroute traceroute to ( ), 30 hops max, 40 byte pkts 1 rita-rw ( ) ms ms ms 2 bes ( ) ms ms ms 3 hscn-gw ( ) ms ms ms 4 cs-ac00b7e1-2.bham.ac.uk ( ) ms ms ms 5 cs-lb00b1e5-8b2e5-8.bham.ac.uk ( ) ms ms ms 6 fw-sr00.bham.ac.uk ( ) ms ms ms ( ) ms ms ms ( ) ms ms ms 9 so warr-sbr1.ja.net ( ) ms ms ms 10 so read-sbr1.ja.net ( ) ms ms ms 11 as0.lond-sbr3.ja.net ( ) ms ms ms 12 po1.lond-ban3.ja.net ( ) ms ms ms 13 google.lond-ban3.ja.net ( ) ms ms ms ( ) ms ms ( ) ms ( ) ms ms ( ) ms 16 lhr14s02-in-f104.1e100.net ( ) ms ms ms Eike Ritter Network Security - Lecture 5 23

25 UDP Based on IP Provides a connectionless, unreliable, best-effortdatagram delivery service delivery, integrity, non-duplication, ordering, and bandwidth are not guaranteed Introduces the abstraction of ports Allows one to address different message destinations for the same IP address Commonly used for Multimedia Services based on request/reply schema (e.g., DNS, NFS, RPC) RFC 768 Eike Ritter Network Security - Lecture 5 24

26 UDP message format UDP source port UDP message length UDP dest port Checksum Data Eike Ritter Network Security - Lecture 5 25

27 UDP message Eike Ritter Network Security - Lecture 5 26

28 UDP encapsulation UDP header UDP data IP header IP data Frame header Frame data Eike Ritter Network Security - Lecture 5 27

29 UDP encapsulation Eike Ritter Network Security - Lecture 5 28

30 UDP spoofing Essentially, it is IP spoofing UDP request Spoofed UDP reply UDP reply Client: Attacker: Server: Eike Ritter Network Security - Lecture 5 29

31 UDP hijacking Variation of UDP spoofing attack UDP reply to spoofed request Trusted client: Attacker: Server: Eike Ritter Network Security - Lecture 5 30

32 UDP spoofing Vulnerable protocols DNS RPC NFS NIS Eike Ritter Network Security - Lecture 5 31

33 UDP portscan Used to determine which UDP services are available A zero-length UDP packet is sent to each port If an ICMP error message port unreachable is received the service is assumed to be unavailable Note that the sending rate of ICMP messages can be limited (depending on the OS): the scan can be slow Linux: $ sysctl net.ipv4.icmp_ratelimit (number of jiffies to wait before sending another message) Eike Ritter Network Security - Lecture 5 32

34 UDP portscan $ sudo nmap -su Starting Nmap 5.00 ( ) at :17 PST Interesting ports on : Not shown: 997 closed ports PORT STATE SERVICE 111/udp open filtered rpcbind 137/udp open filtered netbios-ns 2049/udp open filtered nfs MAC Address: 00:0C:29:27:25:40 (VMware) Nmap done: 1 IP address (1 host up) scanned in seconds Eike Ritter Network Security - Lecture 5 33

35 UDP portscan $ sudo tcpdump -n host > : UDP, length > : ICMP udp port 1433 unreachable, length > : UDP, length > : ICMP udp port unreachable, length > : UDP, length > : UDP, length > : ICMP udp port unreachable, length > : UDP, length > : ICMP udp port unreachable, length > : UDP, length > : ICMP udp port 1033 unreachable, length > : UDP, length > : ICMP udp port unreachable, length 36 Eike Ritter Network Security - Lecture 5 34

36 NEXT ON Eike Ritter Network Security - Lecture 5 35

37 Take away points ICMP has good functionalities to debug and control network. Some of them can be abused by attackers ICMP scanning (pingsweep) ICMP smurf attack ICMP redirection UDP Format Portscan nmap Eike Ritter Network Security - Lecture 5 36

38 Next time TCP Eike Ritter Network Security - Lecture 5 37