The Transport Layer and Implica4ons for Network Monitoring. CS 410/510 Spring 2014

Transcription

1 The Transport Layer and Implica4ons for Network Monitoring CS 410/510 Spring 2014

2 Review Preliminaries: Three Principles of Informa4on Security The Three A s

3 Review: Network Protocol Stacks

4 Review: Network Protocol Stacks ApplicaEon Layer: HTTP, SMTP,... - Send messages to people, send files, Transport Layer: TCP - Stream- oriented I/O Network Layer: IP - Sends messages across mul4ple hops Data/Link Layer: Ethernet, Wifi, GSM - Sends messages over a single hop Physical Layer: Copper, Fiber, Wireless - Transmits bits through space

5 Review: The Link Layer (Ethernet, WiFi) Shared broadcast medium Snooping awacks Spoofing awacks AWacks on TLF bridges (aka switches)

6 Review: IP (Network Layer) Forwarding based on des4na4on address Spoofing awacks

7 Outline for Today Security and the Transport Layer Network Monitoring and Intrusion Detec4on Ptacek and Newsham: Inser4on and Evasion AWacks

8 Outline for Today Security and the Transport Layer Network Monitoring and Intrusion Detec4on Ptacek and Newsham: Inser4on and Evasion AWacks

9 Transport Layer Role: Provides end- to- end messages UDP Thin wrapper around IP Connec4onless, unreliable TCP Connec4on- oriented Reliable data transfer

10 Transport Layer Role: Provides end- to- end messages UDP Thin wrapper around IP Connec4onless, unreliable TCP Connec4on- oriented Reliable data transfer

11 UDP: User Datagram Protocol Idea: Fire and forget Applica4ons Streaming media (video chat, voice over IP) Short, simple messages (TFTP, DNS) Diagram credit: Wikipedia

12 UDP: Injec4on AWack If we re not careful, protocols that use UDP can be vulnerable to malicious injec4on (loss of integrity) Alice Bob

13 Example: Voice over IP (VoIP) Let s image a really simple VoIP protocol Sending app records small snippets of audio (say 20ms), and sends each audio snippet in a UDP packet When the receiving app gets a packet, it immediately plays the sound No sequence numbers or checksums in the app Alice Bob

14 UDP Injec4on AWack What does the awacker need to do in order to spoof messages from Alice? Diagram credit: Wikipedia

15 UDP Injec4on AWack What does the awacker need to do in order to spoof messages from Alice to Bob? Alice s IP Address Diagram credit: Wikipedia

16 UDP Injec4on AWack What does the awacker need to do in order to spoof messages from Alice to Bob? Alice s IP Address Bob s IP Address Diagram credit: Wikipedia

17 UDP Injec4on AWack What does the awacker need to do in order to spoof messages from Alice to Bob? Alice s IP Address Bob s IP Address Alice s UDP Port Number Bob s UDP Port Number Diagram credit: Wikipedia

18 Example: Voice over IP (VoIP) Suppose the VoIP protocol only sends packets when the user is speaking Alice I love you Bob J

19 Example: Voice over IP (VoIP) Now our awacker can inject audio into the call Alice Bob L I hate you

20 Example: Voice over IP (VoIP) What if both transmit simultaneously? What does Bob actually hear? Alice I love you Bob I hate you

21 Example: Voice over IP (VoIP) What if both transmit simultaneously? What does Bob actually hear? Answer: Depends on Bob s applica4on code! Alice I love you Bob??? I hate you

22 Example: Voice over IP (VoIP) What if both transmit simultaneously? What does Bob actually hear? Answer: Depends on Bob s applica4on code! (Probably a garbled mess but it could be worse) Alice I love you Bob??? I hate you

23 Transport Layer Role: Provides end- to- end messages UDP Thin wrapper around IP Connec4onless, unreliable TCP Connec4on- oriented Reliable data transfer

24 TCP: Transmission Control Protocol Connec4on- oriented protocol Connec4on setup SYN, SYN/ACK, ACK Connec4on teardown FIN, ACK, FIN, ACK Reliable, in- order data transfer Sequence numbers Posi4ve, cumula4ve acknowledgements (ACK s) Retransmission on 4meout

25 TCP: Transmission Control Protocol TCP Segment Header

26 TCP: Injec4on AWacks Can the awacker s4ll inject arbitrary data? Alice From: Alice To: Bob Subject: Good News Bob Subject: Bad News

27 Textbook TCP: 3- way Handshake Flags: SYN Seq 0 Ack n/a Seq 0 Ack 0 Flags: SYN/ACK Seq 0 Ack 0

28 Textbook TCP: Data Transfer Seq 0 Ack 0 Data: Hi Bob!\r\n Seq 10 Ack 12 Seq 0 Ack 10 Data: Hi Alice!\r\n

29 Textbook TCP: Recovering from Loss Seq 1000 Seq 1100 Seq 1200 (Timeout, or 3x dup ACK) Seq 1100 Seq 905 Ack 1100 Seq 905 Ack 1300

30 TCP Injec4on AWacks Seq 0 Ack 0 Data: Hi Bob!\r\n Seq 0 Ack 10 Data: Go away loser! \r\n AWacker who can predict TCP sequence numbers can inject data into a vic4m s input stream Seq 0 Ack 10 Data: Hi Alice!\r\n

31 TCP Injec4on AWacks Seq 0 Ack 0 Data: Hi Bob!\r\n Ques4on: What does Alice see (in the applica4on) as a result of these transmissions? Seq 0 Ack 10 Data: Go away loser! \r\n Seq 0 Ack 10 Data: Hi Alice!\r\n AWacker who can predict TCP sequence numbers can inject data into a vic4m s input stream

32 TCP Injec4on AWacks Seq 0 Ack 0 Data: Hi Bob!\r\n AWacker who can predict TCP sequence numbers can inject data into a vic4m s input stream Seq 0 Ack 10 Data: Hi Alice!\r\n Now the packets are reversed. Does your answer change? Seq 0 Ack 10 Data: Go away loser! \r\n

33 Inside TCP What s really going on inside Alice s TCP? recv buffer

34 Inside TCP What s really going on inside Alice s TCP? recv window recv buffer

35 Inside TCP What s really going on inside Alice s TCP? recv window recv buffer Seq 900

36 Inside TCP What s really going on inside Alice s TCP? recv window recv buffer Seq 900

37 Inside TCP What s really going on inside Alice s TCP? recv window recv buffer Seq 900 Seq 1000

38 Inside TCP What s really going on inside Alice s TCP? recv window recv buffer Seq 900 Seq 1000 Seq 1100 Seq 1200

39 Inside TCP What s really going on inside Alice s TCP? recv window recv buffer Seq 900 Seq 1000 Seq 1100 Seq 1200 Packet loss leaves a gap

40 TCP Injec4on AWacks Seq 0 Ack 0 Data: Hi Bob!\r\n AWacker who can predict TCP sequence numbers can inject data into a vic4m s input stream Seq 0 Ack 10 Data: Hi Alice!\r\n Now the packets are reversed. Does your answer change? Seq 0 Ack 10 Data: Go away loser! \r\n

41 Inside TCP What s really going on inside Alice s TCP? recv window recv buffer Seq 0 Ack 10 When the awacker s packet arrives first, Bob s packet is bounced, because it s outside the receive window. Seq 0 Ack 10

42 Inside TCP What s really going on inside Alice s TCP? recv window recv buffer Seq 0 Ack 10 Similarly, when Bob s packet arrives first, the awacker s packet is bounced, because it s outside the receive window. Seq 0 Ack 10

43 Inside TCP What s really going on inside Alice s TCP? recv window recv buffer Seq 0 Ack 10 Similarly, when Bob s packet arrives first, the awacker s packet is bounced, because it s outside the receive window. Seq 0 Ack 10 BUT, the awacker s4ll wins whenever he can deliver his packet first.

44 Mi4ga4on: Randomize Ini4al Sequence Numbers Instead of star4ng at zero, generate a random number for each new connec4on First packet: seq = n Second packet: seq = n + sizeof(first packet)

45 TCP: Injec4on AWacks Sequence number guessing If the awacker can guess the random ISN, he can s4ll accomplish his awack How hard is this in prac4ce? Today (hopefully) it s quite hard But this was not always so For more info, see hwp://lcamtuf.coredump.cx/newtcp/ hwp://lcamtuf.coredump.cx/oldtcp/tcpseq.html

46 Visualizing ISN Randomness Linux 2.2 Not too bad

47 Visualizing ISN Randomness Windows NT 4 SP 6 A liwle worse

48 Visualizing ISN Randomness Windows 95 PreWy bad

49 Visualizing ISN Randomness Cisco IOS 12.0 Really bad

50 Visualizing ISN Randomness SGI IRIX 6.5 Horrible!

51 Outline for Today Security and the Transport Layer Network Monitoring and Intrusion DetecEon Ptacek and Newsham: Inser4on and Evasion AWacks

52 Network Monitoring Idea AWackers may penetrate our border defenses Let s watch the network to see if we can catch them Use a host separate from other network func4ons

53 Network Monitoring Intui4on Aper all, many link layers provide a shared broadcast medium. Data is easy to get. (Or is it?) If the awacker can use this against us, surely we can turn the same technique around on him!

54 Network Monitoring: Assump4ons AWacker starts outside the network, and must somehow break in to an internal host. Monitor box is off the cri4cal path, but s4ll in a good posi4on to see all packets in & out of the network

55 Outline for Today Security and the Transport Layer Network Monitoring and Intrusion Detec4on Ptacek and Newsham: InserEon and Evasion AQacks

56 Challenges in Network Monitoring Two key problems The monitor and the vic4ms sit at different loca4ons in the network The monitor and the vic4ms run different sopware, and thus interpret packets differently

57 Challenges in Network Monitoring Two key problems The monitor and the vicems sit at different locaeons in the network The monitor and the vic4ms run different sopware, and thus interpret packets differently

58 Inser4on AWacks AWacker can cause the monitor to sound a false alarm For this example, suppose the awacker is 17 hops away from the monitor, and 20 hops away from the vic4ms.

59 Inser4on AWacks AWacker can cause the monitor to sound a false alarm Src: AWacker Dst: Vic4m TTL: 18 Data: (**^&^#@ For this example, suppose the awacker is 17 hops away from the monitor, and 20 hops away from the vic4ms.

60 Inser4on AWacks AWacker can cause the monitor to sound a false alarm For this example, suppose the awacker is 17 hops away from the monitor, and 20 hops away from the vic4ms. Src: AWacker Dst: Vic4m TTL: 1 Data: (**^&^#@ Oh no! ALARM!!!

61 Inser4on AWacks AWacker can cause the monitor to sound a false alarm For this example, suppose the awacker is 17 hops away from the monitor, and 20 hops away from the vic4ms. Src: AWacker Dst: Vic4m TTL: 0 Data: (**^&^#@ TTL = 0, so drop the packet. Yawn

62 Challenges in Network Monitoring Two key problems The monitor and the vic4ms sit at different loca4ons in the network The monitor and the vicems run different sosware, and thus interpret packets differently

63 Evasion AWacks Simplest approach: Make the monitor discard the awack packets Bogus header fields Bogus combina4ons of fields All op4ons are fair game, as long as the vicem s4ll treats the packet as valid

64 Evasion AWacks More sophis4cated awack: Make the monitor and the vic4m see the same packets differently Examples TCP stream reassembly IP fragmenta4on

65 Textbook TCP: Recovering from Loss Seq 1000 Seq 1100 Seq 1200 (Timeout, or 3x dup ACK) Seq 1100 Seq 905 Ack 1100 Seq 905 Ack 1300

66 Inside TCP What s really going on inside Alice s TCP? recv window recv buffer Seq 900

67 Inside TCP What s really going on inside Alice s TCP? recv window recv buffer Seq 900

68 Inside TCP What s really going on inside Alice s TCP? recv window recv buffer Seq 900 Seq 1000

69 Inside TCP What s really going on inside Alice s TCP? recv window recv buffer Seq 900 Seq 1000 Seq 1100 Seq 1200

70 Inside TCP What s really going on inside Alice s TCP? recv window recv buffer Seq 900 Seq 1000 Seq 1200 When a packet is lost, Alice s TCP has a gap

71 Inside TCP What s really going on inside Alice s TCP? recv window recv buffer Seq 900 Seq 1000 Seq 1100 Seq 1200 Arrival of the missing packet fills the gap.

72 Problems What s really going on inside Alice s TCP? recv window recv buffer Seq 900 Seq 1000 Seq 1200 What happens when the missing packet overlaps with exis4ng data?

73 Problems What s really going on inside Alice s TCP? recv window recv buffer???? Seq 900 Seq 1000 Seq 1200 What happens when the missing packet overlaps with exis4ng data? Seq 1100

74 Problems What s really going on inside Alice s TCP? recv window recv buffer???? Seq 900 Seq 1000 Seq 1200 What happens when the missing packet overlaps with exis4ng data? Seq 1050

75 Problems What s really going on inside Alice s TCP? recv window recv buffer???? Seq 900 Seq 1000 Seq 1200 What happens when the missing packet overlaps with exis4ng data? Seq 1050

76 Problems Q: What happens when mul4ple TCP segments overlap? A: It depends on the host TCP implementa4on Example: Windows and Linux react very differently

77 Problems recv window recv buffer???? Seq 900 Seq 1000 Seq 1200 AWacker can use overlap to disguise the real contents of the TCP connec4on Seq 1050

78 Problems recv window recv buffer???? Seq 900 Seq 1000 Seq 1200 AWacker can use overlap to disguise the real contents of the TCP connec4on Seq 1050

79 An aside: Why bother? Overlapping TCP segments?!??!! WTF?! What kind of an idiot does that? Why not just drop the connec4on? Internet philosophy: Be liberal in what you accept and conserva:ve in what you send Other implementa4ons may do crazy things For best interoperability, just go with the flow This approach made the Internet possible

80 Same problem, but worse: IP Fragmenta4on Perhaps the bigger concern is IP fragmenta4on Remember, IP packets can be broken up in flight if they re too big for some hop Endpoints have no guarantee as to how the packets are sliced & diced in transit

81

82 Announcements Submit an SSH public key for Git access Use the Public Keys dropbox on D2L Do this by 10pm tomorrow, Wednesday Apr 9 th

83 Lab 01 Walk- through with Wireshark dpkt preliminaries