Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Similar documents
Network and Services Discovery

Chapter 8 Security Pt 2

Linux MDS Firewall Supplement

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Attack Lab: Attacks on TCP/IP Protocols

CSCE 465 Computer & Network Security

ACHILLES CERTIFICATION. SIS Module SLS 1508

Chapter 8 Network Security

Host Discovery with nmap

NETWORK SECURITY WITH OPENSOURCE FIREWALL

Denial Of Service. Types of attacks

Host Fingerprinting and Firewalking With hping

Looking for Trouble: ICMP and IP Statistics to Watch

Firewall Firewall August, 2003

A S B

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

CIT 380: Securing Computer Systems

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Content Distribution Networks (CDN)

Abstract. Introduction. Section I. What is Denial of Service Attack?

CS5008: Internet Computing

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Lecture 5: Network Attacks I. Course Admin

Seminar Computer Security

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Attack and Defense Techniques

Linux MPS Firewall Supplement

Network Security: Workshop. Dr. Anat Bremler-Barr. Assignment #2 Analyze dump files Solution Taken from

Network Scanning. What is a Network scanner? Why are scanners needed? How do scanners do? Which scanner does the market provide?

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Troubleshooting Tools

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Security of IPv6 and DNSSEC for penetration testers

IP addressing and forwarding Network layer

1. Firewall Configuration

Network Security CS 192

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

Introduction of Intrusion Detection Systems

Denial of Service Attacks

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Project 4: (E)DoS Attacks

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

Internet Control Protocols Reading: Chapter 3

Firewalls, Tunnels, and Network Intrusion Detection

Introduction to IP networking

Network layer: Overview. Network layer functions IP Routing and forwarding

Scanning Tools. Scan Types. Network sweeping - Basic technique used to determine which of a range of IP addresses map to live hosts.

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Transport Layer Protocols

Firewalls and Intrusion Detection

Client Server Registration Protocol

Installing and Configuring Nessus by Nitesh Dhanjani

Development of a Network Intrusion Detection System

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

1.0 Introduction. 2.0 Data Gathering

SECURING APACHE : DOS & DDOS ATTACKS - I

A Very Incomplete Diagram of Network Attacks

Remote Network Analysis

IP Filter/Firewall Setup

What is a DoS attack?

Solution of Exercise Sheet 5

Attacks and Defense. Phase 1: Reconnaissance

How To Understand A Network Attack

About Firewall Protection

Chapter 4 Firewall Protection and Content Filtering

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

co Characterizing and Tracing Packet Floods Using Cisco R

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Stateful Firewalls. Hank and Foo

Security vulnerabilities in the Internet and possible solutions

Outline. Outline. Outline

General Network Security

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

TCP/IP Fundamentals. OSI Seven Layer Model & Seminar Outline

Algorithms and Techniques Used for Auto-discovery of Network Topology, Assets and Services

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

FIREWALL AND NAT Lecture 7a

Ignoring the Great Firewall of China

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Huawei Traffic Cleaning Solution

PROFESSIONAL SECURITY SYSTEMS

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

CMPT 471 Networking II

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

Chapter 6 Phase 2: Scanning

An Introduction to Nmap with a Focus on Information Gathering. Ionuț Ambrosie

Payment Card Industry (PCI) Executive Report 08/04/2014

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

Topics in Network Security

Firewalls. Network Security. Firewalls Defined. Firewalls

Denial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS)

Transcription:

Network Security ICMP, TCP, DNS, Scanning Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Agenda A couple of examples of network protocols that did not have security in mind during the design. Lesson learned: When designing new protocols it is hard to imagine all the ways the design may be exploited. Lesson learned: It is important to learn from the past Lesson learned: Not all development is done with security in mind, do not blindly trust the work of others. Scanning A tool for network managers to check their configurations. A tool for attackers to find potential targets. Requires detailed knowledge about protocols to build, simple to use. 2

ICMP ICMP is used to send error and control messages in a network. A requested service is not available. Time to live exceeded in transit. Echo reply (used by ping). etc. Absolutely necessary for networks to work properly. Not designed for security, and has had a reputation of being a dangerous protocol. Source quench: Tells the recipient to slow down sending, if obeyed source quench messages could be used to complete a lowbandwidth DoS. Redirect: Tells a system to send traffic destined for a particular system to a specified router, bad idea as it allows DoS, MITM, etc. There are others, but systems today ignore the inappropriate messages. 3

TCP (Simplified) The client sends a connection request to the server. The server, if willing to accept the connection, responds with an acknowledgment. The client then acknowledges that, and the connection is established. Client Server Problem: The server upon receiving the second packet, needs to confirm that it previously accepted this connection, and that it isn t a stray packet or something bad. Therefore, TCP has a connection queue where all accepted connections are parked until the second packet is received. 4

SYN flood The SYN flood attack exploits this. A large number of connections are requested, but the second packet is never sent. Client Server The server allocates resources to remember the accepted connection in the queue (until time-out or second packet). In theory this will eat up the servers resources, making it unable to accept new requests. In practice this is not much of a problem anymore, but when developing new protocols it is easy to miss these details. 5

Preventing SYN floods One way of preventing SYN flood attacks is to not save any information at all on the server about accepted connections. Instead a cookie is sent along with the acknowledgement from the server. This cookie contains information only the server knows. The client attaches the cookie to its response, and the server is able to verify that the cookie is correct, and that the client has previously been accepted. An attempt has been made to add this to TCP, but it turned out to be quite ugly. But for new protocols it has been implemented successfully (SCTP). Learn from the past to create better solutions in the future. 6

DNS Security DNS Security An absolute vital service for the Internet as we know it. Primary purpose to map easy-to-remember names to addresses. Domain Name System Maps names to addresses DNS can be viewed as Maps a distributed addresses database, to names which is accessed every UDP-based time you client-server access a remote system. Caching f.root-servers.net referral g.gtld-servers.net referral ns1.google.com 66.102.11.99 66.102.11.99 Cache com NS g.gtld-servers.net google.com NS ns1.goole.com A 66.102.11.99 7 The domain name system is a critical infrastru

DNS Security DNS Security The full database is distributed over a huge number of hosts, ordered in a hierarchical fashion, facilitated to find information rapidly. Domain Name System Maps names to addresses Caching is used extensively Maps addresses to ensure to names efficiency. UDP-based client-server Caching is one of the main security issues. Caching f.root-servers.net referral g.gtld-servers.net referral ns1.google.com 66.102.11.99 66.102.11.99 Cache com NS g.gtld-servers.net google.com NS ns1.goole.com A 66.102.11.99 8 The domain name system is a critical infrastru

DNS Security DNS Security What if an attacker compromised the DNS database? Domain Name System Example: You want to go to example.com, but the compromised Maps names to addresses DNS responds with the IP for evil.com, you keep sending your private data to this IP, and the Maps attacker addresses gets the to data. names UDP-based client-server Caching This also propagates throughout the network, and is cached, so called cache poisoning. f.root-servers.net referral g.gtld-servers.net referral ns1.google.com 66.102.11.99 66.102.11.99 Cache com NS g.gtld-servers.net google.com NS ns1.goole.com A 66.102.11.99 9 The domain name system is a critical infrastru

DNS Security DNS Security Cache poisoning has become harder since new implementations protect against it. Domain Name System Maps names to addresses However it can be done, and it is important to remember Maps addresses to names that DNS can be compromised and should not be trusted UDP-based client-server blindly. Caching f.root-servers.net referral g.gtld-servers.net referral ns1.google.com 66.102.11.99 66.102.11.99 Cache com NS g.gtld-servers.net google.com NS ns1.goole.com A 66.102.11.99 10 The domain name system is a critical infrastru

11 SCANNING

What do people scan for? Firewall configurations Open ports RPC services Known vulnerabilities Operating system details The purpose of the scan is to gather information that can be used later in an attack. There are tools that greatly simplify the job, such as nmap. nmap will determine open ports and operating system details. Firewalk is another tool for firewall configuration scanning. 12

What do people scan for? Building a scanner requires very good understanding of all the parts in a system. One has to know the differences in response if a request is sent to an open port or not, etc. These differences often depend on the used implementation and the configuration of the system. There are differences depending on the operating system version, firewall configuration, etc. 13

Firewalking The goal is to figure out the configuration of a firewall without connecting to any system beyond it. Theory: Most firewalls will inspect each datagram before sending it to the forwarding engine of the firewall. If a datagram is not passed by the firewall rules, it is usually discarded (other reactions can be used). If it passes the rules, it is processed for forwarding, which involves decrementing its TTL. If the TTL reaches zero then an ICMP destination unreachable/time exceeded is sent. 14

Firewalking The goal is to figure out the configuration of a firewall without connecting to any system beyond it. Practice: Firewalking works by sending datagrams that have a TTL set such that if it is passed by the firewall it will be zero. The datagrams are sent to any address behind the firewall. If the firewall does not respond, this means the port is filtered; if an ICMP destination unreachable/time exceeded is received then the port is open. 15

TCP Scans TCP Scans Knowing a port is open in a firewall is useful, but knowing if there is a process actually listening to this port is even more so. TCP SYN scan Send SYN segments to the server. If a SYN/ACK is sent back then the port is used, immediately send a RST back (this tears down the connection before it is complete, and usually avoids logging). If server responds with RST then no process on port. Open port Closed port SYN Scan SYN SYN / ACK RST SYN RST Open port Closed port If no response, then firewall is probably filtering. 16

TCP Scans TCP Scans SYN Scan Alternative to SYN scan is FIN scan. SYN Attacker sends segment with FIN flag. SYN / ACK Open port Firewalls that only RST filter connection attempts will let all FIN segments through. TCP specification requires SYN that an RST is responded if destination port is closed, and ignores RST the FIN if it is open. Closed port Open port Closed port FIN/XMAS Scan FIN nothing FIN RST / ACK 17

TCP Scans Implementations of TCP can behave differently. A third scanning version called ACK scan TCP Scans RST is returned regardless if the port is used or not. But there are then instead differences in the TTL and window size in the response, these can then be read and ACK used Scaninstead. Open port ACK RST TTL = 40 TCP Window Size = 16384 Closed port ACK RST TTL = 64 TCP Window Size = 0 18

UDP scanning is a bit harder than TCP scanning. Depends on the target responding with a port unreachable message when a UDP datagram is sent to a closed port. Other Scans UDP Scans Open port UDP Scan UDP Datagram Nothing When sent to an open port the response is unpredictable, sometimes nothing is done at all. This makes it hard to distinguish between a filtered and open port. Closed port UDP Datagram Port unreachable 19

Summary Lesson learned: When designing new protocols it is hard to imagine all the ways the design may be exploited. Lesson learned: It is important to learn from the past Lesson learned: Not all development is done with security in mind, do not blindly trust the work of others. Scanning A tool for network managers to check their configurations. A tool for attackers to find potential targets. Requires detailed knowledge about protocols. 20

www.liu.se

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information