Defending Computer Networks Lecture 6: TCP and Scanning. Stuart Staniford Adjunct Professor of Computer Science

Similar documents
Defending Computer Networks Lecture 7: Port Scanning. Stuart Staniford Adjunct Professor of Computer Science

How do I get to

Network Security TCP/IP Refresher

Solution of Exercise Sheet 5

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Ethernet. Ethernet. Network Devices

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

CSCE 465 Computer & Network Security

IP address format: Dotted decimal notation:

Hands-on Network Traffic Analysis Cyber Defense Boot Camp

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

CS5008: Internet Computing

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

The Transport Layer and Implica4ons for Network Monitoring. CS 410/510 Spring 2014

CSE 127: Computer Security. Network Security. Kirill Levchenko

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

First Workshop on Open Source and Internet Technology for Scientific Environment: with case studies from Environmental Monitoring

Transport and Network Layer

An Introduction to Nmap with a Focus on Information Gathering. Ionuț Ambrosie

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

Internet Control Protocols Reading: Chapter 3

Protecting and controlling Virtual LANs by Linux router-firewall

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Ethernet and IP A slightly less introductory networking class. Drew Saunders Networking Systems Stanford University

Firewall Firewall August, 2003

Access Control: Firewalls (1)

ACHILLES CERTIFICATION. SIS Module SLS 1508

CS155: Computer and Network Security

Load Balancing and Sessions. C. Kopparapu, Load Balancing Servers, Firewalls and Caches. Wiley, 2002.

Networking Test 4 Study Guide

Technical Support Information Belkin internal use only

CIT 380: Securing Computer Systems

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

CMPT 471 Networking II

DHCP, ICMP, IPv6. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley DHCP. DHCP UDP IP Eth Phy

Transport Layer Protocols

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Final for ECE374 05/06/13 Solution!!

Network Security. Computer Security & Forensics. Security in Compu5ng, Chapter 7. l Network Defences. l Firewalls. l Demilitarised Zones

Algorithms and Techniques Used for Auto-discovery of Network Topology, Assets and Services

[Prof. Rupesh G Vaishnav] Page 1

ICOM : Computer Networks Chapter 6: The Transport Layer. By Dr Yi Qian Department of Electronic and Computer Engineering Fall 2006 UPRM

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

VLAN und MPLS, Firewall und NAT,

Chapter 8 Security Pt 2

Network Traffic Analysis

(Refer Slide Time: 02:17)

Unix System Administration

TCP/IP Security Problems. History that still teaches

IPv6 and DDoS Protec0on: Securing Carrier Grade NAT Infrastructure

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Scapy. On-the-fly Packet Generation by Dienstag, 10. Januar 12

FIREWALL AND NAT Lecture 7a

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

Linux Network Security

Distributed Systems Interconnec=ng Them Fundamentals of Distributed Systems Alvaro A A Fernandes School of Computer Science University of Manchester

Phase 2: Scanning Detec0ng informa0on useful for break- in Live machines Network topology Firewall configura0on Applica0ons and OS types Vulnerabili0es

Chapter 3. TCP/IP Networks. 3.1 Internet Protocol version 4 (IPv4)

How To Protect A Dns Authority Server From A Flood Attack

VisuSniff: A Tool For The Visualization Of Network Traffic

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Safeguards Against Denial of Service Attacks for IP Phones

Network Security: Workshop. Dr. Anat Bremler-Barr. Assignment #2 Analyze dump files Solution Taken from

Firewalls. Chapter 3

co Characterizing and Tracing Packet Floods Using Cisco R

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

Project 4: (E)DoS Attacks

Life of a Packet CS 640,

TCP/IP and the Internet

Security vulnerabilities in the Internet and possible solutions

Overview of TCP/IP. TCP/IP and Internet

A S B

DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

IP - The Internet Protocol

Practical Network Forensics

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

April 23, 2015 ACME Company. Security Assessment Report

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Network Security CS 192

Networking Attacks: Link-, IP-, and TCP-layer attacks. CS 161: Computer Security Prof. David Wagner

Cisco Configuring Commonly Used IP ACLs

LESSON Networking Fundamentals. Understand TCP/IP

Wireless Networks: Network Protocols/Mobile IP

General Network Security

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP

+ iptables. packet filtering && firewall

Host Fingerprinting and Firewalking With hping

Firewalls. Chien-Chung Shen

1. Firewall Configuration

Transcription:

Defending Computer Networks Lecture 6: TCP and Scanning Stuart Staniford Adjunct Professor of Computer Science

Logis;cs HW1 due tomorrow First quiz will be Tuesday September 23 rd. Half hour quiz at start of class. Covering everything in class through Thurs Sep 18 th and all readings assigned by then. Shorter lecture will con;nue aler quiz to end of normal ;meslot.

Revision Materials

Addi;onal Reading Fyodor. The Art of Port Scanning. hop://nmap.org/p51-11.html. You can skim the code sec;on if ;me pressed. Note again you are being pointed at intro papers that are dated. Have to start somewhere. Prac;cal network aoack/defense is not a ;meless body of knowledge. Constantly evolving arms race between aoackers and defenders coming up with new techniques.

Latest News hop://www.wjla.com/ar;cles/2014/09/usis- to- lose- government- work- aler- cyberaoack- compromises- security- of- 25-000- government- workers- 106.html

More News hop://www.foxnews.com/world/2014/09/11/digital- jihad- isis- al- qaeda- seek- cyber- caliphate- to- launch- aoacks- on- us/

Main Goals for Today Finish up Arp Spoofing from Last Time Basics of TCP Protocol IP Address Space Leading to port scanning Maybe start today HW2 will be building a simple portscanner

Refresh on Ether/IP H1 Physical Network R Physical Network R Physical Network R Physical Network H2

Address Resolu;on: The Problem H1 Physical Network R Ether R IP H1 Data

ARP Packet Format Ethernet = 0x0001 IP = 0x0800 1 = request, 2 = reply

Opera;on of ARP request Given an IP, Look up in local arp table arp a n less to see table If not in table, send a broadcast to ethernet ff:ff:ff:ff:ff:ff Asking for that des;na;on IP address Also includes our ethernet and ip address

ARP response Recipient Reverses src/dest fields Fills out its correct MAC address Changes opcode to 2 Sends out in an ethernet packet directly to requester (not broadcast) Now communica;on can be established from requester to responder

ARP Spoofing Everyone that sees an arp broadcast request Will associate the sender MAC/IP in their table Good for low maintenance handling of change Bad for security As a dark- arts prac;;oner I can broadcast a request, pretending to be someone else Everyone will then think I m them Now I get all their traffic and can do evil

Recall Bartemius Crouch Jr impersona;ng Alastor Moody

Defenses Against ARP Spoofing Sta;c ARP entries Works but inconvenient doesn t scale Force ARP to conform to DHCP Cisco Dynamic ARP Inspec;on (DAI) Doesn t help with sta;c IPs Have to be individually configured Monitoring tools Arpwatch (hop://ee.lbl.gov/) Alerts when ip addresses shil to a new ether address

Intro to TCP Transmission Control Protocol RFC 793 (1981) Provides for delivery of stream of data Reliably In order Bi- direc;onally Between client and server applica9ons Not just hosts like IP

Protocol Rela;onship TCP is known as a transport layer protocol Goes over the network layer protocol (IP) To provide addi;onal services (reliability, etc) Which goes over physical layer (ethernet) TCP segments are nested inside ip packets Nested inside ethernet frames

Ethernet/IP/TCP Nes;ng Ether Header IP Header TCP Header TCP Data TCP Data TCP Data

TCP Header Format

TCP Port Number 2 byte quan;ty (so 65536 possible port #s) Server binds to a fixed port Typically well known (below 1024): HTTP: 80 HTTPS: 443 SMTP: 25 SSH: 22 Client typically is assigned a port by OS High numbered In some high volume situa;ons port numbers wrap aler a while

TCP Connec;ons Name for the bidirec;onal stream Between client applica;on and server applica;on Defined by the fivetuple Source IP Source port Dest IP Dest port Time

How Reliability/In- Order is done Checksums to detect outright transmission error Retransmit if bad 32 bit sequence numbers for each byte To detect missing data Retransmit if doesn t show up aler a while Each segment can Carry some data (indicated by seq number) Acknowledge some data in other direc;on Ack sequence number

Let s work through an example Bytes 1-500 Ack 501 Bytes 1-800, Ack 501 Client Bytes 501-1000, Ack 801 Server Bytes 1501-2000, Ack 801 Ack 1001

TCP 3- way handshake Serves to have client and server agree they are talking Also establishes ini;al sequence numbers In both direc;ons Can t have fixed start (eg zero) Too easy for bad guys if predictable A man in the middle can interfere

Handshake packets Syn Packet Syn- ack Packet Client Ack Packet Normal data exchange Server

Syn Packet First packet in handshake Makes use of TCP flags byte field in header 0x01 FIN (F) 0x02 SYN (S) 0x04 RST (R) 0x08 PSH (P) 0x10 ACK (A) 0x20 URG (U) 0x40 ECE 0x80 CWR

Syn Packet Layout Ini;al seq # for client to server bytes Doesn t maoer Only S (0x02) set Typically none

Syn- ack packet Ini;al seq # for server to client bytes Ack of client - > server ISN +1 S (0x02) A (0x10) set Typically none

Final Handshake Ack Ini;al seq # for client to server bytes+1 Ini;al seq # for server to client bytes+1 Only A (0x10) set Typically none

IP Address Space Different organiza;ons get different amounts Class A: x.0.0.0/8 (2 24 = 16,777,216) x.1.1.1 is in, as is x.254.254.254) Huge org eg (DOD is 11.0.0.0/8 IBM is 9.0.0.0/8) Class B: x.y.0.0/16 (2 16 = 65536) Mid- sized organiza;on eg Cornell has 128.253.0.0/16, 128.84.0.0/16, 132.236.0.0/16 and 140.251.0.0/16 Class C: x.y.z.0/24 (2 8 = 256) Small organiza;ons. Can also have intermediate bitmasks. eg /22

Internal Address Spaces RFC 1918 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 These addresses are not routable They will not be delivered across the Internet Not allowed on there, technically. Need a special translator device at boundary NAT box = Network Address Transla;on Converts them to internet routable addresses

Port Scan Scenarios Bad guy wants to map an address space Old style: across the internet S;ll happens for internet facing servers But rarely can map en;re networks any more Newer style: has a compromised machine on an internal network Wants to know what servers are here? Specifically, which machines have open ports?

Class B Portscan Example 2^16 addresses Say bad guy just scans on port 80 Eg say he knows an IIS or Apache exploit. Send out 2 16 syn packets to port 80 x.y.0.0, x.y.0.1, x.y.0.2, x.y.255.254 Horizontal scan on port 80 See who sends back a syn- ack. Means they have a process answering on port 80. Find all the web servers this way. AOack em! Start with sending an ack pkt to establish conn. Or not if we don t send the 3 rd handshake, system typically won t log. Half- open connec;on

Ver;cal Port Scan of 1 IP Targexng a single IP address. Scan all 2 16 ports. Find all ports answering

What Happens if Port Not Open No machine at all. Typically get an ICMP response from a router Special protocol for Internet error message packets Saying no host at this address Machine but with closed port Typically get a reset packet Like a syn- ack, but with R set instead of S and A Seman;cs stop this immediately Security system (firewall) Silence (depending on configura;on)

Visualizing Scans Port IP Address

Small Piece of a Large Random Scan Port IP Address

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information