The Transport Layer and Implications for Network Monitoring. CS 410/510, Spring 2014
Review Preliminaries: Three Principles of Information Security; The Three A's
Review: Network Protocol Stacks
Review: Network Protocol Stacks. Application Layer: HTTP, SMTP, ... (send messages to people, send files). Transport Layer: TCP (stream-oriented I/O). Network Layer: IP (sends messages across multiple hops). Data/Link Layer: Ethernet, WiFi, GSM (sends messages over a single hop). Physical Layer: copper, fiber, wireless (transmits bits through space).
Review: The Link Layer (Ethernet, WiFi). Shared broadcast medium. Snooping attacks. Spoofing attacks. Attacks on TLF bridges (aka switches).
Review: IP (Network Layer). Forwarding based on destination address. Spoofing attacks.
Outline for Today: Security and the Transport Layer; Network Monitoring and Intrusion Detection; Ptacek and Newsham: Insertion and Evasion Attacks
Transport Layer. Role: provides end-to-end messages. UDP: thin wrapper around IP; connectionless, unreliable. TCP: connection-oriented; reliable data transfer.
UDP: User Datagram Protocol. Idea: fire and forget. Applications: streaming media (video chat, voice over IP); short, simple messages (TFTP, DNS). Diagram credit: Wikipedia
UDP: Injection Attack. If we're not careful, protocols that use UDP can be vulnerable to malicious injection (loss of integrity).
Example: Voice over IP (VoIP). Let's imagine a really simple VoIP protocol. The sending app records small snippets of audio (say 20ms) and sends each audio snippet in a UDP packet. When the receiving app gets a packet, it immediately plays the sound. No sequence numbers or checksums in the app.
UDP Injection Attack. What does the attacker need to do in order to spoof messages from Alice to Bob? He needs Alice's IP address, Bob's IP address, Alice's UDP port number, and Bob's UDP port number. Diagram credit: Wikipedia
Example: Voice over IP (VoIP). Suppose the VoIP protocol only sends packets when the user is speaking. Alice -> Bob: "I love you" (Bob smiles)
Example: Voice over IP (VoIP). Now our attacker can inject audio into the call. Attacker -> Bob: "I hate you" (Bob frowns)
Example: Voice over IP (VoIP). What if both transmit simultaneously? Alice: "I love you"; attacker: "I hate you". What does Bob actually hear? Answer: depends on Bob's application code! (Probably a garbled mess, but it could be worse.)
Transport Layer. Role: provides end-to-end messages. UDP: thin wrapper around IP; connectionless, unreliable. TCP: connection-oriented; reliable data transfer.
TCP: Transmission Control Protocol. Connection-oriented protocol: connection setup (SYN, SYN/ACK, ACK), connection teardown (FIN, ACK, FIN, ACK). Reliable, in-order data transfer: sequence numbers; positive, cumulative acknowledgements (ACKs); retransmission on timeout.
TCP: Transmission Control Protocol TCP Segment Header
TCP: Injection Attacks. Can the attacker still inject arbitrary data? Alice -> Bob: From: Alice, To: Bob, Subject: Good News. Attacker -> Bob: Subject: Bad News.
Textbook TCP: 3-way Handshake. Alice -> Bob: Flags: SYN, Seq 0, Ack n/a. Bob -> Alice: Flags: SYN/ACK, Seq 0, Ack 0. Alice -> Bob: Seq 0, Ack 0 (the final ACK).
Textbook TCP: Data Transfer. Alice -> Bob: Seq 0, Ack 0, Data: Hi Bob!\r\n. Bob -> Alice: Seq 0, Ack 10, Data: Hi Alice!\r\n. Alice -> Bob: Seq 10, Ack 12.
Textbook TCP: Recovering from Loss. Sender transmits Seq 1000, Seq 1100, Seq 1200; the Seq 1100 segment is lost. Receiver replies Seq 905, Ack 1100. After a timeout (or 3x duplicate ACK) the sender retransmits Seq 1100. Receiver replies Seq 905, Ack 1300.
TCP Injection Attacks. Alice -> Bob: Seq 0, Ack 0, Data: Hi Bob!\r\n. Attacker -> Alice: Seq 0, Ack 10, Data: Go away loser! \r\n. Bob -> Alice: Seq 0, Ack 10, Data: Hi Alice!\r\n. An attacker who can predict TCP sequence numbers can inject data into a victim's input stream. Question: What does Alice see (in the application) as a result of these transmissions?
TCP Injection Attacks. Alice -> Bob: Seq 0, Ack 0, Data: Hi Bob!\r\n. Bob -> Alice: Seq 0, Ack 10, Data: Hi Alice!\r\n. Attacker -> Alice: Seq 0, Ack 10, Data: Go away loser! \r\n. An attacker who can predict TCP sequence numbers can inject data into a victim's input stream. Now the packets are reversed. Does your answer change?
Inside TCP: What's really going on inside Alice's TCP? Alice keeps a receive buffer; the receive window is the portion of it she is currently willing to accept. Incoming segments (Seq 900, Seq 1000, Seq 1100, Seq 1200) are placed in the buffer by sequence number. Packet loss leaves a gap.
Inside TCP: What's really going on inside Alice's TCP? Both the attacker's segment and Bob's segment carry Seq 0, Ack 10. When the attacker's packet arrives first, Bob's packet is bounced, because it's outside the receive window. Similarly, when Bob's packet arrives first, the attacker's packet is bounced, because it's outside the receive window. BUT the attacker still wins whenever he can deliver his packet first.
Mitigation: Randomize Initial Sequence Numbers. Instead of starting at zero, generate a random number for each new connection. First packet: seq = n. Second packet: seq = n + sizeof(first packet).
TCP: Injection Attacks. Sequence number guessing: if the attacker can guess the random ISN, he can still accomplish his attack. How hard is this in practice? Today (hopefully) it's quite hard, but this was not always so. For more info, see http://lcamtuf.coredump.cx/newtcp/ and http://lcamtuf.coredump.cx/oldtcp/tcpseq.html
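The receive-window race above and the ISN mitigation, replayed in a toy receiver. This is an added example, not code from the lecture: the window size, payloads and ISN are constructed, and 32-bit sequence wraparound is ignored.

```python
from dataclasses import dataclass
import secrets


@dataclass
class Segment:
    seq: int
    data: bytes


@dataclass
class Receiver:
    rcv_nxt: int = 0      # left edge of the receive window: the next byte expected
    rcv_wnd: int = 4096   # how many bytes beyond rcv_nxt Alice will still accept
    stream: bytes = b""   # what Alice's application eventually reads

    def in_window(self, seg: Segment) -> bool:
        """RFC 793 test: some byte of the segment lies in [rcv_nxt, rcv_nxt + rcv_wnd)."""
        first, last = seg.seq, seg.seq + len(seg.data) - 1
        lo, hi = self.rcv_nxt, self.rcv_nxt + self.rcv_wnd
        return lo <= first < hi or lo <= last < hi

    def deliver(self, seg: Segment) -> bool:
        """Queue the segment if it is in the window and in order; otherwise bounce it.
        Toy simplification: real stacks trim the already-received head of a partially
        overlapping segment instead of dropping it, the overlap ambiguity covered later."""
        if not self.in_window(seg) or seg.seq != self.rcv_nxt:
            return False
        self.stream += seg.data
        self.rcv_nxt += len(seg.data)
        return True


# Constructed segments from the slides: both claim sequence number 0 (the ISN).
BOB = Segment(0, b"Hi Alice!\r\n")
ATTACKER = Segment(0, b"Go away loser!\r\n")


def race(first: Segment, second: Segment, isn: int = 0) -> bytes:
    """Deliver two competing segments in this order and return what Alice reads."""
    alice = Receiver(rcv_nxt=isn)
    alice.deliver(first)
    alice.deliver(second)
    return alice.stream


if __name__ == "__main__":
    print(race(BOB, ATTACKER))    # b'Hi Alice!\r\n': the attacker's duplicate is bounced
    print(race(ATTACKER, BOB))    # b'Go away loser!\r\n': Bob's packet is bounced
    # Mitigation from the slides: with a random ISN a guess of 0 lands outside the window.
    isn = secrets.randbelow(2**31) + 4096   # constructed; stays clear of 32-bit wraparound
    print(race(ATTACKER, Segment(isn, BOB.data), isn))   # b'Hi Alice!\r\n'
```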
Visualizing ISN Randomness. Linux 2.2: not too bad. Windows NT 4 SP6: a little worse. Windows 95: pretty bad. Cisco IOS 12.0: really bad. SGI IRIX 6.5: horrible!
Outline for Today: Security and the Transport Layer; Network Monitoring and Intrusion Detection; Ptacek and Newsham: Insertion and Evasion Attacks
Network Monitoring Idea. Attackers may penetrate our border defenses. Let's watch the network to see if we can catch them. Use a host separate from other network functions.
Network Monitoring Intuition. After all, many link layers provide a shared broadcast medium. Data is easy to get. (Or is it?) If the attacker can use this against us, surely we can turn the same technique around on him!
Network Monitoring: Assumptions. The attacker starts outside the network and must somehow break in to an internal host. The monitor box is off the critical path, but still in a good position to see all packets in and out of the network.
Outline for Today: Security and the Transport Layer; Network Monitoring and Intrusion Detection; Ptacek and Newsham: Insertion and Evasion Attacks
Challenges in Network Monitoring. Two key problems: the monitor and the victims sit at different locations in the network; the monitor and the victims run different software, and thus interpret packets differently.
Insertion Attacks. The attacker can cause the monitor to sound a false alarm. For this example, suppose the attacker is 17 hops away from the monitor and 20 hops away from the victim. The attacker sends: Src: Attacker, Dst: Victim, TTL: 18, Data: (**^&^#@. The packet reaches the monitor with TTL: 1. Monitor: "Oh no! ALARM!!!" At the next router the TTL reaches 0, so the packet is dropped before it ever reaches the victim. Victim: "Yawn."
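The TTL scenario above, from the monitor's side, as an added example that is not part of the lecture. It assumes the monitor knows its own hop distance to the victim (set here to the constructed value 3, matching 17 versus 20 hops); the packets and signature string are constructed from the slide.

```python
from dataclasses import dataclass

SIGNATURE = b"(**^&^#@"        # the "bad" byte string from the slide
HOPS_MONITOR_TO_VICTIM = 3     # constructed: routers between the monitor's tap and the victim


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int      # TTL as observed at the monitor (already decremented by every router so far)
    data: bytes


def reaches_victim(pkt: Packet, hops_left: int = HOPS_MONITOR_TO_VICTIM) -> bool:
    """Each remaining router decrements TTL and drops the packet at zero, so it
    arrives only if more TTL is left than routers remain on the path."""
    return pkt.ttl > hops_left


def naive_monitor(pkts):
    """Alerts on every packet whose payload carries the signature."""
    return [p for p in pkts if SIGNATURE in p.data]


def ttl_aware_monitor(pkts, hops_left: int = HOPS_MONITOR_TO_VICTIM):
    """Returns (alerts, insertions): signature hits the victim will actually see,
    and signature hits that can never reach it. The latter are still worth logging,
    as evidence that someone is probing the monitor, but not as the attack itself."""
    alerts, insertions = [], []
    for p in pkts:
        if SIGNATURE in p.data:
            (alerts if reaches_victim(p, hops_left) else insertions).append(p)
    return alerts, insertions


# Constructed capture. The slide's packet left the attacker with TTL 18 and
# arrives at the monitor with TTL 1, 17 hops later; the others have plenty left.
CAPTURE = [
    Packet("attacker", "victim", 1, SIGNATURE),              # dies one router past the monitor
    Packet("attacker", "victim", 47, b"GET / HTTP/1.0\r\n"),  # benign, reaches the victim
    Packet("attacker", "victim", 47, SIGNATURE),             # would genuinely reach the victim
]

if __name__ == "__main__":
    print(len(naive_monitor(CAPTURE)), "alarm(s) from the naive monitor")          # 2
    alerts, inserted = ttl_aware_monitor(CAPTURE)
    print(len(alerts), "real alarm(s),", len(inserted), "suspected insertion(s)")  # 1, 1
```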
Challenges in Network Monitoring. Two key problems: the monitor and the victims sit at different locations in the network; the monitor and the victims run different software, and thus interpret packets differently.
Evasion Attacks. Simplest approach: make the monitor discard the attack packets. Bogus header fields; bogus combinations of fields. All options are fair game, as long as the victim still treats the packet as valid.
Evasion Attacks. More sophisticated attack: make the monitor and the victim see the same packets differently. Examples: TCP stream reassembly; IP fragmentation.
Textbook TCP: Recovering from Loss. Sender transmits Seq 1000, Seq 1100, Seq 1200; the Seq 1100 segment is lost. Receiver replies Seq 905, Ack 1100. After a timeout (or 3x duplicate ACK) the sender retransmits Seq 1100. Receiver replies Seq 905, Ack 1300.
Inside TCP: What's really going on inside Alice's TCP? Receive window, receive buffer. Segments Seq 900, Seq 1000, Seq 1200 arrive in turn; when the Seq 1100 packet is lost, Alice's TCP has a gap. Arrival of the missing packet fills the gap.
Problems: What's really going on inside Alice's TCP? Receive window, receive buffer: Seq 900, Seq 1000, [gap], Seq 1200. What happens when the missing packet overlaps with existing data? For instance, when the late segment arrives as Seq 1100, or as Seq 1050, overlapping the tail of the Seq 1000 segment?
Problems. Q: What happens when multiple TCP segments overlap? A: It depends on the host TCP implementation. Example: Windows and Linux react very differently.
Problems. Receive window, receive buffer: Seq 900, Seq 1000, Seq 1200, plus an overlapping Seq 1050. The attacker can use overlap to disguise the real contents of the TCP connection.
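The overlap problem from the slides, as an added example rather than lecture code: a small reassembler with two constructed overlap policies, plus the check a monitor can run to find where overlapping segments disagree. The segment boundaries (Seq 900, 1000, 1200, then a late Seq 1050) follow the slides; the payload bytes are constructed.

```python
def reassemble(segments, policy):
    """Rebuild a byte stream from (seq, data) pairs.
    "favor_old": bytes already queued win (the first arrival sticks).
    "favor_new": a later segment overwrites what was queued.
    Real stacks differ in this choice (the slide's Windows-vs-Linux point); these two
    policies are constructed for illustration, not a claim about any particular OS."""
    if policy not in ("favor_old", "favor_new"):
        raise ValueError(policy)
    stream = {}                       # absolute sequence number -> byte value
    for seq, data in segments:
        for i, b in enumerate(data):
            pos = seq + i
            if policy == "favor_new" or pos not in stream:
                stream[pos] = b
    start, out = min(stream), bytearray()
    while start + len(out) in stream:  # deliver contiguous bytes, stop at the first hole
        out.append(stream[start + len(out)])
    return bytes(out)


def conflicts(segments):
    """Return (first, last) sequence ranges where two segments carry different bytes
    for the same position. A monitor that sees such a range cannot know what the host
    read without knowing the host's policy, so this, not only the signature match,
    is the condition to alert on."""
    seen, bad = {}, set()
    for seq, data in segments:
        for i, b in enumerate(data):
            pos = seq + i
            if pos in seen and seen[pos] != b:
                bad.add(pos)
            seen.setdefault(pos, b)
    ranges, run = [], []
    for pos in sorted(bad):
        if run and pos != run[-1] + 1:
            ranges.append((run[0], run[-1]))
            run = []
        run.append(pos)
    if run:
        ranges.append((run[0], run[-1]))
    return ranges


# Constructed segments, 100 bytes each: Seq 1100 is lost, then a late 150-byte segment
# at Seq 1050 both fills the gap and overlaps the second half of the Seq 1000 segment.
SEGMENTS = [(900, b"A" * 100), (1000, b"B" * 100), (1200, b"D" * 100), (1050, b"X" * 150)]

if __name__ == "__main__":
    for pol in ("favor_old", "favor_new"):
        print(pol, reassemble(SEGMENTS, pol)[150:200])   # bytes 1050..1099: all B vs all X
    print("conflicting ranges:", conflicts(SEGMENTS))    # [(1050, 1099)]
```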
An aside: Why bother? Overlapping TCP segments?!??!! WTF?! What kind of an idiot does that? Why not just drop the connection? Internet philosophy: be liberal in what you accept and conservative in what you send. Other implementations may do crazy things; for best interoperability, just go with the flow. This approach made the Internet possible.
Same problem, but worse: IP Fragmentation. Perhaps the bigger concern is IP fragmentation. Remember, IP packets can be broken up in flight if they're too big for some hop. Endpoints have no guarantee as to how the packets are sliced and diced in transit.
Announcements. Submit an SSH public key for Git access. Use the Public Keys dropbox on D2L. Do this by 10pm tomorrow, Wednesday Apr 9th.
Lab 01: Walk-through with Wireshark; dpkt preliminaries