The Transport Layer and Implications for Network Monitoring. CS 410/510 Spring 2014



Review Preliminaries: Three Principles of Information Security; The Three A's

Review: Network Protocol Stacks. Application Layer: HTTP, SMTP, ... (send messages to people, send files). Transport Layer: TCP (stream-oriented I/O). Network Layer: IP (sends messages across multiple hops). Data/Link Layer: Ethernet, WiFi, GSM (sends messages over a single hop). Physical Layer: Copper, Fiber, Wireless (transmits bits through space).

Review: The Link Layer (Ethernet, WiFi). Shared broadcast medium. Snooping attacks, spoofing attacks, attacks on TLF bridges (aka switches).

Review: IP (Network Layer). Forwarding based on destination address. Spoofing attacks.

Outline for Today: Security and the Transport Layer; Network Monitoring and Intrusion Detection; Ptacek and Newsham: Insertion and Evasion Attacks.


Transport Layer Role: Provides end-to-end messages. UDP: thin wrapper around IP; connectionless, unreliable. TCP: connection-oriented; reliable data transfer.


UDP: User Datagram Protocol. Idea: Fire and forget. Applications: streaming media (video chat, voice over IP); short, simple messages (TFTP, DNS). Diagram credit: Wikipedia.

UDP: Injection Attack. If we're not careful, protocols that use UDP can be vulnerable to malicious injection (loss of integrity). (Figure: Alice, Bob.)

Example: Voice over IP (VoIP). Let's imagine a really simple VoIP protocol. The sending app records small snippets of audio (say 20ms), and sends each audio snippet in a UDP packet. When the receiving app gets a packet, it immediately plays the sound. No sequence numbers or checksums in the app. (Figure: Alice, Bob.)

UDP Injection Attack: What does the attacker need to do in order to spoof messages from Alice to Bob? Alice's IP address, Bob's IP address, Alice's UDP port number, Bob's UDP port number. Diagram credit: Wikipedia.

Example: Voice over IP (VoIP). Suppose the VoIP protocol only sends packets when the user is speaking. Alice: "I love you". Bob: :)

Example: Voice over IP (VoIP). Now our attacker can inject audio into the call. Attacker, to Bob: "I hate you". Bob: :(

Example: Voice over IP (VoIP). What if both transmit simultaneously (Alice: "I love you"; attacker: "I hate you")? What does Bob actually hear? Answer: Depends on Bob's application code! (Probably a garbled mess, but it could be worse.)


TCP: Transmission Control Protocol. Connection-oriented protocol: connection setup (SYN, SYN/ACK, ACK), connection teardown (FIN, ACK, FIN, ACK). Reliable, in-order data transfer: sequence numbers; positive, cumulative acknowledgements (ACKs); retransmission on timeout.

TCP: Transmission Control Protocol. (Figure: TCP Segment Header.)

TCP: Injection Attacks. Can the attacker still inject arbitrary data? (Figure: Alice's message to Bob, "From: Alice, To: Bob, Subject: Good News"; the attacker's injected "Subject: Bad News".)

Textbook TCP: 3-way Handshake. (1) Flags: SYN, Seq 0, Ack n/a. (2) Flags: SYN/ACK, Seq 0, Ack 0. (3) Seq 0, Ack 0.

Textbook TCP: Data Transfer. (1) Seq 0, Ack 0, Data: "Hi Bob!\r\n". (2) Seq 0, Ack 10, Data: "Hi Alice!\r\n". (3) Seq 10, Ack 12.

Textbook TCP: Recovering from Loss. Sender: Seq 1000, Seq 1100, Seq 1200. Receiver: Seq 905, Ack 1100. (Timeout, or 3x dup ACK.) Sender retransmits Seq 1100. Receiver: Seq 905, Ack 1300.

TCP Injection Attacks. Alice to Bob: Seq 0, Ack 0, Data: "Hi Bob!\r\n". Then Alice receives two segments: from the attacker, Seq 0, Ack 10, Data: "Go away loser!\r\n"; from Bob, Seq 0, Ack 10, Data: "Hi Alice!\r\n". An attacker who can predict TCP sequence numbers can inject data into a victim's input stream. Question: What does Alice see (in the application) as a result of these transmissions?
TCP Injection Attacks. Now the packets are reversed: Bob's "Hi Alice!\r\n" (Seq 0, Ack 10) arrives before the attacker's "Go away loser!\r\n" (Seq 0, Ack 10). Does your answer change?

Inside TCP: What's really going on inside Alice's TCP? (Figure: recv buffer with the recv window.) Segments arrive at Seq 900, Seq 1000, Seq 1100, Seq 1200 and are placed in the buffer by sequence number. Packet loss leaves a gap.


Inside TCP: What's really going on inside Alice's TCP? (Figure: recv window, recv buffer; two segments with Seq 0, Ack 10.) When the attacker's packet arrives first, Bob's packet is bounced, because it's outside the receive window. Similarly, when Bob's packet arrives first, the attacker's packet is bounced, because it's outside the receive window. BUT, the attacker still wins whenever he can deliver his packet first.

Mitigation: Randomize Initial Sequence Numbers. Instead of starting at zero, generate a random number for each new connection. First packet: seq = n. Second packet: seq = n + sizeof(first packet).

TCP: Injection Attacks: Sequence number guessing. If the attacker can guess the random ISN, he can still accomplish his attack. How hard is this in practice? Today (hopefully) it's quite hard, but this was not always so. For more info, see http://lcamtuf.coredump.cx/newtcp/ and http://lcamtuf.coredump.cx/oldtcp/tcpseq.html
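The receive-window behaviour on the preceding slides, written out as an added example that is not code from the lecture: a toy receiver accepts only segments whose sequence number starts inside [rcv_nxt, rcv_nxt + rcv_wnd), so the first segment to arrive at a given sequence number wins and a later one at the same number is bounced, while a random ISN turns an attacker's guess of seq 0 into an out-of-window segment. Two assumptions: 32-bit sequence wraparound is ignored, and a segment starting below rcv_nxt is dropped as an old duplicate, which is the slides' simplification rather than full RFC 793 trimming.

```python
# Toy model of the receive-side check a TCP stack applies to each incoming
# segment. Added for this lecture; not code from the slides. Assumptions:
# 32-bit wraparound is ignored, and a segment that starts below rcv_nxt is
# treated as an old duplicate and dropped, as the slides do (RFC 793 would
# keep any bytes beyond rcv_nxt).
from dataclasses import dataclass, field


@dataclass
class Receiver:
    """Minimal TCP receiver: receive window plus an out-of-order buffer."""
    rcv_nxt: int                 # next in-order sequence number expected
    rcv_wnd: int = 1000          # advertised window size in bytes
    delivered: bytes = b""       # bytes handed to the application, in order
    pending: dict = field(default_factory=dict)   # seq -> out-of-order data

    def in_window(self, seq: int) -> bool:
        return self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd

    def receive(self, seq: int, data: bytes) -> str:
        """Process one segment and report what the receiver did with it."""
        if not self.in_window(seq):
            return "bounced"     # outside the window: dropped, ACK repeated
        self.pending.setdefault(seq, data)   # first arrival at a seq wins
        if seq != self.rcv_nxt:
            return "buffered"    # fills a hole later (loss leaves a gap)
        while self.rcv_nxt in self.pending:  # deliver everything contiguous
            chunk = self.pending.pop(self.rcv_nxt)
            self.delivered += chunk
            self.rcv_nxt += len(chunk)
        return "delivered"


def injection_race(attacker_first: bool) -> bytes:
    """Slide scenario: Alice expects seq 0; Bob's reply and a forged segment
    both carry seq 0. Whichever arrives first is delivered; the other is now
    outside the window and bounced."""
    alice = Receiver(rcv_nxt=0)
    bob = (0, b"Hi Alice!\r\n")
    forged = (0, b"Go away loser!\r\n")          # constructed payload
    for seq, data in ([forged, bob] if attacker_first else [bob, forged]):
        alice.receive(seq, data)
    return alice.delivered


def loss_then_fill() -> list:
    """Slide sequence: 900, 1000, 1200 arrive; 1100 is lost, then arrives."""
    alice = Receiver(rcv_nxt=900)
    segs = [(900, b"A" * 100), (1000, b"B" * 100),
            (1200, b"D" * 100), (1100, b"C" * 100)]
    return [alice.receive(seq, data) for seq, data in segs]


def blind_injection(isn: int, guessed_seq: int) -> str:
    """Mitigation: with a random ISN the forged segment is accepted only if
    the guess falls within rcv_wnd of the true next sequence number."""
    alice = Receiver(rcv_nxt=isn)
    return alice.receive(guessed_seq, b"Go away loser!\r\n")
```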

Visualizing ISN Randomness: Linux 2.2, not too bad. Windows NT 4 SP6, a little worse. Windows 95, pretty bad. Cisco IOS 12.0, really bad. SGI IRIX 6.5, horrible!


Network Monitoring Idea: Attackers may penetrate our border defenses. Let's watch the network to see if we can catch them. Use a host separate from other network functions.

Network Monitoring Intuition: After all, many link layers provide a shared broadcast medium. Data is easy to get. (Or is it?) If the attacker can use this against us, surely we can turn the same technique around on him!

Network Monitoring: Assumptions. The attacker starts outside the network, and must somehow break in to an internal host. The monitor box is off the critical path, but still in a good position to see all packets in & out of the network.


Challenges in Network Monitoring: Two key problems. (1) The monitor and the victims sit at different locations in the network. (2) The monitor and the victims run different software, and thus interpret packets differently.


Insertion Attacks: The attacker can cause the monitor to sound a false alarm. For this example, suppose the attacker is 17 hops away from the monitor, and 20 hops away from the victims. The attacker sends: Src: Attacker, Dst: Victim, TTL: 18, Data: (**^&^#@. At the monitor the packet has TTL: 1. Oh no! ALARM!!! Before it reaches the victim, TTL = 0, so the packet is dropped. Yawn.


Evasion Attacks. Simplest approach: Make the monitor discard the attack packets. Bogus header fields; bogus combinations of fields. All options are fair game, as long as the victim still treats the packet as valid.

Evasion Attacks. More sophisticated attack: Make the monitor and the victim see the same packets differently. Examples: TCP stream reassembly; IP fragmentation.



Inside TCP: What's really going on inside Alice's TCP? (Figure: recv window, recv buffer holding Seq 900, Seq 1000, Seq 1200.) When a packet (Seq 1100) is lost, Alice's TCP has a gap. Arrival of the missing packet fills the gap.

Problems: What's really going on inside Alice's TCP? (Figure: recv window, recv buffer holding Seq 900, Seq 1000, ????, Seq 1200.) What happens when the missing packet overlaps with existing data? The missing packet might arrive as Seq 1100, exactly filling the gap, or as a segment at Seq 1050 that overlaps data already in the buffer.

Problems. Q: What happens when multiple TCP segments overlap? A: It depends on the host TCP implementation. Example: Windows and Linux react very differently.

Problems: (Figure: recv window, recv buffer holding Seq 900, Seq 1000, ????, Seq 1200, and an overlapping segment at Seq 1050.) The attacker can use overlap to disguise the real contents of the TCP connection.


An aside: Why bother? Overlapping TCP segments?!??!! WTF?! What kind of an idiot does that? Why not just drop the connection? Internet philosophy: Be liberal in what you accept and conservative in what you send. Other implementations may do crazy things. For best interoperability, just go with the flow. This approach made the Internet possible.
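The overlap problem and the TTL reasoning from the insertion slides, as one added example that is not from the lecture: reassembling the slides' segments under a "favor old" and a "favor new" policy (constructed policy names, not a model of Windows or Linux) yields two different byte streams, which is exactly what a monitor gets wrong when it uses a different policy from its victim; reaches_victim applies the hop-count arithmetic of the insertion example and assumes the monitor knows its distance to the protected host.

```python
# Reassembly of one TCP stream under two overlap policies, plus the TTL
# check a monitor can apply against insertion. Added for this lecture; not
# code from the slides. Policy names, payloads and hop counts are constructed
# illustrations, not a model of any named operating system.


def reassemble(segments, policy: str) -> bytes:
    """segments: (seq, data) pairs in arrival order.
    'favor_old' keeps the byte that arrived first at each position;
    'favor_new' lets a later overlapping segment overwrite it."""
    byte_at = {}                                   # absolute seq -> byte value
    for seq, data in segments:
        for i, value in enumerate(data):
            pos = seq + i
            if policy == "favor_new" or pos not in byte_at:
                byte_at[pos] = value
    out, pos = bytearray(), min(byte_at)
    while pos in byte_at:                          # stop at the first hole
        out.append(byte_at[pos])
        pos += 1
    return bytes(out)


# Slide scenario: 900, 1000 and 1200 arrive, 1100 is missing, then a segment
# at 1050 both fills the hole and overlaps 50 bytes already in the buffer.
SLIDE_SEGMENTS = [
    (900, b"a" * 100), (1000, b"b" * 100), (1200, b"d" * 100),
    (1050, b"c" * 150),
]


def victim_vs_monitor(victim_policy: str, monitor_policy: str) -> bool:
    """True when a monitor using monitor_policy reconstructs the same bytes
    the victim's stack delivers; False means the stream can be disguised."""
    return (reassemble(SLIDE_SEGMENTS, victim_policy)
            == reassemble(SLIDE_SEGMENTS, monitor_policy))


def reaches_victim(ttl_at_monitor: int, hops_monitor_to_victim: int) -> bool:
    """Insertion check: a segment the monitor sees with this remaining TTL
    only arrives if the TTL outlasts the hops still ahead of it. Assumes the
    monitor knows its hop distance to the protected host."""
    return ttl_at_monitor > hops_monitor_to_victim
```

With the slides' numbers (TTL 18 sent, 17 hops to the monitor, 20 to the victim) the monitor sees TTL 1 with 3 hops still to go, so the segment should not be reassembled into the victim's stream.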

Same problem, but worse: IP Fragmentation. Perhaps the bigger concern is IP fragmentation. Remember, IP packets can be broken up in flight if they're too big for some hop. Endpoints have no guarantee as to how the packets are sliced & diced in transit.

Announcements: Submit an SSH public key for Git access. Use the Public Keys dropbox on D2L. Do this by 10pm tomorrow, Wednesday Apr 9th.

Lab 01 Walk-through with Wireshark; dpkt preliminaries.