CSE 127: Computer Security. Network Security. Kirill Levchenko

Similar documents
Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

Solution of Exercise Sheet 5

How do I get to

Packet Sniffing on Layer 2 Switched Local Area Networks

Chapter 8 Security Pt 2

CS5008: Internet Computing

Attack Lab: Attacks on TCP/IP Protocols

Networking Attacks: Link-, IP-, and TCP-layer attacks. CS 161: Computer Security Prof. David Wagner

Protocol Rollback and Network Security

CSCE 465 Computer & Network Security

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP

Unix System Administration

Ethernet. Ethernet. Network Devices

Networks: IP and TCP. Internet Protocol

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Domain Name System (DNS) Fundamentals

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

TCP/IP Security Problems. History that still teaches

Networking Test 4 Study Guide

Domain Name System. DNS is an example of a large scale client-server application. Copyright 2014 Jim Martin

Network Security TCP/IP Refresher

Introduction to Analyzer and the ARP protocol

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

Security vulnerabilities in the Internet and possible solutions

CS 3251: Computer Networking 1 Security Protocols I

TCP/IP Fundamentals. OSI Seven Layer Model & Seminar Outline

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

DNS at NLnet Labs. Matthijs Mekking

Network Traffic Evolution. Prof. Anja Feldmann, Ph.D. Dr. Steve Uhlig

Domain Name System (DNS) Session-1: Fundamentals. Ayitey Bulley

Network Fundamentals Carnegie Mellon University

DNS, DNSSEC and DDOS. Geoff Huston APNIC February 2014

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas

Linux Network Security

IP network tools & troubleshooting. AFCHIX 2010 Nairobi, Kenya October 2010

First Workshop on Open Source and Internet Technology for Scientific Environment: with case studies from Environmental Monitoring

TCP SYN Flood - Denial of Service Seung Jae Won University of Windsor wons@uwindsor.ca

Introduction to IP networking

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

netkit lab dns Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group Version Author(s)

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

How To Attack Isc.Org.Org With A Dnet On A Network With A Pnet On The Same Day As A Dbus On A Pc Or Ipnet On An Ipnet.Org On A 2.5Th Gen.Net

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

LECTURE 4 NETWORK INFRASTRUCTURE

8.2 The Internet Protocol

Computer Networks/DV2 Lab

CYBER ATTACKS EXPLAINED: THE MAN IN THE MIDDLE

UPPER LAYER SWITCHING

How To Protect A Dns Authority Server From A Flood Attack

DNS Pharming Attack Lab

Content Distribution Networks (CDN)

RARP: Reverse Address Resolution Protocol

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

Chapter 9. IP Secure

Application. Transport. Network. Data Link. Physical. Network Layers. Goal

IP - The Internet Protocol

A Very Incomplete Diagram of Network Attacks

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Network Security I: Overview

What is a DoS attack?

Network Layers. CSC358 - Introduction to Computer Networks

The role of JANET CSIRT

VLAN und MPLS, Firewall und NAT,

Internet Control Protocols Reading: Chapter 3

Overview of TCP/IP. TCP/IP and Internet

IPv6 Associated Protocols

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

TCP/IP Networking An Example

Internet-Praktikum I Lab 3: DNS

Predictability of Windows DNS resolver. ing. Roberto Larcher robertolarcher@hotmail.com

Enabling DNS for IPv6 CSD Fall 2011

ARP and DNS. ARP entries are cached by network devices to save time, these cached entries make up a table

Guide to TCP/IP, Third Edition. Chapter 3: Data Link and Network Layer TCP/IP Protocols

A S B

Security Technology White Paper

ACHILLES CERTIFICATION. SIS Module SLS 1508

Scapy. On-the-fly Packet Generation by Dienstag, 10. Januar 12

Internetworking. Problem: There is more than one network (heterogeneity & scale)

Network Programming TDC 561

Transport and Network Layer

IPv6 Trace Analysis using Wireshark Nalini Elkins, CEO Inside Products, Inc.

Network-Oriented Software Development. Course: CSc4360/CSc6360 Instructor: Dr. Beyah Sessions: M-W, 3:00 4:40pm Lecture 2

Mobile IP Network Layer Lesson 02 TCP/IP Suite and IP Protocol

Port Use and Contention in PlanetLab

IP address format: Dotted decimal notation:

1. LAB SNIFFING LAB ID: 10

Understanding Layer 2, 3, and 4 Protocols

Security of IPv6 and DNSSEC for penetration testers

Connecting to and Setting Up a Network

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace

Measurement of the Usage of Several Secure Internet Protocols from Internet Traces

The Myth of Twelve More Bytes. Security on the Post- Scarcity Internet

Transcription:

CSE 127: Computer Security Network Security Kirill Levchenko December 4, 2014

Network Security Original TCP/IP design: Trusted network and hosts Hosts and networks administered by mutually trusted parties 15 years ago: Hosts can t be trusted Anyone can connect to public Internet Untrusted insiders on internal networks Today: Network can t be trusted either Wifi has taken the last shred of trust we had in network

Trust that Network protocols used only as intended Packet headers filled out correctly Rate limiting of costly operations Hosts controlled by trusted administrators Control of access to network by untrusted parties Correct information reported by hosts Protocols implemented correctly

Attacker Models Access to network via sockets (unprivileged ports) Unprivileged user on Unix system connected to network Direct access to network Superuser on Unix system connected to network Man in the middle (read and write only): attacker can see other traffic, inject her own packets Man in the middle: attacker can also block other traffic Unprotected Wifi network

Secrecy Who can see the packets you send? Network (routers, switches, access points, etc.) Unprotected WiFi network: everyone WPA2 Personal (PSK): everyone on same network Non-switched Ethernet: everyone on same network Switched Ethernet: maybe everyone on same network Assume anyone can see your traffic

No Authentication TCP/IP offers no authentication of packets Source address in IP header set by sender Attacker with direct access to network (including MitM) can spoof source address Spoof: forge, set to arbitrary value Connectionless protocols (UDP) especially vulnerable

TCP Connection Spoofing A B 10.0.0.2 10.0.0.3 E What prevents Eve from impersonating Alice to Bob? (Assume alice has direct network access)

TCP Connection Spoofing Eve needs to complete the TCP three-way handshake between Alice and Bob Eve can t see traffic between Alice and Bob TCP off-path attack

Three-Way Handshake source: Wikipedia

Three-Way Handshake Eve does not see Bob s response source: Wikipedia

TCP Connection Spoofing Eve needs to complete the TCP three-way handshake between Alice and Bob Eve can t see traffic between Alice and Bob TCP off-path attack Eve needs to guess initial sequence number y in order to correctly ACK Bob s SYN

source: nmap.org

TCP Connection Spoofing The sequence number field is 32 bits Early implementations just incremented a global counter used to initialize sequence numbers for TCP connections RFC 793 requires counter incrementing every 4 µs (250 khz) Early BSD kernels incremented by a large constant every second Later pseudo-random number generators were used PRNGs were still global, weaknesses allowed guessing

TCP Connection Spoofing Kevin Mitnick caught (in part) because of TCP spoofing attack Mitnick attacked Tsutomu Shimomura s computers in San Diego

ARP How does the link layer (e.g. Ethernet) know where to send an IP packet? Need a way to associate IP addresses with link-layer addresses (e.g. Ethernet MAC addresses) Address Resolution Protocol (ARP) used to query hosts on local network to get MAC address for an IP address

ARP Alice (looking for Bob s IP) broadcasts: What is the MAC address of 10.0.0.3? Bob sees broadcast and replies: The MAC address of 10.0.0.3 is 01:02:03:04:05:06. Alice sends IP packet for 10.0.0.3 in an Ethernet frame to 01:02:03:04:05:06.

ARP operation (case: destination is on the same physical network) 7-4 Link The MAC address of destination is broadcast address: 0xFFFFFFFFFFFF IP = 141.23.56.23 McGraw-Hill The McGraw-Hill Companies, Inc., 2000

(Ethernet = 6) ARP packet (Ethernet = 1) IPv4 = 4 4 bytes IPv4 = 0x0800 7-5 Opcode (1 = request, 2 = reply) 18 byte padding (to make frame payloads equal to 46 bytes) McGraw-Hill The McGraw-Hill Companies, Inc., 2000

ARP in Action % sudo tcpdump -v -n -i en0 tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes 10:18:46.827423 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 132.239.17.70 tell 132.239.17.1, length 46 10:18:47.026680 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 132.239.17.6 tell 132.239.17.1, length 46 10:18:47.055478 IP (tos 0x0, ttl 111, id 1534, offset 0, flags [none], proto UDP (17 67.183.107.84.27222 > 132.239.17.19.6881: UDP, length 101 % arp -a cse-hazard-gateway.ucsd.edu (132.239.17.1) at 10:8c:cf:57:10:0 on en0 ifscope [ethernet] xor.ucsd.edu (132.239.17.5) at 0:1b:21:42:80:20 on en0 ifscope [ethernet] cselab1.ucsd.edu (132.239.17.111) at 0:22:19:58:2d:d on en0 ifscope [ethernet] 3dic.ucsd.edu (132.239.17.196) at d4:be:d9:ca:a2:16 on en0 ifscope [ethernet] coke.ucsd.edu (132.239.17.244) at 0:1c:c4:d:90:a8 on en0 ifscope [ethernet]

ARP Spoofing Anyone can send an ARP reply Attacker on the network can impersonate any other host Mitigation Fixed ARP tables: impractical for ann but small fixed networks Port binding on switch: restrict MAC and IP addresses allowed on a physical port switch Higher level host authentication E.g. SSH or SSL

DNS DNS uses UDP as transport No authentication of content Attacker can spoof a reply Off-path: need to know port and identifier Extra records: attacker adds additional records

DNS Packet

DNS Alice sends DNS request to her DNS server: What is the IP address of bob.ucsd.edu? Alice sends DNS request to her DNS server: What is the IP address of bob.ucsd.edu?

DNS in Action % dig +qr bob.ucsd.edu ; <<>> DiG 9.6-ESV-R4-P3 <<>> +qr bob.ucsd.edu ;; global options: +cmd ;; Sending: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30439 ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;bob.ucsd.edu.!!! IN! A

;; Query time: 0 msec ;; SERVER: 132.239.0.252#53(132.239.0.252) DNS in Action ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30439 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6 ;; QUESTION SECTION: ;bob.ucsd.edu.!!! IN! A ;; ANSWER SECTION: bob.ucsd.edu.!! 3600! IN! A! 132.239.80.176 ;; AUTHORITY SECTION: ucsd.edu.!! 3600! IN! NS! ns0.ucsd.edu. ucsd.edu.!! 3600! IN! NS! ns1.ucsd.edu. ucsd.edu.!! 3600! IN! NS! ns2.ucsd.edu. ;; ADDITIONAL SECTION: ns0.ucsd.edu.!! 3600! IN! A! 132.239.1.51 ns0.ucsd.edu.!! 3600! IN! AAAA! 2607:f720:100:100::231 ns1.ucsd.edu.!! 3600! IN! A! 128.54.16.2 ns1.ucsd.edu.!! 3600! IN! AAAA! 2607:f720:300:202::102 ns2.ucsd.edu.!! 3600! IN! A! 132.239.1.52 ns2.ucsd.edu.!! 3600! IN! AAAA! 2607:f720:300:202::52

source: http://anouar.adlani.com/2011/12/useful-dig-command-to-troubleshot-your-domains.html

DNS Cache Poisoning DNS servers will cache replies up to the DNS result TTL An attacker needs to inject false reply into cache Off-path: need to guess identifier in query On-path: vulnerable DNS recursive resolver

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information