NETE4630 Network Layer Security, Lecture 4. Supakorn Kungpisdan, supakorn@mut.ac.th

Posted 25-Dec-2015

Page 1: NETE46301 Network Layer Security Lecture 4 Supakorn Kungpisdan supakorn@mut.ac.th


Page 2: Overview

• IP, ICMP, and routing protocols

• IP is connectionless and subject to DoS

• ICMP can be used by attackers

• Routing protocols are subject to stack attacks

Page 3: Roadmap

• Attacking the Network Layer

• Defending the Network Layer

Page 4: IP Attacks

• Spoofing

• Fragmentation

• Passive and Active Fingerprinting

• Port Scanning

• Redirection

Page 5: Spoofing

• Local spoofing and blind spoofing

• Local spoofing: attacker and victim are on the same subnet

• The attacker begins by sniffing traffic to find the key pieces of information needed to launch an attack

• Session hijacking is another spoofing technique
– The attack starts at the transport layer

Page 6: Spoofing (cont.)

• Blind spoofing: attacker is not on the same local subnet as victim

• More sophisticated and advanced attack

• Many pieces of information needed to be successful are not available; the key parameters must be guessed

• Most modern OSes use fairly random sequence numbers, making the attack difficult to launch

Page 7: Fragmentation

• Fragmentation is required when transmitting packets across networks that have different MTUs

• Evasion attack: sends packets to an IDS and target that will be rejected by the IDS and accepted by the target

• The idea is to send different data streams to each device

• Insertion attack: sends packets to an IDS and target device that will be accepted by the IDS and rejected by the target

Page 8: IP Fragmentation (figure only)

Page 9: Evasion Attack

• An attacker sends the first fragment to an IDS that has a fragmentation timeout of 15 s, while target system has a timeout of 30 s

• The attacker waits more than 15 s but less than 30 s before sending the second fragment.

• The IDS discards the second fragment (and the first) because its timeout has been reached

• However, the target system accepts the second fragment (it arrives within the target's timeout)

• Thus, the IDS will not record this attack

Page 10: Fragmentation Attacks

• Overlapping fragments can offer an attacker a means of slipping packets past an IDS or firewall

• Example: sending a packet through a Cisco router to a Windows-based system

• When it receives a duplicate fragment, the Cisco router prefers the last fragment, whereas Windows prefers the original fragment

Page 11: Fragmentation Attacks (cont.)

• An attacker breaks a message into 3 fragments

• He sends fragments 1 and 2 to both the router and Windows; both accept the fragments

• He then sends fragments 2 and 3; the retransmitted fragment 2 has the same size and offset as the original fragment but a different payload

• Windows keeps the original fragment 2, but the router keeps the retransmitted one

Page 12: Fragmentation Attacks (cont.)

Attacker's message:   #1  #2  #3
Sent first:           #1  #2         Windows and router accept #1 and #2
Sent next:            #2' #3         attacker modifies #2 (shown as #2') and transmits #2' and #3
Windows keeps:        #1  #2  #3     (original #2)
Router keeps:         #1  #2' #3     (modified #2)
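The two fragmentation problems on slides 9 to 12 come down to one defensive point: an IDS only sees what the target sees if it reassembles with the target's timeout and the target's overlap policy. The following toy reassembler, added here as an example and not part of the lecture, replays both scenarios. The fragment layout (offset, payload, more-fragments flag), the policy names "first" and "last", and the payloads are simplified assumptions made for this example.

```python
"""Toy IP fragment reassembler for the timeout evasion and overlap scenarios.

Added example, not lecture code.  A fragment is (offset, payload, more flag);
a device is described only by its reassembly timeout and by whether it keeps
the first or the last copy of a fragment that arrives twice.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Fragment:
    offset: int       # byte offset of this payload inside the datagram
    payload: bytes
    more: bool        # More-Fragments flag; False marks the final fragment


@dataclass
class Reassembler:
    """Reassembly state for one datagram on one device.

    policy  : "first" keeps the copy already held (Windows on slide 10),
              "last" lets a retransmitted copy overwrite it (Cisco router).
    timeout : seconds a partial datagram is held before being discarded.
    """
    policy: str
    timeout: float
    frags: Dict[int, bytes] = field(default_factory=dict)
    first_seen: Optional[float] = None
    total_len: Optional[int] = None

    def receive(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Accept one fragment at time `now`; return the datagram when complete."""
        # Expiry discards the whole partial datagram, not only the late fragment:
        # that is what makes the IDS on slide 9 lose both pieces.
        if self.first_seen is not None and now - self.first_seen > self.timeout:
            self.frags.clear()
            self.first_seen = None
            self.total_len = None
        if self.first_seen is None:
            self.first_seen = now
        if frag.offset in self.frags and self.policy == "first":
            pass                                  # keep the original copy
        else:
            self.frags[frag.offset] = frag.payload
        if not frag.more:
            self.total_len = frag.offset + len(frag.payload)
        return self._complete()

    def _complete(self) -> Optional[bytes]:
        if self.total_len is None:
            return None
        data = bytearray()
        for off in sorted(self.frags):
            if off != len(data):
                return None                       # a hole remains
            data += self.frags[off]
        return bytes(data) if len(data) == self.total_len else None


def timeout_evasion(delay: float, ids_timeout: float = 15.0,
                    target_timeout: float = 30.0) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Slide 9: the same two fragments, the second sent `delay` seconds later.

    Returns (what the IDS reassembled, what the target reassembled).
    """
    ids = Reassembler("first", ids_timeout)
    target = Reassembler("first", target_timeout)
    f1 = Fragment(0, b"HELLO ", True)
    f2 = Fragment(6, b"WORLD", False)
    ids.receive(f1, 0.0)
    target.receive(f1, 0.0)
    return ids.receive(f2, delay), target.receive(f2, delay)


def overlap_ambiguity() -> Dict[str, Optional[bytes]]:
    """Slides 11-12: fragment #2 is retransmitted with the same offset and size
    but a different payload; a first-copy host and a last-copy router disagree."""
    devices = {"windows": Reassembler("first", 30.0), "router": Reassembler("last", 30.0)}
    f1, f2, f2_mod, f3 = (Fragment(0, b"AAAA", True), Fragment(4, b"BBBB", True),
                          Fragment(4, b"XXXX", True), Fragment(8, b"CCCC", False))
    result = {}
    for name, dev in devices.items():
        dev.receive(f1, 0.0)
        dev.receive(f2, 0.1)
        dev.receive(f2_mod, 0.2)      # attacker's modified #2
        result[name] = dev.receive(f3, 0.3)
    return result


if __name__ == "__main__":
    print(timeout_evasion(delay=20.0))   # IDS sees nothing, target sees b'HELLO WORLD'
    print(overlap_ambiguity())           # windows: AAAABBBBCCCC, router: AAAAXXXXCCCC
```

With a 20 s gap the IDS returns None while the target completes the datagram; with a 10 s gap both complete it. In the overlap case the two devices hold different bytes at offset 4, which is why an IDS has to know which reassembly policy each protected host uses (target-based reassembly) rather than picking one policy for everyone.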

Page 13: Teardrop Attack

• Teardrop, Targa, NewTear, Nestea, Bonk, Boink, TearDrop2, and SynDrop are some of the tools that can crash machines that have a vulnerability in the IP stack

• There is a fragmentation bug in the IP stack implementation of some old Linux kernels (2.0), Windows NT, and Windows 95

• They send malformed packets with the fragmentation offset value tweaked so that the received fragments overlap

• A reboot solved the problem until the next attack

Page 14: Teardrop Attack (cont.) (figure only)

Page 15: Fingerprinting

• Fingerprinting is the act of using peculiarities of IP, TCP, UDP, and ICMP to determine the operating system
– Not only the OS, but also the specific version

• Active and passive fingerprinting

• Active fingerprinting: sends malformed (or non-RFC-compliant) packets to the target. Different OSes respond to these packets differently

• Tools: Nmap, Xprobe, Scanrand, etc.

Page 16: Passive Fingerprinting

• Passive fingerprinting: similar concept, but without injecting traffic into the network

• Looks at 4 fields:
– TTL value
– Don't Fragment bit (DF)
– Type of Service (TOS)
– Window size

• TTL, DF, and TOS are found in the IP header

• Window size is found in the TCP header

Page 17: Passive Fingerprinting: TTL

• A packet has its TTL reduced each time it passes through a router, or when it remains in a router's queue too long

• There is no requirement on what the initial TTL value should be

• The attacker may assume that the value observed is less than the original value (which is no more than 255)

Page 18: Passive Fingerprinting: DF and TOS

• The DF flag is the primary method systems use to perform PMTUD (Path MTU Discovery)
– Many older OSes don't use this feature

• TOS can be analyzed to determine the OS

• Even though it is rarely used on the Internet, some developers set it to a value other than zero to prevent this fingerprinting

Page 19: PMTUD

• Path MTU discovery works by setting the DF (Don't Fragment) option bit in the IP headers of outgoing packets.

• Then, any device along the path whose MTU is smaller than the packet will drop it and send back an ICMP Type 3 Code 4 "Destination Unreachable (Fragmentation Needed and DF was set)" message containing its MTU, allowing the source host to reduce its assumed path MTU appropriately.

• The process repeats until the MTU is small enough to traverse the entire path without fragmentation.

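The three PMTUD bullets describe a loop between the sender and the routers on the path. The simulation below, added here as an example rather than taken from the lecture, runs that loop over a constructed list of per-hop link MTUs and records each message of the exchange. The ICMP Type 3 Code 4 error is modelled as a tuple (type, code, next-hop MTU) instead of a real packet, and the `icmp_filtered` flag is an assumption added to show what happens when a firewall drops all ICMP on the return path, which the "Securing ICMP" slides later in this lecture raise as a trade-off.

```python
"""Path MTU Discovery walkthrough as a small simulation.

Added example, not lecture code.  The path is a constructed list of per-hop
link MTUs; the "Fragmentation Needed" error is a (type, code, mtu) tuple.
"""
from typing import List, Optional, Tuple

ICMP_FRAG_NEEDED = (3, 4)   # Destination Unreachable / Fragmentation Needed and DF set


def forward_with_df(size: int, path_mtus: List[int]) -> Optional[Tuple[int, int, int]]:
    """Carry a DF-marked packet of `size` bytes hop by hop.

    Returns None when it reaches the destination, otherwise the ICMP error
    (type, code, link MTU) the first too-small hop would send back.
    """
    for link_mtu in path_mtus:
        if size > link_mtu:
            # DF is set, so the router drops instead of fragmenting and reports
            # the MTU of the link it could not use.
            return ICMP_FRAG_NEEDED + (link_mtu,)
    return None


def discover_path_mtu(local_mtu: int, path_mtus: List[int],
                      icmp_filtered: bool = False, max_rounds: int = 8):
    """Run the source side of PMTUD: start at the local MTU, shrink on every error.

    Returns (path_mtu, transcript).  path_mtu is None if discovery never
    converged.  The transcript records each round as ("sent", size),
    ("icmp", type, code, mtu) or ("icmp-lost",) so the exchange can be read.
    icmp_filtered=True models a firewall that silently drops all ICMP on the
    return path (assumption added for the example).
    """
    size = local_mtu
    transcript = []
    for _ in range(max_rounds):
        transcript.append(("sent", size))
        err = forward_with_df(size, path_mtus)
        if err is None:
            return size, transcript
        if icmp_filtered:
            # The error never reaches the source: it keeps retransmitting the
            # same size and the connection stalls (a PMTUD black hole).
            transcript.append(("icmp-lost",))
            continue
        icmp_type, icmp_code, next_hop_mtu = err
        transcript.append(("icmp", icmp_type, icmp_code, next_hop_mtu))
        if next_hop_mtu >= size:
            # A reported MTU that does not shrink the packet could loop forever.
            raise ValueError("reported next-hop MTU does not reduce packet size")
        size = next_hop_mtu
    return None, transcript


if __name__ == "__main__":
    # Constructed path: Ethernet, a 1492-byte link, a 1400-byte tunnel, Ethernet.
    print(discover_path_mtu(1500, [1500, 1492, 1400, 1500]))
    print(discover_path_mtu(1500, [1500, 1492, 1400, 1500], icmp_filtered=True))
```

On the constructed path the source sends 1500, is told 1492, sends 1492, is told 1400, and succeeds on the third try, so the path MTU is 1400. With the ICMP errors filtered it never converges, which is the practical reason "disable as much ICMP as possible" has to make an exception for Type 3 Code 4.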

Page 20: PMTUD (cont.) (figure only)

Page 21: Passive Fingerprinting: Window Size

• The TCP window specifies the amount of data that can be sent without having to receive an acknowledgement
– The window size should either be as close as possible to the MTU or some multiple of this value
– Linux 2.0 used a value of 16,384, while version 3 of FreeBSD used a value of 17,520

• The most up-to-date passive fingerprinting tool is p0f

• LAB: p0f, page 129
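Slides 16 to 21 list the four fields a passive fingerprinter reads (TTL, DF, TOS, TCP window) and how the TTL is interpreted. The example below, added here and not part of the lecture or of p0f, parses those fields out of raw IPv4 and TCP header bytes and matches them against a signature table. Only the two window sizes (16,384 for Linux 2.0 and 17,520 for FreeBSD 3) come from the slides; the initial TTL and DF values paired with them, the OS labels, and the sample packets are assumptions constructed for the example.

```python
"""Passive fingerprinting from TTL, DF, TOS and TCP window, p0f style.

Added example, not lecture code.  Packets are constructed with struct;
the signature table is an assumption (only the window sizes are from the
slides).
"""
import struct
from typing import Dict, Optional

IP_FMT = "!BBHHHBBH4s4s"     # ver/IHL, TOS, total len, ID, flags+frag, TTL, proto, csum, src, dst
TCP_FMT = "!HHLLBBHHH"       # sport, dport, seq, ack, data offset, flags, window, csum, urgent

# (initial TTL, DF, TOS, window) -> OS label.  Constructed for this example.
SIGNATURES = {
    (64, 0, 0, 16384): "Linux 2.0",
    (64, 1, 0, 17520): "FreeBSD 3.x",
}


def build_syn(ttl: int, df: bool, tos: int, window: int) -> bytes:
    """Construct a minimal IPv4 + TCP SYN carrying the four fields (sample input)."""
    flags_frag = 0x4000 if df else 0     # DF is bit 14 of the flags/fragment-offset field
    ip = struct.pack(IP_FMT, 0x45, tos, 40, 0x1234, flags_frag, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack(TCP_FMT, 40000, 80, 1, 0, 0x50, 0x02, window, 0, 0)
    return ip + tcp


def extract_fields(packet: bytes) -> Dict[str, int]:
    """Pull TTL, DF and TOS from the IP header and the window from the TCP header."""
    ver_ihl, tos, _, _, flags_frag, ttl, proto, _, _, _ = struct.unpack(IP_FMT, packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4           # IP options would shift the TCP header
    _, _, _, _, _, flags, window, _, _ = struct.unpack(TCP_FMT, packet[ihl:ihl + 20])
    return {"ttl": ttl, "df": (flags_frag >> 14) & 1, "tos": tos,
            "window": window, "syn": int(bool(flags & 0x02))}


def guess_initial_ttl(observed: int) -> int:
    """Slide 17: the observed TTL is at most the original, so round up to the
    nearest common starting value (32, 64, 128, 255)."""
    for initial in (32, 64, 128, 255):
        if observed <= initial:
            return initial
    return 255


def fingerprint(packet: bytes) -> Optional[str]:
    """Return the matching OS label, or None when nothing in the table fits."""
    f = extract_fields(packet)
    if not f["syn"]:
        return None                      # window and DF are characteristic on the SYN
    key = (guess_initial_ttl(f["ttl"]), f["df"], f["tos"], f["window"])
    return SIGNATURES.get(key)


if __name__ == "__main__":
    print(fingerprint(build_syn(ttl=58, df=True, tos=0, window=17520)))     # FreeBSD 3.x
    print(fingerprint(build_syn(ttl=61, df=False, tos=0, window=16384)))    # Linux 2.0
    print(fingerprint(build_syn(ttl=58, df=True, tos=0x10, window=17520)))  # None: TOS changed
```

The last call shows the point made on slide 18: a host that sets TOS to a non-zero value no longer matches the signature, even though its TTL, DF and window are unchanged.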

Page 22: Idle Scan: Open Port (figure only)

Page 23: Idle Scan: Closed Port (figure only)

Page 24: Idle Scan: Limitations

• The idle host must truly be idle

• Not all OSes use an incrementing IPID
– Some versions of Linux set the IPID to zero or generate a random IPID value

• Several message passes need to be performed to validate the results

Page 25: ICMP Attacks

• ICMP helps with logical errors and diagnostics

• ICMP does not offer authentication

• Thus, ICMP can be used to scan and exploit devices
– Including using ICMP as a backdoor (covert channel), employing it for echo attacks, port scanning, redirecting traffic, OS fingerprinting, and DoS attacks

Page 26: Covert Channels

• Covert channels offer attackers a way to have a secure communications channel by using allowed services

• Covert channels can also work by exploiting flaws or weaknesses in protocols like ICMP, esp. ping

• ICMP fields used in ping include:
– Type, Code, Identifier, Sequence Number, Optional Data

Page 27: ICMP Format (figure only)

Page 28: Covert Channels (cont.) (figure only)

Page 29: Covert Channels (cont.) (figure only)

Page 30: Covert Channels (cont.)

• Some systems like Linux let the user add data into the ping:

# ping -p 2b2b2b415448300 192.168.123.101

will place the modem hang-up string into the ping packet

• Covert channel tools can use ICMP, TCP, or even IGRP

• Loki, ICMP Backdoor, 007Shell, B0CK
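Slides 26 to 30 point out that the optional-data field of an echo request can carry anything, which is what the covert-channel tools rely on. From the monitoring side, the useful check is whether that field still looks like what a stock ping sends. The example below, added here and not from the lecture or from any of the tools named, builds ICMP echo packets (type, code, checksum, identifier, sequence number, optional data), verifies the checksum when parsing, and classifies the data field. The "baseline" filler is a constructed model of the incrementing-byte pattern a stock ping sends after its timestamp, and the printable-text and entropy thresholds are assumptions chosen for the example.

```python
"""ICMP echo parsing and a simple covert-channel payload check.

Added example, not lecture code.  Baseline filler and thresholds are
assumptions; sample packets are constructed inline.
"""
import math
import random
import struct
from typing import Dict, List

ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, data: bytes) -> bytes:
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + data


def parse_echo(packet: bytes) -> Dict[str, object]:
    """Split an ICMP echo into its fields; a bad checksum raises ValueError."""
    if icmp_checksum(packet) != 0:        # a valid packet sums to all ones
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "data": packet[8:]}


def normal_filler(length: int) -> bytes:
    """Constructed baseline: 16 bytes of timestamp, then byte i == i (mod 256)."""
    stamp = struct.pack("!QQ", 1_700_000_000, 123_456)
    return (stamp + bytes(i & 0xFF for i in range(16, length)))[:length]


def entropy(data: bytes) -> float:
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)


def classify_payload(data: bytes) -> str:
    """Label the optional-data field: 'baseline' or a 'suspicious:<reason>' tag."""
    if len(data) == 0:
        return "baseline"                 # ping with no data at all
    if len(data) >= 24 and all(data[i] == i & 0xFF for i in range(16, len(data))):
        return "baseline"                 # stock filler (needs enough bytes to judge)
    printable = sum(32 <= b < 127 for b in data) / len(data)
    if printable > 0.9:
        return "suspicious:text"          # command strings, the hang-up string, etc.
    if entropy(data) > 7.0:
        return "suspicious:high-entropy"  # looks encrypted or compressed, like a tunnel
    return "suspicious:unknown-filler"


def scan(packets: List[bytes]) -> List[str]:
    """Classify a batch of echo requests; malformed packets are reported too."""
    out = []
    for pkt in packets:
        try:
            out.append(classify_payload(parse_echo(pkt)["data"]))
        except ValueError:
            out.append("malformed")
    return out


def sample_packets() -> List[bytes]:
    """Constructed traffic: one stock ping, one -p style payload, one tunnel-like
    blob, and one packet with a corrupted last byte."""
    rng = random.Random(7)                    # deterministic stand-in for encrypted data
    blob = bytes(rng.getrandbits(8) for _ in range(1024))
    return [
        build_echo(0x1234, 1, normal_filler(56)),
        build_echo(0x1234, 2, b"+++ATH0"),
        build_echo(0x1234, 3, blob),
        build_echo(0x1234, 4, normal_filler(56))[:-1] + b"\x00",
    ]


if __name__ == "__main__":
    print(scan(sample_packets()))
    # ['baseline', 'suspicious:text', 'suspicious:high-entropy', 'malformed']
```

A payload check of this kind is a heuristic, not a signature: a tool that pads its data to look like the stock filler will pass it, so in practice it is paired with volume and timing checks (how many echo requests, how large, how regular) on the same host pair.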

Page 31: ICMP Echo Attacks

• Flood the target with ping traffic and use up all available bandwidth

• Smurf exploits ICMP by sending a spoofed ping packet to the broadcast address with the source address set to the victim

• In 2002, an attack was launched against the core DNS servers, which had ping enabled
– Resulted in a large DoS attack that slowed the operation of the primary DNS servers

Page 32: Port Scanning

• ICMP can be of great use to an attacker attempting to discover which ports are open

• ICMP is invaluable since there is no response like with TCP

• Sending an ICMP packet to a port:
– will get no response if the port is open, and
– will receive an ICMP type 3 code 3 packet if the port is closed

Page 33: Port Scanning (cont.)

Type 3 (Destination Unreachable), Code 3 (Port Unreachable)

Page 34: ICMP Nuke Attacks

• Using spoofed addresses, an attacker might disrupt communications between two hosts by sending "Time Exceeded" (ICMP Type 11) or "Destination Unreachable" (ICMP Type 3) messages to both hosts, resulting in a DoS attack
– Check out the ICMP Types and Codes

• An ICMP Nuke attack sends the target an ICMP packet with destination unreachable (type 3) messages. The target then breaks communication with existing connections

Page 35: ICMP Redirect Attack

• By sending ICMP "redirect" messages, an attacker might force a router to forward packets destined to one host to the attacker's IP address

Page 36: Preventing ICMP Redirect Attack

• With Linux, we can force the kernel not to accept redirect messages for one or all interfaces

root@router# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects

Page 37: ICMP Flood

• Ping flood creates a broadcast storm of pings that overwhelms the target system

• Using Linux, one can flood a host using ping -f:

root@router# ping -f 10.10.10.12 -c 1000

The above command floods the host 10.10.10.12 with 1,000 packets

Page 38: Preventing Ping Flood

• Ping flood can be stopped by limiting the number of ICMP echo-request messages with iptables:

root@router# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT

root@router# iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
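The two rules above only work because of their order: the `limit` match accepts echo requests while its token bucket has tokens, and everything that falls through reaches the unconditional DROP. The model below, added here as an example and not part of the lecture, replays constructed arrival timestamps through that pair of rules. It assumes iptables' default `--limit-burst` of 5, which the slide's rule does not set explicitly.

```python
"""The slide's two iptables rules modelled as a token bucket.

Added example, not lecture code.  `--limit 10/s` refills ten tokens a second;
the bucket holds at most `burst` tokens (iptables default 5, assumed here).
Arrival times must be non-decreasing, as they would be on a real interface.
"""
from typing import List


class LimitMatch:
    def __init__(self, rate_per_s: float, burst: int = 5):
        self.rate = rate_per_s
        self.burst = burst
        self.tokens = float(burst)      # bucket starts full
        self.last = 0.0

    def match(self, now: float) -> bool:
        """Refill for the time elapsed since the last packet, then try to take one token."""
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def apply_ruleset(arrivals: List[float], rate_per_s: float = 10.0, burst: int = 5) -> List[str]:
    """Verdict per echo request, in arrival order, for the rule pair
         -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
         -A FORWARD -p icmp --icmp-type echo-request -j DROP
    A packet that matches `limit` is accepted; otherwise it reaches the DROP rule."""
    limit = LimitMatch(rate_per_s, burst)
    return ["ACCEPT" if limit.match(t) else "DROP" for t in arrivals]


def accepted(verdicts: List[str]) -> int:
    return verdicts.count("ACCEPT")


if __name__ == "__main__":
    normal = [float(s) for s in range(10)]      # one ping a second: constructed
    flood = [0.0] * 100                         # 100 requests in the same instant
    print(accepted(apply_ruleset(normal)), "of", len(normal), "normal pings accepted")
    print(accepted(apply_ruleset(flood)), "of", len(flood), "flood packets accepted")
```

One ping a second never empties the bucket, so all ten pass; a burst of 100 at once gets exactly five through and the rest hit DROP, and a sustained flood settles at roughly ten accepted per second. Note that the rule counts packets, not bandwidth, so it limits the echo requests forwarded onward but does nothing about the traffic already arriving at the router's own link.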

Page 39: Ping of Death

• Ping of Death crashed machines by sending ICMP "echo request" messages in IP packets larger than the maximum legal length of 65,535 octets, causing a buffer overflow that crashed the victim's device (computer, printer, etc.)

• A Linux patch for the ping of death was out in 2 hours, 35 minutes, and 10 seconds, and shortly after, patches for other OSes were available from vendors

Page 40: Routing Protocol Attacks

• Misconfigured dynamic routing protocols such as RIP, BGP, and OSPF may allow attackers to inject routes into the routing tables of the machines running instances of those protocols

• This may allow attackers to conduct DoS attacks by injecting wrong routes, or IP sniffing by configuring their computer to act like a router on the network

Page 41: Routing Protocol Attacks (cont.)

• Distance-vector and link-state routing protocols suffer from attacks, especially DoS

• RIP is an unauthenticated service; it is vulnerable to DoS
– An attacker injects miscommunication packets into the network

• RIP spoofing works by making fake RIP packets and sending them to gateways and hosts to change their routes
– It sends its routing tables to a broadcast address

• An attacker can also modify the routing information to cause a redirect through a network, allowing him to sniff passwords or intercept and change data

Page 42: Router and Routing Attacks

• Hit-and-run attacks
– Hard to detect and isolate
– Require an attacker to inject only one or a few bad packets, but cause lasting damaging effects

• Persistent attacks
– The attacker continuously injects attack packets in order to inflict significant damage
– Suited to link-state protocols
– Resilient to hit-and-run attacks

Page 43: Source Routing Attack

• Source routing is one of the IP options designed to force a packet to take a specific route through the network
– Uses the Options field in the IP header: LSRR and SSRR

Page 44: LSR and SSR

• Loose Source Routing is an IP option which can be used for address translation. LSR is also used to implement mobility in IP networks.

• LSR uses a source routing option in TCP/IP to record the set of routers a packet must visit.

• The destination of the packet is replaced with the next router the packet must visit.

• The name LSR comes from the fact that only part of the path is set in advance. This is in contrast with Strict Source Routing (SSR), in which every single step of the route is decided in advance when the packet is sent.

• SSR defines specific points between source and destination
– No other routers are allowed to handle the datagram

Page 45: Source Routing Attack (cont.)

• The use of the LSRR and SSRR options (Loose and Strict Source and Record Route) is discouraged because they create security concerns

• An attacker can spoof a source IP as a trusted system and use source routing to forward packets to a victim

• Any return packet will be sent to the attacker instead of the trusted host

• Many routers block packets containing these options.

Page 46: Roadmap

• Attacking the Network Layer

• Defending the Network Layer

Page 47: Securing IP

• Encryption and authentication are the two best options for securing IP
– Built into IPv6, but not into IPv4

• IPSec's greatest strength is that it allows network managers to apply security without involving end users
– IPSec Tunnel Mode: link encryption
• Need to manage several keys
– IPSec Transport Mode: end-to-end encryption
• Source and destination IPs are not masked

Page 48: Securing ICMP

• Disable as much of ICMP as possible, especially at routers
– Reject: send an ICMP destination-unreachable back to the source
– Drop: send no response

• Rejecting a connection allows services to know that something has failed and to time out quickly

• Dropping a connection causes a service to keep trying to connect until a retransmission value is exceeded

Page 49: Securing ICMP (cont.)

• From a legitimate user's perspective,
– rejecting connections allows services to know that something has failed and to time out quickly
– dropping a connection can cause a service to continue trying to connect until a retransmission value is exceeded

Page 50: Securing ICMP (cont.)

• From a security perspective,
– dropping packets gives away less information and makes it harder for an attacker to enumerate the target
– rejecting packets can make the router a bigger target for reflective attacks and leave it vulnerable to spewing out ICMP messages to a host being attacked by a third party

Page 51: Protecting against IP Spoofing

• The Linux kernel has an option named "rp_filter"
– root@router# echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

• To disable it on one interface, e.g. eth0:
– root@router# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

• Setting rp_filter to:
– 1 enables IP spoofing protection
– 0 disables IP spoofing protection

Page 52: Securing Routers and Routing Protocols

• Securing routers and the traffic that flows through them is primarily achieved by using packet filters

• Packet filtering is configured through access control lists (ACLs)

Page 53: How ACLs Handle Traffic

• Source IP address: Is it from a valid or allowed address?

• Destination IP address: Is this address allowed to receive packets from this device?

• Source and destination ports: includes TCP, UDP, and ICMP

• TCP flags: includes SYN, FIN, ACK, PSH

• Protocols: includes FTP, Telnet, HTTP, DNS, and POP3

• Direction: Can allow or deny inbound or outbound traffic

• Interface: Can be used to restrict only certain traffic on certain interfaces

Page 54: Preventing Address Spoofing

• Do not allow traffic with an internal IP address as source that comes from the Internet

• Log the dropped packets

• Check out the router configuration guide at http://www.nsa.gov/snac/downloads_all.cfm

• RIPv1 sends updates in cleartext with no authentication

• RIPv2 has authentication but sends the authentication in cleartext

• Suggest using OSPF with MD5 authentication

• Restrict dynamic routing when possible

• Without this, OSPF may still be vulnerable

• Check out Nemesis (a tool to target OSPF routing) at http://sourceforge.net/projects/nemesis
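Slides 51, 53 and 54 describe two layers of anti-spoofing on a Linux router: the kernel's reverse-path check (rp_filter) and an ACL that denies, and logs, packets arriving from the Internet with an internal source address. The example below, added here and not taken from the lecture, implements both as a small evaluator. The ACL fields follow the "How ACLs Handle Traffic" list; the reverse-path check models the strict behaviour of rp_filter=1 as an assumption (the slide only says 1 enables protection). Addresses, interface names, the routing table and the rules are constructed for the example.

```python
"""Anti-spoofing: an ACL evaluator plus a strict reverse-path check.

Added example, not lecture code.  Addresses, interfaces, routes and rules
are constructed; rp_filter=1 is modelled as strict reverse-path filtering.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERNAL_NET = "192.168.1.0/24"                     # constructed internal range
# Constructed routing table: interface -> prefixes reached through it.
ROUTES: Dict[str, List[str]] = {"eth0": ["0.0.0.0/0"], "eth1": [INTERNAL_NET]}


@dataclass
class Packet:
    iface: str              # interface the packet arrived on
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    iface: Optional[str] = None     # None matches anything, likewise below
    src: Optional[str] = None       # CIDR
    dst: Optional[str] = None       # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None
    log: bool = False

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, cidr: Optional[str]) -> bool:
            return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
        return (self.iface in (None, p.iface) and in_net(p.src, self.src)
                and in_net(p.dst, self.dst) and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


# Inbound ACL on the Internet-facing interface eth0; first match wins.
ACL: List[Rule] = [
    Rule("deny", iface="eth0", src=INTERNAL_NET, log=True),   # internal source from outside
    Rule("deny", iface="eth0", src="127.0.0.0/8", log=True),  # loopback source from outside
    Rule("permit", iface="eth0", dst=INTERNAL_NET, proto="tcp", dport=80),
]


def evaluate_acl(p: Packet, acl: List[Rule]) -> Tuple[str, Optional[str]]:
    """First matching rule decides; no match means the implicit deny at the end."""
    for rule in acl:
        if rule.matches(p):
            log = (f"ACL {rule.action}: iface={p.iface} src={p.src} dst={p.dst} "
                   f"proto={p.proto} dport={p.dport}") if rule.log else None
            return ("ACCEPT" if rule.action == "permit" else "DROP"), log
    return "DROP", None


def reverse_path_ok(p: Packet, routes: Dict[str, List[str]]) -> bool:
    """Strict reverse-path check: the longest-prefix route back to the source
    must leave through the interface the packet arrived on."""
    src = ipaddress.ip_address(p.src)
    best: Optional[Tuple[int, str]] = None
    for iface, prefixes in routes.items():
        for cidr in prefixes:
            net = ipaddress.ip_network(cidr)
            if src in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface)
    return best is not None and best[1] == p.iface


def filter_packet(p: Packet) -> Tuple[str, Optional[str]]:
    """The kernel's reverse-path check runs before the ACL is consulted."""
    if not reverse_path_ok(p, ROUTES):
        return "DROP", f"rp_filter: {p.src} arrived on {p.iface} but routes via another interface"
    return evaluate_acl(p, ACL)


if __name__ == "__main__":
    for pkt in (Packet("eth0", "192.168.1.5", "192.168.1.10", "tcp", 80),   # spoofed internal source
                Packet("eth0", "203.0.113.9", "192.168.1.10", "tcp", 80),   # legitimate web request
                Packet("eth0", "203.0.113.9", "192.168.1.10", "tcp", 23)):  # telnet: no permit rule
        print(pkt.src, "->", filter_packet(pkt))
```

The spoofed packet is caught by rp_filter before the ACL sees it; if that check were disabled (rp_filter=0), the first ACL rule would still drop it and produce the log line the slide asks for. The telnet request shows the implicit deny: with no permit rule for port 23 it is dropped without a log entry, so anything you want visibility on needs an explicit logging deny rule of its own.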

Page 55: NSA Security Configuration Guides

http://www.nsa.gov/snac/downloads_all.cfm

Page 56: Questions?

Next week: Transport Layer Security