Findmyip org

CIT 480: Securing Computer Systems

TCP/IP Security

Topics

1. Internet Protocol (IP) 2. IP Spoofing and Other Vulnerabilities 3. ICMP 4. Transmission Control Protocol (TCP) 5. TCP Session Hijacking 6. UDP

Internet Protocol (IP) Connectionless

– Each packet is transported independently from other packets

Unreliable – Delivery on a best effort basis – No acknowledgments

– Packets may be lost, reordered, corrupted, or duplicated

IP packets – Encapsulate TCP and UDP

packets – Encapsulated into link-layer

frames

Data link frame

IP packet

TCP or UDP packet

IP Addresses 32-bit integers that identify machine on net

Dotted decimal notation: ii.jj.kk.ll DNS translates names to IP addresses

172 . 16 . 254 . 1

10101100 00010000 11111110 00000001

1 byte

32 bits = 4 bytes

IPv6 addresses are 128-bit integers written like 2001:0db8:0000:0000:0000:ff00:0042:8329

Network Address Translation Uses public IP addr to represent private IP.

– Translates source IP in outgoing packets. – Translates dest IP in incoming packets. – Router keeps table of translations.

IP Address Geolocation

• ISPs get blocks of IP addresses from ARIN.

• ARIN database records where IP addresses are.

• Application layer and time data may help reveal details.

Check http://www.findmyip.org/ for your location.

http://www.findmyip.org/

http://www.findmyip.org/

http://www.findmyip.org/

IP Header

IP Routing

A router bridges two or more networks – Operates at the network layer. – Maintains tables to forward packets to the

appropriate network. – Forwarding decisions based solely on the

destination address.

Routing table – Maps ranges of IP addresses to LANs or other

gateway routers.

IP Routing

New MAC address at each hop

Same IP address at each hop used to route data packet.

IP Vulnerabilities 1. Unencrypted transmission

– Eavesdropping possible at any intermediate host during routing.

2. No source authentication – Sender can spoof source address, making it difficult to trace

packet back to attacker.

3. No integrity checking – Entire packet, header and payload, can be modified while en

route to destination, enabling content forgeries, redirections, and man-in-the-middle attacks.

4. No bandwidth constraints – Large number of packets can be sent to DoS target.

IP Spoofing

IP Spoofing is an attempt by an intruder to send packets from one IP address that appear to originate at another.

• If victim trusts spoofed IP, then attacker trusted.

• Tracking down attack leads to spoofed IP.

Two basic forms of IP Spoofing • Blind Spoofing can be used from any source. • Non-Blind Spoofing must be on same subnet.

Blind Spoofing

Attacker cannot see response packets, but – Some attacks, like DoS do not want to receive

response packets, and – Some responses can be guessed sufficiently

accurately to carry on conversation, such as TCP hijacking attacks.

Network Tests with ICMP

Internet Control Message Protocol (ICMP) – Used for network testing and debugging. – Simple messages encapsulated in single IP packets. – Considered a network layer protocol.

ICMP-based Network Testing Tools – ping: sends echo request messages and provides

statistics on roundtrip times and packet loss. – traceroute: sends series of ICMP packets with

increasing TTL value to discover routes.

ICMP DoS Attacks Ping of death

– ICMP specifies messages must fit a single IP packet (64KB).

– Send a ping packet that exceeds maximum size using IP fragmentation.

– Reassembled packet caused several operating systems to crash due to a buffer overflow.

Smurf – Ping a broadcast address using a spoofed source

address. Large number of responses sent to target whose address was spoofed.

Smurf Attack

Attacker Victim

Amplifying Network

echo request

echo response

echo response

echo response

Slide #17

TCP: Transmission Control Protocol

Connection-oriented Must establish connection before sending data. 3-way handshake.

Reliable byte-stream TCP decides how to divide stream into packets. ACK, timeout, retransmit, reordering.

16-bit source and destination ports. FTP(21), HTTP(80), POP(110), SMTP(25)

Slide #18

TCP Reliability 1. Breaks data into best-sized chunks. 2. After sending segment, maintains timer; if no

ACK within time limit, resends segment. 3. Sends ACK on receipt of packets. 4. Discards pkts on bad checkum of header and

data. 5. Receiver resequences TCP segments, based on

sequence numbers, allowing data to be reassembled correctly no matter what order.

6. Receiver discards duplicate segments. 7. Flow control: only sends as much data as

receiver can process.

Slide #19

TCP Header

Slide #20

TCP Connection Establishment

TCP 3-Way Handshake

SYN Floods Create many half-open connections to target

– Send SYN packet – Ignore SYN+ACK response

• (May spoof invalid source IP address for each SYN)

Target connection table fills up, resulting in DoS – 3 minute timeout for final ACK – all new TCP connections refused

Defenses – Micro-connections (allocate few resources til see ACK) – SYN cookies store state in TCP ISN, not on server

TCP Connection Termination

TCP Session Killing RST

– Need one valid TCP sequence number. – Send RST segment with spoofed IP address and valid

sequence number. – May need to send multiple RST’s in case host receives

TCP segment with your chosen sequence number before your RST segment.

FIN – Need valid TCP sequence + ACK numbers. – Send FIN+ACK segment with spoofed IP address to

terminate session. – Receive FIN packet in response, verifying kill if

successful.

TCP Session Hijacking A TCP session hijacking attack is when an attacker takes control of an existing TCP session. The attacker must be able to

– Spoof IP address of one side of connection. – Predict TCP sequence numbers.

Gives threat access to authenticated sessions. Defenses:

– Random initial TCP sequence numbers. – Use encrypted protocols like SSH, so attacker cannot

interact with system due to inability to send properly encrypted traffic.

TCP Session Hijacking Steps

1. Guess TCP sequence numbers used in current session between two hosts.

2. Create desynchronized state so neither side of connection can talk to the other.

3. Send packet with correct SN + ACK with spoofed client IP address to server, containing attack.

ACK Storm • Noisy side effect of TCP session hijacking. • Both client and server ACK unacceptable

packets with expected sequence number. • Each ACK is also unacceptable and

generates another ACK response. • If network drops packet, no response made. • ACK storms create network congestion,

leading to many dropped packets.

Covert Channels in TCP/IP Covert channels enable communication using techniques not meant for information exchange. Possible techniques include:

– Timing of packets (temporal channel). – Size of packets. – Unused header fields (header bit modulation). – Hiding data in packet body.

Covert channels may be able to be detected by – Too many packets of certain protocols (ICMP, DNS) – Too large packets from certain protocols – Multiple response packets for protocols like ICMP, DNS

Port Knocking Port knocking is a method of opening ports by making connections to a set of unused ports in a specified sequence.

– Fairly secure against brute force attacks since there are 65536k combinations, where k is the number of ports knocked

– Susceptible to replay attacks. If a port knock is sniffed, then attacker can replay the knock.

Used to hide ports from network scans. Can be used by defenders and attackers.

User Datagram Protocol (UDP)

Stateless, unreliable layer 4 protocol. – Runs on top of IP. – Trades reliability for speed.

Applications – Streaming audio/video. – TFTP (builds simple state on top of UDP.) – DNS.

Slide #30

UDP Header

Key Points 1. IP addresses seen by recipient unlike MAC

– NAT hides many IP addresses behind one.

2. IP spoofing – Blind: do not see responses. – Non-blind: use sniffer to see responses.

3. Technical DoS: ping of death, smurf, SYN flood 4. TCP session hijacking seizes authenticated session

– Guess TCP sequence numbers based on ISN. – Desynchronize existing TCP session. – Threat resynchronizes with server, seizing control.

5. Cannot hijack encrypted sessions like ssh.

References

1. Carna Botnet, Internet Census 2012, http://internetcensus2012.bitbucket.org/p aper.html, 2012.

2. Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011.

3. Richard Stevens, TCP/IP Illustrated, Vol. 1, Addison-Wesley, 1994.

http://internetcensus2012.bitbucket.org/paper.html

http://internetcensus2012.bitbucket.org/paper.html

Released under CC BY-SA 3.0  This presentation is released under the Creative Commons

Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license  You are free:

 to Share — to copy and redistribute the material in any medium  to Adapt— to remix, build, and transform upon the material  to use part or all of this presentation in your own classes

 Under the following conditions:  Attribution — You must attribute the work to James Walden, but

cannot do so in a way that suggests that he endorses you or your use of these materials.

 Share Alike — If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license.

 Details and full text of the license can be found at https://creativecommons.org/licenses/by-nc-sa/3.0/

https://creativecommons.org/licenses/by-nc-sa/3.0/

CIT 480: Securing Computer Systems

Topics

Internet Protocol (IP)

IP Addresses

Slide Number 5

Network Address Translation

IP Address Geolocation

IP Header

IP Routing

IP Routing

IP Vulnerabilities

IP Spoofing

Blind Spoofing

Network Tests with ICMP

ICMP DoS Attacks

Smurf Attack

TCP: Transmission Control Protocol

TCP Reliability

TCP Header

TCP Connection Establishment

SYN Floods

TCP Connection Termination

TCP Session Killing

TCP Session Hijacking

TCP Session Hijacking Steps

ACK Storm

Covert Channels in TCP/IP

Port Knocking

User Datagram Protocol (UDP)

UDP Header

Key Points

References

Released under CC BY-SA 3.0

Applied Sciences

Architecture and Design

Biology

Business & Finance

Chemistry

Computer Science

Geography

Geology

Education

Engineering

English

Environmental science

Spanish

Government

History

Human Resource Management

Information Systems

Law

Literature

Mathematics

Nursing

Physics

Political Science

Psychology

Reading

Science

Social Science

Home

Blog

Archive

Contact

google+twitterfacebook

Copyright © 2019 HomeworkMarket.com