PowerPoint Presentation - nsec.sjtu.edu.cn


Networking Attacks: Link-, IP-, and TCP-layer attacks
Network Security
Prof. Haojin Zhu
Materials adopted from Prof. David Wagner, 2019

General Communication Security Goals: CIA
- Confidentiality: no one can read our data / communication unless we want them to
- Integrity: no one can manipulate our data / processing / communication unless we want them to
- Availability: we can access our data / conduct our processing / use our communication capabilities when we want to
  - Also: no additional traffic other than ours

Link-layer threats
- Confidentiality: eavesdropping (aka sniffing)
- Integrity: injection of spoofed packets
- Availability: deletion of legit packets (e.g., jamming)

Layers 1 & 2: General Threats?
  7  Application
  4  Transport
  3  (Inter)Network
  2  Link: framing and transmission of a collection of bits into individual messages sent across a single subnetwork (one physical technology)
  1  Physical: encoding bits to send them over a single physical link, e.g. patterns of voltage levels / photon intensities / RF modulation

Eavesdropping
- For subnets using broadcast technologies (e.g., WiFi, some types of Ethernet), eavesdropping comes for free
- Each attached system's NIC (= Network Interface Card) can capture any communication on the subnet
- Some handy tools for doing so:
  - tcpdump / windump (low-level ASCII printout)
  - Wireshark (GUI for displaying 800+ protocols)

TCPDUMP: Packet Capture & ASCII Dumper (screenshot)
Wireshark: GUI for Packet Capture/Exam (screenshots)
Stealing Photons (figure)

Link-Layer Threat: Disruption
- If attacker sees a packet he doesn't like, he can jam it (integrity)
- Attacker can also overwhelm link-layer signaling, e.g., jam WiFi's RF (denial-of-service)
- There's also the heavy-handed approach

WiFi Jammer Attack on wireless networks: https://www.youtube.com/watch?v=1M9AkUZ377Y

Link-Layer Threat: Spoofing
- Attacker can inject spoofed packets, and lie about the source address
- (Figure: hosts C, D and M on a shared link; a "Hello world!" packet is injected with a forged source address)

Physical/Link-Layer Threats: Spoofing
- With physical access to a local network, attacker can create any message they like
  - When with a bogus source address: spoofing
  - When using a typical computer, may require root/administrator to have full freedom
- Particularly powerful when combined with eavesdropping
  - Because attacker can understand exact state of victim's communication and craft their spoofed traffic to match it
  - Spoofing w/o eavesdropping = "blind spoofing"

On-path vs Off-path Spoofing
- Host A communicates with Host D
- (Figure: the path from Host A through Routers 1, 2, 3 and 5 to Host D; Host B sits on that path (on-path), while Host E, behind Routers 4, 6 and 7, does not (off-path))

Spoofing on the Internet
- On-path attackers can see victim's traffic, so spoofing is easy
- Off-path attackers can't see victim's traffic
  - They have to resort to blind spoofing
  - Often must guess/infer header values to succeed
    - We then care about "work factor": how hard is this?
  - But sometimes they can just brute force
    - E.g., 16-bit value: just try all 65,536 possibilities!

Layer 3: General Threats?
  7  Application
  4  Transport
  3  (Inter)Network: bridges multiple subnets to provide end-to-end internet connectivity between nodes
  2  Link
  1  Physical

IP = Internet Protocol (header layout)
  4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (Bytes)
  16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
  8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
  32-bit Source IP Address
  32-bit Destination IP Address
  Payload

IP-Layer Threats
- Can set arbitrary source address
  - "Spoofing": receiver has no idea who you are
  - Could be blind, or could be coupled w/ sniffing
  - Note: many attacks require two-way communication
    - So successful off-path/blind spoofing might not suffice
- Can set arbitrary destination address
  - Enables "scanning": brute force searching for hosts
- Can send like crazy (flooding)
  - IP has no general mechanism for tracking overuse
  - IP has no general mechanism for tracking consent
  - Very hard to tell where a spoofed flood comes from!
- If can manipulate routing (not easy), can bring traffic to attacker themselves for eavesdropping

LAN Bootstrapping: DHCP
- New host doesn't have an IP address yet
  - So, host doesn't know what source address to use
- Host doesn't know who to ask for an IP address
  - So, host doesn't know what destination address to use
- Solution: shout to discover server that can help
  - Broadcast a server-discovery message (layer 2)
  - Server(s) sends a reply offering an address
- (Figure: several hosts and a DHCP server on one LAN)

Dynamic Host Configuration Protocol
  new client -> (broadcast): DHCP discover
  DHCP server -> client:     DHCP offer
  new client -> (broadcast): DHCP request
  DHCP server -> client:     DHCP ACK
- DHCP server offer message includes IP address, DNS server, gateway router, and how long client can have these ("lease time")

DHCP Threats?
- Attacker on same subnet can hear new host's DHCP request
- Attacker can race the actual server; if they win, replace DNS server and/or gateway router

DHCP Threats
- Substitute a fake DNS server
  - Redirect any of a host's lookups to a machine of attacker's choice
- Substitute a fake gateway router
  - Intercept all of a host's off-subnet traffic
    - (even if not preceded by a DNS lookup)
  - Relay contents back and forth between host and remote server, and modify however attacker chooses
  - An invisible Man In The Middle (MITM)
- Victim host has no way of knowing it's happening
  - (Can't necessarily alarm on peculiarity of receiving multiple DHCP replies, since that can happen benignly)
- How can we fix this? Hard
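An added example, not from the slides, of the check a lone host cannot make but a network observer can: compare every DHCP OFFER/ACK seen on the subnet against the authorized server and the expected gateway/DNS, and flag a competing OFFER racing the real server. The records, field names and addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Set

# Constructed, simplified view of the DHCP OFFER/ACK fields that matter for
# rogue-server detection: server identifier (option 54), router (option 3),
# DNS server (option 6). In practice they come from a capture on a mirror port.
@dataclass
class DhcpReply:
    ts: float          # seconds since capture start
    kind: str          # "OFFER" or "ACK"
    server_id: str     # DHCP server identifier (option 54)
    src_mac: str       # link-layer source the reply came from
    router: str        # offered default gateway (option 3)
    dns: str           # offered DNS server (option 6)
    client_mac: str    # chaddr: which client the reply is addressed to

@dataclass
class Policy:
    servers: Set[str]      # authorized server identifiers
    server_macs: Set[str]  # MACs those servers transmit from
    router: str            # the subnet's real gateway
    dns: str               # the real resolver

def check_reply(r: DhcpReply, p: Policy) -> List[str]:
    """Policy violations in one reply (empty list = consistent with policy)."""
    findings = []
    if r.server_id not in p.servers:
        findings.append(f"unknown server id {r.server_id}")
    if r.src_mac not in p.server_macs:
        findings.append(f"reply from unexpected MAC {r.src_mac}")
    if r.router != p.router:
        findings.append(f"gateway {r.router} differs from expected {p.router}")
    if r.dns != p.dns:
        findings.append(f"dns {r.dns} differs from expected {p.dns}")
    return findings

def detect_rogue(replies, policy):
    """Alerts (ts, client_mac, text) for policy violations, plus the race the
    slides describe: a second OFFER to the same client from another server."""
    alerts = []
    first_offer = {}   # client_mac -> server_id of the first OFFER it received
    for r in sorted(replies, key=lambda x: x.ts):
        for f in check_reply(r, policy):
            alerts.append((r.ts, r.client_mac, f))
        if r.kind == "OFFER":
            prev = first_offer.setdefault(r.client_mac, r.server_id)
            if prev != r.server_id:
                alerts.append((r.ts, r.client_mac,
                               f"competing OFFER from {r.server_id} after {prev}"))
    return alerts

POLICY = Policy(servers={"10.0.0.1"}, server_macs={"aa:aa:aa:00:00:01"},
                router="10.0.0.1", dns="10.0.0.53")

# Constructed capture: the real server's OFFER, then a rogue on the same subnet
# that answers the same client's DISCOVER and wins the race (its ACK follows).
SAMPLE = [
    DhcpReply(0.010, "OFFER", "10.0.0.1", "aa:aa:aa:00:00:01", "10.0.0.1", "10.0.0.53", "de:ad:be:ef:00:01"),
    DhcpReply(0.012, "OFFER", "10.0.0.66", "66:66:66:00:00:66", "10.0.0.66", "10.0.0.66", "de:ad:be:ef:00:01"),
    DhcpReply(0.020, "ACK", "10.0.0.66", "66:66:66:00:00:66", "10.0.0.66", "10.0.0.66", "de:ad:be:ef:00:01"),
]
```

As the slide notes, a host by itself cannot tell a racing rogue from a second legitimate server; this check needs an authoritative server list, which is what DHCP snooping on managed switches enforces by dropping server replies on untrusted ports.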

TCP (layer 4: Transport)
  Source port | Destination port
  Sequence number
  Acknowledgment
  HdrLen | 0 | Flags | Advertised window
  Checksum | Urgent pointer
  Options (variable)
  Data
- Source port and destination port: these plus IP addresses define a given connection
- Sequence number: defines where this packet fits within the sender's bytestream

TCP Conn. Setup & Data Exchange
(Figure: A sends SYN; B answers SYN+ACK; A sends ACK; then Data and ACKs flow in both directions over time)

TCP Threat: Data Injection
(Figure: the same exchange, with attacker-injected "Nasty Data" and "Nasty Data2" segments appearing in the stream)
- If attacker knows ports & sequence numbers (e.g., on-path attacker), attacker can inject data into any TCP connection
  - Receiver B is none the wiser!
- Termed TCP connection hijacking (or "session hijacking")
  - A general means to take over an already-established connection!
- We are toast if an attacker can see our TCP traffic!
  - Because then they immediately know the port & sequence numbers

TCP Data Injection
- Client (initiator): IP address 1.2.1.2, port 3344
- Server: IP address 9.8.7.6, port 80
- Attacker: IP address 6.6.6.6, port N/A
  ...
  Client -> Server:   SrcA=1.2.1.2, SrcP=3344, DstA=9.8.7.6, DstP=80, ACK, Seq=x+1, Ack=y+1, Data="GET /login.html"
  Attacker -> Client: SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, ACK, Seq=y+1, Ack=x+16, Data="200 OK ..."
- Client dutifully processes as server's response
  Server -> Client:   SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, ACK, Seq=y+1, Ack=x+16, Data="200 OK ..."
- Client ignores since already processed that part of bytestream

TCP Threat: Disruption
- Is it possible for an on-path attacker to shut down a TCP connection if they can see our traffic?
- YES: they can infer the port and sequence numbers
  - They can insert fake data, too! (Great Firewall of China)

TCP Threat: Blind Hijacking
- Is it possible for an off-path attacker to inject into a TCP connection even if they can't see our traffic?
- YES: if somehow they can infer or guess the port and sequence numbers

TCP Threat: Blind Spoofing
- Is it possible for an off-path attacker to create a fake TCP connection, even if they can't see responses?
- YES: if somehow they can infer or guess the TCP initial sequence numbers
- Why would an attacker want to do this?
  - Perhaps to leverage a server's trust of a given client as identified by its IP address
  - Perhaps to frame a given client so the attacker's actions during the connection can't be traced back to the attacker

Blind Spoofing on TCP Handshake
- Alleged Client (not actual): IP address 1.2.1.2, port N/A
- Blind Attacker
- Server: IP address 9.8.7.6, port 80
  Attacker -> Server (as 1.2.1.2): SrcA=1.2.1.2, SrcP=5566, DstA=9.8.7.6, DstP=80, SYN, Seq=z
  Server -> Alleged Client:        SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=5566, SYN+ACK, Seq=y, Ack=z+1
- Small Note #1: if alleged client receives this SYN+ACK, it will be confused and send a RST back to server
  - So attacker may need to hurry!
- Big Note #2: attacker doesn't get to see this packet!
- Attacker's goal:
  Attacker -> Server (as 1.2.1.2): SrcA=1.2.1.2, SrcP=5566, DstA=9.8.7.6, DstP=80, ACK, Seq=z+1, Ack=y+1
  Attacker -> Server (as 1.2.1.2): SrcA=1.2.1.2, SrcP=5566, DstA=9.8.7.6, DstP=80, ACK, Seq=z+1, Ack=y+1, Data="GET /transfer-money.html"
- So how can the attacker figure out what value of y to use for their ACK?

Reminder: Establishing a TCP Connection
(Figure: A sends SYN; B answers SYN+ACK; A sends ACK; then Data flows)
- Each host tells its Initial Sequence Number (ISN) to the other host
  - (Spec says to pick based on local clock)
- Hmm, any way for the attacker to know this?
  - Sure: make a non-spoofed connection first, and see what server used for ISN y then!

How Do We Fix This?
- Use a (Pseudo)Random ISN
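An added simulation, not from the slides, of why the fix works: a blind attacker who learned y0 from a legitimate probe connection and extrapolates the RFC 793 clock (one tick every 4 microseconds) succeeds with a small guess budget, while the same attacker facing a random ISN does not. The 2 s planned gap, the timing jitter and the guess budget are constructed parameters.

```python
import random
import secrets

MOD = 1 << 32
ISN_TICK_US = 4            # RFC 793: the ISN counter increments every 4 microseconds

def clock_isn(t_us: int) -> int:
    """Clock-driven ISN as the original spec suggests (time in microseconds)."""
    return (t_us // ISN_TICK_US) % MOD

def random_isn() -> int:
    """The fix from the slides: an unpredictable 32-bit ISN."""
    return secrets.randbits(32)

def server_completes_handshake(server_isn: int, ack: int) -> bool:
    """The third handshake packet is accepted only if it acknowledges the server's SYN."""
    return ack == (server_isn + 1) % MOD

def blind_spoof_success_rate(policy: str, trials: int, guess_budget: int,
                             timing_jitter_us: int, seed: int = 1) -> float:
    """Fraction of blind-spoofing attempts that complete the handshake.

    The attacker first opens a legitimate connection (learning ISN y0), plans
    to send the spoofed SYN exactly 2 s later, and never sees the SYN+ACK, so
    it must put a guessed y+1 in its ACK; it may send guess_budget different
    ACKs. The jitter models not knowing exactly when the server picks y."""
    rng = random.Random(seed)
    planned_gap_us = 2_000_000
    wins = 0
    for _ in range(trials):
        t0 = rng.randrange(0, 10**9)                           # probe time (us)
        t1 = t0 + planned_gap_us + rng.randint(-timing_jitter_us, timing_jitter_us)
        if policy == "clock":
            y0, y = clock_isn(t0), clock_isn(t1)
            centre = (y0 + planned_gap_us // ISN_TICK_US) % MOD  # extrapolate the clock
            half = guess_budget // 2
            guesses = [(centre + d) % MOD for d in range(-half, guess_budget - half)]
        elif policy == "random":
            y = random_isn()                 # the probe's y0 says nothing about y
            guesses = [random_isn() for _ in range(guess_budget)]
        else:
            raise ValueError(policy)
        if any(server_completes_handshake(y, (g + 1) % MOD) for g in guesses):
            wins += 1
    return wins / trials
```

With 1001 guesses and 2 ms of timing uncertainty the clock-based ISN is hit every time, whereas against a random ISN the same budget succeeds with probability about 1001/2^32 per attempt, which is the work factor the slides ask about.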

Summary of TCP Security Issues
- An attacker who can observe your TCP connection can manipulate it:
  - Forcefully terminate by forging a RST packet
  - Inject (spoof) data into either direction by forging data packets
  - Works because they can include in their spoofed traffic the correct sequence numbers (both directions) and TCP ports
  - Remains a major threat today
- If attacker could predict the ISN chosen by a server, could "blind spoof" a connection to the server
  - Makes it appear that host ABC has connected, and has sent data of the attacker's choosing, when in fact it hasn't
  - Undermines any security based on trusting ABC's IP address
  - Allows attacker to "frame" ABC or otherwise avoid detection
  - Fixed (mostly) today by choosing random ISNs

Summary of IP security
- No security against on-path attackers
  - Can sniff, inject packets, mount TCP spoofing, TCP hijacking, man-in-the-middle attacks
  - Typical example: wireless networks, malicious network operator
- Reasonable security against off-path attackers
  - TCP is basically secure, but UDP and IP are not

Extra Material

Sequence Numbers
(Figure: Host A sends TCP HDR + TCP Data to Host B; the sequence number = offset of the segment's 1st byte from the ISN (initial sequence number); the ACK sequence number from B = next expected byte)

TCP Threat: Disruption
- Normally, TCP finishes ("closes") a connection by each side sending a FIN control message
  - Reliably delivered, since other side must ack
- But: if a TCP endpoint finds unable to continue (process dies; info from other "peer" is inconsistent), it abruptly terminates by sending a RST control message
  - Unilateral
  - Takes effect immediately (no ack needed)
  - Only accepted by peer if has correct* sequence number

(TCP header, as above, with the RST flag highlighted in the Flags field)

Abrupt Termination
(Figure: after SYN, SYN+ACK, ACK and data exchange, A sends RST to B; the next Data segment is dropped)
- A sends a TCP packet with RESET (RST) flag to B
  - E.g., because app. process on A crashed
  - (Could instead be that B sends a RST to A)
- Assuming that the sequence numbers in the RST fit with what B expects, That's It:
  - B's user-level process receives: ECONNRESET
  - No further communication on connection is possible

- So: if attacker knows ports & sequence

TCP RST Injection
- Client (initiator): IP address 1.2.1.2, port 3344
- Server: IP address 9.8.7.6, port 80
- Attacker: IP address 6.6.6.6, port N/A
  ...
  Client -> Server:   SrcA=1.2.1.2, SrcP=3344, DstA=9.8.7.6, DstP=80, ACK, Seq=x+1, Ack=y+1, Data="GET /login.html"
  Attacker -> Client: SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, RST, Seq=y+1, Ack=x+16
- Client dutifully removes connection
  Server -> Client:   SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, ACK, Seq=y+1, Ack=x+16, Data="200 OK ..."
- Client rejects since no active connection
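An added model, not from the slides, of the receiver-side checks behind the data-injection diagrams ("Client ignores since already processed that part of bytestream") and the RST-injection diagrams ("Only accepted by peer if has correct* sequence number"): the first segment to claim a sequence range wins, and the RFC 5961 rule that a RST must match rcv_nxt exactly, with an in-window but inexact RST answered by a challenge ACK instead of tearing the connection down. The ISN value y and the window size are constructed.

```python
MOD = 1 << 32

def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), with 32-bit wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

class TcpReceiver:
    """One direction of an established connection, as the receiving host sees it.
    Simplified model: out-of-order data is not queued and ACKs are not modelled."""
    def __init__(self, peer_isn: int, rcv_wnd: int = 65535, rfc5961: bool = True):
        self.rcv_nxt = (peer_isn + 1) % MOD   # next byte expected from the peer
        self.rcv_wnd = rcv_wnd
        self.rfc5961 = rfc5961                # RST must match rcv_nxt exactly
        self.delivered = b""                  # bytes handed to the application
        self.open = True
        self.log = []

    def segment(self, seq: int, data: bytes = b"", rst: bool = False) -> str:
        """Process one arriving segment and return the receiver's decision."""
        if not self.open:
            return self._note("rejected: no active connection")
        if rst:
            if seq == self.rcv_nxt:
                self.open = False
                return self._note("ECONNRESET")
            if in_window(seq, self.rcv_nxt, self.rcv_wnd):
                if self.rfc5961:
                    return self._note("in-window RST: challenge ACK sent, connection kept")
                self.open = False
                return self._note("ECONNRESET (legacy stack accepts any in-window RST)")
            return self._note("RST outside window: dropped")
        if seq == self.rcv_nxt:
            self.delivered += data
            self.rcv_nxt = (self.rcv_nxt + len(data)) % MOD
            return self._note(f"delivered {len(data)} bytes")
        if in_window(seq, self.rcv_nxt, self.rcv_wnd):
            return self._note("out of order: held, not delivered")
        return self._note("already received: dropped (dup ACK)")

    def _note(self, msg: str) -> str:
        self.log.append(msg)
        return msg

Y = 1_000_000   # constructed value for the server ISN y in the slides' diagrams

def data_injection():
    """Forged '200 OK' at Seq=y+1 arrives first; the genuine one is then ignored."""
    client = TcpReceiver(Y)
    client.segment(Y + 1, b"200 OK injected")   # attacker's spoofed server response
    client.segment(Y + 1, b"200 OK genuine")    # real server response, same Seq
    return client.delivered, client.log

def rst_injection(seq_offset: int, rfc5961: bool = True):
    """Forged RST at Seq=y+1+seq_offset. An exact match tears the connection down;
    an in-window but inexact guess only does so on a pre-RFC-5961 stack."""
    client = TcpReceiver(Y, rfc5961=rfc5961)
    client.segment(Y + 1 + seq_offset, rst=True)
    return client.open, client.log[-1]
```

The asterisk on "correct*" is the gap the legacy branch shows: before RFC 5961 any sequence number inside the advertised window reset the connection, which is what made blind RST injection practical against long-lived connections.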

Threats to Comm. Security Goals
- Attacks can subvert each type of goal
  - Confidentiality: eavesdropping / theft of information
  - Integrity: altering data, manipulating execution (e.g., code injection)
  - Availability: denial-of-service
- Attackers can also combine different types of attacks towards an overarching goal
  - E.g. use eavesdropping (confidentiality) to construct a spoofing attack (integrity) that tells a server to drop an important connection (denial-of-service)

TCP's Rate Management
- Unless there's loss, TCP doubles data in flight every "round-trip". All TCPs expected to obey ("fairness").
- Mechanism: for each arriving ack for new data, increase allowed data by 1 maximum-sized packet
- E.g., suppose maximum-sized packet = 100 bytes
(Figure: Src sends D0-99; Dest acks A100; Src sends D100-199 and D200-299; Dest acks A200 and A300; Src sends four packets; and so on, doubling each round trip)

Protocol Cheating
- How can the destination (receiver) get data to come to them faster than normally allowed?
- ACK-Splitting: each ack, even though partial, increases allowed data by one maximum-sized packet
(Figure: Src sends D0-99; Dest replies A25, A50, A75, A100; Src then sends D100-199 through D500-599 in the next round trip)
- How do we defend against this?
  - Change rule to require full ack for all data sent in a packet

Protocol Cheating (cont.)
- How can the destination (receiver) still get data to come to them faster than normally allowed?
- Opportunistic acking: acknowledge data not yet seen!
(Figure: Src sends D0-99; Dest replies A100, A200, A300, A400; Src then sends D100-199 through D500-599 in the next round trip)
- How do we defend against this?

Keeping Receivers Honest
- Approach #1: if you receive an ack for data you haven't sent, kill the connection
  - Works only if receiver acks too far ahead
- Approach #2: follow the round trip time (RTT) and if ack arrives too quickly, kill the connection
  - Flaky: RTT can vary a lot, so you might kill innocent connections
- Approach #3: make the receiver prove they received the data
  - Add a nonce (random marker) & require receiver to include it in ack; kill connections w/ incorrect nonces
  - (nonce could be function computed over payload, so sender doesn't explicitly transmit, only implicitly)
  - Note: a protocol change

Assignment 1 (DDL: 2018.May.24)
- Please use Wireshark to perform a traffic analysis on www.cs.sjtu.edu.cn and tell us your finding.
- Please try to test at least three network layer attacks:
  - WiFi jamming attack
  - IP spoofing attack
  - MAC spoofing attack
  - DHCP spoofing attack
- Note: please record the technical details and evidence.
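An added simulation, not from the slides, of the two receiver cheats from the "Protocol Cheating" slides and the sender-side defenses from "Keeping Receivers Honest": a sender that grows its window by one MSS per new ACK ("naive"), the full-ack rule, Approach #1 (kill on an ack for unsent data) and Approach #3 (a nonce computed over the payload). The policy names, the toy nonce and the packet contents are constructed.

```python
import hashlib

MSS = 100   # maximum-sized packet, as in the slides' example

def nonce_for(payload: bytes) -> str:
    """Approach #3 in its implicit form: the nonce is a function of the payload,
    so only a receiver that actually has the bytes can produce it.
    (Constructed; a truncated SHA-256 is an arbitrary choice.)"""
    return hashlib.sha256(payload).hexdigest()[:8]

def send_window(start: int, cwnd: int):
    """Packets the sender puts in flight this round, as (seq, payload)."""
    return [(s, bytes([(s // MSS) & 0xFF]) * MSS)
            for s in range(start, start + cwnd * MSS, MSS)]

def receiver_acks(kind: str, packets):
    """ACKs a receiver of the given kind sends for the packets it received.
    Each ack is (ack_number, nonce_it_claims)."""
    acks = []
    for seq, payload in packets:
        if kind == "honest":            # one full ack per packet
            acks.append((seq + MSS, nonce_for(payload)))
        elif kind == "split":           # ACK-splitting: A25, A50, A75, A100
            for part in (25, 50, 75, 100):
                acks.append((seq + part, nonce_for(payload)))
        elif kind == "opportunistic":   # acks data it has never seen
            for ahead in range(1, 5):
                seen = payload if ahead == 1 else b""   # cannot compute the nonce
                acks.append((seq + ahead * MSS, nonce_for(seen)))
    return acks

def next_cwnd(policy: str, receiver: str, cwnd: int = 1, lost=()):
    """One round trip starting at seq 0 with cwnd packets in flight.
    Returns the cwnd (in packets) the sender will use next round, or None if
    the sender killed the connection. lost = seqs of packets dropped in transit."""
    packets = send_window(0, cwnd)
    snd_nxt = cwnd * MSS
    snd_una = 0
    expected = {seq + MSS: nonce_for(p) for seq, p in packets}
    got = [p for p in packets if p[0] not in lost]
    for ack, nonce in receiver_acks(receiver, got):
        if ack <= snd_una:
            continue                                    # old or duplicate ack
        if policy != "naive" and ack % MSS:
            snd_una = ack                               # partial ack earns no credit
            continue
        if policy in ("ack_bound", "nonce") and ack > snd_nxt:
            return None                                 # Approach #1: acked unsent data
        if policy == "nonce" and expected.get(ack) != nonce:
            return None                                 # Approach #3: cannot prove receipt
        snd_una = ack
        cwnd += 1                                       # one more MSS per new ack
    return cwnd
```

The lost-packet case reproduces the limit the slides state for Approach #1: an opportunistic receiver that never acks past what was actually sent gets away with it under the ack-bound rule and is caught only by the nonce.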
