Computer Security

CS 426
Lecture 33

Network Security (1)

CS426

Fall 2010/Lecture 33

Network Protocols Stack

Application

Application protocol
TCP protocol

Transport

Application
Transport

Network

IP protocol

IP

IP protocol

Network

Link

Dat
a
Link

Network
Access

Dat
a
Link

Link

CS426

Fall 2010/Lecture 33

Types of Addresses in Internet

Media Access Control (MAC) addresses in the network
access layer
Associated w/ network interface card (NIC)
48 bits or 64 bits

IP addresses for the network layer

32 bits for IPv4, and 128 bits for IPv6
E.g., 128.3.23.3

IP addresses + ports for the transport layer

E.g., 128.3.23.3:80

Domain names for the application/human layer

E.g., www.purdue.edu
CS426

Fall 2010/Lecture 33

Routing and Translation of

Addresses
Translation between IP addresses and MAC
addresses
Address Resolution Protocol (ARP) for IPv4
Neighbor Discovery Protocol (NDP) for IPv6

Routing with IP addresses

TCP, UDP, IP for routing packets, connections
Border Gateway Protocol for routing table updates

Translation between IP addresses and domain names

Domain Name System (DNS)

CS426

Fall 2010/Lecture 33

Threats in Networking
Confidentiality
Packet sniffing

Integrity
Session hijacking

Availability
Denial of service attacks

Common
Address translation poisoning attacks
Routing attacks

CS426

Fall 2010/Lecture 33

Concrete Security Problems

ARP is not authenticated
APR spoofing (or ARP poisoning)

Network packets pass by untrusted hosts

Packet sniffing

TCP state can be easy to guess

TCP spoofing attack

Open access
Vulnerable to DoS attacks

DNS is not authenticated

DNS poisoning attacks

CS426

Fall 2010/Lecture 33

Address Resolution Protocol (ARP)

Primarily used to translate IP addresses to Ethernet MAC
addresses
The device drive for Ethernet NIC needs to do this to send a packet

Also used for IP over other LAN technologies, e.g., FDDI, or

IEEE 802.11
Each host maintains a table of IP to MAC addresses
Message types:
ARP request
ARP reply
ARP announcement

CS426

Fall 2010/Lecture 33

http://www.netrino.com/Embedded-Systems/How-To/ARP-RARP
CS426

Fall 2010/Lecture 33

ARP Spoofing (ARP Poisoning)

Send fake or 'spoofed', ARP messages to an Ethernet LAN.
To have other machines associate IP addresses with the attackers
MAC

Defenses
static ARP table
DHCP snooping (use access control to ensure that hosts only use
the IP addresses assigned to them, and that only authorized DHCP
servers are accessible).
detection: Arpwatch (sending email when updates occur),

Legitimate use
redirect a user to a registration page before allow usage of the
network

CS426

Fall 2010/Lecture 33

IP

Internet Protocol
Version

Connectionless
Unreliable
Best effort

Flags

Fragment Offset
Time to Live
Protocol
Header Checksum

Transfer datagram
Header
Data

Header Length
Type of Service
Total Length
Identification

Source Address of Originating Host

Destination Address of Target Host
Options
Padding
IP Data

CS426

Fall 2010/Lecture 33

10

IP Routing
Meg
Packet

121.42.33.12

Office gateway

Source 121.42.33.12
132.14.11.51
Destination
5
Sequence
132.14.11.1

ISP

Tom

132.14.11.51

121.42.33.1
Internet routing uses numeric IP address
Typical route uses several hops

CS426

Fall 2010/Lecture 33

11

Packet Sniffing
Promiscuous Network Interface Card reads all
packets
Read all unencrypted data (e.g., ngrep)
ftp, telnet send passwords in clear!
Eve

Alice

Network
Network

Prevention: Encryption
CS426

Bob

(IPSEC, TLS)

Fall 2010/Lecture 33

12

User Datagram Protocol

IP provides routing
IP address gets datagram to a specific machine

UDP separates traffic by port (16-bit number)

Destination port number gets UDP datagram to
particular application process, e.g., 128.3.23.3:53
Source port number provides return address

Minimal guarantees
No acknowledgment
No flow control
No message continuation
CS426

Fall 2010/Lecture 33

13

Transmission Control Protocol

Connection-oriented, preserves order
Sender
Break data into packets
Attach sequence numbers

Receiver
Acknowledge receipt; lost packets are resent
Reassemble packets in correct order
Book

Mail each page

Reassemble book

1
19
5

1
CS426

Fall 2010/Lecture 33

1
14

TCP Sequence Numbers

Sequence number (32 bits) has a dual role:
If the SYN flag is set, then this is the initial sequence number.
The sequence number of the actual first data byte is this
sequence number plus 1.
If the SYN flag is clear, then this is the accumulated sequence
number of the first data byte of this packet for the current
session.

Acknowledgment number (32 bits)

If the ACK flag is set then this the next sequence number that the
receiver is expecting.
This acknowledges receipt of all prior bytes (if any).

CS426

Fall 2010/Lecture 33

15

TCP Handshake
C

S
SYN
(seq=x)

Listening
Store data

SYN ACK (ack=x+1 seq=y)

ACK (ack=y+1,seq=x+1)
CS426

Fall 2010/Lecture 33

Wait

Connected
16

TCP sequence prediction attack

Predict the sequence number used to identify the packets
in a TCP connection, and then counterfeit packets.
Adversary: do not have full control over the network, but
can inject packets with fake source IP addresses
E.g., control a computer on the local network

TCP sequence numbers are used for authenticating

packets
Initial seq# needs high degree of unpredictability
If attacker knows initial seq # and amount of traffic sent, can
estimate likely current values
Some implementations are vulnerable

CS426

Fall 2010/Lecture 33

17

Blind TCP Session Hijacking

A, B trusted connection

Server A

Send packets with predictable seq

numbers

E impersonates B to A
E

Opens connection to A to get initial

seq number
DoS Bs queue
Sends packets to A that resemble
Bs transmission
E cannot receive, but may execute
commands on A

Attack can be blocked if E is outside firewall.

CS426

Fall 2010/Lecture 33

18

Risks from Session Hijacking

Inject data into an unencrypted server-to-server traffic,
such as an e-mail exchange, DNS zone transfers, etc.
Inject data into an unencrypted client-to-server traffic,
such as ftp file downloads, http responses.
IP addresses often used for preliminary checks on
firewalls or at the service level.
Hide origin of malicious attacks.
Carry out MITM attacks on weak cryptographic protocols.
often result in warnings to users that get ignored

Denial of service attacks, such as resetting the

connection.

CS426

Fall 2010/Lecture 33

19

DoS vulnerability caused by

session hijacking
Suppose attacker can guess seq. number for an
existing connection:
Attacker can send Reset packet to
close connection. Results in DoS.
Naively, success prob. is 1/232 (32-bit seq. #s).
Most systems allow for a large window of
acceptable seq. #s
Much higher success probability.

Attack is most effective against long lived

connections, e.g. BGP.
CS426

Fall 2010/Lecture 33

20

Categories of Denial-of-service
Attacks
Stopping services
Locally

Process killing
Spawning processes
to fill the process table
Process crashing
System reconfiguration Filling up the whole
file system
Saturate comm
bandwidth

Malformed packets to
Remotely crash buggy services

CS426

Exhausting resources

Fall 2010/Lecture 33

Packet floods
(Smurf, SYN flood,
DDoS, etc)

21

SYN Flooding
C

S
SYNC1
SYNC2
SYNC3

Listening
Store data

SYNC4
SYNC5

CS426

Fall 2010/Lecture 33

22

SYN Flooding
Attacker sends many connection requests
Spoofed source addresses

Victim allocates resources for each request

Connection requests exist until timeout
Old implementations have a small and fixed bound on halfopen connections

Resources exhausted requests rejected

No more effective than other channel capacity-based
attack today

CS426

Fall 2010/Lecture 33

23

Smurf DoS Attack

1 ICMP Echo Req
Src: Dos Target
Dest: brdct addr
DoS
Source

3 ICMP Echo Reply

Dest: Dos Target

gateway

DoS
Target

Send ping request to broadcast addr (ICMP Echo Req)

Lots of responses:
Every host on target network generates a ping reply (ICMP
Echo Reply) to victim
Ping reply stream can overload victim
Prevention: reject external packets to broadcast address
CS426

Fall 2010/Lecture 33

24

Internet Control Message Protocol

Provides feedback about network operation
Error reporting
Reachability testing
Congestion Control

Example message types

CS426

Destination unreachable
Time-to-live exceeded
Parameter problem
Redirect to better gateway
Echo/echo reply - reachability test
Timestamp request/reply - measure transit delay

Fall 2010/Lecture 33

25

Distributed DoS (DDoS)

CS426

Fall 2010/Lecture 33

26

Hiding DDoS Attacks

Reflection
Find big sites with lots of resources, send packets with
spoofed source address, response to victim
PING => PING response
SYN => SYN-ACK

Pulsing zombie floods

each zombie active briefly, then goes dormant;
zombies taking turns attacking
making tracing difficult

CS426

Fall 2010/Lecture 33

27

Cryptographic network protection

Solutions above the transport layer
Examples: SSL and SSH
Protect against session hijacking and injected data
Do not protect against denial-of-service attacks caused by
spoofed packets

Solutions at network layer

Use cryptographically random ISNs [RFC 1948]
More generally: IPsec
Can protect against
session hijacking and injection of data
denial-of-service attacks using session resets

CS426

Fall 2010/Lecture 33

28

Readings for This Lecture

Optional Reading
Steve Bellovin: A Look Back at
Security Problems in the TCP/I
P Protocol Suite

CS426

Fall 2010/Lecture 33

29

Coming Attractions
DNS Security

CS426

Fall 2010/Lecture 33

30