Detecting Spoofed Packets

Steven Templeton, UC Davis Security Lab, 29 May 2002



  • Motivation
    - Next-generation ID approaches require more information than their predecessors.
    - Appropriate IDS sensors are not available.
    - Inference about external and local entities is required when direct sensing is not available.
    - Examples: Knows/Has __________; same source; exploitable __________ exists; sniffer active; spoofed packet; successful exploit (e.g. forged TCP handshake)

  • What is a Spoofed Packet
    - Packets sent by an attacker such that the true source is not authentic:
      - MAC spoofing
      - IP packet spoofing
      - Email spoofing
    - Not the same as routing attacks, which cause packets to be redirected (e.g. DNS cache poisoning, router table attacks, ARP spoofing)
    - This talk will focus on IP source address spoofing

  • IP/TCP Header Review: IP Header Format (20 bytes without options)
    - version, header length, TOS, total length
    - identification, flags, fragment offset
    - TTL, protocol, header checksum
    - source IP address
    - destination IP address
    - options (if any), then data

  • IP/TCP Header Review: TCP Header Format (20 bytes without options)
    - source port number, destination port number
    - sequence number
    - acknowledgement number
    - header length, reserved, window size
    - TCP checksum, urgent pointer
    - options (if any), then data (if any)

  • Significance
    - Spoofed packets are a part of many attacks:
      - SYN-flood
      - Smurf attack
      - Connection spoofing
      - Bounce scanning
      - Stealth communication

  • SYN-flood: TCP Handshake Review
    - client sends SYN packet to server, then waits for SYN-ACK from server
    - server responds w/ SYN-ACK packet, then waits for ACK packet from client
    - client sends ACK to server
    (diagram: SYN, SYN-ACK, ACK)

  • SYN-flood
    - Attacker causes TCP buffer to be exhausted w/ half-open connections.
    - No reply from target needed, so source may be spoofed.
    - Claimed source must not be an active host.
    (diagram: SYNs from many claimed source addresses filling the target's TCP buffers)

  • Smurf Attack
    - Allows attacker to flood target w/ ICMP packets.
    - Attacker does not need to see returned packets.
    - Uses network broadcast address as packet amplifier.
    - Claimed source address is address of target.
    - Sequence:
      1. Attacker sends an ICMP echo request to a particular IP address; source address is set to target host.
      2. ICMP echo request causes an ICMP echo reply to be sent to target.

  • TCP Connection Spoofing: TCP Handshake Review
    - client sends SYN packet and ACK number to server, then waits for SYN-ACK from server w/ matching ACK number
    - server responds w/ SYN-ACK packet w/ initial random sequence number, then waits for ACK packet from client with matching sequence number
    - client sends ACK to server w/ matching sequence number (and data)
    (diagram: SYN [ack-number]; SYN-ACK [seq-number, ack-number]; ACK [seq-number, ack-number] + data)

  • Connection Spoofing
    - Allows attacker to send data to a target as if it originated with a trusted host.
    - Requires guessing sequence numbers.
    - Attacker does not see returned packets; attacker must infer/guess what is sent.
    - Sequence:
      1. Attacker causes DOS on intermediate (the trusted host).
      2. Attacker sends spoofed packet to target with a claimed source of the intermediate.
      3. Target sends SYN-ACK reply to intermediate. Because of the DOS, the intermediate does not see the packet and does not reply (w/ RST).
      4. Attacker sends ACK packet to target with guessed sequence number (+data).

  • Bounce Scanning
    - Allows attacker to scan a target without revealing the true source of the scan.
    - Requires an intermediate host with little traffic.
    - Relies on change pattern of IP ID (fragmentation ID).
    - Attacker sees effects; does not need to see actual returned packet.
    - Sequence:
      1. Attacker sends packets to intermediate, monitoring IP ID in replies (e.g. TCP SYN packets).
      2. Attacker sends SYN packet with spoofed source address (the intermediate) to scan target.
      3. Target sends SYN-ACK to intermediate if port is open, RST otherwise.
      4. If intermediate receives a RST, nothing happens. If intermediate receives a SYN-ACK, it sends a RST and increments its IP ID.
      5. Attacker sends packets to intermediate, monitoring IP ID in replies: if ID incremented by 1, port was closed; if ID incremented by 2, port was open.

  • Stealth Communication
    - Allows attacker to send data to a target as if it originated from an arbitrary host.
    - Uses TTL timeout.
    - Attacker does not need to see returned packets.
    - Packets sent to target do not have a spoofed source address.
    - Info for target passed as ICMP data (original IP header + 8 bytes data).
    - Sequence:
      1. Attacker sends packet to arbitrary host, w/ source address spoofed to be target.
      2. Packet is passed between routers toward destination; each hop decrements TTL.
      3. When TTL reaches zero, packet is dropped and an ICMP TTL-expired message is sent to claimed sender (the target).

  • Detection Methods
    - Routing-based
    - Active
      - proactive
      - reactive
    - Passive

  • Routing-based Methods
    - For a given network topology certain source IP addresses should never be seen:
      - Internal addresses arriving on external interface
      - External addresses arriving on internal interface
      - IANA non-routable addresses on external interface
      - Other special addresses
    (diagram: filtering device with an internal NIC and an external NIC)

  • Special Addresses
    - 0.0.0.0/8 - Historical broadcast
    - 10.0.0.0/8 - RFC 1918 private network
    - 127.0.0.0/8 - Loopback
    - 169.254.0.0/16 - Link local networks
    - 172.16.0.0/12 - RFC 1918 private network
    - 192.0.2.0/24 - TEST-NET
    - 192.168.0.0/16 - RFC 1918 private network
    - 240.0.0.0/5 - Class E reserved
    - 248.0.0.0/5 - Unallocated
    - 255.255.255.255/32 - Broadcast

  • Routing-based Methods
    - Most commonly used method: firewalls, filtering routers.
    - Relies on knowledge of network topology and routing specs.
    - Primarily used at organizational border.
    - Cannot detect many examples of spoofing:
      - Externally spoofed external addresses
      - Internally spoofed internal addresses
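The routing-based check from the two slides above (the interface rule plus the special-address list), as an added example that is not part of the talk; the internal prefix 203.0.113.0/24 is a constructed placeholder for the organization's own address space, and the return value of None for an external address seen on the external interface shows exactly the blind spot the slide names.

```python
from ipaddress import ip_address, ip_network

# Special addresses from the talk's list; none is a legitimate source on the
# external interface.
SPECIAL_PREFIXES = {
    "0.0.0.0/8": "historical broadcast",
    "10.0.0.0/8": "RFC 1918 private network",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link local",
    "172.16.0.0/12": "RFC 1918 private network",
    "192.0.2.0/24": "TEST-NET",
    "192.168.0.0/16": "RFC 1918 private network",
    "240.0.0.0/5": "class E reserved",
    "248.0.0.0/5": "unallocated",
    "255.255.255.255/32": "broadcast",
}
SPECIAL = [(ip_network(p), why) for p, why in SPECIAL_PREFIXES.items()]

# Assumption: the organization's own address space (constructed placeholder).
INTERNAL_NETS = [ip_network("203.0.113.0/24")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def spoof_reason(src, interface):
    """Return None if `src` is plausible on `interface` ('internal' or
    'external'), otherwise a reason why the packet cannot be genuine."""
    addr = ip_address(src)
    if interface == "external":
        if is_internal(addr):
            return "internal address arriving on external interface"
        for net, why in SPECIAL:
            if addr in net:
                return f"special address on external interface ({why})"
        return None   # externally spoofed external address: not detectable here
    if interface == "internal":
        if not is_internal(addr):
            return "external address arriving on internal interface"
        return None   # internally spoofed internal address: not detectable here
    raise ValueError("interface must be 'internal' or 'external'")


def filter_packets(packets):
    """packets: iterable of (interface, src) pairs; returns the flagged ones."""
    return [(iface, src, spoof_reason(src, iface)) for iface, src in packets
            if spoof_reason(src, iface)]
```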

  • Proactive methods
    - Looks for behavior that would not occur if the client had actually processed the packet sent to it.
    - Method: change IP stack behavior.
    - Can observe suspicious activity.
    - Examples:
      - TCP window games
      - SYN-cookies (block w/o detection)

  • TCP Window Games: Modified TCP Handshake
    - client sends SYN packet and ACK number to server, then waits for SYN-ACK from server w/ matching ACK number
    - server responds w/ SYN-ACK packet w/ initial random sequence number and sets window size to zero, then waits for ACK packet from client with matching sequence number
    - client sends ACK to server w/ matching sequence number, but no data, then waits for ACK w/ window > 0
    - after receiving larger window, client sends data
    - Spoofer will not see 0-len window and will send data without waiting.
    (diagram: SYN [ack-number]; SYN-ACK [seq-number, ack-number, window = 0]; ACK [seq-number, ack-number, no data]; ACK [seq-number, ack-number, window = 4096]; ACK [seq-number, ack-number] w/ data)
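The window game above as a server-side state machine, added here as an example and not the talk's code. Segments are constructed (flags, payload length) pairs rather than parsed packets, and the sequence-number bookkeeping of a real stack is left out so that only the zero-window check is shown.

```python
OPEN_WINDOW = 4096   # window advertised after the client's empty ACK (value from the slide)


class WindowGame:
    """Server-side state for one connection attempt."""

    def __init__(self):
        self.state = "LISTEN"
        self.verdict = None          # "genuine" or "spoofed" once decided

    def on_segment(self, flags, payload_len):
        """flags: set of TCP flag names; payload_len: bytes of data carried.
        Returns the reply the server would send."""
        if self.state == "LISTEN" and flags == {"SYN"}:
            # SYN-ACK with a zero window: a client that really received this
            # must not send any data until the window opens.
            self.state = "SYN_RCVD"
            return {"flags": {"SYN", "ACK"}, "window": 0}
        if self.state == "SYN_RCVD" and flags == {"ACK"}:
            if payload_len > 0:
                # Data arrived while the advertised window was 0: the sender
                # never processed the SYN-ACK, so it did not reach the sender
                # at the claimed source address.
                self.state = "CLOSED"
                self.verdict = "spoofed"
                return {"flags": {"RST"}}
            self.state = "ESTABLISHED"
            self.verdict = "genuine"
            return {"flags": {"ACK"}, "window": OPEN_WINDOW}
        if self.state == "ESTABLISHED" and "ACK" in flags:
            return {"flags": {"ACK"}, "window": OPEN_WINDOW}
        self.state = "CLOSED"
        return {"flags": {"RST"}}


def run_handshake(segments):
    """Feed a constructed sequence of (flags, payload_len) client segments
    and return the verdict for the claimed source."""
    game = WindowGame()
    for flags, payload_len in segments:
        game.on_segment(flags, payload_len)
    return game.verdict
```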

  • SYN-Cookies: Modified TCP Handshake
    - Example of a stateless handshake.
    - client sends SYN packet and ACK number to server, then waits for SYN-ACK from server w/ matching ACK number
    - server responds w/ SYN-ACK packet w/ initial SYN-cookie sequence number: the sequence number is a cryptographically generated value based on client address, port, and time. No TCP buffers are allocated.
    - client sends ACK to server w/ matching sequence number
    - server: if ACK is to an unopened socket, server validates returned sequence number as SYN-cookie; if value is reasonable, a buffer is allocated and socket is opened.
    - Spoofed packets will not consume TCP buffers.
    (diagram: SYN [ack-number]; SYN-ACK [seq-number as SYN-cookie, ack-number] - NO BUFFER ALLOCATED; ACK [seq-number, ack-number] + data; SYN-ACK [seq-number, ack-number] - TCP BUFFER ALLOCATED)
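A SYN-cookie generator and validator in the shape the slide describes (sequence number derived from client address, port and time; nothing stored until the ACK validates), added as an example and not the talk's or any kernel's code. The secret, the 64-second counter period and the one-tick acceptance window are assumptions, and the MSS encoding that production implementations fold into the cookie is omitted.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed per-boot server secret"   # assumption: random key in practice
COUNTER_PERIOD = 64      # seconds per tick of the coarse time counter (assumption)
MAX_AGE_TICKS = 1        # accept cookies from the current or the previous tick


def _time_counter(now):
    return int(now // COUNTER_PERIOD) & 0xFF


def _cookie(client_ip, client_port, server_port, t):
    # Top 8 bits: time counter; low 24 bits: keyed hash over client address,
    # ports and counter. Nothing about the SYN is stored on the server.
    msg = struct.pack("!4sHHB", socket.inet_aton(client_ip), client_port, server_port, t)
    h24 = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return (t << 24) | h24


def make_syn_cookie(client_ip, client_port, server_port, now):
    """Initial sequence number for the SYN-ACK; no TCP buffer is allocated."""
    return _cookie(client_ip, client_port, server_port, _time_counter(now))


def ack_opens_socket(client_ip, client_port, server_port, ack_number, now):
    """Called for an ACK that matches no half-open socket. ack_number is the
    client's ACK field (our ISN + 1). True means the cookie is one we issued
    recently for this 4-tuple, so a buffer may be allocated; a spoofed SYN
    never produces such an ACK because the spoofer never saw the SYN-ACK."""
    isn = (ack_number - 1) & 0xFFFFFFFF
    t = isn >> 24
    if ((_time_counter(now) - t) & 0xFF) > MAX_AGE_TICKS:
        return False                      # too old, or a fabricated counter
    expected = _cookie(client_ip, client_port, server_port, t)
    return hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big"))
```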

  • Reactive methods
    - When a suspicious packet is received, a probe of the source is conducted to verify whether the packet was spoofed.
    - May use same techniques as proactive methods.
    - Example probes:
      - Is TTL appropriate?
      - Is ID appropriate?
      - Is host up?
      - Change window size

  • Passive Methods
    - Learn expected values for observed packets.
    - When an anomalous packet is received, treat it as suspicious.
    - Example values:
      - Expected TTL
      - Expected client port
      - Expected client OS idiosyncrasies

  • Experiments
    - Goal: determine the validity of various spoofed-packet detection methods.
    - Predictability of TTL (passive)
    - Predictability of TTL (active)
    - Predictability of ID (active)

  • Experiment Description - Passive
    - Monitor network traffic.
    - Record source IP address, TTL, protocol.
    - Count occurrences of all unique combinations.
    - Statistically analyze predictability of the data.

  • Results - Passive
    - Data collected over several 2-week periods; data being reported: finals + spring break.
    - Seclab traffic at Olympus.
    - 23,000,000 IP packets observed.
    - 23461 source IP addresses: 110 internal, 23351 external.

  • Results - Passive
    - Predictability measure: conditional entropy (unpredictability).
    - Values closer to zero indicate higher predictability.
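The passive method of the preceding slides (learn TTL per source and protocol, score predictability with conditional entropy, flag anomalous TTLs), written out as an added example rather than the talk's own program. The observation records are constructed, the traceroute filter (drop UDP packets arriving with TTL of 3 or less) and the +/-1 TTL slack are assumptions.

```python
from collections import Counter, defaultdict
from math import log2

TRACEROUTE_MAX_TTL = 3   # assumption: UDP arriving with TTL this low is treated as a traceroute probe

# Constructed observations (src, protocol, ttl), not the talk's data set.
OBSERVED = (
    [("198.51.100.7", "tcp", 52)] * 40 + [("198.51.100.7", "tcp", 53)] * 2
    + [("203.0.113.9", "tcp", 128)] * 30
    + [("203.0.113.9", "udp", 1), ("203.0.113.9", "udp", 2), ("203.0.113.9", "udp", 3)]
)


class TTLProfile:
    def __init__(self):
        self.counts = defaultdict(Counter)   # (src, proto) -> Counter of TTLs

    def observe(self, src, proto, ttl):
        if proto == "udp" and ttl <= TRACEROUTE_MAX_TTL:
            return                            # filter traceroute, as the talk recommends
        self.counts[(src, proto)][ttl] += 1

    def conditional_entropy(self):
        """H(TTL | src, proto) in bits: 0 means the TTL is fully determined by
        source and protocol; larger values mean less predictability."""
        total = sum(sum(c.values()) for c in self.counts.values())
        h = 0.0
        for c in self.counts.values():
            n = sum(c.values())
            for k in c.values():
                h -= (k / total) * log2(k / n)
        return h

    def is_suspicious(self, src, proto, ttl, slack=1):
        """Known source whose TTL is more than `slack` away from every TTL
        seen before. An unknown source is not flagged here; that case is
        what the reactive probe is for."""
        seen = self.counts.get((src, proto))
        if not seen:
            return False
        return all(abs(ttl - t) > slack for t in seen)


def train(records):
    profile = TTLProfile()
    for src, proto, ttl in records:
        profile.observe(src, proto, ttl)
    return profile
```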


  • Results - Passive
    - TTL differs by protocol.
    - UDP most unreliable: traceroute is major contributor (can be filtered); certain programs set TTL anomalously.
    - ToS may be useful in reducing inconsistencies.
    - TTL on local network highly regular; must filter traceroute traffic.

  • ToS Review
    - ToS byte fields: priority, minimize delay, maximize throughput, maximize reliability, minimize $$ cost, reserved.
    - May differ by protocol and service:

      Service      Min delay   Max throughput   Max reliability   Min $$ cost
      Telnet           1             0                 0               0
      DNS - UDP        1             0                 0               0
      DNS - TCP        0             0                 0               0
      NNTP             0             0                 0               1

  • Experiment Description - Reactive
    - Monitor network traffic.
    - Record IP address, protocol, TTL and ID.
    - Send probe packet(s): ICMP echo reply packet, TCP SYN packet, UDP packet.
    - Note the differences between the stored TTL/ID and those of the returning probes.

  • Results - Reactive
    - Evaluate initial vs. probe reply TTL, and initial vs. probe reply ID (delta from original).
    - Predictability measure: conditional entropy (unpredictability); values closer to zero indicate higher predictability.

  • Results - Reactive (preliminary only)
    - Ran for 18 hours.
    - 8058 probes sent.
    - 218 unique addresses: 173 external, 45 internal.

  • Results - Reactive: TTL off by
    - Total # probes: 8058

      TTL off by       Probes   Cumulative             Share of total
      more than 2        1591
      exactly 2           371   +/-2 or less: 6467     80%
      exactly 1           986   +/-1 or less: 6096     75%
      0                  5110   0: 5110                63%

  • Results - Reactive: ID off by
    - Total # probes: 8058

      Offset   Count
         1      6012
         5       742
        16       165
        14        71
        18         9

    - Remaining offset/count rows, as extracted from the slide: 256735125768 22128010

  • Future and Ongoing Work
    - Complete and evaluate reactive experiments.
    - Evaluate predictability of unobserved IP addresses using a neural network or other ML method.
    - Complete and test SPD program:
      - Monitor network traffic.
      - Determine if packet is suspicious using passive system.
      - If suspicious, use reactive methods to determine if packet was spoofed.

  • Conclusion
    - Spoofed packets are used in many different attacks.
    - Spoofed packets can be detected by a number of methods.
    - High predictability in TTL and ID allows use of passive and active methods.