ECE 4112 - Internetwork Security 1

Address Spoofing and Denial of Service

• Agenda
 – MAC modification
 – Address Resolution Protocol trickery
 – IP address spoofing
 – TCP session hijacking
 – Domain name spoofing
 – Email spoofing (not in lab)
 – Denial of service

ECE 4112 - Internetwork Security 2

IP Spoofing and Denial of Service Lab Exercises

• Medium Access Control (MAC) address spoofing
 – Windows XP MAC modification
 – Linux MAC modification

• IP spoofing
 – From Windows: wINJECT
 – From Linux: fraggle.c

• Domain Name System spoofing
 – dsniff tool

• Denial of Service
 – datapool tool (synful, teardrop, udpflood)

ECE 4112 - Internetwork Security 3

The Ethernet Frame - IEEE 802.3

• Destination and Source MAC addresses are the fields rewritten for spoofing; nothing in the frame authenticates either of them.

ECE 4112 - Internetwork Security 4

MAC modification/Spoofing

• Change the MAC on a host (cloning)
 – Linux: ifconfig
 – Windows: network adapter settings

• Creating link-layer packets (spoofing)
 – libnet (API)
 – Linkcat (tool: netcat for the link layer)

ECE 4112 - Internetwork Security 5

Modifying Windows XP Network Interface

ECE 4112 - Internetwork Security 6

Modifying Windows XP Network Interface (continued)

ECE 4112 - Internetwork Security 7

Modifying Linux Network Interface

ECE 4112 - Internetwork Security 8

Address Resolution Protocol (ARP)

• Method for finding a host's Ethernet (MAC) address from its IP address
• A broadcast request asks who holds the IP address; the owner replies with its MAC
• Hosts keep a cache of answers to avoid frequent requests; most stacks also accept replies they never asked for and overwrite cache entries with them, which is what ARP cache poisoning exploits

ECE 4112 - Internetwork Security 9

ARP Cache Poisoning

• Forged ARP replies rebind another host's IP address (typically the gateway's) to the attacker's MAC in the victim's cache; no authentication is involved, so the victim believes the last reply it saw

• Man in the Middle (MitM) attack: session stealing, packet/data injection (the attacker forwards the traffic it receives, so the victim sees no outage)

• Beat the switch: a switch delivers a frame only to the port that owns its destination MAC, so a passive sniffer sees nothing; poisoning makes the victim address its frames to the attacker. The related trick of making a switch behave like a hub is MAC flooding (dsniff's macof), which overflows the switch's address table so it floods frames to every port

ECE 4112 - Internetwork Security 10

Arpspoof Example
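As an added example (not from the slides and not dsniff's own source), the C program below builds the unsolicited ARP reply an arpspoof-style tool sends to a victim, claiming the gateway's IP address for the attacker's MAC, and then runs the check an arpwatch-style monitor performs to notice it: a reply that rebinds an already-learned IP address to a different MAC. The MAC addresses, IP addresses and the monitor's table are constructed for illustration; the program works on byte buffers only and puts nothing on the wire.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARP_FRAME_LEN 42          /* 14-byte Ethernet header + 28-byte IPv4 ARP body */

/* Build an unsolicited ARP reply, unicast to the victim, claiming that
 * claimed_ip (e.g. the gateway) lives at attacker_mac. Returns frame length. */
size_t build_arp_reply(uint8_t frame[ARP_FRAME_LEN], const uint8_t victim_mac[6],
                       const uint8_t attacker_mac[6], const uint8_t claimed_ip[4],
                       const uint8_t victim_ip[4]) {
    memcpy(frame, victim_mac, 6);            /* Ethernet destination */
    memcpy(frame + 6, attacker_mac, 6);      /* Ethernet source */
    frame[12] = 0x08; frame[13] = 0x06;      /* EtherType 0x0806 = ARP */
    uint8_t *arp = frame + 14;
    arp[0] = 0x00; arp[1] = 0x01;            /* HTYPE: Ethernet */
    arp[2] = 0x08; arp[3] = 0x00;            /* PTYPE: IPv4 */
    arp[4] = 6;    arp[5] = 4;               /* HLEN, PLEN */
    arp[6] = 0x00; arp[7] = 0x02;            /* OPER: reply */
    memcpy(arp + 8,  attacker_mac, 6);       /* sender MAC: the attacker */
    memcpy(arp + 14, claimed_ip, 4);         /* sender IP: the address being hijacked */
    memcpy(arp + 18, victim_mac, 6);         /* target MAC */
    memcpy(arp + 24, victim_ip, 4);          /* target IP */
    return ARP_FRAME_LEN;
}

/* Minimal arpwatch-style monitor: remembers the first MAC seen for each IP. */
struct arp_binding { uint8_t ip[4]; uint8_t mac[6]; };
struct arp_monitor { struct arp_binding seen[16]; size_t n; };

enum arp_verdict { ARP_NOT_ARP = -1, ARP_NEW = 0, ARP_SAME = 1, ARP_CHANGED = 2 };

/* Feed one Ethernet frame. ARP_CHANGED means an IP just moved to another MAC,
 * the signature of cache poisoning (or, rarely, a legitimate NIC swap). */
int arp_monitor_observe(struct arp_monitor *m, const uint8_t *frame, size_t len) {
    if (len < ARP_FRAME_LEN || frame[12] != 0x08 || frame[13] != 0x06) return ARP_NOT_ARP;
    const uint8_t *arp = frame + 14;
    if (arp[7] != 0x01 && arp[7] != 0x02) return ARP_NOT_ARP;  /* requests carry a sender binding too */
    const uint8_t *sender_mac = arp + 8, *sender_ip = arp + 14;
    for (size_t i = 0; i < m->n; i++) {
        if (memcmp(m->seen[i].ip, sender_ip, 4) == 0)
            return memcmp(m->seen[i].mac, sender_mac, 6) == 0 ? ARP_SAME : ARP_CHANGED;
    }
    if (m->n < 16) {                          /* learn the binding */
        memcpy(m->seen[m->n].ip, sender_ip, 4);
        memcpy(m->seen[m->n].mac, sender_mac, 6);
        m->n++;
    }
    return ARP_NEW;
}

/* Constructed scenario: the real gateway answers first, then the attacker sends
 * the poisoned reply. Returns the monitor's verdict on the second frame
 * (expected ARP_CHANGED), or -1 if the first frame was not learned as new. */
int demo_poisoning_detected(void) {
    const uint8_t gateway_mac[6]  = {0x00,0x11,0x22,0x33,0x44,0x55};   /* made up */
    const uint8_t attacker_mac[6] = {0x00,0xde,0xad,0xbe,0xef,0x01};   /* made up */
    const uint8_t victim_mac[6]   = {0x00,0xaa,0xbb,0xcc,0xdd,0xee};   /* made up */
    const uint8_t gateway_ip[4]   = {10, 0, 0, 1};
    const uint8_t victim_ip[4]    = {10, 0, 0, 42};
    uint8_t legit[ARP_FRAME_LEN], spoofed[ARP_FRAME_LEN];
    struct arp_monitor mon = { .n = 0 };

    build_arp_reply(legit, victim_mac, gateway_mac, gateway_ip, victim_ip);    /* genuine answer */
    build_arp_reply(spoofed, victim_mac, attacker_mac, gateway_ip, victim_ip); /* arpspoof-style */
    if (arp_monitor_observe(&mon, legit, ARP_FRAME_LEN) != ARP_NEW) return -1;
    return arp_monitor_observe(&mon, spoofed, ARP_FRAME_LEN);
}

int main(void) {
    printf("verdict on spoofed reply: %d (2 = binding changed, likely poisoning)\n",
           demo_poisoning_detected());
    return 0;
}
```

The frame layout is exactly what a victim's stack consumes: the sender MAC/IP pair in the ARP body, not the Ethernet addresses, is what lands in its cache, which is why the monitor keys on that pair as well.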

ECE 4112 - Internetwork Security 11

Network and Transport Layers

• Internet Protocol (IP)
• Internet Control Message Protocol (ICMP)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
• TCP session hijacking

ECE 4112 - Internetwork Security 12

Internet Protocol (IP)

• IP provides a best-effort way to route datagrams from source to destination

• Source address, destination address: network number and host number

• IP spoofing: change or disguise source address

IPv4 header (each row is 32 bits):

 Version | IHL | Type of Service | Total length
 Identification | Flags (reserved, DF, MF) | Fragment offset
 Time to live | Protocol | Header checksum
 Source address
 Destination address
 Options (0 or more words)

ECE 4112 - Internetwork Security 13

IP Spoofing

• Non-blind attacks
 – Attacker and target on the same subnet
 – Reply traffic can be sniffed

• Blind attacks
 – Attacker and target on different subnets
 – Reply traffic cannot be seen by the attacker
 – Attacker must be able to predict the replies (e.g. the target's initial sequence number)

ECE 4112 - Internetwork Security 14

IP Spoofing

• Attacks made possible by IP spoofing include Denial of Service (DoS), session hijacking and man in the middle

• To take over a TCP stream, the sequence and acknowledgement numbers must be sniffed or predicted; a segment carrying the wrong numbers is discarded by the receiver

ECE 4112 - Internetwork Security 15

Transmission Control Protocol (TCP)

• Source and destination ports
• Sequence and acknowledgement numbers
• Reliability: the checksum catches corruption but is not tamperproof (whoever rewrites a segment simply recomputes it)

TCP header (each row is 32 bits):

 Source port | Destination port
 Sequence number
 Acknowledgement number
 TCP HL (data offset) | reserved | URG ACK PSH RST SYN FIN | Window size
 Checksum | Urgent pointer
 Options (0 or more 32-bit words)
 Data (optional)

ECE 4112 - Internetwork Security 16

Transmission Control Protocol (TCP)

• Control flags (bits in the header, not separate packet types)
 – URG - Urgent
 – ACK - Acknowledge
 – PSH - Push
 – RST - Reset
 – SYN - Synchronize (a flood of SYNs can exhaust a server's table of half-open connections)
 – FIN - Finish

ECE 4112 - Internetwork Security 17

Transmission Control Protocol (TCP)

• TCP connection initiation: three-way handshake

 Host 1 -> Host 2: SYN (SEQ=x)
 Host 2 -> Host 1: SYN, ACK (SEQ=y, ACK=x+1)
 Host 1 -> Host 2: ACK (SEQ=x+1, ACK=y+1)

• A blind spoofer never sees the second message, so it must guess y to send a valid third one; this is the "predict the replies" requirement from the IP spoofing slide

ECE 4112 - Internetwork Security 18

Session Hijacking

• Session hijacking attacks are based on sniffing plus IP spoofing
 – Attacker monitors packets between Alice and Bob to learn addresses, ports and the current sequence/acknowledgement numbers
 – Attacker injects spoofed traffic with Alice's source IP address and the numbers Bob expects next

[Figure: Alice, Bob and the Attacker on one network; Alice has a telnet session to Bob; the Attacker's injected packet says "Hi, I am Alice".]

ECE 4112 - Internetwork Security 19

DNS Spoofing

• Causes name resolution to result in an incorrect IP address

• In our lab, the dnsspoof tool from the dsniff suite is used to accomplish this

ECE 4112 - Internetwork Security 20

DSniff

• Collection of tools for network auditing and penetration testing.

• Tools included: arpspoof, dnsspoof, dsniff, filesnarf, macof,

ECE 4112 - Internetwork Security 21

DSniff

mailsnarf, msgsnarf, tcpkill, tcpnice, urlsnarf, webspy, sshmitm, webmitm

ECE 4112 - Internetwork Security 22

DSniff

• All kinds of attacks can be run, e.g.
 – Password sniffing
 – Message and file capture
 – URL capture
 – Man-in-the-middle

• Lab exercise: DNS spoofing

ECE 4112 - Internetwork Security 23

Email Spoofing

• Email spoofing is effective because most people do not take the time to check message headers.

• An email's true origin can be further obscured by forging extra "Received:" lines; only the lines added by servers the reader trusts (the topmost ones) are reliable.

• Cryptographically signing email (PGP or S/MIME, for example) gives the recipient a way to verify who really sent it.

ECE 4112 - Internetwork Security 24

Email Spoofing

• Email spoofing is a form of social engineering.

• Spammers also use email spoofing to make themselves harder to track.

• A forged email can often be detected by close inspection of its headers.

• A plain SMTP session on port 25 requires no authentication, so anyone who can connect to the server can submit mail with any MAIL FROM and From: address, as the transcript on the next slide shows. (Modern servers require authentication for submission and check SPF, DKIM and DMARC to reject such forgeries; this 2003 transcript predates all of that.)

ECE 4112 - Internetwork Security 25

Email Spoofing (Not in Lab Assignment)

 telnet mail.xyz.gatech.edu 25
 220 sark.xyz.gatech.edu ESMTP Sendmail 8.12.10/8.12.8; Mon, 1 Dec 2003 040500 (EST)
 HELO abc4883.com
 250 sark.xyz.gatech.edu Hello ece-237-37.abc.gatech.edu [130.207.237.37], pleased to meet you
 MAIL FROM: <[email protected]>
 250 2.1.0 <[email protected]>... Sender ok
 RCPT TO: <[email protected]>
 250 2.1.5 <[email protected]>... Recipient ok
 DATA
 354 Enter mail, end with "." on a line by itself
 Greetings from abc4883!
 .
 250 2.0.0 hAUMOh6c005386 Message accepted for delivery
 QUIT
 221 2.0.0 sark.xyz.gatech.edu closing connection

Note that the server records the connecting host's real name and address (the 250 reply to HELO) in the Received: header it adds, whatever the HELO name and MAIL FROM claim; that is what header inspection relies on.

ECE 4112 - Internetwork Security 26

Raw Sockets

• Allows the application to bypass the transport layer and hand the kernel complete packets (the Network Access/Internet layer of the TCP/IP model)

• Used to develop new protocols or build upon existing ones

• Programming difference: open the socket with type SOCK_RAW and build the headers yourself

 int fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);  /* domain, type, protocol */
 /* with IP_HDRINCL set on fd, the IP header (and so the source address) is ours to write as well */

• Requires super-user access (root, or CAP_NET_RAW on Linux)

• Not implemented the same across all platforms (Windows XP SP2, for example, stopped letting raw sockets send TCP segments or UDP datagrams with a forged source address)
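Putting the raw socket slide together with the IP spoofing slides, the following C program is an added example written for this page (it is not the course's wINJECT or fraggle.c, nor libnet): it builds a complete IPv4 header plus TCP SYN with a source address of its choosing, computes both checksums the way a receiver verifies them, and hands the result to a SOCK_RAW socket with IP_HDRINCL. The addresses and ports (10.0.0.99 posing as the source, 10.0.0.1:80 as the target) are made up; the known-answer header is the one used in Wikipedia's IPv4 header checksum walkthrough. Only the send step needs root; building and verifying run unprivileged.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Own 20-byte header layouts (no padding) so the example does not depend on
 * glibc's struct iphdr/tcphdr; every multi-byte field is big-endian on the wire. */
struct ipv4_hdr { uint8_t ver_ihl, tos; uint16_t tot_len, id, frag_off; uint8_t ttl, protocol;
                  uint16_t check; uint32_t saddr, daddr; };
struct tcp_hdr  { uint16_t source, dest; uint32_t seq, ack_seq; uint8_t doff_res, flags;
                  uint16_t window, check, urg_ptr; };
#define TCP_SYN 0x02

/* RFC 1071 one's-complement sum, read big-endian so the result is host-independent;
 * store it with htons(). A header that already contains its correct checksum sums
 * to 0 through this function, which is how a receiver verifies it. */
uint16_t inet_checksum(const uint8_t *data, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (len & 1) sum += (uint32_t)data[len - 1] << 8;      /* odd trailing byte, zero-padded */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);  /* fold the carries */
    return (uint16_t)~sum;
}

/* TCP checksum: pseudo-header (src, dst, 0, protocol, TCP length) + the segment. */
uint16_t tcp_checksum(uint32_t saddr_be, uint32_t daddr_be, const uint8_t *seg, size_t seg_len) {
    uint8_t buf[12 + 1480];
    if (seg_len > 1480) return 0;
    memcpy(buf, &saddr_be, 4);
    memcpy(buf + 4, &daddr_be, 4);
    buf[8] = 0; buf[9] = IPPROTO_TCP;
    buf[10] = (uint8_t)(seg_len >> 8); buf[11] = (uint8_t)seg_len;
    memcpy(buf + 12, seg, seg_len);
    return inet_checksum(buf, 12 + seg_len);
}

/* Write an IPv4 header + TCP SYN (40 bytes) into pkt with any source address we
 * like. Returns the total length. */
size_t build_spoofed_syn(uint8_t *pkt, const char *spoofed_src, const char *dst,
                         uint16_t sport, uint16_t dport, uint32_t isn) {
    struct ipv4_hdr ip; struct tcp_hdr tcp;
    memset(&ip, 0, sizeof ip); memset(&tcp, 0, sizeof tcp);
    ip.ver_ihl = 0x45; ip.tot_len = htons(40); ip.id = htons(0x1234); ip.ttl = 64;
    ip.protocol = IPPROTO_TCP;
    inet_pton(AF_INET, spoofed_src, &ip.saddr);   /* the lie: nothing checks this */
    inet_pton(AF_INET, dst, &ip.daddr);
    ip.check = htons(inet_checksum((const uint8_t *)&ip, sizeof ip));
    tcp.source = htons(sport); tcp.dest = htons(dport); tcp.seq = htonl(isn);
    tcp.doff_res = 5 << 4; tcp.flags = TCP_SYN; tcp.window = htons(65535);
    tcp.check = htons(tcp_checksum(ip.saddr, ip.daddr, (const uint8_t *)&tcp, sizeof tcp));
    memcpy(pkt, &ip, sizeof ip); memcpy(pkt + sizeof ip, &tcp, sizeof tcp);
    return sizeof ip + sizeof tcp;
}

/* Receiver-side check: both checksums verify (sum to zero over the filled headers). */
int verify_packet(const uint8_t *pkt, size_t len) {
    struct ipv4_hdr ip;
    if (len < sizeof ip) return 0;
    memcpy(&ip, pkt, sizeof ip);
    size_t ihl = (ip.ver_ihl & 0x0f) * 4;
    if (ihl < 20 || len < ihl + sizeof(struct tcp_hdr)) return 0;
    if (inet_checksum(pkt, ihl) != 0) return 0;
    return tcp_checksum(ip.saddr, ip.daddr, pkt + ihl, len - ihl) == 0;
}

/* Known answer: the header from the usual IPv4 checksum walkthrough (checksum
 * 0xb861); returns 1 if we reproduce it and the filled-in header re-sums to 0. */
int checksum_known_answer(void) {
    uint8_t h[20] = {0x45,0x00,0x00,0x73, 0x00,0x00,0x40,0x00, 0x40,0x11,0x00,0x00,
                     0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0xc7};
    if (inet_checksum(h, 20) != 0xb861) return 0;
    h[10] = 0xb8; h[11] = 0x61;
    return inet_checksum(h, 20) == 0;
}

/* Build the constructed SYN (addresses made up) and verify it; 1 on success. */
int build_and_verify(void) {
    uint8_t pkt[64];
    size_t n = build_spoofed_syn(pkt, "10.0.0.99", "10.0.0.1", 40000, 80, 0x11223344u);
    return n == 40 && verify_packet(pkt, n);
}

/* Hand the finished packet to the kernel. IP_HDRINCL says our IP header is
 * complete; this needs root (CAP_NET_RAW) and returns -1 otherwise. */
int send_raw(const uint8_t *pkt, size_t len) {
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW), one = 1;
    if (fd < 0) return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one) < 0) { close(fd); return -1; }
    struct sockaddr_in to; memset(&to, 0, sizeof to);
    to.sin_family = AF_INET; memcpy(&to.sin_addr, pkt + 16, 4);   /* destination from the header */
    ssize_t n = sendto(fd, pkt, len, 0, (struct sockaddr *)&to, sizeof to);
    close(fd);
    return n < 0 ? -1 : 0;
}

int main(void) {
    uint8_t pkt[64];
    size_t n = build_spoofed_syn(pkt, "10.0.0.99", "10.0.0.1", 40000, 80, 0x11223344u);
    printf("built %zu bytes, checksums %s\n", n, verify_packet(pkt, n) ? "ok" : "BAD");
    if (send_raw(pkt, n) < 0) perror("send_raw (root required)");
    return 0;
}
```

A forged SYN like this is also the unit of a SYN flood: the target's SYN-ACK goes to 10.0.0.99, which never answers, so the half-open entry lingers until it times out. Note that only the source address is free; the TCP checksum must still be correct, which is why the pseudo-header includes the spoofed address.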

ECE 4112 - Internetwork Security 27

libnet

• Raw socket and link-layer injection facilities
• Simplifies packet-injection programming: one libnet_build_*() call per header; a ptag of 0 creates a header and a saved ptag lets you modify that header in place for the next packet

 libnet_build_ipv4(ip_len, tos, id, frag, ttl, prot, sum, src_ip, dst_ip, payload, payload_s, l, ptag)

 libnet_autobuild_ipv4(ip_len, prot, dst_ip, l)

 (src_ip and dst_ip are 32-bit IP addresses in network byte order; a sum of 0 asks libnet to compute the checksum; autobuild takes the source address from the interface the context l is bound to)

• Allows for prebuilding streams of packets
• Efficient mechanism for packet injection
• Portable solution for packet injection

ECE 4112 - Internetwork Security 28

Denial of Service

• Denial of Service
 – Easy to mount; script-kiddie tools exist
 – Requires few computing resources
 – Among the most common attacks, with severe results

• Comes in various forms, e.g.
 – Buffer overflow attack
 – Teardrop attack
 – SYN flood
 – Smurf attack

ECE 4112 - Internetwork Security 29

Internet Control Message Protocol (ICMP)

• ICMP reports errors and tests reachability on an IP network
• Each ICMP message type is encapsulated in an IP packet

 Message type | Description
 Destination unreachable | Packet could not be delivered
 Time exceeded | Time to live field hit 0
 Parameter problem | Invalid header field
 Redirect | Teach a router about geography
 Echo request | Ask a machine if it is alive
 Echo reply | Yes, I am alive

ECE 4112 - Internetwork Security 30

Denial of Service

• Buffer overflow: send more data than the allotted buffer space, e.g. more than 256 characters in an email From field.

• Teardrop: takes advantage of IP fragmentation; fragments with overlapping offsets made vulnerable reassembly code compute a negative copy length and crash.

• SYN flood: flood the target with connection requests (SYNs, usually from spoofed sources) so its table of half-open connections fills and legitimate clients are refused.

• Smurf: ICMP echo requests sent to a network's broadcast address with the victim's IP spoofed as the source; every host on that network answers the victim, amplifying the flood.
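To make the teardrop bullet concrete, the C code below is an added example written for this page (a paraphrase of the 1997 reassembly bug, not kernel source): the buggy copy-length computation beside a hardened one, run over a constructed pair of overlapping fragments shaped like the ones the original tool sent, a 36-byte first fragment followed by a 4-byte second fragment at offset 24, so the second lies entirely inside the first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A fragment occupies bytes [offset, end) of the reassembled datagram. */
struct frag { uint32_t offset; uint32_t end; };

/* Constructed trains. The teardrop one: second fragment (offset 24, 4 bytes)
 * ends before the first (0..36) does. The normal one is contiguous. */
static const struct frag teardrop_frags[2] = { {0, 36}, {24, 28} };
static const struct frag normal_frags[3]   = { {0, 1480}, {1480, 2960}, {2960, 3000} };

/* Paraphrase of the bug: when a fragment overlapped the tail of the previous
 * one, the reassembler moved its start up to prev.end and then used end - offset
 * as the copy length without checking that end > offset. For the train above
 * that is 28 - 36, which wraps to a huge unsigned length, and the copy that
 * followed ran off the end of the buffer. */
uint32_t teardrop_buggy_copy_len(struct frag prev, struct frag cur) {
    uint32_t offset = cur.offset;
    if (offset < prev.end) offset = prev.end;   /* trim the overlap... */
    return cur.end - offset;                     /* ...but never check end > offset */
}

/* Hardened: a fragment must be non-empty and must not overlap what is already
 * there; anything else is dropped. Returns the copy length, or -1 to reject.
 * Dropping every overlapping fragment is what RFC 5722 requires for IPv6 and
 * what Linux has done for IPv4 as well since 2018. */
int64_t safe_copy_len(struct frag prev, struct frag cur) {
    if (cur.end <= cur.offset) return -1;       /* empty or inverted range */
    if (cur.offset < prev.end) return -1;       /* overlaps the previous fragment */
    return (int64_t)(cur.end - cur.offset);
}

/* Check a whole train sorted by offset: non-empty, non-overlapping, and within
 * the 65535-byte IPv4 maximum. Returns 1 if reassembly may proceed. */
int frag_train_ok(const struct frag *f, size_t n) {
    uint32_t prev_end = 0;
    for (size_t i = 0; i < n; i++) {
        if (f[i].end <= f[i].offset || f[i].end > 65535) return 0;
        if (f[i].offset < prev_end) return 0;
        prev_end = f[i].end;
    }
    return 1;
}

int main(void) {
    printf("buggy copy length for the teardrop pair: %u bytes\n",
           (unsigned)teardrop_buggy_copy_len(teardrop_frags[0], teardrop_frags[1]));
    printf("hardened path accepts teardrop train: %d, normal train: %d\n",
           frag_train_ok(teardrop_frags, 2), frag_train_ok(normal_frags, 3));
    return 0;
}
```

The same shape of check, applied before any copy, is what separates a reassembler that merely wastes memory on hostile fragments from one that corrupts it.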

ECE 4112 - Internetwork Security 31

Denial of Service

• Tool to be used in lab: Datapool
• Customizable script able to run 106 different DoS attacks (including the ones discussed)
• Can run attacks against multiple IPs and records which attacks each target is vulnerable to
• IP spoofing is used to disguise the source of the attack

ECE 4112 - Internetwork Security 32

References: WWW

• OSI Model: RAD Data Communications
• libnet: packetfactory.net
• Raw Socket Programming: mixter.void.ru
• Paketto: www.doxpara.com/paketto
• Dsniff: naughty.monkey.org/~dugsong/dsniff

ECE 4112 - Internetwork Security 33

References: Books

• Computer Networks, Third Edition. Andrew Tanenbaum, Prentice-Hall, 1996.
• Counter Hack. Ed Skoudis, Prentice-Hall, 2002.
• TCP/IP Illustrated, Volume 1. W. Richard Stevens, Addison-Wesley, 1994.