Network Security
Professor Adeel Akram
Network Security Architecture
Lecture Outline
► Attacks, services and mechanisms
► Security attacks
► Security services
► Methods of Defense
► A model for Internetwork Security
► Internet standards and RFCs
Background
► Information Security requirements have changed in recent times
► Traditionally provided by physical and administrative mechanisms
► Computer use requires automated tools to protect files and other stored information
► Use of networks and communications links requires measures to protect data during transmission
Definitions
► Computer Security - generic name for the collection of tools designed to protect data and to prevent hackers
► Network Security - measures to protect data during their transmission
► Internet Security - measures to protect data during their transmission over a collection of interconnected networks
Our Emphasis in this Course
► Our emphasis is on internet and network security
► Consists of measures to discourage, prevent, detect, and correct security violations that involve the transmission of information
► Requirements seem straightforward, but the mechanisms used to meet them can be quite complex …
Services, Mechanisms, Attacks
► Need systematic way to define requirements
► Consider three aspects of information security: security attack, security mechanism, security service
► Consider in reverse order
Security Service
► Is something that enhances the security of the data processing systems and the information transfers of an organization
► Intended to counter security attacks
► Make use of one or more security mechanisms to provide the service
► Replicate functions normally associated with physical documents, e.g.
  – have signatures or dates
  – need protection from disclosure, tampering, or destruction
  – be notarized or witnessed
  – be recorded or licensed
Security Mechanism
► A mechanism that is designed to detect, prevent, or recover from a security attack
► No single mechanism will support all functions required
► However, one particular element underlies many of the security mechanisms in use: cryptographic techniques
► Hence our review of this area
Security Attacks
► Any action that compromises the security of information owned by an organization
► Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
► Have a wide range of attacks
► Can focus on generic types of attacks
Note: often threat & attack mean the same
Security Attacks
► Interruption: This is an attack on availability
► Interception: This is an attack on confidentiality
► Modification: This is an attack on integrity
► Fabrication: This is an attack on authenticity
Security Goals
Integrity
Confidentiality
Availability
Summary: Attacks, Services and Mechanisms
► Security Attack: Any action that compromises the security of information.
► Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
► Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
OSI Security Architecture
► ITU-T X.800 Security Architecture for OSI
► Defines a systematic way of defining and providing security requirements
► For us it provides a useful, abstract, overview of concepts we will study
Security Services
► X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers
► RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources
Security Services (X.800)
► X.800 defines security services in 5 major categories
  – Authentication - assurance that the communicating entity is the one claimed
  – Access Control - prevention of the unauthorized use of a resource
  – Data Confidentiality – protection of data from unauthorized disclosure
  – Data Integrity - assurance that data received is as sent by an authorized entity
  – Non-Repudiation - protection against denial by one of the parties in a communication
Security Services
► Confidentiality (Privacy)
► Authentication (Who created or sent the data)
► Integrity (information has not been altered)
► Non-repudiation (the order is final)
► Access control (Prevent misuse of resources)
► Availability (Permanence, non-erasure)
  – Denial of Service Attacks
  – Virus that deletes files
Security Mechanisms (X.800)
► Specific security mechanisms:
  – Encipherment: Converting data into form that is not readable
  – Digital signatures: To check authenticity and integrity of data
  – Access controls: Enforcing access rights to resources
  – Data integrity
  – Authentication exchange
  – Traffic padding: Insertion of bits to frustrate traffic analysis
  – Routing control: Selection of secure routes
  – Notarization: Use of trusted third party for data exchange
Security Mechanisms (X.800)
► Pervasive security mechanisms:
  – trusted functionality: perceived to be correct with respect to some criteria
  – security labels
  – event detection: detection of security relevant events
  – security audit trails
  – security recovery
Classify Security Attacks as
► Passive attacks - eavesdropping on, or monitoring of, transmissions to:
  – obtain message contents, or
  – monitor traffic flows
► Active attacks – modification of data stream to:
  – masquerade of one entity as some other
  – replay previous messages
  – modify messages in transit
  – denial of service
Passive Attacks: Release of Message Contents
Passive Attacks: Traffic Analysis
Active Attacks: Masquerade
Active Attacks: Replay
Active Attacks: Modification of Messages
Active Attacks: Denial of Service
Model for Network Security
► Using this model requires us to:
  1. Design a suitable algorithm for the security transformation
  2. Generate the secret information (keys) used by the algorithm
  3. Develop methods to distribute and share the secret information
  4. Specify a protocol enabling the principals to use the transformation and secret information for a security service
Model for Network Access Security
► Using this model requires us to:
  1. select appropriate gatekeeper functions to identify users
  2. implement security controls to ensure only authorised users access designated information or resources
► Trusted computer systems can be used to implement this model
Methods of Defense
► Encryption
► Software Controls (access limitations in a data base, in operating system protect each user from other users)
► Hardware Controls (smartcard)
► Policies (frequent changes of passwords)
► Physical Controls
Internet standards and RFCs
► The Internet society
  – Internet Architecture Board (IAB)
  – Internet Engineering Task Force (IETF)
  – Internet Engineering Steering Group (IESG)
Internet RFC Publication Process
Vulnerabilities in Network Protocols
Outline
► TCP/IP Layering
► Names and Addresses
► Security Considerations for
  – Address Resolution Protocol
  – Internet Protocol
  – Transmission Control Protocol
  – FTP, Telnet, SMTP
  – Web Security (Next Lecture)
► Browser Side Risks
► Server Side Risks
TCP/IP Layering
An Example
Encapsulation (figure): user data is handed to the HTTP client, which adds an HTTP hdr; TCP adds a TCP hdr; IP adds an IP hdr; the Ethernet driver adds an Eth. hdr and trailer and sends the frame on the Ethernet
Demultiplexing (figure): Ethernet driver -> ARP, RARP, IP -> ICMP, IGMP, TCP, UDP -> HTTP, DNS, FTP, SMTP, SNMP, …
  – demuxing based on frame type in the Ethernet header
  – demuxing based on the protocol id in the IP header
  – demuxing based on the port number in the TCP or UDP header
Names and Addresses
IP Addresses
► Format "A.B.C.D" where each letter is a byte
► Class A network: A.0.0.0
  – Zeroes are used to indicate that any number could be in that position
► Class B network: A.B.0.0
► Class C network: A.B.C.0
► Broadcast addresses:
  – 255.255.255.255
  – A.B.C.255
► Special case
  – 0.0.0.0 and A.B.C.0 can be either treated as a broadcast or discarded
Hardware (MAC) Addresses
► Every interface has a unique and fixed hardware address too
► Used by the data link layer
► In case of Ethernet, it is 48 bits long
► Mapping between IP addresses and MAC addresses is done by ARP
Host Names
► Human readable, hierarchical names, such as www.uettaxila.edu.pk
► Every host may have several names
► Mapping between names and IP addresses is done by the Domain Name System (DNS)
Address Resolution Protocol
ARP – Address Resolution Protocol
► Mapping from IP addresses to MAC addresses
Request / Reply (figure: hosts .1 .2 .3 .4 .5 on 192.168.0, with MACs 08:00:20:03:F6:42 and 00:00:C0:C2:9B:26)
arp req | target IP: 192.168.0.5 | target eth: ?
arp rep | sender IP: 192.168.0.5 | sender eth: 00:00:C0:C2:9B:26
ARP Spoofing
► An ARP request can be answered by another host
Request / Reply (figure: the same LAN behind a Switch; a host with MAC 00:34:CD:C2:9F:A0 answers the request meant for 192.168.0.5)
arp req | target IP: 192.168.0.5 | target eth: ?
arp rep | sender IP: 192.168.0.5 | sender eth: 00:34:CD:C2:9F:A0
ARP Spoofing
► Used for sniffing on switched LAN
(figure: Victim, Attacker and Default Router on the LAN, Outside World beyond the router)
1. Configure IP forwarding
2. Send fake ARP response to map default router’s IP to attacker’s MAC
3. Victim sends traffic based on poisoned ARP cache
4. Sniff the traffic from the link
5. Packets are forwarded from attacker’s machine to actual default router
ARP Spoofing Prevention?
► Cryptographic protection on the data is the only way
  – Do not allow any untrusted node to read the contents of your traffic
Internet Protocol
IP – Internet Protocol
► Provides an unreliable, connectionless datagram delivery service to the upper layers
► Its main function is routing
► It is implemented in both end systems and intermediate systems (routers)
► Routers maintain routing tables that define the next hop router towards a given destination (host or network)
► IP routing uses the routing table and the information in the IP header (e.g., the destination IP address) to route a packet
IP Security Problems
► User data in IP packets is not protected in any way
  – Anyone who has access to a router can read and modify the user data in the packets
► IP packets are not authenticated
  – It is fairly easy to generate an IP packet with an arbitrary source IP address
► Traffic analysis
  – Even if user data was encrypted, one could easily determine who is communicating with whom by just observing the addressing information in the IP headers
IP Security Problems
► Information exchanged between routers to maintain their routing tables is not authenticated
  – Correct routing table updates can be modified or fake ones can be disseminated
  – This may screw up routing completely, leading to loops or partitions
  – It may also facilitate eavesdropping, modification, and monitoring of traffic
  – It may cause congestion of links or routers (i.e., denial of service)
Transmission Control Protocol
TCP – Transmission Control Protocol
► Provides a connection oriented, reliable, byte stream service to the upper layers
► Connection oriented:
  – Connection establishment phase prior to data transfer
  – State information (sequence numbers, window size, etc.) is maintained at both ends
TCP - Reliability
► Positive acknowledgement scheme (unacknowledged bytes are retransmitted after a timeout)
► Checksum on both header and data
► Reordering of segments that are out of order
► Detection of duplicate segments
► Flow control (sliding window mechanism)
TCP Connection Establishment (figure)
Client -> Server: SYN_C (server is Listening)
Server -> Client: SYN_S, ACK_C (server stores the connection data and waits)
Client -> Server: ACK_S (Connected)
TCP Sequence Numbers
► TCP uses ISN (Initial Sequence Number) to order the incoming packets for a connection
► Sequence numbers are 32 bits long
► The sequence number in a data segment identifies the first byte in the segment
► Sequence numbers are initialized with a “random” value during connection setup
► The RFC suggests that the ISN is incremented by one at least every 4 µs
TCP SYN Attack
► An attacker can impersonate a trusted host (e.g., in case of r commands, authentication is based on source IP address solely)
  – This can be done by guessing the sequence number in the ongoing communication
  – The initial sequence numbers are intended to be more or less random
TCP SYN Attack
► In Berkeley implementations, the ISN is incremented by a constant amount
  – 128,000 once per second, and
  – further 64,000 each time a connection is initiated
► RFC 793 specifies that the 32-bit counter be incremented by 1 about every 4 µs
  – the ISN cycles every 4.55 hours
► Whatever! It is not hopeless to guess the next ISN to be used by a system
Launching a SYN Attack
► The attacker first establishes a valid connection with the target to know its ISN.
► Next it impersonates itself as trusted host T and sends the connection request with ISN_X
► The target sends the ACK with its ISN_S to the trusted host T
► The attacker after the expected time sends the ACK with predicted ISN_S’
Launching a SYN Attack (figure: attacker, server, trusted host T)
attacker -> server: SYN = ISN_X, SRC_IP = T
server -> T: SYN = ISN_S, ACK(ISN_X)
attacker -> server: ACK(ISN_S), SRC_IP = T
attacker -> server: SRC_IP = T, nasty_data
What about the ACK for T?
► If the ACK is received by the trusted host T
  – It will reject it, as no request for a connection was made by it
  – RST will be sent and the server drops the connection
BUT!!!
► The attacker can either launch this attack when T is down
► Or launch some sort of DoS attack on T
  – So that it can’t reply
TCP SYN Attack – How to Guess ISN_S?
► ISN_S’ (Attacker’s ISN) depends on ISN_S and t
  – t can be estimated from the round trip time
  – Assume t can be estimated with 10 ms precision
(figure: attacker and server, with time t elapsing between the two handshakes)
attacker -> server: SYN = ISN_X
server -> attacker: SYN = ISN_S, ACK(ISN_X)
attacker -> server: SYN = ISN_X’, SRC_IP = T
server -> T: SYN = ISN_S’, ACK(ISN_X)
attacker -> server: ACK(ISN_S’), SRC_IP = T
TCP SYN Attack – How to Guess ISN_S?
► Attacker has an uncertainty of 1280 in the possible value for ISN_S’
► Assume each trial takes 5 s
► The attacker has a reasonable likelihood of succeeding in 6400 s and a near-certainty within one day!
How to Prevent it?
► Can be prevented by properly configuring the firewall
  – Do not allow any communication from outside using the address of some internal network
TCP SYN Flood
► Attacker’s goal is to overwhelm the destination machine with SYN packets with spoofed IP
► This results in:
  – The server’s connection queue filling up causing DoS Attack
  – Or even if queue is large enough, all ports will be busy and the service could not be provided by the server
(figure: client C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5 to server S, which is Listening and stores data for each half-open connection)
How to Avoid TCP SYN Flood
► Decrease the wait time for half open connection
► Do not store the connection information
► Use SYN cookies as sequence numbers during connection setup
► SYN cookie is some function applied on Dest IP, Source IP, Port numbers, Time and a secret number
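As an added example (not from the lecture or any particular TCP stack), a SYN cookie built exactly from the inputs the slide lists: destination IP, source IP, both ports, a coarse time counter and a server secret, so the server keeps no state for half-open connections and validates the client's final ACK by recomputing the cookie. The 5/3/24-bit layout, the MSS table, the 64-second counter and the secret are this example's own assumptions.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed secret for this example only"  # a real server would rotate this

# Layout of the 32-bit cookie used here (an assumption of this example):
#   bits 31..27  5-bit time counter (64 s granularity, wraps every 2048 s)
#   bits 26..24  3-bit index into MSS_TABLE (the one SYN option worth remembering)
#   bits 23..0   24-bit keyed hash over the 4-tuple and the counter
TIME_BITS, MSS_BITS, HASH_BITS = 5, 3, 24
MSS_TABLE = (536, 1300, 1440, 1460, 2100, 4312, 8960)  # 7 entries fit in 3 bits
COUNTER_PERIOD = 64  # seconds per tick of the time counter


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def _keyed_hash(src_ip, dst_ip, sport, dport, count, secret) -> int:
    """24-bit HMAC over (source IP, destination IP, ports, time counter)."""
    msg = struct.pack("!4s4sHHB", _ip_bytes(src_ip), _ip_bytes(dst_ip), sport, dport, count)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _counter(now: int) -> int:
    return (now // COUNTER_PERIOD) & ((1 << TIME_BITS) - 1)


def make_cookie(src_ip, dst_ip, sport, dport, mss, now, secret=SECRET) -> int:
    """ISN the server puts in its SYN/ACK; nothing is stored per connection."""
    count = _counter(now)
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss) if mss >= MSS_TABLE[0] else 0
    h = _keyed_hash(src_ip, dst_ip, sport, dport, count, secret)
    return (count << (MSS_BITS + HASH_BITS)) | (mss_idx << HASH_BITS) | h


def check_cookie(cookie, src_ip, dst_ip, sport, dport, now, max_age=128, secret=SECRET):
    """Return the MSS encoded in a valid, unexpired cookie, else None."""
    count = cookie >> (MSS_BITS + HASH_BITS)
    mss_idx = (cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    if (cookie & ((1 << HASH_BITS) - 1)) != _keyed_hash(src_ip, dst_ip, sport, dport, count, secret):
        return None                      # forged, or not issued with this secret
    age_ticks = (_counter(now) - count) & ((1 << TIME_BITS) - 1)
    if age_ticks > max_age // COUNTER_PERIOD:
        return None                      # too old: counter moved on (or wrapped)
    return MSS_TABLE[mss_idx]


def handle_ack(src_ip, dst_ip, sport, dport, ack_number, now, secret=SECRET):
    """Third handshake packet: the client acknowledges ISN+1, so ISN = ack-1."""
    return check_cookie((ack_number - 1) & 0xFFFFFFFF, src_ip, dst_ip, sport, dport,
                        now, secret=secret)


if __name__ == "__main__":
    isn = make_cookie("192.168.0.7", "192.168.0.5", 40000, 80, 1460, now=1000)
    print(f"SYN/ACK carries ISN 0x{isn:08x}")
    print("valid ACK  ->", handle_ack("192.168.0.7", "192.168.0.5", 40000, 80, isn + 1, 1005))
    print("late ACK   ->", handle_ack("192.168.0.7", "192.168.0.5", 40000, 80, isn + 1, 1256))
```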
TCP Congestion Control
• If packets are lost, assume congestion
  – Reduce transmission rate by half, repeat
  – If loss stops, increase rate very slowly
• Design assumes routers blindly obey this policy
(figure: Source, Destination)
TCP Congestion Control - Competition
• Friendly source A gives way to overexcited source B
  – Both senders experience packet loss
  – Source A backs off
  – Source B disobeys protocol, gets better results!
(figure: Source A and Source B sharing the path to their Destinations)
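An added example, not from the lecture, that simulates the competition described above: two senders share one bottleneck, source A halves its rate on loss while source B keeps going, and the share of the delivered traffic each one ends up with is returned. The round-based model, the capacity of 100 units and the starting rates are constructed for this example.

```python
def simulate(rounds, capacity, a_rate, b_rate, b_obeys):
    """Two senders share one bottleneck of `capacity` units per round.
    When their combined demand exceeds it, the bottleneck delivers each
    sender's traffic pro rata and both of them see loss.  Source A always
    halves on loss and adds one unit per loss-free round (the policy on
    the slide); source B does the same only if b_obeys, otherwise it keeps
    increasing and never backs off.
    Returns (delivered_by_a, delivered_by_b, rounds_with_loss)."""
    a_total = b_total = 0.0
    loss_rounds = 0
    for _ in range(rounds):
        demand = a_rate + b_rate
        if demand > capacity:
            loss_rounds += 1
            a_total += a_rate * capacity / demand   # pro-rata share of what gets through
            b_total += b_rate * capacity / demand
            a_rate = max(1.0, a_rate / 2)           # multiplicative decrease
            if b_obeys:
                b_rate = max(1.0, b_rate / 2)
        else:
            a_total += a_rate
            b_total += b_rate
            a_rate += 1                              # slow, additive increase
            b_rate += 1
    return a_total, b_total, loss_rounds


def shares(rounds=1000, capacity=100, b_obeys=True):
    """Fraction of delivered traffic that belonged to A and to B."""
    a, b, _ = simulate(rounds, capacity, 10.0, 10.0, b_obeys)
    return a / (a + b), b / (a + b)


if __name__ == "__main__":
    print("both obey   :", shares(b_obeys=True))
    print("B disobeys  :", shares(b_obeys=False))
```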
DoS - Denial of Service Attacks
► Attempts to prevent the victim from being able to establish connections
► Accomplished by involving the victim in heavy processing
  – like sending the TCP SYN packets to all ports of the victim and avoiding new connection establishment
► DoS attacks are much easier to accomplish than gaining administrative access
Exploiting Ping Command for Smurf DoS Attack
• Send ping request to subnet-directed broadcast address with spoofed IP (ICMP Echo Request)
• Lots of responses:
  – Every host on target network generates a ping reply (ICMP Echo Reply) to victim
  – Ping reply stream can overload victim
(figure: DoS Source, gateway, DoS Target)
1. ICMP Echo Req, Src: DoS Target, Dest: brdct addr
3. ICMP Echo Reply, Dest: DoS Target
Smurf DoS Attack Prevention
► Have adequate bandwidth and redundant paths
► Filter ICMP messages to reject external packets to broadcast address
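The two border rules the slides recommend, the anti-spoofing rule under "How to Prevent it?" and the ICMP-to-broadcast rule above, as an added example that is not from the lecture; it also implements the classful A.B.C.D parsing from the IP Addresses slide, including the all-zeros special case. The interface names, the internal network 192.168.0.0 and the sample packets are constructed for this example.

```python
def parse_ipv4(text: str) -> tuple:
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    vals = tuple(int(o) for o in octets)
    if any(not 0 <= v <= 255 for v in vals):
        raise ValueError(f"octet out of range: {text!r}")
    return vals


def fmt(addr: tuple) -> str:
    return ".".join(str(o) for o in addr)


def classful_prefix_len(addr: tuple):
    """Class A/B/C network size from the first octet; None for class D/E."""
    first = addr[0]
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    return None


def network_and_broadcast(text: str):
    """('A.0.0.0', 'A.255.255.255')-style pair for the address's classful
    network, or None for class D/E addresses that have no such network."""
    addr = parse_ipv4(text)
    plen = classful_prefix_len(addr)
    if plen is None:
        return None
    n = plen // 8
    return fmt(addr[:n] + (0,) * (4 - n)), fmt(addr[:n] + (255,) * (4 - n))


def in_network(text: str, net_text: str) -> bool:
    addr, net = parse_ipv4(text), parse_ipv4(net_text)
    plen = classful_prefix_len(net)
    return plen is not None and addr[: plen // 8] == net[: plen // 8]


def is_broadcast(text: str, internal_nets, zeros_as_broadcast=True) -> bool:
    """Limited broadcast, the A.B.C.255-style directed broadcast of any
    internal network and, per the slide's special case, the all-zeros forms."""
    if text == "255.255.255.255" or (zeros_as_broadcast and text == "0.0.0.0"):
        return True
    for net in internal_nets:
        pair = network_and_broadcast(net)
        if pair is None:
            continue
        net_addr, bcast = pair
        if text == bcast or (zeros_as_broadcast and text == net_addr):
            return True
    return False


def filter_packet(pkt: dict, internal_nets, zeros_as_broadcast=True):
    """Border rules: (1) nothing from outside may carry an internal source
    address; (2) no ICMP from outside may be addressed to a broadcast."""
    if pkt["ingress"] != "outside":
        return "accept", "not from the outside interface"
    if any(in_network(pkt["src"], net) for net in internal_nets):
        return "drop", f"spoofed internal source {pkt['src']}"
    if pkt["proto"] == "icmp" and is_broadcast(pkt["dst"], internal_nets, zeros_as_broadcast):
        return "drop", f"ICMP to broadcast address {pkt['dst']}"
    return "accept", "no rule matched"


INTERNAL_NETS = ["192.168.0.0"]  # class C by its first octet; constructed for this example
SAMPLE_PACKETS = [  # constructed; 10.9.9.9 stands in for an outside host
    {"ingress": "outside", "proto": "icmp", "src": "10.9.9.9", "dst": "192.168.0.255"},
    {"ingress": "outside", "proto": "tcp", "src": "192.168.0.7", "dst": "192.168.0.5"},
    {"ingress": "outside", "proto": "icmp", "src": "10.9.9.9", "dst": "192.168.0.5"},
    {"ingress": "inside", "proto": "icmp", "src": "192.168.0.3", "dst": "192.168.0.255"},
    {"ingress": "outside", "proto": "icmp", "src": "10.9.9.9", "dst": "255.255.255.255"},
    {"ingress": "outside", "proto": "icmp", "src": "10.9.9.9", "dst": "192.168.0.0"},
]


def run_demo() -> list:
    return [filter_packet(p, INTERNAL_NETS)[0] for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["src"], "->", pkt["dst"], filter_packet(pkt, INTERNAL_NETS))
```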
FTP – File Transfer Protocol
(figure: on the client, the user works through a user interface that drives a protocol interpreter and a data transfer function attached to the file system; the server has its own protocol interpreter, data transfer function and file system; the two protocol interpreters share the control connection (FTP commands and replies) and the two data transfer functions share the data connection)
FTP – File Transfer Protocol
► Typical FTP commands:
  – RETR filename – retrieve (get) a file from the server
  – STOR filename – store (put) a file on the server
  – TYPE type – specify file type (e.g., A for ASCII)
  – USER username – username on server
  – PASS password – password on server
► FTP is a text (ASCII) based protocol
…
FTP – File Transfer Protocol
What the user sees on the client:
% ftp www.uettaxila.edu.pk
Connected to www.uettaxila.edu.pk
Name: abc
Password: pswd
What passes between client and server:
<TCP connection setup to port 21 of www.uettaxila.edu.pk>
server: “220 www.uettaxila.edu.pk FTP server (version 5.60) ready.”
client: “USER abc”
server: “331 Password required for user abc.”
client: “PASS pswd”
server: “230 User abc logged in.”
Problems with FTP
► FTP information exchange is in clear text
  – The attacker can easily eavesdrop and get the secret information
  – The attacker can also know the software version of FTP running to exploit the vulnerabilities of that particular version
FTP Bounce Scans
► FTP has a feature to open connection with victim machine on the request from attacker machine
► Machine A (Attacker) can request to check for the open ports on the target machine X (Victim)
► Newer version of FTP does not support this forwarding feature
(figure: Attacker holds the FTP control connection to the FTP Server, which opens the connections to the Victim to be scanned)
Telnet
► Provides remote login service to users
► Works between hosts that use different operating systems
► Uses option negotiation between client and server to determine what features are supported by both ends
TelnetTelnet
Telnet clientTelnet clientTelnet serverTelnet server
terminaldriver
terminaldriver TCP/IPTCP/IP pseudo-
terminaldriver
pseudo-terminaldriver
TCP/IPTCP/IP
login shelllogin shell
user
kernel kernel
TCP connection
Telnet Session Example
► Single character at a time

Telnet Example
% telnet ahost.com.pk
Connected to ahost.com.pk
Escape character is ‘^]’.
Login: student
Password: cab123
…

What goes over the wire (client ↔ server), one keystroke per segment:
<TCP connection setup to port 23 of ahost.com.pk>
<Telnet option negotiation>
server: “UNIX(r) System V Release 4.0”
server: “Login:”
client: “s”   (display shows “Login: s”)
client: “t”   (display shows “Login: st”)
…
client: “t”   (display shows “Login: student”)
server: “Password:”
client: “c”   (display shows “Password: c”)
…
client: “3”   (display shows “Password: cab123”)
server: <OS greetings and shell prompt, e.g., “%”>
…
Problems with Telnet
► Information exchange is in clear text
  The attacker can easily eavesdrop and get information like usernames and passwords; because Telnet sends one character per segment, the attacker only has to reassemble the client’s byte stream
  The attacker can also learn the operating system and version from the login banner and exploit the vulnerabilities of that particular version
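As an added example (not code from the lecture), the sniffer below recovers credentials and the server banner from both dialogues above, given a passive capture of TCP payloads. The captures are constructed here to mirror the slides; a real tap would take the payloads from a pcap. The FTP case is line based, while the Telnet case has to strip option negotiation and reassemble one keystroke per segment before it can split on end of line.

```python
"""Passive credential recovery from cleartext FTP and Telnet sessions.

Added example, not from the lecture.  Both captures below are constructed
to mirror the slides' dialogues; a real tap would take the payloads from a
pcap (tshark/scapy), which is out of scope here.  Only the ordering and
direction of TCP payloads matter to the code.
"""
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop Telnet option negotiation (IAC sequences), keep user data."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):          # dangling IAC at end of capture
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                      # IAC <cmd> <option>
        elif cmd == SB:                 # IAC SB ... IAC SE (sub-negotiation)
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                      # any other two-byte command
    return bytes(out)


def _stream(segments, direction):
    return b"".join(payload for d, payload in segments if d == direction)


def sniff_ftp(segments):
    """FTP is line based: USER/PASS sit in single client segments and the
    220 banner leaks the server software version."""
    s2c = _stream(segments, "s2c").decode("ascii", "replace")
    c2s = _stream(segments, "c2s").decode("ascii", "replace")
    found = {"banner": None, "user": None, "password": None}
    m = re.search(r"^220[ -](.*)$", s2c, re.M)
    if m:
        found["banner"] = m.group(1).strip()
    for line in c2s.splitlines():
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            found["user"] = arg
        elif verb.upper() == "PASS":
            found["password"] = arg
    return found


def sniff_telnet(segments):
    """Telnet sends one keystroke per segment, so the credentials are only
    visible after reassembling the client->server byte stream and splitting
    on end-of-line (CR LF, or CR NUL in character mode)."""
    c2s = strip_telnet_negotiation(_stream(segments, "c2s"))
    s2c = strip_telnet_negotiation(_stream(segments, "s2c"))
    lines = [p.decode("ascii", "replace") for p in re.split(rb"\r\n|\r\x00", c2s)]
    banner = s2c.decode("ascii", "replace").split("\r\n")[0]
    return {"banner": banner,
            "user": lines[0] if lines else None,
            "password": lines[1] if len(lines) > 1 else None}


# Constructed capture of the FTP dialogue from the slide (direction, payload).
FTP_CAPTURE = [
    ("s2c", b"220 www.uettaxila.edu.pk FTP server (version 5.60) ready.\r\n"),
    ("c2s", b"USER abc\r\n"),
    ("s2c", b"331 Password required for user abc.\r\n"),
    ("c2s", b"PASS pswd\r\n"),
    ("s2c", b"230 User abc logged in.\r\n"),
]

# Constructed capture of the Telnet dialogue: a little option negotiation,
# the banner, then one client segment per keystroke (the server echoes the
# login characters, which is why only the client direction is trusted).
TELNET_CAPTURE = (
    [("s2c", bytes([IAC, DO, 0x18])), ("c2s", bytes([IAC, WONT, 0x18])),
     ("s2c", b"UNIX(r) System V Release 4.0\r\nLogin: ")]
    + [seg for ch in "student" for seg in (("c2s", ch.encode()), ("s2c", ch.encode()))]
    + [("c2s", b"\r\n"), ("s2c", b"\r\nPassword: ")]
    + [("c2s", ch.encode()) for ch in "cab123"]
    + [("c2s", b"\r\n"), ("s2c", b"\r\n% ")]
)

if __name__ == "__main__":
    print(sniff_ftp(FTP_CAPTURE))
    print(sniff_telnet(TELNET_CAPTURE))
```

The same reassembly is what makes an IDS signature on a single Telnet packet useless: no packet ever contains the whole password, only the reconstructed stream does.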
SMTP – Simple Mail Transfer Protocol
Diagram: on the sending host, user → user agent → local MTA (spool of mails to be sent); the local MTA opens a TCP connection to port 25 and hands the message over SMTP to one or more relay MTAs; on the receiving host the local MTA delivers into the user mailbox, which the user reads through a user agent; every MTA-to-MTA hop uses SMTP
SMTP
► SMTP is a text (ASCII) based protocol
► MTA transfers mail from the user to the destination server
► MTA relays are used to relay the mail from other clients
► MTAs use SMTP to talk to each other
► All the messages are spooled before sending
©Copyright 2004. Amir Qayyum. All rights reserved
SMTP Message Flow (sending MTA mail.uettaxila.edu.pk ↔ receiving MTA smtp.yahoo.com)
<TCP connection establishment to port 25>
sending MTA: “HELO mail.uettaxila.edu.pk.”
receiving MTA: “250 smtp.yahoo.com Hello mail.uettaxila.edu.pk., pleased to meet you”
sending MTA: “MAIL from: [email protected]”
receiving MTA: “250 [email protected]... Sender ok”
sending MTA: “RCPT to: [email protected]”
receiving MTA: “250 student2@yahoo… Recipient ok”
sending MTA: “DATA”
receiving MTA: “354 Enter mail, end with a “.” on a line by itself”
sending MTA: <message to be sent>, then a line containing only “.”
receiving MTA: “250 Mail accepted”
sending MTA: “QUIT”
receiving MTA: “221 smtp.yahoo.com delivering mail”
SMTP Security Problems
► Designed in an era where internet security was not much of an issue
  No security at the base protocol
► Designed around the idea of “cooperation” and “trust” between servers
  Susceptible to DoS attacks
► Simply flood a mail server with SMTP connections or SMTP instructions.

SMTP Security Problems
► SMTP does not provide any protection of e-mail messages
  Does not ask the sender to authenticate itself.
  Messages can be read and modified by any of the MTAs involved
  Fake messages can easily be generated (e-mail forgery)
  Does not check what and from whom it is relaying the message
SMTP Security Problems Example
% telnet frogstar.hit.com.pk 25
Trying...
Connected to frogstar.hit.com.pk.
Escape character is ‘^]’.
220 frogstar.hit.com.pk ESMTP Sendmail 8.11.6/8.11.6; Mon, 10 Feb 2003 14:23:21 +0100
helo abcd.com.pk
250 frogstar.hit.com.pk Hello [152.66.249.32], pleased to meet you
mail from: [email protected]
250 2.1.0 [email protected]... Sender ok
rcpt to: [email protected]
250 2.1.5 [email protected]... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Your fake message goes here.
.
250 2.0.0 h1ADO5e21330 Message accepted for delivery
quit
221 frogstar.hit.com.pk closing connection
Connection closed by foreign host.
%
Be Careful, Though!
Return-Path: <[email protected]>
Received: from frogstar.hit.com.pk ([email protected] [152.66.248.44])
	by mail.ebizlab.hit.com.pk (8.12.7/8.12.7/Debian-2) with ESMTP id h1ADSsxG022719
	for <[email protected]>; Mon, 10 Feb 2003 14:28:54 +0100
Received: from abcd.com.pk ([152.66.249.32])
	by frogstar.hit.com.pk (8.11.6/8.11.6) with SMTP id h1ADO5e21330
	for [email protected]; Mon, 10 Feb 2003 14:25:41 +0100
Date: Mon, 10 Feb 2003 14:25:41 +0100
From: [email protected]: <[email protected]>
To: undisclosed-recipients:;
X-Virus-Scanned: by amavis-dc
Status:

Your fake message goes here.
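The Received: lines are the part of a forged message the sender does not control: each MTA prepends one recording the peer address it actually accepted the message from. The following is an added example, not code from the lecture, that walks that chain top-down through the MTAs of a trusted domain and reports the hop where the message entered them. The message is constructed after the slide’s headers; the mailbox names (student@…, victim@…) are assumed, since the slide does not show them.

```python
"""Reading the Received: chain of a forged message.

Added example, not from the lecture.  SMTP believes whatever MAIL FROM and
From: say, but every MTA prepends a Received: line recording the peer it
really accepted the message from, so the hops added by MTAs you trust can
be walked back to the point where the message entered them.  The message
below is constructed after the slide's example; mailbox names are assumed.
"""
import re
from email import message_from_string

# Constructed headers modelled on the slide (student@... and victim@... are assumed).
SAMPLE = """\
Return-Path: <student@frogstar.hit.com.pk>
Received: from frogstar.hit.com.pk (frogstar.hit.com.pk [152.66.248.44])
\tby mail.ebizlab.hit.com.pk (8.12.7/8.12.7/Debian-2) with ESMTP id h1ADSsxG022719
\tfor <victim@mail.ebizlab.hit.com.pk>; Mon, 10 Feb 2003 14:28:54 +0100
Received: from abcd.com.pk ([152.66.249.32])
\tby frogstar.hit.com.pk (8.11.6/8.11.6) with SMTP id h1ADO5e21330
\tfor victim@mail.ebizlab.hit.com.pk; Mon, 10 Feb 2003 14:25:41 +0100
Date: Mon, 10 Feb 2003 14:25:41 +0100
From: student@frogstar.hit.com.pk
To: undisclosed-recipients:;

Your fake message goes here.
"""


def parse_received(value: str) -> dict:
    """Pull the fields a forensic reader cares about out of one Received: header."""
    flat = " ".join(value.split())          # unfold continuation lines

    def grab(pattern):
        m = re.search(pattern, flat)
        return m.group(1) if m else None

    return {
        "helo": grab(r"^from\s+(\S+)"),                    # name the sender claimed
        "rdns": grab(r"^from\s+\S+\s+\(([\w.-]+)\s+\["),   # reverse DNS, if logged
        "ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"),      # peer address the MTA saw
        "by": grab(r"\bby\s+(\S+)"),
        "proto": grab(r"\bwith\s+(\S+)"),
        "id": grab(r"\bid\s+([^\s;]+)"),
    }


def in_domain(host, domain):
    return bool(host) and (host == domain or host.endswith("." + domain))


def trace_origin(raw: str, trusted_domain: str) -> dict:
    """Walk Received: headers top-down (newest first) through the MTAs in
    `trusted_domain`; the first hop handed in by an outside host is the origin.
    Everything below that hop was written by the sender and cannot be trusted."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    claimed = msg.get("From", "")
    claimed_domain = claimed.rsplit("@", 1)[-1].strip("<> ")
    for hop in hops:
        if not in_domain(hop["by"], trusted_domain):
            break                           # left our infrastructure: stop trusting
        sender = hop["rdns"] or hop["helo"]
        if not in_domain(sender, trusted_domain):
            flags = []
            if not in_domain(hop["helo"], claimed_domain):
                flags.append("helo does not match From: domain")
            if hop["proto"] and hop["proto"].upper() == "SMTP":
                flags.append("plain SMTP (no EHLO): not a typical MTA")
            return {"claimed_from": claimed, "origin_ip": hop["ip"],
                    "origin_helo": hop["helo"], "entry_mta": hop["by"],
                    "flags": flags}
    return {"claimed_from": claimed, "origin_ip": None, "origin_helo": None,
            "entry_mta": None, "flags": ["no untrusted hop found"]}


if __name__ == "__main__":
    print(trace_origin(SAMPLE, "hit.com.pk"))
```

For the slide’s message this points at 152.66.249.32, which announced itself as abcd.com.pk and spoke plain SMTP (HELO rather than EHLO), while the From: line claims frogstar.hit.com.pk: the signature of someone typing at a telnet prompt. Only hops added by MTAs you operate are worth anything; anything below them is as forgeable as the From: line.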
Domain Name System
DNS – Domain Name System
► The DNS is a distributed database that provides mapping between hostnames and IP addresses
► The DNS name space is hierarchical
  Top level domains gTLDs: com, edu, gov, int, mil, net, org, ccTLDs like ae, …, pk, … zw
  Top level domains may contain second level domains, e.g., edu within pk, co within uk, …
  Second level domains may contain third level domains, etc.
Domain Name Server
► Usually (not always) a name server knows the IP address of the top level name servers
► If a domain contains sub-domains, then the name server knows the IP address of the sub-domain name servers
► When a new host is added to a domain, the administrator adds the (hostname, IP address) mapping to the database of the local name server
DNS – Domain Name System
► A single DNS reply may include several (hostname, IP address) mappings (Resource Records)
► Received information is cached by the name server
Diagram (iterative resolution of “authority.uettaxila.edu.pk = ?”):
application → local name server: authority.uettaxila.edu.pk = ?
local name server → top level name server: same query; referral back: IP of ns in pk
local name server → name server in pk: same query; referral back: IP of ns in edu.pk
local name server → name server in edu.pk: same query; referral back: IP of ns in uettaxila.edu.pk
local name server → name server in uettaxila.edu.pk: same query; answer: 202.83.173.61
local name server → application: 202.83.173.61 (and the answer plus the referrals are cached)
DNS spoofing
► The cache of a DNS name server is poisoned with false information
► How to do it? Assume that the attacker wants www.anything.com.pk to map to his own IP address 202.83.173.59
DNS Spoofing - Approach 1
► Attacker submits a DNS query “www.anything.com.pk=?” to ns.victim.com.pk
► A bit later it forges a DNS reply “www.anything.com.pk=202.83.173.59”, with the source address of the name server that ns.victim.com.pk has asked
► UDP makes forging easier (no handshake, so the source address is trivially spoofed) but the attacker must still predict the 16-bit query ID (and, on a resolver that randomizes it, the UDP source port) and get the forged reply in before the genuine one arrives
DNS Spoofing – Approach 2
► Attacker has access to ns.attacker.com.pk
  The attacker modifies its local name server such that it responds to a query “www.attacker.com.pk=?” with “www.anything.com.pk=202.83.173.59” as an extra record in the answer
  The attacker then submits a query “www.attacker.com.pk=?” to ns.victim.com.pk
  ns.victim.com.pk sends the query “www.attacker.com.pk=?” to ns.attacker.com.pk
  ns.attacker.com.pk responds with “www.anything.com.pk=202.83.173.59”; no query ID has to be guessed, because the attacker’s server sees the real one
  ns.victim.com.pk caches the record unless it checks that every record in a reply lies within the zone (the “bailiwick”) that the answering server was asked about
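The two approaches fail against two different resolver checks, which is easiest to see by running them against a resolver that can be configured with or without each check. The following is an added example, not code from the lecture: a toy resolver that models only transaction ID, UDP source port, matching against the outstanding question, and the bailiwick rule; nothing is sent on the network, and the names and addresses are the slides’ illustrative ones.

```python
"""The two cache-poisoning approaches from the slides, against a toy resolver
that can be run with and without the two checks that defeat them.

Added example, not from the lecture.  Nothing is sent on the network: the
"resolver" models only what matters for spoofing (transaction ID, UDP
source port, matching the outstanding question, and the bailiwick rule).
Names and addresses are the slides' illustrative ones.
"""
import random


def in_bailiwick(name: str, zone: str) -> bool:
    """A server asked about `zone` may only vouch for names inside it."""
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self, random_port=False, bailiwick=False, seed=1):
        self.rng = random.Random(seed)
        self.random_port = random_port   # randomize UDP source port per query
        self.bailiwick = bailiwick       # drop out-of-zone records from replies
        self.pending = {}                # qname -> (txid, sport, zone asked)
        self.cache = {}                  # name -> ip

    def send_query(self, qname: str, zone: str):
        """Send qname to the server authoritative for `zone`; return (txid, sport)."""
        txid = self.rng.randrange(1 << 16)               # 16-bit ID, as in the DNS header
        sport = self.rng.randrange(1024, 1 << 16) if self.random_port else 53
        self.pending[qname] = (txid, sport, zone)
        return txid, sport

    def receive(self, qname: str, txid: int, dport: int, records: dict) -> bool:
        """Handle a reply; return True only if something was cached from it."""
        if qname not in self.pending:
            return False                                  # nothing outstanding
        exp_txid, exp_port, zone = self.pending[qname]
        if txid != exp_txid or dport != exp_port:
            return False                                  # forged reply fails to match
        del self.pending[qname]
        cached = False
        for name, ip in records.items():
            if self.bailiwick and not in_bailiwick(name, zone):
                continue                                  # approach 2 is stopped here
            self.cache[name] = ip
            cached = True
        return cached


TARGET = "www.anything.com.pk"
ATTACKER_IP = "202.83.173.59"


def approach1(resolver: Resolver, guesses) -> bool:
    """Blind forgery: after the resolver has been made to ask for TARGET,
    spray replies with guessed (txid, port) pairs.  In reality the forged
    replies must also beat the genuine one; that race is not modelled."""
    resolver.send_query(TARGET, "anything.com.pk")
    for txid, port in guesses:
        if resolver.receive(TARGET, txid, port, {TARGET: ATTACKER_IP}):
            return True
    return False


def approach2(resolver: Resolver):
    """The attacker's own name server answers a legitimate query for
    www.attacker.com.pk and smuggles in a record for TARGET.  It sees the real
    txid and port, so only the bailiwick check can stop it."""
    txid, sport = resolver.send_query("www.attacker.com.pk", "attacker.com.pk")
    resolver.receive("www.attacker.com.pk", txid, sport,
                     {"www.attacker.com.pk": ATTACKER_IP, TARGET: ATTACKER_IP})
    return resolver.cache.get(TARGET)


def all_txids_on_port_53():
    """The whole 2^16 ID space: cheap to spray if the port is known."""
    return ((t, 53) for t in range(1 << 16))


if __name__ == "__main__":
    print(approach1(Resolver(), all_txids_on_port_53()))                    # True
    print(approach1(Resolver(random_port=True), all_txids_on_port_53()))    # False
    print(approach2(Resolver()))                                            # 202.83.173.59
    print(approach2(Resolver(bailiwick=True)))                              # None
```

With a fixed source port the attacker’s search space is the 16-bit ID alone, which the spray covers in full; randomizing the port multiplies it by roughly 2^16. The bailiwick check is independent of both, which is why approach 2 needs it and nothing else helps.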
Questions?
[email protected]