tcpip - University of Wisconsin–Madison (pages.cs.wisc.edu/~ace/media/lectures/tcpip.pdf)
802.11 (WiFi)
http://technet.microsoft.com/en-us/library/cc757419(WS.10).aspx
STA = station, AP = access point
BSS = basic service set, DS = distribution service, ESS = extended service set
SSID (service set identifier) identifies the 802.11 network
Typical WiFi modes: Unsecured; Wireless Protected Access (WPA2) - password authenticated, encrypted
802.11 association
[Diagram: message exchange between a client and an AP]
  Client → AP: Probe request
  AP → Client: SSID: "linksys", BSSID: MAC1
  Client → AP: Auth request (to MAC1)
  AP → Client: Auth response
  Client → AP: Associate request (to MAC1)
  AP → Client: Associate response

802.11 association: two APs for the same network (AP1, AP2)
[Diagram: client, AP1 (MAC1) and AP2 (MAC2)]
  Client: Probe request
  AP1: SSID: "linksys", BSSID: MAC1
  AP2: SSID: "linksys", BSSID: MAC2
  Client chooses one of MAC1, MAC2
  Client: Auth request (to MAC2)
  …
802.11 evil twins
Basic idea:
- Attacker pretends to be an AP to intercept traffic or collect data
Basic attack: rogue AP
[Diagram: client, legitimate AP1 (MAC1) and evil twin (MAC2)]
  Client: Probe request
  AP1: SSID: "linksys", BSSID: MAC1
  Evil twin: SSID: "linksys", BSSID: MAC2
  Client chooses one of MAC1, MAC2
  Client: Auth request (to MAC2)
  …
What if client chooses MAC1? Attacker may try to send a forged reset message and force re-connect
Parrot AR drone
• Drone is a WiFi access point
• Uses unsecured 802.11 connection (WiFi)
• Controlled from iPad or iPhone with an app
• Uses MAC address for security
Internet protocol stack
[Diagram: encapsulation down the stack]
  Application: user data → Appl hdr | user data
  TCP: TCP hdr | Appl hdr | user data (TCP segment)
  IP: IP hdr | TCP hdr | Appl hdr | user data (IP datagram)
  Ethernet: ENet hdr | IP hdr | TCP hdr | Appl hdr | user data | ENet tlr (Ethernet frame)
  Header sizes: ENet hdr 14 bytes, IP hdr 20 bytes, TCP hdr 20 bytes; Ethernet frame payload 46 to 1500 bytes
IP protocol (IPv4)
• Connectionless – no state
• Unreliable – no guarantees
• ICMP (Internet Control Message Protocol) – often used by tools such as ping, traceroute
IPv4
[Diagram: Ethernet frame containing IP datagram: ENet hdr | IP hdr | data | ENet tlr]
IP hdr fields:
  4-bit version
  4-bit hdr len
  8-bit type of service
  16-bit total length (in bytes)
  16-bit identification
  3-bit flags
  13-bit fragmentation offset
  8-bit time to live (TTL)
  8-bit protocol
  16-bit header checksum
  32-bit source IP address
  32-bit destination IP address
  options (optional)
Security issues with IP
[Diagram: hosts 1.2.3.4 (ISP1) and 5.6.7.8 (ISP2) connected through the backbone]
Routing has issues, we'll get to that later
What else?
- No source address authentication in general
Denial of Service (DoS) attacks
[Diagram: attacker 5.6.7.8 (ISP2), victim 1.2.3.4 (ISP1), backbone]
Goal is to prevent legitimate users from accessing victim (1.2.3.4)
ICMP ping flood
- Attacker sends ICMP pings as fast as possible to victim
- When will this work as a DoS? Attacker resources > victim's
- How can this be prevented? Ingress filtering near victim
(think-pair-share)
Denial of Service (DoS) attacks
[Diagram: attacker 5.6.7.8 (ISP2), victim 1.2.3.4 (ISP1), third host 8.7.3.4 (ISP3), backbone]
How can attacker avoid ingress filtering?
Attacker can send packet with fake source IP (packet spoofing)
- Packet will get routed correctly
- Replies will not
Send IP packet with source: 8.7.3.4, dest: 1.2.3.4 from 5.6.7.8
Filter based on source may be incorrect
DoS reflection attacks
[Diagram: 5.6.7.8 sends an echo request to 8.7.3.4; 8.7.3.4 sends the echo reply to 1.2.3.4]
Note: echo request, DEST IP = 8.7.3.4, SRC IP = 1.2.3.4
- Attacker can bounce an attack against 1.2.3.4 off 8.7.3.4
- Avoids source filtering
Denial of Service (DoS) attacks
[Diagram: attacker 5.6.7.8 (ISP2), victim 1.2.3.4 (ISP1), backbone]
DoS works best when there is asymmetry between victim and attacker
- Attacker uses few resources to cause victim to consume lots of resources
DoS Amplification
[Diagram: short DNS request from 5.6.7.8 to 8.7.3.4; longer DNS reply from 8.7.3.4 to 1.2.3.4]
DoS works best when there is asymmetry between victim and attacker
Example: DNS reflection attacks
- Send DNS request with spoofed source IP (~65 byte request)
- DNS replies sent to target (~512 byte response)
- Reflect + amplify the attack
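The reflection and amplification slides describe what the victim sees: DNS replies arriving for queries it never sent, each much larger than the request that triggered it. The following is an added example, not part of the lecture, showing the check a defender at 1.2.3.4's edge can run over flow records: match inbound port-53 replies against outbound queries and flag sources whose replies are unsolicited. The flow records, the victim prefix 1.2.3.x, the resolver 203.0.113.53 and the thresholds are all constructed for the example; the 65/512-byte sizes are the slide's figures.

```python
from collections import defaultdict

LOCAL_NET = "1.2.3."   # constructed: the victim's network prefix
QUERY_TTL = 5.0        # assumed: seconds an outbound query may wait for its reply

# Constructed flow records at the network edge: (time, src, sport, dst, dport, bytes).
# Two legitimate query/reply pairs with a resolver, then 50 replies from 8.7.3.4
# (the reflector on the slides) to ports 1.2.3.4 never queried from.
SAMPLE_FLOWS = [
    (0.00, "1.2.3.4", 51000, "203.0.113.53", 53, 65),
    (0.02, "203.0.113.53", 53, "1.2.3.4", 51000, 120),
    (0.50, "1.2.3.4", 51001, "203.0.113.53", 53, 70),
    (0.53, "203.0.113.53", 53, "1.2.3.4", 51001, 200),
] + [(1.0 + i * 0.01, "8.7.3.4", 53, "1.2.3.4", 40000 + i, 512) for i in range(50)]


def detect_reflection(flows, min_unsolicited=10):
    """Return reflector sources that sent >= min_unsolicited replies with no matching query.

    An outbound query is remembered by (local ip, local port, remote ip) until QUERY_TTL
    expires; an inbound reply that finds no such entry is unsolicited, which is exactly
    what a spoofed-source reflection attack produces at the target.
    """
    pending = {}                              # (local ip, local port, remote ip) -> expiry
    unsolicited_count = defaultdict(int)
    unsolicited_bytes = defaultdict(int)
    for t, src, sport, dst, dport, nbytes in sorted(flows):
        if src.startswith(LOCAL_NET) and dport == 53:
            pending[(src, sport, dst)] = t + QUERY_TTL      # we asked; expect a reply
        elif dst.startswith(LOCAL_NET) and sport == 53:
            key = (dst, dport, src)
            if key in pending and pending[key] >= t:
                del pending[key]                            # legitimate reply, consume it
            else:
                unsolicited_count[src] += 1
                unsolicited_bytes[src] += nbytes
    return {src: {"replies": n, "bytes": unsolicited_bytes[src]}
            for src, n in unsolicited_count.items() if n >= min_unsolicited}


def amplification_factor(request_bytes=65, response_bytes=512):
    """Bytes delivered to the victim per byte the attacker sends (slide's sizes by default)."""
    return response_bytes / request_bytes


if __name__ == "__main__":
    print(detect_reflection(SAMPLE_FLOWS))
    print("amplification ~%.1fx" % amplification_factor())
```

The same matching logic applies to the ICMP reflection slide (echo replies with no outbound echo request); only the port test changes. Matching on the local port is what keeps the resolver's genuine replies out of the report.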
Estonia attack: Distributed DoS (DDoS)
• April 2007
• Used army of bots
• Attacks continued for weeks with varying intensities
• Targeted government, banks, news, university websites
From analysis of 2 weeks of attack traffic
• 120+ distinct attacks
• 115 ICMP floods, 4 TCP SYN floods
• 12 attacks: 70-95 Mbps for 10+ hrs
• All attack traffic from outside Estonia
• Solution: Block all foreign traffic until attacks subsided
[ATLAS 2007]
Internet protocol stack
  Application: HTTP, FTP, SMTP, SSH, etc.
  Transport: TCP, UDP
  Network: IP, ICMP, IGMP
  Link: 802x (802.11, Ethernet)
[Diagram: two end hosts, each with Application, Transport, Network and Link layers; the router between them has only Network and Link layers]
TCP (transport control protocol)
• Connection-oriented – state initialized during handshake and maintained
• Goal: reliable, ordered, error-checked delivery of a stream of bytes
  – generates segments
  – times out segments that aren't acknowledged
  – reorders received segments when necessary
TCP (transport control protocol)
[Diagram: IP hdr | TCP hdr | data]
TCP hdr fields:
  16-bit source port number
  16-bit destination port number
  32-bit sequence number
  32-bit acknowledgement number
  4-bit hdr len
  6 bits reserved
  6 bits flags
  16-bit window size
  16-bit TCP checksum
  16-bit urgent pointer
  options (optional)
  data (optional)
TCP (transport control protocol)
TCP flags
  URG  urgent pointer valid
  ACK  acknowledgement number valid
  PSH  pass data to app ASAP
  RST  reset connection
  SYN  synchronize sequence #'s
  FIN  finished sending data
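The encapsulation, IPv4 header, TCP header and TCP flag slides above give the field layout that any packet-inspection or detection tool has to decode. As an added example (not from the lecture), here is a parser that walks Ethernet → IPv4 → TCP over a raw frame, verifies the IPv4 header checksum, and decodes the six flag bits. The sample frame is constructed inside the block, using the slides' addresses 5.6.7.8 and 1.2.3.4 and made-up MAC addresses.

```python
import struct

ETH_HDR_LEN = 14                      # 14-byte Ethernet header (slide's figure)
TCP_FLAG_BITS = [("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
                 ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, then complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                 # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(data: bytes) -> dict:
    """Decode the fixed IPv4 header fields listed on the slide and verify the checksum."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, hdr_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or hdr_len < 20 or len(data) < hdr_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version, "hdr_len": hdr_len, "tos": tos, "total_len": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        # Summing the header with its checksum field in place must give zero.
        "checksum_ok": ip_checksum(data[:hdr_len]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": data[hdr_len:total_len],
    }


def parse_tcp(data: bytes) -> dict:
    """Decode the TCP header fields and the flag names from the slides."""
    sport, dport, seq, ack, off_res, flags, window, _csum, urg = \
        struct.unpack("!HHIIBBHHH", data[:20])
    hdr_len = (off_res >> 4) * 4       # 4-bit hdr len, in 32-bit words
    if hdr_len < 20 or len(data) < hdr_len:
        raise ValueError("not a well-formed TCP header")
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "hdr_len": hdr_len, "window": window, "urgent_ptr": urg,
        "flags": [name for name, bit in TCP_FLAG_BITS if flags & bit],
        "payload": data[hdr_len:],
    }


def parse_frame(frame: bytes) -> dict:
    """Walk the encapsulation from the slide: Ethernet -> IPv4 -> TCP."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = parse_ipv4(frame[ETH_HDR_LEN:])
    tcp = parse_tcp(ip["payload"]) if ip["protocol"] == 6 else None
    return {"ip": ip, "tcp": tcp}


def build_sample_syn_frame() -> bytes:
    """Constructed sample: a TCP SYN from 5.6.7.8:40000 to 1.2.3.4:80, MACs made up."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                             64, 6, 0, bytes([5, 6, 7, 8]), bytes([1, 2, 3, 4]))
    ip = ip_no_csum[:10] + struct.pack("!H", ip_checksum(ip_no_csum)) + ip_no_csum[12:]
    eth = struct.pack("!6s6sH", b"\xaa" * 6, b"\xbb" * 6, 0x0800)
    return eth + ip + tcp


if __name__ == "__main__":
    print(parse_frame(build_sample_syn_frame()))
```

The checksum check matters for the slides that follow: a host or filter that acts on a header it has not validated can be driven by corrupt or crafted fields, and the verification is cheap enough to do on every packet.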
TCP handshake
[Diagram: Client and Server]
  Client → Server: SYN seqC, 0
  Server → Client: SYN/ACK seqS, seqC+1
  Client → Server: ACK seqC+1, seqS+1
  TCP connection established
SYN = syn flag set, ACK = ack flag set; x, y = x is sequence #, y is acknowledge #
TCP SYN floods
[Diagram: attacker 5.6.7.8 (ISP2), victim 1.2.3.4 (ISP1), 8.7.3.4 (ISP3), backbone; the victim holds a window of per-SYN state]
Send lots of TCP SYN packets to 1.2.3.4, no ACK
• 1.2.3.4 maintains state for each SYN packet for some time (window)
• What asymmetry is being abused?
• What SRC IP does attacker use?
• If attacker sets SRC IP = 8.7.3.4, what does 8.7.3.4 receive?
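The handshake slide and the SYN flood slide describe the same server-side state from two angles: a SYN creates a half-open entry that only the final ACK (carrying seqS+1) completes, and an attacker who never sends that ACK leaves the entry sitting there for the whole window. The following is an added example, not from the lecture, that models the server's side of the handshake, keeps half-open entries for a configurable window, raises an alert when their number passes a threshold, and answers the slide's last question in code: the SYN/ACK goes to whatever source address the SYN carried. The addresses are the slides'; the window, threshold, sequence numbers and traffic are constructed.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """Just the fields of a TCP segment the handshake needs (slide's x,y notation)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # x: sequence number
    ack: int          # y: acknowledgement number
    flags: frozenset  # subset of {"SYN", "ACK"}


class HandshakeTracker:
    """Server-side handshake state for one listening socket (constructed model)."""

    def __init__(self, window: float, half_open_limit: int):
        self.window = window            # seconds a SYN entry is kept without an ACK
        self.limit = half_open_limit    # alert when more entries than this are pending
        self.half_open = {}             # (client ip, port) -> (expiry, seqS)
        self.established = set()
        self.next_seq = 5000            # constructed initial server sequence number
        self.alerts = []                # (time, half-open count) when the limit is passed

    def _expire(self, now: float) -> None:
        # Release per-SYN state whose window has passed (the slide's "for some time").
        for key, (expiry, _) in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[key]

    def receive(self, seg: Segment, now: float):
        """Process one segment; returns the server's reply segment, or None."""
        self._expire(now)
        key = (seg.src, seg.sport)
        if seg.flags == {"SYN"}:
            seqS, self.next_seq = self.next_seq, self.next_seq + 1
            self.half_open[key] = (now + self.window, seqS)
            if len(self.half_open) > self.limit:
                self.alerts.append((now, len(self.half_open)))
            # SYN/ACK seqS, seqC+1 is sent to the SYN's source address, whoever that is.
            return Segment(seg.dst, seg.dport, seg.src, seg.sport,
                           seqS, seg.seq + 1, frozenset({"SYN", "ACK"}))
        if seg.flags == {"ACK"} and key in self.half_open:
            _, seqS = self.half_open[key]
            if seg.ack == seqS + 1:     # ACK seqC+1, seqS+1 completes the handshake
                del self.half_open[key]
                self.established.add(key)
        return None


def simulate(window: float = 3.0, limit: int = 100) -> dict:
    """One legitimate handshake, then 500 SYNs from a spoofed 8.7.3.4 with no ACK."""
    srv = HandshakeTracker(window, limit)
    syn = Segment("5.6.7.8", 40000, "1.2.3.4", 80, 1000, 0, frozenset({"SYN"}))
    synack = srv.receive(syn, 0.0)
    ack = Segment("5.6.7.8", 40000, "1.2.3.4", 80, synack.ack, synack.seq + 1,
                  frozenset({"ACK"}))
    srv.receive(ack, 0.1)
    for i in range(500):                # constructed flood: distinct ports, never ACKed
        srv.receive(Segment("8.7.3.4", 10000 + i, "1.2.3.4", 80, i, 0,
                            frozenset({"SYN"})), 1.0 + i * 0.001)
    peak = len(srv.half_open)
    # Long after the window, a new SYN triggers expiry of all the stale entries.
    srv.receive(Segment("5.6.7.8", 40001, "1.2.3.4", 80, 7, 0, frozenset({"SYN"})), 10.0)
    return {"established": len(srv.established), "peak_half_open": peak,
            "alerts": len(srv.alerts), "half_open_after_window": len(srv.half_open)}


if __name__ == "__main__":
    print(simulate())
```

The asymmetry the slide asks about is visible in the model: each SYN costs the attacker one small segment and costs the server a dictionary entry held for the whole window, and the count-based alert is the simplest detection a defender can put on that state. The SYN/ACKs the model returns for the spoofed SYNs are addressed to 8.7.3.4, which is what that host receives in the slide's last question.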
Preventing DDoS
[Diagram: lots of SYNs arrive at filtering servers in front of 1.2.3.4; lots of SYN/ACKs go back out; few ACKs return and are forwarded to 1.2.3.4]
Large number of front-end servers absorb traffic
Forward legitimate-looking traffic to back-end servers
Companies and websites pay for this: CloudFlare, Arbor Networks, Akamai, and many others