Intro to Networking for the Insufficiently Paranoid
Mihai Christodorescu
CS 642 – Spring 2007
mihai@cs.wisc.edu
Original slides by Jonathon Giffin
Internet: Attack and Defenses
- Makes communication easier and faster
- Makes attacks easier and faster
Today's topics:
- Short introduction to networking
- Network-level attacks
- Network-level defenses
22 March 2007 Mihai Christodorescu - UW CS 642 - Spring 2007 2
Switched Networks
- A network can be defined recursively as...
  - two or more nodes connected by a link, or
  - two or more networks connected by one or more nodes
Layering Motivation
- Use abstractions to hide complexity
- Abstraction naturally leads to layering
- Alternative abstractions at each layer
(Figure: a layered stack, bottom to top: Hardware; Host-to-host connectivity; Request/reply channel and Message stream channel side by side; Application programs)
7-Layer Architecture
- Early inter-networks were the result of gluing together dissimilar networks
- The International Organization for Standardization (ISO) came up with a model for describing interconnection between networks (Open Systems Interconnection, OSI)
(Figure: the seven OSI layers on an end host, top to bottom: Application, Presentation, Session, Transport, Network, Data link, Physical)
Physical Layer
- Raw bits over a communications link
- Examples:
  - Ethernet (electrical signalling and connector)
  - Wireless IEEE 802.11a/b/g/n
  - Cable modem
  - DSL
(Figure: OSI stack with the Physical layer highlighted; the Physical layer is hardware, every layer above it is software)
Think of this as an Ethernet card and cable and vendor-specific APIs
Data link layer
- Frames of data from one device to another directly-attached device
- Example: Ethernet frames
- Collision detection, flow control
- Discovery of new devices
(Figure: OSI stack with the Data link layer highlighted; Data link and Physical are single-hop, Network and above are multi-hop. Example Ethernet address: 08:00:2b:e4:b1:02. Frame layout: Preamble, Payload, Frame CRC)
Think of this as the FRAMES from your cable modem to your PC
Network layer
- Packets delivered over multiple hops
- Addressed to a globally-unique, aggregatable address
- Routed to the next hop
(Figure: OSI stack with the Network layer highlighted; Transport is reliable, Network is best effort. Typical IPv4 address: 128.105.2.10. Packet layout: IP Header, IP Payload)
Think of this as a packet from a web server to your computer
Transport layer
- End-to-end in-order delivery of exactly one copy of each message (TCP)
- Retransmits lost packets (TCP)
- Holds received packets until requested by the application (UDP)
- Examples: TCP, UDP
(Figure: OSI stack with the Transport layer highlighted; TCP offers a connection, UDP offers messages. Segment layout: TCP Header, TCP Payload)
Think of this as a TCP segment from a web server to your computer
Session layer
- Initiates and monitors whole sessions
- Translates host names to host addresses
- Allocates ports and sockets
(Figure: OSI stack with the Session layer highlighted; Session and above run in user space, Transport and below run in the kernel)
Presentation layer
- Translates from the standard network data representation to the local one
- Handles encryption, compression, and OS-specific transmogrifications
(Figure: OSI stack with the Presentation layer highlighted; Application is the app itself, Presentation is a library, Session and below belong to the OS)
Application layer
- Requestor for network service
- Examples: BitTorrent, FTP, Firefox, The Sims Online, Quake, AIM, Sendmail, ...
(Figure: OSI stack with the Application layer highlighted)
Typical Routed Delivery Path
(Figure: two end hosts, each running the full seven-layer stack, connected through one or more nodes within the network that implement only the Network, Data link and Physical layers. Logical messages flow between peer layers on the two end hosts; control messages are exchanged at the Transport layer.)
IP Packet Header
- Connectionless (datagram-based)
- Best-effort delivery (unreliable service)
  - packets are lost
  - packets are delivered out of order
  - duplicate copies of a packet are delivered
  - packets can be delayed for a long time
- Datagram format (bit offsets 0, 4, 8, 16, 19, 31):
  Version | HLen | TOS | Length
  Ident | Flags | Offset
  TTL | Protocol | Checksum
  SourceAddr
  DestinationAddr
  Options (variable) | Pad (variable)
  Data
TCP Overview
- Byte-stream
  - app writes bytes
  - TCP sends segments
  - app reads bytes
(Figure: the application process writes bytes into TCP's send buffer; TCP transmits them as segments to the peer TCP, which holds them in a receive buffer until the receiving application process reads bytes)
TCP Protocol Header
- Connection oriented
- Reliable delivery
- Flow control: keep sender from overrunning receiver
- Congestion control: keep sender from overrunning network
- Header format (bit offsets 0, 4, 10, 16, 31):
  SrcPort | DstPort
  SequenceNum
  Acknowledgment
  HdrLen | 0 (reserved) | Flags | AdvertisedWindow
  Checksum | UrgPtr
  Options (variable)
  Data
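As an added example (not from the original slides), the two header layouts above turned into code: a builder that fills in both checksums and a parser that decodes every field in the order the slides draw them and verifies the checksums. The addresses, ports and sequence numbers used for the sample packet are constructed; 128.105.2.10 is the slide's example address, the web server 10.0.0.80 is assumed.

```python
import struct

# Added example, not part of the original slides: build and parse the IPv4 and
# TCP headers shown on the two preceding slides.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_FLAG_NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b"", ttl=64, window=65535):
    """Build an IPv4 packet carrying a TCP segment, with both checksums filled in."""
    src_b, dst_b = _ip_bytes(src), _ip_bytes(dst)
    # TCP header: HdrLen 5 words (20 bytes), reserved bits 0, checksum 0 for now.
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0) + payload
    # The TCP checksum also covers a pseudo-header: src, dst, zero, protocol 6, TCP length.
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: Version 4 / HLen 5, TOS 0, Length, Ident, DF flag, TTL, Protocol 6 (TCP).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, ttl, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header fields and verify the header checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_hlen, tos, length, ident, flags_off, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hlen = ver_hlen >> 4, (ver_hlen & 0x0F) * 4
    if version != 4 or hlen < 20 or len(packet) < hlen or length < hlen:
        raise ValueError("not a well-formed IPv4 header")
    header = packet[:hlen]
    # The checksum is computed over the header with the Checksum field itself zeroed.
    recomputed = inet_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {
        "version": version, "hlen": hlen, "tos": tos, "length": length, "ident": ident,
        "flags": flags_off >> 13, "offset": flags_off & 0x1FFF, "ttl": ttl, "protocol": proto,
        "checksum": csum, "checksum_ok": recomputed == csum,
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "options": header[20:], "payload": packet[hlen:length],
    }


def parse_tcp(segment: bytes, src: str, dst: str) -> dict:
    """Decode the TCP header; src/dst are needed only to rebuild the pseudo-header for the checksum."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen, flags = (off_flags >> 12) * 4, off_flags & 0x3F
    if hlen < 20 or len(segment) < hlen:
        raise ValueError("not a well-formed TCP header")
    pseudo = _ip_bytes(src) + _ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(segment))
    recomputed = inet_checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "hlen": hlen,
        "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
        "window": window, "checksum": csum, "checksum_ok": recomputed == csum, "urgptr": urg,
        "options": segment[20:hlen], "payload": segment[hlen:],
    }


def parse_packet(packet: bytes):
    """Return (ip_fields, tcp_fields) for an IPv4 packet whose Protocol is TCP."""
    ip = parse_ipv4(packet)
    if ip["protocol"] != 6:
        raise ValueError("not TCP (protocol %d)" % ip["protocol"])
    return ip, parse_tcp(ip["payload"], ip["src"], ip["dst"])


if __name__ == "__main__":
    # Constructed sample: a SYN from the slide's example address to an assumed web server.
    pkt = build_ipv4_tcp("128.105.2.10", "10.0.0.80", 40000, 80, seq=1000, ack=0, flags=SYN)
    ip, tcp = parse_packet(pkt)
    print(ip["src"], "->", ip["dst"], "proto", ip["protocol"], "IP checksum ok:", ip["checksum_ok"])
    print(tcp["sport"], "->", tcp["dport"], tcp["flags"], "seq", tcp["seq"], "TCP checksum ok:", tcp["checksum_ok"])
```

Note which checksum covers what: flipping a byte in the TCP part of the packet leaves the IP header checksum valid (it covers only the 20-byte header), while the TCP checksum, which covers the pseudo-header, the TCP header and the payload, fails.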
Normal Connection Establishment
(Figure: the three-way handshake; client sends SYN, server answers SYN/ACK, client completes with ACK)
The server sets up retransmission timers, allocates receive buffers, etc. Imagine a web server that can handle 12,000 connections. If the handshake does not complete, a timeout occurs after 120 seconds, freeing up the resources.
Note: SYN packets are very small and take up very little bandwidth.
Graphics from http://grc.com/dos/drdos.htm
State Transition Diagram
Not connected: CLOSED
Waiting for connection: LISTEN
TCP handshake: SYN_SENT, SYN_RCVD
Connected: ESTABLISHED
Closing the connection: FIN_WAIT_1, FIN_WAIT_2, CLOSING, TIME_WAIT, CLOSE_WAIT, LAST_ACK
Transitions (event / segment sent):
- CLOSED -> LISTEN: passive open
- CLOSED -> SYN_SENT: active open / SYN
- LISTEN -> SYN_RCVD: SYN / SYN + ACK
- LISTEN -> SYN_SENT: send / SYN
- LISTEN -> CLOSED: close
- SYN_SENT -> ESTABLISHED: SYN + ACK / ACK
- SYN_SENT -> SYN_RCVD: SYN / SYN + ACK
- SYN_SENT -> CLOSED: close
- SYN_RCVD -> ESTABLISHED: ACK
- SYN_RCVD -> FIN_WAIT_1: close / FIN
- ESTABLISHED -> FIN_WAIT_1: close / FIN
- ESTABLISHED -> CLOSE_WAIT: FIN / ACK
- FIN_WAIT_1 -> FIN_WAIT_2: ACK
- FIN_WAIT_1 -> CLOSING: FIN / ACK
- FIN_WAIT_1 -> TIME_WAIT: ACK + FIN / ACK
- FIN_WAIT_2 -> TIME_WAIT: FIN / ACK
- CLOSING -> TIME_WAIT: ACK
- CLOSE_WAIT -> LAST_ACK: close / FIN
- LAST_ACK -> CLOSED: ACK
- TIME_WAIT -> CLOSED: timeout after two segment lifetimes
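As an added example (not from the original slides), the diagram above encoded as a transition table and driven through the handshake from the previous slide and an orderly close. Segment names are the diagram's; the endpoint names and the driver functions are this example's own.

```python
# Added example, not part of the original slides: the TCP state-transition
# diagram as a table, with a client and server endpoint driven through it.

# (state, event) -> (next state, segment to send or None).
# Events are local calls (passive_open, active_open, send, close, timeout)
# or "recv <segment>" for a segment arriving from the peer.
TRANSITIONS = {
    ("CLOSED", "passive_open"):     ("LISTEN", None),
    ("CLOSED", "active_open"):      ("SYN_SENT", "SYN"),
    ("LISTEN", "recv SYN"):         ("SYN_RCVD", "SYN+ACK"),
    ("LISTEN", "send"):             ("SYN_SENT", "SYN"),
    ("LISTEN", "close"):            ("CLOSED", None),
    ("SYN_SENT", "recv SYN+ACK"):   ("ESTABLISHED", "ACK"),
    ("SYN_SENT", "recv SYN"):       ("SYN_RCVD", "SYN+ACK"),    # simultaneous open
    ("SYN_SENT", "close"):          ("CLOSED", None),
    ("SYN_RCVD", "recv ACK"):       ("ESTABLISHED", None),
    ("SYN_RCVD", "close"):          ("FIN_WAIT_1", "FIN"),
    ("ESTABLISHED", "close"):       ("FIN_WAIT_1", "FIN"),
    ("ESTABLISHED", "recv FIN"):    ("CLOSE_WAIT", "ACK"),
    ("FIN_WAIT_1", "recv ACK"):     ("FIN_WAIT_2", None),
    ("FIN_WAIT_1", "recv FIN"):     ("CLOSING", "ACK"),         # simultaneous close
    ("FIN_WAIT_1", "recv FIN+ACK"): ("TIME_WAIT", "ACK"),
    ("FIN_WAIT_2", "recv FIN"):     ("TIME_WAIT", "ACK"),
    ("CLOSING", "recv ACK"):        ("TIME_WAIT", None),
    ("CLOSE_WAIT", "close"):        ("LAST_ACK", "FIN"),
    ("LAST_ACK", "recv ACK"):       ("CLOSED", None),
    ("TIME_WAIT", "timeout"):       ("CLOSED", None),           # two segment lifetimes
}

HALF_OPEN = "SYN_RCVD"   # where a server-side connection sits until the final ACK arrives


class TcpEndpoint:
    """One side of a connection: its current state plus a log of every transition taken."""

    def __init__(self, name):
        self.name, self.state, self.log = name, "CLOSED", []

    def event(self, ev):
        """Apply a local event or a received segment; return the segment to send, if any."""
        try:
            new_state, out = TRANSITIONS[(self.state, ev)]
        except KeyError:
            raise ValueError("%s: no transition for %r in state %s" % (self.name, ev, self.state))
        self.log.append((self.state, ev, new_state, out))
        self.state = new_state
        return out

    def receive(self, segment):
        return None if segment is None else self.event("recv " + segment)


def three_way_handshake(client, server):
    """Client active-opens, server passive-opens; returns both final states."""
    server.event("passive_open")
    seg = client.event("active_open")      # client sends SYN
    seg = server.receive(seg)              # server answers SYN+ACK and is now half-open
    assert server.state == HALF_OPEN
    seg = client.receive(seg)              # client answers ACK
    server.receive(seg)                    # server completes the handshake
    return client.state, server.state


def orderly_close(closer, peer):
    """Four-segment close initiated by `closer`; returns both final states."""
    seg = closer.event("close")            # FIN
    seg = peer.receive(seg)                # ACK; peer enters CLOSE_WAIT
    closer.receive(seg)                    # closer enters FIN_WAIT_2
    seg = peer.event("close")              # peer's FIN; peer enters LAST_ACK
    seg = closer.receive(seg)              # ACK; closer enters TIME_WAIT
    peer.receive(seg)                      # peer CLOSED
    closer.event("timeout")                # two segment lifetimes later
    return closer.state, peer.state


def simultaneous_close(a, b):
    """Both sides close before seeing the other's FIN (the CLOSING path on the diagram)."""
    fin_a, fin_b = a.event("close"), b.event("close")
    ack_a, ack_b = a.receive(fin_b), b.receive(fin_a)   # both enter CLOSING and ACK
    a.receive(ack_b)
    b.receive(ack_a)                                     # both enter TIME_WAIT
    a.event("timeout")
    b.event("timeout")
    return a.state, b.state


if __name__ == "__main__":
    c, s = TcpEndpoint("client"), TcpEndpoint("server")
    print("handshake:", three_way_handshake(c, s))
    print("close:", orderly_close(c, s))
    for step in s.log:
        print("  server %-11s --%-13s--> %-11s sends %s" % step)
```

The `HALF_OPEN` state is the one the next slide's attack targets: every spoofed SYN leaves a server endpoint parked in SYN_RCVD, holding the resources the handshake slide lists, until the timeout fires.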
Attack #1: SYN Flood
- Each SYN creates one half-open connection
- Half-open connections take minutes to time out
- Servers have finite connection tables
- Perpetrator would be easily caught (source IP)
  - Unless the source IP is spoofed
- See: CERT Advisory CA-1996-21, http://www.cert.org/advisories/CA-1996-21.html
- 100 SYN packets per second fits in 56 Kbps (and at a 120-second timeout keeps 12,000 half-open connections pending, the whole table of the web server on the earlier slide)
Graphics from http://grc.com/dos/drdos.htm
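As an added example (not from the original slides), a second-by-second model of the server's connection table under the flood just described, using the slides' numbers: a 12,000-entry table, a 120-second half-open timeout and an attacker sending 100 SYN/s. The 40-byte SYN (IPv4 header plus TCP header, no options) and the rate of one legitimate client per second are this example's assumptions.

```python
import math
from collections import deque

# Added example, not part of the original slides: how fast a SYN flood fills a
# finite connection table, and what the attacker pays in bandwidth to do it.


def min_syn_rate(table_size, timeout_s):
    """Smallest sustained SYN rate that keeps every table entry half-open (Little's law)."""
    return math.ceil(table_size / timeout_s)


def syn_bandwidth_bps(syns_per_second, syn_bytes=40):
    """Link bandwidth a SYN stream needs; 40 bytes assumes bare IPv4 + TCP headers."""
    return syns_per_second * syn_bytes * 8


def simulate_syn_flood(rate, table_size=12000, timeout_s=120, duration_s=200, legit_per_s=1):
    """Run the flood one second at a time. Spoofed SYNs occupy an entry until the timeout
    frees it (the SYN/ACK goes to the spoofed address and is never answered). Legitimate
    clients complete their handshake within the second, so they need a free entry only
    momentarily; they are refused when none is free."""
    expiring = deque()        # (second at which this batch times out, number of entries)
    half_open = 0
    peak, first_full, refused, accepted = 0, None, 0, 0
    for t in range(duration_s):
        while expiring and expiring[0][0] <= t:       # free entries whose timer ran out
            half_open -= expiring.popleft()[1]
        admitted = min(rate, table_size - half_open)  # attacker's SYNs for this second
        if admitted:
            half_open += admitted
            expiring.append((t + timeout_s, admitted))
        if half_open >= table_size and first_full is None:
            first_full = t
        for _ in range(legit_per_s):                  # legitimate clients arrive after the burst
            if half_open >= table_size:
                refused += 1
            else:
                accepted += 1
        peak = max(peak, half_open)
    return {"peak_half_open": peak, "first_full_at": first_full,
            "legit_refused": refused, "legit_accepted": accepted}


if __name__ == "__main__":
    print("SYN rate needed for a 12,000-entry table and 120 s timeout:", min_syn_rate(12000, 120), "per second")
    print("bandwidth for 100 SYN/s:", syn_bandwidth_bps(100), "bit/s, which fits a 56 Kbps modem")
    for rate in (99, 100, 1000):
        print("rate %4d SYN/s ->" % rate, simulate_syn_flood(rate))
```

The threshold is sharp: at 99 SYN/s the table never quite fills (11,880 entries at most) and every legitimate client gets in, while at 100 SYN/s the table is full after 120 batches and stays full, since each second's expiring batch is replaced by a fresh one.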
Spoofed IP Address
The SYN/ACK is delivered to the fake (spoofed) IP address. The attacker doesn't see it, and doesn't care. (The unsolicited SYN/ACKs arriving at the spoofed address are called backscatter.)
Graphics from http://grc.com/dos/drdos.htm
Example SYN Flood Attacks
- February 2000
  - Victims included CNN, eBay, Yahoo, Amazon
  - Attackers (allegedly) used simple, readily available tools (script kiddies)
  - Law enforcement unable (unwilling?) to help
  - Under-age perpetrators have blanket immunity
- October 2002
  - Root DNS servers
  - 9 of 13 servers brought down
Attack #2: Distributed DoS
- Rather than filling the connection table, fill all available bandwidth
- Infect innocent bystanders (zombies)
- Zombies listen (e.g. on an IRC channel) for the attack command (or simply attack at will)
- Attacker need not have a high-bandwidth connection
Typical program: EvilGoat EvilBot
Graphics from http://grc.com/dos/drdos.htm
Example Distributed DoS Attack
- 6 attacks on 5 different days
- One attack lasted for 17 hours
- 474 infected Windows PCs as zombies
- 2.4 billion malicious packets
(Figure: legitimate throughput over time, collapsing during each attack)
Graphics from http://grc.com/dos/grcdos.htm
Flood-based Distributed DoS Attacks
- Coordinate zombies to attack with big packets
- Use up "last-hop" bandwidth
- The "last-hop" router discards packets indiscriminately
- Zombies need not spoof addresses
Graphics from http://grc.com/dos/drdos.htm
Recent Twist - Reflection
- Many routers accept connections on port 179 (Border Gateway Protocol)
  - Although any big server and any port it listens on will work
- Send a SYN to a server, claiming it came from the victim
- The server will send a SYN/ACK to the victim
  - And then re-transmit it several times before giving up (typically about 4X)
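As an added example (not from the original slides), the reflection attack above and the backscatter from the spoofed-address slide seen from the victim's side: the reflectors' SYN/ACK retransmissions multiply each spoofed SYN, and the victim can recognise the result because the SYN/ACKs answer connections it never opened. The retransmission schedule (resends after 3, 6, 12 and 24 seconds, four retransmissions as the slide says), the reflector addresses and the victim's one real connection are all constructed assumptions.

```python
from collections import Counter

# Added example, not part of the original slides: reflected SYN/ACK traffic as
# the victim receives it, and a backscatter classifier for unsolicited SYN/ACKs.

RETRANSMIT_DELAYS = (3, 6, 12, 24)   # assumed seconds between successive SYN/ACK resends


def amplification(retransmits=len(RETRANSMIT_DELAYS)):
    """Packets that land on the victim per spoofed SYN the attacker sends."""
    return 1 + retransmits


def reflect(spoofed_syns, retransmit_delays=RETRANSMIT_DELAYS):
    """spoofed_syns: (send_time, reflector_ip, reflector_port) for each SYN forged in the
    victim's name. Returns the SYN/ACKs the victim receives, one per original reply plus
    one per retransmission, as (arrival_time, reflector_ip, reflector_port, 'SYN+ACK')."""
    offsets = [0]
    for delay in retransmit_delays:
        offsets.append(offsets[-1] + delay)
    return sorted((t + off, ip, port, "SYN+ACK") for t, ip, port in spoofed_syns for off in offsets)


def classify_backscatter(received, outstanding_syns):
    """Split incoming SYN/ACKs into those answering a SYN the victim really sent
    (outstanding_syns is a set of (peer_ip, peer_port) in SYN_SENT) and unsolicited ones.
    Unsolicited SYN/ACKs are backscatter: someone forged our address in a SYN.
    Matching on address and port alone cannot separate a reflector from a host we are
    genuinely connecting to; a real implementation also checks the acknowledgment number."""
    solicited, unsolicited = [], []
    for pkt in received:
        _, ip, port, kind = pkt
        if kind == "SYN+ACK" and (ip, port) in outstanding_syns:
            solicited.append(pkt)
        else:
            unsolicited.append(pkt)
    return solicited, unsolicited


def top_reflectors(unsolicited, n=3):
    """Which reflectors hit us hardest. Unlike the attacker, reflectors use their real addresses."""
    return Counter((ip, port) for _, ip, port, _ in unsolicited).most_common(n)


def peak_packets_per_second(arrivals):
    per_second = Counter(int(t) for t, *_ in arrivals)
    return max(per_second.values()) if per_second else 0


if __name__ == "__main__":
    # Constructed scenario: one spoofed SYN per second for 10 s to each of three reflectors
    # (two BGP speakers on port 179, as on the slide, and a web server), claiming to be the victim.
    reflectors = [("192.0.2.1", 179), ("192.0.2.2", 179), ("198.51.100.7", 80)]
    spoofed = [(t, ip, port) for t in range(10) for ip, port in reflectors]
    victim_sees = reflect(spoofed)
    # The victim also has one genuine connection attempt outstanding, answered at t=0.5.
    victim_sees.append((0.5, "203.0.113.9", 443, "SYN+ACK"))
    solicited, unsolicited = classify_backscatter(sorted(victim_sees), {("203.0.113.9", 443)})
    print("attacker sent", len(spoofed), "spoofed SYNs; victim received", len(victim_sees), "SYN/ACKs")
    print("solicited:", len(solicited), "backscatter:", len(unsolicited), "peak pps:", peak_packets_per_second(victim_sees))
    print("top reflectors:", top_reflectors(unsolicited))
```

Two things to take away: the attacker's 30 SYNs become 150 packets at the victim, and the victim's log names the reflectors, not the attacker, which is why the slide notes that tracing a reflected attack leads to innocent servers first.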
Reflection Mechanism
(Figure: attacker sends SYNs with the victim's source address to reflecting servers; each server sends its SYN/ACK, and its retransmissions, to the victim)
Graphics from http://grc.com/dos/drdos.htm