IP and ARP Security, Earlence Fernandes UW Madison CS 642 1
Today’s agenda
• IP Spoofing
• Denial of Service attack (DoS)
• Distributed DoS (DDoS)
• Source address validation
• Link layer security
• Address resolution protocol (ARP)
• Mapping IP to MAC address
• MAC address spoofing
Announcements
• Midterm 1 in class Mar 10 Tuesday
• Open notes/books with laptop but NO INTERNET
• 70 minutes, 70 points
• Everything we’ve covered until and including today
• Questions biased towards earlier material
• Free form, recall and creative thinking
• Feedback forms are out
• Take a minute now to put some feedback in
• Very helpful for us
Recap: Network threat model
(Diagram: hosts attached to ISP1 and ISP2, connected through the backbone)
1. Malicious hosts
2. Subverted backbone routes or links
3. Malicious ISPs or backbone
Recap: Internet Protocol Stack
(Diagram: encapsulation down the stack)
- Application layer (HTTP, FTP, SMTP, SSH, etc.): user data
- Transport layer (TCP, UDP), identified by PORT: TCP segment = TCP hdr + Appl hdr + user data
- Network layer (IP, ICMP, IGMP): IP datagram = IP hdr + TCP hdr + Appl hdr + user data
- Link layer (802.11, Ethernet, MAC): Ethernet frame = ENet hdr + IP hdr + TCP hdr + Appl hdr + user data + ENet tlr
- Sizes: ENet hdr 14 bytes, IP hdr 20 bytes, TCP hdr 20 bytes; IP datagram carried in the frame 46 to 1500 bytes
Recap: Identifiers on the internet
• Port: 0 – 65535 (16-bit)
  • 0 – 1023: System reserved, e.g. 80: HTTP, 443: HTTPS, 53: DNS
  • 1024 – 49151: Semi-reserved, used by application developers
  • 49152 – 65535: Used by client programs, e.g. browsers
• IP: 32-bit (IPv4) or 128-bit (IPv6) identifier
  • a.b.c.d – four unsigned integers
  • CIDR (Classless Inter-Domain Routing): a.b.c.d/x
  • The x-bit prefix is “owned” by the entity,
  • or, IP addresses with the same /x prefix share some portion of their route
• MAC # (Media Access Control): 48-bit identifier
  • Unique for the ethernet/wifi card
  • Often preset by the manufacturer, but one can change them easily
Denial of Service (DoS) attacks
(Diagram: attacker 5.6.7.8, victim 1.2.3.4 and a third host 15.6.9.18, attached to ISP1/ISP2 and connected through the backbone)
Goal: prevent legitimate users from accessing the victim (1.2.3.4)
DoS
• Overwhelm the victim with malicious traffic
  • E.g., ICMP flood, SYN flood
• Many types
  • Application layer DoS
    • Locking all user accounts in a system (by repeated password guesses)
  • Distributed DoS
    • Get a pool of (compromised) machines/devices to send malicious traffic
    • SYN floods
  • Reflected DoS
    • Send spoofed IP packets to benign servers, which respond with a large amount of data
ICMP (Internet Control Message Protocol)
(Diagram: IP hdr | ICMP hdr | ICMP message)
ICMP header: 8-bit type, 8-bit code, 16-bit checksum, then 4 more header bytes (depends on type), followed by the message …
ICMP Flood
(Diagram: attacker 5.6.7.8 floods victim 1.2.3.4 across the backbone; 15.6.9.18 is another host)
ICMP ping flood
- Attacker sends ICMP pings as fast as possible to the victim
- When will this work as a DoS? Attacker resources > victim’s
- How can this be prevented? Ingress filtering near the victim
TCP SYN Flood
Send a bunch of SYN packets to a router/server
- Never respond with an ACK
- Half-open TCP connections hold resources on the server
- Legitimate users cannot access the server
Reflected DoS attacks
(Diagram: attacker 5.6.7.8 sends an IP packet toward 8.7.3.4, a host at ISP3, carrying the victim’s address 1.2.3.4 as source; the response goes to 1.2.3.4)
- 5.6.7.8 sends an IP packet like this: source: 1.2.3.4, dest: 8.7.3.4
- Attacker sends packets with a spoofed source address
- Filtering based on source may be incorrect
DoS with resource asymmetry
(Diagram: attacker 5.6.7.8 and victim 1.2.3.4 across the backbone)
Attacker uses few resources to cause the victim to consume lots of resources
- DNS amplification attack
  - Send a DNS request with the target’s IP spoofed as source (~64-byte request)
  - DNS replies are sent to the target (~512-byte response)
- Smurf attack
  - Broadcast ICMP ping on a router with the victim’s IP address spoofed as source
  - (not allowed with newer routers)
- Ping of death
  - A single packet that causes a crash on the remote system
  - Early on: ping packet with size > 65,535
How to prevent spoofing?
(Diagram: attacker 5.6.7.8, victim 1.2.3.4, reflector 8.7.3.4 at ISP3)
Spoofed IPs mean we cannot know where packets came from. Solution:
- BCP 38 (RFC 2827)
  - Upstream ingress filtering to drop spoofed packets
  - Source address validation
- IP traceback
  - Identify sources of attack
IP traceback
(Diagram: same topology)
IP traceback approaches:
• Logging – each router keeps logs of packets going by
• Input debugging – a router feature that allows filtering egress port traffic based on the ingress port, i.e. associating egress with ingress
• Controlled flooding – mount your own DoS on links selectively to see how it affects the malicious flood
• Marking – routers probabilistically mark packets with info
BCP38: Network Ingress filtering
(Diagram: same topology)
Before forwarding packets on, check at ingress that the source IP is legitimate
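As an added example, not from the slides: a minimal BCP 38 source-address check in Python. The per-port prefixes are assumptions chosen to match the slide’s addresses, and the packet tuples are constructed; the reflected-DoS packet that carries the victim’s address 1.2.3.4 as source is dropped at the ISP ingress instead of reaching the reflector.

```python
import ipaddress

# Constructed topology (assumption): which source prefixes each customer
# port of the ISP is allowed to originate. Ingress filtering is per port,
# not per destination, which is why the attack packet can be caught here.
CUSTOMER_PREFIXES = {
    "port-1": [ipaddress.ip_network("5.6.7.0/24")],    # the 5.6.7.8 access link
    "port-2": [ipaddress.ip_network("15.6.9.0/24")],   # the 15.6.9.18 access link
}


def ingress_allowed(port, src_ip, prefixes=CUSTOMER_PREFIXES):
    """BCP 38 check: forward only if the source lies in a prefix assigned to the ingress port."""
    if port not in prefixes:
        return False                     # unknown port: fail closed
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes[port])


def filter_packets(packets, prefixes=CUSTOMER_PREFIXES):
    """Split (ingress_port, src, dst) tuples into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if ingress_allowed(pkt[0], pkt[1], prefixes) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic: two legitimate packets and the slide's reflected-DoS
# packet (source spoofed as the victim 1.2.3.4, sent toward the reflector 8.7.3.4).
SAMPLE = [
    ("port-1", "5.6.7.8", "8.7.3.4"),
    ("port-1", "1.2.3.4", "8.7.3.4"),
    ("port-2", "15.6.9.18", "1.2.3.4"),
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE)
    for pkt in drp:
        print("dropped at ingress, spoofed source:", pkt)
```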
BCP 38: We are getting there…
Still 14-21% are spoofable
Preventing DoS: beat the power
(Diagram: lots of SYNs arrive at a filtering box in front of 1.2.3.4; lots of SYN/ACKs go back out, but few ACKs return)
Just need a beefy box to help with filtering. There are several anti-DoS protection services:
- Prolexic (acquired by Akamai)
- Cloudflare
- Google Cloud Armor
Mirai
• September 2016, 600 Gbps attack on Krebs, Dyn.
• IoT devices: IP cameras
• Peak infection: 600k devices, steady state: 200 to 300k
• Default username/passwords on IP cameras
Paras Jha, co-author of Mirai
• 2500 hours community service
• Home confinement
• 8.6 million USD in restitution
• Why DDoS?
  • Juvenile reasons (student at Rutgers CS)
  • Delay calculus exam
  • Prevent others from registering for an advanced CS course he wanted to take
https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
https://krebsonsecurity.com/2018/10/mirai-co-author-gets-6-months-confinement-8-6m-in-fines-for-rutgers-attacks/
Link layer security
Link layer: Ethernet/WiFi
Carrier Sense, Multiple Access with Collision Detection (CSMA/CD)
- Take turns using the broadcast channel (the wire)
- Detect collisions, jam, and randomly back off
Security issues?
Address resolution protocol (ARP)
IP routing:
- Figure out where to send an IP packet based on its destination address.
- The link layer and IP layer must cooperate to get things sent
- ARP/RARP enables this cooperation by mapping IPs to MACs
(Diagram: ARP maps a 32-bit IP address to a 48-bit MAC address; RARP maps a 48-bit MAC address back to a 32-bit IP address)
Media Access Control Number (MAC)
• “Unique” identifier for a device. Two types
  • Globally administered
  • Locally administered
• OS can “change” MAC
https://en.wikipedia.org/wiki/MAC_address
MAC Spoofing
For privacy
APPLE:
$ sudo ifconfig en0 ether xx:xx:xx:xx:xx:xx
LINUX:
$ sudo ip link set eth0 address xx:xx:xx:xx:xx:xx
For stealing
MAC spoofing is not illegal, but can show criminal intent
Aaron Swartz, a fellow at Harvard University's Center for Ethics and an open source programmer involved with creating the RSS 1.0 specification and more generally in the open culture movement, has been arrested and charged with wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer after he entered a computer lab at MIT in Cambridge, Massachusetts and downloaded two-thirds of the material on JSTOR, an academic journal repository.
http://en.wikinews.org/wiki/Aaron_Swartz_arrested_and_charged_for_downloading_JSTOR_articles
https://www.internethalloffame.org/inductees/aaron-swartz
Address resolution protocol
Frame layout: Ethernet header (14B), then ARP message (28B), then pad (18B) and CRC (4B)
Ethernet header:
- enet dest (6B) – all 1’s, 0xFFFFFFFFFFFF, for broadcast
- enet src (6B)
- frame type (2B) – 0x0806 (ARP), 0x8035 (RARP)
ARP message:
- hw type (2B), prot(ocol) type (2B) – specify what types of addresses we’re looking up
- hw size (1B), prot size (1B)
- op (2B) – specifies whether this is an ARP request, ARP reply, RARP request, or RARP reply
- sender hw addr (6B) – host’s MAC address for ARP and ARP reply
- sender ip (4B)
- target hw addr (6B) – ignored in an ARP request
- target ip (4B)
ARP caches
• Hosts maintain a cache of ARP data
  • just a table mapping between IPs and MACs
ARP has no authentication
• Easy to sniff packets on (non-switched) ethernet
• What else can we do?
Easy Denial of Service (DoS): send an ARP reply associating the gateway 192.168.1.1 with an unused MAC address
ARP has no authentication
• Easy to sniff packets on (non-switched) ethernet
• What else can we do?
Active Man-in-the-Middle (diagram: gateway 192.168.1.1 with MAC1, host 192.168.1.2 with MAC2, malicious box 192.168.1.3 with MAC3):
- ARP reply to MAC2: 192.168.1.1 -> MAC3
- ARP reply to MAC1: 192.168.1.2 -> MAC3
Now traffic is “routed” through the malicious box
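An added example, not part of the slides, that packs and parses Ethernet/ARP frames with the field layout from the ARP slide and runs a passive detector over constructed frames: it reports a reply that rebinds an IP already in the table (the gateway rebinding above) or whose ARP sender MAC disagrees with the Ethernet source MAC. The MAC values, the frame builder and the monitor class are assumptions for illustration.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # enet dest, enet src, frame type (14 B)
ARP_MSG = struct.Struct("!HHBBH6s4s6s4s")  # hw type, prot type, hw size, prot size, op,
                                           # sender hw addr, sender ip, target hw addr, target ip (28 B)
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST = b"\xff" * 6                    # all 1's destination for broadcast

def mac(s):  # "aa:bb:cc:dd:ee:ff" -> 6 bytes
    return bytes.fromhex(s.replace(":", ""))
def ip(s):   # "192.168.1.1" -> 4 bytes
    return bytes(int(x) for x in s.split("."))
def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed sample frame (pad/CRC omitted); the ARP sender MAC is also the Ethernet source."""
    dst = BROADCAST if op == ARP_REQUEST else mac(target_mac)
    return ETH_HDR.pack(dst, mac(sender_mac), ETHERTYPE_ARP) + ARP_MSG.pack(
        1, 0x0800, 6, 4, op, mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip, eth_src), or None if not Ethernet/IPv4 ARP."""
    _, eth_src, ftype = ETH_HDR.unpack_from(frame)
    if ftype != ETHERTYPE_ARP:
        return None
    hw, prot, hlen, plen, op, sha, spa, _tha, tpa = ARP_MSG.unpack_from(frame, ETH_HDR.size)
    if (hw, prot, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ".".join(map(str, spa)), ".".join(map(str, tpa)), mac_str(eth_src)

class ArpMonitor:
    """Passive detector: remembers IP -> MAC bindings and flags replies that rebind a known IP."""
    def __init__(self, trusted=None):
        self.table = dict(trusted or {})   # pre-seed with the gateway's real MAC if known
    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, sha, spa, _tpa, eth_src = parsed
        alerts = []
        if sha != eth_src:
            alerts.append(f"ARP sender {sha} differs from Ethernet source {eth_src}")
        if op == ARP_REPLY:
            known = self.table.get(spa)
            if known and known != sha:
                alerts.append(f"{spa} rebound from {known} to {sha}: possible ARP poisoning")
            self.table.setdefault(spa, sha)  # keep the first binding; a change is reported, not learned
        return alerts
```

Pre-seeding `trusted` with the real gateway binding (as a switch or host would via a static ARP entry) makes the very first forged reply for 192.168.1.1 detectable instead of only the second.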
ARP Poisoning