Network Attacks, Part 1
CS 161: Computer Security
Prof. Vern Paxson
TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce & Matthias Vallentin
http://inst.eecs.berkeley.edu/~cs161/
February 7, 2013
Announcements / Game Plan
• Homework #1 out now, due next week (Friday 2/15, 10:00PM)
  – Turn in electronically
• We expect Project #1 to ship around the end of next week
• Goal for today: a look at network attacks
  – With a focus on network layers 1-4
• To start: what general goals do we have for communication/network security?
General Communication Security Goals: CIA
• Confidentiality
  – No one can read our data / communication unless we want them to
• Integrity
  – No one can manipulate our data / processing / communication unless we want them to
• Availability
  – We can access our data / conduct our processing / use our communication capabilities when we want to
• Also: no additional traffic other than ours …
Layers 1 & 2: General Threats?
  7 Application
  4 Transport
  3 (Inter)Network
  2 Link: framing and transmission of a collection of bits into individual messages sent across a single “subnetwork” (one physical technology)
  1 Physical: encoding bits to send them over a single physical link, e.g. patterns of voltage levels / photon intensities / RF modulation
TCPDUMP: Packet Capture & ASCII Dumper [screenshot]
Wireshark: GUI for Packet Capture/Exam. [screenshots]
Physical/Link-Layer Threats: Eavesdropping
• Also termed sniffing
• For subnets using broadcast technologies (e.g., WiFi, some types of Ethernet), get it for “free”
  – Each attached system’s NIC (= Network Interface Card) can capture any communication on the subnet
  – Some handy tools for doing so
    o tcpdump / windump (low-level ASCII printout)
    o Wireshark (GUI for displaying 800+ protocols)
    o Bro (scriptable real-time network analysis)
• For any technology, routers (and internal “switches”) can look at / export traffic they forward
• You can also “tap” a link
  – Insert a device to mirror physical signal
  – Or: just steal it!
Stealing Photons [image]
Physical/Link-Layer Threats: Disruption
• With physical access to a subnetwork, attacker can
  – Overwhelm its signaling
    o E.g., jam WiFi’s RF
  – Send messages that violate the Layer-2 protocol’s rules
    o E.g., send messages > maximum allowed size, sever timing synchronization, ignore fairness rules
• Routers & switches can simply “drop” traffic
• There’s also the heavy-handed approach …
Physical/Link-Layer Threats: Spoofing
• With physical access to a subnetwork, attacker can create any message they like
  – When with a bogus source address: spoofing
• When using a typical computer, may require root/administrator to have full freedom
• Particularly powerful when combined with eavesdropping
  – Because attacker can understand exact state of victim’s communication and craft their spoofed traffic to match it
  – Spoofing w/o eavesdropping = blind spoofing
Spoofing Considerations
• “On path” attackers can see victim’s traffic ⇒ spoofing is easy
• “Off path” attackers can’t see victim’s traffic
  – They have to resort to blind spoofing
  – Often must guess/infer header values to succeed
    o We then care about work factor: how hard is this
  – But sometimes they can just brute force
    o E.g., 16-bit value: just try all 65,536 possibilities!
• When we say an attacker “can spoof”, we usually mean “w/ reasonable chance of success”
Layer 3: General Threats?
  7 Application
  4 Transport
  3 (Inter)Network: bridges multiple “subnets” to provide end-to-end internet connectivity between nodes
  2 Link
  1 Physical

IP = Internet Protocol. IP (version 4) header layout, 32 bits per row:
  4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (Bytes)
  16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
  8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
  32-bit Source IP Address
  32-bit Destination IP Address
  Payload
Network-Layer (IP) Threats
• Can set arbitrary source address
  – “Spoofing” - receiver has no idea who you are
  – Could be blind, or could be coupled w/ sniffing
  – Note: many attacks require two-way communication
    o So successful off-path/blind spoofing might not suffice
• Can set arbitrary destination address
  – Enables “scanning” - brute force searching for hosts
• Can send like crazy (flooding)
  – IP has no general mechanism for tracking overuse
  – IP has no general mechanism for tracking consent
  – Very hard to tell where a spoofed flood comes from!
• If attacker can manipulate routing, can bring traffic to themselves for eavesdropping (viewed as hard)
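The header layout from the previous slide and the arbitrary-source-address threat on this one, worked as an added example (not code from the lecture): a parser for the IP header fields shown, a header-checksum check, and the ingress/egress filter a site border router applies so that packets whose source address could not legitimately have arrived on that interface are dropped (the BCP 38 approach). The site prefix 10.1.0.0/16, the interface labels "external"/"internal", and the sample packets are constructed for this example.

```python
"""Added example: parse the IP header fields from the slide and apply a BCP 38 style
anti-spoofing filter.  Site prefix, interface labels and packets are constructed."""
import ipaddress
import struct

SITE_NET = ipaddress.ip_network("10.1.0.0/16")   # constructed: addresses that are legitimately "ours"
IPV4_FMT = "!BBHHHBBH4s4s"                        # 20-byte header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; caller passes the header with its checksum bytes zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                              # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6, ttl: int = 64) -> bytes:
    """Assemble a minimal IPv4 header with the fields shown on the slide (no options)."""
    ver_ihl = (4 << 4) | 5                          # Version 4, header length 5 words = 20 bytes
    hdr = struct.pack(IPV4_FMT, ver_ihl, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Split the first 20 bytes into the slide's fields and verify the header checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = ver_ihl & 0x0F
    hlen = ihl * 4
    zeroed = pkt[:10] + b"\x00\x00" + pkt[12:hlen]  # checksum is computed with its own field zeroed
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_len": total_len,
        "ident": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto, "checksum": csum,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": hlen >= 20 and ipv4_checksum(zeroed) == csum,
    }


def border_filter(pkt: bytes, arrived_on: str) -> str:
    """Decision for a packet seen at the site border; arrived_on is "external" or "internal"."""
    h = parse_ipv4_header(pkt)
    if h["version"] != 4 or not h["checksum_ok"]:
        return "drop: malformed header"
    src = ipaddress.IPv4Address(h["src"])
    if arrived_on == "external" and src in SITE_NET:
        return "drop: our own prefix as source on the outside interface (ingress filter)"
    if arrived_on == "internal" and src not in SITE_NET:
        return "drop: foreign source leaving the site (egress filter)"
    return "accept"


if __name__ == "__main__":
    inbound_spoof = build_ipv4_header("10.1.2.3", "10.1.9.9", payload_len=0)
    print(border_filter(inbound_spoof, "external"))
```

The filter cannot tell a forged outside address from a real one, which is why the slide calls tracing a spoofed flood hard; what it can do is refuse the two cases that are provably wrong for the interface, and that is what stops a site from originating spoofed traffic or accepting packets that claim to come from inside.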
5 Minute Break
Questions Before We Proceed?
Layer 4: General Threats?
  7 Application
  4 Transport (TCP, UDP): end-to-end communication between processes
  3 (Inter)Network
  2 Link
  1 Physical

TCP header layout, 32 bits per row:
  Source port | Destination port   (these plus IP addresses define a given connection)
  Sequence number   (defines where this packet fits within the sender’s bytestream)
  Acknowledgment
  HdrLen | 0 | Flags | Advertised window
  Checksum | Urgent pointer
  Options (variable)
  Data
TCP Conn. Setup & Data Exchange
Client (initiator): IP address 1.2.1.2, port 3344        Server: IP address 9.8.7.6, port 80

  Client → Server: SrcA=1.2.1.2, SrcP=3344, DstA=9.8.7.6, DstP=80, SYN, Seq=x
  Server → Client: SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, SYN+ACK, Seq=y, Ack=x+1
  Client → Server: SrcA=1.2.1.2, SrcP=3344, DstA=9.8.7.6, DstP=80, ACK, Ack=y+1
  Client → Server: SrcA=1.2.1.2, SrcP=3344, DstA=9.8.7.6, DstP=80, ACK, Seq=x+1, Ack=y+1, Data=“GET /login.html …”
  Server → Client: SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, ACK, Seq=y+1, Ack=x+16, Data=“200 OK … <html> …”
TCP header with the RST flag highlighted, 32 bits per row:
  Source port | Destination port
  Sequence number
  Acknowledgment
  HdrLen | 0 | Flags (incl. RST) | Advertised window
  Checksum | Urgent pointer
  Options (variable)
  Data
Abrupt Termination
  A                        B
  |------- SYN ----------->|
  |<------ SYN ACK --------|
  |------- ACK ----------->|
  |------- Data ---------->|
  |------- RST ----------->| X
  time ↓
• A sends a TCP packet with RESET (RST) flag to B
  – E.g., because app. process on A crashed
  – (Could instead be that B sends a RST to A)
• Assuming that the sequence numbers in the RST fit with what B expects, That’s It:
  – B’s user-level process receives: ECONNRESET
  – No further communication on connection is possible
TCP Threat: Disruption
• Normally, TCP finishes (“closes”) a connection by each side sending a FIN control message
  – Reliably delivered, since other side must ack
• But: if a TCP endpoint finds itself unable to continue (process dies; info from other “peer” is inconsistent), it abruptly terminates by sending a RST control message
  – Unilateral
  – Takes effect immediately (no ack needed)
  – Only accepted by peer if it has the correct* sequence number
• So: if attacker knows ports & sequence numbers, can disrupt any TCP connection
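The handshake exchange from the setup slide and the sequence-number check that decides whether a RST is honoured, as an added example that is not the lecture's code: a toy model of the two endpoints replays the exchange with the slide's addresses and ports (so the server acks x+16 after the 15-byte request), then feeds the server a RST forged off-path from the client's 4-tuple with a guessed sequence number. The initial sequence numbers x=1000 and y=5000, the window size and the attacker's guesses are constructed; `strict_rst` switches between the classic in-window check and the exact-match check from RFC 5961, which is what shrinks a blind attacker's per-guess odds from window/2^32 to 1/2^32 (the work factor the spoofing slide talks about).

```python
"""Added example (not the lecture's code): toy TCP endpoints replaying the slide's handshake,
then judging a forged RST.  ISNs, window size and the attacker's guesses are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Addr = Tuple[str, int]  # (IP address, port); two of these make up the connection's 4-tuple


@dataclass
class Segment:
    src: Addr
    dst: Addr
    flags: Set[str]
    seq: int = 0
    ack: int = 0
    data: bytes = b""


@dataclass
class Endpoint:
    addr: Addr
    state: str = "CLOSED"
    peer: Optional[Addr] = None
    snd_nxt: int = 0           # next sequence number we will send
    rcv_nxt: int = 0           # next sequence number we expect from the peer
    rcv_wnd: int = 65535       # advertised window (constructed value)
    strict_rst: bool = False   # True: a RST must carry exactly rcv_nxt (RFC 5961 style)
    log: List[str] = field(default_factory=list)

    def listen(self) -> None:
        self.state = "LISTEN"

    def connect(self, peer: Addr, isn: int) -> Segment:
        """Client side: emit SYN with initial sequence number x; the SYN consumes one number."""
        self.peer, self.state, self.snd_nxt = peer, "SYN_SENT", isn + 1
        return Segment(self.addr, peer, {"SYN"}, seq=isn)

    def send_data(self, data: bytes) -> Segment:
        seg = Segment(self.addr, self.peer, {"ACK"}, seq=self.snd_nxt, ack=self.rcv_nxt, data=data)
        self.snd_nxt += len(data)
        return seg

    def receive(self, seg: Segment, isn: int = 0) -> Optional[Segment]:
        """Process one incoming segment and return the reply, if any (isn is used by a listener)."""
        if seg.dst != self.addr or (self.peer is not None and seg.src != self.peer):
            self.log.append("dropped: 4-tuple does not match this connection")
            return None
        if "RST" in seg.flags:
            self._handle_rst(seg)
            return None
        if self.state == "LISTEN" and "SYN" in seg.flags:
            self.peer, self.state = seg.src, "SYN_RCVD"
            self.rcv_nxt, self.snd_nxt = seg.seq + 1, isn + 1
            return Segment(self.addr, seg.src, {"SYN", "ACK"}, seq=isn, ack=self.rcv_nxt)
        if self.state == "SYN_SENT" and seg.flags >= {"SYN", "ACK"} and seg.ack == self.snd_nxt:
            self.rcv_nxt, self.state = seg.seq + 1, "ESTABLISHED"
            return Segment(self.addr, self.peer, {"ACK"}, seq=self.snd_nxt, ack=self.rcv_nxt)
        if self.state == "SYN_RCVD" and "ACK" in seg.flags and seg.ack == self.snd_nxt:
            self.state = "ESTABLISHED"
        if self.state == "ESTABLISHED" and seg.data and seg.seq == self.rcv_nxt:
            self.rcv_nxt += len(seg.data)                     # in-order data: advance and ack it
            return Segment(self.addr, self.peer, {"ACK"}, seq=self.snd_nxt, ack=self.rcv_nxt)
        return None

    def _handle_rst(self, seg: Segment) -> None:
        if self.strict_rst:
            ok = seg.seq == self.rcv_nxt
        else:  # classic check: anywhere inside the receive window (sequence wraparound ignored)
            ok = self.rcv_nxt <= seg.seq < self.rcv_nxt + self.rcv_wnd
        if ok:
            self.state = "CLOSED"
            self.log.append("ECONNRESET: connection aborted by RST seq=%d" % seg.seq)
        else:  # a rejected RST on a live connection is a useful thing to alert on
            self.log.append("rejected RST seq=%d, expected %d" % (seg.seq, self.rcv_nxt))


def blind_rst_success_probability(rcv_wnd: int, strict: bool) -> float:
    """Chance that one random 32-bit guess is honoured: the off-path attacker's work factor."""
    return (1 if strict else rcv_wnd) / 2 ** 32


def run_session(strict_rst: bool = False, attacker_guess: int = 0xDEADBEEF) -> dict:
    """Replay the slide's exchange, then deliver one spoofed RST to the server."""
    client = Endpoint(("1.2.1.2", 3344))
    server = Endpoint(("9.8.7.6", 80), strict_rst=strict_rst)
    server.listen()
    x, y = 1000, 5000                      # constructed ISNs; real stacks choose them unpredictably
    synack = server.receive(client.connect(server.addr, isn=x), isn=y)
    server.receive(client.receive(synack))
    req = client.send_data(b"GET /login.html")      # 15 bytes, so the server will ack x+16
    server.receive(req)
    resp = server.send_data(b"200 OK ... <html> ...")
    client.receive(resp)
    # Off-path attacker forges the client's 4-tuple but can only guess the sequence number
    server.receive(Segment(client.addr, server.addr, {"RST"}, seq=attacker_guess))
    return {"synack": (synack.seq, synack.ack), "req": (req.seq, req.ack),
            "resp": (resp.seq, resp.ack), "server_state": server.state, "server_log": server.log}


if __name__ == "__main__":
    for strict in (False, True):
        print("strict_rst=%s -> %s" % (strict, run_session(strict, attacker_guess=1100)["server_state"]))
```

With the lenient check a guess anywhere in the 65535-byte window lands, so a guess of 1100 against rcv_nxt=1016 tears the connection down; with the strict check the same guess is logged and ignored, and only the exact value 1016 is accepted. The asterisk on "correct" in the slide is exactly this distinction, and the rejected-RST log line is the signal a host or IDS can count to spot an ongoing blind reset attempt.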