networking attacks link ip and tcp layer attacks
play

Networking Attacks: Link-, IP-, and TCP-layer attacks Network - PowerPoint PPT Presentation

Aug 15, 2022 •262 likes •876 views

Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu Materials adopted from Prof. David Wagner 2019 General Communication Security Goals: CIA Confidentiality: No one can read our data / communication

  1. Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu Materials adopted from Prof. David Wagner 2019

  2. General Communication Security Goals: CIA • Confidentiality: – No one can read our data / communication unless we want them to • Integrity – No one can manipulate our data / processing / communication unless we want them to • Availability – We can access our data / conduct our processing / use our communication capabilities when we want to • Also: no additional traffic other than ours … 2

  3. Link-layer threats • Confidentiality: eavesdropping (aka sniffing) • Integrity: injection of spoofed packets • Injection: delete legit packets (e.g., jamming) 3

  4. Layers 1 & 2: General Threats? Framing and transmission of a collection of bits into individual messages sent across a Application 7 single “ s u b n e twork” (one physical technology) 4 Transport 3 (Inter)Network Link 2 Encoding bits to send them over a single physical link 1 Physical e.g. patterns of voltage levels / photon intensities / RF modulation 4

  5. Eavesdropping • For subnets using broadcast technologies (e.g., WiFi, some types of Ethernet), eavesdropping comes for “ free” – Each attached system’s NIC (= Network Interface Card) can capture any communication on the subnet – Some handy tools for doing so o tcpdump / windump (low-level ASCII printout) o Wireshark (GUI for displaying 800+ protocols) 5

  6. TCPDUMP: Packet Capture & ASCII Dumper

  7. Wireshark: GUI for Packet Capture/Exam 篝

  8. Wireshark: GUI for Packet Capture/Exam 篝

  9. Wireshark: GUI for Packet Capture/Exam 篝

  10. Stealing Photons 10

  12. Link-Layer Threat: Disruption • If attacker sees a packet he doesn’t like, he can jam it (integrity) • Attacker can also overwhelm link-layer signaling, e.g., jam WiFi’s RF (denial-of-service) 12

  13. Link-Layer Threat: Disruption • If attacker sees a packet he doesn’t like, he can jam it (integrity) • Attacker can also overwhelm link-layer signaling, e.g., jam WiFi’s RF (denial-of-service) • There’s also the heavy-handed approach … 13

  15. WiFi Jammer Attack on wireless networks • https://www.youtube.com/watch?v=1M9AkUZ377Y

  16. Link-Layer Threat: Spoofing • Attacker can inject spoofed packets, and lie about the source address D C Hello world! M 15

  17. Physical/Link-Layer Threats: Spoofing • With physical access to a local network, attacker can create any message they like – When with a bogus source address: spoofing • When using a typical computer, may require root/administrator to have full freedom • Particularly powerful when combined with eavesdropping – Because attacker can understand exact state of victim’s communication and craft their spoofed traffic to match it – Spoofing w/o eavesdropping = blind spoofing 16

  18. On-path vs Off-path Spoofing HostA communicates with Host D Host C Host D Host A Router 1 Router 2 Router 3 On-path Router 5 Host B Host E Router 7 Router 6 Router 4 Off-path 18

  19. Spoofing on the Internet • On-path attackers can see victim’s traffic ⇒ spoofing is easy • Off-path attackers can’t see victim’s traffic – They have to resort to blind spoofing – Often must guess/infer header values to succeed o We then care about work factor: how hard is this – But sometimes they can just brute force o E.g., 16-bit value: just try all 65,536 possibilities! • When we say an attacker “ c a n spoof” , we usually mean “ w / reasonable chance of success” 19

  20. Layer 3: General Threats? Bridges multiple “ s u b n e ts” Application 7 to provide end-to-end 4 internet connectivity between Transport 3 nodes 4-bit 8-bit (Inter)Network Link 4-bit 2 16-bit T otal Length (Bytes) Header Type of Service Version Length (TOS) 1 Physical 3-bit 13-bit Fragment Offset 16-bit Identification Flags 8-bit Time to 8-bit Protocol 16-bit Header Checksum Live (TTL) 32-bit Source IP Address 32-bit Destination IP Address IP = Internet Protocol Payload 19

  21. IP-Layer Threats • Can set arbitrary source address – “ S p o o fing” - receiver has no idea who you are – Could be blind, or could be coupled w/ sniffing – Note: many attacks require two-way communication o So successful off-path/blind spoofing might not suffice • Can set arbitrary destination address – Enables “ s c a n n i n g” – brute force searching for hosts • Can send like crazy (flooding) – IP has no general mechanism for tracking overuse – IP has no general mechanism for tracking consent – Very hard to tell where a spoofed flood comes from! • If attacker can manipulate routing, can bring traffic to themselves for eavesdropping (not easy) 20

  22. LAN Bootstrapping: DHCP • New host doesn’t have an IP address yet – So, host doesn’t know what source address to use • Host doesn’t know who to ask for an IP address – So, host doesn’t know what destination address to use • Solution: shout to “ discover ” server that can help – Broadcast a server-discovery message (layer 2) – Server(s) sends a reply offering an address ... host host host DHCP server 21

  23. Dynamic Host Configuration Protocol DHCP server new client “ offer ” message includes IP address, DNS server, gateway router” , and how long client can have these (“lease” time) 23

  24. Dynamic Host Configuration Protocol DHCP server new client “ offer ” message includes IP address, DNS server, gateway router” , and how long client can have these (“lease” time) Threats? 24

  25. Dynamic Host Configuration Protocol DHCP server new client “ offer ” message includes IP address, DNS server, gateway router” , and how long Attacker on same client can have these subnet can hear (“lease” time) new host’s DHCP request 25

  26. Dynamic Host Configuration Protocol DHCP server new client “ offer ” message includes IP address, DNS server, gateway router” , and how long client can have these (“lease” time) Attacker can race the actual server; if they win, replace DNS server and/or gateway router 25

  27. DHCP Threats • Substitute a fake DNS server – Redirect any of a host’s lookups to a machine of attacker’s choice • Substitute a fake gateway router – Intercept all of a host’s off-subnet traffic o (even if not preceded by a DNS lookup) – Relay contents back and forth between host and remote server and modify however attacker chooses • An invisible Man In The Middle (MITM) – Victim host has no way of knowing it’s happening o (Can’t necessarily alarm on peculiarity of receiving multiple DHCP replies, since that can happen benignly) • How can we fix this? Hard 26

  28. TCP Application 7 4 Transport 3 (Inter)Network Link Source port Destination port 2 Sequence number 1 Physical Acknowledgment HdrLen Advertised window Flags 0 Checksum Urgent pointer Options (variable) Data 27

  29. TCP Application 7 These plus IP addresses define a given connection 4 Transport 3 (Inter)Network Link Source port Destination port 2 Sequence number 1 Physical Acknowledgment HdrLen Advertised window Flags 0 Checksum Urgent pointer Options (variable) Data 28

  30. TCP Application 7 Defines where this packet fits within the 4 Transport sender’s bytestream 3 (Inter)Network Link Source port Destination port 2 Sequence number 1 Physical Acknowledgment HdrLen Advertised window Flags 0 Checksum Urgent pointer Options (variable) Data 29

  31. TCP Conn. Setup & Data Exchange

  32. TCP Threat: Data Injection B A time • If attacker knows ports & sequence numbers (e.g., on-path attacker), attacker can inject data into any TCP connection – Receiver B is none the wiser! • Termed TCP connection hijacking (or “ s e s s i o n hijacking ” ) – A general means to take over an already-established connection! • We are toast if an attacker can see our TCP traffic! – Because then they immediately know the port & sequence numbers 32

  33. TCP Data Injection Client (initiator) Server IP address 1.2.1.2, port 3344 IP address 9.8.7.6, port 80 ... Attacker IP address 6.6.6.6, port N/A SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, ACK, Seq = y+1, Ack = x+16 Data= “ 2 0 0 OK … <poison> … ” Client dutifully processes as server’s 33 response

  34. TCP Data Injection Client (initiator) Server IP address 1.2.1.2, port 3344 IP address 9.8.7.6, port 80 ... Attacker IP address 6.6.6.6, port N/A SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, ACK, Seq = y+1, Ack = x+16 Data= “ 2 0 0 OK … <poison> Client … ” ignores since already processed that part of 33 bytestream

  35. TCP Threat: Disruption • Is it possible for an on-path attacker to shut down a TCP connection if they can see our traffic? • YES: they can infer the port and sequence numbers – they can insert fake data, too! (Great Firewall of China) 35

  36. TCP Threat: Blind Hijacking • Is it possible for an off-path attacker to inject into a TCP connection even if they can’t see our traffic? • YES: if somehow they can infer or guess the port and sequence numbers 36

Recommend

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Networking Attacks: Link-, IP-, and TCP-layer attacks CS 161: Computer Security Prof. David Wagner

Networking Attacks: Link-, IP-, and TCP-layer attacks CS 161: Computer Security Prof. David Wagner

Networking Attacks: Link-, IP-, and TCP-layer attacks CS 161: Computer Security Prof. David Wagner February 28, 2013 General Communication Security Goals: CIA Confidentiality: No one can read our data / communication unless we want

1.03k views • 58 slides
SDN-based defense against known IPv6 link-layer attacks Bachelors thesis final talk Andres

SDN-based defense against known IPv6 link-layer attacks Bachelors thesis final talk Andres

Fakultt fr Informatik Technische Universitt Mnchen SDN-based defense against known IPv6 link-layer attacks Bachelors thesis final talk Andres Rauschecker Advisor: Lukas Schwaighofer Supervisor: Prof. Dr.-Ing. Georg Carle Chair of

402 views • 26 slides
CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk Kang , Virgil D. Gligor CyLab, Carnegie Mellon University * Qualcomm Dec. 12, 2013 Large Scale Link-Flooding Attacks Massive DDoS attacks against

487 views • 27 slides
Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC 2 DNS The Domain Name System Naming Service

1.15k views • 46 slides
Networking: Physical &amp; Link Layer Summer 2013 Cornell University 1 Today Which are the

Networking: Physical &amp; Link Layer Summer 2013 Cornell University 1 Today Which are the

CS 4410 Operating Systems Networking: Physical &amp; Link Layer Summer 2013 Cornell University 1 Today Which are the services that the Link layer offers? Link layer Implementation Media Access Control Addressing

451 views • 16 slides
SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang

SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang

SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang Virgil D. Gligor Vyas Sekar ECE Department and CyLab, Carnegie Mellon University Feb 22, 2016 Large-scale link-flooding attacks Massive DDoS

511 views • 20 slides
BLE Security Authentication Privacy Discussion EECS 582 -- Spring 2015 BLE: Quick/Simplified

BLE Security Authentication Privacy Discussion EECS 582 -- Spring 2015 BLE: Quick/Simplified

Overview BLE Refresher Attacks Improvements BLE Security Authentication Privacy Discussion EECS 582 -- Spring 2015 BLE: Quick/Simplified Refresh Link Layer State Machine Application Layer GATT ATT L2CAP Link Layer Physical Layer

783 views • 3 slides
5 Data Link Layer Data Link Layer Self-learning, Interconnecting switches Source: A Dest:

5 Data Link Layer Data Link Layer Self-learning, Interconnecting switches Source: A Dest:

Data Link Layer Data Link Layer Hubs Switch physical- layer (dumb) repeaters: bits coming in one link go out all other links at same link-layer device: smarter than hubs, take rate active role all nodes connected to hub can

442 views • 5 slides
Link-Cutting Attacks Steven M. Bellovin Emden R. Gansner smb@research.att.com

Link-Cutting Attacks Steven M. Bellovin Emden R. Gansner smb@research.att.com

Link-Cutting Attacks Link-Cutting Attacks Steven M. Bellovin Emden R. Gansner smb@research.att.com erg@research.att.com AT&amp;T Labs Research Florham Park, NJ 07932 1 Steven M. Bellovin August 7, 2003

179 views • 7 slides
Systems Programming &amp; Engineering Spring 2018 Networking Link Layer Tyler Bletsch Duke

Systems Programming &amp; Engineering Spring 2018 Networking Link Layer Tyler Bletsch Duke

ECE 650 Systems Programming &amp; Engineering Spring 2018 Networking Link Layer Tyler Bletsch Duke University Slides are adapted from Brian Rogers (Duke) TCP/IP Model 2 Layer 1 &amp; 2 Layer 1: Physical Layer Encoding of bits to

769 views • 45 slides
Link Layer Where we are in the Course Moving on up to the Link Layer! Application Transport

Link Layer Where we are in the Course Moving on up to the Link Layer! Application Transport

Link Layer Where we are in the Course Moving on up to the Link Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Scope of the Link Layer Concerns how to transfer messages over one or more

629 views • 23 slides
A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse

A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse

A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse Elwell 1 Ryan Riley 2 Nael Abu-Ghazaleh 1 Dmitry Ponomarev 1 1 State University of New York at Binghamton Department of Computer Science 2 Qatar

872 views • 76 slides
Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand principles behind data link layer services: error detection, correction sharing a broadcast channel: multiple access link layer addressing link

598 views • 26 slides
Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand principles behind data link layer services: error detection, correction sharing a broadcast channel: multiple access link layer addressing link

591 views • 18 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
1 Switch link-layer device: smarter than hubs, take active role store, forward Ethernet

1 Switch link-layer device: smarter than hubs, take active role store, forward Ethernet

The Data Link Layer Last time Our goals: link layer services understand principles error detection, correction behind data link layer services: multiple access protocols and LANs error detection, correction link layer

302 views • 18 slides
ELEC / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition

ELEC / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition

ELEC / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition Application Layer Transport Layer Network Layer Link Layer Physical Layer 2 Application Layer Transport Layer Network Layer Link Layer

903 views • 51 slides
Data-link layer Da Data ta-link link layer er Referred to as layer 2 Physical

Data-link layer Da Data ta-link link layer er Referred to as layer 2 Physical

Data-link layer Da Data ta-link link layer er Referred to as layer 2 Physical layer is layer 1 Transferring datagram from one node to adjacent node over a physical link wired links (Ethernet) wireless links

721 views • 26 slides
Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems Matthias Schulz, Adrian Loch, Matthias Hollick Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems Matthias

607 views • 22 slides
Preventing brute force attacks against stack canary protector on networking servers Hector

Preventing brute force attacks against stack canary protector on networking servers Hector

Preventing brute force attacks against stack canary protector on networking servers Hector Marco Preventing brute force attacks against stack canary protector on networking servers Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit`

721 views • 44 slides
Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka Savola Introduction Describes a view of ISP backbone network attacks Lots of folks in IETF and elsewhere had quite different ideas whats out

529 views • 9 slides
TCP/IP Networking Computer Center, CS, NCTU Overview Introduction Layers of TCP/IP

TCP/IP Networking Computer Center, CS, NCTU Overview Introduction Layers of TCP/IP

TCP/IP Networking Computer Center, CS, NCTU Overview Introduction Layers of TCP/IP Link Layer Network Layer Transport Layer Application Layer Network Interface and Hardware Networking ARP Setting up Network

1.04k views • 50 slides

More recommend