Lecture 4: Network Layer Security



Network Layer Security
Lecture 4
Supakorn Kungpisdan
NETE4630
1
Overview
• IP, ICMP, and routing protocols
• IP is connectionless and subject to DoS
• ICMP can be used by attackers
• Routing protocols are subject to stack attacks
Roadmap
• Attacking the Network Layer
• Defending the Network Layer
IP Attacks
• Spoofing
• Fragmentation
• Passive and Active Fingerprinting
• Port Scanning
• Redirection
Spoofing
• Two kinds: local spoofing and blind spoofing
• Local spoofing: attacker and victim are on the same subnet
• The attacker begins by sniffing traffic to find the key pieces of information needed to launch the attack
• Session hijacking is another spoofing technique
– The attack starts at the transport layer
Spoofing (cont.)
• Blind spoofing: the attacker is not on the same local subnet as the victim
• A more sophisticated and advanced attack
• Many pieces of information needed to succeed are not available, so the key parameters must be guessed
• Most modern OSes use fairly random sequence numbers, making the attack difficult to launch
Fragmentation
• Fragmentation is required when transmitting packets across networks that have different MTUs
• Evasion attack: sends packets to an IDS and a target that will be rejected by the IDS but accepted by the target
• The idea is to send different data streams to each device
• Insertion attack: sends packets to an IDS and a target that will be accepted by the IDS but rejected by the target
IP Fragmentation
Evasion Attack
• An attacker sends the first fragment to an IDS that has a fragmentation timeout of 15 s, while the target system has a timeout of 30 s
• The attacker waits more than 15 s but less than 30 s before sending the second fragment
• The IDS discards the second fragment (and the first) because its timeout has been reached
• However, the target system accepts the second fragment (within its timeout)
• Thus, the IDS will not record this attack
Fragmentation Attacks
• Overlapping fragments can offer an attacker a means of slipping packets past an IDS and firewall
• Example: sending a packet through a Cisco router to a Windows-based system
• When a duplicate fragment is received, the Cisco router prefers the last fragment, whereas Windows prefers the original fragment
Fragmentation Attacks (cont.)
• An attacker breaks a message into 3 fragments
• He sends fragments 1 and 2 to both the router and the Windows host; both accept the fragments
• He then sends fragments 2 and 3; the retransmitted fragment 2 has the same size and offset as the original fragment but a different payload
• Windows keeps the original fragment 2, but the router keeps the retransmitted one
Fragmentation Attacks (cont.)
[Figure: the attacker sends #1 and #2; Windows and the router accept #1 and #2. The attacker then modifies #2 and transmits #2 and #3. Windows keeps #1, the original #2, and #3; the router keeps #1, the modified #2, and #3]
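Added example (not part of the lecture slides): a small model of one host's reassembly buffer that reproduces both scenarios above, the overlap policy from slides 10 to 12 and the timeout mismatch from slide 9, so a defender can see that an IDS only reaches the same byte stream as the target when it applies the target's policy and timer. Fragment contents and timings are constructed.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int      # byte offset of this piece within the original datagram
    payload: bytes
    t: float = 0.0   # arrival time in seconds (constructed, relative to the first fragment)

def reassemble(fragments, overlap="first", timeout=30.0):
    """Model one host's IP reassembly for a single datagram.
    overlap: 'first' keeps bytes that arrived first (the slides' Windows behaviour),
             'last' lets a later fragment overwrite (the slides' Cisco behaviour).
    timeout: seconds after the first fragment before partial state is flushed.
    Returns the reassembled bytes, or None if the datagram never completed."""
    buf, started = {}, None
    for f in sorted(fragments, key=lambda f: f.t):
        if started is not None and f.t - started > timeout:
            buf, started = {}, None          # reassembly timer fired: drop partial state
        if started is None:
            started = f.t
        for i, b in enumerate(f.payload):
            pos = f.offset + i
            if overlap == "first" and pos in buf:
                continue                     # keep the original bytes at this offset
            buf[pos] = b                     # 'last' policy (or first arrival) writes through
    if not buf:
        return None
    total = max(buf) + 1
    if any(i not in buf for i in range(total)):
        return None                          # a hole remains, datagram incomplete
    return bytes(buf[i] for i in range(total))

# Constructed fragments for one datagram: #1, original #2, modified #2, #3
F1  = Fragment(0, b"AAAA", t=0.0)
F2  = Fragment(4, b"BBBB", t=0.1)
F2X = Fragment(4, b"XXXX", t=0.2)            # same offset and size as F2, different bytes
F3  = Fragment(8, b"CCCC", t=0.3)
OVERLAP_SCENARIO = [F1, F2, F2X, F3]

# Slide 9 timing: the second fragment arrives 20 s after the first
TIMEOUT_SCENARIO = [Fragment(0, b"AAAA", t=0.0), Fragment(4, b"BBBB", t=20.0)]

def overlap_views():
    """What a 'first' host (Windows) and a 'last' host (router) each reassemble."""
    return reassemble(OVERLAP_SCENARIO, "first"), reassemble(OVERLAP_SCENARIO, "last")

def timeout_views():
    """What an IDS with a 15 s timer and a target with a 30 s timer each reassemble."""
    return reassemble(TIMEOUT_SCENARIO, timeout=15.0), reassemble(TIMEOUT_SCENARIO, timeout=30.0)
```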
Teardrop Attack
• Teardrop, targa, NewTear, Nestea, Bonk, Boink, TearDrop2, and SynDrop are some of the tools that can crash machines that have a vulnerability in the IP stack
• There is a fragmentation bug in the IP stack implementation of some old Linux kernels (2.0), Windows NT, and Windows 95
• Malformed packets are sent with the fragmentation offset value tweaked so that the received fragments overlap
• A reboot solved the problem until the next attack
Teardrop Attack (cont.)
Fingerprinting
• Fingerprinting is the act of using peculiarities of IP, TCP, UDP, and ICMP to determine the operating system
– Not only the OS, but also the specific version
• Two kinds: active and passive fingerprinting
• Active fingerprinting: sends malformed (or non-RFC-compliant) packets to the target; different OSes respond to these packets differently
• Tools: Nmap, Xprobe, Scanrand, etc.
Passive Fingerprinting
• Passive fingerprinting: similar concept, but without injecting traffic into the network
• Looks at 4 fields:
– TTL value
– Don’t Fragment bit (DF)
– Type of Service (TOS)
– Window size
• TTL, DF, and TOS are found in the IP header
• Window size is found in the TCP header
Passive Fingerprinting: TTL
• A packet has its TTL reduced each time it passes through a router or when it remains in a router’s queue too long
• There is no requirement on which initial TTL value a system should use
• The attacker may assume that the value observed is less than the original value (which is no more than 255)
Passive Fingerprinting: DF and TOS
• The DF flag is the primary mechanism that systems use for PMTUD (Path MTU Discovery)
– Many older OSes don’t use this feature
• TOS can be analyzed to determine the OS
• Even though it is rarely used on the Internet, some developers will set it to a value other than zero to prevent this fingerprinting
PMTUD
• Path MTU discovery works by setting the DF (Don't Fragment) option bit in the IP headers of outgoing packets.
• Then, any device along the path whose MTU is smaller than the packet will drop it and send back an ICMP Type 3 Code 4 “Destination Unreachable (Fragmentation Needed and DF was set)” message containing its MTU, allowing the source host to reduce its assumed path MTU appropriately.
• The process repeats until the MTU is small enough to traverse the entire path without fragmentation.
PMTUD (cont.)
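Added example (not from the slides): a sender-side simulation of the PMTUD loop described above. It also shows the failure mode a defender should keep in mind when "disabling as much of ICMP as possible" later in this lecture: if the Type 3 Code 4 reply is filtered, the DF packet is dropped silently and the sender never converges (a PMTUD black hole). The link MTUs are constructed.

```python
def pmtud(path_mtus, packet_size, icmp_filtered_hops=()):
    """Simulate Path MTU Discovery from the sender's point of view.

    path_mtus: MTU of each link along the path, in order.
    packet_size: size the source first tries to send, with DF set.
    icmp_filtered_hops: hop indexes whose ICMP Type 3 Code 4 replies never reach
        the source (for example because a filter drops all ICMP).
    Returns (path MTU found, list of (hop, advertised MTU) ICMP events); the path
    MTU is None when a filtered hop turns discovery into a black hole.
    """
    size = packet_size
    events = []
    while True:
        for hop, mtu in enumerate(path_mtus):
            if size <= mtu:
                continue                     # fits this link, forwarded to the next hop
            if hop in icmp_filtered_hops:
                return None, events          # dropped silently: the sender never learns why
            events.append((hop, mtu))        # ICMP 3/4 carries the next-hop MTU
            size = mtu                       # the sender lowers its path MTU estimate
            break
        else:
            return size, events              # reached the destination without fragmentation

# Constructed path: 1500-byte LAN, a 1400-byte tunnel, a 1280-byte link, then 1500 again
SAMPLE_PATH = [1500, 1400, 1280, 1500]
```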
Passive Fingerprinting: Window Size
• The TCP window specifies the amount of data that can be sent without having to receive an acknowledgement
– Window size should either be as close as possible to the MTU or be some multiple of this value
– Linux 2.0 used a value of 16,384, while version 3 of FreeBSD used a value of 17,520
• The most up-to-date passive fingerprinting tool is p0f
• LAB: p0f, page 129
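Added example (not the lecture's or p0f's code): a minimal passive fingerprint over the four fields named in the previous slides, run against a constructed captured SYN. It infers the sender's initial TTL and hop distance from the observed TTL, checks whether the window is a whole multiple of a typical MSS, and matches the tuple against a signature table; the two window sizes come from the slide, while the TTL, DF and TOS entries in that table are illustrative assumptions.

```python
from dataclasses import dataclass

INITIAL_TTLS = (32, 64, 128, 255)      # common initial TTL defaults
TYPICAL_MSS = 1460                     # Ethernet MTU 1500 minus 40 bytes of IP+TCP headers

@dataclass
class SynObservation:
    """The four fields the slides name, read from one captured SYN."""
    ttl: int
    df: bool
    tos: int
    window: int

# Constructed signature table: (initial TTL, DF, TOS, window). Only the two window
# sizes are from the lecture; the TTL, DF and TOS values here are illustrative.
SIGNATURES = {
    "Linux 2.0":   (64, False, 0, 16384),
    "FreeBSD 3.x": (64, True,  0, 17520),
}

def guess_initial_ttl(observed):
    """A TTL only ever decreases in transit, so the sender's initial value is the
    smallest common default that is not below the observed value."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    return None                         # above 255 is impossible for the 8-bit field

def mss_multiple(window, mss=TYPICAL_MSS):
    """Return n if the window is exactly n full segments, else None."""
    return window // mss if window % mss == 0 else None

def fingerprint(obs):
    """Return (guessed initial TTL, hop distance, matching OS names)."""
    init = guess_initial_ttl(obs.ttl)
    if init is None:
        return None, None, []
    hops = init - obs.ttl
    matches = [name for name, sig in SIGNATURES.items()
               if sig == (init, obs.df, obs.tos, obs.window)]
    return init, hops, matches

# Constructed observation: a SYN that arrived with TTL 51, DF clear, TOS 0, window 16384
SAMPLE = SynObservation(ttl=51, df=False, tos=0, window=16384)
```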
Idle Scan: Open Port
Idle Scan: Closed Port
Idle Scan: Limitations
• The idle host must truly be idle
• Not all OSes use an incrementing IPID
– Some versions of Linux set the IPID to zero or generate a random IPID value
• Several message passes need to be performed to validate the results
ICMP Attacks
• ICMP helps with logical errors and diagnostics
• ICMP does not offer authentication
• Thus, ICMP can be used to scan and exploit devices
– Including using ICMP as a backdoor (covert channel), employing it for echo attacks, port scanning, redirecting traffic, OS fingerprinting, and DoS attacks
Covert Channels
• Covert channels offer attackers a way to have a secure communications channel by using allowed services
• Covert channels can also work by exploiting flaws or weaknesses in protocols like ICMP, esp. ping
• ICMP fields used in ping include:
– Type, Code, Identifier, Sequence Number, Optional Data
ICMP Format
Covert Channels (cont.)
Covert Channels (cont.)
Covert Channels (cont.)
• Some systems like Linux let the user add data into the ping:
# ping -p 2b2b2b415448300 192.168.123.101
will place the modem hang-up string into the ping packet
• Covert channel tools can use ICMP, TCP, or even IGRP
• Examples: Loki, ICMP Backdoor, 007Shell, B0CK
ICMP Echo Attacks
• Flood the target with ping traffic and use up all available bandwidth
• Smurf exploits ICMP by sending a spoofed ping packet to the broadcast address with the source address set to the victim
• In 2002, an attack was launched against the core DNS servers; they had ping enabled
– Resulted in a large DoS attack that slowed the operation of the primary DNS servers
Port Scanning
• ICMP can be of great use to an attacker attempting to discover which ports are open
• ICMP is invaluable since, unlike with TCP, there is no response from the port itself
• Sending an ICMP packet to a port
– gets no response if the port is open, and
– receives an ICMP type 3 code 3 packet if the port is closed
Port Scanning (cont.)
Type 3 (Destination Unreachable)
Code 3 (Port Unreachable)
ICMP Nuke Attacks
• Using spoofed addresses, an attacker might disrupt communications between two hosts by sending “Time Exceeded” (Type 11) or “Destination Unreachable” (Type 3) messages to both hosts, resulting in a DoS attack
– Check out ICMP Types and Codes
• An ICMP Nuke attack sends the target an ICMP packet with destination unreachable (type 3) messages; the target then breaks communication with existing connections
ICMP Redirect Attack
• By sending ICMP “redirect” messages, an attacker might force a router to forward packets destined to one host to the attacker’s IP address
Preventing ICMP Redirect Attack
• With Linux, we can force the kernel not to accept redirect messages for one or all interfaces:
root@router# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
ICMP Flood
• Ping flood creates a broadcast storm of pings that overwhelms the target system
• Using Linux, one can flood a host using ping -f:
root@router# ping -f 10.10.10.12 -c 1000
The above command floods the host 10.10.10.12 with 1,000 packets
Preventing Ping Flood
• Ping flood can be stopped by limiting the rate of ICMP echo-request messages with iptables:
root@router# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
root@router# iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
Ping of Death
• Ping of Death crashed machines by sending ICMP “echo request” messages in IP packets larger than the maximum legal length of 65,535 octets, causing a buffer overflow that crashed the victim’s device (computer, printer, etc.)
• A Linux patch for the Ping of Death was out in 2 hours, 35 minutes, and 10 seconds, and shortly after, patches for other OSes were available from vendors
Routing Protocols Attacks
• Misconfigured dynamic routing protocols such as RIP, BGP, and OSPF may allow attackers to inject routes into the routing tables of the machines running instances of those protocols
• This may allow attackers to conduct DoS attacks by injecting wrong routes, or IP sniffing by configuring their computer to act like a router for the network
Routing Protocols Attacks (cont.)
• Distance-vector and link-state routing protocols suffer from attacks, especially DoS
• RIP is an unauthenticated service; it is vulnerable to DoS
– An attacker injects miscommunication packets into the network
• RIP spoofing works by making fake RIP packets and sending them to gateways and hosts to change their routes
– RIP sends its routing tables to a broadcast address
• An attacker can also modify the routing information to cause a redirect through a network, allowing him to sniff passwords or intercept and change data
Router and Routing Attacks
• Hit-and-run attacks
– Hard to detect and isolate
– Require the attacker to inject only one or a few bad packets, but cause lasting damaging effects
• Persistent attacks
– The attacker continuously injects attack packets in order to inflict significant damage
– Suited to link-state protocols
– Resilient to hit-and-run attacks
Source Routing Attack
• Source routing is one of the IP options designed to force a packet to take a specific route through the network
– Uses the Option field in the IP header: LSRR and SSRR
LSR and SSR
• Loose Source Routing (LSR) is an IP option which can be used for address translation. LSR is also used to implement mobility in IP networks.
• LSR uses a source routing option in TCP/IP to record the set of routers a packet must visit.
• The destination of the packet is replaced with the next router the packet must visit.
• The name LSR comes from the fact that only part of the path is set in advance. This is in contrast with Strict Source Routing (SSR), in which every single step of the route is decided in advance when the packet is sent.
• SSR defines specific points between source and destination
– No other routers are allowed to handle the datagram
Source Routing Attack (cont.)
• The use of the LSRR and SSRR options (Loose and Strict Source and Record Route) is discouraged because they create security concerns
• An attacker can spoof a source IP as a trusted system and use source routing to forward packets to a victim
• Any return packet will be sent to the attacker instead of the trusted host
• Many routers block packets containing these options.
Roadmap
• Attacking the Network Layer
• Defending the Network Layer
Securing IP
• Encryption and authentication are the two best options for securing IP
– Built into IPv6, but not into IPv4
• IPsec’s greatest security benefit is that it allows network managers to apply security without involving end users
– IPsec tunnel mode: link encryption
• Need to manage several keys
– IPsec transport mode: end-to-end encryption
• Source and destination IPs are not masked
Securing ICMP
• Disable as much of ICMP as possible, especially at routers
– Reject: send an ICMP destination-unreachable back to the source
– Drop: send no response
• Rejecting a connection allows services to know that something has failed and to time out quickly
• Dropping a connection causes a service to keep trying to connect until a retransmission value is exceeded
Securing ICMP (cont.)
• From the legitimate user’s perspective,
– rejecting connections allows services to know that something has failed and to time out quickly
– dropping a connection can cause a service to continue trying to connect until a retransmission value is exceeded
Securing ICMP (cont.)
• From the security perspective,
– dropping packets gives away less information and makes it harder for an attacker to enumerate the target
– rejecting packets can make the router a bigger target for reflective attacks and leave it vulnerable to spewing out ICMP messages to a host being attacked by a third party
Protecting against IP Spoofing
• The Linux kernel has an option named “rp_filter”, set for all interfaces via:
– root@router# echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
• To disable it on one interface, e.g. eth0:
– root@router# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
• Setting rp_filter to:
– 1 enables IP spoofing protection
– 0 disables IP spoofing protection
Securing Routers and Routing Protocols
• Securing routers and the traffic that flows through them is primarily achieved by using packet filters
• Packet filtering is configured through access control lists (ACLs)
How ACL Handles Traffic
• Source IP address: Is it from a valid or allowed address?
• Destination IP address: Is this address allowed to receive packets from this device?
• Source and destination ports: includes TCP, UDP, and ICMP
• TCP flags: includes SYN, FIN, ACK, PSH
• Protocols: includes FTP, Telnet, HTTP, DNS, and POP3
• Direction: can allow or deny inbound or outbound traffic
• Interface: can be used to restrict only certain traffic on certain interfaces
Preventing Address Spoofing
• Do not allow traffic with an internal IP address as source that comes from the Internet
• Log the dropped packets
• Check out the router configuration guide at http://www.nsa.gov/snac/downloads_all.cfm
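Added example (not from the lecture or any vendor's ACL syntax): a first-match packet filter over the ACL match fields listed in "How ACL Handles Traffic", with the anti-spoofing rule from this slide placed first on the Internet-facing interface and logged. The internal range 10.0.0.0/8, the interface name eth0 and the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")   # constructed: the site's internal address range

@dataclass
class Packet:
    iface: str
    direction: str                          # "in" or "out" relative to the router
    src: str
    dst: str
    proto: str                              # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: frozenset = frozenset()          # TCP flags that are set, e.g. {"SYN"}

@dataclass
class Rule:
    action: str                             # "permit" or "deny"
    iface: str = None                       # None on any field below means "match anything"
    direction: str = None
    src: ip_network = None
    dst: ip_network = None
    proto: str = None
    dport: int = None
    flags: frozenset = None                 # every flag listed here must be set
    log: bool = False

def matches(r, p):
    return ((r.iface is None or r.iface == p.iface)
            and (r.direction is None or r.direction == p.direction)
            and (r.src is None or ip_address(p.src) in r.src)
            and (r.dst is None or ip_address(p.dst) in r.dst)
            and (r.proto is None or r.proto == p.proto)
            and (r.dport is None or r.dport == p.dport)
            and (r.flags is None or r.flags <= p.flags))

def evaluate(acl, p, log):
    """First matching rule wins; a packet that matches nothing is denied (implicit deny)."""
    for r in acl:
        if matches(r, p):
            if r.log:
                log.append(f"{r.action} {p.proto} {p.src}->{p.dst}:{p.dport} {p.direction} on {p.iface}")
            return r.action
    return "deny"

# Constructed ACL for the Internet-facing interface eth0: the anti-spoofing rule comes first
ACL = [
    Rule("deny", iface="eth0", direction="in", src=INTERNAL_NET, log=True),
    Rule("permit", iface="eth0", direction="in", proto="tcp", dport=80, flags=frozenset({"SYN"})),
    Rule("permit", iface="eth0", direction="in", proto="tcp", dport=25),
]
```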
• RIPv1 sends updates in cleartext with no authentication
• RIPv2 has authentication but sends the authentication data in cleartext
• Suggestion: use OSPF with MD5 authentication
• Restrict dynamic routing when possible
• Without this, OSPF may still be vulnerable
• Check out Nemesis (a tool that targets OSPF routing) at http://sourceforge.net/projects/nemesis
NSA Security Configuration Guides
http://www.nsa.gov/snac/downloads_all.cfm
Questions?
Next week: Transport Layer Security