EECS 700: Network Security

Download Report

Transcript EECS 700: Network Security

ITIS 6167/8167: Network and
Information Security
Weichao Wang
Contents
• IP fragmentation and attacks
– IP protocol
– IP fragmentation
– Attacks
– Mitigation mechanisms
2
3
IP protocol and fragmentation
• IP layer provides the fundamental service
in Internet: unreliable, connectionless, and
best-effort based packet delivery
– Unreliable: packet may lost, duplicated,
delayed, out of order
– Connectionless: every packet is handled
independently
– Best-effort: no quality guarantee
4
• IP protocol will
– Define the format of IP packet
– Routing
– Determine
• Packet processing procedures
• Error reporting and handling procedures
• When the packets can be discarded
5
IP encapsulation
• In ethernet, frame type for IP is 0x0800
IP header
IP Data
6
IP format
7
• Details of IP packet
– Vers: current version is 4
– HLEN: header length in 32 bit word. Usually is 5 (20
byte), max can be 60 bytes (IP options)
– Type of services: usually all 0 (best effort), can be
used for diffserv and QoS.
• 3 bit of precedence, 4 bit of TOS, 1 bit unused
• TOS bit 1 (min delay), 2 (max throughput), 3 (max reliability),
4 (min cost)
– Total length: 16 bit can represent 64K byte long
packet
8
• Identification, flags, and offset: used for
fragmentation and reassemble (later)
• TTL: time to live: number of routers or
seconds a packet can live.
– Every router will reduce this value by one.
When reach 0, the packet will be discarded.
– Can be used to prevent routing loop
– Use TTL to implement traceroute
9
-bash-3.1$ ping -i 7 dell.com
PING dell.com (143.166.224.244) 56(84) bytes of data.
From kcm-edge-15.inet.qwest.net (65.120.164.89)
icmp_seq=1 Time to live exceeded
From kcm-edge-15.inet.qwest.net (65.120.164.89)
icmp_seq=2 Time to live exceeded
10
• Type: the high level protocol the IP packet
contains: ICMP (0x01), TCP (0x06), UDP
(0x11)
• Header checksum:
– calculate only over header
– Re-compute at every hop (why)
• Example: an ICMP packet b/w 128.10.2.3
and 128.10.2.8. Header length is 20 bytes.
11
12
• IP header options
– Record route option
• Intermediate routers will attach their IP address to
the packet
– Timestamp option
• Intermediate router attach 32 bit timestamp
– Source routing option
• Strict source routing
• Loose source routing: allow multiple hops b/w
routers
13
14
• IP fragmentation
• Why do we need it
– MTU: maximum transmission unit
– An IP packet can be as large as 65535 byte
– Different hardware have different MTU:
ethernet 1500, FDDI 4470
15
16
• IP fragmentation
– Routers divide an IP datagram into several
smaller fragments based on MTU
– Fragments use the same header format as
the original datagram
– Each fragment is routed independently
17
• How to fragment
– IDENT: unique number to identify an IP
datagram; fragments with the same identifier
belong to the same IP datagram
– Fragment offset:
• Specify where the data belong in the original
packet
• Multiple of 8
• Use 13 bits (why do we only need 13 bits)
18
• FLAGs:
– Bit 0: reserved
– Bit 1: do not fragment (if this bit is set and the
MTU is not large enough, we send out ICMP
to report this)
– Bit 2: more fragment: this bit is turned off in
the last segment. (why we need this bit: so we
can calculate the length of the original packet)
19
20
• Example:
– Original packet: header + 400 + 400 + 400
– Header 1: FLAG = 001, OFFSET =0
– Header 2: FLAG = 001, OFFSET =400/8=50
– Header 3: FLAG = 000, OFFSET= 800/8=100
21
• Fragment of fragment
– Need to pay special attention of the FLAG bits
• Reassemble
– Reassembled before delivered to higher
layers
– Where to reassemble: router or destination,
why?? (not only efficiency)
– Use a timer to handle lost fragment and
discard the whole packet
22
23
• Malicious activities on fragmentation
– What if we never receive the last piece
– Overlapping fragment
– The reassembled packet is larger than the
allowed IP packet size (how can attackers do
this)
24
• Attack 1: DoS attack
– 1st fragment: offset =0;
– 2nd fragment: offset = 64800;
– Result: now the machine will allocate 64K
memory, and usually will hold it for 15 to 255
seconds.
– Who are vulnerable: Win2K, XP, most
versions of UNIX
25
• Attack 2: TearDrop
– Fist packet:
• payload size N,
• More fragment bit on
– 2nd fragment:
• More fragment bit off
• Offset + payload < N
– If the user assume that the packet should
become longer and longer, may cause
machine crash
26
• Overlapping attacks against Firewall
– Many firewalls inspect packet without reassemble. If
the TCP header is fragmented and the filter rule is
based on TCP, it may fail
– Firewall examine the SYN bit
• Tiny fragment attack: Firewall only check the first fragment.
The minimum fragment is 68 bytes (ICMP requirement), but
the SYN bit maybe fall into the 2nd fragment with IP option.
• Overlapping attack: allow packet overlapping during
reassemble. Then the checked segment may looks ok. But
will be overlapped later.
27
• IP spoofing
– Spoofing
• An attacker sends packet with another node’s IP
address
• Replies will be routed to the victim
– Egress filtering
• Remove packets that cannot come from your
network
– Ingress filtering
• Remove packet from invalid address
28
• Router and Host
– Router usually connects to multiple networks
– Host only connect to one
• Routing table
– Used by routers to determine next hop
– When determining which entry to use, usually use the
one with the longest match
• Next hop routing
– Destination IP address will not change, only the next
hop’s MAC address is used
29
• Default route
– When no other entry matches the routing request
• Routing procedure
– Extract destination IP D and compute the network
prefix N
– Is N the same network
– What is the routing entry with the longest match
– What is the default route
– Report error
30
• Handling income packets
– Host: accept or discard, Do not forward. Why?
– Router:
• Decrease TTL, recompute the checksum
• If TTL = 0; drop the packet and send an error
message to source
31