
Lecture 22
Network Security
CS 450/650
Fundamentals of
Integrated Computer Security
Slides are modified from Hesham El-Rewini
Network Performance
• Gilder’s Law
– George Gilder projected that the total bandwidth of communication systems triples every twelve months
• Ethernet: 10 Mbps → 10 Gbps (1000 times)
• CPU clock frequency: 25 MHz → 2.5 GHz (100 times)
• Metcalfe's Law
– Robert Metcalfe projected that the value of a network is proportional to the square of the number of nodes
• Phone, Internet
CS 450/650 – Lecture 22: Network Security
2
Internet
• The Internet is the collection of networks and routers that
– form a single cooperative virtual network
– span the entire globe
• The Internet relies on the combination of the Transmission Control Protocol and the Internet Protocol, or TCP/IP
– The majority of Internet traffic is carried using TCP/IP packets
ISO OSI Network Model
Figure: the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) on each of two end hosts, connected through LAN – Internet – LAN
TCP/IP
Figure: the TCP/IP protocol stack – application protocols (smtp, sftp, ssh) on top of the Transmission Control Protocol (TCP), on top of the Internet Protocol (IP), on top of link layers such as Ethernet and Token ring
TCP/IP Packets
Figure: layout of a TCP/IP packet – Physical header | IP header | TCP header | message
Addressing
• MAC (Media Access Control) address
– Every host connected to a network has a network interface card (NIC) with a unique physical address
• IP address
– IPv4 → 32 bits (192.168.48.6)
– IPv6 → 128 bits
Routing
• Routers
• Routing Tables
IP Protocol
• Best-effort packet delivery service
• Datagram (IPv4)
(IPv4 header layout; each row is one 32-bit word)
VERS | HLEN | SERVICE TYPE | TOTAL LENGTH
IDENTIFICATION | FLAGS | FRAGMENT OFFSET
TIME TO LIVE | PROTOCOL | HEADER CHECKSUM
SOURCE ADDRESS
DESTINATION ADDRESS
OPTIONS (IF ANY) | PADDING
DATA
Internet Control Message Protocol
• Transmits error messages and reports unusual situations
• Different types of ICMP message have slightly different formats
TYPE | CODE | CHECKSUM
UNUSED (MUST BE ZERO)
DATA: header and first 64 bits of the offending datagram
(ICMP time-exceeded message)
ICMP (Echo request/reply)
• Transmits error messages and reports unusual situations
• Different types of ICMP message have slightly different formats
TYPE | CODE | CHECKSUM
IDENTIFIER | SEQUENCE NUMBER
DATA (optional)
(ICMP Echo Request/Reply message)
Ping of Death Attack
• Denial of service attack (first seen in 1996)
• Some systems did not handle oversized IP datagrams properly
• An attacker constructs an ICMP echo request containing 65,510 data octets and sends it to the victim
• The total size of the resulting datagram would be larger than the 65,535-octet limit specified by IP
– The system would crash
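As an added example (not from the lecture slides), the IPv4 datagram layout from the IP Protocol slide parsed in Python, with the header checksum verified and the ping-of-death bound checked: a fragment is rejected when the reassembled datagram would exceed the 65,535-octet limit. The header builder, the addresses and the fragment sizes are constructed inputs.

```python
import struct

IP_MAX_DATAGRAM = 65535   # TOTAL LENGTH is a 16-bit field: hard upper bound
IPV4_MIN_HLEN = 20        # header length without options

def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); 0 means the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, payload_len, frag_offset=0, more_frags=False, proto=1):
    """Constructed sample input: a minimal 20-byte header with a valid checksum."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    def pack(chk):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HLEN + payload_len,
                           0x1234, flags_frag, 64, proto, chk,
                           bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return pack(ip_checksum(pack(0)))

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields of the slide's IPv4 datagram layout and verify the checksum."""
    if len(packet) < IPV4_MIN_HLEN:
        raise ValueError("truncated IPv4 header")
    vh, tos, total_len, ident, ff, ttl, proto, chk, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:IPV4_MIN_HLEN])
    hlen = (vh & 0x0F) * 4
    if vh >> 4 != 4 or hlen < IPV4_MIN_HLEN or hlen > len(packet):
        raise ValueError("bad version or header length")
    return {"hlen": hlen, "service_type": tos, "total_length": total_len, "id": ident,
            "more_frags": bool(ff & 0x2000), "frag_offset": ff & 0x1FFF,
            "ttl": ttl, "protocol": proto,
            "checksum_ok": ip_checksum(packet[:hlen]) == 0,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def fragment_fits(hdr: dict) -> bool:
    """Ping-of-death guard: reject a fragment whose reassembled datagram (this fragment's
    header plus the payload up to the fragment's last octet) would exceed 65,535 octets."""
    payload_end = hdr["frag_offset"] * 8 + (hdr["total_length"] - hdr["hlen"])
    return hdr["hlen"] + payload_end <= IP_MAX_DATAGRAM
```

The final fragment of the slide's echo request (8-byte ICMP header plus 65,510 data octets, so 65,518 payload octets) fails `fragment_fits` because 20 + 65,518 exceeds the limit.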
SMURF
• Attacker sends an echo request message to a broadcast address
• Attacker also spoofs the source address in the request
Figure: the attacker sends the spoofed echo request to the intermediary network's broadcast address; the hosts there reply to the victim, whose address was used as the spoofed source
UDP (User Datagram Protocol)
• From one application to another
– multiple destinations
• Port → positive integer
– unique destination
SOURCE PORT | DESTINATION PORT
LENGTH | CHECKSUM (optional)
DATA
Attacks on UDP
• Fraggle
• Trinoo
Fraggle (similar to smurf)
• UDP port 7 is used for the echo service
• An attacker can create a stream of user datagrams with random source ports and a spoofed source address
• The destination port is 7 and the destination address is a broadcast address at some intermediate site
• The attack gets worse if the source port is also 7
• Could be prevented by filtering out UDP echo requests destined for broadcast addresses
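The filter the slide proposes, as an added example that is not part of the lecture: a border-router rule in Python, run over constructed packet dicts, that drops UDP echo requests (fraggle) and ICMP echo requests (smurf, from the earlier slide) whose destination is a broadcast address, so the site cannot serve as an intermediary. The subnet 192.168.48.0/24 and the sample packets are assumptions.

```python
import ipaddress

ECHO_PORT = 7             # UDP echo service abused by fraggle
ICMP_ECHO_REQUEST = 8     # ICMP type of an echo request, abused by smurf

# Constructed: the subnets behind the border router, i.e. potential intermediaries.
LOCAL_NETS = [ipaddress.ip_network("192.168.48.0/24")]

def is_broadcast(dst):
    """True for the limited broadcast or the directed broadcast of a local subnet."""
    addr = ipaddress.ip_address(dst)
    return addr == ipaddress.ip_address("255.255.255.255") or \
        any(addr == net.broadcast_address for net in LOCAL_NETS)

def amplifier_filter(pkt):
    """Border-router rule from the slide: echo traffic aimed at a broadcast address is
    dropped. Returns (allowed, reason). pkt is a constructed dict, not a real packet."""
    if not is_broadcast(pkt["dst"]):
        return True, "pass"
    if pkt["proto"] == "udp" and pkt["dport"] == ECHO_PORT:
        reason = "fraggle: UDP echo request to broadcast address"
        if pkt.get("sport") == ECHO_PORT:
            reason += " (source port 7 too: replies would bounce between echo services)"
        return False, reason
    if pkt["proto"] == "icmp" and pkt["icmp_type"] == ICMP_ECHO_REQUEST:
        return False, "smurf: ICMP echo request to broadcast address"
    return True, "pass"

# Constructed sample traffic: three packets that should be dropped, two that should pass.
SAMPLE_TRAFFIC = [
    {"proto": "udp", "src": "10.9.9.9", "dst": "192.168.48.255", "sport": 40123, "dport": 7},
    {"proto": "udp", "src": "10.9.9.9", "dst": "192.168.48.255", "sport": 7, "dport": 7},
    {"proto": "icmp", "src": "10.9.9.9", "dst": "255.255.255.255", "icmp_type": 8},
    {"proto": "icmp", "src": "10.9.9.9", "dst": "192.168.48.6", "icmp_type": 8},
    {"proto": "udp", "src": "10.9.9.9", "dst": "192.168.48.255", "sport": 5000, "dport": 53},
]

def dropped(packets):
    """Apply the filter to a packet list and return (packet, reason) for each drop."""
    out = []
    for pkt in packets:
        allowed, reason = amplifier_filter(pkt)
        if not allowed:
            out.append((pkt, reason))
    return out
```

Unicast echo requests and non-echo broadcast traffic still pass: the rule is deliberately narrow to the amplification pattern on the slide.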
Fraggle attack
Figure: a stream of UDP datagrams with the victim's host as the spoofed source address, a broadcast address as destination, a random source port and destination port 7; a second variant is identical but uses source port 7 as well
Trinoo
• Distributed denial of service
• In smurf and fraggle, traffic comes from a single intermediate node
• Trinoo allows the attacker to flood the victim from hundreds of intermediate sites simultaneously
• Two programs:
– master and
– daemon
• installed in many different stolen accounts
Trinoo attack
Figure: the attacker controls several masters, each master controls several daemons, and the daemons send a large number of UDP packets to random ports on the victim
TCP
• Reliable delivery
• TCP messages are sent inside IP datagrams
(TCP header layout; each row is one 32-bit word)
SOURCE PORT | DESTINATION PORT
SEQUENCE NUMBER
ACKNOWLEDGMENT NUMBER
HLEN | RESV | CODE BITS | WINDOW
CHECKSUM | URGENT POINTER
OPTIONS (IF ANY) | PADDING
DATA
TCP Overview
• TCP segments are sent inside IP datagrams
• TCP divides a stream of data into chunks that fit in IP datagrams
• It ensures that each datagram arrives at its destination
• It then reassembles the datagrams to produce the original message
TCP Overview (cont.)
• TCP uses an acknowledgment-and-retransmission scheme
• TCP sending software keeps a record of each datagram and waits for an acknowledgment
– If no acknowledgment is received during the timeout interval, the datagram is retransmitted
TCP communication
Establishing a TCP Connection using a 3-way handshake:
Message 1: Host A → Host B (SYN + SEQ)
Message 2: Host B → Host A (SYN + SEQ + ACK)
Message 3: Host A → Host B (ACK)
Closing a TCP Connection (one way, A to B):
Message 1: Host A → Host B (FIN + SEQ)
Message 2: Host B → Host A (ACK)
Attacks on TCP
• SYN Flood
– Exhausts the half-opened connection table
• LAND
– Spoofed source address = destination address
– Source port = destination port
– Certain implementations → freezing
• TRIBE Flood Network (TFN)
– Similar to trinoo but with more than one attack
– UDP flood, smurf, SYN floods, and others
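Added example, not from the slides: a toy server-side model in Python of the 3-way handshake above with a bounded half-open connection table. It shows how SYNs that are never acknowledged exhaust the table (the SYN flood effect), how a timeout reclaims it, and the LAND check (source equals destination) applied before any state is created. The Listener class, table size, timeout and sequence numbers are assumptions.

```python
class Listener:
    """Server side of the slide's 3-way handshake with a bounded half-open table:
    shows how unanswered SYNs exhaust it, how a timeout reclaims it, and why a
    LAND segment (source == destination) is rejected before it creates state."""

    def __init__(self, addr, port, max_half_open=4, timeout=3.0):
        self.addr, self.port, self.max_half_open, self.timeout = addr, port, max_half_open, timeout
        self.half_open = {}     # (src, sport) -> (server ISN, time SYN+ACK was sent)
        self.established = set()

    def reap(self, now):
        """Drop half-open entries whose SYN+ACK went unanswered past the timeout."""
        stale = [k for k, (_, sent) in self.half_open.items() if now - sent > self.timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def on_segment(self, seg, now):
        """seg is a constructed dict: src, sport, dst, dport, flags (a set), seq, ack."""
        if seg["src"] == seg["dst"] and seg["sport"] == seg["dport"]:
            return "drop: LAND (source equals destination)"
        key = (seg["src"], seg["sport"])
        if seg["flags"] == {"SYN"}:                            # Message 1 (SYN + SEQ)
            self.reap(now)
            if len(self.half_open) >= self.max_half_open:
                return "drop: half-open table full"
            isn = 1000 + 100 * len(self.half_open)             # constructed, not random
            self.half_open[key] = (isn, now)
            return f"send SYN+ACK seq={isn} ack={seg['seq'] + 1}"   # Message 2
        if seg["flags"] == {"ACK"} and key in self.half_open:  # Message 3 (ACK)
            if seg["ack"] != self.half_open[key][0] + 1:
                return "drop: ACK does not match our sequence number"
            del self.half_open[key]
            self.established.add(key)
            return "established"
        return "drop: no matching half-open connection"

def syn(src, sport, dst, dport, seq):
    """Constructed Message 1 for the scenario below."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": {"SYN"}, "seq": seq, "ack": 0}

def flood_then_recover():
    """Four SYNs that are never completed fill the table; a legitimate SYN is refused
    until the timeout reaps them. Returns the two replies the legitimate client gets."""
    srv = Listener("192.168.48.6", 80, max_half_open=4, timeout=3.0)
    for i in range(4):                                  # these sources never send Message 3
        srv.on_segment(syn(f"10.0.0.{i}", 5000, srv.addr, 80, 1), now=0.0)
    legit = syn("172.16.0.9", 44000, srv.addr, 80, 7)
    return srv.on_segment(legit, now=1.0), srv.on_segment(legit, now=5.0)
```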
Probes and Scans
• Ping scan and traceroute
– What machines exist on a given network and how they are arranged
• Remote OS fingerprinting
– What OS each detected host is running
– Different OSes respond to invalid packets differently
– Example: FIN to a connection that has not been opened
Probes and Scans
• Port Scanning
– Which ports are open? → port scanner
• Open a TCP connection and close it immediately
• Use half-opened connections