Session-25 - Lyle School of Engineering
Computer System Security
CSE 5339/7339
Session 25
November 16, 2004
Computer Science and Engineering
Contents
Security in Networks
Group Work
Wing’s presentation
IP Protocol
Unreliable packet delivery service
Datagram (IPv4) header, 32 bits per row:
  VERS | HLEN | SERVICE TYPE | TOTAL LENGTH
  IDENTIFICATION | FLAGS | FRAGMENT OFFSET
  TIME TO LIVE | PROTOCOL | HEADER CHECKSUM
  SOURCE ADDRESS
  DESTINATION ADDRESS
  OPTIONS (IF ANY) | PADDING
  DATA
Attacks
IP spoofing: forging the source address of a datagram
Teardrop attacks: sending fragments whose offsets overlap, which crashed reassembly code that did not check for overlapping fragments
ICMP (Internet Control Message Protocol)
Transmits error messages and reports unusual situations
Different ICMP types have slightly different formats
ICMP time-exceeded message, 32 bits per row:
  TYPE | CODE | CHECKSUM
  UNUSED (MUST BE ZERO)
  DATA: IP header and first 64 bits of the offending datagram
ICMP (Echo request/reply)
ICMP Echo Request/Reply message, 32 bits per row:
  TYPE | CODE | CHECKSUM
  IDENTIFIER | SEQUENCE NUMBER
  DATA (optional)
Ping of Death Attack
Denial-of-service attack (first seen in 1996)
Some systems did not handle oversized IP datagrams properly
An attacker constructs an ICMP echo request containing 65,510 data octets and sends it to the victim
With the 8-octet ICMP header and the 20-octet IP header, the resulting datagram is larger than the 65,535-octet limit specified by IP; it travels as fragments, and the limit is only exceeded when the victim reassembles them
The victim's reassembly buffer overflows and the system crashes
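Worked example added here (not part of the lecture slides): a fragment-reassembly check of the kind a hardened IP stack or an IDS performs, rejecting both malformed fragment streams described above, overlapping fragments (teardrop) and a reassembled datagram longer than 65,535 octets (ping of death). The packets are constructed byte strings built by a helper inside the block; the addresses, IP IDs and sizes are assumptions chosen for illustration.

```python
# Added example, not from the slides: parse minimal IPv4 fragments and reject
# teardrop (overlapping offsets) and ping-of-death (reassembly past 65,535).
import struct

IP_MAX = 65535          # largest total length an IPv4 datagram can have (16-bit field)
MF = 0x2000             # "more fragments" bit in the flags/offset word
OFFSET_MASK = 0x1FFF    # 13-bit fragment offset, counted in 8-octet units


def parse_ipv4(pkt):
    """Return (ident, more_fragments, byte_offset, payload) from a raw IPv4 packet."""
    vers_hlen, _tos, total_len, ident, flags_off, _ttl, _proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hlen = (vers_hlen & 0x0F) * 4
    if vers_hlen >> 4 != 4 or hlen < 20 or total_len < hlen or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    return ident, bool(flags_off & MF), (flags_off & OFFSET_MASK) * 8, pkt[hlen:total_len]


def check_fragments(packets):
    """Classify a list of fragments that share one IP ID.

    Returns "ok", "teardrop" (some fragment overlaps an earlier one) or
    "ping-of-death" (offset + length of a fragment exceeds IP_MAX).
    """
    pieces = []
    for pkt in packets:
        _ident, more, off, data = parse_ipv4(pkt)
        end = off + len(data)
        # Offsets go up to 65,528, so a final fragment placed there can push
        # the reassembled datagram past the 16-bit limit: ping of death.
        if end > IP_MAX:
            return "ping-of-death"
        # Every fragment except the last must carry a multiple of 8 octets.
        if more and len(data) % 8:
            raise ValueError("non-final fragment is not a multiple of 8 octets")
        pieces.append((off, end))
    pieces.sort()
    for (_a_off, a_end), (b_off, _b_end) in zip(pieces, pieces[1:]):
        if b_off < a_end:          # next fragment starts inside the previous one
            return "teardrop"
    return "ok"


def make_fragment(ident, offset, payload, more):
    """Build a minimal IPv4 fragment (no options, checksum left zero).
    Constructed test data; addresses 10.0.0.1 -> 10.0.0.2 are assumptions."""
    assert offset % 8 == 0
    flags_off = (offset // 8) | (MF if more else 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def demo():
    """Three constructed fragment streams: a normal one, a teardrop, a ping of death."""
    good = [make_fragment(1, 0, b"A" * 1480, True), make_fragment(1, 1480, b"B" * 100, False)]
    # Teardrop: first fragment covers octets 0..31, second claims to start at 24.
    tear = [make_fragment(2, 0, b"A" * 32, True), make_fragment(2, 24, b"B" * 4, False)]
    # Ping of death: final fragment at the maximum offset, 10 octets long -> 65,538.
    pod = [make_fragment(3, 0, b"A" * 8, True), make_fragment(3, 65528, b"B" * 10, False)]
    return check_fragments(good), check_fragments(tear), check_fragments(pod)


if __name__ == "__main__":
    print(demo())
```

The check runs per IP ID before any data is copied into a reassembly buffer, which is the point: the crash on the 1996 systems came from copying first and checking the 16-bit total length afterwards, if at all.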
SMURF
Attacker sends an ICMP echo request to the directed broadcast address of an intermediary network
Attacker spoofs the source address of the request as the victim's address
Every host on the intermediary network replies to the victim, so one request produces one reply per host (amplification)
Roles: attacker, intermediary (the amplifying network), victim
UDP (User Datagram Protocol)
Carries datagrams from one application to another; a host has many possible destination applications
Port: positive integer identifying the unique destination application on a host
Header, 32 bits per row:
  SOURCE PORT | DESTINATION PORT
  LENGTH | CHECKSUM (optional)
  DATA
Attacks on UDP
Fraggle
Trinoo
Fraggle (similar to smurf)
UDP port 7 is used for the echo service
An attacker creates a stream of UDP datagrams with random source ports and a spoofed source address (the victim's)
Destination port is 7 and the destination address is a broadcast address at some intermediate site
The attack gets worse if the source port is also 7: each echo reply arriving at the victim's echo service is echoed back, so the intermediate hosts and the victim keep bouncing datagrams between themselves
Can be prevented by filtering out UDP echo requests destined for broadcast addresses (and by disabling the echo service on hosts)
[Figure: two variants of the fraggle stream of UDP datagrams. First: spoofed source = victim's host, random source port, broadcast destination, destination port = 7. Second: the same, but source port = 7 as well as destination port = 7.]
Trinoo
Distributed denial of service
In smurf and fraggle, traffic comes from a single intermediate network
Trinoo allows the attacker to flood the victim from hundreds of intermediate sites simultaneously
Two programs, master and daemon, installed on many different stolen (compromised) accounts
[Figure: the attacker controls several masters; each master controls several daemons; the daemons send a large number of UDP packets to random ports on the victim.]
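Worked example added here (not part of the lecture slides) covering the smurf, fraggle and Trinoo passages above: a border filter for a would-be intermediary site that drops broadcast-directed ICMP echo requests and UDP echo datagrams, and a victim-side heuristic that flags a source hitting many random UDP ports in a short window. The packet records, addresses, subnets and thresholds are constructed assumptions for illustration, not output of any real tool.

```python
# Added example, not from the slides: reflector filtering (smurf, fraggle)
# and a random-port UDP flood detector (Trinoo) over constructed records.
import ipaddress
import random
from collections import defaultdict

ECHO_PORT = 7            # UDP echo service abused by fraggle
ICMP_ECHO_REQUEST = 8    # ICMP type of the echo request abused by smurf


def is_directed_broadcast(dst, local_nets):
    """True if dst is the broadcast address of one of the intermediary's subnets."""
    ip = ipaddress.ip_address(dst)
    return any(ip == net.broadcast_address for net in local_nets)


def filter_reflectors(records, local_nets):
    """Drop ICMP echo requests (smurf) and UDP echo datagrams (fraggle) that are
    addressed to one of our broadcast addresses, so no LAN host ever replies to
    the spoofed source.  Returns (forwarded, dropped); dropped pairs each record
    with the reason."""
    forwarded, dropped = [], []
    for rec in records:
        to_bcast = is_directed_broadcast(rec["dst"], local_nets)
        if to_bcast and rec["proto"] == "icmp" and rec["type"] == ICMP_ECHO_REQUEST:
            dropped.append((rec, "smurf: echo request to broadcast"))
        elif to_bcast and rec["proto"] == "udp" and rec["dport"] == ECHO_PORT:
            dropped.append((rec, "fraggle: UDP echo to broadcast"))
        else:
            forwarded.append(rec)
    return forwarded, dropped


def detect_udp_flood(records, window=1.0, max_ports=50):
    """Victim-side heuristic for a Trinoo-style flood: one source sending UDP to
    more than max_ports distinct ports on one host within `window` seconds.
    Returns the set of (src, dst) pairs flagged.  Thresholds are assumptions."""
    history = defaultdict(list)   # (src, dst) -> [(time, dport), ...] inside the window
    flagged = set()
    for rec in sorted(records, key=lambda r: r["t"]):
        if rec["proto"] != "udp":
            continue
        key = (rec["src"], rec["dst"])
        hist = history[key]
        hist.append((rec["t"], rec["dport"]))
        while rec["t"] - hist[0][0] > window:   # slide the window forward
            hist.pop(0)
        if len({port for _, port in hist}) > max_ports:
            flagged.add(key)
    return flagged


def demo_filter():
    """Constructed traffic arriving at an intermediary that owns 192.0.2.0/24."""
    local = [ipaddress.ip_network("192.0.2.0/24")]
    victim = "203.0.113.9"        # spoofed as the source of both attack packets
    traffic = [
        {"proto": "icmp", "src": victim, "dst": "192.0.2.255",
         "type": ICMP_ECHO_REQUEST, "t": 0.0},
        {"proto": "udp", "src": victim, "dst": "192.0.2.255",
         "sport": 31337, "dport": ECHO_PORT, "t": 0.0},
        {"proto": "udp", "src": "198.51.100.3", "dst": "192.0.2.10",
         "sport": 4444, "dport": 53, "t": 0.0},      # ordinary DNS query, forwarded
    ]
    return filter_reflectors(traffic, local)


def demo_flood():
    """Constructed Trinoo daemon traffic: 200 datagrams to random ports in half a
    second, mixed with a normal client's DNS queries to one port."""
    rng = random.Random(1)
    victim = "203.0.113.9"
    flood = [{"proto": "udp", "src": "198.51.100.5", "dst": victim, "sport": 27444,
              "dport": port, "t": i * 0.0025}
             for i, port in enumerate(rng.sample(range(1024, 65536), 200))]
    normal = [{"proto": "udp", "src": "198.51.100.8", "dst": victim, "sport": 5000 + i,
               "dport": 53, "t": i * 0.1} for i in range(30)]
    return detect_udp_flood(flood + normal)


if __name__ == "__main__":
    forwarded, dropped = demo_filter()
    print(len(forwarded), "forwarded;", [reason for _, reason in dropped])
    print("flooding pairs:", demo_flood())
```

The filter belongs at the intermediary, since the victim cannot stop spoofed requests from being sent; the flood detector belongs at the victim or its upstream, where the daemons' traffic converges. Neither is a substitute for disabling directed broadcast forwarding on the routers themselves.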
TCP
Reliable delivery
TCP messages are sent inside IP datagrams
Header, 32 bits per row:
  SOURCE PORT | DESTINATION PORT
  SEQUENCE NUMBER
  ACKNOWLEDGMENT NUMBER
  HLEN | RESV | CODE BITS | WINDOW
  CHECKSUM | URGENT POINTER
  OPTIONS (IF ANY) | PADDING
  DATA
TCP Overview
TCP segments are sent inside IP datagrams
TCP divides a stream of data into chunks (segments) that fit in IP datagrams
It ensures that each segment arrives at its destination
It then reassembles the segments to produce the original message
TCP Overview (cont.)
TCP uses an acknowledgment-and-retransmission scheme
The TCP sending software keeps a record of each segment and waits for an acknowledgment
If no acknowledgment is received during the timeout interval, the segment is retransmitted
Establishing a TCP connection using a 3-way handshake:
  Message 1, Host A -> Host B: SYN, SEQ = x
  Message 2, Host B -> Host A: SYN + ACK, SEQ = y, ACK = x + 1
  Message 3, Host A -> Host B: ACK, ACK = y + 1
Closing a TCP connection (one direction, A to B):
  Message 1, Host A -> Host B: FIN + SEQ
  Message 2, Host B -> Host A: ACK
Group Work
Discuss possible attacks
Attacks on TCP
SYN flood
  Spoofed SYNs fill the half-open connection table, so legitimate connection requests are dropped
LAND
  Spoofed source address = destination address
  Source port = destination port
  Certain implementations freeze when a host appears to connect to itself
Tribe Flood Network (TFN)
  Similar to Trinoo but supports more than one attack: UDP flood, smurf, SYN flood, and others
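Worked example added here (not part of the lecture slides) for the 3-way handshake and the SYN flood and LAND attacks above: a toy model of a listening TCP port that keeps a bounded half-open table, shows the table filling under a spoofed SYN flood so a legitimate client can no longer connect, and shows the SYN-cookie countermeasure, in which the server encodes a keyed MAC in its initial sequence number instead of storing state until message 3 arrives. The LAND check is applied on arrival. Addresses, table size and the cookie layout are assumptions for illustration; real SYN cookies also encode the client's MSS, which this model omits.

```python
# Added example, not from the slides: half-open table vs. SYN cookies, plus
# the LAND check, in a simplified handshake model.
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF


class Listener:
    """Server side of the handshake for one listening port."""

    def __init__(self, addr, port, max_half_open=4, use_cookies=False):
        self.addr, self.port = addr, port
        self.max_half_open = max_half_open
        self.use_cookies = use_cookies
        self.half_open = {}                 # (src, sport) -> server ISN awaiting the ACK
        self.established = set()
        self.key = secrets.token_bytes(16)  # per-boot secret used only for cookies
        self.clock = 0                      # coarse time slot (real stacks use ~1 minute)

    def _cookie(self, src, sport, client_seq, slot):
        """Stateless ISN: 5-bit time slot in the top bits, 27 bits of MAC below.
        Layout is an assumption; real cookies also encode the client's MSS."""
        msg = f"{src}:{sport}:{self.addr}:{self.port}:{client_seq}:{slot}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return ((slot & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

    def on_syn(self, src, sport, client_seq):
        """Message 1 arrives. Returns the SYN+ACK as (server_seq, ack), or None if dropped."""
        if src == self.addr and sport == self.port:
            return None                     # LAND: a segment claiming to come from ourselves
        if self.use_cookies:
            # No state stored: the ISN itself later proves we sent this SYN+ACK.
            return self._cookie(src, sport, client_seq, self.clock), (client_seq + 1) & MASK32
        if len(self.half_open) >= self.max_half_open:
            return None                     # table full: every new SYN, legitimate or not, is dropped
        isn = secrets.randbits(32)
        self.half_open[(src, sport)] = isn
        return isn, (client_seq + 1) & MASK32

    def on_ack(self, src, sport, seq, ack):
        """Message 3 arrives with the client's seq (= its ISN + 1) and ack (= our ISN + 1).
        Returns True if the connection becomes established."""
        if self.use_cookies:
            client_isn = (seq - 1) & MASK32
            got = ((ack - 1) & MASK32).to_bytes(4, "big")
            # Accept the current slot and the previous one so slow clients still connect.
            for slot in (self.clock, self.clock - 1):
                want = self._cookie(src, sport, client_isn, slot).to_bytes(4, "big")
                if hmac.compare_digest(got, want):
                    self.established.add((src, sport))
                    return True
            return False
        isn = self.half_open.pop((src, sport), None)
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        self.established.add((src, sport))
        return True


def syn_flood(listener, n):
    """n spoofed SYNs from distinct sources (constructed) that never send message 3."""
    for i in range(n):
        listener.on_syn(f"203.0.113.{i % 250 + 1}", 40000 + i, 1000 + i)


def handshake(listener, src="198.51.100.7", sport=5555, seq=42):
    """A legitimate client's full 3-way handshake; True on success."""
    reply = listener.on_syn(src, sport, seq)
    if reply is None:
        return False
    server_isn, ack = reply
    assert ack == seq + 1
    return listener.on_ack(src, sport, seq + 1, (server_isn + 1) & MASK32)


def demo():
    plain = Listener("192.0.2.1", 80, max_half_open=4)
    syn_flood(plain, 100)
    blocked = handshake(plain)          # False: the table is full, the client is locked out
    cookie = Listener("192.0.2.1", 80, max_half_open=4, use_cookies=True)
    syn_flood(cookie, 100)
    survives = handshake(cookie)        # True: nothing was stored per SYN
    land = plain.on_syn("192.0.2.1", 80, 7) is None
    return blocked, survives, land, len(plain.half_open), len(cookie.half_open)


if __name__ == "__main__":
    print(demo())
```

Note what the cookie listener gives up: it cannot honour TCP options it did not encode, and a forged message 3 costs it one MAC computation each, so real stacks only switch to cookies once the half-open table is under pressure.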
Probes and Scans
Ping scan and traceroute
  (Which machines exist on a given network and how they are arranged)
Remote OS fingerprinting
  (Which OS each detected host is running)
  (Different OSes respond to invalid packets differently)
  (Example: a FIN sent to a connection that has not been opened)
Port scanning
  (Which ports are open? port scanner)
  Open a TCP connection and close it immediately (connect scan)
  Use half-open connections: send SYN, note the SYN+ACK, then send RST instead of completing the handshake
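Worked example added here (not part of the lecture slides): detection logic that recognises the three probe styles above from a flow log, the half-open (SYN) scan, the connect-and-close scan, and the lone FIN sent to a connection that was never opened. The flow records and the port-count threshold are constructed assumptions for illustration, not output of any real sensor.

```python
# Added example, not from the slides: classify scanning sources from
# per-flow TCP flag summaries.
from collections import Counter, defaultdict


def classify_flows(flows, min_ports=20):
    """flows: iterable of dicts {src, dst, dport, flags, bytes} where `flags` is the
    set of TCP flags the client sent during the flow and `bytes` the payload it
    delivered.  Returns {(src, dst): kind} for sources whose dominant behaviour
    toward a host is a probe: scans need >= min_ports distinct ports, a FIN
    probe is reported on its own.  Threshold is an assumption."""
    ports = defaultdict(set)
    styles = defaultdict(Counter)
    for f in flows:
        key = (f["src"], f["dst"])
        ports[key].add(f["dport"])
        fl = f["flags"]
        if "SYN" not in fl and "FIN" in fl:
            styles[key]["FIN probe"] += 1        # FIN to a connection never opened
        elif "SYN" in fl and "ACK" not in fl:
            styles[key]["half-open scan"] += 1   # SYN, SYN+ACK, then RST; never completed
        elif {"SYN", "ACK"} <= fl and fl & {"FIN", "RST"} and f["bytes"] == 0:
            styles[key]["connect scan"] += 1     # full handshake, closed without data
        else:
            styles[key]["normal"] += 1
    result = {}
    for key, seen in ports.items():
        kind = styles[key].most_common(1)[0][0]
        if kind == "normal":
            continue
        if kind == "FIN probe" or len(seen) >= min_ports:
            result[key] = kind
    return result


def demo():
    """Constructed flow log against one target: two scanners, one OS-fingerprint
    probe and one ordinary client that actually sends data."""
    target = "192.0.2.10"
    flows = []
    for p in range(1, 31):          # half-open scanner: SYN, then RST, never ACK
        flows.append({"src": "198.51.100.9", "dst": target, "dport": p,
                      "flags": {"SYN", "RST"}, "bytes": 0})
    for p in range(1, 26):          # connect scanner: completes and closes at once
        flows.append({"src": "198.51.100.20", "dst": target, "dport": p,
                      "flags": {"SYN", "ACK", "FIN"}, "bytes": 0})
    flows.append({"src": "198.51.100.30", "dst": target, "dport": 80,
                  "flags": {"FIN"}, "bytes": 0})   # FIN to an unopened connection
    for i in range(5):              # ordinary client: handshakes and sends data
        flows.append({"src": "203.0.113.4", "dst": target, "dport": 443,
                      "flags": {"SYN", "ACK", "FIN"}, "bytes": 900 + i})
    return classify_flows(flows)


if __name__ == "__main__":
    for (src, dst), kind in demo().items():
        print(f"{src} -> {dst}: {kind}")
```

The half-open scanner is the one a connection log on the target host never sees, because no connection is ever accepted; catching it needs flag-level records from the network, which is why the classifier works on flows rather than on application logs.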
Wired Backbone with Mobile nodes
[Figure: mobile hosts attach through base stations to a wired backbone (fixed communication network) that also connects fixed hosts.]
Mobile IP (Cont.)
[Figure: a mobile host at home on its home subnet, served by the home agent; a mobile host visiting a foreign subnet, served by that subnet's foreign agent; an arbitrary topology of routers and links in between.]
Wireless Multi-hop Backbone
[Figure: mobile hosts only, forwarding for one another to form a wireless multi-hop backbone.]
Hybrid Backbone
[Figure: a wired backbone (fixed communication network with fixed hosts and base stations) joined to a wireless multi-hop backbone of mobile hosts; mobile hosts reach the wired side through base stations.]