ICMP Nuke Attack
Network Layer Security
Lecture 4
Supakorn Kungpisdan, Ph.D.
[email protected]
Overview
(figure: IP Packet Format, showing the IP Header Length and IPID fields)
NETE4630: Advanced Network Security and Implementation
2
Overview
IP, ICMP, and Routing protocols
IP is connectionless and subject to DoS
ICMP can be used by attackers
Routing protocols are subject to stack attacks
Roadmap
Attacking the Network Layer
Defending the Network Layer
IP Attacks
Spoofing
Fragmentation
Passive and Active Fingerprinting
Port Scanning
Redirection
Spoofing
Local spoofing and blind spoofing
Local spoofing: attacker and victim are on the same subnet
The attacker begins by sniffing traffic to find the key pieces of
information needed to launch the attack
Session hijacking is another spoofing technique.
That attack starts at the transport layer
Spoofing (cont.)
Blind spoofing: attacker is not on the same local subnet as the victim
A more sophisticated and advanced attack
Many pieces of information needed to succeed are not available, so
the key parameters must be guessed
Most modern OSes use fairly random sequence numbers, making the
attack difficult to launch
Fragmentation
Fragmentation is required when transmitting packets to
different networks that have different MTUs
The idea is to send different data streams to each device
Evasion attack: sends packets to an IDS and target that will be
rejected by the IDS and accepted by the target
The IDS drops the packet and never inspects its payload
Insertion attack: sends packets to an IDS and target device that will
be accepted by the IDS and rejected by the target
IP Fragmentation
Evasion Attack
An attacker sends the first fragment to an IDS that has a fragmentation timeout of
15 s, while the target system has a timeout of 30 s
The attacker waits more than 15 s but less than 30 s before sending the second
fragment.
The IDS discards the second fragment (and the first, already expired) because its
timeout has been reached
However, the target system accepts the second fragment (within its timeout)
Thus, the IDS will not record this attack
(figure: fragments #1 and #2 against the IDS timeout of 15 s and the target timeout of 30 s)
Fragmentation Attacks
Overlapping fragmentation can offer an attacker a means of slipping
packets past an IDS and firewall
Example: a packet passing through a Cisco router to a Windows-based system
When a duplicate fragment is received, the Cisco router prefers the last
fragment, whereas Windows prefers the original fragment
Fragmentation Attacks (cont.)
(figure: the attacker sends #1 and #2, then modifies #2 and transmits #2 and #3; Windows and the router both accept #1 and #2; Windows keeps #1, the original #2 and #3, while the router keeps #1, the modified #2 and #3)
Fragmentation Attacks (cont.)
An attacker breaks a message into 3 fragments
He sends fragments 1 and 2 to both the router and the Windows host. Both
accept the fragments
He then sends fragments 2 and 3. The retransmitted fragment 2 has the
same size and offset as the original fragment but a different payload
Windows keeps the original fragment 2, but the router keeps the
retransmitted one
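The ambiguity above, as an added example that is not part of the lecture: a small reassembler that applies either the keep-first policy (the Windows behaviour the slides describe) or the keep-last policy (the Cisco router behaviour) to the same constructed fragment stream, showing why an IDS must reassemble the way its protected target does. Byte offsets and 8-byte fragments are simplifications of the real IP header, which counts offsets in 8-byte units.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    offset: int         # byte offset within the datagram (simplified)
    payload: bytes
    last: bool = False  # True when the More Fragments bit is clear

def reassemble(fragments, policy):
    """Reassemble fragments in arrival order under one overlap policy.

    "first": a byte already received keeps its original value (Windows in the slides)
    "last":  a later fragment overwrites earlier data (Cisco router in the slides)
    Returns the datagram, or None when the stream has holes or no last fragment.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf, total = {}, None
    for frag in fragments:
        for i, byte in enumerate(frag.payload):
            pos = frag.offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
        if frag.last:
            total = frag.offset + len(frag.payload)
    if total is None or any(i not in buf for i in range(total)):
        return None
    return bytes(buf[i] for i in range(total))

# Constructed stream from the slide: #1, #2, then a retransmitted #2 with the
# same offset and size but a different payload, followed by #3.
FRAG1 = Fragment(0, b"FRAGMENT")
FRAG2 = Fragment(8, b"ORIGINAL")
FRAG2_RETX = Fragment(8, b"REPLACED")
FRAG3 = Fragment(16, b"TRAILING", last=True)
STREAM = [FRAG1, FRAG2, FRAG2_RETX, FRAG3]

def views():
    """Datagram as seen by a keep-first host and by a keep-last host."""
    return reassemble(STREAM, "first"), reassemble(STREAM, "last")

if __name__ == "__main__":
    keep_first, keep_last = views()
    print("keep-first (Windows):", keep_first)
    print("keep-last  (router): ", keep_last)
    # An IDS using the wrong policy inspects a payload the target never sees.
```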
Teardrop Attack
Teardrop, targa, NewTear, Nestea, Bonk, Boink, TearDrop2, and SynDrop
are some of the tools that can crash machines that have a vulnerability
in the IP stack
There is a fragmentation bug in the IP stack implementation of some old
Linux kernels (2.0), Windows NT, and Windows 95
They send malformed packets with the fragmentation offset value tweaked
so that the received fragments overlap
A reboot solved the problem until the next attack
Teardrop Attack (cont.)
Fingerprinting
Fingerprinting is the act of using peculiarities of IP, TCP, UDP, and ICMP
to determine the operating system
Not only the OS, but also the specific version
Active and passive fingerprinting
Active fingerprinting: sends malformed (or non-RFC-compliant) packets to
the target. Different OSes respond to these packets differently
Tools: Nmap, Xprobe, Scanrand, etc.
Passive Fingerprinting
Passive fingerprinting: similar concept, but without injecting traffic into
the network
It looks at four fields:
TTL value
Don’t Fragment bit (DF)
Type of Service (TOS)
Window size
TTL, DF, and TOS are found in IP header
Window size is found in TCP header
Passive Fingerprinting: TTL
A packet has its TTL reduced each time it passes through a router or
when it remains in a router's queue too long
No standard mandates a particular initial TTL value
The attacker may assume that the value observed is less than the
original value (which is at most 255)
Passive Fingerprinting: DF and TOS
The DF flag is the primary mechanism systems use for PMTUD (Path MTU
Discovery)
Many older OSes don't use this feature
TOS can be analyzed to determine the OS
Even though it is rarely used on the Internet, some developers set it to
a value other than zero to prevent this fingerprinting
PMTUD
Path MTU discovery (PMTUD) is a technique in computer networking for
determining the MTU size on the network path between two hosts, usually
with the goal of avoiding IP fragmentation
1. Path MTU discovery works by setting the DF (Don't Fragment) option bit
in the IP headers of outgoing packets.
2. Any device along the path whose MTU is smaller than the packet will drop
it, and send back an ICMP Type 3 Code 4 "Destination Unreachable
(Fragmentation Needed and DF was set)" message
3. The ICMP Type 3 Code 4 message contains its MTU, allowing the source
host to reduce its assumed path MTU appropriately.
4. The process repeats until the MTU is small enough to traverse the entire
path without fragmentation.
PMTUD (cont.)
Passive Fingerprinting: Window Size
The TCP window specifies the amount of data that can be sent without
having to receive an acknowledgement
The window size should either be as close as possible to the MTU or be
some multiple of this value
Linux 2.0 used a value of 16,384, while version 3 of FreeBSD used a
value of 17,520
The most up-to-date passive fingerprinting tool is p0f
LAB: p0f page 129
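How the four-field passive method works, as an added example that is not from the lecture or from p0f: it parses the IP and TCP headers from raw bytes, derives the likely initial TTL from the observed one, and looks the fields up in a small signature table built from the two window sizes cited above. The TTL, DF and TOS entries in that table, the packet builder and the sample packets are assumptions constructed for the example; the matching also shows why a non-zero TOS or a changed window size defeats this technique.

```python
import struct

# (OS name, initial TTL, DF set, TOS, TCP window): window sizes are from the
# slides; the TTL, DF and TOS columns are assumptions for this example.
SIGNATURES = [
    ("Linux 2.0", 64, 0, 0, 16384),
    ("FreeBSD 3", 64, 1, 0, 17520),
]
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def parse_headers(pkt):
    """Extract TTL, DF, TOS (IP header) and window size (TCP header)."""
    ver_ihl, tos, _total, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4 packet carrying TCP")
    ihl = (ver_ihl & 0x0F) * 4          # IP header length in bytes
    df = (flags_frag >> 14) & 1          # Don't Fragment flag
    window = struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0]  # TCP window field
    return {"ttl": ttl, "df": df, "tos": tos, "window": window}

def guess_initial_ttl(observed):
    """The observed TTL can only be at or below the initial value, so pick
    the smallest common initial TTL that is not below it."""
    return next((t for t in COMMON_INITIAL_TTLS if t >= observed), 255)

def fingerprint(pkt):
    """Return the matching OS name, or None when no signature fits."""
    h = parse_headers(pkt)
    observed = (guess_initial_ttl(h["ttl"]), h["df"], h["tos"], h["window"])
    for name, *sig in SIGNATURES:
        if tuple(sig) == observed:
            return name
    return None

def build_packet(ttl, df, tos, window):
    """Constructed IPv4 + TCP SYN with the four fields set (checksums zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, df << 14, ttl, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, window, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    # A SYN that crossed 12 hops from a FreeBSD 3 style stack
    print(fingerprint(build_packet(52, 1, 0, 17520)))   # FreeBSD 3
    # Same window size, but the TTL implies an initial value of 128: no match
    print(fingerprint(build_packet(120, 0, 0, 16384)))  # None
```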
Idle Scan: Open Port
Idle Scan: Closed Port
Idle Scan: Limitations
The idle host must truly be idle
Not all OSes use an incrementing IPID
Some versions of Linux set IPID to zero or generate a random
IPID value
Several message exchanges are needed to validate the results
ICMP Attacks
ICMP helps with logical errors and diagnostics
ICMP does not offer authentication
Thus, ICMP can be used to scan and exploit devices
This includes using ICMP as a backdoor (covert channel), for echo
attacks, for port scanning, to redirect traffic, for OS fingerprinting,
and for DoS attacks
Covert Channels
Covert channels offer attackers a way to have a hidden communications
channel by using allowed services
Covert channels can also work by exploiting flaws or weaknesses in
protocols like ICMP, esp. ping
ICMP fields used in ping include:
Type, Code, Identifier, Sequence Number, Optional Data
ICMP Format
Covert Channels (cont.)
Covert Channels (cont.)
Covert Channels (cont.)
Some systems, such as Linux, let the user add data to the ping payload:
# ping -p 2b2b2b41544830 192.168.123.101
will place the modem hang-up string (+++ATH0) into the ping packet
Covert channel tools can use ICMP, TCP, or even IGRP.
Examples: Loki, ICMP Backdoor, 007Shell, B0CK
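As an added example (not from the lecture and not one of the tools it lists), a detection heuristic that parses ICMP echo requests and flags payloads that neither match a stock ping padding pattern nor look like ordinary padding. The two reference patterns are assumptions about common ping programs (iputils: 8-byte timestamp followed by bytes counting up from 0x10; Windows: the alphabet "abcdefghijklmnopqrstuvw" repeated), and the sample packets are constructed.

```python
import math
import struct
# Reference ping payload patterns (assumptions about common ping programs):
# iputils: 8-byte timestamp then 0x10,0x11,...; Windows: alphabet repeated.
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvw"

def parse_echo(pkt):
    """Return (identifier, sequence, payload) for an ICMP echo request, else None."""
    if len(pkt) < 8:
        return None
    typ, code, _chk, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if typ != 8 or code != 0:
        return None
    return ident, seq, pkt[8:]

def looks_like_iputils(payload):
    body = payload[8:]
    return len(payload) >= 16 and body == bytes((16 + i) & 0xFF for i in range(len(body)))

def looks_like_windows(payload):
    n = len(payload)
    return n > 0 and payload == (WINDOWS_PATTERN * (n // len(WINDOWS_PATTERN) + 1))[:n]

def entropy(data):
    """Shannon entropy in bits per byte; standard ping padding scores low."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def classify(pkt, entropy_threshold=4.0):
    """'benign' for a recognised ping pattern, otherwise a 'suspect:...' reason."""
    parsed = parse_echo(pkt)
    if parsed is None:
        return "ignored"
    payload = parsed[2]
    if looks_like_iputils(payload) or looks_like_windows(payload):
        return "benign"
    if entropy(payload) > entropy_threshold:
        return "suspect:high-entropy"
    return "suspect:unknown-pattern"

def echo_request(payload, ident=0x1234, seq=1):
    """Constructed ICMP echo request; checksum left zero for the example."""
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload

# Constructed samples: a stock Linux ping, a stock Windows ping, the slide's
# "+++ATH0" pattern as sent with ping -p, and a high-entropy blob.
LINUX_PING = echo_request(b"\x00" * 8 + bytes(range(16, 64)))
WINDOWS_PING = echo_request((WINDOWS_PATTERN * 2)[:32])
PATTERN_PING = echo_request(b"\x00" * 8 + (b"+++ATH0" * 7)[:48])
BLOB_PING = echo_request(bytes(range(256)))
```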
ICMP Echo Attacks
Flood the target with ping traffic and use up all available bandwidth
Smurf exploits ICMP by sending a spoofed ping packet to the broadcast
address with the source address listed as the victim
In 2002, an attack was launched against the core DNS servers. They had
ping enabled
It resulted in a large DoS attack that slowed the operation of the
primary DNS servers
Port Scanning
ICMP can be of great use to an attacker attempting to discover which
ports are open
ICMP is invaluable since, unlike TCP, there is no direct response to rely on
Sending a packet to a port
will get no response if the port is open, and
will receive an ICMP Type 3 Code 3 (Destination Unreachable, Port
Unreachable) packet if the port is closed
Port Scanning (cont.)
Type 3 (Destination Unreachable)
Code 3 (Port Unreachable)
ICMP Nuke Attacks
ICMP Nuke Attack: Using spoofed addresses, an attacker
might disrupt communications between two hosts by
sending “Time Exceeded” (Type 11) or “Destination
Unreachable” (ICMP Type 3) messages to both hosts
This results in a DoS attack
Check out ICMP Types and Codes
ICMP Redirect Attack
By sending ICMP “redirect” messages, an attacker might force a
router to forward packets destined to one host to the attacker’s IP
address
Preventing ICMP Redirect Attack
With Linux, we can force the kernel not to accept redirect
messages for one or all interfaces
root@router# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
ICMP Flood
Ping flood creates a broadcast storm of pings that overwhelms the
target system
Using Linux, one can flood a host using ping -f:
root@router# ping -f 10.10.10.12 -c 1000
The above command floods the host 10.10.10.12 with 1,000 packets
Preventing Ping Flood
Ping flood can be stopped by limiting the rate of ICMP echo-request
messages with iptables:
root@router# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
root@router# iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
Ping of Death
Ping of Death crashed machines by sending ICMP "echo request" messages in
IP packets larger than the maximum legal length of 65,535 octets, causing
a buffer overflow that crashed the victim's device (computer, printer,
etc.)
A Linux patch for the ping of death was out in 2 hours, 35 minutes, and
10 seconds, and shortly after, patches for other OSes were available
from vendors
Routing Protocols Attacks
Misconfigured dynamic routing protocols such as RIP, BGP, and OSPF may
allow attackers to inject routes into the routing tables of the machines
running instances of those protocols
This may allow attackers to conduct DoS attacks by injecting wrong
routes, or IP sniffing by configuring their computer to act as a router
for the network
Routing Protocols Attacks (cont.)
Distance-vector and link-state routing protocols both suffer from
attacks, especially DoS
RIP is an unauthenticated service; it is vulnerable to DoS
The attacker injects packets carrying false routing information into the network
RIP spoofing works by making fake RIP packets and sending them to
gateways and hosts to change their routes
RIP sends its routing tables to a broadcast address
The attacker can also modify the routing information to cause a redirect
through a network, allowing him to sniff passwords or intercept and
change data
Source Routing Attack
Source routing is one of the IP options designed to force a packet to
take a specific route through the network
It uses the Option field in the IP header: LSRR (Loose Source and
Record Route) and SSRR (Strict Source and Record Route)
LSR and SSR
Loose Source Routing is an IP option which can be used for
address translation. LSR is also used to implement mobility in IP
networks.
LSR uses a source routing option in TCP/IP to record the set of
routers a packet must visit.
The destination of the packet is replaced with the next router the
packet must visit.
The name LSR comes from the fact that only part of the path is set
in advance. This is in contrast with Strict Source Routing (SSR), in
which every single step of the route is decided in advance when the
packet is sent.
SSR defines specific points between source and destination
No other routers are allowed to handle the datagram
Source Routing Attack (cont.)
The use of the LSRR and SSRR options (Loose and Strict Source and
Record Route) is discouraged because they create security concerns
An attacker can spoof a source IP as a trusted system and use a source
route to forward packets to a victim
Any return packet will be sent to the attacker instead of the trusted
host (because the route is fixed and static)
Many routers block packets containing these options.
Roadmap
Attacking the Network Layer
Defending the Network Layer
Securing IP
Encryption and authentication are the two best options for securing IP
Built into IPv6, but not into IPv4
IPSec's greatest strength is that it allows network managers to apply
security without involving end users
IPSec Tunnel Mode: link encryption
Needs to manage several keys
IPSec Transport Mode: end-to-end encryption
Source and destination IPs are not masked
Securing ICMP
Disable as much of ICMP as possible, especially at routers
Reject: send an ICMP destination-unreachable back to the source
Drop: send no response
Securing ICMP (cont.)
From a legitimate user's perspective,
rejecting connections allows services to know that something has
failed and to time out quickly
dropping a connection can cause a service to keep trying to connect
until a retransmission limit is exceeded
Securing ICMP (cont.)
From a security perspective,
dropping packets gives away less information and makes it harder for
an attacker to enumerate the target
rejecting packets can make the router a bigger target for reflective
attacks and leave it vulnerable to spewing out ICMP messages to a host
being attacked by a third party
Protecting against IP Spoofing
The Linux kernel has an option named "rp_filter"
To disable it on all interfaces:
root@router# echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
To disable it on one interface, e.g. eth0:
root@router# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
Setting rp_filter to:
1 enables IP spoofing protection
0 disables IP spoofing protection
rp_filter performs ingress filtering: a packet coming into the network is
dropped if the network it arrives from should not be sending packets
with that source IP address
Securing Routers and Routing Protocols
Securing routers and the traffic that flows through them is primarily
achieved by using packet filters
Packet filtering is configured through access control lists (ACLs)
How ACL Handles Traffic
Source IP address: Is it from a valid or allowed address?
Destination IP address: Is this address allowed to receive packets
from this device?
Source and destination ports: includes TCP, UDP, and ICMP
TCP flags: includes SYN, FIN, ACK, PSH
Protocols: includes FTP, Telnet, HTTP, DNS, and POP3
Direction: Can allow or deny inbound or outbound traffic
Interface: Can be used to restrict only certain traffic on certain
interfaces
Preventing Address Spoofing
Do not allow traffic with an internal IP address as the source that
arrives from the Internet
Log the dropped packets
Check out the router configuration guide at
http://www.nsa.gov/snac/downloads_all.cfm
RIPv1 sends updates in cleartext with no authentication
RIPv2 has authentication but sends the authentication in cleartext
Use OSPF with MD5 authentication instead
Restrict dynamic routing when possible
Without this, OSPF may still be vulnerable
Check out Nemesis (a tool that targets OSPF routing) at
http://sourceforge.net/projects/nemesis
NSA Security Configuration Guides
http://www.nsa.gov/snac/downloads_all.cfm
Questions?
Next week
Transport Layer Security