Network Protocols Pre.
Computer Forensics
Network Protocols
Overview for Network Forensics
Focus of this presentation
Protocols
With a few anecdotes, how-tos and previews thrown in.
Network Protocols: Layering
Complexity of networking leads to layered architectures.
TCP/IP stack has four layers.
OSI has seven.
Network Protocols: Layering
Each layer adds its own header (encapsulation):
Application data is wrapped in a TCP header, then an IP header, then a link-layer header.
Repetition:
Capturing Data on a Network
Develop a threat model before deploying Network Security Monitoring:
Internal / external attacker
Wireless / wired / …
Define monitoring zones:
Demilitarized zone
Wireless zone
Intranet zones
Repetition:
Capturing Data on a Network
Wired monitoring
Hubs
SPAN ports
Taps
Inline devices
Repetition:
Capturing Data on a Network
Hubs
Repeat incoming frames on all interfaces.
Be careful about NIC capacity (10/100/1000 Mb/sec): the monitoring NIC must keep up with the aggregate traffic.
Be careful about hub quality: many "dual-speed hubs" are really switches internally and will not repeat traffic to the monitor port.
Are inexpensive, but force half-duplex operation and can introduce collisions on the links where the hub sits.
Repetition:
Capturing Data on a Network
Switched Port Analyzer (SPAN)
A.k.a. port mirroring, port monitoring.
SPAN port located on enterprise-class switches.
Copies traffic between certain ports (or VLANs) to the SPAN port.
Configurable; easy access to traffic.
Can make mistakes with configuration.
Under heavy load, the SPAN port might not get all traffic: mirroring both directions of a full-duplex link onto a single port of the same speed oversubscribes it.
SPAN only allows monitoring of a single switch.
Repetition:
Capturing Data on a Network
Test Access Port (TAP)
Networking device specifically designed for monitoring applications.
Typically four ports: two network ports spliced into the link (e.g. toward the router and toward the firewall) and two monitor ports.
One monitor port sees incoming, the other outgoing traffic.
Moderately high cost.
Repetition:
Capturing Data on a Network
Specialized inline devices:
Server or hardware device
Filtering bridges
Server with OpenBSD and two NICs
Link Layer
Network Interface Cards (NIC)
Each NIC has a unique 48-bit Medium Access Control (MAC) address, written as twelve hex digits (six bytes).
First three bytes (the OUI) identify the vendor.
Last three bytes are assigned by the vendor (serial number).
NICs either accept only frames addressed to their own MAC (plus broadcast and subscribed multicast) or are in promiscuous mode (capture every frame).
Link Layer
Address Resolution Protocol (ARP)
Resolves IP addresses to MAC
addresses
RFC 826
Link Layer:
Address Resolution Protocol
Assume node A with IP address 10.10.10.100 and MAC 00:01:02:03:04:05 wants to talk to IP address 10.10.10.101.
Sends out a broadcast who-has request (a 42-byte frame: 14-byte Ethernet header plus 28-byte ARP packet):
00:01:02:03:04:05 > ff:ff:ff:ff:ff:ff; arp 42: who-has 10.10.10.101
All devices on the link receive the broadcast frame and hand it to their ARP module (not to the IP layer).
10.10.10.101 is the only one to answer, with a unicast reply:
a0:a0:a0:a0:a0:a0 > 00:01:02:03:04:05; arp 64: arp reply 10.10.10.101 is-at a0:a0:a0:a0:a0:a0
A caches the value in its ARP cache.
Link Layer: Address Resolution Protocol
ARP requests (figures: captured ARP request frames).
Link Layer Forensics
Network monitoring tools such as Argus or Ethereal (now Wireshark) log MAC addresses.
Link Layer Forensics
Example:
A spike in network traffic appears to come from a computer with a certain IP address.
However, Argus logs reveal that the traffic comes from a computer with a different MAC than the computer assigned that IP (spoofing).
Finally, intrusion response finds the computer with that MAC: a Linux laptop that has been compromised and is being used for a Denial of Service attack.
Link Layer Forensics
ARP cache can be viewed on Windows NT/2000/XP (and later) with the arp -a command; Unix-like systems also use arp -a, and Linux additionally offers ip neigh.
ATM
ATM (Asynchronous Transfer Mode)
runs over (typically fiber) links between ATM switches.
encapsulates data into fixed-size ATM cells.
A virtual path / virtual channel identifier (VPI/VCI) in each cell identifies the circuit that ATM has established between two computers.
ATMARP allows machines to discover ATM (hardware) addresses for IP addresses.
ATMARP has a central server that responds to ARP requests.
ATM forensics is similar.
Link Layer Evidence
Sniffers in promiscuous mode.
Intruders also use sniffers, typically monitoring traffic to / from the compromised system.
Sometimes they monitor themselves coming back to look at the sniffer logs.
Intruders sometimes encrypt their traffic: the defender's sniffers still see the packets, they just cannot read them.
Installing sniffers can violate wire-tapping and other laws and is resource-intensive.
FreeBSD / OpenBSD seem to be the best platforms.
Link Layer Evidence
Sniffer location:
On the compromised machine: evidence not trustworthy.
On a nearby host.
Switched Port Analyzer (SPAN)
Copies network traffic from one switch port to another.
Only copies valid Ethernet frames.
Does not duplicate all error information (runts, CRC errors are dropped).
Copying process has lower priority and some frames might not be mirrored.
Misses frames that never cross the mirrored ports, e.g. traffic local to another switch.
Link Layer Evidence
Sniffer configuration
Can capture entire frames.
Or only the first part (snapshot length).
Older tcpdump versions captured only the first 68 bytes by default; current versions capture whole frames unless -s is given.
Link Layer Evidence
Some organizations log ARP
information.
Routers keep ARP tables (Cisco IOS: show ip arp).
All hosts keep ARP tables.
DHCP servers keep a lease database, and some assign addresses only to computers with known MACs.
Link Layer Evidence
An employee received harassing e-mail from a host on the employer's network with IP address 192.168.1.65.
The DHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c.
This MAC belonged to a network printer.
The router's ARP table showed that the IP address 192.168.1.65 was used by a computer with MAC 00:30:65:4b:2a:5c.
Although this MAC was not on the organization's list, its vendor prefix is Apple's, there were only a few Apple computers on the network, and the culprit was soon found.
Link Layer Evidence
Analyze and filter log files:
Keyword searches
E.g. for USER, PASS, login
Nicknames, channel names
Filters
Reconstruction
E.g. contents of web-mail inbox.
Link Layer Evidence
NetIntercept screenshot: an example of a commercial Network Forensics / Network Intrusion Detection tool that reveals link layer evidence.
ARP Packet
RFC 826
ARP packet (carried in an Ethernet frame with EtherType 0x0806), byte offsets:
0-1: Hardware type (0x0001 = Ethernet)
2-3: Protocol type (0x0800 = IP)
4: Length of hardware address in bytes (6 for MAC)
5: Length of protocol address in bytes (4 for IPv4)
6-7: Opcode: 1 for ARP request, 2 for ARP reply
8-13: Sender MAC
14-17: Sender IP
18-23: Target MAC (all zeros in a request)
24-27: Target IP
ARP Packet
Ethereal (Wireshark) dissection of an ARP packet (screenshot).
Monitoring Tools
Arpwatch
monitors ethernet activity and keeps a
database of ethernet/ip address pairings.
Attacks on ARP
Packet generators for various OS:
hping2 (Unix; a Windows port exists).
*NIX, X Windows:
packit
http://sourceforge.net/projects/packitgui/
IP Sorcery
and many, many more.
Used to create arbitrary packets, including forged ARP replies.
RARP
RARP (Reverse Address Resolution Protocol, RFC 903)
Used to allow diskless systems to obtain their (fixed) IP address at boot.
System broadcasts a request containing its own MAC address and asks for the matching IP.
The responder looks the MAC up in a MAC-to-IP table that the administrator maintains.
Administrator needs to place this table on a host on the same link (RARP is not routed).
A RARP daemon (rarpd) responds to RARP requests.
RARP
RARP vulnerability
Use RARP together with ARP spoofing to
request an IP address and take part in
communications over the network.
RARP Packet
Same format as ARP (but carried with EtherType 0x8035):
0-1: Hardware type (0x0001 = Ethernet)
2-3: Protocol type (0x0800 = IP)
4: Length of hardware address in bytes (6 for MAC)
5: Length of protocol address in bytes (4 for IPv4)
6-7: Opcode: 3 for RARP request, 4 for RARP reply
8-13: Sender MAC
14-17: Sender IP
18-23: Target MAC (in a request: the MAC whose IP is being asked for)
24-27: Target IP (in a reply: the IP assigned to the target MAC)
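Added example, not part of the slides: a builder and parser for the 28-byte ARP/RARP packet laid out above, using exactly the offsets from the table (RARP opcodes 3/4 included). The `describe()` output mimics the tcpdump one-liners shown earlier; the sample addresses are the ones from the who-has example on the slides, and there is no real network I/O.

```python
import struct
from dataclasses import dataclass

# Byte layout from the slides: 2+2+1+1+2 fixed bytes, then 6/4/6/4 address bytes = 28 bytes.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)        # 28; plus a 14-byte Ethernet header = the "arp 42" frame
HTYPE_ETHERNET, PTYPE_IPV4 = 0x0001, 0x0800
# Opcodes 1/2 come from RFC 826, 3/4 from RFC 903 (RARP).
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def str_to_mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_to_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def str_to_ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Serialize the 28-byte ARP/RARP payload (no Ethernet header)."""
    if opcode not in OPCODES:
        raise ValueError(f"unknown opcode {opcode}")
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode,
                       str_to_mac(sender_mac), str_to_ip(sender_ip),
                       str_to_mac(target_mac), str_to_ip(target_ip))


def parse_arp(payload: bytes) -> ArpPacket:
    """Parse an ARP/RARP payload, rejecting anything that is truncated or not Ethernet/IPv4."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in OPCODES:
        raise ValueError(f"unknown opcode {op}")
    return ArpPacket(op, mac_to_str(smac), ip_to_str(sip), mac_to_str(tmac), ip_to_str(tip))


def describe(pkt: ArpPacket) -> str:
    """Render a packet in the tcpdump-like style used on the slides."""
    if pkt.opcode == 1:
        return f"arp who-has {pkt.target_ip} tell {pkt.sender_ip}"
    if pkt.opcode == 2:
        return f"arp reply {pkt.sender_ip} is-at {pkt.sender_mac}"
    if pkt.opcode == 3:
        return f"rarp who-is {pkt.target_mac} tell {pkt.sender_mac}"
    return f"rarp reply {pkt.target_mac} at {pkt.target_ip}"


if __name__ == "__main__":
    # The exchange from the slides: A (10.10.10.100) asks for 10.10.10.101.
    req = build_arp(1, "00:01:02:03:04:05", "10.10.10.100", "00:00:00:00:00:00", "10.10.10.101")
    rep = build_arp(2, "a0:a0:a0:a0:a0:a0", "10.10.10.101", "00:01:02:03:04:05", "10.10.10.100")
    for raw in (req, rep):
        print(describe(parse_arp(raw)))
```

Note that `parse_arp` validates the hardware/protocol type and length bytes before trusting the address fields; a forensic parser that skips this will happily mis-decode non-Ethernet ARP or truncated captures.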
IP
Uses IP addresses of source and destination.
IP datagrams are moved from hop to hop.
"Best effort" service: no delivery guarantee.
Corrupted datagrams (bad header checksum) are detected and dropped.
IP
Transport endpoints are identified by IP address plus port number (the port belongs to TCP/UDP, not to IP).
IPv4 addresses are 32 bits long.
IPv6 addresses are 128 bits long (8 groups of 16 bits).
IP: ICMP
Internet Control Message Protocol
Reports errors (conditions that retransmission alone will not fix) and carries diagnostics for IP, for example:
Fragmentation is necessary, but the Don't Fragment (DF) flag is set.
UDP datagram sent to a non-listening port (port unreachable).
Ping (echo request / echo reply).
IP: ICMP
ICMP error messages should not be sent:
For any but the first fragment (only the first fragment carries the transport header).
For a datagram whose source address is a broadcast, loopback, zero or multicast address.
Such datagrams are probably malicious, anyway.
IP: ICMP
ICMP errors are not sent:
In response to an ICMP error message.
Otherwise, an attacker could craft a message with invalid UDP source and destination ports and watch the two hosts play ICMP ping-pong forever.
For a destination broadcast address.
Don't answer with destination unreachable for a broadcast; otherwise this makes it trivial to scan a network.
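Added example, not from the slides: the suppression rules above turned into a decision function, plus a small "what ICMP error would this packet trigger" helper covering the two cases named earlier (UDP to a closed port, DF set and datagram too large). Packets are constructed dicts, not real captures; the subnet passed as `local_net` is an assumption needed to recognise the directed-broadcast address.

```python
import ipaddress

ICMP, TCP, UDP = 1, 6, 17
# ICMP types that are themselves error messages: destination unreachable, source quench,
# redirect, time exceeded, parameter problem.  Never answer these with another error.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def icmp_error_allowed(pkt: dict, local_net: str):
    """Apply the RFC 1122 suppression rules from the slides to the packet that would
    trigger an ICMP error.  pkt has keys src, dst, proto, optional frag_offset and
    icmp_type.  local_net (assumed, e.g. "129.210.19.0/24") is the receiving
    interface's subnet, needed to recognise its directed-broadcast address.
    Returns (allowed, reason)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    bcast = ipaddress.ip_network(local_net).broadcast_address
    if pkt.get("frag_offset", 0) != 0:
        return False, "not the first fragment"
    if pkt["proto"] == ICMP and pkt.get("icmp_type") in ICMP_ERROR_TYPES:
        return False, "would reply to an ICMP error (ping-pong)"
    if dst.is_multicast or dst in (bcast, LIMITED_BROADCAST):
        return False, "destination is broadcast/multicast"
    if (src.is_loopback or src.is_multicast or src.is_unspecified
            or src in (bcast, LIMITED_BROADCAST)):
        return False, "source is not a unicast host address"
    return True, "ok"


def icmp_response(pkt: dict, listening_udp_ports: set, mtu: int, local_net: str):
    """Decide which ICMP message (type, code) to emit for pkt, or None.
    Covers the two triggers on the slides: UDP to a closed port (3, 3) and a datagram
    larger than the MTU with DF set (3, 4); the suppression rules are applied last."""
    trigger = None
    if pkt["proto"] == UDP and pkt.get("dport") not in listening_udp_ports:
        trigger = (3, 3)                       # port unreachable
    if pkt.get("df") and pkt.get("length", 0) > mtu:
        trigger = (3, 4)                       # fragmentation needed and DF set
    if trigger is None:
        return None
    allowed, _reason = icmp_error_allowed(pkt, local_net)
    return trigger if allowed else None


if __name__ == "__main__":
    net = "129.210.19.0/24"                    # assumed local subnet
    samples = [
        {"src": "10.0.0.5", "dst": "129.210.19.198", "proto": UDP, "dport": 9},
        {"src": "10.0.0.5", "dst": "129.210.19.255", "proto": UDP, "dport": 9},
        {"src": "127.0.0.1", "dst": "129.210.19.198", "proto": UDP, "dport": 9},
        {"src": "10.0.0.5", "dst": "129.210.19.198", "proto": ICMP, "icmp_type": 3, "df": True, "length": 2000},
    ]
    for s in samples:
        print(s["src"], "->", s["dst"], icmp_response(s, {53, 123}, 1500, net), icmp_error_allowed(s, net)[1])
```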
Transport Layer: TCP and UDP
Transmission Control Protocol (TCP)
Reliable.
Connection-oriented.
Higher overhead (handshake, acknowledgements, retransmission).
User Datagram Protocol (UDP)
Unreliable.
Connectionless.
Fast.
TCP
Only supports unicasting.
Full duplex connection.
Sequence numbers to detect loss of segments and to reorder them.
TCP:
Three Way Handshake
Initiator to responder: SYN with initial sequence number s
Responder to initiator: SYN with initial sequence number t, ACK of s+1
Initiator to responder: ACK of t+1
Sets up one connection with two independent data streams, with initial sequence numbers s and t.
TCP:
Three Way Handshake
20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)
20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)
TCP:
Terminating Connections
Graceful shutdown
Party 1 to Party 2: FIN
Party 2 to Party 1: ACK
Party 2 to Party 1: FIN
Party 1 to Party 2: ACK
Abrupt shutdown
Party 1 to Party 2: RST
TCP:
Shutting down a connection
20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)
20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)
20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)
20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)
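Added example, not part of the slides: a small parser for the classic tcpdump TCP line format used in these captures and a per-connection state tracker that follows the three-way handshake (checking that the SYN/ACK acknowledges s+1) and the FIN/ACK teardown. The two capture excerpts are the ones printed on the slides (handshake on client port 1316, teardown on client port 1570); everything else is assumed.

```python
import re
from collections import defaultdict

# Classic tcpdump TCP line: "<ts> IP <src> > <dst>: <flags> [<seq>:<end>(<len>)] [ack <n>] win ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)


def parse_line(line: str):
    """Return a dict for a TCP line, or None for lines of other protocols."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "src": d["src"], "dst": d["dst"], "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] else None,
            "len": int(d["len"]) if d["len"] else 0,
            "ack": int(d["ack"]) if d["ack"] else None}


class Connection:
    """Tracks one TCP connection through handshake, data transfer and teardown."""

    def __init__(self):
        self.state = "CLOSED"
        self.client = None
        self.isn = {}                       # endpoint -> initial sequence number
        self.fins = set()                   # endpoints that have sent FIN
        self.bytes = defaultdict(int)       # endpoint -> payload bytes sent

    def feed(self, p: dict):
        f = p["flags"]
        self.bytes[p["src"]] += p["len"]
        if "R" in f:                                   # abrupt shutdown
            self.state = "RESET"
        elif "S" in f and p["ack"] is None:            # SYN carrying s
            self.client, self.isn[p["src"]] = p["src"], p["seq"]
            self.state = "SYN_SENT"
        elif "S" in f:                                 # SYN/ACK carrying t, must ack s+1
            self.isn[p["src"]] = p["seq"]
            expected = self.isn.get(p["dst"])
            ok = expected is not None and p["ack"] == expected + 1
            self.state = "SYN_RECEIVED" if ok else "BAD_SYNACK"
        elif "F" in f:                                 # graceful shutdown, one FIN per side
            self.fins.add(p["src"])
            self.state = "FIN_WAIT" if len(self.fins) == 1 else "LAST_ACK"
        elif self.state == "SYN_RECEIVED":             # third handshake segment (tcpdump: "ack 1")
            self.state = "ESTABLISHED"
        elif self.state == "LAST_ACK":                 # ACK of the second FIN
            self.state = "CLOSED"
        elif self.state == "CLOSED" and p["ack"] is not None:   # capture started mid-stream
            self.state = "ESTABLISHED"


def track(lines):
    """Return {(endpoint_a, endpoint_b): Connection} for all TCP lines in a capture."""
    conns = {}
    for line in lines:
        p = parse_line(line)
        if p is not None:
            key = tuple(sorted((p["src"], p["dst"])))
            conns.setdefault(key, Connection()).feed(p)
    return conns


# The two excerpts shown on the slides.
HANDSHAKE = [
    "20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    "20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)",
    "20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)",
]
TEARDOWN = [
    "20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)",
    "20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)",
    "20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)",
    "20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)",
    "20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)",
    "20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)",
    "20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)",
    "20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)",
]

if __name__ == "__main__":
    for key, c in track(HANDSHAKE + TEARDOWN).items():
        print(key, c.state, dict(c.bytes))
```

The teardown excerpt has no handshake, so the tracker treats the first acknowledged segment as a connection picked up mid-stream; a BAD_SYNACK state flags a responder acknowledging the wrong number, which is exactly what a blind sequence-number guess looks like on the wire.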
TCP
Exchanging Data
Each segment has a sequence number.
(One sequence space for each direction.)
Initial sequence numbers are chosen during the three-way handshake.
Nmap uses the way these initial sequence numbers are generated to fingerprint the OS.
Operating systems are now much better at using truly random initial sequence numbers.
TCP
Exchanging Data
Party that receives a segment sends an acknowledgement.
Acknowledgement consists of
ACK flag.
Sequence number of the next byte expected.
TCP
Exchanging Data
If a segment is lost, the ack number will not advance:
"Duplicate acknowledgement"
After three duplicate acks the sender retransmits (fast retransmit).
Also, resend after timeout.
TCP
Exchanging Data
20:48:45.087563 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 4 win 16959 (DF)
20:48:45.087583 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 3:4(1) ack 4 win 16959 (DF)
20:48:45.096443 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 4:5(1) ack 4 win 32768 (DF)
20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
TCP flags
Part of the TCP header.
F : FIN - Finish; no more data from the sender, end of session
S : SYN - Synchronize; request to start a session (carries the initial sequence number)
R : RST - Reset; drop a connection
P : PSH - Push; deliver buffered data to the application immediately
A : ACK - Acknowledgement number is valid
U : URG - Urgent pointer is valid
E : ECE - Explicit Congestion Notification Echo
W : CWR - Congestion Window Reduced
UDP
"Send and pray"
No connection.
Much simpler header than TCP: 8 bytes (source port, destination port, length, checksum).
Protocol field in the IP header is 17 (0x11).
The UDP header follows the IP header inside the IP payload; the IP header itself carries no UDP-specific information.
Fragmentation
An IP datagram can come across links with a smaller maximum transmission unit (MTU) than its own size.
The sending host or a forwarding router chops up the IP datagram into several IP datagrams, the fragments.
Fragmentation
Fragments are reassembled at the destination only.
Fragments carry:
Fragment identifier (the IP ID field, shared by all fragments of one datagram)
Offset of the fragment in the original data portion (in 8-byte units)
Length of data payload in fragment
A flag (MF, more fragments) that indicates whether or not this is the final fragment.
Fragmentation
Example
Large echo request:
ping -l 1480 129.218.19.198
Assume MTU is 1500.
Fragmentation (figures: first fragment, second fragment, last fragment).
Fragmentation
ping -l 65500 129.218.19.198
12:02:18.256066 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag 10712:1472@0+)
12:02:18.257282 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@1472+)
12:02:18.258498 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@2944+)
12:02:18.258502 IP dhcp-19-115.engr.scu.edu.137 > 129.210.19.255.137: udp 50
12:02:18.259714 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@4416+)
12:02:18.261177 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@5888+)
12:02:18.262389 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@7360+)
12:02:18.263604 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@8832+)
12:02:18.264820 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@10304+)
12:02:18.266037 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@11776+)
12:02:18.267495 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@13248+)
12:02:18.268712 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@14720+)
Fragmentation
DF (Don't Fragment) Flag
If a forwarding node finds that the datagram needs to be fragmented but the DF flag is set, it drops the datagram and responds with ICMP destination unreachable, code 4: fragmentation needed and DF set.
Useful to find the minimum MTU along a path (path MTU discovery).
Fragmentation
Stateless firewalls look only at individual packets.
The transport (TCP/UDP) header is only in the first fragment.
"Stealth attacks / scans" put the evil payload only in the second and following fragments, or overwrite the first fragment's header fields with an overlapping second fragment.
Fragments:
Teardrop and Friends
Teardrop (1997)
Fragments with overlapping offset fields.
Many contemporary OS crashed, hung or rebooted.
Jolt2
Single fragment with non-zero offset, sent repeatedly.
Receiving system allocates resources to reconstruct a datagram that never completes.
Fragments:
Teardrop and Friends
Ping of Death
Fragments whose offset plus length exceeds the 65535-byte IP maximum.
Trusting OS tries to allocate memory (or overruns its reassembly buffer) and dies.
Win95 allowed sending a ping that was just a tad too long (ping -l 65510); the receiving host would crash.
Unnamed attacks
Missing fragments lead to resource allocation that is held until the reassembly timer expires.
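Added example, not from the slides: a fragment reassembler that reads tcpdump's `(frag id:len@offset+)` annotation and reports the conditions described above: overlapping fragments (Teardrop), a fragment with no first fragment to attach to (Jolt2), a datagram that would exceed 65535 bytes (Ping of Death), and a datagram whose last fragment never arrives. The eleven capture lines are the ones from the ping -l 65500 slide; the attack inputs are constructed.

```python
import re
from collections import defaultdict

# tcpdump's fragment annotation: (frag <id>:<bytes>@<offset>[+]), "+" = more fragments follow.
FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)")
MAX_DATAGRAM = 65535        # the IP total-length field is 16 bits


def parse_frag(line: str):
    m = FRAG_RE.search(line)
    if not m:
        return None
    return int(m["id"]), int(m["off"]), int(m["len"]), m["more"] == "+"


class Reassembler:
    """Collects fragments per datagram id and reports the anomalies the slides describe."""

    def __init__(self):
        self.frags = defaultdict(list)      # id -> [(offset, length, more_fragments)]

    def add(self, line: str) -> bool:
        """Record a fragment line; returns False for lines that carry no fragment."""
        f = parse_frag(line)
        if f is None:
            return False
        self.frags[f[0]].append(f[1:])
        return True

    def analyze(self, dgram_id: int) -> dict:
        parts = sorted(self.frags.get(dgram_id, []))
        issues = []
        if not parts or parts[0][0] != 0:
            issues.append("first fragment missing")     # Jolt2-style: nothing to attach to
        end = parts[0][0] if parts else 0               # first byte not yet covered
        for off, length, more in parts:
            if off < end:
                issues.append(f"overlap at offset {off}")   # Teardrop-style
            elif off > end:
                issues.append(f"gap at offset {end}")
            end = max(end, off + length)
        if parts and parts[-1][2]:
            issues.append("last fragment missing")      # buffer held until the reassembly timer fires
        if end > MAX_DATAGRAM:
            issues.append("reassembled size exceeds 65535")   # Ping of Death
        return {"id": dgram_id, "fragments": len(parts), "total": end, "issues": issues}


# Capture lines from the slide (the NetBIOS line in the middle is unrelated traffic).
PAGE_CAPTURE = [
    "12:02:18.256066 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag 10712:1472@0+)",
    "12:02:18.257282 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@1472+)",
    "12:02:18.258498 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@2944+)",
    "12:02:18.258502 IP dhcp-19-115.engr.scu.edu.137 > 129.210.19.255.137: udp 50",
    "12:02:18.259714 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@4416+)",
    "12:02:18.261177 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@5888+)",
    "12:02:18.262389 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@7360+)",
    "12:02:18.263604 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@8832+)",
    "12:02:18.264820 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@10304+)",
    "12:02:18.266037 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@11776+)",
    "12:02:18.267495 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@13248+)",
    "12:02:18.268712 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@14720+)",
]
# Constructed attack inputs (ids 1-3 are made up).
TEARDROP = ["x (frag 1:36@0+)", "x (frag 1:4@24)"]          # second fragment overlaps the first
JOLT2 = ["x (frag 2:8@800)"]                                 # lone fragment, no first fragment
PING_OF_DEATH = ["x (frag 3:1472@0+)", "x (frag 3:32@65520)"]  # 65520 + 32 > 65535

if __name__ == "__main__":
    for name, lines, dgram_id in (("slide", PAGE_CAPTURE, 10712), ("teardrop", TEARDROP, 1),
                                  ("jolt2", JOLT2, 2), ("ping of death", PING_OF_DEATH, 3)):
        r = Reassembler()
        for line in lines:
            r.add(line)
        print(name, r.analyze(dgram_id))
```

The slide capture itself comes out as "last fragment missing" because the excerpt stops after eleven of the fragments; on a full capture that verdict would only appear for a datagram whose tail never arrived, the resource-exhaustion case the slide calls an unnamed attack.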
ICMP
ICMP has no port numbers.
No acks, no message delivery guarantee.
Type and code assignments: http://www.iana.org/assignments/icmp-parameters
First byte: type
Second byte: code
ICMP
Attackers can use ICMP for scanning:
Mapping techniques.
Detect live hosts.
Detect the OS through differences in responses.
ICMP
Tireless Mapper
Sends ICMP echo request messages to all possible IP addresses.
Many IDS might not flag this scan if the number of packets per hour is small.
Firewalls should filter incoming ping requests.
ICMP
Efficient Mapper
Use the ICMP echo request with a broadcast address.
ping 129.210.19.255
ICMP
Clever Mapper
Use a different ICMP message such as ICMP address mask request.
The address mask reply gives away the subnet mask.
ICMP
Normal messages:
Host unreachable
Port unreachable
Admin prohibited
Need to fragment
Time exceeded in transit
Malicious ICMP: Smurf Attack
Smurf attack on victim 129.219.19.198
Step 1: Send ICMP echo request to a broadcast address with spoofed source IP 129.219.19.198.
Step 2: Router allows in the ICMP echo request to the (directed) broadcast address.
Step 3: All live hosts respond with ICMP echo replies to the spoofed source IP, i.e. the victim.
Malicious ICMP: Smurf Attack
Denial of Service attack.
Effort of attacker << effort of victim.
Uses the ICMP replies from the whole network as an amplifier.
Works well if the victim has a slow connection.
Countermeasure: routers drop directed broadcasts (Cisco IOS: no ip directed-broadcast) and hosts ignore broadcast pings.
Malicious ICMP:
Tribe Flood Network (TFN)
Includes Smurf-style floods among its attack modes.
Creates zombies out of compromised machines.
Compromised machines use a trigger to start bombarding a victim with requests.
Many variations on this theme.
Malicious ICMP:
Winfreeze (obsolete)
Uses the ICMP redirect message.
Legal use is to update routing
information.
Flood of redirect message causes the
victim (Win95 / Win98) to redirect
traffic to itself via random hosts.
Victim spends too much time updating
routing table.
Malicious ICMP: Loki
Uses ICMP packets for a covert channel.
A compromised host with a Loki server responds to requests from a Loki client.
Requests are sent via ping messages with data embedded in the ICMP payload.
Originally used bytes 6 and 7.
Originally described in Phrack 49 (1996); the LOKI2 implementation followed in Phrack 51.
Malicious ICMP:
Simple Counter-Measures
Limit ICMP messages at the firewall.
Leads to inefficiencies, such as trying a TCP connection to a host that is down (no unreachable comes back).
Must still admit "fragmentation needed" (type 3, code 4) messages for path MTU discovery.
Log those that are let through.
FTP
Uses TCP.
Active / passive FTP.
Both use server port 21 for the control connection (FTP commands).
Active FTP:
Server connects from its port 20 back to an ephemeral port that the client announced with the PORT command.
FTP: Active FTP Example:
Command channel between server8.engr.scu.edu.21 and Bobadilla.1628.
Dir command creates a new connection between server9.engr.scu.edu.20 and Bobadilla.5001.
FTP
The opening of a connection from the outside to an ephemeral port is dangerous (a firewall must parse the PORT command to allow it safely).
Passive FTP: the client initiates the data connection to an ephemeral port that the server announces in its reply to PASV.
Malicious TCP Use:
Mitnick Attack (obsolete)
SYN flood
Goal is to disconnect the victim from the net.
Throws hundreds / thousands of SYN packets.
Source address is spoofed, so the SYN/ACKs go nowhere and the half-open connections linger.
Recipient's backlog queue of half-open connections fills up; new connections are refused.
Still works at DDoS scale (SYN cookies protect the backlog, not the bandwidth).
Malicious TCP Use:
Mitnick Attack (obsolete)
Identify trust relationships.
Extensive network mapping: nbtstat, finger, showmount, rpcinfo -p, …
rpcinfo provides information about the remote procedure call services and their ports.
Malicious TCP Use:
Mitnick Attack (obsolete)
Initiate a number of TCP connections to the host.
Send SYN packet. Receive SYN/ACK packet. Send RST so that the victim is not flooded.
Observe the initial sequence number values across the different connections.
Can they be predicted?
Malicious TCP Use:
Mitnick Attack (obsolete)
Setting: the victim trusts host B (r-services, .rhosts); the attacker is a third machine.
Malicious TCP Use:
Mitnick Attack (obsolete)
Attacker can predict the sequence number that the victim expects.
Malicious TCP Use:
Mitnick Attack (obsolete)
Attacker SYN floods B.
B cannot respond.
Malicious TCP Use:
Mitnick Attack (obsolete)
Attacker takes over B's identity: spoofs a SYN from B to the victim.
Malicious TCP Use:
Mitnick Attack (obsolete)
Victim responds with SYN / ACK to B.
B (flooded) does not respond, so it never sends the RST that would tear the forged connection down.
Malicious TCP Use:
Mitnick Attack (obsolete)
Attacker sends the ACK with the guessed sequence number to the victim, still spoofed as B.
Malicious TCP Use:
Mitnick Attack (obsolete)
Attacker sends another spoofed TCP packet with payload: rsh victim "echo + + >> .rhosts"
("+ +" is the .rhosts wildcard: any host, any user.)
Malicious TCP Use:
Mitnick Attack (obsolete)
Now the victim trusts everyone.
Malicious TCP Use:
Mitnick Attack (obsolete)
Attacker terminates the connection with a FIN / ACK exchange (still blind, still as B).
Malicious TCP Use:
Mitnick Attack (obsolete)
To wake up B, attacker sends it a bunch of RSTs to clear the half-open connections left by the SYN flood.
Malicious TCP Use:
Mitnick Attack (obsolete)
Attacker now starts a new connection with the victim from its own address and is trusted.
Malicious TCP Use:
Mitnick Attack Detection
Network-based intrusion detection (NID) can find the original site mapping.
NID can find the reconnaissance by spotting the finger, showmount, rpcinfo etc. probes.
showmount and rpcinfo both talk to the portmapper on port 111 (finger uses port 79).
Port 111 is a dangerous port and a frequent scan target.
Malicious TCP Use:
Mitnick Attack Detection
Host scans: log instances where a single system accesses multiple hosts at the same time.
Host-based Intrusion Detection (HID) can find access to a single port.
HID / Tripwire could find changes to .rhosts.
Malicious TCP Use:
Mitnick Attack Detection
Computer Forensics can detect the attack by
Logging network traffic.
Examining the MAC times (modify / access / change timestamps) of important files (.rhosts).
Malicious TCP Use:
Mitnick Attack Prevention
Router-based firewall blocks certain types of traffic.
Host-based firewall blocks
Network mapping.
SYN flooding.
Access to dangerous ports.
Security policy
Disallows reconnaissance tools.
Enforces better authentication than address-based trust.
Domain Name Servers
Provide mapping from host names to IP addresses.
DNS resolution process
Client (the resolver, e.g. via gethostbyname) sends a query to the local domain name server.
Local domain name server sends back the IP address.
Uses UDP port 53 (almost exclusively; TCP for zone transfers and large responses).
DNS: Resolution protocol
1. Client to local DNS server: query (gethostbyname).
2. Local DNS server forwards the request to a root server.
3. Root server returns the name of the authoritative (remote) DNS server.
4. Local DNS server queries the remote DNS server.
5. Remote DNS server answers with the IP address.
6. Local DNS server gives the data to the client.
DNS
Use caching to prevent overload by root
servers.
DNS records have a TTL
Responding DNS server sets TTL.
Receiving DNS server caches record for
TTL time.
DNS: Reverse Lookup
IP address to host name.
Query for 1.2.3.4 is sent as a PTR query for 4.3.2.1.in-addr.arpa (octets reversed).
DNS:
Master - Slave Name Servers
Each domain has a single master (primary) DNS server.
Add slaves (secondaries) for redundancy.
Slave server periodically contacts the master (comparing the SOA serial) to see whether there are changes.
Older BIND downloaded the whole zone (AXFR) even if only one record had changed; newer versions support incremental transfers (IXFR).
DNS
Zone Transfer
Slave server initiates the zone transfer from master to slave.
Uses TCP, port 53.
Attackers like zone transfers:
Gives all IP addresses and names in the zone.
Newer versions of BIND limit transfers based on IP address (allow-transfer).
DNS:
Abuse for Reconnaissance
nslookup: Get name servers.
DNS:
Abuse for Reconnaissance
HINFO: host information.
DNS:
Abuse for Reconnaissance
List the zone map information.
> ls -d engr.scu.edu in nslookup (requests a zone transfer)
DNS:
Abuses and Problems
DNS cache poisoning
Affects BIND versions before 8.1.1.
Based on lack of authentication
Some BIND versions cache every DNS
data they see.
DNS Cache Poisoning
Attack on Hillary Clinton's Run for Senate Website
Traffic to www.hillary2000.org was redirected to www.hillaryno.com by poisoning caches with the hillaryno.com server's address (206.245.150.74) for the hillary2000.org name.
DNS Cache Poisoning
Step 1: Evil sends a bogus query to the victim’s
name server that contains data
www.hillary2000.org at 206.245.150.74
DNS Cache Poisoning
Step 2: Name server accepts the bogus
information (even though it is contained
in a query).
Step 3: Victim requests IP address of
hillary2000.org and is directed to
hillaryno.com.
Vulnerability arises from lack of
authentication and of using queries to
update entries at the queried server.
DNS Cache Poisoning
Birthday Attack
Attacker sends large number of queries to a
vulnerable name server asking for hillary2000.
Attacker sends an equal number of phony replies
(with the poisoned data).
Name server will generate requests to resolve
hillary2000.
With high probability, one of the phony answers
will have the same transaction number as the
name server’s query.
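Added example, not from the slides: the arithmetic behind the birthday attack just described. With 16-bit transaction IDs, forging a reply to a single outstanding query succeeds with probability n/65536 for n guesses; forcing n outstanding queries and sending n forged replies succeeds with the birthday probability. The model assumes the outstanding IDs and the forged IDs are each distinct and uniformly random, and ignores the source-port check that modern resolvers add.

```python
import math

ID_SPACE = 1 << 16      # DNS transaction IDs are 16 bits


def p_single_spoof(replies: int) -> float:
    """One outstanding query; the attacker sends `replies` forged answers with distinct guessed IDs."""
    return min(1.0, replies / ID_SPACE)


def p_birthday(queries: int, replies: int) -> float:
    """Probability that at least one of `replies` forged answers (distinct random IDs)
    matches one of `queries` outstanding queries (distinct random IDs).
    P(no match) = C(N - q, r) / C(N, r) = prod_{i<r} (N - q - i) / (N - i), computed in logs."""
    if queries <= 0 or replies <= 0:
        return 0.0
    if queries + replies > ID_SPACE:     # pigeonhole: a collision is certain
        return 1.0
    log_miss = sum(math.log(ID_SPACE - queries - i) - math.log(ID_SPACE - i)
                   for i in range(replies))
    return 1.0 - math.exp(log_miss)


def queries_needed(target: float) -> int:
    """Smallest n such that n forced queries plus n forged replies succeed with probability >= target."""
    n = 1
    while p_birthday(n, n) < target:
        n += 1
    return n


if __name__ == "__main__":
    for n in (100, 300, 700):
        print(f"n={n}: single-query spoof {p_single_spoof(n):.4f}, birthday {p_birthday(n, n):.4f}")
    print("queries for 50%:", queries_needed(0.5), "for 99%:", queries_needed(0.99))
```

The gap is the whole point of the attack: a few hundred packets give the attacker a coin flip, where guessing against a single query would need tens of thousands.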
DNS: The Bind Birthday Attack
DNS Cache Poisoning
Redirect traffic to a fake Pay-Pal or other ecommerce site.
Set-up Man in the Middle Attacks
Defenses:
Domain Owner has to rely on the DNS system.
ISP name server admin needs to protect by
Updating BIND or replacing it with djbdns
Two name servers, one for the public domain information
to the outside, another for internal use.
End user has to rely on the DNS system.
Routing
Local routing table: netstat -r
Static routing
IP layer searches the routing table in the following order:
Search for a matching destination host address.
Search for a matching destination network address.
Search for a default entry.
Routing
Static routes are typically added during the boot process.
Administrative changes with the "route" command.
ICMP router discovery messages.
Routing Changes
A host might have inefficient entries in the routing table.
ICMP Router Discovery Protocol (IRDP)
ICMP redirect messages
ICMP router discovery messages
IRDP needs to be enabled.
Routing Changes
ICMP Redirect Message
A sends message to D.
Routing table says to send to B first.
Routing Changes
ICMP Redirect Message
B forwards to C
B informs A that there is a direct route to C
ICMP Redirect Message
Routing Changes
ICMP Redirect Message
C forwards the packet to the target.
A updates its routing table.
IRDP DoS Exploit
Attacker (E) sends a spoofed IRDP router advertisement to A.
A updates its routing table to reflect the bogus default gateway.
A loses connectivity.
IRDP Windows Exploit
Windows (95, 98, 2000) and some Solaris systems
are vulnerable.
If a Windows hosts runs a Dynamic Host
Configuration Protocol (DHCP) client, it obtains its
default route from the DHCP server.
ICMP router advertisement can be spoofed.
First router advertisement is checked for correct IP
address.
Second router advertisement is erroneously not.
IRDP Windows Exploit
Attacker sends two ICMP router
advertisements to victim.
Victim updates its default gateway to IP
determined by attacker.
Use for man in the middle attacks or
DoS.
ARP Poisoning
Address Resolution Protocol associates MAC addresses with IP addresses.
Four messages:
ARP request: "Who has this IP?"
ARP reply: "I have this IP. My MAC is …"
RARP request: "Which IP belongs to this MAC?"
RARP reply: "That MAC has IP …"
ARP Poisoning
ARP is very efficient, but does not do any authentication.
Many OS still accept ARP replies even without having sent an ARP request (unsolicited replies).
ARP poisoning: spoofing an ARP packet with false ARP data.
ARP Poisoning
Denial of Service:
Spoofed ARP message can associate the
default gateway address with a nonexisting MAC.
Traffic to the outside is no longer picked
up.
ARP Poisoning
Man in the Middle
Intercept traffic between devices A and B.
A has IP IA and MAC MA.
B has IP IB and MAC MB.
Attacker has machine C with MAC MC.
Attacker sends an ARP reply to B: IA is at MC.
B updates its ARP cache entry: IA is at MC.
Attacker sends an ARP reply to A: IB is at MC.
A updates its ARP cache entry: IB is at MC.
A sends traffic for IB in a layer 2 (Ethernet) frame addressed to MC.
C intercepts the packet and forwards it to MB.
Traffic from A to B (and vice versa) now flows through C.
ARP Poisoning
MAC flooding
Switches maintain a MAC-to-port table (CAM table) learned from source addresses.
Traffic only flows to the port of the destination.
Attacker sends lots of frames with bogus source MAC addresses to the switch.
Switch's CAM table fills up.
Switches either stop functioning (DoS attack) or fail open into hub mode.
Switch in hub mode forwards a packet to all ports.
Allows traffic to be sniffed.
ARP Poisoning
Small networks:
Could use a static ARP table.
Disables ARP messaging.
All ARP entries need to be put in by hand and
maintained.
Will not work with DHCP.
Maintenance becomes quickly impossible with
larger size of network.
Some Win OS will still accept and use dynamic
ARP updates, even if all routes are statically
encoded.
ARP Poisoning
Large Networks
Use port security features on higher-end switches.
Allow only one (or a few known) MAC addresses per port.
Prevents an attacker from flooding the CAM table or appearing on more than one port; it does not by itself stop forged ARP replies from a legitimately connected port.
All networks
Monitor ARP traffic (ARP monitoring tool)
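Added example, not from the slides: an arpwatch-style monitor that keeps an IP-to-MAC pairing database and raises the alerts a forensic analyst wants, for the ARP poisoning cases above and for the harassing-e-mail case in the Link Layer Evidence section (DHCP lease says printer, wire says a different MAC). The lease table, gateway address, two-second request/reply window and the observation stream are constructed; the MACs and IP are the ones quoted in that case.

```python
class ArpMonitor:
    """arpwatch-style IP/MAC pairing database with three checks: replies nobody asked for,
    disagreement with the DHCP lease database, and an IP (especially the gateway) changing MAC."""

    def __init__(self, dhcp_leases: dict, gateway_ip: str, window: float = 2.0):
        self.leases = dict(dhcp_leases)     # ip -> mac, from the DHCP server database
        self.gateway_ip = gateway_ip
        self.window = window                # seconds a reply may trail its request (assumed)
        self.pairings = {}                  # ip -> mac last seen on the wire
        self.pending = {}                   # ip being asked for -> time of the last who-has
        self.alerts = []                    # (ts, kind, ip, mac)

    def observe(self, ts: float, op: str, sender_ip: str, sender_mac: str, target_ip: str = ""):
        """Feed one decoded ARP packet: op is "request" (who-has target_ip) or "reply" (sender_ip is-at sender_mac)."""
        if op == "request":
            self.pending[target_ip] = ts
            return
        if op != "reply":
            raise ValueError(f"unknown ARP op {op!r}")
        asked = self.pending.get(sender_ip)
        if asked is None or ts - asked > self.window:
            self.alerts.append((ts, "unsolicited reply", sender_ip, sender_mac))
        lease = self.leases.get(sender_ip)
        if lease is not None and lease != sender_mac:
            self.alerts.append((ts, "lease mismatch", sender_ip, sender_mac))
        prev = self.pairings.get(sender_ip)
        if prev is None and lease is None:
            self.alerts.append((ts, "new station", sender_ip, sender_mac))
        elif prev is not None and prev != sender_mac:
            kind = "gateway changed" if sender_ip == self.gateway_ip else "flip flop"
            self.alerts.append((ts, kind, sender_ip, sender_mac))
        self.pairings[sender_ip] = sender_mac

    def kinds(self):
        return sorted({a[1] for a in self.alerts})


# Constructed scenario: the printer's lease from the harassing-e-mail case, plus an assumed gateway.
LEASES = {"192.168.1.65": "00:00:48:5c:3a:6c", "192.168.1.1": "00:11:22:33:44:55"}
GATEWAY = "192.168.1.1"
STREAM = [
    (0.0, "request", "192.168.1.10", "aa:aa:aa:aa:aa:aa", "192.168.1.65"),
    (0.1, "reply", "192.168.1.65", "00:00:48:5c:3a:6c", "192.168.1.10"),   # the printer answers: fine
    (5.0, "reply", "192.168.1.65", "00:30:65:4b:2a:5c", "192.168.1.10"),   # the Apple laptop claims the printer's IP
    (6.0, "request", "192.168.1.10", "aa:aa:aa:aa:aa:aa", "192.168.1.1"),
    (6.1, "reply", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10"),    # real gateway
    (9.0, "reply", "192.168.1.1", "cc:cc:cc:cc:cc:cc", "192.168.1.10"),    # man-in-the-middle poisoning the gateway entry
]


def run(stream=STREAM) -> "ArpMonitor":
    m = ArpMonitor(LEASES, GATEWAY)
    for ts, op, sip, smac, tip in stream:
        m.observe(ts, op, sip, smac, tip)
    return m


if __name__ == "__main__":
    for alert in run().alerts:
        print(alert)
```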
IP Options
IP options enhance the IP protocol:
Security
Stream Identification
Internet Timestamp
Loose Source Routing
Strict Source Routing
Record Route
The routing options are security risks.
IP Route Options
Loose Source Routing specifies a list of nodes the datagram must pass through, in order, with any path allowed in between.
Strict Source Routing specifies the route completely: every hop must be the next listed node (at most 9 addresses fit in the 40 bytes of option space).
Record Route does not alter the routing but requires every forwarding node to record its address.
Detecting IP Source Routing
IP header is larger than 20 B (IHL > 5).
IP option type byte has a hex value of
83: loose source routing
89: strict source routing
tcpdump / BPF filter: ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 0x89)
Caveat: this only tests the first option byte; a source-route option preceded by a NOP or another option is missed.
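Added example, not from the slides: the BPF test above reproduced over a raw IPv4 header next to a proper option walker that honours EOL, NOP and option lengths, so the blind spot is visible on concrete bytes. The headers are built in the block (checksum left at zero, addresses made up); nothing is read from a live interface.

```python
import struct

EOL, NOP, RR, LSRR, SSRR = 0x00, 0x01, 0x07, 0x83, 0x89
NAMES = {LSRR: "loose source route", SSRR: "strict source route", RR: "record route"}


def ip2b(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def naive_filter(hdr: bytes) -> bool:
    """The slide's BPF test: ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 0x89).
    It inspects only the first option byte."""
    return (hdr[0] & 0x0F) > 5 and hdr[20] in (LSRR, SSRR)


def walk_options(hdr: bytes):
    """Yield (type, data) for each option, honouring EOL, NOP and the option length byte."""
    hlen = (hdr[0] & 0x0F) * 4
    if hdr[0] >> 4 != 4 or hlen < 20 or len(hdr) < hlen:
        raise ValueError("not a well-formed IPv4 header")
    i = 20
    while i < hlen:
        t = hdr[i]
        if t == EOL:
            break
        if t == NOP:
            i += 1
            continue
        if i + 1 >= hlen:
            raise ValueError("option without length byte")
        olen = hdr[i + 1]
        if olen < 2 or i + olen > hlen:
            raise ValueError("bad option length")
        yield t, hdr[i + 2:i + olen]
        i += olen


def source_routes(hdr: bytes):
    """Return [(name, pointer, [hop, ...])] for every LSRR/SSRR option in the header."""
    found = []
    for t, data in walk_options(hdr):
        if t in (LSRR, SSRR) and len(data) >= 1:
            ptr = data[0]
            hops = [".".join(str(b) for b in data[k:k + 4]) for k in range(1, len(data) - 3, 4)]
            found.append((NAMES[t], ptr, hops))
    return found


def source_route_option(hops, strict=False) -> bytes:
    """Encode an LSRR/SSRR option: type, length, pointer (4 = first address), addresses."""
    addrs = b"".join(ip2b(h) for h in hops)
    return bytes([SSRR if strict else LSRR, 3 + len(addrs), 4]) + addrs


def ipv4_header(src: str, dst: str, options: bytes = b"", proto: int = 6) -> bytes:
    """Build a minimal IPv4 header (checksum zero, DF set) with options padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0x4000,
                        64, proto, 0, ip2b(src), ip2b(dst))
    return fixed + options


if __name__ == "__main__":
    # Made-up addresses: a datagram that must pass through 192.168.1.1 (a host the victim trusts).
    plain = ipv4_header("10.1.1.1", "129.210.19.198")
    lsrr = ipv4_header("10.1.1.1", "129.210.19.198", source_route_option(["192.168.1.1", "10.0.0.1"]))
    hidden = ipv4_header("10.1.1.1", "129.210.19.198", bytes([NOP]) + source_route_option(["10.0.0.1"], strict=True))
    for name, h in (("plain", plain), ("lsrr", lsrr), ("nop+ssrr", hidden)):
        print(name, "naive:", naive_filter(h), "walker:", source_routes(h))
```

The walker also rejects malformed option lengths instead of reading past the header, which matters when the input is attacker-controlled.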
Source Route Exploit
Spoofing host requires source routing
through a host trusted by the victim.
Victim decides that the traffic comes
from a trusted host.
Therefore: firewalls need to disable
source-routing or network admin needs
to disable trust relationships.
Internet Group Management
Protocol (IGMP)
Defined by RFC 1112.
IGMP messages use IP protocol 2.
IGMP is used to join and leave multicast groups.
TCP/IP Related Evidence
Sniffer Logs
A computer intrusion left a program called router behind.
Investigation of the binary code revealed that it was a
Portuguese language sniffer storing data in a given file.
The sniffer file contained log entries of log-ins from Brazil to
a non-authenticated account as well as further activities.
TCP/IP Related Evidence
Authentication, Server Logs
Maury Travis Case:
During a series of homicides in St. Louis, a reporter
received a letter with the location of an additional victim.
The FBI determined that the map was from Expedia.com.
The web server logs showed that only one IP address
requested that particular map around the time that the
letter was sent.
TCP/IP Related Evidence
The IP address belonged to an ISP.
The ISP logs showed that this IP address was registered to Maury Travis. The telephone number from which the connection was made also belonged to Maury Travis.
A (warranted) search of Maury Travis’ home found a
torture chamber and videotapes of Maury torturing and
killing victims.
Maury killed himself while in custody. The total number
of victims is unknown.
TCP/IP Related Evidence
Internet dial-up logs are created by
RADIUS and TACACS authentication
servers.
These servers are also used for VPN
concentrators.
Kerberos logs authentication requests.
…
TCP/IP Related Evidence
Application Logs
When someone defaces web servers, they
usually view them shortly before and after
defacement.
The web logs might contain evidence of
someone checking for vulnerabilities before
defacement.
With the IP address that they used.
TCP/IP Related Evidence
Application Logs
Mail servers log details of message.
Example: An email spoofer makes a typo.
Logs contains entries with backspaces, …
OS log connections.
Network devices log.