Course announcement
Topics in Cryptography
Tom Shrimpton (teshrim at cs . pdx . edu) http://www.cs.pdx.edu/~teshrim/spring06/info-510.html
Sniffing
Gathering packets from the local network
Passive (wired network with a hub or a wireless network)
Turn on promiscuous mode on NIC
Make NIC accept all data-link layer frames not just its own
Software
Snort (www.snort.org)
tcpdump / Ethereal
Sniffit (reptile.rug.ac.be/~coder/sniffit/sniffit.html)
Dsniff (www.monkey.org/~dugsong/dsniff)
Active Sniffing
Fool the switch into sending the packets to the sniffer
MAC Flooding
Send a flood of traffic with random MAC addresses
Fill up the switch's memory
Switches will then forward packets to all links on the switch
Dsniff program: macof
ARP spoofing
Send fake ARP replies to change the victim's ARP table
Dsniff program: arpspoof
The attacker configures his or her system to forward any traffic it receives to the router. Any traffic from the target machine is sent to the attacker's machine before being transferred to the local network.
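The MAC flooding slide above says that a switch whose address table is full forwards frames to every port. The following model is an added example, not part of the slides and not code from any tool named on them: a toy learning switch with a fixed-size MAC table (no aging, a simplification), run once without and once with a per-port MAC limit of the kind switch vendors call port security. The MAC addresses, port numbers and table capacity are constructed.

```python
"""Learning-switch model: why a full MAC table makes a switch flood, and what a
per-port MAC limit (port security) changes. Added example, not from the slides."""
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Toy switch: MAC table of fixed capacity, no aging (simplification)."""

    def __init__(self, n_ports, capacity, max_macs_per_port=None):
        self.n_ports = n_ports
        self.capacity = capacity
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.table = {}         # mac -> port
        self.shutdown = set()   # ports disabled by a port-security violation

    def _learn(self, src_mac, in_port):
        if src_mac in self.table:
            return
        if self.max_macs_per_port is not None:
            seen = sum(1 for p in self.table.values() if p == in_port)
            if seen >= self.max_macs_per_port:
                self.shutdown.add(in_port)  # violation: disable the port
                return
        if len(self.table) >= self.capacity:
            return  # table full: the new station cannot be learned
        self.table[src_mac] = in_port

    def forward(self, src_mac, dst_mac, in_port):
        """Return the list of ports the frame is sent out of."""
        if in_port in self.shutdown:
            return []
        self._learn(src_mac, in_port)
        if in_port in self.shutdown:
            return []
        out_port = self.table.get(dst_mac)
        if out_port is None or dst_mac == BROADCAST:
            # Unknown destination: flood to every port except the ingress one
            return [p for p in range(self.n_ports) if p != in_port]
        return [out_port]


def random_mac(rng):
    """Locally administered, randomly generated MAC (constructed)."""
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


VICTIM = "00:00:5e:00:53:01"   # constructed station on port 1
SERVER = "00:00:5e:00:53:02"   # constructed station on port 2


def run_scenario(max_macs_per_port=None, flood_frames=50, seed=1):
    """Fill the table from port 3 with random source MACs, then see where the
    switch sends a reply from the server (port 2) to the victim (port 1)."""
    rng = random.Random(seed)
    sw = LearningSwitch(n_ports=4, capacity=16, max_macs_per_port=max_macs_per_port)
    for _ in range(flood_frames):
        sw.forward(random_mac(rng), BROADCAST, in_port=3)
    sw.forward(VICTIM, SERVER, in_port=1)           # victim talks to the server
    reply_ports = sw.forward(SERVER, VICTIM, in_port=2)
    return {
        "reply_ports": reply_ports,
        "table_size": len(sw.table),
        "shutdown_ports": sorted(sw.shutdown),
    }


if __name__ == "__main__":
    print("no port security:", run_scenario())
    print("max 1 MAC/port:  ", run_scenario(max_macs_per_port=1))
```

Without a limit the table fills with the flood addresses, the victim can never be learned, and the server's reply is flooded to every other port, including the flooding one; with a one-MAC-per-port limit the flooding port is shut on its second address, the table stays small, and the reply goes only to port 1.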
Answer: check to see if your network interface is in promiscuous mode: ifconfig -a => look for PROMISC
Answer: send a TCP SYN packet to the sniffer with a bogus MAC address
802.11 vulnerabilities
802.11 MAC layer
Nodes are identified with a globally unique 12 byte address.
No mechanism for verifying the correctness of the identity.
Implicit trust in a speaker's source address.
Disassociation
More attack messages are required to get the same effect as a deauthentication message
[Figure: 802.11 power-save sequence; the AP announces buffered frames with TIM beacons while the client alternately sleeps and wakes to retrieve data]
Not all 802.11 hardware obeys the NAV (Network Allocation Vector), a bug that saves 802.11 from this attack
IP spoofing
Host fills in its own address in sending packets
Implicitly trusted not to forge the entry
Leads to all sorts of problems
Chapter 3 lecture notes
IP spoofing scenario using .rhosts and a predictable TCP ISN: establish a blind connection with a remote host
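The blind-connection scenario works because the ISN can be guessed. The following is an added example, not code from the slides: it contrasts a single global ISN counter with per-connection ISNs in the style of RFC 1948 (Bellovin), ISN = M + F(localhost, localport, remotehost, remoteport, secret). HMAC-SHA256 as F, the 4-microsecond timer passed in as an explicit tick count, and the addresses and secret are all constructed assumptions.

```python
"""ISN generation: global counter versus per-connection keyed offset (RFC 1948
style). Added example, not from the slides."""
import hashlib
import hmac
import struct
import time

SEQ_SPACE = 1 << 32


def naive_isn(ticks):
    """One global counter: every peer shares the same sequence space, so an
    ISN observed on one connection predicts the ISN handed to the next."""
    return ticks % SEQ_SPACE


def connection_offset(secret, local_ip, local_port, remote_ip, remote_port):
    """F(localhost, localport, remotehost, remoteport, secret): a keyed hash of
    the connection 4-tuple truncated to 32 bits (HMAC-SHA256 assumed here)."""
    four_tuple = f"{local_ip}:{local_port}->{remote_ip}:{remote_port}".encode()
    digest = hmac.new(secret, four_tuple, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


def hashed_isn(secret, local_ip, local_port, remote_ip, remote_port, ticks=None):
    """ISN = M + F(...), with M a 4-microsecond timer. `ticks` is the timer
    value; it is taken from the monotonic clock unless supplied."""
    if ticks is None:
        ticks = time.monotonic_ns() // 4000
    offset = connection_offset(secret, local_ip, local_port, remote_ip, remote_port)
    return (ticks + offset) % SEQ_SPACE


def compare(ticks=1_000_000, secret=b"constructed-boot-time-secret"):
    """ISNs two different remote hosts would receive at the same instant under
    each scheme. Local service port 513 (rlogin) and peer addresses are
    constructed."""
    peers = [("192.0.2.10", 1023), ("198.51.100.7", 1023)]
    return {
        "naive": [naive_isn(ticks) for _ in peers],
        "hashed": [hashed_isn(secret, "203.0.113.1", 513, ip, port, ticks)
                   for ip, port in peers],
    }


if __name__ == "__main__":
    print(compare())
```

Within one connection the hashed ISN still advances with the timer, which preserves the property the timer was there for (old segments do not collide with a new incarnation), but the value seen by one peer says nothing about the offset of a connection to a different host.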
Reflector attacks
Occur at all layers (not just network layer)
However, most rely on IP spoofing
A reflector is any IP host that will return a packet or more if sent a packet.
Reflector cannot easily locate the initiator because of IP spoofing.
Examples:
Web servers: return SYN ACKs or RSTs in response to SYN or other TCP packets.
DNS servers: return query replies in response to query requests.
Routers: return ICMP Time Exceeded in response to TTL expiry, or Host Unreachable messages in response to unroutable IP addresses.
ICMP reflectors
ICMP echo
Widely used for ping
Smurf attacks
Repeatedly send ICMP ping to the broadcast IP address of a network that can receive and respond to directed broadcast (smurf amplifier)
Use the victim's IP address as the source IP
Victim's bandwidth is filled with response packets
Attacks and software
Smurf (ICMP), Fraggle (UDP), and Papasmurf (ICMP and UDP) www.packetstormsecurity.org/new-exploits/
ICMP reflectors
Other ICMP candidates
Timestamp
Address mask
Router solicitation
Information request/reply
Source quench
Host unreachable
Time exceeded
Parameter problem
Redirect
Need fragmentation
Routing attacks
Attack
Intruder sends bogus routing information to a target and each of the gateways along the route
Impersonates an unused host
Diverts traffic for that host to the intruder's machine
Used to monitor dark IP addresses
Routing attacks
BGP Routing Fault Example:
An ISP mistakenly announced routes to 3000+ prefixes (destinations) it did not own. Other ISPs adopted these routes and blackholed traffic to those sites.
Slides courtesy of Dan Massey
Routing attacks
Invalid BGP routes exist in everyone's table.
These can include routes to root/gTLD servers. One example observed on 4/16/01:
[Figure: route seen by the rrc00 monitor across the Internet to c.gtld-servers.net 192.26.92.30]
Routing attacks
BGP routing can direct packets to a false server. Detected false BGP routes to root/gTLD servers at major global ISPs.
Routes lasted up to hours, but were errors and the faulty site did not reply.
[Figure: Bell Labs caching server reaching a root server via Internet routing]
Routing attacks
Defenses
Filtering based on prior information
Messes with fault-tolerance but detects intrusion attempts
Authentication of advertisements
S-BGP
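The first defense listed, filtering on prior information, is simple to express as a prefix list per neighbor. The following is an added example, not code from the slides or from any router: a filter that accepts an announcement only if the prefix is within one the announcing neighbor is already known to originate, so a mistaken announcement of prefixes the neighbor does not own (the 3000+ prefix case above) never enters the routing table. The peer ASNs, prefixes and announcements are constructed.

```python
"""Prefix-list filtering of BGP announcements against prior information.
Added example, not from the slides; all peers and prefixes are constructed."""
import ipaddress

# Prior information: prefixes each neighbour is known to originate.
# (constructed table; in practice derived from registry/allocation records)
ALLOWED = {
    65001: [ipaddress.ip_network("198.51.100.0/24")],
    65002: [ipaddress.ip_network("203.0.113.0/24"),
            ipaddress.ip_network("2001:db8::/32")],
}


def is_permitted(peer_asn, prefix, allowed=ALLOWED):
    """Accept only prefixes equal to, or contained in, one the peer may announce."""
    net = ipaddress.ip_network(prefix, strict=False)
    for owned in allowed.get(peer_asn, []):
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if owned.version == net.version and net.subnet_of(owned):
            return True
    return False


def apply_filter(announcements, allowed=ALLOWED):
    """Split (peer_asn, prefix) announcements into (accepted, rejected).

    Rejected announcements never reach the routing table, so a neighbour that
    mistakenly announces prefixes it does not own cannot blackhole traffic to
    them. The cost is the fault-tolerance trade-off the slide mentions: a
    genuinely new prefix is also dropped until the prior information is updated."""
    accepted, rejected = [], []
    for peer_asn, prefix in announcements:
        target = accepted if is_permitted(peer_asn, prefix, allowed) else rejected
        target.append((peer_asn, prefix))
    return accepted, rejected


SAMPLE = [                          # constructed announcements
    (65001, "198.51.100.0/24"),     # own prefix
    (65001, "198.51.100.128/25"),   # more specific of own prefix
    (65001, "203.0.113.0/24"),      # belongs to AS65002: rejected
    (65001, "192.0.2.0/24"),        # owned by nobody in the table: rejected
    (65003, "10.0.0.0/8"),          # unknown peer: rejected
]

if __name__ == "__main__":
    ok, bad = apply_filter(SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
```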
Routing attacks
Spoofing with Source Routing
Impersonate system A
Attacker creates packets from system A to B, with the attacker's address in the source route.
Packet sent to system B, but any replies are sent to the attacker's machine.
Attacker does not forward them to system A because the connection would be reset.
Defenses
Verify that an ICMP packet contains a plausible sequence #
Don't modify the global route table due to ICMP Redirect messages
Disallow ICMP Redirects?
NIDS avoidance
NIDS: Network Intrusion Detection System
Passively monitor the network looking for attacks
Signature analysis done across packets
Challenges
Accuracy: false positives and false negatives
Performance: forensic value of information
Fundamental problem
Deployed on a different box
Potentially on a different network
Result
NIDS could see a different stream of packets than the host
Protocol implementation ambiguities
Different protocol stacks have different behavior
NIDS avoidance
Insertion
IDS thinks packets are valid; end system rejects these
Evasion
End system accepts packets that the IDS rejects
Denial of Service
Resource exhaustion
NIDS avoidance
Confuse the NIDS
Invalid MAC addresses?
Invalid headers
Permissive in receiving, frugal in sending?
Bad IP checksum will be dropped?
IP options
IP TTL ambiguity
Packet received or not?
Fragment time-out
Will other parts of fragment still be at destination?
Overlapping fragments
Which data will be used?
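The overlapping-fragment question ("Which data will be used?") is the ambiguity that lets a NIDS reassemble a different payload than the destination host. The following is an added example, not code from the slides or from any IDS: a reassembler that can apply either overlap policy (earliest fragment wins, or latest fragment wins) plus the check a NIDS can make, namely whether the overlapping bytes actually conflict. Offsets are in bytes rather than the 8-byte units real IP fragments use, a simplification, and the fragments are constructed.

```python
"""IP fragment reassembly under two overlap policies, and an ambiguity check.
Added example, not from the slides; offsets are in bytes (simplification)."""
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int   # byte offset of this piece within the reassembled payload
    data: bytes


def reassemble(fragments, policy):
    """Reassemble fragments in arrival order.

    policy "first": bytes from the earliest-received fragment win on overlap.
    policy "last":  later fragments overwrite earlier ones.
    Different protocol stacks make different choices here, which is exactly
    what a NIDS must know to see the same payload as the destination host."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    total = max(f.offset + len(f.data) for f in fragments)
    buf = bytearray(total)
    filled = bytearray(total)   # 1 where a byte has already been written
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
                filled[pos] = 1
    if not all(filled):
        raise ValueError("hole in reassembled payload")
    return bytes(buf)


def overlap_is_ambiguous(fragments):
    """NIDS-side check: do overlapping fragments carry conflicting bytes?
    A plain retransmission overlaps with identical data and is harmless;
    conflicting data means the host's policy decides what it sees, so the
    NIDS cannot rely on a single reassembly and should alert instead."""
    return reassemble(fragments, "first") != reassemble(fragments, "last")


# Constructed samples: the second fragment overlaps bytes 5..7 of the first
# with different data; the retransmission overlaps with identical data.
SAMPLE = [Fragment(0, b"GET /one.txt"), Fragment(5, b"two")]
RETRANSMIT = [Fragment(0, b"abcd"), Fragment(2, b"cdef")]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SAMPLE, policy))
    print("ambiguous:", overlap_is_ambiguous(SAMPLE), overlap_is_ambiguous(RETRANSMIT))
```

The same two fragments reassemble to two different requests depending only on the policy, which is why an IDS that picks one policy blindly can be made to inspect something the host never executes, or to miss something it does.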
NIDS avoidance
Exhaust resources on NIDS
CPU, memory, network bandwidth
Fragmentation
Send large numbers of fragments
CPU: data structure attack
Memory: space attack
Can lead to DoS (teardrop, jolt2)
Fragrouter
Automatically fragments all packets
Accepts IP packets routed from another system and fragments them according to various schemes
TCP hijacking
Attacker inserts itself into path
Already on the path, or via ARP spoofing
Sniff to find the sequence numbers of the victim connection
Attacker takes over the existing connection using spoofed packets and dropping the packets of one of the end-points
Most hijacking tools cannot cope with the ACK storm and the connection will be dropped.
Sends a RST packet if no subsequent ACK is received from the client
Eventual ACK from a good client will be ignored as a duplicate
Disadvantages:
Large # of illegitimate open connections if the system is under attack
Must very carefully choose timeout periods
TCP reflectors
TCP stack can be made to reflect via SYN ACK by sending an initial SYN with a spoofed IP address
Filtering leads to no remote access.
Countermeasures problematic
Filter out SYN ACKs
Leads to disabling access to services
NIDS avoidance
TCP tricks to confuse or disable NIDS
TCP Options fields
Will the packet be accepted?
Will the option be processed?
Destination might be configured to drop weird options
DNS spoofing
Problem
No authentication of responses
Any DNS response is generally believed
No attempt to distinguish valid data from invalid
Responses can contain entries that should not be trusted but are
Responses are cached
Just one false root server could disrupt the entire DNS
Attacks
Inject bogus DNS responses
Attach additional bogus entries to valid DNS responses (especially for internal names)
[Figure: resolution path: application -> resolver -> local name server (trusted) -> firewall -> remote name server (?)]
DNS spoofing
DNS spoofing
Easy to observe: UDP DNS query sent to a well-known server on a well-known port.
[Figure: Sanjoy's laptop queries a root DNS server (www.darpa.mil A? / www.darpa.mil A 192.5.18.19); a remote attacker injects www.darpa.mil A 128.9.128.127 and www.google.com = 128.9.128.127; query www.google.com]
Verify
Does the answer really answer the query made?
Was the answer received from the appropriate server?
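The two "Verify" questions, together with the earlier point about bogus additional entries attached to valid responses, translate into resolver-side checks on every reply. The following is an added example, not code from the slides or from any resolver: a minimal hand-written DNS message builder and parser (A records only) and a validator that checks the reply's source endpoint, transaction ID and question section, and discards records outside the queried name's zone (a crude bailiwick rule). The reply reuses the slide's addresses (www.darpa.mil A 192.5.18.19, www.google.com = 128.9.128.127); the server endpoint 192.0.2.53 and the transaction ID are constructed.

```python
"""Resolver-side checks on a DNS response. Added example, not from the slides;
the message builder/parser is a minimal hand-written one (A records only)."""
import ipaddress
import struct


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode labels starting at off; follows compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        labels.append(msg[off:off + length].decode())
        off += length


def build_response(txid, qname, answers, additional=()):
    """Standard response; answers/additional are (name, ipv4) pairs."""
    hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    body = encode_name(qname) + struct.pack(">HH", 1, 1)   # QTYPE A, QCLASS IN
    for name, ip in list(answers) + list(additional):
        body += encode_name(name) + struct.pack(">HHIH", 1, 1, 300, 4)
        body += ipaddress.IPv4Address(ip).packed
    return hdr + body


def parse_response(msg):
    """Return (txid, [(qname, qtype, qclass)], {section: [(name, type, rdata)]})."""
    txid, _flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack(">HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == 1 and rdlen == 4:
                rdata = str(ipaddress.IPv4Address(rdata))
            sections[section].append((name, rtype, rdata))
    return txid, questions, sections


def validate_response(msg, expected_txid, qname, sent_to, received_from):
    """Return the A records a resolver may accept, or None to discard the reply.
    sent_to / received_from are the (ip, port) endpoints of query and reply."""
    if received_from != sent_to:            # was it the server we asked?
        return None
    txid, questions, sections = parse_response(msg)
    if txid != expected_txid:               # does it match our outstanding query?
        return None
    if questions != [(qname, 1, 1)]:        # does the answer answer the query made?
        return None
    zone = qname.split(".", 1)[1]           # crude bailiwick: parent of the queried name
    accepted = []
    for section in ("answer", "additional"):
        for name, rtype, rdata in sections[section]:
            if rtype != 1:
                continue
            if name != qname and name != zone and not name.endswith("." + zone):
                continue                    # out of bailiwick: do not cache
            accepted.append((name, rdata))
    return accepted


# Constructed exchange: the legitimate record plus a bogus additional record
# for www.google.com, which the bailiwick check drops.
SERVER = ("192.0.2.53", 53)   # constructed endpoint of the queried server
TXID = 0x1234                  # constructed transaction ID
REPLY = build_response(TXID, "www.darpa.mil",
                       answers=[("www.darpa.mil", "192.5.18.19")],
                       additional=[("www.google.com", "128.9.128.127")])

if __name__ == "__main__":
    print(validate_response(REPLY, TXID, "www.darpa.mil", SERVER, SERVER))
```

A reply from a different endpoint, with a different transaction ID, or answering a different question is discarded outright; a genuine reply is accepted but its out-of-zone additional record never enters the cache. Signatures (the next slide) are what it takes to reject a forged reply that passes all of these checks.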
[Figure: end-user querying the authoritative DNS servers for www.darpa.mil]
www.darpa.mil = 192.5.18.195, plus an (RSA) signature by darpa.mil
Attacker cannot forge this answer without the darpa.mil private key
Challenge: add signatures to the protocol and manage DNS public keys
Man-in-the-middle attacks
Web proxying
Attacker runs the webmitm feature of Dsniff together with DNS spoofing
Use DNS spoofing to have all HTTP and HTTPS traffic go to webmitm
Target connects to the attacker's machine and an SSL connection is established
Attacker's system establishes an SSL connection with the server the target is attempting to access
Note: the target receives the attacker's certificate, not the certificate of the server the target is trying to reach.
User receives a warning about a certificate that is not signed by a trusted certificate authority (Who pays attention to those?)
Webmitm displays the contents of the SSL session on the attacker's screen
SSH proxying
Similar to above with sshmitm (another Dsniff feature)
Man-in-the-middle attacks
Distributed Denial-of-Service
Take control of large numbers of machines (zombies)
Use the collection of zombies (botnet) to knock out the target service
Example: TFN2K www.packetstormsecurity.nl/groups/mixter/index2.html
Packet of death
Send a malformed packet.
Different platforms may be susceptible to different types of malformed packets.
These packets have structures that the TCP/IP stacks cannot anticipate, causing the system to crash.
Malformed packet suites available at: www.packetstormsecurity.org/DoS
Limitations
Proxies can be configured to serve a restricted set of clients.
Not enough proxies to constitute a large pool of possible reflectors.
The connection between the slave and the reflector cannot be spoofed unless the reflecting proxy has predictable sequence numbers.
Logging helps in identifying the slave's location.
Definitely a major threat if proxies running on stacks with predictable sequence numbers are widely deployed.
Fix
Modify the protocol to include path information with push directives
Game protocols
Quake
Qstat (UDP)
Counter-Strike clients (UDP)
NIDS avoidance
Confuse NIDS at application-layer
Addition of interpreted characters (^H): how does the OS interpret them?
Extra slides
IP Address Spoofing
Used to disguise the IP address of a system.
Three ways an IP address can be spoofed: changing the IP address, undermining UNIX r-commands, and spoofing with source routing.
Changing the IP address: the attacker can either reconfigure the whole system to have a different IP address or use a tool (Nmap or Dsniff) to change the source address of outgoing packets.
Limitation: the attacker cannot receive any responses.