02-NetSec Network aspects - unitn.it...The Network Layer • Provides information on how to reach other systems • Addressing functionalities • IP operates at this layer • High-level

NetworkSecurityAA2015/2016NetworkaspectsDr.LucaAllodi

Dr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016)

1

Internetcommunication

• Internetismadeofseverallogicallyseparatednetworksà AutonomousSystems (AS)• Internet=networkofnetworks

• EachASautonomouslymanagescommunicationswithinitself• InteriorGatewayProtocols(IGP)à routewithineachAS• e.g.LocalAreaNetwork

• EachAScancommunicatetootherAS• ExteriorGatewaysProtocolsà routebetweenASs

• BorderGatewayProtocol

Dr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016) 2

Internetautonomoussystems

Dr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016) 3https://www.usenix.org/legacy/event/lisa98/full_papers/pultar/pultar_html/pultar.html

OSImodel


DATAExamples:

HTTP/Mail/Chatprotocols/econding info/

RPC/Telnet

SEGMENTSorDatagramsExamples:TCP,UDP

PacketExamples:IPv4,IPv6

FrameExamples:Ethernet,PPP

BitExamples:ethernet cable/

opticalfiber

OSIDataLinklayer


5

Datalinklayer

• Lowest“logical”level• Datalinkinterconnectsphysicalinterfaces• EachphysicalinterfaceisidentifiedbyaMACaddress• “Ethernetaddress”• 48-bitNetworkinterfaceidentifiers• Closestrepresentationoffinaldestinationofaframe• HEXnotation

• HH-HH-HH-HH-HH-HH• Usedtoroutepacketsinlocalnetworks


Macaddresses

• Uniquelyidentifyanetworkinterface• AssignedbytheproduceraccordingtothestandardIEEE802


ifconfig:*nixsystemcommandtolistnetinterfaces“ipconfig”onwindowsmachines

en0: nameofinterface

Macaddressofinterface“en0”

Macaddressesexample

• First24bitaresetbyIEEEstandard• Identifynetworkinterfaceproducer• 00-10-BCà Aastra Telecom• https://regauth.standards.ieee.org/standards-ra-web/pub/view.html#registries

Dr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016) 8c8-2a-14-01-86-87

00-10-BC-19-3d-5d 00-10-BC-2c-11-56

Sendframeto00-10-BC-2c-11-56

Keeps frameDrops frame

OSINetworkLayer


9

TheNetworkLayer

• Providesinformationonhowtoreachothersystems• Addressingfunctionalities

• IPoperatesatthislayer• High-levelrepresentationofahost’saddresses• Conveysinformationtoroutethedatagram• IPv4definedinRFC791

• IPaddressesaredynamicallyassignedbyanauthority(e.g.ISP’sDHCPserver)• AsopposedtoMACaddressesthatarefixedbythevendor• “Connectionless”protocol(stateless)

• Nonotionof“established connection”atthisstage• Onlyprovidesthemeansnecessaryforapackettoreachitsdestination


statelessvsstateful

• Acommunicationismadeofanumberofmessagges• Communicationsstart,develop,andends• Stateful protocolsprovidemeanstoestablishandcloseaconnection• e.g.TCP

• Statelessprotocolsdonothavethisnotion• IPmessagesarestand-alonepackets


IPvsMACaddresses


c8-2a-14-01-86-87

00-10-BC-19-3d-5d

00-10-BC-2c-11-56

7B-12-00-93-73-28

75-CD-6C-59-37-B2

FB-2A-9D-AC-56-DB

..-..-..-..-..-..

48bità 248 addresses=281474976710656à 1536terabyte• Howtomanagerevoking? (e.g.Oneethernetcardgetssubstituted)• Howtomanagerouting?

IPaddresses

• IPprovidesastructuredwaytoabstracthostaddressesawayfromtheirphysicalproperties• Twoversions• IPv4àmostcommon,currentlyused

• 32bits• IPv6à earlyadoption,willbeseencommonlyinthefuture• 128bits

• MakeitpossibletoefficientlytalkbetweensystemsindifferentAS


IPaddresses– routing(simplified)


c8-2a-14-01-86-87

00-10-BC-19-3d-5d

7B-12-00-93-73-28

AS1e.g.ISPA

AS2e.g.ISPB

Hey192.168.1.1,SendIPpacketto10.11.14.3

Idonotknowwho10.11.14.3 is,I’llask192.67.65.2

192.67.65.2

192.168.1.1

192.168.1.2

192.67.1.3

10.11.14.13 isnotinthisASbutunder10.11.1.1

10.11.14.13 is7B-12-00-93-73-28

10.11.14.13

10.11.1.1

75-CD-6C-59-37-B2

EA-43-55-11-B3-C9

00-10-BC-2c-11-56

2.4.5.1

FB-2A-9D-AC-56-DB

192.67.65.175-CD-6C-78-71-AA

Details:http://disi.unitn.it/locigno/index.php/teaching-duties/computer-networks/102-reti-aa13-14

10.11.14.100-10-BC-2c-11-57

ARPprotocol

• ARP=addressresolutionprotocol• AllowssystemstoassociateanIPaddresstoaMACaddress• Allowsdiscoverythroughbroadcast

• ARPtablescontaininformationtotranslateIPaddressesintoMACaddresses


ARPtablesAàBIPaddress MACaddress …(e.g.TTL,interfaces..)

192.168.0.15 00-10-BC-19-3d-5d …

192.168.0.17 00-10-BC-4e-12-62 …


MAC:00-10-BC-19-3d-5dIP:192.168.0.15

MAC:00-10-BC-2c-11-56IP:192.168.0.16

MAC:00-10-BC-4e-12-62IP:192.168.0.17

A

B C

D

MAC:e0:f8:47:1a:4e:d6IP:192.168.0.1

ARPtablesAàCIPaddress MACaddress …(e.g.TTL,interfaces..)

192.168.0.15 00-10-BC-19-3d-5d …

192.168.0.17 00-10-BC-4e-12-62 …


MAC:00-10-BC-19-3d-5dIP:192.168.0.15

MAC:00-10-BC-2c-11-56IP:192.168.0.16

MAC:00-10-BC-4e-12-62IP:192.168.0.17

A

B C

D

MAC:e0:f8:47:1a:4e:d6IP:192.168.0.1

ARPtablesAàDIPaddress MACaddress …(e.g.TTL,interfaces..)

192.168.0.15 00-10-BC-19-3d-5d …

192.168.0.17 00-10-BC-4e-12-62 …


MAC:00-10-BC-19-3d-5dIP:192.168.0.15

MAC:00-10-BC-2c-11-56IP:192.168.0.16

MAC:00-10-BC-4e-12-62IP:192.168.0.17

???

A

B C

D

MAC:e0:f8:47:1a:4e:d6IP:192.168.0.1

ARPquery

• AlladdressesinanARPtableareaddedbyoneoftwomechanisms• ARPrequest-reply

à whois192.168.0.16 tell 192.168.0.1à 192.168.0.16isat00-10-BC-2c-11-56

• GratuitousARPà 192.168.0.16isat00-10-BC-2c-11-56

• Thediscoveryprocesshappensthroughqueriestoneighbordevices• BroadcastmessagetothedesiredIP

• L2ethernet addressFF-FF-FF-FF-FF-FF• ThesystemwiththerequestedIPrepliesbackwithitscorrectmacaddress


ARPframeheader


1=request2=reply


192.168.0.15 00-10-BC-19-3d-5d …

192.168.0.17 00-10-BC-4e-12-62 …


MAC:00-10-BC-19-3d-5dIP:192.168.0.15

MAC:00-10-BC-2c-11-56IP:192.168.0.16

MAC:00-10-BC-4e-12-62IP:192.168.0.17

A

B C

D

L2Dest:FF-FF-FF-FF-FF-FFIP:192.168.0.16

L2Dest:FF-FF-FF-FF-FF-FFIP:192.168.0.16

MAC:00-10-BC-2c-11-56IP:192.168.0.16

BandCdropRequest(IPdoesnotmatch)

MAC:e0:f8:47:1a:4e:d6IP:192.168.0.1


192.168.0.15 00-10-BC-19-3d-5d …

192.168.0.17 00-10-BC-4e-12-62 …

192.168.0.16 00-10-BC-2c-11-56


MAC:00-10-BC-19-3d-5dIP:192.168.0.15

MAC:00-10-BC-2c-11-56IP:192.168.0.16

MAC:00-10-BC-4e-12-62IP:192.168.0.17

A

B C

D

MAC:e0:f8:47:1a:4e:d6IP:192.168.0.1

ExampleofARPrequest-reply


reply

request

ARPbroadcastexample


L2dest

ARPpoisoning

• ARPanswersorGratuitousARPframesdonotrequirean(additional)answer/confirmation• It’sadeclarativeprotocol

• Nodesarenotauthenticated• WhomevercansayIamx.x1.x2.x3,mymacaddressishh.hh1.hh2.hh3.hh4.hh5

• CcantellB“Disat[Cmacaddress]”• CcantellD“Bisat[Cmacaddress]”• AsaresulteverycommunicationbetweenBandDwillpassbyC


ARPpoisoning


MAC:00-10-BC-19-3d-5dIP:192.168.0.15

MAC:00-10-BC-2c-11-56IP:192.168.0.16

MAC:00-10-BC-4e-12-62IP:192.168.0.17

A

BC

DIPaddress MACaddress

192.168.0.15 00-10-BC-19-3d-5d

192.168.0.17 00-10-BC-4e-12-62

MAC:e0:f8:47:1a:4e:d6IP:192.168.0.1

ARPpoisoning


MAC:00-10-BC-19-3d-5dIP:192.168.0.15

MAC:00-10-BC-2c-11-56IP:192.168.0.16

MAC:00-10-BC-4e-12-62IP:192.168.0.17

A

BC

DIPaddress MACaddress

192.168.0.15 00-10-BC-4e-12-62

192.168.0.17 00-10-BC-4e-12-62

192.168.0.15 isat00-10-BC-4e-12-62

MAC:e0:f8:47:1a:4e:d6IP:192.168.0.1

ARPpoisoning


MAC:00-10-BC-19-3d-5dIP:192.168.0.15

MAC:00-10-BC-2c-11-56IP:192.168.0.16

MAC:00-10-BC-4e-12-62IP:192.168.0.17

A

BC

D

MAC:e0:f8:47:1a:4e:d6IP:192.168.0.1

IPaddress MACaddress

192.168.0.1 e0:f8:47:1a:4e:d6

ARPpoisoning


MAC:00-10-BC-19-3d-5dIP:192.168.0.15

MAC:00-10-BC-2c-11-56IP:192.168.0.16

MAC:00-10-BC-4e-12-62IP:192.168.0.17

A

BC

D

192.168.0.1 isat00-10-BC-4e-12-62

MAC:e0:f8:47:1a:4e:d6IP:192.168.0.1


192.168.0.1 00-10-BC-4e-12-62

ARPpoisoning


MAC:00-10-BC-19-3d-5dIP:192.168.0.15

MAC:00-10-BC-2c-11-56IP:192.168.0.16

MAC:00-10-BC-4e-12-62IP:192.168.0.17

A

BC

D

MAC:e0:f8:47:1a:4e:d6IP:192.168.0.1

1.Messageto192.168.0.100-10-BC-4e-12-62


192.168.0.1 00-10-BC-4e-12-62

2

ARPpoisoning


MAC:00-10-BC-19-3d-5dIP:192.168.0.15

MAC:00-10-BC-2c-11-56IP:192.168.0.16

MAC:00-10-BC-4e-12-62IP:192.168.0.17

A

BC

D

MAC:e0:f8:47:1a:4e:d6IP:192.168.0.1


192.168.0.15 00-10-BC-4e-12-62

3.Messageto192.168.0.1500-10-BC-4e-12-62

4

ARPpoisoning- limitations

• Worksonlyonlocalnetworks,whereMACaddressesareactuallymeaningful• Whencommunicationistargetedtodifferentnetwork,IPaddressesareused

• Routers andDNSshaveMACaddressestoo..• Thepoisoningworksbecausesystemsarenotauthenticated• Someimplementations/thirdpartytoolscanmitigatetheproblem• Checkforanomalies

• Canyouthinkofapossiblemitigation?


IPHeader


SubnetsandCIDR

• SubnetsarelogicaldivisionsofIPaddresses• Possibletosplitanetworkinmultiplesub-networks

• IPbitsaredividedin• x networkbits• ysubnetbits• zhostbits

• SubnetmaskindicatessectionsofIPaddressesmeantfornetwork+subnet• 255.255.255.0à 24bitstonetwork+subnet,8bitstohosts

• CIDRà syntheticwaytorepresentsubnetmasks• ClasslessInter-DomainRouting• Indicatesnumberofbitscoveredbythemask• 192.168.10.1/24=192.168.10.1/255.255.255.0


Subnetexample

NETWORK SUBNET HOST

binary 10000100 10000110 0000111101100000

decimal 132 134 1596


• Ip addressà 132.134.15.96

• Networkmask?• 255.255.0.0

• CIDRrepresentation?• 132.134.15.96/16

• Howmanyhosts?• 2^16=65,536- 1

Subnetexample

NETWORK SUBNET HOST

BinaryIP 10000100 10000110 0000111101100000

BinarySubnet mask 11111111 11111111 00000000 00000000

Network= IPANDSubnet 10000100 10000110 00000000 00000000

Host=IP ANDcomplement(subnet)

00000000 00000000 0000111101100000


• Ip addressà 132.134.15.96

IPclasses

• IPv4hasseveralclasses• Definedover• RangeofIP• Numberofreferenceablehosts

• Classes:• A:0.0.0.0/8à 127.255.255.255/8• B:128.0.0.0/16à 191.255.255.255/16• C:192.0.0.0/24à 223.255.255.255/24• D:224.0.0.0à 239.255.255.255• E:240.0.0.0à 254.255.255.254


Standardcommunications

Multicast

Experimental

IPaddresses– privateaddresses

• SomeIPsarereservedforprivatenetworks• 10.0.0.0à 10.255.255.255• 192.168.0.0à 192.168.255.255• 172.16.0.0à 172.31.255.255

• Theseshouldnotberoutedontheinternet• Gatewayshoulddrop thedatagram


IPfragmentation(datagramsize>MTU)


IPFragments

• Identification,16bit:uniqueidentifierofthefragmenteddatagrams• Allfragmentshavethesameidentificationnumber

• Flags,3bit• 0à Reserved,mustbe0• DFà Don’tfragment

• 0=theremaybefragments• 1=don’tfragment.Ifmustbefragmented,dropdatagram

• MFàMorefragments• 0=lastfragment• 1=therearemorefragments

• Offset,13bits:offsetofthisdatagramw.r.t firstfragmentwiththatID.


Fragmentationexample

• Needtosenda4200bytesofdataoverIP• MaximumTransmissionUnitonethernet channelis1500bytes• ThedatagramdoesnotfitintheMTU


IPheader data

IPheader data data data

20bytes 4200bytes

4220bytes

20bytes 1480bytes 1500bytes 1220bytes

Fragmentationexample(cntd)


IPheader data data data

20bytes 1480bytes 1480bytes 1240bytes

IPheader

IPheader

20bytes 20bytes

1500bytes 1500bytes 1280bytes

A B C

A B C

Identification 4452 4452 4452

Flags • DF=0• MF=1

• DF=0• MF=1

• DF=0• MF=0

Offset 0 1480 2960

DenialofservicewithIPfragments


IP:10.1.1.1, ID=xDF=0;MF=1Offset=1480

IP:10.1.1.1, ID=xDF=0;MF=1Offset=2960

IP:10.1.1.1, ID=xDF=0;MF=1Offset=….

Waitforfirstfragment

DatagramisneverdeliveredasTCP/UDP/..Headerisinthefirstfragmentwhichneverarrives

InternetControlMessageProtocol• DefinedinRFC792• ReliesonIP• However,itisanintegral partoftheInternetProtocol• AllIPmodulesmusthaveICMPsupport


SomeICMPMessagetypes

• DestinationUnreachableMessage(Type3)• Code

• 0=netunreachable;• 1=hostunreachable;• 2=protocolunreachable;

• 3=portunreachable;• 4=fragmentationneededandDFset;

• 5=sourceroutefailed.


• TimeExceededMessage (Type11)• Code

• 0=netunreachable;• 1=hostunreachable;

• EchoorEchoReplyMessage• Type

• 8 =echomessage;• 0 =echoreply;

• Code• 0

Traceroute(slideaddedfromclass)


Seeforexample:http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/12778-ping-traceroute.html

Picturefrom:http://www.loriotpro.com/Products/On-line_Documentation_V5/LoriotProDoc_EN/J10-Loriotpro_tools/J10-U21_Trace_Route_EN.htm (noaffiliation)

Listofallmessagetypes

• 0EchoReply• 3DestinationUnreachable• 4SourceQuench• 5Redirect• 8Echo• 11TimeExceeded• 12ParameterProblem• 13Timestamp• 14TimestampReply• 15InformationRequest• 16InformationReply


DenialofService

• Denialofservice(DoS)isatypeofattackthataimsatcongestingoroverpoweringasystem’scapacitybygeneratingrequeststhesystemwillhavetoanswer• Canaffecttheperformanceoftheattackedsystemoritschannels• Canleadtoasystemcrashduetoresourceconsumption

• DoS canbeoperated• Locally• Overthenetwork


AsimpleDoS (PingFlood)

• NetworkDoS attacksusuallyexploitprotocolfeatures


Bandwidthsize

A B

ICMPType=8Code=0(Echoreply)ICMPType=0Code=0(Echoreply)

• AcanexploititswiderbandwidthtofloodBwithICMPechorequests• B’sbandwidthgets(quickly,relativelytoA’s)exhaustedwith

• A’srequests• B’sreplies

• Bcannolongeroperateonitsnetworkchannel

AmoreadvancedDoS – PingofDeath• ICMPpacketsaretypically64bytesinsizeincludingIPheadersanddata

• IPdatagramcanextendupto65,535 bytes• Data Length field is 16bit

• Early implementations ofInternetmoduleswere strictlyimplementingRFCdirectives• Not handling exceptions properly

• Ping ofDeath• Generate large ICMPpacket• Fragmentin1024IPpackets of64Bytes• Destinationreceivesregularpacket

• IPmodulecomposefragments• ICMPmoduletriestoreaddatagrambiggerthanassignedbuffersize

• Destinationcrashes• “bufferoverflow”à possibleexecutionofcodeinmemory(moreonthisin

thiscourse)


Pingofdeathà visualisation


A B

ICMPhead+data

IPdatagramSize:65536bytes

ICMPmodulebufferSize:64bytes

data

data

data

data

id=100,offset=0,MF=1Length=64id=100,offset=64,MF=1Length=64

id=100,offset=128,MF=1Length=64

id=100,offset=65,472,MF=0,Length=64

data

data

data

ICMPhead+data

IPdatagramSize:65536bytes

Documents

02-NetSec Network aspects - unitn.it...The Network Layer • Provides information on how to reach other systems • Addressing functionalities • IP operates at this layer • High-level