Network Security, AA 2015/2016: Network aspects
Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)
Internet communication
• Internet is made of several logically separated networks → Autonomous Systems (AS)
  • Internet = network of networks
• Each AS autonomously manages communications within itself
  • Interior Gateway Protocols (IGP) → route within each AS
  • e.g. Local Area Network
• Each AS can communicate to other ASs
  • Exterior Gateway Protocols → route between ASs
  • Border Gateway Protocol
Internet autonomous systems
[Figure from https://www.usenix.org/legacy/event/lisa98/full_papers/pultar/pultar_html/pultar.html]
OSI model
[Figure: OSI layers, with the data unit of each layer and examples]
• Data. Examples: HTTP / Mail / Chat protocols / encoding info / RPC / Telnet
• Segments or Datagrams. Examples: TCP, UDP
• Packet. Examples: IPv4, IPv6
• Frame. Examples: Ethernet, PPP
• Bit. Examples: Ethernet cable / optical fiber
OSI Data Link layer
Data link layer
• Lowest "logical" level
• Data link interconnects physical interfaces
• Each physical interface is identified by a MAC address
  • "Ethernet address"
  • 48-bit network interface identifiers
  • Closest representation of the final destination of a frame
  • HEX notation
    • HH-HH-HH-HH-HH-HH
• Used to route packets in local networks
MAC addresses
• Uniquely identify a network interface
• Assigned by the producer according to the IEEE 802 standard
[Figure: output of ifconfig, the *nix system command to list net interfaces ("ipconfig" on Windows machines); en0 is the name of the interface, followed by the MAC address of interface "en0"]

MAC addresses example
• First 24 bits are set by IEEE standard
  • Identify the network interface producer
  • 00-10-BC → Aastra Telecom
  • https://regauth.standards.ieee.org/standards-ra-web/pub/view.html#registries
[Figure: interface c8-2a-14-01-86-87 sends a frame to 00-10-BC-2c-11-56; 00-10-BC-2c-11-56 keeps the frame, 00-10-BC-19-3d-5d drops it]
OSI Network Layer
The Network Layer
• Provides information on how to reach other systems
  • Addressing functionalities
• IP operates at this layer
  • High-level representation of a host's addresses
  • Conveys information to route the datagram
  • IPv4 defined in RFC 791
• IP addresses are dynamically assigned by an authority (e.g. the ISP's DHCP server)
  • As opposed to MAC addresses, which are fixed by the vendor
• "Connectionless" protocol (stateless)
  • No notion of "established connection" at this stage
  • Only provides the means necessary for a packet to reach its destination
Stateless vs stateful
• A communication is made of a number of messages
  • Communications start, develop, and end
• Stateful protocols provide means to establish and close a connection
  • e.g. TCP
• Stateless protocols do not have this notion
  • IP messages are stand-alone packets
IP vs MAC addresses
[Figure: a pool of MAC addresses: c8-2a-14-01-86-87, 00-10-BC-19-3d-5d, 00-10-BC-2c-11-56, 7B-12-00-93-73-28, 75-CD-6C-59-37-B2, FB-2A-9D-AC-56-DB, ..-..-..-..-..-..]
• 48 bit → 2^48 addresses = 281474976710656 → 1536 terabyte
• How to manage revoking? (e.g. one Ethernet card gets substituted)
• How to manage routing?
IP addresses
• IP provides a structured way to abstract host addresses away from their physical properties
• Two versions
  • IPv4 → most common, currently used
    • 32 bits
  • IPv6 → early adoption, will be seen commonly in the future
    • 128 bits
• Make it possible to efficiently talk between systems in different ASs
IP addresses: routing (simplified)
[Figure: two autonomous systems, AS1 (e.g. ISP A) and AS2 (e.g. ISP B). A host in AS1 says: "Hey 192.168.1.1, send IP packet to 10.11.14.3". Its gateway answers: "I do not know who 10.11.14.3 is, I'll ask 192.67.65.2". In AS2: "10.11.14.13 is not in this AS but under 10.11.1.1", and finally "10.11.14.13 is 7B-12-00-93-73-28". Addresses in the figure: 192.168.1.1, 192.168.1.2, 192.67.1.3, 192.67.65.1 (75-CD-6C-78-71-AA), 192.67.65.2, 2.4.5.1, 10.11.1.1, 10.11.14.1 (00-10-BC-2c-11-57), 10.11.14.13 (7B-12-00-93-73-28); interface MACs c8-2a-14-01-86-87, 00-10-BC-19-3d-5d, 75-CD-6C-59-37-B2, EA-43-55-11-B3-C9, 00-10-BC-2c-11-56, FB-2A-9D-AC-56-DB]
Details: http://disi.unitn.it/locigno/index.php/teaching-duties/computer-networks/102-reti-aa13-14
ARP protocol
• ARP = Address Resolution Protocol
• Allows systems to associate an IP address to a MAC address
• Allows discovery through broadcast
• ARP tables contain information to translate IP addresses into MAC addresses
ARP tables (A→B, A→C, A→D)
[Figure, three slides: a LAN with hosts A (MAC 00-10-BC-2c-11-56, IP 192.168.0.16), B (MAC 00-10-BC-19-3d-5d, IP 192.168.0.15), C (MAC 00-10-BC-4e-12-62, IP 192.168.0.17) and D (MAC e0:f8:47:1a:4e:d6, IP 192.168.0.1). The ARP table shown holds:

  IP address    MAC address        ... (e.g. TTL, interfaces ..)
  192.168.0.15  00-10-BC-19-3d-5d  ...
  192.168.0.17  00-10-BC-4e-12-62  ...

The steps A→B and A→C find an entry in the table; the step A→D finds none: ???]
ARP query
• All addresses in an ARP table are added by one of two mechanisms
  • ARP request-reply
    → who is 192.168.0.16 tell 192.168.0.1
    → 192.168.0.16 is at 00-10-BC-2c-11-56
  • Gratuitous ARP
    → 192.168.0.16 is at 00-10-BC-2c-11-56
• The discovery process happens through queries to neighbor devices
  • Broadcast message to the desired IP
    • L2 Ethernet address FF-FF-FF-FF-FF-FF
  • The system with the requested IP replies back with its correct MAC address
ARP frame header
[Figure: ARP frame header layout; the operation field is 1 = request, 2 = reply]
ARP tables A→D: request-reply
[Figure, two slides, same LAN as above. Step 1: 192.168.0.1 broadcasts an ARP request with L2 destination FF-FF-FF-FF-FF-FF for IP 192.168.0.16; B and C drop the request (IP does not match); the host with MAC 00-10-BC-2c-11-56 and IP 192.168.0.16 answers. Step 2: the ARP table gains the new entry:

  IP address    MAC address        ... (e.g. TTL, interfaces ..)
  192.168.0.15  00-10-BC-19-3d-5d  ...
  192.168.0.17  00-10-BC-4e-12-62  ...
  192.168.0.16  00-10-BC-2c-11-56]

Example of ARP request-reply
[Figure: packet capture showing an ARP request followed by the reply]

ARP broadcast example
[Figure: packet capture of the broadcast request, with the L2 destination highlighted]
ARP poisoning
• ARP answers or Gratuitous ARP frames do not require an (additional) answer/confirmation
  • It's a declarative protocol
• Nodes are not authenticated
  • Whoever can say "I am x.x1.x2.x3, my MAC address is hh.hh1.hh2.hh3.hh4.hh5"
• C can tell B "D is at [C MAC address]"
• C can tell D "B is at [C MAC address]"
• As a result every communication between B and D will pass by C
ARP poisoning (step by step)
[Figure, six slides on the same LAN: A (MAC 00-10-BC-2c-11-56, IP 192.168.0.16), B (MAC 00-10-BC-19-3d-5d, IP 192.168.0.15), C (MAC 00-10-BC-4e-12-62, IP 192.168.0.17), D (MAC e0:f8:47:1a:4e:d6, IP 192.168.0.1).

Step 1: D's ARP table before the attack:
  IP address    MAC address
  192.168.0.15  00-10-BC-19-3d-5d
  192.168.0.17  00-10-BC-4e-12-62

Step 2: C declares "192.168.0.15 is at 00-10-BC-4e-12-62". D's table becomes:
  IP address    MAC address
  192.168.0.15  00-10-BC-4e-12-62
  192.168.0.17  00-10-BC-4e-12-62

Step 3: B's ARP table before the attack:
  IP address    MAC address
  192.168.0.1   e0:f8:47:1a:4e:d6

Step 4: C declares "192.168.0.1 is at 00-10-BC-4e-12-62". B's table becomes:
  IP address    MAC address
  192.168.0.1   00-10-BC-4e-12-62

Step 5: (1) B sends a message to 192.168.0.1; the frame is addressed to 00-10-BC-4e-12-62, i.e. to C; (2) C passes it on to D.

Step 6: (3) D sends a message to 192.168.0.15; the frame is addressed to 00-10-BC-4e-12-62, i.e. to C; (4) C passes it on to B.]
ARP poisoning: limitations
• Works only on local networks, where MAC addresses are actually meaningful
  • When communication is targeted to a different network, IP addresses are used
  • Routers and DNSs have MAC addresses too..
• The poisoning works because systems are not authenticated
• Some implementations/third party tools can mitigate the problem
  • Check for anomalies
• Can you think of a possible mitigation?
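As an added example (not part of the original slides), the following Python parses the 28-byte ARP body from the frame-header slide and replays a constructed sequence of replies on the slides' LAN into an ARP table, flagging the two anomalies the poisoning steps produce: an IP whose MAC changes, and one MAC claiming several IPs. Host letters, MACs and IPs are the ones used on the slides; `build_arp`, `parse_arp` and `detect_poisoning` are names chosen here.

```python
import struct
from collections import defaultdict
# ARP body after the Ethernet header: htype, ptype, hlen, plen, opcode,
# sender MAC, sender IP, target MAC, target IP (opcode 1 = request, 2 = reply).
ARP_FMT = "!HHBBH6s4s6s4s"
OP_REQUEST, OP_REPLY = 1, 2

def mac_bytes(s):
    return bytes.fromhex(s.replace("-", "").replace(":", ""))
def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))

def build_arp(op, smac, sip, tmac, tip):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac_bytes(smac), ip_bytes(sip),
                       mac_bytes(tmac), ip_bytes(tip))

def parse_arp(payload):
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, payload[:28])
    fmt_mac = lambda b: "-".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": fmt_mac(smac), "sender_ip": fmt_ip(sip),
            "target_mac": fmt_mac(tmac), "target_ip": fmt_ip(tip)}

def detect_poisoning(frames):
    """Replay ARP replies into a table; flag an IP whose MAC changes and a MAC claiming several IPs."""
    table, ips_per_mac, alerts = {}, defaultdict(set), []
    for frame in frames:
        a = parse_arp(frame)
        if a["op"] != OP_REPLY:       # only declarative answers update the table here
            continue
        sip, smac = a["sender_ip"], a["sender_mac"]
        if sip in table and table[sip] != smac:
            alerts.append(f"{sip} moved from {table[sip]} to {smac}")
        ips_per_mac[smac].add(sip)
        if len(ips_per_mac[smac]) > 1:
            alerts.append(f"{smac} claims {sorted(ips_per_mac[smac])}")
        table[sip] = smac
    return table, alerts

# Constructed traffic on the slides' LAN: D (192.168.0.1) asks for A (192.168.0.16);
# A, B, C answer honestly; then C (00-10-BC-4e-12-62) claims B's and D's IPs.
D, A, B, C = "e0:f8:47:1a:4e:d6", "00-10-BC-2c-11-56", "00-10-BC-19-3d-5d", "00-10-BC-4e-12-62"
SAMPLE = [
    build_arp(OP_REQUEST, D, "192.168.0.1", "00-00-00-00-00-00", "192.168.0.16"),
    build_arp(OP_REPLY, A, "192.168.0.16", D, "192.168.0.1"),
    build_arp(OP_REPLY, B, "192.168.0.15", D, "192.168.0.1"),
    build_arp(OP_REPLY, C, "192.168.0.17", D, "192.168.0.1"),
    build_arp(OP_REPLY, C, "192.168.0.15", D, "192.168.0.1"),    # "192.168.0.15 is at C"
    build_arp(OP_REPLY, C, "192.168.0.1", B, "192.168.0.15"),    # "192.168.0.1 is at C"
]
```

Running `detect_poisoning(SAMPLE)` yields the poisoned table and three alerts; the first four frames alone produce none.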
IP Header
[Figure: IPv4 header layout]
Subnets and CIDR
• Subnets are logical divisions of IP addresses
  • Possible to split a network in multiple sub-networks
• IP bits are divided in
  • x network bits
  • y subnet bits
  • z host bits
• Subnet mask indicates the sections of IP addresses meant for network + subnet
  • 255.255.255.0 → 24 bits to network + subnet, 8 bits to hosts
• CIDR → synthetic way to represent subnet masks
  • Classless Inter-Domain Routing
  • Indicates the number of bits covered by the mask
  • 192.168.10.1/24 = 192.168.10.1/255.255.255.0
Subnet example
• IP address → 132.134.15.96

             NETWORK   SUBNET    HOST
  binary     10000100  10000110  00001111 01100000
  decimal    132       134       15 96

• Network mask? → 255.255.0.0
• CIDR representation? → 132.134.15.96/16
• How many hosts? → 2^16 = 65,536 - 1

Subnet example
• IP address → 132.134.15.96

                                    NETWORK   SUBNET    HOST
  Binary IP                         10000100  10000110  00001111 01100000
  Binary subnet mask                11111111  11111111  00000000 00000000
  Network = IP AND subnet           10000100  10000110  00000000 00000000
  Host = IP AND complement(subnet)  00000000  00000000  00001111 01100000
IP classes
• IPv4 has several classes
• Defined over
  • Range of IP
  • Number of referenceable hosts
• Classes:
  • A: 0.0.0.0/8 → 127.255.255.255/8 (standard communications)
  • B: 128.0.0.0/16 → 191.255.255.255/16 (standard communications)
  • C: 192.0.0.0/24 → 223.255.255.255/24 (standard communications)
  • D: 224.0.0.0 → 239.255.255.255 (multicast)
  • E: 240.0.0.0 → 254.255.255.254 (experimental)
IP addresses: private addresses
• Some IPs are reserved for private networks
  • 10.0.0.0 → 10.255.255.255
  • 192.168.0.0 → 192.168.255.255
  • 172.16.0.0 → 172.31.255.255
• These should not be routed on the internet
  • Gateway should drop the datagram
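As an added example (not part of the original slides), this Python does the subnet arithmetic of the slides by hand for 132.134.15.96/16 (binary rendering, Network = IP AND mask, Host = IP AND complement(mask)) and generalises it to the class table and the private ranges above. The /8, /12 and /16 prefixes are the CIDR form of the three private ranges listed; the function names are chosen here.

```python
def ip_to_int(ip):
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: " + ip)
    return int.from_bytes(bytes(octets), "big")

def int_to_ip(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def binary(ip):
    # Same rendering as the slide: 132.134.15.96 -> 10000100 10000110 00001111 01100000
    return " ".join(f"{b:08b}" for b in ip_to_int(ip).to_bytes(4, "big"))

def mask_from_prefix(prefix):
    # /16 -> 255.255.0.0: the top `prefix` bits of the 32-bit word set to 1
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def prefix_from_mask(mask):
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if mask_from_prefix(ones) != m:           # e.g. 255.0.255.0 is not a valid mask
        raise ValueError("non-contiguous mask: " + mask)
    return ones

def split_address(cidr):
    """'132.134.15.96/16' -> network part, host part, mask and size of the host range."""
    ip, prefix = cidr.split("/")
    addr, mask = ip_to_int(ip), mask_from_prefix(int(prefix))
    return {"network": int_to_ip(addr & mask),             # Network = IP AND subnet
            "host": int_to_ip(addr & ~mask & 0xFFFFFFFF),  # Host = IP AND complement(subnet)
            "mask": int_to_ip(mask), "host_range": 2 ** (32 - int(prefix))}

def ip_class(ip):
    first = ip_to_int(ip) >> 24                # the class is decided by the first octet
    if first < 128: return "A"
    if first < 192: return "B"
    if first < 224: return "C"
    if first < 240: return "D"                 # multicast
    return "E"                                 # experimental

# The slide's private ranges in CIDR form: 10/8, 172.16.0.0-172.31.255.255 = /12, 192.168/16
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def is_private(ip):
    """True if ip falls in a reserved range, i.e. a gateway should not route it."""
    n = ip_to_int(ip)
    for block in PRIVATE:
        net, prefix = block.split("/")
        if n & mask_from_prefix(int(prefix)) == ip_to_int(net):
            return True
    return False
```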
IP fragmentation (datagram size > MTU)
[Figure: a datagram larger than the MTU is split into several IP fragments]
IP fragments
• Identification, 16 bit: unique identifier of the fragmented datagrams
  • All fragments have the same identification number
• Flags, 3 bit
  • 0 → Reserved, must be 0
  • DF → Don't fragment
    • 0 = there may be fragments
    • 1 = don't fragment. If it must be fragmented, drop the datagram
  • MF → More fragments
    • 0 = last fragment
    • 1 = there are more fragments
• Offset, 13 bits: offset of this datagram w.r.t. the first fragment with that ID.
Fragmentation example
• Need to send 4200 bytes of data over IP
• Maximum Transmission Unit on an Ethernet channel is 1500 bytes
• The datagram does not fit in the MTU
[Figure: IP header (20 bytes) + data (4200 bytes) = 4220 bytes, cut at the MTU: the 20-byte header plus 1480 bytes of data, then 1500 bytes, then 1220 bytes]

Fragmentation example (cntd)
[Figure: each of the three fragments A, B, C gets its own IP header (20 bytes); data 1480 bytes, 1480 bytes and 1240 bytes; fragment sizes 1500 bytes, 1500 bytes and 1280 bytes]

                  A       B       C
  Identification  4452    4452    4452
  Flags           DF=0    DF=0    DF=0
                  MF=1    MF=1    MF=0
  Offset          0       1480    2960
Denial of service with IP fragments
[Figure: fragments from IP 10.1.1.1 arrive with ID=x, DF=0, MF=1 and Offset=1480, then Offset=2960, then Offset=...; the receiver waits for the first fragment]
• The datagram is never delivered, as the TCP/UDP/.. header is in the first fragment, which never arrives
Internet Control Message Protocol
• Defined in RFC 792
• Relies on IP
  • However, it is an integral part of the Internet Protocol
  • All IP modules must have ICMP support
Some ICMP message types
• Destination Unreachable Message (Type 3)
  • Code
    • 0 = net unreachable;
    • 1 = host unreachable;
    • 2 = protocol unreachable;
    • 3 = port unreachable;
    • 4 = fragmentation needed and DF set;
    • 5 = source route failed.
• Time Exceeded Message (Type 11)
  • Code
    • 0 = net unreachable;
    • 1 = host unreachable;
• Echo or Echo Reply Message
  • Type
    • 8 = echo message;
    • 0 = echo reply;
  • Code
    • 0
Traceroute (slide added from class)
[Picture: traceroute]
See for example: http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/12778-ping-traceroute.html
Picture from: http://www.loriotpro.com/Products/On-line_Documentation_V5/LoriotProDoc_EN/J10-Loriotpro_tools/J10-U21_Trace_Route_EN.htm (no affiliation)
List of all message types
• 0 Echo Reply
• 3 Destination Unreachable
• 4 Source Quench
• 5 Redirect
• 8 Echo
• 11 Time Exceeded
• 12 Parameter Problem
• 13 Timestamp
• 14 Timestamp Reply
• 15 Information Request
• 16 Information Reply
Denial of Service
• Denial of service (DoS) is a type of attack that aims at congesting or overpowering a system's capacity by generating requests the system will have to answer
  • Can affect the performance of the attacked system or its channels
  • Can lead to a system crash due to resource consumption
• DoS can be operated
  • Locally
  • Over the network
A simple DoS (Ping Flood)
• Network DoS attacks usually exploit protocol features
[Figure: A and B, with A's bandwidth larger than B's; A sends ICMP Type=8 Code=0 (Echo) and B answers with ICMP Type=0 Code=0 (Echo reply)]
• A can exploit its wider bandwidth to flood B with ICMP echo requests
• B's bandwidth gets (quickly, relatively to A's) exhausted with
  • A's requests
  • B's replies
• B can no longer operate on its network channel
A more advanced DoS: Ping of Death
• ICMP packets are typically 64 bytes in size including IP headers and data
• IP datagram can extend up to 65,535 bytes
  • Data Length field is 16 bit
• Early implementations of Internet modules were strictly implementing RFC directives
  • Not handling exceptions properly
• Ping of Death
  • Generate large ICMP packet
  • Fragment in 1024 IP packets of 64 bytes
  • Destination receives regular packet
    • IP module composes fragments
    • ICMP module tries to read a datagram bigger than the assigned buffer size
  • Destination crashes
    • "buffer overflow" → possible execution of code in memory (more on this in this course)
Ping of death → visualisation
[Figure: A sends to B an ICMP head + data in an IP datagram of size 65536 bytes, delivered as fragments id=100, offset=0, MF=1, Length=64; id=100, offset=64, MF=1, Length=64; id=100, offset=128, MF=1, Length=64; ...; id=100, offset=65,472, MF=0, Length=64. B's ICMP module buffer size is 64 bytes; after reassembly the ICMP head + data again form an IP datagram of 65536 bytes]
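As an added example (not from the slides), the following Python walks through the fragmentation slides above: it splits the 4200-byte datagram (id 4452) into the fragments shown, then reassembles on the receiver side with the two safeguards the fragment-DoS and ping-of-death slides motivate: a buffer whose first fragment never arrives is released after a timeout, and a fragment that would push the datagram past 65,535 bytes is rejected instead of overflowing the buffer. Offsets are kept in bytes as on the slides (the real header stores them in 8-byte units); `fragment`, `Reassembler` and the timeout value are choices made here.

```python
IP_HDR, MTU, MAX_DATAGRAM = 20, 1500, 65535     # total length is a 16-bit field
def fragment(ident, data, mtu=MTU):
    """Split as on the slides: byte offsets, MF=1 on all fragments but the last. The
    payload is rounded down to a multiple of 8 since the real header stores offset/8."""
    size, frags = (mtu - IP_HDR) // 8 * 8, []    # 1480 bytes per fragment on Ethernet
    for off in range(0, len(data), size):
        chunk = data[off:off + size]
        frags.append({"id": ident, "df": 0, "mf": int(off + len(chunk) < len(data)),
                      "offset": off, "data": chunk})
    return frags

class Reassembler:
    def __init__(self, timeout=3):
        self.timeout, self.buffers, self.delivered, self.dropped = timeout, {}, [], []
    def add(self, src, frag, now):
        key, end = (src, frag["id"]), frag["offset"] + len(frag["data"])
        if IP_HDR + end > MAX_DATAGRAM:          # ping of death: would exceed 65,535 bytes
            self.buffers.pop(key, None)
            self.dropped.append((key, "oversized"))
            return "rejected"
        buf = self.buffers.setdefault(key, {"t0": now, "frags": {}, "total": None})
        buf["frags"][frag["offset"]] = frag["data"]
        if frag["mf"] == 0:
            buf["total"] = end
        got, data = 0, b""
        while buf["frags"].get(got):              # walk contiguous bytes from offset 0
            data += buf["frags"][got]
            got += len(buf["frags"][got])
        if got and got == buf["total"]:
            del self.buffers[key]
            self.delivered.append((key, data))
            return "delivered"
        self.expire(now)
        return "waiting"
    def expire(self, now):
        # A datagram whose first fragment never arrives is held only until the timeout.
        for key in [k for k, b in self.buffers.items() if now - b["t0"] >= self.timeout]:
            self.dropped.append((key, "timeout"))
            del self.buffers[key]

def demo():
    # Constructed: the 4200-byte datagram (id 4452) arrives whole; 10.1.1.1 sends
    # fragments with offsets 1480, 2960, ... but never 0; then one at offset 65,472.
    r, frags = Reassembler(timeout=3), fragment(4452, bytes(4200))
    status = [r.add("192.168.0.16", f, now=0) for f in frags]
    for i, off in enumerate((1480, 2960, 4440)):
        r.add("10.1.1.1", {"id": 7, "df": 0, "mf": 1, "offset": off, "data": bytes(1480)}, now=i)
    r.expire(now=5)
    pod = r.add("10.1.1.1", {"id": 100, "df": 0, "mf": 0, "offset": 65472, "data": bytes(64)}, now=6)
    return frags, status, pod, r.dropped
```

`demo()` returns the three fragments with offsets 0, 1480, 2960 and data sizes 1480, 1480, 1240, the statuses waiting, waiting, delivered, the rejection of the oversized fragment, and the timed-out flood buffer.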