IPv4: Abusing Address Fields (cont.)

How can we defend against IP spoofing??

best defences against IP spoofing: egress & ingress filtering by gateway routers owned by organization & ISPs

→ egress filtering = filter out packets from invalid addresses before leaving your network

[figure: network X (130.63.x.x) and network Y; a hacker inside network X sends a packet with IP source 8.8.8.8 toward the ISP; network X’s gateway router applies egress filtering: block outgoing traffic not sourced from network X (e.g., a packet carrying a network Y IP address as ‘source’)]

with egress filtering, ISPs could stop malicious packets with spoofed source IPs from entering the Internet; first & very important step in attack prevention (at the very source!), but not always performed!

Does network X have any benefit from Egress Filtering?!?!
What are potential cons of Egress Filtering?!?!
IPv4: Abusing Address Fields (cont.)

How effective are ISPs at preventing spoofing??

https://www.caida.org/projects/spoofer/
The geographic distribution of clients seen in the last year, both to measure the extent of our testing coverage as well as to determine if any region of the world is more susceptible to spoofing. The value shown is the percentage of tested IP blocks (including those behind a NAT) that show any evidence of spoofing.
IPv4: Abusing Address Fields (cont.)

best defences against IP spoofing: ingress & egress filtering by gateway routers

→ ingress filtering = filter out packets from invalid addresses before entering your network

[figure: network X and network Y (131.50.X.X); network Y’s gateway router applies ingress filtering: block incoming traffic sourced from any invalid network (e.g., a packet carrying network X IP address as ‘source’); two incoming packets addressed to the victim company are shown, one with IP source 131.50.2.2 and one with IP source 8.8.8.8]

with ingress filtering, companies could stop malicious packets carrying suspicious IPs (e.g., an internal IP) from entering their network

Ingress Filtering can eliminate only certain types of spoofed IP packets.
IPv4: Abusing Address Fields (cont.)

Which other incoming IPs should be dropped??

(1) broadcast addresses as destination
→ e.g., host bits in destination IP set to one: X.X.X.255
→ used in Smurf Attack = reflected amplified DDoS attack on a remote victim machine involving ICMP packets
→ side-effect of Smurf Attack = flooding of ‘reflector’ network

[figure: packet with IP destination X.X.X.255 and IP source: victim, sent into the reflector network]
IPv4: Abusing Address Fields (cont.)

Which other incoming IPs should be dropped??

(2) multicast addresses as source: 224/4
→ the source address for true multicast packets is always a unicast IP address

(3) unassigned addresses reserved for future use: 240/4
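The egress and ingress filtering rules from the slides above, together with the three address classes that should be dropped (broadcast destination, multicast source 224/4, reserved 240/4), as a small Python gateway filter. This is an added example, not code from the slides: network X = 130.63.0.0/16 and network Y = 131.50.0.0/16 are taken from the diagrams, the subnet-broadcast test (last octet 255) follows the X.X.X.255 example and assumes /24 subnets inside the network, and every packet is constructed for the demo. The `demo()` scenarios also show the limitation stated on the ingress slide: a spoofed 8.8.8.8 source is stopped by network X’s egress filter but cannot be recognised by network Y’s ingress filter.

```python
# Added example (not from the slides): gateway-router filter rules.
# Addresses: network X = 130.63.0.0/16 and network Y = 131.50.0.0/16 (from the
# diagrams); every packet below is constructed for this example.
import ipaddress
from dataclasses import dataclass

MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # 224/4: never a valid source
RESERVED = ipaddress.ip_network("240.0.0.0/4")   # 240/4: reserved for future use


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class GatewayFilter:
    """Filter decisions for one organisation's gateway router."""

    def __init__(self, our_network: str):
        self.net = ipaddress.ip_network(our_network)

    @staticmethod
    def _bogon(pkt: Packet):
        """Address classes that are dropped in both directions."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src in MULTICAST:
            return "multicast address as source"
        if src in RESERVED or dst in RESERVED:
            return "reserved 240/4 address"
        return None

    def egress(self, pkt: Packet) -> tuple[bool, str]:
        """Outgoing traffic: forward only packets sourced from our own network,
        so a spoofed source never leaves the network it was sent from."""
        reason = self._bogon(pkt)
        if reason:
            return False, reason
        if ipaddress.ip_address(pkt.src) not in self.net:
            return False, f"source {pkt.src} not in {self.net}"
        return True, "ok"

    def ingress(self, pkt: Packet) -> tuple[bool, str]:
        """Incoming traffic: drop packets that claim an internal source and
        packets aimed at one of our broadcast addresses (Smurf reflection)."""
        reason = self._bogon(pkt)
        if reason:
            return False, reason
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src in self.net:
            return False, f"source {pkt.src} claims to be inside {self.net}"
        # assumes /24 subnets inside our network, so X.X.X.255 is a broadcast
        if dst in self.net and (dst == self.net.broadcast_address
                                or (int(dst) & 0xFF) == 0xFF):
            return False, f"destination {pkt.dst} is a broadcast address"
        return True, "ok"


def demo() -> dict:
    """Run the scenarios from the slides and return each filter decision."""
    gw_x = GatewayFilter("130.63.0.0/16")  # network X's gateway router
    gw_y = GatewayFilter("131.50.0.0/16")  # network Y's gateway router
    return {
        # hacker inside X spoofs 8.8.8.8: stopped by X's egress filter
        "egress_spoof": gw_x.egress(Packet("8.8.8.8", "131.50.2.2")),
        "egress_legit": gw_x.egress(Packet("130.63.1.1", "131.50.2.2")),
        # packet from outside carrying one of Y's own addresses as source
        "ingress_internal_src": gw_y.ingress(Packet("131.50.2.2", "131.50.2.2")),
        # the same spoofed 8.8.8.8 packet cannot be recognised at Y's ingress:
        # ingress filtering eliminates only certain types of spoofed packets
        "ingress_spoof_passes": gw_y.ingress(Packet("8.8.8.8", "131.50.2.2")),
        "smurf_broadcast": gw_y.ingress(Packet("130.63.1.1", "131.50.3.255")),
        "multicast_src": gw_y.ingress(Packet("224.0.0.1", "131.50.2.2")),
        "reserved_240": gw_y.ingress(Packet("240.1.2.3", "131.50.2.2")),
    }


if __name__ == "__main__":
    for name, (accept, why) in demo().items():
        print(f"{name:22s} {'FORWARD' if accept else 'DROP':8s} {why}")
```

Running the script prints one decision per scenario; the ingress_spoof_passes case is the one the slide’s question about the benefit of egress filtering hinges on, since only the network the spoofed packet originates from is in a position to drop it.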
IPv4: Abusing Options Fields

• IP Header Length Field
IHL = indicates the length of the IP packet header in 32-bit (4 bytes) words, and must satisfy …

condition 1: 5 ≤ IHL ≤ 15, i.e., 20 bytes (basic header) up to 60 bytes (header with options)
→ IP options can be used to circumvent normal routing (e.g., enforce loose/strict source routing)
- IHL > 5 generally suspicious & should be dropped

condition 2: IHL * 4 ≤ total packet length
→ if not satisfied, an error or a malicious modification ⇒ the packet should be dropped
IP Datagram Fields (cont.)

Options (cont.)
(c) Strict Source Route option – used by source to predetermine route for datagram
▪ source provides a list of IP addresses, i.e. sequence of routers, that datagram must (is allowed to) visit on its way to destination
From “TCP/IP Protocol Suite” by B. Forouzan, 4/e, p. 201

[figure: option layout – options type/code; total length of options fields in bytes (including the first three bytes); pointer = indicates the byte position that contains IP address of the next router to visit; followed by the list of router IP addresses]
Router replaces IP of the next router to visit with its own IP. Location to ‘write over’ indicated by the byte pointer.
Result: receiving station obtains ‘Record Route’, which should be used by the destination to route responses back
IPv4: Abusing Options Fields (cont.)

Example: misuses of IP source routing option
https://howdoesinternetwork.com/2014/source-based-routing

Attacks using source routing can have various forms, including:
→ router/firewall avoidance
→ discovery of network topology
→ stealthy traffic monitoring
→ carousel DoS attack

[figure: a very ‘strict’ firewall on the normal path, illustrating router/firewall avoidance]
IPv4: Abusing Options Fields (cont.)
Example: IP source routing – stealthy traffic monitoring
https://books.google.ca/books?id=DDRSCwAAQBAJ&pg=PA82&lpg=PA82&dq=strict+source+routing+IP+attack&source=bl&ots=P22Mzraff4&sig=1IlU2hv4OElx5yHAu-GmOfzoGBc&hl=en&sa=X&ved=2ahUKEwjcmZmV6_HcAhWC94MKHXKABeo4HhDoATALegQIAxAB#v=onepage&q&f=false
packet also carries strict/loose source routing option, with the attacker’s IP as one of the routers on the desired (reverse) path
IPv4: Abusing Options Fields (cont.)

Example: IP source routing – Carousel DoS attack on intermediate routers

Carousel Attack: adversary sends packets with routes composed of a series of loops
→ causes more energy consumption than necessary
→ affects Wireless Sensor Networks (WSNs)
https://www.researchgate.net/publication/260603051_Routing_Layer_Based_Resource_Exhaustion_Attacks_in_Wireless_Ad_Hoc_Sensor_Networks/figures?lo=1

[figure: Required Route: A, B, C, A, B, C, A, B, C]
IPv4: Abusing Length Fields (cont.)

• Total Length Field represents the length of the entire datagram (header + payload) measured in bytes
→ 16 bit field ⇒ max value/size: 65535 bytes = 64 Kbytes

Ping Of Death: attacker sends IP packet > 64 Kbytes total
→ one single packet would cause the target systems to crash, freeze up or restart
→ was very popular in the late 1990s, but versions of it are still around

[figure: actual size of the packet is bigger than the maximum value that can be placed in the Total Length field]
IPv4: Abusing Length Fields (cont.)
Example: Ping Of Death using ICMP = Long ICMP attack
https://books.google.ca/books?id=VADbJowCwEQC&pg=PA335&lpg=PA335&dq=%22ping+of+death%22+hping+tool&source=bl&ots=UZ46uhW97v&sig=zpG-l5KECuYYU1FivyjDCt1KccI&hl=en&sa=X&ved=2ahUKEwisgqD0hfPcAhUI16wKHd7aC6s4FBDoATAAegQIABAB#v=onepage&q=%22ping%20of%20death%22%20&f=false
http://www.cs.vsb.cz/grygarek/SPS/projekty0405/IDS/ids.html
Ping of Death using Scapy:
IPv4: Abusing Length Fields (cont.)
https://uk.news.yahoo.com/millions-iphones-vulnerable-ping-death-wi-fi-attack-131758314.html?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAACMzwD6-0v7FdZEro8j7jwHuKj1ULNrK2Z_-Eyl3KhuqMRVBm84ti2gNxPtpT_xG7JGtC6tDDzoIFJMY3yqOgaHTE5WYX5IMEe_kN6b3th1AavryXGEXbsQLz2QzK0M9y0kh2P6Wwiub3HdgtIGrIrJmGxXOf7TiqII6efj3Jc6p
https://searchsecurity.techtarget.com/answer/Ping-of-death-What-is-it-and-how-is-Apple-affected
IPv4: Abusing Length Fields (cont.)

Example: total length field causing information leakage
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020227-ios-cef

“Excluding Cisco 12000 Series Internet Routers, all Cisco devices running Cisco IOS® software that have Cisco Express Forwarding (CEF) enabled can leak information from previous packets that have been handled by the device. This can happen if the packet length described in the IP header is bigger than the physical packet size. Packets like these will be expanded to fit the IP length and, during that expansion, an information leak may occur. Please note that an attacker can only collect parts of some packets but not the whole session.”

What if actual IP packet size ≤ total packet length ??

[figure: IP packet drawn as header (H) followed by data]
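The header-length conditions (5 ≤ IHL ≤ 15, IHL * 4 ≤ total length), the source-routing options from the misuse examples, and the Total Length checks behind the Ping of Death and the CEF information leak, combined into one Python sanity checker. This is an added example, not code from the slides or from any vendor: the option type codes (1 = NOP, 131 = loose source route, 137 = strict source route) are the RFC 791 values, `make_ipv4()` builds constructed packets between made-up addresses 10.0.0.1 and 10.0.0.2 with a zero checksum, and the `total_len` override exists only to simulate a header that lies about the packet size.

```python
# Added example (not from the slides): IPv4 header sanity checks for the
# IHL, options and Total Length rules discussed above.  Option type codes are
# the RFC 791 values; all packets are constructed with make_ipv4() below.
import struct

IP_OPT_EOL, IP_OPT_NOP = 0, 1
IP_OPT_LSRR, IP_OPT_SSRR = 131, 137          # loose / strict source route
MAX_DATAGRAM = 65535                         # largest value of the 16-bit Total Length


def check_ipv4(raw: bytes) -> tuple[bool, str]:
    """Return (accept, reason) for one packet exactly as received; len(raw)
    is the actual physical size, which the header fields must agree with."""
    if len(raw) < 20:
        return False, "shorter than the 20-byte basic header"
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", raw[:8])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        return False, f"version {version} is not IPv4"
    # condition 1: 5 <= IHL <= 15; the upper bound is enforced by the 4-bit
    # field itself, so only IHL < 5 can actually appear on the wire
    if ihl < 5:
        return False, f"IHL {ihl} < 5"
    hdr_len = ihl * 4
    # condition 2: IHL * 4 <= total length
    if hdr_len > total_len:
        return False, f"header length {hdr_len} exceeds total length {total_len}"
    # Total Length larger than the bytes actually present: the situation behind
    # the CEF information leak; drop instead of padding with stale memory
    if total_len > len(raw):
        return False, f"total length {total_len} > actual size {len(raw)}"
    # Ping of Death: a fragment whose data would reassemble past 65535 bytes
    # (20-byte header + fragment offset + this fragment's data)
    frag_offset = (flags_frag & 0x1FFF) * 8
    if 20 + frag_offset + (total_len - hdr_len) > MAX_DATAGRAM:
        return False, "fragment reassembles beyond 65535 bytes"
    # options present (IHL > 5): walk them so source routing is named explicitly
    if ihl > 5:
        opts, i = raw[20:hdr_len], 0
        while i < len(opts):
            kind = opts[i]
            if kind == IP_OPT_EOL:
                break
            if kind == IP_OPT_NOP:
                i += 1
                continue
            if i + 1 >= len(opts) or opts[i + 1] < 2:
                return False, "malformed option length"
            if kind in (IP_OPT_LSRR, IP_OPT_SSRR):
                return False, f"source routing option {kind} present"
            i += opts[i + 1]
        return False, "options present (IHL > 5)"
    return True, "ok"


def make_ipv4(payload: bytes, options: bytes = b"", total_len=None,
              frag_offset: int = 0) -> bytes:
    """Constructed test packet 10.0.0.1 -> 10.0.0.2 (checksum left as zero);
    total_len overrides the correct value to simulate a lying header."""
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    if total_len is None:
        total_len = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234,
                         frag_offset // 8, 64, 1, 0, bytes([10, 0, 0, 1]),
                         bytes([10, 0, 0, 2]))
    return header + options + payload


if __name__ == "__main__":
    samples = {
        "plain packet": make_ipv4(b"hello"),
        "header claims 1500 bytes, 25 on wire": make_ipv4(b"hello", total_len=1500),
        "IHL*4 > total length": make_ipv4(b"", options=b"\x01" * 4, total_len=20),
        "strict source route option": make_ipv4(b"hi", options=bytes([137, 7, 4, 10, 0, 0, 9])),
        "last fragment past 64K": make_ipv4(b"x" * 8, frag_offset=65528),
    }
    for name, pkt in samples.items():
        print(f"{name:40s} -> {check_ipv4(pkt)}")
```

The checker deliberately compares the header against the physical size in both directions: a header shorter than its own IHL is an error (condition 2), and a Total Length beyond the bytes on the wire is the case the Cisco advisory describes, where padding the packet up to the claimed length is what exposed stale memory.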
IPv4: Abusing Fragmentation Fields

• Identification Field
set by the sending host to aid in reassembly of fragmented datagrams
→ fragmentation is done by intermediate routers in cases when IP packet is longer than the MTU
→ should be unique for each set {source IP, destination IP, protocol}
→ this value is determined at IP layer on protocol-dependent basis
→ in older systems this value was simply incremented by 1 – BAD!
→ in newer systems this value is randomly generated (collisions can occur, but not likely)
IPv4: Abusing Fragmentation Fields (cont.)

Example: possible attacks in case of sequential IP ID

(1) Remote Traffic Analysis: Sequential IP IDs expose the number of packets sent by a host over a given period. This can be used to estimate Web site traffic, determine when people log on, etc.
https://www.freehaven.net/anonbib/cache/remote-traffic-pets12.pdf

[figure: Bob pings Alice in the evening, reply IP-ID = X; Bob pings Alice next morning, reply IP-ID = Y]
What if Y-X = 1 ??
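To make the Y-X arithmetic concrete, here is an added Python simulation (not from the slides or the cited paper) of Bob’s two probes against a modelled ‘Alice’ host: one variant increments the IP-ID by one per packet like the older stacks above, the other draws it at random like newer stacks. The `Host` model, the overnight traffic counts and the seeds are constructed for the example; the inference itself is just the 16-bit difference of the two observed IDs, with the wrap-around of the counter taken into account.

```python
# Added example (not from the slides): what two IP-ID observations reveal
# about a host with a sequential counter, versus one with random IDs.
import random


class Host:
    """Constructed model of a host's IP-ID allocator.  sequential=True mimics
    older stacks that add 1 per packet; False mimics randomised IDs."""

    def __init__(self, sequential: bool, seed: int = 0):
        self.sequential = sequential
        self.rng = random.Random(seed)
        self.counter = self.rng.randrange(1 << 16)   # unknown starting point

    def send(self) -> int:
        """Emit one packet and return the IP-ID it carried (16-bit field)."""
        if self.sequential:
            self.counter = (self.counter + 1) & 0xFFFF
            return self.counter
        return self.rng.randrange(1 << 16)


def packets_between(id_x: int, id_y: int) -> int:
    """Packets a sequential-ID host sent between the replies carrying IDs X
    and Y.  The & 0xFFFF handles one counter wrap-around; the reply to the
    second probe itself is excluded, so Y - X == 1 means 'nothing sent'."""
    return ((id_y - id_x) & 0xFFFF) - 1


def experiment(sequential: bool, traffic: int, seed: int = 0) -> tuple[int, int]:
    """Bob pings Alice (ID X), Alice sends `traffic` packets to others
    overnight, Bob pings again (ID Y).  Returns (true count, inferred count)."""
    alice = Host(sequential, seed)
    x = alice.send()                 # reply to the evening ping
    for _ in range(traffic):
        alice.send()                 # Alice's own traffic overnight
    y = alice.send()                 # reply to the morning ping
    return traffic, packets_between(x, y)


if __name__ == "__main__":
    for sequential in (True, False):
        kind = "sequential" if sequential else "random"
        for traffic in (0, 57, 4000):
            true, inferred = experiment(sequential, traffic, seed=traffic)
            print(f"{kind:10s} IP-ID: sent {true:5d}, Bob infers {inferred:6d}")
```

With the sequential allocator the inferred count is exact for anything under 65536 packets, which is the leak the slide points at; with random IDs the difference carries no information, which is why the newer behaviour removes the attack at the cost of rare collisions.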
IPv4: Abusing Fragmentation Fields (cont.)

Example: possible attacks in case of sequential IP ID

(2) Load Balancer Demultiplexing: Large sites often use load balancing equipment so that a single address maps to a small farm of servers. By noting the IP-ID values, you can often determine how many machines are behind the load balancer and which one you are connected with. The ID fields in the following hping execution make it obvious that beta.search.microsoft.com is handled by two machines behind a load balancer (207.46.197.115).