
Network Security Professor Adeel Akram. Network Security Architecture


Page 1: Network Security Professor Adeel Akram. Network Security Architecture

Network Security

Professor Adeel Akram

Page 2

Network Security Architecture

Page 3

Lecture Outline

► Attacks, services and mechanisms
► Security attacks
► Security services
► Methods of defense
► A model for internetwork security
► Internet standards and RFCs

Page 4

Background

► Information security requirements have changed in recent times
► Traditionally provided by physical and administrative mechanisms
► Computer use requires automated tools to protect files and other stored information
► Use of networks and communications links requires measures to protect data during transmission

Page 5

Definitions

► Computer Security - generic name for the collection of tools designed to protect data and to prevent hackers
► Network Security - measures to protect data during its transmission
► Internet Security - measures to protect data during its transmission over a collection of interconnected networks

Page 6

Our Emphasis in this Course

► Our emphasis is on internet and network security
► Consists of measures to discourage, prevent, detect, and correct security violations that involve the transmission of information
► Requirements seem straightforward, but the mechanisms used to meet them can be quite complex …

Page 7

Services, Mechanisms, Attacks

► Need a systematic way to define requirements
► Consider three aspects of information security:
  • security attack
  • security mechanism
  • security service
► Consider them in reverse order

Page 8

Security Service

► Is something that enhances the security of the data processing systems and the information transfers of an organization
► Intended to counter security attacks
► Makes use of one or more security mechanisms to provide the service
► Replicates functions normally associated with physical documents, which e.g.
  • have signatures or dates
  • need protection from disclosure, tampering, or destruction
  • may be notarized or witnessed
  • may be recorded or licensed

Page 9

Security Mechanism

► A mechanism that is designed to detect, prevent, or recover from a security attack
► No single mechanism will support all the functions required
► However, one particular element underlies many of the security mechanisms in use: cryptographic techniques
► Hence our review of this area

Page 10

Security Attacks

► Any action that compromises the security of information owned by an organization
► Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
► There is a wide range of attacks
► We can focus on generic types of attacks

Note: often threat & attack mean the same

Page 11

Security Attacks

Page 12

Security Attacks

► Interruption: this is an attack on availability
► Interception: this is an attack on confidentiality
► Modification: this is an attack on integrity
► Fabrication: this is an attack on authenticity

Page 13

Security Goals

Integrity

Confidentiality

Availability

Page 14

Summary: Attacks, Services and Mechanisms

► Security Attack: any action that compromises the security of information.
► Security Mechanism: a mechanism that is designed to detect, prevent, or recover from a security attack.
► Security Service: a service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

Page 15

OSI Security Architecture

► ITU-T X.800 Security Architecture for OSI
► Defines a systematic way of defining and providing security requirements
► For us it provides a useful, abstract overview of the concepts we will study

Page 16

Security Services

► X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers
► RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources

Page 17

Security Services (X.800)

► X.800 defines security services in 5 major categories
  • Authentication - assurance that the communicating entity is the one claimed
  • Access Control - prevention of the unauthorized use of a resource
  • Data Confidentiality - protection of data from unauthorized disclosure
  • Data Integrity - assurance that data received is as sent by an authorized entity
  • Non-Repudiation - protection against denial by one of the parties in a communication

Page 18

Security Services

► Confidentiality (privacy)
► Authentication (who created or sent the data)
► Integrity (information has not been altered)
► Non-repudiation (the order is final)
► Access control (prevent misuse of resources)
► Availability (permanence, non-erasure)
  • Denial of service attacks
  • Virus that deletes files

Page 19

Security Mechanisms (X.800)

► Specific security mechanisms:
  • Encipherment: converting data into a form that is not readable
  • Digital signatures: to check authenticity and integrity of data
  • Access controls: enforcing access rights to resources
  • Data integrity
  • Authentication exchange
  • Traffic padding: insertion of bits to frustrate traffic analysis
  • Routing control: selection of secure routes
  • Notarization: use of a trusted third party for data exchange

Page 20

Security Mechanisms (X.800)

► Pervasive security mechanisms:
  • trusted functionality: perceived to be correct with respect to some criteria
  • security labels
  • event detection: detection of security-relevant events
  • security audit trails
  • security recovery

Page 21

Classify Security Attacks as

► Passive attacks - eavesdropping on, or monitoring of, transmissions to:
  • obtain message contents, or
  • monitor traffic flows
► Active attacks - modification of the data stream to:
  • masquerade of one entity as some other
  • replay previous messages
  • modify messages in transit
  • denial of service

Page 22

Passive Attacks: Release of Message Contents

Page 23

Passive Attacks: Traffic Analysis

Page 24

Active Attacks: Masquerade

Page 25

Active Attacks: Replay

Page 26

Active Attacks: Modification of Messages

Page 27

Active Attacks: Denial of Service

Page 28

Classify Security Attacks as

Page 29

Model for Network Security

Page 30

Model for Network Security

► Using this model requires us to:
1. Design a suitable algorithm for the security transformation
2. Generate the secret information (keys) used by the algorithm
3. Develop methods to distribute and share the secret information
4. Specify a protocol enabling the principals to use the transformation and secret information for a security service
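The four steps above, carried through in code. This is an added example, not part of the lecture slides: the "security transformation" chosen here is a keyed message authentication code (HMAC-SHA256, giving integrity and origin authentication, not confidentiality), the key is generated from the OS random source, key distribution is modelled by a trusted third party whose provisioning channel is assumed secure, and the protocol is simply "send (message, tag), accept only if the tag verifies". The principal names and the messages are constructed for the demo.

```python
import hashlib
import hmac
import secrets


# Step 1: the security transformation. This example uses HMAC-SHA256 as a
# keyed integrity check; a real service would typically add encryption too.
def transform(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()


# Step 2: generate the secret information (the key) used by the transformation.
def generate_key():
    return secrets.token_bytes(32)


# Step 3: distribute and share the secret. Modelled as a trusted third party
# that provisions one key per pair of principals; the provisioning channel is
# assumed to be secure and is not part of this example.
class TrustedThirdParty:
    def __init__(self):
        self._keys = {}

    def provision(self, a, b):
        self._keys[frozenset((a, b))] = generate_key()

    def key_for(self, a, b):
        return self._keys[frozenset((a, b))]


# Step 4: the protocol. The sender transmits (message, tag); the receiver
# recomputes the tag under the shared key and accepts only on a match.
def send(key, message):
    return message, transform(key, message)


def receive(key, message, tag):
    # compare_digest is constant-time, so tag bytes do not leak via timing
    return hmac.compare_digest(transform(key, message), tag)


def demo():
    """Run the protocol once and show how the receiver treats three cases."""
    ttp = TrustedThirdParty()
    ttp.provision("alice", "bob")
    k_alice = ttp.key_for("alice", "bob")
    k_bob = ttp.key_for("bob", "alice")   # same key, shared via the TTP

    msg, tag = send(k_alice, b"transfer 100 to carol")
    results = {"genuine": receive(k_bob, msg, tag)}
    # modification in transit: the opponent alters the message, keeps the tag
    results["modified"] = receive(k_bob, b"transfer 900 to carol", tag)
    # fabrication: the opponent lacks the shared key and tags with its own
    forged = b"transfer 100 to mallory"
    results["fabricated"] = receive(k_bob, forged, transform(generate_key(), forged))
    return results


if __name__ == "__main__":
    print(demo())
```

The modified and fabricated cases correspond to the "modification" and "fabrication" attacks of the earlier slides; interception is not addressed because the transformation here does not encrypt.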

Page 31

Model for Network Access Security

Page 32

Model for Network Access Security

► Using this model requires us to:
1. select appropriate gatekeeper functions to identify users
2. implement security controls to ensure only authorised users access designated information or resources
► Trusted computer systems can be used to implement this model

Page 33

Methods of Defense

► Encryption
► Software controls (access limitations in a database or in an operating system protect each user from other users)
► Hardware controls (smartcard)
► Policies (frequent changes of passwords)
► Physical controls

Page 34

Internet standards and RFCs

► The Internet Society
  • Internet Architecture Board (IAB)
  • Internet Engineering Task Force (IETF)
  • Internet Engineering Steering Group (IESG)

Page 35

Internet RFC Publication Process

Page 36

Vulnerabilities in Network Protocols

Page 37

Outline

► TCP/IP layering
► Names and addresses
► Security considerations for:
  • Address Resolution Protocol
  • Internet Protocol
  • Transmission Control Protocol
  • FTP, Telnet, SMTP
  • Web security (next lecture)
► Browser side risks
► Server side risks

Page 38

TCP/IP Layering

Page 39

An Example

Page 40

Encapsulation

(Figure.) Going down the sending stack, each layer prepends its header to what it received from the layer above: user data → the HTTP client adds the HTTP header → TCP adds the TCP header → IP adds the IP header → the Ethernet driver adds the Ethernet header and trailer → frame on the Ethernet. The peer's stack (Ethernet driver, IP, TCP, HTTP client) strips them in the reverse order.

Page 41

Demultiplexing

(Figure.) On receipt the Ethernet driver hands each frame to ARP, RARP or IP; IP hands datagrams to ICMP, IGMP, TCP or UDP; TCP and UDP hand segments to DNS, HTTP, FTP, SMTP, SNMP, …
  • demuxing based on the frame type in the Ethernet header
  • demuxing based on the protocol id in the IP header
  • demuxing based on the port number in the TCP or UDP header
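The three demultiplexing decisions of the figure as a small parser. This is an added example and not code from the slides: it reads the frame type from the Ethernet header, the protocol id from the IPv4 header and the destination port from the TCP/UDP header, and records where a real stack would discard the frame (truncated header, unknown type, no listener). The dispatch tables hold the well-known values for the protocols named in the figure, and `build_frame` constructs sample frames (not real captures) using the MAC and IP addresses from the ARP slides later in the lecture.

```python
import struct

# Dispatch tables: the "frame type" in the Ethernet header, the "protocol id"
# in the IP header and the destination port in the TCP/UDP header.
ETHERTYPES = {0x0800: "ip", 0x0806: "arp", 0x8035: "rarp"}
IP_PROTOCOLS = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}
PORTS = {21: "ftp", 25: "smtp", 53: "dns", 80: "http", 161: "snmp"}


def demux(frame):
    """Return the chain of layers a raw Ethernet frame is handed to, ending
    with a 'dropped: ...' entry where a real stack would discard it."""
    path = ["ethernet"]
    if len(frame) < 14:
        return path + ["dropped: truncated Ethernet header"]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    layer = ETHERTYPES.get(ethertype)
    if layer is None:
        return path + ["dropped: unknown frame type 0x%04x" % ethertype]
    path.append(layer)
    if layer != "ip":
        return path                      # ARP/RARP sit beside IP, no further demux

    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return path + ["dropped: bad IPv4 header"]
    ihl = (ip[0] & 0x0F) * 4             # header length in bytes (options included)
    transport = IP_PROTOCOLS.get(ip[9])
    if transport is None:
        return path + ["dropped: unknown IP protocol %d" % ip[9]]
    path.append(transport)
    if transport not in ("tcp", "udp"):
        return path                      # ICMP/IGMP terminate inside IP

    segment = ip[ihl:]
    if len(segment) < 4:
        return path + ["dropped: truncated transport header"]
    _src_port, dst_port = struct.unpack("!HH", segment[:4])
    path.append(PORTS.get(dst_port, "dropped: no listener on port %d" % dst_port))
    return path


def build_frame(ethertype, proto, dst_port):
    """Constructed sample frame (not a real capture): Ethernet + minimal IPv4 +
    transport headers, using the MAC/IP addresses from the ARP slides."""
    eth = (bytes.fromhex("0000c0c29b26") + bytes.fromhex("08002003f642")
           + struct.pack("!H", ethertype))
    if ethertype != 0x0800:
        return eth + b"\x00" * 28        # non-IP body is not inspected here
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         bytes([192, 168, 0, 1]), bytes([192, 168, 0, 5]))
    transport = struct.pack("!HH", 40000, dst_port) + b"\x00" * 16
    return eth + ip_hdr + transport


if __name__ == "__main__":
    for args in ((0x0800, 6, 80), (0x0800, 17, 53), (0x0800, 1, 0), (0x0806, 0, 0)):
        print(demux(build_frame(*args)))
```

Every branch that drops a frame is a place where a malformed packet could otherwise reach code that assumes a complete header; the length checks before each `struct.unpack` are the point of the example.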

Page 42

Names and Addresses

Page 43

IP Addresses

► Format "A.B.C.D" where each letter is a byte
► Class A network: A.0.0.0
  • Zeroes are used to indicate that any number could be in that position
► Class B network: A.B.0.0
► Class C network: A.B.C.0
► Broadcast addresses:
  • 255.255.255.255
  • A.B.C.255
► Special case
  • 0.0.0.0 and A.B.C.0 can be either treated as a broadcast or discarded
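A parser for the "A.B.C.D" format that applies the classful rules of this slide, added here as an example (not from the slides). It rejects malformed input (wrong number of fields, non-digits, a byte above 255), derives the class network A.0.0.0 / A.B.0.0 / A.B.C.0, and labels the broadcast and special-case forms the slide lists. The leading-octet ranges used to decide the class (0-127 A, 128-191 B, 192-223 C) are the standard classful ranges, which the slide does not state.

```python
def parse_ipv4(text):
    """Parse 'A.B.C.D' into a tuple of four ints, rejecting anything malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError("expected four dotted-decimal bytes: %r" % text)
    octets = []
    for part in parts:
        if not part.isdigit():
            raise ValueError("non-numeric octet %r in %r" % (part, text))
        value = int(part)
        if value > 255:
            raise ValueError("octet %d out of range in %r" % (value, text))
        octets.append(value)
    return tuple(octets)


def fmt(octets):
    return ".".join(str(o) for o in octets)


def classify(text):
    """Classful interpretation of an address, following the slide's rules."""
    a, b, c, d = parse_ipv4(text)
    # Leading-octet ranges come from the classful addressing scheme; the
    # slide gives only the network forms A.0.0.0, A.B.0.0 and A.B.C.0.
    if a < 128:
        cls, network = "A", (a, 0, 0, 0)
    elif a < 192:
        cls, network = "B", (a, b, 0, 0)
    elif a < 224:
        cls, network = "C", (a, b, c, 0)
    else:
        cls, network = "D/E", None        # multicast / reserved: no class network

    if (a, b, c, d) == (255, 255, 255, 255):
        kind = "limited broadcast"
    elif d == 255:
        kind = "broadcast (A.B.C.255)"
    elif (a, b, c, d) == (0, 0, 0, 0) or d == 0:
        kind = "special case: broadcast or discard"
    else:
        kind = "host"
    return {"class": cls, "network": fmt(network) if network else None, "kind": kind}


if __name__ == "__main__":
    for addr in ("10.1.2.3", "172.16.5.9", "192.168.0.5", "192.168.0.255", "0.0.0.0"):
        print(addr, classify(addr))
```

The "special case" label is where an implementation has to make the choice the slide describes (treat as broadcast or discard); flagging it explicitly is safer than silently picking one behaviour.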

Page 44

Hardware (MAC) Addresses

► Every interface has a unique and fixed hardware address too
► Used by the data link layer
► In the case of Ethernet, it is 48 bits long
► Mapping between IP addresses and MAC addresses is done by ARP

Page 45

Host Names

► Human-readable, hierarchical names, such as www.uettaxila.edu.pk
► Every host may have several names
► Mapping between names and IP addresses is done by the Domain Name System (DNS)

Page 46

Address Resolution Protocol

Page 47

ARP – Address Resolution Protocol

► Mapping from IP addresses to MAC addresses

(Figure: hosts .1 to .5 on network 192.168.0; the MAC addresses shown are 08:00:20:03:F6:42 and 00:00:C0:C2:9B:26.)

Request: arp req | target IP: 192.168.0.5 | target eth: ?

Reply: arp rep | sender IP: 192.168.0.5 | sender eth: 00:00:C0:C2:9B:26

Page 48

ARP Spoofing

► An ARP request can be answered by another host

(Figure: the same LAN as on the previous slide.)

Request: arp req | target IP: 192.168.0.5 | target eth: ?

Reply: arp rep | sender IP: 192.168.0.5 | sender eth: 00:34:CD:C2:9F:A0

The reply claims 192.168.0.5 but carries 00:34:CD:C2:9F:A0, the MAC address of a different host.

Page 49

ARP Spoofing

► Used for sniffing on a switched LAN

(Figure: Victim, Attacker and Default Router connected to a Switch; the Default Router connects to the Outside World.)

1. Configure IP forwarding
2. Send fake ARP response to map default router's IP to attacker's MAC
3. Victim sends traffic based on poisoned ARP cache
4. Sniff the traffic from the link
5. Packets are forwarded from attacker's machine to actual default router

Page 50

ARP Spoofing Prevention?

► Cryptographic protection on the data is the only way
  • Do not allow any untrusted node to read the contents of your traffic
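Encryption protects the contents, but the spoofed reply on slides 48 and 49 is still visible on the wire, and that is what a passive monitor can detect. The following is an added example, not part of the slides: an ARP watcher that learns IP-to-MAC bindings only from replies that answer a request it saw, and raises an alert when a reply was never asked for or contradicts a binding already learned. The sample traffic is constructed from the addresses on the two ARP slides (the legitimate 192.168.0.5 / 00:00:C0:C2:9B:26 pair, then the reply carrying 00:34:CD:C2:9F:A0); the `ArpPacket` record type is an assumption of this example, not a real library.

```python
from collections import namedtuple

# op is "request" or "reply"; addresses are strings as printed on the slides.
ArpPacket = namedtuple("ArpPacket", "op sender_ip sender_mac target_ip")


class ArpWatcher:
    """Passive monitor: learns IP->MAC bindings only from replies that answer a
    request it saw, and flags replies that were never asked for or that
    contradict a binding already learned."""

    def __init__(self, known=None):
        self.table = dict(known or {})   # seed from an inventory when you have one
        self.pending = set()             # target IPs with an unanswered request
        self.alerts = []

    def observe(self, pkt):
        if pkt.op == "request":
            self.pending.add(pkt.target_ip)
            return []
        reasons = []
        solicited = pkt.sender_ip in self.pending
        if not solicited:
            reasons.append("unsolicited reply for %s from %s"
                           % (pkt.sender_ip, pkt.sender_mac))
        known = self.table.get(pkt.sender_ip)
        if known is None:
            if solicited:                # never learn from a gratuitous reply
                self.table[pkt.sender_ip] = pkt.sender_mac
        elif known != pkt.sender_mac:
            reasons.append("binding for %s changed %s -> %s (possible ARP spoofing)"
                           % (pkt.sender_ip, known, pkt.sender_mac))
        self.pending.discard(pkt.sender_ip)
        if reasons:
            self.alerts.append((pkt, reasons))
        return reasons


# Constructed traffic using the slides' addresses: a normal exchange for
# 192.168.0.5, then a second reply claiming the same IP for another MAC.
SAMPLE = [
    ArpPacket("request", "192.168.0.1", "08:00:20:03:F6:42", "192.168.0.5"),
    ArpPacket("reply", "192.168.0.5", "00:00:C0:C2:9B:26", "192.168.0.1"),
    ArpPacket("reply", "192.168.0.5", "00:34:CD:C2:9F:A0", "192.168.0.1"),
]


def run_sample(packets=SAMPLE):
    watcher = ArpWatcher()
    return [watcher.observe(p) for p in packets]


if __name__ == "__main__":
    for pkt, reasons in zip(SAMPLE, run_sample()):
        print(pkt.op, pkt.sender_ip, pkt.sender_mac, reasons or "ok")
```

The watcher trusts whichever solicited reply arrives first, so if the forged reply wins the race it becomes the learned binding; seeding `known` from the router's and servers' real MAC addresses removes that gap, which is also why tools of this kind are usually paired with an inventory.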

Page 51

Internet Protocol

Page 52

IP – Internet Protocol

► Provides an unreliable, connectionless datagram delivery service to the upper layers
► Its main function is routing
► It is implemented in both end systems and intermediate systems (routers)
► Routers maintain routing tables that define the next-hop router towards a given destination (host or network)
► IP routing uses the routing table and the information in the IP header (e.g., the destination IP address) to route a packet

Page 53

IP Security Problems

► User data in IP packets is not protected in any way
  • Anyone who has access to a router can read and modify the user data in the packets
► IP packets are not authenticated
  • It is fairly easy to generate an IP packet with an arbitrary source IP address
► Traffic analysis
  • Even if user data was encrypted, one could easily determine who is communicating with whom by just observing the addressing information in the IP headers

Page 54

IP Security Problems

► Information exchanged between routers to maintain their routing tables is not authenticated
  • Correct routing table updates can be modified or fake ones can be disseminated
  • This may screw up routing completely, leading to loops or partitions
  • It may also facilitate eavesdropping, modification, and monitoring of traffic
  • It may cause congestion of links or routers (i.e., denial of service)

Page 55

Transmission Control Protocol

Page 56

TCP – Transmission Control Protocol

► Provides a connection-oriented, reliable byte stream service to the upper layers
► Connection oriented:
  • Connection establishment phase prior to data transfer
  • State information (sequence numbers, window size, etc.) is maintained at both ends

Page 57

TCP - Reliability

► Positive acknowledgement scheme (unacknowledged bytes are retransmitted after a timeout)
► Checksum on both header and data
► Reordering of segments that are out of order
► Detection of duplicate segments
► Flow control (sliding window mechanism)

Page 58

TCP Connection Establishment

(Figure: three-way handshake between Client and Server.)

Server: Listening
Client → Server: SYN_C
Server: Store data
Server → Client: SYN_S, ACK_C
Server: Wait
Client → Server: ACK_S
Server: Connected

Page 59

TCP Sequence Numbers

► TCP uses the ISN (Initial Sequence Number) to order the incoming packets for a connection
► Sequence numbers are 32 bits long
► The sequence number in a data segment identifies the first byte in the segment
► Sequence numbers are initialized with a "random" value during connection setup
► The RFC suggests that the ISN is incremented by one at least every 4 µs

Page 60

TCP SYN Attack

► An attacker can impersonate a trusted host (e.g., in the case of r commands, authentication is based solely on the source IP address)
  • This can be done by guessing the sequence number in the ongoing communication
  • The initial sequence numbers are intended to be more or less random

Page 61

TCP SYN Attack

► In Berkeley implementations, the ISN is incremented by a constant amount:
  • 128,000 once per second, and
  • a further 64,000 each time a connection is initiated
► RFC 793 specifies that the 32-bit counter be incremented by 1 about every 4 µs
  • the ISN cycles every 4.55 hours
► Whatever! It is not hopeless to guess the next ISN to be used by a system

Page 62

Launching a SYN Attack

► The attacker first establishes a valid connection with the target to learn its ISN.
► Next it impersonates the trusted host T and sends the connection request with ISN_X
► The target sends the ACK with its ISN_S to the trusted host T
► The attacker, after the expected time, sends the ACK with the predicted ISN_S'

Page 63

Launching a SYN Attack

(Figure: messages among attacker, server and trusted host (T).)

attacker → server: SYN = ISN_X, SRC_IP = T
server → T: SYN = ISN_S, ACK(ISN_X)
attacker → server: ACK(ISN_S), SRC_IP = T
attacker → server: SRC_IP = T, nasty_data

Page 64

What about the ACK for T?

► If the ACK is received by the trusted host T
  • It will reject it, as no request for a connection was made by it
  • An RST will be sent and the server drops the connection

BUT!!!

► The attacker can either launch this attack when T is down
► Or launch some sort of DoS attack on T so that it can't reply

Page 65

TCP SYN Attack – How to Guess ISN_S?

ISN_S' (the attacker's ISN) depends on ISN_S and t
  • t can be estimated from the round trip time
  • Assume t can be estimated with 10 ms precision

(Figure: attacker and server; t is the time between the attacker's two connection attempts.)

attacker → server: SYN = ISN_X
server → attacker: SYN = ISN_S, ACK(ISN_X)
attacker → server: SYN = ISN_X', SRC_IP = T
server → T: SYN = ISN_S', ACK(ISN_X)
attacker → server: ACK(ISN_S'), SRC_IP = T

Page 66

TCP SYN Attack – How to Guess ISN_S?

► Attacker has an uncertainty of 1280 in the possible value for ISN_S'
► Assume each trial takes 5 s
► The attacker has a reasonable likelihood of succeeding in 6400 s and a near-certainty within one day!
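Where the figures 1280 and 6400 come from, as an added derivation (not written out on the slides) using the Berkeley increment rate given on slide 61 and the 10 ms timing precision assumed on slide 65. The ISN advances by 128,000 per second, so an error of 0.010 s in the estimate of t spans

$$\Delta \mathrm{ISN}_S' = 128{,}000\ \mathrm{s}^{-1} \times 0.010\ \mathrm{s} = 1280$$

candidate values, and trying each candidate at 5 s per trial needs at most

$$T = 1280 \times 5\ \mathrm{s} = 6400\ \mathrm{s} \approx 1.8\ \mathrm{h},$$

which is the "near-certainty within one day" of the slide. The whole calculation rests on the ISN being a linear function of time; an ISN derived from a keyed hash of the connection's addresses and ports plus a clock, as RFC 6528 specifies, leaves no such small window to search.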

Page 67

How to Prevent it?

► Can be prevented by properly configuring the firewall
  • Do not allow any communication from outside using the address of some internal network
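The firewall rule of this slide as code, added here as an example (not from the slides). It goes one step beyond the slide in applying the mirror rule as well: packets leaving from the inside must carry an internal source address, so that hosts on this network cannot be used to spoof others. The `Packet` record, the internal prefix 192.168.0.0/24 (taken from the ARP slides) and the 203.0.113.0/24 documentation range standing in for the Internet are all constructed for the example.

```python
import ipaddress
from collections import namedtuple

# ingress is the interface the packet arrived on: "outside" or "inside"
Packet = namedtuple("Packet", "ingress src dst")


class BorderFilter:
    """Source-address sanity rules for a border firewall."""

    def __init__(self, internal_prefixes):
        self.internal = [ipaddress.ip_network(p) for p in internal_prefixes]

    def is_internal(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.internal)

    def decide(self, pkt):
        if pkt.ingress == "outside" and self.is_internal(pkt.src):
            # the slide's rule: nothing from outside may claim an inside address
            return "drop: internal source %s arriving from outside" % pkt.src
        if pkt.ingress == "inside" and not self.is_internal(pkt.src):
            # mirror rule (egress filtering): our hosts may not spoof others
            return "drop: non-internal source %s leaving from inside" % pkt.src
        return "accept"


# Constructed sample: 192.168.0.0/24 is the internal network from the ARP
# slides; 203.0.113.0/24 is a documentation range standing in for the Internet.
FILTER = BorderFilter(["192.168.0.0/24"])
SAMPLE = [
    Packet("outside", "192.168.0.5", "192.168.0.1"),   # spoofed internal source
    Packet("outside", "203.0.113.7", "192.168.0.1"),   # ordinary inbound
    Packet("inside", "192.168.0.5", "203.0.113.7"),    # ordinary outbound
    Packet("inside", "203.0.113.9", "203.0.113.7"),    # inside host spoofing
]


def run_sample(packets=SAMPLE, flt=FILTER):
    return [flt.decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_sample()):
        print(pkt.ingress, pkt.src, "->", pkt.dst, ":", verdict)
```

The rule only removes the spoofed-source ingredient of the attack on slides 62 and 63; it does nothing for a trusted host T that is itself outside the filtered network, which is why the slide pairs it with the earlier advice to prefer cryptographic protection over address-based trust.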

Page 68

TCP SYN Flood

► Attacker's goal is to overwhelm the destination machine with SYN packets with spoofed IP
► This results in:
  • The server's connection queue filling up, causing a DoS attack
  • Or, even if the queue is large enough, all ports will be busy and the service could not be provided by the server

(Figure: client C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5 to server S, which is listening and stores data for each half-open connection.)

Page 69

How to Avoid TCP SYN Flood

► Decrease the wait time for half open connection
► Do not store the connection information
► Use SYN cookies as sequence numbers during connection setup
► SYN cookie is some function applied on Dest IP, Source IP, Port numbers, Time and a secret number
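The SYN-cookie idea on this slide, worked through as an added example (this code is not from the lecture; the secret, the 64 s slot width and the 3-bit slot / 29-bit MAC layout are assumptions made for the demo). The server answers each SYN with a sequence number computed from the two addresses, the two ports, the client's ISN, a coarse time counter and a secret, stores nothing, and on the third handshake segment recomputes the value to decide whether that SYN was ever answered:

```python
import hashlib
import hmac

# Constructed per-boot secret; a real server draws this from a CSPRNG at start-up.
SECRET = b"constructed-demo-secret-do-not-reuse"
# Width of one time slot in seconds. A cookie is accepted in its own slot and the
# following one, so a client has between 64 and 128 s to complete the handshake.
SLOT_SECONDS = 64


def time_slot(now: float) -> int:
    """Coarse time counter that is mixed into the MAC and encoded in the cookie's top 3 bits."""
    return int(now) // SLOT_SECONDS


def make_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, now):
    """Server ISN for a SYN: MAC over the 4-tuple, the client's ISN and the time slot.

    Layout (constructed for this demo): bits 31..29 = slot mod 8, bits 28..0 = MAC.
    Nothing about the half-open connection is kept on the server side."""
    slot = time_slot(now)
    msg = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{client_isn}|{slot}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((slot & 0x7) << 29) | (int.from_bytes(mac[:4], "big") & 0x1FFFFFFF)


def check_syn_cookie(cookie, src_ip, dst_ip, src_port, dst_port, client_isn, now):
    """Recompute the cookie for the current and the previous slot and compare in constant time."""
    current = time_slot(now)
    for slot in (current, current - 1):
        if (slot & 0x7) != (cookie >> 29):
            continue  # the slot bits in the cookie do not match this candidate
        expected = make_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_isn,
                                   slot * SLOT_SECONDS)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return True
    return False


def accept_handshake_ack(src_ip, dst_ip, src_port, dst_port, seq, ack, now):
    """Third handshake segment: seq = client_isn + 1, ack = our cookie + 1.

    Returns True only if the ACK belongs to a SYN this server really answered in the
    last two slots; a spoofed SYN flood never produces such an ACK, so it costs the
    server one HMAC per SYN and no queue entry."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    return check_syn_cookie(cookie, src_ip, dst_ip, src_port, dst_port, client_isn, now)


if __name__ == "__main__":
    # Constructed handshake: client 10.0.0.5:40000 -> server 192.0.2.1:80, client ISN 1000.
    t0 = 1_000_000
    cookie = make_syn_cookie("10.0.0.5", "192.0.2.1", 40000, 80, 1000, t0)
    print("cookie", hex(cookie))
    print("valid ACK  ", accept_handshake_ack("10.0.0.5", "192.0.2.1", 40000, 80, 1001, cookie + 1, t0 + 10))
    print("stale ACK  ", accept_handshake_ack("10.0.0.5", "192.0.2.1", 40000, 80, 1001, cookie + 1, t0 + 3 * SLOT_SECONDS))
    print("wrong host ", accept_handshake_ack("10.0.0.6", "192.0.2.1", 40000, 80, 1001, cookie + 1, t0 + 10))
```

The trade-off the slide leaves out: because nothing is stored, the server forgets the TCP options the client offered in its SYN (window scale, SACK), so production stacks normally switch cookies on only while the backlog is full.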

Page 70

TCP Congestion Control

• If packets are lost, assume congestion
  – Reduce transmission rate by half, repeat
  – If loss stops, increase rate very slowly

Design assumes routers blindly obey this policy

[Figure: a source sending to a destination through the network]

Page 71

TCP Congestion Control - Competition

• Friendly source A gives way to overexcited source B
  – Both senders experience packet loss
  – Source A backs off
  – Source B disobeys protocol, gets better results!

[Figure: sources A and B sending to their destinations over a shared path]

Page 72

DoS-Denial of Service Attacks

► Attempts to prevent the victim from being able to establish connections
► Accomplished by involving the victim in heavy processing
  like sending the TCP SYN packets to all ports of the victim and avoiding new connection establishment
► DoS attacks are much easier to accomplish than gaining administrative access

Page 73

Exploiting Ping Command for Smurf DoS Attack

• Send ping request to subnet-directed broadcast address with spoofed IP (ICMP Echo Request)
• Lots of responses:
  – Every host on target network generates a ping reply (ICMP Echo Reply) to victim
  – Ping reply stream can overload victim

[Figure: DoS source, gateway, DoS target]
  1 ICMP Echo Req, Src: DoS Target, Dest: brdct addr
  3 ICMP Echo Reply, Dest: DoS Target

Page 74

Smurf DoS Attack Prevention

► Have adequate bandwidth and redundant paths
► Filter ICMP messages to reject external packets to broadcast address
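Slides 67 and 74 both come down to one rule set at the border: no inbound packet may carry an inside source address, and no inbound packet may be addressed to one of the inside broadcast addresses. As an added example that is not part of the lecture, the policy below (Python, with constructed RFC 5737 documentation prefixes standing in for the internal networks and constructed sample packets) applies both rules and, going beyond the slides, adds the matching egress rule so inside hosts cannot be the ones doing the spoofing:

```python
import ipaddress

# Constructed internal prefixes for the example (RFC 5737 documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def is_directed_broadcast(addr):
    """True for 255.255.255.255 and for the subnet broadcast address of any internal prefix."""
    return addr == LIMITED_BROADCAST or any(addr == net.broadcast_address for net in INTERNAL_NETS)


def border_filter(pkt):
    """Decide ACCEPT/DROP for one packet at the border router.

    pkt: dict with 'direction' ('in' = arriving from the Internet, 'out' = leaving),
    'src', 'dst', 'proto' and, for ICMP, 'icmp_type'. Returns (verdict, reason)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if pkt["direction"] == "in":
        # Slide 67: a packet arriving from outside must never claim an inside source.
        if is_internal(src):
            return "DROP", "ingress anti-spoofing: internal source address arriving from outside"
        # Slide 74: nothing from outside may be addressed to one of our broadcast addresses;
        # that is what turns one spoofed Echo Request into a subnet's worth of Echo Replies.
        if is_directed_broadcast(dst):
            kind = "ICMP echo" if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8 else pkt["proto"]
            return "DROP", f"directed broadcast from outside ({kind})"
        return "ACCEPT", "inbound, no anti-spoofing rule matched"
    # Egress counterpart (not on the slides): our hosts may not send with foreign sources,
    # so the victim's address cannot be forged from inside this network.
    if not is_internal(src):
        return "DROP", "egress anti-spoofing: non-internal source address leaving the network"
    return "ACCEPT", "outbound from an internal address"


def apply_policy(packets):
    return [border_filter(p)[0] for p in packets]


# Constructed sample traffic, one packet per case.
SAMPLE_PACKETS = [
    {"direction": "in",  "src": "203.0.113.9", "dst": "192.0.2.10",    "proto": "tcp"},                       # ordinary inbound
    {"direction": "in",  "src": "192.0.2.77",  "dst": "192.0.2.10",    "proto": "tcp"},                       # spoofed inside source
    {"direction": "in",  "src": "203.0.113.9", "dst": "192.0.2.255",   "proto": "icmp", "icmp_type": 8},      # Smurf trigger
    {"direction": "in",  "src": "203.0.113.9", "dst": "192.0.2.10",    "proto": "icmp", "icmp_type": 8},      # normal ping
    {"direction": "out", "src": "203.0.113.9", "dst": "203.0.113.50",  "proto": "icmp", "icmp_type": 8},      # inside host spoofing
    {"direction": "out", "src": "192.0.2.10",  "dst": "203.0.113.9",   "proto": "tcp"},                       # ordinary outbound
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, reason = border_filter(pkt)
        print(f"{verdict:6} {pkt['direction']:3} {pkt['src']:>14} -> {pkt['dst']:<15} {reason}")
```

The first rule is the one that breaks the SYN spoofing attack of slides 64 to 67 (a SYN claiming to come from the trusted host T cannot enter from outside); the second is the one that stops this network's hosts from being used as a Smurf amplifier.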

Page 75

FTP – File Transfer Protocol

[Figure: FTP model. On the client side: user, user interface, protocol interpreter, data transfer function, file system. On the server side: protocol interpreter, data transfer function, file system. The two protocol interpreters talk over the control connection (FTP commands and replies); the two data transfer functions talk over the data connection.]

Page 76

FTP – File Transfer Protocol

► Typical FTP commands:
  RETR filename – retrieve (get) a file from the server
  STOR filename – store (put) a file on the server
  TYPE type – specify file type (e.g., A for ASCII)
  USER username – username on server
  PASS password – password on server
► FTP is a text (ASCII) based protocol

Page 77

FTP – File Transfer Protocol

client: % ftp www.uettaxila.edu.pk
        <TCP connection setup to port 21 of www.uettaxila.edu.pk >
server → client: “220 www.uettaxila.edu.pk FTP server (version 5.60) ready.”
client: Connected to www.uettaxila.edu.pk
client: Name: abc
client → server: “USER abc”
server → client: “331 Password required for user abc.”
client: Password: pswd
client → server: “PASS pswd”
server → client: “230 User abc logged in.”

Page 78

Problems with FTP

► FTP information exchange is in clear text
  The attacker can easily eavesdrop and get the secret information
  The attacker can also know the software version of FTP running to exploit the vulnerabilities of that particular version

Page 79

FTP Bounce Scans

► FTP has a feature to open connection with victim machine on the request from attacker machine
► Machine A (Attacker) can request to check for the open ports on the target machine X (Victim)
► Newer version of FTP does not support this forwarding feature

[Figure: the Attacker holds an FTP control connection to the FTP Server, which opens the requested connections towards the Victim to be scanned]
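The server-side defence the last bullet refers to, as an added example that is not from the lecture: honour PORT only when the requested address is the host that holds the control connection, and only for an unprivileged port. The function names and reply texts are mine; the PORT argument format and the reply codes 200, 500 and 501 are the standard ones from RFC 959.

```python
def parse_port_command(arg):
    """Parse the argument of an FTP PORT command, 'h1,h2,h3,h4,p1,p2' (RFC 959), into (ip, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        raise ValueError("PORT needs six decimal fields")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def validate_port_command(arg, control_peer_ip):
    """Check a PORT request before opening the data connection.

    The data connection may only go back to the peer of the control connection and
    only to a non-privileged port; a PORT naming some other host is exactly the
    bounce pattern on the slide. Returns (ok, reply_line)."""
    try:
        ip, port = parse_port_command(arg)
    except ValueError:
        return False, "501 Syntax error in parameters or arguments"
    if ip != control_peer_ip:
        return False, "500 Illegal PORT command: address differs from control connection"
    if port < 1024:
        return False, "500 Illegal PORT command: privileged port"
    return True, f"200 PORT command successful ({ip}:{port})"


def audit_port_commands(log, control_peer_ip):
    """Run a list of PORT arguments (e.g. from a session log) through the check and
    return the ones that would have been refused, for alerting."""
    return [arg for arg in log if not validate_port_command(arg, control_peer_ip)[0]]


if __name__ == "__main__":
    # Constructed session: the client at 192.0.2.10 asks for three data connections.
    peer = "192.0.2.10"
    for arg in ["192,0,2,10,4,1", "198,51,100,7,0,25", "192,0,2,10,0,80"]:
        print(arg, "->", validate_port_command(arg, peer)[1])
```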

Page 80

Telnet

► Provides remote login service to users
► Works between hosts that use different operating systems
► Uses option negotiation between client and server to determine what features are supported by both ends

Page 81

Telnet

[Figure: Telnet client (user, terminal driver, TCP/IP in the kernel) connected over a TCP connection to the Telnet server (TCP/IP, pseudo-terminal driver in the kernel, login shell)]

Page 82

Telnet Session Example

► Single character at a time

Page 83

Telnet Example

client: % telnet ahost.com.pk
        <TCP connection setup to port 23 of ahost.com.pk>
        <Telnet option negotiation>
client: Connected to ahost.com.pk
client: Escape character is ‘^]’.
server → client: “UNIX(r) System V Release 4.0”
server → client: “Login:”
client: Login: s
client → server: “s”
client: Login: st
client → server: “t”
client: Login: student
client → server: “t”
server → client: “Password:”
client: Password: c
client → server: “c”
…
client: Password: cab123
client → server: “3”
server → client: <OS greetings and shell prompt, e.g., “%”>
…

Page 84

Problems with Telnet

► Information exchange is in clear text
  The attacker can easily eavesdrop and get the information like username and passwords
  The attacker can also know the version to exploit the vulnerabilities of that particular version

Page 85

SMTP – Simple Mail Transfer Protocol

[Figure: on the sending host, the user’s user agent hands mails to be sent to the local MTA; the local MTA forwards them over a TCP connection to port 25 (SMTP), through one or more relay MTAs, to the local MTA on the receiving host, which places them in the user mailbox read by the receiving user’s user agent. Every MTA-to-MTA hop uses SMTP.]

Page 86

SMTP

► SMTP is a text (ASCII) based protocol
► MTA transfers mail from the user to the destination server
► MTA relays are used to relay the mail from other clients
► MTAs use SMTP to talk to each other
► All the messages are spooled before sending

Page 87

©Copyright 2004. Amir Qayyum. All rights reserved

SMTP Message Flow

sending MTA (mail.uettaxila.edu.pk) ↔ receiving MTA (smtp.yahoo.com)

<TCP connection establishment to port 25>
sending → receiving: “HELO mail.uettaxila.edu.pk.”
receiving → sending: “250 smtp.yahoo.com Hello mail.uettaxila.edu.pk., pleased to meet you”
sending → receiving: “MAIL from: [email protected]”
receiving → sending: “250 [email protected]... Sender ok”
sending → receiving: “RCPT to: [email protected]”
receiving → sending: “250 student2@yahoo… Recipient ok”
sending → receiving: “DATA”
receiving → sending: “354 Enter mail, end with a “.” on a line by itself”
sending → receiving: <message to be sent>
sending → receiving: .
receiving → sending: “250 Mail accepted”
sending → receiving: “QUIT”
receiving → sending: “221 smtp.yahoo.com delivering mail”

Page 88

SMTP Security Problems

► Designed in an era where internet security was not much of an issue
  No security at the base protocol
► Designed around the idea of “cooperation” and “trust” between servers
  Susceptible to DoS attacks
    ► Simply flood a mail server with SMTP connections or SMTP instructions.

Page 89

SMTP Security Problems

► SMTP does not provide any protection of e-mail messages
  Does not ask sender to authenticate itself.
  Messages can be read and modified by any of the MTAs involved
  Fake messages can easily be generated (e-mail forgery)
  Does not check what and from whom it is relaying the message

Page 90

SMTP Security Problems Example

% telnet frogstar.hit.com.pk 25
Trying...
Connected to frogstar.hit.com.pk.
Escape character is ‘^[’.
220 frogstar.hit.com.pk ESMTP Sendmail 8.11.6/8.11.6; Mon, 10 Feb 2003 14:23:21 +0100
helo abcd.com.pk
250 frogstar.hit.com.pk Hello [152.66.249.32], pleased to meet you
mail from: [email protected]
250 2.1.0 [email protected]... Sender ok
rcpt to: [email protected]
250 2.1.5 [email protected]... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Your fake message goes here.
.
250 2.0.0 h1ADO5e21330 Message accepted for delivery
quit
221 frogstar.hit.com.pk closing connection
Connection closed by foreign host.
%

Page 91

Be Careful, Though!

Return-Path: <[email protected]>
Received: from frogstar.hit.com.pk ([email protected] [152.66.248.44])
	by mail.ebizlab.hit.com.pk (8.12.7/8.12.7/Debian-2) with ESMTP id h1ADSsxG022719
	for <[email protected]>; Mon, 10 Feb 2003 14:28:54 +0100
Received: from abcd.com.pk ([152.66.249.32])
	by frogstar.hit.com.pk (8.11.6/8.11.6) with SMTP id h1ADO5e21330
	for [email protected]; Mon, 10 Feb 2003 14:25:41 +0100
Date: Mon, 10 Feb 2003 14:25:41 +0100
From: [email protected]: <[email protected]>
To: undisclosed-recipients:;
X-Virus-Scanned: by amavis-dc
Status:

Your fake message goes here.
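Reading the headers above the way a mail administrator would, as an added example rather than material from the lecture. The sample is the slide's header block with line folding restored; the redacted addresses and ident string are replaced with placeholders under example.invalid. The parser walks the Received: chain from the bottom up to the first MTA that accepted the message and reports which HELO names the receiving side never confirmed:

```python
import re

# Header block from the "Be Careful, Though!" slide with RFC 2822 line folding restored.
# Addresses and the ident string are redacted on the slide; example.invalid placeholders stand in.
SAMPLE_HEADERS = (
    "Return-Path: <fake-sender@example.invalid>\n"
    "Received: from frogstar.hit.com.pk (ident-redacted@frogstar.hit.com.pk [152.66.248.44])\n"
    "\tby mail.ebizlab.hit.com.pk (8.12.7/8.12.7/Debian-2) with ESMTP id h1ADSsxG022719\n"
    "\tfor <recipient@example.invalid>; Mon, 10 Feb 2003 14:28:54 +0100\n"
    "Received: from abcd.com.pk ([152.66.249.32])\n"
    "\tby frogstar.hit.com.pk (8.11.6/8.11.6) with SMTP id h1ADO5e21330\n"
    "\tfor recipient@example.invalid; Mon, 10 Feb 2003 14:25:41 +0100\n"
    "Date: Mon, 10 Feb 2003 14:25:41 +0100\n"
    "From: fake-sender@example.invalid\n"
    "To: undisclosed-recipients:;\n"
    "X-Virus-Scanned: by amavis-dc\n"
)

# Sendmail-style clause: "from HELO (rdns [ip]) by HOST (...) with PROTO id ID ..."
# The parenthesised part is what the receiving MTA observed itself; the HELO name is the client's claim.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?\bwith\s+(?P<with>\S+)\s+id\s+(?P<id>\S+)"
)


def unfold_headers(raw):
    """Return [(name, value)] with folded continuation lines joined onto their header."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    hop = m.groupdict()
    hop["date"] = value.rsplit(";", 1)[1].strip() if ";" in value else None
    return hop


def trace_hops(raw):
    """Each MTA prepends its own Received: line, so reading them bottom-up gives the
    path in delivery order: hops[0] is the MTA that first accepted the message."""
    received = [v for n, v in unfold_headers(raw) if n.lower() == "received"]
    return [h for h in (parse_received(v) for v in reversed(received)) if h]


def origin_ip(raw):
    """Address the first MTA saw the message come from; the From: line proves nothing."""
    hops = trace_hops(raw)
    return hops[0]["ip"] if hops else None


def unverified_helo_hops(raw):
    """HELO names with only a bare IP in the parentheses, i.e. the receiving MTA could not
    attach a reverse name to the peer. This is where the forged 'abcd.com.pk' shows up."""
    return [h["helo"] for h in trace_hops(raw) if h["rdns"] is None]


if __name__ == "__main__":
    for i, hop in enumerate(trace_hops(SAMPLE_HEADERS)):
        print(f"hop {i}: claimed {hop['helo']!r}, actually {hop['ip']} -> {hop['by']} ({hop['with']}, id {hop['id']})")
    print("origin:", origin_ip(SAMPLE_HEADERS), "unverified HELO:", unverified_helo_hops(SAMPLE_HEADERS))
```

Only the Received: lines written by servers you trust are evidence; the bottom one records 152.66.249.32 connecting to frogstar with a HELO of abcd.com.pk that frogstar could not confirm, which is precisely the session on the previous slide.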

Page 92

Domain Name Server

Page 93

DNS – Domain Name Server

► The DNS is a distributed database that provides mapping between hostnames and IP addresses
► The DNS name space is hierarchical
  Top level domains gTLDs: com, edu, gov, int, mil, net, org, ccTLDs like ae, …, pk, … zw
  Top level domains may contain second level domains
    e.g., edu within pk, co within uk, …
  Second level domains may contain third level domains, etc.

Page 94

Domain Name Server

► Usually (not always) a name server knows the IP address of the top level name servers
► If a domain contains sub-domains, then the name server knows the IP address of the sub-domain name servers
► When a new host is added to a domain, the administrator adds the (hostname, IP address) mapping to the database of the local name server

Page 95

DNS – Domain Name Server

A single DNS reply may include several (hostname, IP address) mappings (Resource Records)

Received information is cached by the name server

[Figure: resolution of “authority.uettaxila.edu.pk = ?”. The application asks the local name server; the local name server asks a top level name server, which returns the IP of the name server in pk; that returns the IP of the name server in edu.pk; that returns the IP of the name server in uettaxila.edu.pk; that answers 202.83.173.61, and the local name server passes 202.83.173.61 back to the application.]

Page 96

DNS spoofing

► The cache of a DNS name server is poisoned with false information
► How to do it?
  Assume that the attacker wants www.anything.com.pk to map to his own IP address 202.83.173.59

Page 97

DNS Spoofing - Approach 1

► Attacker submits a DNS query “www.anything.com.pk=?” to ns.victim.com.pk
► A bit later it forges a DNS reply “www.anything.com.pk=202.83.173.59”
► UDP makes forging easier but the attacker must still predict the query ID

Page 98

DNS Spoofing – Approach 2

► Attacker has access to ns.attacker.com.pk
  The attacker modifies its local name server such that it responds to a query “www.attacker.com.pk=?” with “www.anything.com.pk=202.83.173.59”
  The attacker then submits a query “www.attacker.com.pk=?” to ns.victim.com.pk
  ns.victim.com.pk sends the query “www.attacker.com.pk=?” to ns.attacker.com.pk
  ns.attacker.com.pk responds with “www.anything.com.pk=202.83.173.59”
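The two checks a caching resolver needs against the approaches on slides 97 and 98, as an added example that is not from the lecture: an unpredictable transaction ID and source port for every outstanding query (Approach 1 has to guess both, not just the ID), and a bailiwick rule that discards records a server is not authoritative for (Approach 2 puts a record for www.anything.com.pk into an answer from ns.attacker.com.pk). The delegation table, the class and its method names are constructed for this demo; it is a Python toy standing in for ns.victim.com.pk, not real resolver software.

```python
import random

# Constructed delegation table: the zone each name server is authoritative for.
NS_ZONES = {
    "ns.attacker.com.pk": "attacker.com.pk",
    "ns.anything.com.pk": "anything.com.pk",
}


def in_bailiwick(name, zone):
    """A server for `zone` may only tell us about names at or below that zone."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class CachingResolver:
    """Toy stand-in for ns.victim.com.pk with the two checks that defeat the slides' attacks."""

    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        self.cache = {}      # name -> ip
        self.pending = {}    # (txid, src_port) -> (qname, ns asked)

    def send_query(self, qname, ns):
        """Pick an unpredictable 16-bit ID and an unpredictable source port for the query."""
        txid = self.rng.randrange(0, 1 << 16)
        port = self.rng.randrange(1024, 1 << 16)
        self.pending[(txid, port)] = (qname, ns)
        return txid, port

    def receive_reply(self, txid, port, from_ns, answers):
        """answers: list of (name, ip). Returns what was cached and what was discarded."""
        key = (txid, port)
        if key not in self.pending:
            # Approach 1: a forged reply must hit ID and port together, roughly 2^32 combinations,
            # instead of the 2^16 IDs it would face with a fixed source port.
            return {"status": "rejected-unknown-query", "accepted": [], "dropped": list(answers)}
        qname, ns = self.pending[key]
        if from_ns != ns:
            # Modelled by server name here; a real resolver compares the reply's source address/port.
            return {"status": "rejected-wrong-server", "accepted": [], "dropped": list(answers)}
        del self.pending[key]
        zone = NS_ZONES.get(from_ns)
        accepted, dropped = [], []
        for name, ip in answers:
            # Approach 2: ns.attacker.com.pk may only populate our cache with *.attacker.com.pk.
            if zone is not None and in_bailiwick(name, zone):
                self.cache[name] = ip
                accepted.append((name, ip))
            else:
                dropped.append((name, ip))
        return {"status": "ok", "accepted": accepted, "dropped": dropped}


if __name__ == "__main__":
    r = CachingResolver()
    txid, port = r.send_query("www.attacker.com.pk", "ns.attacker.com.pk")
    print(r.receive_reply(txid, port, "ns.attacker.com.pk",
                          [("www.attacker.com.pk", "203.0.113.10"),
                           ("www.anything.com.pk", "202.83.173.59")]))   # second record dropped
    print("cache:", r.cache)
```

The ID and port checks make a blind forgery a 1-in-2^32 shot per packet rather than 1-in-2^16, and the bailiwick check means that even a server the attacker fully controls can only poison names under its own zone.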

Page 99

Questions

?

[email protected]