TCP/IP For Security Administrators
Steve Riley, Security Program Manager, Microsoft Corporation
[email protected]
Why are we here?
Security is (or will be) your job. Security is your life. You are security for your org.
If you wanna be good, there are some things you gotta know:
• How to say "I don't know"
• How to say "That's not allowed" without giving away the fact that you really don't know
• How to say "It's not my fault" even though you screwed up the configuration really good
• How to deflect blame toward others
• How to speak the language of network communications

Protocols? IANAG!
Ah but yes you are. Acknowledgement is the first step toward recovery. You're in a room filled with like-minded Gs.

"How do I become a security expert?"
• Learn everything you can about how network devices talk to each other
• Attend more conferences
• Dream in TCP/IP (lucid/IP?)

Importance
Our goal today: to thoroughly understand important network protocols (and to boldly split infinitives).
We will explore:
• How the protocols work
• How attackers abuse them
• How to defend them
We will not:
• Have any marketing content
• Prepare you for passing some (hugely bogus and useless) exam
• Be entirely actionable today
But you'll thank me later!
The OSI model
1. physical
2. link
3. network
4. transport
5. session
6. presentation
7. application

The real world
Four layers are sufficiently representative:
1. interface: ARP, RARP
2. network: IP, ICMP, IGMP
3. transport: TCP, UDP, IPsec
4. application: HTTP, FTP, TFTP, telnet, ping, SMTP, POP3, IMAP4, RPC, SMB, NTP, DNS, ...
Presentation conventions
"A" and "B" represent networked hosts.
Protocol format diagrams show each header as rows of 32 bits, with bit positions 0, 8, 16, 24 and 31 marked across the top; each row lists its fields left to right. Some protocol dump examples (tcpdump output) are included.
Interface Layer Protocols

ARP
MAC addresses are 48 bits. IP addresses are 32 bits. How does a host find the MAC that goes with an IP?
ARP to the rescue: resolves IP to MAC.
Simple two-frame conversation: broadcast question, unicast response.
Replies are kept in a cache to reduce the number of broadcasts.
Cache entries time out because addresses do change (20 minutes is a common default).
Address Resolution Protocol: RFC 826
ARP format (bit positions 0, 8, 16, 24, 31)
| hardware type (16)                | protocol type (16)              |
| HA length (8) | PA length (8)     | operation (16)                  |
| sender MAC address (bytes 0-3)                                      |
| sender MAC address (bytes 4-5)    | sender IP address (bytes 0-1)   |
| sender IP address (bytes 2-3)     | target MAC address (bytes 0-1)  |
| target MAC address (bytes 2-5)                                      |
| target IP address (bytes 0-3)                                       |
operation: 1 = ARP request, 2 = ARP reply
ARP operation (diagram)
Host 1.1.1.1 broadcasts "who-has 1.1.1.2?"; host 1.1.1.2 answers with a unicast "1.1.1.2 is-at 00:11:22:33:44:55".
ARP conversations
Normal: B saves A's ARP info in its cache, ready for replies. Other machines on the same subnet also save A's mapping, because the request was broadcast to them too.
00:80:c8:f8:4a:51 ff:ff:ff:ff:ff:ff: arp who-has 192.168.99.254 tell 192.168.99.35
00:80:c8:f8:5c:73 00:80:c8:f8:4a:51: arp reply 192.168.99.254 is-at 00:80:c8:f8:5c:73
Gratuitous (the deck's term for it): a reply sent before a host is asked, often addressed to an upstream router or load-balancing device so that its cache is updated, for example when a standby takes over an address.
arp reply 192.168.99.35 is-at 0:80:c8:f8:4a:51 (0:80:c8:f8:4a:51)
Unsolicited: broadcast by the host owning an IP address, usually at boot time, with its own address as both sender and target. Most tools and later references call this the gratuitous ARP. Also good for detecting duplicate IP addresses: if anybody answers, somebody else already has the address.
00:80:c8:f8:4a:51 ff:ff:ff:ff:ff:ff: arp who-has 192.168.99.35 tell 192.168.99.35
ARP security issues
ARP spoofing
• ARP replies are honored and cached, whether normal or gratuitous; most stacks never check that a reply answers a request they actually sent.
• An attacker can poison a host's ARP cache with spoofed entries to force redirection of its traffic through the attacker's machine.
• Proxy ARP (routers) does this legitimately.
MAC flooding (the deck's "ARP flooding": how to turn a switch into a hub)
• Fill the switch's forwarding table (CAM table) with frames carrying bogus source MAC addresses so the real mappings are evicted or can no longer be learned.
• The switch will then flood all ports with all traffic, since it doesn't know where the hosts are.
ARP Man In The Middle attack (diagram)
Hosts 1.1.1.1 and 1.1.1.2 exchange the normal "who-has 1.1.1.2?" and "1.1.1.2 is-at 00:11:22:33:44:55". The attacker, MAC 99:88:77:66:55:44, then sends two unsolicited replies:
  to 1.1.1.1: "1.1.1.2 is-at 99:88:77:66:55:44"
  to 1.1.1.2: "1.1.1.1 is-at 99:88:77:66:55:44"
Both caches now point at the attacker, who forwards the traffic between the two victims and can read or modify it in transit.
ARP defenses
None built into the protocol.
arpwatch: a monitoring tool that records IP-to-MAC pairings and reports changes. It must see everything, so all traffic has to be mirrored to the one switch port it listens on.
Switch features:
• Allow only one MAC address per port (port security). Stops people from using hubs, unless they steal MAC+IP from another machine...
• Compare ARP requests and replies to other mapping information acquired from DHCP servers, DHCP snooping, or manual configuration (avoid the manual kind; it does not scale). Switch vendors call this dynamic ARP inspection.
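To make the monitoring idea concrete, here is an added example in Python (not code from the deck, and not arpwatch's code): a parser for ARP frames in the RFC 826 layout above, and a small monitor that learns IP-to-MAC pairings the way arpwatch does from a mirror port and reports unsolicited replies and changed bindings. The frames in demo() are constructed to match the tcpdump lines above; the attacker MAC 99:88:77:66:55:44 is the one from the man-in-the-middle slide.

```python
"""ARP frame parser plus an arpwatch-style change monitor (added example)."""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp(frame):
    """Decode an Ethernet II frame carrying an RFC 826 ARP body (28 bytes)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": op,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def build_arp(eth_src, eth_dst, op, sender_mac, sender_ip, target_mac, target_ip):
    """Inverse of parse_arp; used here only to construct the sample frames."""
    def mac(s):
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s):
        return bytes(int(x) for x in s.split("."))

    return (struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))


class ArpMonitor:
    """Learn IP->MAC bindings from every ARP frame seen; report what arpwatch would.

    Requests are remembered so that a later reply can be told apart from one
    nobody asked for. A change of an existing binding is reported whether it
    arrived in a request or a reply, because hosts cache both.
    """

    def __init__(self):
        self.table = {}        # ip -> mac as currently believed
        self.pending = set()   # target ips of requests still awaiting a reply

    def observe(self, frame):
        a = parse_arp(frame)
        alerts = []
        if a["op"] == ARP_REQUEST:
            self.pending.add(a["target_ip"])
            if a["sender_ip"] == a["target_ip"]:
                alerts.append(f"probe: {a['sender_ip']} checks for a duplicate of itself")
        elif a["sender_ip"] in self.pending:
            self.pending.discard(a["sender_ip"])
        else:
            alerts.append(f"unsolicited reply: {a['sender_ip']} is-at {a['sender_mac']}")
        ip, mac = a["sender_ip"], a["sender_mac"]
        old = self.table.get(ip)
        if old is not None and old != mac:
            alerts.append(f"changed: {ip} was {old}, now {mac}")
        self.table[ip] = mac
        return alerts


def demo():
    """Replay the deck's normal exchange, then a poisoning reply from the attacker."""
    mon = ArpMonitor()
    frames = [
        build_arp("00:80:c8:f8:4a:51", BROADCAST, ARP_REQUEST,
                  "00:80:c8:f8:4a:51", "192.168.99.35",
                  "00:00:00:00:00:00", "192.168.99.254"),
        build_arp("00:80:c8:f8:5c:73", "00:80:c8:f8:4a:51", ARP_REPLY,
                  "00:80:c8:f8:5c:73", "192.168.99.254",
                  "00:80:c8:f8:4a:51", "192.168.99.35"),
        # Constructed attacker frame: claims the gateway address although nobody asked.
        build_arp("99:88:77:66:55:44", "00:80:c8:f8:4a:51", ARP_REPLY,
                  "99:88:77:66:55:44", "192.168.99.254",
                  "00:80:c8:f8:4a:51", "192.168.99.35"),
    ]
    return [mon.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(demo(), 1):
        print(f"frame {i}: {alerts or 'ok'}")
```

The third frame produces two alerts at once: it was unsolicited, and it moved 192.168.99.254 to a different MAC. Port security on the switch would not have caught it, since the attacker used its own MAC; only a comparison against what the network previously believed (or against DHCP snooping data) does.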
Network Layer Protocols

IP
IP is a lousy network protocol!
• Unreliable: no delivery guarantees. An ICMP message goes back to the source when a router or host notices that delivery failed; a packet that simply vanishes produces nothing.
• Connectionless: no state is maintained; datagrams are routed independently and in no particular order.
• Best-effort: packets are not dropped capriciously, but they are dropped.
IP has one job: to route datagrams. It relies on the transport layer for improvements; hosts must implement error detection, correction and recovery.
Internet Protocol: RFC 791
IP format (bit positions 0, 8, 16, 24, 31)
| version (4) | header length (4) | type of service (8) | datagram length (16) |
| identification (16)                  | flags (3) | fragment offset (13)     |
| time to live (8) | next protocol (8) | header checksum (16)                 |
| source IP address (32)                                                      |
| destination IP address (32)                                                 |
| options, if any (variable length)                        | (padding)        |
version: 4
TOS: differentiated services code points (no guarantee of honoring)
datagram length, ID, flags, offset: for fragmentation (examined later)
TTL: max. hops through the network, decremented by each router; the deck says usually 32, but common stack defaults are 64 (BSD, Linux) and 128 (Windows)
next protocol: TCP, 6 | UDP, 17 | ICMP, 1 | IPsec AH, 51 | IPsec ESP, 50
header checksum: 16-bit one's complement of the one's-complement sum over the header only (not the data)
options: restrictions, record route, record timestamp, source routing
IP routing
Two types of network nodes:
• Hosts: don't forward datagrams between interfaces
• Routers: do forward datagrams between interfaces
Hosts can be routers if appropriate software is installed and enabled. This presents security risks: a multi-homed host with forwarding left on quietly joins two networks the firewall was meant to keep apart.
IP routing operation (diagram)
Hosts 1.1.1.1 through 1.1.1.5 share network 1.1.1.0/24 with router 1.1.1.254. A datagram for 1.1.1.5 is delivered directly on the local network. A datagram for 9.8.7.6 goes to the router, which asks "is it to my IP?", searches its routing table, decrements the TTL and forwards it. Every host asks the same "is it to my IP?" question about each datagram it receives.
Basic routing algorithm
Extract destination address D from datagram
Compute network prefix N
If N matches any directly-connected network address
    Deliver datagram to D over that network
Else if routing table contains a host-specific route for D
    Send datagram to next hop specified in table
Else if routing table contains a route for N
    Send datagram to next hop specified in table
Else if routing table contains a default route
    Send datagram to default router specified in table
Else declare a routing error
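The algorithm above, as an added Python example (not code from the deck or from any real stack). The routing table, its next-hop addresses and the 10/8 and 10.1/16 routes are constructed for illustration; the 1.1.1.0/24 network and router 1.1.1.254 are the ones in the slide's diagram. It goes one step beyond the slide in that when several network routes contain the destination, the most specific prefix wins, which is what real routers do; forward() adds the host-versus-router and TTL checks from the diagram.

```python
"""The deck's routing decision as code (added example, not from the deck)."""
import ipaddress


def build_table():
    """Constructed routing table for a node on 1.1.1.0/24 with router 1.1.1.254.
    The host-specific route, the 10/8 and 10.1/16 routes and their next hops
    are assumptions made for the example."""
    return {
        "connected": [ipaddress.ip_network("1.1.1.0/24")],
        "host_routes": {ipaddress.ip_address("9.9.9.9"): ipaddress.ip_address("1.1.1.253")},
        "net_routes": [(ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_address("1.1.1.252")),
                       (ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_address("1.1.1.251"))],
        "default": ipaddress.ip_address("1.1.1.254"),
    }


def route(table, dst):
    """Return (how, next_hop) following the slide's order of checks.

    how is 'direct', 'host', 'network', 'default' or 'error'. For 'direct'
    the next hop is the destination itself (ARP for it on the attached link).
    """
    d = ipaddress.ip_address(dst)
    for net in table["connected"]:
        if d in net:
            return "direct", d
    if d in table["host_routes"]:
        return "host", table["host_routes"][d]
    matches = [(net, nh) for net, nh in table["net_routes"] if d in net]
    if matches:
        # Several prefixes may contain d; the most specific (longest) one wins.
        net, nh = max(matches, key=lambda m: m[0].prefixlen)
        return "network", nh
    if table.get("default") is not None:
        return "default", table["default"]
    return "error", None


def forward(table, dst, ttl, is_router):
    """What a node does with a datagram that is not addressed to itself."""
    if not is_router:
        return "drop", None                   # hosts never forward
    if ttl <= 1:
        return "icmp-time-exceeded", None     # TTL would reach 0 after decrement
    return route(table, dst)


if __name__ == "__main__":
    t = build_table()
    for dst in ("1.1.1.5", "9.9.9.9", "10.1.2.3", "10.2.2.2", "9.8.7.6"):
        print(dst, *route(t, dst))
```

10.1.2.3 matches both 10.0.0.0/8 and 10.1.0.0/16 and is sent to 1.1.1.251; 10.2.2.2 matches only 10/8 and goes to 1.1.1.252. Removing the default route turns 9.8.7.6 into a routing error, which on a real host surfaces as "network unreachable".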
Route processing (diagram)
Data flow inside the IP layer: datagrams arrive from the network interfaces into the IP input queue. IP asks "our packet (one of our IP addresses, or broadcast)?" If yes, it processes the IP options and hands the payload up to TCP, UDP or ICMP. If no, and forwarding is enabled, it forwards: IP output calculates the next-hop router (if necessary) from the routing table and sends the datagram back out through an interface. The routing table is maintained by the routing daemon and the route command, read with the netstat command, and updated by ICMP redirects; source routing bypasses the normal table lookup.
IP security issues
Mostly involve spoofed addresses. Addresses are unsigned and unencrypted in the headers; therefore they are unreliable identifiers.
Spoofing is not useful for hiding your own IP address (the replies go to the forged address, not to you). It is useful for:
• Misdirecting connections ("MITM")
• Source routing
• Denial-of-service attacks ("flooding")
• Network attacks that don't need to see responses ("blind spoofing")

IP checksum is not security
Intended for error detection only: A computes the checksum and adds it to the header; B computes it and compares to the included sum; if they mismatch, B silently drops the datagram.
Attacker: intercepts the datagram, spoofs the addresses, computes a new checksum. Nothing in IP notices the change.

Denial-of-service attacks: let's wait until we talk about ICMP...
Source routing (diagram)
The attacker sends a datagram with SA: <doesn't matter>, DA: 10.0.0.1, SR: via 131.107.0.254. The source route option makes the border router 131.107.0.254 pass the datagram on to the internal router 10.0.0.254 and so to 10.0.0.1, a private address that is not otherwise reachable from outside. A host that honors the option answers along the reversed route, so the attacker sees replies even though the source address is forged.
IP fragmentation
Some payloads might exceed the physical frame size (MTU). IP will fragment the data if necessary; fragments are reassembled only at the destination.
• Transparent to the transport layer
• Each fragment is a separate datagram: (possibly) independently routed, no delivery order guarantee, one could get lost
• If one is lost, the destination cannot reassemble and the whole datagram must be retransmitted (by the transport layer or the application; IP itself never retransmits)
IP format: fragmentation fields
Same header as above; the fields that matter here:
ID: unique for each datagram; copied into each fragment
flag 1: "more fragments"; off in the final fragment
flag 2: "don't fragment"; if set and the datagram would need fragmenting, IP discards it and returns an ICMP error (destination unreachable, "fragmentation needed")
offset: position of this fragment's data from the beginning of the original datagram, in 8-byte multiples
length: of this fragment only
Fragmentation example (diagram)
Original datagram (1501 bytes, one too many for a 1500-byte MTU): IP header (20 bytes) + UDP header (8 bytes) + payload (1473 bytes)
Fragment 1 (1500 bytes): IP header (20 bytes) + UDP header (8 bytes) + payload (1472 bytes)
Fragment 2 (21 bytes): IP header (20 bytes) + payload (1 byte)
Note no TCP/UDP header in the second fragment! Many firewalls will allow fragments through because there are no ports to match on... hmm!
Fragmentation example (tcpdump)
A.1234 > B.500: udp 1473 (frag 26304:1480@0+)
A > B: (frag 26304:1@1480)
Reading the lines: the frame would be 1501 bytes, so IP must fragment. 26304 is the identification field. 1480 = 1472 (payload) + 8 (UDP header). "@0" is offset 0, the beginning; "+" means more fragments follow. The second line has no port info because the fragment carries no UDP header; "1@1480" is 1 byte at byte offset 1480.
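An added Python example (not code from the deck) that ties the header format, the checksum and the fragmentation slides together: it builds a 20-byte IPv4 header, verifies the header checksum the way a receiver does, fragments a datagram to an MTU, reassembles the fragments, and shows the attacker's move of rewriting the source and recomputing the checksum. demo() constructs the deck's case exactly: a 1473-byte UDP payload from port 1234 to port 500 with ID 26304 and a 1500-byte MTU; the addresses 10.0.0.1 and 10.0.0.2 are assumptions.

```python
"""IPv4 header handling, fragmentation and reassembly (added example)."""
import struct


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; error detection only."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident, ttl=64, flags=0, offset=0):
    """20-byte header without options. flags: 2 = DF, 1 = MF; offset in bytes."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident,
                      (flags << 13) | (offset // 8), ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Return the header fields and payload; raise if the header checksum is bad."""
    (vihl, tos, total, ident, fo, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:          # sum including the stored checksum must be 0
        raise ValueError("bad header checksum: a receiver silently drops this")
    return {"ident": ident, "proto": proto, "ttl": ttl,
            "df": bool(fo & 0x4000), "mf": bool(fo & 0x2000),
            "offset": (fo & 0x1FFF) * 8, "payload": pkt[ihl:total],
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def fragment(pkt, mtu):
    """Split a datagram to fit mtu. Only the first piece carries the L4 header."""
    if len(pkt) <= mtu:
        return [pkt]
    h = parse_ipv4(pkt)
    if h["df"]:
        raise ValueError("DF set: discard and send ICMP type 3 code 4")
    data, chunk = h["payload"], (mtu - 20) // 8 * 8     # offsets must stay 8-aligned
    frags = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        more = 1 if off + chunk < len(data) else 0
        frags.append(build_ipv4(h["src"], h["dst"], h["proto"], piece,
                                h["ident"], h["ttl"], flags=more, offset=off))
    return frags


def reassemble(frags):
    """Rebuild the payload once every fragment has arrived; None if any is missing."""
    parts = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    expected = 0
    for p in parts:
        if p["offset"] != expected:
            return None                    # a gap: fragment lost or still in flight
        expected += len(p["payload"])
    if parts[-1]["mf"]:
        return None                        # last fragment not yet seen
    return b"".join(p["payload"] for p in parts)


def respoof(pkt, new_src):
    """What the attacker on the slide does: rewrite the source, fix the checksum.
    The receiver's check passes, because the checksum only catches accidents."""
    h = parse_ipv4(pkt)
    return build_ipv4(new_src, h["dst"], h["proto"], h["payload"], h["ident"], h["ttl"],
                      flags=(2 if h["df"] else 0) | (1 if h["mf"] else 0), offset=h["offset"])


def demo():
    """The deck's case: 1473 bytes of UDP payload, ports 1234 -> 500, MTU 1500."""
    udp = struct.pack("!HHHH", 1234, 500, 8 + 1473, 0) + b"A" * 1473   # UDP csum 0 = none
    original = build_ipv4("10.0.0.1", "10.0.0.2", 17, udp, ident=26304)
    frags = fragment(original, 1500)
    summary = [(len(f), parse_ipv4(f)["offset"], parse_ipv4(f)["mf"]) for f in frags]
    return len(original), summary, reassemble(frags) == udp


if __name__ == "__main__":
    print(demo())
```

demo() reports the original length 1501, fragments of 1500 bytes at offset 0 with "more fragments" set and 21 bytes at offset 1480 without it, matching the tcpdump lines (1480@0+ and 1@1480), and a successful reassembly. Feed reassemble() only the first fragment and it returns None, which is where the destination would start its reassembly timer and, on expiry, send ICMP time exceeded code 1.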
IP defenses
Nearly all of these attacks can be blocked at the border. Need five rules:
1. Block all inbound where SA is in internal nets (nothing arriving from outside legitimately claims an inside source)
2. Block all outbound where SA is not in internal nets (keeps your own hosts from spoofing others)
3. Block all in/out where SA or DA is in RFC 1918 or APIPA space
4. Block all source-routed datagrams
5. Block all datagram fragments (or reassemble at the border before inspecting; some legitimate traffic fragments, so expect to need an exception)
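The five rules as a small policy check, written in Python as an added example (not code from the deck or from any firewall product). It assumes the internal space is 131.107.0.0/16, the range the source-routing slide uses, and public internal addressing as the deck presumes; behind NAT, rule 3 applies to the outside of the NAT. The sample datagrams in demo() are constructed.

```python
"""The five border rules as a policy function (added example, not from the deck)."""
import ipaddress

# Assumed internal space: the 131.107.0.0/16 range used on the source-routing slide.
INTERNAL = [ipaddress.ip_network("131.107.0.0/16")]
# RFC 1918 private ranges plus APIPA (169.254/16): never valid across the border.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def in_any(addr, nets):
    return any(addr in n for n in nets)


def border_verdict(direction, src, dst, source_routed=False, fragment=False):
    """direction is 'in' (from the Internet) or 'out'. Returns (verdict, rule)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in" and in_any(s, INTERNAL):
        return "drop", "1: inbound with an internal source address (spoofed)"
    if direction == "out" and not in_any(s, INTERNAL):
        return "drop", "2: outbound with a foreign source address (we are spoofing)"
    if in_any(s, PRIVATE) or in_any(d, PRIVATE):
        return "drop", "3: RFC 1918 or APIPA address crossing the border"
    if source_routed:
        return "drop", "4: source-routed datagram"
    if fragment:
        return "drop", "5: fragment (no transport header to inspect)"
    return "accept", "no border rule matched"


def demo():
    """Constructed sample datagrams: (direction, src, dst, source_routed, fragment)."""
    samples = [
        ("in", "131.107.5.5", "131.107.0.10", False, False),   # outsider claiming to be us
        ("out", "10.0.0.7", "9.8.7.6", False, False),           # our host spoofing someone
        ("in", "192.168.1.1", "131.107.0.10", False, False),    # private source from outside
        ("in", "9.8.7.6", "131.107.0.10", True, False),         # the source-routing slide
        ("in", "9.8.7.6", "131.107.0.10", False, True),         # the fragmentation slide
        ("in", "9.8.7.6", "131.107.0.10", False, False),        # ordinary traffic
    ]
    return [border_verdict(*s) for s in samples]


if __name__ == "__main__":
    for verdict, rule in demo():
        print(verdict, rule)
```

Rule order matters: an inbound datagram with a 10/8 source is caught by rule 1 only if 10/8 is your internal space, otherwise by rule 3, so both must be present.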
ICMP
IP's "message delivery" service: reports errors; asks and answers questions.
Encapsulated in IP; messages might need to be routed; considered a network layer protocol.
Error reports always include the IP header of the error-causing datagram plus the first 64 bits (8 bytes) of its payload. That helps determine which protocol and application caused the error: for TCP and UDP those 8 bytes contain both port numbers.
Internet Control Message Protocol: RFC 792
ICMP format (bit positions 0, 8, 16, 24, 31)
| type (8) | code (8) | checksum (16) |
| content (variable length; depends on type and code) |
type: message type
code: sub-message type
ICMP messages
Query messages (all code 0):
  type 0   echo reply
  type 8   echo request
  type 9   router advertisement
  type 10  router solicitation
  type 13  timestamp request
  type 14  timestamp reply
  type 15  information request (obsolete)
  type 16  information reply (obsolete)
  type 17  address mask request
  type 18  address mask reply
Error messages:
  type 3   destination unreachable
    code 0   network unreachable
    code 1   host unreachable
    code 2   protocol unreachable
    code 3   port unreachable
    code 4   fragmentation needed but don't-fragment bit is set
    code 5   source route failed
    code 6   destination network unknown
    code 7   destination host unknown
    code 8   source host isolated (obsolete)
    code 9   destination network administratively prohibited
    code 10  destination host administratively prohibited
    code 11  network unreachable for DiffServ
    code 12  host unreachable for DiffServ
    code 13  communication administratively prohibited by filtering
    code 14  host precedence violation
    code 15  precedence cutoff in effect
  type 4   code 0  source quench
  type 5   redirect
    code 0   for network
    code 1   for host
    code 2   for DiffServ and network
    code 3   for DiffServ and host
  type 11  time exceeded
    code 0   TTL = 0 during transit
    code 1   TTL = 0 during reassembly (reassembly timer expired)
  type 12  parameter problem
    code 0   IP header bad (catchall error)
    code 1   required option missing
ICMP echo (bit positions 0, 8, 16, 24, 31)
| type (8) | code (8) | checksum (16) |
| identifier (16) | sequence number (16) |
| optional data (variable length) |
type: 8 = request, 0 = reply
code: 0
identifier, sequence number: for matching replies to requests
data: returned to the sender unchanged
ICMP reconnaissance attacks
"Port unreachable" (type 3, code 3) in answer to a UDP probe = port closed; silence suggests open or filtered.
"Host unreachable" = host doesn't exist. The error replies draw the attacker a map of your network.
ICMP redirect attacks
Redirects advise hosts of better routes. They are difficult to spoof against a well-behaved stack:
• Can come only from the host's existing default gateway
• Must be tied to an existing connection (the quoted header has to match a datagram the host really sent)
• Can't be used for unsolicited route table updates
Redirects generally aren't used; best to block them. Useful only on LANs with multiple gateways to the Internet.
ICMP DoS attacks
Ping attacks: a forged source address creates havoc when the replies arrive at the host whose address was forged.
Unreachable attacks: forged "destination unreachable" messages can be used to reset existing connections; on a host the attacker controls, netstat gives everything necessary (addresses and ports) to generate them.
DDoS constellation ("smurf" variant, diagram): the attacker sends an echo request to a network's broadcast address with the victim's address as source ("Wake up!", "Ping!"); every host on that network answers the victim ("Reply!"), which is buried under the amplified replies.
ICMP scanning
ICMP's implementation-specific responses to certain queries help attackers learn about a network, down to the operating systems in use. Ofir Arkin's work:
http://www.sys-security.com/html/projects/icmp.html
http://www.sys-security.com/html/projects/X.html
ICMP defenses
Limit which ICMP types and codes you allow into your network. Avoid those which are little used and have better alternatives: redirects, router solicitations and advertisements, timestamps.
Don't permit "unreachable" messages outside your border; let the absence of a reply imply a problem. One exception is worth keeping: type 3 code 4 ("fragmentation needed"), which path MTU discovery depends on; drop it and connections that need smaller packets silently hang.
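An added Python example (not code from the deck) covering the ICMP format and echo slides, the "error reports quote the original header" point, and the inbound/outbound filtering advice above. It builds an echo request with a correct checksum, decodes a destination-unreachable message back to the protocol and ports that triggered it, and applies a type filter. The inbound allow-list is an assumption made for the example (the deck names what to drop, not the exact set to keep); the port-unreachable message in demo() is constructed, including the quoted IP header, whose own checksum is left zero.

```python
"""ICMP building, decoding and filtering (added example, not from the deck)."""
import struct


def checksum(data):
    """RFC 1071 one's-complement sum; the same algorithm IP, UDP and TCP use."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def icmp_echo(ident, seq, data=b"", reply=False):
    """Type 8 request or type 0 reply, code 0; ident/seq let the sender match them."""
    msg = struct.pack("!BBHHH", 0 if reply else 8, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def parse_icmp(msg):
    """Decode a message; for error types, recover who caused it from the quoted header."""
    if checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    out = {"type": msg[0], "code": msg[1]}
    if out["type"] in (0, 8):
        out["id"], out["seq"] = struct.unpack("!HH", msg[4:8])
        out["data"] = msg[8:]
    elif out["type"] in (3, 4, 5, 11, 12):
        inner = msg[8:]                  # original IP header + first 8 bytes of its payload
        ihl = (inner[0] & 0x0F) * 4
        out["orig_src"] = ".".join(map(str, inner[12:16]))
        out["orig_dst"] = ".".join(map(str, inner[16:20]))
        out["orig_proto"] = inner[9]
        if out["orig_proto"] in (6, 17):   # TCP and UDP put both ports in those 8 bytes
            out["orig_sport"], out["orig_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return out


# Inbound allow-list following the slide: keep what error handling needs (echo reply,
# destination unreachable, time exceeded, parameter problem); drop redirect (5),
# router advertisement/solicitation (9, 10), timestamps (13, 14), information (15, 16)
# and address mask (17, 18). Echo request (8) is left out; that is a local policy
# choice and an assumption of this example.
ALLOW_INBOUND = {0, 3, 11, 12}


def admit_inbound(typ, code=0):
    return typ in ALLOW_INBOUND


def admit_outbound(typ, code=0):
    """Don't let 'unreachable' out: silence tells an outside scanner less."""
    return typ != 3


def demo():
    """Decode a constructed port-unreachable (3/3) answering a UDP probe to port 161."""
    inner_ip = (bytes.fromhex("45000021000040004011") + b"\x00\x00"   # v4, len 33, DF, TTL 64, UDP
                + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))        # header checksum left zero
    inner_udp = struct.pack("!HHHH", 40000, 161, 13, 0)                 # sport, dport, len, csum
    err = struct.pack("!BBHI", 3, 3, 0, 0) + inner_ip + inner_udp
    err = err[:2] + struct.pack("!H", checksum(err)) + err[4:]
    return parse_icmp(err)


if __name__ == "__main__":
    print(demo())
    print(parse_icmp(icmp_echo(0x1234, 1, b"hello")))
```

demo() recovers that the error was caused by a UDP datagram from 10.0.0.1:40000 to 10.0.0.2:161, which is exactly what a stack needs to deliver the error to the right socket and exactly what a scanner reads to learn that port 161 is closed. The same decoding also applies to redirects and time-exceeded messages, which is how a receiver checks that the quoted header matches something it actually sent.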
Transport Layer Protocols

UDP
Datagram-oriented, vs. TCP's stream orientation (later).
No transport reliability: no delivery guarantees. Some applications work better with app-level error handling.
User Datagram Protocol: RFC 768
UDP format (bit positions 0, 8, 16, 24, 31)
| source port (16) | destination port (16) |
| length (16) | checksum (16) |
| data (variable length) |
checksum: computed over a pseudo-header (source and destination IP addresses, protocol number, UDP length) and the entire UDP packet (header and data); optional in IPv4, where a zero means "not computed"
UDP app responsibilities
• Handle all error detection and correction
• Understand the size of the underlying MTU to avoid packet fragmentation
• Recover from out-of-order delivery
• Track communications state between peers

UDP security issues
Streaming media and VoIP often use dynamic ports. Lack of a connection makes it difficult to determine flows; a firewall has to infer them from address/port pairs and age them out by timeout.
Port loopback attack ("pingpong", diagram): the attacker spoofs one datagram from A:19/udp (chargen) to B:7/udp (echo). B echoes it back to A's chargen port, chargen answers with more characters, echo returns them, and the two services ping-pong forever, burning CPU and bandwidth on both hosts.

UDP defenses
Use application-aware proxies to improve security.
Don't expose applications that you don't need: echo, daytime, chargen.
TCP
Connection-oriented, reliable, full-duplex byte stream transport service. Many decisions are made by the protocol, not the applications:
• Segment size (amount of data per packet)
• Acknowledgement of packet receipt
• Retransmittal of unacknowledged packets
• Resequencing of out-of-order packets
• Flow control
Transmission Control Protocol: RFC 793
TCP format (bit positions 0, 8, 16, 24, 31)
| source port (16) | destination port (16) |
| sequence number (32) |
| acknowledgement number (32) |
| header length (4) | reserved (6) | flags (6) | window size (16) |
| checksum (16) | urgent pointer (16) |
| options (if any) (variable length) |
| data (variable length) |
seq/ack numbers: track session state; indicate which byte we're on
flags: urgent | acknowledge | push | reset | synchronize | finish
window size: flow control
checksum: computed over a pseudo-header (source and destination IP addresses, protocol number, length) and the entire TCP packet (header and data)
TCP connection establishment ("three-way handshake")
1. A sends packet to B with: SYN set; destination port number; A's ISN (initial sequence number)
2. B sends packet to A with: SYN set; B's ISN; ACK = A's ISN + 1
3. A sends packet to B with: ACK = B's ISN + 1

TCP connection establishment (tcpdump)
A.1037 > B.23: S 1415531521:1415531521(0) win 4096 <mss 1024>
B.23 > A.1037: S 1823083521:1823083521(0) ack 1415531522 win 4096 <mss 1024>
A.1037 > B.23: . ack 1823083522 win 4096
The first ack is A's sequence number + 1; the second is B's sequence number + 1. A SYN consumes one sequence number even though it carries no data.
TCP connection termination ("four-way close")
1. A sends packet to B with: FIN set; A's next sequence number
2. B sends packet to A with: ACK = sequence number of A's FIN + 1
3. B sends packet to A with: FIN set; B's next sequence number
4. A sends packet to B with: ACK = sequence number of B's FIN + 1
Each direction is closed independently, and B may still send data between steps 2 and 3 (half-close). Like a SYN, a FIN consumes one sequence number.

TCP connection termination (tcpdump)
A.1037 > B.23: F 1415531522:1415531522(0) ack 1823083522 win 4096
B.23 > A.1037: . ack 1415531523 win 4096
B.23 > A.1037: F 1823083522:1823083522(0) ack 1415531523 win 4096
A.1037 > B.23: . ack 1823083523 win 4096
TCP connection reset
B sends packet to A with: RST set; B's next sequence number; ACK = A's sequence number + 1 (when answering a SYN).
An immediate "go away": never acknowledged. A receiver accepts a reset only if its sequence number falls inside the current window, which is what turns forged resets into a sequence-number guessing game.
MSS (maximum segment size)
Largest "chunk" of data TCP sends. Each side announces its MSS in its SYN; the lower of the two is used. Can go as high as 1460 on Ethernet:
Ethernet frame payload (IP): 1500 bytes
IP datagram payload (TCP): 1480 bytes (1500 minus the 20-byte IP header)
TCP packet payload (data): 1460 bytes (1480 minus the 20-byte TCP header)
Total Ethernet frame on the wire: 1518 bytes (14-byte header + 1500 + 4-byte FCS)
TCP security issues
SYN flooding: consume memory with many half-open connections; the server keeps state for every SYN it answered while the final ACK never arrives.
Session hijacking, by way of: source-routed packets; sniffing; predictable sequence numbers.

Sequence number prediction (diagram)
1. A normal handshake (SYN, ISN A; SYN, ISN B, ACK A) shows how B chooses ISNs; the attacker E learns the pattern from a connection of its own.
2. E sends B a SYN with ISN E and source = A (spoofed).
3. B answers A with SYN, ISN B', ACK E. The real A never sent a SYN, so it replies "Huh? RST"; E has to keep A quiet (flood it, or wait until it is down) so that reset never reaches B.
4. E sends B an ACK of B' (predicted!) with source = A. If the guess is right, B considers the connection open and E can send commands as A without ever seeing a single reply.
TCP defenses
• Better sequence number generation: random, or cryptographic (a keyed hash of the addresses and ports plus a secret, the scheme RFC 1948 describes)
• Changes to implementations: don't allocate resources until the open completes (SYN cookies are the well-known form)
• Router rules to block spoofed packets: TCP attacks are almost always spoofed, so the five IP border rules stop most of them
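To make the sequence arithmetic and the prediction attack visible, here is an added Python example (not code from the deck or from any TCP stack): a two-endpoint model that walks the three-way handshake and the four-way close from the slides, printing tcpdump-style lines that reproduce the deck's traces exactly (ISNs 1415531521 and 1823083521, ports 1037 and 23, MSS 1024), and then plays the blind spoofer E against two versions of B. B's weak "ISN + 64000 per connection" policy and the ISN values for E and the random B are constructed for the example.

```python
"""A two-endpoint TCP model (added example, not from the deck): handshake,
four-way close, and why ISN prediction matters for a blind spoofer."""


class Endpoint:
    """One side of a connection: name, port and the two sequence counters."""

    def __init__(self, name, port, isn):
        self.name, self.port = name, port
        self.snd_nxt = isn      # sequence number of the next byte we send
        self.rcv_nxt = None     # sequence number we expect next from the peer
        self.state = "CLOSED"

    def addr(self):
        return f"{self.name}.{self.port}"


def seg(src, dst, flags, seq=None, ack=None, win=4096, mss=None):
    """Render a segment the way tcpdump does (no data, so seq:seq(0))."""
    s = f"{src.addr()} > {dst.addr()}: " + ("." if flags == "." else f"{flags} {seq}:{seq}(0)")
    if ack is not None:
        s += f" ack {ack}"
    s += f" win {win}"
    return s + (f" <mss {mss}>" if mss else "")


def send_syn(a, b):
    """Step 1: A's SYN carries A's ISN; the SYN itself consumes one sequence number."""
    line = seg(a, b, "S", a.snd_nxt, mss=1024)
    a.state, b.state = "SYN_SENT", "SYN_RCVD"
    b.rcv_nxt, a.snd_nxt = a.snd_nxt + 1, a.snd_nxt + 1
    return line


def send_synack(b, a):
    """Step 2: B's SYN carries B's ISN and acknowledges A's ISN + 1."""
    line = seg(b, a, "S", b.snd_nxt, b.rcv_nxt, mss=1024)
    a.rcv_nxt = b.snd_nxt + 1     # only whoever receives this learns B's ISN
    b.snd_nxt += 1
    return line


def recv_third_ack(b, ack):
    """Step 3 at B: accept only an ACK of exactly B's ISN + 1."""
    if b.state != "SYN_RCVD" or ack != b.snd_nxt:
        return False
    b.state = "ESTABLISHED"
    return True


def handshake(a, b):
    lines = [send_syn(a, b), send_synack(b, a)]
    if not recv_third_ack(b, a.rcv_nxt):
        raise RuntimeError("handshake failed")
    a.state = "ESTABLISHED"
    return lines + [seg(a, b, ".", ack=a.rcv_nxt)]


def close(a, b):
    """Four-way close; each FIN consumes one sequence number like a SYN."""
    lines = [seg(a, b, "F", a.snd_nxt, a.rcv_nxt)]
    b.rcv_nxt, a.snd_nxt = a.snd_nxt + 1, a.snd_nxt + 1
    a.state = "FIN_WAIT_1"
    lines.append(seg(b, a, ".", ack=b.rcv_nxt))
    a.state, b.state = "FIN_WAIT_2", "CLOSE_WAIT"   # B may still send data here
    lines.append(seg(b, a, "F", b.snd_nxt, b.rcv_nxt))
    a.rcv_nxt, b.snd_nxt = b.snd_nxt + 1, b.snd_nxt + 1
    b.state = "LAST_ACK"
    lines.append(seg(a, b, ".", ack=a.rcv_nxt))
    a.state, b.state = "TIME_WAIT", "CLOSED"
    return lines


def blind_spoof(b, forged_a, guess):
    """Attacker E sends a SYN as A, never sees B's SYN/ACK (it goes to the real A,
    which must be kept from answering RST), and completes the open only if its
    guess equals B's ISN + 1."""
    send_syn(forged_a, b)
    send_synack(b, forged_a)          # on the wire this reaches A, not E
    return recv_third_ack(b, guess)


def demo():
    a, b = Endpoint("A", 1037, 1415531521), Endpoint("B", 23, 1823083521)
    lines = handshake(a, b) + close(a, b)
    # Constructed weak ISN policy: B adds 64000 per connection, so an attacker who
    # saw 1823083521 on its own earlier connection can predict the next ISN.
    b_weak = Endpoint("B", 23, 1823083521 + 64000)
    predicted = blind_spoof(b_weak, Endpoint("A", 1038, 99), 1823083521 + 64000 + 1)
    b_random = Endpoint("B", 23, 3000000000)   # random ISN: the same guess is stale
    failed = blind_spoof(b_random, Endpoint("A", 1039, 99), 1823083521 + 64000 + 1)
    return lines, predicted, failed


if __name__ == "__main__":
    lines, predicted, failed = demo()
    print("\n".join(lines))
    print("blind open with predictable ISN:", predicted, "| with random ISN:", failed)
```

The seven printed lines are the deck's two tcpdump traces. The blind open succeeds against the predictable B and fails against the random one, which leaves b_random sitting in SYN_RCVD: exactly the half-open state a SYN flood piles up, and the reason the defenses above pair random ISNs with not allocating resources until the third segment arrives.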
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Steve Riley, [email protected]