CT-541 Network Security TCP/IP Security

Academic year: 2022


(1)

CT-541 Network Security TCP/IP Security

Lecture 2/3/4

Dr. Muhammad Mubashir Khan

[email protected]

December 2017

(2)

OSI Model

A conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to their underlying internal structure and technology.

OSI layers:

7. Application layer
6. Presentation layer
5. Session layer
4. Transport layer
3. Network layer
2. Data link layer
1. Physical layer

TCP/IP Layers:

Layer 4: Application Layer
Layer 3: Transport Layer
Layer 2: Internet Layer
Layer 1: Link Layer

(3)

TCP/IP

• Set of communications protocols used on the Internet and similar computer networks

• Commonly known as TCP/IP because TCP and IP are its two main protocols

• Provides end-to-end data communication specifying how data should be packetized, addressed, transmitted, routed and received.

• Organized into four abstraction layers

Encapsulation of application data descending through the layers described in RFC 1122

(4)
(5)

Link Layer: TCP/IP Layer 1

• Corresponds to OSI Layer 1 and 2

• The link layer has the networking scope of the local network connection to which a host is attached.

• The data link layer provides the functional and procedural means to transfer data between network entities and might provide the means to detect and possibly correct errors that may occur in the physical layer.

• Performs data link functions such as adding a packet header to prepare it for transmission, then actually transmits the frame over a physical medium.

• Main Protocols: ARP, PPP, OSPF, MAC (Ethernet, DSL, ISDN)…

• Translation of IP addresses to data link (MAC) addresses is performed using ARP at this layer.

(6)

Internet Layer: TCP/IP Layer 2

• Responsible for sending packets across potentially multiple networks.

Routing is performed at this layer: Sending data from the source network to the destination network

Main protocols: IP (IPv4, IPv6), ICMP, IPSec etc.

IP performs:

1. Host Addressing & Identification

2. Packet Routing (from one network router to another)

ICMP is used by routers to send error messages, for example, that

– a requested service is not available or

– a host or router could not be reached

(7)

Transport layer: TCP/IP Layer 3

• Provides end-to-end services that are independent of the structure of user data and the logistics of exchanging information for any particular specific purpose.

• End-to-end message transmission is either connection-oriented, implemented in TCP, or connectionless, implemented in UDP.

• Provides process-specific transmission channels for applications, by establishing the concept of ports.

(8)

Application Layer: TCP/IP Layer 4

• Includes protocols for providing user services or exchanging application data over the network connections established by the lower-level protocols

Important Protocols: HTTP, SMTP, FTP, …

• Data coded according to application layer protocols are encapsulated into transport layer protocol units (such as TCP or UDP messages), which in turn use lower layer protocols to effect actual data transfer.

• Corresponds to the 5th, 6th and 7th layers of the OSI Model

Possible Attack: DoS. For example, the attack over-exercises specific functions or features of a website with the intention of disabling those functions or features.

(9)

Exploiting Vulnerabilities in TCP/IP

• ARP Cache Poisoning (Layer 1)

• ICMP Redirect Attack (Layer 2)

• SYN Flooding Attack (Layer 3)

(10)

ARP Spoofing / Cache Poisoning

(11)

ARP Cache Poisoning Attack

ARP (Address Resolution Protocol)

– Resolves the mapping between MAC address and IP address

ARP Cache: Once resolved, the mapping is cached and there is no need to repeat ARP

• How it works:

– When another host's IP address is known, and its MAC address is needed, a broadcast packet (ARP request) is sent out on the local network.

– The destination machine with the IP address in the ARP request then responds with an ARP reply, which contains the MAC address for that IP

(12)

ARP Vulnerabilities

• ARP is a stateless protocol

– no information is retained by either sender or receiver.

– Hence, no expectation of acknowledgment

• Network hosts will automatically cache any ARP replies they receive, regardless of whether they requested them.

• Even ARP entries which have not yet expired will be overwritten when a new ARP reply packet is received.

• There is no method in the ARP protocol by which a host can authenticate the peer from which the packet originated.

• This behavior is the vulnerability which allows ARP spoofing or ARP cache poisoning to occur.
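The bullets above list exactly what ARP does not check. The following added example (not part of the lecture or the SEED labs) parses raw ARP replies and applies those missing checks as a host-side monitor: it records which IPs the host actually asked about, flags unsolicited replies, and refuses to overwrite an existing binding instead of silently accepting it as a real cache would. The IP addresses are the lecture's lab addresses; all MACs and the packet bytes are constructed.

```python
import socket
import struct
from dataclasses import dataclass, field

# Ethernet/IPv4 ARP body: htype, ptype, hlen, plen, opcode, sender MAC/IP, target MAC/IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REPLY = 2

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(opcode: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Constructed sample: the 28-byte ARP body (Ethernet frame header omitted)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode, mac_bytes(smac),
                       socket.inet_aton(sip), mac_bytes(tmac), socket.inet_aton(tip))

def parse_arp(body: bytes) -> tuple:
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip)."""
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return op, mac_str(smac), socket.inet_ntoa(sip), mac_str(tmac), socket.inet_ntoa(tip)

@dataclass
class ArpMonitor:
    """Applies the two checks a plain ARP cache never makes: was the reply solicited,
    and does it change a binding we already hold?"""
    cache: dict = field(default_factory=dict)    # ip -> mac
    pending: set = field(default_factory=set)    # ips this host has asked about
    alerts: list = field(default_factory=list)

    def sent_request(self, ip: str) -> None:
        self.pending.add(ip)

    def observe(self, body: bytes) -> bool:
        """Feed one ARP packet; True if a reply was accepted into the cache."""
        op, smac, sip, _, _ = parse_arp(body)
        if op != ARP_REPLY:
            return False
        solicited = sip in self.pending
        self.pending.discard(sip)
        old = self.cache.get(sip)
        if old is not None and old != smac:
            self.alerts.append(f"binding change for {sip}: {old} -> {smac}")
            return False                          # keep the entry we already have
        if not solicited and old is None:
            self.alerts.append(f"unsolicited reply for {sip} from {smac}")
            return False
        self.cache[sip] = smac
        return True

def demo() -> ArpMonitor:
    """Constructed scenario: VM2 (victim) resolves the gateway, then VM1 (attacker) sends spoofed replies."""
    vm2, gw, vm2_mac = "192.168.181.142", "192.168.181.2", "00:0c:29:aa:bb:42"
    gw_mac, vm1_mac = "00:0c:29:aa:bb:02", "00:0c:29:aa:bb:41"
    m = ArpMonitor()
    m.sent_request(gw)
    m.observe(build_arp(ARP_REPLY, gw_mac, gw, vm2_mac, vm2))     # genuine reply
    m.observe(build_arp(ARP_REPLY, vm1_mac, gw, vm2_mac, vm2))    # scenario 3: gateway IP -> VM1's MAC
    m.observe(build_arp(ARP_REPLY, "00:0a:0a:0a:0a:0a", "192.168.181.199", vm2_mac, vm2))  # scenario 1
    return m
```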

(13)

ARP Cache Poisoning Attack

• Because ARP is stateless, the cache can easily be poisoned by maliciously crafted ARP messages, resulting in the ARP cache poisoning attack

• Also called ARP spoofing or ARP poison routing

• Possible consequences

1. DoS attack against a victim by associating a non-existent MAC address with the IP address of the victim's default gateway

2. Attackers can redirect the traffic to and from the victim to another machine, etc. …

(14)

ARP Cache Poisoning Attack

• Attacker's aim: to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.

(15)

Home work

• Perform a practical demo of ARP cache poisoning on Ubuntu VMs using the Netwox, Netwag and Wireshark tools.

• Write a brief report on it, suggesting possible solutions (existing or maybe your own).

(16)

Attack Scenario 1: Cache Poisoning

Add a non-existent MAC and IP address to the ARP cache

(Figure: VM1 is the attacker; VM2 and VM3 are on the same LAN. VM1 adds a non-existent IP and MAC address pair to the victim's ARP cache.)

(17)

Attack Scenario 2: DoS Attack

Associate a non-existent MAC with an existing IP address

(Figure: VM1 (attacker) associates the IP address of VM3 with a non-existent MAC address in the victim's ARP cache.)

(18)

Attack Scenario 3:

Redirect all traffic between VM2 & VM3 to Attacker Machine

(Figure: VM1 is the attacker; VM2 and VM3 are the victims and ping each other. VM1 associates the IP address of VM3 with VM1's MAC and the IP address of VM2 with VM1's MAC in the respective victims' caches.)

All traffic from VM2 to VM3 and vice versa will go through VM1

(19)

Useful Commands

• To view the ARP cache:

arp

• To poison the ARP cache on machine 10.0.2.5 with a fake MAC (0:a:a:a:a:a) and IP (192.168.181.199):

netwox 72 --ips "10.0.2.5" --device "Eth0" --src-eth 0:a:a:a:a:a --src-ip 192.168.181.199

– (Note: run this command with sudo)

• To enable a machine to forward traffic through itself (set the value of ip_forward to 1):

– Check the value:

sysctl -a | grep net.ipv4.ip_forward

– Set the value:

sysctl -w net.ipv4.ip_forward=1

– Verify the value again:

sysctl -a | grep net.ipv4.ip_forward

(20)

ICMP Redirect Attack

(21)

ICMP

• The Internet Control Message Protocol (ICMP) is one of the main protocols of the TCP/IP at Layer 2.

• It is used by network devices, like routers, to send error messages

– For example, a requested service is not available or a host or router could not be reached.

• ICMP differs from TCP and UDP

– it is not typically used to exchange data between systems,

– it is not regularly employed by end-user network applications (with the exception of some diagnostic tools like ping and traceroute).

The ping utility is implemented using the ICMP "Echo request" and "Echo reply" messages.

(22)

ICMP datagram structure

(Figure: ICMP Header | ICMP Data)

– Checksum: calculated from the ICMP header and data for error checking

– ICMP Data: for error messages, includes the entire IPv4 header plus the first eight bytes of data from the IPv4 packet that caused the error message.

(23)

ICMP Type/Code description

(24)
(25)

Types of ICMP Control Messages

Echo request/reply used by ping utility to test reachability of a host

Source Quench requests that the sender decrease the rate of messages sent to a router or host.

Redirect requests data packets be sent on an alternative route.

Time Exceeded is generated by a gateway to inform the source of a discarded datagram due to the time to live field reaching zero.

Timestamp is used for time synchronization.

Timestamp Reply replies to a Timestamp message.

Address mask request/reply is normally sent by a host to a router in order to obtain an appropriate subnet mask.

Destination unreachable is generated by the host or its inbound gateway to inform the client that the destination is unreachable for some reason.

(26)

ICMP Redirect

Redirect requests data packets be sent on an alternative route.

• ICMP Redirect is a mechanism for routers to convey routing information to hosts.

• The message informs a host to update its routing information (to send packets on an alternative route).

(27)

ICMP Redirect

• If a host tries to send data through a router (R1), and R1 sends the data on to another router (R2), and

– a direct path from the host to R2 is available (that is, the host and R2 are on the same Ethernet segment),

then

– R1 will send a redirect message to inform the host that the best route for the destination is via R2.

– The host should then send packets for the destination directly to R2.

(28)

ICMP Redirect Attacks

• ICMP is also used by routers to provide up-to-date routing information to hosts, which in turn update their routing tables accordingly

Vulnerability: No authentication in ICMP!

– Because of this lack of validation, attackers may trick hosts into modifying their routing table by sending spoofed ICMP messages

• The attacker can send a spoofed ICMP redirect message to a victim, which can cause the victim's routing information to be modified.

• In Linux, the routing information can be displayed using the command route

(29)

ICMP Redirect Attack Model

(30)

Tools for ICMP Redirect Attack

Netwox tool 86 can be used to attack the routing table by associating a new/fake/malicious gateway address with the original route:

netwox 86 --device "Eth0" --filter "src host 192.168.181.142" --gw 192.168.181.141 --code 1 --src-ip 192.168.181.2

– Here VM1 (192.168.181.141) uses Netwox 86 to attack the routing table of VM2 (192.168.181.142) and associates itself as the new gateway, using the original default gateway (192.168.181.2) as the source address of the redirect.

• When an ICMP request packet comes out from VM2, this tool spoofs an ICMP redirect packet from VM3 and sends it to the victim to tell it that the new gateway is VM1.

(31)

Tools for ICMP Redirect Attack

Defense: Ubuntu has a "secure_redirects" mechanism that only accepts ICMP redirect messages for gateways listed in the default gateway list.

– To check the secure redirects status:

sysctl -a | grep secure_redirects

– ICMP redirects are enabled by default on Linux.

• For the lab we need to set secure redirects to 0 on the victim machine (i.e. switch this defense off):

– sysctl -w net.ipv4.conf.all.secure_redirects=0

– sysctl -w net.ipv4.conf.default.secure_redirects=0

– sysctl -w net.ipv4.conf.eth0.secure_redirects=0

– sysctl -w net.ipv4.conf.lo.secure_redirects=0
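To make the secure_redirects rule concrete, here is an added example (not from the lecture or from Netwox) that builds and checksums an ICMP redirect in the layout of the datagram-structure slide, then applies a host policy modelled on the accept_redirects and secure_redirects sysctls. It also shows the rule's limit: the netwox command above sets --src-ip to the real gateway, and a source-address check cannot tell a spoofed source from the genuine one, which is why hosts that never need redirects should disable accept_redirects altogether. The addresses are the lecture's; the offending datagram and the policy function are constructed assumptions, not kernel code.

```python
import ipaddress
import socket
import struct

ICMP_REDIRECT = 5   # codes 0-3: network / host / TOS+network / TOS+host

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_redirect(new_gw: str, offending: bytes, code: int = 1) -> bytes:
    """Constructed sample: 8-byte header (type, code, checksum, gateway address)
    followed by the offending datagram's IP header and its first 8 data bytes."""
    head = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, socket.inet_aton(new_gw))
    csum = icmp_checksum(head + offending)
    return head[:2] + struct.pack("!H", csum) + head[4:] + offending

def parse_redirect(msg: bytes) -> tuple:
    """Verify type and checksum; return (code, new gateway, offending datagram)."""
    typ, code, _, gw = struct.unpack("!BBH4s", msg[:8])
    if typ != ICMP_REDIRECT:
        raise ValueError("not a redirect")
    if icmp_checksum(msg) != 0:              # an intact message sums to zero
        raise ValueError("bad checksum")
    return code, socket.inet_ntoa(gw), msg[8:]

def checksum_ok(msg: bytes) -> bool:
    try:
        parse_redirect(msg)
        return True
    except ValueError:
        return False

def should_accept(outer_src: str, msg: bytes, *, my_ip: str, subnet: str, gateways: set,
                  accept_redirects: bool = True, secure_redirects: bool = True) -> bool:
    """Assumed host policy: accept_redirects=0 ignores redirects entirely;
    secure_redirects only honours a redirect whose IP source is a current gateway."""
    code, new_gw, _ = parse_redirect(msg)
    if not accept_redirects or code > 3:
        return False
    if secure_redirects and outer_src not in gateways:
        return False
    new = ipaddress.ip_address(new_gw)       # the new gateway must be on our own link
    return new in ipaddress.ip_network(subnet) and new_gw != my_ip

def demo() -> dict:
    """Constructed: victim VM2, real gateway .2, attacker VM1 (.141) offered as new gateway."""
    victim = dict(my_ip="192.168.181.142", subnet="192.168.181.0/24", gateways={"192.168.181.2"})
    offending = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                            socket.inet_aton("192.168.181.142"), socket.inet_aton("203.0.113.10")) + bytes(8)
    msg = build_redirect("192.168.181.141", offending)
    tampered = msg[:8] + b"\xff" + msg[9:]   # payload altered after checksumming
    return {
        "spoofed_as_gateway": should_accept("192.168.181.2", msg, **victim),
        "from_other_host": should_accept("192.168.181.143", msg, **victim),
        "secure_off": should_accept("192.168.181.143", msg, secure_redirects=False, **victim),
        "redirects_disabled": should_accept("192.168.181.2", msg, accept_redirects=False, **victim),
        "tampered_rejected": not checksum_ok(tampered),
    }
```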

(32)

Outcome

• ICMP redirect packets are successfully sent to the victim machine VM2 with the message (New nexthop: VM1_ip_address)

• Wireshark could also be used to monitor the situation

(33)

Other ICMP Attacks

Smurf attack: a DDoS attack in which large numbers of ICMP packets (with the intended victim's spoofed source IP) are broadcast to a computer network using an IP broadcast address.

(34)

Other ICMP Attacks

Ping of death: a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer.

• When the target computer reassembles the malformed packet, a buffer overflow can occur, causing a system crash and potentially allowing the injection of malicious code.

(35)

SYN Flooding Attack

(36)

Normal TCP Connection

A normal connection between a user (Alice) and a server.

The three-way handshake is correctly performed as follows:

1. The client requests a connection by sending a SYN (synchronize) message to the server.

2. The server acknowledges this request by sending SYN-ACK back to the client.

3. The client responds with an ACK, and the connection is established.

(37)

SYN Flooding (DoS)

The attacker sends several packets but does not send the "ACK" back to the server.

The connections are hence half-opened and consume server resources.

Alice, a legitimate user, tries to connect but the server refuses to open a connection, resulting in a denial of service.

(38)

SYN Flooding Attack

• Attackers can flood the victim's connection queue that is used for half-opened connections, i.e. the connections that have finished SYN, SYN-ACK, but have not yet got a final ACK back.

• When this queue is full, the victim cannot take any more connections.

• The size of the queue has a system-wide setting.

• The application that uses this queue, for example ftp, can also specify its size.

• In Linux, we can check the system queue size setting using the following command:

sysctl -q net.ipv4.tcp_max_syn_backlog

The default value of the queue size is 1024 for systems with more than 128Mb of memory, and 128 for low-memory machines.

(39)

SYN Flooding Attack

We can use the command "netstat -na" to check the usage of the queue, i.e., the number of half-opened connections associated with a listening port.

• The state for such connections is SYN-RECV.

• If the 3-way handshake is finished, the state of the connection will be ESTABLISHED.

While the attack is ongoing, run the "netstat -na" command on the victim machine, and compare the result with that before the attack.

• You should describe in the report how you know whether the attack is successful or not.

(40)

SYN Cookie Defense

• SYN cookie is a defense mechanism to counter the SYN flooding attack.

• Using SYN cookies allows a server to avoid dropping connections when the SYN queue fills up.

– Instead, the server behaves as if the SYN queue had been enlarged.

– The server sends back the appropriate SYN+ACK response to the client but discards the SYN queue entry.

• If the server then receives a subsequent ACK response from the client, the server is able to reconstruct the SYN queue entry using information encoded in the TCP sequence number.
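As an added illustration (not the lecture's or the kernel's code), the following simplified SYN cookie shows what "reconstruct the SYN queue entry from the sequence number" means: the ISN carries a time counter, an MSS index and a keyed hash of the connection 4-tuple, so the server keeps no state until an ACK carrying a valid cookie arrives. The bit layout and MSS table are assumptions for the example; Linux uses a different layout and hash.

```python
import hashlib
import hmac
import os

# Assumed layout (not the Linux kernel's exact algorithm): 5-bit time counter,
# 3-bit MSS index, 24-bit keyed hash of the connection 4-tuple and the counter.
MSS_TABLE = (536, 1300, 1440, 1460)        # constructed table; index fits in 3 bits
SECRET = os.urandom(16)                     # per-server secret, assumed to rotate rarely

def _hash24(secret: bytes, conn: tuple, t: int) -> int:
    msg = "{}:{}>{}:{}|{}".format(*conn, t).encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(conn: tuple, client_mss: int, t: int, secret: bytes = SECRET) -> int:
    """ISN to put in the SYN+ACK. Everything the server would have queued
    (peer, time, MSS) is folded into this 32-bit number; nothing is stored."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((t & 0x1F) << 27) | (idx << 24) | _hash24(secret, conn, t)

def check_cookie(conn: tuple, ack_num: int, now: int, secret: bytes = SECRET, max_age: int = 2):
    """On the final ACK (which carries ISN+1), rebuild the queue entry from the
    number itself. Returns the negotiated MSS, or None if the cookie is not ours."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t5, idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = (now - t5) & 0x1F                    # counter is stored modulo 32
    if age > max_age:
        return None                            # stale or fabricated timestamp
    if h != _hash24(secret, conn, now - age):  # recover the full counter value
        return None
    return MSS_TABLE[idx]

def demo() -> dict:
    """Constructed exchange: VM2 connects to port 80 on VM3 (lecture addresses)."""
    conn = ("192.168.181.142", 40000, "192.168.181.143", 80)
    isn = make_cookie(conn, client_mss=1460, t=100)
    return {
        "valid": check_cookie(conn, isn + 1, now=101),
        "wrong_peer": check_cookie(("192.168.181.141", 40000) + conn[2:], isn + 1, now=101),
        "tampered": check_cookie(conn, (isn ^ 0x1) + 1, now=101),
        "too_old": check_cookie(conn, isn + 1, now=106),
    }
```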

(41)

Unsuccessful SYN Flooding Attack

• If your attack seems unsuccessful, one thing that you can investigate is whether the SYN cookie mechanism is turned on.

• The mechanism will kick in if the machine detects that it is under a SYN flooding attack.

• You can use the sysctl command to turn the SYN cookie mechanism on/off:

# sysctl -a | grep cookie (display the SYN cookie flag)

# sysctl -w net.ipv4.tcp_syncookies=0 (turn off SYN cookies)

# sysctl -w net.ipv4.tcp_syncookies=1 (turn on SYN cookies)

(42)

SYN Flooding Attack

• Run your attacks with the SYN cookie mechanism on and off, and compare the results.

• In your report, describe why the SYN cookie can effectively protect the machine against the SYN flooding attack.

(43)

SYN Flooding Attack

• Experimenting with the SYN flood attack command provided by Netwox is fairly straightforward.

• Wireshark can be used on the target machine to record incoming SYN messages and outgoing SYN-ACK messages.

• After the command is issued from the attacker, Wireshark can be inundated with packets showing the response to all of the SYN requests (this may cause problems for the experimenter!).

(44)

Attack Scenario

• Create three Virtual Machines

• For example

– VM1: 192.168.181.141 (Attacker)

– VM2: 192.168.181.142 (Victim)

– VM3: 192.168.181.143

(45)

Useful commands

• On Attacker VM (i.e. VM1)

– sudo netwox 76 --dst-ip 192.168.181.142 --dst-port 80

– sudo netwox 76 --dst-ip 192.168.181.142 --dst-port 53 (port 53 is the TCP/UDP port used by DNS)

• On Victim VM (i.e. VM2)

– netstat -aon | grep 80 | more

– netstat -an | grep :80 | grep -i syn | wc -l

(46)

TCP RST Attacks on telnet and ssh Connections

(47)

telnet

• telnet and SSH are application layer protocols of the TCP/IP protocol suite

telnet provides access to a command-line interface (usually, of an operating system) on a remote host, including most network equipment and operating systems with a configuration utility.

telnet establishes a connection to TCP port 23.

• Because of serious security concerns when using telnet over an open network such as the Internet, its use for this purpose has waned significantly in favor of SSH.

(48)

SSH

SSH is a cryptographic network protocol for operating network services securely over an unsecured network.

• It provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server.

• Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH.

SSH establishes a connection to TCP port 22.

(49)

TCP RST (reset)

• In a stream of packets of a TCP connection, each packet contains a TCP header.

• Each of these headers contains a bit known as the "reset" (RST) flag.

• In most packets the RST flag is set to 0 and has no effect

• If the RST flag is set to 1, it indicates to the receiving computer that it should immediately stop using the TCP connection;

– i.e. it should not send any more packets using the connection's identifying numbers, called ports, and should discard any further packets it receives with headers indicating they belong to that connection.

• A TCP reset basically kills a TCP connection instantly.

(50)
(51)

Usefulness of TCP RST (reset)

• When used as designed, this can be a useful tool.

• One common application is the scenario where a computer (computer A) crashes while a TCP connection is in progress.

• The computer on the other end (computer B) will continue to send TCP packets since it does not know that computer A has crashed.

• When computer A reboots, it will then receive packets from the old pre-crash connection.

• Computer A has no context for these packets and no way of knowing what to do with them, so it might send a TCP reset to computer B.

• This reset lets computer B know that the connection is no longer working.

• The user on computer B can now try another connection or take other action.

(52)

Forging TCP RST (reset)

• In the normal case, the TCP reset bit is sent by a computer that was one of the connection endpoints.

• It is possible for a 3rd computer to monitor the TCP packets on the connection and then send a "forged" packet containing a TCP reset to one or both endpoints.

• The headers in the forged packet must indicate, falsely, that it came from an endpoint, not the forger.

• This information includes the endpoint IP addresses and port numbers.

• Every field in the IP and TCP headers must be set to a convincing forged value for the fake reset to trick the endpoint into closing the TCP connection.

• Properly formatted forged TCP resets can be a very effective way to disrupt any TCP connection that the forger can monitor.

(53)

TCP RST Attack Scenario

• The TCP RST attack can terminate an established TCP connection between two victims.

• For example, if there is an established telnet connection (TCP) between two users A and B,

– attackers can spoof an RST packet from A to B, breaking this existing connection.

– To succeed in this attack, attackers need to correctly construct the TCP RST packet.

• In this attack, you need to launch a TCP RST attack to break an existing telnet connection between A and B

• You may try the same attack on an SSH connection.

• In the attack scenario you may assume that the attackers and the victims are on the same LAN, i.e., attackers can observe the TCP traffic between A and B.
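The following added example (not from the lecture) shows the receiver's side of the slides above: it extracts the RST flag and sequence number from a TCP header and applies the RFC 5961 rule that modern stacks use, resetting only when the sequence number exactly equals the next expected one, answering other in-window resets with a challenge ACK, and dropping the rest, so a forger who merely guesses an in-window value no longer succeeds. The connection state and segments are constructed; the lab's on-LAN attacker can read the exact sequence number, which RFC 5961 does not protect against.

```python
import struct

TCP_HDR = "!HHIIBBHHH"   # sport, dport, seq, ack, data offset, flags, window, checksum, urgent
RST = 0x04               # RST bit within the flags byte

def parse_tcp(hdr: bytes) -> dict:
    """Fixed 20-byte TCP header -> the fields the reset check needs."""
    sport, dport, seq, _, _, flags, _, _, _ = struct.unpack(TCP_HDR, hdr[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "rst": bool(flags & RST)}

def build_tcp(sport: int, dport: int, seq: int, flags: int) -> bytes:
    """Constructed sample segment header (checksum left at zero)."""
    return struct.pack(TCP_HDR, sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)

def rst_action(seg_seq: int, rcv_nxt: int, rcv_wnd: int, rfc5961: bool = True) -> str:
    """What a receiver does with an RST. Classic RFC 793 accepts any RST whose
    sequence number falls in the receive window; RFC 5961 resets only on an exact
    match, answers other in-window RSTs with a challenge ACK, and drops the rest."""
    offset = (seg_seq - rcv_nxt) & 0xFFFFFFFF     # modular: handles sequence wraparound
    if offset >= rcv_wnd:
        return "drop"
    if not rfc5961 or offset == 0:
        return "reset"
    return "challenge_ack"

def handle_segment(hdr: bytes, conn: dict) -> str:
    """conn holds sport, dport, rcv_nxt, rcv_wnd (and optionally rfc5961) for one connection."""
    seg = parse_tcp(hdr)
    if (seg["sport"], seg["dport"]) != (conn["sport"], conn["dport"]):
        return "drop"                              # not this connection's ports
    if not seg["rst"]:
        return "data"
    return rst_action(seg["seq"], conn["rcv_nxt"], conn["rcv_wnd"], conn.get("rfc5961", True))

def demo() -> dict:
    """Constructed: VM2's telnet session to VM3 (port 23) as seen by VM3 with rcv_nxt=1000
    and a 65535-byte window; forged resets carry an exact, a guessed and an out-of-window seq."""
    conn = dict(sport=40000, dport=23, rcv_nxt=1000, rcv_wnd=65535)
    exact, guess, outside = 1000, 1000 + 30000, 1000 + 70000
    return {
        "sniffed_exact": handle_segment(build_tcp(40000, 23, exact, RST), conn),
        "guessed_in_window": handle_segment(build_tcp(40000, 23, guess, RST), conn),
        "guessed_in_window_rfc793": handle_segment(build_tcp(40000, 23, guess, RST), {**conn, "rfc5961": False}),
        "outside_window": handle_segment(build_tcp(40000, 23, outside, RST), conn),
        "wrap_around": rst_action(seg_seq=5, rcv_nxt=0xFFFFFFF0, rcv_wnd=100),
    }
```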

(54)

Attack Scenario and Tools

• Open 3 Virtual Machines.

– VM1: 192.168.181.141 (Attacker)

– VM2: 192.168.181.142 (Victim)

– VM3: 192.168.181.143

• On VM2: telnet 192.168.181.143

• Then launch the following attack from VM1

- netwox 78 --device "Eth0" --filter "dst host 192.168.181.143 and dst port 23" --ips "192.168.181.142"

• The verification of a successful attack is that the telnet from VM2 to VM3 will be closed

(55)

Attack Scenario and Tools

• Now on VM2: ssh 192.168.181.143

• Then launch the following attack from VM1

- netwox 78 --device "Eth0" --filter "dst host 192.168.181.143 and dst port 22" --ips "192.168.181.142"

• The verification of a successful attack is that the ssh from VM2 to VM3 will be closed

(56)

Acknowledgement

• SEED Project led by Prof. Wenliang Du, Syracuse University

(57)

Assignments

Visit Course homepage for assignments

https://sites.google.com/site/mcitnetworksecurity

(58)

Get in touch

Course homepage: https://sites.google.com/site/mcitnetworksecurity

Contact me: [email protected]
