ARP, TCP/IP and vulnerabilities
ARP spoofing
→ Address Resolution Protocol: link-layer protocol used to find a host's hardware address given its network-layer address - commonly: determine the MAC address associated with a given IP address
→ Attack against ARP called ARP spoofing
How ARP works
→ source machine wants to send a packet to destination machine on LAN
→ Network layer: source machine knows destination IP address - link layer sends packet - source needs to identify MAC address of the destination machine
→ Resolving IP addresses into MAC addresses is done by broadcasting a message to query all network interfaces on the LAN, so the destination can respond
→ ARP request: who has IP address {ip address}
→ ARP reply: {ip address} is at {MAC address}
→ reply is transmitted in a frame only to the machine that made the request
→ machine stores the IP-MAC address pair locally in a table → ARP cache
→ source sends data to the correct destination
→ PROBLEM: no authentication scheme - any computer can claim the IP address - any machine receiving an ARP reply, even if it hasn't sent a request, will update its cache - malicious parties on the LAN can perform ARP spoofing
ARP spoofing
→ attacker sends ARP reply to a target
→ target associates IP address of the LAN gateway with MAC address of the attacker
→ attacker also sends ARP reply to LAN gateway pretending to be the target
→ ARP cache poisoning
→ creates a man-in-the-middle scenario - attacker has control over the traffic between the gateway and the target
→ attacker can passively observe, sniff passwords/other info
→ can tamper with traffic
→ can create a denial of service attack
Solution
→ need to secure local networks
→ basic: restrict LAN access to trusted users
→ better: check for multiple occurrences of the same MAC address on one LAN - could be a sign of ARP spoofing
→ Static ARP tables: a network admin manually specifies a router's ARP cache - assigning MAC to IP. ARP requests to adjust the cache are ignored - spoofing is impossible - inconvenient - reduces flexibility when a new device joins the network - doesn't prevent an attacker from spoofing a MAC address to intercept traffic for another host on the network
→ more complex + flexible: software solutions that inspect all ARP packets and compare with stored records of ARP entries - detect + prevent spoofing (see anti-arpspoof, XArp, Arpwatch)
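The Arpwatch-style checks listed above (a stored IP→MAC mapping changing, one MAC claiming several IPs, replies that answer no request) can be expressed as a small monitor. The code below is an added example written for these notes, not code from Arpwatch or any other named tool; the ARP events it processes are constructed, so nothing is captured from a live network.

```python
"""Arpwatch-style ARP monitor (added example, not from the notes or any named tool).

Keeps a record of observed IP->MAC pairs and raises alerts on the three signs of
ARP spoofing described above: a stored mapping changing to a new MAC, one MAC
claiming several IP addresses, and replies that answer no outstanding request.
"""
from collections import defaultdict

# Constructed ARP events for a small LAN. Each tuple is:
# (operation, sender_ip, sender_mac, target_ip)
# operation 1 = request ("who has target_ip?"), 2 = reply ("sender_ip is at sender_mac")
ARP_EVENTS = [
    (1, "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),   # host asks for the gateway
    (2, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),   # legitimate gateway reply
    (2, "10.0.0.7", "aa:aa:aa:aa:aa:07", "10.0.0.5"),   # unsolicited (gratuitous) but consistent
    (2, "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.5"),   # gateway IP now claimed by a new MAC
    (2, "10.0.0.5", "de:ad:be:ef:00:99", "10.0.0.1"),   # same MAC also claims the host's IP
]


def monitor_arp(events):
    """Return a list of alert strings for the given ARP event stream."""
    ip_to_mac = {}                 # table built from observed traffic
    mac_to_ips = defaultdict(set)  # reverse index: which IPs each MAC has claimed
    pending = set()                # (requester_ip, queried_ip) pairs awaiting a reply
    alerts = []

    for op, sender_ip, sender_mac, target_ip in events:
        if op == 1:
            pending.add((sender_ip, target_ip))
            continue

        # Reply: was it solicited by a request from target_ip asking about sender_ip?
        if (target_ip, sender_ip) in pending:
            pending.discard((target_ip, sender_ip))
        else:
            alerts.append(f"unsolicited reply: {sender_ip} is at {sender_mac} (no matching request)")

        # Flip-flop: a stored mapping changes to a different MAC.
        old = ip_to_mac.get(sender_ip)
        if old is not None and old != sender_mac:
            alerts.append(f"changed mapping: {sender_ip} moved from {old} to {sender_mac}")
        ip_to_mac[sender_ip] = sender_mac

        # One MAC claiming several IP addresses on the LAN.
        mac_to_ips[sender_mac].add(sender_ip)
        if len(mac_to_ips[sender_mac]) > 1:
            claimed = ", ".join(sorted(mac_to_ips[sender_mac]))
            alerts.append(f"duplicate MAC: {sender_mac} claims {claimed}")

    return alerts


if __name__ == "__main__":
    for line in monitor_arp(ARP_EVENTS):
        print(line)
```

An unsolicited reply on its own is weak evidence (some hosts send gratuitous ARP when they boot); the changed-mapping and duplicate-MAC alerts, especially when the gateway address is involved, are the ones worth paging on.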
IP
→ network level protocol performing a best effort to route a data packet from source to destination nodes.
→ nodes have a unique numerical address - 32 bit under IPv4, 128 bit under IPv6. Source + destination specified by IP address
Routing IP packets
→ hosts like a PC, server or smartphone use an algorithm: → if the packet is addressed to a machine on the same LAN, transmit directly on the LAN: use ARP to determine the MAC address of the destination
→ if the machine is not on the LAN, transmit the packet to a gateway to handle the next step of routing - ARP is used to determine the MAC address of the gateway
→ host normally stores a list of IP addresses of machines on the LAN / compact description + IP address of gateway
→ routers: gateways / other intermediate network nodes
→ normally connected to one/more LANs
→ use routing tables to determine next router to send packet to
→ time to live prevents packets from going in circles - they have a hop limit, discarded when it reaches 0 and an error packet is sent to the source
p242-243
IP spoofing
→ IP packet includes a place to specify IP address of destination and source nodes
→ validity of the source address is never checked - easy to specify a source address different from the sender's real IP address
→ Specify the desired IP in the source field of an IP packet data
→ the attacker's actual IP address stays the same
→ if attacker sends IP packet with spoofed source address, no response will be sent from the destination server
→ the machine that the spoofed IP address belongs to will receive the response, not the attacker
→ used for DoS attacks - overwhelm the host with requests
→ circumventing firewall policy, TCP session hijacking → a different, nonstandard way to get response packets
Dealing with IP spoofing
→ Can’t prevent
→ Border routers can block packets from outside admin domain that have source addresses from inside the domain (these are likely spoofed to seem like they are coming from inside)
→ can also block outgoing traffic with source addresses from outside the domain (sign of attack from inside the subnetwork - symptom of malware/control from malicious parties)
→ can implement IP traceback techniques → trace back to the actual source address
→ requests can be made to the autonomous systems along the path to block packets from the actual source
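The two border-router rules above (drop inbound packets claiming an internal source, drop outbound packets with a foreign source) as a decision function, added here as an example; it is not any vendor's ACL syntax, and the address block and packets are constructed from the IETF documentation ranges.

```python
"""Border-router anti-spoofing filter (added example; illustrates the two
filtering rules in the notes, not any vendor's configuration syntax).

ingress: a packet arriving from outside must not carry a source address from inside our domain.
egress:  a packet leaving our domain must carry a source address from inside it.
"""
import ipaddress

# Constructed: the address block this border router is responsible for (TEST-NET-1).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed packets: (interface the packet arrived on, source IP, destination IP)
PACKETS = [
    ("outside", "198.51.100.9", "192.0.2.10"),    # normal inbound traffic
    ("outside", "192.0.2.44",   "192.0.2.10"),    # inbound but claims to be internal -> spoofed
    ("inside",  "192.0.2.10",   "198.51.100.9"),  # normal outbound traffic
    ("inside",  "203.0.113.5",  "198.51.100.9"),  # outbound with a foreign source -> symptom of malware
    ("inside",  "192.0.2.10",   "192.0.2.20"),    # internal-to-internal, consistent source
]


def filter_packet(iface, src, dst, internal=INTERNAL_NET):
    """Return ("permit" | "drop", reason) for a single packet seen at the border."""
    src_internal = ipaddress.ip_address(src) in internal

    if iface == "outside" and src_internal:
        return "drop", "ingress: external packet with internal source address"
    if iface == "inside" and not src_internal:
        return "drop", "egress: internal host sending with external source address"
    return "permit", "source address consistent with arriving interface"


def apply_filter(packets):
    """Run every packet through the filter and return (src, verdict, reason) in order."""
    return [(src, *filter_packet(iface, src, dst)) for iface, src, dst in packets]


if __name__ == "__main__":
    for src, verdict, reason in apply_filter(PACKETS):
        print(f"{verdict:6} {src:15} {reason}")
```

The egress rule is the one that protects everyone else: a network that applies it cannot be used as a launch point for spoofed-source floods, which is why the notes describe a hit on that rule as a sign of compromise inside the subnetwork.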
246
Transport Layer
→ builds on network layer to provide comms between processes
→ achieved by viewing each machine (one IP address) as a collection of ports - each capable of being a source/destination port
→ specify 16 bit source and destination ports in headers
→ TCP and UDP are the protocols for this layer
→ TCP: more sophisticated - connection oriented - reliable stream of bytes - guarantees information is intact and in order - if a packet is lost, TCP guarantees it will be resent - best for files, web pages, emails
→ UDP: best-effort comms - used for speed - e.g. voice conversation - short drops as in a lost packet are acceptable - long pauses waiting for a lost packet are not ok
248-250,
Congestion control
→ TCP avoids overwhelming a network with traffic with this
→ based on info gathered by keeping track of acks for previous data and time required for operations
→ adjusts data transmission rates based on this
TCP packet format
→ source + destination ports
→ connection sessions maintained beyond the lifetime of a single packet - TCP connections have a state
→ state starts with that used to open a connection, to exchanging data and acks, to closing a connection
TCP Connections
→ 3 way handshake used
→ client sends packet to destination with SYN flag (synchronisation)
→ includes random initialisation for a sequence number - used to ensure reliable ordering of future data transmissions
→ server replies with a packet with both the SYN and the ACK (SYN-ACK packet) - server wishes to accept the connection
→ packet includes acknowledgment number - set to the syn number + 1
→ client responds with ACK packet to indicate successful connection → final one is the server's SYN number incremented by one
→ this aims to defeat attacks against TCP based on predicting initial sequence numbers
→ 16 bit port numbers are used - range 0 to 2^16 - 1 - lower port numbers reserved for common protocols/services
→ apps create connections using sockets - abstraction allowing developers to treat network connections like files
→ read and write info as needed
→ operating system handles encapsulating app layer information in lower levels of the TCP/IP stack
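The handshake described above, simulated end to end with both sides' segments. This is an added example for these notes, not code from any TCP stack: the flag values and segment dictionaries are constructed, the initial sequence numbers come from a CSPRNG as modern stacks do, and each side rejects a segment whose acknowledgment number is not exactly its own ISN + 1.

```python
"""Simulation of the TCP three-way handshake (added example, not from the notes).

Models only what the notes describe: SYN carrying a random initial sequence
number (ISN), SYN-ACK acknowledging client ISN+1 with the server's own random
ISN, and the final ACK acknowledging server ISN+1. No real sockets are used.
"""
import secrets

SYN, ACK = 0x02, 0x10   # TCP flag bits (constants constructed for the simulation)
MOD = 2 ** 32           # sequence numbers are 32-bit and wrap around


def random_isn():
    """32-bit ISN from a CSPRNG, as modern stacks do to resist sequence prediction."""
    return secrets.randbits(32)


def make_segment(flags, seq, ack=0):
    return {"flags": flags, "seq": seq, "ack": ack}


class Client:
    def __init__(self):
        self.isn = random_isn()
        self.state = "CLOSED"

    def syn(self):
        self.state = "SYN_SENT"
        return make_segment(SYN, self.isn)

    def ack(self, synack):
        # Reject a SYN-ACK that does not acknowledge exactly our ISN + 1.
        if synack["flags"] != SYN | ACK or synack["ack"] != (self.isn + 1) % MOD:
            raise ValueError("SYN-ACK does not match our SYN")
        self.state = "ESTABLISHED"
        return make_segment(ACK, (self.isn + 1) % MOD, (synack["seq"] + 1) % MOD)


class Server:
    def __init__(self):
        self.half_open = {}   # client ISN -> our ISN; one entry per pending handshake
        self.established = 0

    def synack(self, syn):
        if syn["flags"] != SYN:
            raise ValueError("expected SYN")
        isn = random_isn()
        self.half_open[syn["seq"]] = isn
        return make_segment(SYN | ACK, isn, (syn["seq"] + 1) % MOD)

    def accept(self, ack):
        # The final ACK must carry client ISN+1 as seq and server ISN+1 as ack.
        client_isn = (ack["seq"] - 1) % MOD
        server_isn = self.half_open.get(client_isn)
        if ack["flags"] != ACK or server_isn is None or ack["ack"] != (server_isn + 1) % MOD:
            return False
        del self.half_open[client_isn]
        self.established += 1
        return True


def handshake(client, server):
    """Run a full handshake and return True when the server accepts it."""
    synack = server.synack(client.syn())
    return server.accept(client.ack(synack))
```

The `half_open` table is the per-connection state a server must hold between the SYN-ACK and the final ACK; the SYN flood section later in these notes is about exhausting exactly that table, and SYN cookies are the technique for doing without it.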
UDP
→ no guarantees for order/correctness
→ no initial handshakes to establish connection
→ datagrams: messages sent immediately
→ use a socket - no other setup
→ have a 16 bit checksum for integrity
→ no sequence number scheme - transmissions can arrive out of order/not arrive
→ checking for missing packets left for apps processing
→ much faster
→ format much simpler than TCP
253,
TCP session hijacking
TCP sequence prediction
→ session spoofing - creates a spoofed TCP session, doesn’t steal an existing one
→ attempts to predict an initial sequence number sent by server
→ incrementing by 1 is easily predictable
→ modern TCP stack implementations use a pseudo-random number generator to determine sequence numbers - makes it more difficult
example:
→ attacker launches DoS
256-258,
DoS Attacks
→ Bandwidth in a network is finite - num of connections a web server can maintain to clients is limited
→ Server connection needs min network capacity
→ server has used up bandwidth/ processor capability = additional connections are dropped - clients can’t access server
→ Attack targeting this is a DoS attack
→ Attackers don't care about the response - so spoofing the source IP address is common to obscure identity + hinder mitigation of the attack
→ blacklisting IP addresses won't work - every packet could have a different one
ICMP attack
Ping Flood:
Ping sends an ICMP echo request and receives an echo reply
Powerful machine attacks weaker one - sends massive amount of echo requests
victim is overwhelmed with traffic and drops legitimate connections
Smurf attack:
Takes advantage of misconfigured networks
Exploits the broadcast function to send ICMP packets with the source address set to the target and the destination address set to the broadcast address
all machines receive the packet and send a reply
multiplies the number of packets sent by the number of machines on the network - overwhelms bandwidth
preventing: admin configures hosts and routers to ignore broadcast requests + routers avoid forwarding packets meant for broadcast - otherwise the network is a security risk (ping flood amplifier)
if a server is weak, ignore ping requests altogether
SYN flood attacks
→ attacker sends tons of SYN packets to the server, ignores SYN/ACK replies
→ doesn't send the expected ACK packets
→ likely to use random spoofed source addresses in the SYN packets so the replies are sent to random addresses (not theirs)
→ server memory will fill with sequence numbers that it remembers to match TCP sessions with expected ACK packets
→ ACK packets never arrive - wasted memory blocks legit TCP session requests
Defence:
SYN cookies - Bernstein
Instead of dropping connections because its memory is full, the server sends a special SYN/ACK packet without a memory entry - encodes info in the TCP sequence number:
first 5 bits: timestamp as a counter incremented every minute, modulo 32
next 3: encoded value representing the maximum segment size of the transmission
last 24: MAC (message authentication code) of server and client IP addresses, server and client port numbers, and the timestamp from the first 5 bits (computed with a secret key)
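The cookie layout above as working code. This is an added example for these notes, not Bernstein's reference implementation or any kernel's; the server secret, the MSS table and the addresses and ports are constructed, and the 24-bit field is a truncated HMAC-SHA256 (the notes only say "MAC computed with a secret key", so the choice of HMAC-SHA256 is an assumption).

```python
"""SYN cookie construction following the layout in the notes (added example,
not Bernstein's reference code or any kernel's implementation).

Cookie = the 32-bit sequence number the server sends in its SYN-ACK:
  top 5 bits  : minute counter t mod 32
  next 3 bits : index into a small table of MSS values
  low 24 bits : truncated HMAC over (server IP, client IP, server port, client port, t)
The server keeps no per-connection state; when the ACK arrives it recomputes the
MAC from the packet's own addresses and ports and checks that (ack - 1) is a
valid, recent cookie.
"""
import hashlib
import hmac
import socket
import struct

SERVER_SECRET = b"constructed-secret-rotate-me"   # constructed; random and rotated in practice
MSS_TABLE = [536, 1300, 1440, 1460]               # constructed; 3 bits allow up to 8 entries


def _mac24(server_ip, client_ip, server_port, client_port, t):
    """24-bit truncated HMAC-SHA256 over the 4-tuple and the time counter."""
    msg = (socket.inet_aton(server_ip) + socket.inet_aton(client_ip)
           + struct.pack("!HHB", server_port, client_port, t))
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(server_ip, client_ip, server_port, client_port, minute, mss):
    """Build the 32-bit sequence number the server places in its SYN-ACK."""
    t = minute % 32
    # Largest table entry not exceeding the MSS the client advertised in its SYN.
    fitting = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_index = max(fitting) if fitting else 0
    return (t << 27) | (mss_index << 24) | _mac24(server_ip, client_ip, server_port, client_port, t)


def check_cookie(cookie, server_ip, client_ip, server_port, client_port, now_minute, max_age=4):
    """Return the MSS to use if the cookie is valid and recent, else None."""
    t = cookie >> 27
    mss_index = (cookie >> 24) & 0x7
    age = (now_minute % 32 - t) % 32           # wrap-around safe age in minutes
    if age > max_age:
        return None                            # stale cookie: the counter has moved on
    if (cookie & 0xFFFFFF) != _mac24(server_ip, client_ip, server_port, client_port, t):
        return None                            # MAC mismatch: forged or for another 4-tuple
    return MSS_TABLE[mss_index]


def validate_ack(ack_number, *args, **kwargs):
    """The client's ACK acknowledges cookie + 1; undo that before checking."""
    return check_cookie((ack_number - 1) % 2 ** 32, *args, **kwargs)
```

Because the MAC covers the client's address and port, a flood of SYNs from random spoofed sources costs the server nothing but one HMAC per reply, and an ACK can only complete a connection if it comes back from the address that was actually sent the SYN-ACK. The price is that TCP options other than MSS are lost, which is why real stacks only switch cookies on once the half-open table is under pressure.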
261
DDoS - distributed denial of service
impractical to launch attacks from a single machine
websites can handle loads of bandwidth
DDoS!
100/ 1000s of machines leveraged
Use botnets - large networks of compromised machines remotely controlled
Don't need to completely eliminate DDoS - always limited bandwidth
Analyze incoming traffic and drop packets consuming too much bandwidth - but IP spoofing makes it more difficult
Lecture Notes
Network Attacks
→ Data should: flow from source to destination
→ Denial of service: blocking data
→ Wiretapping : sniffing data (redirect)
→ Wiretapping - passive - take the data, but still forward it on
→ Tampering: changes data, forwards it
→ Spoofing : attacker pretends to be the source
Wireshark
→ Passively “sniff” network
→ can do this through whatever network connected to
→ intercept packets, view packets and headers
→ need admin privileges
→ promiscuous mode: takes traffic from everywhere
IP-MAC addresses
→ IP addresses higher in the stack, MAC lower (used by devices)
→ need to agree on how to do this mapping
→ ARP is standard
→ Can use your own protocol, but others might not talk to you
ARP
→ connects network layer to data link layer
→ maps IP to MAC
→ broadcast + local caching
→ doesn't support confidentiality, integrity or authentication
→ part of RFC 826
→ Broadcasts request to ask who has IP address - tell IP address
→ Machine responds with MAC
→ This is cached to map addresses → use arp -a to display the ARP table
→ arp -a -d flushes the ARP cache
→ ARP cache entries stored for a configurable amount of time
ARP cache poisoning/ ARP spoofing
→ issue: ARP table blindly update when ARP response is received
→ requests not tracked - doesn't check it sent out a request when it gets a reply
→ machines “trust” each other
→ means ARP is open to spoofing
→ Man-in-the-middle attack (MITM)
→ ARP cache poisoning leads to eavesdropping
→ almost all ARP implementations are stateless (doesn’t know if requested/waiting for a reply)
→ poison ARP cache with gratuitous ARP replies
→ can use static entries, but very difficult to manage - as number of machines grows, nearly impossible
LAN to Internet
→ If we need to talk between LANs, we need to use a router
→ Edinburgh Uni has an autonomous system (AS786) - operated by Jisc (runs a lot of UK university networks)
→ Class B network - 64K addresses
→ Informatics - 40 sub networks (class C)
→ servers 33
→ DICE machines - 24
→Laptops no fixed IP - 90
IP vulnerabilities
→ IP packets are unencrypted: can read header etc
→ no source address authentication - anyone can set it
User Datagram Protocol - UDP
→ stateless (don’t check if the packet arrives at the destination)
→ doesn’t check packet arrived or provide acknowledgment
→ can drop frames/ milliseconds of stuff like voice calls and we won’t notice - UDP good for this
TCP
→ reliable transmission
→ packets delivered in order
→ stateful
→ can write sequence number
→ can tell other side a packet is missing so can request that to be sent
→ ACK - acknowledgement - sent back from receiver - if sender doesn’t receive ACK, it will resend the packet
→ will use a checksum in the header to ensure data is correct
Ports
→ TCP and UDP both support concurrent apps on the same server : use ports
→ TCP header includes source and destination ports
→ 0-1023 are reserved for use by known protocols
→ 1024 - 49151 are known as user ports - used for listening for connections
TCP data transfer
→ 3 way handshake: initial sequence numbers exchanged
→ TCP header has a 16 bit checksum of data and parts of the header (source and destination)
→ ACKs used to:
TCP connections
→ established through 3 way handshake
→ server passive listener waiting for connection
→ client requests a connection sending out a SYN packet
→ server responds sending a SYN packet (increments)
→ client responds (increments again)
→ connection established
SYN flooding
→ Send thousands of SYN requests
→ No acknowledgement of replies
→ Victim runs out of space in the state table
→ add a rule to prevent this from happening: how many before you block
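One way to write the "how many before you block" rule: count SYNs per source address inside a sliding time window and flag the sources that exceed a threshold. This is an added example for these notes, not a rule from any firewall product; the threshold, window and the list of SYN arrivals are constructed.

```python
"""Per-source SYN rate rule (added example, not from the lecture notes).

Counts SYNs per source address in a sliding time window and returns the
sources that exceed the threshold. Input is a constructed, time-ordered list
of (timestamp_seconds, source_ip) SYN arrivals.
"""
from collections import defaultdict, deque


def syn_flood_sources(syn_events, threshold=20, window=10.0):
    """Return the set of source IPs that sent more than `threshold` SYNs
    within any `window`-second span. Events must be sorted by time."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    flagged = set()
    for ts, src in syn_events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop arrivals that have aged out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged


# Constructed sample: one legitimate client retrying a few times, one host flooding,
# and a burst from many distinct (possibly spoofed) addresses sending one SYN each.
SAMPLE_SYNS = (
    [(2.0 * t, "198.51.100.7") for t in range(5)]             # 5 SYNs over 10 s
    + [(0.1 * i, "203.0.113.9") for i in range(60)]           # 60 SYNs in 6 s
    + [(0.05 * i, f"192.0.2.{i}") for i in range(1, 200)]    # 199 sources, one SYN each
)
SAMPLE_SYNS.sort()   # the detector expects time order


if __name__ == "__main__":
    print(sorted(syn_flood_sources(SAMPLE_SYNS)))
```

The rule catches a single noisy source (`203.0.113.9` in the sample) but says nothing about the 199 one-SYN addresses, which is exactly the shape a flood with random spoofed sources takes; per-source thresholds therefore complement SYN cookies rather than replace them.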