Lecture 22 Network Security
Transcript of Lecture 22 Network Security
![Page 1: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/1.jpg)
Lecture 22: Network Security
CS 450/650
Fundamentals of Integrated Computer Security
Slides are modified from Hesham El-Rewini
![Page 2: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/2.jpg)
Network Performance
• Gilder’s Law
– George Gilder projected that the total bandwidth of communication systems triples every twelve months
• Ethernet: 10 Mbps to 10 Gbps (1000 times)
• CPU clock frequency: 25 MHz to 2.5 GHz (100 times)
• Metcalfe's Law
– Robert Metcalfe projected that the value of a network is proportional to the square of the number of nodes
• Phone, Internet
CS 450/650 – Lecture 22: Network Security
![Page 3: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/3.jpg)
Internet
• The Internet is the collection of networks and routers that
– form a single cooperative virtual network
– spans the entire globe
• The Internet relies on the combination of the Transmission Control Protocol and the Internet Protocol, or TCP/IP
– The majority of Internet traffic is carried using TCP/IP packets
![Page 4: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/4.jpg)
ISO OSI Network Model
Diagram: two hosts, each with the seven layers (top to bottom) Application, Presentation, Session, Transport, Network, Data Link, Physical, connected via LAN – Internet – LAN
![Page 5: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/5.jpg)
TCP/IP
Diagram of the protocol stack (top to bottom):
– smtp, sftp, ssh
– Transmission Control Protocol (TCP)
– Internet Protocol (IP)
– Ethernet, Token ring
![Page 6: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/6.jpg)
TCP/IP Packets
Diagram of a packet: Physical Header | IP Header | TCP Header | message
![Page 7: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/7.jpg)
Addressing
• MAC (Media Access Control) address
– Every host connected to a network has a network interface card (NIC) with a unique physical address
• IP address
– IPv4: 32 bits (e.g., 192.168.48.6)
– IPv6: 128 bits
![Page 8: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/8.jpg)
Routing
• Routers
• Routing Tables
![Page 9: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/9.jpg)
IP Protocol
• Best-effort packet delivery service
• Datagram (IPv4) header layout, one 32-bit word per row:
VERS | HLEN | SERVICE TYPE | TOTAL LENGTH
IDENTIFICATION | FLAGS | FRAGMENT OFFSET
TIME TO LIVE | PROTOCOL | HEADER CHECKSUM
SOURCE ADDRESS
DESTINATION ADDRESS
OPTIONS (IF ANY) | PADDING
DATA
![Page 10: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/10.jpg)
Internet Control Message Protocol
• Transmit error messages and unusual situations
• Different types of ICMP have slightly different formats
ICMP time-exceeded message layout:
TYPE | CODE | CHECKSUM
UNUSED (MUST BE ZERO)
DATA: header and first 64 bits of offending datagram
![Page 11: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/11.jpg)
ICMP (Echo request/reply)
• Transmit error messages and unusual situations
• Different types of ICMP have slightly different formats
ICMP Echo Request/Reply message layout:
TYPE | CODE | CHECKSUM
IDENTIFIER | SEQUENCE NUMBER
DATA (optional)
![Page 12: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/12.jpg)
Ping of Death Attack
• Denial of service attack (first seen in 1996)
• Some systems did not handle oversized IP datagrams properly
• An attacker constructs an ICMP echo request containing 65,510 data octets and sends it to the victim
• Total size of the resulting datagram would be larger than the 65,535-octet limit specified by IP
– System would crash
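The IPv4 header from slide 9 and the oversized-datagram condition from this slide, as an added example that is not part of the lecture: a parser for the fixed 20-byte header that verifies HEADER CHECKSUM, plus the bound a receiver must enforce during reassembly, rejecting any fragment whose FRAGMENT OFFSET times 8 plus payload length would exceed 65,535 octets. The packet bytes used in the test are constructed.

```python
import struct
from dataclasses import dataclass
IPV4_FMT = "!BBHHHBBH4s4s"   # the fixed 20-byte header laid out on slide 9
MAX_DATAGRAM = 65535         # ceiling imposed by the 16-bit TOTAL LENGTH field

def header_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words (caller zeroes the checksum field)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

@dataclass
class IPv4Header:
    version: int
    hlen: int            # header length in 32-bit words (HLEN)
    total_length: int    # header + payload, in octets
    ident: int
    more_fragments: bool
    frag_offset: int     # FRAGMENT OFFSET, in 8-octet units
    ttl: int
    protocol: int        # 1 = ICMP, 6 = TCP, 17 = UDP
    src: str
    dst: str
    checksum_ok: bool

def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Decode the header and recompute HEADER CHECKSUM over the header bytes."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vhl, _tos, tlen, ident, ff, ttl, proto, csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    version, hlen = vhl >> 4, vhl & 0x0F
    if version != 4 or hlen < 5 or len(pkt) < hlen * 4:
        raise ValueError("malformed IPv4 header")
    hdr = pkt[:hlen * 4]
    ok = header_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == csum
    return IPv4Header(version, hlen, tlen, ident, bool(ff & 0x2000), ff & 0x1FFF,
                      ttl, proto, ".".join(map(str, src)), ".".join(map(str, dst)), ok)

def fragment_end(h: IPv4Header) -> int:
    """Octet offset at which this fragment's payload would end after reassembly."""
    return h.frag_offset * 8 + (h.total_length - h.hlen * 4)

def oversized_reassembly(h: IPv4Header) -> bool:
    """Ping-of-death guard: a reassembled datagram may never exceed 65,535 octets.
    The slide's 65,510 ICMP data octets + 8 ICMP header + 20 IP header = 65,538."""
    return fragment_end(h) > MAX_DATAGRAM
```

A receiver that applies `oversized_reassembly` to every fragment drops the final piece of the slide's 65,538-octet echo request before it can touch the reassembly buffer.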
![Page 13: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/13.jpg)
SMURF
• Attacker sends an echo request message to a broadcast address
• Attacker also spoofs the source address in the request
Diagram: Attacker → Intermediary → Victim
![Page 14: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/14.jpg)
UDP (User Datagram Protocol)
• From one application to another
– multiple destinations
• Port: positive integer identifying a unique destination
UDP header layout:
SOURCE PORT | DESTINATION PORT
LENGTH | CHECKSUM (optional)
DATA
![Page 15: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/15.jpg)
Attacks on UDP
• Fraggle
• Trinoo
![Page 16: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/16.jpg)
Fraggle (similar to smurf)
• UDP port 7 is used for the echo service
• An attacker can create a stream of user datagrams with a random source port and a spoofed source address
• Destination port is 7 and the destination address is a broadcast address at some intermediate site
• The attack can get worse if the source port = 7
• Could be prevented by filtering out UDP echo requests destined for broadcast addresses
![Page 17: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/17.jpg)
Fraggle attack
Diagram: a stream of UDP datagrams from the attacker to a broadcast destination, in two variants:
– spoofed source = victim’s host, random source port, destination port = 7
– spoofed source = victim’s host, source port = 7, destination port = 7
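The border filter that slide 16 proposes against fraggle, extended to the smurf case from slide 13, as an added example that is not part of the lecture: traffic is dropped only when it is addressed to a broadcast address (the limited broadcast or the directed broadcast of a network behind the filter) and is either a UDP datagram to the echo port or an ICMP echo request. The networks and addresses in the test are constructed.

```python
import ipaddress

ECHO_PORT = 7            # UDP echo service abused by fraggle
ICMP_ECHO_REQUEST = 8    # ICMP type abused by smurf
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

def directed_broadcasts(local_networks):
    """Directed-broadcast address of every network behind this filter."""
    return {ipaddress.ip_network(n, strict=False).broadcast_address for n in local_networks}

def is_broadcast(dst: str, local_networks) -> bool:
    """True if dst is the limited broadcast or a directed broadcast of a local network."""
    addr = ipaddress.IPv4Address(dst)
    return addr == LIMITED_BROADCAST or addr in directed_broadcasts(local_networks)

def border_filter(proto: str, dst: str, dport=None, icmp_type=None, local_networks=()) -> str:
    """Return 'drop' for amplifier traffic, 'pass' for everything else.
    proto is 'udp' or 'icmp'; dport / icmp_type come from the transport header."""
    if not is_broadcast(dst, local_networks):
        return "pass"                      # unicast echo traffic is legitimate
    if proto == "udp" and dport == ECHO_PORT:
        return "drop"                      # fraggle: UDP echo to a broadcast address
    if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST:
        return "drop"                      # smurf: ICMP echo request to a broadcast address
    return "pass"
```

Applying the rule at the intermediate site removes the amplifier; the same check placed at the victim does nothing, because the replies arriving there are ordinary unicast.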
![Page 18: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/18.jpg)
Trinoo
• Distributed denial of service
• In smurf and fraggle, traffic comes from a single intermediate node
• Trinoo allows the attacker to flood the victim from hundreds of intermediate sites simultaneously
• Two programs:
– master and
– daemon
• installed in many different stolen accounts
![Page 19: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/19.jpg)
Trinoo attack
Diagram: attacker → masters (several) → daemons (many) → large number of UDP packets to random ports
![Page 20: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/20.jpg)
TCP
• Reliable delivery
• TCP messages are sent inside IP datagrams
TCP header layout, one 32-bit word per row:
SOURCE PORT | DESTINATION PORT
SEQUENCE NUMBER
ACKNOWLEDGMENT
HLEN | RESV | CODE BITS | WINDOW
CHECKSUM | URGENT POINTER
OPTIONS (IF ANY) | PADDING
DATA
![Page 21: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/21.jpg)
TCP Overview
• TCP segments are sent inside IP datagrams
• TCP divides a stream of data into chunks that fit in IP datagrams
• It ensures that each datagram arrives at its destination
• It then reassembles the datagrams to produce the original message
![Page 22: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/22.jpg)
TCP Overview (cont.)
• TCP uses an acknowledgment-and-retransmission scheme
• TCP sending software keeps a record of each datagram and waits for an acknowledgment
– If no acknowledgment is received during the timeout interval, the datagram is retransmitted
![Page 23: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/23.jpg)
TCP communication
Establishing a TCP connection using a 3-way handshake (Host A and Host B):
– Message 1 (SYN + SEQ): A → B
– Message 2 (SYN + SEQ + ACK): B → A
– Message 3 (ACK): A → B
Closing a TCP connection (one way, A to B):
– Message 1 (FIN + SEQ): A → B
– Message 2 (ACK): B → A
![Page 24: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/24.jpg)
Attacks on TCP
• SYN Flood
– Half-opened connection table
• LAND
– Spoofed source address = destination address
– Source port = destination port
– Certain implementations freeze
• TRIBE Flood Network (TFN)
– Similar to trinoo but more than one attack
– UDP flood, smurf, SYN floods, and others
![Page 25: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/25.jpg)
Probes and Scans
• Ping scan and traceroute
– What machines exist on a given network and how they are arranged
• Remote OS fingerprinting
– What OS each detected host is running
– Different OSs respond to invalid packets differently
– Example: FIN to a connection that has not been opened
![Page 26: Lecture 22 Network Security](https://reader036.fdocuments.us/reader036/viewer/2022070419/56815b87550346895dc98ad1/html5/thumbnails/26.jpg)
Probes and Scans
• Port Scanning
– Which ports are open? (port scanner)
• Open a TCP connection and close it immediately
• Use half-opened connections
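The handshake on slide 23, the SYN flood and LAND entries on slide 24 and the two port-scan techniques on slide 26, brought together in one added example that is not part of the lecture: a connection tracker that follows each connection through Messages 1 to 3, keeps the half-opened connection table that a SYN flood fills, and alerts when that table grows past a limit, when a segment carries the LAND signature, or when one source sends SYNs to many ports of one host. The flag values, limits and all segments in the test are assumptions or constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10        # CODE BITS from the TCP header on slide 20

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

def is_land(seg: Segment) -> bool:
    """LAND: source address equals destination and source port equals destination port."""
    return seg.src == seg.dst and seg.sport == seg.dport

class HalfOpenTracker:
    """Follows each connection from SYN to the final ACK of the 3-way handshake and
    alerts on half-open pile-ups (SYN flood), LAND segments and port scans."""

    def __init__(self, flood_limit: int = 1000, scan_limit: int = 20):  # assumed defaults
        self.flood_limit, self.scan_limit = flood_limit, scan_limit
        self.half_open = defaultdict(set)    # server (ip, port) -> {(client ip, client port)}
        self.probed = defaultdict(set)       # (client ip, server ip) -> {server ports hit}
        self.alerts = set()                  # (kind, subject), deduplicated

    def observe(self, seg: Segment) -> None:
        if is_land(seg):
            self.alerts.add(("land", seg.dst))
            return
        server, client = (seg.dst, seg.dport), (seg.src, seg.sport)
        if seg.flags & SYN and not seg.flags & ACK:          # Message 1: SYN + SEQ
            self.half_open[server].add(client)
            self.probed[(seg.src, seg.dst)].add(seg.dport)   # counts full and half-open probes
            if len(self.half_open[server]) > self.flood_limit:
                self.alerts.add(("syn_flood", seg.dst))
            if len(self.probed[(seg.src, seg.dst)]) > self.scan_limit:
                self.alerts.add(("port_scan", seg.src))
        elif seg.flags & ACK and not seg.flags & SYN:        # Message 3: ACK completes it
            self.half_open[server].discard(client)
        # Message 2 (SYN + ACK) travels server to client and leaves the table unchanged

    def half_open_count(self, server_ip: str, port: int) -> int:
        return len(self.half_open[(server_ip, port)])
```

A scan that completes each connection (slide 26, first technique) leaves the half-open table empty but still trips the `port_scan` alert, because probes are counted at the SYN regardless of what follows.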