Lecture 22 Network Security


Page 1: Lecture 22 Network Security

Lecture 22: Network Security

CS 450/650

Fundamentals of Integrated Computer Security

Slides are modified from Hesham El-Rewini

Page 2: Lecture 22 Network Security

Network Performance

• Gilder’s Law
– George Gilder projected that the total bandwidth of communication systems triples every twelve months
• Ethernet: 10 Mbps → 10 Gbps (1000 times)
• CPU clock frequency: 25 MHz → 2.5 GHz (100 times)

• Metcalfe's Law
– Robert Metcalfe projected that the value of a network is proportional to the square of the number of nodes
• Phone, Internet

CS 450/650 – Lecture 22: Network Security

Page 3: Lecture 22 Network Security

Internet

• The Internet is the collection of networks and routers that
– form a single cooperative virtual network
– span the entire globe

• The Internet relies on the combination of the Transmission Control Protocol and the Internet Protocol, or TCP/IP
– The majority of Internet traffic is carried using TCP/IP packets

Page 4: Lecture 22 Network Security

ISO OSI Network Model

Two identical seven-layer stacks, one per communicating host, top to bottom:
Application
Presentation
Session
Transport
Network
Data Link
Physical

The two stacks are connected at the bottom through LAN → Internet → LAN.

Page 5: Lecture 22 Network Security

TCP/IP

Protocol stack, top to bottom:
smtp, sftp, ssh
Transmission Control Protocol (TCP)
Internet Protocol (IP)
Ethernet, Token ring

Page 6: Lecture 22 Network Security

TCP/IP Packets

Physical Header | IP Header | TCP Header | message

Page 7: Lecture 22 Network Security

Addressing

• MAC (Media Access Control) address
– Every host connected to a network has a network interface card (NIC) with a unique physical address

• IP address
– IPv4: 32 bits (192.168.48.6)
– IPv6: 128 bits

Page 8: Lecture 22 Network Security

Routing

• Routers

• Routing Tables

Page 9: Lecture 22 Network Security

IP Protocol

• Best-effort packet delivery service
• Datagram (IPv4) header layout, one 32-bit word per row:

VERS | HLEN | SERVICE TYPE | TOTAL LENGTH
IDENTIFICATION | FLAGS | FRAGMENT OFFSET
TIME TO LIVE | PROTOCOL | HEADER CHECKSUM
SOURCE ADDRESS
DESTINATION ADDRESS
OPTIONS (IF ANY) | PADDING
DATA

Page 10: Lecture 22 Network Security

Internet Control Message Protocol

• Transmit error messages and unusual situations

• Different types of ICMP have slightly different format

ICMP time-exceeded message:
TYPE | CODE | CHECKSUM
Unused (must be zero)
DATA: Header and 1st 64 bits of offending datagram

Page 11: Lecture 22 Network Security

ICMP (Echo request/reply)

• Transmit error messages and unusual situations

• Different types of ICMP have slightly different format

ICMP Echo Request/Reply Message:
TYPE | CODE | CHECKSUM
IDENTIFIER | SEQUENCE NUMBER
DATA (optional)

Page 12: Lecture 22 Network Security

Ping of Death Attack

• Denial of service attack (first seen in 1996)
• Some systems did not handle oversized IP datagrams properly
• An attacker constructs an ICMP echo request containing 65,510 data octets and sends it to the victim

• Total size of the resulting datagram would be larger than the 65,535 octet limit specified by IP
– System would crash
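As an added example (not part of the lecture slides), a parser for the IPv4 header fields on slide 9 that verifies the HEADER CHECKSUM and applies the reassembly check a hardened IP stack needs against the Ping of Death on slide 12. The constructed last fragment assumes the 65,518-octet ICMP message (65,510 data octets plus an 8-octet ICMP header) was split into 1480-octet fragments, so its final 398 octets sit at offset 65,120; addresses and the identification value are made up for the example.

```python
import struct

IPV4_MAX_DATAGRAM = 65535     # the 16-bit TOTAL LENGTH field cannot describe anything larger

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (the HEADER CHECKSUM field)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed fields of the IPv4 header shown on slide 9 and verify its checksum."""
    vers_hlen, _tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    hlen = (vers_hlen & 0x0F) * 4            # HLEN counts 32-bit words
    zeroed = bytearray(packet[:hlen])
    zeroed[10:12] = b"\x00\x00"              # the checksum is computed with its own field zeroed
    return {"version": vers_hlen >> 4, "hlen": hlen, "total_length": total_len,
            "identification": ident, "flags": flags_frag >> 13,
            "fragment_offset": (flags_frag & 0x1FFF) * 8,   # FRAGMENT OFFSET is in 8-octet units
            "ttl": ttl, "protocol": proto,
            "checksum_ok": ipv4_checksum(bytes(zeroed)) == csum,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def oversized_reassembly(h: dict) -> bool:
    """Ping of Death check (slide 12): would header + this fragment's offset + its payload
    exceed the 65,535-octet datagram limit once reassembled? Such a fragment must be dropped."""
    payload = h["total_length"] - h["hlen"]
    return h["hlen"] + h["fragment_offset"] + payload > IPV4_MAX_DATAGRAM

def build_ipv4(src, dst, proto, payload_len, frag_units=0, more_frags=False):
    """Constructed test datagram (not a capture): valid 20-byte header plus zero payload."""
    flags_frag = (0x2000 if more_frags else 0) | frag_units
    pack = lambda c: struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                                 flags_frag, 64, proto, c,
                                 bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return pack(ipv4_checksum(pack(0))) + b"\x00" * payload_len

# Constructed last fragment of a Ping of Death: 65,518 octets of ICMP split into 1480-octet
# fragments leaves 398 octets at offset 65,120 (8140 units); 20 + 65120 + 398 > 65535.
POD_LAST_FRAGMENT = build_ipv4("10.0.0.9", "192.168.48.6", 1, 398, frag_units=8140)
```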

Page 13: Lecture 22 Network Security

SMURF

• Attacker sends an echo request message to a broadcast address
• Attacker also spoofs the source address in the request

Attacker → Intermediary → Victim

Page 14: Lecture 22 Network Security

UDP (User Datagram Protocol)

• From one application to another
– multiple destinations

• Port: a positive integer that identifies a unique destination

UDP header layout:
SOURCE PORT | DESTINATION PORT
LENGTH | CHECKSUM (optional)
DATA

Page 15: Lecture 22 Network Security

Attacks on UDP

• Fraggle

• Trinoo

Page 16: Lecture 22 Network Security

Fraggle (similar to smurf)

• UDP port 7 is used for the echo service
• An attacker can create a stream of user datagrams with random source ports and a spoofed source address

• Destination port is 7 and the destination address is a broadcast address at some intermediate site

• The attack gets worse if the source port is also 7
• Could be prevented by filtering out UDP echo requests destined for broadcast addresses

Page 17: Lecture 22 Network Security

Fraggle attack

Stream of UDP datagrams: spoofed source = victim’s host, random source port, destination port = 7, broadcast destination

Stream of UDP datagrams: spoofed source = victim’s host, source port = 7, destination port = 7, broadcast destination
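An added example (not from the slides) of the border-router filter the slides propose against the directed-broadcast amplification used by smurf (slide 13) and fraggle (slides 16 and 17): echo traffic is dropped only when aimed at a broadcast address, so unicast ping and unicast UDP echo still pass. The local networks, addresses and sample datagrams are constructed; the function takes the already-decoded destination address, IP PROTOCOL value and IP payload.

```python
import ipaddress
import struct

ICMP, UDP = 1, 17                       # IP PROTOCOL field values
ICMP_ECHO_REQUEST, UDP_ECHO_PORT = 8, 7

# Networks behind this router (constructed); their broadcast addresses are the amplifier targets.
LOCAL_NETS = [ipaddress.ip_network("192.168.48.0/24"), ipaddress.ip_network("10.1.0.0/16")]

def is_broadcast(dst: str, nets=LOCAL_NETS) -> bool:
    """True for the limited broadcast address or any local network's directed broadcast."""
    addr = ipaddress.ip_address(dst)
    return addr == ipaddress.ip_address("255.255.255.255") or any(addr == n.broadcast_address for n in nets)

def verdict(dst: str, proto: int, payload: bytes, nets=LOCAL_NETS):
    """Return a drop reason for smurf/fraggle trigger traffic, or None to forward the datagram."""
    if not is_broadcast(dst, nets):
        return None                                              # unicast echo is legitimate
    if proto == ICMP and payload[0] == ICMP_ECHO_REQUEST:        # ICMP TYPE is the first octet
        return "smurf: ICMP echo request to broadcast"
    if proto == UDP:
        sport, dport, _length, _csum = struct.unpack("!HHHH", payload[:8])
        if dport == UDP_ECHO_PORT:
            tag = " (source port 7: hosts echo each other)" if sport == UDP_ECHO_PORT else ""
            return "fraggle: UDP echo request to broadcast" + tag
    return None                                                  # other broadcast traffic is out of scope

def icmp_echo_request(ident=1, seq=1) -> bytes:
    """Constructed ICMP echo request header; checksum left zero because the filter ignores it."""
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)

def udp_header(sport: int, dport: int, data_len: int = 0) -> bytes:
    """Constructed UDP header (slide 14 layout) with a zero checksum."""
    return struct.pack("!HHHH", sport, dport, 8 + data_len, 0)

# Constructed sample datagrams: (destination address, protocol, IP payload)
SAMPLE = [
    ("192.168.48.6",   ICMP, icmp_echo_request()),       # normal ping to one host: forward
    ("192.168.48.255", ICMP, icmp_echo_request()),       # smurf trigger: drop
    ("10.1.255.255",   UDP,  udp_header(51515, 7)),      # fraggle, random source port: drop
    ("10.1.255.255",   UDP,  udp_header(7, 7)),          # fraggle, source port 7: drop
    ("192.168.48.6",   UDP,  udp_header(51515, 7)),      # unicast UDP echo: forward
    ("192.168.48.255", UDP,  udp_header(51515, 53)),     # broadcast but not echo: forward
]

def filter_batch(datagrams=SAMPLE, nets=LOCAL_NETS):
    return [verdict(d, p, pl, nets) for d, p, pl in datagrams]
```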

Page 18: Lecture 22 Network Security

Trinoo

• Distributed denial of service
• In smurf and fraggle, traffic comes from a single intermediate node
• Trinoo allows the attacker to flood the victim from hundreds of intermediate sites simultaneously
• Two programs:
– master and
– daemon
• Installed in many different stolen accounts

Page 19: Lecture 22 Network Security

Trinoo attack

attacker → master, master, master, master → daemon, daemon, daemon, daemon → large number of UDP packets to random ports

Page 20: Lecture 22 Network Security

TCP

• Reliable delivery
• TCP messages are sent inside IP datagrams

TCP header layout, one 32-bit word per row:
SOURCE PORT | DESTINATION PORT
SEQUENCE NUMBER
ACKNOWLEDGMENT
HLEN | RESV | CODE BITS | WINDOW
CHECKSUM | URGENT POINTER
OPTIONS (IF ANY) | PADDING
DATA

Page 21: Lecture 22 Network Security

TCP Overview

• TCP segments are sent inside IP datagrams
• TCP divides a stream of data into chunks that fit in IP datagrams
• It ensures that each datagram arrives at its destination
• It then reassembles the datagrams to produce the original message

Page 22: Lecture 22 Network Security

TCP Overview (cont.)

• TCP uses an acknowledgment-and-retransmission scheme

• TCP sending software keeps a record of each datagram and waits for an acknowledgment
– If no acknowledgment is received during the timeout interval, the datagram is retransmitted

Page 23: Lecture 22 Network Security

TCP communication

Establishing a TCP Connection Using a 3-way handshake (Host A and Host B):
Message 1, A → B: SYN + SEQ
Message 2, B → A: SYN + SEQ + ACK
Message 3, A → B: ACK

Closing a TCP Connection (one way, A to B):
Message 1, A → B: FIN + SEQ
Message 2, B → A: ACK

Page 24: Lecture 22 Network Security

Attacks on TCP

• SYN Flood
– Half-opened connection table

• LAND
– Spoofed source address = destination address
– Source port = destination port
– Certain implementations freeze

• TRIBE Flood Network (TFN)
– Similar to trinoo but more than one attack
– UDP flood, smurf, SYN floods, and others
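An added model (not from the slides) of the server side of the 3-way handshake on slide 23 with the bounded half-open connection table that a SYN flood exhausts, plus the source = destination check that rejects a LAND segment (slide 24). Capacity, timeout, the predictable initial sequence numbers and all addresses are constructed for the example; a real stack uses unpredictable ISNs.

```python
from collections import namedtuple

# One TCP segment: flags is "SYN" (Message 1) or "ACK" (Message 3); seq/ack are sequence numbers.
Segment = namedtuple("Segment", "src sport dst dport flags seq ack")

class Listener:
    """Toy listener: tracks half-open connections (SYN seen, Message 3 not yet received)
    in a table of fixed size and expires entries after a timeout."""

    def __init__(self, capacity=4, timeout=30.0):
        self.capacity, self.timeout = capacity, timeout
        self.half_open = {}          # (src, sport) -> (ACK we expect, time the SYN arrived)
        self.established = set()
        self.next_isn = 1000         # constructed, predictable ISN for the example only

    def expire(self, now):
        """Free table slots whose SYN has waited longer than the timeout without an ACK."""
        self.half_open = {k: v for k, v in self.half_open.items() if now - v[1] < self.timeout}

    def receive(self, seg, now):
        self.expire(now)
        if seg.src == seg.dst and seg.sport == seg.dport:              # LAND segment (slide 24)
            return "drop: LAND segment (source = destination)"
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":                                         # Message 1 (SYN + SEQ)
            if key in self.half_open:
                return "retransmitted SYN"
            if len(self.half_open) >= self.capacity:
                return "drop: half-open table full"                    # what a SYN flood causes
            isn, self.next_isn = self.next_isn, self.next_isn + 64000
            self.half_open[key] = (isn + 1, now)
            return f"SYN+ACK seq={isn} ack={seg.seq + 1}"              # Message 2 (SYN + SEQ + ACK)
        if seg.flags == "ACK" and key in self.half_open:               # Message 3 (ACK)
            if seg.ack != self.half_open[key][0]:
                return "drop: ACK does not match our SEQ + 1"
            del self.half_open[key]
            self.established.add(key)
            return "established"
        return "ignored"

def syn_flood_demo():
    """Four spoofed SYNs fill a 4-slot table; a real client is refused until they time out."""
    srv = Listener(capacity=4, timeout=30.0)
    for i in range(4):                  # spoofed sources never send Message 3
        srv.receive(Segment(f"203.0.113.{i}", 40000 + i, "192.168.48.6", 80, "SYN", 1, 0), now=0.0)
    refused = srv.receive(Segment("192.168.48.9", 51000, "192.168.48.6", 80, "SYN", 500, 0), now=1.0)
    reply = srv.receive(Segment("192.168.48.9", 51000, "192.168.48.6", 80, "SYN", 500, 0), now=31.0)
    isn = int(reply.split("seq=")[1].split()[0])
    done = srv.receive(Segment("192.168.48.9", 51000, "192.168.48.6", 80, "ACK", 501, isn + 1), now=31.1)
    return refused, done
```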

Page 25: Lecture 22 Network Security

Probes and Scans

• Ping scan and traceroute
– What machines exist on a given network and how they are arranged

• Remote OS fingerprinting
– What OS each detected host is running
– Different OSes respond to invalid packets differently
– Example: FIN to a connection that has not been opened

Page 26: Lecture 22 Network Security

Probes and Scans

• Port Scanning
– Which ports are open? (port scanner)

• Open a TCP connection and close it immediately

• Use half-opened connections

CS 450/650 – Lecture 22: Network Security
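As an added example (not from the slides), detection logic a defender would run over connection logs to spot the probes on slides 25 and 26: one source touching many distinct ports on one host inside a short window is a port scan, and the log's state column separates the connect-and-close style from the half-open style; one source sending ICMP echo requests to many hosts is a ping sweep. The log format, its two state values and every address are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed log (not a real capture): ts src dst proto port state, where state is "complete"
# (connection finished normally) or "half-open" (SYN answered, then reset before completing).
SAMPLE_LOG = """\
1.00 10.0.0.5 192.168.48.6 tcp 22 complete
1.02 10.0.0.5 192.168.48.6 tcp 25 half-open
1.03 10.0.0.5 192.168.48.6 tcp 80 half-open
1.05 10.0.0.5 192.168.48.6 tcp 110 half-open
1.06 10.0.0.5 192.168.48.6 tcp 443 half-open
1.08 10.0.0.5 192.168.48.6 tcp 3306 half-open
2.00 10.0.0.7 192.168.48.1 icmp 8 -
2.01 10.0.0.7 192.168.48.2 icmp 8 -
2.02 10.0.0.7 192.168.48.3 icmp 8 -
2.03 10.0.0.7 192.168.48.4 icmp 8 -
9.00 10.0.0.9 192.168.48.6 tcp 443 complete
"""

def parse_line(line: str):
    ts, src, dst, proto, port, state = line.split()
    return float(ts), src, dst, proto, int(port), state   # for icmp, "port" carries the ICMP type

def detect(log_text: str = SAMPLE_LOG, window: float = 5.0,
           port_threshold: int = 5, host_threshold: int = 4):
    """Sliding-window detector for port scans (slide 26) and ping sweeps (slide 25).
    Returns (src, dst, kind, events_in_window) alerts, one per burst."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_pair = defaultdict(list)     # (src, dst) -> recent (ts, port, state)
    by_src = defaultdict(list)      # src -> recent (ts, dst) echo requests
    alerts = []
    for ts, src, dst, proto, port, state in events:
        if proto == "tcp":
            recent = by_pair[(src, dst)]
            recent.append((ts, port, state))
            recent[:] = [e for e in recent if ts - e[0] <= window]    # slide the window
            if len({p for _, p, _ in recent}) >= port_threshold:
                # majority state names the style: "complete" (open and close) or "half-open"
                style = Counter(s for *_, s in recent).most_common(1)[0][0]
                alerts.append((src, dst, f"{style} port scan", len(recent)))
                recent.clear()                                        # one alert per burst
        elif proto == "icmp" and port == 8:                           # ICMP echo request
            recent = by_src[src]
            recent.append((ts, dst))
            recent[:] = [e for e in recent if ts - e[0] <= window]
            if len({d for _, d in recent}) >= host_threshold:
                alerts.append((src, "*", "ping sweep", len(recent)))
                recent.clear()
    return alerts
```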