Lecture 22: Network Security
CS 450/650
Fundamentals of Integrated Computer Security
Slides are modified from Hesham El-Rewini
Network Performance
• Gilder's Law
– George Gilder projected that the total bandwidth of communication systems triples every twelve months
• Ethernet: 10 Mbps → 10 Gbps (1000 times)
• CPU clock frequency: 25 MHz → 2.5 GHz (100 times)
• Metcalfe's Law
– Robert Metcalfe projected that the value of a network is proportional to the square of the number of nodes
• Phone, Internet
CS 450/650 – Lecture 22: Network Security
Internet
• The Internet is the collection of networks and routers that
– form a single cooperative virtual network
– span the entire globe
• The Internet relies on the combination of the Transmission Control Protocol and the Internet Protocol, or TCP/IP
– The majority of Internet traffic is carried in TCP/IP packets
ISO OSI Network Model
• Seven layers, top to bottom: Application, Presentation, Session, Transport, Network, Data Link, Physical
• Figure: two end hosts, each running the full seven-layer stack, connected as LAN – Internet – LAN
TCP/IP
• Application layer: smtp, sftp, ssh
• Transport layer: Transmission Control Protocol (TCP)
• Internet layer: Internet Protocol (IP)
• Link layer: Ethernet, Token Ring
TCP/IP Packets
• Encapsulation, outermost first: Physical Header | IP Header | TCP Header | message
Addressing
• MAC (Media Access Control) address
– Every host connected to a network has a network interface card (NIC) with a unique physical address
• IP address
– IPv4: 32 bits (e.g., 192.168.48.6)
– IPv6: 128 bits
Routing• Routers
• Routing Tables
IP Protocol
• Best-effort packet delivery service
• Datagram (IPv4) header layout, 32 bits per row:
VERS | HLEN | SERVICE TYPE | TOTAL LENGTH
IDENTIFICATION | FLAGS | FRAGMENT OFFSET
TIME TO LIVE | PROTOCOL | HEADER CHECKSUM
SOURCE ADDRESS
DESTINATION ADDRESS
OPTIONS (IF ANY) | PADDING
DATA
Internet Control Message Protocol
• Transmits error messages and reports unusual situations
• Different types of ICMP message have slightly different formats
• ICMP time-exceeded message:
TYPE | CODE | CHECKSUM
UNUSED (MUST BE ZERO)
DATA: header and first 64 bits of the offending datagram
ICMP (Echo request/reply)
• ICMP Echo Request/Reply message:
TYPE | CODE | CHECKSUM
IDENTIFIER | SEQUENCE NUMBER
DATA (optional)
Ping of Death Attack
• Denial of service attack (first seen in 1996)
• Some systems did not handle oversized IP datagrams properly
• An attacker constructs an ICMP echo request containing 65,510 data octets and sends it to the victim
• With the 8-octet ICMP header and 20-octet IP header, the total size of the resulting datagram (65,538 octets) would be larger than the 65,535-octet limit specified by IP
– The request travels as fragments that are each legal on their own; the limit is only exceeded at reassembly
– System would crash
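The check that the vulnerable stacks were missing, written out as an added example (not code from the slides): before copying a fragment into the reassembly buffer, verify that its offset plus length still fits inside a 65,535-octet datagram. The fragment model, the 20-octet header and the 1480-octet fragment payload are assumptions made for the demo.

```python
"""IPv4 reassembly bounds check of the kind the Ping of Death defeated.

Added example, not from the original slides. Fragments are modelled as
(offset field, MF flag, payload length) records; the check is applied
before any fragment is copied into the reassembly buffer.
"""
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535   # TOTAL LENGTH is a 16-bit field
IP_HEADER_LEN = 20        # minimal IPv4 header, no options (assumed for the model)
ICMP_HEADER_LEN = 8       # echo request: type, code, checksum, identifier, sequence number


@dataclass(frozen=True)
class Fragment:
    offset: int           # 13-bit FRAGMENT OFFSET field, in units of 8 octets
    more_fragments: bool  # MF flag from the FLAGS field
    payload_len: int      # octets of transport data carried by this fragment


def fragment_end(frag):
    """Offset (within the reassembled payload) just past this fragment's data."""
    return frag.offset * 8 + frag.payload_len


def reassembled_size(frags):
    """Size of the datagram after reassembly, header included.

    Raises ValueError as soon as a fragment would extend the payload past
    what a 65,535-octet datagram can hold; a stack that skipped this check
    overflowed its reassembly buffer on the last fragment of the attack."""
    max_payload = IP_MAX_DATAGRAM - IP_HEADER_LEN
    end = 0
    for f in frags:
        fe = fragment_end(f)
        if fe > max_payload:
            raise ValueError(
                f"fragment at offset {f.offset * 8} with {f.payload_len} octets ends at "
                f"{IP_HEADER_LEN + fe} octets, past the {IP_MAX_DATAGRAM} limit")
        end = max(end, fe)
    return IP_HEADER_LEN + end


def is_oversized(frags):
    """True when reassembling these fragments would exceed the IP limit."""
    try:
        reassembled_size(frags)
    except ValueError:
        return True
    return False


def echo_request_fragments(data_octets, mtu_payload=1480):
    """Fragment an ICMP echo request carrying `data_octets` bytes of data as a
    sender on a 1500-octet MTU link would (1480 = 1500 minus the 20-octet IP header).
    Constructed input for the demo; 65,510 reproduces the slide's attack."""
    total = ICMP_HEADER_LEN + data_octets
    frags, pos = [], 0
    while pos < total:
        n = min(mtu_payload, total - pos)
        frags.append(Fragment(offset=pos // 8, more_fragments=pos + n < total, payload_len=n))
        pos += n
    return frags


if __name__ == "__main__":
    print("normal ping:", reassembled_size(echo_request_fragments(56)), "octets")
    print("ping of death oversized:", is_oversized(echo_request_fragments(65510)))
```

Every fragment of the 65,510-octet request is individually well-formed; only the last one (offset 8140, 398 octets) pushes the total to 65,538, which is why the check has to run per fragment against the running total rather than on any single packet.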
SMURF
• Attacker sends an ICMP echo request to the broadcast address of an intermediary network
• Attacker also spoofs the source address in the request to be the victim's address
• Every host on the intermediary network answers the victim, multiplying the attacker's traffic: Attacker → Intermediary → Victim
UDP (User Datagram Protocol)
• Delivers from one application to another
– multiple destinations on one host
• Port: positive integer identifying a unique destination
• Datagram layout:
SOURCE PORT | DESTINATION PORT
LENGTH | CHECKSUM (optional)
DATA
Attacks on UDP• Fraggle
• Trinoo
Fraggle (similar to smurf)
• UDP port 7 is used for the echo service
• An attacker creates a stream of user datagrams with a random source port and a spoofed source address (the victim's host)
• Destination port is 7 and the destination address is a broadcast address at some intermediate site
• The attack gets worse if the source port is also 7: the victim's own echo service answers every reply, so the two echo services keep bouncing datagrams between them
• Can be prevented by filtering out UDP echo requests destined for broadcast addresses
• Fraggle attack, two variants:
– Stream of UDP datagrams: spoofed source = victim's host, random source port, destination = broadcast address, destination port = 7
– Stream of UDP datagrams: spoofed source = victim's host, source port = 7, destination = broadcast address, destination port = 7
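The filter rule from the smurf and fraggle slides, as an added example rather than code from the lecture: parse the IPv4 header laid out earlier, look at the ICMP type or UDP ports beneath it, and drop echo requests whose destination is a broadcast address. The packets, the 192.168.48.0/24 amplifier network (chosen to match the slide's 192.168.48.6 example) and the zeroed checksums are constructed for the demo.

```python
"""Drop ICMP and UDP echo requests aimed at a broadcast address.

Added example, not from the original slides. Packets are built inline with
zero checksums; a real filter sits on the router facing the amplifier network.
"""
import ipaddress
import struct

PROTO_ICMP = 1
PROTO_UDP = 17
ICMP_ECHO_REQUEST = 8
UDP_ECHO_PORT = 7
IPV4_HDR = "!BBHHHBBH4s4s"   # the fixed 20-octet header from the IP Protocol slide


def parse_ipv4(pkt):
    """Return the fixed-header fields plus the transport payload."""
    (vers_hlen, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    hlen = (vers_hlen & 0x0F) * 4
    return {"version": vers_hlen >> 4, "hlen": hlen, "total_len": total_len,
            "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[hlen:total_len]}


def is_broadcast(addr, nets):
    """Limited broadcast or the directed broadcast of any subnet behind this filter."""
    a = ipaddress.IPv4Address(addr)
    return a == ipaddress.IPv4Address("255.255.255.255") or any(a == n.broadcast_address for n in nets)


def is_echo_request(ip):
    """Classify the transport payload: (is_echo, label)."""
    p = ip["payload"]
    if ip["proto"] == PROTO_ICMP and len(p) >= 8:
        return p[0] == ICMP_ECHO_REQUEST, "icmp-echo"
    if ip["proto"] == PROTO_UDP and len(p) >= 8:
        sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", p[:8])
        if dport == UDP_ECHO_PORT:
            # source port 7 as well: the victim's echo service would answer each reply
            return True, "udp-echo-loop" if sport == UDP_ECHO_PORT else "udp-echo"
    return False, ""


def should_drop(pkt, local_nets):
    """Filter decision: (drop, reason)."""
    ip = parse_ipv4(pkt)
    echo, label = is_echo_request(ip)
    if echo and is_broadcast(ip["dst"], local_nets):
        return True, f"{label} from {ip['src']} to broadcast {ip['dst']}"
    return False, ""


# --- constructed packets for the demo (checksums left zero) ---
def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def icmp_echo(ident=1, seq=1, data=b"ping"):
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + data


def udp(sport, dport, data=b"x"):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


LOCAL_NETS = [ipaddress.IPv4Network("192.168.48.0/24")]   # assumed amplifier network

if __name__ == "__main__":
    for name, pkt in [("smurf", build_ipv4("10.0.0.5", "192.168.48.255", PROTO_ICMP, icmp_echo())),
                      ("fraggle", build_ipv4("10.0.0.5", "192.168.48.255", PROTO_UDP, udp(40000, 7))),
                      ("fraggle sport=7", build_ipv4("10.0.0.5", "192.168.48.255", PROTO_UDP, udp(7, 7))),
                      ("normal ping", build_ipv4("10.0.0.5", "192.168.48.6", PROTO_ICMP, icmp_echo()))]:
        print(f"{name:16} drop={should_drop(pkt, LOCAL_NETS)}")
```

The rule deliberately keys on the destination being a broadcast address rather than on the spoofed source: the source is whatever the attacker chose, while the broadcast destination is what makes the intermediary an amplifier.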
Trinoo
• Distributed denial of service
• In smurf and fraggle, the traffic comes from a single intermediary (one broadcast network)
• Trinoo allows the attacker to flood the victim from hundreds of intermediate sites simultaneously
• Two programs:
– master and
– daemon
• installed in many different stolen (compromised) accounts
• Trinoo attack: attacker → masters → daemons → large number of UDP packets to random ports on the victim
TCP
• Reliable delivery
• TCP messages (segments) are sent inside IP datagrams
• Segment header layout, 32 bits per row:
SOURCE PORT | DESTINATION PORT
SEQUENCE NUMBER
ACKNOWLEDGMENT NUMBER
HLEN | RESV | CODE BITS | WINDOW
CHECKSUM | URGENT POINTER
OPTIONS (IF ANY) | PADDING
DATA
TCP Overview
• TCP segments are sent inside IP datagrams
• TCP divides a stream of data into chunks that fit in IP datagrams
• It ensures that each segment arrives at its destination
• It then reassembles the segments, in order, to produce the original stream
TCP Overview (cont.)
• TCP uses an acknowledgment-and-retransmission scheme
• The TCP sending software keeps a record of each segment and waits for an acknowledgment
– If no acknowledgment is received during the timeout interval, the segment is retransmitted
TCP communication
• Establishing a TCP connection using a 3-way handshake (Host A and Host B):
– Message 1, A → B: SYN + SEQ
– Message 2, B → A: SYN + SEQ + ACK
– Message 3, A → B: ACK
• Closing a TCP connection (one way, A to B):
– Message 1, A → B: FIN + SEQ
– Message 2, B → A: ACK
Attacks on TCP
• SYN Flood
– The half-open connection table fills with SYNs whose handshake is never completed, so legitimate SYNs are refused
• LAND
– Spoofed source address = destination address
– Source port = destination port
– Certain implementations freeze
• TRIBE Flood Network (TFN)
– Similar to trinoo but supports more than one attack
– UDP flood, smurf, SYN floods, and others
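The handshake from the TCP communication slide and the SYN flood and LAND entries above, modelled from the server's side as an added example (not code from the lecture): a listener keeps the half-open table the slide refers to, spoofed SYNs that never send Message 3 fill it until they time out, and a LAND check rejects a SYN whose source equals its own destination before it touches that table. The table size, the 75-second timeout and the addresses are assumptions for the demo.

```python
"""Server-side model of the 3-way handshake with a bounded half-open table.

Added example, not from the original slides. Shows why a SYN flood works
(each unanswered SYN holds a slot until it times out) and the LAND sanity
check a robust stack applies first. Initial sequence numbers come from
os.urandom rather than a predictable counter.
"""
import os
from dataclasses import dataclass

HALF_OPEN_LIMIT = 128      # backlog size, assumed for the model
HALF_OPEN_TIMEOUT = 75.0   # seconds an unanswered SYN is kept, assumed for the model
MASK32 = 0xFFFFFFFF


@dataclass
class HalfOpen:
    client_isn: int
    server_isn: int
    created: float


class TcpListener:
    def __init__(self, addr, port, limit=HALF_OPEN_LIMIT):
        self.addr, self.port, self.limit = addr, port, limit
        self.half_open = {}        # (src, sport) -> HalfOpen, filled by Message 1
        self.established = set()   # completed by Message 3
        self.dropped_syns = 0
        self.land_rejected = 0

    @staticmethod
    def _isn():
        return int.from_bytes(os.urandom(4), "big")

    def expire(self, now):
        """Free slots whose SYN+ACK was never acknowledged within the timeout."""
        stale = [k for k, v in self.half_open.items() if now - v.created > HALF_OPEN_TIMEOUT]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def on_syn(self, src, sport, seq, now):
        """Message 1. Returns the (SEQ, ACK) of the SYN+ACK to send, or None if dropped."""
        if src == self.addr and sport == self.port:
            self.land_rejected += 1    # LAND: claims to come from this socket, to this socket
            return None
        self.expire(now)
        key = (src, sport)
        if key not in self.half_open and len(self.half_open) >= self.limit:
            self.dropped_syns += 1     # table full: the client never sees a SYN+ACK
            return None
        isn = self._isn()
        self.half_open[key] = HalfOpen(client_isn=seq, server_isn=isn, created=now)
        return isn, (seq + 1) & MASK32

    def on_ack(self, src, sport, ack, now):
        """Message 3. Completes only if ACK matches the SYN+ACK we actually sent."""
        entry = self.half_open.get((src, sport))
        if entry is None or ack != (entry.server_isn + 1) & MASK32:
            return False
        del self.half_open[(src, sport)]
        self.established.add((src, sport))
        return True


def complete_handshake(srv, src, sport, client_isn, now):
    """Run all three messages for one well-behaved client."""
    synack = srv.on_syn(src, sport, client_isn, now)
    if synack is None:
        return False
    server_isn, _ack = synack
    return srv.on_ack(src, sport, (server_isn + 1) & MASK32, now)


def simulate_syn_flood(n_spoofed=500, limit=HALF_OPEN_LIMIT):
    """Spoofed SYNs that never ACK fill the table; a real client is refused
    until those entries time out."""
    srv = TcpListener("192.168.48.6", 80, limit)
    for i in range(n_spoofed):
        # unreachable spoofed sources: the SYN+ACKs go nowhere, no Message 3 arrives
        srv.on_syn(f"10.{(i >> 8) & 255}.{i & 255}.1", 40000 + i, seq=i, now=0.0)
    backlog = len(srv.half_open)
    during = srv.on_syn("172.16.0.9", 51515, seq=1000, now=1.0)
    after = srv.on_syn("172.16.0.9", 51515, seq=1000, now=HALF_OPEN_TIMEOUT + 2.0)
    return {"half_open": backlog, "dropped": srv.dropped_syns,
            "real_client_during_flood": during is not None,
            "real_client_after_timeout": after is not None}


if __name__ == "__main__":
    print(simulate_syn_flood())
```

The flood never needs the attacker to receive anything: the spoofed SYN+ACKs are discarded somewhere else, and the cost lands entirely on the victim's half-open table for the full timeout.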
Probes and Scans
• Ping scan and traceroute
– Which machines exist on a given network and how they are arranged
• Remote OS fingerprinting
– Which OS each detected host is running
– Different OSes respond to invalid packets differently
– Example: a FIN sent to a port with no open connection
Probes and Scans (cont.)
• Port scanning: which ports are open? (port scanner)
• Open a TCP connection and close it immediately (connect scan)
• Use half-open connections (SYN scan: send SYN, record the SYN+ACK, never send the final ACK)
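The first scanning technique on the slide, a connect scan, as an added example that is not code from the lecture. It opens a full TCP connection to each port, classifies the outcome, and closes immediately; a half-open (SYN) scan needs raw sockets and is not shown. To run offline it starts its own listener on 127.0.0.1, so the target host, the port list and the timeouts are assumptions for the demo.

```python
"""Connect-style port scan: open a TCP connection, note the result, close it.

Added example, not from the original slides. A local listener on 127.0.0.1
is started so the demo runs offline; only scan hosts you are authorised to probe.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_listener(host="127.0.0.1"):
    """Bind an ephemeral port and accept-then-close in the background.
    Returns (port, stop_fn); stop_fn shuts the listener down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(16)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)                # wake up regularly to notice stop()
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def probe(host, port, timeout=0.5):
    """Full three-way handshake via connect(): 'open' if it completes,
    'closed' when the host answers with RST (connection refused),
    'filtered' when nothing comes back before the timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()                          # close immediately, as the slide says


def scan(host, ports, workers=32):
    """Probe many ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        return dict(ex.map(lambda p: (p, probe(host, p)), ports))


def open_ports(host, ports):
    return sorted(p for p, st in scan(host, ports).items() if st == "open")


if __name__ == "__main__":
    port, stop = start_listener()
    try:
        print(f"listener on 127.0.0.1:{port}")
        print(scan("127.0.0.1", range(port - 2, port + 3)))
    finally:
        stop()
```

A connect scan is the loudest technique: each probe completes the handshake, so the target's application logs see a connection on every open port, which is exactly what the half-open variant on the slide avoids.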