Professional Documents
Culture Documents
426 Fall10 Lect33
426 Fall10 Lect33
CS 426
Lecture 33
CS426
Fall 2010/Lecture 33
Application
Application protocol
TCP protocol
Transport
Application
Transport
Network
IP protocol
IP
IP protocol
Network
Link
Dat
a
Link
Network
Access
Dat
a
Link
Link
CS426
Fall 2010/Lecture 33
Fall 2010/Lecture 33
CS426
Fall 2010/Lecture 33
Threats in Networking
Confidentiality
Packet sniffing
Integrity
Session hijacking
Availability
Denial of service attacks
Common
Address translation poisoning attacks
Routing attacks
CS426
Fall 2010/Lecture 33
Open access
Vulnerable to DoS attacks
CS426
Fall 2010/Lecture 33
CS426
Fall 2010/Lecture 33
http://www.netrino.com/Embedded-Systems/How-To/ARP-RARP
CS426
Fall 2010/Lecture 33
Defenses
static ARP table
DHCP snooping (use access control to ensure that hosts only use
the IP addresses assigned to them, and that only authorized DHCP
servers are accessible).
detection: Arpwatch (sending email when updates occur),
Legitimate use
redirect a user to a registration page before allow usage of the
network
CS426
Fall 2010/Lecture 33
IP
Internet Protocol
Version
Connectionless
Unreliable
Best effort
Flags
Fragment Offset
Time to Live
Protocol
Header Checksum
Transfer datagram
Header
Data
Header Length
Type of Service
Total Length
Identification
CS426
Fall 2010/Lecture 33
10
IP Routing
Meg
Packet
121.42.33.12
Office gateway
Source 121.42.33.12
132.14.11.51
Destination
5
Sequence
132.14.11.1
ISP
Tom
132.14.11.51
121.42.33.1
Internet routing uses numeric IP address
Typical route uses several hops
CS426
Fall 2010/Lecture 33
11
Packet Sniffing
Promiscuous Network Interface Card reads all
packets
Read all unencrypted data (e.g., ngrep)
ftp, telnet send passwords in clear!
Eve
Alice
Network
Network
Prevention: Encryption
CS426
Bob
(IPSEC, TLS)
Fall 2010/Lecture 33
12
Minimal guarantees
No acknowledgment
No flow control
No message continuation
CS426
Fall 2010/Lecture 33
13
Receiver
Acknowledge receipt; lost packets are resent
Reassemble packets in correct order
Book
Reassemble book
1
19
5
1
CS426
Fall 2010/Lecture 33
1
14
CS426
Fall 2010/Lecture 33
15
TCP Handshake
C
S
SYN
(seq=x)
Listening
Store data
ACK (ack=y+1,seq=x+1)
CS426
Fall 2010/Lecture 33
Wait
Connected
16
CS426
Fall 2010/Lecture 33
17
Server A
E impersonates B to A
E
Fall 2010/Lecture 33
18
CS426
Fall 2010/Lecture 33
19
Fall 2010/Lecture 33
20
Categories of Denial-of-service
Attacks
Stopping services
Locally
Process killing
Spawning processes
to fill the process table
Process crashing
System reconfiguration Filling up the whole
file system
Saturate comm
bandwidth
Malformed packets to
Remotely crash buggy services
CS426
Exhausting resources
Fall 2010/Lecture 33
Packet floods
(Smurf, SYN flood,
DDoS, etc)
21
SYN Flooding
C
S
SYNC1
SYNC2
SYNC3
Listening
Store data
SYNC4
SYNC5
CS426
Fall 2010/Lecture 33
22
SYN Flooding
Attacker sends many connection requests
Spoofed source addresses
CS426
Fall 2010/Lecture 33
23
gateway
DoS
Target
Fall 2010/Lecture 33
24
CS426
Destination unreachable
Time-to-live exceeded
Parameter problem
Redirect to better gateway
Echo/echo reply - reachability test
Timestamp request/reply - measure transit delay
Fall 2010/Lecture 33
25
CS426
Fall 2010/Lecture 33
26
CS426
Fall 2010/Lecture 33
27
CS426
Fall 2010/Lecture 33
28
CS426
Fall 2010/Lecture 33
29
Coming Attractions
DNS Security
CS426
Fall 2010/Lecture 33
30