Data Link Layer Security - PowerPoint PPT Presentation

Title: Lecture02. Subject: NETE4630. Author: S. Kungpisdan. Last modified by: Supakorn Kungpisdan. Document presentation format: On-screen Show (4:3).

Slides: 66

1
Data Link Layer Security / Network Layer Security
  • Lecture 3
  • Asst. Prof. Supakorn Kungpisdan, Ph.D.
  • supakorn@mut.ac.th

2
Roadmap
  • Data-link Layer Security
  • Network Layer Security

3
Task: MAC Address Spoofing
  • What is MAC address spoofing?
  • What is its purpose?
  • Suggest a way to perform an attack using MAC
    spoofing
  • Explain how it works
  • Suggest how to prevent MAC Address Spoofing

4
Passive Sniffing
  • Monitors incoming packets
  • Relies on a feature of network cards called
    promiscuous mode
  • In promiscuous mode the card passes all packets it
    sees to the operating system, rather than just
    those unicast or broadcast to the host
  • It only listens to incoming packets and does not
    transmit any packets
  • Does not work well in a switched network
  • The attacker can sniff traffic within his/her own
    VLAN

5
Active Sniffing
  • Inject packets into the network that cause
    traffic which would not normally reach your
    system to be sent to your system
  • Active wireless sniffing involves sending out
    multiple network probes to identify APs

6
ARP Poisoning
  • Active or passive sniffing?

7
ARP Poisoning (cont.)
  • By spoofing the default gateway's IP address, all
    hosts on the subnet will route through the
    attacker's machine
  • Need to poison the ARP cache of every host on the
    subnet
  • Better if targeting a single host on the network
  • Should not spoof the IP of another client. Why?
  • To perform ARP poisoning:
    arp -s <victim IP> <our MAC address> pub

8
ARP Flooding
  • a.k.a. CAM (Content Addressable Memory) Table
    Overflow
  • The CAM table stores the MAC addresses seen on
    each physical port and their associated VLAN
    parameters
  • CAM is ordinary memory of limited size
  • Flood the switch with a huge number of ARP
    requests
  • The switch becomes too busy to enforce its port
    security and broadcasts all traffic to every port
    in the network
  • This makes a MITM attack possible: the attacker
    can start sniffing network traffic

9
DHCP
10
DHCP Starvation Attack
  • Consuming the IP address space allocated by a
    DHCP server
  • Attacker broadcasts a large number of DHCP
    requests using spoofed MAC addresses
  • The DHCP server will lease its IP addresses one
    by one to the attacker until it runs out of
    available IPs for new, normal clients
  • Leads to DoS

11
Rogue DHCP Server
  • Set up a rogue DHCP server that serves clients
    with false details
  • E.g. giving them its own IP as the default router
  • Results in all the traffic passing through the
    attacker's computer
  • A rogue DHCP server can be set up even without a
    DHCP starvation attack, since clients accept the
    first DHCPOFFER they receive

12
Preventing DHCP Attacks
  • Port security: do not allow more than X MAC
    addresses on one port
  • Rogue DHCP is more difficult to prevent
  • Authentication for DHCP messages (RFC 3118)
  • DHCP snooping filters DHCP messages from
    non-trusted hosts
  • It maintains a database of trusted and untrusted
    interfaces

13
DHCP Snooping
  • An untrusted interface: an interface configured to
    receive messages from outside the network or
    firewall
  • A trusted interface: an interface configured to
    receive only messages from within the network
  • An untrusted message is a message that is
    received from outside the network or firewall and
    that can cause traffic attacks within your
    network

14
DHCP Snooping (cont.)
  • DHCP snooping acts like a firewall between
    untrusted hosts and DHCP servers.
  • DHCP snooping filters untrusted DHCP messages by
    building and maintaining a DHCP snooping binding
    table
  • The DHCP snooping binding table contains the
    • MAC address,
    • IP address,
    • lease time,
    • binding type,
    • VLAN number, and
    • interface information
    that correspond to the local untrusted
    interfaces of a switch

15
DHCP Snooping (cont.)
  • If a DHCPOFFER arrives on an untrusted
    interface, the switch shuts down the port
  • The switch trusts the interface to which the
    authorized DHCP server is connected (trusted
    interface)

16
Enabling DHCP Snooping
(figure) Interface GigabitEthernet 5/1 is trusted;
interface GigabitEthernet 2/1 is untrusted
17
Dynamic ARP Inspection (DAI)
  • DAI validates ARP packets in a network based on
    the IP-to-MAC address bindings stored in a trusted
    database, the DHCP snooping binding database
  • DAI checks the IP-to-MAC binding against the DHCP
    snooping DB
  • It intercepts, logs, and discards ARP packets with
    invalid IP-to-MAC address bindings
  • It checks only inbound packets

18
How DAI Works
  • The switch performs these activities:
  • Intercepts all ARP requests and responses on
    untrusted ports
  • Verifies that each of these intercepted packets
    has a valid IP-to-MAC address binding before
    updating the local ARP cache or before forwarding
    the packet to the appropriate destination
  • Drops invalid packets

19
DAI (cont.)
http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=8
20
DAI in Action
21
DAI in DHCP Environment
  • DAI relies on the entries in the DHCP snooping
    binding database to verify IP-to-MAC address
    bindings.
  • Configure each secure interface as trusted using
    the ip arp inspection trust interface
    configuration command.
  • The trusted interfaces bypass the ARP inspection
    validation checks, and all other packets are
    subject to inspection when they arrive on
    untrusted interfaces.
  • Switch(config)# interface GigabitEthernet1/0/1
    Switch(config-if)# ip arp inspection trust
  • Switch(config)# ip arp inspection vlan 5-10

22
DAI in non-DHCP Environment
  • DAI relies on user-configured ARP access control
    lists (ACLs) for hosts with statically configured
    IP addresses
  • Switch(config)# arp access-list arpacl
  • Switch(config-arp-acl)# permit ip host 10.1.1.11
    mac host 0011.0011.0011
  • Switch(config-arp-acl)# exit
  • Switch(config)# ip arp inspection filter arpacl
    vlan 5
  • Switch(config)# interface GigabitEthernet1/0/2
    Switch(config-if)# no ip arp inspection trust
  • If the ARP packet is received on a trusted
    interface, the switch forwards the packet without
    any checks

23
DAI Steps
  • By default, all interfaces are untrusted
  • The switch does not check ARP packets that it
    receives from the other switch on a trusted
    interface
  • For untrusted interfaces:
    • the switch intercepts all ARP requests and
      responses
    • it verifies that the intercepted packets have
      valid IP-to-MAC address bindings
    • first it checks the ARP access control list
    • if there is no such ACL, it checks the DHCP
      snooping database

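The slides above describe DHCP snooping and DAI as two cooperating checks on the switch. As an added example (written for this page, not the lecture's or Cisco's code), the following model implements that decision order: trusted interfaces bypass inspection, the ARP ACL is consulted first, and the DHCP snooping binding table second. Interface names, VLAN and addresses are constructed; the ARP ACL entry reuses the slide's 10.1.1.11 / 0011.0011.0011.

```python
# Added example: a simplified model of the DHCP snooping + DAI checks on these
# slides, written for this page; it is not the lecture's or Cisco's code.
# Interface names, VLANs and addresses are constructed for the demo.
from dataclasses import dataclass, field

@dataclass
class Switch:
    trusted: set = field(default_factory=set)        # "ip arp inspection trust" ports
    bindings: dict = field(default_factory=dict)     # snooping table: ip -> (mac, vlan, port)
    arp_acl: dict = field(default_factory=dict)      # static "arp access-list": ip -> mac
    client_port: dict = field(default_factory=dict)  # mac -> port, learned from client msgs
    log: list = field(default_factory=list)

    def dhcp_snoop(self, port, vlan, msg, client_mac, yiaddr=None):
        """DHCP snooping: server replies (OFFER/ACK) are accepted only from
        trusted ports; an accepted ACK adds a row to the binding table."""
        if msg in ("OFFER", "ACK"):
            if port not in self.trusted:
                self.log.append(f"dhcp: {msg} on untrusted {port} dropped (rogue server?)")
                return False
            if msg == "ACK":   # bind the leased IP to the client's MAC/VLAN/port
                self.bindings[yiaddr] = (client_mac, vlan, self.client_port.get(client_mac))
        else:                  # DISCOVER/REQUEST: remember which port the client is on
            self.client_port[client_mac] = port
        return True

    def dai_check(self, port, vlan, sender_ip, sender_mac):
        """DAI on ingress: trusted port -> forward unchecked; otherwise consult
        the ARP ACL first and, if it has no entry, the binding table."""
        if port in self.trusted:
            return True
        if sender_ip in self.arp_acl:
            ok = self.arp_acl[sender_ip] == sender_mac
        else:
            b = self.bindings.get(sender_ip)
            ok = b is not None and b[0] == sender_mac and b[1] == vlan
        if not ok:
            self.log.append(f"dai: ARP {sender_ip} is-at {sender_mac} on {port} dropped")
        return ok

def demo():
    """Constructed scenario: real DHCP server on Gi5/1 (trusted), hosts on Gi2/x."""
    sw = Switch(trusted={"Gi5/1"}, arp_acl={"10.1.1.11": "0011.0011.0011"})
    sw.dhcp_snoop("Gi2/1", 5, "DISCOVER", "aaaa.aaaa.aaaa")           # client asks
    sw.dhcp_snoop("Gi5/1", 5, "ACK", "aaaa.aaaa.aaaa", "10.1.1.20")    # lease learned
    rogue = sw.dhcp_snoop("Gi2/2", 5, "OFFER", "aaaa.aaaa.aaaa")       # rogue server
    legit = sw.dai_check("Gi2/1", 5, "10.1.1.20", "aaaa.aaaa.aaaa")   # matches binding
    spoof = sw.dai_check("Gi2/2", 5, "10.1.1.1", "bbbb.bbbb.bbbb")    # gateway IP, no binding
    static = sw.dai_check("Gi2/3", 5, "10.1.1.11", "0011.0011.0011")  # ARP ACL entry
    return rogue, legit, spoof, static, sw.log

if __name__ == "__main__":
    print(*demo()[4], sep="\n")
```
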
24
Routing Games
  • One method to ensure that all traffic on a
    network will pass through your host is to change
    the routing table of the host you wish to monitor
  • Send a fake route advertisement via RIP,
    declaring yourself as the default gateway
  • All outbound traffic will pass through your host
    and then go to the real default gateway
  • But you may not receive the returned traffic
    unless you can modify the default gateway's
    routing table

25
Network Layer Security
  • Supakorn Kungpisdan, Ph.D.
  • supakorn@mut.ac.th

26
Overview
(figure: IP packet format, showing the IP header length and IP identification (IPID) fields)
27
Overview
  • IP, ICMP, and Routing protocols
  • IP is connectionless and subject to DoS
  • ICMP can be used by attackers
  • Routing protocols are subject to stack attacks

28
IP Attacks
  • Spoofing
  • Fragmentation
  • Passive and Active Fingerprinting
  • Port Scanning
  • Redirection

29
IP Spoofing
  • Local Spoofing
    • Attacker and victim are on the same subnet
    • Attacker begins by sniffing traffic to find the
      key pieces of information needed to launch an
      attack
    • Session hijacking is another spoofing technique.
      The attack starts at the transport layer
  • Blind Spoofing
    • Attacker is not on the same local subnet as the
      victim
    • Many pieces of information needed to be
      successful are not available. The key parameters
      must be guessed
    • Most modern OSes use fairly random sequence
      numbers, making the attack difficult to launch

30
Fragmentation
  • Fragmentation is required when transmitting
    packets to different networks that have different
    MTUs
  • The idea is to send different data streams to
    each device

31
IP Fragmentation
(figure) Fragmentation is required when transmitting packets to different networks that have different MTUs
32
Evasion Attack
  • An evasion attack sends packets to an IDS and a
    target such that they are rejected by the IDS but
    accepted by the target. The IDS drops them and
    does not check the packet payload
  • An attacker sends the first fragment to an IDS
    that has a fragmentation timeout of 15 s, while
    the target system has a timeout of 30 s
  • The attacker waits more than 15 s but less than
    30 s before sending the 2nd fragment
  • The IDS discards the second fragment (and the
    first) because its timeout has expired
  • However, the target system accepts the second
    fragment (within its timeout)
  • Thus, the IDS will not record this attack

(figure: fragments 1 and 2 as seen by the IDS with a 15 s timeout and by the target with a 30 s timeout)
33
Fragmentation Attacks
  • Overlapping fragments can offer an attacker a
    means of slipping packets past an IDS and
    firewall
  • Sending a packet through a Cisco router to a
    Windows-based system
  • If a duplicate fragment is received:
    • the Cisco router prefers the last fragment,
      whereas
    • Windows prefers the original fragment

34
Fragmentation Attacks (cont.)
Same size, same offset
35
Fragmentation Attacks (cont.)
  • An attacker breaks a message into 3 fragments
  • He sends fragments 1 and 2 to both the router and
    Windows. Both accept the fragments
  • He then sends fragments 2 and 3. The retransmitted
    fragment 2 has the same size and offset as the
    original fragment but a different payload
  • Windows keeps the original fragment 2 but the
    router keeps the retransmitted one

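Both evasion cases on slides 32 to 35 come down to two reassembly parameters, the timeout and the overlap policy. This added example (not the lecture's code) models the IDS and the target as two reassemblers that differ only in those parameters; fragment payloads and IP IDs are constructed.

```python
# Added example, not the lecture's code: a toy IPv4 fragment reassembler with
# the two knobs these slides exploit, the reassembly timeout and the overlap
# policy. Fragment payloads and IP IDs below are constructed.
class Reassembler:
    def __init__(self, timeout, overlap="first"):
        self.timeout = timeout   # seconds a partial datagram is kept
        self.overlap = overlap   # "first": keep the original copy (Windows-style)
                                 # "last":  keep the retransmission (Cisco-style)
        self.pending = {}        # ipid -> [first-arrival time, {offset: (data, more)}]

    def receive(self, ipid, offset, data, more, now):
        """Feed one fragment arriving at time `now`. Returns the reassembled
        payload when the datagram is complete, otherwise None."""
        entry = self.pending.get(ipid)
        if entry and now - entry[0] > self.timeout:
            del self.pending[ipid]               # timed out: earlier fragments forgotten
            entry = None
        if entry is None:
            entry = self.pending[ipid] = [now, {}]
        parts = entry[1]
        if offset not in parts or self.overlap == "last":
            parts[offset] = (data, more)         # new offset, or retransmission wins
        pos, payload, last_more = 0, b"", True
        for off in sorted(parts):                # complete only if contiguous from 0
            if off != pos:
                return None
            chunk, last_more = parts[off]
            payload, pos = payload + chunk, pos + len(chunk)
        if last_more:                            # still waiting for the final fragment
            return None
        del self.pending[ipid]
        return payload

def timeout_evasion():
    """Slide 32: IDS timeout 15 s, target timeout 30 s, 2nd fragment at t=20 s."""
    ids, target = Reassembler(timeout=15), Reassembler(timeout=30)
    seen = []
    for box in (ids, target):
        box.receive(ipid=7, offset=0, data=b"first", more=True, now=0)
        seen.append(box.receive(ipid=7, offset=5, data=b"second", more=False, now=20))
    return seen            # IDS sees nothing, target gets b"firstsecond"

def overlap_evasion():
    """Slides 33-35: fragments 1,2 then 2',3; 2' has 2's size and offset."""
    router, windows = Reassembler(60, overlap="last"), Reassembler(60, overlap="first")
    seen = []
    for box in (router, windows):
        box.receive(8, 0, b"AAAA", True, now=0)
        box.receive(8, 4, b"BBBB", True, now=0)       # original fragment 2
        box.receive(8, 4, b"bbbb", True, now=1)       # retransmitted fragment 2'
        seen.append(box.receive(8, 8, b"CC", False, now=1))
    return seen            # router: b"AAAAbbbbCC", Windows: b"AAAABBBBCC"
```

The defensive takeaway is target-based reassembly: the IDS must mirror the timeout and overlap policy of the hosts it protects, otherwise it inspects a different payload than the host receives.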
36
Teardrop Attack
  • Teardrop, targa, NewTear, Nestea, Bonk, Boink,
    TearDrop2, and SynDrop are some of the tools that
    can crash machines that have a vulnerability in
    the IP stack
  • There is a fragmentation bug in the IP stack
    implementation of some old Linux kernels (2.0),
    Windows NT, and Windows 95
  • Sends malformed packets with the fragmentation
    offset value tweaked so that the received
    fragments overlap
  • A reboot solved the problem until the next attack

37
Fingerprinting
  • Fingerprinting is the act of using peculiarities
    of IP, TCP, UDP, and ICMP to determine the
    operating system
  • Active vs. passive fingerprinting
  • Active fingerprinting sends malformed (or
    non-RFC-compliant) packets to the target.
    Different OSes respond to these packets
    differently
  • Nmap

38
Passive Fingerprinting
  • Passive fingerprinting uses a similar concept,
    but without injecting traffic into the network
  • Looks at 4 fields:
    • TTL value
    • Don't Fragment bit (DF)
    • Type of Service (TOS)
    • Window size
  • TTL, DF, and TOS are found in the IP header
  • Window size is found in the TCP header

39
Passive Fingerprinting TTL
  • A packet has its TTL reduced each time it is
    passed through a router or when it remains in a
    router's queue too long
  • There is no requirement on what the initial TTL
    value should be
  • The attacker may assume that the value observed
    is less than the original value (no more than 255)

40
Passive Fingerprinting DF and TOS
  • The DF flag is the primary mechanism systems use
    for PMTUD (Path MTU Discovery)
  • Many older OSes don't use this feature
  • TOS can be analyzed to determine the OS
  • Even though it is rarely used on the internet,
    some developers will set it to a value other
    than zero to prevent this fingerprinting

41
PMTUD
  • Path MTU discovery (PMTUD) is a technique in
    computer networking for determining the MTU size
    on the network path between two hosts, usually
    with the goal of avoiding IP fragmentation
  • Path MTU discovery works by setting the DF (Don't
    Fragment) bit in the IP headers of outgoing
    packets
  • Any device along the path whose MTU is smaller
    than the packet will drop it and send back an
    ICMP Type 3 Code 4 "Destination Unreachable
    (Fragmentation Needed and DF was set)" message
  • The ICMP Type 3 Code 4 message contains that
    device's MTU, allowing the source host to reduce
    its assumed path MTU appropriately
  • The process repeats until the MTU is small enough
    to traverse the entire path without
    fragmentation

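To show the PMTUD loop from the slide end to end, here is an added simulation (not from the lecture). The hop MTUs are constructed, and the plateau table used when a router leaves the next-hop MTU field at 0 is the one from RFC 1191.

```python
# Added example, not from the lecture: a simulation of the PMTUD loop the
# slide describes. Hop MTUs are constructed; PLATEAUS is the RFC 1191 table a
# host falls back on when a router reports a next-hop MTU of 0.
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)

def send_df(path_mtus, size, routers_report_mtu=True):
    """Send a DF-set packet of `size` bytes along the path. Returns None if it
    fits every link, else the ICMP Type 3 Code 4 next-hop-MTU field from the
    first router that had to drop it (0 from an old router that leaves it blank)."""
    for mtu in path_mtus:
        if size > mtu:
            return mtu if routers_report_mtu else 0
    return None

def path_mtu_discovery(path_mtus, start=1500, routers_report_mtu=True, max_rounds=20):
    """Return (path MTU finally used, list of ICMP 3/4 next-hop MTUs received)."""
    pmtu, received = start, []
    for _ in range(max_rounds):               # bounded so a misbehaving path cannot spin
        nexthop = send_df(path_mtus, pmtu, routers_report_mtu)
        if nexthop is None:
            return pmtu, received             # packet got through: done
        received.append(nexthop)
        if nexthop == 0:                      # no MTU in message: step down a plateau
            lower = [p for p in PLATEAUS if p < pmtu]
            if not lower:
                break
            pmtu = lower[0]
        elif 68 <= nexthop < pmtu:            # plausible value: adopt it
            pmtu = nexthop
        else:                                 # bogus (not smaller, or below IPv4 min): ignore
            break
    return pmtu, received

def demo():
    """Constructed path: Ethernet, a PPPoE-sized link (1492), then a 1006-byte link."""
    path = (1500, 1492, 1006, 1500)
    return path_mtu_discovery(path), path_mtu_discovery(path, routers_report_mtu=False)
```
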
42
PMTUD (cont.)
43
Passive Fingerprinting Window Size
  • TCP Window specifies the amount of data that can
    be sent without having to receive an
    acknowledgement
  • Window size should either be as close as possible
    to the MTU or should be some multiple of this
    value
  • Linux 2.0 used a value of 16,384, while version 3
    of FreeBSD used a value of 17,520
  • The most up-to-date passive fingerprinting tool
    is p0f

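As an added example (not the lecture's code and not p0f), the following combines the four fields from slides 38 to 43 into a minimal passive fingerprint: it infers the initial TTL and hop count, looks up the slide's window values, and otherwise reports the window as a multiple of a common MSS. The signature table and sample packets are constructed; the initial TTL list is the set of commonly cited defaults.

```python
# Added example, not from the lecture and not p0f: a minimal passive
# fingerprint over the four fields the slides name. The window values come
# from the slide (Linux 2.0: 16,384; FreeBSD 3: 17,520); the initial TTL list
# holds the commonly cited defaults and is an assumption of this example.
INITIAL_TTLS = (32, 64, 128, 255)

SIGNATURES = {                               # (initial TTL, DF set, window) -> guess
    (64, False, 16384): "Linux 2.0",
    (64, True, 17520): "FreeBSD 3.x",
}

def guess_initial_ttl(observed_ttl):
    """Routers only decrement TTL, so the sender started at the smallest common
    default that is at least the observed value (never more than 255)."""
    for ttl in INITIAL_TTLS:
        if observed_ttl <= ttl:
            return ttl
    return 255

def fingerprint(ttl, df, tos, window):
    """Return (OS guess or None, estimated hop count, note on TOS)."""
    initial = guess_initial_ttl(ttl)
    hops = initial - ttl
    guess = SIGNATURES.get((initial, df, window))
    if guess is None:
        # slide 43: the window is often a multiple of the MSS; report that instead
        for mss in (1460, 1440, 536):
            if window % mss == 0:
                guess = f"unknown OS, window = {window // mss} x MSS {mss}"
                break
    note = "TOS nonzero: rarely used, may be set to defeat fingerprinting" if tos else ""
    return guess, hops, note
```
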
44
Idle Scan: Open Port
45
Idle Scan: Closed Port
46
Idle Scan Limitations
  • The idle host must truly be idle
  • Not all OSes use an incrementing IPID
  • Some versions of Linux set the IPID to zero or
    generate a random IPID value
  • Several probe exchanges need to be performed to
    validate the results

47
ICMP Attacks
  • ICMP helps with logical errors and diagnostics
  • ICMP does not offer authentication
  • The payload is not checked by the OS
  • ICMP attacks include covert channels, echo
    attacks, port scanning, traffic redirection, OS
    fingerprinting, and DoS

48
Covert Channels
  • Covert channels offer attackers a way to have a
    hidden communications channel by using allowed
    services
  • Covert channels can also work by exploiting
    flaws or weaknesses in protocols like ICMP, esp.
    ping
  • ICMP fields used in ping include:
    Type, Code, Identifier, Sequence Number, Optional
    Data

49
ICMP Format
50
Covert Channels (cont.)
51
Covert Channels (cont.)
52
Covert Channels (cont.)
  • Some systems like Linux let the user add data to
    the ping payload
  • ping -p 2b2b2b415448300 192.168.123.101
  • This places the modem hang-up string into the
    ping packet
  • Covert channel tools can use ICMP, TCP, or even
    IGRP
  • Loki, ICMP Backdoor, 007Shell, B0CK

53
ICMP Echo Attacks
  • Flood the target with ping traffic and use up all
    available bandwidth
  • Smurf exploits ICMP by sending a spoofed ping
    packet to the broadcast address with the source
    address set to the victim
  • In 2002, an attack was launched against the core
    DNS servers. They had ping enabled
  • This resulted in a large DoS attack that slowed
    the operation of the primary DNS servers

54
Port Scanning
  • ICMP can be of great use to an attacker
    attempting to discover which ports are open
  • ICMP is invaluable here since there is no response
    like the one TCP gives
  • Sending an ICMP packet to a port:
    • gets no response if the port is open, and
    • receives an ICMP type 3 code 3 (Destination
      Unreachable, Port Unreachable) packet if the
      port is closed

55
Port Scanning (cont.)
Type 3 (Destination Unreachable) Code 3 (Port
Unreachable)
56
ICMP Nuke Attacks
  • Using spoofed addresses, an attacker sends Time
    Exceeded (Type 11) or Destination Unreachable
    (ICMP Type 3) messages to communicating hosts
  • This results in a DoS attack
  • Check out ICMP Types and Codes

57
ICMP Redirect Attack
  • By sending ICMP redirect messages, an attacker
    might force a router to forward packets destined
    to one host to the attacker's IP address

58
Preventing ICMP Redirect Attack
  • With Linux, we can force the kernel not to accept
    redirect messages for one or all interfaces
  • root@router# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects

59
ICMP Flood
  • A ping flood creates a broadcast storm of pings
    that overwhelm the target system
  • Using Linux, one can flood a host using ping -f
  • root@router# ping -f 10.10.10.12 -c 1000
  • The above command floods the host 10.10.10.12
    with 1,000 packets

60
Preventing Ping Flood
  • A ping flood can be stopped by limiting the number
    of ICMP echo-request messages with iptables
  • root@router# iptables -A FORWARD -p icmp
    --icmp-type echo-request -m limit --limit 10/s
    -j ACCEPT
  • root@router# iptables -A FORWARD -p icmp
    --icmp-type echo-request -j DROP

61
Ping of Death
  • Ping of Death crashed machines by sending ICMP
    echo request messages in IP packets larger than
    the maximum legal length of 65,535 octets,
    causing a buffer overflow that crashed the
    victim's device (computer, printer, etc.)

62
Routing Protocols Attacks
  • Distance-vector and link-state routing protocols
    suffer from attacks, especially DoS
  • RIP is an unauthenticated service, so it is
    vulnerable to DoS
  • RIP spoofing works by making fake RIP packets and
    sending them to gateways and hosts to change
    their routes
  • An attacker can also modify the routing
    information to cause a redirect through a
    network, allowing him to sniff passwords or
    intercept and change data

63
Preventing Address Spoofing
  • Do not allow traffic with an internal IP address
    as source that comes from the internet
  • Log the dropped packets
  • Check out the router configuration guide at
    http://www.nsa.gov/snac/downloads_all.cfm
  • RIPv1 sends updates in cleartext with no
    authentication
  • RIPv2 has authentication but sends the
    authentication in cleartext
  • Suggestion: use OSPF with MD5 authentication
  • Restrict dynamic routing when possible

64
Task
  • Research a technique to enhance security of DHCP
    protocol
  • Have a presentation on June 26, 2011.
  • 15 minutes per group

65
Questions?
  • Next week
  • OSI Security 3