layers 1 2 general threats
play

Layers 1 & 2: General Threats? Framing and transmission of a - PowerPoint PPT Presentation

Feb 29, 2024 •456 likes •897 views

Layers 1 & 2: General Threats? Framing and transmission of a collection of bits into individual messages sent across a 7 Application single subnetwork (one physical technology) 4 Transport 3 (Inter)Network Link 2 Encoding

  1. Layers 1 & 2: General Threats? Framing and transmission of a collection of bits into individual messages sent across a 7 Application single “subnetwork” (one physical technology) 4 Transport 3 (Inter)Network Link 2 Encoding bits to send them over a single physical link 1 Physical e.g. patterns of voltage levels / photon intensities / RF modulation 3

  2. Physical/Link-Layer Threats: Eavesdropping • For subnets using broadcast technologies (e.g., WiFi, some types of Ethernet), get it for “free” – Each attached system ’s NIC (= Network Interface Card) can capture any communication on the subnet – Some handy tools for doing so o Wireshark o tcpdump / windump o bro (demo) • For any technology, routers (and internal “switches”) can look at / export traffic they forward • You can also “tap” a link – Insert a device to mirror physical signal – Or: just steal it! 4

  3. Stealing Photons 5

  4. 6

  5. Physical/Link-Layer Threats: Disruption • With physical access to a subnetwork, attacker can – Overwhelm its signaling o E.g., jam WiFi’s RF – Send messages that violate the Layer-2 protocol’s rules o E.g., send messages > maximum allowed size, sever timing synchronization, ignore fairness rules • Routers & switches can simply “drop” traffic • There’s also the heavy-handed approach … 7

  6. 8

  7. Physical/Link-Layer Threats: Injection • With physical access to a subnetwork, attacker can create any message they like • May require root/administrator access to have full freedom • Particularly powerful when combined with eavesdropping – Can manipulate existing communications 9

  8. Dynamic Host Configuration Protocol DHCP discover (broadcast) DHCP offer DHCP server new client “ offer ” message includes IP address, DHCP request DNS server, “gateway router”, and how long (broadcast) client can have these (“lease” time) Threats? DHCP ACK 11

  9. Dynamic Host Configuration Protocol DHCP discover (broadcast) DHCP offer DHCP server new client “ offer ” message includes IP address, DHCP request DNS server, “gateway router”, and how long (broadcast) Attacker on same client can have these subnet can hear (“lease” time) new host’s DHCP ACK DHCP request 12

  10. Dynamic Host Configuration Protocol DHCP discover (broadcast) DHCP offer DHCP server new client “ offer ” message includes IP address, DHCP request DNS server, “gateway router”, and how long (broadcast) client can have these (“lease” time) DHCP ACK Attacker can race the actual server; if they win, replace DNS server and/or gateway router 13

  11. DHCP Threats • Substitute a fake DNS server – Redirect any of a host’s lookups to a machine of attacker’s choice • Substitute a fake “gateway” – Intercept all of a host’s off-subnet traffic o (even if not preceded by a DNS lookup) – Relay contents back and forth between host and remote server o Modify however attacker chooses • An invisible “Man In The Middle” (MITM) – Victim host has no way of knowing it’s happening o (Can’t necessarily alarm on peculiarity of receiving multiple DHCP replies, since that can happen benignly) • How can we fix this? 14

  12. Layer 3: General Threats? Bridges multiple “subnets” to 7 Application provide end-to-end internet 4 Transport connectivity between nodes 3 (Inter)Network 4-bit 8-bit Link 4-bit 2 16-bit Total Length (Bytes) Header Type of Service Version Length (TOS) 1 Physical 3-bit 16-bit Identification 13-bit Fragment Offset Flags 8-bit Time to 8-bit Protocol 16-bit Header Checksum Live (TTL) 32-bit Source IP Address 32-bit Destination IP Address IP = Internet Protocol Payload 10

  13. Network-Layer Threats • Major: – Can set arbitrary source address o “ Spoofing ” - receiver has no idea who you are – Can set arbitrary destination address o Enables “ scanning ” - brute force searching for hosts • Lesser: (FYI; don’t worry about unless later explicitly covered) – Fragmentation mechanism can evade network monitoring – Identification field leaks information – Time To Live allows discovery of topology – TOS can let you steal high priority service – IP “options” can reroute traffic 11

  14. Layer 4: General Threats? End-to-end communication 7 Application between processes 4 Transport (TCP, UDP) 3 (Inter)Network Source port Destination port Link 2 Sequence number 1 Physical Acknowledgment HdrLen Advertised window Flags 0 Checksum Urgent pointer Options (variable) Data 12

  15. TCP Threat: Disruption • Normally, TCP finishes (“closes”) a connection by each side sending a FIN control message – Reliably delivered, since other side must ack • But: if a TCP endpoint finds unable to continue (process dies; info from other “peer” is inconsistent), it abruptly terminates by sending a RST control message – Unilateral – Takes effect immediately (no ack needed) – Only accepted by peer if has correct sequence numbers • So: if attacker knows sequence numbers … 13

  16. Tools For Disruption Demo • netcat (sometimes “nc”) s
=
socket(AF_INET, 
SOCK_RAW,
IPPROTO_RAW); – Can listen or send on ... arbitrary TCP port char
pkt[pktlen]; • telnet (std. Unix utility) struct
ip
*ip
= 



(struct
ip
*)
pkt; – Sends ASCII to ... arbitrary TCP port ip‐>ip_v
=
IPVERSION; • bro (bro-ids.org) ip‐>ip_len
=
pktlen; – Programmable network ip‐>ip_off
=
0; analyzer/monitor ip‐>ip_src
=
from; ip‐>ip_dst
=
to; • inject ip‐>ip_hl
=
5; – Custom Unix utility for ip‐>ip_p
=
IPPROTO_TCP; forging packets ip‐>ip_ttl
=
255; 14

  17. TCP Threat: Injection • If attacker knows sequence numbers, can inject whatever they like into TCP connection • Instead of a RST, how about data? • Note: desynchronizes client & server – They have inconsistent views of the byte stream and what acknowledgments refer to – However, if you’ve already killed one end with a spoofed RST, doesn’t matter ⇒ TCP session hijacking – General means to take over an already-established connection! – We are toast if an attacker can see our TCP traffic 15

  18. TCP Threat: Blind Spoofing • TCP connection establishment: Server ( 5.6.7.8) Client ( 1.2.3.4 ) S Y N , S e q N u m = x Each host tells its Initial Sequence Number (ISN) SYN + ACK, SeqNum = y, Ack = x + 1 to the other host. (Spec says to pick based on local clock) A C K , A c k = y + 1 • How can an attacker create an apparent connection from 1.2.3.4 to 5.6.7.8 even if they can’t see the real 1.2.3.4 ’s traffic? 16

  19. Blind Spoofing: Attacker ʼ s Viewpoint Attacker can Server ( 5.6.7.8) Client ( 1.2.3.4 ) spoof this S Y N , S e q N u m = x Each host tells its Initial But can’t Sequence Number (ISN) see this SYN + ACK, SeqNum = y, Ack = x + 1 to the other host. (Spec says to pick based on local clock) A C K , A c k = y + 1 So how do they Hmm, any way know what to for the attacker put here? to know this? Sure - make a non-spoofed How Do We Fix This? connection first , and see what server used for ISN y then! Use a random ISN 17

  20. TCP ʼ s Rate Management Unless there’s loss, TCP doubles data in flight every “round-trip”. All TCPs expected to obey (“fairness”). Mechanism: for each arriving ack for new data, increase allowed data by 1 maximum-sized packet 1 2 3 4 8 Src D D 200-299 A 200 A 300 D D D D 0-99 A 100 D 100-199 A A A A Dest Time E.g., suppose maximum-sized packet = 100 bytes 3

  21. TCP Threat: Cheating on Allowed Rate How can the destination (receiver) get data to come to them faster than normally allowed? ACK-Splitting : each ack, even though partial , increases allowed data by one maximum-sized packet 2 3 4 5 1 Src D 100-199 D 500-599 D 400-499 D 0-99 D 200-299 A 25 A 50 D 300-399 A 75 A 100 Dest Change rule to require Time “full” ack for all data How do we defend against this? sent in a packet 4

  22. TCP Threat: Cheating on Allowed Rate How can the destination (receiver) still get data to come to them faster than normally allowed? Opportunistic ack’ing : acknowledge data not yet seen! 2 3 4 5 1 Src D 100-199 D 500-599 D 400-499 D 0-99 D 200-299 A 100 A 200 D 300-399 A 300 A 400 Dest Time How do we defend against this ? 5

  23. Keeping Receivers Honest • Approach #1: if you receive an ack for data you haven’t sent, kill the connection – Works only if receiver acks too far ahead • Approach #2: follow the “round trip time” (RTT) and if ack arrives too quickly, kill the connection – Flaky: RTT can vary a lot, so you might kill innocent connections • Approach #3: make the receiver prove they received the data Note: a protocol change – Add a nonce (“random” marker) & require receiver to include it in ack. Kill connections w/ incorrect nonces o (nonce could be function computed over payload, so sender doesn’t explicitly transmit, only implicitly) 6

  24. Summary of TCP Security Issues • An attacker who can observe your TCP connection can manipulate it: – Forcefully terminate by forging a RST packet – Inject data into either direction by forging data packets – Works because they can include in their spoofed traffic the correct sequence numbers (both directions) and TCP ports – Remains a major threat today 7

  25. 8

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Pace Layers The social economy ecosystem has many layers, all of which change at different

Pace Layers The social economy ecosystem has many layers, all of which change at different

Pace Layers The social economy ecosystem has many layers, all of which change at different rates, the outer layers moving faster than the inner Source: Stewart Brand, The Clock of the Long Now 1 | Confidential & Proprietary 2 |

421 views • 4 slides
TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats Explosive ad incendiary Threats Bio Hazardous Powder Threats 3 Improvised mechanical Devices TR15 Smart Scan Can easily detect the component

192 views • 16 slides
Network Attacks CS 334 - Computer Security Once again thanks to Vern Paxson and David Wagner 1

Network Attacks CS 334 - Computer Security Once again thanks to Vern Paxson and David Wagner 1

Network Attacks CS 334 - Computer Security Once again thanks to Vern Paxson and David Wagner 1 Layers 1 & 2: General Threats? Framing and transmission of a collection of bits into individual messages sent across a single subnetwork

809 views • 54 slides
53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats every minute* * Merrill Lynch ...Causing $3T USD in costs, and expected to double by 2021* * CyberSecurity Ventures (2015) Todays threat

508 views • 35 slides
3/5/2020 Mixture of natural streamflow and wastewater for Blanco River General threats to water

3/5/2020 Mixture of natural streamflow and wastewater for Blanco River General threats to water

3/5/2020 Mixture of natural streamflow and wastewater for Blanco River General threats to water quality and human Blanco WWTP outfall health from proposed municipal Final Permit request to discharge 1.6 mgd wastewater discharges by the City

424 views • 6 slides
Loom ing Threats - transcript of presentation video Nick : Team 4 Looming Threats, please give

Loom ing Threats - transcript of presentation video Nick : Team 4 Looming Threats, please give

Loom ing Threats - transcript of presentation video Nick : Team 4 Looming Threats, please give them a hand. Mark : Good afternoon, Simon and I have the absolute pleasure to be presenting on behalf of Team Looming Threats. So, one of the, I guess

377 views • 3 slides
CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats to small businesses 3. Cyber Recovery Insurance Y our presenters Anne Jackson Sarah Morton Gary Hibberd Sales Director, Lorega Sales and

342 views • 31 slides
Layers Yelps Mission Connecting people with great local businesses. (Abstraction) Layers

Layers Yelps Mission Connecting people with great local businesses. (Abstraction) Layers

Layers Yelps Mission Connecting people with great local businesses. (Abstraction) Layers (related: separation of concerns) Abstractions? "Being abstract is something profoundly different from being vague The purpose of

919 views • 71 slides
Todays Objec3ves Using git Networking Layers End to End Argument discussion Sept

Todays Objec3ves Using git Networking Layers End to End Argument discussion Sept

9/15/17 Todays Objec3ves Using git Networking Layers End to End Argument discussion Sept 15, 2017 Sprenkle - CSCI325 1 Review What are some performance issues we need to consider with Web Servers (and servers in general)?

351 views • 12 slides
Chapter 4 The Von Neumann Model Computing Layers Problems Algorithms Language Instruction

Chapter 4 The Von Neumann Model Computing Layers Problems Algorithms Language Instruction

Chapter 4 The Von Neumann Model Computing Layers Problems Algorithms Language Instruction Set Architecture Microarchitecture Circuits Devices The Stored Program Computer 1943: ENIAC Presper Eckert and John Mauchly -- first general

547 views • 25 slides
Multi6 Threats draft-nordmark-multi6-threats-00.txt Design Team Members (alphabetical order):

Multi6 Threats draft-nordmark-multi6-threats-00.txt Design Team Members (alphabetical order):

Multi6 Threats draft-nordmark-multi6-threats-00.txt Design Team Members (alphabetical order): Iljitsch van Beijnum, Steve Bellovin, Brian Carpenter, Mike O'Dell, Sean Doran, Dave Katz, Tony Li, Erik Nordmark, and Pekka Savola Why? Allowing

612 views • 11 slides
A GLA DGNSS monitoring network with the potential to detect and mitigate threats to GNSS

A GLA DGNSS monitoring network with the potential to detect and mitigate threats to GNSS

A GLA DGNSS monitoring network with the potential to detect and mitigate threats to GNSS performance Michelle De Voy , George Shaw , Alan Grant & Nick Ward The General Lighthouse Authorities of the United Kingdom and Ireland Session 4: GNSS

511 views • 17 slides
Cyber@UC Meeting 68 Advanced Persistent Threats If Youre New! Join our Slack:

Cyber@UC Meeting 68 Advanced Persistent Threats If Youre New! Join our Slack:

Cyber@UC Meeting 68 Advanced Persistent Threats If Youre New! Join our Slack: cyberatuc.slack.com (URL changed!) SIGN IN! (Slackbot will post the link in #general every Wed@6:30) Feel free to get involved with one of our committees:

484 views • 13 slides
Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu

Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu

Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu Materials adopted from Prof. David Wagner 2019 General Communication Security Goals: CIA Confidentiality: No one can read our data / communication

876 views • 60 slides
Galaxy Halo Assembly Simon White Max Planck Institute for Astrophysics Halo assembly for

Galaxy Halo Assembly Simon White Max Planck Institute for Astrophysics Halo assembly for

Arcetri, February 2009 Galaxy Halo Assembly Simon White Max Planck Institute for Astrophysics Halo assembly for neutralino CDM Typical first generation halos are similar in mass to the free- streaming mass limit Earth mass or below

2.07k views • 49 slides
DTSC: A Dynamic Taxonomy on Structural Colour Carlos Fiorentino, Doctoral Research Project on

DTSC: A Dynamic Taxonomy on Structural Colour Carlos Fiorentino, Doctoral Research Project on

DTSC: A Dynamic Taxonomy on Structural Colour Carlos Fiorentino, Doctoral Research Project on Biomimetics of Colour Pitch presentation for CMPUT401 Biomimicry / Biomimetic design: Design informed/ inspired by nature Biomimicry / Biomimetic

226 views • 10 slides
Axes of scale Dr. Keith Scott keithlscott@gmail.com The views, opinions, and/or findings

Axes of scale Dr. Keith Scott keithlscott@gmail.com The views, opinions, and/or findings

Axes of scale Dr. Keith Scott keithlscott@gmail.com The views, opinions, and/or findings contained in this ar5cle/presenta5on are those of the author/presenter and should not be interpreted as represen5ng the official views or policies, either

701 views • 28 slides
Implementation and Operation of Mobility in WIDE The 14th Korea Internet Conference June 28,

Implementation and Operation of Mobility in WIDE The 14th Korea Internet Conference June 28,

Implementation and Operation of Mobility in WIDE The 14th Korea Internet Conference June 28, 2006 Keiichi Shima <keiichi@iijlab.net> Internet Initiative Japan Inc. / WIDE project Contents Background Implementation Operation

741 views • 55 slides
CSE 440: Introduction to HCI User Interface Design, Prototyping, and Evaluation Lecture 02:

CSE 440: Introduction to HCI User Interface Design, Prototyping, and Evaluation Lecture 02:

CSE 440: Introduction to HCI User Interface Design, Prototyping, and Evaluation Lecture 02: James Fogarty Design of Alex Fiannaca Everyday Things Lauren Milne Saba Kawas Kelsey Munsell Tuesday/Thursday 12:00 to 1:20 Today Section

1.06k views • 90 slides
Global constraints (2/2) Marco Chiarandini Department of Mathematics & Computer Science

Global constraints (2/2) Marco Chiarandini Department of Mathematics & Computer Science

DM841 D ISCRETE O PTIMIZATION Global constraints (2/2) Marco Chiarandini Department of Mathematics & Computer Science University of Southern Denmark Outline Global Constraints 1. Global Constraints 2 Outline Global Constraints 1.

727 views • 34 slides
Stijn Wuyts (MPE) Natascha Frster Schreiber (MPE) Benjamin Magnelli (MPE) Raanan Nordon (MPE)

Stijn Wuyts (MPE) Natascha Frster Schreiber (MPE) Benjamin Magnelli (MPE) Raanan Nordon (MPE)

A RESOLVED VIEW ON STELLAR POPULATIONS AT COSMIC NOON Stijn Wuyts (MPE) Natascha Frster Schreiber (MPE) Benjamin Magnelli (MPE) Raanan Nordon (MPE) Reinhard Genzel (MPE) Stefano Berta (MPE) Arjen van der Wel (MPIA) Herve Aussel

330 views • 29 slides

More recommend