Network Security Fundamentals Security Training Course Dr. Charles - - PowerPoint PPT Presentation



SLIDE 1

Network Security Fundamentals

Security Training Course

  • Dr. Charles J. Antonelli

The University of Michigan 2013

SLIDE 2

Network Security Fundamentals

Module 3 Network Protocol Attacks

SLIDE 3

Roadmap

  • Network security
  • The basic objectives: CIA
  • Vulnerabilities and defenses for layers 1 - 4

04/13 3 cja 2013

SLIDE 4

Some notes

  • Focus on IPv4 and Ethernet
    • IP is the dominant network protocol
    • IPv6 not yet widely deployed
    • Ethernet is ubiquitous
  • The basic principles apply to other protocols and other media
  • As always, the devil is in the details…


SLIDE 5

You are here…

  • Network security
  • The basic objectives: CIA
  • Vulnerabilities and defenses for layers 1 - 4


SLIDE 6

Network Security: CIA

  • Confidentiality
    • No eavesdropping
    • No mis-directed traffic
  • Integrity
    • What’s received = What’s sent
  • Availability
    • The network should never go down
    • Networks should always be fast enough


SLIDE 7

Availability: Layer 0

  • Never forget the physical environment
    • Fire
    • Lightning
    • Flood
    • Power failures
    • Backhoe events
    • Vandalism
    • HVAC failure
    • Etc…


SLIDE 8

You are here…

  • Network security
  • The basic objectives: CIA
  • Vulnerabilities and defenses for layers 1 - 4


SLIDE 9

Layer 1 CIA issues

  • Confidentiality I
    • RF is almost always interceptable
      • Ex: the Pringles can antenna (Instructions)
      • Ex: 60 GHz point-to-point radio
    • Copper is sometimes tappable
      • Difficulty increases with frequency (to a point)
      • Equipment isn’t a commodity item
    • Fiber is hard to tap
      • Essentially no leakage radiation


SLIDE 10

Layer 1 CIA issues

  • Confidentiality II
    • Electronics are the weak spot
      • Hubs simply rebroadcast what comes in
      • Many switches have an “eavesdrop” mode
      • Some switches have “remote eavesdrop” mode
    • Administrative access to equipment must be controlled
    • Physical access to equipment must be controlled


SLIDE 11

Layer 1 CIA issues

  • Integrity
    • RF is subject to fading and interference
      • High noise => high BER (bit error rate)
      • Ex: AA to DBRN microwave link
      • Ex: RFID jamming (Instructions)
    • Cables are usually reliable but…
      • Attenuation leads to low S/N => high BER
      • Bad termination leads to reflections
    • Vendors usually get the electronics right


SLIDE 12

Layer 1 CIA issues

  • Availability
    • Same issues as “Layer 0”
      • Acts of [malevolent] deities
      • Acts of malevolent people
      • Acts of the merely ignorant…


SLIDE 13

Example: Rogue CCS server

  • We detected a DDoS attack against a central campus CCS address
  • CCS had no machine at that IP address
  • ARP data gave us a MAC address
  • Switch in the Union said MAC address was in West Quad
  • Switch in West Quad said MAC address was in the Union


SLIDE 14

Example: Rogue CCS server

  • On further investigation, we found:
    • New switch in comm closet in West Quad
    • Patched into fiber between Union and WQ
    • Rack-mounted server connected to the switch
    • Many GB of Warez, photos of unclad persons, music, movies, etc.
  • Examination of traffic logs found that it had been in service for ca. 6 months
  • The good news: no sniffer was running (we think…)


SLIDE 15

Layer 2 vulnerabilities

  • Broadcast storms
  • ARP/CAM lifetime mismatch
  • ARP spoofing/Gateway spoofing
  • MAC spoofing/CAM flooding
  • VLAN hopping
  • Spanning Tree attacks
  • DHCP attacks


SLIDE 16

Broadcast storms

  • A loop in a LAN can be created accidentally or deliberately
  • Broadcast messages travel around the loop at wire speed
  • => Entire LAN is flooded with broadcasts
  • Solutions:
    • Spanning tree to eliminate loops


SLIDE 17

ARP/CAM lifetime mismatch

  • High-volume UDP stream inbound to valid IP
  • Target goes off-line but source keeps sending
  • Switch CAM table times out in 5 minutes, router’s ARP cache times out in 4 hours
  • => Switch floods traffic out all ports
  • Solutions:
    • Adjust CAM lifetime to match ARP (everywhere!)
    • Reduce ARP lifetime to match CAM
      • Can cause high router CPU load from excessive ARPing

SLIDE 18

ARP/gateway spoofing

  • Good guy ARPs for default gateway
  • Bad guy replies faster than router
  • Bad guy sends gratuitous ARP to router
  • => Good guy’s external traffic all passes through Bad guy’s machine
  • Solutions:
    • Static ARP and ARP monitoring
    • “Private VLANs” (maybe)

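The "static ARP and ARP monitoring" defence, as an added example that is not part of the slides: a small monitor that holds a static binding for the gateway and alerts when any other MAC claims the gateway's IP, whether by a faster reply or a gratuitous ARP. The gateway address, MACs and capture records are constructed.

```python
# Added example, not from the slides: a minimal ARP monitor for the
# "static ARP and ARP monitoring" defence. All addresses are constructed.
from dataclasses import dataclass

GATEWAY_IP = "10.0.0.1"                    # assumed default gateway
GATEWAY_MAC = "00:11:22:33:44:55"          # assumed static entry (made up)

@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str
    ts: float            # seconds into the capture (constructed)

class ArpMonitor:
    """Tracks IP->MAC bindings seen in ARP replies and raises alerts."""

    def __init__(self, static_bindings):
        # Static bindings: protected IPs that only one MAC may ever claim.
        self.static = {ip: mac.lower() for ip, mac in static_bindings.items()}
        self.seen = {}                       # ip -> last MAC learned
        self.alerts = []

    def process(self, reply):
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        if ip in self.static:
            if mac != self.static[ip]:
                # Someone other than the real gateway is answering for it,
                # whether by a fast reply or a gratuitous ARP.
                self.alerts.append(f"t={reply.ts:.1f}s {ip} claimed by {mac}, "
                                   f"expected {self.static[ip]}")
        elif ip in self.seen and self.seen[ip] != mac:
            # A binding flip for an ordinary host is also worth a look.
            self.alerts.append(f"t={reply.ts:.1f}s {ip} moved {self.seen[ip]} -> {mac}")
        self.seen[ip] = mac

# Constructed capture: the real gateway, a host, then a stranger's MAC
# claiming the gateway address.
SAMPLE = [
    ArpReply(GATEWAY_IP, GATEWAY_MAC, 0.0),
    ArpReply("10.0.0.23", "aa:bb:cc:00:00:23", 1.2),
    ArpReply(GATEWAY_IP, "de:ad:be:ef:00:01", 5.0),
    ArpReply("10.0.0.23", "aa:bb:cc:00:00:23", 7.0),
]

def run_monitor(replies=SAMPLE):
    mon = ArpMonitor({GATEWAY_IP: GATEWAY_MAC})
    for r in replies:
        mon.process(r)
    return mon.alerts
```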

SLIDE 19

MAC spoofing/CAM flooding

  • Bad guy floods net with random bogus source MAC addresses (uni- or broadcast)
  • Switch CAM tables fill up and overflow
  • => All traffic gets flooded out all ports
  • Solutions:
    • Static CAM entries (sometimes)
    • Switch “port security” & broadcast control
    • SNMP trap on CAM overflow

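A toy model of the CAM-overflow behaviour and the port-security defence, added here and not from the slides; the table capacity, port numbers and MAC addresses are constructed.

```python
# Added example, not from the slides: a toy CAM table that shows the
# overflow-to-flooding behaviour and how a per-port MAC limit ("port
# security") contains it. MAC addresses and port numbers are constructed.
import random

class CamTable:
    def __init__(self, capacity, max_macs_per_port=None):
        self.capacity = capacity
        self.max_per_port = max_macs_per_port    # None = no port security
        self.table = {}                           # mac -> port
        self.violations = []                      # (port, mac) refused

    def learn(self, src_mac, port):
        """Learn a source MAC on a port; returns True if it was accepted."""
        if src_mac in self.table:
            self.table[src_mac] = port
            return True
        if self.max_per_port is not None:
            on_port = sum(1 for p in self.table.values() if p == port)
            if on_port >= self.max_per_port:
                self.violations.append((port, src_mac))   # SNMP trap material
                return False
        if len(self.table) >= self.capacity:
            return False             # table full: nothing new can be learned
        self.table[src_mac] = port
        return True

    def forward(self, dst_mac):
        """Egress port, or 'FLOOD' when the destination is unknown."""
        return self.table.get(dst_mac, "FLOOD")

def simulate(port_limit=None, bogus_frames=500, seed=1):
    """Two legitimate hosts, a flood of random source MACs on port 3, then a
    late host on port 4. Returns (where host C's traffic goes, table size,
    number of port-security violations)."""
    rng = random.Random(seed)
    cam = CamTable(capacity=256, max_macs_per_port=port_limit)
    cam.learn("00:00:00:00:00:01", port=1)        # host A
    cam.learn("00:00:00:00:00:02", port=2)        # host B
    for _ in range(bogus_frames):
        bogus = "02:%02x:%02x:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(5))
        cam.learn(bogus, port=3)
    cam.learn("00:00:00:00:00:03", port=4)        # host C arrives late
    return cam.forward("00:00:00:00:00:03"), len(cam.table), len(cam.violations)
```

Without a port limit the table fills and host C's traffic is flooded out all ports; with a limit of two MACs per port the flood is refused and host C is learned normally.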

SLIDE 20

VLAN hopping I

  • Frames on trunks have 802.1q VLAN tags
  • Switches strip tags on incoming frames
  • Bad guy pretends to be switch and sets up trunking to his machine
  • => Bad guy has access to all VLANs
  • Solutions:
    • Turn off dynamic trunking protocol
    • Limit trunks to required VLANs only


SLIDE 21

VLAN hopping II

  • Bad guy generates frames with multiple 802.1q headers (multiple encapsulation)
  • Switch only strips one header on ingress
  • => Bad guy can send to another VLAN
  • Solutions:
    • This only works if trunk “native” VLAN is a user VLAN, so use a dedicated native VLAN.

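Added example, not from the slides: a parser for stacked 802.1q tags that flags double-tagged frames and models the one-tag-strip rule described above, showing why a dedicated native VLAN closes the hole. The frame bytes and VLAN numbers are constructed.

```python
# Added example, not from the slides: parse an Ethernet frame's 802.1Q tag
# stack, flag double tagging, and model the one-tag-stripped-at-ingress
# rule the slide describes, to show why a dedicated native VLAN helps.
# The frame bytes are constructed; nothing is sent on a network.
import struct

TPID_8021Q = 0x8100

def build_frame(dst, src, vlan_ids, ethertype=0x0800, payload=b"\x00" * 20):
    """Constructed frame with zero or more stacked 802.1Q tags, outer first."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlan_ids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)    # PCP/DEI = 0
    return hdr + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Return (VLAN IDs outer->inner, the ethertype after the last tag)."""
    off, vids = 12, []
    while True:
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid != TPID_8021Q:
            return vids, tpid
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4

def flags_double_tagging(frame):
    """Detection: a frame entering from an access port should carry at most one tag."""
    return len(parse_tags(frame)[0]) > 1

def vlan_seen_by_next_switch(frame, native_vlan):
    """Model of the slide's rule: the first switch strips one tag only if it
    matches the native VLAN, and forwards whatever is left over the trunk.
    Returns the VLAN the next switch will place the frame in."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan:
        vids = vids[1:]
    return vids[0] if vids else native_vlan

def native_vlan_check(trunk_native_vlan, user_vlans):
    """Mitigation check: the trunk's native VLAN must not be a user VLAN."""
    return trunk_native_vlan not in set(user_vlans)
```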

SLIDE 22

Spanning tree attacks I

  • Bad guy sends lots of BPDU’s
  • => Switches keep recalculating, no traffic gets through
  • This also DoS’s the bad guy, unless he runs the attack remotely…


SLIDE 23

Spanning tree attacks II

  • Bad guy sends BPDU with priority 0
    • Switches make bad guy the root, or
    • Bad guy’s switch becomes the root
  • => Bad guy has access to VLAN traffic
  • => Traffic flow may be non-optimal (DoS)
  • Solutions:
    • Shut down access ports with incoming root BPDUs


SLIDE 24

DHCP attacks

  • Bad guy floods net with DHCP requests
    • => DHCP server runs out of addresses
  • Bad guy runs rogue DHCP server
    • => Users get bogus addresses, or
    • => Users use Bad guy as default gateway


SLIDE 25

Layer 3/4 vulnerabilities

  • IP spoofing
  • Ping of Death and other buffer overflows
  • Smurfing
  • Zombies & Bots
  • ICMP/UDP flooding
  • TCP SYN flooding
  • Random target scans
  • Routing table attacks


SLIDE 26

IP Spoofing

  • Source address of IP traffic may not be the “real” address of the sender
    • Some machines do have multiple addresses…
  • Often used with other forms of attack to mask the true location of the attacker
  • Local spoofing mitigated by router ingress ACLs on all LANs and/or RPF checks
  • Remote spoofing can be hard to stop…

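The ingress-ACL and RPF checks named above, as an added example that is not part of the slides: the forwarding table, interface names and packets are constructed, and the last sample packet illustrates why remote spoofing gets through.

```python
# Added example, not from the slides: the two local anti-spoofing filters
# the slide names, a strict reverse-path-forwarding (RPF) check and a
# per-LAN ingress ACL. Routing table, interfaces and packets are constructed.
import ipaddress

# Constructed forwarding table: prefix -> interface it is reached through.
FIB = {
    ipaddress.ip_network("10.1.0.0/24"): "lan0",
    ipaddress.ip_network("10.2.0.0/24"): "lan1",
    ipaddress.ip_network("0.0.0.0/0"): "uplink",
}

def lookup(addr, fib=FIB):
    """Longest-prefix match; returns the egress interface or None."""
    best = None
    for net, ifname in fib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def strict_rpf_ok(src, in_if, fib=FIB):
    """Accept the packet only if the route back to its source address leaves
    through the interface it arrived on."""
    return lookup(ipaddress.ip_address(src), fib) == in_if

def ingress_acl_ok(src, in_if, fib=FIB):
    """Per-LAN ingress ACL: a LAN interface may only source its own prefix.
    Interfaces with no specific prefix (the uplink) get no ACL here."""
    for net, ifname in fib.items():
        if ifname == in_if and net.prefixlen > 0:
            return ipaddress.ip_address(src) in net
    return True

def filter_packets(packets, fib=FIB):
    """packets: (src, in_if) pairs. Returns (src, in_if, verdict) triples."""
    return [(s, i, "pass" if strict_rpf_ok(s, i, fib) else "drop") for s, i in packets]

# Constructed packets. The last one shows the slide's caveat: a remote
# source spoofing another remote address arrives via the default route
# and passes, so remote spoofing cannot be stopped at this router.
SAMPLE = [
    ("10.1.0.5", "lan0"),        # genuine LAN host
    ("10.2.0.9", "lan0"),        # lan1 address sourced on lan0: spoofed
    ("192.0.2.7", "lan0"),       # outside address sourced locally: spoofed
    ("10.1.0.5", "uplink"),      # our own address arriving from outside: spoofed
    ("203.0.113.9", "uplink"),   # remote address from the uplink: passes
]
```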

SLIDE 27

Packets of Death, etc.

  • Cisco IOS crashes when ICMP packets are received with certain options set
  • Solaris crashes when SMTP traffic arrives with a multicast source IP address
  • Other buffer overflows can push random info (or crafted code) on CPU stack
  • Modern buffer overflows usually designed to cause compromise rather than death


SLIDE 28

Smurfing

  • Send traffic to LAN directed broadcast address (with spoofed source address)
  • => All machines on LAN reply to the target
  • Solution:
    • Turn off directed-broadcast forwarding
  • Newer exploit - Use a bot to send local broadcasts with a spoofed source address


SLIDE 29

DNS Multiplication

  • Build bogus domain with large TXT records
  • Send requests with spoofed source address to DNS servers with open recursion turned on
  • All servers reply to the target; large records => fragmentation => hard to filter
  • Solution:
    • Fix everyone else’s DNS servers…
    • Turn off open recursion


SLIDE 30

Zombies and Bots

  • Use worms/viruses to install remote control software in many machines
    • Typically communicating via rendezvous
    • Commands may be embedded in ICMP, etc.
  • Add a few layers of indirection between the controller and the distribution medium
  • Result: millions of machines waiting to be told who, how and when to attack.
  • More on this later …


SLIDE 31

ICMP/UDP Flooding

  • Bombard the target with a one-way stream
    • Can be a single source
    • Can be multiple sources
    • Can be run from a bot net
  • Often use fragmented packets
    • Harder to filter as frags have no port info
  • Solution:
    • Monitor traffic for high-volume flows


SLIDE 32

TCP SYN flooding

  • TCP’s three-way handshake:
    • A: SYN -> B (I’d like to talk)
    • B: SYN-ACK -> A (I’m willing to talk)
    • A: ACK -> B (OK, let’s talk!)
  • TCP half-ack:
    • A: SYN -> B (I’d like to talk)
    • B: SYN-ACK -> A (I’m willing to talk)
    • A: [silence] (Are we talking?)
  • Solution
    • Limit # buffers in half-open state

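Added example, not from the slides: a model of the half-open (SYN_RECV) table on B with the cap the solution line calls for, plus a timeout so abandoned entries are reclaimed. Addresses, ports and the event trace are constructed.

```python
# Added example, not from the slides: server-side model of the handshake
# that holds half-open (SYN_RECV) state, with the slide's fix, a cap on
# half-open entries plus a timeout. Events are constructed; no sockets.
from collections import OrderedDict

class HalfOpenTable:
    def __init__(self, max_half_open, syn_timeout):
        self.max_half_open = max_half_open
        self.syn_timeout = syn_timeout
        self.half_open = OrderedDict()   # (client_ip, port) -> time of SYN
        self.established = set()
        self.dropped_syns = 0

    def _expire(self, now):
        # Drop SYN_RECV entries whose client stayed silent past the timeout.
        while self.half_open:
            _, t0 = next(iter(self.half_open.items()))
            if now - t0 < self.syn_timeout:
                break
            self.half_open.popitem(last=False)

    def on_syn(self, client, now):
        """A: SYN -> B. Answer SYN-ACK and remember the half-open state."""
        self._expire(now)
        if client in self.half_open:
            return "SYN-ACK"                # retransmitted SYN, same entry
        if len(self.half_open) >= self.max_half_open:
            self.dropped_syns += 1          # table full: new SYNs are refused
            return "DROP"
        self.half_open[client] = now
        return "SYN-ACK"

    def on_ack(self, client, now):
        """A: ACK -> B completes the handshake if the SYN is still held."""
        self._expire(now)
        if self.half_open.pop(client, None) is None:
            return "RST"                    # no half-open entry for this client
        self.established.add(client)
        return "ESTABLISHED"

def replay(events, max_half_open=4, syn_timeout=3.0):
    """events: (time, 'SYN'|'ACK', (ip, port)) in time order."""
    tbl = HalfOpenTable(max_half_open, syn_timeout)
    results = [tbl.on_syn(c, t) if k == "SYN" else tbl.on_ack(c, t) for t, k, c in events]
    return results, tbl

# Constructed trace: four SYNs that never complete fill the table, a real
# client is refused at t=1, and succeeds once the stale entries time out.
TRACE = [(0.0, "SYN", ("198.51.100.1", 40000 + i)) for i in range(4)] + [
    (1.0, "SYN", ("10.0.0.23", 5555)), (4.0, "SYN", ("10.0.0.23", 5555)), (4.1, "ACK", ("10.0.0.23", 5555))]
```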

SLIDE 33

Random target scans

  • If destination is unknown, router must ARP
    • => Worm causes router CPU meltdown
  • If destinations are in multicast space then MSDP entry is needed for each source
    • => Worm causes router CPU meltdown
  • Networks come on/off line due to attack
    • => Routing table thrashing causes CPU meltdown


SLIDE 34

“Market Research” - MitM

  • Victim installs “Web acceleration” SW
  • Redirects all web traffic through MitM’s proxy/cache servers
  • Proxy servers also proxy SSL traffic
    • Don’t you always accept unknown certs?
  • => “Secure” traffic gets logged by MitM
    • Didn’t you read the fine print in the license?


SLIDE 35

Routing attacks

  • Bad guy injects bogus routes into IGP
    • => DoS, or traffic passing through bad guy
  • Bad guy injects bogus routes into EGP
    • => Campus/company/country black-holed
  • Bad guy engages in sub-prefix hijacking
    • => Traffic passes through bad guy
  • Bad guy sends malformed IGP/EGP traffic
    • => Buffer overflow crashes routing process

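Added example (not from the slides) for the bogus-route and sub-prefix hijacking bullets: an audit of route announcements against the prefixes and origin ASNs an organization expects. Prefixes, AS numbers and announcements are constructed.

```python
# Added example, not from the slides: audit BGP-style announcements against
# the prefixes and origin ASNs an organization expects, flagging bogus
# origins and sub-prefix (more-specific) hijacks. All values are constructed.
import ipaddress

# Constructed expectation: the prefixes we own and the AS that should originate them.
EXPECTED = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/23"): 64500,
}

def classify(prefix, origin_as, expected=EXPECTED):
    """'ok', 'ok-more-specific', 'origin-hijack', 'subprefix-hijack' or 'unrelated'."""
    net = ipaddress.ip_network(prefix)
    if net in expected:
        return "ok" if expected[net] == origin_as else "origin-hijack"
    for ours, asn in expected.items():
        if net.subnet_of(ours):
            # A more-specific wins longest-prefix match everywhere, so a
            # stranger announcing one pulls the traffic through their network.
            return "ok-more-specific" if asn == origin_as else "subprefix-hijack"
    return "unrelated"

def audit(announcements, expected=EXPECTED):
    """announcements: (prefix, origin_as) pairs. Returns the suspicious ones."""
    flagged = []
    for prefix, origin_as in announcements:
        verdict = classify(prefix, origin_as, expected)
        if verdict in ("origin-hijack", "subprefix-hijack"):
            flagged.append((prefix, origin_as, verdict))
    return flagged

SAMPLE = [
    ("203.0.113.0/24", 64500),     # our own announcement
    ("203.0.113.0/24", 64666),     # same prefix, wrong origin
    ("203.0.113.128/25", 64666),   # more-specific from a stranger
    ("198.51.100.0/24", 64500),    # our own more-specific (traffic engineering)
    ("192.0.2.0/24", 64700),       # someone else's address space
]
```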

SLIDE 36

Router attacks

  • SNMP Vulnerabilities
    • Network equipment may have “hidden” R/W SNMP communities
    • Routers (and many other devices) crash when SNMP request with multiple OIDs is received
  • Saturation attacks
    • ARP overload from random traffic
    • telnet/ssh scanning
    • Cache thrashing from random traffic
    • Broadcast storms


SLIDE 37

[Diagram: Backbone, Virtual Firewall, and three VLANs (Open VLAN, Protected VLAN, Secure VLAN) labelled Research Collaboration, Servers, and Administrative Staff]


SLIDE 38

Some UMnet tools

  • UMnet Network Information database
    • https://netinfo.umnet.umich.edu/
  • UMnet Backbone page
    • http://www.itcom.itd.umich.edu/backbone/umnet/
  • UMnet Cacti Network Graphs
    • https://netstats.umnet.umich.edu/cacti/
  • UMnet Intermapper server
    • http://intermapper.umnet.umich.edu/~admin/map_screen.html


SLIDE 39

Some Useful References

  • Cisco Internetworking Technology Handbook
    • http://www.cisco.com/en/US/docs/internetworking/technology/handbook/ito_doc.html
  • Cisco Internetwork Design Guide
    • http://docwiki.cisco.com/wiki/Internetworking_Technology_Handbook
