Network Security I: Overview April 13, 2015 Lecture by: Kevin Chen - - PowerPoint PPT Presentation



SLIDE 1
Network Security I: Overview
April 13, 2015
Lecture by: Kevin Chen
Slides credit: Vern Paxson, Dawn Song

SLIDE 2
Network Security

SLIDE 3
Today’s Lecture
  • Networking overview + security issues
Keep in mind, networking is:
  • Complex topic with many facets
    – We will omit concepts/details that are not very security-relevant
    – We’ll mainly look at IP, TCP, DNS and DHCP
  • Networking is full of abstractions
    – Goal is for you to develop apt mental models / analogies
    – ASK questions when things are unclear
      • (but we may skip if not ultimately relevant for security, or postpone if question itself is directly about security)
SLIDE 4
Networking Overview

SLIDE 5
Key Concept #1: Protocols
  • A protocol is an agreement on how to communicate
  • Includes syntax and semantics
    – How a communication is specified & structured
      • Format, order messages are sent and received
    – What a communication means
      • Actions taken when transmitting, receiving, or timer expires
  • E.g.: asking a question in lecture?
    1. Raise your hand.
    2. Wait to be called on.
    3. Or: wait for speaker to pause and vocalize
    4. If unrecognized (after timeout): vocalize w/ “excuse me”

SLIDE 6
Example: IP Packet Header
(each row is one 32-bit word)
    Row 1: 4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (Bytes)
    Row 2: 16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
    Row 3: 8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
    Row 4: 32-bit Source IP Address
    Row 5: 32-bit Destination IP Address
    Then:  Payload
Header is like a letter envelope: contains all info needed for delivery
IP = Internet Protocol

SLIDE 7
Key Concept #2: Dumb Network
  • Original Internet design: interior nodes (“routers”) have no knowledge* of ongoing connections going through them
  • Not: how you picture the telephone system works
    – Which internally tracks all of the active voice calls
  • Instead: the postal system!
    – Each Internet message (“packet”) self-contained
    – Interior “routers” look at destination address to forward
    – If you want smarts, build it “end-to-end”
    – Buys simplicity & robustness at the cost of shifting complexity into end systems
* Today’s Internet is full of hacks that violate this

SLIDE 8
Key Concept #3: Layering
  • Internet design is strongly partitioned into layers
    – Each layer relies on services provided by next layer below …
    – … and provides services to layer above it
  • Analogy:
    – Consider structure of an application you’ve written and the “services” each layer relies on / provides
        Code You Write
        Run-Time Library
        System Calls
        Device Drivers                     }
        Voltage Levels / Magnetic Domains  } Fully isolated from user programs

SLIDE 9
Internet Layering (“Protocol Stack”)
    7  Application
    4  Transport
    3  (Inter)Network
    2  Link
    1  Physical

SLIDE 10
Internet Layering (“Protocol Stack”)
    7  Application      }
    4  Transport        } Implemented only at hosts, not at interior routers (“dumb network”)
    3  (Inter)Network
    2  Link
    1  Physical

SLIDE 11
Internet Layering (“Protocol Stack”)
    7  Application
    4  Transport
    3  (Inter)Network   }
    2  Link             } Implemented everywhere
    1  Physical         }

SLIDE 12
Internet Layering (“Protocol Stack”)
    7  Application
    4  Transport
    3  (Inter)Network   } ~Same for each Internet “hop”
    2  Link             }
    1  Physical         } Different for each Internet “hop”

SLIDE 13
Hop-By-Hop vs. End-to-End Layers
[Figure: Hosts A, B, C, D and E attached to a network of Routers 1 through 7]
Host A communicates with Host D

SLIDE 14
Hop-By-Hop vs. End-to-End Layers
[Figure: Hosts A, B, C, D and E attached to a network of Routers 1 through 7]
Host A communicates with Host D
Different Physical & Link Layers (Layers 1 & 2) on different hops: e.g., Wi-Fi; e.g., Ethernet

SLIDE 15
Hop-By-Hop vs. End-to-End Layers
[Figure: Hosts A, B, C, D and E attached to a network of Routers 1 through 7]
Host A communicates with Host D
Same Network / Transport / Application Layers (3/4/7) end to end (Routers ignore Transport & Application layers). E.g., HTTP over TCP over IP

SLIDE 16
Security Issues

SLIDE 17
Review: General Security Goals: CIA
  • Confidentiality:
    – No one can read our data / communication unless we want them to
  • Integrity
    – No one can manipulate our data / processing / communication unless we want them to
  • Availability
    – We can access our data / conduct our processing / use our communication capabilities when we want to
  • Also: no additional traffic other than ours ...

SLIDE 18
Layer 1, 2

SLIDE 19
Layer 1: Physical Layer
    7  Application
    4  Transport
    3  (Inter)Network
    2  Link
    1  Physical  <-- this slide
Encoding bits to send them over a single physical link
e.g. patterns of voltage levels / photon intensities / RF modulation

SLIDE 20
Layer 2: Link Layer
    7  Application
    4  Transport
    3  (Inter)Network
    2  Link  <-- this slide
    1  Physical
Framing and transmission of a collection of bits into individual messages sent across a single “subnetwork” (one physical technology)
Might involve multiple physical links (e.g., modern Ethernet)
Often technology supports broadcast transmission (every “node” connected to subnet receives)

SLIDE 21
Layer 1,2 Threats

SLIDE 22
Physical/Link-Layer Threats: Eavesdropping
  • For subnets using broadcast technologies (e.g., WiFi, some types of Ethernet), get it for “free”
    – Each attached system’s NIC (= Network Interface Card) can capture any communication on the subnet
    – Some handy tools for doing so
      • Wireshark (GUI for displaying 800+ protocols)
      • tcpdump / windump (low-level ASCII printout)
  • For any technology, routers (and internal “switches”) can look at / export traffic they forward
  • You can also “tap” a link
    – Insert a device to mirror physical signal
    – Or: just steal it!

SLIDE 23
Stealing Photons
[image slide]


SLIDE 25
Physical/Link-Layer Threats: Disruption
  • With physical access to a subnetwork, attacker can
    – Overwhelm its signaling
      • E.g., jam WiFi’s RF
    – Send messages that violate the Layer-2 protocol’s rules
      • E.g., send messages > maximum allowed size, sever timing synchronization, ignore fairness rules
  • Routers & switches can simply “drop” traffic
  • There’s also the heavy-handed approach …

SLIDE 27
Physical/Link-Layer Threats: Spoofing
  • With physical access to a subnetwork, attacker can create any message they like
    – Termed spoofing
  • May require root/administrator access to have full freedom
  • Particularly powerful when combined with eavesdropping
    – Because attacker can understand exact state of victim’s communication and craft their spoofed traffic to match it
    – Spoofing w/o eavesdropping = blind spoofing

SLIDE 28
Layer 3: The Network Layer

SLIDE 29
Layer 3: (Inter)Network Layer
    7  Application
    4  Transport
    3  (Inter)Network  <-- this slide
    2  Link
    1  Physical
Bridges multiple “subnets” to provide end-to-end internet connectivity between nodes
  • Provides global addressing
  • Works across different link technologies

SLIDE 30
IP Packet Structure
(each row is one 32-bit word)
    Row 1: 4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (Bytes)
    Row 2: 16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
    Row 3: 8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
    Row 4: 32-bit Source IP Address
    Row 5: 32-bit Destination IP Address
    Then:  Options (if any)
    Then:  Payload

SLIDE 31
IP Packet Structure
(same layout as slide 30; this slide highlights the Version, Header Length and TOS fields discussed next)

SLIDE 32
IP Packet Header Fields
  • Version number (4 bits)
    – Indicates the version of the IP protocol
    – Necessary to know what other fields to expect
    – Typically “4” (for IPv4), and sometimes “6” (for IPv6)
  • Header length (4 bits)
    – Number of 32-bit words in the header
    – Typically “5” (for a 20-byte IPv4 header)
    – Can be more when IP options are used
  • Type-of-Service (8 bits)
    – Allow packets to be treated differently based on needs
    – E.g., low delay for audio, high bandwidth for bulk transfer

SLIDE 33
IP Packet Structure
(same layout as slide 30; this slide highlights the Source and Destination IP Address fields discussed next)

SLIDE 34
IP Packet Header (Continued)
  • Two IP addresses
    – Source IP address (32 bits)
    – Destination IP address (32 bits)
  • Destination address
    – Unique identifier/locator for the receiving host
    – Allows each node to make forwarding decisions
  • Source address
    – Unique identifier/locator for the sending host
    – Recipient can decide whether to accept packet
    – Enables recipient to send a reply back to source

SLIDE 35
IP Packet Structure
(same layout as slide 30; this slide highlights the Total Length and fragmentation fields discussed next)

SLIDE 36
IP Packet Header Fields (Continued)
  • Total length (16 bits)
    – Number of bytes in the packet
    – Maximum size is 65,535 bytes (2^16 − 1)
    – … though underlying links may impose smaller limits
  • Fragmentation: when forwarding a packet, an Internet router can split it into multiple pieces (“fragments”) if too big for next hop link
  • End host reassembles to recover original packet
  • Fragmentation information (32 bits)
    – Packet identifier, flags, and fragment offset
    – Supports dividing a large IP packet into fragments
    – … in case a link cannot handle a large IP packet
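An added example (not part of the lecture slides) that parses the header fields just described from raw bytes and applies the checks a receiver should make before trusting them: version, header length, total length versus bytes actually received, and the header checksum. Function names are this example's own; the sample packet is constructed inline.

```python
"""Parse and sanity-check an IPv4 header (added example, not from the slides)."""
import struct

IHL_MIN_WORDS = 5   # no options: 5 x 32-bit words = 20 bytes


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Split the fixed 20-byte header into the slide's fields.

    Raises ValueError on what a receiver must reject: wrong version, header
    length below 5 words or beyond the data, total length inconsistent with
    the bytes that arrived, or a checksum mismatch.
    """
    if len(packet) < 20:
        raise ValueError("truncated: fewer than 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4: version=%d" % version)
    hdr_len = ihl * 4
    if ihl < IHL_MIN_WORDS or hdr_len > len(packet):
        raise ValueError("bad header length: %d words" % ihl)
    if total_len < hdr_len or total_len > len(packet):
        raise ValueError("total length %d vs %d bytes received" % (total_len, len(packet)))
    # The checksum covers the header only (options included); summing a
    # correct header with its checksum field in place yields zero.
    if ones_complement_checksum(packet[:hdr_len]) != 0:
        raise ValueError("header checksum mismatch")
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": packet[hdr_len:total_len],
    }


def header_is_valid(packet: bytes) -> bool:
    try:
        parse_ipv4_header(packet)
        return True
    except ValueError:
        return False


def build_ipv4_packet(src: str, dst: str, payload: bytes, proto: int = 6,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal IPv4 packet (no options) with the
    DF flag set and a correct checksum, so the parser has something to parse."""
    total_len = 20 + len(payload)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      0x4000, ttl, proto, 0, src_b, dst_b)
    cksum = ones_complement_checksum(hdr)          # computed with checksum field = 0
    return hdr[:10] + struct.pack("!H", cksum) + hdr[12:] + payload


if __name__ == "__main__":
    pkt = build_ipv4_packet("10.0.0.1", "10.0.0.2", b"hello")
    print(parse_ipv4_header(pkt))
```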

SLIDE 37
IP: “Best Effort” Packet Delivery
  • Routers inspect destination address, locate “next hop” in forwarding table
    – Address = ~unique identifier/locator for the receiving host
  • Only provides a “I’ll give it a try” delivery service:
    – Packets may be lost
    – Packets may be corrupted
    – Packets may be delivered out of order
[Figure: source, IP network, destination]

SLIDE 38
Layer 3 Threats

SLIDE 39
Network-Layer Threats (mainly IP)
  • Major:
    – Can set arbitrary source address
      • “Spoofing” - receiver has no idea who you are
      • Could be blind, or could be coupled w/ sniffing
    – Can set arbitrary destination address
      • Enables “scanning” - brute force searching for hosts
  • Lesser:
    – Identification field leaks information
    – Time To Live allows discovery of topology
    – IP “options” can reroute traffic
  • Other: ARP Poisoning Attacks
(FYI; don’t worry about unless later explicitly covered)

SLIDE 40
Layer 4: The Transport Layer

SLIDE 41
IP’s “Best Effort” is Lame! What to do?
  • It’s the job of our Transport (layer 4) protocols to build services our apps need out of IP’s modest layer-3 service
  • #1 workhorse: TCP (Transmission Control Protocol)
  • Service provided by TCP:
    – Connection oriented (explicit set-up / tear-down)
      • End hosts (processes) can have multiple concurrent long-lived communication
    – Reliable, in-order, byte-stream delivery
      • Robust detection & retransmission of lost data
    – Congestion control
      • Dynamic adaptation to network path’s capacity
SLIDE 42
TCP Header
    Row 1: Source port | Destination port
    Row 2: Sequence number
    Row 3: Acknowledgment
    Row 4: HdrLen | Flags | Advertised window
    Row 5: Checksum | Urgent pointer
    Then:  Options (variable)
    Then:  Data

SLIDE 43
TCP Header
(layout as on slide 42; this slide highlights the port fields)
Ports are associated with OS processes

SLIDE 44
TCP Header
(layout as on slide 42, shown following the IP Header)
Ports are associated with OS processes
IP source & destination addresses plus TCP source and destination ports uniquely identify a TCP connection

SLIDE 45
TCP Header
(layout as on slide 42)
Ports are associated with OS processes
IP source & destination addresses plus TCP source and destination ports uniquely identify a TCP connection
Some port numbers are “well known” / reserved, e.g. port 80 = HTTP

SLIDE 46
TCP Header
(layout as on slide 42; this slide highlights the Sequence number field)
Starting sequence number (byte offset) of data carried in this packet

SLIDE 47
TCP Header
(layout as on slide 42; this slide highlights the Sequence number field)
Starting sequence number (byte offset) of data carried in this packet
Byte stream numbered independently in each direction

SLIDE 48
TCP Header
(layout as on slide 42; this slide highlights the Sequence number field)
Starting sequence number (byte offset) of data carried in this packet
Byte stream numbered independently in each direction
Sequence number assigned to start of byte stream is picked when connection begins; doesn’t start at 0

SLIDE 49
TCP Header
(layout as on slide 42; this slide highlights the Acknowledgment field)
Acknowledgment gives seq # just beyond highest seq. received in order.
If sender sends N in-order bytes starting at seq S then ack for it will be S+N.

SLIDE 50
TCP Header
(layout as on slide 42; this slide highlights the Flags field)
Uses include: acknowledging data (“ACK”), setting up (“SYN”) and closing connections (“FIN” and “RST”)

SLIDE 51
Timing Diagram: 3-Way Handshaking
    Client (initiator)                          Server
    Active Open: connect()                      Passive Open: listen(), accept()
      SYN, SeqNum = x                    --->
                                         <---  SYN+ACK, SeqNum = y, Ack = x + 1
      ACK, Ack = y + 1                   --->
Different starting sequence numbers in each direction

SLIDE 52
Establishing a TCP Connection
  • Three-way handshake to establish connection
    – Host A sends a SYN (open; “synchronize sequence numbers”) to host B
    – Host B returns a SYN acknowledgment (SYN+ACK)
    – Host A sends an ACK to acknowledge the SYN+ACK
[Figure: A sends SYN to B; B sends SYN+ACK to A; A sends ACK to B; then Data flows in both directions]
Each host tells its Initial Sequence Number (ISN) to the other host. (Spec says to pick based on local clock)

SLIDE 53
TCP “Bytestream” Service
[Figure: Process A on host H1 writes a sequence of bytes (Byte 1, Byte 2, Byte 3, … Byte 8); Process B on host H2 reads the same bytes in the same order]
Hosts don’t ever see packet boundaries, lost or corrupted packets, retransmissions, etc.
SLIDE 54
Issues with TCP

SLIDE 55
TCP Threat: Disruption
  • Normally, TCP finishes (“closes”) a connection by each side sending a FIN control message
    – Reliably delivered, since other side must ack
  • But: if a TCP endpoint finds itself unable to continue (process dies; info from other “peer” is inconsistent), it abruptly terminates by sending a RST control message
    – Unilateral
    – Takes effect immediately (no ack needed)
    – Only accepted by peer if has correct* sequence number
SLIDE 56
(TCP header layout as on slide 42)

SLIDE 57
(TCP header layout as on slide 42, with the RST flag highlighted in the Flags field)

SLIDE 58
Abrupt Termination
  • A sends a TCP packet with RESET (RST) flag to B
    – E.g., because app. process on A crashed
  • Assuming that the sequence numbers in the RST fit with what B expects, That’s It:
    – B’s user-level process receives: ECONNRESET
    – No further communication on connection is possible
[Timing diagram between A and B, time running downward: SYN, SYN ACK, ACK, Data and its ACK, then RST]

SLIDE 59
TCP Threat: Disruption
  • Normally, TCP finishes (“closes”) a connection by each side sending a FIN control message
    – Reliably delivered, since other side must ack
  • But: if a TCP endpoint finds itself unable to continue (process dies; info from other “peer” is inconsistent), it abruptly terminates by sending a RST control message
    – Unilateral
    – Takes effect immediately (no ack needed)
    – Only accepted by peer if has correct* sequence number
  • So: if attacker knows ports & sequence numbers, can disrupt any TCP connection
SLIDE 60
TCP Threat: Injection
  • What about inserting data rather than disrupting a connection?
    – Again, all that’s required is attacker knows correct ports, seq. numbers
    – Receiver B is none the wiser!
  • Termed TCP connection hijacking (or “session hijacking”)
    – General means to take over an already-established connection!
  • We are toast if an attacker can see our TCP traffic!
    – Because then they immediately know the port & sequence numbers
[Timing diagram between A and B, time running downward: SYN, SYN ACK, ACK, Data and its ACK, then spoofed “Nasty Data” and “Nasty Data2” segments arriving at B]

SLIDE 61
TCP Threat: Blind Spoofing
  • Is it possible for an attacker to inject into a TCP connection even if they can’t see our traffic?
  • YES: if somehow they can guess the port and sequence numbers
  • Let’s look at a related attack where the goal of the attacker is to create a fake connection, rather than inject into a real one
    – Why?
    – Perhaps to leverage a server’s trust of a given client as identified by its IP address
    – Perhaps to frame a given client so the attacker’s actions during the connections can’t be traced back to the attacker

SLIDE 62
TCP Threat: Blind Spoofing
  • TCP connection establishment:
[Figure, as on slide 51: Client (1.2.3.4) sends SYN, SeqNum = x to Server (5.6.7.8); Server replies SYN+ACK, SeqNum = y, Ack = x + 1; Client sends ACK, Ack = y + 1. Each host tells its Initial Sequence Number (ISN) to the other host. (Spec says to pick based on local clock)]
  • How can an attacker create an apparent but fake connection from 1.2.3.4 to 5.6.7.8?

SLIDE 63
Blind Spoofing: Attacker’s Viewpoint
[Figure: the handshake of slide 51 between Client? (1.2.3.4) and Server (5.6.7.8), annotated from the Attacker’s position. Each host tells its Initial Sequence Number (ISN) to the other host. (Spec says to pick based on local clock)]
    SYN, SeqNum = x: Attacker can spoof this
    SYN+ACK, SeqNum = y, Ack = x + 1: But can’t see this
    ACK, Ack = y + 1: So how do they know what to put here?
Hmm, any way for the attacker to know this? Sure - make a non-spoofed connection first, and see what server used for ISN y then!
How Do We Fix This? Use A Random ISN
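An added example (not from the lecture) that makes the fix on this slide measurable: it compares a clock-derived ISN generator of the kind the original spec suggested with a random one, using the slide's own observation that one legitimate connection reveals the server's current ISN. The generator classes and the `predictability` score are this example's constructions; the 4-microsecond tick rate is the one given in RFC 793.

```python
"""Why the ISN must be unpredictable (added example, not from the slides).

Two toy server-side ISN generators: one derived from a local clock, as the
original TCP spec suggested, and one drawn from the OS random source. The
score models the slide's idea of opening one legitimate connection to learn
the ISN, then estimating the ISN the server will hand out a moment later.
A defender wants that estimate to be essentially always far from the truth.
"""
import secrets

ISN_TICKS_PER_SECOND = 250_000      # RFC 793: the ISN clock advances every 4 microseconds


class ClockISN:
    """ISN = clock-derived counter (predictable)."""

    def __init__(self, start: int = 0):
        self.counter = start

    def next_isn(self, elapsed_seconds: float) -> int:
        self.counter = (self.counter + int(elapsed_seconds * ISN_TICKS_PER_SECOND)) % 2**32
        return self.counter


class RandomISN:
    """ISN = 32 fresh random bits for every connection (the fix on the slide)."""

    def next_isn(self, elapsed_seconds: float) -> int:
        return secrets.randbits(32)


def seq_distance(a: int, b: int) -> int:
    """Shortest distance between two 32-bit sequence numbers."""
    d = (a - b) % 2**32
    return min(d, 2**32 - d)


def predictability(generator, gap_seconds: float, trials: int = 200,
                   tolerance: int = 1000) -> float:
    """Fraction of trials in which 'ISN seen on our own connection + clock
    advance' lands within `tolerance` of the ISN issued gap_seconds later.
    1.0 means the generator is fully guessable; ~0.0 means it is not."""
    hits = 0
    for _ in range(trials):
        observed = generator.next_isn(1.0)                       # our own, legitimate connection
        guess = (observed + int(gap_seconds * ISN_TICKS_PER_SECOND)) % 2**32
        actual = generator.next_isn(gap_seconds)                 # ISN the next connection gets
        if seq_distance(guess, actual) <= tolerance:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("clock-based:", predictability(ClockISN(), gap_seconds=0.01))
    print("random:     ", predictability(RandomISN(), gap_seconds=0.01))
```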

SLIDE 64
TCP’s Rate Management
Unless there’s loss, TCP doubles data in flight every “round-trip”. All TCPs expected to obey (“fairness”).
Mechanism: for each arriving ack for new data, increase allowed data by 1 maximum-sized packet
E.g., suppose maximum-sized packet = 100 bytes
[Timing diagram, Src to Dest, time running downward: round 1 sends D0-99, acked by A100; round 2 sends D100-199 and D200-299, acked by A200 and A300; round 3 sends four data packets, acked by four acks; round 4 sends eight. Packets in flight per round: 1, 2, 4, 8]

SLIDE 65
Protocol Cheating
How can the destination (receiver) get data to come to them faster than normally allowed?
[Timing diagram, Src to Dest: Src sends D0-99 (1 packet allowed); Dest answers with A25, A50, A75, A100; each ack raises the allowance by one, to 2, 3, 4, 5, so Src next sends D100-199, D200-299, D300-399, D400-499, D500-599]
ACK-Splitting: each ack, even though partial, increases allowed data by one maximum-sized packet
How do we defend against this?
Change rule to require “full” ack for all data sent in a packet

SLIDE 66
Protocol Cheating
How can the destination (receiver) still get data to come to them faster than normally allowed?
[Timing diagram, Src to Dest: Src sends D0-99 (1 packet allowed); Dest answers with A100, A200, A300, A400 without having seen that data; the allowance rises to 2, 3, 4, 5 and Src sends D100-199, D200-299, D300-399, D400-499, D500-599]
Opportunistic ack’ing: acknowledge data not yet seen!
How do we defend against this?

SLIDE 67
Keeping Receivers Honest
  • Approach #1: if you receive an ack for data you haven’t sent, kill the connection
    – Works only if receiver acks too far ahead
  • Approach #2: follow the “round trip time” (RTT) and if ack arrives too quickly, kill the connection
    – Flaky: RTT can vary a lot, so you might kill innocent connections
  • Approach #3: make the receiver prove they received the data
    – Add a nonce (“random” marker) & require receiver to include it in ack. Kill connections w/ incorrect nonces
      • (nonce could be function computed over payload, so sender doesn’t explicitly transmit, only implicitly)
Note: a protocol change
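An added example (not the lecture's own code) that runs the rate-management rule of slide 64, the ACK-splitting and opportunistic-acking receivers of slides 65 and 66, and the sender-side defenses above (Approach #1 plus the full-ack rule and the implicit payload nonce of Approach #3) in one toy model. The `Sender` class, the receiver behaviours and the `run` harness are this example's constructions; the nonce uses SHA-256 over the payload as one possible payload-derived function.

```python
"""Toy model of TCP's ack-driven window growth and the receiver cheats on the
slides (added example, not the lecture's own code). As in the figures, packets
carry 100 bytes and the sender starts with one packet allowed in flight.
"""
import hashlib

MSS = 100


def nonce_for(payload: bytes) -> int:
    """Approach #3 in implicit form: a value computed over the payload that the
    sender never transmits, so only a receiver holding the bytes can echo it."""
    return int.from_bytes(hashlib.sha256(payload).digest()[:4], "big")


class Sender:
    """rule = "per_ack":  slide 64, +1 packet for every ack of new data
       rule = "full_ack": slide 65's fix, +1 only per fully acknowledged packet
       rule = "nonce":    full_ack, and the ack must carry the packet's nonce
       All rules apply approach #1: an ack beyond anything sent kills the connection."""

    def __init__(self, rule: str):
        self.rule, self.allowed, self.snd_nxt, self.snd_una = rule, 1, 0, 0
        self.sent, self.alive = {}, True          # seq -> payload; connection alive?

    def send_round(self) -> list:
        pkts = []
        for _ in range(self.allowed):
            payload = bytes([self.snd_nxt // MSS]) * MSS      # constructed filler
            self.sent[self.snd_nxt] = payload
            pkts.append((self.snd_nxt, payload))
            self.snd_nxt += MSS
        return pkts

    def on_ack(self, ack: int, nonce: int = 0) -> None:
        if ack > self.snd_nxt:                    # approach #1: never sent that
            self.alive = False
        elif self.rule == "nonce" and nonce != nonce_for(self.sent.get(ack - MSS, b"")):
            self.alive = False                    # approach #3: no proof it saw the data
        elif ack > self.snd_una:
            if self.rule == "per_ack":
                self.allowed += 1
            else:
                self.allowed += ack // MSS - self.snd_una // MSS
            self.snd_una = ack


# Receiver behaviours: map the packets actually received to (ack, nonce) pairs.
def honest(got):
    return [(seq + len(p), nonce_for(p)) for seq, p in got]


def ack_splitting(got):                           # slide 65: four partial acks per packet
    return [(seq + q, 0) for seq, p in got for q in (25, 50, 75, 100)]


def opportunistic(got):                           # slide 66: also ack one packet past the last seen
    seq, p = got[-1]
    return [(seq + len(p), nonce_for(p)), (seq + len(p) + MSS, 0)]


def run(rule: str, receivers: list, lose_last: bool = False) -> tuple:
    """One round per receiver behaviour in `receivers`; returns (alive, allowed).
    With lose_last, the last packet of any multi-packet round never arrives,
    which is the case where approach #1 alone cannot catch an opportunistic ack."""
    s = Sender(rule)
    for receiver in receivers:
        got = s.send_round()
        if lose_last and len(got) > 1:
            got = got[:-1]
        for ack, nonce in receiver(got):
            s.on_ack(ack, nonce)
            if not s.alive:
                return False, s.allowed
    return True, s.allowed
```

Under the plain per-ack rule an ACK-splitting receiver reaches an allowance of 5 after one round, exactly as in the slide 65 figure, while the full-ack rule leaves it at 2; an opportunistic ack that stays within data already in flight slips past Approach #1 but fails the nonce check.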

SLIDE 68
Summary of TCP Security Issues
  • An attacker who can observe your TCP connection can manipulate it:
    – Forcefully terminate by forging a RST packet
    – Inject (spoof) data into either direction by forging data packets
    – Works because they can include in their spoofed traffic the correct sequence numbers (both directions) and TCP ports
    – Remains a major threat today

SLIDE 69
Summary of TCP Security Issues
  • An attacker who can observe your TCP connection can manipulate it:
    – Forcefully terminate by forging a RST packet
    – Inject (spoof) data into either direction by forging data packets
    – Works because they can include in their spoofed traffic the correct sequence numbers (both directions) and TCP ports
    – Remains a major threat today
  • An attacker who can predict the ISN chosen by a server can “blind spoof” a connection to the server
    – Makes it appear that host ABC has connected, and has sent data of the attacker’s choosing, when in fact it hasn’t
    – Undermines any security based on trusting ABC’s IP address
    – Allows attacker to “frame” ABC or otherwise avoid detection
    – Fixed today by choosing random ISNs

SLIDE 70
TCP Security Issues, con’t
  • TCP limits the rate at which senders transmit:
    – TCP relies on endpoints behaving properly to achieve “fairness” in how network capacity is used
    – Protocol lacks a mechanism to prevent cheating
    – Senders can cheat by just not abiding by the limits
      • Remains a significant vulnerability: essentially nothing today prevents
  • Receivers can manipulate honest senders into sending too fast because senders trust that receivers are honest
    – To a degree, sender can validate (e.g., partial acks)
    – A nonce can force receiver to only act on data they’ve seen
    – Such rate manipulation remains a vulnerability today
  • General observation: tension between ease/power of protocols that assume everyone follows vs. violating
    – Security problems persist due to difficulties of retrofitting …
    – … coupled with investment in installed base

SLIDE 71
Layer 7: Application Layer
    7  Application  <-- this slide
    4  Transport
    3  (Inter)Network
    2  Link
    1  Physical
Communication of whatever you wish
Can use whatever transport(s) is convenient
Freely structured
E.g.: DNS, DHCP (Next Lecture), Skype, SMTP (email), HTTP (Web), Halo, BitTorrent