networking attacks link ip and tcp layer attacks
play

Networking Attacks: Link-, IP-, and TCP-layer attacks Network - PowerPoint PPT Presentation

Aug 15, 2022 •262 likes •876 views

Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu Materials adopted from Prof. David Wagner 2019 General Communication Security Goals: CIA Confidentiality: No one can read our data / communication

  1. Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu Materials adopted from Prof. David Wagner 2019

  2. General Communication Security Goals: CIA • Confidentiality: – No one can read our data / communication unless we want them to • Integrity – No one can manipulate our data / processing / communication unless we want them to • Availability – We can access our data / conduct our processing / use our communication capabilities when we want to • Also: no additional traffic other than ours … 2

  3. Link-layer threats • Confidentiality: eavesdropping (aka sniffing) • Integrity: injection of spoofed packets • Injection: delete legit packets (e.g., jamming) 3

  4. Layers 1 & 2: General Threats? Framing and transmission of a collection of bits into individual messages sent across a Application 7 single “ s u b n e twork” (one physical technology) 4 Transport 3 (Inter)Network Link 2 Encoding bits to send them over a single physical link 1 Physical e.g. patterns of voltage levels / photon intensities / RF modulation 4

  5. Eavesdropping • For subnets using broadcast technologies (e.g., WiFi, some types of Ethernet), eavesdropping comes for “ free” – Each attached system’s NIC (= Network Interface Card) can capture any communication on the subnet – Some handy tools for doing so o tcpdump / windump (low-level ASCII printout) o Wireshark (GUI for displaying 800+ protocols) 5

  6. TCPDUMP: Packet Capture & ASCII Dumper

  7. Wireshark: GUI for Packet Capture/Exam 篝

  8. Wireshark: GUI for Packet Capture/Exam 篝

  9. Wireshark: GUI for Packet Capture/Exam 篝

  10. Stealing Photons 10

  12. Link-Layer Threat: Disruption • If attacker sees a packet he doesn’t like, he can jam it (integrity) • Attacker can also overwhelm link-layer signaling, e.g., jam WiFi’s RF (denial-of-service) 12

  13. Link-Layer Threat: Disruption • If attacker sees a packet he doesn’t like, he can jam it (integrity) • Attacker can also overwhelm link-layer signaling, e.g., jam WiFi’s RF (denial-of-service) • There’s also the heavy-handed approach … 13

  15. WiFi Jammer Attack on wireless networks • https://www.youtube.com/watch?v=1M9AkUZ377Y

  16. Link-Layer Threat: Spoofing • Attacker can inject spoofed packets, and lie about the source address D C Hello world! M 15

  17. Physical/Link-Layer Threats: Spoofing • With physical access to a local network, attacker can create any message they like – When with a bogus source address: spoofing • When using a typical computer, may require root/administrator to have full freedom • Particularly powerful when combined with eavesdropping – Because attacker can understand exact state of victim’s communication and craft their spoofed traffic to match it – Spoofing w/o eavesdropping = blind spoofing 16

  18. On-path vs Off-path Spoofing HostA communicates with Host D Host C Host D Host A Router 1 Router 2 Router 3 On-path Router 5 Host B Host E Router 7 Router 6 Router 4 Off-path 18

  19. Spoofing on the Internet • On-path attackers can see victim’s traffic ⇒ spoofing is easy • Off-path attackers can’t see victim’s traffic – They have to resort to blind spoofing – Often must guess/infer header values to succeed o We then care about work factor: how hard is this – But sometimes they can just brute force o E.g., 16-bit value: just try all 65,536 possibilities! • When we say an attacker “ c a n spoof” , we usually mean “ w / reasonable chance of success” 19

  20. Layer 3: General Threats? Bridges multiple “ s u b n e ts” Application 7 to provide end-to-end 4 internet connectivity between Transport 3 nodes 4-bit 8-bit (Inter)Network Link 4-bit 2 16-bit T otal Length (Bytes) Header Type of Service Version Length (TOS) 1 Physical 3-bit 13-bit Fragment Offset 16-bit Identification Flags 8-bit Time to 8-bit Protocol 16-bit Header Checksum Live (TTL) 32-bit Source IP Address 32-bit Destination IP Address IP = Internet Protocol Payload 19

  21. IP-Layer Threats • Can set arbitrary source address – “ S p o o fing” - receiver has no idea who you are – Could be blind, or could be coupled w/ sniffing – Note: many attacks require two-way communication o So successful off-path/blind spoofing might not suffice • Can set arbitrary destination address – Enables “ s c a n n i n g” – brute force searching for hosts • Can send like crazy (flooding) – IP has no general mechanism for tracking overuse – IP has no general mechanism for tracking consent – Very hard to tell where a spoofed flood comes from! • If attacker can manipulate routing, can bring traffic to themselves for eavesdropping (not easy) 20

  22. LAN Bootstrapping: DHCP • New host doesn’t have an IP address yet – So, host doesn’t know what source address to use • Host doesn’t know who to ask for an IP address – So, host doesn’t know what destination address to use • Solution: shout to “ discover ” server that can help – Broadcast a server-discovery message (layer 2) – Server(s) sends a reply offering an address ... host host host DHCP server 21

  23. Dynamic Host Configuration Protocol DHCP server new client “ offer ” message includes IP address, DNS server, gateway router” , and how long client can have these (“lease” time) 23

  24. Dynamic Host Configuration Protocol DHCP server new client “ offer ” message includes IP address, DNS server, gateway router” , and how long client can have these (“lease” time) Threats? 24

  25. Dynamic Host Configuration Protocol DHCP server new client “ offer ” message includes IP address, DNS server, gateway router” , and how long Attacker on same client can have these subnet can hear (“lease” time) new host’s DHCP request 25

  26. Dynamic Host Configuration Protocol DHCP server new client “ offer ” message includes IP address, DNS server, gateway router” , and how long client can have these (“lease” time) Attacker can race the actual server; if they win, replace DNS server and/or gateway router 25

  27. DHCP Threats • Substitute a fake DNS server – Redirect any of a host’s lookups to a machine of attacker’s choice • Substitute a fake gateway router – Intercept all of a host’s off-subnet traffic o (even if not preceded by a DNS lookup) – Relay contents back and forth between host and remote server and modify however attacker chooses • An invisible Man In The Middle (MITM) – Victim host has no way of knowing it’s happening o (Can’t necessarily alarm on peculiarity of receiving multiple DHCP replies, since that can happen benignly) • How can we fix this? Hard 26

  28. TCP Application 7 4 Transport 3 (Inter)Network Link Source port Destination port 2 Sequence number 1 Physical Acknowledgment HdrLen Advertised window Flags 0 Checksum Urgent pointer Options (variable) Data 27

  29. TCP Application 7 These plus IP addresses define a given connection 4 Transport 3 (Inter)Network Link Source port Destination port 2 Sequence number 1 Physical Acknowledgment HdrLen Advertised window Flags 0 Checksum Urgent pointer Options (variable) Data 28

  30. TCP Application 7 Defines where this packet fits within the 4 Transport sender’s bytestream 3 (Inter)Network Link Source port Destination port 2 Sequence number 1 Physical Acknowledgment HdrLen Advertised window Flags 0 Checksum Urgent pointer Options (variable) Data 29

  31. TCP Conn. Setup & Data Exchange

  32. TCP Threat: Data Injection B A time • If attacker knows ports & sequence numbers (e.g., on-path attacker), attacker can inject data into any TCP connection – Receiver B is none the wiser! • Termed TCP connection hijacking (or “ s e s s i o n hijacking ” ) – A general means to take over an already-established connection! • We are toast if an attacker can see our TCP traffic! – Because then they immediately know the port & sequence numbers 32

  33. TCP Data Injection Client (initiator) Server IP address 1.2.1.2, port 3344 IP address 9.8.7.6, port 80 ... Attacker IP address 6.6.6.6, port N/A SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, ACK, Seq = y+1, Ack = x+16 Data= “ 2 0 0 OK … <poison> … ” Client dutifully processes as server’s 33 response

  34. TCP Data Injection Client (initiator) Server IP address 1.2.1.2, port 3344 IP address 9.8.7.6, port 80 ... Attacker IP address 6.6.6.6, port N/A SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, ACK, Seq = y+1, Ack = x+16 Data= “ 2 0 0 OK … <poison> Client … ” ignores since already processed that part of 33 bytestream

  35. TCP Threat: Disruption • Is it possible for an on-path attacker to shut down a TCP connection if they can see our traffic? • YES: they can infer the port and sequence numbers – they can insert fake data, too! (Great Firewall of China) 35

  36. TCP Threat: Blind Hijacking • Is it possible for an off-path attacker to inject into a TCP connection even if they can’t see our traffic? • YES: if somehow they can infer or guess the port and sequence numbers 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Networking Attacks: Link-, IP-, and TCP-layer attacks CS 161: Computer Security Prof. David Wagner

Networking Attacks: Link-, IP-, and TCP-layer attacks CS 161: Computer Security Prof. David Wagner

Networking Attacks: Link-, IP-, and TCP-layer attacks CS 161: Computer Security Prof. David Wagner February 28, 2013 General Communication Security Goals: CIA Confidentiality: No one can read our data / communication unless we want

1.03k views • 58 slides
SDN-based defense against known IPv6 link-layer attacks Bachelors thesis final talk Andres

SDN-based defense against known IPv6 link-layer attacks Bachelors thesis final talk Andres

Fakultt fr Informatik Technische Universitt Mnchen SDN-based defense against known IPv6 link-layer attacks Bachelors thesis final talk Andres Rauschecker Advisor: Lukas Schwaighofer Supervisor: Prof. Dr.-Ing. Georg Carle Chair of

402 views • 26 slides
CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk Kang , Virgil D. Gligor CyLab, Carnegie Mellon University * Qualcomm Dec. 12, 2013 Large Scale Link-Flooding Attacks Massive DDoS attacks against

487 views • 27 slides
Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC 2 DNS The Domain Name System Naming Service

1.15k views • 46 slides
Networking: Physical &amp; Link Layer Summer 2013 Cornell University 1 Today Which are the

Networking: Physical &amp; Link Layer Summer 2013 Cornell University 1 Today Which are the

CS 4410 Operating Systems Networking: Physical &amp; Link Layer Summer 2013 Cornell University 1 Today Which are the services that the Link layer offers? Link layer Implementation Media Access Control Addressing

451 views • 16 slides
SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang

SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang

SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang Virgil D. Gligor Vyas Sekar ECE Department and CyLab, Carnegie Mellon University Feb 22, 2016 Large-scale link-flooding attacks Massive DDoS

511 views • 20 slides
BLE Security Authentication Privacy Discussion EECS 582 -- Spring 2015 BLE: Quick/Simplified

BLE Security Authentication Privacy Discussion EECS 582 -- Spring 2015 BLE: Quick/Simplified

Overview BLE Refresher Attacks Improvements BLE Security Authentication Privacy Discussion EECS 582 -- Spring 2015 BLE: Quick/Simplified Refresh Link Layer State Machine Application Layer GATT ATT L2CAP Link Layer Physical Layer

783 views • 3 slides
5 Data Link Layer Data Link Layer Self-learning, Interconnecting switches Source: A Dest:

5 Data Link Layer Data Link Layer Self-learning, Interconnecting switches Source: A Dest:

Data Link Layer Data Link Layer Hubs Switch physical- layer (dumb) repeaters: bits coming in one link go out all other links at same link-layer device: smarter than hubs, take rate active role all nodes connected to hub can

442 views • 5 slides
Link-Cutting Attacks Steven M. Bellovin Emden R. Gansner smb@research.att.com

Link-Cutting Attacks Steven M. Bellovin Emden R. Gansner smb@research.att.com

Link-Cutting Attacks Link-Cutting Attacks Steven M. Bellovin Emden R. Gansner smb@research.att.com erg@research.att.com AT&amp;T Labs Research Florham Park, NJ 07932 1 Steven M. Bellovin August 7, 2003

179 views • 7 slides
Systems Programming &amp; Engineering Spring 2018 Networking Link Layer Tyler Bletsch Duke

Systems Programming &amp; Engineering Spring 2018 Networking Link Layer Tyler Bletsch Duke

ECE 650 Systems Programming &amp; Engineering Spring 2018 Networking Link Layer Tyler Bletsch Duke University Slides are adapted from Brian Rogers (Duke) TCP/IP Model 2 Layer 1 &amp; 2 Layer 1: Physical Layer Encoding of bits to

769 views • 45 slides
Link Layer Where we are in the Course Moving on up to the Link Layer! Application Transport

Link Layer Where we are in the Course Moving on up to the Link Layer! Application Transport

Link Layer Where we are in the Course Moving on up to the Link Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Scope of the Link Layer Concerns how to transfer messages over one or more

629 views • 23 slides
A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse

A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse

A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse Elwell 1 Ryan Riley 2 Nael Abu-Ghazaleh 1 Dmitry Ponomarev 1 1 State University of New York at Binghamton Department of Computer Science 2 Qatar

872 views • 76 slides
Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand principles behind data link layer services: error detection, correction sharing a broadcast channel: multiple access link layer addressing link

598 views • 26 slides
Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand principles behind data link layer services: error detection, correction sharing a broadcast channel: multiple access link layer addressing link

591 views • 18 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Galaxy Halo Assembly Simon White Max Planck Institute for Astrophysics Halo assembly for

Galaxy Halo Assembly Simon White Max Planck Institute for Astrophysics Halo assembly for

Arcetri, February 2009 Galaxy Halo Assembly Simon White Max Planck Institute for Astrophysics Halo assembly for neutralino CDM Typical first generation halos are similar in mass to the free- streaming mass limit Earth mass or below

2.07k views • 49 slides
DTSC: A Dynamic Taxonomy on Structural Colour Carlos Fiorentino, Doctoral Research Project on

DTSC: A Dynamic Taxonomy on Structural Colour Carlos Fiorentino, Doctoral Research Project on

DTSC: A Dynamic Taxonomy on Structural Colour Carlos Fiorentino, Doctoral Research Project on Biomimetics of Colour Pitch presentation for CMPUT401 Biomimicry / Biomimetic design: Design informed/ inspired by nature Biomimicry / Biomimetic

226 views • 10 slides
Axes of scale Dr. Keith Scott keithlscott@gmail.com The views, opinions, and/or findings

Axes of scale Dr. Keith Scott keithlscott@gmail.com The views, opinions, and/or findings

Axes of scale Dr. Keith Scott keithlscott@gmail.com The views, opinions, and/or findings contained in this ar5cle/presenta5on are those of the author/presenter and should not be interpreted as represen5ng the official views or policies, either

701 views • 28 slides
Mult ultiple iple Pat athw hway ays for or Univer Univ ersit ity-I -Indus ndustry Innov

Mult ultiple iple Pat athw hway ays for or Univer Univ ersit ity-I -Indus ndustry Innov

Mult ultiple iple Pat athw hway ays for or Univer Univ ersit ity-I -Indus ndustry Innov nnovat ation ion Peter Lammers New Mexico State University New Mexico State University Required Reading: Trends in the Innovation Ecosystem

895 views • 17 slides
Layers 1 &amp; 2: General Threats? Framing and transmission of a collection of bits into

Layers 1 &amp; 2: General Threats? Framing and transmission of a collection of bits into

Layers 1 &amp; 2: General Threats? Framing and transmission of a collection of bits into individual messages sent across a 7 Application single subnetwork (one physical technology) 4 Transport 3 (Inter)Network Link 2 Encoding

897 views • 43 slides
Implementation and Operation of Mobility in WIDE The 14th Korea Internet Conference June 28,

Implementation and Operation of Mobility in WIDE The 14th Korea Internet Conference June 28,

Implementation and Operation of Mobility in WIDE The 14th Korea Internet Conference June 28, 2006 Keiichi Shima &lt;keiichi@iijlab.net&gt; Internet Initiative Japan Inc. / WIDE project Contents Background Implementation Operation

741 views • 55 slides
Network Attacks CS 334 - Computer Security Once again thanks to Vern Paxson and David Wagner 1

Network Attacks CS 334 - Computer Security Once again thanks to Vern Paxson and David Wagner 1

Network Attacks CS 334 - Computer Security Once again thanks to Vern Paxson and David Wagner 1 Layers 1 &amp; 2: General Threats? Framing and transmission of a collection of bits into individual messages sent across a single subnetwork

809 views • 54 slides
CSE 440: Introduction to HCI User Interface Design, Prototyping, and Evaluation Lecture 02:

CSE 440: Introduction to HCI User Interface Design, Prototyping, and Evaluation Lecture 02:

CSE 440: Introduction to HCI User Interface Design, Prototyping, and Evaluation Lecture 02: James Fogarty Design of Alex Fiannaca Everyday Things Lauren Milne Saba Kawas Kelsey Munsell Tuesday/Thursday 12:00 to 1:20 Today Section

1.06k views • 90 slides

More recommend