networking attacks link ip and tcp layer attacks
play

Networking Attacks: Link-, IP-, and TCP-layer attacks CS 161: - PowerPoint PPT Presentation

Oct 05, 2023 •437 likes •1.03k views

Networking Attacks: Link-, IP-, and TCP-layer attacks CS 161: Computer Security Prof. David Wagner February 28, 2013 General Communication Security Goals: CIA Confidentiality: No one can read our data / communication unless we want

  1. Networking Attacks: Link-, IP-, and TCP-layer attacks CS 161: Computer Security Prof. David Wagner February 28, 2013

  2. � General Communication Security Goals: CIA • Confidentiality: – No one can read our data / communication unless we want them to • Integrity – No one can manipulate our data / processing / communication unless we want them to • Availability – We can access our data / conduct our processing / use our communication capabilities when we want to • Also: no additional traffic other than ours … 2

  3. Link-layer threats � • Confidentiality: eavesdropping (aka sniffing) • Integrity: injection of spoofed packets • Injection: delete legit packets (e.g., jamming) 3

  4. Layers 1 & 2: General Threats? � Framing and transmission of a collection of bits into individual messages sent across a 7 Application single “ subnetwork ” (one physical technology) 4 Transport 3 (Inter)Network 2 Link Encoding bits to send them over a single physical link 1 Physical e.g. patterns of voltage levels / photon intensities / RF modulation 4

  5. � Eavesdropping • For subnets using broadcast technologies (e.g., WiFi, some types of Ethernet), get it for “ free ” – Each attached system’s NIC (= Network Interface Card) can capture any communication on the subnet – Some handy tools for doing so o tcpdump / windump (low-level ASCII printout) o Wireshark (GUI for displaying 800+ protocols) 5

  6. � TCPDUMP: Packet Capture & ASCII Dumper 6

  7. � Wireshark: GUI for Packet Capture/Exam. 7

  8. � Wireshark: GUI for Packet Capture/Exam. 8

  9. � Wireshark: GUI for Packet Capture/Exam. 9

  10. Stealing Photons � 10

  11. 11

  12. � Link-Layer Threat: Disruption • If attacker sees a packet he doesn’t like, he can jam it (integrity) • Attacker can also overwhelm its signaling, e.g., jam WiFi’s RF (denial-of-service) 12

  13. � Link-Layer Threat: Disruption • If attacker sees a packet he doesn’t like, he can jam it (integrity) • Attacker can also overwhelm its signaling, e.g., jam WiFi’s RF (denial-of-service) • There’s also the heavy-handed approach … 13

  14. 14

  15. � Link-Layer Threat: Spoofing • Attacker can inject spoofed packets, and lie about the source address M D C Hello world! 15

  16. � Physical/Link-Layer Threats: Spoofing • With physical access to a subnetwork, attacker can create any message they like – When with a bogus source address: spoofing • When using a typical computer, may require root/administrator to have full freedom • Particularly powerful when combined with eavesdropping – Because attacker can understand exact state of victim’s communication and craft their spoofed traffic to match it – Spoofing w/o eavesdropping = blind spoofing 16

  17. On-path vs Off-path Spoofing � Host A communicates with Host D Host C Host D Host A Router 1 Router 2 Router 3 On-path Router 5 Host B Host E Router 7 Router 6 Router 4 Off-path 17

  18. � Spoofing on the Internet • On-path attackers can see victim’s traffic ⇒ spoofing is easy • Off-path attackers can’t see victim’s traffic – They have to resort to blind spoofing – Often must guess/infer header values to succeed o We then care about work factor: how hard is this – But sometimes they can just brute force o E.g., 16-bit value: just try all 65,536 possibilities! • When we say an attacker “ can spoof ” , we usually mean “ w/ reasonable chance of success ” 18

  19. Layer 3: General Threats? � Bridges multiple “ subnets ” to 7 Application provide end-to-end internet 4 Transport connectivity between nodes 3 (Inter)Network 4-bit 8-bit 2 Link 4-bit 16-bit Total Length (Bytes) Header Type of Service Version Length (TOS) 1 Physical 3-bit 13-bit Fragment Offset 16-bit Identification Flags 8-bit Time to 8-bit Protocol 16-bit Header Checksum Live (TTL) 32-bit Source IP Address 32-bit Destination IP Address IP = Internet Protocol Payload 19

  20. � IP-Layer Threats • Can set arbitrary source address – “ Spoofing ” - receiver has no idea who you are – Could be blind, or could be coupled w/ sniffing – Note: many attacks require two-way communication o So successful off-path/blind spoofing might not suffice • Can set arbitrary destination address – Enables “ scanning ” - brute force searching for hosts • Can send like crazy (flooding) – IP has no general mechanism for tracking overuse – IP has no general mechanism for tracking consent – Very hard to tell where a spoofed flood comes from! • If attacker can manipulate routing, can bring traffic to themselves for eavesdropping (not easy) 20

  21. LAN Bootstrapping: DHCP � • New host doesn’t have an IP address yet – So, host doesn’t know what source address to use • Host doesn’t know who to ask for an IP address – So, host doesn’t know what destination address to use • Solution: shout to “ discover ” server that can help – Broadcast a server-discovery message (layer 2) – Server(s) sends a reply offering an address ... � host � host � host � DHCP server � 21

  22. Dynamic Host Configuration Protocol � DHCP discover � (broadcast) � � r e f f DHCP server � o P C new 
 H D client � “ offer ” message includes IP address, DHCP request � DNS server, “ gateway router ” , and how long (broadcast) � client can have these ( “ lease ” time) � K C A P C H D 22

  23. Dynamic Host Configuration Protocol � DHCP discover � (broadcast) � � r e f f DHCP server � o P C new 
 H D client � “ offer ” message includes IP address, DHCP request � DNS server, “ gateway router ” , and how long (broadcast) � client can have these ( “ lease ” time) Threats? � K C A P C H D 23

  24. Dynamic Host Configuration Protocol � DHCP discover � (broadcast) � � r e f f DHCP server � o P C new 
 H D client � “ offer ” message includes IP address, DHCP request � DNS server, “ gateway router ” , and how long (broadcast) � Attacker on same client can have these subnet can hear ( “ lease ” time) new host’s DHCP request � K C A P C H D 24

  25. Dynamic Host Configuration Protocol � DHCP discover � (broadcast) � � r e f f DHCP server � o P C new 
 H D client � “ offer ” message includes IP address, DHCP request � DNS server, “ gateway router ” , and how long (broadcast) � client can have these ( “ lease ” time) � K C A P C H Attacker can race the actual D server; if they win, replace DNS server and/or gateway router 25

  26. � DHCP Threats • Substitute a fake DNS server – Redirect any of a host’s lookups to a machine of attacker’s choice • Substitute a fake gateway router – Intercept all of a host’s off-subnet traffic o (even if not preceded by a DNS lookup) – Relay contents back and forth between host and remote server and modify however attacker chooses • An invisible Man In The Middle (MITM) – Victim host has no way of knowing it’s happening o (Can’t necessarily alarm on peculiarity of receiving multiple DHCP replies, since that can happen benignly) • How can we fix this? Hard 26

  27. TCP � 7 Application 4 Transport 3 (Inter)Network Source port Destination port 2 Link Sequence number 1 Physical Acknowledgment HdrLen Advertised window Flags 0 Checksum Urgent pointer Options (variable) Data 27

  28. TCP � 7 Application These plus IP addresses define a given connection 4 Transport 3 (Inter)Network Source port Destination port 2 Link Sequence number 1 Physical Acknowledgment HdrLen Advertised window Flags 0 Checksum Urgent pointer Options (variable) Data 28

  29. TCP � 7 Application Defines where this packet fits within the 4 Transport sender’s bytestream 3 (Inter)Network Source port Destination port 2 Link Sequence number 1 Physical Acknowledgment HdrLen Advertised window Flags 0 Checksum Urgent pointer Options (variable) Data 29

  30. TCP Conn. Setup & Data Exchange � Client (initiator) Server IP address 1.2.1.2, port 3344 IP address 9.8.7.6, port 80 S r c A = 1 . 2 . 1 . 2 , S r c D P s = 3 t A 3 = 4 9 4 . 8 , . 7 . 6 , D s t P = 8 0 , S Y N , S e q = x SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, SYN+ACK, Seq = y, Ack = x+1 S r c A = 1 . 2 . 1 D . 2 s , t A S = r 9 c P . 8 = . 3 7 . 3 6 4 , D 4 , s t P = 8 0 , A C K , S e q = x + 1 , A c k = y + 1 S r c A = 1 . 2 . 1 . 2 , S r c P = 3 3 A 4 C 4 , D K s , S t e A q = = 9 . x 8 + . 7 1 , . 6 A , c D k s = t P y = + 8 1 0 , , D a t a = “ “ G E T / l o g i n . h t m l SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, ACK, Seq = y+1, Ack = x+16, Data= “ 200 OK … <html> … ” 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu

Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu

Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu Materials adopted from Prof. David Wagner 2019 General Communication Security Goals: CIA Confidentiality: No one can read our data / communication

876 views • 60 slides
SDN-based defense against known IPv6 link-layer attacks Bachelors thesis final talk Andres

SDN-based defense against known IPv6 link-layer attacks Bachelors thesis final talk Andres

Fakultt fr Informatik Technische Universitt Mnchen SDN-based defense against known IPv6 link-layer attacks Bachelors thesis final talk Andres Rauschecker Advisor: Lukas Schwaighofer Supervisor: Prof. Dr.-Ing. Georg Carle Chair of

402 views • 26 slides
CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk Kang , Virgil D. Gligor CyLab, Carnegie Mellon University * Qualcomm Dec. 12, 2013 Large Scale Link-Flooding Attacks Massive DDoS attacks against

487 views • 27 slides
Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC 2 DNS The Domain Name System Naming Service

1.15k views • 46 slides
Networking: Physical &amp; Link Layer Summer 2013 Cornell University 1 Today Which are the

Networking: Physical &amp; Link Layer Summer 2013 Cornell University 1 Today Which are the

CS 4410 Operating Systems Networking: Physical &amp; Link Layer Summer 2013 Cornell University 1 Today Which are the services that the Link layer offers? Link layer Implementation Media Access Control Addressing

451 views • 16 slides
SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang

SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang

SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang Virgil D. Gligor Vyas Sekar ECE Department and CyLab, Carnegie Mellon University Feb 22, 2016 Large-scale link-flooding attacks Massive DDoS

511 views • 20 slides
BLE Security Authentication Privacy Discussion EECS 582 -- Spring 2015 BLE: Quick/Simplified

BLE Security Authentication Privacy Discussion EECS 582 -- Spring 2015 BLE: Quick/Simplified

Overview BLE Refresher Attacks Improvements BLE Security Authentication Privacy Discussion EECS 582 -- Spring 2015 BLE: Quick/Simplified Refresh Link Layer State Machine Application Layer GATT ATT L2CAP Link Layer Physical Layer

783 views • 3 slides
5 Data Link Layer Data Link Layer Self-learning, Interconnecting switches Source: A Dest:

5 Data Link Layer Data Link Layer Self-learning, Interconnecting switches Source: A Dest:

Data Link Layer Data Link Layer Hubs Switch physical- layer (dumb) repeaters: bits coming in one link go out all other links at same link-layer device: smarter than hubs, take rate active role all nodes connected to hub can

442 views • 5 slides
Link-Cutting Attacks Steven M. Bellovin Emden R. Gansner smb@research.att.com

Link-Cutting Attacks Steven M. Bellovin Emden R. Gansner smb@research.att.com

Link-Cutting Attacks Link-Cutting Attacks Steven M. Bellovin Emden R. Gansner smb@research.att.com erg@research.att.com AT&amp;T Labs Research Florham Park, NJ 07932 1 Steven M. Bellovin August 7, 2003

179 views • 7 slides
Systems Programming &amp; Engineering Spring 2018 Networking Link Layer Tyler Bletsch Duke

Systems Programming &amp; Engineering Spring 2018 Networking Link Layer Tyler Bletsch Duke

ECE 650 Systems Programming &amp; Engineering Spring 2018 Networking Link Layer Tyler Bletsch Duke University Slides are adapted from Brian Rogers (Duke) TCP/IP Model 2 Layer 1 &amp; 2 Layer 1: Physical Layer Encoding of bits to

769 views • 45 slides
Link Layer Where we are in the Course Moving on up to the Link Layer! Application Transport

Link Layer Where we are in the Course Moving on up to the Link Layer! Application Transport

Link Layer Where we are in the Course Moving on up to the Link Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Scope of the Link Layer Concerns how to transfer messages over one or more

629 views • 23 slides
A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse

A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse

A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse Elwell 1 Ryan Riley 2 Nael Abu-Ghazaleh 1 Dmitry Ponomarev 1 1 State University of New York at Binghamton Department of Computer Science 2 Qatar

872 views • 76 slides
Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand principles behind data link layer services: error detection, correction sharing a broadcast channel: multiple access link layer addressing link

598 views • 26 slides
Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand principles behind data link layer services: error detection, correction sharing a broadcast channel: multiple access link layer addressing link

591 views • 18 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Network Attacks CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John

Network Attacks CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John

Network Attacks CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/ Feb 10, 2010 1 Announcements / Game

402 views • 17 slides
AUTOMATED VALIDATION OF CLINICAL INCIDENT TYPES J.GUPTA, I.KORINSKA, J.PATRICK SCHOOL OF

AUTOMATED VALIDATION OF CLINICAL INCIDENT TYPES J.GUPTA, I.KORINSKA, J.PATRICK SCHOOL OF

AUTOMATED VALIDATION OF CLINICAL INCIDENT TYPES J.GUPTA, I.KORINSKA, J.PATRICK SCHOOL OF INFORMATION TECHNOLOGY SYDNEY UNIVERSITY HEALTH INFORMATICS CONFERENCE, BRISBANE 5 AUG 2015 MOTIVATIONS Improve patient safety and quality of

128 views • 11 slides
CLINICAL SAFETY INCIDENT TAXONOMY PERFORMANCE ON J48 AND RANDOM FOREST J.GUPTA, J.PATRICK,

CLINICAL SAFETY INCIDENT TAXONOMY PERFORMANCE ON J48 AND RANDOM FOREST J.GUPTA, J.PATRICK,

CLINICAL SAFETY INCIDENT TAXONOMY PERFORMANCE ON J48 AND RANDOM FOREST J.GUPTA, J.PATRICK, S.PHOON SCHOOL OF COMPUTER SCIENCES SYDNEY UNIVERSITY HEALTH INFORMATICS CONFERENCE 2019 MELBOURNE MOTIVATIONS Clinical safety incident (CSI)

374 views • 14 slides
WAVE ENERGY UTILIZATION Antnio F. O. Falco Instituto Superior Tcnico, Universidade

WAVE ENERGY UTILIZATION Antnio F. O. Falco Instituto Superior Tcnico, Universidade

INTERNATIONAL PhD COURSE XXVII Cycle UNIVERSITY OF FLORENCE - TU-BRAUNSCHWEIG Processes, Materials and Constructions in Civil and Environmental Engineering Florence 18-19 April 2012 Universit degli Studi di Firenze, 18-19 April

584 views • 41 slides
Study 105 Atazanavir + [Cobicistat or Ritonavir] + TDF-FTC (Phase 2) Study 105: Study Design

Study 105 Atazanavir + [Cobicistat or Ritonavir] + TDF-FTC (Phase 2) Study 105: Study Design

Atazanavir + [Cobicistat or Ritonavir] + TDF-FTC (Phase 2) Study 105 Atazanavir + [Cobicistat or Ritonavir] + TDF-FTC (Phase 2) Study 105: Study Design Study Design: 105 Background : Randomized, partially placebo- controlled, double-blind

314 views • 6 slides
New Agents in DLBCL Targeting Macrophages Stephen M. Ansell, MD, PhD Professor of Medicine

New Agents in DLBCL Targeting Macrophages Stephen M. Ansell, MD, PhD Professor of Medicine

New Agents in DLBCL Targeting Macrophages Stephen M. Ansell, MD, PhD Professor of Medicine Chair, Lymphoma Group Mayo Clinic Peripheral blood monocyte numbers are associated with prognosis A. B. &lt;570 &lt;630 570 630 No. at

369 views • 15 slides
Disclosures I have nothing to disclose 1 10/ 17/ 2018 Outline Updates on oncologic

Disclosures I have nothing to disclose 1 10/ 17/ 2018 Outline Updates on oncologic

10/ 17/ 2018 Oncologic Emergencies, Including Side Effects of New Therapies Gerald Hsu, MD, PhD Asst Clinical Professor of Medicine University of California, San Francisco Disclosures I have nothing to disclose 1 10/ 17/ 2018 Outline

560 views • 24 slides
Chemistry 1000 Lecture 25: Introduction to transition metal chemistry Marc R. Roussel November

Chemistry 1000 Lecture 25: Introduction to transition metal chemistry Marc R. Roussel November

Chemistry 1000 Lecture 25: Introduction to transition metal chemistry Marc R. Roussel November 5, 2018 Marc R. Roussel Transition metals November 5, 2018 1 / 21 The transition metals The transition metals d block of periodic table Sc Ti

341 views • 21 slides

More recommend