19-06-2012, 12:12 PM
Network Security
Network_Security1.ppt (Size: 841.5 KB / Downloads: 206)
Learning objectives
Understand IP addressing
Learn how fragmentation and IP spoofing issues pose risks
Understand the function of ICMP
Learn how the various types of ICMP messages pose risks
Be able to reason about blocking ICMP messages depending on their type and intra- or inter-net origin
Network Layer Vulnerabilities
We'll discuss IPv4, although other protocols can be used at this level
IP features
Network addresses
IP spoofing
Fragmentation
IP Components:
ICMP
Transport layer components dependent on IP:
UDP
TCP
IP Addresses
Format "A.B.C.D" where each letter is a byte
Class A network : A.0.0.0
Zeroes are used to indicate that any number could be in that position
Class B network: A.B.0.0
Class C network: A.B.C.0
Broadcast addresses:
255.255.255.255
A.B.C.255
Special case
0.0.0.0 and the all-zeros host address A.B.C.0 (the old BSD-style broadcast) are treated as a broadcast by some implementations and silently discarded by others
CIDR Addresses
Classless Inter-Domain Routing
Classes A, B, C too rigid
Add flexibility on a bit level instead of byte level
W.X.Y.Z/B
B is the number of bits that constitute the network address
/8 is class A
/16 is class B
/24 is class C
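Added worked example (not part of the slide deck): a small parser for the W.X.Y.Z/B notation above that derives the mask, network address, directed-broadcast address and usable host count by bit arithmetic, and reports which classful block the address falls in so the two views can be compared. The addresses in the tests are constructed from the RFC 5737 documentation ranges; the function names are my own.

```python
import ipaddress


def classful_class(addr: str) -> str:
    """Historical class of an IPv4 address, decided by the leading bits of the first byte."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first & 0x80 == 0:        # 0xxxxxxx -> class A
        return "A"
    if first & 0xC0 == 0x80:     # 10xxxxxx -> class B
        return "B"
    if first & 0xE0 == 0xC0:     # 110xxxxx -> class C
        return "C"
    if first & 0xF0 == 0xE0:     # 1110xxxx -> class D (multicast)
        return "D"
    return "E"                   # 1111xxxx -> reserved


def parse_cidr(cidr: str) -> dict:
    """Parse W.X.Y.Z/B by hand: mask, network, directed broadcast, usable hosts, classful block."""
    addr_s, _, bits_s = cidr.partition("/")
    bits = int(bits_s) if bits_s else 32
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be 0..32")
    addr = int(ipaddress.IPv4Address(addr_s))
    # B one-bits from the left make the network part; the rest is host part
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    network = addr & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    # Network and broadcast addresses are not assignable, except in /31 (RFC 3021) and /32
    usable = 2 ** (32 - bits) - 2 if bits < 31 else 2 ** (32 - bits)
    return {
        "network": str(ipaddress.IPv4Address(network)),
        "mask": str(ipaddress.IPv4Address(mask)),
        "broadcast": str(ipaddress.IPv4Address(broadcast)),
        "usable_hosts": usable,
        "classful": classful_class(addr_s),
    }


def matches_stdlib(cidr: str) -> bool:
    """Cross-check the hand computation against the standard library (strict=False allows host bits set)."""
    net = ipaddress.ip_network(cidr, strict=False)
    ours = parse_cidr(cidr)
    return (ours["network"] == str(net.network_address)
            and ours["broadcast"] == str(net.broadcast_address)
            and ours["mask"] == str(net.netmask))


if __name__ == "__main__":
    # Constructed inputs: a /24 carved out of class A space, a /22 supernet in class C space
    for c in ("10.1.2.3/24", "192.0.2.0/22", "172.16.5.9/16", "198.51.100.0/31"):
        print(c, parse_cidr(c), "stdlib agrees:", matches_stdlib(c))
```

The point of the second sample is that 192.0.2.0/22 lives in "class C" space but its prefix is shorter than /24: the network is 192.0.0.0, the broadcast is 192.0.3.255, and the given address is not the network address at all, which is why filters should be written in prefix terms rather than by class.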
IP Spoofing with Amplification
Use broadcasts pretending to originate from victim
All replies go back to victim
Class B network subnetted into class C subnets: about 253 subnets x 253 hosts = 253^2 = 64 009 replies to a single spoofed packet, if every host answers
This may use any IP protocol (ICMP, TCP, UDP)
Any application or service that replies using these protocols
Famous attack: Smurf (using ICMP) DoS
CERT® Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks
Many others
Smurf Amplifier Registry
Scans and Recon
If an attacker wants to map your network, the trivial way is to ping every IP address in your ranges (a ping sweep)...
Therefore, if you allow ICMP echo requests in from the internet, the set of live hosts in your network is exposed.
Smurf Attack
Ping a broadcast address, with the (spoofed) IP of a victim as source address
All hosts on the network respond to the victim
The victim is overwhelmed
Keys: Amplification and IP spoofing
Protocol design problem; implementations mitigate it by ignoring echo requests sent to broadcast addresses (RFC 1122 allows a host to silently discard them) and by having routers refuse to forward directed broadcasts (the default since RFC 2644)
ICMP echo is just used for convenience
Any ICMP query that elicits a reply (echo, timestamp, address mask, information request) can be abused this way
"Fraggle" is the equivalent, using UDP instead of ICMP
Defending Against IP spoofing
Ingress filtering
Forbid inbound directed broadcasts (packets addressed to the broadcast address of one of your subnets) from the internet into your networks
Forbid inbound packets whose source is a non-routable network (RFC 1918 private ranges, loopback, 0.0.0.0/8) or one of your own prefixes, since those can only be spoofed
Egress filtering
Prevent stations in networks you control from spoofing IPs from other networks by dropping outbound packets whose source address is not one of your prefixes (BCP 38 / RFC 2827)
Make your network a less attractive and useful target for attackers that want to launch other attacks
Be a good internet citizen (reputation is important)
Drop outbound broadcasts
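Added worked example (not from the slides): a model of the Smurf exchange described above, run through a border router with and without the ingress/egress rules just listed. One echo request with the victim's address as source arrives addressed to a subnet's directed-broadcast address; every inside host that receives it answers the victim. The router class, packet layout and the addresses (RFC 5737 documentation ranges) are my constructions, and the model assumes hosts do answer broadcast echo, which RFC 1122 permits.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (assumption): the prefix we administer and an outside victim
INSIDE_PREFIX = "192.0.2.0/24"
VICTIM = "203.0.113.5"
OUTSIDE_HOST = "198.51.100.9"

# Source ranges that must never arrive from the internet (a subset of the bogon list)
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str   # "echo-request", "echo-reply", "udp", ...


class BorderRouter:
    """Filtering decisions at the boundary between our prefixes and the internet."""

    def __init__(self, inside_prefixes, filtering=True):
        self.inside = [ipaddress.ip_network(p) for p in inside_prefixes]
        self.filtering = filtering

    def _is_inside(self, ip):
        a = ipaddress.ip_address(ip)
        return any(a in n for n in self.inside)

    def _is_broadcast(self, ip):
        a = ipaddress.ip_address(ip)
        return ip == "255.255.255.255" or any(a == n.broadcast_address for n in self.inside)

    def inbound(self, pkt):
        """Ingress filter for a packet arriving from the internet. Returns (forward?, reason)."""
        if not self.filtering:
            return True, "unfiltered"
        if self._is_inside(pkt.src):
            return False, "ingress: source claims to be one of our addresses"
        if any(ipaddress.ip_address(pkt.src) in n for n in BOGON_SOURCES):
            return False, "ingress: non-routable source"
        if self._is_broadcast(pkt.dst):
            return False, "ingress: directed broadcast (RFC 2644)"
        return True, "forward"

    def outbound(self, pkt):
        """Egress filter (BCP 38) for a packet leaving toward the internet."""
        if not self.filtering:
            return True, "unfiltered"
        if not self._is_inside(pkt.src):
            return False, "egress: source is not ours (spoofed)"
        if self._is_broadcast(pkt.dst):
            return False, "egress: outbound broadcast"
        return True, "forward"


def smurf_replies(router, inside_hosts, victim, broadcast):
    """One Smurf round: count the echo replies that leave toward the victim."""
    probe = Packet(src=victim, dst=broadcast, kind="echo-request")
    forwarded, _ = router.inbound(probe)
    if not forwarded:
        return 0                     # the directed broadcast never reaches the hosts
    replies = 0
    for host in inside_hosts:        # each host answers the spoofed source
        ok, _ = router.outbound(Packet(src=host, dst=victim, kind="echo-reply"))
        if ok:
            replies += 1
    return replies


def demo():
    net = ipaddress.ip_network(INSIDE_PREFIX)
    hosts = [str(h) for h in net.hosts()]
    bcast = str(net.broadcast_address)
    open_router = BorderRouter([INSIDE_PREFIX], filtering=False)
    hardened = BorderRouter([INSIDE_PREFIX], filtering=True)
    return {
        "replies_unfiltered": smurf_replies(open_router, hosts, VICTIM, bcast),
        "replies_filtered": smurf_replies(hardened, hosts, VICTIM, bcast),
        # an inside station trying to send with the victim's address: egress drops it
        "spoofed_outbound": hardened.outbound(Packet(VICTIM, OUTSIDE_HOST, "echo-request")),
        # a packet from the internet claiming one of our addresses: ingress drops it
        "spoofed_inbound": hardened.inbound(Packet("192.0.2.7", "192.0.2.20", "udp")),
        # a genuine reply from one of our hosts still gets out
        "legit_reply_out": hardened.outbound(Packet("192.0.2.7", OUTSIDE_HOST, "echo-reply")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Note which rule actually stops the amplification: the replies carry legitimate inside source addresses, so egress filtering lets them through; it is the ingress drop of the directed broadcast that takes the reply count for one /24 from 254 to 0. Egress filtering is what keeps your own stations from being the spoofing side of someone else's Smurf.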
Concepts Needed to Continue
Fragmentation
Packet reassembly
Other networking problems: What to do if
The destination doesn't exist?
Port
Host
Network
There's a routing loop?
Destination is overwhelmed with packets
Packets are going to the wrong router/gateway
How does a host learn about the network it is on?