COMPUTER NETWORK SECURITY
Unit 2

Network Layer Attacks

Overview of IP

The IP layer handles packet routing and passes packets to the transport layer. It also supports error detection using ICMP, along with fragmentation and reassembly, facilitating the transmission of data across networks.

When an application sends data via a socket interface, data moves from the transport layer to the network layer, where the IP header is added. At this stage, IP makes two decisions: which interface to forward the packet to (routing), and which router’s MAC address to forward the packet to.

The structure of the IP header consists of:
• Version (4 bits) - Specifies the IP version.
• Header Length (4 bits) - Represents the length of the IP header in 4-byte units (maximum length of 60 bytes).
• Type of Service (8 bits) - Specifies priority for packet handling.
• Total Length (16 bits) - Represents the length of the entire IP packet (header + data), maximum 65535 bytes (~64 KB).
• TTL (Time to Live, 8 bits) - Limits packet lifespan by decrementing at each router. When TTL reaches 0, the packet is discarded.
• Protocol (8 bits) - Identifies the upper layer protocol (e.g., TCP, UDP, ICMP).
• Header Checksum - Detects errors in the IP header.

IP Fragmentation

IP packets are fragmented when the packet size exceeds the hardware's Maximum Transmission Unit (MTU), for example Ethernet's limit of 1500 bytes. Fragmentation happens either at the sender or at intermediate routers. Fragments are reassembled at the destination. If any fragment is missing, the entire packet is discarded. Fragments carry the same identification field and have an offset field to indicate their position in the original packet.

Attacks using IP Fragmentation

Attack 1: Create a Super-Large packet

When the total length of an IP packet exceeds the theoretical limit of 65,536 bytes, the system's network stack may fail to handle the excessive size properly, causing buffer overflow or memory corruption within the target system's kernel.
The objective of the "Ping of Death" attack is to exploit vulnerabilities in networked systems by sending oversized ICMP Echo Request packets using the ping command. As a result, the system may crash, or its memory may be corrupted, which may lead to unpredictable behaviour.

Attack 2: Create abnormal situations

In this attack, the attacker sends fragmented packets with overlapping or incorrectly ordered fragment offsets to the target machine. The system attempts to reassemble these fragments, but due to bugs in the fragmentation reassembly process, it fails and crashes.
• Fragments sent to the target may have overlapping offsets.
• A fragment may be entirely enclosed within another fragment.

Attack 3: Tie Up Target’s Resources

The objective of this attack is to consume a large amount of the target machine’s resources using only a small amount of bandwidth. The attacker sends two fragments: Fragment 1 with offset = 0 and Fragment 2 with a very high offset, close to 65,536. On receiving these two fragments, the server allocates around 65,536 bytes of memory. Even though the attacker’s packet is less than 100 bytes, the server is forced to allocate 64 KB. By sending numerous such packets, the attacker forces the target machine to allocate excessive memory, consuming the system’s resources and leading to a Denial of Service attack.

Overview of ICMP

ICMP (Internet Control Message Protocol) is a supporting protocol in the Internet Protocol suite, used by hosts and routers to send error messages and operational information. It is encapsulated within an IP packet and serves two main purposes:

Control Messages:
• Echo Request/Reply: Used to check if the destination is alive and whether communication is working properly (used in ping).
• Redirect: Routers help hosts update routing information.
• Timestamp Request/Reply: Exchange time information between devices.
• Router Advertisement/Solicitation: Routers announce their presence.
Error Messages:
• Destination Unreachable
• Time Exceeded

An ICMP packet has a header and a data section. The structure of the ICMP packet consists of:
• Type (1 byte): Identifies the ICMP message type.
• Code (1 byte): Subtype of the message.
• Checksum (2 bytes): Calculated from the ICMP header and data.
• Rest of header: Varies based on the message type and code.
• Data: Often contains the IP header and first 8 bytes of the packet causing the error.

ICMP Message Types:
1. Echo Request/Reply: Used to test reachability and verify communication.
2. Time Exceeded: Notifies that the packet has expired.
3. Destination Unreachable: Sent when the destination can't be reached due to routing, host issues, or port availability.
4. Redirect: Used by routers to inform hosts of a better route for subsequent packets.

Attacks using ICMP

1. ICMP Redirect Attack
Attackers can easily spoof ICMP redirect messages to mislead hosts into redirecting traffic to a malicious router on the same network. This is possible because ICMP does not include built-in mechanisms to verify the integrity of messages.

2. Smurf Attack using ICMP echo request/reply
Attackers send a spoofed ICMP echo request to a network’s broadcast address. All hosts on the target network respond to the victim's IP address. This amplifies the attack: sending one packet can cause the victim to receive responses from 100 hosts or more, thereby overwhelming the victim.

Transport Layer Attacks

Overview of TCP

TCP operates at the transport layer and plays an important role in providing reliable and ordered communication between applications. The length of the TCP header is typically 20 bytes and can extend up to 60 bytes with additional options such as Maximum Segment Size, Timestamps, Window Scaling, and Selective ACKs. The TCP header is added after the IP header in the data packet.

The structure of the TCP header consists of:
• Source and Destination Ports: Identify the sending and receiving applications.
• Sequence Number: Indicates the position of the first byte of data in the segment.
• Acknowledgement Number: Shows the next expected byte from the sender (valid if the ACK flag is set).
• Header Length: Indicates the length of the TCP header.
• Reserved: This field is not used.
• Code Bits: There are six code bits, including SYN, FIN, ACK, RST, PSH and URG.
• Window Size: Indicates how much data the sender is willing to accept (flow control).
• Checksum: Ensures data integrity by checking errors in the TCP segment.
• Urgent Pointer: Points to urgent data that should be prioritized.
• Options: TCP segments can carry a variable length of options which provide a way to deal with the limitations of the original header.

Each TCP connection has a send buffer and a receive buffer to manage data transmission. To provide reliable and ordered transmission of data, TCP uses sequence numbers to keep track of the order of data (packets). At the receiving end, data is reassembled into the correct order and placed into the receive buffer.

TCP 3-Way Handshake

• SYN Packet: Client initiates the connection with a SYN packet, using a random sequence number.
• SYN-ACK Packet: Server responds with a SYN-ACK packet, using its own random sequence number.
• ACK Packet: Client sends an ACK packet to complete the handshake and establish the connection.

When a server gets a SYN packet:
1. It stores connection info in a Transmission Control Block (TCB); this is called a half-open connection.
2. The TCB is kept in a queue for pending connections.
3. After receiving an ACK packet from the client, the TCB is moved to established connections.

If the ACK isn’t received, the server resends the SYN-ACK and eventually discards the TCB if the ACK doesn’t arrive in time.

Attacks on TCP Protocol

1. SYN Flooding Attack
The objective of the SYN Flooding Attack is to overwhelm the server's half-open connection queue so it can't accept new SYN packets, by continuously sending numerous SYN packets to the server using random source IP addresses. This causes the server’s queue to fill up with TCB records, thereby preventing new connections. As a result, the server’s responses (SYN+ACK packets) may be lost or unaddressed. If responses reach valid addresses, they might trigger RST packets, but this is less common.

Countermeasure: SYN Cookies
• Upon receiving a SYN packet, the server calculates a hash (SYN cookie) using a secret key and sends the SYN-ACK packet with this hash as the initial sequence number.
• The server doesn’t store the half-open connection in its queue.
• The client, if legitimate, receives the SYN-ACK and replies with an ACK packet. This ACK packet includes the sequence number (SYN cookie) from the server plus one (H+1).
• If an attacker sends SYN packets with forged IP addresses, the SYN cookie won’t be received by the attacker, because the SYN-ACK responses are either dropped or not reachable.
• The server recalculates the SYN cookie from the ACK packet's information and checks if it matches the received sequence number (H+1).

2. TCP Reset Attack
The objective of the TCP Reset Attack is to disrupt a TCP connection between two parties without a proper handshake using a spoofed RST packet.

3. TCP Session Hijacking Attack
The objective of the TCP Session Hijacking Attack is to insert malicious packets into an active TCP connection between two parties with the goal of executing commands on the target machine. The attacker must predict the correct sequence number so that the new packet can be inserted at (current sequence number + 1) position. If the spoofed sequence number is within the receiver's acceptable window, the packet is accepted; otherwise, it is stored out of order, making the attack unsuccessful.
Once the connection is hijacked, attackers often run a reverse shell command. The reverse shell allows the attacker to remotely control the compromised machine.

Countermeasures:
• Randomize source port number
• Randomize initial sequence number
• Encrypt the payload

Domain Name System and Attacks

Overview of DNS

The Domain Name System (DNS) is an application-layer protocol that translates domain names into IP addresses. DNS is organized in a hierarchical structure, starting from the root (denoted by a dot) at the top. Below the root are TLDs (e.g., .com, .uk), followed by second-level domains. Zones are created to organize domains, allowing better management, especially for large domains. Each DNS zone is managed by an authoritative nameserver, which holds the definitive information for the zone.

DNS queries often involve multiple types of servers:
1. Root nameservers: The first point of contact for resolving DNS queries.
2. TLD nameservers: Store information about domains within a TLD.
3. Authoritative nameservers: Provide the actual answer for specific domains.
4. Recursive resolvers: Handle the DNS lookup process for clients, contacting other servers as needed.

Attacks on DNS

1. Denial-of-Service (DoS) Attacks: These attacks target DNS servers, preventing them from responding to DNS queries, i.e., the resolution of domain names into IP addresses is affected.
2. DNS Spoofing Attacks: The attacker provides an incorrect IP address during the DNS resolution process such that users are tricked into communicating with a malicious server instead of the intended website.
3. Root Nameserver Attacks: If the attackers can bring down the servers of the root zone, they can bring down the entire Internet. However, attacks on root servers are difficult as they are highly distributed and resilient, making them tough targets.
4. TLD Server Attacks: Servers for Top-Level Domains (TLDs) like .com, .gov, and .net are well-protected, but country-specific TLDs are more vulnerable.
A successful attack could bring down the Internet for a specific country.

Attack Surfaces of DNS

1. Attack Surface 1 (Modifying the Host File): Attackers with root privileges can modify system files like /etc/resolv.conf to use a malicious DNS server, or alter /etc/hosts to redirect specific domain names (e.g., redirecting a bank's domain to the attacker's machine).
2. Attack Surface 2 (Directly Spoofing Response to User): If the attacker is on the same network as the user, they can send a spoofed DNS reply pretending to be the local DNS server. This tricks the user's machine into accepting an arbitrary IP address provided by the attacker.
3. Attack Surface 3 (DNS Cache Poisoning Attack): Attackers can send a spoofed response to the local DNS server before the legitimate response arrives. The poisoned entry is cached by the DNS server, meaning future users will get the incorrect IP from the cache. Types:
   • Local Cache Poisoning: Attacker is on the same network as the DNS server.
   • Remote Cache Poisoning (Kaminsky Attack): Attacker is on a different network but still poisons the DNS server's cache.
4. Attacks from Malicious DNS Servers: Attackers control the authoritative DNS server for a domain (e.g., attacker32.com) and can insert fraudulent information into any section of its DNS responses, namely the Answer Section, Authority Section or Additional Section. This was more effective against earlier versions of DNS software.
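The last attack surface is countered in resolvers by a bailiwick check: records whose owner name lies outside the zone that was queried are discarded instead of cached. The sketch below is an added example, not part of the original notes; the record tuples, the RESPONSE data and the function names are constructed for illustration.

```python
def in_bailiwick(name, zone):
    """True if name equals zone or is a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    # The leading dot stops "notattacker32.com" matching "attacker32.com".
    return name == zone or name.endswith("." + zone)


def filter_response(zone, response):
    """Split a response into records safe to cache and records to discard.

    response maps a section name to a list of (owner, rtype, rdata) tuples.
    """
    keep, drop = [], []
    for section in ("answer", "authority", "additional"):
        for owner, rtype, rdata in response.get(section, []):
            record = (section, owner, rtype, rdata)
            (keep if in_bailiwick(owner, zone) else drop).append(record)
    return keep, drop


# Constructed reply from the nameserver of attacker32.com (documentation IPs).
RESPONSE = {
    "answer": [("www.attacker32.com", "A", "192.0.2.10")],
    "authority": [
        ("attacker32.com", "NS", "ns.attacker32.com"),
        ("example.com", "NS", "ns.attacker32.com"),   # claims another zone
    ],
    "additional": [
        ("ns.attacker32.com", "A", "192.0.2.53"),
        ("www.example.net", "A", "192.0.2.66"),       # unrelated name
    ],
}

if __name__ == "__main__":
    kept, dropped = filter_response("attacker32.com", RESPONSE)
    for rec in kept:
        print("cache  ", rec)
    for rec in dropped:
        print("discard", rec)
```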
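Returning to the three IP fragmentation attacks described earlier, the checks a reassembly path or an IDS rule can apply to the fragments of one datagram look like this. It is an added example, not from the original notes; the Frag tuple, the 20-byte header assumption, the sparse_ratio threshold and the sample fragment sets are all constructed.

```python
from typing import NamedTuple

MAX_DATAGRAM = 65535   # largest value the 16-bit Total Length field can hold
IP_HEADER = 20         # assumption: IP header without options


class Frag(NamedTuple):
    offset: int        # byte offset of the payload (wire value times 8)
    length: int        # payload bytes carried by this fragment
    more: bool         # More Fragments flag


def check_fragments(frags, sparse_ratio=8):
    """Return sorted findings for fragments sharing one Identification value."""
    findings = set()
    prev_end = received = 0
    for f in sorted(frags, key=lambda f: f.offset):
        end = f.offset + f.length
        if IP_HEADER + end > MAX_DATAGRAM:
            findings.add("oversize")     # Attack 1: reassembled size over the limit
        if f.offset < prev_end:
            findings.add("overlap")      # Attack 2: overlapping or enclosed fragment
        if f.more and f.length % 8:
            findings.add("misaligned")   # non-final fragments carry multiples of 8
        prev_end = max(prev_end, end)
        received += f.length
    # Attack 3 heuristic: the span to reserve dwarfs the data actually received.
    if received and prev_end > sparse_ratio * received:
        findings.add("sparse")
    return sorted(findings)


# Constructed fragment sets (offset, length, more-fragments).
NORMAL = [Frag(0, 1480, True), Frag(1480, 1480, True), Frag(2960, 40, False)]
OVERSIZE = [Frag(0, 1480, True), Frag(65528, 100, False)]
ENCLOSED = [Frag(0, 40, True), Frag(24, 8, False)]
TIE_UP = [Frag(0, 8, True), Frag(65504, 8, False)]

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("oversize", OVERSIZE),
                        ("enclosed", ENCLOSED), ("tie-up", TIE_UP)]:
        print(name, check_fragments(frags))
```

The "sparse" finding is a heuristic: first and last fragments arriving before the middle ones would also trigger it, so in practice it is paired with a short reassembly timeout and a per-source limit on pending datagrams.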
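The SYN cookie countermeasure from the TCP section can be traced end to end in a few lines. This is an added, simplified example and not from the original notes: it uses HMAC-SHA256 truncated to 32 bits as the hash H and a coarse time slot for expiry, whereas production stacks also encode values such as the MSS in the cookie; the key, slot length and addresses are constructed.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-key"   # assumption: a random per-boot secret in practice
SLOT_SECONDS = 64                  # assumption: granularity of cookie lifetime
MOD = 2 ** 32                      # TCP sequence numbers wrap at 32 bits


def _cookie(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """Compute the 32-bit hash H over the connection tuple and time slot."""
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{client_isn}|{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def on_syn(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Return the SYN-ACK sequence number H. No TCB is stored."""
    slot = now // SLOT_SECONDS
    return _cookie(src_ip, src_port, dst_ip, dst_port, client_isn, slot)


def on_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Accept the ACK only if ack == H + 1 for the current or previous slot."""
    client_isn = (seq - 1) % MOD   # the ACK carries the client's ISN + 1
    got = (ack % MOD).to_bytes(4, "big")
    slot = now // SLOT_SECONDS
    for s in (slot, slot - 1):
        h = _cookie(src_ip, src_port, dst_ip, dst_port, client_isn, s)
        if hmac.compare_digest(((h + 1) % MOD).to_bytes(4, "big"), got):
            return True            # only now would the server create the TCB
    return False


if __name__ == "__main__":
    conn = ("198.51.100.7", 40000, "203.0.113.10", 443)   # constructed tuple
    h = on_syn(*conn, client_isn=1000, now=6400)
    print("legitimate ACK:", on_ack(*conn, seq=1001, ack=(h + 1) % MOD, now=6410))
    print("guessed ACK:   ", on_ack(*conn, seq=1001, ack=(h + 2) % MOD, now=6410))
    print("expired ACK:   ", on_ack(*conn, seq=1001, ack=(h + 1) % MOD, now=6600))
```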
