Unit2.pdf

Full Transcript

COMPUTER NETWORK SECURITY
Unit 2
Network Layer Attacks
Overview of IP
The IP layer handles packet routing, passing packets to transport layer, supports error
detection using ICMP, fragmentation, and reassembly, facilitating the transmission of data
across networks.
When an application sends data via a socket interface, data moves from the transport layer to
the network layer, where the IP header is added. At this stage, IP makes two decisions: which
interface to forward the packet to (routing), and which router’s MAC address to forward the
packet.
The structure of the IP header consists of:
Version (4 bits) - Specifies IP version.
Header Length (4 bits) - Represents the length of the IP header in 4-byte units
(maximum length of 60 bytes).
Type of Service (8 bits) - Specifies priority for packet handling.
Total Length (16 bits) - Represents the length of the entire IP packet (header + data),
maximum 65535 bytes (~64 KB).
TTL (Time to Live, 8 bits) - Limits packet lifespan by decrementing at each router.
When TTL reaches 0, the packet is discarded.
Protocol (8 bits) - Identifies the upper layer protocol (e.g., TCP, UDP, ICMP).
Header Checksum - Detects errors in the IP header.
IP Fragmentation
IP packets are fragmented when the packet size exceeds the hardware's Maximum
Transmission Unit (MTU), for example Ethernet's limit of 1500 bytes.
The fragmentation process happens either at the sender or intermediate routers.
Fragments are reassembled at the destination. If any fragment is missing, the entire packet is
discarded.
Fragments carry the same identification field and have an offset field to indicate their position
in the original packet.

Attacks using IP Fragmentation
Attack 1: Create a Super-Large packet
When the total length of an IP packet exceeds the theoretical limit of 65,536 bytes, the
system's network stack may fail to handle the excessive size properly, causing buffer
overflow or memory corruption within the target system's kernel.
The objective of the "Ping of Death" attack is to exploit vulnerabilities in networked systems
by sending oversized ICMP Echo Request packets using the ping command.
As a result of this, the system may crash or its memory may be corrupted that may lead to
unpredictable behaviour.
Attack 2: Create abnormal situations
In this attack, the attacker sends fragmented packets with overlapping or incorrectly ordered
fragment offsets to the target machine. The system attempts to reassemble these fragments,
but due to bugs in the fragmentation reassembly process, it fails and crashes.
Fragments sent to the target may have overlapping offsets.
A fragment may be entirely enclosed within another fragment.

Attack 3: Tie Up Target’s Resources
The objective of this attack is to consume a large amount of the target machine’s resources
using only a small amount of bandwidth.
Two Fragmented Packets with Fragment 1 having offset = 0 and Fragment 2 with a very high
offset, close to 65,536. On receiving these two fragments, the server allocates around 65,536
bytes of memory. Even though the attacker’s packet is less than 100 bytes, the server is
forced to allocate 64 KB.
By sending numerous such packets, the attacker forces the target machine to allocate
excessive memory thereby utilizing the system’s resources excessively leading to a Denial Of
Service Attack.
Overview of ICMP
ICMP (Internet Control Message Protocol) is a supporting protocol in the Internet Protocol
suite, used by hosts and routers to send error messages and operational information. It is
encapsulated within an IP packet and serves two main purposes:
Control Messages:
Echo Request/Reply: Used to check if the destination is alive and whether
communication is working properly (used in ping).
Redirect: Routers help hosts update routing information.
Timestamp Request/Reply: Exchange time information between devices.
Router Advertisement/Solicitation: Routers announce their presence.
Error Messages:
Destination Unreachable
Time Exceeded

ICMP Packet has a header and a data section. The structure of the ICMP packet consists of:
Type (1 byte): Identifies the ICMP message type.
Code (1 byte): Subtype of the message.
Checksum (2 bytes): calculated from ICMP header and data
Rest of header: Varies based on the message type and code.
Data: Often contains the IP header and first 8 bytes of the packet causing the error.
ICMP Message Types:
1. Echo Request/Reply: Used to test reachability and verify communication.
2. Time Exceeded: Notifies that the packet has expired.
3. Destination Unreachable: Sent when the destination can't be reached due to routing,
host issues, or port availability.
4. Redirect: Used by routers to inform hosts of a better route for subsequent packets.

Attacks using ICMP
1. ICMP Redirect Attack
Attackers can easily spoof ICMP redirect messages to mislead hosts into redirecting traffic to
a malicious router on the same network. This is possible as ICMP does not include built-in
mechanisms to verify the integrity of messages.
 2. Smurf Attack using ICMP echo request/reply
Attackers send a spoofed ICMP echo request to a network’s broadcast address. All hosts on
the target network respond to the victim's IP address. This amplifies the attack, where sending
one packet can cause the victim to receive responses from 100 hosts or more thereby
overwhelming the victim.

Transport Layer Attacks
Overview of TCP
TCP operates at the transport layer and plays an important role in providing reliable and
ordered communication between applications.
The length if the TCP header is typically 20 bytes and can extend up to 60 bytes with
additional options such as Maximum Segment Size, Time- stamps, Window Scaling, and
Selective ACKs. The TCP header is added after the IP header in the data packet.
The structure of the TCP header consists of:
Source and Destination Ports: Identify the sending and receiving applications.
Sequence Number: Indicates the position of the first byte of data in the segment.
Acknowledgement Number: Shows the next expected byte from the sender (valid if
the ACK flag is set).
Header Length: Indicates the length of the TCP header.
Reserved: This field is not used.
Code Bits: There are six code bits, including SYN, FIN, ACK, RST, PSH and URG.
Window Size: Indicates how much data the sender is willing to accept (flow control).
Checksum: Ensures data integrity by checking errors in the TCP segment.
Urgent Pointer: Points to urgent data that should be prioritized.
Options: TCP segments can carry a variable length of options which provide a way to
deal with the limitations of the original header.
Each TCP connection has a send buffer and a receive buffer to manage data transmission.
For providing reliable and ordered transmission of data, TCP uses sequence numbers to keep
track of the order of data (packets). At the receiving end, data is reassembled into the correct
order and placed into the receive buffer.
TCP 3-Way Handshake
SYN Packet: Client initiates the connection with a SYN packet, using a random sequence
number.
SYN-ACK Packet: Server responds with a SYN-ACK packet, using its own random
sequence number.
ACK Packet: Client sends an ACK packet to complete the handshake and establish the
connection.
When a server gets a SYN packet:
1. It stores connection info in a Transmission Control Block (TCB), this is called a half-open
connection.
2. The TCB is kept in a queue for pending connections.
3. After receiving an ACK packet from the client, the TCB is moved to established
connections. If the ACK isn’t received, the server resends the SYN-ACK and eventually
discards the TCB if the ACK doesn’t arrive in time.

Attacks on TCP Protocol
1. SYN Flooding Attack
The objective of the SYN Flooding Attack is to overwhelm the server's half-open
connection queue so it can't accept new SYN packets by continuously sending
numerous SYN packets to the server using random source IP addresses.

This results in the server’s queue to fill up with TCB records thereby preventing new
connections. As a result of this, server’s responses (SYN+ACK packets) may be lost
or unaddressed.

If responses reach valid addresses, they might trigger RST packets, but this is less
common.
 Countermeasure: SYN Cookies
 Upon receiving a SYN packet, the server calculates a hash (SYN cookie)
using a secret key and sends the SYN-ACK packet with this hash as the initial
sequence number.
 The server doesn’t store the half-open connection in its queue.
 The client, if legitimate, receives the SYN-ACK and replies with an ACK
packet. This ACK packet includes the sequence number (SYN cookie) from
the server plus one (H+1).
 If an attacker sends SYN packets with forged IP addresses, the SYN cookie
won’t be received by the attacker, because the SYN-ACK responses are either
dropped or not reachable.
 The server recalculates the SYN cookie from the ACK packet's information
and checks if it matches the received sequence number (H+1).

2. TCP Reset Attack
The objective of the TCP Reset Attack is to disrupt a TCP connection between two
parties without a proper handshake using a spoofed RST packet.

3. TCP Session Hijacking Attack
The objective of the TCP Session Hijacking Attack is to insert malicious packets into
an active TCP connection between two parties with the goal of executing commands
on the target machine.
The attacker must predict the correct sequence number so that the new packet can be
inserted at (current sequence number + 1) position.
If the spoofed sequence number is within the receiver's acceptable window, the packet
is accepted; otherwise, it is stored out of order, making the attack unsuccessful.
Once the connection is hijacked, attackers often run a reverse shell command. The
reverse shell allows the attacker to remotely control the compromised machine.
 Countermeasures:
 Randomize source port number
 Randomize initial sequence number
 Encrypting payload

Domain Name System and Attacks
Overview of DNS
The Domain Name System (DNS) is an application-layer protocol that translates domain
names into IP addresses.
DNS is organized in a hierarchical structure, starting from the root (denoted by a dot) at the
top. Below the root are TLDs (e.g.,.com,.uk), followed by second-level domains.
Zones are created to organize domains, allowing better management, especially for large
domains. Each DNS zone is managed by an authoritative nameserver, which holds the
definitive information for the zone.
DNS queries often involve multiple types of servers:
1. Root nameservers: The first point of contact for resolving DNS queries.
2. TLD nameservers: Store information about domains within a TLD.
3. Authoritative nameservers: Provide the actual answer for specific domains.
4. Recursive resolvers: Handle the DNS lookup process for clients, contacting other
servers as needed.
Attacks on DNS
1. Denial-of-Service (DoS) Attacks: These attacks target DNS servers, preventing them
from responding to DNS queries i.e resolving domain names into IP addresses is
affected.

2. DNS Spoofing Attacks: The attacker provides an incorrect IP address during the
DNS resolution process such that users are tricked into communicating with a
malicious server instead of the intended website.

3. Root Nameserver Attacks: If the attackers can bring down the servers of the root
zone, they can bring down the entire Internet. However, attacks on root servers are
difficult as they are highly distributed and resilient, making them tough targets.

4. TLD Server Attacks: Servers for Top-Level Domains (TLDs) like.com,.gov, and.net are well-protected, but country-specific TLDs are more vulnerable. A successful
attack could bring down the Internet for a specific country.
Attack Surfaces of DNS

1. Attack Surface 1 (Modifying the Host File): Attackers with root privileges can modify
system files like /etc/resolv.conf to use a malicious DNS server, or alter /etc/hosts to
redirect specific domain names (e.g., redirecting a bank's domain to the attacker's
machine).

2. Attack Surface 2 (Directly Spoofing Response to User): If the attacker is on the same
network as the user, they can send a spoofed DNS reply pretending to be the local DNS
server. This tricks the user's machine into accepting an arbitrary IP address provided by
the attacker.

3. Attack Surface 3 (DNS Cache Poisoning Attack): Attackers can send a spoofed
response to the local DNS server before the legitimate response arrives. The poisoned
entry is cached by the DNS server, meaning future users will get the incorrect IP from the
cache.
Types:
Local Cache Poisoning: Attacker is on the same network as the DNS server.
Remote Cache Poisoning (Kaminsky Attack): Attacker is on a different network but still
poisons the DNS server's cache.
4. Attacks from Malicious DNS Servers: Attackers control the authoritative DNS server
for a domain (e.g., attacker32.com) and can insert fraudulent information into DNS
responses, any of its sections namely Answer Section, Authority Section or Additional
Section. This was more effective against earlier versions of DNS software.