ITIS 6167/8167: Network and Information Security - PowerPoint PPT Presentation

Presenter: Weichao Wang
Slides: 32
Provided by: ITTC4

Transcript and Presenter's Notes


1
ITIS 6167/8167 Network and Information Security
  • Weichao Wang

2
Contents
  • IP fragmentation and attacks
  • IP protocol
  • IP fragmentation
  • Attacks
  • Mitigation mechanisms

3
(No Transcript)
4
IP protocol and fragmentation
  • The IP layer provides the fundamental service of the
    Internet: unreliable, connectionless, best-effort
    packet delivery
  • Unreliable: packets may be lost, duplicated, delayed,
    or delivered out of order
  • Connectionless: every packet is handled
    independently
  • Best-effort: no quality guarantee

5
  • The IP protocol defines
  • The format of the IP packet
  • Routing
  • The IP protocol determines
  • Packet processing procedures
  • Error reporting and handling procedures
  • When packets can be discarded

6
IP encapsulation
  • In Ethernet, the frame type (EtherType) for IP is
    0x0800

Figure: Ethernet frame carrying an IP header followed by IP data
7
IP format
8
  • Details of the IP packet
  • Vers: current version is 4
  • HLEN: header length in 32-bit words. Usually 5
    (20 bytes); the maximum is 60 bytes (with IP options)
  • Type of service: usually all 0 (best effort); can
    be used for DiffServ and QoS
  • 3 bits of precedence, 4 bits of TOS, 1 bit unused
  • TOS bits: 1 (min delay), 2 (max throughput), 3 (max
    reliability), 4 (min cost)
  • Total length: 16 bits, so a packet can be up to 64K
    bytes long

9
  • Identification, flags, and offset: used for
    fragmentation and reassembly (later)
  • TTL (time to live): the number of routers or seconds
    a packet can live
  • Every router reduces this value by one. When it
    reaches 0, the packet is discarded
  • Can be used to prevent routing loops
  • TTL is also used to implement traceroute

10
  • -bash-3.1 ping -i 7 dell.com
  • PING dell.com (143.166.224.244) 56(84) bytes of
    data.
  • From kcm-edge-15.inet.qwest.net (65.120.164.89)
    icmp_seq1 Time to live exceeded
  • From kcm-edge-15.inet.qwest.net (65.120.164.89)
    icmp_seq2 Time to live exceeded

11
  • Type (protocol): the higher-level protocol the IP
    packet contains: ICMP (0x01), TCP (0x06), UDP (0x11)
  • Header checksum
  • Calculated only over the header
  • Re-computed at every hop (why? the TTL changes at
    every hop, so the checksum must change with it)
  • Example: an ICMP packet between 128.10.2.3 and
    128.10.2.8. Header length is 20 bytes
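
Added example (not from the slides): building the 20-byte header for the ICMP packet between 128.10.2.3 and 128.10.2.8, computing the RFC 791 header checksum, and showing why a router must recompute it after decrementing the TTL. Every field value other than the two addresses, the ICMP protocol number and the 20-byte header length is an assumption.

```python
import socket
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, proto, ttl, total_length, ident=0):
    """20-byte header without options: version 4, HLEN 5, TOS 0, flags/offset 0.
    TTL, total length and IDENT are assumed values for the example."""
    ver_hlen = (4 << 4) | 5
    head = struct.pack("!BBHHHBBH4s4s", ver_hlen, 0, total_length, ident, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(head)               # computed over the header only
    return head[:10] + struct.pack("!H", csum) + head[12:]

def header_is_valid(header: bytes) -> bool:
    """A received header verifies when the checksum over all 20 bytes is 0."""
    return ipv4_checksum(header) == 0

def forward_one_hop(header: bytes) -> bytes:
    """What a router does: decrement the TTL and recompute the checksum.
    Changing the TTL without recomputing leaves a header that no longer verifies."""
    ttl = header[8]
    if ttl <= 1:
        raise ValueError("TTL expired: drop the packet and report ICMP time exceeded")
    patched = header[:8] + bytes([ttl - 1]) + header[9:10] + b"\x00\x00" + header[12:]
    return patched[:10] + struct.pack("!H", ipv4_checksum(patched)) + patched[12:]
```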

12
(No Transcript)
13
  • IP header options
  • Record route option
  • Intermediate routers attach their IP address to
    the packet
  • Timestamp option
  • Intermediate routers attach a 32-bit timestamp
  • Source routing option
  • Strict source routing
  • Loose source routing: allows multiple hops between
    the listed routers

14
(No Transcript)
15
  • IP fragmentation
  • Why do we need it?
  • MTU: maximum transmission unit
  • An IP packet can be as large as 65535 bytes
  • Different hardware has different MTUs: Ethernet
    1500, FDDI 4470

16
(No Transcript)
17
  • IP fragmentation
  • Routers divide an IP datagram into several
    smaller fragments based on the MTU
  • Fragments use the same header format as the
    original datagram
  • Each fragment is routed independently

18
  • How to fragment
  • IDENT: a unique number that identifies an IP
    datagram; fragments with the same identifier belong
    to the same IP datagram
  • Fragment offset
  • Specifies where the data belongs in the original
    packet
  • Measured in multiples of 8 bytes
  • Uses 13 bits (why do we only need 13 bits? 2^13 units
    of 8 bytes cover the 65535-byte maximum datagram)

19
  • FLAGs
  • Bit 0: reserved
  • Bit 1: do not fragment (if this bit is set and
    the MTU is not large enough, we send an ICMP message
    to report this)
  • Bit 2: more fragments; this bit is cleared in
    the last fragment (why do we need this bit? so we
    can calculate the length of the original packet)

20
(No Transcript)
21
  • Example
  • Original packet: header followed by 400 + 400 + 400
    bytes of data
  • Header 1: FLAG 001, OFFSET 0
  • Header 2: FLAG 001, OFFSET 400/8 = 50
  • Header 3: FLAG 000, OFFSET 800/8 = 100
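
Added example (not from the slides) that carries the numbers above through in code: fragmenting a datagram with three 400-byte data chunks over an assumed MTU of 420 bytes, refragmenting one of the resulting fragments (the "fragment of a fragment" case on the next slide) while keeping the MF flag correct, and recovering the original length from the last fragment. The tuple layout, the IDENT value and the MTU are assumptions.

```python
DF = 0x2   # "do not fragment" (the slide's bit 1)
MF = 0x1   # "more fragments" (the slide's bit 2)

def fragment(ident, flags, offset, data, mtu, header_len=20):
    """Split one (possibly already fragmented) piece so each part fits the MTU.

    A fragment is modelled as (ident, flags, offset, data) with the offset in
    8-byte units, as in the IP header.  Every part keeps the IDENT.  MF is set
    on every part except the last, and the last part keeps whatever MF value
    the incoming piece had: refragmenting a middle fragment must leave MF on
    in all of its parts, otherwise the receiver would think it saw the end.
    """
    if header_len + len(data) <= mtu:
        return [(ident, flags, offset, data)]
    if flags & DF:
        # the slide's rule: DF set and MTU too small -> ICMP report, no fragmentation
        raise ValueError("DF set and datagram exceeds MTU: report with ICMP")
    chunk = (mtu - header_len) // 8 * 8      # data per part must be a multiple of 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any data")
    parts = []
    for pos in range(0, len(data), chunk):
        piece = data[pos:pos + chunk]
        last = pos + chunk >= len(data)
        mf = MF if (not last or flags & MF) else 0
        parts.append((ident, mf, offset + pos // 8, piece))
    return parts

def original_length(frags):
    """Length of the original data, known only once the MF-cleared fragment arrives."""
    for _, flags, offset, data in frags:
        if not flags & MF:
            return offset * 8 + len(data)
    return None   # last piece not received yet: keep waiting (on a timer)
```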

22
  • Fragment of a fragment
  • Need to pay special attention to the FLAG bits
  • Reassembly
  • Reassembled before being delivered to higher layers
  • Where to reassemble, router or destination, and why?
    (not only efficiency)
  • Use a timer to handle lost fragments and discard
    the whole packet

23
(No Transcript)
24
  • Malicious activities using fragmentation
  • What if we never receive the last piece?
  • Overlapping fragments
  • The reassembled packet is larger than the allowed
    IP packet size (how can attackers do this?)

25
  • Attack 1: DoS attack
  • 1st fragment: offset 0
  • 2nd fragment: offset 64800
  • Result: the machine will now allocate 64K of memory
    and usually hold it for 15 to 255 seconds
  • Who is vulnerable: Win2K, XP, most versions of
    UNIX

26
  • Attack 2: TearDrop
  • First packet
  • payload size N
  • more-fragments bit on
  • 2nd fragment
  • more-fragments bit off
  • offset + payload < N
  • If the receiver assumes that the packet should
    become longer and longer, this may cause the machine
    to crash

27
  • Overlapping attacks against firewalls
  • Many firewalls inspect packets without reassembling
    them. If the TCP header is fragmented and the filter
    rule is based on TCP, the rule may fail
  • Firewall examines the SYN bit
  • Tiny fragment attack: the firewall only checks the
    first fragment. The minimum fragment is 68 bytes
    (ICMP requirement), but the SYN bit may fall
    into the 2nd fragment when IP options are used
  • Overlapping attack: packets are allowed to overlap
    during reassembly. The checked fragment may look
    OK but is overwritten by a later one
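
Added example (not from the slides) of the checks a defensive reassembler or firewall can apply to the fragment sets described on slides 24 to 27: a last fragment that never arrives, a second fragment at offset 64800 that would push the datagram past 65535 bytes, a TearDrop-shaped fragment that ends before the first one does, and a tiny first fragment that cannot hold the whole TCP header. The tuple layout and the fragment sets are constructed for the example.

```python
MAX_DATAGRAM = 65535   # 16-bit total length field
IP_HEADER_LEN = 20
TCP_HEADER_LEN = 20    # the flags byte (SYN bit) is byte 13 of the TCP header

def check_fragments(frags, transport_header_len=TCP_HEADER_LEN):
    """Inspect one datagram's fragments before accepting them.

    frags: list of (mf, offset_in_8_byte_units, data_length) tuples, any order.
    Returns a list of problems; an empty list means the set is safe to reassemble.
    """
    problems = []
    ordered = sorted(frags, key=lambda f: f[1])
    if not any(mf == 0 for mf, _, _ in frags):
        problems.append("no last fragment: hold on a timer, then discard the whole datagram")
    if ordered[0][1] != 0:
        problems.append("first fragment missing")
    elif ordered[0][2] < transport_header_len:
        problems.append("tiny first fragment: transport header is not complete in the "
                        "first fragment, so a SYN check on it alone is meaningless")
    prev_end = 0
    for mf, off, length in ordered:
        start, end = off * 8, off * 8 + length
        if start < prev_end:
            problems.append(f"overlap: fragment at byte {start} starts before previous end {prev_end}")
        if end < prev_end:   # the TearDrop shape: the datagram would shrink
            problems.append(f"shrinking: fragment ending at byte {end} lies inside earlier data")
        if end + IP_HEADER_LEN > MAX_DATAGRAM:
            problems.append(f"oversize: reassembled datagram would be {end + IP_HEADER_LEN} bytes")
        prev_end = max(prev_end, end)
    return problems

# constructed fragment sets: (mf, offset in 8-byte units, data length)
GOOD = [(1, 0, 400), (1, 50, 400), (0, 100, 400)]   # the slide-21 example
DOS_64800 = [(1, 0, 48), (0, 8100, 1000)]           # slide 25: offset 64800 = 8100 x 8
TEARDROP = [(1, 0, 400), (0, 3, 100)]               # slide 26: offset + payload < N
TINY = [(1, 0, 8), (0, 1, 32)]                      # slide 27: SYN would be in fragment 2
MISSING_LAST = [(1, 0, 400), (1, 50, 400)]          # slide 24: last piece never arrives
```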

28
  • IP spoofing
  • Spoofing
  • An attacker sends packets with another node's IP
    address
  • Replies will be routed to the victim
  • Egress filtering
  • Drop outgoing packets whose source address cannot
    come from your network
  • Ingress filtering
  • Drop incoming packets from invalid source addresses

29
  • Router and host
  • A router usually connects to multiple networks
  • A host only connects to one
  • Routing table
  • Used by routers to determine the next hop
  • When determining which entry to use, usually use
    the one with the longest match
  • Next-hop routing
  • The destination IP address does not change; only
    the next hop's MAC address is used

30
  • Default route
  • Used when no other entry matches the routing request
  • Routing procedure
  • Extract the destination IP D and compute the network
    prefix N
  • Is N the same (directly connected) network?
  • Which routing entry has the longest match?
  • Is there a default route?
  • Otherwise report an error
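
Added example (not from the slides) of the routing procedure on the last two slides: a next-hop routing table with longest-match lookup, a directly connected network, a default route, and an error when nothing matches. The prefixes, next hops and interface names are constructed.

```python
import ipaddress

class RoutingTable:
    """Next-hop routing table: the destination IP stays the same, only the next hop changes."""

    def __init__(self):
        self.entries = []   # (network, next_hop, interface); next_hop None = directly connected

    def add(self, prefix, next_hop, interface):
        self.entries.append((ipaddress.ip_network(prefix), next_hop, interface))

    def lookup(self, dst):
        """Return (next_hop, interface) for dst using the longest matching prefix.

        A directly connected network (next_hop None) means deliver to dst itself.
        The default route 0.0.0.0/0 matches everything with the shortest prefix,
        so it is chosen only when nothing more specific matches.
        """
        d = ipaddress.ip_address(dst)
        best = None
        for net, next_hop, iface in self.entries:
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        if best is None:
            raise LookupError(f"no route to {dst}: report an error to the source")
        return best[1], best[2]

def build_sample_table(with_default=True):
    """Constructed table for a router on 128.10.0.0/16 with one upstream link."""
    rt = RoutingTable()
    rt.add("128.10.0.0/16", None, "eth0")           # directly connected campus network
    rt.add("128.10.2.0/24", "128.10.0.2", "eth0")   # one subnet reached via another router
    if with_default:
        rt.add("0.0.0.0/0", "10.0.0.1", "eth1")     # default route to the upstream
    return rt
```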

31
  • Handling incoming packets
  • Host: accept or discard, do not forward. Why?
  • Router
  • Decrease the TTL and recompute the checksum
  • If the TTL reaches 0, drop the packet and send an
    error message to the source