Data Link Layer Security

1
Data Link Layer Security Network Layer Security

• Lecture 3
• Asst.Prof. Supakorn Kungpisdan, Ph.D.
• supakorn_at_mut.ac.th

2
Roadmap

• Data-link Layer Security
• Network Layer Security

3
Task MAC Address Spoofing

• What is MAC address spoofing?
• What is its purpose?
• Suggest a way to perform an attack using MAC
  spoofing
• Explain how it works
• Suggest how to prevent MAC Address Spoofing

4
Passive Sniffing

• Monitor incoming packets
• Rely on a feature of network cards called
  promiscuous mode
• A network card will pass all packets on to the
  operating system, rather than just those unicast
  or broadcast to the host
• It only listens to incoming packets, but not
  transmits any packets
• Does not work well in a switched network
• The attacker can sniff traffic within his/her VLAN

5
Active Sniffing

• Inject packets into the network that causes
  traffic that should not be sent to your system,
  to be sent to your system
• Active wireless sniffing involves sending out
  multiple network probes to identify APs

6
ARP Poisoning

• Active or passive sniffing?

7
ARP Poisoning (cont.)

• By spoofing the default gateways IP address, all
  hosts on the subnet will route through the
  attackers machine
• Need to poison ARP cache of every host on the
  subnet
• Better if targeting a single host on the network
• Should not spoof the IP of another client. Why?
• To perform ARP poisoning,
• arp s ltvictim IPgt ltour MAC addressgt pub

8
ARP Flooding

• Aka. CAM (Content Addressable Memory) Table
  Overflow
• CAM stores information about MAC addresses
  available on each physical port and their
  associated VLAN parameters
• CAM is a normal memory limited in size
• Flood huge ARP Request to switch
• The switch is too busy to enforce its port
  security and broadcasts all traffic to every port
  in the network
• Thus making possible a MITM attack the attacker
  can start sniffing network traffic

9
DHCP
10
DHCP Starvation Attack

• Consuming the IP address space allocated by a
  DHCP server
• Attacker broadcasts a large number of DHCP
  requests using spoofed MAC addresses
• The DHCP server will lease its IP addresses one
  by one to the attacker until it runs out of
  available IPs for new, normal clients
• Lead to DoS

11
Rogue DHCP Server

• Set up a rogue DHCP server serving clients with
  false details
• E.g. giving them its own IP as default router
• Result in all the traffic passing through the
  attackers computer
• Rogue DHCP server can be set up even without DHCP
  starvation attack, as clients accept the first
  DHCPOFFER they receive

12
Preventing DHCP Attacks

• Port security do not allow more than X MAC
  addresses on one port
• Rogue DHCP is more difficult to prevent
• Authentication for DHCP Messages (RFC3118)
• DHCP snooping filters DHCP messages from
  non-trusted hosts
• It contains database of trusted and untrusted
  interfaces

13
DHCP Snooping

• An untrusted interface interface configured to
  receive messages from outside the network or
  firewall
• A trusted interface interface configured to
  receive only messages from within the network
• An untrusted message is a message that is
  received from outside the network or firewall and
  that can cause traffic attacks within your
  network

14
DHCP Snooping (cont.)

• DHCP snooping acts like a firewall between
  untrusted hosts and DHCP servers.
• DHCP snooping filters untrusted DHCP messages and
  by building and maintaining a DHCP snooping
  binding table
• DHCP snooping binding table contains
• MAC address,
• IP address,
• lease time,
• binding type,
• VLAN number, and
• interface information
• that corresponds to the local untrusted
  interfaces of a switch

15
DHCP Snooping (cont.)

• If the DHCPOFFER came from an untrusted
  interface, the switch shuts down the port
• The switch trusts the interface to which the
  authorized DHCP server is connected (trusted
  interface)

16
Enabling DHCP Snooping
Int GigabitEthernet 5/1 is trusted
Int GigabitEthernet 2/1 is untrusted
17
Dynamic ARP Inspection (DAI)

• DAI validates ARP packets in a network based on
  IP-to-MAC address bindings stored in a trusted
  database, the DHCP snooping binding database
• DAI checks IP-to-MAC binding from DHCP snooping
  DB
• It intercepts, log, and discards ARP packets with
  invalid IP-to-MAC address bindings.
• It checks only inbound packets

18
How DAI Works

• The switch performs these activities
• Intercepts all ARP requests and responses on
  untrusted ports
• Verifies that each of these intercepted packets
  has a valid IP-to-MAC address binding before
  updating the local ARP cache or before forwarding
  the packet to the appropriate destination
• Drops invalid packets

19
DAI (cont.)
http//www.ciscopress.com/articles/article.asp?p1
181682seqNum8
20
DAI In Actions
21
DAI in DHCP Environment

• DAI relies on the entries in the DHCP snooping
  binding database to verify IP-to-MAC address
  bindings.
• Configure each secure interface as trusted using
  the ip arp inspection trust interface
  configuration command.
• The trusted interfaces bypass the ARP inspection
  validation checks, and all other packets are
  subject to inspection when they arrive on
  untrusted interfaces.
• Switch(config) interface GigabitEthernet1/0/1
  Switch(config-if) ip arp inspection trust
• Switch(config) ip arp inspection vlan 5-10

22
DAI in non-DHCP Environment

• DAI replies on user-configured ARP access control
  lists (ACLs) for hosts with statically configured
  IP addresses
• Switch(config) arp access-list arpacl
• Switch(config-arp-acl) permit ip host 10.1.1.11
  mac host 0011.0011.0011
• Switch(config-arp-acl) exit
• Switch(config) ip arp inspection filter arpacl
  vlan 5 Switch(config) interface
  GigabitEthernet1/0/2 Switch(config-if) no ip arp
  inspection trust
• If the ARP packet is received on a trusted
  interface, the switch forwards the packet without
  any checks

23
DAI Steps

• By default, all interfaces are untrusted
• The switch does not check ARP packets that it
  receives from the other switch in the trusted
  interface
• For untrusted interfaces,
• the switch intercepts all ARP requests and
  responses.
• It verifies that the intercepted packets have
  valid IP-to-MAC address bindings.
• Firstly it checks from ARP access control list
• If no such ACL, check from DHCP snooping database

24
Routing Games

• One method to ensure that all traffic on a
  network will pass through your host is to change
  the routing table of the host you wish to monitor
• Sending a fake route advertisement via the RIP,
  declaring yourself as the default gateway
• All outbound traffic will pass though your host
  then go to the real default gateway
• But may not receive returned traffic unless you
  can modify the default gateways routing table

25
Network Layer Security

• Supakorn Kungpisdan, Ph.D.
• supakorn_at_mut.ac.th

26
Overview
IP Header Length
(IPID)
IP Packet Format
27
Overview

• IP, ICMP, and Routing protocols
• IP is connectionless, subjected to DoS
• ICMP can be used by attackers
• Routing protocols are subjected to stack attacks

28
IP Attacks

• Spoofing
• Fragmentation
• Passive and Active Fingerprinting
• Port Scanning
• Redirection

29
IP Spoofing

• Local Spoofing

• Blind Spoofing

• Attacker and victim are on the same subnet
• Attacker begins with sniffing traffic, find key
  pieces of information needed to launch an attack
• Session hijacking is another spoofing technique.
• The attack starts at transport layer

• Attacker is not on the same local subnet as
  victim
• Many pieces of information needed to be
  successful are not available. The key parameters
  must be guessed
• Most modern OSes use fairly random sequence
  numbers making the attack difficult to launch

30
Fragmentation

• Fragmentation is required when transmitting
  packets to different networks that have different
  MTUs
• The idea is to send different data streams to
  each device

31
IP Fragmentation
Fragmentation is required when transmitting
packets to different networks that have different
MTUs
32
Evasion Attack

• Evasion attack sends packets to an IDS and
  target that will be rejected by the IDS and
  accepted by the target. IDS drops and does not
  check the packet payload
• An attacker sends the first fragment to an IDS
  that has a fragmentation timeout of 15 s, while
  target system has a timeout of 30 s
• Attacker waits more than 15 s but less than 30 s
  before sending the 2nd fragment.
• The IDS discards the second (inc. the first)
  segment because the timeout reaches
• However, the target system accepts the second
  fragment (within the timeout)
• Thus, the IDS will not record this attack

2
1
1
2
30 s
15 s
33
Fragmentation Attacks

• Overlapping fragmentation can offer an attacker a
  means of slipping packets past an IDS and
  firewall
• Sending a packet passing a cisco router to a
  windows-based system
• If receiving a duplicated packet,
• Cisco router prefers the last fragment, whereas
• Windows prefers the original fragment

34
Fragmentation Attacks (cont.)
Same size, same offset
35
Fragmentation Attacks (cont.)

• An attacker breaks a message into 3 fragments
• He sends fragment 1 and 2 to both router and
  windows. Both accepts the fragments
• He then sends fragment 2 and 3. The retransmitted
  fragment 2 is of the same size and offset as the
  original fragment but different payload
• Windows keeps the original fragment 2 but the
  router keeps the retransmitted one

36
Teardrop Attack

• Teardrop, targa, NewTear, Nestea Bonk, Boink,
  TearDrop2, and SynDrop are some of the tools that
  can crash machines that have a vulnerability in
  the IP atack
• There is a fragmentation bug in the IP stack
  implementation of some old Linux kernels (2.0),
  Windows NT, and Windows 95
• Sending malformed packets with fragmentation
  offset value tweaked so that the receiving
  packets overlap
• A reboot solved the problem until the next attack

37
Fingerprinting

• Fingerprinting is the act of using peculiarities
  of IP, TCP, UDP, and ICMP to determine the
  operating system
• Active VS passive fingerprinting
• Active fingerprinting sends malformed (or
  non-RFC-compliant) packets to the target.
  Different OSes response to these packets
  differently
• Nmap

38
Passive Fingerprinting

• Passive fingerprinting similar concept, but not
  injecting traffic into the network
• Looking at 4 fields
• TTL value
• Dont Fragment bit (DF)
• Type of Service (TOS)
• Window size
• TTL, DF, and TOS are found in IP header
• Window size is found in TCP header

39
Passive Fingerprinting TTL

• A packet has its TTL reduced each time it is
  passed though a router or when it remains in the
  routers queue too long
• No requirement about the suitable of TTL
• The attacker may assume that the value observed
  is less than the original value (no more than 255)

40
Passive Fingerprinting DF and TOS

• DF flag is primary method that systems use to
  determine the PMTUD (Path MTU Discovery)
• Many older OSes dont use this feature
• TOS can be analyzed to determine the OS
• Eventhough it is rarely used on the internet,
  some developers will set it into a value other
  than zero to prevent this fingerprinting

41
PMTUD

• Path MTU discovery (PMTUD) is a technique in
  computer networking for determining the MTU size
  on the network path between two hosts, usually
  with the goal of avoiding IP fragmentation
• Path MTU discovery works by setting the DF (Don't
  Fragment) option bit in the IP headers of
  outgoing packets.
• Any device along the path whose MTU is smaller
  than the packet will drop it, and send back an
  ICMP Type 3 Code 4 Destination Unreachable
  (Fragmentation Needed and DF was set)" message
• The ICMP Type 3 Code 4 message contains its MTU,
  allowing the source host to reduce its assumed
  path MTU appropriately.
• The process repeats until the MTU is small enough
  to traverse the entire path without
  fragmentation.

42
PMTUD (cont.)
43
Passive Fingerprinting Window Size

• TCP Window specifies the amount of data that can
  be sent without having to receive an
  acknowledgement
• Window size should either be as close as possible
  to the MTU or should be some multiple of this
  value
• Linux 2.0 used a value of 16,384, while version 3
  of FreeBSD used a value of 17,520
• The most up-to-date passive fingerprinting tool
  is p0f

44
Idle Scan Open Port
45
Idle Scan Close Port
46
Idle Scan Limitations

• The idle host must truly be idle
• Not all OSes use an incrementing IPID
• Some versions of Linux set IPID to zero or
  generate a random IPID value
• Several message passes need to be performed to
  validate the results

47
ICMP Attacks

• ICMP helps with logical errors and diagnostics
• ICMP does not offer authentication
• Payload is not checked by OS
• ICMP attacks include using convert channels, echo
  attacks, to port scan, traffic redirection, OS
  fingerprinting, and DoS

48
Convert Channels

• Convert channels offer attackers a way to have a
  secure communications channel by using allowed
  services
• Convert channels can also work by exploiting
  flaws or weaknesses in protocols like ICMP, esp.
  ping
• ICMP fields used in ping include
• Type, Code, Identifier, Sequence Number, Optional
  Data

49
ICMP Format
50
Convert Channels (cont.)
51
Convert Channels (cont.)
52
Convert Channels (cont.)

• Some systems like Linux let user add data into
  the ping
• ping p 2b2b2b415448300 192.168.123.101
• will place the modem hang up string into the
  ping packet
• Convert channel tools can use ICMP, TCP, or even
  IGRP.
• Loki, ICMP Backdoor, 007Shell, B0CK

53
ICMP Echo Attacks

• Flood target with ping traffic and use up all
  available bandwidth
• Smurf exploits ICMP by sending a spoofed ping
  packet to the broadcast address and has the
  source address listed as the victim
• In 2002, an attacks was launched against core DNS
  servers. They had ping enabled
• Results in a large DoS attack that slowed the
  operation of primary DNS servers

54
Port Scanning

• ICMP can be of great use to an attacker
  attempting to discover what ports are open
• ICMP is invaluable since there is no response
  like with TCP
• Sending an ICMP packet to a port
• will get no response if the port is open and
• will receive an ICMP type 3 code 3 (Destination
  Unreachable, Port Unreachable) packet if the port
  is closed

55
Port Scanning (cont.)
Type 3 (Destination Unreachable) Code 3 (Port
Unreachable)
56
ICMP Nuke Attacks

• Using spoofed addresses, an attacker sends Time
  Exceeded (Type 11) or Destination Unreachable
  (ICMP Type 3) messages to communicating hosts
• This results in a DoS attack
• Check out ICMP Types and Codes

57
ICMP Redirect Attack

• By sending ICMP redirect messages, an attacker
  might force a router to forward packets destined
  to one host to the attackers IP address

58
Preventing ICMP Redirect Attack

• With Linux, we can force the kernel not to accept
  redirect messages for one or all interfaces
• root_at_router echo 0 gt /proc/sys/net/ipv4/conf/eth0
  /accept_redirects

59
ICMP Flood

• Ping Flood creates a broadcast storm of pings
  that overwhelm the target system
• Using Linux, one can flood a host using ping f.
• root_at_router ping f 10.10.10.12 c 1000
• The above command floods the host 10.10.10.12
  with 1,000 packets

60
Preventing Ping Flood

• Ping flood can be stopped by limiting the number
  of ICMP echo-request messages with IPTables
• root_at_router iptables A FORWARD p icmp
  icmp-type echo-request m limit limit 10/s j
  ACCEPT
• root_at_router iptables A FORWARD p icmp
  icmp-type echo-request j DROP

61
Ping of Death

• Ping of Death crashed machines by sending ICMP
  echo request messages in IP packets with larger
  than the maximum legal length of 65,535 octets,
  causing a buffer overflow to crash the victims
  device (computer, printer, etc.)

62
Routing Protocols Attacks

• Distance-vector and link-state routing protocols
  are suffered from attacks especially DoS
• RIP is unauthenticated service it is vulnerable
  to DoS
• RIP spoofing works by making fake RIP packets and
  sending them to gateways and hosts to change
  their routes
• Attacker can also modify the routing information
  to cause a redirect through a network, allowing
  him to sniff passwords or intercept and change
  date

63
Preventing Address Spoofing

• Do not allow traffic with the internal IP address
  as source that comes from the internet
• Log the dropped packets
• Check out router configuration guide at
  http//www.nsa.gov/snac/downloads_all.cfm
• RIPv1 sends update in cleartext and no
  authentication
• RIPv2 has authentication but sends authentication
  in cleartext
• Suggest to use OSPF with MD5 authentication
• Restrict dynamic routing when possible

64
Task

• Research a technique to enhance security of DHCP
  protocol
• Have a presentation on June 26, 2011.
• 15 minutes per group

65
Question?

• Next week
• OSI Security 3