This document provides a summary of a lecture on network attacks. It discusses various forms of network attacks like sniffing, spoofing, DoS/DDoS, and DNS attacks. It then covers specific attack methods like sniffing through hubs, switches, and wireless networks. Defenses against sniffing like encryption and intrusion detection systems are also summarized. The document also briefly outlines IP address spoofing and defenses using ingress and egress filtering.

Uploaded by

Slim Rekhis

Lecture 6: Network Attacks II

CS 336/536: Computer Network Security


Fall 2014

Nitesh Saxena
Adapted from previous lectures by Keith Ross and Gene Tsudik

Course Admin
• HW/Lab 1
– We are grading (should return by next class)
– Solution will be provided soon
• Lab sessions not active this Friday
• HW/Lab 2 will be posted early next week
– Covers Lecture 5 (network mapping)
• Questions?

Outline

• Various forms of Network Attacks


– Sniffing
– Spoofing and Hijacking
– DoS/DDoS
– DNS Attacks

Lecture 6 - Network Attacks II 3

Attacks & Hacker Tools

Before talking about defenses, need to look at network from attacker’s perspective:

 Reconnaissance
 Network mapping
 Port scanning
 Sniffing
 IP address spoofing
 Session hijacking
 DoS
 DDoS

Review of interconnection devices

 Hubs
 Switches
 Routers


Hubs
Hubs are essentially physical-layer repeaters:
 bits coming from one link go out all other links
 at the same rate
 no frame buffering
 no CSMA/CD at hub: adapters detect collisions
 provides net management functionality

[Figure: hub connecting hosts over twisted pair]

Sniffing
 Attacker is inside firewall
 Requirements
  Attacker’s host connected to shared medium
  NIC should be in “promiscuous mode”
   • processes all frames that come to NIC
  Sniffer has two components
   Capture
   Packet analysis
 Grab and file away:
  userids and passwords
  credit card numbers
  secret e-mail conversations
 Island hopping attack:
  Take over single machine (eg virus)
  Install sniffer, observe passwords, take over more machines, install sniffers

Passive sniffing
 Easy to sniff:
 802.11 traffic
 Ethernet traffic passing through a hub
• Any packet sent to a hub is broadcast to all interfaces
• Not true for a switch
 Popular sniffers
 Wireshark
 tcpdump (for unix)
 Snort (sniffing and intrusion detection)

Active Sniffing through a switch

How does attacker sniff packets sent to/from the victim?

[Figure: attacker and victim both attached to the same switch]

Have to get victim’s packets to attacker!

Sniffing through a switch: flooding switch memory approach

 Host sends flood of frames with random source MAC addresses
 Switch’s forwarding table gets filled with bogus MAC addresses
 When “good packet arrives,” dest MAC address not in switch memory
 Switch broadcasts real packets to all links
 Sniff all the broadcast packets

Sniffing through LAN: poison victim’s ARP table approach

Idea: have client’s traffic diverted to attacker

(0) Sniff all frames that arrive. Configure so that IP packets arriving from victim are forwarded to default router
(1) Send fake ARP response, mapping router IP address to attacker’s MAC address
(2) Victim sends traffic destined to outside world. Poisoned ARP table causes traffic to be sent to attacker
(3) Packets are forwarded from attacker’s host to default router

[Figure: attacker, victim and default router for LAN attached to a switch; the router connects to the outside world]


Powerful sniffing tools

 Dsniff and ettercap
  Flooding switch memory
  ARP poisoning

Sniffing defenses
 Encrypt data: IPsec, SSL, PGP, SSH
 Get rid of hubs: complete migration to switched network
 Use encryption for wireless
 Configure switches with MAC addresses
  Turn off self learning (knowing mappings between ports and MAC addresses)
  Eliminates flooding problem
 Intrusion detection systems:
  Look out for large numbers of ARP replies
 Honeypot
  Create fake account and send password over network
  Identify attacker when it uses the password

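A small monitor that implements the “look out for large numbers of ARP replies” idea from the defenses above, plus a baseline check on the router’s IP-to-MAC mapping that the ARP-poisoning approach overwrites. This is an added example, not code from the slides; the alert thresholds, the router mapping and the ARP frames fed to it are all constructed.

```python
from collections import deque

REPLY_LIMIT = 20        # ARP replies per window before alerting (assumed threshold)
WINDOW_SECONDS = 10.0   # sliding-window length (assumed)


class ArpMonitor:
    """Watches ARP replies for two symptoms of the attacks above: a protected IP
    (the default router) answered by an unexpected MAC, and a burst of replies,
    typically from many different sender MACs (switch-table flooding)."""

    def __init__(self, baseline):
        self.baseline = {ip: mac.lower() for ip, mac in baseline.items()}  # trusted IP -> MAC
        self.window = deque()        # (timestamp, sender MAC) of recent replies
        self.flood_alerted = False   # a sustained flood raises one alert, not one per frame

    def observe(self, ts, op, sender_mac, sender_ip):
        """Feed one ARP frame (op is 'request' or 'reply'); returns alert strings."""
        alerts = []
        if op != "reply":
            return alerts
        expected = self.baseline.get(sender_ip)
        if expected is not None and expected != sender_mac.lower():
            alerts.append(f"poison: {sender_ip} claimed by {sender_mac}, expected {expected}")
        self.window.append((ts, sender_mac))
        while self.window and ts - self.window[0][0] > WINDOW_SECONDS:
            self.window.popleft()
        n = len(self.window)
        if n >= REPLY_LIMIT and not self.flood_alerted:
            distinct = len({mac for _, mac in self.window})
            alerts.append(f"flood: {n} ARP replies from {distinct} MACs in {WINDOW_SECONDS:.0f}s")
            self.flood_alerted = True
        elif n < REPLY_LIMIT:
            self.flood_alerted = False
        return alerts


def run_demo():
    """Constructed frame sequence: one legitimate router reply, one reply that
    claims the router's IP from another MAC, then 25 replies with made-up MACs."""
    monitor = ArpMonitor({"10.0.0.1": "00:00:5e:00:53:01"})  # constructed router mapping
    frames = [
        (0.0, "reply", "00:00:5e:00:53:01", "10.0.0.1"),    # router answers as itself
        (1.0, "request", "00:00:5e:00:53:aa", "10.0.0.7"),  # requests are ignored
        (2.0, "reply", "00:00:5e:00:53:aa", "10.0.0.1"),    # another MAC claims the router
    ]
    frames += [(3.0 + i * 0.08, "reply", f"02:00:00:00:{i:02x}:{i:02x}", f"10.0.0.{100 + i}")
               for i in range(25)]
    alerts = []
    for frame in frames:
        alerts += monitor.observe(*frame)
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```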

IP address spoofing (1)

[Figure: host 145.13.145.67 sends a packet to 212.68.212.7 carrying SA: 36.220.9.59, DA: 212.68.212.7]

 Attacker doesn’t want actions traced back
 Simply re-configure IP address in Windows or Unix.
 Or enter spoofed address in an application
  e.g., decoy packets with Nmap


IP address spoofing (2)

[Figure: attacker 145.13.145.67 sends SA: 36.220.9.59, DA: 212.68.212.7 to victim 212.68.212.7; the victim’s reply, SA: 212.68.212.7, DA: 36.220.9.59, goes to the spoofed host 36.220.9.59]

 But attacker cannot interact with victim.
 Unless attacker is on path between victim and spoofed address.

IP spoofing with TCP?
 Can an attacker make a TCP connection to server with a spoofed IP address?
 Not easy: SYNACK and any subsequent packets sent to spoofed address.
 If attacker can guess initial sequence number, can attempt to send commands
  Send ACK with spoofed IP and correct seq #, say, one second after SYN
 But TCP uses random initial sequence numbers.


Defense: Ingress and egress filtering

[Figure: privately administered network 222.22/16 attached to the Internet. A packet with source 127.32.1.1 leaving the network is dropped either by egress filtering at the network’s own border router or by ingress filtering at the ISP’s router]

Ingress Filtering: Upstream ISP (1)

[Figure: a tier-1 ISP with two regional ISP customers. The first regional ISP serves 12.12/24 and 34.34/24 and sends the BGP update “12.12/24, 34.34/24”; the second serves 56.56/24 and 78.78/24 and sends the BGP update “56.56/24, 78.78/24”]


Ingress Filtering: Upstream ISP (2)

[Figure: from the BGP updates, the tier-1 ISP installs “filter all but 12.12/24 and 34.34/24” on the link from the first regional ISP and “filter all but 56.56/24 and 78.78/24” on the link from the second]

Ingress Filtering: Upstream ISP (3)

[Figure: a packet with spoofed source 56.56.1.1 arriving from the first regional ISP (12.12/24, 34.34/24) is dropped by the tier-1 ISP’s “filter all but 12.12/24 and 34.34/24”]


Ingress Filtering: Upstream ISP (4)

[Figure: a packet with spoofed source 34.34.1.1 arriving from the first regional ISP passes the same filter, because 34.34/24 is one of that ISP’s own prefixes: spoofed packet gets through!]

Ingress filtering: summary
 Effectiveness depends on widespread deployment at ISPs
 Deployment in upstream ISPs helps, but does not eliminate IP spoofing
 Filtering can impact router forwarding performance
 Even if universally deployed at access, hacker can still spoof another address in its access network 12.12/24
 See RFC 2827 “Network Ingress Filtering: Defeating DDoS”

Session hijacking
 Take control of one side of a TCP connection
 Marriage of sniffing and spoofing

[Figure: Alice has a telnet session to Bob; the attacker sits on the path between them]

Session hijacking: The details

 Attacker is on segment where traffic passes from Alice to Bob
 Attacker sniffs packets
  Sees TCP packets between Bob and Alice and their sequence numbers
 Attacker jumps in, sending TCP packets to Bob; source IP address = Alice’s IP address
  Bob now obeys commands sent by attacker, thinking they were sent by Alice
 Principal defense: encryption + MAC
  Attacker does not have keys to encrypt/authenticate and insert meaningful traffic

Session hijacking: limitation

[Figure: Bob and Alice. 1. Bob sends a weird ACK # for data never sent. 2. To resync, Alice sends segment with correct seq #]

Bob is getting segments from attacker and Alice. Source IP address same, but seq #’s different. Bob likely drops connection.

Attacker’s solution:
• Send unsolicited ARP replies to Alice and Bob with non-existent MAC addresses
• Overwrite IP-to-MAC ARP tables
• Alice’s segments will not reach Bob and vice-versa
• But attacker continues to hear Bob’s segments, communicates with Bob

Session Hijacking Tools:

 Hunt
  http://ihackers.co/hunt-session-hijacking-tool/
  Provides ARP poisoning
 Netcat
  General purpose widget
  Very popular

Denial-of-Service
Prevent access by legitimate users or stop critical system processes
 Implementation Vulnerability attack:
  Send a few crafted messages to target app that has vulnerability
  Malicious messages called the “exploit”
  Remotely stopping or crashing services
 Connection flooding attack
  Overwhelming connection queue with SYN flood
 Bandwidth flooding attack:
  Overwhelming communications link with packets
 Strength in flooding attack lies in volume rather than content

DoS and DDoS

 DoS:
  source of attack small # of nodes
  source IP typically spoofed
 DDoS
  From thousands of nodes
  IP addresses often not spoofed
 Good book:
  Internet Denial of Service by J. Mirkovic, D. Dittrich, P. Reiher, 2005

Interlude: IP datagram format

The header is laid out in 32-bit words:
 ver: IP version
 head. len: header length (bytes)
 type of service: “type” of data
 length: total datagram length (bytes)
 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
 time to live: max number remaining hops (decremented at each router)
 upper layer: upper layer protocol to deliver payload to
 Internet checksum
 32 bit source IP address
 32 bit destination IP address
 Options (if any)
 data: variable length, typically a TCP or UDP segment

IP Fragmentation and Reassembly

Example: 4000 byte datagram, MTU = 1500 bytes. One large datagram becomes several smaller datagrams:

 original: length=4000, ID=x, fragflag=0, offset=0
 fragment 1: length=1500, ID=x, fragflag=1, offset=0 (1480 bytes in data field)
 fragment 2: length=1500, ID=x, fragflag=1, offset=185 (offset = 1480/8)
 fragment 3: length=1040, ID=x, fragflag=0, offset=370

DoS: examples of vulnerability attacks
see http://www.cert.org/advisories/CA-1997-28.html
 Land: sends spoofed packet with source and dest address/port the same
 Ping of death: sends oversized ping packet
 Jolt2: sends a stream of fragments, none of which have offset of 0. Rebuilding consumes all processor capacity.
 Teardrop, Newtear, Bonk, Syndrop: tools send overlapping segments, that is, fragment offsets incorrect.

Patches fix the problem, but malformed packet attacks continue to be discovered.

LAND
 Local Area Network Denial
 Spoofed SYN packet with source and destination both being the victim
 On receipt, victim’s machine keeps on responding to itself in a loop
 Causes the victim to crash
 Many OSs are vulnerable, e.g.,
  Windows 95, NT, XP SP2
  Mac OS MacTCP

Ping of Death
 ICMP Echo Request (Ping) is 56 bytes
 If a ping message is more than 65536 bytes (max for IP packet), this can cause some machines to crash
  Older Windows systems

Solution: patch OS, filter out ICMP packets

“Teardrop”, “Bonk” and kin

 TCP/IP fragments contain Offset field
 Attacker sets Offset field to:
  overlapping values
   • Bad/old implementation of TCP/IP stack crashes when attempting to re-assemble the fragments
  … or to very large values
   • Target system crashes

Solution: use up-to-date TCP/IP implementation
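A fragmentation and reassembly routine that covers both the 4000-byte/MTU-1500 example from the fragmentation slide and the malformed sets the Teardrop, Bonk, Jolt2 and Ping-of-Death entries describe: it rejects overlapping fragments, fragments that would extend past 65535 bytes, and streams with no offset-0 fragment instead of trying to rebuild them. This is an added example, not code from the slides or from any real IP stack; it assumes a 20-byte header on every fragment and works on header fields only, not real packets.

```python
from dataclasses import dataclass

IP_HEADER = 20         # header length assumed for every fragment (no options)
MAX_DATAGRAM = 65535   # largest total length the 16-bit IP length field can express


@dataclass(frozen=True)
class Fragment:
    length: int   # total length field (header + data), as in the slide's table
    ident: int    # 16-bit identifier shared by all fragments of one datagram
    more: int     # "more fragments" flag (fragflag)
    offset: int   # fragment offset, in 8-byte units

    @property
    def data_len(self):
        return self.length - IP_HEADER


def fragment(total_len, ident, mtu):
    """Split one datagram the way a router does; data per piece is a multiple of 8."""
    payload = total_len - IP_HEADER
    chunk = (mtu - IP_HEADER) // 8 * 8
    frags, pos = [], 0
    while pos < payload:
        n = min(chunk, payload - pos)
        more = 1 if pos + n < payload else 0
        frags.append(Fragment(IP_HEADER + n, ident, more, pos // 8))
        pos += n
    return frags


def reassemble(frags):
    """Return the reassembled payload length, or raise ValueError on a malformed set."""
    if not frags:
        raise ValueError("no fragments")
    if len({f.ident for f in frags}) != 1:
        raise ValueError("mixed identifiers")
    if not any(f.offset == 0 for f in frags):
        raise ValueError("no first fragment (offset 0)")       # Jolt2-style stream
    covered = 0   # bytes of payload reassembled so far, contiguous from 0
    for f in sorted(frags, key=lambda f: f.offset):
        start, end = f.offset * 8, f.offset * 8 + f.data_len
        if end + IP_HEADER > MAX_DATAGRAM:
            raise ValueError("fragment extends past 65535 bytes")   # Ping-of-Death-style
        if start < covered:
            raise ValueError(f"overlap at byte {start}")        # Teardrop/Bonk-style
        if start > covered:
            raise ValueError(f"gap before byte {start}")
        covered = end
        last = f
    if last.more:
        raise ValueError("final fragment missing")
    return covered


def check(frags):
    """Reassembled length, or the validation error text (for quick inspection)."""
    try:
        return reassemble(frags)
    except ValueError as err:
        return str(err)
```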

Connection flooding: Overwhelming connection queue w/ SYN flood
 Recall client sends SYN packet with initial seq. number when initiating a connection.
 TCP on server machine allocates memory on its connection queue, to track the status of the new half-open connection.
 For each half-open connection, server waits for ACK segment, using a timeout that is often > 1 minute
 Attack: Send many SYN packets, filling connection queue with half-open connections.
  Can spoof source IP address!
  When connection queue is exhausted, no new connections can be initiated by legit users.

Need to know of open port on victim’s machine: Port scanning.

SYN Flooding Attack

[Figure: client C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5, … to server S, which is listening; for each SYN the server spawns a new thread and stores connection data, … and more, … and more]

SYN Flooding Explained
 Attacker sends many connection requests (SYNs) with spoofed source addresses
 Victim allocates resources for each request
  New thread, connection state maintained until timeout
  Fixed bound on half-open connections
 Once resources exhausted, requests from legitimate clients are denied
 This is a classic denial of service attack
  Common pattern: it costs the TCP client nothing to send a connection request, but the TCP server must spawn a thread for each request - asymmetry!
 What’s another example of this behavior?

SYN flood Issue

[Figure: amateur attack: attacker, victim and Alice; connection queue freed up with RST segment (a live host such as Alice answers the unexpected SYN-ACK with RST)]

Expert attack: Use multiple source IP addresses, each from unresponsive addresses.

Preventing Denial of Service (SYN Flood)
 DoS is caused by asymmetric state allocation
  If server opens new state for each connection attempt, attacker can initiate many connections from bogus or forged IP addresses
 Cookies allow server to remain stateless until client produces:
  Server state (IP addresses and ports) stored in a cookie and originally sent to client
  When client responds, cookie is verified

SYN flood defense: SYN cookies (1)

[Figure: Host A sends SYN with ISN_A; Host B answers SYN-ACK with ISN_B = cookie]

 When SYN segment arrives, host B calculates function (hash) based on:
  Source and destination IP addresses and port numbers, and a secret number
 Host B uses resulting “cookie” for its initial seq # (ISN) in SYNACK
 Host B does not allocate anything to half-open connection:
  Does not remember A’s ISN
  Does not remember cookie

SYN Cookies (2)
[Bernstein and Schenk]

[Figure: client C, server S.
 SYN_C → S (Listening…): does not store state
 SYN_S, ACK_C ← S: sequence # = cookie = F(source addr, source port, dest addr, dest port, coarse time, server secret), F = Rijndael or crypto hash
 ACK_S(cookie) → S: recompute cookie, compare with the one received, only establish connection if they match]

Compatible with standard TCP; simply a “weird” sequence number scheme

Cookie must be unforgeable and tamper-proof (why?)
Client should not be able to invert a cookie (why?)

More info: http://cr.yp.to/syncookies.html

SYN cookies (3)

If SYN is legitimate:
 Host A returns ACK
 Host B computes same function, verifies function = ACK # in ACK segment
 Host B creates socket for connection
 Legit connection established without the need for half-open connections

If SYN-flood attack with spoofed IP address:
 No ACK comes back to B for connection.
 No problem: B is not waiting for an ACK

What if Host A sends only ACK (no SYN)?
 Will host B establish a connection?
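The three SYN-cookie slides as runnable code: host B’s ISN is F(source addr, source port, dest addr, dest port, coarse time, server secret), nothing is stored for a half-open connection, and an ACK is accepted only if recomputing F reproduces the cookie. This is an added example, not the slides’ or any kernel’s implementation: HMAC-SHA256 stands in for “Rijndael or crypto hash”, the 5-bit slot field, the 64-second slot and the two-slot lifetime are assumed, and the addresses are constructed.

```python
import hashlib
import hmac
import os
import time

SLOT_SECONDS = 64      # "coarse time": cookies embed the 64-second slot they were issued in
COOKIE_LIFETIME = 2    # accept cookies from this many most recent slots (assumed)


class SynCookieServer:
    """Host B from the slides: no half-open state, the ISN is a keyed hash."""

    def __init__(self, secret=None, clock=time.time):
        self.secret = secret or os.urandom(16)   # the server secret
        self.clock = clock
        self.established = set()                 # only fully verified 4-tuples land here

    def _cookie(self, src, sport, dst, dport, slot):
        """F(source addr, source port, dest addr, dest port, coarse time, secret).
        The top 5 bits carry the slot number so the verifier knows which slot to
        recompute; the remaining 27 bits are the truncated HMAC."""
        msg = f"{src}|{sport}|{dst}|{dport}|{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((slot & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

    def on_syn(self, src, sport, dst, dport, client_isn):
        """Return ISN_B for the SYN-ACK; client_isn is deliberately not remembered."""
        slot = int(self.clock()) // SLOT_SECONDS
        return self._cookie(src, sport, dst, dport, slot)

    def on_ack(self, src, sport, dst, dport, ack_num):
        """Verify the ACK: its ACK number is ISN_B + 1, so the cookie is ack_num - 1."""
        cookie = (ack_num - 1) & 0xFFFFFFFF
        now_slot = int(self.clock()) // SLOT_SECONDS
        for age in range(COOKIE_LIFETIME):
            slot = now_slot - age
            if (slot & 0x1F) != cookie >> 27:
                continue
            expected = self._cookie(src, sport, dst, dport, slot)
            if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
                self.established.add((src, sport, dst, dport))
                return True
        return False   # unsolicited or forged ACK: nothing is allocated


def demo():
    """Legit handshake, a spoofed-source flood, an ACK with no SYN, and a stale cookie."""
    srv = SynCookieServer(secret=b"constructed-secret", clock=lambda: 1_000_000.0)
    isn_b = srv.on_syn("10.0.0.5", 40000, "10.0.0.1", 80, client_isn=12345)
    legit = srv.on_ack("10.0.0.5", 40000, "10.0.0.1", 80, isn_b + 1)
    for i in range(1000):   # SYN-ACKs go to addresses that never answer; B keeps nothing
        srv.on_syn(f"203.0.113.{i % 256}", 1000 + i, "10.0.0.1", 80, client_isn=0)
    guessed = srv.on_ack("10.0.0.6", 40001, "10.0.0.1", 80, 0xDEADBEEF)   # ACK, no SYN
    srv.clock = lambda: 1_000_000.0 + 3 * SLOT_SECONDS   # three slots later
    stale = srv.on_ack("10.0.0.5", 40000, "10.0.0.1", 80, isn_b + 1)
    return legit, guessed, stale, len(srv.established)
```

The flood of 1000 SYNs leaves `srv.established` at one entry: the only 4-tuple that ever completed the handshake.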

Overwhelming link bandwidth with packets
 Attack traffic can be made similar to legitimate traffic, hindering detection.
 Flow of traffic must consume target’s bandwidth resources.
 Attacker needs to engage more than one machine => DDoS
 May be easier to get target to fill-up its upstream bandwidth: async access
  Example: attacking BitTorrent seeds

Distributed DoS: DDoS

Attacker takes over many machines, called “bots”. Potential bots are machines with vulnerabilities.

[Figure: attacker controls several bots across the Internet; bot processes wait for command from attacker to flood a target (the victim)]

DDoS: Reflection attack

[Figure: attacker sends requests with Source IP = victim’s IP to several DNS servers; each DNS server sends its reply to the victim]

“Smurf” Attack

[Figure: 1. attacker sends an ICMP Echo Req with Src: victim’s address, Dest: broadcast address, through the router into the network. It looks like a legitimate “Are you alive?” ping request from the victim. Every host on the network generates a ping reply (ICMP Echo Reply) to victim; the stream of ping replies overwhelms victim]

Solution: reject external packets to broadcast addresses

DDoS: Reflection attack
 Spoof source IP address = victim’s IP
 Goal: generate lengthy or numerous replies for short requests: amplification
  Without amplification: would it make sense?
 January 2001 attack:
  requests for large DNS record
  generated 60-90 Mbps of traffic
 Reflection attack can also be done with Web and other services

DDoS Defenses
 Don’t let your systems become bots
  Keep systems patched up
  Employ egress anti-spoof filtering on external router.
 Filter dangerous packets
  Vulnerability attacks
  Intrusion prevention systems
 Signature and anomaly detection and filtering
 Rate limiting
  Limit # of packets sent from source to dest
 CAPTCHAs
  Could be useful against application level attacks (e.g., against web servers)

DNS attacks
 Reflector attack: already discussed
  Leverage DNS for attacks on arbitrary targets
 Denying DNS service
  Stop DNS root servers
  Stop top-level-domain servers (e.g. .com domain)
  Stop local (default) name servers
 Use fake DNS replies to redirect user
 Poisoning DNS:
  Insert false resource records into various DNS caches
  False records contain IP addresses operated by attackers

DDoS DNS Attack

Oct 21, 2002
 Ping packets sent from bots to the 13 DNS root servers. Goal: bandwidth flood servers
 Minimal impact:
  DNS caching
  rate limiting at upstream routers: filter pings when they arrive at an excessive rate
  During attack, some networks filtered pings; corresponding root servers remained up.
 Root server attack is easy to defend: download root server database to local (default) name servers
  Not much data in root server; changes infrequently
  TLD servers are more volatile
 Similar kind of attack in May 2004, Feb 2007

DNS attack: redirecting

[Figure: client and attacker share a hub or WiFi network; the client’s local DNS server is reached through it]

1. Client sends DNS query to its local DNS server; sniffed by attacker
2. Attacker responds with bogus DNS reply

Issues:
• Must spoof IP address: set to local DNS server (easy)
• Must match reply ID with request ID (easy)
• May need to stop reply from the local DNS server (harder)

Poisoning DNS Cache (1)

 Poisoning: Attempt to put bogus records into DNS name server caches
  Bogus records could point to attacker nodes
  Attacker nodes could phish
 But unsolicited replies are not accepted at a name server.
  Name servers use IDs in DNS messages to match replies to queries
  So can’t just insert a record into a name server by sending a DNS reply message.
 But can send a reply to a request.

Poisoning local DNS server (2)

[Figure: attacker in Australia (17.32.8.9), local DNS server (eg, Berkeley) and authoritative DNS for uab.edu. 1. DNS query uab.edu=? from attacker to local server; 2. iterative DNS queries from local server toward the authoritative server; 3. DNS reply uab.edu=17.32.8.9 from attacker, spoofing the authoritative server]

Goal: Put bogus IP address for uab.edu in local Berkeley DNS server
1) Attacker queries local DNS server
2) Local DNS makes iterative queries
3) Attacker waits for some time; sends a bogus reply, spoofing authoritative server for uab.edu.

Poisoning local DNS server (3)

[Figure: a client’s DNS query “uab.edu=?” is answered by the poisoned local DNS server (eg, Berkeley) without consulting the authoritative DNS for uab.edu; the answer points to the attacker in Australia, 17.32.8.9]

DNS response can provide IP address of malicious server!

DNS Poisoning (4)
 Issues:
  Attacker may need to stop upstream name server from responding
   • So that server under attack doesn’t get suspicious
   • Ping of death, DoS, overflows, etc
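The matching a name server performs before it trusts a reply, as described in “Poisoning DNS Cache (1)” and exercised by the uab.edu sequence above: an unsolicited reply has no outstanding ID and is dropped, while a reply whose ID, question and source address all match the pending query is accepted, which is why a bogus reply sent in response to a request can still poison the cache. This is an added example, not code from the slides or from any resolver; messages are plain Python values rather than wire-format DNS, and the authoritative server address and genuine answer are constructed placeholders.

```python
import secrets
import time


class StubResolverCache:
    """The reply-to-query matching a name server does before caching an answer."""

    def __init__(self, clock=time.monotonic):
        self.pending = {}   # txid -> (qname, server asked, time sent)
        self.cache = {}     # qname -> (answer IP, expiry)
        self.clock = clock

    def send_query(self, qname, server_ip):
        """Record an outstanding query; returns the 16-bit ID placed in the request."""
        txid = secrets.randbelow(1 << 16)
        while txid in self.pending:
            txid = secrets.randbelow(1 << 16)
        self.pending[txid] = (qname, server_ip, self.clock())
        return txid

    def on_reply(self, txid, qname, answer_ip, ttl, from_ip):
        """Return 'accepted' or the reason the reply was dropped.
        from_ip is the packet's source address, which the slides note can be spoofed."""
        entry = self.pending.get(txid)
        if entry is None:
            return "dropped: no outstanding query with this ID"   # unsolicited reply
        pending_qname, server_ip, _ = entry
        if pending_qname != qname:
            return "dropped: question does not match"
        if from_ip != server_ip:
            return "dropped: not from the server that was asked"
        del self.pending[txid]   # first matching reply wins; anything later is unsolicited
        self.cache[qname] = (answer_ip, self.clock() + ttl)
        return "accepted"

    def lookup(self, qname):
        hit = self.cache.get(qname)
        return hit[0] if hit and hit[1] > self.clock() else None


def demo():
    """Constructed exchange for uab.edu: 192.0.2.53 and 192.0.2.10 are placeholders
    for the authoritative server and the genuine answer; 17.32.8.9 is the bogus
    address used in the slides."""
    resolver = StubResolverCache()
    auth_server = "192.0.2.53"
    unsolicited = resolver.on_reply(0x1234, "uab.edu", "17.32.8.9", 3600, auth_server)
    txid = resolver.send_query("uab.edu", auth_server)
    wrong_source = resolver.on_reply(txid, "uab.edu", "17.32.8.9", 3600, "198.51.100.9")
    genuine = resolver.on_reply(txid, "uab.edu", "192.0.2.10", 3600, auth_server)
    late = resolver.on_reply(txid, "uab.edu", "17.32.8.9", 3600, auth_server)
    return unsolicited, wrong_source, genuine, late, resolver.lookup("uab.edu")
```

Had the bogus reply arrived before the genuine one with the same ID and spoofed source, `on_reply` would have accepted it instead, which is exactly the race the “waits for some time” step of the attack relies on.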

DNS attacks: Summary

 DNS is a critical component of the Internet infrastructure
 But is surprisingly robust:
  DDoS attacks against root servers have been largely unsuccessful
  Poisoning and redirection attacks are difficult unless you can sniff DNS requests
   • And even so, may need to stop DNS servers from replying
 DNS can be leveraged for reflection attacks against non-DNS nodes