บทที่ 8 : TCP/IP และอินเทอร์เน็ต Part1 · TCP/IP เป็นโปรโตคอลที่ได้รับความนิยมสูง
Security Problems in TCP-IP
-
Upload
sukh-sandhu -
Category
Documents
-
view
230 -
download
0
Transcript of Security Problems in TCP-IP
-
7/31/2019 Security Problems in TCP-IP
1/18
1
-
7/31/2019 Security Problems in TCP-IP
2/18
SECURITY PROBLEMS IN TCP/IP
2
-
7/31/2019 Security Problems in TCP-IP
3/18
SECURITY PROBLEMS IN R-SERVICES
red.cs.umass.edu brian
*.cs.umass.edu brian
* *
3
-
7/31/2019 Security Problems in TCP-IP
4/18
SECURITY PROBLEMS IN R-SERVICES
4
Source routing
False routing table updates
Session hijacking
ICMP redirects
False ARP packets
TCP session stealing
ignore source routes
secure routing protocols
ssh/ secure connection?
Publish ARP tables
ssh/ secure connection
-
7/31/2019 Security Problems in TCP-IP
5/18
SECURITY PROBLEMS IN R-SERVICES
IP source-route option
The responder includes the source-route on the reply packets.
Some/most OSs ignore source routes these days.
5
C S
X 1. C->S: spoofed packet(source-route; includes X)
2. replies
-
7/31/2019 Security Problems in TCP-IP
6/18
SESSION HIJACKING
C->S: SYN(ISNC) S->C: SYN(ISNS), ACK(ISNC+1)
C->S: ACK(ISNS +1)
Client and Server exchange data
ISN number generation
4.2BSD: increments 128/sec
4.3BSD: increments 125000/sec
6
SYN(ISNC)
SYN(ISNS),ACK(ISNC+1
)ACK(ISNS+1)
Client C Server S
-
7/31/2019 Security Problems in TCP-IP
7/18
SESSION HIJACKING
X->S: SYN(ISNX) [spoofs C] S: rshd server
S->C: SYN(ISNS), ACK(ISNX +1)
X->S: ACK(ISNS +1) [spoofs C; estimates ISNS]
X->S: [ echo * * >> ~/.rhosts] [spoofs C]
X->S: RESET [spoofs C]
X rlogins from anywhere in the world.
7
C
3. SYN(5000), ACK(1001)
Trusted relationship
X
S2. SYN(1000)
1: Disables C
-
7/31/2019 Security Problems in TCP-IP
8/18
SESSION HIJACKING
8
C
4: SYN(ISNX)
(spoofs C)
X
S5: SYN(ISNS), ACK(ISNX+1)
6: ACK(ISNS +1)(spoofs C; estimates ISNS)
3. Executes remote commands:
C
8: RESET(spoofs C)
X
S
7: [echo * * >> ~/.rhosts](spoofs C)
-
7/31/2019 Security Problems in TCP-IP
9/18
DISABLING HOSTS: SYN FLOODING DOS
listen()
9
-
7/31/2019 Security Problems in TCP-IP
10/18
ATTACKING ROUTING TO EXPLOIT RSH
OSPF: link-state algorithm
RIP: distance vector algorithm
All subsequent packets to C will be routed to the attacker. The attacker initiates connection to rshd of the server. (spoofing C)
Only accept authenticated updates.
Requires key management.
10
-
7/31/2019 Security Problems in TCP-IP
11/18
ICMP ATTACK
Requires an existing connection
Open a spoofed connection to the host you want to attack.
Then send a spoofed ICMP redirect to the victim redirecting it to the gateway youve
compromised.
ICMP destination unreachable
Frequent ICMP source quenches
11
-
7/31/2019 Security Problems in TCP-IP
12/18
ARP ATTACKS
But in a race condition with the real machine.
Repeat frequently so that cache doesnt timeout
12
-
7/31/2019 Security Problems in TCP-IP
13/18
ARP SPOOFING - COUNTERMEASURES
Statically defining the IP to Ethernet address mapping
arp -s hostname 00:01:02:03:04:ab pub
13
-
7/31/2019 Security Problems in TCP-IP
14/18
TCP SESSION STEALING
The attacker is in the path b/w the client and the server
The attacker can sniff all the packets and inject some spoofed packets
Steps:1. The attacker sniffs the communication b/w the two.
2. The attacker disables the communication by desynchronizing the
client and the server.
3. The attacker injects spoofed packets that acceptable for both ends.
14
-
7/31/2019 Security Problems in TCP-IP
15/18
TCP SESSION STEALING
Both in Established state
No data is being sent (stable state)
S_SEQ C_ACK and C_SEQ S_ACK
The packet is accepted (buffered) but not sent to the user
The packet is dropped
15
-
7/31/2019 Security Problems in TCP-IP
16/18
TCP SESSION STEALING
E.g. [echo myhost >> ~/.rhost] for rlogin
16
C
X
S
1: C->S: C_SEQ, C_ACK
C_SEQ, C_ACK
2: X->S (spoofing C): S_ACK, S_SEQ[echo myhost >> ~/.rhost]
S_SEQ, S_ACK
(dropped)
(accepted)
S_SEQ C_ACK and C_SEQ S_ACK
-
7/31/2019 Security Problems in TCP-IP
17/18
DESYNCHRONIZATION
1. C->S(Syn): C_Seq0 ; C: Syn_Sent
2. S->C(Syn/Ack): S_Seq0, C_Seq0+1 ; S: Syn_Rcvd
; C: Established(C_Seq0+1, S_Seq0+1)
(before the packet C->S(Ack): S_Seq0+1)
3. X->S(spoofing C, Rst)
4. X->S(spoofing C, Syn): X_Seq0 ; the same port # used in (1)
5. S->C(Syn/Ack): S_Seq1, X_Seq0+1
6. X->S(spoofing C, Ack): S_Seq1+1; S: Established(S_Seq1+1, X_Seq0+1)
17
C
X
S1
2
3,4, 6
-
7/31/2019 Security Problems in TCP-IP
18/18
THE ATTACK
1. The attacker watches the session without interfering.
2. During a quiet period, the attacker sends a large amount of null data (IAC, NOP for
telnet): nothing happens, server only changes the TCP Ack number
3. Now, when the client sends data, it is dropped by the server because its lower
than the servers window.
4. The attacker does the same with the client.
18