7/29/2019 D15 Sicurezza Reti Parte I (Network Security, Part I), 25 slides
Computer Networks
Circuit and Packet Switching

Circuit switching
- Legacy phone network
- A single route through a sequence of hardware devices is established when two nodes start communicating
- Data is sent along that route
- The route is maintained until the communication ends

Packet switching
- Internet
- Data is split into packets
- Packets are transported independently through the network
- Each packet is handled on a best-effort basis
- Packets may follow different routes
Packet Switching

[Figure, shown in four steps: packets 1, 2 and 3 travel from a source to a destination through the nodes labelled A, B, C, D and F, each packet following its own route and arriving independently of the others.]
Protocols

A protocol defines the rules for communication between computers.
Protocols are broadly classified as connectionless and connection-oriented.

Connectionless protocol
- Sends data out as soon as there is enough data to be transmitted
- E.g., the User Datagram Protocol (UDP)

Connection-oriented protocol
- Provides a reliable connection stream between two nodes
- Consists of set-up, transmission, and tear-down phases
- Creates a virtual circuit-switched network
- E.g., the Transmission Control Protocol (TCP)
Encapsulation

A packet typically consists of
- Control information for addressing the packet: header and footer
- Data: payload

A network protocol N1 can use the services of another network protocol N2
- A packet p1 of N1 is encapsulated into a packet p2 of N2
- The payload of p2 is p1
- The control information of p2 is derived from that of p1

[Figure: p1 = Header | Payload | Footer is carried whole as the Payload field of p2 = Header | Payload | Footer]
Network Layers

Network models typically use a stack of layers
- Higher layers use the services of lower layers via encapsulation
- A layer can be implemented in hardware or software
- The bottommost layer must be in hardware
- A network device may implement several layers

A communication channel between two nodes is established for each layer
- Actual channel at the bottom layer
- Virtual channel at higher layers
Internet Layers

[Figure: two end hosts, each with the full stack Application / Transport / Network / Link, communicate through two intermediate routers that implement only the Network and Link layers; all devices meet at the Physical layer, which is Ethernet, fiber optics or Wi-Fi.]
Intermediate Layers

Link layer
- Local area network: Ethernet, WiFi, optical fiber
- 48-bit media access control (MAC) addresses
- Packets are called frames

Network layer
- Internet-wide communication
- Best effort
- 32-bit Internet Protocol (IP) addresses in IPv4
- 128-bit IP addresses in IPv6

Transport layer
- 16-bit addresses (ports) for classes of applications
- Connection-oriented Transmission Control Protocol (TCP)
- Connectionless User Datagram Protocol (UDP)
Internet Packet Encapsulation

[Figure: the application packet is the TCP data, the TCP packet is the IP data, and the IP packet is the frame data]

Application layer   Application packet
Transport layer     TCP header | TCP data (= application packet)
Network layer       IP header | IP data (= TCP packet)
Link layer          Frame header | Frame data (= IP packet) | Frame footer

Seen on the wire, a data link frame therefore reads, left to right:

Data link header | IP header | TCP or UDP header | Application packet | Data link footer
The OSI Model

The OSI (Open Systems Interconnection) Reference Model is a network model consisting of seven layers: physical, data link, network, transport, session, presentation and application.
Created in 1983, OSI is promoted by the International Organization for Standardization (ISO).
Network Interfaces

Network interface: device connecting a computer to a network
- Ethernet card
- WiFi adapter
A computer may have multiple network interfaces
Packets are transmitted between network interfaces
Most local area networks (including Ethernet and WiFi) broadcast frames
- In regular mode, each network interface keeps only the frames intended for it
- Traffic sniffing can be accomplished by configuring the network interface to read all frames (promiscuous mode)
- On a switched network the switch delivers unicast frames only to the destination's port, so promiscuous mode alone captures just broadcast and flooded traffic
MAC Addresses

Most network interfaces come with a predefined MAC address
A MAC address is a 48-bit number, usually represented in hex
- E.g., 00:1A:92:D4:BF:86
The first three octets of any MAC address are IEEE-assigned Organizationally Unique Identifiers (OUIs)
- E.g., Cisco 00:1A:A1, D-Link 00:1B:11, ASUSTek 00:1A:92
The next three octets can be assigned by the organization as it pleases, with uniqueness being the only constraint
Organizations can use MAC addresses to identify computers on their network
The MAC address can be reconfigured by the network interface driver software, so it is not a trustworthy identifier
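Worked example (added here; not from the original slides): normalising the different textual forms of a MAC address, extracting the OUI, and reading the two flag bits of the first octet. The OUI table below is a constructed stand-in containing only the three prefixes cited above; a real check would load the IEEE registry.

```python
import re

# Constructed OUI table containing only the three prefixes cited on the slide; a real check
# would load the OUI/MA-L list published by the IEEE Registration Authority.
OUI_TABLE = {
    "00:1A:A1": "Cisco",
    "00:1B:11": "D-Link",
    "00:1A:92": "ASUSTek",
}


def normalize_mac(mac):
    """Accept 00:1A:92:D4:BF:86, 00-1a-92-d4-bf-86, 001a.92d4.bf86 or 001A92D4BF86;
    return the canonical upper-case, colon-separated form or raise ValueError."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def is_mac(mac):
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def describe_mac(mac):
    canon = normalize_mac(mac)
    first_octet = int(canon[:2], 16)
    oui = canon[:8]
    return {
        "mac": canon,
        "oui": oui,
        "vendor": OUI_TABLE.get(oui),             # None = prefix not in our (tiny) table
        # Least significant bit of the first octet: 0 = unicast, 1 = multicast/group address.
        "multicast": bool(first_octet & 0x01),
        # Second-least-significant bit: 0 = universally administered (IEEE-assigned OUI),
        # 1 = locally administered, i.e. chosen by software (randomised or made-up addresses show this).
        "locally_administered": bool(first_octet & 0x02),
    }


if __name__ == "__main__":
    for m in ("001A92D4BF86", "00-1b-11-00-00-01", "02:00:00:00:00:01"):
        print(describe_mac(m))
```

The locally-administered bit only flags addresses that were invented in software. A spoofer who copies a victim's real address, as in the attack described a few slides later, keeps that bit clear, so an OUI or flag check cannot detect impersonation; it can only tell a factory address from a made-up one.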
Switch

A switch is a common network device
- Operates at the link layer
- Has multiple ports, each connected to a computer
Operation of a switch
- Learns the MAC address of each computer connected to it (from the source address of the frames it receives on each port)
- Forwards frames only to the destination computer
Combining Switches

Switches can be arranged into a tree
- Each port learns the MAC addresses of the machines in the segment (subtree) connected to it
- Frames to unknown MAC addresses are broadcast (flooded out of every other port)
- Frames to MAC addresses in the same segment as the sender are ignored (not forwarded)
MAC Address Filtering

A switch can be configured to provide service only to machines with specific MAC addresses
- Allowed MAC addresses need to be registered with a network administrator
A MAC spoofing attack impersonates another machine
- Find out the MAC address of the target machine
- Reconfigure the MAC address of the rogue machine
- Turn off or unplug the target machine
Countermeasures
- Block the port of the switch when the machine is turned off or unplugged
- Disable duplicate MAC addresses
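Worked example (added here; not from the original slides) covering the three switch slides above: a toy learning switch that floods unknown destinations, ignores frames to the sender's own segment, and implements both countermeasures, blocking a port whose link went down and refusing a MAC that is already bound to another port, plus optional per-port MAC filtering. The Switch class, port numbers and MAC addresses are all constructed for the illustration.

```python
BROADCAST = "FF:FF:FF:FF:FF:FF"


class Switch:
    """Toy learning switch with one MAC table, optional per-port MAC filtering
    (an allow-list of registered addresses) and duplicate-MAC detection.
    Constructed for illustration; real switches add ageing, VLANs and more."""

    def __init__(self, ports, allowed=None):
        self.ports = list(ports)            # e.g. [1, 2, 3]
        self.table = {}                     # MAC -> port, learned from source addresses
        self.allowed = allowed or {}        # port -> set of registered MACs (MAC filtering)
        self.blocked = set()                # ports shut down by port security
        self.alerts = []

    def link_down(self, port):
        """Countermeasure 1: block the port when the machine is turned off or unplugged,
        and forget what was learned on it so a newcomer cannot simply inherit the entry."""
        self.blocked.add(port)
        self.table = {m: p for m, p in self.table.items() if p != port}

    def link_up(self, port):
        self.blocked.discard(port)

    def receive(self, in_port, src, dst):
        """Handle one frame arriving on in_port; return the list of ports it is sent out of."""
        if in_port in self.blocked:
            self.alerts.append("frame dropped on blocked port %d" % in_port)
            return []
        if in_port in self.allowed and src not in self.allowed[in_port]:
            self.alerts.append("MAC %s not registered on port %d" % (src, in_port))
            return []
        known = self.table.get(src)
        if known is not None and known != in_port:
            # Countermeasure 2: the same MAC now shows up on a second port. A host may have
            # moved, but it is also what spoofing looks like: keep the first binding, drop the frame.
            self.alerts.append("duplicate MAC %s on port %d (already on port %d)" % (src, in_port, known))
            return []
        self.table[src] = in_port           # learn the sender
        if dst == BROADCAST or dst not in self.table:
            # Unknown destination: flood out of every other active port.
            return [p for p in self.ports if p != in_port and p not in self.blocked]
        out = self.table[dst]
        return [] if out == in_port else [out]   # same segment as the sender: ignore


if __name__ == "__main__":
    sw = Switch([1, 2, 3])
    print(sw.receive(1, "00:11:22:33:44:01", "00:11:22:33:44:02"))   # flooded: [2, 3]
    print(sw.receive(2, "00:11:22:33:44:02", "00:11:22:33:44:01"))   # forwarded: [1]
```

The interesting run is the attack sequence from the slide: while the target is still up, a rogue on another port claiming its MAC is caught by the duplicate check. Once the target is unplugged, a switch without port security forgets the binding and the rogue takes over; only the per-port allow-list or blocking the vacated port stops that, which is why both countermeasures are listed.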
Viewing and Changing MAC Addresses

Viewing the MAC addresses of the interfaces of a machine
- Linux: ifconfig
- Windows: ipconfig /all
Changing a MAC address in Linux
- Stop the networking service: /etc/init.d/network stop
- Change the MAC address: ifconfig eth0 hw ether <new MAC address>
- Start the networking service: /etc/init.d/network start
- (On current distributions the ip command from iproute2 has replaced ifconfig, and the service is managed by systemd rather than /etc/init.d; the sequence is the same: bring the interface down, set the address, bring it up)
Changing a MAC address in Windows
- Open the Network Connections applet
- Access the properties for the network interface
- Click Configure
- In the Advanced tab, change the Network Address to the desired value
Changing a MAC address requires administrator privileges
ARP

The Address Resolution Protocol (ARP) connects the network layer to the data link layer by converting IP addresses to MAC addresses
ARP works by broadcasting requests and caching responses for future use
- The protocol begins with a computer broadcasting a message of the form "who has <IP address A>? tell <IP address B>"
- When the machine with <IP address A> (or an ARP server answering on its behalf) receives this message, it replies "<IP address A> is at <MAC address>"; the reply is sent directly to the requester, not broadcast
- The requester's MAC address is contained in the link-layer header of the request (and, together with its IP address, in the ARP message itself), so the responder knows where to send the reply
The Linux and Windows command arp -a displays the ARP table, e.g.:

Internet Address   Physical Address    Type
128.148.31.1       00-00-0c-07-ac-00   dynamic
128.148.31.15      00-0c-76-b2-d7-1d   dynamic
128.148.31.71      00-0c-76-b2-d0-d2   dynamic
128.148.31.75      00-0c-76-b2-d7-1d   dynamic
128.148.31.102     00-22-0c-a3-e4-00   dynamic
128.148.31.137     00-1d-92-b6-f1-a9   dynamic

Note that two entries, 128.148.31.15 and 128.148.31.75, resolve to the same physical address. That can be legitimate (one host or router holding two addresses), but it is also exactly what a poisoned table looks like.
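Worked example (added here; not from the original slides): parsing the output of arp -a offline and flagging the two things an analyst looks for, several IP addresses sharing one MAC and a MAC that changed between two snapshots. The Windows sample below is the slide's table with a constructed "Interface:" line added in the format Windows prints; the Linux sample line is likewise constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the slide's table, as Windows `arp -a` prints it (the Interface line is made up).
SAMPLE_ARP_WINDOWS = """\
Interface: 128.148.31.50 --- 0x4
  Internet Address      Physical Address      Type
  128.148.31.1          00-00-0c-07-ac-00     dynamic
  128.148.31.15         00-0c-76-b2-d7-1d     dynamic
  128.148.31.71         00-0c-76-b2-d0-d2     dynamic
  128.148.31.75         00-0c-76-b2-d7-1d     dynamic
  128.148.31.102        00-22-0c-a3-e4-00     dynamic
  128.148.31.137        00-1d-92-b6-f1-a9     dynamic
"""

# Constructed sample in the Linux `arp -a` format ("host (ip) at mac [ether] on iface").
SAMPLE_ARP_LINUX = """\
gateway (192.168.1.1) at 00:11:22:33:44:03 [ether] on eth0
? (192.168.1.105) at 00:11:22:33:44:03 [ether] on eth0
? (192.168.1.200) at <incomplete> on eth0
"""

# One IPv4 address followed, somewhere later on the line, by a MAC in colon or dash notation.
_ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b.*?"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})")


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output in either the Windows or the Linux layout.
    Header lines, interface lines and <incomplete> entries have no MAC and are skipped."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY_RE.search(line)
        if m:
            entries[m.group("ip")] = m.group("mac").replace("-", ":").lower()
    return entries


def find_shared_macs(entries):
    """MACs that several IPs resolve to. Legitimate for a multi-homed host or a router with
    more than one address, but also the signature of a cache poisoned by one attacker."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def diff_arp_tables(before, after):
    """IPs whose MAC changed between two snapshots: the poisoning event itself."""
    return {ip: (before[ip], after[ip])
            for ip in before if ip in after and before[ip] != after[ip]}


if __name__ == "__main__":
    win = parse_arp_table(SAMPLE_ARP_WINDOWS)
    print("shared:", find_shared_macs(win))
    print("shared:", find_shared_macs(parse_arp_table(SAMPLE_ARP_LINUX)))
```

Run on the slide's own table, find_shared_macs reports 00:0c:76:b2:d7:1d for both 128.148.31.15 and 128.148.31.75. A single snapshot cannot say whether that is a dual-addressed host or an attack; comparing snapshots over time with diff_arp_tables, or checking the gateway's entry against a known-good MAC, is what turns the hint into evidence.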
ARP Spoofing

The ARP table is updated whenever an ARP response is received
- Requests are not tracked
- ARP announcements are not authenticated
- Machines trust each other
A rogue machine can spoof other machines
ARP Poisoning (ARP Spoofing)

According to the standard, almost all ARP implementations are stateless
- An ARP cache updates every time it receives an ARP reply, even if it did not send any ARP request!
- It is therefore possible to poison an ARP cache by sending gratuitous ARP replies
Using static entries solves the problem, but it is almost impossible to manage!
ARP Caches

[Figure: two hosts exchanging data directly]
- Host 1: IP 192.168.1.1, MAC 00:11:22:33:44:01; its ARP cache holds 192.168.1.105 -> 00:11:22:33:44:02
- Host 2: IP 192.168.1.105, MAC 00:11:22:33:44:02; its ARP cache holds 192.168.1.1 -> 00:11:22:33:44:01
- Legitimate announcements: "192.168.1.1 is at 00:11:22:33:44:01" and "192.168.1.105 is at 00:11:22:33:44:02"

Poisoned ARP Caches

[Figure: a third machine, 192.168.1.106 with MAC 00:11:22:33:44:03, sends "192.168.1.105 is at 00:11:22:33:44:03" to host 1 and "192.168.1.1 is at 00:11:22:33:44:03" to host 2; data in both directions now passes through it]
- Poisoned ARP cache of 192.168.1.1: 192.168.1.105 -> 00:11:22:33:44:03
- Poisoned ARP cache of 192.168.1.105: 192.168.1.1 -> 00:11:22:33:44:03
Machines on the segment:
  192.168.1.1     00:11:22:33:44:01
  192.168.1.105   00:11:22:33:44:02
  192.168.1.106   00:11:22:33:44:03  (the rogue)
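Worked example (added here; not from the original slides) covering the ARP Spoofing, ARP Poisoning and ARP Caches slides: ARP requests and replies are encoded in their real 28-byte wire layout, and simulated hosts process them with the stateless behaviour described above, so the two gratuitous replies from the figure poison both caches. The same hosts can be run in a strict mode that accepts replies only for addresses they asked about, or with a static entry, to show the countermeasures. The Host class, the strict flag and the addresses are constructed for the illustration; no real operating system exposes exactly this interface.

```python
import struct

HTYPE_ETHERNET, PTYPE_IPV4, ARP_REQUEST, ARP_REPLY = 1, 0x0800, 1, 2


def mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """28-byte ARP payload in the RFC 826 layout for Ethernet/IPv4."""
    return struct.pack("!HHBBH6s4s6s4s", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(pkt):
    htype, ptype, hlen, plen, op, sm, si, tm, ti = struct.unpack("!HHBBH6s4s6s4s", pkt[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"op": op, "sender_mac": sm.hex(":"), "sender_ip": ".".join(map(str, si)),
            "target_mac": tm.hex(":"), "target_ip": ".".join(map(str, ti))}


class Host:
    """Simulated host with an ARP cache. strict=False is the stateless behaviour of the slide;
    strict=True only accepts replies to outstanding requests. Constructed for illustration."""

    def __init__(self, ip, mac, strict=False, static=None):
        self.ip, self.mac, self.strict = ip, mac, strict
        self.cache = dict(static or {})     # IP -> MAC
        self.static = set(static or {})     # entries that must never be overwritten
        self.pending = set()                # IPs we have asked about (used when strict)

    def request(self, ip):
        """'who has <ip>? tell <self.ip>' (would be sent to the broadcast MAC)."""
        self.pending.add(ip)
        return build_arp(ARP_REQUEST, self.mac, self.ip, "00:00:00:00:00:00", ip)

    def receive(self, pkt):
        """Process one ARP packet; return the reply to send, or None."""
        a = parse_arp(pkt)
        if a["op"] == ARP_REQUEST:
            if a["target_ip"] == self.ip:
                # Learn the requester (RFC 826 merge step) and answer it directly.
                self._learn(a["sender_ip"], a["sender_mac"], solicited=True)
                return build_arp(ARP_REPLY, self.mac, self.ip, a["sender_mac"], a["sender_ip"])
            return None
        if a["op"] == ARP_REPLY:
            # Stateless: any reply updates the cache. Strict: only replies we asked for.
            self._learn(a["sender_ip"], a["sender_mac"],
                        solicited=a["sender_ip"] in self.pending)
            self.pending.discard(a["sender_ip"])
        return None

    def _learn(self, ip, mac, solicited):
        if ip in self.static:
            return                          # static entries win over anything heard on the wire
        if self.strict and not solicited:
            return                          # ignore gratuitous / unsolicited replies
        self.cache[ip] = mac

    def next_hop_mac(self, ip):
        return self.cache.get(ip)


def run_scenario(strict):
    """The figure's attack: returns (MAC host1 uses for host2, MAC host2 uses for host1)."""
    h1 = Host("192.168.1.1", "00:11:22:33:44:01", strict=strict)
    h2 = Host("192.168.1.105", "00:11:22:33:44:02", strict=strict)
    rogue_mac = "00:11:22:33:44:03"         # 192.168.1.106 in the figure
    h1.receive(h2.receive(h1.request(h2.ip)))            # legitimate resolution, both caches correct
    h1.receive(build_arp(ARP_REPLY, rogue_mac, h2.ip, h1.mac, h1.ip))   # "192.168.1.105 is at ...:03"
    h2.receive(build_arp(ARP_REPLY, rogue_mac, h1.ip, h2.mac, h2.ip))   # "192.168.1.1 is at ...:03"
    return h1.next_hop_mac(h2.ip), h2.next_hop_mac(h1.ip)


if __name__ == "__main__":
    print("stateless:", run_scenario(strict=False))     # both point at ...:03, the rogue
    print("strict:   ", run_scenario(strict=True))      # unchanged
```

Once both caches point at the rogue, every frame the two hosts address to each other is delivered to 00:11:22:33:44:03, and the rogue can read or alter the traffic before passing it on. The strict mode is a model, not a fix: real stacks behave like the stateless host, and even a request-tracking cache still learns from requests addressed to it, which a forger can also send. That is why the slide's only listed remedy is static entries, with the management cost it mentions.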