COMP3355 Cyber Security (2023 Fall) Network Security

Network Security

Chenxiong Qian
[email protected]
In Last Class
- Network Basics (OSI Model and TCP/IP Stack)
- Network Layer Security
- Transport Layer Security
- Application Layer Security

In This Class
- Network Basics (OSI Model and TCP/IP Stack)
- Network Layer Security
- Transport Layer Security
- Application Layer Security

Recap

Encapsulation (a header is added at each layer):

  Application            message (application data)
  Transport (TCP, UDP)   TCP header | data                                      = segment
  Network (IP)           IP header | TCP header | data                          = packet
  Network interface      Ethernet header | IP header | TCP header | data | Ethernet trailer = frame

Recap: IP

- Break up the segment from the transport layer into packets
- Add an IP header
  - Source/destination IP address
- Find a path from the source node to the destination node

  Message   Application
  Segment   Transport (TCP, UDP)
  Packet    Network (IP):  IP packet …… IP packet
  Frame     Network interface
  Source node → destination node

Transport Layer

Alice calls Bob using Skype

  Alice’s host (source node)  ── IP packet carrying Skype’s data ──▶  Bob’s host (destination node)

Which app on Bob’s host should receive this data? The IP header only names the destination host.

Transport Layer

- Establish connections between applications (source node ↔ destination node)
- Breaks up application data into segments
- Append a TCP/UDP header to each segment
  - Source port and destination port
  - Distinguish data from/to different applications

  Message   Application:           app data
  Segment   Transport (TCP, UDP):  TCP/UDP segment  TCP/UDP segment ……
  Packet    Network (IP)
  Frame     Network interface

Transport Layer

Alice calls Bob using Skype

  Alice’s host (source node)  ──▶  Bob’s host (destination node)

  IP header | TCP/UDP header | message payload (Skype’s data)

- The IP header is used for routing the data from the source node to the destination node
- The TCP/UDP header is used for identifying the app/service that should receive the data

TCP And UDP

- TCP: Email, Website, File Transfer
- UDP: Online Movie, Video Game, Voice Call

TCP Reliability

- Reliable connection (connection-oriented)
- Detect and retransmit lost data
- All data is delivered to the application
- Rearrange the data in order
- Detect modified data with reasonably high probability (the 16-bit checksum catches accidental corruption; it is not a cryptographic check and does not detect deliberate modification)

TCP’s Byte Stream Service

- TCP is a byte-oriented protocol
- The sender writes bytes into a TCP connection and the receiver reads bytes out of the TCP connection
  - App process A on host 1 sends byte 0, byte 1, byte 2, …
  - App process B on host 2 receives byte 0, byte 1, byte 2, …
- The applications do not see:
  - Packet boundaries (looks like a stream of bytes)
  - Lost packets (they all arrive)
  - Duplicated packets (they all appear once)
  - Wrong-order packets (they all arrive in order)
  - Corrupted packets (detected with high probability and retransmitted)

TCP’s Byte Stream Service

Application’s view:
  Process 1 on host 1 writes:  byte 0 byte 1 byte 2 byte 3 byte 4 byte 5 byte 6 byte 7
  Process 2 on host 2 reads:   byte 0 byte 1 byte 2 byte 3 byte 4 byte 5 byte 6 byte 7

TCP’s view (segments may arrive out of order or duplicated; TCP repairs this before delivery):
  Sent by process 1 on host 1:    byte 0 byte 1 byte 2 byte 3 byte 4 byte 5 byte 6
  Arriving at process 2 on host 2: byte 4 byte 5 byte 2 byte 3 byte 6 byte 6

TCP’s Byte Stream Service


 TCP offers “byte stream” service to application process, but itself does
not transmit individual bytes over the internet.
 TCP buffers enough bytes from the sending process to fill a reasonably
sized packet and then sends this packet to its peer on the destination
host.

TCP Header

- SrcPort and DstPort
  - Identify the source and destination ports, respectively
  - (SrcIPAddr::SrcPort, DstIPAddr::DstPort) identifies a TCP connection
- SequenceNum
  - The sequence number of the first byte in the payload
- Acknowledgment
  - Next sequence number that the sender of the ACK is expecting
  - Acknowledges receipt of all prior bytes
- AdvertisedWindow
  - Specifies the number of bytes that the sender of this segment is currently willing to receive
- HdrLen (Header Length)
  - The length of the header in 32-bit words (4 bytes each): 5 to 15, i.e. 20 bytes without options and up to 60 bytes with options
- Flags
  - Relay control information between TCP peers
  - SYN, FIN, RESET (RST), ACK, PUSH (PSH), URG
- Checksum
  - Used for error-checking over the TCP header, the payload and an IP pseudo-header
  - What is the pseudo-header? The source and destination IP addresses, the protocol number (6 for TCP) and the TCP length, taken from the IP layer. It is never transmitted, but folding it into the sum means a segment delivered to the wrong host or with a rewritten address fails the check
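The header fields above, as an added example that is not part of the lecture: a small Python builder and parser for a TCP segment, with the checksum computed over the IPv4 pseudo-header exactly as the Checksum bullet describes. The sample SYN (with an MSS option) and the sample data segment are constructed here; the addresses and ports are arbitrary.

```python
import ipaddress
import struct

# Flag bit positions in the 16-bit offset/flags word (bit 0 = FIN ... bit 8 = NS).
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum, as used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad with a zero byte
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                        # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header + TCP header + payload.

    The pseudo-header (src IP, dst IP, zero, protocol, TCP length) is never sent;
    including it binds the segment to the addresses in the IP header."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def verify_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """An intact segment (checksum field included) sums to all ones, so this yields 0."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window,
                  options=b"", payload=b"") -> bytes:
    """Assemble a TCP segment with a valid checksum (options padded to 4-byte multiples)."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    hdr_words = 5 + len(options) // 4         # HdrLen counts 32-bit words: 5..15
    off_flags = (hdr_words << 12) | (flags & 0x1FF)
    hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, window, 0, 0)
    hdr += options
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    hdr = hdr[:16] + struct.pack("!H", csum) + hdr[18:]   # checksum lives at offset 16
    return hdr + payload


def parse_tcp(segment: bytes) -> dict:
    """Decode the fields the lecture lists; raise ValueError on a malformed header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (src, dst, seq, ack, off_flags,
     window, csum, urg) = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError(f"bad header length {hdr_len}")
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "hdr_len": hdr_len, "window": window, "checksum": csum, "urgent": urg,
        "flags": [n for i, n in enumerate(FLAG_NAMES) if (off_flags >> i) & 1],
        "options": segment[20:hdr_len], "payload": segment[hdr_len:],
    }


if __name__ == "__main__":
    # Constructed sample: a SYN carrying an MSS=1460 option (kind 2, length 4).
    syn = build_segment("10.0.0.1", "10.0.0.2", 40000, 80, 1000, 0, SYN, 65535,
                        options=b"\x02\x04\x05\xb4")
    print(parse_tcp(syn))
    print("checksum ok:", verify_checksum("10.0.0.1", "10.0.0.2", syn))
```

Two checks worth trying: verify the same bytes against a different destination address (the pseudo-header makes it fail), and flip one payload bit (the ones' complement sum changes, so it fails too).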

Connection Establishment

- Three-Way Handshake
  - The client and the server exchange information to establish a connection
  - The information falls into two categories
    - Synchronise the initial sequence numbers (ISN)
    - Exchange parameters (e.g., maximum segment size)

  Client                        Server
     ── SYN ───────────────────▶
     ◀─ SYN+ACK ────────────────
     ── ACK ───────────────────▶

Flag bits in the header: NS CWR ECE URG ACK PSH RST SYN FIN. The SYN bit is set to 1 in the first segment, SYN and ACK in the second, and ACK in the third.

1. The client sends a segment to the server stating its initial sequence number:
   SYN, Seq = X                    (X is a randomly generated number)
2. The server responds with a single segment that (1) acknowledges the client’s sequence number and (2) states its own beginning sequence number:
   SYN+ACK, Seq = Y, Ack = X+1     (Y is a randomly generated number)
3. The client responds with a segment that acknowledges the server’s sequence number:
   ACK, Seq = X+1, Ack = Y+1

Why are sequence numbers initialized randomly?

After receiving the SYN, the server creates a special data structure called the Transmission Control Block (TCB), holding the connection information, and stores it in a queue (the half-open, or SYN, queue).

  Client                           Server
     ── SYN, Seq = X ─────────────▶   TCB allocated → TCB queue

The server sends the SYN+ACK segment and waits for the ACK segment.

     ◀─ SYN+ACK, Seq = Y, Ack = X+1 ──   TCB still in the queue

After receiving the ACK, the server takes the TCB out of the queue: the connection is established.

     ── ACK, Seq = X+1, Ack = Y+1 ──▶   TCB removed from the queue

If the final ACK does not come, the server resends the SYN+ACK:

     ◀─ SYN+ACK, Seq = Y, Ack = X+1 ──
     ◀─ SYN+ACK, Seq = Y, Ack = X+1 ──   ……

The TCB is discarded only after a timeout; until then it occupies a slot in the queue.

SYN Flooding Attack

1. The attacker keeps sending SYN packets but never sends the ACK packets
2. The TCB queue fills up very quickly
3. The server cannot accept new SYN packets, so legitimate clients cannot connect

First SYN Flooding Attack

- Panix (1996)
  - https://archive.nytimes.com/www.nytimes.com/library/cyber/week/0914panix.html

Countermeasures

- Enlarge the TCB queue
- Reduce the timeout for waiting for the ACK packet
- Recycle the oldest half-open TCP connection when the queue is full
- SYN cookies

SYN Cookies

- A standard part of Linux and FreeBSD
- Enabled by default
- It starts working when the system detects there are too many half-open connections (on Linux the sysctl net.ipv4.tcp_syncookies controls this: 1 = use cookies only when the SYN queue overflows, 2 = always, 0 = off)

SYN Cookies

- The basic idea is to allocate resources only when the server has received the final ACK packet

  Client                           Server
     ── SYN, Seq = X ─────────────▶   nothing stored
     ◀─ SYN+ACK, Seq = Y, Ack = X+1 ──
     ── ACK, Seq = X+1, Ack = Y+1 ──▶   TCB allocated → TCB queue

- Problem: the final ACK must be matched to the earlier SYN without having tracked that SYN. What should be recorded at the moment the SYN arrives, if nothing may be stored?
- Answer: SYN cookies are particular choices of initial TCP sequence numbers (Y) by TCP servers; the state travels inside Y and comes back in the client’s Ack = Y+1

SYN Cookies

1. After receiving the SYN, the server calculates a keyed hash (the cookie) over the packet’s information (source/destination IP addresses and ports, plus a coarse timestamp) with a secret key, and uses it as its initial sequence number Y.
2. The server sends Y in the SYN+ACK packet and records nothing: Y can be recomputed later from the same information.
3. When the final ACK (Ack = Y+1) arrives, the server recomputes the hash from the ACK’s addresses and ports and compares it with Ack-1; only if they match is the TCB allocated and queued.

  Client                           Server
     ── SYN, Seq = X ─────────────▶   Y = cookie(secret, addresses, ports, time)
     ◀─ SYN+ACK, Seq = Y, Ack = X+1 ──
     ── ACK, Seq = X+1, Ack = Y+1 ──▶   recompute the cookie, verify Ack-1 == Y, then allocate the TCB

- The attacker cannot forge a valid cookie without knowing the secret key
- If the attacker spoofs the IP address, it cannot receive the SYN+ACK packet, so it never learns Y and no server state is consumed
- If the attacker does not spoof the IP address, the connection is created, but the attacker is then identifiable and limited by its own resources
- Caveat: because the server keeps no state, options carried only in the SYN (e.g., window scale, SACK permitted) are lost unless encoded in the cookie or in TCP timestamps, which is why stacks enable cookies only under pressure
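The TCB-queue handshake, the SYN flood against it, and the stateless SYN-cookie variant above, as one added Python simulation that is not part of the lecture. `NaiveServer` allocates a TCB on every SYN; `SynCookieServer` puts a keyed hash (HMAC-SHA256 truncated to 24 bits, with 5 bits of a coarse clock and a 3-bit MSS index in the top byte, Linux-style) into its ISN and stores nothing until the ACK verifies. The backlog size, the clock, the cookie lifetime and the test addresses (RFC 5737 ranges) are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import random

MSS_TABLE = [536, 1300, 1440, 1460]   # 3-bit MSS index encoded in the cookie (Linux-style)
COOKIE_MAX_AGE = 2                    # clock slots a cookie stays valid (assumption)
M32 = 0xFFFFFFFF


class NaiveServer:
    """Classic handshake: a TCB is allocated on SYN and held until the ACK (or a timeout)."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}           # (src_ip, src_port) -> our ISN: the TCB queue
        self.established = set()

    def on_syn(self, src_ip, src_port, client_isn):
        if len(self.half_open) >= self.backlog:
            return None                            # queue full: the SYN is dropped
        y = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = y
        return y, (client_isn + 1) & M32           # SYN+ACK: Seq = Y, Ack = X+1

    def on_ack(self, src_ip, src_port, seq, ack):
        y = self.half_open.get((src_ip, src_port))
        if y is None or ack != (y + 1) & M32:
            return False
        del self.half_open[(src_ip, src_port)]     # TCB leaves the queue
        self.established.add((src_ip, src_port))
        return True


class SynCookieServer:
    """Stateless until the final ACK: the server's ISN Y is a keyed hash (the cookie)."""

    def __init__(self, ip, port, secret=None):
        self.ip, self.port = ip, port
        self.secret = secret if secret is not None else os.urandom(32)
        self.clock = 0                # slow counter; the caller advances it over time
        self.established = {}

    def _mac(self, src_ip, src_port, client_isn, t):
        msg = f"{src_ip}:{src_port}>{self.ip}:{self.port}|{client_isn}|{t}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def on_syn(self, src_ip, src_port, client_isn, mss=1460):
        t = self.clock & 0x1F                      # 5 bits of time in the top of Y
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        y = (t << 27) | (mss_idx << 24) | self._mac(src_ip, src_port, client_isn, t)
        return y, (client_isn + 1) & M32           # nothing is stored for this SYN

    def on_ack(self, src_ip, src_port, seq, ack):
        y = (ack - 1) & M32                        # the client echoes Y+1, so recover Y
        client_isn = (seq - 1) & M32               # the final ACK carries Seq = X+1
        t = y >> 27
        if (self.clock - t) & 0x1F > COOKIE_MAX_AGE:
            return False                           # stale cookie
        if (y & 0xFFFFFF) != self._mac(src_ip, src_port, client_isn, t):
            return False                           # forged or corrupted cookie
        self.established[(src_ip, src_port)] = {
            "isn": y, "peer_isn": client_isn, "mss": MSS_TABLE[(y >> 24) & 0x7]}
        return True


def syn_flood(server, n):
    """Attacker: n SYNs from spoofed source addresses, never followed by an ACK."""
    for i in range(n):
        server.on_syn(f"198.51.100.{i % 250}", 1024 + i, i)   # RFC 5737 test addresses


def legit_handshake(server, src_ip="192.0.2.10", src_port=40000, x=123456):
    """Honest client: SYN, wait for SYN+ACK, answer with ACK. True if established."""
    reply = server.on_syn(src_ip, src_port, x)
    if reply is None:
        return False                               # SYN dropped by a full TCB queue
    y, ack = reply
    if ack != (x + 1) & M32:
        return False
    return server.on_ack(src_ip, src_port, (x + 1) & M32, (y + 1) & M32)


if __name__ == "__main__":
    naive = NaiveServer(backlog=128)
    syn_flood(naive, 1000)
    print("naive server: new client connects?", legit_handshake(naive))        # False
    cookie = SynCookieServer("203.0.113.5", 443)
    syn_flood(cookie, 1000)
    print("SYN-cookie server: new client connects?", legit_handshake(cookie))  # True
```

The flood of 1000 spoofed SYNs leaves the naive server with a full queue and no room for the honest client, while the cookie server ends the flood with no state at all and still completes the honest handshake; an ACK with a tampered cookie or one presented after the clock has moved on is rejected.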

Questions?

Data Transfer

Flow control with the advertised window (the receiver has a 2k buffer):

  Sender                                   Receiver
     ── Seq = 0, 1k data ──────────────────▶
     ◀─ Ack = 1024, Win = 1k ───────────────   1k of the 2k buffer is still free
     ── Seq = 1024, 1k data ───────────────▶
     ◀─ Ack = 2048, Win = 0 ────────────────   buffer full: the application has not read the data yet
     ◀─ Ack = 2048, Win = 1k ───────────────   the application read 1k; window update
     ── Seq = 2048, 1k data ───────────────▶

Data Transfer: retransmission

- Timeout
  - The sender sends Seq#1, Seq#2, Seq#3; if no acknowledgment arrives before the retransmission timer expires, it resends from the oldest unacknowledged segment (Seq#1, Seq#2, …)
- Error (loss)
  - Seq#1 arrives, Seq#2 is lost, Seq#3 arrives out of order
  - The receiver answers Seq#3 with Ack#1 again (a duplicate ACK: the cumulative acknowledgment cannot move past the hole)
  - The duplicate ACKs tell the sender that Seq#2 is missing, so it resends Seq#2
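The window exchange and both retransmission cases above, as an added Python simulation that is not the lecture's code. `Receiver` keeps a cumulative ACK, parks out-of-order segments and advertises its free buffer; `Sender` respects the window, retransmits on a logical timer, and also after three duplicate ACKs (RFC 5681 fast retransmit, which the slides do not name). The 1k segment size and 2k buffer are the slides' values; the timer length and the loss pattern are constructed for the demo.

```python
MSS = 1024   # segment size used on the slides

class Receiver:
    """Receive side: cumulative ACK, in-order delivery, AdvertisedWindow = free buffer."""
    def __init__(self, buf_size=2 * MSS):
        self.buf_size = buf_size
        self.rcv_nxt = 0            # next byte expected; this is the Ack we send
        self.buffer = bytearray()   # in-order bytes the application has not read yet
        self.ooo = {}               # out-of-order segments parked behind a hole
    def window(self):
        return self.buf_size - len(self.buffer)
    def on_segment(self, seq, data):
        """Process one segment; return the (Ack, Win) the receiver sends back."""
        limit = self.rcv_nxt + self.window()    # right edge of the receive window
        if seq == self.rcv_nxt:                 # the byte we were waiting for
            data = data[: limit - seq]          # never accept beyond the window
            self.buffer += data
            self.rcv_nxt += len(data)
            while self.rcv_nxt in self.ooo:     # a hole just closed: drain parked data
                nxt = self.ooo.pop(self.rcv_nxt)
                self.buffer += nxt
                self.rcv_nxt += len(nxt)
        elif self.rcv_nxt < seq and seq + len(data) <= limit:
            self.ooo[seq] = data                # in window but out of order: park it
        # old duplicates and segments outside the window are dropped silently
        return self.rcv_nxt, self.window()      # unchanged Ack = duplicate ACK
    def app_read(self, n):
        out, self.buffer = bytes(self.buffer[:n]), self.buffer[n:]
        return out

class Sender:
    """Send side: sliding window, RTO timer, fast retransmit on three duplicate ACKs."""
    RTO = 3                         # retransmission timeout in logical ticks (assumption)
    def __init__(self, data, snd_wnd=2 * MSS):
        self.data, self.snd_wnd = data, snd_wnd
        self.snd_una, self.snd_nxt = 0, 0       # oldest unacked byte / next byte to send
        self.dup_acks, self.timer = 0, None
    def next_segments(self):
        """Everything the window currently permits, as (seq, data) pairs."""
        out = []
        while self.snd_nxt < min(len(self.data), self.snd_una + self.snd_wnd):
            end = min(self.snd_nxt + MSS, len(self.data), self.snd_una + self.snd_wnd)
            out.append((self.snd_nxt, self.data[self.snd_nxt:end]))
            self.snd_nxt = end
            self.timer = self.timer or self.RTO
        return out
    def retransmit(self):
        end = min(self.snd_una + MSS, self.snd_nxt)
        return self.snd_una, self.data[self.snd_una:end]
    def on_ack(self, ack, win):
        """Consume an (Ack, Win); return a segment to retransmit, or None."""
        if ack > self.snd_una:                  # new data acknowledged: slide the window
            self.snd_una, self.snd_wnd, self.dup_acks = ack, win, 0
            self.timer = self.RTO if self.snd_una < self.snd_nxt else None
            return None
        pure_dup = win == self.snd_wnd and self.snd_una < self.snd_nxt
        self.snd_wnd = win                      # a window update also arrives this way
        if pure_dup:
            self.dup_acks += 1
            if self.dup_acks == 3:              # RFC 5681 fast retransmit
                self.dup_acks = 0
                return self.retransmit()
        return None
    def tick(self):
        """One clock tick; return a segment to retransmit if the timer expired."""
        if self.timer is None:
            return None
        self.timer -= 1
        if self.timer == 0:
            self.timer = self.RTO
            return self.retransmit()
        return None

def window_exchange():
    """The slides' exchange: the 2k buffer fills, the app reads 1k, the window reopens."""
    s, r, trace = Sender(bytes(3 * MSS)), Receiver(), []
    for seq, data in s.next_segments():         # Seq=0 and Seq=1024 fit in 2k
        ack, win = r.on_segment(seq, data)
        s.on_ack(ack, win)
        trace.append((seq, ack, win))
    stalled = s.next_segments() == []           # Win=0: Seq=2048 has to wait
    r.app_read(MSS)                             # the application consumes 1k ...
    s.on_ack(r.rcv_nxt, r.window())             # ... and the receiver sends a window update
    for seq, data in s.next_segments():
        ack, win = r.on_segment(seq, data)
        s.on_ack(ack, win)
        trace.append((seq, ack, win))
    return stalled, trace

def loss_exchange():
    """Seq#2 is lost: duplicate ACKs for #1 trigger the retransmission that closes the hole."""
    n = 5
    s, r = Sender(bytes(n * MSS), snd_wnd=n * MSS), Receiver(n * MSS)
    acks, resent = [], None
    for seq, data in s.next_segments():
        if seq == MSS:
            continue                            # the channel drops the second segment
        ack, win = r.on_segment(seq, data)
        acks.append(ack)
        resent = s.on_ack(ack, win) or resent
    final_ack = r.on_segment(*resent)[0] if resent else None
    return acks, resent[0] if resent else None, final_ack
```

`window_exchange()` reproduces the slide trace ((0, Ack 1024, Win 1k), (1024, Ack 2048, Win 0), then Seq 2048 only after the window update); `loss_exchange()` shows four acknowledgments all saying 1024, the retransmission of Seq 1024, and a single ACK jumping to the end once the hole is filled.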

Connection Termination

- Four-Way Handshake
  1. The initiator transmits a FIN packet (Seq = X)
  2. The receiver acknowledges with an ACK (Ack = X+1)
  3. The receiver transmits its own FIN packet (Seq = Y) once it has no more data to send
  4. The initiator acknowledges with an ACK (Ack = Y+1) and waits for a timeout (TIME_WAIT) before closing the connection

  Initiator                          Receiver
     ── FIN, Seq = X ───────────────▶
     ◀─ ACK, Ack = X+1 ──────────────
     ◀─ FIN, Seq = Y ────────────────
     ── ACK, Ack = Y+1 ─────────────▶

Questions?

Attacks On TCP
 SYN Flooding Attack
 TCP Reset Attack
 TCP Session Hijacking Attack

TCP Reset Attack

Normal connection termination uses the FIN/ACK exchange above. TCP also has a RESET segment:

- When one party sends a RESET (RST) segment, the connection is closed immediately, without the FIN exchange
- Used in emergency situations, e.g., there is no time to do the FIN protocol, or errors are detected (such as a segment arriving for a connection that does not exist)

TCP Reset Attack

- The attacker spoofs a RESET segment from one side to the other
- The spoofed packet must have the correct fields
  - Source/destination IP addresses
  - Source/destination ports
  - Sequence number: it must fall inside the receiver’s window (RFC 793), so an off-path attacker who knows the addresses and ports can sweep the 2^32 sequence space in window-sized steps. Stacks that implement RFC 5961 accept a RST only at the exact next expected sequence number and answer other in-window RSTs with a challenge ACK, which removes that shortcut

TCP Reset Attack

- https://www.nbcnews.com/id/wbna21376597

Countermeasures

- Encrypt the connection using a VPN: an attacker on the path between the client and the VPN endpoint sees only the tunnel packets, not the inner IP addresses, ports and sequence numbers needed to forge a matching RST
- Note that TLS alone does not help: TLS runs above TCP, and a RST is processed by the TCP stack before TLS ever sees it

  Client ══ VPN tunnel ══ Server → Service


TCP Session Hijacking Attack

- If the attacker is on the path between the source node and the destination node
  - Sniff the packets and inject packets with the correct sequence numbers

  Sender                            Receiver
     ── Seq = 0, 1k data ───────────▶       the attacker sniffs this: it learns ports, Seq, Ack and window
     ◀─ Ack = 1024, Win = 1k ────────
     ── Seq = 1024, 1k data ────────▶       legitimate next segment
     ── Seq = 1024, 1k data ────────▶       attacker’s forged segment with the same sequence number, racing the legitimate one

TCP Session Hijacking Attack

- If the attacker is not on the path
  - Guess the sequence number (the IP addresses and ports must also be known or guessed)
  - If the guessed sequence number falls outside the receiver’s window, the segment is discarded; only in-window guesses are accepted, so the window size bounds how many guesses are needed
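The "inside the window" rule that decides whether a forged RST or an injected data segment is accepted, as an added Python example that is not part of the lecture. It implements the RFC 793 acceptance test with modulo-2^32 arithmetic, the classic versus RFC 5961 handling of a RST, and the cost of an off-path sweep; the connection state in the demo (next expected byte 1 000 000, 64 KB window) is constructed.

```python
SEQ_SPACE = 1 << 32
M32 = SEQ_SPACE - 1


def in_window(seq, rcv_nxt, rcv_wnd):
    """RCV.NXT <= seq < RCV.NXT + RCV.WND, computed modulo 2^32 so wraparound works."""
    return ((seq - rcv_nxt) & M32) < rcv_wnd


def segment_acceptable(seg_seq, seg_len, rcv_nxt, rcv_wnd):
    """RFC 793 acceptance test: is any byte of the segment inside the receive window?"""
    if rcv_wnd == 0:
        return seg_len == 0 and seg_seq == rcv_nxt    # zero window: only a pure ACK at the edge
    if seg_len == 0:
        return in_window(seg_seq, rcv_nxt, rcv_wnd)
    seg_last = (seg_seq + seg_len - 1) & M32
    return in_window(seg_seq, rcv_nxt, rcv_wnd) or in_window(seg_last, rcv_nxt, rcv_wnd)


def rst_action(seg_seq, rcv_nxt, rcv_wnd, rfc5961=True):
    """What the receiver does with a RST carrying seg_seq: 'drop', 'reset' or 'challenge-ack'.

    Classic TCP (RFC 793) tears the connection down on any in-window RST.
    RFC 5961 resets only when seg_seq == RCV.NXT and answers other in-window RSTs
    with a challenge ACK, so a blind attacker must hit one exact value."""
    if not in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "drop"
    if seg_seq == rcv_nxt or not rfc5961:
        return "reset"
    return "challenge-ack"


def blind_rst_packets(rcv_wnd, rfc5961=False):
    """Spoofed RSTs needed to sweep the whole sequence space when IPs and ports are known:
    one per window-sized step classically, one per sequence number under RFC 5961."""
    step = 1 if rfc5961 else rcv_wnd
    return -(-SEQ_SPACE // step)                        # ceiling division


def blind_sweep(rcv_nxt, rcv_wnd, guess_start=0):
    """Off-path attacker who does not know RCV.NXT: one RST per window-sized step until
    one lands in the window (classic behaviour). Returns (packets sent, hitting seq)."""
    for i in range(blind_rst_packets(rcv_wnd)):
        seq = (guess_start + i * rcv_wnd) & M32
        if rst_action(seq, rcv_nxt, rcv_wnd, rfc5961=False) == "reset":
            return i + 1, seq
    return None


if __name__ == "__main__":
    # Constructed connection state: the receiver expects byte 1_000_000 with a 64 KB window.
    print(blind_sweep(1_000_000, 65535))                # classic stack: 17 packets
    print(blind_rst_packets(65535, rfc5961=True))       # RFC 5961: 4294967296
```

The same `segment_acceptable` check governs the injected data segment of the session hijacking attack: an on-path attacker who sniffed the real sequence number passes it trivially, an off-path attacker only by landing inside the window.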

The Mitnick Attack

- Kevin David Mitnick
  - An American computer security consultant, author, and convicted hacker
- Takedown (2000), the film about the case
- Tsutomu Shimomura, whose systems were the target

The Mitnick Attack

- Step 1: Information gathering
  - Determine the behaviour of X-Terminal’s TCP sequence number generator
    - Send many SYN packets and analyse the sequence numbers in the SYN+ACK responses
    - The sequence numbers were not random: each was 128000 greater than the previous one
  - Determine the trusted server’s IP address

  Attacker ── SYN, seq=x ──────▶ X-Terminal
  Attacker ◀─ SYN+ACK, seq=y ── X-Terminal
  ……

The Mitnick Attack

- Step 2: The flood
  - Use a SYN flooding attack to mute the trusted server, so it cannot respond to (and reset) a handshake it did not start

  Attacker ── SYN flooding ──▶ Trusted server

The Mitnick Attack

- Step 3: Trusted relationship hijacking
  - The attacker sends a SYN packet to the target with the trusted server’s IP address as the source
  - The target replies with a SYN+ACK packet to the server, which is muted and cannot respond
  - The attacker sends an ACK packet to the target, again with the spoofed IP address, acknowledging the guessed sequence number

  Attacker ── SYN, seq=x, spoofed IP ──────▶ X-Terminal
  Trusted server (muted) ◀─ SYN+ACK, seq=y ── X-Terminal
  Attacker ── ACK, ack=y+1, spoofed IP ────▶ X-Terminal

  Connected! Let’s talk!

The Mitnick Attack

- Step 4: Remote command pump
  - Create a backdoor on the target by sending the command “echo + + >> .rhosts” over the blind (one-way) session
  - A “+ +” entry in .rhosts tells rlogin/rsh to trust every user from every host, so any computer can then connect to the target without authentication
- Step 5: Clean up
  - Send RESET packets to the server to cancel all the half-open connections
  - The server is free again

The initial sequence numbers must be difficult to predict!
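Steps 1 and 3 of the attack, as an added Python example that is not part of the lecture: probe a server's ISN generator, detect a constant stride, and check whether a blind (spoofed-source) handshake can be completed with a predicted Y+1. `StridedISN` models the generator described on the slides (a fixed increment of 128000 per connection); `RandomISN` stands in for an unpredictable generator and is seeded only so the demo is repeatable. Both generators, the starting value and the number of probes are constructed for the demo.

```python
import random

M32 = 0xFFFFFFFF


class StridedISN:
    """ISN generator of the kind the lecture describes: each new connection gets the
    previous ISN plus a fixed increment (128000 in the X-Terminal case)."""

    def __init__(self, start, stride=128000):
        self.last, self.stride = start & M32, stride

    def next(self):
        self.last = (self.last + self.stride) & M32
        return self.last


class RandomISN:
    """Unpredictable ISNs, the property RFC 6528-style generators aim for."""

    def __init__(self, seed=1):
        self.rng = random.Random(seed)        # seeded only to make the demo repeatable

    def next(self):
        return self.rng.getrandbits(32)


def probe(server_isn, n):
    """Step 1: open n probe connections from the attacker's own address and record the
    ISN Y that the target puts in each SYN+ACK."""
    return [server_isn.next() for _ in range(n)]


def isn_stride(samples):
    """The constant increment between successive ISNs, or None if there is no single one."""
    deltas = {(b - a) & M32 for a, b in zip(samples, samples[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def predict_next_isn(samples):
    stride = isn_stride(samples)
    return None if stride is None else (samples[-1] + stride) & M32


def blind_spoof(server_isn, samples):
    """Step 3: send a SYN with the trusted host's spoofed address. The SYN+ACK carrying
    the real Y goes to the muted host, so the attacker must ACK a *predicted* Y+1.
    Returns (predicted_ack, real_Y, connection_established)."""
    predicted = predict_next_isn(samples)
    real_y = server_isn.next()                 # the target answers the spoofed SYN
    if predicted is None:
        return None, real_y, False
    predicted_ack = (predicted + 1) & M32
    return predicted_ack, real_y, predicted_ack == (real_y + 1) & M32


if __name__ == "__main__":
    weak = StridedISN(start=0x1234)
    print("strided generator:", blind_spoof(weak, probe(weak, 4)))   # established
    strong = RandomISN(seed=7)
    print("random generator: ", blind_spoof(strong, probe(strong, 4)))  # fails
```

Against the strided generator four probes are enough to recover the increment and the spoofed handshake completes; against the random generator no stride exists, so the attacker has no better than a 1-in-2^32 guess, which is exactly why the initial sequence numbers must be difficult to predict.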

Questions?

- SYN Flooding Attack
- TCP Reset Attack
- TCP Session Hijacking Attack