Network and Information Security: 08 Network Protocol Weaknesses


Protocol Weaknesses
© 2002, Cisco Systems, Inc. All rights reserved. ESAP 1.01-1-1

Lesson Objective
This lesson will enable the learner to identify specific protocol weaknesses and the methods of their exploitation.

Outline
This lesson includes these sections:
- ARP
- IP
- TCP/UDP
- ICMP
- Application protocols
- Overt and Covert Channels

Overview
- Internet protocols are either extremely simple (finger) or exceedingly complex (H.323)
- Almost no protocol was designed with a lot of security in mind
- An attacker can fool the protocol endpoints:
  - By spoofing the protocol messages (impersonation)
  - By sending malformed messages to crash or compromise the endpoint

ARP Refresher
- ARP provides resolution of L2 addresses on a subnet
- Mostly a request-response protocol
- ARP replies can be sent asynchronously (gratuitous ARP)
- There is no authentication whatsoever
- By RFC, workstations use the latest learned address from any ARP reply

ARP One-Way Spoofing
- The attacker poisons an endpoint with a gratuitous ARP reply:
  - The default gateway address is a prime candidate to spoof
  - Not invisible to the endpoint (ARP cache), but generally invisible to the end user

ARP One-Way Spoofing (Cont.)
- Enables connection hijacking, denial of service, or simplex sniffing:
  - Any strong authentication is defeated if the session is not encrypted

ARP Two-Way Spoofing
- The attacker poisons two endpoints with two gratuitous ARPs:
  - The attacker becomes a man-in-the-middle relay between the hosts
  - Not invisible to the endpoint (ARP cache), but invisible to the end user

ARP Two-Way Spoofing (Cont.)
- Enables sniffing and traffic manipulation on any switched network:
  - The attacker's system performs IP forwarding for transparency
  - Changing data requires resynchronization of the TCP stream

ARP Spoofing Consequences
- Confidentiality breaches: an attacker can capture traffic between any two points on an L2 network.
- Integrity breaches: an attacker can change arbitrary information using a man-in-the-middle attack.
- Availability: the attacker can inject false L2 information, disrupting connectivity.
- The attacker needs to be on the same L2 broadcast domain:
  - Or bridge his traffic in via GRE

Example: The Arpspoof Tool
C:\>arp -d 15.1.1.1
C:\>ping -n 1 15.1.1.1
Pinging 15.1.1.1 with 32 bytes of data:
Reply from 15.1.1.1: bytes=32 time
C:\>arp -a
Interface: 15.1.1.26 on Interface 2
  Internet Address      Physical Address      Type
  15.1.1.1              00-04-4e-f2-d8-01     dynamic
  15.1.1.25             00-10-83-34-29-72     dynamic
C:\>arp -a
Interface: 15.1.1.26 on Interface 2
  Internet Address      Physical Address      Type
  15.1.1.1              00-10-83-34-29-72     dynamic
  15.1.1.25             00-10-83-34-29-72     dynamic
root@lnx dsniff-2.3# ./arpspoof 15.1.1.1
0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:4:4e:f2:d8:1
0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:4:4e:f2:d8:1
0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:4:4e:f2:d8:1
0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:4:4e:f2:d8:1
15.1.1.25

Example: The Webmitm Tool
- This tool combines ARP spoofing with SSL spoofing: it spoofs the remote server on L2 and presents the client with a fake certificate
- Although obvious, most users would proceed, not knowing what is happening

ARP Guidelines
On networks where ARP spoofing is possible, use:
- Encrypted and fully authenticated network sessions
- Disable ARP and/or use static ARP entries in and for critical L3 devices (routers, servers)
- ARP Inspection in CatOS
- Private VLANs to restrict L2 connectivity on a subnet
- Restrictions on switch port access (physical security, 802.1x)
- Extremely short ARP timeouts to reduce DoS potential (not robust)
- Restrictive port security on switches, static CAM mapping (not enough)

IP Refresher
The IP protocol has some security features and weaknesses:
- Authentication, integrity and confidentiality are provided by IPsec encapsulations
- Destination-based routing, no source verification required:
  - Required to support asymmetric routing
  - IP spoofing is traditionally possible
- Some IP options allow an attacker to bypass desired routing (loose, strict source route):
  - Simplifies IP spoofing
- IP fragmentation attacks were used to exhaust end-host resources and bypass some filtering mechanisms

IP Spoofing on a LAN
- Weak binding between IP and L2 addresses:
  - On a LAN, IP spoofing of local addresses is trivial, as routing or ARP spoofing brings return traffic back
  - Bidirectional (TCP) connection spoofing is possible if the attacker can see return traffic
- Egress filtering can prevent random spoofing out of a subnet

Remote IP Spoofing
- Remote IP spoofing is more difficult, as the attacker usually cannot control the reverse route:
  - Used for unidirectional attacks (TCP SYN flooding)
  - Can conditionally be used for bidirectional attacks

IP Source Routing Options
- The ability of the source to specify the full routing path between endpoints inside the IP header:
  - The destination must reply along the reverse path
  - This makes remote IP spoofing trivial
- Loose and Strict Source Routing exist

IP Source Routing Example
- The IOS telnet client has an option for loose source routing:
  - A loopback interface can be created and used as the source of an attack

IP Guidelines
To defend against IP-layer attacks use:
- IPsec protection of traffic to guarantee authenticity, integrity, and confidentiality
- Tight control over classic routing (authenticated routing)
- Tight control over source addresses (anti-spoofing using ingress/egress filtering)
- Filtering of all source-routed packets

TCP Refresher
- The TCP protocol is designed well from the security perspective:
  - It relies on IPsec or the application layer for authentication, confidentiality, and integrity
  - Sequencing is used to mitigate spoofing
- Some implementations were flawed, allowing denial-of-service and bidirectional spoofing attacks
- Almost all implementations have quirks which allow identification of the operating system by TCP probing
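The ARP Guidelines slide asks for ARP inspection and the IP Guidelines slide for filtering of all source-routed packets. The following is an added example, not code from the Cisco deck, showing both checks over raw frames with the Python standard library: an ARP monitor that flags an IP whose MAC changes or two IPs answering from one MAC (the state of the arpspoof session above, where 15.1.1.1 and 15.1.1.25 both end up at 00-10-83-34-29-72), and an IPv4 option walker that recognises the loose and strict source-route options (types 0x83 and 0x89 from RFC 791). The victim MAC, the 192.0.2.x addresses and all frames are constructed sample values.

```python
"""ARP-binding monitor and IPv4 source-route detector over constructed raw frames."""
import struct
from typing import Dict, List, Optional

ETHERTYPE_ARP, ETHERTYPE_IP = 0x0806, 0x0800
ARP_REPLY = 2
IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89  # RFC 791 loose / strict source route option types


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac: bytes, sender_ip: bytes, target_mac: bytes, target_ip: bytes) -> bytes:
    """Constructed Ethernet II + ARP reply frame (sample input, not captured traffic)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def build_ipv4(src_ip: bytes, dst_ip: bytes, options: bytes = b"") -> bytes:
    """Constructed Ethernet II + IPv4 header without payload; options padded to 32-bit words."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0, src_ip, dst_ip)
    return b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_IP) + hdr + options


class ArpMonitor:
    """Learns IP -> MAC bindings from ARP replies and reports changes and collisions."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}

    def observe(self, frame: bytes) -> List[str]:
        alerts: List[str] = []
        if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
            return alerts
        if struct.unpack("!H", frame[20:22])[0] != ARP_REPLY:
            return alerts
        sender_mac, sender_ip = mac_str(frame[22:28]), ip_str(frame[28:32])
        old = self.bindings.get(sender_ip)
        if old is not None and old != sender_mac:
            alerts.append(f"CHANGE {sender_ip}: {old} -> {sender_mac}")
        # Two IPs answering from one MAC is the footprint of a man-in-the-middle relay.
        for ip, mac in self.bindings.items():
            if ip != sender_ip and mac == sender_mac:
                alerts.append(f"COLLISION {sender_ip} and {ip} both at {sender_mac}")
        self.bindings[sender_ip] = sender_mac
        return alerts


def source_route_option(frame: bytes) -> Optional[str]:
    """Walk the IPv4 option list; return 'LSRR', 'SSRR', 'MALFORMED' or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
        return None
    ip = frame[14:]
    opts = ip[20:(ip[0] & 0x0F) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return "MALFORMED"  # truncated or zero-length option: a filter drops these too
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            return "LSRR" if kind == IPOPT_LSRR else "SSRR"
        i += opts[i + 1]
    return None


def demo() -> Dict[str, object]:
    """Replays the poisoning from the arpspoof session above, then three IPv4 frames."""
    gw_mac, atk_mac = bytes.fromhex("00044ef2d801"), bytes.fromhex("001083342972")
    victim_mac = bytes.fromhex("0000000000aa")  # constructed
    gw_ip, atk_ip, victim_ip = bytes([15, 1, 1, 1]), bytes([15, 1, 1, 25]), bytes([15, 1, 1, 26])
    mon = ArpMonitor()
    frames = [
        build_arp_reply(gw_mac, gw_ip, victim_mac, victim_ip),    # genuine gateway reply
        build_arp_reply(atk_mac, atk_ip, victim_mac, victim_ip),  # attacker's own address
        build_arp_reply(atk_mac, gw_ip, victim_mac, victim_ip),   # gateway IP now claimed by attacker MAC
    ]
    arp_alerts = [a for f in frames for a in mon.observe(f)]
    src, dst = bytes([192, 0, 2, 7]), bytes([192, 0, 2, 10])
    lsrr = bytes([IPOPT_LSRR, 11, 4, 10, 0, 0, 1, 10, 0, 0, 2])  # two hops in the route list
    ssrr = bytes([IPOPT_NOP, IPOPT_SSRR, 7, 4, 10, 0, 0, 1])
    return {
        "arp_alerts": arp_alerts,
        "plain": source_route_option(build_ipv4(src, dst)),
        "lsrr": source_route_option(build_ipv4(src, dst, lsrr)),
        "ssrr": source_route_option(build_ipv4(src, dst, ssrr)),
    }
```

Calling demo() yields one CHANGE alert and one COLLISION alert for the third ARP frame, and classifies the three IPv4 frames as None, LSRR and SSRR. The monitor only reports; a switch feature such as the ARP Inspection named above is what would actually discard the poisoned reply.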

TCP Spoofing
- Spoofing TCP packets without access to the session is very difficult:
  - Sequence/acknowledgement numbers have to be set right
  - RST/FIN DoS attacks are possible through firewalls if they do not check sequence numbers
- TCP connection spoofing is possible if the end system uses weak initial sequence numbers (ISNs):
  - The attacker can predict the server's response and complete the TCP handshake without seeing reverse traffic

TCP Spoofing Example: The Kevin Mitnick Attack
- Used when systems trust each other based on IP address, and spoofing exploits that trust:
  - An attacker first probes the TCP server to determine its TCP ISN algorithm and current state

TCP Spoofing Example: The Kevin Mitnick Attack (Cont.)
- The attacker then sends a spoofed SYN from a trusted IP address, and the target replies with a SYN/ACK:
  - The real (spoofed) trusted IP address must be disabled so that it does not reply with a RST
  - Or use a non-active host

TCP Spoofing Example: The Kevin Mitnick Attack (Cont.)
- The attacker finishes the attack using a predicted sequence number, and sends a malicious payload to the target

TCP Denial-of-Service Attacks
- TCP stacks are complex and have been vulnerable to denial-of-service attacks:
  - Poisonous packets (land.c, Windows URG interpretation)
  - Floods (TCP SYN flooding) to make TCP servers non-responsive
- TCP stacks improve and those attacks are less likely today.
- SYN flooding can be mitigated with several tools (SYN Cookies, TCP Intercept).

land.c TCP Denial-of-Service
- The attacker sends a TCP segment to the target which has the same source and destination IP addresses:
  - A bug in BSD-based TCPs causes the kernel to enter an endless loop

TCP SYN Flooding
- An attacker sends a flood of SYN segments to a target server, and never completes the handshake:
  - Servers have a limit on the number of half-open connections, and stop accepting new connections
  - The source address is usually forged, using a non-responsive part of the address space (prevents RSTs)
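The SYN Cookies named on the DoS slides address both problems raised in this section at once: the server keeps no half-open state, so a flood of forged SYNs costs it nothing, and the sequence number it sends is a keyed hash rather than a predictable ISN, so an attacker who cannot see the SYN/ACK cannot finish the handshake. The following is an added example, not code from the Cisco deck, modelled on the layout of Bernstein's SYN cookies (5 bits of a coarse time counter, 3 bits of encoded MSS, 24 bits of HMAC over the 4-tuple). Addresses, ports, the secret, the counter value and the MSS table are constructed assumptions.

```python
"""SYN cookies: a listener that survives a SYN flood without half-open state."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

MSS_TABLE = (536, 1220, 1440, 1460)  # MSS values representable in the 3-bit field (assumed table)


def _mss_index(mss: int) -> int:
    """Index of the largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def _keyed_hash(secret: bytes, saddr: str, sport: int, daddr: str, dport: int, t: int) -> int:
    """24-bit truncation of HMAC-SHA256 over the 4-tuple and the counter."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}@{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret: bytes, saddr: str, sport: int, daddr: str, dport: int, t: int, mss: int) -> int:
    """Server ISN for the SYN/ACK: counter (5 bits) | MSS index (3 bits) | hash (24 bits)."""
    return ((t & 0x1F) << 27) | (_mss_index(mss) << 24) | _keyed_hash(secret, saddr, sport, daddr, dport, t)


def check_cookie(secret: bytes, saddr: str, sport: int, daddr: str, dport: int, ack: int, now: int) -> Optional[int]:
    """Validate the cookie carried in a bare ACK (ack - 1); return the negotiated MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    # Accept the current counter value or the previous one (one tick of slack for slow clients).
    for t in (now, now - 1):
        if (t & 0x1F) != cookie >> 27:
            continue
        expected = _keyed_hash(secret, saddr, sport, daddr, dport, t).to_bytes(3, "big")
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[(cookie >> 24) & 0x7]
    return None


class CookieListener:
    """TCP listener model: SYN -> SYN/ACK carrying a cookie, ACK -> validated and established."""

    def __init__(self, secret: bytes, addr: str, port: int) -> None:
        self.secret, self.addr, self.port = secret, addr, port
        self.established: Dict[Tuple[str, int], int] = {}
        self.half_open = 0  # never incremented: no per-SYN state exists

    def on_syn(self, saddr: str, sport: int, mss: int, now: int) -> int:
        """Returns the sequence number to place in the SYN/ACK; records nothing."""
        return make_cookie(self.secret, saddr, sport, self.addr, self.port, now, mss)

    def on_ack(self, saddr: str, sport: int, ack: int, now: int) -> bool:
        mss = check_cookie(self.secret, saddr, sport, self.addr, self.port, ack, now)
        if mss is None:
            return False
        self.established[(saddr, sport)] = mss
        return True


def demo() -> Dict[str, object]:
    srv = CookieListener(b"constructed-secret-rotate-me", "192.0.2.10", 80)
    now = 1000  # counter value, e.g. time() // 64 (constructed)
    # 1. A flood of SYNs from forged, unresponsive sources leaves no half-open entries.
    for i in range(10000):
        srv.on_syn(f"198.51.100.{i % 256}", 1024 + i, 1460, now)
    # 2. A real client completes the handshake: its ACK carries cookie + 1.
    seq = srv.on_syn("203.0.113.5", 40000, 1460, now)
    ok = srv.on_ack("203.0.113.5", 40000, (seq + 1) & 0xFFFFFFFF, now)
    # 3. A guessed acknowledgement number and a cookie replayed after the window are rejected.
    forged = srv.on_ack("203.0.113.5", 40001, 0x12345679, now)
    stale = srv.on_ack("203.0.113.5", 40000, (seq + 1) & 0xFFFFFFFF, now + 2)
    return {"half_open": srv.half_open, "established": len(srv.established),
            "ok": ok, "forged": forged, "stale": stale,
            "mss": srv.established.get(("203.0.113.5", 40000))}
```

The price of statelessness is visible in the code: only the MSS survives the round trip, other SYN options are lost, and a replayed ACK within the two-tick window would be accepted, which is why real stacks enable cookies only once the half-open queue is under pressure.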

Using TCP for OS Identification
- Many TCP stacks reply to strange packets in different ways:
  - Allows identification of the remote operating system by the attacker

UDP Refresher
- The UDP protocol is extremely simple and has no sequencing or state machine:
  - It relies on IPsec or the application layer for authentication, confidentiality, and integrity
  - No sequencing, therefore it is much simpler to spoof
  - The attacker generally only needs to guess a port number (2^15 packets on average)
- Protection against spoofing needs to be provided at the application layer (RADIUS, DNS: use hard-to-guess request IDs)

TCP/UDP Guidelines
To defend against transport-layer attacks use:
- Robust TCP/IP implementations (random ISNs, SYN Cookies)
- Firewall protection against flooding attacks (TCP Intercept, SYN Cookies)

ICMP Refresher
- The ICMP protocol provides diagnostics and fault detection to IP.
- Often abused by attackers to:
  - Gather information (ICMP scanning) about networks, hosts, and operating systems: nmap, Xprobe
  - Perform denial-of-service attacks (crafted packets, floods): Ping-of-death, SMURF, DDoS
  - Influence routing (ICMP redirects)
  - Build tunnels to bypass access control (secret channels inside ICMP exchanges): Loki

Scanning Using ICMP
- Simple scanning elicits ICMP responses from remote hosts:
  - Uses ICMP Echo (Ping), Timestamp request, Info request, Address mask request
  - Can be done with IP fragments, looking for Fragmentation timeout messages

Scanning Using ICMP (Cont.)
- Inverse mapping: probing with any packets, and looking for Destination unreachable replies:
  - Indicates live hosts behind the firewall

Scanning Using ICMP (Cont.)
- Detection of host operating systems and filtering routers:
  - The ICMP replies might indicate the host OS
  - A filtering router might reply with an Administratively prohibited message, indicating its presence

Denial-of-Service Attacks Using ICMP
- ICMP is permitted by a lot of firewalls, therefore bugs in the end-host IP layer can be exploited:
  - Ping-of-death (too-large packets)
  - ICMP fragments to fill reassembly buffers

Denial-of-Service Attacks Using ICMP (Cont.)
- ICMP flooding attacks were popular due to amplification techniques:
  - SMURF attacks used a spoofed broadcast PING to elicit a large number of responses to the target

Redirect Attacks Using ICMP
- ICMP redirects can be sent to hosts to change their routing tables (denial of service or traffic redirection):
  - Very similar to ARP spoofing attacks
  - Routers are not vulnerable, as they ignore redirects
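The scanning, SMURF and redirect slides above describe traffic patterns that a network IDS on a sensitive segment can recognise from ICMP headers alone. The following is an added example, not code from the Cisco deck, that runs four such checks over a constructed list of packet summaries (source, destination, ICMP type, code): echo requests aimed at the segment's directed-broadcast address (the SMURF amplifier side), a host receiving many echo replies it never asked for (the SMURF victim side), redirects from anything other than the configured gateway, and one source sending echo, timestamp, info or address-mask requests to many distinct hosts. The subnet, gateway, threshold and packets are constructed sample values.

```python
"""ICMP anomaly checks: SMURF (both sides), rogue redirects and host scanning."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

ECHO_REPLY, REDIRECT, ECHO_REQUEST = 0, 5, 8
TIMESTAMP_REQUEST, INFO_REQUEST, MASK_REQUEST = 13, 15, 17
PROBE_TYPES = {ECHO_REQUEST, TIMESTAMP_REQUEST, INFO_REQUEST, MASK_REQUEST}

Packet = Tuple[str, str, int, int]  # (src, dst, icmp_type, icmp_code)


def detect(packets: Iterable[Packet], subnet: str, gateway: str, threshold: int = 8) -> List[str]:
    """Return alert strings for the constructed packet list; threshold is an assumed tuning value."""
    net = ipaddress.ip_network(subnet)
    broadcast = str(net.broadcast_address)
    alerts: List[str] = []
    probed: Dict[str, Set[str]] = defaultdict(set)   # src -> distinct hosts it probed
    requested: Set[Tuple[str, str]] = set()          # (requester, target) echo requests seen
    unsolicited: Dict[str, int] = defaultdict(int)   # dst -> echo replies with no matching request
    for src, dst, itype, code in packets:
        if itype == ECHO_REQUEST and dst == broadcast:
            alerts.append(f"SMURF: echo request to broadcast {dst} from {src}")
        if itype == REDIRECT and src != gateway:
            alerts.append(f"REDIRECT: type 5 code {code} from non-gateway {src} to {dst}")
        if itype == ECHO_REQUEST:
            requested.add((src, dst))
        elif itype == ECHO_REPLY and (dst, src) not in requested:
            unsolicited[dst] += 1
        if itype in PROBE_TYPES and ipaddress.ip_address(dst) in net:
            probed[src].add(dst)
    for src, hosts in probed.items():
        if len(hosts) >= threshold:
            alerts.append(f"SCAN: {src} probed {len(hosts)} hosts in {subnet}")
    for dst, n in unsolicited.items():
        if n >= threshold:
            alerts.append(f"AMPLIFICATION: {dst} received {n} unsolicited echo replies")
    return alerts


def sample_packets() -> List[Packet]:
    """Constructed traffic on 192.0.2.0/24 whose gateway is 192.0.2.1."""
    pkts: List[Packet] = [
        ("192.0.2.20", "192.0.2.30", ECHO_REQUEST, 0),    # ordinary ping and its reply
        ("192.0.2.30", "192.0.2.20", ECHO_REPLY, 0),
        ("192.0.2.1", "192.0.2.20", REDIRECT, 1),         # redirect from the real gateway: allowed
        ("192.0.2.99", "192.0.2.20", REDIRECT, 1),        # redirect from a peer host
        ("198.51.100.7", "192.0.2.255", ECHO_REQUEST, 0),  # directed-broadcast ping from outside
    ]
    pkts += [("203.0.113.9", f"192.0.2.{h}", TIMESTAMP_REQUEST, 0) for h in range(40, 52)]
    pkts += [(f"192.0.2.{h}", "198.51.100.7", ECHO_REPLY, 0) for h in range(2, 22)]
    return pkts
```

detect(sample_packets(), "192.0.2.0/24", "192.0.2.1") returns four alerts: the rogue redirect, the broadcast ping, a 12-host scan and 20 unsolicited replies to 198.51.100.7. The redirect check needs the gateway as configuration; the router itself is not at risk, as the slide notes, but end hosts are, so the conservative fix is to have them ignore redirects outright.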

Secret Channels in ICMP
- If a firewall permits ICMP, it can be used to convey information with the help of an insider:
  - The insider can be a human or a program (Trojan horse)

ICMP Guidelines
To defend against ICMP-based attacks use:
- Very conservative ICMP rules with restrictive firewalls
- Rate limiting on network edges to prevent flooding
- Network IDS to indicate possible ICMP games on sensitive segments

Application Protocols
- Several Internet application protocols do not provide high levels of assurance:
  - Authentication, confidentiality, and integrity were not built in from the beginning
  - Many applications only use client-side authentication (server spoofing)
  - Many applications are extremely complex and difficult to perform access control on

DNS Security
- DNS has no authentication, integrity, or confidentiality built in:
  - Man-in-the-middle attacks in the packet path are easy
  - A request ID makes remote DNS spoofing difficult

DNS Security (Cont.)
- Reverse DNS lookups provide *some* trust in DNS, if used for authentication:
  - Dual DNS lookups are used to provide security
  - Works only if DNS servers are reachable securely
  - This is not the case on the Internet

Application Protocols Guidelines
To defend against application-protocol-based attacks use:
- Strong bidirectional authentication of application endpoints over untrusted networks
- A VPN technology to protect applications with weak security features
- Prefer simple to complex protocols
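The "dual DNS lookup" on the DNS Security (Cont.) slide is forward-confirmed reverse DNS: resolve the peer's address to a name (PTR), resolve that name back to addresses (A), and accept the name only if the original address is among them. The following is an added example, not code from the Cisco deck, with two constructed resolver tables standing in for an honest DNS path and for a path where an attacker in the packet path answers; it shows why the dual lookup beats a reverse-only check when the attacker controls only their own reverse zone, and why it still fails when the DNS path itself is not secure. All names and addresses are constructed sample values.

```python
"""Forward-confirmed reverse DNS (the 'dual DNS lookup') with injected resolvers."""
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str, str], List[str]]  # (name, rrtype) -> answer list, [] when no data


def table_resolver(records: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """A resolver backed by a constructed dict; stands in for a real DNS path."""
    return lambda name, rrtype: list(records.get((name.lower(), rrtype), []))


def reverse_name(ip: str) -> str:
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def reverse_only_name(ip: str, resolve: Resolver) -> Optional[str]:
    """The weak check: take the PTR answer at face value."""
    names = resolve(reverse_name(ip), "PTR")
    return names[0] if names else None


def fcrdns_name(ip: str, resolve: Resolver) -> Optional[str]:
    """The dual lookup: a PTR name counts only if its A records include the original IP."""
    for name in resolve(reverse_name(ip), "PTR"):
        if ip in resolve(name, "A"):
            return name
    return None


def in_domain(name: Optional[str], domain: str) -> bool:
    return name is not None and (name == domain or name.endswith("." + domain))


# Honest DNS: the attacker controls the reverse zone of 198.51.100.66 but not example.com.
HONEST = table_resolver({
    ("5.113.0.203.in-addr.arpa", "PTR"): ["nms.example.com"],
    ("nms.example.com", "A"): ["203.0.113.5"],
    ("66.100.51.198.in-addr.arpa", "PTR"): ["nms.example.com"],  # forged PTR
})

# DNS reached through an attacker on the packet path: both answers are forged.
MITM_PATH = table_resolver({
    ("66.100.51.198.in-addr.arpa", "PTR"): ["nms.example.com"],
    ("nms.example.com", "A"): ["198.51.100.66"],
})


def demo() -> Dict[str, bool]:
    """Whether each peer would be admitted as a host under example.com."""
    return {
        "honest_peer_dual": in_domain(fcrdns_name("203.0.113.5", HONEST), "example.com"),
        "forged_ptr_reverse_only": in_domain(reverse_only_name("198.51.100.66", HONEST), "example.com"),
        "forged_ptr_dual": in_domain(fcrdns_name("198.51.100.66", HONEST), "example.com"),
        "mitm_path_dual": in_domain(fcrdns_name("198.51.100.66", MITM_PATH), "example.com"),
    }
```

The last entry of demo() is the slide's caveat in code: with both answers forged on the path, the dual lookup admits the attacker, which is why name-based trust belongs behind the strong bidirectional authentication the guidelines slide asks for.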

Overt and Covert Channels
- Overt and covert channels refer to the ability to hide information within or using other information:
  - An overt channel is a transmission channel based on tunneling one protocol inside another
  - A covert channel is a transmission channel based on encoding data using another set of events
- Internet protocols and the data transferred over them provide ample possibilities for overt and covert channels:
  - Firewalls generally cannot detect them

Overt Channel Example
- One protocol can be tunneled within another to bypass the security policy:
  - PPP over telnet, telnet over DNS, IP over email, etc.
  - Watermarks in JPEG images used to leak confidential company information

Covert Channel Example
- Information encoded as another set of events:
  - One ping per minute = 0, two pings per minute = 1
  - One visit of a web page per day = 1, no visits = 0
- Usually quite limited in bandwidth

Summary
This lesson presented these key points:
- Internet protocols are simple, but can be augmented to provide enough security for most environments
- A lot of protocol weaknesses are due to weak implementations, not specifications
- Overt and covert channels are always possible, and almost impossible to prevent

Lesson Review
1. How can ARP spoofing be prevented?
2. What is the main risk of IP source routing?
3. When can an attacker spoof a TCP connection?
4. What is the difference between an overt and a covert channel?
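The Overt Channel Example lists telnet over DNS, and the slides note that firewalls generally cannot detect such tunnels because every packet is a well-formed query. What a firewall misses, a log-based heuristic can still catch: a tunnel has to push its payload through the query names, so one zone suddenly receives many distinct, long, high-entropy subdomains, usually with TXT or NULL answers. The following is an added example, not code from the Cisco deck, that scores each zone in a constructed query log (timestamp, client, qname, qtype per line) and flags zones exceeding every threshold. The thresholds, the two-label zone approximation and the log lines are constructed assumptions.

```python
"""Heuristic DNS-tunnel detection over a constructed query log."""
import math
from collections import defaultdict
from typing import Dict, List, Set

TUNNEL_QTYPES = {"TXT", "NULL", "CNAME"}  # record types tunnels favour for downstream data (assumed)


def shannon_entropy(text: str) -> float:
    """Bits per character; random base32/base64 labels score above ~4, words well below."""
    if not text:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_of(qname: str, depth: int = 2) -> str:
    """Registrable zone approximated as the last `depth` labels (no public-suffix list used)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def score_zones(log_lines: List[str]) -> Dict[str, Dict[str, float]]:
    """Per-zone query count, distinct names, mean first-label length/entropy, tunnel-qtype share."""
    subs: Dict[str, Set[str]] = defaultdict(set)
    lengths: Dict[str, List[int]] = defaultdict(list)
    entropies: Dict[str, List[float]] = defaultdict(list)
    tunnel_qtype: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than abort the whole batch
        _ts, _client, qname, qtype = parts
        zone = zone_of(qname)
        first = qname.rstrip(".").split(".")[0]
        total[zone] += 1
        subs[zone].add(qname.lower())
        lengths[zone].append(len(first))
        entropies[zone].append(shannon_entropy(first))
        if qtype.upper() in TUNNEL_QTYPES:
            tunnel_qtype[zone] += 1
    stats: Dict[str, Dict[str, float]] = {}
    for zone, n in total.items():
        stats[zone] = {
            "queries": n,
            "distinct": len(subs[zone]),
            "mean_len": sum(lengths[zone]) / n,
            "mean_entropy": sum(entropies[zone]) / n,
            "tunnel_qtype_share": tunnel_qtype[zone] / n,
        }
    return stats


def flag_tunnels(log_lines: List[str], min_distinct: int = 5, min_len: float = 20.0,
                 min_entropy: float = 3.5, min_share: float = 0.5) -> List[str]:
    """Zones that exceed every threshold (thresholds are assumed tuning values)."""
    flagged = []
    for zone, s in score_zones(log_lines).items():
        if (s["distinct"] >= min_distinct and s["mean_len"] >= min_len
                and s["mean_entropy"] >= min_entropy and s["tunnel_qtype_share"] >= min_share):
            flagged.append(zone)
    return sorted(flagged)


# Constructed log lines: ordinary lookups under example.com plus a tunnel under example.net.
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z 192.0.2.20 www.example.com A",
    "2024-05-01T09:00:02Z 192.0.2.20 mail.example.com MX",
    "2024-05-01T09:00:03Z 192.0.2.21 cdn.example.com A",
    "2024-05-01T09:00:04Z 192.0.2.21 api.example.com AAAA",
    "2024-05-01T09:00:05Z 192.0.2.22 www.example.com A",
    "2024-05-01T09:00:06Z 192.0.2.31 3kf9a2mz8q0vb7xlc1ptd5hwe6r4.t.example.net TXT",
    "2024-05-01T09:00:06Z 192.0.2.31 q7w2e9r4t1y6u3i8o5p0a2s7d4f9.t.example.net TXT",
    "2024-05-01T09:00:07Z 192.0.2.31 z1x4c7v2b5n8m3k6j9h0g4f7d1s5.t.example.net TXT",
    "2024-05-01T09:00:07Z 192.0.2.31 l8k3j7h2g6f1d5s9a4p0o3i7u2y6.t.example.net TXT",
    "2024-05-01T09:00:08Z 192.0.2.31 m2n6b1v5c9x4z8l3k7j2h6g1f5d9.t.example.net NULL",
    "2024-05-01T09:00:08Z 192.0.2.31 p4o8i2u6y1t5r9e3w7q2a6s1d5f9.t.example.net TXT",
    "malformed line",
]
```

flag_tunnels(SAMPLE_LOG) returns ["example.net"]. The heuristic is deliberately conjunctive: CDNs and anti-spam services also produce long hashed labels, so a single feature would drown the analyst in false positives, while the covert channels on the next slide (one ping per minute versus two) carry too little per event for any content check and are only visible as timing regularity.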
