Lecture 8
Network Security
Part 1
Dr Vicky Liu
OSI and TCP/IP models
Outline
Layer 3: Network
Internet Protocol (IP)
Address Resolution Protocol (ARP)
Internet Control Message Protocol (ICMP)
Layer 4: Transport
Transmission Control Protocol (TCP)
Layer 7: Application
Dynamic Host Configuration Protocol (DHCP)
Domain Name System (DNS)
Vulnerability/Threat/Risk
Vulnerability
NIST Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide, defines a vulnerability as:
A weakness in a system, application, or network that is subject to exploitation or misuse.
Vulnerability/Threat/Risk (cont.)
Threat
ISO 27005 defines a threat as:
A potential cause of an incident that may result in harm to systems and organizations.
FIPS 200, "Minimum Security Requirements for Federal Information and Information Systems" (NIST), defines a threat as:
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Cyber Risk
A definition from Wikipedia
Cyber risk arises from the potential that a threat may exploit a vulnerability to breach security and cause harm.
The Internet Protocol (IP) v4 Header Fields
QoS
IP fragmentation
IP Header Fields
Version: IPv4 or IPv6
Header Length: 20 up to 40 bytes
Differentiated Services: for managing network performance, i.e. Quality of Service (QoS)
Total Length: length of the whole datagram; Total Length minus the Header Length = payload length
Time to Live (TTL): for preventing packets from looping forever
Checksum: for detecting header corruption
Options: for providing special-delivery (routing) instructions
IP Protocol Features
Best-effort delivery
IP routes and sends a packet towards the destination, but provides no guarantee that the packet is delivered.
Handling packet loss is left to the higher-layer protocols.
The network has variable delays, so it is not guaranteed that packets will be received in sequence.
Connection-less service
Each packet is individually addressed and routed, rather than being sent over a prearranged connection channel set up for the data transmission.
It is possible that two packets from the same source take different paths to reach the destination.
IP Protocol Features (cont.)
Routing
Packets go through a series of routers before they reach the destination.
At each node that the packet passes through, the node determines the next hop for the packet and routes it to the next hop.
Quality of Service (QoS) control
QoS optimizes the network by setting packet priorities (classification marking)
IP Fragmentation
What is IP fragmentation?
Fragmentation is necessary for data transmission because every network has its maximum transmission unit (MTU), the largest number of bytes an individual packet can have on that particular network.
If a packet larger than the network's MTU is being sent, it must be fragmented to be transmitted.
Who reassembles the fragmented packets?
When the destination host receives IP fragments, it allocates memory in preparation for fragment reassembly.
The Internet Protocol (IP) Header Fields
Fragmentation
Three fields in the IP header are related to fragmentation:
Identification (16 bits)
The identification number is copied into every fragment when a datagram is fragmented.
In support of fragmentation and reassembly: the receiver uses it to tell which fragments belong to the same original datagram.
Flags (3 bits)
First bit unused (reserved)
D is the Do not Fragment (DF) bit
M is the More Fragments (MF) bit
Fragmentation Offset (13 bits)
The offset of the data in the original datagram, measured in units of 8 bytes
The first fragment has an offset of zero
It records only the position of the first data byte of that fragment within the original datagram (in 8-byte units)
Fragmentation Offset Calculation
IPv4 header layout (rows): Ver | Hlen | Serv Type | Total length; Identification | Flags | Frag Offset; TTL | Protocol | Checksum; IP Source Address; IP Destination Address
An IP packet is 4020 bytes.
MTU of the outgoing NIC = 1420 bytes.
Sending the 4020-byte datagram will require 3 fragments: the MTU is 1420 but each fragment must include a 20-byte IP header (at least), so we can send only 1400 bytes of the IP data in a fragment.
Identification | Flags (reserved, D, M) | Frag Offset in each fragment:
Fragment 1: 1444 | 0 0 1 | 0
Fragment 2: 1444 | 0 0 1 | 1400/8 = 175
Fragment 3: 1444 | 0 0 0 | 2800/8 = 350
Fragment 1: Flags 001 (reserved, fragment, more to come); Frag Offset 0 (data starts at offset 0, i.e. with the first byte of data).
Fragment 2: Flags 001 (reserved, fragment, more to come); Frag Offset 175 (1400/8, measured in units of 64 bits = 8 bytes) (data starts at offset 1400, i.e. 1400 is the first byte in this fragment).
Fragment 3: Flags 000 (reserved, fragment, last); Frag Offset 350 (2800/8) (data starts at offset 2800, i.e. 2800 is the first byte in this fragment).
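The calculation above as runnable added example code (not from the lecture): it plans the fragments for the 4020-byte datagram over a 1420-byte MTU, packs the Identification/Flags/Offset header fields, and reassembles the fragments with a contiguity check that rejects the overlapping or missing ranges a fragmentation attack relies on. Identification 1444 is taken from the slide; the TTL, protocol number and zeroed addresses are assumptions.

```python
import struct

HEADER_LEN = 20  # minimal IPv4 header, as the lecture example assumes (no options)


def plan_fragments(total_length, mtu, header_len=HEADER_LEN):
    """Return (offset_in_8_byte_units, data_len, more_fragments) per fragment.

    Every fragment except the last carries a multiple of 8 data bytes, because
    the 13-bit Fragment Offset counts 8-byte units.
    """
    payload = total_length - header_len
    max_data = (mtu - header_len) // 8 * 8
    frags, pos = [], 0
    while pos < payload:
        size = min(max_data, payload - pos)
        frags.append((pos // 8, size, pos + size < payload))
        pos += size
    return frags


def build_header(ident, offset_units, more, data_len, ttl=64, proto=17):
    """Pack a 20-byte IPv4 header; checksum left 0, DF clear, MF and offset set."""
    flags_frag = (int(more) << 13) | offset_units  # bit 15 reserved, 14 DF, 13 MF, 0-12 offset
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, HEADER_LEN + data_len, ident,
                       flags_frag, ttl, proto, 0, bytes(4), bytes(4))


def parse_fragment_fields(header):
    """Return (identification, more_fragments, offset_in_bytes, data_len) from a raw header."""
    total_len, ident, flags_frag = struct.unpack("!HHH", header[2:8])
    return ident, bool(flags_frag & 0x2000), (flags_frag & 0x1FFF) * 8, total_len - HEADER_LEN


def fragment_datagram(payload, mtu, ident):
    """Split payload into (header, data) fragments of one datagram."""
    return [(build_header(ident, off, more, size), payload[off * 8:off * 8 + size])
            for off, size, more in plan_fragments(HEADER_LEN + len(payload), mtu)]


def reassemble(fragments):
    """Join the fragments of one datagram, in any arrival order.

    Returns None unless the data ranges are contiguous, non-overlapping and
    terminated by exactly one fragment with MF = 0. A reassembler that simply
    writes each fragment at its offset can be tricked by overlapping offsets,
    so gaps and overlaps are rejected here instead of silently patched over.
    """
    parsed = sorted(((parse_fragment_fields(h), d) for h, d in fragments),
                    key=lambda p: p[0][2])
    if len({p[0][0] for p in parsed}) != 1:      # mixed Identification values
        return None
    expected, out = 0, bytearray()
    for i, ((_, more, offset, data_len), data) in enumerate(parsed):
        last = i == len(parsed) - 1
        if offset != expected or len(data) != data_len or more == last:
            return None
        out += data
        expected += data_len
    return bytes(out)
```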
IP Spoofing/DoS
An attacker can send packets/datagrams from a false source address to disguise itself.
Denial-of-service (DoS) attacks often use IP spoofing to overload networks and devices with packets that appear to be from legitimate source IP addresses.
Issues with IPv4 Fragmentation
Fragmentation increases CPU and memory overhead and slows down network performance.
Intermediate router
Creates fragment headers
Computes checksums
Copies the original packet's data into the fragments
Receiving host
When reassembling the fragments, the receiver must allocate memory for the arriving fragments and join them into one packet after all of the fragments have been received.
If one fragment is dropped, the entire original packet must be resent.
An ICMP Time Exceeded message (fragment reassembly time exceeded) is sent to the sender.
ARP: IP and MAC addressing
IP addresses are used for identifying destination devices across the Internet.
MAC addresses are used for direct delivery within the same network.
ARP is used to resolve a logical (IP) address of a target host to its physical (MAC) address in a local area network.
ARP in Direct Delivery
The sender A and receiver B are located on the same network.
A requests B's MAC address.
Once B's MAC address is resolved, the data can be delivered from A to B.
Figure: hosts A, B and C on the same network.
ARP in Indirect Delivery
The sender A and receiver B are not located on the same network.
A requests the gateway G's MAC address. Once G's MAC address is resolved, A sends the data to G for forwarding.
G requests B's MAC address. Once B's MAC address is resolved, G forwards the data to B.
Two ARP processes are involved.
Figure: A (131.181.1.100) and gateway G (131.181.1.1) on one network; B (131.181.2.100) on another network reached through G.
ARP in Indirect Delivery (cont.)
Figure: A (131.181.1.100) - G1 (131.181.1.1 / 131.181.2.1) - G2 (131.181.2.2 / 131.181.3.1) - G3 (131.181.3.2 / 131.181.4.1) - B (131.181.4.100)
4 ARP processes:
A - G1
G1 - G2
G2 - G3
G3 - B
ARP Process- Request
ARP is a two-step process: a request and a reply.
Within a network, when a host (the requester) A begins a conversation with a target host B:
A is aware of B's IP address but does not have B's MAC address, so A is unable to send a unicast frame to B.
A sends an ARP broadcast frame to request B's MAC address. Since it is a broadcast, all hosts on the network receive the ARP request.
All hosts scan the content of the ARP request to determine whether they are the intended target. The hosts that are not the intended target discard the broadcast frame.
ARP Process – Reply
B is the target of the ARP Request. It sends an ARP Reply back to A.
Since B knows who sent the initial ARP Request, it is able to send the ARP Response unicast, directly back to A.
ARP Frame Format
Bit positions: 0-7 | 8-15 | 16-23 | 24-31
Hardware Type (e.g. Ethernet = 1) | Protocol Type (network layer protocol)
Hardware Address Length | Protocol Address Length | Operation (Request = 1, Reply = 2)
Sender Hardware Address (48 bits = 6 bytes)
Sender IP Address (32 bits)
Target Hardware Address (empty in a request)
Target IP Address (32 bits)
ARP Poisoning
ARP Poisoning is also known as ARP Spoofing.
It is a type of attack carried out over a local area network (LAN).
It involves sending malicious ARP packets on the LAN so that the attacker's MAC address becomes mapped to the IP address of another host.
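Added example code (not from the lecture) covering the frame format and the poisoning threat above: it packs and parses ARP packets in the field order of the frame-format slide, then runs a passive monitor over a constructed request/reply sequence that flags the two signs of poisoning a defender looks for, a reply nobody requested and an IP whose MAC binding changes. The IP addresses are the slide's A and G; the MAC addresses are made up.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sender MAC, sender IP, target MAC, target IP
OP_REQUEST, OP_REPLY = 1, 2


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack a 28-byte ARP packet for Ethernet (hardware type 1) carrying IPv4 (0x0800)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sender_mac, sender_ip, target_mac, target_ip)


def parse_arp(pkt):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)


class ArpMonitor:
    """Passive ARP inspection: learn IP -> MAC bindings from replies and alert when a
    binding changes or when a reply arrives that answers no outstanding request."""

    def __init__(self):
        self.table = {}        # sender IP -> sender MAC learned from replies
        self.pending = set()   # (requester IP, target IP) of requests not yet answered
        self.alerts = []

    def observe(self, pkt):
        a = parse_arp(pkt)
        if a["op"] == OP_REQUEST:
            self.pending.add((a["spa"], a["tpa"]))
            return
        key = (a["tpa"], a["spa"])  # a reply's target is the requester, its sender the answerer
        if key in self.pending:
            self.pending.discard(key)
        else:
            self.alerts.append(f"unsolicited reply: {ip_str(a['spa'])} is-at {mac_str(a['sha'])}")
        old = self.table.get(a["spa"])
        if old is not None and old != a["sha"]:
            self.alerts.append(f"binding change for {ip_str(a['spa'])}: "
                               f"{mac_str(old)} -> {mac_str(a['sha'])}")
        self.table[a["spa"]] = a["sha"]


# Constructed sample traffic using the slide's addresses (MACs are made up).
IP_A, IP_G = bytes([131, 181, 1, 100]), bytes([131, 181, 1, 1])
MAC_A, MAC_G = bytes.fromhex("02aa00000001"), bytes.fromhex("02bb00000001")
MAC_X = bytes.fromhex("02ee00000099")  # a host on the LAN claiming the gateway's IP


def run_demo():
    """A asks for G's MAC, G answers, then a forged reply rebinds G's IP to MAC_X."""
    mon = ArpMonitor()
    mon.observe(build_arp(OP_REQUEST, MAC_A, IP_A, bytes(6), IP_G))  # target MAC empty in a request
    mon.observe(build_arp(OP_REPLY, MAC_G, IP_G, MAC_A, IP_A))        # legitimate answer, no alert
    mon.observe(build_arp(OP_REPLY, MAC_X, IP_G, MAC_A, IP_A))        # poisoning attempt, two alerts
    return mon.alerts, mon.table
```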
ICMP Features
ICMP is a supporting protocol for IP.
ICMP messages are encapsulated inside IP datagrams before going down to the data link layer.
Encapsulation: Frame Header | IP Header | IP data = ICMP header + data | Trailer
ICMP Features (cont.)
Assists in diagnosing some network problems, particularly those related to the network layer of the OSI model
Assists in obtaining specific information from routers and the destination host
Is used by both routers and hosts
Returns messages back to the originator
Types of ICMP
ICMP messages can be broadly classified into 2 types:
Error reporting
Query/Reply
ICMP message types:
Error Reporting: Destination Unreachable, Source Quench, Time Exceeded, Parameter Problem, Redirect, …
Query: Echo Request/Reply, Timestamp, …
Time-Exceeded
The ICMP Time Exceeded message is issued in two cases:
When a packet is sent, its TTL is decremented by 1 at each hop. If the TTL reaches 0, the packet is dropped and a Time Exceeded message is sent to the originator.
If the destination does not receive all fragments within a set time, it drops any received fragments and sends a Time Exceeded message to the originator.
Scenario: ICMP Redirect
Sending host A has IP address 10.0.0.100/24.
A's routing table has a default route entry pointing to router G1's IP address 10.0.0.1/24 as the default gateway.
Router G1 uses router G2's IP address 10.0.0.2/24 as its next hop when forwarding traffic to destination Network X.
Figure: hosts A and B and routers G1 and G2; Network X is reached via G2.
Source: Cisco, Understanding ICMP Redirect Messages
Scenario: ICMP Redirect (cont.)
G1 (10.0.0.1) receives a packet from host 10.0.0.100 on its network.
G1 checks its routing table and obtains the IP address 10.0.0.2 of the next hop G2 on the route to the packet's destination network X.
If G2 and the sending host (identified by the packet's source IP address) are on the same network 10.0.0.0, an ICMP Redirect message is sent to the sending host, advising it to send its traffic for network X directly to G2, as this is one hop shorter to the destination network.
G1 forwards the received packet to G2.
Echo Request/Reply
A host or router that receives an echo-request message creates an echo-reply message and returns it to the originator.
Echo-request and echo-reply messages can be used to help diagnose some network problems,
e.g. the communication status between two devices.
Testing destination availability and reporting status is achieved by invoking the ping command.
Ping creates a series of echo-request and echo-reply messages and provides statistical information.
Ping Utility
Tracert Utility
Can ICMP be used for evil?
Vulnerabilities in ICMP
Understanding the types of ICMP operations
Appreciating how ICMP normally interacts between the originator and the other hosts
Identifying abnormal network behaviours
How can we tell that TCP is a reliable, connection-oriented protocol?
TCP header
Source port address (16 bits) | Destination port address (16 bits)
Sequence number (32 bits)
Acknowledgement number (32 bits)
HLEN (4 bits) | Reserved (3 bits) | Flags: NS CWR ECE URG ACK PSH RST SYN FIN | Window size (16 bits)
Checksum (16 bits) | Urgent pointer (16 bits, used if URG is set)
Options and Padding
TCP features
TCP provides reliability
Error control
Flow control
TCP is a connection-oriented protocol
TCP offers full-duplex service
A TCP Connection
Three stages of a TCP connection:
Connection establishment with a 3-way handshake
Data transfer
Connection termination with a 4-way handshake
(I) Connection Establishment with a 3-way Handshake
A client (A) sends a TCP synchronization (SYN) segment to the destination device (B), usually a server.
A destination port is specified and a source port is assigned dynamically.
Three segments are used to establish a TCP connection:
Segment 1: A issues a message to B for initialization
Segment 2: B sends a message to A for initialization and acknowledgement
Segment 3: A sends an acknowledgement to B
(I) Connection Establishment with a 3-way Handshake (cont.)
Figure (simplified segment fields), Client on the left, Server on the right, time running downwards:
(1) Request for connection: Client → Server, SYN segment, Seq: 8000
(2) Response: Server → Client, SYN-ACK segment, Seq: 15000, Ack: 8001
(3) Connection established: Client → Server, ACK segment, Seq: 8001, Ack: 15001
(II) TCP Data Transfer
Received data must be acknowledged with an ACK that specifies the byte number the receiver expects to receive next from the sender.
TCP uses sequence numbers to identify the amount of data transferred and any out-of-order packets.
Figure (simplified segment fields), continuing from the handshake above:
Client → Server: ACK, Seq: 8001, Ack: 15001, Data bytes 8001-9000
Server → Client: ACK, Seq: 15001, Ack: 9001, Data bytes 15001-16000
Client → Server: ACK, Seq: 9001, Ack: 16001
TCP Connection Termination: 4-Way Handshake
Figure, Client on the left, Server on the right:
Client → Server: FIN, Seq: x, Ack: y
Server → Client: ACK, Seq: y, Ack: x + 1
Server → Client: FIN, Seq, Ack
Client → Server: ACK, Seq, Ack
Threats to TCP
Predicting TCP Sequences
It is possible for an attacker to guess the sequence numbers that TCP assigns to a stream of data packets.
If an attacker can predict the sequence number of an ongoing communication session, it can carry out an injection attack to insert corrupted or fraudulent data into the stream.
SYN Flooding
…
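The handshake, data-transfer and termination figures above as runnable added example code (not from the lecture): a minimal model of the two counters each side keeps reproduces the slides' Seq/Ack values, then shows the receiver-side check that "Predicting TCP Sequences" defeats. The flag strings, the 100-byte forged segment and the helper names are constructed.

```python
import secrets


class Endpoint:
    """One side of a TCP connection, tracking only the two counters the slides use."""

    def __init__(self, name, isn):
        self.name = name
        self.snd_nxt = isn   # sequence number of the next byte this side sends
        self.rcv_nxt = None  # sequence number expected next from the peer (unknown until its SYN)
        self.log = []

    def send(self, peer, flags, data_len=0):
        """Build a segment and hand it to the peer; SYN and FIN each consume one sequence number."""
        seg = {"from": self.name, "flags": flags, "seq": self.snd_nxt,
               "ack": self.rcv_nxt if "ACK" in flags else None, "len": data_len}
        self.snd_nxt += data_len + ("SYN" in flags) + ("FIN" in flags)
        peer.receive(seg)
        return seg

    def receive(self, seg):
        """Accept only a segment that starts exactly at rcv_nxt (simplified: no receive window)."""
        if "SYN" in seg["flags"] and self.rcv_nxt is None:
            self.rcv_nxt = seg["seq"]      # learn the peer's initial sequence number
        if seg["seq"] != self.rcv_nxt:
            self.log.append(("dropped", seg["from"], seg["seq"]))
            return False
        self.rcv_nxt += seg["len"] + ("SYN" in seg["flags"]) + ("FIN" in seg["flags"])
        self.log.append(("accepted", seg["from"], seg["seq"]))
        return True


def lecture_exchange():
    """Replay the slides: ISNs 8000 (client) and 15000 (server), 1000 data bytes each way,
    then the 4-way close. Returns (from, flags, seq, ack) per segment."""
    client, server = Endpoint("client", 8000), Endpoint("server", 15000)
    trace = [client.send(server, "SYN"),              # (1) request for connection
             server.send(client, "SYN-ACK"),          # (2) response
             client.send(server, "ACK"),              # (3) connection established
             client.send(server, "ACK", 1000),        # data bytes 8001-9000
             server.send(client, "ACK", 1000),        # data bytes 15001-16000
             client.send(server, "ACK"),
             client.send(server, "FIN-ACK"),          # FIN, Seq x, Ack y
             server.send(client, "ACK"),              # ACK, Seq y, Ack x+1
             server.send(client, "FIN-ACK"),
             client.send(server, "ACK")]
    return [(s["from"], s["flags"], s["seq"], s["ack"]) for s in trace]


def forged_segment_accepted(guessed_seq, client_isn=8000):
    """The receiver-side check behind 'Predicting TCP Sequences': after the handshake, a
    segment with a spoofed source is accepted only if its seq equals the server's rcv_nxt.
    With a fixed ISN that value is trivially known; a random ISN leaves 2**32 possibilities."""
    client, server = Endpoint("client", client_isn), Endpoint("server", 15000)
    client.send(server, "SYN")
    server.send(client, "SYN-ACK")
    client.send(server, "ACK")
    forged = {"from": "forged", "flags": "ACK", "seq": guessed_seq, "ack": 15001, "len": 100}
    return server.receive(forged)


def random_isn():
    """What modern stacks do instead of a fixed ISN: draw it from the full 32-bit space."""
    return secrets.randbelow(1 << 32)
```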
DHCP
DHCP is used to automatically assign IP addresses as needed within a network.
When a computer is turned on, it requests an IP address from a DHCP server
The server assigns an address for a specific amount of time (called a lease)
DHCP Servers listen on UDP port 67 for leasing IP addresses.
DHCP clients use UDP port 68 for requesting IP addresses
DHCP Lease Process
During the boot-up process, a DHCP client broadcasts a DHCPDISCOVER message to reach a DHCP server and request an IP address.
The DHCP server reserves an IP address for the client and makes a lease offer by sending a DHCPOFFER message to the client via unicast.
DHCP Lease Process (cont.)
The client responds with a DHCPREQUEST message via broadcast to accept the offered IP address.
If several DHCP servers respond, the client accepts the first offer it receives.
The DHCP server whose offer was accepted responds with a DHCPACK message via unicast.
It acknowledges the lease acceptance and contains the client's IP address lease and other IP addressing information.
DHCP Message Format
OP Code (op) (1 byte) | Hardware Type (htype) (1 byte) | Hardware address length (hlen) (1 byte) | Hops (hops) (1 byte)
Transaction ID (xid) (4 bytes)
Seconds (secs) (2 bytes) | Flags (flags) (2 bytes)
Client IP address (ciaddr) (4 bytes)
Your IP address (yiaddr) (4 bytes)
Server IP address (siaddr) (4 bytes)
Gateway IP address (giaddr) (4 bytes)
Client hardware address (chaddr) (16 bytes)
Server name (sname) (64 bytes)
Boot file name (file) (128 bytes)
Options (variable size)
Encapsulation: Ethernet | IP | UDP | DHCP Message Payload
Threats to DHCP
DHCP spoofing
The attacker inserts a rogue DHCP server into the network.
The rogue DHCP server responds to DHCP requests and tries to list itself as the default gateway or DNS server, initiating a man-in-the-middle attack.
It can intercept traffic from users before forwarding it to the actual gateway.
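Added example code (not from the lecture) built on the message format above: it packs and parses DHCP messages in the slide's field order, then applies the check a network monitor would use against DHCP spoofing, flagging an OFFER whose Server Identifier or Router option points at a host that is not the known DHCP server or gateway. Option codes 53 (message type), 54 (server identifier) and 3 (router) come from RFC 2132; the 10.0.0.0/24 addresses, MAC address and transaction ID are constructed.

```python
import struct

FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # op..file, the 236-byte fixed part from the slide
MAGIC = b"\x63\x82\x53\x63"              # options start with this cookie (RFC 2132)
MSG_TYPE, SERVER_ID, ROUTER = 53, 54, 3  # option codes from RFC 2132
TYPE_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def ip(s):
    return bytes(int(x) for x in s.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)


def build_dhcp(op, xid, chaddr, yiaddr=bytes(4), options=()):
    """Pack the fixed header in the slide's order, then cookie + TLV options + END (255)."""
    fixed = struct.pack(FIXED_FMT, op, 1, 6, 0, xid, 0, 0x8000, bytes(4), yiaddr, bytes(4),
                        bytes(4), chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    tlv = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC + tlv + b"\xff"


def parse_dhcp(msg):
    """Unpack the fixed fields and walk the option list into a dict keyed by option code."""
    fields = struct.unpack(FIXED_FMT, msg[:236])
    op, hlen, xid, yiaddr, chaddr = fields[0], fields[2], fields[4], fields[8], fields[11]
    if msg[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 255:
        if msg[i] == 0:                # pad option, no length byte
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    mtype = opts.get(MSG_TYPE)
    return {"op": op, "xid": xid, "chaddr": chaddr[:hlen], "yiaddr": yiaddr,
            "type": TYPE_NAMES.get(mtype[0]) if mtype else None, "options": opts}


def check_offer(parsed, trusted_servers, known_gateway):
    """Rogue-server check for an OFFER/ACK: the Server Identifier must be one of our DHCP
    servers, and the Router option must not point somewhere else (the MITM pattern)."""
    findings = []
    if parsed["type"] not in ("OFFER", "ACK"):
        return findings
    server = parsed["options"].get(SERVER_ID, b"")
    if server not in trusted_servers:
        findings.append(f"untrusted server identifier {ip_str(server)}")
    router = parsed["options"].get(ROUTER, b"")
    if router and router != known_gateway:
        findings.append(f"router option {ip_str(router)} is not the known gateway")
    return findings


# Constructed sample exchange on a hypothetical 10.0.0.0/24 LAN.
CLIENT_MAC, XID = bytes.fromhex("02cc00000005"), 0x3903F326
DISCOVER = build_dhcp(1, XID, CLIENT_MAC, options=[(MSG_TYPE, b"\x01")])
GOOD_OFFER = build_dhcp(2, XID, CLIENT_MAC, ip("10.0.0.50"),
                        [(MSG_TYPE, b"\x02"), (SERVER_ID, ip("10.0.0.1")), (ROUTER, ip("10.0.0.1"))])
ROGUE_OFFER = build_dhcp(2, XID, CLIENT_MAC, ip("10.0.0.51"),
                         [(MSG_TYPE, b"\x02"), (SERVER_ID, ip("10.0.0.200")), (ROUTER, ip("10.0.0.200"))])
TRUSTED = {ip("10.0.0.1")}
```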
Threats to DHCP (Cont.)
DHCP starvation attack
The attacker uses slave hosts to keep requesting IP addresses from the DHCP server until the server's entire pool of addresses is exhausted.
As a result, legitimate clients are unable to get an IP address from the DHCP server and hence cannot connect to the network.
Understanding the DHCP operation between a client and a server
Identifying abnormal network behaviours
DNS
The service converts a human-readable name into an IP address on a network.
It can be thought of as a White Pages or Yellow Pages directory service: DNS is like the phone book of the Internet.
DNS is a name-to-address resolution protocol that keeps a list of computer names and their IP addresses.
Using DNS, a user can use a computer's name instead of its IP address.
Applications that use DNS include the World Wide Web (WWW), email, and instant messaging.
Name Resolution Response
Authoritative response
The response is resolved by the authoritative DNS server for the queried domain name.
Non-authoritative response
The response is not resolved by the authoritative DNS server for the queried domain name (e.g. it is answered from a cache).
Example of Authoritative Response
When you use a PC in QUT's computer lab and enter http://library.qut.edu.au in your web browser, the DNS client service contacts the local DNS server, i.e. QUT's DNS server.
QUT's DNS server has the matching record for library.qut.edu.au in its DNS zone and returns the IP address for the website library.qut.edu.au; your computer can then contact the web server to request a web page.
Example of Non-authoritative Response
Figure: DNS client → Local DNS server, which in turn queries the Root server, the Com TLD server and the IBM.com DNS server. The numbered messages are:
1. Query for www.ibm.com (DNS client to local DNS server)
2. Query to root server
3. Try one of these com TLD servers
4. Query to com TLD server
5. Try one of the ibm.com DNS servers
6. Query to an ibm.com DNS server
7. Query is resolved, i.e. the address is 129.42.38.10
8. Return the IP address (to the DNS client)
Then the query result is cached on the local DNS server for a certain period of time. When the same query recurs, the local DNS server returns a non-authoritative answer.
DNS query and response messages
Vulnerabilities/Threats in DNS
The DNS scheme has:
No authentication
No authenticity or integrity checking on DNS responses
DNS cache-poisoning attack (redirect attack)
Changing DNS records on a DNS server or DNS cache server redirects network traffic from a legitimate web server to a malicious website.
DNS flood attack
A DoS/DDoS attack that overloads the network with a high volume of traffic, exhausting network capacity and computer resources.
Protocol Threats
IP: IP Spoofing attack; Fragmentation attack
ARP: ARP Cache-poisoning attack; MITM attack
ICMP: Redirect attack; Ping of death attack
TCP: Predicting TCP Sequences; TCP SYN Flood attack
DHCP: DHCP Spoofing; Starvation attack
DNS: DNS Cache Poisoning; DNS Flood attack
Security attacks
Active attack: involves data modification or the creation of a false stream, e.g. masquerade, replay, modification of messages, man-in-the-middle (MITM) and DoS/DDoS.
Passive attack: attempts to learn or make use of information from the system but does not affect system resources, e.g. traffic analysis, release of information contents.