Date posted: 26-May-2015
Motivation Problem Statement TCP Vulnerabilities ARP LOT Observation Conclusion References
TCP Vulnerabilities and IP Spoofing: Current Challenges and Future Prospects
Prakhar Bansal, Registration No. 2011CS29
Computer Science and Engineering Department, Motilal Nehru National Institute of Technology Allahabad,
Allahabad, India
November 5, 2012
Prakhar Bansal, MNNIT Allahabad 1 / 45
1. Motivation
2. Problem Statement
3. TCP Vulnerabilities
4. ARP Cache Poisoning Attack
5. LOT: Lightweight Opportunistic Plug and Play Secure Tunneling Protocol
6. Observation
7. Conclusion
8. References
Motivation: Why?
Prolexic Attack Report [1]
- Number of DDoS attacks: up 88%
- Average attack duration: up, to as much as 33 hours
- Average attack bandwidth: up
- Packets-per-second rate: up
- Top country of origin for DDoS attacks: China
Norton Cyber Crime Report 2012 [2]
According to the report, cybercrime affects:
- 556 million victims per year
- 2 out of 3 online adults in their lifetime
- 42 million+ people in India in the last 12 months
- The global price tag has reached $110 billion
- $197 average cost per victim
Cybercrime global cost
Figure: Cybercrime global cost [2]
Government Budgets and Recent Reports
- UK businesses lose around £21 billion a year [3]
- India spent 37.7 crores this year
- The US has proposed $800 million for the next fiscal year, 2013-14
- Government should spend more on policing the Internet [4]
Recent Anonymous Attacks I
Recent Anonymous Attacks II
- On Jan 19, 2012, the group attacked the US Department of Justice and the FBI in protest of SOPA.
- The group claimed this to be its largest attack, with over 5635 botnets.
- Attacks on Facebook on October 12, 2012, which led Facebook to shut down in Europe.
Recent Anonymous Attacks III
- Attacked many Indian websites, including the website of the Supreme Court of India and those of national political parties, in response to Internet censorship.
- Took down UK government websites in April 2012 in protest against government surveillance policies.
Problem Statement
‘To design a reliable, scalable and secure network: a network which no one can spoof, no one can flood and no one can hack.’
- Protocol vulnerabilities are one of the long-standing major challenges in network communications.
- The reports and attacks discussed show how vulnerable our network protocols are.
TCP Vulnerabilities: Three-way Handshake
Figure: Three-way handshake
Establishing & Closing a TCP Connection: Sequence of States at Client TCP
Figure: Sequence of states at client TCP
Establishing & Closing a TCP Connection: Sequence of States at Server TCP
Figure: Sequence of states at server TCP
TCP SYN Flooding Attack: Theory of Operation
- Server TCP in the LISTEN state transitions to the SYN-RECEIVED state when it receives a SYN segment.
- Server TCP maintains a Transmission Control Block (TCB) for each such connection.
- SYN flooding attacks try to exhaust the memory of the attacked system.
- The success of a SYN flooding attack lies in:
  - packet size,
  - frequency, and
  - distinct, distributed and unreachable IP addresses.
TCP SYN Flooding Attack: Countermeasures
- Filtering
- Increasing the backlog
- Reducing the SYN-RECEIVED timer
- Recycling the oldest half-open TCB
- SYN cache
- SYN cookies, and the limitations of SYN cookies
ARP Cache Poisoning Attack: About ARP
- ARP was originally published by David C. Plummer in RFC 826.
- To communicate with a host on the network we must know the 48-bit Ethernet address (MAC address) of that host.
- The host broadcasts an ARP query on the network.
- The host with the given IP unicasts an ARP reply.
- Each node in a network maintains a data structure named the ARP cache for storing <IP, MAC> pairs.
- ARP cache entries expire after some time.
ARP Cache Poisoning Attack: Theory of Operation
- ARP is a stateless protocol.
- A host updates its ARP cache on any ARP query.
- A false ARP reply is reflected in the ARP cache as soon as the host receives it.
- Once the host has updated its ARP cache, the attacker also receives the packets intended for some other system.
ARP Cache Poisoning Attack: Countermeasures I
Huang, in 2008, suggested adding state to the ARP protocol [5].
Figure: Huang's solution [5]
ARP Cache Poisoning Attack: Countermeasures II
- Seung Yeob Nam, in 2010, proposed a voting-based resolution mechanism to prevent ARP attacks.
- It suggests that a host first asks other neighboring hosts about this IP and MAC before updating its table.
- Some firewall and router manufacturers have procedures in their products to detect ARP spoofing attacks.
- Software such as arp-guard recognizes changes in ARP tables and reports them to a managing system [6].
LOT: About LOT
- LOT needs to be installed at the communicating network gateways [7].
- Once installed, one gateway establishes an efficient tunnel for secure communication with another gateway.
- A working prototype is available online at http://lighttunneling.sourceforge.net
LOT: LOT Features
- Local and remote quotas
- Filtering
- Congestion detection
- Ingress filtering solution: adds a pseudo-random tag to each packet.
LOT: Communication Model
- As the IP address space is {0, 1}^32 [8], according to the LOT protocol every entity in the network has an address space S of {0, 1}^l.
- A set NB ⊆ S is a network block if ∃P, a prefix, P ∈ {0, 1}^l′, l′ < l.
- Network hosts and LOT gateways are all network entities with a network block NB(e).
- Each host entity h must be associated with a single network block: |NB(h)| = 1.
- A gateway entity may be associated with a larger network block.
LOT: Communication Model
Figure: Communication model [7]
LOT: Communication Model
Network entities communicate by sending messages to their next peers. Next peers are decided as follows. Two entities e1, e2 are peers if and only if either:
- NB(e1) ⊂ NB(e2) and NB(e1) ⊄ NB(G) ⊄ NB(e2) (no gateway G lies between them); for example, entities A and C are peers; or
- NB(e2) ⊄ NB(e1), NB(e1) ⊄ NB(e2), and NB(e1) ⊄ NB(G) or NB(e2) ⊄ NB(G); for example, entities F and G are peers.
Handshake Between Gateways, Phase 1: Hello Phase I
- HOST_A, in some NB1 behind GWA, sends a packet to HOST_B in some other NB2 not associated with GWA.
- GWA identifies the gateway GWB associated with NB(HOST_B).
- GWA begins the handshake by sending a hello request message to HOST_B.
- The hello request message contains:
  - details of NB(HOST_A) associated with GWA, and
  - a cookie, cookie_A.
Handshake Between Gateways, Phase 1: Hello Phase II
- GWB intercepts the hello request message and replies with a hello response message.
- The hello response message contains:
  - details of NB(HOST_B) associated with GWB,
  - cookie_A, and
  - for optimization, cookie_B.
Handshake Between Gateways, Phase 1: Hello Phase III
Figure: Phase 1: hello phase
Handshake Between Gateways, Phase 2: Network Block Validation I
- GWA checks whether GWB ∈ NB(HOST_B), and GWB checks whether GWA ∈ NB(HOST_A).
- Validation consists of n iterations.
- GWA sends a packet carrying a cookie to a random host in NB(GWB).
- If GWB is associated with the same NB, then it should be able to intercept it.
- The cookie is based on NB(GWB), the current time at GWA, the current iteration number and the agreed-upon number of iterations.
Handshake Between Gateways, Phase 2: Network Block Validation II
- GWB, after intercepting the packet correctly, sends a challenge back to a random host associated with GWA, together with its response.
- This response contains the two cookies and the arguments GWA needs to regenerate its cookie.
- GWA regenerates its cookie and matches it against the one extracted from the response.
- If GWA ∈ NB(HOST_A), then it intercepts the challenge.
- Now GWA selects another random host from NB(HOST_B).
- This process is repeated n times.
- To avoid DDoS attacks, η_max is set as a global constant and n ≤ η_max.
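The Phase 2 exchange described on the two slides above, as an added simulation that is not part of the original deck or of the LOT prototype: the network, the gateway names, the /16 blocks and the cookie construction (an HMAC over NB(GWB), time, iteration number and n, keyed by a secret local to GWA) are all constructed for this example. A claimant gateway only passes validation if it is the one that actually intercepts packets sent into the block it claims, and every round's echoed cookie must regenerate correctly at GWA.

```python
import hashlib
import hmac
import ipaddress
import random
import secrets

ETA_MAX = 8  # global constant bounding the number of iterations: n <= eta_max


class Gateway:
    def __init__(self, name, block):
        self.name = name
        self.block = ipaddress.ip_network(block)  # NB(gateway)
        self.key = secrets.token_bytes(16)        # local secret, never transmitted

    def covers(self, ip):
        return ipaddress.ip_address(ip) in self.block

    def cookie(self, peer_block, t, i, n):
        # Cookie depends on NB(peer), current time, iteration number and agreed n.
        msg = f"{peer_block}|{t}|{i}|{n}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:8]


def random_host(block):
    """Pick a random host address inside a network block."""
    return str(block[random.randrange(1, block.num_addresses - 1)])


def intercept(dst_ip, gateways):
    """Constructed network: a packet to dst_ip is seen only by the gateway covering it."""
    for gw in gateways:
        if gw.covers(dst_ip):
            return gw
    return None


def validate_block(gw_a, claimant, claimed_block, n, gateways, t=1000):
    """Phase 2 as run by GW_A against `claimant`, which claims to serve claimed_block."""
    claimed = ipaddress.ip_network(claimed_block)
    n = min(n, ETA_MAX)
    for i in range(n):
        c = gw_a.cookie(claimed, t, i, n)
        # Only the gateway that really covers the block ever sees this cookie.
        if intercept(random_host(claimed), gateways) is not claimant:
            return False
        # The claimant echoes the cookie plus the arguments needed to regenerate it,
        # addressed to a random host behind GW_A; GW_A must intercept that itself.
        echoed, args = c, (claimed, t, i, n)
        if intercept(random_host(gw_a.block), gateways) is not gw_a:
            return False
        if not hmac.compare_digest(echoed, gw_a.cookie(*args)):
            return False
    return True


# Constructed topology: GW_X claims GW_B's block but only covers 10.9.0.0/16.
GATEWAYS = [Gateway("A", "10.1.0.0/16"), Gateway("B", "10.2.0.0/16"),
            Gateway("X", "10.9.0.0/16")]
```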
Handshake Between Gateways, Phase 2: Network Block Validation
Figure: Phase 2: network block validation
LOT: LOT Packet Structure
The IP header is modified significantly in order to encapsulate LOT.
- IP flags: the DF/MF flags are always unset, as there is no packet fragmentation within the LOT tunnel.
- Protocol type: this field is modified to indicate that the packet is encapsulated using LOT.
- LOT header: a LOT header is attached to the packet. It contains:
  - the tag,
  - fields for reconstruction of the original packet, including the IP flags and transport protocol, and
  - fields that allow the receiving-end gateway to reconstruct the session key.
My Observation: TCP Three-way Handshake I
While studying the TCP protocol, I observed a few things about the three-way handshake.
- The success of SYN flooding attacks depends on the frequency of SYN segments reaching the server side.
- Neither increasing the backlog nor decreasing the SYN-RECEIVED timer will work.
- Attackers usually send SYN flood messages from a set of unreachable IPs.
- If the backlog (half-open connection queue) is filling very fast, why not first ping the client before sending any reply?
My Observation: TCP Three-way Handshake
Figure: Redefinition of TCP three-way handshake
My Observation: TCP Three-way Handshake II
The SYN-cookie limitation can be removed by using a separate cookie.
- The client sends a SYN segment to the server.
- The server replies with ‘SYN/ACK/cookie_server’.
- cookie_server is based on the client IP address, port, current time and other information.
- Once it reaches the client, the client acknowledges the server by sending ‘ACK/cookie_server’.
- The server authenticates its cookie and validates the client.
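An added model of the cookie handshake proposed above, also illustrating why the SYN flood of the earlier "Theory of Operation" slide finds nothing to exhaust when the server keeps no half-open state; this is example code, not the deck's own or any kernel implementation. The cookie is assumed to be an HMAC over client IP, port and a coarse time slot under a server secret; the addresses, lifetime and scenarios are constructed.

```python
import hashlib
import hmac
import secrets

COOKIE_LIFETIME = 60  # seconds a SYN/ACK cookie stays acceptable (constructed value)


class CookieServer:
    """Server side of the slide's handshake: no TCB is allocated on SYN; a connection
    is committed only when the client's ACK carries the server's own cookie."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)  # secret behind cookie_server
        self.established = set()               # (ip, port) pairs that completed
        self.half_open = 0                     # classic backlog counter; stays 0 here

    def _cookie(self, ip, port, slot):
        msg = f"{ip}|{port}|{slot}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def on_syn(self, ip, port, now):
        # Reply SYN/ACK/cookie_server without remembering anything about the client.
        return ("SYN/ACK", self._cookie(ip, port, now // COOKIE_LIFETIME))

    def on_ack(self, ip, port, cookie, now):
        # Accept the current and the previous slot so a slow client is not rejected.
        current = now // COOKIE_LIFETIME
        for slot in (current, current - 1):
            if hmac.compare_digest(cookie, self._cookie(ip, port, slot)):
                self.established.add((ip, port))
                return True
        return False


def run_scenarios():
    """Returns (half_open, legit_ok, replay_ok, stale_ok)."""
    srv = CookieServer()
    # 1. Constructed flood of SYNs from spoofed, unreachable sources: no state is kept,
    #    and the SYN/ACKs go to addresses that will never answer.
    for i in range(10000):
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, now=0)
    # 2. A legitimate client returns the cookie it was given.
    _, c = srv.on_syn("192.0.2.10", 40000, now=5)
    legit = srv.on_ack("192.0.2.10", 40000, c, now=7)
    # 3. The same cookie presented from another address fails: bound to IP and port.
    replay = srv.on_ack("192.0.2.11", 40000, c, now=7)
    # 4. The cookie presented long after issue fails: bound to time.
    stale = srv.on_ack("192.0.2.10", 40000, c, now=5 + 3 * COOKIE_LIFETIME)
    return srv.half_open, legit, replay, stale
```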
My Observation: TCP Three-way Handshake
Figure: Redefinition of TCP three-way handshake
My Observation: TCP Three-way Handshake III
In Linux, the SYN-cookie mechanism is disabled by default, but it can be enabled by setting the variable net.ipv4.tcp_syncookies to 1 in the /etc/sysctl.conf file.
ARP: ARP Protocol I
- ARP is a stateless protocol.
- ARP accepts any ARP reply and updates its ARP table as soon as the reply is received.
- We can add a new data structure alongside the existing ARP table.
- This data structure is a dynamic list which records all outstanding ARP requests.
- When an ARP reply arrives, we check this list to see whether we sent any such query.
- We further confirm the ARP reply by asking a few neighbors.
- We can originate a RARP request for the MAC address received in the ARP reply.
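The guarded cache proposed above, as an added example (not from the deck): replies are honoured only while a matching request is outstanding, a live entry being rebound to a different MAC is reported the way arp-guard reports table changes, and the neighbour confirmation (voting or RARP) is left as an injectable callback. Timings, addresses and the event sequence are constructed.

```python
class GuardedArpCache:
    """ARP cache that records outstanding requests and validates incoming replies."""

    def __init__(self, request_timeout=2.0, entry_ttl=60.0):
        self.cache = {}        # ip -> (mac, time learned)
        self.outstanding = {}  # ip -> time the request was broadcast
        self.alerts = []       # detection events for a managing system
        self.request_timeout = request_timeout
        self.entry_ttl = entry_ttl

    def send_request(self, ip, now):
        self.outstanding[ip] = now

    def on_reply(self, ip, mac, now, confirm=None):
        """confirm: optional callable(ip, mac) -> bool asking neighbours to vote."""
        sent = self.outstanding.get(ip)
        if sent is None or now - sent > self.request_timeout:
            self.alerts.append(("unsolicited_reply", ip, mac))
            return False
        known = self.cache.get(ip)
        if known and known[0] != mac and now - known[1] < self.entry_ttl:
            # A live entry is being rebound to another MAC: possible poisoning.
            self.alerts.append(("mac_changed", ip, known[0], mac))
            if confirm is None or not confirm(ip, mac):
                return False
        self.cache[ip] = (mac, now)
        del self.outstanding[ip]
        return True

    def lookup(self, ip, now):
        entry = self.cache.get(ip)
        if entry and now - entry[1] < self.entry_ttl:
            return entry[0]
        return None


# Constructed events: (time, kind, ip, mac)
EVENTS = [
    (0.0, "request", "10.0.0.1", None),
    (0.1, "reply", "10.0.0.1", "aa:aa:aa:aa:aa:01"),  # answers our request
    (5.0, "reply", "10.0.0.1", "de:ad:be:ef:00:01"),  # unsolicited rebind attempt
    (9.0, "request", "10.0.0.1", None),
    (9.1, "reply", "10.0.0.1", "de:ad:be:ef:00:01"),  # solicited, but MAC changed
]


def run(events, confirm=lambda ip, mac: False):
    """Feed events into a fresh cache; returns (cache, list of accept/reject results)."""
    cache = GuardedArpCache()
    results = []
    for t, kind, ip, mac in events:
        if kind == "request":
            cache.send_request(ip, t)
        else:
            results.append(cache.on_reply(ip, mac, t, confirm))
    return cache, results
```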
ARP: ARP Protocol
Figure: Redefinition of ARP protocol
Conclusion
- Recent network attacks have shown how vulnerable our networks are.
- Flooding, IP spoofing and denial-of-service attacks are becoming significant threats.
- Ingress filtering was suggested but is not yet completely implemented by all ISPs.
- The LOT protocol is best, but it needs to be installed on almost all gateways in the network.
- All gateways first share a secret key through a vulnerable network; this can be dangerous.
- LOT tunnels can’t pass over Network Address Translators (NATs). However, NAT devices do not prevent LOT, and LOT tunnels will be formed.
Conclusion
- The world is changing; the face of network communication is changing rapidly.
- The use of smartphones and embedded systems is increasing rapidly.
- Cloud computing and mobile computing are attackers’ future targets.
- Security in cloud computing is still a major issue. There is a need for reliable, scalable and fault-tolerant clouds, both on systems and on mobile.
- Protocols are not very sophisticated and are thus vulnerable to attacks.
- Research into developing sophisticated network protocols is still a very important area, full of challenges, and a thrust for future research.
References I
[1] “Prolexic Quarterly Global DDoS Attack Report,” Quarter 3, 2012.
[2] “2012 Norton Cybersecurity Report.”
[3] “Government to warn businesses about cyber crime threat,” BBC, 5 September 2012.
[4] Ross Anderson and Chris Bardon, “Measuring the cost of cybercrime.”
[5] Huang, T. and Bai, G., “Method against ARP spoofing based on improved protocol mechanism.”
[6] “ARP Guard,” https://www.arp-guard.com/info.
References II
[7] Gilad, Yossi and Herzberg, Amir, “LOT: A Defense Against IP Spoofing and Flooding Attacks,” ACM Transactions on Information and System Security, vol. 15, no. 6, July 2012.
[8] Postel, J., “Internet Protocol, The Protocol Specification,” RFC 791, DARPA Internet Program.
Thank you
Questions?