7. Penetration – IP Fragments: Normal IP Fragmentation. To support transmission media with different maximum packet sizes, IP allows a single large packet to be broken up into smaller packets, called fragments. The higher-level protocol carried in IP (usually TCP or UDP) is split among the fragments: only the first fragment carries the TCP or UDP header, and the remaining fragments carry only a continuation of the payload, identified by the IP ID and a fragment offset.
8. Penetration – IP Fragments: Tiny Fragment Attack. Make the first fragment so small that the TCP header is split between two fragments, so that the field a packet filter needs to check is only present in the second fragment, which the filter does not inspect. Note that the fragment offset counts 8-byte units, so a conforming first fragment always carries at least the source and destination ports (the first 4 bytes of the TCP header); the field that can be pushed into the second fragment is the TCP flags, which is the case RFC 1858 describes. The effect on a filter that inspects only the first fragment is the same: it cannot see the field it needs.
11. Penetration – IP Fragments: tiny fragments in transit. Attacker → Firewall/IDS → Server. Fragment 1 carries part of the TCP header, Fragment 2 the rest of it. At the firewall/IDS the TCP port (or flag) is unknown, so the fragments are passed. At the server all IP fragments are reassembled and the complete TCP header is reconstructed.
13. Penetration – IP Fragments: Fragment Overlap attack. In the second fragment, lie about the offset from the first fragment so that the two overlap. Fragment 1 says the packet is for port 80: the firewall checks it, TCP port 80, OK! Fragment 2 also says port 80, but carries an offset (say 12) that overlaps the first fragment; to the firewall it is just a later fragment of the same packet, which is OK too. When the packet is reconstructed at the protected server, the overlapping bytes from the second fragment overwrite the first, and after overlaying the TCP header reads port 23. Whether this works depends on the server's reassembly policy (whether the earlier or the later copy of an overlapping byte wins); and since the offset granularity is 8 bytes, the bytes a non-first fragment can overwrite start at byte 8 of the TCP header, i.e. sequence number, acknowledgement number and flags rather than the ports themselves.
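The following is an added, self-contained example (not code from the original slides) that builds real IPv4 fragments with struct, runs them through a stateless packet filter and through a host reassembler, and applies the RFC 1858 countermeasures. It assumes the filter rule "drop inbound SYN to port 23"; because the fragment offset has 8-byte granularity, the field hidden or overwritten is the TCP flags rather than the port, which is the form these attacks take against a conforming stack. All addresses and headers are constructed data.

```python
import struct

SYN, ACK = 0x02, 0x10


def tcp_header(sport, dport, flags, seq=0, ack=0):
    """20-byte TCP header, no options; checksum left 0 (constructed data)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)


def ipv4_fragment(data, offset_units, more_fragments, ident=0x1234):
    """One IPv4 packet carrying a fragment. The offset field counts 8-byte units, as on the wire."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), ident, flags_frag,
                      64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + data


def parse_fragment(packet):
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"mf": bool(f[4] & 0x2000), "offset": (f[4] & 0x1FFF) * 8, "data": packet[ihl:f[2]]}


def tcp_flags(tcp):
    return struct.unpack("!H", tcp[12:14])[0] & 0x3F


def naive_filter(packet):
    """Stateless rule 'drop inbound SYN to port 23'. Only an offset-0 fragment is
    inspected; a field absent from that fragment simply does not match, so the
    fragment passes. Non-first fragments are passed as continuations."""
    f = parse_fragment(packet)
    d = f["data"]
    if f["offset"] != 0:
        return "pass"
    dport = struct.unpack("!H", d[2:4])[0] if len(d) >= 4 else None
    flags = tcp_flags(d) if len(d) >= 14 else None
    return "drop" if dport == 23 and flags is not None and flags & SYN else "pass"


def hardened_filter(packet):
    """RFC 1858 countermeasures: drop a first fragment too short to contain the TCP
    flags, and drop any fragment at offset 8 (FO == 1), which could overwrite them."""
    f = parse_fragment(packet)
    if f["offset"] == 0 and len(f["data"]) < 14:
        return "drop"
    if f["offset"] == 8:
        return "drop"
    return naive_filter(packet)


def reassemble(packets, policy):
    """Host-side reassembly. policy='last' lets later data overwrite earlier data on
    overlap; policy='first' keeps the first copy of every byte. Real stacks differ."""
    data, seen = bytearray(), bytearray()
    for p in packets:
        f = parse_fragment(p)
        end = f["offset"] + len(f["data"])
        if end > len(data):
            data.extend(bytes(end - len(data)))
            seen.extend(bytes(end - len(seen)))
        for i, b in enumerate(f["data"]):
            pos = f["offset"] + i
            if policy == "last" or not seen[pos]:
                data[pos] = b
            seen[pos] = 1
    return bytes(data)


def tiny_fragment_attack():
    """Slides 8/11: the first fragment carries only 8 bytes of TCP header (ports and
    sequence number); the flags arrive in fragment 2, which the filter never inspects.
    Returns (naive verdicts, hardened verdicts, flags the server reassembles)."""
    hdr = tcp_header(40000, 23, SYN)
    frags = [ipv4_fragment(hdr[:8], 0, True), ipv4_fragment(hdr[8:], 1, False)]
    return ([naive_filter(p) for p in frags],
            [hardened_filter(p) for p in frags],
            tcp_flags(reassemble(frags, "last")))


def overlap_attack(policy):
    """Slide 13: fragment 1 is a complete, innocuous ACK segment to port 23 plus 4
    payload bytes (allowed: not a connection attempt); fragment 2 claims offset 8
    and re-sends header bytes 8..19 with SYN set. The server's overlap policy decides."""
    innocent, evil = tcp_header(40000, 23, ACK), tcp_header(40000, 23, SYN)
    frags = [ipv4_fragment(innocent + b"\0\0\0\0", 0, True), ipv4_fragment(evil[8:], 1, False)]
    return ([naive_filter(p) for p in frags],
            [hardened_filter(p) for p in frags],
            tcp_flags(reassemble(frags, policy)))
```

Run `tiny_fragment_attack()` and `overlap_attack("last")` to see both fragments pass the naive filter while the server reassembles a SYN to port 23; `overlap_attack("first")` shows the same packets failing against a host whose reassembly keeps the first copy. The hardened filter stops both attacks on the wire without needing to reassemble.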
31. Session Hijacking. Alice telnets to Bob to do some work. Eve is on a segment of the LAN where she can sniff, or at a point on the path between them.
32. Session Hijacking. Alice telnets to Bob: "Hi, I am Alice". Because Eve can monitor the session, she can generate packets with the same sequence numbers the endpoints expect. Eve uses a session hijacking tool to observe the session; at Eve's command, the tool jumps in and continues the session with Bob. The attacker can kick Alice off and make any changes on Bob, and the logs will show that Alice made the changes.
33. Session Hijacking: ACK Storms. If the attacker just jumps in on a session and starts spoofing packets, the sequence numbers between the two sides get out of sync. Each side then receives segments it cannot accept and answers with an ACK carrying its own view of the sequence numbers; that ACK is in turn unacceptable to the other side, which ACKs back, and so on, resulting in an ACK storm. The slide shows the exchange as SYN (A, SNa), ACK (SNb), SYN (B, SNb), ACK (SNa), SYN (A, SNa), ACK (SNb), ...; in an established connection no SYNs are actually sent, and the storm consists of empty ACK segments, each carrying the sender's sequence number and the acknowledgement it expects.
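The following is an added simulation (not part of the original slides) of what slides 32 and 33 describe: two minimal TCP endpoints with RFC 793's rule that an unacceptable segment is answered with an ACK of the receiver's current state. Eve injects one command with the sniffed numbers; Bob accepts it, the two real endpoints then trade ACKs indefinitely (the storm, capped here by a counter), and Alice's own keystrokes are rejected because her sequence number is now stale. Names and sequence numbers are constructed.

```python
class Endpoint:
    """Minimal state of one side of an ESTABLISHED TCP connection: the next sequence
    number it will send and the next one it expects to receive."""

    def __init__(self, name, snd_nxt, rcv_nxt):
        self.name, self.snd_nxt, self.rcv_nxt = name, snd_nxt, rcv_nxt
        self.received = b""

    def ack(self):
        """An empty ACK segment carrying this side's current view of both numbers."""
        return {"src": self.name, "seq": self.snd_nxt, "ack": self.rcv_nxt, "data": b""}

    def receive(self, seg):
        """RFC 793 behaviour, simplified: in-sequence data is accepted and ACKed; a
        segment that is out of sequence, or that acknowledges data we never sent,
        is not accepted but is answered with an ACK of our current state.
        Returns the segment to send back, or None if there is nothing to say."""
        in_sequence = seg["seq"] == self.rcv_nxt
        ack_plausible = seg["ack"] <= self.snd_nxt
        if in_sequence and ack_plausible:
            if not seg["data"]:
                return None                 # ordinary in-order ACK: no reply needed
            self.received += seg["data"]
            self.rcv_nxt += len(seg["data"])
            return self.ack()
        return self.ack()                   # desynchronised: ACK back, which feeds the storm


def hijack(max_exchanges):
    """Eve, having sniffed Alice's and Bob's numbers (constructed values), injects
    a command as Alice. Returns what Bob executed and the first max_exchanges
    segments of the resulting ACK storm as (sender, seq, ack) tuples."""
    alice, bob = Endpoint("Alice", 1000, 5000), Endpoint("Bob", 5000, 1000)
    forged = {"src": "Alice", "seq": alice.snd_nxt, "ack": alice.rcv_nxt, "data": b"id\n"}
    seg = bob.receive(forged)               # Bob accepts it: the numbers are exactly right
    storm = []
    while seg is not None and len(storm) < max_exchanges:
        storm.append((seg["src"], seg["seq"], seg["ack"]))
        seg = (alice if seg["src"] == "Bob" else bob).receive(seg)
    # Alice now types something herself: Bob has moved past her sequence number,
    # so her data is ignored (she is effectively kicked off) and only ACKed.
    typed = {"src": "Alice", "seq": alice.snd_nxt, "ack": alice.rcv_nxt, "data": b"ls\n"}
    bob.receive(typed)
    return bob.received, storm
```

In the returned storm the senders alternate Bob, Alice, Bob, ... with unchanging numbers: Bob acknowledges 1003 (the injected bytes), Alice has only ever sent up to 1000 and so treats that ACK as invalid and answers with her own state, which Bob in turn treats as an old segment. Nothing in the loop ever converges; on a real network it ends only when a segment is lost.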
37. ARP Spoofing. Alice: IP a.b.c.d, MAC AA.AA. Bob: IP w.x.y.z, MAC BB.BB. Eve: MAC CC.CC. Eve sends gratuitous ARP broadcast messages: "ARP: w.x.y.z is at DD.DD" (so Alice's cache entry for Bob now points at the wrong MAC) and "ARP: a.b.c.d is at EE.EE" (so Bob's entry for Alice does too). To relay and read the traffic between them rather than just black-hole it, Eve advertises her own MAC, CC.CC, for both addresses.
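An added example (not from the original slides) that encodes the gratuitous ARP replies of slide 37 as real Ethernet/ARP frames, feeds them to two simplified victim caches that overwrite entries on any reply, and runs an arpwatch-style monitor over the same frames to show what a detector should alert on. The IP and MAC addresses are constructed stand-ins for the slide's a.b.c.d/AA.AA, w.x.y.z/BB.BB and CC.CC placeholders.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def arp_reply(sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """Ethernet frame carrying an ARP reply (opcode 2) for IPv4 over Ethernet.
    A gratuitous reply is broadcast and has sender IP == target IP."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sender_mac": fmt_mac(smac), "sender_ip": fmt_ip(sip),
            "target_mac": fmt_mac(tmac), "target_ip": fmt_ip(tip)}


class VictimCache:
    """Simplified host behaviour: any ARP reply seen on the wire updates the cache."""

    def __init__(self):
        self.table = {}

    def observe(self, frame):
        a = parse_arp(frame)
        self.table[a["sender_ip"]] = a["sender_mac"]


class ArpWatch:
    """arpwatch-style monitor: remembers IP -> MAC and returns alerts when an IP
    moves to another MAC, when a reply is gratuitous, or when one MAC claims several IPs."""

    def __init__(self):
        self.ip_to_mac, self.mac_to_ips = {}, {}

    def observe(self, frame):
        a, alerts = parse_arp(frame), []
        ip, mac = a["sender_ip"], a["sender_mac"]
        if a["op"] == 2 and a["sender_ip"] == a["target_ip"]:
            alerts.append(f"gratuitous reply for {ip} from {mac}")
        old = self.ip_to_mac.get(ip)
        if old and old != mac:
            alerts.append(f"{ip} changed from {old} to {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips.setdefault(mac, set()).add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} claims {sorted(self.mac_to_ips[mac])}")
        return alerts


# Constructed stand-ins for the slide's Alice (a.b.c.d / AA.AA), Bob (w.x.y.z / BB.BB), Eve (CC.CC)
ALICE_IP, ALICE_MAC = "192.168.1.10", "aa:aa:aa:aa:aa:aa"
BOB_IP, BOB_MAC = "192.168.1.20", "bb:bb:bb:bb:bb:bb"
EVE_MAC = "cc:cc:cc:cc:cc:cc"


def run_scenario():
    """Two legitimate replies first, then Eve's two gratuitous replies claiming both
    IPs are at her MAC. Returns (Alice's entry for Bob, Bob's entry for Alice, alerts)."""
    legit = [arp_reply(ALICE_MAC, ALICE_IP, BOB_MAC, BOB_IP, dst_mac=BOB_MAC),
             arp_reply(BOB_MAC, BOB_IP, ALICE_MAC, ALICE_IP, dst_mac=ALICE_MAC)]
    poison = [arp_reply(EVE_MAC, BOB_IP, EVE_MAC, BOB_IP),      # "w.x.y.z is at Eve"
              arp_reply(EVE_MAC, ALICE_IP, EVE_MAC, ALICE_IP)]  # "a.b.c.d is at Eve"
    alice_cache, bob_cache, watch = VictimCache(), VictimCache(), ArpWatch()
    alerts = []
    for frame in legit + poison:
        alice_cache.observe(frame)
        bob_cache.observe(frame)
        alerts += watch.observe(frame)
    return alice_cache.table[BOB_IP], bob_cache.table[ALICE_IP], alerts
```

After `run_scenario()` both victims resolve the other party to Eve's MAC, so every frame between them now goes through Eve, while the monitor has produced five alerts: two gratuitous replies, two IP-to-MAC changes, and one MAC claiming two IPs. Static ARP entries or dynamic ARP inspection on the switch close the hole; the monitor only makes it visible.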
45. DNS. Clients use a "resolver" to access DNS servers, and DNS servers query each other. Resolving www.ebay.com: Client → Local Nameserver → Root Name Server (referral to .com) → .com Name Server (referral to ebay.com) → ebay.com Name Server, which returns the answer: 216.32.120.133. The most common DNS server is BIND, the Berkeley Internet Name Domain.
48. DNS Cache Poisoning: the players. Alice, a happy bank customer, wants to access www.bank.com, her online bank. Dsn.good.com is Alice's unsuspecting DNS server. Dns.bank.com is the bank's name server. Evil is the attacker, and Dns.evil.com is Evil's DNS server, owned by Evil.
49. DNS Cache Poisoning. Step 1: Evil asks Dsn.good.com (Alice's DNS server) to resolve Any.evil.com. Step 2: Dsn.good.com, which has no cached answer, queries Dns.evil.com for Any.evil.com. Step 3: Dns.evil.com, which Evil controls, stores the query ID that Dsn.good.com used; with sequential query IDs this lets Evil predict the ID of the resolver's next query and forge a matching answer for www.bank.com before Dns.bank.com can reply.
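The following added example (not from the original slides) simulates the cache poisoning of slides 48 and 49 against a toy resolver. The "naive" resolver behaves like early BIND: sequential 16-bit query IDs, a fixed source port, and it caches any record in a reply; the "hardened" one randomises ID and source port and applies a bailiwick check, only caching records that belong to the zone it asked. Two attacks are run, the out-of-bailiwick record smuggled into Evil's own answer and the ID-prediction race. The server names are the slide's; the IP addresses and seed are constructed.

```python
import random


class Resolver:
    """Toy caching resolver. hardened=False: sequential IDs, source port 53, caches
    everything it is sent. hardened=True: random ID and port, bailiwick check."""

    def __init__(self, hardened=False, seed=1):
        self.hardened = hardened
        self.rng = random.Random(seed)       # seeded so runs are repeatable
        self.next_id = 0x1000
        self.pending = {}                    # (src_port, qid) -> (qname, zone asked)
        self.cache = {}                      # name -> IP

    def send_query(self, qname, zone):
        """Returns the (src_port, qid) used; the owner of the queried server sees both."""
        if self.hardened:
            port, qid = self.rng.randint(1024, 65535), self.rng.getrandbits(16)
        else:
            port, qid = 53, self.next_id
            self.next_id = (self.next_id + 1) & 0xFFFF
        self.pending[(port, qid)] = (qname, zone)
        return port, qid

    def receive_answer(self, port, qid, qname, records):
        """records: list of (name, ip). Accepted only if (port, id, name) match an
        outstanding query. Returns True if the reply was accepted."""
        key = (port, qid)
        if key not in self.pending or self.pending[key][0] != qname:
            return False
        _, zone = self.pending.pop(key)
        for name, ip in records:
            in_bailiwick = name == zone or name.endswith("." + zone)
            if self.hardened and not in_bailiwick:
                continue                     # evil.com's server may not speak for bank.com
            self.cache[name] = ip
        return True


EVIL_IP, REAL_IP = "203.0.113.66", "198.51.100.7"   # constructed addresses


def smuggle_additional_record(r):
    """Steps 1-3 of the slide: Evil asks the victim resolver for any.evil.com, so it
    queries dns.evil.com, which Evil controls. Evil answers honestly for any.evil.com
    but adds an unasked-for record for www.bank.com. Returns what the cache then holds."""
    port, qid = r.send_query("any.evil.com", "evil.com")   # Evil sees port and id here
    r.receive_answer(port, qid, "any.evil.com",
                     [("any.evil.com", EVIL_IP), ("www.bank.com", EVIL_IP)])
    return r.cache.get("www.bank.com")


def race_with_predicted_id(r):
    """Evil stores the (port, id) his own server received (step 3), then asks for
    www.bank.com and floods forged replies with the predicted next ids before the
    genuine reply from dns.bank.com arrives. Returns what the cache then holds."""
    port, qid = r.send_query("any.evil.com", "evil.com")
    r.receive_answer(port, qid, "any.evil.com", [("any.evil.com", EVIL_IP)])
    real_port, real_qid = r.send_query("www.bank.com", "bank.com")
    for guess in range(qid + 1, qid + 9):     # a few guesses around the last id seen
        if r.receive_answer(port, guess & 0xFFFF, "www.bank.com", [("www.bank.com", EVIL_IP)]):
            break
    # The genuine answer arrives later; it is useless if a forgery was already accepted.
    r.receive_answer(real_port, real_qid, "www.bank.com", [("www.bank.com", REAL_IP)])
    return r.cache.get("www.bank.com")
```

Against `Resolver()` both functions return `EVIL_IP`: the smuggled record is cached without any race at all, and the race succeeds on the first guess because the ID is simply the last one plus one. Against `Resolver(hardened=True)` the smuggled record is dropped by the bailiwick check and the forged replies miss both the random ID and the random source port, so the genuine answer is the one cached. Source-port randomisation and bailiwick checking are exactly the fixes later BIND versions shipped; DNSSEC removes the remaining guessing game entirely by making forged answers fail validation.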