Network Security Overview
The Internet: Layers, TCP, UDP, IP, IPSEC, DDoS Reflection Attacks, ARP
TLS Packet
- The TLS packet contains 3 main layers:
- IP Header: Contains information for the IP layer. This section is not encrypted.
- TCP layer: Contains information for the TCP layer. This section is also not encrypted.
- TLS layer: Contains encrypted information, the MAC address, and padding.
Metadata is still leaked in TLS
- Data that is not encrypted and is leaked:
- Source and destination addresses
- Ports
- Protocol being used
- Size of the packet
- The number of packets
- How often packets are being sent
- We can tell what a conversation’s pattern looks like. For example, we can see who is talking more in a conversation.
- Certain protocols always send packets at specific lengths.
- Leaked metadata has zero protection under the law. All metadata is exposed and the government can look at it.
- The actual conversation isn’t leaked because it is encrypted, but information such as using Gmail is exposed.
- TLS: end-to-end encryption from sender to receiver
- TCP: controls the pipe connecting the sender to the receiver
TCP (Transmission Control Protocol)
- In TCP, data is transferred through packets which arrive in order, and for each packet received, an acknowledgement is given.
- A handshake is performed in order to start the connection.
- For example: In order to transfer a movie, the movie is broken up into chunks. Each of the chunks becomes a packet such that each packet doesn’t exceed the Maximum Transmission Unit.
- Used when you want all of the information and it is okay to have delays.
UDP (User Datagram Protocol)
- UDP is an unreliable transport on top of IP.
- There is no handshake because UDP is not connection-oriented.
- Useful for things like watching videos or talking on the phone, where low latency is more important than reliability. Lost packets are not sent again.
- The UDP header contains a checksum, which protects against random errors such as bit flipping.
- However, the checksum is not secure because it is a public algorithm that is only 16 bits. As a result, it is easy to forge.
- Used when you want no delays and it is okay to lose a few packets.
DoS Reflection and Amplification Attack (Denial of Service)
- An off-path attack that exploits the fact that DNS is sent over UDP, which is a simple protocol.
- The attacker sends a small query to a server, which sends a huge response to the victim.
- Lots of large packets keep hitting the victim. Because the victim is hit with so much volume, he gets overwhelmed and crashes.
- The attacker can direct the response to the victim through source IP spoofing: lying about the source IP of the query.
- For example: monlist is a small query, but gives you a big response of the last 600 people you’ve talked to.
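A defender-side check for the traffic pattern described above, added here as an example (it is not from the original notes): it scans constructed UDP flow records and flags inbound traffic from reflector ports that either has no matching request from the monitored host or is far larger than the request that triggered it. The addresses, sizes, port list and threshold are all constructed.

```python
from collections import defaultdict

# Constructed UDP flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
# 203.0.113.5 plays the monitored host; 198.51.100.x play reflector servers.
# All addresses are from documentation ranges, not real systems.
FLOWS = [
    ("203.0.113.5", 51000, "198.51.100.7", 123, 48),    # NTP request we really sent
    ("198.51.100.7", 123, "203.0.113.5", 51000, 48),    # its normal-sized reply
    ("198.51.100.8", 123, "203.0.113.5", 80, 468),      # reply to a query we never sent
    ("198.51.100.8", 123, "203.0.113.5", 80, 468),
    ("198.51.100.9", 53, "203.0.113.5", 80, 3000),      # large DNS answer, unsolicited
    ("198.51.100.9", 53, "203.0.113.5", 80, 3000),
    ("198.51.100.9", 53, "203.0.113.5", 80, 3000),
]

REFLECTOR_PORTS = {53, 123}       # UDP services that can answer with big responses
AMPLIFY_RATIO = 10                # response/request byte ratio worth flagging

def find_reflected(flows, our_ip):
    """Return {(reflector_ip, port): {"packets", "bytes", "reasons"}} for inbound
    UDP traffic that looks like reflection/amplification aimed at our_ip."""
    # Requests the monitored host actually sent: (server, server_port, our_port) -> size
    sent = {(dst, dport, sport): size
            for src, sport, dst, dport, size in flows
            if src == our_ip and dport in REFLECTOR_PORTS}
    suspects = defaultdict(lambda: {"packets": 0, "bytes": 0, "reasons": set()})
    for src, sport, dst, dport, size in flows:
        if dst != our_ip or sport not in REFLECTOR_PORTS:
            continue
        request_size = sent.get((src, sport, dport))
        reasons = set()
        if request_size is None:
            reasons.add("no matching request")      # spoofed source: we never asked
        elif size > AMPLIFY_RATIO * request_size:
            reasons.add("amplified response")       # unusually large for what we sent
        if reasons:
            entry = suspects[(src, sport)]
            entry["packets"] += 1
            entry["bytes"] += size
            entry["reasons"] |= reasons
    return dict(suspects)

if __name__ == "__main__":
    for reflector, info in find_reflected(FLOWS, "203.0.113.5").items():
        print(reflector, info)
```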
Why can’t we do this attack over TCP?
- You can’t spoof a victim’s IP over TCP
- You need to start the TCP session through SYN, SYN-ACK, and ACK before sending the monlist query.
- The message is going to be ignored because the ACK is not received.
TCP Handshake
- The TCP packet contains two 32-bit random numbers:
- sequence number
- acknowledgement number
- We are unable to perform the attack because we don’t know the random number that is being placed into the sequence number at the start of the handshake.
- If you set up the connection with your IP, and then switch to the victim’s IP, the connection will just be stopped
- Therefore, random sequence numbers in TCP prevent off-path attacks
- Cryptography is what prevents man-in-the-middle attacks.
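To make the random-sequence-number argument concrete, here is an added example (not from the original notes) that models the receiver’s acceptance check and measures how often a blind off-path guess lands inside the receive window. The 65535-byte window and the trial count are constructed; the check itself is a simplification of the RFC 793 rule.

```python
import secrets

MOD = 1 << 32                  # sequence numbers are 32 bits and wrap around
DEFAULT_WINDOW = 65535         # bytes the receiver will accept right now (constructed)

def in_window(rcv_nxt, seq, window=DEFAULT_WINDOW):
    """Receiver's acceptability test, simplified from RFC 793: a segment is only
    processed if seq lies in [rcv_nxt, rcv_nxt + window) modulo 2^32."""
    return (seq - rcv_nxt) % MOD < window

def blind_hit_probability(window=DEFAULT_WINDOW):
    """Chance that one uniformly random 32-bit guess lands in the window."""
    return window / MOD

def simulate_off_path(trials, window=DEFAULT_WINDOW, rng=secrets.randbelow):
    """Model the off-path attacker from the notes: each trial is a fresh connection
    whose random ISN the attacker never sees, and the attacker sends one segment
    with a guessed sequence number. Returns the fraction of guesses accepted."""
    hits = 0
    for _ in range(trials):
        rcv_nxt = rng(MOD)           # server's expected next seq (unknown off-path)
        guess = rng(MOD)             # attacker's blind guess
        hits += in_window(rcv_nxt, guess, window)
    return hits / trials

if __name__ == "__main__":
    # An on-path observer knows rcv_nxt and is accepted; a blind guess almost never is.
    print("known seq accepted:", in_window(123456, 123456))
    print(f"theory: {blind_hit_probability():.2e}  measured: {simulate_off_path(20000):.2e}")
```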
On-Path Attack for TCP
- An attacker reads traffic slowly, and if he sees something interesting, he takes action
- He can send a reset packet with the reset flag set, which closes a connection if the sequence/acknowledgement numbers are sensible
- The on-path model is very common for censorship
- For example: Great Firewall of China
- IP address blocking: dropping packets that go to a specific IP blocks the entire website
- Man-in-the-middle is more difficult for censorship because you have to be fast enough to stop packets
Link Layer
Computers have:
- IP address: assigned to you temporarily depending on what network you’re on
- MAC address: permanent address
ARP (Address Resolution Protocol)
A form of networking roll call:
- ARP Request: “Who has this IP address?” is broadcasted to everyone
- ARP Reply: A computer responds with: “I have that IP address. Here is my MAC address.”
- For example: Asking for a printer’s IP address.
ARP Poisoning/Spoofing
- When the ARP request is broadcasted to everyone, anyone can answer.
- Spoofing is when you claim you have the IP address when you don’t
- This can be used to become a man-in-the-middle
- An attacker can pretend to be the access point 192.168.0.1, which is the router that lets us talk to the internet
- If you’re spoofing a response from the router and both you and the router send a response, there is a race condition:
- If you are faster than the router, you win
- Otherwise, the router’s response will be accepted and not yours
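Detection logic for the race described above, added here as an example (not from the original notes): it replays a constructed trace of ARP replies and raises an alert whenever an IP’s MAC changes from the one first learned, or when two different MACs answer for the same IP within one second. The MAC addresses, timestamps, severity labels and the one-second window are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    ip: str        # "I have that IP address ..."
    mac: str       # "... here is my MAC address."
    t: float       # time observed, in seconds (constructed)

# Constructed trace. 192.168.0.1 is the gateway from the notes; aa:bb:... plays its
# real MAC and de:ad:... an impostor. None of these MACs belong to real devices.
TRACE = [
    ArpReply("192.168.0.1",  "aa:bb:cc:00:00:01", 0.0),
    ArpReply("192.168.0.42", "aa:bb:cc:00:00:2a", 0.5),
    ArpReply("192.168.0.1",  "aa:bb:cc:00:00:01", 30.0),    # same mapping, fine
    ArpReply("192.168.0.1",  "de:ad:be:ef:00:01", 30.01),   # conflicting answer
    ArpReply("192.168.0.1",  "aa:bb:cc:00:00:01", 30.02),   # the real router's reply
]

def watch(trace, protected_ips=frozenset(), race_window=1.0):
    """Return alerts as (severity, kind, ip, mac_before, mac_now, t).
    A MAC change for an IP in protected_ips (e.g. the gateway) is high severity;
    two different MACs replying within race_window seconds is always high."""
    known = {}      # ip -> MAC first learned (what the cache would have trusted)
    last = {}       # ip -> most recent ArpReply seen
    alerts = []
    for r in trace:
        if r.ip not in known:
            known[r.ip] = r.mac
        elif known[r.ip] != r.mac:
            sev = "high" if r.ip in protected_ips else "medium"
            alerts.append((sev, "ip-to-mac changed", r.ip, known[r.ip], r.mac, r.t))
        prev = last.get(r.ip)
        if prev is not None and prev.mac != r.mac and r.t - prev.t <= race_window:
            alerts.append(("high", "conflicting replies", r.ip, prev.mac, r.mac, r.t))
        last[r.ip] = r
    return alerts

if __name__ == "__main__":
    for alert in watch(TRACE, protected_ips={"192.168.0.1"}):
        print(alert)
```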