IP Routing – SANS GIAC LevelTwo ©2000, 2001
Routing protocols provide the basis by which information is transferred between hosts on the Internet. We’ll look at the protocols that provide dynamic routing. They are divided into major categories based on the operating environment they were designed for. Besides explaining these environments, we will examine the potential strengths and weaknesses of each protocol. We will also give a basic overview of how the different protocols are susceptible to attack and how some of these threats can be mitigated through simple router configuration changes.
Objectives
• Static Routing
– Sending packets from the local host
• Address Resolution Protocol (ARP)
– Getting packets from hop to hop
– Examples of malicious activity
• IP Options
– Loose source routing
– Strict source routing
• Dynamic Routing Protocols
– Interior Gateway Protocols
– Exterior Gateway Protocols
The “Objectives” slide outlines the topics we will cover. First, we look at static routing, which hosts use to send traffic. Then we examine the protocol involved in transmitting packets on the local network, ARP. This is followed by a discussion of IP options and how they can be used to alter the course of packets as they travel toward their destination.
Then the various protocols that govern how packets traverse IP networks will be investigated.
In short, we examine all of the protocols that affect the transmission of a packet from one host to another. That transmission can be as simple as sending a packet to another host on the same local subnet, or as complex as sending a packet across the world.
Static Routing
In this section, we examine the routing decisions hosts need to make about the traffic they send, and some of the weaknesses and exploits associated with static routing.
Local Routing Table
Look at the “Local Routing Table” slide to see a Unix host’s relatively static list of routes. Routing decisions are made based on the destination of the traffic to be sent. This table was generated with the netstat command using the -rn options, which list the routing table without trying to resolve IP addresses to host names. The routing table shown is for host 1.2.3.4 on the 1.2.3.0 network.
The first line in the table says that any traffic bound for the 1.2.3.0 network should be sent directly from the local host 1.2.3.4 through interface le0, one of its network interface designations. The flag U says the route is up, the reference count indicates how many current connections are established through that route, and the use column counts how many packets have been sent through it.
The second line is for the loopback address, 127.0.0.1. Some processes, such as X applications (Netscape, for example), require the host to talk to itself, and this is the interface through which that occurs.
The final line indicates the default destination that traffic should be sent if it doesn’t match any of the other
Static Routing Decisions
• IP layer searches the routing table in the following
manner:
– Search for a matching host address
– Search for a matching network address
– Search for a default entry
Turning to the slide “Static Routing Decisions”, we see how the IP layer uses the routing table to decide which interface to send traffic through. If the destination host exactly matches a routing table destination entry (a host route), the traffic is sent through the corresponding interface. If there is no such entry, the destination address is compared against the network entries in the table: the network address is obtained by ANDing the destination IP address with the subnet mask of the network, and the first match is used. Finally, if nothing else matches, the traffic is sent to the entry marked “default”. This is usually a router on the local network that will forward the traffic toward its destination.
Many hosts do not act as routers, meaning that they do not forward traffic received on one interface out another. Yet they still need to route traffic generated on the local host to the correct interface. This is an important distinction.
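The lookup the two slides above describe, as an added example (this is not code from the course): it parses a constructed netstat -rn table for host 1.2.3.4 and selects a route in the slide’s order, host entry, then network entry, then default. The subnet mask is assumed to be 255.255.255.0, since netstat output of the period does not print it.

```python
import ipaddress

# Constructed netstat -rn output for host 1.2.3.4, laid out the way the
# "Local Routing Table" slide describes (this is not a capture from the course).
NETSTAT_RN = """\
Destination     Gateway         Flags  Ref   Use   Interface
1.2.3.0         1.2.3.4         U        3   1042  le0
127.0.0.1       127.0.0.1       UH       0     87  lo0
default         1.2.3.1         UG       0   5519  le0
"""

def parse_netstat(text):
    """Turn the netstat -rn table into (destination, gateway, flags, interface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:            # skip the column header
        dest, gateway, flags, _ref, _use, iface = line.split()
        routes.append((dest, gateway, flags, iface))
    return routes

def lookup(routes, dst, netmask="255.255.255.0"):
    """Select a route for dst in the order the slide gives: host entry,
    then network entry (first match), then the default entry.
    netmask is an assumption: old netstat output does not print it, and the
    1.2.3.0 network on the slide is treated here as a /24."""
    addr = ipaddress.IPv4Address(dst)
    # 1. a host route: the entry carries the H flag and equals the address exactly
    for dest, gateway, flags, iface in routes:
        if "H" in flags and dest == dst:
            return gateway, iface
    # 2. a network route: AND the address with the mask and compare
    for dest, gateway, flags, iface in routes:
        if dest == "default" or "H" in flags:
            continue
        network = ipaddress.IPv4Network(f"{dest}/{netmask}", strict=False)
        if addr in network:
            return gateway, iface
    # 3. the default entry, normally a router on the local network
    for dest, gateway, flags, iface in routes:
        if dest == "default":
            return gateway, iface
    raise LookupError(f"no route to {dst}")

if __name__ == "__main__":
    table = parse_netstat(NETSTAT_RN)
    for target in ("1.2.3.77", "127.0.0.1", "10.9.8.7"):
        print(target, "->", lookup(table, target))
```

Modern stacks implement this as a single longest-prefix match, in which the host route is just the /32 case and the default route is /0; the three-step search on the slide is that rule for a table with one fixed mask.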
How Are Routes Added?
• Static routes are typically added during the boot
process
• Administrative changes can be made with the “route”
command
• ICMP router discovery messages
The next topic, “How Are Routes Added?”, is on the following slide. Since these routes are fairly static, they are normally assigned during the boot process and remain mostly unchanged. Some Unix systems have a file, /etc/defaultrouter, that initializes the default route; others configure the routes in the boot scripts using the route command. The route command can also be used by the administrator to make changes, for instance for new interfaces.
Another way for a host to receive initial routes after boot is to send a router solicitation message using ICMP router discovery. Routers respond to these solicitations with router advertisements listing router IP addresses, each with a lifetime, the number of seconds for which the advertised address is to be considered valid.
How Are Routes Changed?
• ICMP redirect messages
• ICMP router discovery messages
The slide “How Are Routes Changed?” lists the ways a relatively static routing table can be informed of better routes or of changing conditions on the network. A host might have entries in its routing table that are not the most efficient. When this happens, a router that detects it is not the best router for the destination sends the host an ICMP redirect message. The host adjusts its routing table so that the better router is used the next time it sends traffic to the destination address that elicited the message.
Hosts that use the ICMP Router Discovery Protocol (IRDP) can receive periodic advertisements of available routers and change their routing tables to reflect the new information.
Redirect
Figure: the misguided sending host sends a datagram for the target host to the non-optimum router; the non-optimum router delivers the datagram to the target host and tells the sending host to use the optimum router next time:
non-optimum.router > sending.host: icmp: redirect target.host to net optimum.router
The “ICMP Redirect” message shown on this slide allows a router to tell a sending host that it is not the best router to use for the traffic in question. The router that received the datagram still forwards it toward the destination, but informs the sending host to change its routing table so that a better router is chosen the next time traffic is sent to the same
1) The new (optimum) router must be on a directly connected network.
2) The redirect must come from the router the host actually sent the traffic to (the non-optimum router).
3) The redirect must not tell the host to use itself as the router.
IRDP DoS Exploit
Figure: spoofing.host sends duped.host an IRDP message that replaces its normal default route with a default route to a black hole, router 4.4.4.4:
spoofing.host > duped.host: icmp: router advertisement
Now for a different type of malicious ICMP message, look at the slide “IRDP DoS Exploit”. Here a local or remote host spoofs an ICMP Router Discovery Protocol router advertisement.
duped.host listens for IRDP advertisements, receives the one from spoofing.host, and changes its routing table so that its default router is 4.4.4.4. Router 4.4.4.4 does not exist or is not reachable from duped.host on the local network, so all traffic that duped.host sends off the subnet ends up in a black hole, a denial of service for its outbound traffic.
IRDP Windows Exploit
Figure: windows.host 192.168.59.181 normally uses default.router 192.168.59.1; after a spoofed ICMP router advertisement its default route points elsewhere (actual default route versus redirected default route).
Let’s examine the IRDP attack on the slide “IRDP Windows Exploit”. As the name implies, this attack is mostly limited to Windows hosts (95, 98 and 2000), although some Solaris hosts are susceptible too. If a Windows host runs as a Dynamic Host Configuration Protocol (DHCP) client, it obtains its default route from the DHCP server. Using IRDP Router Advertisements, however, the host can be convinced to use a different (incorrect) default route.
As you have seen in the previous IRDP exploit, ICMP Router Advertisement packets carry nothing that authenticates the sender as a legitimate, trusted router. Therefore, if we can dupe the Windows host into believing an incorrect default route, we can reroute data leaving the targeted host.
This is done by sending a Router Advertisement that contains two or more router addresses to the target Windows host. Normally, if just one router address is included in the Router Advertisement, the receiving host checks that the source IP is on the same subnet. However, this check is erroneously not applied to subsequent addresses in the Router Advertisement.
Therefore, a host outside the network can spoof Router Advertisements carrying multiple addresses and send them to the target host (assuming the site does not block this type of ICMP message inbound).
Another field in the Router Advertisement carries the preference, which the host turns into a route metric. The formula Windows hosts use is to subtract 1000 from the received value: if the value in the Router Advertisement is 1000, the receiving host assigns a metric of 0 to the route. What this
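The checks a host should apply before acting on either message, as an added example (not code from the course) covering the Redirect slide’s three rules and the IRDP advertisements on the two exploit slides: it parses ICMP type 5 (redirect) and type 9 (router advertisement, RFC 1256) and flags advertised or redirected routers that are off the local subnet, including the second address of a multi-address advertisement that the Windows check missed. The sample messages are constructed here; 192.168.59.77 as the advertisement’s source, 1.2.3.1 as the current gateway and 10.9.8.7 as the original destination are assumed values that do not appear on the slides.

```python
import struct
import ipaddress

ICMP_REDIRECT, ICMP_ROUTER_ADV = 5, 9

def parse_icmp(msg):
    """Split an ICMP message into (type, code, checksum, body)."""
    typ, code, csum = struct.unpack("!BBH", msg[:4])
    return typ, code, csum, msg[4:]

def parse_router_advertisement(body):
    """RFC 1256 router advertisement body: (lifetime, [(router, preference), ...])."""
    count, entry_size, lifetime = struct.unpack("!BBH", body[:4])
    if entry_size != 2:                       # every entry is two 32-bit words
        raise ValueError("unsupported address entry size")
    routers = []
    for n in range(count):
        addr, pref = struct.unpack("!4si", body[4 + 8 * n:12 + 8 * n])
        routers.append((str(ipaddress.IPv4Address(addr)), pref))
    return lifetime, routers

def check_advertisement(sender, body, local_net):
    """Return the addresses in an advertisement that are not on local_net.
    The Windows weakness on the slide is that only the sender (or the first
    address) was checked; here every advertised router is checked."""
    net = ipaddress.IPv4Network(local_net)
    bad = []
    if ipaddress.IPv4Address(sender) not in net:
        bad.append(("sender", sender))
    for router, _pref in parse_router_advertisement(body)[1]:
        if ipaddress.IPv4Address(router) not in net:
            bad.append(("router", router))
    return bad

def check_redirect(sender, body, local_ip, local_net, current_gateway):
    """Apply the three redirect checks from the slide. sender is the IP source
    of the redirect, current_gateway the router the host used for the
    destination named in the embedded original header."""
    new_gateway = str(ipaddress.IPv4Address(body[:4]))
    # the original IP header follows the gateway field; its destination is at offset 16
    original_dst = str(ipaddress.IPv4Address(body[20:24]))
    problems = []
    if ipaddress.IPv4Address(new_gateway) not in ipaddress.IPv4Network(local_net):
        problems.append("new router is not on the directly connected network")
    if sender != current_gateway:
        problems.append("redirect did not come from the router that was used")
    if new_gateway == local_ip:
        problems.append("redirect tells the host to use itself as the router")
    return original_dst, new_gateway, problems

# Builders for the constructed test traffic (checksums left zero; the checks
# above never look at them).
def build_router_adv(routers, lifetime=1800):
    body = struct.pack("!BBH", len(routers), 2, lifetime)
    for router, pref in routers:
        body += ipaddress.IPv4Address(router).packed + struct.pack("!i", pref)
    return struct.pack("!BBH", ICMP_ROUTER_ADV, 0, 0) + body

def build_redirect(new_gateway, original_src, original_dst):
    original_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                                  ipaddress.IPv4Address(original_src).packed,
                                  ipaddress.IPv4Address(original_dst).packed)
    return (struct.pack("!BBH", ICMP_REDIRECT, 1, 0)
            + ipaddress.IPv4Address(new_gateway).packed
            + original_header + b"\x00" * 8)     # first 8 bytes of the original payload

if __name__ == "__main__":
    # IRDP Windows exploit: a sender on 192.168.59.0/24 (assumed address) advertises the
    # real router plus the black-hole 4.4.4.4 from the DoS slide in the same message
    adv = build_router_adv([("192.168.59.1", 0), ("4.4.4.4", 1000)])
    print(check_advertisement("192.168.59.77", parse_icmp(adv)[3], "192.168.59.0/24"))
    # redirect to 4.4.4.4 for traffic from 1.2.3.4 to 10.9.8.7, sent by current gateway 1.2.3.1
    red = build_redirect("4.4.4.4", "1.2.3.4", "10.9.8.7")
    print(check_redirect("1.2.3.1", parse_icmp(red)[3], "1.2.3.4", "1.2.3.0/24", "1.2.3.1"))
```

On Linux, net.ipv4.conf.all.accept_redirects=0 disables redirects at the host altogether; the checks above are what a host that still honours them should apply before touching its routing table.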
Static Routing Review
• Hosts maintain tables of destination routes
• These tables are normally static
• Initialized by boot scripts or IRDP
• ICMP messages can change entries
The slide “Static Routing Review” summarizes this section. Each host has a routing table, the mechanism the IP layer uses to direct traffic from the host out the correct interface and closer to its destination. This is called static routing because the tables are relatively stable and are populated by boot scripts or by the ICMP router discovery protocol.
Changes can be made to the routing tables by two different ICMP messages. The ICMP redirect message informs the sending host that the router it used for a given destination is not the best one and names a better router. IRDP messages inform the host of changing router availability on the network and let it update its routing table accordingly. As you have seen, ICMP has no way of authenticating whether a received message is genuine, and this is exploited in man-in-the-middle and denial-of-service attacks. It is wise to block these ICMP message types at the perimeter so they cannot enter your network from the outside, and to disable acceptance of redirects and router advertisements on hosts that do not need them.
Address Resolution Protocol (ARP)
Our next section begins with the “Address Resolution Protocol” slide. The movement of IP packets across a physical network rests on the Address Resolution Protocol (ARP). This protocol, specified in RFC 826, provides the mechanism by which a host maps an IP address to a hardware address, and caches that mapping for efficiency.
Why do we need ARP?
Figure: sending packets to hosts on the local subnet; sending packets to the local gateway (router); sending packets between adjacent gateways.
ARP provides a mechanism to determine the hardware addresses of hosts on the local network.
Turning to the slide “Why do we need ARP?”, we examine exactly what ARP provides. Whenever computers communicate, they transmit packets that must travel from one host to another, usually via intermediate routers. While the IP address is used to route a packet to its final destination, the packet travels from hop to hop using Media Access Control (MAC) addresses. To draw the distinction: the IP address is a “logical” address, while the MAC address is a “hardware” address. ARP is concerned with mapping the logical address to the hardware address.
To maximize efficiency, hosts maintain an ARP table listing the local hosts they have communicated with recently. Entries eventually time out if there is no communication with the host within a specified period.
ARP Request
Initial ARP Cache for host A
IP Address       MAC Address
172.21.164.50    00:E0:29:3D:B0:4D
arp who-has 172.21.164.75 tell 172.21.164.140
The next slide is entitled “ARP Request”. Host A (172.21.164.140) wants to communicate with host B. Host A’s ARP cache does not contain an entry for B’s IP address, 172.21.164.75, so A broadcasts an ARP request asking for it. The request goes to all hosts on the local network, since A does not know which host has the IP address in question.
ARP Reply
Updated ARP Cache for host A
IP Address       MAC Address
172.21.164.50    00:E0:29:3D:B0:4D
172.21.164.75    00:E0:29:44:48:82
arp reply 172.21.164.75 is-at 0:E0:29:44:48:82
Turning to the slide “ARP Reply”, we see how A’s ARP request is answered. After seeing the ARP request for 172.21.164.75, host B sends an ARP reply to host A indicating that it is at 00:E0:29:44:48:82.
When A receives this information it updates its ARP cache by adding an entry for 172.21.164.75. Now host A can send packets to host B, and as long as the entry remains in the cache, host A needs no further ARP requests to send datagrams to host B because it now has B’s hardware address. Host B also caches host A’s IP address and MAC address from the request.
Malicious ARP packets
Figure: host C (MAC address 00:90:27:73:D1:31) sends host A an unsolicited ARP reply claiming host B’s IP address.
The next slide is “Malicious ARP Packets”. By altering a host’s ARP table, an attacker can alter the course that packets take. Although packets transmitted after the alteration carry the correct IP address, they fail to reach the correct destination because their MAC address is wrong.
In the example shown on the previous slide, host A’s ARP table contains an entry for host B. Host C now sends an unsolicited ARP reply to A stating that host B is at host C’s MAC address (using B’s IP address as the sender address in the reply). Host A updates its ARP table, believing that the information came from B. Now any packets that A tries to send to B go to host C instead. Host C has launched a successful ARP spoofing attack against A and can now exploit any trust relationship between hosts A and B.
One saving note is that ARP messages are only valid on the local network; they will not cross a router. Therefore, to perform an ARP spoofing attack the attacker must reside on the local network.
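The exchange on the ARP Request, ARP Reply and Malicious ARP Packets slides replayed against a host’s cache, as an added example (not code from the course): it builds and parses RFC 826 ARP packets, and the cache flags what the hosts on the slide silently accept, a reply that was never requested and an existing entry whose MAC address changes. The addresses are the slides’ except host A’s MAC address, which is assumed, and host C’s MAC address, which is taken from the Malicious ARP Packets slide.

```python
import struct
import ipaddress

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"           # RFC 826 Ethernet/IPv4 ARP: 28 bytes

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an ARP packet; a request's target MAC is conventionally all zeros."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)

def parse_arp(pkt):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip); reject other ARP types."""
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return (op, mac_str(smac), str(ipaddress.IPv4Address(sip)),
            mac_str(tmac), str(ipaddress.IPv4Address(tip)))

class ArpCache:
    """A host's ARP cache that, unlike the hosts on the slide, at least notices
    replies it never asked for and entries whose MAC address changes."""
    def __init__(self, my_ip, initial=None):
        self.my_ip = my_ip
        self.table = dict(initial or {})       # IP -> MAC
        self.pending = set()                   # IPs we have broadcast a who-has for
        self.alerts = []

    def request(self, ip):
        """Record that we broadcast 'arp who-has <ip> tell <my_ip>'."""
        self.pending.add(ip)

    def receive(self, pkt):
        op, smac, sip, tmac, tip = parse_arp(pkt)
        if tip != self.my_ip:
            return                             # not addressed to us
        if op == ARP_REPLY:
            if sip not in self.pending:
                self.alerts.append(f"unsolicited reply: {sip} is-at {smac}")
            old = self.table.get(sip)
            if old is not None and old != smac:
                self.alerts.append(f"MAC change for {sip}: {old} -> {smac}")
            self.pending.discard(sip)
        # RFC 826 merges the sender's mapping from requests and replies alike;
        # a plain host does this even for the suspicious replies flagged above
        self.table[sip] = smac

A_IP, B_IP = "172.21.164.140", "172.21.164.75"   # hosts A and B from the slides
A_MAC = "00:E0:29:11:22:33"                      # assumed; the slides never show A's MAC
B_MAC = "00:E0:29:44:48:82"
C_MAC = "00:90:27:73:D1:31"                      # the address on the Malicious ARP slide

def replay_slides():
    """Run the ARP Request/Reply exchange, then host C's spoofed reply, against A's cache."""
    a = ArpCache(A_IP, {"172.21.164.50": "00:E0:29:3D:B0:4D"})
    a.request(B_IP)                                          # arp who-has B tell A
    a.receive(build_arp(ARP_REPLY, B_MAC, B_IP, A_MAC, A_IP))   # arp reply B is-at B_MAC
    a.receive(build_arp(ARP_REPLY, C_MAC, B_IP, A_MAC, A_IP))   # host C claims B's address
    return a.table, a.alerts

if __name__ == "__main__":
    table, alerts = replay_slides()
    print(table)
    for line in alerts:
        print("ALERT:", line)
```

arpwatch applies the MAC-change check to every ARP packet seen on the segment rather than only those addressed to one host; either way an alert is a signal and not proof, since a replaced network card produces the same change. Static ARP entries for the gateway and critical hosts, or dynamic ARP inspection on the switch, are the preventive controls.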
ARP Theory Review
• ARP cache maps IP addresses to MAC addresses
• On physical networks, IP packets travel from hop-to-hop via
MAC addresses
• Many hosts accept unsolicited ARP replies, allowing spoofing
attacks
• Hosts cache ARP entries in a table for efficiency
• ARP spoofing attacks can only be launched on the local network
Wrapping up this section with “ARP Theory Review”: ARP is the mechanism that maps IP addresses to MAC addresses. All IP datagrams are sent in frames addressed by MAC address, the hardware address of the medium the packet must travel over. Those bound outside the local network are sent to the router’s hardware address.
A host has no way of authenticating that an ARP reply is genuine and will accept and cache a MAC address that does not belong to the true host. ARP is limited to the local network and is not routable.
IP Options
The next section begins with the slide “IP Options”. The IP options are specified in detail in RFC 791, “Internet Protocol”. They are appended to the end of the IP header and are processed by each router as the packet travels to its destination. As the Internet has grown, these options have become largely unnecessary. Processing IP options actually reduces router performance because the options field is of variable length. Nevertheless, several of the options can be used maliciously to attack a network or gain reconnaissance on it.
By understanding how these options can be misused, an administrator can take proactive steps to ensure that such packets do not enter the network, and can then look for these packets to verify that the protective measures are configured correctly.
What are IP options?
Security
Loose Source Routing
Strict Source Routing
Record Route
Stream Identification
Internet Timestamp
These options represent potential security holes that can be used to attack your network.
The next slide is “What are IP Options?”. These options were originally designed as an enhancement to the IP protocol to perform specific functions and to provide alternate methods of tracking and routing packets. The IP options are:
Security
Loose Source Routing
Strict Source Routing
Record Route
Stream ID
Internet Timestamp
The options we are mainly interested in are the three that deal with routing. Two of them, loose and strict source routing, alter the normal path a routed packet takes through a network, while the third, record route, records the path a packet has taken. By altering the normal route, these options (where supported) pose a serious risk to the security of the network, because they can bypass security mechanisms such as firewalls and intrusion detection systems.
IP Route Options
The slide “IP Route Options” shows the format shared by the IP options that involve routing. The code field defines the type of option. The length field gives the option’s total length, from which the number of IP addresses in the list follows. Finally, the ptr (pointer) field references the entry in the list that is currently being processed.
For Loose Source Routing and Strict Source Routing, the initiating host constructs the whole address list. Each gateway along the way inspects the list. If the pointer is greater than the length, the list is exhausted and the gateway routes the packet to its destination normally. Otherwise the gateway fetches the address the pointer refers to, writes its own IP address into that slot, advances the pointer, and routes the packet to the address it fetched. Just like record route, when the packet reaches its destination it carries a list of the addresses through which it traveled.
For Record Route, the list starts out empty and accumulates IP addresses as the packet is routed across the network to its destination.
Loose Source Routing
Loose source routing specifies only some of the intermediate hops on the route. The example illustrates a loose source route through Y.
Figure: source host A and destination host X with routers R, P and Y in between.
The next slide is “Loose Source Routing”. Loose source routing specifies a list of required nodes that the packet must pass through. In the example shown, the option list initially contains the IP address Y. The initiating host uses Y as the destination address of the packet and places the true destination, X, on the option list.
“Loose” refers to the fact that any number of intermediate routers may be traversed between the routers listed in the option. In our example the first hop is not Y; the packet must first go through P to reach Y.
Strict Source Routing
Strict source routing specifies a group of up to 9 intermediate routers, beginning at the source address, that the packet must traverse. The example illustrates a strict route through P, Y, D.
Figure: source host A, destination host X and routers R, P, Y and D.
The next slide is “Strict Source Routing”. Strict source routing specifies the exact route a packet travels between two hosts, for up to the first 9 hops. In the example shown, the original option address list consists of P, Y and D. The initiating host takes P and uses it as the destination address of the packet as sent, and places the true destination, X, as the last entry in the option list, which then becomes Y, D and X.
As the packet is routed through the network, each router compares its own address to the packet’s destination address. If they match, the next address on the option list becomes the new destination and the ptr is advanced. If they do not match, the packet is dropped and an ICMP error message is returned to the initiating host.
If the end of the option list is reached before the final destination, routing proceeds normally until the final destination is reached.
“Strict” refers to the fact that the list of routers must be followed exactly as specified in
Record Route Option
Figure: the packet travels from A to X through routers R, P, Y and D.
The Record Route option collects the addresses of all of the routers that the packet went through.
The final option is covered by the slide labeled “Record Route Option”. Unlike the two options just discussed, record route does not alter the routing of the packet. It simply records the addresses of the routers the packet travels through. That information is extremely valuable reconnaissance for an attacker.
In the example shown on the slide, the IP option list contains the following addresses, discovered during the packet’s traversal from host A to host X: P, D and R.
Detecting Source Routing
• IP header is greater than 20 bytes
• IP option field has a hexadecimal value of:
  83: loose source routing
  89: strict source routing
ip[0] & 0xf > 5 and (ip[20] = 0x83 or ip[20] = 0x89)
14:19:31.800000 1.2.3.4 > 192.168.5.5: icmp: echo reply (DF)
4f00 0028 b5cb 4000 fe01 b229 0102 0304 c0a8 0505 8327 0402 0304 0501 0101 0102 etc
(4f: first byte, IP header length in its low nibble; 83 27 04 ...: start of the IP options)
Look at the slide “Detecting Source Routing”. First, we have to detect an IP header longer than 20 bytes. The IP header length is stored in the low-order nibble of the first byte of the IP header, in units of 32-bit words (4 bytes), so a header length greater than 5 indicates that IP options are present. Next, we look at the first byte of the options field, which is at offset 20 in the IP header (ip[20]). If we find a value of 83 or 89 there, we have source routing.
The tcpdump output shows traffic that appears to be source routed. We have to dump the output in hexadecimal (the -x option of tcpdump) to verify this. The header length nibble is set to the maximum value, hexadecimal f, or decimal 15, so the header is the maximum 60 bytes long. We see that this is loose source routing because the first byte of the options is 83.
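A parser for the option format described under “IP Route Options” together with the detection on this slide, as an added example (not code from the course): it walks the IP options area, classifies record route and loose/strict source routing, applies the slide’s BPF test for comparison, and performs the per-gateway source-route step. The packet is constructed here (the slide’s hex dump is abridged with “etc”, so it is not reused); 10.0.0.1, 10.0.0.2 and the 8-byte echo stub are assumed values.

```python
import struct
import ipaddress

IPOPT_EOL, IPOPT_NOP, IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 0x00, 0x01, 0x07, 0x83, 0x89
ROUTE_OPTIONS = {IPOPT_RR: "record route", IPOPT_LSRR: "loose source routing",
                 IPOPT_SSRR: "strict source routing"}

def header_length(pkt):
    """IHL is the low nibble of the first byte, in 32-bit words."""
    return (pkt[0] & 0x0F) * 4

def parse_options(pkt):
    """Walk the options area and return [(code, ptr, [addresses])] for the
    three routing options. NOPs are skipped, EOL ends the walk."""
    ihl = header_length(pkt)
    found, opts, i = [], pkt[20:ihl], 0
    while i < len(opts):
        code = opts[i]
        if code == IPOPT_EOL:
            break
        if code == IPOPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option length")
        if code in ROUTE_OPTIONS:
            ptr = opts[i + 2]
            addrs = [str(ipaddress.IPv4Address(opts[i + 3 + k:i + 7 + k]))
                     for k in range(0, length - 3, 4)]
            found.append((code, ptr, addrs))
        i += length
    return found

def bpf_matches(pkt):
    """The slide's tcpdump filter: ip[0] & 0xf > 5 and (ip[20] = 0x83 or ip[20] = 0x89)."""
    return (pkt[0] & 0x0F) > 5 and pkt[20] in (IPOPT_LSRR, IPOPT_SSRR)

def source_routed(pkt):
    return any(code in (IPOPT_LSRR, IPOPT_SSRR) for code, _, _ in parse_options(pkt))

def destination(pkt):
    return str(ipaddress.IPv4Address(pkt[16:20]))

def lsrr_option(hops):
    """Loose source route option: code 0x83, length 3 + 4n, pointer 4 (first entry)."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body

def build_packet(src, dst, options=b""):
    """IPv4 header carrying the given raw options (padded to a word boundary)
    plus an 8-byte ICMP echo stub; checksums are left zero. Constructed test input."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 8, 0xB5CB, 0x4000, 254, 1, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + options + b"\x08\x00" + b"\x00" * 6

def forward_step(pkt, my_addr):
    """What a gateway does with a source-routed packet per the IP Route Options
    notes: if ptr > length the list is exhausted and the packet is routed to its
    destination as usual; otherwise the pointed-to address becomes the new
    destination, the gateway writes its own address into that slot, ptr += 4."""
    buf, ihl, i = bytearray(pkt), header_length(pkt), 20
    while i < ihl:
        code = buf[i]
        if code == IPOPT_EOL:
            break
        if code == IPOPT_NOP:
            i += 1
            continue
        length = buf[i + 1]
        if code in (IPOPT_LSRR, IPOPT_SSRR):
            ptr = buf[i + 2]
            if ptr <= length:
                slot = i + ptr - 1                  # ptr counts from 1 at the option's code byte
                next_hop = bytes(buf[slot:slot + 4])
                buf[slot:slot + 4] = ipaddress.IPv4Address(my_addr).packed
                buf[16:20] = next_hop
                buf[i + 2] = ptr + 4
            break
        i += length
    return bytes(buf)

if __name__ == "__main__":
    # 1.2.3.4 (the slide's source address) sends via 10.0.0.1 then 10.0.0.2 to 192.168.5.5
    pkt = build_packet("1.2.3.4", "10.0.0.1", lsrr_option(["10.0.0.2", "192.168.5.5"]))
    print("bpf:", bpf_matches(pkt), "walk:", parse_options(pkt))
    evasive = build_packet("1.2.3.4", "10.0.0.1", b"\x01" + lsrr_option(["10.0.0.2", "192.168.5.5"]))
    print("bpf:", bpf_matches(evasive), "walk:", parse_options(evasive))
    hop = forward_step(pkt, "10.0.0.1")
    print("after 10.0.0.1:", destination(hop), parse_options(hop))
```

The BPF filter assumes the source-route option is the first option in the header; a single NOP (0x01) placed before it moves the code to ip[21] and the filter misses it, while walking the options does not. That is why IDS rules that inspect options (Snort’s ipopts keyword, for example) decode them rather than test one byte.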
Source Route Exploit
Figure: the spoofing host sends traffic through router1, router2 and router3 to the target host; to the target it appears to be traffic from the trusted host, and the source route brings the replies back to the spoofing host.
Let’s look at one of the malicious uses of source routing on the slide “Source Route Exploit”. Here a spoofing host sends traffic to a target host pretending to be a trusted host. Normally, if a spoofing host sends traffic with a bogus source IP address claiming to be the trusted host, any response the target sends goes back to the real trusted host. But if source-routed traffic is allowed into the target host’s network, we have subverted dynamic routing and dictated the path the datagram takes on its return trip, namely back to the spoofing host.
In this manner we can emulate a trusted relationship with the target host. If, for instance, the target grants access on the basis of trust, perhaps with no need for a password, we have just subverted that relationship. Obviously, this is something you do not want to allow into your network. Most routers provide a command that disables the route options; on Cisco IOS the command is simply “no ip source-route”. Verifying that these options are disabled is extremely important to the security of your network.
Some spoofing attacks can also be eliminated with packet filters. Almost every router should carry a filter that drops any packet attempting to enter the network from outside with a source address belonging to the destination network; such packets have obviously been spoofed.
IP Options Review
• IP options are rarely used
• IP options can be used to record the path that a
packet takes
• IP options can be used to alter the routing of a packet
• Correct router configuration can stop these packets
To briefly wrap up this section, turn to “IP Options Review”. IP options were once used to help debug the Internet and verify that traffic was traveling the way it was supposed to. Today they are used more for malicious purposes and are considered dangerous if allowed into your network. They can record the route a packet takes into your network and so let someone learn about your internal architecture.
More threatening still is the ability to source-route traffic. Normal dynamic routing is pre-empted, so spoofed traffic can purport to come from one source IP while the replies are returned to an entirely different, hostile host. Disallow source-routed traffic into your network.
Dynamic Routing Protocols
In our next section, “Dynamic Routing Protocols”, we begin examining the routing decisions encountered when packets must travel beyond the local network.
Routing protocols are divided into two major categories: Interior Gateway Protocols (IGPs) and Exterior Gateway Protocols (EGPs). Interior Gateway Protocols are designed to route packets within a network under a single administration, also known as an Autonomous System, whereas Exterior Gateway Protocols are designed for packets that must traverse multiple autonomous systems.
Autonomous System - A network of routers that all fall under the same administrative control.