Routing: Indirect Delivery
Routing: Indirect Delivery
Blind IP Spoofing
• A host sends an IP datagram with the address of some other host as the
source address
• The host replies to the legitimate host
• Usually the attacker does not have access to the reply traffic
Man-in-the-middle Attacks
• An attacker that has control a gateway used in the delivery
process can
– Sniff the traffic
– Intercept/block traffic
– Modify traffic
Types of Routing
• Source routing
– The originator of a datagram determines the route to follow
independently before sending the datagram (IP source routing
option)
• Hop-by-hop routing
– The delivery route is determined by the gateways that participate in
the delivery process
Attacks Using Source Routing
• The IP source routing option can be used to specify the
route to be used in the delivery process, independent of the
“normal” delivery mechanisms
• Using source routing a host can force the traffic through
specific routes that allow access to the traffic (sniffing or
man-in-the-middle attacks)
• If the reverse route is used to reply to traffic, a host can
easily impersonate another host that has some kind of
privileged relationship with the host that is the destination
of the datagram (a trust relationship)
Hop-by-hop Routing: The Routing Table
• The information about delivery is maintained in the routing
table
% route -n
Kernel IP routing table
Destination Gateway Genmask F lags Iface
192.168.1.24 0.0.0.0 255.255.255.255 UH eth0
192.168.1.0 0.0.0.0 255.255.255.0 U eth0
127.0.0.0 0.0.0.0 255.0.0.0 U lo
0.0.0.0 192.168.1.1 0.0.0.0 UG eth0
• Flags
– U: the route is up
– G: the destination is a gateway
– H: the route is to a host (if not set, the route is to a network)
– D: the route was created by a redirect message
– M: the route was modified by a redirect message
Routing Mechanism
• Search for a matching host address
• Search for a matching network address
• Search for a default entry
• If a match is not found a message of “host unreachable” is
returned (by the kernel or by a remote gateway by using
ICMP)
• Routing tables can be set
– Statically (at startup, or by using the “route” command)
– Dynamically (using routing protocols)
Routing Protocols
• Dynamic routing is performed by a number of protocols
organized hierarchically with different scopes and
characteristics
• Routing protocols distribute information about delivery
routes
• Exterior Gateway Protocols (EGPs) are used to distribute
routing information between different autonomous systems
(e.g., EGP, Border Gateway Protocol - BGP)
• Interior Gateway Protocols (IGPs) are used to distribute
routing information inside an autonomous system (e.g.,
Routing Information Protocol - RIP, Open Shortest Path First
- OSPF)
RIP Attacks
• A host can send spoofed RIP packets and “inject” routes to
a host (IP/UDP spoofing is easy!)
• A route with a smaller hop count would be used instead of
the legitimate one
• This attack can be used for
– hijacking
– denial-of-service
• On a LAN, RIPv2 passwords can be sniffed and used in the
attack
If two hosts are in different physical networks the IP
datagram is encapsulated in a lower level protocol and
delivered to the directly connected gateway
• The gateway decides which is the next step in the delivery
process
• This step is repeated until a gateway that is in the same
physical subnetwork of the destination host is reached
• Then direct delivery is used
datagram is encapsulated in a lower level protocol and
delivered to the directly connected gateway
• The gateway decides which is the next step in the delivery
process
• This step is repeated until a gateway that is in the same
physical subnetwork of the destination host is reached
• Then direct delivery is used
Blind IP Spoofing
• A host sends an IP datagram with the address of some other host as the
source address
• The host replies to the legitimate host
• Usually the attacker does not have access to the reply traffic
Man-in-the-middle Attacks
• An attacker that has control a gateway used in the delivery
process can
– Sniff the traffic
– Intercept/block traffic
– Modify traffic
Types of Routing
• Source routing
– The originator of a datagram determines the route to follow
independently before sending the datagram (IP source routing
option)
• Hop-by-hop routing
– The delivery route is determined by the gateways that participate in
the delivery process
• The IP source routing option can be used to specify the
route to be used in the delivery process, independent of the
“normal” delivery mechanisms
• Using source routing a host can force the traffic through
specific routes that allow access to the traffic (sniffing or
man-in-the-middle attacks)
• If the reverse route is used to reply to traffic, a host can
easily impersonate another host that has some kind of
privileged relationship with the host that is the destination
of the datagram (a trust relationship)
Hop-by-hop Routing: The Routing Table
• The information about delivery is maintained in the routing
table
% route -n
Kernel IP routing table
Destination Gateway Genmask F lags Iface
192.168.1.24 0.0.0.0 255.255.255.255 UH eth0
192.168.1.0 0.0.0.0 255.255.255.0 U eth0
127.0.0.0 0.0.0.0 255.0.0.0 U lo
0.0.0.0 192.168.1.1 0.0.0.0 UG eth0
• Flags
– U: the route is up
– G: the destination is a gateway
– H: the route is to a host (if not set, the route is to a network)
– D: the route was created by a redirect message
– M: the route was modified by a redirect message
Routing Mechanism
• Search for a matching host address
• Search for a matching network address
• Search for a default entry
• If a match is not found a message of “host unreachable” is
returned (by the kernel or by a remote gateway by using
ICMP)
• Routing tables can be set
– Statically (at startup, or by using the “route” command)
– Dynamically (using routing protocols)
Routing Protocols
• Dynamic routing is performed by a number of protocols
organized hierarchically with different scopes and
characteristics
• Routing protocols distribute information about delivery
routes
• Exterior Gateway Protocols (EGPs) are used to distribute
routing information between different autonomous systems
(e.g., EGP, Border Gateway Protocol - BGP)
• Interior Gateway Protocols (IGPs) are used to distribute
routing information inside an autonomous system (e.g.,
Routing Information Protocol - RIP, Open Shortest Path First
- OSPF)
RIP Attacks
• A host can send spoofed RIP packets and “inject” routes to
a host (IP/UDP spoofing is easy!)
• A route with a smaller hop count would be used instead of
the legitimate one
• This attack can be used for
– hijacking
– denial-of-service
• On a LAN, RIPv2 passwords can be sniffed and used in the
attack
0 comments:
Post a Comment