Networking Concepts – part 3 – Network Addressing, Ports and Protocols

Networking Concepts – part 3 – Network Addressing, Ports and Protocols

Subnet classes

Not used anymore as it’s a waste of IPs. It has been supplanted by CIDR

subnet_classes

CIDR (Classless Inter-Domain Routing)

  • Uses VLSM (Variable Length Subnet Masks) to allocate IPs to subnets according to the individual needs.
  • The network/host division can occur at any bit boundary in the address.

cidr

Broadcast addresses

broadcast_addresses

Limited broadcasts are used when computers boot so they can obtain DHCP lease or otherwise configure network interfaces.

Private addresses

private_addresses

IP v6

ip6_addressingip_v6_addressingip6_featuresip6_vs_ip4

ipv6-ipv4-vs-ipv6-header

MAC and IP address

mac_ip_2

mac_ip_1

ARP (Address Resolution Protocol)

  • ARP is a layer 2 broadcast

arp

Ports and protocols

ports_protocols


DNS (Domain Name System)

  • static host table:
    • in Unix systems: /etc/hosts
    • in windows systems: %systemroot%\system32\drivers\etc\hosts with a second similar file in the same directory called lmhosts that contains additional mappings for NetBIOS to lP address translations.

dnsdns_hierarchy

Types of DNS Queries

  • Gethostbyname – forward lookup
    • Maps fully qualified domain name (FQDN) to IP address
    • e.g. maps www.sans.org to its IP address
  • Gethostbyaddr – reverse lookup
    • Maps IP address to FQDN

Making a DNS Query

$ nslookup www.yahoo.com
## Answers that come from cache are referred to as `non-authoritative` answers because a DNS server that does not house the actual database for that domain supplied them.
$ nslookup 216.109.118.72

DNS Security Attacks

dns_security

Cache Poisoning

  • DNS cache poisoning attacks involve returning extra data along with the results of a query.
  • This extra data contains invalid information, which on vulnerable DNS servers will be written to the DNS cache, thus poisoning the DNS cache for the server.
  • The end result is that any traffic for a server with a poisoned entry could be redirected to a server the attacker controls.
Defense against Cache Poisoning
  • keeping your DNS software updated to the most recent version and keeping patches up-to-date.

Denial of Service

  • Involve flooding legitimate DNS servers with a large number of queries.
  • This effectively makes servers in the domain served by the DNS server unavailable.

Footprinting

  • Footprinting involves using DNS data to learn about the servers in a network.
  • This can be done by requesting
    • zone transfers against improperly configured DNS servers,
    • or by performing reverse DNS lookups against an entire network range.
  • The gathered information can be used to formulate attacks against servers in the address space.
defense against footprinting
  • limit zone transfers to only DNS servers who legitimately require them.
  • limit the DNS information available externally to only the information for your internet accessible servers.

Registration Spoofing

  • Not a real attack, mostly social engineering.
  • convincing the domain registrar to use the attacker DNS server.
  • Large registrars use their own DNS servers to prevent this attack.

IP protocols and the OSI

ip_osi

UDP (User Diagram Protocol)

udpupd_uses

Other important UDP-based protocols include:

  • Network Time Protocol (NTP)-Synchronizes time.
  • BOOTP/DHCP protocols-Automatically configures network interfaces and loads operating systems via the network when they startup.
  • Network File System (NFS)-Supports file sharing for Unix-based networks.
  • Simple Network Management Protocol (SNMP)-Used as a management tool to query network- and server-based devices for monitoring or troubleshooting purposes.
  • Trivial File Transfer Protocol (TFTP)-Used as a method to transfer files from one device to another without requiring authentication. TFTP’s most common use is in updating code on network-based devices.

udp_header_2

UDP-Header

TCP (Transmission control protocol)

tcp

TCP often is a network programmer’s protocol of choice. It is probably the easier of the two protocols to program for because most of the error handling is down inside the transport layer and out of sight from the application code.

tcp_uses

Establishing a TCP connection

tcp_connection

  • After a connection is established, the ACK flag is set for every packet. As a result, the presence of the ACK can indicate whether a connection has been established or not.
  • In fact, simple packet filters allow all packets with ACK set and assume that they are part of an established connection.
  • It is trivial to circumvent such a filter by crafting a packet with the ACK bit set. This technique is often used to probe a network behind a filtering device and called an ACK scan.
  • To minimize traffic, ACKs are “piggy-backed” (as frequently as possible) onto packets containing data, as opposed to sending a packet with just an ACK.
  • The ACKs confirm to the client and server that both ends are still using the connection.

Closing a TCP connection

tcp_close_connection

TCP header

tcp header 2

TCP-Header

TCP vs UDP

tcp_vs_udp

FTP (File Transfer Protocol)

ftp

FTP Security issues

  • Blind FTP configurations will prevent all or certain users (especially anonymous ones) from being able to list the files or even folders in a directory.
  • In order to avoid becoming a warez site, the anonymous user can be permitted to upload into a directory that allows only Put access. ln other words, one anonymous user can upload a file, but another anonymous user will be unable to download the file.
  • Another issue to consider with FTP is that all traffic that passes as part of an FTP connection passes in cleartext. This means that even with a username and password security, an FTP connection or server is only as secure as the network it traverses.
  • A potential attacker who has the ability to sniff traffic on a network has the ability to capture usernames and passwords and even to stealthily obtain files that were transmitted by the FTP server while they were sniffing the network.
  • Another common issue with FTP revolves around one specific feature commonly referred to as the PORT command. The effect is that a user can cause an FTP server to open a connection from the FTP server directly based upon commands entered through an FTP command/control channel.
  • The end result is that a user can effectively bypass firewall controls to port scan a network behind a firewall, where they can connect to an FTP server. They can also obscure their identity by using an FTP server to scan other hosts on the Internet for them.
  • In most cases, it is advisable to disable the PORT command entirely to prevent this type of problem.

Active vs passive FTP

active_passive_ftp

  • An ephemeral port === a port greater than 1023.

Implications of FTP connection on firewalls

A stateless firewall

that will have no knowledge about the mechanics of the different ports being requested to be opened for FTP. This type of firewall will require the following ports to be opened for FTP to function:

  • Active/Passive FTP Command Channel:
    • 21 /TCP permitted inbound to the FTP server from any host coming from an ephemeral port
    • Source port 21/TCP from FTP server permitted outbound to any host on an ephemeral port
  • Active FTP Data Channel:
    • Source port 20/tcp from FTP server permitted outbound to any host on an ephemeral port
    • 20/TCP permitted inbound to the FTP server from any host coming from an ephemeral port
  • Passive FTP Data Channel:
    • Ephemeral ports to the FTP server permitted inbound from any host on an ephemeral port
    • Ephemeral ports from the FTP server permitted outbound to any host on an ephemeral port

That’s a lot of traffic to be permitted through a firewall.

The high traffic essentially provides a mechanism for unauthorized services to be accessible to or from the FTP server that may have nothing to do with FTP at all.

This loose security model can magnify the problems mentioned previously with respect to bounce scans with the PORT command and can provide a mechanism for a potentially infected FTP server to have a backdoor installed that is listening on an obscure high port.

If you are stuck with such a firewall, it would be better to disable passive FTP altogether, as active FTP is much less permissive in what it permits through the firewall.

A stateful firewall

It would be better, however, to use a stateful firewall that has additional knowledge of the FTP protocol and can dynamically open ports for the data channel based upon reading into command channel packets.

This type of firewall will always permit 21/TCP inbound (and the stateful replies outbound) for valid connections and will prevent the need to leave all of the ephemeral ports wide open at all times, either from 20/TCP or from all ephemeral ports.

ICMP (Internet Control Message Protocol)

Layer 3 (Network layer) protocol

Purposes:

  • To report errors (troubleshooting) rather than transferring information
    • Destination host unreachable
    • Fragmentation needed and OF flag set
  • To provide network information
    • Ping – Is the host alive and what’s the latency?

ICMP header

icmp_header_2

ICMP-Header

Ping

ping

Traceroute

traceroute

Unix and Windows Traceroute

Works differently; might produce different results

  • Unix traceroute uses UDP packets
  • Windows tracert uses ICMP packets

Not only is traceroute a great tool for determining paths through the network, but it is also a pretty decent network mapper.

By carefully examining the output of several runs to different hosts on the same remote network, you can start to notice similarities and differences.

Leave a Reply