6lab.cz | RSS Feed http://6lab.cz Networking, IPv6, Security Tue, 24 Oct 2017 08:54:46 +0000 en-US hourly 1 http://wordpress.org/?v=3.9.1 Hiding TCP Traffic: Threats and Counter-measures http://6lab.cz/hiding-tcp-traffic-threats-and-counter-measures/ http://6lab.cz/hiding-tcp-traffic-threats-and-counter-measures/#comments Tue, 16 Jul 2013 13:51:38 +0000 http://6lab.cz/?p=1735 Read More]]> Computer networks were designed to be simple and routers do not validate the integrity of the processed traffic. Consequently, an attacker can modify his or her traffic with the aim of confusing any analyser that intercepts the traffic, e.g. monitoring and security software or lawful interception. This paper studies the attack that is based on sending additional colliding TCP segments with the same sequential number but different content. The segments with the correct message are delivered to the other communicating party of the TCP connection while the fake segments are dropped en route. The goal of the fake segments is to confuse analysers into decoding a different message to the one that is received by the other communicating party. The other communicating party does not need to be aware of the attack and therefore does not need any specific software. Although this paper discuss the advantages and disadvantages of the attack for an attacker, our ultimate goal was to find counter-measures against the attack. Our contribution can be divided into four following parts. 1) We converted the attack to IPv6 and searched for possibilities that may force a middle box to drop fake packets. 2) We developed a tool called LDP, which behaves as a TCP proxy server that masks outbound TCP traffic of a whole network. 3) We identified several counter-measures. In addition, we implemented LNC, a tool that identifies the attack in pcap files and removes the fake segments. Since LNC is a stand-alone tool, it also deals with traces generated by other software than LDP as long as it is based on the same attack vector. 4) LDP and LNC were tested in both laboratory environment and on the Internet. The experiments validated that the attack is applicable for a communication with a server that is not under the control of an attacker. Several parameters of the attack were evaluated during the experiments; mainly the number and the length of fake packets and their influence on the performance of the attack and counter-measures.

Full paper

Presentation used at the conference

Citation: Polčák, L., Hranický, R., Matoušek, P.: Hiding TCP Traffic: Threats and Counter-measures, In: Security and Protection of Information 2013, Brno, CZ, UNOB, 2013, s. 83-96, ISBN 978-80-7231-922-0

About the main author

Libor Polčák

http://www.fit.vutbr.cz/~polcak polcak@fit.vutbr.cz

Libor Polčák is a researcher at BUT, FIT.

]]> http://6lab.cz/hiding-tcp-traffic-threats-and-counter-measures/feed/ 0 Behaviour of various operating systems during SLAAC, DAD, and ND http://6lab.cz/behaviour-of-various-operating-systems-during-slaac-dad-and-nd/ http://6lab.cz/behaviour-of-various-operating-systems-during-slaac-dad-and-nd/#comments Wed, 29 May 2013 08:27:53 +0000 http://6lab.cz/?p=1691 Read More]]> This post contains the report from the study phase of the behaviour of various operating systems during SLAAC and DAD analysis for our paper called “A New Approach for Detection of Host Identity in IPv6 Networks”, which will be presented at DCNET 2013. This post also contains PCAP files that we believe may be useful for other researchers or engineers. In this post, we call RFC4941 as PE addresses and addresses used by windows with randomly generated interface identifier (IID) are called random addresses, even though the random part of the address is generated just once. The credit for most of the work goes to Martin Holkovič.

Monitoring network

We tested the operating systems on virtual machines in VMware Workstation 7.1., the network cards of the virtual machines were operating in Host-Only mode. You can see the topology on the following image: Testing topology Additionally, Cisco 3725 router was connected to the topology: Router connected to the tested network

Performed tests

Selection of a new address

  1. The router is connected to the network and the tested interface is down on the tested OS
  2. The tested interface is enabled and consequently, the OS generates a new address

Does the tested computer reply to DAD-NS (EUI-64, static, random, PE address)?

  1. The router, the tested computer and a virtual PC with Ubuntu are present in the tested network.
  2. The tested address (EUI-64, static, random, PE) is set on the Ubuntu computer, consequently Ubuntu issues DAD and the tested OS should reply with the NA.

Does the tested computer use duplicate EUI-64 address?

  1. The router, the tested computer and a virtual PC with Ubuntu are present in the tested network. The tested interface is down.
  2. The tested system is configured to generate EUI-64 if necessary.
  3. Ubuntu is set up to use the same MAC address as the tested computer has.
  4. The tested interface is enabled, the OS generates the same address as the Ubuntu computer already has. Ubuntu replies with NA.

Does the tested computer use duplicate global EUI-64 address?

  1. Only the systems with EUI-64 addresses enabled by default were tested
  2. The router, the tested computer and a virtual PC with Ubuntu are present in the tested network. The tested interface is down.
  3. Ubuntu is set up to use the same IPv6 address as the tested computer would use as EUI-64 address.
  4. The tested interface is enabled, the OS generates the same address as the Ubuntu computer already has. Ubuntu replies with NA.

Does the tested computer use duplicate random address?

  1. Only the systems with random addresses enabled by default were tested (newer Windows).
  2. The router, the tested computer and a virtual PC with Ubuntu are present in the tested network. The tested interface is down.
  3. Ubuntu is set up to use the same IPv6 address as the tested computer would use as random address (the IID is generated once and then it stays constant).
  4. The tested interface is enabled, the OS generates the same address as the Ubuntu computer already has. Ubuntu replies with NA.

Does the tested computer use duplicate PE address?

  1. PE addresses are enabled on the tested OS.
  2. The router, the tested computer and a virtual PC with Ubuntu are present in the tested network. The tested interface is down.
  3. A script that replies with NA to all PE addresses is started on the computer with Ubuntu. The script does not reply to EUI-64 (link-local, global) a random addresses used by the tested Windows computers.
  4. The tested interface is enabled, the OS generates PE address and the script replies with NA.

Captured PCAP files

During the test, we captured various PCAP files that can be downloaded used for your analysis. We have also analysed the PCAP files, see the following section and the publications below.

  • POLČÁK Libor, HOLKOVIČ Martin a MATOUŠEK Petr. A New Approach for Detection of Host Identity in IPv6 Networks. In: Proceedings of the 4th International Conference on Data Communication Networking, 10th International Conference on e-Business and 4th International Conference on Optical Communication Systems. Reykjavík: SciTePress – Science and Technology Publications, 2013, pp. 57-63. ISBN 978-989-8565-72-3.
  • POLČÁK Libor, HOLKOVIČ Martin and MATOUŠEK Petr. Host Identity Detection in IPv6 Networks. In: E-Business and Telecommunications. Berlin: Springer Verlag, 2014, pp. 74-89. ISBN 978-3-662-44787-1. ISSN 1865-0929. (This is an extended version of the previous paper.)
  • POLČÁK, Libor. Lawful Interception: Identity Detection. Brno, 2017. PhD. Thesis. Brno University of Technology, Faculty of Information Technology. 2017-10-13. Supervisor Švéda Miroslav.

Test results

The tests result are presented in the following table

Name Version Kernel Uses PE addresses by default Does the tested computer reply to DAD-NS (static address)? The tested computer does not use duplicate static address EUI-64 replies to DAD / does not use duplicate address Does not use duplicate EUI-64 global address in case of PE are turned on Random addresses replies to DAD / does not use duplicate address privacy extension adresy replies to DAD / does not use duplicate address / Number of attempts
CentOS 6.2 2.6.32 No Yes Yes Yes / Yes Yes -1 Yes / Yes / 5
Debian 3.1 2.4.27 No Yes was not tested Yes / Yes -2 - -2
Debian 6.0.4 2.6.32 No Yes Yes Yes / Yes Yes -1 Yes / Yes / 5
Fedora 16 3.1.0 No Yes Yes Yes / Yes Yes -1 Yes / Yes / 5
FreeBSD 9.0 - No Yes Yes, tested on 9.1 Yes5 / Yes Yes 3 -1 Yes / Yes / 1 4
Linux Mint 12 3.0.0 No Yes Yes Yes / Yes Yes -1 Yes / Yes / 5
Mac OS X 10.6.2 10.2 No Yes - Yes / Yes Yes 3 -1 Yes / Yes / 1 4
Mandriva One 2011 2.6.38 No Yes was not tested Yes / Yes Yes -1 Yes / Yes / 5
OpenBSD 5.0 - No Yes Yes Yes / Yes Yes 3 -1 Yes / Yes / 1 4
Red Hat 5 2.6.18 No Yes was not tested Yes / Yes Yes -1 Yes / Yes / 5
Solaris 5.11 - No 6 Yes Yes / Yes Yes 3 -1 Yes / Yes / 5
Ubuntu 10.04 LTS 2.6.32 No Yes was not tested Yes / Yes Yes -1 Yes / Yes / 5
Ubuntu 11.10 3.0.0 No Yes was not tested Yes / Yes Yes -1 Yes / Yes / 5
Windows 7 - 6.1 Yes Yes Yes Yes5 / Yes Yes Yes / Yes Yes / Yes / 7
Windows 7 SP1 6.1 Yes Yes was not tested Yes5 / Yes Yes Yes / Yes Yes / Yes / 7
Windows 8 consumer preview 6.2 Yes Yes Yes Yes5 / Yes Yes Yes / Yes Yes / Yes / 7
Windows Server 2008 R2 SP1 6.1 No Yes was not tested Yes5 / Yes Yes Yes / Yes Yes / Yes / 7
Windows Vista - 6.0 Yes Yes was not tested Yes5 / Yes Yes Yes / Yes Yes / Yes / 7
Windows Vista SP2 6.0 Yes Yes was not tested Yes5 / Yes Yes Yes / Yes Yes / Yes / 7
Windows XP SP3 5.1 No Yes Yes Yes / Yes Yes -1 Yes / Yes / 7

Notes to the tests

  • 1.Random addresses:
    • They are only supported on Windows Vista and newer.
  • 2. Privacy extension addresses:
    • PE was not configured
  • 3. EUI-64 global addresses – reaction to duplicate address:
    • Tested OS keeps the address but it is marked as duplicate and it is not used by the OS (e.g. DAD, ping)
  • 4. Privacy extension addresses – reaction to duplicate address:
    • Only one PE is tried, it is kept after DAD but it is marked as duplicate and it is not used by the OS (e.g. DAD, ping)
  • 5. EUI-64 – reaction to DAD:
    • Marked systems ignore DAD from the same MAC address as is used by the system.
  • 6. Solaris – static address:
    • Static address was not tested because it was not used by the system.
About the main author

Libor Polčák

http://www.fit.vutbr.cz/~polcak polcak@fit.vutbr.cz

Libor Polčák is a researcher at BUT, FIT.

]]> http://6lab.cz/behaviour-of-various-operating-systems-during-slaac-dad-and-nd/feed/ 0