SlideShare ist ein Scribd-Unternehmen logo

Black Ops TCP/IP: Packet Misadventures and NATless NAT

Als PPT, PDF herunterladen
Dan Kaminsky
Dan Kaminsky
Technologie
1 von 47
BLACK OPS OF TCP/IPSpliced NAT2NAT And Other Packet-Level Misadventures Dan Kaminsky, CISSP DoxPara Research www.doxpara.com
Where I’m Coming From…  Black Hat / DefCon 0x7D1  Impossible Tunnels through Improbable Networks with OpenSSH  Getting Out: ProxyCommands for Non-TCP comm layers  HTTP, SOCKS, UDP, Packet Radio*, AIM/Yahoo*  Coming In: Active Connection Brokering for NAT2NAT  One host exports SSHD to broker  Other host imports access from broker  Passing Through: Dynamic Forwarding for Psuedo-VPN Work  Web Browsing, Dialpad(Split-H323), etc.
Interesting Problems  Instant Portscan  “Is it possible to discover instantaneously what network services have been made available, even on massive networks?”  Guerrila Multicast  “Is it possible to send a single packet to multiple recipients, using today’s multicast-free Internet?”  “NATless NAT”  “Is it possible to share a globally addressable IP address without translating private IP ranges a la NAT?”  Is it possible to allow incoming connections to an IP multiplexed in this manner?  NAT Deadlock Resolution  “Is it possible to establish a TCP connection between two hosts, both behind NATs?”
On Possibility  Restraint Free Engineering  “Abandon All Practicality, Ye Who Enter Here”  “It’s amazing what you can do once security is no longer a concern.”  You’ve got what you’ve got. Make interesting things happen.  It might end up practical.  It might end up secure.  Right now, it’s impossible. Fix that first.  Maybe.
On Packet Structure  Packets are “strangely ordered”  Where it’s ending up next, where it came from recently, how it’s hopping from one place to the next, how it’s hopping to its final destination, checksum, where the packet came from originally, where it’s going to end up, what app it came from, what app it’s going to, checksum, god knows what, ANOTHER checksum  Why not sort everything; put all the “came from” and “going to’s” Why so much redundancy? Isn’t it inefficient?  WHO CARES?
Layers: Not What, But Who  One medium, many messages  Listeners reconstruct meanings relevant to themselves, ignore the rest  Managed (ir)responsibility  Fields are out of order, occasionally because they’re addressed to different entities  Name and address repeated inside a business letter and on the envelope  Messages at one layer can modulate messages received at another  Insufficient postage will prevent a correctly addressed letter from getting sent  Incorrect internal address has unknown effects
Error Recovery Per Layer  Layer 2 (Point to Point)  Errors are quickly recoverable, but error generation can occur at same layer as layer control  Data is destroyed and recreated each frame  Corporate Fertilizer  Layer 3 (Router to Router)  Many more sources of personally irrelevant error  Highest Traffic Link  Data is modulated – minimum change possible  Layer 4 (End to End)  Lowest traffic, highest personal relevance  Errors here actually matter
 This slide intentionally left blank
TCP Connection Traits: Flags  Connection Request (Alice -> Bob)  SYN: I want to talk to you  Connection Response (Bob -> Alice)  SYN|ACK: OK, lets talk.  RST|ACK: I ain’t listening  Connection Initiation (Alice -> Bob)  ACK: OK, beginning conversation.
TCP (and UDP) Connection Traits: Ports  Local Port: What application requested the connection. Usually a random number, 0-65535.  0 is a valid port  Remote Port: What application accepted the connection. Usually a “known number”  80 for HTTP  143 for IMAP  443 for HTTP/SSL  IP handles who we’re talking to; Ports handle what we want from them
TCP Connection Traits: Sequences  Sequence Numbers  32 bit number, randomly generated, must be reflected by the opposite party in a TCP handshake  After initial reflection, used to relay information about successful packet acquisition
Connection Summary  Flag determines phase  Asymmetric  Port determines process  Sequence “secures session”  Prevents trivial spoofing attacks  Also used to manage connection speed, identify which bytes are being acknowledged
Stateless Pulse Scanning  Instant Portscan  “Is it possible to discover instantaneously what network services have been made available, even on massive networks?”  Answer: Yes, practically, even securely  Separate scanner and listener processes  Sending  Directly send n SYN packets  Same local port  SYN cookies  Receiving  Kernel filter packets arriving to local port  Record connection phase: Port up(SYN|ACK) or host up, port down(RST|ACK)
Issue: Spoofed Responses  Easy to spoof hosts being up if the scanner isn’t tracking who (or how it scanned)  Solution: Invert SYN Cookies!
SYN Cookies  Developed in ’96, when SYN floods became common  ACK reflects ACK# of SYN|ACK(incremented by one)  Encrypts connection state into the SYN|ACK’s ACK#  Therefore, you can use legitimate remote hosts – instead of kernel memory – to store handshake state  Ahhh…but SYN|ACK also reflects SEQ# of SYN in its ACK#…  Instead of tracking SYN|ACK reflections in the ACK, track SYN reflections in the SYN|ACK
Implementation: Scanrand 1.0  Element of: Paketto Keiretsu  384 lines of libnet and libpcap, w/ trivial MD4 include  No state stored  Scans at ~11-20mbit  Possibly even portable  100% complete, release imminent
Observed Results  Since no state is maintained within the scanner, we can send SYNs at wire speed  Implementation can get faster  Found ~8300 web servers on a corporation’s Class B  Time spent: ~4 Seconds  Collisions  Initial SYNs might collide, but SYN|ACKs resend  SYN|ACKs are given RSTs by present kernels automatically  The SYNs were generated in userspace – the kernel has no idea the connection request was
Implications  Userspace manipulation of packets can lead to less overhead  Kernels are optimized to talk to other hosts, not simply to scan them  Packet content can be overloaded  A random field can always be replaced with encrypted data (and vice versa)  This is the heart of kleptography  Elegant solutions sometimes can be reapplied elsewhere  SYN(really SYN|ACK) cookies made SYN reception more efficient  Inverse SYN cookies make SYN transmission
Layer Redundancy  L2: Broadcast MAC Address  FF:FF:FF:FF:FF:FF  Absolute  L3: Broadcast IP Address  Last IP of Subnet  Relative  Sending to it is known as a Directed Broadcast  Often blocked, if it can be detected  Detection can be…suppressed.
Broadcast GHosts  Guerrila Multicast  “Is it possible to send a single packet to multiple recipients, using today’s multicast-free Internet?”  Answer: Yes, barely.  Link a unicast IP to a broadcast MAC address; all responses to that IP will be broadcast throughout a subnet  No individual client need duplicate the datastream – the switch will issue copies of the data to all downstream hosts
IP Incorporated  DHCP for an IP  May or may not use broadcast MAC in DHCP request – just trying to validate that nobody else is using the IP  Answer ARP requests for that IP with Broadcast MAC (or Multicast MAC)  At L2, w/o IGMP Snooping working, Multicast = Broadcast  Issue L4 requests against a remote host, unicasted via layer 3, with responses broadcasted locally at layer 2  Elegance has left the building
Firewall Issues  NAT  100% NAT penetration, as long as the implementation doesn’t refuse to NAT for a broadcast MAC  PIX, which accepts…Multicast MACs!  Multicast through NAT!  UDP  Remote side can send data forever – as long as it keeps packets coming in before the UDP state expires, no further data is required from behind the wall
TCP w/ Guerrila Multicast  Without any listeners, stream dies  With one listener, stream can operate normally  With many listeners, only one should participate in acknowledging the stream  If that one dies, another should take its place  Solution: Random delays  On reception of a packet to be acknowledged, queue a response within the next 50-1500ms  Broadcast response  If another host broadcasted a response before you had the chance to, unschedule your response
Recontextualizing L2/L3  One IP, normally linked to one host, can be transformed at L2 into all hosts at a given subnet  This transformation is undetectable outside the subnet  Other Uses  “All hosts” could also include “Many hosts” using L2 Multicast packets  Do we have another other situation where one IP “stands in” for many hosts?
NAT: Splitting IPs For Fun and Profit  NAT multiplexes several hosts into one IP address by splitting on local port  Already munging IP, might as well munge ports too  Some implementations make best efforts to match local port inside the network w/ local port outside  Birthday Paradox: Collision chance = 1 / sqrt(range_of_local_ports) = 1/256  If we can always match IP and Port, then we can always maintain end-to-end correctness  Only have a problem 1/256 connections to the same host  Alternate strategies exist – munge the SEQ#(problems w/ Window overlap), MTU decrement, TIMESTAMPS
MAC Address Translation  “NATless NAT”  “Is it possible to share a globally addressable IP address without translating private IP ranges a la NAT?”  Is it possible to allow incoming connections to an IP multiplexed in this manner?  Answer: Yes. Oh yes.  NAT: L4->L3  ARP: L3->L2  MAT: L4->(L3,L2)  Multiplex with L2/L3 instead of just L3  Make ARP Table dynamic, based on each individual L4 connection  Maintains L3 end-to-end integrity
Implementation: AllNewt 1.0  “All New Translation Engine”  Another part of Paketto Keiretsu  Translates arbitrary local IP addresses into globally routable IP addresses  Instead of just storing IP_SRC, stores IP_SRC, ETHER_DHOST, and ETHER_SHOST  If IP_SRC == External IP, packets will retain end- to-end integrity  If IP_SRC == RFC1918 IP, packets will be NATted normally  If IP_SRC == Yahoo/Microsoft/Whatever, packets will be NATted a little less normally  Multiple hosts can share the same IP address, if
Pizza Protocol A La Mode  “Anyone order a pizza?”  Stateless approach: Ask everybody, drop RST|ACK, forward everything else.  Just broadcast to the IP  Actually works behind NATs, but you need to catalog all the local IPs  Drop all RSTs, pass all streams/ACKs  Breaks down when two people are listening on the same port  Can split port range(1022, 2022, 3022, etc. all being different instances of 22/ssh)  Apply host-level heuristics – priority for incoming selection based on outgoing sessions
Incoming State  Stateful Approach (“you ordered the last one”)  Ask everyone, but remember who’s hosting  Send to the first host that replies  Increment the timer every time a packet is emitted from the serving host for that port  If no packets are emitted after a certain amount of time, allow open registration once more  “It’s amazing what you can do once security is not an issue.”
TCP Splicing  NAT Deadlock Resolution  “Is it possible to establish a TCP connection between two hosts, both behind NATs?”  Answer: Yes…but it ain’t pretty.  Convince each firewall that the other accepted the connection  Layers will need to be played against eachother to prevent certain otherwise desirable messaging behaviors from going too far
An Analogy  Bill Gates ‘n Larry Ellison  Why? They can call anyone they want – their secretaries won’t stop ‘em.  None of us can call them – their secretaries will stop us.  If Bill or Larry did call us, they’d actually be able to hear us reply.  Asymmetry is in the initiation
Setting Up  Alice and Bob both behind NATting firewalls  Firewalls authorize all outgoing sessions, block all incoming sessions  Block w/ state – no faking  Only accept fully validated responses to outgoing messages  Ports must match  SEQ#’s must match  Total outgoing trust, zero incoming trust
The Attempt  Alice tries to send a message to Bob  SYN hits Alice’s firewall, is given global IP + entry in state table “connection attempted”  SYN travels across Internet  SYN hits Bob’s firewall, RST|ACK sent  RST|ACK hits Alice’s firewall, entry in state table torn down, RST|ACK readdressed to Alice  Alice gets nowhere  Bob does the same thing
Analysis  Good  Entry in firewall state table, awaiting a reply  Bad  Negative reply, entry in state table destroyed  Can we get the former without the latter?
Doomed TTLs  Packet first hits local firewall, gets NAT entry, travels across Internet, hits remote firewall, gets shot down.  Good stuff closer to us, bad stuff farther away  TTL: Time To Live – SET TO ~4  Maximum number of hops packet is allowed to travel along the network before being dropped  Used by IP to prevent routing loops  Used by us to prevent state table from closing the hole  Alice SYNs w/ Doomed TTL  Bob SYNs w/ Doomed TTL  Both firewalls have a hole open for eachother
Packets, Ports, Problems  Three way handshake – SYN, SYN|ACK, ACK  Outgoing connections have SYNs and ACKs but no SYN|ACKs  Ports  Need to agree on which ports are linking up  Need to discover firewall multiplexing rules  Timing  Need to know when to attempt connection  Solution to all three: Handshake Only Connection Broker  Involved only in setting up connection
The Other Shoe Drops  Now you add a connection broker  HANDSHAKE ONLY.  Sends the SYN|ACK Host/Port/SEQ# combination “virtually added” to firewall packet acceptance rules  Larry Ellison: “Bill Gates is going to call here in the next two minutes, please put his call through.”  Need to generate packets, though
Local Port Strategies  Some firewalls do best effort to match  Some increment from a fixed counter  Some use random local ports  Entropy cannot be differentiated – rule from kleptography  As long as it’s translated back…  Need to discover what strategy is being used
Full Broker Discovery  Alice and Bob SYN Charlie 2x  Charlie NFO Alice and Bob  Alice and Bob SYN Charlie  Alice and Bob DoomSYN Bob and Alice  Alice and Bob SYN Charlie  Charlie SYN|ACK Alice and Bob  Throw details about port selection in IPID  Alice and Bob DoomACK Bob and Alice  Alice and Bob begin normal TCP session to eachother, as if the other acknowledged correctly
Much easier strategies  Source route through connection broker, drop the route once the connection goes live  UDP NAT2NAT  Works all over the place in games  UDP is symmetrical – just spew packets at eachother with opposite local port / source port, and eventually the state system will assume the other’s outgoing packet is a response to its own outgoing packet  You can run TCP over UDP  Far less fun though
TTL-Based Firewall Analysis  Emit a SYN with a low TTL  SYN spawns ICMP error, hits local firewall, which rewrites IP header and forwards to local host  Firewall doesn’t rewrite ICMP data  Original outgoing header  Can discover how firewall is munging our datastream
State of Disarray  State Management  State = Buffers  Buffers need to be searched  Buffers need to be allocated  Buffers need to be overflown  If your name is Gobbles  NAT normally needs to be stateful  A packet comes in, and given the Source IP, the Source Port, and the Destination Port, we check our tables to rewrite on the internal interface the Destination IP(not firewall) and maybe the destination port too  The MAC address is always rewritten, but with MAT we
Stateless NAT: Possible?  State is all about things we have to remember  Stateless scanning is about extracting what we need from what we get back  “Can we embed the NAT state in every outgoing IP packet such that every response received will contain the full NAT state”?  Answer: Yup. (Thanks, Spence.)  IP Timestamps Mode 3  IP Option against each host along the route. Up to four 4 byte IP addresses are specified, with space for up to four 4 byte timestamps to be added  If IP in the timestamp request matches IP of the router, the router replaces the timestamp with its own  If IP doesn’t match, pass along the timestamps of others
Abusing IP Timestamps  Insert timestamps from invalid IP’s containing not actual timestamps but NAT state  Encrypt NAT state so it may not be modified en route  Decrypt NAT state upon packet return  Problems  Need to insert IP options – may overflow packet, may need to fragment, etc.  IP options are sometimes blocked by firewalls  Damn source routers ;-)  Possibilities with TCP Timestamps too  Reply field contains 32 bits of user specified stamp
Tricking Firewalls/IDSs  Alice can forge a connection from an arbitrary IP by cooperating with Charlie  Alice looks like she’s connecting to Yahoo, but is informing Charlie of the specifics of the connection attempt  Charlie replies as if he was Yahoo, and begins a TCP stream of arbitrary data to Alice from “Yahoo”  Alice acknowledges all data to “Yahoo” with the doomed TTL – we continue low TTL count through the data stream  Really messy in terms of ICMP time exceeded messages, BUT logging systems might drop these messages
Interesting things are possible  All code to be released at http://www.doxpara.com

Empfohlen

Bh eu 05-kaminsky
Bh eu 05-kaminskyBh eu 05-kaminsky
Bh eu 05-kaminskyDan Kaminsky
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminskyDan Kaminsky
 
Black ops of tcp2005 japan
Black ops of tcp2005 japanBlack ops of tcp2005 japan
Black ops of tcp2005 japanDan Kaminsky
 
Interpolique
InterpoliqueInterpolique
InterpoliqueDan Kaminsky
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slidesDan Kaminsky
 
Bh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsBh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsDan Kaminsky
 
Campus networking
Campus networkingCampus networking
Campus networkingJisc
 
From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
 

Empfohlen

Bh eu 05-kaminsky
Bh eu 05-kaminskyBh eu 05-kaminsky
Bh eu 05-kaminskyDan Kaminsky
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminskyDan Kaminsky
 
Black ops of tcp2005 japan
Black ops of tcp2005 japanBlack ops of tcp2005 japan
Black ops of tcp2005 japanDan Kaminsky
 
Interpolique
InterpoliqueInterpolique
InterpoliqueDan Kaminsky
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slidesDan Kaminsky
 
Bh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsBh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsDan Kaminsky
 
Campus networking
Campus networkingCampus networking
Campus networkingJisc
 
From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
 
Tcp Anonymous Authenticated ID
Tcp Anonymous Authenticated IDTcp Anonymous Authenticated ID
Tcp Anonymous Authenticated IDJim MacLeod
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096APNIC
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomPriyanka Aash
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleHimani Singh
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptxOzkan E
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 
Ipo spaces calling document-v1
Ipo spaces calling document-v1Ipo spaces calling document-v1
Ipo spaces calling document-v1ManmeetShandilya2
 
Introduction P2p
Introduction P2pIntroduction P2p
Introduction P2pDavide Carboni
 
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...OpenDNS
 
Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networksguestf2e41
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer AttacksArun Modi
 
2017 JavaOne Deconstructing and Evolving REST Security
2017 JavaOne Deconstructing and Evolving REST Security2017 JavaOne Deconstructing and Evolving REST Security
2017 JavaOne Deconstructing and Evolving REST SecurityDavid Blevins
 
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, HelpshiftKafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, HelpshiftBhasker Kode
 
Access over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEAccess over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEamiable_indian
 
There and back again
There and back againThere and back again
There and back againJon Spriggs
 
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSRicardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSMichiel Cazemier
 
NAT Scneario
NAT ScnearioNAT Scneario
NAT ScnearioMansour Naslcheraghi
 
Real-time Online Multiplayer with Godot Engine
Real-time Online Multiplayer with Godot EngineReal-time Online Multiplayer with Godot Engine
Real-time Online Multiplayer with Godot EngineFabio Alessandrelli
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsSachidananda Sahu
 
Cryptolocker Webcast
Cryptolocker WebcastCryptolocker Webcast
Cryptolocker WebcastOpenDNS
 
Black opspki 2
Black opspki 2Black opspki 2
Black opspki 2Dan Kaminsky
 
A Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryA Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryDan Kaminsky
 

Weitere ähnliche Inhalte

Was ist angesagt?

Tcp Anonymous Authenticated ID
Tcp Anonymous Authenticated IDTcp Anonymous Authenticated ID
Tcp Anonymous Authenticated IDJim MacLeod
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096APNIC
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomPriyanka Aash
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleHimani Singh
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptxOzkan E
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 
Ipo spaces calling document-v1
Ipo spaces calling document-v1Ipo spaces calling document-v1
Ipo spaces calling document-v1ManmeetShandilya2
 
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...OpenDNS
 
Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networksguestf2e41
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer AttacksArun Modi
 
2017 JavaOne Deconstructing and Evolving REST Security
2017 JavaOne Deconstructing and Evolving REST Security2017 JavaOne Deconstructing and Evolving REST Security
2017 JavaOne Deconstructing and Evolving REST SecurityDavid Blevins
 
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, HelpshiftKafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, HelpshiftBhasker Kode
 
Access over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEAccess over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEamiable_indian
 
There and back again
There and back againThere and back again
There and back againJon Spriggs
 
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSRicardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSMichiel Cazemier
 
Real-time Online Multiplayer with Godot Engine
Real-time Online Multiplayer with Godot EngineReal-time Online Multiplayer with Godot Engine
Real-time Online Multiplayer with Godot EngineFabio Alessandrelli
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsSachidananda Sahu
 
Cryptolocker Webcast
Cryptolocker WebcastCryptolocker Webcast
Cryptolocker WebcastOpenDNS
 

Was ist angesagt? (20)

Tcp Anonymous Authenticated ID
Tcp Anonymous Authenticated IDTcp Anonymous Authenticated ID
Tcp Anonymous Authenticated ID
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-room
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptx
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
 
Ipo spaces calling document-v1
Ipo spaces calling document-v1Ipo spaces calling document-v1
Ipo spaces calling document-v1
 
Introduction P2p
Introduction P2pIntroduction P2p
Introduction P2p
 
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
 
Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networks
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer Attacks
 
2017 JavaOne Deconstructing and Evolving REST Security
2017 JavaOne Deconstructing and Evolving REST Security2017 JavaOne Deconstructing and Evolving REST Security
2017 JavaOne Deconstructing and Evolving REST Security
 
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, HelpshiftKafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
Kafka & Storm - FifthElephant 2015 by @bhaskerkode, Helpshift
 
Access over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEAccess over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoE
 
There and back again
There and back againThere and back again
There and back again
 
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSRicardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
 
NAT Scneario
NAT ScnearioNAT Scneario
NAT Scneario
 
Real-time Online Multiplayer with Godot Engine
Real-time Online Multiplayer with Godot EngineReal-time Online Multiplayer with Godot Engine
Real-time Online Multiplayer with Godot Engine
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance tools
 
Cryptolocker Webcast
Cryptolocker WebcastCryptolocker Webcast
Cryptolocker Webcast
 

Andere mochten auch

A Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryA Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryDan Kaminsky
 
Move Fast and Fix Things
Move Fast and Fix ThingsMove Fast and Fix Things
Move Fast and Fix ThingsDan Kaminsky
 
Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Dan Kaminsky
 
Some Thoughts On Bitcoin
Some Thoughts On BitcoinSome Thoughts On Bitcoin
Some Thoughts On BitcoinDan Kaminsky
 

Andere mochten auch (15)

Black opspki 2
Black opspki 2Black opspki 2
Black opspki 2
 
A Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryA Technical Dive into Defensive Trickery
A Technical Dive into Defensive Trickery
 
Move Fast and Fix Things
Move Fast and Fix ThingsMove Fast and Fix Things
Move Fast and Fix Things
 
Black ops 2012
Black ops 2012Black ops 2012
Black ops 2012
 
Chicken
ChickenChicken
Chicken
 
Dmk blackops2006
Dmk blackops2006Dmk blackops2006
Dmk blackops2006
 
Dmk bo2 k7_web
Dmk bo2 k7_webDmk bo2 k7_web
Dmk bo2 k7_web
 
Dmk neut toor
Dmk neut toorDmk neut toor
Dmk neut toor
 
Confidence web
Confidence webConfidence web
Confidence web
 
Dmk shmoo2007
Dmk shmoo2007Dmk shmoo2007
Dmk shmoo2007
 
Dmk bo2 k8_bh_fed
Dmk bo2 k8_bh_fedDmk bo2 k8_bh_fed
Dmk bo2 k8_bh_fed
 
Dmk bo2 k8
Dmk bo2 k8Dmk bo2 k8
Dmk bo2 k8
 
Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)
 
Advanced open ssh
Advanced open sshAdvanced open ssh
Advanced open ssh
 
Some Thoughts On Bitcoin
Some Thoughts On BitcoinSome Thoughts On Bitcoin
Some Thoughts On Bitcoin
 

Ähnlich wie Black Ops TCP/IP: Packet Misadventures and NATless NAT

Simplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 TeachersSimplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 Teacherswebhostingguy
 
Introduction to networking
Introduction to networkingIntroduction to networking
Introduction to networkingMohsen Sarakbi
 
Network Security - Layer 2
Network Security - Layer 2Network Security - Layer 2
Network Security - Layer 2samis
 
Physical And Data Link Layers
Physical And Data Link LayersPhysical And Data Link Layers
Physical And Data Link Layerstmavroidis
 
F06_Lecture7_etherne..
F06_Lecture7_etherne..F06_Lecture7_etherne..
F06_Lecture7_etherne..webhostingguy
 

Ähnlich wie Black Ops TCP/IP: Packet Misadventures and NATless NAT (20)

Simplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 TeachersSimplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 Teachers
 
Introduction to networking
Introduction to networkingIntroduction to networking
Introduction to networking
 
Mitm
MitmMitm
Mitm
 
lis508p02a-10.ppt
lis508p02a-10.pptlis508p02a-10.ppt
lis508p02a-10.ppt
 
I pv6 mechanism
I pv6 mechanismI pv6 mechanism
I pv6 mechanism
 
Internetworking
InternetworkingInternetworking
Internetworking
 
Tcpip
TcpipTcpip
Tcpip
 
TCP/IP For Engineers
TCP/IP For EngineersTCP/IP For Engineers
TCP/IP For Engineers
 
3.Network
3.Network3.Network
3.Network
 
Tcp
TcpTcp
Tcp
 
TCPIP
TCPIPTCPIP
TCPIP
 
Networking
NetworkingNetworking
Networking
 
PyNet
PyNetPyNet
PyNet
 
Mod9
Mod9Mod9
Mod9
 
class12_Networking2
class12_Networking2class12_Networking2
class12_Networking2
 
Network Security - Layer 2
Network Security - Layer 2Network Security - Layer 2
Network Security - Layer 2
 
Vlan
VlanVlan
Vlan
 
Physical And Data Link Layers
Physical And Data Link LayersPhysical And Data Link Layers
Physical And Data Link Layers
 
F06_Lecture7_etherne..
F06_Lecture7_etherne..F06_Lecture7_etherne..
F06_Lecture7_etherne..
 
TCP/IP 3RD SEM.2012 AUG.ASSIGNMENT
TCP/IP 3RD SEM.2012 AUG.ASSIGNMENTTCP/IP 3RD SEM.2012 AUG.ASSIGNMENT
TCP/IP 3RD SEM.2012 AUG.ASSIGNMENT
 

Mehr von Dan Kaminsky

Bugs Aren't Random
Bugs Aren't RandomBugs Aren't Random
Bugs Aren't RandomDan Kaminsky
 
Wo defensive trickery_13mar2017
Wo defensive trickery_13mar2017Wo defensive trickery_13mar2017
Wo defensive trickery_13mar2017Dan Kaminsky
 
I Want These * Bugs Off My * Internet
I Want These * Bugs Off My * InternetI Want These * Bugs Off My * Internet
I Want These * Bugs Off My * InternetDan Kaminsky
 
Chicken Chicken Chicken Chicken
Chicken Chicken Chicken ChickenChicken Chicken Chicken Chicken
Chicken Chicken Chicken ChickenDan Kaminsky
 
Black Ops of TCP/IP 2011 (Black Hat USA 2011)
Black Ops of TCP/IP 2011 (Black Hat USA 2011)Black Ops of TCP/IP 2011 (Black Hat USA 2011)
Black Ops of TCP/IP 2011 (Black Hat USA 2011)Dan Kaminsky
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingDan Kaminsky
 
Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Dan Kaminsky
 
Dmk sb2010 web_defense
Dmk sb2010 web_defenseDmk sb2010 web_defense
Dmk sb2010 web_defenseDan Kaminsky
 

Mehr von Dan Kaminsky (14)

Bugs Aren't Random
Bugs Aren't RandomBugs Aren't Random
Bugs Aren't Random
 
Wo defensive trickery_13mar2017
Wo defensive trickery_13mar2017Wo defensive trickery_13mar2017
Wo defensive trickery_13mar2017
 
I Want These * Bugs Off My * Internet
I Want These * Bugs Off My * InternetI Want These * Bugs Off My * Internet
I Want These * Bugs Off My * Internet
 
Chicken Chicken Chicken Chicken
Chicken Chicken Chicken ChickenChicken Chicken Chicken Chicken
Chicken Chicken Chicken Chicken
 
Black Ops of TCP/IP 2011 (Black Hat USA 2011)
Black Ops of TCP/IP 2011 (Black Hat USA 2011)Black Ops of TCP/IP 2011 (Black Hat USA 2011)
Black Ops of TCP/IP 2011 (Black Hat USA 2011)
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
 
Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)
 
Interpolique
InterpoliqueInterpolique
Interpolique
 
Dmk sb2010 web_defense
Dmk sb2010 web_defenseDmk sb2010 web_defense
Dmk sb2010 web_defense
 
Bh eu 05-kaminsky
Bh eu 05-kaminskyBh eu 05-kaminsky
Bh eu 05-kaminsky
 
Dmk audioviz
Dmk audiovizDmk audioviz
Dmk audioviz
 
Bo2004
Bo2004Bo2004
Bo2004
 
Gwc3
Gwc3Gwc3
Gwc3
 
Dmk bo2 k8_ccc
Dmk bo2 k8_cccDmk bo2 k8_ccc
Dmk bo2 k8_ccc
 

Kürzlich hochgeladen

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 

Kürzlich hochgeladen (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

Black Ops TCP/IP: Packet Misadventures and NATless NAT

  • 1. BLACK OPS OF TCP/IPSpliced NAT2NAT And Other Packet-Level Misadventures Dan Kaminsky, CISSP DoxPara Research www.doxpara.com
  • 2. Where I’m Coming From…  Black Hat / DefCon 0x7D1  Impossible Tunnels through Improbable Networks with OpenSSH  Getting Out: ProxyCommands for Non-TCP comm layers  HTTP, SOCKS, UDP, Packet Radio*, AIM/Yahoo*  Coming In: Active Connection Brokering for NAT2NAT  One host exports SSHD to broker  Other host imports access from broker  Passing Through: Dynamic Forwarding for Psuedo-VPN Work  Web Browsing, Dialpad(Split-H323), etc.
  • 3. Interesting Problems  Instant Portscan  “Is it possible to discover instantaneously what network services have been made available, even on massive networks?”  Guerrila Multicast  “Is it possible to send a single packet to multiple recipients, using today’s multicast-free Internet?”  “NATless NAT”  “Is it possible to share a globally addressable IP address without translating private IP ranges a la NAT?”  Is it possible to allow incoming connections to an IP multiplexed in this manner?  NAT Deadlock Resolution  “Is it possible to establish a TCP connection between two hosts, both behind NATs?”
  • 4. On Possibility  Restraint Free Engineering  “Abandon All Practicality, Ye Who Enter Here”  “It’s amazing what you can do once security is no longer a concern.”  You’ve got what you’ve got. Make interesting things happen.  It might end up practical.  It might end up secure.  Right now, it’s impossible. Fix that first.  Maybe.
  • 5. On Packet Structure  Packets are “strangely ordered”  Where it’s ending up next, where it came from recently, how it’s hopping from one place to the next, how it’s hopping to its final destination, checksum, where the packet came from originally, where it’s going to end up, what app it came from, what app it’s going to, checksum, god knows what, ANOTHER checksum  Why not sort everything; put all the “came from” and “going to’s” Why so much redundancy? Isn’t it inefficient?  WHO CARES?
  • 6. Layers: Not What, But Who  One medium, many messages  Listeners reconstruct meanings relevant to themselves, ignore the rest  Managed (ir)responsibility  Fields are out of order, occasionally because they’re addressed to different entities  Name and address repeated inside a business letter and on the envelope  Messages at one layer can modulate messages received at another  Insufficient postage will prevent a correctly addressed letter from getting sent  Incorrect internal address has unknown effects
  • 7. Error Recovery Per Layer  Layer 2 (Point to Point)  Errors are quickly recoverable, but error generation can occur at same layer as layer control  Data is destroyed and recreated each frame  Corporate Fertilizer  Layer 3 (Router to Router)  Many more sources of personally irrelevant error  Highest Traffic Link  Data is modulated – minimum change possible  Layer 4 (End to End)  Lowest traffic, highest personal relevance  Errors here actually matter
  • 8.  This slide intentionally left blank
  • 9. TCP Connection Traits: Flags  Connection Request (Alice -> Bob)  SYN: I want to talk to you  Connection Response (Bob -> Alice)  SYN|ACK: OK, lets talk.  RST|ACK: I ain’t listening  Connection Initiation (Alice -> Bob)  ACK: OK, beginning conversation.
  • 10. TCP (and UDP) Connection Traits: Ports  Local Port: What application requested the connection. Usually a random number, 0-65535.  0 is a valid port  Remote Port: What application accepted the connection. Usually a “known number”  80 for HTTP  143 for IMAP  443 for HTTP/SSL  IP handles who we’re talking to; Ports handle what we want from them
  • 11. TCP Connection Traits: Sequences  Sequence Numbers  32 bit number, randomly generated, must be reflected by the opposite party in a TCP handshake  After initial reflection, used to relay information about successful packet acquisition
  • 12. Connection Summary  Flag determines phase  Asymmetric  Port determines process  Sequence “secures session”  Prevents trivial spoofing attacks  Also used to manage connection speed, identify which bytes are being acknowledged
  • 13. Stateless Pulse Scanning  Instant Portscan  “Is it possible to discover instantaneously what network services have been made available, even on massive networks?”  Answer: Yes, practically, even securely  Separate scanner and listener processes  Sending  Directly send n SYN packets  Same local port  SYN cookies  Receiving  Kernel filter packets arriving to local port  Record connection phase: Port up(SYN|ACK) or host up, port down(RST|ACK)
  • 14. Issue: Spoofed Responses  Easy to spoof hosts being up if the scanner isn’t tracking who (or how it scanned)  Solution: Invert SYN Cookies!
  • 15. SYN Cookies  Developed in ’96, when SYN floods became common  ACK reflects ACK# of SYN|ACK(incremented by one)  Encrypts connection state into the SYN|ACK’s ACK#  Therefore, you can use legitimate remote hosts – instead of kernel memory – to store handshake state  Ahhh…but SYN|ACK also reflects SEQ# of SYN in its ACK#…  Instead of tracking SYN|ACK reflections in the ACK, track SYN reflections in the SYN|ACK
  • 16. Implementation: Scanrand 1.0  Element of: Paketto Keiretsu  384 lines of libnet and libpcap, w/ trivial MD4 include  No state stored  Scans at ~11-20mbit  Possibly even portable  100% complete, release imminent
  • 17.
  • 18. Observed Results  Since no state is maintained within the scanner, we can send SYNs at wire speed  Implementation can get faster  Found ~8300 web servers on a corporation’s Class B  Time spent: ~4 Seconds  Collisions  Initial SYNs might collide, but SYN|ACKs resend  SYN|ACKs are given RSTs by present kernels automatically  The SYNs were generated in userspace – the kernel has no idea the connection request was
  • 19. Implications  Userspace manipulation of packets can lead to less overhead  Kernels are optimized to talk to other hosts, not simply to scan them  Packet content can be overloaded  A random field can always be replaced with encrypted data (and vice versa)  This is the heart of kleptography  Elegant solutions sometimes can be reapplied elsewhere  SYN(really SYN|ACK) cookies made SYN reception more efficient  Inverse SYN cookies make SYN transmission
  • 20. Layer Redundancy  L2: Broadcast MAC Address  FF:FF:FF:FF:FF:FF  Absolute  L3: Broadcast IP Address  Last IP of Subnet  Relative  Sending to it is known as a Directed Broadcast  Often blocked, if it can be detected  Detection can be…suppressed.
  • 21. Broadcast GHosts  Guerrila Multicast  “Is it possible to send a single packet to multiple recipients, using today’s multicast-free Internet?”  Answer: Yes, barely.  Link a unicast IP to a broadcast MAC address; all responses to that IP will be broadcast throughout a subnet  No individual client need duplicate the datastream – the switch will issue copies of the data to all downstream hosts
  • 22. IP Incorporated  DHCP for an IP  May or may not use broadcast MAC in DHCP request – just trying to validate that nobody else is using the IP  Answer ARP requests for that IP with Broadcast MAC (or Multicast MAC)  At L2, w/o IGMP Snooping working, Multicast = Broadcast  Issue L4 requests against a remote host, unicasted via layer 3, with responses broadcasted locally at layer 2  Elegance has left the building
  • 23. Firewall Issues  NAT  100% NAT penetration, as long as the implementation doesn’t refuse to NAT for a broadcast MAC  PIX, which accepts…Multicast MACs!  Multicast through NAT!  UDP  Remote side can send data forever – as long as it keeps packets coming in before the UDP state expires, no further data is required from behind the wall
  • 24. TCP w/ Guerrila Multicast  Without any listeners, stream dies  With one listener, stream can operate normally  With many listeners, only one should participate in acknowledging the stream  If that one dies, another should take its place  Solution: Random delays  On reception of a packet to be acknowledged, queue a response within the next 50-1500ms  Broadcast response  If another host broadcasted a response before you had the chance to, unschedule your response
  • 25. Recontextualizing L2/L3  One IP, normally linked to one host, can be transformed at L2 into all hosts at a given subnet  This transformation is undetectable outside the subnet  Other Uses  “All hosts” could also include “Many hosts” using L2 Multicast packets  Do we have another other situation where one IP “stands in” for many hosts?
  • 26. NAT: Splitting IPs For Fun and Profit  NAT multiplexes several hosts into one IP address by splitting on local port  Already munging IP, might as well munge ports too  Some implementations make best efforts to match local port inside the network w/ local port outside  Birthday Paradox: Collision chance = 1 / sqrt(range_of_local_ports) = 1/256  If we can always match IP and Port, then we can always maintain end-to-end correctness  Only have a problem 1/256 connections to the same host  Alternate strategies exist – munge the SEQ#(problems w/ Window overlap), MTU decrement, TIMESTAMPS
  • 27. MAC Address Translation  “NATless NAT”  “Is it possible to share a globally addressable IP address without translating private IP ranges a la NAT?”  Is it possible to allow incoming connections to an IP multiplexed in this manner?  Answer: Yes. Oh yes.  NAT: L4->L3  ARP: L3->L2  MAT: L4->(L3,L2)  Multiplex with L2/L3 instead of just L3  Make ARP Table dynamic, based on each individual L4 connection  Maintains L3 end-to-end integrity
  • 28. Implementation: AllNewt 1.0  “All New Translation Engine”  Another part of Paketto Keiretsu  Translates arbitrary local IP addresses into globally routable IP addresses  Instead of just storing IP_SRC, stores IP_SRC, ETHER_DHOST, and ETHER_SHOST  If IP_SRC == External IP, packets will retain end- to-end integrity  If IP_SRC == RFC1918 IP, packets will be NATted normally  If IP_SRC == Yahoo/Microsoft/Whatever, packets will be NATted a little less normally  Multiple hosts can share the same IP address, if
  • 29. Pizza Protocol A La Mode  “Anyone order a pizza?”  Stateless approach: Ask everybody, drop RST|ACK, forward everything else.  Just broadcast to the IP  Actually works behind NATs, but you need to catalog all the local IPs  Drop all RSTs, pass all streams/ACKs  Breaks down when two people are listening on the same port  Can split port range(1022, 2022, 3022, etc. all being different instances of 22/ssh)  Apply host-level heuristics – priority for incoming selection based on outgoing sessions
  • 30. Incoming State  Stateful Approach (“you ordered the last one”)  Ask everyone, but remember who’s hosting  Send to the first host that replies  Increment the timer every time a packet is emitted from the serving host for that port  If no packets are emitted after a certain amount of time, allow open registration once more  “It’s amazing what you can do once security is not an issue.”
  • 31. TCP Splicing  NAT Deadlock Resolution  “Is it possible to establish a TCP connection between two hosts, both behind NATs?”  Answer: Yes…but it ain’t pretty.  Convince each firewall that the other accepted the connection  Layers will need to be played against eachother to prevent certain otherwise desirable messaging behaviors from going too far
  • 32. An Analogy  Bill Gates ‘n Larry Ellison  Why? They can call anyone they want – their secretaries won’t stop ‘em.  None of us can call them – their secretaries will stop us.  If Bill or Larry did call us, they’d actually be able to hear us reply.  Asymmetry is in the initiation
  • 33. Setting Up  Alice and Bob both behind NATting firewalls  Firewalls authorize all outgoing sessions, block all incoming sessions  Block w/ state – no faking  Only accept fully validated responses to outgoing messages  Ports must match  SEQ#’s must match  Total outgoing trust, zero incoming trust
  • 34. The Attempt  Alice tries to send a message to Bob  SYN hits Alice’s firewall, is given global IP + entry in state table “connection attempted”  SYN travels across Internet  SYN hits Bob’s firewall, RST|ACK sent  RST|ACK hits Alice’s firewall, entry in state table torn down, RST|ACK readdressed to Alice  Alice gets nowhere  Bob does the same thing
  • 35. Analysis  Good  Entry in firewall state table, awaiting a reply  Bad  Negative reply, entry in state table destroyed  Can we get the former without the latter?
  • 36. Doomed TTLs  Packet first hits local firewall, gets NAT entry, travels across Internet, hits remote firewall, gets shot down.  Good stuff closer to us, bad stuff farther away  TTL: Time To Live – SET TO ~4  Maximum number of hops packet is allowed to travel along the network before being dropped  Used by IP to prevent routing loops  Used by us to prevent state table from closing the hole  Alice SYNs w/ Doomed TTL  Bob SYNs w/ Doomed TTL  Both firewalls have a hole open for eachother
  • 37. Packets, Ports, Problems  Three way handshake – SYN, SYN|ACK, ACK  Outgoing connections have SYNs and ACKs but no SYN|ACKs  Ports  Need to agree on which ports are linking up  Need to discover firewall multiplexing rules  Timing  Need to know when to attempt connection  Solution to all three: Handshake Only Connection Broker  Involved only in setting up connection
  • 38. The Other Shoe Drops  Now you add a connection broker  HANDSHAKE ONLY.  Sends the SYN|ACK Host/Port/SEQ# combination “virtually added” to firewall packet acceptance rules  Larry Ellison: “Bill Gates is going to call here in the next two minutes, please put his call through.”  Need to generate packets, though
  • 39. Local Port Strategies  Some firewalls do best effort to match  Some increment from a fixed counter  Some use random local ports  Entropy cannot be differentiated – rule from kleptography  As long as it’s translated back…  Need to discover what strategy is being used
  • 40. Full Broker Discovery  Alice and Bob SYN Charlie 2x  Charlie NFO Alice and Bob  Alice and Bob SYN Charlie  Alice and Bob DoomSYN Bob and Alice  Alice and Bob SYN Charlie  Charlie SYN|ACK Alice and Bob  Throw details about port selection in IPID  Alice and Bob DoomACK Bob and Alice  Alice and Bob begin normal TCP session to eachother, as if the other acknowledged correctly
  • 41. Much easier strategies  Source route through connection broker, drop the route once the connection goes live  UDP NAT2NAT  Works all over the place in games  UDP is symmetrical – just spew packets at eachother with opposite local port / source port, and eventually the state system will assume the other’s outgoing packet is a response to its own outgoing packet  You can run TCP over UDP  Far less fun though
  • 42. TTL-Based Firewall Analysis  Emit a SYN with a low TTL  SYN spawns ICMP error, hits local firewall, which rewrites IP header and forwards to local host  Firewall doesn’t rewrite ICMP data  Original outgoing header  Can discover how firewall is munging our datastream
  • 43. State of Disarray  State Management  State = Buffers  Buffers need to be searched  Buffers need to be allocated  Buffers need to be overflown  If your name is Gobbles  NAT normally needs to be stateful  A packet comes in, and given the Source IP, the Source Port, and the Destination Port, we check our tables to rewrite on the internal interface the Destination IP(not firewall) and maybe the destination port too  The MAC address is always rewritten, but with MAT we
  • 44. Stateless NAT: Possible?  State is all about things we have to remember  Stateless scanning is about extracting what we need from what we get back  “Can we embed the NAT state in every outgoing IP packet such that every response received will contain the full NAT state”?  Answer: Yup. (Thanks, Spence.)  IP Timestamps Mode 3  IP Option against each host along the route. Up to four 4 byte IP addresses are specified, with space for up to four 4 byte timestamps to be added  If IP in the timestamp request matches IP of the router, the router replaces the timestamp with its own  If IP doesn’t match, pass along the timestamps of others
  • 45. Abusing IP Timestamps  Insert timestamps from invalid IP’s containing not actual timestamps but NAT state  Encrypt NAT state so it may not be modified en route  Decrypt NAT state upon packet return  Problems  Need to insert IP options – may overflow packet, may need to fragment, etc.  IP options are sometimes blocked by firewalls  Damn source routers ;-)  Possibilities with TCP Timestamps too  Reply field contains 32 bits of user specified stamp
  • 46. Tricking Firewalls/IDSs  Alice can forge a connection from an arbitrary IP by cooperating with Charlie  Alice looks like she’s connecting to Yahoo, but is informing Charlie of the specifics of the connection attempt  Charlie replies as if he was Yahoo, and begins a TCP stream of arbitrary data to Alice from “Yahoo”  Alice acknowledges all data to “Yahoo” with the doomed TTL – we continue low TTL count through the data stream  Really messy in terms of ICMP time exceeded messages, BUT logging systems might drop these messages
  • 47. Interesting things are possible  All code to be released at http://www.doxpara.com