Computer Security Management
(ISYS20261)
Lecture 7 - Network-based Attacks (2)




 Module Leader: Dr Xiaoqi Ma
 School of Science and Technology
Last week …

• Network-based attacks
• Primary aims:
  – forge or steal data
  – gain unauthorised access to a system
  – force system downtime

• Means
  – Sniffing data
  – Redirecting data

• Preparatory activities
  – Reconnaissance
  – scanning

• Packet sniffing

Computer Security Management
Page 2
Today ...

• IP address spoofing
• Man-in-the-middle attack
• Denial-of-service attack (DoS)
  – SYN flooding
  – Smurf attack
  – Distributed Denial of Service attack (DDoS)




IP address spoofing (1)

• Used to hide the identity of an attacker and to gain access by
  exploiting existing trust between host systems
• Takes advantage of a security weakness in the TCP/IP protocol suite:
  – Attacker forges the source IP address in every IP packet, replacing it with a
    different address
  – It appears that the packet was sent by a different computer

• Can be used for
  – Denial-of-Service attacks
  – Session hijacking
  – Man-in-the-Middle attacks




IP address spoofing (2)

• TCP/IP protocol stack (figure: the same encapsulation is shown for the sending host on the left and the receiving host on the right):
  – Application Layer: Data
  – Transport Layer: TCP | 1, TCP | 2 (the data is split into TCP segments, each with a TCP header)
  – Network Layer: IP | TCP | 1, IP | TCP | 2 (an IP header, including the source address, is added to each segment)
  – Data Link Layer: Ethernet | IP | TCP | 1, Ethernet | IP | TCP | 2
  – Physical Layer




IP address spoofing (3)

• IP address spoofing is mainly used to defeat network security
  – firewall rules that rely on IP address-based authentication
  – IP address-based (trust based) access control
  – Etc.

• Attacker needs to know about the established trust between
  systems (see reconnaissance and scanning phase!)
• Difficulties with IP address spoofing:
  – any reply is sent to the forged IP address, not to the attacker!
  – Difficult to guess the sequence number
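
A defender's counterpart to slides 4 and 6, added here as an example (it is not from the lecture): a minimal source-address validation check in the style of ingress filtering (BCP 38). The interface names, address prefixes and sample packets are constructed for the example. The rule is simple: a packet whose source address does not belong to the prefixes assigned to the interface it arrived on is dropped, because nothing in the IP header itself authenticates the source field.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: which source prefixes an edge router legitimately
# expects on each of its inside interfaces (hypothetical names and ranges).
INTERFACE_PREFIXES = {
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],      # user workstations
    "dmz0": [ipaddress.ip_network("198.51.100.0/24")],   # servers
}


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str       # source address as written in the IP header (unauthenticated)
    dst: str


def is_spoofed(pkt: Packet) -> bool:
    """True when the claimed source cannot legitimately arrive on this interface.

    The IP header carries no proof of origin, so the only check available to a
    router is topological: does this source belong behind this interface?
    """
    allowed = INTERFACE_PREFIXES.get(pkt.ingress)
    if allowed is None:
        return True   # no policy for this interface: fail closed
    src = ipaddress.ip_address(pkt.src)
    return not any(src in net for net in allowed)


def filter_packets(packets):
    """Split a batch into forwarded packets and (packet, reason) drops."""
    forwarded, dropped = [], []
    for pkt in packets:
        if is_spoofed(pkt):
            dropped.append((pkt, f"source {pkt.src} is not valid on {pkt.ingress}"))
        else:
            forwarded.append(pkt)
    return forwarded, dropped


# Constructed sample traffic.
SAMPLE = [
    Packet("lan0", "192.0.2.10", "203.0.113.5"),      # genuine workstation
    Packet("lan0", "198.51.100.7", "203.0.113.5"),    # LAN host claiming a DMZ server address
    Packet("lan0", "203.0.113.9", "198.51.100.7"),    # LAN host claiming an outside address
    Packet("dmz0", "198.51.100.7", "192.0.2.10"),     # genuine server
    Packet("wan0", "192.0.2.10", "198.51.100.7"),     # inside address arriving on an unlisted interface
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE)
    for pkt in fwd:
        print("forward", pkt)
    for pkt, why in drop:
        print("drop   ", pkt, "->", why)
```

The check only works at the edge where the spoofed packet originates, which is why it matters that every access network applies it (on real routers this is usually done with unicast reverse-path forwarding or an access list); it does nothing against spoofed packets that entered the Internet elsewhere, and it never tells you who the real sender was.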




IP address spoofing (4)

• TCP uses sequence numbers negotiated with the remote machine to
  ensure that arriving packets are part of an established connection
• attacker normally can't see any reply packets, hence they have to
  guess the sequence number in order to hijack a connection
• poor implementation in many older operating systems means that
  TCP sequence numbers can be predicted
• if sequence numbers are compromised, data could be sent to the
  target blindly, e.g. creating a new user account using host-based
  authentication services
• Two different types of IP address spoofing
  – Non-blind
  – blind


Non-Blind Spoofing

• attacker is on the same subnet as the victim
• sequence and acknowledgement numbers can be observed (sniffed),
  no need for calculating them accurately
• Biggest threat of Non-blind spoofing: session hijacking
  – corrupting the data stream of an established connection
  – re-establishing it based on correct sequence and acknowledgement numbers
    with the attack machine

• Using this technique, an attacker can effectively bypass any
  authentication measures that were applied when the connection was established




Blind Spoofing

• sequence and acknowledgement numbers cannot be observed by the attacker
• To work around this, several packets are sent to the target machine
  in order to sample its sequence numbers
• In the past: machines used basic techniques for generating
  sequence numbers
• It was relatively easy to discover the exact formula by studying
  packets and TCP sessions (sequence guessing)
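
Slides 7 and 9 say that older stacks generated sequence numbers with simple formulas that could be recovered by sampling. The following added example (mine, not the lecture's) models that audit from the defender's side: it samples initial sequence numbers (ISNs) from a constructed "legacy" generator, assumed here to advance by a fixed step per connection, and from a randomised one, and scores how regular the consecutive differences are. A score near 1.0 means the next ISN is a function of the last one, which is exactly the property blind spoofing depends on.

```python
import random
from collections import Counter

MOD = 2 ** 32


class LegacyISN:
    """Constructed model of an old generator: the counter advances by a fixed
    step for every new connection. (Assumption for this example; the slides
    say only that older systems used 'basic techniques'.)"""

    def __init__(self, start=12345, step=64000):
        self.value, self.step = start, step

    def next(self):
        self.value = (self.value + self.step) % MOD
        return self.value


class RandomISN:
    """Model of a modern generator: an unpredictable 32-bit value per
    connection. A real stack would use a cryptographic source, not
    random.Random; the seed here only makes the demo reproducible."""

    def __init__(self, seed=None):
        self.rng = random.Random(seed)

    def next(self):
        return self.rng.getrandbits(32)


def sample_isns(generator, n):
    """Open n connections and record the ISN offered for each."""
    return [generator.next() for _ in range(n)]


def step_regularity(isns):
    """Fraction of consecutive differences (mod 2^32) equal to the most
    common difference. 1.0 means every ISN is the previous one plus a constant."""
    diffs = [(b - a) % MOD for a, b in zip(isns, isns[1:])]
    if not diffs:
        return 0.0
    (_, count), = Counter(diffs).most_common(1)
    return count / len(diffs)


def is_predictable(isns, threshold=0.9):
    """Audit verdict: treat a highly regular sequence as predictable."""
    return step_regularity(isns) >= threshold


if __name__ == "__main__":
    for name, gen in (("legacy", LegacyISN()), ("random", RandomISN(seed=1))):
        s = sample_isns(gen, 20)
        print(f"{name}: regularity={step_regularity(s):.2f} predictable={is_predictable(s)}")
```

This is the same assessment that OS fingerprinting tools summarise as sequence-prediction difficulty. Modern stacks follow RFC 6528 and derive the ISN from a keyed hash of the connection's addresses and ports plus a clock, so a sample taken from them looks like the random case above and tells a blind attacker nothing about the next connection.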




Man-in-the-middle attack (1)

• A malicious party intercepts a legitimate communication between
  two friendly parties
• The malicious host then controls the flow of communication and can
  eliminate or alter the information sent by one of the original
  participants without the knowledge of either the original sender or
  the recipient
• In this way, an attacker can fool a victim into disclosing confidential
  information by “spoofing” the identity of the original sender, who is
  presumably trusted by the recipient




Man-in-the-middle attack (2)

• Example:
  (figure: message sequence between Alice, Ivan and Bob)
  – Alice sends Message1() intended for Bob; Ivan intercepts it, acting as "Bob" towards Alice
  – Ivan forwards the altered Message1'() to Bob, acting as "Alice"
  – Bob answers with Message2() intended for Alice; Ivan intercepts it, acting as "Alice" towards Bob
  – Ivan forwards the altered Message2'() to Alice, acting as "Bob"




Man-in-the-middle attack (3)

• The most common implementation:
  – attacker bypasses online banking security by receiving login and transaction
    information
  – attacker passes it on to the banking site with any required alterations
  – attacker receives data from the banking site
  – sends the banking site's details back to the victim, again with minor alterations
    so the victim is unaware of the attack

• Man-in-the-middle techniques are particularly difficult to detect and
  protect against, as they usually take place on a different system
  from the victim and their bank
• It is also possible to bypass strong security measures such as
  two-factor authentication and one-time passwords using such techniques
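
The Alice/Ivan/Bob exchange of slide 11 and the banking scenario of slide 12, as an added simulation (not the lecture's code): Ivan sits between the two parties, alters each message and forwards it under the original sender's name, so neither side notices. A second run adds a message authentication code over (sender, content) using a key shared by Alice and Bob; Ivan can still relay, but any alteration fails verification at the receiver. The message texts, account labels and the key are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    claimed_sender: str            # what the receiver is told; not proof of anything
    body: str
    tag: Optional[bytes] = None    # MAC over (sender, body); absent on the plain channel


def make_tag(key: bytes, sender: str, body: str) -> bytes:
    return hmac.new(key, f"{sender}|{body}".encode(), hashlib.sha256).digest()


def verify(key: bytes, msg: Message) -> bool:
    """Accept only if the tag matches the claimed sender and the body as received."""
    if msg.tag is None:
        return False
    return hmac.compare_digest(msg.tag, make_tag(key, msg.claimed_sender, msg.body))


def ivan_relay(msg: Message, alteration) -> Message:
    """Ivan intercepts, rewrites the body (Message1 -> Message1') and forwards it
    still labelled with the original sender. Without the key he cannot compute
    a tag for the new body, so the old tag (if any) is passed on unchanged."""
    return Message(claimed_sender=msg.claimed_sender, body=alteration(msg.body), tag=msg.tag)


def run_exchange(shared_key: Optional[bytes]):
    """Alice -> Ivan -> Bob, then Bob -> Ivan -> Alice.
    Returns (bob_accepts, alice_accepts, what_bob_read, what_alice_read)."""

    def send(sender, body):
        tag = make_tag(shared_key, sender, body) if shared_key else None
        return Message(sender, body, tag)

    def accept(msg):
        # On the plain channel the receiver has nothing but the label to trust.
        return verify(shared_key, msg) if shared_key else True

    # Message1: Alice's instruction, altered by Ivan on the way to Bob (constructed text).
    m1 = send("Alice", "transfer 100 to account BOB-01")
    m1_prime = ivan_relay(m1, lambda b: b.replace("BOB-01", "IVAN-99"))
    bob_accepts = accept(m1_prime)

    # Message2: Bob's confirmation, altered back so Alice sees what she expects.
    m2 = send("Bob", "done: 100 to IVAN-99")
    m2_prime = ivan_relay(m2, lambda b: b.replace("IVAN-99", "BOB-01"))
    alice_accepts = accept(m2_prime)

    return bob_accepts, alice_accepts, m1_prime.body, m2_prime.body


if __name__ == "__main__":
    print("no integrity protection:", run_exchange(None)[:2])
    print("shared-key MAC:         ", run_exchange(b"constructed-shared-key")[:2])
```

The key has to reach Alice and Bob over a channel Ivan does not control, which in practice is the job of certificates and TLS. The example also shows why slide 12's point about one-time passwords holds: an OTP authenticates the session, so a relaying Ivan simply passes it on untouched, whereas a tag bound to the transaction contents (the principle behind transaction signing) is what makes his alteration detectable.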



Denial-of-Service (DoS) attack

• Attempts to prevent a piece of software, system, web server or
  website from functioning
• Tries to overload the system by exhausting its resources, e.g.
  bandwidth, memory, CPU time, etc.
• Denial-of-service attacks
  – SYN flooding
  – Smurf attack
  – Distributed Denial of Service attack (DDoS)




SYN flooding (1)

• TCP connection set-up: three way handshake
  – The active open is performed by the client sending a SYN to the server
  – In response, the server replies with a SYN-ACK
  – Finally the client sends an ACK back to the server


  Client -> Server: SYN()
  Server -> Client: SYN+ACK()
  Client -> Server: ACK()




SYN flooding (2)

• If the client never sends the final ACK, the connection stays half-open and
  the server holds its state for a predefined period of time
• If the server is flooded with SYN requests that are never acknowledged, its
  capacity for pending connections is exhausted and it will deny connection
  requests from legitimate users

  Client -> Server: SYN()
  Server -> Client: SYN+ACK()    (the ACK never arrives; the half-open connection is kept)
  Client -> Server: SYN()
  Server -> Client: SYN+ACK()    (repeated until the server can hold no more half-open connections)
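
Slides 14 and 15 in code, as an added simulation (not from the lecture): the server keeps a bounded table of half-open connections with a timeout; a flood of SYNs from spoofed sources that are never acknowledged fills it, and the next genuine client's SYN is dropped. With SYN cookies switched on, the server stores nothing per SYN and instead encodes the state in the sequence number it sends in SYN+ACK, checking it when the ACK arrives. Addresses, backlog size, timeout and the per-server secret are constructed; the cookie is a simplified keyed hash over source and time slot, not the exact bit layout real stacks use.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

MOD = 2 ** 32
SECRET = b"constructed-server-secret"   # per-server secret, assumed for this example


@dataclass
class Server:
    backlog: int = 8              # max half-open connections kept in memory
    syn_timeout: float = 30.0     # seconds a half-open entry is retained
    syn_cookies: bool = False
    half_open: dict = field(default_factory=dict)   # src -> (our seq, expiry time)
    established: set = field(default_factory=set)
    dropped_syns: int = 0
    _next_seq: int = 1000

    def _cookie(self, src, now):
        """Stateless SYN+ACK sequence number: keyed hash of source and time slot."""
        slot = int(now // 64)     # a cookie stays valid for roughly a minute
        mac = hmac.new(SECRET, f"{src}|{slot}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def _expire(self, now):
        self.half_open = {s: v for s, v in self.half_open.items() if v[1] > now}

    def on_syn(self, src, now):
        """Return the sequence number sent in SYN+ACK, or None if the SYN is dropped."""
        self._expire(now)
        if self.syn_cookies:
            return self._cookie(src, now)          # nothing stored per SYN
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                 # table full: genuine clients suffer too
            return None
        seq = self._next_seq
        self._next_seq = (self._next_seq + 64000) % MOD
        self.half_open[src] = (seq, now + self.syn_timeout)
        return seq

    def on_ack(self, src, ack, now):
        """Third handshake step; True if the connection becomes established."""
        self._expire(now)
        if self.syn_cookies:
            # Accept the current slot's cookie and the previous one (slot boundary).
            expected = {(self._cookie(src, now) + 1) % MOD,
                        (self._cookie(src, now - 64) + 1) % MOD}
            ok = ack in expected
        else:
            entry = self.half_open.get(src)
            ok = entry is not None and ack == (entry[0] + 1) % MOD
            if ok:
                del self.half_open[src]
        if ok:
            self.established.add(src)
        return ok


def simulate(syn_cookies, flood_size=100):
    """Flood with spoofed SYNs that are never acknowledged, then attempt one
    genuine handshake. Returns (legit_established, dropped_syns)."""
    srv = Server(syn_cookies=syn_cookies)
    for i in range(flood_size):
        srv.on_syn(f"198.51.100.{i % 250}", now=i * 0.001)   # constructed spoofed sources
    seq = srv.on_syn("192.0.2.10", now=1.0)                   # genuine client
    ok = seq is not None and srv.on_ack("192.0.2.10", (seq + 1) % MOD, now=1.05)
    return ok, srv.dropped_syns


if __name__ == "__main__":
    print("without SYN cookies:", simulate(False))
    print("with SYN cookies:   ", simulate(True))
```

Real stacks only switch to cookies once the backlog is full and lose some TCP options while in that mode, so the usual advice is to enable cookies as a safety net while also sizing the backlog and shortening the SYN-received timeout; the simulation shows the essential trade: keeping state per SYN is what the flood exhausts, and the cookie moves that state into the packet.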




Smurf attack (1)

• Uses spoofed ping messages to flood a target system
• Internet Control Message Protocol (ICMP) is one of the core
  protocols of the Internet Protocol Suite
• ICMP echo is used by TCP to determine
  – whether a host is reachable
  – the time it takes for the packet to get to and from the host




Smurf attack (2)

• Attacker sends a long stream of ping packets (ICMP echo requests) to
  all IP addresses within a network (the amplifier network) via a
  gateway/router that forwards them as a broadcast
• The ping packets carry the spoofed source IP address of the target system
• Each ICMP echo request message produces an echo reply message
• All hosts in the network therefore send their echo replies to the spoofed
  (target) IP address
• The sheer number of echo reply messages brings the target host down




Smurf attack (3)

• Amplification (figure: Attacker, Router with broadcast enabled, Amplifier Network of Host1 and Host2, and the target Server):
  – Attacker -> Router: ICMP echo() addressed to the amplifier network, source spoofed as Server
  – Router (broadcast enabled) -> Host1: ICMP echo()
  – Host1 -> Server: ICMP echo reply()
  – Router (broadcast enabled) -> Host2: ICMP echo()
  – Host2 -> Server: ICMP echo reply()
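
The amplification of slides 16 to 18 as an added simulation (mine, not the lecture's): a router either forwards packets addressed to the subnet broadcast address to every host (making the subnet an amplifier) or refuses to, and each host either answers echo requests that arrived by broadcast or ignores them. Counting the echo replies that arrive at the spoofed source gives the amplification factor and shows which of the two settings removes it. The network, host count and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Host:
    ip: str
    answer_broadcast_echo: bool = True   # legacy behaviour; modern stacks default to ignoring


@dataclass
class Router:
    network: str                         # amplifier network, e.g. "192.0.2.0/24"
    hosts: list
    directed_broadcast: bool = True      # forward packets sent to the subnet broadcast address?

    @property
    def broadcast(self) -> str:
        return str(ipaddress.ip_network(self.network).broadcast_address)


@dataclass
class EchoRequest:
    src: str   # in a smurf attack this is forged to the victim's address
    dst: str


def deliver(router: Router, pkt: EchoRequest):
    """Return the (replier, destination) pairs of the echo replies one request causes."""
    if pkt.dst == router.broadcast:
        if not router.directed_broadcast:
            return []                                # router refuses to turn one packet into N
        repliers = [h for h in router.hosts if h.answer_broadcast_echo]
    else:
        repliers = [h for h in router.hosts if h.ip == pkt.dst]
    return [(h.ip, pkt.src) for h in repliers]       # every reply goes to the claimed source


def smurf(router: Router, victim_ip: str, n_requests: int):
    """Send n spoofed requests to the broadcast address; report the replies that
    reach the victim and the amplification factor (replies per attacker packet)."""
    replies_at_victim = 0
    for _ in range(n_requests):
        pkt = EchoRequest(src=victim_ip, dst=router.broadcast)
        replies_at_victim += sum(1 for _, dst in deliver(router, pkt) if dst == victim_ip)
    factor = replies_at_victim / n_requests if n_requests else 0.0
    return replies_at_victim, factor


def make_amplifier(n_hosts, answer_broadcast_echo=True, directed_broadcast=True):
    """Constructed amplifier network 192.0.2.0/24 with n hosts (n <= 254)."""
    hosts = [Host(f"192.0.2.{i}", answer_broadcast_echo) for i in range(1, n_hosts + 1)]
    return Router("192.0.2.0/24", hosts, directed_broadcast)


if __name__ == "__main__":
    victim = "203.0.113.5"   # constructed target address
    print("open amplifier:         ", smurf(make_amplifier(50), victim, 10))
    print("no directed broadcast:  ", smurf(make_amplifier(50, directed_broadcast=False), victim, 10))
    print("hosts ignore bcast echo:", smurf(make_amplifier(50, answer_broadcast_echo=False), victim, 10))
```

Either switch alone is enough to stop a network from acting as an amplifier, and both correspond to real settings: on Cisco IOS `no ip directed-broadcast` (the default since IOS 12.0) and on Linux the sysctl `net.ipv4.icmp_echo_ignore_broadcasts = 1`. Neither protects the victim directly; they protect other people's networks from being used against it, which is why the fix had to be deployed everywhere.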




Distributed-Denial-of-Service Attacks (DDoS)

• Multiple compromised host systems (a botnet) send packets with spoofed
  source IP addresses to the same destination address, i.e. the target
• Malware can carry DDoS attack mechanisms
• DDoS is difficult to block since the attacks are launched from many
  different source systems
• Difficult to trace the attacker




Next week …

… we will continue looking at network-based attacks



