2. Last week …
• Network-based attacks
• Primary aim: to
– forge or steal data
– gain unauthorised access to a system
– force system downtime
• Means
– Sniffing data
– Redirecting data
• Preparatory activities
– Reconnaissance
– scanning
• Packet sniffing
Computer Security Management
Page 2
3. Today ...
• IP address spoofing
• Man-in-the-middle attack
• Denial-of-service attack (DoS)
– SYN flooding
– Smurf attack
– Distributed Denial of Service attack (DDoS)
4. IP address spoofing (1)
• Used to hide the identity of an attacker and to gain access by
exploiting existing trust between host systems
• Takes advantage of a security weakness in the TCP/IP protocol:
– Attacker forges the source IP address in every IP packet, replacing it with a
different address
– It appears that the packet was sent by a different computer
• Can be used for
– Denial-of-Service attacks
– Session hijacking
– Man-in-the-Middle attacks
5. IP address spoofing (2)
• TCP/IP protocol stack (figure: encapsulation on the sending and the receiving host for two TCP connections, TCP 1 and TCP 2)
– Application Layer: Data
– Transport Layer: TCP header (TCP 1 / TCP 2) + Data
– Network Layer: IP header + TCP segment
– Data Link Layer: Ethernet header + IP packet
– Physical Layer
6. IP address spoofing (3)
• IP address spoofing is mainly used to defeat network security
– firewall rules that rely on IP address-based authentication
– IP address-based (trust based) access control
– Etc.
• Attacker needs to know about the established trust between
systems (see reconnaissance and scanning phase!)
• Difficulties with IP address spoofing:
– any reply is sent to the forged IP address!
– Difficult to guess the sequence number
7. IP address spoofing (4)
• TCP uses sequence numbers negotiated with the remote machine to
ensure that arriving packets are part of an established connection
• The attacker normally can't see any reply packets, hence they have to
guess the sequence number in order to hijack a connection
• Poor implementations in many older operating systems mean that
TCP sequence numbers can be predicted
• If sequence numbers are compromised, data could be sent to the
target blindly, e.g. creating a new user account using host-based
authentication services
• Two different types of IP address spoofing
– Non-blind
– blind
8. Non-Blind Spoofing
• The attacker is on the same subnet as the victim
• Sequence and acknowledgement numbers can be observed (sniffed),
so there is no need to calculate them
• Biggest threat of non-blind spoofing: session hijacking
– corrupting the data stream of an established connection
– re-establishing it, based on the correct sequence and acknowledgement numbers,
with the attack machine
• Using this technique, an attacker could effectively bypass any
authentication measures put in place when the connection was built
9. Blind Spoofing
• Sequence and acknowledgement numbers are out of the attacker's reach (they cannot be sniffed)
• In order to circumvent this, several packets are sent to the target
machine in order to sample sequence numbers
• In the past: machines used basic techniques for generating
sequence numbers
• It was relatively easy to discover the exact formula by studying
packets and TCP sessions (sequence guessing)
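The sequence-guessing step of slides 7 to 9 comes down to whether a stack's initial sequence numbers (ISNs) follow a formula. The following self-check is an added example, not from the lecture: it models an old-style global-counter generator beside an RFC 6528-style keyed generator (both are toy models, not any real operating system's code), samples ISNs from a probe connection and tests whether a linear guess matches the ISN handed to a different, trusted 4-tuple. The addresses and port 513 (rlogin, a host-based authentication service) are constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

Conn = Tuple[str, int, str, int]  # (client ip, client port, server ip, server port)

def legacy_isn() -> Callable[[Conn], int]:
    """Toy model of an old-style generator: one global counter stepped by a
    fixed amount per connection, regardless of who is connecting."""
    state = {"counter": 0x12340000}
    def gen(_conn: Conn) -> int:
        state["counter"] = (state["counter"] + 64000) % 2**32
        return state["counter"]
    return gen

def keyed_isn(secret: Optional[bytes] = None) -> Callable[[Conn], int]:
    """Toy model of an RFC 6528-style generator: the same counter plus a keyed
    hash of the connection 4-tuple, so ISNs observed on the tester's own
    connections say nothing about the ISN a trusted host's tuple will get."""
    key = secret or os.urandom(16)
    state = {"counter": 0x12340000}
    def gen(conn: Conn) -> int:
        state["counter"] = (state["counter"] + 64000) % 2**32
        mac = hmac.new(key, repr(conn).encode(), hashlib.sha256).digest()
        return (state["counter"] + int.from_bytes(mac[:4], "big")) % 2**32
    return gen

def predict_next(samples: List[int]) -> int:
    """Linear predictor: assume the most common increment between sampled ISNs
    carries on. This is all the 'sequence guessing' of slide 9 needed."""
    deltas = [(b - a) % 2**32 for a, b in zip(samples, samples[1:])]
    step = max(set(deltas), key=deltas.count)
    return (samples[-1] + step) % 2**32

def is_predictable(gen: Callable[[Conn], int], probe: Conn, trusted: Conn,
                   n: int = 6) -> bool:
    """Self-check against a stack: open n connections from the probe address,
    predict the next ISN, and compare with the ISN handed to a different
    (trusted) 4-tuple. True means a blind spoofer could guess it."""
    samples = [gen(probe) for _ in range(n)]
    return predict_next(samples) == gen(trusted)

# Constructed addresses (RFC 5737 documentation ranges) for the demonstration.
PROBE = ("203.0.113.7", 40000, "192.0.2.10", 513)    # host the tester controls
TRUSTED = ("192.0.2.20", 1023, "192.0.2.10", 513)    # host whose trust is at stake
if __name__ == "__main__":
    print("legacy generator predictable:", is_predictable(legacy_isn(), PROBE, TRUSTED))
    print("keyed generator predictable: ", is_predictable(keyed_isn(), PROBE, TRUSTED))
```

The keyed generator still advances a counter, so samples from one tuple look as regular as before; the guess fails because the per-tuple hash offset is unknown without the secret.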
10. Man-in-the-middle attack (1)
• A malicious party intercepts a legitimate communication between
two friendly parties
• The malicious host then controls the flow of communication and can
eliminate or alter the information sent by one of the original
participants without the knowledge of either the original sender or
the recipient
• In this way, an attacker can fool a victim into disclosing confidential
information by “spoofing” the identity of the original sender, who is
presumably trusted by the recipient
11. Man-in-the-middle attack (2)
• Example (figure: Alice, Ivan and Bob; Ivan sits between the two and impersonates each of them to the other)
– Alice sends Message1 to Bob; Ivan intercepts it
– Ivan forwards Message1' to Bob, posing as Alice
– Bob replies with Message2; Ivan intercepts it
– Ivan forwards Message2' to Alice, posing as Bob
12. Man-in-the-middle attack (3)
• The most common implementation:
– attacker bypasses online banking security by receiving login and transaction
information
– attacker passes it on to the banking site with any required alterations
– attacker receives data from the banking site
– sends the banking site's details back to the victim, again with minor alterations
so the victim is unaware of the attack
• Man-in-the-middle techniques are particularly difficult to detect and
protect against, as they usually take place on a different system
from the victim and their bank
• It is also possible to bypass strong security measures such as two-factor
authentication and one-time passwords using such techniques
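The Alice/Ivan/Bob exchange of slide 11, as an added example that is not part of the lecture: Ivan relays Alice's message to Bob with one field rewritten, and Bob cannot tell. The second run assumes Alice and Bob share a key that Ivan does not have and attaches an HMAC tag, so the altered Message1' is rejected. The message format and the shared key are constructed; in practice TLS with certificate verification plays the role of the shared key here.

```python
import hashlib
import hmac
from typing import Callable, Optional, Tuple

Channel = Callable[[bytes], bytes]   # whatever sits between Alice and Bob

def honest_channel(message: bytes) -> bytes:
    """No interception: Bob gets exactly what Alice sent."""
    return message

def ivan(message: bytes) -> bytes:
    """Ivan from slide 11: relays Alice's Message1 as Message1', here with the
    payee field rewritten. Constructed payload format, not a real protocol."""
    return message.replace(b"payee=bob", b"payee=ivan")

def alice_send(channel: Channel, body: bytes, key: Optional[bytes]) -> bytes:
    """Alice sends body through the channel; with a shared key she appends an
    HMAC-SHA256 tag so Bob can tell whether the body was altered in transit."""
    if key is None:
        return channel(body)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return channel(body + b"|" + tag)

def bob_receive(received: bytes, key: Optional[bytes]) -> Tuple[bool, bytes]:
    """Bob returns (accepted, body). Without a key he has no way to notice
    tampering; with one he recomputes the tag and compares in constant time."""
    if key is None:
        return True, received
    body, sep, tag = received.rpartition(b"|")
    if not sep:
        return False, received          # no tag at all: reject
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(tag, expected), body

def exchange(channel: Channel, key: Optional[bytes] = None) -> Tuple[bool, bytes]:
    """One Alice -> (Ivan?) -> Bob hop carrying a constructed transaction."""
    body = b"transfer amount=500 payee=bob"
    return bob_receive(alice_send(channel, body, key), key)

SHARED_KEY = b"constructed-demo-key"   # Alice and Bob have it, Ivan does not

if __name__ == "__main__":
    print(exchange(ivan))                         # Bob accepts the altered message
    print(exchange(ivan, SHARED_KEY))             # tag no longer verifies: rejected
    print(exchange(honest_channel, SHARED_KEY))   # untouched message accepted
```

Integrity protection detects alteration; it does not by itself stop the credential relay described on slide 12, which is why the slide calls these attacks hard to detect.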
13. Denial-of-Service (DoS) attack
• Attempts to prevent a piece of software, system, web server or
website from functioning
• Tries to overload the system by exhausting its resources, e.g.
bandwidth, memory, CPU time, etc.
• Denial-of-service attacks
– SYN flooding
– Smurf attack
– Distributed Denial of Service attack (DDoS)
14. SYN flooding (1)
• TCP connection set-up: three way handshake
– The active open is performed by the client sending a SYN to the server
– In response, the server replies with a SYN-ACK
– Finally the client sends an ACK back to the server
Client → Server: SYN
Server → Client: SYN+ACK
Client → Server: ACK
15. SYN flooding (2)
• If the client skips sending the ACK message before the
connection is established, the server waits for a predefined period of
time
• If the server is flooded with SYN requests that are never acknowledged,
it will deny connection requests from legitimate users
Client → Server: SYN
Server → Client: SYN+ACK (no ACK follows; the half-open connection is held until it times out)
Client → Server: SYN
Server → Client: SYN+ACK
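The half-open table described on slides 14 and 15, as an added example that is not part of the lecture: a simplified listener (not a real TCP stack) keeps one entry per unanswered SYN-ACK until a timeout, so a burst of spoofed SYNs fills the backlog and a legitimate client is refused. With SYN cookies, the common mitigation, the server encodes a keyed hash of the peer in its ISN and stores nothing until the ACK returns, so the same flood leaves the client able to connect. The backlog size, timeout and addresses are constructed.

```python
import hashlib, hmac, os
from typing import Dict, Optional, Tuple

Peer = Tuple[str, int]   # (client ip, client port)

class Listener:
    """Server side of the three-way handshake with a bounded half-open table."""
    def __init__(self, backlog: int, timeout: float, syn_cookies: bool = False):
        self.backlog, self.timeout, self.syn_cookies = backlog, timeout, syn_cookies
        self.half_open: Dict[Peer, Tuple[int, float]] = {}  # peer -> (our ISN, time)
        self.secret = os.urandom(16)   # cookie key; real stacks rotate it over time

    def _cookie(self, peer: Peer) -> int:
        """Stateless ISN: keyed hash of the peer, recomputable when the ACK arrives."""
        mac = hmac.new(self.secret, repr(peer).encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, peer: Peer, now: float) -> Optional[int]:
        """Handle a SYN; return the ISN placed in our SYN-ACK, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(peer)   # nothing is stored until the ACK comes back
        # Expire entries whose 'predefined period of time' (slide 15) has elapsed.
        self.half_open = {p: v for p, v in self.half_open.items()
                          if now - v[1] <= self.timeout}
        if len(self.half_open) >= self.backlog:
            return None                 # table full: this SYN gets no SYN-ACK
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[peer] = (isn, now)
        return isn

    def on_ack(self, peer: Peer, ack: int) -> bool:
        """Third step: the ACK must carry our ISN + 1; True means established."""
        if self.syn_cookies:
            return ack == (self._cookie(peer) + 1) % 2**32
        entry = self.half_open.pop(peer, None)
        return entry is not None and ack == (entry[0] + 1) % 2**32

def flood_then_connect(syn_cookies: bool, flood_size: int = 200) -> bool:
    """Constructed scenario: flood_size spoofed SYNs that are never acknowledged,
    then a legitimate client attempts a full handshake one second later."""
    srv = Listener(backlog=128, timeout=60.0, syn_cookies=syn_cookies)
    for i in range(flood_size):
        srv.on_syn((f"198.51.100.{i % 254 + 1}", 1024 + i), now=0.0)
    client = ("192.0.2.55", 40001)
    isn = srv.on_syn(client, now=1.0)
    return isn is not None and srv.on_ack(client, (isn + 1) % 2**32)
```

Real SYN cookies also pack a timestamp and the negotiated MSS into the ISN; the model keeps only the keyed-hash idea.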
16. Smurf attack (1)
• Uses spoofed ping messages to flood a target system
• Internet Control Message Protocol (ICMP) is one of the core
protocols of the Internet Protocol Suite
• ICMP echo is used by TCP to determine
– whether a host is reachable
– the time it takes for the packet to get to and from the host
17. Smurf attack (2)
• Attacker sends a long stream of ping packets (ICMP echo requests) to
all IP addresses within a network (amplifier network) via a
gateway/router that acts as a broadcaster
• The source address of the ping packets is spoofed to be the IP address of the target system
• Each ICMP echo request message produces an echo response
message
• All hosts of the network will send their echo to the spoofed IP
address
• Sheer number of echo response messages brings target host down
19. Distributed-Denial-of-Service Attacks (DDoS)
• Multiple compromised host systems (a botnet) send packets with spoofed
source IP addresses to the same destination address, i.e. the target
• Malware can carry DDoS attack mechanisms
• DDoS is difficult to block since the attacks are launched from many different
source systems
• Difficult to trace the attacker
20. Next week …
… we will continue looking at network-based attacks