Dr. Igor Santos. Denial of Service, Man in the Middle, ICMP attacks.


Denial of Service (DoS)

 Denial-of-Service (DoS)
 Exclusive appropriation of a resource or service with the intention of preventing access to third parties
 Attacks designed to collapse a resource or system with the intent to destroy the service
 Removing the service delivery of a system connected to a network

 Many DoS attacks are based on bandwidth
 If I have more bandwidth than you, I can send you a lot of traffic and you get flooded
 What if the attacker does not have more bandwidth than the victim?
▪ Use a DoS not based on bandwidth (e.g. Ping of Death, WinNuke, etc.)
▪ Use DDoS

 Distributed Denial-of-Service (DDoS)
 Denial of service attack in which a number of compromised systems attack a single system, causing the termination of a service


 Goals
 Disable the service
 Disable the net
 Disable the organization
 Cause economic losses

 DDoS against Wikileaks, 28/11/ (/wikileaks-endures-a-lengthy-ddos-attack/)
 Retaliatory attacks against MasterCard, PayPal, …

 Anonymous attacks institutional websites in response to the closure of Megaupload, 20/01/ (an/20/anonymous-attacks-after-megauploads-closure)

 Types of DoS attacks
 Network Flooding
▪ SYN Flood
▪ FIN Flood
▪ Connection Flood
▪ ICMP Smurf
 System Overload
▪ Computation (e.g. lots of encrypted sessions)
▪ Memory (e.g. heavy SQL queries)
▪ Disk (e.g. temporary files)
 OS Vulnerabilities
▪ Ping of Death
▪ Land Attack

Network Flooding

 SYN Flood: based on the Three-Way Handshake used to establish a TCP connection
 The attacker initiates a high number of connections that are never completed, leaving the server waiting for the final ACK
 These half-open connections consume a lot of resources on the server, resulting in a DoS
 Very easy to perform

 Pre-attack (Three-Way Handshake)

 Attack

 The problem is that the OS has a very low limit on the number of half-open connections it can handle
 If the limit is exceeded, the server does not respond to new connection requests
 Half-open connections expire, releasing 'slots' for new connections
 If the attack is sustained, the probability that one of these 'slots' is taken by a malicious SYN is very high

 Example
 Limit of 5-30 half-open connections that expire after about 2 minutes
 To cause DoS -> send a SYN every 4 sec

 Tools
 Hping3
▪ hping3 --flood -S -p 80
 Others
▪ bin/search/search.cgi?searchvalue=syn+flood&type=archives&[search].x=0&[search].y=0

 Countermeasures
 SYN cookies
▪ Use the TCP sequence number to carry the session state
▪ The SYN queue is freed from keeping that state
 Raise the 'backlog queue'
▪ More 'slots' to connect to
▪ If not combined with SYN cookies, this can be counterproductive
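The SYN-cookie countermeasure above, as an added example (not code from the slides or from any real TCP stack): the server's initial sequence number encodes a coarse timestamp, an MSS index and a keyed hash of the connection 4-tuple, so the final ACK can be validated without a half-open entry ever being queued. The key, tick size and MSS table are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed SYN-cookie encoder/verifier. The 32-bit server ISN carries 5 bits of
# coarse time, 3 bits of MSS index and a 24-bit keyed hash, so no per-connection
# half-open state is kept on the server.
SECRET = b"per-boot-random-key (constructed)"  # assumption: regenerated at boot
MSS_TABLE = (536, 1220, 1440, 1460)             # encodable MSS values, index 0..3
TICK = 64                                       # seconds per time-counter step
MAX_AGE = 2                                     # accept cookies up to this many ticks old

def _hash24(saddr, daddr, sport, dport, client_isn, t):
    msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, client_isn, t & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def mss_index(mss):
    """Index of the largest table entry not exceeding the client's MSS."""
    return max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)

def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN to put in the SYN/ACK instead of queueing a half-open entry."""
    t = now // TICK
    h = _hash24(saddr, daddr, sport, dport, client_isn, t)
    return ((t & 0x1F) << 27) | (mss_index(mss) << 24) | h

def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now):
    """Called on the final ACK (client_isn = seq - 1, cookie = ack - 1).
    Returns the negotiated MSS, or None if the cookie is forged or stale."""
    for age in range(MAX_AGE + 1):
        t = now // TICK - age
        if (t & 0x1F) != cookie >> 27:
            continue
        if _hash24(saddr, daddr, sport, dport, client_isn, t) == (cookie & 0xFFFFFF):
            return MSS_TABLE[(cookie >> 24) & 0x7]
    return None
```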

 FIN Flood: sending TCP packets with the FIN flag set and a spoofed source IP, varying the source port and sequence number
 If a connection exists for that IP and source port, and the sequence number matches, the legitimate connection is closed
▪ Formerly the OS used consecutive sequence numbers!
 Otherwise, it simply saturates the network with traffic

 Connection Flood: connection-oriented services (e.g. ftp, http, smtp, ...) have a limit on the number of simultaneous connections supported
 When the limit is reached, new connections are rejected
 The attacker attempts to monopolize the established connections
 Similar to a SYN flood, but in this case the TCP connection (three-way handshake) is fully established

 ICMP Smurf: based on IP spoofing and broadcast
 It involves sending an ICMP packet, for example an Echo Request, to the broadcast address of a subnet (the amplifier)
 All machines on this subnet answer the broadcast
 If the packet's source IP is spoofed, all the responses go to that IP (the victim)

 For every packet sent, the victim receives hundreds of responses -> FLOOD
 This attack works only if the amplifier's router is misconfigured


OS Vulnerabilities

 Land Attack: a bug in the implementation of the TCP/IP stack on Windows platforms
 A SYN packet is sent to an open port of the victim with the same source and destination address
 The OS kernel sends ACKs to itself, causing a DoS
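The border-filter rules that close both the Smurf amplifier condition and the Land condition, as an added example (not from the slides or any firewall product): directed broadcasts and packets claiming an internal source are dropped on the outside interface, source-equals-destination is dropped everywhere, and egress is restricted to our own prefix (BCP 38). The prefixes are assumed documentation ranges.

```python
import ipaddress

# Constructed site layout: we own 192.0.2.0/24, split into two /26 subnets
# (documentation addresses, not real ones).
OUR_PREFIX = ipaddress.ip_network("192.0.2.0/24")
OUR_SUBNETS = [ipaddress.ip_network("192.0.2.0/26"),
               ipaddress.ip_network("192.0.2.64/26")]
DIRECTED_BROADCASTS = {n.broadcast_address for n in OUR_SUBNETS}

def filter_packet(direction, src, dst):
    """direction is 'in' (from the Internet) or 'out' (towards it).
    Returns (verdict, reason); only the IP header addresses are examined."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Land: no legitimate packet carries identical source and destination.
    if src == dst:
        return "drop", "land: source equals destination"
    if direction == "in":
        # Anti-spoofing: nothing arriving from outside may claim one of our addresses.
        if src in OUR_PREFIX:
            return "drop", "spoofed internal source on external interface"
        # Smurf amplifier: never forward an externally sourced directed broadcast.
        if dst in DIRECTED_BROADCASTS:
            return "drop", "directed broadcast from outside"
    elif src not in OUR_PREFIX:
        # BCP 38 egress filtering: we cannot become the spoofed source of someone's flood.
        return "drop", "egress source not in our prefix"
    return "accept", "ok"
```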


 Ping of Death: an ICMP packet is sent with a total size greater than the maximum allowed by the RFC (65,535 bytes)
 The packet is fragmented and reassembled at the destination
 If the system is vulnerable, it crashes when reassembling
 Current systems are not vulnerable
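An added example of the reassembly bound check that a non-vulnerable stack performs (constructed code, not from the slides or any real kernel): every fragment's end offset is checked against the 16-bit IPv4 total length before any buffer is grown, so an oversized set is rejected instead of overflowing. It assumes a 20-byte IP header with no options.

```python
IPV4_MAX_TOTAL_LEN = 65535   # 16-bit Total Length field (RFC 791)
IPV4_HEADER_LEN = 20         # assumption: no IP options

class FragmentError(ValueError):
    """Raised when a fragment set cannot form a legal IPv4 datagram."""

def reassemble(fragments):
    """fragments: list of (offset in 8-byte units, more-fragments flag, payload bytes).
    Bounds are checked per fragment before any buffer is grown, which is exactly
    the check a Ping-of-Death-vulnerable stack lacked."""
    frags = sorted(fragments, key=lambda f: f[0])
    buf, expected_start = bytearray(), 0
    for off_units, more, payload in frags:
        start, end = off_units * 8, off_units * 8 + len(payload)
        if end + IPV4_HEADER_LEN > IPV4_MAX_TOTAL_LEN:
            raise FragmentError(f"fragment ends at {end}: datagram exceeds {IPV4_MAX_TOTAL_LEN}")
        if more and len(payload) % 8:
            raise FragmentError("non-final fragment length is not a multiple of 8")
        if start != expected_start:
            raise FragmentError(f"gap or overlap at offset {start}")
        buf += payload
        expected_start = end
    if not frags or frags[-1][1]:
        raise FragmentError("final fragment (MF=0) missing")
    return bytes(buf)

def fragment(payload, mtu_payload=1480):
    """Constructed sender side: split an IP payload into MTU-sized fragments."""
    assert mtu_payload % 8 == 0
    return [(i // 8, i + mtu_payload < len(payload), payload[i:i + mtu_payload])
            for i in range(0, len(payload), mtu_payload)]

def accepts(fragments):
    """True if the stack would reassemble the set, False if it rejects it."""
    try:
        reassemble(fragments)
        return True
    except FragmentError:
        return False
```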


Man in the Middle (MitM)

 MitM: Man in the Middle
 Attack in which one is able to read, insert and modify at will the messages between two parties, without either of them knowing that the link between them has been compromised
 The attacker must be able to observe and intercept messages between the two victims

 Most used MitM techniques
 MAC flooding
 ARP spoofing
 DNS spoofing
 SSL strip

 MAC flooding: an attack to compromise switches
 CAM table (Content Addressable Memory)
 Maps MAC addresses to switch ports
 The attacker sends packets with different source MACs in order to saturate the limited memory of the CAM table
 Once saturated, the switch acts as a hub


 ARP spoofing, also known as ARP poisoning
 Sending fake ARP replies to the network
 Usually the aim is to associate the attacker's MAC address with the IP address of another node (the attacked node)
▪ E.g. the default gateway, to see all traffic to the Internet

 Any traffic directed to the attacked node's IP address will be mistakenly sent to the attacker rather than to its actual destination
 Passive attack
 Traffic is only observed
 It is then forwarded to the gateway
 Active attack
 The data are modified before being forwarded to the gateway
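An added example of how the poisoning described above is detected on the wire, in the spirit of monitors such as ArpON (constructed code, not the slides' or ArpON's own): the gateway binding is pinned statically, and any reply that moves a known IP to a new MAC, or claims a MAC already bound to another IP, is rejected and logged. The sample ARP replies and addresses are constructed.

```python
# Constructed ARP-reply log: "time sender_ip sender_mac". Reply 4 is the attacker
# (MAC ...:05) claiming the gateway's IP; replies 5 and 6 claim other hosts.
SAMPLE_REPLIES = """\
10:00:01 10.0.0.1 aa:bb:cc:00:00:01
10:00:02 10.0.0.5 aa:bb:cc:00:00:05
10:00:03 10.0.0.7 aa:bb:cc:00:00:07
10:00:09 10.0.0.1 aa:bb:cc:00:00:05
10:00:10 10.0.0.7 aa:bb:cc:00:00:05
10:00:11 10.0.0.9 aa:bb:cc:00:00:05
"""
GATEWAY_BINDING = {"10.0.0.1": "aa:bb:cc:00:00:01"}  # assumption: configured statically

class ArpWatch:
    """Learns ip->mac bindings from ARP replies and flags the poisoning patterns."""
    def __init__(self, static=None):
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.table = dict(self.static)   # ip -> mac, seeded with the trusted bindings
        self.alerts = []                 # (time, kind, ip, detail)

    def observe(self, ts, ip, mac):
        """Process one 'ip is-at mac' reply; returns True if the binding is accepted."""
        mac = mac.lower()
        if ip in self.static and self.static[ip] != mac:
            self.alerts.append((ts, "static-binding-violation", ip, f"{self.static[ip]} -> {mac}"))
            return False
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append((ts, "mac-changed", ip, f"{old} -> {mac}"))
            return False
        # A second IP claiming a MAC already bound to another IP is the classic
        # poisoning signature (a multi-homed host also triggers this; whitelist it).
        for other_ip, other_mac in self.table.items():
            if other_mac == mac and other_ip != ip:
                self.alerts.append((ts, "duplicate-mac", ip, f"also claimed by {other_ip}"))
                return False
        self.table[ip] = mac
        return True

def run(text, static):
    """Feed newline-separated 'time ip mac' replies; returns (accepted flags, alerts)."""
    w = ArpWatch(static)
    accepted = [w.observe(*line.split()) for line in text.splitlines() if line.strip()]
    return accepted, w.alerts
```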


 Tool: Ettercap
 ettercap -G
▪ Sniff → Unified sniffing
▪ Hosts → Host list
▪ Hosts → Scan for hosts
▪ Add the gateway as Target1
▪ Add the victim as Target2
▪ Start → Start sniffing
▪ Mitm → ARP poisoning (sniff remote connections)

 Countermeasures
 ArpON
 Patriot NG (projects.com/?Patriot_NG)

 DNS spoofing: faking the "DomainName-IP" relationship for name resolution queries
 A given DNS name is resolved to a fake address, or vice versa
 Tool: Ettercap
 Edit /usr/local/share/ettercap/etter.dns
 Plugins -> Manage plugins…
 dns_spoof

 SSL strip: intercept HTTPS traffic
 Perform a MitM between the server and the client and replace every "https://" link with "http://"
▪ The victim and the attacker communicate via HTTP
▪ The attacker and the server communicate over HTTPS, with the server's certificate
▪ The attacker is able to see all the victim's traffic unencrypted


ICMP Attacks

 Attacks based on sending special ICMP packets (not 'echo-requests')
 ICMP redirect
 Source Quench
 Blind Connection-Reset
 …

 ICMP redirect: makes use of ICMP type 5 - Redirect
 Used by a router to tell other hosts about an alternative route that bypasses it
 The router generates an ICMP "redirect" with the path information it believes is best
 If the host receiving the "redirect" trusts what it says, it accepts the new route
▪ Can be used to carry out "Man in the middle" attacks
▪ ICMP redirects should be filtered

 Source Quench: makes use of ICMP type 4 - Source Quench
 It will be declared obsolete in the next revision of ICMP
 It is used to make the IP that receives it lower the rate at which it is sending traffic
 It can be used to cause DoS

 Blind Connection-Reset: when TCP receives a 'hard' ICMP error, it aborts the connection
 Errors considered hard
 ICMP type 3 (Destination Unreachable)
▪ Code 2 (protocol unreachable)
▪ Code 3 (port unreachable)
▪ Code 4 (fragmentation needed and DF bit set)
 Tools: icmp-reset
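An added example of the receiver-side validation that defeats the blind reset (constructed code, not from the slides or any real stack; the checks follow the RFC 5927 recommendations): before a hard ICMP type 3 error may abort a connection, the quoted IP/TCP header must match a known 4-tuple, the quoted sequence number must be one actually in flight, and an ESTABLISHED connection treats the error as soft. Addresses are documentation ranges and checksums are left at zero since nothing here verifies them.

```python
import struct
from dataclasses import dataclass

HARD_CODES = {2: "protocol unreachable", 3: "port unreachable", 4: "fragmentation needed"}

@dataclass
class Conn:
    laddr: str; lport: int; raddr: str; rport: int
    snd_una: int; snd_nxt: int; state: str

def _inet(a):
    return bytes(int(x) for x in a.split("."))

def build_icmp_error(icmp_type, code, src, dst, sport, dport, seq):
    """Constructed ICMP error: 8-byte ICMP header + quoted IPv4 header (no options)
    + first 8 bytes of the quoted TCP header (ports and sequence number)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, _inet(src), _inet(dst))
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + struct.pack("!HHI", sport, dport, seq)

def parse_icmp_error(pkt):
    ihl = (pkt[8] & 0x0F) * 4                       # quoted IP header starts at byte 8
    src = ".".join(map(str, pkt[20:24]))
    dst = ".".join(map(str, pkt[24:28]))
    sport, dport, seq = struct.unpack("!HHI", pkt[8 + ihl:16 + ihl])
    return pkt[0], pkt[1], pkt[17], src, dst, sport, dport, seq   # type, code, protocol, ...

def should_abort(pkt, conns):
    """(abort?, reason). Aborts only for a hard error that quotes a known connection,
    carries an in-flight sequence number, and hits a connection not yet ESTABLISHED."""
    t, code, proto, src, dst, sport, dport, seq = parse_icmp_error(pkt)
    if t != 3 or code not in HARD_CODES or proto != 6:
        return False, "not a hard ICMP error about TCP"
    match = [c for c in conns if (c.laddr, c.lport, c.raddr, c.rport) == (src, sport, dst, dport)]
    if not match:
        return False, "no matching connection"
    c = match[0]
    in_flight = (c.snd_nxt - c.snd_una) & 0xFFFFFFFF   # modulo-2^32 window arithmetic
    if ((seq - c.snd_una) & 0xFFFFFFFF) >= in_flight:
        return False, "quoted sequence number was never sent (likely forged)"
    if c.state == "ESTABLISHED":
        return False, "hard error on established connection treated as soft"
    return True, HARD_CODES[code]
```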
