EE579T_GD/5 #1 Summer 2003 © 2000-2003, Richard A. Stanley EE579T Network Security 5: An Introduction to Network-Based Attacks Prof. Richard A. Stanley.


#2 Thought for the Day
“Everything should be made as simple as possible. But not simpler.” Albert Einstein

#3 Overview of Today’s Class
– Review the last two weeks’ lessons
– Network attacks

#4 Last two times...
– Attacking a network is no different from robbing a bank: you have to plan if you expect to succeed
– There are three basic planning steps, collectively called vulnerability assessment:
   – Acquire the target (case the joint)
   – Scan for vulnerabilities (find the entry points)
   – Identify poorly protected data (enumeration)
– This applies whether you are inside or outside the protected perimeter!

#5 SSL Handshake Overview (Client ↔ Server)
1. Client → Server: supported ciphers, random number
2. Server → Client: cipher choice, certificate, random number
3. Client verifies the certificate, generates the PreMasterSecret, and sends it encrypted under the server’s public key
4. Both sides generate the session keys
5. Client: HMAC over the handshake messages sent
6. Server: HMAC over the handshake messages received

#6 Network Based Attacks: Oldies and Goodies, It Isn’t Magic

#7 Word of Warning
– Some of the attacks about to be described are as old as network attacks themselves
   – This doesn’t make studying them a waste of time
   – There is nothing new under the sun: old attacks keep popping up in new clothes
“Those who do not study history are condemned to repeat it.” George Santayana

#8 Target Acquisition ?

#9 TCP Review


#11 TCP Assumptions
– Assumes IP addresses are valid and correct (nothing authenticates the source address)
– If the sequence number received ≠ the sequence number expected, the segment is refused (discarded) and the system waits for the correctly numbered segment
   – The receiver still answers the out-of-sequence segment with an ACK carrying the sequence number it expects; this matters for the ACK storm later in the lecture
   – If the correct segment doesn’t arrive before the timer winds down, the sender retransmits

#12 TCP Handshake Overview
Client → Server: 1. SYN
Server → Client: 2. SYN, ACK
Client → Server: 3. ACK
What if Step 3 never happens? The server has to hold the half-open connection until its timer expires.

#13 Getting Fingered

#14 Do You Know Who?

#15 Sequence Number Prediction
– Determine the server’s IP address
   – Sniffing packets
   – Trying host numbers in order
   – Connecting with a browser and observing the address in the status bar
– Try addresses in the server’s address space
– Monitor packet sequence numbers: open a few connections of your own and watch how the initial sequence number (ISN) changes from one to the next
– Predict and spoof the next sequence number
   – To the server, the hacker now appears to be a legitimate (trusted) client, even though the SYN/ACK went to the real client’s address and the hacker never saw it
– This only works while ISNs are predictable; a stack that randomizes them leaves nothing to predict
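An added illustration of the prediction step above; this is example code written for this page, not material from the lecture. The BSD-style ISN generator and its constants, the server that authenticates purely by source address, and the addresses used are all assumptions made for the example. The point it shows: an attacker who can model the generator completes a handshake whose SYN/ACK he never saw, and a randomized ISN leaves him nothing to model.

```python
import random

MOD = 2 ** 32


class PredictableISN:
    """Initial sequence numbers generated the way early BSD stacks did it: a
    counter advanced by a constant each second and by another constant for
    every new connection.  The constants are illustrative, not a specific
    vendor's values."""
    PER_SECOND = 128_000
    PER_CONNECTION = 64_000

    def __init__(self, base):
        self.base = base
        self.connections = 0

    def next_isn(self, now):
        self.connections += 1
        return (self.base + self.PER_SECOND * now
                + self.PER_CONNECTION * self.connections) % MOD


class RandomISN:
    """ISNs drawn from a random source (seeded here so the run is repeatable)."""

    def __init__(self, seed):
        self.rng = random.Random(seed)

    def next_isn(self, now):
        return self.rng.getrandbits(32)


class Server:
    """Remembers the ISN it put in each SYN/ACK and completes the handshake
    only if the final ACK acknowledges exactly ISN + 1.  It trusts the source
    address alone, which is the weakness the attack needs."""

    def __init__(self, isn_source):
        self.isn_source = isn_source
        self.half_open = {}

    def syn(self, src, sport, now):
        isn = self.isn_source.next_isn(now)
        self.half_open[(src, sport)] = isn
        return isn          # carried in the SYN/ACK to src, whoever really owns it

    def ack(self, src, sport, ack_number):
        isn = self.half_open.pop((src, sport), None)
        return isn is not None and ack_number == (isn + 1) % MOD


def predict_and_spoof(server, trusted_host, now):
    """Sequence-number prediction as on the slide.  The attacker never sees the
    SYN/ACK addressed to trusted_host, so it must guess the ISN inside it.  The
    guess assumes the BSD-style generator: one more connection since the probe,
    within the same second."""
    # 1. Probe from the attacker's own (constructed) address; the SYN/ACK reveals
    #    the generator's current value.
    probe_isn = server.syn("203.0.113.7", 40000, now)
    server.ack("203.0.113.7", 40000, (probe_isn + 1) % MOD)
    # 2. SYN carrying the trusted host's source address.  The real trusted host
    #    would answer the unexpected SYN/ACK with a RST, so in practice it is
    #    first taken off the air (e.g. SYN-flooded); that step is not modelled.
    server.syn(trusted_host, 1023, now)
    # 3. Complete the handshake blind with the predicted ISN.
    guess = (probe_isn + PredictableISN.PER_CONNECTION) % MOD
    return server.ack(trusted_host, 1023, (guess + 1) % MOD)


if __name__ == "__main__":
    print("BSD-style ISN:", predict_and_spoof(Server(PredictableISN(base=12_345)), "192.0.2.10", now=7))
    print("random ISN:   ", predict_and_spoof(Server(RandomISN(seed=1)), "192.0.2.10", now=7))
```

With the predictable generator the probe returns 12345 + 128000·7 + 64000 and the spoofed connection gets exactly 64000 more, so the blind ACK matches; with the random generator the same guess fails.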

#16 Purpose, Detection & Defense
– Once on the net as an internal user, the hacker can use the net as a base for other attacks, or access information on the net just spoofed
– Detection: look for runs of sequential “Access denied” entries in the audit log (every wrong guess at the sequence number is a failed connection attempt)
– Prevention: if available, enable real-time notification of a large number of sequential access-denial entries; better still, don’t let a source IP address alone authenticate a client, and use randomized ISNs so there is nothing to predict

#17 Enumeration

#18 Finding out What’s There
– Scans
   – Stealthy
   – Not so stealthy
– Fingerprinting
– Tools
   – Nmap
   – Retina (eeye.com)
   – ...etc.

#19 Attacks

#20 SYN Flood
– Send a normal SYN packet to a server, as if to open a TCP connection
– When the server returns a SYN/ACK packet, ignore it (usually the SYN carried a spoofed source address, so the SYN/ACK never reaches the attacker anyway)
– Send another SYN packet to the server
– Repeat as necessary... until the server cannot handle any more half-open connections

#21 SYN Flood
Client → Server: 1. SYN
Server → Client: 2. SYN, ACK (and then the server waits for an ACK that never comes)
Repeat quickly, over and over. After a while the server’s backlog of half-open connections is full and it can do nothing except wait for them to time out; SYNs from real clients are dropped. Thus, DoS.
The usual defense today is SYN cookies: the server encodes the connection into the ISN it sends and keeps no state until a valid ACK returns.
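As an added example (not from the lecture), a Python model of the two slides above: a listener with a fixed half-open backlog under a flood of SYNs that are never acknowledged, and the same listener with SYN cookies. The backlog size, timeouts, cookie layout, secret and addresses are assumptions chosen for the example; real SYN cookies pack a time slot, an MSS index and a keyed hash into the 32-bit ISN, which the simplified layout here (8-bit slot, 24-bit MAC) only approximates.

```python
import hashlib
import hmac
import random

MOD = 2 ** 32
BACKLOG = 128        # assumption: half-open connections the listener will hold
SYN_TIMEOUT = 75     # assumption: seconds before an unanswered SYN/ACK is abandoned
COOKIE_SLOT = 64     # assumption: seconds per SYN-cookie time slot


class Listener:
    """A listening TCP port.  Without SYN cookies every SYN occupies a backlog
    entry until the final ACK arrives or the timer expires.  With SYN cookies
    the ISN in the SYN/ACK is a keyed hash of the connection and a time slot,
    so nothing is stored until a valid ACK comes back."""

    def __init__(self, syn_cookies=False, secret=b"constructed-secret", seed=0):
        self.syn_cookies = syn_cookies
        self.secret = secret
        self.rng = random.Random(seed)
        self.half_open = {}          # (src, sport) -> (isn, expiry)
        self.established = set()

    def _cookie(self, key, slot):
        slot &= 0xFF
        mac = hmac.new(self.secret, f"{key}|{slot}".encode(), hashlib.sha256).digest()
        return (slot << 24) | int.from_bytes(mac[:3], "big")

    def _expire(self, now):
        for key in [k for k, (_, expiry) in self.half_open.items() if expiry <= now]:
            del self.half_open[key]

    def syn(self, src, sport, now):
        """Returns the ISN sent in the SYN/ACK, or None if the SYN was dropped."""
        key = (src, sport)
        if self.syn_cookies:
            return self._cookie(key, now // COOKIE_SLOT)
        self._expire(now)
        if len(self.half_open) >= BACKLOG:
            return None                  # backlog full: exactly what the flood is after
        isn = self.rng.getrandbits(32)
        self.half_open[key] = (isn, now + SYN_TIMEOUT)
        return isn

    def ack(self, src, sport, ack_number, now):
        """Step 3 of the handshake.  True if the connection is established."""
        key = (src, sport)
        isn = (ack_number - 1) % MOD
        if self.syn_cookies:
            slot, current = isn >> 24, now // COOKIE_SLOT
            if slot not in (current & 0xFF, (current - 1) & 0xFF):
                return False             # stale or forged time slot
            if isn != self._cookie(key, slot):
                return False             # MAC mismatch: not a cookie we issued
        else:
            entry = self.half_open.pop(key, None)
            if entry is None or entry[0] != isn:
                return False
        self.established.add(key)
        return True


def syn_flood(listener, count, now):
    """The attacker's loop from slide 20: SYNs from constructed, spoofed sources
    that will never answer the SYN/ACK."""
    for i in range(count):
        listener.syn(f"198.51.100.{i % 256}", 1024 + i, now)


def client_connects(listener, now):
    """A legitimate client doing the full handshake.  True if it gets through."""
    isn = listener.syn("192.0.2.10", 50_000, now)
    if isn is None:
        return False
    return listener.ack("192.0.2.10", 50_000, (isn + 1) % MOD, now)


if __name__ == "__main__":
    plain = Listener()
    syn_flood(plain, 1000, now=0)
    print("no cookies, under flood:  ", client_connects(plain, now=0))
    print("no cookies, after timeout:", client_connects(plain, now=SYN_TIMEOUT + 1))
    cookies = Listener(syn_cookies=True)
    syn_flood(cookies, 1000, now=0)
    print("SYN cookies, under flood: ", client_connects(cookies, now=0))
```

Without cookies the first 128 spoofed SYNs fill the backlog and the real client is refused until the 75-second timers run out; with cookies the flood stores nothing, the client connects immediately, and an ACK that does not carry a cookie the listener issued is rejected.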

#22 FINish, But Don’t Start
– Attacker sends a FIN packet to a port on the server without having previously established a TCP connection
– A standards-conforming (RFC 793) stack answers with a RST if the port is closed, and sends nothing at all if the port is open: a listening port is waiting for SYNs, not FINs
– So silence, not a RST, tells the attacker that the port is alive and functioning, and because no connection is ever opened the probe does not show up in the server’s connection logs
– Caveat: Windows stacks answer such a FIN with a RST whether the port is open or closed, so the trick yields nothing there

#23 Passive Sniffing
– Hacker obtains access to a network segment; observes and analyzes traffic
   – Unauthorized access to a legitimate computer (a packet monitor is a standard NT/2000 fixture)
   – Unauthorized NIC added to the segment
– Purpose: gather intelligence, read traffic
– Defense:
   – Secure authentication schemes (Kerberos), so that no reusable password crosses the wire
   – Data encryption

#24 Desynchronization Attacks
– Hacker forces both ends of a TCP session into a desynchronized state: each side’s next expected sequence number no longer matches what the other side will send next
– Hacker then uses a third-party host (a computer connected to the physical segment under attack) to intercept the original packets and create acceptable replacement packets that mimic the real ones that would have been exchanged
– NB: desynchronized ≠ disconnected; both ends still believe the session is up

#25 Post-Desynchronization Hijacking - 1
Assume:
– hacker can listen to any packet exchanged on the TCP session
– hacker can forge any kind of IP packet desired and replace the original with it
– session has been desynchronized

#26 Post-Desynchronization Hijacking - 2
– Client sends a packet whose header has
   – SEG_SEQ = CLT_SEQ
   – SEG_ACK = CLT_ACK
– Because the session has been desynchronized, the client’s sequence number (CLT_SEQ) never equals the sequence number the server expects (SVR_ACK)
– Server therefore discards the packet

#27 Post-Desynchronization Hijacking - 3
– Hacker copies the packet the server discarded
– Hacker waits long enough for the server to have discarded it
– Hacker sends the server the same packet the client did, but with SEG_SEQ, SEG_ACK and the checksum changed so that
   – SEG_SEQ = SVR_ACK
   – SEG_ACK = SVR_SEQ


#29 Post-Desynchronization Hijacking - 4
– The sequence numbers are now correct, so the server accepts the packet the hacker sent
– In general the hacker must rewrite every client packet so that
   – SEG_SEQ = (SEG_SEQ + CLT_TO_SVR_OFFSET)
   – SEG_ACK = (SEG_ACK - SVR_TO_CLT_OFFSET)
– where
   – CLT_TO_SVR_OFFSET = SVR_ACK - CLT_SEQ
   – SVR_TO_CLT_OFFSET = CLT_ACK - SVR_SEQ
– Server packets headed for the client get the mirror-image rewrite, and every byte the hacker adds to or removes from a stream moves the corresponding offset

#30 Post-Desynchronization Hijacking - 5
– Hacker is now interposed between the true client and the server
– All packets are now routed through the hacker’s machine, so any desired commands can be added to or removed from the payload
– Server responds to both client and hacker requests; the hacker filters out the responses to his own requests and relays the responses to the client’s requests to the true client
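An added worked example of slides 26 to 30, written for this page rather than taken from the lecture: the two offsets computed from sniffed sequence numbers, a client packet that the server discards, the same packet re-numbered (and with a command appended) that the server accepts, and the server’s reply re-numbered for the client. The endpoint model, the starting sequence numbers and the +200/+300 desynchronization are constructed; a real stack accepts a window of sequence numbers rather than one exact value, which does not change the arithmetic.

```python
from dataclasses import dataclass

MOD = 2 ** 32


@dataclass
class Segment:
    seq: int      # SEG_SEQ
    ack: int      # SEG_ACK
    data: bytes


class Endpoint:
    """One end of an established connection, reduced to the two numbers the
    attack is about: snd_nxt (the SEQ it puts on its next segment) and rcv_nxt
    (the SEQ it expects next, which it sends as its ACK).  A segment is
    acceptable only if both numbers match exactly (simplification)."""

    def __init__(self, snd_nxt, rcv_nxt):
        self.snd_nxt = snd_nxt
        self.rcv_nxt = rcv_nxt

    def send(self, data):
        seg = Segment(self.snd_nxt, self.rcv_nxt, data)
        self.snd_nxt = (self.snd_nxt + len(data)) % MOD
        return seg

    def receive(self, seg):
        """Returns the delivered data, or None if the segment was discarded."""
        if seg.seq != self.rcv_nxt or seg.ack != self.snd_nxt:
            return None
        self.rcv_nxt = (self.rcv_nxt + len(seg.data)) % MOD
        return seg.data


class Hijacker:
    """Holds the two offsets from slide 29 and rewrites headers with them."""

    def __init__(self, clt, svr):
        # Sniffed after desynchronization: CLT_SEQ = clt.snd_nxt, CLT_ACK = clt.rcv_nxt,
        # SVR_SEQ = svr.snd_nxt, SVR_ACK = svr.rcv_nxt.
        self.clt_to_svr = (svr.rcv_nxt - clt.snd_nxt) % MOD   # SVR_ACK - CLT_SEQ
        self.svr_to_clt = (clt.rcv_nxt - svr.snd_nxt) % MOD   # CLT_ACK - SVR_SEQ

    def to_server(self, seg, inject=b""):
        """Client segment re-numbered for the server, optionally with extra
        bytes appended.  Injected bytes widen the client-to-server gap, so the
        offset is updated to keep later rewrites correct."""
        out = Segment((seg.seq + self.clt_to_svr) % MOD,
                      (seg.ack - self.svr_to_clt) % MOD,
                      seg.data + inject)
        self.clt_to_svr = (self.clt_to_svr + len(inject)) % MOD
        return out

    def to_client(self, seg):
        """Server segment re-numbered for the client (the mirror-image rewrite).
        Suppressing the server's replies to injected commands would likewise
        add the suppressed length to svr_to_clt; not modelled here."""
        return Segment((seg.seq + self.svr_to_clt) % MOD,
                       (seg.ack - self.clt_to_svr) % MOD,
                       seg.data)


def run_hijack():
    """Walks slides 26 to 30 on constructed numbers.  The +200 and +300 stand in
    for whatever desynchronized the session (e.g. null data each side accepted).
    Returns what the server and client delivered for each of the four segments."""
    clt = Endpoint(snd_nxt=1000, rcv_nxt=5000)
    svr = Endpoint(snd_nxt=5000, rcv_nxt=1000)      # in sync
    svr.rcv_nxt += 200                               # server now expects CLT_SEQ + 200
    clt.rcv_nxt += 300                               # client now expects SVR_SEQ + 300
    hj = Hijacker(clt, svr)

    original = clt.send(b"ls\r\n")
    dropped = svr.receive(original)                  # slide 26: server discards it
    forged = hj.to_server(original, inject=b"cat /etc/passwd\r\n")   # slides 27-29
    accepted = svr.receive(forged)

    reply = svr.send(b"file1 file2\r\n")
    reply_dropped = clt.receive(reply)               # the raw reply is unacceptable to the client
    reply_accepted = clt.receive(hj.to_client(reply))   # slide 30: hacker relays it
    return dropped, accepted, reply_dropped, reply_accepted


if __name__ == "__main__":
    print(run_hijack())
```

The forged segment carries SEQ 1200 and ACK 5000 where the client sent 1000 and 5300; after the 17 injected bytes the client-to-server offset is 217, which is exactly what makes the relayed reply’s ACK (1221 - 217 = 1004) line up with the client’s own counter.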


#34 ACK Storm
– Primary flaw of the desynchronization attack
– Receipt of an unacceptable packet makes a TCP endpoint send an (empty) ACK back to the source carrying the sequence number it expects
   – The first such ACK, from the server, carries the server’s own sequence number, which after the hacker’s injected packet is not what the client expects
   – The client refuses that packet, because from its point of view it never sent the modified request the server is acknowledging
   – The client now sends its own ACK packet, which the server in turn finds unacceptable, and...

#35 The End of the Storm
– In theory, the ACK storm is an infinite loop
– BUT…
   – If an ACK packet is lost, no further ACK is sent, because a packet with no data payload is never retransmitted
   – TCP communicates over a lossy network (i.e., packets will get lost)
   – With non-zero packet loss, the storm quickly ends
   – Self-regulating
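An added simulation of the two ACK-storm slides (example code for this page, not from the lecture). Two endpoints whose expectations disagree each apply the rule from slide 34, answering every unacceptable segment with an empty ACK; the sequence numbers are constructed and only their disagreement matters. With zero loss the loop only stops at the cap; with any loss it ends, and its average length is about 1/p packets.

```python
import random


def ack_storm(loss_probability, seed, cap=100_000):
    """Runs the storm until an empty ACK is lost or `cap` ACKs have been sent.
    Returns (acks_sent, ended_by_loss)."""
    rng = random.Random(seed)
    # (snd_nxt, rcv_nxt) per side.  Desynchronized: neither side's snd_nxt is
    # what the other side expects, so no segment can ever be acceptable.
    state = {"client": (1000, 5300), "server": (5000, 1200)}

    def acceptable(receiver, seq, ack):
        snd_nxt, rcv_nxt = state[receiver]
        return seq == rcv_nxt and ack == snd_nxt

    # The storm starts with the server's ACK of the attacker's injected segment,
    # travelling towards the client: (destination, seq, ack).
    in_flight = ("client", 5000, 1221)
    acks_sent = 0
    while acks_sent < cap:
        dst, seq, ack = in_flight
        if rng.random() < loss_probability:
            return acks_sent, True           # no data in it, so nobody retransmits
        if acceptable(dst, seq, ack):
            return acks_sent, False          # would resynchronize; cannot happen here
        snd_nxt, rcv_nxt = state[dst]        # receiver's own numbers are unchanged...
        acks_sent += 1
        peer = "server" if dst == "client" else "client"
        in_flight = (peer, snd_nxt, rcv_nxt)  # ...and go back out in an empty ACK
    return acks_sent, False                  # cap reached: the lossless infinite loop


def mean_storm_length(loss_probability, trials=2000):
    """Average number of ACKs per storm over many seeds."""
    return sum(ack_storm(loss_probability, seed)[0] for seed in range(trials)) / trials


if __name__ == "__main__":
    print("no loss:", ack_storm(0.0, seed=1))
    print("1% loss:", ack_storm(0.01, seed=1))
    print("mean length at 1% loss:", mean_storm_length(0.01))
```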

#36 Early Desynchronization Attack - 1
– Breaks the client-server connection during the setup stage
   – Breaks it on the server side
   – After the break, the hacker creates a new connection with a different sequence number
– Hacker listens for the SYN/ACK exchange
– Hacker then sends the server a RST, followed by a SYN with the same parameters as the client’s packet (same addresses and ports) but with a different sequence number

#37 Early Desynchronization Attack - 2
– On receipt of the hacker’s RST packet, the server closes the first connection; when the hacker’s SYN arrives it opens a new connection on the same port with a new sequence number, and sends a SYN/ACK to the original client’s address
– Hacker intercepts the server’s SYN/ACK and sends the server its own ACK packet
– Server switches to the synchronized ESTABLISHED state

#38 Early Desynchronization Attack - 3
– The client had already switched to ESTABLISHED on receipt of the first SYN/ACK from the server, so it now sits in a desynchronized session
– Attack success depends on the hacker choosing the right sequence number, i.e., the right value of CLT_TO_SVR_OFFSET
   – A wrong value makes both client and hacker packets unacceptable
   – That produces unwanted effects, including disconnection

#39 Early Desynchronization Attack - 4
– The hacker now has an established connection with the server, and looks just like the real client
– The real client cannot establish a connection on this port until the hacker disconnects, because the server believes that the client is already connected

#40 Null Data Desynchronization
– A TCP connection can be desynchronized by sending a large amount of null data to both server and client
– The null data never reaches the application (the protocol layer consumes it), but the receiver’s expected sequence number still advances by every byte
– The sheer volume of data interferes with the ability to maintain the TCP session and ultimately desynchronizes the connection

#41 Telnet Session Attack - 1
– Hacker passively monitors the session
– When appropriate, the hacker sends a large volume of null data to the server
– Hacker sends ATK_SVR_OFFSET bytes consisting of the sequence IAC NOP, repeated
   – Server interprets these as null because of the NOP
   – Telnet daemon removes each byte pair from the data stream
   – Receiving the null data advances the server’s expected sequence number by ATK_SVR_OFFSET, which breaks the Telnet session’s synchronization


#43 Telnet Session Attack - 2
– Server has now received and acknowledged the hacker’s bytes
   – SVR_ACK = CLT_SEQ + ATK_SVR_OFFSET
   – Telnet session is now desynchronized
– Same procedure is carried out against the client to desynchronize it
– Early desynchronization attack carried out
– Hacker now has a Telnet session with both server and client, and has become the “man in the middle”
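An added example of slides 41 and 43 on the server side (written for this page, not lecture material): the null-data payload, the option stripping a Telnet daemon performs, and the resulting gap between what the server acknowledges and what the client will send next. The server model and sequence numbers are constructed; the stripper handles only IAC NOP and the IAC IAC escape, which is all the attack uses.

```python
IAC = 0xFF   # Telnet "interpret as command"
NOP = 0xF1   # no operation


def null_data(length):
    """`length` bytes of IAC NOP pairs: the ATK_SVR_OFFSET bytes of slide 41."""
    if length % 2:
        raise ValueError("IAC NOP pairs: length must be even")
    return bytes([IAC, NOP]) * (length // 2)


def telnet_strip(payload):
    """What a Telnet daemon does before handing bytes to the application:
    IAC NOP pairs vanish, IAC IAC becomes one literal 0xFF byte, everything
    else passes through.  Other Telnet options are out of scope."""
    out = bytearray()
    i = 0
    while i < len(payload):
        b = payload[i]
        if b == IAC and i + 1 < len(payload):
            nxt = payload[i + 1]
            if nxt == NOP:
                i += 2
                continue
            if nxt == IAC:
                out.append(IAC)
                i += 2
                continue
        out.append(b)
        i += 1
    return bytes(out)


class TelnetServerSide:
    """Only the two things the attack touches: the sequence number the server
    expects next (SVR_ACK) and what the application behind telnetd has seen."""

    def __init__(self, rcv_nxt):
        self.rcv_nxt = rcv_nxt
        self.app_input = b""

    def receive(self, seq, payload):
        """True if the segment was accepted, False if it was discarded."""
        if seq != self.rcv_nxt:
            return False
        self.rcv_nxt = (self.rcv_nxt + len(payload)) % 2 ** 32
        self.app_input += telnet_strip(payload)
        return True


def desynchronize(attack_offset=200):
    """Returns (SVR_ACK before, SVR_ACK after, application input,
    whether the real client's next segment was accepted)."""
    clt_seq = 1000
    svr = TelnetServerSide(rcv_nxt=clt_seq)               # in sync with the client
    svr.receive(clt_seq, b"ls\r\n")
    clt_seq += 4
    before = svr.rcv_nxt
    svr.receive(svr.rcv_nxt, null_data(attack_offset))    # hacker, spoofing the client
    after = svr.rcv_nxt
    # The real client knows nothing of this and continues from its own CLT_SEQ.
    accepted = svr.receive(clt_seq, b"pwd\r\n")
    return before, after, svr.app_input, accepted


if __name__ == "__main__":
    print(desynchronize())
```

The server’s ACK moves from 1004 to 1204 while the application still only saw `ls`, so the client’s next segment, numbered 1004, is discarded: SVR_ACK = CLT_SEQ + ATK_SVR_OFFSET, exactly the condition slide 43 states.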


#45 Some Caveats
– The Telnet session has to be able to carry null data
– Timing is everything: if the null data is sent at the wrong time, the session may simply break
– If your Telnet session appears unpredictable, you might be experiencing an attack

#46 More ACK Info
– All networks lose packets, so retransmission occurs
– When an active attack such as the one just described is under way, even more retransmission occurs than in the normal course of events
– The extra packets are due to the ACK storms
– One data packet can generate a whole run of empty ACK packets

#47 Detecting Attacks
– Detect desynchronized states
   – Use a packet reader (i.e., a sniffer) to view the sequence numbers at both ends of a connection
   – The sequence numbers show whether the ends are desynchronized: each side’s SEQ should line up with the ACK the other side last sent
– Packet percentage counting
   – Collect statistics on normal network operations
   – Use the statistics to detect the packet storms (a jump in the share of empty ACK segments) that result from attacks
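Both detection ideas on the slide, run over two constructed sniffer traces (added example, not from the lecture): one of a healthy Telnet exchange and one of the ACK storm after an injection. The trace format, the addresses “C” and “S”, the sequence numbers and the 1.5× alert factor are assumptions for the example; a real detector would feed it from a capture and calibrate the baseline from the site’s own traffic.

```python
from collections import defaultdict

# Constructed traces: (time, src, dst, seq, ack, payload_len), one tuple per
# segment, as a sniffer on the segment would show them.  "C" = client, "S" = server.
NORMAL_TRACE = [
    (0.00, "C", "S", 1000, 5000, 4),    # "ls\r\n"
    (0.01, "S", "C", 5000, 1004, 0),    # ACK
    (0.02, "S", "C", 5000, 1004, 13),   # reply
    (0.03, "C", "S", 1004, 5013, 0),    # ACK
    (0.10, "C", "S", 1004, 5013, 5),    # "pwd\r\n"
    (0.11, "S", "C", 5013, 1009, 6),
    (0.12, "C", "S", 1009, 5019, 0),
]

# After an injected segment: the server expects 1209 and the client expects
# 5319, so every segment is unacceptable to its receiver and only empty ACKs flow.
STORM_TRACE = [(1.00, "C", "S", 1009, 5319, 4)] + [
    seg for i in range(5)
    for seg in ((1.01 + 0.02 * i, "S", "C", 5019, 1209, 0),
                (1.02 + 0.02 * i, "C", "S", 1013, 5319, 0))
]


def desynchronized_directions(trace, min_segments=3):
    """Slide 47, first method: compare each segment's SEQ with the latest ACK
    the receiver sent (its expectation).  A direction in which no segment ever
    meets the receiver's expectation is reported as desynchronized."""
    last_ack = {}                 # sender -> most recent ACK it sent
    seen = defaultdict(int)       # direction -> segments compared
    matched = defaultdict(int)    # direction -> segments whose SEQ met the expectation
    for _t, src, dst, seq, ack, _n in trace:
        if dst in last_ack:
            seen[(src, dst)] += 1
            if seq == last_ack[dst]:
                matched[(src, dst)] += 1
        last_ack[src] = ack
    return {d for d, n in seen.items() if n >= min_segments and matched[d] == 0}


def empty_ack_ratio(trace):
    """Share of segments that carry no data."""
    return sum(1 for seg in trace if seg[5] == 0) / len(trace)


def storm_alert(trace, baseline_ratio, factor=1.5):
    """Slide 47, second method: alert when the empty-ACK share climbs well
    above what was measured during normal operation."""
    return empty_ack_ratio(trace) > factor * baseline_ratio


if __name__ == "__main__":
    baseline = empty_ack_ratio(NORMAL_TRACE)
    for name, trace in (("normal", NORMAL_TRACE), ("storm", STORM_TRACE)):
        print(name, desynchronized_directions(trace),
              round(empty_ack_ratio(trace), 2), storm_alert(trace, baseline))
```

In the healthy trace every direction has segments whose SEQ equals the peer’s last ACK and 3 of 7 segments are empty; in the storm trace neither direction ever lines up and 10 of 11 segments are empty, so both checks fire.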

#48 Spoofing
“You can fool all of the people some of the time. You can fool some of the people all of the time. But you can’t fool all of the people all of the time.” Abraham Lincoln
Fooling most of the people most of the time is usually good enough!

#49 IP Spoofing - 1
– Hacker changes the masquerading host’s IP address to the trusted client’s address
– Hacker builds a source route to the server giving the direct path packets should take to the server and back to the hacker’s host, with the trusted client as the last hop in the route to the server
– Hacker uses the source route to send client requests to the server
– What’s wrong with this picture?

#50 IP Spoofing - 2
– Simpler approach: wait until the client system shuts down and impersonate it
   – Example: Unix NFS uses only IP addresses to authenticate clients
   – Hacker sets up a PC with the name and IP address of the legitimate client, then initiates a connection to the Unix host
   – Typical “insider” attack, as it needs knowledge of which computers are not active

#51 Spoofing (e-mail)
– Open your e-mail client
– Change the “Name” field to something else
– Change the “E-mail address” field to something else
– Delete the Incoming Mail Server address
– Delete the value of Mail Server User Name
– If you were really bad, you would find an outgoing mail server that allowed anonymous login for outgoing mail (an open relay), and put its name here
– The approach above is good enough to fool most people most of the time

#52 Automated Spoofing
– C2MYAZZ
   – Who knows what this filename refers to?
   – Hijacks the session without disrupting connectivity
   – This clever utility exploits what was intended as a feature for convenience and backwards compatibility
   – So, since this is well known, the tool must be hard to get or overtaken by events, yes?


#54 Preventing Spoofing
– Firewall packet filtering
   – Audit incoming traffic. You should never find packets with source and destination addresses in the local domain coming in from outside. BUT… this takes lots of effort
   – Don’t allow packets that appear to have originated locally to come in from outside (ingress filtering); the mirror-image rule on the way out keeps your own hosts from spoofing other people’s addresses
   – Drop source-routed packets, which takes away the route trick from slide 49
– Hard, especially when the hacker is inside: a filter at the perimeter never sees an insider impersonating another inside address
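An added example serving slides 49 and 54 (written for this page, not part of the lecture): the ingress and egress checks from the slide plus a rule that drops source-routed packets, run over a batch of constructed packets. The site prefixes, the bogon list, the packet representation and the audit function are assumptions; a real filter works on parsed IP headers at an interface, but the decision logic is the same.

```python
import ipaddress

# Assumed site layout: these are "our" prefixes.
INTERNAL = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.0.2.0/24")]
# Sources that must never arrive on the outside interface.
BOGON = [ipaddress.ip_network(p)
         for p in ("127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3")]
# IP option numbers for loose and strict source routing (RFC 791).
LSRR, SSRR = 131, 137


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def filter_packet(pkt, iface):
    """pkt: dict with 'src' and 'dst' (dotted strings) and an optional 'options'
    list of IP option numbers.  iface: 'outside' or 'inside', the interface the
    packet arrived on.  Returns (verdict, reason); every drop is worth logging,
    since a run of them is the audit signal slide 54 asks for."""
    src = ipaddress.ip_address(pkt["src"])
    options = pkt.get("options", [])
    if LSRR in options or SSRR in options:
        return "drop", "source-routed packet"             # removes the slide-49 route trick
    if iface == "outside":
        if is_internal(src):
            return "drop", "internal source address arriving from outside"
        if any(src in net for net in BOGON):
            return "drop", "bogon source address"
    else:
        if not is_internal(src):
            return "drop", "egress: source address is not ours"
    return "accept", ""


def audit(packets):
    """Runs the filter over (packet, interface) pairs and returns the drops."""
    drops = []
    for pkt, iface in packets:
        verdict, reason = filter_packet(pkt, iface)
        if verdict == "drop":
            drops.append((pkt["src"], iface, reason))
    return drops


# Constructed sample: what a few packets on each interface look like.
SAMPLE = [
    ({"src": "203.0.113.7", "dst": "192.0.2.10"}, "outside"),                    # accept
    ({"src": "192.0.2.10", "dst": "192.0.2.20"}, "outside"),                     # spoofed insider
    ({"src": "127.0.0.1", "dst": "192.0.2.10"}, "outside"),                      # bogon
    ({"src": "203.0.113.7", "dst": "192.0.2.10", "options": [LSRR]}, "outside"),  # source routed
    ({"src": "192.0.2.10", "dst": "203.0.113.7"}, "inside"),                     # accept
    ({"src": "198.51.100.99", "dst": "203.0.113.7"}, "inside"),                  # egress spoof
]

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print("DROP", *entry)
```

Note what the egress rule does and does not catch: a host inside that forges an address from another site is dropped on the way out, but an insider forging a neighbour’s address stays within the internal prefix and passes both rules, which is the “hard when the hacker is inside” point of the slide.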

#55 Buffer Overflows
– Sending oversize ICMP packets
– Sending IIS 3.0 a 4048 byte URL request
– Sending e-mail with 256-character file name attachments to Netscape/MS clients
– SMB logon to NT with incorrect data size
– Sending a Pine user an e-mail with a “from” address > 256 characters
– Connecting to a WinGate POP3 port with a user name of 256 characters

#56 What Do You Intend?
– Take over a session
   – Why?
   – What information do you want to get/put?
– Associate with a network more or less permanently
– Deny service to selected servers / networks / clients?
– Anything else?

#57 The Dreaded Cookie

#58 If You Don’t Like Cookies?
– Use a utility or your browser’s own tools to remove them (IE, and Netscape 6 and later)
   – Find them using the FIND function; they’re all over the place (especially in Windows)
   – But they keep coming back!
– In Windows, accept the ones you want, then set the C:\Windows\Cookies folder to Read Only
– In Unix, make cookies.txt zero-length and read-only

#59 How to Keep Up?
– Common Vulnerabilities and Exposures (CVE)
– CVE is
   – A dictionary, NOT a database
   – A community effort
   – Freely available
– In short, this is not a “how to hack” list

#60 What About Hacker Sites?
– Can provide an idea of the current state of affairs, and also toolkits
– BE CAREFUL!
   – What you download may come with little “surprises”
   – If you download, quarantine and test
   – These sites don’t just exist to serve hackers; some also exist to hack

#61 Summary
– TCP/IP was not designed as a secure protocol suite; as a result, it has vulnerabilities that can be exploited
– There are many ways to get access to information
– There are many types of attacks that can be mounted over network connections in order to gain unauthorized access to resources
– Never forget: the best access is hands-on

#62 Homework
1. How would you prevent post-desynchronization hijacking attacks?
2. Research attack scenarios and tools that you find in the literature or on the Internet. Describe two attack scenarios and the tools required (if any) that would enable you to break into the WPI network from outside. Don’t actually break in, or try to!!

#63 Homework
Describe how a Smurf attack works (don’t just parrot the description you find). Describe how to stop it.