CS 5950/6030 Network Security Class 28 (F, 11/4/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.

Slides:



Advertisements
Similar presentations
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Advertisements

Computer Security and Penetration Testing
NS-H /11041 Attacks. NS-H /11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
1 Reading Log Files. 2 Segment Format
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
CS 5950/6030 Network Security Class 29 (M, 11/7/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
CS 5950/6030 Network Security Class 30 (W, 11/9/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Analysis of Attack By Matt Kennedy. Different Type of Attacks o Access Attacks o Modification and Repudiation Attacks o DoS Attacks o DDoS Attacks o Attacks.
Security in Networks— Their design, development, usage… Barbara Endicott-Popovsky CSSE592/491 In collaboration with: Deborah Frincke, Ph.D. Director, Center.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Lecture 15 Denial of Service Attacks
Denial of Service Attacks: Methods, Tools, and Defenses Authors: Milutinovic, Veljko, Savic, Milan, Milic, Bratislav,
Chapter Threats in Networks Network Security / G. Steffen.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
Port Scanning.
Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Internet Control Message Protocol ICMP author -- J. Postel, September The purpose.
ICMP (Internet Control Message Protocol) Computer Networks By: Saeedeh Zahmatkesh spring.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
IIT Indore © Neminath Hubballi
Being an Intermediary for Another Attack Prepared By : Muhammad Majali Supervised By : Dr. Lo’ai Tawalbeh New York Institute of Technology (winter 2007)
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen
Network Security Introduction Some of these slides have been modified from slides of Michael I. Shamos COPYRIGHT © 2003 MICHAEL I. SHAMOS.
Final Introduction ---- Web Security, DDoS, others
CHAPTER 11 Spoofing Attack. INTRODUCTION Definition Spoofing is the act of using one machine in the network communication to impersonate another. The.
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Security News Source Courtesy:
Attacks On systems And Networks To understand how we can protect our system and network we need to know about what kind of attacks a hacker/cracker would.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
Security+ Guide to Network Security Fundamentals, Fourth Edition
TCP/IP Vulnerabilities
Lecture 20 Hacking. Over the Internet Over LAN Locally Offline Theft Deception Modes of Hacker Attack.
Security Issues in Control, Management and Routing Protocols M.Baltatu, A.Lioy, F.Maino, D.Mazzocchi Computer and Network Security Group Politecnico di.
Chapter 9 Networking & Distributed Security. csci5233 computer security & integrity (Chap. 9) 2 Outline Overview of Networking Threats Wiretapping, impersonation,
Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.
NETWORK ATTACKS Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.
Denial of Service Attacks
Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.
McLean HIGHER COMPUTER NETWORKING Lesson 13 Denial of Service Attacks Description of the denial of service attack: effect: disruption or denial of.
Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF
TCP Security Vulnerabilities Phil Cayton CSE
Attacking on IPv6 W.lilakiatsakun Ref: ipv6-attack-defense-33904http://
DoS/DDoS attack and defense
SEMINAR ON IP SPOOFING. IP spoofing is the creation of IP packets using forged (spoofed) source IP address. In the April 1989, AT & T Bell a lab was among.
Network Security Threats KAMI VANIEA 18 JANUARY KAMI VANIEA 1.
Security in network Outline Threats in network Network security controls Firewalls Intrusion detection system Secure Networks and Cryptography Example.
Lecture 17 Page 1 Advanced Network Security Network Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014.
TCP/IP1 Address Resolution Protocol Internet uses IP address to recognize a computer. But IP address needs to be translated to physical address (NIC).
Denial of Service A comparison of DoS schemes Kevin LaMantia COSC 316.
Carrie Estes Collin Donaldson.  Zero day attacks  “zero day”  Web application attacks  Signing up for a class  Hardening the web server  Enhancing.
Denail of Service(Dos) Attacks & Distributed Denial of Service(DDos) Attacks Chun-Chung Chen.
Denial-of-Service Attacks
Comparison of Network Attacks COSC 356 Kyler Rhoades.
Introduction to Information Security
Outline Basics of network security Definitions Sample attacks
Error and Control Messages in the Internet Protocol
Spoofing Basics Presentation developed by A.F.M Bakabillah Cyber Security and Networking Consultant MCSA: Messaging, MCSE RHCE ITIL CEH.
Outline Basics of network security Definitions Sample attacks
Threats in Networks Jagdish S. Gangolly School of Business
Outline Basics of network security Definitions Sample attacks
Presentation transcript:

CS 5950/6030 Network Security Class 28 (F, 11/4/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing. Third Edition by Pfleeger and Pfleeger. Using some slides courtesy of: Prof. Aaron Striegel — at U. of Notre Dame Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke — at U. Washington Prof. Jussipekka Leiwo — at Vrije Universiteit (Free U.), Amsterdam, The Netherlands Slides not created by the above authors are © by Leszek T. Lilien, 2005 Requests to use original slides for non-profit purposes will be gladly granted upon a written request.

2 7. Security in Networks Threats in Networks a)Introduction b)Network vulnerabilities c)Who attacks networks? d)Threat precursors e)Threats in transit: eavesdropping and wiretapping f)Protocol flaws g)Types of attacks 1) Impersonation 2) Spoofing 3) Message confidentiality threats 4) Message integrity threats 5) Web site attacks Class 27

Threats in Networks—PART 2  Outline a)Introduction b)Network vulnerabilities c)Who attacks networks? d)Threat precursors e)Threats in transit: eavesdropping and wiretapping f)Protocol flaws g)Types of attacks 1)Impersonation 2)Spoofing 3)Message confidentiality threats 4)Message integrity threats 5)Web site attacks...

4 g. Types of attacks g-1. Impersonation (1) Impersonation = attacker foils authentication and assumes identity of a valid entity in a communication Impersonation attack may be easier than wiretapping Types of impersonation attacks (IA): 1)IA by guessing 2)IA by eavesdropping/wiretaping 3)IA by circumventing authentication 4)IA by using lack of authentication 5)IA by exploiting well-known authentication 6)IA by exploiting trusted authentication

5 g-2. Spoofing (1) Spoofing — attacker (or attacker’s agent) pretends to be a valid entity without foiling authentication Spoof - 1. To deceive. [...] The American Heritage® Dictionary of the English Language: Fourth Edition Don’t confuse spoofing with impersonation Impersonation — attacker foils authentication and assumes identity of a valid entity Three types of spoofing: 1) Masquerading 2) Session hijacking 3) Man-in-the middle (MITM)

6 g-5. Web site attacks (1) Web site attacks – quite common due to: Visibility E.g., web site defacement – changing web site appearance Ease of attack Web site code available to attacker (Menu: View>>Source) A lot of vulnerabilities in web server s/w E.g., 17 security patches for MS web server s/w, IIS v. 4.0 in 18 months Common Web site attacks: 1) Buffer overflows 2) Dot-dot attacks 3) Exploiting application code errors 4) Server-side include

7 Class 27 ended here

8 7. Security in Networks Threats in Networks a)Introduction b)Network vulnerabilities c)Who attacks networks? d)Threat precursors e)Threats in transit: eavesdropping and wiretapping f)Protocol flaws g)Types of attacks 1) Impersonation 2) Spoofing 3) Message confidentiality threats 4) Message integrity threats 5) Web site defacement 6) Denial of service 7) Distributed denial of service 8) Threats to active or mobile code—PART 1 Class 27 Class 28

Threats in Networks—PART 3  Outline a)Introduction b)Network vulnerabilities c)Who attacks networks? d)Threat precursors e)Threats in transit: eavesdropping and wiretapping f)Protocol flaws g)Types of attacks 1)Impersonation 2)Spoofing 3)Message confidentiality threats 4)Message integrity threats 5)Web site attacks 6)Denial of service (attack on availability) 7)Distributed denial of service (attack on availability) 8)Threats to active or mobile code 9)Scripted and complex attacks h)Summary of network vulnerabilities

10 g-6. Denial of service (attack ov avail.) (1)  Service can be denied: A) due to (nonmalicious) failures  Examples:  Line cut accidentally (e.g., by a construction crew)  Noise on a line  Node/device failure (s/w or h/w failure)  Device saturation (due to nonmalicious excessive workload/ or traffic)  Some of the above service denials are short-lived and/or go away automatically (e.g., noise, some device saturations) B) due to denial-of-service (DoS) attacks = attacks on availab.  DoS attacks include: 1)Physical DoS attacks 2)Electronic DoS attacks

11 Denial of service (2) 1)Physical DoS attacks – examples:  Line cut deliberately  Noise injected on a line  Bringing down a node/device via h/w manipulation 2)Electronic DoS attacks – examples: (2a) Crashing nodes/devices via s/w manipulation  Many examples discussed earlier (2b) Saturating devices (due to malicious injection of excessive workload/ or traffic) Includes: (i) Connection flooding (ii)Syn flood (2c) Redirecting traffic Includes: (i) Packet-dropping attacks (incl. black hole attacks) (ii)DNS attacks

12 Denial of service (3) (i)Connection flooding = flooding a connection with useless packets so it has no capacity to handle (more) useful packets  ICMP (Internet Control Msg Protocol) - designed for Internet system diagnostic (3rd class of Internet protocols next to TCP/IP & UDP) ICMP msgs can be used for attacks  Some ICMP msgs: - echo request – source S requests destination D to return data sent to it (shows that link from S to D is good) - echo reply – response to echo request sent from D to S - destination unreachable – msg to S indicating that packet can’t be delivered to D - source quench – S told to slow down sending msgs to D (indicates that D is becoming saturated) Note: ping sends ICMP „echo request” msg to destination D. If D replies with „echo reply” msg, it indicates that D is reachable/functioning (also shows msg round-trip time).

13 Denial of service (4) Note: Try ping/echo on MS Windows: (1) Start>>All Programs>>Accessories>>Command Prompt (2) ping (try: cs.wmich.edu)  Example attacks using ICMP msgs (i1) Echo-chargen attack - chargen protocol – generates stream of packets; used for testing network - Echo-chargen attack example 1: (1) attacker uses chargen on server X to send stream of echo request packets to Y (2) Y sends echo reply packets back to X This creates endless „busy loop” beetw. X & Y - Echo-chargen attack example 2: (1) attacker uses chargen on X to send stream of echo request packets to X (2) X sends echo reply packets back to itself

14 Denial of service (5) (i2) Ping of death attack, incl. smurf attack - Ping of death example : (1) attacker uses ping after ping on X to flood Y with pings (ping uses ICMP echo req./reply) (2) X responds to pings (to Y) This creates endless „busy loop” beetw. X & Y Note: In cases (i1-Ex.1) & (i2): - if X is on 10 MB connection and path to victim Y is 100 MB, X can’t flood Y - if X is on 100 MB connection and path to victim Y is 10 MB, X can easily flood Y - Smurf attack example: (1) attacker spoofs source address of ping packet sent fr. X – appears to be sent by Z (2) att. broadcasts spoofed pkt to N hosts (3) all N hosts echo to Z – flood it

15 Denial of service (6) (ii)Syn flood DoS attack  Attack is based on properties/implementation of a session in TCP protocol suite  Session = virtual connection between protocol peers  Session established with three-way handshake (S = source, D = destination) as follows:  S to D: SYN  D to S: SYN+ACK  S to D: ACK  Now session between S and D is established  D keeps SYN_RECV queue which tracks connections being established for which it has received no ACK  Normally, entry is in SYN_RECV for a short time  If no ACK received within time T (usu. k minutes), entry discarded (connection establ. times out)

16 Denial of service (7)  Normally, size of SYN_RECV (10-20) is sufficient to accommodate all connections under establishment  Syn flood attack scenario  Attacker sends many SYN requests to D (as if starting 3-way handshake)  Attacker never replies to D’s SYN+ACK packets  D puts entry for each unanswered SYN+ACK packet into SYN_RECV queue  With many unanswered SYN+ACK packets, SYN_RECV queue fills up  When SYN_RECV is full, no entries for legitimate unanswered SYN+ACK packets can be put into SYN_RECV queue on D => nobody can establish legitim. connection with D

17 Denial of service (8)  Modification 1 of syn flood attack scenario: attacker spoofs sender’s address in SYN packets sent to D  Question: Why?

18 Denial of service (9)  Modification 1 of syn flood attack scenario: attacker spoofs sender’s address in SYN packets sent to D  Question: Why?  Answer: To mask packet’s real source, to cover his tracks  Modification 2 of syn flood attack scenario: attacker makes each spoofed sender’s address in SYN packets different  Question: Why?

19 Denial of service (10) ...  Modification 2 of syn flood attack scenario: attacker makes each spoofed sender’s address in SYN packets different  Question: Why?  Answer: If all had the same source, detection of attack would be simpler (too many incomplete connection requests coming from the same source look suspicious)

20 Denial of service (11) (2c) Redirecting traffic (incl. dropping redirected packets) (i) Redirecting traffic by advertising a false best path  Routers find best path for passing packets from S to D  Routers advertise their conections to their neighbors (cf. Disemination of routing information—class 24, slide 19; ALSO: P&P, p.380—Routing Concepts + Fig. 7-2)  Example of traffic redirection attack:  Router R taken over by attacker  R advertises (falsely) to all neighbors that it has the best (e.g., shortest) path to hosts H1, H2,..., Hn  Hosts around R forward to R all packets addressed to H1, H2,..., Hn  R drops some or all these packets drops some => packet-dropping attack drops all => black hole attack (black hole attack is spec. case of pkt-drop. attack)

21 Denial of service (12) (ii) Redirecting traffic by DNS attacks  Domain name server (DNS)  Function: resolving domain name = converting domain names into IP addresses  E.g., aol.com   DNS queries other DNSs (on other hosts) for info on unknown IP addresses  DNS caches query replies (addresses) for efficiency  Most common DNS implementation: BIND s/w (BIND = Berkeley Internet Name Domain) a.k.a. named (named = name daemon)  Numerous flaws in BIND  Including buffer overflow  Attacks on DNS (e.g., on BIND)  Overtaking DNS / fabricating cached DNS entries  Using fabricated entry to redirect traffic

22 g-7. Distributed denial of service (attack on availability)  DDoS = distributed denial of service  Attack scenario: 1) Stage 1:  Attacker plants Trojans on many target machines  Target machines controlled by Trojans become zombies 2) Stage 2:  Attacker chooses victim V, orders zombies to attack V  Each zombie launches a separate DoS attack  Different zombies can use different DoS attacks  E.g., some use syn floods, other smurf attacks  This probes different weak points  All attacks together constitute a DDoS  V becomes overwhelmed and unavailable => DDoS succeeds [Fig. courtesy of B. Endicott-Popovsky]

23 g-8. Threats to active or mobile code (1)  Active code / mobile code = code pushed by server S to a client C for execution on C  Why S doesn’t execute all code itself? For efficiency.  Example: web site with animation  Implementation 1 — S executing animation  Each new animation frame must be sent from S to C for display on C => uses network bandwidth  Implementation 2 — S sends animation code for execution to C  C executes animation  Each new animation frame is available for dispaly locally on C  Implementation 2 is better: saves S’s processor time and network bandwidth

24 Threats to active or mobile code (2)  Isn’t active/mobile code a threat to client’s host? It definitely is a threat (to C-I-A)!  Kinds of active code: 1) Cookies 2) Scripts 3) Active code 4) Automatic execution by type 1) Cookies = data object sent from server S to client C that can cause unexpected data transfers from C to S Note: Cookie is data file not really active code! Cookies typically encoded using S’s key (C can’t read them)

25 Threats to active or mobile code (3) Example cookies a - from google.com, b - from wmich.edu a) PREF ID=1e73286f27d23c88:TM= :LM= :S=gialJ4YZeKozAsGT google.com/ * b) CPSESSID wmich.edu/ * WebCTTicket wmich.edu/ * Note: Both cookies are „doctored” for privacy reasons.

26 Threats to active or mobile code (4) Types of cookies: Per-session cookie Stored in memory, deleted when C’s browser closed Persistent cookie Stored on disk, survive termination of C’s browser Cookie can store anything about client C that browser running on C can determine, including: User’s keystrokes Machine name and characteristics Connection details (incl. IP address)...

27 Threats to active or mobile code (5) Legitimate role for cookies: Providing C’s context to S Date, time, IP address Data on current transaction (incl. its state) Data on past transactions (e.g., C user’s shopping preferences)... Illegitimate role for cookies: Spying on C Collecting info for impersonating user of C who is target of cookie’s info gathering Attacker who intercepts X’s cookie can easily impersonate X in interactions with S Philosophy behind cookies: Trust us, we know what’s good for you! Hmm... They don’t trust you (encode cookie) but want you to trust them.

28 End of Class 28

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.