Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information."— Presentation transcript:

1 Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information Security Risks, Part I Module 1: Denial of Service Attacks Module 2: Network Intrusions –Spoofing  Module 3: Network Intrusions –Session Hijacking, ARP Poisoning, etc. Module 4: Software Vulnerabilities Module 5: Malicious Code Module 6: Summary

2 Module 3 Network Intrusion (Others)

3 Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 3 Students should be able to: –Recognize different mechanisms for ARP Poisoning and Session Hijacking. –Identify vulnerabilities associated with these types of attacks. –Decide upon defenses to protect against these attacks. Network Attacks Learning Objectives

4 Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 4 Each node connected to the Ethernet LAN has two addresses MAC address & IP address MAC address is hardwired into the specific network interface card (NIC) of the node –MAC addresses are globally unique and with this address the Ethernet protocol sends the data back and forth. –Ethernet builds data frames that contain the MAC address of the source and destination computer. IP address is a virtual address and is assigned by software. –IP communicates by constructing packets which are different from frame structure. –These packets are delivered by the network layer (Ethernet) that splits the packets into frames, adds an Ethernet header and sends them to a network component. Network Attacks ARP

5 Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 5 IP and Ethernet work together. Packets are sent over Ethernets. –Ethernet devices do not understand the 32-bit IPv4 addresses. –They transmit Ethernet packets with 48-bit Ethernet addresses. An Ethernet frame is built from IP packet, but for the construction of Ethernet frame the MAC address of the destination computer is required. An IP driver must translate an IP destination address into an Ethernet destination address. –The Address Resolution Protocol (ARP) is used to determine these mappings. –For efficiency the ARP allows the address translation to be cached in the routers. Network Attacks ARP

6 Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 6 There is considerable risk here if un trusted nodes have write access to the local net. Such a machine could emit phony ARP queries or replies and divert all traffic to itself; it could then either impersonate some machines or simply modify the data streams en passant. This is called ARP spoofing Network Attacks ARP

7 Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 7 In ARP poisoning the hacker updates the target computer’s ARP cache with a forged ARP request and reply packets in an effort to change the MAC address to one that the attacker can monitor. –Since ARP replies are forged, the target computer sends frames that were meant for the original destination to the attacker’s computer first so the frames can be read. A successful ARP attempt is invisible to the user Network Attacks ARP Poisoning

8 Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 8 Static ARP table entries –Scalability Issues Critical Machines Only Separation of Servers and Workstations –Permanent not always permanent RFC compliance Network Segmentation –Economic Factors –Added Complexity Attack Detection –Packet Anomalies –ARP Traffic Anomalies Ethernet Fields\ARP fields do not match Monitor for ARP Reply\Request matches Monitor ARP traffic for abnormally high percentages of certain MAC addresses Network Attacks ARP Poisoning

9 Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 9 Definition: Hacker takes over an existing active session and exploits the existing trust relationship Process: –User makes a connection to the server by authenticating using his user ID and password. –After the user authenticates, the user has access to the server as long as the session lasts. –Hacker takes the user offline by denial of service –Hacker gains access to the user by impersonating the user Typical Behaviors: Attacker usually monitors the session, periodically injects commands into session and can launch passive and active attacks from the session. Network Attacks Session Hijacking: Definitions

10 Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 10 Network Attacks Session Hijacking: Process Bob telnets to Server Bob authenticates to Server Bob Attacker Server Die!Hi! I am Bob Protection: –Use Encryption –Use a secure protocol –Limit incoming connections –Minimize remote access –Have strong authentication

11 Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 11 Reliable Transport –At sending end file broken to packets –At receiving end packets assembled into files Sequence numbers are 32-bit counters used to: –Tell receiving machines the correct order of packets –Tell sender which packets are received and which are lost Receiver and Sender have their own sequence numbers Session Hijacking Process

12 Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 12 When two parties communicate the following are needed: –IP addresses –Port Numbers –Sequence Number IP addresses and port numbers are easily available –Hacker usually has to make educated guesses of the sequence number –Once attacker gets server to accept the guessed sequence number he can hijack the session. Session Hijacking Process

13 Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 13 Juggernaut –Network sniffer that that can also be used for hijacking –Get from http://packetstorm.securify.com Hunt –Can be use to listen, intercept and hijack active sessions on a network –http://lin.fsid.cvut.cz/~kra/index.html TTY Watcher –Freeware program to monitor and hijack sessions on a single host –http://www.cerias.purdue.edu IP Watcher –Commercial session hijacking tool based on TTY Watcher –http://www.engrade.com Session Hijacking Popular Programs

14 Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 14 Use Encryption Use a secure protocol Limit incoming connections Minimize remote access Have strong authentication Session Hijacking Protection

15 Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 15 The network protocols were not designed with intrinsic security –Weaknesses in the protocols can be exploited to launch attacks Two attacks that have been discussed –ARP Attacks –Session Hijacking attacks Network Intrusions (Other) Summary

Download ppt "Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information."

Similar presentations

Module X Session Hijacking

Module X Session Hijacking
ARP Spoofing.

ARP Spoofing.
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
A Client Side Defense against Address Resolution Protocol (ARP) Poisoning George Mason University INFS 612, Spring 2013 Group #3 (C. Blair, N. Eisele,

A Client Side Defense against Address Resolution Protocol (ARP) Poisoning George Mason University INFS 612, Spring 2013 Group #3 (C. Blair, N. Eisele,
1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.

1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.

Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
 As defined in RFC 826 ARP consists of the following messages ■ ARP Request ■ ARP Reply.

 As defined in RFC 826 ARP consists of the following messages ■ ARP Request ■ ARP Reply.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
NISNet Winter School Finse 2008 1 Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology

NISNet Winter School Finse Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn 2004-2005.

Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 1 v3.0 Module 9 TCP/IP Protocol Suite and IP Addressing.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 1 v3.0 Module 9 TCP/IP Protocol Suite and IP Addressing.
OSI Model Routing Connection-oriented/Connectionless Network Services.

OSI Model Routing Connection-oriented/Connectionless Network Services.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Chapter 4: Managing LAN Traffic

Chapter 4: Managing LAN Traffic
Computer Security and Penetration Testing

Computer Security and Penetration Testing
CCNA 1 v3.0 Module 9 TCP/IP Protocol Suite and IP Addressing

CCNA 1 v3.0 Module 9 TCP/IP Protocol Suite and IP Addressing

Similar presentations

Ads by Google