
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.





2 Security

3 Identifying security attacks’ targets
- Scanning (probing)
  – Ping messages (to know if a potential victim exists)
  – Supervisory messages (to know if the victim is available)
  – Tracert, Traceroute (to know how to get to the target)
http://www.netscantools.com/nstpro_netscanner.html

4 Identifying security attacks’ targets
- Examining scanning results reveals:
  – IP addresses of potential victims
  – What services victims are running; different services have different weaknesses
  – Host’s operating system, version number, etc.

5 Denial of Service (DoS) attacks
- Types of DoS attacks:
  – Flooding DoS
  – Smurf Flooding DoS
  – Ping of Death attacks
  – LAND attacks
  – Distributed Denial of Service attacks

6 Flooding DoS
- Send a stream of request messages to the target
- Makes the target run very slowly or crash
- Objective is to have the target deny service to legitimate users
[Diagram: attacker sends DoS requests to the server while a legitimate user’s legitimate request goes unanswered]

7 Smurf Flooding DoS
- Attacker uses IP spoofing (false source IP address in outgoing messages)
- Attacker sends ping / echo messages to third-party computers on behalf of the target
- All third-party computers respond to the target

8 Ping of Death attacks
- Take advantage of:
  – The fact that TCP/IP allows large packets to be fragmented
  – Some operating systems’ inability to handle packets larger than 65,536 bytes
- Attacker sends a request message that is larger than 65,536 bytes
- Ping of Death attacks are usually single-message DoS attacks
- Ping of Death attacks are rare today, as most operating systems have been fixed to prevent this type of attack from occurring
http://insecure.org/sploits/ping-o-death.html

9 LAND attacks
- First appeared in 1997
- Attacker uses IP spoofing (false source IP address in outgoing messages)
- Attacker sends IP packets in which the source and destination addresses both refer to the target itself
- LAND attacks are usually single-message DoS attacks
- At the time, operating systems and routers were not designed to deal with this loopback
- The problem resurfaced recently with Windows XP and Windows 2003 Server

10 Distributed DoS (DDoS) Attack
[Diagram: attacker sends attack commands to computers with Zombie programs, which send DoS messages to the server]
- Attacker hacks into multiple clients and plants Zombie programs on them
- Attacker sends commands to the Zombie programs, which execute the attacks
- First appeared in 2000 with the Mafiaboy attack against cnn.com, ebay.com, etrade.com, dell.com, etc.

11 Review Questions
1) What is the difference between DoS and DDoS?
2) What kinds of tools/techniques could be used during the scanning process by a hacker?
3) Are Ping of Death attacks and LAND attacks both examples of single-message DoS attacks?
4) What kind of techniques or defense systems could be used to protect a system against (a) intercepting messages, (b) malware or content attacks?
5) What is the difference between a worm, a Trojan horse, and a logic bomb?
6) What kind of malware could harm a host computer by consuming processor time and random access memory?

12 Security Goals
- CIA is the key word in implementing security:
  – Confidentiality of communications
  – Integrity of data
  – Availability of network services and resources

13 Packet Filter Firewall
[Diagram: arriving packets from the Internet pass through the packet filter firewall into the corporate network and are either permitted or denied; the headers shown are IP-H | TCP-H / UDP-H | Application Message, and IP-H | ICMP Message]
Examines the content of the IP header, TCP header, UDP header, and the content of ICMP supervisory messages

14 Application (Proxy) Firewall
- Application firewalls, also known as proxy firewalls
  – Examine Application layer messages to check for illicit content
- Application firewalls and packet filter firewalls are complementary
  – In terms of what part of a message they examine
[Diagram: IP-H | TCP-H / UDP-H | Application Message]
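The two slides above say that a packet filter looks only at the IP, TCP, UDP and ICMP headers while a proxy firewall looks at the Application layer message, and that the two are complementary. The following example, added here and not part of the original slides, models both layers on constructed packets: a first-match rule table over header fields (with a default deny), followed by a content check on the payload. The corporate address range 10.0.0.0/8, the server addresses, the rule table and the "illicit content" patterns are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


# Only the header fields a packet filter examines, plus the payload that only an
# application (proxy) firewall looks at. All packets built below are constructed.
@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMP type (8 = echo request, 0 = echo reply)
    payload: bytes = b""             # Application layer message


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: Optional[str] = None      # None matches any protocol
    src_net: Optional[str] = None    # CIDR; None matches any source address
    dst_net: Optional[str] = None    # CIDR; None matches any destination address
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """A rule matches when every field it specifies equals the packet's field."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return True


CORP_NET = "10.0.0.0/8"  # assumed corporate address space (constructed)

# Rules for packets arriving from the Internet; first match wins, default deny.
RULES = [
    # An inbound packet claiming an inside source address is spoofed (the IP
    # spoofing used by Smurf and LAND attacks), so it is dropped on the IP header alone.
    Rule("deny", src_net=CORP_NET),
    # Inbound echo requests are the ping probes used in scanning; drop them.
    Rule("deny", proto="icmp", icmp_type=8, dst_net=CORP_NET),
    Rule("permit", proto="tcp", dst_net="10.0.0.5/32", dport=80),  # assumed public web server
    Rule("permit", proto="tcp", dst_net="10.0.0.7/32", dport=25),  # assumed mail server
]


def packet_filter(pkt: Packet, rules=RULES) -> Tuple[str, str]:
    """Header-only decision: the action of the first matching rule, else deny."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, f"rule {i}"
    return "deny", "default deny"


# Content patterns the proxy layer rejects; constructed for the example.
ILLICIT = [b"<script", b"../"]


def application_firewall(pkt: Packet) -> Tuple[str, str]:
    """Application-layer decision: look inside the message, not the headers."""
    body = pkt.payload.lower()
    for pattern in ILLICIT:
        if pattern in body:
            return "deny", f"illicit content {pattern!r}"
    return "permit", "application message clean"


def inspect(pkt: Packet, rules=RULES) -> Tuple[str, str]:
    """Run the complementary checks in order: headers first, then content."""
    action, why = packet_filter(pkt, rules)
    if action == "deny":
        return action, f"packet filter: {why}"
    action, why = application_firewall(pkt)
    return action, f"application firewall: {why}"


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "10.0.0.5", "icmp", icmp_type=8),
        Packet("10.0.0.9", "10.0.0.5", "tcp", dport=80),
        Packet("198.51.100.7", "10.0.0.5", "tcp", dport=22),
        Packet("198.51.100.7", "10.0.0.5", "tcp", dport=80, payload=b"GET /index.html HTTP/1.1\r\n"),
        Packet("198.51.100.7", "10.0.0.5", "tcp", dport=80, payload=b"GET /<script>x</script> HTTP/1.1\r\n"),
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.proto, p.dport or p.icmp_type, inspect(p))
```

The ordering matters: the packet filter is cheap and rejects most unwanted traffic on headers alone, and only packets it permits are handed to the content check, which is the only layer that can see the Application layer message.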

15 Intrusion Detection Systems
- Software or hardware device that
  – Captures network activity data in log files
  – Generates alarms in case of suspicious activities
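An IDS raises alarms from logged network activity, and the DoS slides above describe exactly the kinds of activity it looks for: LAND and Ping of Death are single-message signatures, while flooding and DDoS are rates. The following example, added here and not part of the original slides, runs that detection logic over a constructed one-line-per-packet log. The log format, the 10-second window, the thresholds and all addresses are assumptions for the example; the 65,535-byte limit is the maximum length an IPv4 datagram can carry, which is why the slide's "larger than 65,536 bytes" packets are malformed.

```python
import re
from collections import defaultdict

# Largest length an IPv4 datagram can legally have. The slide quotes 65,536 as
# the size older stacks could not handle; anything reassembling beyond 65,535
# is malformed, and that is the Ping of Death signature.
MAX_IP_DATAGRAM = 65535

# Hypothetical log format used by this example: "t=<sec> src=<ip> dst=<ip> proto=<p> len=<bytes>"
LOG_RE = re.compile(
    r"t=(?P<t>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) len=(?P<len>\d+)"
)


def parse(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["t"] = int(rec["t"])
    rec["len"] = int(rec["len"])
    return rec


def detect(lines, window=10, flood_threshold=20, ddos_sources=5):
    """Return a list of (alert_kind, destination, detail) tuples.

    Single-message signatures (LAND, Ping of Death) are checked per packet.
    Flooding is a rate, so packets are bucketed by destination and time window;
    a bucket over the threshold is a flood, and a flood fed by many distinct
    sources is reported as distributed (DDoS) rather than a single-source DoS.
    """
    alerts = []
    buckets = defaultdict(list)  # (dst, window index) -> list of source addresses
    for rec in filter(None, map(parse, lines)):
        if rec["src"] == rec["dst"]:
            alerts.append(("LAND", rec["dst"], f"src == dst at t={rec['t']}"))
        if rec["len"] > MAX_IP_DATAGRAM:
            alerts.append(("PING_OF_DEATH", rec["dst"],
                           f"{rec['len']}-byte datagram from {rec['src']}"))
        buckets[(rec["dst"], rec["t"] // window)].append(rec["src"])
    for (dst, idx), sources in sorted(buckets.items()):
        if len(sources) < flood_threshold:
            continue
        distinct = set(sources)
        kind = "DDOS_FLOOD" if len(distinct) >= ddos_sources else "FLOOD"
        alerts.append((kind, dst,
                       f"{len(sources)} packets from {len(distinct)} source(s) "
                       f"in window starting t={idx * window}"))
    return alerts


# Constructed sample log (not real traffic): a benign packet, one LAND packet,
# one oversized datagram, a single-source flood and a many-source flood.
SAMPLE_LOG = (
    ["t=1 src=10.0.0.20 dst=10.0.0.5 proto=tcp len=60",
     "t=2 src=10.0.0.5 dst=10.0.0.5 proto=tcp len=40",
     "t=3 src=198.51.100.4 dst=10.0.0.5 proto=icmp len=65540"]
    + [f"t={i // 3} src=203.0.113.9 dst=10.0.0.5 proto=icmp len=84" for i in range(30)]
    + [f"t={20 + i // 3} src=203.0.113.{10 + i} dst=10.0.0.6 proto=udp len=512" for i in range(30)]
)

if __name__ == "__main__":
    for kind, dst, detail in detect(SAMPLE_LOG):
        print(f"ALERT {kind:14} dst={dst:10} {detail}")
```

The single-source flood and the distributed flood differ only in how many distinct sources share the bucket, which is the practical answer to the first review question below: the zombies in a DDoS make the traffic look like many independent clients, so a per-source rate limit alone does not catch it.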

16 Review Questions
1) What are the three main security goals?
2) What parts of incoming messages do packet filter firewalls examine?
3) (a) What parts of incoming messages do application firewalls examine? (b) What do they look for? Answer: (a) Application layer messages, (b) illicit content
4) What kind of techniques or defense systems could be used to protect a system against (a) intercepting messages, (b) malware or content attacks?
5) What could an IDS be used for?

17 Summary Questions
- Jason sends a message to Kristin using public key encryption. (a) What key will Jason use to encrypt the message? (b) What key will Kristin use to decrypt the message? (c) What key will Kristin use to encrypt the reply? (d) What key will Jason use to decrypt the reply? (e) Can the message and reply be long messages? Explain.
  Answer: (a) Jason will encrypt the message with Kristin’s public key. (b) Kristin will use her own private key to decrypt the message. (c) Kristin will use Jason’s public key to encrypt the reply. (d) Jason will use his own private key to decrypt the reply. (e) No, public key encryption can only encrypt short messages.
- Does public key encryption have a problem with secure key exchange for the public key? Explain.
  Answer: There is no problem distributing the public key, because it does not have to be distributed securely. You can even find companies’ public keys on their websites.
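The Jason/Kristin question above is easiest to check by running it. The following example, added here and not part of the original slides, is textbook RSA with fixed, publicly known Mersenne primes so that no key-generation code is needed: it shows which key each party uses for each step and why one public-key operation only carries a short message (the message, read as a number, must be smaller than the key's modulus). Everything here is an assumption for teaching purposes: the primes are far too small for real use, and there is no padding, so this must not be mistaken for how a real library encrypts.

```python
# Textbook RSA on small, well-known primes. Teaching code only: no padding,
# no randomness, tiny keys.


def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as ((n, e), (n, d)) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+); requires gcd(e, phi) == 1
    return (n, e), (n, d)


def max_message_bytes(public_key) -> int:
    """Largest message (in whole bytes) whose integer value is guaranteed below n."""
    n, _ = public_key
    return (n.bit_length() - 1) // 8


def encrypt(public_key, message: bytes) -> int:
    """Encrypt with the RECIPIENT's public key; refuse messages too long for one block."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError(
            f"{len(message)}-byte message too long for this key "
            f"(at most {max_message_bytes(public_key)} bytes per block)")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Decrypt with the recipient's own private key.

    Leading zero bytes of the original message are not recoverable from the
    integer, which a real scheme handles with padding; the demo avoids them.
    """
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Mersenne primes 2^31-1, 2^61-1, 2^19-1 and 2^89-1 are known primes; chosen so the
# example runs offline without a primality test. 65537 divides 2^k-1 only when
# 32 divides k, so gcd(e, phi) == 1 for both key pairs.
KRISTIN_PUB, KRISTIN_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
JASON_PUB, JASON_PRIV = make_keypair(2**19 - 1, 2**89 - 1)


def exchange(message: bytes, reply: bytes):
    """Jason -> Kristin, then Kristin -> Jason; return what each recipient read."""
    # (a) Jason encrypts with Kristin's public key.
    c1 = encrypt(KRISTIN_PUB, message)
    # (b) Kristin decrypts with her own private key.
    read_by_kristin = decrypt(KRISTIN_PRIV, c1)
    # (c) Kristin encrypts the reply with Jason's public key.
    c2 = encrypt(JASON_PUB, reply)
    # (d) Jason decrypts with his own private key.
    read_by_jason = decrypt(JASON_PRIV, c2)
    return read_by_kristin, read_by_jason


if __name__ == "__main__":
    print(exchange(b"Hi Kristin", b"Hi Jason"))
    print("Kristin's key takes at most", max_message_bytes(KRISTIN_PUB), "bytes per block")
    try:
        encrypt(KRISTIN_PUB, b"A" * 12)  # (e) one block too long for this key
    except ValueError as err:
        print("rejected:", err)
```

Note that only the public keys KRISTIN_PUB and JASON_PUB are passed to encrypt, which is exactly why they can be published on a website: knowing (n, e) lets anyone encrypt to the owner but does not let them decrypt.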

18 Network Management

19 Summary Questions (Part 1)
1) List the main elements in centralized network management.
2) Does the Manager communicate directly with the managed devices? Explain.
3) Explain the difference between a managed device and objects.
4) Where is the MIB (database) stored?

20 Summary Questions (Part 2)
1) In Manager-Agent communications, what device creates commands? Responses? Traps?
2) Explain the two types of commands.
3) What is a trap?




