EE579T/7 #1 Spring 2001 © 2000, 2001, Richard A. Stanley WPI

Network Security 7: An Introduction to Network-Based Attacks
Prof. Richard A. Stanley
2
EE579T/7 #2 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Thought for the Day “Everything should be made as simple as possible. But not simpler.” Albert Einstein
3
EE579T/7 #3 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Overview of Tonight’s Class Review last week’s lesson Look at network security in the news Course project outlines Network attacks
4
EE579T/7 #4 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Last Week... Protocols exist to provide end-to-end security over the Internet and other hop-by- hop networks The existence of such protocols is not a guarantee of security Steganography is one way for information to leak out of a system Steganography can be very hard to find, but it is very easy to implement at low cost
5
EE579T/7 #5 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Network Security Last Week- 1 Gnutella worm finds new way to squirm into PCs Government e-security measures inadequate, according to some experts Germany closer to finalizing regulations that would allow monitoring every e-mail Security hole in Java may expose servers
6
EE579T/7 #6 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Network Security Last Week- 2 New flaw discovered in Lotus Domino Consultant tells CEOs and COOs that most security problems come from within a company, for financial or political gain Last year businesses throughout the world lost $1.6 trillion due to computer down time resulting from security breaches and virus attacks (Mary Pat McCarthy, Vice Chairwoman, KPMG)
7
EE579T/7 #7 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Network Security Last Week- 3 Harvard's Dr. Michael Rabin claims he has developed an unbreakable encryption technique using a disposable key and that he has mathematical proof of its security Verizon administrative error causes e-mail outage OfficeMax customer data, including credit card numbers, forwarded to other shoppers
8
EE579T/7 #8 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Network Security Last Week- 4 Columbia House breach exposes customer information Home page redirections on the rise Hacker downloads names, SSN’s of 3,000 University of Indiana students e-commerce and Internet risks rank as number one European risk concern and number two concern of US risk managers
9
EE579T/7 #9 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Course Projects - 1 1. Port scanning technology –Sullivan, Toomey 2. Extensible authentication protocol –Mizar, Hirsch, Tummala 3. Honey Pot –Kaps, Gaubatz 4. Wired/Wireless security comparison –Azevedo, Nguyen, H. Tummala
10
EE579T/7 #10 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Course Projects - 2 5. SOHO network security –Davis, Syversen, Kintigh 6. Sniffing switched networks –Michaud, Lindsay, VanRandwyk 7. Broadband access security –Sumeet, Nirmit, Harsh 8. Trojan Horse security –Aparna, Subramanian
11
EE579T/7 #11 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Course Projects - 3 9. Java security –Malloy 10. Router security –Mansour, 11. DDoS Security –Gorse, Pushee 12. Network Security Processors –McLaren, Brown
12
EE579T/7 #12 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Projects -4 13. Network cryptography –Lee
13
EE579T/7 #13 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Schedule Options Exam on 5 April + 1-2 projects, balance on 12, 19 April Exam on 12 April, with projects week before and after, and 1-2 after exam on 12th Others?
14
EE579T/7 #14 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Network Based Attacks Oldies and Goodies--It Isn’t Magic
15
EE579T/7 #15 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Word of Warning Some of the attacks about to be described are as old as network attacks themselves –This doesn’t make studying them a waste of time –There is nothing new under the sun -- old attacks keep popping up in new clothes “Those who do not study history are condemned to repeat it.” George Santayana
16
EE579T/7 #16 Spring 2001 © 2000, 2001, Richard A. Stanley WPI TCP Review
17
EE579T/7 #17 Spring 2001 © 2000, 2001, Richard A. Stanley WPI
18
EE579T/7 #18 Spring 2001 © 2000, 2001, Richard A. Stanley WPI TCP Actions Assumes IP addresses are valid and correct If sequence number received sequence number expected, packet is refused (discarded), system waits for correctly numbered packet
19
EE579T/7 #19 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Sequence Number Prediction Determine server’s IP address –Sniffing packets –Trying host numbers in order –Connect w/browser, observe address in status Try addresses in the server’s address space Monitor packet sequence numbers Predict and spoof the next sequence number –Hacker now appears to be a legitimate user
20
EE579T/7 #20 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Purpose, Detection & Defense Once on net as an internal user, hacker can use net as a base for other attacks, or to access information on the net just spoofed Detection: look for sequential “Access denied” entries in the audit log Prevention: if available, enable real-time notification of large number of sequential access denial entries
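The detection rule on this slide, worked through as an added example (not from the lecture): scan audit-log lines and report any source whose run of consecutive "Access denied" entries, uninterrupted by a success and within a short window, reaches a threshold. The log line format, the sample lines and the per-source bookkeeping are this example's assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit-log lines (not from the lecture). The line format
# "<ISO timestamp> <source address> Access denied|granted" is an assumption.
SAMPLE_LOG = """\
2001-03-29T21:00:01 10.0.0.5 Access denied
2001-03-29T21:00:02 10.0.0.5 Access denied
2001-03-29T21:00:02 10.0.0.9 Access granted
2001-03-29T21:00:03 10.0.0.5 Access denied
2001-03-29T21:00:04 10.0.0.5 Access denied
2001-03-29T21:00:04 10.0.0.5 Access denied
2001-03-29T21:05:00 10.0.0.7 Access denied
2001-03-29T21:05:01 10.0.0.7 Access granted
2001-03-29T21:05:02 10.0.0.7 Access denied
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) Access (denied|granted)$")

def parse_audit_log(text):
    """Yield (timestamp, source, denied) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3) == "denied"

def sequential_denials(text, threshold=3, window=timedelta(seconds=10)):
    """Return {source: longest run} for sources whose run of consecutive
    denials reaches `threshold`. A granted entry from the same source ends
    its run; a denial more than `window` after the run began starts a new run.
    Tracking runs per source (rather than over the whole log) is this example's choice."""
    runs = {}       # source -> (time the current run began, denials so far)
    flagged = {}
    for ts, src, denied in parse_audit_log(text):
        if not denied:
            runs.pop(src, None)      # a success breaks the sequence for this source
            continue
        start, count = runs.get(src, (ts, 0))
        if ts - start > window:      # stale run: that burst has ended, start over
            start, count = ts, 0
        count += 1
        runs[src] = (start, count)
        if count >= threshold:
            flagged[src] = max(flagged.get(src, 0), count)
    return flagged

if __name__ == "__main__":
    print(sequential_denials(SAMPLE_LOG))   # {'10.0.0.5': 5}
```

The threshold and window are the knobs to tune against the "real-time notification" baseline the slide mentions; a single denial followed by a success, as for 10.0.0.7 above, is never reported.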
21
EE579T/7 #21 Spring 2001 © 2000, 2001, Richard A. Stanley WPI IP Spoofing
22
EE579T/7 #22 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Passive Sniffing Hacker obtains access to network segment; observes and analyzes traffic –Unauthorized access to legitimate computer –Unauthorized added NIC on segment Purpose: gather intelligence, read traffic Defense: –Secure authentication schemes (Kerberos) –Data encryption
23
EE579T/7 #23 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Desynchronization Attacks Hacker forces both ends of TCP session into a desynchronized state Hacker then uses a third-party host (a computer connected to the physical segment under attack) to intercept original packets and create acceptable replacement packets that mimic the real ones that would have been exchanged NB: desynchronized disconnected
24
EE579T/7 #24 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Post-Desynchronization Hijacking - 1 Assume: –hacker can listen to any packet exchanged on a TCP session –hacker can forge any kind of IP packet desired and replace the original with it –session has been desynchronized
25
EE579T/7 #25 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Post-Desynchronization Hijacking - 2 Client sends packet header with –SEG_SEQ = CLT_SEQ –SEG_ACK = CLT_ACK Because session has been desynchronized, client packet sequence number (CLT_SEQ) will never equal server’s expected sequence number (SVR_ACK) Server therefore discards packet
26
EE579T/7 #26 Spring 2001 © 2000, 2001, Richard A. Stanley WPI
27
EE579T/7 #27 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Post-Desynchronization Hijacking - 3 Hacker copies server-discarded packet Hacker waits to give server time to discard the packet Sends server same packet the client did, but changes SEG_ACK, SEG_SEQ, & checksum to: –SEG_SEQ = SVR_ACK –SEG_ACK = SVR_SEQ
28
EE579T/7 #28 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Post-Desynchronization Hijacking - 4 The sequence numbers are now correct, so the server accepts the packet the hacker sent Hacker must produce sequence data so that –SEG_SEQ = (SEG_SEQ + CLT_TO_SVR_OFFSET) –SEG_ACK = (SEG_ACK - SVR_TO_CLT_OFFSET) Where –CLT_TO_SVR_OFFSET = SVR_ACK - CLT_SEQ –SVR_TO_CLT_OFFSET = CLT_ACK - SVR_SEQ
29
EE579T/7 #29 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Post-Desynchronization Hijacking - 5 Hacker now interposed between true client and server All packets now routed through hacker machine, so any desired commands can be added to / removed from the payload Server responds to both client & hacker requests; hacker filters his requests and sends client requests to true client
30
EE579T/7 #30 Spring 2001 © 2000, 2001, Richard A. Stanley WPI
31
EE579T/7 #31 Spring 2001 © 2000, 2001, Richard A. Stanley WPI
32
EE579T/7 #32 Spring 2001 © 2000, 2001, Richard A. Stanley WPI
33
EE579T/7 #33 Spring 2001 © 2000, 2001, Richard A. Stanley WPI ACK Storm Primary flaw of desynchronization attack Receipt of unacceptable packet generates ACK packet to source with expected sequence number –First ACK packet from server contains server’s own sequence number –Client refuses packet, because it did not initially send the modified-request packet –Client now sends its own ACK packet, and...
34
EE579T/7 #34 Spring 2001 © 2000, 2001, Richard A. Stanley WPI The End of the Storm In theory, the ACK storm is an infinite loop BUT… –If ACK packet lost, no further ACK is sent, because the packet contains no data payload –TCP communicates over a lossy network (i.e. packets will get lost) –With non-zero packet loss, storm quickly ends –Self-regulating
35
EE579T/7 #35 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Early Desynchronization Attack -1 Breaks client-server connection during the setup stage –Breaks on server side –After break, hacker creates new connection with a different sequence number Hacker listens for SYN/ACK exchange Hacker then sends server a RST, then SYN/ACK with same parameters as client packet, but with different sequence number
36
EE579T/7 #36 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Early Desynchronization Attack -2 On receipt of hacker’s RST packet, server closes first connection, and opens new connection on same port, but with a new sequence number when it receives hacker SYN. Sends SYN/ACK to original client. Hacker intercepts server SYN/ACK and sends server its own ACK packet Server switches to synchronized connection ESTABLISHED state
37
EE579T/7 #37 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Early Desynchronization Attack -3 Client had already switched to ESTABLISHED state on receipt of first SYN/ACK from server Attack success depends on hacker choosing correct value of CLT_TO_SVR_OFFSET –Wrong value makes both client and hacker packets unacceptable –Produces unwanted effects, including disconnect
38
EE579T/7 #38 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Early Desynchronization Attack -4 The hacker now has an established connection with the server, and looks just like the real client Real client cannot establish a connection on this port until the hacker disconnects, because the server believes that the client is already connected
39
EE579T/7 #39 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Null Data Desynchronization TCP connection can be desynchronized by sending large amount of null data to both server and client Data not visible to client Sheer volume of data interferes with ability to maintain the TCP session, and ultimately desynchronizes connection
40
EE579T/7 #40 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Telnet Session Attack - 1 Hacker passively monitors session When appropriate, hacker sends large volume of null data to server Hacker sends ATK_SVR_OFFSET bytes containing sequence IAC NOP –Server interprets these as null due to NOP –Telnet daemon removes each byte pair from data stream –Reception of null data interrupts Telnet session
41
EE579T/7 #41 Spring 2001 © 2000, 2001, Richard A. Stanley WPI
42
EE579T/7 #42 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Telnet Session Attack - 2 Server has now received commands –SVR_ACK = CLTSEQ + ATK_SVR_OFFSET –Telnet session now desynchronized Same procedure carried out with client to desynchronize Early desynchronization attack carried out Hacker now establishes Telnet session with server and client, becomes “man in middle”
43
EE579T/7 #43 Spring 2001 © 2000, 2001, Richard A. Stanley WPI
44
EE579T/7 #44 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Some Caveats Telnet session has to be able to carry null data Timing is everything -- if null data sent at wrong time, session may simply break If your Telnet session appears unpredictable, you might be experiencing an attack
45
EE579T/7 #45 Spring 2001 © 2000, 2001, Richard A. Stanley WPI More ACK Info All networks lose packets, so retransmission occurs When an active attack such as described before occurs, even more retransmission occurs than in the normal course of events Extra packets due to the ACK storms One data packet can generate 10-300 empty ACK packets
46
EE579T/7 #46 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Detecting Attacks Detect desynchronized states –Use packet reader (i.e., a sniffer) to view sequence numbers at both ends of a connection –Sequence numbers show if desynchronized Packet percentage counting –Collect statistics on normal network operations –Use statistics to detect packet storms resulting from attacks
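Both detection methods on this slide, as an added example that is not part of the lecture: from sniffed sequence/ACK numbers at the two ends it computes the CLT_TO_SVR_OFFSET and SVR_TO_CLT_OFFSET defined on the hijacking slides (both are 0 when synchronized), and it compares the empty-ACK-per-data-packet ratio against a baseline taken from normal traffic. The packet records and sequence numbers are constructed; the desynchronized capture models the Telnet case where the server expects ATK_SVR_OFFSET = 4 bytes the client never sent.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str     # "client" or "server"
    seq: int     # SEG_SEQ
    ack: int     # SEG_ACK
    length: int  # payload bytes; 0 means an empty (data-less) ACK

# Constructed captures (not from the lecture). Sequence numbers are small for readability.
SYNCHRONIZED = [
    Pkt("client", 1000, 5000, 10),   # client sends 10 bytes
    Pkt("server", 5000, 1010, 20),   # server acks them and sends 20 bytes
    Pkt("client", 1010, 5020, 0),    # client acks; nothing in flight now
]
DESYNCHRONIZED = [                   # server now expects 4 bytes the client never sent
    Pkt("client", 1010, 5020, 5),
    Pkt("server", 5020, 1019, 0),    # SVR_ACK = 1015 + 4: unacceptable to the client
] + [Pkt("client", 1015, 5020, 0), Pkt("server", 5020, 1019, 0)] * 3  # ACK storm

def endpoint_state(packets):
    """Lecture notation from the last packet seen from each end: the next SEQ a
    side will send is its last seq + length, so CLT_SEQ/SVR_SEQ are those values.
    Assumes no data is in flight at the snapshot; while a segment is unacknowledged
    the offset is transiently non-zero, which is not desynchronization."""
    last = {p.src: p for p in packets}
    c, s = last["client"], last["server"]
    return {"CLT_SEQ": c.seq + c.length, "CLT_ACK": c.ack,
            "SVR_SEQ": s.seq + s.length, "SVR_ACK": s.ack}

def offsets(state):
    """The two offsets defined on the hijacking slides; both are 0 when synchronized."""
    return {"CLT_TO_SVR_OFFSET": state["SVR_ACK"] - state["CLT_SEQ"],
            "SVR_TO_CLT_OFFSET": state["CLT_ACK"] - state["SVR_SEQ"]}

def is_desynchronized(packets):
    return any(v != 0 for v in offsets(endpoint_state(packets)).values())

def empty_ack_ratio(packets):
    """Empty ACKs per data packet: the statistic for 'packet percentage counting'."""
    data = sum(1 for p in packets if p.length > 0)
    empty = sum(1 for p in packets if p.length == 0)
    return empty / data if data else float("inf")

def ack_storm(packets, baseline_packets, factor=5.0):
    """Flag a storm when the empty-ACK ratio exceeds `factor` times the baseline
    measured on normal traffic (the lecture cites 10-300 empty ACKs per data packet)."""
    return empty_ack_ratio(packets) > factor * empty_ack_ratio(baseline_packets)
```

On a real capture, take the snapshot for `endpoint_state` when the connection is idle, since in-flight data makes the offset non-zero for a round trip without anything being wrong.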
47
EE579T/7 #47 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Spoofing “You can fool all of the people some of the time. You can fool some of the people all of the time. But you can’t fool all of the people all of the time.” Abraham Lincoln Fooling most of the people most of the time is usually good enough!
48
EE579T/7 #48 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Spoofing-1 Hacker changes masquerade host IP address to the trusted client’s address Hacker builds source route to server with direct path packets should take to/from server and back to hacker’s host, with trusted client as last hop in route to server Hacker uses source route to send client request to server
49
EE579T/7 #49 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Spoofing -2 Simpler approach: wait until client system shuts down and impersonate the system –Example: Unix NFS uses IP addresses only to authenticate clients –Hacker sets up PC with name and IP address of legitimate client, then initiates connection to Unix host –Typical “insider” attack, as needs knowledge of which computers are not active
50
EE579T/7 #50 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Spoofing E-mail Open your email client Change the “Name” field to something else Change the “Email address” to something else Delete the Incoming Mail Server address Delete the value of Mail Server User Name If you were really bad, you would find an outgoing mail server that allowed anonymous login for outgoing mail, and put its name here The approach above is good enough to fool most people most of the time
51
EE579T/7 #51 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Automated Spoofing C2MYAZZ –Who knows to what this filename refers? –Hijacks session without disrupting connectivity –This clever utility exploits what was intended as a feature for convenience and backwards compatibility –So, since this is well-known, the tool must be hard to get or overtaken by events, yes?
52
EE579T/7 #52 Spring 2001 © 2000, 2001, Richard A. Stanley WPI
53
EE579T/7 #53 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Preventing Spoofing Firewall packet filtering –Audit incoming traffic. You should never find packets with source and destination addresses in the local domain coming in from outside. BUT…this takes lots of effort –Don’t allow packets that appear to have originated locally to come in from outside Hard, especially when hacker is inside
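The filtering rule on this slide (the ingress-filtering idea later written up as RFC 2827 / BCP 38) as an added example, not from the lecture: a packet that arrives on the outside interface carrying one of our own addresses as its source is refused and logged, and the audit lists exactly those entries. The site prefixes, interface names and sample traffic are constructed; note that the rule says nothing about traffic already inside, which is the slide's closing point.

```python
import ipaddress

# Constructed site layout (not from the lecture): the address blocks this site owns.
LOCAL_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")]

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    # `in` is False across IP versions, so v4 and v6 prefixes can be mixed safely.
    return any(ip in net for net in LOCAL_PREFIXES)

def ingress_decision(src, dst, iface):
    """Border-filter decision for one packet. Only packets arriving on the
    outside interface are judged; a locally sourced packet seen there is the
    'appears to have originated locally' case the slide says must be refused."""
    if iface != "outside":
        # The rule has nothing to say about traffic that is already inside,
        # which is exactly why it does not help against an insider.
        return ("accept", "internal interface, rule not applicable")
    if is_local(src):
        return ("drop", "local source address arriving from outside")
    if not is_local(dst):
        return ("drop", "destination is not a local address")
    return ("accept", "external source to local destination")

# Constructed audit input: (source, destination, arrival interface).
SAMPLE_TRAFFIC = [
    ("198.51.100.7", "192.0.2.10", "outside"),   # normal inbound
    ("192.0.2.5", "192.0.2.10", "outside"),      # spoofed: our address from outside
    ("192.0.2.5", "192.0.2.10", "inside"),       # insider traffic, not covered
    ("2001:db8::1", "2001:db8::2", "outside"),   # spoofed IPv6 source
    ("203.0.113.9", "198.51.100.1", "outside"),  # not addressed to us at all
]

def audit(traffic):
    """Return the entries the slide says you should never find, with the reason."""
    drops = []
    for src, dst, iface in traffic:
        action, reason = ingress_decision(src, dst, iface)
        if action == "drop":
            drops.append((src, dst, reason))
    return drops

if __name__ == "__main__":
    for entry in audit(SAMPLE_TRAFFIC):
        print(*entry)
```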
54
EE579T/7 #54 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Buffer Overflows Sending oversize ICMP packets Sending IIS 3.0 a 4048 byte URL request Sending email with 256-character file name attachments to Netscape/MS email clients SMB logon to NT with incorrect data size Sending Pine user an email with “from” address > 256 characters Connect to WinGate POP3 port with user name of 256 characters
55
EE579T/7 #55 Spring 2001 © 2000, 2001, Richard A. Stanley WPI What Do You Intend? Take over a session –Why? –What information do you want to get/put? Associate with a network more or less permanently Deny service to selected servers / networks / clients? Anything else?
56
EE579T/7 #56 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Summary TCP/IP was not intended as a secure protocol; as a result, it has vulnerabilities that can be exploited There are many types of attacks that can be mounted over network connections in order to gain unauthorized access to resources Never forget, the best access is hands-on
57
EE579T/7 #57 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Homework - 1 1. How would you prevent post- desynchronization hijacking attacks? 2. Research attack scenarios and tools that you find in literature or on the Internet. Describe two attack scenarios and the tools required (if any) that would enable you to break into the WPI network from outside. Don’t actually break in, or try to!!
58
EE579T/7 #58 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Homework - 2 3. Describe how a SMURF attack works (don’t just parrot the textbook description). Describe how to stop it.
59
EE579T/7 #59 Spring 2001 © 2000, 2001, Richard A. Stanley WPI Assignment for Next Week Read course text, Chapter 14 Next week’s topic: More Network-Based Attacks