Basic Elements of Attacks and Their Detection
Contents
– Elements of TCP/IP addressing
– Layers in Internet communication
– Phases of an attack
Elements of TCP/IP addressing
IP address
– IPv4: a 32-bit number usually presented as 4 dotted decimal fields: field1.field2.field3.field4. Example: 194.147.191.31
– IPv6: a 128-bit number arranged as 8 groups of 16 bits each, separated by colons. Example: 00DC:BA02:5644:A201:1FAB:BA5C:7000:001D
  – A run of all-zero groups can be replaced by a double colon (::)
– All IPv4 addresses fit in the rightmost 8 hexadecimal digits (32 bits) of an IPv6 address, e.g. IPv6 ::C293:BF1F is IPv4 194.147.191.31 (C2 in hex = 194 in decimal, etc.)
Elements of TCP/IP addressing
– Encapsulation is extensively used in packet data transmission
  – A lower level protocol is seen as data at the immediately higher level
  – These levels are called layers.
Layers in Internet communication
– Layers relevant for Internet packet communication:
  – Hardware (link) layer
  – IP layer
  – Protocol (transport) layer
  – Application layer
Layers in Internet communication
Hardware (link) layer
– Interfaces with the network hardware (e.g. Ethernet, IEEE 802.11, etc.)
– Packets are physically sent/received here
– Handles information specific to the local hardware (e.g. MAC address).
Layers in Internet communication
IP layer
– Implements the IP protocol
– Reads IP addresses
– IP is unreliable: no guarantee whatsoever that a packet will arrive
– Packets may be broken into fragments if necessary, and this layer handles the fragmentation.
Layers in Internet communication
IP header (diagram)
Layers in Internet communication
IP header fields
– Version (4 bits): IP version number (4 or 6).
– Length (4 bits): number of 4-byte words in the header (maximum 60 bytes).
– Type of service (1 byte): routing preference:
  – Minimize delay
  – Maximize throughput
  – Maximize reliability
  – Minimize monetary cost.
Layers in Internet communication
IP header fields (cont.)
– Total Packet Length (2 bytes): total number of bytes of the IP datagram.
– Identification (2 bytes): unique identifier for the packet.
– Flags (3 bits): flags indicating fragmentation status.
– Fragment Offset (13 bits): offset of the fragment within the original packet.
Layers in Internet communication
IP header fields (cont.)
– Time to Live (1 byte): how many routers the packet is allowed to traverse.
– Protocol (1 byte): code indicating which protocol is used in the protocol header.
– Header Checksum (2 bytes): error-checking code to ensure the header is not corrupted in transit.
Layers in Internet communication
IP header fields (cont.)
– Source IP Address (4 bytes): address of the source host.
– Destination IP Address (4 bytes): address of the destination host.
– Options: rarely used nowadays and often not implemented at all.
Layers in Internet communication
Protocol (transport) layer
– Reliability of communication is implemented here.
– TCP, UDP or ICMP may be implemented at this level, unlike the IP layer where only IP packets may exist.
Layers in Internet communication
TCP protocol
– Provides a reliable mode of communication between applications
– Implements "ports"
– Two-way communication
– Implements a communication "channel" with mechanisms to ensure packets arrive or are resent as needed.
– Web, ftp, telnet, SSH and e-mail use TCP.
Layers in Internet communication
TCP header (diagram)
Layers in Internet communication
TCP header fields
– Source Port (2 bytes): communications port number of the source application
– Destination Port (2 bytes): communications port number for the destination application
– Sequence Number (4 bytes): unique number for the packet (sequential within the session)
Layers in Internet communication
TCP header fields (cont.)
– Acknowledgement Number (4 bytes): like the sequence number.
– Length (4 bits): length of the header in 4-byte words.
– Reserved (6 bits): reserved bits.
– Flags (6 bits): flags controlling the communications session.
Layers in Internet communication
TCP header fields (cont.)
– Window Size (2 bytes): number of bytes in the transfer buffer.
– Checksum (2 bytes): checksum for the TCP header.
– Urgent Pointer (2 bytes): control for emergency aborts.
– Options: various options.
Layers in Internet communication
UDP protocol
– Provides a mode of communication between applications
– Each packet has a "port" number that indicates the application
– Does not implement any guarantees of service.
– One-way communication
– Applications must implement the necessary checks themselves.
Layers in Internet communication
UDP header (diagram)
Layers in Internet communication
UDP header fields
– Source Port (2 bytes): communications port number; 65,536 possible values
– Destination Port (2 bytes): communications port number for the destination application; usually fixed for a given application (80 – Web)
– Length (2 bytes): total length of the UDP datagram in bytes
– Checksum (2 bytes): checksum for the UDP header.
Layers in Internet communication
ICMP protocol
– The control and error message mechanism for the Internet
– Each packet has a type/code indicator telling what kind of information is in the packet
– Different types of ICMP packets have slightly different headers/data
– Automatically generated (almost always).
Layers in Internet communication
ICMP header (diagrams: ordinary ICMP header; echo request/reply)
Layers in Internet communication
ICMP header fields
– Type (1 byte): type of control message the packet represents (0 – echo reply, 8 – echo request, 3 – destination unreachable, etc.)
– Code (1 byte): indicator of which sub-type of message the packet contains
– Checksum (2 bytes): checksum for the ICMP header.
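The IP, TCP, UDP and ICMP header fields listed on the slides above, decoded from raw bytes, as an added example that is not part of the original presentation. The packet is constructed inline (a TCP SYN from the slides' example address 194.147.191.31 to an assumed host 10.0.0.5); the function and field names are the example's own.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields from the slides, then the TCP/UDP/ICMP header it carries."""
    vihl, tos, total_len, ident, ff, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4                  # header length field counts 4-byte words
    hdr = {"version": vihl >> 4, "header_len": ihl, "tos": tos, "total_len": total_len,
           "id": ident, "flags": ff >> 13, "frag_offset": ff & 0x1FFF, "ttl": ttl,
           "protocol": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
           "checksum_ok": checksum(pkt[:ihl]) == 0}   # a valid header sums to zero
    payload = pkt[ihl:total_len]
    if proto == 6:                           # TCP
        sport, dport, seq, ack, off_flags, win, _, urg = struct.unpack("!HHIIHHHH", payload[:20])
        hdr["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                      "data_offset": (off_flags >> 12) * 4, "flags": off_flags & 0x3F,
                      "window": win, "urgent": urg}
    elif proto == 17:                        # UDP
        sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
        hdr["udp"] = {"sport": sport, "dport": dport, "length": ulen}
    elif proto == 1:                         # ICMP
        typ, code, _ = struct.unpack("!BBH", payload[:4])
        hdr["icmp"] = {"type": typ, "code": code, "checksum_ok": checksum(payload) == 0}
    return hdr

def build_sample() -> bytes:
    """Constructed sample packet: IPv4 (DF set, TTL 64) carrying a TCP SYN to port 80."""
    src, dst = bytes([194, 147, 191, 31]), bytes([10, 0, 0, 5])
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]   # fill in header checksum
    return ip + tcp
```

Flipping any byte of the sample header makes `checksum_ok` false, which is the "not corrupted in transit" check the slide describes.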
Layers in Internet communication
Application layer
– Applications run at this level, i.e. application protocols are implemented here
– Common applications: Web, ftp, e-mail, telnet, SSH, ...
Layers in Internet communication
Protocol headers give information about:
– source and destination
– protocol details
– application
The data give information about:
– login and password information
– commands attempted
– files accessed.
Phases of an attack
Four phases in the attacking process:
– Planning phase
– Reconnaissance phase
– Attack phase
– Post-attack phase.
The attack process is in general cyclic:
– After completing an attack, another attack is planned, an extension of the previous one.
Phases of an attack (diagram)
Phases of an attack
Planning phase
– Can take many different forms.
– The attacker often makes use of the system in its intended manner before making the attack.
– Example: the attacker may sign up for an account on an online e-commerce system or log onto a public server.
– This type of publicly available legitimate access helps the attacker define the scope and goals of the attack.
Phases of an attack
Planning phase (cont.)
– After the initial preparation is complete, the attacker decides on the scope of the attack.
– The attacker may have various goals:
  – Denial of service
  – Escalation of legitimate privileges
  – Unauthorized access
  – Data manipulation
– The motivation behind an attack often dictates which of these goals are chosen.
Phases of an attack
Reconnaissance phase
– The attacker next gathers information on, or performs reconnaissance of, the targeted network.
– The attacker carries out a variety of different inquiries with the goal of pinpointing a specific method of attack (port scanning, etc.)
– The goal of the attacker in this phase is to narrow down the field of thousands of possible exploits to a small number of vulnerabilities that are specific to the targeted host/network.
Phases of an attack
Reconnaissance phase (cont.)
– The attacker attempts to make this reconnaissance as hard to notice as possible.
– Even so, there are many different means of reconnaissance, and some of them can be detected by an intrusion detection system.
– Sources of information for the attacker:
  – Legitimate public data (forums, public databases, public monitoring tools, etc.)
  – Vulnerability scanning (ping, TCP connect, OS and version scanning, etc.)
Phases of an attack
Attack phase
– The traffic generated by attacks can take many different forms.
– Types of attacks:
  – Denial of service
  – Remote exploits
  – Trojans and backdoor programs
  – Misuse of legitimate access
Phases of an attack
Attack phase (cont.)
– Denial of service (DoS)
  – Any attack that disrupts the function of a system so that legitimate users can no longer access it.
  – Possible on most network equipment: routers, servers, firewalls, remote access machines, etc.
  – Can be specific to a service (e.g. an FTP attack) or target an entire machine.
  – Categories of DoS:
    – Resource depletion
    – Malicious packet attacks.
Phases of an attack
Attack phase (cont.)
– Denial of service (DoS) (cont.)
  – Resource depletion DoS attack
    – Functions by flooding a service with so much normal traffic that legitimate users cannot access the service.
    – An attacker inundating a service with normal traffic can exhaust finite resources such as bandwidth, memory and processor cycles.
    – Examples: SYN flood, Smurf, etc.
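Detection logic for two behaviours the slides say an IDS can pick up: the port scanning of the reconnaissance phase and the SYN-flood form of resource-depletion DoS. This is an added example, not part of the original presentation; the connection records are constructed, and the sliding-window thresholds are assumptions that a real deployment would tune.

```python
from collections import defaultdict

# Constructed sample of TCP connection attempts: (time_s, src, dst, dport, state)
# state "S" = SYN seen, never completed (half-open); "SA" = handshake completed.
SCAN_SRC = "203.0.113.9"
SAMPLE_FLOWS = (
    # one source walking ten ports on one host inside a second
    [(0.1 * i, SCAN_SRC, "10.0.0.5", p, "SA" if p in (80, 443) else "S")
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080])]
    + [(1.0, "192.0.2.7", "10.0.0.5", 80, "SA"), (1.2, "192.0.2.8", "10.0.0.5", 80, "SA")]
    # many (spoofed-looking) sources sending SYNs to one service, none completing
    + [(2.0 + i * 0.01, "198.51.100.%d" % (i % 50 + 1), "10.0.0.5", 80, "S") for i in range(200)]
)

def detect_port_scan(flows, window=5.0, min_ports=10):
    """Flag (src, dst) where one source touches >= min_ports distinct ports within window seconds."""
    recent = defaultdict(list)   # (src, dst) -> [(t, dport), ...] inside the window
    alerts = set()
    for t, src, dst, dport, _ in flows:   # flows are assumed sorted by time
        q = recent[(src, dst)]
        q.append((t, dport))
        while t - q[0][0] > window:       # drop records that fell out of the window
            q.pop(0)
        if len({p for _, p in q}) >= min_ports:
            alerts.add((src, dst))
    return sorted(alerts)

def detect_syn_flood(flows, window=5.0, min_syns=100, max_completed=0.2):
    """Flag (dst, dport) seeing >= min_syns SYNs in window seconds with a low completion ratio."""
    recent = defaultdict(list)   # (dst, dport) -> [(t, state), ...] inside the window
    alerts = set()
    for t, _, dst, dport, state in flows:
        q = recent[(dst, dport)]
        q.append((t, state))
        while t - q[0][0] > window:
            q.pop(0)
        completed = sum(1 for _, s in q if s == "SA")
        if len(q) >= min_syns and completed / len(q) <= max_completed:
            alerts.add((dst, dport))
    return sorted(alerts)
```

The scanner is identified by the spread of destination ports from one source; the flood by volume and a low share of completed handshakes, which is why spoofed source addresses do not hide it.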
Phases of an attack
Attack phase (cont.)
– Denial of service (DoS) (cont.)
  – Malicious packet DoS attacks
    – Function by sending abnormal traffic to a host to cause the service or the host itself to crash.
    – Occur when software is not properly coded to handle abnormal or unusual traffic.
    – Such traffic can cause software to react unexpectedly and crash.
    – Attackers can use these attacks to bring down even an IDS.
    – Examples: Microsoft FTP DoS, SNORT ICMP DoS, etc.
Phases of an attack
Attack phase (cont.)
– Denial of service (DoS) (cont.)
  – Malicious packet DoS attacks (cont.)
    – In addition to unusual traffic, malicious packets can contain payloads that cause a system to crash.
    – A packet's payload is taken as input by a service.
    – If this input is not properly checked, the application can be brought down.
Phases of an attack
Attack phase (cont.)
– Denial of service (DoS) (cont.)
  – DoS attacks commonly utilize spoofed IP addresses, because the attack is successful even if the response is misdirected.
  – The attacker requires no response and, in cases like the Smurf attack, wants at all costs to avoid a response.
  – This can make DoS attacks difficult to defend against, and even more difficult to detect.
Phases of an attack
Attack phase (cont.)
– Remote exploits
  – Attacks designed to take advantage of improperly coded software to compromise and take control of a vulnerable host.
  – Can function in the same manner as the malicious-payload DoS attacks.
  – Take advantage of improperly checked input or configuration errors.
  – Examples: buffer overflow, Unicode exploit, cookie poisoning, SQL injection, etc.
Phases of an attack
Attack phase (cont.)
– Trojans and backdoor programs
  – By installing a backdoor program or a Trojan, an attacker can bypass normal security controls and gain privileged unauthorized access to a host.
  – A backdoor program can be deployed on a system in a variety of different ways, e.g. a malicious software engineer can add a backdoor into legitimate software code.
  – Backdoor programs might be added for legitimate maintenance reasons in the software development life cycle, but later forgotten.
Phases of an attack
Attack phase (cont.)
– Trojans and backdoor programs (cont.)
  – A Trojan is defined as software that is disguised as a benign application.
  – Remote control Trojans typically listen on a port like a genuine application. Through this open port, an attacker controls them remotely.
  – Trojans can be used to perform any number of functions on the host.
Phases of an attack
Attack phase (cont.)
– Trojans and backdoor programs (cont.)
  – Some Trojans include port-scanning and DoS features. Others can take screen and webcam captures and send them back to the attacker.
  – Trojans and backdoor programs have traditionally listened on a TCP or UDP port, making it easy to detect them and undertake countermeasures.
Phases of an attack
Attack phase (cont.)
– Trojans and backdoor programs (cont.)
  – Because of that, Trojans have evolved so that they no longer need to listen on a TCP or UDP port.
  – Instead, they listen for a specific sequence of events before processing commands.
  – It may be a combination of predetermined source addresses, TCP header information, or false destination ports that do not match a listening service.
Phases of an attack
Attack phase (cont.)
– Misuse of legitimate access
  – Attackers often attempt to gain unauthorized use of legitimate accounts by obtaining authentication information.
  – This can be performed by means of technical and/or social engineering methods.
  – IDS, especially anomaly detection ones, may be used to detect such activities.
Phases of an attack
Post-attack phase
– After an attacker has successfully penetrated a host on the targeted network, the further actions he will take are in general unpredictable.
– In this phase, the attacker carries out his plan and makes use of information resources as he considers appropriate.
Phases of an attack
Post-attack phase (cont.)
– Possible post-attack activities:
  – Covering tracks
  – Penetrating deeper into the network infrastructure
  – Using the host to attack other networks
  – Gathering, manipulating, or destroying data
  – Handing over the host to a friend or a hacker group
  – Walking or running away without doing anything.