Isys20261 lecture 07


  1. Computer Security Management (ISYS20261)
     Lecture 7 - Network-based Attacks (2)
     Module Leader: Dr Xiaoqi Ma
     School of Science and Technology
  2. Last week …
     • Network-based attacks
     • Primary aims: to
       – forge or steal data
       – gain unauthorised access to a system
       – force system downtime
     • Means
       – Sniffing data
       – Redirecting data
     • Preparatory activities
       – Reconnaissance
       – Scanning
     • Packet sniffing
     (Computer Security Management, page 2)
  3. Today ...
     • IP address spoofing
     • Man-in-the-middle attack
     • Denial-of-service attack (DoS)
       – SYN flooding
       – Smurf attack
       – Distributed Denial of Service attack (DDoS)
  4. IP address spoofing (1)
     • Used to hide the identity of an attacker and to gain access by exploiting existing trust between host systems
     • Takes advantage of a security weakness in the TCP/IP protocol:
       – The attacker forges the source IP address information in every IP packet with a different address
       – It appears that the packet was sent by a different computer
     • Can be used for
       – Denial-of-Service attacks
       – Session hijacking
       – Man-in-the-Middle attacks
  5. IP address spoofing (2)
     • TCP/IP protocol (figure: sending host on the left, receiving host on the right, each layer adding or stripping its own header):
       – Application Layer: Data
       – Transport Layer: TCP 1 | TCP 2 (TCP header prepended to each segment)
       – Network Layer: IP | TCP 1, IP | TCP 2 (IP header, which carries the source and destination addresses, prepended)
       – Data Link Layer: Ethernet | IP | TCP 1, Ethernet | IP | TCP 2
       – Physical Layer
  6. IP address spoofing (3)
     • IP address spoofing is mainly used to defeat network security
       – firewall rules that rely on IP address-based authentication
       – IP address-based (trust-based) access control
       – etc.
     • The attacker needs to know about the established trust between systems (see the reconnaissance and scanning phase!)
     • Difficulties with IP address spoofing:
       – any reply is sent to the forged IP address!
       – it is difficult to guess the sequence number
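Slides 4 to 6 describe the weakness from the sender's side: the source address is just a field the sender fills in. The usual network-side countermeasure is ingress filtering at the border router (BCP 38 / RFC 2827): check the claimed source against the interface the packet physically arrived on. The following Python is an added example, not part of the lecture; the internal prefix 192.0.2.0/24 and the interface flag are constructed assumptions, and the header builder exists only so the parser has something to parse offline.

```python
import ipaddress
import struct

# Constructed assumption for the demo: the address block that sits behind the
# border router. Any packet arriving from outside that claims a source in this
# block has a forged source address, since nothing outside owns those addresses.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte header, no options


def build_ipv4_header(src: str, dst: str, proto: int = 6, payload_len: int = 0) -> bytes:
    """Build a minimal IPv4 header for the demo (checksum left at zero).

    The source field is four bytes the sender writes itself, which is exactly
    the weakness the slides describe: nothing in the header proves it."""
    version_ihl = (4 << 4) | 5
    return struct.pack(
        IPV4_HDR,
        version_ihl, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def parse_ipv4_header(raw: bytes) -> dict:
    """Extract the network-layer fields an ingress filter looks at."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (version_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HDR, raw[:20])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "ttl": ttl,
        "proto": proto,
        "total_len": total_len,
    }


def ingress_verdict(raw: bytes, arrived_on_external: bool) -> str:
    """Anti-spoofing rule in the style of BCP 38 / RFC 2827.

    The filter never trusts the source field on its own; it checks it against
    the interface the packet arrived on. The same rule in the other direction
    (egress) stops our own hosts from emitting packets with foreign sources."""
    src = parse_ipv4_header(raw)["src"]
    if src.is_loopback or src.is_multicast or src.is_unspecified:
        return f"DROP: {src} is not a valid unicast source"
    if arrived_on_external and src in INTERNAL_NET:
        return f"DROP: external packet claims internal source {src}"
    if not arrived_on_external and src not in INTERNAL_NET:
        return f"DROP: internal host sent packet with foreign source {src}"
    return "ACCEPT"
```

Ingress filtering cannot tell a forged external address from a real one, so it does not stop every spoofed packet; what it does is remove the class of spoofing the slides care about most, an outside packet that claims to be a trusted inside host.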
  7. IP address spoofing (4)
     • TCP uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection
     • The attacker normally can't see any reply packets, hence they have to guess the sequence number in order to hijack a connection
     • Poor implementation in many older operating systems means that TCP sequence numbers can be predicted
     • If sequence numbers are compromised, data could be sent to the target blindly, e.g. creating a new user account using host-based authentication services
     • Two different types of IP address spoofing
       – non-blind
       – blind
  8. Non-Blind Spoofing
     • The attacker is on the same subnet as the victim
     • Sequence and acknowledgement numbers can be observed (sniffed), so there is no need to calculate them
     • Biggest threat of non-blind spoofing: session hijacking
       – corrupting the data stream of an established connection
       – re-establishing it, with the correct sequence and acknowledgement numbers, from the attack machine
     • Using this technique, an attacker could effectively bypass any authentication measures taken when the connection was set up
  9. Blind Spoofing
     • Sequence and acknowledgement numbers cannot be observed
     • To get around this, several packets are sent to the target machine in order to sample sequence numbers
     • In the past, machines used basic techniques for generating sequence numbers
     • It was relatively easy to discover the exact formula by studying packets and TCP sessions (sequence guessing)
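Slides 7 to 9 turn on one property: how much of a guess an observer has to make about the next initial sequence number (ISN). The metric below is the kind a defender runs against their own stack when auditing it (it is the idea behind the ISN predictability score in scanners): sample ISNs, look at the differences between consecutive ones, and measure how often a naive "last value plus last delta" guess would have been right. This is an added example, not from the lecture; both generators are constructed stand-ins (a fixed-increment one for the older behaviour the slides describe, a seeded random one for a modern stack), and the thresholds are heuristics chosen for the demo.

```python
import random
import statistics

MASK32 = 0xFFFFFFFF


def constant_increment_isns(start: int, count: int, step: int = 64000) -> list:
    """Constructed 'weak' generator: each new connection's ISN is the previous one
    plus a fixed step, the behaviour the slides attribute to older stacks."""
    return [(start + i * step) & MASK32 for i in range(count)]


def random_isns(count: int, seed: int = 7) -> list:
    """Constructed 'strong' generator: a fresh 32-bit value each time. Seeded only so
    the demo repeats; a real stack derives ISNs from a keyed hash (RFC 6528)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


def isn_deltas(samples: list) -> list:
    """Differences between consecutive observed ISNs, modulo 2^32."""
    return [(b - a) & MASK32 for a, b in zip(samples, samples[1:])]


def guess_hit_rate(samples: list) -> float:
    """Fraction of samples an observer would have guessed exactly by assuming
    'next ISN = last ISN + last delta'. 1.0 means fully predictable."""
    deltas = isn_deltas(samples)
    hits = 0
    for i in range(1, len(deltas)):
        predicted = (samples[i] + deltas[i - 1]) & MASK32
        hits += predicted == samples[i + 1]
    return hits / max(len(deltas) - 1, 1)


def predictability_report(samples: list) -> dict:
    """Summarise how much room an observer's guess has.

    Thresholds are heuristics chosen for this demo, not a standard."""
    deltas = isn_deltas(samples)
    spread = statistics.pstdev(deltas) if len(deltas) > 1 else 0.0
    hit_rate = guess_hit_rate(samples)
    if hit_rate > 0.5:
        verdict = "predictable: consecutive ISNs follow a fixed increment"
    elif spread < 2 ** 20:
        verdict = "weak: ISNs move within a small window"
    else:
        verdict = "ok: ISNs spread across the 32-bit space"
    return {
        "distinct_deltas": len(set(deltas)),
        "delta_spread": spread,
        "guess_hit_rate": hit_rate,
        "verdict": verdict,
    }
```

The spread of the deltas is what matters for blind spoofing: with a fixed increment the window an attacker must search is one value; with hash-based ISNs it is the whole 32-bit space, which is why modern stacks (and RFC 6528) use the latter.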
  10. Man-in-the-middle attack (1)
      • A malicious party intercepts a legitimate communication between two friendly parties
      • The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient
      • In this way, an attacker can fool a victim into disclosing confidential information by "spoofing" the identity of the original sender, who is presumably trusted by the recipient
  11. Man-in-the-middle attack (2)
      • Example (figure: Alice, Ivan and Bob, with Ivan sitting between the two):
        – Alice sends Message1 to "Bob" (actually Ivan)
        – Ivan forwards Message1 to Bob, posing as Alice
        – Bob replies with Message2 to "Alice" (actually Ivan)
        – Ivan forwards Message2 to Alice, posing as Bob
  12. Man-in-the-middle attack (3)
      • The most common implementation:
        – the attacker bypasses online banking security by receiving the login and transaction information
        – the attacker passes it on to the banking site with any required alterations
        – the attacker receives data from the banking site
        – and sends the banking site's details back to the victim, again with minor alterations so the victim is unaware of the attack
      • Man-in-the-middle techniques are particularly difficult to detect and protect against, as they usually take place on a different system from the victim and their bank
      • It is also possible to bypass strong security measures such as two-factor authentication and one-time passwords using such techniques
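What slides 10 to 12 leave implicit is why Bob accepts the altered message: nothing in it lets him tell Alice's words from Ivan's. The added example below (not from the lecture) plays out the slide 11 exchange twice, once with plain messages and once with an HMAC tag computed under a key Alice and Bob share. The shared key and Ivan's relay function are constructed for the demo; the caveat in the comment matters, because a MAC only helps if the key itself was not agreed through Ivan.

```python
import hashlib
import hmac

# Constructed shared secret for the demo. It stands in for a key that Alice and
# Bob established out of band. If the key exchange itself ran through Ivan, he
# could hold one key with each side and this check would not help, which is why
# real protocols authenticate the key agreement as well.
SHARED_KEY = b"alice-bob-demo-key"


def protect(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: append an HMAC-SHA256 tag (hex) so the receiver can detect changes."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message + b"|" + tag


def verify(wire: bytes, key: bytes = SHARED_KEY):
    """Receiver side: split off the tag, recompute it and compare in constant time.

    Returns (ok, message)."""
    message, sep, tag = wire.rpartition(b"|")
    if not sep:
        return False, wire
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, tag), message


def ivan_relay(wire: bytes) -> bytes:
    """The intermediary of slide 11, constructed for the demo: passes the message
    on to Bob, but with the payee rewritten, the 'minor alteration' slide 12 describes."""
    return wire.replace(b"payee=Bob", b"payee=Ivan")


def bob_without_integrity(wire: bytes) -> bytes:
    """Baseline: Bob takes whatever arrives at face value."""
    return wire


def bob_with_integrity(wire: bytes):
    """Bob checks the tag and discards anything that fails; returns None on tamper."""
    ok, message = verify(wire)
    return message if ok else None
```

Run both paths with the same instruction and the difference is the whole point: without the tag the altered transfer goes through, with the tag Bob gets None and can refuse it. The check catches alteration only; Ivan can still read and drop messages, which is why confidentiality and authentication of the key exchange are separate requirements.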
  13. Denial-of-Service (DoS) attack
      • Attempts to prevent a piece of software, system, web server or website from functioning
      • Tries to overload the system by exhausting its resources, e.g. bandwidth, memory, CPU time, etc.
      • Denial-of-service attacks
        – SYN flooding
        – Smurf attack
        – Distributed Denial of Service attack (DDoS)
  14. SYN flooding (1)
      • TCP connection set-up: three-way handshake
        – The active open is performed by the client sending a SYN to the server
        – In response, the server replies with a SYN-ACK
        – Finally the client sends an ACK back to the server
      • Figure (Client / Server): Client → Server: SYN; Server → Client: SYN+ACK; Client → Server: ACK
  15. SYN flooding (2)
      • If the client skips sending the ACK message before the connection is established, the server waits for a predefined period of time
      • If the server is flooded with SYN requests that are never acknowledged, it will end up denying connection requests from legitimate users
      • Figure (Client / Server): Client → Server: SYN; Server → Client: SYN+ACK; Client → Server: SYN; Server → Client: SYN+ACK; no ACK ever arrives
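The server on slide 15 suffers because it keeps state for every half-open connection while it waits. The standard mitigation, SYN cookies, removes that state: the server encodes what it needs into the ISN of its SYN+ACK and only allocates a connection when a valid final ACK comes back. The Python below is an added example of that scheme, not from the lecture; the secret, the MSS table and the bit layout (5 bits of time counter, 3 bits of MSS index, 24 bits of keyed hash over the 4-tuple) are constructed assumptions modelled on the classic design, and the client's own ISN is left out of the hash for brevity.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed assumptions: the per-server secret (a real stack picks a random one
# at boot and rotates it) and a small table of MSS values that fit in 3 bits.
SERVER_SECRET = b"demo-secret-rotate-me"
MSS_TABLE = [536, 1024, 1220, 1400, 1440, 1460, 4312, 8960]
TIME_SLOT = 64       # seconds per value of the 5-bit time counter
MAX_AGE_SLOTS = 1    # accept cookies from the current or previous slot only


def encode_mss(mss: int) -> int:
    """Index of the largest table entry not above the client's offered MSS."""
    best = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            best = i
    return best


def _cookie_hash(src_ip: str, src_port: int, dst_ip: str, dst_port: int, t: int) -> int:
    """24-bit keyed hash over the 4-tuple and the time counter."""
    data = struct.pack(
        "!4s4sHHB",
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed,
        src_port, dst_port, t,
    )
    digest = hmac.new(SERVER_SECRET, data, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, mss, now) -> int:
    """Server's ISN for the SYN+ACK: 5 bits time, 3 bits MSS index, 24 bits hash.

    Nothing is stored, so a flood of unanswered SYNs costs no server memory."""
    t = (int(now) // TIME_SLOT) & 0x1F
    return (t << 27) | (encode_mss(mss) << 24) | _cookie_hash(src_ip, src_port, dst_ip, dst_port, t)


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, now):
    """On the final ACK: recover the cookie from ack-1 and validate it.

    Returns the negotiated MSS, or None if the cookie is stale or forged."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t = cookie >> 27
    mss_index = (cookie >> 24) & 0x7
    current = (int(now) // TIME_SLOT) & 0x1F
    if ((current - t) & 0x1F) > MAX_AGE_SLOTS:
        return None                      # too old, or a counter wrap we don't accept
    if (cookie & 0xFFFFFF) != _cookie_hash(src_ip, src_port, dst_ip, dst_port, t):
        return None                      # wrong 4-tuple or wrong secret
    return MSS_TABLE[mss_index]
```

The trade-off is visible in the layout: only the MSS survives the round trip, so other options the client offered in its SYN are lost, which is why stacks usually switch cookies on only once the half-open queue fills. The time check also caps how long a captured SYN+ACK stays usable.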
  16. Smurf attack (1)
      • Uses spoofed ping messages to flood a target system
      • Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite
      • ICMP echo is used by TCP to determine
        – whether a host is reachable
        – the time it takes for the packet to get to and from the host
  17. Smurf attack (2)
      • The attacker sends a long stream of ping packets (ICMP echo requests) to all IP addresses within a network (the amplifier network) via a gateway/router that acts as a broadcaster
      • The ping packets are spoofed with the IP address of the target system
      • Each ICMP echo request message produces an echo response message
      • All hosts of the network will send their echo to the spoofed IP address
      • The sheer number of echo response messages brings the target host down
  18. Smurf attack (3)
      • Amplification (figure: Attacker, Router with broadcast enabled, amplifier network of Host1 and Host2, and the target Server):
        – Attacker → Router: ICMP echo (source spoofed to the Server's address)
        – Router → Host1, Host2: ICMP echo (broadcast into the amplifier network)
        – Host1, Host2 → Server: ICMP echo reply
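Slides 16 to 18 depend on two things a defender controls: the router forwarding a directed broadcast into the subnet, and every host on that subnet answering it. The added example below (not part of the lecture) models both controls and the amplification factor they remove: the router rule follows the RFC 2644 default of not forwarding directed broadcasts, and the host rule mirrors the Linux icmp_echo_ignore_broadcasts behaviour. The Packet record, the 192.0.2.0/24 subnet and the sample packets are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp", ...
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply, -1 = not ICMP


ICMP_ECHO_REQUEST = 8


def directed_broadcast_net(dst: str, local_nets):
    """The directly connected subnet whose broadcast address dst is, or None."""
    addr = ipaddress.IPv4Address(dst)
    for net in local_nets:
        if addr == net.broadcast_address:
            return net
    return None


def router_verdict(pkt: Packet, local_nets, forward_directed_broadcast: bool = False) -> str:
    """Border-router rule (RFC 2644 default): do not forward directed broadcasts.

    With forwarding switched on, the subnet becomes the slide's 'amplifier network'."""
    net = directed_broadcast_net(pkt.dst, local_nets)
    if net is not None and not forward_directed_broadcast:
        return f"DROP: directed broadcast to {net}"
    return "FORWARD"


def host_should_reply(pkt: Packet, host_ip: str, host_net, ignore_broadcasts: bool = True) -> bool:
    """Host-side rule: answer echo requests sent to us; answer broadcast echo
    requests only if the administrator has explicitly allowed it."""
    if pkt.proto != "icmp" or pkt.icmp_type != ICMP_ECHO_REQUEST:
        return False
    dst = ipaddress.IPv4Address(pkt.dst)
    if dst == ipaddress.IPv4Address(host_ip):
        return True
    if dst == host_net.broadcast_address:
        return not ignore_broadcasts
    return False


def amplification_factor(net, responding_fraction: float = 1.0) -> int:
    """Replies the target receives per broadcast echo request: one from every
    host that answers. With both rules above in place this drops to zero."""
    usable_hosts = max(net.num_addresses - 2, 0)   # minus network and broadcast
    return int(usable_hosts * responding_fraction)
```

The amplification number is what makes Smurf worth the attacker's bandwidth: one request into a /24 comes back as up to 254 replies at the spoofed source. The ingress filter from the slide 6 example is the third control, since the request only works if the forged source address is allowed in.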
  19. Distributed Denial-of-Service Attacks (DDoS)
      • Multiple compromised host systems (a botnet) send IP-address-spoofed packets to the same destination address, i.e. the target
      • Malware can carry DDoS attack mechanisms
      • DDoS is difficult to block since the attacks are launched from many different source systems
      • Difficult to trace the attacker
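Slide 19 says DDoS is hard to block because the sources are many and spoofed; what a defender can still see is the pattern at the target, which is why detection is usually done on aggregate counts per destination rather than per source. The added example below (not from the lecture) runs that logic over a constructed packet log: for each destination service in a time window it counts half-open handshakes (a SYN with no later ACK from the same source, the slide 15 condition) and distinct sources, then separates a flood from many sources from one from a few. Record format and thresholds are assumptions made for the demo.

```python
from collections import defaultdict


def constructed_records():
    """Constructed log: (timestamp_s, source_ip, 'dst_ip:port', tcp_flags) where
    flags are 'S' for SYN, 'SA' for SYN-ACK and 'A' for a bare ACK."""
    recs = [
        (0.00, "203.0.113.5", "192.0.2.1:80", "S"),
        (0.01, "203.0.113.5", "192.0.2.1:80", "A"),     # legitimate client, completes handshake
        (0.20, "203.0.113.9", "192.0.2.2:443", "S"),
        (0.21, "203.0.113.9", "192.0.2.2:443", "A"),
    ]
    # Forty SYNs to one service from forty different (possibly spoofed) sources,
    # none of which ever sends the final ACK.
    for i in range(40):
        recs.append((0.10 + i * 0.001, f"198.51.100.{i + 1}", "192.0.2.1:80", "S"))
    return recs


def summarise(records, window_start: float, window_len: float) -> dict:
    """Per destination service within the window: half-open SYN senders,
    completed handshakes and distinct sources."""
    state = defaultdict(lambda: {"syn_sources": set(), "completed": set(), "sources": set()})
    for ts, src, dst, flags in sorted(records):          # time order matters for 'A after S'
        if not (window_start <= ts < window_start + window_len):
            continue
        entry = state[dst]
        entry["sources"].add(src)
        if flags == "S":
            entry["syn_sources"].add(src)
        elif flags == "A" and src in entry["syn_sources"]:
            entry["completed"].add(src)
    return {
        dst: {
            "half_open": len(e["syn_sources"] - e["completed"]),
            "completed": len(e["completed"]),
            "distinct_sources": len(e["sources"]),
        }
        for dst, e in state.items()
    }


def flag_floods(summary: dict, max_half_open: int = 20, many_sources: int = 10) -> list:
    """Heuristic thresholds chosen for the demo; tune them to the service's normal load."""
    alerts = []
    for dst, s in summary.items():
        if s["half_open"] < max_half_open:
            continue
        if s["distinct_sources"] >= many_sources:
            alerts.append((dst, "distributed SYN flood: many sources, few completions"))
        else:
            alerts.append((dst, "SYN flood from a small set of sources"))
    return alerts
```

The many-sources case is the one where per-source blocking fails, which is the slide's point; the useful response there is upstream (rate limiting or filtering near the provider, SYN cookies on the server) rather than a list of source addresses that the attacker can change at will.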
  20. Next week …
      … we will continue looking at network-based attacks