This document discusses network security concepts including vulnerabilities in TCP/IP protocols, denial of service attacks, firewalls, and intrusion detection systems. It outlines common attacks like spoofing, flooding, and session hijacking. It then describes how firewalls use packet filtering and proxies to limit access and detect intrusions. Finally, it covers intrusion detection systems using signature-based and anomaly-based approaches to monitor network traffic and host activity for attacks.
Type of DDoS attacks with hping3 exampleHimani Singh
This document summarizes common DDoS attack types and how to execute them using hping3 or other tools. It describes application layer attacks like HTTP floods, protocol attacks like SYN floods, volumetric attacks like ICMP floods, and reflection attacks. It then provides commands to execute various TCP, UDP, ICMP floods and other DDoS attacks using hping3 by spoofing addresses, modifying flags, and targeting ports. Layer 7 attacks exploiting HTTP requests are also summarized.
The document discusses weaknesses in the TCP/IP protocol suite and solutions to address those weaknesses. It outlines security issues with IP, such as a lack of authentication, encryption, and traffic prioritization. Common attacks like spoofing, sniffing, and denial of service are described. Solutions proposed include using IPv6, IPSec, firewalls, and intrusion detection to authenticate devices, encrypt traffic, and monitor networks for attacks.
This document discusses footprinting and information gathering techniques for network security. It defines footprinting as gathering information about potential target systems and networks. Both attacker and defender perspectives are considered. Basic Linux and Windows tools are covered, such as hostname, ifconfig, who, ping, traceroute, dig, nslookup, whois, arp and netstat for gathering system, network topology and user information. Packet sniffers like Wireshark are also introduced for analyzing network traffic. The document emphasizes that even basic tools can provide a lot of useful information to attackers, so defenders should aim to minimize what they reveal.
This document discusses session hijacking, including defining it as taking over an existing TCP session between two machines. It covers the difference between spoofing and hijacking, the steps to conduct a session hijacking attack, types of session hijacking, sequence number prediction, TCP/IP hijacking, and tools and countermeasures for session hijacking.
This document summarizes network components and security techniques. It discusses network segmentation, demilitarized zones, firewalls, routers, switches, wireless networking, encryption, and VPNs. It also covers securing communication channels, voice over IP, multimedia collaboration, and instant messaging protocols. The key topics covered are network design principles, routing, wireless standards, encryption methods, and virtual private networks.
This document summarizes network-based attacks including IP address spoofing, man-in-the-middle attacks, and denial-of-service attacks. IP address spoofing involves forging the source IP address to gain unauthorized access or hide an attacker's identity. Man-in-the-middle attacks allow an attacker to intercept and control communications between two parties. Denial-of-service attacks like SYN flooding, Smurf attacks, and distributed denial-of-service attacks aim to overload systems by exceeding their resources. Specific techniques for each attack are described in further detail.
Capturing Malicious Bots using a beneficial bot and wikiTakashi Yamanoue
This document describes a system that uses a portable remote security device and wiki software to help network administrators monitor for and respond to malicious bots within protected sub-LAN networks. The remote security device can monitor network traffic, filter malicious packets, and intercept and forward suspicious traffic to aid in identifying compromised hosts. The central network manager controls the device using commands written on a wiki page, allowing them to remotely monitor sub-LANs and work with local managers to quickly identify and remove malicious bots.
Type of DDoS attacks with hping3 exampleHimani Singh
This document summarizes common DDoS attack types and how to execute them using hping3 or other tools. It describes application layer attacks like HTTP floods, protocol attacks like SYN floods, volumetric attacks like ICMP floods, and reflection attacks. It then provides commands to execute various TCP, UDP, ICMP floods and other DDoS attacks using hping3 by spoofing addresses, modifying flags, and targeting ports. Layer 7 attacks exploiting HTTP requests are also summarized.
The document discusses weaknesses in the TCP/IP protocol suite and solutions to address those weaknesses. It outlines security issues with IP, such as a lack of authentication, encryption, and traffic prioritization. Common attacks like spoofing, sniffing, and denial of service are described. Solutions proposed include using IPv6, IPSec, firewalls, and intrusion detection to authenticate devices, encrypt traffic, and monitor networks for attacks.
This document discusses footprinting and information gathering techniques for network security. It defines footprinting as gathering information about potential target systems and networks. Both attacker and defender perspectives are considered. Basic Linux and Windows tools are covered, such as hostname, ifconfig, who, ping, traceroute, dig, nslookup, whois, arp and netstat for gathering system, network topology and user information. Packet sniffers like Wireshark are also introduced for analyzing network traffic. The document emphasizes that even basic tools can provide a lot of useful information to attackers, so defenders should aim to minimize what they reveal.
This document discusses session hijacking, including defining it as taking over an existing TCP session between two machines. It covers the difference between spoofing and hijacking, the steps to conduct a session hijacking attack, types of session hijacking, sequence number prediction, TCP/IP hijacking, and tools and countermeasures for session hijacking.
This document summarizes network components and security techniques. It discusses network segmentation, demilitarized zones, firewalls, routers, switches, wireless networking, encryption, and VPNs. It also covers securing communication channels, voice over IP, multimedia collaboration, and instant messaging protocols. The key topics covered are network design principles, routing, wireless standards, encryption methods, and virtual private networks.
This document summarizes network-based attacks including IP address spoofing, man-in-the-middle attacks, and denial-of-service attacks. IP address spoofing involves forging the source IP address to gain unauthorized access or hide an attacker's identity. Man-in-the-middle attacks allow an attacker to intercept and control communications between two parties. Denial-of-service attacks like SYN flooding, Smurf attacks, and distributed denial-of-service attacks aim to overload systems by exceeding their resources. Specific techniques for each attack are described in further detail.
Capturing Malicious Bots using a beneficial bot and wikiTakashi Yamanoue
This document describes a system that uses a portable remote security device and wiki software to help network administrators monitor for and respond to malicious bots within protected sub-LAN networks. The remote security device can monitor network traffic, filter malicious packets, and intercept and forward suspicious traffic to aid in identifying compromised hosts. The central network manager controls the device using commands written on a wiki page, allowing them to remotely monitor sub-LANs and work with local managers to quickly identify and remove malicious bots.
The document discusses vulnerabilities in wireless network selection that can be exploited to attack clients. It describes how an attacker can spoof disassociation frames to force clients to rescan and discover preferred networks, then create a rogue access point with the same SSID to get clients to associate with the attacker's network instead of secure networks. It also demonstrates attacks on Windows and MacOS wireless configuration using tools like KARMA to target and compromise clients.
The document discusses scanning techniques used during penetration testing and hacking. It defines different types of scanning like port scanning, network scanning, and vulnerability scanning. It describes tools like Nmap that can be used to perform these scans and examines techniques like SYN scanning, XMAS scanning, NULL scanning, and IDLE scanning. The document also discusses using proxies and anonymizers to hide one's location while scanning and ways to document results like creating network diagrams of vulnerable systems.
This document provides an overview of scanning techniques used in ethical hacking. It defines scanning as gathering information about IP addresses, operating systems, services, and architectures of target systems. The document outlines common scanning types like port scanning, network scanning, and vulnerability scanning. It also describes popular scanning tools like Nmap and Hping2, and scanning methods like ping sweeps, SYN stealth scans, and Xmas scans. The goal of scanning is to detect live systems, open ports, operating systems, and services to inform later stages of hacking like banner grabbing, vulnerability assessment, and network mapping.
DDoS Attack Detection & Mitigation in SDNChao Chen
This document summarizes a presentation on detecting and mitigating distributed denial of service (DDoS) attacks in software-defined networks. It discusses using sFlow and the Floodlight controller to detect common DDoS attack types like ICMP floods, SYN floods, and DNS amplification. An application was developed in Python to classify attacks and push static flow entries to direct attack traffic to the sFlow collector for analysis. The scheme was tested in a Mininet virtual network and shown to successfully mitigate ICMP and SYN flood attacks. Future work includes testing DNS amplification and UDP floods, implementing adaptive sampling rates and thresholds, and designing an unblocking mechanism.
Mitigating Worm Attacks seminar discusses tools and techniques for responding to worm incidents in an enterprise network, including containment, inoculation, quarantine, and treatment methodology. Key tools covered are ACLs, NetFlow, sinkholes, and remote-triggered black hole routing to detect and isolate infected systems. Incident response processes including preparation, triage, analysis, reaction, and post-mortem are also reviewed.
This document provides an overview of network security. It discusses what security is, why we need it, who is vulnerable, and common security attacks and countermeasures. Security aims to protect vital information while allowing authorized access. Common attacks discussed include firewalls and intrusion detection systems to control access, denial of service attacks to overload systems, TCP hijacking to intercept connections, packet sniffing to capture unencrypted data, and social engineering to trick users into providing sensitive information. A variety of technical and policy approaches are needed to provide security given the challenges of trusting systems and each other on open networks.
Ethical hacking Chapter 6 - Port Scanning - Eric VanderburgEric Vanderburg
This document discusses port scanning and various tools used for port scanning. It describes what port scanning is, different types of port scans like SYN and ACK scans, and popular port scanning tools like Nmap, Nessus, and Unicornscan. It also covers ping sweeps to identify active hosts and using shell scripting to automate security tasks.
The presentation covers information about basic and advanced ddos attacks; the tools, techniques and methods to perform them and how to prevent them using the methods present in TCP/IP. Given the different network and application protocols for tcp/ip; we tried to describe where ddos attacks are made possible in the communication process . Each attack is seperately analyzed and described and defense technique is described using the same analogy. Our motto: If there is a ddos case, there was a way to defend it.
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
This document summarizes advanced WiFi attacks that can be performed using inexpensive commodity hardware. It describes how WiFi assumes each station acts fairly, but with specialized hardware this assumption no longer holds. Various attacks are demonstrated, including continuous jamming to render a channel unusable, and selective jamming to block specific packets. The document also explores selfish behavior attacks, continuous and selective jamming implementations, and impacts on higher network layers including attacks on encrypted WPA-TKIP traffic.
The document discusses various reconnaissance and access attacks against Cisco networks, as well as countermeasures. It covers passive sniffing, port scans, ping sweeps, password attacks, trust exploitation, IP spoofing, DHCP/ARP attacks, and DoS/DDoS attacks. Defenses include switched networks, encryption, firewall rules, DHCP snooping, dynamic ARP inspection, rate limiting, and storm control.
The document discusses several topics relating to cyber security foundations:
1. It outlines various network security concepts like the OSI model and vulnerabilities in core TCP/IP protocols that can be mitigated through encryption and firewall configuration.
2. It then examines vulnerabilities and mitigations for several application layer protocols including DNS, HTTP, FTP and wireless protocols.
3. Router security best practices like access control lists and strong authentication are presented to prevent attacks like man-in-the-middle.
4. Endpoint security solutions using devices like firewalls, antivirus and encryption are recommended to secure mobile devices connecting to the network.
5. Finally, it stresses the importance of physical security for network devices through locking,
1) The document describes a proposed SDN-based system to detect and prevent DDoS attacks. It uses entropy calculations on traffic flow statistics to detect attacks. When an attack is detected, the controller installs rules to block traffic from bot IPs and the server uses CAPTCHAs to authenticate legitimate users.
2) The system was tested using iperf and attack tools on an emulation platform. Results showed it maintained high throughput even during attacks, unlike approaches that overload the controller. It also had lower false positives than other detection algorithms.
3) Future work could include expanding the system to detect attacks targeting different SDN layers and more servers. The approach provides an effective and scalable DDoS defense for
The document discusses network security and provides recommendations for securing various network components and protocols. It covers securing routers, endpoints, physical network devices, and wireless networks. It also describes common network attack vectors and vulnerabilities in protocols like TCP/IP, DNS, and SMB. Recommendations include using encryption, patching systems, firewalls, hardening devices, and disabling unneeded services.
Sniffing is a technique used to capture network traffic for the purposes of hacking or troubleshooting. A sniffer program collects all data passing through a network interface. In passive sniffing on a hub, all data is broadcast to all devices. Active sniffing on a switch requires tricks like MAC flooding or ARP spoofing to redirect traffic. The Dsniff toolset includes programs for sniffing protocols like HTTP, HTTPS, SSH, and DNS. It can reveal passwords and spoof sites. Defenses include using encrypted protocols and static ARP tables, and paying attention to browser/client warnings.
This document discusses Linux firewalls, beginning with an introduction to why firewalls are needed for access control, detection capabilities, and why Linux is a good option. It then covers firewall basics and the different Linux firewall modules - IPChains, which provides basic filtering but no port forwarding, and IPTables, which adds stateful inspection, improved matching, and port forwarding. The document demonstrates how to implement and manage firewall policies using both the command line and GUI tools in Linux. It also discusses typical firewall implementations and tools for compiling IPTables rules.
This slideshow shows the threat ARP poisoning poses by allowing Packet sniffing attacks using Wireshark on a college network and provides possible mitigation action for the vulnerability
The document discusses buffer overflows, including what they are, reasons for attacks, types of overflows, and countermeasures. It provides details on stack-based overflows, shellcode payloads, detecting overflows, and mutating exploits. Defensive tools mentioned include Return Address Defender, StackGuard, and the Immunix system.
iptables is a user-space utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it store
This document discusses network security concepts like vulnerabilities in TCP/IP protocols, denial of service attacks, firewalls, and intrusion detection systems. It outlines common attacks like spoofing, flooding, and session hijacking. It also describes the functions of packet filtering firewalls and proxy firewalls, as well as signature-based and anomaly-based intrusion detection systems that can monitor networks or individual hosts.
This document provides an overview of network security concepts including vulnerabilities, denial of service attacks, firewalls, and intrusion detection systems. It discusses how TCP/IP was not initially designed with security in mind and is vulnerable to spoofing and man-in-the-middle attacks. Denial of service attacks like SYN flooding aim to overwhelm servers or networks. Firewalls can limit access and traffic between internal and external networks but have limitations. Intrusion detection systems monitor traffic to identify attacks that bypass firewalls.
This document provides an overview of network security concepts including vulnerabilities, denial of service attacks, firewalls, and intrusion detection systems. It discusses how TCP/IP was not initially designed with security in mind and is vulnerable to spoofing and man-in-the-middle attacks. Denial of service attacks like SYN flooding aim to overwhelm servers through excessive connection requests. Firewalls use packet filtering and proxies to restrict network access and traffic based on security rules. Intrusion detection systems monitor network traffic to identify attacks and anomalies beyond what is allowed by firewall rules.
The document discusses network security vulnerabilities like spoofing and flooding attacks. It covers denial of service (DoS) and distributed denial of service (DDoS) attacks. Firewalls like packet filters and proxies are introduced as a way to limit network access and inspect traffic according to security policies. Intrusion detection systems (IDS) are also mentioned for detecting intrusions through signatures or anomalies.
The document discusses vulnerabilities in wireless network selection that can be exploited to attack clients. It describes how an attacker can spoof disassociation frames to force clients to rescan and discover preferred networks, then create a rogue access point with the same SSID to get clients to associate with the attacker's network instead of secure networks. It also demonstrates attacks on Windows and MacOS wireless configuration using tools like KARMA to target and compromise clients.
The document discusses scanning techniques used during penetration testing and hacking. It defines different types of scanning like port scanning, network scanning, and vulnerability scanning. It describes tools like Nmap that can be used to perform these scans and examines techniques like SYN scanning, XMAS scanning, NULL scanning, and IDLE scanning. The document also discusses using proxies and anonymizers to hide one's location while scanning and ways to document results like creating network diagrams of vulnerable systems.
This document provides an overview of scanning techniques used in ethical hacking. It defines scanning as gathering information about IP addresses, operating systems, services, and architectures of target systems. The document outlines common scanning types like port scanning, network scanning, and vulnerability scanning. It also describes popular scanning tools like Nmap and Hping2, and scanning methods like ping sweeps, SYN stealth scans, and Xmas scans. The goal of scanning is to detect live systems, open ports, operating systems, and services to inform later stages of hacking like banner grabbing, vulnerability assessment, and network mapping.
DDoS Attack Detection & Mitigation in SDNChao Chen
This document summarizes a presentation on detecting and mitigating distributed denial of service (DDoS) attacks in software-defined networks. It discusses using sFlow and the Floodlight controller to detect common DDoS attack types like ICMP floods, SYN floods, and DNS amplification. An application was developed in Python to classify attacks and push static flow entries to direct attack traffic to the sFlow collector for analysis. The scheme was tested in a Mininet virtual network and shown to successfully mitigate ICMP and SYN flood attacks. Future work includes testing DNS amplification and UDP floods, implementing adaptive sampling rates and thresholds, and designing an unblocking mechanism.
Mitigating Worm Attacks seminar discusses tools and techniques for responding to worm incidents in an enterprise network, including containment, inoculation, quarantine, and treatment methodology. Key tools covered are ACLs, NetFlow, sinkholes, and remote-triggered black hole routing to detect and isolate infected systems. Incident response processes including preparation, triage, analysis, reaction, and post-mortem are also reviewed.
This document provides an overview of network security. It discusses what security is, why we need it, who is vulnerable, and common security attacks and countermeasures. Security aims to protect vital information while allowing authorized access. Common attacks discussed include firewalls and intrusion detection systems to control access, denial of service attacks to overload systems, TCP hijacking to intercept connections, packet sniffing to capture unencrypted data, and social engineering to trick users into providing sensitive information. A variety of technical and policy approaches are needed to provide security given the challenges of trusting systems and each other on open networks.
Ethical hacking Chapter 6 - Port Scanning - Eric VanderburgEric Vanderburg
This document discusses port scanning and various tools used for port scanning. It describes what port scanning is, different types of port scans like SYN and ACK scans, and popular port scanning tools like Nmap, Nessus, and Unicornscan. It also covers ping sweeps to identify active hosts and using shell scripting to automate security tasks.
The presentation covers information about basic and advanced ddos attacks; the tools, techniques and methods to perform them and how to prevent them using the methods present in TCP/IP. Given the different network and application protocols for tcp/ip; we tried to describe where ddos attacks are made possible in the communication process . Each attack is seperately analyzed and described and defense technique is described using the same analogy. Our motto: If there is a ddos case, there was a way to defend it.
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
This document summarizes advanced WiFi attacks that can be performed using inexpensive commodity hardware. It describes how WiFi assumes each station acts fairly, but with specialized hardware this assumption no longer holds. Various attacks are demonstrated, including continuous jamming to render a channel unusable, and selective jamming to block specific packets. The document also explores selfish behavior attacks, continuous and selective jamming implementations, and impacts on higher network layers including attacks on encrypted WPA-TKIP traffic.
The document discusses various reconnaissance and access attacks against Cisco networks, as well as countermeasures. It covers passive sniffing, port scans, ping sweeps, password attacks, trust exploitation, IP spoofing, DHCP/ARP attacks, and DoS/DDoS attacks. Defenses include switched networks, encryption, firewall rules, DHCP snooping, dynamic ARP inspection, rate limiting, and storm control.
The document discusses several topics relating to cyber security foundations:
1. It outlines various network security concepts like the OSI model and vulnerabilities in core TCP/IP protocols that can be mitigated through encryption and firewall configuration.
2. It then examines vulnerabilities and mitigations for several application layer protocols including DNS, HTTP, FTP and wireless protocols.
3. Router security best practices like access control lists and strong authentication are presented to prevent attacks like man-in-the-middle.
4. Endpoint security solutions using devices like firewalls, antivirus and encryption are recommended to secure mobile devices connecting to the network.
5. Finally, it stresses the importance of physical security for network devices through locking,
1) The document describes a proposed SDN-based system to detect and prevent DDoS attacks. It uses entropy calculations on traffic flow statistics to detect attacks. When an attack is detected, the controller installs rules to block traffic from bot IPs and the server uses CAPTCHAs to authenticate legitimate users.
2) The system was tested using iperf and attack tools on an emulation platform. Results showed it maintained high throughput even during attacks, unlike approaches that overload the controller. It also had lower false positives than other detection algorithms.
3) Future work could include expanding the system to detect attacks targeting different SDN layers and more servers. The approach provides an effective and scalable DDoS defense for
The document discusses network security and provides recommendations for securing various network components and protocols. It covers securing routers, endpoints, physical network devices, and wireless networks. It also describes common network attack vectors and vulnerabilities in protocols like TCP/IP, DNS, and SMB. Recommendations include using encryption, patching systems, firewalls, hardening devices, and disabling unneeded services.
Sniffing is a technique used to capture network traffic for the purposes of hacking or troubleshooting. A sniffer program collects all data passing through a network interface. In passive sniffing on a hub, all data is broadcast to all devices. Active sniffing on a switch requires tricks like MAC flooding or ARP spoofing to redirect traffic. The Dsniff toolset includes programs for sniffing protocols like HTTP, HTTPS, SSH, and DNS. It can reveal passwords and spoof sites. Defenses include using encrypted protocols and static ARP tables, and paying attention to browser/client warnings.
This document discusses Linux firewalls, beginning with an introduction to why firewalls are needed for access control, detection capabilities, and why Linux is a good option. It then covers firewall basics and the different Linux firewall modules - IPChains, which provides basic filtering but no port forwarding, and IPTables, which adds stateful inspection, improved matching, and port forwarding. The document demonstrates how to implement and manage firewall policies using both the command line and GUI tools in Linux. It also discusses typical firewall implementations and tools for compiling IPTables rules.
This slideshow shows the threat ARP poisoning poses by allowing Packet sniffing attacks using Wireshark on a college network and provides possible mitigation action for the vulnerability
The document discusses buffer overflows, including what they are, reasons for attacks, types of overflows, and countermeasures. It provides details on stack-based overflows, shellcode payloads, detecting overflows, and mutating exploits. Defensive tools mentioned include Return Address Defender, StackGuard, and the Immunix system.
iptables is a user-space utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it store
This document discusses network security concepts like vulnerabilities in TCP/IP protocols, denial of service attacks, firewalls, and intrusion detection systems. It outlines common attacks like spoofing, flooding, and session hijacking. It also describes the functions of packet filtering firewalls and proxy firewalls, as well as signature-based and anomaly-based intrusion detection systems that can monitor networks or individual hosts.
This document provides an overview of network security concepts including vulnerabilities, denial of service attacks, firewalls, and intrusion detection systems. It discusses how TCP/IP was not initially designed with security in mind and is vulnerable to spoofing and man-in-the-middle attacks. Denial of service attacks like SYN flooding aim to overwhelm servers or networks. Firewalls can limit access and traffic between internal and external networks but have limitations. Intrusion detection systems monitor traffic to identify attacks that bypass firewalls.
This document provides an overview of network security concepts including vulnerabilities, denial of service attacks, firewalls, and intrusion detection systems. It discusses how TCP/IP was not initially designed with security in mind and is vulnerable to spoofing and man-in-the-middle attacks. Denial of service attacks like SYN flooding aim to overwhelm servers through excessive connection requests. Firewalls use packet filtering and proxies to restrict network access and traffic based on security rules. Intrusion detection systems monitor network traffic to identify attacks and anomalies beyond what is allowed by firewall rules.
The document discusses network security vulnerabilities like spoofing and flooding attacks. It covers denial of service (DoS) and distributed denial of service (DDoS) attacks. Firewalls like packet filters and proxies are introduced as a way to limit network access and inspect traffic according to security policies. Intrusion detection systems (IDS) are also mentioned for detecting intrusions through signatures or anomalies.
The document discusses various phases of intrusion and techniques used by attackers:
1. Reconnaissance involves gathering information about the target through techniques like searching public databases, domain name records, and social engineering to map the network and discover vulnerabilities.
2. Scanning detects live machines, network topology, firewall configurations, applications, and vulnerabilities using tools like ping sweeps, traceroute, port scanning, and vulnerability scanners.
3. Gaining access exploits known vulnerabilities through buffer overflow attacks or by downloading exploits from hacker sites to compromise systems.
This document discusses various types of network security attacks and methods to prevent them. It covers physical access attacks, social engineering attacks, penetration attacks like scanning and malware. It also discusses attacks on the OSI and TCP/IP models like at the session, transport and network layers. Prevention methods covered include firewalls, proxies, IPSec, security policies and hardening hosts. Specific switch and router vulnerabilities are examined like ARP poisoning, SNMP, spanning tree attacks. Countermeasures for switches include BPDU guard, root guard.
This document summarizes vulnerabilities in several common network protocols including ARP, IP, TCP, FTP, SMTP, and DNS. It discusses issues like ARP spoofing, TCP SYN flooding attacks, lack of encryption in FTP and SMTP allowing eavesdropping, and DNS spoofing techniques. The document provides high-level overviews of how these protocols work and specific security risks, such as IP spoofing, traffic analysis from unencrypted headers, and filling connection queues in DoS attacks.
The document discusses various hacking techniques for Cisco networks, including reconnaissance attacks like port scanning and sniffing, active attacks like password cracking and trust exploitation, and external attacks like IP spoofing and denial of service. It then covers defenses like authentication, encryption, access control lists, rate limiting, DHCP snooping, and storm control to mitigate risks from these hacking methods.
How Secure is TCP/IP - A review of Network Protocolssuserc49ec4
The document summarizes security issues with the TCP/IP protocol and provides solutions. It discusses how TCP/IP packets are transmitted, security flaws in IP and TCP, such as spoofing and predictable sequence numbers. It also outlines general security principles, how attacks occur, and solutions like firewalls, IPv6 improvements, and encryption. The conclusion is that packet networks are less secure than circuits, TCP/IP has security flaws, but layers of protection can help if performance impacts are addressed.
This document summarizes vulnerabilities in network protocols like TCP/IP, ARP, IP, TCP, FTP, Telnet, and SMTP. It outlines issues like spoofing, flooding attacks, lack of authentication and encryption. It discusses how protocols work at different layers and security problems associated with each, such as spoofing of addresses, hijacking connections, sniffing cleartext data, and denial of service attacks. Prevention methods are also briefly covered.
This document provides an overview of basic network security concepts. It discusses what security is, why we need it, who is vulnerable, and common security attacks like denial of service attacks, TCP attacks, packet sniffing, and their countermeasures. It also covers firewalls and intrusion detection systems, explaining what they are used for and how they help address security issues. The document uses examples to illustrate concepts like how firewall rules work and how packet sniffing, man-in-the-middle attacks, and dictionary attacks exploit vulnerabilities.
Modul 2 - Footprinting Scanning Enumeration.pptcemporku
This document discusses techniques for gathering intelligence about a target network or system prior to launching an attack. It covers the main steps of footprinting, scanning, and enumeration. Footprinting involves passive information gathering through tools like DNS queries, network queries, and WHOIS lookups. Scanning actively probes targets to identify live systems and map open ports, services, and operating systems using ping sweeps, port scans, and fingerprinting. Enumeration extracts further details about resources, users, groups, and shares once access is gained. The document provides an overview of various tools used at each stage and strategies for footprinting networks, scanning ports, and enumerating user information.
This document discusses techniques for gathering intelligence about a target network or system prior to launching an attack. It covers the main steps of footprinting, scanning, and enumeration. Footprinting involves passive information gathering through tools like DNS queries, network queries, and WHOIS lookups. Scanning actively probes targets to identify live systems and map open ports, services, and operating systems using ping sweeps, port scans, and fingerprinting. Enumeration extracts further details about resources, users, groups, and shares once access is gained. The document provides an overview of various tools used at each stage and strategies for footprinting networks, scanning ports, and enumerating user information.
There is no doubt that Intrusion Detection Systems should be incorporated into any security infrastructure, however today’s IDS implementations are far from perfect. Security Managers should continue to add layers to their defense strategy and not place too much reliance on this technology, as it’s not easy to create a system that can effectively flag an attack without crashing under the weight of its own logs, operate relatively maintenance free and respond appropriately to benign anomalous events without raising too many false alarms.
This session discusses some of the most common techniques aimed at evading IDS detection order to easily attack the infrastructure sitting behind those systems.
Networking for Games
The document discusses networking concepts relevant for online multiplayer games. It covers basic internet architecture including protocols like TCP and UDP, addressing, and routing. It then discusses challenges for games like latency, jitter, and packet loss. It describes techniques used to compensate for latency including prediction, time warp, data compression, and visual tricks. The document provides an overview of key networking challenges and techniques for online games.
UDP Scanning has always been a slow and painful exercise, and if you add IPv6 on top of UDP, the tool choices get pretty limited. UDP Hunter is a python based open source network assessment tool focused on UDP Service Scanning. With UDP Hunter, we have focused on providing auditing of widely known UDP protocols for IPv6 and IPv4 hosts. As of today, UDP Hunter supports 25 different service probes. The tool allows you to do bulk scanning of large networks as well as targeted host scanning for specific ports and more. Once an open service is discovered, UDP Hunter takes it one step further and even provides you guidance on how you can possibly exploit the discovered services. UDP Hunter provides reports in a neat text format, however, support for more formats is under way.
Webinar: https://www.youtube.com/watch?v=yLEL5XrzFyE
Read More: https://www.gadhiyasavan.com/2020/02/udp-hunter.html
UDP Hunter is an open source Python-based network assessment tool that performs UDP scanning to identify open UDP services on target systems. It supports IPv4 and IPv6, contains 25 predefined UDP probes, and reports any services that respond to the probes. The tool scans IP addresses or ranges, sends UDP packets, and sniffs for any UDP responses to determine open ports. It provides text-based reports and suggestions for further exploitation of identified services.
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
Used in this "DNS Security" course:
https://samsclass.info/40/40_F17.shtml
Based on "DNS Security" by Anestis Karasaridis, Amazon Digital Services, Inc., ASIN: B007ZW50WE
This document discusses denial of service attacks and countermeasures like firewalls and intrusion detection systems. It describes how denial of service attacks can overload servers or consume network resources to disrupt service. Distributed denial of service attacks use multiple compromised machines to launch attacks making them difficult to trace. Firewalls can limit network access and drop unauthorized traffic based on packet headers and rules. Intrusion detection systems monitor network traffic and host activity to detect attacks passing through firewalls.
TCP/IP is a set of protocols that allows networks to interconnect and exchange data. It uses IP for addressing devices and moving data in packets across networks, while higher-level protocols like TCP and UDP provide reliability and port addressing to associate packets with applications. Routers route traffic between networks using IP addressing, while protocols like ARP and DHCP configure IP addresses on devices. TCP provides reliable, connection-oriented communication, while UDP is simpler but unreliable. This layered model has allowed the Internet to scale globally across diverse networks.
This maintenance report summarizes work done on a CNC machine for a customer. It lists the customer and machine details, the requested service which was a new installation, and the service agent who performed the work. The work took 1 hour and included a new installation of the CNC machine. The report provides details of the service hours, travel hours, and parts used for the maintenance work.
This maintenance report summarizes work done on a CNC machine for a customer. It lists the customer and machine details, the requested service which was a routine maintenance check, and the service agent who performed the work. The work took an hour and found no issues, with the machine running normally. The customer signed off on the service work.
The document summarizes the key specifications of the DEHNguard modular surge arrester for TT and TN-S systems. It provides details on the product such as its:
1) Prewired design consisting of a base part and plug-in protection modules.
2) High discharge capacity due to heavy-duty zinc oxide varistors and spark gaps.
3) Reliability from "Thermo Dynamic Control" SPD monitoring device.
The document provides specifications for the L7800 series of positive voltage regulators, including:
- Output voltages ranging from 5V to 24V with output current up to 1.5A
- Features such as thermal overload protection, short circuit protection, and output transition safe operating area protection
- Package options including TO-220, TO-220FP, TO-3, and D2PAK
- Electrical characteristics like line and load regulation, output voltage range, quiescent current, and short circuit current are provided for each fixed output voltage variant.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Infrastructure Challenges in Scaling RAG with Custom AI modelsZilliz
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceIndexBug
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
3. Security Vulnerabilities
• Security Problems in the TCP/IP Protocol
Suite – Steve Bellovin - 89
• Attacks on Different Layers
– IP Attacks
– ICMP Attacks
– Routing Attacks
– TCP Attacks
– Application Layer Attacks
4. Why?
• TCP/IP was designed for connectivity
– Assumed to have lots of trust
• Host implementation vulnerabilities
– Software “had/have/will have” bugs
– Some elements in the specification were left
to the implementers
5. Security Flaws in IP
• The IP addresses are filled in by the originating host
– Address spoofing
• Using source address for authentication
– r-utilities (rlogin, rsh, rhosts etc..)
InternetInternet
2.1.1.1 C
1.1.1.1 1.1.1.2A B
1.1.1.3 S
•Can A claim it is B to the
server S?
•ARP Spoofing
•Can C claim it is B to the
server S?
•Source Routing
6. Security Flaws in IP
• IP fragmentation attack
– End hosts need to keep the fragments till all the
fragments arrive
• Traffic amplification attack
– IP allows broadcast destination
– Problems?
8. ICMP Attacks
• No authentication
• ICMP redirect message
– Can cause the host to switch gateways
– Benefit of doing this?
• Man in the middle attack, sniffing
• ICMP destination unreachable
– Can cause the host to drop connection
• ICMP echo request/reply
• Many more…
– http://www.sans.org/rr/whitepapers/threats/477.php
9. Routing Attacks
• Distance Vector Routing
– Announce 0 distance to all other nodes
• Blackhole traffic
• Eavesdrop
• Link State Routing
– Can drop links randomly
– Can claim direct link to any other routers
– A bit harder to attack than DV
• BGP
– ASes can announce arbitrary prefix
– ASes can alter path
10. TCP Attacks
Issues?
– Server needs to keep waiting for ACK y+1
– Server recognizes Client based on IP address/port
and y+1
Client
Server
SYN x
SYN y | ACK x+1
ACK y+1
11. TCP Layer Attacks
• TCP SYN Flooding
– Exploit state allocated at server after initial
SYN packet
– Send a SYN and don’t reply with ACK
– Server will wait for 511 seconds for ACK
– Finite queue size for incomplete connections
(1024)
– Once the queue is full it doesn’t accept
requests
12. TCP Layer Attacks
• TCP Session Hijack
– When is a TCP packet valid?
• Address/Port/Sequence Number in window
– How to get sequence number?
• Sniff traffic
• Guess it
– Many earlier systems had predictable ISN
– Inject arbitrary data to the connection
13. TCP Layer Attacks
• TCP Session Poisoning
– Send RST packet
• Will tear down connection
– Do you have to guess the exact sequence
number?
• Anywhere in window is fine
• For 64k window it takes 64k packets to reset
• About 15 seconds for a T1
14. Application Layer Attacks
• Applications don’t authenticate properly
• Authentication information in clear
– FTP, Telnet, POP
• DNS insecurity
– DNS poisoning
– DNS zone transfer
15. An Example
Shimomura (S) Trusted (T)
Mitnick
Finger
• Finger @S
• showmount –e
• Send 20 SYN packets to S
• Attack when no one is around
• What other systems it trusts?
• Determine ISN behavior
Showmount -e
SYN
16. An Example
Shimomura (S) Trusted(T)
Mitnick
• Finger @S
• showmount –e
• Send 20 SYN packets to S
• SYN flood T
• Attack when no one is around
• What other systems it trusts?
• Determine ISN behavior
• T won’t respond to packets
Syn flood X
17. An Example
Shimomura (S) trusted (T)
Mitnick (M)
• Finger @S
• showmount –e
• Send 20 SYN packets to S
• SYN flood T
• Send SYN to S spoofing as T
• Send ACK to S with a
guessed number
• Attack when no one is around
• What other systems it trusts?
• Determine ISN behavior
• T won’t respond to packets
• S assumes that it has a session
with T
X
SYN
SYN|ACK
ACK
18. An Example
Shimomura (S) Trusted (T)
Mitnick
• Finger @S
• showmount –e
• Send 20 SYN packets to S
• SYN flood T
• Send SYN to S spoofing as T
• Send ACK to S with a
guessed number
• Send “echo + + > ~/.rhosts”
• Attack when no one is around
• What other systems it trusts?
• Determine ISN behavior
• T won’t respond to packets
• S assumes that it has a session
with T
• Give permission to anyone from
anywhere
X
++ > rhosts
20. Denial of Service
• Objective make a service unusable, usually
by overloading the server or network
• Consume host resources
– TCP SYN floods
– ICMP ECHO (ping) floods
• Consume bandwidth
– UDP floods
– ICMP floods
21. Denial of Service
• Crashing the victim
– Ping-of-Death
– TCP options (unused, or used incorrectly)
• Forcing more computation
– Taking long path in processing of packets
23. Coordinated DoS
Attacker
Victim Victim Victim
Attacker Attacker
• The first attacker attacks a different victim to cover up the real attack
• The Attacker usually spoofed source address to hide origin
• Harder to deal with
25. Distributed DoS
• The handlers are usually very high volume servers
– Easy to hide the attack packets
• The agents are usually home users with DSL/Cable
– Already infected and the agent installed
• Very difficult to track down the attacker
• How to differentiate between DDoS and Flash Crowd?
– Flash Crowd Many clients using a service legimitaly
• Slashdot Effect
• Victoria Secret Webcast
– Generally the flash crowd disappears when the network is
flooded
– Sources in flash crowd are clustered
27. Firewalls
• Lots of vulnerabilities on hosts in network
• Users don’t keep systems up to date
– Lots of patches
– Lots of exploits in wild (no patch for them)
• Solution?
– Limit access to the network
– Put firewalls across the perimeter of the
network
28. Firewalls (contd…)
• Firewall inspects traffic through it
• Allows traffic specified in the policy
• Drops everything else
• Two Types
– Packet Filters, Proxies
InternetInternet
Internal Network
Firewall
29. Packet Filters
• Packet filter selectively passes packets from one
network interface to another
• Usually done within a router between external
and internal networks
– screening router
• Can be done by a dedicated network element
– packet filtering bridge
– harder to detect and attack than screening routers
30. Packet Filters Contd.
• Data Available
– IP source and destination addresses
– Transport protocol (TCP, UDP, or ICMP)
– TCP/UDP source and destination ports
– ICMP message type
– Packet options (Fragment Size etc.)
• Actions Available
– Allow the packet to go through
– Drop the packet (Notify Sender/Drop Silently)
– Alter the packet (NAT?)
– Log information about the packet
31. Packet Filters Contd.
• Example filters
– Block all packets from outside except for
SMTP servers
– Block all traffic to a list of domains
– Block all connections from a specified domain
32. Typical Firewall Configuration
• Internal hosts can access DMZ
and Internet
• External hosts can access DMZ
only, not Intranet
• DMZ hosts can access Internet
only
• Advantages?
• If a service gets compromised
in DMZ it cannot affect internal
hosts
InternetInternet
IntranetIntranet
DMZDMZ
X
X
33. Example Firewall Rules
• Stateless packet filtering firewall
• Rule (Condition, Action)
• Rules are processed in top-down order
– If a condition satisfied – action is taken
34. Sample Firewall Rule
Dst
Port
Alow
Allow
Yes
Any
> 1023
22
TCP22
TCP> 1023
ExtIntOutSSH-2
IntExtInSSH-1
Dst
Addr
Proto
Ack
Set?
ActionSrc Port
Src
Addr
DirRule
• Allow SSH from external hosts to internal hosts
– Two rules
• Inbound and outbound
– How to know a packet is for SSH?
• Inbound: src-port>1023, dst-port=22
• Outbound: src-port=22, dst-port>1023
• Protocol=TCP
– Ack Set?
– Problems?
SYN
SYN/ACK
ACK
Client Server
35. Default Firewall Rules
• Egress Filtering
– Outbound traffic from external address Drop
– Benefits?
• Ingress Filtering
– Inbound Traffic from internal address Drop
– Benefits?
• Default Deny
– Why?
Any
Dst
Port
Any DenyAnyAnyIntAnyIntInIngress
DenyAnyAnyExtAnyExtOutEgress
Any DenyAnyAnyAnyAnyAnyAnyDefault
Dst
Addr
Proto
Ack
Set?
Action
Src
Port
Src
Addr
DirRule
36. Packet Filters
• Advantages
– Transparent to application/user
– Simple packet filters can be efficient
• Disadvantages
– Usually fail open
– Very hard to configure the rules
– Doesn’t have enough information to take actions
• Does port 22 always mean SSH?
• Who is the user accessing the SSH?
37. Alternatives
• Stateful packet filters
– Keep the connection states
– Easier to specify rules
– More popular
– Problems?
• State explosion
• State for UDP/ICMP?
38. Alternatives
• Proxy Firewalls
– Two connections instead of one
– Either at transport level
• SOCKS proxy
– Or at application level
• HTTP proxy
• Requires applications (or dynamically
linked libraries) to be modified to use the
proxy
39. Proxy Firewall
• Data Available
– Application level information
– User information
• Advantages?
– Better policy enforcement
– Better logging
– Fail closed
• Disadvantages?
– Doesn’t perform as well
– One proxy for each application
– Client modification
41. Intrusion Detection Systems
• Firewalls allow traffic only to legitimate
hosts and services
• Traffic to the legitimate hosts/services can
have attacks
– CodeReds on IIS
• Solution?
– Intrusion Detection Systems
– Monitor data and behavior
– Report when identify attacks
43. Signature-based IDS
• Characteristics
– Uses known pattern matching
to signify attack
• Advantages?
– Widely available
– Fairly fast
– Easy to implement
– Easy to update
• Disadvantages?
– Cannot detect attacks for which it has no signature
44. Anomaly-based IDS
• Characteristics
– Uses statistical model or machine learning engine to characterize
normal usage behaviors
– Recognizes departures from normal as potential intrusions
• Advantages?
– Can detect attempts to exploit new and unforeseen vulnerabilities
– Can recognize authorized usage that falls outside the normal pattern
• Disadvantages?
– Generally slower, more resource intensive compared to signature-
based IDS
– Greater complexity, difficult to configure
– Higher percentages of false alerts
45. Network-based IDS
• Characteristics
– NIDS examine raw packets in the network
passively and triggers alerts
• Advantages?
– Easy deployment
– Unobtrusive
– Difficult to evade if done at low level of
network operation
• Disadvantages?
– Fail Open
– Different hosts process packets differently
– NIDS needs to create traffic seen at the
end host
– Need to have the complete network
topology and complete host behavior
46. Host-based IDS
• Characteristics
– Runs on single host
– Can analyze audit-trails, logs, integrity of files and
directories, etc.
• Advantages
– More accurate than NIDS
– Less volume of traffic so less overhead
• Disadvantages
– Deployment is expensive
– What happens when host get compromised?
47. Summary
• TCP/IP security vulnerabilities
– Spoofing
– Flooding attacks
– TCP session poisoning
• DOS and D-DOS
• Firewalls
– Packet Filters
– Proxy
• IDS
– Signature and Anomaly IDS
– NIDS and HIDS