This document discusses various network attacks and their mitigations. It begins with a list of common attacks like TCP SYN flood, ICMP flood, ARP spoofing, Smurf attack, IP fragmentation, TCP hijacking, and reflector attacks. It then provides descriptions and usage instructions for tools used in attacks, including hping3, Scapy, Ettercap, and Wireshark. The document proceeds to explain each attack in more detail and provides potential prevention and mitigation techniques. It focuses on techniques like firewall configuration, SYN cookies, ICMP flood protection, private VLANs, filtering, encryption, and VPNs.

1. ATTACKS AND THEIR
MITIGATIONS
BY
MUKESH CHAUDHARI
DIPAK
ABHIJEET
IIS THANE 2015

2. WARNING
This ppt is for educational purpose only
Misuse of it comes under cyber law

3. LIST OF ATTACKS
 TCP SYN FLOOD ATTACK
 ICMP FLOOD ATTACK
 ARP SPOOFING ATTACK
 SMURF ATTACK
 IP FRAGMENTATION ATTACK
 TCP HIJACKING ATTACK
 Reflector attack

4. TOOLS USED
 HPING3
 SCAPY
 ETTERCAP
 WIRESHARK

5. HPING3
 Description
hping3 is a network tool
able to send custom tcp/ip
packets and to display
target replies like ping
program does with icmp
replies. hping3 handle
fragmentation, arbitrary
packets body and size and
can be used in order to
transfer files encapsulated
under supported protocols.
 General syntax
Hping3[options][interface]target
ip
 Uses
 test firewall rules
 advanced port scanning
 path mtu discovery
 tracerout-under different
protocols
 remote os fingureprinting
 tcp/ip stack auditing

6. SOME IMPORTANT OPTIONS TO BE
USED IN HPING3
 -h –help
 -v –version
 -I –interface name
 --flood :Sent packets as
fast as possible, without
taking care to show
incoming replies
 -V –verbose
 -1 –icmp mode
 -2 –udp mode
 -8 –scan mode
 -a –spoof hostname
 -t –time to leave
 -f –fragments
 -p –port
 -w –window
 -F –to set fin flag
 -S –to set SYN flag
 -A –to set ACK flag
 -T –traceroute
 -d –datasize
 -P --push

7. SCAPY
 DESCRIPTION
Scapy is a powerful interactive packet manipulation program.
It is able to forge or decode packets of a wide number of
protocols, send them on the wire, capture them, match
requests and replies, and much more. It can easily
handlemost
tasks like scanning, tracerouting,probing, unit tests, attack
s or network discovery (it can replace hping, 85% of nmap,
arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).
 SYNOPSIS
scapy [-h] [-s file]

8. USAGE
 Starting Scapy
Scapy’s interactive shell is run in a terminal session. Root privileges are
needed to send the packets, so we’re using sudo here:
 $ sudo scapy
Welcome to Scapy (2.0.1-dev)
>>>
 On Windows, please open a command prompt (cmd.exe) and make sure
that you have administrator privileges:
 C:>scapy
INFO: No IPv6 support in kernel
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.0.1-dev)
>>>

9. OPTIONS AND COMMANDS
options
Options for scapy are:
-h display help screen and exit
-s FILE
use FILE to save/load session values (variables, functions,
intances, ...)
COMMANDS
Only the vital commands to begin are listed here for the moment.
ls() lists supported protocol layers. If a protocol layer is given as
parameter, lists its fields and types of fields.
lsc() lists some user commands. If a command is given as parameter,
its documentation is displayed.
conf this object contains the configuration.

10. EXAMPLES
 Test the robustness of a network
stack with invalid packets:
sr(IP(dst="172.16.1.1", ihl=2,
options="0x02",
version=3)/ICMP())
 Packet sniffing and dissection (with
a bpf filter or thetereal-like
output):
a=sniff(filter="tcp port 110")
a=sniff(prn = lambda x:
x.display)
 Sniffed packet reemission:
a=sniff(filter="tcp port 110")
sendp(a)
 Pcap file packet reemission:
sendp(rdpcap("file.cap"))
 Manual TCP traceroute:
sr(IP(dst="www.google.com",
ttl=(1,30))/TCP(seq=RandInt(),
sport=RandShort(), dport=dport)
 Protocol scan:
sr(IP(dst="172.16.1.28",
proto=(1,254)))
 ARP ping:
srp(Ether(dst="ff:ff:ff:ff:ff:ff")/
ARP(pdst="172.16.1.1/24"))
 ACK scan:
sr(IP(dst="172.16.1.28")/TCP(d
port=(1,1024), flags="A"))
 Passive OS fingerprinting:
sniff(prn=prnp0f)
 Active OS fingerprinting:
nmap_fp("172.16.1.232")
 ARP cache poisonning:
sendp(Ether(dst=tmac)/ARP(o
p="who-has", psrc=victim,
pdst=target))
 Reporting:
report_ports("192.168.2.34",
(20,30))

11. ETTERCAP AND WIRESHARK
 ETTERCAP
Ettercap is a free and open
source network security tool
for man-in-the-middle
attacks on LAN. It can be used for
computer network protocol analysis
and security auditing. Ettercap
works by putting the network
interface into promiscuous
mode and by ARP poisoning the
target machines
 WIRESHARK.
Wireshark is a free and open-
source packet analyzer used
for network troubleshooting,
analysis, software
&communications
protocol development, and
education. Wireshark is cross-
platform, using
the GTK+ widget toolkit in
current releases, and Qt in the
development version, to
implement its user interface,
and using pcap to capture
packets

12. TCP SYN FLOOD ATTACK
 TCP SYN Flooding
 Exploit state allocated at server after initial SYN packet
 Send a SYN and don’t reply with ACK
 Server will wait for 511 seconds for ACK
 Finite queue size for incomplete connections (1024)
 Once the queue is full it doesn’t accept requests
Command for SYN flood attack using hping3:
Hping3 –S –V --flood “taregt ip”
Using MSFCONSOLE
Use payload :- use auxilary/dos/tcp/syncflood
and set RHOST

13. PREVENTATION TECHNIQUES AGAINST SYN
FLOOD ATTACK
 Use of Firewall
 Enabling SYN cookies
SYN Cookies prevent an attacker from filling up your SYN queues
and make your services unreachable to the legitimate user.
On Linux, those are some settings you can use to enable and set up
SYN Cookies efficiently:
• echo 1 > /proc/sys/net/ipv4/tcp_syncookies
• echo 2048 /proc/sys/net/ipv4/tcp_max_syn_backlog
• echo 3 > /proc/sys/net/ipv4/tcp_synack_retries

14. ICMP FLOOD ATTACK
 An ICMP flood typically occurs when ICMP echo requests
overload its victim with so many requests that it expends all its
resources responding until it can no longer process valid
network traffic.
 Command for icmp flooding using hping
Hping3 -1 192.168.0.101 –flood

15. PROTECTION AGAINST ICMP FLOOD ATTACKS
 Use Firewall
 Setting up own server
In a ICMP/Ping flood, you can setup your server to ignore Pings, so
an attack will be only half-effective as your server won't consume
bandwidth replying the thousands of Pings its receiving.
You can do that by running this configuration:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
And naturally, add this line to the file /etc/sysctl.conf:
net.ipv4.icmp_echo_ignore_all = 1
 Enabling ICMP Flood Protection by setting the ICMP flood threshold
value.
[edit]
user@host# set security screen ids-option 1000-icmp-flood icmp
flood threshold 1000

16. SMURF ATTACK
 Send ICMP ping packet with
spoofed IP source address to
a LAN which will broadcast to
all hosts on the LAN
 Each host will send a reply
packet to the spoofed IP
address leading to denial of
service
 Command using hping3:
Hping3 –icmp –spoof
‘target ip’ ‘broadcast
ip’ --flood

17. PROTECTION AGAINST SMURF ATTACK
 How to prevent your
network from being the
source of the attack:
 Apply filters to each customer
network
 Ingress:
Allow only those packets
with source addresses
within the customer’s
assigned netblocks
Apply filters to your
upstreams
 Egress:
Allow only those packets with
source addresses within your
netblocks to protect others
 Ingress:
Deny those packets with
source addresses within your
netblocks to protect yourself
 This also prevents other
forms of attacks as well

18. ARP POISONING & IP SPOOFING (MITM)
ATTACK
 A Man-In-The-Middle (MITM) attack is achieved when an attacker
poisons the ARP cache of two devices with the (48-bit) MAC address
of their Ethernet NIC (Network Interface Card). Once the ARP cache
has been successfully poisoned, each of the victim devices send all
their packets to the attacker when communicating to the other
device. This puts the attacker in the middle of the communications
path between the two victim devices; hence the name Man-In-The-
Middle (MITM) attack. It allows an attacker to easily monitor all
communication between victim devices.

19. ARP POISONING & IP SPOOFING (MITM)
ATTACK
 STEPS
• Start ettercap
• Select unifide sniffing
• Scan for host
• Select target 1 and target 2 from host list
• Then start arp poisoning and sniff
• See the packets using WIRESHARK
• Before closing ettercap stop the MIM attack

20. PREVENTION AGAINST ARP POISONING & IP
SPOOFING ATTACK
 Use of private Vlans
 To prevent IP spoofing happen in your network, the following are
some common practices:
1- Avoid using the source address authentication. Implement
cryptographic authentication system-wide.
2- Configuring your network to reject packets from the Net that
claim to originate from a local address.
3- Implementing ingress and egress filtering on the border
routers and implement an ACL (access control list) that blocks
private IP addresses on your downstream interface.
If you allow outside connections from trusted hosts, enable
encryption sessions at the router.

21. FILTERING
if src_addr is from 10.10.0.0
then drop
else forward
if src_addr is from
10.10.0.0
then forward
else drop
10.10.10.0

22. TCP SESSION HIJACKING
 TCP session hijacking is when a
hacker takes over a TCP session
between two machines. Since
most authentication only occurs
at the start of a TCP session, this
allows the hacker to gain access
to a machine.
 Categories of TCP Session
Hijacking
Based on the anticipation of
sequence numbers there are
two types of TCP hijacking:
 Man-in-the-middle (MITM)
 Blind Hijack

23. PREVENT SESSION HIJACKING
 Require the use of SSL encryption on all pages of
your website, or at least those pages that are used
to transmit cookies.
 Ensure your wireless network uses WPA
encryption.
 Provide a VPN to your users when they are away
from the office.
 Be very careful with your organization's social
networking accounts; only grant access to a small
number of well-trained personnel.

24. REFLECTOR ATTACK
sender
dst: reflector
src: victim
reflector
VICTIM
ip spoofed packet
Oops, a lot of
replies without
any request…
Command using hping3:
Hping3 -1 spoof 192.168.0.104 192.168.0.101 –flood
Using scapy:
Send(ip(src=“ip”, dst=“ip”)/icmp())

25. IP FRAGMENTATION ATTACK
 IP fragmentation is the process of breaking up a single Internet
Protocol (IP) datagram into multiple packets of smaller size so as to avoide
detection by network-based Intrusion Detection Systems (IDSs) anf firewall.
 IP allows packets to be broken down into fragments for more efficient transport
across various media
 The TCP packet (and its header) are carried in the IP packet
 One of the type of ip fragmentation attack is TINY FRAGEMENT ATTACK
 The tiny fragment attack is designed to fool a firewall or packet filter by creating an
initial fragment that is very small. It is so small, in fact, that it does not contain the
TCP port number. Instead, the TCP port number follows in the second packet.
 Because the packet filter is looking for the port number to make filtering decisions,
it may allow the tiny initial fragment to pass through. Also, it may allow the second
fragment (which includes the rest of the TCP header, including the port number)
through. Furthermore, an IDS may not process the fragments properly and
therefore may not notice the attack.

26. TINY FRAGMENT ATTACK

27. TINY FRAGMENT ATTACK

28. PREVENTING IP FRAGMENT ATTACK
 Prevention of the Tiny Fragment Attack In a router,
one can prevent this sort of attack by enforcing
certain limits on fragments passing through,
namely, that the first fragment be large enough to
contain all the necessary header information. There
are two ways to guarantee that the first fragment of
a "passed" packet includes all the required fields,
one direct, the other indirect.

29. CONCLUSION
BE SECURE

30. THANK YOU