Computer Security Management
(ISYS20261)
Lecture 6 - Network-based Attacks (1)




 Module Leader: Dr Xiaoqi Ma
 School of Science and Technology
Last week …

• Host-based attacks:
  – Malicious Code
  – Malicious Software

• Malicious Code
  – Backdoors
  – Computer Viruses

• Malicious Software (Malware)
  – Computer Worms
  – Trojan Horses (Trojans)
  – Rootkits
  – Spyware




Computer Security Management
Page 2
Today ...

• Computer networking
• Network-based attacks




Computer networking

• Need for communication between computer systems or devices
• Systems are connected via physical networks and talk to each other
  using standard protocols
• Networking, routers, routing protocols, etc., are specified by the
  Internet Engineering Task Force (IETF)
• Published in Requests for Comments (RFCs)
• ISO standard for worldwide communication: Open Systems
  Interconnection (OSI) reference model




The OSI Reference Model (1)

• abstract description for layered communications and computer
  network protocol design
• it divides network architecture into seven layers
  – Application
  – Presentation
  – Session
  – Transport
  – Network
  – Data-Link
  – Physical Layer

• Layer: collection of conceptually similar functions that provides
  services to the layer above it and receives services from the layer
  below it

The OSI Reference Model (2)

• Application Layer
  – interacts with software applications that implement a communicating component
  – Examples: File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP),
    etc.

• Presentation Layer
  – establishes a context between Application Layer entities

• Session Layer
  – controls the dialogues/connections (sessions) between computers
  – establishes, manages and terminates the connections between the local and
    remote application

• Transport Layer
  – provides transparent transfer of data between end users
  – provides reliable data transfer services to the upper layers


The OSI Reference Model (3)

• Network Layer
  – provides the functional and procedural means of transferring variable length
    data sequences from a source to a destination via one or more networks
  – Maintains the quality of service requested by the Transport Layer

• Data Link Layer
  – provides the functional and procedural means to transfer data between network
    entities
  – detects and possibly corrects errors that may occur in the Physical layer

• Physical Layer
  – defines the electrical and physical specifications for devices
  – includes the layout of pins, voltages, cable specifications, hubs, repeaters,
    network adapters, Host Bus Adapters, etc.




The OSI Reference Model (4)

  Layer             Data Unit   Function
  7  Application    Data        Network process to application
  6  Presentation   Data        Data representation and encryption
  5  Session        Data        Inter-host communication
  4  Transport      Segment     End-to-end connections and reliability
  3  Network        Packet      Path determination and logical addressing
  2  Data link      Frame       Physical addressing (MAC & LLC)
  1  Physical       Bit         Media, signal and binary transmission

OSI Reference Model vs. TCP/IP

  Layer   OSI Reference Model   TCP/IP
  7       Application           Application
  6       Presentation          Application
  5       Session               Application
  4       Transport             Transport
  3       Network               Internet
  2       Data link             Network access
  1       Physical              Network access

Network devices (1)

• Network Interface Card (NIC)
  – computer hardware
  – designed to allow computers to communicate over a computer network
  – provides physical access to a networking medium and often provides a low-level
    addressing system through the use of Media Access Control (MAC) addresses

• Repeater
  – electronic device that receives a signal and retransmits it at a higher power level
    so that the signal can cover longer distances without degradation
  – Example: in most twisted pair Ethernet configurations, repeaters are required
    for cable runs longer than 100 meters




Network devices (2)

• Hub
  – contains multiple ports
  – when a packet arrives at one port, it is copied to all the ports of the hub for
    transmission

• Example: [diagram: three workstations attached to a hub, which connects to the network]

Network devices (3)

• Router
  – networking device that forwards data packets between networks, using packet headers
    and forwarding tables to determine the best path on which to forward them
  – works at the Internet layer of the TCP/IP model, i.e. layer 3 (Network) of the OSI model
  – embedded computer system running a dedicated OS, e.g. IOS (Cisco) or JUNOS
    (Juniper Networks)

• Example: [diagram: two LANs, each behind its own router, connected to each other over the Internet]

Network devices (4)

• Switch
  – hardware that allows traffic to be sent only to the port where it is needed
  – Ethernet switch: operates at the data-link layer and creates a separate collision
    domain (segment) per switch port

• Example: [diagram: workstations A, B, C and D, each on its own port of a switch that connects to the network]

Network-based attacks

• Primary aims
  – forge or steal data
  – gain unauthorised access to a system

• Means
  – Sniffing data
  – Redirecting data

• Take advantage of OS vulnerabilities and exploit inherent weaknesses
  of the Internet, Transport and/or Application layer of TCP/IP
• Usually preceded by a sequence of steps that identify a potential
  vulnerability to exploit
  – Reconnaissance
  – Scanning

Reconnaissance phase

• Information gathering step
• the intruder tries to gather as much information about the network and
  the target computer(s) as possible
• avoids raising alarms about his/her activities
• collects data regarding network settings, subnet ids, router
  configurations, host names, DNS server information, security level
  settings, etc.
• Application servers are often targets of attacks
  – web servers
  – DNS servers
  – SMTP mail servers
  – Etc.


Scanning phase

• Network scanning
  – Sending probing packets to the identified network-specific devices to gain
    information about their configuration settings
  – Example: get IP address from DNS server etc.

• Host scanning
  – Connect to target host
  – probe target machine to check if any known vulnerabilities specific to the OS are
    present
  – Example: using port scanning to identify services running on the host system
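The port scanning mentioned above leaves a characteristic trace in connection logs, which is what a defender looks for. The following is an added example, not part of the lecture, written in Python: it parses a constructed set of connection-attempt records and flags a source that touches many distinct ports on one host within a short time window, while an ordinary client reconnecting to a single service is left alone. The log format, the addresses (RFC 5737 documentation ranges), the window and the threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of connection-attempt records in a simple key=value format.
# These lines are made up for illustration, not taken from a real capture.
# The first source touches many ports within a few seconds; the second is an
# ordinary client that reconnects to one service. One line is deliberately
# malformed to show that the parser skips it instead of crashing.
SAMPLE_LOG = """\
2024-01-15T10:00:00 src=192.0.2.10 dst=198.51.100.5 dport=21 flags=S
2024-01-15T10:00:00 src=192.0.2.10 dst=198.51.100.5 dport=22 flags=S
2024-01-15T10:00:01 src=192.0.2.10 dst=198.51.100.5 dport=23 flags=S
2024-01-15T10:00:01 src=192.0.2.10 dst=198.51.100.5 dport=25 flags=S
2024-01-15T10:00:02 src=192.0.2.10 dst=198.51.100.5 dport=53 flags=S
2024-01-15T10:00:02 src=192.0.2.10 dst=198.51.100.5 dport=80 flags=S
2024-01-15T10:00:03 src=192.0.2.10 dst=198.51.100.5 dport=110 flags=S
2024-01-15T10:00:03 src=192.0.2.10 dst=198.51.100.5 dport=143 flags=S
2024-01-15T10:00:04 src=192.0.2.10 dst=198.51.100.5 dport=443 flags=S
2024-01-15T10:00:04 src=192.0.2.10 dst=198.51.100.5 dport=3389 flags=S
2024-01-15T10:00:05 src=192.0.2.10 dst=198.51.100.5 dport=8080 flags=S
2024-01-15T10:00:00 src=192.0.2.77 dst=198.51.100.5 dport=443 flags=S
2024-01-15T10:00:30 src=192.0.2.77 dst=198.51.100.5 dport=443 flags=S
2024-01-15T10:01:00 src=192.0.2.77 dst=198.51.100.5 dport=443 flags=S
2024-01-15T10:05:00 src=192.0.2.77 dst=198.51.100.5 dport=80 flags=SA
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) flags=(\S+)$")


def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples for SYN-only connection attempts.
    Malformed lines and non-SYN records are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, flags = m.groups()
        if flags != "S":
            continue
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def detect_port_scans(events, window_seconds=10, port_threshold=8):
    """Flag each (src, dst) pair that touches at least port_threshold distinct
    destination ports within any sliding window of window_seconds.
    Returns a sorted list of (src, dst, distinct_ports, window_start) alerts."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), attempts in by_pair.items():
        attempts.sort()
        best = None
        for i, (start, _) in enumerate(attempts):
            # distinct ports seen from this attempt until the window closes
            ports = {p for t, p in attempts[i:] if t - start <= window}
            if len(ports) >= port_threshold and (best is None or len(ports) > best[0]):
                best = (len(ports), start)
        if best is not None:
            alerts.append((src, dst, best[0], best[1].isoformat()))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_port_scans(parse_log(SAMPLE_LOG)):
        print("possible port scan: src=%s dst=%s distinct_ports=%d from=%s" % alert)
```

The threshold and window are tuning knobs: a low threshold catches slow scans but raises more false alarms from legitimate multi-service clients, so in practice they are set per network from a baseline of normal traffic.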




Attacks (1)

• Sniffing
• IP address spoofing
• Man-in-the-middle attack
• Denial-of-service attack (DoS)
  – SYN flooding
  – Smurf attack
  – Distributed Denial of Service attack (DDoS)




Attacks (2)

• OS-based attacks
  – Stack smashing
  – Buffer overflows
  – Password attacks

• Web application attacks
  – Phishing
  – Pharming
  – Session Hijacking
  – Cross-site scripting (XSS)




Sniffing (1)

• computer software or computer hardware (sniffer) intercepts and
  logs traffic passing over a digital network (eavesdropping)
• Works on data link layer of TCP/IP
• as data streams flow across the network, the sniffer captures each
  packet and eventually decodes and analyses its content according to
  the appropriate specifications, e.g. RFC
• Not only done by criminals: legally used by network administrators,
  e.g. for fault detection
• In the UK: it is legal to monitor network traffic only if you get
  official permission from the dedicated network administrator
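As an added example that is not part of the lecture slides, the Python below does in miniature what the slide says a sniffer does: it takes the raw bytes of one Ethernet frame and decodes the Ethernet, IPv4 and TCP headers according to their published layouts (RFC 791 for IPv4, RFC 793 for TCP), verifying the IPv4 header checksum as specified in RFC 1071. The frame is constructed inline rather than captured, and the function and field names are the example's own.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ones_complement_checksum(data):
    """RFC 1071 Internet checksum. Verifying a header that already carries its
    checksum field yields 0 when the header is intact."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_sample_frame():
    """Constructed Ethernet II / IPv4 / TCP SYN frame (made up, not a capture).
    MAC addresses are arbitrary; IP addresses are RFC 5737 documentation ranges."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    # TCP: sport, dport, seq, ack, data offset (5 words) << 4, flags=SYN, window, csum, urgent
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    # IPv4: version/IHL, TOS, total length, id, flags/frag (DF), TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def decode_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP headers into a dict. Raises ValueError on
    truncated or malformed input instead of reading past the end of the buffer."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth_dst": fmt_mac(dst), "eth_src": fmt_mac(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return out
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     saddr, daddr) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("malformed IPv4 header")
    out.update(ip_src=fmt_ip(saddr), ip_dst=fmt_ip(daddr), ip_ttl=ttl, ip_proto=proto,
               ip_checksum_ok=ones_complement_checksum(ip[:ihl]) == 0)
    if proto != IPPROTO_TCP:
        return out
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off >> 4) * 4
    if doff < 20 or doff > len(tcp):
        raise ValueError("malformed TCP data offset")
    out.update(tcp_sport=sport, tcp_dport=dport, tcp_seq=seq, tcp_ack=ack, tcp_window=win,
               tcp_flags=[name for bit, name in TCP_FLAG_NAMES if flags & bit],
               payload=tcp[doff:])
    return out


def is_well_formed(frame):
    """True if the frame decodes without error, False if it is truncated or malformed."""
    try:
        decode_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for key, value in decode_frame(build_sample_frame()).items():
        print("%-16s %r" % (key, value))
```

The length checks before every struct.unpack are the part that matters most in a real dissector: a sniffer processes untrusted bytes, and a decoder that trusts the length fields inside the packet is itself a target.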




Sniffing (2)

• sniffer needs to be placed inside the network
• When nodes are connected to a hub: easy to monitor traffic
• When nodes are connected to a switch port rather than a hub, the
  sniffer will be unable to read the data, due to the intrinsic nature of
  switched networks
• Exception: when a network switch with a so-called monitoring port
  is in use it is easy to monitor all data packets in a LAN
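To make concrete why a hub exposes all traffic to a sniffer while a switch does not (the Switch description under Network devices (4) and the points above), here is an added Python simulation that is not from the lecture: a hub that repeats every frame, a learning switch that forwards a unicast frame only to the port on which the destination MAC was learned (flooding only broadcasts and still-unknown destinations), and the same switch with a monitoring port that receives a copy of everything. Station names, MAC addresses and port numbers are made up for the example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """A hub repeats every frame out of every port except the one it came in on,
    so any station (or sniffer) attached to it sees all traffic."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, frame):
        return sorted(self.ports - {in_port})


class Switch:
    """A learning switch records the port on which each source MAC was seen and
    sends a unicast frame only to the port where its destination was learned.
    Broadcasts and unknown destinations are flooded to all other ports.
    An optional monitor (mirror) port receives a copy of every frame."""

    def __init__(self, ports, monitor_port=None):
        self.ports = set(ports)
        self.monitor_port = monitor_port
        self.mac_table = {}

    def forward(self, in_port, frame):
        self.mac_table[frame["src"]] = in_port  # learn where the sender lives
        dst = frame["dst"]
        if dst == BROADCAST or dst not in self.mac_table:
            out = self.ports - {in_port}          # flood
        else:
            out = {self.mac_table[dst]} - {in_port}
        if self.monitor_port is not None:
            out.add(self.monitor_port)
        return sorted(out)


# Constructed MAC addresses and port numbers for the four workstations of the
# slide (locally administered addresses, not real hardware).
MAC = {"A": "02:00:00:00:00:0a", "B": "02:00:00:00:00:0b",
       "C": "02:00:00:00:00:0c", "D": "02:00:00:00:00:0d"}
PORT = {"A": 1, "B": 2, "C": 3, "D": 4}

# A short A <-> B exchange: three unicast frames.
CONVERSATION = [("A", "B"), ("B", "A"), ("A", "B")]


def frames_visible_to(device, sniffer_port, conversation=CONVERSATION):
    """Count how many frames of the conversation reach the sniffer's port."""
    seen = 0
    for sender, receiver in conversation:
        frame = {"src": MAC[sender], "dst": MAC[receiver]}
        if sniffer_port in device.forward(PORT[sender], frame):
            seen += 1
    return seen


def compare_topologies(sniffer_port=5):
    """Frames out of three that a sniffer on sniffer_port observes in each setup."""
    stations = list(PORT.values())
    return {
        "hub": frames_visible_to(Hub(stations + [sniffer_port]), sniffer_port),
        "switch": frames_visible_to(Switch(stations + [sniffer_port]), sniffer_port),
        "switch_with_monitor_port": frames_visible_to(
            Switch(stations, monitor_port=sniffer_port), sniffer_port),
    }


if __name__ == "__main__":
    for setup, count in compare_topologies().items():
        print("%-26s sniffer saw %d of %d frames" % (setup, count, len(CONVERSATION)))
```

Note that the plain switch still leaks the very first frame: until the switch has learned B's port it floods the unknown destination to every port, including the sniffer's. Once both stations are in the MAC table the sniffer sees nothing more, which is the "intrinsic nature of switched networks" the slide refers to; the monitoring port restores full visibility by design.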




Sniffing (3)

• Legally used for:
  – Analyse network problems
  – Detect network intrusion attempts
  – Gain information for effecting a network intrusion
  – Monitor network usage
  – Gather and report network statistics
  – Filter suspect content from network traffic
  – Debug client/server communications
  – Debug network protocol implementations

• Criminal use:
  – Spy on other network users and collect sensitive information, e.g. passwords
  – Reverse engineer protocols used over the network




Sniffing (4)

• Sniffers are usually software based
• tcpdump
  – common packet sniffer used on UNIX machines
  – runs under the command line
  – allows the user to intercept and display TCP/IP and other packets being
    transmitted or received over a network to which the computer is attached

• Wireshark:
  – Free tool
  – Available for a wide range of OSs, including Linux, Mac OS, MS Windows, etc.
  – similar to tcpdump but offers a graphical user interface
  – More information: www.wireshark.org

• Commercial tools
  – E.g. Microsoft Network Monitor, NetScout, etc.

Sniffing (5)

• Hardware network sniffers: Network Taps
• Network Tap
  – hardware device for monitoring the network traffic between two points in the
    network
  – has at least three ports: A port, a B port, and a monitor port
  – To place the Tap between points A and B, the network cable between point A
    and point B is replaced with a pair of cables, one going to the Tap's A port, one
    going to the Tap's B port
  – The Tap passes through all traffic between A and B, so A and B still think they
    are connected to each other, but the Tap also copies the traffic between A and B
    to its monitor port, enabling a third party to listen

• Problem: expensive to monitor all data in a 10 Gbit network
• Solution: use a filterable Tap that parses off selected data, applications,
  VLANs, etc. to a 1 Gbit port for deep analysis and monitoring

Next week …

… we will continue looking at network-based attacks



