DOS

1. Chapter 4
Chapter 4

2.  Describe the goals of creating secure networks.
 Explain how denial-of-service attacks work.
 Explain how ARP poisoning works.
 Know why access controls are important for networks.
 Explain how to secure Ethernet networks.
 Describe wireless (WLAN) security standards.
 Describe potential attacks against wireless networks.
2

3. 4.1 Introduction
4.1 Introduction
4.2 Denial-of-Service (DoS) Attacks
4.2 Denial-of-Service (DoS) Attacks
4.3 ARP Poisoning
4.3 ARP Poisoning
4.4 Access Control for Networks
4.4 Access Control for Networks
4.5 Ethernet Security
4.5 Ethernet Security
4.6 Wireless Security
4.6 Wireless Security
3

4.  Cryptography provides confidentiality,
authenticity, and message integrity
 Modern networks have additional vulnerabilities
◦ Means of delivering the messages could be stopped,
slowed, or altered
◦ The route the messages took could be altered
◦ Messages could be redirected to false recipients
◦ Attackers could gain access to communication channels
that were previously considered closed and confidential
4

5. Goals of Creating Secure Networks
1. Availability—users have uninterrupted access to
information services and network resources
2. Confidentiality—prevent unauthorized users from
gaining information about the network
3. Functionality—preventing attackers from altering the
capabilities, or normal operation of the network
4. Access control—keep attackers, or unauthorized
employees, from accessing internal resources
5

6.  The “castle” model
◦ Good guys on the inside, attackers on the outside, and a
well-guarded point of entry
 Death of the Perimeter
◦ It is impractical, if not impossible, to force all information
in an organization through a single point in the network
◦ New means of attacking networks (i.e. smart phones) are
constantly emerging
◦ Lines between “good guys” and “bad guys” has become
blurred
7

7.  The “city” model
◦ No distinct perimeter, and there are multiple ways
of entering the network
◦ Like a real city, who you are will determine which
buildings you will be able to access
◦ Greater need for:
 Internal intrusion detection
 Virtual LANs
 Central authentication servers
 Encrypted internal traffic
9

8. 4.1 Introduction
4.1 Introduction
4.2 Denial-of-Service (DoS) Attacks
4.2 Denial-of-Service (DoS) Attacks
4.3 ARP Poisoning
4.3 ARP Poisoning
4.4 Access Control for Networks
4.4 Access Control for Networks
4.5 Ethernet Security
4.5 Ethernet Security
4.6 Wireless Security
4.6 Wireless Security
10

9.  What is a DoS attack?
◦ An attempt to make a server or network unavailable
to legitimate users by flooding it with attack packets
 What is NOT a DoS attack?
◦ Faulty coding that causes a system to fail
◦ Referrals from large websites that overwhelm smaller
websites
11

10. Copyright Pearson Prentice-Hall 2013 12

11.  Ultimate goal of DoS attacks is to cause harm
◦ Harm includes: losses related to online sales,
industry reputation, employee productivity,
customer loyalty, etc.
 The two primary means of causing harm via
DoS attacks include:
1.Stopping critical services
2.Slowly degrading services
13

12.  Direct DoS Attack
◦ An attacker tries to flood a victim with a stream of
packets directly from the attacker’s computer
 Indirect DoS Attack
◦ The attacker’s IP address is spoofed (i.e., faked)
and the attack appears to come from another
computer
14

13. 15
SYN FLOOD ATTACK

14. 16

15.  Bots
◦ Updatable attack programs
◦ Botmaster can update the software to change the
type of attack the bot can do
 May sell or lease the botnet to other criminals
◦ Botmaster can update the bot to fix bugs
 Botmaster can control bots via a handler
◦ Handlers are an additional layer of compromised
hosts that are used to manage large groups of bots
17

16. Copyright Pearson Prentice-Hall 2013 18

17. 19

18.  Types of packets sent:
20

19. 21

20.  Peer-to-peer (P2P) redirect DoS attack
◦ Uses many hosts to overwhelm a victim using normal P2P
traffic
◦ Attacker doesn’t have to control the hosts, just redirect their
legitimate P2P traffic
22

21. 23

22.  Reflected DoS attack
◦ Responses from legitimate services flood a victim
◦ The attacker sends spoofed requests to existing
legitimate servers (Step 1)
◦ Servers then send all responses to the victim (Step 2)
◦ There is no redirection of traffic
24

23. Copyright Pearson Prentice-Hall 2013 25
What is DrDoS?
DrDoS stands for Distributed Reflection Denial of Service attack. DrDoS
techniques usually involve multiple victim machines that unwittingly
participate in a DDoS attack on the attacker’s target. Requests to the victim
host machines are redirected, or reflected, from the victim hosts to the target.
Usually they also elicit an amplified amount of attack traffic.

24. 26

25.  Smurf Flood
◦ The attacker sends a spoofed ICMP echo request to an incorrectly configured
network device (router)
◦ Broadcasting enabled to all internal hosts
◦ The network device forwards the echo request to all internal hosts
(multiplier effect)
27

26. 28

27.  Black holing
◦ Drop all IP packets from an attacker
◦ We lead all of the criminal traffic to a so-called ‘black hole’
◦ Not a good long-term strategy because attackers can quickly
change source IP addresses
◦ An attacker may knowingly try to get a trusted corporate partner
black holed
29

28.  Validating the handshake
◦ Whenever a SYN segment arrives, the firewall itself sends
back a SYN/ACK segment, without passing the SYN
segment on to the target server (false opening)
◦ When the firewall gets back a legitimate ACK the firewall
send the original SYN segment on to the intended server
 Rate limiting
◦ Used to reduce a certain type of traffic to a reasonable
amount
◦ Can frustrate attackers, and legitimate users
30

29. 31

30. 4.1 Introduction
4.1 Introduction
4.2 Denial-of-Service (DoS) Attacks
4.2 Denial-of-Service (DoS) Attacks
4.3 ARP Poisoning
4.3 ARP Poisoning
4.4 Access Control for Networks
4.4 Access Control for Networks
4.5 Ethernet Security
4.5 Ethernet Security
4.6 Wireless Security
4.6 Wireless Security
32

31.  ARP Poisoning
◦ Network attack that manipulates host ARP tables to
reroute local-area network (LAN) traffic
◦ Possible man-in-the-middle attack
◦ Requires an attacker to have a computer on the
local network
◦ An attack on both the functionality and
confidentiality of a network
33

32.  Address Resolution Protocol (ARP)
◦ Used to resolve 32-bit IP addresses (e.g., 55.91.56.21)
into 48-bit local MAC addresses (e.g., 01-1C-23-0E-1D-
41)
◦ ARP tables store resolved addresses (below)
34

33. 35

34.  The problem: ARP requests and replies do NOT require
authentication or verification
◦ All hosts trust all ARP replies
◦ ARP spoofing uses false ARP replies to map any IP address to any
MAC address
◦ An attacker can manipulate ARP tables on all LAN hosts
◦ The attacker must send a continuous stream of unsolicited ARP
replies
36

35. 37

36.  ARP DoS Attack
◦ Attacker sends all internal hosts a continuous stream
of unsolicited spoofed ARP replies saying the gateway
(10.0.0.4) is at E5-E5-E5-E5-E5-E5 (Step 1)
◦ Hosts record the gateway’s IP address and
nonexistent MAC address (Step 2)
◦ The switch receives packets from internal hosts
addressed to E5-E5-E5-E5-E5-E5 but cannot deliver
them because the host does not exist
◦ Packets addressed to E5-E5-E5-E5-E5-E5 are dropped
38

37. 39

38.  Preventing ARP Poisoning
◦ Static ARP tables are manually set
 Most organizations are too large, change too
quickly, and lack the experience to effectively
manage static IP and ARP tables
◦ Limit Local Access
 Foreign hosts must be kept off the LAN
40

39.  Stateless Address Auto Configuration
(SLAAC) attack
◦ An attack on the functionality and confidentiality of a
network
◦ This attack occurs when a rogue IPv6 router is
introduced to an IPv4 network
◦ All traffic is automatically rerouted through the IPv6
router, creating the potential for a MITM attack
41

40. 42

41. 43

42. 4.1 Introduction
4.1 Introduction
4.2 Denial-of-Service (DoS) Attacks
4.2 Denial-of-Service (DoS) Attacks
4.3 ARP Poisoning
4.3 ARP Poisoning
4.4 Access Control for Networks
4.4 Access Control for Networks
4.5 Ethernet Security
4.5 Ethernet Security
4.6 Wireless Security
4.6 Wireless Security
44

43. 45

44. 4.1 Introduction
4.1 Introduction
4.2 Denial-of-Service (DoS) Attacks
4.2 Denial-of-Service (DoS) Attacks
4.3 ARP Poisoning
4.3 ARP Poisoning
4.4 Access Control for Networks
4.4 Access Control for Networks
4.5 Ethernet Security
4.5 Ethernet Security
4.6 Wireless Security
4.6 Wireless Security
46

45. 47
IEEE 802.1X is an IEEE Standard for port-based Network Access
Control (PNAC). It provides an authentication mechanism to devices wishing to
attach to a LAN or WLAN.
IEEE 802.1X defines the encapsulation of the Extensible Authentication
Protocol (EAP) over IEEE 802, which is known as "EAP over LAN" or EAPOL.

46. 48
802.1X authentication involves three parties: a supplicant, an authenticator,
and an authentication server.
The supplicant is a client device (such as a laptop) that wishes to attach to
the LAN/WLAN. The term 'supplicant' is also used interchangeably to refer to
the software running on the client that provides credentials to the
authenticator.
The authenticator is a network device which provides a data link between
the client and the network and can allow or block network traffic between the
two, such as an Ethernet switch or wireless access point.
The authentication server is typically a trusted server that can receive
and respond to requests for network access, and can tell the authenticator if
the connection is to be allowed, and various settings that should apply to
that client's connection or setting. Authentication servers typically run
software supporting the RADIUS and EAP protocols.

47. 49

48. 50

49. 51
Challenge-Handshake
Authentication
Protocol, CHAP

50. 52

51. 4.1 Introduction
4.1 Introduction
4.2 Denial-of-Service (DoS) Attacks
4.2 Denial-of-Service (DoS) Attacks
4.3 ARP Poisoning
4.3 ARP Poisoning
4.4 Access Control for Networks
4.4 Access Control for Networks
4.5 Ethernet Security
4.5 Ethernet Security
4.6 Wireless Security
4.6 Wireless Security
53