The document discusses various network attacks that can be detected by intrusion detection systems. It begins by covering Address Resolution Protocol (ARP) attacks like ARP cache poisoning, which allows an attacker to intercept or modify network traffic. It then discusses attacks involving the Internet Protocol like IP spoofing and fragmentation attacks. Next, it outlines different types of ICMP attacks such as ICMP sweep, smurf attack, ping of death, and ICMP flood. The document provides technical details on how these attacks work and vulnerabilities they exploit.
A brief discussion of network security and an introduction to cryptography. We end the presentation with a discussion of the RSA algorithm, and show how it works with a basic example.
The document discusses techniques for evading intrusion detection systems (IDS), firewalls, and honeypots. It provides information on common IDS types and how they detect intrusions. It then describes various methods that can be used to evade detection by IDSes, firewalls, and tools commonly used for this purpose. The document also discusses firewalls, how they operate to filter network traffic, and common firewall types. It concludes with an overview of honeypots and how they can be detected.
Named Data Networking, for Computer Communications course presentation
Pictures are cropped from these slides:
http://www.slideshare.net/wanderer_from/named-date?qid=1abab327-219a-4b69-a114-46e7f1634d42&v=qf1
http://www.slideshare.net/haroonrashidlone/named-data-networking?qid=bb7c7b7b-ee1b-4c2f-8df5-c4194282e8e2&v=qf1
http://named-data.net/content-centric-networking-video/
https://hal.inria.fr/file/index/docid/785298/filename/AIMS12_tutorial_CCN.pdf
Dynamic ARP inspection (DAI) is a security feature that prevents man-in-the-middle attacks by validating ARP packets. It relies on DHCP snooping to build a database of valid IP-MAC address bindings. When enabled, DAI will drop ARP packets that do not match entries in the DHCP snooping database, preventing ARP poisoning attacks. The document then demonstrates configuring and testing DAI on a switch to block an ARP poisoning attempt by a rogue workstation.
The document discusses various reconnaissance and access attacks against Cisco networks, as well as countermeasures. It covers passive sniffing, port scans, ping sweeps, password attacks, trust exploitation, IP spoofing, DHCP/ARP attacks, and DoS/DDoS attacks. Defenses include switched networks, encryption, firewall rules, DHCP snooping, dynamic ARP inspection, rate limiting, and storm control.
This document discusses packet sniffers, which are software applications that can monitor and capture network traffic. It describes how packet sniffers work by putting the network adapter into promiscuous mode to see all network traffic. The document outlines different types of packet sniffers, including commercial and underground varieties. It explains that packet sniffers are used for both legitimate purposes like network debugging and security, as well as illegitimate purposes like hacking. Specific packet sniffer software like Wireshark is profiled, describing its features, capabilities, and limitations. Risks of using packet sniffers, like potential security vulnerabilities, are also highlighted.
The document discusses various aspects of network forensics and investigating logs. It covers analyzing log files as evidence, maintaining accurate timekeeping across systems, configuring extended logging in IIS servers, and the importance of log file accuracy and authenticity when using logs as evidence in an investigation.
Block ciphers like DES encrypt data in blocks and are based on the Feistel cipher structure. DES encrypts 64-bit blocks using a 56-bit key and 16 rounds of encryption. Modern cryptanalysis techniques like differential and linear cryptanalysis use statistical analysis to reveal weaknesses in block ciphers, though DES remains relatively secure against these attacks. Careful design of block ciphers, including aspects like non-linear substitution boxes and complex key scheduling, aims to provide security against cryptanalysis.
This document discusses cracking WEP encryption on wireless networks. It explains that monitor mode allows a wireless card to capture all network traffic, including unencrypted data. It also describes how to use tools like aircrack-ng, wep_crack, and WEPAttack to perform dictionary attacks and brute force the 5 or 13 byte encryption keys by exploiting weaknesses in the WEP algorithm and capturing large numbers of packets with duplicate initialization vectors. With enough captured packets, these tools can typically recover WEP keys within minutes, regardless of the passphrase complexity.
This document provides an introduction to information security. It discusses the key concepts of security including the layers of security (physical, personal, operations, etc.) and defines information security as protecting information systems and data. The document outlines the critical characteristics of information security - confidentiality, integrity, availability, authorization, authentication, identification, and accountability. It then provides more detail on each of these concepts. The document also discusses emerging security technologies, education in cybersecurity, and the components that make up an information system including software, hardware, data, people, procedures, and networks. It covers types of attacks, securing system components, and the systems development life cycle as a methodology for implementing security.
This document discusses asymmetric key cryptography and the RSA cryptosystem. It begins by distinguishing between symmetric and asymmetric key cryptography, noting they serve complementary roles. It then covers the basics of public key cryptography using two keys: a private key and public key. The RSA cryptosystem is described as the most common public key algorithm, involving key generation, encryption with the public key, and decryption with the private key. Examples are provided to illustrate the RSA process. Potential attacks on RSA like factorization are also summarized along with recommendations to strengthen security.
This document provides an overview of soft skills and technical skills relevant to penetration testing. It covers topics such as engagement lifecycles, relevant UK legal issues like the Computer Misuse Act 1990, and technical protocols including IP, TCP, UDP, ICMP, network architectures, routing protocols like RIP and OSPF, and wireless networking standards. It also discusses concepts like collision and broadcast domains as they relate to different networking devices. The document is intended to outline key knowledge for penetration testers regarding both soft skills around compliance and engagement processes, as well as core technical networking and protocol knowledge.
Information Security Lesson 2 - Attackers and Attacks - Eric Vanderburg
This document defines and describes different types of attackers and attacks on information security. It identifies hackers, crackers, script kiddies, spies, employees, hacktivists, and cyberterrorists as common attackers with varying levels of skill and motivations. Common attack types include social engineering, buffer overflows, password guessing, man-in-the-middle attacks, and denial of service attacks. Malware threats like viruses, worms, Trojan horses, and spyware are also outlined. The document concludes with descriptions of protection techniques like firewalls and discusses backdoors and rootkits as other access methods.
This document provides an overview of scanning techniques used in ethical hacking. It defines scanning as gathering information about IP addresses, operating systems, services, and architectures of target systems. The document outlines common scanning types like port scanning, network scanning, and vulnerability scanning. It also describes popular scanning tools like Nmap and Hping2, and scanning methods like ping sweeps, SYN stealth scans, and Xmas scans. The goal of scanning is to detect live systems, open ports, operating systems, and services to inform later stages of hacking like banner grabbing, vulnerability assessment, and network mapping.
The document discusses intrusion detection and prevention systems (IDPS), including their detection methods, response behaviors, selection considerations, strengths and limitations, and deployment. It describes the main detection approaches used by IDPS like signature-based, anomaly-based, and stateful protocol analysis. It also covers log file monitors, active vs passive responses, and factors to consider when selecting and deploying an IDPS.
The document provides an overview of IPv6, including its key features and advantages over IPv4. It discusses IPv6 addressing formats and transition mechanisms from IPv4 to IPv6. IPv6 has a 128-bit address space compared to IPv4's 32-bit, allowing for many more addresses. It also supports features like autoconfiguration, mobility, and security that are improvements over IPv4. Transition techniques like dual stacking, tunneling, and translation allow IPv6 and IPv4 networks to interconnect during the transition period.
Packet sniffing involves monitoring network traffic by capturing and analyzing data packets as they flow through a network interface. It can be performed using packet sniffers, which are programs that can intercept and read all network traffic passing through a device's network interface card or wireless adapter. While packet sniffers can be used for troubleshooting network issues, they can also be used maliciously by hackers to intercept sensitive information like usernames and passwords by using techniques like ARP spoofing to fool devices into thinking the hacker's machine has the IP address of another machine on the network. Network administrators can use tools to detect the presence of packet sniffers operating in promiscuous mode and monitor ARP caches for signs of spoofing.
This document provides an overview of IPSec, including:
- IPSec aims to secure IP communications by providing authentication, integrity, and confidentiality. It operates in transport and tunnel modes.
- The Internet Key Exchange (IKE) negotiates and establishes security associations to secure communications between two endpoints.
- IPSec policy defines which encryption, hashing, and authentication methods apply to different network traffic using protection suites and proposals.
The document outlines key performance indicators (KPIs) and key risk indicators (KRIs) for evaluating an organization's asset management performance across several categories. It includes 20 KPIs across areas like asset discovery, utilization, lifecycle management, tracking, maintenance, depreciation, compliance, and security. Each KPI lists 1-2 related KRIs that indicate potential risks to watch out for. The overall goal is to help organizations optimize asset utilization, security, and lifecycle management through monitoring these critical metrics.
This document provides an overview of footprinting and information gathering techniques used during the reconnaissance phase of an ethical hacking engagement. It defines footprinting as gathering a security profile of an organization through open source intelligence prior to an attack. The document outlines various methodologies for passively gathering initial information, locating networks and systems, identifying services and technologies in use, and collecting competitive intelligence. It provides examples of tools and resources that can be used to uncover personnel details, technical infrastructure information, business plans and strategies from competitors through open sources.
Subnets divide a network into smaller sub-networks or subnets. Each subnet is treated as a separate network and can be further divided. When a packet enters a network with subnets, routers will route based on the subnet ID which is a combination of the network ID and subnet portion of the IP address. Subnets are only relevant for routing within an organization and are transparent outside the organization.
This presentation gives a detailed overview about Cloud Computing, its features and challenges faced by it in the market. It gives an insight into cloud security and privacy issues and its measures.
CIDR was introduced to address the exhaustion of IPv4 address space and inefficient allocation of large address blocks. It allows for flexible subnet masks and routing based on the longest prefix match. IPv6 vastly expands the available address space to accommodate future growth. Packet forwarding in both protocols works by routers looking up the destination IP address in their forwarding table to determine the outgoing interface for each packet.
The document describes a packet sniffer program and how it works. It explains that packet sniffing involves capturing network traffic and analyzing it to gather useful information. It then discusses how packet sniffers work by listening to broadcast data on a local network. Finally, it provides details on the types of information that can be gathered from sniffed packets, such as usernames, passwords, emails, and websites visited.
Chapter 4 internetworking [compatibility mode] - Sĩ Anh Nguyễn
The document provides an overview of network layer concepts including internetworking, IP addressing, routing protocols, and routing algorithms. Some key points include:
- Internetworking allows different networks to connect through protocols like virtual circuits and tunneling.
- IP addresses identify systems on a network and consist of a network portion and host portion. Private IP addresses are used internally.
- Routing protocols like RIP, OSPF, and BGP allow routers to share route information and determine the best path between networks.
- Subnetting divides network classes into smaller subnets to better manage IP addresses and network design.
The document discusses Internet protocols and TCP/IP. It describes how the Internet protocols were developed in the 1970s to facilitate communication between different computer systems. The key protocols are TCP and IP. TCP provides reliable data transmission and IP provides best-effort delivery of packets across networks. The document outlines the TCP/IP protocol stack and key concepts like IP addressing, ARP, routing, ICMP, TCP connection establishment and sliding windows.
This document discusses Address Resolution Protocol (ARP) spoofing attacks and proposes a new approach called ASHA to secure the ARP cache and prevent ARP spoofing. ARP spoofing allows attackers to associate their own MAC address with the IP address of another host, intercepting traffic. ASHA uses public/private key cryptography and TCP packets to securely exchange IP-MAC pairs between hosts and maintain the ARP cache in static mode. Experiments show that systems using ASHA are protected from ARP attacks.
This document proposes a new approach called ASHA to secure the Address Resolution Protocol (ARP) from spoofing attacks. ARP is currently vulnerable because it exchanges IP and MAC addresses in plain text, allowing attackers to spoof addresses. ASHA would install an agent between the IP and MAC layers on each host. The agent would encrypt the IP/MAC addresses when they are exchanged in ARP requests and replies using public/private key cryptography. It would also maintain the ARP cache in static mode for added security. The approach aims to protect ARP without requiring changes to the operating system kernel or use of additional servers. Experimental results showed the ASHA-installed systems were protected from ARP spoofing attacks.
This slide deck covers Networking Fundamentals, Various Penetration testing standards, OWASP TOP 10 Vulnerabilities of Web Application and the Lab Setup required for Penetration testing.
This document provides an overview of IP addressing and routing. It discusses key topics such as:
- IP addresses being 32-bit numbers written in dotted-decimal format, with the network portion identifying the network and host portion identifying the device.
- Private and public IP addresses, and how Network Address Translation (NAT) allows private networks to connect to the internet using a public IP address.
3. Address Resolution Protocol (ARP)
• ARP is a protocol used by the network layer to map Internet Protocol (IP) addresses to Media Access Control (MAC)/Physical/Ethernet hardware addresses that are used by the data link layer
• When sending an IP packet, Ethernet uses ARP to resolve IP addresses into MAC addresses
• An Internet Protocol address (IP address) is a numerical label assigned to each device participating in a computer network that uses IP for communication (32 bits)
• An IP address is usually assigned by the network administrator or Internet Service Provider (ISP), either statically at the beginning or dynamically each time a connection is established to a network
12/8/2017 3
Hitesh Mohapatra Ph.D
NIDS
4. IP Address and MAC Address
5. Address Resolution Protocol (ARP)
• A MAC address is a permanent hexadecimal string of numbers and letters like 00-0F-B5-45-96-A4 (48 bits)
• MAC addresses are most often assigned by the manufacturer of a Network Interface Card (NIC) and are stored in its hardware
• Address resolution refers to the process of dynamically finding the MAC address of a computer on a network
• ARP provides a dynamic mapping between the two different forms of addresses: the 32-bit IP address and the 48-bit hardware address
6. Address Resolution Protocol (ARP)
• Once the destination’s MAC address is determined, the IP packet can be encapsulated into an Ethernet frame and transmitted to the destination host
• There is a one-to-one mapping between the set of IP addresses and the set of Ethernet addresses
7. Address Resolution Protocol (ARP)
• The working of ARP is based on the following 4 types of messages:
– ARP Request: The initiating device first sends an ARP request broadcast message on the local subnet
– ARP Reply:
• The destination host sends an ARP reply in response to the request broadcast message, giving its MAC address to the source host
• All the other computers ignore this request except the destination host with the given IP address
– RARP Request: Known as a Reverse ARP request, this requests the IP address for a known MAC address
– RARP Reply: The response gives the IP address for the requested hardware address
8. Working of ARP
• To illustrate how ARP works, consider two nodes, X and Y
• If node X wishes to communicate with Y, node X first broadcasts an ARP request for node Y's hardware address
• The ARP request contains X's IP and hardware addresses, and Y's IP address
• When Y receives the ARP request, it places an entry for X in its ARP cache (which is used to map quickly from IP address to hardware address), then responds directly to X with an ARP response containing Y's hardware address
• When node X receives Y's ARP response, it places an entry for Y in its ARP cache
• Once an ARP cache entry exists at X for Y, node X is able to send packets directly to Y without using ARP
9. Illustration of ARP Request and ARP Reply Messages
10. ARP Caching
• Since sending an ARP request/reply for each IP datagram/packet is inefficient, hosts maintain a cache (ARP cache) of current entries (IP to MAC address mappings)
• The ARP cache takes the form of a table containing the mappings of all the MAC and IP addresses for the computers/network devices that this host has already communicated with
• Each device on the network manages its own ARP cache table
• The system will use this information when initiating a conversation with another system
• If the destination MAC address is not in the cache table, the source system will use ARP to determine the MAC address of the destination system
11. Types of ARP Cache
• There are two different ways that entries can be put into the ARP cache:
– Static ARP Cache:
• These are hardware/IP address pairs that are manually added to the cache table for a device and are kept in the cache on a permanent basis
– Dynamic ARP Cache:
• These are hardware/IP address pairs that are added to the cache table automatically as a result of successfully completed past ARP mappings
• An ARP entry (IP address linked to Ethernet MAC) is kept in the cache for some period of time, as long as it is being used
13. Vulnerabilities of ARP
• A major flaw in ARP is the lack of authentication. As ARP does not authenticate requests or replies, ARP requests and replies can be forged
• ARP is stateless: systems update their cache when receiving an ARP reply, regardless of whether they have actually sent an ARP request or not
• According to the ARP protocol specification, a node receiving an ARP packet (request or reply) must update its ARP cache with the information
14. Exploitation of Vulnerabilities in ARP
• The goal of an ARP attack is to associate the attacker's MAC address with the IP address of a target host, so that any traffic meant for the target host will be sent to the attacker
• The attacker could then choose to:
– Inspect the packets and then forward the traffic to the actual destination (interception)
– Use a forged ARP request or reply to update the ARP cache of a system with a forged entry (ARP cache poisoning)
– Modify the data before forwarding it (man-in-the-middle attack)
– Launch a denial-of-service attack by causing some/all of the packets on the network to be dropped
15. ARP Cache Poisoning
• “ARP cache poisoning is the act of introducing a spurious IP-to-Ethernet address mapping in another host’s ARP cache by a malicious host on the LAN”
• The result of ARP cache poisoning is that IP traffic intended for one host is diverted to a different host
• When a malicious host uses another host’s IP address and sends out a broadcast request, the genuine host caches the new IP-to-Ethernet address mapping, thus causing ARP cache poisoning
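To make the update rule and its consequence concrete, here is an added example in Python (not part of these slides): a parser for the ARP payload, a host cache that follows the update-on-any-packet rule of slide 13 in the X/Y exchange of slide 8, and a defender-side monitor that flags an unsolicited reply and a changed IP-to-MAC mapping, the kind of check a switch's dynamic ARP inspection or a passive ARP sensor performs. All MAC and IP values are constructed, and the `ArpCache`, `ArpMonitor` and `run_scenario` names are assumptions of the example.

```python
"""ARP parsing, the cache update rule from the slides, and a poisoning monitor.
Added example with constructed frames; MAC and IP values are made up."""
import struct
from collections import namedtuple
from typing import Dict, List, Optional, Set

ARP_REQUEST, ARP_REPLY = 1, 2
ArpPacket = namedtuple("ArpPacket", "oper sender_mac sender_ip target_mac target_ip")


def parse_arp(payload: bytes) -> ArpPacket:
    """Parse a 28-byte Ethernet/IPv4 ARP payload (RFC 826 field order)."""
    if len(payload) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    mac = lambda b: "-".join(f"{x:02X}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return ArpPacket(oper, mac(sha), ip(spa), mac(tha), ip(tpa))


def build_arp(oper: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Test helper (constructed): the inverse of parse_arp."""
    mac = lambda s: bytes(int(x, 16) for x in s.split("-"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))


class ArpCache:
    """A host's cache under the rule on slide 13: any ARP packet received,
    request or reply, solicited or not, overwrites the sender's entry."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def process(self, pkt: ArpPacket) -> None:
        self.table[pkt.sender_ip] = pkt.sender_mac


class ArpMonitor:
    """Defender-side view of the same frames (e.g. from a mirror port): keep the
    first mapping seen per IP, or a static list like static ARP entries, and
    flag (a) a reply that changes a known mapping, (b) a reply with no request."""

    def __init__(self, static: Optional[Dict[str, str]] = None) -> None:
        self.known: Dict[str, str] = dict(static or {})
        self.pending: Set[str] = set()  # IPs with an outstanding request
        self.alerts: List[str] = []

    def inspect(self, pkt: ArpPacket) -> List[str]:
        new: List[str] = []
        if pkt.oper == ARP_REQUEST:
            self.pending.add(pkt.target_ip)
        elif pkt.oper == ARP_REPLY:
            if pkt.sender_ip in self.pending:
                self.pending.discard(pkt.sender_ip)
            else:
                new.append(f"unsolicited ARP reply for {pkt.sender_ip} from {pkt.sender_mac}")
        prev = self.known.get(pkt.sender_ip)
        if prev is None:
            self.known[pkt.sender_ip] = pkt.sender_mac
        elif prev != pkt.sender_mac:
            new.append(f"{pkt.sender_ip} moved from {prev} to {pkt.sender_mac} "
                       "(possible ARP cache poisoning)")
        self.alerts.extend(new)
        return new


def run_scenario():
    """Node X resolves Y (slide 8), then a rogue host forges a reply for Y's IP.
    Returns X's resulting cache table and the monitor's alerts."""
    x_mac, x_ip = "00-11-22-33-44-55", "10.0.0.1"   # constructed
    y_mac, y_ip = "00-0F-B5-45-96-A4", "10.0.0.2"   # constructed
    rogue_mac = "DE-AD-BE-EF-00-01"                  # constructed
    frames = [
        build_arp(ARP_REQUEST, x_mac, x_ip, "00-00-00-00-00-00", y_ip),
        build_arp(ARP_REPLY, y_mac, y_ip, x_mac, x_ip),
        build_arp(ARP_REPLY, rogue_mac, y_ip, x_mac, x_ip),  # forged, unsolicited
    ]
    cache, monitor = ArpCache(), ArpMonitor()
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt.target_ip == x_ip:   # frames delivered to X update X's cache
            cache.process(pkt)
        monitor.inspect(pkt)        # the monitor sees every frame on the segment
    return cache.table, monitor.alerts
```

After the forged reply, X's cache maps Y's IP to the rogue MAC while the monitor has raised two alerts; seeding the monitor with static entries lets it flag the forged reply even when it is the first packet seen for that IP.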
17. Man-In-The-Middle Attacks
• One of the most prevalent network attacks used against individuals and large organizations is the "man-in-the-middle attack" (MITM attack)
• A MITM attack refers to the type of attack where the attacker intrudes into the communication channel between the endpoints on a network to inject false information, modify information, or intercept the data transfer going between the two parties
• MITM attacks are mainly intended for eavesdropping on sensitive and valuable information
18. Man-In-The-Middle Attacks
• The attacker tries to come in between the network endpoints and proxy all the communications between them
• Once this succeeds, further attacks that may be launched include:
– Sniffing the passing packets
– Hijacking already authenticated sessions
– Injecting packets or commands to the server
– Sending forged responses to the victim client
• The end result is that the attacking host can not only intercept sensitive data but can also inject into and manipulate the data stream to gain further control of its victims
19. MITM Attack Objectives
• To gain access to the client's messages and modify them before finally transmitting them to the server end
• Other objectives of MITM can be to:
– Mislead the communicators at the client or server end, to intercept relevant information (e.g., identity, address, password, or any other confidential information for malicious purposes)
– Manipulate data/transactions
22. Internet Protocol (IP)
• Internet Protocol (IP) is responsible for the transmission of packets between network end points
• IP fragmentation is the process of breaking up a single IP datagram into multiple packets of smaller size
• Every network has a largest size of IP datagram that can be transmitted, called the Maximum Transmission Unit (MTU)
• IP includes support for fragmentation of larger packets into smaller packets when the original packet is too large, as well as reassembly of the smaller packets to reconstitute the original datagram
24. IP Fragmentation and Reassembly
• IP datagrams are encapsulated in data link frames, and larger IP datagrams are forced to be split into packets of smaller size
• Three fields in the IP header are used to implement fragmentation and reassembly – the "Identification", "Flags" and "Fragment Offset" fields
26. Fields in IP Header for Fragmentation and Reassembly
• Identification (16 bits)
– The Identification field uniquely identifies the fragments of a particular datagram
– The source system sets this field to a value that must be unique for that source-destination pair and protocol for the lifetime of the datagram on the internet
• Flags (3 bits)
– This field indicates whether the datagram is a fragment of a larger datagram or not
27. Fields in IP Header for Fragmentation and Reassembly
28. Fields in IP Header for Fragmentation and Reassembly
• Fragment Offset (13 bits)
– The fragment offset specifies the fragment's position within the original datagram, measured in 8-byte units
– Every fragment except the last must contain a multiple of 8 bytes of data
– The last fragment tells the receiving station to start reassembling the data if all fragments have been received
• The receiver will reassemble the data from fragments with the same Identification field
29. IP Attacks
• IP fragment overlap (Teardrop attack)
– A teardrop attack is a denial of service (DoS) attack conducted by targeting IP fragmentation and reassembly
– The attack occurs when two fragments within the same IP datagram have offsets that indicate that they overlap each other
– This attack causes fragmented packets to overlap one another on receipt at the host
– The host attempts to reconstruct the original datagram but fails, resulting in a DoS
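As an added example (not from the slides), the Python below decodes the Identification, Flags and Fragment Offset fields of slides 26 to 28, groups fragments the way a receiver does, and reports the conditions a well-behaved sender never produces: a non-final fragment that is not a multiple of 8 bytes, overlapping fragments (the teardrop pattern), and a final fragment whose offset plus length exceeds the 65535-byte IPv4 maximum (the oversized-datagram case of the ping of death discussed later). Packets and addresses are constructed inline; `build_ipv4` is a test helper of this example, not a real API.

```python
"""IPv4 fragmentation fields and a receiver-side reassembly sanity check.
Added example; packets and addresses below are constructed."""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPV4_MAX_DATAGRAM = 65535  # largest value of the 16-bit Total Length field


@dataclass
class Fragment:
    src: str
    dst: str
    proto: int
    ident: int        # Identification (16 bits)
    dont_frag: bool   # Flags: DF bit
    more_frags: bool  # Flags: MF bit
    offset: int       # Fragment Offset, converted from 8-byte units to bytes
    payload_len: int  # data bytes carried by this fragment


def parse_ipv4(pkt: bytes) -> Fragment:
    """Decode the header fields that govern fragmentation (checksum not verified)."""
    if len(pkt) < 20:
        raise ValueError("IPv4 header too short")
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return Fragment(
        src=".".join(map(str, src)), dst=".".join(map(str, dst)), proto=proto,
        ident=ident,
        dont_frag=bool(flags_off & 0x4000),
        more_frags=bool(flags_off & 0x2000),
        offset=(flags_off & 0x1FFF) * 8,
        payload_len=total_len - ihl,
    )


def build_ipv4(ident: int, more_frags: bool, offset_units: int, payload_len: int,
               src: str = "10.0.0.1", dst: str = "10.0.0.2", proto: int = 1) -> bytes:
    """Constructed test helper: minimal 20-byte header plus a zero-filled payload."""
    flags_off = (0x2000 if more_frags else 0) | (offset_units & 0x1FFF)
    ip = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off,
                      64, proto, 0, ip(src), ip(dst))
    return hdr + bytes(payload_len)


def check_reassembly(packets: List[bytes]) -> List[str]:
    """Group fragments by (src, dst, proto, Identification) as a receiver does and
    report what a correct sender never produces: a non-final fragment whose length
    is not a multiple of 8, overlapping fragments (teardrop), and a final fragment
    that would make the reassembled datagram exceed 65535 bytes (ping of death)."""
    groups: Dict[Tuple[str, str, int, int], List[Fragment]] = defaultdict(list)
    for p in packets:
        f = parse_ipv4(p)
        groups[(f.src, f.dst, f.proto, f.ident)].append(f)
    findings: List[str] = []
    for (_src, _dst, _proto, ident), frags in groups.items():
        frags.sort(key=lambda f: f.offset)
        end_so_far = 0  # highest byte position covered by earlier fragments
        for f in frags:
            if f.more_frags and f.payload_len % 8:
                findings.append(f"id {ident}: non-final fragment carries "
                                f"{f.payload_len} bytes, not a multiple of 8")
            if f.offset < end_so_far:
                findings.append(f"id {ident}: fragment at offset {f.offset} overlaps "
                                f"data already covered up to {end_so_far} (teardrop pattern)")
            end_so_far = max(end_so_far, f.offset + f.payload_len)
            if not f.more_frags and f.offset + f.payload_len > IPV4_MAX_DATAGRAM:
                findings.append(f"id {ident}: reassembled size {f.offset + f.payload_len} "
                                f"exceeds {IPV4_MAX_DATAGRAM} bytes (oversized datagram)")
    return findings
```

A normal two-fragment datagram (1480 bytes then 100 bytes at offset 1480) yields no findings; a second fragment placed at offset 800 produces the teardrop finding, and a final fragment at the maximum offset of 8191 units produces the oversized finding.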
31. IP Attacks
• IP Spoofing
– In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system
– Any host can send packets pretending to be from any IP address
– The attacker is fooling (spoofing) the distant computer into believing that they are a legitimate member of the network
– The goal of the attack is to establish a connection that will allow the attacker to gain root access to the host, allowing the creation of a backdoor entry path into the target system
32. IP Attacks
• IP Spoofing – DoS
– Denial of Service (DoS) attacks are aimed at preventing clients from accessing a service
– IP spoofing can be used to create DoS attacks
– The attacker spoofs a large number of requests from various IP addresses to fill a service's queue
– With the service queue filled, legitimate users cannot use the service
33. IP Spoofing – DoS Attack
[Diagram: the attacker sends a flood of service requests with fake source IPs across the Internet to the server; with the server queue full, the service requests of legitimate users get dropped]
35. Internet Control Message Protocol (ICMP)
• Internet Control Message Protocol (ICMP) is one of the core protocols used for reporting network error conditions, such as a requested service not being available or a host or router not being reachable
• ICMP is heavily used by routers, as well as clients and servers (network endpoints), to determine network errors and availability, as well as performance statistics, through various types of ICMP packets
• There are no validation checks on received ICMP error messages, which leads to a variety of attacks
• ICMP attacks can result in a DoS, allow the attacker to intercept packets, or redirect network traffic towards external hosts on a path of the attacker's choice
36. ICMP Message Format
• Each ICMP message contains three fields that define its purpose and provide a checksum (4 bytes in total)
• They are the TYPE, CODE, and CHECKSUM fields
– The TYPE field identifies the type of ICMP message
– The CODE field provides further information about the associated TYPE field
– The CHECKSUM provides a method for determining the integrity of the message
37. ICMP Sweep
• One of the most common techniques for discovering the range of hosts which are alive in the target’s environment is to perform an ICMP sweep of the entire target network range
• An ICMP sweep involves sending a series of ICMP request packets to the target network range and, from the list of ICMP replies, inferring whether certain hosts are alive and connected to the target’s network for further probing
• An attacker can then direct a more focused attack toward live hosts only
• This can be implemented with a very simple ping or traceroute command, or by using automated scanning tools
38. Types of ICMP Attacks
• ICMP Packet Magnification/ICMP Smurf
• Ping of Death
• ICMP PING Flood Attack
• ICMP Redirect Attack
39. ICMP Packet Magnification/ICMP Smurf Attack
• The Smurf Attack is a DoS attack in which large amounts of
ICMP echo request packets are broadcast to an intermediary
computer network
• The target system's (victim's) spoofed source IP address is
used in packets broadcast to an intermediary computer network via an IP
broadcast address
• This causes all the systems on those networks to send ICMP echo
replies to the victim, consuming the target system's available
bandwidth and creating a DoS to legitimate traffic
• The three parties involved in this type of DoS attack include
the following:
– Hacker (Instigator of the attack)
– Intermediary Network used to amplify the attack (Amplifier)
– Victim (Target of attack)
40. ICMP Packet Magnification/ICMP Smurf Attack
• The attack usually works in the following simple steps:
– Hacker identifies a victim IP address
– Hacker identifies an intermediary site that will amplify the
attack
– Hacker sends a large amount of ICMP traffic (ICMP Echo
Request packets) at the broadcast address of the intermediary
sites
– These packets have the source IP address spoofed to point
towards the victim
– All the hosts which are alive on the LAN each pick up a copy of
the ICMP Echo Request datagram and send an ICMP Echo
Reply datagram back to what they think is the source
– If many hosts are alive on the LAN, the amplification factor can
be considerably high
42. Ping of Death
• An attacker sends an ICMP echo request packet that's larger
than the maximum IP packet size allowed by the IP protocol
• Since the received ICMP echo request packet is larger than
the allowed IP packet size, it's fragmented
• The target can't reassemble the packets, so the OS crashes or
reboots
• Ping of death attacks are dangerous because the identity of
the attacker sending the oversized packet can easily be
spoofed, and the attacker doesn't need to know anything about
the machine being attacked except its IP address
43. ICMP PING Flood Attack
• A ping flood is a simple denial-of-service attack where the attacker
overwhelms the victim/target system with ICMP Echo Request
(ping) packets so that it can't respond to legitimate traffic
• This is most effective by using the flood option of ping which sends
ICMP packets as fast as possible without waiting for replies
• Ping requires the user to be privileged (super user) in order to
specify the flood option
• Super users can send a hundred or more packets per second using the -f
option of ping
• The attacker expects that the victim will respond with ICMP Echo
Reply packets, thus consuming both outgoing bandwidth as well as
incoming bandwidth
44. ICMP Redirect Attack
• ICMP redirects are used by routers/gateways to specify
better routing paths out of one network or redirect a
source host to use a different gateway that may be closer to
the destination
• ICMP redirects affect the way packets are routed to
destinations
• It is legitimately used by routers to tell hosts that the host is
using a non-optimal route to a particular destination
• The "wrong" router/gateway sends the host back an ICMP
Redirect packet that tells the host what the correct route
should be, and the host then redirects its forwarding
accordingly after receiving the redirect message
45. ICMP Redirect Attack
• Through ICMP redirects, a host can find out which
networks can be accessed from the local network and
which are the routers to be used for each such network
• The security problem comes from the fact that an
attacker can forge ICMP redirect packets in order to
redirect traffic to himself
• The attack can be launched by altering host's routing
tables and possibly subverting the security of the host by
diverting traffic to flow via a path the network manager
didn't intend
46. ICMP Redirect Attack
• ICMP Redirects also may be employed for DoS attacks,
where a host is sent to a route where it loses its
connectivity or is sent an ICMP Network Unreachable
packet telling it that it can no longer access a particular
network
• ICMP redirects may also be used to set up Man-in-the-
Middle attacks or amplify SMURF or FRAGGLE attacks
• Because of these security risks, it is recommended to ignore all
ICMP redirects received and to disable sending ICMP redirect
messages from all public interfaces
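The recommendation above (ignore received redirects, stop sending them on public interfaces) maps onto a handful of Linux kernel settings. The following is an added example, not part of the original deck: it parses a `sysctl -a`-style dump, flags every ICMP-redirect setting that is still at the weak value, and renders the hardened lines for a sysctl.d drop-in. The sysctl key names are the real Linux ones; the dump itself is constructed, and `eth0` is an assumed name for the public interface.

```python
from typing import Dict, Iterable, List, Tuple

# Linux sysctl keys (under net.ipv4.conf.<scope>.) that govern ICMP redirects, with the
# hardened value: 0 = neither honour received redirects nor emit them.
REDIRECT_SETTINGS = {
    "accept_redirects": "0",   # do not alter the routing table on a received redirect
    "secure_redirects": "0",   # do not even accept redirects that name a known gateway
    "send_redirects": "0",     # do not send redirects from this interface
}

def parse_sysctl_dump(text: str) -> Dict[str, str]:
    """Parse `sysctl -a`-style 'key = value' lines into a dict; blanks/comments ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def audit_icmp_redirects(settings: Dict[str, str],
                         public_ifaces: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (key, current, recommended) for every redirect setting that is weak or
    absent. The 'all' and 'default' scopes are checked as well as each public interface."""
    findings = []
    for scope in ["all", "default", *public_ifaces]:
        for name, good in REDIRECT_SETTINGS.items():
            key = f"net.ipv4.conf.{scope}.{name}"
            current = settings.get(key, "<missing>")
            if current != good:
                findings.append((key, current, good))
    return findings

def hardened_sysctl_lines(public_ifaces: Iterable[str]) -> List[str]:
    """Render the corrected settings as lines for a /etc/sysctl.d/ drop-in file."""
    return [f"net.ipv4.conf.{scope}.{name} = {good}"
            for scope in ["all", "default", *public_ifaces]
            for name, good in REDIRECT_SETTINGS.items()]

# Constructed sample dump (not captured from a real host): 'all' still accepts
# redirects, 'default' still sends them, and eth0 (assumed public) accepts them.
SAMPLE_DUMP = """\
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.secure_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
"""

if __name__ == "__main__":
    for key, current, good in audit_icmp_redirects(parse_sysctl_dump(SAMPLE_DUMP), ["eth0"]):
        print(f"WEAK {key} = {current} (recommended {good})")
    print("\n".join(hardened_sysctl_lines(["eth0"])))
```

On a live host the dump would come from `sysctl -a 2>/dev/null`; the audit deliberately treats a missing key as a finding, because an interface that is absent from the dump has not been hardened either.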
50. User Datagram Protocol (UDP)
• User Datagram Protocol (UDP) is a protocol used for transport
of data across an Internet Protocol (IP) based network
• UDP does not perform handshaking as TCP does, check for
errors, or even confirm that the transmitted data was received, so
it is referred to as an unreliable, connectionless protocol
• UDP skips the handshaking and focuses on pure
transmission, so it has lower overhead and is faster
than TCP
• Primarily used for broadcasting messages over a network
51. UDP Datagram Format
• Source Port Number: It is assigned by the local computer when it
transmits data to a remote machine
• Destination Port Number: This field identifies the receiver's port
• Length: Field that specifies the length in bytes of the entire datagram –
header and data
• Checksum: This field is used for error-checking of the header and data
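To make the two header layouts concrete (slide 36 for ICMP: TYPE, CODE, CHECKSUM; slide 51 for UDP: source port, destination port, length, checksum), here is an added example that is not part of the original deck. It parses both headers from raw bytes and verifies the checksum the way a sensor would before trusting any field, using the RFC 1071 ones-complement sum; for UDP it includes the IPv4 pseudo-header that the checksum also covers. The builder functions only exist to construct sample packets for the demonstration.

```python
import ipaddress
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones-complement of the ones-complement sum of 16-bit words.
    An odd trailing byte is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(message: bytes) -> dict:
    """Split an ICMP message into its TYPE, CODE and CHECKSUM fields and verify the
    checksum: summing the whole message including a correct checksum yields 0."""
    if len(message) < 4:
        raise ValueError("ICMP message shorter than the 4-byte header")
    icmp_type, code, checksum = struct.unpack("!BBH", message[:4])
    return {
        "type": icmp_type,
        "code": code,
        "checksum": checksum,
        "checksum_ok": internet_checksum(message) == 0,
        "rest": message[4:],                 # identifier/sequence/data for echo messages
    }

def build_icmp_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Construct a TYPE 8 / CODE 0 echo request with a correct checksum (sample data)."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]

def _pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """IPv4 pseudo-header that the UDP checksum also covers (protocol 17 = UDP)."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 17, udp_length))

def parse_udp(datagram: bytes, src_ip: str, dst_ip: str) -> dict:
    """Parse the four 16-bit UDP header fields and verify the length and checksum."""
    if len(datagram) < 8:
        raise ValueError("UDP datagram shorter than the 8-byte header")
    sport, dport, length, checksum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError(f"UDP length field {length} != datagram size {len(datagram)}")
    if checksum == 0:
        checksum_ok = None   # IPv4 allows the UDP checksum to be omitted entirely
    else:
        checksum_ok = internet_checksum(_pseudo_header(src_ip, dst_ip, length) + datagram) == 0
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": checksum, "checksum_ok": checksum_ok, "data": datagram[8:]}

def build_udp(sport: int, dport: int, payload: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Construct a UDP datagram with a correct checksum (sample data)."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(_pseudo_header(src_ip, dst_ip, length) + header + payload)
    if csum == 0:
        csum = 0xFFFF        # a computed zero is sent as all-ones, since zero means "absent"
    return header[:6] + struct.pack("!H", csum) + payload

if __name__ == "__main__":
    icmp = build_icmp_echo_request(0x1234, 1, b"abcdefgh")
    print(parse_icmp(icmp))
    udp = build_udp(53000, 53, b"query", "192.0.2.10", "192.0.2.53")
    print(parse_udp(udp, "192.0.2.10", "192.0.2.53"))
```

The UDP check needs the IP addresses because they are part of the pseudo-header: a datagram whose source address has been rewritten (as in the spoofing attacks on the following slides) fails verification even when the UDP bytes themselves are untouched, which is why the test below re-parses the same datagram with a different source.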
52. UDP Fraggle Attack
• Similar to the ICMP Smurf attack
• A UDP fraggle attack is a type of DoS attack where an
attacker sends a large amount of UDP echo traffic (UDP
Echo request packets) to IP broadcast addresses, all of it
having a spoofed source address
• The Fraggle attack uses UDP Echo packets in the same way as
the ICMP Echo packets are used in the Smurf attack
• All computers reply (amplification) with UDP Echo reply
packets
• Because the source IP was spoofed, the victim is overwhelmed by the replies,
creating a DoS to legitimate traffic
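Smurf (slides 39 and 40) and Fraggle (slide 52) share one structure: an echo request aimed at a broadcast address with the victim's address as source, followed by a burst of replies converging on the victim. The following is an added example, not part of the original deck, that detects both halves over constructed flow records: on the amplifier side it flags echo requests (ICMP type 8, or UDP to port 7) addressed to a directed broadcast, and on the victim side it flags a destination that receives echo replies from many distinct hosts. The subnets, addresses and packet records are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Subnets the monitored site owns (constructed for this example); their directed
# broadcast addresses are what a Smurf/Fraggle amplifier request is aimed at.
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]
UDP_ECHO_PORT = 7            # the UDP echo service that Fraggle reflects off

def is_broadcast(dst: str) -> bool:
    addr = ipaddress.ip_address(dst)
    return addr == ipaddress.ip_address("255.255.255.255") or any(
        addr == net.broadcast_address for net in LOCAL_SUBNETS)

def is_local(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_SUBNETS)

def is_echo_request(p: dict) -> bool:
    if p["proto"] == "icmp":
        return p.get("type") == 8               # ICMP Echo Request
    if p["proto"] == "udp":
        return p.get("dport") == UDP_ECHO_PORT  # UDP echo request
    return False

def is_echo_reply(p: dict) -> bool:
    if p["proto"] == "icmp":
        return p.get("type") == 0               # ICMP Echo Reply
    if p["proto"] == "udp":
        return p.get("sport") == UDP_ECHO_PORT  # UDP echo reply
    return False

def find_amplifier_abuse(packets: List[dict]) -> List[dict]:
    """Amplifier side: echo requests aimed at a broadcast address. A source outside
    the LAN is the spoofed victim, so such packets should be dropped at the border
    (and directed broadcasts should not be forwarded at all)."""
    return [{"src": p["src"], "dst": p["dst"], "proto": p["proto"],
             "src_outside_lan": not is_local(p["src"])}
            for p in packets if is_echo_request(p) and is_broadcast(p["dst"])]

def find_reflection_victims(packets: List[dict], min_sources: int = 5) -> Dict[str, int]:
    """Victim side: one destination receiving echo replies from many distinct sources.
    Returns {victim_ip: number_of_distinct_reflectors}."""
    reflectors = defaultdict(set)
    for p in packets:
        if is_echo_reply(p):
            reflectors[p["dst"]].add(p["src"])
    return {dst: len(s) for dst, s in reflectors.items() if len(s) >= min_sources}

# Constructed sample traffic (not a real capture)
SAMPLE = [
    # normal LAN ping and its reply
    {"proto": "icmp", "type": 8, "src": "192.0.2.10", "dst": "192.0.2.20"},
    {"proto": "icmp", "type": 0, "src": "192.0.2.20", "dst": "192.0.2.10"},
    # Smurf: echo request to the directed broadcast with the victim's spoofed address
    {"proto": "icmp", "type": 8, "src": "203.0.113.9", "dst": "192.0.2.255"},
    # Fraggle: UDP echo request to the other subnet's broadcast, same spoofed source
    {"proto": "udp", "sport": 40000, "dport": 7, "src": "203.0.113.9", "dst": "198.51.100.255"},
]
# what the victim then sees: replies from every live host on both subnets
SAMPLE += [{"proto": "icmp", "type": 0, "src": f"192.0.2.{i}", "dst": "203.0.113.9"}
           for i in range(1, 7)]
SAMPLE += [{"proto": "udp", "sport": 7, "dport": 40000, "src": f"198.51.100.{i}",
            "dst": "203.0.113.9"} for i in range(1, 3)]

if __name__ == "__main__":
    print(find_amplifier_abuse(SAMPLE))
    print(find_reflection_victims(SAMPLE))
```

The amplifier-side check is the one a site can act on directly: a router that does not forward directed broadcasts, and hosts that do not answer broadcast echo requests, remove the amplification factor the slides describe regardless of who the victim is.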
53. UDP Flood Attack
• A UDP flood attack is a DoS attack using UDP
• This attack is possible when an attacker sends a UDP packet to
a random port on the victim system
• When the victim system receives a UDP packet it will:
– Check for the application listening at that port
– Determine that no application listens at that port
– Reply with a “Destination Unreachable” packet to the
forged source address
• Ultimately, the host sends out so many packets that the
system becomes flooded, and thus unreachable (DoS) to
other clients
54. UDP Ping Pong
• The ping pong attack takes advantage of UDP
services that respond whenever a packet is sent to
them
• A hacker can spoof an IP packet from one of these
services sent to another service and the two services
will start sending traffic at each other (Ping Pong
effect)
• This consumes machine resources and network
bandwidth
56. Transmission Control Protocol (TCP)
• TCP is a connection-oriented protocol used along
with the Internet Protocol (IP) to send data in the
form of message units between computers over the
Internet
• TCP is responsible for ensuring that a message is
divided into packets for efficient routing through the
Internet, and IP manages reassembling the
packets back into the complete message at the other
end
59. TCP Syn Flooding (Syn Flood Attack)
• A SYN flood is a form of DoS attack in which an
attacker sends a succession of SYN requests to a
target's system in an attempt to consume enough
server resources so as to make the system
unresponsive to legitimate traffic
60. TCP Three-Way Handshake
• When a client attempts to start a TCP connection to a
server, the client and server exchange a series of
messages which runs like this:
– The client requests a connection by sending a SYN message to
the server
– The server acknowledges this request by sending SYN-ACK back
to the client
– The client responds with an ACK, and the connection is
established
• This is called the TCP three-way handshake
• Once the connection is established, the session remains
open until one of the machines sends a RST (reset) or FIN
(finish)
62. TCP Syn Flooding
• An attacker sends many SYN packets to create
multiple connections without ever sending an ACK to
complete the connection
• Those SYN packets usually use spoofed IP addresses
• The victim has to keep the half-open connections
in its memory for a certain amount of time, until no
new connections can be made, resulting in a DoS to
the legitimate traffic
• If there are many of these malicious packets, the
victim quickly runs out of memory
63. Syn Flood Attack
• The attacker sends several packets but does
not send the "ACK" back to the server. The
connections are half-open and consume
server resources. A legitimate user tries to
connect, but the server refuses to open a
connection, resulting in a DoS
[Figure: SYN flood diagram showing the Attacker, the User and the Server]
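The three-way handshake of slide 60 and the half-open state that slides 59, 62 and 63 describe can be followed by a sensor that tracks each connection's state machine. The following is an added example, not part of the original deck: a tracker that moves each 4-tuple through SYN, SYN-ACK and ACK, forgets connections on RST or FIN, and raises an alert when one server accumulates many half-open connections from many distinct client addresses, which is the SYN-flood signature (spoofed sources never send the final ACK). The trace, addresses and threshold are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits

class HandshakeTracker:
    """Follows each TCP connection through SYN -> SYN-ACK -> ACK and reports the
    half-open ones (server answered SYN-ACK, client never sent the final ACK)."""

    def __init__(self, half_open_threshold: int = 10):
        self.threshold = half_open_threshold
        # key: (client_ip, client_port, server_ip, server_port) -> state
        self.state: Dict[Tuple[str, int, str, int], str] = {}

    def feed(self, src: str, sport: int, dst: str, dport: int, flags: int) -> None:
        if flags & RST or flags & FIN:
            # either side tearing down: forget both orientations of the 4-tuple
            self.state.pop((src, sport, dst, dport), None)
            self.state.pop((dst, dport, src, sport), None)
        elif flags & SYN and not flags & ACK:
            self.state[(src, sport, dst, dport)] = "syn_sent"       # client -> server
        elif flags & SYN and flags & ACK:
            key = (dst, dport, src, sport)                          # server -> client
            if self.state.get(key) == "syn_sent":
                self.state[key] = "syn_received"                    # half-open on server
        elif flags & ACK:
            key = (src, sport, dst, dport)
            if self.state.get(key) == "syn_received":
                self.state[key] = "established"                     # handshake complete

    def half_open_by_server(self) -> Dict[Tuple[str, int], dict]:
        summary = defaultdict(lambda: {"half_open": 0, "clients": set()})
        for (client, _cp, server, sp), st in self.state.items():
            if st == "syn_received":
                summary[(server, sp)]["half_open"] += 1
                summary[(server, sp)]["clients"].add(client)
        return summary

    def established_count(self) -> int:
        return sum(1 for st in self.state.values() if st == "established")

    def alerts(self) -> List[dict]:
        """A server with many half-open connections from many distinct client
        addresses that never complete is the SYN-flood signature."""
        return [{"server": server, "half_open": d["half_open"],
                 "distinct_clients": len(d["clients"])}
                for server, d in self.half_open_by_server().items()
                if d["half_open"] >= self.threshold]

def replay(packets: List[Tuple[str, int, str, int, int]], threshold: int = 10) -> HandshakeTracker:
    tracker = HandshakeTracker(threshold)
    for p in packets:
        tracker.feed(*p)
    return tracker

SERVER = ("192.0.2.80", 443)
# Constructed trace (not a real capture): one legitimate user completes the
# handshake; twelve spoofed sources send SYNs, get SYN-ACKs, and never ACK.
SAMPLE_TRACE = [
    ("192.0.2.10", 50000, *SERVER, SYN),
    (*SERVER, "192.0.2.10", 50000, SYN | ACK),
    ("192.0.2.10", 50000, *SERVER, ACK),
]
for i in range(1, 13):
    SAMPLE_TRACE.append((f"10.0.0.{i}", 40000 + i, *SERVER, SYN))
    SAMPLE_TRACE.append((*SERVER, f"10.0.0.{i}", 40000 + i, SYN | ACK))

if __name__ == "__main__":
    t = replay(SAMPLE_TRACE)
    print("established:", t.established_count())
    print("alerts:", t.alerts())
```

A real sensor would also age out half-open entries after the server's own SYN-ACK retransmission timeout, so that slow but honest clients are not counted forever; the threshold here is per server port, because that is the resource the attack exhausts.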
64. TCP Session Hijacking
• Session hijack attacks are defined as taking over an
active TCP/IP communication session without anyone’s
permission or knowledge
• An active session between a client and a server is
diverted by an intruder who pretends to be the
“legitimate” client
• The intruder communicates with the server and keeps
the legitimate client inactive
• When implemented successfully, attackers assume the
identity of the compromised user, enjoying the same
access to the resources as the compromised user
65. Types of Session Hijacking
• There are three types of session hijacking
attacks:
– Active Session Hijack Attack
– Passive Session Hijack Attack
– Hybrid Session Hijack Attack
66. Active Session Hijack Attack
• The attacker takes over the client's position in the
communication exchange between the client and the server by
taking the client offline
67. Passive Session Hijack Attack
• Passive attacks keep the client online and give the attacker the
ability to monitor network traffic and potentially discover valuable
data or passwords
68. Hybrid Session Hijack Attack
• This attack is a combination of the active and passive
attacks, which allows the attacker to listen to network
traffic until something of interest is found
• The attacker can then switch to an active attack by removing
the client computer from the session (taking it
offline) and assuming its identity
69. TCP Session Hijacking
• The most common method of session hijacking is
called IP spoofing, in which an attacker uses source-
routed IP packets to insert commands into an active
communication between two nodes on a network,
disguising itself as one of the authenticated
users
• This type of attack is possible because authentication
is done only at the start of a TCP session
70. TCP RST Attacks
• A TCP reset attack is also known as "forged TCP resets" or
"spoofed TCP reset packets"
• A TCP connection is a stream of packets, each
containing a TCP header
• Each of these headers contains a bit known as the "reset"
(RST) flag, which aborts a connection in response to an error
• In most packets this bit is set to 0 and has no effect;
however, if this bit is set to 1, it tells the receiving
computer to kill the TCP connection instantly
71. TCP RST Attacks
• It is possible for an attacker to monitor the TCP
packets on the connection, and then send a "forged"
packet containing a TCP reset to one or both of the
endpoints
• Every field in the TCP header must be set to a
convincing forged value which indicates that it came
from a genuine host, not from the intruder
• Properly formatted forged TCP resets can be a very
effective way to close any active TCP connection
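The receiving side decides whether a forged reset "convinces" it, and RFC 5961 tightened that decision: a RST is honoured only when its sequence number is exactly the next expected one (RCV.NXT); a RST that merely falls inside the receive window gets a challenge ACK instead, which a genuine peer answers with a correctly numbered RST and a forger cannot. The following is an added example, not part of the original deck, implementing that check with 32-bit wraparound and a 4-tuple match before the sequence number is even considered. The connection record and segments are constructed for the example.

```python
MOD = 1 << 32
RST = 0x04                     # TCP reset flag bit

def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True when seq lies in [RCV.NXT, RCV.NXT + RCV.WND), with 32-bit wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

def classify_rst(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 section 3.2 handling of an incoming RST:
       - SEQ == RCV.NXT          -> accept, the connection is aborted
       - SEQ elsewhere in window -> do not abort; send a challenge ACK so that a
                                    genuine peer can retry with the exact value
       - SEQ outside the window  -> drop silently."""
    if seq == rcv_nxt:
        return "accept"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"

def handle_segment(conn: dict, seg: dict) -> str:
    """Apply the check to a segment after confirming it belongs to this connection:
    the (peer, peer port, local, local port) tuple must match first."""
    expected = (conn["peer"], conn["peer_port"], conn["local"], conn["local_port"])
    if (seg["src"], seg["sport"], seg["dst"], seg["dport"]) != expected:
        return "drop"                       # not our connection at all
    if not seg["flags"] & RST:
        return "not-a-rst"
    return classify_rst(seg["seq"], conn["rcv_nxt"], conn["rcv_wnd"])

# Constructed connection state as the local side (192.0.2.80:443) sees it
SAMPLE_CONN = {"local": "192.0.2.80", "local_port": 443,
               "peer": "192.0.2.10", "peer_port": 50000,
               "rcv_nxt": 1000, "rcv_wnd": 65535}

def _seg(src: str, sport: int, seq: int, flags: int = RST) -> dict:
    return {"src": src, "sport": sport, "dst": "192.0.2.80", "dport": 443,
            "seq": seq, "flags": flags}

if __name__ == "__main__":
    print(handle_segment(SAMPLE_CONN, _seg("192.0.2.10", 50000, 1000)))   # accept
    print(handle_segment(SAMPLE_CONN, _seg("192.0.2.10", 50000, 1500)))   # challenge-ack
    print(handle_segment(SAMPLE_CONN, _seg("192.0.2.10", 50000, 999)))    # drop
    print(handle_segment(SAMPLE_CONN, _seg("203.0.113.5", 50000, 1000)))  # drop
```

The exact-match rule is what turns "any in-window value" into "one value in 2^32" for a blind sender, which is why hosts that implement RFC 5961 are far less exposed to the off-path reset attack the slides describe; an on-path attacker who can read the sequence numbers is still not stopped by it.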
72. TCP Port Scanning
• A port scan can be defined as an attack that sends
client requests to a range of server port addresses on
a host, with the goal of finding an active port and
exploiting a known vulnerability (method of
discovering exploitable communication channels)
• By port scanning the attacker finds which ports are
available (i.e., being listened to by a service)
• A port scan consists of sending a message to each
port, one at a time
73. TCP Port Scanning
• The kind of response received indicates whether the
port is used and can therefore be probed further for
weakness
• The result of a scan on a port is usually generalized
into one of three categories:
– Open or Accepted: The host sent a reply indicating that a
service is listening on the port
– Closed or Denied or Not Listening: The host sent a reply
indicating that connections are denied to the port
– Filtered, Dropped or Blocked: There was no reply from the
host
74. Port Scanning Techniques
• TCP SYN scan:
– Send a SYN packet (Initiates a connection) and wait for a
response
– SYN-ACK indicates the port is listening and a RST is indicative of
a non-listener port
– If a SYN-ACK is received, the attacker immediately sends a RST packet
to close the connection
• TCP connect() scan:
– The connect() system call can be used to open a connection to
every interesting port on the target machine
– If the port is listening, connect() will succeed, otherwise the
port isn't reachable
– One strong advantage of this technique is that the user doesn't need
any special privileges
75. Port Scanning Techniques
• FIN Scan:
– A FIN, or "Finish", is a TCP packet used to indicate that the sending
entity will no longer use the session to send or receive data
– These are called "stealth" scans because they send a single frame to a
TCP port without any normal TCP handshaking
– An attacker uses a TCP FIN scan to determine if ports are closed on the
target machine
– If a RST packet is received, the port is considered closed
76. Port Scanning Techniques
• Xmas Tree Scan:
– The Xmas tree scan sends a TCP frame to a remote device with
the URG, PUSH, and FIN flags set
– This is called a Xmas tree scan because of the alternating bits
turned on and off in the flags byte, much like the lights of a
Christmas tree
77. Port Scanning Techniques
• NULL Scan:
– Null scan is accomplished by sending TCP segments with no
flags set in the packet header
– An attacker uses a TCP NULL scan to determine if ports are
closed on the target machine
– If a port is closed, a RST frame is returned
78. Port Scanning Techniques
• The response of a null scan to an open port is “no
response”
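Each technique on slides 74 to 78 leaves a distinct fingerprint in the TCP flag byte (SYN alone; FIN alone; URG+PSH+FIN for Xmas; no flags for NULL), and an ICMP sweep (slide 37) is the same pattern applied across hosts instead of ports. The following is an added example, not part of the original deck, that classifies probes by their flag combination and raises an alert when one source touches many (host, port) targets with the same probe type, or pings many hosts; FIN, Xmas and NULL segments get a lower threshold because they never open a connection and so have no legitimate reason to arrive unsolicited. The thresholds, addresses and packet records are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20   # TCP flag bits

def classify_probe(flags: int) -> str:
    """Map a TCP flag byte to the probe types described on the slides."""
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == URG | PSH | FIN:
        return "xmas"
    if flags == SYN:
        return "syn"
    return "other"       # SYN-ACK, ACK, data segments: normal traffic shapes

def detect_scans(packets: List[dict], port_threshold: int = 10,
                 host_threshold: int = 10, stealth_threshold: int = 3) -> List[dict]:
    """Group probes by source. A source touching many (host, port) pairs with the
    same probe type is a port scan; a source pinging many hosts is an ICMP sweep."""
    targets: Dict[tuple, set] = defaultdict(set)    # (src, probe type) -> {(dst, dport)}
    pinged: Dict[str, set] = defaultdict(set)       # src -> {dst}
    for p in packets:
        if p["proto"] == "tcp":
            kind = classify_probe(p["flags"])
            if kind != "other":
                targets[(p["src"], kind)].add((p["dst"], p["dport"]))
        elif p["proto"] == "icmp" and p.get("type") == 8:
            pinged[p["src"]].add(p["dst"])
    alerts = []
    for (src, kind), hits in sorted(targets.items()):
        if len(hits) >= port_threshold:
            alerts.append({"src": src, "technique": f"{kind} scan", "targets": len(hits)})
        elif kind in ("fin", "xmas", "null") and len(hits) >= stealth_threshold:
            # these flag combinations never open a connection, so even a few of them
            # to ports with no established session are worth a lower-confidence alert
            alerts.append({"src": src, "technique": f"{kind} probes", "targets": len(hits)})
    for src, hosts in sorted(pinged.items()):
        if len(hosts) >= host_threshold:
            alerts.append({"src": src, "technique": "icmp sweep", "targets": len(hosts)})
    return alerts

# Constructed sample traffic (not a real capture)
SAMPLE = [{"proto": "tcp", "flags": SYN, "src": "203.0.113.5", "dst": "192.0.2.10", "dport": port}
          for port in range(1, 21)]                                   # SYN scan, 20 ports
SAMPLE += [{"proto": "tcp", "flags": URG | PSH | FIN, "src": "203.0.113.6",
            "dst": "192.0.2.10", "dport": port} for port in (21, 22, 23, 80)]   # Xmas probes
SAMPLE += [{"proto": "icmp", "type": 8, "src": "203.0.113.7", "dst": f"192.0.2.{i}"}
           for i in range(1, 16)]                                     # ICMP sweep, 15 hosts
SAMPLE += [{"proto": "tcp", "flags": SYN, "src": "192.0.2.30", "dst": "192.0.2.10", "dport": 443},
           {"proto": "tcp", "flags": SYN | ACK, "src": "192.0.2.10", "dst": "192.0.2.30",
            "dport": 50000}]                                          # one normal connection

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE):
        print(alert)
```

Counting distinct targets rather than raw packets is deliberate: a retransmitting client hits the same port many times, whereas a scanner's packets spread across ports or hosts, so the distinct-target count separates the two even at low packet rates.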
79. TCP Sequence Prediction Attack
• When two hosts need to transfer data using the TCP protocol,
the host that initiated the connection generates a 32-bit
Initial Sequence Number (ISN)
• This sequence number is included on each transmitted packet
and acknowledged by the opposite host as an
acknowledgement number to inform the sending host that
the transmitted data was received successfully
• A TCP sequence prediction attack is an attempt to predict the
sequence number used to identify the packets in a TCP
connection
80. TCP Sequence Prediction Attack
• The root of this security problem starts with the way the
ISN is generated
• Every operating system uses its own algorithm to
generate an ISN for every new connection
• The hacker tries to figure out which algorithm the
specific operating system uses to generate the ISN, which would
allow them to predict future ISNs generated
by the source host
• If the attack is successful:
– The hacker will be able to send counterfeit packets to the receiving
host which will seem to originate from the source host
– The hacker can cause premature closure of an existing TCP connection by
injecting packets with the FIN bit set
81. TCP Sequence Prediction Attack
• If an attacker can find out the current sequence number
that is being used by an existing TCP connection, they
can inject a valid TCP segment into the existing TCP
connection
– If the attacker is within the same LAN, they can sniff the
sequence number (the attacker listens to the conversation
occurring between the trusted hosts, and then issues
counterfeit packets using the same source IP address)
– If the attacker is not within the same LAN, it has to
guess/predict the sequence number
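Slides 79 to 81 locate the problem in how the ISN is generated, so the defender's question is whether a given generator is predictable from a handful of observed values. The following is an added example, not part of the original deck: it contrasts an illustrative weak generator (a fixed increment per connection, a constructed example that names no real OS) with an RFC 6528 style generator, where the ISN is a 4-microsecond clock plus a keyed-hash offset of the connection's 4-tuple, and applies a simple auditor's check that learns the ISN-to-ISN delta from the first few samples and measures how often extrapolation hits later ones. The secret, addresses, ports and timestamps are constructed for the example.

```python
import hashlib
import hmac
import struct
from collections import Counter
from typing import List

MOD = 1 << 32

def weak_isn_sequence(n: int, start: int = 0, step: int = 64000) -> List[int]:
    """Illustrative weak generator: every new connection adds a fixed increment, so
    one observed ISN reveals all later ones (constructed example, no real OS named)."""
    return [(start + i * step) % MOD for i in range(n)]

def rfc6528_isn(secret: bytes, src_ip: str, sport: int, dst_ip: str, dport: int,
                clock_us: int) -> int:
    """RFC 6528 style: ISN = M + F(4-tuple, secret), with M a 4-microsecond clock and
    F a keyed hash. Different connections get unrelated offsets, so observing one
    connection's ISN says nothing about another's."""
    msg = f"{src_ip}:{sport}:{dst_ip}:{dport}".encode()
    offset = struct.unpack("!I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]
    return ((clock_us // 4) + offset) % MOD

def assess_predictability(isns: List[int], train: int = 5) -> dict:
    """Learn the most common ISN-to-ISN delta from the first `train` deltas, then
    measure how often 'previous + delta' matches each later sample. A hit_rate of
    1.0 means the generator is fully predictable; near 0 means this simple model
    cannot predict it (an auditor's sanity check, not a proof of randomness)."""
    if len(isns) < train + 2:
        raise ValueError("need more samples than the training prefix")
    deltas = [(b - a) % MOD for a, b in zip(isns, isns[1:])]
    step = Counter(deltas[:train]).most_common(1)[0][0]
    later = range(train + 1, len(isns))
    hits = sum(1 for i in later if (isns[i - 1] + step) % MOD == isns[i])
    return {"step": step,
            "hit_rate": hits / len(later),
            "distinct_delta_ratio": len(set(deltas)) / len(deltas)}

# Constructed samples: 25 consecutive connections from one client to one server
# with increasing source ports, 50 ms apart (fixed secret for reproducibility).
WEAK = weak_isn_sequence(25)
STRONG = [rfc6528_isn(b"example-secret", "192.0.2.10", 40000 + i, "192.0.2.80", 443,
                      1_000_000 + 50_000 * i) for i in range(25)]

if __name__ == "__main__":
    print("weak:  ", assess_predictability(WEAK))
    print("strong:", assess_predictability(STRONG))
```

Passing this check is necessary, not sufficient: a generator can defeat the constant-delta model and still be weak against a better one, which is why the real standard is a keyed hash over the 4-tuple with a secret the observer never sees, as in the second generator.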
83. Domain Name Service (DNS)
• Domain Name Service (DNS) is a hierarchical distributed
naming system for computers, services or any resource
connected to the Internet or a private network
• DNS automatically converts the names we type in our Web
browser address bar to the IP addresses of Web servers
hosting those sites
• DNS translates a human readable domain name (such as
example.com) into a numerical IP address that is used to
route communications between nodes
• DNS implements a distributed database to store this name
and address information for all public hosts on the Internet
84. Unrelated Data Attack
• To improve performance, DNS servers can send back
more information than what the client has asked for to
avoid another likely DNS lookup
• In older versions of DNS servers, the validity of the
extra information is not verified
• The hacker answers and adds to the answer anything
he wants to be cached in the victim DNS's cache. In this
way, he can poison the cache of the remote DNS server
• The problem has been fixed in BIND (most widely used
DNS S/W on the Internet), by forbidding anything that
is not related to the original request to be cached
86. Related Data Attack
• The process is the same as the unrelated data attack
• The hacker has to make the “extra” information related
to the original query
– MX: mail server for a domain
– CNAME: canonical name for an alias
– NS: DNS servers for a domain
• The above information is “related” to the original
request, but it can point to totally different
information the hacker wants to be cached
• The problem has also been fixed in BIND, by rejecting
all the “out of zone” information
87. DNS Cache Poisoning
• To improve efficiency, DNS servers typically store
results in a cache to speed further lookups
• DNS spoofing is malicious cache poisoning where
forged data is placed in the cache of the domain
name servers
• If the forged data gets into the cache, it will affect
future lookups
• One successful cache poisoning attack can therefore
affect many users
89. DNS Spoofing
• DNS spoofing is a term referring to the action of
answering a DNS request that was intended for another
server
• The hacker “spoofs” the DNS server’s answer by
answering what he wants for a specific request
• For instance, the attacker tries to make the DNS lookup for
www.mybank.com answer with the IP of the
hacker's computer
• The hacker will try to impersonate the DNS reply so that
the “Client Misdirection” occurs, but without touching
the DNS cache of the impersonated DNS
91. DNS ID Hacking
• It is not enough to spoof a DNS reply, as DNS uses an ID
number to match queries and answers
• The hacker needs to find the ID the client is waiting
for (DNS ID Hacking)
• DNS ID hacking is a necessary technique for a hacker
to succeed in impersonating a DNS server (this is the
basis of DNS spoofing)
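The four DNS slides (84, 86, 89 and 91) describe two different filters a resolver applies before caching anything. The "out of zone" rule that fixed the unrelated- and related-data attacks is a bailiwick check: a record is kept only if its name lies inside the zone the queried server is authoritative for, whichever section it arrives in. Against spoofing and ID hacking, the resolver matches each reply to an outstanding query by transaction ID, source port, source address and question, and chooses the ID and port unpredictably so that both must be guessed. The following is an added example, not part of the original deck, that implements both filters over dict-shaped messages rather than wire format; the zone, server address and records are constructed, and www.mybank.com is the example name the deck itself uses.

```python
import secrets
from typing import Dict, List, Optional, Tuple

def in_bailiwick(name: str, zone: str) -> bool:
    """True when `name` is the zone apex or lies beneath it (case-insensitive)."""
    n, z = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)

class StubResolver:
    """Tracks outstanding queries and validates each reply before anything is cached."""

    def __init__(self):
        # (transaction id, our source port) -> query details
        self.pending: Dict[Tuple[int, int], dict] = {}

    def send_query(self, qname: str, qtype: str, server_ip: str, zone: str) -> Tuple[int, int]:
        """Pick an unpredictable 16-bit ID and an unpredictable source port, so that
        a forger has to guess both (the defence against DNS ID hacking)."""
        while True:
            qid = secrets.randbelow(1 << 16)
            sport = 1024 + secrets.randbelow(65536 - 1024)
            if (qid, sport) not in self.pending:
                break
        self.pending[(qid, sport)] = {"qname": qname, "qtype": qtype,
                                      "server": server_ip, "zone": zone}
        return qid, sport

    def validate(self, reply: dict) -> Tuple[Optional[List[dict]], str]:
        """Return (accepted records, reason). None means the reply was rejected outright."""
        key = (reply["id"], reply["dst_port"])
        q = self.pending.get(key)
        if q is None:
            return None, "no outstanding query with this id/port"
        if reply["src_ip"] != q["server"] or reply["src_port"] != 53:
            return None, "reply did not come from the server we asked"
        if (reply["qname"].lower(), reply["qtype"]) != (q["qname"].lower(), q["qtype"]):
            return None, "question section does not match our query"
        # Bailiwick rule: only records for names inside the zone this server is
        # authoritative for are kept, whether they sit in the answer, authority or
        # additional section. This stops both the unrelated- and related-data attacks.
        accepted = [rr for rr in reply["records"] if in_bailiwick(rr["name"], q["zone"])]
        dropped = len(reply["records"]) - len(accepted)
        del self.pending[key]          # one reply per query; a late duplicate is rejected
        return accepted, f"accepted {len(accepted)} record(s), discarded {dropped} out-of-bailiwick"

def make_reply(qid: int, sport: int, qname: str, qtype: str, records: List[dict],
               src_ip: str = "192.0.2.53") -> dict:
    """Constructed reply in the dict form validate() expects (sample data, not wire format)."""
    return {"id": qid, "dst_port": sport, "src_ip": src_ip, "src_port": 53,
            "qname": qname, "qtype": qtype, "records": records}

# Constructed records: a legitimate answer, a legitimate glue record, and an
# "extra" record for a name outside example.com that must never be cached.
SAMPLE_RECORDS = [
    {"name": "www.example.com", "type": "A", "data": "192.0.2.44"},
    {"name": "ns1.example.com", "type": "A", "data": "192.0.2.53"},
    {"name": "www.mybank.com", "type": "A", "data": "203.0.113.66"},
]

if __name__ == "__main__":
    resolver = StubResolver()
    qid, sport = resolver.send_query("www.example.com", "A", "192.0.2.53", "example.com")
    accepted, reason = resolver.validate(make_reply(qid, sport, "www.example.com", "A", SAMPLE_RECORDS))
    print(reason, [rr["name"] for rr in accepted])
```

The order of the checks matters for cost as well as correctness: the ID/port lookup is a dictionary hit and rejects the bulk of forged replies before any name comparison runs, and deleting the pending entry on the first valid reply means a flood of guesses arriving after the genuine answer cannot overwrite it.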