Intrusion Detection Systems
Lecture #5
Internet Attacks
Network Based Intrusion Detection
Outline
• ARP Attacks
• IP Attacks
• ICMP Attacks
• UDP Attacks
• TCP Attacks
• DNS Attacks
12/8/2017 2
Hitesh Mohapatra Ph.D
NIDS
Address Resolution Protocol (ARP)
• ARP is the protocol used by the network layer to map Internet Protocol (IP) addresses to the Media Access Control (MAC)/physical/Ethernet hardware addresses used by the data link layer
• When sending an IP packet, Ethernet uses ARP to resolve IP addresses into MAC addresses
• An Internet Protocol address (IP address) is a 32-bit numerical label assigned to each device participating in a computer network that uses IP for communication
• An IP address is usually assigned by the network administrator or Internet Service Provider (ISP), either statically at the outset or dynamically each time a connection to a network is established
[Figure: IP Address and MAC Address]
Address Resolution Protocol (ARP)
• A MAC address is a permanent hexadecimal string of numbers and letters like 00-0F-B5-45-96-A4 (48 bits)
• MAC addresses are most often assigned by the manufacturer of a Network Interface Card (NIC) and are stored in its hardware
• Address resolution refers to the process of dynamically finding the MAC address of a computer on a network
• ARP provides a dynamic mapping between the two different forms of address: the 32-bit IP address and the 48-bit hardware address
Address Resolution Protocol (ARP)
• Once the destination's MAC address is determined, the IP packet can be encapsulated into an Ethernet frame and transmitted to the destination host
• There is a one-to-one mapping between the set of IP addresses and the set of Ethernet addresses
Address Resolution Protocol (ARP)
• ARP is based on the following four types of messages:
– ARP Request: The initiating device first sends an ARP request as a broadcast message on the local subnet
– ARP Reply:
• The destination host sends an ARP reply in response to the broadcast request, giving its MAC address to the source host
• All other hosts ignore the request; only the destination host with the given IP address answers
– RARP Request: Known as a Reverse ARP request, this asks for the IP address of a known MAC address
– RARP Reply: The response gives the IP address for the requested hardware address
Working of ARP
• To illustrate how ARP works, consider two nodes, X and Y
• If node X wishes to communicate with Y, node X first broadcasts an ARP request for node Y's hardware address
• The ARP request contains X's IP and hardware addresses, and Y's IP address
• When Y receives the ARP request, it places an entry for X in its ARP cache (which is used to map quickly from IP address to hardware address), then responds directly to X with an ARP response containing Y's hardware address
• When node X receives Y's ARP response, it places an entry for Y in its ARP cache
• Once an ARP cache entry exists at X for Y, node X is able to send packets directly to Y without using ARP
[Figure: Illustration of ARP Request and ARP Reply Messages]
ARP Caching
• Because sending an ARP request/reply for every IP datagram would be inefficient, hosts maintain a cache (the ARP cache) of current entries (IP-to-MAC address mappings)
• The ARP cache takes the form of a table containing the MAC and IP address mappings of all the computers/network devices that this host has already communicated with
• Each device on the network manages its own ARP cache table
• The system uses this information when initiating a conversation with another system
• If the destination MAC address is not in the cache table, the source system uses ARP to determine the MAC address of the destination system
Types of ARP Cache
• There are two different ways that entries can be put into the ARP cache:
– Static ARP Cache:
• These are hardware/IP address pairs that are manually added to the cache table of a device and are kept in the cache on a permanent basis
– Dynamic ARP Cache:
• These are hardware/IP address pairs that are added to the cache table automatically as a result of successfully completed past ARP resolutions
• A dynamic ARP entry (an IP address linked to an Ethernet MAC address) is kept in the cache for some period of time, as long as it is being used
[Figure: ARP Cache Table]
Vulnerabilities of ARP
• A major flaw in ARP is its lack of authentication. Because ARP does not authenticate requests or replies, ARP Requests and Replies can be forged
• ARP is stateless: systems update their cache when receiving an ARP reply, regardless of whether they have actually sent an ARP request or not
• According to the ARP protocol specification, a node receiving an ARP packet (Request or Reply) must update its ARP cache with the information it contains
Exploitation of Vulnerabilities in ARP
• The goal of an ARP attack is to associate the attacker's MAC address with the IP address of a target host, so that any traffic meant for the target host is sent to the attacker instead
• A forged ARP Request or Reply is used to update the ARP cache of a system with the forged entry (ARP cache poisoning)
• The attacker could then choose to:
– Inspect the packets and then forward the traffic to the actual destination (interception)
– Modify the data before forwarding it (man-in-the-middle attack)
– Launch a Denial-of-Service attack by causing some or all of the packets on the network to be dropped
ARP Cache Poisoning
• “ARP cache poisoning is the act of introducing a spurious IP-to-Ethernet address mapping in another host’s ARP cache by a malicious host on the LAN”
• The result of ARP cache poisoning is that the IP traffic intended for one host is diverted to a different host
• When a malicious host uses another host’s IP address and sends out a broadcast request, the genuine host caches the new IP-to-Ethernet address mapping, thus causing ARP cache poisoning
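How a network sensor can catch the poisoning described above, as an added example that is not part of the original slides: it parses raw ARP payloads and flags replies that arrive without a preceding request (ARP is stateless) or that contradict an already-known binding. The MAC/IP addresses and the static gateway binding are constructed for the demonstration.

```python
"""Detect ARP cache poisoning attempts from a stream of ARP packets.

Added example (not from the original slides). It parses the 28-byte ARP
payload that follows the Ethernet header and applies two checks a NIDS can
make because the protocol itself cannot:
  1. a reply for an IP whose MAC differs from the binding seen before, and
  2. a reply for which no request was observed (unsolicited / gratuitous).
All addresses below are constructed sample values.
"""
import struct
from collections import namedtuple

ARP_REQUEST, ARP_REPLY = 1, 2
_ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, smac, sip, tmac, tip

ArpPacket = namedtuple("ArpPacket", "opcode sender_mac sender_ip target_mac target_ip")


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(payload: bytes) -> ArpPacket:
    """Decode an Ethernet/IPv4 ARP payload into its addressing fields."""
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(_ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(op, _mac_str(smac), _ip_str(sip), _mac_str(tmac), _ip_str(tip))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct a test ARP payload (used only to create sample traffic here)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(_ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))


class ArpPoisonDetector:
    """Track IP-to-MAC bindings and outstanding requests; return alert strings."""

    def __init__(self, static_bindings=None):
        # Static entries (e.g. the default gateway) are trusted and never overwritten.
        self.static = dict(static_bindings or {})
        self.learned = {}      # ip -> mac learned from observed replies
        self.pending = set()   # IPs for which a request was seen but no reply yet

    def observe(self, pkt: ArpPacket):
        alerts = []
        if pkt.opcode == ARP_REQUEST:
            self.pending.add(pkt.target_ip)
            return alerts
        if pkt.opcode != ARP_REPLY:
            return alerts
        ip, mac = pkt.sender_ip, pkt.sender_mac
        if ip not in self.pending:
            alerts.append(f"unsolicited ARP reply: {ip} is-at {mac}")
        self.pending.discard(ip)
        if ip in self.static and self.static[ip] != mac:
            alerts.append(f"static binding violated: {ip} is {self.static[ip]}, reply claims {mac}")
        elif ip in self.learned and self.learned[ip] != mac:
            alerts.append(f"binding changed: {ip} was {self.learned[ip]}, now {mac}")
        self.learned[ip] = mac
        return alerts


def run_demo():
    """Replay constructed traffic: a normal exchange followed by a poisoning reply."""
    gw_mac, host_mac, rogue_mac = "00:0f:b5:45:96:a4", "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    traffic = [
        build_arp(ARP_REQUEST, host_mac, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
        build_arp(ARP_REPLY, gw_mac, "192.168.1.1", host_mac, "192.168.1.10"),
        # Malicious host claims the gateway's IP although nobody asked for it
        build_arp(ARP_REPLY, rogue_mac, "192.168.1.1", host_mac, "192.168.1.10"),
    ]
    det = ArpPoisonDetector(static_bindings={"192.168.1.1": gw_mac})
    return [det.observe(parse_arp(p)) for p in traffic]


if __name__ == "__main__":
    for i, alerts in enumerate(run_demo(), 1):
        print(f"packet {i}: {alerts or 'ok'}")
```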
[Figure: Poisoned ARP Cache]
Man-In-The-Middle Attacks
• One of the most prevalent network attacks used against individuals and large organizations is the "man-in-the-middle attack" (MITM attack)
• A MITM attack is one in which the attacker intrudes into the communication channel between the endpoints on a network to inject false information, modify information or intercept the data transfer going on between the two parties
• MITM attacks are mainly intended for eavesdropping on sensitive and valuable information
Man-In-The-Middle Attacks
• The attacker tries to come in between the network endpoints and proxy all the communication among them
• Once this succeeds, further attacks that may be launched include:
– Sniffing the passing packets
– Hijacking already authenticated sessions
– Injecting packets or commands to the server
– Sending forged responses to the victim client
• The end result is that the attacking host can not only intercept sensitive data but can also inject into and manipulate the data stream to gain further control over its victims
MITM Attack Objectives
• To gain access to the client's messages and modify them before finally transmitting them to the server end
• Other objectives of MITM can be to:
– Mislead the communicators at the client or server end, to intercept relevant information (e.g., identity, address, password, or any other confidential information for malicious purposes)
– Manipulate data/transactions
[Figure: Man-In-The-Middle Attacks]
Internet Protocol (IP)
• Internet Protocol (IP) is responsible for the transmission of packets between network end points
• IP fragmentation is the process of breaking up a single IP datagram into multiple packets of smaller size
• Every network has a largest size of IP datagram that can be transmitted, called the Maximum Transmission Unit (MTU)
• IP includes support for fragmentation of larger packets into smaller packets when the original packet is too large, as well as reassembly of the smaller packets to reconstitute the original datagram
[Figure: IP Fragmentation and Reassembly]
IP Fragmentation and Reassembly
• IP datagrams are encapsulated in data link frames, and larger IP datagrams are forced to be split into packets of smaller size
• Three fields in the IP header are used to implement fragmentation and reassembly – the "Identification", "Flags" and "Fragment Offset" fields
[Figure: IP Header]
Fields in IP Header for Fragmentation and Reassembly
• Identification (16 bits)
– The "Identification" field identifies the fragments of a particular datagram
– The source system sets this field to a value that must be unique for that source-destination pair and protocol for the lifetime of the datagram on the internet
• Flags (3 bits)
– This field indicates whether the datagram is part of a fragmented datagram or not
[Figure: Fields in IP Header for Fragmentation and Reassembly]
Fields in IP Header for Fragmentation and Reassembly
• Fragment Offset (13 bits)
– The fragment offset specifies the fragment's position within the original datagram, measured in 8-byte units
– Every fragment except the last must contain a multiple of 8 bytes of data
– The last fragment tells the receiving station to start reassembling the data if all fragments have been received
• The receiver reassembles the data from fragments with the same identification field
IP Attacks
• IP fragment overlap (Teardrop Attack)
– A teardrop attack is a denial of service (DoS) attack conducted by targeting IP fragmentation and reassembly
– The attack occurs when two fragments within the same IP datagram have offsets that indicate that they overlap each other
– This attack causes fragmented packets to overlap one another on receipt at the host
– The host attempts to reconstruct the original datagram but fails, resulting in a DoS
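The three header fields from the previous slides, applied by a reassembler that refuses overlapping fragments instead of failing on them, as an added example that is not part of the original slides. The IPv4 packets are constructed here with a minimal 20-byte header and no checksum; the 8-byte offset unit and the MF flag are the standard layout.

```python
"""Check a group of IPv4 fragments for overlap before reassembling them.

Added example (not from the original slides). parse_fragment() pulls the
Identification, Flags and Fragment Offset fields out of a raw IPv4 header;
reassemble() then rejects any fragment whose offset falls inside data
already covered, which is exactly the condition a teardrop attack creates.
The sample fragments are constructed below (20-byte header, checksum left 0).
"""
import struct

MF = 0x1   # "More Fragments" flag bit (lowest of the 3 flag bits)


def parse_fragment(packet: bytes):
    """Return (ident, more_fragments, offset_bytes, payload) from an IPv4 packet."""
    ver_ihl, _tos, total_len, ident, flags_off = struct.unpack("!BBHHH", packet[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    flags = flags_off >> 13                 # top 3 bits
    offset = (flags_off & 0x1FFF) * 8       # 13-bit offset counted in 8-byte units
    return ident, bool(flags & MF), offset, packet[ihl:total_len]


def build_fragment(ident: int, more: bool, offset_bytes: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 fragment for testing (TTL 64, protocol UDP)."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_off = ((MF if more else 0) << 13) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                         64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def reassemble(fragments):
    """Reassemble fragments that share one Identification; raise on overlap or gaps.

    All fragments are assumed to be present (a real stack would hold partial
    datagrams in a timed buffer). Returns the reconstituted payload.
    """
    parsed = sorted((parse_fragment(f) for f in fragments), key=lambda p: p[2])
    idents = {p[0] for p in parsed}
    if len(idents) != 1:
        raise ValueError(f"fragments belong to different datagrams: {idents}")
    expected_offset = 0
    data = bytearray()
    for i, (_, more, offset, payload) in enumerate(parsed):
        if offset < expected_offset:
            raise ValueError(f"overlapping fragment at offset {offset} "
                             f"(previous fragment ended at {expected_offset})")
        if offset > expected_offset:
            raise ValueError(f"gap before offset {offset}")
        is_last = i == len(parsed) - 1
        if more and is_last:
            raise ValueError("last fragment still has MF set; datagram incomplete")
        if not more and not is_last:
            raise ValueError("MF clear on a fragment that is not the last one")
        if more and len(payload) % 8:
            raise ValueError("non-final fragment length is not a multiple of 8")
        data += payload
        expected_offset = offset + len(payload)
    return bytes(data)


def demo_benign():
    """Three well-formed fragments: offsets 0, 16, 24 with MF set on all but the last."""
    frags = [build_fragment(0x1234, True, 0, b"A" * 16),
             build_fragment(0x1234, True, 16, b"B" * 8),
             build_fragment(0x1234, False, 24, b"C" * 5)]
    return reassemble(frags)


def demo_teardrop():
    """Second fragment claims offset 8 although the first already covers bytes 0-15."""
    frags = [build_fragment(0x4242, True, 0, b"A" * 16),
             build_fragment(0x4242, False, 8, b"B" * 20)]
    try:
        reassemble(frags)
    except ValueError as err:
        return str(err)
    return "no overlap detected"


if __name__ == "__main__":
    print("benign:", demo_benign())
    print("teardrop:", demo_teardrop())
```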
[Figure: IP Attacks – Teardrop Attack]
IP Attacks
• IP Spoofing
– In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system
– Any host can send packets pretending to be from any IP address
– The attacker is fooling (spoofing) the distant computer into believing that they are a legitimate member of the network
– The goal of the attack is to establish a connection that will allow the attacker to gain root access to the host, allowing the creation of a backdoor entry path into the target system
IP Attacks
• IP Spoofing – DoS
– Denial of Service (DoS) attacks are aimed at preventing clients from accessing a service
– IP spoofing can be used to create DoS attacks
– The attacker spoofs a large number of requests from various IP addresses to fill a service's queue
– With the service queue filled, legitimate users cannot use the service
[Figure: IP Spoofing – DoS Attack. A flood of service requests from the attacker, carrying fake source IPs, reaches the server across the Internet; with the server queue full, the service requests of legitimate users get dropped]
Internet Control Message Protocol (ICMP)
• Internet Control Message Protocol (ICMP) is one of the core protocols, used for reporting network error conditions such as a requested service not being available or a host or router not being reachable
• ICMP is heavily used by routers, as well as by clients and servers (network endpoints), to determine network errors and availability, as well as performance statistics, through various types of ICMP packets
• There are no validation checks on received ICMP error messages, which leads to a variety of attacks
• ICMP attacks can result in a DoS, allow the attacker to intercept packets, or redirect network traffic towards external hosts on a path of his/her choice
ICMP Message Format
• Each ICMP message contains three fields that define its purpose and provide a checksum (4 bytes in total)
• They are the TYPE, CODE, and CHECKSUM fields
– The TYPE field identifies the type of ICMP message
– The CODE field provides further information about the associated TYPE field
– The CHECKSUM provides a method for determining the integrity of the message
ICMP Sweep
• One of the most common techniques for discovering the range of hosts which are alive in the target's environment is to perform an ICMP sweep of the entire target network range
• An ICMP sweep involves sending a series of ICMP request packets to the target network range and, from the list of ICMP replies, inferring which hosts are alive and connected to the target's network for further probing
• An attacker can then direct a more focused attack toward live hosts only
• This can be implemented with a very simple command such as ping or traceroute, or by using automated scanning tools
Types of ICMP Attacks
• ICMP Packet Magnification/ICMP Smurf
• Ping of Death
• ICMP PING Flood Attack
• ICMP Redirect Attack
ICMP Packet Magnification/ICMP Smurf Attack
• The Smurf attack is a DoS attack in which large amounts of ICMP echo request packets are broadcast to an intermediary computer network
• The packets carry the target system's (victim's) spoofed source IP address and are broadcast to the intermediary network using an IP broadcast address
• This causes all the systems on those networks to send ICMP echo replies to the victim, consuming the target system's available bandwidth and creating a DoS for legitimate traffic
• The three parties involved in this type of DoS attack are the following:
– Hacker (instigator of the attack)
– Intermediary network used to amplify the attack (amplifier)
– Victim (target of the attack)
ICMP Packet Magnification/ICMP Smurf Attack
• The attack usually works in the following simple steps:
– The hacker identifies a victim IP address
– The hacker identifies an intermediary site that will amplify the attack
– The hacker sends a large amount of ICMP traffic (ICMP Echo Request packets) to the broadcast address of the intermediary site
– These packets have the source IP address spoofed to point to the victim
– All the hosts which are alive on the LAN each pick up a copy of the ICMP Echo Request datagram and send an ICMP Echo Reply datagram back to what they think is the source
– If many hosts are alive on the LAN, the amplification factor can be considerably high
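What the victim's edge sensor sees during the steps above, as an added example that is not part of the original slides: Echo Replies arriving for requests the victim never sent, from many distinct hosts at once. The block builds and verifies the TYPE/CODE/CHECKSUM header from the message-format slide; the addresses and timings are constructed.

```python
"""Spot ICMP smurf amplification from a packet stream at the victim's edge.

Added example (not from the original slides). A smurf victim receives a flood
of Echo Replies it never asked for, from many different hosts. The detector
tracks outstanding Echo Requests by (host, identifier, sequence) and alerts
when unsolicited replies from many distinct sources arrive within a window.
Packet records are constructed; the checksum follows RFC 1071 (one's-
complement sum of 16-bit words).
"""
import struct
from collections import defaultdict, deque

ECHO_REPLY, ECHO_REQUEST = 0, 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum; a message carrying a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Construct an Echo message: TYPE, CODE=0, CHECKSUM, identifier, sequence."""
    unchecked = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    csum = icmp_checksum(unchecked)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(msg: bytes):
    """Return (type, code, ident, seq) after verifying the CHECKSUM field."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        raise ValueError("truncated ICMP message or bad checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, code, ident, seq


class SmurfDetector:
    """Flag bursts of unsolicited Echo Replies from many distinct sources."""

    def __init__(self, window_s=1.0, min_sources=10):
        self.window_s = window_s
        self.min_sources = min_sources
        self.outstanding = set()               # (our_host, ident, seq) requests we sent
        self.unsolicited = defaultdict(deque)  # victim -> deque of (ts, reply_src)

    def observe(self, ts: float, src: str, dst: str, msg: bytes):
        icmp_type, _code, ident, seq = parse_echo(msg)
        if icmp_type == ECHO_REQUEST:
            # A request leaving host `src` legitimises one reply with the same id/seq.
            self.outstanding.add((src, ident, seq))
            return None
        if icmp_type != ECHO_REPLY:
            return None
        key = (dst, ident, seq)
        if key in self.outstanding:
            self.outstanding.discard(key)
            return None
        q = self.unsolicited[dst]
        q.append((ts, src))
        while q and ts - q[0][0] > self.window_s:   # slide the window
            q.popleft()
        sources = {s for _, s in q}
        if len(sources) >= self.min_sources:
            return (f"possible smurf against {dst}: {len(q)} unsolicited echo replies "
                    f"from {len(sources)} hosts within {self.window_s}s")
        return None


def run_demo():
    """Constructed traffic: one legitimate ping, then 20 amplifier hosts answering."""
    det = SmurfDetector(window_s=1.0, min_sources=5)
    victim, amplifier_net = "203.0.113.7", "198.51.100."
    events = [
        det.observe(0.0, victim, "198.51.100.1", build_echo(ECHO_REQUEST, 0x1000, 1)),
        det.observe(0.1, "198.51.100.1", victim, build_echo(ECHO_REPLY, 0x1000, 1)),
    ]
    for i in range(20):   # replies to a spoofed broadcast request the victim never sent
        events.append(det.observe(0.5 + i * 0.01, f"{amplifier_net}{10 + i}", victim,
                                  build_echo(ECHO_REPLY, 0xBEEF, 7)))
    return events


if __name__ == "__main__":
    for ev in run_demo():
        if ev:
            print(ev)
```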
[Figure: ICMP Smurf Attack]
Ping of Death
• An attacker sends an ICMP echo request packet that is larger than the maximum IP packet size allowed by the IP protocol
• Since the ICMP echo request packet is larger than the allowed IP packet size, it is fragmented
• The target can't reassemble the packets, so the OS crashes or reboots
• Ping of death attacks are dangerous because the identity of the attacker sending the oversized packet can easily be spoofed, and the attacker does not need to know anything about the machine being attacked except its IP address
ICMP PING Flood Attack
• A ping flood is a simple denial-of-service attack where the attacker overwhelms the victim/target system with ICMP Echo Request (ping) packets so that it can't respond to legitimate traffic
• This is most effective using the flood option of ping, which sends ICMP packets as fast as possible without waiting for replies
• ping requires the user to be privileged (super user) in order to specify the flood option
• Super users can send a hundred or more packets per second using the -f option of ping
• The attacker expects that the victim will respond with ICMP Echo Reply packets, thus consuming both outgoing and incoming bandwidth
ICMP Redirect Attack
• ICMP redirects are used by routers/gateways to specify better routing paths out of a network, or to redirect a source host to use a different gateway that may be closer to the destination
• ICMP redirects affect the way packets are routed to destinations
• They are legitimately used by routers to tell a host that it is using a non-optimal route to a particular destination
• The wrong router/gateway sends the host an ICMP Redirect packet that tells the host what the correct route should be, and the host then redirects its forwarding accordingly after receiving the redirect message
ICMP Redirect Attack
• Through ICMP redirects, a host can find out which networks can be accessed from the local network and which routers are to be used for each such network
• The security problem comes from the fact that an attacker can forge ICMP redirect packets in order to redirect traffic to himself
• The attack can be launched by altering the host's routing tables and possibly subverting the security of the host by diverting traffic to flow via a path the network manager didn't intend
ICMP Redirect Attack
• ICMP redirects may also be employed for DoS attacks, where a host is sent to a route where it loses its connectivity, or is sent an ICMP Network Unreachable packet telling it that it can no longer access a particular network
• ICMP redirects may also be used to set up man-in-the-middle attacks or to amplify SMURF or FRAGGLE attacks
• Because of the security risks involved, it is recommended to deny all received ICMP redirects by disabling ICMP redirect messages on all public interfaces
[Figure: Man-in-the-Middle Attacks by ICMP Redirect (two slides)]
User Datagram Protocol (UDP)
• User Datagram Protocol (UDP) is a protocol used for transport of data across an Internet Protocol (IP) based network
• UDP does not perform handshaking as TCP does, check for errors, or even check whether the transmitted data was received, so it is referred to as an unreliable, connectionless protocol
• UDP skips the handshaking and is focused on pure transmission, thus it has lower overhead and is faster than TCP
• Primarily used for broadcasting messages over a network
UDP Datagram Format
• Source Port Number: Assigned by the local computer when it transmits data to a remote machine
• Destination Port Number: This field identifies the receiver's port
• Length: Field that specifies the length in bytes of the entire datagram – header and data
• Checksum: This field is used for error-checking of the header and data
UDP Fraggle Attack
• Similar to the ICMP Smurf attack
• A UDP fraggle attack is a type of DoS attack where an attacker sends a large amount of UDP echo traffic (UDP Echo request packets) to IP broadcast addresses, all of it having a spoofed source address
• The fraggle attack uses UDP Echo packets in the same way as ICMP Echo packets are used in the Smurf attack
• All computers reply (amplification) with UDP Echo reply packets
• Since the source IP was spoofed, the victim is overwhelmed, creating a DoS for legitimate traffic
UDP Flood Attack
• A UDP flood attack is a DoS attack using UDP
• This attack is possible when an attacker sends UDP packets to random ports on the victim system
• When the victim system receives a UDP packet it will:
– Check for the application listening at that port
– Determine that no application listens at that port
– Reply with a "Destination Unreachable" packet to the forged source address
• Ultimately, the host sends out so many packets that the system becomes flooded, and thus unreachable (DoS) for other clients
UDP Ping Pong
• The ping pong attack takes advantage of UDP services that respond whenever a packet is sent to them
• A hacker can spoof an IP packet from one of these services sent to another service, and the two services will start sending traffic at each other (ping pong effect)
• This consumes machine resources and network bandwidth
Transmission Control Protocol (TCP)
• TCP is a connection-oriented protocol used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet
• TCP is responsible for ensuring that a message is divided into packets for efficient routing through the Internet, and IP manages reassembling the packets back into the complete message at the other end
[Figure: TCP Header]
TCP Attacks
• TCP SYN Flooding
• TCP Session Hijacking
• TCP RST Attacks
• TCP Port Scanning
• TCP Sequence Prediction Attack
TCP SYN Flooding (SYN Flood Attack)
• A SYN flood is a form of DoS attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic
TCP Three-Way Handshake
• When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which runs like this:
– The client requests a connection by sending a SYN message to the server
– The server acknowledges this request by sending a SYN-ACK back to the client
– The client responds with an ACK, and the connection is established
• This is called the TCP three-way handshake
• Once the connection is established, the session remains open until one of the machines sends a RST (reset) or FIN (finish)
[Figure: Normal Connection Between a User and a Server]
TCP SYN Flooding
• An attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection
• Those SYN packets usually use spoofed IP addresses
• The victim has to keep the half-open connections in its memory for a certain amount of time, until no new connections can be made, resulting in a DoS for legitimate traffic
• If there are enough of these malicious packets, the victim quickly runs out of memory
[Figure: SYN Flood Attack. The attacker sends several SYN packets but does not send the "ACK" back to the server. The connections are half-open and consume server resources. A legitimate user tries to connect, but the server refuses to open a connection, resulting in a DoS]
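The half-open bookkeeping a sensor keeps to detect the flood shown above, as an added example that is not part of the original slides: it follows each flow through SYN, SYN-ACK and ACK, drops completed or reset flows, ages out stale ones and alerts when one server port accumulates too many half-open connections. TCP headers are constructed with a minimal 20-byte layout; the addresses, threshold and timeout are assumptions.

```python
"""Count half-open TCP connections to detect a SYN flood.

Added example (not from the original slides). Each observation is an IPv4
source, destination and raw TCP header; the tracker follows the three-way
handshake per flow and alerts when a server port holds more half-open
connections inside a timeout than the threshold allows. Traffic below is
constructed; the flag bit values are the standard TCP header layout.
"""
import struct
from collections import namedtuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
Tcp = namedtuple("Tcp", "sport dport seq ack flags")


def build_tcp(sport, dport, seq, ack, flags) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, window 65535, no checksum)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def parse_tcp(hdr: bytes) -> Tcp:
    sport, dport, seq, ack, off_res, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", hdr[:20])
    if (off_res >> 4) < 5:
        raise ValueError("bad TCP data offset")
    return Tcp(sport, dport, seq, ack, flags)


class SynFloodTracker:
    """Follow handshakes per flow and count half-open connections per server port."""

    def __init__(self, timeout_s=3.0, threshold=100):
        self.timeout_s = timeout_s
        self.threshold = threshold
        # (client_ip, client_port, server_ip, server_port) -> (state, last_seen)
        self.half_open = {}

    def observe(self, ts, src, dst, hdr):
        t = parse_tcp(hdr)
        handshake_bits = t.flags & (SYN | ACK)
        if handshake_bits == SYN:                         # client -> server: SYN
            flow, server = (src, t.sport, dst, t.dport), (dst, t.dport)
            self.half_open[flow] = ("SYN_RECEIVED", ts)
        elif handshake_bits == (SYN | ACK):               # server -> client: SYN-ACK
            flow, server = (dst, t.dport, src, t.sport), (src, t.sport)
            if flow in self.half_open:
                self.half_open[flow] = ("SYN_ACK_SENT", ts)
        else:                                             # ACK completes; RST/FIN aborts
            server = (dst, t.dport)
            self.half_open.pop((src, t.sport, dst, t.dport), None)
            self.half_open.pop((dst, t.dport, src, t.sport), None)
        self._expire(ts)
        return self._check(*server)

    def _expire(self, now):
        """Drop half-open entries the server would itself have timed out."""
        stale = [k for k, (_, seen) in self.half_open.items() if now - seen > self.timeout_s]
        for k in stale:
            del self.half_open[k]

    def _check(self, server_ip, dport):
        n = sum(1 for (_, _, s, p) in self.half_open if (s, p) == (server_ip, dport))
        if n >= self.threshold:
            return f"SYN flood suspected: {n} half-open connections to {server_ip}:{dport}"
        return None


def run_demo():
    """One completed handshake, then 60 spoofed SYNs that are never acknowledged."""
    tracker = SynFloodTracker(timeout_s=3.0, threshold=50)
    server, client = "192.0.2.10", "198.51.100.5"
    alerts = [
        tracker.observe(0.00, client, server, build_tcp(40000, 80, 1000, 0, SYN)),
        tracker.observe(0.01, server, client, build_tcp(80, 40000, 5000, 1001, SYN | ACK)),
        tracker.observe(0.02, client, server, build_tcp(40000, 80, 1001, 5001, ACK)),
    ]
    for i in range(60):
        spoofed = f"203.0.113.{i + 1}"   # constructed spoofed source addresses
        alerts.append(tracker.observe(1.0 + i * 0.001, spoofed, server,
                                      build_tcp(50000 + i, 80, i, 0, SYN)))
    return tracker, [a for a in alerts if a]


if __name__ == "__main__":
    _, alerts = run_demo()
    print(alerts[0] if alerts else "no alert")
```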
TCP Session Hijacking
• Session hijack attacks are defined as taking over an active TCP/IP communication session without anyone's permission or knowledge
• An active session between a client and a server is diverted by an intruder who pretends to be the "legitimate" client
• The intruder communicates with the server and keeps the legitimate client inactive
• When implemented successfully, attackers assume the identity of the compromised user, enjoying the same access to resources as the compromised user
Types of Session Hijacking
• There are three types of session hijacking
attacks:
– Active Session Hijack Attack
– Passive Session Hijack Attack
– Hybrid Session Hijack Attack
Active Session Hijack Attack
• The attacker takes over the client's position in the communication exchange between the client and the server by taking the client offline
Passive Session Hijack Attack
• Passive attacks keep the client online and provide the attacker the ability to monitor network traffic and potentially discover valuable data or passwords
Hybrid Session Hijack Attack
• This attack is a combination of the active and passive attacks, which allows the attacker to listen to network traffic until something of interest is found
• The attacker can then modify the attack by removing the client computer from the session (taking it offline) and assuming its identity
TCP Session Hijacking
• The most common method of session hijacking is called IP spoofing, where an attacker uses source-routed IP packets to insert commands into an active communication between two nodes on a network while disguising itself as one of the authenticated users
• This type of attack is possible because authentication is done only at the start of a TCP session
TCP RST Attacks
• A TCP reset attack is also known as "forged TCP resets" or "spoofed TCP reset packets"
• A TCP connection is a stream of packets, each containing a TCP header
• Each of these headers contains a bit known as the "reset" (RST) flag – it aborts a connection in response to an error
• In most packets this bit is set to 0 and has no effect; however, if this bit is set to 1, it tells the receiving computer to kill the TCP connection instantly
TCP RST Attacks
• It is possible for an attacker to monitor the TCP packets on a connection and then send a "forged" packet containing a TCP reset to one or both endpoints
• Every field in the TCP header must be set to a convincing forged value which indicates that it came from the genuine host, not from the intruder
• Properly formatted forged TCP resets can be a very effective way to close any active TCP connection
TCP Port Scanning
• A port scan can be defined as an attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability (a method of discovering exploitable communication channels)
• By port scanning the attacker finds which ports are available (i.e., being listened to by a service)
• A port scan consists of sending a message to each port, one at a time
TCP Port Scanning
• The kind of response received indicates whether the port is used and can therefore be probed further for weakness
• The result of a scan on a port is usually generalized into one of three categories:
– Open or Accepted: The host sent a reply indicating that a service is listening on the port
– Closed or Denied or Not Listening: The host sent a reply indicating that connections are denied to the port
– Filtered, Dropped or Blocked: There was no reply from the host
Port Scanning Techniques
• TCP SYN scan:
– Send a SYN packet (initiates a connection) and wait for a response
– A SYN-ACK indicates the port is listening, and a RST is indicative of a non-listening port
– If a SYN-ACK is received, the attacker immediately sends a RST packet to close the connection
• TCP connect() scan:
– The connect() system call can be used to open a connection to every interesting port on the target machine
– If the port is listening, connect() will succeed; otherwise the port isn't reachable
– One strong advantage of this technique is that the user doesn't need any special privileges
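The three result categories and the SYN-scan response rules, turned into detection logic over decoded flow records, as an added example that is not part of the original slides. The first function pairs each SYN probe with the reply it received (SYN-ACK: open, RST: closed, nothing: filtered); the second flags a source that probes many distinct ports on one host within a short window. The record layout, addresses and thresholds are assumptions constructed for the demonstration.

```python
"""Classify SYN-probe responses and detect a port scanner from flow records.

Added example (not from the original slides). Records are decoded TCP events
as a sensor would log them: (timestamp, src_ip, src_port, dst_ip, dst_port,
flags), with flags as a string of flag letters such as "S", "SA", "RA", "A".
Sample records below are constructed.
"""
from collections import defaultdict

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def classify_responses(records, reply_timeout=1.0):
    """Map every SYN probe to open/closed/filtered by the reply it received.

    Returns {(target_ip, target_port): outcome}.
    """
    replies = defaultdict(list)   # (src, sport, dst, dport) -> [(ts, flags)] of non-SYN packets
    for ts, src, sport, dst, dport, flags in records:
        if flags != "S":
            replies[(src, sport, dst, dport)].append((ts, flags))
    for lst in replies.values():
        lst.sort()
    results = {}
    for ts, src, sport, dst, dport, flags in sorted(records):
        if flags != "S":
            continue
        outcome = FILTERED                          # no usable reply inside the timeout
        for ts2, flags2 in replies.get((dst, dport, src, sport), []):
            if not ts < ts2 <= ts + reply_timeout:
                continue
            if flags2 == "SA":
                outcome = OPEN
            elif "R" in flags2:
                outcome = CLOSED
            else:
                continue
            break
        results[(dst, dport)] = outcome
    return results


def detect_port_scans(records, window_s=5.0, min_ports=10):
    """Alert on any source that probes >= min_ports distinct ports on one host in a window."""
    probes = defaultdict(list)   # (src, dst) -> [(ts, dport)] in time order
    for ts, src, _sport, dst, dport, flags in sorted(records):
        if flags == "S":
            probes[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), events in probes.items():
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:   # slide window start
                start += 1
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= min_ports:
            alerts.append(f"port scan: {src} probed {best} distinct ports on {dst} within {window_s}s")
    return alerts


def sample_records():
    """Constructed traffic: a SYN scan of 18 ports plus one legitimate HTTPS client."""
    scanner, target, client = "203.0.113.9", "192.0.2.10", "198.51.100.5"
    open_ports, filtered_ports = {22, 80, 443}, {135, 139, 445}
    probed = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3306, 3389, 5900, 8080]
    recs = []
    for i, port in enumerate(probed):
        t, sport = i * 0.05, 40000 + i
        recs.append((t, scanner, sport, target, port, "S"))
        if port in open_ports:
            recs.append((t + 0.002, target, port, scanner, sport, "SA"))
            recs.append((t + 0.003, scanner, sport, target, port, "R"))   # scanner tears down
        elif port not in filtered_ports:
            recs.append((t + 0.002, target, port, scanner, sport, "RA"))
        # filtered ports: no reply at all
    recs += [(10.000, client, 51000, target, 443, "S"),
             (10.002, target, 443, client, 51000, "SA"),
             (10.003, client, 51000, target, 443, "A")]
    return recs


if __name__ == "__main__":
    recs = sample_records()
    for key, outcome in sorted(classify_responses(recs).items()):
        print(key, outcome)
    print(detect_port_scans(recs))
```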
Port Scanning Techniques
• FIN Scan:
– A FIN, or "Finish", is a TCP packet used to indicate that the sending entity will no longer use the session to send or receive data
– These are called "stealth" scans because they send a single frame to a TCP port without any normal TCP handshaking
– An attacker uses a TCP FIN scan to determine if ports are closed on the target machine
– If a RST packet is received, the port is considered closed
Port Scanning Techniques
• Xmas Tree Scan:
– The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set
– This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte, much like the lights of a Christmas tree
Port Scanning Techniques
• NULL Scan:
– A null scan is accomplished by sending TCP segments with no flags set in the packet header
– An attacker uses a TCP NULL scan to determine if ports are closed on the target machine
– If a port is closed, a RST frame is returned
– The response of a null scan to an open port is "no response"
TCP Sequence Prediction Attack
• When two hosts need to transfer data using the TCP protocol, the host that initiates the connection generates a 32-bit Initial Sequence Number (ISN)
• This sequence number is included in each transmitted packet and acknowledged by the opposite host as an acknowledgement number, to inform the sending host that the transmitted data was received successfully
• A TCP sequence prediction attack is an attempt to predict the sequence number used to identify the packets in a TCP connection
TCP Sequence Prediction Attack
• The root of this security problem starts with the way the ISN is generated
• Every operating system uses its own algorithm to generate an ISN for every new connection
• The hacker tries to figure out which algorithm is used by the specific operating system to generate the ISN, which allows him to predict the future ISNs that will be generated by the source host
• If the attack is successful:
– The hacker will be able to send counterfeit packets to the receiving host which will seem to originate from the source host
– It can cause premature closure of an existing TCP connection by the injection of packets with the FIN bit set
TCP Sequence Prediction Attack
• If an attacker can find out the current sequence number being used by an existing TCP connection, it can inject a valid TCP segment into that connection
– If the attacker is within the same LAN, it can sniff the sequence number (the attacker listens to the conversation occurring between the trusted hosts, and then issues counterfeit packets using the same source IP address)
– If the attacker is not within the same LAN, it has to guess/predict the sequence number
Domain Name Service (DNS)
• Domain Name Service (DNS) is a hierarchical distributed naming system for computers, services or any resource connected to the Internet or a private network
• DNS automatically converts the names we type in our Web browser address bar to the IP addresses of the Web servers hosting those sites
• DNS translates a human readable domain name (such as example.com) into a numerical IP address that is used to route communications between nodes
• DNS implements a distributed database to store this name and address information for all public hosts on the Internet
Unrelated Data Attack
• To improve performance, DNS servers can send back more information than the client asked for, to avoid a likely follow-up DNS lookup
• In older versions of DNS servers, the validity of this extra information is not verified
• The hacker answers a query and adds to the answer anything he wants cached in the victim DNS server’s cache; in this way he can poison the cache of the remote DNS server
• The problem has been fixed in BIND (the most widely used DNS software on the Internet) by forbidding anything not related to the original request from being cached
Related Data Attack
• The process is the same as in the unrelated data attack
• The hacker has to make the “extra” information related to the original query:
– MX: mail server for a domain
– CNAME: canonical name for an alias
– NS: DNS servers for a domain
• This information is “related” to the original request, but it can point to totally different information the hacker wants cached
• The problem has also been fixed in BIND, by rejecting all “out of zone” information
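The "out of zone" rule that closed both the unrelated-data and the related-data attack is usually called a bailiwick check: a resolver caches a record only if its owner name lies inside the zone the answering server is authoritative for. The Python below is an added example, not BIND code or any code from the lecture; it implements that check and feeds it two constructed responses, one carrying an unrelated extra A record and one carrying a "related" NS record plus glue for a name outside the zone. The names (example.com, the reserved .test and .example TLDs) and the 192.0.2.x / 203.0.113.x addresses are constructed documentation values.

```python
"""Bailiwick check for DNS response records.

Added example (not from the lecture slides and not BIND's code): a resolver
caches only records whose owner name lies inside the zone the responding
server is authoritative for.  Names and addresses below are constructed
sample data (RFC 2606 reserved names, RFC 5737 documentation addresses).
"""
from typing import Dict, List, Tuple

# A resource record as (owner name, type, rdata).
Record = Tuple[str, str, str]


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are exact."""
    return name.lower().rstrip(".")


def in_bailiwick(owner: str, zone: str) -> bool:
    """True when owner equals the zone apex or is a proper subdomain of it."""
    owner, zone = normalize(owner), normalize(zone)
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone: str, records: List[Record]):
    """Split a response into records safe to cache and records to drop.

    zone: the zone the answering server is authoritative for (its bailiwick).
    """
    accepted, rejected = [], []
    for rec in records:
        (accepted if in_bailiwick(rec[0], zone) else rejected).append(rec)
    return accepted, rejected


def update_cache(cache: Dict[Tuple[str, str], List[str]], zone: str,
                 records: List[Record]) -> List[Record]:
    """Insert only in-bailiwick records; return the records that were dropped."""
    accepted, rejected = filter_response(zone, records)
    for owner, rtype, rdata in accepted:
        cache.setdefault((normalize(owner), rtype), []).append(rdata)
    return rejected


# Constructed sample: a client asked example.com's server for www.example.com.
UNRELATED_DATA_RESPONSE: List[Record] = [
    ("www.example.com.", "A", "192.0.2.80"),
    # Unrelated extra record that old resolvers would have cached blindly.
    ("www.bank.example.", "A", "203.0.113.66"),
]

RELATED_DATA_RESPONSE: List[Record] = [
    ("www.example.com.", "A", "192.0.2.80"),
    # "Related" data: an NS record for the queried zone pointing elsewhere ...
    ("example.com.", "NS", "ns1.attacker.test."),
    # ... plus glue for that name, which is what the attacker wants cached.
    # The NS record is in bailiwick and passes; the glue is not and is dropped,
    # so ns1.attacker.test would have to be looked up through the .test
    # delegation rather than taken from this answer.
    ("ns1.attacker.test.", "A", "203.0.113.66"),
]


def demo():
    """Run both constructed responses through the check; return cache and drops."""
    cache: Dict[Tuple[str, str], List[str]] = {}
    dropped = update_cache(cache, "example.com", UNRELATED_DATA_RESPONSE)
    dropped += update_cache(cache, "example.com", RELATED_DATA_RESPONSE)
    return cache, dropped


if __name__ == "__main__":
    cache, dropped = demo()
    for key, vals in cache.items():
        print("cached ", key, vals)
    for rec in dropped:
        print("dropped", rec)
```

The bailiwick check alone does not decide what to do with the in-zone NS record that still points at a foreign name; production resolvers additionally rank data by where in the response it appeared and how credible its source is (RFC 2181 section 5.4.1), which is outside the scope of this example.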
DNS Cache Poisoning
• To improve efficiency, DNS servers typically store results in a cache to speed up further lookups
• DNS spoofing is malicious cache poisoning, where forged data is placed in the cache of the domain name servers
• If the forged data gets into the cache, it affects future lookups
• One successful cache poisoning attack can therefore affect many users
DNS Spoofing
• DNS spoofing refers to answering a DNS request that was intended for another server
• The hacker “spoofs” the DNS server’s answer by replying with whatever he wants for a specific request
• For instance, the attacker tries to make the DNS lookup for www.mybank.com answer with the IP of the hacker’s computer
• The hacker tries to impersonate the DNS reply so that “Client Misdirection” occurs, but without touching the DNS cache of the impersonated DNS server
DNS ID Hacking
• It is not enough to spoof a DNS reply, as DNS uses an ID number to match queries with answers
• The hacker needs to find the ID the client is waiting for (DNS ID hacking)
• DNS ID hacking is a necessary technique for a hacker to succeed in impersonating a DNS server (it is the basis of DNS spoofing)
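The DNS Spoofing and DNS ID Hacking slides describe the attacker's side: a forged reply is only accepted if its transaction ID matches what the client is waiting for. The Python below is an added example, not from the lecture, showing the resolver side of that check and what a defender can observe from it: a stub resolver records each outstanding query's ID, source port and question, accepts a reply only when all three match, and counts unmatched replies per name as a simple spoofing indicator. It goes beyond the slides in also randomizing the source port (RFC 5452), which is what raises the guessing space from 2^16 to roughly 2^32. The Reply/StubResolver names, the seed, the threshold and the 192.0.2.x / 203.0.113.x addresses are constructed for the example; www.mybank.com is the name the slides use.

```python
"""Matching DNS replies to outstanding queries, and spotting spoof attempts.

Added example (not from the lecture slides): a stub resolver keeps each
outstanding query's transaction ID, source port and question, and accepts a
reply only when all of them match.  Unmatched replies are what a blind
spoofing attempt looks like from the resolver's side, so they are counted
per question name as a detection signal.  All "packets" are constructed
dataclass instances, not real DNS messages.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Reply:
    txid: int      # 16-bit transaction ID copied from the query
    dport: int     # UDP port the reply was addressed to (the query's source port)
    qname: str
    qtype: str
    rdata: str


@dataclass
class StubResolver:
    rng: random.Random = field(default_factory=random.Random)
    # Outstanding queries keyed by (txid, source port) -> (qname, qtype).
    pending: Dict[Tuple[int, int], Tuple[str, str]] = field(default_factory=dict)
    # Unmatched replies per question name, consumed by suspicious_names().
    mismatches: Dict[str, int] = field(default_factory=dict)
    alert_threshold: int = 5   # constructed value for the example

    def send_query(self, qname: str, qtype: str = "A") -> Tuple[int, int]:
        """Pick a random 16-bit ID and a random ephemeral source port (RFC 5452)."""
        while True:
            txid = self.rng.getrandbits(16)
            sport = self.rng.randrange(1024, 65536)
            if (txid, sport) not in self.pending:
                break
        self.pending[(txid, sport)] = (qname.lower(), qtype)
        return txid, sport

    def receive(self, reply: Reply) -> bool:
        """Accept the reply only if ID, port and question all match a pending query."""
        key = (reply.txid, reply.dport)
        expected = self.pending.get(key)
        if expected == (reply.qname.lower(), reply.qtype):
            del self.pending[key]        # first matching reply wins; later ones are noise
            return True
        name = reply.qname.lower()
        self.mismatches[name] = self.mismatches.get(name, 0) + 1
        return False

    def suspicious_names(self) -> List[str]:
        """Names that drew at least alert_threshold unmatched replies."""
        return sorted(n for n, c in self.mismatches.items() if c >= self.alert_threshold)


def demo():
    """Constructed run: one real query, six replies with wrong IDs, then the genuine one."""
    r = StubResolver(rng=random.Random(7))   # fixed seed so the run is repeatable
    txid, sport = r.send_query("www.mybank.com")
    # Constructed burst of replies whose IDs do not match the pending query.
    bogus = [Reply((txid + i) & 0xFFFF, sport, "www.mybank.com", "A", "203.0.113.9")
             for i in range(1, 7)]
    rejected = sum(not r.receive(b) for b in bogus)
    accepted = r.receive(Reply(txid, sport, "www.mybank.com", "A", "192.0.2.44"))
    return rejected, accepted, r.suspicious_names()


if __name__ == "__main__":
    print(demo())   # (6, True, ['www.mybank.com'])
```

A network IDS watching the resolver's traffic can apply the same logic from the outside: replies arriving for a name whose outstanding query carried a different ID or port, especially in bursts, are the visible trace of the ID-guessing the slides describe.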
DNS ID Hacking
12/8/2017
Hitesh Mohapatra Ph.D
NIDS
92
DNS ID Hacking

More Related Content

What's hot

Wireless Attacks
Wireless AttacksWireless Attacks
Wireless Attacks
primeteacher32
 
Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)
Alan Mark
 
What is Cryptography and Types of attacks in it
What is Cryptography and Types of attacks in itWhat is Cryptography and Types of attacks in it
What is Cryptography and Types of attacks in it
lavakumar Thatisetti
 
Information Security
Information SecurityInformation Security
Information Security
Dhilsath Fathima
 
Asymmetric Cryptography.pptx
Asymmetric Cryptography.pptxAsymmetric Cryptography.pptx
Asymmetric Cryptography.pptx
diaa46
 
CREST CCT Exam Prep Notes
CREST CCT Exam Prep NotesCREST CCT Exam Prep Notes
CREST CCT Exam Prep Notes
NathanAn
 
Information Security Lesson 2 - Attackers and Attacks - Eric Vanderburg
Information Security Lesson 2 - Attackers and Attacks - Eric VanderburgInformation Security Lesson 2 - Attackers and Attacks - Eric Vanderburg
Information Security Lesson 2 - Attackers and Attacks - Eric Vanderburg
Eric Vanderburg
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanning
Vi Tính Hoàng Nam
 
Lesson 2 - IDPS
Lesson 2 - IDPSLesson 2 - IDPS
IPv6
IPv6IPv6
Packet sniffing
Packet sniffingPacket sniffing
Packet sniffing
Shyama Bhuvanendran
 
System hacking
System hackingSystem hacking
System hacking
CAS
 
Ipsec
IpsecIpsec
Asset Management KPIs and KRIs
Asset Management KPIs and KRIsAsset Management KPIs and KRIs
Asset Management KPIs and KRIs
Bim Akinfenwa
 
Ceh v5 module 02 footprinting
Ceh v5 module 02 footprintingCeh v5 module 02 footprinting
Ceh v5 module 02 footprinting
Vi Tính Hoàng Nam
 
Subnetting
SubnettingSubnetting
Subnetting
Gichelle Amon
 
Cloud security
Cloud securityCloud security
Cloud security
Niharika Varshney
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
Classless inter domain routing
Classless inter domain routingClassless inter domain routing
Classless inter domain routing
Vikash Gangwar
 
Packet Sniffer
Packet Sniffer Packet Sniffer
Packet Sniffer
vilss
 

What's hot (20)

Wireless Attacks
Wireless AttacksWireless Attacks
Wireless Attacks
 
Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)Cisco Networking (Routing and Switching)
Cisco Networking (Routing and Switching)
 
What is Cryptography and Types of attacks in it
What is Cryptography and Types of attacks in itWhat is Cryptography and Types of attacks in it
What is Cryptography and Types of attacks in it
 
Information Security
Information SecurityInformation Security
Information Security
 
Asymmetric Cryptography.pptx
Asymmetric Cryptography.pptxAsymmetric Cryptography.pptx
Asymmetric Cryptography.pptx
 
CREST CCT Exam Prep Notes
CREST CCT Exam Prep NotesCREST CCT Exam Prep Notes
CREST CCT Exam Prep Notes
 
Information Security Lesson 2 - Attackers and Attacks - Eric Vanderburg
Information Security Lesson 2 - Attackers and Attacks - Eric VanderburgInformation Security Lesson 2 - Attackers and Attacks - Eric Vanderburg
Information Security Lesson 2 - Attackers and Attacks - Eric Vanderburg
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanning
 
Lesson 2 - IDPS
Lesson 2 - IDPSLesson 2 - IDPS
Lesson 2 - IDPS
 
IPv6
IPv6IPv6
IPv6
 
Packet sniffing
Packet sniffingPacket sniffing
Packet sniffing
 
System hacking
System hackingSystem hacking
System hacking
 
Ipsec
IpsecIpsec
Ipsec
 
Asset Management KPIs and KRIs
Asset Management KPIs and KRIsAsset Management KPIs and KRIs
Asset Management KPIs and KRIs
 
Ceh v5 module 02 footprinting
Ceh v5 module 02 footprintingCeh v5 module 02 footprinting
Ceh v5 module 02 footprinting
 
Subnetting
SubnettingSubnetting
Subnetting
 
Cloud security
Cloud securityCloud security
Cloud security
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Classless inter domain routing
Classless inter domain routingClassless inter domain routing
Classless inter domain routing
 
Packet Sniffer
Packet Sniffer Packet Sniffer
Packet Sniffer
 

Similar to Network Intrusion Ditection System

Chapter 4 internetworking [compatibility mode]
Chapter 4   internetworking [compatibility mode]Chapter 4   internetworking [compatibility mode]
Chapter 4 internetworking [compatibility mode]
Sĩ Anh Nguyễn
 
Internet Protocols
Internet ProtocolsInternet Protocols
Internet Protocols
Ramakrishna Kongalla
 
Volume 2-issue-6-2095-2097
Volume 2-issue-6-2095-2097Volume 2-issue-6-2095-2097
Volume 2-issue-6-2095-2097
Editor IJARCET
 
Volume 2-issue-6-2095-2097
Volume 2-issue-6-2095-2097Volume 2-issue-6-2095-2097
Volume 2-issue-6-2095-2097
Editor IJARCET
 
Basic Foundation For Cybersecurity
Basic Foundation For CybersecurityBasic Foundation For Cybersecurity
Basic Foundation For Cybersecurity
Mohammed Adam
 
IP adress and routing(networking)
IP adress and routing(networking)IP adress and routing(networking)
IP adress and routing(networking)
welcometofacebook
 
Arp config-arp
Arp config-arpArp config-arp
Arp config-arp
Raafat younis
 
Internet Protocol.pdf
Internet Protocol.pdfInternet Protocol.pdf
Internet Protocol.pdf
BIT DURG
 
ch14
ch14ch14
Arp
ArpArp
Computer network coe351- part3-final
Computer network coe351- part3-finalComputer network coe351- part3-final
Computer network coe351- part3-final
Taymoor Nazmy
 
Transport Layer, Network layer.pptx
Transport Layer, Network layer.pptxTransport Layer, Network layer.pptx
Transport Layer, Network layer.pptx
MuhammadMoosaPanhwar
 
Address resolution protocol
Address resolution protocolAddress resolution protocol
Address resolution protocol
asimnawaz54
 
Nnnnnn
NnnnnnNnnnnn
Nnnnnn
nautami
 
Gohil-Network layer & Address Resolution Protocol.pptx
Gohil-Network layer & Address Resolution Protocol.pptxGohil-Network layer & Address Resolution Protocol.pptx
Gohil-Network layer & Address Resolution Protocol.pptx
Juvil2
 
Addressing
AddressingAddressing
Addressing
Pramod Ithape
 
Networking.pdf
Networking.pdfNetworking.pdf
Networking.pdf
DarshaniKarunarathne
 
Net essentials6e ch5
Net essentials6e ch5Net essentials6e ch5
Net essentials6e ch5
APSU
 
IP Address & Subneting.pdf
IP Address & Subneting.pdfIP Address & Subneting.pdf
IP Address & Subneting.pdf
Hirdesh Sharma
 
Presentation on arp protocol
Presentation on arp protocolPresentation on arp protocol
Presentation on arp protocol
Mohd. Ahmad Siddiqi
 

Similar to Network Intrusion Ditection System (20)

Chapter 4 internetworking [compatibility mode]
Chapter 4   internetworking [compatibility mode]Chapter 4   internetworking [compatibility mode]
Chapter 4 internetworking [compatibility mode]
 
Internet Protocols
Internet ProtocolsInternet Protocols
Internet Protocols
 
Volume 2-issue-6-2095-2097
Volume 2-issue-6-2095-2097Volume 2-issue-6-2095-2097
Volume 2-issue-6-2095-2097
 
Volume 2-issue-6-2095-2097
Volume 2-issue-6-2095-2097Volume 2-issue-6-2095-2097
Volume 2-issue-6-2095-2097
 
Basic Foundation For Cybersecurity
Basic Foundation For CybersecurityBasic Foundation For Cybersecurity
Basic Foundation For Cybersecurity
 
IP adress and routing(networking)
IP adress and routing(networking)IP adress and routing(networking)
IP adress and routing(networking)
 
Arp config-arp
Arp config-arpArp config-arp
Arp config-arp
 
Internet Protocol.pdf
Internet Protocol.pdfInternet Protocol.pdf
Internet Protocol.pdf
 
ch14
ch14ch14
ch14
 
Arp
ArpArp
Arp
 
Computer network coe351- part3-final
Computer network coe351- part3-finalComputer network coe351- part3-final
Computer network coe351- part3-final
 
Transport Layer, Network layer.pptx
Transport Layer, Network layer.pptxTransport Layer, Network layer.pptx
Transport Layer, Network layer.pptx
 
Address resolution protocol
Address resolution protocolAddress resolution protocol
Address resolution protocol
 
Nnnnnn
NnnnnnNnnnnn
Nnnnnn
 
Gohil-Network layer & Address Resolution Protocol.pptx
Gohil-Network layer & Address Resolution Protocol.pptxGohil-Network layer & Address Resolution Protocol.pptx
Gohil-Network layer & Address Resolution Protocol.pptx
 
Addressing
AddressingAddressing
Addressing
 
Networking.pdf
Networking.pdfNetworking.pdf
Networking.pdf
 
Net essentials6e ch5
Net essentials6e ch5Net essentials6e ch5
Net essentials6e ch5
 
IP Address & Subneting.pdf
IP Address & Subneting.pdfIP Address & Subneting.pdf
IP Address & Subneting.pdf
 
Presentation on arp protocol
Presentation on arp protocolPresentation on arp protocol
Presentation on arp protocol
 

More from Hitesh Mohapatra

Generative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of contentGenerative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of content
Hitesh Mohapatra
 
Virtualization: A Key to Efficient Cloud Computing
Virtualization: A Key to Efficient Cloud ComputingVirtualization: A Key to Efficient Cloud Computing
Virtualization: A Key to Efficient Cloud Computing
Hitesh Mohapatra
 
Automating the Cloud: A Deep Dive into Virtual Machine Provisioning
Automating the Cloud: A Deep Dive into Virtual Machine ProvisioningAutomating the Cloud: A Deep Dive into Virtual Machine Provisioning
Automating the Cloud: A Deep Dive into Virtual Machine Provisioning
Hitesh Mohapatra
 
Harnessing the Power of Google Cloud Platform: Strategies and Applications
Harnessing the Power of Google Cloud Platform: Strategies and ApplicationsHarnessing the Power of Google Cloud Platform: Strategies and Applications
Harnessing the Power of Google Cloud Platform: Strategies and Applications
Hitesh Mohapatra
 
Scheduling in Cloud Computing
Scheduling in Cloud ComputingScheduling in Cloud Computing
Scheduling in Cloud Computing
Hitesh Mohapatra
 
Cloud-Case study
Cloud-Case study Cloud-Case study
Cloud-Case study
Hitesh Mohapatra
 
RAID
RAIDRAID
Load balancing in cloud computing.pptx
Load balancing in cloud computing.pptxLoad balancing in cloud computing.pptx
Load balancing in cloud computing.pptx
Hitesh Mohapatra
 
Cluster Computing
Cluster ComputingCluster Computing
Cluster Computing
Hitesh Mohapatra
 
ITU-T requirement for cloud and cloud deployment model
ITU-T requirement for cloud and cloud deployment modelITU-T requirement for cloud and cloud deployment model
ITU-T requirement for cloud and cloud deployment model
Hitesh Mohapatra
 
Leetcode Problem Solution
Leetcode Problem SolutionLeetcode Problem Solution
Leetcode Problem Solution
Hitesh Mohapatra
 
Leetcode Problem Solution
Leetcode Problem SolutionLeetcode Problem Solution
Leetcode Problem Solution
Hitesh Mohapatra
 
Trie Data Structure
Trie Data Structure Trie Data Structure
Trie Data Structure
Hitesh Mohapatra
 
Reviewing basic concepts of relational database
Reviewing basic concepts of relational databaseReviewing basic concepts of relational database
Reviewing basic concepts of relational database
Hitesh Mohapatra
 
Reviewing SQL Concepts
Reviewing SQL ConceptsReviewing SQL Concepts
Reviewing SQL Concepts
Hitesh Mohapatra
 
Advanced database protocols
Advanced database protocolsAdvanced database protocols
Advanced database protocols
Hitesh Mohapatra
 
Measures of query cost
Measures of query costMeasures of query cost
Measures of query cost
Hitesh Mohapatra
 
Involvement of WSN in Smart Cities
Involvement of WSN in Smart CitiesInvolvement of WSN in Smart Cities
Involvement of WSN in Smart Cities
Hitesh Mohapatra
 
Data Structure and its Fundamentals
Data Structure and its FundamentalsData Structure and its Fundamentals
Data Structure and its Fundamentals
Hitesh Mohapatra
 
WORKING WITH FILE AND PIPELINE PARAMETER BINDING
WORKING WITH FILE AND PIPELINE PARAMETER BINDINGWORKING WITH FILE AND PIPELINE PARAMETER BINDING
WORKING WITH FILE AND PIPELINE PARAMETER BINDING
Hitesh Mohapatra
 

More from Hitesh Mohapatra (20)

Generative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of contentGenerative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of content
 
Virtualization: A Key to Efficient Cloud Computing
Virtualization: A Key to Efficient Cloud ComputingVirtualization: A Key to Efficient Cloud Computing
Virtualization: A Key to Efficient Cloud Computing
 
Automating the Cloud: A Deep Dive into Virtual Machine Provisioning
Automating the Cloud: A Deep Dive into Virtual Machine ProvisioningAutomating the Cloud: A Deep Dive into Virtual Machine Provisioning
Automating the Cloud: A Deep Dive into Virtual Machine Provisioning
 
Harnessing the Power of Google Cloud Platform: Strategies and Applications
Harnessing the Power of Google Cloud Platform: Strategies and ApplicationsHarnessing the Power of Google Cloud Platform: Strategies and Applications
Harnessing the Power of Google Cloud Platform: Strategies and Applications
 
Scheduling in Cloud Computing
Scheduling in Cloud ComputingScheduling in Cloud Computing
Scheduling in Cloud Computing
 
Cloud-Case study
Cloud-Case study Cloud-Case study
Cloud-Case study
 
RAID
RAIDRAID
RAID
 
Load balancing in cloud computing.pptx
Load balancing in cloud computing.pptxLoad balancing in cloud computing.pptx
Load balancing in cloud computing.pptx
 
Cluster Computing
Cluster ComputingCluster Computing
Cluster Computing
 
ITU-T requirement for cloud and cloud deployment model
ITU-T requirement for cloud and cloud deployment modelITU-T requirement for cloud and cloud deployment model
ITU-T requirement for cloud and cloud deployment model
 
Leetcode Problem Solution
Leetcode Problem SolutionLeetcode Problem Solution
Leetcode Problem Solution
 
Leetcode Problem Solution
Leetcode Problem SolutionLeetcode Problem Solution
Leetcode Problem Solution
 
Trie Data Structure
Trie Data Structure Trie Data Structure
Trie Data Structure
 
Reviewing basic concepts of relational database
Reviewing basic concepts of relational databaseReviewing basic concepts of relational database
Reviewing basic concepts of relational database
 
Reviewing SQL Concepts
Reviewing SQL ConceptsReviewing SQL Concepts
Reviewing SQL Concepts
 
Advanced database protocols
Advanced database protocolsAdvanced database protocols
Advanced database protocols
 
Measures of query cost
Measures of query costMeasures of query cost
Measures of query cost
 
Involvement of WSN in Smart Cities
Involvement of WSN in Smart CitiesInvolvement of WSN in Smart Cities
Involvement of WSN in Smart Cities
 
Data Structure and its Fundamentals
Data Structure and its FundamentalsData Structure and its Fundamentals
Data Structure and its Fundamentals
 
WORKING WITH FILE AND PIPELINE PARAMETER BINDING
WORKING WITH FILE AND PIPELINE PARAMETER BINDINGWORKING WITH FILE AND PIPELINE PARAMETER BINDING
WORKING WITH FILE AND PIPELINE PARAMETER BINDING
 

Recently uploaded

Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...
IJECEIAES
 
Computational Engineering IITH Presentation
Computational Engineering IITH PresentationComputational Engineering IITH Presentation
Computational Engineering IITH Presentation
co23btech11018
 
Manufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptxManufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptx
Madan Karki
 
学校原版美国波士顿大学毕业证学历学位证书原版一模一样
学校原版美国波士顿大学毕业证学历学位证书原版一模一样学校原版美国波士顿大学毕业证学历学位证书原版一模一样
学校原版美国波士顿大学毕业证学历学位证书原版一模一样
171ticu
 
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Sinan KOZAK
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
kandramariana6
 
22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt
KrishnaveniKrishnara1
 
CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1
PKavitha10
 
Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...
bijceesjournal
 
BRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdfBRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdf
LAXMAREDDY22
 
john krisinger-the science and history of the alcoholic beverage.pptx
john krisinger-the science and history of the alcoholic beverage.pptxjohn krisinger-the science and history of the alcoholic beverage.pptx
john krisinger-the science and history of the alcoholic beverage.pptx
Madan Karki
 
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
ydzowc
 
Engineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdfEngineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdf
abbyasa1014
 
spirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptxspirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptx
Madan Karki
 
ISPM 15 Heat Treated Wood Stamps and why your shipping must have one
ISPM 15 Heat Treated Wood Stamps and why your shipping must have oneISPM 15 Heat Treated Wood Stamps and why your shipping must have one
ISPM 15 Heat Treated Wood Stamps and why your shipping must have one
Las Vegas Warehouse
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
21UME003TUSHARDEB
 
Software Engineering and Project Management - Introduction, Modeling Concepts...
Software Engineering and Project Management - Introduction, Modeling Concepts...Software Engineering and Project Management - Introduction, Modeling Concepts...
Software Engineering and Project Management - Introduction, Modeling Concepts...
Prakhyath Rai
 
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
insn4465
 
Welding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdfWelding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdf
AjmalKhan50578
 
Introduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptxIntroduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptx
MiscAnnoy1
 

Recently uploaded (20)

Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...
 
Computational Engineering IITH Presentation
Computational Engineering IITH PresentationComputational Engineering IITH Presentation
Computational Engineering IITH Presentation
 
Manufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptxManufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptx
 
学校原版美国波士顿大学毕业证学历学位证书原版一模一样
学校原版美国波士顿大学毕业证学历学位证书原版一模一样学校原版美国波士顿大学毕业证学历学位证书原版一模一样
学校原版美国波士顿大学毕业证学历学位证书原版一模一样
 
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
 
22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt
 
CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1
 
Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...
 
BRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdfBRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdf
 
john krisinger-the science and history of the alcoholic beverage.pptx
john krisinger-the science and history of the alcoholic beverage.pptxjohn krisinger-the science and history of the alcoholic beverage.pptx
john krisinger-the science and history of the alcoholic beverage.pptx
 
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
 
Engineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdfEngineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdf
 
spirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptxspirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptx
 
ISPM 15 Heat Treated Wood Stamps and why your shipping must have one
ISPM 15 Heat Treated Wood Stamps and why your shipping must have oneISPM 15 Heat Treated Wood Stamps and why your shipping must have one
ISPM 15 Heat Treated Wood Stamps and why your shipping must have one
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
 
Software Engineering and Project Management - Introduction, Modeling Concepts...
Software Engineering and Project Management - Introduction, Modeling Concepts...Software Engineering and Project Management - Introduction, Modeling Concepts...
Software Engineering and Project Management - Introduction, Modeling Concepts...
 
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
 
Welding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdfWelding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdf
 
Introduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptxIntroduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptx
 

Network Intrusion Ditection System

  • 1. Intrusion Detection Systems Lecture #5 Internet Attacks Network Based Intrusion Detection
  • 2. Outline • ARP Attacks • IP Attacks • ICMP Attacks • UDP Attacks • TCP Attacks • DNS Attacks 12/8/2017 2 Hitesh Mohapatra Ph.D NIDS
  • 3. Address Resolution Protocol (ARP) • ARP is a protocol used by the network layer to map Internet Protocol (IP) addresses to Media Access Control (MAC)/ Physical /Ethernet hardware addresses that are used by the data link layer • When sending an IP packet, Ethernet uses the ARP to resolve IP addresses into MAC addresses • An Internet Protocol address (IP address) is a numerical label assigned to each device participating in a computer network that uses the IP for communication (32-bits) • An IP address is usually assigned by the network administrator or Internet Service Provider (ISP) either statically at the beginning or dynamically each time a connection is established to a network 12/8/2017 3 Hitesh Mohapatra Ph.D NIDS
  • 4. IP Address and MAC Address 12/8/2017 Hitesh Mohapatra Ph.D NIDS 4
  • 5. Address Resolution Protocol (ARP) • A MAC address is a permanent hexadecimal string of numbers and letters like 00-0F-B5-45-96-A4 (48-bits) • MAC addresses are most often assigned by the manufacturer of a Network Interface Card (NIC) and are stored in its hardware • Address resolution refers to the process of dynamically finding a MAC address of a computer on a network • ARP provides a dynamic mapping between the two different forms of addresses: the 32-bit IP address and the 48-bit hardware address 12/8/2017 Hitesh Mohapatra Ph.D NIDS 5
  • 6. Address Resolution Protocol (ARP) • Once the destination’s MAC address is determined, the IP Packet can be encapsulated into an Ethernet frame and transmitted to the destination host • There is a one-to-one mapping between the set of IP addresses and the set of Ethernet addresses 12/8/2017 Hitesh Mohapatra Ph.D NIDS 6
  • 7. Address Resolution Protocol (ARP) • The working of ARP is based on the following 4 types of messages: – ARP Request: The initiating device first sends an ARP request broadcast message on the local subnet – ARP Reply: • The destination host sends an ARP reply in response to the request broadcast message giving its MAC address to the source host • All the other computers ignore this request except the destination host with the given IP address – RARP Request: Known as Reverse ARP request, this requests the IP address of a known MAC address – RARP Reply: The response gives the IP address from a requested hardware address 12/8/2017 7 Hitesh Mohapatra Ph.D NIDS
Working of ARP
• To illustrate how ARP works, consider two nodes, X and Y
• If node X wishes to communicate with Y, node X first broadcasts an ARP request for node Y's hardware address
• The ARP request contains X's IP and hardware addresses, and Y's IP address
• When Y receives the ARP request, it places an entry for X in its ARP cache (which is used to map quickly from IP address to hardware address), then responds directly to X with an ARP response containing Y's hardware address
• When node X receives Y's ARP response, it places an entry for Y in its ARP cache
• Once an ARP cache entry exists at X for Y, node X is able to send packets directly to Y without using ARP

[Figure: Illustration of ARP Request and ARP Reply Messages]

ARP Caching
• Sending an ARP request/reply for each IP datagram would be inefficient, so hosts maintain a cache (the ARP cache) of current entries (IP-to-MAC address mappings)
• The ARP cache takes the form of a table containing the MAC and IP address mappings for the computers/network devices that this host has already communicated with
• Each device on the network manages its own ARP cache table
• The system uses this information when initiating a conversation with another system
• If the destination MAC address is not in the cache table, the source system uses ARP to determine the MAC address of the destination system

Types of ARP Cache
• There are two different ways that entries can be put into the ARP cache:
– Static ARP cache: hardware/IP address pairs that are manually added to the cache table for a device and are kept in the cache on a permanent basis
– Dynamic ARP cache: hardware/IP address pairs that are added to the cache table automatically as a result of successfully completed past ARP mappings
• An ARP entry (IP address linked to an Ethernet MAC) is kept in the cache for some period of time, as long as it is being used

[Figure: ARP Cache Table]

Vulnerabilities of ARP
• A major flaw in ARP is the lack of authentication: as ARP does not authenticate requests or replies, ARP requests and replies can be forged
• ARP is stateless: systems update their cache when receiving an ARP reply, regardless of whether they have actually sent an ARP request or not
• According to the ARP protocol specification, a node receiving an ARP packet (request or reply) must update its ARP cache with the information it contains

Exploitation of Vulnerabilities in ARP
• The goal of an ARP attack is to associate the attacker's MAC address with the IP address of a target host, so that any traffic meant for the target host is sent to the attacker
• A forged ARP request or reply can be used to update the ARP cache of a system with a forged entry (ARP cache poisoning)
• The attacker could then choose to:
– Inspect the packets and then forward the traffic to the actual destination (interception)
– Modify the data before forwarding it (man-in-the-middle attack)
– Launch a denial-of-service attack by causing some/all of the packets on the network to be dropped

ARP Cache Poisoning
• “ARP cache poisoning is the act of introducing a spurious IP-to-Ethernet address mapping in another host’s ARP cache by a malicious host on the LAN”
• The result of ARP cache poisoning is that IP traffic intended for one host is diverted to a different host
• When a malicious host uses another host’s IP address and sends out a broadcast request, the genuine host caches the new IP-to-Ethernet address mapping, thus causing ARP cache poisoning

[Figure: Poisoned ARP Cache]
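The following is an added example, not part of the lecture: a passive ARP monitor that flags the two symptoms of cache poisoning described above (a reply that answers no outstanding request, and an IP address suddenly claimed by a different MAC) and honours pinned static entries as the slides' mitigation. All addresses are constructed sample values.

```python
"""Passive ARP monitor illustrating the ARP weaknesses from the slides.

  1. ARP is stateless: a reply that answers no outstanding request would
     still be cached by a real host, so the monitor reports it.
  2. A spurious IP-to-Ethernet mapping shows up as an IP address moving
     from one MAC to another.
  3. A static (pinned) entry must never be overridden; a conflicting claim
     is reported and ignored.

All MAC and IP addresses in demo() are constructed sample values.
"""
from dataclasses import dataclass, field

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    op: int          # 1 = request, 2 = reply
    sender_mac: str  # hardware address of the node that sent this packet
    sender_ip: str   # IP address that sender_mac claims to own
    target_ip: str   # IP address the packet is addressed to / asks about


@dataclass
class ArpMonitor:
    # pinned IP -> MAC entries that must never change (static cache)
    static: dict = field(default_factory=dict)
    # IP -> MAC bindings learned from traffic (what a host's cache would hold)
    learned: dict = field(default_factory=dict)
    # (asker_ip, asked_about_ip) for requests that have not been answered yet
    pending: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def observe(self, pkt: ArpPacket) -> list:
        """Process one ARP packet and return the alerts it raised (possibly none)."""
        raised = []
        if pkt.op == ARP_REQUEST:
            # "who has target_ip? tell sender_ip": remember the open question
            self.pending.add((pkt.sender_ip, pkt.target_ip))
        elif pkt.op == ARP_REPLY:
            # a legitimate reply answers a request the target made about the sender
            question = (pkt.target_ip, pkt.sender_ip)
            if question in self.pending:
                self.pending.discard(question)
            else:
                raised.append(f"unsolicited reply: {pkt.sender_ip} is-at "
                              f"{pkt.sender_mac}, sent to {pkt.target_ip}")
        else:
            raised.append(f"unknown ARP opcode {pkt.op} from {pkt.sender_mac}")
            self.alerts.extend(raised)
            return raised

        # Both requests and replies carry a sender binding that a stateless
        # host would cache, so check the claimed IP -> MAC pair either way.
        pinned = self.static.get(pkt.sender_ip)
        if pinned is not None:
            if pinned != pkt.sender_mac:
                raised.append(f"static entry conflict: {pkt.sender_ip} is pinned to "
                              f"{pinned} but {pkt.sender_mac} claims it")
        else:
            known = self.learned.get(pkt.sender_ip)
            if known is not None and known != pkt.sender_mac:
                raised.append(f"binding change: {pkt.sender_ip} moved from "
                              f"{known} to {pkt.sender_mac}")
            # track the latest claim so repeated poisoning keeps showing as changes
            self.learned[pkt.sender_ip] = pkt.sender_mac

        self.alerts.extend(raised)
        return raised


def demo() -> list:
    """Replay a constructed exchange: a normal X <-> Y resolution followed by
    a third node injecting forged replies. Returns every alert raised."""
    mon = ArpMonitor(static={"10.0.0.254": "aa:bb:cc:00:00:fe"})  # pinned gateway
    frames = [
        # X asks for Y, Y answers: no alerts expected
        ArpPacket(ARP_REQUEST, "aa:bb:cc:00:00:01", "10.0.0.1", "10.0.0.2"),
        ArpPacket(ARP_REPLY,   "aa:bb:cc:00:00:02", "10.0.0.2", "10.0.0.1"),
        # forged reply "10.0.0.2 is-at <third MAC>" sent to X although nobody asked
        ArpPacket(ARP_REPLY,   "de:ad:be:ef:00:03", "10.0.0.2", "10.0.0.1"),
        # forged reply claiming the pinned gateway address
        ArpPacket(ARP_REPLY,   "de:ad:be:ef:00:03", "10.0.0.254", "10.0.0.1"),
    ]
    for frame in frames:
        mon.observe(frame)
    return mon.alerts
```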
Man-In-The-Middle Attacks
• One of the most prevalent network attacks used against individuals and large organizations is the "man-in-the-middle attack" (MITM attack)
• An MITM attack is one in which the attacker intrudes into the communication channel between the endpoints on a network to inject false information, modify information or intercept the data transfer going between the two parties
• MITM attacks are mainly intended for eavesdropping on sensitive and valuable information

Man-In-The-Middle Attacks
• The attacker tries to come in between the network endpoints and proxy all the communications between them
• Once this succeeds, further attacks that may be launched include:
– Sniffing the passing packets
– Hijacking already authenticated sessions
– Injecting packets or commands to the server
– Sending forged responses to the victim client
• The end result is that the attacking host can not only intercept sensitive data but can also inject into and manipulate the data stream to gain further control of its victims

MITM Attack Objectives
• To gain access to the client's messages and modify them before finally transmitting them to the server end
• Other objectives of MITM can be to:
– Mislead the communicators at the client or server end, in order to intercept relevant information (e.g., identity, address, password, or any other confidential information) for malicious purposes
– Manipulate data/transactions
Internet Protocol (IP)
• Internet Protocol (IP) is responsible for the transmission of packets between network end points
• IP fragmentation is the process of breaking up a single IP datagram into multiple packets of smaller size
• Every network has a largest size of IP datagram that can be transmitted, called the Maximum Transmission Unit (MTU)
• IP includes support for fragmentation of larger packets into smaller packets when the original packet is too large, as well as reassembly of the smaller packets to reconstitute the original datagram

[Figure: IP Fragmentation and Reassembly]

IP Fragmentation and Reassembly
• IP datagrams are encapsulated in data link frames, and larger IP datagrams are forced to be split into packets of smaller size
• Three fields in the IP header are used to implement fragmentation and reassembly: the "Identification", "Flags" and "Fragment Offset" fields

Fields in IP Header for Fragmentation and Reassembly
• Identification (16 bits)
– The "Identification" field uniquely identifies the fragments of a particular datagram
– The source system sets this field to a value that must be unique for that source-destination pair and protocol for the lifetime of the datagram on the internet
• Flags (3 bits)
– This field says whether the datagram is part of a fragmented data frame or not

[Figure: Fields in IP Header for Fragmentation and Reassembly]

Fields in IP Header for Fragmentation and Reassembly
• Fragment Offset (13 bits)
– The fragment offset specifies the fragment's position within the original datagram, measured in 8-byte units
– Every fragment except the last must contain a multiple of 8 bytes of data
– The last fragment tells the receiving station to start reassembling the data if all fragments have been received
• The receiver reassembles the data from fragments with the same Identification field

IP Attacks
• IP fragment overlap (Teardrop attack)
– A teardrop attack is a denial of service (DoS) attack conducted by targeting IP fragmentation and reassembly
– The attack occurs when two fragments within the same IP datagram have offsets that indicate that they overlap each other
– This attack causes fragmented packets to overlap one another on receipt at the host
– The host attempts to reconstruct the original datagram but fails, resulting in a DoS

[Figure: IP Attacks – Teardrop Attack]
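As an added example (not from the lecture), the code below decodes the three IPv4 header fields discussed above, Identification, Flags and Fragment Offset in 8-byte units, and checks a fragment set for the overlapping offsets that a teardrop attack relies on. The headers are constructed inline with no payload, and the source/destination addresses are sample values.

```python
"""Decode IPv4 fragmentation fields and check a fragment set for reassembly
anomalies (overlap, non-multiple-of-8 data in non-final fragments).

Header bytes are constructed inline; there is no payload behind them.
"""
import struct
from collections import defaultdict

IPV4_FMT = "!BBHHHBBH4s4s"      # the fixed 20-byte IPv4 header
MORE_FRAGMENTS = 0x1            # low bit of the 3-bit Flags field


def parse_ipv4_header(hdr: bytes) -> dict:
    """Return the fields relevant to reassembly from a raw IPv4 header."""
    if len(hdr) < 20:
        raise ValueError("IPv4 header must be at least 20 bytes")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack(IPV4_FMT, hdr[:20])
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes
    flags = flags_frag >> 13                   # upper 3 bits: reserved, DF, MF
    offset = (flags_frag & 0x1FFF) * 8         # lower 13 bits, in 8-byte units
    return {
        "id": ident,
        "proto": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "more_fragments": bool(flags & MORE_FRAGMENTS),
        "offset": offset,                      # position of this data in the datagram
        "data_len": total_len - ihl,           # bytes of fragment data
    }


def build_fragment(ident: int, offset_units: int, data_len: int, more: bool,
                   src: bytes = b"\x0a\x00\x00\x01",
                   dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Construct a 20-byte IPv4 header (UDP, TTL 64) describing one fragment."""
    flags_frag = ((MORE_FRAGMENTS if more else 0) << 13) | (offset_units & 0x1FFF)
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + data_len, ident,
                       flags_frag, 64, 17, 0, src, dst)


def check_fragments(headers: list) -> list:
    """Group fragments by (src, dst, id, proto), as a receiver does, and report
    anomalies. Returns human-readable findings; an empty list means clean."""
    groups = defaultdict(list)
    for h in map(parse_ipv4_header, headers):
        groups[(h["src"], h["dst"], h["id"], h["proto"])].append(h)

    findings = []
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        covered_to = 0                          # end of the data seen so far
        for f in frags:
            if f["more_fragments"] and f["data_len"] % 8:
                findings.append(f"id {key[2]}: non-final fragment at offset {f['offset']} "
                                f"carries {f['data_len']} bytes, not a multiple of 8")
            if f["offset"] < covered_to:
                findings.append(f"id {key[2]}: fragment at offset {f['offset']} overlaps "
                                f"data ending at {covered_to} (teardrop pattern)")
            covered_to = max(covered_to, f["offset"] + f["data_len"])
    return findings


def normal_datagram() -> list:
    """Constructed sample: a 3000-byte payload split for a 1500-byte MTU."""
    return [build_fragment(0x1234, 0, 1480, True),
            build_fragment(0x1234, 185, 1480, True),    # 185 * 8 = 1480
            build_fragment(0x1234, 370, 40, False)]     # 370 * 8 = 2960


def teardrop_datagram() -> list:
    """Constructed sample: the second fragment claims an offset inside the first."""
    return [build_fragment(0x4321, 0, 64, True),
            build_fragment(0x4321, 3, 64, False)]       # offset 3 * 8 = 24 < 64
```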
IP Attacks
• IP spoofing
– In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system
– Any host can send packets pretending to be from any IP address
– The attacker is fooling (spoofing) the distant computer into believing that they are a legitimate member of the network
– The goal of the attack is to establish a connection that will allow the attacker to gain root access to the host, allowing the creation of a backdoor entry path into the target system

IP Attacks
• IP spoofing – DoS
– Denial of Service (DoS) attacks are aimed at preventing clients from accessing a service
– IP spoofing can be used to create DoS attacks
– The attacker spoofs a large number of requests from various IP addresses to fill a service's queue
– With the service queue filled, legitimate users cannot use the service

[Figure: IP Spoofing – DoS Attack. Labels: Server, Attacker, Legitimate Users, Interweb, Fake IPs, Service Requests, Flood of Requests from Attacker; "Server queue full, legitimate requests get dropped"]
Internet Control Message Protocol (ICMP)
• Internet Control Message Protocol (ICMP) is one of the core protocols, used for reporting network error conditions such as a requested service not being available or a host or router not being reachable
• ICMP is heavily used by routers, as well as by clients and servers (network endpoints), to determine network errors and availability, as well as performance statistics, through various types of ICMP packets
• There are no validation checks on received ICMP error messages, which leads to a variety of attacks
• ICMP attacks can result in a DoS, allow the attacker to intercept packets, or redirect network traffic towards external hosts on a path of his/her choice

ICMP Message Format
• Each ICMP message contains three fields that define its purpose and provide a checksum (4 bytes in total)
• They are the TYPE, CODE, and CHECKSUM fields
– The TYPE field identifies the type of ICMP message
– The CODE field provides further information about the associated TYPE field
– The CHECKSUM provides a method for determining the integrity of the message

ICMP Sweep
• One of the most common techniques for discovering the range of hosts which are alive in the target’s environment is to perform an ICMP sweep of the entire target network range
• An ICMP sweep involves sending a series of ICMP request packets to the target network range and, from the list of ICMP replies, inferring which hosts are alive and connected to the target’s network for further probing
• An attacker can then direct a more focused attack toward live hosts only
• This can be implemented with a very simple command such as ping or traceroute, or by using automated scanning tools

Types of ICMP Attacks
• ICMP Packet Magnification/ICMP Smurf
• Ping of Death
• ICMP PING Flood Attack
• ICMP Redirect Attack

ICMP Packet Magnification/ICMP Smurf Attack
• The Smurf attack is a DoS attack in which large amounts of ICMP echo request packets are broadcast to an intermediary computer network
• The packets, carrying the target system's (victim's) IP address as a spoofed source address, are broadcast to the intermediary network using an IP broadcast address
• This causes all the systems on those networks to send ICMP echo replies to the victim, consuming the target system's available bandwidth and creating a DoS for legitimate traffic
• The three parties involved in this type of DoS attack are:
– Hacker (instigator of the attack)
– Intermediary network used to amplify the attack (amplifier)
– Victim (target of the attack)

ICMP Packet Magnification/ICMP Smurf Attack
• The attack usually works in the following simple steps:
– The hacker identifies a victim IP address
– The hacker identifies an intermediary site that will amplify the attack
– The hacker sends a large amount of ICMP traffic (ICMP Echo Request packets) to the broadcast address of the intermediary site
– These packets have their source IP address spoofed to point to the victim
– Every host that is alive on the LAN picks up a copy of the ICMP Echo Request datagram and sends an ICMP Echo Reply datagram back to what it thinks is the source
– If many hosts are alive on the LAN, the amplification factor can be considerably high

[Figure: ICMP Smurf Attack]

Ping of Death
• An attacker sends an ICMP echo request packet that is larger than the maximum IP packet size allowed by the IP protocol
• Since the ICMP echo request packet is larger than the allowed IP packet size, it is fragmented
• The target cannot reassemble the packets, so the OS crashes or reboots
• Ping of death attacks are dangerous because the identity of the attacker sending the oversized packet can easily be spoofed, and the attacker does not need to know anything about the machine they are attacking except for its IP address

ICMP PING Flood Attack
• A ping flood is a simple denial-of-service attack where the attacker overwhelms the victim/target system with ICMP Echo Request (ping) packets so that it cannot respond to legitimate traffic
• This is most effective when using the flood option of ping, which sends ICMP packets as fast as possible without waiting for replies
• ping requires the user to be privileged (super user) in order to specify the flood option
• Super users can send a hundred or more packets per second using the -f option of ping
• The attacker expects that the victim will respond with ICMP Echo Reply packets, thus consuming both outgoing and incoming bandwidth
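The following added example (not from the lecture) decodes the TYPE, CODE and CHECKSUM fields described in the ICMP Message Format slide, verifies the checksum, and scores a batch of messages for the three indicators discussed above: echo requests addressed to a broadcast address (Smurf amplifier), a reassembled IP datagram above 65,535 bytes (Ping of Death) and a burst of echo requests at one host (ping flood). All traffic records are constructed, and the per-batch flood threshold stands in for a per-second rate.

```python
"""ICMP header decoding, checksum verification and indicator counting.

Each event is (src_ip, dst_ip, dst_is_broadcast, ip_total_len, icmp_bytes),
where ip_total_len is the size of the full, reassembled IP datagram that
carried the message. All events in sample_events() are constructed.
"""
import struct
from collections import Counter

ECHO_REQUEST = 8
MAX_IP_DATAGRAM = 65535          # the 16-bit IP Total Length field cannot exceed this


def inet_checksum(data: bytes) -> int:
    """Ones-complement sum of 16-bit big-endian words (RFC 1071), as ICMP uses."""
    if len(data) % 2:
        data += b"\x00"                              # pad odd-length messages
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                               # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, body: bytes = b"") -> bytes:
    """Construct an ICMP message (TYPE, CODE, CHECKSUM, body) with a valid checksum."""
    unchecked = struct.pack("!BBH", icmp_type, code, 0) + body
    return struct.pack("!BBH", icmp_type, code, inet_checksum(unchecked)) + body


def parse_icmp(msg: bytes) -> dict:
    """Decode the three header fields and verify integrity: recomputing the
    checksum over a message that includes its own checksum yields 0 when intact."""
    if len(msg) < 4:
        raise ValueError("ICMP message shorter than its 4-byte header")
    icmp_type, code, checksum = struct.unpack("!BBH", msg[:4])
    return {"type": icmp_type, "code": code, "checksum": checksum,
            "valid": inet_checksum(msg) == 0}


def assess_icmp(events: list, flood_threshold: int = 100) -> dict:
    """Count the indicators from the slides over a batch of events."""
    report = Counter()
    echo_requests_per_target = Counter()
    for _src, dst, to_broadcast, ip_total_len, raw in events:
        info = parse_icmp(raw)
        if not info["valid"]:
            report["bad_checksum"] += 1              # corrupted or carelessly forged
            continue
        if info["type"] != ECHO_REQUEST:
            continue
        if to_broadcast:
            report["smurf_broadcast_echo_request"] += 1
        if ip_total_len > MAX_IP_DATAGRAM:
            report["ping_of_death_oversized"] += 1
        echo_requests_per_target[dst] += 1
    # batch-level stand-in for a per-second rate: many requests aimed at one host
    report["ping_flood_targets"] = sum(
        1 for n in echo_requests_per_target.values() if n >= flood_threshold)
    return dict(report)


def sample_events() -> list:
    """Constructed traffic: one ordinary ping, one Smurf-style request to a
    broadcast address, one oversized ping, one corrupted message, and a burst
    of 120 pings at a single host from many sources."""
    ping = build_icmp(ECHO_REQUEST, 0, b"\x12\x34\x00\x01" + b"A" * 56)
    corrupted = bytearray(ping)
    corrupted[-1] ^= 0xFF                             # flip one payload byte
    events = [
        ("10.0.0.1", "10.0.0.2", False, 84, ping),
        ("192.0.2.9", "10.0.0.255", True, 84, ping),        # broadcast target
        ("198.51.100.4", "10.0.0.2", False, 65600, ping),   # reassembled size > 65,535
        ("10.0.0.3", "10.0.0.2", False, 84, bytes(corrupted)),
    ]
    events += [("203.0.113.%d" % (i % 250 + 1), "10.0.0.50", False, 84, ping)
               for i in range(120)]
    return events
```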
ICMP Redirect Attack
• ICMP redirects are used by routers/gateways to specify better routing paths out of a network, or to redirect a source host to use a different gateway that may be closer to the destination
• ICMP redirects affect the way packets are routed to destinations
• They are legitimately used by routers to tell a host that it is using a non-optimal route to a particular destination
• The wrong router/gateway sends the host back an ICMP Redirect packet that tells the host what the correct route should be, and the host should then adjust its forwarding accordingly after receiving the redirect message

ICMP Redirect Attack
• Through ICMP redirects, a host can find out which networks can be accessed from the local network and which routers are to be used for each such network
• The security problem comes from the fact that an attacker can forge ICMP redirect packets in order to redirect traffic to himself
• The attack can be launched by altering the host's routing tables and possibly subverting the security of the host by diverting traffic to flow via a path the network manager did not intend

ICMP Redirect Attack
• ICMP redirects may also be employed for DoS attacks, where a host is sent to a route where it loses its connectivity, or is sent an ICMP Network Unreachable packet telling it that it can no longer access a particular network
• ICMP redirects may also be used to set up man-in-the-middle attacks or to amplify Smurf or Fraggle attacks
• Due to the security risks involved, it is recommended to deny all ICMP redirect requests received, by disabling ICMP redirect messages on all public interfaces

[Figure: Man-in-the-Middle Attacks by ICMP Redirect]
[Figure: Man-in-the-Middle Attacks by ICMP Redirect (continued)]
User Datagram Protocol (UDP)
• User Datagram Protocol (UDP) is a protocol used for transport of data across an Internet Protocol (IP) based network
• UDP does not perform handshaking as TCP does, check for errors, or even check whether the transmitted data was received, so it is referred to as an unreliable, connectionless protocol
• UDP skips the handshaking and is focused on pure transmission, thus it has lower overhead and is therefore faster than TCP
• Primarily used for broadcasting messages over a network

UDP Datagram Format
• Source Port Number: assigned by the local computer when it transmits data to a remote machine
• Destination Port Number: this field identifies the receiver's port
• Length: field that specifies the length in bytes of the entire datagram, header and data
• Checksum: this field is used for error-checking of the header and data

UDP Fraggle Attack
• Similar to the ICMP Smurf attack
• A UDP Fraggle attack is a type of DoS attack where an attacker sends a large amount of UDP echo traffic (UDP Echo request packets) to IP broadcast addresses, all of it having a spoofed source address
• The Fraggle attack uses UDP Echo packets in the same way as ICMP Echo packets are used in the Smurf attack
• All computers reply (amplification) with UDP Echo reply packets
• Since the source IP was spoofed, the victim is overwhelmed, creating a DoS for legitimate traffic

UDP Flood Attack
• A UDP flood attack is a DoS attack using UDP
• This attack is possible when an attacker sends a UDP packet to a random port on the victim system
• When the victim system receives a UDP packet it will:
– Check for the application listening at that port
– Determine that no application listens at that port
– Reply with a “Destination Unreachable” packet to the forged source address
• Ultimately, the host sends out so many packets that the system becomes flooded, and thus unreachable (DoS) to other clients

UDP Ping Pong
• The ping pong attack takes advantage of UDP services that respond whenever a packet is sent to them
• A hacker can spoof an IP packet from one of these services sent to another service, and the two services will start sending traffic at each other (ping pong effect)
• This consumes machine resources and network bandwidth
Transmission Control Protocol (TCP)
• TCP is a connection-oriented protocol used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet
• TCP is responsible for ensuring that a message is divided into packets for efficient routing through the Internet, and IP manages reassembling the packets back into the complete message at the other end

TCP Attacks
• TCP SYN Flooding
• TCP Session Hijacking
• TCP RST Attacks
• TCP Port Scanning
• TCP Sequence Prediction Attack

TCP SYN Flooding (SYN Flood Attack)
• A SYN flood is a form of DoS attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic

TCP Three-Way Handshake
• When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which runs like this:
– The client requests a connection by sending a SYN message to the server
– The server acknowledges this request by sending a SYN-ACK back to the client
– The client responds with an ACK, and the connection is established
• This is called the TCP three-way handshake
• Once the connection is established, the session remains open until one of the machines sends a RST (reset) or FIN (finish)

[Figure: Normal Connection Between a User and a Server]

TCP SYN Flooding
• An attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection
• Those SYN packets usually use spoofed IP addresses
• The victim has to keep the half-open connections in its memory for a certain amount of time, until no new connections can be made, resulting in a DoS for legitimate traffic
• If there are many of these malicious packets, the victim quickly runs out of memory

[Figure: SYN Flood Attack. The attacker sends several packets but does not send the "ACK" back to the server. The connections are half-open and consume server resources. A legitimate user tries to connect, but the server refuses to open a connection, resulting in a DoS]
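As an added example (not from the lecture), the tracker below models the server-side half-open queue from the handshake and SYN flood slides: a client's SYN occupies a backlog slot until its final ACK (or a RST) arrives or the entry times out, and a SYN arriving while the backlog is full is refused, which is the legitimate user's experience in the figure. Segment records, backlog size and timeout are constructed sample values.

```python
"""Half-open connection tracker modelling a server's SYN backlog.

Only client -> server segments are fed in; the server's SYN-ACK is implied.
Every address, port, backlog size and timeout in demo() is a constructed value.
"""
from dataclasses import dataclass

SYN, ACK, RST = "SYN", "ACK", "RST"


@dataclass(frozen=True)
class Segment:
    t: float        # arrival time in seconds
    src: str        # client IP address
    sport: int      # client port
    flags: str      # simplified flag string: "SYN", "ACK" or "RST"


class HalfOpenTracker:
    """Tracks connections between the client's SYN and its completing ACK."""

    def __init__(self, backlog_limit: int = 128, timeout: float = 60.0):
        self.backlog_limit = backlog_limit   # plays the role of the kernel SYN backlog
        self.timeout = timeout               # how long an unanswered SYN-ACK is retained
        self.half_open = {}                  # (client_ip, client_port) -> time of SYN
        self.syns = 0                        # SYNs seen
        self.established = 0                 # handshakes completed
        self.dropped = 0                     # SYNs refused because the backlog was full
        self.flooding = False                # currently inside a backlog-full episode
        self.alerts = []

    def _expire(self, now: float) -> None:
        """Free entries whose client never completed the handshake in time."""
        stale = [k for k, t0 in self.half_open.items() if now - t0 > self.timeout]
        for key in stale:
            del self.half_open[key]

    def feed(self, seg: Segment) -> str:
        """Apply one client->server segment and report what happened to it."""
        self._expire(seg.t)
        if self.flooding and len(self.half_open) < self.backlog_limit // 2:
            self.flooding = False            # backlog drained: the episode is over
        key = (seg.src, seg.sport)
        if seg.flags == SYN:
            self.syns += 1
            if len(self.half_open) >= self.backlog_limit:
                self.dropped += 1            # this is what a legitimate user sees
                if not self.flooding:
                    self.flooding = True
                    self.alerts.append(
                        "t=%.3f: backlog full, %d half-open, only %d of %d SYNs "
                        "completed: SYN flood pattern"
                        % (seg.t, len(self.half_open), self.established, self.syns))
                return "dropped"
            self.half_open.setdefault(key, seg.t)
            return "queued"
        if seg.flags in (ACK, RST) and key in self.half_open:
            del self.half_open[key]          # slot freed
            if seg.flags == ACK:
                self.established += 1
                return "completed"
            return "aborted"
        return "ignored"


def demo() -> HalfOpenTracker:
    """Constructed scenario: five clients complete handshakes; then 100 SYNs with
    spoofed sources arrive and never complete; a legitimate client tries during
    the flood and again after the entries have timed out."""
    trk = HalfOpenTracker(backlog_limit=64, timeout=30.0)
    for i in range(5):
        client = "10.0.0.%d" % (10 + i)
        trk.feed(Segment(1.0 + i, client, 40000 + i, SYN))
        trk.feed(Segment(1.1 + i, client, 40000 + i, ACK))    # client's final ACK
    for i in range(100):                                      # spoofed sources never answer
        trk.feed(Segment(10.0 + i / 1000, "203.0.113.%d" % (i + 1), 1024 + i, SYN))
    trk.feed(Segment(11.0, "10.0.0.99", 50000, SYN))          # legitimate SYN during the flood
    trk.feed(Segment(45.0, "10.0.0.99", 50001, SYN))          # after the timeout has passed
    return trk
```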
TCP Session Hijacking
• Session hijack attacks are defined as taking over an active TCP/IP communication session without anyone’s permission or knowledge
• An active session between a client and a server is diverted by an intruder who pretends to be the “legitimate” client
• The intruder communicates with the server and keeps the legitimate client inactive
• When implemented successfully, attackers assume the identity of the compromised user, enjoying the same access to resources as the compromised user

Types of Session Hijacking
• There are three types of session hijacking attacks:
– Active session hijack attack
– Passive session hijack attack
– Hybrid session hijack attack

Active Session Hijack Attack
• The attacker takes over the client’s position in the communication exchange between the client and the server by taking the client offline

Passive Session Hijack Attack
• Passive attacks keep the client online and provide the attacker the ability to monitor network traffic and potentially discover valuable data or passwords

Hybrid Session Hijack Attack
• This attack is a combination of the active and passive attacks, which allows the attacker to listen to network traffic until something of interest is found
• The attacker can then modify the attack by removing the client computer from the session (taking it offline) and assuming its identity

TCP Session Hijacking
• The most common method of session hijacking is called IP spoofing, where an attacker uses source-routed IP packets to insert commands into an active communication between two nodes on a network, disguising itself as one of the authenticated users
• This type of attack is possible because authentication is done only at the start of a TCP session

TCP RST Attacks
• The TCP reset attack is also known as "forged TCP resets" or "spoofed TCP reset packets"
• A TCP connection consists of a stream of packets, each containing a TCP header
• Each of these headers contains a bit known as the "reset" (RST) flag
– It aborts a connection in response to an error
• In most packets this bit is set to 0 and has no effect; however, if this bit is set to 1, it indicates to the receiving computer that it should kill the TCP connection immediately

TCP RST Attacks
• It is possible for an attacker to monitor the TCP packets on a connection, and then send a "forged" packet containing a TCP reset to one or both of the endpoints
• Every field in the TCP header must be set to a convincing forged value which indicates that it came from the genuine host, not from the intruder
• Properly formatted forged TCP resets can be a very effective way to close any active TCP connection
TCP Port Scanning
• A port scan can be defined as an attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability (a method of discovering exploitable communication channels)
• By port scanning, the attacker finds which ports are available (i.e., being listened to by a service)
• A port scan consists of sending a message to each port, one at a time

TCP Port Scanning
• The kind of response received indicates whether the port is used and can therefore be probed further for weakness
• The result of a scan on a port is usually generalized into one of three categories:
– Open or Accepted: the host sent a reply indicating that a service is listening on the port
– Closed or Denied or Not Listening: the host sent a reply indicating that connections are denied to the port
– Filtered, Dropped or Blocked: there was no reply from the host

Port Scanning Techniques
• TCP SYN scan:
– Send a SYN packet (which initiates a connection) and wait for a response
– A SYN-ACK indicates the port is listening, and a RST is indicative of a non-listening port
– If a SYN-ACK is received, the attacker immediately sends a RST packet to close the connection
• TCP connect() scan:
– The connect() system call can be used to open a connection to every interesting port on the target machine
– If the port is listening, connect() will succeed; otherwise the port isn't reachable
– One strong advantage of this technique is that the user does not need any special privileges

Port Scanning Techniques
• FIN scan:
– A FIN, or "Finish", is a TCP packet used to indicate that the sending entity will no longer use the session to send or receive data
– These are called "stealth" scans because they send a single frame to a TCP port without any normal TCP handshaking
– An attacker uses a TCP FIN scan to determine if ports are closed on the target machine
– If a RST packet is received, the port is considered closed

Port Scanning Techniques
• Xmas tree scan:
– The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set
– This is called an Xmas tree scan because of the alternating bits turned on and off in the flags byte, much like the lights of a Christmas tree

Port Scanning Techniques
• NULL scan:
– A null scan is accomplished by sending TCP segments with no flags set in the packet header
– An attacker uses a TCP NULL scan to determine if ports are closed on the target machine
– If a port is closed, a RST frame is returned
– The response of a null scan to an open port is “no response”
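The code below is an added example (not from the lecture) for the detection side of the scanning slides: it maps a raw TCP flags byte to the probe types described (SYN, FIN, Xmas tree, NULL), applies the slides' response rules to infer a port's state, and reports a source that touches many distinct ports on one host. The segment records are constructed sample traffic.

```python
"""Classify TCP probes by flag byte and detect port-scan behaviour.

Flag bit values follow the TCP header layout. Every segment in
sample_segments() is a constructed record (src_ip, dst_ip, dst_port, flags).
"""
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

PROBE_TYPES = {
    SYN: "SYN scan / connect()",     # a lone SYN also starts a normal connect()
    FIN: "FIN scan",
    URG | PSH | FIN: "Xmas tree scan",
    0: "NULL scan",
}


def classify_flags(flags: int) -> str:
    """Map a TCP flags byte to one of the probe types, or 'normal' otherwise."""
    # mask off the ECN bits (CWR/ECE) so an ECN-marked SYN still matches
    return PROBE_TYPES.get(flags & 0x3F, "normal")


def infer_port_state(probe_flags: int, response_flags) -> str:
    """Apply the response rules from the slides; response_flags is None when
    nothing came back."""
    if classify_flags(probe_flags).startswith("SYN"):
        if response_flags is None:
            return "filtered"                       # dropped or blocked
        if response_flags & SYN and response_flags & ACK:
            return "open"                           # a service is listening
        if response_flags & RST:
            return "closed"                         # connections denied
        return "unknown"
    # FIN, Xmas tree and NULL probes: only a closed port answers, with a RST
    if response_flags is not None and response_flags & RST:
        return "closed"
    return "open|filtered"                          # open ports stay silent


def detect_port_scans(segments: list, port_threshold: int = 10) -> list:
    """Report each (source, target) pair that probed at least port_threshold
    distinct ports, with a breakdown of the probe types it used."""
    ports = defaultdict(set)
    kinds = defaultdict(lambda: defaultdict(int))
    for src, dst, dport, flags in segments:
        kind = classify_flags(flags)
        if kind == "normal":
            continue                                # data segments are not probes
        ports[(src, dst)].add(dport)
        kinds[(src, dst)][kind] += 1
    findings = []
    for (src, dst), touched in ports.items():
        if len(touched) >= port_threshold:
            findings.append({"src": src, "dst": dst,
                             "distinct_ports": len(touched),
                             "probe_types": dict(kinds[(src, dst)])})
    return findings


def sample_segments() -> list:
    """Constructed traffic: an ordinary HTTPS client plus one host probing 10.0.0.5."""
    segs = [("10.0.0.20", "10.0.0.5", 443, SYN),
            ("10.0.0.20", "10.0.0.5", 443, ACK),
            ("10.0.0.20", "10.0.0.5", 443, PSH | ACK)]
    scanner = "198.51.100.7"
    segs += [(scanner, "10.0.0.5", p, SYN) for p in range(1, 13)]   # SYN scan, ports 1-12
    segs += [(scanner, "10.0.0.5", 22, FIN),                          # FIN scan
             (scanner, "10.0.0.5", 80, URG | PSH | FIN),              # Xmas tree scan
             (scanner, "10.0.0.5", 8080, 0)]                          # NULL scan
    return segs
```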
TCP Sequence Prediction Attack
• When two hosts need to transfer data using the TCP protocol, the host that initiated the connection generates a 32-bit Initial Sequence Number (ISN)
• This sequence number is included in each transmitted packet and acknowledged by the opposite host as an acknowledgement number, to inform the sending host that the transmitted data was received successfully
• A TCP sequence prediction attack is an attempt to predict the sequence number used to identify the packets in a TCP connection

TCP Sequence Prediction Attack
• The root of this security problem starts with the way the ISN is generated
• Every operating system uses its own algorithm to generate an ISN for every new connection
• The hacker tries to figure out which algorithm is used by the specific operating system to generate the ISN, which will allow him to predict future ISNs that will be generated by the source host
• If the attack is successful:
– The hacker will be able to send counterfeit packets to the receiving host which will seem to originate from the source host
– It can cause premature closure of an existing TCP connection by the injection of packets with the FIN bit set

TCP Sequence Prediction Attack
• If an attacker can find out the current sequence number that is being used by an existing TCP connection, it can inject a valid TCP segment into the existing TCP connection
– If the attacker is within the same LAN, it can sniff the sequence number (the attacker listens to the conversation occurring between the trusted hosts, and then issues counterfeit packets using the same source IP address)
– If the attacker is not within the same LAN, it has to guess/predict the sequence number
Domain Name Service (DNS)
• Domain Name Service (DNS) is a hierarchical distributed naming system for computers, services or any resource connected to the Internet or a private network
• DNS automatically converts the names we type in our Web browser address bar to the IP addresses of the Web servers hosting those sites
• DNS translates a human-readable domain name (such as example.com) into a numerical IP address that is used to route communications between nodes
• DNS implements a distributed database to store this name and address information for all public hosts on the Internet

Unrelated Data Attack
• To improve performance, DNS servers can send back more information than what the client has asked for, to avoid another likely DNS lookup
• In older versions of DNS servers, the validity of the extra information is not verified
• The hacker answers and adds to the answer anything he wants to be cached in the victim DNS server’s cache; in this way, he can poison the cache of the remote DNS server
• The problem has been fixed in BIND (the most widely used DNS software on the Internet) by forbidding anything that is not related to the original request from being cached

[Figure: Unrelated Data Attack]

Related Data Attack
• The process is the same as the unrelated data attack
• The hacker has to make the “extra” information related to the original query:
– MX: mail server for a domain
– CNAME: canonical name for an alias
– NS: DNS servers for a domain
• The above information is “related” to the original request, but it can point to totally different information the hacker wants to be cached
• The problem has also been fixed in BIND, by rejecting all “out of zone” information

DNS Cache Poisoning
• To improve efficiency, DNS servers typically store results in a cache to speed up further lookups
• DNS spoofing is malicious cache poisoning, where forged data is placed in the cache of the domain name servers
• If the forged data gets into the cache, it will affect future lookups
• One successful cache poisoning attack can therefore affect many users

[Figure: DNS Cache Poisoning]

DNS Spoofing
• DNS spoofing is a term referring to the action of answering a DNS request that was intended for another server
• The hacker “spoofs” the DNS server’s answer by answering what he wants for a specific request
• For instance, the attacker tries to make the DNS lookup for www.mybank.com answer with the IP of the hacker’s computer
• The hacker tries to impersonate the DNS reply so that “client misdirection” occurs, but without touching the DNS cache of the impersonated DNS server

DNS ID Hacking
• It is not enough to spoof a DNS reply, as DNS uses an ID number to match queries and answers
• The hacker needs to find the ID the client is waiting for (DNS ID hacking)
• DNS ID hacking is a necessary technique for a hacker to succeed in impersonating a DNS server (this is the basis of DNS spoofing)

[Figure: DNS ID Hacking]
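The following added example (not from the lecture, and not BIND's code) models the resolver-side checks behind the Unrelated/Related Data and DNS ID Hacking slides: a reply is accepted only when its transaction ID, source server and question match an outstanding query, and only records inside the queried zone are cached, so out-of-zone "extra" data is discarded. Records are simplified (owner, type, value) tuples; the names, IDs and addresses are constructed, with www.mybank.com taken from the slides.

```python
"""Resolver acceptance checks: transaction-ID matching and a bailiwick filter.

Records are (owner_name, record_type, value) tuples rather than wire format.
All transaction IDs, server addresses and record values in demo() are constructed.
"""
from dataclasses import dataclass, field


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


@dataclass
class Resolver:
    cache: dict = field(default_factory=dict)     # (owner, type) -> value
    pending: dict = field(default_factory=dict)   # txid -> (qname, qtype, server, zone)
    rejected: list = field(default_factory=list)  # reasons for every discarded reply/record

    def send_query(self, txid: int, qname: str, qtype: str, server: str, zone: str) -> None:
        """Record an outstanding query sent to server, which serves zone."""
        self.pending[txid] = (qname.lower(), qtype, server, zone)

    def receive(self, txid: int, source: str, question: tuple, records: list) -> list:
        """Validate a reply; cache and return its in-bailiwick records, or [] if rejected."""
        expected = self.pending.get(txid)
        if expected is None:
            # an attacker who does not know the ID lands here (DNS ID hacking)
            self.rejected.append(f"txid {txid:#06x}: no matching query, possible ID guess")
            return []
        qname, qtype, server, zone = expected
        if source != server:
            self.rejected.append(f"txid {txid:#06x}: reply from {source}, expected {server}")
            return []
        if (question[0].lower(), question[1]) != (qname, qtype):
            self.rejected.append(f"txid {txid:#06x}: question mismatch {question}")
            return []
        del self.pending[txid]                    # one reply per query
        accepted = []
        for owner, rtype, value in records:
            if in_bailiwick(owner, zone):
                self.cache[(owner.lower(), rtype)] = value
                accepted.append((owner, rtype, value))
            else:
                # the "extra" data of the unrelated/related data attacks is dropped here
                self.rejected.append(f"txid {txid:#06x}: out-of-zone record "
                                     f"{owner} {rtype} {value} not cached")
        return accepted


def demo() -> Resolver:
    """Constructed exchange: a lookup of www.example.com, a forged reply with a
    wrong ID arriving first, then the genuine reply padded with out-of-zone data."""
    r = Resolver()
    r.send_query(0x1A2B, "www.example.com", "A", "192.0.2.53", "example.com")
    # forged reply: right server address, right question, but the ID is a guess
    r.receive(0x1A2C, "192.0.2.53", ("www.example.com", "A"),
              [("www.example.com", "A", "198.51.100.66")])
    # genuine reply carrying an unrelated extra record for another domain
    r.receive(0x1A2B, "192.0.2.53", ("www.example.com", "A"),
              [("www.example.com", "A", "192.0.2.10"),
               ("www.mybank.com", "A", "198.51.100.66"),    # out of zone: dropped
               ("mail.example.com", "A", "192.0.2.25")])    # in zone: cached
    return r
```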