Isys20261 lecture 07

Computer Security Management (ISYS20261) Lecture 7 - Network-based Attacks (2) Module Leader: Dr Xiaoqi Ma School of Science and Technology

Transcript of Isys20261 lecture 07

Page 1: Isys20261 lecture 07

Computer Security Management (ISYS20261) Lecture 7 - Network-based Attacks (2)

Module Leader: Dr Xiaoqi Ma

School of Science and Technology

Page 2: Isys20261 lecture 07

Computer Security Management, Page 2

Last week …

• Network-based attacks

• Primary attempt to
  – forge or steal data
  – gain unauthorised access to a system
  – force system downtime

• Means
  – Sniffing data
  – Redirecting data

• Preparatory activities
  – Reconnaissance
  – Scanning

• Packet sniffing

Page 3: Isys20261 lecture 07


Today ...

• IP address spoofing

• Man-in-the-middle attack

• Denial-of-service attack (DoS)
  – SYN flooding
  – Smurf attack
  – Distributed Denial of Service attack (DDoS)

Page 4: Isys20261 lecture 07


IP address spoofing (1)

• Used to hide the identity of an attacker and to gain access by exploiting existing trust between host systems

• Takes advantage of a security weakness in the TCP/IP protocol:
  – Attacker forges the source IP address information in every IP packet with a different address
  – It appears that the packet was sent by a different computer

• Can be used for
  – Denial-of-Service attacks
  – Session hijacking
  – Man-in-the-Middle attacks

Page 5: Isys20261 lecture 07


IP address spoofing (2)

• TCP/IP protocol stack:

[Figure: two hosts, each with an Application, Transport, Network, Data Link and Physical layer. Application data is carried in a TCP segment (TCP 1 / TCP 2) at the transport layer, which is wrapped in an IP packet at the network layer, which is wrapped in an Ethernet frame at the data link layer, on both the sending and the receiving host.]

Page 6: Isys20261 lecture 07


IP address spoofing (3)

• IP address spoofing is mainly used to defeat network security, e.g.
  – firewall rules that rely on IP address-based authentication
  – IP address-based (trust-based) access control
  – etc.

• Attacker needs to know about the established trust between systems (see reconnaissance and scanning phase!)

• Difficulties with IP address spoofing:
  – any reply is sent to the forged IP address!
  – difficult to guess the sequence number
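Because a spoofed packet is only useful if the network forwards it, the standard countermeasure is source-address filtering at the network border (BCP 38 / ingress filtering): a packet arriving from the Internet must not claim one of the site's own addresses, and a packet leaving the site must carry one of the site's own addresses. The following is an added example written for this transcript, not code from the lecture; the address ranges (203.0.113.0/24 and 10.0.0.0/8 as "ours") and the `Packet` record are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example topology (not from the lecture): the organisation owns
# 203.0.113.0/24 on the outside and uses 10.0.0.0/8 internally.  Packets
# arrive on "wan" (Internet-facing) or "lan" (inside-facing) interfaces.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("10.0.0.0/8")]

# Source addresses that are never valid on a border interface in either direction.
BOGON_PREFIXES = [ipaddress.ip_network("0.0.0.0/8"),
                  ipaddress.ip_network("127.0.0.0/8"),
                  ipaddress.ip_network("169.254.0.0/16"),
                  ipaddress.ip_network("224.0.0.0/3")]   # multicast and reserved


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "wan" or "lan"
    src: str
    dst: str


def _in_any(addr, prefixes):
    return any(addr in net for net in prefixes)


def filter_packet(pkt: Packet) -> tuple:
    """Return (accept, reason) for one packet under BCP 38 style filtering.

    Ingress rule: traffic from the Internet must not claim an internal source,
    which is exactly what an attacker does to exploit address-based trust.
    Egress rule: traffic leaving us must carry one of our addresses, so our
    hosts cannot be used to spoof packets against other networks.
    """
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, BOGON_PREFIXES):
        return False, "bogon source address"
    if pkt.iface == "wan" and _in_any(src, OUR_PREFIXES):
        return False, "external packet claims an internal source (spoofed)"
    if pkt.iface == "lan" and not _in_any(src, OUR_PREFIXES):
        return False, "internal host sending with a foreign source (egress filter)"
    return True, "accepted"


def apply_filter(packets):
    """Return {packet: (accept, reason)} for a batch of packets."""
    return {pkt: filter_packet(pkt) for pkt in packets}


# Constructed sample traffic: two honest packets and three spoofing attempts.
SAMPLE = [
    Packet("wan", "198.51.100.7", "203.0.113.10"),   # normal inbound
    Packet("lan", "10.1.2.3", "198.51.100.7"),       # normal outbound
    Packet("wan", "10.1.2.3", "203.0.113.10"),       # claims a trusted inside address
    Packet("wan", "127.0.0.1", "203.0.113.10"),      # bogon
    Packet("lan", "192.0.2.44", "198.51.100.7"),     # inside host using someone else's address
]

if __name__ == "__main__":
    for pkt, (ok, why) in apply_filter(SAMPLE).items():
        verdict = "ACCEPT" if ok else "DROP  "
        print(f"{pkt.iface:3} {pkt.src:>15} -> {pkt.dst:<15} {verdict} {why}")
```

The ingress rule alone does not stop an attacker elsewhere on the Internet from spoofing some third party's address; that is why the egress rule matters too, and why the filtering has to be deployed by every network, not just the one being protected.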

Page 7: Isys20261 lecture 07


IP address spoofing (4)

• TCP uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection

• The attacker normally can't see any reply packets, hence they have to guess the sequence number in order to hijack a connection

• Poor implementation in many older operating systems means that TCP sequence numbers can be predicted

• If sequence numbers are compromised, data could be sent to the target blindly, e.g. creating a new user account using host-based authentication services

• Two different types of IP address spoofing
  – Non-blind
  – Blind

Page 8: Isys20261 lecture 07


Non-Blind Spoofing

• The attacker is on the same subnet as the victim

• Sequence and acknowledgement numbers can be observed (sniffed), so there is no need to calculate them accurately

• Biggest threat of non-blind spoofing: session hijacking
  – corrupting the data stream of an established connection
  – re-establishing it with the attack machine, based on the correct sequence and acknowledgement numbers

• Using this technique, an attacker could effectively bypass any authentication measures that were taken to establish the connection

Page 9: Isys20261 lecture 07


Blind Spoofing

• Sequence and acknowledgement numbers cannot be observed by the attacker

• In order to circumvent this, several packets are sent to the target machine in order to sample sequence numbers

• In the past: machines used basic techniques for generating sequence numbers

• It was relatively easy to discover the exact formula by studying packets and TCP sessions (sequence guessing)
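The reason sequence guessing worked, and the fix that removed it, can both be shown in a few lines. Older generators derived the initial sequence number (ISN) from the clock alone, so the ISN of a connection sampled by the attacker told them the ISN the victim would get a moment later. The defence now standardised in RFC 6528 is ISN = M + F(local address, local port, remote address, remote port, secret), where M is a clock ticking every 4 microseconds and F is a keyed hash: numbers still advance monotonically for one connection, but the offset between two different connections depends on a secret the attacker does not hold. The following is an added example for this transcript, not lecture code; the clock-only `legacy_isn` rate and the demo secret key are constructed assumptions, and the 4-tuple is hashed as a string for readability rather than in the packed binary form a real stack would use.

```python
import hashlib
import hmac
import os

TICKS_PER_SECOND = 250_000          # RFC 6528: M advances every 4 microseconds
MASK32 = 0xFFFFFFFF


def legacy_isn(now: float) -> int:
    """Clock-only scheme in the style RFC 1948 describes for old BSD stacks
    (rate constructed for this example).  The ISN depends only on the time, so
    a connection the attacker opens reveals the ISN any other connection gets."""
    return int(now * 128_000) & MASK32


class Rfc6528Isn:
    """ISN = M + F(laddr, lport, raddr, rport, secret), F = keyed hash."""

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(16)

    def offset(self, laddr, lport, raddr, rport) -> int:
        """F: 32 bits of HMAC-SHA256 over the connection 4-tuple."""
        msg = f"{laddr}:{lport}->{raddr}:{rport}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")

    def isn(self, laddr, lport, raddr, rport, now: float) -> int:
        m = int(now * TICKS_PER_SECOND) & MASK32        # the 4 us clock M
        return (m + self.offset(laddr, lport, raddr, rport)) & MASK32


def connection_offset(isn_a: int, isn_b: int) -> int:
    """Distance (mod 2^32) between the ISNs two connections received."""
    return (isn_b - isn_a) & MASK32


if __name__ == "__main__":
    t = 1_700_000_000.0                                   # constructed "now"
    gen = Rfc6528Isn(secret=b"demo-secret-key-only")    # constructed key
    # Two different remote hosts connecting to the same service at one instant:
    a = ("203.0.113.10", 25, "198.51.100.7", 40001)
    b = ("203.0.113.10", 25, "198.51.100.8", 40001)
    print("legacy  offset between a and b:", connection_offset(legacy_isn(t), legacy_isn(t)))
    print("RFC6528 offset between a and b:", connection_offset(gen.isn(*a, t), gen.isn(*b, t)))
    # The same 4-tuple one second later still moves forward by exactly 250000 ticks,
    # which keeps old segments from being confused with a new connection:
    print("same tuple, +1 s:", connection_offset(gen.isn(*a, t), gen.isn(*a, t + 1)))
```

The first printed offset is always 0: under the clock-only scheme, sampling your own connection tells you the victim's ISN. The second is a key-dependent 32-bit value that cannot be derived from any number of samples of other connections, which is what removes the "discover the exact formula" step of blind spoofing.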

Page 10: Isys20261 lecture 07


Man-in-the-middle attack (1)

• A malicious party intercepts a legitimate communication between two friendly parties

• The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient

• In this way, an attacker can fool a victim into disclosing confidential information by “spoofing” the identity of the original sender, who is presumably trusted by the recipient

Page 11: Isys20261 lecture 07


Man-in-the-middle attack (2)

• Example:

[Figure: sequence diagram. Without an attacker: Alice sends Message1 to Bob and Bob replies with Message2. With Ivan in the middle: Alice sends Message1 to Ivan, who appears to her as Bob; Ivan forwards a modified Message1' to Bob, appearing to him as Alice; Bob replies with Message2 to Ivan (as Alice); Ivan forwards a modified Message2' to Alice (as Bob).]

Page 12: Isys20261 lecture 07


Man-in-the-middle attack (3)

• The most common implementation:
  – attacker bypasses online banking security by receiving login and transaction information
  – attacker passes it on to the banking site with any required alterations
  – attacker receives data from the banking site
  – attacker sends the banking site's details back to the victim, again with minor alterations so the victim is unaware of the attack

• Man-in-the-middle techniques are particularly difficult to detect and protect against, as they usually take place on a different system from the victim and their bank

• It is also possible to bypass strong security measures such as two-factor authentication and one-time passwords using such techniques
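What defeats the alteration step of the attack in the diagram is an integrity check that Ivan cannot forge: if Alice attaches a keyed hash (a MAC) computed with a key only she and Bob hold, Bob detects Message1' because Ivan can rewrite the text but not recompute the tag. The following is an added example for this transcript, not lecture code; the shared key, the message format and Ivan's rewrite rule are constructed. Note what it does not do: a MAC protects the content, not the fact that Ivan is relaying, and the hard part in practice is establishing that key with the right party in the first place, which is the problem certificate-based protocols such as TLS exist to solve.

```python
import hashlib
import hmac

# Constructed scenario mirroring the lecture's Alice/Ivan/Bob diagram.
KEY = b"shared-secret-known-only-to-alice-and-bob"   # constructed demo key


def mac(key: bytes, message: str) -> str:
    """HMAC-SHA256 tag over the message; only holders of `key` can compute it."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def seal(key: bytes, message: str):
    """Alice: attach a tag before sending (Message1 plus its MAC)."""
    return message, mac(key, message)


def verify(key: bytes, sealed):
    """Bob: return the message if its tag checks out, otherwise None.
    compare_digest avoids leaking how many tag bytes matched."""
    message, tag = sealed
    return message if hmac.compare_digest(tag, mac(key, message)) else None


def ivan_relay(sealed):
    """Ivan: forward the message with the payee changed (Message1').
    He can edit the text but has no key to produce a matching tag."""
    message, tag = sealed
    return message.replace("payee=Carol", "payee=Ivan"), tag


def run_unprotected(message: str) -> str:
    """No integrity check: Bob acts on whatever arrives claiming to be from Alice."""
    altered, _ = ivan_relay((message, ""))
    return altered


def run_protected(key: bytes, message: str):
    """With a shared key: Bob rejects the altered message (returns None)."""
    return verify(key, ivan_relay(seal(key, message)))


if __name__ == "__main__":
    msg = "transfer amount=100 payee=Carol"
    print("unprotected, Bob executes:", run_unprotected(msg))
    print("protected, Bob accepts:   ", run_protected(KEY, msg))
    print("untampered message:       ", verify(KEY, seal(KEY, msg)))
```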

Page 13: Isys20261 lecture 07


Denial-of-Service (DoS) attack

• Attempts to prevent a piece of software, system, web server or website from functioning

• Tries to overload the system by exhausting its resources, e.g. bandwidth, memory, CPU time, etc.

• Denial-of-service attacks
  – SYN flooding
  – Smurf attack
  – Distributed Denial of Service attack (DDoS)

Page 14: Isys20261 lecture 07


SYN flooding (1)

• TCP connection set-up: three-way handshake
  – The active open is performed by the client sending a SYN to the server
  – In response, the server replies with a SYN-ACK
  – Finally the client sends an ACK back to the server

[Figure: Client → Server: SYN; Server → Client: SYN+ACK; Client → Server: ACK]

Page 15: Isys20261 lecture 07


SYN flooding (2)

• If the client never sends the final ACK, the connection is left half-open: the server keeps it pending and waits for a predefined period of time

• If the server is flooded with SYN requests that are never acknowledged, it will end up denying connection requests from legitimate users

[Figure: Client → Server: SYN; Server → Client: SYN+ACK; Client → Server: SYN; Server → Client: SYN+ACK; no ACK is ever returned, so each half-open connection stays pending on the server]
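The flood works because the server commits memory to every half-open connection before the client has proven anything. SYN cookies remove that commitment: instead of storing state after the SYN, the server makes its initial sequence number a keyed hash of the client address, port and a coarse time window, and only creates the connection when an ACK arrives carrying that value plus one, something only a client that actually received the SYN+ACK can know. The following is an added example for this transcript, not lecture code: a simplified cookie (real implementations also encode the negotiated MSS, which is omitted here as an assumption), a constructed secret and constructed client addresses.

```python
import hashlib
import hmac

MASK32 = 0xFFFFFFFF


class SynCookieServer:
    """Listener that stores nothing between SYN and ACK (SYN cookies).

    The ISN sent in the SYN+ACK is a cookie: a keyed hash of the client
    address and port, the server port and a 64-second time window.  A SYN
    that is never acknowledged costs the server no memory; a connection is
    created only when an ACK carries a cookie that verifies.
    """

    WINDOW_SECONDS = 64
    COOKIE_LIFETIME = 2          # accept the current and the previous window

    def __init__(self, secret: bytes, port: int):
        self.secret = secret
        self.port = port
        self.established = {}    # (client_ip, client_port) -> cookie
        self.half_open = 0       # never incremented: no state before the ACK

    def _cookie(self, ip, cport, window):
        msg = f"{ip}:{cport}:{self.port}:{window}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # High 8 bits: window counter; low 24 bits: keyed hash.
        return ((window & 0xFF) << 24) | int.from_bytes(digest[:3], "big")

    def on_syn(self, ip, cport, now):
        """Return the ISN for our SYN+ACK and keep no record of this client."""
        return self._cookie(ip, cport, int(now // self.WINDOW_SECONDS))

    def on_ack(self, ip, cport, ack_number, now):
        """The client's ACK must carry our ISN + 1.  True if established."""
        cookie = (ack_number - 1) & MASK32
        current = int(now // self.WINDOW_SECONDS)
        for w in range(current, current - self.COOKIE_LIFETIME, -1):
            if self._cookie(ip, cport, w) == cookie:
                self.established[(ip, cport)] = cookie
                return True
        return False


def simulate(now=1_000_000.0):
    """Flood the listener with spoofed SYNs, then complete one real handshake
    and attempt one ACK with a guessed number.
    Returns (half_open, established, real_ok, guessed_ok)."""
    server = SynCookieServer(secret=b"constructed-secret", port=80)
    for i in range(10_000):                       # spoofed SYNs, never acknowledged
        server.on_syn(f"198.51.100.{i % 250}", 1024 + i, now)
    isn = server.on_syn("203.0.113.5", 40000, now)
    real_ok = server.on_ack("203.0.113.5", 40000, (isn + 1) & MASK32, now + 0.5)
    guessed_ok = server.on_ack("203.0.113.6", 40001, 0x12345678, now + 0.5)
    return server.half_open, len(server.established), real_ok, guessed_ok


if __name__ == "__main__":
    print("half-open, established, real, guessed:", simulate())
```

After ten thousand unacknowledged SYNs the server holds zero half-open entries, the genuine client is established, and an ACK with a made-up number is rejected. The cost of the scheme is that the server cannot remember TCP options from the SYN, which is why real stacks only switch cookies on once the backlog is under pressure.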

Page 16: Isys20261 lecture 07


Smurf attack (1)

• Uses spoofed ping messages to flood a target system

• Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite

• ICMP echo is used by TCP to determine
  – whether a host is reachable
  – the time it takes for the packet to get to and from the host

Page 17: Isys20261 lecture 07


Smurf attack (2)

• Attacker sends a long stream of ping packets (ICMP echo requests) to all IP addresses within a network (the amplifier network) via a gateway/router that acts as a broadcaster

• The ping packets are spoofed with the IP address of the target system

• Each ICMP echo request message produces an echo reply message

• All hosts of the network will send their echo replies to the spoofed IP address

• The sheer number of echo reply messages brings the target host down
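From the victim's side the attack has a distinctive signature: a burst of ICMP echo replies from many different hosts that the victim never sent echo requests to. The detector below, an added example written for this transcript rather than lecture code, walks time-ordered ICMP flow records and raises an alert when a host receives unsolicited replies from at least `threshold` distinct sources within `window` seconds. The record format, addresses, window and threshold are constructed assumptions; on a real network the records would come from a flow collector or packet capture.

```python
from collections import defaultdict

# Constructed ICMP flow records (not from the lecture): (time, src, dst, kind).
# The victim 203.0.113.10 pings one host and gets one legitimate reply, then
# receives 40 replies from the 192.0.2.0/24 amplifier network it never pinged.
SAMPLE_RECORDS = [
    (0.0, "203.0.113.10", "198.51.100.1", "echo-request"),
    (0.1, "198.51.100.1", "203.0.113.10", "echo-reply"),
] + [
    (1.0 + i * 0.001, f"192.0.2.{i}", "203.0.113.10", "echo-reply")
    for i in range(1, 41)
]


def unsolicited_reply_sources(records, window=2.0, threshold=20):
    """Return {victim: set(sources)} for hosts that received echo replies from
    at least `threshold` distinct sources within `window` seconds without
    having sent those sources an echo request in that window.
    Records must be sorted by time."""
    requests = defaultdict(list)      # (requester, target) -> [request times]
    replies = defaultdict(list)       # receiver -> [(time, source)] unsolicited only
    alerts = {}
    for t, src, dst, kind in records:
        if kind == "echo-request":
            requests[(src, dst)].append(t)
        elif kind == "echo-reply":
            # A reply is solicited if the receiver recently pinged this source.
            solicited = any(t - window <= rt <= t for rt in requests[(dst, src)])
            if solicited:
                continue
            replies[dst].append((t, src))
            recent = {s for rt, s in replies[dst] if t - rt <= window}
            if len(recent) >= threshold:
                alerts[dst] = recent
    return alerts


if __name__ == "__main__":
    for victim, sources in unsolicited_reply_sources(SAMPLE_RECORDS).items():
        print(f"{victim}: unsolicited echo replies from {len(sources)} hosts, "
              f"e.g. {sorted(sources)[:3]}")
```

The matching prevention is on the amplifier side rather than the victim's: routers should not forward directed broadcasts and hosts should not answer echo requests sent to a broadcast address, so that the router in the lecture's diagram never turns one spoofed packet into one reply per host.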

Page 18: Isys20261 lecture 07


Smurf attack (3)

• Amplification:

[Figure: Attacker sends an ICMP echo (with the Server's address as source) to the Router of a broadcast-enabled amplifier network; the Router forwards the ICMP echo to Host1 and Host2; each host sends an ICMP echo reply to the Server, the spoofed source.]

Page 19: Isys20261 lecture 07


Distributed-Denial-of-Service Attacks (DDoS)

• Multiple compromised host systems (a botnet) send packets with spoofed IP source addresses to the same destination address, i.e. the target

• Malware can carry DDoS attack mechanisms

• DDoS is difficult to block since the attack is launched from many different source systems

• Difficult to trace the attacker

Page 20: Isys20261 lecture 07


Next week …

… we will continue looking at network-based attacks