NS03 - Network Attacks

Transcript of NS03 - Network Attacks

  • 7/29/2019 NS03 - Network Attacks

    NETWORK SECURITY

    03 NETWORK ATTACKS

    Contents

    3.1 Network Vulnerabilities

    3.1.1 Media-Based

    3.1.2 Network Device

    3.2 Categories of Attacks

    3.3 Methods of Network Attacks

    03NETWORKATTACKS 2

    3.1 Network Vulnerabilities

    Two broad categories of network vulnerabilities:

    those found in network transport media, and network devices.

    3.1.1 Media-Based Vulnerabilities

    Monitoring traffic can be done in two ways:

    By port mirroring on a manageable switch, which allows traffic from all or some ports to be redirected to a designated port and analyzed by a protocol analyzer (also called a sniffer).

    A second method for monitoring traffic is to install a network tap.

    Just as network taps and protocol analyzers can be used for legitimate purposes, they also can be used by attackers to intercept and view network traffic.

    By default, a switch sends packets only to the intended recipient.

    However, there are several techniques that can be used to circumvent this limitation.

    3.1.2 Network Device Vulnerabilities

    Common network device vulnerabilities include:

    weak passwords: some factors cause many network administrators to use weak passwords, or those that compromise security.

    default accounts: a default account is a user account on a device that is created automatically by the device instead of by an administrator.

    a back door: an account that is secretly set up without the administrator's knowledge or permission.

    privilege escalation: it is possible to exploit a vulnerability in the network device's software to gain access to resources.

    3.2 Categories of Attacks

    There are a number of different categories of attacks that are conducted against networks.

    These categories include denial of service, spoofing, man-in-the-middle, and replay attacks.

    3.2.1 Denial of Service (DoS)

    A DoS attack attempts to consume network resources so that the network or its devices cannot respond to legitimate requests.

    DoS attacks can take several forms:

    Overwhelm a network
    Overwhelm a server
    Bring down a server

    SYN Flood Attacks

    The earliest DoS attacks were launched from a single source computer.

    The attacker launches packets from his or her machine that compromise the victim.

    One of the earliest to appear was the SYN flood attack, which takes advantage of the TCP three-way handshake.

    The general technique of the attack is to send a flood of SYN segments to the victim with spoofed (and usually invalid) source IP addresses.

    As a result, the victim slows down and can't handle legitimate traffic in an acceptable time frame.
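
The half-open connections that a SYN flood leaves behind can be counted from a packet capture taken at the victim. The following Python sketch is an added example, not part of the original slides; the event tuple layout, the 30-second timeout, the threshold of 100 and all addresses are assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict

def build_sample():
    """Constructed capture: (time_s, src, sport, dst, dport, tcp_flags)."""
    events = [  # one client completes the three-way handshake
        (0.00, "192.0.2.10", 40000, "203.0.113.5", 80, "S"),
        (0.01, "203.0.113.5", 80, "192.0.2.10", 40000, "SA"),
        (0.02, "192.0.2.10", 40000, "203.0.113.5", 80, "A"),
    ]
    for i in range(200):  # 200 SYNs whose sources never answer the SYN-ACK
        t, src = 1.0 + i * 0.005, f"198.51.100.{i + 1}"
        events.append((t, src, 1024 + i, "203.0.113.5", 80, "S"))
        events.append((t + 0.001, "203.0.113.5", 80, src, 1024 + i, "SA"))
    return sorted(events)

def half_open_report(events, timeout=30.0, threshold=100):
    """Return {(listener_ip, port): peak half-open count} for every listener
    whose peak reaches the threshold."""
    pending = defaultdict(dict)   # listener -> {(src, sport): time of SYN}
    peak = defaultdict(int)
    for ts, src, sport, dst, dport, flags in events:
        if flags == "S":                       # first step of the handshake
            table = pending[(dst, dport)]
            for key in [k for k, t0 in table.items() if ts - t0 > timeout]:
                del table[key]                 # the listener gave up on these
            table[(src, sport)] = ts
            peak[(dst, dport)] = max(peak[(dst, dport)], len(table))
        elif flags in ("A", "R"):              # handshake completed or reset
            pending[(dst, dport)].pop((src, sport), None)
    return {listener: n for listener, n in peak.items() if n >= threshold}
```

The legitimate handshake is removed from the table when its final ACK arrives, so only the unanswered SYNs contribute to the reported peak.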

    Ping of Death

    A simple way to mount a DoS attack is to flood the victim system with multiple, oversized ping requests.

    The attacker sends a ping in a packet that has too much data in its data field, creating a packet that is too long (more than 65,536 octets).

    The victim receives these oversized packets and is likely to crash, hang, or even reboot.

    The router sends the packet to all systems on its network.

    Each system that received the echo request packet responds to the victim, flooding the victim with packets that tie up its network bandwidth.

    UDP Flood Attacks

    A UDP flood attack (sometimes called pingpong) takes advantage of the chargen (useless) service, which is used legitimately to test hosts and networks.

    An attacker mounts it in the following manner:

    The attacker spoofs the return IP address of a UDP datagram that makes a request of the chargen service. Typically, the spoofed return address will point to a host on the victim network.

    DoS attacks can be used against wireless networks as well.

    An attacker can flood the radio frequency (RF) spectrum with enough radiomagnetic interference.

    However, these attacks generally are not widespread because sophisticated and expensive equipment is necessary.

    Most successful wireless DoS attacks take a different approach.

    Attackers can take advantage of CSMA/CA and explicit frame ACK to perform a wireless DoS.

    Another wireless DoS attack uses disassociation frames. A disassociation frame is sent to a device to force it to temporarily disconnect from the wireless network.

    A variant of the DoS is the distributed denial of service (DDoS) attack.

    Instead of using one computer, a DDoS may use hundreds or thousands of zombie computers in a botnet to flood a device with requests.

    This makes it virtually impossible to identify and block the source of the attack.

    Trinoo

    Similar to that of TFN (the attacker communicating with daemons on a compromised host).

    However, it is used to launch UDP flood attacks from multiple sources.

    Stacheldraht

    A variation of TFN and Trinoo.

    The client communicates with handlers using encrypted communication from a command line.

    Handlers are password protected.

    Stacheldraht uses both TCP and ICMP to mount attacks.

    DNS Spoofing

    A method for redirecting users to a Web site other than the one to which a domain name is actually registered.

    The most common variation is malicious cache poisoning, which involves the modification of data in the cache of a domain name server. Any name server that specifically isn't protected against this type of attack is vulnerable.
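
One part of protecting a resolver's cache is refusing answers that do not match an outstanding query and discarding records that lie outside the zone that was asked. The following Python sketch is an added example, not part of the original slides; the dictionary layout, names and addresses are constructed assumptions and not a real resolver's API.

```python
def in_bailiwick(name, zone):
    """True if `name` is the queried zone or a name underneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def cacheable_records(query, response):
    """Return the records of `response` that may enter the cache, or [] when
    the response does not answer the outstanding `query`."""
    matches = (
        response["from"] == (query["server"], 53)       # came from the server asked
        and response["to_port"] == query["src_port"]    # sent to the port we used
        and response["txid"] == query["txid"]           # same transaction ID
        and response["question"] == query["question"]   # echoes our question
    )
    if not matches:
        return []
    return [rr for rr in response["records"]
            if in_bailiwick(rr[0], query["zone"])]

# Constructed sample data (hypothetical resolver state and responses).
QUERY = {
    "server": "198.51.100.53", "src_port": 51515, "txid": 0x3A7C,
    "question": ("www.example.com", "A"), "zone": "example.com",
}
ANSWER = {
    "from": ("198.51.100.53", 53), "to_port": 51515, "txid": 0x3A7C,
    "question": ("www.example.com", "A"),
    "records": [
        ("www.example.com", "A", "203.0.113.5"),
        ("www.bank.example", "A", "192.0.2.66"),   # unrelated name slipped in
    ],
}
FORGED = dict(ANSWER, txid=0x0001)   # same content, wrong transaction ID
```

With these inputs the matching answer yields only the `www.example.com` record, and the forged response yields nothing to cache.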

    Web Spoofing

    Web spoofing involves tricking a user into thinking he or she is interacting with a trusted Web site.

    Spoofed Web sites look very much like the site they are imitating.

    3.2.3 Man-in-the-Middle

    This type of attack makes it seem that two computers are communicating with each other, when actually they are sending and receiving data with a computer between them, or the man-in-the-middle.

    Man-in-the-middle attacks can be active or passive.

    In a passive attack, the attacker captures the data that is being transmitted, records it, and then sends it on to the original recipient without his presence being detected.

    In an active attack, the contents are intercepted and altered before they are sent on to the recipient.

    3.3 Methods of Net. Attacks

    next week .. be there :D