Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640


Contents

Topic 1: Analogy ... 2
  TCP/IP: Understanding the Layers ... 2
Topic 2: Module Introduction ... 4
Topic 3: Domain Name System Basics ... 5
  Introduction to Domain Name System ... 5
  DNS Zones ... 6
  DNS Query Types ... 8
Topic 4: Domain Name System Attacks
  DNS Spoofing
  DNS Cache Poisoning
  Activity: Analyzing a Spoofing Attack
Topic 5: TCP Session Hijacking
  Introduction to TCP Session Hijacking
  Activity: Analyzing TCP Session Hijacking
Topic 6: Denial of Service Attacks
  Introduction
  Ping of Death
  SYN Flooding
  Teardrop, LAND, and Smurf Attacks
  Activity: Identify the DoS Attack
Topic 7: Summary
Glossary

UMUC 2012 Page 1 of 45

Topic 1: Analogy
TCP/IP: Understanding the Layers

TCP/IP Vulnerabilities, Module 4

To better understand how Transmission Control Protocol/Internet Protocol (TCP/IP) is structured, it is helpful to compare TCP/IP with the U.S. Postal Service (USPS). The USPS consists of many post offices and several administrative departments spread over a wide geographic area. Each post office carries out specific functions and works both independently and in cooperation with the other post offices. Similarly, TCP/IP is divided into layers that each play a role in transferring data across the Internet. Each layer works independently, and together these layers transfer data and communication between computers.

U.S. Postal Service

Kylie Sends a Letter
Kylie writes a letter to her friend Samantha, who has recently moved to New York. She drops the letter in a local mailbox in Sacramento, California. Samantha is unaware that Kylie has written to her. However, when Samantha receives and reads the letter, she is happy to hear from Kylie. Kylie did not think about how the letter would reach New York, and Samantha did not consider how the letter arrived at her home. Both Kylie and Samantha are unaware of the underlying delivery mechanism that enabled the letter to travel from Sacramento to New York.

Address Check During Transportation
Postal employees check addresses while letters are in transit. If Kylie writes an incorrect address on the envelope and that letter arrives in New York, a postal employee will stamp the letter "address unknown" and the letter will be returned to Kylie. Kylie would remain unaware of the details of the steps taken to return the letter, and it would be up to her to decide what to do next.

Letters Move Between Cities
Since Kylie and Samantha live in two different states that are separated by thousands of miles, Kylie's letter will travel through many cities before it reaches Samantha. Letters such as Kylie's are transported by airplanes between cities. The pilot of the airplane carrying the letters is concerned only with delivering the cargo to its destination; he or she knows nothing about the contents, senders, or recipients of the letters.

Letter Reaches Samantha
Within a city, letters are taken by trucks from airports to their destination post offices. Kylie's letter is sent to a post office in New York by a truck. Samantha finds the letter from Kylie in her mailbox, and Samantha opens the envelope to read the letter. When Kylie wrote the letter, she used old-fashioned physical tools such as a pen and paper.

TCP/IP Protocol

Application Layer
Kylie wants to write an e-mail to Samantha. She requests a Web page from a remote Web server by typing a URL into a browser in the application layer. The server receives the request, locates the requested site on its hard drive, and sends the data back to Kylie. Kylie is unaware of how the data was delivered, whether it was transmitted over wireless connections, or how many routers it passed through. The data goes through five layers, the first one being the application layer.

Transport Layer
Transport layer software performs the function of establishing a connection between a client and server and monitoring the connection for errors. Transport layer software also slows transmission if data transmission is too fast to handle at the recipient's end. Transport layer software is not concerned with how the data is transmitted; choosing the method of transmission is the responsibility of lower-level software. There are two transport layer protocols: TCP, which is considered reliable, and User Datagram Protocol (UDP), which is fast but unreliable. If TCP tries to transmit data repeatedly and errors in the connection persist, TCP informs its "boss," the application program, of the problem.

Internet Layer
Internet layer programs move data between networks. IP software is responsible only for moving data from one point to another, regardless of the contents of the data. When the data reaches its destination local area network (LAN), the Internet layer hands the data over to the data link layer software or firmware for delivery to the intended computer.

Data Link Layer
Data link layer programs transport incoming and outgoing data within LANs. Ethernet is the most common protocol for the data link layer. A data link program is concerned solely with the transmission of data within the LAN and is not responsible for how data enters or leaves the LAN. The responsibility of managing the entering and leaving of data from a LAN lies with the Internet layer.

Physical Layer
Physical layer protocols specify the means of representing ones and zeros, or bits. The protocols also specify how bits should be transmitted between two points using wire, fiber, and so on. There are several types of physical layer protocols, each of which represents and transmits bits in its own way. The e-mail that Kylie sends to Samantha passes through these five layers twice and reaches Samantha's inbox.

Breaking the Rules
In an ideal situation, each component of the postal network or the TCP/IP protocol performs its function as desired. However, there can be deviations. For example, a mail carrier might read a letter or choose not to deliver it. Similarly, on the Internet, a router may be programmed to process data packets from a competing service slowly or to intercept them. For example, routers can be programmed to send copies of packets containing certain data to a government security agency. The postal service has laws against tampering with mail. It has been recommended that network neutrality laws be implemented for the Internet to protect against the differential treatment of packets.

Topic 2: Module Introduction

The TCP/IP protocol suite has a number of inherent vulnerabilities and security flaws. These vulnerabilities are often used by hackers to launch denial of service (DoS) attacks, TCP connection hijackings, and other attacks. Most of the weaknesses in the TCP/IP suite probably exist because the protocols are outdated, having been developed in the mid-1970s. Vendors of network equipment and operating systems have made code improvements over time to disable many of the attacks. However, some vulnerabilities continue to exist and are exploited by malicious users to disrupt and damage users and organizations.

This module explores the basics of the Domain Name System (DNS), such as its structure, query types, and zones. It also covers major TCP/IP security problems, namely DNS attacks, TCP session hijackings, and DoS attacks.

Topic 3: Domain Name System Basics
Introduction to the Domain Name System

The Domain Name System (DNS) is based on a naming system that consists of a hierarchical and logical tree structure known as the domain name space. The top-level domains within the DNS hierarchy are .com, .edu, .gov, .mil, .int, .org, and .net. Each node or branch in the DNS tree represents a unique fully qualified domain name (FQDN). The FQDN indicates the position of a domain within the tree. An FQDN consists of labels such as IT, UMUC, and edu separated by periods. Some examples of FQDNs are .edu, UMUC.edu, Berkeley.edu, and IT.UMUC.edu. When data is requested from a node, a host server uses DNS to translate the domain name to an IP address.

Figure: DNS Hierarchy

Topic 3: Domain Name System Basics
DNS Zones

It is inefficient and unreliable to store DNS information in a single server. The solution is to distribute DNS information among many entities called DNS servers. Each DNS server is responsible, or authoritative, for large or small domains. As a result, there is a hierarchy of DNS servers similar to the hierarchy of domain names. A DNS server stores information about, and is authoritative for, a part of the DNS called a zone. A single server may be authoritative for many zones. A zone is a portion of a domain. Each zone will have a primary name server and a secondary name server. A primary server maintains a zone file, which is a text file that describes the zone. Any updates to the zone are made on the primary server. The secondary server maintains a copy of the zone data, which is periodically transferred from the primary server. The DNS server answers any queries about the hosts in its zone.

Step 1
In this example, it is assumed that a UMUC system administrator creates two subdomains, Physics.UMUC.edu and IT.UMUC.edu, under the UMUC.edu domain. There are three authoritative DNS servers responsible for the three zones: UMUC.edu, Physics.UMUC.edu, and IT.UMUC.edu, respectively.

Step 2
The top authoritative DNS server is responsible for the UMUC.edu zone, and the two subauthoritative DNS servers are responsible for the two subzones, Physics.UMUC.edu and IT.UMUC.edu.

Step 3
The zone UMUC.edu contains only DNS information for UMUC.edu and references to the two authoritative name servers for the subdomains, Physics.UMUC.edu and IT.UMUC.edu. The system administrator or network engineer will determine how to create multiple zones and authoritative DNS servers responsible for one or more zones.

Step 4
For example, the IT.UMUC.edu domain name server is responsible for any queries for its Web server. Generally, the domain name structure is divided into zones based on how the name space will be administered.

Topic 3: Domain Name System Basics
DNS Query Types

The two types of queries for common DNS name resolutions are recursive and iterative queries. The example below shows how recursive queries work.

How Recursive Queries Work

Step 1
A client sends a recursive query to its configured DNS server, requesting the IP address that corresponds to the requested name.

Step 2
The local DNS server checks its zones and does not find any zone that corresponds to the requested domain name. It then sends a query for the name to the root name server.

Step 3
The root name server is authoritative for the root domain. The server has information about name servers for top-level domain names such as .com, .edu, .org, and others. The root name server responds with the IP address of a name server for the .edu domain.

Step 4
The local DNS server sends a query for the name to the name server that is authoritative for the .edu domain.

Step 5
The .edu name server responds with the IP address of the name server that is authoritative for the umuc.edu domain.

Step 6
The local DNS server sends a query for the name to the authoritative name server for the umuc.edu domain.

Step 7
The UMUC.edu name server replies with the IP address corresponding to the requested domain name.

Step 8
The local DNS server sends the IP address of the requested name to the client that made the request.
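The walk in Steps 1 to 8, modelled as an added example (this is not code from the UMUC module). The local server answers the client's recursive query by issuing iterative queries itself, following each referral from the root toward the authoritative server; the zone contents and IP addresses are constructed for the model and are not the real addresses of the root, .edu or UMUC name servers.

```python
"""Model of the recursive-query walk: root -> .edu -> umuc.edu -> answer.

Added example, not part of the UMUC module. Zone data and addresses are
constructed placeholders.
"""

# Constructed zone data: each zone knows the name servers (NS) it delegates
# to and the address (A) records it is authoritative for.
ZONES = {
    ".": {"ns": {"edu": "192.0.2.10"}, "a": {}},
    "edu": {"ns": {"umuc.edu": "192.0.2.20"}, "a": {}},
    "umuc.edu": {"ns": {}, "a": {"www.umuc.edu": "192.0.2.80"}},
}
ROOT_SERVER = "192.0.2.1"   # constructed address of the root name server
SERVER_TO_ZONE = {"192.0.2.1": ".", "192.0.2.10": "edu", "192.0.2.20": "umuc.edu"}


def ask_server(server_ip, qname):
    """One iterative query. The server either answers from its own records or
    refers the resolver to the name server of the closest zone it delegates."""
    zone = ZONES[SERVER_TO_ZONE[server_ip]]
    if qname in zone["a"]:
        return ("answer", zone["a"][qname])
    # Longest delegated zone that is a suffix of the query name wins.
    for child in sorted(zone["ns"], key=len, reverse=True):
        if qname == child or qname.endswith("." + child):
            return ("referral", zone["ns"][child])
    return ("nxdomain", None)


def resolve(qname, cache=None, max_hops=8):
    """The local server's walk on behalf of the client.

    Returns (ip_or_None, list of server IPs contacted in order). The cache
    argument stands in for the local server's own zone/cache check in Step 2;
    a cached name is answered without contacting anyone."""
    cache = cache if cache is not None else {}
    if qname in cache:
        return cache[qname], []
    trail = []
    server = ROOT_SERVER
    for _ in range(max_hops):            # guard against referral loops
        trail.append(server)
        kind, value = ask_server(server, qname)
        if kind == "answer":
            cache[qname] = value          # Step 8: answer goes back to the client
            return value, trail
        if kind == "nxdomain":
            return None, trail
        server = value                    # Steps 3 and 5: follow the referral
    return None, trail


if __name__ == "__main__":
    ip, trail = resolve("www.umuc.edu")
    print(ip, "via", " -> ".join(trail))
```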

Topic 4: Domain Name System Attacks
DNS Spoofing

Every DNS query has a unique identification number known as a transaction ID. The transaction ID allows the recipient of the response to identify the corresponding query. When the UDP or TCP port number, IP address, and transaction ID from a remote host are provided, the recipient accepts the DNS reply. In a DNS spoofing attack, an attacker uses spoofed or fake DNS replies to direct a victim to a malicious Web site or device. This example looks at how an attacker launches a DNS spoofing attack on a network. It is assumed that both the target and the attacker are on the same LAN.

Example of a DNS Spoofing Attack

Step 1
The target sends a query to the DNS server to resolve a Web site's name to an IP address. A cache entry for that IP address does not exist in the target's Address Resolution Protocol (ARP) table. The responses to previous ARP requests are cached in the ARP table. Every PC caches an ARP table in its local file system. In this example, it is assumed that the target's ARP table is empty in the beginning. The attacker observes the DNS query that the target has made.

Step 2
Before the original DNS reply arrives, the attacker sends a spoofed DNS reply to the target. The spoofed reply has the same transaction ID used by the target. In the spoofed DNS reply, the IP address of a malicious device, such as the attacker's Web server, is included.

Step 3
The target uses the IP address provided in the spoofed DNS reply and accesses the malicious Web site instead of the one it asked for.

Topic 4: Domain Name System Attacks
DNS Cache Poisoning

Jamie is accessing a golf Web site from his office computer. Sarah, a hacker, has initiated a DNS cache poisoning attack against the company's DNS server. Using the DNS cache poisoning attack, Sarah is able to maliciously modify entries in the DNS server of Jamie's company. As a result, Jamie's computer receives a reply from the company server containing the IP addresses of the malicious hosts. Since Sarah is on a network different from the network of Jamie's company, she cannot observe the transaction ID that Jamie uses.

Step 1
Sarah has sent a series of bogus DNS queries to the DNS server of Jamie's company. Sarah sends spoofed responses to the company's DNS server before the Web site's DNS replies reach the company's DNS server. Sarah creates the spoofed responses using transaction IDs that she guesses. She hopes to guess the correct transaction ID by sending an increasing number of simultaneous queries with different transaction IDs that the server has to resolve.

DNS Cache Poisoning
Here is an explanation of the first step in a DNS cache poisoning attack. It is assumed that the DNS server for Jamie's company has an ARP table that is initially empty. Sarah first sends a DNS query to the company's DNS server. Unable to find a matching cache entry in its ARP table, the server sends the query to another DNS server with a DNS transaction ID. Immediately, Sarah sends a spoofed DNS reply to the company's DNS server with a guessed transaction ID that tries to match the ID sent by the server earlier. She sends spoofed replies until the transaction ID matches the ID used by the company's DNS server.

Step 2
The spoofed DNS replies from the attacker to the DNS server are successful. The DNS replies from the legitimate DNS server are rejected.

Step 3
Jamie types a URL in his browser, sending a request to his company's DNS server for a Web page. Jamie's computer receives a DNS reply with a bogus IP address from the compromised company DNS server.

Step 4
Jamie's computer is directed to a malicious device set up by Sarah with the bogus IP address.
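The acceptance rule from the DNS Spoofing topic (a reply is matched on transaction ID, responding address and port, and question) and the guessing loop from the cache poisoning scenario, as an added example that is not code from the UMUC module. The resolver model keeps an outstanding-query table, accepts only the first reply that matches an entry, and counts replies that fail the check per sender, which is the footprint a resolver operator can alert on when an off-path party is cycling through transaction IDs. All addresses, names and IDs are constructed.

```python
"""Reply matching on a resolver, plus a counter for transaction-ID guessing.

Added example, not part of the UMUC module. Addresses and IDs are constructed.
"""
from collections import defaultdict


class Resolver:
    def __init__(self, guess_alert_threshold=5):
        self.pending = {}                    # txid -> (server_ip, server_port, qname)
        self.cache = {}                      # qname -> answer ip
        self.unmatched = defaultdict(int)    # claimed sender ip -> rejected-reply count
        self.threshold = guess_alert_threshold
        self.alerts = []

    def send_query(self, txid, server_ip, server_port, qname):
        """Record an outstanding query so its reply can be recognised (Step 1 of the walk)."""
        self.pending[txid] = (server_ip, server_port, qname)

    def receive_reply(self, sender_ip, sender_port, txid, qname, answer_ip):
        """Return True if the reply is accepted and cached, False if rejected.

        The reply must carry the transaction ID of an outstanding query AND come from
        the address/port that query was sent to AND answer the same question."""
        expected = self.pending.get(txid)
        if expected != (sender_ip, sender_port, qname):
            # Not a reply to anything outstanding. An off-path guesser has to spoof the
            # upstream server's address, so the count accrues against that address: many
            # rejected replies "from" one upstream server is the signal worth alerting on.
            self.unmatched[sender_ip] += 1
            if self.unmatched[sender_ip] == self.threshold:
                self.alerts.append(f"{sender_ip}: {self.threshold} unsolicited DNS replies")
            return False
        del self.pending[txid]     # first matching reply wins; later ones are rejected
        self.cache[qname] = answer_ip
        return True


def poisoning_attempt(guesses):
    """Replay the scenario: the resolver asks an upstream server for a name and an
    off-path sender races the real reply with replies carrying guessed IDs.

    Returns (cached answer, whether the legitimate reply was accepted, alerts)."""
    r = Resolver()
    upstream = ("198.51.100.53", 53)                 # constructed upstream server
    r.send_query(0xE161, upstream[0], upstream[1], "www.example.test")
    for guess in guesses:
        r.receive_reply(upstream[0], upstream[1], guess, "www.example.test", "203.0.113.66")
    legit = r.receive_reply(upstream[0], upstream[1], 0xE161, "www.example.test", "192.0.2.80")
    return r.cache.get("www.example.test"), legit, list(r.alerts)


if __name__ == "__main__":
    print(poisoning_attempt([0x1000, 0x1001, 0x1002]))      # wrong guesses: real answer cached
    print(poisoning_attempt(range(0xE150, 0xE170)))         # guess range covers the ID
```

The second run shows why the transaction ID alone is a weak secret: once the guess space is covered, the forged answer is cached and the real reply arrives too late to be matched.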

Topic 4: Domain Name System Attacks
Activity: Analyzing a Spoofing Attack

Introduction
A DNS spoofing attack is often difficult to detect, and the victim is unwittingly directed to a malicious Web site that an attacker can use to gain confidential information or to infect the user's computer. Ernest and Sons LLC is a reputable law firm based in New Jersey. An Internet hacker is seeking to direct unsuspecting users on the company's network to a malicious Web page. What are the signs that a system administrator at Ernest and Sons should look out for to determine whether the company's network is the target of a spoofing attack?

Workspace
Review the details of the spoofing attack on the Ernest and Sons network by clicking the Attack Details button. Then answer each question below.

Attack Details
The LAN of Ernest and Sons is shown below. View the animation to understand how the attacker launches the DNS spoofing attack.

Step 1
A user on the Ernest and Sons LAN is trying to access a Web site. The ARP spoofing attack causes the victim's DNS request for the IP address of that site to be forwarded to the attacker's host.

Step 2
The attacker provides a spoofed DNS response to make the victim's computer believe the response is coming from the desired host. The response includes the IP address of the malicious Web server that the hacker has set up.

Step 3
The victim makes an HTTP Web request to the malicious Web server, believing it is the UMUC Web server.

Step 4
The server set up by the hacker returns a malicious Web page to the victim.

Question 1: Which one of the following screenshots indicates the DNS request sent by the victim?
a. Screenshot A
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
b. Screenshot B
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
Correct answer: Option b

Feedback: The source IP address and the MAC address 00-0C shown in the screenshot are those of the victim. Due to the ARP spoofing attack, the MAC address for the gateway cached in the victim's ARP table is changed to that of the attacker. As a result, the victim uses the right destination IP address, which is the IP address of the gateway. However, the polluted destination MAC address, 00-0C, is cached in the victim's ARP table.
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Question 2: Here is a screenshot of the victim's DNS request. What is the DNS transaction ID used in the DNS request?
a. 0x54ac
b. 0xe161
c. 0x0100
Screenshot
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
Correct answer: Option b

Feedback: The DNS transaction ID 0xe161 is displayed in the DNS header in the screenshot. This transaction ID uniquely identifies the DNS query and response.
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Question 3: Here is a screenshot of the attacker's DNS response. Which aspect of the request is suspicious?
a. The destination MAC address used by the attacker is suspicious.
b. The TCP sequence number used by the attacker is suspicious.
c. The value of the DNS transaction ID is too small.
d. The source MAC address used by the attacker is suspicious.
e. None of the above; the DNS response is normal.
Screenshot
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
Correct answer: Option d

Feedback: The source MAC address 00-0C does not match the source IP address, which is the IP address of the gateway router. The source MAC address actually belongs to the attacker.
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Review
The attacker successfully launched a DNS spoofing attack on the Ernest and Sons network. The following animation depicts the queries and responses exchanged by the victim and the malicious Web server.

The Attack on the Ernest and Sons Network
As a result of the DNS spoofing attack, the victim unknowingly makes an HTTP Web request to the malicious Web server.
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
The malicious Web server set up by the attacker sends an HTTP response to the victim.
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

As a result, the following message is displayed in the victim's Web browser.

Further Challenges
Do you think a network intrusion detection system (IDS) can detect a discrepancy between the IP address and the corresponding MAC address? For example, will the IDS detect that the victim's machine is using the attacker's MAC address and the gateway's IP address when sending a request?

Topic 5: TCP Session Hijacking
Introduction to TCP Session Hijacking

If an attacker can predict or sniff a TCP sequence number that a target and its communication partner use, then the attacker can hijack the established TCP connection. When the session is hijacked, the attacker can assume the identity of the compromised user and access the resources stored on the communication partner as the compromised user. Here is a simple example of a TCP session hijack that takes place within a LAN.

An Example of a TCP Session Hijacking Attack

Step 1
An attacker monitors TCP packets between Host A and Host B. Host B is the target.

Step 2
The attacker jumps into the exchanged communication, sending TCP packets to Host B by:
a. Forging the source IP address of the TCP packets, using the IP address of Host A. The source IP address of the bogus packet becomes that of Host A.
b. Embedding the IP address of Host B in the bogus packet, so that the destination IP address of the bogus packet is that of Host B.
c. Forging the TCP sequence number of the TCP packets, using the TCP sequence number that Host B expects to see. Since Host B expects to see sequence number 10045, the TCP sequence number of the bogus packet becomes that value. The acknowledgment number of the bogus packet becomes 20020, since the packet previously sent by Host B carried the preceding TCP sequence number and a length of 20 bytes (previous sequence number + 20 = 20020).

Topic 5: TCP Session Hijacking
Activity: Analyzing TCP Session Hijacking

This activity shows a simple TCP/IP hijacking attack that involves an attacker hijacking a currently established Telnet (TCP) connection between two hosts and injecting an authentic-looking reset (RST) packet to disrupt the connection.

Attack Details
In the attack, the target client makes a Telnet connection to the Linux server and executes a Linux command through the Telnet connection. The attacker is listening to the communication between the server and the client. At some point, after the client is authenticated to the server, the attacker hijacks the TCP connection and injects an RST packet to reset the connection.

Activity
The packet shown in the screenshot represents the last active TCP connection between the client and server before the attacker launches a TCP reset attack. It shows that the packet is sent from the server to the client. Then, the attacker hijacks and resets this connection.

Question: Based on the details in the screenshot, what are the source IP address, source MAC address, and TCP sequence number of the reset frame sent to the Telnet client by the attacker?
a. Source IP: ; Source MAC: 00-0C ; TCP sequence:
b. Source IP: ; Source MAC: 00-0C ; TCP sequence:
c. Source IP: ; Source MAC: 00-0C ; TCP sequence:
Screenshot
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
Correct answer: Option c

Feedback: To hijack the active connection between the server and the client, the attacker must send an IP packet with a valid TCP sequence number and source IP address. For RST, the attacker must use the TCP sequence number of the active connection. Since is the TCP sequence number of the last packet, the correct TCP sequence number is . Also, the attacker should use the source IP address of the current connection. Finally, the MAC address cannot be forged since the frame must originate from the attacker. Thus, the MAC address must be the attacker's, which is 00-0C . The actual frame is shown below:
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
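The IP-to-MAC consistency check raised under Further Challenges in the spoofing activity, and the point made in the feedback above that the injected frame must carry the attacker's own MAC, as one added example (not code from the UMUC module or from any IDS product). Given the MAC addresses that trusted hosts such as the gateway and the Telnet server are known to use, it flags frames where one of those IP addresses appears with a different Ethernet address, on either the source side (forged DNS reply, injected RST) or the destination side (victim sending gateway-bound traffic to a poisoned MAC). All addresses and sequence numbers are constructed.

```python
"""IP-to-MAC binding check over decoded frames.

Added example, not part of the UMUC module. Bindings and capture are constructed.
"""

# Constructed bindings for the hosts an administrator trusts on this LAN.
TRUSTED = {
    "10.0.0.1": "00:0c:29:aa:aa:01",    # gateway / DNS forwarder
    "10.0.0.20": "00:0c:29:aa:aa:20",   # Telnet server
}


def check_frame(frame, trusted=TRUSTED):
    """Return a list of findings for one decoded frame (empty list if consistent).

    frame is a dict with src_mac, dst_mac, src_ip, dst_ip, and optional
    proto ('dns', 'tcp'), flags (e.g. 'RST') and seq."""
    findings = []
    # Source side: a trusted IP speaking from the wrong MAC (forged reply / injected RST).
    src_expected = trusted.get(frame["src_ip"])
    if src_expected and frame["src_mac"].lower() != src_expected:
        findings.append(f"src {frame['src_ip']} seen from {frame['src_mac']} (expected {src_expected})")
    # Destination side: traffic for a trusted IP sent to another MAC (poisoned ARP cache).
    dst_expected = trusted.get(frame["dst_ip"])
    if dst_expected and frame["dst_mac"].lower() != dst_expected:
        findings.append(f"dst {frame['dst_ip']} addressed to {frame['dst_mac']} (expected {dst_expected})")
    return findings


def scan(frames, trusted=TRUSTED):
    """Run check_frame over a capture; returns {frame index: findings} for hits only."""
    hits = {}
    for i, f in enumerate(frames):
        found = check_frame(f, trusted)
        if found:
            hits[i] = found
    return hits


# Constructed capture mirroring the two activities on this page: the victim's DNS
# request after ARP poisoning, the forged DNS reply, a real Telnet data segment
# from the server, and the injected RST claiming the server's IP address.
SAMPLE = [
    {"src_mac": "00:0c:29:bb:bb:33", "dst_mac": "00:0c:29:ee:ee:99",
     "src_ip": "10.0.0.33", "dst_ip": "10.0.0.1", "proto": "dns"},
    {"src_mac": "00:0c:29:ee:ee:99", "dst_mac": "00:0c:29:bb:bb:33",
     "src_ip": "10.0.0.1", "dst_ip": "10.0.0.33", "proto": "dns"},
    {"src_mac": "00:0c:29:aa:aa:20", "dst_mac": "00:0c:29:bb:bb:33",
     "src_ip": "10.0.0.20", "dst_ip": "10.0.0.33", "proto": "tcp", "flags": "PSH,ACK", "seq": 20000},
    {"src_mac": "00:0c:29:ee:ee:99", "dst_mac": "00:0c:29:bb:bb:33",
     "src_ip": "10.0.0.20", "dst_ip": "10.0.0.33", "proto": "tcp", "flags": "RST", "seq": 20020},
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE).items():
        print(idx, found)
```

Frames 0, 1 and 3 are flagged and the genuine server segment (frame 2) is not; the attacker's MAC 00:0c:29:ee:ee:99 is the common thread, which is the discrepancy the Further Challenges question asks about.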

Topic 6: Denial of Service Attacks
Introduction

System resources such as network bandwidth, the number of connections a server can properly handle, CPU usage, and memory are finite and limited. Any attack designed to render a computer resource unavailable to its intended users and unable to perform its basic functionality is known as a denial of service (DoS) attack. For example, a Web server needs a minimum amount of network bandwidth to function properly. In addition, it has a maximum number of connections it can maintain based on its limited CPU and memory resources. If the server reaches its resource limit, additional connections are rejected and some potential clients are not able to access the server. In a DoS attack, an attacker can create a flood of server requests, causing the targeted server to reject any further requests. This is a "denial of service" because users cannot access a resource.

Attack Symptoms
The following are possible symptoms of a DoS attack:
Unusually slow network performance, such as difficulty accessing files or Web sites
Unavailability of a particular Web site or of any Web sites
A dramatic increase in the amount of spam in the user's mailbox

Topic 6: Denial of Service Attacks
Ping of Death

A ping of death attack is one of the earliest types of DoS attacks. The ping of death is especially effective on systems running Windows 95, Windows 98, Linux 6.0, or any earlier operating system. This attack uses an oversized ICMP packet to create a DoS effect. The maximum allowable size of an IP packet is bytes. An Internet Control Message Protocol (ICMP) echo request is an IP packet with an ICMP header. An IP header has a size of 20 bytes and the ICMP header is 8 bytes. This means that the data portion of an ICMP packet cannot be larger than bytes.

A ping of death attack exploits the following facts:
Many ping implementations allow a user to specify a packet size larger than bytes because of the way IP fragmentation is performed. An attacker can specify an ICMP data packet with a size larger than bytes and then divide the packet into pieces.
Many early computer systems could not handle a ping of death packet larger than the maximum IP packet size of bytes. When the recipient system reassembles the packet, it is too big for the receiver's buffer, and the receiving host crashes, reboots, or freezes.

What is malicious about this attack is that a huge IP packet can be transmitted to a target network via IP fragmentation and cause a victim machine to crash.

Attack Details
The ping command and the host IP address are typed on a Linux or Windows computer in the Run dialog box. An example of a ping command would be ping n
Explanation: 100 ICMP packets with a size of 60,000 bytes each are transmitted to the target IP address. Each ICMP packet is fragmented into several pieces during transmission.

Topic 6: Denial of Service Attacks
SYN Flooding

An SYN flood attack is an early form of DoS attack. The attack creates disruptions and slows connections by exploiting the three-way handshake used to establish TCP connections. In a TCP three-way handshake, a client sends an SYN request to a server or network resource to initiate the connection. The server or network resource responds with an SYN-ACK back to the client. Finally, the client responds with an ACK to the server to complete the handshake and establish the connection.

Steps in an SYN Flood Attack

Step 1
An attacker sends a large number of SYN packets to a victim server to initiate a three-way handshake. The SYN packets probably have randomly generated spoofed source addresses.

Step 2
The server sends numerous SYN-ACK responses to the spoofed IP addresses.

Step 3
The attacker does not send the corresponding ACK packets to the server. This omission creates a large number of half-open connections.

Step 4
The attacker keeps sending SYN packets with spoofed source IP addresses until the server reaches its resource limit.
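The server-side state that Steps 1 to 4 exhaust, tracked over a constructed packet list, as an added example (not code from the UMUC module). A SYN opens a pending entry, the client's ACK completes it, and the number of entries left pending is the half-open backlog; the detector alerts when that backlog passes a threshold and reports how many distinct source addresses are behind it, which separates a flood of spoofed sources from a single busy client. Addresses, ports and the threshold are constructed.

```python
"""Half-open connection tracking for SYN flood detection.

Added example, not part of the UMUC module. Capture and threshold are constructed.
"""


def track_half_open(segments, threshold=3):
    """Replay TCP segments through a model of the server's connection table.

    Each segment is a tuple (src_ip, src_port, dst_ip, dst_port, flags).
    Returns (pending_count, distinct_pending_sources, alerts), where each alert
    is (server_ip, half_open_count_when_raised, distinct_sources_when_raised)."""
    pending = {}          # (src_ip, src_port, dst_ip, dst_port) -> state
    alerts = []
    for src_ip, src_port, dst_ip, dst_port, flags in segments:
        key = (src_ip, src_port, dst_ip, dst_port)
        if flags == "SYN":                        # Step 1: a SYN arrives ...
            pending[key] = "syn_received"          # ... server answers SYN-ACK (Step 2)
        elif flags in ("ACK", "RST") and key in pending:
            del pending[key]                       # Step 3 completed, or the real owner reset it
        # Step 4: how many half-open entries does this server hold right now?
        for_server = [k for k in pending if k[2:] == (dst_ip, dst_port)]
        already = any(a[0] == dst_ip for a in alerts)
        if len(for_server) > threshold and not already:
            alerts.append((dst_ip, len(for_server), len({k[0] for k in for_server})))
    return len(pending), len({k[0] for k in pending}), alerts


# Constructed capture: one complete handshake, then SYNs from six different
# (spoofed) addresses that are never followed by an ACK.
SAMPLE = [
    ("10.0.0.33", 40001, "10.0.0.20", 80, "SYN"),
    ("10.0.0.33", 40001, "10.0.0.20", 80, "ACK"),
] + [(f"203.0.113.{n}", 1024 + n, "10.0.0.20", 80, "SYN") for n in range(1, 7)]

if __name__ == "__main__":
    print(track_half_open(SAMPLE))
```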

Topic 6: Denial of Service Attacks
Teardrop, LAND, and Smurf Attacks

Teardrop Attack
In a normal TCP packet transmission, a packet is fragmented into three different packets: packet 1, packet 2, and packet 3. Each fragment packet has the proper offset value in the IP header. In a teardrop attack, an attacker sends fragments with invalid, overlapping values in the offset field of the IP header.

Attack Details
In the diagram, the normal transmission has packets with sequence numbers that begin and end correctly. In the abnormal packet transmission, the attacker has put an offset value in the IP header in such a way that the first 20 bytes of packet 2 overlap with the last 20 bytes of packet 1. The data bytes from 170 to 210 are deliberately not transmitted, to confuse the receiver.

LAND Attack
In a local area network denial (LAND) attack, an attacker sends a TCP SYN packet to the target machine that uses the target's address as both the source and the destination address. The attack causes the targeted machine to reply to itself continuously and eventually crash.

Smurf Attack
Smurf attacks are directed at a single target in a distributed way to crash the target. The attack needs three main components: the attacker's computer, a target host, and packet amplifiers.

Step 1
To run a Smurf attack, an attacker must discover a network to which ICMP request packets can be broadcast. The network, referred to as an amplifier, should be able to respond with ICMP reply messages to the target address on a different network.

Step 2
Once an attacker discovers an amplifier network, a broadcast ICMP request is sent to the amplifier network. The source address of the broadcast ICMP request is forged to be the address of the target.

Step 3
The hosts on the amplifier network respond to the broadcast ICMP request and send ICMP reply messages to the target address.

Step 4
The target server or host is inundated with the ICMP reply messages from the amplifier network.
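Packet-level checks for the patterns described under Ping of Death and under Teardrop, LAND, and Smurf, as one added example (not code from the UMUC module). The checks work on decoded fields rather than raw bytes: overlapping fragment offsets are the teardrop pattern, a reassembled datagram larger than the IP maximum is the ping of death pattern, source equal to destination on a SYN is LAND, and an ICMP echo request to the broadcast address with an off-network source is what an amplifier network sees during a Smurf attack. The sample fragment sets and packets are constructed.

```python
"""Checks for fragment-based and address-based DoS patterns.

Added example, not part of the UMUC module. Samples are constructed.
"""
from ipaddress import ip_address, ip_network

IP_MAX_BYTES = 65535      # largest IP datagram the 16-bit total-length field allows
IP_HEADER_BYTES = 20


def check_fragments(frags):
    """frags: list of dicts with 'offset' and 'len' (payload bytes) for ONE datagram.
    Returns a list of findings; an empty list means the pieces reassemble cleanly."""
    findings = []
    end_of_previous = 0
    for f in sorted(frags, key=lambda f: f["offset"]):
        if f["offset"] < end_of_previous:          # this piece starts inside the last one
            findings.append(f"overlap: fragment at {f['offset']} starts before {end_of_previous}")
        end_of_previous = max(end_of_previous, f["offset"] + f["len"])
    total = end_of_previous + IP_HEADER_BYTES
    if total > IP_MAX_BYTES:                       # more than the receiver's buffer can hold
        findings.append(f"oversize: reassembled datagram would be {total} bytes")
    return findings


def check_land(pkt):
    """LAND: a TCP SYN whose source and destination address and port are the target's own."""
    return (pkt.get("proto") == "tcp" and "SYN" in pkt.get("flags", "")
            and pkt["src_ip"] == pkt["dst_ip"] and pkt.get("sport") == pkt.get("dport"))


def check_smurf(pkt, local_net):
    """Smurf, seen from the amplifier network: an ICMP echo request to our broadcast
    address whose claimed source is off-network, so every reply leaves the network."""
    net = ip_network(local_net)
    return (pkt.get("proto") == "icmp" and pkt.get("type") == "echo-request"
            and ip_address(pkt["dst_ip"]) == net.broadcast_address
            and ip_address(pkt["src_ip"]) not in net)


# Constructed samples. The teardrop set mirrors the text: the second piece
# starts 20 bytes inside the first, so offsets 150 to 170 are covered twice.
NORMAL_FRAGS = [{"offset": 0, "len": 1480}, {"offset": 1480, "len": 1480}, {"offset": 2960, "len": 500}]
TEARDROP_FRAGS = [{"offset": 0, "len": 170}, {"offset": 150, "len": 60}]
POD_FRAGS = [{"offset": i * 1480, "len": 1480} for i in range(45)]     # 45 x 1480 = 66600 bytes
LAND_PKT = {"proto": "tcp", "flags": "SYN", "src_ip": "10.0.0.20", "dst_ip": "10.0.0.20",
            "sport": 80, "dport": 80}
SMURF_PKT = {"proto": "icmp", "type": "echo-request", "src_ip": "203.0.113.9", "dst_ip": "192.0.2.255"}

if __name__ == "__main__":
    print("normal:", check_fragments(NORMAL_FRAGS))
    print("teardrop:", check_fragments(TEARDROP_FRAGS))
    print("ping of death:", check_fragments(POD_FRAGS))
    print("land:", check_land(LAND_PKT), "smurf:", check_smurf(SMURF_PKT, "192.0.2.0/24"))
```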

Topic 6: Denial of Service Attacks
Activity: Identify the DoS Attack

Question: Review the screenshot and determine the type of DoS attack it illustrates.
a. Ping of death
b. SYN flood
c. Teardrop
d. LAND attack
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
Correct answer: Option b

Feedback: The screenshot shows that numerous SYN packets with different source addresses are sent to a single host. Therefore, the attack is an SYN flooding attack.

Topic 7: Summary

We have come to the end of Module 4. The key concepts covered in this module are listed below.

The Transmission Control Protocol/Internet Protocol (TCP/IP) protocol is divided into multiple layers: application, transport, Internet, data link, and physical.
The Domain Name System (DNS) consists of a hierarchical structure of nodes and domains that determines the position of a domain within the system.
The DNS structure for an organization is determined based on which domains require independent administration.
Two of the key DNS attacks are DNS spoofing and DNS cache poisoning.
In a TCP session hijacking, an attacker predicts or sniffs the TCP sequence number used between the target and a host to hijack the communication and gain unauthorized access to the target.
A ping of death attack is a type of denial of service (DoS) attack in which the attacker sends an oversized Internet Control Message Protocol (ICMP) packet to the target that causes the target to freeze, crash, or reboot.
In an SYN flood attack, an attacker sends numerous SYN requests to a server and then does not complete the three-way handshake, resulting in pending requests to the server that cause a denial of service.
Teardrop, local area network denial (LAND), and Smurf are some other commonly used DoS attacks.

Glossary

ARP Table: An ARP table is a short-term memory of all the IP addresses and MAC addresses that a device has already matched. The ARP table helps to avoid having to repeat ARP requests for devices that have been communicated with earlier.

DNS: The Domain Name System (DNS) is a protocol that translates a computer's domain name into an IP address.

Echo Request: An echo request is an Internet Control Message Protocol (ICMP) request that expects to receive an echo or identical reply.

FQDN: A fully qualified domain name (FQDN) is a domain name that exactly specifies its position within the hierarchy of the Domain Name System (DNS).

ICMP: Internet Control Message Protocol (ICMP) is a protocol that sends error messages or query messages.

MAC Address: A Media Access Control (MAC) address is a unique identifying code assigned to every piece of hardware that accesses the Internet.

TCP: The Transmission Control Protocol (TCP) is one of the core protocols of the Internet and enables the reliable transfer of data bytes across the Internet.

UDP: The User Datagram Protocol (UDP) is one of the core protocols of the Internet that enables computers to send datagrams to other systems over the Internet without requiring prior communication channels to be established.


More information

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006 WIRELESS SECURITY Information Security in Systems & Networks Public Development Program Sanjay Goel University at Albany, SUNY Fall 2006 1 Wireless LAN Security Learning Objectives Students should be able

More information

SECURITY FLAWS IN INTERNET VOTING SYSTEM

SECURITY FLAWS IN INTERNET VOTING SYSTEM SECURITY FLAWS IN INTERNET VOTING SYSTEM Sandeep Mudana Computer Science Department University of Auckland Email: smud022@ec.auckland.ac.nz Abstract With the rapid growth in computer networks and internet,

More information

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Auxiliary Protocols

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Auxiliary Protocols Auxiliary Protocols IP serves only for sending packets with well-known addresses. Some questions however remain open, which are handled by auxiliary protocols: Address Resolution Protocol (ARP) Reverse

More information

Hands-on Network Traffic Analysis. 2015 Cyber Defense Boot Camp

Hands-on Network Traffic Analysis. 2015 Cyber Defense Boot Camp Hands-on Network Traffic Analysis 2015 Cyber Defense Boot Camp What is this about? Prerequisite: network packet & packet analyzer: (header, data) Enveloped letters inside another envelope Exercises Basic

More information