Contents

Topic 1: Analogy ... 2
  TCP/IP: Understanding the Layers ... 2
Topic 2: Module Introduction ... 4
Topic 3: Domain Name System Basics ... 5
  Introduction to Domain Name System ... 5
  DNS Zones ... 6
  DNS Query Types ... 8
Topic 4: Domain Name System Attacks ... 13
  DNS Spoofing ... 13
  DNS Cache Poisoning ... 15
  Activity: Analyzing a Spoofing Attack ... 18
Topic 5: TCP Session Hijacking ... 29
  Introduction to TCP Session Hijacking ... 29
  Activity: Analyzing TCP Session Hijacking ... 31
Topic 6: Denial of Service Attacks ... 34
  Introduction ... 34
  Ping of Death ... 35
  SYN Flooding ... 36
  Teardrop, LAND, and Smurf Attacks ... 39
  Activity: Identify the DoS Attack ... 43
Topic 7: Summary ... 44
Glossary ... 45

UMUC 2012 Page 1 of 45
Topic 1: Analogy

TCP/IP: Understanding the Layers

TCP/IP Vulnerabilities Module 4

To better understand how Transmission Control Protocol/Internet Protocol (TCP/IP) is structured, it is helpful to compare TCP/IP with the U.S. Postal Service (USPS). The USPS consists of many post offices and several administrative departments spread over a wide geographic area. Each post office carries out specific functions and works both independently and in cooperation with the other post offices. Similarly, TCP/IP is divided into layers that each play a role in transferring data across the Internet. Each layer works independently, and together these layers transfer data and communication between computers.

U.S. Postal Service

Kylie Sends a Letter

Kylie writes a letter to her friend Samantha, who has recently moved to New York. She drops the letter in a local mailbox in Sacramento, California. Samantha is unaware that Kylie has written to her. However, when Samantha receives and reads the letter, she is happy to hear from Kylie. Kylie did not think about how the letter would reach New York, and Samantha did not consider how the letter arrived at her home. Both Kylie and Samantha are unaware of the underlying delivery mechanism that enabled the letter to travel from Sacramento to New York.

Address Check During Transportation

Postal employees check addresses while letters are in transit. If Kylie writes an incorrect address on the envelope and that letter arrives in New York, a postal employee will stamp the letter "address unknown" and the letter will be returned to Kylie. Kylie would remain unaware of the details of the steps taken to return the letter, and it would be up to her to decide what to do next.

Letters Move Between Cities

Since Kylie and Samantha live in two different states that are separated by thousands of miles, Kylie's letter will travel through many cities before it reaches Samantha.
Letters such as Kylie's are transported by airplanes between cities. The pilot of the airplane carrying the letters is concerned only with delivering the cargo to its destination; he or she knows nothing about the contents, senders, or recipients of the letters.

Letter Reaches Samantha

Within a city, letters are taken by trucks from airports to their destination post offices. Kylie's letter is sent to a post office in New York by a truck. Samantha finds the letter from Kylie in her mailbox, and she opens the envelope to read the letter. When Kylie wrote the letter, she used old-fashioned physical tools such as a pen and paper.
TCP/IP Protocol

Application Layer

Kylie wants to write an e-mail to Samantha. She requests a Web page from a remote Web server by typing a URL into a browser in the application layer. The server receives the request, locates the requested site on its hard drive, and sends the data back to Kylie. Kylie is unaware of how the data was delivered, whether it was transmitted over wireless connections, or how many routers it passed through. This e-mail goes through five layers, the first one being the application layer.

Transport Layer

Transport layer software establishes a connection between a client and a server and monitors the connection for errors. Transport layer software also slows transmission if data is arriving too fast for the recipient to handle. Transport layer software is not concerned with how the data is transmitted; choosing the method of transmission is the responsibility of lower-level software. There are two transport layer protocols: TCP, which is considered reliable, and User Datagram Protocol (UDP), which is fast but unreliable. If TCP tries to transmit data repeatedly and errors in the connection persist, TCP informs its "boss," the application program, of the problem.

Internet Layer

Internet layer programs move data between networks. IP software is responsible only for moving data from one point to another, regardless of the contents of the data. When the data reaches its destination local area network (LAN), the Internet layer hands the data over to the data link layer software or firmware for delivery to the intended computer.

Data Link Layer

Data link layer programs transport incoming and outgoing data within LANs. Ethernet is the most common protocol for the data link layer. A data link program is concerned solely with the transmission of data within the LAN and is not responsible for how data enters or leaves the LAN.
The responsibility for managing data entering and leaving a LAN lies with the Internet layer.

Physical Layer

Physical layer protocols specify the means of representing ones and zeros, or bits. The protocols also specify how bits should be transmitted between two points using wire, fiber, and so on. There are several types of physical layer protocols, each of which represents and transmits bits in its own way.

The e-mail that Kylie sends to Samantha passes through these five layers twice and reaches Samantha's inbox.

Breaking the Rules

In an ideal situation, each component of the postal network or the TCP/IP protocol performs its function as desired. However, there can be deviations. For example, a mail carrier might read a letter or choose not to deliver it. Similarly, on the Internet, a router may be programmed to process data packets from a competing service slowly or to intercept them. For example, routers can be programmed to send copies of packets containing certain data to a government security agency. The postal service has laws against tampering with mail. It has been recommended that network neutrality laws be implemented for the Internet to protect against the differential treatment of packets.
Topic 2: Module Introduction

The TCP/IP protocol suite has a number of inherent vulnerabilities and security flaws. These vulnerabilities are often used by attackers to launch denial of service (DoS) attacks, TCP connection hijackings, and other attacks. Most of the weaknesses in the TCP/IP suite probably exist because the protocols are outdated, having been developed in the mid-1970s. Vendors of network equipment and operating systems have made code improvements over time to defeat many of these attacks. However, some vulnerabilities continue to exist and are exploited by malicious users to disrupt and damage users and organizations.

This module explores the basics of the Domain Name System (DNS), such as its structure, query types, and zones. It also covers major TCP/IP security problems, namely DNS attacks, TCP session hijackings, and DoS attacks.
Topic 3: Domain Name System Basics

Introduction to the Domain Name System

The Domain Name System (DNS) is based on a naming system that consists of a hierarchical and logical tree structure known as the domain name space. The top-level domains within the DNS hierarchy are .com, .edu, .gov, .mil, .int, .org, and .net. Each node or branch in the DNS tree represents a unique fully qualified domain name (FQDN). The FQDN indicates the position of a domain within the tree. An FQDN consists of labels, such as IT, UMUC, and edu, separated by periods. Some examples of FQDNs are .edu, UMUC.edu, Berkeley.edu, and IT.UMUC.edu. When data is requested from a node, a host uses DNS to translate the domain name to an IP address.

DNS Hierarchy (figure)
DNS Zones

It is inefficient and unreliable to store DNS information in a single server. The solution is to distribute DNS information among many entities called DNS servers. Each DNS server is responsible, or authoritative, for large or small domains. As a result, there is a hierarchy of DNS servers similar to the hierarchy of domain names.

A DNS server stores information about, and is authoritative for, a part of the DNS called a zone. A single server may be authoritative for many zones. A zone is a portion of a domain. Each zone will have a primary name server and a secondary name server. A primary server maintains a zone file, which is a text file that describes the zone. Any updates to the zone are made on the primary server. The secondary server maintains a copy of the zone data, which is periodically transferred from the primary server. The DNS server answers any queries about the hosts in its zone.

Step 1

In this example, it is assumed that a UMUC system administrator creates two subdomains, Physics.UMUC.edu and IT.UMUC.edu, under the UMUC.edu domain. There are three authoritative DNS servers responsible for the three zones: UMUC.edu, Physics.UMUC.edu, and IT.UMUC.edu, respectively.
Step 2

The top authoritative DNS server is responsible for the UMUC.edu zone, and the two subauthoritative DNS servers are responsible for the two subzones, Physics.UMUC.edu and IT.UMUC.edu.

Step 3

The zone UMUC.edu contains only DNS information for UMUC.edu and references to the two authoritative name servers for the subdomains, Physics.UMUC.edu and IT.UMUC.edu. The system administrator or network engineer will determine how to create multiple zones and which authoritative DNS servers are responsible for one or more zones.

Step 4

For example, the IT.UMUC.edu domain name server is responsible for any queries for its Web server, www.it.umuc.edu. Generally, the domain name structure is divided into zones based on how the name space will be administered.
DNS Query Types

The two types of queries for common DNS name resolutions are recursive and iterative queries. The example below shows how recursive queries work.

How Recursive Queries Work

Step 1

A client sends a recursive query to its configured DNS server, requesting an IP address that corresponds to the name www.umuc.edu.
Step 2

The local DNS server checks its zones and does not find any zone that corresponds to the requested domain name. It then sends a query for www.umuc.edu to the root name server.

Step 3

The root name server is authoritative for the root domain. The server has information about name servers for top-level domains such as .com, .edu, .org, and others. The root name server responds with the IP address of a name server for the .edu domain.
Step 4

The local DNS server sends a query for www.umuc.edu to the name server that is authoritative for the .edu domain.

Step 5

The .edu name server responds with the IP address of the name server that is authoritative for the umuc.edu domain.
Step 6

The local DNS server sends a query for www.umuc.edu to the authoritative name server for the umuc.edu domain.

Step 7

The UMUC.edu name server replies with the IP address corresponding to the name www.umuc.edu.
Step 8

The local DNS server sends the IP address of www.umuc.edu to the client that made the request.
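The eight-step walk above, as an added example that is not code from the course module: a local DNS server accepts the client's recursive query and itself asks the root, then the .edu server, then the umuc.edu server, caching the answer for the next client. All server names, glue addresses and the address returned for www.umuc.edu are constructed placeholders.

```python
"""Walk of the eight-step recursive lookup above (added example).

Not code from the course module. The local DNS server receives a recursive
query and walks the hierarchy itself: root, then the .edu server, then the
umuc.edu server. Server names, glue addresses and the address returned for
www.umuc.edu are constructed placeholders.
"""
from typing import Dict, List, Optional, Tuple

# Constructed authoritative data. Each zone's server knows either a
# delegation (NS name plus the glue address to reach it) or an A record.
ZONES: Dict[str, Dict[str, Dict[str, str]]] = {
    ".": {"edu.": {"ns": "edu-ns.example.", "glue": "192.0.2.1"}},
    "edu.": {"umuc.edu.": {"ns": "ns1.umuc.edu.", "glue": "192.0.2.2"}},
    "umuc.edu.": {"www.umuc.edu.": {"a": "192.0.2.80"}},
}
ROOT = ("root.example.", "192.0.2.0")   # (name, address) of the root server, constructed


def normalize(name: str) -> str:
    """Lower-case the name and give it the trailing dot of a fully qualified name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def ask_server(zone: str, qname: str) -> Tuple[str, Dict[str, str]]:
    """What the server authoritative for `zone` says about `qname`.

    Returns ("answer", {"a": ip}), ("referral", {"zone", "ns", "glue"}) or
    ("nxdomain", {}). The server picks the closest enclosing name it holds,
    just as the root hands out the .edu servers for any name under .edu.
    """
    records = ZONES[zone]
    best: Optional[str] = None
    for rname in records:
        if qname == rname or qname.endswith("." + rname):
            if best is None or len(rname) > len(best):
                best = rname
    if best is None:
        return "nxdomain", {}
    rec = records[best]
    if best == qname and "a" in rec:
        return "answer", {"a": rec["a"]}
    if "ns" in rec:
        return "referral", {"zone": best, "ns": rec["ns"], "glue": rec["glue"]}
    return "nxdomain", {}


class LocalResolver:
    """The client's configured DNS server: accepts recursive queries and walks the tree."""

    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}
        self.trail: List[Tuple[str, str]] = []   # (server name, address) queried last time

    def resolve(self, name: str) -> str:
        qname = normalize(name)
        self.trail = []
        if qname in self.cache:                      # Step 2: look at local data first
            self.trail.append(("cache", ""))
            return self.cache[qname]
        zone, server = ".", ROOT
        for _ in range(8):                           # bounded so a bad delegation cannot loop
            self.trail.append(server)                # Steps 2, 4, 6: query the next server
            kind, data = ask_server(zone, qname)
            if kind == "answer":                     # Step 7: authoritative answer
                self.cache[qname] = data["a"]
                return data["a"]                     # Step 8: relay the address to the client
            if kind == "referral":                   # Steps 3, 5: follow the delegation
                zone, server = data["zone"], (data["ns"], data["glue"])
                continue
            raise LookupError(f"{name}: no such name")
        raise LookupError(f"{name}: too many referrals")
```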
Topic 4: Domain Name System Attacks

DNS Spoofing

Every DNS query has a unique identification number known as a transaction ID. The transaction ID allows the recipient of the response to identify the corresponding query. When a reply arrives from a remote host with the matching UDP or TCP port number, IP address, and transaction ID, the recipient accepts the DNS reply.

In a DNS spoofing attack, an attacker uses spoofed or fake DNS replies to direct a victim to a malicious Web site or device. This example looks at how an attacker launches a DNS spoofing attack on a network. It is assumed that both the target and the attacker are on the same LAN.

Example of a DNS Spoofing Attack

Step 1

The target sends a query to the DNS server to resolve www.umuc.edu to an IP address. A cache entry for the IP address of www.umuc.edu does not exist in the target's Address Resolution Protocol (ARP) table. The responses to previous ARP requests are cached in the ARP table. Every PC caches an ARP table in its local file system. In this example, it is assumed that the target's ARP table is empty at the beginning. The attacker observes the DNS query that the target has made.
Step 2

Before the original DNS reply arrives, the attacker sends a spoofed DNS reply to the target. The spoofed reply has the same transaction ID used by the target. In the spoofed DNS reply, the IP address of the malicious device, such as the attacker's Web server, is included.

Step 3

The target uses the IP address provided in the spoofed DNS reply and accesses the malicious Web site instead of www.umuc.edu.
DNS Cache Poisoning

Jamie is accessing a golf Web site from his office computer. Sarah, a hacker, has initiated a DNS cache poisoning attack against the company's DNS server. Using the DNS cache poisoning attack, Sarah is able to maliciously modify entries in the DNS server of Jamie's company. As a result, Jamie's computer receives a reply from the company server containing the IP addresses of the malicious hosts. Since Sarah is on a network different from the network of Jamie's company, she cannot observe the transaction ID that Jamie uses.

Step 1

Sarah has sent a series of bogus DNS queries to the DNS server of Jamie's company. Sarah sends spoofed responses to the company's DNS server before the Web site's DNS replies reach the company's DNS server. Sarah creates the spoofed responses using transaction IDs that she guesses. She hopes to guess the correct transaction ID by sending an increasing number of simultaneous queries, with different transaction IDs, that the server has to resolve.

DNS Cache Poisoning

Here is an explanation of the first step in a DNS cache poisoning attack. It is assumed that the DNS server for Jamie's company has an ARP table that is initially empty. Sarah first sends a DNS query to the company's DNS server. Unable to find a matching cache entry in its ARP table, the server sends the query to another DNS server with a DNS transaction ID. Immediately, Sarah sends a spoofed DNS reply to the company's DNS server with a guessed transaction ID that tries to match the ID it sent earlier. She sends spoofed replies until the transaction ID matches the ID used by the company's DNS server.

Step 2
The spoofed DNS replies from the attacker to the DNS server are successful. The DNS replies from the legitimate DNS server are rejected.

Step 3

Jamie types a URL in his browser, sending a request to his company's DNS server for a Web page. Jamie's computer receives a DNS reply with a bogus IP address from the compromised company DNS server.
Step 4

Jamie's computer is directed to a malicious device set up by Sarah at the bogus IP address.
Activity: Analyzing a Spoofing Attack

Introduction

A DNS spoofing attack is often difficult to detect, and the victim is unwittingly directed to a malicious Web site that an attacker can use to gain confidential information or to infect the user's computer.

Ernest and Sons LLC is a reputable law firm based in New Jersey. An Internet hacker is seeking to direct unsuspecting users on the company's network to a malicious Web page. What are the signs that a system administrator at Ernest and Sons should look out for to determine whether the company's network is the target of a spoofing attack?

Workspace

Review the details of the spoofing attack on the Ernest and Sons network, then answer each question below.

Attack Details

The LAN of Ernest and Sons is shown below. The following steps show how the attacker launches the DNS spoofing attack.

Step 1

A user on the Ernest and Sons LAN is trying to access the Web site www.umuc.edu. The ARP spoofing attack causes the victim's DNS request for the IP address of www.umuc.edu to be forwarded to the attacker's host.
Step 2

The attacker provides a spoofed DNS response to make the victim's computer believe the response is coming from the desired host. The response includes the IP address, 192.168.195.130, of the malicious Web server that the hacker has set up.

Step 3

The victim makes an HTTP Web request to the malicious Web server, believing it is the UMUC Web server.
Step 4

The server set up by the hacker returns a malicious Web page to the victim.

Question 1: Which one of the following screenshots indicates the DNS request sent by the victim?

a. Screenshot A

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
b. Screenshot B

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answer: Option b

Feedback: The source IP address 192.168.195.133 and the MAC address 00-0C-29-28-85-76 shown in the screenshot are those of the victim. Because of the ARP spoofing attack, the MAC address cached for the gateway in the victim's ARP table has been changed to the attacker's. As a result, the victim uses the right destination IP address, 192.168.195.2, which is the IP address of the gateway, but with the polluted destination MAC address, 00-0C-29-48-03-59, that is cached in the victim's ARP table.
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
Question 2: Here is a screenshot of the victim's DNS request. What is the DNS transaction ID used in the DNS request?

a. 0x54ac
b. 0xe161
c. 0x0100

Screenshot

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answer: Option b
Feedback: The DNS transaction ID 0xe161 is displayed in the DNS header in the screenshot. This transaction ID uniquely identifies the DNS query and its response.

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
Question 3: Here is a screenshot of the attacker's DNS response. Which aspect of the response is suspicious?

a. The destination MAC address used by the attacker is suspicious.
b. The TCP sequence number used by the attacker is suspicious.
c. The value of the DNS transaction ID is too small.
d. The source MAC address used by the attacker is suspicious.
e. None of the above; the DNS response is normal.

Screenshot

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answer: Option d
Feedback: The source MAC address 00-0C-29-48-03-59 does not match the source IP address 192.168.195.2, which is the IP address of the gateway router. The source MAC address actually belongs to the attacker.

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Review

The attacker successfully launched a DNS spoofing attack on the Ernest and Sons network. The following animation depicts the queries and responses exchanged by the victim and the malicious Web server.

The Attack on the Ernest and Sons Network

As a result of the DNS spoofing attack, the victim unknowingly makes an HTTP Web request to the malicious Web server.
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

The malicious Web server set up by the attacker sends an HTTP response to the victim.

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
As a result, the following message is displayed in the victim's Web browser.

Further Challenges

Do you think a network intrusion detection system (IDS) can detect a discrepancy between an IP address and the corresponding MAC address? For example, will the IDS detect that the victim's machine is using the attacker's MAC address together with the gateway's IP address when sending a request?
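The checks an IDS could apply to the exchange analyzed in this activity, written here as an added example (not code from the course module, which only shows Wireshark captures). The code parses the DNS header and question from raw bytes, remembers each query's transaction ID and validates replies against it (the defense against the spoofed and guessed replies in the two preceding sections), and compares each frame's IP/MAC pair with a table of known bindings, which answers the Further Challenges question. The victim, gateway and attacker addresses and the transaction ID 0xe161 are the activity's; the gateway's real MAC is never shown, so a constructed placeholder is used.

```python
"""DNS reply validation for the activity above (added example, not the module's code).

Parses the DNS header and question from raw bytes, records each query's
transaction ID, validates every reply against the query it claims to answer,
and compares each frame's IP/MAC pair with known bindings (the discrepancy the
Further Challenges question asks about). Victim, gateway and attacker addresses
are the activity's; the gateway's real MAC is never shown, so it is constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GATEWAY_IP, GATEWAY_MAC = "192.168.195.2", "00-0c-29-00-00-01"   # MAC constructed
VICTIM_IP, VICTIM_MAC = "192.168.195.133", "00-0c-29-28-85-76"
ATTACKER_MAC = "00-0c-29-48-03-59"      # source MAC seen on the spoofed reply
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """www.umuc.edu -> 3 'www' 4 'umuc' 3 'edu' 0, the DNS label encoding."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Read labels at off, following 0xC0 compression pointers; returns (name, next offset)."""
    labels, end, jumped = [], off, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                  # pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_dns(txid: int, qname: str, answer_ip: Optional[str] = None) -> bytes:
    """Minimal A query (flags 0x0100, as in Question 2) or A answer (flags 0x8180)."""
    flags, ancount = (0x8180, 1) if answer_ip else (0x0100, 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        # answer name = pointer to offset 12 (the question name); then type, class, TTL, rdlength
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4) + rdata
    return msg


def parse_dns(buf: bytes) -> dict:
    """Header, first question and any A-record answers of a DNS message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    qname, off = decode_name(buf, 12)
    qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        _, off = decode_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(".".join(str(b) for b in buf[off:off + 4]))
        off += rdlen
    return {"id": txid, "qr": bool(flags & 0x8000), "qname": qname,
            "qtype": qtype, "answers": answers}


@dataclass
class Frame:
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str
    dns: bytes          # UDP payload


class DnsWatch:
    """Passive checker: link-layer bindings plus transaction-ID matching."""

    def __init__(self, bindings: Dict[str, str]) -> None:
        self.bindings = {ip: mac.lower() for ip, mac in bindings.items()}
        self.pending: Dict[int, Tuple[str, str]] = {}   # txid -> (client IP, qname)

    def observe(self, f: Frame) -> List[str]:
        alerts = []
        for role, ip, mac in (("source", f.src_ip, f.src_mac), ("destination", f.dst_ip, f.dst_mac)):
            known = self.bindings.get(ip)
            if known and known != mac.lower():
                alerts.append(f"{role} MAC {mac} is not the known MAC of {ip}")
        msg = parse_dns(f.dns)
        if not msg["qr"]:                           # query: remember its ID and question
            self.pending[msg["id"]] = (f.src_ip, msg["qname"])
            return alerts
        pend = self.pending.pop(msg["id"], None)     # reply: must match an open query
        if pend is None:
            alerts.append(f"reply 0x{msg['id']:04x} matches no outstanding query")
        elif pend != (f.dst_ip, msg["qname"]):
            alerts.append(f"reply 0x{msg['id']:04x} answers a different query")
        return alerts
```

Run against the activity's frames, the victim's query is flagged for its destination MAC (Question 1) and the spoofed reply for its source MAC (Question 3), while a reply carrying a guessed transaction ID is flagged because no query with that ID is outstanding.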
Topic 5: TCP Session Hijacking

Introduction to TCP Session Hijacking

If an attacker can predict or sniff a TCP sequence number that a target and its communication partner use, then the attacker can hijack the established TCP connection. When the session is hijacked, the attacker can assume the identity of the compromised user and access the resources stored on the communication partner as the compromised user. Here is a simple example of a TCP session hijack that takes place within a LAN.

An Example of a TCP Session Hijacking Attack

Step 1

An attacker monitors TCP packets between Host A and Host B. Host B is the target.
Step 2

The attacker jumps into the exchanged communication, sending TCP packets to Host B by:

a. Forging the source IP address (the IP address of Host A) of the TCP packets. The source IP address of the bogus packet becomes 192.168.1.1.
b. Embedding the IP address of Host B in the bogus packet, making the destination IP address of the bogus packet 192.168.2.2.
c. Forging the TCP sequence number of the TCP packets, which is the TCP sequence number that Host B expects to see. Since Host B expects to see the sequence number 10045, the TCP sequence number of the bogus packet becomes 10045. The acknowledgement number of the bogus packet becomes 20020, since the packet previously sent by Host B has 20000 as its TCP sequence number and the length of that packet is 20 (20000 + 20 = 20020).
Activity: Analyzing TCP Session Hijacking

This activity shows a simple TCP/IP hijacking attack in which an attacker hijacks an established Telnet (TCP) connection between two hosts and injects an authentic-looking reset (RST) packet to disrupt the connection.

Attack Details

In the attack, the target client makes a Telnet connection to the Linux server and executes a Linux command through the Telnet connection. The attacker is listening to the communication between the server and the client. At some point, after the client has authenticated to the server, the attacker hijacks the TCP connection and injects an RST packet to reset the connection.
Activity

The packet shown in the screenshot is the last packet of the active TCP connection between the client and server before the attacker launches a TCP reset attack. It shows that the packet is sent from the server, 192.168.195.130, to the client, 192.168.195.128. Then the attacker, 192.168.195.133, hijacks and resets this connection.

Question: Based on the details in the screenshot, what are the source IP address, source MAC address, and TCP sequence number of the reset frame sent to the Telnet client by the attacker?

a. Source IP: 192.168.195.133; Source MAC: 00-0C-29-28-85-76; TCP sequence: 2364602049
b. Source IP: 192.168.195.130; Source MAC: 00-0C-29-33-73-46; TCP sequence: 2364602050
c. Source IP: 192.168.95.130; Source MAC: 00-0C-29-28-85-76; TCP sequence: 2364602050

Screenshot

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answer: Option c

Feedback: To hijack the active connection between the server and the client, the attacker must send an IP packet with a valid TCP sequence number and source IP address. For the RST, the attacker must use the TCP sequence number of the active connection. Since 2364602049 is the TCP sequence number of the last packet, the correct TCP sequence number is 2364602050. Also, the attacker should use the source IP address of the current connection, 192.168.195.130. Finally, the MAC address cannot be forged, since the frame must originate from the attacker.
Thus, the MAC address must be the attacker's, which is 00-0C-29-28-85-76. The actual frame is shown below:

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
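The sequence accounting from Step 2 of the hijacking example, carried out by a passive monitor as an added example (not code from the course module). A monitor that sees both directions of a connection can compute the sequence and acknowledgement numbers the next legitimate segment from each side must carry (the module's 20000 + 20 = 20020), and can therefore flag a segment that carries exactly those numbers but comes from a link-layer address the connection has not used, which is the situation the feedback above describes. Host addresses and sequence numbers are the module's; the MAC addresses of Host A, Host B and the Telnet server are constructed placeholders.

```python
"""Sequence accounting from Step 2 of the hijacking example, as a monitor.

Added example, not code from the course module. Host addresses and sequence
numbers come from the module; the MACs of the legitimate hosts are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEQ_MOD = 1 << 32


@dataclass
class Segment:
    src_mac: str
    src_ip: str
    dst_ip: str
    seq: int
    ack: int
    payload_len: int
    flags: str = "ACK"      # space-separated: "SYN", "ACK", "PSH", "FIN", "RST"


class FlowTracker:
    """State for one connection between two IP addresses, seen from the wire."""

    def __init__(self, ip_a: str, ip_b: str) -> None:
        self.ips = (ip_a, ip_b)
        self.next_seq: Dict[str, int] = {}    # ip -> seq its peer expects next from it
        self.mac_of: Dict[str, str] = {}      # ip -> MAC it was first seen sending from

    def peer(self, ip: str) -> str:
        return self.ips[1] if ip == self.ips[0] else self.ips[0]

    def expected(self, sender: str) -> Tuple[Optional[int], Optional[int]]:
        """(seq, ack) the next in-order segment from `sender` should carry."""
        return self.next_seq.get(sender), self.next_seq.get(self.peer(sender))

    def observe(self, s: Segment) -> List[str]:
        alerts: List[str] = []
        flags = s.flags.split()
        first_mac = self.mac_of.setdefault(s.src_ip, s.src_mac.lower())
        foreign = first_mac != s.src_mac.lower()
        if foreign:
            alerts.append(f"{s.src_ip} now sends from {s.src_mac}; first seen from {first_mac}")
        exp = self.next_seq.get(s.src_ip)
        if exp is not None and s.seq != exp:
            alerts.append(f"seq {s.seq} from {s.src_ip} is not the expected {exp}")
        if foreign and exp is not None and s.seq == exp:
            # Exactly the numbers the peer will accept, but not from the host that owns them.
            alerts.append(f"in-window {' '.join(flags)} from a foreign MAC: hijack indicator")
        if "RST" in flags:
            return alerts                      # a reset consumes no sequence space
        consumed = s.payload_len + ("SYN" in flags) + ("FIN" in flags)
        self.next_seq[s.src_ip] = (s.seq + consumed) % SEQ_MOD
        return alerts
```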
Topic 6: Denial of Service Attacks

Introduction

System resources such as network bandwidth, the number of connections a server can properly handle, CPU usage, and memory are finite and limited. Any attack designed to render a computer resource unavailable to its intended users and unable to perform its basic functionality is known as a denial of service (DoS) attack.

For example, a Web server needs a minimum amount of network bandwidth to function properly. In addition, it has a maximum number of connections it can maintain, based on its CPU and memory limits. If the server reaches its resource limit, additional connections are rejected and some potential clients are not able to access the server. In a DoS attack, an attacker can create a flood of server requests, causing the targeted server to reject any further requests. This is a "denial of service" because users cannot access a resource.

Attack Symptoms

The following are possible symptoms of a DoS attack:

- Unusually slow network performance, such as difficulty accessing files or Web sites
- Unavailability of a particular Web site, or of any Web site
- A dramatic increase in the amount of spam in the user's mailbox
Ping of Death

A ping of death attack is one of the earliest types of DoS attacks. The ping of death is especially effective on systems running Windows 95, Windows 98, Linux 6.0, or any earlier operating system. This attack uses an oversized ICMP packet to create a DoS effect.

The maximum allowable size of an IP packet is 65535 bytes. An Internet Control Message Protocol (ICMP) echo request is an IP packet with an ICMP header. An IP header has a size of 20 bytes and the ICMP header is 8 bytes. This means that the data portion of an ICMP packet cannot be larger than 65507 bytes.

A ping of death attack exploits the following facts:

- Many ping implementations allow a user to specify a packet size larger than 65507 bytes because of the way IP fragmentation is performed. An attacker can specify an ICMP data packet with a size larger than 65507 bytes and then divide the packet into pieces.
- Many early computer systems could not handle a ping of death packet larger than the maximum IP packet size of 65535 bytes. When the recipient system reassembles the packet, it is too big for the receiver's buffer, and the receiving host crashes, reboots, or freezes.

What is malicious about this attack is that a huge IP packet can be transmitted to a target network via IP fragmentation and cause a victim machine to crash.

Attack Details

The ping command and the host IP address are typed on a Linux or Windows computer in the Run dialog box. An example of a ping command would be ping -n 100 60000 192.168.10.2.

Explanation: 100 ICMP packets with a size of 60,000 bytes each are transmitted to the IP address 192.168.10.2. Each ICMP packet is fragmented into several pieces during transmission.
SYN Flooding

An SYN flood attack is an early form of DoS attack. The attack creates disruptions and slows connections by exploiting the three-way handshake used to establish TCP connections. In a TCP three-way handshake, a client sends an SYN request to a server or network resource to initiate the connection. The server or network resource responds with an SYN-ACK back to the client. Finally, the client responds with an ACK to the server to complete the handshake and establish the connection.

Steps in an SYN Flood Attack

Step 1

An attacker sends a large number of SYN packets to a victim server to initiate three-way handshakes. The SYN packets usually have randomly generated, spoofed source addresses.
Step 2

The server sends numerous SYN-ACK responses to the spoofed IP addresses.

Step 3

The attacker does not send the corresponding ACK packets to the server. This omission creates a large number of half-open connections.
Step 4

The attacker keeps sending SYN packets with spoofed source IP addresses until the server reaches its resource limit.
Teardrop, LAND, and Smurf Attacks

Teardrop Attack

In a normal TCP packet transmission, a packet is fragmented into three different packets: packet 1, packet 2, and packet 3. Each fragment has the proper offset value in its IP header. In a teardrop attack, an attacker sends fragments with invalid, overlapping values in the offset field of the IP header.

Attack Details

In the diagram, the normal transmission has packets with sequence numbers that begin and end correctly. In an abnormal packet transmission, the attacker has set the offset value in the IP header so that the first 20 bytes of packet 2 overlap with the last 20 bytes of packet 1. The data bytes from 170 to 210 are deliberately not transmitted, in order to confuse the receiver.

LAND Attack

In a local area network denial (LAND) attack, an attacker sends a TCP SYN packet to the target machine that uses the target's address as both the source and the destination address. The attack causes the targeted machine to reply to itself continuously and eventually crash.

Smurf Attack

Smurf attacks are directed at a single target in a distributed way to crash the target. The attack needs three main components: the attacker's computer, a target host, and packet amplifiers.

Step 1

To run a Smurf attack, an attacker must discover a network to which ICMP request packets can be broadcast. The network, referred to as an amplifier, should be able to respond with ICMP reply messages to the target address on a different network.
Step 2

Once an attacker discovers an amplifier network, a broadcast ICMP request is sent to the amplifier network. The source address of the broadcast ICMP request is forged to be the address of the target.

Step 3

The hosts on the amplifier network respond to the broadcast ICMP request and send ICMP reply messages to the target address.
Step 4

The target server or host is inundated with the ICMP reply messages from the amplifier network.
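The reassembly checks that defeat both the ping of death (earlier in this topic) and the teardrop attack above, as an added example that is not code from the course module. Each IP fragment is modelled by its offset in 8-byte units (as in the IP header), its payload length and its More Fragments flag; a fragment set is rejected when the reassembled datagram would exceed 65535 bytes, or when pieces overlap or leave a hole. The 65535/20/8 figures and the 20-byte overlap are the module's; the fragment values are constructed.

```python
"""Reassembly checks for the ping of death and teardrop cases (added example).

Not code from the course module. The size constants are the module's; the
fragment sets exercised in the usage below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_IP_DATAGRAM = 65535
IP_HDR, ICMP_HDR = 20, 8
MAX_PING_DATA = MAX_IP_DATAGRAM - IP_HDR - ICMP_HDR    # 65507 bytes


@dataclass
class Fragment:
    ident: int          # IP identification, shared by all pieces of one datagram
    offset: int         # fragment offset field, in units of 8 bytes
    payload_len: int    # bytes following the IP header in this piece
    more: bool          # More Fragments flag

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:          # exclusive
        return self.start + self.payload_len


def fragment_ping(data_len: int, mtu: int = 1500, ident: int = 1) -> List[Fragment]:
    """Split an ICMP echo request carrying data_len bytes the way a sender's IP layer does.

    The sender never checks the 65507 limit; that is the ping-of-death weakness.
    """
    total = ICMP_HDR + data_len
    per_piece = (mtu - IP_HDR) // 8 * 8          # every piece but the last is 8-byte aligned
    pieces, pos = [], 0
    while pos < total:
        n = min(per_piece, total - pos)
        pieces.append(Fragment(ident, pos // 8, n, pos + n < total))
        pos += n
    return pieces


def check_fragments(frags: List[Fragment]) -> Optional[str]:
    """None if the set reassembles cleanly, otherwise the reason to drop it."""
    if not frags:
        return "empty fragment set"
    if len({f.ident for f in frags}) != 1:
        return "fragments belong to different datagrams"
    ordered = sorted(frags, key=lambda f: f.start)
    if ordered[-1].more:
        return "incomplete: no final fragment"
    total = IP_HDR + max(f.end for f in ordered)
    if total > MAX_IP_DATAGRAM:                  # the receiver-side check early systems lacked
        return f"reassembled datagram would be {total} bytes, over {MAX_IP_DATAGRAM}: ping of death"
    pos = 0
    for f in ordered:                            # walk the claimed byte ranges in order
        if f.start < pos:
            return f"fragment at {f.start} overlaps data already received up to {pos}: teardrop"
        if f.start > pos:
            return f"hole between byte {pos} and byte {f.start}: incomplete or teardrop"
        pos = f.end
    return None
```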
Activity: Identify the DoS Attack

Question: Review the screenshot and determine the type of DoS attack it illustrates.

a. Ping of death
b. SYN flood
c. Teardrop
d. LAND attack

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answer: Option b

Feedback: The screenshot shows that numerous SYN packets with different source addresses are sent to the single host with the IP address 192.168.195.130. Therefore, the attack is an SYN flooding attack.
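Half-open connection accounting for the SYN flood shown in this activity (Steps 1 to 4 of the SYN Flooding section), as an added example that is not code from the course module. A tracker records every SYN that has not been completed by the client's ACK or abandoned with a RST, counts half-open connections per server, and alerts when both that count and the number of distinct client addresses pass a threshold, which is the pattern the capture shows for 192.168.195.130. The same tracker rejects a SYN whose source equals its destination (the LAND attack) before it is counted. All packet records are constructed; the thresholds are illustrative choices.

```python
"""Half-open connection accounting for a SYN flood, with the LAND check.

Added example, not code from the course module. All packet records built
here are constructed; thresholds are illustrative.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Key = Tuple[str, int, str, int]      # client IP, client port, server IP, server port


@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str        # "SYN", "SYN ACK", "ACK" or "RST"


class SynTracker:
    def __init__(self, threshold: int = 50, min_sources: int = 10) -> None:
        self.threshold, self.min_sources = threshold, min_sources
        self.half_open: Dict[str, Set[Key]] = {}   # server IP -> handshakes awaiting the ACK

    def half_open_count(self, server_ip: str) -> int:
        return len(self.half_open.get(server_ip, ()))

    def process(self, p: Pkt) -> List[str]:
        fwd: Key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev: Key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if p.flags == "SYN":                            # Step 1: handshake opened
            if p.src_ip == p.dst_ip and p.src_port == p.dst_port:
                return [f"LAND: SYN from {p.src_ip}:{p.src_port} to itself, dropped"]
            self.half_open.setdefault(p.dst_ip, set()).add(fwd)
            server = p.dst_ip
        elif p.flags == "ACK":                          # third step: client completes it
            self.half_open.get(p.dst_ip, set()).discard(fwd)
            server = p.dst_ip
        elif p.flags == "RST":                          # either side abandons the attempt
            self.half_open.get(p.dst_ip, set()).discard(fwd)
            self.half_open.get(p.src_ip, set()).discard(rev)
            server = p.dst_ip
        else:                                           # SYN ACK: Step 2, no state change
            server = p.src_ip
        pending = self.half_open.get(server, set())
        sources = {k[0] for k in pending}
        if len(pending) >= self.threshold and len(sources) >= self.min_sources:
            return [f"SYN flood suspected: {len(pending)} half-open connections to "
                    f"{server} from {len(sources)} sources"]
        return []


def synthetic_flood(server_ip: str, count: int, port: int = 80) -> List[Pkt]:
    """Constructed flood: one SYN each from `count` distinct spoofed addresses, never acknowledged."""
    return [Pkt(f"10.{i // 65536 % 256}.{i // 256 % 256}.{i % 256}", 1024 + i % 60000,
                server_ip, port, "SYN") for i in range(count)]


def replay(tracker: SynTracker, packets: List[Pkt]) -> List[str]:
    """Feed packets through the tracker and collect every alert raised."""
    alerts: List[str] = []
    for p in packets:
        alerts.extend(tracker.process(p))
    return alerts
```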
Topic 7: Summary

We have come to the end of Module 4. The key concepts covered in this module are listed below.

- The Transmission Control Protocol/Internet Protocol (TCP/IP) protocol is divided into multiple layers: application, transport, Internet, data link, and physical.
- The Domain Name System (DNS) consists of a hierarchical structure of nodes and domains that determines the position of a domain within the system.
- The DNS structure for an organization is determined based on which domains require independent administration.
- Two of the key DNS attacks are DNS spoofing and DNS cache poisoning.
- In a TCP session hijacking, an attacker predicts or sniffs the TCP sequence number used between the target and a host to hijack the communication and gain unauthorized access to the target.
- A ping of death attack is a type of denial of service (DoS) attack in which the attacker sends an oversized Internet Control Message Protocol (ICMP) packet to the target that causes the target to freeze, crash, or reboot.
- In an SYN flood attack, an attacker sends numerous SYN requests to a server and then does not complete the three-way handshake, resulting in pending requests to the server that cause a denial of service.
- Teardrop, local area network denial (LAND), and Smurf are some other commonly used DoS attacks.
Glossary

ARP Table: An ARP table is a short-term memory of all the IP addresses and MAC addresses that a device has already matched. The ARP table helps to avoid having to repeat ARP requests for devices that have been communicated with earlier.

DNS: The Domain Name System (DNS) is a protocol that translates a computer's domain name into an IP address.

Echo Request: An echo request is an Internet Control Message Protocol (ICMP) request that expects to receive an echo, or identical reply.

FQDN: A fully qualified domain name (FQDN) is a domain name that exactly specifies its position within the hierarchy of the Domain Name System (DNS).

ICMP: Internet Control Message Protocol (ICMP) is a protocol that sends error messages or query messages.

MAC Address: A Media Access Control (MAC) address is a unique identifying code assigned to every piece of hardware that accesses the Internet.

TCP: The Transmission Control Protocol (TCP) is one of the core protocols of the Internet and enables the reliable transfer of data bytes across the Internet.

UDP: The User Datagram Protocol (UDP) is one of the core protocols of the Internet that enables computers to send datagrams to other systems over the Internet without requiring prior communication channels to be established.