Feleke Comp Network Security Part 3

The document discusses various attacks on TCP/IP networks and methods of mitigating them. It outlines attacks at different layers of the TCP/IP model including ARP attacks at the link layer, IP spoofing and sniffing at the network layer, and transport layer attacks. The document also discusses security services and protocols that can help defend against these attacks, such as IPsec at the network layer and SSL/TLS at the transport layer.

Uploaded by: Abni boo

Attacks on TCP/IP Networks & Attack Mitigation

Source: Feleke Merin (Dr.-Engr.), Senior Asst. Professor
Outline
• Network Security services
• Types of attacks
• Network Security/Protocols and vulnerabilities
• Attacks on TCP/IP Networks
• ARP attack
• Network Layer: IP security (IPSec)
• Transport layer attacks
• Application layer attacks



Computer Network Security



Computer Network Security
• Security Services
 Confidentiality
 Authentication
 Integrity
 Non Repudiation
 Access Control
 Availability
Computer Network Security

• Introduction
• In today’s highly networked world, we can’t talk of computer security without talking of network security.
• Focus is on:
 Internet/Intranet security (TCP/IP based networks)
 Attacks that use security holes of the network protocol and
 their defense mechanisms



Computer Network Security
• Applications, systems, and networks can be made secure through the use of security protocols, which provide a wide range of encryption and authentication services.
• Each security protocol is placed within several layers of a computing infrastructure, that is, the network, transport, and application layers.



Computer Network Security
TCP/IP Layering (figure; credit: Levente Buttyán)

application : HTTP, FTP, DNS, SMTP, SNMP, ...
transport   : TCP, UDP
network     : ICMP, IP, IGMP
link        : ARP, RARP, hardware interface
Computer Network Security

• Application specific security services
 Embedded within a specific application
 Best examples are SET (Secure Electronic Transaction) on top of HTTP and MIME on SMTP.



Computer Network Security

• Security just above TCP
 SSL: Secure Socket Layer
 TLS: Transport Layer Security
 SSL/TLS could be provided as part of the underlying protocol suite => transparent to applications
 Alternatively, can be embedded into applications
 Example: Netscape and Microsoft Explorer browsers are equipped with SSL



Computer Network Security

Attacks on TCP/IP Networks

• TCP/IP was designed to be used by a trusted group of users
• The protocols are not designed to withstand attacks
• The Internet is now used by all sorts of people
• Attackers exploit vulnerabilities of every protocol to achieve their goals
• The next slides show some attacks at each layer of the TCP/IP stack



Types of Network Security Attacks

• Spoofing attack: a situation in which one person or program successfully imitates another by falsifying data and thereby gains an illegitimate advantage.
 IP spoofing
 Putting a wrong IP address in the source IP address field of an IP packet
 DNS spoofing
 Changing the DNS information so that it directs to a wrong machine



Types of Network Security Attacks

• URL spoofing/Webpage phishing
 A legitimate web page such as a bank's site is reproduced in "look and feel" on another server under control of the attacker
 This technique often directs users to enter detailed information at a fake website which appears almost identical to the legitimate one.



Types of Network Security Attacks

• Popular methods of phishing are:
 Sending a legitimate-looking email containing a link to the fake website.
 Registering a fake website with a misspelled URL of a popular website (www.microsoft.com vs. www.microshoft.com) or a different domain (www.whitehouse.gov vs. www.whitehouse.com)



Types of Network Security Attacks

• ARP cache poisoning:
 – In this attack, an attacker uses spoofed ARP messages in a LAN to associate a MAC address and an IP address in a malicious way.
 – Attackers can launch a DoS attack against a victim by associating a nonexistent MAC address with the IP address of the victim’s default gateway.



Types of Network Security Attacks
• Link Layer: ARP spoofing (figure: hosts .1 to .5 on network 140.252.13)

Request: a host (eth 08:00:20:03:F6:42) broadcasts
  arp req | target IP: 140.252.13.5 | target eth: ?

Reply: a host with eth 00:34:CD:C2:9F:A0 answers for .5
  arp rep | sender IP: 140.252.13.5 | sender eth: 00:34:CD:C2:9F:A0

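A defender-side check for the poisoning shown in the figure, added here as an example and not code from the slides: it learns the first IP-to-MAC binding seen for each address and flags any later reply that claims the same IP from a different MAC. The ArpReply record and the sample trace are constructed, and which MAC legitimately owns each host is assumed for the sample.

```python
# Added example, not from the slides: an arpwatch-style detector that learns
# the first IP -> MAC binding seen for each address on the LAN and flags any
# later ARP reply claiming the same IP from a different MAC, the symptom of
# the spoofed reply in the figure. Record layout and sample trace are
# constructed; the MAC assigned to each host is assumed for the sample.
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str


@dataclass
class ArpWatch:
    bindings: dict = field(default_factory=dict)  # ip -> first MAC seen
    alerts: list = field(default_factory=list)    # (ip, known_mac, new_mac)

    def observe(self, reply: ArpReply) -> bool:
        """Learn or check one reply; True when it conflicts with a binding."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac           # first sighting: learn it
            return False
        if known == mac:
            return False                      # consistent re-announcement
        self.alerts.append((ip, known, mac))  # same IP, different MAC
        return True


# Constructed trace modelled on the figure's 140.252.13 segment: address .5
# is first announced by one MAC, then re-announced by 00:34:CD:C2:9F:A0,
# which is exactly what a poisoning reply looks like on the wire.
SAMPLE_REPLIES = [
    ArpReply("140.252.13.5", "00:00:C0:C2:9B:26"),
    ArpReply("140.252.13.1", "08:00:20:03:F6:42"),
    ArpReply("140.252.13.5", "00:00:C0:C2:9B:26"),  # repeat, no conflict
    ArpReply("140.252.13.5", "00:34:CD:C2:9F:A0"),  # conflicting reply
]


def run_watch(replies=SAMPLE_REPLIES) -> list:
    """Feed a trace through the detector and return the alerts raised."""
    watch = ArpWatch()
    for reply in replies:
        watch.observe(reply)
    return watch.alerts


if __name__ == "__main__":
    for ip, old, new in run_watch():
        print(f"ALERT {ip}: {old} -> {new}")
```

A real deployment would seed the bindings from a known-good inventory rather than trusting the first reply seen, since an attacker who answers first is learned as legitimate.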


Types of Network Security Attacks

ICMP: Internet Control Message Protocol
• Used by hosts & routers to communicate network-level information
 error reporting: unreachable host, network, port, protocol
 echo request/reply (used by ping)
• Network layer “above” IP: ICMP msgs are carried in IP datagrams



Types of Network Security Attacks
• ICMP message: type, code, plus the first 8 bytes of the IP datagram causing the error

Type  Code  Description
0     0     echo reply (ping)
3     0     dest. network unreachable
3     1     dest. host unreachable
3     2     dest. protocol unreachable
3     3     dest. port unreachable
3     6     dest. network unknown
3     7     dest. host unknown
4     0     source quench (congestion control - not used)
8     0     echo request (ping)
9     0     route advertisement
10    0     router discovery
11    0     TTL expired
12    0     bad IP header
Types of Network Security Attacks

Network Layer: IP Vulnerabilities

• Packet Sniffing: consists of capturing packets from the network traffic and extracting information, which can help attackers for further malicious acts.
– Information such as the source and destination IP can be used for traffic analysis.
– Packets can also provide sensitive information, like username and password, database contents…

• IP Spoofing: The attacker takes up the IP address of a trusted host and pretends to be that host.
– This may exempt the attacker from security checks.



Types of Network Security Attacks
Network Layer: IP Vulnerabilities
• Ping of Death: The attacker sends maximum-length fragmented ICMP packets.
– The receiver defragments the packets.
– The defragmentation leads to a packet whose size is more than the maximum ICMP packet size (65535 bytes).
– The result is a system crash due to buffer overflow, leading to DoS.

• Smurf: The attacker sends a multicast/broadcast ICMP echo request to a group of users using the victim’s IP address as the source.
– Receiving the multicast, the hosts respond to the victim, which becomes congested and cannot respond to any more requests.
– The victim’s computer is flooded with traffic, leading to DoS.
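The receiver-side check that defeats the Ping of Death, added here as an example and not code from the slides: because the IPv4 fragment offset is counted in 8-byte units and the total length is a 16-bit field, a reassembler can reject any fragment whose offset plus payload would push the datagram past 65535 bytes before writing into its buffer. The fragment tuples are constructed and a 20-byte header without options is assumed.

```python
# Added example, not from the slides: the receiver-side check that defeats the
# Ping of Death. IPv4 stores the fragment offset in 8-byte units (13 bits) and
# the total length in 16 bits, so a fragment whose offset*8 + payload length
# plus header would exceed 65535 bytes can never be part of a legal datagram;
# a reassembler must drop it rather than write past a 64 KiB buffer.
# Fragment tuples below are constructed; a 20-byte header is assumed.
MAX_IP_DATAGRAM = 65535
IP_HEADER_LEN = 20


def fragment_end(offset_units: int, payload_len: int) -> int:
    """Byte index just past this fragment's payload in the reassembled data."""
    return offset_units * 8 + payload_len


def inspect_fragments(fragments):
    """fragments: iterable of (offset_units, more_fragments, payload_len).

    Returns (verdict, reassembled_payload_length) where verdict is:
      'drop'       a fragment would push the datagram beyond 65535 bytes
      'incomplete' no fragment with more_fragments == 0 was seen
      'ok'         the datagram reassembles within the legal size
    """
    end = 0
    last_seen = False
    for offset_units, more_fragments, payload_len in fragments:
        frag_end = fragment_end(offset_units, payload_len)
        if frag_end + IP_HEADER_LEN > MAX_IP_DATAGRAM:
            return ("drop", frag_end)      # refuse before touching the buffer
        end = max(end, frag_end)
        if not more_fragments:
            last_seen = True
    return ("ok" if last_seen else "incomplete", end)


# Constructed samples. A normal ping is a single unfragmented 64-byte payload.
NORMAL_PING = [(0, 0, 64)]
# A Ping of Death: 44 full-size fragments followed by one placed at the
# maximum offset (8191 * 8 = 65528) that still carries 100 bytes, so the
# reassembled datagram would be 65628 + 20 bytes.
PING_OF_DEATH = [(i * 185, 1, 1480) for i in range(44)] + [(8191, 0, 100)]


if __name__ == "__main__":
    print(inspect_fragments(NORMAL_PING))     # ('ok', 64)
    print(inspect_fragments(PING_OF_DEATH))   # ('drop', 65628)
```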
Types of Network Security Attacks
Network Layer: IP Vulnerabilities
• ICMP Redirect Message: This type of message is sent by routers when a better route is identified.
– If an attacker gets into the routing table, he/she can route the traffic in any direction of interest and manipulate the data.
– In another option, the packets of a host are routed to itself and end up in an infinite loop.

• ICMP Destination Unreachable: This type of attack happens when an attacker sends an ICMP “destination unreachable” error message to either of the hosts in a TCP connection.
– The error message may indicate that either the network, the host, or the port is unreachable.
– After receiving this packet the host terminates the connection immediately.
Types of Network Security Attacks
Network Layer: IP Vulnerabilities, summary
• IP packets can be intercepted:
 - In the LAN (broadcast)
 - In the router, switch
• Since the packets are not protected, they can be easily read
• Since IP packets are not authenticated, they can be easily modified
• Even if the user encrypts his/her data, it will still be vulnerable to traffic analysis attack
• Information exchanged between routers to maintain their routing tables is not authenticated
 All sorts of problems can happen if a router is compromised
Computer Network Security Attacks
Transport Layer attacks
• TCP SYN Flood attack: TCP operates using synchronized connections, initiated with a 3-way handshake.
• The TCP SYN flood attack exploits the vulnerability at this stage of the TCP connection.
 The attacker sends TCP SYN packets by impersonating the IP address of an inactive host.
 The target machine responds with a SYN acknowledgment (SYN-ACK) and waits for the inactive host to respond.
 However, instead of opening a session, the attacker continuously sends SYN requests, and the victim’s buffer is flooded and cannot respond to other requests.

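A way to spot the flood described above in a connection trace, added here as an example and not code from the slides: each client SYN stays half-open until the client's handshake-completing ACK arrives, so a burst of SYNs that never complete shows up as a spike in simultaneously half-open handshakes on one port. The event layout, the timeout window and the sample trace are constructed.

```python
# Added example, not from the slides: spotting a SYN flood in a connection
# trace. Each client SYN the server answers with SYN-ACK stays half-open until
# the client's ACK arrives; a burst of SYNs that never complete, as in the
# attack above, shows up as a spike in simultaneously half-open handshakes
# on one port. Event layout and the sample trace are constructed.
from collections import defaultdict


def half_open_peak(events, window=3.0):
    """events: (time_s, src_ip, dst_port, flag) with flag 'S' for a client SYN
    and 'A' for the client's handshake-completing ACK.
    Returns {dst_port: peak number of half-open handshakes}, where a SYN is
    forgotten after `window` seconds, like a server-side SYN timeout."""
    pending = {}                     # (src_ip, dst_port) -> time of SYN
    peak = defaultdict(int)
    for t, src, port, flag in sorted(events):
        for key in [k for k, t0 in pending.items() if t - t0 > window]:
            del pending[key]         # expired half-open entry
        if flag == "S":
            pending[(src, port)] = t
        elif flag == "A":
            pending.pop((src, port), None)   # handshake completed
        open_now = sum(1 for (_, p) in pending if p == port)
        peak[port] = max(peak[port], open_now)
    return dict(peak)


def flood_suspects(events, threshold=50):
    """Ports whose half-open peak reaches the threshold."""
    return sorted(p for p, n in half_open_peak(events).items() if n >= threshold)


def build_sample():
    """Constructed trace: three real clients on 443 complete their handshakes;
    200 SYNs from spoofed sources hit port 80 within 0.2 s and never finish."""
    events = []
    for i, src in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        events.append((0.1 * i, src, 443, "S"))
        events.append((0.1 * i + 0.05, src, 443, "A"))
    for i in range(200):
        events.append((1.0 + i * 0.001, f"198.51.100.{i}", 80, "S"))
    return events


if __name__ == "__main__":
    print(half_open_peak(build_sample()))   # {443: 1, 80: 200}
    print(flood_suspects(build_sample()))   # [80]
```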


Computer Network Security Attacks
Transport Layer:
• TCP sequence number attack: Each time a TCP message is sent, the sender generates a 32-bit sequence number.
• The attacker intercepts and responds with a sequence number similar to the one used in the original session.
• This means the attacker hijacks the session and gains access; hence this type of attack is also called TCP session hijacking.
– If the connection is one that allows command execution, malicious code could be executed.
– There are some programs, e.g. Wireshark, that allow viewing TCP sequence numbers.
Computer Network Security Attacks

TCP Attacks
• If an attacker learns the associated TCP state for the connection, then the connection can be hijacked!
• Attacker can insert malicious data into the TCP stream, and the recipient will believe it came from the original source
 Ex. Instead of downloading and running a new program, you download a virus and execute it
Computer Network Security Attacks
TCP Attacks…
• Say hello to Alice, Bob and Mr. Big Ears



Computer Network Security Attacks

TCP Attacks…

• Alice and Bob have an established TCP connection



Computer Network Security Attacks

TCP Attacks…
• Mr. Big Ears lies on the path between Alice and Bob on the network
 He can intercept all of their packets



Computer Network Security Attacks
TCP Attacks…
• First, Mr. Big Ears must drop all of Alice’s packets since they must not be delivered to Bob
 (figure: Alice’s packets go to “The Void”)



Computer Network Security Attacks

TCP Attacks…
• Then, Mr. Big Ears sends his malicious packet with the next ISN (sniffed from the network)
 (figure: packet labelled ISN, SRC=Alice)



Computer Network Security Attacks
TCP Attacks…
• Why are these types of TCP attacks so dangerous?
• A malicious user can send a virus to the trusting web client, instead of the program they thought they were downloading.
 (figure: Web server, Trusting web client, Malicious user)
Computer Network Security Attacks
TCP Attacks…
• How do we prevent this?
• IPSec
 Provides source authentication, so Mr. Big Ears cannot pretend to be Alice
 Encrypts data before transport, so Mr. Big Ears cannot talk to Bob without knowing what the session key is



Computer Network Security Attacks
Application layer : DNS spoofing

• An attacker can change the DNS server entries in such a way that a URL is associated with a wrong IP address.
 Ex: redirecting www.ebay.com to map to the attacker’s own IP address
• The cache of a DNS name server can be poisoned with false information using some simple techniques



Computer Network Security Attacks
Application layer : SMTP attack:

• Mail bombing is a type of DoS attack achieved by flooding the mail server and the network with thousands of email messages.
• The server and the network become congested so that they can no longer accept messages.
• The server might run out of storage space as well.



Computer Network Security Attacks
Application layer: Web browsers as threats

• We obtain most of our browsers on-line
 How do we make sure that some Trojan horse is not inserted?
• Potential problems that can come from malicious code within the browser
 Inform the attacker of the activities of the user
 Inform the attacker of passwords typed in by the user
 Downgrade browser security



Computer Network Security Attacks
Application layer: Web browsers as threats…

• Mobile code
 Java applets and ActiveX controls
 normally run within a controlled environment (sandbox) and access
to local resources is strictly controlled by a security manager
 however, an applet may escape from the sandbox due to some bugs
in the implementation of the Java Virtual Machine for example
• Cookies
 cookies are set by web servers and stored by web browsers
 A cookie set by a server is sent back to the server when the
browser visits the server again
 Cookies can be used to track what sites the user visits (can lead
to serious privacy violation!)
Computer Network Security Attacks
Application layer: Web browsers as threats…

• Interactive web sites are based on forms and scripts
 By writing malicious scripts the client can
 Crash the server (ex. buffer overflow)
 Gain control over the server



Attack Mitigation

Mitigating network attacks using protocols



Security-Enhanced Protocols

• Application Layer Security Protocols



Security-Enhanced Protocols

• Providing Security using S/MIME, PGP, SET Protocols



Security-Enhanced Protocols

• HTTPS



Security-Enhanced Protocols

• Pretty Good Privacy (PGP)



Security-Enhanced Protocols
Application layer: E-mail Security
• E-mails transit through various servers before reaching their destinations
• By default, they are visible to anybody who has access to the servers
• The SMTP protocol itself has some security holes
• E-mail security can be improved using some tools and protocols
 Example: PGP, S/MIME
 PGP: Pretty Good Privacy
 S/MIME: Secure Multi-Purpose Internet Mail Extension
Security-Enhanced Protocols

• S/MIME



Security-Enhanced Protocols

Security services within S/MIMEv3:

• Digest and hashing algorithms: These must support MD5 and SHA-1.
• Digital signature algorithms: Both sending and receiving agents must support DSA and should also support RSA.
• Key encryption algorithms: Sending and receiving agents must support Diffie-Hellman and should also support RSA encryption.
• Data encryption (session key) algorithms: Sending agents should support RC2/40-bit key, RC2/128-bit key, and Triple DES.
– Receiving agents should support RC2/128 and Triple DES but must support RC2/40.



Security-Enhanced Protocols

• DNSSEC



Security-Enhanced Protocols
Application layer: Security-enhanced application protocols
• Solutions to most application layer security problems have been found by developing security-enhanced application protocols
• Examples
 For FTP => FTPS
 For HTTP => HTTPS
 For SMTP => SMTPS
 For DNS => DNSSEC



Security-Enhanced Protocols

Transport Layer Security Protocols
 Secure Socket Layer (SSL/TLS)
 Secure Shell Protocol



Security-Enhanced Protocols
• Providing Security using TLS/SSL Protocol



Security-Enhanced Protocols
• TLS/SSL



Security-Enhanced Protocols

• SSL Handshake



Security-Enhanced Protocols
• Advantages of TLS



Security-Enhanced Protocols

• Applications using TLS/SSL



Security-Enhanced Protocols

• Secure Shell Protocol (SSH)



Security-Enhanced Protocols
Network Layer Security Protocol
• IPSec



Security-Enhanced Protocols
• Providing Security using IPSec Protocol



Security-Enhanced Protocols
Benefits of IPSec



Security-Enhanced Protocols

• Benefits of IPSec (contd.)



Security-Enhanced Protocols
• Benefits of IPSec (contd.)



Security-Enhanced Protocols

• Data Link-Layer Security protocols



Security-Enhanced Protocols

• Layer 2 Forwarding Protocol (L2TP)



Security-Enhanced Protocols

• Point to Point Tunneling Protocol



Security-Enhanced Protocols

• Layer 2 Tunneling Protocol (L2TP)



Security-Enhanced Protocols

• PPP over Ethernet (PPPoE)

============ The End ! =============
