Article · January 2014
All content following this page was uploaded by Jatinderkumar R. Saini on 19 March 2014.

International Journal of Engineering Innovation & Research
Volume 3, Issue 1, ISSN: 2277 – 5668

Attacks & Defense Mechanisms for TCP/IP Based Protocols

Alok Pandey, Sr. Systems Manager, Department of Computer Science Engineering, Birla Institute of Technology, Mesra, Jaipur Campus, Rajasthan, INDIA. Email: alokpandey1965@yahoo.co.in
Dr. Jatinderkumar R. Saini, Director (I/C) & Associate Professor, Narmada College of Computer Application, Bharuch, Gujarat, INDIA. Email: saini_expert@yahoo.com

Abstract – The TCP/IP protocol suite is the most widely used communication protocol and has become the de facto standard for internet based communications. It is a set of robust protocols originally designed to provide reliable communication services that allow co-operating computers to share resources across networks.
The networking of resources also brought many potential threats to the network community, such as unauthorized access to private information and malicious break-ins to other organizations' systems to make them unusable or unreliable. These stem from inherent security problems in the underlying protocols, whose development was based upon the concept of implicit trust between the communicating systems.
Due to design faults and faulty implementations of the TCP/IP protocol suite, several vulnerabilities have been reported. Different types of network based attacks have been identified which use computer networks as the transportation mechanism to carry out an intrusion, or which attack the communication system itself. Some such attacks are sniffing, spoofing, denial of service, session hijacking, traffic redirection, authentication and routing attacks. Several tools and defence mechanisms have been developed to identify, analyse and mitigate such attacks. We describe some of these attacks against the TCP/IP suite, analysis tools and various defence mechanisms.

Keywords – Computer Security, Hacking, Network Security, Security Tools, TCP/IP Security.

I. INTRODUCTION

The TCP/IP suite is a collection of network based communication protocols that provide and support various kinds of services running over the network. It establishes, maintains and terminates connections between the end points and provides full-duplex end to end connectivity. It also formats data, addresses and routes the data packets over the network and ensures they are delivered to the recipient [1] [2]. The two main components of the TCP/IP protocol suite are the Transmission Control Protocol (TCP) and the Internet Protocol (IP).

1.1 TCP/IP Protocol Hierarchy
The TCP/IP protocol suite is designed through a highly structured and layered approach, with each layer responsible for a different facet of communications. This hierarchical architecture, shown in fig. 1 & 1(a), makes it possible for each layer to provide a unique set of functions. Data encapsulation is achieved by the headers of the different layers, such as the IP header, TCP header or application headers, as seen in fig. 1 & 1(a). These headers are critical and maintain the specific set of information needed for functional and administrative reasons at that particular layer.

Fig.1. TCP/IP Protocol Stack

Fig.1. (a) TCP/IP Protocols

Internet Protocol (IP) – IP is the workhorse protocol of the TCP/IP protocol suite; it provides an unreliable, connectionless datagram delivery service. All TCP, UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol) and IGMP (Internet Group Management Protocol) data are transmitted as IP datagrams.
IP deals with routing packets of data from one computer to another, or from one router to another, until they reach the destination [3]. It neither engages in a handshaking process nor provides flow control, error detection or error control. Hence it does not provide any reliable connection between the hosts on a network. The structure of the IP header is shown in fig 2. The IP header contains important information such as the source IP address and destination IP address, which help in routing the packet across the networks.

Fig.2. IP Header

User Datagram Protocol (UDP) – UDP is a transport layer protocol, but it does not offer much functionality beyond port addressing. The checksum field in the UDP header provides only a limited ability for error checking. The UDP header is shown in Fig 3.

Fig.3. UDP Header

Transmission Control Protocol (TCP) – User processes interact with the IP layer through the transport layer. TCP is the most common transport layer protocol used in modern networking environments. Through handshaking and the exchange of acknowledgement packets, TCP provides a reliable delivery service for data segments with flow and congestion control. A connection is uniquely defined by the combination of the sender's IP address, the sender's TCP port number, the receiver's IP address and the receiver's TCP port number.
TCP provides a full duplex reliable connection between two end systems and ensures end to end delivery of the data packets. It breaks larger packets into smaller segments, numbers them and passes them to IP. At the receiving end TCP ensures that all the segments are received, arranged in order and reassembled, taking care of error checking and retransmissions. It works on top of IP and provides flow control, error detection and error correction. It is responsible for reliable delivery using port numbers, sequence numbers, acknowledgement numbers, timers etc. A TCP header is shown in fig 4.

Fig.4. TCP Header

The TCP header contains the port numbers used to uniquely identify the process at the sending and receiving sides, since TCP at the sending side is responsible for ensuring that the data segment is received at a specific port on the receiving side and properly acknowledged. Every byte sent by a host is marked with a sequence number and is acknowledged by the receiver using this sequence number. The sequence number is essential in keeping the sent and received data in proper order. There are six flag bits in the TCP header, namely URG, ACK, PSH, RST, SYN and FIN, which play specific roles in connection establishment, connection termination and other control purposes. For flow control, the size of the communication window is advertised between the communicating partners. Before actually transmitting data segments TCP follows the process of 3-way handshaking, which ensures reliable transmission of the packets. Each packet sent is properly acknowledged [4].

Fig.5. Three-way handshake

The process of the 3-way handshake between a source and a destination can be seen in fig 5. The source system sends a SYN packet to the destination system, signalling its desire to establish a connection and setting its own ISN (Initial Sequence Number) in the sequence number field. Upon receiving the request packet, the destination host sends back a SYN_ACK packet with its own ISN and the incremented ISN from the source host. Finally, the source host transmits an ACK packet and data transfer can take place. If a sender S did not send any SYN packet but received a SYN_ACK packet from destination D, it would just send back a RST packet to reset the connection.

II. SOME OF THE HACKING TECHNIQUES

Network hackers utilize the security holes of TCP/IP to perform various network attacks. Three of the commonly used hacking techniques used to exploit the vulnerabilities of the TCP/IP protocol suite are as follows:

2.1 IP Address Spoofing
The source and destination addresses contained in the IP header are the only information needed for routing the packet. Anyone who has access to the IP layer can easily spoof the packet's IP source address and masquerade it as coming from another host in the network. IP address spoofing is based upon maliciously creating TCP/IP packets using someone else's IP address as the source address, either to conceal one's own identity or to impersonate the identity of the user of the spoofed IP address [5].
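As an added example, not code from the paper, the following Python builds and parses the IPv4 and TCP headers of figs 2 and 4, checks the three-way handshake of fig 5 (the SYN-ACK must acknowledge the client's ISN + 1 and the final ACK must acknowledge the server's ISN + 1), and shows why a host that never sent a SYN, for instance a host whose address was used as a spoofed source as described in section 2.1, answers an unsolicited SYN-ACK with RST. The addresses, ports and ISNs are constructed sample values, and the checksums are left as zero because no real host is asked to accept the datagram.

```python
"""Decode IPv4 + TCP headers from raw bytes and validate the 3-way handshake of fig 5."""
import struct
from dataclasses import dataclass

# Flag bits in the low byte of the TCP data-offset/flags word (fig 4).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
MASK32 = 0xFFFFFFFF


@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: frozenset
    window: int


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window=65535) -> bytes:
    """Construct a 20-byte IPv4 header followed by a 20-byte TCP header (checksums left zero)."""
    # version/IHL, TOS, total length, identification, flags/fragment offset,
    # TTL, protocol (6 = TCP), header checksum, source address, destination address
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    off_flags = (5 << 12) | flag_bits        # data offset = 5 words, reserved bits zero
    # source port, destination port, sequence, acknowledgement, offset/flags, window, checksum, urgent
    tcp_hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, window, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(raw: bytes) -> Segment:
    """Pull the routing fields of fig 2 and the transport fields of fig 4 out of a raw datagram."""
    if raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (raw[0] & 0x0F) * 4                 # IP header length in bytes (options included)
    if raw[9] != 6:
        raise ValueError("IP protocol field is not TCP")
    src_ip = ".".join(str(b) for b in raw[12:16])
    dst_ip = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:]
    src_port, dst_port, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    flags = frozenset(name for name, bit in TCP_FLAGS.items() if off_flags & bit)
    return Segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window)


def handshake_is_valid(segments) -> bool:
    """True only for SYN, SYN-ACK, ACK in order with the ISN arithmetic the text describes."""
    if len(segments) != 3:
        return False
    syn, synack, ack = segments
    if syn.flags != {"SYN"}:
        return False
    # SYN-ACK must come back from the destination and acknowledge the client's ISN + 1
    if synack.flags != {"SYN", "ACK"} or synack.ack != (syn.seq + 1) & MASK32:
        return False
    if (synack.src_ip, synack.src_port) != (syn.dst_ip, syn.dst_port):
        return False
    if ack.flags != {"ACK"}:
        return False
    return ack.seq == (syn.seq + 1) & MASK32 and ack.ack == (synack.seq + 1) & MASK32


def reply_to_synack(pending_syns, synack: Segment) -> str:
    """A host that never sent the SYN (for instance because its address was spoofed) answers RST."""
    expected = (synack.dst_ip, synack.dst_port, synack.src_ip, synack.src_port)
    return "ACK" if expected in pending_syns else "RST"


# Constructed sample exchange between client 10.0.0.5 and server 192.0.2.10 (assumed addresses).
CLIENT_ISN, SERVER_ISN = 1000, 5000
RAW_SYN = build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40001, 80, CLIENT_ISN, 0, {"SYN"})
RAW_SYNACK = build_ipv4_tcp("192.0.2.10", "10.0.0.5", 80, 40001, SERVER_ISN, CLIENT_ISN + 1, {"SYN", "ACK"})
RAW_ACK = build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40001, 80, CLIENT_ISN + 1, SERVER_ISN + 1, {"ACK"})
SAMPLE_HANDSHAKE = [parse_ipv4_tcp(p) for p in (RAW_SYN, RAW_SYNACK, RAW_ACK)]

if __name__ == "__main__":
    for seg in SAMPLE_HANDSHAKE:
        print(seg)
    print("handshake valid:", handshake_is_valid(SAMPLE_HANDSHAKE))
    print("spoofed host replies with:", reply_to_synack(set(), SAMPLE_HANDSHAKE[1]))
```

The parser honours the IHL field so datagrams carrying IP options still decode; the handshake check fails on any reordering, wrong ack arithmetic or a SYN-ACK arriving from an address other than the one the SYN was sent to, which is exactly the condition that makes a spoofed-source SYN useless to the attacker for completing a connection.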

The packets are routed by the routers to the destination. Upon receipt, the recipient uses the source IP address to reply to the packet. Since the source address is spoofed, the recipient replies to the spoofed address and not to the original sender, who deliberately changed the IP address in the original packet. Since the address has been changed intentionally, it is difficult to trace the packets back to the attacker. Using this concept the following types of attacks are normally carried out.

2.1.1 Denial of Service Attacks (DoS)
Using the above trick the attacker can send a large number of packets to the victim [6]. As the attacker will not receive any packet from the victim, all the replies are directed towards the spoofed IP addresses, causing the victim to go out of service. Using DoS an attacker can disrupt the normal functioning of the network and carry out the following attacks:

2.1.1.1 Storage Consumption Attacks – The attacker tries to consume all the available local storage space on the target machine to slowly bring it to a grinding halt. The simple trick of sending emails with very large attachments can be used for launching this type of DoS. Multiple large DVD VOB files and uncompressed JPEG or BMP (bitmap) images of very high resolution are common file types used to accomplish such attacks.

2.1.1.2. Subnet Mask Corruption Attacks – The attacker may send a message which causes the target machine to reset its subnet mask and so disrupt the target's subnet routing.

2.1.1.3. Connection Resources Consumption Attacks – By sending very large numbers of erroneous requests for TCP session establishment an attacker can consume all of the target's available connection resources, leaving the target unable to service any new authentic connection requests.

2.1.1.4. Buffer Overflow Attacks – A buffer overflow attack occurs when a process receives much more data than expected; if it has no programmed routine to deal with this excessive amount of data, it may act in unexpected ways that an attacker can exploit. There are numerous variations and forms of buffer overflow attack that have been formulated over the years, the most common of all being the "Ping of Death".

2.1.1.5. Ping of Death Attacks – The Ping of Death attack is also referred to as the "Large Packet Ping Attack". The attacker initiates a "ping of death" attack by using the PING utility of the Internet Control Message Protocol (ICMP) to "ping" the target with an illegally modified and very large IP datagram. This results in overfilling the target system's buffers, causing the target to reboot or hang. PING can be configured to send the "illegal" IP datagram packets in bursts or as a continual stream. In the case of a continual stream the target is immediately under attack again once it reboots, and will thus hang or reboot continually until something is done to stop it receiving the attacker's packets.

2.1.1.6. Long File or User Name Attacks – Another basic buffer overflow attack that can be initiated very easily by the attacker is done by sending the victim machine a large packet with user names or file names larger than 256 characters long. Email delivery processes are also a popularly exploited mechanism for deploying this type of excessively long file or user name attack.

2.1.1.7. SYN Attacks – A SYN attack occurs when an attacker exploits the use of buffer space during the Transmission Control Protocol (TCP) session initialization, the three-way handshake. The receiving machine (usually a server) can maintain multiple concurrent conversations, all established using the same small "in-process" buffer pool.

Fig.6. A SYN Attack

To instigate such an attack an attacker simply floods the target system's queue with connection requests, but when the target system replies with a SYN-ACK acknowledgement packet the attacker simply ignores it (fig 6) rather than replying with the ACK packet the target is waiting for. By deliberately not responding to the SYN-ACK sent by the server, the attacker leaves the connections half open. The target system will thus "time out" as it keeps waiting for the proper response. The server becomes unable to respond to further connection requests because of resource exhaustion and denial of service takes place [7]. The target will generally assume that either its SYN-ACK packet or the attacker's ACK reply packets have been lost in transit and so it will reissue its SYN-ACK packet.
After some time the target system becomes unstable, hangs, crashes or becomes unusable. As a result the target system has to be rebooted. Once rebooted, the attack continues afresh for as long as the attacker wants or until the network administrator discovers that they are being attacked and takes appropriate steps to counteract it.

2.1.1.8. Smurf Attacks – Here a combination of IP address spoofing and ICMP flooding is used to saturate a target network with traffic so that normal traffic is disrupted, causing a Denial of Service (DoS) attack. Smurf attacks consist of the source site, the bounce site and the target site.
First the attacker selects a bounce site (usually a very large network). The attacker then modifies a PING packet so that it contains the address of the target site as the PING packet's source address.
Now the attacker sends the spoofed PING packet to the broadcast address of the target site. As a result the bounce site broadcasts the spoofed packet to all devices configured to receive messages from that broadcast address. The bounce site network devices receiving this misinformation will not know that it is false information
and so they will automatically respond to the ping request with a reply to the intended victim, the target site.
As a result the target site is overwhelmed by a large number of erroneous replies from the bounce site. This oversaturation of ping replies consumes all of the target site's "in-process" buffer resources and hangs or reboots the system.

2.1.2. Defeating the Network Security – These attacks are aimed against IP based authentication environments, where the internal machines are configured to trust communication from internal IP addresses. No login or passwords are required for access [8]. By spoofing the connection an attacker can get unauthorized access to a victim machine without authentication.

2.1.3. Man-in-the-middle Attack – It is based upon hijacking an authenticated network session between two hosts. The attacker implants itself after they have finished the authentication steps. The attacker can spoof the IP address of a victim that was authenticated by the other host or server and gets the packets that pass between these hosts [9]. The attacker uses the IP addresses of the two hosts to receive and send packets.

2.2 TCP Sequence Number Prediction
It is possible for the attacker to predict the sequence numbers based upon the ISNs being used for sending and acknowledging between two genuinely communicating hosts. Based upon this technique, sessions can be hijacked by the attacker.

2.3 Port Scanning
It is not a technique used directly to perform an attack. Instead, its goal is to discover an exploitable communication channel and then launch the real attack. The reason for doing port scanning is that some vulnerable services may not use a fixed port number.
There are several ways to detect a potential communication channel. For a listening TCP server, the most basic approach is to try to make a real connection. Another method is SYN scanning, which sends a SYN packet to the victim as if it will create a real connection. As already discussed for the TCP three-way handshake, a SYN_ACK packet indicates an active server and a RST message indicates a port with no listener.
These two methods have obvious disadvantages. The first one is easy to audit and the second will not work with some firewalls or packet filters specially designed to block SYN packets to non-permitted ports.
Another way of port scanning is TCP FIN scanning. Instead of sending the SYN probes of SYN scanning, this method sends a FIN packet and then waits for a RST packet from a closed port. An active listener will just discard this FIN packet silently without sending anything back.
UDP is a connectionless protocol. Its simplicity makes port scanning actually more difficult: there is no three-way handshake as in TCP, so a UDP server will not acknowledge any probe packet. On the other hand, for a closed port, no UDP error message is returned. Most hosts send an ICMP "port unreachable" message as a reply to packets sent to an unused UDP port. This may give hackers some clues. Since UDP is unreliable, neither the UDP packets nor the ICMP messages are guaranteed to arrive.

III. DEFENDING MECHANISMS

Some simple prevention mechanisms, like password protecting the system to avoid unauthorized use, have become widely popular.

3.1 Firewalls – Firewalls are systems designed to prevent unauthorized access to or from a network. A firewall is a dedicated appliance or software running on a system which inspects network traffic passing through it and denies or permits passage based on a set of rules. Firewalls can be implemented in hardware, in software or in a combination of both. Firewalls can be of the following types:
Packet filter: It inspects each packet entering or leaving the network and rejects or accepts it based on defined rules. It is effective and transparent but difficult to configure. IP spoofing can be easily done against packet filter firewalls.
Application Gateway: The decision to allow or disallow depends upon the specific application, e.g. ftp, Telnet etc. It is very effective but imposes performance degradation.
Circuit-level Gateway: It applies security mechanisms when a TCP or UDP connection is established. After connection establishment no further checking is done and packets can flow between hosts.
Proxy server: It sits between the client and server. A client requires some service such as a file, connection, web page or other resource available on a different server. The proxy server validates the request with its filter rules and, after the request is validated by the filter, the proxy provides the resource by connecting to the relevant servers and requesting services on behalf of clients. Some of the commonly used firewalls are:
Netfilter: It is an open source firewall written in C that supports different IPv4 protocols and can be used with a command line interface [10].
IPFilter: It is an open source firewall that supports both IPv4 and IPv6. It works on different types of operating systems like AIX, BSD/OS, some other flavours of BSD, and Solaris [11].

3.2. Virtual Private Network (VPN) – A VPN is a private network that uses a public network such as the internet to connect remote sites or users together. Instead of using a dedicated, real world connection such as a leased line, a VPN uses "virtual" connections routed through the internet from the company's private network to the remote site. It is implemented as an additional logical layer on top of an existing larger network.

3.3. Authentication – Computer security authentication means verifying the identity of a user logging onto a network. Authentication is the process of determining whether the person is genuinely the person whose identity he or she is claiming. In other words, authentication is the process of verifying the identity of a user. It is typically based on:

• Something the user knows: passwords or PINs.
• Something the user has: this could be a key, a token, a smart card, a disk or some other device.
• Something the user is: this includes biometric authentication such as fingerprints, voice recognition, retina or iris scans.
Authentication procedures can be categorized as follows:
3.3.1. Two-party authentication – In two-party authentication there are two ways:
• One way authentication – The client authenticates with the server by giving a username and password. If it is correct then the client is allowed to log in to the server.
• Two way authentication – In two way authentication the client authenticates with the server by giving a username and password. Similarly the server authenticates with the client by giving a username and password. If it is correct then it is assured that the client is communicating with the correct server.
3.3.2. Third party authentication – In third party authentication there is a third party security server. The clients communicate with the security server by giving a username and password. The security server authenticates the client if the username and password are correct. Similarly on the other side the server authenticates with the security server by giving a username and password. After both the client and server are authenticated, the client and server exchange keys for securely transmitting the data. After that the data is transferred in a secure way.
3.3.3. Single sign on – Users can access several network resources by logging on once to a security server.

3.4. Intrusion Detection System (IDS) – An intrusion detection system is software and/or hardware designed to detect unwanted attempts to access, manipulate and/or disable a computer system. These attempts are generally generated from a network such as the internet. It monitors network and/or system activities for malicious activities or policy violations. It is the process of monitoring the events occurring in a system or network and analyzing them for violations of security policies. Intrusion detection systems can be of the following types:
3.4.1. Network intrusion detection system (NIDS) – NIDS is an independent platform which examines network traffic and monitors multiple hosts. It gains access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap.
3.4.2. Protocol-based intrusion detection system (PIDS) – PIDS is an intrusion detection system which is typically installed on a web server and is used in the monitoring and analysis of the communications protocol in use by the computing system.
3.4.3. Application protocol-based intrusion detection system (APIDS) – APIDS is an intrusion detection system that focuses its monitoring and analysis on a specific application protocol or protocols in use by the system.
3.4.4. Host based intrusion detection system (HIDS) – Host based intrusion detection systems run on individual hosts or devices on the network. A HIDS monitors the entire network traffic from the device and alerts the user or administrator whenever suspicious activities are observed.
3.4.5. Signature based Intrusion Detection System – A signature based intrusion detection system monitors packets on the network and compares them against a database of signatures or attributes from known malicious threats.
3.4.6. Anomaly based Intrusion Detection System – An anomaly based IDS monitors the network traffic and compares it against an established baseline. This baseline generally contains what is normal traffic for the network, what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other; it alerts an administrator when the traffic detected differs from, or is anomalous with respect to, the baseline.
3.4.7 Some commonly used IDS are:
Firestorm: It is a cross platform Network Intrusion Detection System that uses libpcap to capture, analyse and detect malicious patterns in network traffic for different protocols [12]. It uses the anomaly detection method and fully supports Snort [13] rules.
Prelude: It is a hybrid IDS that uses several sensors in the network to capture and detect any malicious packet. It can work on Linux, BSD and some other operating systems [14].
Dragon: Dragon is a commercial host & network intrusion detection system, which uses rule and signature based detection techniques and has extensive libraries [15].

3.5. Intrusion Prevention System (IPS)
An Intrusion Prevention System (IPS) uses rule based detection techniques for detecting malicious traffic and preventing attacks. IPS is the advancement of the intrusion detection system (IDS).
3.6 Some popular IDS being used are:
Snort: It is an open source IDS that works on the application layer and network layer. It can detect and prevent different attacks like buffer overflow, denial of service attack, port scan, SMB probes and some other attacks.
Suricata: It is an open source network intrusion detection and prevention system that works on rule based and anomaly based detection concepts. It works on the application and network layers [16].
3.7. Some commonly used mitigating techniques against IP spoofing include the use of encrypted sessions in routers, using Access Control Lists for applying the security policies, and the application of defence mechanisms of upper layers [17].
3.8 Counteracting Ping of Death Attack – Techniques like changing the LAN IP address and the use of filtering devices such as routers and a dedicated firewall to drop all incoming (ICMP) packets are commonly used to defend against such attacks.
3.9. Mitigating Smurf Attack – For countering a smurf attack the commonly used techniques include "state-full"

inspection at the firewall and denying external ICMP traffic access to the internal network.
3.10. Countermeasures for Long File or User Name Attacks – Such attacks can be countered by configuring the network filtering device to automatically drop traffic which contains file names and user names that are more than 255 characters long.
3.11. SYN Attack Countermeasures – Identify the source IP addresses of the attack packets and then use a firewall or router to block all traffic from this source.

IV. TCP/IP SECURITY TOOLS

Several security tools are available. Some of the most common tools are:
4.1 Network Sniffers
Network sniffers and analysers are software and/or hardware based tools that sniff the data passing through a connection. They normally work in passive mode and are used to tap into a connection to listen to the ongoing packet exchange without altering or redirecting it.
Wireshark: It is an open source sniffer tool used for sniffing and analyzing packets. It captures live packets of Ethernet, IEEE 802.11, PPP, etc. and can analyze them in offline mode. It works on Windows, Linux, Solaris, NetBSD, FreeBSD and others [18].
Tcpdump: It is free software that can be used for analyzing TCP/IP packets using a command line interface. This tool works on Linux, Solaris, BSD, Mac and AIX. On Windows it works through WinDump [19].
Ettercap: It is open source software for sniffing and analyzing packets, written in C, and works on Microsoft Windows, Linux, Mac, BSD and Solaris [20].
4.2. Vulnerability scanners
Vulnerability scanning is performed to learn the weaknesses of a system or network in order to attack it, or it can be performed by a network administrator to learn the weaknesses of a system or network so that it can be reconfigured to secure it.
MBSA (Microsoft Baseline Security Analyzer): MBSA scans the system and identifies whether any patches are missing for products such as the Windows Operating System, Internet Information Server (IIS) etc.
Nessus: Nessus is a comprehensive vulnerability scanning program. Its goal is to detect potential or confirmed weaknesses on the tested network. It is a cross-platform tool and works on Linux, Mac OS X, and Microsoft Windows [21].
Retina: It is used by industry for multi-platform vulnerability management as it identifies known and zero-day vulnerabilities along with a detailed security risk assessment [22].
4.3 Penetration test tools
These are tools used by both attackers and penetration testing professionals to check the network. Following are some of the notable penetration testing tools for TCP/IP:
Nmap: It is a free open source tool used for network discovery, port scanning and security auditing of the target network [23]. It can also be used to fingerprint operating systems and network devices.
Netcat: It allows reading and writing of data to network connections using the TCP/IP protocol. Packets can be constructed and dispatched using Netcat. Malformed packets can be crafted for testing protocol responses [24].
hping: It is a command line open source TCP/IP packet assembler and analysis tool. It supports multiple protocols including ICMP, TCP, UDP and RAW-IP [25].

V. CONCLUSION

Several types of attacks based upon TCP/IP protocols have been discussed in this paper. We have also highlighted some of the tools that are used for analyzing the different vulnerabilities of a network.
With a lot of emphasis on security these days, it becomes necessary that networking professionals not only know how to find the vulnerabilities of their network but also know the techniques to guard against them.
With the implementation of IPv6 some of these security holes have been plugged, but a lot has to be done in this direction.

REFERENCES

[1] Braden, Robert. "RFC-1122: Requirements for internet hosts." Request for Comments (1989): 356-363.
[2] Braden, R. "RFC 1123: Requirements for InterNet Hosts - Application and Support." InterNet Network Working Group (1989).
[3] Deering, Stephen, and Robert Hinden. "Internet protocol." (1998).
[4] Chappell, Laura. "Inside the TCP Handshake." NetWare Connection (2000).
[5] Tanase, Matthew. "IP spoofing: an introduction." Security Focus 11 (2003).
[6] Ferguson, Paul. "Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing." (2000).
[7] CERT, "CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks," September 1996.
[8] Heberlein, L. Todd, and Matt Bishop. "Attack class: Address spoofing." Proceedings of the 19th National Information Systems Security Conference. 1996.
[9] Trabelsi, Zouheir, and Khaled Shuaib. "NIS04-4: Man in the Middle Intrusion Detection." Global Telecommunications Conference, 2006. GLOBECOM'06. IEEE, 2006.
[10] Yao, Xiaoyu, and Chen Zhao. "Research on Implementation and Application of Linux Kernel Firewall Netfilter [J]." Computer Engineering 8 (2003): 042.
[11] Reed, D. "IP Filter." Online. http://coombs.anu.edu.au/avalon/ip-filter.html (last accessed 31 May 2013).
[12] Leach, John, and Gianni Tedesco. "Firestorm network intrusion detection system." Firestorm Documentation (2003).
[13] Roesch, Martin. "Snort - lightweight intrusion detection for networks." Proceedings of the 13th USENIX conference on System administration. 1999.
[14] Zaraska, Krzysztof. "Prelude IDS: current state and development perspectives." http://www.prelude-ids.org/download/misc/pingwinaria/2003/paper.pdf (2003).

[15] Allan, Ant. "Enterasys Networks Dragon Intrusion Detection System (IDS)." (2002).
[16] "Suricata Intrusion Detection System." Online. http://suricata-ids.org/ (last accessed 31 May 2013).
[17] Bellovin, Steven M. "A look back at." Computer Security Applications Conference, 2004. 20th Annual. IEEE, 2004.
[18] "Wireshark." Online. www.wireshark.org.
[19] "TCPdump and libpcap." Online. http://www.tcpdump.org/.
[20] "ETTERCAP." Online. http://ettercap.github.io/ettercap.
[21] "NESSUS vulnerability scanner." Online. http://www.tenable.com/products/nessus.
[22] "Retina Network Security Scanner." Online. http://www.beyondtrust.com/Products/RetinaNetworkSecurityScanner.
[23] "Nmap." Online. http://nmap.org.
[24] "What is netcat?" Online. http://netcat.sourceforge.net.
[25] "hping." Online. http://www.hping.org.
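As an added worked example, placed after the reference list because the two-column layout above leaves no cleaner break, and not code from the paper or from any tool it names: the following Python models the server-side view of the SYN attack of section 2.1.1.7 (half-open connections accumulating per source), the SYN and FIN probes of section 2.3 (one source touching many distinct ports), and the source-blocking countermeasure of section 3.11. The inbound events, the set of listening ports and the two thresholds are constructed assumptions; a SYN to a closed port is counted as a probe but creates no half-open state, because the server answers it with RST rather than SYN-ACK.

```python
"""Spot SYN-flood and port-scan patterns in constructed inbound TCP events at a server."""
from collections import defaultdict

# Constructed inbound events as the protected server sees them:
# (time_s, src_ip, src_port, dst_port, flags) with "S" = bare SYN,
# "A" = handshake-completing ACK, "F" = bare FIN with no connection behind it.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", 40001, 80, "S"),          # legitimate client opens ...
    (0.2, "10.0.0.5", 40001, 80, "A"),          # ... and completes the handshake
] + [
    (1.0 + i / 10, "198.51.100.7", 50000 + i, 80, "S") for i in range(6)   # SYNs never acknowledged
] + [
    (2.0, "203.0.113.9", 60000, 21, "S"),
    (2.1, "203.0.113.9", 60001, 22, "S"),
    (2.2, "203.0.113.9", 60002, 23, "S"),
    (2.3, "203.0.113.9", 60003, 25, "S"),
    (2.4, "203.0.113.9", 60004, 110, "F"),      # FIN probes of section 2.3
    (2.5, "203.0.113.9", 60005, 443, "F"),
]
OPEN_PORTS = {22, 80}   # assumed listening services; SYNs elsewhere get RST and hold no state


def analyse(events, open_ports, half_open_limit=3, scan_port_limit=5, window_s=10.0):
    """Return the sources that exceed the half-open limit or the distinct-port fan-out limit."""
    half_open = defaultdict(set)      # src_ip -> {(src_port, dst_port)} still awaiting the ACK
    established = defaultdict(set)    # src_ip -> {(src_port, dst_port)} fully opened
    probes = defaultdict(list)        # src_ip -> [(time, dst_port)] connection attempts
    findings = {"syn_flood": set(), "port_scan": set()}
    for t, src, sport, dport, flags in sorted(events):
        key = (sport, dport)
        if flags == "S":
            probes[src].append((t, dport))
            if dport in open_ports:           # server replied SYN-ACK and is now holding a slot
                half_open[src].add(key)
        elif flags == "A" and key in half_open[src]:
            half_open[src].discard(key)       # third step of the handshake frees the slot
            established[src].add(key)
        elif flags == "F" and key not in established[src]:
            probes[src].append((t, dport))    # FIN with no connection: a FIN-scan probe
        if len(half_open[src]) >= half_open_limit:
            findings["syn_flood"].add(src)
        recent_ports = {p for ts, p in probes[src] if t - ts <= window_s}
        if len(recent_ports) >= scan_port_limit:
            findings["port_scan"].add(src)
    return findings


def block_list(findings):
    """Sources to block at the router or firewall, the response section 3.11 describes."""
    return sorted(findings["syn_flood"] | findings["port_scan"])


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS, OPEN_PORTS)
    print("SYN flood sources:", sorted(result["syn_flood"]))
    print("port scan sources:", sorted(result["port_scan"]))
    print("block list:", block_list(result))
```

The legitimate client is never flagged because its ACK releases the half-open slot; the flooding source is flagged only on the half-open count, since it touches a single port, and the scanning source is flagged only on port fan-out, since all but one of its SYNs reach closed ports and hold no state. On a real sensor the thresholds would be tuned to the server's backlog size and the expected rate of new connections.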

AUTHORS' PROFILES

Alok Pandey is Senior Systems Manager and faculty member at B.I.T. (MESRA),
Jaipur Campus. His qualifications include B.E.(EEE), MBA. He has also
done MCSE, RHCE, CCNA, IBM Certified E-Commerce and diploma in
Cyber law. He has a rich industrial working experience of more than 17
years and also a teaching experience of about 9 years in the areas of Data
Communication and Computer Networks, Information Security, E-
Commerce, Systems Management, ERP etc. He is also a member of CSI,
IAENG and ISOC. His research interests include Computer Networks
and Network Security.

Dr. Jatinderkumar R. Saini is Ph.D. from Veer Narmad South Gujarat University, Surat, Gujarat,
India. He secured first rank in all three years of MCA in college and has
been awarded gold medals for this. He is also a recipient of silver medal
for B.Sc. (Computer Science). He is an IBM Certified Database
Associate-DB2 as well as IBM Certified Associate Developer-RAD. He
has presented several papers in international and national conferences
supported by agencies like IEEE, AICTE, IETE, ISTE, INNS etc. One of
his papers has also won the ‘Best Paper Award’. 11 of his papers have
been accepted for publication at international level and 13 papers have
been accepted for national level publication. He is a chairman of many
academic committees. He is also a member of numerous national and
international professional bodies and scientific research academies and
organizations.
