Lecture-3 (Layer 2 Security)

Carrier- Frames ( Data Link Layer carries frames instead of packets, While Layer 1 carries bits)
Multiplexing (Muxing of data, error checking, error correction performed on Data Link Layer)
Ethernet Protocol mostly used protocol (IEEE802.3) but not only protocol on Layer-2
ATM (Asynchronous Transfer Mode) and SDH (Synchronous Digital Hierarchy), SONET
(Synchronous Optical Network) SONET American Standard and SDN ITU Standard, Layer 2
had some interesting Issues,
Point-to-Point Protocol (PPP)

Ethernet
Originally a shared medium (10BASE5 coax)
•Developed at Xerox in 1973/4
•Competing with Token Ring and Token Bus
•Hubs – 'dumb' electrical repeaters (Hubs are dumb devices and works like electrical repeaters
for amplification of signals)
Then bridges
•...Then multi-port bridges (Switches)
•...Then nothing but switches – today

Ethernet Attacks
Shared medium – everyone sees your packets (like wireless) Only in Hubs
• Switches prevent this... but...
• Switches have a Content Addressable Memory (CAM) table, Store ethernet Media
Access Control addresses (MAC addresses) and what physical port they are on
• Fill the CAM table (by MAC spoofing or unknown bogus MAC addresses)
• Switch acts like a hub for new addresses
• Poisoning CAM table , which leads to MAC Flooding (by Over Flow MAC Table)

Ethernet Attacks – Mitigation

Only move frames for a certain number of MAC addresses per physical port (port
security – Multiple actions)
•Include some time-outs for legitimate hardware changes
•Detect (easy) and report

ARP (IPv4) & NDP (IPv6)

•I am a PC
•My IP is 172.16.1.1/24
•I have created a packet destined for 172.16.1.100
•How do I know what MAC address to put in the
destination field of the ethernet frame?
•ARP (IPV4 -> MAC Address)
•Broadcast an 'ARP request'
•Wait for 'ARP reply
•`arp -a` - to see your machine's ARP table
ARP attack
•Someone issues an ARP request:
• You reply first.
• Receive their packets (ARP Spoofing before receiving on actual machine attacker get packet and spoof)
• Look (& change)
• Send on to real host
•This is ARP spoofing (not always bad (HSRP[1])
Proxy ARP [2](almost always bad!))
•Mitigation
• Static ARP table entries (hard to manage)
• Dynamic ARP Inspection (DAI) [3]
• Detection

Interpretation of data
•Difficult – so much of it – and what does it mean?
Definition - Data analysis and interpretation is the process of assigning meaning to the collected
information and determining the conclusions, significance, and implications of the findings [1]
•You can't look at everything
•Automated systems might help … but ...
•Tuned too sensitive and you'll still be overwhelmed
•Tuned the other way, and you'll miss things
•Too many alerts means you'll ignore them [1]
•Bottom line - you need to know your network and know what is 'normal' before you know
what 'abnormal' is
•Monitoring and Detection (NIDS)
•Made worse when you take the output of automated systems and use them to block/allow
traffic

Ports and services

•What is a port? What is a service?
•Does http have to run on port 80?
Spoofing packets
•With root access on a machine, I can generate any packet I want – even if it makes no “sense”
•I can fake an IP packet's source address OR a frame's MAC address
•Not actually useful for pretending to be someone or somewhere else (TCP)
•But very effective for Denial Of Service Attacks
•DoS

Preventing spoofing
•Everyone should “BCP38” http://tools.ietf.org/html/bcp38
•You should only let packet exit your network that have valid source addresses
•Might seem obvious but few do it
•Why?

Wi-Fi
IEEE Frequency/Medi Transmission Access
Speed Topology
Standard um Range Method
1 to Ad
802.11 2.4GHz RF 20 feet indoors. CSMA/CA
2Mbps hoc/infrastructure
25 to 75 feet
Up to Ad indoors; range can
802.11a 5GHz CSMA/CA
54Mbps hoc/infrastructure be affected by
building materials.
Up to 150 feet
Up to Ad indoors; range can
802.11b 2.4GHz CSMA/CA
11Mbps hoc/infrastructure be affected by
building materials.
Up to 150 feet
Up to Ad indoors; range can
802.11g 2.4GHz CSMA/CA
54Mbps hoc/infrastructure be affected by
building materials.
Up to 175+ feet
Up to Ad indoors; range can
802.11n 2.4GHz/5.4GHz CSMA/CA
600Mbps hoc/infrastructure be affected by
building materials.
. Wi-Fi is simply a trademarked term meaning IEEE 802.11x (x here means the specific standard
like 802.11ab, there is no 802.11x standard exist ☺ )
.Does not stands for “Wireless Fidelity”
. IEEE 802.11x Standards

Wireless security (802.11)

•Originally defined so that 'nothing' was an option
•Because the protocol has optional security, it's often disabled
•By default
•Or... By an end user who can't get authentication working
•Many fully open access points out there
•With DHCP servers to happily offer you an IP

WEP
•The first go at security - encrypts transmitted data
• WEP's major weakness is its use of static encryption keys.
•A 'broken' protocol
•With an 'active' attack
•Where packets are solicited from the access point
•104-bit WEP key, probability of being broken - 50%, with 40,000 captured packets
•95% of cases, 85,000 packets
•ie. Less than 60 seconds at 802.11g speeds
•Don't use it.

WPA & WPA2

•Wi-Fi Protected Access
• WPA 2 replaced the original WPA technology on all certified Wi-Fi hardware since 2006 and
is based on the IEEE 802.11i technology standard for data encryption
• WPA's encryption method is the Temporal Key Integrity Protocol (TKIP). TKIP addresses the
weaknesses of WEP by employs a per-packet key system and scrambles the keys using a hashing
algorithm and a message integrity check to determine if an attacker had captured or altered
packets passed between the access point and client
•Can use a shared key, often used in small deployments
•Home
•Small offices
•Use WPA2

Rogue AP
•eg: I bring an access point into Swinburne's grounds
•Configure it with ssid `eduroam` (or 'freeWiFi')
•Attempt to lure Swinburne students to use it
•Sniff their packets as they go past
•802.1x will prevent this from working though (you will learn more about this in lecture 7)
•OR
•eg. I, a staff member, bring an access point into Swinburne
•Plug it into my desk port, because I want better wifi in my office
•I don't secure it
•Now anyone can connect to this AP and be 'inside' Swinburne's network
Detecting Rouge AP Attacks
Whitelist all legitimate access points by bssid and MAC address
• Evil Twin attack - Still attackers can spoof both bssid and MAC and become an Evil Twin of
the legitimate AP Detection - Hard
• In an Evil Twin scenario, pay attention to signal strength. Place wireless sniffer spread across
the network. Baseline signal strength between sniffer and legitimate AP.
• When Evil Twins are established, signal strength will deviate from baseline.
• Karma attack – Sophisticated Rouge AP attack
• Rouge AP listens for probe requests from nearby WiFi clients and responds to all probe
requests.
WiFi Client A: hey “Swin WiFi” are you there ?
Rouge AP: yes am here, am “Swin WiFi”
WiFi Client B: hey “Starbucks WiFi” are you there ?
Rouge AP: yes am here, am “Starbucks WiFi”
• De-authenticate legitimate WiFi network, While the clients are forced to Connect to the Rouge
AP
• Detection – Easy
• Send probe requests for a series of different ESSIDs. Single access point should not respond to
probe requests for multiple ESSIDs
• Legitimate access point receives huge traffic of De-authentication packets, Wireless Intrusion
Detection Systems (WIDS) will start alerting
Existing Soultions: Airwave (Aruba Networks), Fluke Networks (Analyzer Pro), Cisco
Aironet 600 series
How about Raspberry Pi with wireless Adapter?
Lecture 4 (Network Layer Security)
Layer 3 - the Internet starts here
Layer 3 and upwards, protocols are developed by IETF
• Internet Engineering Task Force [1] (part of the Internet Society (ISOC)) [2]
• (Do you remember who stand behind Ethernet?)
• Internet Protocol defined a packet switched network
• Original research ARPANET expanded into the Internet
• Defined in RFC791 – the document has still current status Internet Protocol, DARPA
INTERNET PROGRAM, Protocol Specification [1]
• Multiple independent interconnected networks
• The IP protocol implements two functions only
• addressing
• fragmentation
• Fully decentralized system
• Network operations are decentralized - neither central node nor network

Internetworking
• How to combine multiple networks together into one single
larger network?
• Connect a host on one network to another host on the other
network as though that was a single network
• Difficult as there are variety of data-link technologies
• IEEE 802.3 (Wired Ethernet), IEEE 802.11 (Wireless Ethernet),etc.
• Token-Ring, xDSL, etc.
• Frame-Relay, MPLS, etc.
• How they operate internally, e.g.:
• datagrams vs. virtual circuits (VCs)
• Addressing
• datagram size (MTU)
• Internet Protocol (IP) dominant solution for internetworking
• Exchange IP packets (datagrams) between hosts
otherwise we would have mandated a single layer2 technology
§ Routers connect networks and maintain routing tables
§ Network prefix
§ Next hop address, exit interface
§ Destination IP address matched against network prefix
§ Packets forwarded to the exit interface
IP addressing (IPv4)
(Recapitulation)
§ 32-bits per address
§ Written in dotted-decimal notation (common convention)
§ Four 8-bit decimal values separated by dots
123
01234567890123456789012345678901
aaaaaaaabbbbbbbbccccccccdddddddd (A.B.C.D)
11000000001100110110010000000001 (192.51.100.1)
IP prefixes (IPv4)
§ IP prefixes define blocks of addresses
§ Addresses in L-bit prefix have the same top L bits
§ There are 232-L addresses aligned on 232-L boundary
§ Written in address/length notation
§ Address is lowest IP address in the block, length is prefix bits
§ e.g. 192.51.100.0/24 represents a block from 192.51.100.0 to 192.51.100.255
Network portion Host portion
Prefix length = L bits 32 – L (bits) 32-bits
11111111111111111111111100000000
§ IP prefixes are useful for routing tables
§ Routers maintain routes in their routing tables
format: network prefix, next hop address and/or exit interface
§ IP addresses on one network belong to the same prefix

Packet forwarding
Packets are forwarded by routers
Routing tables determine where to forward each packet
Routing table contains routes:
Destination network prefix, next hop address/exit interface
Entries can be created by:
dynamic routing or static configuration
Internet IP addresses
§ Public addresses
§ Valid destination across the Internet (globally)
§ Must be assigned to before can be used (IANA - more in week 11)
§ Mostly exhausted, hence need for IPv6
§ Private addresses
§ Used freely on private networks (home or corporate)
§ Are separated from the Internet (good for security)
§ Require address translation (NAT) to access to the Internet
• 10.0.0.0/8
• 172.16.0.0/12
• 192.168.0.0/16
Spoofing packets
If one gains root access on a network host:
• can generate any packet
• even if it does not follow the protocol (makes no sense)
Details in the headers can be spoofed:
• packet's source IP address
• frame's source MAC address
Not effective when one wants to:
pretend to be another host (on the network)
pretend to be somewhere else (e.g. TCP)
Very effective to run Denial Of Service (DoS) attacks

IP source address spoofing

Host A is sending spoofed packets to Host B
Host B must reply with TCP:ACK to the source of the TCP:SYN
Host C is not expecting TCP:ACK hence will sent TCP:RST
Spoofing mitigation (BCP 38)
§ Network Ingress Filtering
Defeating Denial of Service Attacks which employ IP Source Address Spoofing
§ Recommended in BCP38 http://tools.ietf.org/html/bcp38
Best Current Practice by IETF
§ Solution: only let packets exit your network that have
legitimate source addresses
§ Might seem obvious but few do it. Why?

Fragmentation
Layer 2 networks have different Maximum Transmission Unit
(largest packet size that can fit through the link)
Ethernet 1500bytes, WiFi 2300 bytes
§ Larger packet size results in greater efficiency
§ Host A does know the whole path to Host B
§ Routers fragment packet to fit through to the next hop
§ MF flag in IP header (if is set it says More Fragments to follow)
§ Routers in the path do not reassemble fragmented packets
§ Destination host needs to store them and wait for all
fragments before passing datagram on to the higher layer
§ What Host B will do one of the fragmented packets is lost?
§ What Host B do if one crafts a series of malformed packets with MF flag set?
Fragmentation as a security issue (1)
§ Host B needs to store fragments for a set time
§ It will take resource at the host (e.g. memory)
§ An attack can be mounted to exploit it
§ Linux Kernel has some ipv4 variables to control reassembly
§ ipfrag_time, ipfrag_high_thresh, ipfrag_low_thresh, ipfrag_max_dist
§ Examples of IP fragmentation exploits:
§ Tinny fragment attack
§ Fragment overlap attack
§ (research fragrouter toolkit for more details)
§ Also useful to penetrate firewalls, evade IDS/IPS
§ Best practise: drop all fragmented packets at the firewall…
§ and enforce connecting hosts to use MTU Path Discovery mechanism

Path MTU Discovery

§ Mechanism to avoid fragmentation used in modern systems
§ Hosts can test path trying to send larger packets
§ IP header has a flag DF (do not fragment) to tell routers it
§ if any router in the path cannot fit through the packet while DF is set (do-not-fragment)
§ It sends feedback (ICMP messages) telling what size would fit
(MTU of the link to the next hop router)
§ the source host will record that value and use it when has to send following packets to the same
destination
§ If the path contains a link with even smaller MTU another ICMP
§ paths in the network changes over time
§ if path MTU increases the host will try to send larger packets again
§ Otherwise another router will message the host with its MTU

Nmap: Network Mapper (1)

Indispensable tool in security :
• Network discovery and mapping
• Network penetrations (testing and attacking)
Actively developed for 21 years
• most recent release 7.8 (10 Aug 2019)
Transmits raw IP packets to determine:
• hosts available on the network;
• services available on those hosts;
• operating systems versions;
• filters/firewalls in use;
Nmap: how it works(2)
Nmap exploits IP suite protocols in a way not
intended to be used, send traffic to scanned
networks:
• open TCP 3-way handshake but not continuing
• send TCP-FIN when there is no open connection
• TCP header with SYN and FIN flags set
• analyse sequence numbers, time stamps, etc.
• compare values of other fields in IP, TCP, UDP

Nmap: how to use it (3)

Basic interface via CLI
• Target specified in arguments, e.g.:
• scan entire subnet:
• nmap 192.168.100.0/24
• Scan type selected with switches, e.g.:
• perform TCP-SYN scan:
• nmap <target > -sS
Large network ranges and extensive scans take time
Refer to manual (man nmap) for more options

Nmap: Network Mapper (4)

Remember the TCP handshake to setup a transport layer connection:

Nmap: port scanning (5)

Port scanning is core functionality
Granular port states - more that open/close
open – TCP-SYN-ACK segment received
closed – TCP-RST segment received
filtered – port not accessible – possible firewall
(network or host based) rules dropping TCP-SYN
the state cannot not determined
unfiltered – possible state when performing ACK
scan, port accessible (used to map firewall
rulesets)
open|filtered, close|filtered (advanced scanning)

Nmap: port scanning techniques (6)

Most scans require root access to OS
Scanning techniques:
TCP SYN scan – half;
TCP connect scan (no root user);
UDP scan – protocol specific payload;
TCP NULL, FIN, Xmas scan – exploiting
flags in TCP header

Nmap: Fingerprinting (7)

Send a series of packets/commands:
• Some can be legitimate
• Some might be not legitimate
Use internal logic to guess OS version based on replies
Every version will reply in slightly different ways
Reason: determine existing vulnerabilities on scanned hosts:
• Customize exploits
• Network inventory and security audit
• Detecting unauthorized (read dangerous) devices
•
Social engineering

Access Control Lists (ACLs)

Essential network filtering mechanism
Permitting or denying selected packets, based on:
Source IP address
Destination IP address
Specific transport layer ports
Other characteristics (e.g. fragmentation, TCP flags)
Implemented on routers, effectively acts as static firewall
Needs to be assigned to interfaces (router has multiple of them)
Ingress (flow incoming via the interface from the network)
Egress (flow outgoing via the interface to the network)
Implementation
Netfilter/iptables (packet filtering framework in Linux Kernel)
Preventing IP spoofing as ingress packet filtering (BCP38)
ACLs are lists of rules, every rule is a statement:
Permit, Deny, Deny and log
Every rule specifies:
Destination and source targets
Network protocol and associated function or ports
Additional flags and identifiers
Every incoming/outgoing IP packet is tried against the list
Rules in the list are processed sequentially
Once a rule is matched, processing of ACL is finished
Packet is either permitted or denied (possibly logged)

Questions:
Internet Protocol (IP) provides two essential functions for internetworking: addressing and
fragmentation.
§ Explain why was it necessary to introduce packet fragmentation in this internetworking
protocol?
§ Outline how this mechanism in implemented in IP networks?
§ Explain: what particular security issue does this fragmentation mechanism introduce; and how
network hosts should be protected against attacks exploiting fragmentation?
§ Discuss what method has been implemented in modern operating systems to overcome
fragmentation mechanism?

Lecture -5
Ports
A port is a endpoint of communication, where a specific service/process can be identified
Port number is a 16 bit unsigned integer, ranging from 0 to 65535 (Source Port/Destination Port:
every application on application layer assigned a port for IP packet that traverse from application
layer to bottom layer)

Services
A network based application service/process that runs on a specific port can be client/server or
P2P. Well Known port numbers 0-1024
http: 80
https: 443
DNS: 53
SSH: 22
Can SSH server run on a different port ?
SSH is by default configured to listen to port 22 and only on port 22. You can configure your
SSH server to run on other ports, and extending the same method allows you to configure
your SSH server to run on more than one port.

Protocols
Protocols defines the rules/semantics of communication method in networks Layer 4 Protocols
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
There are more protocols on other layers
• Routing
• File Transfer
• Bluetooth
• Automation
• …… and more

TCP
Connection oriented Protocol, 3 way handshake (SYN, SYN+ACK, ACK)
• Used where reliability, Order of packet arrival and error-check is important
• Email, File Transfer (Use TCP for transportation of Data)
(Sender node send SYN message to Received node to establish a connection, Received node
sends back SYN+ACK message to sender node in response and Sender node again sends ACK
message to Receiver node and connection is established)

TCP Session Hijacking

Attacker sends fake SYN+ACK message to sender node for receiving ACK
message from Sender node and create fake TCP connections, this process is
known as TCP Session Hijacking.
UDP
• Connection-Less Protocol
• Used where dropping packets is preferable than waiting for packets delayed due to
transmission
• DNS, SNMP, DHCP (Use UDP for transportation of Data)
• Session hijacking becomes easy with UDP
• UDP flood

Defense Against Protocol Security issues (Use Secure Protocols like HTTPS,
FTPS)
• Encrypted Protocol medium – SSl , SSH, VPN
• Use Cryptographically random ISNs
• Firewalling, ACLs
Still does not prevent against Denial-of-Service attacks

Firewall (Stateless, Stateful and Dynamic Firewalls)

• layer 3 & 4 device
Can be an imprecise term – some use the term to mean “security appliances” - devices that do
everything and anything to do with security (UTM)
In this subject we will not use the term in this way
• Can be built into other devices, or part of an OS
• Come in three broad types Static, Dynamic, Deep packet inspecting

Firewalls (static)
•Bit-level rules applied to headers then...
•Allow
OR
•Deny (& log)
•Silently
or
•ICMP “Destination unreachable” sent to source
•Separate rules must be written for incoming and outgoing traffic flows.

Firewalls (dynamic)
•Bit-level rules applied to packets &
•Layer 4 (TCP, UDP) state taken into account
•For example
•An out-bound packet to a web server, from an internal client
•Return packets are automatically allowed
•(with a rule time-out)
•But an inbound packet without the corresponding outbound packet
•Block

Firewalls (deep packet inspection)

•“Understands” application protocols
• Inspect data payload
•Enforces “proper” application behavior
•Prevent tunneling (more on this later)
•Might be able to also match signatures of:
•Viruses
•Known malicious behaviors

Before DNS
•“host” file
•Transferred between machines [1]
•This did not scale
[1] L. Peter Deutsch, RFC606, "Host Names Online", Dec 1973
Now that we finally have an official list of host names, it seems about time to put an end to the
absurd situation where each site on the network must maintain a different, generally outofdate,
host list for the use of its own operating system or user programs.
For example, each of the TENEX
( SRIARC, BBNTENEX, USCISI,
different mapping between host sites to which and PARCMAXC) names and host
I have access has a slightly addresses: none
is complete, and I believe each one differs in some way from the official List. [1]
hosts.txt
•It is most likely you still have a hosts file on your device
•Can be used for your own entries
•Still operating systems check hosts file first before DNS.
•Also can be used to re-direct you unknowingly
•Some viruses modify your hosts file
•www.bank.com now maps to the wrong IP
(when you open a site, provides URL, system checks it own host.txt file for name resolution and
if not found then contact to DNS server. Some Viruses modify these host files and send you on
wrong website)

DNS
•1984/5 (continued development)
•Human-readable names to IP addresses (& vice-versa)
•Various record types can be returned
Field Description
A (Address) Maps host names to IP addresses, Identifies an IPv4 Host Address
CNAME (Canonical
An alias for an A record
Name)
MX (Mail
Identifies an Email server
Exchange)
PTR (Pointer) Maps IP addresses to host names.
AAAA Identifies an IPv6 Host Address
SRV Identifies a service in the domain

Forward and Reverse LookupZones

Namespace: training.contoso.com
DNS Round Robin
DNS
•Hierarchical distributed database
•eg: www.caia.swin.edu.au
•A hierarchy from right to left
•A common DNS server is BIND [1]
•“Berkeley Internet Name Domain”
•University of California at Berkeley - 1980s
•Used by root DNS servers.

DNS Queries – Recursive

There are two type of queries:
• Recursive queries.
• Iterative queries.
• Recursive query: Queries on a client behalf until the DNS server returns either
an answer or an error. The DNS server cannot just refer the DNS client to
a different DNS server.
• Iterative queries: An iterative name query is one in which If the queried DNS server
does not have an exact match for the queried name, it refers the client to
another server.
•Servers can also cache responses for speed and to ease the load of recursion

DNS root servers

•But wait. How do we know the addresses of
the root servers?
•“Hard coded”
• `named.root` file from BIND:
• Root servers hold a list of the authoritative name servers for the
appropriate top-level domain.
• The root zone file is a small (about 1 MB) data set
•Original DNS spec allowed for max packet size of 512 bytes
• So, with only 13 servers, can they be taken down with a (R)DDoS? …
• Someone claiming to be from anonymous:
•http://pastebin.com/XZ3EGsbc (Feb 12th, 2012)
•Anycast
•An IP address prefix, for example 136.186.50.0/24
•Configured & advertised from multiple places
•but the same service(s) at each location
• End-user hosts will have their packets routed to the 'closest' 136.186.50.0/24
•'closest' machine in terms of routing, but this is a good approximation of 'best' (physically
closest/lowest cost)
•Effectively spreads load (including DDoS)
• Keeps malicious traffic localized
•Anycast + huge amounts of bandwidth
•This kind of attack is near impossible
•Nothing came of the attack
•Attack later denied by Anonymous
•I guess this is what happens when you have a name and structure like Anonymous

DNS problems [1,2]

•No security
•“Man in the middle” attack (including censorship)
•Cache poisoning

DNS Cache poisoning

•http://www.youtube.com/watch?v=1d1tUefYn4U
•Make a DNS server perform a lookup
•Blast it with the wrong answer
•Varying the unique ID (a 16 bit number)
•Also maybe varying the source port (if it's not 53)
•Hope the wrong answer has the right ID and
source port - and is accepted as legitimate

Conclusion:
•DNS is critical
•Control the DNS, control what people see
•It is still a shared delusion though
•You could setup your own root servers and start
your own system
•Put in any entries you want, pointing anywhere you want
•Would anyone use your servers?
•Who knows, but no one will stop you.

DNSSEC
•DNS responses digitally signed
•So a chain of trust can be created back to the root
•Note: not full encryption
•An interceptor can still see what you are querying for
•Still not widely deployed
•Fully defined, software exists
•So I suspect it will be soon
•There is the small issue of no indication of DNSSEC usage to the user in most applications, yet
•Remember
•One piece of the puzzle
•Does not stop any other exploits
•You can run DNSSEC but still have your website defaced... get infected...heartbleed… etc
•Partial deployment is possible
•You main DNS server could be doing secure
lookups externally
•Returning insecure responses to your DNSSEC
unaware clients inside your network
•Better than nothing?
•Partial deployment is possible
•You main DNS server could be doing secure
lookups externally
•Returning insecure responses to your DNSSEC
unaware clients inside your network
•Better than nothing?

Questions
• When an nmap scan for operating system detection is complete. Based on the scan
results how is it able to predict the target operating system ?
• Can Nmap scan detect a new operating system not commercially known ?

Lecture-6 (Application Layer Security 1)

Services (application layer)
• Up to now discussed security vulnerabilities of lower layers:
• protocols for transporting, networking, link-layer or physical
• technically obscure, complex protocols,
• typically require root access to hosts,
• or dedicated devices and physical access to medium.
• Upper layers (applications) have even more vulnerabilities:
• anyone can (and many do) develop network connected program,
• not all know potential threats,
• high complexity at this layer,
• many things can go wrong as a result of bad coding.
• Two common security issues at application layer:
• buffer overflow
• bad input validation
• Securing applications is very extensive field (beyond networking)

Service exploits: buffer overflow

• An attempt to write more data into a memory buffer, than it was intended to store [1]
• Results in buffer overrun, an anomaly where code, while writing data to that buffer, overruns
its boundary and overwrites adjacent memory space
• Casually result in Segmentation Fault error:
• and often cause a service to crash (denial of service),
• but not allows remote code execution.
• Purpose injected data (machine code) allows remote execution of code [2]
• worse if it enables an attacker to execute arbitrary code at the same privilege level
as the service;
• the worst if the vulnerable service is run with the root user privileges;
• any code executed with root privileges have full control over the system;
• Some languages (e.g. C/C++) do not control array boundaries, thus the software
developer needs to use proper coding techniques [1]
Buffer overflow defense (1)
• Writing secure code
• Eliminate root-cause of the vulnerability, but:
• very expensive approach
• performance over security and correct coding prevails
• no built-in protection in C/C++ agains out-of-bound access
• Standard C library functions e.g. strcpy, strcat, gets - unsafe functions
• Analyzing source code or disassembled code:
• static analysis only
• no runtime-information
• many false-positives
• dynamic analysis - selecting susceptible buffers, creating buffer overruns:
• find locations calling unsafe library functions on buffers,
• find nonlibrary functions that read or copy user input,
• calculates the return address that attackers would
overwrite to inject string containing code.
• Microsoft anti-buffer overflow mechanisms:
• cookies to protect heap block structures:
• PEB (Process Environment Block),
• SEH (Structure Exception Handling),
• VEH (Vector Exception Handling) [1].

• Array bounds checking:

• compiler checking,
• memory access checking,
• high level languages e.g. Java, environments e.g. .NET,
• downside: decreased code execution performance.
• Runtime instrumentation:
• insert a small value called canary (StackGuard)
• create a global array with return addresses, then checks
it when function returns (Return Address Defender)
Service exploits: user input
• User input validation:
• Input handling – how application (system) handles the input from users, client systems, other
data received via network;
• Input validation – validating user input to ensure it is safe before its use
• Input data validation:
• the most effective technical controls for application security;
• Mitigate numerous vulnerabilities such as:
• Cross-site scripting
• Various forms of injections
• Some buffer overflows
Never take input the user provided to use it without validating (checking)
• Example – SQL injection:
• An application takes input from users,
• and stores that input in a variable,
• to execute the following SQL query to database:
• query = "SELECT * FROM users WHERE name = '"+ username +"';"
• Case 1: the user enters expected input: Ryan
• userName = ”Ryan”
query = "SELECT * FROM users WHERE name = ‘Ryan';"
• Case 2: what if the user types in: ' or '1'='1
• userName = ”’ OR ’1’=’1”
query = "SELECT * FROM users WHERE name = '' OR '1'='1';"
• Calling CLI programs: Bash scripting example
• (grep prints lines that contains a matching pattern)
• if grep ${USERNAME} user_list.txt 2>/dev/null; then
• authenticate_user
• else
• invalid_user
• fi
• user_list.txt:
• Bob
• Joe
• Tom
• Case 1: if input is Ryan, grep returns null and invalid_user function is called
• Case 2: if input is --invert-match Ryan, grep returns lines not containing string
Ryan resulting in calling authenticated_user function

Service exploits: mitigation

• Check and clean all input coming to your system
• Clean: remove or escape “bad” characters
• html:
• html can be manipulated easily
• Don't trust input, even if it is from a drop-down list
• Web Application firewalls can thoroughly check packets to prevent common
attacks
• Do check for packets as well as the application layer
• We know that packets can be manipulated however we want
• Do not trust packets, if you are working at that layer
• Checking applications can be done by experts in the field, or as part of wider
penetration testing
Proxy
• Network host that acts on behalf of other hosts
• Operate at application layer (layer 7)
• Always application specific:
Web proxy, DNS proxy, FTP proxy
• Act as intermediary between client and server
• Terminate connections
• that differs proxies from firewalls
• Often do caching, examples:
• example: caching web proxy
• Not done as much anymore
• Why? (hint: how web content is generated?)
• Might come back though...

Forward proxy

• Mask internal resources

• Privacy and security
• Outbound filtering (e.g. block “time-wasters”)
• Client-side caching: optimize bandwidth usage
• Additional content inspection (e.g. attachments)
Reverse proxy

• Proxy creates “a gap”: terminates clientconnections

• inspect, manipulate or drop incoming traffic
• Web Application Firewall
• Possible to inspect responses from the server

• SSL offload:
• terminating secure connection (optionally opens new secure connection)
• clear-text connection between proxy and servers
• Encryption process not need to be done by servers
• Load balancing
• no need to separate sessions for each client (proxy multiplexing connections)

SOCKS (Proxy)
SOCKet Secure (SOCKS)
• Network protocol at Session Layer
• application neutral and terminate any TCP stream
• Client software need to support SOCKS
• any modern will support it
• Original SOCKS4 protocol had no authentication
• SOCKS Protocol 5 extends SOCKS4 protocol
• Includes authentication
• Supports IPv6
• Relays UDP packets (e.g. to perform DNS lookups)

Web applications
Software offering services on the Internet using
Web technologies (application layer):
• virtually any digital device has a web browser,
• users not need to install software on the client end,
• growing machine-to-machine communication;
Potential threats:
• Open to the Internet – inherently untrusted network
• Developer not following best coding techniques
They might be the cheapest for a reason
• Deliver an application full of what we have just discussed
How do we provide additional security...?

Web application firewall

• Web Application Firewall ( WAF):
filters, monitors, and blocks HTTP traffic to and from a web application.
• WAF is differentiated from a regular firewall in that a WAF is able to filter the content of
specific web applications while regular firewalls serve as a safety gate between servers.
• By inspecting HTTP traffic, WAF can prevent attacks stemming from web application security
flaws, such as SQL injection, cross-site scripting (XSS) and security misconfigurations.

Apache HTTP Server

• Most successful Web Server
• Used to be most common, recently in decline[1]
• Flexible modular (plug-in) architecture
• Dynamic Shared Objects (DSO) support
• Example (see httpd.conf):
• # LoadModule foo_module Modules/mod_foo.so
• LoadModule bar_module Modules/mod_bar.so
• modules compiled as DSOs separated from httpd
• no need to rebuild Web Server to add a module

ModSecurity
• loadable module to Apache HTTP Server
• Provides an additional layer of security
• Acts as an application layer firewall
• Real-time web security monitoring and access control
• Full HTTP traffic logging
• Continuous passive security assessment
• Open source and Core Rule Set (CRS)
• Positive or Negative security model
• Negative : Don't allow X, Y and Z, allow all else
• Positive: Only allow A, B and C, deny all else
• Takes all input to an apache server and can block/allow/manipulate it based on your rules
• Signature based (can also do some basic threshold)
• The authors of the software suggested use:
a temporary fix for an exploit where there is no application patch yet
Can run in “reverse proxy” mode
A server “in front” of other web server(s) – 'protecting' them
A reverse proxy can be a good thing anyway
e.g.:
http://www.site.com/thing1/ -proxies through to
http://192.168.1.1
http://www.site.com/thing2/ -proxies through to
http://192.168.1.2
Scripts under /thing1/ get hacked – no problemsfor
192.168.1.2
•(But make sure the reverse proxy is not a
bottleneck, or a central point of failure)

ModSecurity: rule example (4)

• We want to be sure that access to a specific URI on the server is blocked. We want to respond
to such a request with HTTP status 403. We write the rule for this in the ModSecurity rule
section in the configuration and assign it ID 10000 (service-specific before core-rules).
• SecRule REQUEST_FILENAME "/phpmyadmin"
"id:10000,phase:1,deny,log,t:lowercase,t:
normalisePath,\ msg:'Blocking access to %{MATCHED_VAR}.',tag:'Blacklist Rules'"

DHCP
• Dynamic Host Configuration Protocol [1]
• Can be used for IPv4 or IPv6
• Originally not needed
• Computers never moved
• IPs manually, statically configured
• As number of hosts grow (and move)
• this does not scale
• Server / Client application
• Client gets a lease of an IP address for a period of time
• Can also transfer other useful information to hosts
• Default gateway
• DNS server
• NTP server
• Proxy server
• Works via broadcast frames
• Client: I'd like an address.
• Server: Here you go.
• DHCP relaying is possible
• A process picks up on the broadcast and relays it to
DHCP server as unicast
Benefits of Using DHCP
DHCP reduces the complexity and amount
of administrative work by using automatic IP configuration
Automatic IP Configuration Manual IP Configuration
IP addresses are supplied
IP addresses are entered manually
automatically
Correct configuration information is IP address could be entered
ensured incorrectly
Client configuration is updated Communication and network issues
automatically can result
A common source of network Frequent computer moves increase
problems is eliminated administrative effort
DORA

DHCP Lease Generation

1. DHCP client broadcasts a DHCPDISCOVER packet

2. DHCP servers broadcast a DHCPOFFER packet
3. DHCP client broadcasts a DHCPREQUEST packet
4. DHCP Server1 broadcasts a DHCPACK packet
What Is a DHCP Relay Agent?
A DHCP relay agent listens for DHCP broadcasts from DHCP clients and
then relays them to DHCP servers in different subnets

DHCP problems
• Protocol has no build-in authentication / security
• Security issues
• Rogue DHCP server
• Unauthorised client (mitigation: Lecture 7)
• Malicious client (mitigation: Lecture 7)

Rogue DHCP server

• Another DHCP server comes onto a segment andstarts handing out addresses (with wrong
gateway... etc.)
• Not always a purposeful attack
• Turning on network sharing on a windows laptop and walking into a new network will do it
• Mitigation
• Layer 2 firewall rules - DHCP snooping
• Detection

Questions
• How deep packet inspection is similar to WAF?
• What is the difference between them?
• Would you still implement Web Application
Firewalls if your network is protected by a firewall
and traffic is watched by an IDS?
Lecture-7 (Application Layer Security-2)
DHCP Snooping
• Problem Rogue DHCP Server

• DHCP Snooping Binding table is build by snooping the DHCP reply to the client
• Entries stay in table until DHCP lease time expires
• DHCP Snooping table can be written to bootflash, ftp, tftp in the event of failure

Layer 2 Firewall
• “Bump on the wire” or “stealth firewall”
• To introduce a layer 3 firewall on the network, needs resubnetting and operates on routed
packets
• Layer 2 transparent firewall does not require layer 3
separation between networks and operates on bridged
packets
• IP Packets that are embedded within these ports are
inspected as normal IP packets

Difference
Zone-Base Firewall Transparent Firewall
Operates at Layer 3 Operates at Layer 2
Two interfaces are in different Both the interfaces can belong
subnets to the same subnet
Since both the interface are
Packets are routed between bridged, packets are
interfaces forwarded after inspection
and ACL checks
• A zone based firewall can be configured in Transparent mode

Unauthorised client
•Any client will be given an IP, no questions asked
•No way to authenticate
•You can use MAC address to identify a client on theserver
• Return results based on this
•MAC addresses are easily changed though
•Mitigation:
Layer 2 authentication (i.e. 802.1x)
802.1x
•Uses central authentication server
•Good for when a shared key would not work
•Works over a wired, or wireless network
•Good for adding (an additional layer of) security to the physical Ethernet ports that are all
around a building 802.1x is called,
EAPoL when applied to 802.3 (Ethernet)
EAPoW for 802.11 link-layer (WiFi)
•Used at Swinburne for `eduroam`
• 802.1x is based on EAP (Extensible Authentication Protocol) to facilitate communication in
layer 2 between client and access point or switch.
• EAP is a framework protocol to provide authentication methods.
• EAP messages are exchanged between the client (Supplicant) and the authentication server
(e.g. RADIUS).
• APs and switches (Authenticator) forward those messages, while terminated the link-layer
exchange.
• RADIUS server (Authentication Server) maintains user credentials, and gives or reject access
to the network.
• The strongest security is achieved using cryptographic method incorporating TLS (Transport
Layer Security), where mutual authentication is achieved through a certificate exchange by
implementing PKI solution.
• Swinburne Eduroam has deployed a network of proxy RADIUS servers, while using
cryptographic method the supplicant submits username and password to RADIUS server at the
home institution via TLS tunnel.
Advantages
• Can prevent hosts that connect to network even before assigned an IP address
Limitation
• Not all of the Network Elements can support 802.1x
• Printers & copiers, AS-400, and other legacy equipment
• In those scenarios “MAC Sticky” or MAC based authentication is done, where MAC spoofing
is trivial
• Windows XP has major issues when the VLAN/IP address changes after 802.1X user
validation. Windows PE miss the EAP Host system (So no support for 802.1x)
• Implementing a solution based on 802.1x is high considering time, cost, resources,
infrastructure upgrade
• Inline Devices behind a NAT or Run a VM on top of a 802.1x authenticated host, simple

Malicious Client
• A client comes onto the network
• Takes all the IP addresses
Randomises it's MAC address
Make another request, accept
• 'IP address denial of resource attack'
• Not always bad for a client to want more
than one IP address (remember greynets)
• You would most likely configure your DHCP server
with 'knowledge' of your greynet addresses though
• Macof sends random source MAC and IP
addresses
• Macof -i eth1 2> /dev/null
• This will fill the CAM table on the switch, after which traffic
without CAM entry is flooded to every port on VLAN (hub)
• Also fills CAM tables of adjacent switches
• Port Security Limit Best Practice
• Allow only 1 MAC address per port
• Upon violation link should shutdown
• Upon link shutdown can send a SNMP trap
• Sticky port settings needs to set to survive
reboots
• Static MAC entries are favourable with
servers
Mitigation:
limit the MAC addresses per port ( port
security ) limit DHCP requests per port

Bluetooth Low Energy - Case study

• Malicious/Rogue/Unauthorised clients are easy to address in a Wired/wireless
Network with 802.1x, port security and monitoring
• How about in new wireless protocols
• Bluetooth Low Energy
• Zigbee
• LORA
• Heavily used in IOT devices
• Referred as Bluetooth Smart
• Operationally there are some overlaps with Bluetooth but BLE has completely different
lineage – Wibree.
• Sniffing on Bluetooth was hard, but sniffing in BLE is less challenging
• Less frequency hopping, hence energy consumption is less.
• Battery replacement is only needed after 2 years ( depends on device usage )
• Protocol Stack of BLE
GATT
ATT
L2CAP
Link Layer
PHY
• Since BLE is specifically designed for low powered devices, it does not
include all the common internet protocols
• GATT/ATT
• Services which are group of characteristics
• Each characteristic represents an operation
• Identified by 128 bit ID or 16 bits
• Example: 0x2A35 – Blood pressure
measurement, 0x2A76 - Location and speed

Bluetooth Low Energy – Case Study

• How to sniff BLE traffic?
GATT
ATT
L2CAP
Link Layer
PHY
• Ubertooth – Hardware capable of sniffing
Bluetooth traffic in monitor mode
• Problem:
• Replay attack
• Clear text
• No authentication
• Pairing method does not defend against
eavesdropper
• Issues
• Easy to say don’t use Smart Locks, but how
about Medical implants with BLE
• Glucose monitor
• 802.1x ?, Port security ?, Monitoring ?
• Remediation:
• Secure Simple Pairing
• Eavesdropping protection: ECDH
• Some vendors have their own security layer on top of
GATT – Has it been assessed by a cryptographer ?
• ECDH is costly
• ~ 5 seconds on a 8-bit CPU
• Defeats the purpose of low energy
• Battery replacement needs to be often (can be hard in
case of medical implants)

Questions:
• Difference between forward and reverse proxy ?
• How does caching proxy help in a incident response situation ?

Lecture- 8 (Attacks)
DoS
“Denial of Service” attack
•Broad, fairly imprecise term
•Can mean:
•Stopping / crashing / degrading of a
service
•Buffer overflow
•Using up all of a server's limited resources
•RAM
•Disk space
•CPU
•Bandwidth
Crashing (stopping) a service
•Requires an exploit / vulnerability
•Buffer overflow
•Can be triggered by quite a small packet, or set of
packets
•Sent often enough, and the service will be
effectively off, even if it's set to restart
automatically
RAM exhaustion
•Layer 7
•Application specific (send through lots of requests you know take server RAM)
•Layer 4 – SYN flood
•Send through many TCP SYN packets (and nothing else)
•State created and kept on in the server's RAM for each of these pending connections
• It will eventually run out of space to keep all these 'hanging' connection attempts
•Randomise IP source address so they can't easily filter you
CPU
•Layer 7
•Application specific (Know that a site search takes the server a long time? Blast site with search
requests.)
•Disk
•Difficult
•Create many log entries? Probably not the best way.
•Layer 7
•Application specific
Bandwidth
•Not application specific
•Popular
•Note: You need to have more bandwidth than they do
Bandwidth amplification is possible
• Any situation where a single packet solicits a larger response
• Bandwidth amplification must be performed with IP spoofing (Attacker spoofs the
victim’s IP address)
•For example:
•DNS
•Game server discovery process

DDoS
Distributed Denial of Service attack
•Commander controls multiple sources of attack...and they might all use an amplification method
• Commander uses 'C&C' (command and control) channel to command infected ('zombie') hosts
to all send traffic at the same time
•C&C channel could be anything
•IRC chat room, SSH, sophisticated tunnel...

Reflected DDoS
Same as above, but zombies send packets to a 3rd party with a forged source address of
the victim (Spoofing)
•Hides the zombies locations from the victim – added layer of anonymity for the perpetrators
• Amplifies attack: 3rd party resends TCP SYN/ACK packet multiple times
(D)DoS Mitigation
Very difficult
•If they're doing it right, simple firewall rules wont work
•Make sure you have enough RAM, Disk space and CPU
•To prevent TCP SYN based attacks use 'SYN cookies'
•Allows a server to keep minimal state (and thus RAM usage) during the TCP three-way
handshake
•Available in most operating systems
Prevent bandwidth exhaustion by filtering
unwanted traffic “up stream”
•Very hard to do
•If it happens, who do you call? Will they even care?
•A protocol for “push back” signaling? [1]
•No wide implementation of any strategy
•Some companies provide a “scrubbing” service
•Your traffic goes to them and their well provisionednetwork first
•Only the 'clean' traffic comes to you via a VPN/tunnel

Clustering
More than one server, acting as one
•Load sharing
•All servers work at the same time
•Fail-over
•One (or more) servers active with one (or more) standing by
•Load sharing requires a device to share the load
•Allows for scaling, but the load sharing device will cost
money
•Fail-over is cheaper
•eg. The backup can just detect when the primary fails, and
take over
Load sharing
•Can be done through DNS
•Query can return multiple (randomised) answers
[wharrop3:~] wharrop% host google.com
google.com has address 74.125.224.68
google.com has address 74.125.224.70
google.com has address 74.125.224.66
google.com has address 74.125.224.73
google.com has address 74.125.224.69
google.com has address 74.125.224.65
google.com has address 74.125.224.64
google.com has address 74.125.224.67
google.com has address 74.125.224.78
google.com has address 74.125.224.72
google.com has address 74.125.224.71
google.com has IPv6 address 2001:4860:4001:801::1009
google.com mail is handled by 40
alt3.aspmx.l.google.com.
google.com mail is handled by 20
alt1.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 30
alt2.aspmx.l.google.com.
google.com mail is handled
Load sharing
•Also done through hardware load balancing
devices
•Keep track of flows and make sure that where required,
a client is always handled by the same back-end
machine
•Or software
•Squid (http://www.squid-cache.org/)
•Pound (http://www.apsis.ch/pound/)
•And more...
Fail-over
•There will be hardware to do this
•You could make your own though
•Backup machine pings (or attempts to connect to a
service on) the main server once a second (or so)
•If no ping comes through for a given time
•Backup machine adds IP of main server to its interface
•There are issues keeping the machines in sync
however...
•You don't want to fail-over to a machine who has
content out of date

“The cloud”
just on-demand servers in a data centre (somewhere)
•Good for rapidly scaling (up and down)
•But there can be:
•Management and security/privacy issues

Zero-day exploits
•Preferred exploit discovery process:
•White-hat discovers exploit
•Alert vendor
•Vendor releases patch
•Users are alerted (finder credited)
•Users update their software
•Exploit code created
•Only un-patched users potentially infected
•Another exploit discovery process:
•Black-hat discovers exploit
•Sells exploit
•Users get hacked – no warning
•Exploit is finally reverse engineered
•Patch release and announcement
•Worse if this is a remote (un-authenticated)
exploit (i.e. heartbleet)
•“Remote zero-day exploits”

Privacy as a security issue

•You would be concerned
•If a memory stick of information left your network because of a physical breakin
•You were hacked and information was taken
•...But you're leaking sensitive information all the time
•eg. Search terms, entries left in other people's web logs, location history
•How did we guess that Apple was developing the iPad
•Big orders for 9.7 inch screens
•Think of the anti-competitive advantage Google might have over your company (if
they were evil)
•They see all the engineer's search terms
•They know what you were considering putting inside your new product
•Your employees and any social media:
•“Boy I hate working late”
•“Don't buy our product. It does not work.”
•“Anyone know how to do X, in programing language Z?”
•“What's the best single chip implementation of a DAB+ receiver?”
Questions
There were two types of problem that can occur from a buffer-overflow. What are these?

Lecture -9 (Defense in Depth Model)

IDS
•Intrusion detection system
•Takes raw data and classifies it into “good” & “bad” using various (tunable) methods
•Used inside your network
•Could be outside, but that would create a lot of data, as we've seen
•Can be network or host based
•Four broad types
•Signature (any layer)
•Anomaly (any layer)
•Darknet/Greynet (layers 3 & 4)
•Honeypot (layer 7)
•Don't have to be used in isolation Actual IDS implementation may blend the above types

IDS – signature
•Look for a known binary sequence, or events
•Issues:
•Signatures need to be updated
•Only known issues can be detected

IDS – anomaly
•Algorithms / Thresholds
•Trigger when values deviate from “normal”
•eg. Bandwidth, flows per second, hits on a http
server, number of VoIP calls to overseas ...
•Issues
• Tuning to “normal”
•Too sensitive and they produce too many alarms
•Not sensitive enough and you'll miss real problems

IDS – Darknet
Darknet
(or network telescope, internet motion sensor, black hole)
•Has been used for research
•Take a large unused contiguous group of public IP addresses
•/24 or more (the more the better for research purposes)
•Passively monitor inbound packets
•Why?
•All that traffic should not be heading there
•Traffic consists of:
•Directed attacks (i.e. nmap (SYN), viruses that perform network scanning)
•Backscatter (i.e. DoS attacks which employ spoofing)
•The bounce packet (i.e. SYN-ACK) from a victim when they are attacked with traffic that has
random source addresses set

IDS – Greynet
•A distributed enterprise darknet [1]
•Put the darknet inside your network .Can have a Graynet subnet, or a/few Graynet host(s) inside
every subnet (passively listen to traffic and don’t reply)
•Distribute 'dark' IPs amongst 'lit' IPs
•Makes the dark space harder to detect and avoid
•Any connection attempts to these IP addresses probably mean the source host is infected (or
nmap scanning)
•Simple and lightweight method compared to deep packet inspecting IDS

IDS – Honeypot
•Set a trap
•Instantiate unused 'hackable' servers/services (eg. An old Win2k machine called 'accounts',
running an exploitable IIS web server)
•Could be done with virtualisation
•Hope that intruders go for these first
•Set alarms on these services/files
2 Types
Low interaction
- Easy to deploy
- Low risk - simulation of real host
- Less control for attacker
High interaction
- difficult to deploy
- high risk - Involves real host
- more control for attacker

IDS Data interpretation

•Can auto-configure a response to an IDS
•IPS (Intrusion Prevention System)
•Is this a good thing?
•That is up to you.
•How often does it get things wrong & make you mad?
•A web attack! Or just the website getting popular?
•VoIP hack! Or the company got a new contract?
•Human interpretation
•Issues with being overwhelmed with data

IDS – evasion
•Difficult, but if you know the IDS well enough...
•Hide actions through tunnels / encryption
•Go very slowly (threshold based)
•Go really fast
•Overwhelm the administrator with false positive alarms
•Then attack
•Change the meaning of “normal” activity on the network [1]
•Then attack
Encryption
•Use a secret key to scramble a message
•Highly improbable that anyone else can undo in a reasonable amount of time, without the key
•Symmetric
•We each need the key – it en- & de-crypts
•Examples: DES – Triple DES – AES
•Key distribution problem
•Asymmetric
•Also known as public & private key cryptography
•We each have a public, and a private key
•One decrypts messages encrypted with the other
•Can be used for authentication and encryption ( how?)
•Can't derive private key from public
•Mostly solved the key distribution problem
•Can occur at any layer
•Layer 2 - 802.1x
•Layer 3 - IPSEC
•Layer 6 - SSL/TLS
•Layer 7 – SSH

VPN
•Virtual Private Network
•Broad term covering a lot of technologies
•Commonly an encrypted connection created over the public Internet to allow two networks to
securely communicate
•Even more common – allow a single device secure access to a corporate network
•Usually IP over:
•IP
OR
•UDP or TCP (to get though restrictive firewalls)
•Results in a device with a pseudo Ethernet device
•With an IP from the corporate network
•We now send all packets to that interface
• Except packets for the VPN server!

Tunnels
•All ports closed on a network, except 80 and 443
•How could we use IMAP to check email? Tunnel.
• The protocol stack is only a suggestion...
•IP packet inside another IP packet? Sure.
•IP packet inside a UDP packet? Sure.
•Ethernet frame inside a UDP packet? Sure.
•TCP connection over a HTTP connection? Sure.
•NOTE! We need two parties to tunnel
•One at each end to en- & de-capsulate the traffic
•Examples:
•SSH – feature built in
• ssh L [local port]:[remote machine]:[remote port]
•httptunnel [1]
•Server: hts F server.test.com:23 80
•Client: htc F 23 server.test.com:80
•How will firewall react to this?
•Can you detect this? How?
•Is this much different to a VPN?
•Is it legal?

Defence-In-Depth
Buying all the security products in the market and using them is not defence-in-depth
Implementing/using layers of needed controls to reduce the impact of an attack is defence-in-
depth
• Every attack should be time-consuming and sophisticated for an attacker to perform, which
eventually makes to give up the attack
• Risk + Likelihood = Impact
What if its nation-state or state-sponsored, well funded attack
• Its war, All you can do is be prepared
• Cost($) of Damage and Risk – is the language the business teams will understand, not the
technicalities

File Permissions
*nix Systems:
• Each file has 3 sets of permissions
• Permissions for Everyone, Owning Group, Owning user
• Each of these permissions can be defined by rRead, w-Write, x-Execute
• Now roger needs access to the test file.
• Add roger and support to a new group and
change file ownership to new groups name.
• chgrp – to change ownership
• chmod – to change file persmission
Permission ---- Owner---- ---- Last Modified Time
--------- # of hard links1 root support File Size date
Filetype- rwx(user group other) User-group
• Windows took File permission to next level (NTFS and ReFS)
• FAT32 does not support Permissions at all
• Every file permission can be assigned to any number of users, groups or “Everyone”
using ACLs
• Everyone (built-in security group) in windows – encompass authenticated users, built-in
guest account and other special accounts .
• Fine-Grained permissions at folder level set for inheritance bysubfolders and children
• Any change to parent folder, replicates to child subfolders
• Security-Enhanced Linux(SELinux) enforced application-level and network-level
permissions
• Only certain applications can access specific folders
• Fine-grained application level permission can take time to harden a SOE image
• Windows dominates End-User technology and corporate domains, while *nix dominates
the Application server and datacentre world
• Business competitiveness is driving each product to other kernel’s dominant spaces too

Network Shares
• Samba – open source software implementation of networking protocol to share files
• Share files between *nix and windows machines
• Printer services
• Integration with windows AD
• Read only – controls the ability of not creating or modifying files
• Guest ok – no password needed to access file
• Writeable – write privileges
• Server Message Block (SMB)
• Windows Specific File share protocol running at application layer
• SMB v1 was also known as Common Internet File system (CIFS)
• Access to Files, Printers, serial ports and other communication in network
• SMB signing adds additional capability to digitally sign the SMB connections
• Security issues found so far mainly within the protocol itself, Other vulnerabilities
primarily around lack of support for newer authentication protocols like NTLMv2 and
Kerberos
• If you have accessed a files in your network share, then you have already used SMB protocol
• Eternal Blue Exploit – Affecting Older version of SMB and Samba
• Timeline
• 2012 or even earlier - NSA identifies the vulnerability and develops an exploit tools
based on it called EternalBlue. Tools is locked down only for use by NSA
• Early Mid 2016 – Hacking group “Shadow Brokers” gains access to NSA systems obtains
documents related to vulnerability and tools
• Jan 2017 – Shadow Brokers begin selling tools related to eternal blue
• Early Feb 2017 – NSA tells Microsoft about the vulnerability exploited by Eternal Blue
• Feb 14th 2017 – Microsoft announces Feb patch Tuesday updates will be postponed.
“We have discovered a last minute issue that could impact some customers”
• (Timeline Continued)
• What was the SMB exploit ?
• CVE-2017-0144
• 1st bug - in the process of converting File Extended Attributes from OS2 structure to NT
structure by SMB (srv.sys driver) lead to a buffer overflow in the non-paged kernel pool
• 2nd - Parsing bug between a word to Dword
• 3rd – with 1st bug that lets you allocate a memory in the kernel pool with specified size , now
by increasing the data size the data in adjacent memory can be overwritten
• Combining all 3 bugs, EternalBlue tool was built to exploit and gain access to systems via
SMB

• (Timeline Continued)
• Late Feb 2017 – SMB Vulnerability exploited by EternalBlue was publicly identified as
CVE-2017-0144
Defence-in-Depth : Intel
• At this point in time – if you have a threat intel team, or threat
subscription, the CVE description has highlighted there an SMB
specific vulnerability
• Which should allow you start gathering the SMB version in use,
and where it is being used within your oganisation
• March 14 2017 – Microsoft release patch for CVE-2017-0144, MS17-010 with Risk
rating CRITICAL (https://technet.microsoft.com/library/security/MS17-010)
Defence-in-Depth : Patching
• At this point in time – you should be ready to run the patch across all system without blockers
• Legacy/un-patchable systems must be segregated, added compensating controls and Monitoring
should be placed.
• (Timeline Continued)
• April 14, 2017 – Shadow Brokers released 300 MB of NSA tools in github, including
EternalBlue
Defence-in-Depth : Threat Monitoring
• At this point in time – Update your Security control’s by adding signatures for the released
tools, so when attacker uses it against your organisation, you get alerted and perform IR
Defence-in-Depth : Risk
• At this point in time – Calculate the Risk around the impact and likelihood of an attack, also
attribute it to cost.
• (Timeline Continued)
• May 12, 2017 – Exploitcode was used by Malware authors to create a ransomware that
was name “Wannacry”
Defence-in-Depth : Threat Monitoring
• At this point in time – Update your Security control’s by adding signatures for wannacry, so
when attacker uses it against your organisation, you get alerted and perform IR
• Monitor for new variants
Defence-in-Depth : Re-calculate Risk
• At this point in time – Calculate the Risk around the impact and likelihood of an wannacry
infection, also attribute it to cost.
• Employee plugs in an wannacry infected USB disk, how many systems can get locked
down ? Have you analysed ?
Defence-in-Depth : Pentest
• At this point in time – Once you have enough assurance that your network defences are good,
run a Penetration test exercise to see how good was the implementation to identify and harden
further.
• Did the patching go well, any system got missed ?
• Was there an implementation problem ?
• Legacy systems are good well guareded ?
• Can the monitoring team pickup your attack as per signatures ?
• (Timeline Continued)
• Mid May 2017 – CVE 2017-7494 was released, Eternal Blue Exploit for Samba
(SambaCry)
• There you go – Defence-in-depth lifecycle starts again !
• March 14 2017 (patch released) to May 12 2017 (first Etnernalblue ransomware). ~3
month window for patching
• Still systems are infected by wannacry and ransom payment is being made to the get
disks decrypted
• Last payment was on 14-02-2018 -
https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
• Does take a lot of effort to explain and get support from both Business and technical
Administration teams

Lecture-10 (User Authentication)

User Accounts
•User account in business
• Naming conventions
• Password Policies
• Account Expiry
• Number of Password attempts
•Groups added for privileges
How the environment can be
monitored?
Bloodhound tool
How to trust the user from misuse privilege?!
•Internal Threats
• External Threats
Internal Threats
- User Access and Rights
- Issue: 3rd Party exposure
- Using IGP (Identity – Group – Permission) method
- Defence/Resolution: Contractual/compliance
- Using IGDLP or IGUDLP methods
- User Access and Rights
- Issue: Nesting Groups or high privilege group membership
- Privilege can slip via nested groups
- Compromising PDC by attacker and add
himself/herself to the high privilege groups
- Defence/Resolution: Recurring Auditing and Constant Monitoring
- Identifying Nesting by some tools like Bloodhound
Internal Threats
- User Access and Rights
- Issue: Nesting Groups or high privilege group membership
- Privilege can slip via nested groups
- Compromising PDC by attacker and add himself/herself to the high privilege groups
- Defence/Resolution: Recurring Auditing and Constant Monitoring
- Identifying Nesting by some tools like Bloodhound
External Threats
- User Access and Rights
- Issue: Losing the data on the hard drives of
desktop/mobile computers
- Defence/Resolution: BitLocker
- The entire drive could be encrypted and not allowing access to data without key when
unlocking the drive
- Make easier of retrieving of key for computers on the domain to recover data
Authentication
• Popular Term
AAA (Authentication, Authorisation, Accounting)
• Authentication
• A way of identifying a user
1. Typically by having the user enter a valid user name and valid password
2. AAA server or authentication server checks provided credentials and compare with defined
one in database
3. The user is granted access or prevent of access to a specific resource(s)
MFA (Multi-Factor Authentication)
• Method of identifying user via presenting two or more pieces of evidences (factors)
1. Typically by having the user enter a valid user name and valid password
2. User needs to present (an)other method(s) of factors to
AAA server or authentication server:
• Knowledge (Something the user knows)
• Possession (Something the user has)
• Inherence (something the user is)
3. The user is granted access or prevent of access to a specific resource(s)
Difference between 2SV and 2FA?
The main differences between these verification methods are:
Two-step verification (2SV) requires choosing a particular trusted device to be challenged, and
this will be the device that receives the code via SMS, email, etc.
Two-factor authentication (2FA) challenges all trusted devices. When a trusted device is
challenged with 2FA, it doesn't receive anything, it actually generates the code, such as yubikey,
Google Authentication, smartcard, etc.
Knowledge (Something the user knows)
The knowledge factor is the most common category of credentials used for authentication
• Password
• Personal Identification number (PIN)
• Pattern
Possession (Something the user has)
In a security context, is a category of user authentication credentials based on items that the user
has with them, such as a hardware device (yubikey – http://www.yubico.com)
• Security Token (Hardware or Software)
• Mobile phones (with Software Token)
• Smart card (or Virtual Smart Card)
Inherence (Something the user is)
Consisting of elements that are integral to the individual in question, in the form of biometric
data.
• DNA
• Fingerprints
• Eye retinas
• Voice Pattern
• Facial patterns

Password cracking
•John The Ripper (included in practical software)
•Take a password file line:
• lslowman:$1$fWl69cRs$gCB.nqb82/VG2BJkH3Qq7/:15592:0:99999:7:::
•We can not directly reverse the hash (red)
• BUT
•We can take common words and hash them
•Compare the hashes
•People :
•Use common words as passwords
•Use common methods to make them 'complicated'

GPUs
•Graphics Processing Unit (GPU)
•3D (and 2D) graphics
•Can do more than 3D though
•Video decompression
•Any “embarrassingly parallel” tasks
•Programming interfaces
•CUDA
•OpenCL
•Computation specific

Super computers – with GPUs

•http://astronomy.swin.edu.au/supercomputing/
•gSTAR - 50 machines
•2 six-core Westmere processors at 2.66 GHz
•48 GB RAM
•2 NVIDIA Tesla C2070 GPUs (each with 6
GB RAM)

Password cracking with GPUs

•Get the GPU to do:
•The hashing and with some programs
•Password manipulation
•Dictionary word: hello
•Card tries:
hello, Hello, HELLO, hello1, hello2..., h3llo,
h31lo, h311o ...

GPUs – speed
•Massive speed increases
•md5 hashes (from a Linux password file) and john:
•CentOS VM ≈ 1,000 attempts/sec
•4 core Intel FreeBSD ≈ 34,000 attempts/sec
•1 CUDA device ≈ 731,000 attempts/sec
•Brute force with oclhashcat-plus
• 1 CUDA device ≈ 1,600,000,000 attempts/sec

GPUs – more than 1...

•25-GPU cluster cracks every standard Windows password in < 6 hours
• It can try an astounding 958 combinations in just 5.5 hours, enough to brute force every
possible eight-character password containing upper- and lower-case letters, digits, and symbols

Passwords
•You need to use strong passwords
•You need to use different passwords
•“Passwords: how to choose one and why we need them ” P. Branch

Lecture-11(The Internet)
The Internet
• Global network of networks
• Converged telecommunication system
• Based on the Internet Protocol specification
• Initially based on IP version 4
• Currently IP version 6 in the roll out
• Extremely lengthy process
• Initial specification in December 1995 (RFC 1883)
• Updated specification in December 1998 (RFC 2460)
• Approved specification in July 2017 (RFC 8200)
• Architecture based on layer 4
• Internet Layer of TCP/IP stack
• Allows connect networks together
• Applied global and universal addressing
• Abstracts underlaying networks and data transmission
• Provides end-to-end data transfer independently from network technologies and changes
• Often presented as hourglass architecture (image source: Wikipedia)

Internet Numbers Registry System

Internet Corporation for Assigned Names and Numbers
• Non-profit organisation (registered in the USA)
• Coordinate of Internet namespace (DNS)
• Oversee global IP addressing (IANA) and other numbers
• Internet Assigned Numbers Authority (IANA)
• “is a role, not an organisation” (IETF RFC 7020)
• Currently fulfilled by a department in ICANN)
• manages the global pool of IP and AS numbers allocation
• Delegates Internet resources to RIRs
• Managing Internet protocols’ numbering systems
• Service Name and Transport Protocol Port Number Registry
Regional Internet Registry (RIR)
• ARIN (American Registry for Internet Numbers)
• RIPE NCC (RIPE (Réseaux IP Européens) Network
Coordination Centre)
• APNIC (Asia Pacific Network Information Centre)
• AFRINIC (The Internet Numbers Registry of Africa)
• LACNIC (Latin America and Caribbean Network Information
Centre)
• Assign PI (Provide Independent) addresses to ISPs
• ISPs may subnet it further and provide PA (Provider
Aggregatable) address space to its customers

Regional Internet Registries (RIRs)

Addressing space types
Provider Aggregable Address Space (PA addresses)
• classless inter-domain routing (CIDR) [RFC1519]
• assigned by an Internet service provider (ISP) to customers
• routing information for many customers aggregated outside of the ISP’s routing domain
• Bound number of routes in the Internet to acceptable level
• Propagating routes to every customer throughout the inter-domain routing would have an
adverse result.
• Why? Think how IP traffic is being forwarded by routers
• Provider Independent address space (PI addresses)
• assigned to its user permanently
• Typically PI addresses assigned by the registries (RIRs)
• Advantage: the user does not have to reconfigure their hosts and routers if they decide to leave
a particular service provider
• Disadvantage: expensive to route, typically aggregation is not possible.
• All early Internet address space assignments were PI (provider independent)

Security implications
• ICANN (IANA function) maintain policies regulating use of IP addressing space across the
Internet
• Remember: defense in depth security model? Policies form one on the security layers
• IANA Global Addressing Policies:
• Regulate how addressing space is delegated to RIRs
• https://www.icann.org/resources/pages/global-addressing- 2012-02-25-en
• RIRs, NIRs, LIRs define own policies
• e.g. APNIC Internet Number Resource Policies
https://www.apnic.net/community/policy/resources

Routing in networks
• Routing protocols
• implement algorithms for computing routes
• selecting a path for traffic across multiple networks
• construct routing tables to direct packet forwarding
• Routing tables
• record routes to various network destinations
• usually built with assistance of routing protocols
• entries can be specified manually
• large networks topology changes constantly
• manual construction of routing tables unfeasible
• Two broad categories of routing protocols
• Interior gateway protocols
• Exterior gateway protocols
• Interior gateway protocols
• Within a system managed according to one routing policy
• Dynamic protocols, core routing decisions computed
• Routing tables converge based on calculated path costs
• Implementations: RIP, EIGRP, OSPF, IS-IS
• Exterior gateway protocols
• Between independent systems (Autonomous Systems)
• path based, network policies, or rule-sets
• Network administrators make core routing decisions

Routing in the Internet: BGP Basics

• The Internet
• collection of interconnected Autonomous Systems
• BGP provides the routing mechanism between these ASes
• BGP is the glue of The Internet
• Path-vector routing protocol
• Policy-base: ISPs will implement their routing policy
• BGP is the only routing protocol to use TCP
• OSPF and EIGRP operate directly over IP.
• IS-IS is at the network layer, but is network neutral.
• RIP uses the UDP for its transport layer

Autonomous Systems (AS)

Connected group of IP prefixes run by one or more network operators which has a SINGLE and
CLEARLY DEFINED routing policy [1].
• Multihomed: connected to more than one other AS
• Stub: connected to only one other AS
• may have private peering not reflected in the Internet
• Transit: AS providing connections through itself
• Internet Exchange Points (IXP)
• physical location where different IP networks meet to exchange local traffic with each other via
a switch

AS: Internet Service Providers

• Internet Service Providers
• Connect consumers and businesses to their network
• provides (usually sells) access to the global Internet
• Tier 3 ISPs
• Network operators who solely purchase IP transit from other networks to reach the Internet
• Tier 2 ISPs
• peering with other networks (free and reciprocal connection)
• also purchases IP transit to reach some portion of the Internet
• most common Internet service providers
• Tier 1 ISPs
• large ISPs have access to the entire Internet Region
• only maintain free and reciprocal peering agreements

AS: ISP tiers

Image Description
AS Numbers (ASNs)
• The current AS pool of addresses was predicted to run out by 2012.
• For this reason, the IETF has released RFC 4893 and RFC 5398.
• These RFCs describe BGP extensions to increase the AS number from the two-octet (16-bit)
field to a four-octet
(32-bits) field, increasing the pool size from 65,536 to 4,294,967,296 values.

BGP (2)
An example routing topology:
BGP is the sole routing protocol used for inter-AS peering (eBGP).
A single AS can be multi-homed within the same eBGP session (AS2-AS3 and AS3-AS4) or use
multiple eBGP sessions for the purpose (AS1-AS3/AS1-AS4 and AS4-AS3/AS4-AS1). Each AS
deploys its own IGP (RIPv2, IS-IS, OSPF) to route between internal subnets (not depicted) and
uses iBGP to connect the BGP boundary routers of the AS internally in a full mesh or using
Route Reflectors. [1]

BGP – Entry growth

“Active BGP entries (FIB)”

BGP security
• So it appears we all just get together and we believe each other's rumours.
• So what is the method with which we prevent incorrect or malicious advertisements from being
propagated?
• Cryptography? Public, private keys?
• King of the Internet? Both?
• Protocol is simple, configuration complex
• Entire world can see your mistakes (and will be impacted)
• So what is the method with which we prevent incorrect or malicious advertisements from
being propagated?
• There is none.

BGP Security: YouTube Hijacking

• 24 Feb 2008 - Pakistan Telecom sends out an unauthorized announcement of the prefix
208.65.153.0/24
• PCCW Global, an upstream provider (ISP for ISP) forwarded this announcement to the rest of
the Internet
• Assumed to be a local censorship attempt gone wrong
• The telecom operator tried to block YouTube website
• Fixed in a matter of hours

BGP Security: national outage

• 23rd Feb 2012 – Telstra accepts “bad” announcements from Dodo (a peer)
• Telstra internet stops working as all traffic flows to Dodo
• Industry sources said the network issue came as a result of Dodo mistakenly issuing new IP
route addresses from its system that confused Telstra's systems and caused blackouts on the
AS1221 upstream router.[1]
A memo purportedly from Optus, … indicated Dodo had "decided to advertise all the global
routes it knows to Telstra and for some unknown reason Telstra then accepted these as 'best path'
which in effect meant ALL traffic originating from the Telstra network would try and route
traffic via Dodo".[1]

BGP problems
• How do we talk? (Integrity)
The manner in which the BGP session between the BGP speakers is secured such that the
conversation is not altered, disrupted or hijacked and is protected from unauthorised
eavesdropping.
• Whom am I talking to?
Verifying the identity of the other party and verifying that they are authorised to speak for the
routing entity that they purport to represent.
• What are you saying?
Verifying the authenticity and completeness of the routing information being passed in the BGP
session.
• Should I believe you? (trust)
• Verifying that the routing information actually represents the state of the forwarding system.
• How recent is your information and is it still valid?
• Verifying for how long routing information is valid.
• Most of these can be considered open issues
• BGP has almost no security at all.
• This leads to the news stories...

Internet Protocols: IPv6

• Two publicly available Network Protocols
• The current version 4 (IPv4)
• initially deployed starting 1983
• the next version 6 (IPv6)
• Introduced in 1998 by IETF
• In deployment since 1999
• Addressing models:
• Unicast
• Multicast
• Anycast
• (no broadcast like found in IPv4)
• Still not widely deployed by Internet Providers
• No clear incentive for Service Providers
• Migration techniques are available:
• Dual-stack
• Run IPv6 stack concurrently to IPv4 stack
• Tunnelling
• Transport IPv6 traffic through IPv4 network backbone
• Protocol translation
• NAT64 as an exchange between IPv6 and IPv4 network

Internet Protocols: IPv4 exhaustion

Exhaustion of IPv4 address space
• ARIN maintains waiting list for unmet IPv4 requests
• RIPE NCC allocates address space from the last /8
• APNIC maintains waiting list for unmet IPv4 requests
• AFRINIC – nearly exhausted (daily updated chart)
• LACNIC – final phase of IPv4 exhaustion

IPv6
• Primary advantage:
• larger address space of 128bit (among other less pressing
features)
• IPv4: 232 = 4,294,967,296 ≈ 4.3 billion (1 billion = 109)
• IPv6: 2128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 ≈
340 undecillion (1 undecillion = 1036) or 3.4x 1038
• to compare:
• estimated total human 7,442,000,000 = 7.442 billion [1]
• estimated human cell number is
37,200,000,000,000=3.72×1013=37.2 trillion [2]
• It shares many base concepts from IPv4
• But not compatible with IPv4 at all
• i.e. devices that support IPv4 only, do not work with IPv6
• Major security risk with IPv6:
• It is still new
• Very few have a clue what it is
• Many will deploy it with little understanding
• You mean I needed to have a firewall for IPv6 too?

IPv6 vulnerabilities
• Some issues still exist
• few examples – more reading here [1]
• Neighbor Discovery (ND) process to find MAC addresses[2]
• (ARP is not supported to convert IP to MAC any more in IPv6)
• using ICMPv6 Neighbor Solicitation to send to the link-local multicast address
• this packet will reach all active link-local addresses on the network
• multicast address FF02::1 can be used to send ICMPv6 Echo Request
• all active local hosts should reply to that from their link-local address
• DHCP6 + Router discovery (Man-in-the-Middle)
• ICMPv6 Router Discovery+ Router Advertisement

• In some ways, things are better

• IPsec (was mandated, but now is not)
• But, a larger number of IPv6 hosts will do IPsec
• Network scanning is far less effective
• An IPv6 subnet has 2^64 (18 446 744 073 709 551 615) addresses
• Less network scanning and more bandwidth based DoS
• that does not mean that devices can not be discovered [1,2]

Modbus Protocol
• Serial communication protocol used with PLCs
• Maintained by Modbus Organization since 2004
• Originally published by Schneider Electric
• Common communication protocol
• Commonly used in industrial networks
• Connecting controllers (PLCs) to
• SCADA (supervisory systems)
• DCS (distributed control systems)
• Master/Slave protocol
• Master polls slave devices regularly to get information
• Each device assigned its unique address on a data-link
• One device designated as Master can send commands
• Address + Function Code + Data + Error Check
• Command types
• Read discrete inputs (1 bit – on/off)
• Force/write or read coil(s) (1 bit – on/off)
• Read input registers (measurements and statuses)
• Preset/write or read holding registers (configurations values)

Modbus TCP security implications

• Modbus TCP (or Modbus TCP/IP)
• a variant adopted on top of Ethernet TCP/IP networks
• the same data format is now sent over a TCP connection
• Default connection over TCP port 502 Protocol Security?
• Clear Text (ASCII Mode)
• Each byte is encoded as two hex characters
• easy to decode Modbus protocol when capturing IP traffic
• No Authentication
• Anyone can send Modbus request and…
• Activate a coil, modify configuration registries
• No object description
• request returns plain values
• no context, no unit of measurement

What is BCP38?
BCP38 – also known as “Network Ingress Filtering” is concept where we filter incoming
packets from end customers and allow packets ONLY from IP's assigned to them. ... Now e.g IP
pool for User-1 is 192.168. 1.0/24 and is using 192.168. 1.2 out of it while IP pool for User-2 is
192.168.

CAM (Content Addressable Memory) MAC Address Memory, a Table in a switch that
contains IP Address against MAC Addresses.
Mac Flooding -Fill the CAM table (by MAC address spoofing) its mitigation is
Mitigation
•Limit the number of MAC addresses allowed per-port
•Detect and report

An attack: (Arp Spoofing) its mitigation is

Mitigation
•Static ARP table entries (hard to manage)
.Dynamic ARP Inspection (DAI)
•Detection

•VPN
•Virtual private network
•Encrypted tunnel between end points (most often created across the internet)
•Usually IP over IP
•or TCP/UDP (for firewall traversal)

Tunnels
•Encapsulate one protocol inside another on onehost
•Send across network
•De-encapsulate at other host
•Vice-versa for reverse direction
•Tunneled traffic appears to (stupid) intermediate hosts as the outer encapsulation
•Can be used to transfer data in and out of company in stealth
•RDDoS (Reflected DDoS)
•Reflected DDoS
•Zombies forge source address to be that of victim
•Send packets to other hosts on the internet
•Amplification if eg. TCP SYNs are used, as SYN/ACKs are retransmitted if there is no response