Network Security

Lecture 6

Presented by: Dr. Munam Ali Shah

 Summary of the previous lecture

 We discussed different types of security attacks

 We looked how viruses, worms and Trojan can
be harmful for a computing environment.
 Outlines
 Botnets
 More discussion on DoS attacks
 Cost of a DoS attacks
 ICMP Echo Datagrams
 TCP 3-Way Handshake
 TCP SYNC Flood attack
 Objectives

 To be able to distinguish between different types of

security attacks
 To identify and classify which security attacks leads to

which security breach category

 Botnets
 A virus or worm often doesn’t do any immediate damage
in order to stay invisible
 and spy on users (log keystrokes, steal serial numbers
etc.)
 or add affected machine to a botnet (the machine
becomes a bot)
 Botnet – a network of “owned” machines (bots)
 controlled usually via IRC protocol or P2P network
 used to send spam, launch DDoS attacks; also phishing,

click fraud, further spread of viruses and worms etc.

 size: 100, 1000, 10k … up to > 1M of nodes
 access to bots and botnets can be bought (from $0.01
per bot)
 Logic Bomb
 Logic Bomb
 Program that initiates a security incident under certain circumstances
 It waits for certain conditions to occur.
 Stack and Buffer Overflow
 Exploits a bug in a program (overflow either the stack or memory
buffers)
 Failure to check bounds on inputs, arguments
 Write pass arguments on the stack into the return address on stack
 When routine returns from call, returns to hacked address
 Pointed to code loaded onto stack that executes malicious code
 Unauthorized user or privilege escalation
 Virus Dropper

 Virus dropper inserts virus onto the system

 Many categories of viruses, literally many thousands of viruses

 File / parasitic
 Boot / memory
 Macro
 Source code
 Polymorphic to avoid having a virus signature
 Encrypted
 Stealth
 Tunneling
 Multipartite
 Armored
 Keystroke logger
 Attacks still common, still occurring
 Attacks moved over time from science experiments to tools of organized
crime
 Targeting specific companies
 Creating botnets to use as tool for spam and DDOS delivery
 Keystroke logger to grab passwords, credit card numbers

 Why is Windows the target for most attacks?

 Most common
 Everyone is an administrator
 Licensing required?
 Monoculture considered harmful
Definitions of DoS and DDoS attacks

 A DoS (Denial of Service) attack aims at preventing, for

legitimate users, authorised access to a system resource
or the delaying of system operations and functions

 DDoS are distributed Denial of Service attacks that

achieve larger magnitude by launching coordinated
attacks by using a framework of “handlers” and “agents”.
A DDoS is innovative in the form of coordination of the
attack.
 DoS attacks in the news
 On February 2000, several serious DDoS attacks
targeted some of the largest Internet web sites, including
Yahoo, Buy.com, Amazon, CNN and eBay.

10
 Costs of DoS attacks
 Denial of Service is currently the most expensive
computer crime for victim organisations:
 Classification of DoS attacks
1. Bandwidth consumption
- Attacks will consume all available network
bandwidth

2. Resource starvation
- Attacks will consume system resources (mainly
CPU, memory, storage space)

3. Programming flaws
- Failures of applications or OS components to handle
exceptional conditions (i.e. unintended or
unexpected data is sent to a vulnerable component)
- OS components’ crash
 Modes of attacks

1. Network connectivity attacks

 Flooding
 malformed traffic
2. Consumption of resources
 Filling-up of data structures
 storage (i.e. intentionally generating errors that must
be logged)
 side effect of other forms of attack
 from a virus (i.e. SQL slammer virus)
 accounts locked-out during a password cracking
 ICMP “echo” datagrams
 ICMP “echo” datagrams are typically used to test
network connectivity.

 A destination host is expected to respond with

an
 ICMP ECHO_REPLY message when “pinged” with an
ICMP ECHO_REQUEST message
 Ping of death

 In the IP specification, the maximum datagram size is 64

KB.

 Some systems react in an unpredictable fashion when

receiving oversized (>64 KB) IP datagrams, causing
systems crashing, freezing or rebooting, and resulting in
a denial of service.

 Example of a DoS that exploits a programming flaw: the

IP implementation is unable to deal with the exceptional
condition posed by the oversized datagram.
 Yet another simple form of DoS: ICMP
(ping) flood

 Attackers flood a network link with ICMP

ECHO_REQUEST messages using the “ping” command

 Exploits a characteristic of the IP layer, that answers with

ICMP ECHO_REPLY messages upon reception of ICMP
ECHO_REQUEST messages
 Directed broadcast addresses

 The directed broadcast address is an IP address with all

the host address set to 1s in host portion. It is used to
simultaneously address all hosts within the same
network.
 i.e., the directed broadcast address for the network class
B 151.100.0.0 has IP address 151.100.255.255

 For subnetted networks, the directed broadcast address

is an IP address with all the host address set to 1 within
the same subnet.
 “ping” to a directed broadcast
address

 All hosts in the broadcast domain answer back

 Network traffic “amplification”: 1 datagram generates n

datagrams in response (where n is the number of
systems replying to a broadcast ICMP
ECHO_REQUEST)
 Smurf attack
 In a Smurf attack, the attacker sends ping requests to a
broadcast address, with the source address of the IP
datagram set to the address of the target system under
attack (spoofed source address)
 Smurf attack Cont
.
 All systems within the broadcast domain will answer
back to the target address, thus flooding the target
system with ICMP traffic and causing network congestion
=> little or no bandwidth left for legitimate users
 Smurf attack protection
 Hosts can be configured not to respond to ICMP
datagrams directed to IP broadcast addresses. Most OS
have specific network settings to enable/disable the
response to a broadcast ICMP ping message.

 Disable IP-directed broadcasts at your leaf routers: to

deny IP broadcast traffic onto your network from other
networks (in particular from the Internet)

 A forged source is required for the attack to succeed.

Routers must filter outgoing packets that contain source
addresses not belonging to local subnetworks.
 RFC 2827
 Defeating DoS which employ IP Spoofing
 Router can check any traffic it is passsing for the valid
source addres
 Network administrator log information on packet which
provide basis for monitoring and suspicious activity.
 TCP’s three-way handshake

 The "three-way handshake" is the procedure used to

establish a connection.
TCP’s three-way handshake Cont.
 TCP SYN flood
 A TCP SYN flood is an attack based on bogus TCP
connection requests, created with a spoofed source IP
address, sent to the attacked system. Connections are
not completed, thus soon it will fill up the connection
request table of the attacked system, preventing it from
accepting any further valid connection request.

 The source host for the attack sends a SYN packet to

the target host. The target hosts replies with a SYN/ACK
back to the legitimate user of the forged IP source
address. Since the spoofed source IP address is
unreachable, the attacked system will never receive the
corresponding ACK packets in return, and the
connection request table on the attacked system will
soon be filled up.
TCP SYN flood Cont.
 TCP SYN flood Cont.

 The attack works if the spoofed source IP address is not

reachable by the attacked system. If the spoofed source
IP address is reachable by the attacked system, then the
legitimate owner of the source IP address would respond
with a RST packet back to the target host, closing the
connection and defeating the attack.

 TCP SYN flood is a denial of service attack that sends a

host more TCP SYN packets than the protocol
implementation can handle.

 This is a resource starvation DoS attack because once

the connection table is full, the server is unable to
service legitimate requests.
 TCP SYN flood protection
 Apply Operating System fixes:
 Systems periodically check incomplete connection
requests,and randomly clear connections that have
not completed a three-way handshake. This will
reduce the likelihood of a complete block due to a
successful SYN attack, and allow legitimate client
connections to proceed.

 Configure TCP SYN traffic rate limiting

 Install IDS (Intrusion Detection Systems)

capable of detecting TCP SYN flood attacks.
 TCP SYN flood protection Cont.

 Filter network traffic:

 Static packet filtering – stateless IP filtering
 Static packet filtering is a firewall and routing capability that provides
network packet filtering based only on packet information in the current
packet and administrator rules.
 Stateless IP filters are very inexpensive
 A static IP filter does little more than simply route traffic, it is very good
for traffic management.
 Static filters are vulnerable to IP spoofing attacks
 Summary of today’s lecture
 In today’s lecture, we discussed in detail about DoS
attacks and its classification.
 Ping of Death Attack
 TCP datagram attack through SYN floods
 Next lecture topics
 How to secure a Wireless Network
 How different mechanisms could be used to ensure
security in a wireless network
The End