Network Security Lec 1
Network Security
Computer networks are typically a shared resource used by many
applications representing different interests.
Who is vulnerable?
Financial institutions and banks
Internet service providers
Pharmaceutical companies
Government and defense agencies
Contractors to various government agencies
Multinational corporations
ANYONE ON THE NETWORK
Network Reconnaissance
Vulnerability scanner
A vulnerability scanner is a computer program designed to assess computers,
computer systems, networks or applications for weaknesses.
Types:
Port scanner (e.g. Nmap)
Network vulnerability scanner (e.g. Nessus)
Web application security scanner
Database security scanner
Host-based vulnerability scanner (e.g. Lynis)
ERP security scanner (e.g. ERPScan)
Single vulnerability tests
Common security attacks and their countermeasures
Finding a way into the network
– Firewalls (iptables)
Exploiting software bugs, buffer overflows
– Intrusion Detection Systems
Denial of Service
– Ingress filtering, IDS (snort)
TCP hijacking
– IPSec
Packet sniffing
– Encryption (SSH, SSL, HTTPS)
Social problems
– Education
Denial of Service
Purpose: Make a network service unusable, usually by overloading the server or network
Many different kinds of DoS attacks:
SYN flooding
Smurf
Distributed attacks
SYN flooding - Denial of Service
The attack involves having a client repeatedly send SYN (synchronization) packets to every port on a server, using fake IP addresses.
In a SYN flood, the ACK packet is never sent back by the hostile client. Instead, the client program sends repeated SYN requests to all the server's ports.
A hostile client always knows a port is open when the server responds with a SYN/ACK packet.
Smurf
A smurf attack is an exploitation of the Internet Protocol (IP) broadcast addressing to create a denial of service.
The attacker uses a program called Smurf to cause the attacked part of a network
to become inoperable.
The smurf program builds a network packet that appears to originate from another
address (this is known as spoofing an IP address).
This packet contains an ICMP ping message that is addressed to an IP
broadcast address.
The echo responses to the ping message are sent back to the "victim" address.
Enough pings and resultant echoes can flood the network making it unusable
for real traffic.
Distributed DoS
In a typical DDoS attack, the attacker begins by exploiting a vulnerability in one computer system and making it the DDoS master.
Countermeasures:
Configure the services offered by an application so that they never accept more than a particular number of requests in a specified time interval.
Block a particular IP address, port number or a combination of these.
Install a firewall.
Keep backup servers ready.
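The first two countermeasures above (cap the number of requests per client in a time interval, and refuse traffic from specific addresses) can be shown in a few lines. The following is an added example, not code from the lecture: a sliding-window rate limiter keyed by client IP with an explicit block list, run over constructed request timestamps. The addresses and the 5-requests-per-10-seconds policy are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque


class RateLimiter:
    """Sliding-window limiter: accept at most `limit` requests per `window`
    seconds from each client IP, and refuse everything from a block list."""

    def __init__(self, limit, window, blocked=()):
        self.limit = limit
        self.window = window
        self.blocked = set(blocked)
        self._hits = defaultdict(deque)  # ip -> timestamps of accepted requests

    def allow(self, ip, now):
        if ip in self.blocked:
            return False
        recent = self._hits[ip]
        # Forget accepted requests that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def simulate(requests, limit, window, blocked=()):
    """requests: iterable of (timestamp, client_ip), processed in time order.
    Returns {ip: (accepted, rejected)}."""
    limiter = RateLimiter(limit, window, blocked)
    counts = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(requests):
        counts[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


# Constructed sample traffic (hypothetical addresses from the documentation
# ranges): one client fires a request every second for 20 s, one client is on
# the block list, one makes a single normal request.
SAMPLE_REQUESTS = (
    [(float(i), "198.51.100.7") for i in range(20)]
    + [(1.0, "203.0.113.9"), (2.0, "203.0.113.9")]
    + [(3.0, "192.0.2.66")]
)
BLOCKED = {"203.0.113.9"}


def run_sample():
    # Policy assumed for the demo: 5 requests per 10-second window per client.
    return simulate(SAMPLE_REQUESTS, limit=5, window=10.0, blocked=BLOCKED)


if __name__ == "__main__":
    for ip, (ok, dropped) in sorted(run_sample().items()):
        print(f"{ip:15} accepted={ok:2} rejected={dropped:2}")
```

The chatty client gets its first five requests through, is refused until its oldest accepted request is ten seconds old, then gets five more, so 10 of its 20 requests are accepted. A per-IP limiter of this kind only helps against sources that are identifiable; the slides note that DDoS and flood traffic is often spoofed or spread across many hosts, where a per-IP limit must be combined with an overall cap on the service.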
ICMP Flood
An ICMP flood or ping flood is a denial-of-service attack in which the attacker attempts to overload a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic.
The attacker sends many ICMP echo request packets to the targeted server
using multiple devices.
The targeted server then sends an ICMP echo reply packet to each
requesting device’s IP address as a response.
UDP Flood
A UDP flood is a type of Denial of Service (DoS) attack in which the attacker overloads random ports on the targeted host with IP packets containing UDP datagrams.
The receiving host checks for applications associated with these datagrams and, finding none, sends back a "Destination Unreachable" packet.
As more and more UDP packets are received and answered, the system becomes overloaded and unresponsive to other clients.
As part of a UDP flood attack, the attacker may also spoof the source IP address of the packets, both to make sure that the returning ICMP packets do not reach their own host and to anonymize the attack.
Port Scanning
A port scan is an attack that sends client requests to a range of
server port addresses on a host, with the goal of finding an
active port and exploiting a known vulnerability of that service.
ARP Spoofing
• Construct spoofed ARP replies.
ARP is used to resolve IP addresses to MAC addresses.
In an ARP spoofing attack, a malicious party sends spoofed ARP
messages across a local area network in order to link the attacker’s
MAC address with the IP address of a legitimate member of the
network.
This type of spoofing attack results in data that is intended for the
host’s IP address getting sent to the attacker instead.
ARP Spoofing
Malicious parties commonly use ARP spoofing to:
steal information
modify data-in-transit or
stop traffic on a LAN.
ARP spoofing attacks can also be used to facilitate other types of
attacks, including:
denial-of-service,
session hijacking and
man-in-the-middle attacks.
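Because ARP spoofing works by rebinding a legitimate host's IP address (typically the gateway's) to the attacker's MAC, the defensive signal is a change in an IP-to-MAC binding, or one MAC answering for several IPs. The following is an added example, not code from the lecture: a detector that replays a list of observed ARP replies against a table of known bindings and raises an alert on either condition. The addresses, MACs and reply sequence are constructed for the demonstration.

```python
from collections import defaultdict


def detect_arp_spoofing(replies, trusted=None):
    """Flag ARP replies that rebind an IP to a new MAC, or let one MAC claim
    a second IP. `replies` is a list of (timestamp, sender_ip, sender_mac);
    `trusted` is an optional static {ip: mac} table (e.g. the gateway)."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_by_mac = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        ips_by_mac[mac].add(ip)

    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # The IP we already know now answers from a different hardware address.
            alerts.append((ts, "ip-rebound", ip, previous, mac))
        if ips_by_mac[mac] and ip not in ips_by_mac[mac]:
            # This MAC was already bound to another IP and now claims one more.
            alerts.append((ts, "mac-claims-multiple-ips", mac, tuple(sorted(ips_by_mac[mac] | {ip}))))
        ip_to_mac[ip] = mac
        ips_by_mac[mac].add(ip)
    return alerts


TRUSTED = {"192.0.2.1": "aa:aa:aa:aa:aa:01"}  # constructed gateway binding
ARP_REPLIES = [  # constructed observations: (timestamp, sender IP, sender MAC)
    (1.0, "192.0.2.20", "aa:aa:aa:aa:aa:20"),
    (2.0, "192.0.2.1", "AA:AA:AA:AA:AA:01"),   # gateway re-announces itself (same MAC)
    (3.0, "192.0.2.1", "de:ad:be:ef:00:66"),   # another host now claims the gateway IP
    (4.0, "192.0.2.66", "de:ad:be:ef:00:66"),  # the same MAC also answers for its own IP
    (5.0, "192.0.2.20", "aa:aa:aa:aa:aa:20"),
]


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, TRUSTED):
        print(alert)
```

The first rule is the strong one: a gateway's MAC does not normally change. The second rule needs care on real networks, where a router or a virtualization host legitimately answers for several addresses, so its hits are best used as corroboration rather than on their own.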
Packet Sniffing
Packet Sniffer
Why are Packet Sniffers used?
Packet Sniffers-Working
• A packet sniffer works in two types of environment:
• Shared Ethernet
• Switched Ethernet
Packet Sniffers-Working
• Shared Ethernet
• In a shared Ethernet environment, all the systems are
connected to the same bus
• They are in the same broadcast domain.
• When a message is to be sent to a machine, it is broadcast over the network, and the machine for which the message is intended reads it.
• A machine running a sniffer runs in "promiscuous mode" and can listen to all the traffic on the network.
• This type of sniffing is extremely difficult to detect.
Packet Sniffers-Working
• Switched Ethernet
• In this environment, the machines are connected to a
switch.
• The switch maintains a MAC table and keeps a track
of each computer’s MAC address and the physical
port on the switch to which the MAC address maps
• The packets are not broadcasted, but instead are
specifically sent to the machines for which they are
intended.
Packet Sniffers-Working
• Switched Ethernet
• Even though a switched Ethernet is more secure than a shared one (using a hub), it is not completely secure.
• One can still sniff the traffic using techniques like ARP spoofing, which spoofs the MAC address of the gateway and makes the traffic route through the machine running the sniffer.
Session hijacking
The attacker gets access to a session between two hosts.
The attacker steals a valid session ID, which is used to get into the session, and uses it to snoop data.
A session can be hijacked only after the hosts have authenticated successfully.
A session cannot be initiated until the authentication process is finished.
Since most authentication occurs at the start of the session, this allows attackers to gain access to a machine.
Session hijacking-Steps
TCP hijacking