Network Security Lec 1

Uploaded by

Snehal Poptani

Module 5

Network Security and Applications


Why do we need security?

 Protect vital information while still allowing access to those who need it
– Trade secrets, medical records, etc.
 Provide authentication and access control for resources
 Guarantee availability of resources
Network Security
 Computer networks are typically a shared resource used by many applications representing different interests.
 The Internet is particularly widely shared, being used by many people, including opportunistic criminals.
 Unless security measures are taken, a network conversation or a distributed application may be compromised by an adversary.
Who is vulnerable?
 Financial institutions and banks
 Internet service providers
 Pharmaceutical companies
 Government and defense agencies
 Contractors to various government agencies
 Multinational corporations
 ANYONE ON THE NETWORK

Network Reconnaissance

 Network Reconnaissance means obtaining information about the victim.
 Network Reconnaissance is an "exploration or enumeration of network infrastructure including network addresses, available communication ports, and available services".
Vulnerability scanner
 A vulnerability scanner is a computer program designed to assess computers,
computer systems, networks or applications for weaknesses.
Types:-
 Port scanner (e.g. Nmap)
 Network vulnerability scanner (e.g. Nessus)
 Web application security scanner
 Database security scanner
 Host based vulnerability scanner (Lynis)
 ERP security scanner (ERPScan)
 Single vulnerability tests
Common security attacks and their countermeasures
 Finding a way into the network
– Firewalls (iptables)
 Exploiting software bugs, buffer overflows
– Intrusion Detection Systems
 Denial of Service
– Ingress filtering, IDS (snort)
 TCP hijacking
– IPSec
 Packet sniffing
– Encryption (SSH, SSL, HTTPS)
 Social problems
– Education
Denial of Service
 Purpose: Make a network service unusable, usually by overloading the server or network
Many different kinds of DoS attacks:
 SYN flooding
 Smurf
 Distributed attacks
SYN flooding- Denial of Service
 The attack involves having a client repeatedly send SYN (synchronization) packets to every port on a server, using fake IP addresses.
 The server responds to each attempt with a SYN/ACK (synchronization acknowledged) packet from each open port, and with a RST (reset) packet from each closed port.
 In a SYN flood, the ACK packet is never sent back by the hostile client.
 Instead, the client program sends repeated SYN requests to all the server's ports.
 A hostile client always knows a port is open when the server responds with a SYN/ACK packet.
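The handshake the slide describes (a SYN to an open port is answered with SYN/ACK, a SYN to a closed port with RST, and the flooding client never sends the final ACK) is exactly what a server-side monitor can count. The following is an added example, not code from the lecture: it models a simplified SYN backlog over a constructed stream of inbound segments and flags a flood when too many handshakes stay half-open, which works whether or not the source addresses are spoofed. The open-port set, the timeout and the backlog limit are this example's own assumptions.

```python
"""Half-open (SYN backlog) monitor for spotting a SYN flood.

Added example, not from the lecture slides. It models, in simplified form,
how a server tracks handshakes: a SYN to an open port is answered with
SYN/ACK and held as half-open until the client's ACK (or RST) arrives; a
SYN to a closed port is answered with RST and no state is kept. The open
ports, timeout and backlog limit below are constructed assumptions.
"""
from collections import defaultdict

OPEN_PORTS = {22, 80, 443}   # constructed: ports this server listens on
HALF_OPEN_TIMEOUT = 3.0      # seconds an unanswered SYN/ACK is kept
BACKLOG_LIMIT = 16           # half-open entries that count as a flood


class SynFloodMonitor:
    def __init__(self, open_ports=OPEN_PORTS, timeout=HALF_OPEN_TIMEOUT,
                 limit=BACKLOG_LIMIT):
        self.open_ports = open_ports
        self.timeout = timeout
        self.limit = limit
        self.half_open = {}              # (src, sport, dport) -> SYN/ACK time
        self.completed = 0               # handshakes finished by a client ACK
        self.expired = 0                 # SYN/ACKs that were never acknowledged
        self.rst_sent = 0                # SYNs to closed ports, answered with RST
        self.syn_by_src = defaultdict(int)

    def feed(self, ts, src, sport, dport, flag):
        """Process one inbound segment; flag is 'SYN', 'ACK' or 'RST'."""
        self._expire(ts)
        key = (src, sport, dport)
        if flag == "SYN":
            self.syn_by_src[src] += 1
            if dport in self.open_ports:
                self.half_open[key] = ts   # server sends SYN/ACK, waits for ACK
            else:
                self.rst_sent += 1         # closed port: RST, nothing to track
        elif flag == "ACK" and key in self.half_open:
            del self.half_open[key]        # third handshake step completed
            self.completed += 1
        elif flag == "RST":
            self.half_open.pop(key, None)  # client aborted the handshake

    def _expire(self, now):
        stale = [k for k, t0 in self.half_open.items()
                 if now - t0 >= self.timeout]
        for k in stale:
            del self.half_open[k]
            self.expired += 1

    def snapshot(self, now):
        """Expire stale entries as of `now`, then summarise the backlog."""
        self._expire(now)
        return {
            "half_open": len(self.half_open),
            "completed": self.completed,
            "expired": self.expired,
            "rst_sent": self.rst_sent,
            "attack": len(self.half_open) >= self.limit,
        }


def sample_stream():
    """Constructed traffic: three normal clients, one closed-port probe,
    then 20 SYNs from 20 spoofed sources that never send the final ACK."""
    events = []
    for i, src in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
        t = 0.1 * i
        events.append((t, src, 40000 + i, 443, "SYN"))
        events.append((t + 0.05, src, 40000 + i, 443, "ACK"))
    events.append((0.5, "10.0.0.14", 41000, 8080, "SYN"))
    for i in range(20):
        events.append((1.0 + 0.01 * i, f"203.0.113.{i + 1}", 50000 + i, 80, "SYN"))
    return events


def run_sample():
    mon = SynFloodMonitor()
    for ev in sample_stream():
        mon.feed(*ev)
    return mon


if __name__ == "__main__":
    m = run_sample()
    print("during the burst:", m.snapshot(1.2))
    print("after the timeout:", m.snapshot(10.0))
```

Because the flood uses one SYN per spoofed address, a per-source counter would see nothing unusual; the total number of half-open entries is the signal, which is also why real servers answer with SYN cookies or shrink the backlog timeout when it fills.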
Smurf
 A smurf attack is an exploitation of the Internet Protocol (IP) broadcast addressing to create a denial of service.
 The attacker uses a program called Smurf to cause the attacked part of a network to become inoperable.
 The smurf program builds a network packet that appears to originate from another address (this is known as spoofing an IP address).
 This packet contains an ICMP ping message that is addressed to an IP broadcast address.
 The echo responses to the ping message are sent back to the "victim" address.
 Enough pings and resultant echoes can flood the network, making it unusable for real traffic.
Distributed DOS
 In a typical DDoS attack, the attacker begins by exploiting a vulnerability in one computer system and making it the DDoS master.
 The attack master identifies and infects other vulnerable systems with malware.
 Eventually, the attacker instructs the controlled machines to launch an attack against a specified target.
 A computer under the control of an intruder is known as a zombie.
Defenses Against DOS attacks

 Investigate the incoming packets and look for a particular pattern. If such a pattern emerges, then try blocking incoming packets from the concerned IP address.
 Configure the services offered by an application in such a way that it never accepts more than a particular number of requests in a specified time interval.
 Block a particular IP address, port number or a combination of these.
 Install a firewall.
 Keep backup servers ready.
ICMP Flood

 An ICMP flood or ping flood is a denial-of-service attack in which the attacker attempts to overload a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic.
 The attacker sends many ICMP echo request packets to the targeted server using multiple devices.
 The targeted server then sends an ICMP echo reply packet to each requesting device’s IP address as a response.
UDP Flood
 UDP flood is a type of Denial of Service (DoS) attack in which the attacker overloads random ports on the targeted host with IP packets containing UDP datagrams.

 The receiving host checks for applications associated with these datagrams and
—finding none—sends back a “Destination Unreachable” packet.

 As more and more UDP packets are received and answered, the system
becomes overloaded and unresponsive to other clients.

 In the framework of a UDP flood attack, the attacker may also spoof the IP
address of the packets, both to make sure that the return ICMP packets don’t
reach their host, and to anonymize the attack.
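The defence listed earlier (never accept more than a particular number of requests in a specified time interval, then block the offending address) applies equally to the ICMP and UDP floods just described. The following is an added example, not code from the lecture: a per-source sliding-window rate limiter with temporary blocking, run over constructed traffic in which one host pings at a normal rate and another sends a burst of UDP datagrams. The limit, window and block duration are this example's own assumptions.

```python
"""Per-source rate limit with temporary blocking.

Added example, not from the lecture slides. It implements the defence the
slides name: accept no more than `limit` packets from one source within a
`window` of seconds, and block the source for `block_for` seconds when it
exceeds that. The traffic fed through it is constructed: a normal host
sending ICMP echo requests and one host sending a burst of UDP datagrams.
"""
from collections import defaultdict, deque


class SourceRateLimiter:
    def __init__(self, limit=100, window=1.0, block_for=60.0):
        self.limit = limit
        self.window = window
        self.block_for = block_for
        self.recent = defaultdict(deque)   # src -> timestamps inside the window
        self.blocked_until = {}            # src -> time the block expires
        self.allowed = defaultdict(int)
        self.dropped = defaultdict(int)

    def allow(self, ts, src):
        """Return True if a packet from `src` at time `ts` may be processed."""
        until = self.blocked_until.get(src)
        if until is not None:
            if ts < until:
                self.dropped[src] += 1
                return False
            del self.blocked_until[src]    # block has expired, start fresh
            self.recent[src].clear()
        q = self.recent[src]
        while q and ts - q[0] >= self.window:   # slide the window forward
            q.popleft()
        q.append(ts)
        if len(q) > self.limit:
            self.blocked_until[src] = ts + self.block_for
            q.clear()
            self.dropped[src] += 1
            return False
        self.allowed[src] += 1
        return True


def sample_packets():
    """Constructed: 20 pings over 2 s from 10.0.0.5, 300 UDP packets in
    0.3 s from 198.51.100.7, then one more packet from each after a minute."""
    pkts = [(0.1 * i, "10.0.0.5", "ICMP echo-request") for i in range(20)]
    pkts += [(1.0 + 0.001 * i, "198.51.100.7", "UDP") for i in range(300)]
    pkts += [(70.0, "10.0.0.5", "ICMP echo-request"), (70.0, "198.51.100.7", "UDP")]
    return sorted(pkts)


def run_sample(limit=100, window=1.0, block_for=60.0):
    limiter = SourceRateLimiter(limit, window, block_for)
    for ts, src, _proto in sample_packets():
        limiter.allow(ts, src)
    return {"allowed": dict(limiter.allowed), "dropped": dict(limiter.dropped)}


if __name__ == "__main__":
    print(run_sample())
```

The limiter keys on the source address, so against a flood that spoofs a fresh source per packet (as the UDP flood slide notes attackers may do) it only protects the per-source budget; for that case the backlog-style counting shown for SYN floods, or upstream ingress filtering, is the complementary control.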
Port Scanning
 A port scan is an attack that sends client requests to a range of
server port addresses on a host, with the goal of finding an
active port and exploiting a known vulnerability of that service.

 The idea behind a port scan is to probe as many listeners as possible, and keep track of the ones that are receptive or useful to your particular need.
Port Scanning
 Types of scan:-
 Ping scan
 SYN scan
 FIN scan
 Stealth scan
 X-mas scan
Spoofing attacks
 A spoofing attack is when a malicious party impersonates another
device or user on a network in order to launch attacks.
 These attacks can be used to attack network hosts, steal data, spread malware or bypass access controls.
 Different types of spoofing attacks:-
 IP address spoofing attacks
 ARP spoofing attacks and
 DNS server spoofing attacks.
DNS Spoofing
 DNS Cache Poisoning is one of the ways to achieve DNS Spoofing
 The cache of a DNS name server is poisoned with false information
 A poisoned DNS cache does not redirect traffic to the legitimate IP address
when resolving a domain name
 Many end users share the same cache, whose stored records map each domain name to an IP address.
 If attackers manage to manipulate a DNS entry in this cache, the internet service providers that use it would accept it as authentic, even if it has been manipulated to point to a fake website.
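The checks a caching resolver applies before it trusts a reply are what stand between a forged response and a poisoned cache. The following is an added example, not code from the lecture: a simplified resolver that randomises the transaction ID and source port of each query, accepts a reply only if it matches an outstanding query (ID, port, server address and question), and caches only records inside the bailiwick of the zone the server was asked about. The names, addresses and message layout are constructed stand-ins for real DNS.

```python
"""Resolver-side checks that make cache poisoning harder.

Added example, not from the lecture slides. A stub of a caching resolver
that (1) uses a random transaction ID and a random source port per query,
(2) accepts a response only if it matches an outstanding query's ID, port,
server address and question, and (3) caches only records inside the
bailiwick of the zone the server was asked about. Names and addresses are
constructed; the message format is a simplified stand-in for real DNS.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int
    sport: int
    server: str     # address the query was sent to
    zone: str       # zone that server is authoritative for
    qname: str


@dataclass(frozen=True)
class Response:
    txid: int
    dport: int      # resolver port the response arrived on
    src: str        # address the response claims to come from
    qname: str
    records: tuple  # of (name, rtype, value)


def in_bailiwick(name, zone):
    """True if `name` is the zone apex or lies beneath it."""
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self):
        self.cache = {}       # (name, rtype) -> value
        self.pending = {}     # (txid, sport) -> Query
        self.rejected = []    # (reason, offending item)

    def send_query(self, qname, server, zone):
        txid = secrets.randbelow(1 << 16)               # 16-bit random ID
        sport = 1024 + secrets.randbelow(65536 - 1024)  # random source port
        q = Query(txid, sport, server, zone, qname)
        self.pending[(txid, sport)] = q
        return q

    def receive(self, r):
        q = self.pending.get((r.txid, r.dport))
        if q is None or q.server != r.src or q.qname != r.qname:
            self.rejected.append(("no-matching-query", r))
            return False
        del self.pending[(r.txid, r.dport)]
        for name, rtype, value in r.records:
            if in_bailiwick(name, q.zone):
                self.cache[(name, rtype)] = value
            else:   # a record for some other zone is not this server's to give
                self.rejected.append(("out-of-bailiwick", (name, rtype, value)))
        return True


def run_sample():
    res = Resolver()
    q = res.send_query("www.example.com", "198.51.100.53", "example.com")
    # A reply with a guessed transaction ID matches no pending query.
    forged = Response((q.txid + 1) % 65536, q.sport, "198.51.100.53",
                      "www.example.com", (("www.example.com", "A", "203.0.113.99"),))
    res.receive(forged)
    # A matching reply that also carries a record for an unrelated name:
    # the answer is cached, the extra record is dropped.
    matching = Response(q.txid, q.sport, "198.51.100.53", "www.example.com",
                        (("www.example.com", "A", "203.0.113.10"),
                         ("login.bank.test", "A", "203.0.113.99")))
    res.receive(matching)
    return res


if __name__ == "__main__":
    r = run_sample()
    print("cache:", r.cache)
    print("rejected:", [reason for reason, _ in r.rejected])
```

Randomising both the ID and the port raises the number of guesses a blind forger needs from 2^16 to roughly 2^32 per query, and the bailiwick rule stops a reply for one zone from planting records for another; DNSSEC validation would be the next layer on top of these checks.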
IP Spoofing
 An attacker sends IP packets from a false (or “spoofed”) source
address in order to disguise itself.
 Denial-of-service attacks often use IP spoofing to overload
networks and devices with packets that appear to be from
legitimate source IP addresses.
IP Spoofing
 There are two ways that IP spoofing attacks can be used to
overload targets with traffic.
 One method is to simply flood a selected target with packets
from multiple spoofed addresses.
 This method works by directly sending a victim more data than it can handle.
IP Spoofing
 The other method is to spoof the target’s IP address and
send packets from that address to many different recipients
on the network.
 When another machine receives a packet, it will automatically transmit a packet to the sender in response.
 Since the spoofed packets appear to be sent from the target’s IP address, all responses to the spoofed packets will be sent to (and flood) the target’s IP address.
Address Resolution Protocol (ARP)
ARP
 To avoid having to send an ARP request packet each time, a host can
cache the IP and the corresponding host addresses in its ARP table
(ARP cache).
 When a computer receives an ARP reply, it will update its ARP cache.
 ARP is a stateless protocol, so most operating systems will update their cache if a reply is received, regardless of whether they have sent out an actual request.
ARP Spoofing
• Construct spoofed ARP replies.
• A target computer could be convinced to send frames destined for computer A to instead go to computer B.
• Computer A will have no idea that this redirection took place.
• This process of updating a target computer’s ARP cache is referred to as “ARP poisoning”.
ARP Spoofing

ARP is used to resolve IP addresses to MAC addresses.

In an ARP spoofing attack, a malicious party sends spoofed ARP
messages across a local area network in order to link the attacker’s
MAC address with the IP address of a legitimate member of the
network.

This type of spoofing attack results in data that is intended for the
host’s IP address getting sent to the attacker instead.
ARP Spoofing

Malicious parties commonly use ARP spoofing to:-
 steal information
 modify data-in-transit or
 stop traffic on a LAN.

ARP spoofing attacks can also be used to facilitate other types of
attacks, including:
 denial-of-service,
 session hijacking and
 man-in-the-middle attacks.
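Because ARP is stateless and a host accepts any reply, the same traffic that poisons a cache can be watched for by a passive monitor on the LAN. The following is an added example, not code from the lecture: an arpwatch-style observer that keeps its own IP-to-MAC table and raises an alert on a reply nobody asked for, on a MAC change for a known IP, and on one MAC answering for several IPs. The addresses, the pinned gateway entry and the frame sequence are constructed.

```python
"""Passive ARP monitor that flags the symptoms of ARP poisoning.

Added example, not from the lecture slides. Because ARP is stateless and a
host updates its cache on any reply, a monitor (in the spirit of arpwatch)
can watch the same traffic and raise an alert when a reply arrives that no
one asked for, when the MAC recorded for an IP changes, or when one MAC
claims several IPs. Addresses and the frame sequence below are constructed.
"""
from collections import defaultdict

REPLY_GRACE = 2.0   # seconds a request stays outstanding


class ArpWatcher:
    def __init__(self, pinned=None):
        self.table = dict(pinned or {})   # ip -> mac (pinned entries first)
        self.pending = {}                 # ip being resolved -> request time
        self.claims = defaultdict(set)    # mac -> ips it has been bound to
        self.alerts = []

    def observe(self, ts, op, sender_ip, sender_mac, target_ip):
        """Feed one ARP frame. op is 'request' or 'reply'; in a reply the
        sender fields carry the binding being announced."""
        if op == "request":
            self.pending[target_ip] = ts
        else:   # reply: does it answer a request we saw recently?
            asked = self.pending.pop(sender_ip, None)
            if asked is None or ts - asked > REPLY_GRACE:
                self.alerts.append((ts, "unsolicited-reply", sender_ip, sender_mac))
        self._learn(ts, sender_ip, sender_mac)

    def _learn(self, ts, ip, mac):
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            self.alerts.append((ts, "one-mac-many-ips", mac,
                                sorted(self.claims[mac])))
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            # keep the first/pinned binding; the change itself is the alert
            self.alerts.append((ts, "mac-changed", ip, f"{known} -> {mac}"))

    def alert_kinds(self):
        return [a[1] for a in self.alerts]


def run_sample():
    """Constructed LAN: gateway .1 is pinned, host .20 resolves it normally,
    then .66 announces that the gateway's IP lives at its own MAC."""
    w = ArpWatcher(pinned={"192.168.1.1": "aa:bb:cc:00:00:01"})
    w.observe(0.0, "request", "192.168.1.20", "aa:bb:cc:00:00:20", "192.168.1.1")
    w.observe(0.1, "reply", "192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.20")
    w.observe(5.0, "request", "192.168.1.66", "aa:bb:cc:00:00:66", "192.168.1.20")
    w.observe(5.1, "reply", "192.168.1.20", "aa:bb:cc:00:00:20", "192.168.1.66")
    w.observe(9.0, "reply", "192.168.1.1", "aa:bb:cc:00:00:66", "192.168.1.20")
    return w


if __name__ == "__main__":
    for alert in run_sample().alerts:
        print(alert)
```

Pinning the gateway's binding is the same idea as a static ARP entry on the hosts themselves; on managed switches, dynamic ARP inspection enforces the equivalent check in the switch rather than in a monitor.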
Packet Sniffing

• Packet sniffing is a technique of capturing packets that flow in the network.
• The software or device used to do this is called a packet sniffer.
• Example:- tcpdump, wireshark
Packet Sniffing

• What kind of data can we get?
• OR what kind of information would be most useful to a malicious user?
• Answer: Anything in plain text
• Passwords are the most popular
Why are Packet Sniffers used?

• Detection of clear-text passwords and usernames from the network.
• Conversion of data to human readable format so that people can read the traffic.
• Performance analysis to discover network bottlenecks.
• Troubleshooting of network-related problems.
• Network intrusion detection in order to discover hackers.
Packet Sniffers-Working
• Packet sniffers work in two types of environments:
• Shared Ethernet
• Switched Ethernet
Packet Sniffers-Working
• Shared Ethernet
• In a shared Ethernet environment, all the systems are connected to the same bus.
• They are in the same broadcast domain.
• When a message is to be sent to a machine, it is broadcast over the network and the machine for which the message is intended reads the message.
• A machine running a sniffer runs in “promiscuous mode” and can listen to all the traffic on the network.
• This type of sniffing is extremely difficult to detect.
Packet Sniffers-Working
• Switched Ethernet
• In this environment, the machines are connected to a switch.
• The switch maintains a MAC table and keeps track of each computer’s MAC address and the physical port on the switch to which the MAC address maps.
• The packets are not broadcast, but instead are specifically sent to the machines for which they are intended.
Packet Sniffers-Working
• Switched Ethernet
• Even though a switched Ethernet is more secure than a shared one (using a hub), it is not completely secure.
• One can still sniff the traffic using techniques like ARP spoofing, which basically spoofs the MAC address of the gateway and makes the traffic route through the machine running the sniffer.
Session hijacking
 Attacker gets access to a session between two hosts
 The attacker steals a valid session id, which is used to get into the session and snoop data
 Session can be hijacked only after the hosts have authenticated successfully
 Session cannot be initiated until the authentication process is finished
 Since most authentication occurs at the start of the session, this allows attackers to gain access to a machine
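Since the slide's hijack works by stealing a valid session id after authentication, the server-side controls are to make the id unguessable, tie it to the client that authenticated, expire it, and issue a fresh id at the moment of login. The following is an added example, not code from the lecture: a minimal session store that does those four things. Binding the session to the client address and User-Agent is this example's assumption about what a server can observe, and the idle timeout is a constructed value.

```python
"""Session ids that are hard to steal and useless when stolen elsewhere.

Added example, not from the lecture slides. A minimal server-side session
store: ids come from a CSPRNG, each session is bound to the client that
authenticated (here the client address and User-Agent, an assumption of
this example), sessions expire after idle time, and the id is regenerated
the moment a user authenticates so an id observed or fixed before login
is worthless afterwards.
"""
import secrets
import time


class SessionStore:
    TTL = 900   # seconds of inactivity before a session is dropped (constructed)

    def __init__(self, now=time.time):
        self.now = now
        self.sessions = {}   # session_id -> {"user", "fp", "last_seen"}

    @staticmethod
    def _fingerprint(client_ip, user_agent):
        return (client_ip, user_agent)

    def start(self, client_ip, user_agent, user=None):
        sid = secrets.token_urlsafe(32)    # 256 random bits, not guessable
        self.sessions[sid] = {"user": user,
                              "fp": self._fingerprint(client_ip, user_agent),
                              "last_seen": self.now()}
        return sid

    def login(self, old_sid, client_ip, user_agent, user):
        """Authenticate: discard the pre-login id and issue a fresh one."""
        self.sessions.pop(old_sid, None)
        return self.start(client_ip, user_agent, user)

    def lookup(self, sid, client_ip, user_agent):
        """Return (user, 'ok') for a valid presented id, else (None, reason)."""
        s = self.sessions.get(sid)
        if s is None:
            return None, "unknown-id"
        if self.now() - s["last_seen"] > self.TTL:
            del self.sessions[sid]
            return None, "expired"
        if s["fp"] != self._fingerprint(client_ip, user_agent):
            del self.sessions[sid]          # a stolen id presented from elsewhere
            return None, "binding-mismatch"
        s["last_seen"] = self.now()
        return s["user"], "ok"


def run_sample():
    """Constructed walk-through with a controllable clock."""
    clock = [1000.0]
    store = SessionStore(now=lambda: clock[0])
    pre = store.start("10.0.0.5", "Firefox")                 # anonymous visit
    sid = store.login(pre, "10.0.0.5", "Firefox", "alice")   # id rotated here
    results = {
        "pre_login_id_after_login": store.lookup(pre, "10.0.0.5", "Firefox")[1],
        "legit": store.lookup(sid, "10.0.0.5", "Firefox"),
        "stolen_from_other_host": store.lookup(sid, "203.0.113.7", "curl")[1],
    }
    sid2 = store.login(None, "10.0.0.5", "Firefox", "alice")  # re-authenticate
    clock[0] += SessionStore.TTL + 1
    results["after_idle_timeout"] = store.lookup(sid2, "10.0.0.5", "Firefox")[1]
    return results


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

Binding to the client address is a trade-off: it defeats an id replayed from the attacker's own machine but will log out legitimate users whose address changes (mobile networks, NAT pools), so many deployments bind to a TLS-layer property or a separate cookie instead; the rotation at login and the idle timeout carry no such cost.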
TCP hijacking

 If an attacker learns the associated TCP state for the connection, then the connection can be hijacked.
 Attacker can insert malicious data into the TCP stream, and the recipient will believe it came from the original source
 Ex. Instead of downloading and running a new program, you download a virus and execute it
TCP hijacking

 How do we prevent this?
 IPSec
– It provides source authentication. Hence Eve (attacker) cannot pretend to be Alice
– It encrypts data before transport, so Eve (attacker) cannot talk to Bob without knowing what the session key is
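The source-authentication property the slide attributes to IPSec can be shown with a shared key and a keyed MAC: knowing the TCP state is no longer enough to inject data, because every segment must carry a tag only Alice can compute. The following is an added example, not code from the lecture and not the IPSec protocol itself: it mirrors the shape of an IPSec AH packet (an SPI, a sequence number and an HMAC-SHA256 integrity check value) with a sliding anti-replay window at the receiver. Encryption, the second property on the slide, is deliberately left out to keep the example to authentication; the packet layout, SPI value and key are constructed.

```python
"""Source authentication with a shared key, in the spirit of IPsec AH.

Added example, not from the lecture slides and not IPsec itself. Alice and
Bob share a key; every packet carries an SPI, a sequence number and an
HMAC-SHA256 integrity check value (ICV) over header and payload. Bob
verifies the ICV and rejects replays with a sliding window, so Eve can
neither forge packets as Alice nor replay captured ones. Encryption (ESP)
is omitted; the packet layout, SPI and key are constructed for this example.
"""
import hashlib
import hmac
import os
import struct

HDR = struct.Struct("!II")   # SPI, sequence number (network byte order)
ICV_LEN = 32                 # HMAC-SHA256 output size


def build_packet(key, spi, seq, payload):
    header = HDR.pack(spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + icv


class Receiver:
    def __init__(self, key, spi, window=64):
        self.key = key
        self.spi = spi
        self.window = window
        self.highest = 0     # highest sequence number accepted so far
        self.seen = set()    # accepted sequence numbers inside the window

    def accept(self, packet):
        """Return (payload, 'ok') or (None, reason)."""
        if len(packet) < HDR.size + ICV_LEN:
            return None, "truncated"
        header = packet[:HDR.size]
        body = packet[HDR.size:-ICV_LEN]
        icv = packet[-ICV_LEN:]
        spi, seq = HDR.unpack(header)
        if spi != self.spi:
            return None, "unknown-spi"
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, icv):   # constant-time compare
            return None, "bad-icv"                    # forged or modified
        if seq in self.seen or seq <= self.highest - self.window:
            return None, "replay"
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        return body, "ok"


def run_sample():
    """Constructed exchange: Alice's packet, Eve's forgery, a tampered copy,
    a replay, then Alice's next packet."""
    key = os.urandom(32)               # shared by Alice and Bob out of band
    bob = Receiver(key, spi=0x1001)
    alice_pkt = build_packet(key, 0x1001, 1, b"transfer 10 to carol")
    eve_forged = build_packet(os.urandom(32), 0x1001, 2, b"transfer 1000 to eve")
    tampered = alice_pkt[:HDR.size] + b"transfer 99 to carol" + alice_pkt[-ICV_LEN:]
    return {
        "alice": bob.accept(alice_pkt)[1],
        "eve_forged": bob.accept(eve_forged)[1],
        "tampered": bob.accept(tampered)[1],
        "replayed": bob.accept(alice_pkt)[1],
        "alice_next": bob.accept(build_packet(key, 0x1001, 2, b"ack"))[1],
    }


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

Eve in this model may know every sequence number on the wire, which is exactly the TCP state the slide says suffices for plain TCP; without the key her segments fail the ICV check, and a captured valid segment fails the replay window, so hijacking is reduced to denial of service at worst.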