csce790-lect3
7/27/2019 CSCE790-lect3
1/33
CSCE 790
Internet Security
Lecture 3
Attacks
Reading Assignment
Reading assignments for January 22:
Required: Oppliger: Ch 3. Attacks
Recommended: Maximum Security: Ch. 15 Sniffers
Reading assignments for January 24:
Required: Oppliger: Ch 5. Cryptographic Techniques, sections 5.1, 5.2, 5.3
Attack
RFC 2828: An assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of the system.
Normal Flow
Figure: information source, information destination (undisturbed flow from source to destination)
Interruption
Figure: information source, information destination (flow from source to destination cut off)
Asset is destroyed or becomes unavailable (Availability)
Example: destruction of hardware, cutting a communication line, disabling the file management system, etc.
Interception
Figure: information source, information destination (flow read by an unauthorized third party)
Unauthorized party gains access to the asset (Confidentiality)
Example: wiretapping, unauthorized copying of files
Modification
Figure: information source, information destination (flow altered in transit by an unauthorized third party)
Unauthorized party tampers with the asset (Integrity)
Example: changing values of data, altering programs, modifying the content of a message, etc.
Fabrication
Figure: information source, information destination (counterfeit flow injected by an unauthorized third party)
Unauthorized party inserts a counterfeit object into the system (Authenticity)
Example: insertion of offending messages, addition of records to a file, etc.
Passive Attack
Attempts to learn or make use of information from the system but does not affect system resources (RFC 2828)
Example: sniffer
Sniffers
All machines on a network can hear the ongoing traffic
A machine normally responds only to data addressed specifically to it
Network interface in promiscuous mode: able to capture all frames transmitted on the local area network segment
Risks of Sniffers
Serious security threat
Capture confidential information:
  Authentication information
  Private data
Capture network traffic information
Passive attacks
Interception (confidentiality):
  Release of message contents
  Traffic analysis
Release of message content
Intruder is able to interpret and extract the information being transmitted
Highest risk: authentication information, which can be used to compromise additional system resources
Traffic Analysis
Intruder is not able to interpret and extract the transmitted information
Intruder is able to derive (infer) information from the traffic characteristics
Protection against passive attacks
Shield confidential data from sniffers: cryptography
Disturb the traffic pattern: NRL traffic padding, onion routing
Modern switch technology: network traffic is directed only to the destination interfaces
Detect and eliminate sniffers
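The padding countermeasure listed above, as an added example that is not part of the lecture slides: application messages are wrapped into fixed-size cells (the cell size of 512 bytes, the 2-byte length prefix and the sample messages are constructed for this illustration), so a traffic analyst who sees only sizes is left with a handful of size classes instead of one distinct size per message. Encryption is assumed to be applied to the padded cell separately; the example shows only the padding step.

```python
import math

CELL_SIZE = 512          # constructed fixed cell size in bytes (fixed-size cells as in onion routing)
LENGTH_FIELD = 2         # bytes reserved at the front to record the real payload length


def pad_to_cells(payload: bytes, cell_size: int = CELL_SIZE) -> bytes:
    """Wrap a payload into a whole number of fixed-size cells.

    Layout: 2-byte big-endian payload length, then the payload, then zero fill.
    The wire size depends only on ceil((len + 2) / cell_size), so an observer
    learns a size class, not the exact length.
    """
    if len(payload) >= 1 << (8 * LENGTH_FIELD):
        raise ValueError("payload too long for the length field")
    body = len(payload).to_bytes(LENGTH_FIELD, "big") + payload
    n_cells = math.ceil(len(body) / cell_size)
    return body + b"\x00" * (n_cells * cell_size - len(body))


def unpad(cells: bytes) -> bytes:
    """Recover the original payload from padded cells."""
    length = int.from_bytes(cells[:LENGTH_FIELD], "big")
    return cells[LENGTH_FIELD:LENGTH_FIELD + length]


def size_classes(payloads, cell_size: int = CELL_SIZE) -> set:
    """What a traffic analyst can still distinguish: the set of distinct wire sizes."""
    return {len(pad_to_cells(p, cell_size)) for p in payloads}


# Constructed sample: five application messages of different lengths.
SAMPLE = [b"GET /login", b"user=alice&pw=" + b"x" * 12, b"A" * 300, b"B" * 499, b"C" * 1000]


def demo():
    """Number of distinguishable sizes before and after padding."""
    raw = {len(p) for p in SAMPLE}        # unpadded: every message has its own size
    padded = size_classes(SAMPLE)         # padded: only a few size classes remain
    return len(raw), len(padded)


if __name__ == "__main__":
    print("distinct sizes (raw, padded):", demo())
```

Padding trades bandwidth for secrecy: the 10-byte request costs a full 512-byte cell, which is exactly the overhead the NRL traffic padding work accepts. Note that padding hides lengths but not timing or the endpoints; those need the routing-level measures (onion routing) listed on the slide.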
Detection of sniffer tools
Difficult to detect: passive programs
Tools:
  Snifftest (SunOS and Solaris): can detect sniffers even if the network interface is not in promiscuous mode
  Nitwitt (Network Interface Tap): can detect sniffers even if the network interface is not in promiscuous mode
  Promisc (Linux)
  cmp (SunOS 4.x): detects promiscuous mode
  AntiSniff (L0pht Heavy Industries, Inc.): remotely detects computers that are packet sniffing, regardless of the OS
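The host-based check that the Linux and SunOS tools above perform, written here as an added example rather than any of those tools' code: on Linux the interface flags word in /sys/class/net/<iface>/flags carries IFF_PROMISC (0x100), `ip -o link show` prints PROMISC in the flag list, and the kernel logs "device <iface> entered promiscuous mode" on every transition. The `ip link` output and the log lines below are constructed samples, not captures from a real host.

```python
import re

# Linux interface flag bits (from <linux/if.h>); /sys/class/net/<iface>/flags exposes the word in hex.
IFF_UP = 0x1
IFF_PROMISC = 0x100


def decode_flags(flags_word: str) -> dict:
    """Decode the hex flags word read from /sys/class/net/<iface>/flags."""
    flags = int(flags_word, 16)
    return {"up": bool(flags & IFF_UP), "promisc": bool(flags & IFF_PROMISC)}


# `ip -o link show` prints one interface per line: "<idx>: <name>: <FLAG,FLAG,...> mtu ..."
LINK_RE = re.compile(r"^\d+:\s*(?P<name>[^:@]+)(?:@\S+)?:\s*<(?P<flags>[^>]*)>")


def promiscuous_interfaces(ip_link_output: str) -> list:
    """Names of interfaces whose flag list contains PROMISC."""
    names = []
    for line in ip_link_output.splitlines():
        m = LINK_RE.match(line.strip())
        if m and "PROMISC" in m.group("flags").split(","):
            names.append(m.group("name"))
    return names


# The kernel logs each transition, so scanning syslog/dmesg also catches a sniffer that was
# started and stopped between two polls of the flags.
PROMISC_LOG_RE = re.compile(r"device (?P<name>\S+) (?P<state>entered|left) promiscuous mode")


def promisc_transitions(log_lines) -> list:
    """(interface, 'entered' | 'left') pairs found in kernel log text, in log order."""
    found = []
    for line in log_lines:
        m = PROMISC_LOG_RE.search(line)
        if m:
            found.append((m.group("name"), m.group("state")))
    return found


# Constructed sample command output and log lines (not from a real host).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
"""
SAMPLE_KERNEL_LOG = [
    "Jan 22 10:01:07 host kernel: device eth0 entered promiscuous mode",
    "Jan 22 10:01:07 host kernel: eth0: link becomes ready",
    "Jan 22 10:09:41 host kernel: device eth0 left promiscuous mode",
]

if __name__ == "__main__":
    print("promiscuous now:", promiscuous_interfaces(SAMPLE_IP_LINK))
    print("transitions:", promisc_transitions(SAMPLE_KERNEL_LOG))
```

This is the weaker of the two approaches on the slide: it only sees the flag on the host it runs on, and, as the Snifftest and Nitwitt entries note, a sniffer on a tapped link or one that never sets promiscuous mode leaves no such trace, which is why the remote, behaviour-based AntiSniff approach is listed alongside it.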
Active attacks
Attempts to alter system resources or affect their operation (RFC 2828)
Active attacks
  Interruption (availability)
  Modification (integrity)
  Fabrication (integrity)
Active Attacks
Masquerade
Replay
Modification of messages
Denial of service
Degradation of service
Spoofing attacks
Session hijacking
Masquerade
One entity pretends to be a different entity
Usually involves additional attacks, e.g., authentication sequences are captured and replayed
Replay
Passive capture of a data unit and its subsequent retransmission
Modification of messages
Some portion of the legitimate message is altered, or
the message is delayed or reordered
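How a receiver tells apart the three active attacks just described (replay, alteration, delay or reordering), as an added example that is not from the slides or from Oppliger: every message carries a sequence number and a timestamp under an HMAC, and the receiver keeps a sliding anti-replay window in the style of IPsec. The shared key, the message format and the exchange in `demo()` are constructed for this illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-shared-key"   # placeholder shared secret, assumed established out of band


def mac(key: bytes, m: dict) -> str:
    """HMAC over sequence number, timestamp and payload, so none of them can be altered unnoticed."""
    body = json.dumps({k: m[k] for k in ("seq", "ts", "payload")}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_message(key: bytes, seq: int, payload: str, now: int) -> dict:
    """Sender side: number the message, timestamp it and attach the tag."""
    m = {"seq": seq, "ts": now, "payload": payload}
    m["tag"] = mac(key, m)
    return m


class Receiver:
    """Receiver side: integrity check, freshness bound and a sliding anti-replay window."""

    def __init__(self, key: bytes, window: int = 32, max_age: int = 30):
        self.key, self.window, self.max_age = key, window, max_age
        self.highest = 0        # highest sequence number accepted so far
        self.seen = set()       # accepted sequence numbers still inside the window

    def receive(self, m: dict, now: int) -> str:
        # Modification: any change to seq, ts or payload invalidates the tag.
        if not hmac.compare_digest(mac(self.key, m), m["tag"]):
            return "rejected: modified"
        # Delay: a message older than max_age is refused even if never seen before.
        if now - m["ts"] > self.max_age:
            return "rejected: stale"
        seq = m["seq"]
        # Reordering: tolerated inside the window, refused below it.
        if seq <= self.highest - self.window:
            return "rejected: too old"
        # Replay: a sequence number inside the window is accepted exactly once.
        if seq in self.seen:
            return "rejected: replay"
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        return "accepted"


def demo() -> list:
    """Constructed exchange: two genuine messages, then a replay, a tampered copy and a delayed one."""
    rx = Receiver(KEY)
    m1 = make_message(KEY, 1, "transfer 10", now=100)
    m2 = make_message(KEY, 2, "transfer 20", now=101)
    tampered = dict(m2, payload="transfer 2000")     # payload changed, tag left as captured
    late = make_message(KEY, 3, "transfer 30", now=104)
    return [
        rx.receive(m1, now=100),
        rx.receive(m2, now=101),
        rx.receive(m1, now=102),        # captured earlier and retransmitted unchanged
        rx.receive(tampered, now=103),
        rx.receive(late, now=200),      # held back and delivered long after it was sent
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The window deliberately accepts bounded reordering (message 5 before message 4 is normal on a packet network) while refusing anything that falls below the window or arrives twice; the timestamp check is what catches a delayed message whose sequence number would otherwise still look fresh. The MAC does nothing against replay on its own, which is why the slide on masquerade pairs "captured" with "replayed".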
Denial of service
Prevents or inhibits the normal use or management of resources
May range from blocking a particular resource to blocking the entire network
Past attacks: aimed to crash the systems of a victim
DoS attacks
E-mail bombing attack: floods the victim's mailbox with large bogus messages
  Popular
  Free tools available
Smurf attack:
  Attacker multicasts or broadcasts an Internet Control Message Protocol (ICMP) message with the spoofed IP address of the victim system as its source
  Each receiving system sends a response to the victim
  Victim's system is flooded
DoS attacks
TCP SYN flooding
Figure: three-way handshake between Client (initiator) and Server
Half-open connection: server is waiting for the client's ACK
TCP SYN flooding
Server: limited number of allowed half-open connections
Backlog queue:
  Holds the existing half-open connections
  Full: no new connections can be established
  An entry is freed on time-out or reset
TCP SYN flooding
Attack:
  Attacker sends SYN requests to the server with an IP source address that is unable to respond to the SYN-ACK
  Server's backlog queue is filled
  No new connections can be established
  Attacker keeps sending SYN requests
Does not affect:
  Existing (open) incoming connections
  Outgoing connections
Distributed denial of service (DDoS)
Use additional systems (zombies) on the Internet to launch a coordinated attack
Protection against DoS, DDoS
Hard to provide full protection
Some of the attacks can be prevented:
  Filter out incoming traffic with a local IP address as source
  Avoid the established state until confirmation of the client's identity
  Internet traceback: determine the source of an attack
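The SYN-flooding mechanism from the three preceding slides and the first two protections listed here, as an added example that is not part of the lecture material: `StatefulBacklog` models the classic server whose fixed number of half-open slots is exhausted by SYNs whose source never answers; `drop_spoofed_local_source` is the ingress filter that refuses outside packets claiming a local source; `SynCookieServer` keeps no state until the third packet, because its SYN-ACK sequence number is a keyed hash of the connection tuple and a time slot (the SYN-cookie idea). The site prefix, the secret, the 3-bit-slot/29-bit-MAC layout and the time-outs are constructed for this illustration, not taken from any real implementation.

```python
import hashlib
import hmac
import ipaddress

# Constructed site prefix: addresses that can legitimately appear as sources only on the inside.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def drop_spoofed_local_source(src_ip: str, arrived_on_external: bool = True) -> bool:
    """Ingress filter: True if a packet on the external interface claims a local source address."""
    ip = ipaddress.ip_address(src_ip)
    return arrived_on_external and any(ip in net for net in LOCAL_NETS)


class StatefulBacklog:
    """Classic server: one slot per half-open connection, freed on ACK, reset or time-out."""

    def __init__(self, capacity: int, timeout: int):
        self.capacity, self.timeout = capacity, timeout
        self.half_open = {}             # (client_ip, client_port) -> expiry time

    def _expire(self, now: int):
        self.half_open = {c: t for c, t in self.half_open.items() if t > now}

    def on_syn(self, client, now: int) -> bool:
        """Reserve a slot for the SYN, or drop it because the backlog is full."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            return False
        self.half_open[client] = now + self.timeout
        return True

    def on_ack(self, client, now: int) -> bool:
        """Complete the handshake only if a matching half-open entry still exists."""
        self._expire(now)
        return self.half_open.pop(client, None) is not None


class SynCookieServer:
    """No state before the third packet: the ISN in the SYN-ACK is a keyed hash of the
    connection tuple and a coarse time slot; a correct ACK proves the client received it."""

    def __init__(self, secret: bytes, server_port: int, slot_seconds: int = 64):
        self.secret, self.server_port, self.slot_seconds = secret, server_port, slot_seconds

    def _cookie(self, client, slot: int) -> int:
        msg = f"{client[0]}:{client[1]}:{self.server_port}:{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 32-bit ISN: top 3 bits carry the slot, low 29 bits a truncated MAC (constructed layout).
        return ((slot & 0x7) << 29) | (int.from_bytes(digest[:4], "big") & 0x1FFFFFFF)

    def on_syn(self, client, now: int) -> int:
        """Return the ISN to put in the SYN-ACK; nothing is stored for this client."""
        return self._cookie(client, now // self.slot_seconds)

    def on_ack(self, client, ack: int, now: int) -> bool:
        """Accept the ACK only if it echoes a cookie from the current or previous slot."""
        isn = (ack - 1) & 0xFFFFFFFF
        current = now // self.slot_seconds
        for slot in (current, current - 1):
            if (slot & 0x7) == (isn >> 29) and self._cookie(client, slot) == isn:
                return True
        return False


if __name__ == "__main__":
    backlog = StatefulBacklog(capacity=3, timeout=75)
    unanswered = [backlog.on_syn(("203.0.113.9", p), now=0) for p in (1, 2, 3, 4)]
    print("stateful backlog accepted:", unanswered)      # fourth SYN is dropped
    srv = SynCookieServer(b"constructed-secret", server_port=80)
    isn = srv.on_syn(("198.51.100.7", 40000), now=1000)
    print("cookie ACK valid:", srv.on_ack(("198.51.100.7", 40000), isn + 1, now=1010))
```

The stateful model shows why the attack works: slots are consumed by SYNs that never complete and are only reclaimed by the time-out, so a modest sending rate keeps the queue full. The cookie server has no queue to fill; the cost is that options negotiated in the SYN are lost unless they are encoded into the cookie, which is why real implementations switch to cookies only once the backlog is under pressure.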
Degradation of Service
Does not completely block the service, just reduces its quality
Spoofing attacks
IP spoofing
DNS spoofing
Sequence number guessing
Sequence number guessing
Weaknesses: a TCP/IP host does not verify the authenticity of the source IP address
x, y are not randomly generated => the attacker may guess the value of y with good accuracy
Figure: three-way handshake between Client (initiator) and Server, with initial sequence numbers x (client) and y (server)
Sequence number guessing
Figure: hosts A, B and C
  1. SYN(X), sent with identity ID(B)
  2. SYN(Y), ACK(X)
  3. ACK(Y)
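Why the "not randomly generated" weakness on the two preceding slides matters, and what the fix looks like, as an added example that is not from the slides: `legacy_isn` models a generator that advances by a fixed step per connection, and `hashed_isn` follows the RFC 6528 construction ISN = M + F(connection tuple, secret) with a 4 microsecond clock M. `guess_rate` measures how often an observer who learned y from its own probe connection can predict the y handed to the next connection. The secret, addresses, step size and timing are constructed for this illustration.

```python
import hashlib
import hmac

MASK = 0xFFFFFFFF


def legacy_isn(previous: int, step: int = 64000) -> int:
    """Model of the old fixed-step generator: each new connection gets the last ISN plus a constant."""
    return (previous + step) & MASK


def hashed_isn(secret: bytes, clock: int, src_ip, src_port, dst_ip, dst_port) -> int:
    """RFC 6528 style: ISN = M + F(src, sport, dst, dport, secret); M is a 4 us tick counter."""
    tuple_bytes = f"{src_ip}:{src_port}:{dst_ip}:{dst_port}".encode()
    f = int.from_bytes(hmac.new(secret, tuple_bytes, hashlib.sha256).digest()[:4], "big")
    return (clock + f) & MASK


def guess_rate(scheme: str, trials: int = 200) -> float:
    """Fraction of trials in which an observer who saw the ISN of its own probe connection
    predicts the ISN the server hands to the next, different connection."""
    secret = b"constructed-isn-secret"
    server = ("192.0.2.1", 80)
    state = 0x12345678            # constructed starting point for the legacy generator
    clock = 1_000_000
    elapsed = 250_000             # 4 us ticks in the quarter second between the two connections
    correct = 0
    for i in range(trials):
        probe = ("198.51.100.7", 40000 + i)      # the observer's own connection
        other = ("192.0.2.10", 50000 + i)        # the connection whose ISN is to be predicted
        if scheme == "legacy":
            y_probe = legacy_isn(state)
            y_other = legacy_isn(y_probe)
            state = y_other
            guess = legacy_isn(y_probe)          # the observer knows the step
        elif scheme == "hashed":
            y_probe = hashed_isn(secret, clock, *probe, *server)
            clock += elapsed
            y_other = hashed_isn(secret, clock, *other, *server)
            guess = (y_probe + elapsed) & MASK   # best available without the secret
        else:
            raise ValueError(f"unknown scheme: {scheme}")
        correct += guess == y_other
    return correct / trials


if __name__ == "__main__":
    print("legacy generator, guess rate:", guess_rate("legacy"))
    print("hashed generator, guess rate:", guess_rate("hashed"))
```

With the fixed-step generator the observer is right every time, which is what makes the blind handshake in the figure (C completing step 3 without ever seeing step 2) feasible; with the per-tuple hash the two connections share only the clock term, and F differs by an unpredictable 32-bit value, so the guess succeeds with probability about 2^-32. The hash keeps the monotonic clock so that sequence numbers of successive connections on the same tuple still do not collide, which pure randomness would not guarantee.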