csce790-lect3

Upload: sachin-marathe

Post on 14-Apr-2018


  • 7/27/2019 CSCE790-lect3

    1/33

    CSCE 790

    Internet Security

    Lecture 3

    Attacks

    2/33

    Reading Assignment

    Reading assignments for January 22:

    Required:

    Oppliger: Ch 3. Attacks

    Recommended: Maximum Security: Ch. 15 Sniffers

    Reading assignments for January 24:

    Required:

    Oppliger: Ch 5. Cryptographic Techniques

    5.1, 5.2, 5.3

    3/33

    Attack

    RFC 2828:

    An assault on system security that derives

    from an intelligent threat, i.e., an intelligent

    act that is a deliberate attempt (especially in

    the sense of a method or technique) to

    evade security services and violate the security policy of the system.

    4/33

    Normal Flow

    Figure: information source -> information destination (normal flow)

    5/33

    Interruption

    Figure: information source, information destination (flow interrupted)

    Asset is destroyed or becomes unavailable: attack on availability

    Example: destruction of hardware, cutting a communication line, disabling the file management system, etc.

    6/33

    Interception

    Figure: information source -> information destination, with a third party reading the flow

    Unauthorized party gains access to the asset: attack on confidentiality

    Example: wiretapping, unauthorized copying of files

    7/33

    Modification

    Figure: information source -> third party -> information destination

    Unauthorized party tampers with the asset: attack on integrity

    Example: changing values of data, altering programs, modifying the content of a message, etc.

    8/33

    Fabrication

    Figure: third party -> information destination, no message from the information source

    Unauthorized party inserts a counterfeit object into the system: attack on authenticity

    Example: insertion of offending messages, addition of records to a file, etc.

    9/33

    Passive Attack

    Attempts to learn or make use of information

    from the system but does not affect system

    resources (RFC 2828)

    Example: sniffer

    10/33

    Sniffers

    All machines on a shared network segment can hear

    the ongoing traffic

    A machine normally processes only frames

    addressed specifically to it

    Network interface in promiscuous mode: able to capture all frames transmitted on the local area network segment

    11/33

    Risks of Sniffers

    Serious security threat

    Capture confidential information

    Authentication information

    Private data

    Capture network traffic information

    12/33

    Passive attacks

    Interception (confidentiality)

    Release of message contents

    Traffic analysis

    13/33

    Release of message content

    Intruder is able to interpret and extract

    information being transmitted

    Highest risk: authentication information

    Can be used to compromise additional system

    resources

    14/33

    Traffic Analysis

    Intruder is not able to interpret and

    extract the transmitted information (e.g., it is encrypted)

    Intruder is able to derive (infer) information from the traffic characteristics: who talks to whom, when, how often, and how much
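
The two passive attacks above, as an added example that is not part of the lecture slides: a pure-standard-library sniffer that decodes Ethernet/IPv4/TCP frames, pulls a cleartext POP3 login out of one (release of message contents) and, for an opaque payload it cannot read, still builds a per-flow profile (traffic analysis). The two frames are constructed inline with fake MAC addresses, RFC 5737 documentation addresses and zero checksums; the function and class names are the example's own.

```python
"""Added example (not part of the lecture slides): what a sniffer on the segment
sees, and the difference between release of message contents and traffic analysis.
Two Ethernet/IPv4/TCP frames are constructed inline (no checksums, fake MACs and
RFC 5737 documentation addresses); parsing uses only the standard library."""
import struct
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test data: minimal Ethernet + IPv4 + TCP frame (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    # data offset 5 (20-byte header), flags PSH|ACK, window 65535
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> Packet:
    """Decode a frame the way a promiscuous-mode sniffer would (IPv4/TCP only)."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ip[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return Packet(src, dst, sport, dport, ip[ihl + data_off:total_len])


def extract_credentials(pkt: Packet) -> Dict[str, str]:
    """Release of message contents: pull USER/PASS lines from a cleartext POP3/FTP-style payload."""
    creds: Dict[str, str] = {}
    for line in pkt.payload.split(b"\r\n"):
        for key in (b"USER ", b"PASS "):
            if line.startswith(key):
                creds[key.strip().decode().lower()] = line[len(key):].decode(errors="replace")
    return creds


def traffic_profile(pkts: List[Packet]) -> Dict[Tuple[str, int, str, int], int]:
    """Traffic analysis: bytes per (src, sport, dst, dport) flow, never looking inside
    the payload. This works just as well when the payload is encrypted."""
    flows: Dict[Tuple[str, int, str, int], int] = {}
    for p in pkts:
        key = (p.src, p.sport, p.dst, p.dport)
        flows[key] = flows.get(key, 0) + len(p.payload)
    return flows


# Constructed sample traffic: a cleartext POP3 login and an opaque (assume TLS) record.
FRAMES = [
    build_frame("192.0.2.10", "192.0.2.20", 40001, 110, b"USER alice\r\nPASS hunter2\r\n"),
    build_frame("192.0.2.10", "192.0.2.30", 40002, 443, bytes(range(48))),
]


def sniff(frames: List[bytes]) -> List[Packet]:
    return [parse_frame(f) for f in frames]


if __name__ == "__main__":
    pkts = sniff(FRAMES)
    for p in pkts:
        print(p.src, p.sport, "->", p.dst, p.dport,
              extract_credentials(p) or "(no cleartext credentials)")
    print(traffic_profile(pkts))
```

The first frame gives up the user name and password outright; the second yields nothing to `extract_credentials`, but `traffic_profile` still records that 192.0.2.10 sent 48 bytes to port 443 on 192.0.2.30, which is exactly the kind of inference traffic padding and onion routing (next slide) are meant to blunt.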

    15/33

    Protection against passive attacks

    Shield confidential data from sniffers:

    cryptography

    Disturb the traffic pattern: NRL traffic padding,

    onion routing

    Modern switch technology: network traffic is directed only to the destination interface (not a complete defense: an attacker on the segment can still poison ARP or flood the switch's address table to receive other hosts' frames)

    Detect and eliminate sniffers

    16/33

    Detection of sniffer tools

    Difficult to detect: passive programs

    Tools:

    Snifftest (SunOS and Solaris): can detect sniffers even if the network interface is not in promiscuous mode

    Nitwitt (Network Interface Tap): can detect sniffers even if the network interface is not in promiscuous mode

    Promisc (Linux)

    cmp (SunOS 4.x): detects promiscuous mode

    AntiSniff (L0pht Heavy Industries, Inc.): remotely detects computers that are packet sniffing, regardless of the OS

    17/33

    Active attacks

    Attempts to alter system resources or affect

    their operation (RFC 2828)

    18/33

    Active attacks

    Interruption (availability)

    Modification (integrity)

    Fabrication (authenticity)

    19/33

    Active Attacks

    Masquerade

    Replay

    Modification of messages

    Denial of service

    Degradation of service

    Spoofing attacks

    Session hijacking

    20/33

    Masquerade

    One entity pretends to be a different entity

    Usually involves additional attacks, e.g.,

    authentication sequences captured and replayed

    21/33

    Replay

    Passive capture of a data unit and its

    subsequent retransmission to produce an unauthorized effect
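
The masquerade-by-replay described on the two slides above, as an added example that is not part of the lecture slides: an attacker passively captures a user's authentication message and retransmits it. A server that accepts a fixed message lets the replay through; one that issues a fresh random challenge per attempt and binds the MAC to it does not. The shared key, user name and class names are constructed for illustration.

```python
"""Added example (not part of the lecture slides): capture-and-replay of an
authentication message, and the challenge/nonce fix. The shared key, user name
and class names are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Set, Tuple

SHARED_KEY = b"example-shared-secret"  # constructed; a real system keys this per user


class StaticAuthServer:
    """Accepts any message whose MAC over the user name is valid.
    The message never changes, so a captured copy works forever."""

    def verify(self, user: bytes, tag: bytes) -> bool:
        expected = hmac.new(SHARED_KEY, user, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class ChallengeAuthServer:
    """Issues a fresh random nonce per attempt and accepts each nonce once."""

    def __init__(self) -> None:
        self.outstanding: Set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user: bytes, nonce: bytes, tag: bytes) -> bool:
        if nonce not in self.outstanding:
            return False              # unknown or already-used nonce: replay stops here
        self.outstanding.discard(nonce)
        expected = hmac.new(SHARED_KEY, nonce + user, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def client_static(user: bytes) -> Tuple[bytes, bytes]:
    return user, hmac.new(SHARED_KEY, user, hashlib.sha256).digest()


def client_challenge(user: bytes, nonce: bytes) -> Tuple[bytes, bytes, bytes]:
    return user, nonce, hmac.new(SHARED_KEY, nonce + user, hashlib.sha256).digest()


def replay_against_static() -> Tuple[bool, bool]:
    """Attacker passively captures alice's login and retransmits it: masquerade succeeds."""
    server = StaticAuthServer()
    captured = client_static(b"alice")          # sniffed off the wire
    first = server.verify(*captured)            # alice's genuine login
    replayed = server.verify(*captured)         # attacker's retransmission
    return first, replayed                      # (True, True)


def replay_against_challenge() -> Tuple[bool, bool]:
    """Same capture against the nonce-based server: the replay is rejected."""
    server = ChallengeAuthServer()
    captured = client_challenge(b"alice", server.challenge())
    first = server.verify(*captured)
    replayed = server.verify(*captured)
    return first, replayed                      # (True, False)


def forged_tag_rejected() -> bool:
    """Without the key the attacker cannot answer a fresh challenge either."""
    server = ChallengeAuthServer()
    nonce = server.challenge()
    return not server.verify(b"alice", nonce, secrets.token_bytes(32))


if __name__ == "__main__":
    print("static server (first, replay):", replay_against_static())
    print("nonce server  (first, replay):", replay_against_challenge())
    print("forged tag rejected:", forged_tag_rejected())
```

The nonce set is what makes the difference: a captured `(user, nonce, tag)` triple is only valid while that nonce is outstanding, and the server discards it on first use. A real deployment would also expire unanswered nonces so the set cannot grow without bound.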

    22/33

    Modification of messages

    Some portion of a legitimate message is

    altered, or

    the message is delayed or reordered

    23/33

    Denial of service

    Prevents or inhibits the normal use or

    management of resources

    May range from blocking a particular resource to blocking the entire network

    Past attacks: aim to crash the victim's systems

    24/33

    DoS attacks

    E-mail bombing attack: floods the victim's mailbox with large bogus messages

    Popular

    Free tools available

    Smurf attack:

    Attacker multicasts or broadcasts an Internet Control Message Protocol (ICMP) echo request with the spoofed source IP address of the victim system

    Each receiving system sends a response (echo reply) to the victim

    The victim's system is flooded (the attack is amplified by the number of hosts that answer the broadcast)

    25/33

    DoS attacks

    TCP SYN flooding

    Figure: three-way handshake between client (initiator) and server

    Half-open connection: server has sent SYN-ACK and is waiting

    for the client's ACK

    26/33

    TCP SYN flooding

    Server: limited number of allowed half-

    open connections

    Backlog queue:

    holds existing half-open connections

    Full: no new connections can be established

    Entries leave the queue on time-out or reset

    27/33

    TCP SYN flooding

    Attack:

    Attacker sends SYN requests to the server with a spoofed IP source

    address that is unable to respond to the SYN-ACK

    Server's backlog queue fills

    No new connections can be established

    Attacker keeps sending SYN requests so the queue stays full as entries time out

    Does not affect existing (already open) incoming connections or

    outgoing connections

    28/33

    Distributed denial of service (DDoS)

    Use additional compromised systems (zombies) on the

    Internet to launch a coordinated attack

    29/33

    Protection against DoS, DDoS

    Hard to provide full protection

    Some of the attacks can be prevented:

    Filter out incoming traffic with a local IP address

    as source (ingress filtering)

    Avoid establishing state until the client's identity is confirmed (e.g., SYN cookies)

    Internet traceback: determine the source of an attack
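
The SYN-flood mechanics of slides 25 to 27 and the first two countermeasures on this slide, as one added example that is not part of the lecture slides. A `ListenSocket` class models the backlog queue: without SYN cookies, spoofed SYNs from unreachable sources fill it and a legitimate client is refused until the entries time out; with SYN cookies the server keeps no state for the half-open connection and encodes a MAC of the peer in its ISN instead, so the flood costs it nothing. `ingress_filter_allows` is the "local source address from outside" check. Backlog size, timeout, the local prefix and all addresses are assumed values; no real socket is opened.

```python
"""Added example (not from the slides): a model of the listen backlog under SYN
flooding, with the two slide-29 mitigations that apply to it. Backlog size,
timeout, prefixes and addresses are assumed values; no real socket is opened."""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, Optional, Set, Tuple

BACKLOG_LIMIT = 5        # assumed: tiny so the flood is visible
SYN_TIMEOUT = 75.0       # assumed: seconds a half-open entry survives
MASK32 = 0xFFFFFFFF


class ListenSocket:
    def __init__(self, syn_cookies: bool = False) -> None:
        self.syn_cookies = syn_cookies
        self.half_open: Dict[Tuple[str, int], Tuple[int, float]] = {}  # peer -> (ISN, expiry)
        self.established: Set[Tuple[str, int]] = set()
        self.secret = secrets.token_bytes(32)

    def _cookie(self, src: str, sport: int, slot: int) -> int:
        """SYN cookie: the ISN is a MAC over the peer and a coarse time slot."""
        msg = f"{src}:{sport}:{slot}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def _expire(self, now: float) -> None:
        self.half_open = {k: v for k, v in self.half_open.items() if v[1] > now}

    def on_syn(self, src: str, sport: int, now: float) -> Optional[int]:
        """Return the ISN sent in SYN-ACK, or None if the SYN had to be dropped."""
        self._expire(now)
        if self.syn_cookies:
            return self._cookie(src, sport, int(now // 60))      # no state stored
        if len(self.half_open) >= BACKLOG_LIMIT:
            return None                                          # backlog full
        isn = secrets.randbits(32)
        self.half_open[(src, sport)] = (isn, now + SYN_TIMEOUT)
        return isn

    def on_ack(self, src: str, sport: int, ack: int, now: float) -> bool:
        """Third handshake message: True if the connection becomes established."""
        if self.syn_cookies:
            slot = int(now // 60)
            for d in (0, 1):          # accept the current and the previous slot
                if (self._cookie(src, sport, slot - d) + 1) & MASK32 == ack:
                    self.established.add((src, sport))
                    return True
            return False
        self._expire(now)
        entry = self.half_open.get((src, sport))
        if entry is None or (entry[0] + 1) & MASK32 != ack:
            return False
        del self.half_open[(src, sport)]
        self.established.add((src, sport))
        return True


def flood_then_legit(syn_cookies: bool, wait: float = 1.0) -> bool:
    """20 SYNs from spoofed, unreachable sources (never ACKed), then one real client
    `wait` seconds later. Returns whether the real client's handshake completes."""
    sock = ListenSocket(syn_cookies)
    for i in range(20):
        sock.on_syn(f"203.0.113.{i + 1}", 50000 + i, 0.0)
    isn = sock.on_syn("198.51.100.7", 40000, wait)
    if isn is None:
        return False
    return sock.on_ack("198.51.100.7", 40000, (isn + 1) & MASK32, wait + 0.1)


LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed local prefix


def ingress_filter_allows(src_ip: str, from_outside: bool) -> bool:
    """First measure on the slide: drop packets from outside that claim a local source."""
    return not (from_outside and ipaddress.ip_address(src_ip) in LOCAL_NET)


if __name__ == "__main__":
    print("plain backlog, right after flood:", flood_then_legit(False))
    print("plain backlog, after entries time out:", flood_then_legit(False, 80))
    print("SYN cookies, right after flood:", flood_then_legit(True))
    print("spoofed local source from outside:", ingress_filter_allows("192.0.2.5", True))
```

The cookie path accepts the previous time slot as well as the current one so that a legitimate ACK arriving just after a slot boundary is not refused; real implementations also encode the MSS in the cookie, since the server keeps no SYN-time state. Ingress filtering stops the spoofed-local-source variant but not a flood whose spoofed sources are remote, which is why the slide lists the state-avoidance measure separately.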

    30/33

    Degradation of Service

    Does not completely block the service, just reduces

    the quality of service

    31/33

    Spoofing attacks

    IP spoofing

    DNS spoofing

    Sequence number guessing

    32/33

    Sequence number guessing

    Weaknesses:

    A TCP/IP host does not verify the authenticity of the source IP address

    Initial sequence numbers x, y are not randomly generated => attacker may guess the value of y with

    good accuracy

    Figure: three-way handshake between client (initiator) and server: SYN(x); SYN(y), ACK(x); ACK(y)

    33/33

    Sequence number guessing

    Figure: hosts A, B and C, with C forging B's identity towards A

    1. C -> A: SYN(X), sent with source ID(B)

    2. A -> B: SYN(Y), ACK(X)   (C does not see this message)

    3. C -> A: ACK(Y), sent with source ID(B), with Y guessed
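
The blind spoofed handshake of slides 32 and 33, as an added example that is not part of the lecture slides. C first opens a normal connection to A from its own address to observe A's current ISN, then sends a SYN claiming to be B and answers the SYN-ACK it never sees with a guessed Y. Against a generator that adds a fixed constant per connection the guess is exact; against a random generator it fails. The +128000-per-connection generator is a model of the classic BSD behaviour and the host names, ports and class names are constructed. In a real attack B must also be kept from answering A's SYN-ACK with a reset, for instance by SYN-flooding it first.

```python
"""Added example (not from the slides): a blind spoofed handshake against a host
whose initial sequence numbers are predictable, versus one that draws them at
random. Roles follow slide 33: A is the target, B the host whose address the
attacker C forges. The +128000-per-connection generator is a model of the
classic BSD behaviour; the host names and ports are constructed."""
import secrets
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF


class PredictableISN:
    """Model of an old-style generator: each new connection adds a fixed constant."""
    STEP = 128000

    def __init__(self) -> None:
        self.counter = 0

    def next(self) -> int:
        self.counter = (self.counter + self.STEP) & MASK32
        return self.counter


class RandomISN:
    def next(self) -> int:
        return secrets.randbits(32)


class HostA:
    """Target host: trusts any completed handshake that appears to come from B."""

    def __init__(self, isn_gen) -> None:
        self.gen = isn_gen
        self.half_open: Dict[str, int] = {}   # claimed source address -> Y
        self.sessions: List[str] = []

    def syn(self, claimed_src: str, x: int) -> int:
        """1. SYN(X) arrives with source ID(claimed_src). Reply 2, SYN(Y) ACK(X), is
        routed to claimed_src; the attacker only sees it when claimed_src is itself."""
        y = self.gen.next()
        self.half_open[claimed_src] = y
        return y

    def ack(self, claimed_src: str, ack_num: int) -> bool:
        """3. ACK(Y): in TCP the acknowledgement number carried is Y+1."""
        y = self.half_open.get(claimed_src)
        if y is None or ack_num != (y + 1) & MASK32:
            return False
        del self.half_open[claimed_src]
        self.sessions.append(claimed_src)
        return True


def blind_spoof(isn_gen) -> Tuple[bool, bool]:
    """C's attack: probe A once from its own address to observe the current ISN,
    then open a connection as B and guess the ISN A will have chosen for it."""
    a = HostA(isn_gen)
    y_seen = a.syn("C", 1000)                        # probe: C receives this SYN-ACK
    a.ack("C", (y_seen + 1) & MASK32)                # C's own handshake completes normally
    a.syn("B", 2000)                                 # SYN(X) with ID(B); SYN-ACK goes to B
    guess = (y_seen + PredictableISN.STEP) & MASK32  # C never saw Y, so it guesses
    completed = a.ack("B", (guess + 1) & MASK32)     # ACK(Y) sent with ID(B)
    return completed, "B" in a.sessions


if __name__ == "__main__":
    print("predictable ISN:", blind_spoof(PredictableISN()))   # (True, True)
    print("random ISN:     ", blind_spoof(RandomISN()))        # (False, False) except with probability 2^-32
```

With `PredictableISN` the attacker's single guess lands exactly on Y and A records a session from "B"; with `RandomISN` the guess succeeds only with probability 2^-32 per attempt, which is the reason modern stacks randomize their ISNs. Note that C never receives any data from A in this exchange: the attack is blind, and its value lies in what A is willing to accept from a connection it believes belongs to B.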