
V: NETWORK SECURITY

Ms. Stevina Correia


TCP/IP vulnerabilities

• Vulnerabilities at each layer:

Layer 1: Physical Layer

• Fiber/cable cuts
• Wireless link jamming
• Copper cables influenced by electromagnetic fields
• Application of high voltage on copper wire

Prof. Stevina Correia-DJSCOE


Layer 2: Data Link Layer

• CAM (Content Addressable Memory) Table Overflows: affect the switches in the network.
• Switches operate by building a reference table of MAC addresses and corresponding switch ports.
• Based on the destination MAC address, the switch knows which port to forward the frames to.
• CAM is a physical part of the switch that stores information about the MAC addresses available on each physical port and their associated parameters.
• CAM is limited in size.



• The Macof tool floods a switch with invalid MAC addresses.
• When the CAM table of the switch fills up with these addresses, the switch begins to forward all frames that it receives to every port.
• The switch floods all ports with incoming traffic because it cannot find the port number for a particular MAC address in the CAM table.
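The fail-open behaviour described above, and the port-security style limit that an administrator uses against it, as a simulation added for this note (it is not code from the slides or from the Macof tool). The Switch class, its oldest-entry eviction policy, the port numbers and the MAC addresses are all hypothetical; the rules it follows (learn source MAC, forward to the known port, flood unknown destinations) are the ones the slide states.

```python
class Switch:
    """Toy learning switch with a size-limited CAM table.

    Hypothetical model written for this note: it follows the learn/forward/
    flood rules from the slides, not any vendor's implementation.
    """

    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        # Port-security style limit; None means "learn without limit".
        self.max_macs_per_port = max_macs_per_port
        self.cam = {}                 # mac -> port; insertion order doubles as age
        self.shutdown_ports = set()   # ports disabled after a violation
        self.flood_count = 0          # how often an unknown unicast was flooded

    def _learn(self, src_mac, in_port):
        if src_mac in self.cam:
            self.cam[src_mac] = in_port   # station moved or entry refreshed
            return
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == in_port)
            if on_port >= self.max_macs_per_port:
                # Too many source MACs behind one port: disable the port rather
                # than let it push legitimate entries out of the table.
                self.shutdown_ports.add(in_port)
                return
        if len(self.cam) >= self.cam_capacity:
            # Table full: evict the oldest entry so the new one fits. Whether a
            # real switch evicts or refuses to learn, legitimate hosts end up
            # missing from the table and their traffic is flooded.
            del self.cam[next(iter(self.cam))]
        self.cam[src_mac] = in_port

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of ports the frame is sent out of."""
        if in_port in self.shutdown_ports:
            return set()                      # port is disabled
        self._learn(src_mac, in_port)
        if in_port in self.shutdown_ports:
            return set()                      # this frame triggered the violation
        out_port = self.cam.get(dst_mac)
        if out_port is None:
            self.flood_count += 1
            return {p for p in self.ports if p != in_port}   # unknown unicast: flood
        return {out_port} if out_port != in_port else set()


def flood_demo(port_security):
    """Two legitimate hosts on ports 1 and 2; port 3 sources 500 bogus MACs.

    Returns (ports host 1's next frame to host 2 is sent out of,
             ports the switch has disabled).
    """
    limit = 2 if port_security else None
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=64, max_macs_per_port=limit)
    host1, host2 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    bcast = "ff:ff:ff:ff:ff:ff"
    sw.forward(host1, bcast, 1)     # both hosts get learned
    sw.forward(host2, bcast, 2)
    for i in range(500):            # constructed flood of bogus source MACs on port 3
        sw.forward(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", bcast, 3)
    return sw.forward(host1, host2, 1), sorted(sw.shutdown_ports)


if __name__ == "__main__":
    print("no port security :", flood_demo(False))   # unicast is flooded to 2, 3, 4
    print("port security    :", flood_demo(True))    # unicast goes only to port 2; port 3 disabled
```

Without the per-port limit the 500 bogus entries evict both real hosts from the 64-entry table, so a frame from host 1 to host 2 is flooded out of every other port, which is exactly the condition a sniffer on port 3 is waiting for; with the limit in place the table is never polluted and the offending port is disabled after its second unexpected source address.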



• MAC Address Spoofing:
  • The attacker replaces the CAM table entry of a known MAC address with another port.
  • Hence, packets destined for that port are redirected to another port (generally the attacker's port).
  • The attacker may then forge packets and resend them to the original destination.



• DHCP attacks:
  • DHCP starvation attack:
    • DHCP is used to obtain an IP address, subnet mask and default gateway from a server running DHCP server software.
    • The server grants IP addresses to clients on a lease basis.
    • In a DHCP starvation attack, the attacker broadcasts DHCP requests using spoofed MAC addresses.
    • The DHCP server leases out its IP addresses → runs out of available IP addresses → denial of service.
  • Fake DHCP server:
    • The attacker sets up a forged DHCP server, serving clients in the network with false details.
    • Because DHCP responses typically include default gateway and Domain Name System (DNS) server information, network attackers can supply their own system as the default gateway and DNS server, resulting in a man-in-the-middle attack.
    • All traffic passes through the attacker's PC, making it easy to sniff network packets.



ARP Function Overview
• Before a station can talk to another station it must do an ARP request to map the IP address to the MAC address.
• All computers on the subnet will receive and process the ARP request; the station that matches the IP address in the request will send an ARP reply.



• ARP Attacks / ARP Spoofing / ARP cache poisoning:
  • In ARP spoofing the attacker sends falsified ARP messages over a local area network.
  • The aim is to associate the attacker's MAC address with the IP address of another host (e.g. the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.
  • Often used to facilitate other attacks such as:
    • Denial of service: link multiple IP addresses with a single target's MAC address. As a result, traffic intended for many different IP addresses is redirected to the target's MAC address, overloading the target with traffic.
    • Man in the middle
    • Session hijacking attacks



Protection against ARP Spoofing

• Packet filtering
• Avoid trust relationships
• Use ARP spoofing detection software
• Use cryptographic network protocols
  • TLS, SSH, HTTPS
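What "ARP spoofing detection software" looks like at its core, as an added example that is not part of the slides: a passive monitor that reads ARP replies and raises an alert when an IP changes its MAC (against the first sighting, or against a static binding the administrator supplies) or when one MAC starts answering for several IPs, which is the pattern behind both the gateway impersonation and the DoS variant described above. The sample replies, addresses and alert names are constructed for this note.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on a LAN as (time, sender_ip, sender_mac).
# The gateway 192.168.1.1 really lives at 00:11:22:33:44:01; from t=5.0 a second
# station (de:ad:be:ef:00:01) starts answering for it and for host .10.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1",  "00:11:22:33:44:01"),
    (0.5, "192.168.1.10", "00:11:22:33:44:0a"),
    (1.0, "192.168.1.20", "00:11:22:33:44:14"),
    (5.0, "192.168.1.1",  "de:ad:be:ef:00:01"),
    (5.1, "192.168.1.10", "de:ad:be:ef:00:01"),
    (5.2, "192.168.1.1",  "de:ad:be:ef:00:01"),
]


def detect_arp_spoofing(replies, static_bindings=None):
    """Return a list of (time, alert_kind, detail) tuples.

    Two passive checks (the monitor only reads ARP replies, it sends nothing):
      * ip-mac-change: an IP already bound to one MAC (first sighting, or a
        static binding supplied by the admin) is now claimed by another MAC.
      * mac-claims-multiple-ips: one MAC answers for several IPs.
    """
    bindings = dict(static_bindings or {})   # ip -> trusted mac
    ips_per_mac = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        expected = bindings.get(ip)
        if expected is None:
            bindings[ip] = mac                # trust the first sighting
        elif mac != expected:
            alerts.append((t, "ip-mac-change", f"{ip}: {expected} -> {mac}"))
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)
            if len(ips_per_mac[mac]) > 1:     # alert once per newly claimed IP
                alerts.append((t, "mac-claims-multiple-ips",
                               f"{mac}: {sorted(ips_per_mac[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(*alert)
```

Trusting the first sighting is the weak spot of this design: a monitor that boots after the poisoning has started learns the attacker's binding as the truth, which is why the static_bindings argument exists for the addresses that matter most (the default gateway, DNS servers).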



Layer 3: Network Layer
• Packet Sniffing:
  • Sniffing: capturing packets.
  • Data from upper layers is encapsulated into IP packets.
  • Protocols like POP3, SMTP and SNMP transmit passwords in plaintext.
• IP Spoofing / source address spoofing:
  • The attacker sends a packet with malicious content.
  • The victim is unaware that the packet is not from a trusted source.
  • The attacker must find the IP of a trusted host, then modify the packet headers so that the packets appear to come from that host.



Types of IP Spoofing
• Non-blind:
  • Attacker and victim are on the same subnet.
  • The attacker is aware of the sequence numbers of the packets; hence the attack is called non-blind spoofing.
• Blind:
  • In this type of attack, the attacker transmits multiple packets to the intended target to receive a series of sequence numbers, which are generally used to assemble packets in the order in which they are intended to be read.
  • The attacker is not aware of how transmissions take place on this network, so must coax the machine into responding to the attacker's own requests in order to analyze the sequence numbers.
  • The attacker can then inject data into the stream of packets without having authenticated when the connection was first established.



• Man in the Middle Attack:
  • When two machines are communicating with each other, the attacker intercepts the packets sent by the systems and alters them, with the sending and receiving machines unaware that their communication has been tampered with.
• Denial of Service:
  • When a DDoS attack is launched, IP spoofing is used so that the exact machines from which the requests are coming cannot be identified. This makes the DDoS attack more powerful because it is difficult to identify the senders and block them.



Defending against IP spoofing
• Filtering at the router:
  • Implement ingress and egress filtering on border routers.
  • Implement an access control list that blocks private IP addresses on the downstream interface.
  • This interface should not accept addresses with your internal range as the source, since this is one of the most common spoofing techniques used to bypass firewalls.
  • On the upstream interface, restrict source addresses outside your valid range; this prevents someone on your network from sending spoofed traffic to the Internet.
• Encryption and authentication
  • Implemented in IPv6.
  • Eliminate host-based authentication, which is common for machines on the same subnet.
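The two router rules above (ingress: never accept your own range or private space from outside; egress: never let anything but your own range leave), written out as a small address filter. This is an added example, not code from the slides or from any router vendor; the organisation's range 203.0.113.0/24, the interface names and the sample packets are constructed.

```python
import ipaddress
from collections import Counter

# Hypothetical organisation whose public range is 203.0.113.0/24 (a documentation
# prefix, used here only as a constructed example).
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Private and reserved source ranges that should never arrive from the Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8",
)]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(interface, src):
    """Decide ('permit'|'drop', reason) for a packet with source address `src`.

    interface is "outside" for packets entering from the Internet (ingress rule)
    or "inside" for packets leaving the LAN towards the Internet (egress rule).
    """
    addr = ipaddress.ip_address(src)
    if interface == "outside":
        if _in_any(addr, INTERNAL_NETS):
            return "drop", "ingress: external packet claims an internal source"
        if _in_any(addr, BOGON_NETS):
            return "drop", "ingress: private/reserved source address"
        return "permit", "ingress: ok"
    if interface == "inside":
        if not _in_any(addr, INTERNAL_NETS):
            return "drop", "egress: source is outside our valid range"
        return "permit", "egress: ok"
    raise ValueError(f"unknown interface {interface!r}")


# Constructed sample of (interface, source) pairs seen at the border.
SAMPLE_PACKETS = [
    ("outside", "198.51.100.7"),   # ordinary Internet host
    ("outside", "203.0.113.5"),    # spoofed: claims to be one of our hosts
    ("outside", "192.168.1.5"),    # spoofed: private address from the Internet
    ("inside",  "203.0.113.9"),    # ordinary internal host
    ("inside",  "198.51.100.7"),   # internal host spoofing an outside source
]


def audit(packets=SAMPLE_PACKETS):
    """Count verdict reasons, e.g. to see how much spoofed traffic the rules drop."""
    return Counter(filter_packet(iface, src)[1] for iface, src in packets)


if __name__ == "__main__":
    for iface, src in SAMPLE_PACKETS:
        print(f"{iface:8} {src:15} -> {filter_packet(iface, src)}")
    print(audit())
```

The egress rule is the one most often forgotten: it protects other people's networks from your hosts, which is why it is the half that makes smurf-style reflection with a spoofed victim address impossible to launch from inside the filtered range.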



• RIP Routing Attack:
  • Seen in routers that implement the original RIP.
  • RIP is used to distribute routing information (routes, shortest path).
  • The original RIP has no authentication, and the information in a RIP packet is used without verification.
  • An attacker can forge a RIP packet claiming that their host has the shortest path out of the network.



• Fragmentation Attack:
  • The actual purpose of a packet is disguised by breaking it into fragments.
  • The receiving host can determine the purpose of a packet only after reassembling all fragments.
  • Fragmentation opens the door to DoS:
    • UDP and ICMP fragmentation attacks involve the transmission of fraudulent UDP or ICMP packets that are larger than the network's MTU. As these packets are fake and cannot be reassembled, the target server's resources are quickly consumed, resulting in server unavailability.
    • TCP fragmentation attacks (a.k.a. Teardrop) target TCP/IP reassembly mechanisms, preventing them from putting fragmented data packets back together. As a result, the data packets overlap and quickly overwhelm the victim's servers, causing them to fail.
• ICMP Attacks:
  • ICMP is used by the OS of networked computers to send error messages:
    • Service not available
    • Host/router could not be reached
  • ICMP does not authenticate packets.
  • It is easy to interpret and transmit spoofed ICMP packets.
  • DoS can be formulated using ICMP packets:
    • Destination unreachable
    • Time to live: for how much time the packet is active



A few popular ICMP messages



• PING FLOOD (ICMP FLOOD)
  • A ping flood is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP "echo request" (ping) packets.
  • The victim responds with ICMP "echo reply" packets, thus consuming both outgoing bandwidth as well as incoming bandwidth.
  • If the target system is slow enough, it is possible to consume enough of its CPU cycles for a user to notice a significant slowdown.
Ping of death
• Ping of Death (a.k.a. PoD) is a type of Denial of Service (DoS) attack in which an attacker attempts to crash, destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command.
• Ping of death attacks were particularly nasty because:
  • the identity of the attacker sending the oversized packet could easily be spoofed;
  • the attacker didn't need to know anything about the machine they were attacking except for its IP address.



• Ping of death is a denial of service (DoS) attack caused by an attacker deliberately sending an IP packet larger than the 65,536 bytes allowed by the IP protocol.
• Many operating systems didn't know what to do when they received an oversized packet, so they froze, crashed, or rebooted. By the end of 1997, operating system vendors had made patches available to avoid the ping of death.
• Still, many Web sites continue to block Internet Control Message Protocol (ICMP) ping messages at their firewalls to prevent any future variations of this kind of denial of service attack.
Smurf attack
• A distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.
• Most devices on a network will, by default, respond to this by sending a reply to the source IP address.
• If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.



Layer 4: Transport Layer
• TCP Land Attack
  • A Denial of Service (DoS) attack in which the attacker sets the source and destination information of a TCP segment to be the same. A vulnerable machine will crash or freeze due to the packet being repeatedly processed by the TCP stack.
• UDP Flooding Attack
  • Flooding a machine with forged UDP requests.
  • The machine will try to determine the application that each packet is destined for.
  • If a large number of packets are fired, the attacked machine might be overloaded, resulting in DoS or a machine crash.



• TCP/UDP port scanning
  • Launching a variety of attacks through port scanning.
• Connection Hijacking
  • The attacker can allow normal authentication to proceed between 2 hosts, and then seize control of the connection.
  • 2 possible ways to do this:
    • During the TCP 3-way handshake
    • In the middle of an established connection



• TCP SYN Attack
  • 3-way handshake:
    • Sender sends SYN
    • Receiver sends SYN ACK
    • Sender sends ACK of SYN ACK
  • The receiver maintains a queue of finite size (it empties quickly, as the ACK arrives in a few milliseconds).
  • By generating a number of fake TCP SYN packets from random IP addresses at a rapid rate, it is possible to fill up the connection queue and deny TCP services to legitimate users.



• Defence against TCP SYN Attack
  • Devices behind a firewall:
    • Use an access list to limit inbound access to a few selected IPs.
  • Devices offering public services (e.g. a mail server):
    • Increase the size of the connection queue.
    • Reduce the timeout waiting for the 3-way handshake to complete.
    • Use specific patches to address the TCP SYN attack.
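To see why the two tuning knobs on this slide (queue size and handshake timeout) matter, here is a small event-driven simulation of the listener's half-open queue, added for this note and not taken from the slides. Bogus SYNs never complete the handshake and so occupy a slot until the timeout purges them; legitimate clients ACK a few milliseconds later and free their slot. The traffic parameters (100 bogus SYNs per second, a legitimate client every 0.5 s with a 50 ms round trip) are constructed.

```python
import heapq
import itertools


def simulate_syn_flood(queue_size, handshake_timeout, attack_rate,
                       duration=10.0, legit_interval=0.5, legit_rtt=0.05):
    """Simulate a listener's half-open connection queue under a SYN flood.

    Bogus SYNs arrive `attack_rate` times per second and never send the final
    ACK; a legitimate client sends a SYN every `legit_interval` seconds and
    ACKs `legit_rtt` seconds later.  Returns (legit_accepted, legit_rejected).
    """
    events = []                       # heap of (time, seq, kind, conn_id)
    seq = itertools.count()           # tie-breaker keeps the ordering deterministic
    for k in range(int(duration * attack_rate)):
        heapq.heappush(events, (k / attack_rate, next(seq), "syn", ("attack", k)))
    for j in range(int(duration / legit_interval)):
        heapq.heappush(events, (j * legit_interval, next(seq), "syn", ("legit", j)))

    half_open = {}                    # conn_id -> time the entry expires
    accepted = rejected = 0
    while events:
        t, _, kind, cid = heapq.heappop(events)
        # Purge entries whose handshake timeout has passed; "reduce the
        # timeout" on the slide makes these leave the queue sooner.
        for stale in [c for c, expiry in half_open.items() if expiry <= t]:
            del half_open[stale]
        if kind == "syn":
            if len(half_open) >= queue_size:      # queue full: the SYN is dropped
                if cid[0] == "legit":
                    rejected += 1
                continue
            half_open[cid] = t + handshake_timeout
            if cid[0] == "legit":                 # only real clients finish
                heapq.heappush(events, (t + legit_rtt, next(seq), "ack", cid))
        elif half_open.pop(cid, None) is not None:
            accepted += 1                         # the ACK completed the handshake
    return accepted, rejected


if __name__ == "__main__":
    # (accepted, rejected) legitimate connections over 10 s at 100 bogus SYN/s
    print("queue 128, timeout 60 s :", simulate_syn_flood(128, 60.0, 100))
    print("queue 128, timeout 1 s  :", simulate_syn_flood(128, 1.0, 100))
    print("queue 2048, timeout 60 s:", simulate_syn_flood(2048, 60.0, 100))
```

With a 128-entry queue and a 60 s timeout the bogus entries fill the queue after 1.28 s and every later legitimate client is refused; shortening the timeout to 1 s caps the attacker at about 100 resident entries, and enlarging the queue to 2048 simply outlasts this attack rate. Both fixes only move the threshold, which is why the slide also lists patches (modern stacks use SYN cookies so that no state is held until the ACK arrives).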



Port Scanning
• Searches a network host for open ports.
• Used by network admins to check the security of the network.
• Used by hackers to compromise security.
• Portscan: scan for listening ports on a single target host.
• Portsweep: scan multiple hosts for a specific listening port.



Types of port scan
• TCP connect (not stealth):
  • Uses the TCP open system call provided by the OS kernel to connect to specified ports on the target host.
  • Completes the 3-way handshake.
  • An application listening on the destination port will respond to the connection attempt.
  • The application will log the connection attempt, therefore not stealthy.



• TCP SYN / half-open (stealth):
  • The scanner sends a SYN packet to the target host.
  • If the target is listening it will send SYN ACK, else it sends an RST packet.
  • Does not complete the 3-way handshake.
  • Not logged by the target host, hence stealthy.



• FIN:
  • A FIN packet is sent to the target host.
  • If the host is alive but not listening, it will respond with an RST packet.
  • If the target is listening it will not respond.
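"Stealthy" in these slides means the application never logs the probe, because no connection is ever completed. A network sensor in front of the host still sees every segment, and the signature is simple: one source touching many distinct ports with bare SYN or bare FIN segments and never following up with an ACK. The detector below is an added example, not code from the slides or from any IDS product; the packet records (time, source, destination port, flag letters), the addresses and the threshold of 10 ports are constructed for this note.

```python
from collections import defaultdict


def build_sample_packets():
    """Constructed inbound TCP segments seen by a sensor in front of one server:
    (time, src_ip, dst_port, flags), flags as a string of S/A/F/R/P letters."""
    pk = []
    # A normal client: SYN, then ACK (handshake completes), then data.
    pk += [(0.00, "10.0.0.5", 443, "S"), (0.02, "10.0.0.5", 443, "A"),
           (0.03, "10.0.0.5", 443, "PA")]
    # A second normal client talking to two services.
    for port in (80, 443):
        pk += [(1.0, "10.0.0.6", port, "S"), (1.02, "10.0.0.6", port, "A")]
    # Half-open probes: a SYN to each of 20 ports, never followed by an ACK.
    pk += [(2.0 + i * 0.01, "198.51.100.4", 1 + i, "S") for i in range(20)]
    # FIN probes: a bare FIN to each of 15 ports.
    pk += [(3.0 + i * 0.01, "192.0.2.7", 21 + i, "F") for i in range(15)]
    return sorted(pk)


def detect_port_scans(packets, threshold=10):
    """Return [(src_ip, kind, distinct_ports)] for sources that probed at least
    `threshold` distinct ports with bare SYN ("syn-scan") or bare FIN
    ("fin-scan") segments without ever completing a handshake to them."""
    probes = defaultdict(lambda: defaultdict(set))   # src -> flags -> ports probed
    completed = defaultdict(set)                     # src -> ports that saw an ACK
    for _, src, dport, flags in packets:
        if flags in ("S", "F"):
            probes[src][flags].add(dport)
        elif "A" in flags:
            completed[src].add(dport)
    alerts = []
    for src, by_flag in probes.items():
        for flag, ports in by_flag.items():
            unanswered = ports - completed[src]      # probes the source never followed up
            if len(unanswered) >= threshold:
                kind = "syn-scan" if flag == "S" else "fin-scan"
                alerts.append((src, kind, len(unanswered)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_port_scans(build_sample_packets()):
        print(*alert)
```

The two ordinary clients never trip the rule because each of their SYNs is followed by an ACK to the same port; a TCP connect scan would leave the same completed-handshake trace and is better caught from the application logs the slide mentions. The threshold needs a time window in a real sensor (ports per minute per source), which is omitted here to keep the logic visible.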



Denial of Service
• DoS: this type of attack is performed by a single host.
• Distributed DoS: this type of attack is performed by a number of compromised machines that all target the same victim. It floods the network with data packets.
• Classic DoS attacks
  • Methods of DoS attacks:
    • Flooding services or crashing services
    • Exhaustion of scarce, limited, or renewable resources
    • Altering or destroying configuration information



Resource Exhaustion
• Connectivity of the network:
  • Prevent hosts or networks from communicating on the network.
  • SYN flood
• Sabotaging of resources:
  • Use of forged UDP packets to connect the echo service on one machine to a useless service on another machine.
  • The 2 services consume the network bandwidth between them → affects network connectivity for all machines on the same network.



• Exhaustion of bandwidth:
  • Consume bandwidth by generating a large number of packets directed at a network.
  • ICMP echo packets
• Buffer overflow attacks
  • The most common DoS attack. The concept is to send more traffic to a network address than the programmers have built the system to handle.
  • E.g. sending emails with file names that have 256 characters.



Other DoS Attacks
• Ping of Death
  • Sends data packets above the maximum limit (65,536 bytes) that TCP/IP allows.
• Smurf
• Teardrop
  • This type of attack uses larger data packets.
  • TCP/IP breaks them into fragments that are reassembled on the receiving host.
  • The attacker manipulates the packets as they are sent so that they overlap each other.
  • This can cause the intended victim to crash as it tries to reassemble the packets.
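The Ping of Death and Teardrop entries here, and the Layer 3 fragmentation slide earlier, all describe the same failure: a reassembler that trusts fragment offsets and lengths. The check below is what a hardened reassembler does before touching its buffer, rejecting a fragment set whose end would exceed the maximum datagram size (the oversize case) or whose fragments overlap (the Teardrop case) and holding incomplete sets rather than guessing. It is an added example for this note, not code from the slides or from any operating system; fragment offsets are given in bytes here for readability (real IPv4 offsets are in 8-byte units), and the sample fragment sets are constructed.

```python
MAX_DATAGRAM = 65535   # IPv4 total-length field is 16 bits


def check_datagram(fragments, max_size=MAX_DATAGRAM):
    """Classify the fragments of one IP datagram before reassembling them.

    fragments: list of (offset_in_bytes, payload_bytes, more_fragments) tuples.
    Returns "ok", "oversize" (ping-of-death style), "overlap" (teardrop style)
    or "incomplete" (a hole; the missing fragment may still arrive).
    """
    for offset, payload, _ in fragments:
        if offset + len(payload) > max_size:
            return "oversize"          # could never fit in a legal datagram
    expected = 0
    final_seen = False
    for offset, payload, more in sorted(fragments, key=lambda f: f[0]):
        if final_seen:
            return "overlap"           # data after the fragment marked last contradicts it
        if offset < expected:
            return "overlap"           # this fragment rewrites bytes we already have
        if offset > expected:
            return "incomplete"        # hole between fragments
        expected = offset + len(payload)
        if not more:
            final_seen = True
    return "ok" if final_seen else "incomplete"


def reassemble(fragments):
    """Return the datagram payload, or raise ValueError with the verdict."""
    verdict = check_datagram(fragments)
    if verdict != "ok":
        raise ValueError(f"refusing to reassemble: {verdict}")
    return b"".join(p for _, p, _ in sorted(fragments, key=lambda f: f[0]))


# Constructed fragment sets for one datagram each.
NORMAL   = [(0, b"A" * 8, True), (8, b"B" * 8, False)]
TEARDROP = [(0, b"A" * 8, True), (4, b"B" * 8, False)]       # offsets overlap
POD      = [(0, b"A" * 8, True), (65528, b"C" * 16, False)]  # ends past 65535
MISSING  = [(0, b"A" * 8, True), (16, b"C" * 8, False)]      # hole at bytes 8..15


if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP),
                        ("ping-of-death", POD), ("missing", MISSING)):
        print(f"{name:14} -> {check_datagram(frags)}")
    print(reassemble(NORMAL))
```

A production reassembler also bounds how long an "incomplete" set may wait and how many such sets it holds per source, since a flood of never-completed fragment sets is itself the UDP/ICMP fragmentation DoS described on the Layer 3 slide.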



Distributed DoS
• A Distributed Denial of Service (DDoS) attack is a variant of a DoS attack that employs very large numbers of attacking computers to overwhelm the target with bogus traffic.
• DDoS attacks are often performed by botnets.



Features of DDoS
• The (often worldwide) distribution of attacking systems makes it very difficult to detect where the actual attacking party is located.
• It is difficult for the target server to recognize the traffic as illegitimate and refuse it entry, because of the seemingly random distribution of attacking systems.
Example of DDoS
• In January 2012, the hacktivist group Anonymous conducted an attack on multiple major supporters of the Stop Online Piracy Act (SOPA).
• Attackers disabled the websites of the Federal Bureau of Investigation (FBI), the White House, the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), Universal Music Group, and Broadcast Music, Inc. (BMI).
• The attackers built their botnet using an unconventional model that allowed users wishing to support the organization to offer their computers as bots for the attacks.
• Users who wanted to volunteer support could join the Anonymous botnet by clicking links that the organization posted in various locations online, such as Twitter.



Altering or Destroying Configuration Information
• The attacker may alter or destroy configuration information, which prevents the user from accessing their computer.
• E.g. if the attacker is able to change routing information in routers, the entire network may be disabled.
• If the attacker can alter the registry on a Windows machine, certain functions may become unavailable.



• DNS Spoofing
  • The art of making a DNS entry point to another IP.
  • E.g. users may be directed to web sites other than the intended destination.
• DNS overflows
  • Occur when there is no mechanism to check and verify the length of a hostname.
  • If len(hostname) > the maximum limit allowed, the surplus data is sent to the DNS server, resulting in a DNS buffer overflow on that DNS server.



Tools
• Nemesy: this tool can be used to generate random packets.
• Land and LaTierra: this tool can be used for IP spoofing and opening TCP connections.
• Panther: this tool can be used to flood a victim's network with UDP packets.
• Botnets: these are multitudes of compromised computers on the Internet that can be used to perform a distributed denial of service attack.
Defence
• Attacks such as SYN flooding take advantage of bugs in the operating system. Installing security patches can help reduce the chances of such attacks.
• Intrusion detection systems can also be used to identify and even stop illegal activities.
• Firewalls can be used to stop simple DoS attacks by blocking all traffic coming from an attacker once their IP has been identified.
• Routers can be configured via an Access Control List to limit access to the network and drop suspected illegal traffic.
Firewall
• Determines what to let into and out of the network.
• Examines requests to access the network and decides whether they are allowed or not.
• Acts as a form of access control for the network.



3 types of firewalls
• Packet filter: a firewall that operates at the network layer.
• Stateful packet filter / circuit level: a firewall that operates at the transport layer.
• Application proxy: a firewall that operates at the application layer, where it functions as a proxy.



Packet Filter
• Examines packets up to the network layer.
• Can filter packets based on information available at the network layer:
  • Source and destination IP address
  • Source and destination ports
  • TCP flag bits
• Can filter packets based on ingress or egress (different filtering rules).
Advantages                  Disadvantages
• Faster                    1. Blind to application data
• Less complicated          2. Stateless, hence not suitable for application layer protocols
• Efficiency



Stateful packet filter / circuit level

• Adds state to the packet filter firewall.
• Keeps track of TCP connections and remembers UDP connections.
• Keeps track of ongoing connections.



Advantages                                              Disadvantages
• Faster than application layer firewall                1. Slower than packet filtering firewall, as more processing is required
• More secure than packet filter firewall               2. Cannot perform security checks on higher level protocols
• Protects against spoofing of packets, TCP ACK scan
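The "TCP ACK scan" entry in the table deserves a concrete illustration: a stateless packet filter that wants to let replies to outbound connections back in can only key on the ACK bit (the old "established" rule), so any inbound segment with ACK set passes it, whether or not a connection exists. A stateful filter remembers the connections opened from inside and admits inbound segments only when they match one. The two filters below, the Packet record and the sample traffic are an added example written for this note, not code from the slides or from any firewall product.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str        # "out" = LAN to Internet, "in" = Internet to LAN
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP flag names, e.g. frozenset({"SYN", "ACK"})


def stateless_filter(pkt):
    """Classic packet-filter ACL: permit everything outbound; permit inbound TCP
    only when the ACK bit is set, because a stateless filter cannot know which
    connections really exist."""
    if pkt.direction == "out":
        return "permit"
    return "permit" if "ACK" in pkt.flags else "drop"


class StatefulFilter:
    """Circuit-level filter: remembers connections opened from the inside and
    admits inbound segments only when they belong to one of them."""

    def __init__(self):
        self.connections = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def check(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == {"SYN"}:
                self.connections.add(key)          # new connection from the LAN
            if key not in self.connections:
                return "drop"                      # outbound but not a known connection
            if "FIN" in pkt.flags or "RST" in pkt.flags:
                self.connections.discard(key)      # connection is closing
            return "permit"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.connections:
            return "drop"                          # unsolicited inbound segment
        if "RST" in pkt.flags:
            self.connections.discard(key)
        return "permit"


F = frozenset
# Constructed traffic as seen at the border, in arrival order.
SAMPLE_TRAFFIC = [
    Packet("out", "10.0.0.5", 40000, "198.51.100.7", 443, F({"SYN"})),         # LAN host opens HTTPS
    Packet("in",  "198.51.100.7", 443, "10.0.0.5", 40000, F({"SYN", "ACK"})),  # server answers
    Packet("in",  "198.51.100.7", 443, "10.0.0.5", 40001, F({"ACK"})),         # unsolicited ACK probe
    Packet("in",  "198.51.100.7", 22,  "10.0.0.5", 22,    F({"SYN"})),         # unsolicited SYN
]


def compare_filters(traffic=SAMPLE_TRAFFIC):
    """Return [(stateless_verdict, stateful_verdict), ...], one pair per packet."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.check(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE_TRAFFIC, compare_filters()):
        print(pkt.direction, pkt.src, pkt.sport, "->", pkt.dst, pkt.dport,
              sorted(pkt.flags), verdicts)
```

The third packet is the whole point: the stateless filter permits it (ACK is set) and the host behind it will answer with an RST, which tells the sender the port is reachable through the filter; the stateful filter drops it because no inside host ever opened port 40001 to that server. The cost is the connection table itself, which is the "more processing" in the table above and also a resource an attacker can try to exhaust, so real firewalls cap and age its entries.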



Application Proxy
• Advantages:
  • Processes packets all the way up to the application layer.
  • Is able to verify that a packet appears to be legitimate and that the data inside the packet is safe.
  • Has a complete view of connections and application data.
  • Is able to filter bad data at the application layer (viruses) and filter bad packets at the transport layer.
• Disadvantages:
  • Slow, thus leading to degradation in performance.



IDS: Intrusion Detection System
• Intrusion detection is the process of monitoring the events occurring in a computer system or network.
• 2 methods of ID:
  • Signature-based IDSs: detect attacks based on known signatures or patterns (similar to signature-based virus detection).
  • Anomaly-based IDSs: attempt to define a baseline, or normal, behaviour of a system and provide a warning whenever the system strays too far from the baseline.
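The two detection methods side by side over the same input, as an added example that is not part of the slides: a signature detector matches each request path against a small list of known bad patterns, while an anomaly detector learns per-client request counts from a quiet minute and flags any client that later exceeds mean plus three standard deviations. The access-log format, the client addresses, the signature list and the traffic are all constructed for this note; the point is that each method catches something the other misses.

```python
import re
from collections import Counter
from statistics import mean, pstdev


def build_sample_log():
    """Constructed web-server access log, one line per request:
    '<seconds> <client_ip> <method> <path> <status>'."""
    lines = []
    # Baseline minute (0-59 s): three internal clients browsing at a normal pace.
    for i in range(4):
        lines.append(f"{i * 10} 10.0.0.1 GET /index.html 200")
    for i in range(5):
        lines.append(f"{i * 10 + 2} 10.0.0.2 GET /about.html 200")
    for i in range(6):
        lines.append(f"{i * 9 + 4} 10.0.0.3 GET /news.html 200")
    # Observation minute (60-119 s): same clients, plus one burst and one probe.
    for i in range(7):
        lines.append(f"{60 + i * 8} 10.0.0.1 GET /index.html 200")
    for i in range(5):
        lines.append(f"{61 + i * 10} 10.0.0.2 GET /about.html 200")
    for i in range(30):
        lines.append(f"{62 + i} 203.0.113.9 GET /login.php 200")
    lines.append("70 198.51.100.4 GET /cgi-bin/../../etc/passwd 404")
    return sorted(lines, key=lambda l: int(l.split()[0]))


# Hypothetical signature list: (name, pattern applied to the request path).
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sqli-probe", re.compile(r"(?i)union\s+select")),
]


def parse(line):
    ts, ip, method, path, status = line.split()
    return int(ts), ip, method, path, int(status)


def signature_detect(lines, signatures=SIGNATURES):
    """Signature-based: flag any request whose path matches a known bad pattern."""
    hits = []
    for line in lines:
        ts, ip, _, path, _ = parse(line)
        for name, rx in signatures:
            if rx.search(path):
                hits.append((ts, ip, name))
    return hits


def anomaly_detect(baseline_lines, observed_lines, k=3.0):
    """Anomaly-based: learn per-client request counts from a quiet period, then
    flag clients whose count in the observed period exceeds mean + k * stdev."""
    base = Counter(parse(l)[1] for l in baseline_lines)
    threshold = mean(base.values()) + k * pstdev(base.values())
    obs = Counter(parse(l)[1] for l in observed_lines)
    return [(ip, n, round(threshold, 2)) for ip, n in obs.items() if n > threshold]


def run_demo():
    """Return (signature_hits, anomaly_hits) for the constructed log."""
    log = build_sample_log()
    baseline = [l for l in log if parse(l)[0] < 60]
    observed = [l for l in log if parse(l)[0] >= 60]
    return signature_detect(log), anomaly_detect(baseline, observed)


if __name__ == "__main__":
    sigs, anomalies = run_demo()
    print("signature hits:", sigs)        # the single traversal request
    print("anomaly hits  :", anomalies)   # the 30-request burst from 203.0.113.9
```

The burst client never sends anything a signature would match, and the traversal probe is a single request whose count is well inside the baseline, so each detector finds exactly one of the two events. That is the practical argument for running both, and the anomaly threshold (7.45 here, from a baseline of 4, 5 and 6 requests) shows why the baseline period must be representative: a noisier baseline raises the threshold and hides smaller bursts.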
Architectures for IDSs
• Host-based IDS
  • Applies detection methods to activities occurring on the host.
  • Designed to detect attacks such as buffer overflow.
  • Has little or no view of network activities.
• Network-based IDS
  • Applies detection methods to network traffic.
  • Designed to detect attacks such as DoS, malformed packets.
  • May have some overlap with firewalls.
  • Has little or no direct view of host-based attacks.



FIREWALL vs IDS

Firewall: A firewall is hardware and/or software which functions in a networked environment to block unauthorized access while permitting authorized communications.
IDS: An Intrusion Detection System (IDS) is a software or hardware device installed on the network (NIDS) or host (HIDS) to detect and report intrusion attempts to the network.

Firewall: A firewall can block unauthorized access to the network (e.g. a watchman standing at the gate can block a thief).
IDS: An IDS can only report an intrusion; it cannot block it (e.g. a CCTV camera which can alert about a thief but cannot stop it).

Firewall: A firewall cannot detect security breaches for traffic that does not pass through it (e.g. a gateman can watch only the front gate; he is not aware of wall-jumpers).
IDS: An IDS is fully capable of internal security by collecting information from a variety of system and network resources and analyzing the symptoms of security problems.

Firewall: A firewall doesn't inspect the content of permitted traffic (a gateman will never suspect an employee of the company).
IDS: An IDS keeps a check on the overall network.

Firewall: No man-power is required to manage a firewall.
IDS: An administrator (man-power) is required to respond to threats issued by the IDS.

Firewall: Firewalls are the most visible part of a network to an outsider; hence they are more vulnerable to being attacked first (a gateman will be the first person attacked by a thief!).
IDS: IDSs are very difficult to spot in a network (especially in stealth mode).



Honeypots
• Modern IDSs use honeypots.
• Detect malicious traffic by appearing as an attractive target to attackers.
• Worms that exploit these applications are attracted to the honeypots (just as nectar attracts bees).
• Once malware enters the honeypot, carefully designed software in the honeypot inspects the malware.
• Honeypots attempt to study which applications are targeted, where the attack sources are and what the worm signatures are.



• Designed to do the following:
  • Divert the attention of the intruder from critical systems.
  • Collect information about the intruder's actions.
  • Provide encouragement to the intruder to stay for some time, allowing the admin to detect this and swiftly act on it.



• Honeypots are designed with the following goals:
  • Make them look like real-life systems.
  • Put as much real-looking (but fabricated) information into them as possible.
  • Do not allow any legitimate users to know about or access them.
  • Anyone trying to access a honeypot is a potential intruder.
  • Honeypots are armed with sensors and loggers, which alert the administrators.

