Presentation is loading. Please wait.

Presentation is loading. Please wait.

NETWORK ATTACKS Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.

Published byReynard Watson Modified over 8 years ago

Similar presentations

Presentation on theme: "NETWORK ATTACKS Dr. Andy Wu BCIS 4630 Fundamentals of IT Security."— Presentation transcript:

1 NETWORK ATTACKS Dr. Andy Wu BCIS 4630 Fundamentals of IT Security

2 Overview Denial of service attacks –DoS and DDoS –Flood attacks –SYN flood Man-in-the-middle attack –ARP poisoning –IP spoofing 2

3 Denial of Service Attacks Denial-of-service (DoS): attacker sends large number of connection or information requests to a target. –Target system cannot handle other, legitimate service requests. –May result in system crash or inability to perform ordinary functions. Distributed denial-of-service (DDoS): coordinated stream of requests is launched against target from many locations simultaneously. 3

4 Types of DoS Voluntary DoS –Occurs when the administrator has allowed the system to perform a variety of services without considering the system’s limitations. Involuntary DoS –Takes place regardless of preparation and readiness by the administrator. –Usually is malicious.

5 Flood Attacks The basic approach to creating a DoS attack is to consume the limited resources of a computer or a network by transmitting a large number of packets as quickly as possible. A flood attack can occur under the following conditions: –Sending connection requests –Consuming the bandwidth –Consuming target’s local resources 5

6 SYN Flood Goal: to overwhelm the target with SYN packets. Works by taking advantage of the TCP three-way handshake. –The attacker initiates a connection with a SYN packet. –The target replies with a SYN/ACK packet. –The attacker doesn’t reply with an ACK packet. 6

7 SYN Flood The number of connections a system can support is finite. –Typically 128 to 1024 “slots” in the connection queue. Once the target sends the SYN/ACK response, it waits for the third step in the handshake to happen. –The timeout value often is > 1 min. by default. If the attacker sends requests faster than the time-out can eliminate them, the system is filled with requests. –SYN flood creates numerous half-open connections that take up “slots” in the queue. Once the queue is filled up, further requests will be dropped and legitimate users who want to connect to the target system will not be able to do so. 7

8 SYN Flood Many SYN flood tools send SYN packets using spoofed (fake) source address. –To hide the identity of the attacker. –If the address is used by a real host, the host whose address was spoofed will receive the SYN/ACK packet from the target. Since the host never initiated a connection, it will send a RST packet to the target to refuse a connection. The “half-open” connection will be shut down immediately, before timing out. –If the address is not assigned to a real host, the “half-open” connection will not be shut down until time-out is reached. –Thus attackers prefer bogus addresses. 8

9 Distributed Denial of Service A DoS attack implemented by staging a DoS attack against a target from multiple systems simultaneously. Takes advantage of the distributed nature of the Internet to create a massive flood of packets against the victim. The attacker first breaks into and gains control of a large number of machines (“zombies”, “bots”, or “agents”). The attacker installs zombie software (“daemon”) on the zombies. –Popular programs include: Tribe Flood Network (TFN), Trin00, Stacheldraht. Daemons on the zombies wait for commands from a master. 9

10 Botnets A bot is a program that surreptitiously installs itself on a computer so it can be controlled by an attacker. A botnet is a network of robot, or zombie, computers. –Can harness their collective power to do damage –Or send out huge amounts of junk e-mail 10

11 DDoS: Raising the Dead The attacker communicates with a small number of “masters” via control software (“client”) installed on those masters. The attacker uses the masters to summon the zombies to life and orders all the zombies to wage an attack simultaneously. –The commands are often issued into a shared IRC (Internet Relay Chat) channel used by all of the attacker’s zombies. When the zombies receive their masters’ command, they spring into action and conduct a DoS attack against the target. The two layers of communication (attacker-master, master- zombie) make it difficult to hunt down the attacker. 11

12 Distributed Denial of Service 12

13 Smurf The attacker sends an echo request packet to the broadcast address of a network, e.g., 132.170.255.255. –Directed broadcast can be initiated from within or outside the network. –When a packet coming from outside a local network is addressed to the network’s broadcast address, the packet is also sent to every machine on the network. The source address of the packet is spoofed and belongs to the target. All other hosts on network will reply with an echo reply packet and send it to the target’s address, inundating the target. 13

14 Fraggle Similar to a smurf attack, but uses UDP instead of ICMP. Sends packets to a broadcast address with a destination UDP port set to: –A service that will generate a response, e.g., echo service (Port 7). When the hosts on the network receive the packet, they will send back a response containing exactly the same data they received. –A closed port. Many systems will respond with an ICMP Port Unreachable message. In both cases, the target will receive packets from all the hosts on the network. 14

15 Man-in-the-Middle Attacks Man-in-the-middle: attacker monitors network packets, modifies them, and inserts them back into network. It is technically possible for the attacker to control what data are sent between the two hosts. Can be achieved by ARP poisoning. –The attacker sets up two NICs and sends packets to each host, falsely notifying the host of the other host’s MAC address, which in fact belongs to one of the attacker’s NICs. 15

16 ARP Poisoning Computers resolve IP addresses to MAC addresses using ARP. –The IP-MAC mappings are stored in the ARP cache for a limited amount of time. After it times out, a record is deleted from the cache. Resolution has to be done again if a packet needs to go to that IP. –Computers welcome unsolicited updates of the mappings (just like websites and the postal services welcome your unsolicited update on your address). 16

17 ARP Poisoning An attacker can “poison” a computer’s ARP cache by sending it a bogus record mapping a target’s IP address to the attacker’s MAC address. Packets going from the “duped” computer to the target then will be sent to the attacker. 17

18 IP Address Spoofing TCP/IP doesn’t have a mechanism to prevent the insertion of a fake source IP address. An attacker can make packets look like they are from a different host than the real originator. –Helpful for attackers who don’t want to have their actions traced back. Often used to “impersonate” another (authenticated) host to get around authentication. –A Dos attack usually is waged against the real McCoy so that the other party of the communication (the attack target) won’t be alerted. 18

19 IP Address Spoofing If the attacker’s purpose simply is to obfuscate investigation by faking her identity, such as in the cases of spamming or in a DoS attack, spoofing is relatively easy. The goal is to change the “source IP address” field in the header (blind spoofing). This can be done by: –Changing NIC properties (Windows) or ifconfig (*nix) command. –Packet crafting tools like Hping2, Nemesis, and NetDude. Works fine when the attacker doesn’t expect a response from the target. Won’t work if the attacker desires an interactive session with the target. 19

Download ppt "NETWORK ATTACKS Dr. Andy Wu BCIS 4630 Fundamentals of IT Security."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Umut Girit 200535027.  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
Internet Threats Denial Of Service Attacks “The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about.

Internet Threats Denial Of Service Attacks “The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.

Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.

Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Analysis of Attack By Matt Kennedy. Different Type of Attacks o Access Attacks o Modification and Repudiation Attacks o DoS Attacks o DDoS Attacks o Attacks.

Analysis of Attack By Matt Kennedy. Different Type of Attacks o Access Attacks o Modification and Repudiation Attacks o DoS Attacks o DDoS Attacks o Attacks.

Similar presentations

Ads by Google