Classical Network Attacks (5).pdf

Full Transcript

Introduction to Information Security
Unit 4 - Week 11 – Classical Network Attacks
1

Unit 4 Learning Objectives
• Demonstrate the vulnerabilities in computer networks.
• Define the classical network attacks.
• Present solutions to prevent or reduce network attacks.

2

Activity
• In pairs and based on your personal experience, list what you
believe to be the current, most popular network attacks.
• Individually, search the internet to confirm and expand your
answer to the previous question.
• Retain your answers and compare them at the end of the
lecture with what is presented here later on.

3

Classical Network Attacks
Threats in Transit
• Network Interface Card (NIC) re-configuration.

4

Classical Network Attacks
Threats in Transit
• Network Interface Card (NIC) re-configuration.
o Every NIC of every host in a network is uniquely identified
by a hardware address (MAC address).
o The NIC is programmed to accept packets destined only to:
▪ its own hardware address.
▪ its group’s multicast hardware address.
▪ the broadcast hardware address.

5

Classical Network Attacks
Threats in Transit
What would an intruder do regarding the Network Interface card to
get access to other hosts’ packets?
1. Network Interface Card (NIC) re-configuration by re-programming
the NIC with the hardware address of another host computer in
the network.
2. Such , that the intruder accepts packets destined to the other
host.
3. The intruder sends a copy of that packet back out to the network
to avoid being caught.
6

Classical Network Attacks
Threats in Transit - Wiretapping
o It is the process of extracting data as it flows through the
wire.
o There are different methods of wiretapping, depending on
the medium type.
o In cables, it is done through a packet sniffer or through
inductance.

7

Classical Network Attacks
Threats in Transit - Wiretapping
o Wireless signals use the air medium and therefore are more
susceptible for tapping.
o Microwave signals are fairly wide. The wider they are the
easiest it is to interfere with the line of sight.
o In satellite communications there is also a trade-off between
coverage and security.

8

Classical Network Attacks
Threats in Transit - Wiretapping
• A solution to wiretapping, when a cable is present, is the use of
optical fibre.
o Made of thin glass strands, carry light pulses over long
distances, not affected much by interference.
o Optical fibres are more secure because:
▪ they are fine tuned to achieve total internal reflection.
▪ they carry light and not electrical signals. Inductance is
not possible.

9

Classical Network Attacks
TCP Session Hijacking
Research how TCP and its features, Remember the numbering of TCP
packets.
In pairs groups of 2 demonstrate how packets are exchanged
between hosts in a TCP session

10

Classical Network Attacks
TCP Session Hijacking
• The attacker takes over an already established TCP session.
• Then injects packets into the stream.
• These packets are received at the other end as if they are
coming from the authentic owner of the TCP session.

11

Classical Network Attacks
TCP Session Hijacking
• First, the attacker has to de-synchronize the TCP session.

12

Classical Network Attacks
TCP session de-synchronization.
• Predict the sequence number that is about to be used by the
client.
• How can an attacker predict the sequence number?
• Use this sequence number and inject a packet before the client.
• The server will send an ACK (acknowledgment) back to the client to
confirm the reception of the injected packet.
• The ACK sequence number is not expected by the client.
• The client will attempt to re-synchronize with the server. It will
send an ACK with the sequence number that it is expecting.
• The server receives the ACK, but the sequence number is not
expected and will resend its last ACK packet.
13

Classical Network Attacks
TCP Session Hijacking
• This cycle continues and
creates a TCP ACK storm.
• What will happen if the
attacker injects another
packet?

14

Classical Network Attacks
Man in the Middle (MITM)
• With MITM an attacker can read, modify and
inserts messages between 2 hosts.
• Neither of the 2 hosts knows that the link
between them is compromised.
• An example of an MITM attack on public-key
cryptography is presented in the next slide.
•
•
•
•
•
•
•
•

A and B are the 2 hosts. M is the attacker.
M can intercept the communication channel between A and B.
B sends its public key to A, but M gets access to it.
M sends its own public key to A, claiming that this comes from B. A thinks this packets
comes from B.
Now M has access to both A’s and B’s public keys.
In addition, A believes that M’s key is B’s key and B believes that M’s key is A’s key.
M can now read and modify messages sent between A and B.
M can also insert new messages destined to either A or B claiming the other host’s 15

Classical Network Attacks
Smurf Attack

16

Classical Network Attacks
Smurf Attack
• An attacker sends a spoofed Echo-Request message to the
network’s broadcast address.
• The Echo-Request message contain the victim’s IP address as the
source address.
• Every host in the network receives the Echo-Request and replies
back to the source IP address with an Echo-Reply message.
• The victim is flooded with replies.
There are currently 2 solutions against Smurf attacks.
• Routers do not forward messages having as destination address
the broadcast IP address.
• Hosts do not reply to Echo-Request messages when they are 17
received as broadcast messages.

Classical Network Attacks
Traffic Redirection

18

Classical Network Attacks
Traffic Redirection
• An attacker first needs to compromise (get access and reconfigure) a router.
• The compromised router sends false route update messages to
all its neighbours.
• The messages contain the information that the source router
knows the shortest path to all networks on the Internet.\
• All neighbours, as they are programmed to look for shortest
paths to destination networks, will forward all their traffic to
the compromised router.
• The router will eventually get flooded with data from its
neighbours and start dropping them.
19
• The data packets never make it to their destinations.

Classical Network Attacks
Domain Names Service (DNS) attacks

20

Classical Network Attacks
Domain Names Service (DNS) attacks
• A DNS server is a machine that holds a table (DNS cache)
mapping the domain names to IP addresses.
• If the DNS server does not have a resolution for an IP address
in its cache it queries another DNS server higher up in the
hierarchy.
• DNS cache poisoning is an attack in which a DNS server is given
a false name – IP address mapping entry.
• While poisoned, the server affects hosts that query the specific
cache entry.
• In that way, the host contacts a ghost server, instead of the
21
intentioned, legitimate one.

Classical Network Attacks
• Distributed Denial of Service (DDoS)

22

Classical Network Attacks
Distributed Denial of Service (DDoS)
• In this type of attack hundreds or thousands of machines take
part in the attack.
• The attacker installs malicious software on the compromised
machines (zombies) and controls them for launching
coordinated attacks on victim sites.
It s aims are as follows:
• Exhaust the network bandwidth.
• Overwhelm a router’s processing capacity.
• Break network connectivity for the victims.
• To gain control of the future machines (called zombies) and
23
attack further systems.

Classical Network Attacks
Syn Flood Attack

24

Classical Network Attacks
Syn Flood Attack
• Remember the TCP connection establishment process.
• The server maintains a SYN_RECV queue to keep track of connection
requests.
• The server also sends back to the client requesting a connection a
SYN/ACK message.
• If the client does not ACK back, the request eventually times out and
is deleted.
• An attacker can launch a DDoS by sending several SYN connection
requests. Spoofed non existing IP addresses are used to represent
different, fake clients.
• The server sends back a SYN/ACK for every request and updates the
SYN_RECV queue.
25
• The attacker never sends back an ACK and the server gets filled up

Activity – Syn Flood Attack
In pairs since the connection requests sent by the attacker will
eventually time out, discuss why syn flood attacks are a threat?

26

Possible Answer – Syn Flood Attack
• Nothing can prevent the attacker from continuously sending
fake requests to the server.
• The server cache is constantly overloaded and full.
• Even if the attacks are short, whilst the server cache full, no
genuine users/clients can establish a TCP connection.

27

Unit 4 Summary What you should know
You should be able to:
• Demonstrate the vulnerabilities in computer networks.
• Define the classical network attacks.
• Present solutions to prevent or reduce network attacks.

For more information refer to the handout on attacks

28