Classical Network Attacks (5).pdf

Full Transcript

Introduction to Information Security
Unit 4 - Week 11 – Classical Network Attacks

Unit 4 Learning Objectives
• Demonstrate the vulnerabilities in computer networks.
• Define the classical network attacks.
• Present solutions to prevent or reduce network attacks.

Activity
• In pairs and based on your personal experience, list what you believe to be the current, most popular network attacks.
• Individually, search the internet to confirm and expand your answer to the previous question.
• Retain your answers and compare them at the end of the lecture with what is presented here later on.

Classical Network Attacks – Threats in Transit
• Network Interface Card (NIC) re-configuration.
  o Every NIC of every host in a network is uniquely identified by a hardware address (MAC address).
  o The NIC is programmed to accept packets destined only to:
    ▪ its own hardware address.
    ▪ its group's multicast hardware address.
    ▪ the broadcast hardware address.

Classical Network Attacks – Threats in Transit
What would an intruder do regarding the Network Interface Card to get access to other hosts' packets?
1. Network Interface Card (NIC) re-configuration by re-programming the NIC with the hardware address of another host computer in the network.
2. In this way, the intruder accepts packets destined to the other host.
3. The intruder sends a copy of that packet back out to the network to avoid being caught.

Classical Network Attacks – Threats in Transit - Wiretapping
o It is the process of extracting data as it flows through the wire.
o There are different methods of wiretapping, depending on the medium type.
o In cables, it is done through a packet sniffer or through inductance.

Classical Network Attacks – Threats in Transit - Wiretapping
o Wireless signals use the air medium and therefore are more susceptible to tapping.
o Microwave signals are fairly wide.
The wider they are, the easier it is to interfere with the line of sight.
o In satellite communications there is also a trade-off between coverage and security.

Classical Network Attacks – Threats in Transit - Wiretapping
• A solution to wiretapping, when a cable is present, is the use of optical fibre.
  o Made of thin glass strands, optical fibres carry light pulses over long distances and are not much affected by interference.
  o Optical fibres are more secure because:
    ▪ they are fine-tuned to achieve total internal reflection.
    ▪ they carry light and not electrical signals, so tapping by inductance is not possible.

Classical Network Attacks – TCP Session Hijacking
Research TCP and its features; remember the numbering of TCP packets. In pairs (groups of 2), demonstrate how packets are exchanged between hosts in a TCP session.

Classical Network Attacks – TCP Session Hijacking
• The attacker takes over an already established TCP session.
• Then injects packets into the stream.
• These packets are received at the other end as if they are coming from the authentic owner of the TCP session.

Classical Network Attacks – TCP Session Hijacking
• First, the attacker has to de-synchronize the TCP session.

Classical Network Attacks – TCP session de-synchronization
• Predict the sequence number that is about to be used by the client.
• How can an attacker predict the sequence number?
• Use this sequence number and inject a packet before the client.
• The server will send an ACK (acknowledgment) back to the client to confirm the reception of the injected packet.
• The ACK sequence number is not expected by the client.
• The client will attempt to re-synchronize with the server. It will send an ACK with the sequence number that it is expecting.
• The server receives the ACK, but the sequence number is not expected, and it will resend its last ACK packet.

Classical Network Attacks – TCP Session Hijacking
• This cycle continues and creates a TCP ACK storm.
• What will happen if the attacker injects another packet?
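As an added example (not from the slides), a toy Python model of the de-synchronisation and ACK storm described above, with a simple detection heuristic a defender could apply per flow; the sequence numbers and payload size are assumed values.

```python
"""Constructed model of the TCP de-synchronisation and ACK storm from the
slides. Sequence numbers (1000 / 5000) and the 10-byte payload are assumed."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    snd_nxt: int   # next sequence number this side will send
    rcv_nxt: int   # next sequence number this side expects to receive


def deliver(dst, seq, ack, payload, log):
    """Deliver a segment (seq, ack, payload bytes) to dst and return dst's
    reply segment, or None when nothing needs to be sent. In-order data is
    accepted and ACKed; a segment out of step with dst's own state makes
    dst re-send its current ACK, as a TCP endpoint does."""
    if seq == dst.rcv_nxt and payload > 0:
        dst.rcv_nxt += payload
        log.append(f"{dst.name} accepts {payload} bytes, now expects seq {dst.rcv_nxt}")
        return (dst.snd_nxt, dst.rcv_nxt, 0)
    if seq != dst.rcv_nxt or ack != dst.snd_nxt:
        log.append(f"{dst.name}: unexpected seq={seq} ack={ack}, resends ACK")
        return (dst.snd_nxt, dst.rcv_nxt, 0)
    return None   # consistent pure ACK: nothing more to send


def simulate_hijack(max_rounds=6):
    """The attacker injects 10 bytes using the client's predicted next
    sequence number. The ACK exchange that follows between the real client
    and the server never converges, so the loop is capped at max_rounds."""
    client = Endpoint("client", snd_nxt=1000, rcv_nxt=5000)
    server = Endpoint("server", snd_nxt=5000, rcv_nxt=1000)
    log = []
    # injected segment carries the sequence number the client was about to use
    reply = deliver(server, seq=client.snd_nxt, ack=server.snd_nxt, payload=10, log=log)
    dst, rounds = client, 0          # server's ACK goes to the real client
    while reply is not None and rounds < max_rounds:
        reply = deliver(dst, *reply, log=log)
        dst = server if dst is client else client
        rounds += 1
    return log, rounds


def ack_storm_suspected(log, threshold=4):
    """Detection heuristic: repeated pure-ACK retransmissions on one flow
    with no data progressing is the signature of an ACK storm."""
    return sum("resends ACK" in entry for entry in log) >= threshold
```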
Classical Network Attacks – Man in the Middle (MITM)
• With MITM an attacker can read, modify and insert messages between 2 hosts.
• Neither of the 2 hosts knows that the link between them is compromised.
• An example of an MITM attack on public-key cryptography is presented in the next slide.

• A and B are the 2 hosts. M is the attacker.
• M can intercept the communication channel between A and B.
• B sends its public key to A, but M gets access to it.
• M sends its own public key to A, claiming that this comes from B.
• A thinks this packet comes from B.
• Now M has access to both A's and B's public keys.
• In addition, A believes that M's key is B's key and B believes that M's key is A's key.
• M can now read and modify messages sent between A and B.
• M can also insert new messages destined to either A or B claiming the other host's

Classical Network Attacks – Smurf Attack
• An attacker sends a spoofed Echo-Request message to the network's broadcast address.
• The Echo-Request message contains the victim's IP address as the source address.
• Every host in the network receives the Echo-Request and replies back to the source IP address with an Echo-Reply message.
• The victim is flooded with replies.
There are currently 2 solutions against Smurf attacks.
• Routers do not forward messages having the broadcast IP address as destination address.
• Hosts do not reply to Echo-Request messages when they are received as broadcast messages.

Classical Network Attacks – Traffic Redirection
• An attacker first needs to compromise (get access and reconfigure) a router.
• The compromised router sends false route update messages to all its neighbours.
• The messages contain the information that the source router knows the shortest path to all networks on the Internet.
• All neighbours, as they are programmed to look for the shortest paths to destination networks, will forward all their traffic to the compromised router.
• The router will eventually get flooded with data from its neighbours and start dropping packets.
• The data packets never make it to their destinations.

Classical Network Attacks – Domain Name Service (DNS) attacks
• A DNS server is a machine that holds a table (DNS cache) mapping domain names to IP addresses.
• If the DNS server does not have a resolution for a name in its cache, it queries another DNS server higher up in the hierarchy.
• DNS cache poisoning is an attack in which a DNS server is given a false name-to-IP-address mapping entry.
• While poisoned, the server affects hosts that query the specific cache entry.
• In that way, the host contacts a ghost server instead of the intended, legitimate one.

Classical Network Attacks – Distributed Denial of Service (DDoS)
• In this type of attack hundreds or thousands of machines take part in the attack.
• The attacker installs malicious software on the compromised machines (zombies) and controls them for launching coordinated attacks on victim sites.
Its aims are as follows:
• Exhaust the network bandwidth.
• Overwhelm a router's processing capacity.
• Break network connectivity for the victims.
• Gain control of further machines (called zombies) and attack further systems.

Classical Network Attacks – SYN Flood Attack
• Remember the TCP connection establishment process.
• The server maintains a SYN_RECV queue to keep track of connection requests.
• The server also sends a SYN/ACK message back to the client requesting a connection.
• If the client does not ACK back, the request eventually times out and is deleted.
• An attacker can launch a DDoS by sending several SYN connection requests. Spoofed, non-existing IP addresses are used to represent different, fake clients.
• The server sends back a SYN/ACK for every request and updates the SYN_RECV queue.
• The attacker never sends back an ACK and the server's queue gets filled up.

Activity – SYN Flood Attack
In pairs: since the connection requests sent by the attacker will eventually time out, discuss why SYN flood attacks are a threat.

Possible Answer – SYN Flood Attack
• Nothing can prevent the attacker from continuously sending fake requests to the server.
• The server cache is constantly overloaded and full.
• Even if the attacks are short, whilst the server cache is full, no genuine users/clients can establish a TCP connection.

Unit 4 Summary – What you should know
You should be able to:
• Demonstrate the vulnerabilities in computer networks.
• Define the classical network attacks.
• Present solutions to prevent or reduce network attacks.
For more information refer to the handout on attacks.
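As an added example (not from the slides), a small Python model of the public-key substitution exchange described on the MITM slide (A, B and M), together with an out-of-band fingerprint comparison as the check that exposes the substitution; the host names, key bytes and channel are constructed assumptions.

```python
"""Constructed model of the MITM key substitution from the slides: A and B
exchange public keys over a channel that M controls. Keys are labelled
bytes, not real key material; the side channel is assumed authenticated."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Host:
    name: str
    pubkey: bytes
    known: dict = field(default_factory=dict)   # peer name -> key received


def fingerprint(key: bytes) -> str:
    """Short hash a person could read out over the phone or print on a card."""
    return hashlib.sha256(key).hexdigest()[:16]


class Channel:
    """Channel between A and B. When `attacker` (M) is set, M records each
    real key in transit and forwards its own key in its place."""
    def __init__(self, attacker: Optional[Host] = None):
        self.attacker = attacker
        self.captured = {}           # what M has learned: name -> real key

    def send_key(self, src: Host, dst: Host):
        key = src.pubkey
        if self.attacker is not None:
            self.captured[src.name] = key    # M now holds src's real key
            key = self.attacker.pubkey       # dst receives M's key instead
        dst.known[src.name] = key            # dst believes this is src's key


def verify_out_of_band(a: Host, b: Host) -> bool:
    """Compare fingerprints over the assumed authenticated side channel.
    True only if the key each side holds for its peer is really the peer's."""
    return (fingerprint(a.known[b.name]) == fingerprint(b.pubkey)
            and fingerprint(b.known[a.name]) == fingerprint(a.pubkey))


def run(with_attacker: bool):
    """Perform the B->A then A->B key exchange and return (check passed, M's loot)."""
    a, b = Host("A", b"pubkey-of-A"), Host("B", b"pubkey-of-B")
    m = Host("M", b"pubkey-of-M") if with_attacker else None
    channel = Channel(m)
    channel.send_key(b, a)       # B sends its public key to A
    channel.send_key(a, b)       # A sends its public key to B
    return verify_out_of_band(a, b), channel.captured
```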
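As an added example (not from the slides), a Python simulation of the SYN_RECV queue under a SYN flood that supports the Possible Answer above: entries do time out, but the attacker refills the queue faster than it drains, so genuine clients are refused; the queue capacity, timeout and request rates are assumed values.

```python
"""Constructed simulation of a server's SYN_RECV queue (backlog) during a
SYN flood. Capacity, timeout and rates are assumed, time is in ticks."""
from collections import OrderedDict


class SynQueue:
    def __init__(self, capacity: int, timeout: int):
        self.capacity, self.timeout = capacity, timeout
        self.pending = OrderedDict()   # client addr -> tick its SYN arrived
        self.refused = 0

    def expire(self, now: int):
        """Half-open entries whose ACK never came are deleted after timeout."""
        for addr, t in list(self.pending.items()):
            if now - t >= self.timeout:
                del self.pending[addr]

    def syn(self, addr: str, now: int) -> bool:
        """Server receives a SYN: queue the half-open entry and send SYN/ACK,
        unless the queue is already full."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[addr] = now
        return True

    def ack(self, addr: str) -> bool:
        """The client's ACK completes the handshake if its entry is queued."""
        return self.pending.pop(addr, None) is not None


def simulate(capacity=8, timeout=5, attack_rate=3, ticks=30, legit_every=4):
    """Spoofed sources never ACK; one genuine client tries every few ticks."""
    q = SynQueue(capacity, timeout)
    legit_ok = legit_fail = 0
    for now in range(ticks):
        for i in range(attack_rate):          # spoofed, non-existing sources
            q.syn(f"spoof-{now}-{i}", now)
        if now % legit_every == 0:            # a genuine client connects
            addr = f"client-{now}"
            if q.syn(addr, now) and q.ack(addr):
                legit_ok += 1
            else:
                legit_fail += 1
    return {"legit_ok": legit_ok, "legit_fail": legit_fail,
            "half_open_at_end": len(q.pending), "refused": q.refused}
```

With the defaults, the attacker's 3 SYNs per tick against a queue of 8 that drains only after 5 ticks keeps the queue full almost permanently; lowering the attack rate to 1 lets the timeout keep up and every genuine client succeeds.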
