CSE 477: Introduction to
Computer Security
Lecture – 17: Networking Security - 1
Course Teacher: Dr. Md Sadek Ferdous
Assistant Professor, CSE, SUST
E-mail: ripul.bd@gmail.com
Outline
• Networking background
• Passive Attacks
• Sniffing
• Scanning
• Active Attacks
• Spoofing
• TCP Session Hijacking
• DoS/DDoS
• DNS Cache Poisoning
Data networking
• Networks: a set of interconnected nodes exchanging information
• Sharing of the transmission circuits via circuit/packet “switching”
• Packet switching becoming more popular for data transmission
• Links allow more than one path between every 2 nodes
• Network must select an appropriate path for each required connection
Internet architecture – layered approach
A simplifying example using Air Travel: air travel is organized into layers
departure airport | arrival airport | layer
ticket (purchase) | ticket (complain) | ticket
baggage (check) | baggage (claim) | baggage
gates (load) | gates (unload) | gate
runway takeoff | runway landing | takeoff/landing
airplane routing | airplane routing | airplane routing
§ layers: each layer implements a service
§ via its own internal-layer actions
§ relying on services provided by layer below
Internet architecture – OSI/TCP-IP layer model
Application
Transport
Network
Link
Physical Layer (Ethernet, Wi-Fi, Fiber Optics)
Internet packet encapsulation
Application Layer: Message (what you care about)
Transport Layer: Segment = Segment Header + Segment Data
Network Layer: Packet = Packet Header + Packet Data
Link Layer: Frame = Frame Header + Frame Data + Frame Footer (what gets sent)
Internet packet encapsulation
source: application: message M → transport: segment Ht M → network: datagram Hn Ht M → link: frame Hl Hn Ht M → physical
switch: link: Hl Hn Ht M ↔ physical
router: network: Hn Ht M; link: Hl Hn Ht M; physical
destination: physical → link: Hl Hn Ht M → network: Hn Ht M → transport: Ht M → application: M
Internet protocol stack
• Application: supporting network applications - FTP, SMTP, HTTP
• Transport: process-process data transfer - TCP, UDP
• Network: routing datagrams - IP, routing protocols
• Link: data transfer between neighbouring network elements - PPP, Ethernet
• Physical: bits “on the wire”
Types of Attack
• Active attack
• enables an attacker to modify, misconfigure or disrupt a target
• e.g. modifying a process, system or data; disrupting a communication channel and so on
• Passive attack
• allows an attacker to observe a target without modifying it
Types of Threat
• Interception – Passive attack
• Unauthorised viewing of information (Confidentiality)
• Modification – Active attack
• Unauthorized changing of information (Integrity)
• Fabrication – Active attack
• Unauthorised creation of information (Integrity)
• Interruption – Active attack
• Preventing authorized access (Availability)
Passive Attacks
• Eavesdropping (Sniffing)
• Listen to packets from other parties
• Footprinting (Network Mapping)
• Test to determine/acquire information (e.g. software installed) on the target system
Man In The Middle (MITM) Attack
(Figure: Your Computer (Alice) – The Internet – Website Server (Bob); Charlie sits in the middle)
• Charlie is in the middle between Alice and Bob
• Charlie can:
• View traffic
• Change traffic
• Add traffic
• Delete traffic
• Charlie could be:
• Internet service provider
• Virtual Private Network (VPN) provider
• WIFI provider such as a coffee shop
• An attacker re-routing your connection
Man In The Middle (MITM) Scenario
(Figure: Your Computer (Alice) – The Internet (Level Three, Verizon, Comcast) – Destination Server)
Alice goes to her favorite coffee shop and tries to visit BBC News
Packet Sniffing
• Packet sniffing enables “reading” information traversing a network
• Packet sniffers intercept network packets, possibly using ARP cache poisoning
• Can be used as legitimate tools to analyse a network
• Monitor network usage
• Filter network traffic
• Analyse network problems
• Can also be used maliciously
• Steal information (i.e. passwords, conversations, etc.)
• Analyse network information to prepare an attack
• Packet sniffers (tools used for packet sniffing) can be either software or hardware based
• Sniffers are dependent on network setup
… attacker to examine all data transmitted over a particular network segment, potentially recovering sensitive information such as passwords and other data. Combined with network analysis tools such as Wireshark, this data can be extracted from the raw packets. (See Figure 13.)
Detecting Sniffers
• Sniffers are almost always passive
• They simply collect data
• This can make them extremely hard to detect
• A solution on switched hubs is ARP watch
• An ARP watch monitors the ARP cache for duplicate entries of a machine
• If such duplicates appear, raise an alarm – Problem: false alarms
• Specifically, DHCP networks can have multiple entries for a single machine
Stopping Sniffers
• The best way is to encrypt packets securely
• Sniffers can capture the packets, but they are meaningless
• Capturing a packet is useless if it just reads as garbage
• SSH is also a much more secure method of connection
• Private/Public key pairs make sniffing virtually useless
• On switched networks, almost all attacks will be via ARP spoofing
• Add machines to a permanent store in the cache
• This store cannot be modified via a broadcast reply
• Thus, a sniffer cannot redirect an address to itself
Footprinting (Scanning)
• Footprinting is often the first phase of an attack, in which the attacker gains information about a potential target
• Via scanning, an attacker can discover more about the target system
• such as what operating system is used
• what services are running, and
• whether or not there are any configuration lapses in the target system
• Types of Scanning
• Network scanning - IP addresses
• Port scanning - Open ports and services
• Vulnerability scanning - Presence of known weaknesses
Objectives of Scanning
• Discovering live hosts and IP addresses of live hosts running on the network
• Discovering open ports:
• Open ports are the best means to break into a system or network
• Detecting the associated network service of each port
• Discovering operating systems and system architecture of the targeted system:
• This is also referred to as fingerprinting
• Here the attacker will try to launch the attack based on the operating system's vulnerabilities
Network Scanning – Non-targeted Host
• ICMP Scanning via ping
• to determine which hosts in a network are up by pinging them all
• Ping scan involves sending ICMP ECHO requests to a host
• If the host is live, it will return an ICMP ECHO reply
• This scan is useful for locating active devices or determining if ICMP is passing through a firewall
Figure 3.2: ICMP Query Diagram – Source (192.168.168.3) sends an ICMP Echo Request; Destination (192.168.168.5) returns an ICMP Echo Reply. Also shown: Ping Scan Output Using Nmap. (Figures from Ethical Hacking and Countermeasures, Exam 312-50 Certified Ethical Hacker, Scanning Networks)
The slide also reproduces the usage text of an ICMP query tool, where <query> is one of: -t: icmp timestamp request (default); -m: icmp address mask request; -d: delay to sleep between packets, in microseconds; -T: specifies the number of seconds to wait for a host to respond, default 5. A target is a list of hostnames or addresses.
Scanning Methods – Ping Sweep
• Ping Sweep is a basic network scanning technique to determine which range of IP addresses map to live hosts (computers)
• There are lots of tools available for scanning
• nmap is the most widely used tool available for this
Figure 3.4: Ping Sweep Diagram – Source (192.168.168.3) sends an ICMP Echo Request to each of 192.168.168.5, 192.168.168.6, 192.168.168.7 and 192.168.168.8; the live hosts answer with an ICMP Echo Reply. (Figure from Ethical Hacking and Countermeasures, Exam 312-50, Scanning Networks)
TCP/IP Packet
Network Scanning – Targeted Host
• Use DNS to determine the IP address of a known server
• Remember the nslookup command!
Port Scanning
• Once the IP address of the target is found, use the port scanning method to determine which ports are open in the host
• Remember, ports are like doors of a house
• Port scanning resembles knocking the doors to check which one is open
• Some are well known open ports: web server: 80, FTP: 21, SMTP: 25
• However, some other ports also remain open for different applications
• There are tools for checking an open port:
• nmap!
Figure: Port scan – An attacker is looking for applications listening on ports. A single IP address (right) is contacting many ports (left) to see if any respond. Image: http://chrislee.dhs.org/projects/visualfirewall.html
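As an added example (not from the lecture) of how a defender sees the ping sweep and port scan described above: this Python script parses constructed firewall-style log lines and flags a source that probes many distinct ports on one host within a short window (port scan), or sends ICMP echo to many distinct hosts (ping sweep). The log format, the addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall-style log lines (not from the lecture): time proto src -> dst[:port]
SAMPLE_LOG = """\
10:00:01 TCP 203.0.113.7 -> 192.168.1.10:22
10:00:01 TCP 203.0.113.7 -> 192.168.1.10:80
10:00:02 TCP 203.0.113.7 -> 192.168.1.10:443
10:00:02 TCP 203.0.113.7 -> 192.168.1.10:21
10:00:03 TCP 203.0.113.7 -> 192.168.1.10:25
10:00:05 ICMP 203.0.113.9 -> 192.168.1.5
10:00:05 ICMP 203.0.113.9 -> 192.168.1.6
10:00:06 ICMP 203.0.113.9 -> 192.168.1.7
10:00:07 TCP 198.51.100.4 -> 192.168.1.10:443
10:00:30 TCP 198.51.100.4 -> 192.168.1.10:443
"""
LINE_RE = re.compile(r"(\d\d):(\d\d):(\d\d) (TCP|UDP|ICMP) (\S+) -> (\S+?)(?::(\d+))?$")

def parse(log):
    """Yield (seconds, proto, src, dst, port-or-None) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            h, mi, s, proto, src, dst, port = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s), proto, src, dst, port and int(port)

def distinct_in_window(hits, window):
    """Largest number of distinct values seen within any `window`-second span."""
    hits = sorted(hits)
    return max(len({v for t, v in hits[i:] if t - t0 <= window}) for i, (t0, _) in enumerate(hits))

def detect_scans(log, window=10, port_threshold=5, host_threshold=3):
    """Flag a source as 'port scan' if it probes >= port_threshold distinct ports on one
    host, or 'ping sweep' if it sends ICMP echo to >= host_threshold distinct hosts."""
    ports = defaultdict(list)   # (src, dst) -> [(t, port)]
    hosts = defaultdict(list)   # src -> [(t, dst)]
    for t, proto, src, dst, port in parse(log):
        if proto == "ICMP":
            hosts[src].append((t, dst))
        elif port is not None:
            ports[(src, dst)].append((t, port))
    alerts = {}
    for (src, dst), hits in ports.items():
        if distinct_in_window(hits, window) >= port_threshold:
            alerts[src] = "port scan"
    for src, hits in hosts.items():
        if distinct_in_window(hits, window) >= host_threshold:
            alerts[src] = "ping sweep"
    return alerts
```

The repeated connection from 198.51.100.4 to port 443 is not flagged, because the signal is the number of distinct ports or hosts, not the number of packets.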
Active Attacks
• Spoofing
• ARP Spoofing
• IP Spoofing
• TCP Session Hijacking
• DoS/DDoS
• DNS Cache Poisoning
ARP
• A wants to send a datagram to B, having B’s IP address
• B’s MAC address not in A’s ARP table
• A broadcasts ARP query packet, containing B's IP address
• Dest MAC address = FF-FF-FF-FF-FF-FF
• All nodes on LAN receive ARP query packet
• B receives ARP packet, replies to A with its (B's) MAC address
• Frame sent to A’s MAC address (unicast)
ARP Spoofing
• The ARP protocol is simple and effective, but it lacks an
authentication scheme
• Any computer on the network could claim to have the requested IP
address
• In fact, any machine that receives an ARP reply, even if it was not
preceded by a request, will automatically update its ARP cache with
the new association
• Because of this shortcoming, it is possible for malicious parties on a
LAN to perform the ARP spoofing attack
ARP Spoofing
Figure 8: ARP spoofing enables a man-in-the-middle attack: (a) Before the ARP spoofing attack. (b) After the attack.
(a) Before ARP spoofing: two hosts, 192.168.1.1 (MAC 00:11:22:33:44:01, on the Internet side) and 192.168.1.105 (MAC 00:11:22:33:44:02), labelled Alice and Bob in the figure. ARP replies: “192.168.1.1 is at 00:11:22:33:44:01” and “192.168.1.105 is at 00:11:22:33:44:02”. ARP caches: 192.168.1.105 → 00:11:22:33:44:02 on one side, 192.168.1.1 → 00:11:22:33:44:01 on the other. Data flows directly between the two hosts.
(b) After ARP spoofing: Eve (IP 192.168.1.106, MAC 00:11:22:33:44:03) sends “192.168.1.105 is at 00:11:22:33:44:03” to one host and “192.168.1.1 is at 00:11:22:33:44:03” to the other. Poisoned ARP caches: 192.168.1.105 → 00:11:22:33:44:03 and 192.168.1.1 → 00:11:22:33:44:03. Data now flows through Eve.
ARP Spoofing – mitigation
• ARP spoofing can occur because of its lack of identity verification in the
Internet’s underlying mechanisms
• Fortunately, there are several means of preventing ARP spoofing, besides
restricting LAN access to trusted users
• One simple technique involves checking for multiple occurrences of the
same MAC address on the LAN
• Usually, one MAC address should belong to one device. Multiple occurrences of the same MAC address imply that the address might be spoofed
• Another solution:
• Static ARP table configured by the admin in different routers/switches in the network
• However, it is inconvenient
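The ARP watch from the “Detecting Sniffers” slide and the two mitigations above (flagging one MAC that answers for several IPs, and static entries that no reply may overwrite) can be combined in one monitor. This is an added example in Python, not code from the lecture; it replays the lecture’s Figure 8 addresses, and the assumption that the admin has pinned the gateway 192.168.1.1 statically is mine.

```python
from dataclasses import dataclass, field

@dataclass
class ArpWatch:
    """ARP watch: learns IP -> MAC bindings from ARP replies and raises alarms on
    conflicting claims. Admin-pinned static entries are never overwritten."""
    static: dict = field(default_factory=dict)    # ip -> mac pinned by the admin
    cache: dict = field(default_factory=dict)     # ip -> mac learned from replies
    dhcp_pool: set = field(default_factory=set)   # IPs that DHCP legitimately reassigns

    def observe(self, ip, mac):
        """Process one ARP reply 'ip is at mac'; return a list of alarm strings."""
        mac = mac.lower()
        alarms = []
        if ip in self.static:
            if self.static[ip] != mac:
                alarms.append(f"static binding violated: {ip} claimed by {mac}, pinned to {self.static[ip]}")
            return alarms            # pinned entries ignore any (unsolicited) reply
        old = self.cache.get(ip)
        if old is not None and old != mac:
            if ip in self.dhcp_pool:  # lease reuse: report, but at low severity (false-alarm source)
                alarms.append(f"info: {ip} moved from {old} to {mac} (DHCP pool, likely benign)")
            else:
                alarms.append(f"ARP cache change: {ip} moved from {old} to {mac}")
        # one MAC answering for several IPs is the classic ARP spoofing signature
        others = sorted(i for i, m in self.cache.items() if m == mac and i != ip)
        if others:
            alarms.append(f"duplicate MAC: {mac} claims {ip} and {', '.join(others)}")
        self.cache[ip] = mac
        return alarms

def replay_figure_8():
    """Replay Figure 8: Eve (MAC ...:03) answers for both 192.168.1.105 and 192.168.1.1.
    Assumption: the gateway 192.168.1.1 has been pinned statically by the admin."""
    w = ArpWatch(static={"192.168.1.1": "00:11:22:33:44:01"})
    log = []
    log += w.observe("192.168.1.105", "00:11:22:33:44:02")  # (a) genuine reply
    log += w.observe("192.168.1.105", "00:11:22:33:44:03")  # (b) Eve poisons the .105 entry
    log += w.observe("192.168.1.1", "00:11:22:33:44:03")    # (b) Eve targets the pinned gateway
    log += w.observe("192.168.1.106", "00:11:22:33:44:03")  # Eve's own address: same MAC, second IP
    return log
```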
IP Spoofing
• IP Spoofing is an attempt by an intruder to send packets from one IP address that appear to originate at another
• If the server thinks it is receiving messages from the real source after authenticating a session, it could inadvertently behave maliciously
Figure 12: How IP spoofing works. The source address in the header of an
(The figure shows the IPv4 header with the annotation “Over-write source address with a different IP address” pointing at the Source Address field.)
Bit Offset | 0-3 | 4-7 | 8-15 | 16-18 | 19-31
0 | Version | Header length | Service Type | Total Length
32 | Identification | Flags | Fragment Offset
64 | Time to Live | Protocol | Header Checksum
96 | Source Address
128 | Destination Address
160 | (Options)
160+ | Data
… structure before transmitting that data to the network. Such modification of the source address to something other than the sender’s IP address is called IP spoofing. (See Figure 12.) IP spoofing does not actually allow an attacker to assume a new IP address by simply changing packet headers, however, because his actual IP address stays the same.
IP Spoofing
• The TCP/IP protocol requires that “acknowledgement” numbers be sent across sessions
• Makes sure that the client is getting the server’s packets and vice versa
• Need to have the right sequence of acknowledgment numbers to spoof an IP identity
(Image of the TCP header: https://www.lifewire.com/thmb/uw63pSPbgC9daiNgY5aXwXxF2aE=/768x0/filters:no_upscale():max_bytes(150000):strip_icc():format(webp)/tcp-header-56a1adc85f9b58b7d0c1a24f.png)
TCP Packet Format
The format of a TCP packet is depicted in Figure 14. Note that it includes source and destination ports, which define the communication connection for this packet and others like it. In TCP, connection sessions are maintained beyond the life of a single packet, so TCP connections have a state, which defines the status of the connection. In the course of a TCP communication session, this state goes from states used to open a connection, to those used to exchange data and acknowledgments, to those used to close a connection.
IP Spoofing
• IP Spoofing knowing the acknowledgment sequence pattern
• Done on the same subnet
• Use a packet sniffer to analyse the sequence pattern
• Packet sniffers intercept network packets
• Eventually decode and analyse the packets sent across the network
• Determine the acknowledgment sequence pattern from the packets
• Send messages to server with actual client's IP address and with validly sequenced acknowledgment number
Figure 14: Format of a TCP packet.
Header:
0 | Source Port | Destination Port
32 | Sequence Number
64 | Acknowledgment Number
96 | Offset | Reserved | Flags | Window Size
128 | Checksum | Urgent Pointer
160 | Options
Payload:
160+ | Data
Motivation of IP Spoofing
• If an attacker sends an IP packet with a spoofed source address,
• He will not receive any response from the destination server
• The response will return back to the machine having the spoofed address
• So, what is the motivation of an attacker for IP spoofing?
• Use IP spoofing to carry out other attacks for which:
• The attacker does not care about any responses for these packets or
• He has some other way of receiving responses
• For example, in denial-of-service attacks,
• The attacker doesn’t want to receive any responses back
• He just wants to overwhelm some other Internet host with data requests.
• Also, it can be used for other attacks such as for circumventing firewall
policy or TCP session hijacking
• In such cases, the attacker uses a different approach to receive the response back
Mitigating IP Spoofing
• Unfortunately, IP spoofing cannot be prevented!
• But it can be handled in a different way!
• Border routers connecting two sub-nets can be configured to block any packet with a source address outside their domain
• IP spoofing can be combated by implementing IP traceback techniques
• IP traceback involves methods for tracing the path of a packet back to its
actual source address
• Given this information, requests can then be made to the various
autonomous systems along this path to block packets from this location
• The ISP controlling the actual source address can also be asked to block
suspicious machines entirely until it is determined that they are clean of
any malware or malicious users.
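The border-router rule above, as an added example in Python (not the lecture’s or any vendor’s code): packets arriving from the site LAN must carry a site source address (egress filtering), and packets arriving from the Internet must not claim a site address (ingress filtering). The site prefix and the packet list are constructed assumptions; the last packet shows the limit the slide refers to, since a foreign source spoofed elsewhere still passes this border.

```python
import ipaddress

# Constructed site: the border router separates this prefix from the Internet.
SITE_PREFIX = ipaddress.ip_network("192.168.1.0/24")

def border_filter(iface, src, site=SITE_PREFIX):
    """Forwarding decision for one packet at the border router.
    iface is 'inside' (arrived from the site LAN) or 'outside' (arrived from the
    Internet). Returns (action, reason)."""
    src_ip = ipaddress.ip_address(src)
    if iface == "inside" and src_ip not in site:
        # egress filtering: site hosts may not emit packets claiming foreign sources
        return "drop", "egress: source outside site prefix"
    if iface == "outside" and src_ip in site:
        # ingress filtering: the Internet may not deliver packets claiming our own addresses
        return "drop", "ingress: source claims site prefix"
    return "forward", "source consistent with arrival interface"

# Constructed packets: (arrival interface, source address, destination address)
SAMPLE_PACKETS = [
    ("inside", "192.168.1.20", "198.51.100.4"),   # normal outbound traffic
    ("inside", "203.0.113.7", "198.51.100.4"),    # spoofed: site host claims a foreign source
    ("outside", "198.51.100.4", "192.168.1.20"),  # normal inbound traffic
    ("outside", "192.168.1.1", "192.168.1.20"),   # spoofed: outsider claims our gateway
    ("outside", "203.0.113.7", "192.168.1.20"),   # foreign source: passes, even if spoofed upstream
]

def filter_batch(packets):
    """Apply border_filter to each packet and return the actions in order."""
    return [border_filter(iface, src)[0] for iface, src, _dst in packets]
```

Only the network that owns the spoofed prefix can filter the last case, which is why the slide turns to IP traceback and cooperation with the ISP controlling the real source.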