CSE 477: Introduction to
Computer Security
Lecture – 18: Networking Security - 2
Course Teacher: Dr. Md Sadek Ferdous
Assistant Professor, CSE, SUST
E-mail: ripul.bd@gmail.com
Outline
• Active Attacks
• Spoofing
• TCP Session Hijacking
• DoS/DDoS
• ICMP Attacks
• PING Flood
• SMURF
• SYN Flood
• DNS Cache Poisoning
• Network Address Translation
• Firewall
• Intrusion Detection/Prevention System
TCP Packet Format
The format of a TCP packet is depicted in Figure 14. Note that it includes source and destination ports, which define the communication connection for this packet and others like it. In TCP, connection sessions are maintained beyond the life of a single packet, so TCP connections have a state, which defines the status of the connection. In the course of a TCP communication session, this state goes from states used to open a connection, to those used to exchange data and acknowledgments, to those used to close a connection.
[Figure 14: Format of a TCP packet. Header fields, in order: Source Port, Destination Port, Sequence Number, Acknowledgment Number, Offset, Reserved, Flags, Window Size, Checksum, Urgent Pointer, Options, Data.]
As mentioned above, TCP uses the notion of 16-bit port numbers, which differentiate multiple TCP connections. TCP packets include both a source port (the port from which the packet originated) and a destination port (the port where the packet will be received). Ports may range from 1 to 65,535.
TCP 3-way Handshake
The client opens a connection with a SYN packet carrying a random initial sequence number x (Figure 15). The server replies with a packet that has both the SYN and ACK (short for "acknowledgment") flags set, known as a SYN-ACK packet, indicating that the server wishes to accept the connection. This packet includes an acknowledgment number, which is set to one more than the received sequence number, and a new random sequence number y. Finally, the client responds with an ACK packet to indicate a successful connection has been established. The final ACK packet features an acknowledgment number set to one more than the most recently received sequence number and the sequence number set to the recently received acknowledgment number. These choices are meant to defeat attacks against TCP based on predicting initial sequence numbers, which are discussed in Section 4.4.
[Figure 15: The three-way TCP handshake. Client to server: SYN, Seq = x. Server to client: SYN-ACK, Seq = y, Ack = x + 1. Client to server: ACK, Seq = x + 1, Ack = y + 1, followed by payload.]
TCP Session Hijacking
• An attack in which the attacker takes control of an existing network session between a client and a server
• A session is the state a server keeps about a client's connection
• Servers need to keep track of the messages exchanged between client and server and the actions they triggered
• Most networks use the TCP/IP protocol suite, so TCP sessions are the usual target
• The attack has several flavours, depending on the location and knowledge of the attacker:
• TCP sequence prediction (blind spoofing) and complete session hijacking (man-in-the-middle)
TCP Sequence Prediction
• A TCP sequence prediction attack attempts to guess an initial
sequence number sent by the server at the start of a TCP session, so
as to create a spoofed TCP session
• Early TCP stacks implemented sequence numbers by using a simple
counter that was incremented by 1 with each transmission
• Without using any randomness, it was trivial to predict the next
sequence number, which is the key to this attack
• Modern TCP stack implementations use pseudo-random number
generators to determine sequence numbers, which makes a TCP
sequence prediction attack more difficult, but not impossible
TCP Sequence Prediction
• The attacker launches a denial-of-service attack against the client victim to prevent that client from interfering with the attack (otherwise the victim would receive an unexpected SYN-ACK and reset the connection)
• The attacker sends a SYN packet to the target server, spoofing the source IP address to be that of the client victim
• After waiting a short period for the server to send its SYN-ACK to the client (which is not visible to the attacker and is not acted on by the client due to the DoS attack), the attacker concludes the TCP handshake by sending an ACK packet whose acknowledgment number is one more than the predicted server sequence number (the prediction is based on information gathered by other means, e.g. earlier connections from the attacker's own address), again spoofing the source IP to be that of the client victim
• If the prediction is correct, the server considers the connection established and the attacker can send requests to the server as if he were the victim client, without ever seeing the server's replies
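The procedure above hinges on one number: the server's initial sequence number, which the attacker must guess without seeing the SYN-ACK. The simulation below is an added example, not code from the lecture. It models a toy server under both ISN policies the slide contrasts (a constant-step counter, as in early stacks, and a random ISN) and runs the blind spoof against each. Addresses are taken from the lecture's figure; the counter step of 64000 and the attacker's address are assumptions.

```python
"""Blind TCP spoofing against predictable vs. random ISNs (added example,
not from the lecture). A toy server completes a handshake only when the
final ACK acknowledges its initial sequence number (ISN) + 1. The attacker
never sees the SYN-ACK, because it is sent to the spoofed victim address;
he can only guess the ISN from one he observed earlier. With a counter-based
ISN the guess is exact; with a random ISN it fails (probability 2^-32).
"""
import secrets

VICTIM_IP = "134.22.9.66"          # from the lecture's figure
SERVER_IP = "128.220.10.101"       # from the lecture's figure
ATTACKER_IP = "10.66.0.1"          # assumed
STEP = 64000                       # assumed constant ISN increment of an old stack
MOD = 2**32


class ToyServer:
    def __init__(self, predictable: bool):
        self.predictable = predictable
        self._counter = 1052289000           # starting point, from the figure
        self.pending = {}                    # (ip, port) -> ISN awaiting final ACK
        self.established = set()

    def _next_isn(self) -> int:
        if self.predictable:                 # early stacks: deterministic counter
            self._counter = (self._counter + STEP) % MOD
            return self._counter
        return secrets.randbelow(MOD)        # modern stacks: unpredictable ISN

    def on_syn(self, src_ip: str, src_port: int, client_isn: int) -> dict:
        """Return the SYN-ACK; it is delivered to src_ip, whoever really sent the SYN."""
        isn = self._next_isn()
        self.pending[(src_ip, src_port)] = isn
        return {"seq": isn, "ack": (client_isn + 1) % MOD}

    def on_ack(self, src_ip: str, src_port: int, ack_num: int) -> bool:
        """Accept the connection only if the ACK acknowledges ISN + 1."""
        isn = self.pending.pop((src_ip, src_port), None)
        if isn is None or ack_num != (isn + 1) % MOD:
            return False                     # wrong guess: handshake fails
        self.established.add((src_ip, src_port))
        return True


def learn_isn(server: ToyServer) -> int:
    """Step 0: attacker connects from his own address to observe one server ISN."""
    synack = server.on_syn(ATTACKER_IP, 50000, client_isn=1)
    server.on_ack(ATTACKER_IP, 50000, (synack["seq"] + 1) % MOD)
    return synack["seq"]


def blind_spoof(server: ToyServer, observed_isn: int) -> bool:
    """Steps 2-3 of the slide: spoofed SYN, then a spoofed ACK built on a guess.
    Step 1 (the DoS on the victim) only keeps the victim from resetting the
    connection when the unexpected SYN-ACK reaches it; it is not modelled."""
    server.on_syn(VICTIM_IP, 40000, client_isn=1873994000)   # SYN-ACK goes to victim
    guess = (observed_isn + STEP) % MOD                      # predict server's next ISN
    return server.on_ack(VICTIM_IP, 40000, ack_num=(guess + 1) % MOD)


def run(predictable: bool) -> bool:
    """True if the spoofed session is accepted by the server."""
    server = ToyServer(predictable)
    return blind_spoof(server, learn_isn(server))
```

run(True) succeeds every time; run(False) fails, which is exactly why randomised ISNs moved this attack from trivial to a guessing game with 2^32 possibilities per attempt.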
TCP Sequence Prediction
Complete session hijacking starts from a man-in-the-middle situation, e.g., using the ARP spoofing method discussed in Section 2.3. Once a man-in-the-middle scenario is in place, the attacker can then perform all subsequent actions as if he were the user he is masquerading as (by spoofed IP source addresses), and he can intercept all responses from both sides. (See Figure 18.)
[Figure 18: Complete TCP session hijacking by a man-in-the-middle attacker between the client (victim, 134.22.9.66) and the server (target, 128.220.10.101). 1: client to server, Seq. no. 1873994000, Length 45. 2: server to client, Seq. no. 1052289000, ACK no. 1873994045, Length 220. 3: the attacker inserts himself as man-in-the-middle. 4: a packet with source 134.22.9.66 and destination 128.220.10.101, Seq. no. 1873994045, ACK no. 1052289220, Length 75, continuing the observed sequence numbers.]
Mitigating TCP Sequence Prediction
• Countermeasures to TCP session hijacking attacks involve the use of
encryption and authentication
• either at the network layer, such as using IPsec, or at the application layer,
such as using application-layer protocols that encrypt entire sessions
• In addition, web sites should avoid creating sessions that begin with
secure authentication measures but subsequently switch over to
unencrypted exchanges
• Such sessions trade security for efficiency, because they leave the rest of the session exposed to a TCP session hijacking attack
DoS
• Because bandwidth in a network is finite, the number of connections a web
server can maintain to clients is limited
• Each connection to a server needs a minimum amount of network capacity to
function
• When a server has used up its bandwidth or the ability of its processors to
respond to requests, then additional attempted connections are dropped and
some potential clients will be unable to access the resources provided by the
server
• Any attack that is designed to cause a machine or piece of software to be
unavailable and unable to perform its basic functionality is known as a denial-of-
service (DoS) attack
• This includes any situation that causes a server to not function properly, but most
often refers to deliberate attempts to exceed the maximum available bandwidth
of a server
• Spoofing the source IP address is commonly used to obscure the identity of the
attacker as well as make mitigation of the attack more difficult
PING Flood
• In a ping flood attack, a powerful machine can perform a DoS attack on a weaker machine
• To carry out the attack, the powerful machine sends a massive number of ICMP echo (PING) requests to a single victim server; the attack works under the following two conditions:
• The attacker can create many more ping requests than the victim can process, and
• The victim has enough network bandwidth to receive all these requests
• If both hold, the victim server will be overwhelmed with the traffic and start to drop legitimate connections
SMURF (Directed Broadcast) Attack
• The smurfing attack also exploits ICMP
• Some implementations respond to pings sent to broadcast addresses
• Idea: ping a LAN's broadcast address to find hosts; every host on the LAN responds to the ping
• Attack:
• Make an echo request packet with a forged source address containing the victim's IP address
• Send it to a SMURF amplifier (a network that answers directed broadcasts), whose hosts then swamp the target with replies
• The victim receives a multitude of PING replies, by which it can be overwhelmed if the two ping-flood conditions above are met
SMURF (Directed Broadcast) Attack
Once sent, each packet is received by every machine on the network, at which point every machine sends a reply ICMP packet to the indicated source address of the target. This results in an amplification effect that multiplies the number of packets sent by the number of machines on the network. In these attacks, the victim may be on the exploited network, or may be an entirely remote target, in which case the identity of the attacker is further obscured. An example of a smurf attack is depicted in Figure 19.
[Figure 19: A smurf attack uses a misconfigured network to amplify traffic intended to overwhelm the bandwidth of a target. The attacker sends an echo request whose source address is spoofed with the target's IP address to the amplifying network; every host there sends an echo response to the target.]
Mitigating SMURF Attack
• To prevent SMURF attacks, administrators should configure hosts on their networks to ignore ICMP echo requests sent to broadcast addresses
• If a server is relatively weak, it would be wise for it to ignore ping requests altogether, to avoid ping floods
• In addition, routers should be configured not to forward packets directed to broadcast addresses (directed broadcasts), since otherwise the network can be used as a ping flood amplifier
SYN Flood
• In the SYN flood attack, an attacker sends a large number of SYN packets to
the server, ignores the SYN/ACK replies, and never sends the expected ACK
packets
• In fact, an attacker initiating this attack in practice will probably use
random spoofed source addresses in the SYN packets he sends, so that the
SYN/ACK replies are sent to random IP addresses
• If an attacker sends a large number of SYN packets with no corresponding ACK packets, the server's memory fills up with half-open connections (the sequence numbers it is remembering in order to match up TCP sessions with the expected ACK packets)
• These ACK packets will never arrive, so this wasted memory ultimately blocks out other, legitimate TCP session requests
Mitigating SYN Flood
• SYN cookie: the server does not keep any per-client state until the handshake is done
• The server sends a specially crafted SYN/ACK packet without creating a corresponding memory entry
• The server embeds the state in the initial sequence number of the SYN/ACK
• This number is a function of the source and destination IP addresses and ports, a slowly incrementing counter, and a secret
• The function is typically a keyed one-way hash (a MAC)
• The secret is known only by the server
• When the final ACK arrives, the server recomputes the value from the packet headers and accepts the connection only if the acknowledgment number equals the cookie plus one
• This number must be hard to guess, otherwise an attacker could forge the final ACK without ever having received the SYN/ACK
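The following is an added example of the SYN-cookie mechanism described on this slide; it is not code from the lecture or from any operating system. The field layout (a 5-bit counter tag above a 27-bit HMAC), the 64-second counter tick and the one-tick grace period are this example's choices; Linux uses a similar layout and additionally encodes the client's MSS, which is omitted here.

```python
"""SYN cookies: stateless SYN handling (added example, not the lecture's code).

On a SYN the server does not allocate a half-open connection. Its initial
sequence number is a cookie: the top 5 bits carry a slowly ticking counter
(mod 32) and the low 27 bits an HMAC over the connection 4-tuple and that
counter, keyed with a server secret. When the final ACK arrives, the server
recomputes the cookie from the packet headers alone and accepts the
connection only if ack - 1 matches for the current or previous counter value.
"""
import hashlib
import hmac
import ipaddress
import secrets
import struct

SECRET = secrets.token_bytes(32)          # known only to the server
COUNTER_BITS, MAC_BITS = 5, 27            # this example's layout
MAC_MASK = (1 << MAC_BITS) - 1
TAG_MASK = (1 << COUNTER_BITS) - 1


def counter_at(now_seconds: float) -> int:
    """Coarse time counter (64 s ticks, an assumption); cookies stay valid one tick."""
    return int(now_seconds) // 64


def _mac(src_ip: str, src_port: int, dst_ip: str, dst_port: int, counter: int) -> int:
    msg = (ipaddress.ip_address(src_ip).packed
           + ipaddress.ip_address(dst_ip).packed
           + struct.pack("!HHQ", src_port, dst_port, counter))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(src_ip, src_port, dst_ip, dst_port, counter) -> int:
    """Server ISN for the SYN/ACK: counter tag in the high bits, MAC below."""
    return ((counter & TAG_MASK) << MAC_BITS) | _mac(src_ip, src_port, dst_ip, dst_port, counter)


def check_cookie(cookie, src_ip, src_port, dst_ip, dst_port, counter, max_age=1) -> bool:
    """Accept a cookie minted at the current counter or up to max_age ticks ago."""
    tag, mac = cookie >> MAC_BITS, cookie & MAC_MASK
    for age in range(max_age + 1):
        c = counter - age
        if (c & TAG_MASK) != tag:
            continue
        expected = _mac(src_ip, src_port, dst_ip, dst_port, c)
        # constant-time compare so timing does not leak which bits were wrong
        if hmac.compare_digest(expected.to_bytes(4, "big"), mac.to_bytes(4, "big")):
            return True
    return False


def handle_syn(pkt: dict, counter: int) -> dict:
    """Reply to a SYN with a SYN/ACK and remember nothing about the client."""
    cookie = make_cookie(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], counter)
    return {"seq": cookie, "ack": (pkt["seq"] + 1) % 2**32}


def handle_ack(pkt: dict, counter: int) -> bool:
    """Final ACK: rebuild connection state only if ack - 1 is a valid cookie."""
    cookie = (pkt["ack"] - 1) % 2**32
    return check_cookie(cookie, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], counter)


def demo() -> tuple:
    """A flood of spoofed SYNs costs no memory; a real client still connects.
    Returns the ACK verdicts at the issuing tick, one tick later, two ticks later."""
    t0 = counter_at(1_700_000_000)
    server = {"dst": "128.220.10.101", "dport": 80}        # address from the lecture figure
    for i in range(10_000):                                 # SYN flood from random sources
        handle_syn({"src": f"10.{(i >> 8) & 255}.{i & 255}.7", "sport": 40000 + i % 20000,
                    "seq": i, **server}, t0)                # nothing is stored
    syn = {"src": "134.22.9.66", "sport": 51515, "seq": 1873994000, **server}
    synack = handle_syn(syn, t0)
    ack = {**syn, "seq": synack["ack"], "ack": (synack["seq"] + 1) % 2**32}
    return handle_ack(ack, t0), handle_ack(ack, t0 + 1), handle_ack(ack, t0 + 2)
```

demo() returns (True, True, False): the legitimate handshake completes even during the flood, a slightly late ACK is still honoured, and a stale one is rejected. Note what the server gave up to get this: it has no record of the SYN, so TCP options negotiated in the SYN are lost, which is the limitation the next slide discusses.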
SYN Cookie Limitation
• Windows has not adopted SYN cookies, but they are implemented in several Linux distributions
• The lack of adoption is due to some restrictions imposed by SYN cookies
• The main limitation is that SYN cookies do not ordinarily allow the use of the TCP options negotiated in the SYN (e.g. window scaling, selective acknowledgment)
• This information is usually stored alongside SYN queue entries, which a cookie-based server does not keep
• Recent Linux SYN cookie implementations address this limitation by encoding the TCP option information in the TCP timestamp option
Distributed DoS (DDoS)
• A denial-of-service condition can be created by using more than one attacking machine, in what is known as a distributed denial-of-service (DDoS) attack
• In this attack, malicious users leverage the power of many machines (sometimes hundreds or even thousands) to direct traffic against a single web site in an attempt to create denial-of-service conditions
• Major web sites, such as Yahoo!, Amazon, and Google, have been the targets of repeated DDoS attacks
• Often, attackers carry out DDoS attacks by using botnets: large networks of machines that have been compromised and are controllable remotely
Distributed DoS (DDoS)
[Figure 20: A DDoS attack. The botnet controller (attacker) sends attack commands to the botnet; the compromised machines send network requests to the victim.]
Mitigating DDoS
• In theory, there is no way to completely eliminate the possibility of a
DDoS attack, since the bandwidth a server is able to provide its users
will always be limited
• Still, measures may be taken to mitigate the risks of DoS attacks
• For example, many servers incorporate DoS protection mechanisms
that analyse incoming traffic and drop packets from sources that are
consuming too much bandwidth
• Unfortunately, IP spoofing may make DDoS prevention more difficult,
by obscuring the identity of the attacker bots and providing
inconsistent information on where network traffic is coming from
DNS – Domain Name System
• DNS services
• Hostname -> IP translation
• Host aliasing
• Mail server aliasing
• Load distribution
• replicated web servers
• set of IP addresses for one canonical name. E.g., amazon.com
• Why not centralise DNS?
• Single point of failure
• Traffic volume
DNS lookup
• Distributed, hierarchical database:
• Root DNS servers
• com DNS servers (yahoo.com DNS servers, amazon.com DNS servers), org DNS servers (pbs.org DNS servers), edu DNS servers (poly.edu DNS servers, umass.edu DNS servers)
• Client wants IP for www.amazon.com; 1st approximation:
• client queries a root server to find the com DNS server
• client queries the com DNS server to get the amazon.com DNS server
• client queries the amazon.com DNS server to get the IP address for www.amazon.com
DNS name resolution example
• Host at me.cs.vt.edu wants the IP address for gaia.cs.umass.edu
• Iterated query: the contacted server replies with the name of the server to contact ("I don't know this name, but ask this server")
[Figure: 1. requesting host me.cs.vt.edu queries local DNS server dns.vt.edu; 2. local DNS server queries root DNS server; 3. root replies with a referral to the TLD DNS server; 4. local DNS server queries TLD DNS server; 5. TLD server replies with a referral to the authoritative DNS server; 6. local DNS server queries authoritative DNS server dns.umass.edu; 7. authoritative server replies with the address of gaia.cs.umass.edu; 8. local DNS server returns the answer to me.cs.vt.edu.]
DNS Cache Poisoning
Mitigating DNS Cache Poisoning
• First, most DNS cache poisoning attacks are targeted towards ISP DNS
servers, known as local DNS (LDNS) servers, rather than authoritative
name servers
• Prior to more recent cache poisoning attacks, the practice of leaving
LDNS servers openly accessible to the outside world was common,
but since 2008, most LDNS servers have been reconfigured to only
accept requests from within their internal network
• This prevents all cache poisoning attempts originating from outside of
an ISP’s network
• However, the possibility of attacking from within the network remains
• There are some other techniques not explored here, but the
possibility of DNS Cache Poisoning still exists
Firewall
• Firewalls divide the untrusted outside of a network from the more
trusted interior of a network
• Often they run on dedicated devices
• Fewer opportunities for compromise: no compilers, linkers, loaders, debuggers, programming libraries, or other tools an attacker might use to escalate their attack
• Easier to maintain, with only a few accounts
• Physically divide the inside from the outside of a network
Firewall
[Sample network diagram: inside the boundary firewall are user desktop PCs and laptops, card readers, user mobile devices behind a wireless access point, email, web and application servers, and databases; user devices may also run personal firewalls. Outside are the Internet, 3rd-party systems, and a home PC and home server behind a home router.]
Firewall
• Questionable things come from the internet AND from the local network
• Firewall applies a set of rules
• Based on rules, it allows or denies the traffic
• Firewalls can also act as a router, deciding where to send traffic
[Diagram: Internet, boundary firewall, local network with desktop PCs and laptops and email, web and application servers; denied traffic goes to the trash.]
Rule  Type  Source Address  Destination Address  Destination Port  Action
1     TCP   *               192.168.1.*          22                Permit
2     UDP   *               192.168.1.*          69                Permit
3     TCP   192.168.1.*     *                    80                Permit
4     TCP   *               192.168.1.18         80                Permit
5     UDP   *               192.168.1.*          *                 Deny
(Slide: Kami Vaniea)
Firewall types
• Key differences include:
• How implemented
• Software – slower, easier to deploy on personal computers
• Hardware – faster, somewhat safer, harder to add in
• Number of OSI levels of processing required
• Packet size (level 1)
• MAC (level 2) filtering
• IP & Port filtering (level 3)
• Deep packet (level 4+)
• Based on these two differences:
• Packet filtering gateway
• Stateful inspection firewall
• Application proxy
• Personal firewall
Packet filtering gateway
• Simplest type: compares information found in the packet headers to the policy rules
• Operates at TCP/IP level 3 (IP addresses and ports)
• Source addresses and ports can be forged, which a packet filter cannot detect
• Design is simple, but many rules are needed, so it is challenging to maintain
Packet filtering gateway: stateless examples
• Policy: No outside Web access. Firewall setting: Drop all outgoing packets to any IP address, port 80.
• Policy: No incoming TCP connections, except those for the institution's public Web server only. Firewall setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.
• Policy: Prevent streaming audio/video from eating up the available bandwidth. Firewall setting: Drop all incoming UDP packets, except DNS and router broadcasts.
• Policy: Prevent your network from being used for a smurf DoS attack. Firewall setting: Drop all ICMP packets going to a "broadcast" address (e.g. 130.207.255.255).
• Policy: Prevent your network from being tracerouted. Firewall setting: Drop all outgoing ICMP TTL-expired traffic.
Stateful inspection firewall
• Maintains state from one packet to another
• Similar to a packet filtering gateway, but can remember recent events
• For example, if an outside host starts sending packets to many internal destination ports (a port scan), a stateful firewall would record the number of ports probed and, once it is over the threshold specified in the policy, block all further traffic from that host
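The port-scan behaviour just described, as an added example (not code from the lecture or from any firewall product): the tracker keeps, per source address, the distinct destination ports seen inside a sliding window and blocks the source once the count exceeds the policy threshold. The threshold of 10 ports in 60 seconds and the packet trace are this example's choices.

```python
"""Stateful port-scan tracking, as a firewall would do it (added example,
not from the lecture). Per source address the tracker remembers which
distinct destination ports were probed inside a sliding time window; once
the count passes the policy threshold every further packet from that source
is dropped, regardless of how old the probes become.
"""
from collections import defaultdict, deque


class ScanTracker:
    def __init__(self, threshold: int = 10, window_s: float = 60.0):
        self.threshold = threshold
        self.window_s = window_s
        self._probes = defaultdict(deque)    # src -> deque of (timestamp, dport)
        self.blocked = {}                    # src -> timestamp when blocked

    def inspect(self, ts: float, src: str, dport: int) -> str:
        """Return "PASS" or "DROP" for one inbound packet; updates state as a side effect."""
        if src in self.blocked:
            return "DROP"
        probes = self._probes[src]
        probes.append((ts, dport))
        while probes and ts - probes[0][0] > self.window_s:   # expire old probes
            probes.popleft()
        if len({port for _, port in probes}) > self.threshold:
            self.blocked[src] = ts
            del self._probes[src]            # history no longer needed once blocked
            return "DROP"
        return "PASS"


def run_trace() -> dict:
    """Constructed trace: 203.0.113.9 sweeps ports 1..14 within a second while
    198.51.100.4 keeps making legitimate HTTPS connections to port 443."""
    fw = ScanTracker(threshold=10, window_s=60.0)
    decisions = defaultdict(list)
    for i in range(14):
        t = 100.0 + i * 0.07
        decisions["scanner"].append(fw.inspect(t, "203.0.113.9", 1 + i))
        decisions["client"].append(fw.inspect(t, "198.51.100.4", 443))
    # much later the scanner is still blocked: the block outlives the window
    decisions["scanner_later"].append(fw.inspect(5000.0, "203.0.113.9", 22))
    return dict(decisions)
```

run_trace() lets the first ten probes through (the filter cannot know yet), then drops everything from the scanner while the repeat client is never affected. A stateless filter could not make this distinction, since each of the scanner's packets on its own looks like any other connection attempt.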
Stateful inspection firewall
[Image: firewall ruleset from a custom home router, taken from an Ars Technica article: http://arstechnica.co.uk/gadgets/2016/01/numbers-dont-lie-its-time-to-build-your-own-router/]
Application proxy
• Simulates the (proper) effects of an application at TCP/IP level 5
• Effectively a protective Man In The Middle that screens information at
an application layer
• Allows an administrator to block certain application requests
• For example:
• Block all web traffic containing certain words
• Remove all macros from Microsoft Word files in email
• Prevent anything that looks like a credit card number from leaving a database
Personal firewalls
• Runs on the workstation that it protects (software)
• Provides basic protection, especially for home or mobile devices
• Malicious software can disable part or all of the firewall
• Any rootkit type software can disable the firewall
Limitations of Firewalls
• IP spoofing:
• router can’t know if data “really” comes from the claimed source
• If multiple applications need special treatment, each has own app
gateway
• Client software must know how to contact gateway
• set IP address of proxy in Web browser
• Trade-off: degree of communication with outside world, level of
security
• Many highly protected sites still suffer from attacks
Intrusion Detection Systems (IDS)
• Firewalls are preventative, IDS detects a potential incident in progress
• At some point you have to let some traffic into and out of your
network (otherwise users get upset)
• Most security incidents are caused by a user letting something malicious into the network, or by the user being an insider threat themselves
• These cannot all be prevented or anticipated in advance
• The next step is to identify that something bad is happening quickly
so you can address it
IDS types
• A Network Intrusion Detection System (NIDS) sits at the perimeter of
a network and detects malicious behaviour based on traffic patterns
and content
• A protocol-based intrusion detection system (PIDS) is specifically
tailored towards detecting malicious behaviours in a specific protocol,
and is usually deployed on a particular network host
• For example, a web server might run a PIDS to analyse incoming HTTP traffic
and drop requests that may be potentially malicious or contain errors
• Finally, a host-based IDS (HIDS) resides on a single system and
monitors activity on that machine, including system calls, inter-
process communication, and patterns in resource usage
IDS detection
An IDS may also produce false alarms, sounded on perceived threats that are not actual attacks. The four possible outcomes are as follows (see Figure 18):
• True positive: an alarm is sounded on a malicious event, which is an intrusion
• False positive: an alarm is sounded on benign activity, which is not an intrusion
• False negative: no alarm is sounded on a malicious event, which is an intrusion
• True negative: no alarm is sounded on benign activity, which is not an intrusion
[Figure 18: The four conditions for alarm sounding by an intrusion detection system, as a 2x2 grid. Rows: Alarm Sounded / No Alarm Sounded. Columns: Intrusion Attack / No Intrusion Attack. Alarm and intrusion: True Positive; alarm and no intrusion: False Positive; no alarm and intrusion: False Negative; no alarm and no intrusion: True Negative.]
IDS
• Deep packet inspection:
• look at packet contents (e.g., check strings in packet against database of
known virus)
• Examine correlation among multiple packets
• port scanning, network mapping, DoS attack
• Generate alerts when it observes potentially malicious traffic
• Passive monitoring
• Two main approaches:
• Signature-based IDS
• Anomaly-based/Heuristic-based IDS
Signature-based IDS
• Signature based IDS maintains a database of attack signatures
• Each signature is a set of rules pertaining to an intrusion activity
• A list of characteristics of a single or a series of packets
• Packet size, source, destination port numbers, protocol type, payload
• Perform simple pattern matching and report situations that match the pattern
• Requires that the admin know the attack patterns in advance
• Attackers may test their attack against common signatures and tweak it until it no longer matches
• High accuracy, low false positives
• Limitations:
• Blind to new attacks (false negatives)
• False alarms (false positives)
• High cost: every packet is compared against a large collection of signatures
Heuristic-based IDS
• Dynamically build a model of acceptable or “normal” behaviour and flag
anything that does not match
• Observe normal traffic first, then,
• Look for packet streams that are statistically unusual
• Unusual percentage of ICMP packets
• Sudden exponential growth in port scans and ping echo requests
• Advantage: can detect new attacks (in theory)
• Disadvantage:
• Need to have a lot of training data to see what normal is
• System needs time to warm up to new behaviour
• Hard to distinguish normal from abnormal activities (e.g., stealthy malware)
• Higher false positives, lower accuracy
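Both detection approaches on the two slides above, run over one constructed packet trace, as an added example (not code from the lecture or from any IDS product). The signature matcher shows a true positive, a false positive on a benign path that happens to contain "../", and a false negative on an attack nobody has written a signature for; the anomaly detector learns the ICMP share of a baseline and alarms on a later window whose share is far above it. Signatures, thresholds and the trace are all this example's.

```python
"""Signature-based vs. anomaly-based detection on one constructed trace
(added example, not lecture code). signature_ids flags packets whose
payload matches a known pattern; anomaly_ids learns the ICMP share of a
baseline period and alarms when a later window exceeds a multiple of it.
Each packet is labelled attack/benign so the four outcomes from the IDS
detection slide (TP/FP/FN/TN) can be counted.
"""
import re
from collections import Counter

# (protocol, payload, is_attack) -- constructed sample traffic
SIGNATURE_TRACE = [
    ("TCP", b"GET /index.html HTTP/1.1", False),
    ("TCP", b"GET /../../etc/passwd HTTP/1.1", True),                  # known pattern
    ("TCP", b"GET /item?id=1 UNION SELECT user,pass FROM t", True),    # known pattern
    ("TCP", b"GET /docs/../readme.txt HTTP/1.1", False),                # benign, looks like one
    ("TCP", b"GET /cgi-bin/status?;id HTTP/1.1", True),                 # new attack, no signature
]
BASELINE = [("TCP", b"GET / HTTP/1.1", False)] * 90 + [("ICMP", b"", False)] * 10
QUIET_WINDOW = [("TCP", b"GET / HTTP/1.1", False)] * 45 + [("ICMP", b"", False)] * 5
FLOOD_WINDOW = [("ICMP", b"", True)] * 40 + [("TCP", b"GET / HTTP/1.1", False)] * 10

SIGNATURES = {                                   # this example's toy rule set
    "path-traversal": re.compile(rb"\.\./"),
    "sql-union-injection": re.compile(rb"(?i)\bunion\s+select\b"),
}


def signature_ids(packets) -> list:
    """Pattern matching: one alarm decision per packet."""
    return [any(sig.search(payload) for sig in SIGNATURES.values())
            for _, payload, _ in packets]


def confusion(alarms, packets) -> Counter:
    """Count TP/FP/FN/TN from alarm decisions and the trace's ground truth."""
    counts = Counter()
    for alarm, (_, _, is_attack) in zip(alarms, packets):
        if alarm:
            counts["TP" if is_attack else "FP"] += 1
        else:
            counts["FN" if is_attack else "TN"] += 1
    return counts


def icmp_share(packets) -> float:
    protos = Counter(proto for proto, _, _ in packets)
    return protos["ICMP"] / max(1, len(packets))


def anomaly_ids(baseline, window, factor: float = 3.0) -> bool:
    """Statistical check: alarm when the window's ICMP share is far above normal.
    The factor is a tuning knob: lower catches more, at the cost of false alarms."""
    return icmp_share(window) > factor * icmp_share(baseline)
```

On SIGNATURE_TRACE the matcher yields TP=2, FP=1, FN=1, TN=1: the "../" in a legitimate path is the false alarm the signature slide warns about, and the command-injection attempt is the new attack it is blind to. The anomaly detector stays quiet on QUIET_WINDOW (same 10% ICMP as the baseline) and alarms on FLOOD_WINDOW (80%), without knowing anything about what a ping flood looks like in advance; it would equally alarm on a legitimate but unusual burst of ICMP, which is the higher false-positive rate the heuristic slide lists.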
Intrusion Prevention Systems (IPS)
• Actively filters out suspicious traffic
• Active monitoring
• Terminate connections, blocking access of user accounts, IP addresses
• Respond to detected threats in real time
• Delete malicious content
• Apply patches
• Reconfigure a firewall or router
• Cisco global correlation IPS
• Reputation scores for the sources
• Reputation obtained from centralised databases