
Network Threats and Attack Lab

Experiment List

S. No.  Name of Experiments
1. Study of various reconnaissance tools
2. Study of packet sniffer tools
3. Implement a code to simulate buffer overflow attack
4. Download, install and use nmap for open port scan, tcp port scan, udp port scan and ping scan
5. Detect ARP spoofing using open source tool ARPWATCH
6. Scan the network for vulnerabilities using NESSUS tool
7. Create firewalls in Linux using iptables
8. Install IDS (e.g. SNORT) and study the logs.
9. Set up IPSEC under LINUX
10. Mini project

Network Security

What is Security

Dictionary.com says:
1. Freedom from risk or danger; safety.
2. Freedom from doubt, anxiety, or fear; confidence.
3. Something that gives or assures safety, as:
   1. A group or department of private guards: Call building security if a visitor acts suspicious.
   2. Measures adopted by a government to prevent espionage, sabotage, or attack.
   3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.
etc.


Why do we need security?

Protect vital information while still allowing access to those who need it
   Trade secrets, medical records, etc.
Provide authentication and access control for resources
Guarantee availability of resources

Who is vulnerable?

Financial institutions and banks
Internet service providers
Pharmaceutical companies
Government and defense agencies
Contractors to various government agencies
Multinational corporations
ANYONE ON THE NETWORK

Network Reconnaissance

Network Reconnaissance means obtaining information about the victim.
Network Reconnaissance: an "exploration or enumeration of network infrastructure including network addresses, available communication ports, and available services".

Vulnerability scanner

A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses.
They can be run either as part of vulnerability management by those tasked with protecting systems, or by black hat attackers looking to gain unauthorized access.

Types

Port scanner (e.g. Nmap)
Network vulnerability scanner (e.g. Nessus)
Web application security scanner (e.g. w3af)
Database security scanner
Host based vulnerability scanner (e.g. Lynis)
ERP security scanner (e.g. ERPScan)
Single vulnerability tests

Common security attacks and their countermeasures

Finding a way into the network: Firewalls (iptables)
Exploiting software bugs, buffer overflows: Intrusion Detection Systems
Denial of Service: Ingress filtering, IDS (snort)
TCP hijacking: IPSec
Packet sniffing: Encryption (SSH, SSL, HTTPS)
Social problems: Education

(SSH: Secure Shell; SSL: Secure Socket Layer)

Firewalls

Basic problem: many network applications and protocols have security problems that are fixed over time.
Difficult for users to keep up with changes and keep hosts secure.
Solution:
Administrators limit access to end hosts by using a firewall.
The firewall is kept up-to-date by administrators.

Firewalls

[Figure: Internet - Firewall - (Web server, email server, web proxy, etc.) - Firewall - Intranet]

Denial of Service

Purpose: Make a network service unusable, usually by overloading the server or network.
Many different kinds of DoS attacks:
SYN flooding
Smurf
Distributed attacks

TCP handshaking

[Figure: TCP handshaking]

SYN flooding - Denial of Service

The attack involves having a client repeatedly send SYN (synchronization) packets to every port on a server, using fake IP addresses.
The server responds to each attempt with a SYN/ACK (synchronization acknowledged) packet from each open port, and with a RST (reset) packet from each closed port.
In a SYN flood, the ACK packet is never sent back by the hostile client. Instead, the client program sends repeated SYN requests to all the server's ports. A hostile client always knows a port is open when the server responds with a SYN/ACK packet.
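An added example (not part of the lab manual) showing how a server-side monitor would spot the flood described above: it tracks SYNs that never receive their final ACK, both per source and in total, because the per-source count alone misses a flood that uses fake source addresses. All trace data below is constructed; the backlog size of 128 is an assumed listen queue length.

```python
from collections import defaultdict

# Constructed traces of inbound TCP segments as seen by one server, oldest first.
# Record layout: (src_ip, src_port, dst_port, flags). Not taken from a real capture.
NORMAL = [("10.0.0.5", 40001, 80, "SYN"), ("10.0.0.5", 40001, 80, "ACK"),
          ("10.0.0.6", 40002, 443, "SYN"), ("10.0.0.6", 40002, 443, "ACK")]
# One host sending a SYN to every port and never finishing the handshake.
ONE_SOURCE = NORMAL + [("198.51.100.9", 50000 + p, p, "SYN") for p in range(1, 41)]
# Many forged source addresses hitting one port: each source alone looks harmless.
SPOOFED = NORMAL + [(f"203.0.113.{i}", 40000, 80, "SYN") for i in range(1, 151)]

def half_open_by_source(trace):
    """Map src_ip -> set of (src_port, dst_port) still waiting for the final ACK."""
    pending = defaultdict(set)
    for src, sport, dport, flags in trace:
        if flags == "SYN":
            pending[src].add((sport, dport))
        elif flags == "ACK":           # handshake completed, no longer half-open
            pending[src].discard((sport, dport))
    return {src: ports for src, ports in pending.items() if ports}

def flag_sources(trace, max_half_open=20, min_ports=10):
    """Sources holding many half-open connections spread across many server ports."""
    alerts = []
    for src, ports in half_open_by_source(trace).items():
        dports = {d for _, d in ports}
        if len(ports) >= max_half_open and len(dports) >= min_ports:
            alerts.append((src, len(ports), len(dports)))
    return alerts

def backlog_pressure(trace, backlog=128):
    """Total half-open connections against the listen backlog; catches spoofed floods."""
    total = sum(len(p) for p in half_open_by_source(trace).values())
    return total, total > backlog
```

The per-source rule flags the single sweeping host; only the total half-open count exposes the spoofed flood, which is why backlog exhaustion rather than source reputation is the signal to watch.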

Smurf

A smurf attack is an exploitation of the Internet Protocol (IP) broadcast addressing to create a denial of service. The attacker uses a program called Smurf to cause the attacked part of a network to become inoperable.
The smurf program builds a network packet that appears to originate from another address (this is known as spoofing an IP address).
The packet contains an ICMP ping message that is addressed to an IP broadcast address. The echo responses to the ping message are sent back to the "victim" address. Enough pings and resultant echoes can flood the network, making it unusable for real traffic.

Smurf - Denial of Service

[Figure: the perpetrator sends an ICMP echo (spoofed source address of victim) to an IP broadcast address across the Internet; the ICMP echo replies go to the victim]
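Added example, not from the original slides: a border-side check for the smurf pattern above. It flags echo requests aimed at the network's broadcast address, measures how many replies each spoofed source (the real victim) receives per request, and shows the filtering rule a border device applies. The network 192.0.2.0/24, the victim address and the trace are all constructed.

```python
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.0.2.0/24")   # constructed amplifier network

# Constructed ICMP trace at the LAN border: (src_ip, dst_ip, icmp_type).
# The perpetrator forges the victim's address as source; every LAN host answers the victim.
VICTIM = "198.51.100.7"
TRACE = [("10.0.0.5", "192.0.2.10", "echo-request"), ("192.0.2.10", "10.0.0.5", "echo-reply")]
TRACE += [(VICTIM, str(LAN.broadcast_address), "echo-request")] * 3
TRACE += [(f"192.0.2.{h}", VICTIM, "echo-reply") for h in range(1, 51)] * 3   # 150 replies

def is_broadcast_echo(pkt, net=LAN):
    """True for an echo request addressed to the network's broadcast address."""
    src, dst, icmp_type = pkt
    return icmp_type == "echo-request" and ipaddress.ip_address(dst) == net.broadcast_address

def amplification_report(trace, net=LAN):
    """Per spoofed source: (broadcast requests seen, replies sent to it, replies per request)."""
    requests = Counter(p[0] for p in trace if is_broadcast_echo(p, net))
    replies = Counter(p[1] for p in trace if p[2] == "echo-reply" and p[1] in requests)
    return {v: (n, replies[v], replies[v] / n) for v, n in requests.items()}

def filter_trace(trace, net=LAN):
    """Border filter: drop broadcast echo requests; the same effect hosts get from
    the Linux sysctl net.ipv4.icmp_echo_ignore_broadcasts=1."""
    return [p for p in trace if not is_broadcast_echo(p, net)]
```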

Distributed DOS

In a typical DDoS attack, the attacker begins by exploiting a vulnerability in one computer system and making it the DDoS master. The attack master identifies and infects other vulnerable systems with malware.
Eventually, the attacker instructs the controlled machines to launch an attack against a specified target.
A computer under the control of an intruder is known as a zombie.

TCP Attacks

If an attacker learns the associated TCP state for the connection, then the connection can be hijacked!
Attacker can insert malicious data into the TCP stream, and the recipient will believe it came from the original source.
Ex. Instead of downloading and running a new program, you download a virus and execute it.

TCP Attacks

Say hello to Alice, Bob and Mr. Big Ears

TCP Attacks

Alice and Bob have an established TCP connection

TCP Attacks

Mr. Big Ears lies on the path between Alice and Bob on the network
He can intercept all of their packets

TCP Attacks

First, Mr. Big Ears must drop all of Alice's packets since they must not be delivered to Bob

[Figure: Alice's packets go to "The Void"]

TCP Attacks

Then, Mr. Big Ears sends his malicious packet with the next ISN (sniffed from the network)

[Figure: Mr. Big Ears' packet labelled "ISN, SRC=Alice" (Initial Sequence no.)]

TCP Attacks

How do we prevent this?
IPSec
Provides source authentication, so Mr. Big Ears cannot pretend to be Alice
Encrypts data before transport, so Mr. Big Ears cannot talk to Bob without knowing what the session key is
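Added example (not the slides' own material) modelling why source authentication defeats the hijack described above: a toy receiver that, like plain TCP, accepts any segment carrying the right source address and sequence number, beside the same receiver verifying an HMAC tag under a shared session key, which stands in for the authentication IPsec provides. The key, addresses and payloads are constructed and nothing touches a real socket.

```python
import hmac
import hashlib

SESSION_KEY = b"constructed-shared-key"   # known only to Alice and Bob in this toy model

def make_segment(src, seq, payload, key=None):
    """Build a segment; with a key, attach an HMAC tag over (src, seq, payload)."""
    seg = {"src": src, "seq": seq, "payload": payload}
    if key is not None:
        seg["tag"] = hmac.new(key, f"{src}|{seq}|".encode() + payload, hashlib.sha256).hexdigest()
    return seg

class Receiver:
    """Bob's end of the connection; tracks the next sequence number it expects."""
    def __init__(self, peer, isn, key=None):
        self.peer, self.expected, self.key, self.delivered = peer, isn, key, []

    def accept(self, seg):
        # Plain TCP check: right peer address and right sequence number.
        if seg["src"] != self.peer or seg["seq"] != self.expected:
            return False
        # With source authentication the tag must verify under the session key.
        if self.key is not None:
            expect = make_segment(seg["src"], seg["seq"], seg["payload"], self.key)["tag"]
            if not hmac.compare_digest(seg.get("tag", ""), expect):
                return False
        self.delivered.append(seg["payload"])
        self.expected += len(seg["payload"])
        return True

def run_scenario(authenticated):
    """Alice sends one segment; Mr. Big Ears, having sniffed the ISN, forges the next one.
    Returns (was the forged segment accepted, what Bob delivered)."""
    isn = 1000
    key = SESSION_KEY if authenticated else None
    bob = Receiver("Alice", isn, key)
    bob.accept(make_segment("Alice", isn, b"GET update.bin", key))
    sniffed_next = isn + len(b"GET update.bin")
    forged = make_segment("Alice", sniffed_next, b"GET virus.bin")   # no key, so no valid tag
    return bob.accept(forged), bob.delivered
```

Knowing the sequence state is enough against the unauthenticated receiver; with the keyed tag the forged segment is rejected even though its source address and sequence number are exactly right.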

Packet Sniffing

Recall how Ethernet works
When someone wants to send a packet to someone else
They put the bits on the wire with the destination MAC address
And remember that other hosts are listening on the wire to detect collisions
It couldn't get any easier to figure out what data is being transmitted over the network!

Packet Sniffing

This works for wireless too!
In fact, it works for any broadcast-based medium

Packet Sniffing

What kinds of data can we get?
Asked another way, what kind of information would be most useful to a malicious user?
Answer: Anything in plain text
Passwords are the most popular
