WUSTL CSE 571S - TCP/IP Security Attacks

This preview shows page 1-2-3-26-27-28 out of 28 pages.

3-1  TCP/IP Security Attacks
©2009 Raj Jain, CSE571S, Washington University in St. Louis

Raj Jain
Washington University in Saint Louis
Saint Louis, MO
[email protected]
These slides are available on-line at: http://www.cse.wustl.edu/~jain/cse571-09/

3-2  Overview
1. TCP Segment Format, Connection Setup, Disconnect
2. IP: Address Spoofing, Covert Channel, Fragment Attacks, ARP, DNS
3. TCP Flags: Syn Flood, Ping of Death, Smurf, Fin
4. UDP Flood Attack
5. Connection Hijacking
6. Application: E-Mail, Web Spoofing

3-3  TCP Segment Format
- Urgent: Deliver immediately at destination
- Push: Leave source immediately
- First data byte is ISN+1. Ack is next byte expected. Expecting Ack to Ack+window-1 next.

  [Figure: TCP header layout]
  Source Port | Destination Port
  Sequence Number
  Ack Number
  Data Offset | Res | Urg Ack Push Reset Syn Fin | Window
  Checksum | Urgent Pointer
  Options | Padding
  Data

3-4  TCP Connection Setup
- Three-way handshake
  [Figure: Syn, ISN=10 -> ; <- Syn, Ack 33, ISN=22 ; Ack 44 -> ; annotated "Start connection establishment timer (half-open connection)"]

3-5  TCP Disconnection
- Fin ⇒ No more data. Connection can be closed.
- Four-way handshake
  [Figure: four-way close; messages labelled Fin, Ack, Ack, Fin]

3-6  IP Address Spoofing
- Send requests to server with someone X's IP address. The response is received at X and discarded. Both X and server can be kept busy ⇒ DoS attack
  [Figure: Hacker, Victim V, Victim X. Hacker -> V: SA=X | DA=V. V -> X: SA=V | DA=X]

3-7  Covert Channel
- Loki - a client server application
  - Uses ICMP echo to send covert commands
  - http://xforce.iss.net/xforce/xfdb/1452
- Timing Channel - CPU load indicates a 0 or 1 (Two processes on the same machine)
- Storage Channel - Print queue length large = 1, small = 0
  [Figure: High Security Machine, Low Security Machine]

3-8  IP Fragment Attacks
- Fragments can overlap
- Final packets can be too large

3-9  TCP Flags
- Invalid Combinations
- May cause recipient to crash or hang

3-10  Syn Flood
- A sends Syn request with IP address of X to Server V.
- V sends a Syn+Ack to X
- X discards Syn+Ack leaving a half-open connection at V.
- Many open connections exhaust resources at V ⇒ DoS
  [Figure: Hacker, Victim V, Victim X. Hacker -> V: SA=X | DA=V, Syn. V -> X: SA=V | DA=X, Syn+Ack]

3-11  Ping of Death
- Send a ping with more than 64kB in the data field.
- Most systems would crash, hang or reboot.

3-12  Smurf
- Send a broadcast echo request with V's source address.
- All the echo replies will make V very busy.

3-13  Fin
- In the middle of conversation between X and V.
- H sends a packet with Fin flag to V.
- V closes the connection and disregards all further packets from X.
- RST flag can be used similarly
  [Figure: Hacker, Victim V, Victim X. Hacker -> V: SA=X | DA=V, Fin. V -> X: SA=V | DA=X, Fin+Ack]

3-14  UDP Flood Attack
- Character Generator (Chargen) request results in a response with random characters being returned.
- Used to diagnose lost packets on the path between two hosts.
- Uses TCP/UDP port 19.
- H can send a chargen request from X to V.
- V can respond to X wasting their bandwidth.
  [Figure: Hacker, Victim V, Victim X. Hacker -> V: SA=X | DA=V, Chargen. V -> X: SA=V | DA=X, Char]

3-15  Connection Hijacking
- H sends packets to server V which increments the sequence number for connection from X.
- All further packets from X are discarded at V.
- Responses for packets from H are sent to V - confusing him.
  [Figure: Hacker H, Victim V, Victim X. Packets to V labelled SA=X | DA=V, SN=110 and SA=X | DA=V, SN=22]

3-16  ARP Spoofing
- X tries to find the MAC address of Victim V
- Hacker H responds to ARP request pretending to be V.
- All communication for V is captured by H.
- Hacker may flood fraudulent ARP requests and replies
- Countermeasure: Use static ARP
  [Figure: X, Victim V, Hacker H. X: "Does anyone know V?" H: "Yes, V's address is H."]

3-17  DNS Spoofing
- DNS server is compromised to provide H's IP address for V
- Virus can modify hosts files
- Access router modified to point to poisoned DNS ⇒ Pharming
- Phishing: security patch from www.microsoft.com.128.252.160.33/download
- DNS zone transfer ⇒ Ask DNS for all domain names and addresses ⇒ Allows attackers to footprint
  [Figure: X, Compromised DNS, Hacker. X: "What's IP address for v.com?" Compromised DNS: "IP address for v.com is H."]

3-18  E-Mail Spoofing
- From address is spoofed.
- Malware attachment comes from a friendly address.
- From: [email protected]

3-19  Web Spoofing
- The web site looks like another
- Southwest Airline, http://airlines.ws/southwest-airline.htm
- For every .gov site there is a .com, .net giving similar information: nsf.com, tsa.com, whitehouse.com
- For misspellings of popular businesses, there are web sites: microshoft.com

3-20  Summary
1. TCP port numbers, Sequence numbers, ack, flags
2. IP addresses are easy to spoof. ARP and DNS are not secure.
3. Flags: Syn Flood, Fin
4. Ping of Death, Smurf, Connection Hijacking
5. UDP Flood Attack
6. Application addresses are not secure

3-22  Lab Homework 3
- This lab consists of using the following tools:
  - XP Keylogger, http://www.bestvistadownloads.com/download/t-free-xp-keylogger-download-zhtdqdgn.html
  - SMBdie: A tool to crash windows server described at http://www.windowsecurity.com/articles/SMBDie_Crashing_Windows_Servers_with_Ease.html download from
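As an added example (not code from the slides or from the course), the following Python decodes the header laid out on the TCP Segment Format slide, labels the flag combinations the TCP Flags slide calls invalid, and counts half-open connections per server so that the Syn Flood pattern shows up as a backlog of Syns that never received their completing Ack. The function names (build_tcp_header, parse_tcp_header, invalid_flag_combination, half_open_connections, syn_flood_suspects) and the addresses and sequence numbers in demo() are constructed for illustration; the sequence numbers follow the slide's ISN+1 rule rather than the figure's 33/44 labels.

```python
"""Added example (not from the CSE571S slides): decode the TCP header from
the TCP Segment Format slide, flag the invalid combinations of the TCP Flags
slide, and count half-open connections per server to recognise the backlog a
Syn Flood leaves behind. Every segment is constructed with build_tcp_header();
nothing here reads or sends network traffic."""
import struct
from collections import defaultdict

# Flag bits of the 14th header byte (FIN is the low bit).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = ((URG, "Urg"), (ACK, "Ack"), (PSH, "Push"),
              (RST, "Reset"), (SYN, "Syn"), (FIN, "Fin"))
TCP_FMT = "!HHIIBBHHH"  # ports, seq, ack, offset/res, flags, window, csum, urg


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Construct a minimal 20-byte header (no options, checksum left as 0)."""
    data_offset = 5 << 4  # five 32-bit words, reserved bits zero
    return struct.pack(TCP_FMT, sport, dport, seq, ack, data_offset, flags,
                       window, 0, 0)


def parse_tcp_header(raw):
    """Return the header fields as a dict; ValueError on a short or
    inconsistent header rather than reading past the buffer."""
    if len(raw) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    (sport, dport, seq, ack, off_res, flags,
     window, csum, urg) = struct.unpack(TCP_FMT, raw[:20])
    header_len = (off_res >> 4) * 4
    if header_len < 20 or header_len > len(raw):
        raise ValueError("data offset inconsistent with segment length")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flags, "window": window,
            "checksum": csum, "urgent_ptr": urg,
            "flag_names": [name for bit, name in FLAG_NAMES if flags & bit],
            "options": raw[20:header_len]}


def invalid_flag_combination(flags):
    """Reason string for combinations no conforming stack emits, else None."""
    if flags == 0:
        return "null: no flags set"
    if flags & SYN and flags & FIN:
        return "SYN and FIN together"
    if flags & SYN and flags & RST:
        return "SYN and RST together"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & ACK:
        return "xmas: FIN+PSH+URG without ACK"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK"
    return None


def half_open_connections(segments):
    """segments: (src_ip, dst_ip, raw_tcp_header) tuples in arrival order.
    A bare Syn opens a pending entry at the destination; the client's
    completing Ack (third handshake message) closes it. Returns, per
    server IP, the set of connections still waiting for that Ack."""
    pending = defaultdict(set)
    for src, dst, raw in segments:
        h = parse_tcp_header(raw)
        key = (src, h["sport"], h["dport"])
        if h["flags"] & SYN and not h["flags"] & ACK:
            pending[dst].add(key)
        elif h["flags"] & ACK and not h["flags"] & SYN:
            pending[dst].discard(key)
    return pending


def syn_flood_suspects(segments, threshold=100):
    """Servers whose half-open backlog reached threshold, with the count."""
    return {srv: len(conns)
            for srv, conns in half_open_connections(segments).items()
            if len(conns) >= threshold}


def demo():
    # Constructed traffic: one completed handshake from 10.0.0.9 to server
    # 10.0.0.5, then 150 Syns with forged 192.0.2.x sources never completed.
    traffic = [
        ("10.0.0.9", "10.0.0.5", build_tcp_header(40000, 80, 10, 0, SYN)),
        ("10.0.0.5", "10.0.0.9", build_tcp_header(80, 40000, 22, 11, SYN | ACK)),
        ("10.0.0.9", "10.0.0.5", build_tcp_header(40000, 80, 11, 23, ACK)),
    ]
    for i in range(150):
        traffic.append((f"192.0.2.{i + 1}", "10.0.0.5",
                        build_tcp_header(1024 + i, 80, 1000 + i, 0, SYN)))
    return syn_flood_suspects(traffic)


if __name__ == "__main__":
    print(demo())  # {'10.0.0.5': 150}
```

A real monitor would feed parse_tcp_header from captured segments and also expire pending entries on Reset, Fin, or timeout, since the connection establishment timer mentioned on the Connection Setup slide is what eventually releases the backlog; the threshold has to be tuned to the server's normal Syn rate, and the flag check is only a first filter, because a crash on a bad combination is a stack bug that patching fixes.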
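As a second added example for the ARP Spoofing slide (again not code from the slides or the course), this Python ArpMonitor class implements the passive side of the slide's countermeasure: it pins selected addresses in a static ARP table, learns the first MAC seen answering for every other IP, and alerts when a later reply disagrees with either, or when one MAC keeps answering requests nobody made (the flood the slide mentions). The class, its method names, the MAC and IP addresses, and the events replayed in demo() are all constructed.

```python
"""Added example (not from the CSE571S slides): a passive ARP monitor for the
ARP Spoofing slide. It learns which MAC answers for each IP, alerts when a
different MAC later claims the same IP, checks replies against a static ARP
table (the slide's countermeasure), and counts replies that answer no
outstanding request. Addresses and events are constructed; a deployment
would feed it decoded ARP frames instead."""


class ArpMonitor:
    def __init__(self, static_table=None, unsolicited_limit=5):
        # ip -> pinned MAC (static ARP entries), compared case-insensitively
        self.static = {ip: mac.lower()
                       for ip, mac in (static_table or {}).items()}
        self.learned = {}       # ip -> first MAC seen answering for it
        self.pending = set()    # target IPs requested and not yet answered
        self.unsolicited = {}   # sender MAC -> replies nobody asked for
        self.limit = unsolicited_limit
        self.alerts = []

    def observe(self, kind, sender_ip, sender_mac, target_ip=None):
        """Feed one ARP frame. kind is 'request' (sender asks who has
        target_ip) or 'reply' (sender_ip is at sender_mac). Returns the
        list of alerts this frame raised (often empty)."""
        mac = sender_mac.lower()
        if kind == "request":
            self.pending.add(target_ip)
            return []
        if kind != "reply":
            raise ValueError(f"unknown ARP kind {kind!r}")
        found = []
        if sender_ip in self.static and self.static[sender_ip] != mac:
            found.append(f"{sender_ip}: reply from {mac} contradicts static "
                         f"entry {self.static[sender_ip]}")
        elif sender_ip in self.learned and self.learned[sender_ip] != mac:
            found.append(f"{sender_ip}: was {self.learned[sender_ip]}, "
                         f"now claimed by {mac}")
        else:
            self.learned.setdefault(sender_ip, mac)
        if sender_ip in self.pending:
            self.pending.discard(sender_ip)  # answers an outstanding request
        else:
            self.unsolicited[mac] = self.unsolicited.get(mac, 0) + 1
            if self.unsolicited[mac] == self.limit:
                found.append(f"{mac}: {self.limit} unsolicited ARP replies "
                             "(possible flood)")
        self.alerts.extend(found)
        return found


STATIC_ARP = {"10.0.0.1": "00:11:22:33:44:01"}  # constructed: pinned gateway


def demo():
    """Replay the slide's scenario: X asks for V, V answers, then H answers
    pretending to be V, claims the gateway, and floods unsolicited replies."""
    mon = ArpMonitor(STATIC_ARP)
    x, v, h = "00:11:22:33:44:07", "00:11:22:33:44:05", "00:11:22:33:44:aa"
    events = [
        ("request", "10.0.0.7", x, "10.0.0.5"),  # X: does anyone know V?
        ("reply", "10.0.0.5", v, "10.0.0.7"),    # V: V is at v (learned)
        ("request", "10.0.0.7", x, "10.0.0.5"),  # X asks again
        ("reply", "10.0.0.5", h, "10.0.0.7"),    # H: V's address is H (conflict)
        ("reply", "10.0.0.1", h, "10.0.0.7"),    # H claims the gateway (static mismatch)
    ]
    # H goes on to answer for addresses nobody asked about.
    events += [("reply", f"10.0.0.{20 + i}", h, "10.0.0.7") for i in range(4)]
    for kind, sip, smac, tip in events:
        mon.observe(kind, sip, smac, tip)
    return mon.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Gratuitous ARP and router failover (VRRP-style virtual MACs moving between hosts) legitimately produce unsolicited or changing replies, so in practice both the unsolicited_limit and the learned table need allow-listing; the static table check is the reliable one, which is why the slide recommends static ARP for the hosts that matter.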

