EECS 565 Homework 4: Network Security
Name: Audrey Pino

1. Assume an attacker controls a large botnet. He wants to attack a victim web server.

(1) First, he wants to use the TCP SYN flooding attack. Please describe how this attack works.

TCP SYN flooding is a type of DDoS attack where an attacker sends a large quantity of TCP SYN packets (connection requests) to the target server, oftentimes from many different sources, with a technique called spoofing. This type of attack capitalizes on the vulnerability of the three-way handshake. After the attacker floods the target server with connection requests, they skip the next step of the three-way handshake (sending an ACK packet back to the server), leaving the connection half-open. As the server remains waiting for the ACK packet, its resources become exhausted, eventually leaving the server in an unresponsive state and thus denying legitimate users from accessing or using the server.

(2) Suppose the victim web server uses SYN cookies to protect itself. Will the attack still succeed? Why or why not?

If the victim web server uses SYN cookies, the TCP SYN flooding attack will not succeed. As SYN cookies prevent the server from allocating resources for a connection until it receives an ACK packet from the client, they serve as an effective defense mechanism used to mitigate the effects of SYN flooding attacks. Further, when a server receives a SYN request, it generates a SYN-ACK packet that contains a cryptographic hash of the client's IP address and other information, expecting the hash value to be included in the client's response ACK packet. In TCP SYN flooding attacks, the client does not complete the connection process by returning the expected ACK packet; thus the server does not allocate resources, preventing resource exhaustion as well as the TCP SYN flooding attack.

(3) The attacker then wants to use the TCP flooding attack. Will this attack work? Why or why not?

Regardless of the victim web server implementing SYN cookies, the server is still vulnerable to TCP flooding attacks. TCP flooding is a type of DDoS attack where the attacker sends a large quantity of TCP packets to the target server with hopes of overwhelming its resources. Unlike SYN flooding, TCP flooding does not rely on exploiting vulnerabilities in the TCP handshake process, and therefore SYN cookies cannot be used to mitigate this type of attack. In a TCP flooding attack, the target server is flooded with complete TCP connection requests, including the three-way handshake, overwhelming the server's resources with a large number of established connections. TCP flooding attacks are still effective even if the target server has implemented SYN cookies to mitigate the half-open connections of a SYN flooding attack, because TCP flooding attacks aim to overwhelm the target server's resources through established, malicious connections.

2. What is an amplification DDoS attack? Choose one UDP-based amplification attack as an example to explain how it is amplified.

An amplification Distributed Denial of Service (DDoS) attack occurs when an attacker sends relatively small request packets to a vulnerable intermediary network that then returns a much larger response packet to the target victim. The attacker uses a spoofed source address in order to redirect the vulnerable server's large response to the victim's server, amplifying the attacker's traffic. A Smurf attack is a type of UDP-based amplification attack. In a Smurf attack, the attacker spoofs their IP address and sends a large quantity of Internet Control Message Protocol (ICMP) packets to a network broadcast address. As the attacker's IP address is spoofed, the network devices in the broadcast domain respond with ICMP echo replies to the spoofed IP address (the target victim). The attacker is able to send a large number of packets without establishing a connection with the target victim because ICMP packets are transmitted over the Internet Protocol (IP), which is a connectionless protocol. Moreover, the attacker may use IP packet fragmentation to further amplify the attack by breaking up large packets into smaller fragments that are sent to the broadcast address, which are then reassembled by the victim.

3. Link-to-link encryption and end-to-end encryption can be used to protect data transmitted over networks. Which means is used by VPN?

In most cases, a Virtual Private Network (VPN) uses end-to-end encryption to protect data transmitted over networks. This is because end-to-end encryption ensures that data is encrypted at the source and decrypted at the destination, as well as ensuring the encryption keys are only known to the sender and intended recipient. VPNs encrypt the data from the user's device and send it to the VPN server through an encrypted tunnel. The VPN server then decrypts the data and forwards it to the destination, thus administering a secure and private communication channel between the user's device and the destination while also protecting the data from interception and eavesdropping. On the contrary, link-to-link encryption only encrypts data between adjacent network devices and does not provide end-to-end protection, thus making it less secure for transmitting sensitive data over public networks.

4. What security services are provided by TLS? Choose one attack and explain how TLS prevents it.

Transport Layer Security (TLS) provides several security services, such as confidentiality, integrity, and authentication. Confidentiality is ensured through encryption, which scrambles the data so that it cannot be read by unauthorized parties. Integrity is maintained through message authentication codes (MACs), which verify that the data has not been altered in transit. Authentication is provided through digital certificates, which verify the identity of the communicating parties. An example of an attack that is prevented by TLS is the man-in-the-middle (MitM) attack. MitM attacks occur when an attacker intercepts and alters communications between two parties without their knowledge. TLS is able to prevent MitM attacks through the use of digital certificates in order to authenticate the identity of the communicating parties, as well as to establish a secure channel. For example, a user connects to a website over TLS; the website then sends a digital certificate with its public key to the user's browser, which then allows the browser to verify the certificate's authenticity and uses the website's public key to encrypt
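The following Python simulation illustrates the SYN cookie mechanism described in question 1(2): the server encodes a keyed hash of the client's address, ports and initial sequence number into its own initial sequence number instead of storing a half-open entry, and only allocates connection state once an ACK carrying the right value arrives. It is an added example written for this page, not code from the homework or from any operating system's TCP stack; the cookie layout (8-bit time slot plus 24-bit HMAC-SHA256 truncation), the clock-slot aging rule, the `NaiveServer` / `SynCookieServer` classes and the constructed spoofed addresses are all assumptions chosen for clarity.

```python
import hmac
import hashlib
import os

MASK32 = 0xFFFFFFFF


def _mac24(key, src_ip, src_port, dst_port, client_isn, slot):
    """24-bit keyed hash over the connection tuple and the time slot."""
    msg = f"{src_ip}|{src_port}|{dst_port}|{client_isn}|{slot}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(key, src_ip, src_port, dst_port, client_isn, slot):
    """Server ISN used as the SYN cookie: [8-bit slot][24-bit MAC]. Nothing is stored."""
    slot &= 0xFF
    return (slot << 24) | _mac24(key, src_ip, src_port, dst_port, client_isn, slot)


def verify_cookie(key, src_ip, src_port, dst_port, client_isn, ack_num, now_slot, max_age=1):
    """The client's ACK acknowledges server_isn + 1; recompute the MAC and check the slot age."""
    server_isn = (ack_num - 1) & MASK32
    slot = server_isn >> 24
    if (now_slot - slot) & 0xFF > max_age:  # too old (or from the future): reject
        return False
    expected = _mac24(key, src_ip, src_port, dst_port, client_isn, slot)
    got = server_isn & 0xFFFFFF
    return hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big"))


class NaiveServer:
    """Classic backlog: every SYN allocates a half-open entry until the ACK arrives."""

    def __init__(self, port=443):
        self.port, self.pending, self.established = port, {}, set()

    def on_syn(self, src_ip, src_port, client_isn):
        server_isn = int.from_bytes(os.urandom(4), "big")
        self.pending[(src_ip, src_port)] = server_isn  # state allocated here: the SYN-flood cost
        return {"seq": server_isn, "ack": (client_isn + 1) & MASK32}

    def half_open_count(self):
        return len(self.pending)


class SynCookieServer:
    """Stateless handshake: the SYN-ACK carries a cookie, the ACK is verified against it."""

    def __init__(self, port=443):
        self.port, self.key, self.clock, self.established = port, os.urandom(32), 0, set()

    def on_syn(self, src_ip, src_port, client_isn):
        cookie = make_cookie(self.key, src_ip, src_port, self.port, client_isn, self.clock)
        return {"seq": cookie, "ack": (client_isn + 1) & MASK32}  # no table entry written

    def on_ack(self, src_ip, src_port, seq, ack):
        client_isn = (seq - 1) & MASK32  # ACK's seq is client_isn + 1
        ok = verify_cookie(self.key, src_ip, src_port, self.port, client_isn, ack, self.clock)
        if ok:
            self.established.add((src_ip, src_port))
        return ok

    def half_open_count(self):
        return 0  # by construction: half-open state is never stored


def run_demo(flood_size=5000):
    naive, cookie = NaiveServer(), SynCookieServer()
    # Constructed spoofed SYNs: addresses from the documentation range, never ACKed.
    for i in range(flood_size):
        ip, port, isn = f"203.0.113.{i % 250 + 1}", 1024 + i, (i * 7919) & MASK32
        naive.on_syn(ip, port, isn)
        cookie.on_syn(ip, port, isn)
    # A legitimate client completes the handshake against the cookie server.
    ip, port, isn = "192.0.2.7", 50000, 123456
    synack = cookie.on_syn(ip, port, isn)
    legit = cookie.on_ack(ip, port, seq=isn + 1, ack=(synack["seq"] + 1) & MASK32)
    # A forged ACK with a guessed cookie, and a stale one after the clock has moved on.
    forged = cookie.on_ack("192.0.2.8", 50001, seq=1, ack=0xDEADBEEF)
    cookie.clock += 3
    stale = cookie.on_ack(ip, port, seq=isn + 1, ack=(synack["seq"] + 1) & MASK32)
    return {
        "naive_half_open": naive.half_open_count(),
        "cookie_half_open": cookie.half_open_count(),
        "legit_established": legit,
        "forged_ack_accepted": forged,
        "stale_ack_accepted": stale,
    }


if __name__ == "__main__":
    print(run_demo())
```

The comparison makes the homework's point concrete: after the same flood the naive server holds one half-open entry per spoofed SYN, while the cookie server holds none yet still admits the real client whose ACK echoes a valid cookie. Real stacks pack a few more fields into the 32 bits (for example an encoded MSS), which is why SYN cookies are normally enabled only once the backlog overflows.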
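Question 1(3) distinguishes a SYN flood (many half-open connections) from a TCP connection flood (many fully established connections), and notes that SYN cookies help only with the former. The following added example, written for this page and not part of the homework, shows how a defender can tell the two apart from a socket-state listing: it parses lines in the column layout of `ss -tan` (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port), counts SYN-RECV and ESTAB entries per peer address, and applies two thresholds. The sample listing, the peer addresses and the threshold values are constructed assumptions.

```python
import re
from collections import Counter

# Matches the data rows of `ss -tan` output; the header row and LISTEN sockets are skipped.
SS_LINE = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)")


def parse_ss(lines):
    """Return (state, peer_ip) pairs for every non-listening socket in the listing."""
    conns = []
    for line in lines:
        m = SS_LINE.match(line.strip())
        if not m or m.group("state") in ("State", "LISTEN"):
            continue
        peer_ip, _, _port = m.group("peer").rpartition(":")  # rpartition keeps IPv6 intact
        conns.append((m.group("state"), peer_ip))
    return conns


def summarize(conns):
    """Half-open (SYN-RECV) and established (ESTAB) counts, overall and per peer."""
    half_open = Counter(ip for state, ip in conns if state == "SYN-RECV")
    estab = Counter(ip for state, ip in conns if state == "ESTAB")
    return {
        "half_open_total": sum(half_open.values()),
        "half_open_sources": len(half_open),
        "estab_total": sum(estab.values()),
        "estab_top": estab.most_common(3),
    }


def classify(summary, half_open_limit=100, per_source_limit=50):
    """A large SYN-RECV backlog points at a SYN flood (SYN cookies help);
    many ESTAB sockets from one peer point at a connection flood (they do not)."""
    findings = []
    if summary["half_open_total"] > half_open_limit:
        findings.append("syn-flood")
    for ip, n in summary["estab_top"]:
        if n > per_source_limit:
            findings.append(f"connection-flood:{ip}")
    return findings


def build_sample():
    """Constructed listing: 200 single-shot SYN-RECV peers, 3 peers holding 60 ESTAB each,
    and a handful of ordinary clients. Addresses are from documentation ranges."""
    lines = ["State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port",
             "LISTEN  0       4096    0.0.0.0:443          0.0.0.0:*"]
    for i in range(200):
        lines.append(f"SYN-RECV 0 0 10.0.0.5:443 198.51.100.{i % 254 + 1}:{40000 + i}")
    for last in (10, 11, 12):
        for i in range(60):
            lines.append(f"ESTAB 0 0 10.0.0.5:443 203.0.113.{last}:{30000 + i}")
    for i in range(5):
        lines.append(f"ESTAB 0 0 10.0.0.5:443 192.0.2.{i + 1}:{50000 + i}")
    return lines


def analyze(lines):
    summary = summarize(parse_ss(lines))
    return summary, classify(summary)


if __name__ == "__main__":
    s, findings = analyze(build_sample())
    print(s)
    print(findings)
```

On the constructed sample the analysis reports both conditions at once: a backlog of two hundred half-open sockets spread across two hundred sources (the SYN-flood pattern that SYN cookies neutralise) and three peers each holding sixty established sockets (the connection-flood pattern, where the usual mitigations are per-source connection limits and upstream rate limiting rather than anything in the handshake).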
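Question 4 credits TLS's integrity service to message authentication codes. The added example below, written for this page rather than taken from the homework or from any TLS library, shows the essence of that mechanism in the style of the TLS 1.2 record layer: each record is authenticated with an HMAC that also covers a 64-bit sequence number, so a receiver detects both a modified record and a replayed or reordered one. Encryption is deliberately left out to keep the focus on integrity; the `Receiver` class, the record framing and the constructed messages are assumptions for illustration.

```python
import hmac
import hashlib
import struct
import secrets

TAG_LEN = 32  # HMAC-SHA256 output


def mac_record(key, seq, payload):
    """MAC over the 64-bit record sequence number followed by the payload."""
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


def protect(key, seq, payload):
    """Sender side: append the tag to the payload."""
    return payload + mac_record(key, seq, payload)


def verify(key, seq, record):
    """Receiver side: constant-time tag check; return the payload or None on failure."""
    if len(record) < TAG_LEN:
        return None
    payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac_record(key, seq, payload)):
        return None
    return payload


class Receiver:
    """Tracks the next expected sequence number so a replayed record fails its MAC."""

    def __init__(self, key):
        self.key, self.next_seq = key, 0

    def accept(self, record):
        payload = verify(self.key, self.next_seq, record)
        if payload is not None:
            self.next_seq += 1  # advance only on success, as a TLS connection would
        return payload


def run_demo():
    key = secrets.token_bytes(32)  # stands in for the MAC key derived in the handshake
    rx = Receiver(key)
    genuine = protect(key, 0, b"GET /account HTTP/1.1")  # constructed message
    ok = rx.accept(genuine)
    # An on-path attacker flips bytes in the next record without knowing the key.
    second = protect(key, 1, b"transfer amount=10")
    tampered = second[:-TAG_LEN].replace(b"10", b"99") + second[-TAG_LEN:]
    tampered_result = rx.accept(tampered)
    intact_result = rx.accept(second)        # the untouched record still verifies
    replayed_result = rx.accept(genuine)     # the same bytes again now carry a stale seq
    return {
        "genuine": ok,
        "tampered": tampered_result,
        "intact_after_tamper": intact_result,
        "replayed": replayed_result,
        "next_seq": rx.next_seq,
    }


if __name__ == "__main__":
    print(run_demo())
```

The attacker in the MitM scenario can read or rewrite the bytes on the wire, but without the MAC key cannot produce a tag that matches a modified payload, and because the sequence number is authenticated rather than transmitted, a captured record cannot be replayed later either. Modern TLS 1.3 folds the MAC into an AEAD cipher, but the sequence-number binding works the same way.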
KU EECS 563 - Homework 4