Subject: Cryptography & Network Security

Topic: Module 5

Difficulty: Medium/High

$\underline{\textbf{TCP Vulnerabilities (layerwise)}}$

1. Application Layer

Protocols used: HTTP, FTP, telnet, SMTP, DHCP

a) HTTP: we communicate to the internet via a web browser, the web browser by default use HTTP as a communication protocol to transfer files that makeup web pages from the web server.

• These transfers are done in plaintext and thus an intruder can easily read the data packets, instead, we use HTTPS (Hypertext transfer protocol secure) which is managed by a security protocol called ‘Security Socket Layer (SSL)’
• SSL provides encryption of data transmitted between web server & web client or browser.
• It uses key encryption to exchange a ‘symmetric key’ between the client & the server to encrypt the HTTP transaction (both request and response)
• data transfer will be unreadable to an attacker using a packet capturing tool.

b) Session hijacking: It happens when the attacker steals an HTTP session after observing and capturing packets using a packet sniffer.

• This will lead to change communication from client to the web server.
• possible when weak authentication between client and web server during the initialization of the session

c) Replay attack:

1. Resends sent data by modifying it.
2. Spoof client’s IP address and redirect machine

d) Cookie poisoning: Saving information, a message from cache

e) Cross-site scripting: hacker inject malicious code into a web browser or application & it is executed at the client side.

f) DHCP: It is used to automatically assign a temporary IP address to client machine after a request, logging into an IP n/w.

• DHCP server is configured with a pool of IP addresses that are leased to a client machine after a request.
• It is misused by an attacker by making this service unavailable.
• DHCP starvation attack: is the consuming of IP address apace allocated by the DHCP server.
• An attacker can send a lot of DHCP request broadcasts using spoofed MAC addresses.
• The DHCP server simply leases out its IP addresses one by one until it simply runs out of IPs to give out.
• When a genuine user wants to access the n/w, the server will not offer any IP address automatically & the user will not be granted access into the n/w. This is DOS attack i.e. Denial of Service.

Remedy: Port security, only specified number of MAC addresses per port.

2. Transport Layer:

Protocols used: TCP (connection-oriented, 3-way handshake), UDP (connectionless) Three-way handshake

How three-way handshake work?

1. The source (client) sends an SYN packet to the destination system (server/host)
2. The destination system replies with an SY packet & acknowledges the source system’s SYN packet by sending an ACK packet.

3. The source system sends an ACK packet to acknowledge the SYN/ACK packet sent by the host. Thus the connection is established between the source system and host.

   • $\underline{\text{TCP seq number prediction}}$: a hacker can predict the sequence number is incremented by a constant amount per second & half that amount each time a connection is inhibited, i.e session hijacking + TCP injection
   • $\underline{\text{TCP blind spoofing}}$: Attacker guess both sequence no. and port no. If guessed correct TCP injection attack.
   • $\underline{\text{SYN flood}}$: (It works by exploiting the 3-way handshake)
   • The idea behind an SYN flooding is to flood the target system with connection requests from spoofed source addresses.

4. Multiple SYN packets are spoofed using source address that does not exist.

5. After receiving the fake ‘SYN’ packets, the server replies with SYN-ACK packet to the source address that is unreachable.

6. This situation creates a lot of half-opened sessions due to the fact that the expected Ack packets are not received by the server to properly initiate a session

This can cause the server to be overloaded or eventually crash.

1. The server will not allow any further connection to be established & genuine/legitimate user connection requests will be dropped thus leading to DOS.

Solution:

• Firewall (act as a proxy between server and client)
• Reduce the duration of time required for a connection to timeout.
• Increase the no. of connection requests that can be accepted by the host at one time.

• Install vendor-specific updates & patches

• $\underline{\text{Port scanning}}$: Port scanning is the art of scanning the target system to obtain a list of open ports that are listening for communications i.e port scanning is carried out to determine a list of open ports on a remote host that have certain services.

  • In port scanning, the attacker connects to various TCP & UDP ports & tries to determine which ports are in listening mode.
• This technique of information gathering is crucial for an attacker because it helps the determine the list of open ports on the target system, the services running on them & any vulnerability that might exist.

e) Connection Hijacking:

• An attacher can allow normal authentication to proceed between the two hosts & then seize contrast of the connection, there are two types to do so

a) During TCP, 3-Way handshake,

b) In Middle of an established connection.

• When two hosts are desynchronized enough, they will ignore packets from each other an attacher can than inject forged packets with the correct sequence no. Attacher might also modify or add commands to the communication.

3) Network Layer:- Protocol used IP

A) IP Spoofing:- (Most advance trick/attack that can be executed on a computer system)

• If Done correctly, it is one of the smoothest & hardest attacks on the internet.
• Very complicated attack.

It is a process that enables the attackers to hide the real identity when communicating with the target system, therefore, the data packets the attackers send will appear to originate at another system.

Eg:- Suppose source IP address is 203.45.98.01 & the address of the target system is 202.14.12.1. when the source sends a msg to the target system detect source IP address when we use spoof IP address.

B) Packet Sniffing:-

• Sniffers could capture, interpret & save packets send across a network for analysis purposes when they were developed as a test for debugging network problems.
• Pocket sniffing is the act of capturing packets of data flowing across a computer network. The software or device used to do this is called a packet sniffer.
• Packet sniffing has a legitimate use to monitor network performance or troubleshoot problems with network communications.

C) RIP Security Attack:-

• Routing Information Protocol is a dynamic routing protocol & an interior gateway protocol i.e. used to propagate routing information on local networks.
• The msgs received are unchecked by the reciever & so an attacker can take advantage of this.
• The Attackers intent can be to implement a route to a parcticular host that us unused.

Solution:-

• Disable $RIPV_1$ & $RIPV_2$ & enable MO5 based authentication.

• Replace RIP with OSPF(Open Shorted Path First) which uses MO5 authentication.

4] Data link layer:- Portocol used: Ethernet, ARP a) ARP Spoofing:-

• data link layer uses the ARP(Adderess Resolution Protocol) to translate the IP adderess to the MAC adderess.

• The client begins by first sending a broadcast ARP message for a given IP address.

• The switch broadcast the ARP message to all ports except for the source port.

• When the intended destination IP address gets the ARP, it replies with it MAC address & all others hosts on the switch will drop.

• Gratitutions ARP is another flavour of the traditional ARP. It is used by hosts "announnie" their IP address to the local Network.

• There is no authentication in the ownership of IP & MAC address so an attacker can spoof an ARP packet to announce an IP & the legit user can be kicked out of the network causing a denial of source.

• Further this attack can allow switched environment to start delivering traffic to the hosts because the CAM(Content addressable memory) table has been altered with IP & MAC bindings.

b) ARP Cache poisioning:-

• ARP keeps its physical to logical bindings in an ARP cachs.

• An Attacker can modify this table & give incorrect mapings this attack is called ARP cache poisioning.

• when a client machine wants to send data , it looks up at the poisioned data & sends the data to the attacker.

• ARP cache poisoning requires that the attacker is in the same subnet as the target machine because ARP does not cross the router boundaries.

5] Physical Layer:-

• This layer consists of the actual connections to & within the network; routers, switches, servers, cabels & wireless media.

• The type of attacker that can be performed at this layer is dependent on the communication media being used; wired or wireless communication environments.

• If an attacker is about to gain access to any of them, then he or she can easily cause a denial of service attack by making the causing the organisation application unavailabe into the network.

• If an attacker gets the knowledge of the ethernet cabling standard (568A or 568B), he can easily tap cable without being detected i.e. (ethernet copper twisted pair cables)

• Wire equivalent privacy is one of the most common wireless authentication standards that is widely used. however it uses a very weak RC4 encryption algorithm and a determined hacker can easily crack it by using dictionary attacker or bruter force.

• Wi-fi protected access overcomes the weakness that WEP has.

• It offers a sophisticated hierarchy that generates new encryption keys each time a mahile device connects to the network,Wireless access points can be spoofed.

• An attacker can set up a rogue acccess point give it the same service set identifier of the genuine network also configure the wireless network authentication password to the same. When users login to this network the attacker has full access to their machines.

• Wireless media is susceptible to radio frequency interference an attacker can join the wifis radio frequency by placing a device that can distart the wave lenght and amplitude of the signals making the network unusable.

Solution:

• To contact these attacks,there is need to control the physical access to the networking devices for eg. the server should be locked and only authorized individuals sholud be allowed inside.
• Backup power should also be available in case there is power outage.
• To avoid data loss,there is need to backup the data at regular intervalsand have a good disaster recovery plan.
• Backups sholud be stored in a remote site in case the sever room has same catastrophe.

$\underline{\textbf{Denial Of Service (DOS)}}$

A denial of service attack is an attack that clogs up so much memory on the target system that it can not serve its users, or it causes the target system to crash, rebout or otherwise deny services to legitimatic users.

Classic DOS Attacks:-

• Ping of Death
• Teardrop attacks
• SYN-flood attacks
• Land attacks
• Smwf attacks
• UDP-flood attacks
• Distributed DOS attacks
• ICMP flood

1] Ping Of Death:-

• The 'Ping' command makes use of the ICMP(Internet Control message protocol) echo request & echo reply messages & us commonly used to determine whw=ether the remote host is alive.

• In a 'ping of Death' attack, ping causes the remote system to hang, reboot or crash. To do so, the attackers make use of ping command in conjunction with the -l argument (used to specify the size of the packet sent) to ping the target system with a data packet by TCP/IP(65,536).

Eg:- c:....>ping -l 65540 hostname

pinging hostname [xx.yy.cc.ss] with 65,540 bytes of data reply from 204.92.242.61 : bytes = 65540 time = 134 ms TTL=61

2] Teardrop Attacks(also known as fragmentation Attack):-

• whenever data is sent over the internet, it is broken into fragments at the source system & reassembled at the destination system.
• Each packet has an offset field in its TCP heads part that specifies the range of data (i.e. specific bytes of data) bing carried by that particular data packet. This, along with the value in the sequence number field, helps the data packets in the correct order.
• In a teardrop attack, the target system connot reassemble the packets & is forced to crash, hang or reboot.

Eg:-

Normal Circumstances

----------------------------------------------------------------------.packets

(Bytes 1-1500)(Bytes 1501-3000)(Bytes 3001-4500)

However in a teardrop attack, the data packets sent to the target computer contain bytes that overlap with each other.

-------------------------------------------------------------------------.Packets

(Bytes 1-1500)(Bytes 1501-3000)(Bytes 1001-3600)

when the target system receives a series of packets as shown above, it cannot reassemble the data & therefore will crash, hang & reboot.

3] SYN-Flood Attacks:- (Covered in Transport layer vulnerabilities)

4] land-Attacks:-

• A land attack we similar to a SYN attack, the only difference bieng that instead of including an invalid IP address, the SYN packets include the IP address of the target system upset.
• As a result , an infinte loop is created within the target system, which ultimately hangs 7 crashes.

Solution:- to install a firewall or filtering utility that filters out outgoing packets as the IP address of the local system.

5] Smurf Attack:-

• It is a kind of bruts force DOS attack in which a huge number of 'ping' requests containing spoofed source IP addresses within that network.

• whent the router gets a 'ping' or echo request message, it sends an echo reply message to the sppoffed IP address, flooding the network with packets, there by loggong the network & preventing legimate users from obtaining network services.

6] UDP-flood Attacks:-

• This attack explicts the target systems charger or echo services to create an infinte loop.

• When a connection is established between two UDP services, each of which produces output. Anyone with network connectivity can launch an attack; no account access is needed.

• For eg:- by connecting a host charger service to the echo service on the same or another machine, all affected machines may be effectively taken out of service because of the excessively high number of packets produced.

• This Attack takes advantage of UDP service that replies to requests.

eg:- UDP port cave an echo port. Another UDP port that replies to queries is the charger port (https://www.cve.org)

• An Attacker can overwhelm the target machine with multiple requests to these ports creating a lot of traffic on the network.

7] Distributed DOS Attacks:-

• In case of DOS attacks discussed above, chances are high that the computer criminal will leave a sufficient taut by which savvy system administrators or government authorities could trace him.

• Distributed DOS(DDOS) attacks are completely Different. These types of attacks enable hackers to remain anonymous while disabling entire networks of large organizations.

• DDOS attacks have proved to be a big security threat.

• Due to the shortcomings associated with regular DOS attacks, many hackers came up with an evolved form of DOS attack known as DDOS attacks.

• In a typical DOS attacks, their is a single attackes who uses his system as a spoofed address & tries to bring the target system down. the number of target computer is normally 1:1 such aratio may not favorable from attackers point of view & there is a high possibility that the attack may fail. this is why distributed DOS attackes are so good.

In DDOS attack, the attacks follows following steps:

1. In DDos attack, instead of directly attacking the target computer, the attacks first identifies a less secure decay network, the attacker chooses this decoy network in such a manner that it is not so secure & has a relatively large number of computers say 100.
2. The attacks then breaks into the less secure delay network & takes control of all its system. After this, the attacker then install distributed DOS attack tools or agents on each system that is part of the decoy network.
3. finally, the attacker uses all 100 computers/systems of the decoy network. The attacker is able to control over 100 systems with a single command line instruction.

Thus, in DDOS attack there are 100 different attackers/systems attacking the single target system. This raises the ratio of number of attackers to the number of target system to 100:1.

As a result, due to the higher number of attackers, DDOS attacks are far more effective & more dangerous than regular DOS attacks.

Tools used for DDOS:-

• TFN(Trial flood Network)
• Trin00
• Stacheldraht(Barbed nure)
• Shaft

8] ICMP flood:- (Internet Control Message protocol)

• ICMP is basic network management protocol of the ICP1IP. it is used to send error & control messages regard the status of a host or router.

• There are two kinds of attacks that can be initiated by exploting ICMP protocol; passive & attacks.

ICMP active attacks:-

• These types of attacks are more than monitoring & analysis of traffic.

• An attacker actually tries to bypass or break into the network & can result in DOS.

• tool used for networking diagnosis is the ICMP ping.

• ping echo packets can be sent to a broadcast address on a target network which can eventually lead to traffic overloaded which can improve normal traffic & can lead to DOS.

ICMP passive attacks:-

• passive attacks involves monitoring of traffic & available hosts on a network.

• It uses ICMP packets to offer information that is being proved for .

• It gives the attackers a true picture of the network to enable proper planning before launching an active attack.

• An attacker null be able to better understand the environment & gather information above the target so as to plan the attack approach. he or she is able to determine the number of hops to reach a specific device, & hosts running on the network.

• ICMP sweep. Ping sweep or IP sweep involves discovering all the host IP addersses which are alive in the entire target network.

Solution:- Deplaying a firewall can ICMP floods.

The firewall can check the rate of ICMP packets destined for a specific destination address. There should be thershold rate & if it is extended, then all such subsequent ICMP packets should be dropped.