Computer Security Management (ISYS20261) Lecture 6 - Network-based Attacks (1) Module Leader: Dr Xiaoqi Ma School of Science and Technology

Posted 19 May 2015

Page 1: Isys20261 lecture 06

Computer Security Management(ISYS20261)Lecture 6 - Network-based Attacks (1)

Module Leader: Dr Xiaoqi Ma

School of Science and Technology

Page 2: Isys20261 lecture 06

Computer Security ManagementPage 2

Last week …

• Host-based attacks:
  – Malicious Code
  – Malicious Software

• Malicious Code
  – Backdoors
  – Computer Viruses

• Malicious Software (Malware)
  – Computer Worms
  – Trojan Horses (Trojans)
  – Rootkits
  – Spyware

Page 3: Isys20261 lecture 06


Today ...

• Computer networking

• Network-based attacks

Page 4: Isys20261 lecture 06


Computer networking

• Need for communication between computer systems or devices

• Systems are connected via physical networks and talk to each other using standard protocols

• Internet protocols (IP, TCP, routing protocols, etc.) are specified by the Internet Engineering Task Force (IETF)

• Published in Requests for Comments (RFCs)

• ISO standard for worldwide communication: the Open Systems Interconnection (OSI) reference model (ISO/IEC 7498-1)

Page 5: Isys20261 lecture 06


The OSI Reference Model (1)

• abstract description for layered communications and computer network protocol design

• it divides network architecture into seven layers:
  – Application
  – Presentation
  – Session
  – Transport
  – Network
  – Data Link
  – Physical

• Layer: a collection of conceptually similar functions that provides services to the layer above it and receives services from the layer below it

Page 6: Isys20261 lecture 06


The OSI Reference Model (2)

• Application Layer
  – interacts with the software applications that implement a communicating component
  – Examples: File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), etc.

• Presentation Layer
  – establishes a context between Application Layer entities (data representation, e.g. character encoding, compression, encryption)

• Session Layer
  – controls the dialogues/connections (sessions) between computers
  – establishes, manages and terminates the connections between the local and remote application

• Transport Layer
  – provides transparent transfer of data between end users
  – provides reliable data transfer services to the upper layers where the transport protocol supports it (TCP does; UDP offers no reliability)

Page 7: Isys20261 lecture 06


The OSI Reference Model (3)

• Network Layer
  – provides the functional and procedural means of transferring variable-length data sequences from a source to a destination via one or more networks
  – maintains the quality of service requested by the Transport Layer

• Data Link Layer
  – provides the functional and procedural means to transfer data between network entities
  – detects and possibly corrects errors that may occur in the Physical Layer

• Physical Layer
  – defines the electrical and physical specifications for devices
  – includes the layout of pins, voltages, cable specifications, hubs, repeaters, network adapters, host bus adapters, etc.

Page 8: Isys20261 lecture 06


The OSI Reference Model (4)

Layer          No.  Data Unit  Function
Application    7    Data       Network process to application
Presentation   6    Data       Data representation and encryption
Session        5    Data       Inter-host communication
Transport      4    Segment    End-to-end connections and reliability
Network        3    Packet     Path determination and logical addressing
Data link      2    Frame      Physical addressing (MAC & LLC)
Physical       1    Bit        Media, signal and binary transmission

Page 9: Isys20261 lecture 06


OSI Reference Model vs. TCP/IP

Layer  OSI Reference Model  TCP/IP
7      Application          Application (covers OSI layers 5-7)
6      Presentation         Application (covers OSI layers 5-7)
5      Session              Application (covers OSI layers 5-7)
4      Transport            Transport
3      Network              Internet
2      Data link            Network access (covers OSI layers 1-2)
1      Physical             Network access (covers OSI layers 1-2)

Page 10: Isys20261 lecture 06


Network devices (1)

• Network Interface Card (NIC)
  – computer hardware designed to allow computers to communicate over a computer network
  – provides physical access to the networking medium and usually provides a low-level addressing system through the use of Media Access Control (MAC) addresses

• Repeater
  – electronic device that receives a signal and retransmits it at a higher power level so that the signal can cover longer distances without degradation
  – Example: in most twisted-pair Ethernet configurations, repeaters are required for cable runs longer than 100 metres

Page 11: Isys20261 lecture 06


Network devices (2)

• Hub
  – contains multiple ports
  – when a frame arrives at one port, it is copied to all the other ports of the hub for transmission
  – all ports share one collision domain, so every attached station sees every frame (which is why sniffing on a hub is easy)

• Example diagram: a hub connecting three workstations to the network

Page 12: Isys20261 lecture 06


Network devices (3)

• Router
  – networking device that forwards data packets between networks, using packet headers and forwarding tables to determine the best path to forward the packets
  – works at the Internet layer of the TCP/IP model, i.e. layer 3 (Network) of the OSI model
  – embedded computer system running a dedicated OS, e.g. IOS (Cisco) or JUNOS (Juniper Networks)

• Example diagram: LAN - Router - Internet - Router - LAN

Page 13: Isys20261 lecture 06


Network devices (4)

• Switch
  – hardware that allows traffic to be sent only where it is needed
  – Ethernet switch: operates at the data-link layer and creates a separate collision domain (segment) per switch port; it learns which MAC address is behind which port and forwards each unicast frame only to that port

• Example diagram: a switch connecting workstations A, B, C and D to the network

Page 14: Isys20261 lecture 06


Network-based attacks

• Primary attempt to
  – forge or steal data
  – gain unauthorised access to a system

• Means
  – Sniffing data
  – Redirecting data

• Take advantage of vulnerabilities of the OS and exploit inherent weaknesses of the Internet, Transport and/or Application layer of TCP/IP

• Usually involves a sequence of preceding steps to identify a potential vulnerability that can be exploited:
  – Reconnaissance
  – Scanning

Page 15: Isys20261 lecture 06


Reconnaissance phase

• Information gathering step

• The intruder tries to gather as much information about the network and the target computer(s) as possible

• avoids raising alarms about his/her activities

• collects data regarding network settings, subnet IDs, router configurations, host names, DNS server information, security level settings, etc.

• Application servers are often targets of attacks:
  – web servers
  – DNS servers
  – SMTP mail servers
  – etc.

Page 16: Isys20261 lecture 06


Scanning phase

• Network scanning
  – sending probing packets to the identified network-specific devices to gain information about their configuration settings
  – Example: get IP addresses from the DNS server, etc.

• Host scanning
  – connect to the target host
  – probe the target machine to check if any known vulnerabilities specific to the OS are present
  – Example: using port scanning to identify services running on the host system
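The host-scanning step above, as an added example that is not part of the lecture: a TCP connect() scan written in Python. So that it runs offline, the block starts its own listening socket on 127.0.0.1 as a constructed target (the OS picks the port) and scans a five-port window around it; the window size, the four state labels and the service-name lookup through the local services table are the example's own assumptions, not something the slides specify.

```python
from __future__ import annotations

import socket
from typing import Iterable


def start_local_service() -> tuple[socket.socket, int]:
    """Constructed target for the example: listen on 127.0.0.1 on a free port
    chosen by the OS so the scan has something to find without touching a
    real network (an assumption of this example, not part of the lecture)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def service_name(port: int) -> str:
    """Map a port to its conventional service via the local services table
    (/etc/services on Unix); ports without an entry are reported as unknown."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> dict[int, str]:
    """TCP connect() scan: one full three-way handshake per port.

    open     - the handshake completed, so a service is listening
    closed   - the host answered with RST (connection refused)
    filtered - nothing came back before the timeout (typical of a firewall
               that silently drops probes)
    error    - any other socket error (host unreachable, etc.)

    This is the noisiest scan type: every open port sees a complete
    connection, which the service behind it usually logs.
    """
    results: dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "filtered"
            except OSError:
                results[port] = "error"
    return results


def demo() -> tuple[int, dict[int, str]]:
    """Scan a five-port window around the constructed listener and return
    (listening_port, {port: state}); the neighbouring ports are expected to
    be closed, so the result shows both outcomes side by side."""
    srv, open_port = start_local_service()
    try:
        window = range(open_port - 2, open_port + 3)
        return open_port, tcp_connect_scan("127.0.0.1", window)
    finally:
        srv.close()


if __name__ == "__main__":
    listening, states = demo()
    for port, state in states.items():
        print(f"{port:5d}/tcp  {state:8s}  {service_name(port)}")
```

Against a real target the connect() scan is what a defender's logs and IDS notice first; the reconnaissance slide's point about not raising alarms is why attackers prefer half-open (SYN) scans, which need raw sockets and privileges and are not shown here.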

Page 17: Isys20261 lecture 06


Attacks (1)

• Sniffing

• IP address spoofing

• Man-in-the-middle attack

• Denial-of-service attack (DoS)
  – SYN flooding
  – Smurf attack
  – Distributed Denial of Service attack (DDoS)

Page 18: Isys20261 lecture 06


Attacks (2)

• OS-based attacks
  – Stack smashing
  – Buffer overflows
  – Password attacks

• Web application attacks
  – Phishing
  – Pharming
  – Session hijacking
  – Cross-site scripting (XSS)

Page 19: Isys20261 lecture 06


Sniffing (1)

• computer software or hardware (a sniffer) intercepts and logs traffic passing over a digital network (eavesdropping)

• Works at the network access (data link) layer of TCP/IP: it captures whole frames, so the headers of every layer above are visible as well

• as data streams flow across the network, the sniffer captures each packet and eventually decodes and analyses its content according to the appropriate specifications, e.g. the RFCs

• Not only done by criminals: legitimately used by network administrators, e.g. for fault detection

• In the UK: it is legal to monitor network traffic only if you have official permission from the responsible network administrator
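The decode step described above, and the data units of slides 8 and 9 (frame, packet, segment, data), as an added example that is not part of the lecture: a minimal Ethernet/IPv4/TCP decoder in Python that walks a captured frame layer by layer the way the RFCs specify, verifying the IPv4 header checksum and the length fields before trusting them. The frame it parses is constructed inline by an encapsulation helper from hypothetical addresses and an FTP password command; the TCP checksum is left at zero and not verified, an assumption made to keep the example short.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of
    the 16-bit words. Over a header that already carries a valid checksum the
    result is 0, which is how a receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                sport: int, dport: int, payload: bytes) -> bytes:
    """Encapsulate top-down: data -> TCP segment -> IPv4 packet -> Ethernet frame.
    TCP checksum left as 0 (it needs the pseudo-header; omitted in this example)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                         IPPROTO_TCP, 0, bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip_hdr + tcp + payload


@dataclass
class Decoded:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ip_checksum_ok: bool
    sport: int
    dport: int
    tcp_flags: int
    payload: bytes


def decode_frame(frame: bytes) -> Decoded:
    """Decode bottom-up, validating each header before trusting its length
    fields, so a truncated or malformed capture raises instead of mis-parsing."""
    # Layer 2: Ethernet II frame (RFC 894)
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    # Layer 3: IPv4 packet (RFC 791)
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("bad IPv4 length fields")
    if ip[9] != IPPROTO_TCP:
        raise ValueError(f"unsupported IP protocol {ip[9]}")
    # Layer 4: TCP segment (RFC 793); slicing by total_len drops Ethernet padding
    seg = ip[ihl:total_len]
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(seg):
        raise ValueError("bad TCP data offset")
    return Decoded(_mac(src), _mac(dst), _ip(ip[12:16]), _ip(ip[16:20]),
                   ip_checksum(ip[:ihl]) == 0, sport, dport, off_flags & 0x1FF,
                   seg[data_off:])


def ftp_credential(payload: bytes) -> tuple[str, str] | None:
    """FTP sends USER/PASS in clear text; this is what a sniffer harvests."""
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    verb, _, arg = line.partition(" ")
    return (verb, arg) if verb in ("USER", "PASS") else None


# Constructed sample frame: hypothetical addresses, an FTP login to port 21.
SAMPLE_FRAME = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                           "192.0.2.10", "192.0.2.21", 40001, 21, b"PASS hunter2\r\n")
```

A real capture library (libpcap, which tcpdump and Wireshark use) hands the sniffer exactly such raw frames; everything after that is the same header-by-header walk, with the checks above being what separates a robust decoder from one that a crafted frame can crash or mislead.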

Page 20: Isys20261 lecture 06


Sniffing (2)

• the sniffer needs to be placed inside the network

• When nodes are connected to a hub: easy to monitor traffic, since every frame is repeated to every port

• When nodes are connected to a switch port rather than a hub, the sniffer will not normally see other stations' traffic, because a switch forwards each unicast frame only to the port where the destination MAC address was learned
  – this only holds for a correctly configured switch with a healthy MAC table: broadcast and unknown-destination frames are still flooded to every port, and an attacker can provoke flooding (e.g. by filling the switch's MAC table with bogus source addresses) or redirect traffic through a man-in-the-middle (e.g. ARP spoofing)

• Exception: when a network switch with a so-called monitoring (mirror/SPAN) port is in use, it is easy to monitor all data packets in the LAN from that port
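The hub-versus-switch behaviour of slides 11, 13 and this one, as an added example that is not part of the lecture: a small Python model of a hub and of a learning switch with a bounded MAC table and an optional monitoring port, run through one scenario with a sniffer on port p4. Port names, MAC addresses, the table size of four entries and the oldest-entry eviction policy are the example's own assumptions (real switches differ in how a full table behaves, but the observable effect, flooding of unknown destinations, is the same).

```python
from __future__ import annotations

from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Multi-port repeater: every frame is copied to every other port, so a
    sniffer on any port of the hub sees all traffic."""

    def __init__(self, ports: list[str]) -> None:
        self.ports = list(ports)

    def forward(self, in_port: str, src: str, dst: str) -> list[str]:
        return sorted(p for p in self.ports if p != in_port)


class Switch:
    """Learning switch with a bounded MAC (CAM) table and an optional mirror
    (monitoring/SPAN) port. Simplification: a full table evicts its oldest
    entry; the point is that an unknown destination is always flooded."""

    def __init__(self, ports: list[str], table_size: int = 4,
                 mirror_port: str | None = None) -> None:
        self.ports = list(ports)
        self.table_size = table_size
        self.mirror_port = mirror_port
        self.table = OrderedDict()  # MAC address -> port it was last seen on

    def forward(self, in_port: str, src: str, dst: str) -> list[str]:
        # Learn: the source MAC is reachable via the port the frame arrived on.
        self.table[src] = in_port
        self.table.move_to_end(src)
        while len(self.table) > self.table_size:
            self.table.popitem(last=False)
        # Forward: known unicast goes to exactly one port; unknown unicast and
        # broadcast are flooded to every port except the ingress port.
        if dst != BROADCAST and dst in self.table:
            out = {self.table[dst]}
        else:
            out = set(self.ports)
        if self.mirror_port is not None:
            out.add(self.mirror_port)  # the monitor port receives a copy of everything
        out.discard(in_port)
        return sorted(out)


def scenario() -> dict[str, list[str]]:
    """Hosts A (p1) and B (p2) talk; a sniffer sits on p4. Hypothetical MACs."""
    ports = ["p1", "p2", "p3", "p4"]
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    results: dict[str, list[str]] = {}

    results["hub"] = Hub(ports).forward("p1", a, b)            # p4 sees it

    sw = Switch(ports, table_size=4)
    results["switch_first"] = sw.forward("p1", a, b)           # B unknown: flooded
    results["switch_reply"] = sw.forward("p2", b, a)           # A already learned on p1
    results["switch_steady"] = sw.forward("p1", a, b)          # B learned: p4 sees nothing
    # MAC flooding from the sniffer's port: a burst of bogus source addresses
    # pushes A and B out of the table and the switch falls back to flooding.
    for i in range(10):
        sw.forward("p4", f"02:00:00:00:ff:{i:02x}", b)
    results["switch_after_flood"] = sw.forward("p1", a, b)     # flooded again

    spanned = Switch(ports, mirror_port="span")
    spanned.forward("p1", a, b)
    results["switch_mirror"] = spanned.forward("p2", b, a)     # unicast plus span copy
    return results
```

The defensive reading of the model: port security (limiting learned MACs per port) blunts the flooding attack, and the mirror port is the sanctioned way to give an IDS or administrator the hub-like view the switch otherwise denies.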

Page 21: Isys20261 lecture 06


Sniffing (3)

• Legitimately used for:
  – analysing network problems
  – detecting network intrusion attempts
  – gaining information for effecting a network intrusion (authorised penetration testing)
  – monitoring network usage
  – gathering and reporting network statistics
  – filtering suspect content from network traffic
  – debugging client/server communications
  – debugging network protocol implementations

• Criminal use:
  – spying on other network users and collecting sensitive information, e.g. passwords
  – reverse engineering protocols used over the network

Page 22: Isys20261 lecture 06


Sniffing (4)

• Sniffers are usually software based

• tcpdump
  – common packet sniffer used on UNIX machines
  – runs under the command line
  – allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached

• Wireshark
  – free tool
  – available for a wide range of OSs, including Linux, Mac OS, MS Windows, etc.
  – similar to tcpdump but offers a graphical user interface
  – More information: www.wireshark.org

• Commercial tools
  – e.g. Microsoft Network Monitor, NetScout, etc.

Page 23: Isys20261 lecture 06


Sniffing (5)

• Hardware network sniffers: network taps

• Network tap
  – hardware device for monitoring the network traffic between two points in the network
  – has at least three ports: an A port, a B port and a monitor port
  – to place the tap between points A and B, the network cable between point A and point B is replaced with a pair of cables, one going to the tap's A port, one going to the tap's B port
  – the tap passes through all traffic between A and B, so A and B still think they are connected to each other, but the tap also copies the traffic between A and B to its monitor port, enabling a third party to listen
  – unlike a switch monitoring port, a passive tap is invisible to the devices on the link and cannot be reconfigured from the network

• Problem: expensive to monitor all data in a 10 Gbit network

• Solution: use a filterable tap that selects only the data, applications, VLANs, etc. of interest and passes them to a 1 Gbit port for deep analysis and monitoring

Page 24: Isys20261 lecture 06


Next week …

… we will continue looking at network-based attacks