isys20261 lecture 06
TRANSCRIPT
Computer Security Management (ISYS20261) Lecture 6 - Network-based Attacks (1)
Module Leader: Dr Xiaoqi Ma
School of Science and Technology
Computer Security ManagementPage 2
Last week …
• Host-based attacks:
– Malicious Code
– Malicious Software
• Malicious Code
– Backdoors
– Computer Viruses
• Malicious Software (Malware)
– Computer Worms
– Trojan Horses (Trojans)
– Rootkits
– Spyware
Today ...
• Computer networking
• Network-based attacks
Computer networking
• Need for communication between computer systems or devices
• Systems are connected via physical networks and talk to each other using standard protocols
• Internet protocols (IP, TCP, routing protocols, etc.) are specified by the Internet Engineering Task Force (IETF)
• Published in Requests for Comments (RFCs)
• ISO standard for worldwide communication: the Open Systems Interconnection (OSI) reference model
The OSI Reference Model (1)
• Abstract description for layered communications and computer network protocol design
• It divides the network architecture into seven layers
– Application
– Presentation
– Session
– Transport
– Network
– Data Link
– Physical
• Layer: a collection of conceptually similar functions that provides services to the layer above it and receives services from the layer below it
The OSI Reference Model (2)
• Application Layer
– interacts with software applications that implement a communicating component
– Examples: File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), etc.
• Presentation Layer
– establishes a context between Application Layer entities (data representation, e.g. encoding and encryption)
• Session Layer
– controls the dialogues/connections (sessions) between computers
– establishes, manages and terminates the connections between the local and remote application
• Transport Layer
– provides transparent transfer of data between end systems
– provides reliable data transfer services to the upper layers
The OSI Reference Model (3)
• Network Layer
– provides the functional and procedural means of transferring variable-length data sequences from a source to a destination via one or more networks
– maintains the quality of service requested by the Transport Layer
• Data Link Layer
– provides the functional and procedural means to transfer data between adjacent network entities
– detects and possibly corrects errors that may occur in the Physical Layer
• Physical Layer
– defines the electrical and physical specifications for devices
– includes the layout of pins, voltages, cable specifications, hubs, repeaters, network adapters, host bus adapters, etc.
The OSI Reference Model (4)
Layer          No.  Data unit  Function
Application    7    Data       Network process to application
Presentation   6    Data       Data representation and encryption
Session        5    Data       Inter-host communication
Transport      4    Segment    End-to-end connections and reliability
Network        3    Packet     Path determination and logical addressing
Data link      2    Frame      Physical addressing (MAC & LLC)
Physical       1    Bit        Media, signal and binary transmission
OSI Reference Model vs. TCP/IP
Layer  OSI Reference Model  TCP/IP
7      Application          Application (covers OSI layers 5-7)
6      Presentation         Application
5      Session              Application
4      Transport            Transport
3      Network              Internet
2      Data link            Network access (covers OSI layers 1-2)
1      Physical             Network access
Network devices (1)
• Network Interface Card (NIC)
– computer hardware designed to allow computers to communicate over a computer network
– provides physical access to a networking medium and often provides a low-level addressing system through the use of Media Access Control (MAC) addresses
• Repeater
– electronic device that receives a signal and retransmits it at a higher power level so that the signal can cover longer distances without degradation
– Example: in most twisted pair Ethernet configurations, repeaters are required for cable runs longer than 100 metres
Network devices (2)
• Hub
– contains multiple ports
– when a packet (frame) arrives at one port, it is copied to all the other ports of the hub for transmission, so every attached node sees every frame
• Example:
[Figure: a hub connecting three workstations to the network]
Network devices (3)
• Router
– networking device that forwards data packets between networks, using packet headers and forwarding tables to determine the best path on which to forward them
– works at the Internet layer of the TCP/IP model, i.e. layer 3 (Network) of the OSI model
– embedded computer system running a dedicated OS, e.g. IOS (Cisco) or JUNOS (Juniper Networks)
• Example:
[Figure: two LANs, each behind a router, connected via the Internet]
Network devices (4)
• Switch
– hardware that allows traffic to be sent only where it is needed
– Ethernet switch: operates at the data link layer and creates a separate collision domain (segment) per switch port; a unicast frame is forwarded only to the port on which the destination MAC address was learned
• Example:
[Figure: a switch connecting Workstations A, B, C and D to the network]
Network-based attacks
• Primary aim:
– forge or steal data
– gain unauthorised access to a system
• Means:
– Sniffing data
– Redirecting data
• Take advantage of OS vulnerabilities and of inherent weaknesses in the Internet, Transport and/or Application layer of TCP/IP
• Usually preceded by a sequence of steps to identify a potential vulnerability that can be exploited:
– Reconnaissance
– Scanning
Reconnaissance phase
• Information gathering step
• The intruder tries to gather as much information about the network and the target computer(s) as possible
• Avoids raising alarms about his/her activities
• Collects data regarding network settings, subnet IDs, router configurations, host names, DNS server information, security level settings, etc.
• Application servers are often targets of attacks
– Web servers
– DNS servers
– SMTP mail servers
– Etc.
Scanning phase
• Network scanning
– Sending probing packets to the identified network-specific devices to gain information about their configuration settings
– Example: get IP addresses from the DNS server, etc.
• Host scanning
– Connect to the target host
– Probe the target machine to check whether any known vulnerabilities specific to its OS are present
– Example: using port scanning to identify the services running on the host system
Attacks (1)
• Sniffing
• IP address spoofing
• Man-in-the-middle attack
• Denial-of-service attack (DoS)
– SYN flooding
– Smurf attack
– Distributed Denial of Service attack (DDoS)
Attacks (2)
• OS-based attacks
– Stack smashing
– Buffer overflows
– Password attacks
• Web application attacks
– Phishing
– Pharming
– Session Hijacking
– Cross-site scripting (XSS)
Sniffing (1)
• Computer software or hardware (a sniffer) intercepts and logs traffic passing over a digital network (eavesdropping)
• Works at the network access layer of TCP/IP (the data link layer of the OSI model): it captures whole frames, so every higher-layer header and the payload are visible to it
• As data streams flow across the network, the sniffer captures each packet and decodes and analyses its content according to the appropriate specifications, e.g. the RFC for each protocol
• Not only done by criminals: used legitimately by network administrators, e.g. for fault detection
• In the UK: it is legal to monitor network traffic only if you have official permission from the dedicated network administrator
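Added example (not from the lecture): what "decodes and analyses its content according to the appropriate specifications" means in practice. The code walks one captured frame layer by layer, exactly as tcpdump or Wireshark does: Ethernet II header (data link), then the IPv4 header per RFC 791 (including verifying its checksum), then the TCP header per RFC 793, and finally the application payload. The frame itself is constructed inline (MAC and IP addresses, ports and the FTP login are made-up sample data) so the example runs offline; the TCP checksum is left as zero in that constructed frame and is not checked. The last function shows why this matters for security: a cleartext FTP login is readable to anyone who can capture the frame.

```python
import socket
import struct

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                sport: int, dport: int, payload: bytes) -> bytes:
    """Construct an Ethernet II / IPv4 / TCP frame to feed the decoder (sample input only)."""
    # TCP header (RFC 793): 5 x 32-bit words, flags PSH|ACK. TCP checksum left 0 in this sample.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4 header (RFC 791): version 4, IHL 5, DF flag set, TTL 64, protocol 6 (TCP), checksum 0.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the header checksum
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", 0x0800))                            # EtherType 0x0800 = IPv4
    return eth + ip + tcp + payload


def decode_frame(frame: bytes) -> dict:
    """Decode one captured frame the way a sniffer does: L2 -> L3 -> L4 -> payload."""
    if len(frame) < 34:
        raise ValueError("truncated frame")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ver_ihl = frame[14]
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes (options included)
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        raise ValueError("bad IPv4 header")
    ip_hdr = frame[14:14 + ihl]
    if ip_checksum(ip_hdr) != 0:                    # a valid header sums to zero with its checksum
        raise ValueError("bad IPv4 header checksum")
    (_, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != 6:
        raise ValueError("not TCP: IP protocol %d" % proto)
    tcp_start = 14 + ihl
    (sport, dport, seq, ack, off_res, flags, _, _, _) = struct.unpack(
        "!HHIIBBHHH", frame[tcp_start:tcp_start + 20])
    data_off = (off_res >> 4) * 4                   # TCP header length in bytes
    payload = frame[tcp_start + data_off:14 + total_len]
    return {
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip), "ttl": ttl,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in sorted(TCP_FLAG_NAMES.items()) if flags & bit],
        "payload": payload,
    }


def extract_ftp_credentials(payload: bytes) -> dict:
    """Pull USER/PASS out of a cleartext FTP command stream: the classic sniffing payoff."""
    creds = {}
    for line in payload.decode("ascii", "replace").splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd.upper() in ("USER", "PASS"):
            creds[cmd.upper()] = arg.strip()
    return creds


# Constructed sample capture: a workstation logging in to an FTP server (port 21) in cleartext.
SAMPLE_FRAME = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                           "192.0.2.10", "192.0.2.21", 49152, 21,
                           b"USER alice\r\nPASS hunter2\r\n")

if __name__ == "__main__":
    info = decode_frame(SAMPLE_FRAME)
    print(info)
    print(extract_ftp_credentials(info["payload"]))
```

The decoder refuses frames whose IPv4 header checksum does not verify; a real capture tool reports such frames rather than dropping them, but the check illustrates that each layer's header carries enough information to validate itself and to locate the next one (IHL for the IP header, the data offset for TCP).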
Sniffing (2)
• The sniffer needs to be placed inside the network, on the segment the traffic of interest crosses
• When nodes are connected to a hub: easy to monitor traffic, because the hub repeats every frame out of every port
• When nodes are connected to switch ports rather than a hub, the sniffer will normally be unable to read the other nodes' data: the switch forwards a unicast frame only to the port on which it has learned the destination MAC address, so a passive sniffer sees only its own traffic plus broadcast, multicast and not-yet-learned (flooded) unicast frames, unless traffic is redirected to it (cf. man-in-the-middle attacks)
• Exception: when a network switch with a so-called monitoring port (SPAN or mirror port) is in use, it is easy to monitor all data packets in the LAN
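Added example (not from the lecture): a simulation of the forwarding behaviour of a hub and of a learning switch, to make the hub/switch difference above concrete. The MAC addresses, port numbers and the four-frame traffic sample are constructed; the forwarding rules are the real ones: a hub repeats every frame out of every other port, while a switch learns the source MAC of each frame on its ingress port, floods only broadcast and unknown-unicast frames, and copies everything to a monitor port if one is configured.

```python
from typing import Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A, MAC_B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed sample addresses


class Hub:
    """Repeats every frame out of every port except the one it arrived on."""

    def __init__(self, ports: Set[int]):
        self.ports = set(ports)

    def forward(self, in_port: int, src: str, dst: str) -> Set[int]:
        return self.ports - {in_port}


class LearningSwitch:
    """Learns MAC -> port from frame sources and forwards known unicast to one port only.
    Broadcast and not-yet-learned destinations are flooded; a monitor (SPAN/mirror)
    port, if configured, receives a copy of every frame."""

    def __init__(self, ports: Set[int], monitor_port: int = None):
        self.ports = set(ports)
        self.mac_table: Dict[str, int] = {}
        self.monitor_port = monitor_port

    def forward(self, in_port: int, src: str, dst: str) -> Set[int]:
        self.mac_table[src] = in_port                 # learn: this MAC lives behind in_port
        if dst == BROADCAST or dst not in self.mac_table:
            out = self.ports - {in_port}              # flood: everyone except the sender
        else:
            out = {self.mac_table[dst]}               # known unicast: the owner's port only
        if self.monitor_port is not None:
            out = out | {self.monitor_port}           # mirror a copy for the monitoring port
        return out


# Constructed traffic: (ingress port, source MAC, destination MAC). A is on port 1, B on port 2.
TRAFFIC: List[Tuple[int, str, str]] = [
    (1, MAC_A, MAC_B),      # A -> B before B's MAC is learned: flooded
    (2, MAC_B, MAC_A),      # B -> A: A already learned on port 1
    (1, MAC_A, MAC_B),      # A -> B: B now learned on port 2
    (1, MAC_A, BROADCAST),  # broadcast (e.g. an ARP request): every port
]


def frames_seen_by(device, listen_port: int, traffic) -> List[int]:
    """Indices of the frames that reach listen_port; call with a freshly built device."""
    return [i for i, (port, src, dst) in enumerate(traffic) if listen_port in device.forward(port, src, dst)]


def demo() -> Dict[str, List[int]]:
    """A passive sniffer on port 3 (or on a dedicated monitor port 5) of each device."""
    ports = {1, 2, 3, 4}
    return {
        "hub": frames_seen_by(Hub(ports), 3, TRAFFIC),
        "switch": frames_seen_by(LearningSwitch(ports), 3, TRAFFIC),
        "switch_monitor_port": frames_seen_by(LearningSwitch(ports, monitor_port=5), 5, TRAFFIC),
    }


if __name__ == "__main__":
    for name, seen in demo().items():
        print("%-20s sees frames %s" % (name, seen))
```

On the hub the sniffer sees all four frames; on the switch it sees only the first (flooded before B's address was learned) and the broadcast, which is the "intrinsic nature of switched networks" the slide refers to; on the monitor port it sees everything again.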
Sniffing (3)
• Legitimately used for:
– Analyse network problems
– Detect network intrusion attempts
– Gain information for effecting a network intrusion
– Monitor network usage
– Gather and report network statistics
– Filter suspect content from network traffic
– Debug client/server communications
– Debug network protocol implementations
• Criminal use:
– Spy on other network users and collect sensitive information, e.g. passwords
– Reverse engineer protocols used over the network
Sniffing (4)
• Sniffers are usually software based
• tcpdump – common packet sniffer used on UNIX machines
– runs on the command line
– allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached
• Wireshark
– Free tool
– Available for a wide range of OSs, including Linux, Mac OS, MS Windows, etc.
– Similar to tcpdump but offers a graphical user interface
– More information: www.wireshark.org
• Commercial tools
– E.g. Microsoft Network Monitor, NetScout, etc.
Sniffing (5)
• Hardware network sniffers: network taps
• Network tap
– hardware device for monitoring the network traffic between two points in the network
– has at least three ports: an A port, a B port and a monitor port
– To place the tap between points A and B, the network cable between point A and point B is replaced with a pair of cables, one going to the tap's A port, one going to the tap's B port
– The tap passes through all traffic between A and B, so A and B still think they are connected to each other, but the tap also copies the traffic between A and B to its monitor port, enabling a third party to listen
• Problem: it is expensive to monitor all the data on a 10 Gbit/s network
• Solution: use a filterable tap that selects only the traffic of interest (by protocol, application, VLAN, etc.) and passes it to a 1 Gbit/s monitor port for deep analysis and monitoring
Next week …
… we will continue looking at network-based attacks