
Deakin University CRICOS Provider Code: 00113B

SIT182 – Real World Practices For Cyber Security

Trimester 2 – 2021
Deakin College

Week 4 – Part 2


Topics

• Network Security Threats
(ARP Poisoning, Sniff, Spoof, DNS Poisoning, Denial of Service)


Network Security Threat Model (Dolev-Yao Model)

• End nodes are trusted, the network is unreliable.
• End nodes send messages to the network and receive messages from the network.
• Network will deliver some messages but it can read, delete, modify and replay them.


Media Access Control (MAC)

48 bits = 6 bytes
Example: 0A:BC:00:00:00:1F

In theory, MAC should be fixed in hardware and never repeat.

In reality:

• Can be changed in some hardware,
• Can be simulated in software,
• Can repeat by accident, manufacturer does not care, ….


Address Resolution Protocol (ARP)

• Translate IP (logical) addresses to MAC (physical) addresses.
• Each host OS has a table of IP to MAC addresses.

• Alice and Bob are two computers on a LAN
• Alice wants to send a packet to Bob, but Alice only knows Bob’s IP address
• Alice broadcasts an ARP request with Bob’s IP address
• All machines on the local network receive the broadcast
• Bob replies with its physical address (MAC)
• Alice adds Bob’s MAC address to its table
• Alice delivers packets directly to Bob


ARP Poisoning/ARP Spoofing

• By sending forged ARP replies, a target system can be convinced to send frames destined for one computer to another.

Example:

ARP Request:
Sender = 01:02:03:01:02:03
Content = “ARP who is” IP 192.168.1.3?

ARP Reply: it’s me!
• Not authenticated!
• Me = MAC Address 01:02:03:01:02:04

From now on, all messages intended for 192.168.1.3 will be sent to
01:02:03:01:02:04, which can be the attacker.


ARP Poisoning/ARP Spoofing – Defences

• Defences:

• Static ARP table – does not change ☺
• Access control based on IP, MAC, and Port.
• Redirect user to a registration page before allowing usage of the network.

• It is also possible to detect ARP poisoning through mechanisms such as arpwatch (a software tool for
monitoring ARP traffic), Reverse ARP (retrieves the logical address for a computer from the
server), Bootstrap Protocol (BOOTP) and Dynamic Host Configuration Protocol (DHCP), …
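As an added example (not from the slides), an arpwatch-style check in Python: it reads constructed ARP-reply log lines (the line format is an assumption), raises an alert whenever the MAC announced for an IP changes, and also compares announcements against a static ARP table like the first defence above.

```python
import re

# Constructed sample of ARP replies as a LAN monitor might log them
# (line format is assumed: "<time> reply <ip> is-at <mac>"). Not real traffic.
ARP_LOG = """\
10:00:01 reply 192.168.1.3 is-at 01:02:03:01:02:03
10:00:05 reply 192.168.1.7 is-at 0A:BC:00:00:00:1F
10:00:09 reply 192.168.1.3 is-at 01:02:03:01:02:04
10:00:12 reply 192.168.1.3 is-at 01:02:03:01:02:04
"""

# Constructed static table of the MACs the hosts are known to have.
STATIC_ARP = {"192.168.1.3": "01:02:03:01:02:03",
              "192.168.1.7": "0a:bc:00:00:00:1f"}

LINE_RE = re.compile(
    r"^(\S+) reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})$",
    re.I)

def parse_arp_log(text):
    """Yield (time, ip, mac) for each well-formed reply line; MACs normalised to lower case."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()

def find_flip_flops(text):
    """arpwatch-style: alert whenever an IP is announced with a different MAC than before."""
    believed = {}  # ip -> MAC most recently announced for it
    alerts = []
    for ts, ip, mac in parse_arp_log(text):
        old = believed.get(ip)
        if old is not None and old != mac:
            alerts.append({"time": ts, "ip": ip, "old_mac": old, "new_mac": mac})
        believed[ip] = mac
    return alerts

def check_static_table(text, static=STATIC_ARP):
    """Static-table defence: return replies whose MAC disagrees with the known-good mapping."""
    return [(ts, ip, mac) for ts, ip, mac in parse_arp_log(text)
            if ip in static and static[ip].lower() != mac]
```

Every flip-flop in a real capture is either a legitimate NIC change (a new machine took over an address via DHCP) or a poisoning attempt, so the alert is a starting point for investigation, not proof by itself.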


Sniffing Attack

Sniffing = eavesdropping = spying = unauthorized listening

Sniffers:

• Packets are often broadcast on local links ➔ all local nodes can listen.
• Sniffers listen to packets on the network and pick out interesting details, e.g. passwords.
• Hackers install sniffer software on compromised hosts. Tools are available for download.
• Wireless Ethernet most vulnerable; sniffing on switched LANs and core networks is more difficult.

E.g., FTP, TELNET, HTTP Passwords are sent in clear.
Remember Task 1.4P on OnTrack? ☺


Sniffing – at Switch level

• It is possible for an attacker to sniff traffic at router/switch level too.

• There are tools available such as “dsniff”.

• A smarter way of attacking a switch is to exploit its memory limitations directly and make
the switch act as a hub.
• Hub: unlike a switch, forwards ALL traffic to ALL connected ports – so, easy sniff ☺

• Remember Week 2 – Part 1?


Sniffing Defence

How do you think you can defend against sniffing attacks?
Hint: Week 1 – Part 1, the father of modern computing, and why he created the Enigma machine.


Spoofing

• Spoofing = sending unauthentic messages = using false sender address or identifier

• In the Internet, it is easy to send messages that appear to come from someone else.
A modified version of the application or protocol stack is easy to write.

Examples:
Email spoofing: false FROM field ☺
IP spoofing: false SOURCE IP ADDRESS


Email Spoofing

• In the past, Simple Mail Transfer Protocol (SMTP) did nothing to authenticate the sender
• Some servers still have no authentication in place ☺!!

An October 2013 email to a news agency was spoofed to look like it was from the Swedish
company Fingerprint Cards, saying that Samsung had offered to purchase the company.
The news spread and the stock price surged by 50%.

https://en.wikipedia.org/wiki/Fingerprint_Cards
https://en.wikipedia.org/wiki/Samsung


IP Spoofing

What’s happening in this figure?


IP Spoofing

• Easy ☺
• Attacker sends IP packets with false source address. (Anyone can write a software to do this.)
• The destination node usually believes what it sees in the source address field.

✓ Spoofing single packets is easy:

• Attacker sends a packet with source address A and destination B. B believes that the packet came from A.
• Attacker may be anywhere on the Internet.

❖ Spoofing a connection is more difficult:
• Attacker must sniff replies from B in order to continue the conversation.
• Attacker must be on the route between A and B, or control a router on that path.


IP Spoofing – Defence

• Monitoring networks for unusual activity,
• Deploying packet filtering to detect inconsistencies (like outgoing packets with source IP addresses that don’t
match those on the organization’s network),
• Authenticating all IP addresses,
• Firewall
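As an added example (not from the slides), the packet-filtering defence above in Python: a border filter that drops outgoing packets whose source address is not in the organisation's own address space, and incoming packets that claim an internal or non-routable source. The prefixes and the packet list are constructed (RFC 5737 documentation ranges), not a real network.

```python
import ipaddress

# Constructed: the organisation's own address blocks (documentation ranges, not a real site).
ORG_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]

# Sources that can never legitimately arrive from the Internet (RFC 1918, loopback, link-local, "this" net).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def is_internal(src):
    """True if src falls inside one of the organisation's own prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ORG_PREFIXES)

def verdict(direction, src):
    """Return 'drop' for a source address that is impossible for this direction, else 'pass'.

    egress : a packet leaving must carry one of our own source addresses; anything else
             is spoofed (or misrouted), and forwarding it would make us a DoS source.
    ingress: a packet from outside cannot claim an internal, private, loopback or
             multicast source address.
    """
    addr = ipaddress.ip_address(src)
    if direction == "egress":
        return "pass" if is_internal(src) else "drop"
    if direction == "ingress":
        bogus = (is_internal(src) or addr.is_multicast
                 or any(addr in net for net in BOGON_PREFIXES))
        return "drop" if bogus else "pass"
    raise ValueError("direction must be 'egress' or 'ingress'")

# Constructed sample of packets seen at the border, as (direction, source, destination).
SAMPLE_PACKETS = [
    ("egress", "203.0.113.10", "192.0.2.5"),       # legitimate outbound
    ("egress", "192.0.2.99", "192.0.2.5"),         # spoofed: not our address space
    ("ingress", "192.0.2.5", "203.0.113.10"),      # legitimate inbound
    ("ingress", "203.0.113.77", "203.0.113.10"),   # spoofed: claims to be internal
    ("ingress", "10.0.0.8", "203.0.113.10"),       # spoofed: private source from outside
]

def filter_packets(packets):
    """Return the (direction, src, dst) tuples that the border filter should drop."""
    return [p for p in packets if verdict(p[0], p[1]) == "drop"]
```

Egress filtering protects other people's networks from spoofed floods launched from yours (the idea behind BCP 38); ingress filtering stops single spoofed packets that pretend to be a trusted internal host.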


Domain Name Server (DNS)

Provides a hierarchical name-space:

– Example: www.cs.ucl.ac.uk ↔ 128.16.10.31
– Top-level domains (TLDs): e.g. .uk (.com, .edu, …)
– Delegate name-to-IP mappings to lower-level domains:
• e.g. .ac.uk or .ucl.ac.uk or .cs.ucl.ac.uk


DNS Poisoning Attack – Race Condition

• Attacker observes a UDP DNS query sent to a well-known server on a well-known port
• The first response to arrive wins ..
• The second response is silently dropped ☺!!


DNS Hijacking (or, Redirection)

• Route packets to the wrong server,
• A number of commercial ISPs use DNS hijacking for their own purposes, such as displaying advertisements…


DNS Attack – Defence

• Secure DNS: DNSSEC = Digitally sign DNS data + use PKI

• From July 2010, DNSSEC was integrated in all Internet root servers

• More recently, DNSCurve – [home reading]: https://dnscurve.org/. ☺


Denial of Service (DoS)

• Goal of denial-of-service (DoS) attacks is to prevent authorized users from accessing a resource, or
to reduce the quality of service that they receive.

• Important threat vector:
• > 30000 DoS attacks / day
• Several Bot-herders control >= 1.5 million hosts
• Trend of attacks shifted from script kiddies to crime

Attack types:

• Destroy or disable the resource
• Exhaust the resource


Denial of Service (DoS) – Destruction or Disabling

Examples:

• Formatting the hard disk
• Crashing a server

• These attacks usually exploit a bug in a system implementation.

• Hence, they can be prevented by proper design and implementation.


Denial of Service (DoS) – Resource exhaustion attacks

Examples:

• Flooding a web server with requests
• Flooding a communications link with packets

It is difficult to tell the difference between overload
(e.g. slashdotting) and an attack.

March 2020 – COVID-19 related …

Resource exhaustion attacks can never be completely
prevented. Internet servers and communication links are sized
for typical peak demand, not for maximum theoretical demand.


Ping command

Ping: a command-line utility used to test the reachability of a host on an Internet Protocol (IP)
network. It is available for virtually all operating systems that have networking capability …

The ping command sends a request over the network to a specific device. A successful ping
results in a response from the computer that was pinged back to the originating computer. (it’s
just like HELLO, ARE YOU THERE? And YES, HERE I AM ☺)


Question

How could you use PING to execute a DoS attack?


Ping of death

Large ICMP packets:

• ping -l 65527 (Windows)
• ping -s 65527 (Unix)

• Systems used to crash when they received packets so big

• Bug fixed since 1998 ☺ …


Distributed Denial of Service (DDoS)

• Attacker controls thousands of “zombies”, i.e. computers where a hacker, Trojan or virus has
installed a backdoor.
• The zombies launch a coordinated packet-flooding attack on a high-value target.
• Spoofed source addresses prevent tracing of zombies.

https://www.youtube.com/watch?v=NogCN78XN2w [Watch at Home]


Acknowledgement

Acknowledging the kind support and contribution of:
Dr Arash Shaghaghi (Deakin University, Australia), Prof. Chang-Tsun Li (Deakin University, Australia), Prof. Sanjay
Jha (The University of New South Wales, Australia), Dr. Nicolas Courtois (University College London, UK), Dr George
Danezis (University College London, UK), and Dr Michael March (University of Maryland, USA).