Deakin University CRICOS Provider Code: 00113B
SIT182 – Real World Practices For Cyber Security
Trimester 2 – 2021
Deakin College
Week 4 – Part 2
Topics:
• Network Security Threats (ARP Poisoning, Sniffing, Spoofing, DNS Poisoning, Denial of Service)
Network Security Threat Model (Dolev-Yao Model)
• End nodes are trusted, the network is unreliable.
• End nodes send messages to the network and receive messages from the network.
• The network will deliver some messages, but it can also read, delete, modify and replay them.
Media Access Control (MAC)
48 bits = 6 bytes
Example: 0A:BC:00:00:00:1F
In theory, MAC should be fixed in hardware and never repeat.
In reality:
• Can be changed in some hardware,
• Can be simulated in software,
• Can repeat by accident; manufacturers do not always care, ….
Address Resolution Protocol (ARP)
• Translate IP (logical) addresses to MAC (physical) addresses.
• Each host OS has a table of IP to MAC addresses.
• Alice and Bob are two computers on a LAN.
• Alice wants to send a packet to Bob, but Alice only knows Bob’s IP address.
• Alice broadcasts an ARP request with Bob’s IP address.
• All machines on the local network receive the broadcast.
• Bob replies with its physical address (MAC).
• Alice adds Bob’s MAC address to its table.
• Alice delivers packets directly to Bob.
ARP Poisoning/ARP Spoofing
• By sending forged ARP replies, a target system can be convinced to send frames destined for one computer to another.
Example:
ARP Request:
Sender = 01:02:03:01:02:03
Content = “ARP who is” IP 192.168.1.3?
ARP Reply: it’s me!
• Not authenticated!
• Me = MAC Address 01:02:03:01:02:04
From now on, all messages intended for 192.168.1.3 will be sent to 01:02:03:01:02:04, which can be the attacker.
ARP Poisoning/ARP Spoofing – Defences
• Defences:
• Static ARP table – does not change ☺
• Access control based on IP, MAC, and Port.
• Redirect user to a registration page before allowing usage of the network.
• It is also possible to detect through mechanisms such as arpwatch (software tool for monitoring ARP traffic), Reverse ARP (retrieves the logical address for a computer from the server), Bootstrap Protocol (BOOTP) and Dynamic Host Configuration Protocol (DHCP), …
Sniffing Attack
Sniffing = eavesdropping = spying = unauthorized listening
Sniffers:
• Packets are often broadcast on local links ➔ all local nodes can listen.
• Sniffers listen to packets on the network and pick out interesting details, e.g. passwords.
• Hackers install sniffer software on compromised hosts. Tools are available for download.
• Wireless Ethernet is most vulnerable; sniffing on switched LANs and core networks is more difficult.
E.g., FTP, TELNET, HTTP Passwords are sent in clear.
Remember Task 1.4P on OnTrack? ☺
Sniffing – at Switch level
• It is possible for an attacker to sniff traffic at router/switch level too.
• There are tools available such as “dsniff”.
• A smart way of attacking a switch is to directly exploit its memory limitations and make the switch act as a hub.
• Hub: unlike switch, forwards ALL traffic to ALL connected ports – so, easy sniff ☺
• Remember Week 2 – Part 1?
Sniffing Defence
How do you think you can defend against sniffing attacks?
Hint: Week 1 – Part 1, the father of modern computing, and why he created the Enigma machine.
Spoofing
• Spoofing = sending unauthentic messages = using false sender address or identifier
• In the Internet, it is easy to send messages that appear to come from someone else; a modified version of the application or protocol stack is easy to write.
Examples:
Email spoofing: false FROM field ☺
IP spoofing: false SOURCE IP ADDRESS
Email Spoofing
• In the past, Simple Mail Transfer Protocol (SMTP) did nothing to authenticate the sender
• Still, some servers do not have authentication in place ☺!!
An October 2013 email to a news agency, spoofed to look like it was from the Swedish company Fingerprint Cards, said that Samsung had offered to purchase the company. The news spread and the share price surged by 50%.
https://en.wikipedia.org/wiki/Fingerprint_Cards
https://en.wikipedia.org/wiki/Samsung
IP Spoofing
What’s happening in this figure?
IP Spoofing
• Easy ☺
• Attacker sends IP packets with a false source address. (Anyone can write software to do this.)
• The destination node usually believes what it sees in the source address field.
✓ Spoofing single packets is easy:
• Attacker sends a packet with source address A and destination B. B believes that the packet came from A.
• Attacker may be anywhere on the Internet.
❖ Spoofing a connection is more difficult:
• Attacker must sniff replies from B in order to continue the conversation.
• Attacker must be on the route between A and B, or control a router on that path.
IP Spoofing – Defence
• Monitoring networks for unusual activity,
• Deploying packet filtering to detect inconsistencies (like outgoing packets with source IP addresses that don’t match those on the organization’s network),
• Authenticating all IP addresses,
• Firewall
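An added example (not from the slides) of the packet-filtering defence above: a border filter that drops outgoing packets whose source address is not one of the organisation's own, and, going one step beyond the slide, also drops incoming packets that claim an internal source. The address blocks and log lines are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed: the address blocks this organisation owns (an assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8")]

def is_internal(addr: str, nets=INTERNAL_NETS) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def decide(direction: str, src: str, nets=INTERNAL_NETS) -> str:
    """Border-filter verdict ('pass' or 'drop') based only on the source address.
    out: a packet leaving us must carry one of our own source addresses (egress filtering).
    in : a packet arriving from outside must not claim one of our addresses (ingress filtering).
    Loopback and unspecified sources are never legitimate on the border link in either direction."""
    ip = ipaddress.ip_address(src)
    if ip.is_loopback or ip.is_unspecified:
        return "drop"
    if direction == "out" and not is_internal(src, nets):
        return "drop"
    if direction == "in" and is_internal(src, nets):
        return "drop"
    return "pass"

# Constructed log lines of the form "<direction> <src> -> <dst>" (not real traffic).
SAMPLE = [
    "out 192.168.1.5 -> 203.0.113.9",    # normal outbound packet
    "out 198.51.100.7 -> 203.0.113.9",   # spoofed: source is not ours, must not leave the network
    "in 203.0.113.9 -> 192.168.1.5",     # normal inbound reply
    "in 10.0.0.3 -> 192.168.1.5",        # spoofed: an outsider claiming one of our addresses
    "in 127.0.0.1 -> 192.168.1.5",       # loopback source on the wire
]

def filter_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Apply decide() to each sample line and pair the line with its verdict."""
    verdicts = []
    for line in lines:
        direction, src, _arrow, _dst = line.split()
        verdicts.append((line, decide(direction, src)))
    return verdicts
```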
Domain Name Server (DNS)
Provides a hierarchical name-space:
– Example: www.cs.ucl.ac.uk ↔ 128.16.10.31
– Top-level domains (TLDs): e.g. .uk (.com, .edu, …)
– Delegates name-to-IP mappings to lower-level domains: e.g. .ac.uk, .ucl.ac.uk or .cs.ucl.ac.uk
DNS Poisoning Attack – Race Condition
• Attacker observes a UDP DNS query sent to a well-known server on a well-known port.
• First response wins…
• Second response is silently dropped ☺!!
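An added example (not from the slides) showing what a resolver checks before it lets the "first response" win: the reply must come from the server that was asked, carry the query's transaction ID, have the response bit set and repeat the exact question. A forged answer can only win the race if it passes all of these, which is why resolvers randomise the transaction ID and source port and why signed data (DNSSEC, next slide) is the real fix. The query/response builders and addresses are constructed for the example.

```python
import struct
from typing import Tuple

def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal query: header (RD set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(txid: int, name: str, addr: str, qtype: int = 1) -> bytes:
    """Minimal response with one A record; used only to construct sample traffic here."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, one answer
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(o) for o in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata  # name = pointer to offset 12
    return header + question + answer

def question_section(msg: bytes) -> bytes:
    """Raw bytes of the first question (name + type + class), which starts at offset 12."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return msg[12:i + 5]

def accept_response(query: bytes, server: Tuple[str, int], resp: bytes, peer: Tuple[str, int]) -> bool:
    """Resolver-side acceptance test for a UDP response to one outstanding query.
    The response must come from the server we asked, carry our transaction ID,
    have the QR (response) bit set and repeat our exact question; otherwise it is dropped."""
    if peer != server or len(resp) < 12:
        return False
    txid, flags = struct.unpack("!HH", resp[:4])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return False
    return question_section(resp) == question_section(query)
```

Note that a forged response with the right peer address, transaction ID and question is accepted just like the genuine one: the checks narrow the race, they do not close it.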
DNS Hijacking (or, Redirection)
• Route packets to the wrong server,
• A number of commercial ISPs use DNS hijacking for their own purposes, such as displaying advertisements…
DNS Attack – Defence
• Secure DNS: DNSSEC = Digitally sign DNS data + use PKI
• From July 2010, DNSSEC was integrated in all Internet root servers
• More recently, DNSCurve – [home reading]: https://dnscurve.org/. ☺
Denial of Service (DoS)
• The goal of denial-of-service (DoS) attacks is to prevent authorized users from accessing a resource, or to reduce the quality of service that they receive.
• Important threat vector:
• > 30000 DoS attacks / day
• Several Bot-herders control >= 1.5 million hosts
• Trend of attacks shifted from script kiddies to crime
Attack types:
• Destroy or disable the resource
• Exhaust the resource
Denial of Service (DoS) – Destruction or Disabling
Examples:
• Formatting the hard disk
• Crashing a server
• These attacks usually exploit a bug in a system implementation.
• Hence, they can be prevented by proper design and implementation.
Denial of Service (DoS) – Resource Exhaustion Attacks
Examples:
• Flooding a web server with requests
• Flooding a communications link with packets
It is difficult to tell the difference between overload (e.g. slashdotting) and an attack.
March 2020 – COVID-19 related …
Resource exhaustion attacks can never be completely prevented. Internet servers and communication links are sized for typical peak demand, not for maximum theoretical demand.
Ping command
Ping: a command-line utility used to test the reachability of a host on an Internet Protocol (IP) network. It is available for virtually all operating systems that have networking capability …
The ping command sends a request over the network to a specific device. A successful ping results in a response from the computer that was pinged back to the originating computer. (It’s just like HELLO, ARE YOU THERE? and YES, HERE I AM ☺)
Question
Question: how could you use PING to execute a DoS attack?
Ping of death
Large ICMP packets:
• ping -l 65527 (Windows)
• ping -s 65527 (Unix)
• Systems used to crash when they received packets so big.
• Bug fixed since 1998 ☺ …
Distributed Denial of Service (DDoS)
• Attacker controls thousands of “zombies”, i.e. computers where a hacker, Trojan or virus has installed a backdoor.
• The zombies launch a coordinated packet-flooding attack on a high-value target.
• Spoofed source addresses prevent tracing of zombies.
https://www.youtube.com/watch?v=NogCN78XN2w [Watch at Home]
Acknowledgement
Acknowledging the kind support and contribution of:
Dr Arash Shaghaghi (Deakin University, Australia), Prof. Chang-Tsun Li (Deakin University, Australia), Prof. Sanjay Jha (The University of New South Wales, Australia), Dr. Nicolas Courtois (University College London, UK), Dr George Danezis (University College London, UK), and Dr Michael March (University of Maryland, USA).