
FACULTAD DE CIENCIAS FISICO MATEMATICAS

IP SPOOFING

In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP)
packets with a false source IP address, for the purpose of hiding the identity of the sender or
impersonating another computing system. One technique which a sender may use to maintain
anonymity is to use a proxy server.

The basic protocol for sending data over the Internet network and many other computer networks
is the Internet Protocol (IP). The protocol specifies that each IP packet must have a header which
contains, among other things, the IP address of the sender of the packet. The source IP address is
normally the address that the packet was sent from, but the sender's address in the header can be
altered, so that to the recipient it appears that the packet came from another source. The protocol
requires the receiving computer to send back a response to the source address, so that spoofing is
mainly used when the sender can anticipate the network response or does not care about the
response.

COVERT CHANNEL
In computer security, a covert channel is a type of computer security attack that creates a
capability to transfer information objects between processes that are not supposed to be allowed
to communicate by the computer security policy. The term, originated in 1973 by Lampson, is
defined as channels "not intended for information transfer at all, such as the service program's
effect on system load", to distinguish them from legitimate channels that are subjected to access
controls by COMPUSEC.

A covert channel is so called because it is hidden from the access control mechanisms of ultra-
high-assurance secure operating systems since it does not use the legitimate data transfer
mechanisms of the computer system such as read and write, and therefore cannot be detected or
controlled by the hardware-based security mechanisms that underlie ultra-high-assurance secure
operating systems. Covert channels are exceedingly hard to install in real systems, and can often
be detected by monitoring system performance; in addition, they suffer from a low signal-to-noise
ratio and low data rates (on the order of a few bits per second). They can also be removed
manually with a high degree of assurance from secure systems by well-established covert channel
analysis strategies.

TCP SYN/FLOOD

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN
requests to a target's system in an attempt to consume enough server resources to make the
system unresponsive to legitimate traffic.

Normally when a client attempts to start a TCP connection to a server, the client and server
exchange a series of messages which normally runs like this:

1. The client requests a connection by sending a SYN (synchronize) message to the server.
2. The server acknowledges this request by sending SYN-ACK back to the client.
3. The client responds with an ACK, and the connection is established.

This is called the TCP three-way handshake, and is the foundation for every connection established
using the TCP protocol.

A SYN flood attack works by not responding to the server with the expected ACK code. The
malicious client can either simply not send the expected ACK, or spoof the source IP address
in the SYN, causing the server to send the SYN-ACK to a falsified IP address, which will not send an
ACK because it "knows" that it never sent a SYN.

The server will wait for the acknowledgement for some time, as simple network congestion could
also be the cause of the missing ACK. However, in an attack, the half-open connections created by
the malicious client bind resources on the server and may eventually exceed the resources
available on the server. At that point, the server cannot connect to any clients, whether legitimate
or otherwise. This effectively denies service to legitimate clients. Some systems may also
malfunction or crash when other operating system functions are starved of resources in this way.
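
The resource exhaustion described above can be seen in a small model of the server's half-open connection queue. This is an added example, not part of the original handout; the queue capacity, the timeout and all addresses are constructed values.

```python
# Added example: toy model of a server's half-open connection queue.
# Capacity, timeout and every address below are constructed values.

class SynBacklog:
    def __init__(self, capacity, timeout):
        self.capacity = capacity   # half-open connections the server can hold
        self.timeout = timeout     # seconds the server waits for the final ACK
        self.half_open = {}        # (ip, port) -> time the SYN arrived
        self.established = set()

    def _expire(self, now):
        # Free entries whose ACK never arrived within the timeout.
        for src in [s for s, t in self.half_open.items() if now - t >= self.timeout]:
            del self.half_open[src]

    def on_syn(self, src, now):
        """True if the server stores state and answers SYN-ACK, False if the SYN is dropped."""
        self._expire(now)
        if src not in self.half_open:
            if len(self.half_open) >= self.capacity:
                return False
            self.half_open[src] = now
        return True

    def on_ack(self, src, now):
        """True if the ACK completes a pending handshake."""
        self._expire(now)
        if self.half_open.pop(src, None) is None:
            return False
        self.established.add(src)
        return True


def simulate():
    srv = SynBacklog(capacity=4, timeout=30)
    client_a, client_b = ("192.0.2.10", 40000), ("192.0.2.11", 40001)
    result = {}
    # t=0..1: a normal three-way handshake completes and frees its queue slot.
    result["a_connected"] = srv.on_syn(client_a, 0) and srv.on_ack(client_a, 1)
    # t=2: four SYNs arrive whose senders never return the ACK.
    silent = [("203.0.113.%d" % i, 50000 + i) for i in range(1, 5)]
    result["silent_accepted"] = [srv.on_syn(s, 2) for s in silent]
    result["queue_after_burst"] = len(srv.half_open)
    # t=3: the queue is full, so a legitimate client's SYN is dropped.
    result["b_at_t3"] = srv.on_syn(client_b, 3)
    # t=33: the stale entries have timed out and the retry succeeds.
    result["b_at_t33"] = srv.on_syn(client_b, 33) and srv.on_ack(client_b, 34)
    return result
```

The count of half-open entries against the queue capacity is the figure a defender would monitor: it stays near zero when handshakes complete and sits at the limit while the ACKs are missing.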

TCP / FIN CLOSING CONNECTION

In the normal case, each side terminates its end of the connection by sending a special message
with the FIN (finish) bit set. This message, sometimes called a FIN, serves as a connection
termination request to the other device, while also possibly carrying data like a regular segment.
The device receiving the FIN responds with an acknowledgment to the FIN to indicate that it was
received. The connection as a whole is not considered terminated until both sides have finished
the shut down procedure by sending a FIN and receiving an ACK.

Thus, termination isn't a three-way handshake like establishment: it is a pair of two-way
handshakes. The states that the two devices in the connection move through during a normal
connection shutdown are different because the device initiating the shutdown must behave
differently than the one that receives the termination request. In particular, the TCP on the device
receiving the initial termination request must inform its application process and wait for a signal
that the process is ready to proceed. The initiating device doesn't need to do this, since the
application is what started the ball rolling in the first place.
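
The two different state sequences can be traced with a small state machine. This is an added example, not part of the original handout; the state names are the standard ones from the TCP specification (RFC 793), the event names are invented for the illustration, and only the normal (non-simultaneous) close is modelled.

```python
# Added example: TCP termination states (names from RFC 793), normal close only.
# (current state, event) -> (next state, segment sent to the peer or None)
TRANSITIONS = {
    # Side that initiates the shutdown
    ("ESTABLISHED", "app_close"):  ("FIN_WAIT_1", "FIN"),
    ("FIN_WAIT_1", "recv_ACK"):    ("FIN_WAIT_2", None),
    ("FIN_WAIT_2", "recv_FIN"):    ("TIME_WAIT", "ACK"),
    ("TIME_WAIT", "timeout_2MSL"): ("CLOSED", None),
    # Side that receives the first FIN
    ("ESTABLISHED", "recv_FIN"):   ("CLOSE_WAIT", "ACK"),
    ("CLOSE_WAIT", "app_close"):   ("LAST_ACK", "FIN"),
    ("LAST_ACK", "recv_ACK"):      ("CLOSED", None),
}


class Endpoint:
    def __init__(self, name):
        self.name = name
        self.state = "ESTABLISHED"
        self.trace = ["ESTABLISHED"]

    def handle(self, event):
        """Apply one event and return the segment to send to the peer, if any."""
        key = (self.state, event)
        if key not in TRANSITIONS:
            raise ValueError("%s: %s is not valid in %s" % (self.name, event, self.state))
        self.state, segment = TRANSITIONS[key]
        self.trace.append(self.state)
        return segment


def normal_close():
    a, b = Endpoint("initiator"), Endpoint("responder")
    fin = a.handle("app_close")     # initiator's application closes: FIN sent
    ack = b.handle("recv_" + fin)   # responder ACKs and informs its application
    a.handle("recv_" + ack)         # first two-way handshake complete
    fin = b.handle("app_close")     # responder's application is ready: FIN sent
    ack = a.handle("recv_" + fin)   # initiator ACKs the responder's FIN
    b.handle("recv_" + ack)         # second two-way handshake complete
    a.handle("timeout_2MSL")        # initiator waits before releasing the connection
    return a.trace, b.trace
```

CLOSE_WAIT is the state in which the receiving side waits for its application, which is why it appears only in the responder's trace.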

TCP CONNECTION HIJACKING

Session hijacking, also known as TCP session hijacking, is a method of taking over a Web user
session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once
the user's session ID has been accessed (through session prediction), the attacker can masquerade
as that user and do anything the user is authorized to do on the network.

ARP SPOOFING
In computer networking, ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique
by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local
area network. Generally, the aim is to associate the attacker's MAC address with the IP address of
another host, such as the default gateway, causing any traffic meant for that IP address to be sent
to the attacker instead.

ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or
stop all traffic. Often the attack is used as an opening for other attacks, such as denial of service,
man in the middle, or session hijacking attacks.

The attack can only be used on networks that use the Address Resolution Protocol, and is limited
to local network segments.
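
Because the attack changes which MAC address an IP address resolves to, a passive monitor can detect it by watching for IP-to-MAC bindings that change. The following is an added example, not part of the original handout; the observation records, addresses and function name are constructed for illustration.

```python
# Added example: flag ARP replies that contradict a known IP-to-MAC binding.
# Constructed observations: (time, sender IP, sender MAC) from ARP replies.
OBSERVED = [
    (0, "192.0.2.1",  "00:00:5e:00:53:01"),   # default gateway
    (1, "192.0.2.10", "00:00:5e:00:53:10"),
    (2, "192.0.2.20", "00:00:5e:00:53:20"),
    (5, "192.0.2.1",  "00:00:5e:00:53:20"),   # gateway IP claimed by host .20's MAC
    (6, "192.0.2.1",  "00:00:5e:00:53:20"),
    (7, "192.0.2.10", "00:00:5e:00:53:10"),   # unchanged binding, no alert
]


def detect_arp_conflicts(observations, pinned=None):
    """Return one alert per ARP reply whose MAC differs from the known binding.

    pinned: optional {ip: mac} of statically trusted entries (e.g. the gateway).
    Unpinned bindings are learned on first sight and never overwritten, so a
    conflicting reply keeps alerting instead of silently replacing the entry.
    """
    bindings = dict(pinned or {})
    alerts = []
    for ts, ip, mac in observations:
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            # Other IPs already bound to this MAC help identify the real sender.
            also = sorted(i for i, m in bindings.items() if m == mac and i != ip)
            alerts.append({"time": ts, "ip": ip, "expected": known,
                           "seen": mac, "mac_also_owns": also})
    return alerts
```

Learning on first sight trusts whatever reply arrives first, so pinning the gateway's binding in advance covers the case where the monitor starts after the false mapping is already being advertised.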
