
UNIT - I

Security Attacks (Interruption, Interception, Modification and Fabrication), Security Services
(Confidentiality, Authentication, Integrity, Non-repudiation, Access Control and Availability) and
Mechanisms, A model for Internetwork security, Internet Standards and RFCs, Buffer overflow
and format string vulnerabilities, TCP session hijacking, ARP attacks, route table modification,
UDP hijacking, and man-in-the-middle attacks.

LEARNING OBJECTIVES

At the end of this unit the student should be able to:

• Define security attacks

• Define security services

• List and Explain security mechanisms

• Describe the model for internet security

• Define internet standards

• Explain buffer overflow

• Describe format string vulnerabilities

• Explain TCP session hijacking

• Define ARP attacks

• Describe route table modification

• Define UDP hijacking

• Describe man-in-the-middle attacks

Introduction:

The terms network security and information security are often used interchangeably. Network
security is generally taken as providing protection at the boundaries of an organization by
keeping out intruders or hackers. Information security, however, explicitly focuses on protecting
data resources from malware attacks or from simple mistakes by people within the organization,
using data loss prevention (DLP) techniques among others. Network security starts with
authenticating the user, commonly with a username and a password. Once the user is
authenticated, a firewall enforces access policies such as which services the network users are
allowed to access.

Security management:

Security management for networks differs from situation to situation. A small home or office
requires only basic security, while a large business requires high maintenance and advanced
software and hardware to prevent malicious attacks such as hacking and spamming.

Threats:

A threat is a potential abuse of a computer-based information system: an occurrence or activity
that could result in a loss of security. As stated before, it is a breach of security, and it can be
natural, physical or accidental; examples include flood, fire, earthquake, electrical spark,
manufacturer error, vandalism and so on. We can classify security attacks as follows.

1. Passive attacks: A passive attack attempts to learn or make use of information from the
system but does not affect the system resources. Passive attacks are in the nature of
eavesdropping on, or monitoring of, transmissions, with the goal of obtaining the information
being transmitted. Passive attacks are very difficult to detect because they do not involve any
alteration of data; however, measures are available to prevent their success. Two types of
passive attacks are release of message contents and traffic analysis.

Release of message contents: An opponent learns the contents of a transmission (a telephone
conversation, an e-mail message or a transferred file). We would like to prevent the opponent
from learning these contents.

Traffic analysis: An opponent guesses the nature of the information being transmitted by
observing the frequency and length of the messages being exchanged.

2. Active attacks: An active attack attempts to alter system resources or affect their
operation. It is very difficult to prevent active attacks absolutely.

Classification of active attacks/threats:

According to sources, attacks on the security of a computer can best be characterized by viewing
how the computer functions when sending and receiving information. The normal and accurate
flow of information from a source (Source A) to a destination (Destination B) is shown in the
diagram below:

Figure (a), Normal flow: information flows from Source A to Destination B.

However, deviations from the normal flow of information will happen if there is an attack or a
threat.

These threats can be classified as:

• Interruption
• Interception
• Modification
• Fabrication

Interruption:

This happens when an asset is destroyed or becomes unavailable or cannot be used. This is an
attack on the availability of the system. Diagram (b) shows how interruption can occur.

Figure (b), Interruption: the flow of information from A to B is stopped.

Examples of interruption are destruction of a piece of hardware, the cutting of cable and
disabling of a file management system.

Interception:

Interception occurs when any unauthorized unit gains access to an asset. This attack means that
there is no privacy therefore it is an attack on confidentiality. The unauthorized unit or party
could be an individual, a program or even another computer. Diagram (c) reveals the nature of
interception.

Figure (c), Interception: information goes to B, and the same information also goes to C, an
incorrect destination.

Examples of interception are wiretapping to capture data on a network and the copying of files
that is not permitted.

Modification:

If an unauthorized party gains access to a system and makes some changes to it, this tampering
is known as modification. Modification is an attack on the integrity of the system or the
organization. Diagram (d) depicts this attack.

Figure (d), Modification: information goes to C, an incorrect destination; C sends changed
information on to B.

Examples of such tampering include changing values in a file, altering a program so that it
performs differently, and changing the contents of messages that are sent over the network.

Fabrication:

If an unauthorized party gains access to the system and inserts false objects into it, this is
Fabrication and it degrades the authenticity of the system. Diagram (e) reflects this information.

Figure (e), Fabrication: Source C sends information to B, and B thinks that it is coming from A.

Examples of such an attack include a hacker gaining access to a person's e-mail account and
sending messages, so that the recipients believe the messages really come from that person
when in fact they do not, or the addition of records to a file.

Security services: A security service enhances the security of the data processing systems and
the information transfers of an organization. The services are intended to counter security
attacks, and they make use of one or more security mechanisms to provide the service. The
security services are as follows.

Confidentiality:

Confidentiality is the term used for preventing the disclosure of information to unauthorized
individuals or systems. For example, a credit card transaction on the Internet requires the credit
card number to be transmitted from the buyer to the merchant and from the merchant to a
transaction processing network. The system attempts to enforce confidentiality by encrypting the
card number during transmission, by limiting the places where it might appear and by restricting
access to the places where it is stored. If an unauthorized party obtains the card number in any
way, a breach of confidentiality has occurred. Breaches of confidentiality take many forms.
Permitting someone to look over your shoulder at your computer screen while you have
confidential data displayed on it could be a breach of confidentiality. If a laptop computer
containing sensitive information about a company's employees is stolen or sold, it could result in
a breach of confidentiality. Giving out confidential information over the telephone is a breach of
confidentiality if the caller is not authorized to have the information. Confidentiality is necessary
for maintaining the privacy of the people whose personal information a system holds.

Integrity:

In information security, integrity means that data cannot be modified undetectably. This is not
the same thing as referential integrity in databases, although it can be viewed as a special case of
Consistency as understood in the classic ACID model of transaction processing. Integrity is
violated when a message is actively modified in transit. Most cipher systems provide message
integrity along with privacy as part of the encryption process. Messages that have been tampered
with in flight will not decrypt successfully.

Availability:

For any information system to serve its purpose, the information must be available when it is
needed. This means that the computing systems used to store and process the information, the
security controls used to protect it, and the communication channels used to access it must be
functioning correctly. High availability systems aim to remain available at all times, preventing
service disruptions due to power outages, hardware failures, and system upgrades. Ensuring
availability also involves preventing denial-of-service attacks.

Authenticity:

In computing, e-Business and information security it is necessary to ensure that the data,
transactions, communications or documents are genuine. It is also important for authenticity to
validate that both parties involved are who they claim they are.

Non-repudiation:

In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also
implies that one party of a transaction cannot deny having received a transaction nor can the
other party deny having sent a transaction. Electronic commerce uses technology such as digital
signatures and encryption to establish authenticity and non-repudiation.

Access control:

Access to protected information must be restricted to people who are authorized to access the
information. The computer programs, and in many cases the computers that process the
information, must also be authorized. This requires that mechanisms be in place to control the
access to protected information.

Security mechanism: A mechanism that is designed to detect, prevent or recover from a
security attack. The security mechanisms are as follows.

Encipherment: The use of mathematical algorithms to transform the data into a form that is not
readily intelligible.

Digital signatures: Used to protect the data against forgery. A digital signature appended to a
data unit allows a recipient of the data unit to prove the source and integrity of the data unit.

Access Control: These mechanisms enforce access rights to resources.

Data integrity: A variety of mechanisms are used to assure the integrity of data unit.

Authentication exchange: A mechanism intended to ensure the identity of an entity by means of
an information exchange.

Traffic padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis
attacks.

Notarization: The use of trusted third party to assure certain properties of a data exchange.

Routing control: Enables selection of particular physically secure routes for certain data and
allows routing changes.

A Model for network security: A message is to be transferred from one party to another party
across some sort of internet, and the two parties, who are the principals in this transaction, must
cooperate for the exchange to take place. When it is necessary to protect the information
transmission from an attacker, security aspects come into play. A model for network security
contains six different parts.

o Plain text: The message held by the sender.
o Encryption algorithm: Converts the plain text into an unreadable form.
o Cipher text: The scrambled information produced by encryption.
o Decryption algorithm: Converts the cipher text back into plain text.
o Sender: The device which is sending the message.
o Receiver: The device which is receiving the message.

All the techniques for providing security have two components:

• A security-related transformation on the information to be sent, for example
encryption of the message.
• Some secret information shared by the two communicating parties and, it is hoped,
unknown to the opponent, for example an encryption key.

There is always a chance for an opponent to access data on the information channel, but the
opponent cannot access data held by the trusted third party, because those are trusted channels.
A third party may be needed to arbitrate disputes between the two principals concerning the
authenticity of a message transmission.

Figure: A model for network security. The sender applies a security-related transformation to
the message, using secret information, to produce a secure message; the secure message crosses
the information channel, on which an opponent is present; the receiver applies the inverse
security-related transformation, using its own secret information, to recover the message. A
trusted third party is shown above both principals.

This general model shows that there are four basic tasks in designing a security service:

1) Design an algorithm for performing the security-related transformation.

2) Generate the secret information to be used with the algorithm

3) Develop a method for distribution and sharing of the secret information

4) Specify a protocol to be used by the two principals that make use of security algorithm
and the secret information to achieve a particular security service.

Internet standards and the internet society:

Internet society: The Internet Society is responsible for the development and publication of
standards for use over the internet. It is a professional membership organization that oversees a
number of boards and task forces involved in internet development and standardization. The
Internet Society is the coordinating committee for internet design, engineering and management.
Three organizations under the Internet Society are responsible for the actual work of standards
development and publication.

• Internet Architecture Board (IAB): Responsible for defining the overall architecture of
the internet, providing guidance and broad direction to the IETF.

• Internet Engineering Task Force (IETF): The protocol engineering and development
arm of the internet.

• Internet Engineering Steering Group (IESG): Responsible for technical management
of IETF activities and the internet standards process.

RFC (Request for Comments) publication: The actual development of new standards and
protocols for the internet is carried out by working groups chartered by the IETF. Membership
in a working group is voluntary; any interested party may participate. The RFCs are the working
notes of the internet research and development community.

Figure: Internet RFC publication process. The boxes are Internet draft, Proposed standard,
Draft standard, Internet standard, Best current practice, Experimental, Informational and
Historic. The standards track on the left-hand side runs Internet draft, Proposed standard,
Draft standard, Internet standard.

• The left hand side of the figure shows the series of steps called standards track that a
specification goes through to become a standard.

• The steps involve increasing amount of scrutiny and testing.

• At each step, The IETF must make a recommendation for advancement of the protocol
and IESG must ratify it.

• The process begins when the IESG approves the publication of an internet draft
document as an RFC with the status of proposed standard.

• Here the white boxes represent the temporary states, which should be occupied for the
minimum practical time. The gray boxes represent long term states that may be occupied
for years.

• For a specification to be advanced to draft standard status, there must be at least two
independent and interoperable implementations from which adequate operational
experience has been obtained.

• After significant implementation and operational experience has been obtained, the
specification may be elevated to internet standard. At this point the specification is
assigned an STD number as well as an RFC number.

• When a protocol becomes obsolete it is assigned to the Historic state.

Standardization process: To be standardized, a specification must:

• Be stable and well understood

• Be technically competent

• Have multiple, independent and interoperable implementations with substantial
operational experience.

• Enjoy significant public support

• Be recognizably useful in some or all parts of the internet.

Internet standards categories: All the internet standards fall into one of two categories:

• Technical Specification (TS): A TS defines a protocol, service, procedure or format. Most
internet standards are TSs.

• Applicability Statement (AS): An AS specifies how, and under what circumstances, one or
more TSs may be applied to support a particular internet capability.

Buffer overflow: In computer security and programming, a buffer overflow, or buffer
overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's
boundary and overwrites adjacent memory. A buffer overflow attack occurs when the attacker
intentionally enters more data than the program was written to handle.

• Although it may occur accidentally through a programming error, buffer overflow is an
increasingly common type of security attack on data integrity. In buffer overflow attacks,
the extra data may contain code designed to trigger specific actions, in effect sending new
instructions to the attacked computer.
• Buffer overflows may result in erratic program behavior, including memory access
errors, incorrect results, a crash, or a breach of system security.
• The C and C++ programming languages are commonly associated with buffer overflows:
they provide no built-in protection against accessing or overwriting data in any part of
memory and do not automatically check that data written to an array is within the
boundaries of that array.
• Bounds checking can prevent buffer overflows.
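The following C program is an added illustration, not part of the original notes, of the defect just described and of the bounds check that prevents it. It models an 8-byte name buffer with a privilege flag stored immediately after it (a constructed layout; the function names such as copy_name_unchecked are assumed) and shows the unchecked copy spilling into the flag while the checked copy refuses the over-long input.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed layout: an 8-byte name buffer followed immediately by a
 * privilege flag. In a real program the adjacent memory might be another
 * variable, a saved return address or heap metadata. */
struct account {
    char    name[8];
    uint8_t is_admin;   /* sits right after the buffer */
};

/* Unchecked copy: the defect the text describes. It copies len bytes
 * starting at the buffer with no bounds check. The write goes through a
 * byte view of the whole struct so the overrun stays inside the object and
 * its effect on the adjacent field can be observed deterministically. */
void copy_name_unchecked(struct account *acct, const char *input, size_t len)
{
    unsigned char *p = (unsigned char *)acct;
    if (len > sizeof *acct)
        len = sizeof *acct;         /* keep the model itself in bounds */
    memcpy(p, input, len);          /* byte 8 onward lands on is_admin */
}

/* Bounds-checked copy: refuses any input that does not fit together with
 * its terminating NUL. Returns 0 on success, -1 if the input was refused. */
int copy_name_checked(struct account *acct, const char *input)
{
    size_t len = strlen(input);
    if (len + 1 > sizeof acct->name)
        return -1;                  /* too long: refuse rather than truncate silently */
    memcpy(acct->name, input, len + 1);  /* len + 1 <= 8, provably in bounds */
    return 0;
}

/* Feeds a 9-byte input (eight 'A's plus a 0x01 byte) to the unchecked copy
 * and returns the admin flag: it flips to 1 although it was never assigned. */
int demo_unchecked(void)
{
    struct account acct = { "guest", 0 };
    const char input[] = "AAAAAAAA\x01";        /* constructed oversized input */
    copy_name_unchecked(&acct, input, sizeof input - 1);
    return acct.is_admin;
}

/* Same input through the checked copy: returns the admin flag, which stays
 * 0 because the copy is refused. */
int demo_checked(void)
{
    struct account acct = { "guest", 0 };
    const char input[] = "AAAAAAAA\x01";
    copy_name_checked(&acct, input);
    return acct.is_admin;
}

int main(void)
{
    printf("unchecked copy: is_admin = %d\n", demo_unchecked());
    printf("checked copy:   is_admin = %d\n", demo_checked());
    return 0;
}
```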

Format string vulnerabilities: Format string attacks are a class of software vulnerability
discovered around 1999. Format string attacks can be used to crash a program or to execute
harmful code. The problem stems from the use of unfiltered user input as the format string
parameter in certain C functions that perform formatting, such as printf().

For example, C formatting functions take a format string as a parameter that describes how the
other parameters should be interpreted. The token %d specifies that a parameter should be
displayed as a decimal integer, while %s specifies that a parameter should be displayed as an
ASCII string. Format strings give the caller a lot of control over how the data is to be interpreted.
Through a format string vulnerability attack, this control can be abused to read and write
memory at arbitrary locations.

• A malicious user may use the %s and %x format tokens, among others, to print data from
the stack or possibly other locations in memory.

• One may also write arbitrary data to arbitrary locations using the %n format token, which
commands printf() and similar functions to write the number of bytes formatted so far to
an address stored on the stack.

• Format string vulnerability attacks fall into three categories.

i) Denial of service attacks: These attacks are characterized by using multiple instances
of the %s format specifier to read data from the stack until the program attempts to
read data from an illegal address, which causes the program to crash.

ii) Reading attacks: These attacks typically use the %x format specifier to print sections
of memory that one does not normally have access to.

iii) Writing attacks: These attacks use the %d, %u and %x format specifiers to overwrite
the instruction pointer.
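The following C example is added here and is not from the original notes. It contrasts the unsafe pattern (user input used as the format string, shown in a comment) with the hardened form, where the input is passed as an argument to a constant "%s" format, and includes a small constructed check, count_directives, that counts the conversion tokens an untrusted string would introduce; all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Counts the conversion directives an untrusted string would introduce if it
 * were ever used as a format string. "%%" is a literal percent sign and is
 * not counted. A non-zero count on data that should be plain text (a user
 * name, a log line received from a client) is worth recording. */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%": escaped percent, skip both */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Vulnerable pattern from the text, kept here only for contrast and never
 * compiled or called. Compilers flag it with -Wformat-security:
 *
 *     void log_message_unsafe(const char *user_input)
 *     {
 *         printf(user_input);   // the input itself becomes the format
 *     }
 *
 * With %s or %x in the input, printf walks the stack for arguments that were
 * never passed; with %n it writes the count of emitted bytes to an address
 * it finds there. */

/* Hardened form: the user data is an argument to a constant format, so every
 * '%' in it is rendered as a literal character. Returns what snprintf
 * reports, i.e. the number of characters that would have been written. */
int render_safe(char *out, size_t outsz, const char *user_input)
{
    return snprintf(out, outsz, "[client] %s", user_input);
}

int main(void)
{
    char out[64];
    const char *sample = "login failed for user %x%x%x%n";   /* constructed */
    printf("directives in input: %d\n", count_directives(sample));
    render_safe(out, sizeof out, sample);
    printf("%s\n", out);    /* the %x and %n tokens appear literally */
    return 0;
}
```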

TCP session hijacking: In computer science, session hijacking refers to the exploitation of a
valid computer session (sometimes called a session key) to gain unauthorized access to
information or services in a computer system. TCP session hijacking takes place when a hacker
takes over a TCP session between two machines. Since most authentication only occurs at the
start of a TCP session, this allows the hacker to gain access to a machine. In particular, the term
is used to refer to the theft of a magic cookie used to authenticate a user to a remote server.

• A popular method uses source-routed IP packets. This allows a hacker at point A on
the network to participate in a conversation between B and C by encouraging the IP
packets to pass through its machine.
• If source routing is turned off, the hacker can use "blind" hijacking, whereby it guesses
the responses of the two machines. Thus the hacker can send a command, but can never
see the response. However, a common command would be to set a password allowing
access from somewhere else on the net.
• A hacker can also be "inline" between B and C, using a sniffing program to watch the
conversation. This is known as a "man-in-the-middle attack".
• A common component of such an attack is to execute a denial-of-service (DoS) attack
against one end-point to stop it from responding. This attack can be either against the
machine, to force it to crash, or against the network connection, to force heavy packet loss.
• TCP session hijacking is a much more complex and difficult attack. The purpose of this
attack is not to deny service, but to pretend to be an authorized user in order to gain
access to a system.
• Based on the anticipation of sequence numbers, there are two types of TCP hijacking:

a) Man-in-the-middle
b) Blind hijacking.

ARP attacks: Address Resolution Protocol (ARP) spoofing, also known as ARP flooding or
ARP poisoning, is a technique used to attack an Ethernet wired or wireless network. ARP
Spoofing may allow an attacker to sniff data frames on a local area network (LAN) and modify
the traffic, or stop the traffic altogether. The attack can only be used on networks that actually
make use of ARP and not another method of address resolution.

• The principle of ARP spoofing is to send fake ARP messages to an Ethernet LAN.
Generally, the aim is to associate the attacker's MAC address with the IP address of
another node (such as the default gateway). Any traffic meant for that IP address would
be mistakenly sent to the attacker instead.
• The attacker could then choose to forward the traffic to the actual default gateway
(passive sniffing) or modify the data before forwarding it (man-in-the-middle attack).
• The attacker could also launch a denial-of-service attack against a victim by associating
a nonexistent MAC address with the IP address of the victim's default gateway.
• ARP spoofing attacks can be run from a compromised host or from an attacker's machine
that is connected directly to the target Ethernet segment.
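As an added defender-side example (not from the original notes), the C program below compares two constructed ARP-table snapshots in a simplified "<ip> <mac>" format and reports the two footprints of the technique described above: an IP whose MAC binding changed since the last snapshot, and one MAC now bound to several IPs. Function names and the sample data are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 32

/* One IP-to-MAC binding as learned from the local ARP cache. */
struct arp_entry {
    char ip[16];
    char mac[18];
};

/* Parses a snapshot in a simplified, constructed "<ip> <mac>\n" format (a
 * stand-in for the output of an ARP cache dump). Returns the entry count. */
int parse_table(const char *text, struct arp_entry *out, int max)
{
    int n = 0;
    const char *line = text;
    while (*line && n < max) {
        if (sscanf(line, "%15s %17s", out[n].ip, out[n].mac) == 2)
            n++;
        const char *nl = strchr(line, '\n');
        if (!nl)
            break;
        line = nl + 1;
    }
    return n;
}

/* Compares a new snapshot against the previous one and returns the number
 * of findings, printing each one:
 *  - an IP whose MAC differs from the earlier snapshot (binding changed)
 *  - a MAC bound to more than one IP in the new snapshot (one station now
 *    answering for several addresses, e.g. its own and the gateway's) */
int arp_findings(const struct arp_entry *before, int nb,
                 const struct arp_entry *after, int na)
{
    int findings = 0;
    for (int i = 0; i < na; i++) {
        for (int j = 0; j < nb; j++) {
            if (strcmp(after[i].ip, before[j].ip) == 0 &&
                strcmp(after[i].mac, before[j].mac) != 0) {
                printf("ALERT binding changed: %s was %s, now %s\n",
                       after[i].ip, before[j].mac, after[i].mac);
                findings++;
            }
        }
        for (int k = i + 1; k < na; k++) {
            if (strcmp(after[i].mac, after[k].mac) == 0) {
                printf("ALERT one MAC, two IPs: %s claims %s and %s\n",
                       after[i].mac, after[i].ip, after[k].ip);
                findings++;
            }
        }
    }
    return findings;
}

/* Constructed scenario: 192.168.1.1 is the gateway. In the second snapshot
 * its IP has become bound to the MAC of the host at 192.168.1.20. */
int demo_poisoned(void)
{
    const char *before =
        "192.168.1.1 aa:bb:cc:00:00:01\n"
        "192.168.1.10 aa:bb:cc:00:00:10\n"
        "192.168.1.20 aa:bb:cc:00:00:20\n";
    const char *after =
        "192.168.1.1 aa:bb:cc:00:00:20\n"
        "192.168.1.10 aa:bb:cc:00:00:10\n"
        "192.168.1.20 aa:bb:cc:00:00:20\n";
    struct arp_entry b[MAX_ENTRIES], a[MAX_ENTRIES];
    int nb = parse_table(before, b, MAX_ENTRIES);
    int na = parse_table(after, a, MAX_ENTRIES);
    return arp_findings(b, nb, a, na);   /* 2: changed gateway binding, duplicate MAC */
}

int main(void)
{
    printf("findings: %d\n", demo_poisoned());
    return 0;
}
```

Run periodically against real cache dumps, a persistent change of the gateway's binding is the signal to investigate; a single transient change can also be a legitimate hardware replacement.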

Route table modification: In some situations, an attacker attempts to alter the route table
remotely. One common attack is snooping on Internet Control Message Protocol (ICMP) traffic
and redirecting packets, thereby fooling the hosts into retransmitting their packets through the
attacker's IP address. This process continues until the connection between the two hosts is
completely terminated. If an attacker is able to place his system on the routing path between the
two hosts, his task becomes much easier.

Man-in-the-middle attacks: A man-in-the-middle attack (often abbreviated MITM) is a form
of active eavesdropping in which the attacker makes independent connections with the victims
and relays messages between them, making them believe that they are talking directly to each
other over a private connection, when in fact the entire conversation is controlled by the attacker.

• The attacker must be able to intercept all messages going between the two victims and
inject new ones, which is straightforward in many circumstances (for example, an
attacker within reception range of an unencrypted Wi-Fi wireless access point can insert
himself as a man-in-the-middle).
• A man-in-the-middle attack can succeed only when the attacker can impersonate each
endpoint to the satisfaction of the other: it is an attack on mutual authentication. Most
cryptographic protocols include some form of endpoint authentication specifically to
prevent MITM attacks. For example, SSL authenticates the server using a mutually
trusted certification authority.

Brute force attack: A brute force attack or exhaustive key search is a strategy that can in
theory be used against any encrypted data by an attacker which involves systematically checking
all possible keys until the correct key is found. In the worst case, this would involve traversing
the entire search space.

• The key length used in the encryption determines the practical feasibility of performing a
brute force attack, with longer keys exponentially more difficult to crack than shorter
ones.
• One of the measures of the strength of an encryption system is how long it would
theoretically take an attacker to mount a successful brute force attack against it.
• Brute-force attacks are an application of brute-force search, the general problem-solving
technique of enumerating all candidates and checking each one.

UDP hijacking: To avoid the overhead associated with the TCP protocol, a connectionless
protocol called User Datagram Protocol (UDP) may be used. The designer of a UDP-based
protocol is then responsible for implementing the equivalent features of TCP on top of UDP. By
hijacking UDP, an attacker can affect the communication between client and server. Here the
attacker may use appropriate tools to obtain the request from the client, then produce a response
of his choice and insert it on the transmission line.

Questions from previous exam papers:

1) Explain different kinds of security attacks and services.
2) Explain TCP and UDP hijacking.
3) What is the difference between passive attacks and active attacks?
4) With a neat diagram explain the network security model.
5) What is meant by a security service? Explain the various services.
6) Write a short note on security mechanisms.
7) Write a short note on internet standards and RFCs.
8) Explain the buffer overflow attack. How can it be handled?
9) Explain the format string vulnerability attack.
10) Briefly discuss ARP attacks.
11) Write a note on man-in-the-middle attacks and brute force attacks.

Objective type Questions:

1) A --------------------- is a mathematical scheme for demonstrating the authenticity of a
digital message or document. ( digital signature)
2) --------------------is a system which enables an authority to control access to areas and
resources in a given physical facility (Access control )
3) Expand RFC ----------------------- ( Request For Comments )
4) A -------------- attack attempts to learn or make use of information from the system but
does not affect the system resources (passive )
5) An attack on the availability of the system is called--------------- (Interruption )
6) The process of an unauthorized party gaining access to the system and inserts false
objects into it is------------------------ ( Fabrication )
7) -----------------------is the term used to prevent the disclosure of information to
unauthorized individuals or systems (Confidentiality )
8) The use of mathematical algorithms to transfer the data into a form that is not readily
intelligible--------------------- ( Encipherment )
9) Any action that compromises the security of information owned by an organization
is----------------------------- ( security attack )
10) ----------------- involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect. ( replay )
11) ----------------- prevents either sender or receiver from denying a transmitted message.
( non repudiation)
12) Expand IESG ---------------( Internet Engineering Steering Group )
13) ----------- is the protocol engineering and development arm of the internet ( IETF )
14) The ---------------- is the coordinating committee for internet design, engineering and
management. ( Internet Society )
15) All internet standards fall into -------------- categories ( Two )
16) ------------------involves systematically checking all possible keys until the correct key is
found for decrypting cipher text. ( Brute force attack )
17) The exploitation of a valid computer session is called ------------ ( session hijack )
18) ------------- is a technique used to attack an Ethernet wired or wireless network ( ARP
flooding )
19) When a process tries to store more data in a buffer than it was intended to hold is
called---------------------- ( buffer overflow )
20) Expand IAB----------- ( Internet Architecture Board )

********************* All the Best ***********************
