
NETWORK ATTACKS

Security Vulnerabilities
 Security Problems in the TCP/IP Protocol Suite
 Attacks on Different Layers
 IP Attacks
 ICMP Attacks
 Routing Attacks
 TCP Attacks
 Application Layer Attacks


Why?
 TCP/IP was designed for connectivity
 It assumed a high degree of trust between hosts
 Host implementation vulnerabilities
 Software had, has and will have bugs
 Some elements of the specification were left to the implementers
Network Attacks
 Reconnaissance
 Sniffing / Eavesdropping / Mapping
 Access Control
 Spoofing
 Hijacking
 Trojans
 Denial of Service (DoS)
 Social engineering
Reconnaissance Attacks
 Reconnaissance: information-gathering activities through which attackers collect data that is later used to compromise networks
 Software tools such as sniffers and scanners are used to map out and exploit potential weaknesses in home computers, web servers and applications
 Example: password-cracking software
 Reconnaissance attacks can consist of:
 Internet information lookup
 Ping sweeps
 Port scans
 Packet sniffers
Eavesdropping
 Before attacking a network, attackers want to know the IP addresses of the machines on the network, the operating systems they run and the services they offer.
 With this information their attacks can be more focused and are less likely to raise an alarm.
 The process of gathering this information is known as mapping.
 In general, the majority of network communications occur in an unsecured, "clear text" format, which allows an attacker who has gained access to data paths in your network to "listen in" on or interpret the traffic.
 When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping.
Sniffing …
 Any malicious machine can examine every packet on a BROADCAST medium
 Ethernet using hubs is a broadcast medium on the segments a frame travels over, generally referred to as a collision domain
 Wi-Fi is likewise a shared medium: every station in range can receive every frame
 Getting passwords is often the first step in exploiting a machine
 Email, if not secured, is sent in plaintext and is vulnerable
What does one sniff?
 passwords
 email
 financial account information
 confidential information
 low-level protocol information to attack
 hardware addresses
 IP addresses
 routing, etc.
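As an added illustration of what a sniffer pulls out of cleartext protocols (example code written for this page, not from the original slides): the function below scans a small constructed capture of FTP, POP3 and HTTP traffic for USER/PASS pairs and HTTP Basic credentials. The hosts, usernames and passwords in SAMPLE_PACKETS are made up; the tuples stand in for the (source, destination, TCP payload) a sniffer would reassemble from the wire.

```python
import base64
import re

# Constructed sample capture: (src, dst, TCP payload) as a sniffer would reassemble
# them from cleartext FTP, POP3 and HTTP sessions. Hosts and credentials are made up.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.21", b"USER alice\r\n"),
    ("10.0.0.21", "10.0.0.5", b"331 Password required for alice\r\n"),
    ("10.0.0.5", "10.0.0.21", b"PASS hunter2\r\n"),
    ("10.0.0.7", "10.0.0.110", b"USER bob@example.test\r\nPASS s3cret!\r\n"),   # POP3 login
    ("10.0.0.9", "10.0.0.80",
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
     b"Authorization: Basic " + base64.b64encode(b"carol:Pa55word") + b"\r\n\r\n"),
    ("10.0.0.9", "10.0.0.80", b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]

_BASIC = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def extract_credentials(packets):
    """Return a list of (client, server, username, password) seen in cleartext.

    USER/PASS pairs (FTP, POP3) are correlated per client->server flow because the
    two commands usually arrive in separate segments; HTTP Basic carries both in
    one header, base64-encoded but not encrypted.
    """
    pending_user = {}   # (client, server) -> last USER seen on that flow
    found = []
    for src, dst, payload in packets:
        flow = (src, dst)
        for line in payload.split(b"\r\n"):
            upper = line.upper()
            if upper.startswith(b"USER "):
                pending_user[flow] = line[5:].decode(errors="replace")
            elif upper.startswith(b"PASS ") and flow in pending_user:
                found.append((src, dst, pending_user.pop(flow),
                              line[5:].decode(errors="replace")))
        m = _BASIC.search(payload)
        if m:
            try:
                user, _, pw = base64.b64decode(m.group(1)).decode(errors="replace").partition(":")
                found.append((src, dst, user, pw))
            except ValueError:
                pass   # malformed base64: not a usable credential
    return found

if __name__ == "__main__":
    for client, server, user, pw in extract_credentials(SAMPLE_PACKETS):
        print(f"{client} -> {server}: {user} / {pw}")
```

The same loop, fed from a live capture instead of SAMPLE_PACKETS, is essentially what tools such as dsniff do; the point is that nothing on the wire distinguishes the password from any other byte.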
Prevention of Sniffing
 Avoid unencrypted password transmission
 Kerberos for authentication
 PGP public keys for email
 Encrypted transports (SSH, TLS) for everything else
Eavesdropping tools
 Network intruders can use Internet tools such as the nslookup and whois utilities to easily determine the IP address space assigned to a given organization or network.
 Simple tools like Wireshark and CommView can be used to sniff network traffic; they are especially handy on Wi-Fi networks.
 There are automated ping-sweep tools an attacker can use, such as fping, pinger or hping; these tools methodically ping every address in a given range or subnet.
 The intruder then uses a port scanner (Nmap or SuperScan, software designed to probe a network host for open ports) to determine which network services or ports are active on the live IP addresses.
[Figure: screenshots of whois/nslookup lookups for bci.edu.pk and google.com, CommView and Wireshark captures, a ping sweep, and a port scan]
Spoofing
[Figure: spoofing cartoon with Aaron, Tom and David: "David, is that you?" "Yes, I'm here!"; the reply does not come from David]
Spoofing Attacks
 A spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage.
 Spoofing attacks can be carried out both locally and remotely.
 Hardware address spoofing
 ARP spoofing
 IP route spoofing
 ICMP spoofing
 DNS spoofing
 TCP/IP datagram spoofing
Spoofing & OSI
 Penetration techniques exploit any and all levels of the model
 Attacks vary based upon the vulnerability at that level
[Figure: protocol stack annotated with the spoofable protocol at each level: TCP socket, IP, DNS, ARP, physical Ethernet]
Hardware Address Spoofing
 When a frame is received on Ethernet, the source address is assumed to be valid.
 However, most NICs allow the hardware address to be set in software, so an address can be faked.
 01-01-01-01-01-01 or 12-34-56-78-90-AB
 E.g.,
 SMAC (freeware)
 Technitium MAC Address Changer 5.0 R3
 Changing the MAC via the system registry (Windows XP)
[Figure: SMAC screenshot]
ARP Introduction
 Low-level network protocol
 Operates at Layer 2 of the OSI model and is usually implemented in the device drivers of network operating systems.
 Used by the Internet Protocol (IP), specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol.
 ARP packets are among the most frequent packets found on a local area network.
When ARP is Used
 For two hosts on the same network, when one host wants to send a packet to the other
 For two hosts on different networks, when they use a gateway/router
 For a router that needs to forward a packet for one host through another router
 For a router that needs to forward a packet from one host to the destination host on the same network
Operation of ARP
[Figure: an FTP client reaching a server on the same Ethernet. (1) The resolver maps the hostname to an IP address; (2) FTP asks TCP to establish a connection with that IP address; (3) TCP asks IP to send an IP datagram to that address; (4) IP hands the datagram to the Ethernet driver; (5) the driver asks ARP for the hardware address; (6) ARP sends an ARP request as an Ethernet broadcast; (7) the target's ARP module answers with an ARP reply; (8) the sender's ARP returns the hardware address to the driver; (9) the driver transmits the IP datagram in an Ethernet frame to the target's driver, which passes it up through IP and TCP]
ARP Operation
1. Get the IP address of the target.
2. Create an ARP request message:
– Fill in the sender's physical address
– Fill in the sender's IP address
– Fill in the target's IP address
– The target physical address is filled with zeros
3. The message is passed to the data link layer, where it is encapsulated in a frame:
– Source address: physical address of the sender.
– Destination address: broadcast address.
4. Every host or router on the LAN receives the frame.
– All stations pass it to ARP.
– All machines except the one targeted drop the packet.
5. The target machine replies with an ARP message that contains its physical address.
– A unicast message.
6. The sender receives the reply and now knows the physical address of the target machine.
ARP Packet Format
 Format of an ARP request or reply packet when used on an Ethernet.

Ethernet header (14 bytes)
  destination addr (6) | source addr (6) | type (2)

28-byte ARP request/reply
  hard type (2) | prot type (2) | hard size (1) | prot size (1) | op (2) | sender Ethernet addr (6) | sender IP addr (4) | target Ethernet addr (6) | target IP addr (4)
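The layout above, as an added example (written for this page, not from the original slides): it packs a 42-byte Ethernet/ARP frame field by field with Python's struct module and decodes it back, so the sizes in the figure can be checked. The MAC and IP addresses are constructed (the slides' 4-byte MACs are extended to real 6-byte ones); the consistency check at the end is the one an ARP-inspecting switch also applies.

```python
import struct

# Layout from the slide: 14-byte Ethernet header followed by a 28-byte ARP body.
ETH_HDR = struct.Struct("!6s6sH")          # destination MAC, source MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # hard type, prot type, hard size, prot size,
                                           # op, sender MAC, sender IP, target MAC, target IP
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_ip, target_mac=ZERO_MAC):
    """Return a 42-byte Ethernet frame carrying an ARP request or reply.
    A request is broadcast with the target MAC zeroed; a reply is unicast to
    target_mac. (The NIC pads the frame to the 60-byte Ethernet minimum on the wire.)"""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    body = ARP_HDR.pack(HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                        mac_bytes(sender_mac), ip_bytes(sender_ip),
                        mac_bytes(target_mac), ip_bytes(target_ip))
    return ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP) + body

def parse_arp(frame):
    """Decode an Ethernet/ARP frame into a dict, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    eth_dst, eth_src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
            "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}

def arp_consistent(fields):
    """Sanity check a switch running ARP inspection also applies: the sender MAC
    inside the ARP body must equal the Ethernet source address of the frame."""
    return fields["eth_src"] == fields["sender_mac"]

if __name__ == "__main__":
    # Constructed addresses from the slides, extended to full 6-byte MACs.
    req = build_arp(ARP_REQUEST, "aa:aa:aa:aa:aa:aa", "10.0.0.1", "10.0.0.2")
    print(len(req), "bytes:", parse_arp(req))
```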


Direct and Indirect Routing
[Figure: hosts A (204.240.18.10) and B (204.240.18.20) on one LAN with a router at 204.240.18.1 connecting to the Internet, where host C (36.14.0.200) lives]
 Direct routing: packets from B to A are sent directly, using the MAC address of A.
 Indirect routing: packets from B to C are sent to the MAC address of the router. At the IP level, B is the source and C is the destination.
Some Facts about ARP
 To avoid having to send an ARP request each time, a host caches IP addresses and the corresponding hardware addresses in its ARP table (ARP cache).
 Each entry in the ARP table is usually "aged" so that it is erased if no activity occurs within a certain period (on Windows XP the aging time is 2 to 10 min).
 When a computer receives an ARP reply, it updates its ARP cache.
 ARP is a stateless protocol: most operating systems update their cache when a reply is received, regardless of whether they actually sent a request.
[Figure: output of the arp command showing an ARP cache]
ARP Spoofing
 Construct spoofed ARP replies.
 By sending FALSE ARP replies, a target computer can be convinced to send frames destined for computer A to computer B instead.
 Neither the target nor computer A has any idea that this redirection took place.
 This process of updating a target computer's ARP cache with false entries is referred to as "ARP poisoning".
[Figure: A (IP 10.0.0.1, MAC aa:aa:aa:aa), B (IP 10.0.0.2, MAC bb:bb:bb:bb) and the hacker (IP 10.0.0.3, MAC cc:cc:cc:cc) on one switch. The hacker sends A a spoofed ARP reply "10.0.0.2 is at cc:cc:cc:cc"]
 Before: A's ARP cache holds 10.0.0.2 -> bb:bb:bb:bb; B's holds 10.0.0.1 -> aa:aa:aa:aa.
 After: A's ARP cache holds 10.0.0.2 -> cc:cc:cc:cc (A's cache is poisoned); B's is unchanged.
ARP Poisoning
 Now all the packets that A intends to send to B go to the hacker's machine instead.
 The cache entry would expire, so it must be refreshed by sending the spoofed ARP reply again.
 How often?
 Depends on the particular system.
 Usually every 40 s is sufficient.


Man-in-the-Middle Attack
 The attacker inserts a machine into the communication path between two target computers.
 The attacker forwards frames between the two targets so that communications are not interrupted.
 E.g., Cain & Abel, Hunt, Ettercap, dsniff, etc.
 Can be obtained easily from many web archives.
 Reading material and a list of ARP poisoning tools
Man-in-the-Middle
 The attack is performed as follows:
 Suppose X is the attacker's computer and T1 and T2 are the targets.
1. X poisons the ARP caches of T1 and T2.
2. T1 associates T2's IP with X's MAC.
3. T2 associates T1's IP with X's MAC.
4. All traffic between T1 and T2 then goes to X first, instead of directly to each other.
[Figure sequence: T1 (IP 10.0.0.1, MAC aa:aa:aa:aa), T2 (IP 10.0.0.2, MAC bb:bb:bb:bb) and the hacker (IP 10.0.0.3, MAC cc:cc:cc:cc) on one switch]
 Initially T1's ARP cache holds 10.0.0.2 -> bb:bb:bb:bb and T2's holds 10.0.0.1 -> aa:aa:aa:aa.
 Step 1: the hacker sends T1 a spoofed ARP reply "10.0.0.2 is at cc:cc:cc:cc". T1's cache now holds 10.0.0.2 -> cc:cc:cc:cc (T1's cache is poisoned); T2's is unchanged.
 Step 2: the hacker sends T2 a forged ARP reply "10.0.0.1 is at cc:cc:cc:cc". T2's cache now holds 10.0.0.1 -> cc:cc:cc:cc (T2's cache is poisoned).
 Step 3: a message T1 intends for T2 is delivered to the hacker, who relays it to T2.
 Step 4: a message T2 intends for T1 is likewise delivered to the hacker, who relays it to T1.
ARP Mitigation
 Many modern switches are equipped with a mechanism to detect false or invalid ARP packets.
 E.g., Cisco Catalyst switches (such as the Catalyst 6500) offer Dynamic ARP Inspection (DAI), which validates ARP packets arriving on untrusted ports against the IP-to-MAC bindings learned by DHCP snooping and drops those that do not match.
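An added example covering both the ARP poisoning described above (a stateless cache that accepts any reply) and the DAI-style mitigation on this slide. It is written for this page and is not taken from the slides or from any vendor's code: the switch port names, the DHCP snooping binding table and the addresses are constructed, and the "strict" host policy is a simplified model (real stacks differ in which unsolicited updates they accept). The packets are already-decoded field tuples rather than raw frames.

```python
from collections import namedtuple

# A decoded ARP packet as seen on a switch port (fields only, no raw bytes).
Arp = namedtuple("Arp", "port op sender_mac sender_ip target_ip")
REQUEST, REPLY = 1, 2

class ArpCache:
    """IP -> MAC cache of a host.
    strict=False: the stateless behaviour the slides describe; any reply updates it.
    strict=True: a binding is only learned from a reply answering a request this
    host sent, and a reply that would change an existing binding is reported, not applied."""
    def __init__(self, strict=False):
        self.strict = strict
        self.table = {}
        self.pending = set()    # IPs we asked for and have not yet resolved
        self.alerts = []

    def send_request(self, ip):
        self.pending.add(ip)

    def receive(self, pkt):
        if pkt.op != REPLY:
            return
        old = self.table.get(pkt.sender_ip)
        if self.strict:
            if pkt.sender_ip not in self.pending:
                self.alerts.append(f"unsolicited reply for {pkt.sender_ip} from {pkt.sender_mac}")
                return
            if old is not None and old != pkt.sender_mac:
                self.alerts.append(f"binding change {pkt.sender_ip}: {old} -> {pkt.sender_mac}")
                return
            self.pending.discard(pkt.sender_ip)
        self.table[pkt.sender_ip] = pkt.sender_mac

def dai_filter(pkt, bindings, trusted_ports):
    """Switch-side check modelled on Dynamic ARP Inspection: packets from trusted
    ports (uplinks) pass; on untrusted access ports the sender IP/MAC pair must
    match the DHCP snooping binding recorded for that port. Returns (allowed, reason)."""
    if pkt.port in trusted_ports:
        return True, "trusted port"
    bound = bindings.get((pkt.port, pkt.sender_ip))
    if bound is None:
        return False, f"no DHCP binding for {pkt.sender_ip} on {pkt.port}"
    if bound != pkt.sender_mac:
        return False, f"{pkt.sender_ip} is bound to {bound}, not {pkt.sender_mac}"
    return True, "binding matches"

# Constructed scenario from the slides: A (10.0.0.1), B (10.0.0.2), attacker (10.0.0.3).
A_MAC, B_MAC, EVIL_MAC = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
BINDINGS = {("Gi1/0/1", "10.0.0.1"): A_MAC,
            ("Gi1/0/2", "10.0.0.2"): B_MAC,
            ("Gi1/0/3", "10.0.0.3"): EVIL_MAC}      # what DHCP snooping recorded
TRUSTED = {"Gi1/0/24"}                             # uplink to the rest of the network
LEGIT_REPLY = Arp("Gi1/0/2", REPLY, B_MAC, "10.0.0.2", "10.0.0.1")
FORGED_REPLY = Arp("Gi1/0/3", REPLY, EVIL_MAC, "10.0.0.2", "10.0.0.1")   # "10.0.0.2 is at cc:..."

def run_scenario(strict):
    """A resolves B once, then the attacker sends the forged reply (every ~40 s in
    practice). Returns (what A's cache says about 10.0.0.2, alerts raised)."""
    cache = ArpCache(strict=strict)
    cache.send_request("10.0.0.2")
    cache.receive(LEGIT_REPLY)
    cache.receive(FORGED_REPLY)
    return cache.table["10.0.0.2"], cache.alerts

if __name__ == "__main__":
    print("stateless host:", run_scenario(False))
    print("strict host:   ", run_scenario(True))
    print("DAI on forged: ", dai_filter(FORGED_REPLY, BINDINGS, TRUSTED))
```

Note that the strict host policy only narrows the window: the attacker can still race a legitimate reply when A's entry expires and A re-requests it, which is why the switch-side binding check is the stronger control.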
IP spoofing
 IP spoofing is a technique used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a fake source IP address indicating that the message is coming from a trusted host.
 The attacker puts an internal, or trusted, IP address as the source. The access control device sees the IP address as trusted and lets the packet through.
IP Spoofing
 Two general techniques are used during IP spoofing:
 The attacker uses an IP address that is within the range of trusted IP addresses.
 The attacker uses an authorized external IP address that is trusted.
 Uses for IP spoofing include the following:
 IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data, since replies go to the spoofed address rather than to the attacker.
 If the attacker can also change the routing tables to point to the spoofed IP address, the attacker receives all the network packets addressed to the spoofed address and can reply just as any trusted user could.
Basic Concept of IP Spoofing
[Figure: host A (10.10.10.1) opens http://www.carleton.ca, whose address is 134.117.1.60]

Normal packet:   Src_IP 10.10.10.1   dst_IP 134.117.1.60   Src_port any (>1024)   dst_port 80
Spoofed packet:  Src_IP 11.11.11.1   dst_IP 134.117.1.60   Src_port any (>1024)   dst_port 80

 The spoofed packet differs only in its source address; any reply from the server goes to 11.11.11.1, not to A.
IP Spoofing
Why is IP spoofing easy?
 Routers forward on the destination address only; they do not verify the source address.
 Many access controls authenticate on the source address only.
 Changing the source address field in the IP header is trivial: nothing in the header protects it, the checksum is simply recomputed.
Spoofing Attacks:
There are a few variations on the types of attacks that use IP spoofing. Spoofing is classified into:
1. Non-blind spoofing
This attack takes place when the attacker is on the same subnet as the target, so that the sequence and acknowledgement numbers of the packets can be sniffed. It can be used for hijacking attacks.
Examples: TCP session hijacking (done using non-blind spoofing) and HTTP session hijacking.
Spoofing Attacks: impersonation
[Figure: the sender forges a packet carrying the partner's source address; the victim thinks "Oh, my partner sent me a packet. I'll process this."]
Spoofing Attacks:
2. Blind spoofing
This attack may take place from outside the subnet, where the sequence and acknowledgement numbers cannot be observed.
 IP spoofing is very commonly used in denial-of-service attacks (DoS), in which attackers are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time.
Today most operating systems implement random initial sequence number generation, making the numbers difficult to predict accurately.
Spoofing Attacks: flooding attack
[Figure: the sender floods the victim with packets carrying spoofed source addresses; the victim thinks "Oops, many packets are coming. But who is the real source?"]
 Example: the SYN flood attack.
Spoofing Attacks: reflection
[Figure: the sender sends an IP-spoofed packet with src: victim, dst: reflector; the reflector answers the victim, which sees "a lot of replies without any request"]
Prevention of IP Spoofing:
To prevent IP spoofing in your network, the following are some common practices:
1. Avoid source-address authentication. Implement cryptographic authentication system-wide.
2. Configure your network to reject packets from the Internet that claim to originate from a local address.
3. Implement ingress and egress filtering on the border routers, with an ACL that blocks packets carrying private (RFC 1918) source addresses on the Internet-facing interface and packets whose source address you do not own on the inside interface.
4. If you allow outside connections from trusted hosts, enable encrypted sessions at the router.
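An added example (not part of the original slides) that makes two points above concrete: forging an IPv4 header with an arbitrary source address needs nothing more than a correct checksum ("Why is IP spoofing easy?"), and a BCP 38 style border filter catches the forged packet in both directions (practices 2 and 3). The site prefix 10.10.10.0/24, the interface names and the addresses from the spoofing figure are constructed for the example.

```python
import ipaddress
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header without options

def checksum(data):
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, payload, proto=6, ttl=64, ident=0):
    """Build an IPv4 packet with whatever source address the caller asks for.
    Nothing in the header authenticates the source; only the checksum must be right."""
    hdr = IPV4_HDR.pack(0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(packet):
    """Return (src, dst, proto, checksum_ok) for an IPv4 packet."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = IPV4_HDR.unpack_from(packet)
    ihl = (ver_ihl & 0x0F) * 4
    ok = checksum(packet[:ihl]) == 0          # a valid header sums to zero
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, ok

# Constructed border-router policy. INTERNAL is the prefix the site owns; BOGONS are
# sources that must never arrive from the Internet (RFC 1918, loopback, "this" network).
INTERNAL = [ipaddress.ip_network("10.10.10.0/24")]
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

def border_filter(iface, src):
    """BCP 38 check. iface is 'outside' (packet from the Internet) or 'inside'
    (packet from the LAN). Returns (allowed, reason)."""
    addr = ipaddress.ip_address(src)
    is_internal = any(addr in n for n in INTERNAL)
    if iface == "outside":
        if is_internal:
            return False, "ingress: Internet packet claims a local source address"
        if any(addr in n for n in BOGONS):
            return False, "ingress: private/bogon source address"
        return True, "ingress ok"
    if iface == "inside":
        if not is_internal:
            return False, "egress: LAN packet with a source address we do not own"
        return True, "egress ok"
    raise ValueError(f"unknown interface {iface}")

if __name__ == "__main__":
    # The spoofed packet from the figure: claims 11.11.11.1, sent from host A's LAN.
    pkt = build_ipv4("11.11.11.1", "134.117.1.60", b"GET / HTTP/1.0\r\n\r\n")
    src, dst, proto, ok = parse_ipv4(pkt)
    print(src, "->", dst, "proto", proto, "checksum ok:", ok)
    print("leaving the LAN:", border_filter("inside", src))
```

The egress rule is what stops the figure's 11.11.11.1 packet from ever leaving host A's network, and the ingress rule is what stops an outsider from claiming 10.10.10.1; neither rule helps against a spoofed address that is valid on the interface it arrives on, which is why practice 1 (cryptographic authentication) is still needed.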
ICMP-Based Route Spoofing
 Here is how a route spoof can occur:
1. A machine sends a transmission to its default router first.
2. If the default router is not the best choice for the transmission, it sends an ICMP redirect message back to the host on the same network segment and forwards the datagram to the appropriate router.
3. The redirect message basically says "it would be best to send datagrams for network W.X.Y.Z to the router with IP address A.B.C.D".
4. The host updates its routing table so that it does not make the same mistake again.
ICMP-Based Route Spoofing
 Any machine can create ICMP redirect messages and send them to any other machine on the network!
 The routing table can be made unusable: a DoS attack.
 A machine can send an ICMP redirect naming its own IP address as the gateway and pose as a router, thereby intercepting ALL traffic!
 The simplest way to avoid ICMP redirect spoofing is to disable ICMP redirect messages on both the hosts and the routers!
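Host-side handling of ICMP redirects, as an added example (not from the slides). It models the validation that RFC 1122 (section 3.2.2.2) requires before a redirect is accepted, and the simpler option the slide recommends of refusing redirects altogether. The addresses are constructed. The source check can itself be defeated by spoofing the current gateway's IP address in the redirect, which is why disabling redirects is the robust fix rather than validating them.

```python
import ipaddress

class HostRoutingTable:
    """Minimal host routing table: on-link subnet, host routes learned from
    redirects, and a default gateway. accept_redirects=False is the slides'
    advice (on Linux: sysctl net.ipv4.conf.all.accept_redirects=0); when redirects
    are accepted, the checks from RFC 1122 section 3.2.2.2 are applied first."""

    def __init__(self, my_ip, prefix_len, default_gw, accept_redirects=False):
        self.subnet = ipaddress.ip_network(f"{my_ip}/{prefix_len}", strict=False)
        self.default_gw = ipaddress.ip_address(default_gw)
        self.routes = {}            # IPv4Network -> next-hop IPv4Address
        self.accept_redirects = accept_redirects
        self.log = []

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        if dst in self.subnet:
            return dst              # on-link: deliver directly
        matches = [n for n in self.routes if dst in n]
        if matches:
            return self.routes[max(matches, key=lambda n: n.prefixlen)]
        return self.default_gw

    def handle_redirect(self, icmp_src, embedded_dst, new_gateway):
        """Process an ICMP type 5 redirect saying 'use new_gateway for embedded_dst'
        (embedded_dst is the destination of the IP header echoed in the ICMP body).
        Returns True if the routing table was changed."""
        icmp_src, dst, new_gw = map(ipaddress.ip_address, (icmp_src, embedded_dst, new_gateway))
        if not self.accept_redirects:
            self.log.append(f"ignored redirect from {icmp_src}: redirects disabled")
            return False
        if dst in self.subnet:
            self.log.append(f"rejected redirect: {dst} is on-link, no router needed")
            return False
        # The redirect must come from the router we currently use for dst.
        # (An attacker who spoofs that router's IP as the ICMP source passes this
        # check, which is why disabling redirects is the robust fix.)
        if icmp_src != self.next_hop(dst):
            self.log.append(f"rejected redirect from {icmp_src}: not the current first hop for {dst}")
            return False
        # The new gateway must be directly reachable on our subnet.
        if new_gw not in self.subnet:
            self.log.append(f"rejected redirect: gateway {new_gw} is off-link")
            return False
        self.routes[ipaddress.ip_network(f"{dst}/32")] = new_gw
        self.log.append(f"installed host route {dst} -> {new_gw}")
        return True

if __name__ == "__main__":
    # Constructed addresses: host 192.0.2.10/24, real gateway 192.0.2.1, attacker 192.0.2.66.
    host = HostRoutingTable("192.0.2.10", 24, "192.0.2.1", accept_redirects=True)
    host.handle_redirect("192.0.2.66", "198.51.100.5", "192.0.2.66")   # attacker: rejected
    host.handle_redirect("192.0.2.1", "198.51.100.5", "192.0.2.2")     # real router: accepted
    print(host.log, host.next_hop("198.51.100.5"))
```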
Domain Name System Spoofing
 Overview: a machine (the nameserver) holds a mapping between names (www.cnn.com, for example) and IP addresses.
 A client sends a request to the nameserver for the IP address of www.cnn.com, and the nameserver replies with the address.
Domain Name Spoofing (cont.)
 Hosts commonly trust other machines based on their names.
 If the nameserver is compromised, then the domain names are subsequently compromised.
 Security-oriented TCP programs (e.g., TCP Wrappers) do a two-way lookup to authorize machines:
 Forward lookup (name to IP address)
 Reverse lookup (IP address to name)
 Only if both match is the machine authorized.
Domain Name Spoofing (cont.)
 To make attackers' lives more difficult, administrators commonly put the "forward zone" and the "reverse zone" on two separate machines, so that BOTH must be compromised.
 DNS records also commonly exist on two separate authoritative nameservers, so querying several nameservers and comparing the answers is another level of verification.
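The double lookup described above, as an added example (not from the slides). The forward and reverse zones are constructed dictionaries standing in for DNS answers; the attacker controls the reverse zone for 203.0.113.0/24 and points 203.0.113.7 at a trusted name, which is exactly the case a reverse-only check would get wrong.

```python
# Constructed zones. FORWARD is what the authoritative server for example.test
# publishes; REVERSE is the PTR data for two /24s. The attacker controls the
# reverse zone for 203.0.113.0/24 and maps 203.0.113.7 to a trusted name.
FORWARD = {
    "trusted.example.test": ["192.0.2.10"],
    "bastion.example.test": ["192.0.2.11", "192.0.2.12"],
}
REVERSE = {
    "192.0.2.10": "trusted.example.test",
    "192.0.2.11": "bastion.example.test",
    "203.0.113.7": "trusted.example.test",   # attacker-controlled PTR record
}
ALLOWED_NAMES = {"trusted.example.test", "bastion.example.test"}

def reverse_lookup(ip):
    """PTR lookup (stand-in for a real resolver call)."""
    return REVERSE.get(ip)

def forward_lookup(name):
    """A lookup (stand-in for a real resolver call)."""
    return FORWARD.get(name, [])

def authorize_client(ip):
    """Double-reverse check: PTR(ip) -> name, then A(name) must contain ip again,
    and only then is the name compared with the allow list. Returns (allowed, reason)."""
    name = reverse_lookup(ip)
    if name is None:
        return False, f"no PTR record for {ip}"
    if ip not in forward_lookup(name):
        return False, f"PTR says {name} but {name} does not resolve back to {ip}"
    if name not in ALLOWED_NAMES:
        return False, f"{name} is not on the allow list"
    return True, f"{ip} is {name}"

if __name__ == "__main__":
    for client in ("192.0.2.10", "203.0.113.7", "192.0.2.12"):
        print(client, authorize_client(client))
```

The check holds only while the forward zone is honest: an attacker who compromises both zones, or who can spoof the answers the resolver receives, passes it, so name-based trust remains weaker than the cryptographic authentication recommended earlier for IP spoofing.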
TCP Spoofing
 An attacker only needs to estimate the sequence number that will be assigned to the next data byte sent by the legitimate user.
 If the correct next sequence number is guessed, the attacker can send a forged segment containing tainted data that the receiver will process as valid data.
 If the attacker's segment arrives after the legitimate data and contains no more data than the legitimate segment, the receiver discards it completely: every byte it covers has already been received.
TCP Spoofing (cont.)
 If the tainted segment contains more data than the legitimate one, only the part that overlaps the legitimate data is rejected. The rest of the tainted transmission is accepted as valid.
 If, on the other hand, the forged segment arrives before the legitimate one, it is the forgery that is accepted: the legitimate segment then arrives with a sequence number the receiver has already consumed and is discarded as a duplicate.
TCP Spoofing (cont.)
 If the attacker guesses a number that is a bit too high, the receiver will take the segment and buffer it as out-of-order data.
 Some of the bytes at the end of the segment may be discarded because they do not fit in the space allocated by the window advertisement.
 Later, the legitimate segment arrives and fills the hole, and the buffered forged bytes are delivered right after it.
A TCP Spoofing Example
 Consider a user logging into a timesharing machine and leaving the session idle.
 An attacker merely has to guess the total number of data bytes the user has sent to the server. Usually the username, the password and a few commands are sent before the connection goes idle.
 If the attacker's estimate is within about 100 bytes, it is usually close enough to land inside the advertised window.
 All the attacker has to do is send a forged segment whose bytes correspond to a command, and it will be executed as if the logged-in user had typed it!
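The receiver behaviour described in the last four slides, modelled as an added example (not from the slides). TcpReceiver implements the RFC 793 window acceptability test and a simple reassembly queue; when two segments carry the same byte it keeps the first copy, which is one of several policies real stacks use. The sequence numbers, window size and commands in the scenario are constructed: the server has consumed 347 bytes of login and commands, advertises a 4096-byte window, and the attacker's guess is offset from the true next sequence number by the amount passed in.

```python
class TcpReceiver:
    """Receive side of one TCP connection, enough to show what a forged segment
    with a guessed sequence number does. rcv_nxt is the next byte expected,
    rcv_wnd the advertised window; out-of-order bytes wait in `buffered` until
    the hole in front of them is filled."""

    def __init__(self, rcv_nxt, rcv_wnd):
        self.rcv_nxt = rcv_nxt
        self.rcv_wnd = rcv_wnd
        self.buffered = {}          # sequence number -> byte value
        self.delivered = bytearray()
        self.events = []

    def receive(self, seq, data):
        """RFC 793 acceptability: drop what lies entirely before rcv_nxt or at or
        beyond the window's end; trim partial overlaps; buffer the rest."""
        end = seq + len(data)
        wnd_end = self.rcv_nxt + self.rcv_wnd
        if end <= self.rcv_nxt or seq >= wnd_end:
            self.events.append(f"discard seq={seq} len={len(data)}")
            return
        if seq < self.rcv_nxt:                      # front overlaps data already consumed
            self.events.append(f"trim {self.rcv_nxt - seq} already-received bytes from seq={seq}")
            data, seq = data[self.rcv_nxt - seq:], self.rcv_nxt
        if seq + len(data) > wnd_end:               # tail sticks out past the window
            self.events.append(f"trim {seq + len(data) - wnd_end} bytes past window")
            data = data[:wnd_end - seq]
        # Keep the first copy of any byte; real stacks differ on overlap policy.
        for i, b in enumerate(data):
            self.buffered.setdefault(seq + i, b)
        while self.rcv_nxt in self.buffered:        # deliver everything now contiguous
            self.delivered.append(self.buffered.pop(self.rcv_nxt))
            self.rcv_nxt += 1

# Constructed scenario from the slides: the server has already consumed 347 bytes
# of login and commands, advertises a 4096-byte window, and the session is idle.
FORGED = b"rm -rf ~\n"               # what the attacker injects
LEGIT = b"cat /etc/motd; id\n"       # 18 bytes the real user types afterwards

def spoofing_scenario(guess_offset, rcv_nxt=347, rcv_wnd=4096):
    """The attacker sends FORGED at rcv_nxt + guess_offset, then the real user
    sends LEGIT at rcv_nxt. Returns (bytes the server's shell actually reads, events)."""
    rx = TcpReceiver(rcv_nxt, rcv_wnd)
    rx.receive(rcv_nxt + guess_offset, FORGED)
    rx.receive(rcv_nxt, LEGIT)
    return bytes(rx.delivered), rx.events

if __name__ == "__main__":
    for off in (0, 18, -50, 4090, 5000):
        print(off, spoofing_scenario(off))
```

Offset 0 is the exact guess: the forgery is delivered first and the user's real command is trimmed to its tail. Offset 18 is the "a bit too high" case: the forgery waits in the buffer until the user's 18 bytes fill the hole, then runs. A guess below rcv_nxt or at or beyond the window is discarded, and a guess that straddles the window's end loses only its tail.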
Reducing TCP Spoofing Risks
1. Log out of unused terminals and open new ones only when necessary.
2. Use an interactive protocol (telnet, rlogin) whose option negotiation and echoing add overhead to the byte count, which makes the sequence number harder to guess; this only raises the bar, it does not authenticate the data.
3. Use encrypted terminal sessions (ssh), which authenticate every byte of the stream, so that forged segments are detected and rejected.
