
Network Security: Lecture 1

300143 Network Security

1. Network Security Concepts and Threats

• Reference: [Chapter 1] and [Section 10.11]
 Notation [X] means that X is in the textbook.
• This lecture covers more details, especially with regard to:
 Security Concepts and Threats
  An overview of the above, with regard to the lower layers of the OSI Network Model.
 OSI and TCP/IP Models
  Some security aspects of each of the OSI or TCP/IP layers.
• Figures and tables in the textbook which are relevant to a lecture will be quoted.
 Lecture slides do not include those figures and tables.

© 2020.2 WSU Lecture No. 1-1


Security Concepts and Threats

• A simple model illustrating security attacks:
 [Diagram: Sender → Internetwork → Receiver(s). Network security attacks occur or originate in the internetwork.]
• Network security issues arise when a third party, an adversary, is present somewhere on the internetwork.
 Passive attacks: The adversary adopts the role of a receiver.
 Active attacks: The adversary adopts the role of a sender.

Passive Attacks ...

• [Figure 1.2(a) Passive attacks]
 [Diagram: Bob sends message 1 ... message N to Alice. The Attacker holds copied messages from the communications between Bob and Alice, and has no input.]
 Other attacks may involve copying of messages.

... Passive Attacks …

• Passive attacks mainly involve observing or copying the information being transmitted between the two end entities.
• A message being transmitted usually consists of two parts:
 Message header containing
  Information about the information carried in the message body, e.g., type of message, size, date, etc.
  Delivery information such as network addresses
 Message payload (or body) containing
  Information contents as far as this message is concerned
 Some protocols may have a trailer, which usually contains header information placed at the back of a message.
• "Message" is a general term.
 A specific term, e.g., packet, is used at a particular OSI layer.
 [Diagram: Header | Payload (or Body) | Trailer]

... Passive Attacks


• A major aspect of a passive attack is how a copied message is used.
• Two kinds of passive attacks, depending on what message information is used by an attacker:
 Unauthorized release of message contents
  from the message payload
 Traffic analysis
  Observing and using information about the message, i.e.
  • Message header information, e.g. sender and receiver IDs
  • Information about the contents of the message, such as sizes of messages being sent, frequency, times, and so on.
• Passive attacks are
 Hard to detect when information is just being copied or observed, and attackers do not have inputs to the communications.
 Sometimes detected or revealed later when the copied information is being used by the attacker.
Active Attacks …

• [Figure 1.2(b) Active Attacks]
• Masquerade attack
 [Diagram: The Attacker sends message 1 ... message M to Alice with a false source ID, pretending to be from Bob, who may just be a random end entity.]

... Active Attacks …

• Masquerade attack
 An attacker uses the identity of another user or a random ID as the source ID in a message, in order for the message to:
  gain access to the network
  be accepted by the target host or user
  hide the real origin of the message
 If the ID is a networking address, e.g. an IP or MAC address, it is usually called IP (address) spoofing or MAC (address) spoofing.
• A spoofing attack may lead to modifying information stored on the target end entity.
 [Diagram: A message with false contents, from an attacker pretending to be Bob by using Bob's ID as the source ID, is sent to Alice. Alice may update information about Bob according to the false contents if she accepts the message.]

... Active Attacks …

• Replay attack
 Makes use of a previously sent and copied message from the sender
 Re-sends the message to the sender or receiver.
 If the message is sent back to the original sender, it is usually referred to as a reflection attack.
 [Diagram: Bob sends message 1 ... message N to Alice. The Attacker delays and resends a copy of message n.]

… Active Attacks ...


• Modification attack:
 An attacker intercepts or interrupts a message, modifies it, and sends the modified copy to the receiver.
 Modification also includes message stream modification, e.g. re-ordering or deleting messages in a sequence of related messages.
 A bi-directional modification attack is sometimes called a Man-in-the-Middle (MiM) attack.
 [Diagram: Messages 1 ... M from Bob are interrupted or captured by the Attacker and resent to Alice, possibly with some modifications, as message' 1 ... message' M. Messages may also be intercepted or copied instead.]

… Active Attacks

• Denial of service (DoS) attack
 Sending bogus or crafted messages to a receiver (which can be a computer or a network) to adversely affect its operation.
 May be classified as:
  Asymmetric: the attacker uses few resources to perform a DoS attack on a larger or more powerful target.
  Symmetric: the attacker and the target have more or less the same amount of resources.
• Distributed denial of service (DDoS) attack
 A DoS attack performed by a large number of attackers or compromised computers.
 [Diagram: The Attacker sends lots of garbage messages, or a few crafted messages, to Alice.]

Secure Communication Requirements


• (End entity) authentication
 The sender's and/or the recipient's identity needs to be uniquely identified and verified by the other side.
• (Message) integrity
 The transmitted information is not modified, on purpose or by accident, without the receiver realizing that.
 This includes message stream integrity of related messages.
• Message (origin) authentication
 The link between the transmitted information and the sender's identity needs to be verified. Also for non-repudiation purposes.
• Confidentiality (protection)
 Protection against unauthorized release of transmitted information, including message contents and/or information about the message.
• Additional requirements depending on an individual's or organization's security policy
• Words in () may be omitted.
Security Services

• CIAAAA
 Confidentiality, Integrity, Authenticity, Availability, Accountability (non-repudiation), Auditing
• For network security of information transmitted over the Internet or any public network, the three most basic security services are Confidentiality, Integrity, and Authenticity (CIA).
 These security services are used to satisfy the four secure communication requirements in the previous slide.
• For system security of information stored on the system, or of the system itself,
 apart from the basic CIA security services,
 other AAA security services are usually required, i.e.,
  Availability, Accountability, and Auditing

Data Link Layer …

• Information at this layer is encapsulated in frames.
• Frame format (Ethernet):
 [Diagram: Header | Frame Data | FCS]
 Header contents include:
  • Destination MAC address
  • Source MAC address
 Frame Data contains the upper layer protocol data unit (PDU), which is normally an IP packet (IP Header | IP Payload).
  • If privacy protection is used at this layer, that means the Data portion is encrypted, including the IP packet header and payload.
• On a broadcast LAN, in theory, every host attached to the network has access to any frame being transmitted.

… Data Link Layer


• A passive attack is possible by changing the mode of a NIC to promiscuous mode to capture all the frames transmitted on the LAN.
• Privacy protection:
 Frame Data can only be encrypted as a whole at this layer.
 If the destination is on another LAN, a frame has to pass through routers, which need to decrypt the frame data to reveal the destination IP address.
 [Diagram: Header | Frame Data, sent from the LAN through a Router to an outside network. Frame data is usually an IP packet; when it is encrypted, the destination IP address cannot be read by the router.]

Results of ARP Cache Poisoning


• ARP Cache Poisoning Attacks
 Two examples of attack results
 Performed by changing (or poisoning) the MAC Address part of an entry in the target computer's or a network device's ARP cache
 [Diagram: Attacker = PC3, Target = PC4. The Router's ARP cache is attacked, but it is not the real target.]

 PC2's ARP Cache (normal)
 IP Address    MAC Address
 192.168.1.1   MAC_Router

 Router's ARP Cache (poisoned)
 IP Address    MAC Address
 192.168.1.2   MAC_PC2
 192.168.1.4   MAC_PC3   (this should be MAC_PC4)

 PC4's ARP Cache (poisoned)
 IP Address    MAC Address
 192.168.1.1   MAC_PC3   (this should be MAC_Router)
 192.168.1.2   MAC_PC2

ARP Cache Poisoning Attack


• ARP cache poisoning attack using an ARP query
 1. ARP query with
  • Source IP address = 192.168.1.1
  • Source MAC address = MAC_PC3 or a random one
  • Destination IP address = 192.168.1.4
 2. Target replies to the ARP query, but also places the source IP and MAC address pair in the query into its ARP cache, due to the nature of ARP.
 [Diagram: The Attacker (PC3) sends the query to the Target (PC4). PC4's ARP Cache afterwards: 192.168.1.1 → MAC_PC3]
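An added example (written for this page, not from the lecture or Scapy): a small Python ARP monitor showing how the poisoning above can be detected on the defending side. It records the first IP-to-MAC binding seen for each sender, checks ARP requests as well as replies since caches learn from both, and reports any message whose sender pair contradicts a known binding. The MAC addresses and the message sequence are constructed to match the MAC_Router/MAC_PC2/MAC_PC3/MAC_PC4 scenario on the slides.

```python
from dataclasses import dataclass
from collections import defaultdict

# Constructed MAC addresses standing in for the slides' MAC_Router, MAC_PC2, MAC_PC3, MAC_PC4.
MAC_ROUTER, MAC_PC2, MAC_PC3, MAC_PC4 = ("00:11:22:33:44:01", "00:11:22:33:44:02",
                                         "00:11:22:33:44:03", "00:11:22:33:44:04")

@dataclass(frozen=True)
class ArpMessage:
    op: str          # "request" or "reply"
    sender_ip: str   # sender protocol address (the pair that caches learn)
    sender_mac: str  # sender hardware address
    target_ip: str

class ArpWatcher:
    """Passive ARP monitor: remembers the first IP->MAC binding per IP (plus any
    statically configured ones) and flags messages whose sender pair conflicts.
    Requests are checked too, because hosts cache the sender pair carried in a
    request as well as in a reply (the behaviour the poisoning query relies on)."""
    def __init__(self, static_bindings=None):
        self.bindings = dict(static_bindings or {})   # ip -> mac
        self.claims = defaultdict(set)                # mac -> {ips it has claimed}
        self.alerts = []                              # (ip, expected_mac, seen_mac, op)

    def observe(self, msg):
        self.claims[msg.sender_mac].add(msg.sender_ip)
        known = self.bindings.get(msg.sender_ip)
        if known is None:
            self.bindings[msg.sender_ip] = msg.sender_mac   # learn on first sight
        elif known != msg.sender_mac:
            self.alerts.append((msg.sender_ip, known, msg.sender_mac, msg.op))

    def macs_claiming_multiple_ips(self):
        """One MAC answering for several IPs is the signature of a man-in-the-middle position."""
        return {mac: ips for mac, ips in self.claims.items() if len(ips) > 1}

# Constructed traffic: normal replies first, then the two poisoning queries from the slides.
SAMPLE = [
    ArpMessage("reply", "192.168.1.2", MAC_PC2, "192.168.1.1"),
    ArpMessage("reply", "192.168.1.3", MAC_PC3, "192.168.1.1"),
    ArpMessage("reply", "192.168.1.4", MAC_PC4, "192.168.1.1"),
    ArpMessage("request", "192.168.1.1", MAC_PC3, "192.168.1.4"),  # would poison PC4's cache
    ArpMessage("request", "192.168.1.4", MAC_PC3, "192.168.1.1"),  # would poison the router's cache
]

def run_sample():
    # The gateway binding is configured statically; the rest is learned from traffic.
    watcher = ArpWatcher(static_bindings={"192.168.1.1": MAC_ROUTER})
    for msg in SAMPLE:
        watcher.observe(msg)
    return watcher.alerts, watcher.macs_claiming_multiple_ips()
```

A static entry for the gateway is what makes the first poisoning query detectable at once; without it the monitor would only notice the change if the router's genuine reply had been seen earlier.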

Network Layer …

• Information at this layer is encapsulated in IP datagrams (or packets) in the case of TCP/IP.
• IPv4 datagram:
 [Diagram: IP Header | IP Payload]
 Header contents include:
  • Various information about the packet
  • Destination IP address
  • Source IP address
  • Options
 IP Payload contains the upper layer protocol data unit (PDU), which is normally, but not necessarily, a TCP segment.
  • During transmission through networks, a (large) IP payload is usually fragmented into smaller blocks which are carried by a number of IP packets.
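An added example (not from the lecture): a Python parser for the Ethernet frame and IPv4 datagram formats described on the Data Link Layer and Network Layer slides, splitting each into header fields and payload and exposing the fragmentation fields. The sample frame is constructed in code; the gateway MAC 00:50:56:c0:00:08 is taken from the slides, while the source MAC and the checksums are made-up values.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def parse_frame(frame):
    """Split an Ethernet frame into header fields and the encapsulated PDU (the Frame
    Data field). The FCS is checked and stripped by the NIC, so it is not in the bytes."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return {"dst_mac": _mac(dst), "src_mac": _mac(src),
            "ethertype": ethertype, "data": frame[ETH_HDR_LEN:]}

def parse_ipv4(packet):
    """Split an IPv4 datagram into header fields, options and payload.
    The DF/MF flags and fragment offset show how a large payload is spread over packets."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hdr_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL is in 32-bit words
    if version != 4 or hdr_len < 20 or total_len < hdr_len or len(packet) < total_len:
        raise ValueError("not a well-formed IPv4 datagram")
    return {"header_len": hdr_len, "total_len": total_len, "id": ident,
            "dont_fragment": bool(flags_frag & 0x4000),
            "more_fragments": bool(flags_frag & 0x2000),
            "fragment_offset": (flags_frag & 0x1FFF) * 8,      # stored in 8-byte units
            "ttl": ttl, "protocol": proto, "src_ip": _ip(src), "dst_ip": _ip(dst),
            "options": packet[20:hdr_len], "payload": packet[hdr_len:total_len]}

def build_sample_frame():
    """Constructed frame, not captured traffic: the first fragment (MF set) of an ICMP
    echo request from 192.168.0.10 to 192.168.0.1, whose MAC is the one on the slides.
    The source MAC is made up and both checksums are left at 0 for brevity."""
    payload = bytes([8, 0, 0, 0])                       # ICMP type 8 (echo request), code 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0x2000, 64, 1, 0,               # MF flag, offset 0, TTL 64, proto 1 (ICMP)
                         bytes([192, 168, 0, 10]), bytes([192, 168, 0, 1]))
    eth_hdr = struct.pack("!6s6sH", bytes.fromhex("005056c00008"),
                          bytes.fromhex("0800271a2b3c"), ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + payload
```

Parsing the Frame Data field only works because it is in the clear; with link-layer encryption as on the next slides, parse_ipv4 would see ciphertext, which is exactly why a router cannot read the destination address.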

… Network Layer …

• Normally, an attacker may perform:
 Passive attacks by observing IP datagrams
  By using packet sniffers
 [Diagram: The Attacker runs a packet sniffer, e.g., Wireshark, with the NIC configured in promiscuous mode (usually done automatically by the packet sniffer), capturing all data frames passing through this point.]
• Nowadays, a PC is usually connected to a switch, which will not normally broadcast the traffic to all PCs.
• Packet sniffing on wired LANs requires more effort.

… Network Layer …
• Some forms of active attacks by inserting IP datagrams
 Packet injection: sending (useless) packets to a target so as to 'jam' it from carrying out normal operations.
 A common method is to use Internet Control Message Protocol (ICMP) packets, which firewalls may not block.
• In a symmetric attack, a single host launching the attack may not have any impact on the target host.
 Distributed Denial of Service (DDoS) attacks are needed.
• [10.5 Examples of Simple DDoS Attacks]
 [Diagram: The Attacker controls a large number of attacking computers, which send traffic to the Target.]

… Network Layer
• (Source) IP (address) spoofing or simply IP spoofing
 Using another source IP address so as to
  • impersonate or gain trust
  • hide the source of the packet
 A side-effect of IP spoofing is that any returned IP packet from the destination will be sent to the spoofed IP address, not to the original sender/attacker.
 [Diagram: The Attacker replaces the source IP address in the source IP address field with another IP address; the return path of packets from the Target therefore leads to the spoofed address.]

DoS Attacks using ICMP Packets

• ICMP packets are often used in DoS attacks at the network layer.
 There are a number of classical ICMP DoS attacks.
 These attacks may be outdated, but their principles are common.
• They include:
 Ping of Death
  A single crafted oversized ICMP packet to crash a computer
 Coordinated or Distributed Ping Attack
  A large number of pings sent to the target at the same time by a large number of hosts
 Smurf Attack
  IP-spoofed ICMP echo request packets
  "Multipliers" on networks create a large number of ICMP echo reply packets to the target

Transport Layer

• There are two protocols at this layer in the case of TCP/IP, i.e. TCP and UDP, where UDP is just an IP datagram plus UDP port numbers.
• TCP segment contents:
 Header:
  Source Port, Destination Port, Sequence Number, Acknowledgement Number, HLEN
  Code Bits including
   • SYN flag, ACK flag
  Window, Checksum, Urgent Pointer, Options
 Data (upper layer PDU)
• TCP is a reliable, connection-oriented transport protocol.
 It establishes a communication session between the source and destination first, before any data are sent.

TCP Three-Way Handshaking

• TCP three-way handshaking
 A server running a TCP service opens a port to accept a client's connection request for that particular service.
 The connection is established by a three-way handshaking procedure:
 [Diagram: Client → Server: SYN (a TCP packet with the SYN flag set); Server → Client: SYN, ACK; Client → Server: ACK. After the SYN, the server is in a half-open connection state, which it needs to remember.]
 There is more information being transmitted in the messages than is shown in the above diagram.

TCP SYN Flood Attack …

• A client sends a TCP SYN packet, i.e., with the SYN flag set.
• A server, if accepting the connection, will reply with a TCP SYN-ACK packet.
• At this point, the server
 stores the state of the half-open connection
 waits for the client to send the last TCP ACK packet
 If the client does not respond, then the server will drop the half-open connection after a time-out period.
 If a large number of SYN packets are sent to a server, they can overflow the temporary storage for half-open connections.
  The server can no longer accept new TCP connection requests for that service.
  It does not affect existing established TCP connections.

… TCP SYN Flood Attack

• IP spoofing is always used by attackers to hide the sources of attacks.
 The SYN-ACK packets are sent to the spoofed IP address.
 The attacker would not be able to reply by sending the last ACK packets to the server even if the attacker wanted to do so.
 [Diagram: Incoming SYN packets from the Attacker reach the Server running a TCP service; replies from the Server are sent to the spoofed IP addresses. The temporary storage for half-open connections fills with half-open connections waiting to time out, and overflows sooner or later.]
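An added example (a teaching model written for this page, not real TCP stack code): a Python simulation of the server's temporary storage for half-open connections. It shows the three effects the slides describe: a burst of SYNs from spoofed sources that never ACK makes the server refuse new clients, leaves an already established connection untouched, and the storage recovers once the entries time out. The addresses, capacity and time-out are constructed values.

```python
class SynBacklog:
    """Model of a server's temporary storage for half-open TCP connections."""
    def __init__(self, capacity, timeout):
        self.capacity, self.timeout = capacity, timeout
        self.half_open = {}        # (client_ip, client_port) -> time the entry times out
        self.established = set()   # connections that completed the handshake
        self.rejected = 0          # SYNs refused because the storage was full
        self.timed_out = 0         # half-open entries dropped after the time-out

    def _expire(self, now):
        stale = [c for c, deadline in self.half_open.items() if deadline <= now]
        for c in stale:
            del self.half_open[c]
        self.timed_out += len(stale)

    def syn(self, now, client):
        """SYN received: store the half-open state and 'send' SYN-ACK, or refuse."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.rejected += 1
            return False   # storage overflow: no new connections for this service
        self.half_open[client] = now + self.timeout
        return True        # the SYN-ACK goes to the source address, spoofed or not

    def ack(self, now, client):
        """Final ACK received: complete the handshake if the half-open state exists."""
        self._expire(now)
        if client not in self.half_open:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True

def simulate(capacity=16, timeout=30.0):
    """Constructed scenario: one legitimate handshake, then a burst of SYNs whose
    spoofed sources (203.0.113.0/24, a documentation range) never send the ACK."""
    srv = SynBacklog(capacity, timeout)
    legit = ("10.0.0.5", 40001)
    srv.syn(0.0, legit)
    srv.ack(0.1, legit)                                  # established before the flood
    for i in range(capacity):                            # flood fills the storage
        srv.syn(1.0 + i * 0.01, (f"203.0.113.{i}", 50000 + i))
    newcomer = ("10.0.0.6", 40002)
    return {"new_client_refused": not srv.syn(2.0, newcomer),
            "existing_unaffected": legit in srv.established,
            "accepted_after_timeout": srv.syn(2.0 + timeout, newcomer),
            "entries_timed_out": srv.timed_out,
            "syns_rejected": srv.rejected}
```

The model also makes the asymmetry visible: the attacker spends one packet per entry while the server holds state for the whole time-out period.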
Defence Against Flooding Attacks

Flooding packets are assumed to be always IP spoofed.
[Diagram: Attacker → Target, flooding packets. Defences along the path:
 • Packet filters to block packets with obviously spoofed IP addresses
 • A more powerful intermediate device to detect and block IP-spoofed packets
 • Host and network intrusion detection/prevention systems to detect a flooding attack and to reduce its impact]
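An added example (not from the lecture): the first defence on the slide, a packet filter for obviously spoofed source addresses, in Python. It assumes the filter sits on the border router of the 192.168.1.0/24 LAN used on the ARP slides and classifies inbound and outbound packets by whether their source address could plausibly have come from that direction; the sample packets are constructed.

```python
import ipaddress

# Constructed deployment: border router of the LAN 192.168.1.0/24 from the ARP slides.
# direction "in" = arriving from the Internet, "out" = leaving the LAN.
INSIDE = ipaddress.ip_network("192.168.1.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NEVER_A_SOURCE = [ipaddress.ip_network(n) for n in
                  ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def spoof_reason(src_ip, direction):
    """Return why a packet's source address is obviously spoofed, or None if it is plausible.
    Only implausible sources are caught this way; a spoofed but plausible address passes,
    which is why the slide also lists a more powerful intermediate device and IDS/IPS."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in NEVER_A_SOURCE):
        return "source address can never originate a routed packet"
    if direction == "in" and ip in INSIDE:
        return "our own prefix as source on an inbound packet"
    if direction == "in" and any(ip in net for net in RFC1918):
        return "private (RFC 1918) source arriving from the Internet"
    if direction == "out" and ip not in INSIDE:
        return "outbound packet not from our own prefix (egress filtering)"
    return None

def filter_packets(packets):
    """Split (src_ip, direction, summary) tuples into passed summaries and blocked (summary, reason)."""
    passed, blocked = [], []
    for src, direction, summary in packets:
        reason = spoof_reason(src, direction)
        if reason:
            blocked.append((summary, reason))
        else:
            passed.append(summary)
    return passed, blocked

# Constructed sample traffic; 203.0.113.0/24 is a documentation range standing in for the Internet.
SAMPLE = [
    ("203.0.113.7", "in",  "SYN from the Internet to 192.168.1.4:80"),
    ("192.168.1.9", "in",  "SYN claiming to come from our own LAN"),
    ("10.0.0.1",    "in",  "SYN with a private source from the Internet"),
    ("127.0.0.1",   "in",  "SYN with a loopback source"),
    ("192.168.1.9", "out", "reply from our LAN to the Internet"),
    ("203.0.113.7", "out", "outbound packet whose source is not ours (a spoofing host inside)"),
]

def run_sample():
    return filter_packets(SAMPLE)
```

The outbound rule is the one that stops the LAN itself from being the source of spoofed flooding packets; the inbound rules only catch the crude cases.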

Packet Builder
• A packet builder is
 a program to create, craft, edit and send/receive frames.
 actually a frame builder, although it is commonly called a packet builder
 used to send the built packets and receive replies, if any
• There are high-level packet builders with a friendly GUI.
• A packet builder can also be developed using a scripting language.
• Scapy is a packet builder written in Python.
• A packet in Scapy is
 built by using command-line commands, such as Ether, ARP, IP, TCP.
 sent by using commands, e.g., srp, sendp.
• Scapy website: http://www.secdev.org/projects/scapy/

Packet Builder: Layer 2 Frame


• A Scapy command to build and send an ARP query:
 ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.0.1"), timeout=2, iface="eth0")
 ans and unans are the output parameters of the function srp, which is used to send the "packet" specified in the function's 1st parameter:
  Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.0.1")
  • an Ethernet frame with an ARP payload, where / is a stacking operator to encapsulate the ARP PDU in the Ether frame
  • dst and pdst are the MAC and IP destination addresses.
 timeout specifies the max time to wait for a reply, and iface the interface on which to send the packet out and receive any reply.
 Parameters not specified, e.g., source MAC and IP addresses, are assigned default values.
 Non-atomic values, e.g., a string, are enclosed in "".
 ans will contain the ARP reply if the query is successful, while unans will contain packets sent with no replies.

Scapy ARP Query

• ans.show() shows the replied packet in the output variable ans in a high-level format.
 MAC address of 192.168.0.1 is 00:50:56:c0:00:08.

Packet Builder: IP and TCP Packets


• Packets can be built by stacking the IP and TCP PDUs on top of lower layer PDUs.
• Scapy commands to build:
 IP packet: a = Ether()/IP(dst="192.168.0.1")
  a is a variable and it contains the built IP packet with a destination IP address, dst="192.168.0.1".
  The packet can be sent by using the Scapy srp or sendp.
   • sendp(a)
 ICMP packet: b = Ether()/IP(dst="192.168.0.10")/ICMP()
 TCP segment:
  c = Ether()/IP(dst="192.168.0.3")/TCP(sport=1234, dport=80)
  sport and dport are the source and destination ports, respectively.
• Parameter names and default values can be found out by using the ls command, e.g., ls(IP).

Scapy ls command and Packet Contents

[Screenshot: the ls command shows the contents of a packet in a variable, here the built packet in variable b. Contents are shown in OSI layers from Layer 2, Layer 3, ..., with each layer separated by --:
 • Layer 2 or MAC layer
 • Layer 3 or IP layer, or another protocol carried by the layer 2 protocol
 • Layer 4 or TCP layer, or another protocol carried by IP, e.g., ICMP]

Building and Sending Packets

• A built packet in a variable can be sent using
 srp if reply packets are wanted
 sendp otherwise.

*** End ***

