[Figure: messages 1 ... N crossing the internetwork; the attacker has no input.]
Active Attacks …
• Masquerade attack
[Figure: the attacker sends messages 1 ... M with a false source ID, pretended to be from Bob.]
  An attacker uses the identity of another user or a random ID as the
  source ID in a message, in order for the message to:
    - gain access to the network
    - be accepted by the target host or user
    - hide the real origin of the message
  If the ID is a networking address, e.g. IP or MAC address, it is
  usually called IP (address) spoofing or MAC (address) spoofing.
• A spoofing attack may lead to modifying information
stored on the target end entity.
• Replay attack
  - Makes use of a previously sent and copied message from the sender
  - Re-sends the message to the sender or receiver.
  - If the message is sent back to the original sender, it is usually
    referred to as a reflection attack.
[Figure: replay attack. Message n is delayed and resent by the attacker.]
[Figure: messages 1 ... N between Alice and Bob are interrupted or captured by the attacker; messages are resent, possibly with some modifications, as message’ 1 ... message’ M.]
Security Services
• CIAAAA
Confidentiality, Integrity, Authenticity, Availability, Accountability
(non-repudiation), Auditing
• For network security of information transmitted over the
Internet or any public network, the three most basic
security services are Confidentiality, Integrity, and
Authenticity (CIA).
These security services are used to satisfy the four secure
communication requirements in the previous slide.
• For system security of information stored on the system or
of the system itself, apart from the basic CIA security services,
the other AAA security services are usually required, i.e.,
Availability, Accountability, and Auditing.
Network Layer …
[Figure: an IP datagram, consisting of an IP header and an IP payload.]
[Figure: the attacker is running a packet sniffer, e.g., Wireshark, with the NIC configured in promiscuous mode (usually done automatically by the packet sniffer), capturing all data frames passing through this point.]
• Some forms of active attacks by inserting IP datagrams
  - Packet injection: sending (useless) packets to a target so as to ‘jam’
    it from carrying out normal operations.
  - A common method is to use Internet Control Message Protocol
    (ICMP) packets, which firewalls may not block.
• In a symmetric attack, a single host launching the attack
may not have any impact on the target host.
  - Distributed Denial of Service (DDoS) attacks are needed.
• [10.5 Examples of Simple DDoS Attacks]
[Figure: the attacker, a large number of attacking computers, and the target.]
• (Source) IP (address) spoofing or simply IP spoofing
• Using another source IP address so as to
• impersonate or gain trust
[Figure: attacker and target. The attacker replaces the source IP address in the source IP address field by another IP address; the figure also marks the return path of packets due to IP spoofing.]
Transport Layer
[Figure: TCP connection set-up across the networks between a client and a server running a TCP service; surviving labels: "SYN, ACK" and "ACK".]
There is more information being transmitted in the messages than is shown in
the above diagram.
• A client sends a TCP SYN packet, i.e., with SYN flag set.
• A server, if accepting the connection, will reply with a TCP
SYN-ACK packet.
• At this point, the server
  - stores the state of the half-open connection
  - waits for the client to send the last TCP ACK packet
• If the client does not respond, then the server will drop the
half-open connection after a time-out period.
• If a large number of SYN packets are sent to a server, they can
overflow the temporary storage for half-open connections.
  - The server can no longer accept new TCP connection requests
    for that service.
  - It does not affect existing established TCP connections.
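The half-open connection behaviour listed above, as a toy model added here (it is not from the original slides). The backlog size of 4, the 30-second time-out and all addresses are assumed values; the model keeps state in memory only and sends no packets.

```python
from dataclasses import dataclass, field


@dataclass
class Listener:
    """Toy model of one TCP service's connection state (not a real stack)."""
    backlog: int = 4        # assumed capacity for half-open connections
    timeout: float = 30.0   # assumed seconds before a half-open entry is dropped
    half_open: dict = field(default_factory=dict)  # (ip, port) -> SYN arrival time
    established: set = field(default_factory=set)

    def _expire(self, now):
        # Drop half-open entries whose final ACK did not arrive in time.
        self.half_open = {peer: t for peer, t in self.half_open.items()
                          if now - t < self.timeout}

    def on_syn(self, peer, now):
        """Return True if a SYN-ACK is sent, False if the SYN is dropped."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return False                 # temporary storage is full
        self.half_open[peer] = now       # store state, wait for the last ACK
        return True

    def on_ack(self, peer, now):
        """Last ACK of the handshake: half-open becomes established."""
        self._expire(now)
        if self.half_open.pop(peer, None) is None:
            return False
        self.established.add(peer)
        return True


def demo():
    srv = Listener()
    alice = ("192.0.2.10", 40000)
    # Alice completes a handshake before the flood starts.
    out = {"alice_open": srv.on_syn(alice, 0.0) and srv.on_ack(alice, 0.1)}
    # Constructed flood: six SYNs from peers that never send the last ACK.
    flood = [srv.on_syn((f"198.51.100.{i}", 1024 + i), 1.0) for i in range(6)]
    out["syn_acks_sent"] = sum(flood)
    bob = ("192.0.2.20", 40001)
    out["bob_during_flood"] = srv.on_syn(bob, 2.0)       # storage still full
    out["alice_still_established"] = alice in srv.established
    out["bob_after_timeout"] = srv.on_syn(bob, 31.5)     # entries timed out
    return out


if __name__ == "__main__":
    print(demo())
```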
[Figure: the attacker sends flooding packets to the target. The figure carries three labels:]
• Packet filters to block packets with obviously spoofed IP
addresses
• A more powerful intermediate device to detect and block IP
spoofed packets
• Host and network intrusion detection/prevention systems to
detect a flooding attack and to reduce its impact
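A sketch of the first measure above, a packet filter for obviously spoofed source addresses, added here as an example (not from the original slides). The interface names, the internal prefix 192.168.0.0/24 and the sample packets are assumptions, and the special-purpose block list is illustrative rather than complete.

```python
import ipaddress

# Special-purpose blocks that are never valid sources on packets arriving
# from a public network (illustrative list, not exhaustive).
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def spoof_reason(src, iface, internal_net):
    """Return why a source address is obviously spoofed, or None if it passes.

    iface is the (hypothetical) name of the arriving interface:
    "external" faces the public network, "internal" faces our own hosts.
    """
    addr = ipaddress.ip_address(src)
    inside = ipaddress.ip_network(internal_net)
    if iface == "external":
        if addr in inside:
            return "internal address arriving from outside"
        for net in NEVER_FROM_OUTSIDE:
            if addr in net:
                return f"special-purpose source {net}"
    elif iface == "internal" and addr not in inside:
        # Egress filtering: our own hosts must use our own prefix.
        return "source outside the internal prefix"
    return None


# Constructed sample: (source address, arriving interface).
SAMPLE = [
    ("203.0.113.7", "external"),
    ("192.168.0.10", "external"),
    ("127.0.0.1", "external"),
    ("10.1.2.3", "external"),
    ("192.168.0.3", "internal"),
    ("198.51.100.9", "internal"),
]


def filter_sample(internal_net="192.168.0.0/24"):
    return [(s, i, spoof_reason(s, i, internal_net)) for s, i in SAMPLE]


if __name__ == "__main__":
    for src, iface, reason in filter_sample():
        print(f"{src:15} {iface:8} {'DROP: ' + reason if reason else 'pass'}")
```

A spoofed source that is an ordinary public address passes this check, which is why the other two labels in the figure call for stronger detection.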
Packet Builder
• A packet builder is
  - a program to create, craft, edit, send/receive frames.
  - actually a frame builder, while it is commonly called a packet
    builder
  - used to send the built packets and receive replies, if any
• There are high-level packet builders with a friendly GUI.
• A packet builder can also be developed using a scripting
language.
• Scapy is a packet builder written in Python.
• A packet in Scapy is
  - built by using command-line commands, such as Ether, ARP, IP,
    TCP.
  - sent by using commands, e.g., srp, sendp.
• Scapy website: http://www.secdev.org/projects/scapy/
ans will contain the ARP reply if the query is successful, while
unans will contain packets sent with no replies.
• sendp(a)
ICMP packet: b = Ether()/IP(dst="192.168.0.10")/ICMP()
TCP segment:
c = Ether()/IP(dst="192.168.0.3")/TCP(sport=1234, dport=80)
[Figure callouts: "Layer 3 or IP Layer or another protocol carried by the layer 2 protocol"; "ls command shows the contents of a packet in a variable."]