
Network Security Attacks & Malicious Code
• A security attack is any action that compromises the security of information (i.e. stored or in transit).
• Malicious code is the term used to describe any code in any part of a software system that is intended to cause undesired effects, security breaches or damage to a system.
• Malicious code includes viruses, worms, Trojan horses, backdoors, and malicious active content.
Main issues
• Security never stops
• New threats constantly emerge
• Security is concerned with risk management
• Security policy is not well understood
• Too much reliance on technology alone for security
• Most employees do not know the security policies of their organizations
What makes a network vulnerable
• Complexity: many users do not know what their computers are doing at any moment
• Unknown perimeter: one host may be a node on two different networks, exposing each to uncontrolled groups of possibly malicious users
• Unknown path: there can be multiple paths from one host to another.
How do attackers perpetrate attacks?
a) Port scan
For a particular IP address, the scanning program gathers network information. It tells an attacker which standard ports are in use, which OS is installed on the target system, and which applications and versions are present. E.g. ????
b) Social engineering
Using disguise to solicit information without authorization
c) Intelligence
Gathering all the information and making a plan.
d) Bulletin boards and chats
Exchanging information and techniques online
Security goals vs. attacks

Attacks can be grouped according to the ways in which they violate security goals, namely:
• Confidentiality
• Integrity
• Availability
• Authentication
1) Message Confidentiality Threats
• Mis-delivery
– A message can be delivered to someone other than the intended recipient, e.g. sending email to the wrong recipient

• Exposure
– Passive wiretapping is a source of message exposure. Passive wiretapping refers to the monitoring or recording of data, such as passwords transmitted in clear text, over a communication link. This is done without altering or affecting the data. It can be achieved through packet sniffing.

• Traffic flow analysis
– Intercepting both the content of the message and the header information that identifies the sender and receiver
2) Message Integrity Threats
A message should reach the receiver in its original form (without alteration).

• Falsification of messages
– An attacker may change the content of a message on its way to the receiver
– An attacker may destroy or delete a message
– These attacks can be perpetrated by active wiretapping, man-in-the-middle attacks, or Trojan horses

• Noise
– Unintentional interference
Man-in-the-middle attack

3) Availability Attacks
• Also known as Denial of Service (DoS)
• The main aim is to stop the victim's machine from doing its required job
• E.g. a server unable to provide service to legitimate clients. The damage done varies from minor inconvenience to major financial losses.
• It can be perpetrated in two forms, i.e.
a) Transmission failure
b) Connection flooding
3) Availability Attacks contd …
• Transmission failure
– Network transmission line being down
– Power failure
– Network noise making a packet unrecognizable or undeliverable
• Connection flooding
– Sending too much data
– Protocol attacks: TCP, UDP, ICMP (Internet Control Message Protocol)
Protocol attacks: a) SYN flood
• It is the most common DoS attack.
• The attack uses the TCP protocol suite
• It is a network connectivity attack
• It is usually difficult to trace the attack back to its originator
• Web servers and systems connected to the Internet providing TCP-based services, such as FTP servers and mail servers, are susceptible
• It exploits TCP's three-way handshake mechanism and its limitations in maintaining half-open connections
SYN flood contd…
• It prevents a TCP/IP server from servicing other users.
• It is accomplished by not sending the final acknowledgment to the server's SYN-ACK (SYNchronize-ACKnowledge) response in the handshaking sequence, which causes the server to keep resending the SYN-ACK and holding the half-open connection until it eventually times out.
TCP Protocol: Three-way Handshake (client connecting to a TCP port on a mail server)

• Client → Server: SYN. The client requests a connection; the server port is in the LISTEN state.
• Server → Client: SYN + ACK. The server agrees to the connection request and enters the SYN_RCVD state.
• Client → Server: ACK. The client finishes the handshake and the connection is CONNECTED.

SYN Flood

Insert diagram
Effects of SYN flood
• Since each request has not been fully processed, the excess SYN packets take up memory
• Many such SYN packets clog the system and take up memory
• Eventually the attacked node is unable to process any requests as it runs out of memory storage space
• SYN flood attacks can either overload the server or cause it to crash
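The port scan slide and the SYN flood slides above describe two traffic patterns a defender can look for. The following Python is an added example, not part of the original slides: it runs two simple checks over a constructed packet trace (the addresses, ports and timings are invented for the demo), flagging a source that probes many distinct ports on one host inside a short window, and counting the handshakes left half-open per listening port, which are the entries that occupy the server's memory during a SYN flood. The thresholds window_s, min_ports and min_half_open are assumed values, not figures from the slides.

```python
from collections import Counter, defaultdict

# Constructed packet trace (not a real capture): (time_s, src_ip, dst_ip, dst_port, tcp_flags).
# Flags are simplified to "SYN" (connection request) and "ACK" (the client's final
# handshake packet). Addresses come from documentation/private ranges chosen for the demo.
TRACE = [
    # one source probing eight well-known ports on the same host within one second
    (0.1, "203.0.113.7", "192.0.2.10", 21, "SYN"),
    (0.2, "203.0.113.7", "192.0.2.10", 22, "SYN"),
    (0.3, "203.0.113.7", "192.0.2.10", 23, "SYN"),
    (0.4, "203.0.113.7", "192.0.2.10", 25, "SYN"),
    (0.5, "203.0.113.7", "192.0.2.10", 80, "SYN"),
    (0.6, "203.0.113.7", "192.0.2.10", 110, "SYN"),
    (0.7, "203.0.113.7", "192.0.2.10", 143, "SYN"),
    (0.8, "203.0.113.7", "192.0.2.10", 443, "SYN"),
    # a legitimate mail client: SYN followed by the ACK that completes the handshake
    (1.0, "198.51.100.5", "192.0.2.10", 25, "SYN"),
    (1.1, "198.51.100.5", "192.0.2.10", 25, "ACK"),
]
# 300 SYNs to the mail port from spoofed sources that never send the final ACK
TRACE += [(2.0 + i * 0.01, f"10.9.{i // 256}.{i % 256}", "192.0.2.10", 25, "SYN")
          for i in range(300)]


def detect_port_scans(trace, window_s=5.0, min_ports=6):
    """Port-scan check: a source that sends SYNs to at least min_ports distinct
    ports on one destination inside a window_s-second window.
    Returns {(src, dst): set_of_probed_ports} for each offender."""
    probes = defaultdict(list)                     # (src, dst) -> [(t, port), ...]
    for t, src, dst, port, flags in trace:
        if flags == "SYN":
            probes[(src, dst)].append((t, port))
    scanners = {}
    for key, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):       # slide the window over each start time
            ports = {p for t, p in events[i:] if t - t0 <= window_s}
            if len(ports) >= min_ports:
                scanners[key] = ports
                break
    return scanners


def detect_syn_floods(trace, min_half_open=100):
    """SYN-flood check: count handshakes left half-open per listening (dst, port),
    i.e. SYNs whose source never sends the completing ACK. These are the entries
    that sit in the server's half-open queue. Returns {(dst, port): n} for ports
    with at least min_half_open such entries."""
    completed = {(src, dst, port) for _, src, dst, port, flags in trace if flags == "ACK"}
    half_open = Counter()
    for _, src, dst, port, flags in trace:
        if flags == "SYN" and (src, dst, port) not in completed:
            half_open[(dst, port)] += 1
    return {k: n for k, n in half_open.items() if n >= min_half_open}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(TRACE).items():
        print(f"port scan: {src} -> {dst}, {len(ports)} ports: {sorted(ports)}")
    for (dst, port), n in detect_syn_floods(TRACE).items():
        print(f"SYN flood: {n} half-open connections on {dst}:{port}")
```

On this trace the scan check reports the single probing source with its eight ports, and the flood check reports 301 half-open handshakes on port 25 (the 300 spoofed SYNs plus the scanner's own probe of that port), while the legitimate client's completed handshake is not counted. The two checks key on different things deliberately: a scanner spreads SYNs across ports, a flood concentrates them on one port from many sources.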
b) Smurf attack
• Smurf attacks rely on an ICMP directed broadcast to create a flood of traffic on a victim
• Large ICMP (Internet Control Message Protocol) packets with the intended victim's spoofed source IP are broadcast to a network
• Other hosts on this network, by default, respond by sending a reply to the source IP address, resulting in the victim's computer being flooded with traffic
Smurf attack contd…
• The attacker uses a spoofed source address of the victim
• A large number of PING requests with spoofed IP addresses are generated from within the target network
• Each ping request is broadcast, resulting in a large number of responses from all nodes on the network
• This clogs the network and prevents legitimate requests from being processed
• A Smurf attack is a DoS attack that consumes the victim's network bandwidth
Smurf attack

Diagram
Distributed Denial of Service (DDoS)
• Consists of a sufficient number of compromised hosts amassed to send useless packets toward a victim at around the same time.
• Consists of sending a large number of attack packets directly towards a victim.
• Does not rely on particular network protocols or system design weaknesses.
DDoS Example
• An attacker first plants a Trojan horse on a target machine. This process is repeated with many targets.
• Each of these target systems then becomes what is known as a zombie. The attacker then chooses a victim and sends a signal to all the zombies to launch the attack.
• This means the victim receives n attacks from the n zombies all acting at once.
Trojan horse - a hacking program that gains privileged access to the OS while appearing to perform a desirable function but instead drops a malicious payload, often including a backdoor allowing unauthorized access to system resources
Some Statistics
Financial loss reported due to attacks ~ $500 million
Not everyone reports losses due to attacks

Type of attack       Percentage
Virus                85%
Denial of Service    40%
Intrusion            40%

Internet as source of attack: 74%
4) Authentication attacks
• These attacks are associated with falsifying a user's or system's identification details, or identity theft
• Mostly in the form of spoofing, i.e.
a) Web spoofing
b) Email spoofing
c) DNS / IP spoofing
• Also replay attacks
a) Spoofing
• Spoofing is the practice of deceiving people into believing an email or Web site originates from a source that it does not. The most common type of spoofing is email spoofing, but Web page spoofing and IP spoofing are also very common.
• In email spoofing the deception is usually accomplished using software that harvests or generates email addresses from which messages appear to be sent.
• In Web page spoofing, the hacker will use software to display a Web page they have created to duplicate the actual Web page that's targeted.
• In IP spoofing, hackers use software to redirect Web site visitors to false Web pages.
i) Web Spoofing
• In Web page spoofing, the hacker will use software to display a Web page they have created to duplicate the actual Web page that's targeted.
• In this attack the malicious site pretends to be authentic
• It is a form of man-in-the-middle attack
• This can be accomplished by accessing the victim website and putting a link to the malicious site under a legitimate name. For example, www.nytimes.com could be linked to www.hackersite.com but the user would not be aware of this unless they pay attention to the actual site linked.
ii) DNS / IP Spoofing
• This is similar to web spoofing.
• In IP spoofing, hackers use software to redirect Web site visitors to false Web pages
• The DNS server could be a simple machine placed behind a firewall
• The hacker gets access to the DNS server and changes the mapping in the lookup table. For example, www.nytimes.com is supposed to point to 199.239.136.200. The hacker could redirect it to his web server instead.
b) Replays
• A replay attack involves capturing traffic while in transit and using it to gain access to systems.
• A sniffer is a program that intercepts and reads traffic on the network
• Example:
– The hacker sniffs the login information of a valid user
– Even if the information is encrypted, the hacker replays the login information to fool the system and gains access
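The replay slide makes the point that protecting the login token's confidentiality is not enough: a copy of a valid token is itself valid again. The Python below is an added example, not part of the original slides. It models two server designs: a naive one that accepts any token with a valid MAC (the MAC stands in for the "encrypted" login information, which the sniffer cannot forge but can copy), and a challenge-response one that issues a fresh random nonce per attempt, consumes it on use and expires it after a time limit. The key, user name, TTL and the time values passed in are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret, standing in for whatever the real login protocol derives
# from the user's password; the MAC plays the role of the "encrypted" login token.
SHARED_KEY = b"constructed-demo-key"


def make_token(*parts: str) -> str:
    """HMAC over the login fields; a sniffer cannot forge it but can copy it verbatim."""
    return hmac.new(SHARED_KEY, ":".join(parts).encode(), hashlib.sha256).hexdigest()


class NaiveServer:
    """Accepts any login whose token verifies. Nothing ties the token to this
    session, so a token captured by a sniffer verifies again when replayed."""

    def login(self, user: str, token: str) -> bool:
        return hmac.compare_digest(make_token(user), token)


class ChallengeServer:
    """Issues a fresh random nonce for each login attempt and consumes it on use.
    A replayed response carries a nonce that is no longer pending (or is too old)
    and is rejected, even though its MAC is still valid."""

    def __init__(self, ttl_s: float = 30.0):
        self.ttl_s = ttl_s
        self.pending = {}                          # nonce -> time it was issued

    def challenge(self, now: float) -> str:
        nonce = secrets.token_hex(16)              # unpredictable, never reused
        self.pending[nonce] = now
        return nonce

    def login(self, user: str, nonce: str, token: str, now: float) -> bool:
        issued = self.pending.pop(nonce, None)     # single use: a second presentation fails
        if issued is None or now - issued > self.ttl_s:
            return False
        return hmac.compare_digest(make_token(user, nonce), token)


def client_response(user: str, nonce: str) -> str:
    """What the legitimate client sends back after receiving the challenge."""
    return make_token(user, nonce)


def run_demo() -> dict:
    """Sniff one login against each server design, then replay it."""
    naive = NaiveServer()
    sniffed_token = make_token("alice")            # captured on the wire
    naive_first = naive.login("alice", sniffed_token)
    naive_replay = naive.login("alice", sniffed_token)

    server = ChallengeServer(ttl_s=30.0)
    nonce = server.challenge(now=0.0)
    sniffed_response = client_response("alice", nonce)   # also captured on the wire
    first = server.login("alice", nonce, sniffed_response, now=1.0)
    replay = server.login("alice", nonce, sniffed_response, now=2.0)

    stale_nonce = server.challenge(now=10.0)       # a challenge left unanswered too long
    expired = server.login("alice", stale_nonce, client_response("alice", stale_nonce), now=100.0)
    return {"naive_first": naive_first, "naive_replay": naive_replay,
            "challenge_first": first, "challenge_replay": replay,
            "challenge_expired": expired}


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Run as a script, the naive server accepts the replayed token, while the challenge server accepts the first response, rejects the replay of the same nonce, and rejects a response to a nonce older than the TTL. The time limit matters because a pending table that never expires would grow without bound and would still honour a captured response arbitrarily late.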
Replay Attack Diagram
Valid user → Server: sends id and pwd. A sniffer on the path records the sniffed id and pwd. Hacker → Server: replays the captured id and pwd.
c) Social Engineering
• An intruder convinces others to share confidential information with them
Example
i. Pop-up windows can be installed by hackers to look like part of the network and request that the user re-enter the username and password to fix some sort of problem
Social Engineering Examples
• “Hello, can I speak with Tom Smith from R&D
please?”
• “I'm sorry, he'll be on vacation until next
Monday”
• “OK, may I know who's in charge until he gets
back?”
• “Bob Jones”
• Hacker calls another employee Michael in R&D
and says,
“By the way Michael, just before Tom Smith went on vacation,
he asked me to review the new design. I talked with Bob Jones
and he advised me to get a copy of the new design. Could you
fax that to me at 111-222-3333? Thanks”

Dumpster diving
• Dumpster diving is also part of social engineering
• This means that any organization that does not dispose of sensitive documents, such as organizational structures and manuals, in a proper way could be exposing its systems to people who recover documents from dumpsters
• A dumpster could yield office calendars showing which employees are off when, hardware lists, network diagrams, and phone directories
Man in the middle attack
Write notes

Eavesdropping
Write notes
Safeguards and Countermeasures
Safeguards – mechanisms used to prevent attacks from occurring, e.g. firewall, antivirus

Countermeasures – mechanisms used to address an attack that has already happened.
Countermeasures
• For SYN-flood attack:
– A firewall can withhold or insert packets into the data stream, providing one means of stopping the SYN packets from getting through
– The firewall responds immediately to the SYN with its acknowledgment, sent to the (possibly spoofed) source address. This way the request does not sit in the server's open queue taking up space. Legitimate addresses respond immediately and can then be forwarded by the firewall to the internal systems. SYN-flood attack packets would not receive a reply from the spoofed address and so they will be sent a RST (reset) signal after the set timeout.
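The SYN-flood countermeasure above is what is usually called a SYN proxy: the firewall completes the handshake on the server's behalf and only hands over clients that prove they can answer. The Python below is an added example, not part of the original slides, modelling that behaviour in a single class. The packet format, the 3-second timeout and the client addresses are constructed for the demo; the flood sources never send the final ACK, so they expire with a RST and the protected server's queue never sees them.

```python
class SynProxyFirewall:
    """Firewall that answers SYNs on the server's behalf. Only clients that send
    the final ACK are handed to the internal server; entries whose ACK never
    arrives expire after timeout_s and are sent a RST, so spoofed SYNs never
    occupy the server's own half-open queue."""

    def __init__(self, timeout_s: float = 3.0):
        self.timeout_s = timeout_s
        self.half_open = {}      # (client_ip, client_port) -> time our SYN-ACK was sent
        self.forwarded = []      # clients whose completed handshake reached the server
        self.sent = []           # (to_ip, segment) the firewall itself emitted

    def on_packet(self, now: float, src_ip: str, src_port: int, flags: str) -> str:
        key = (src_ip, src_port)
        if flags == "SYN":
            self.half_open[key] = now
            self.sent.append((src_ip, "SYN-ACK"))   # reply goes to the claimed source
            return "held"
        if flags == "ACK" and key in self.half_open:
            del self.half_open[key]
            self.forwarded.append(key)              # handshake proven: server sees client now
            return "forwarded"
        return "dropped"                            # ACK with no pending SYN, or other junk

    def expire(self, now: float) -> int:
        """Drop half-open entries older than timeout_s and send each a RST."""
        stale = [key for key, t in self.half_open.items() if now - t > self.timeout_s]
        for key in stale:
            del self.half_open[key]
            self.sent.append((key[0], "RST"))
        return len(stale)


def run_demo() -> dict:
    """200 spoofed SYNs that never complete, plus one real client, then the timeout."""
    fw = SynProxyFirewall(timeout_s=3.0)
    for i in range(200):                               # constructed spoofed sources
        fw.on_packet(0.0, f"10.0.0.{i + 1}", 40000 + i, "SYN")
    fw.on_packet(0.5, "198.51.100.5", 51000, "SYN")    # a real client completes
    fw.on_packet(0.6, "198.51.100.5", 51000, "ACK")
    expired = fw.expire(5.0)
    return {"forwarded": len(fw.forwarded), "expired": expired,
            "half_open_left": len(fw.half_open),
            "rst_sent": sum(1 for _, seg in fw.sent if seg == "RST")}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The state that the flood consumes now lives in the firewall's table rather than the server's, and it is bounded by the timeout; the server only ever allocates a connection for the one client whose ACK arrived. In practice this table also needs a size cap so the firewall itself does not become the thing that runs out of memory.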
Countermeasures
• For Smurf attack:
– Routers should be configured to drop ICMP messages from outside the network with a destination of an internal broadcast or multicast address
– Newer OSs for routers and workstations have protection against known smurf attacks
Countermeasures
• For IP spoofing attack:
– This is a difficult attack for the hacker to start with
– The hacker must correctly guess the initial sequence number that the spoofed host would generate
– To prevent IP spoofing, disable source routing on all internal routers
– Filter entering packets that carry a source address of the local network
Countermeasures
• For man in the middle attack:
– Routers should be configured to ignore ICMP redirect packets
• An Intrusion Detection System (IDS) is software that can scan traffic in real time and detect anomalies
• Cisco, Computer Associates and SecureWorks are some of the companies that provide IDS software
• Availability of an IDS is a requirement in the medical and financial industries for a business to get its license
• The industry is now moving towards Intrusion Prevention Systems (IPS) as opposed to IDS
Countermeasures
• For Denial of Service attack:
– Firewalls and routers at network boundaries can use filters to prevent spoofed packets from leaving the network
– Filter incoming packets with a broadcast address
– Turn off directed broadcasts on all internal routers
– Block known private IP addresses being used as destination IP (e.g., 10.0.0.0, 172.16.24.0, 192.168.0.0, 224.0.0.0, 127.0.0.1)
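The Smurf, IP-spoofing and Denial of Service countermeasure slides above all come down to a handful of boundary filter rules. The Python below is an added example, not part of the original slides, that expresses those rules as one decision function and runs it over constructed packets: ingress anti-spoofing (an outside packet claiming an internal source), dropping directed broadcasts into an internal subnet, dropping private, multicast or loopback destinations, and egress anti-spoofing (a packet leaving with a source address that is not ours). The internal prefix 192.0.2.0/24 is a hypothetical site; the blocked ranges are the standard RFC 1918, multicast and loopback blocks from which the slide quotes one representative address each.

```python
import ipaddress

# Constructed site prefix (hypothetical); in practice list every internal subnet.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Standard private (RFC 1918), multicast and loopback ranges; the slide lists one
# representative address from each of these blocks.
BLOCKED_DST = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "127.0.0.0/8")]


def filter_packet(direction: str, src: str, dst: str) -> str:
    """Boundary filter decision for one packet.
    direction is "in" (arriving from outside) or "out" (leaving the site).
    Returns "accept" or a "drop: <reason>" string."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if any(s in net for net in INTERNAL_NETS):
            return "drop: ingress anti-spoofing (outside packet claims an internal source)"
        if any(d == net.broadcast_address for net in INTERNAL_NETS):
            return "drop: directed broadcast to an internal subnet (smurf amplification)"
        if any(d in net for net in BLOCKED_DST):
            return "drop: private, multicast or loopback destination"
        return "accept"
    if direction == "out":
        if not any(s in net for net in INTERNAL_NETS):
            return "drop: egress anti-spoofing (source address is not ours)"
        return "accept"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed packets, one per rule, using documentation addresses
SAMPLE_PACKETS = [
    ("in", "203.0.113.9", "192.0.2.10"),      # ordinary inbound traffic
    ("in", "192.0.2.5", "192.0.2.10"),        # outside packet with an internal source
    ("in", "203.0.113.9", "192.0.2.255"),     # directed broadcast into our subnet
    ("in", "203.0.113.9", "10.0.0.1"),        # private destination crossing the border
    ("out", "192.0.2.10", "203.0.113.9"),     # ordinary outbound traffic
    ("out", "198.51.100.77", "203.0.113.9"),  # our host sending with a foreign (victim) source
]


def run_demo() -> list:
    """Apply the filter to every sample packet and return (packet, verdict) pairs."""
    return [(pkt, filter_packet(*pkt)) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in run_demo():
        print(f"{pkt[0]:>3} {pkt[1]:>15} -> {pkt[2]:<15} {verdict}")
```

The egress rule is the one that stops a site from being used as a Smurf amplifier or a spoofing source against someone else, while the ingress rules protect the site itself; both are needed, and the broadcast check has to be evaluated against each internal subnet's own broadcast address, not only the all-ones address.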
Security Scenario to Solve
Intrusion Detection Systems enable the organization to see in real time the types of data traffic on the network and try to take corrective action. As a network specialist you are given the responsibility to:
a) Examine the types of IDS and IPS systems that are available for implementation.
b) Give a summary of the various types of these systems, including cost, functionality, ease of use, etc.
c) In this context, find out what industries (e.g., medical) require the presence of an IDS for their accreditation.
Malicious Code
1) Software exploitation
• Malicious software (virus and worm)
• Back door - a method of bypassing normal authentication
• Logic bomb - code intentionally inserted into system software that will trigger a malicious function when specified conditions are met

2) Failure to practice secure coding
• Race conditions
• Buffer overflow
How does malicious software propagate?

a) A virus is meant to replicate itself into executables (e.g., Melissa)

b) A worm is meant to propagate itself across the network (e.g., Nimda, Code Red)

c) A Trojan horse is meant to entice the unsuspecting user to execute a worm (e.g., I Love You)
a) Virus
• A virus self-replicates
• Early viruses (1980s to mid-90s) were placed on the boot sector of hard and floppy drives as they would not show up in the directory listing
• The second type of virus is known as a ‘parasitic virus.’ This was prevalent in the mid-90s. A parasitic virus attaches to files and infects files of type exe, sys, com, dll, bin, drv
• The third virus type is the ‘multipartite virus’. This infected both the boot sector and files. This was also common in the mid-90s.
Virus contd …
• The current virus type is known as the ‘macro virus.’ These are application specific as opposed to operating system specific. They propagate rapidly through email. Most macro viruses are written in VB Script and they exploit Microsoft’s applications such as Outlook.
• Current information on viruses can be obtained from CERT, McAfee, Symantec etc.
• Major viruses:
– Melissa March 1999
– Nimda September 2001
b) Worms
• A worm is a self-contained program that tries to exploit buffer overflows and remotely attack a victim’s computer
• Code Red and Code Red II are two of the well-known worms
• Virus vs. Worms – write notes
