A Study on Intrusion Detection Techniques in a TCP/IP Environment
C. A. Voglis and S. A. Paschos
Department of Computer Science, University of Ioannina, GREECE

Abstract: The TCP/IP protocol suite is the most widely used family of networking protocols. The implementations of these protocols emphasize performance rather than security. In recent years, as the growth of the Internet has been explosive, many attacks have been carried out, leading to the loss of valuable data. In this paper we present an easy-to-implement technique for detecting and preventing a great number of attacks which are based on one particular technique, namely IP spoofing.

Keywords: TCP/IP protocols, active attacks, IP spoofing, SYN flooding

1 Introduction

Nowadays more and more people connect their machines to the Internet, thereby using the TCP/IP protocol suite as the network operating system for their communication needs. This growing usage of the Internet has revealed some deficiencies in the design and implementation of the protocols which form the TCP/IP suite. These deficiencies have made possible a number of attacks that may cause serious problems, and possibly the loss of sensitive data.

In section 2 we briefly present the TCP/IP terms that we will use in the following sections. In section 3 we describe the most common security attacks in a TCP/IP environment. In section 4 we thoroughly examine methods to detect and prevent the most common attacks. In section 5 we present some preliminary results we collected by using a software tool which implements the methods and techniques presented in section 4. Finally, in section 6 some useful extensions to the existing tool are suggested.

2 TCP/IP terminology

The TCP/IP protocol suite allows computers running totally different operating systems to communicate with each other. Like many other networking protocols, it is developed in layers, with each layer responsible for a different facet of the communication.
TCP/IP is a 4-layer system and consists of the following layers:

- link layer: handles the details of physical transmission
- network layer: handles the movement of packets around the network (IP)
- transport layer: provides a flow of data between two hosts for the application layer
- application layer: handles the details of a particular application (telnet, ftp, ...)

The attacks that we describe in this paper concern the network and transport layers and exploit the nature and implementation of IP ([5]) and TCP ([7]).

Each network interface of a computer connected to a TCP/IP network must have a unique Internet address (also called IP address). These addresses are 32-bit numbers that specify a physical connection to the Internet. This means that a host must be assigned a unique IP address in order to communicate with another host at the IP level. The transport layer protocols (TCP, UDP) use a similar addressing technique in order to determine to which application protocol the incoming data are addressed. TCP identifies applications using a 16-bit port number; the pair (IP address, TCP port number) forms a unique end point in an internet. When an application sends data using TCP, TCP passes a unit of data called a TCP segment to IP. The unit of data that IP sends to the network interface is called an IP datagram.

In conclusion, a connection in the TCP/IP environment is a combination of four numbers (remote IP address, remote port number, local IP address, local port number). This identification of the specific connection is transmitted through the network: IP addresses are located in the IP header and TCP ports in the TCP header.

TCP in particular provides a connection-oriented, reliable, byte stream service. In order to achieve these goals each TCP segment carries a lot of information besides the application's data. This additional data forms the TCP header. The fields of the TCP header that we are going to use in our analysis are:

- the source and destination ports
- the sequence number, which identifies the byte order in the stream of data from the sending TCP to the receiving TCP
- the acknowledgment number, which contains the next sequence number that the sender of the acknowledgment expects to receive
- the flag field, which contains six flag bits that give special meaning to TCP segments. The most common flags are:
  SYN: denotes the beginning of a session and that the TCP segment is carrying the Initial Sequence Number (ISN)
  ACK: the packet is an acknowledgment packet
  RST: immediately finishes a connection, i.e. destroys all the data structures in the kernel that belong to this particular connection
  FIN: gracefully finishes a connection

In later sections we will call a SYN packet an IP datagram that encapsulates a TCP segment with the SYN flag set.
We are going to use the notation

    (sip, sport, dip, dport)[flags][seq][ack]

in order to describe a packet, where:

- sip: sender's IP address
- sport: sender's port number
- dip: destination's IP address
- dport: destination's port number
- flags: TCP header's flags
- seq: TCP header's sequence number
- ack: TCP header's acknowledgment number

3 Common Active Attacks

The attacks we will describe are called active attacks because the attacker acts upon the victim's system in order to change the data addressed to it. The most common attacks of this type are:

Man in the middle attack. In this attack the attacker interferes with the data flow between two hosts (S and C). The attacker is usually located on another machine (A). In order to perform his task he uses a packet sniffer to watch the data hosts S and C are exchanging and a packet generator in order to masquerade as one of the communicating hosts. By using properly modified packets, the attacker manages to desynchronize the two hosts, so that they cannot receive packets from each other. Of course, they can both receive the attacker's packets. This attack is described in detail in [3].

Blind attack. In this case the attacker pretends to be on a different host (C) and sends a SYN packet to the victim machine (S), trying to contact it ([1]). The victim responds with its own SYN packet, which contains its TCP initial sequence number, from which it starts to count the bytes it will send on the specific connection. This packet goes to the address which the attacker pretends to have (C), and not to the attacker's real address (A), so the attacker has to develop a technique in order to calculate or guess the victim's initial sequence number. This can be achieved by monitoring the traffic using a packet sniffer. If the attacker knows this number, he can create the third packet which is needed to complete the connection establishment.
This attack cannot be successful if the false address used by the attacker belongs to another host. This happens because when the packet with the initial sequence number arrives at host C, it will be rejected, and a RST packet will be sent to host S, which in turn will close the connection. Morris ([4]) pointed out that the attacker can block a specific port on host C, thus preventing C from receiving the answer from host S, and consequently no RST packet will be generated.
SYN Flood attack. In this attack the attacker (A) sends a lot of SYN packets to a specific port number of the victim host (S). S tries to fulfill these requests by assigning the appropriate resources in order to handle them ([2]). The original TCP implementation did not use a timer in order to time out these connections, so the attacker could initiate as many connections as needed to block this port. Any subsequent packet addressed to this port would be rejected.

The active attacks we described above have something in common. They all use the same technique, namely IP spoofing. IP spoofing is the situation where a packet is transmitted in a TCP/IP network containing in its IP header a source address other than that of the sending host. Of course IP spoofing implies that the attacker creates his own TCP header or alters an existing one (uses another port, sequence number).

4 Detecting and Preventing the attacks

In this section we are going to present some characteristics of each attack that make the attack detectable. But first we are going to explore how to detect IP spoofing, which is the first step of all the attacks we described so far.

4.1 Detection

When an attacker impersonates another host by using a false IP address (spoofed address) in the IP header instead of his own IP address, one of the following four cases exists:

C-1 The spoofed address does not yet correspond to an internet host
C-2 The spoofed address corresponds to an internet host that is not currently operating (it is down)
C-3 The spoofed address corresponds to an internet host that has some TCP ports blocked (SYN flooding attack)
C-4 The spoofed address corresponds to an internet host that is up and running

From the above cases, case C-4 is the one that every attacker wishes to avoid (except in the case of the man-in-the-middle attack), because a functioning host can respond to any suspicious packet that arrives by sending a RST packet.
According to the protocol specifications, when a packet arrives at a specific port of a host, and there is no process listening on this port, or that port does not belong to a server, the packet's arrival causes the generation of a RST packet (for example, the packet (IP1, Port1, IP2, Port2)[*][seq][ack] can create the packet (IP2, Port2, IP1, Port1)[RST][ack] that attempts to destroy the possible connection). In the first three cases the attacker's success is assured, because there is not going to be any response from a host. That way no RST packets, disastrous for the attacker, are generated.

Now we can explain our method for IP spoofing detection. In every case we are using a packet sniffer to capture the data in any Ethernet frame (IP datagram and consequently TCP segment). Our analysis depends on the source of the suspect packet: in the first case the packet is coming from a host inside our local network and in the second it is coming from a host outside our local network.

1. Packet coming from the inside: In this case detection is relatively easy, because in a local network there is a factor that can be considered unchangeable and cannot be spoofed. That factor is the Ethernet address of a host. Every host in a local network (e.g. Ethernet segment) has a unique interface (Ethernet) address, which is written in the header of the interface (Ethernet) frame. Furthermore, every host in a local TCP/IP network has a unique IP address. We can therefore create a correlation (in the form of a two-row table) between the IP address and the Ethernet address of every existing host in the local network (in general, there are IP addresses which belong to the local network's address space but are not assigned to a machine). That correlation can be updated automatically at a specified time period (using the ARP protocol), so we can capture any local changes (replacement of a defective NIC, a host starting operation, etc.).
The fact that this correlation contains only the IP addresses that are assigned to a machine in the local network ensures that an IP address that belongs to the address space of the local network but is not assigned to a host does not exist in that correlation (in the following, we will call this correlation the table). Using this table, we can detect any IP spoofing attempt from the local network, because:

(a) If a packet comes from a host inside our local network with IP address IP1, and the packet's header declares IP2 as the source IP address (IP2 belongs to the local network's address space):
   i. If IP2 does not correspond to a host in the network, it does not appear in the table.
   ii. If IP2 corresponds to a host in the local network then, according to the correlation table, this host's Ethernet address is going to be different from the Ethernet address of the frame that actually arrived, since [IP1, ETHER1] ≠ [IP2, ETHER2].
(b) If a packet comes from a host inside the local network but impersonates a host outside of it, then it will be detected because it is not going to have the Ethernet address of the router (or one of the routers) of the local network. Instead, it will have the Ethernet address of another host in the network. (Nowadays, a router is usually a dedicated machine, which means that it cannot generate such a packet.)

We have observed that if the packet's source is a host inside our local network, then there is a very high probability of detecting attacks that are based on the IP spoofing technique. Every one of the four cases at the beginning of this section can be detected in a local network.

2. Packet coming from the outside: Unfortunately, in this case the interface address is not known, so we cannot use a technique like the previous one to identify the sending host. The only thing we know about the host is the IP address, which can be spoofed easily. Cases C-1 and C-2 (the host does not exist or is not working) can be detected by sending towards the source address of the arriving packets one or more special packets, to make sure that the sending host really exists and is currently up. To select what kind of packets we will use for testing, we must first make sure that a host that is up and running will always respond to them. Such packets can be ICMP echo requests ([6]) or TCP SYN packets.
ICMP echo request packets, when arriving at a host, cause it to respond immediately with an ICMP echo reply packet. The reason we prefer that type of packet is that they can often travel very quickly in an internet environment and a lot of firewalls allow them to pass, which does not always happen with TCP segments encapsulated in IP datagrams. The test is simple: if in a predefined period of time the sending host does not respond to our test packets, then there is a high probability that the packet is fake.

In case C-3 the previous test is not going to work, because the host which corresponds to the source IP of the packet exists and can respond with an ICMP echo reply. In this case a port on that host is probably blocked by a SYN flood attack, but all other services on that host function perfectly. According to the SYN flooding attack, an attacker can only block a port that is being used by a server. That means that in order for an attacker to exploit case C-3 he must also write in the TCP header of the TCP segment he sends the port of a server that has already been blocked by SYN flooding. Such servers listen on dedicated ports, usually in the range from 1 to 1023 (also known as well-known ports), so that every application knows the port that the server listens on. It is also known that no server application asks a service from another server application, which means that a server cannot initiate a connection. There is a strategy that we can use in order to detect spoofed packets of case C-3: consider as spoofed any SYN packets that arrive having a source TCP port less than 1024. Using the above notation we arrive at the following rule: the packet (IP1, Port1, IP2, Port2)[SYN][isn1][*] is considered spoofed if Port1 is in the range [0, 1023].

In case C-4, when a packet arrives from outside the local network, it is very hard to detect an IP spoofing attempt. Cases like this must be faced according to the nature of the attack.
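The detection rules of section 4.1 put together, as an added example written for this page and not the authors' tool: the IP/Ethernet table check of rule 1(a), the router-address check of rule 1(b), the well-known-port SYN rule for case C-3 and the liveness probe for cases C-1/C-2. The local network, the table contents, the router address and the set of hosts that would answer an echo request are constructed sample values, and the probe is passed in as an ordinary function so the code runs offline without sending any ICMP.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, FrozenSet, Set


@dataclass(frozen=True)
class Packet:
    """One captured frame reduced to the fields the rules need."""
    src_mac: str            # Ethernet source address of the frame
    sip: str                # source IP address in the IP header
    sport: int              # TCP source port
    dip: str                # destination IP address
    dport: int              # TCP destination port
    flags: FrozenSet[str]   # TCP flags present, e.g. frozenset({"SYN"})


# Constructed environment (assumptions for this example, not from the paper).
LOCAL_NET = ip_network("10.0.0.0/24")
ROUTER_MACS: Set[str] = {"00:00:0c:00:00:01"}
# The IP -> Ethernet correlation table of section 4.1; only assigned hosts
# appear in it (the paper refreshes it periodically through ARP).
ARP_TABLE: Dict[str, str] = {
    "10.0.0.5": "aa:bb:cc:00:00:05",
    "10.0.0.7": "aa:bb:cc:00:00:07",
}
# Hosts that would answer an ICMP echo request within the timeout; this set
# stands in for the real probe so the example runs offline.
LIVE_HOSTS: Set[str] = {"203.0.113.9"}
WELL_KNOWN_MAX_PORT = 1023


def classify(pkt: Packet, table: Dict[str, str], router_macs: Set[str],
             is_alive: Callable[[str], bool]) -> str:
    """Return 'ok' or a verdict naming the rule of section 4.1 that fired."""
    if ip_address(pkt.sip) in LOCAL_NET:
        # Rule 1(a): a claimed local address must arrive with the Ethernet
        # address the table holds for it; an unassigned address has no entry.
        expected = table.get(pkt.sip)
        if expected is None:
            return "spoofed: local address not assigned to any host (1.a.i)"
        if expected != pkt.src_mac:
            return "spoofed: Ethernet address differs from table entry (1.a.ii)"
        return "ok"
    if pkt.src_mac not in router_macs:
        # Rule 1(b): a genuine outside address can only enter through a router.
        return "spoofed: outside address sent from a local host (1.b)"
    # The frame did come through a router, so apply the outside-origin tests.
    if "SYN" in pkt.flags and 0 <= pkt.sport <= WELL_KNOWN_MAX_PORT:
        # Case C-3: servers do not initiate connections, so a SYN from a
        # well-known source port is treated as spoofed.
        return "spoofed: SYN from well-known source port (C-3)"
    if not is_alive(pkt.sip):
        # Cases C-1/C-2: no echo reply within the predefined period.
        return "probably spoofed: source host did not answer probe (C-1/C-2)"
    return "ok"   # case C-4 cannot be decided from the packet alone


def run_samples() -> Dict[str, str]:
    """Classify a constructed set of frames; returns name -> verdict."""
    probe = lambda ip: ip in LIVE_HOSTS          # offline stand-in for ICMP echo
    host5, router = "aa:bb:cc:00:00:05", "00:00:0c:00:00:01"
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    samples = {
        "genuine_local":     Packet(host5, "10.0.0.5", 40001, "10.0.0.1", 23, syn),
        "unassigned_local":  Packet(host5, "10.0.0.9", 40002, "10.0.0.1", 23, syn),
        "borrowed_local":    Packet(host5, "10.0.0.7", 40003, "10.0.0.1", 23, syn),
        "fake_outside":      Packet(host5, "198.51.100.4", 40004, "10.0.0.1", 23, syn),
        "outside_wk_port":   Packet(router, "203.0.113.9", 80, "10.0.0.1", 23, syn),
        "outside_dead_host": Packet(router, "203.0.113.77", 40005, "10.0.0.1", 23, syn),
        "outside_live_host": Packet(router, "203.0.113.9", 40006, "10.0.0.1", 23, ack),
    }
    return {name: classify(p, ARP_TABLE, ROUTER_MACS, probe)
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18s} {verdict}")
```

The table lookup is applied to every frame that claims a local source address, whichever Ethernet address it arrived with, so a frame from the router's address that claims a local IP fails rule 1(a)ii as well; the paper's rule covers it without a separate test. Case C-4 deliberately falls through to "ok", matching the paper's statement that it must be handled per attack rather than at the spoofing level.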
According to the above analysis of all the possible IP spoofing techniques, we come to the conclusion that blind attacks and SYN flooding attacks can be detected successfully in almost every case, no matter the origin of the attack (inside or outside the local network). That is true because using spoofed IP addresses that correspond to non-existing machines, to hosts that are temporarily down, or to hosts with some ports blocked by SYN flooding is crucial for the success of these attacks.

On the other hand, the man-in-the-middle attack requires special attention when the attacker is outside the local network. In that case, IP spoofing is impossible to detect (the attacker impersonates both of the hosts that are already communicating). It seems unachievable, in that case, to detect the particular attack. However, studies of this kind of attack ([3]) have shown that this particular attack has some side effects, including special traffic patterns that are generated in the network, which can be used in order to detect the attack. Such a side effect is the generation of a large number of ACK packets without data, as a result of the desynchronization between client and server during the attack. For example, such an attack on the telnet server generates a vast number of ACK packets compared to those of a normal session. A possible detection of this attack can be implemented using a hash table to store every connection from outside (a connection in the TCP/IP environment can be uniquely defined by the quadruple [source IP, source Port, destination IP, destination Port]). For each packet that arrives at our host from outside the local network, we can find the corresponding position in the hash table (if it is not a SYN packet) and use it to record some statistics for the specific connection. Another way to deal with this attack is to calculate the statistics directly from specific structures in the kernel; TCP holds a structure in the kernel (called tcpcb) in order to gather some specific statistics about the connection.

The above analysis makes us optimistic concerning the capability to implement a tool, as general as possible, that can detect those kinds of attacks.

4.2 Prevention

Having the detection of such attacks more or less ensured, we can now move a step forward towards the prevention of these attacks.
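Before the prevention discussion continues, the per-connection bookkeeping proposed for the man-in-the-middle case in section 4.1, as an added example and not the authors' tool: a hash table keyed by the inbound quadruple, a counter of empty ACK segments per connection, and a check that flags connections whose share of empty ACKs is far above a normal session's. The thresholds and the sample trace are constructed assumptions; the paper gives no numbers for either.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# A connection is the quadruple of section 4.1; the table is keyed on the
# inbound view (remote address, remote port, local address, local port).
ConnKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Segment:
    sip: str
    sport: int
    dip: str
    dport: int
    flags: FrozenSet[str]
    payload_len: int        # bytes of application data carried


@dataclass
class ConnStats:
    packets: int = 0        # non-SYN segments seen on the connection
    empty_acks: int = 0     # ACK segments carrying no data

    def empty_ack_ratio(self) -> float:
        return self.empty_acks / self.packets if self.packets else 0.0


def is_empty_ack(seg: Segment) -> bool:
    """ACK set, no payload, and not part of connection setup or teardown."""
    return ("ACK" in seg.flags and seg.payload_len == 0
            and not (seg.flags & {"SYN", "FIN", "RST"}))


class ConnectionMonitor:
    """Per-connection statistics for inbound segments (the paper's hash table)."""

    # Thresholds are assumptions for this example, not values from the paper.
    def __init__(self, min_packets: int = 20, ratio: float = 0.8) -> None:
        self.table: Dict[ConnKey, ConnStats] = {}
        self.min_packets = min_packets
        self.ratio = ratio

    def observe(self, seg: Segment) -> None:
        key: ConnKey = (seg.sip, seg.sport, seg.dip, seg.dport)
        if "SYN" in seg.flags:
            self.table[key] = ConnStats()   # new attempt: start fresh statistics
            return
        st = self.table.setdefault(key, ConnStats())
        st.packets += 1
        if is_empty_ack(seg):
            st.empty_acks += 1

    def suspicious(self) -> List[ConnKey]:
        """Connections with enough traffic and an abnormal share of empty ACKs."""
        return [k for k, s in self.table.items()
                if s.packets >= self.min_packets and s.empty_ack_ratio() >= self.ratio]


def build_sample_trace() -> List[Segment]:
    """Constructed inbound segments: a normal telnet-like session and one
    where the peer keeps emitting empty ACKs, as a desynchronised host does."""
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    trace = [Segment("203.0.113.9", 40001, "10.0.0.1", 23, syn, 0)]
    for i in range(30):     # keystrokes alternating with pure ACKs of the echoes
        trace.append(Segment("203.0.113.9", 40001, "10.0.0.1", 23, ack, 1 if i % 2 == 0 else 0))
    trace.append(Segment("198.51.100.4", 40002, "10.0.0.1", 23, syn, 0))
    for i in range(50):     # three data segments, then nothing but empty ACKs
        trace.append(Segment("198.51.100.4", 40002, "10.0.0.1", 23, ack, 1 if i < 3 else 0))
    return trace


def run_sample() -> ConnectionMonitor:
    mon = ConnectionMonitor()
    for seg in build_sample_trace():
        mon.observe(seg)
    return mon


if __name__ == "__main__":
    mon = run_sample()
    for key, st in mon.table.items():
        print(key, st.packets, st.empty_acks, f"{st.empty_ack_ratio():.2f}")
    print("suspicious:", mon.suspicious())
```

A SYN resets the entry for its quadruple rather than counting towards it, which is what the paper's "if it is not a SYN packet" qualifier amounts to; a minimum packet count keeps short, legitimately ACK-heavy exchanges from being reported.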
We use the term prevention to denote all the necessary actions we can take in order to stop the attack from having disastrous effects on our machine. There are two general methods to prevent an attack:

1. Alert the system administrator that the host is under attack, in order to take the necessary precautions to stop the attack. This can be implemented by using some logging technique (like the syslog daemon in UNIX). However, this method is relatively slow. Most of the attacks last only a few seconds and in that period it is difficult for the administrator to stop the attack in time. Moreover, this method requires the supervision of a person 24 hours a day.

2. Provide the tool with the ability to take some action when it detects an attack. This method is much faster than the previous one (of the order of msec) and consequently more effective. Such an action is the transmission of RST packets, when the tool detects a spoofed IP packet with the SYN flag set, back to the host that it protects. The reset packet is going to destroy all the protocol control blocks of the specific connection attempt. Another way to prevent an attack is to find the identification number (pid) of the process that corresponds to the specific connection. When we find that pid we can kill the process and stop the attack.

The tool that we implemented uses both techniques for preventing an attack. Whenever it detects an attack it sends messages to syslogd to alert the administrator and tries to destroy the attacker's connection to the server or kills any existing connection that the attacker is trying to compromise.

5 Results

The test results of our tool in the local network of our University were very encouraging. The tool we implemented was tested against most types of attacks with very promising results. To be more specific, the SYN flooding attack was detected and successfully prevented, whether the attack probes came from inside or outside our network.
During the test the attacker was sending SYN packets continuously, but he could not block a service. We dealt with the blind attack very successfully using our tool, no matter the origin of the probes (inside or outside the network). Every attempt to masquerade as a non-existing host and establish a connection to the services of our protected host failed. The method we used to deal with the man-in-the-middle attack was successful when the attacker was in the same local network. We have not yet tested the tool against such an attack coming from outside our local network, but from the results we collected when the attack was made from the inside, we believe that such attacks can be detected using TCP statistics (number of ACKs, total packets, etc.).
6 Future work

A very important addition to our tool is the ability not only to detect or prevent attacks against the host it runs on, but to detect and prevent attacks against every host in the local network. That is not impossible if we keep in mind that a packet sniffer can show us the traffic in the whole local network. We simply need to implement a mechanism that will allow the host on which the tool runs to communicate with all the other hosts in the local network. We can approach this goal by building appropriate client-server applications. The server will run on every machine we want to protect and the client on the machine where the tool runs. When our tool detects an attack against another host, it will send a message to that host, alerting it to the incoming attack. The server on the host is then responsible for handling the attack.

7 Conclusions

In this paper we presented our ideas on the implementation of a general purpose tool that can be used to detect and prevent active attacks against the TCP/IP protocols, attacks that are based mostly on the mechanism of IP spoofing. The methods that were presented here can be easily implemented in any local network and can provide the desirable security level against those attacks.

References

[1] S. M. Bellovin. Security problems in the TCP/IP protocol suite. Computer Communication Review, 19(2):32-48, April.
[2] Marco de Vivo, Gabriela O. de Vivo, and Germinal Isern. Internet security attacks at the basic level. Operating Systems Review, pages 4-15, April.
[3] Laurent Joncheray. Simple active attack against TCP. In Proc. 5th USENIX UNIX Security Symposium.
[4] Robert T. Morris. A weakness in the 4.2BSD Unix TCP/IP software. Computing Science Technical Report 117, AT&T Bell Laboratories.
[5] J. Postel. RFC 791: Internet Protocol, September.
[6] J. Postel. RFC 792: Internet Control Message Protocol, September.
[7] J. Postel. RFC 793: Transmission Control Protocol, September.
[8] W. Richard Stevens. TCP/IP Illustrated, Vol. 1: The Protocols. Addison-Wesley, 1994.
More informationTCP/IP Transport Layer Protocols, TCP and UDP
TCP/IP Transport Layer Protocols, TCP and UDP Learning Objectives Identify TCP header fields and operation using a Wireshark FTP session capture. Identify UDP header fields and operation using a Wireshark
More informationDetecting Specific Threats
The following topics explain how to use preprocessors in a network analysis policy to detect specific threats: Introduction to Specific Threat Detection, page 1 Back Orifice Detection, page 1 Portscan
More informationInterconnecting Networks with TCP/IP. 2000, Cisco Systems, Inc. 8-1
Interconnecting Networks with TCP/IP 2000, Cisco Systems, Inc. 8-1 Objectives Upon completion of this chapter you will be able to perform the following tasks: Identify the IP protocol stack, its protocol
More informationNetwork Technology 1 5th - Transport Protocol. Mario Lombardo -
Network Technology 1 5th - Transport Protocol Mario Lombardo - lombardo@informatik.dhbw-stuttgart.de 1 overview Transport Protocol Layer realizes process to process communication data unit is called a
More informationUser Datagram Protocol (UDP):
SFWR 4C03: Computer Networks and Computer Security Feb 2-5 2004 Lecturer: Kartik Krishnan Lectures 13-15 User Datagram Protocol (UDP): UDP is a connectionless transport layer protocol: each output operation
More informationPacket Header Formats
A P P E N D I X C Packet Header Formats S nort rules use the protocol type field to distinguish among different protocols. Different header parts in packets are used to determine the type of protocol used
More informationAttack Prevention Technology White Paper
Attack Prevention Technology White Paper Keywords: Attack prevention, denial of service Abstract: This document introduces the common network attacks and the corresponding prevention measures, and describes
More informationMuhammad Farooq-i-Azam CHASE-2006 Lahore
Muhammad Farooq-i-Azam CHASE-2006 Lahore Overview Theory Existing Sniffers in action Switched Environment ARP Protocol and Exploitation Develop it yourself 2 Network Traffic Computers and network devices
More informationSequence Number. Acknowledgment Number. Data
CS 455 TCP, Page 1 Transport Layer, Part II Transmission Control Protocol These slides are created by Dr. Yih Huang of George Mason University. Students registered in Dr. Huang's courses at GMU can make
More informationCHAPTER-2 IP CONCEPTS
CHAPTER-2 IP CONCEPTS Page: 1 IP Concepts IP is a very important protocol in modern internetworking; you can't really comprehend modern networking without a good understanding of IP. Unfortunately, IP
More informationSoftware Engineering 4C03 Answer Key
Software Engineering 4C03 Answer Key DAY CLASS Dr. William M. Farmer DURATION OF EXAMINATION: 2 Hours MCMASTER UNIVERSITY FINAL EXAMINATION April 2002 (1) [2 pts.] Conventional encryption cannot be used
More informationECE 650 Systems Programming & Engineering. Spring 2018
ECE 650 Systems Programming & Engineering Spring 2018 Networking Transport Layer Tyler Bletsch Duke University Slides are adapted from Brian Rogers (Duke) TCP/IP Model 2 Transport Layer Problem solved:
More informationOverview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter
Computer Network Lab 2017 Fachgebiet Technische Informatik, Joachim Zumbrägel Overview Security Type of attacks Firewalls Protocols Packet filter 1 Security Security means, protect information (during
More informationConfiguring IP Services
CHAPTER 8 Configuring IP Services This chapter describes how to configure optional IP services supported by the Cisco Optical Networking System (ONS) 15304. For a complete description of the commands in
More informationPing of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods
Ping of death Land attack Teardrop Syn flood Smurf attack DOS Attack Methods Ping of Death A type of buffer overflow attack that exploits a design flaw in certain ICMP implementations where the assumption
More informationA quick theorical introduction to network scanning. 23rd November 2005
A quick theorical introduction to network ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) http://www.csrrt.org/ 23rd November 2005 IP protocol ACK Network is not exact science When
More informationBusiness Data Networks and Security 10th Edition by Panko Test Bank
Business Data Networks and Security 10th Edition by Panko Test Bank Chapter 2 Network Standards 1) Internet standards are published as. A) RFCs B) IETFs C) TCP/IPs D) Internet Protocols Question: 1a Objective:
More informationEEC-484/584 Computer Networks. Lecture 16. Wenbing Zhao
EEC-484/584 Computer Networks Lecture 16 wenbing@ieee.org (Lecture nodes are based on materials supplied by Dr. Louise Moser at UCSB and Prentice-Hall) Outline 2 Review Services provided by transport layer
More informationInterconnecting Networks with TCP/IP
Chapter 8 Interconnecting s with TCP/IP 1999, Cisco Systems, Inc. 8-1 Introduction to TCP/IP Internet TCP/IP Early protocol suite Universal 1999, Cisco Systems, Inc. www.cisco.com ICND 8-2 TCP/IP Protocol
More informationICS 351: Networking Protocols
ICS 351: Networking Protocols IP packet forwarding application layer: DNS, HTTP transport layer: TCP and UDP network layer: IP, ICMP, ARP data-link layer: Ethernet, WiFi 1 Networking concepts each protocol
More informationModule 19 : Threats in Network What makes a Network Vulnerable?
Module 19 : Threats in Network What makes a Network Vulnerable? Sharing Unknown path Many points of attack What makes a network vulnerable? Unknown perimeter Anonymity Complexity of system Categories of
More informationHP High-End Firewalls
HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2630 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information
More informationNetwork Programming. Introduction to Sockets. Dr. Thaier Hayajneh. Process Layer. Network Layer. Berkeley API
Network Programming Outline Definitions Dr. Thaier Hayajneh Computer Engineering Department Berkeley API Socket definition and types Introduction to Sockets 1 2 Process Process Process Layer TCP SCTP UDP
More informationSignificance of TCP/IP Model Divya Shree Assistant Professor (Resource Person), Department of computer science and engineering, UIET, MDU, Rohtak
Significance of TCP/IP Model Divya Shree Assistant Professor (Resource Person), Department of computer science and engineering, UIET, MDU, Rohtak Abstract: TCP/IP (Transmission Control Protocol/Internet
More informationTRANSMISSION CONTROL PROTOCOL. ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 7 November 2016
TRANSMISSION CONTROL PROTOCOL ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 7 November 2016 ETI 2506 - TELECOMMUNICATION SYLLABUS Principles of Telecom (IP Telephony and IP TV) - Key Issues to remember 1.
More informationNETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006
NETWORK INTRUSION Information Security in Systems & Networks Public Development Program Sanjay Goel University at Albany, SUNY Fall 2006 1 Learning Objectives Students should be able to: Recognize different
More informationINF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi
INF5290 Ethical Hacking Lecture 3: Network reconnaissance, port scanning Universitetet i Oslo Laszlo Erdödi Lecture Overview Identifying hosts in a network Identifying services on a host What are the typical
More informationCCNA Exploration Network Fundamentals. Chapter 04 OSI Transport Layer
CCNA Exploration Network Fundamentals Chapter 04 OSI Transport Layer Updated: 05/05/2008 1 4.1 Roles of the Transport Layer 2 4.1 Roles of the Transport Layer The OSI Transport layer accept data from the
More informationInternet and Intranet Protocols and Applications
Internet and Intranet Protocols and Applications Lecture 1b: The Transport Layer in the Internet January 17, 2006 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu 01/17/06
More information4. The transport layer
4.1 The port number One of the most important information contained in the header of a segment are the destination and the source port numbers. The port numbers are necessary to identify the application
More informationENEE 457: Computer Systems Security 11/07/16. Lecture 18 Computer Networking Basics
ENEE 457: Computer Systems Security 11/07/16 Lecture 18 Computer Networking Basics Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park
More informationCS 161 Computer Security
Raluca Ada Popa Spring 2018 CS 161 Computer Security Discussion 7 Week of March 5, 2018 Question 1 DHCP (5 min) Professor Raluca gets home after a tiring day writing papers and singing karaoke. She opens
More informationTCP/IP Networking. Part 4: Network and Transport Layer Protocols
TCP/IP Networking Part 4: Network and Transport Layer Protocols Orientation Application Application protocol Application TCP TCP protocol TCP IP IP protocol IP IP protocol IP IP protocol IP Network Access
More informationNetwork Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018
Network Security Evil ICMP, Careless TCP & Boring Security Analyses Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Part I Internet Control Message Protocol (ICMP) Why ICMP No method
More informationNetworking Technologies and Applications
Networking Technologies and Applications Rolland Vida BME TMIT Transport Protocols UDP User Datagram Protocol TCP Transport Control Protocol and many others UDP One of the core transport protocols Used
More informationThe aim of this unit is to review the main concepts related to TCP and UDP transport protocols, as well as application protocols. These concepts are
The aim of this unit is to review the main concepts related to TCP and UDP transport protocols, as well as application protocols. These concepts are important requirements for developing programs that
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More informationK2289: Using advanced tcpdump filters
K2289: Using advanced tcpdump filters Non-Diagnostic Original Publication Date: May 17, 2007 Update Date: Sep 21, 2017 Topic Introduction Filtering for packets using specific TCP flags headers Filtering
More informationDENIAL OF SERVICE ATTACKS
DENIAL OF SERVICE ATTACKS Ezell Frazier EIS 4316 November 6, 2016 Contents 7.1 Denial of Service... 2 7.2 Targets of DoS attacks... 2 7.3 Purpose of flood attacks... 2 7.4 Packets used during flood attacks...
More informationEEC-682/782 Computer Networks I
EEC-682/782 Computer Networks I Lecture 16 Wenbing Zhao w.zhao1@csuohio.edu http://academic.csuohio.edu/zhao_w/teaching/eec682.htm (Lecture nodes are based on materials supplied by Dr. Louise Moser at
More informationARP Inspection and the MAC Address Table for Transparent Firewall Mode
ARP Inspection and the MAC Address Table for Transparent Firewall Mode This chapter describes how to customize the MAC address table and configure ARP Inspection for bridge groups. About ARP Inspection
More informationCSc 466/566. Computer Security. 18 : Network Security Introduction
1/81 CSc 466/566 Computer Security 18 : Network Security Introduction Version: 2012/05/03 13:57:28 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg
More informationAn active intrusion-confronting system using fake session and honeypot
An active intrusion-confronting system using fake session and honeypot Myung-Sub Lee, Chang-Hyeon Park Department of Computer Engineering Yeungnam University, #214-1, Dae-dong, Kyungsan, Kyungbuk, 712-749,
More informationQUIZ: Longest Matching Prefix
QUIZ: Longest Matching Prefix A router has the following routing table: 10.50.42.0 /24 Send out on interface Z 10.50.20.0 /24 Send out on interface A 10.50.24.0 /22 Send out on interface B 10.50.20.0 /22
More informationECE 435 Network Engineering Lecture 9
ECE 435 Network Engineering Lecture 9 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 2 October 2018 Announcements HW#4 was posted, due Thursday 1 HW#3 Review md5sum/encryption,
More informationECE 435 Network Engineering Lecture 10
ECE 435 Network Engineering Lecture 10 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 28 September 2017 Announcements HW#4 was due HW#5 will be posted. midterm/fall break You
More informationDefending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial
Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Paper by Rocky K C Chang, The Hong Kong Polytechnic University Published in the October 2002 issue of IEEE Communications
More informationII. Principles of Computer Communications Network and Transport Layer
II. Principles of Computer Communications Network and Transport Layer A. Internet Protocol (IP) IPv4 Header An IP datagram consists of a header part and a text part. The header has a 20-byte fixed part
More informationDistributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013
Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive
More informationTSIN02 - Internetworking
Lecture 4: Outline Literature: Lecture 4: Transport Layer Forouzan: ch 11-12 RFC? Transport layer introduction UDP TCP 2004 Image Coding Group, Linköpings Universitet 2 The Transport Layer Transport layer
More informationImplementing Firewall Technologies
Implementing Firewall Technologies Network firewalls separate protected from non-protected areas preventing unauthorized users from accessing protected network resources. Technologies used: ACLs Standard,
More informationDenial Of Service Attacks
FISTConference October 2004 Denial Of Service Attacks Gabriel Verdejo Alvarez (gaby@tau.uab.es) Barcelona INDEX Speaker s introduction. Denial Of Service attacks (DOS). Examples. Distributed Denial of
More informationEthernet Wrapper: Extension of the TCP Wrapper
Ethernet Wrapper: Extension of the TCP Wrapper MoonSang Kwon, Jiman Hong, Yookun Cho System Software Research Lab. Dept. of Computer Science and Engineering Seoul National University, 151 742, Seoul, Korea
More informationComputer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key
Computer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key DAY CLASS Dr. William M. Farmer DURATION OF EXAMINATION: 2 Hours MCMASTER UNIVERSITY FINAL EXAMINATION April 2008 THIS EXAMINATION
More informationHands-On Ethical Hacking and Network Defense
Hands-On Ethical Hacking and Network Defense Chapter 2 TCP/IP Concepts Review Last modified 1-11-17 Objectives Describe the TCP/IP protocol stack Explain the basic concepts of IP addressing Explain the
More informationDenial of Service, Traceback and Anonymity
Purdue University Center for Education and Research in Information Assurance and Security Denial of Service, Traceback and Anonymity Clay Shields Assistant Professor of Computer Sciences CERIAS Network
More informationDan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University
Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University Why ICMP? UDP and TDP are not designed to report errors Provide a simple way to report errors between
More informationApplied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.
Applied IT Security System Security Dr. Stephan Spitz Stephan.Spitz@de.gi-de.com Overview & Basics System Security Network Protocols and the Internet Operating Systems and Applications Operating System
More informationTSIN02 - Internetworking
Lecture 4: Transport Layer Literature: Forouzan: ch 11-12 2004 Image Coding Group, Linköpings Universitet Lecture 4: Outline Transport layer responsibilities UDP TCP 2 Transport layer in OSI model Figure
More information