NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Learning Objectives
Students should be able to:
- Recognize different mechanisms for ARP poisoning and session hijacking.
- Identify vulnerabilities associated with these types of attacks.
- Decide upon defenses to protect against these attacks.

ARP
- Each node connected to the Ethernet LAN has two addresses: a MAC address and an IP address.
- The MAC address is hardwired into the node's network interface card (NIC). MAC addresses are globally unique, and it is with this address that the Ethernet protocol sends data back and forth. Ethernet builds data frames that contain the MAC addresses of the source and destination computers.
- The IP address is a virtual address and is assigned by software. IP communicates by constructing packets, which differ from the frame structure. These packets are delivered by the network layer (Ethernet), which splits the packets into frames, adds an Ethernet header and sends them to a network component.

ARP
- IP and Ethernet work together: IP packets are sent over Ethernet.
- Ethernet devices do not understand 32-bit IPv4 addresses; they transmit Ethernet frames addressed with 48-bit Ethernet (MAC) addresses.
- An Ethernet frame is built from an IP packet, but constructing the frame requires the MAC address of the destination computer. The IP driver must therefore translate an IP destination address into an Ethernet destination address.
- The Address Resolution Protocol (ARP) is used to determine these mappings. For efficiency, ARP allows the address translations to be cached in the routers.

ARP
- There is considerable risk here if untrusted nodes have write access to the local net. Such a machine could emit phony ARP queries or replies and divert all traffic to itself; it could then either impersonate some machines or simply modify the data streams en passant. This is called ARP spoofing.

ARP Poisoning
- In ARP poisoning the hacker updates the target computer's ARP cache with forged ARP request and reply packets, in an effort to change the MAC address to one that the attacker can monitor.
- Since the ARP replies are forged, the target computer sends frames that were meant for the original destination to the attacker's computer first, so the frames can be read.
- A successful ARP poisoning attempt is invisible to the user.

ARP Poisoning
Static ARP table entries:
- Scalability issues: practical for critical machines only; separate servers from workstations.
- "Permanent" is not always permanent: depends on the RFC compliance of the host's ARP implementation.
- Network segmentation: economic factors and added complexity.
Attack detection:
- Packet anomalies: Ethernet header fields and ARP payload fields do not match.
- ARP traffic anomalies: monitor for ARP reply/request matches; monitor ARP traffic for abnormally high percentages of certain MAC addresses.
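The three detection checks on this slide, implemented over constructed sample traffic (an added example, not code from the original slides). Frames are plain dictionaries standing in for parsed Ethernet+ARP headers; the thresholds and the "pending request" bookkeeping are assumptions of this example, not the slide's.

```python
from collections import Counter, defaultdict

REQUEST, REPLY = 1, 2  # ARP opcodes

def frame(eth_src, op, sha, spa, tha, tpa):
    """Constructed stand-in for a parsed Ethernet+ARP frame (not a real capture)."""
    return {"eth_src": eth_src, "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def analyse_arp(frames, share_threshold=0.5, min_frames=5):
    """Return (frame_index, kind, detail) findings; index -1 marks a traffic-wide finding."""
    findings = []
    pending = defaultdict(set)  # requester IP -> IPs it asked about and has not heard back on
    for i, f in enumerate(frames):
        # "Ethernet fields / ARP fields do not match": the Ethernet source MAC and the
        # ARP sender hardware address should name the same NIC.
        if f["eth_src"] != f["sha"]:
            findings.append((i, "mismatch", "eth src %s vs ARP sha %s" % (f["eth_src"], f["sha"])))
        if f["op"] == REQUEST:
            pending[f["spa"]].add(f["tpa"])
        elif f["op"] == REPLY:
            # "Monitor for ARP reply/request matches": a reply should answer a request the
            # target actually sent; a poisoner's replies answer nothing.
            if f["spa"] in pending[f["tpa"]]:
                pending[f["tpa"]].discard(f["spa"])
            else:
                findings.append((i, "unsolicited", "%s is-at %s, sent to %s" % (f["spa"], f["sha"], f["tpa"])))
    # "Abnormally high percentage of certain MAC addresses" among ARP frames.
    total = len(frames)
    if total >= min_frames:
        for mac, n in Counter(f["eth_src"] for f in frames).items():
            if n / total > share_threshold:
                findings.append((-1, "dominant", "%s sent %d of %d ARP frames" % (mac, n, total)))
    return findings

# Constructed sample traffic: one legitimate exchange, then three poisoning replies.
GW_IP, VICTIM_IP = "10.0.0.1", "10.0.0.7"
GW_MAC, VICTIM_MAC, EVIL_MAC = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:07", "cc:cc:cc:00:00:99"
SAMPLE_FRAMES = [
    frame(VICTIM_MAC, REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GW_IP),  # who has 10.0.0.1?
    frame(GW_MAC, REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),                     # genuine answer
    frame(EVIL_MAC, REPLY, EVIL_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),                 # forged: GW is-at EVIL
    frame(EVIL_MAC, REPLY, EVIL_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),                 # repeated
    frame(EVIL_MAC, REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),                   # ARP sha != frame src
]

if __name__ == "__main__":
    for idx, kind, detail in analyse_arp(SAMPLE_FRAMES):
        print(idx, kind, detail)
```

Hosts that announce themselves with gratuitous ARP on boot will trip the "unsolicited" check, so a real deployment baselines that behaviour and applies the MAC-share check over a sliding time window rather than the whole capture.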

Session Hijacking: Definitions
- Definition: the hacker takes over an existing active session and exploits the existing trust relationship.
- Process:
  - The user makes a connection to the server by authenticating with his user ID and password.
  - After the user authenticates, the user has access to the server for as long as the session lasts.
  - The hacker takes the user offline by denial of service.
  - The hacker gains access to the server by impersonating the user.
- Typical behaviors: the attacker usually monitors the session, periodically injects commands into the session, and can launch passive and active attacks from the session.

Session Hijacking: Process
[Diagram: Bob telnets to the Server and authenticates to it; the Attacker sends "Die!" to Bob and then "Hi! I am Bob" to the Server.]
Protection: use encryption; use a secure protocol; limit incoming connections; minimize remote access; have strong authentication.

Session Hijacking: Process
- Reliable transport: at the sending end the file is broken into packets; at the receiving end the packets are assembled back into the file.
- Sequence numbers are 32-bit counters used to:
  - tell the receiving machine the correct order of the packets;
  - tell the sender which packets have been received and which are lost.
- The receiver and the sender each have their own sequence numbers.

Session Hijacking: Process
- When two parties communicate, the following are needed: IP addresses, port numbers and sequence numbers.
- IP addresses and port numbers are easily available; the hacker usually has to make educated guesses at the sequence number.
- Once the attacker gets the server to accept the guessed sequence number, he can hijack the session.
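A Python model of the receive side described on the two "Process" slides (an added example, not from the original slides): sequence numbers put segments back in order, and a segment is only taken in when its sequence number lands inside the receive window, which is what "getting the server to accept the guessed sequence number" amounts to. The class name, the window size and the simplified acceptability test (no overlap handling, unlike RFC 793) are this example's assumptions.

```python
class Receiver:
    """Receive side of one TCP connection, reduced to sequence-number bookkeeping."""
    MOD = 2 ** 32  # sequence numbers are 32-bit counters and wrap around

    def __init__(self, isn, window=65535):
        self.rcv_nxt = (isn + 1) % self.MOD  # the SYN consumed the initial sequence number
        self.window = window
        self.out_of_order = {}               # seq -> payload, waiting for the gap to close
        self.delivered = b""                 # bytes handed to the application, in order

    def accept(self, seq, payload):
        """True if the segment was taken in (delivered or buffered), False if dropped."""
        if (seq - self.rcv_nxt) % self.MOD >= self.window:
            return False  # outside the window: silently discarded, as a wrong guess is
        self.out_of_order[seq] = payload
        while self.rcv_nxt in self.out_of_order:  # deliver everything now contiguous
            data = self.out_of_order.pop(self.rcv_nxt)
            self.delivered += data
            self.rcv_nxt = (self.rcv_nxt + len(data)) % self.MOD
        return True


def guessed_sequence_accepted(isn, guessed_seq, window=65535):
    """Would a segment carrying guessed_seq be accepted on a fresh connection with this ISN?
    An attacker monitoring the session knows the number; a blind guess lands in the
    window with probability window / 2**32, which is why ISNs must be unpredictable."""
    return Receiver(isn, window).accept(guessed_seq, b"injected")


def demo():
    """Reassembly: an early segment is buffered until the gap before it is filled."""
    r = Receiver(isn=1000)
    r.accept(1001, b"GET ")       # in order: delivered immediately, rcv_nxt -> 1005
    r.accept(1007, b"HTTP/1.0")   # arrives early: buffered
    r.accept(1005, b"/ ")         # fills the gap, releasing the buffered segment
    return r.delivered, r.rcv_nxt


if __name__ == "__main__":
    print(demo())
    print(guessed_sequence_accepted(isn=123456, guessed_seq=123457))
```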

Session Hijacking: Popular Programs
- Juggernaut: a network sniffer that can also be used for hijacking. Available from http://packetstorm.securify.com
- Hunt: can be used to listen to, intercept and hijack active sessions on a network. http://lin.fsid.cvut.cz/~kra/index.html
- TTY Watcher: a freeware program to monitor and hijack sessions on a single host. http://www.cerias.purdue.edu
- IP Watcher: a commercial session hijacking tool based on TTY Watcher. http://www.engrade.com

Session Hijacking: Protection
- Use encryption.
- Use a secure protocol.
- Limit incoming connections.
- Minimize remote access.
- Have strong authentication.

Network Intrusions (Other): Summary
- The network protocols were not designed with intrinsic security.
- Weaknesses in the protocols can be exploited to launch attacks.
- Two attacks have been discussed: ARP attacks and session hijacking attacks.