Title: Chapter 1: Foundation
Security in Computing, 4th Ed, Pfleeger
Chapter 7
Security in Networks
Part 1: Threats in Networks
Chapter 7. Security in Networks
- In this chapter
- Networks vs. stand-alone applications and environments: differences and similarities
- Threats against networked applications, including denial of service, web site defacements, malicious mobile code, and protocol attacks
- Controls against network attacks: physical security, policies and procedures, and a range of technical controls
- Firewalls: design, capabilities, limitations
- Intrusion detection systems
- Private e-mail: PGP and S/MIME
The Importance of Networks
- We interact with networks daily, when we perform banking transactions, make telephone calls, ride trains and planes, and do many other things.
- Life without networks would be considerably less convenient, and many activities would be impossible.
- Not surprisingly, then, computing networks are attackers' targets of choice.
- Fortunately, your bank, your utility company, and even your Internet service provider take network security very seriously.
- They assess their risks and learn about the latest attack types and defense mechanisms so that they can maintain the protection of their networks.
In This Chapter
- We describe what makes a network similar to and different from an application program or an operating system, which you have studied in earlier chapters.
- You will learn how the concepts of confidentiality, integrity, and availability apply in networked settings.
- You will see that the basic notions of identification and authentication, access control, accountability, and assurance are the basis for network security, just as they have been in other settings.
Network Concepts
- Networks involve not only the pieces but also, importantly, the connections among them.
- Single point of failure vs. resilience (or fault tolerance)
- A single failure fails the system, or you can find ways around it!
- Complex routing algorithms reroute the flow not just around failures but also around overloaded segments.
Network Views
Figure: Simple View vs. Complex View.
Environment of Use
- Although some networks are located in protected spaces (for example, a local area network in a single laboratory or office), at least some portion of most networks is exposed, often to total strangers.
Network Characteristics
- Anonymity. You may have seen the cartoon image that shows a dog typing at a workstation and saying to another dog, "On the Internet, nobody knows you're a dog."
Network Characteristics
- Automation. In some networks, one or both endpoints, as well as all intermediate points, involved in a given communication may be machines with only minimal human supervision.
- Distance. Many networks connect endpoints that are physically far apart. Although not all network connections involve distance, the speed of communication is fast enough that humans usually cannot tell whether a remote site is near or far.
Network Characteristics (Cont.)
- Opaqueness. Users cannot distinguish whether they are connected to a node in an office, school, home, or warehouse, or whether the node's computing system is large or small, modest or powerful. In fact, users cannot tell if the current communication involves the same host with which they communicated the last time.
- Routing diversity. To maintain or improve reliability and performance, routings between two endpoints are usually dynamic. That is, the same interaction may follow one path through the network the first time and a very different path the second time. In fact, a query may take a different path from the response that follows a few seconds later.
Threats in Networks
- Threats aim to compromise confidentiality, integrity, or availability; they are applied against data, software, and hardware by nature, accidents, nonmalicious humans, and malicious attackers.
What Makes a Network Vulnerable?
- Consider how a network differs from a stand-alone environment
- Anonymity. An attacker can mount an attack from thousands of miles away and never come into direct contact with the system, its administrators, or users. The potential attacker is thus safe behind an electronic shield. The attack can be passed through many other hosts in an effort to disguise the attack's origin.
- Many points of attack (both targets and origins). A simple computing system is a self-contained unit. Access controls on one machine preserve the confidentiality of data on that processor. However, when a file is stored in a network host remote from the user, the data or the file itself may pass through many hosts to get to the user. One host's administrator may enforce rigorous security policies, but that administrator has no control over other hosts in the network. Thus, the user must depend on the access control mechanisms in each of these systems. An attack can come from any host to any host, so that a large network offers many points of vulnerability.
What Makes a Network Vulnerable? (Cont.)
- Consider how a network differs from a stand-alone environment
- Sharing. Because networks enable resource and workload sharing, more users have the potential to access networked systems than on single computers. Perhaps worse, access is afforded to more systems, so that access controls for single systems may be inadequate in networks.
- Complexity of system. A network combines two or more possibly dissimilar operating systems. Therefore, a network operating/control system is likely to be more complex than an operating system for a single computing system. And because an average computer is so powerful, most users do not know what their computers are really doing at any moment. This complexity diminishes confidence in the network's security.
What Makes a Network Vulnerable? (Cont.)
- Consider how a network differs from a stand-alone environment
- Unknown perimeter. A network's expandability also implies uncertainty about the network boundary. One host may be a node on two different networks, so resources on one network are accessible to the users of the other network as well. Although wide accessibility is an advantage, this unknown or uncontrolled group of possibly malicious users is a security disadvantage. A similar problem occurs when new hosts can be added to the network. Every network node must be able to react to the possible presence of new, untrustable hosts. Figure 7-11 points out the problems in defining the boundaries of a network. Notice, for example, that a user on a host in network D may be unaware of the potential connections from users of networks A and B. And the host in the middle of networks A and B in fact belongs to A, B, C, and E. If there are different security rules for these networks, to what rules is that host subject?
What Makes a Network Vulnerable? (Cont.)
- Consider how a network differs from a stand-alone environment
- Unknown perimeter.
Figure 7-11 Unclear Network Boundaries.
What Makes a Network Vulnerable? (Cont.)
- Consider how a network differs from a stand-alone environment
- Unknown path. Figure 7-12 illustrates that there may be many paths from one host to another. Suppose that a user on host A1 wants to send a message to a user on host B3. That message might be routed through hosts C or D before arriving at host B3. Host C may provide acceptable security, but not D. Network users seldom have control over the routing of their messages.
Figure 7-12 Uncertain Message Routing in a Network.
Attackers' Motives
- Challenge or power, fame, money, and ideology.
- Challenge: Some attackers enjoy the intellectual stimulation of defeating the supposedly undefeatable. However, the vast majority of attackers repeat well-known and even well-documented attacks.
- Fame: Other attackers seek recognition for their activities. That is, part of the challenge is doing the deed; another part is taking credit for it.
- Money and Espionage: Financial reward motivates attackers (read the book for some examples).
- Ideology: Many security analysts believe that the Code Red worm of 2001 was launched by a group motivated by the tension in U.S.-China relations.
Reconnaissance
- We turn to how attackers perpetrate their attacks.
- Attackers do not ordinarily sit down at a terminal and launch an attack.
- A clever attacker investigates and plans before acting.
- A network attacker learns a lot about a potential target before beginning the attack.
- We study the precursors to an attack so that, if we can recognize characteristic behavior, we may be able to block the attack before it is launched.
- Because most vulnerable networks are connected to the Internet, the attacker begins preparation by finding out as much as possible about the target.
Port Scan
- A program that, for a particular IP address, reports which ports respond to messages and which of several known vulnerabilities seem to be present.
- Port scanning tells an attacker three things:
- which standard ports or services are running and responding on the target system
- what operating system is installed on the target system
- what applications and versions of applications are present.
- This information is readily available for the asking from a networked system.
- It can be obtained quietly, anonymously, without identification or authentication, drawing little or no attention to the scan.
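The slide says a scan draws "little or no attention"; the defender's answer is to log connection attempts and count them. The following is an added example, not from the book, that reads constructed firewall-style log lines and flags any source that touches many distinct ports on one host within a short window; the log format, addresses and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from the book). 203.0.113.7 probes twelve
# different ports on 192.0.2.10 within a few seconds; 198.51.100.5 is an
# ordinary client that uses two ports over the same period.
SAMPLE_LOG = """\
2024-05-01T10:00:01 SRC=203.0.113.7 DST=192.0.2.10 DPT=21 DROP
2024-05-01T10:00:01 SRC=203.0.113.7 DST=192.0.2.10 DPT=22 ACCEPT
2024-05-01T10:00:02 SRC=203.0.113.7 DST=192.0.2.10 DPT=23 DROP
2024-05-01T10:00:02 SRC=198.51.100.5 DST=192.0.2.10 DPT=80 ACCEPT
2024-05-01T10:00:02 SRC=203.0.113.7 DST=192.0.2.10 DPT=25 ACCEPT
2024-05-01T10:00:03 SRC=203.0.113.7 DST=192.0.2.10 DPT=53 DROP
2024-05-01T10:00:03 SRC=203.0.113.7 DST=192.0.2.10 DPT=80 ACCEPT
2024-05-01T10:00:04 SRC=203.0.113.7 DST=192.0.2.10 DPT=110 DROP
2024-05-01T10:00:04 SRC=198.51.100.5 DST=192.0.2.10 DPT=443 ACCEPT
2024-05-01T10:00:05 SRC=203.0.113.7 DST=192.0.2.10 DPT=111 DROP
2024-05-01T10:00:05 SRC=203.0.113.7 DST=192.0.2.10 DPT=139 DROP
2024-05-01T10:00:06 SRC=203.0.113.7 DST=192.0.2.10 DPT=143 DROP
2024-05-01T10:00:06 SRC=203.0.113.7 DST=192.0.2.10 DPT=443 ACCEPT
2024-05-01T10:00:07 SRC=203.0.113.7 DST=192.0.2.10 DPT=445 DROP
2024-05-01T10:00:40 SRC=198.51.100.5 DST=192.0.2.10 DPT=80 ACCEPT
"""

# Assumed line layout: ISO timestamp, source, destination, destination port, action.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, port, action), or None for a line that
    does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
            int(m["dpt"]), m["action"])


def detect_port_scans(log_text, window_seconds=60, min_distinct_ports=10):
    """Flag (src, dst) pairs where one source touched at least
    min_distinct_ports distinct ports on one host inside any sliding window
    of window_seconds.  Both ACCEPT and DROP count: a scan hits open and
    closed ports alike.  Returns {(src, dst): peak distinct ports seen}."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    windows = defaultdict(deque)        # (src, dst) -> deque of (time, port)
    port_counts = defaultdict(Counter)  # (src, dst) -> ports currently in window
    peak = defaultdict(int)
    for ts, src, dst, port, _action in events:
        key = (src, dst)
        q, counts = windows[key], port_counts[key]
        q.append((ts, port))
        counts[port] += 1
        # Drop events that have slid out of the window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            old_ts, old_port = q.popleft()
            counts[old_port] -= 1
            if counts[old_port] == 0:
                del counts[old_port]
        peak[key] = max(peak[key], len(counts))
    return {k: v for k, v in peak.items() if v >= min_distinct_ports}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {ports} distinct ports in 60 s")
```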
Social Engineering
- Social engineering involves using social skills and personal interaction to get someone to reveal security-relevant information and perhaps even to do something that permits an attack.
- The point of social engineering is to persuade the victim to be helpful.
- The attacker often impersonates someone inside the organization who is in a bind.
- Ex., "I have to get out a very important report quickly and I can't get access to the following thing."
- This attack works especially well if the attacker impersonates someone in a high position.
- We as humans like to help others when asked politely.
Intelligence
- From a port scan the attacker knows what is open. From social engineering, the attacker knows certain internal details.
- But a more detailed floor plan would be nice.
- Intelligence is the general term for collecting information. In security it often refers to gathering discrete bits of information from various sources and then putting them together like the pieces of a puzzle.
- One commonly used intelligence technique is called "dumpster diving."
- It involves looking through items that have been discarded in rubbish bins or recycling boxes.
- It is amazing what we throw away without thinking about it.
- Gathering intelligence may also involve eavesdropping.
- Trained spies may follow employees to lunch and listen in from nearby tables as coworkers discuss security matters. Or spies may befriend key personnel in order to co-opt, coerce, or trick them into passing on useful information.
Operating System and Application Fingerprinting
- An attacker can use a port scan to find out that port 80 is open and supports HTTP, the protocol for transmitting web pages.
- Related information: which commercial server application is running, what version, and what the underlying operating system and version are.
- The network protocols are standard and vendor independent.
- Still, each vendor's code is implemented independently, so there may be minor variations in interpretation and behavior.
- Ex., coordinating sequence numbers to implement the connection of a TCP session.
- Some implementations respond with a given sequence number, others respond with the number one greater, and others respond with an unrelated number.
Operating System and Application Fingerprinting
- Also, new features offer a strong clue: a new version will implement a new feature, but an old version will reject the request.
- Sometimes the application identifies itself. Usually a client-server interaction is handled completely within the application according to protocol rules: "Please send me this page." "OK, but run this support code." "Thanks, I just did."
- The attacker might use an application to send meaningless messages to another application.
- Ports such as 80 (HTTP), 25 (SMTP), 110 (POP), and 21 (FTP) may respond with something like:
- Server: Netscape-Commerce/1.12 Your browser sent a non-HTTP compliant message.
- or
- Microsoft ESMTP MAIL Service, Version: 5.0.2195.3779
Bulletin Boards and Chats
- Numerous underground bulletin boards and chat rooms support exchange of information.
- Attackers can post their latest exploits and techniques, read what others have done, and search for additional information on systems, applications, or sites.
Availability of Documentation
- The vendors themselves sometimes distribute information that is useful to an attacker.
- For example, Microsoft produces a resource kit by which application vendors can investigate a Microsoft product in order to develop compatible, complementary applications.
- This toolkit also gives attackers tools to use in investigating a product that can subsequently be the target of an attack.
Reconnaissance: Concluding Remarks
- A good thief, that is, a successful one, spends time understanding the context of the target.
- The best defense against reconnaissance is silence.
- Give out as little information about your site as possible, whether by humans or machines.
Threats in Transit: Eavesdropping and Wiretapping
- Because a network involves data in transit, we look first at the harm that can occur between a sender and a receiver.
- The easiest way to attack is simply to listen in.
- An attacker can pick off the content of a communication passing in the clear.
- The term eavesdrop implies overhearing without expending any extra effort.
- A more hostile term is wiretap, which means intercepting communications through some effort.
- Passive wiretapping is just "listening," much like eavesdropping.
- But active wiretapping means injecting something into the communication.
- A wiretap can be done covertly so that neither the sender nor the receiver of a communication knows that the contents have been intercepted.
Wiretapping
- Wiretapping works differently depending on the communication medium used.
- Cable, WiFi, Microwave, Satellite, Fiber Optics
Cable
- Putting the network interface card (NIC) in promiscuous mode
- The card allows all frames through, thus allowing the computer to read frames intended for other machines or network devices.
- A device called a packet sniffer can retrieve all packets on the LAN.
- Ordinary wire (and many other electronic components) emits radiation. By a process called inductance an intruder can tap a wire and read radiated signals without making physical contact with the cable.
Wireless (WiFi)
- Wireless networking is becoming very popular, with good reason.
- With wireless (also known as WiFi), people are not tied to a wired connection.
- They are free to roam throughout an office, house, or building while maintaining a connection.
- A wireless signal is strong for approximately 100 to 200 feet.
- The difficulties of wireless arise in the ability of intruders to intercept and spoof a connection.
- You may react to that threat by assuming that encryption will address it. Unfortunately, encryption is not always used for wireless communication, and the encryption built into some wireless devices is not as strong as it should be to deter a dedicated attacker.
Wireless (WiFi)
- Theft of Service
- Wireless also admits a second problem: the possibility of rogue use of a network connection.
- Many hosts run the Dynamic Host Configuration Protocol (DHCP), by which a client negotiates a one-time IP address and connectivity with a host.
- Unless the host authenticates users before assigning a connection, any requesting client is assigned an IP address and network access.
- But is it legal? In separate cases, Benjamin Smith III in Florida in July 2005 and Dennis Kauchak in Illinois in March 2006 were convicted of remotely accessing a computer wirelessly without the owner's permission. Kauchak was sentenced to a $250 fine.
- So, even though you are able to connect, it may not be legal to do so.
Summary of Wiretapping
- There are many points at which network traffic is available to an interceptor.
- From a security standpoint, you should assume that all communication links between network nodes can be broken.
- For this reason, commercial network users employ encryption to protect the confidentiality of their communications, as we demonstrate later in this chapter.
Protocol Flaws
- Internet protocols are publicly posted for scrutiny by the entire Internet community.
- Each accepted protocol is known by its Request for Comment (RFC) number.
- But protocol definitions are made and reviewed by fallible humans. Likewise, protocols are implemented by fallible humans.
- For example, TCP connections are established through sequence numbers. The client (initiator) sends a sequence number to open a connection, the server responds with that number and a sequence number of its own, and the client responds with the server's sequence number. Suppose (as pointed out by Morris) someone can guess a client's next sequence number. That person could impersonate the client in an interchange.
Impersonation
- In many instances, there is an easier way than wiretapping for obtaining information on a network:
- Impersonate another person or process
- In an impersonation, an attacker has several choices:
- Authentication Foiled by Guessing
- Authentication Foiled by Eavesdropping or Wiretapping
- Authentication Foiled by Avoidance
- Nonexistent Authentication
Spoofing
- When an attacker falsely carries on one end of a networked interchange.
- Examples of spoofing are masquerading, session hijacking, and man-in-the-middle attacks.
Masquerade
- In a masquerade one host pretends to be another.
- A common example is URL confusion.
- Domain names can easily be confused, or someone can easily mistype certain names.
- Thus xyz.com, xyz.org, and xyz.net might be three different organizations, or one bona fide organization (for example, xyz.com) and two masquerade attempts from someone who registered the similar domain names.
- Names with or without hyphens (coca-cola.com versus cocacola.com) and easily mistyped names (l0pht.com versus lopht.com, or citibank.com versus citybank.com) are candidates for masquerading.
- A variation of this attack is called phishing. You send an e-mail message, perhaps with the real logo of Blue Bank, and an enticement to click on a link, supposedly to take the victim to the Blue Bank web site.
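An added example, not from the book, that checks a domain name against a list of trusted names using exactly the confusions listed above: a different suffix, a dropped hyphen, a digit standing in for a letter, and a one-character typo. The trusted list, the confusable map, and the thresholds are assumptions made for the example.

```python
# Trusted domains a (constructed) organization wants to protect; these are
# the slide's own examples plus Blue Bank's assumed domain.
TRUSTED = sorted({"xyz.com", "coca-cola.com", "l0pht.com", "citibank.com", "bluebank.com"})

# Assumed confusable map: digits that look like letters, and hyphens dropped.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})


def split_domain(domain):
    """Return (registrable label, suffix): 'www.xyz.org' -> ('xyz', 'org').
    Assumes a one-label public suffix such as .com/.org/.net."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def normalize_label(label):
    """Fold look-alike characters so l0pht == lopht and coca-cola == cocacola."""
    return label.lower().translate(CONFUSABLES)


def levenshtein(a, b):
    """Edit distance; a distance of 1 catches typos such as citi vs. city."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return ('trusted', d) for a trusted domain or one of its subdomains,
    ('lookalike', d) naming the trusted domain it resembles, or
    ('unrelated', None)."""
    reg = split_domain(domain)
    for t in TRUSTED:
        if reg == split_domain(t):
            return "trusted", t
    label = normalize_label(reg[0])
    for t in TRUSTED:
        t_label = normalize_label(split_domain(t)[0])
        same = label == t_label                          # xyz.org vs xyz.com
        typo = levenshtein(label, t_label) <= 1          # citybank vs citibank
        embeds = len(t_label) >= 6 and t_label in label  # bluebank-login vs bluebank
        if same or typo or embeds:
            return "lookalike", t
    return "unrelated", None


if __name__ == "__main__":
    for d in ["xyz.org", "cocacola.com", "lopht.com", "citybank.com", "example.com"]:
        print(d, "->", classify(d))
```

The containment rule (a trusted label embedded in a longer one) goes a step beyond the slide's examples; it is a common phishing pattern, but short labels are excluded from it to limit false positives.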
Session Hijacking
- Session hijacking is intercepting and carrying on a session begun by another entity.
- Suppose two entities have entered into a session but then a third entity intercepts the traffic and carries on the session in the name of the other.
Man-in-the-Middle Attack
- Our hijacking example requires a third party involved in a session between two entities.
- A man-in-the-middle attack is a similar form of attack, in which one entity intrudes between two others.
- The difference between man-in-the-middle and hijacking is that a man-in-the-middle usually participates from the start of the session, whereas a session hijacking occurs after a session has been established. The difference is largely semantic and not too significant.
Man-in-the-Middle Attack
- Man-in-the-middle attacks are frequently described in protocols.
- To see how an attack works:
- Suppose you want to exchange encrypted information with your friend.
- You contact the key server and ask for a secret key with which to communicate with your friend.
- The key server responds by sending a key to you and your friend.
- One man-in-the-middle attack assumes someone can see and enter into all parts of this protocol.
- A malicious middleman intercepts the response key and can then eavesdrop on, or even decrypt, modify, and reencrypt any subsequent communications between you and your friend.
Man-in-the-Middle Attack
Figure 7-15 Key Interception by a Man-in-the-Middle Attack.
Man-in-the-Middle Attack
- Man-in-the-middle attacks on public keys
- The man-in-the-middle intercepts your request to the key server and instead asks for your friend's public key.
- The man-in-the-middle passes to you his own public key, not your friend's.
- You encrypt using the public key you received (from the man-in-the-middle).
- The man-in-the-middle intercepts and decrypts, reads, and reencrypts using your friend's public key, and your friend receives the message.
- In this way, the man-in-the-middle reads the messages and neither you nor your friend is aware of the interception.
Message Confidentiality Threats
- Eavesdropping and impersonation attacks can lead to a confidentiality or integrity failure.
- Here we consider several other vulnerabilities that can affect confidentiality.
- Misdelivery
- A destination address is modified or some handler malfunctions, causing a message to be delivered to someone other than the intended recipient.
- Exposure
- Intercepting the message at its source, destination, or at any intermediate node can lead to its exposure.
- Traffic Flow Analysis
- Sometimes not only is the message itself sensitive but the fact that a message exists is also sensitive.
Message Integrity Threats
- Falsification of Messages
- change some or all of the content of a message
- replace a message entirely, including the date, time, and sender/receiver identification
- reuse (replay) an old message
- combine pieces of different messages into one
- change the apparent source of a message
- redirect a message
- destroy or delete a message
- Noise
- Signals sent over communications media are subject to interference from other traffic on the same media.
Format Failures
- Malformed Packets
- Packets and other data items have specific formats, depending on their use.
- Field sizes, bits to signal continuations, and other flags have defined meanings and will be processed appropriately by network service applications called protocol handlers.
- These services do not necessarily check for errors, however.
- For example, in 2003 Microsoft distributed a patch for its RPC (Remote Procedure Call) service. If a malicious user initiated an RPC session and then sent an incorrectly formatted packet, the entire RPC service failed, as well as some other Microsoft services.
- Attackers try all sorts of malformations of packets.
- The result can be denial of service, complete failure of the system, or some other serious result.
Format Failures
- Protocol Failures and Implementation Flaws
- Certain network protocol implementations have been the source of many security flaws.
- Examples: SNMP (network management), DNS (addressing service), and e-mail services such as SMTP and S/MIME.
- The protocol itself may be incomplete. If the protocol does not specify what action to take in a particular situation, vendors may produce different results. So an interaction on Windows, for example, might succeed while the same interaction on a Unix system would fail.
Web Site Vulnerabilities
- A web site is especially vulnerable because it is almost completely exposed to the user.
- In short, the attacker has some advantages that can be challenging to control.
- If you use an application program, you do not usually get to view the program's code.
- With a web site, the attacker can download the site's code for offline study over time.
- With a program, you have little ability to control in what order you access parts of the program.
- But a web attacker gets to control in what order pages are accessed.
- The attacker can also choose what data to supply and can run experiments with different data values to see how the site will react.
Web Site Vulnerabilities
- The list of web site vulnerabilities is too long to explore completely here.
- Web Site Defacement
- Because of the large number of sites that have been defaced and the visibility of the result, the attacks are often reported in the popular press.
- A defacement is common not only because of its visibility but also because of the ease with which one can be done.
- Web sites are designed so that their code is downloaded,
- enabling an attacker to obtain the full hypertext document and all programs directed to the client in the loading process.
- An attacker can even view programmers' comments left in as they built or maintained the code.
Web Site Vulnerabilities
- Buffer Overflows
- The attacker simply feeds a program far more data than it expects to receive. A buffer size is exceeded, and the excess data spill over into adjoining code and data locations.
- Some web servers are vulnerable to extremely long parameter fields, such as passwords of length 10,000 or a long URL padded with space or null characters.
Web Site Vulnerabilities
- Dot-Dot-Slash
- Web server code should always run in a constrained environment.
- Ideally, the web server should never have editors, xterm and Telnet programs, or even most system utilities loaded.
- By constraining the environment in this way, even if an attacker escapes from the web server application, no other executable programs will help the attacker use the web server's computer and operating system to extend the attack.
- But many web applications programmers are naïve.
- They expect to need to edit a web application in place, so they install editors and system utilities on the server to give them a complete environment in which to program.
Web Site Vulnerabilities
- Dot-Dot-Slash
- A second, less desirable, condition for preventing an attack is to create a fence confining the web server application.
- With such a fence, the server application cannot escape from its area and access other potentially dangerous system areas (such as editors and utilities).
- The server begins in a particular directory subtree, and everything the server needs is in that same subtree.
- In both Unix and Windows, '..' is the directory indicator for "predecessor." And '../..' is the grandparent of the current location.
- So someone who can enter file names can travel back up the directory tree one .. at a time.
- For example, passing the following URL causes the server to return the requested file, autoexec.nt, enabling an attacker to modify or delete it.
- http://yoursite.com/webhits.htw?CiWebHitsFile=../../../../../winnt/system32/autoexec.nt
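The fence described above, as an added example that is not the book's code: a naive file resolver beside a hardened one that keeps every resolved path under an assumed document root (WEB_ROOT), checked against the file name from the URL above and a few encoded variants of it.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root of the web server (constructed for this example).
WEB_ROOT = "/var/www/site"


def vulnerable_resolve(requested):
    """Naive handler: joins the client-supplied name onto the root and
    normalizes it.  Each '..' component walks one level up, so enough of
    them leave WEB_ROOT entirely."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, requested))


def safe_resolve(requested):
    """Hardened handler: decode, normalize, then refuse any name whose
    resolved path lies outside WEB_ROOT.  Returns the path, or None when
    the request is rejected."""
    name = unquote(requested)            # undo %2e%2e-style encoding once
    if "\0" in name:                     # a NUL byte can truncate names in C-based servers
        return None
    name = name.replace("\\", "/")       # Windows servers accept '\' as a separator too
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, name.lstrip("/")))
    # The fence: the resolved path must be WEB_ROOT itself or live below it.
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    traversal = "../../../../../winnt/system32/autoexec.nt"
    print("naive  :", vulnerable_resolve(traversal))
    print("fenced :", safe_resolve(traversal))
    print("fenced :", safe_resolve("docs/../index.html"))
```

The check is done on the normalized string, so it holds whether or not the target file exists; on a real server the same test must run after every decoding step the server performs, not before them.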
Web Site Vulnerabilities
- Application Code Errors
- The web server passes context strings to the user, making the user's browser reply with full context. A problem arises when the user can modify that context.
- Assume you have selected one CD and are looking at a second web page. The web server has passed you a URL similar to
- http://www.CDs-r-us.com/buy.asp?i1=459012&p1=1599
- This URL means you have chosen CD number 459012, and its price is $15.99. You now select a second and the URL becomes
- http://www.CDs-r-us.com/buy.asp?i1=459012&p1=1599&i2=365217&p2=1499
- You realize that you can edit the URL in the address window of your browser.
- Consequently, you change each of 1599 and 1499 to 199.
- This failure is an example of the time-of-check to time-of-use flaw that we discussed in Chapter 3.
- The server sets (checks) the price of the item when you first display the price, but then it loses control of the checked data item and never checks it again.
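The time-of-check to time-of-use flaw above, as added example code that is not from the book: one handler adds up the p1/p2 prices the browser sends back, the other re-reads each price from an assumed server-side catalog at the time of use and reports any item whose client-supplied price disagrees, so the attempt can be logged.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed server-side catalog (item number -> price in cents).  In a real
# shop this is the database row: the only authoritative source of a price.
CATALOG = {459012: 1599, 365217: 1499}

# The slide's URLs: the one the server built, and the one after the edit.
ORIGINAL_URL = "http://www.CDs-r-us.com/buy.asp?i1=459012&p1=1599&i2=365217&p2=1499"
TAMPERED_URL = "http://www.CDs-r-us.com/buy.asp?i1=459012&p1=199&i2=365217&p2=199"


def _items(url):
    """Yield (item, client_price) for the i1/p1, i2/p2, ... pairs in a URL."""
    qs = parse_qs(urlsplit(url).query)
    n = 1
    while f"i{n}" in qs:
        item = int(qs[f"i{n}"][0])
        client_price = int(qs.get(f"p{n}", ["0"])[0])
        yield item, client_price
        n += 1


def vulnerable_total(url):
    """The book's flaw: the price checked when the page was built comes back
    from the client at time of use and is simply trusted, so whoever edits
    the URL sets the price."""
    return sum(price for _item, price in _items(url))


def hardened_total(url):
    """Re-check every price at time of use.  The client-supplied price is only
    compared, never used.  Returns (total_cents, [item numbers whose
    client price did not match the catalog])."""
    total, tampered = 0, []
    for item, client_price in _items(url):
        if item not in CATALOG:
            raise ValueError(f"unknown item {item}")
        real_price = CATALOG[item]
        if client_price != real_price:
            tampered.append(item)     # worth logging: someone edited the URL
        total += real_price
    return total, tampered


if __name__ == "__main__":
    print("vulnerable, edited URL:", vulnerable_total(TAMPERED_URL))
    print("hardened,   edited URL:", hardened_total(TAMPERED_URL))
```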
Web Site Vulnerabilities
- Server-Side Include
- A more serious problem
- Web pages can be organized to invoke a particular function automatically.
- For example, many pages use web commands to send an e-mail message in the "contact us" part of the displayed page.
- One of the server-side include commands is exec, to execute an arbitrary file on the server. For instance, the server-side include command
- <!--#exec cmd="/usr/bin/telnet &"-->
- opens a Telnet session from the server running in the name of (that is, with the privileges of) the server. An attacker may find it interesting to execute commands such as chmod (change access rights to an object), sh (establish a command shell), or cat (copy to a file).
Denial of Service
- So far, we have discussed attacks that lead to failures of confidentiality or integrity.
- Availability attacks, sometimes called denial-of-service or DoS attacks, are much more significant in networks than in other contexts.
- Transmission Failure
- Communications fail for many reasons.
- A line is cut. Or network noise makes a packet unrecognizable or undeliverable. A machine along the transmission path fails for hardware or software reasons. A device is removed from service for repair or testing. A device is saturated and rejects incoming data until it can clear its overload. Many of these problems are temporary or automatically fixed (circumvented) in major networks, including the Internet.
- From a malicious standpoint, you can see that anyone who can sever, interrupt, or overload capacity to you can deny your service.
Denial of Service (DoS)
- Connection Flooding
- The most primitive denial-of-service attack is flooding a connection.
- If an attacker sends you as much data as your communications system can handle, you are prevented from receiving any other data.
- Some protocols are used to launch connection flooding attacks, such as ICMP. ICMP messages include:
- ping, which requests a destination to return a reply, intended to show that the destination system is reachable and functioning
- echo, which requests a destination to return the data sent to it, intended to show that the connection link is reliable (ping is actually a version of echo)
- destination unreachable, which indicates that a destination address cannot be accessed
- source quench, which means that the destination is becoming saturated and the source should suspend sending packets for a while
Denial of Service (DoS)
- Connection Flooding
- Echo-Chargen
- This attack works between two hosts.
- Chargen is a protocol that generates a stream of packets to test the network's capacity.
- The attacker sets up a chargen process on host A that generates its packets as echo packets with a destination of host B.
- Then, host A produces a stream of packets to which host B replies by echoing them back to host A.
- This series puts the network infrastructures of A and B into an endless loop.
- If the attacker makes B both the source and destination address of the first packet, B hangs in a loop, constantly creating and replying to its own messages.
Denial of Service (DoS)
- Connection Flooding
- Ping of Death
- Since ping requires the recipient to respond to the ping request, all the attacker needs to do is send a flood of pings to the intended victim.
- The ping packets will saturate the victim's bandwidth.
Denial of Service (DoS)
- Connection Flooding
- Smurf
- A variation of a ping attack with two extra twists.
- First, the attacker chooses a network of unwitting victims. The attacker spoofs the source address in the ping packet so that it appears to come from the victim.
- Then, the attacker sends this request to the network in broadcast mode by setting the last byte of the address to all 1s.
Figure 7-16 Smurf Attack.
Denial of Service (DoS)
- Connection Flooding
- SYN Flood
Figure 7-17 Three-Way TCP Connection Handshake.
59 Denial of Service (DoS)
- Connection Flooding
- Syn Flood
- This attack uses the TCP protocol suite, making the session-oriented nature of these protocols work against the victim.
- The destination maintains a queue called the SYN_RECV connections, tracking those items for which a SYN/ACK has been sent but no corresponding ACK has yet been received.
- Normally, these connections are completed in a short time. If the SYN/ACK or the ACK packet is lost, eventually the destination host will time out the incomplete connection and discard it from its waiting queue.
- The attacker can deny service to the target by sending many SYN requests and never responding with ACKs, thereby filling the victim's SYN_RECV queue.
- Typically, the SYN_RECV queue is quite small, such as 10 or 20 entries.
- So the attacker need only send a new SYN request every few seconds and it will fill the queue.
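The following is an added example, not from the textbook or its slides: a small model of the SYN_RECV half-open queue described above, run over a constructed event trace. It shows how a small backlog with a long timeout is exhausted by a slow trickle of unanswered SYNs, so that a legitimate client's SYN is refused, and includes a simple defender-side check for the condition. Queue size (20), timeout (60 s) and all addresses are assumed values.

```python
from collections import OrderedDict
QUEUE_SIZE = 20     # assumed backlog, in the 10-20 entry range the slide mentions
SYN_TIMEOUT = 60.0  # assumed seconds before a half-open entry is discarded

class SynRecvQueue:
    def __init__(self, size=QUEUE_SIZE, timeout=SYN_TIMEOUT):
        # pending: (src_ip, src_port) -> time the SYN/ACK was sent
        self.size, self.timeout, self.pending = size, timeout, OrderedDict()
        self.refused = 0    # SYNs turned away because the queue was full
        self.completed = 0  # handshakes finished with a valid ACK

    def expire(self, now):
        # Discard entries whose SYN/ACK was never answered within the timeout.
        for key, sent in list(self.pending.items()):
            if now - sent >= self.timeout:
                del self.pending[key]

    def on_syn(self, now, src):
        self.expire(now)
        if len(self.pending) >= self.size:
            self.refused += 1    # no slot left: this is the denial of service
            return False
        self.pending[src] = now  # SYN/ACK sent; wait for the third handshake step
        return True

    def on_ack(self, now, src):
        if self.pending.pop(src, None) is None:
            return False         # ACK without a matching half-open entry
        self.completed += 1
        return True

    def flood_suspected(self, fill_ratio=0.8):
        # Defender's check: a nearly full queue of half-open entries from many distinct sources.
        sources = {ip for ip, _ in self.pending}
        return len(self.pending) >= fill_ratio * self.size and len(sources) > self.size // 2

def run_trace(events, size=QUEUE_SIZE, timeout=SYN_TIMEOUT):
    """events: sorted (time, 'SYN'|'ACK', (ip, port)) tuples; returns summary counters."""
    q, peak, alerted = SynRecvQueue(size, timeout), 0, False
    for t, kind, src in events:
        q.on_syn(t, src) if kind == "SYN" else q.on_ack(t, src)
        peak, alerted = max(peak, len(q.pending)), alerted or q.flood_suspected()
    return {"refused": q.refused, "completed": q.completed, "peak": peak, "alerted": alerted}

def build_trace():
    # Constructed trace: one unanswered SYN every 2 s from varying sources for 90 s,
    # plus one legitimate client that tries to complete a handshake at t=75.
    events = [(2.0 * i, "SYN", (f"10.0.0.{i + 1}", 40000 + i)) for i in range(45)]
    events += [(75.0, "SYN", ("192.0.2.10", 5555)), (75.1, "ACK", ("192.0.2.10", 5555))]
    return sorted(events)
```

With these parameters the queue is full from t=38 s on, the legitimate SYN at t=75 is refused, and no handshake completes; shortening the timeout or enlarging the backlog in `run_trace` shows how much each control helps.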
60 Denial of Service (DoS)
- Connection Flooding
- Teardrop
- To support different applications and conditions, the datagram protocol permits a single data unit to be fragmented, that is, broken into pieces and transmitted separately.
- Each fragment indicates its length and relative position within the data unit.
- The receiving end is responsible for reassembling the fragments into a single data unit.
- In the teardrop attack, the attacker sends a series of datagrams that cannot fit together properly.
- In an extreme case, the operating system locks up with these partial data units it cannot reassemble, thus leading to denial of service.
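As an added example (not from the textbook), here is a reassembler that checks fragment geometry before copying any data, so fragments that "cannot fit together" are rejected and logged instead of corrupting memory or hanging the receiver. The fragment tuple (offset, more_fragments, payload) is a simplification of IP's fragment-offset and more-fragments fields, and the sample fragments are constructed for this example.

```python
class FragmentError(ValueError):
    """Raised when fragments cannot describe one consistent datagram."""

def reassemble(fragments, max_total=65535):
    """fragments: (offset, more_fragments, payload) tuples in any order.
    Validates the geometry first, then copies; never trusts lengths implied by the sender."""
    frags = sorted(fragments, key=lambda f: f[0])
    if not frags:
        raise FragmentError("no fragments")
    finals = [f for f in frags if not f[1]]
    if len(finals) != 1 or finals[0] is not frags[-1]:
        raise FragmentError("exactly one final (more_fragments=False) fragment must have the highest offset")
    total = frags[-1][0] + len(frags[-1][2])
    if total > max_total:
        raise FragmentError(f"datagram length {total} exceeds {max_total}")
    buf, covered = bytearray(total), 0   # covered = bytes contiguously filled so far
    for offset, _, payload in frags:
        end = offset + len(payload)
        if offset < 0 or not payload:
            raise FragmentError(f"empty or negative fragment at offset {offset}")
        if end > total:
            raise FragmentError(f"fragment {offset}-{end} runs past declared length {total}")
        if offset != covered:
            kind = "overlaps" if offset < covered else "leaves a gap before"
            raise FragmentError(f"fragment at offset {offset} {kind} data ending at {covered}")
        buf[offset:end] = payload
        covered = end
    return bytes(buf)

def try_reassemble(fragments):
    """Returns (True, datagram) or (False, reason) so a receiver can log and drop."""
    try:
        return True, reassemble(fragments)
    except FragmentError as e:
        return False, str(e)

# Constructed sample fragments (not captured traffic). GOOD arrives out of order but tiles exactly.
GOOD = [(16, True, b"HTTP/1.0\r\n"), (0, True, b"GET /index.html "), (26, False, b"Host: example.test\r\n\r\n")]
# Teardrop-style pair: the second fragment starts inside the first and ends before it does,
# so a naive "copy_len = new_end - previous_end" computation goes negative.
TEARDROP = [(0, True, b"A" * 36), (24, False, b"B" * 4)]
OVERLAP = [(0, True, b"abcd"), (2, True, b"xy"), (4, False, b"z")]
```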
61 Denial of Service (DoS)
- Traffic Redirection
- If an attacker can corrupt the routing, traffic can disappear.
- Routers use complex algorithms to decide how to route traffic.
- No matter the algorithm, they essentially seek the best path (where "best" is measured in some combination of distance, time, cost, quality, and the like).
- Each router advises its neighbors about how well it can reach other network addresses.
- Suppose a router advertises to its neighbors that it has the best path to every other address in the whole network.
- Soon all routers will direct all traffic to that one router.
- The one router may become flooded, or it may simply drop much of its traffic. In either case, a lot of traffic never makes it to the intended destination.
62 Denial of Service (DoS)
- Traffic Redirection
- DNS Attacks
- A domain name server (DNS) is a table that converts domain names like ATT.COM into network addresses like 211.217.74.130; this process is called resolving the domain name.
- A domain name server queries other name servers to resolve domain names it does not know.
- For efficiency, it caches the answers it receives so it can resolve that name more rapidly in the future.
- By overtaking a name server or causing it to cache spurious entries (called DNS cache poisoning), an attacker can redirect the routing of any traffic, with an obvious implication for denial of service.
63 Distributed Denial of Service (DDoS)
- An attacker can construct a two-stage attack that multiplies the effect many times.
- This multiplicative effect gives power to distributed denial of service.
- In the first stage, the attacker uses any convenient attack to plant a Trojan horse on a target machine.
- That Trojan horse may not be noticed.
- The attacker repeats this process with many targets.
- Each of these target systems then becomes what is known as a zombie.
- The target systems carry out their normal work, unaware of the resident zombie.
- In the second stage, the attacker chooses a victim and sends a signal to all the zombies to launch the attack.
- Instead of the victim's trying to defend against one denial-of-service attack from one malicious host, the victim must try to counter n attacks from the n zombies all acting at once.
64 Distributed Denial of Service (DDoS)
Figure 7-18 Distributed Denial-of-Service Attack.
65 Threats in Active or Mobile Code
- Active code or mobile code is a general name for code that is pushed to the client for execution.
- A more efficient use of (server) resources is to download a program that runs on the client's machine.
- You probably are saying to yourself, "You mean a site I don't control, which could easily be hacked by teenagers, is going to push code to my machine that will execute without my knowledge, permission, or oversight?" Welcome to the world of (potentially malicious) mobile code.
- In fact, there are many different kinds of active code, and here we look at the related potential vulnerabilities.
66 Threats in Active or Mobile Code
- Cookies
- Cookies are not active code. They are data files that can be stored and fetched by a remote server.
- However, cookies can be used to cause unexpected data transfer from a client to a server, so they have a role in a loss of confidentiality.
- A cookie is a data object that can be held in memory (a per-session cookie) or stored on disk for future access (a persistent cookie).
- A cookie can hold data such as keystrokes the user types, the machine name, connection details (such as IP address), date and time, and so forth.
- On command a browser will send to a server the cookies saved for it.
67 Threats in Active or Mobile Code
- Cookies
- Per-session cookies are deleted when the browser is closed.
- Persistent cookies are retained until a set expiration date, which can be years in the future.
- Cookies provide context to a server.
- Using cookies, certain web pages can greet you with "Welcome back, James Bond" or reflect your preferences, as in "Shall I ship this order to you at 135 Elm Street?"
- However, anyone possessing someone's cookie becomes that person in some contexts (impersonation).
- What information about you does a cookie contain?
- Even though it is your information, most of the time you cannot tell what is in a cookie, because the cookie's contents are encrypted under a key from the server.
- The philosophy behind cookies seems to be "Trust us, it's good for you."
68 Threats in Active or Mobile Code
- Scripts
- Clients can invoke services by executing scripts on servers.
- Typically, a web browser displays a page.
- As the user interacts with the web site via the browser, the browser organizes user inputs into parameters to a defined script; it then sends the script and parameters to a server to be executed.
- But all communication is done through HTML.
- The server cannot distinguish between commands generated from a user at a browser completing a web page and a user's handcrafting a set of orders.
- The server should never trust anything received from a client, because the remote user can send the server a string crafted by hand, instead of one generated by a benign procedure the server sent the client.
- If you allow someone else to run a program on your machine, you can no longer be confident that your machine is secure.
69 Threats in Active or Mobile Code
- Active Code
- To take advantage of the processor's power, the server may download code to be executed on the client. This executable code is called active code.
- The two main kinds of active code are Java code and ActiveX controls.
70 Threats in Active or Mobile Code
- Active Code
- A hostile applet is downloadable Java code that runs with the privileges of its invoking user and can cause harm on the client's system.
- Necessary conditions for secure execution of applets:
  - The system must control applets' access to sensitive system resources, such as the file system, the processor, the network, the user's display, and internal state variables.
  - The language must protect memory by preventing forged memory pointers and array (buffer) overflows.
  - The system must prevent object reuse by clearing memory contents for new objects; the system should perform garbage collection to reclaim memory that is no longer in use.
  - The system must control inter-applet communication as well as applets' effects on the environment outside the Java system through system calls.
71 Threats in Active or Mobile Code
- Active Code
- ActiveX Controls
- Microsoft's answer to Java technology is the ActiveX series.
- Using ActiveX controls, objects of arbitrary type can be downloaded to a client.
- If the client has a viewer or handler for the object's type, that viewer is invoked to present the object.
- For example, downloading a Microsoft Word .doc file would invoke Microsoft Word on a system on which it is installed.
- Files for which the client has no handler cause other code to be downloaded.
- Thus, in theory, an attacker could invent a type, called .bomb, and cause any unsuspecting user who downloaded a web page with a .bomb file also to download code that would execute .bombs.
- To prevent arbitrary downloads, Microsoft uses an authentication scheme under which downloaded code is cryptographically signed and the signature is verified before execution.
- But the authentication verifies only the source of the code, not its correctness or safety.
72 Threats in Active or Mobile Code
- Auto Exec by Type
- Data files are processed by programs.
- File type is implied by the file extension, such as .doc for a Word document, .pdf (Portable Document Format) for an Adobe Acrobat file, or .exe for an executable file.
- On many systems, when a file arrives with one of these extensions, the operating system automatically invokes the appropriate processor to handle it.
- Microsoft embeds within a file what type it really is.
- Double-clicking the file in a Windows Explorer window brings up the appropriate program to handle that file.
- The file might contain malicious macros or invoke the opening of another, more dangerous file.
- Generally, we recognize that executable files can be dangerous, text files are likely to be safe, and files with some active content, such as .doc files, fall in between.
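An added example (not from the textbook) of the check this slide suggests a defender should make: compare the type a file claims through its extension, which decides what program auto-opens it, with the type embedded in its leading bytes. The signatures are the well-known magic numbers for the three extensions the slide names (.exe, .doc, .pdf); the sample file heads are constructed, not real files.

```python
from pathlib import PurePath

# extension -> (magic prefix, description). Real formats have more variants;
# this table covers only the types the slide discusses.
SIGNATURES = {
    ".exe": (b"MZ", "Windows executable"),
    ".doc": (bytes.fromhex("D0CF11E0A1B11AE1"), "OLE compound document (legacy Word)"),
    ".pdf": (b"%PDF-", "PDF"),
}

def sniff_type(head):
    """Return the extension whose signature matches the leading bytes, or None."""
    for ext, (magic, _) in SIGNATURES.items():
        if head.startswith(magic):
            return ext
    return None

def classify(filename, head):
    """Compare the claimed type (extension) with the embedded type (magic bytes).
    Returns 'match', 'mismatch', or 'unknown' (no signature we recognize)."""
    claimed = PurePath(filename).suffix.lower()
    actual = sniff_type(head)
    if actual is None:
        return "unknown"
    return "match" if actual == claimed else "mismatch"

def triage(files):
    """files: {name: leading bytes}. Returns names whose content disagrees with the
    extension, i.e. files the OS would hand to a different handler than the name implies."""
    return sorted(name for name, head in files.items() if classify(name, head) == "mismatch")

# Constructed sample file heads (first bytes only).
SAMPLES = {
    "report.doc": bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 8,
    "manual.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",
    "setup.exe": b"MZ\x90\x00\x03\x00",
    "invoice.pdf": b"MZ\x90\x00",           # executable content behind a document extension
    "notes.txt": b"plain text, no signature",
}
```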
73 Threats in Active or Mobile Code
- Bots (robots)
- Bots are pieces of malicious code under remote control.
- These code objects are Trojan horses that are distributed to large numbers of victims' machines.
- Because they may not interfere with or harm a user's computer (other than consuming computing and network resources), they are often undetected.
- Bots coordinate with each other and with their master through ordinary network channels, such as Internet Relay Chat (IRC) channels or peer-to-peer networking (which has been used for sharing music over the Internet).
- A network of bots, called a botnet, is not subject to failure of any one bot or group of bots.
- Botnets are used for distributed denial-of-service attacks, launching attacks from many sites in parallel against a victim. They are also used for spam and other bulk email attacks.
74 Complex Attacks
- Script Kiddies
- Attacks can be scripted.
- An underground establishment has written scripts for many of the popular attacks.
- With a script, attackers need not understand the nature of the attack or even the concept of a network.
- The attackers merely download the attack script (no more difficult than downloading a newspaper story from a list of headlines) and execute it.
- The script takes care of selecting an appropriate (that is, vulnerable) victim and launching the attack.
- People who download and run attack scripts are called script kiddies.
75 Complex Attacks
- Building Blocks
- A dedicated attacker who targets one location can put together several pieces of an attack to compound the damage.
- Often, the attacks are done in series so that each part builds on the information gleaned from previous attacks.
- For example, a wiretapping attack may yield reconnaissance information with which to form an ActiveX attack that transfers a Trojan horse that monitors for sensitive data in transmission.
- Putting the attack pieces together like building blocks expands the number of targets and increases the degree of damage.
76 Summary of Network Vulnerabilities
Check the handout