NETWORK ATTACKS Dr. Andy Wu BCIS 4630 Fundamentals of IT Security

Posted 05-Jan-2016

Page 1

NETWORK ATTACKS
Dr. Andy Wu
BCIS 4630 Fundamentals of IT Security

Page 2

Overview

• Denial of service attacks
  – DoS and DDoS
  – Flood attacks
  – SYN flood
• Man-in-the-middle attack
  – ARP poisoning
  – IP spoofing

Page 3

Denial of Service Attacks

• Denial-of-service (DoS): the attacker sends a large number of connection or information requests to a target.
  – The target system cannot handle other, legitimate service requests.
  – May result in a system crash or an inability to perform ordinary functions.
• Distributed denial-of-service (DDoS): a coordinated stream of requests is launched against the target from many locations simultaneously.

Page 4

Types of DoS

• Voluntary DoS
  – Occurs when the administrator has allowed the system to perform a variety of services without considering the system's limitations (the system is overcommitted by its own configuration, not by an attacker).
• Involuntary DoS
  – Takes place regardless of the administrator's preparation and readiness.
  – Usually is malicious.

Page 5

Flood Attacks

• The basic approach to creating a DoS attack is to consume the limited resources of a computer or a network by transmitting a large number of packets as quickly as possible.
• A flood attack can exhaust any of the following:
  – Connection-request handling (e.g., the connection queue)
  – Network bandwidth
  – The target's local resources (CPU, memory)

Page 6

SYN Flood

• Goal: to overwhelm the target with SYN packets.
• Works by taking advantage of the TCP three-way handshake.
  – The attacker initiates a connection with a SYN packet.
  – The target replies with a SYN/ACK packet.
  – The attacker never replies with the ACK packet, leaving the connection half-open.

Page 7

SYN Flood

• The number of connections a system can support is finite.
  – Typically 128 to 1024 "slots" in the connection queue.
• Once the target sends the SYN/ACK response, it waits for the third step of the handshake to happen.
  – The timeout value often is > 1 min. by default.
• If the attacker sends requests faster than the timeout can eliminate them, the queue fills with requests.
  – A SYN flood creates numerous half-open connections that take up "slots" in the queue.
• Once the queue is full, further requests are dropped and legitimate users who want to connect to the target system will not be able to do so.

Page 8

SYN Flood

• Many SYN flood tools send SYN packets using a spoofed (fake) source address.
  – To hide the identity of the attacker.
  – If the address is used by a real host, the host whose address was spoofed will receive the SYN/ACK packet from the target. Since that host never initiated a connection, it sends a RST packet to the target to refuse the connection. The "half-open" connection is shut down immediately, before timing out.
  – If the address is not assigned to a real host, the "half-open" connection will not be shut down until the timeout is reached.
  – Thus attackers prefer bogus (unassigned or unreachable) addresses.
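The three SYN-flood slides above make a quantitative claim: the queue fills exactly when SYNs arrive faster than the timeout clears them, and spoofed addresses owned by live hosts do not help the attacker because the RST frees the slot. The following simulation is an added example, not code from the slides or from any SYN-flood tool. The slot count (256), timeout (75 s), one legitimate client per second and the 198.51.100.0/24 source addresses are assumptions chosen to sit inside the ranges the slides give; a real TCP stack also retransmits the SYN/ACK and may use SYN cookies, which the model leaves out.

```python
import random
from dataclasses import dataclass


@dataclass
class HalfOpen:
    src_ip: str
    opened_at: int       # second in which the SYN arrived
    src_is_live: bool    # a real host owns the (spoofed) source address


class ListenQueue:
    """Half-open connection queue of one listening TCP port (added model, not
    code from the slides). Slot count and timeout are assumptions within the
    range the slides give."""

    def __init__(self, slots=256, timeout=75):
        self.slots = slots
        self.timeout = timeout
        self.pending = []
        self.accepted_legit = 0
        self.refused_legit = 0

    def expire(self, now):
        # A live host that receives a SYN/ACK it never asked for answers with
        # RST, so its entry is freed by the next second. An entry for a bogus
        # address stays until the timeout expires.
        self.pending = [h for h in self.pending
                        if not (h.src_is_live and h.opened_at < now)
                        and now - h.opened_at < self.timeout]

    def attacker_syn(self, now, src_ip, src_is_live):
        if len(self.pending) >= self.slots:
            return False                     # queue full: SYN silently dropped
        self.pending.append(HalfOpen(src_ip, now, src_is_live))
        return True

    def legit_syn(self, now):
        # A real client answers the SYN/ACK at once, so it only needs a free
        # slot at the moment its SYN arrives; the slot is released immediately.
        if len(self.pending) >= self.slots:
            self.refused_legit += 1
            return False
        self.accepted_legit += 1
        return True


def queue_fills(slots, timeout, syn_rate):
    """The slide's condition: SYNs arrive at least as fast as the timeout clears them."""
    return syn_rate * timeout >= slots


def simulate(seconds, syn_rate, live_fraction, slots=256, timeout=75, seed=1):
    """Flood at syn_rate SYN/s; live_fraction of the spoofed sources belong to
    real hosts. One legitimate client tries to connect every second.
    Returns (accepted, refused) counts for the legitimate client."""
    rng = random.Random(seed)
    q = ListenQueue(slots, timeout)
    for now in range(seconds):
        q.expire(now)
        for _ in range(syn_rate):
            live = rng.random() < live_fraction
            q.attacker_syn(now, f"198.51.100.{rng.randrange(256)}", live)  # constructed spoofed sources
        q.legit_syn(now)
    return q.accepted_legit, q.refused_legit


if __name__ == "__main__":
    for rate, live in ((2, 0.0), (10, 0.0), (10, 1.0)):
        print(f"{rate:>3} SYN/s, live sources {live:.0%}: fills={queue_fills(256, 75, rate)}, "
              f"legit accepted/refused = {simulate(300, rate, live)}")
```

With bogus sources, 2 SYN/s never fills a 256-slot queue with a 75 s timeout (150 entries in flight), while 10 SYN/s locks out every legitimate client from the 26th second on. With the same 10 SYN/s but sources that are all live hosts, every entry is cleared by a RST within a second and no legitimate client is refused. On a Linux target the half-open count can be read with `ss -n state syn-recv`, and the backlog and SYN-cookie behaviour are controlled by the `net.ipv4.tcp_max_syn_backlog` and `net.ipv4.tcp_syncookies` sysctls.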

Page 9

Distributed Denial of Service

• A DoS attack implemented by staging the attack against a target from multiple systems simultaneously.
• Takes advantage of the distributed nature of the Internet to create a massive flood of packets against the victim.
• The attacker first breaks into and gains control of a large number of machines ("zombies", "bots", or "agents").
• The attacker installs zombie software (a "daemon") on the zombies.
  – Popular programs include Tribe Flood Network (TFN), Trin00, and Stacheldraht.
• Daemons on the zombies wait for commands from a master.

Page 10

Botnets

• A bot is a program that surreptitiously installs itself on a computer so the computer can be controlled by an attacker.
• A botnet is a network of robot, or zombie, computers.
  – Their collective power can be harnessed to do damage
  – Or to send out huge amounts of junk e-mail

Page 11

DDoS: Raising the Dead

• The attacker communicates with a small number of "masters" via control software (the "client") installed on those masters.
• The attacker uses the masters to summon the zombies to life and orders all the zombies to wage an attack simultaneously.
  – The commands are often issued into a shared IRC (Internet Relay Chat) channel used by all of the attacker's zombies.
• When the zombies receive their masters' command, they spring into action and conduct a DoS attack against the target.
• The two layers of communication (attacker-master, master-zombie) make it difficult to hunt down the attacker.

Page 12

Distributed Denial of Service

Page 13

Smurf

• The attacker sends an ICMP echo request packet to the broadcast address of a network, e.g., 132.170.255.255.
  – A directed broadcast can be initiated from within or outside the network.
  – When a packet coming from outside a local network is addressed to the network's broadcast address, the packet is delivered to every machine on the network (provided the border router forwards directed broadcasts).
• The source address of the packet is spoofed and belongs to the target.
• All hosts on the network reply with an echo reply packet sent to the target's address, inundating the target.

Page 14

Fraggle

• Similar to a Smurf attack, but uses UDP instead of ICMP.
• Sends packets to a broadcast address with the destination UDP port set to:
  – A service that will generate a response, e.g., the echo service (port 7). When the hosts on the network receive the packet, they send back a response containing exactly the same data they received.
  – A closed port. Many systems respond with an ICMP Port Unreachable message.
• In both cases, the target (whose address was spoofed as the source) receives packets from all the hosts on the network.
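Both Smurf and Fraggle have the same two observable signatures: at the amplifying network's border, a packet from outside addressed to the directed-broadcast address; at the victim, a burst of echo replies (or port-unreachable messages) from many hosts of one network that the victim never contacted. The detector below is an added example, not code from the slides. It assumes the slide's 132.170.255.255 is the broadcast address of a /16, takes the victim address 203.0.113.5 from the documentation range, and runs over a constructed packet list rather than a real capture.

```python
import ipaddress
from collections import Counter

# Constructed sample traffic, not a real capture: (src, dst, proto, field)
#   proto "icmp": field is the ICMP type (8 = echo request, 0 = echo reply)
#   proto "udp":  field is the destination port
LOCAL_NET = ipaddress.ip_network("132.170.0.0/16")   # slide's example; the /16 mask is assumed
ECHO_PORT = 7
VICTIM = "203.0.113.5"                                 # assumed address of the spoofed target


def classify_inbound(pkt, net=LOCAL_NET):
    """Border-router view: a packet from outside addressed to our directed-broadcast
    address is an amplification attempt; return which kind, or None."""
    src, dst, proto, field = pkt
    if ipaddress.ip_address(src) in net:
        return None                     # local sender: not a directed broadcast from outside
    if ipaddress.ip_address(dst) != net.broadcast_address:
        return None
    if proto == "icmp" and field == 8:
        return "smurf"                  # every host answers with an echo reply to the spoofed source
    if proto == "udp" and field == ECHO_PORT:
        return "fraggle"                # the echo service returns the payload to the spoofed source
    if proto == "udp":
        return "fraggle-closed-port"    # closed ports answer with ICMP Port Unreachable
    return None


def unsolicited_reply_sources(pkts, victim=VICTIM, threshold=10):
    """Victim-side view: echo replies from hosts the victim never pinged, grouped by /24.
    Returns {network: count} for networks at or above the threshold."""
    pinged = {dst for src, dst, proto, field in pkts
              if src == victim and proto == "icmp" and field == 8}
    counts = Counter()
    for src, dst, proto, field in pkts:
        if dst == victim and proto == "icmp" and field == 0 and src not in pinged:
            counts[str(ipaddress.ip_network(f"{src}/24", strict=False))] += 1
    return {net: n for net, n in counts.items() if n >= threshold}


# Constructed traffic: one genuine ping exchange, then a Smurf request forged with
# the victim's address and the 30 echo replies it triggers.
SAMPLE = (
    [(VICTIM, "198.51.100.9", "icmp", 8), ("198.51.100.9", VICTIM, "icmp", 0)]
    + [(VICTIM, "132.170.255.255", "icmp", 8)]
    + [(f"132.170.1.{h}", VICTIM, "icmp", 0) for h in range(1, 31)]
)

if __name__ == "__main__":
    for pkt in SAMPLE[:3]:
        print(pkt, "->", classify_inbound(pkt))
    print("unsolicited reply sources:", unsolicited_reply_sources(SAMPLE))
```

The victim cannot tell from the replies alone that it "sent" the broadcast request (the replies come from individual hosts, not from the broadcast address), which is why the check keys on replies to requests the victim never made. The standard fix sits at the amplifier, not the victim: routers must not forward directed broadcasts (`no ip directed-broadcast` on Cisco IOS, the default since 12.0), and hosts should ignore echo requests to broadcast addresses (`net.ipv4.icmp_echo_ignore_broadcasts=1` on Linux, also the default).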

Page 15

Man-in-the-Middle Attacks

• Man-in-the-middle: the attacker intercepts network packets between two hosts, may modify them, and inserts them back into the network.
• It is technically possible for the attacker to control what data are sent between the two hosts.
• Can be achieved by ARP poisoning.
  – The attacker sets up two NICs and sends packets to each host, falsely notifying the host of the other host's MAC address, which in fact belongs to one of the attacker's NICs. (A single NIC suffices as long as the attacker forwards the intercepted traffic on to the real destination; without forwarding, the two hosts simply lose connectivity.)

Page 16

ARP Poisoning

• Computers resolve IP addresses to MAC addresses using ARP.
  – The IP-MAC mappings are stored in the ARP cache for a limited amount of time. After it times out, the record is deleted from the cache, and resolution has to be done again if a packet needs to go to that IP.
  – Computers accept unsolicited updates of the mappings, with no authentication (just as websites and the postal service accept your unsolicited change of address).

Page 17

ARP Poisoning

• An attacker can "poison" a computer's ARP cache by sending it a bogus record mapping a target's IP address to the attacker's MAC address.
• Packets going from the "duped" computer to the target will then be sent to the attacker.
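The two ARP slides describe a cache with a lifetime and no authentication, and the poisoning that follows from it. The model below is an added example, not code from the slides or from any real ARP implementation: the 60 s lifetime, the 10.0.0.1 gateway and the MAC addresses are assumptions, and the `accept_unsolicited` switch is there only to contrast the described behaviour with a cache that ignores replies it did not ask for. The watcher alongside it shows the detection a practitioner would deploy: remember the MAC each IP has claimed and alert when it changes.

```python
from dataclasses import dataclass


@dataclass
class ArpEntry:
    mac: str
    learned_at: float


class ArpCache:
    """Host-side ARP cache (added model, not code from the slides).

    Assumed behaviour: an entry lives `ttl` seconds, then is removed and must be
    re-resolved; and, as the slide says, any reply overwrites the mapping whether
    or not the host asked for it, unless accept_unsolicited=False."""

    def __init__(self, ttl=60.0, accept_unsolicited=True):
        self.ttl = ttl
        self.accept_unsolicited = accept_unsolicited
        self.entries = {}          # ip -> ArpEntry
        self.outstanding = set()   # ips this host has sent an ARP request for

    def request(self, ip):
        self.outstanding.add(ip)

    def on_reply(self, ip, mac, now):
        """Process an ARP reply; return True if it changed the cache."""
        if not self.accept_unsolicited and ip not in self.outstanding:
            return False
        self.outstanding.discard(ip)
        self.entries[ip] = ArpEntry(mac, now)
        return True

    def lookup(self, ip, now):
        """MAC the host would put on a frame for ip, or None if it must resolve again."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if now - entry.learned_at >= self.ttl:
            del self.entries[ip]   # aged out
            return None
        return entry.mac


class ArpWatcher:
    """Passive segment monitor in the style of arpwatch: remembers the MAC last
    seen for each IP and records an alert whenever a reply claims a different one."""

    def __init__(self):
        self.seen = {}
        self.alerts = []           # (time, ip, old_mac, new_mac)

    def observe(self, ip, mac, now):
        old = self.seen.setdefault(ip, mac)
        if old != mac:
            self.alerts.append((now, ip, old, mac))
            self.seen[ip] = mac
        return old != mac


GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "aa:bb:cc:00:00:01"   # assumed
ATTACKER_MAC = "de:ad:be:ef:00:01"                            # assumed


def poisoning_scenario(accept_unsolicited=True):
    """Victim resolves the gateway legitimately, then receives a forged reply."""
    cache = ArpCache(ttl=60.0, accept_unsolicited=accept_unsolicited)
    watcher = ArpWatcher()

    cache.request(GATEWAY_IP)                          # t=0: "who has 10.0.0.1?"
    cache.on_reply(GATEWAY_IP, GATEWAY_MAC, now=0.0)   # the real gateway answers
    watcher.observe(GATEWAY_IP, GATEWAY_MAC, now=0.0)
    before = cache.lookup(GATEWAY_IP, now=1.0)

    cache.on_reply(GATEWAY_IP, ATTACKER_MAC, now=5.0)  # t=5: bogus reply nobody asked for
    watcher.observe(GATEWAY_IP, ATTACKER_MAC, now=5.0)
    after = cache.lookup(GATEWAY_IP, now=6.0)

    return {"before": before, "after": after,
            "expired": cache.lookup(GATEWAY_IP, now=70.0),   # past the 60 s lifetime
            "alerts": len(watcher.alerts)}


if __name__ == "__main__":
    print("accepts unsolicited:", poisoning_scenario(True))
    print("solicited only:     ", poisoning_scenario(False))
```

With the slide's behaviour, every frame the victim sends to 10.0.0.1 after t=5 carries the attacker's MAC; with unsolicited replies ignored, the forged reply changes nothing, though the watcher still sees it on the wire and alerts either way. On a Linux host the current table is `ip neigh show` (or `arp -a`), and a critical mapping such as the gateway can be pinned with `ip neigh replace 10.0.0.1 lladdr aa:bb:cc:00:00:01 dev eth0 nud permanent`; on managed switches, Dynamic ARP Inspection drops replies that contradict the DHCP snooping binding table.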

Page 18

IP Address Spoofing

• TCP/IP doesn't have a mechanism to prevent the insertion of a fake source IP address.
• An attacker can make packets look like they are from a different host than the real originator.
  – Helpful for attackers who don't want their actions traced back.
• Often used to "impersonate" another (authenticated) host to get around authentication based on the source address.
  – A DoS attack usually is waged against the real McCoy (the host being impersonated) so that the other party to the communication (the attack target) won't be alerted: a silenced host cannot answer the target's unexpected replies with a RST.

Page 19

IP Address Spoofing

• If the attacker's purpose simply is to obfuscate investigation by faking her identity, such as in the cases of spamming or a DoS attack, spoofing is relatively easy.
• The goal is to change the "source IP address" field in the header (blind spoofing). This can be done by:
  – Changing the NIC properties (Windows) or using the ifconfig command (*nix) to assign the host a different address.
  – Packet-crafting tools like Hping2, Nemesis, and NetDude.
• Works fine when the attacker doesn't expect a response from the target.
• Won't work if the attacker desires an interactive session with the target, because the responses (including the SYN/ACK needed to complete a TCP handshake) are routed to the spoofed address, not to the attacker.
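The last two slides state why blind spoofing is enough for one-way traffic but not for a TCP session, and why the impersonated host is usually knocked out first. The handshake model below is an added example, not code from the slides or from any of the tools they name. It assumes a server that picks a random 32-bit initial sequence number (ISN) per SYN, and the 192.0.2.0/24 and 10.0.0.0/16 addresses in the example are constructed; the constant ISN used in the test is injected only to make the outcome checkable.

```python
import random

MASK32 = 0xFFFFFFFF


class TcpServer:
    """Listener side of the three-way handshake (added model, not code from the slides).

    The server picks an ISN per SYN and completes the handshake only if the final
    ACK acknowledges ISN + 1. `isn_source` is assumed to be a random 32-bit
    generator; the example injects a constant where a fixed outcome is needed."""

    def __init__(self, isn_source=None):
        self.isn_source = isn_source or (lambda: random.getrandbits(32))
        self.half_open = {}      # claimed source ip -> server ISN

    def on_syn(self, src_ip, client_isn):
        isn = self.isn_source() & MASK32
        self.half_open[src_ip] = isn
        # The SYN/ACK is routed to src_ip; a spoofing attacker never sees it.
        return {"to": src_ip, "seq": isn, "ack": (client_isn + 1) & MASK32}

    def on_rst(self, src_ip):
        # A live host that never sent the SYN answers the stray SYN/ACK with RST.
        self.half_open.pop(src_ip, None)

    def on_ack(self, src_ip, ack_num):
        isn = self.half_open.get(src_ip)
        if isn is None or ack_num != (isn + 1) & MASK32:
            return False
        del self.half_open[src_ip]
        return True


def legit_handshake(server, client_ip):
    """A real client sees the SYN/ACK and acknowledges the server's ISN."""
    synack = server.on_syn(client_ip, client_isn=0x2000)
    return server.on_ack(client_ip, synack["seq"] + 1)


def spoofed_handshake(server, spoofed_ip, attacker_ack_guess, spoofed_host_silenced):
    """Attacker sends a SYN from spoofed_ip, never sees the SYN/ACK, and must send
    the third-step ACK blind. Returns True only if the server accepts the session."""
    synack = server.on_syn(spoofed_ip, client_isn=0x1000)
    assert synack["to"] == spoofed_ip          # delivered to the impersonated host
    if not spoofed_host_silenced:
        server.on_rst(spoofed_ip)               # the real McCoy refuses the connection
    return server.on_ack(spoofed_ip, attacker_ack_guess)


def blind_guess_success_rate(trials=10_000, seed=1):
    """Monte Carlo: random ACK guesses against random ISNs with the spoofed host
    silenced. The per-trial chance is 2**-32, so the rate is effectively zero."""
    rng = random.Random(seed)
    server = TcpServer(isn_source=lambda: rng.getrandbits(32))
    hits = 0
    for i in range(trials):
        hits += spoofed_handshake(server, f"10.0.{i // 256}.{i % 256}",
                                  rng.getrandbits(32), True)
    return hits / trials


if __name__ == "__main__":
    srv = TcpServer()
    print("legitimate client:", legit_handshake(srv, "192.0.2.10"))
    print("blind spoof, host silenced:", spoofed_handshake(srv, "192.0.2.20", 0, True))
    print(f"blind guess success rate over 10k trials: {blind_guess_success_rate():.6f}")
```

Two things fail independently for the spoofer: without the SYN/ACK it must guess the 32-bit ISN, and even a correct guess is undone if the impersonated host is up, because that host's RST discards the half-open entry before the forged ACK arrives. That second failure is what the DoS against the real McCoy removes, which is why the two attacks are combined. Ingress filtering at the network edge (BCP 38, dropping packets whose source address could not legitimately originate there) is the infrastructure-side control that stops the forged SYN from ever reaching the target.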