Download IP spoofing - University Of Worcester

COMP3357
Cyber Security
Richard Henson
University of Worcester
March 2017
Week 6:
Risks from External Threats

Objectives:
- Explain clearly the difference between an internal threat and an external threat
- Explain different approaches to managing external threats so vulnerabilities are not exploited
- Explain why a solely technical solution to external threats is very likely to fail…

NOT about “the insider threat”(!)
- Much of this module has been about the internal organisation structure…
- Analysis of risk is not complete without looking specifically at external threats to an organisation’s infrastructure
» many ways the network’s defences could be tested… and breached… without help from the malign or dopey insider!
Can’t see everything when inside looking out!
- The network team should do all they can to ensure that their network is safe and secure against unauthorised intruders
» but the team are working on the inside
- Outsiders looking in may see something that an insider can’t…
» e.g. a security “hole”
The “good” outsider
- An increasing number of organisations actually pay people to try to hack into their network!
» professional service, provide report
» low-level prodding… vulnerability testing
  - fairly inexpensive – needed for CE+ standard
» higher-level “hacking”… penetration testing
  - expensive – needed for PCI-DSS standard
Ethical Hacking principles
- If not done by a professional, with permission… illegal!
» even if legal, may not be ethical!
- Even law-enforcement professionals only hack without permission if they believe a law is being broken!

Ethical Hacking Guidelines
- Remember… you are the good guys, so be good!!!
- ALWAYS ask permission
» otherwise definitely unethical
» and if more than just vulnerability scanning
  - may be illegal… “gaining access without permission” (Computer Misuse Act)
A Bit of Theory
- The Internet, and most networks, use a 7-layer software model called OSI (1978)
- Why 7 layers? A compromise to get all international players to agree
» top layer – application (app)
» bottom layer – physical (hardware)
» web apps have to engage with the seven layers!
TCP/IP and the Seven Layers
[Diagram: screen / app / TCP / port / IP / network / hardware stacked top to bottom, with “vulnerab…” (vulnerability) marked against the app, port, and network levels]
- TCP (Transport Control Protocol) and IP (Internet Protocol) only make up part (layers 3 & 4) of the seven layers
» upper layers interface with TCP to produce the screen display
» lower-layer packets are required to interface with hardware to create/convert electrical signals
- Each layer represents a potential security vulnerability (!)
OSI layers and Hacking
- Application layer connects to transport layer, through… the session layer
» used for logon
- Popular way to hack… bypass the session layer: program as “anonymous”.
Secure HTTP and the session layer
[Diagram: Layer 7 (application) → “Session” → Layer 4 (transport)]
- Application layer protocols communicate with the TCP layer through unique TCP logical ports via an (optional) session layer logon
- Anonymous ftp, http, etc… bypass the session layer
» no authentication

Security and the session layer
[Diagram: Layer 7 (application) → “Session” → Layer 4 (transport)]
- App user security is therefore imposed by authenticating at the “logon” layer
» a username/password check is required before data can pass the session layer and be displayed by the browser
Network Layers and Hacking
- Schematic TCP/IP stack interacting at the higher OSI levels (application, transport, network)
[Diagram: application protocols HTTP, FTP, HTTPS, NFS, DNS and SNMP mapped through ports onto TCP or UDP, both running over IP; an X marks where each protocol sits]
TCP & UDP ports
- Hackers exploit vulnerable software using transport layer ports to get inside firewalls etc.
- Essential to know the most frequently “scanned” ports (e.g. by hacking software):
» 20, 21 ftp
» 22 ssh
» 23 telnet
» 25 smtp
» 53 dns
» 60 tftp
» 80 http
» 88 Kerberos
» 110 pop3
» 135 smb
» 137-9 NetBIOS
» 161 SNMP
» 389 Ldap
» 443 https
» 636 Ldap/SSL
Typical Types of External Attacks - 1
- Obtaining valid passwords and masquerading as a legitimate user…
» Dictionary
  - compare password characters for a match against words in the dictionary
» Exhaustive
  - “brute force” attacks using all possible combinations of passwords to gain access
» Inference
  - if a default password has never been changed…
  - taking educated guesses at passwords, based on information gleaned through “social engineering” and other “footprinting” techniques
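Defensive counterparts to the three password attacks above, as an added example that is not from the lecture: a Python check that refuses dictionary words and unchanged vendor defaults (the inference case), an estimate of the search space an exhaustive attacker faces, and a failed-attempt lockout so that online guessing cannot run at network speed. The word list, the default-credential list and the thresholds are constructed assumptions.

```python
"""Controls against dictionary, brute-force and inference password attacks.

Added example (not from the lecture). The word list and default-credential
list are small constructed samples; a real service loads a large
breached-password list.
"""
import math
from collections import defaultdict
from typing import Dict, List, Optional

DICTIONARY = {"password", "letmein", "welcome", "worcester", "summer", "qwerty"}
VENDOR_DEFAULTS = {"admin", "cisco", "changeme", "default", "root"}


def stem(password: str) -> str:
    """Lower-case and strip trailing digits/punctuation so 'Summer2017!' is
    compared as 'summer': 'word + year + !' is a dictionary word to an
    attacker's rule set as well."""
    return password.lower().rstrip("0123456789!@#$%^&*.")


def rejection_reason(password: str) -> Optional[str]:
    """Why a newly chosen password must be refused, or None if acceptable."""
    base = stem(password)
    if base in VENDOR_DEFAULTS:
        return "default credential"
    if base in DICTIONARY:
        return "dictionary word"
    if len(password) < 12:           # assumption: 12-character minimum
        return "too short"
    return None


def brute_force_bits(password: str) -> float:
    """Upper bound on the exhaustive search space, log2(alphabet ** length),
    assuming the attacker knows which character classes were used."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33               # printable ASCII punctuation and space
    return len(password) * math.log2(alphabet) if alphabet else 0.0


class LoginGuard:
    """Lock an account after `threshold` failures inside `window` seconds.

    Timestamps are passed in explicitly so the behaviour is testable; a
    deployment would pass time.time().
    """

    def __init__(self, threshold: int = 5, window: float = 300.0,
                 lockout: float = 900.0) -> None:
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self._failures: Dict[str, List[float]] = defaultdict(list)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0.0)

    def record(self, user: str, password_ok: bool, now: float) -> str:
        """Apply one login outcome; returns 'locked', 'ok' or 'denied'."""
        if self.is_locked(user, now):
            return "locked"          # refuse even a correct password while locked
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        recent = [t for t in self._failures[user] if now - t <= self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.threshold:
            self._locked_until[user] = now + self.lockout
            self._failures.pop(user, None)
            return "locked"
        return "denied"


if __name__ == "__main__":
    for pw in ("Password123!", "admin", "Summer2017!", "correct horse battery staple"):
        print(f"{pw!r}: {rejection_reason(pw) or 'accepted'}, "
              f"{brute_force_bits(pw):.0f} bits to brute-force")
    guard = LoginGuard()
    print([guard.record("bob", False, float(t)) for t in range(5)])  # ends 'locked'
```

The lockout is what turns an exhaustive attack from a bandwidth problem into a calendar problem: with five tries per fifteen minutes, even a weak password survives far longer than the attacker's patience, whereas the search-space estimate only matters once a password hash has been stolen and can be attacked offline.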
Types of External Attacks - 2
- TOC/TOU (Time of check/Time of use)
» hacking tool that “watches” access to web apps via the TCP/UDP port
» depends on the fact that a user privilege change doesn’t come into effect until they log out and log in again
  - TOC is when the user logs on…
  - TOU is when that web app is actually used by the user
  - hacker exploits the contradictory message…
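The privilege-caching problem this slide describes, as an added worked example that is not part of the lecture: two Python session designs, one that copies the role into the session at logon (the time of check) and trusts it at every later request (the time of use), and one that stores only the identity and re-reads the user store at each use. USER_STORE, the role names and the 15-minute session lifetime are constructed assumptions.

```python
"""Time-of-check / time-of-use (TOC/TOU) on web-app privileges.

Added example, not from the lecture. CachedSession snapshots the role at
logon, so a demotion only bites after the next logout; RecheckingSession
looks the role up at every use, so the change is immediate.
"""
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed user directory (stand-in for LDAP/AD or a database table).
USER_STORE: Dict[str, Dict[str, str]] = {
    "alice": {"role": "admin"},
    "bob": {"role": "user"},
}


@dataclass
class CachedSession:
    """Privilege copied into the session at logon and never refreshed."""
    username: str
    role: str

    @classmethod
    def logon(cls, username: str) -> "CachedSession":
        return cls(username, USER_STORE[username]["role"])   # time of check

    def can_access_admin_panel(self) -> bool:
        return self.role == "admin"                          # time of use


@dataclass
class RecheckingSession:
    """Session holds identity only; authority is looked up at time of use."""
    username: str
    issued_at: float = field(default_factory=time.time)
    max_age: float = 900.0   # assumption: sessions expire after 15 minutes

    @classmethod
    def logon(cls, username: str) -> "RecheckingSession":
        if username not in USER_STORE:
            raise PermissionError("unknown user")
        return cls(username)

    def can_access_admin_panel(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if now - self.issued_at > self.max_age:
            return False                                # expired: force re-logon
        record = USER_STORE.get(self.username)          # fresh check at time of use
        return record is not None and record["role"] == "admin"


def set_role(username: str, role: str) -> None:
    """Administrative action against the authoritative store."""
    USER_STORE[username]["role"] = role


def demonstrate() -> Dict[str, bool]:
    """Log alice on with both designs, demote her, and test admin access."""
    set_role("alice", "admin")                      # known starting state
    cached = CachedSession.logon("alice")
    fresh = RecheckingSession.logon("alice")
    set_role("alice", "user")                       # privilege change after logon
    return {
        "cached_session_still_admin": cached.can_access_admin_panel(),
        "rechecking_session_still_admin": fresh.can_access_admin_panel(),
    }


if __name__ == "__main__":
    print(demonstrate())   # the cached design still answers True after the demotion
```

The same shape applies to any attribute copied into a session or token at logon (group membership, account enabled flag, MFA status): either re-check it at use, or keep sessions short enough that the stale window is tolerable.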
Types of External Attacks - 3
1. use of a “sniffer” (e.g. keylogger) to capture log-on data for a valid network user operating outside the organisation
» perhaps logging in to the organisational Extranet (see diagram… next slide)
2. (later…) using captured data & machine IP address (obtained through footprinting) in an attempt to impersonate the original user/client
» may even be able to escalate privileges for that user to cause even more disruption…
Intranet
- Misunderstood term
» achieved by organisations using http to share data internally in a www-compatible format
» many still call a protected file structure on its own an Intranet… (technically incorrect!)
» uses secure user authentication
» uses secure data transmission system
- Implemented as EITHER:
» single LAN (domain) with a web server (see diagram)
» several interconnected LANs (trusted domains)
  - cover a larger geographic area
Extranet
- An extension of the Intranet beyond the organisation boundary to cover selected trusted “links”
» e.g. customers and business partners
» uses the public Internet as its transmission system
» requires authentication to gain access
- Can provide secure TCP/IP access to:
» paid research
» current inventories
» internal databases
» any unpublished information
Typical Types of External Attacks – 4, 5, 6
- Three other types of attacks that firewalls should be configured to protect against:
» denial of service (DOS) attacks
» distributed denial of service (DDOS) attacks
» IP Spoofing (pretence that the data is coming from a “safe” source IP address)
Attacks through Website
- Cross-site Scripting
» clone whole website
» put cloned website on another server (proxy)
» set traffic to reroute to proxy server
- SQL Injection
» use SQL “trigger” code on an HTML form to gain access to a database… then the full range of SQL commands is available to the hacker…
“Scanning” Methodology for Ethical Hackers
- Check for live systems
- Check for open ports
» note the web page error page used, e.g. “bad html request”
» exploit this… “Banner Grabbing”
- Scan for vulnerabilities
- Draw network diagram(s)
- Prepare proxies… (next slide)
- then tell the (shocked?) client…
A LAN-Internet connection via Proxy Server
[Diagram: INTERNET/EXTERNAL NETWORK (e.g. TCP/IP) <-> Proxy Server (local IP addresses, local protocol) <-> Internal Network …]
Cyber Security careers

https://www.eventbrite.co.uk/e/careersin-cyber-security-panel-talk-tickets32320787345
How can hackers exploit TCP & UDP ports?
- This is what “back door” entry is all about…
» “front door” is via username/password
» “back door” is using anonymous access and a software vulnerability
  - result of bad programming?
  - virus manipulating functionality
  - “hole” deliberately programmed in…
Port “holes”
- Web applications use HTTP (application layer) linking to TCP or UDP (transport layer)
» vulnerabilities can cause bypass of login (session layer) completely!!!
  - “anonymous” login
» can also use vulnerabilities created by malware (e.g. “Back Door Trojan”)
What can hackers do, via exploited TCP & UDP ports?
- Range of options available:
» Denial of Service (DoS) attack
  - using the TCP port utilised by “ping”
» Distributed Denial of Service (DDoS) attack
  - ping from multiple (maybe many thousands!) “Internet-ready” devices
» IP spoofing
  - disguising data packets by changing “IP header” addresses
“Ping” Attacks
- Also called “The Ping of Death”
» exploits TCP port 161; ICMP service
» ICMP cannot just be turned off or blocked – used for important network management purposes
- Protection not that difficult:
» block ICMP echo requests and replies
» ensure there is a rule blocking "outgoing time exceeded" & "unreachable" messages
“Ping” Attacks (2)
- Can take two forms (both stopped by restricting ICMP):
» the attacker deliberately creates a very large ping packet and then transmits it to a victim
  - ICMP can’t deal with large packets
  - the receiving computer is unable to accept delivery and crashes or hangs
» an attacker will send thousands of ping requests to a victim so that its processor time is taken up answering ping requests, preventing the processor from responding to other, legitimate requests
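Detection logic for two of the activities covered above, the port probing from the ethical-hacker “Scanning” methodology (highlighting the slide’s list of frequently scanned ports) and the ping flood from these “Ping” Attacks slides, as an added example that is not part of the lecture. It runs over a constructed firewall drop log in a key=value format of my own; the regular expression, the thresholds and the addresses (taken from the documentation ranges) are assumptions to adapt to the firewall actually in use.

```python
"""Spotting port scans and ping floods in firewall drop logs.

Added example, not from the lecture. LINE_RE matches a constructed format
(one record per line, key=value fields); thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Port list as given on the lecture slide, labels as the slide names them.
COMMONLY_SCANNED = {
    20: "ftp", 21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns",
    60: "tftp", 80: "http", 88: "Kerberos", 110: "pop3", 135: "smb",
    137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS", 161: "SNMP",
    389: "Ldap", 443: "https", 636: "Ldap/SSL",
}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+)(?: dpt=(?P<dpt>\d+))?(?: type=(?P<type>\d+))?$"
)


def parse_line(line: str) -> Optional[dict]:
    """One record with ts (epoch seconds), proto, src, dpt, type; None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = (datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())
    d["dpt"] = int(d["dpt"]) if d["dpt"] else None
    d["type"] = int(d["type"]) if d["type"] else None
    return d


def detect_port_scans(events: List[dict], window: float = 60.0,
                      min_ports: int = 10) -> Dict[str, List[int]]:
    """Sources hitting >= min_ports distinct TCP/UDP ports within `window` seconds."""
    by_src: Dict[str, List[tuple]] = defaultdict(list)
    for e in events:
        if e["proto"] in ("TCP", "UDP") and e["dpt"] is not None:
            by_src[e["src"]].append((e["ts"], e["dpt"]))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):      # window anchored on each hit
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                findings[src] = sorted(ports)
                break
    return findings


def detect_icmp_floods(events: List[dict], window: float = 1.0,
                       max_echo: int = 20) -> Dict[str, int]:
    """Sources whose peak echo-request (type 8) count per `window` exceeds max_echo."""
    by_src: Dict[str, List[float]] = defaultdict(list)
    for e in events:
        if e["proto"] == "ICMP" and e["type"] == 8:
            by_src[e["src"]].append(e["ts"])
    findings = {}
    for src, times in by_src.items():
        times.sort()
        peak, j = 0, 0
        for i, t in enumerate(times):              # two-pointer sliding window
            while times[j] < t - window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak > max_echo:
            findings[src] = peak
    return findings


def analyse(lines: List[str]) -> dict:
    events = [e for e in map(parse_line, lines) if e is not None]
    scans = detect_port_scans(events)
    return {
        "parsed": len(events),
        "scanners": scans,
        "scanner_known_ports": {s: {p: COMMONLY_SCANNED[p] for p in ports
                                    if p in COMMONLY_SCANNED}
                                for s, ports in scans.items()},
        "ping_floods": detect_icmp_floods(events),
    }


def sample_log() -> List[str]:
    """Constructed log: one scanner, one ping flood, one ordinary client, one bad line."""
    lines = [f"2017-03-13T10:00:{i:02d}Z DROP proto=TCP src=203.0.113.7 dst=192.0.2.10 dpt={p}"
             for i, p in enumerate([20, 21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 8080])]
    lines += ["2017-03-13T10:01:00Z DROP proto=ICMP src=203.0.113.9 dst=192.0.2.10 type=8"] * 30
    lines += ["2017-03-13T10:02:00Z DROP proto=TCP src=198.51.100.4 dst=192.0.2.10 dpt=443",
              "2017-03-13T10:02:01Z DROP proto=ICMP src=198.51.100.4 dst=192.0.2.10 type=8",
              "this line is not in the expected format"]
    return lines


if __name__ == "__main__":
    print(analyse(sample_log()))
```

The scan detector keys on distinct ports rather than packet count, so a busy legitimate client that retries port 443 many times is not flagged, while the flood detector keys on rate, because a single echo request per second from a monitoring host is normal and thousands per second are not.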
Denial of Service (DoS) Attacks
- Attempt to harm a network server by flooding it with traffic so it is overwhelmed and unable to provide services
- Uses Ping: sends a brief request to a remote computer asking it to echo back its IP address, again, and again, and again…
Distributed Denial of Service (DDoS) Attacks
- Related to DoS:
» A DDOS attack has occurred when the attacker:
  - gains access to a wide number of computers/devices
  - uses them to launch a coordinated attack against the IP address of a “victim” computer
» historically, relied on home computers
  - less frequently protected
  - can also use worms and viruses already there…
» with more and more “flawed” electronic devices now “Internet ready” (IP addresses and TCP/IP)
  - often imperfectly written applications, can be exploited…
IP Spoofing
- Hackers can gain access to a PC within a protected network (Intranet – see next slide)
» use footprinting to obtain its IP address
» write this into packet headers
» dodgy packets of data will be routed to that PC!
» can then reassemble as malware, then devastate that PC…
  - or the whole network!

Intranet
- Often implemented as a single LAN (domain) with a web server (see above)
» Internal IP addresses should be protected by networking software, but IP spoofing is a threat…
Protection against DDOS & IP Spoofing
- Block traffic coming into the network that contains IP addresses from the internal network…
- In addition, block the following private IP, illegal and unroutable addresses:
» Illegal/unroutable: 255.255.255.255, 27.0.0.0, 240.0.0.0, & 0.0.0.0
» “Private” addresses useful for NAT, or Proxy Servers (RFC 1918):
  - 10.0.0.0-10.255.255.255
  - 172.16.0.0-172.31.255.255
  - 192.168.0.0-192.168.255.255
- Finally, keep anti-virus software up-to-date, & firewall software patched and up-to-date
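The ingress rule on this slide applied to real packet bytes, as an added example that is not from the lecture: a small Python IPv4 header parser extracts the source address that a spoofer rewrites and validates the header checksum, and an ingress policy drops packets arriving from outside whose source claims to be the internal network, an RFC 1918 private range, or an unroutable address. Assumptions: the internal network is 192.0.2.0/24 (a documentation range standing in for the real one); the slide’s 27.0.0.0 entry is not reproduced, and the loopback range 127.0.0.0/8 is included alongside 0.0.0.0/8, 240.0.0.0/4 and 255.255.255.255; the sample packets are constructed with build_ipv4().

```python
"""Ingress filtering against IP spoofing, applied to raw IPv4 headers.

Added example, not from the lecture. The internal network, the extra
loopback range and the sample packets are assumptions/constructed.
"""
import ipaddress
import struct
from typing import List, Tuple

INTERNAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]       # assumption
PRIVATE_RFC1918 = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4", "255.255.255.255/32")]
IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte header, network byte order


def header_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum; 0 when the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int = 6, payload: bytes = b"") -> bytes:
    """Assemble a minimal IPv4 packet (used here only to construct samples)."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4_header(packet: bytes) -> Tuple[int, str, str, int]:
    """Return (header_length, src, dst, protocol); ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    ver_ihl, _tos, _length, _ident, _flags, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    if header_checksum(packet[:ihl]) != 0:
        raise ValueError("bad checksum")
    return ihl, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto


def ingress_verdict(src: str) -> Tuple[str, str]:
    """Policy for a packet arriving on the external interface."""
    addr = ipaddress.ip_address(src)
    if any(addr in n for n in INTERNAL_NETWORKS):
        return "drop", "spoofed internal source"
    if any(addr in n for n in PRIVATE_RFC1918):
        return "drop", "RFC 1918 private source"
    if any(addr in n for n in UNROUTABLE):
        return "drop", "unroutable source"
    return "accept", ""


def filter_packet(packet: bytes) -> Tuple[str, str]:
    try:
        _, src, _, _ = parse_ipv4_header(packet)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    return ingress_verdict(src)


def run_samples() -> List[Tuple[str, str, str]]:
    """Constructed inbound packets and the verdict each receives."""
    samples = {
        "203.0.113.5": build_ipv4("203.0.113.5", "192.0.2.10"),   # genuine outside client
        "192.0.2.77": build_ipv4("192.0.2.77", "192.0.2.10"),     # claims to be inside
        "10.1.2.3": build_ipv4("10.1.2.3", "192.0.2.10"),
        "0.0.0.0": build_ipv4("0.0.0.0", "192.0.2.10"),
    }
    corrupted = bytearray(samples["203.0.113.5"])
    corrupted[12] ^= 0xFF                    # source byte altered, checksum now wrong
    samples["corrupted"] = bytes(corrupted)
    return [(name, *filter_packet(pkt)) for name, pkt in samples.items()]


if __name__ == "__main__":
    for name, action, reason in run_samples():
        print(f"{name:>12}: {action} {reason}")
```

The order of the three checks matters only for the reason reported; all three drop. What this filter cannot do is tell a genuine outside address from a forged one, which is why the slide pairs it with egress filtering by upstream networks and with keeping the firewall itself patched.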
Conclusion
- External threats are unlikely to disappear, even with good organisational policy, followed avidly by all users
- Technical expertise and the right tools/equipment are vital to make sure the network is, and remains, safe for all authorised users