CSCE 465 Lecture 16


Tuesday, March 19, 2013


Vulnerability Analysis

Given a particular hardware/software version, is it secure?

Example TCP/IP Vulnerabilities

  • IP spoofing ✔
  • TCP attacks
    • SYN flooding attack
    • TCP RST attack
    • TCP Session Hijacking
  • ARP cache poisoning
  • ICMP attacks ✔
threat
  potential violation of security
vulnerability
  failure of security policies, procedures, and controls that allows a subject (attacker) to commit an attack
attack
  action that violates security; active (modifies traffic or state) vs. passive (only observes)

Steps of Analysis

  1. Define/classify network or system resources
  2. Assign levels of importance to each resource
  3. Identify threats in each resource
  4. Develop strategy to deal with most serious potential problems first
  5. Define and implement ways to minimize consequences if an attack occurs.

TCP/IP Review

Recall Stack and Example Protocols:

  • Application Layer (e.g. DNS) Data
  • Transport Layer (e.g. TCP/UDP) TCP/UDP Header | Data
  • Network Layer (e.g. IP/ICMP) IP/ICMP Header | TCP/UDP Header | Data
  • Data Link Layer (e.g. ARP) Frame Header | IP/ICMP Header | TCP/UDP Header | Data
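As an added illustration (not from the lecture), the encapsulation above written out: a pure-Python builder and parser for an IPv4 header carrying a TCP segment, with the RFC 1071 checksums that tie the two layers together. The addresses, ports and sequence number are constructed sample values.

```python
import socket
import struct

# TCP flag bits (low 9 bits of the data-offset/flags word)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, odd trailing byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535, payload=b""):
    """TCP header (20 bytes, no options) followed by payload.  The checksum covers a
    pseudo-header of src/dst address, protocol and TCP length, so the transport layer
    is bound to the addresses in the IP header below it."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_ipv4(src_ip, dst_ip, segment, ttl=64, ident=0):
    """IPv4 header (20 bytes, no options) in front of a transport segment.  Nothing here
    authenticates src_ip: any value can be written into it, which is all IP spoofing is."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), ident, 0, ttl,
                      socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + segment


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Peel the layers back off: IPv4 header -> TCP header -> application data,
    verifying both checksums (a header that includes its own checksum sums to zero)."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = packet[:ihl]
    if checksum(ip_hdr) != 0:
        raise ValueError("bad IPv4 checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != socket.IPPROTO_TCP:
        raise ValueError("not TCP")
    segment = packet[ihl:total_len]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(segment))
    if checksum(pseudo + segment) != 0:
        raise ValueError("bad TCP checksum")
    sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window, "data": segment[data_off:]}


def example_packet() -> bytes:
    """Constructed sample: a SYN to port 80 whose source address is not ours (spoofed)."""
    seg = build_tcp("203.0.113.7", "192.0.2.80", 40000, 80, seq=1000, ack=0, flags=SYN)
    return build_ipv4("203.0.113.7", "192.0.2.80", seg)


if __name__ == "__main__":
    print(parse_ipv4_tcp(example_packet()))
```

Because the TCP checksum covers the IP addresses through the pseudo-header, rewriting the source address in the IP header alone yields a segment the receiver discards; a spoofer rebuilds both checksums. Neither checksum says anything about whether src_ip is where the packet really came from.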

Port Scanning

  • Ports identify which process on a host a packet is for: a process binds a socket to a port, and arriving IP packets are demultiplexed to that socket by port number.
  • Ports range from 0 to 65535.
  • Ports 0–1023 are reserved for well-known services (on Unix-like systems, listening on them requires root).
  • UDP vs. TCP ports: separate namespaces, but a service is usually assigned the same port number for both TCP and UDP.
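An added example (not part of the lecture notes) of the simplest scan, a TCP connect() scan, run against a listener the script itself starts on loopback so it works offline. The open/closed/filtered classification reflects how the kernel reports the target's reply to our SYN.

```python
import socket


def start_listener(host="127.0.0.1", port=0):
    """Constructed target for the scan: a TCP listener on loopback.  Port 0 asks the
    kernel for a free ephemeral port, so the example never collides with a real service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def free_port(host="127.0.0.1"):
    """Reserve an ephemeral port and release it again: a port we know is closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=0.5):
    """TCP connect() probe.  It completes the whole three-way handshake, so it needs no
    privileges (unlike SYN/FIN probes built from raw packets) but the target logs a real
    connection.  The kernel's answer tells us the port state:
      SYN-ACK  -> connect() succeeds        -> open
      RST      -> ConnectionRefusedError    -> closed (nothing bound there)
      silence  -> timeout                   -> filtered (something dropped our SYN)"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "error"       # e.g. host unreachable


def scan(host, ports, timeout=0.5):
    """Map each port to its state."""
    return {p: probe(host, p, timeout) for p in ports}


def service_name(port, proto="tcp"):
    """Well-known-port lookup from the local services table (None if the table lacks it).
    Asking for "tcp" and "udp" usually returns the same name, e.g. 53 -> domain for both."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return None


if __name__ == "__main__":
    target = start_listener()
    open_port = target.getsockname()[1]
    print(scan("127.0.0.1", [open_port, free_port()]))
    print(service_name(53, "tcp"), service_name(53, "udp"))
    target.close()
```

Against a real target the "filtered" case is the common one on the Internet: a firewall that silently drops the SYN is indistinguishable, from a connect() scan alone, from a host that is simply slow, which is why scanners vary timeouts and retry.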

OS Fingerprinting

Detecting remote host's OS using information leaked by TCP stack implementation:

  • analyze response to carefully crafted packets (active)
  • observing captured network traffic (passive)

Using nmap

  • FIN probe: send a FIN packet (or any packet without the ACK or SYN flag) to an open port and wait. An RFC 793-compliant stack silently ignores it, but several stacks (Windows among them) answer with RST, so whether a reply comes back at all distinguishes implementations.

IP Spoofing

  • Most routers forward on the destination address only; the source address is never checked.
  • Attack packets with a spoofed source IP address hide the attacking source (and send any replies to the spoofed host instead).
  • IPv4 has no source authentication. Partial countermeasures:
    • Router/firewall ingress filtering that drops packets whose source address could not legitimately arrive on that interface (ISPs should always do this; see BCP 38)
    • The TCP handshake: a blind spoofer never sees the server's SYN-ACK, so it must guess the server's sequence number to complete a connection

SYN Flooding Attack

TCP 3-way handshake:

  1. Client → server: SYN, seq = x ("I'm connecting")
  2. Server → client: SYN-ACK, seq = y, ack = x+1 ("OK, acknowledge this...")
  3. Client → server: ACK, ack = y+1 ("OK, acknowledged.")

After step 2 the server holds a half-open connection (SYN_RECEIVED) in a table of limited size until step 3 arrives or a timeout expires.

The attack involves sending many SYNs, usually from spoofed source addresses so the SYN-ACKs go nowhere, and never sending the last handshake step. The half-open table fills and legitimate SYNs are dropped. The usual defense is SYN cookies, which let the server keep no state until the final ACK arrives.
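Added example, not from the lecture: a simulation of the server's half-open table showing why a flood of SYNs without the third step locks out legitimate clients, next to a simplified SYN-cookie listener that keeps no per-SYN state. Table size, timeout, addresses and the secret are constructed values, and the cookie scheme is a teaching simplification of the real one (it omits the MSS encoding and counter layout of kernel implementations).

```python
import hashlib
import hmac
import random
import struct

BACKLOG = 128          # constructed: capacity of the half-open (SYN_RECEIVED) table
SYN_TIMEOUT = 60.0     # constructed: seconds before a half-open entry is reaped


class StatefulListener:
    """Textbook server: every SYN costs a table slot until the final ACK or the timeout."""

    def __init__(self):
        self.half_open = {}        # (client_ip, client_port) -> (our ISN, expiry time)
        self.refused = 0

    def on_syn(self, client_ip, client_port, now):
        """Step 2: allocate state and return the ISN for the SYN-ACK, or None if the table is full."""
        self.half_open = {k: v for k, v in self.half_open.items() if v[1] > now}
        if len(self.half_open) >= BACKLOG:
            self.refused += 1      # backlog exhausted: legitimate clients are refused too
            return None
        isn = random.getrandbits(32)
        self.half_open[(client_ip, client_port)] = (isn, now + SYN_TIMEOUT)
        return isn

    def on_ack(self, client_ip, client_port, ack, now):
        """Step 3: established only if a live entry matches and the ACK is ISN+1."""
        entry = self.half_open.pop((client_ip, client_port), None)
        return entry is not None and entry[1] > now and ack == (entry[0] + 1) & 0xFFFFFFFF


class SynCookieListener:
    """Stateless alternative (simplified SYN cookies): the ISN is a keyed hash of the
    connection 4-tuple and a coarse time slot, so step 3 is checked by recomputing it
    instead of by looking up state that a flood could exhaust."""

    def __init__(self, secret: bytes, server="192.0.2.80:80"):   # constructed server identity
        self.secret = secret
        self.server = server

    def _cookie(self, client_ip, client_port, slot):
        msg = f"{client_ip}:{client_port}>{self.server}@{slot}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return struct.unpack("!I", tag[:4])[0]

    def on_syn(self, client_ip, client_port, now):
        return self._cookie(client_ip, client_port, int(now) // 64)   # nothing is stored

    def on_ack(self, client_ip, client_port, ack, now):
        slot = int(now) // 64
        return any(ack == (self._cookie(client_ip, client_port, s) + 1) & 0xFFFFFFFF
                   for s in (slot, slot - 1))     # accept the current and the previous slot


def flood(listener, count, now, seed=1):
    """Attacker: `count` SYNs from random spoofed sources, never followed by an ACK.
    The SYN-ACKs go to hosts that never asked and are ignored there."""
    rng = random.Random(seed)
    for _ in range(count):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        listener.on_syn(src, rng.randrange(1024, 65536), now)


def legit_handshake(listener, now, client=("203.0.113.7", 40000)):
    """Honest client doing all three steps; True if the server establishes the connection."""
    isn = listener.on_syn(*client, now)
    if isn is None:
        return False               # SYN dropped: the client never sees a SYN-ACK and times out
    return listener.on_ack(*client, (isn + 1) & 0xFFFFFFFF, now + 0.1)


def demo():
    """Same flood against both listeners, then one legitimate client each."""
    stateful, cookies = StatefulListener(), SynCookieListener(b"constructed-secret")
    flood(stateful, 1000, now=100.0)
    flood(cookies, 1000, now=100.0)
    return legit_handshake(stateful, 100.0), legit_handshake(cookies, 100.0)


if __name__ == "__main__":
    print(demo())   # stateful listener refuses the real client, cookie listener accepts it
```

The stateful listener recovers only once the flooded entries time out, which is exactly the window the attacker keeps refilling; the cookie listener spends a hash per SYN and nothing else.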

TCP RST Attack

RST (reset) aborts a TCP connection immediately, without the normal FIN exchange. An endpoint sends it when something has gone badly wrong, for example when a segment arrives for a connection it has no record of.

The RST attack involves sending a spoofed RST that matches the connection's addresses and ports and carries a sequence number the victim will accept (one within its receive window); the victim tears the connection down. An on-path attacker reads these values off the wire; a blind attacker has to guess the sequence number, one window-sized step at a time.

TCP Session Hijacking

Classic man-in-the-middle on TCP/IP using the sequence (SEQ) and acknowledgement numbers: an attacker who observes or predicts the numbers of an established connection injects segments that the receiver accepts as the legitimate peer's, taking over the session. The real peer's subsequent segments then fall outside the expected sequence range and are dropped, so the connection is desynchronized for everyone but the attacker.
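Added example, not from the lecture, covering both the RST attack and session hijacking: the sequence-number acceptance checks a receiver applies, reduced to pure Python. Addresses and ports are assumed to match already (sniffed or guessed), so only SEQ decides whether a forged segment is believed. The sequence numbers, window and injected command are constructed.

```python
# TCP flag bits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SEQ_MOD = 1 << 32


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test with 32-bit wraparound: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def rst_accepted(seq, rcv_nxt, rcv_wnd, rfc5961=False):
    """Legacy stacks abort on any in-window RST, which is what a blind RST attack counts on.
    RFC 5961 stacks abort only when SEG.SEQ == RCV.NXT and answer any other in-window RST
    with a challenge ACK (a genuine peer then re-sends an RST with the exact number)."""
    if rfc5961:
        return seq == rcv_nxt
    return in_window(seq, rcv_nxt, rcv_wnd)


def blind_rst_guesses(rcv_wnd):
    """Spoofed RSTs a blind attacker needs to sweep the whole sequence space when the
    victim accepts any in-window value: one guess per window-sized slice of 2**32."""
    return -(-SEQ_MOD // rcv_wnd)


class Receiver:
    """One end of an established connection, reduced to the checks that decide whether a
    segment is believed.  Connection identity (addresses, ports) is assumed to match, so
    the sequence number is the only thing left that tells the peer from a forger."""

    def __init__(self, rcv_nxt, rcv_wnd=65535, rfc5961=False):
        self.rcv_nxt, self.rcv_wnd, self.rfc5961 = rcv_nxt, rcv_wnd, rfc5961
        self.delivered = b""
        self.closed = False

    def segment(self, seq, flags, payload=b""):
        if self.closed:
            return "closed"
        if flags & RST:
            if rst_accepted(seq, self.rcv_nxt, self.rcv_wnd, self.rfc5961):
                self.closed = True
                return "reset"
            if self.rfc5961 and in_window(seq, self.rcv_nxt, self.rcv_wnd):
                return "challenge-ack"
            return "dropped"
        if not in_window(seq, self.rcv_nxt, self.rcv_wnd):
            return "dropped"       # stale or forged: outside what we are prepared to receive
        if seq != self.rcv_nxt:
            return "queued"        # in window but out of order: a real stack buffers it
        self.delivered += payload  # exactly the byte we were waiting for: hand it to the application
        self.rcv_nxt = (self.rcv_nxt + len(payload)) % SEQ_MOD
        return "delivered"


def hijack_demo():
    """Constructed session: the server expects the client's next byte at seq 1000.  An on-path
    attacker who sniffed that number injects a command; the client's own next segment then
    looks stale and is dropped, leaving the attacker in control of the stream."""
    server = Receiver(rcv_nxt=1000)
    client_cmd = server.segment(1000, ACK | PSH, b"ls\n")    # legitimate client
    injected = server.segment(1003, ACK | PSH, b"id\n")      # attacker, seq copied off the wire
    real_next = server.segment(1003, ACK | PSH, b"pwd\n")    # legitimate client, now desynchronized
    return client_cmd, injected, real_next, server.delivered


def blind_rst_demo(rfc5961):
    """Blind attacker who knows the 4-tuple but not the exact sequence number: one RST per
    window-sized step.  Returns how many spoofed RSTs it took to abort the connection, or None."""
    victim = Receiver(rcv_nxt=0x12345678, rcv_wnd=65535, rfc5961=rfc5961)
    for i in range(blind_rst_guesses(victim.rcv_wnd)):
        if victim.segment((i * victim.rcv_wnd) % SEQ_MOD, RST) == "reset":
            return i + 1
    return None


if __name__ == "__main__":
    print(hijack_demo())
    print(blind_rst_demo(rfc5961=False), blind_rst_demo(rfc5961=True))
```

With a 64 KiB window the legacy receiver falls to a blind sweep after a few thousand spoofed RSTs at most (the full sweep is 65538 packets); under RFC 5961 the same sweep achieves nothing unless a guess lands on RCV.NXT exactly, and each near miss only provokes a challenge ACK.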