1

Different Attack
DOS/DDOS
Spoofing
Man in the Middle
Replay
TCP/IP Hijacking
Social Engineering
Password Guessing

2
Security attack: Any action that compromises the security of
information owned by an organization.
•Threat:
–A potential for violation of security, which exists when
there is a circumstance, capability, action, or event that
could breach security and cause harm. That is, a threat is a
possible danger that might exploit vulnerability.
•Attack :
– An assault on system security that derives from an
intelligent threat; that is, an intelligent act that is a deliberate
attempt (especially in the sense of a method or technique) to
evade security services and violate the security policy of a
system.

3
 TYPES OF ATTACKS

Nontechnical attack Technical attack

Denial-of-service
Malicious code Sniffing Spoofing
attack

Virus

Worm

Trojan horse

4
 Definitions of DoS and DDoS attacks
• A DoS (Denial of Service) attack aims at preventing, for
legitimate users, authorized access to a system resource . The
attacker uses specialized software to send a flood of data
packets to the target computer with the aim of overloading
its resources.

• DDoS ( Distributed Denial of Service attacks)

A denial-of-service attack in which the attacker gains
illegal administrative access to as many computers on the
Internet as possible and uses the multiple computers to
send a flood of data packets to the target computer.
Distributed Denial-of-service (DDoS) attack
 Classification of DoS attacks
1. Bandwidth consumption:
Attacks will consume all available Network bandwidth
2. Resource starvation:
Attacks will consume system resources (mainly CPU,
memory, storage space)
3. Programming flaw:
Failures of applications or OS components to handle
exceptional conditions (i.e. unexpected data is sent to a
vulnerable component).
4. Routing and DNS attacks:
 Manipulate routing tables.
 Changing routing tables to route to attacker’s net or
black hole.
 Attack to DNS servers, again route to attackers or black
hole.

7
 EXAMPLES
Syn flood
TCP three-way handshake:
The client requests a connection by sending a SYN
(synchronize) message to the server.
The server acknowledges this request by sending SYN-ACK
back to the client, which, Responds with an ACK, and the
connection is established.
How it work………???

 Attacker sends SYN packet to victim forging non-existent IP

address
 Victim replies with Syn/Ack but neither receives Ack nor RST from
non-existent IP address
 Victim keeps potential connection in a queue in Syn_Recv state, but
the queue is small and takes some time to timeout and flush the
queue, e.g 75 seconds
 If a few SYN packets are sent by the attacker every 10 seconds, the
victim will never clear the queue and stops to respond.
 2. TCP Session Hijacking

TCP HEADER FORMAT

9
 TCP
For eachSLIDING WINDOWS
TCP connection each hosts keep two Sliding
Windows,
• Send sliding window, and
• Receive sliding window
to make sure the correct transmission of Traffic
between the send and receiver.
Each byte sent from the sender to the receiver has a
unique Sequence Number associated with it.

10
THREE-WAY
HANDSHAKING
Client Server

SYN (seq# = x)

SYN / ACK

ack# = x+1
seq# = y

ACK (seq# = x ; ack# = y+1)

11
 TCP SESSION
HIJACKING
TCP session hijacking is when a hacker takes over a TCP
session between two machines.
Since most authentication only occurs at the start of a TCP
session, this allows the hacker to gain access to a machine.

12
 CATEGORIES OF TCP SESSION
HIJACKING

Based on the anticipation of sequence numbers there

are two types of TCP hijacking:
• Man-in-the-middle (MITM)
• Blind Hijack.

13
A. MAN-IN-THE-MIDDLE
(MITM)
A hacker can also be "inline" between B and C
using a sniffing[inhale] program to watch the
sequence numbers and acknowledge numbers in
the IP packets transmitted between B and C. And
then hijack the connection. This is known as a
"man-in-the-middle attack".

14
MAN IN THE MIDDLE ATTACK USING
PACKET SNIFFERS

This technique involves using a packet sniffer to

intercept the communication between client and the
server. Packet sniffer comes in two categories:
• Active sniffers
• Passive sniffers.

15
PASSIVE SNIFFERS
Passive sniffers monitors and sniff packet from a network having
same collision Domain i.e. network with a hub, as all packets are
broadcasted on each port of hub.

16
ACTIVE SNIFFERS
One way of doing so is to change the default gateway of
the client’s machine so that it will route its packets via
the hijacker’s machine.
This can be done by ARP spoofing (i.e. by sending
malicious ARP packets mapping its MAC address to the
default gateways address so as to update the ARP cache
on the client , to redirect the traffic to hijacker).

17
B. BLIND HIJACKING
If you are not able to sniff the packets and guess
the correct sequence number expected by server,
you have to implement “Blind Session Hijacking”.
You have to brute force 4 billion combinations of
sequence number which will be an unreliable task.

18
 3. IP SPOOFING
IP spoofing is a technique used to gain unauthorized access
to computers, where by the attacker sends messages to a
computer with a forging IP address indicating that the
message is coming from a trusted host.
Attacker puts an internal, or trusted, IP address as its
source. The access control device sees the IP address as
trusted and lets it through.

19
IP SPOOFING
• IP spoofing occurs when a hacker inside or outside a
Network impersonates the conversations of a trusted
computer.
• Two general techniques are used during IP spoofing:
• A hacker uses an IP address that is within the range
of trusted IP addresses.
• A hacker uses an authorized external IP address that
is trusted.

20
 Basic Concept of IP Spoofing

A www.carleton.ca
10.10.10.1 134.117.1.60
http://
www.carleton.ca

10.10.10.1 134.117.1.60 Any (>1024) 80

Src_IP dst_IP Src_port dst_port

spoofed

11.11.11.1 134.117.1.60 Any (>1024) 80

Src_IP dst_IP Src_port dst_port

21
IP SPOOFING

22
 SPOOFING ATTACKS:
There are a few variations on the types of attacks that
using IP spoofing.
Spoofing is classified into :-
1.non-blind spoofing
This attack takes place when the attacker is on the same
subnet as the target that could see sequence and
acknowledgement of packets.
Using the spoofing to interfere with a connection that
sends packets along your subnet.

23
 SPOOFING ATTACKS:
Impersonation

sender
ip
s po partner
ofe
src dp
:p ack
dst art et
: v ner
icti
m

Oh, my partner sent

me a packet. I’ll
victim
process this.

24
SPOOFING ATTACKS:
2. Blind spoofing
This attack may take place from outside where
sequence and acknowledgement numbers are
unreachable.
Attackers usually send several packets to the target
machine in order to sample sequence numbers, which
is doable in older days .

25
 SPOOFING ATTACKS:
flooding attack

sender ip
s po
ofe
src dp
: ack
dst rand et
:v o
icti m
m

Oops, many packets

are coming. But, who
is the real source?
victim

26
SPOOFING ATTACKS:
3.Man in the Middle Attack
This is also called connection hijacking. In this attacks,
a malicious party intercepts a legitimate communication
between two hosts to controls the flow of communication
and to eliminate or alter the information sent by one of
the original participants without their knowledge.

27
 SPOOFING ATTACKS:
reflection
ip spoofed packet
sender src: victim
dst: reflector reflector

et

icti or
ck
t: v ct
pa

m
ds efle
ly
rep

:r
Oops, a lot of src
replies without any
request… victim

28
 DETECTION OF IP SPOOFING:
1. If you monitor packets using network-monitoring
software such as netlog, look for a packet on your
external interface that has both its source and
destination IP addresses in your local domain.
If you find one, you are currently under attack.

29
 DETECTION OF IP SPOOFING:
2. Another way to detect IP spoofing is to compare the
process accounting logs between systems on your internal
network.
If the IP spoofing attack has succeeded on one of your
systems, you may get a log entry on the victim machine
showing a remote access;
On the apparent source machine, there will be no
corresponding entry for initiating that remote access.

30
Source Address Validation :
 Check the source IP address of IP packets
 filter invalid source address
 filter close to the packets origin as possible
 filter precisely as possible
 If no networks allow IP spoofing, we can eliminate these
kinds of attacks

31
 PREVENTION IP
SPOOFING FIREWAL
The best method of preventing the IP spoofing problem is to
install a filtering router that restricts the input to your external
interface (known as an input filter) by not allowing a packet
through if it has a source address from your internal network.
In addition, you should filter outgoing packets that have a
source address different from your internal network in order to
prevent a source IP spoofing attack originating from your site.

32
 FILTERING

If src_addr is from 10.10.0.0

then drop else forward
Internet

Router Firewall
10.10.0.0

IDS
10.10.10.0

if src_addr is from 10.10.0.0 B

then forward else drop

33
4. Replay: involves the re-use of captured data at a later time than
originally intended in order to repeat some action of benefit to
the attacker: for example, the capture and replay of an
instruction to transfer funds from a bank account into one under
the control of an attacker. This could be foiled by confirmation
of the freshness of a message.

34
 5. WHAT IS SOCIAL
ENGINEERING?
Social engineering is a Collection
of techniques used to
manipulate people into performing actions or divulging
confidential information.
Social engineering is emerging as one of the biggest
challenges, as there is no technical defense against the
exploitation of human weaknesses.
• Easier than technical hacking Hard to detect and
track.

35
GOALS OF A SOCIAL
ENGINEER
Someone who tries to gain unauthorized access to
your computer systems.
The mind of a Social Engineer make the victim
want to give them the information they need.
It affects all kinds of systems.

36
 RELATED CONCEPTS
Phishing
- Deceiving a user into using a fake web site
Identity theft
- pretend to be someone else, e.g., calling support while on a
trip (with no way to authenticate the call)
Trojans - Deceiving a user into running a malicious program

37
SOCIAL ENGINEERING THREATS AND
DEFENSES

Online
Telephone
Waste management
Personal approaches

38
•Online threat
• Obtaining private information
• Download Malware
• Download Hackers software
•Telephone Threat
– Request information.
– Gain access to “free” telephone usage.
– Gain access to communications network.
• Waste Management Threats
– Huge amount of information in the trash
– Most of it does not seem to be a threat
– Company Confidential. Shared all company confidential waste
documents before disposal in any bin.
– Private. Shared all private waste documents before disposal in any bin.

39
PERSONAL
APPROACHES
The simplest and cheapest way for a hacker to get information is
for them to ask for it directly.
Persuasion. The most common forms of persuasion
include flattery or name dropping.
Intimidation. This approach may involve the
impersonation of an authority figure to coerce/force a
target to comply with a request.
Ingratiation. This approach is usually a more long
term ploy, in which a subordinate or peer coworker
builds a relationship to gain trust and, eventually,
information from a target.

40
ASSIGNMENT ONE
Write the defense of social engineering problem

41
 6. Password Guessing
Passwords are the most widely used means of
authentication
Humans have a tendency to choose relatively
short and simple passwords
Thus, passwords bring along with them, the
threat of dictionary attacks

42
Dictionary attacks
Dictionary attack means guessing the password and
somehow check whether it is valid or not
If the rate of guessing and validating is reasonably
high, the attacker stands a good chance of breaking
the password
Two types: offline and online

43
Offline dictionary attacks
The attacker somehow gets access to some data which
allow him to test passwords without any interaction with
the server

44
Online dictionary attacks

For each password validation, interaction with the server is

required
By attempting a login, it is always possible to test for password
validity and hence, these attacks cannot be totally prevented
Common countermeasures like account locking and delayed
response are not satisfactory

45
How are passwords broken – GUESSING AND CRACKING.
Guessing – Find or guess a user’s identifier
Create a list of possible passwords
Try each one
On success you are in, else keep trying
Hampered by unsuccessful login timeout – If (n) attempts are
unsuccessful, lock the system for (m) minutes – n & m
variable.

46
Most cracking is done off-line to avoid the timeout problem.
Major steps: Find user ids
Get encrypted or hashed passwords or password files
Create a list of trial passwords
Encrypt or hash the trial passwords
See if there is a match
Attacks: Dictionary attacks (build a dictionary of passwords).
Brute force (try all possible passwords).
Hybrid attacks (modified dictionary attack using altered
dictionary words (party becomes ).
This really is still guessing – these systems don’t break encryption!

47
PASSWORD CRACKING – HOW DO WE
GET THE PASSWORDS?

If administrator – Dump the hashes to a file

If not administrator – Sniff the passwords off the network
 Get administrator privilege
 Boot another OS and read the file
 Copy from backup
 Copy from emergency repair disk
Reminder to physically protect the system and all media.
Also to install patches that allow intrusions that result in root
or
administrator access.

48
SECURITY THREATS

Security Threats

Human Natural Disasters

Malicious Non-Malicious
Floods
Fires
Earthquakes
Outsiders Hurricanes
like Insiders ….
Crackers like Ignorant
and Disgruntled Employees
Hackers Employees
49
 CONTD.
1. Natural Disaster:- Nobody can stop nature from taking its course.
 Earthquakes, hurricane, floods, lightning, and fire can cause severe
damage to computer systems.
 Information can be lost, downtime or loss of productivity can occur,
and damage to hardware can disrupt other essential services.
 Few safeguards can be implemented against natural disasters.
 The best approach is to have disaster recovery plans and
contingency plans in place.
 Other threats such as riot, wars, and terrorist attacks could be
included here.
 Although they are human-caused threats, they are classified as
disastrous. 50
 CONTD.
2. Human Threats:- Malicious threats consist of inside attacks by
disgruntled or malicious employees and outside attacks by non-
employees just looking to harm and disrupt an organization.
 Insiders are the most dangerous attackers, because they know many of
the codes and security measures that are already in place .
 Insiders can plant viruses, Trojan horses, or worms, and they can
browse through the file system.
 By browsing through a system, an insider can learn confidential
information.
 Insiders can affect availability by overloading the system's processing
or storage capacity, or by causing the system to crash.
 Disgruntled employees can create both mischief and sabotage on a
computer system. 51
COMMON EXAMPLES OF COMPUTER-RELATED EMPLOYEE
SABOTAGE INCLUDE:
i. Changing/Deleting Data
ii. Destroying data or programs with logic bombs
iii. Crashing systems
iv. Holding data hostage
v. Destroying hardware or facilities
vi. Entering data incorrectly.
 Outsiders like hackers and crackers are also some of the security
human threats.
A. Hackers are people who either break in to systems for which they
have no authorization or intentionally overstep their bounds on
systems for which they don’t have legitimate access.
 Hacker usually is a programmer who constantly seeks further
knowledge, freely share what they have discovered, and 52
never
intentionally damage data.
 CONTD.
B. Crackers are people who breaks into or otherwise violates system integrity
with malicious intent.

 They destroy vital data or cause problems for their targets.

 Common methods for gaining access to a system include password

cracking, exploiting known security weaknesses, network spoofing,
and social engineering.
 Malicious attackers normally will have a specific goal, objective,
or motive for an attack on a system:
 Denial of Service

 Stealing Information or hardware (Resources).

53
 WAYS TO GAIN ACCESS OR DENY SERVICES
 Malicious attackers can gain access or deny services in numerous
ways. Here are some of them:-

1. Viruses:- Attackers can develop harmful codes, called viruses, and

plant them into systems.

 Viruses can also be spread via e-mail and disks.

2. Trojan horses:- are malicious programs or software code hidden inside
what looks like a normal program.

 When a user runs the normal program, the hidden code runs as well.
 It can then start deleting files and causing other damage to the computer.
 Trojan horses are normally spread by e-mail attachments.
 Trojan horses are a threat to both the integrity and confidentiality of
information in the system. 54
 CONTD.
3. Worms:- are programs that copy themselves from one system to
another over a network, without the assistance of a human being.
 Worms usually propagate themselves by transferring from computer
to computer via e-mail.
4. Password cracking:- is a technique attackers use to surreptitiously
gain system access through another user's account.
 This is possible because users often select weak passwords.
 The two major problems with passwords is:
i. when they are easy to guess based on knowledge of the user (for
example, wife's maiden name) and
ii. when they are susceptible to dictionary attacks (that is, using a
dictionary as the source of guesses).
55
 id e
sl
xt
Ne

56