This false information maps a host name to the wrong IP address. The aim is to divert requests to another site, and the attack can lead to pharming: the new web site may be bogus yet offer the same or similar products or services as the real web site.
If the user does not notice anything and enters a user name and password, the attacker can steal the credentials. The attacker impersonates the DNS server and replies to all incoming requests from the clients, thus misdirecting them. Most of the DNS attacks have been fixed in patches.
This protocol can also be misused by an attacker to make the service unavailable, which is a denial of service attack. It hosts three protocols that offer different features, which particular types of application may require.
TCP is a connection-oriented protocol, meaning that for data to be sent from a sender to a receiver, a connection must first be established. The sender needs to know whether the receiver is available and must negotiate some parameters for sending the data. To achieve this, TCP uses the three-way handshake. Predicting the sequence number is possible because it is incremented by a constant amount per second and by half that amount each time a connection is initiated.
Sequence number prediction can be overcome by randomizing the generation of the initial sequence number. Another form of hijacking is TCP blind spoofing, in which the attacker manages to guess both the port number and the sequence number of the session in progress.
If the correct port and sequence number are acquired, the attacker can carry out an injection attack. In a SYN flood, multiple SYN packets are spoofed with a source address that does not exist and are sent to the target server. This creates a large number of half-open sessions, because the ACK packets that would complete the handshake never reach the server.
This can overload the server or eventually crash it. The server will not allow any further connections to be established, and legitimate connection requests will be dropped, leading to a denial of service. SYN floods can be stopped by using a firewall to act as a proxy between the server and the client.
The firewall responds to the SYN packets from the clients and only allows a connection through to the server after it receives the ACK packet from the client. UDP ports can also be targeted: for instance, UDP port 7 is the echo port, and an attacker can overwhelm the target machine with multiple requests to such ports, creating a lot of traffic on the network.
Any anomaly in the flow of traffic will raise an alarm, and a firewall or an intrusion prevention system can be deployed to take action. The main protocol at this layer is the Internet Protocol, or IP. These protocols pose some serious security vulnerabilities. An IP address together with a subnet mask uniquely identifies a device on a network.
However, an attacker can easily spoof an IP address and, from this, carry out a man-in-the-middle attack or hijack a connection session. This attack can be overcome by deploying route policy controls that use strict anti-spoofing and route filters at the edge of the network.
Setting up a firewall with strong filter and anti-spoofing policies can also mitigate such an attack (Computer Networks — Basics and Security Issues, Barak Ekici, Yasar University, Turkey). IP source routing involves a packet listing the specific routers it took to reach its destination; the recipient can use this path to send data back to the sender.
In a source route attack, the attacker modifies the source route option in the packet. This can lead to a loss of data confidentiality, as the attacker will be able to read the data packets.
Dropping or forwarding packets that carry the source route option can solve this issue.
RIP Security Attacks
Routing Information Protocol (RIP) is a dynamic routing protocol and an interior gateway protocol used to propagate routing information on local networks.
The messages sent are not checked by the receiver, so an attacker can take advantage of this and easily send incorrect routing information or simply forge RIP messages.
Packets can thereby be steered to the attacker for sniffing or for a man-in-the-middle attack. OSPF uses five message types, and these messages have security vulnerabilities that can be exploited. ICMP is used to send error and control messages regarding the status of a host or router, and it can be abused to wage an attack on a network. There are two kinds of attack that can be initiated by exploiting ICMP: passive and active attacks.
A passive attack involves monitoring the traffic and available hosts on a network. If successful, a hacker is able to read unencrypted data and can use the information gathered to perform another type of attack. Network reconnaissance attacks fall into the group of passive attacks. The essence of network reconnaissance is an attempt to determine the network topology and the paths into the network; ICMP packets supply the information being probed for.
This gives the attacker a true picture of the network and enables proper planning before launching an active attack. An attacker will be able to better understand the environment and gather information about the target so as to plan the attack approach. He or she is able to determine the number of hops to reach a specific device, where the firewalls are placed on the network, and which applications and hosts are running on the network.
Instead of pinging each individual host, a ping sweep probes all hosts in a given network range simultaneously with a single command. This makes it very easy for an attacker to learn the IP addresses of the live hosts in a network.
Port scanning is another method used for reconnaissance. If a port is open, it means that a certain application is running, and from this information an attacker can pinpoint which particular vulnerability that application has and exploit it.
Apart from gaining knowledge of which services are running, port scanning also gives out information such as which users own those services, whether anonymous logins are supported, and whether certain network services require authentication (SANS Institute InfoSec Reading Room — Port Scanning Techniques and the Defense Against Them).
Furthermore, it is also possible to learn which operating system is being used on a host machine. This is called operating system fingerprinting. Each operating system handles network traffic in a slightly different way, and ICMP can be used to determine the underlying operating system. A defence against port scanning is to disable all ports that are not in use on a server or client. Deploying TCP wrappers can restrict the information gained from port scans.
TCP wrappers allow a network administrator to permit or deny access to services based on IP addresses or domain names. It is advisable to carry out a port scan on a device before it goes public online.
A perfect tool for accomplishing a passive attack is traceroute. Traceroute is a popular ICMP utility used to map a target network by describing, in real time, the path from the client to the remote host being contacted (Computer Desktop Encyclopedia).
Using traceroute, the attacker is not only able to trace the path taken by a packet as it travels to the target but also gains information on the topology of the target network. This allows the attacker to plan his approach when attacking the network. In an active attack, the attacker actually tries to bypass or break into the network, and this can result in a denial of service.
One important tool used in network diagnosis is the ICMP ping. Ping echo packets can be sent to a broadcast address on a target network, which can lead to a traffic overload that impedes normal traffic and results in a denial of service. Deploying a firewall can stop ICMP floods. The firewall can check the rate of ICMP packets destined for a specific destination address.
There should be a threshold rate, and if it is exceeded, all subsequent ICMP packets to that destination should be dropped. Even when attackers utilize IP spoofing, attacks on the application layer are still more difficult to detect. To really get our hands dirty with application level attacks, we need to understand the varying types of attack they represent. These requests are specifically designed to consume considerable resources.
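The per-destination threshold check described above, written out as an added example (this is not code from the original text): a sliding window counts ICMP arrivals per destination address and, once the count in the window exceeds the threshold, every further packet to that destination is dropped. The window length, the threshold value and the packet records are assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample of ICMP arrivals as (timestamp_seconds, src_ip, dst_ip).
# Six slow pings to 10.0.0.7 are normal; 120 packets in 1.2 s to 10.0.0.5 are a flood.
SAMPLE_ICMP = (
    [(i * 0.5, "192.0.2.10", "10.0.0.7") for i in range(6)]
    + [(1.0 + i * 0.01, f"198.51.100.{i % 7}", "10.0.0.5") for i in range(120)]
)

class IcmpRateLimiter:
    """Per-destination sliding-window rate check: when more than `threshold`
    ICMP packets have arrived for one destination within the window, the
    current packet is dropped. Dropped packets still count toward the arrival
    rate, so a flood stays blocked until it actually subsides."""

    def __init__(self, threshold, window_seconds=1.0):
        self.threshold = threshold          # packets allowed per window (assumed)
        self.window = window_seconds        # window length in seconds (assumed)
        self.arrivals = defaultdict(deque)  # dst_ip -> timestamps inside the window

    def allow(self, timestamp, dst_ip):
        q = self.arrivals[dst_ip]
        # Evict arrivals older than the window so the count reflects the current rate.
        while q and timestamp - q[0] > self.window:
            q.popleft()
        q.append(timestamp)
        return len(q) <= self.threshold

def filter_icmp(packets, threshold=50, window_seconds=1.0):
    """Run the limiter over packets in arrival order; return per-destination
    counts of allowed and dropped packets."""
    limiter = IcmpRateLimiter(threshold, window_seconds)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, _src, dst in sorted(packets):
        verdict = "allowed" if limiter.allow(ts, dst) else "dropped"
        stats[dst][verdict] += 1
    return dict(stats)

if __name__ == "__main__":
    for dst, counts in filter_icmp(SAMPLE_ICMP).items():
        print(dst, counts)
```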
Bots then start from a given HTTP link and recursively follow all links on the provided website. Slowloris attacks attempt to monopolize system resources by sending HTTP requests that never complete. The web server therefore waits indefinitely for the requests, eventually consuming all its connection capacity; by exhausting TCP session availability, the server is frozen. In this paper, entropy is employed to measure changes in the randomness of requests in a session over a given time interval.
Entropy is applied as a second layer of filtering of the suspicious flow. The second filtering mechanism is required to identify an attacker who acts like a legitimate client, because an attacker may behave benignly until it attains the highest trust value and then begin to misbehave. The detection of a DDoS attack is carried out as follows. Initially, the client embeds its trust value in the session request and sends it to the server.
The server, on receiving the session request, validates the trust value. If it is valid, the server forwards the request; otherwise the session is considered suspicious and dropped. Then the entropy of the incoming requests in the session is calculated and the degree of deviation from the predefined value is estimated.
The greater the deviation, the more suspicious the session. If the session is found suspicious, it is assigned the lowest trust value and dropped immediately. Otherwise, the requests are scheduled to receive service from the web server. The trust value is updated and embedded in the server's response message for future use. The detection mechanism is deployed at the server. A session connection request first reaches the system; the proposed scheme then either drops or forwards the request based on the trust value obtained in the past session, and calculates the entropy deviation of the request rate.
If the deviation exceeds the threshold, the session is dropped immediately. Otherwise, the session is scheduled based on the system workload and the trust value of the user. A client who behaved well in past sessions obtains a higher degree of trust.
The highest-trust-value-first policy is used to schedule the requests for the server.
Figure 1. System Architecture
3. Trust value computation
Once the request is accepted, it is forwarded to the application. Let t_rs be the time taken by the server to respond to the request req, and let u_t denote the utility of the request req.
In this approach, a simple benefit function is used, and an additive increase, multiplicative decrease strategy is used to calculate the new trust value.
Entropy calculation
Let a request in a session be denoted as r_ij, where i, j ∈ I, a set of positive integers.
Let r_{j,t} denote the number of requests in session j at a given time t. Well-behaved users will have little or no deviation. In that case, the legitimate user gets quicker service.
In addition to the scheduling policy, the system workload is also considered before scheduling a request for service.
Algorithm to compute the entropy from the system log
Input: system log
1. Extract the request arrivals for all sessions, the page viewing time and the sequence of requested objects for each user from the system log.
The proposed scheme provides a double checkpoint to separate malicious flows from normal flows. This approach not only counters illegitimate flows but also avoids the flooding of legitimate flows. At the first level, the trust value is used to distinguish legitimate users from attackers. Then, based on the information metric of the current session, sessions that are deemed suspicious are dropped.
The legitimate flows are then scheduled by the scheduler based on the system workload and the trust value of the client. Thus the legitimate clients get more priority in accessing information and services.
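The two-level scheme described above (trust value validation, then entropy deviation, then highest-trust-first scheduling with an AIMD trust update), as an added example that is not the paper's own code. Because the paper does not fix them, the following are assumptions: a keyed MAC so the server can validate the trust value a client embeds, normalised Shannon entropy of r_{j,t} over one-second slots as the session metric, the threshold values, and the constructed sessions.

```python
import hmac, hashlib, math
from collections import Counter
# Assumed parameters: the paper describes the scheme but gives no values.
TRUST_MIN, TRUST_MAX, ALPHA, BETA = 0.0, 1.0, 0.1, 0.5  # AIMD: +ALPHA / *BETA
EXPECTED_H, WARN_DEV, DROP_DEV, MIN_REQ = 1.0, 0.2, 0.5, 3
SERVER_KEY = b"constructed-demo-key"

def issue_token(trust):
    # Server embeds trust in its response; the keyed MAC (an assumption, not in
    # the paper) stops a client from simply claiming a higher value next time.
    t = f"{trust:.3f}"
    return t + ":" + hmac.new(SERVER_KEY, t.encode(), hashlib.sha256).hexdigest()

def validate_token(token):  # -> trust value, or None if the tag does not verify
    t, _, tag = token.partition(":")
    good = hmac.new(SERVER_KEY, t.encode(), hashlib.sha256).hexdigest()
    return float(t) if hmac.compare_digest(tag, good) else None

def session_entropy(arrivals, slot=1.0):
    # Normalised Shannon entropy of r_{j,t} (requests of session j per time slot):
    # an even spread gives ~1.0, a burst concentrated in one slot gives 0.
    counts = Counter(int(ts // slot) for ts in arrivals)
    n, slots = sum(counts.values()), len(counts)
    if slots < 2:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in counts.values()) / math.log2(slots)

def screen_session(token, arrivals):
    # Validate embedded trust, compare entropy deviation with the threshold, then
    # drop or accept and update trust by AIMD. Returns (accepted, new_trust).
    trust = validate_token(token)
    if trust is None:                        # forged or missing trust value: drop
        return False, TRUST_MIN
    dev = 0.0 if len(arrivals) < MIN_REQ else abs(EXPECTED_H - session_entropy(arrivals))
    if dev > DROP_DEV:                       # suspicious flow: drop, lowest trust
        return False, TRUST_MIN
    if dev > WARN_DEV:                       # borderline: multiplicative decrease
        return True, max(TRUST_MIN, trust * BETA)
    return True, min(TRUST_MAX, trust + ALPHA)  # well behaved: additive increase

def schedule(sessions):
    # Screen every session, then order the accepted ones highest trust first.
    results = {sid: screen_session(tok, arr) for sid, (tok, arr) in sessions.items()}
    order = sorted((s for s, (ok, _) in results.items() if ok), key=lambda s: -results[s][1])
    return order, results

# Constructed sessions: two evenly paced clients, one burst (attack), one forged token.
SESSIONS = {"alice": (issue_token(0.6), [i + 0.5 for i in range(10)]),
            "dave": (issue_token(0.3), [i + 0.5 for i in range(10)]),
            "bob": (issue_token(0.9), [3.0 + i * 0.001 for i in range(200)]),
            "carol": ("0.950:" + "00" * 32, [i + 0.5 for i in range(10)])}
```

Note that bob's forged-looking burst is dropped despite his previously high trust value, which is exactly the case the second filtering layer exists for.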