ATTACKS AND THEIR MITIGATIONS
By Mukesh Chaudhari, Dipak Abhijeet
IIS Thane, 2015
WARNING
This presentation is for educational purposes only. Misuse of it comes under cyber law.
LIST OF ATTACKS
• TCP SYN flood attack
• ICMP flood attack
• ARP spoofing attack
• Smurf attack
• IP fragmentation attack
• TCP hijacking attack
• Reflector attack
TOOLS USED
• hping3
• Scapy
• Ettercap
• Wireshark
HPING3
Description: hping3 is a network tool able to send custom TCP/IP packets and to display target replies, like the ping program does with ICMP replies. hping3 handles fragmentation, arbitrary packet body and size, and can be used to transfer files encapsulated under the supported protocols.
General syntax: hping3 [options] target
Uses:
• test firewall rules
• advanced port scanning
• path MTU discovery
• traceroute under different protocols
• remote OS fingerprinting
• TCP/IP stack auditing
SOME IMPORTANT OPTIONS TO BE USED IN HPING3
-h --help: show help
-v --version: show version
-V --verbose: verbose output
-I --interface name: interface to send from
--flood: send packets as fast as possible, without taking care to show incoming replies
-1 --icmp: ICMP mode
-2 --udp: UDP mode
-8 --scan: scan mode
-a --spoof hostname: spoof the source address
-t --ttl: IP time to live
-f --frag: split packets into fragments
-p --destport: destination port (default 0)
-w --win: TCP window size
-F --fin: set the FIN flag
-S --syn: set the SYN flag
-A --ack: set the ACK flag
-P --push: set the PUSH flag
-T --traceroute: traceroute mode
-d --data: data size
SCAPY DESCRIPTION
Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).
SYNOPSIS
scapy [-h] [-s file]
USAGE
Starting Scapy: Scapy's interactive shell is run in a terminal session. Root privileges are needed to send the packets, so we're using sudo here:
$ sudo scapy
Welcome to Scapy (2.0.1-dev)
>>>
On Windows, please open a command prompt (cmd.exe) and make sure that you have administrator privileges:
C:\>scapy
INFO: No IPv6 support in kernel
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.0.1-dev)
>>>
OPTIONS AND COMMANDS
Options for scapy are:
-h display help screen and exit
-s FILE use FILE to save/load session values (variables, functions, instances, ...)
COMMANDS
Only the vital commands to begin are listed here for the moment.
ls() lists supported protocol layers. If a protocol layer is given as parameter, lists its fields and types of fields.
lsc() lists some user commands. If a command is given as parameter, its documentation is displayed.
conf this object contains the configuration.
EXAMPLES
Test the robustness of a network stack with invalid packets:
sr(IP(dst="172.16.1.1", ihl=2, options="0x02", version=3)/ICMP())
Packet sniffing and dissection (with a BPF filter, or tethereal-like output; note that display must be called, otherwise only the bound method is printed):
a=sniff(filter="tcp port 110")
a=sniff(prn=lambda x: x.display())
Sniffed packet re-emission:
a=sniff(filter="tcp port 110")
sendp(a)
Pcap file packet re-emission:
sendp(rdpcap("file.cap"))
Manual TCP traceroute (dport is the destination port to probe; 80 is used here):
dport=80
sr(IP(dst="www.google.com", ttl=(1,30))/TCP(seq=RandInt(), sport=RandShort(), dport=dport))
Protocol scan:
sr(IP(dst="172.16.1.28", proto=(1,254)))
ARP ping:
srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="172.16.1.1/24"))
ACK scan:
sr(IP(dst="172.16.1.28")/TCP(dport=(1,1024), flags="A"))
Passive OS fingerprinting (needs load_module("p0f") first):
sniff(prn=prnp0f)
Active OS fingerprinting (needs load_module("nmap") first):
nmap_fp("172.16.1.232")
ARP cache poisoning (tmac is the target's MAC address, victim and target are IP addresses; the frame's Ethernet source defaults to our MAC, so the target's cache now maps the victim's IP to the attacker):
sendp(Ether(dst=tmac)/ARP(op="who-has", psrc=victim, pdst=target))
Reporting:
report_ports("192.168.2.34", (20,30))
ETTERCAP AND WIRESHARK
ETTERCAP
Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN. It can be used for computer network protocol analysis and security auditing. Ettercap works by putting the network interface into promiscuous mode and by ARP poisoning the target machines.
WIRESHARK
Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is cross-platform, using the GTK+ widget toolkit in current releases and Qt in the development version to implement its user interface, and using pcap to capture packets.
TCP SYN FLOOD ATTACK
TCP SYN flooding
• Exploits the state the server allocates after the initial SYN packet
• Send a SYN and never answer the SYN-ACK with the final ACK
• The server keeps the half-open connection and retransmits the SYN-ACK for a long timeout (tens of seconds to minutes, depending on the stack)
• The queue for incomplete connections has a finite size (e.g. 1024)
• Once the queue is full, new connection requests are dropped, legitimate ones included
Command for a SYN flood attack using hping3 (without -p hping3 sends to port 0, so name the listening port; --rand-source randomizes the source so the attacker's own kernel does not answer the SYN-ACKs with RSTs that would clear the queue entries):
hping3 -S -V -p 80 --flood --rand-source <target ip>
Using msfconsole: use auxiliary/dos/tcp/synflood, then set RHOST (and RPORT)
PREVENTION TECHNIQUES AGAINST SYN FLOOD ATTACK
• Use of a firewall
• Enabling SYN cookies: SYN cookies prevent an attacker from filling up your SYN queues and making your services unreachable to legitimate users. Instead of storing the half-open connection, the server encodes it in the sequence number of its SYN-ACK and allocates state only when an ACK carrying a valid cookie comes back.
On Linux, these are some settings you can use to enable and set up SYN cookies:
• echo 1 > /proc/sys/net/ipv4/tcp_syncookies
• echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
• echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
Caveat: cookies only engage once the backlog is full, and only a limited set of TCP options survives in a cookie, so keep the backlog large enough for normal load and make the settings persistent in /etc/sysctl.conf (net.ipv4.tcp_syncookies = 1).
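The two behaviours the slides contrast, as an added example written for this page (it is not code from the slides or from the Linux kernel): a classic listener with a fixed backlog that a flood of unanswered SYNs exhausts, next to a SYN-cookie listener that stores nothing per SYN and admits only peers that echo a valid cookie. The cookie layout (a 5-bit time counter followed by a 27-bit truncated HMAC with the client ISN folded in) is a simplification of the real one, and the addresses, ports and flood size are constructed.

```python
import hashlib
import hmac
import os
from collections import namedtuple

# A TCP connection attempt is identified by its 4-tuple (constructed values below).
Flow = namedtuple("Flow", "src sport dst dport")


class StatefulListener:
    """Classic listener: one half-open entry per SYN. This is the state the flood exhausts."""

    def __init__(self, backlog=1024):
        self.backlog = backlog
        self.half_open = {}  # flow -> server ISN, kept until the ACK arrives or a timeout
        self.refused = 0

    def on_syn(self, flow):
        if len(self.half_open) >= self.backlog:
            self.refused += 1  # queue full: this SYN (legitimate or not) is dropped
            return False
        self.half_open[flow] = int.from_bytes(os.urandom(4), "big")
        return True


class SynCookieListener:
    """SYN-cookie listener: the server ISN *is* the state, so a flood costs no memory."""

    COUNTER_BITS = 5  # low bits of a coarse clock; cookies older than a few ticks are rejected
    MAC_MASK = (1 << 27) - 1

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)
        self.established = set()

    def _mac(self, flow, counter):
        msg = f"{flow.src}:{flow.sport}>{flow.dst}:{flow.dport}|{counter}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") & self.MAC_MASK

    def cookie(self, flow, client_isn, now):
        """32-bit ISN = counter (5 bits) || truncated MAC + client ISN (27 bits)."""
        counter = now & ((1 << self.COUNTER_BITS) - 1)
        low = (self._mac(flow, counter) + client_isn) & self.MAC_MASK
        return (counter << 27) | low

    def on_syn(self, flow, client_isn, now):
        # Nothing is stored; the cookie goes out as the SYN-ACK sequence number.
        return self.cookie(flow, client_isn, now)

    def on_ack(self, flow, client_isn, ack, now):
        """Accept the handshake only if the ACK proves the peer received our cookie."""
        isn = (ack - 1) & 0xFFFFFFFF
        counter = isn >> 27
        if (now - counter) & ((1 << self.COUNTER_BITS) - 1) > 2:
            return False  # cookie too old (or a forged ACK carrying a stale counter)
        expected = (self._mac(flow, counter) + client_isn) & self.MAC_MASK
        if (isn & self.MAC_MASK) != expected:
            return False  # forged ACK: the attacker would have to guess 27 bits
        self.established.add(flow)  # state is allocated only now
        return True


def simulate(n_spoofed=5000, backlog=1024, now=100):
    """Flood both listeners with SYNs from spoofed sources that never ACK, then try a real client.

    Returns (stateful_accepts_legit, cookie_accepts_legit, cookie_accepts_forged_ack).
    """
    stateful = StatefulListener(backlog)
    cookies = SynCookieListener()
    for i in range(n_spoofed):
        spoofed = Flow(f"198.51.100.{i % 254 + 1}", 1024 + i, "10.0.0.1", 80)
        stateful.on_syn(spoofed)
        cookies.on_syn(spoofed, i, now)
    legit = Flow("203.0.113.7", 44321, "10.0.0.1", 80)
    stateful_ok = stateful.on_syn(legit)  # refused: the backlog is full of spoofed entries
    c = cookies.on_syn(legit, 12345, now)
    cookie_ok = cookies.on_ack(legit, 12345, (c + 1) & 0xFFFFFFFF, now + 1)
    forged_ok = cookies.on_ack(legit, 12345, 0xDEADBEEF, now + 1)  # a guessed ACK number
    return stateful_ok, cookie_ok, forged_ok


if __name__ == "__main__":
    print(simulate())  # (False, True, False)
```

The cookie listener never grows during the flood (its established set is empty until a real ACK arrives), which is exactly why tcp_syncookies=1 keeps the service reachable once the backlog is full.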
ICMP FLOOD ATTACK
An ICMP flood typically occurs when ICMP echo requests overload the victim with so many requests that it expends all its resources responding, until it can no longer process valid network traffic.
Command for ICMP flooding using hping3:
hping3 -1 --flood 192.168.0.101
PROTECTION AGAINST ICMP FLOOD ATTACKS
• Use a firewall
• Configure your own server: in an ICMP/ping flood, you can set up your server to ignore pings, so an attack will be only half-effective, as your server won't consume bandwidth replying to the thousands of pings it is receiving. You can do that by running:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
And naturally, add this line to the file /etc/sysctl.conf:
net.ipv4.icmp_echo_ignore_all = 1
Note that ignoring echo requests only saves the reply bandwidth and CPU; the incoming flood still fills the link, so it has to be rate-limited or dropped upstream as well.
• Enabling ICMP flood protection by setting the ICMP flood threshold value (Junos screen on an SRX):
[edit]
user@host# set security screen ids-option 1000-icmp-flood icmp flood threshold 1000
SMURF ATTACK
• Send an ICMP echo request with a spoofed IP source address (the victim's) to a LAN broadcast address, so that it reaches all hosts on the LAN
• Each host sends its echo reply to the spoofed source address, so the victim receives one reply per host for every packet sent, leading to denial of service
Command using hping3 (the spoofed source is the victim, the destination is the broadcast address):
hping3 --icmp --spoof <victim ip> <broadcast ip> --flood
PROTECTION AGAINST SMURF ATTACK
How to prevent your network from being the source of the attack:
• Apply filters to each customer network
  Ingress: allow only those packets with source addresses within the customer's assigned netblocks
• Apply filters to your upstreams
  Egress: allow only those packets with source addresses within your netblocks, to protect others
  Ingress: deny those packets with source addresses within your netblocks, to protect yourself
This also prevents other forms of attacks (it is the anti-spoofing filtering of BCP 38 / RFC 2827). To keep your network from being the amplifier as well, disable directed broadcasts on your routers (Cisco: no ip directed-broadcast), so packets from outside addressed to a LAN broadcast address are dropped.
ARP POISONING & IP SPOOFING (MITM) ATTACK
A Man-In-The-Middle (MITM) attack is achieved when an attacker poisons the ARP caches of two devices with the (48-bit) MAC address of the attacker's own Ethernet NIC (Network Interface Card). Once the ARP caches have been successfully poisoned, each of the victim devices sends all its packets to the attacker when communicating with the other device. This puts the attacker in the middle of the communications path between the two victim devices; hence the name Man-In-The-Middle (MITM) attack. It allows the attacker to easily monitor (and alter) all communication between the victim devices, provided the attacker forwards the traffic on; otherwise the victims simply lose connectivity, which is itself noticeable.
STEPS
• Start Ettercap
• Select unified sniffing and the interface to use
• Scan for hosts
• Select target 1 and target 2 from the host list
• Then start ARP poisoning and sniff
• See the packets using Wireshark (display filter arp shows the forged "is at" replies; ip.addr == <victim ip> shows the relayed traffic)
• Before closing Ettercap, stop the MITM attack so that the victims' ARP caches are restored
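What the Wireshark step is looking for, as an added example written for this page (not code from the slides, Ettercap or Wireshark): a detector run over a constructed log of ARP replies in the form Wireshark shows them. It flags the three symptoms of a poisoning run: an IP whose MAC binding changes, one MAC answering for several IPs, and bursts of repeated replies for one IP. The addresses, timestamps and thresholds are assumptions, and the "several IPs" rule is a heuristic (a router legitimately owns several addresses).

```python
from collections import defaultdict

# Constructed ARP replies ("<ip> is at <mac>") in the order Wireshark would show them.
# The first three are normal; from t=9.0 a third NIC claims both the gateway and the victim.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),   # gateway
    (0.5, "192.168.1.10", "00:11:22:33:44:0a"),  # victim
    (5.0, "192.168.1.1", "00:11:22:33:44:01"),
    (9.0, "192.168.1.1", "DE:AD:BE:EF:00:01"),   # gateway suddenly "is at" another MAC
    (9.1, "192.168.1.10", "DE:AD:BE:EF:00:01"),  # the same MAC now also claims the victim
    (9.2, "192.168.1.1", "DE:AD:BE:EF:00:01"),   # repeated to keep the poisoned entry alive
    (9.3, "192.168.1.1", "DE:AD:BE:EF:00:01"),
]


def detect_arp_poisoning(replies, burst=3, window=1.0):
    """Flag binding changes, one MAC claiming several IPs, and reply bursts.

    replies: iterable of (timestamp_seconds, sender_ip, sender_mac).
    Returns a list of alert strings (empty when the ARP table stays consistent).
    """
    alerts = []
    ip_to_mac = {}                 # last binding seen per IP
    mac_to_ips = defaultdict(set)  # which IPs each MAC has claimed so far
    recent = defaultdict(list)     # reply timestamps per IP inside the window

    for t, ip, mac in replies:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{t:.1f}s: {ip} changed {old} -> {mac} (possible ARP poisoning)")
        ip_to_mac[ip] = mac

        claimed = mac_to_ips[mac]
        if ip not in claimed:
            claimed.add(ip)
            if len(claimed) > 1:  # heuristic: one NIC answering for several hosts
                alerts.append(f"{t:.1f}s: {mac} now claims {sorted(claimed)} (one NIC, several IPs)")

        times = recent[ip]
        times.append(t)
        times[:] = [x for x in times if t - x <= window]
        if len(times) >= burst:
            alerts.append(f"{t:.1f}s: {len(times)} replies for {ip} within {window}s (gratuitous burst)")
            times.clear()  # report each burst once
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_REPLIES):
        print(line)
```

On a real capture the same three rules can be fed from tshark -T fields -e frame.time_relative -e arp.src.proto_ipv4 -e arp.src.hw_mac with the display filter arp.opcode == 2.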
PREVENTION AGAINST ARP POISONING & IP SPOOFING ATTACK
• Use of private VLANs (and, on managed switches, Dynamic ARP Inspection or static ARP entries for the gateway, so that forged replies are not accepted in the first place)
To prevent IP spoofing in your network, the following are some common practices:
1. Avoid using source-address authentication. Implement cryptographic authentication system-wide.
2. Configure your network to reject packets from the Internet that claim to originate from a local address.
3. Implement ingress and egress filtering on the border routers, and implement an ACL (access control list) that blocks private IP addresses on your downstream interface.
If you allow outside connections from trusted hosts, enable encrypted sessions at the router.
FILTERING
[Figure: a router/firewall with an IDS sits between the Internet and the internal 10.10.10.0 network and applies two source-address rules]
Inbound from the Internet: if src_addr is from 10.10.0.0 then drop, else forward
Outbound to the Internet: if src_addr is from 10.10.0.0 then forward, else drop
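The two rules in the figure, together with the per-customer ingress filter from the Smurf slide and the "block private addresses" ACL above, as one added example written for this page (not router configuration from the slides): a source-address filter for the border router, run over a handful of constructed packets. The 10.10.0.0/16 prefix follows the figure; the other addresses and the decision to treat RFC 1918, loopback and 0.0.0.0/8 sources as bogons are assumptions.

```python
import ipaddress

# Constructed topology (the figure uses 10.10.0.0 as the inside prefix).
OUR_NETBLOCKS = [ipaddress.ip_network("10.10.0.0/16")]
# Sources that must never arrive from the Internet: our own space plus the RFC 1918
# private ranges, loopback and "this network".
NEVER_FROM_OUTSIDE = OUR_NETBLOCKS + [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")
]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def border_filter(direction, src):
    """Decision for a packet crossing the border router, by source address only.

    'egress'  (leaving toward the upstream): forward only our own sources, so our
              network cannot be the spoofing source of a Smurf or reflector attack.
    'ingress' (arriving from the upstream): drop our own addresses and any private
              source, since those cannot legitimately come from outside.
    """
    addr = ipaddress.ip_address(src)
    if direction == "egress":
        return "forward" if _in_any(addr, OUR_NETBLOCKS) else "drop"
    if direction == "ingress":
        return "drop" if _in_any(addr, NEVER_FROM_OUTSIDE) else "forward"
    raise ValueError(f"unknown direction {direction!r}")


def customer_filter(assigned_netblocks, src):
    """Per-customer ingress rule: accept only sources inside the customer's assigned blocks."""
    nets = [ipaddress.ip_network(n) for n in assigned_netblocks]
    return "forward" if _in_any(ipaddress.ip_address(src), nets) else "drop"


# Constructed packets: (direction, source address, what they represent).
SAMPLE_PACKETS = [
    ("egress", "10.10.5.9", "our host pinging out"),
    ("egress", "203.0.113.1", "spoofed source leaving us: a Smurf/reflector attempt"),
    ("ingress", "198.51.100.4", "ordinary Internet client"),
    ("ingress", "10.10.10.1", "outside packet claiming an inside address"),
    ("ingress", "192.168.1.1", "private source from the Internet"),
]


def audit(packets=SAMPLE_PACKETS):
    """Apply the border rules to each sample and return (direction, src, decision)."""
    return [(d, s, border_filter(d, s)) for d, s, _ in packets]


if __name__ == "__main__":
    for direction, src, decision in audit():
        print(f"{direction:7} {src:15} {decision}")
```

The egress rule is the one that protects other networks, which is why it is the part operators most often forget: it costs them nothing locally and only stops their own hosts from spoofing.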
TCP SESSION HIJACKING
TCP session hijacking is when an attacker takes over an established TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the attacker to gain access to a machine without ever authenticating.
Categories of TCP Session Hijacking
Based on how the attacker obtains the sequence numbers, there are two types of TCP hijacking:
• Man-in-the-middle (MITM): the attacker is on the path (for example after ARP poisoning), sees the sequence numbers and injects segments the receiver accepts as in order
• Blind hijack: the attacker is off-path and must predict the sequence numbers to inject a spoofed segment
PREVENT SESSION HIJACKING
• Require the use of SSL/TLS encryption on all pages of your website, or at least those pages that are used to transmit cookies, and mark session cookies Secure (and HttpOnly) so they are never sent in the clear.
• Ensure your wireless network uses WPA2 encryption.
• Provide a VPN to your users when they are away from the office.
• Be very careful with your organization's social networking accounts; only grant access to a small number of well-trained personnel.
REFLECTOR ATTACK
[Figure: the sender transmits an IP-spoofed packet with src = victim and dst = reflector; the reflector's reply packet has src = reflector and dst = victim; at the victim: "Oops, a lot of replies without any request..."]
Command using hping3 (spoof the victim 192.168.0.104 as the source, send to the reflector 192.168.0.101):
hping3 -1 --spoof 192.168.0.104 192.168.0.101 --flood
Using Scapy (src is the victim, dst is the reflector):
send(IP(src="<victim ip>", dst="<reflector ip>")/ICMP())
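The victim-side view of both the ICMP flood and the reflector attack, as an added example written for this page (not code from the slides or from hping3/Scapy): a detector run over a constructed ICMP event log that reports echo replies matching no request the victim sent (the "replies without any request" of the figure) and sources whose echo-request rate crosses a threshold (the direct flood). The victim and reflector addresses are taken from the hping3 command above; the other addresses, the thresholds and the event log are assumptions.

```python
from collections import Counter, defaultdict

VICTIM = "192.168.0.104"  # the address the attacker spoofs as source in the command above


def analyze_icmp(events, victim=VICTIM, rate_threshold=100, window=1.0):
    """Inspect ICMP as seen from the victim's side.

    events: (time, icmp_type, src, dst, ident, seq); type 8 = echo request, 0 = echo reply.
    Returns (unsolicited, flooders): replies per source that match no request the victim
    sent (the reflector signature), and sources that exceed rate_threshold echo requests
    within one window (the direct flood signature).
    """
    outstanding = set()          # (peer, id, seq) of the victim's own echo requests
    unsolicited = Counter()
    recent = defaultdict(list)   # echo-request timestamps per source inside the window
    flooders = set()
    for t, typ, src, dst, ident, seq in events:
        if typ == 8 and src == victim:
            outstanding.add((dst, ident, seq))
        elif typ == 8 and dst == victim:
            times = recent[src]
            times.append(t)
            times[:] = [x for x in times if t - x <= window]
            if len(times) >= rate_threshold:
                flooders.add(src)
        elif typ == 0 and dst == victim:
            key = (src, ident, seq)
            if key in outstanding:
                outstanding.discard(key)   # a reply we asked for
            else:
                unsolicited[src] += 1      # a reply nobody here requested
    return dict(unsolicited), flooders


# Constructed event log (not a capture): one legitimate ping exchange, 50 echo replies
# bounced off the reflector 192.168.0.101, and a burst of 150 direct echo requests.
SAMPLE_EVENTS = (
    [(0.0, 8, VICTIM, "192.0.2.53", 1, 1), (0.1, 0, "192.0.2.53", VICTIM, 1, 1)]
    + [(1.0 + i * 0.01, 0, "192.168.0.101", VICTIM, 7, i) for i in range(50)]
    + [(3.0 + i * 0.003, 8, "198.51.100.9", VICTIM, 9, i) for i in range(150)]
)


if __name__ == "__main__":
    print(analyze_icmp(SAMPLE_EVENTS))  # ({'192.168.0.101': 50}, {'198.51.100.9'})
```

The reflector shows up as a source of replies, not requests, which is why a rate limit on echo requests alone (the ICMP flood protection above) does nothing against it; the reflector's own operator is the one who can stop it, with the anti-spoofing egress filtering of the Smurf slide.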
IP FRAGMENTATION ATTACK
IP fragmentation is the process of breaking up a single Internet Protocol (IP) datagram into multiple packets of smaller size; an IP fragmentation attack abuses this mechanism to avoid detection by network-based Intrusion Detection Systems (IDSs) and firewalls.
IP allows packets to be broken down into fragments for more efficient transport across various media.
The TCP packet (and its header) are carried in the IP packet, and only the first fragment carries the TCP header.
One type of IP fragmentation attack is the TINY FRAGMENT ATTACK. The tiny fragment attack is designed to fool a firewall or packet filter by creating an initial fragment that is very small. It is so small, in fact, that the filter cannot see the whole TCP header: in the description on this slide the port number itself only arrives in the second fragment, and in the RFC 1858 variant the first eight bytes carry the ports but not the flags.
Because the packet filter is looking for the port number (or flags) to make filtering decisions, it may allow the tiny initial fragment to pass through. Also, it may allow the second fragment (which includes the rest of the TCP header) through, since non-initial fragments carry no transport header for the filter to inspect. Furthermore, an IDS may not reassemble the fragments properly and therefore may not notice the attack.
TINY FRAGMENT ATTACK
PREVENTING IP FRAGMENT ATTACK
Prevention of the tiny fragment attack: in a router, one can prevent this sort of attack by enforcing certain limits on fragments passing through, namely that the first fragment be large enough to contain all the necessary header information. There are two ways to guarantee that the first fragment of a "passed" packet includes all the required fields, one direct, the other indirect (both from RFC 1858): the direct method drops any TCP first fragment (offset 0) whose transport part is shorter than a minimum that covers the flags field; the indirect method drops any TCP fragment with fragment offset 1, since such a fragment can only exist to overwrite the tail of a short first fragment, which forces every accepted first fragment to carry at least 16 bytes of TCP header. Stateful firewalls that reassemble fragments before filtering are not fooled at all.
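Both methods carried out on raw packets, as an added example written for this page (not router code from the slides): a small IPv4 header builder, a classifier implementing the direct and indirect checks of RFC 1858, and a set of constructed fragments (a whole SYN, a tiny first fragment, an offset-1 overlap, a sane first fragment and a tiny UDP fragment). The 16-byte minimum and the addresses are assumptions; checksums are left at zero because the check never looks at them.

```python
import struct

TCP = 6
MIN_FIRST_FRAGMENT = 16  # bytes of TCP header a first fragment must carry (through the flags)


def ipv4_packet(src, dst, proto, payload, offset=0, more=False, ident=0x1234):
    """Constructed IPv4 datagram (20-byte header, checksum left zero) carrying payload.
    offset is the fragment offset in 8-byte units; more sets the MF flag."""
    flags_frag = ((1 if more else 0) << 13) | (offset & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
        bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")),
    )
    return header + payload


def classify_fragment(pkt, min_first=MIN_FIRST_FRAGMENT):
    """RFC 1858 checks for one IPv4 datagram or fragment; returns 'pass' or 'drop: <reason>'.

    Direct method: a TCP first fragment (offset 0) must carry at least min_first bytes of
    transport header, so the ports and flags the filter keys on are present.
    Indirect method: a TCP fragment with offset 1 is dropped, because it would overwrite
    bytes 8-15 of the TCP header (flags included) behind a short first fragment.
    """
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", pkt[2:4])
    flags_frag, = struct.unpack("!H", pkt[6:8])
    more = bool(flags_frag & 0x2000)
    offset = flags_frag & 0x1FFF
    proto = pkt[9]
    transport_len = total_len - ihl

    if proto != TCP or (offset == 0 and not more):
        return "pass"  # not TCP, or not fragmented: the normal port filter sees the header
    if offset == 0 and transport_len < min_first:
        return f"drop: tiny first fragment ({transport_len} bytes of TCP header)"
    if offset == 1:
        return "drop: offset-1 fragment would overwrite the first fragment's TCP flags"
    return "pass"


# Constructed TCP SYN header to port 80 (20 bytes, no options, checksum zero).
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

SAMPLE_PACKETS = {
    "whole SYN": ipv4_packet("192.0.2.1", "192.0.2.2", TCP, TCP_SYN),
    "tiny first fragment": ipv4_packet("192.0.2.1", "192.0.2.2", TCP, TCP_SYN[:8], more=True),
    "overlapping second fragment": ipv4_packet("192.0.2.1", "192.0.2.2", TCP, TCP_SYN[8:], offset=1),
    "sane first fragment": ipv4_packet("192.0.2.1", "192.0.2.2", TCP, TCP_SYN + b"x" * 4, more=True),
    "tiny UDP fragment": ipv4_packet("192.0.2.1", "192.0.2.2", 17, b"\0" * 8, more=True),
}


def classify_all(packets=SAMPLE_PACKETS):
    """Run the classifier over every sample and return name -> verdict."""
    return {name: classify_fragment(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:28} {verdict}")
```

Note that the "sane first fragment" is 24 bytes, a multiple of 8 as IP requires for a non-final fragment; a filter enforcing only the 16-byte minimum would still need the indirect rule to stop an attacker who sends a legal 16-byte first fragment and then an offset-2 fragment rewriting the window and the rest.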
CONCLUSION
BE SECURE
THANK YOU