ATTACKS AND THEIR MITIGATIONS BY MUKESH CHAUDHARI DIPAK ABHIJEET IIS THANE 2015

Attacks and their mitigations

Apr 13, 2017

Transcript
Page 1: Attacks and their mitigations

ATTACKS AND THEIR MITIGATIONS

BY MUKESH CHAUDHARI

DIPAK ABHIJEET

IIS THANE 2015

Page 2: Attacks and their mitigations

WARNING

This presentation is for educational purposes only. Misuse of it falls under cyber law.

Page 3: Attacks and their mitigations

LIST OF ATTACKS
• TCP SYN flood attack
• ICMP flood attack
• ARP spoofing attack
• Smurf attack
• IP fragmentation attack
• TCP hijacking attack
• Reflector attack

Page 4: Attacks and their mitigations

TOOLS USED
• hping3
• Scapy
• Ettercap
• Wireshark

Page 5: Attacks and their mitigations

HPING3

Description: hping3 is a network tool able to send custom TCP/IP packets and to display target replies like the ping program does with ICMP replies. hping3 handles fragmentation, arbitrary packet body and size, and can be used to transfer files encapsulated under supported protocols.

General syntax: hping3 [options] [-I interface] target

Uses:
• test firewall rules
• advanced port scanning
• path MTU discovery
• traceroute under different protocols
• remote OS fingerprinting
• TCP/IP stack auditing

Page 6: Attacks and their mitigations

SOME IMPORTANT OPTIONS TO BE USED IN HPING3

• -h --help
• -v --version
• -I --interface <name>
• --flood: send packets as fast as possible, without taking care to show incoming replies
• -V --verbose
• -1 --icmp: ICMP mode
• -2 --udp: UDP mode
• -8 --scan: scan mode
• -a --spoof <hostname>: spoof the source address
• -t --ttl: time to live (the slide's "time to leave" is a typo)
• -f --frag: split packets into fragments
• -p --destport: destination port
• -w --win: TCP window size
• -F --fin: set the FIN flag
• -S --syn: set the SYN flag
• -A --ack: set the ACK flag
• -T --traceroute: traceroute mode
• -d --data <size>: data size
• -P --push: set the PUSH flag

Page 7: Attacks and their mitigations

SCAPY DESCRIPTION

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).

SYNOPSIS

scapy [-h] [-s file]

Page 8: Attacks and their mitigations

USAGE

Starting Scapy: Scapy's interactive shell is run in a terminal session. Root privileges are needed to send the packets, so we're using sudo here:

$ sudo scapy
Welcome to Scapy (2.0.1-dev)
>>>

On Windows, please open a command prompt (cmd.exe) and make sure that you have administrator privileges:

C:\>scapy
INFO: No IPv6 support in kernel
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.0.1-dev)
>>>

Page 9: Attacks and their mitigations

OPTIONS AND COMMANDS

Options for scapy are:
  -h       display help screen and exit
  -s FILE  use FILE to save/load session values (variables, functions, instances, ...)

COMMANDS. Only the vital commands to begin are listed here for the moment.
  ls()   lists supported protocol layers. If a protocol layer is given as parameter, lists its fields and types of fields.
  lsc()  lists some user commands. If a command is given as parameter, its documentation is displayed.
  conf   this object contains the configuration.

Page 10: Attacks and their mitigations

EXAMPLES

Test the robustness of a network stack with invalid packets:
    sr(IP(dst="172.16.1.1", ihl=2, options="0x02", version=3)/ICMP())

Packet sniffing and dissection (with a BPF filter or tethereal-like output; the callback must call the method, the slide passed x.display without parentheses, which prints nothing):
    a=sniff(filter="tcp port 110")
    a=sniff(prn=lambda x: x.show())

Sniffed packet re-emission:
    a=sniff(filter="tcp port 110")
    sendp(a)

Pcap file packet re-emission:
    sendp(rdpcap("file.cap"))

Manual TCP traceroute (dport is a variable holding the destination port you choose; the slide's line was missing its closing parenthesis):
    sr(IP(dst="www.google.com", ttl=(1,30))/TCP(seq=RandInt(), sport=RandShort(), dport=dport))

Protocol scan:
    sr(IP(dst="172.16.1.28", proto=(1,254)))

ARP ping:
    srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="172.16.1.1/24"))

ACK scan:
    sr(IP(dst="172.16.1.28")/TCP(dport=(1,1024), flags="A"))

Passive OS fingerprinting (in Scapy 2.x run load_module("p0f") first):
    sniff(prn=prnp0f)

Active OS fingerprinting (in Scapy 2.x run load_module("nmap") first):
    nmap_fp("172.16.1.232")

ARP cache poisoning (tmac, victim and target are variables you set beforehand: the target's MAC, the IP to impersonate and the IP being poisoned):
    sendp(Ether(dst=tmac)/ARP(op="who-has", psrc=victim, pdst=target))

Reporting:
    report_ports("192.168.2.34", (20,30))

Page 11: Attacks and their mitigations

ETTERCAP AND WIRESHARK

ETTERCAP. Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN. It can be used for computer network protocol analysis and security auditing. Ettercap works by putting the network interface into promiscuous mode and by ARP poisoning the target machines, so that their traffic flows through the attacker's host.

WIRESHARK. Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is cross-platform: it used the GTK+ widget toolkit in the 1.x releases current when these slides were written, moved to Qt with version 2.0 in late 2015, and uses pcap (libpcap, WinPcap or Npcap) to capture packets.

Page 12: Attacks and their mitigations

TCP SYN FLOOD ATTACK

TCP SYN flooding:
• Exploits state allocated at the server after the initial SYN packet (a half-open connection entry in the SYN backlog).
• Send a SYN and don't reply with the final ACK.
• The server keeps the half-open entry while it retransmits its SYN-ACK: the classic figure is 511 seconds; on Linux with the default tcp_synack_retries=5 the entry lives about 63 seconds.
• Finite queue size for incomplete connections (1024 in the classic example; on Linux it is tcp_max_syn_backlog).
• Once the queue is full the server stops accepting new connection requests, including legitimate ones.

Command for a SYN flood attack using hping3 (add -p <port> to aim at a listening service, otherwise hping3 sends to port 0; --rand-source is commonly added so the SYN-ACKs do not come back to the attacker):
    hping3 -S -V --flood <target ip>

Using msfconsole: use auxiliary/dos/tcp/synflood, then set RHOSTS (RHOST in older releases) and run.

Page 13: Attacks and their mitigations

PREVENTION TECHNIQUES AGAINST SYN FLOOD ATTACK

• Use of a firewall (rate-limit SYNs per source, or let a stateful device in front of the server complete the handshake on its behalf).
• Enabling SYN cookies. SYN cookies prevent an attacker from filling up your SYN queue and making your services unreachable to legitimate users: once the backlog is full the server stops storing half-open state and instead encodes the connection details into the SYN-ACK sequence number, allocating state only when a valid final ACK (cookie + 1) comes back.

On Linux, these are some settings you can use to enable and set up SYN cookies efficiently (the slide's second line was missing its redirect):

• echo 1 > /proc/sys/net/ipv4/tcp_syncookies
• echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
• echo 3 > /proc/sys/net/ipv4/tcp_synack_retries

To keep them across reboots put the equivalent keys in /etc/sysctl.conf (net.ipv4.tcp_syncookies = 1, net.ipv4.tcp_max_syn_backlog = 2048, net.ipv4.tcp_synack_retries = 3). Lowering tcp_synack_retries shortens how long each half-open entry occupies the backlog.
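To make the mechanism concrete, here is an added example (not code from the slides or from the Linux kernel) of a Bernstein-style SYN cookie in pure Python: a 5-bit coarse timestamp, a 3-bit MSS class and a 24-bit keyed hash of the 4-tuple are packed into the 32-bit initial sequence number, and the server validates the final ACK without having stored anything. The secret key, the MSS table and the 10.0.0.x / 192.0.2.x addresses are constructed for the demo; the real kernel implementation differs in details but has the same shape.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: a real stack draws this from the kernel RNG at boot
# and rotates it; never hard-code one in production.
SECRET = b"constructed-demo-secret"

# MSS classes recoverable from the 3-bit field; there is no room for the exact MSS.
MSS_TABLE = [536, 1300, 1440, 1460]

MASK32 = 0xFFFFFFFF


def _t(now):
    """5-bit coarse timestamp: one tick every 64 seconds, wraps every ~34 minutes."""
    return int(now // 64) & 0x1F


def _hash24(saddr, daddr, sport, dport, t):
    """24-bit keyed hash over the 4-tuple and the timestamp tick."""
    msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def _mss_index(mss):
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if mss >= v:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, mss, now):
    """ISN for the SYN-ACK: top 5 bits = t, next 3 bits = MSS class, low 24 = hash.
    The server stores nothing for this half-open connection."""
    t = _t(now)
    h = _hash24(saddr, daddr, sport, dport, t)
    return ((t << 27) | (_mss_index(mss) << 24) | h) & MASK32


def check_cookie(saddr, daddr, sport, dport, ack, now, max_age=2):
    """Validate the final ACK of the handshake. Returns the client's MSS class if
    ack-1 is a cookie issued within max_age ticks for this 4-tuple, else None."""
    cookie = (ack - 1) & MASK32
    t = cookie >> 27
    m = (cookie >> 24) & 0x7
    if ((_t(now) - t) & 0x1F) > max_age:
        return None                     # too old (or wrapped around)
    if (cookie & 0xFFFFFF) != _hash24(saddr, daddr, sport, dport, t):
        return None                     # forged, or wrong 4-tuple, or key rotated
    return MSS_TABLE[m]


def simulate(now):
    """Flood of spoofed half-open SYNs followed by one legitimate client.
    Returns (half-open entries stored, MSS recovered for the legitimate client)."""
    half_open = {}                      # with cookies this never grows
    srv = bytes([10, 0, 0, 1])
    for i in range(10000):              # 10,000 spoofed sources, one SYN each
        src = struct.pack("!I", 0xC0000200 + i)
        make_cookie(src, srv, 40000 + (i % 20000), 80, 1460, now)
    cli = bytes([10, 0, 0, 5])          # legitimate client completes the handshake
    isn = make_cookie(cli, srv, 51234, 80, 1460, now)
    mss = check_cookie(cli, srv, 51234, 80, (isn + 1) & MASK32, now + 5)
    return len(half_open), mss


if __name__ == "__main__":
    print(simulate(time.time()))
```

The cost of the scheme is visible in the code: TCP options that do not fit in the cookie (window scaling, SACK) are lost unless the client sends timestamps, which is why Linux only switches to cookies once the backlog is actually full.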

Page 14: Attacks and their mitigations

ICMP FLOOD ATTACK

An ICMP flood typically occurs when ICMP echo requests overload the victim with so many requests that it expends all its resources responding, until it can no longer process valid network traffic.

Command for ICMP flooding using hping3:
    hping3 -1 --flood 192.168.0.101

Page 15: Attacks and their mitigations

PROTECTION AGAINST ICMP FLOOD ATTACKS

• Use a firewall.
• Setting up your own server: in an ICMP/ping flood you can set up your server to ignore pings, so an attack will be only half effective, as your server won't consume bandwidth replying to the thousands of pings it is receiving. You can do that by running:
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  and, to make it persistent, add this line to /etc/sysctl.conf:
    net.ipv4.icmp_echo_ignore_all = 1
  Ignoring echo entirely also breaks monitoring that relies on ping; rate-limiting echo requests instead (for example iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT followed by a DROP rule for the rest) is the usual compromise.
• Enabling ICMP flood protection by setting the ICMP flood threshold value, here on a Juniper SRX screen (1000 packets per second):
    [edit]
    user@host# set security screen ids-option 1000-icmp-flood icmp flood threshold 1000
  The screen only takes effect once it is bound to a zone, e.g. set security zones security-zone untrust screen 1000-icmp-flood.

Page 16: Attacks and their mitigations

SMURF ATTACK

Send an ICMP echo request with a spoofed IP source address (the victim's) to the broadcast address of a LAN, which will deliver it to all hosts on the LAN.

Each host will send a reply packet to the spoofed IP address, so the victim receives one reply per host for every packet the attacker sent, leading to denial of service.

Command using hping3 (the spoofed source is the victim, the destination is the directed-broadcast address of the amplifier network):
    hping3 --icmp --spoof <target ip> <broadcast ip> --flood

Caveat: this only works against networks whose routers still forward directed broadcasts; disabling them has been the default on Cisco IOS since 12.0, so the amplifier part of the attack fails on most modern networks.

Page 17: Attacks and their mitigations

PROTECTION AGAINST SMURF ATTACK

How to prevent your network from being the source of the attack:

• Apply filters to each customer network. Ingress: allow only those packets with source addresses within the customer's assigned netblocks.
• Apply filters to your upstreams. Egress: allow only those packets with source addresses within your netblocks, to protect others. Ingress: deny those packets with source addresses within your netblocks, to protect yourself.
• Disable directed broadcasts on your routers (no ip directed-broadcast on Cisco IOS, RFC 2644) so your LAN cannot be used as the amplifier.

This also prevents other forms of spoofed-source attack as well; the filtering rules are what RFC 2827 / BCP 38 prescribe.

Page 18: Attacks and their mitigations

ARP POISONING & IP SPOOFING (MITM) ATTACK

A Man-In-The-Middle (MITM) attack is achieved when an attacker poisons the ARP caches of two devices with the (48-bit) MAC address of the attacker's own Ethernet NIC (Network Interface Card): each victim is told that the other's IP address maps to the attacker's MAC. Once the ARP caches have been successfully poisoned, each victim device sends all its packets for the other device to the attacker, who forwards them on so that neither side notices. This puts the attacker in the middle of the communications path between the two victim devices; hence the name Man-In-The-Middle (MITM) attack. It allows the attacker to easily monitor, and also modify, all communication between the victim devices.

Page 19: Attacks and their mitigations

ARP POISONING & IP SPOOFING (MITM) ATTACK

STEPS
• Start Ettercap
• Select unified sniffing
• Scan for hosts
• Select target 1 and target 2 from the host list
• Then start ARP poisoning and sniff
• See the packets using Wireshark
• Before closing Ettercap, stop the MITM attack (so the victims' ARP caches are restored)
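As an added example (not part of the slides, and not Ettercap's or arpwatch's code), here is a passive detector that would flag the poisoning run above from the wire. It parses raw Ethernet/ARP frames, learns IP-to-MAC bindings and alerts on the three symptoms of the attack: a binding that changes, one MAC claiming several IPs, and an Ethernet source that disagrees with the ARP sender field. The frames, MAC addresses and 192.168.0.x hosts are constructed inline with struct; on a real network you would feed it frames from a capture.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Ethernet II + ARP (42 bytes), the same layout Scapy's Ether()/ARP() produces."""
    eth = _mac(eth_dst) + _mac(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac(sha), _ip(spa), _mac(tha), _ip(tpa))
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields as a dict, or None for non-ARP or truncated frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac_str(frame[6:12]), "op": op,
            "sha": _mac_str(sha), "spa": _ip_str(spa),
            "tha": _mac_str(tha), "tpa": _ip_str(tpa)}


class ArpWatcher:
    """Learns IP->MAC bindings from ARP traffic and reports poisoning symptoms."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = {}

    def feed(self, frame):
        alerts = []
        a = parse_arp_frame(frame)
        if a is None:
            return alerts
        ip, mac = a["spa"], a["sha"]
        # 1. Ethernet source and ARP sender hardware address should agree.
        if a["eth_src"] != mac:
            alerts.append(f"eth src {a['eth_src']} != ARP sha {mac} for {ip}")
        # 2. A known IP suddenly answering from another MAC: the classic sign.
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{ip} changed from {old} to {mac}")
        self.ip_to_mac[ip] = mac
        # 3. One MAC claiming several IPs (attacker posing as gateway AND victim).
        ips = self.mac_to_ips.setdefault(mac, set())
        ips.add(ip)
        if len(ips) > 1:
            alerts.append(f"{mac} claims {sorted(ips)}")
        return alerts


# Constructed hosts: gateway, victim and the attacker running Ettercap.
GW_MAC, VICTIM_MAC, ATTACKER_MAC = "00:11:22:33:44:01", "00:11:22:33:44:65", "de:ad:be:ef:00:01"


def demo():
    """Replays a normal ARP exchange followed by Ettercap-style unsolicited replies."""
    w = ArpWatcher()
    frames = [
        build_arp_frame(GW_MAC, "ff:ff:ff:ff:ff:ff", ARP_REQUEST, GW_MAC, "192.168.0.1",
                        "00:00:00:00:00:00", "192.168.0.101"),
        build_arp_frame(VICTIM_MAC, GW_MAC, ARP_REPLY, VICTIM_MAC, "192.168.0.101",
                        GW_MAC, "192.168.0.1"),
        # poisoning: "192.168.0.1 is at attacker" to the victim, and vice versa
        build_arp_frame(ATTACKER_MAC, VICTIM_MAC, ARP_REPLY, ATTACKER_MAC, "192.168.0.1",
                        VICTIM_MAC, "192.168.0.101"),
        build_arp_frame(ATTACKER_MAC, GW_MAC, ARP_REPLY, ATTACKER_MAC, "192.168.0.101",
                        GW_MAC, "192.168.0.1"),
    ]
    return [w.feed(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(demo()):
        print(i, alerts or "ok")
```

Rule 3 will also fire for legitimate hosts with several addresses, so treat it as corroboration for rule 2 rather than an alert on its own.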

Page 20: Attacks and their mitigations

PREVENTION AGAINST ARP POISONING & IP SPOOFING ATTACK

• Use of private VLANs; on managed switches, Dynamic ARP Inspection with DHCP snooping (or static ARP entries for the gateway) stops forged ARP replies at the access port.

To prevent IP spoofing in your network, the following are some common practices:

1. Avoid using source-address authentication. Implement cryptographic authentication system-wide.

2. Configure your network to reject packets from the Internet that claim to originate from a local address.

3. Implement ingress and egress filtering on the border routers, and implement an ACL (access control list) that blocks private IP addresses on your downstream interface.

If you allow outside connections from trusted hosts, enable encrypted sessions at the router.

Page 21: Attacks and their mitigations

FILTERING

(Diagram: the Internet on one side, a router/firewall with an IDS, and the internal network 10.10.10.0 with host B behind it.)

Rule on the Internet-facing interface (ingress):
    if src_addr is from 10.10.0.0 then drop else forward

Rule on the internal interface (egress):
    if src_addr is from 10.10.0.0 then forward else drop
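The two rules above, the smurf ingress/egress filters on Page 17 and practice 3 on Page 20 are all the same BCP 38 idea. Here is an added example (not from the slides) that applies them in Python to a few constructed packets seen at the border router, including the two smurf cases: a directed broadcast arriving from outside (we would be the amplifier) and a spoofed-source packet leaving from inside (we would be the source). The netblocks, the bogon list and the interface names "outside"/"inside" are assumptions for the demo; in production these rules live in router ACLs, not in Python.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "iface src dst")

# Constructed topology matching the slide: our aggregate is 10.10.0.0/16 and the
# LAN behind the firewall is 10.10.10.0/24.
OUR_NETS = [ipaddress.ip_network("10.10.0.0/16")]
INTERNAL_SUBNETS = [ipaddress.ip_network("10.10.10.0/24")]
# Sources that should never appear on an Internet-facing interface.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16")]


def _in(addr, nets):
    return any(addr in n for n in nets)


def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of our LANs (smurf amplifier)."""
    return any(dst == n.broadcast_address for n in INTERNAL_SUBNETS)


def verdict(pkt):
    """('forward' | 'drop', reason) for one packet seen on the border router."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.iface == "outside":
        # Ingress from the upstream: our own addresses cannot legitimately arrive here.
        if _in(src, OUR_NETS):
            return ("drop", "spoofed: claims our netblock from outside")
        if _in(src, BOGONS):
            return ("drop", "bogon source")
        # Never forward to a subnet broadcast address (no ip directed-broadcast).
        if is_directed_broadcast(dst):
            return ("drop", "directed broadcast (smurf amplifier)")
        return ("forward", "ingress ok")
    if pkt.iface == "inside":
        # Egress toward the upstream: only our own sources may leave, so a host
        # here cannot be the source of a spoofed smurf/reflector attack.
        if not _in(src, OUR_NETS):
            return ("drop", "egress: source not in our netblocks")
        return ("forward", "egress ok")
    raise ValueError(f"unknown interface {pkt.iface!r}")


def run(packets):
    return [verdict(p) for p in packets]


# Constructed sample traffic.
SAMPLE = [
    Packet("outside", "203.0.113.9", "10.10.10.7"),     # normal inbound
    Packet("outside", "10.10.10.5", "10.10.10.7"),      # spoofed internal source
    Packet("outside", "203.0.113.9", "10.10.10.255"),   # smurf: we would amplify
    Packet("inside", "10.10.10.5", "203.0.113.9"),      # normal outbound
    Packet("inside", "198.51.100.1", "203.0.113.9"),    # smurf: we would be the source
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, run(SAMPLE)):
        print(p, "->", v)
```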

Page 22: Attacks and their mitigations

TCP SESSION HIJACKING

TCP session hijacking is when an attacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the attacker to gain access to a machine without credentials: any segment carrying the right addresses and ports and an in-window sequence number is accepted as part of the session.

Categories of TCP Session Hijacking

Based on how the attacker obtains the sequence numbers there are two types of TCP hijacking:

• Man-in-the-middle (MITM): the attacker is on the path (for example after ARP poisoning) and reads the sequence and acknowledgement numbers directly from the traffic.

• Blind hijack: the attacker cannot see the traffic and must predict the sequence numbers; randomised initial sequence numbers (RFC 6528) make this impractical against modern stacks, although the receive window still gives a guesser tens of thousands of acceptable values out of 2^32.
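As an added example (not from the slides) of the arithmetic both categories hinge on, in pure Python with constructed 10.0.0.x addresses: the MITM case parses an observed client-to-server segment and forges the next one with the correct sequence and acknowledgement numbers and a valid checksum; the blind case is the RFC 793 acceptance test, which shows why a guesser only needs to land somewhere in the receive window rather than on the exact number. Nothing here is sent on the wire; the bytes are built and parsed in memory.

```python
import struct

MASK32 = 0xFFFFFFFF
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def _checksum(data):
    """Internet checksum (RFC 1071) over data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload, window=65535):
    """Raw IPv4 + TCP segment (no options) with correct IP and TCP checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags,
                      window, 0, 0) + payload
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ipv4_tcp(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4
    return {"src": pkt[12:16], "dst": pkt[16:20], "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": off_flags & 0x1FF, "win": win,
            "payload": tcp[doff:]}


def tcp_checksum_ok(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, 6, len(tcp))
    return _checksum(pseudo + tcp) == 0


def injection_numbers(seg):
    """(seq, ack) a forged segment in the same direction must carry to be the
    very next in-order data after the observed segment."""
    advance = len(seg["payload"]) + bool(seg["flags"] & SYN) + bool(seg["flags"] & FIN)
    return (seg["seq"] + advance) & MASK32, seg["ack"]


def in_window(seg_seq, seg_len, rcv_nxt, rcv_wnd):
    """RFC 793 acceptance test: the receiver takes any segment overlapping
    [RCV.NXT, RCV.NXT + RCV.WND), which is the target of a blind guesser."""
    def inside(x):
        return ((x - rcv_nxt) & MASK32) < rcv_wnd
    if seg_len == 0:
        return inside(seg_seq) if rcv_wnd else seg_seq == rcv_nxt
    return inside(seg_seq) or inside((seg_seq + seg_len - 1) & MASK32)


def forge_next(observed, payload):
    """MITM case: having seen `observed` (client->server), forge the next
    client->server segment carrying `payload`."""
    seg = parse_ipv4_tcp(observed)
    seq, ack = injection_numbers(seg)
    return build_ipv4_tcp(seg["src"], seg["dst"], seg["sport"], seg["dport"],
                          seq, ack, PSH | ACK, payload, seg["win"])


if __name__ == "__main__":
    client, server = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])
    seen = build_ipv4_tcp(client, server, 40000, 23, 1000, 5000, PSH | ACK, b"ls\n")
    print(parse_ipv4_tcp(forge_next(seen, b"id\n")))
```

Once the forged segment is accepted the real client falls out of sync (its next segment now looks like a retransmission), which is the "ACK storm" Ettercap-style tools have to manage; the example stops at the single injected segment.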

Page 23: Attacks and their mitigations

PREVENT SESSION HIJACKING

• Require the use of SSL/TLS encryption on all pages of your website, or at least those pages that are used to transmit cookies; mark session cookies Secure, so the browser never sends them over plain HTTP.

• Ensure your wireless network uses WPA2 (or newer) encryption; the original WPA with TKIP is deprecated.

• Provide a VPN to your users when they are away from the office.

• Be very careful with your organization's social networking accounts; only grant access to a small number of well-trained personnel.

Page 24: Attacks and their mitigations

REFLECTOR ATTACK

(Diagram.) The sender emits an IP-spoofed packet with src: victim, dst: reflector. The reflector answers with a reply packet, src: reflector, dst: victim. At the victim: "Oops, a lot of replies without any request..."

Command using hping3 (the first address is the spoofed source, i.e. the victim; the second is the reflector):
    hping3 -1 --spoof 192.168.0.104 192.168.0.101 --flood

Using Scapy:
    send(IP(src="victim ip", dst="reflector ip")/ICMP())

Page 25: Attacks and their mitigations

IP FRAGMENTATION ATTACK

IP fragmentation is the process of breaking a single Internet Protocol (IP) datagram into multiple packets of smaller size; an IP fragmentation attack abuses this to avoid detection by network-based Intrusion Detection Systems (IDSs) and firewalls.

IP allows packets to be broken down into fragments for transport across media with different MTUs.

The TCP segment (including its header) is carried in the IP packet, so only the first fragment carries the TCP header. One type of IP fragmentation attack is the TINY FRAGMENT ATTACK (RFC 1858). The tiny fragment attack is designed to fool a firewall or packet filter by creating an initial fragment that is very small. Because fragment offsets are counted in 8-byte units, the smallest first fragment carries only the first 8 bytes of the TCP header: the ports and the sequence number, but not the flags field a filter uses to recognise a SYN. (The slide says the port number is missing; strictly it is the rest of the header, flags included, that follows in the second fragment.)

Because the packet filter is looking at the TCP header to make filtering decisions, it may allow the tiny initial fragment to pass through. It may also allow the second fragment (which includes the rest of the TCP header) through, since non-first fragments are normally not inspected. Furthermore, an IDS may not reassemble the fragments properly and therefore may not notice the attack.

Page 26: Attacks and their mitigations

TINY FRAGMENT ATTACK (diagram slides; the images are not in the transcript)


Page 28: Attacks and their mitigations

PREVENTING IP FRAGMENT ATTACK

Prevention of the tiny fragment attack: in a router, one can prevent this sort of attack by enforcing certain limits on fragments passing through, namely that the first fragment be large enough to contain all the necessary header information. There are two ways to guarantee that the first fragment of a "passed" packet includes all the required fields, one direct, the other indirect (both from RFC 1858):

• Direct: drop any TCP fragment with fragment offset 0 whose transport part is shorter than a minimum (RFC 1858 suggests 16 bytes, enough to include the flags).

• Indirect: drop any TCP fragment with fragment offset 1. Such a fragment can only exist if the first fragment was 8 bytes long, so dropping it makes the tiny first fragment useless; this also defeats the overlapping-fragment variant, where a second fragment rewrites header bytes of the first.

Modern firewalls and IDSs additionally reassemble fragments before inspecting them, which removes the problem at its root.
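Both RFC 1858 rules are short enough to show in full. The following is an added example (not from the slides or from any router's code) that builds IPv4 fragments inline with struct (the 10.0.0.x addresses and the fragment contents are constructed) and applies the direct and indirect checks to them, passing normal fragments and non-TCP traffic through.

```python
import struct

IP_MF = 0x2000            # "more fragments" flag
IP_OFFSET_MASK = 0x1FFF   # fragment offset, in 8-byte units
PROTO_TCP, PROTO_UDP = 6, 17
TMIN = 16                 # RFC 1858: TCP header bytes a first fragment must carry


def build_fragment(proto, offset_units, more, transport_bytes,
                   src=bytes([10, 0, 0, 5]), dst=bytes([10, 0, 0, 1])):
    """Constructed IPv4 fragment: 20-byte header (checksum left zero) + payload."""
    total = 20 + len(transport_bytes)
    flags_frag = (IP_MF if more else 0) | (offset_units & IP_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, flags_frag,
                      64, proto, 0, src, dst)
    return hdr + transport_bytes


def fragment_verdict(pkt):
    """('pass' | 'drop', reason) for one fragment, per RFC 1858 sections 3.1 and 3.2."""
    ihl = (pkt[0] & 0x0F) * 4
    total, _ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    proto = pkt[9]
    offset = flags_frag & IP_OFFSET_MASK
    transport_len = total - ihl
    if proto != PROTO_TCP:
        return ("pass", "not TCP: RFC 1858 rules apply to TCP")
    # Direct method: a first fragment must carry enough TCP header to filter on.
    if offset == 0 and transport_len < TMIN:
        return ("drop", f"tiny first fragment: {transport_len} transport bytes < {TMIN}")
    # Indirect method: offset 1 (8 bytes) can only follow an 8-byte first fragment,
    # which cannot hold a full TCP header; this also kills the overlap variant.
    if offset == 1:
        return ("drop", "fragment offset 1: completes or overwrites a split TCP header")
    return ("pass", "ok")


def tiny_fragment_attack():
    """The attack's two fragments: 8 bytes of TCP header, then the rest."""
    tcp_header = bytes(20)                       # constructed stand-in for a TCP header
    first = build_fragment(PROTO_TCP, 0, True, tcp_header[:8])
    second = build_fragment(PROTO_TCP, 1, False, tcp_header[8:])
    return first, second


if __name__ == "__main__":
    for frag in tiny_fragment_attack():
        print(fragment_verdict(frag))
```

The direct rule alone is enough for a filter that sees every fragment; the indirect rule matters on a router that may only see the second fragment of a pair, or that wants to defeat overlapping fragments without keeping reassembly state.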

Page 29: Attacks and their mitigations

CONCLUSION

BE SECURE

Page 30: Attacks and their mitigations

THANK YOU