Security - 1 Security Peter O’Grady

Dec 31, 2015

Transcript

Security - 1

Security

Peter O’Grady

Security - 2

Network Security Problem

• Data Flow - transmission security
• Network Security - server security
• Malicious code - virus security

Security - 3

The Internet

[Figure: several users connected to one another through the Internet]

• Data moves through a network
• Attacker may try to gain access

Security - 4

“By accessing or altering data, an attacker can steal tangible assets or lead an organization to take actions it would not otherwise take. By merely examining data, an attacker can gain competitive advantage, without the owner of the data being any the wiser.”

Computers at Risk: Safe Computing in the Information Age, National Research Council, 1991

Security - 5

Network Security

• An intruder may be malicious in that they may interfere with the operation of the network, causing operational problems such as deliberately crashing a server.
• Particularly dangerous when they gain access to data on servers.

Security - 6

Example Attack

• Texas A&M
• August 1992
• Several outside intruders
• Captured hundreds of passwords (including some on servers)
• One machine set up as hacker bulletin board to discuss progress without the victim knowing.
• Hackers had developed programs to test for weaknesses.

Security - 7

Transmission Security - Data Flow

The potential security problems in data flow can be thought of as:

• Interruption – stop flow
• Interception – intercept message, for reading – original message continues
• Modification – intercept message and replace with alternative. Send alternative
• Fabrication – send fabricated message

How can each of these be stopped?

Security - 8

Conveying Messages Securely

• Phrases that convey meaning
  – 1:1 coding - has to be pre-determined
  – Difficult to decode
  – Low flexibility
• Character encryption
  – Very flexible
  – Need large number of possible permutations to avoid brute force decryption

Security - 9

Transmission Security

Transmission Security involves three main measures that can be taken to prevent these breaches of security occurring:
– encryption,
– authentication,
– and data integrity.

Security - 10

Encryption

• Task: take regular text and produce encrypted text so that original text cannot be determined easily from the encrypted text.
• Encryption Examples
  – Caesar cipher
  – Enigma encoding machine
• Decryption:
  – Letter usage analysis
  – Complete enumeration
  – Obtaining Key

Security - 11

Encryption

• History of encryption tied to military and diplomatic messages
• If messages are sent by wireless then they can be heard by others
• Governments seek very hard encryption for messages.
• Other governments try hard to decrypt messages.
• Of VERY great importance
• Examples:
  – Midway
  – German Enigma machine

Security - 12

Security - 13

Midway

• December 7 Pearl Harbor
• Japanese had “Purple” cipher machine. US had decoded this (“Magic”)
• Japanese overran much of SE Asia by May 1942
• Japanese 4 large carriers, 3 battleships, 16 submarines for invasion of Midway
• US only had 3 carriers (one damaged) in Pacific
• Messages decoded about Japanese plan. Nimitz rushes all US carriers to Midway.
• US surprises Japanese fleet and sinks 4 Japanese carriers.

Security - 14

“Scouts found the Japanese early in the morning of June 4. Although initial strikes by Midway-based planes were not successful, American carrier-based planes turned the tide. Torpedo bombers became separated from the American dive-bombers and were slaughtered (36 of 42 shot down), but they diverted Japanese defenses just in time for the dive-bombers to arrive; some of them had become lost, and now by luck they found the Japanese. The Japanese carriers were caught while refueling and rearming their planes, making them especially vulnerable. The Americans sank four fleet carriers—the entire strength of the task force….”

http://college.hmco.com/history/readerscomp/mil/html/ml_034100_midwaybattle.htm

Security - 15

Iraq I

“One of the ROCKSTARS (codename for group of agents) next delivered an Iraqi mobile communications device that was supposed to be sent out for repairs. It was the device used by Deputy Prime Minister Tariq Aziz. It had encryption capability and was part of the SSO communications network. A ROCKSTAR agent has swiped it. Tim (a USA agent) had it couriered back to Washington where the National Security Agency was able to exploit it. Soon NSA was listening in to some SSO communications.”

"Plan of Attack", Bob Woodward 2004 p 303

Security - 16

Iraq II

“Ahmad Chalabi, the Iraqi leader and former ally of the Bush administration, disclosed to an Iranian official that the United States had broken the secret communications code of Iran's intelligence service, betraying one of Washington's most valuable sources of information about Iran, according to United States intelligence..”

NY Times, June 2, 2004

Security - 17

Caesar Cipher

• Simple coding that replaces letter by one n places further along the alphabet.
• If n=2 then, for example, all occurrences of a are replaced by c.
• internet becomes kpvgtpgv
• Easy to decode (26 possible keys) especially using letter usage analysis (e.g. e is most frequently used letter in English)

Security - 18

Improving Caesar Cipher

• Cipher where n is variable would be stronger
  – n varies with letter - i.e. one to one mapping between letters
  – Can decipher using letter usage analysis
  – mapping that varies over time/usage would be better - example is the German Enigma machine of WWII.

Security - 19

Enigma encoding machine

• On successive keystrokes the wheels moved so that the encoding was different for each keystroke.
• The wheels could be set by the users and the same settings had to be used at both ends of the transmission.
• With five wheels, each with 26 pins, the number of different substitution alphabets is 26^5 (which equals 11,881,376).

Security - 20

Security - 21

Security - 22

Enigma in use

[Photograph: Gen. Guderian, 1943]

Security - 23

Enigma Coding Machine

• 11,881,376 possible permutations was thought to be impregnable.
• Illustrated key points on encryption:
  – Same key at both ends (single key) - wheel positions
  – Number of permutations as high as possible to defeat complete enumeration
  – Varying characteristics of encoding to defeat letter usage analysis
• Now need much larger number of permutations to avoid eavesdroppers.

Security - 24

Transmission Security - Main Elements

• Single Key Encryption
• Dual Key Encryption
• Message Digest (often 128 bit)
• Certificate - containing subject's public key and encrypted using certificate authority's private key
• We’ll go through each of these and see how they apply

Security - 25

[Figure: Plaintext → Encryption algorithm → Ciphertext → Decryption algorithm → Plaintext; shared key]

Simplified Model of Conventional Single Key Encryption (Stallings, 1995)

Security - 26

[Figure labels: Message source, Encrypter, Decrypter, Destination, Key source, Secure channel, Cryptanalyst; signals X, Y and K]

Model of Conventional Single Key Encryption (Stallings, 1995)

Security - 27

Single Key Encryption

Input
• plaintext X = [X1, X2, X3, …, XM]
• K = [K1, K2, …, KJ]

Output
• ciphertext Y = [Y1, Y2, …, YN]

Security - 28

Single Key Decryption

Input
• ciphertext Y = [Y1, Y2, …, YN]
• K = [K1, K2, …, KJ]

Output
• plaintext X = [X1, X2, X3, …, XM]

Security - 29

Single Key

• The general methods for decrypting are based on enumerating the possible key settings.
• Historically single key most common.
• Both ends have key.
• Example is Data Encryption Standard (DES) from NIST.
• DES takes 64 bits of message and uses 56 bit length key.
• 56 bit length key provides 2^56 (= 7.2 x 10^16) keys

Security - 30

Encryption - Public (or Dual) Key

• Uses two separate, but matched, keys - public and private.
• RECEIVER generates two keys with the public key made available to others.
• TRANSMITTER uses public key to encrypt the message.
• RECEIVER uses private key to decrypt message.
• Can be used for authentication

Security - 31

[Figure: User A: Plaintext → Encryption algorithm (B's public key) → Ciphertext → Decryption algorithm (B's private key) → Plaintext: User B]

Simplified Model of Dual-Key Encryption (Stallings, 1995)

Security - 32

[Figure labels: Source A (Message source, Encrypt), Destination B (Decrypt, Destination, Key-pair source), Cryptanalyst; signals X and Y; keys KUb and KRb]

Dual-Key Encryption (Stallings, 1995)

Security - 33

Dual Key Encryption

Input
• plaintext X = [X1, X2, X3, …, XM]
• KUb

Output
• ciphertext Y = [Y1, Y2, …, YN]

Security - 34

Dual Key Decryption

Input
• ciphertext Y = [Y1, Y2, …, YN]
• KRb

Output
• plaintext X = [X1, X2, X3, …, XM]

Security - 35

Dual-Key Encryption

Most Internet data that is very sensitive is now encrypted using this dual key system (using the RCA or IDEA algorithms) with a key length of 128 bits (in North America) and 40 bits elsewhere.

Security - 36

Dual-Key Encryption

• The 128 bit key provides for 2^128 (= 3.4 x 10^38) different keys while the 40 bit key provides for 2^40 (approximately 10^12) different keys. Each is therefore secure from all but the most determined eavesdropper.
• Dual Key Encryption is more computing intensive than single key so is only used to start communications

Security - 37

Authentication

• Is the process of checking that the sender of data is in fact who they claim to be.
• This is not as simple as it first appears.
  – an intruder can copy all of the packet information, perhaps also altering some of the data, and then re-transmitting it as if it had come from the original source.

Security - 38

[Figure labels: Source A (Message source, Encrypt, Key-pair source), Destination B (Decrypt, Destination), Cryptanalyst; signals X and Y; keys KRa and KUa]

Authentication Using Dual-Key Encryption (Stallings, 1995)

Security - 39

Dual Key Authentication (encrypt)

Input
• plaintext X = [X1, X2, X3, …, XM]
• KRa

Output
• ciphertext Y = [Y1, Y2, …, YN]

Security - 40

Dual Key Authentication (decrypt)

Input
• ciphertext Y = [Y1, Y2, …, YN]
• KUa

Output
• plaintext X = [X1, X2, X3, …, XM]

Security - 41

Digital Signature

This mode of operation has been formulated into what is termed the Secure Sockets Layer (SSL) which uses an independent Certification Authority (CA) to issue a digital certificate. The digital certificate contains the name of the server and the public key, as well as a digital signature

Security - 42

Certificate:
  Data:
    Version: 0 (0x0)
    Serial Number: 02:41:00:00:01
    Signature Algorithm: MD2 digest with RSA Encryption
    Issuer: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
    Validity:
      Not Before: Wed Nov 9 15:54:17 1994
      Not After: Fri Dec 31 15:54:17 1999
    Subject: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
    Subject Public Key Info:
      Public Key Algorithm: RSA Encryption
      Public Key:
        Modulus:
          00:92:ce:7a:c1:ae:83:3e:5a:aa:89:83:57:ac:25:
          01:76:0c:ad:ae:8e:2c:37:ce:eb:35:78:64:54:03:
          e5:84:40:51:c9:bf:8f:08:e2:8a:82:08:d2:16:86:
          37:55:e9:b1:21:02:ad:76:68:81:9a:05:a2:4b:c9:
          4b:25:66:22:56:6c:88:07:8f:f7:81:59:6d:84:07:
          65:70:13:71:76:3e:9b:77:4c:e3:50:89:56:98:48:
          b9:1d:a7:29:1a:13:2e:4a:11:59:9c:1e:15:d5:49:
          54:2c:73:3a:69:82:b1:97:39:9c:6d:70:67:48:e5:
          dd:2d:d6:c8:1e:7b
        Exponent: 65537 (0x10001)
  Signature Algorithm: MD2 digest with RSA Encryption
  Signature:
    88:d1:d1:79:21:ce:e2:8b:e8:f8:c1:7d:34:53:3f:61:83:d9:
    b6:0b:38:17:b6:e8:be:21:8d:8f:00:b8:8b:53:7e:44:67:1e:
    22:bd:97:27:e0:9c:85:cc:4a:f6:85:3b:b2:e2:be:92:d3:e5:
    0d:e9:af:5c:0e:0c:46:95:ff:a1:1c:5e:3e:e8:36:58:7a:73:
    a6:0a:f8:22:11:6b:c3:09:38:7e:26:bb:73:ef:00:bd:02:a4:
    f3:14:0d:30:3f:61:70:7b:20:fe:32:a3:9f:b3:f4:67:52:dc:
    b4:ee:84:8c:96:36:20:de:81:08:83:71:21:8a:0f:9e:a9

Example Certificate (RSA Secure Server Certification Authority)

Security - 43

Security - 44

Digital Signature Procedure

• The client sends a request to connect to the secure server
• The server generates a public and private key and then sends a signed digital certificate with the public key.
• The client uses the public key from the server to decrypt the message and authenticate the server.

Security - 45

Authentication and Encryption

• It should be noted that this authentication process does not prevent eavesdropping.
• What is often used to prevent this is a double encryption procedure that provides both authentication and message encryption.

Security - 46

Authentication and Encryption (Encrypt)

Input
• plaintext X = [X1, X2, X3, …, XM]
• KUb(KRa)

Output
• ciphertext Y = [Y1, Y2, …, YN]

Security - 47

Authentication and Encryption (Decrypt)

Input
• ciphertext Y = [Y1, Y2, …, YN]
• KUa(KRb)

Output
• plaintext X = [X1, X2, X3, …, XM]
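
The three dual-key modes from the preceding slides (encryption with KUb, authentication with KRa, and the combined KUb(KRa) form) worked through on toy numbers, as an added example that is not part of the original slides. It assumes textbook RSA with tiny constructed primes and no padding as the dual-key algorithm, which is for showing the key roles only; the function names and the intruder key pair KUi/KRi are hypothetical.

```python
# Toy textbook RSA: tiny constructed primes, no padding, one byte per block.
# It shows which key is used where; it offers no real security.

def make_keypair(p, q, e=65537):
    """Return (public, private) keys built from the primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # private exponent: e*d = 1 (mod phi)
    return (e, n), (d, n)


def apply_key(key, block):
    """Apply a public or private key to one block (modular exponentiation)."""
    exponent, n = key
    if not 0 <= block < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(block, exponent, n)


def transform(X, *keys):
    """Apply the given keys, in order, to every block of X."""
    Y = []
    for x in X:
        for key in keys:
            x = apply_key(key, x)
        Y.append(x)
    return Y


# A's modulus must be smaller than B's so that KRa output fits under KUb.
KUa, KRa = make_keypair(1009, 1013)   # user A, modulus 1022117
KUb, KRb = make_keypair(1019, 1021)   # user B, modulus 1040399
KUi, KRi = make_keypair(997, 1009)    # intruder's own pair, modulus 1005973

X = list(b"internet")                 # plaintext blocks X1..XM


def confidentiality():
    """Dual-key encryption: A encrypts with KUb, only KRb recovers X."""
    Y = transform(X, KUb)
    return Y != X and transform(Y, KRb) == X


def authentication_is_readable_by_anyone():
    """Authentication only: Y = KRa(X) is opened by the public KUa,
    so an eavesdropper reads X as easily as B does."""
    Y = transform(X, KRa)
    return transform(Y, KUa) == X


def authentication_and_encryption():
    """Encrypt with KUb(KRa(X)); decrypt with KUa(KRb(Y))."""
    Y = transform(X, KRa, KUb)
    return transform(Y, KRb, KUa) == X


def forged_sender_is_detected():
    """An intruder without KRa signs with KRi; KUa then yields garbage."""
    Y = transform(X, KRi, KUb)
    return transform(Y, KRb, KUa) != X
```

The modulus ordering in the comment is a property of this toy construction; deployed systems sign a digest and use padding rather than nesting raw exponentiations.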

Security - 48

Data Integrity

• Data Integrity involves ensuring that the message received has not been tampered with.
• A main method used is that of computing a small block of code that is derived from the message and appending this small block of code to the message.

Security - 49

Data Integrity

This code is known as a cryptographic checksum or Message Authentication Code (MAC).

The function that is used to calculate the MAC need be only one way.
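
Why the appended block has to depend on a shared secret key, not just on the message, shown as an added example that is not part of the original slides. HMAC-SHA-256 from the Python standard library is used here as the keyed one-way function; the slides do not name an algorithm, and the key, messages and function names are constructed for the illustration.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size      # 32 bytes appended to the message


def append_digest(message: bytes) -> bytes:
    """Weak variant: append an unkeyed digest, which anyone can recompute."""
    return message + hashlib.sha256(message).digest()


def check_digest(packet: bytes) -> bool:
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(message).digest(), tag)


def append_mac(key: bytes, message: bytes) -> bytes:
    """Append a MAC computed from the message and the shared secret key."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def check_mac(key: bytes, packet: bytes) -> bool:
    if len(packet) < TAG_LEN:
        return False                         # too short to carry a MAC
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def demo():
    key = b"constructed-shared-secret"       # constructed sample key
    original = b"ship 100 units to depot 17"  # constructed sample messages
    altered = b"ship 900 units to depot 66"
    results = {}

    # Unkeyed digest: the receiver accepts the genuine packet, but also a
    # modified one, because the modifier simply recomputes the digest.
    results["digest_accepts_original"] = check_digest(append_digest(original))
    results["digest_accepts_altered"] = check_digest(append_digest(altered))

    # Keyed MAC: the genuine packet verifies.
    packet = append_mac(key, original)
    results["mac_accepts_original"] = check_mac(key, packet)

    # Modification: message replaced in transit, old MAC left in place.
    results["mac_accepts_altered"] = check_mac(key, altered + packet[-TAG_LEN:])

    # Fabrication: a sender who does not hold the key guesses one.
    fabricated = append_mac(b"guessed-key", altered)
    results["mac_accepts_fabricated"] = check_mac(key, fabricated)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```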

Security - 50

SSL Process

A->B hello
B->A Hi, I'm Bob, bobs-certificate (Bob's public key and encrypted using CA private key)
A->B prove it (A has CA public key and hence obtains Bob's public key securely)
B->A Alice, This Is Bob { digest[Alice, This Is Bob] } bobs-private-key
A->B ok bob, here is a secret {secret}bobs-public-key
{some message,MAC}secret-key

Security - 51

Server Security

“Most servers run UNIX, which is notorious for its lack of mainframe-style security features and is a particular favorite of hackers.”
– Network and Internetwork Security, W. Stallings, 1995

“The best safe in the world is worthless if no one remembers to close the door.”
– Computers at Risk: Safe Computing in the Information Age, National Research Council, 1991

Security - 52

Server Security

• Firewall
• Housekeeping

Security - 53

Firewall

A firewall acts as the entry and exit point to an internal network and all traffic to and from the external Internet passes through it.

Can configure to allow/not allow packets of certain type or origin to pass

Security - 54

Housekeeping

• Passwords
• Physically Secure the Servers
• Secure the private keys
• Limit Applications on Servers
• Limit ports on Servers

Security - 55

Passwords (Observed Password Lengths, Spafford (1990))

Length   Number   Fraction of Total
1        55       0.004
2        87       0.006
3        212      0.02
4        449      0.03
5        1260     0.09
6        3035     0.22
7        2917     0.21
8        5772     0.42
Total    13787    1.0

Security - 56

Passwords

Example: Suppose a password is composed of n characters drawn from a set of m characters; then the number of possible permutations will be m^n.

m \ n | 3 | 8
26 {letters (upper case only)} | 17576 | 2.08827E+11
52 {letters (upper case + lower case)} | 140608 | 5.34597E+13
62 {letters (upper case + lower case) + numbers (0,1,2…9)} | 238328 | 2.1834E+14
75 {letters (upper case + lower case) + numbers (0,1,2…9) + symbols ($, *, >, <..)} | 421875 | 1.00113E+15

Usually, the situation is made much worse by the use of familiar names as passwords.

Security - 57

Virus Security

• Logic Bombs
• Trojan Horses
• Trapdoors
• Viruses
• Bacteria
• Worm
• Malicious Components and Programs (primarily ActiveX and Java code)

Security - 58

Virus Security Protection

Enforcing strict checks during program and system development to guard against Logic Bombs and trapdoors.

Installing virus protection software on all computers in the network.

Security - 59

Virus Security Protection

Enforcing network security aspects such as ensuring that passwords be made difficult to guess to prevent intruders or worms.

Restricting downloadable programs particularly those programs that are not constrained by a sandbox e.g. IloveYou virus containing VBScript.

Security - 60

Denial of Service Attacks

Examples include

– attempts to "flood" a network, thereby preventing legitimate network traffic

– attempts to disrupt connections between two machines, thereby preventing access to a service

– attempts to prevent a particular individual from accessing a service

– attempts to disrupt service to a specific system or person

Security - 61

Denial-of-service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating on the network.

An example of this type of attack is the "SYN flood" attack. In this type of attack, the attacker begins the process of establishing a connection to the victim machine, but does it in such a way as to prevent the ultimate completion of the connection. In the meantime, the victim machine has reserved one of a limited number of data structures required to complete the impending connection. The result is that legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections.
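
A small server-side model of the limited table of half-open connections described above, used to show what a defender can measure: which legitimate clients were refused and which source left handshakes unfinished. This is an added example, not part of the original slides; the events, addresses (documentation ranges), backlog size, timeout and function names are constructed.

```python
from collections import Counter

# Constructed sample events as seen by a listening server:
# (time in ms, source address, source port, flag).
# "SYN" opens a connection; "ACK" is the client's final handshake step.
EVENTS = (
    [(0, "192.0.2.10", 40000, "SYN"), (100, "192.0.2.10", 40000, "ACK")]
    + [(1000 + 100 * i, "198.51.100.7", 50000 + i, "SYN") for i in range(6)]
    + [(2000, "192.0.2.11", 40001, "SYN"),
       (5000, "192.0.2.12", 40002, "SYN"),
       (5100, "192.0.2.12", 40002, "ACK")]
)


def replay(events, backlog=4, timeout_ms=3000):
    """Replay handshake events against a table of at most `backlog` entries.

    Returns (completed, refused, abandoned):
      completed  connections whose handshake finished,
      refused    SYNs dropped because the table was full,
      abandoned  per-source count of entries that were never completed.
    """
    half_open = {}                  # (src, sport) -> time the SYN arrived
    completed, refused = [], []
    abandoned = Counter()

    for now, src, sport, flag in sorted(events):
        # Free entries whose handshake was not completed in time.
        for key, started in list(half_open.items()):
            if now - started >= timeout_ms:
                del half_open[key]
                abandoned[key[0]] += 1

        key = (src, sport)
        if flag == "SYN" and key not in half_open:
            if len(half_open) >= backlog:
                refused.append(key)         # table full: connection denied
            else:
                half_open[key] = now        # reserve one data structure
        elif flag == "ACK" and key in half_open:
            del half_open[key]
            completed.append(key)

    for src, _sport in half_open:           # still pending at end of capture
        abandoned[src] += 1
    return completed, refused, abandoned


def suspects(abandoned, threshold=3):
    """Sources that left at least `threshold` handshakes unfinished."""
    return sorted(src for src, count in abandoned.items() if count >= threshold)


if __name__ == "__main__":
    done, denied, unfinished = replay(EVENTS)
    print("completed:", done)
    print("refused:  ", denied)
    print("suspects: ", suspects(unfinished))
```

In the sample, the client at 192.0.2.11 is refused only because four unfinished entries from one source fill the table, and service resumes once those entries time out.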

Security - 62

Other DoS Attacks

Bandwidth Consumption

– An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network.

– The intruder need not be operating from a single machine; he may be able to coordinate or co-opt several machines on different networks to achieve the same effect.