Transcript Introduction - Eastern Illinois University

School of Business
Eastern Illinois University
Review for Exam 4
© Abdou Illia, Fall 2006
School of Business
Eastern Illinois University
Security
Identifying security attacks’ targets

Scanning (Probing)
–
–
–
Ping messages (To know if a potential victim exist)
Supervisory messages (To know if victim available)
Tracert, Traceroute (To know how to get to target)
http://www.netscantools.com/nstpro_netscanner.html
3
Identifying security attacks’ targets

Examining scanning results reveal
 IP addresses
of potential victims
 What
services victims are running; different services
have different weaknesses
 Host’s
operating system, version number, etc.
4
Denial of Service (DoS) attacks
 Types
of DoS attacks:
Flooding DoS
Smurf Flooding DoS
Ping of Death attacks
LAND attacks
Distributed Denial of Service attacks
5
6
Flooding DoS

Send a stream of request messages to the target

Makes the target run very slowly or crash

Objective is to have the target deny service to
legitimate users
Legitimate request
Legitimate user
DoS requests
Server
Legitimate request
Attacker
Legitimate user
http://www.netscantools.com/nstpro_netscanner.html
Smurf Flooding DoS



Attacker uses IP spoofing (false source IP address in
outgoing messages)
Attacker sends ping / echo messages to third party
computers on behalf of the target
All third party computers respond to target
7
Ping of Death attacks

8
Take advantage of
–
–
Fact that TCP/IP allows large packets to be fragmented
Some operating systems inability to handle packets larger than 65
536 bytes

Attacker sends a request message that are larger than
65,536 bytes

Ping of Death are usually single-message DoS attacks

Ping of death attacks are rare today as most operating
systems have been fixed to prevent this type of attack from
occurring
http://insecure.org/sploits/ping-o-death.html
LAND attacks






9
First, appeared in 1997
Attacker uses IP spoofing (false source IP address in outgoing messages)
Attacker sends IP packets where the source and destination address refer
to target itself.
LAND attacks are usually single-message DoS attacks
Back in time, OS and routers were not designed to deal with loopback
Problem resurface recently with Windows XP and Windows 2003 Server
Distributed DoS (DDoS) Attack
10

Attacker hacks into multiple clients and plants Zombie programs on them

Attacker sends commands to Zombie programs which execute the attacks

First appeared in 2000 with Mafiaboy attack against cnn.com, ebay.com,
etrade.com, dell.com, etc.
Attack
Command
DoS Messages
Computer with
Zombie
Server
Attacker
Attack
Command
DoS Messages
Computer with
Zombie
Review Questions
11
What is the difference between DoS and DDoS?
What kinds of tools/techniques could be used during the
scanning process by a hacker?
Are ping of death attacks and LAND attacks all example of
single-message DoS attacks
What kind of techniques or defense systems could be used to
protect a system against (a) intercepting messages, (b) malware
or content attack
What is the difference between a worm, a Trojan horse, and a
logic bomb
What kind of malware could harm a host computer by
consuming processor time and random access memory
Security Goals
 CIA is
12
the key word in implementing
security
– Confidentiality of communications
– Integrity of data
– Availability of network services and
resources
13
Packet Filter Firewall
Corporate Network
The Internet
Permit
Packet
Filter
Firewall
Deny
IP-H
TCP-H Application Message
IP-H
UDP-H Application Message
IP-H
ICMP Message
Arriving Packets
Examines content of IP header, TCP
header, UDP header, and content of
ICMP supervisory messages
Application (Proxy) Firewall

Application firewalls, also known as Proxy firewalls
–

14
Examine Application layer messages to check for illicit
content
Application firewalls and Packet filter firewalls are
complementary
–
In terms of what part of a message they examine.
IP-H
TCP-H Application Message
IP-H
UDP-H Application Message
Intrusion Detection Systems

Software or hardware device that
–
–
Capture network activity data in log files
Generate alarms in case of suspicious activities
15
Review Questions
16
What are the three main security goals?
What parts of incoming messages do packet filter firewalls
examine?
What parts of incoming messages do application firewalls
examine? b) What do they look for?
Answer: (a) Application layer messages, (b) illicit content
What kind of techniques or defense systems could be used to
protect a system against (a) intercepting messages, (b) malware
or content attack
What could an IDS be used for?
Summary Questions

17
Jason sends a message to Kristin using public key encryption. (a) What
key will Jason use to encrypt the message? (b) What key will Kristin
use to decrypt the message? (c) What key will Kristin use to encrypt
the reply? (d) What key will Jason use to decrypt the reply? (e) Can the
message and reply be long messages? Explain.
Answer:
a) Jason will encrypt the message with Kristin’s public key.
b) Kristin will use her own private key to decrypt the message.
c) Kristin will use Jason’s public key to encrypt the reply.
d) Jason will use his own private key to decrypt the reply.
e) No, public key encryption can only encrypt short messages.

Does public key encryption have a problem with secure key exchange
for the public key? Explain.
Answer: There is no problem distributing the public key, because it does
not have to be distributed securely. You can even find companies’
public keys on their website.
Network Management
Summary Questions (Part 1)
19
1) List the main elements in centralized network
management
2) Does the Manager communicate directly with the
managed devices? Explain.
3) Explain the difference between a managed device
and objects.
4) Where is the MIB (database) stored?
Summary Questions (Part 2)
20
1) In Manager-Agent communications, what device
creates commands? Responses? Traps?
2) Explain the two types of commands.
3) What is a trap?