CH4
Why is DoS protection a community problem, not just a problem for individual victim firms to solve?
DoS attacks are community problems that can only be stopped with the help of ISPs and of organizations whose computers are taken over as bots and used to attack other firms. DoS attacks may unintentionally originate from an unsuspecting firm. Working together, firms can stop attacks from leaving their organizations before they even reach their target.
What is a false opening?
A false open occurs when a SYN segment arrives and the firewall itself sends back a SYN/ACK segment without passing the SYN segment on to the target server.
Other than a DoS attack, what could cause a company's web server to crash?
Faulty coding, or referrals from large sites.
Why do hosts send ARP requests?
If a host (gateway) receives a packet addressed to an internal host (10.0.0.1), it sends an ARP request to every host on the LAN asking which of them has that IP address (Step 1). Only the host that has the requested IP address responds; all other hosts ignore the request (Step 2). Thus, hosts use ARP requests to resolve IP addresses into MAC addresses.
Why does all network traffic go through the attacker after poisoning the network?
If the attacker has successfully used spoofed ARP replies to record false entries in the ARP tables of all internal hosts and the gateway, all traffic sent from internal hosts to the gateway will go to the attacker (Step 4). All traffic from the gateway will also go through the attacker and is redirected through his computer as part of a MITM attack (Step 5).
How can information be gathered from encrypted network traffic?
Information transmitted during an SSL session cannot be viewed. However, the sender's IP address, the receiver's IP address, the DNS request to resolve the hostname, the port numbers used, and the quantity of data sent are all visible. Even if the traffic is encrypted, the attacker can still see which sites are visited, how much data is sent or received, and which port numbers are used.
Is eavesdropping usually more of a concern for wired LANs, wireless LANs, or both?
It is a concern in both, but it is a rare concern in wired LANs and a common concern with wireless LANs.
Why would limiting local access prevent DoS attacks?
Limiting local access would prevent ARP DoS attacks because foreign hosts would not be able to send packets to internal hosts.
What has to be introduced to a network for a SLAAC attack to work?
With the physical introduction of a rogue IPv6 router, all internal traffic is automatically rerouted (Step 1). This happens because the rogue router advertises its presence on the network using Router Advertisement (RA) messages over ICMPv6 (Step 2). Hosts receive the RAs and automatically derive their IPv6 address using a process called Stateless Address Auto Configuration (SLAAC).
Does the attacker have to poison the gateway's ARP tables too? Why?
Yes, after the attacker has successfully rerouted host traffic, it needs to reroute the traffic coming to, and from, the gateway. It uses a similar spoofed ARP reply to poison the gateway. The attacker sends a continuous stream of spoofed ARP replies to the gateway telling it that all other internal hosts are at C3-C3-C3-C3-C3-C3 (Step 3).
Could a rogue router direct internal traffic to an outside rogue DNS server? How?
Yes, the rogue router can assign a false DNS server to internal hosts as part of the SLAAC attack. A false DNS server would allow an attacker to redirect all internal traffic to any number of phishing sites.
Can static IP and ARP tables be effectively used in large networks? Why not?
Most organizations are too large, change too quickly, and lack the experience to effectively manage static IP and ARP tables. The workload would be overwhelming.
Would a SLAAC attack work on an existing IPv6 network? Why not?
No, the attack would only work on existing IPv4 networks. If the attack were tried on an existing IPv6 network the network administrator would immediately see conflicts. The network administrator could also assign a specific (legitimate) internal DHCP server (IPv6) to each host.
What is meant by "death of the perimeter"?
The "death of the perimeter" is a phrase used by network administrators to convey the idea that creating a 100 percent secure network is impossible. They argue that it is impractical, if not impossible, to force all information in an organization through a single point in the network.
Why does the attacker have to send a continuous stream of unrequested ARP replies?
The attacker must send a continuous stream of unsolicited ARP replies to all hosts on the LAN. Otherwise, all hosts would quickly resolve the true MAC addresses of all other hosts on the network.
How does the city model relate to secure networking?
The city model has no distinct perimeter, and there are multiple ways of entering the network. As in a real city, who you are determines which buildings you are able to access. In technical terms, this means more internal intrusion detection systems, virtual LANs, central authentication servers, and encrypted internal traffic.
How can the effects of SYN floods be mitigated?
The effects of SYN floods can be mitigated by validating the TCP handshake, rate limiting, or even black-holing.
Where is the heavy authentication work done?
The heavy authentication work is done on a central authentication server, rather than on the switch.
Why is the access threat to WLANs more severe?
The intruder does not even have to enter the building as he or she needs to do in wired LANs. In WLANs, attackers can connect to unprotected (or poorly protected) wireless access points and bypass border router security from outside of the physical premises of the company.
Why is 802.1X called Port-Based Access Control?
802.1X is called port-based access control because security is implemented on specific ports of an Ethernet workgroup switch.
What type of packet is sent in a Smurf flood? Why?
ICMP. The attacker benefits from a multiplier effect because a single ICMP request is responded to by multiple hosts (Step 4).
What is backscatter?
Backscatter occurs when a victim sends responses to the spoofed IP address used by the attacker, and inadvertently floods an unintended victim.
Is black holing an effective defense against DoS attacks? Why?
Black holing an attacker is not a good long-term strategy because attackers can quickly change source IP addresses.
What is black holing?
Black holing is when a firm drops all IP packets from an attacker.
What is a denial-of-service attack?
A DoS attack attempts to make a server or network unavailable to legitimate users. In terms of the general goals discussed earlier, DoS attacks are ways of reducing availability.
Can ARP poisoning be used outside the LAN? Why not?
Typically not. Packets with IP addresses not on that LAN are redirected out of the network. ARP requests are only sent on the LAN.
Describe a SYN flood.
A SYN flood, or half-open TCP attack, happens when the attacker sends a large number of TCP SYN segments to the victim server. Each SYN begins a TCP session opening process on the server. The server sets aside RAM and other resources for the connection. The server then sends back a SYN/ACK segment. The attacker never completes the connection opening by sending a final ACK. As the attacker sends more SYN segments, the victim host keeps setting aside resources until it crashes or refuses to provide any more connections, even to legitimate users.
What is a Smurf flood?
A Smurf flood is a variation of a reflected attack that takes advantage of an incorrectly configured network device (router) to flood a victim. The attacker sends a spoofed ICMP echo request to a network device (Step 1) that has broadcasting enabled to all internal hosts. The network device forwards the echo request to all internal hosts (Step 2). All internal hosts respond to the spoofed ICMP echo request (Step 3) and the victim is flooded.
What is a SLAAC attack?
A Stateless Address Auto Configuration (SLAAC) attack is an attack on the functionality and confidentiality of a network. This attack occurs when a rogue IPv6 router is introduced to an IPv4 network. All traffic is automatically rerouted through the IPv6 router, creating the potential for a MITM attack.
What is the difference between a direct and indirect DoS attack?
A direct attack occurs when an attacker tries to flood a victim with a stream of packets directly from the attacker's computer. An indirect attack tries to flood the victim computer in the same way, but the attacker's IP address is spoofed (i.e., faked) and the attack appears to come from another computer.
What types of packets can be sent as part of a DoS attack?
A few of the types of packets that could be sent in a DoS attack include SYN, ICMP, and HTTP.
How does a P2P redirect attack work?
A peer-to-peer (P2P) redirect attack uses many hosts to overwhelm a victim using normal P2P traffic (Figure 4-7, Step 1). A P2P redirect attack differs from a traditional DDoS attack in several ways. The attacker does not have to control each of the hosts (i.e., make them bots) used to attack the victim. The attacker just needs to convince the hosts to redirect their legitimate P2P traffic (Step 2) from the P2P server to the victim (Step 3).
How does a reflected attack work?
A reflected attack uses responses from legitimate services to flood a victim. The attacker sends spoofed requests to existing legitimate servers (Step 1). Servers then send all responses to the victim (Step 2). There is no redirection of traffic.
How can static IP and ARP tables be used to prevent ARP poisoning?
ARP poisoning can be prevented by using static IP tables and static ARP tables. Static ARP tables are manually set and cannot be dynamically updated using ARP. Each computer has a known static IP address that does not change. All hosts on the LAN know which IP address is assigned to each MAC address (host).
Explain ARP poisoning.
ARP poisoning can be used to reroute traffic for a MITM attack by sending unsolicited false ARP replies to all other hosts. An attacker can force hosts to erroneously mismatch MAC addresses and IP addresses. Essentially, the attacker can reroute all internal traffic as desired.
How could an attacker use ARP spoofing to manipulate host ARP tables?
ARP requests and replies do not require authentication or verification. All hosts trust all ARP replies. Spoofed ARP replies are broadcast to other hosts on the LAN. This allows an attacker to manipulate ARP tables on all LAN hosts.
What is ARP spoofing?
ARP spoofing uses false ARP replies to map any IP address to any MAC address. Spoofed ARP replies can be broadcast to other hosts on the LAN.
Why do hosts use ARP?
Address Resolution Protocol (ARP) is used to resolve 32-bit IP addresses (e.g., 55.91.56.21) into 48-bit local MAC addresses (e.g., 01-1C-23-0E-1D-41). Hosts on the same network must know each other's MAC addresses before they can send and receive packets using IP addresses. Hosts build ARP tables by sending ARP requests and replies to each other.
What is the main access threat to 802.11 wireless LANs?
An intruder can connect by radio to an unprotected wireless access point.
Is a slow degradation of service worse than a total stoppage? Why?
An attack that slowly degrades services is more difficult to detect because there isn't an abrupt change in service quality. Network administrators cannot see a clear distinction between genuine growth in network traffic and a progressive DoS attack. They may be forced into unnecessary capital expenditures for additional bandwidth, hardware, and software.
How could a malformed packet cause a host to crash?
An attacker could send a malformed packet that will cause the victim to crash. For example, ping of death is a well-known older attack that uses an illegally large IP packet to crash the victim's operating system.
How does a DDoS attack work?
DDoS attacks are the most common form of DoS attack that uses intermediaries to attack the victim. First, the attacker's identity can be hidden behind layers of bots that directly attack the victim. Second, the ability to control thousands of bots can give the attacker the resources needed to overwhelm the victim.
Give an example of how new technology has made networks less secure.
For example, newer cell phones have the ability to allow wireless laptops to tether themselves to the cell phone and share their Internet connectivity. Allowing cell phones into the corporate network completely circumvents access control procedures, firewalls, antivirus protection, data loss prevention systems, and so on.
What does a handler do?
Handlers are an additional layer of compromised hosts that are used to manage large groups of bots. Handlers can direct bots to send a variety of different packets depending on the service being targeted.
How can ARP poisoning be used as a DoS attack?
Spoofed ARP replies can be used to stop all traffic on the local network as part of an ARP DoS attack. The attacker sends all internal hosts a continuous stream of unsolicited spoofed ARP replies saying the gateway (10.0.0.4) is at E5-E5-E5-E5-E5-E5 (Step 1). Hosts record the gateway's IP address and nonexistent MAC address (Step 2).
Why is rate limiting a good way to reduce the damage of some DoS attacks?
Rate limiting can be used to reduce a certain type of traffic to a reasonable amount. This is good if an attack is aimed at a single server because it keeps transmission lines at least partially open for other communication.
Why is it limited in effectiveness?
Rate limiting frustrates both attackers and legitimate users. It helps, but it does not solve the problem.
Do switches record IP addresses? Why not?
Switches only look at MAC addresses. They cannot identify the incorrect ARP resolution being pushed out to all other hosts. They merely forward all packets based on MAC address. They do not look at the IP address on the packet.
How does the castle model relate to secure networking?
The traditional castle model of network defense had the good guys on the inside, and the attackers on the outside. There was a well-guarded single point of entry. All network administrators had to do was secure this point of entry and attackers would be stopped.
What are the main goals of DoS attacks?
The ultimate goal of a DoS attack is to cause harm. For corporations, this can come in the form of losses related to online sales, industry reputation, employee productivity, or customer loyalty. DoS attacks can cause harm by (1) stopping a critical service, or (2) slowly degrading services over time.
Explain the four general goals for secure networking.
These four goals include availability, confidentiality, functionality, and access control.
What is the main access threat to Ethernet LANs?
Traditionally, Ethernet LANs offered no access security. Any intruder who entered a corporate building could walk up to any wall jack and plug in a notebook computer. The intruder would then have unfettered access to the LAN's computers, bypassing the site's border firewall. This was a complete breakdown in access control.
Why do hosts automatically prefer IPv6 addressing?
Traffic on the existing IPv4 network is rerouted through the rogue IPv6 router because all newer operating systems are configured by default to prefer IPv6 networks. Microsoft Windows 7, Microsoft Server 2008, and Apple OS X all ship with IPv6 fully enabled.
What is a DRDoS attack, and how does it work?
Using a botnet in a reflected attack using legitimate services is known as a distributed reflected denial-of-service (DRDoS) attack.
Availability
authorized users have access to information, services, and network resources.
Access control
policy-driven control of access to systems, data, and dialogues.
Functionality
preventing attackers from altering the capabilities or operation of the network.
Confidentiality
preventing unauthorized users from gaining information about the network's structure, data flowing across the network, network protocols used, or packet header values.