TCP operates using synchronized connections. The synchronization is vulnerable to attack, and this is probably the most common attack used today. The synchronization, or handshake, process initiates a TCP connection. This handshake is particularly vulnerable to a DoS attack referred to as the TCP SYN flood attack. The process is also susceptible to access and modification attacks, which are briefly explained in the following sections.
TCP SYN Flood Attack: -
An assault on a network that prevents a TCP/IP server from servicing other users. It is accomplished by never sending the final acknowledgment to the server's SYN-ACK response in the handshaking sequence, which causes the server to keep retransmitting the SYN-ACK until the half-open connection eventually times out. The source address from the client is, of course, counterfeit. SYN flood attacks can either overload the server or cause it to crash.
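The half-open connections a SYN flood leaves behind are visible in the server's own connection table, so the simplest detection is to count them per listening port. The following is an added example, not part of the original page: the connection-table snapshot is constructed in a netstat-like layout, the threshold is set low only so the sample trips it, and the function names are my own.

```python
"""Spot a possible TCP SYN flood from a snapshot of a server's connection
table. Added example, not from the original page; the connection table
below is constructed in a netstat-like layout."""
from collections import Counter

# Constructed snapshot: proto recv-q send-q local-address remote-address state.
SAMPLE_CONNTABLE = """\
tcp 0 0 10.0.0.5:80 203.0.113.10:40001 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.11:40002 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.12:40003 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.13:40004 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.14:40005 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:51234 ESTABLISHED
tcp 0 0 10.0.0.5:22 198.51.100.9:50000 ESTABLISHED
tcp 0 0 10.0.0.5:443 192.0.2.8:44444 SYN_RECV
garbage line that should be skipped
"""


def parse_conntable(text):
    """Yield (local_port, remote_ip, state) for each well-formed TCP entry."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] != "tcp":
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        try:
            local_port = int(local.rsplit(":", 1)[1])
            remote_ip = remote.rsplit(":", 1)[0]
        except (IndexError, ValueError):
            continue
        yield local_port, remote_ip, state


def half_open_by_port(text):
    """Map local port -> (half-open connection count, distinct remote addresses).

    SYN_RECV entries are connections whose final ACK never arrived, which is
    the state a SYN flood leaves behind. Many distinct (usually unreachable)
    sources piling up on one port is the classic sign of spoofed SYNs."""
    counts = Counter()
    sources = {}
    for port, remote_ip, state in parse_conntable(text):
        if state == "SYN_RECV":
            counts[port] += 1
            sources.setdefault(port, set()).add(remote_ip)
    return {port: (counts[port], len(sources[port])) for port in counts}


def syn_flood_suspects(text, threshold=5):
    """Ports whose half-open backlog reaches the threshold. The default of 5
    only exists so the constructed sample trips it; a real backlog limit is
    far larger."""
    return sorted(port for port, (n, _distinct) in half_open_by_port(text).items()
                  if n >= threshold)


if __name__ == "__main__":
    print(half_open_by_port(SAMPLE_CONNTABLE))
    print("suspect ports:", syn_flood_suspects(SAMPLE_CONNTABLE))
```

On a Linux host the same snapshot can be taken with `ss -tan state syn-recv`; the usual mitigation when the backlog fills is to enable SYN cookies (`net.ipv4.tcp_syncookies`), so the server no longer keeps state for a half-open connection until the final ACK arrives.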
TCP Sequence Number Attack: -
This is when the attacker takes control of one end of a TCP session. The goal of this attack is to knock the attacked end off the network for the duration of the session; only then will the attack be successful. Each time a TCP message is sent, the client or the server generates a sequence number. The attacker intercepts the traffic and then responds with a sequence number similar to the one used in the original session, which can hijack or disrupt the session. If a valid sequence number is guessed, the attacker can place himself between the client and the server, gaining the connection and the data from the legitimate system. The only defense against such an attack is to know that it is occurring; there is little else that can be done.
IP Spoofing: -
IP spoofing is an attack used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forged source IP address indicating that the message is coming from a trusted host. The IP layer assumes that the source address on any IP packet it receives is the IP address of the system that actually sent the packet; it does no authentication. Many higher-level protocols and applications also make this assumption, so anyone able to forge the source address of an IP packet may be able to obtain unauthorized privileges. There are a few variations of IP spoofing, such as blind and non-blind spoofing, the man-in-the-middle attack, etc. For details, please read the IP Spoofing section.
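Because the IP layer authenticates nothing, the practical defense at the network edge is to check that a packet's source address is plausible for the interface it arrived on (ingress filtering, as described in BCP 38). The following is an added example, not from the original page: the interface-to-prefix mapping, the forbidden-source list and the sample packets are all constructed.

```python
"""Ingress (source-address) filtering as a defense against IP spoofing.
Added example, not from the original page. The topology and the sample
packets are constructed."""
import ipaddress

# Constructed topology: which source prefixes legitimately arrive on each interface.
INTERFACE_PREFIXES = {
    "lan0": [ipaddress.ip_network("10.0.0.0/8")],   # our internal hosts
    "wan0": [ipaddress.ip_network("0.0.0.0/0")],    # the Internet side
}

# Sources that must never arrive from the Internet: our own space and obvious bogons.
WAN_FORBIDDEN_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),   # internal space seen inbound is spoofed
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
]


def allowed_source(interface, src):
    """True if a packet claiming source src may legitimately enter via interface."""
    addr = ipaddress.ip_address(src)
    if not any(addr in net for net in INTERFACE_PREFIXES.get(interface, [])):
        return False                       # unknown interface or source off its prefix
    if interface == "wan0" and any(addr in net for net in WAN_FORBIDDEN_SOURCES):
        return False                       # inbound packet wearing an inside address
    return True


def filter_packets(packets):
    """Split constructed (interface, src, dst) tuples into accepted and dropped."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        (accepted if allowed_source(iface, src) else dropped).append((iface, src, dst))
    return accepted, dropped


# Constructed traffic: two legitimate packets and two spoofed ones.
SAMPLE_PACKETS = [
    ("wan0", "203.0.113.7", "10.0.0.5"),      # normal inbound
    ("wan0", "10.0.0.9", "10.0.0.5"),         # claims to be internal: spoofed
    ("lan0", "10.0.0.9", "203.0.113.7"),      # normal outbound
    ("lan0", "198.51.100.3", "203.0.113.7"),  # inside host forging an outside source
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print("accepted:", ok)
    print("dropped: ", bad)
```

The outbound rule matters as much as the inbound one: an organisation that drops packets leaving its network with sources outside its own prefixes cannot be used to launch spoofed traffic at others, which is the point of BCP 38.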
b) 1. SSL (Secure Sockets Layer): -
SSL is a secure protocol developed for sending information securely over the Internet. Many websites use SSL for secure areas of their sites, such as user account pages and online checkout. Usually, when you are asked to "log in" on a website, the resulting page is secured by SSL. It is based on RSA Data Security's public-key cryptography.
Figure: - SSL between application protocols and TCP/IP
2) IPSec (IP Security): -
IPSec is a framework for a set of protocols providing security at the network or packet-processing layer of network communication. Earlier security approaches inserted security at the application layer of the communications model. IPSec is said to be especially useful for implementing virtual private networks and for remote user access through dial-up connections to private networks. A big advantage of IPSec is that security arrangements can be handled without requiring changes to individual user computers. Cisco has been a leader in proposing IPSec as a standard and has included support for it in its network routers.
3) Kerberos: -
An open-source, public-domain user authentication scheme typically used as a network security system in a client-server environment. Kerberos verifies whether a system user is legitimate both at the time of user log-in and every time he or she requests a service. It uses private or secret keys called 'tickets' to encrypt data. Developed at the Massachusetts Institute of Technology (MIT), Kerberos is based on symmetric-key cryptography and Data Encryption Standard (DES) algorithms, and is named after the fierce three-headed guard dog of Greek mythology.
a) Trusted Computer System Evaluation Criteria (TCSEC) is a standard for computer security that was issued by the US government. It was used in the United States, while Canada used its own CTCPEC, and Europe and several other parts of the world used the competing ITSEC standard. These standards have now been superseded by the Common Criteria.
TCSEC was issued by the United States Government National Computer Security Council "Trusted Computer System Evaluation Criteria, DOD standard 5200.28-STD, December 1985".
b) This Trusted Network Interpretation (TNI) Environments Guideline (TNIEG) addresses many issues in determining the security protection required in different network environments. It complements the TNI, just as the Trusted Computer System Evaluation Criteria (TCSEC) Environments Guideline complements the TCSEC. The TNI interprets the TCSEC for networks; it contains all of the criteria in the TCSEC, adding interpretation and rationale to applying trust technology to network systems. In the same way that the TCSEC Environments Guideline provides guidance on applying the TCSEC, this TNIEG provides guidance on the use of the TNI. The TCSEC and its Environments Guideline constitute the foundation on which the TNI and TNIEG add network applicability.
c) Information Technology Security Evaluation Criteria (ITSEC) is a scheme for the evaluation of security products run in the UK by the DTI and CESG. ITSEC was probably the most successful computer security evaluation criteria of the 1990s. It offers greater flexibility than TCSEC and is easier and cheaper to use.
d) The Common Criteria, an internationally approved set of security standards, provides a clear and reliable evaluation of the security capabilities of Information Technology products. By providing an independent assessment of a product's ability to meet security standards, Common Criteria gives customers more confidence in the security of Information Technology products and leads to more informed decisions. Security-conscious customers, such as the U.S. Federal Government, are requiring Common Criteria certification as a determining factor in purchasing decisions. Since the requirements for certification are clearly established, vendors can target very specific security needs while providing broad product offerings.
e) What types of products are evaluated using a security evaluation criterion?
Evaluated Products List (EPL)
iii) Intrusion Detection
iv) Port Scanner
v) Packet Filter
vi) Intrusion Protection System
a) 1. An intrusion detection system (IDS) monitors network traffic for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network.
2. Sourcefire IPS provides best-in-class intrusion defense with extensive analytics, powerful reporting, and unrivaled scalability. Through the use of Sourcefire 3D Sensors and one or more Sourcefire Defense Center management consoles, Sourcefire IPS lets you automatically detect and/or block attacks targeting thousands of vulnerabilities.
3. There are three main types of Intrusion Detection Systems:
Host Based IDS: -
A host-based intrusion detection system (HIDS) is installed on a host in the network. HIDS collects and analyzes the traffic that originates from or is destined for that host. HIDS leverages its privileged access to monitor specific components of a host that are not readily accessible to other systems. Specific components of the operating system, such as password files in UNIX and the Registry in Windows, can be watched for misuse. There is great risk in making these types of components available to a NIDS to monitor.
Network Based IDS: -
Network IDSs (NIDS) are placed in key areas of the network infrastructure and monitor the traffic as it flows to other hosts. Unlike HIDS, NIDS have the capability of monitoring the whole network and detecting malicious activity intended for that network. Monitoring criteria for a specific host in the network can be increased or decreased with relative ease. NIDS should be capable of handling large volumes of network traffic to remain effective; as network traffic increases exponentially, NIDS must capture all the traffic and analyze it in a timely manner.
Stack Based IDS: -
Stack-based IDS is the latest technology, which works by integrating closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers. Watching the packet in this way allows the IDS to pull the packet from the stack before the OS or application has a chance to process it.
4. Blackhats, security researchers and network intrusion detection system (NIDS) developers have continually played a game of point-counterpoint when it comes to NIDS technology. The blackhat community continually develops methods to evade or bypass NIDS sensors, while NIDS vendors continually counteract these methods with patches and new releases. Due to the inherent complexities involved in capturing, analyzing and understanding network traffic, there are several common techniques that can be used to exploit inherent weaknesses in NIDS.
This section covers basic evasion techniques as well as suggested fixes or what to look for in many of these attacks. For this purpose, evasion is considered not only the process of totally concealing an attack but also any technique used to disguise an attack so that it appears less threatening than it really is. These techniques can be divided into three specific categories, and one general category that is closely related to false negatives and poor implementation issues. The methods by which an IDS can be attacked are through string-matching weaknesses, session-assembly weaknesses, and denial-of-service techniques.
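The string-matching and session-assembly weaknesses above are two sides of one problem: a sensor that matches signatures against each packet on its own will never see a signature whose bytes are spread over two TCP segments, whereas a sensor that reassembles the stream by sequence number will. The following is an added example, not code from the original page or from any IDS product: the signature, the segments and the reassembly policy are constructed, and the detector names are my own.

```python
"""Per-packet string matching vs. stream reassembly in a NIDS.
Added example, not from the original page; the signature and the TCP
segments are constructed."""

# Constructed signature: a path-traversal request a NIDS might look for.
SIGNATURE = b"/etc/passwd"

# Constructed TCP segments as (sequence number, payload), delivered out of
# order, with the signature string split across the two segments.
ISN = 1000
SEGMENTS = [
    (1014, b"/passwd HTTP/1.0\r\n\r\n"),
    (1000, b"GET /../../etc"),
]


def per_packet_match(segments, signature=SIGNATURE):
    """Naive detector: inspect each segment in isolation (string-matching weakness)."""
    return any(signature in payload for _seq, payload in segments)


def reassemble(segments, isn):
    """Rebuild the byte stream in sequence order.

    Bytes already seen (retransmissions, overlaps) are dropped; a gap in the
    sequence space stops reassembly rather than inventing unseen bytes."""
    stream = bytearray()
    expected = isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > expected:
            break                      # hole in the stream: a segment is still missing
        overlap = expected - seq       # leading bytes of this segment we already hold
        if overlap < len(payload):
            stream += payload[overlap:]
            expected = seq + len(payload)
    return bytes(stream)


def stream_match(segments, isn, signature=SIGNATURE):
    """Session-aware detector: match against the reassembled stream."""
    return signature in reassemble(segments, isn)


if __name__ == "__main__":
    print("per-packet:", per_packet_match(SEGMENTS))   # evaded
    print("stream:    ", stream_match(SEGMENTS, ISN))  # caught
```

The reassembler here keeps the first copy of any overlapping bytes. A real sensor has to model how each monitored operating system resolves overlaps, because a stream that reassembles one way on the sensor and another way on the target is the session-assembly weakness the text refers to.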
b) Some free IDS are listed below: -
OSSEC HIDS: -
OSSEC is an open source host based intrusion detection system (IDS). An IDS is one of the most important tools available to a security administrator. As a host based IDS (or HIDS), OSSEC is uniquely advantaged to monitor activity from the server side. Although a network based IDS may be able to spot malicious traffic and identify attacks based on traffic, a HIDS can look directly at log files and system behavior to spot oddities such as successful brute force attacks or evidence of rootkit installation. OSSEC fills a critical niche in any Linux security plan. OSSEC provides file integrity checking, so it can spot rootkits, in addition to real time log analysis. OSSEC can alert you to suspicious behavior and can even be configured to actively respond to threats.
Some functions of OSSEC: -
Detects intrusions on a specific host in the network
Centralized management system
Performs log analysis, file integrity checking and root-kit detection
Real time alerts and response
Host-based Intrusion Detection System
Also detects malware, spam, worms and viruses
Agent or agentless monitoring
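File integrity checking, listed above as one of OSSEC's functions, means hashing the files you care about into a baseline and later re-hashing them to report what was added, removed or modified. The following is an added example of that mechanism, not OSSEC's own code: the "system" files are constructed in a temporary directory and the function names are my own.

```python
"""A minimal file-integrity check of the kind OSSEC performs: hash every
file under a directory into a baseline, then report what was added,
removed or modified. Added example, not OSSEC's own code; the sample
files are constructed in a temporary directory."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare_baselines(old, new):
    """Classify the differences between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo():
    """Create constructed 'system' files, baseline them, tamper, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            os.path.join("etc", "passwd"): b"root:x:0:0:root:/root:/bin/sh\n",
            os.path.join("bin", "ls"): b"\x7fELF constructed binary\n",
            os.path.join("etc", "hosts"): b"127.0.0.1 localhost\n",
        }
        for rel, content in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        baseline = build_baseline(root)

        # Simulated tampering: an extra UID-0 account, a removed binary, a new file.
        with open(os.path.join(root, "etc", "passwd"), "ab") as fh:
            fh.write(b"backdoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "bin", "ls"))
        with open(os.path.join(root, "bin", "ls.bak"), "wb") as fh:
            fh.write(b"constructed replacement\n")

        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline itself has to be kept where an intruder on the host cannot rewrite it (OSSEC does this by shipping agent results to a central server), otherwise a rootkit can simply re-baseline after modifying the files.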
a) (1) Exposure: -
The whole concept of P2P is based on connecting to someone else in order to share files. You have no idea whether that someone else is a college student, FBI agent or grandmother.
(2) Data corruption: -
This is less common with BitTorrent and Ares, as they offer native methods of checking data integrity during reception; however, overall it is still a problem with a lot of P2P applications. Even in programs that do support data integrity checking, downloaded data can occasionally be corrupted.
(3) Bandwidth shaping/throttling: -
Most ISPs are wise to the P2P concept and, unfortunately, do not differentiate between one person downloading the latest Adobe programs illegally and another person downloading a legal Linux distribution. Taking the "safe rather than sorry" approach, most ISPs attempt to shape or throttle bandwidth in order to prevent P2P usage. Some block it entirely.
(4) Signal to noise ratio: -
When downloading files, it is nearly impossible to tell a legitimate copy of a desired file from a fake one, or worse, one that is infected with a virus or other malware. To the trained eye, it is easy to spot these things in the wild, but to your average person, it is not. So when someone hears about the latest Xbox 360 game being cracked, they just search for it and download what looks like a likely match - but wind up infected in some way.
(5) Spyware/backdoors: -
Many common P2P programs come bundled with spyware, adware or another form of unexpected and undesired software. Also, the vast majority of common P2P programs require specific network and firewall settings to function properly. That means that an average person installing LimeWire will have adware/spyware running on their machine and a port or two open at all times that would normally not be open.
b) Briefly describe the vulnerabilities peculiar to the P2P technology: -
i) Sybil attack: -
A Sybil attack is one in which an attacker subverts the reputation system of a peer-to-peer network by creating a large number of pseudonymous entities, using them to gain a disproportionately large influence. A reputation system's vulnerability to a Sybil attack depends on how cheaply identities can be generated, the degree to which the reputation system accepts inputs from entities that do not have a chain of trust linking them to a trusted entity, and whether the reputation system treats all entities identically.
ii) Eclipse attack: -
The Eclipse attack is more general than the Sybil attack. Attackers can use a Sybil attack to launch an Eclipse attack by inventing a large number of seemingly distinct overlay nodes. However, defenses against Sybil attacks do not prevent Eclipse attacks, because attackers may manipulate the overlay maintenance algorithm to mount an Eclipse attack. Research on this attack has examined its impact on several types of overlay and proposed a novel defense that prevents the attack by bounding the degree of overlay nodes.
c) The countermeasures that could be implemented to defend an enterprise from potential attacks: -
Countermeasures for Sybil attack: -
The majority of outsider attacks against sensor network routing protocols can be prevented by simple link layer encryption and authentication using a globally shared key. The Sybil attack is no longer relevant because nodes are unwilling to accept even a single identity of the adversary. The majority of selective forwarding and sinkhole attacks are not possible because the adversary is prevented from joining the topology. Link layer acknowledgements can now be authenticated.
Countermeasures for Bandwidth shaping/throttling: -
The ultimate effect of network throttling is to use network countermeasures to slow down the traffic by various means including delayed responses, disconnection, resets or outright temporary blacklist (no responses at all).
Countermeasures for Spyware/backdoors: -
(1) Use anti-spyware software, keep virus definition files updated, and scan your system for spyware
(2) Keep your computer up-to-date
(3) Be careful about suspicious sites and emails
(4) Enhance the security level of your computer
(5) In case of emergency, back up important files
d) Some of the P2P programs are: -
i) Vulnerabilities of BitTorrent: -
BitTorrent Web UI HTTP "Range" Header DoS
The vulnerability is caused by an error in the handling of HTTP requests and can be exploited to crash the application by sending an HTTP request containing a malformed "Range" header string.
BitTorrent Peer Static Buffer Overflow
A static buffer overflow is present in BitTorrent clients; this overflow would allow a remote attacker to crash the clients.
ii) Vulnerabilities of Kazaa: -
A vulnerability in Kazaa could be exploited by malicious people to corrupt the files other users download.
The vulnerability is caused by Kazaa only checking file name and size when categorizing files for simultaneous downloads from multiple locations. A malicious person could therefore download a file and corrupt it by replacing its content with NULL bytes or other arbitrary values using a hex editor, keeping the same filename and file size. If another user downloaded part of the file as part of a simultaneous download from multiple locations, the file would be corrupted.
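The Kazaa weakness just described and the "native methods of checking data integrity" credited to BitTorrent in the data-corruption section above are the same design decision seen from both sides: a multi-source download must verify each piece by a hash published with the file, because name and size say nothing about the bytes. The following is an added example, not the code of either program: the file content, the peers, the piece size and the zero-filled corrupted piece are all constructed.

```python
"""Why multi-source downloads need per-piece hashes: a name-and-size check
(the Kazaa weakness) accepts a zero-filled piece, while a per-piece hash
check (as BitTorrent does) rejects it and falls back to another peer.
Added example, not the code of either program; file, peers and the
corrupted piece are constructed."""
import hashlib

PIECE_SIZE = 8           # tiny so the constructed file splits into a few pieces
FILE_NAME = "song.mp3"   # constructed advertised name
ORIGINAL = b"The quick brown fox jumps over the lazy dog"   # constructed content


def split_pieces(data, size=PIECE_SIZE):
    return [data[i:i + size] for i in range(0, len(data), size)]


def piece_hashes(data, size=PIECE_SIZE):
    """Per-piece SHA-1 digests, the kind of list a .torrent publishes for its file."""
    return [hashlib.sha1(piece).digest() for piece in split_pieces(data, size)]


def accept_by_name_and_size(expected_name, expected_size, name, piece):
    """Kazaa-style check: only the advertised name and size have to match."""
    return name == expected_name and len(piece) == expected_size


def accept_by_hash(expected_digest, piece):
    """BitTorrent-style check: the piece's own hash must match the published one."""
    return hashlib.sha1(piece).digest() == expected_digest


def download(offers, expected_hashes):
    """Assemble the file from pieces offered by several peers.

    offers: {piece_index: [(peer, bytes), ...]}, tried in order.
    Returns (assembled bytes, or None if some piece is unobtainable, rejected)."""
    assembled, rejected = [], []
    for index, digest in enumerate(expected_hashes):
        good = None
        for peer, piece in offers.get(index, []):
            if accept_by_hash(digest, piece):
                good = piece
                break
            rejected.append((index, peer))   # corrupted piece: try the next peer
        if good is None:
            return None, rejected
        assembled.append(good)
    return b"".join(assembled), rejected


# Constructed swarm: peer-A is honest; peer-B serves a zero-filled piece 2 with
# the right name and size, which is exactly what a name-and-size check cannot see.
HONEST = split_pieces(ORIGINAL)
OFFERS = {i: [("peer-A", p)] for i, p in enumerate(HONEST)}
CORRUPTED_PIECE = b"\x00" * PIECE_SIZE
OFFERS[2].insert(0, ("peer-B", CORRUPTED_PIECE))


def demo():
    """Return (name-and-size verdict, hash verdict, assembled data, rejected pieces)."""
    naive = accept_by_name_and_size(FILE_NAME, PIECE_SIZE, FILE_NAME, CORRUPTED_PIECE)
    strict = accept_by_hash(piece_hashes(ORIGINAL)[2], CORRUPTED_PIECE)
    data, rejected = download(OFFERS, piece_hashes(ORIGINAL))
    return naive, strict, data, rejected


if __name__ == "__main__":
    print(demo())
```

The hash list only helps if it is obtained from a source the downloader trusts more than the peers themselves (the .torrent file or an infohash from a known tracker); a hash list fetched from the same untrusted peer that serves the data proves nothing.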
iii) Vulnerabilities of iMesh: -
Rgod has discovered a vulnerability in iMesh, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused by an input validation error in the IMWeb.IMWebControl.1 ActiveX control (IMWebControl.dll) and can be exploited to execute arbitrary code by calling the "SetHandler()" and "ProcessRequestEx()" methods, respectively.