6-10 page paper

Due 3/7/13 so i can submit to TURNITIN.COM….MODULE and INSTRUCTONS ATTATCH…please follow instructions

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing

CSEC 640

© UMUC 2012 Page 1 of 45

Contents
Topic 1: Analogy …………………………………………………………………………………………………………………………. 2 

TCP/IP: Understanding the Layers …………………………………………………………………………………………….. 2 
Topic 2: Module Introduction ………………………………………………………………………………………………………… 4 
Topic 3: Domain Name System Basics ………………………………………………………………………………………….. 5 

Introduction to Domain Name System ………………………………………………………………………………………… 5 
DNS Zones ……………………………………………………………………………………………………………………………… 6 
DNS Query Types ……………………………………………………………………………………………………………………. 8 

Topic 4: Domain Name System Attacks ……………………………………………………………………………………….. 13 
DNS Spoofing ……………………………………………………………………………………………………………………….. 13 
DNS Cache Poisoning ……………………………………………………………………………………………………………. 15 
Activity: Analyzing a Spoofing Attack ………………………………………………………………………………………… 18 

Topic 5: TCP Session Hijacking ………………………………………………………………………………………………….. 29 
Introduction to TCP Session Hijacking ……………………………………………………………………………………… 29 
Activity: Analyzing TCP Session Hijacking ………………………………………………………………………………… 31 

Topic 6: Denial of Service Attacks ……………………………………………………………………………………………….. 34 
Introduction …………………………………………………………………………………………………………………………… 34 
Ping of Death ………………………………………………………………………………………………………………………… 35 
SYN Flooding ………………………………………………………………………………………………………………………… 36 
Teardrop, LAND, and Smurf Attacks ………………………………………………………………………………………… 39 
Activity: Identify the DoS Attack ……………………………………………………………………………………………….. 43 

Topic 7: Summary……………………………………………………………………………………………………………………… 44 
Glossary …………………………………………………………………………………………………………………………………… 45 

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing

CSEC 640

© UMUC 2012 Page 2 of 45

Topic 1: Analogy

TCP/IP: Understanding the Layers

TCP/IP Vulnerabilities
CSEC 640 – Module 4

TCP/IP: Understanding the Layers
To better understand how Transmission Control Protocol/Internet Protocol (TCP/IP) is
structured, it is helpful to compare TCP/IP with the U.S. Postal Service (USPS). The USPS
consists of many post offices and several administrative departments spread over a wide
geographic area. Each post office carries out specific functions and works both independently
and in cooperation with the other post offices.

Similarly, TCP/IP is divided into layers that play a role in transferring data across the Internet.
Each layer works independently, and together these layers help to transfer data and
communication between computers.

U.S. Postal Service

Kylie Sends a Letter
Kylie writes a letter to her friend Samantha, who has recently moved to New York. She drops
the letter in a local mailbox in Sacramento, California. Samantha is unaware that Kylie has
written to her. However, when Samantha receives and reads the letter, she is happy to hear
from Kylie. Kylie did not think about how the letter would reach New York, and Samantha did not
consider how the letter arrived at her home. Both Kylie and Samantha are unaware of the
underlying delivery mechanism that enabled the letter to travel from Sacramento to New York.

Address Check During Transportation
Postal employees check addresses while letters are in transit. If Kylie writes an incorrect
address on the envelope and that letter arrives in New York, a postal employee will stamp the
letter “address unknown” and the letter will be returned to Kylie. Kylie would remain unaware of
the details of the steps taken to return the letter, and it would be up to her to decide what to do
next.

Letters Move Between Cities
Since Kylie and Samantha live in two different states that are separated by thousands of miles,
Kylie’s letter will travel through many cities before it reaches Samantha. Letters such as Kylie’s
are transported by airplanes between cities. The pilot of the airplane carrying the letters is
concerned only with delivering the cargo to its destination—he or she knows nothing about the
contents, senders, or recipients of the letters.

Letter Reaches Samantha
Within a city, letters are taken by trucks from airports to their destination post offices. Kylie’s
letter is sent to a post office in New York by a truck.

Samantha finds the letter from Kylie in her mailbox, and Samantha opens the envelope to read
the letter. When Kylie wrote the letter, she used old-fashioned physical tools such as a pen and
paper.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing

CSEC 640

© UMUC 2012 Page 3 of 45

TCP/IP Protocol

Application Layer
Kylie wants to write an e-mail to Samantha. She requests a Web page from a remote Web
server by typing a URL into a browser in the application layer. The server receives the request,
locates the requested site on its hard drive, and sends the data back to Kylie. Kylie is unaware
of how the data was delivered—whether it was transmitted over wireless connections or the
number of routers it passed through. This e-mail goes through five layers, the first one being the
application layer.

Transport Layer
Transport layer software performs the function of establishing a connection between a client and
server and monitoring the connection for errors. Transport layer software also slows
transmission if data transmission is too fast to handle at the recipient’s end. Transport layer
software is not concerned with how the data is transmitted—choosing the method of
transmission is the responsibility of lower-level software. There are two transport layer
protocols—TCP, which is considered reliable, and User Datagram Protocol (UDP), which is fast
but unreliable. If TCP tries to transmit data repeatedly and errors in the connection persist, TCP
informs its “boss,” the application program, of the problem.

Internet Layer
Internet layer programs move data between networks. IP software is responsible only for
moving data from one point to another, regardless of the contents of the data. When the data
reaches its destination local area network (LAN), the Internet layer hands the data over to the
data link layer software or firmware for delivery to the intended computer.

Data Link Layer
Data link layer programs transport incoming and outgoing data within LANs. Ethernet is the
most common protocol for the data link layer. A data link program is concerned solely with the
transmission of data within the LAN and is not responsible for how data enters or leaves the
LAN. The responsibility of managing the entering and leaving of data from a LAN lies with the
Internet layer.

Physical Layer
Physical layer protocols specify the means of representing ones and zeros or bits. The protocols
also specify how bits should be transmitted between two points using wire, fiber, and so on.
There are several types of physical layer protocols that represent and transmit bits uniquely.
The e-mail that Kylie sends to Samantha passes through these five layers twice and reaches
Samantha’s inbox.

Breaking the Rules
In an ideal situation, each component of the postal network or the TCP/IP protocol performs its
function as desired. However, there can be deviations. For example, a mail carrier might read a
letter or choose not to deliver it.

Similarly, on the Internet, a Web router may be programmed to process data packets from a
competing service slowly or to intercept them. For example, routers can be programmed to send
copies of packets containing certain data to a government security agency. The postal service
has laws against tampering with mail. It has been recommended that network neutrality laws be
implemented for the Internet to protect against the differential treatment of packets.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 4 of 45

Topic 2: Module

Introduction

The TCP/IP protocol suite has a number of inherent vulnerabilities and security flaws. These
vulnerabilities are often used by hackers to launch denial of service (DoS) attacks, TCP
connection hijackings, and other attacks.

Most of the weaknesses in the TCP/IP suite probably exist because the protocols are outdated,
having been developed in the mid-1970s. Vendors of network equipment and operating systems
have made code improvements over time to disable many of the attacks. However, some
vulnerabilities continue to exist and are exploited by malicious users to disrupt and damage
users and organizations.

This module explores the basics of the Domain Name System (DNS), such as its structure,
query types, and zones. It also covers major TCP/IP security problems, namely DNS attacks,
TCP session hijackings, and DoS attacks.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 5 of 45

Topic 3: Domain Name System Basics

Introduction to the Domain Name System

The Domain Name System (DNS) is based on a naming system that consists of a hierarchical
and logical tree structure known as the domain name space.

The top-level domains within the DNS hierarchy are .com, .edu, .gov, .mil, .int, .org, and .net.
Each node or branch in the DNS tree represents a unique fully qualified domain name (FQDN).
The FQDN indicates the position of a domain within the tree.

A FQDN consists of labels—such as IT, UMUC, edu—separated by a period. Some examples
of FQDN are “.edu,” “UMUC.edu,” “Berkeley.edu,” and “IT.UMUC.edu.”

When data is requested from a node, a host server uses DNS to translate the domain name to
an IP address.

DNS Hierarchy

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 6 of 45

Topic 3: Domain Name System Basics

DNS Zones

It is inefficient and unreliable to store DNS information in a single server. The solution is to
distribute DNS information among many entities called DNS servers. Each DNS server is
responsible, or authoritative, for large or small domains. As a result, there is a hierarchy of DNS
servers similar to the hierarchy of domain names.

A DNS server stores information about and is authoritative for a part of the DNS called a zone.
A single server may be authoritative for many zones. A zone is a portion of a domain. Each
zone will have a primary name server and a secondary name server. A primary server maintains
a zone file, which is a text file that describes the zone. Any updates to the zone are made on the
primary server. The secondary server maintains a copy of the zone data, which is periodically
transferred from the primary server. The DNS answers any queries about the hosts in its zone.

Step 1
In this example, it is assumed that a UMUC system administrator creates two subdomains,
Physics.UMUC.edu and IT.UMUC.edu, under the UMUC.edu domain. There are three
authoritative DNS servers responsible for the three zones: UMUC.edu, Physics.UMUC.edu, and
IT.UMUC.edu, respectively.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 7 of 45

Step 2
The top authoritative DNS server is responsible for the UMUC.edu zone, and the two
subauthoritative DNS servers are responsible for the two subzones, Physics.UMUC.edu and
IT.UMUC.edu.

Step 3
The zone UMUC.edu contains only DNS information for UMUC.edu and references to the two
authoritative name servers for the subdomains; Physics.UMUC.edu and IT.UMUC.edu. The
system administrator or network engineer will determine how to create multiple zones and
authoritative DNS servers responsible for one or more zones.

Step 4
For example, the IT.UMUC.edu domain name server is responsible for any queries for its Web
server www.IT.UMUC.edu. Generally, the domain name structure is divided into zones based
on how the name space will be administered.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 8 of 45

Topic 3: Domain Name System Basics

DNS Query Types

The two types of queries for common DNS name resolutions are recursive and iterative queries.
The example below shows how recursive queries work.

How Recursive Queries Work

Step 1

A client sends a recursive query to its configured DNS server, requesting an IP address that
corresponds to the name www.UMUC.edu.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 9 of 45

Step 2

The local DNS server checks its zone and does not find any zone that corresponds to the
requested domain name. It then sends a query for www.UMUC.edu to the root name server.

Step 3

The root name server is authoritative for the root domain. The server has information about
name servers for top-level domain names such as .com, .edu, .org, and others. The root name
server responds with the IP address of a name server for the .edu domain.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 10 of 45

Step 4

The local DNS server sends a query for www.UMUC.edu to the name server that is authoritative
for the .edu domain.

Step 5

The .edu name server responds with the IP address of the name server that is authoritative for
the .UMUC.edu domain.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 11 of 45

Step 6

The local DNS server sends a query for www.UMUC.edu to the authoritative name server for
the .UMUC.edu domain.

Step 7

The UMUC.edu name server replies with the IP address corresponding to the www.UMUC.edu
domain.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 12 of 45

Step 8

The local DNS server sends the IP address of www.UMUC.edu to the client that made the
request.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 13 of 45

Topic 4: Domain Name System Attacks

DNS Spoofing

Every DNS query has a unique identification number known as a transaction ID. The transaction
ID allows the recipient of the response to identify the corresponding query. When the UDP or
TCP port number, IP address, and transaction ID from a remote host are provided, the recipient
accepts the DNS reply.

In a DNS spoofing attack, an attacker uses spoofed or fake DNS replies to direct a victim to a
malicious Web site or device. This example looks at how an attacker launches a DNS spoofing
attack on a network. It is assumed that both the target and the attacker are on the same LAN.

Example of a DNS Spoofing Attack

Step 1

The target sends a query to the DNS server to resolve www.UMUC.edu to an IP address. A
cache entry of the IP address of www.UMUC.edu does not exist in the target’s Address
Resolution Protocol (ARP) table. The responses to previous ARP requests are cached in the
ARP table. Every PC caches an ARP table in its local file system. In this example, it is assumed
that the target’s ARP table is empty in the beginning.

The attacker observes the DNS query that the target has made.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 14 of 45

Step 2

Before the original DNS reply arrives, the attacker sends a spoofed DNS reply to the target. The
spoofed reply has the same transaction ID used by the target. In the spoofed DNS reply, the IP
address of the malicious device—such as the Web server—is included.

Step 3

The target uses the IP address provided in the spoofed DNS reply and accesses the malicious
Web site instead of www.UMUC.edu.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 15 of 45

Topic 4: Domain Name System Attacks

DNS Cache Poisoning

Jamie is accessing a golf Web site from his office computer. Sarah, a hacker, has initiated a
DNS cache poisoning attack against the company’s DNS server.

Using the DNS cache poisoning attack, Sarah is able to maliciously modify entries in the DNS
server of Jamie’s company. As a result, Jamie’s computer receives a reply from the company
server containing the IP addresses of the malicious hosts.

Since Sarah is on a network different from the network of Jamie’s company, she cannot observe
the transaction ID that Jamie uses.

Step 1

Sarah has sent a series of bogus DNS queries to the DNS server of Jamie’s company.

Sarah sends spoofed responses to the company’s DNS server before the Web site’s DNS
replies reach the company’s DNS server. Sarah creates the spoofed responses using
transaction IDs that she guesses. She hopes to guess the correct transaction ID by sending an
increasing number of simultaneous queries with different transaction IDs that the server has to
resolve.

DNS Cache Poisoning
Here is an explanation of the first step in a DNS cache poisoning attack. It is assumed that the
DNS server for Jamie’s company has an ARP table that is initially empty. Sarah first sends a
DNS query to the company’s DNS server. Unable to find a matching cache entry in its ARP
table, the server sends the query to another DNS server with a DNS transaction ID.
Immediately, Sarah sends a spoofed DNS reply to the company’s DNS server with a guessed
transaction ID that tries to match the ID sent by it earlier. She sends spoofed replies until the
transaction ID matches the ID used by the company’s DNS server.

Step 2

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 16 of 45

The spoofed DNS replies from the attacker to the DNS server are successful. The DNS replies
from the legitimate DNS server are rejected.

Step 3

Jamie types a URL in his browser, sending a request to his company’s DNS server for a Web
page. Jamie’s computer receives a DNS reply with a bogus IP address from the compromised
company DNS server.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 17 of 45

Step 4

Jamie’s computer is directed to a malicious device set up by Sarah with the bogus IP address.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 18 of 45

Topic 4: Domain Name System Attacks

Activity: Analyzing a Spoofing Attack

Introduction
A DNS spoofing attack is often difficult to detect, and the victim is unwittingly directed to a
malicious Web site that an attacker can use to gain confidential information or to infect the
user’s computer.

Ernest and Sons LLC is a reputable law firm based in New Jersey. An Internet hacker is seeking
to direct unsuspecting users on the company’s network to a malicious Web page.

What are the signs that a system administrator at Ernest and Sons should look out for to
determine whether the company’s network is the target of a spoofing attack?

Workspace
Review the details of the spoofing attack on the Ernest and Sons network by clicking the Attack
Details button. Then answer each question below.

Attack Details
The LAN of Ernest and Sons is shown below. View the animation to understand how the
attacker launches the DNS spoofing attack.

Step 1

A user on Ernest and Sons’ LAN is trying to access the Web site www.UMUC.edu. The ARP
spoofing attack causes the victim’s DNS request—the IP address of www.UMUC.edu—to be
forwarded to the attacker’s host.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 19 of 45

Step 2

The attacker provides a spoofed DNS response to make the victim’s computer believe the
response is coming from the desired host. The response includes the malicious Web server’s IP
address, 192.168.195.130, that the hacker has set up.

Step 3

The victim makes a HTTP Web request to the malicious Web server, believing it is the UMUC
Web server.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 20 of 45

Step 4

The server set up by the hacker returns a malicious Web page to the victim.

Question 1: Which one of the following screenshots indicates the DNS request sent by the
victim?
a. Screenshot A

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 21 of 45

b. Screenshot B

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answer: Option b

Feedback:
The source IP address 192.168.195.133 and the MAC address 00-0C-29-28-85-76 shown in the
screenshot are those of the victim. Due to the ARP spoofing attack, the MAC address for the
gateway cached in the victim’s ARP table is changed to that of the attacker’s. As a result, the
victim uses the right destination IP address, 192.168.195.2, which is the IP address of the
gateway. However, the polluted destination MAC address, 00-0C-29-48-03-59, is cached in the
victim’s ARP table.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 22 of 45

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 23 of 45

Question 2: Here is a screenshot of the victim’s DNS request. What is the DNS transaction ID
used in the DNS request?
a. 0x54ac
b. 0xe161
c. 0x0100

Screenshot

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answer: Option b

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 24 of 45

Feedback:
The DNS transaction ID 0xe161 is displayed in the DNS header in the screenshot. This
transaction ID uniquely identifies the DNS query and response.

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 25 of 45

Question 3: Here is a screenshot of the attacker’s DNS response. Which aspect of the request
is suspicious?
a. The destination MAC address used by the attacker is suspicious.
b. The TCP sequence number used by the attacker is suspicious.
c. The value of the DNS transaction ID is too small.
d. The source MAC address used by the attacker is suspicious.
e. None of the above—the DNS response is normal.

Screenshot

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answer: Option d

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 26 of 45

Feedback:
The source MAC address 00-0C-29-48-03-59 does not match the source IP address
192.168.195.2, which is the IP address of the gateway router. The source MAC address actually
belongs to the attacker.

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Review
The attacker successfully launched a DNS spoofing attack on Ernest and Sons’ network. The
following animation depicts the queries and responses exchanged by the victim and the
malicious Web server.

The Attack on Ernest and Sons’ Network
As a result of the DNS spoofing attack, the victim unknowingly makes an HTTP Web request to
the malicious Web server.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 27 of 45

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

The malicious Web server set up by the attacker responds with an HTTP Web request to the
victim.

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 28 of 45

As a result, the following message is displayed in the victim’s Web browser.

Further Challenges
Do you think a network intrusion detection system (IDS) can detect a discrepancy between the
IP address and the corresponding MAC address? For example, will the IDS detect that the
victim’s machine is using the attacker’s MAC address and the gateway’s IP address when
sending a request?

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 29 of 45

Topic 5: TCP Session Hijacking

Introduction to TCP Session Hijacking

If an attacker can predict or “sniff” a TCP sequence number that a target and its communication
partner use, then the attacker can hijack the established TCP connection. When the session is
hijacked, the attacker can assume the identity of the compromised user and access the
resources stored on the communication partner as the compromised user. Here is a simple
example of a TCP session hijack that takes place within a LAN.

An Example of a TCP Session Hijacking Attack

Step 1

An attacker monitors TCP packets between Host A and Host B. Host B is the target.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 30 of 45

Step 2

The attacker jumps into the exchanged communication, sending TCP packets to Host B by:
a. Forging the source IP address—IP address of Host A—of the TCP packets. The source IP

address of the bogus packet becomes 192.168.1.1.
b. Embedding the IP address of Host B in the bogus packet, making the destination IP address

of the bogus packet 192.168.2.2.
c. Forging the TCP sequence number of the TCP packets, which is the TCP sequence number

that Host B expects to see. Since Host B expects to see the sequence 10045, the TCP
sequence number of the bogus packet becomes 10045. The acknowledged TCP sequence
number of the bogus packet becomes 20020 since the packet previously sent by the Host B
has 20000 as the TCP sequence number and the length of the packet is 20 (20000 + 20 =
20020).

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 31 of 45

Topic 5: TCP Session Hijacking

Activity: Analyzing TCP Session Hijacking

This activity shows a simple TCP/IP hijacking attack that involves an attacker hijacking a
currently established Telnet (TCP) connection between two hosts and injecting an authentic-
looking reset (RST) packet to disrupt the connection.

Attack Details
In the attack, the target client makes a Telnet connection to the Linux server and executes a
Linux command through the Telnet connection. The attacker is listening to the communication
between the server and the client. At some point, after the client is authenticated to the server,
the attacker hijacks the TCP connection and injects an RST packet to reset the connection.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 32 of 45

Activity
The packet shown in the screenshot represents the last active TCP connection between the
client and server before the attacker launches a TCP reset attack. It shows that the packet is
sent from the server 192.168.195.130 to the client 192.168.195.128. Then, the attacker
192.168.195.133 hijacks and resets this connection.

Question: Based on the details in the screenshot, what are the source IP address, source MAC
address, and TCP sequence number of the reset frame sent to the Telnet client by the attacker?
a. Source IP: 192.168.195.133

Source MAC: 00-0C-29-28-85-76
TCP sequence: 2364602049

b. Source IP: 192.168.195.130

Source MAC: 00-0C-29-33-73-46
TCP sequence: 2364602050

c. Source IP: 192.168.95.130
Source MAC: 00-0C-29-28-85-76
TCP sequence: 2364602050

Screenshot

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answer: Option c

Feedback:
To hijack the active connection between the server and the client, the attacker must send an IP
packet with a valid TCP sequence number and source IP address. For RST, the attacker must
use the TCP sequence number of the active connection. Since 2364602049 is the TCP
sequence number of the last packet, the correct TCP sequence number is 2364602050. Also,
the attacker should use the source IP address of the current connection—192.168.195.130.
Finally, the MAC address cannot be forged since the frame must originate from the attacker.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 33 of 45

Thus, the MAC address must be the attacker’s, which is 00-0C-29-28-85-76. The actual frame is
shown below:

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 34 of 45

Topic 6: Denial of Service Attacks

Introduction

System resources such as network bandwidth, number of connections a server can properly
handle, CPU usage, and memory are finite and limited. Any attack designed to render a
computer resource unavailable to its intended users and unable to perform its basic functionality
is known as a denial of service (DoS) attack.

For example, a Web server needs a minimum amount of network bandwidth to function
properly. In addition, it has a maximum number of connections it can maintain based on its
limitation of CPU and memory resources. If the server reaches its resource limit, additional
connections are rejected and some potential clients are not able to access the server. In a DoS
attack, an attacker can create a flood of server requests, causing the targeted server to reject
any further requests. This is a “denial of service” because users cannot access a resource.

Attack Symptoms
The following are possible symptoms of a DoS attack:
 Unusually slow network performance, such as difficulty accessing files or Web sites
 Unavailability of a particular Web site or any Web sites
 Dramatic increase in the amount of spam in the user’s mailbox

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 35 of 45

Topic 6: Denial of Service Attacks

Ping of Death

A “ping of death” attack is one of the earliest types of DoS attacks. The ping of death is
especially effective on systems running on Windows 95, Windows 98, Linux 6.0, or any earlier
operating system. This attack uses an oversized ICMP packet to create a DoS effect.

The maximum allowable size of an IP packet is 65535 bytes. An Internet Control Message
Protocol (ICMP) echo request is an IP packet with an ICMP header. An IP header has a size of
20 bytes and the ICMP header is 8 bytes. This means that the data portion of an ICMP packet
cannot be larger than 65507 bytes.

A ping of death attack exploits the following facts:
 Many ping implementations allow a user to specify a packet size larger than 65507 bytes

due to the way the IP fragmentation is performed. An attacker can specify an ICMP data
packet with a size larger than 65507 bytes and then divide the packet into pieces.

 Many early computer systems could not handle a ping of death packet larger than the
maximum IP packet size of 65535 bytes. When the recipient system reassembles the
packet, it is too big for the receiver’s buffer, and the receiving host crashes, reboots, or
freezes.

What is malicious about this attack is that a huge IP packet can be transmitted to a target
network via IP fragmentation and cause a victim machine to crash.

Attack Details
The ping command and the host IP address is typed on a Linux or Windows computer in the
Run dialog box. An example of a ping command would be ping –n 100 60000 192.168.10.2.

Explanation: 100 ICMP packets with the size of 60,000 bytes are transmitted to the IP address
192.168.10.2. Each ICMP packet is fragmented into several pieces during the transmission.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 36 of 45

Topic 6: Denial of Service Attacks

SYN Flooding

An SYN flood attack is an early form of DoS attack. The attack creates disruptions and slows
connections by exploiting the three-way handshake used to establish TCP connections.

In a TCP three-way handshake, a client sends an SYN request to a server or network resource
to initiate the connection. The server or network resource responds with an SYN-ACK request
back to the client. Finally, the client responds with an ACK to the server to complete the
handshake and establish the connection.

Steps in an SYN Flood Attack

Step 1

An attacker sends a large number of SYN packets to a victim server to initiate a three-way
handshake. The SYN packets probably have randomly generated spoofed source addresses.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 37 of 45

Step 2

The server sends numerous SYN-ACK responses to the spoofed IP addresses.

Step 3

The attacker does not send the corresponding ACK packets to the server. This omission creates
a large number of half-open connections.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 38 of 45

Step 4

The attacker keeps sending SYN packets with spoofed source IP addresses until the server
reaches its resource limit.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 39 of 45

Topic 6: Denial of Service Attacks

Teardrop, LAND, and Smurf Attacks

Teardrop Attack
In a normal TCP packet transmission, a packet is fragmented into three different packets:
packet 1, packet 2, and packet 3. Each fragment packet has the proper offset value in the IP
header.

In a teardrop attack, an attacker sends fragments with invalid overlapping TCP values in the
offset field of the IP header.

Attack Details

In the diagram, the normal transmission has packets with sequence numbers that begin and
end correctly. In an abnormal packet transmission, the attacker has put an offset value in the IP
field in such a way that the first 20 bytes of packet 2 will overlap with the last 20 bytes of

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 40 of 45

packet 1. The data bytes from 170 to 210 will not be transmitted on purpose to confuse the data
receiver.

LAND Attack
In a local area network denial (LAND) attack, an attacker sends a TCP SYN packet to the target
machine that uses the target’s address as the source and destination address. The attack
causes the targeted machine to reply to itself continuously and eventually crash.

Smurf Attack
Smurf attacks are directed at a single target in a distributed way to crash the target. The attack
needs three main components: the attacker’s computer, a target host, and packet amplifiers.

Step 1

To run a Smurf attack, an attacker must discover a network to which ICMP request packets can
be broadcast. The network—referred to as an amplifier—should be able to respond with the
ICMP reply messages to the target address on a different network.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 41 of 45

Step 2

Once an attacker discovers an amplifier network, a broadcast ICMP is sent to the amplifier
network. The source address of the broadcast ICMP requests is forged to include the address of
the target.

Step 3

The hosts on the amplifier network respond with the broadcast ICMP request and send ICMP
reply messages to the target address.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 42 of 45

Step 4

The target server or host is inundated with the ICMP reply messages from the amplifier network.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 43 of 45

Topic 6: Denial of Service Attacks

Activity: Identify the DoS Attack

Question: Review the screenshot and determine the type of DoS attack it illustrates.
a. Ping of death
b. SYN flood
c. Teardrop
d. LAND attack

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Correct answer: Option b

Feedback:
The screenshot shows that numerous SYN packets with different source addresses are sent to
the single host with the IP address of 192.168.195.130. Therefore, the attack is an SYN flooding
attack.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 44 of 45

Topic 7: Summary

We have come to the end of Module 4. The key concepts covered in this module are listed
below.

 The Transmission Control Protocol/Internet Protocol (TCP/IP) protocol is divided into
multiple layers: application, transport, Internet, data link, and physical.

 The Domain Name System (DNS) consists of a hierarchical structure of nodes and
domains that determines the position of a domain within the system.

 The DNS structure for an organization is determined based on which domains require
independent administration.

 Two of the key DNS attacks are DNS spoofing and DNS cache poisoning.

 In a TCP session hijacking, an attacker predicts or sniffs the TCP sequence number
used between the target and a host to hijack the communication and gain unauthorized
access to the target.

 A ping of death attack is a type of denial of service (DoS) attack in which the attacker
sends an oversized Internet Control Message Protocol (ICMP) packet to the target that
causes the target to freeze, crash, or reboot.

 In an SYN flood attack, an attacker sends numerous SYN requests to a server and then
does not complete the three-way handshake, resulting in pending requests to the server
that cause a denial of service.

 Teardrop, local area network denial (LAND), and Smurf are some other commonly used
DoS attacks.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

© UMUC 2012 Page 45 of 45

Glossary

Term Definition

ARP Table An ARP table is a short-term memory of all the IP
addresses and MAC addresses that a device has already
matched. The ARP table helps to avoid having to repeat
ARP requests for devices that have been communicated
with earlier.

DNS The Domain Name System (DNS) is a protocol that
translates a computer’s domain name into an IP address.

Echo Request An echo request is an Internet Control Message Protocol
(ICMP) request that expects to receive an echo or identical
reply.

FQDN A fully qualified domain name (FQDN) is a domain name
that exactly specifies its position within the hierarchy of the
Domain Name System (DNS).

ICMP Internet Control Message Protocol (ICMP) is a protocol that
sends error messages or query messages.

MAC Address A Media Access Control (MAC) address is a unique
identifying code assigned to every piece of hardware that
accesses the Internet.

TCP The Transmission Control Protocol (TCP) is one of the core
protocols of the Internet and enables the reliable transfer of
data bytes across the Internet.

UDP The User Datagram Protocol (UDP) is one of the core
protocols of the Internet that enables computers to send
datagrams to other systems over the Internet without
requiring prior communication channels to be established.

CSEC640 – Week 4 Individual Assignment #1

DUE DATE: End of Week 5 (Two Week assignment – Week 4 and Week 5).

Description

The course module #4 covers very important concepts of how Denial of Service (DoS) attacks work. However, the module does not discuss detection, prevention, or mitigation of DoS attacks (or Distributed DoS). The task of this individual assignment is to write a research paper/report.

Topic of the Paper:

Technique(s) or scheme(s) or method(s) for detecting, preventing or mitigating DoS or Distributed DoS (DDoS) attacks.

Assignment Guidelines

The following must be considered when you write the report:

Select 3-4 research papers which discuss detection, prevention, or mitigation techniques for DoS or DDoS attacks:

The research papers must be published by a peer reviewed journal or be published in conference proceedings (e.g., IEEE, ACM, IBM Systems Journal, Lecture Notes in Computer Science (LNCS), etc.).

You must not choose papers or research works from magazines or periodicals that are not research-oriented (e.g., Wikipedia, SANS, etc.).

Briefly explain your rationale for selecting a specific research paper.

Allocate sufficient time to read the research papers. Reading a research paper requires more time than most people realize.

Summarize each research paper and identify three different detection, mitigation, or prevention techniques described in the papers you selected. For example: you can have a) one detection + two prevention methods, OR b) one detection + two mitigation methods, OR c) one detection + one prevention + one mitigation

Describe how each technique works. Clearly describe (in detail using your own words), how each technique works. Assume that you are explaining the author’s technique to someone with a fairly strong fundamental knowledge in network and security (e.g., a first year computer science graduate student) and assume the student has no knowledge of the author’s research (never read the article before). Discuss each technique or method using the following questions:

Is the proposed technique a promising, practical approach which can be effectively implemented into an existing platform? Clearly explain your answer.

What are the strengths and weaknesses (limitations) of this technique?

Make sure there are No IPR(Intellectual Property Right) issues. This requires the following:

Re-draw all figures and tables.

Summarize all concepts using your own words.

Do not copy any part of text or unmodified figures (short quotes are acceptable.)

Cite references as needed using APA format.

To support your claims or statements, you may cite/reference non-peer reviewed papers and journals (including white papers, SANs documents, etc.; do not have to be academic papers or articles, however, no Wikipedia or blogs).

Submission Guidelines

Print format: MS Word or PDF format.

The general structure of your research paper:

Name and Title

Brief Intro

Background (if needed)

Main Sections

Conclusion (if needed)

References

The paper length: 6-10 double space pages (good, solid content which is factual, relevant, and concise).

Follow the APA format.

Turnitin.com requirement: Please see the Turnitin Conference posting for Turnitin requirements and metrics.

Upload your report to your Assignment Folder

DUE DATE: End of Week 5 (Two Week assignment – Week 4 and Week 5).

————–

Note: The student must check the file(s) right after submission to make sure the right file(s) are submitted. No resubmission after the due date is allowed without prior approval from the instructor. Only valid submission in the correct assignment folder can be graded.

————–

Still stressed with your coursework?
Get quality coursework help from an expert!