Network Security Look forward to Lecture
Hello, dear friend, you can consult us at any time if you have any questions, add WeChat: THEend8_
CS 6823 –Network Security Look forward to Lecture
Lab 1 Overview
-
Task 1: SYN Flood Attacks
-
Test telnet during a SYN Flood, with SYN Flood protections ON and OFF
-
There are two SYN Flood protection methods:
-
SYN Cookies
-
Reserve TCP Connections for “proven destinations”
-
Task 2: TCP RST Attack
-
Guess the correct SEQ/ACK Number to perform a RST Attack
-
5% bonus for fully automating the attack
-
Task 3: TCP Session Hijacking
-
Guess the correct SEQ/ACK, 5% for automating the attack
-
Task 4:
-
Reverse shell. Same as Task 3, but add a reverse shell exploit
SYN flood defense: SYN cookies (1)
-
When SYN segment arrives, host B calculates function (hash) based on:
-
Apache example: Source and destination IP addresses and port numbers, and a secret number
-
Host B uses resulting “cookie” for its initial seq # (ISN) in SYNACK
-
Host B does not allocate anything to half-open connection:
-
Does not remember A’s ISN
-
Does not remember cookie
SYN flood defense: SYN cookies (2)
If SYN is legitimate
Host A returns ACK
Host B computes same function, verifies function = ACK # in ACK segment
Host B creates socket for connection
Legit connection established without the need for half-open connections
If SYN-flood attack with spoofed IP address
No ACK comes back to B for connection.
No problem: B is not waiting for an ACK
TCP RST Attack
-
Attacker can break the TCP connection by sending a TCP RST
-
Must match the SEQ and ACK Numbers
Session hijacking
-
Take control of one side of a TCP connection
-
Marriage of sniffing and spoofing
Session hijacking: The details
-
Attacker is on segment where traffic passes from Alice to Bob
-
Attacker sniffs packets
-
Sees TCP packets between Bob and Alice and their sequence numbers
-
Attacker jumps in, sending TCP packets to Bob; source IP address = Alice’s IP address
-
Bob now obeys commands sent by attacker, thinking they were sent by Alice
-
Principal defense: encryption w/ auth protocol
-
Attacker does not have keys to encrypt and insert meaningful traffic