


         Internet attack patterns
        Typically
    1.     A weakness is discovered (usually a software bug)
    2.     Many sites are attacked
    3.     Short term patch is created
    4.     Full repairs to software or protocols are issued
    5.     Majority of web sites etc implement repairs
    6.     Unrepaired sites end up blacklisted - poses a problem
           as it then advertises the sites with weaknesses –
           hence more attacks happen
Denial Of Service attacks or
SYN flooding
   In TCP handshaking the sequence is as follows:
      Client                        Server
         ---------- SYN ---------->
         <------ SYN + ACK --------
         ---------- ACK ---------->          (time runs downwards)

           Client and server can now send
           service specific data
     Perils of half-open connections
   If, after the server has sent its SYN + ACK response, the
    client does not send an ACK response, the connection is
    left half-open
   But the server has built in its system memory a data
    structure describing all pending connections. Each entry
    will time out eventually
   If an attacker carries on creating these, it may cause memory
    overflow and the server to crash, or at least leave it unable
    to accept any new connections until the table is emptied out
   IP spoofing: the location of the attacking system is obscured
    because source addresses in the SYN packets are often
    implausible. When the packet arrives at the victim server
    system, there is no way to determine its true source.
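The pending-connection table described above, as an added example that is not part of the original slides: a small Python model of a server's half-open table with a fixed size and a timeout, replayed over constructed events. The class name, table size, timeout and addresses are assumptions chosen for illustration.

```python
from collections import OrderedDict

class PendingTable:
    """Toy model of the server's table of pending (half-open) connections."""
    def __init__(self, backlog=4, timeout=30.0):
        self.backlog = backlog        # assumed table size
        self.timeout = timeout        # assumed seconds before an entry times out
        self.pending = OrderedDict()  # (src ip, src port) -> time the SYN arrived
        self.established = 0
        self.refused = 0

    def _expire(self, now):
        # Entries are kept in arrival order, so the oldest is always first.
        while self.pending:
            key, arrived = next(iter(self.pending.items()))
            if now - arrived < self.timeout:
                break
            del self.pending[key]

    def on_syn(self, now, src):
        self._expire(now)
        if src in self.pending:
            return True               # retransmitted SYN, entry already held
        if len(self.pending) >= self.backlog:
            self.refused += 1         # table full: new connection not accepted
            return False
        self.pending[src] = now       # server has sent SYN + ACK, awaits ACK
        return True

    def on_ack(self, now, src):
        self._expire(now)
        if self.pending.pop(src, None) is None:
            return False              # no matching half-open entry
        self.established += 1
        return True

def replay(events, backlog=4, timeout=30.0):
    table = PendingTable(backlog, timeout)
    results = []
    for now, kind, src in events:
        handler = table.on_syn if kind == "SYN" else table.on_ack
        results.append(handler(now, src))
    return table, results

# Constructed events: (time in seconds, segment, (source ip, source port)).
EVENTS = [(0.0, "SYN", ("192.0.2.10", 40000)), (0.1, "ACK", ("192.0.2.10", 40000))]
EVENTS += [(1.0 + i / 10, "SYN", (f"203.0.113.{i + 1}", 1000 + i)) for i in range(4)]  # never ACKed
EVENTS += [(2.0, "SYN", ("192.0.2.11", 40001)),    # real client, table is full
           (40.0, "SYN", ("192.0.2.11", 40001)),   # retry after entries timed out
           (40.1, "ACK", ("192.0.2.11", 40001))]
```

`replay(EVENTS)` shows the real client at t=2.0 being refused while four unanswered SYNs hold the table, and being accepted again once those entries have timed out.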
       SYN flooding remedies
   None yet with the current IP protocol technology.
   However, proper router configuration can reduce the
    likelihood that a site will be the source of one of
    these attacks.
   Currently, the best method is to install a filtering
    router that restricts the input to your external
    interface (known as an input filter) by not allowing a
    packet through if it has a source address from your
    internal network. This would prevent outside attackers
    from sending you packets pretending to be from your
    internal network.
   It also prevents packets originating within your network
    from pretending to be from outside your network
    (RFC 2267).
   Should also filter outgoing packets that
    have a source address different from your
    internal network to prevent a source IP
    spoofing attack from originating from your
   These filters will not stop all TCP SYN
    attacks, since outside attackers can spoof
    packets from any outside network, and
    internal attackers can still send attacks
    spoofing internal addresses.
        IP spoofing – changing source
        IP address
   Stealth scan method of spoofing
       Before an attacker will attack a specific server they will
        in most cases want to scan the system in order to find
        out as much as possible about the system.
        This scan could alert firewalls, IDS systems and their
        administrators of a forthcoming attack, and could point
        the administrator to the originator of a following (basic)
        DDoS attack.
       By hiding the actual scan in a large amount of spoofed
        scanning datagrams from a wide range of IP addresses,
        the attacker will be able to hide the real scan from the
Intrusion Detection Systems DoS
   In order to detect and stop hack attacks many companies now
    implement an IDS. When combined with firewalls that support them,
    these will in the ideal case stop a hack that is in progress once specific or
    generic hacking fingerprints are detected.
   The downside of IDS systems is that they have to do a wide range of CPU
    intensive and stateful protocol analysis. Datagrams can be made to use a
    maximum amount of IDS resources (state objects and CPU) per byte of
   By again using a large amount of spoofed IP addresses to create
    as many state objects as possible on the IDS
    system, combined with large strains on the IDS to do the full set of
    protocol analysis, it will in many cases be possible to lengthen the time
    taken for IDS detection to such an extent that the full attack can
    be carried out before the IDS has been able to detect it.
        Anti spoofing techniques
   Border router filter rules
   Simple principle - don't let anything out with a source IP address not
    belonging to the ISP (RFC 2827)
   Don't let anything in with a source IP address belonging to the ISP
   The first one is basically the most important, and is also used to fight DoS

    [Figure: AS for my ISP and AS of neighbouring ISP]
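The input and output filters from the SYN flooding remedies slide and the border router rules above, as an added example that is not part of the original slides: a Python decision function applied to constructed packets, including the two cases the slides say these filters cannot stop. The internal prefix 198.51.100.0/24 and all addresses are documentation-range assumptions.

```python
import ipaddress

def make_border_filter(internal_prefixes):
    """Return a decision function for a border router (prefixes are assumptions)."""
    nets = [ipaddress.ip_network(p) for p in internal_prefixes]

    def is_internal(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    def decide(direction, src):
        # direction "in":  packet arriving on the external interface
        # direction "out": packet leaving the site through the border router
        if direction == "in":
            # Input filter: outside traffic must not claim an inside source.
            return "drop" if is_internal(src) else "permit"
        if direction == "out":
            # Output filter: traffic we emit must carry one of our own sources.
            return "permit" if is_internal(src) else "drop"
        raise ValueError(f"unknown direction: {direction!r}")

    return decide

# Constructed packets: (direction, claimed source address, what is really going on)
PACKETS = [
    ("in",  "203.0.113.7",   "genuine outside host"),
    ("in",  "198.51.100.9",  "outside host pretending to be internal"),
    ("out", "198.51.100.20", "genuine internal host"),
    ("out", "203.0.113.50",  "internal host spoofing an outside source"),
    # The two cases the filters cannot catch:
    ("in",  "192.0.2.99",    "outside host spoofing another outside network"),
    ("out", "198.51.100.77", "internal host spoofing another internal address"),
]

def run(packets, internal_prefixes=("198.51.100.0/24",)):
    decide = make_border_filter(internal_prefixes)
    return [(direction, src, decide(direction, src)) for direction, src, _ in packets]

if __name__ == "__main__":
    for (direction, src, verdict), (_, _, note) in zip(run(PACKETS), PACKETS):
        print(f"{direction:3} {src:15} {verdict:6} {note}")
```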
    DOS - Smurfing
   Simple concept – send forged ICMP echo
    request packets to IP broadcast addresses of an
    unsuspecting network.
   All hosts on that network send an ICMP reply to
    the spoofed IP address of the victim
   When (potentially) all the machines on a
    network respond to this ICMP echo request, the
    result can be severe network congestion or even
[Figure: Attacker sends broadcast packet (ping to broadcast address) to unsuspecting network through its router. All hosts send replies to spoofed IP address of victim.]

   Attackers have developed automated tools
    (botnets etc) that enable them to send these
    attacks to multiple intermediaries at the same
    time, causing all of the intermediaries to direct
    their responses to the same victim.
    Attackers have also developed tools to look for
    network routers that do not filter broadcast traffic
    and networks where multiple hosts respond.
    These networks can then subsequently be used as
    intermediaries in attacks.
    Dictionary Attack – cracking of
    authentication passwords
   Authentication passwords are stored in a file in both
    UNIX and Windows – but are usually encrypted with an
    algorithm that is non reversible (MD5 etc)
   Passwords are stored in password file encrypted using a
    one way algorithm (MD5 etc), user enters password
    which is encrypted and the encrypted version is
    compared with the stored version
   In contrast with a brute force attack, where all possibilities are
    searched through exhaustively, a dictionary attack only
    tries possibilities which are most likely to succeed -
    derived from a list of words in a dictionary.
   Weakness with passwords
       Usually word from native language
       Common list of words typically used
   Dictionary attacks may be applied in two main situations:
        in cryptanalysis, in trying to determine the decryption key for a given
         piece of ciphertext;
        in computer security, in trying to circumvent an authentication
         mechanism for accessing a computer system by guessing passwords.
   An attacker may be able to obtain a copy of the list of encrypted
    passwords from a remote system; assuming the users are mostly
    English speakers, the attacker can attempt to guess the passwords at their
    leisure, by encrypting each of a list of English words and comparing
    each encryption against the stored encrypted version of users'
    passwords. As users often choose easily guessed passwords, this
    has historically succeeded about 4 times out of 10 when a
    reasonably large list is used.
   Dictionaries for most human languages (even those no longer used)
    are easily accessible on the Internet, meaning even the use of
    foreign words is practically useless in preventing dictionary attacks.
   Password authentication server: one way encryption of password,
   stored in password table

   username          Encrypted password
   Alix.Bergeret     ADSNUYTGHLKLLL
   Matthew.Green     NJKFFDSHPTTDRD
   Ian.Coulson       VFGMNBDEQQASU
   Brendan.Riordan   VHGUIOUIYEDRDT
   Chris.Dennett     CXZAASWEWEDFD
   Andy.Sloane       MLOPIUYTRFFGHJ
   Mary.Garvey       MNJTYUUIFVCXFG
   Brian.Penfold     REDERFGGGHYTR

   Client: password encrypted by the client using same algorithm
   then passed over network
   If hash values are equal then client is
        Combating dictionary attacks
   An attacker can speed up the attack by encrypting and storing a
    list of encrypted dictionary words in advance, sorted by
    the encrypted 'value'.
       This requires a large amount of storage and often a
        considerable amount of preparation time, but
        makes the actual attack almost instantaneous.
       It is particularly effective when a large number of
        passwords are to be cracked at once.
   Attacker simply takes a list of commonly used passwords and
   passes them all through the same algorithm,
   then sorts them alphabetically

   Cracker's sorted list of hashed words

   Word                  Hashed word
   cricket               ABVGTHYULPMMN
   football              ADSNUYTGHLKLLL
   england               CFTGERHTYUUUU
   sister                QRTSNDCNCNNNN
   christopher           RTSGHWEREEEDM
   charlie               STTHHHHHERERE
   louise                NMZOAOWJBHEEU

   Password list

   username          Encrypted password
   Alix.Bergeret     ADSNUYTGHLKLLL
   Matthew.Green     NJKFFDSHPTTDRD
   Ian.Coulson       VFGMNBDEQQASU
   Brendan.Riordan   VHGUIOUIYEDRDT
   Chris.Dennett     CXZAASWEWEDFD
   Andy.Sloane       MLOPIUYTRFFGHJ
   Mary.Garvey       MNJTYUUIFVCXFG
   Brian.Penfold     REDERFGGGHYTR

   Easy to determine Alix.Bergeret password
   by comparing hash values
   A SALT is a value used to modify a hash of a password.
   Unfortunately, obtaining the password file reveals hash
    values which can then be compared to hash values (the
    hash algorithms are public) for popular passwords, thus
    revealing the password itself.
   To avoid this, a salt value is hashed along with the password,
    thus changing the hash value and making a known-hash
    attack difficult.
   The salt value is a string of random characters (or more often the
    username) which can be stored. Even if the attacker can
    see the salt value, they have to add the salt value to every
    dictionary value, hash it and do a comparison against that
    one entry in the password file
        Add a salt value
    Username Password before any encryption

              Alix.Bergeret     Football

 Password is given a salt value - username and password added together

       Alix.Bergeret + Football = Alix.BergeretFootball
                               Then encrypted

           Alix.BergeretFootball -> FFFGHTYPOIYT
As Alix.BergeretFootball is not a word you would find in a common list
of words then attacker will not find the encrypted version in his list –
makes it impossible to crack
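Salted storage and verification, as an added example that is not part of the original slides: it shows a precomputed table matching an unsalted hash and missing a salted one. It differs from the slide in two labelled ways: it uses a random per-user salt rather than the username, and PBKDF2-HMAC-SHA256 rather than a single MD5 pass; the iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def unsalted_hash(password):
    # The weak scheme: one public hash function, no salt.
    return hashlib.sha256(password.encode()).hexdigest()

def new_record(password, salt=None):
    # A random per-user salt is generated and stored beside the hash.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, record):
    # Recompute with the stored salt and compare in constant time.
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Words taken from the slide's list; the table is keyed by the unsalted hash.
WORDS = ["cricket", "football", "england"]
PRECOMPUTED = {unsalted_hash(w): w for w in WORDS}

def demo():
    unsalted = unsalted_hash("football")
    rec_a = new_record("football")   # two users choosing the same password
    rec_b = new_record("football")
    return {
        "unsalted_found": PRECOMPUTED.get(unsalted),
        "salted_found": PRECOMPUTED.get(rec_a[1].hex()),
        "same_password_same_hash": rec_a[1] == rec_b[1],
        "verify_ok": verify("football", rec_a),
        "verify_bad": verify("Football", rec_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26} {value}")
```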
   Attacks can be greatly reduced by limiting
    the number of authentication attempts
    that can be performed each minute, and
    even blocking further attempts after a
    threshold of failed authentication attempts
    is reached.
   There are downloadable tools for
    password cracking
      RIP attacks
   Routing Information Protocol (RIP) routing attacks
    are often seen in routers which implemented the
    original RIP.
   RIP is used to distribute routing information within
    networks, such as shortest-paths, and advertising
    routes out from the local network.
   The original version of RIP has no built in
    authentication, and the information provided in a
    RIP packet is often used without verifying it.
   An attacker could forge a RIP packet, claiming his host
    "X" has the fastest path out of the network. All
    packets sent out from that network would then be
    routed through X, where they could be modified or
    examined. An attacker could also use RIP to
    effectively impersonate any host, by causing all
    traffic sent to that host to be sent to the attacker's
    machine instead.
   Version 2 of RIP was enhanced with a simple
    password authentication algorithm, which makes RIP
    attacks harder to carry out. IPsec VPN provides a way
    to keep routing information encrypted among the
    routers that implement the IPsec VPN.
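The version 2 password check described above, as an added example that is not part of the original slides: a Python receiver-side check that refuses RIP responses unless they are version 2 and carry a matching simple-password authentication entry. The packets and the shared password are constructed; function names are assumptions.

```python
import hmac
import socket
import struct

AUTH_AFI, SIMPLE_PASSWORD = 0xFFFF, 2   # RIP-2 authentication entry markers

def check_update(packet, password):
    """Decide whether a received RIP response may update the routing table."""
    if len(packet) < 24 or (len(packet) - 4) % 20:
        return "reject: malformed"
    command, version, _zero = struct.unpack("!BBH", packet[:4])
    if command != 2:
        return "ignore: not a response"
    if version != 2:
        return "reject: RIP version has no authentication"
    afi, auth_type = struct.unpack("!HH", packet[4:8])
    if afi != AUTH_AFI or auth_type != SIMPLE_PASSWORD:
        return "reject: no authentication entry"
    # Password field is 16 bytes, left-justified and padded with NULs.
    expected = password[:16].ljust(16, b"\0")
    if not hmac.compare_digest(packet[8:24], expected):
        return "reject: wrong password"
    return "accept"

def header(version):
    return struct.pack("!BBH", 2, version, 0)            # command 2 = response

def auth_entry(password):
    return struct.pack("!HH16s", AUTH_AFI, SIMPLE_PASSWORD, password)

def route_entry(prefix, mask, metric):
    return struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(prefix),
                       socket.inet_aton(mask), b"\0" * 4, metric)

# Constructed packets; "s3cret-rip" is a made-up shared password.
ROUTE = route_entry("0.0.0.0", "0.0.0.0", 1)             # "fastest path out" claim
SAMPLES = {
    "forged v1": header(1) + ROUTE,
    "v2 without auth": header(2) + ROUTE,
    "v2 wrong password": header(2) + auth_entry(b"guess") + ROUTE,
    "v2 correct password": header(2) + auth_entry(b"s3cret-rip") + ROUTE,
}

def classify(samples, password=b"s3cret-rip"):
    return {name: check_update(pkt, password) for name, pkt in samples.items()}
```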
    Packet Sniffing
   NIC cards normally only process packets (MAC)
    addressed to your PC
   Software/hardware is easily available to do this
   Can turn it promiscuous so that it processes all
    packets passing your portion of the network
   This means the contents of all packets can be seen –
    FTP, Telnet, POP3 all send passwords in clear text.
    Many more implications
   Should not be a problem in a switched environment
    as only packets destined for your PC will be on your
    segment, but ….
    Packet Sniffing
   MAC Flooding is an ARP Cache Poisoning technique
    aimed at network switches. When certain switches
    are overloaded they often drop into a "hub" mode.
   In "hub" mode, the switch is too busy to enforce its
    port security features and just broadcasts all network
    traffic to every computer in your network.
   By flooding a switch's ARP table with many spoofed
    ARP replies, a hacker can overload many vendors'
    switches and then packet sniff your network while
    the switch is in "hub" mode.
Number of intercepted phishing attempts (provided by MessageLabs)
Ratio of spam to legitimate email (provided by MessageLabs)
Ratio of virus-laden email to legitimate email (provided by MessageLabs)
Number of intercepted directed phishing attempts (provided by MessageLabs)
Attacks by industry (provided by IBM Security Monitoring)
Attacks by category (provided by IBM Security Monitoring)
