Address Spoofing and Denial of Service.ppt

The Ethernet Frame - IEEE 802.3 MAC modification/Spoofing Change the MAC on a Host (Cloning) Linux (ifconfig) Windows Network Settings Creating Link Layer Packets (Spoofing) libnet (API) Linkcat (tool – netcat for link layer) Modifying Windows XP Network Interface Modifying Windows XP Network Interface (continued) Modifying Linux Network Interface Address Resolution Protocol (ARP) Method to finding a hosts Ethernet address Broadcast message looking for the IP address Hosts maintain a cache to avoid frequent requests ARP Cache Poisoning Man in the Middle (MiM) Attack Session Stealing Packet/Data Injection Beat the Switch Making a Switch into a Hub Arpspoof Example Network and Transport Layers Internet Protocol (IP) Internet Control Message Protocol (ICMP) Transmission Control Protocol (TCP) User Data Protocol TCP Session Hijacking Internet Protocol (IP) IP provides a best-effort way to route datagrams from source to destination Source address, destination address: network number and host number IP spoofing: change or disguise source address IP Spoofing Non-blind attacks Attacker and target on same subnet Reply traffic can be sniffed Blind attacks Attacker and target on different subnets Reply traffic cannot be seen by attacker Attacker must be able to predict replies IP Spoofing Attacks made possible by IP spoofing include Denial of Service (DOS) Session Hijacking Man in the Middle To take over a TCP stream, sequence and acknowledgement numbers must be sniffed or predicted. Transmission Control Protocol (TCP) Source and Destination Ports Sequence and Acknowledgement number Reliability Checksum (not tamperproof) Transmission Control Protocol (TCP) Packet Types URG - Urgent ACK - Acknowledge PSH - Push RST - Reset SYN - Synchronize can flood a server FIN - Finish Transmission Control Protocol (TCP) (4) TCP connection initiation Three-way handshake Session Hijacking Session hijacking attacks: based on sniffing and IP spoofing Attacker monitors packets between Alice an