Network Security Flashcards
Define
Network Protocol
Network Security
Transports data between nodes of a network and defines the syntax/semantics (how)
Define
Layering
Network Security
Stacks of protocols for modularization (separation)
What is the TCP/IP Layering?
Network Security
Link (data transfer)
Transport (process to process transport)
Network (source to dest route)
Application (supporting network applications)
Define
Internet Protocol
Network Security
Connectionless, unreliable, best-effort datagram delivery between any nodes on the Internet, relying on lower-level layer protocols
Define
IP Address
Network Security
4-byte value unique to each network, written as four numbers separated by "."
Components of IP Datagram
Network Security
- Expiration
- Protocol
- Source Address
- Destination Address
Describe
Delivery of an IP datagram: same physical network
Network Security
Direct delivery in lower-level
Describe
Delivery of an IP datagram: different physical networks
Network Security
Pass through devices of intermediate networks
What are the two intermediate networks?
Network Security
Inter-networks: routers
Intra-networks: switches
Define
Ethernet
Network Security
Link-layer protocol that includes dest address, source address, and type
Define
Switches
Network Security
- Connects machines in the Local Area Networks (LAN)
- Stores/forwards Ethernet
- Examines incoming MAC addresses
- Maintains a table that maps MAC addresses and their respective ports
Types of Network Attacks
Network Security
- Local Area Network (LAN) Attacks
- Network Layer Attacks
- Transport Layer Attacks
Describe
Local Area Network (LAN) Attacks
Network Security
- Impersonate host
- Denial of service
- Access information
- Tamper with delivery mechanisms
Define
Sniffing/Eavesdropping
Network Security
Gathering traffic from the local network (promiscuous mode) to collect credentials, emails, files, etc.
Can sniffing go undetected?
Network Security
Mainly yes but can be detected by software
Define
Address Resolution Spoofing
Network Security
Sniffing all traffic between two hosts in a switched environment (intra-network)
How is Address Resolution Spoofing possible?
Network Security
Replies in a switched environment don’t need a matching request to be accepted
Define
Address Resolution Protocol (ARP)
Network Security
Mapping a host’s IP address to its link-layer address associated with peer’s hardware for direct delivery and sends messages through the underlying link-layer
Defenses against Address Resolution Spoofing
Network Security
- Static ARP entries
- Cache poisoning resistance
- Monitor changes and report suspicious mappings
Describe
Defense to Address Resolution Spoofing: Static ARP Entries
Network Security
Ignores dynamic updates
Limitation: difficult to manage in a large system
Describe
Defense to Address Resolution Spoofing: Cache Poisoning Resistance
Network Security
Ignoring unsolicited ARP replies and updates based on timeouts
Limitations: susceptible to hijacking, timeouts have limited usefulness
Hijacking is the product of
Network Security
Sniffing and spoofing
Describe
Process of hijacking
Network Security
Once the attacker sniffs and spoofs the necessary information, they are racing against the legitimate host to reply to the client’s request
Define
Rogue Gateway
Network Security
First hop for all Internet traffic
What happens if an attacker gains control of a rogue gateway?
Network Security
Attacker can sniff, intercept, block, and modify traffic
Define
Broadcast Protocol
Network Security
Enables transmission of messages
Securing LAN Mechanisms
Network Security
- Do nothing and assume that it is secure
- Smart switching/active monitoring
Define
Smart switching/active monitoring
Network Security
- Don’t broadcast traffic
- Forward Ethernet to the right path
- Filter requests to limit listening/filtering replies to limit replying
Define
Dynamic Host Configuration Protocol
Network Security
Dynamically allocates the IP address to hosts of a network and provides information about DNS server, gateway, and period of lease
Threats against Dynamic Host Config Protocol
Network Security
- Fake DNS server => redirection of DNS lookups
- Fake gateway router => interception of traffic, relay/modification of contents between host and remote machine
Define
Network Layer Attack
Network Security
Gaining access to a system that is isolated from other networks
What are the two types of Network Layer Attacks?
Network Security
IP Spoofing and Blind Spoofing
Define
IP Spoofing
Network Security
Impersonating sources of security-critical information to exploit address-based authentication
Define
Blind Spoofing
Network Security
Attacker sends an IP packet and forges the source IP with another host’s IP => receiver sends a response back (inaccessible to the attacker)
What are the two types of Internet spoofing?
Network Security
On-path and off-path spoofing
What can an on-path Internet spoofer do?
Network Security
See all traffic
What can an off-path Internet spoofer do?
Network Security
Has to blind spoof and guess header values/use brute force because they can’t see traffic
Define
Autonomous System (AS)
Network Security
Network that manages its internal routing and is interconnected to form the Internet
What does an Autonomous System (AS) do?
Network Security
Determines where its packets should be sent
Who specifies the routing of an Autonomous System (AS)?
Network Security
Border Gateway Protocol
What makes blind-spoofing and IP spoofing possible?
Network Security
Lack of edge-AS restricting IP spoofing or blocking packets with a different source IP address
Define
User Datagram Protocol (UDP)
Network Security
Transport layer protocol that is connectionless, unreliable, best-effort datagram delivery service; best suited for multi-media and services based on requests
Cons of User Datagram Protocol (UDP)
Network Security
No delivery, integrity, ordering, or non-duplication guaranteed
What does User Datagram Protocol (UDP) introduce?
Network Security
Port abstraction
Define
Port abstraction
Network Security
One can communicate with different components of the same IP address
User Datagram Protocol (UDP) Packet components
Network Security
- Length
- Destination port
- Source port (optional)
- Checksum (error detection, optional)
Types of User Datagram Protocol (UDP) Attacks
Network Security
- UDP Spoofing ~ IP Spoofing
- UDP Hijacking ~ UDP Spoofing variant
- UDP Port Scan - finding vulnerable/open ports
- Denial of Service
Define
Transmission Control Protocol (TCP)
Network Security
Transport layer protocol that provides connection-oriented, reliable stream delivery service
Guarantees of a Transmission Control Protocol (TCP)
Network Security
Ordering, delivery, non-duplication
What are the ports associated with in UDP and TCP?
Network Security
OS Processes
Function of TCP
Network Security
Allows 2 hosts to establish a connection identified by IP address/ports of source and destination (socket)
Describe
TCP Window
Network Security
Performs flow control and is dynamic
Describe
TCP Packet
Network Security
Includes source/dest ports, seq #, ack #, data
Define
Sequence Number (Seq #)
Network Security
Relative position of TCP segment in stream
Define
Acknowledgement Number (ACK #)
Network Security
Position of next byte expected from stream
List TCP flags
Network Security
- SYN
- ACK
- FIN
- RST
- PSH
Define
TCP Flag: SYN
Network Security
Set only in the 1st packet to request synchronization of sequence/acknowledgement numbers and kickstart the connection request
Define
TCP Flag: ACK
Network Security
Validates ACK # in all packets except 1st
Define
TCP Flag: FIN
Network Security
Indicates a request to terminate a stream in last packet from sender
Define
TCP Flag: RST
Network Security
Request to reset a connection
Define
TCP Flag: PSH
Network Security
Push buffered data request
List TCP Threats
Network Security
- Port Scan
- Disruption
- SYN Flooding
Define
TCP Threat: Port Scan
Network Security
Finds vulnerable/open ports
Types of TCP Port Scans
Network Security
- Normal
- SYN
- FIN
Describe
Port Scan: Normal
Network Security
Establishes a connection with an arbitrary port and follows the full TCP connection setup/shutdown (giveaway: lots of logs/connections)
Describe
Port Scan: SYN
Network Security
If a port is available, server/target will return an ACK packet (unavailable = RST packet) => scanner sends RST packet to “terminate” connection
Why is a SYN port scan not logged?
Network Security
A connection was never fully established
Describe
Port Scan: FIN
Network Security
Scanner sends a FIN packet to a host/target => open port: FIN ignored, closed port: RST
Define
TCP Threat: SYN Flooding
Network Security
Overload of connections
What does SYN Flooding cause?
Network Security
Denial of Service (DoS)
Defenses against SYN Flooding
Network Security
- Filtering
- Small time-outs for half-open connections
- Limiting the number of half-open connections
- Recycling the oldest half-open connections
- Requesting a SYN cookie to finish connection (set up and validate => reconstructed state)
Why can attackers spoof victim’s IP and SYN Flood?
Network Security
ACK packets are not needed
Describe
TCP Threat: Disruption
Network Security
Abrupt termination request with RST packet and acceptance with correct seq #
Two Injections following TCP Disruption
Network Security
RST and Data Injection
Define
RST Injection
Network Security
MITM with port and sequence #
Describe
Data Injection
Network Security
Control hijacking with port and sequence #
Requirement to execute TCP Disruption
Network Security
TCP spoofing
How to guess the sequence number?
Network Security
Establish a legitimate connection with the target and predict based on the observed information
Describe
TCP Connection Setup Process
Network Security
- Server listens to ports
- Client sends request (SYN packet) with initial sequence number (Sc)
- Server accepts and responds (SYN-ACK packet) with initial sequence number (Ss) and ACK # (Sc + 1)
- Client acknowledges with sequence number (Sc + 1) and acknowledgement number (Ss + 1)
- Data is sent
Describe
TCP Connection Shutdown Process
Network Security
- End A sends FIN packet (Sc)
- End B replies with ACK packet (seq # = Ss, ACK # = Sc + 1)
- End B sends FIN packet to close stream (seq # = Ss, ACK # = Sc + 1)
- A replies with ACK packet (seq # = Sc + 1, ACK # = Ss + 2)
If a TCP segment is accepted, what’s the order of the ack/seq/window?
Network Security
ACK # <= Seq # <= ACK # + Window