ICT 5301 Lecture5

The document discusses remote user authentication over networks and some of the common security issues including eavesdropping, replay attacks, and denial of service attacks. It also covers authentication methods like challenge-response authentication and describes defenses against distributed denial of service attacks like blocking spoofed source addresses and implementing rate controls.

Uploaded by voccubd

ICT 5301: Information System and Network Security
Dr. Hossen Asiful Mustafa
http://hossenmustafa.buet.ac.bd
Remote User Authentication
• Authentication over a network is more complex
  • problems of eavesdropping and replay
• Generally uses challenge-response:
  • user sends identity
  • host responds with a random number r
  • user computes f(r, h(P)) and sends it back
  • host compares the value from the user with its own computed value; if they match, the user is authenticated
• Protects against a number of attacks
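The four-step exchange above, implemented as an added worked example that is not part of the lecture slides. It assumes h is SHA-256, that f(r, h(P)) is HMAC-SHA256 keyed with h(P) over the challenge r, and uses a constructed user name, password and credential store. The host accepts each challenge once, which is what makes a captured (r, response) pair useless to a replaying eavesdropper; the stored h(P) remains a host-attack target, so the user file still needs protecting.

```python
import hashlib
import hmac
import secrets

# Constructed credential store: the host keeps h(P), never the password P itself.
# Assumption (not from the slides): h is SHA-256 and f(r, h(P)) is HMAC-SHA256
# keyed with h(P) over the challenge r.
def hash_password(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()


USER_DB = {"alice": hash_password("correct horse battery staple")}  # constructed sample


def host_challenge() -> bytes:
    """Host step 2: issue a fresh 128-bit random challenge r."""
    return secrets.token_bytes(16)


def user_response(password: str, r: bytes) -> bytes:
    """User step 3: compute f(r, h(P)); only this value crosses the network."""
    return hmac.new(hash_password(password), r, hashlib.sha256).digest()


def host_verify(username: str, r: bytes, response: bytes, used: set) -> bool:
    """Host step 4: recompute f(r, h(P)) from the stored h(P) and compare.

    Each challenge is accepted exactly once, so an eavesdropper who captured
    (r, response) gains nothing by replaying it later.
    """
    if r in used:
        return False
    used.add(r)
    stored = USER_DB.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored, r, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak how many bytes matched.
    return hmac.compare_digest(expected, response)


def run_exchange(username: str, password: str) -> bool:
    """Full exchange: identity -> challenge -> response -> verdict."""
    used = set()
    r = host_challenge()                     # host -> user
    response = user_response(password, r)    # user -> host
    return host_verify(username, r, response, used)


def replay_demo() -> tuple:
    """An eavesdropper records (r, response) from a genuine login and replays it."""
    used = set()
    r = host_challenge()
    response = user_response("correct horse battery staple", r)
    first = host_verify("alice", r, response, used)     # genuine login: accepted
    replay = host_verify("alice", r, response, used)    # same pair again: rejected
    return first, replay
```

Because the challenge never repeats, the response is bound to one session; this is the property the Replay slide below relies on.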
Authentication Security Issues
• Client attacks
  • The adversary attempts to achieve user authentication without access to the remote host or to the intervening communications path.
  • The adversary attempts to masquerade as a legitimate user; e.g., in a password-based system, the adversary may attempt to guess the likely user password.
• Host attacks
  • Directed at the user file at the host where passwords, token passcodes, or biometric templates are stored.
Authentication Security Issues
• Eavesdropping
  • An adversary attempts to learn the password
    • by observing the user,
    • finding a written copy of the password,
    • keystroke logging, etc.
• Replay
  • An adversary repeats a previously captured user response
Authentication Security Issues
• Trojan horse
  • An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric.
  • The adversary can then use the captured information to masquerade as a legitimate user.
• Denial-of-service
  • Attempts to disable a user authentication service by flooding the service with numerous authentication attempts.
Practical Application

Case Study: ATM Security
Denial of Service
• Denial of Service (DoS): an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space
• Attacks target
  • network bandwidth
  • system resources
  • application resources
• Have been an issue for some time
Classic Denial of Service Attacks
• Can use simple ping flooding
  • from a higher-capacity link to a lower-capacity one
  • causing loss of traffic
• Attack disadvantage
  • source of the flood traffic is easily identified
  • response is generated towards the source

Classic Denial of Service Attacks
Source Address Spoofing
• Use forged source addresses
  • easy to create, given sufficient privilege to use "raw sockets"
• Generate large volumes of packets
  • directed at the target
  • with different, random source addresses
• Causes the same congestion
  • responses are scattered across the Internet
  • the real source is much harder to identify
SYN Spoofing
• A common attack
• Attacks the ability of a server to respond to future connection requests
  • by overflowing the tables used to manage them
• Hence an attack on a system resource

TCP Connection Handshake

SYN Spoofing Attack
SYN Spoofing Attack
• Attacker often uses either
  • random source addresses
  • or that of an overloaded server
  • to block the return of (most) reset packets
• Has much lower traffic volume
  • attacker can be on a much lower-capacity link
Types of Flooding Attacks
• Classified based on the network protocol used
• ICMP flood
  • uses ICMP packets, e.g., echo request
  • typically allowed through; some are required
• UDP flood
  • alternative that uses UDP packets to some port
• TCP SYN flood
  • uses TCP SYN (connection request) packets
  • but as a volume attack
Distributed Denial of Service Attacks
• DoS has limited volume if a single source is used
• Multiple systems allow much higher traffic volumes, forming a Distributed Denial of Service (DDoS) attack
• Often compromised PCs / workstations
  • zombies with backdoor programs installed
  • forming a botnet
  • e.g., Tribe Flood Network (TFN), TFN2K

DDoS Control Hierarchy
Reflection Attacks
• Use the normal behavior of the network
• Attacker sends a packet to a server with a spoofed source address that is the target's
• Server response is directed at the target
• If many requests are sent to multiple servers, the responses can flood the target
• Various protocols, e.g., UDP or TCP/SYN
• Ideally want the response larger than the request
• Prevented if source-spoofed packets are blocked

Reflection Attacks
• Further variation creates a self-contained loop between intermediary and target
• Fairly easy to filter and block

Amplification Attacks
DNS Amplification Attacks
• Use DNS requests with a spoofed source address being the target
• Exploit DNS behavior to convert a small request into a much larger response
  • 60 byte request to 512 - 4000 byte response
• Attacker sends requests to multiple well-connected servers, which flood the target
  • need only a moderate flow of request packets
  • DNS servers will also be loaded
DoS Attack Defenses
• High traffic volumes may be legitimate
  • result of high publicity, e.g. "slash-dotted"
  • or to a very popular site, e.g. Olympics etc.
  • or legitimate traffic created by an attacker
• Three lines of defense against (D)DoS:
  • attack prevention and preemption
  • attack detection and filtering
  • attack source traceback and identification
Attack Prevention
• Block spoofed source addresses
  • on routers as close to the source as possible
  • still far too rarely implemented
• Rate controls in upstream distribution nets
  • on specific packet types
  • e.g. some ICMP, some UDP, TCP/SYN
• Use modified TCP connection handling
  • use SYN cookies when the table is full
  • or selective or random drop when the table is full
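The "use SYN cookies when the table is full" bullet, and the SYN spoofing slides it answers, as an added example that is neither the lecture's code nor any real TCP stack's. The cookie layout (5-bit time slot, 3-bit MSS index, 24-bit keyed hash over the connection 4-tuple) follows the classic SYN-cookie design; the secret, the MSS table, the 64-second time slot, the table size and the forged addresses in flood_demo are constructed assumptions. The point it shows: once the half-open table is full, each further SYN costs the server nothing but a hash, and a client that really completes the handshake is still accepted.

```python
import hashlib
import hmac
import os

# Constructed example. Server-side secret for the cookie MAC; real stacks rotate it.
SECRET = os.urandom(32)
# Assumption: the 3-bit MSS field indexes this table of encodable MSS values.
MSS_TABLE = [536, 1220, 1440, 1460]
SEQ_MASK = 0xFFFFFFFF


def _mac24(src, sport, dst, dport, slot) -> int:
    """24-bit keyed hash over the connection 4-tuple and the coarse time slot."""
    msg = f"{src}:{sport}>{dst}:{dport}@{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, sport, dst, dport, mss_index, slot) -> int:
    """Build the server ISN: 5 bits of time slot | 3 bits MSS index | 24-bit MAC.
    All handshake state lives in this number; nothing is stored in the half-open table."""
    if not 0 <= mss_index < len(MSS_TABLE):
        raise ValueError("mss_index out of range")
    mac = _mac24(src, sport, dst, dport, slot)
    return (((slot & 0x1F) << 27) | (mss_index << 24) | mac) & SEQ_MASK


def verify_syn_cookie(src, sport, dst, dport, ack_num, slot_now):
    """On the client's ACK, rebuild the cookie from ack_num - 1 and check the MAC.
    Returns the negotiated MSS if valid, else None. The current and the previous
    slot are accepted (slot = 64 s assumed), so a cookie expires after ~128 s."""
    cookie = (ack_num - 1) & SEQ_MASK
    slot_bits = cookie >> 27
    mss_index = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    if mss_index >= len(MSS_TABLE):
        return None
    for slot in (slot_now, slot_now - 1):
        if (slot & 0x1F) == slot_bits and _mac24(src, sport, dst, dport, slot) == mac:
            return MSS_TABLE[mss_index]
    return None


def server_on_syn(table, max_entries, src, sport, dst, dport, mss_index, slot):
    """Slide rule: keep normal half-open state while there is room, switch to
    cookies when the table is full. Returns (server ISN, mode)."""
    key = (src, sport, dst, dport)
    if len(table) < max_entries:
        isn = int.from_bytes(os.urandom(4), "big")
        table[key] = isn
        return isn, "table"
    return make_syn_cookie(src, sport, dst, dport, mss_index, slot), "cookie"


def server_on_ack(table, src, sport, dst, dport, ack_num, slot) -> bool:
    """Complete the handshake either from stored state or from a valid cookie."""
    key = (src, sport, dst, dport)
    if key in table:
        ok = ack_num == ((table[key] + 1) & SEQ_MASK)
        if ok:
            del table[key]
        return ok
    return verify_syn_cookie(src, sport, dst, dport, ack_num, slot) is not None


def flood_demo(n_spoofed=100, max_entries=16, slot=1000):
    """Constructed scenario: SYNs from forged sources that never send the final ACK,
    then one legitimate client. Returns (table size, cookies issued, legit ok)."""
    table, cookies = {}, 0
    for i in range(n_spoofed):
        _, mode = server_on_syn(table, max_entries, f"203.0.113.{i % 256}", 1024 + i,
                                "198.51.100.1", 80, 3, slot)
        cookies += mode == "cookie"
    isn, _ = server_on_syn(table, max_entries, "192.0.2.10", 50000, "198.51.100.1", 80, 3, slot)
    legit = server_on_ack(table, "192.0.2.10", 50000, "198.51.100.1", 80,
                          (isn + 1) & SEQ_MASK, slot)
    return len(table), cookies, legit
```

The trade-off a practitioner should know: with a cookie the server has no record of the SYN, so TCP options beyond the MSS index are lost and the retransmitted SYN-ACK is not possible; that is why stacks only switch to cookies once the table is full, as the slide says.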
Attack Prevention
• Block IP directed broadcasts
• Block suspicious services & combinations
• Manage application attacks with "puzzles" to distinguish legitimate human requests
• Good general system security practices
• Use mirrored and replicated servers when high performance and reliability are required
Responding to Attacks
• Need a good incident response plan
  • with contacts for the ISP
    • needed to impose traffic filtering upstream
  • details of the response process
• Have standard filters
• Ideally have network monitors and IDS
  • to detect and notify of abnormal traffic patterns
Responding to Attacks
• Identify the type of attack
  • capture and analyze packets
  • design filters to block attack traffic upstream
  • or identify and correct the system/application bug
• Have the ISP trace the packet flow back to its source
  • may be difficult and time consuming
  • necessary if legal action is desired
• Implement contingency plan
• Update incident response plan
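The "capture and analyze packets, then design filters" step of the two Responding to Attacks slides, as an added example that is not the course's code. A small analyzer over a constructed packet log flags a SYN flood by a high SYN rate with few completed handshakes, and uses the source distribution to decide the filter: one dominant source (classic flood) gets a source filter; dispersed sources (spoofed or DDoS) get an upstream rate limit plus SYN cookies, since a source filter cannot help. The log format, thresholds and addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed log format (not from the course):
# "<ISO time> <FLAG> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<flag>SYN|ACK|UDP|ICMP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze(lines, syn_threshold=50):
    """Per (destination, port, second): SYNs seen, handshakes completed (ACKs), sources.
    syn_threshold is an assumed per-second baseline for this server."""
    buckets = defaultdict(lambda: {"syn": 0, "ack": 0, "srcs": Counter()})
    for p in parse(lines):
        b = buckets[(p["dst"], p["dport"], p["ts"])]
        if p["flag"] == "SYN":
            b["syn"] += 1
            b["srcs"][p["src"]] += 1
        elif p["flag"] == "ACK":
            b["ack"] += 1
    findings = []
    for (dst, dport, second), b in sorted(buckets.items()):
        # Flood signature: many SYNs, fewer than a quarter of which ever complete.
        if b["syn"] < syn_threshold or b["ack"] * 4 > b["syn"]:
            continue
        top_src, top_n = b["srcs"].most_common(1)[0]
        if top_n * 2 >= b["syn"]:
            # One source dominates: a source filter at the edge is enough.
            action = f"drop src {top_src} dst {dst}:{dport}"
        else:
            # Sources dispersed (spoofed or botnet): filter by destination,
            # ask the ISP for an upstream SYN rate limit, rely on SYN cookies.
            action = f"rate-limit SYN dst {dst}:{dport} upstream; SYN cookies on host"
        findings.append({"dst": dst, "dport": dport, "second": second, "syn": b["syn"],
                         "ack": b["ack"], "sources": len(b["srcs"]), "action": action})
    return findings


def constructed_log(spoofed=True):
    """Build a sample capture: one second of attack traffic, one second of normal traffic."""
    lines = []
    for i in range(80):
        src = f"203.0.113.{i}" if spoofed else "203.0.113.9"
        lines.append(f"2024-05-01T10:00:00 SYN {src}:{40000 + i} -> 198.51.100.1:80")
    for i in range(2):
        lines.append(f"2024-05-01T10:00:00 ACK 192.0.2.{i}:5000{i} -> 198.51.100.1:80")
    for i in range(5):
        lines.append(f"2024-05-01T10:00:01 SYN 192.0.2.{i}:5100{i} -> 198.51.100.1:80")
        lines.append(f"2024-05-01T10:00:01 ACK 192.0.2.{i}:5100{i} -> 198.51.100.1:80")
    return lines
```

The SYN-to-ACK ratio matters more than the raw count: the "legitimate traffic created by an attacker" case on the DoS Attack Defenses slide also shows high volume, but its connections complete.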
Access Control

Access Control
• The prevention of unauthorized use of a resource
• The prevention of use of a resource in an unauthorized manner
• Central element of computer security
• Assume we have users and groups
  • who authenticate to the system
  • and are assigned access rights to certain resources on the system
Access Control Principles
• Authentication: The verification of an identity claimed by or for a system entity.
• Authorization: The granting of a right or permission to a system entity to access a system resource. This function determines who is trusted for a given purpose.
• Audit: An independent review and examination of system records and activities
  • to test for adequacy of system controls,
  • to ensure compliance with established policy and operational procedures,
  • to detect breaches in security, and
  • to recommend any indicated changes in control, policy and procedures.

Access Control Principles
Access Control Requirements
• Reliable input: An authentication mechanism ensures reliability of inputs
• Fine and coarse specifications: Access can be regulated to field level as well as class level
• Least privilege: Each system entity is granted the minimum system resources
• Open and closed policies
• Policy combinations, conflict resolution
• Administrative policies
Access Control Elements
• Subject: entity that can access objects
  • a process representing a user/application
  • often have 3 classes: owner, group, world/public
• Object: access-controlled resource
  • e.g. files, directories, records, programs etc.
  • number/type depend on the environment
• Access right: the way in which a subject accesses an object
  • e.g. read, write, execute, delete, create, search
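The three elements above combined into a working check, as an added example that is not part of the lecture: subjects fall into the owner/group/world classes, each object carries a rights set per class, and is_allowed is the reference monitor. It also exercises the open versus closed policy and the explicit-denial conflict resolution named on the Requirements slide; under the closed policy anything not granted is denied, which is least privilege in practice. The users, groups, rights and payroll file are constructed.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Right(Flag):
    """Access rights from the slide; a Flag so a permission set is one value."""
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    DELETE = auto()


NONE = Right(0)


@dataclass(frozen=True)
class Subject:
    """A process acting for a user: the user name plus the groups it belongs to."""
    user: str
    groups: frozenset


@dataclass
class Obj:
    """An access-controlled resource with owner / group / world rights."""
    name: str
    owner: str
    group: str
    owner_rights: Right = NONE
    group_rights: Right = NONE
    world_rights: Right = NONE
    # Explicit per-user denials, used for conflict resolution (deny wins).
    denied: dict = field(default_factory=dict)


def subject_class(subj: Subject, obj: Obj) -> str:
    """Which of the 3 classes the subject falls into for this object."""
    if subj.user == obj.owner:
        return "owner"
    if obj.group in subj.groups:
        return "group"
    return "world"


def granted_rights(subj: Subject, obj: Obj) -> Right:
    return {"owner": obj.owner_rights, "group": obj.group_rights,
            "world": obj.world_rights}[subject_class(subj, obj)]


def is_allowed(subj: Subject, obj: Obj, right: Right, policy: str = "closed") -> bool:
    """Reference-monitor check.
    closed policy: only explicitly granted rights are allowed (default deny).
    open policy:   everything is allowed unless explicitly denied.
    Conflict resolution: an explicit denial wins under either policy."""
    if right in obj.denied.get(subj.user, NONE):
        return False
    if policy == "closed":
        return right in granted_rights(subj, obj)
    if policy == "open":
        return True
    raise ValueError(f"unknown policy {policy!r}")


def access_matrix(subjects, objects) -> dict:
    """Rows = subjects, columns = objects, cells = rights actually allowed (closed policy)."""
    return {(s.user, o.name): [r.name for r in Right if is_allowed(s, o, r)]
            for s in subjects for o in objects}


# Constructed sample: a payroll file owned by alice, readable by the hr group,
# with bob (a member of hr) explicitly barred from reading it.
ALICE = Subject("alice", frozenset({"hr", "staff"}))
BOB = Subject("bob", frozenset({"hr"}))
CAROL = Subject("carol", frozenset({"staff"}))
PAYROLL = Obj("payroll.db", owner="alice", group="hr",
              owner_rights=Right.READ | Right.WRITE | Right.DELETE,
              group_rights=Right.READ,
              denied={"bob": Right.READ})
```

access_matrix is the flattened view of the same data: reading a row gives the minimum set of rights a subject holds, which is what an audit of least privilege compares against what the subject actually needs.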
