Auditing, Monitoring, Intrusion Prevention, Intrusion Detection, and Penetration Testing
"Unlike IP fragmentation (which can be done by intermediate devices), IP reassembly can be done only at the final destination. What problems do you see if IP reassembly is attempted in intermediate devices like routers?" [ ]
IP fragmentation is the mechanism by which IP splits a datagram into smaller pieces so that it can cross a link whose MTU (maximum transmission unit) is smaller than the datagram. In IPv4 any router on the path may fragment, but the fragments are not put back together until they reach the final destination host, which must reassemble the datagram before handing it to the transport layer. In practice some intermediate devices do reassemble: a NAT (network address translation) device or a stateful firewall may perform "virtual" reassembly so that it can translate or inspect the whole datagram. That is exactly where the problems appear.

Several problems arise if reassembly is attempted at an intermediate device such as a router:
• Fragments of one datagram need not follow the same path. IP is connectionless and routes can change between fragments, so a router may see only some of the fragments and can never complete the datagram; it has tied up buffer space for nothing, while the final destination would have received everything.
• Reassembly requires per-datagram state: a buffer keyed on source, destination, protocol and the Identification field, plus a timer. Routers are designed to forward large numbers of packets quickly with minimal state; holding partially assembled datagrams slows forwarding and increases the complexity of what the router has to do. Worse, an attacker can exhaust the reassembly buffers by sending many first fragments whose last fragments never arrive, producing a reassembly deadlock in which a large number of datagrams sit partially reassembled and none completes.
• The loss of a single fragment means the loss of the whole datagram. Fragments are lost for the same reasons as any other packet (congestion, link errors, idiosyncratic gateway behaviour); the transport layer then retransmits the whole segment, which is fragmented again, so a continuous loss of fragments leads to poor performance. Reassembling in the middle does not avoid this but adds one more place where the datagram can be dropped.
• A datagram reassembled at a router may have to be fragmented again at the next link with a smaller MTU, so the router's work is wasted and the extra packets still travel the rest of the route. Fragmentation already doubles the header processing in the common case: if 1010-byte datagrams cross a link with a 1000-byte MTU, every datagram becomes two fragments, so downstream nodes handle twice as many packets and headers for the same payload.

In short, intermediate devices are not designed for reassembly; when they are forced to do it they add latency, state and a new point of failure. (Kozierok, 2005).
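The following Python model is added here as an illustration; it is not code from the original paper or from any IP stack. It fragments a datagram the way IPv4 does (a 20-byte header without options is assumed, offsets are multiples of 8) and reassembles it in a table keyed on the Identification field. It reproduces three of the points above: the 1010-byte datagram over a 1000-byte MTU becomes two packets, a router that sees only some of the fragments never completes the datagram but keeps the buffer, and a bounded reassembly table fills up when last fragments never arrive. The sizes, identifiers and the max_pending limit are constructed for the example.

```python
"""IPv4 fragmentation and reassembly in miniature (added example).
Models the offset/MF mechanics with a 20-byte header and no options."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPV4_HEADER = 20  # minimal IPv4 header; options are ignored in this model


@dataclass(frozen=True)
class Fragment:
    ident: int      # Identification field shared by all fragments of a datagram
    offset: int     # Fragment Offset in bytes (encoded in 8-byte units on the wire)
    more: bool      # MF flag: more fragments follow
    payload: bytes


def fragment(ident: int, payload: bytes, mtu: int) -> List[Fragment]:
    """Split a datagram payload so every fragment fits the MTU.  All fragments
    except the last carry a multiple of 8 bytes, as the offset encoding requires."""
    capacity = (mtu - IPV4_HEADER) // 8 * 8
    if capacity <= 0:
        raise ValueError("MTU too small to carry a fragment")
    frags, off = [], 0
    while off < len(payload):
        chunk = payload[off:off + capacity]
        frags.append(Fragment(ident, off, off + len(chunk) < len(payload), chunk))
        off += len(chunk)
    return frags


class Reassembler:
    """Reassembly table as a host (or an over-ambitious router) would keep it.
    Each partially seen datagram costs a buffer slot until it completes or times
    out; a node that never sees the remaining fragments just burns the slot."""

    def __init__(self, max_pending: int = 64):
        self.pending: Dict[int, Dict[int, Fragment]] = {}
        self.max_pending = max_pending

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Store a fragment; return the full payload once the last gap closes."""
        if frag.ident not in self.pending and len(self.pending) >= self.max_pending:
            raise MemoryError("reassembly table full: fragment dropped")
        slots = self.pending.setdefault(frag.ident, {})
        slots[frag.offset] = frag
        expected = 0
        for off in sorted(slots):
            if off != expected:
                return None                     # hole before this fragment
            expected = off + len(slots[off].payload)
            if not slots[off].more:
                del self.pending[frag.ident]    # complete: release the slot
                return b"".join(slots[o].payload for o in sorted(slots))
        return None                             # last fragment (MF=0) not seen yet


def fragment_count(datagram_len: int, mtu: int) -> Tuple[int, int]:
    """(fragments, total bytes on the wire) for one datagram of the given size."""
    frags = fragment(1, bytes(datagram_len - IPV4_HEADER), mtu)
    return len(frags), sum(IPV4_HEADER + len(f.payload) for f in frags)


def router_view(payload: bytes, mtu: int, seen: List[int]) -> Tuple[Optional[bytes], int]:
    """A router that receives only the fragments with indexes in `seen` (the
    others took another path).  Returns (reassembled payload or None, number
    of datagrams still occupying a buffer slot)."""
    frags = fragment(7, payload, mtu)
    r, result = Reassembler(), None
    for i in seen:
        result = r.add(frags[i])
    return result, len(r.pending)


if __name__ == "__main__":
    print("1010-byte datagram over MTU 1000 -> (fragments, wire bytes):", fragment_count(1010, 1000))
    data = bytes(range(256)) * 5                  # constructed 1280-byte payload
    print("router seeing fragments 0 and 2 only:", router_view(data, 576, [0, 2]))
```

Run it and the router that sees fragments 0 and 2 returns (None, 1): nothing delivered, one buffer slot still held. The destination host, which receives all three, would complete the datagram regardless of the order in which the fragments arrive.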
b. "Let's assume that Host A (receiver) receives a TCP segment from Host B (sender) with an out-of-order sequence number that is higher than expected as shown in the diagram. Then, what do Host A (receiver) and host B (sender) do"? [ ]
Answer:
Suppose the segments are 100 bytes long and Host A has received bytes 1 to 100, so it expects sequence number 101 next. If the next segment to arrive carries sequence number 201 (bytes 201 to 300), there is a gap: segment 101 to 200 was lost, delayed or took a different route, since the packets of a single stream may traverse different paths from source to destination and may be corrupted or dropped on the way. TCP handles this by numbering every byte and acknowledging cumulatively. Host A does not treat the out-of-order segment as if it were in order; it buffers bytes 201 to 300 and immediately sends a duplicate ACK with acknowledgement number 101, telling Host B that it is still waiting for byte 101 (if SACK was negotiated, the ACK also carries a SACK block saying that 201 to 300 has arrived, so B knows exactly what is missing). Host B keeps all unacknowledged data in its retransmission buffer; after three duplicate ACKs for 101 it performs fast retransmit of segment 101 to 200 without waiting for the retransmission timer, and otherwise retransmits when the timer expires. When Host A receives the missing segment 101 to 200 it delivers bytes 101 to 300 to the application in order and replies with ACK 301, which acknowledges both 101 to 200 and the previously buffered 201 to 300 in one cumulative acknowledgement.
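The exchange described above, written out as an added example (this is illustrative code, not code from the original paper): a receiver that buffers the out-of-order segment and answers with duplicate ACKs (plus SACK blocks, assuming SACK was negotiated), and a sender that fast-retransmits after three duplicates. The scenario uses the question's 100-byte segments, with 101-200 delayed behind 201-500; the segment contents are constructed.

```python
"""TCP receiver reassembly, cumulative/duplicate ACKs and fast retransmit
(added example; in-order delivery only, no window or timers modelled)."""
from typing import Dict, List, Optional, Tuple


class TcpReceiver:
    """Host A's receive side for one connection."""

    def __init__(self, initial_seq: int):
        self.rcv_nxt = initial_seq            # next byte A expects
        self.ooo: Dict[int, bytes] = {}       # out-of-order segments, keyed by seq
        self.delivered = bytearray()          # bytes handed to the application

    def receive(self, seq: int, data: bytes) -> Tuple[int, List[Tuple[int, int]]]:
        """Accept a segment; return (ACK number, SACK blocks) to send back.
        SACK blocks (RFC 2018) are [start, end) byte ranges held above rcv_nxt."""
        if seq + len(data) <= self.rcv_nxt:
            pass                              # old duplicate: nothing new, ACK rcv_nxt again
        elif seq > self.rcv_nxt:
            self.ooo[seq] = data              # gap ahead of it: buffer, do not deliver
        else:
            # In order (or partly overlapping): deliver what is new ...
            self.delivered += data[self.rcv_nxt - seq:]
            self.rcv_nxt = seq + len(data)
            # ... then drain any buffered segments that now fit
            while self.rcv_nxt in self.ooo:
                chunk = self.ooo.pop(self.rcv_nxt)
                self.delivered += chunk
                self.rcv_nxt += len(chunk)
        return self.rcv_nxt, self._sack_blocks()

    def _sack_blocks(self) -> List[Tuple[int, int]]:
        blocks: List[Tuple[int, int]] = []
        for s in sorted(self.ooo):
            e = s + len(self.ooo[s])
            if blocks and blocks[-1][1] == s:
                blocks[-1] = (blocks[-1][0], e)   # merge adjacent ranges
            else:
                blocks.append((s, e))
        return blocks


class TcpSender:
    """Host B's view: counts duplicate ACKs and triggers fast retransmit (RFC 5681)."""

    DUP_ACK_THRESHOLD = 3

    def __init__(self):
        self.last_ack: Optional[int] = None
        self.dup_acks = 0

    def on_ack(self, ack: int) -> Optional[int]:
        """Return the sequence number to retransmit now, or None."""
        if ack == self.last_ack:
            self.dup_acks += 1
            if self.dup_acks == self.DUP_ACK_THRESHOLD:
                return ack                    # the byte the receiver keeps asking for
        else:
            self.last_ack, self.dup_acks = ack, 0
        return None


def simulate_out_of_order() -> dict:
    """The question's scenario: 100-byte segments, segment 101-200 delayed."""
    a, b = TcpReceiver(initial_seq=1), TcpSender()
    segs = {s: bytes([s % 256]) * 100 for s in (1, 101, 201, 301, 401)}   # constructed payloads
    trace, retransmit = [], None
    # 1-100 arrives, then 201-300, 301-400 and 401-500 while 101-200 is still missing
    for seq in (1, 201, 301, 401):
        ack, sack = a.receive(seq, segs[seq])
        trace.append((seq, ack, sack))
        retransmit = b.on_ack(ack) or retransmit
    # Three duplicate ACK 101s made B fast-retransmit 101-200; A then ACKs everything
    ack, sack = a.receive(retransmit, segs[retransmit])
    trace.append((retransmit, ack, sack))
    return {"trace": trace, "delivered": bytes(a.delivered), "retransmitted": retransmit}


if __name__ == "__main__":
    for seq, ack, sack in simulate_out_of_order()["trace"]:
        print(f"A got seq {seq:>3} -> sends ACK {ack} SACK {sack}")
```

The trace shows ACK 101 repeated three times with a growing SACK block, the retransmission of 101, and a single ACK 501 that covers the retransmitted segment and the three buffered ones.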
2. "Describe or propose a way to detect ARP spoofing attack. What could be a possible weakness in your proposed method? Please do not discuss any prevention method (e.g., port security is an example of a preventive method)."[ ]
Answer
ARP (Address Resolution Protocol) spoofing is possible because ARP has no authentication mechanism: any host on the LAN (local area network) can send an ARP reply, or a gratuitous request, claiming any IP-to-MAC mapping, and the other hosts update their caches accordingly. Attackers use this to intercept data frames on the local network, which enables session hijacking, man-in-the-middle interception and denial of service (for example by mapping the gateway's IP address to a non-existent MAC address). A passive approach, monitoring ARP traffic and looking for inconsistencies such as an IP address whose MAC address changes or one MAC address answering for several IP addresses, is an effective way to detect ARP spoofing on a corporate Ethernet. Its downside is the time lag between the attack and its detection: by the time the change is noticed, the damage may already be done. Specialised tools implement this kind of monitoring. Arpwatch, for example, keeps a database of the IP-to-MAC pairings seen on a segment, writes changes to syslog and e-mails the network administrator when a mapping changes ("changed ethernet address") or alternates between two addresses ("flip flop").
Intrusion detection systems (IDSs) are another way to detect ARP spoofing and can notify the security administrator through an alarm or alert. Their major setback is false alarms: a legitimate change (a replaced network card, a DHCP lease moving to another host, a failover pair sharing a virtual IP address) produces exactly the same evidence as an attack, and signature-based IDSs have limited ARP-specific detection. ARP-Guard is a further detection system, which delegates the detection task to dedicated sensor stations. It is effective at detecting ARP poisoning, but an attacker may hide within a large volume of legitimate traffic for a long time and remain undetected (Abad & Bonilla, 2007).
Kukoleca, Zdravkovic and Ivanovic (2014) argue that syslog is an effective basis for detecting ARP spoofing, because the logs of switches, hosts and monitoring tools contain the information needed to tell when the network has been poisoned, and they provide the forensic data needed to map out the events that led to the breach. The shortcoming of a log-based method is that the logs are themselves unauthenticated: an attacker on the LAN can inject false entries to deceive the security administrator, and a monitor that starts after the poisoning has begun records the attacker's mapping as the legitimate baseline.
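An Arpwatch-style monitor as an added example (illustrative code written for this page, not Arpwatch's own code and not from the original paper). It parses Ethernet/IPv4 ARP packets built with struct, records the first MAC seen for each IP address and alerts when that mapping changes or flips back, which is the passive method described above. The three scenarios at the end use constructed addresses (192.168.1.0/24 and the MACs shown) and demonstrate the attack being caught, a DHCP lease move raising the identical alert, and a monitor that started too late adopting the attacker's mapping as its baseline.

```python
"""Passive ARP monitoring in the style of Arpwatch (added example)."""
import struct
from typing import Dict, List, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed addresses for the scenarios
GW, GW_MAC = "192.168.1.1", "00:11:22:33:44:01"
HOST, HOST_MAC = "192.168.1.20", "00:11:22:33:44:20"
ATTACKER_MAC = "de:ad:be:ef:00:66"


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """28-byte Ethernet/IPv4 ARP body (RFC 826); used here to construct samples."""
    def mac(m: str) -> bytes:
        return bytes.fromhex(m.replace(":", ""))

    def ip(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))

    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))


def parse_arp(pkt: bytes) -> Tuple[int, str, str]:
    """Return (opcode, sender MAC, sender IP).  The sender fields are what a
    receiving host writes into its cache, so they are what a spoofer forges."""
    if len(pkt) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    smac = ":".join(f"{b:02x}" for b in pkt[8:14])
    sip = ".".join(str(b) for b in pkt[14:18])
    return opcode, smac, sip


class ArpMonitor:
    def __init__(self) -> None:
        self.table: Dict[str, str] = {}   # IP -> MAC currently believed
        self.alerts: List[str] = []

    def observe(self, pkt: bytes) -> None:
        opcode, smac, sip = parse_arp(pkt)
        if opcode not in (ARP_REQUEST, ARP_REPLY) or sip == "0.0.0.0":
            return                         # ignore probes that carry no sender IP
        known = self.table.get(sip)
        if known is None:
            self.table[sip] = smac         # first sighting is taken on trust (weakness)
        elif known != smac:
            self.alerts.append(f"changed ethernet address {sip}: {known} -> {smac}")
            self.table[sip] = smac         # follow the change so a flip back alerts too


def demo_attack() -> List[str]:
    """Attacker answers for the gateway; the real gateway's next reply flips it back."""
    mon = ArpMonitor()
    mon.observe(build_arp(ARP_REPLY, GW_MAC, GW, HOST_MAC, HOST))           # baseline
    mon.observe(build_arp(ARP_REQUEST, HOST_MAC, HOST, "00:00:00:00:00:00", GW))
    mon.observe(build_arp(ARP_REPLY, ATTACKER_MAC, GW, HOST_MAC, HOST))     # poison
    mon.observe(build_arp(ARP_REPLY, GW_MAC, GW, HOST_MAC, HOST))           # flip flop
    return mon.alerts


def demo_false_positive() -> List[str]:
    """A DHCP lease moving to another machine raises the very same alert."""
    mon = ArpMonitor()
    mon.observe(build_arp(ARP_REPLY, "00:11:22:33:44:30", "192.168.1.30", GW_MAC, GW))
    mon.observe(build_arp(ARP_REQUEST, "00:11:22:33:44:31", "192.168.1.30", "00:00:00:00:00:00", GW))
    return mon.alerts


def demo_late_start() -> Tuple[str, List[str]]:
    """Monitor started after the poisoning: the attacker becomes the baseline
    and the real gateway is what gets flagged."""
    mon = ArpMonitor()
    mon.observe(build_arp(ARP_REPLY, ATTACKER_MAC, GW, HOST_MAC, HOST))
    baseline = mon.table[GW]
    mon.observe(build_arp(ARP_REPLY, GW_MAC, GW, HOST_MAC, HOST))
    return baseline, mon.alerts


if __name__ == "__main__":
    print("attack:", demo_attack())
    print("lease move:", demo_false_positive())
    print("late start:", demo_late_start())
```

The second and third scenarios are the weakness in practice: the monitor reports a change of address, not an attack, so every alert needs a human or an inventory system to decide whether the new MAC is legitimate, and the baseline is only as trustworthy as the traffic that happened to be on the wire when the monitor started.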
3. "[Wireless LAN Security - WEP] What is the main difference between the FMS attack and the Chopchop attack? Clearly explain your answer." [ ]
Answer:
Many flaws have been found in WEP (Wired Equivalent Privacy). Its goal is data confidentiality, but because of the way it uses RC4 it cannot guarantee confidentiality against a number of practical attacks. The FMS attack (Fluhrer, Mantin and Shamir) and the chopchop attack (KoreK) are two of the best known. FMS is a passive, statistical key-recovery attack on the RC4 key scheduling. The attacker listens to WEP-protected traffic and records encrypted packets together with their 24-bit initialisation vectors (IVs), which the sender transmits in the clear and prepends to the secret key to form the per-packet RC4 key. Because the first plaintext byte of almost every packet is predictable (the LLC/SNAP header starts with 0xAA), the attacker recovers the first byte of the keystream of each packet. For certain weak IVs, for example those of the form (B+3, 255, x) when attacking secret key byte B, the attacker can simulate the first B+3 steps of the RC4 key scheduling algorithm (KSA), since those steps depend only on the three IV bytes and on key bytes already recovered, and invert the state to obtain a candidate for the next secret key byte. The candidate is correct with a probability of about 5%, whereas a wrong candidate is essentially a uniform guess, so by collecting many weak IVs and voting the attacker recovers the key one byte at a time, tests the winning candidate and, if it does not work, tries the next one. The cost is traffic: the original FMS attack needs on the order of 4 to 6 million captured packets for a success probability of at least 50%, which is why attackers often stimulate traffic (for instance by replaying captured ARP requests at the access point) instead of waiting for it.
The chopchop attack, on the other hand, does not recover the key at all; it decrypts a single captured packet without it. WEP's integrity check value (ICV) is a CRC-32, which is linear, so when the last byte of the encrypted payload is chopped off, the attacker can guess the plaintext value of that byte and compute a correction to the truncated ICV that makes the shortened packet valid again if the guess is right. The access point (AP) serves as the oracle: the attacker XORs the correction into the ciphertext, re-transmits the shortened packet, typically addressed to a multicast address so that the AP relays it onto the network, and the AP forwards it only when the ICV checks out, which confirms the guessed byte after at most 256 tries (128 on average). Repeating this from the last byte backwards recovers the whole plaintext of the packet, and with it the keystream for that IV, which can then be used to inject arbitrary packets. The main differences are therefore: FMS is passive and statistical, works from the first keystream byte of many packets, and recovers the WEP key itself, with about a 50% chance of success after millions of packets; chopchop is active, uses the AP as a decryption oracle, starts from the last byte of one packet and yields that packet's plaintext and keystream rather than the key. Chopchop thus bypasses WEP encryption without ever supplying or learning the key, while FMS reveals the key and so breaks all traffic.
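To make the FMS mechanics concrete, here is an added example (not code from the original paper or from any WEP cracking tool) of RC4 key scheduling and the weak-IV vote for the first secret key byte. It assumes the known first plaintext byte 0xAA of the LLC/SNAP header, IVs of the weak class (3, 255, x), and a constructed 40-bit key SECRET. Running it shows the true byte winning the vote with roughly 5% of the 256 weak IVs voting for it against about one vote for each wrong value, which is why millions of packets are needed for the whole key in practice. The simulate-then-invert step generalises to key byte B with IVs (B+3, 255, x) once bytes 0 to B-1 are known, and the functions are written for that general case.

```python
"""RC4 key scheduling and the FMS weak-IV vote (added example, toy WEP)."""
from collections import Counter
from typing import List, Sequence, Tuple

SNAP_FIRST_BYTE = 0xAA                       # LLC/SNAP header: known first plaintext byte
SECRET = [0x1F, 0x2B, 0x3C, 0x4D, 0x5E]      # constructed 40-bit WEP key for the demo


def ksa(key: Sequence[int], steps: int = 256) -> Tuple[List[int], int]:
    """RC4 key scheduling.  With steps < 256 it returns the partial state and j,
    which an attacker can compute as long as the first `steps` key bytes are known."""
    s, j = list(range(256)), 0
    for i in range(steps):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s, j


def rc4_first_byte(key: Sequence[int]) -> int:
    """First PRGA output byte of RC4 under `key`."""
    s, _ = ksa(key)
    i, j = 1, s[1]
    s[i], s[j] = s[j], s[i]
    return s[(s[i] + s[j]) & 0xFF]


def wep_first_cipher_byte(iv: Tuple[int, int, int], secret: Sequence[int]) -> int:
    """WEP per-packet key is IV || secret; the IV travels in clear with the frame."""
    return SNAP_FIRST_BYTE ^ rc4_first_byte(list(iv) + list(secret))


def is_weak(iv: Tuple[int, int, int], known: Sequence[int]) -> bool:
    """FMS 'resolved' condition after the B+3 known KSA steps (B = len(known)):
    S[1] = X and S[X] = Y with X + Y = B+3 and X < B+3, so that if the remaining
    steps leave those cells alone the first keystream byte equals S[B+3]."""
    b = len(known)
    s, _ = ksa(list(iv) + list(known), steps=b + 3)
    x = s[1]
    return x < b + 3 and (x + s[x]) == b + 3


def fms_guess(iv: Tuple[int, int, int], known: Sequence[int], cipher0: int) -> int:
    """Candidate for secret byte B from one weak IV and one ciphertext byte.
    Step B+3 sets S[B+3] = S[j'] with j' = j + S[B+3] + K[B+3]; if the keystream
    byte z still equals that cell, K[B+3] = S^-1[z] - j - S[B+3]."""
    b = len(known)
    s, j = ksa(list(iv) + list(known), steps=b + 3)
    z = cipher0 ^ SNAP_FIRST_BYTE
    return (s.index(z) - j - s[b + 3]) & 0xFF


def vote(known: Sequence[int], observations) -> List[Tuple[int, int]]:
    """observations: (iv, first ciphertext byte) pairs captured passively.
    Returns candidates for the next secret byte as (byte, votes), most votes first."""
    votes = Counter(fms_guess(iv, known, c0) for iv, c0 in observations if is_weak(iv, known))
    return votes.most_common()


def capture_weak_ivs(secret: Sequence[int], b: int = 0):
    """Constructed capture: every IV of the class (B+3, 255, x) with its first ciphertext byte."""
    return [((b + 3, 255, x), wep_first_cipher_byte((b + 3, 255, x), secret)) for x in range(256)]


if __name__ == "__main__":
    ranking = vote([], capture_weak_ivs(SECRET))
    print("true K[3] = %#04x; top candidates (byte, votes):" % SECRET[0], ranking[:5])
```

The ranking is probabilistic: the true byte collects around a dozen votes from 256 weak IVs and a wrong byte around one, so with a real capture the attacker wants many more weak IVs per key byte, and each recovered byte extends `known` for the next round.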
4. "A large enterprise decides to use a symmetric encryption to protect routing update messages between its own routers (i.e. entire routing update messages are encrypted by a strong shared symmetric key). They think this will prevent routing table modification attacks. Do you think their decision is appropriate? Do you see any problems or issues with their decision"?
Answer:
Encrypting the routing updates is a re­asonable step, but on its own it does not achieve what the enterprise wants. Encryption provides confidentiality: an outsider cannot read the updates. A routing table modification attack is an integrity problem: what matters is that a router accepts only updates that really came from a legitimate neighbour and that have not been altered or replayed. A strong shared symmetric cipher does not guarantee this by itself. With a stream cipher or a counter mode, an attacker who knows the message layout can flip bits in the ciphertext (the metric field, say) without knowing the key, and the receiver decrypts a perfectly well-formed update carrying the modified value; with a block cipher in CBC mode the attacker can still cut, reorder or splice ciphertext blocks. Replaying an old, correctly encrypted update (for example the announcement of a route that has since been withdrawn) needs no key at all. What the routers need is message authentication: a MAC, or an authenticated-encryption mode, keyed between neighbours, together with a sequence number or timestamp so that replays are rejected; confidentiality can be added on top if the topology itself is sensitive. Symmetric primitives are well suited to this and are what line-rate routers actually use, because they avoid the cost of public-key operations: SEAD, for instance, authenticates distance-vector metrics and sequence numbers with one-way hash chains rather than by encrypting messages, and the authentication options of protocols such as OSPF and BGP rely on keyed hashes.
There are further issues with the decision as stated. A single key shared by every router in a large enterprise means that the compromise of any one router, backup, configuration repository or operator workstation exposes the key and lets the attacker forge updates to all the others; per-neighbour keys, distributed either from a centralized key server or by pairwise key agreement, limit the damage but add operational cost, and keys must be rotated without breaking adjacencies. A weak key generation mechanism leaves the key open to brute force, and an attacker positioned in the path (a man-in-the-middle) can record traffic for offline attack or for replay. Finally, encryption does nothing against a router that is itself compromised or misconfigured: it will emit valid, correctly encrypted, wrong updates. (Bruhadeshwar, Kulkarni, & Liu, 2011).
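The integrity problem in concrete terms, as an added example (not code from the original paper or from any routing implementation): a constructed update record, a counter-mode keystream derived with SHA-256 standing in for AES-CTR (it has the same malleability; a real deployment would use an authenticated mode such as AES-GCM), a man-in-the-middle who rewrites the metric in the ciphertext without the key, and a receiver that adds an HMAC and a per-neighbour sequence number to reject both the forgery and a replay. The shared key, nonce, prefix and neighbour names are constructed.

```python
"""Why an encrypted routing update can still be modified or replayed (added example)."""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# Constructed update layout: prefix (4 bytes), prefix length (1), metric (2), sequence number (4)
UPDATE_FMT = "!4sBHI"
METRIC_OFFSET = 5          # byte offset of the metric inside the plaintext update
NONCE_LEN = 8
SHARED_KEY = b"enterprise-wide shared routing key (constructed)"


def subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the shared secret."""
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()


def keystream(kenc: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream; stands in for AES-CTR, which is equally malleable."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(kenc + nonce + struct.pack("!I", ctr)).digest()
        ctr += 1
    return out[:n]


def encrypt_only(key: bytes, nonce: bytes, update: bytes) -> bytes:
    """What the enterprise proposed: encryption and nothing else."""
    kenc, _ = subkeys(key)
    ks = keystream(kenc, nonce, len(update))
    return nonce + bytes(p ^ k for p, k in zip(update, ks))


def decrypt_only(key: bytes, blob: bytes) -> Dict[str, int]:
    kenc, _ = subkeys(key)
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    pt = bytes(c ^ k for c, k in zip(ct, keystream(kenc, nonce, len(ct))))
    prefix, plen, metric, seq = struct.unpack(UPDATE_FMT, pt)
    return {"prefix": prefix, "plen": plen, "metric": metric, "seq": seq}


def flip_metric(blob: bytes, old_metric: int, new_metric: int) -> bytes:
    """Attacker without the key: XOR the metric delta into the ciphertext at the
    field's known offset.  Decryption then yields new_metric with no error."""
    delta = struct.pack("!H", old_metric ^ new_metric)
    b = bytearray(blob)
    for k in range(2):
        b[NONCE_LEN + METRIC_OFFSET + k] ^= delta[k]
    return bytes(b)


def seal(key: bytes, nonce: bytes, update: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    _, kmac = subkeys(key)
    blob = encrypt_only(key, nonce, update)
    return blob + hmac.new(kmac, blob, hashlib.sha256).digest()


class Router:
    """Receiver that verifies the tag and rejects replays per neighbour."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq: Dict[str, int] = {}

    def accept(self, neighbour: str, sealed: bytes) -> Tuple[bool, str]:
        _, kmac = subkeys(self.key)
        blob, tag = sealed[:-32], sealed[-32:]
        if not hmac.compare_digest(tag, hmac.new(kmac, blob, hashlib.sha256).digest()):
            return False, "bad tag"
        upd = decrypt_only(self.key, blob)
        if upd["seq"] <= self.last_seq.get(neighbour, -1):
            return False, "replay"
        self.last_seq[neighbour] = upd["seq"]
        return True, f"installed {upd['prefix'].hex()}/{upd['plen']} metric {upd['metric']}"


def build_update(prefix: str, plen: int, metric: int, seq: int) -> bytes:
    return struct.pack(UPDATE_FMT, bytes(int(o) for o in prefix.split(".")), plen, metric, seq)


if __name__ == "__main__":
    upd, nonce = build_update("10.0.0.0", 8, 5, 42), b"\x00" * 7 + b"\x01"
    print("encrypt-only, tampered:", decrypt_only(SHARED_KEY, flip_metric(encrypt_only(SHARED_KEY, nonce, upd), 5, 1)))
    r, sealed = Router(SHARED_KEY), seal(SHARED_KEY, nonce, upd)
    print(r.accept("R2", sealed), r.accept("R2", flip_metric(sealed, 5, 1)), r.accept("R2", sealed))
```

With encryption only, the tampered update decrypts to metric 1 and would be installed; with the tag the same tampering is rejected, and presenting the genuine sealed update a second time is rejected as a replay. Neither protection helps against a neighbour that holds the key and is itself compromised.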
5. "An ACK scan does not provide information about whether a target machine's ports are open or closed, but rather whether or not access to those ports is being blocked by a firewall. If there is no response or an ICMP "destination unreachable" packet is received as a response, then the port is blocked by a firewall. If the scanned port replies with an RST packet, then ACK packet reached its intended host. So the target port is not being filtered by a firewall. Note, however, that port itself may be open or closed."
"Describe a rule (or a set of rules) that could be used by Snort to detect an ACK scan. Clearly express your assumptions and explain your rules. Do you think Bro can do a better job detecting an ACK scan? Explain your answer." [ ]
Answer
Snort is a widely used open source network IDS (intrusion detection system) and IPS (intrusion prevention system). Its strength is its rule language, with rules shared by the Snort community and by vendors, which describes the traffic to alert on or block. A Snort rule consists of a rule header (action, protocol, source and destination addresses and ports, direction) followed by the rule options, enclosed in parentheses and separated by semicolons (Rehman, 2003).
Port scans tend to target the well-known ports, because exploits are written for vulnerabilities in widely used services, applications and protocols, so rules aimed at the privileged range 0 to 1023 catch most scan activity. When a rule carries several options they are combined as a logical AND: the action is invoked only when all of them match. An option generally has two parts, a keyword and an argument, separated by a colon, for example:
msg: "Detected confidential";
Here msg is the keyword and "Detected confidential" is the argument. For an ACK scan the relevant options are flags, which tests the TCP flag bits (flags:A matches segments in which only the ACK bit is set); ack, which tests the 32-bit Acknowledgment Number field, the sequence number the sender next expects to receive (older Nmap versions sent ACK probes with acknowledgment number 0, which is why ack:0 appears in published scan rules); and flow, which states whether the segment belongs to an established session. The assumptions are that $HOME_NET is the protected network, that Snort runs with stream tracking enabled so that ACKs belonging to tracked sessions can be told apart from stateless ones, and that a scan is one source sending bare ACKs to many ports within a short time. Rather than writing a signature per port, the scan is best caught by the sfPortscan preprocessor, which looks for the pattern of probes and negative responses (the RST replies from unfiltered ports) across many ports and hosts. The following snort.conf fragment enables it together with the stream5 state tracking it relies on:
    preprocessor sfportscan: proto { all } \
                             scan_type { all } \
                             sense_level { high } \
                             logfile { portscan.log }

    # Some additional pre-processor things
    preprocessor stream5_global: track_tcp yes, \
                                 track_udp yes, track_icmp no, max_tcp 262144, \
                                 max_udp 131072, \
                                 max_active_responses 2, \
                                 min_response_seconds 5
    preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
                              overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
                              ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \
                                  161 445 513 514 587 *** 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
                                  7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
                              ports both 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 591 593 631 636 901 989 992 993 \
                                  *** 1414 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 7779 \
                                  7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
                                  7917 7918 7919 7920 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8222 8243 8280 8300 \
                                  8500 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 10000 11371 34443 34444 41080 50000 50002 55555
    preprocessor stream5_udp: timeout 180
(Security Site, 2016, p. 1; the "***" entries appear as such in the source.)
This configuration detects ACK scans as port scans, but it will also generate false positives: load balancers, stateless keepalives and sessions that began before Snort started all produce unsolicited ACKs, so analysts should review the alerts over time and look for trends (one source, many ports, RST responses) rather than act on single events. Snort is, at heart, a packet sniffer with signature matching, which makes it good at identifying specific, known attacks. Bro (now Zeek) is better suited to this particular job. Instead of matching individual packets it reconstructs connections and generates events, and its scan-detection scripts count, per source host, the connections that never completed a handshake over a configurable time window. That gives it the connection context an ACK scan violates, lets slow scans be correlated over long periods, and allows the policy to be written as a script ("alert when a host probes more than N distinct ports on M hosts within T minutes") rather than as a per-packet signature, so it raises fewer false alarms for the same scan. Bro therefore detects a policy violation, not merely a packet pattern.
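What the rule logic amounts to, as an added example in Python rather than Snort syntax (this is not code from the original paper, from Snort or from Bro). A single Snort signature for ACK probes would be of the form `alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"bare ACK outside a session"; flags:A; flow:not_established; detection_filter:track by_src, count 10, seconds 60; sid:1000001; rev:1;)`, with the SID, count and window chosen for this example. The class below does the same thing over a packet trace: it tracks the three-way handshake so ACKs inside sessions are ignored, counts the distinct ports hit by bare ACKs from one source within a window, and alerts at a threshold. The constructed trace contains one legitimate session and a 12-port ACK scan; the second scenario spaces the probes 10 s apart and shows why a per-window threshold, like a per-packet rule, misses slow scans that Bro's longer-lived connection state can still correlate.

```python
"""ACK-scan detection logic over a constructed packet trace (added example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


class Pkt(NamedTuple):
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class AckScanDetector:
    def __init__(self, home_net: str, threshold: int = 10, window: float = 60.0) -> None:
        self.home_net = home_net                     # prefix match, e.g. "192.168.1." (assumed)
        self.threshold, self.window = threshold, window
        self.state: Dict[Tuple, str] = {}            # 4-tuple -> syn | synack | established
        self.probes: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
        self.alerts: List[str] = []

    def feed(self, p: Pkt) -> None:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags & RST:                            # RST (including replies to probes) ends state
            self.state.pop(fwd, None)
            self.state.pop(rev, None)
            return
        bare_ack = p.flags == ACK
        if p.flags & SYN and not p.flags & ACK:
            self.state[fwd] = "syn"                  # client SYN
        elif p.flags & SYN and self.state.get(rev) == "syn":
            self.state[rev] = "synack"               # server SYN/ACK
        elif bare_ack and self.state.get(fwd) == "synack":
            self.state[fwd] = "established"          # handshake completes
        elif p.flags & ACK and "established" in (self.state.get(fwd), self.state.get(rev)):
            return                                   # ACK inside a tracked session
        elif bare_ack and p.dst.startswith(self.home_net):
            self._stateless_ack(p)                   # what flags:A; flow:not_established matches

    def _stateless_ack(self, p: Pkt) -> None:
        hist = self.probes[p.src]
        hist.append((p.ts, p.dport))
        hist[:] = [(t, d) for t, d in hist if p.ts - t <= self.window]   # drop old probes
        ports = {d for _, d in hist}
        if len(ports) >= self.threshold and not any(p.src in a for a in self.alerts):
            self.alerts.append(f"ACK scan from {p.src}: {len(ports)} ports in {self.window:.0f}s")


def handshake(ts: float, client: str, cport: int, server: str, sport: int) -> List[Pkt]:
    """Constructed legitimate session: SYN, SYN/ACK, ACK, then data and a bare ACK back."""
    return [Pkt(ts, client, cport, server, sport, SYN),
            Pkt(ts + 0.01, server, sport, client, cport, SYN | ACK),
            Pkt(ts + 0.02, client, cport, server, sport, ACK),
            Pkt(ts + 0.03, client, cport, server, sport, PSH | ACK),
            Pkt(ts + 0.04, server, sport, client, cport, ACK)]


SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]


def ack_scan(start: float, gap: float, scanner: str, target: str) -> List[Pkt]:
    """One bare ACK per port; unfiltered ports answer RST (scanner learns 'unfiltered')."""
    pkts = []
    for i, port in enumerate(SCAN_PORTS):
        t = start + i * gap
        pkts.append(Pkt(t, scanner, 40000 + i, target, port, ACK))
        pkts.append(Pkt(t + 0.001, target, port, scanner, 40000 + i, RST))
    return pkts


def run(trace: List[Pkt]) -> List[str]:
    det = AckScanDetector("192.168.1.")
    for p in sorted(trace, key=lambda q: q.ts):
        det.feed(p)
    return det.alerts


def demo_fast_scan() -> List[str]:
    trace = handshake(0.0, "10.0.0.5", 51000, "192.168.1.10", 80)
    trace += ack_scan(1.0, 0.05, "203.0.113.9", "192.168.1.10")
    return run(trace)


def demo_slow_scan() -> List[str]:
    """One probe every 10 s: never 10 distinct ports inside a 60 s window, so no alert."""
    return run(ack_scan(0.0, 10.0, "203.0.113.9", "192.168.1.10"))


if __name__ == "__main__":
    print("fast scan:", demo_fast_scan())
    print("slow scan:", demo_slow_scan())
```

The fast scan produces one alert naming 203.0.113.9, the legitimate session produces none, and the slow scan slips under the threshold; a Bro script keeping per-host counters for hours instead of a 60-second window would still accumulate all twelve probes.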
6. "Explain the main difference between SQL injection and XSS attacks." [ ]
Answer:
Cross-site scripting (XSS) is a vulnerability in web applications that lets an attacker inject a script into a page which other users' browsers then execute in the security context of the vulnerable site; the script can therefore bypass the browser's same-origin access controls and read cookies, session tokens or page content. One 2007 industry survey put XSS at about 84% of all documented web application vulnerabilities, and its effects range from a small nuisance to a large security risk. The two classic types are non-persistent (reflected) and persistent (stored) XSS. Reflected XSS is the most common: the application echoes part of the HTTP request, such as a query parameter, into the page without encoding it, so the attacker delivers the payload in a link, often by e-mail, that looks innocent but contains the XSS vector; when the victim clicks it, the script is injected into the page and runs in the victim's browser. Stored XSS is saved by the application (in a comment, profile or message) and served to everyone who views the page; it has been coupled with self-propagating worms, and attackers typically use it to steal session data and other sensitive information from the page.
SQL injection, on the other hand, attacks the database behind the application: SQL statements entered in an input field are concatenated into a query, so that the attacker's text is parsed as SQL. It exploits a vulnerability in how the application builds its queries, and it allows the attacker to read or tamper with existing data, spoof an identity, change account balances, destroy data or void transactions. Both are injection attacks, both exploit missing input handling, and both often arrive through the same form fields, but they differ fundamentally in what interprets the injected text. In SQL injection the target is the server-side database engine: the payload uses SQL syntax and metacharacters (quotes, comments, UNION) to change the structure of a query. In XSS the target is another user's browser: the payload uses HTML and script tags that the browser interprets. Consequently the defences differ as well: parameterised queries for SQL injection, context-aware output encoding for XSS. The technical impact of SQL injection is usually rated severe, because it compromises the data store itself, while that of XSS is rated moderate, because it acts through individual users' browsers.
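The difference in what interprets the input, as an added example (not code from the original paper): an in-memory SQLite table with constructed rows, a query built by string concatenation next to its parameterised form, and an HTML snippet rendered with and without output encoding. The same two payloads are fed to both; the SQL payload changes the query only in the string-built version, the script payload reaches the browser only in the unencoded template, and each payload is harmless to the other interpreter.

```python
"""SQL injection and XSS side by side (added example, SQLite in memory)."""
import html
import sqlite3
from typing import List, Tuple

SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])   # constructed rows
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """String-built query: the user's text is parsed as SQL syntax."""
    sql = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Parameterised query: the text is bound as a value and never parsed as SQL."""
    return conn.execute("SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()


def render_vulnerable(name: str) -> str:
    """Template interpolation without encoding: the browser parses the text as HTML."""
    return f"<p>Hello, {name}!</p>"


def render_safe(name: str) -> str:
    """Output encoding for an HTML text node (quotes too, in case of attribute context)."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def compare() -> dict:
    conn = make_db()
    return {
        "sqli_rows_vulnerable": lookup_vulnerable(conn, SQLI_PAYLOAD),   # every row leaks
        "sqli_rows_safe": lookup_safe(conn, SQLI_PAYLOAD),               # no such user
        "xss_rows_vulnerable": lookup_vulnerable(conn, XSS_PAYLOAD),     # just an odd name to SQL
        "xss_html_vulnerable": render_vulnerable(XSS_PAYLOAD),           # script tag reaches browser
        "xss_html_safe": render_safe(XSS_PAYLOAD),                       # rendered as text
        "sqli_html_safe": render_safe(SQLI_PAYLOAD),                     # quotes encoded, harmless
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:22} {v}")
```

The string-built query becomes `SELECT name, secret FROM users WHERE name = 'x' OR '1'='1'` and returns both users; the bound parameter looks for a user literally named `x' OR '1'='1` and finds nothing. The script payload is an ordinary string to the database but executable markup to the browser until it is encoded.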
7. "As shown in the above diagram, Kevin, the system admin, installed a text-message sender and a text-message receiver in a Multi-Level-Secure (MLS) environment. In the MLS environment, two security levels exist (i.e., Unclassified (Low) and Classified (High) levels). His goal is to enforce the Bell-La Padula (BLP) access control model in the network. In a nutshell, the BLP model defines two mandatory access control rules":
• "No Read Up Rule: a subject (Low) at a lower security level must not read an object (High) at a higher security level. Simply, a Low entity cannot have read-access to a High object."
• "No Write Down Rule: a subject (High) at a higher security level must not write to any object (Low) at a lower security level. Simply, a High entity cannot have a write-access to a Low object."
"In this scenario, enforcing the BLP model means no confidential information flows from Classified LAN (High) to Unclassified LAN (Low). However, information can still flow from Unclassified LAN to Classified LAN."
Part A)
"As you can see from the diagram above, the text message sender and receiver have been compromised by the adversary and the Trojan, respectively. However, the router with Snort IDS installed (router/snort) is securely protected and can be fully trusted."
"Write efficient Snort rules and access control lists which will be implemented on the router/snort to detect or block confidential information leakage from High to Low. Write your rationale for writing your rules and access control lists. For example, if the text message receiver (Trojan at High LAN) attempts to send a text message (confidential information) to the text message sender (the adversary at Low LAN), the attempt will be either blocked by your access control list(s) or detected by your snort rule(s)".