Chapter 11, Sniffers, Session Hijacking, and Denial of Service Attacks
This lesson presents material from chapter 11. Objectives important
to this lesson:
This chapter reviews familiar information. It begins with some history
about sniffers, and about protocols that transmit in cleartext, making
them vulnerable to packet sniffing. It is unlikely that anyone is still
using Telnet, but we will still run into HTTP and FTP. The text discusses
passive sniffing, which is hard to detect because the sniffer transmits
nothing, but it only sees traffic in the collision domain the sniffer is on:
on a hub that is everything, on a switch it is the sniffer's own port plus
broadcasts. That takes us to active sniffing, which injects traffic to make
a switch deliver other hosts' frames to the sniffer, and which is what you
need on standard networks that use switches.
Switches are the enemies of passive sniffing because every port is its own
collision domain: the switch sends a unicast frame only to the port where it
has learned the destination MAC address lives. The text presents two methods
to get around that.
MAC flooding - MAC flooding
means that the attacker sends a huge number of frames, each with a different
(usually random) source MAC address, to a switch. The attack objective is to
fill the memory space allocated for the switch's lookup table (its CAM table),
hoping that the switch will be overwhelmed by more addresses than it has space
to write down, so that the entries for real hosts are evicted or cannot be
relearned. This may induce the switch to change its mode to fail-open. A switch
in fail-open mode stops acting like a switch and starts acting like a hub,
passing received frames to all of its ports because it no longer has an entry
saying which port a destination MAC address is on. This allows the attacker's
sniffer to see frames that would otherwise have been passed only to other
ports/collision domains. The attacker has to keep the flood going: the moment
a real host transmits, the switch relearns it.
The text lists several utilities that can perform a MAC flood: EtherFlood,
SMAC, macof, and Technitium MAC Address Changer. Note that macof (part of the
dsniff package) and EtherFlood generate the flood; SMAC and Technitium MAC
Address Changer change the MAC address of your own adapter, which is useful
for impersonating one specific host rather than for filling a table. The text
also observes that this kind of attack causes a huge increase in traffic on the
network segments the compromised switch is part of, drawing the attention
of good monitoring software.
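The table-filling mechanism described above, as an added worked example in Python (my code, not from the text or from any of the tools it lists). It models a learning switch with a fixed-size MAC table and shows a unicast frame going to one port before the flood and being flooded to every port after it. The addresses, port numbers and table size are constructed for the demo, and `random_mac` stands in for what macof puts on the wire.

```python
import os
from collections import OrderedDict

FLOOD = "FLOOD"  # the frame is copied to every port except the one it came in on


class Switch:
    """Toy model of a learning switch with a fixed-size MAC (CAM) table.

    Learning: the source MAC of every incoming frame is recorded against the
    ingress port. Forwarding: a destination MAC with a table entry goes out
    that one port; anything else is flooded. Flooding unknown destinations is
    normal switch behaviour. MAC flooding abuses it: the attacker's stream of
    fresh source addresses fills the table, so the victim's entry is evicted
    (or ages out and cannot be relearned), and frames for the victim are
    flooded to the attacker's port too.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.cam = OrderedDict()  # MAC -> port, oldest entry first

    def learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)
        elif len(self.cam) >= self.capacity:
            # Table full: drop the oldest entry to make room. Real switches age
            # entries out on a timer; under a sustained flood the effect is the
            # same, the victim's mapping is gone.
            self.cam.popitem(last=False)
        self.cam[mac] = port

    def forward(self, src_mac, dst_mac, in_port):
        self.learn(src_mac, in_port)
        out_port = self.cam.get(dst_mac)
        if out_port is None or out_port == in_port:
            return FLOOD
        return out_port


def random_mac():
    """A macof-style random source address; each one costs the switch an entry."""
    return ":".join(f"{b:02x}" for b in os.urandom(6))


def run_demo(capacity=64, flood_frames=500):
    # Constructed addresses: victim on port 1, server on port 2, attacker on port 3.
    victim, server = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    sw = Switch(capacity)

    # Normal traffic: both hosts get learned. The first frame floods because
    # the server is still unknown; the reply goes to port 1 only.
    sw.forward(victim, server, in_port=1)
    before = sw.forward(server, victim, in_port=2)

    # The attack: far more random source MACs than the table can hold.
    for _ in range(flood_frames):
        sw.forward(random_mac(), random_mac(), in_port=3)

    # The server's next frame to the victim has no entry to use, so it is
    # flooded and the sniffer on port 3 gets a copy. The attacker has to keep
    # flooding: the victim is relearned the moment it transmits again.
    after = sw.forward(server, victim, in_port=2)
    return {"before": before, "after": after, "entries": len(sw.cam)}


if __name__ == "__main__":
    print(run_demo())  # {'before': 1, 'after': 'FLOOD', 'entries': 64}
```

The eviction policy is the one thing to adjust if you want to model a particular switch: some stop learning when full, others age entries out; either way the victim loses its entry as long as the flood outpaces its own transmissions.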
ARP poisoning - The text observes
that Address Resolution Protocol (ARP) is used on IPv4 networks, but
Neighbor Discovery Protocol (NDP) is used on IPv6 networks, making them
less vulnerable to ARP poisoning. (I won't say they are invulnerable...)
However, most networks you encounter are still using IPv4, so the distinction
is not as useful as you might think. Anyway, ARP works by broadcasting a
request that contains an IP address and asks the device that owns that
address to reply with its MAC address. The reply updates the ARP cache of
the host that asked, which is the IP-to-MAC table it uses to address its
frames. The switch is a separate matter: it learns which port each MAC
address is on from the source address of every frame it forwards, and it
never reads the ARP payload.
In an ARP spoofing attack, the
attacker lies to the hosts rather than to the switch: it sends unsolicited
ARP replies claiming that some IP address, typically the default gateway's,
belongs to the attacker's MAC address. Most stacks accept such a reply and
overwrite the cache entry, so the victim now addresses its frames for that
IP to the attacker's MAC, and the switch dutifully delivers them to the
attacker's port. As the text explains, the attacker may forward the received
packets to the correct device in order to keep the traffic flowing and
eliminate packet loss, so the victim notices nothing. This works best when
the attacker's lie is about the gateway or another device a hop or more away:
everything the victim sends off the local network then passes through the
attacker, who hands it to the real router so it arrives as intended.
The text uses ARP poisoning for the variant in which
the attacker floods the switch with ARP packets carrying new addresses,
filling its table so that it fails as described under MAC flooding. Be aware
that most other sources use ARP spoofing and ARP poisoning as synonyms for
the cache-poisoning attack just described.
The text lists some utilities that can be used for ARP attacks: arpspoof,
Cain and Abel, Ettercap, IP Restrictions Scanner, and Nemesis.
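The forged reply and the checks that stop it, as an added example in Python (my code, not the text's and not any of the tools named above). It builds the Ethernet/ARP frame an attacker would send, feeds it to a host cache that behaves the way a typical stack does, and then to one that validates the reply against a trusted IP-to-MAC binding table, which is the check a switch running Dynamic ARP Inspection performs with bindings learned from DHCP snooping. It also keeps an arpwatch-style log of entries that change MAC. The addresses are constructed, and nothing is sent on a network.

```python
import socket
import struct

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2
ARP_STRUCT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP reply frame. An attacker sets sender_ip to the gateway's
    address and sender_mac to its own NIC; the victim is the target."""
    eth = struct.pack("!6s6sH", mac_to_bytes(target_mac), mac_to_bytes(sender_mac), ETH_TYPE_ARP)
    arp = struct.pack(ARP_STRUCT, 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_to_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_to_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_STRUCT, frame[14:42])
    return {"op": op, "sender_mac": bytes_to_mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": socket.inet_ntoa(tpa)}


class ArpCache:
    """A host's IP-to-MAC cache. Without `bindings` it behaves like a typical
    stack and overwrites an entry on any reply it sees, solicited or not.
    With `bindings` (the IP-to-MAC pairs a switch learned from DHCP snooping)
    it applies a Dynamic ARP Inspection style check and drops mismatches."""

    def __init__(self, bindings=None):
        self.table = {}
        self.bindings = bindings
        self.changes = []  # arpwatch-style log: (ip, old_mac, new_mac)

    def update(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return "ignored"
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if self.bindings is not None and self.bindings.get(ip) != mac:
            return "dropped"
        if ip in self.table and self.table[ip] != mac:
            self.changes.append((ip, self.table[ip], mac))
        self.table[ip] = mac
        return "accepted"


def run_demo():
    # Constructed addresses for the demo.
    gw_ip, gw_mac = "192.168.1.1", "00:11:22:33:44:01"
    victim_ip, victim_mac = "192.168.1.10", "00:11:22:33:44:10"
    attacker_mac = "de:ad:be:ef:00:66"

    genuine = build_arp_reply(gw_mac, gw_ip, victim_mac, victim_ip)
    # The lie: "192.168.1.1 is at de:ad:be:ef:00:66". Once accepted, the victim
    # addresses every off-subnet packet to the attacker, who can forward it to
    # the real gateway and read it on the way.
    forged = build_arp_reply(attacker_mac, gw_ip, victim_mac, victim_ip)

    vulnerable = ArpCache()
    hardened = ArpCache(bindings={gw_ip: gw_mac, victim_ip: victim_mac})
    for cache in (vulnerable, hardened):
        cache.update(genuine)
    return {
        "vulnerable_result": vulnerable.update(forged),
        "vulnerable_gw": vulnerable.table[gw_ip],
        "flips": vulnerable.changes,
        "hardened_result": hardened.update(forged),
        "hardened_gw": hardened.table[gw_ip],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `changes` log is the cheap detection when you cannot deploy inspection on the switch: an IP that flips to a new MAC, especially the gateway's, is worth an alert even if the cache accepted it.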
Having armed you with switch-defeating
tools, the text presents a list of sniffing
software on page 276. Everyone's favorite, Wireshark,
is there. Take a look for others you may not know about. At the bottom
of that same page, the text presents some methods to combat sniffing.
Encrypt traffic with a VPN (or with TLS or SSH for individual services),
so that a sniffer that does capture frames gets no plaintext.
Use static ARP tables, so that forged replies are ignored. This
is less useful on a dynamic network that has lots of visitors and transients.
Use switches with managed ports. Port security limits how many MAC addresses
a port may learn, which stops MAC flooding; DHCP snooping with Dynamic ARP
Inspection lets the switch drop ARP replies whose IP-to-MAC pairing does not
match a lease it has seen; and the same port controls will prevent
unauthorized equipment from working when plugged into your
The second major topic is session hijacking.
The text presents a short description of a hijack on page 277. The essence
is that an attacker monitors a network session, takes over the role of one
party in that session, and then sends whatever traffic serves the attacker's
goals. Hijacking removes the need to steal credentials, because the attacker
takes over the session after authentication and authorization have already
taken place.
The text remarks that there is a passive form of hijacking, but it is
no different from sniffing a specific session.
Active session hijacking is discussed in terms of needing to know the
TCP sequence numbers being used in the session. Sequence numbers count
bytes, not packets: each segment carries the number of its first payload
byte, and the receiver expects the next segment to start at that number plus
the payload length (a SYN or FIN also consumes one number). To make guessing
harder, the numbers do not start with 1. Each side picks a random initial
sequence number while the session is being established, so the attacker must
observe the numbers actually in use, knock one party out of the conversation
(with a reset, or a flood that keeps it too busy to answer), and then continue
with a segment carrying the next expected sequence number and acknowledgement
number. The text spends a page discussing this simple
idea, then presents a list of tools that can be used by hijackers.
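The sequence-number arithmetic, as an added example in Python (my code, not the text's and not any hijacking tool). It replays a constructed Telnet handshake and login, tracks what each side will send next the way a sniffer on the path could, shows that a guessed number is rejected while the tracked one is accepted, and shows that the real client is out of step once the forged segment has been taken. The addresses and initial sequence numbers are constructed, and the receiver check is simplified to exact in-order delivery.

```python
from dataclasses import dataclass

SEQ_MASK = 0xFFFFFFFF  # sequence numbers are 32 bits and wrap around


@dataclass
class Segment:
    src: str            # "ip:port" of the sender
    dst: str
    seq: int            # sequence number of the first payload byte
    ack: int            # next byte the sender expects from its peer
    flags: frozenset
    payload: bytes = b""


def sequence_space(seg):
    """Bytes of sequence space a segment consumes: its payload, plus one each
    for SYN and FIN, which occupy a sequence number although they carry no data."""
    return len(seg.payload) + ("SYN" in seg.flags) + ("FIN" in seg.flags)


class SessionTracker:
    """What a sniffer on the path learns: for each endpoint, the sequence number
    its next segment will carry. That is exactly what the peer expects, and
    therefore what a hijacker has to put in a forged segment."""

    def __init__(self):
        self.next_seq = {}

    def observe(self, seg):
        self.next_seq[seg.src] = (seg.seq + sequence_space(seg)) & SEQ_MASK

    def is_in_order(self, seg):
        """Simplified receiver check: a segment is accepted only if it starts
        exactly where the previous one from that sender ended."""
        return self.next_seq.get(seg.src) == seg.seq

    def forge(self, impersonate, peer, payload):
        """Craft a data segment that `peer` will accept as coming from `impersonate`."""
        return Segment(impersonate, peer, self.next_seq[impersonate],
                       self.next_seq[peer], frozenset({"PSH", "ACK"}), payload)


def run_demo():
    client, server = "10.0.0.5:40001", "10.0.0.9:23"   # constructed telnet session
    isn_c, isn_s = 0x12345678, 0x9ABCDEF0            # constructed random ISNs
    tracker = SessionTracker()

    handshake_and_login = [
        Segment(client, server, isn_c, 0, frozenset({"SYN"})),
        Segment(server, client, isn_s, isn_c + 1, frozenset({"SYN", "ACK"})),
        Segment(client, server, isn_c + 1, isn_s + 1, frozenset({"ACK"})),
        Segment(server, client, isn_s + 1, isn_c + 1, frozenset({"PSH", "ACK"}), b"login: "),
        Segment(client, server, isn_c + 1, isn_s + 8, frozenset({"PSH", "ACK"}), b"user\r\n"),
    ]
    for seg in handshake_and_login:
        tracker.observe(seg)

    # A blind guess (the "numbers start at 1" assumption) is rejected by the server.
    guess = Segment(client, server, 1, 0, frozenset({"PSH", "ACK"}), b"id\r\n")
    guess_accepted = tracker.is_in_order(guess)

    # The tracked numbers produce a segment the server treats as the client's next data.
    forged = tracker.forge(client, server, b"id\r\n")
    forged_accepted = tracker.is_in_order(forged)
    tracker.observe(forged)

    # After the injection the real client is desynchronised: its own next segment
    # reuses a sequence number the server has already consumed and is rejected.
    # That is why the hijacker silences or resets one side before taking over.
    real_next = Segment(client, server, isn_c + 7, isn_s + 8, frozenset({"PSH", "ACK"}), b"ls\r\n")
    real_client_accepted = tracker.is_in_order(real_next)

    return {
        "forged_seq": forged.seq,
        "forged_ack": forged.ack,
        "guess_accepted": guess_accepted,
        "forged_accepted": forged_accepted,
        "real_client_accepted_afterwards": real_client_accepted,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Real stacks accept anything inside the receive window rather than only the exact next byte, which makes the attacker's job slightly easier than this model, not harder; the conclusion about the real client falling out of step is the same.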
The more useful information for this section is the defensive
discussion on page 281. Three ideas are presented.
Encrypt traffic. An IPsec VPN hides the TCP header, sequence numbers
included; TLS or SSH leaves the sequence numbers visible, but a segment the
attacker injects carries nothing encrypted under the session keys, so the
application layer rejects it (and usually tears the connection down).
Configure routers to block
Use intrusion detection methods
to watch for spoofed traffic.
The chapter continues with a discussion of Denial
of Service attacks, followed by a separate discussion of Distributed
Denial of Service attacks. Both have the same goal: to prevent
users from accessing services. If users of an ecommerce site, for example,
cannot establish a connection to that site, there will be no reason for
that site to exist and its customers will go elsewhere.
The text goes on to discuss DoS attacks in three categories:
consumption of bandwidth - Attacks in this category attempt to choke
the system by sending enough traffic to prevent legitimate traffic from
being processed. This includes ICMP floods (the Smurf attack sends echo
requests with the victim's address forged as the source to a broadcast
address, so every host on that segment answers the victim), UDP floods (the
Fraggle attack does the same with the UDP echo service), and Chargen
attacks, which abuse an old (1983) protocol that was meant to be used
when testing networks: chargen answers anything it receives with a stream
of characters, so pointing it at a victim produces traffic the attacker does
not have to generate.
consumption of resources - Attacks in this category focus on individual
systems, exhausting things like connection tables, memory, or CPU rather
than the link. The three flood attacks mentioned in the text will, however,
have effects on other devices on the same network. Despite this, the
intention is to target particular computers, so these attacks can be
harder to spot than a bandwidth flood.
exploitation of programming defects - Attacks in this category exploit
particular faults in programs or operating systems. The text lists three
types that are pretty obsolete. Years ago, I actually diagnosed a ping
of death event, which was caused by sending a packet of an illegal size
to a server. That was patched long ago, so we should consider this category
the bucket to catch any new attack on a newly discovered or unpatched
The text lists a handful of tools for DoS attacks, then goes on to consider DDoS
attacks, which are typically carried out by an army of co-opted machines,
which may number in the hundreds or thousands, depending on the success
of the attacker in organizing an attack group, often called a botnet.
The term is a contraction of robot network, but it has been around so long
that the longer form doesn't matter. The text discusses the elements of a
DDoS attack:
daemon software - Software that turns a computer into a member of
the attacking army, variously called a bot or a zombie.
target - The network, system, or device being attacked
master system, botmaster, or control system - The device from which
the attacker coordinates the attack
Page 286 offers a list of attack software, some of which can be used for
DoS or DDoS attacks.
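Detection logic for the bandwidth-consumption category above, as an added example in Python (my code, not the text's). It runs over constructed NetFlow-style records and flags a Smurf flood (echo replies to one victim from many reflectors in the same second) and a chargen reflection flood, while leaving normal traffic and a handful of legitimate echo replies alone. The record format, the convention that ICMP rows carry the ICMP type in the source-port column, and the thresholds are all assumptions made for the demo.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records (NetFlow-style, one line per flow). For ICMP flows
# the `sport` column carries the ICMP type, an exporter convention assumed here.
SAMPLE_FLOWS = "ts,proto,src,sport,dst,dport,pkts\n" + "".join(
    # Smurf symptom: echo replies (type 0) to the victim from every host on a
    # reflector subnet, all inside the same second.
    f"100.{i % 10},icmp,10.1.1.{i},0,203.0.113.7,0,200\n" for i in range(1, 41)
) + (
    # Chargen reflection: one reflector's port 19 firehosing the victim's port 7.
    "101.3,udp,198.51.100.4,19,203.0.113.7,7,6000\n"
    # Background traffic that must not alert.
    "100.4,tcp,192.0.2.10,51000,203.0.113.7,443,12\n"
    "100.5,icmp,192.0.2.11,0,203.0.113.8,0,3\n"
    "101.0,udp,192.0.2.12,53,203.0.113.7,43210,2\n"
)


def parse_flows(text):
    """Parse the CSV export into typed records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": float(row["ts"]), "proto": row["proto"], "src": row["src"],
                     "sport": int(row["sport"]), "dst": row["dst"],
                     "dport": int(row["dport"]), "pkts": int(row["pkts"])})
    return rows


def classify(flow):
    """Reflection signatures: ICMP echo replies (Smurf) and UDP from the echo or
    chargen ports (Fraggle and chargen loops). Returns None for anything else."""
    if flow["proto"] == "icmp" and flow["sport"] == 0:
        return "smurf"
    if flow["proto"] == "udp" and flow["sport"] in (7, 19):
        return "fraggle"
    return None


def detect_floods(flows, window=1.0, min_pkts=1000):
    """Aggregate matching flows per (victim, kind, time window) and alert when the
    packet count crosses the threshold. The distinct-source count tells a
    broadcast-amplified attack (many reflectors) from a single noisy host."""
    buckets = defaultdict(lambda: {"pkts": 0, "sources": set()})
    for flow in flows:
        kind = classify(flow)
        if kind is None:
            continue
        key = (flow["dst"], kind, int(flow["ts"] // window))
        buckets[key]["pkts"] += flow["pkts"]
        buckets[key]["sources"].add(flow["src"])
    alerts = []
    for (dst, kind, win), agg in sorted(buckets.items()):
        if agg["pkts"] >= min_pkts:
            alerts.append({"victim": dst, "kind": kind, "window": win,
                           "pkts": agg["pkts"], "sources": len(agg["sources"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

The threshold is the part to tune against your own baseline; the point of keying on the reflection signature rather than on raw volume is that a Smurf victim sees replies it never asked for, which is a better tell than "lots of ICMP".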
This video illustrates a visual analysis of an actual attack:
For some ideas about preventing such attacks, take a look at this
article, which also features the video embedded above.
The usual array of assignment, lab, and project portions are assigned