ITS 4550 - Fraud Prevention and Deterrence

Chapter 11, Sniffers, Session Hijacking, and Denial of Service Attacks

This lesson presents material from chapter 11. Objectives important to this lesson:

  1. Sniffers
  2. Session hijacking
  3. DoS attacks
  4. DDoS attacks
  5. Botnets

Chapter 11

This chapter reviews familiar information. It begins with some history about sniffers, and about protocols that transmit in cleartext, making them vulnerable to packet sniffing. It is unlikely that anyone is still using Telnet, but we will still run into HTTP, SMTP, POP, and FTP. The text discusses passive sniffing, which is hard to detect, but it only works within the collision domain that the sniffer is on. That takes us to active sniffing.

Active sniffing works better in standard networks that use switches. Switches are the enemies of passive sniffing because they create multiple collision domains. The text presents two methods to get around that.

  • MAC flooding - MAC flooding means that the attacker sends a huge number of packets, each containing a new MAC address, to a switch. The attack objective is to fill the memory space allocated for the switch's lookup table, hoping that the switch will be overcome by more addresses than it has space to write down. This may induce the switch to change its mode to fail-open. A switch in fail-open mode stops acting like a switch. It starts acting like a hub, passing all received packets to all of its ports because it is no longer sure which ports to use for which MAC addresses. This allows the attacker's sniffer to see all packets that would otherwise have been passed only to other ports/collision domains.
    The text lists several utilities that can perform a MAC flood: EtherFlood, SMAC, macof, and Technetium MAC Address Changer. The text also observes that this kind of attack will cause a huge increase in traffic on the network segments the compromised switch is part of, drawing the attention of good monitoring software.
  • ARP poisoning - The text observes that Address Resolution Protocol (ARP) is used on IPv4 networks, but Neighbor Discovery Protocol (NDP) is used on IPv6 networks, making them less vulnerable to ARP poisoning. (I won't say they are invulnerable...) However, most networks you encounter are still using IPv4, so the distinction is not as useful as you might think. Anyway, ARP works by sending a broadcast request that contains an IP address. The request is asking for a response from the device having that IP address that contains the device's MAC address. The response, when received by a switch, causes an update to the switch's look-up table.
    In an ARP spoofing attack, the attacker lies to the switch to divert traffic to the attacker's port. As the text explains, the attacker may forward the received packets to the correct device in order to minimize traffic and eliminate packet loss. This works best when the attacker's lie is about devices that are a hop or more away. The lie keeps the traffic on the same network, and the attacker can just send the packets across a router to make it look like they arrived as intended.
    In an ARP poisoning attack, the attacker floods the switch with ARP updates, causing the switch to fail as described above.
    The text lists some utilities that can be used for ARP attacks: arpspoof, Cain and Abel, Ettercap, IP Restrictions Scanner, and Nemesis.

Having armed you with switch-defeating tools, the text presents a list of sniffing software on page 276. Everyone's favorite, Wireshark, is there. Take a look for others you may not know about. At the bottom of that same page, the text presents some methods to combat sniffing.

  • Encrypt traffic with a VPN or IPSec.
  • Use static ARP tables. This is less useful on a dynamic network that has lots of visitors and transients.
  • Use switches with managed ports. Managing the ports can also prevent updates to the look-up table, and will prevent unauthorized equipment from working when plugged into your network.
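Both switch attacks above leave a footprint a monitor can see: a MAC flood makes one port source hundreds of new MACs, and ARP poisoning makes a known IP start answering from a different MAC. This added example (not code from the text) shows that detection logic over a constructed frame feed; the port names, MACs, IPs and the flood threshold are all assumptions.

```python
"""Switch-side detection for the two sniffing enablers above: MAC flooding
(one port suddenly sourcing hundreds of MACs) and ARP poisoning (an IP that
starts answering from a different MAC). Input is a constructed frame feed."""
from collections import defaultdict

# Constructed records: (ingress port, source MAC, ARP sender IP or None).
# Real input would be a SPAN-port capture or the switch's MAC table over time.
FRAMES = [
    ("Gi0/1", "aa:bb:cc:00:00:01", "10.0.0.1"),   # gateway answers an ARP request
    ("Gi0/2", "aa:bb:cc:00:00:02", "10.0.0.2"),
    ("Gi0/2", "aa:bb:cc:00:00:02", None),         # ordinary data frame
    ("Gi0/3", "aa:bb:cc:00:00:03", "10.0.0.3"),
    ("Gi0/3", "aa:bb:cc:00:00:03", "10.0.0.1"),   # same IP as the gateway, new MAC
] + [  # 300 frames from Gi0/4, each with a never-seen source MAC
    ("Gi0/4", "de:ad:be:ef:%02x:%02x" % (i // 256, i % 256), None) for i in range(300)
]

MAC_FLOOD_THRESHOLD = 50   # assumed: an access port normally learns a handful of MACs

def analyse(frames, flood_threshold=MAC_FLOOD_THRESHOLD):
    """Return a list of alert tuples; the first element names the alert type."""
    macs_per_port = defaultdict(set)
    ip_to_mac = {}            # the MAC each IP was first seen answering from
    alerts = []
    for port, mac, ip in frames:
        macs_per_port[port].add(mac)
        if len(macs_per_port[port]) == flood_threshold:   # fire once per port
            alerts.append(("MAC_FLOOD", port, flood_threshold))
        if ip is not None:
            first_mac = ip_to_mac.setdefault(ip, mac)
            if first_mac != mac:   # the binding changed: classic poisoning sign
                alerts.append(("ARP_CHANGE", ip, first_mac, mac, port))
    return alerts

if __name__ == "__main__":
    for alert in analyse(FRAMES):
        print(*alert)
```

The `ip_to_mac` table is the same binding a static ARP table pins in place; a static table simply refuses the change instead of alerting on it.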

The second major topic is session hijacking. The text presents a short description of a hijack on page 277. The essence is that an attacker monitors a network session, the attacker takes over the role of one party in the session, then the attacker sends desired traffic onto the network to serve the attacker's goals. Hijacking removes the need to steal credentials by taking over a session after authentication and authorization have taken place. The text remarks that there is a passive form of hijacking, but it is no different from sniffing a specific session.

Active session hijacking is discussed in terms of needing to understand the sequence numbers being used in the session. Each packet sent to the other party carries a sequence number, and successive packets use successive values. To make it harder, the numbers do not typically start with 1. A random starting number may be selected while the session is being established, so the attacker must monitor the packet numbers actually being used, break the connection between the two parties, and continue with a packet having the next logical number in the established sequence. The text spends a page discussing this simple idea, then presents a list of tools that can be used by hijackers.

The more useful information for this section is the defensive discussion on page 281. Three ideas are presented.

  • Encrypt traffic to hide session numbers and other data in packets.
  • Configure routers to block spoofed traffic.
  • Use intrusion detection methods to watch for spoofed traffic.
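The second defense, a router that blocks spoofed traffic, comes down to one rule: a packet may only enter an interface if its source address belongs behind that interface. The following is an added example (not from the text) of that strict ingress check; the interface names, prefixes and sample traffic are constructed.

```python
"""Strict ingress filtering (the BCP 38 / unicast-RPF idea): a packet is only
accepted on an interface if its source address belongs to a prefix that is
actually routed behind that interface. Topology and traffic are constructed."""
import ipaddress

# Assumed router: two LAN interfaces with known prefixes and one upstream link.
INTERFACE_PREFIXES = {
    "lan0": [ipaddress.ip_network("192.168.10.0/24")],
    "lan1": [ipaddress.ip_network("192.168.20.0/24"),
             ipaddress.ip_network("192.168.21.0/24")],
    "wan0": None,   # upstream: no fixed prefix list, but see ingress_allowed()
}

def internal_prefixes(table):
    """Every prefix that lives on one of our own interfaces."""
    return [p for prefixes in table.values() if prefixes for p in prefixes]

def ingress_allowed(table, iface, src):
    """True if a packet with source `src` may legitimately arrive on `iface`."""
    src = ipaddress.ip_address(src)
    prefixes = table[iface]
    if prefixes is None:
        # Upstream side: our own addresses can never be a genuine source there.
        return not any(src in p for p in internal_prefixes(table))
    return any(src in p for p in prefixes)

def filter_packets(table, packets):
    """packets: iterable of (iface, src, dst). Returns (accepted, dropped) lists."""
    accepted, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (accepted if ingress_allowed(table, iface, src) else dropped).append(pkt)
    return accepted, dropped

# Constructed traffic; the two marked lines carry spoofed source addresses.
SAMPLE = [
    ("lan0", "192.168.10.5", "203.0.113.7"),
    ("lan1", "192.168.21.9", "192.168.10.5"),
    ("lan0", "192.168.20.44", "192.168.10.5"),   # lan1 address sourced on lan0
    ("wan0", "192.168.10.1", "192.168.10.5"),    # outsider claiming our gateway
    ("wan0", "198.51.100.2", "192.168.10.5"),
]

if __name__ == "__main__":
    ok, bad = filter_packets(INTERFACE_PREFIXES, SAMPLE)
    print("accepted:", len(ok), "dropped:", bad)
```

A hijacker's injected packets carry the victim's source address; when they arrive on an interface where that address does not belong, this rule drops them before the sequence number is ever examined.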

The chapter continues with a discussion of Denial of Service attacks, followed by a separate discussion of Distributed Denial of Service attacks. Both have the same goal: to prevent users from accessing services. If users of an ecommerce site, for example, cannot establish connection to that site, there will be no reason for that site to exist and its customers will go elsewhere.

The text goes on to discuss DoS attacks in three categories:

  • consumption of bandwidth - Attacks in this category attempt to choke the system by sending enough traffic to prevent legitimate traffic from being processed. This includes ICMP floods (Smurf attack), UDP floods (Fraggle attack), and Chargen attacks, which use an old (1983) protocol that was meant to be used when testing networks.
  • consumption of resources - Attacks in this category focus on individual systems. The three flood attacks mentioned in the text, however, will have effects on other devices on the same network. Despite this, the intention is to target particular computers, so these attacks can be harder to spot.
  • exploitation of programming defects - Attacks in this category exploit particular faults in programs or operating systems. The text lists three types that are pretty obsolete. Years ago, I actually diagnosed a ping of death event, which was caused by sending a packet of an illegal size to a server. That was patched long ago, so we should consider this category the bucket to catch any new attack on a newly discovered or unpatched vulnerability.
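Each of the three categories has a signature a monitor can test for: traffic aimed at the subnet's broadcast address (Smurf, Fraggle, chargen), an abnormal per-host packet rate, and a fragment that would reassemble past the 16-bit IP length field (the ping of death). This added example (not from the text) runs those checks over constructed packet summaries; the subnet, rate threshold and sample packets are assumptions.

```python
"""Checks for the three DoS categories the text lists, run over constructed
packet summaries (dicts), not real captures: amplification floods aimed at the
broadcast address (Smurf, Fraggle, chargen), a per-destination packet-rate
test for plain floods, and the oversized reassembled datagram of a ping of death."""
import ipaddress
from collections import Counter

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed protected subnet
MAX_IPV4_DATAGRAM = 65535   # largest total length an IPv4 header can describe
FLOOD_PPS = 1000            # assumed packets/second to one host that counts as a flood

def classify(pkt):
    """pkt: dict with proto, src, dst, optional dport, frag_off (8-byte units), length."""
    tags = []
    to_broadcast = ipaddress.ip_address(pkt["dst"]) == LOCAL_NET.broadcast_address
    if pkt["proto"] == "icmp" and to_broadcast:
        tags.append("smurf")        # echo to broadcast: every host replies to the victim
    if pkt["proto"] == "udp" and to_broadcast and pkt.get("dport") in (7, 19):
        tags.append("fraggle")      # UDP echo/chargen to broadcast, the UDP twin of Smurf
    if pkt["proto"] == "udp" and pkt.get("dport") == 19:
        tags.append("chargen")      # RFC 864 test service; has no business on a LAN today
    # Ping of death: a fragment that would end past the 16-bit IP total length.
    if pkt.get("frag_off", 0) * 8 + pkt["length"] > MAX_IPV4_DATAGRAM:
        tags.append("oversized_datagram")
    return tags

def flood_targets(pkts, pps=FLOOD_PPS):
    """Destinations that received at least `pps` packets within any one second."""
    per_second = Counter((p["dst"], int(p["ts"])) for p in pkts)
    return sorted({dst for (dst, _sec), n in per_second.items() if n >= pps})

# Constructed sample: one of each signature plus a 1200-packet burst at one host.
SAMPLE = [
    {"ts": 0.0, "proto": "icmp", "src": "10.9.9.9", "dst": "192.168.1.255", "length": 84},
    {"ts": 0.1, "proto": "udp", "src": "10.9.9.9", "dst": "192.168.1.255", "dport": 7, "length": 60},
    {"ts": 0.2, "proto": "udp", "src": "10.9.9.9", "dst": "192.168.1.20", "dport": 19, "length": 60},
    {"ts": 0.3, "proto": "icmp", "src": "10.9.9.9", "dst": "192.168.1.20",
     "frag_off": 8189, "length": 1500},   # 8189*8 + 1500 = 67012 > 65535
    {"ts": 0.4, "proto": "tcp", "src": "10.1.1.1", "dst": "192.168.1.20", "dport": 443, "length": 60},
] + [{"ts": 5 + i / 1200, "proto": "icmp", "src": "10.9.9.%d" % (i % 250), "dst": "192.168.1.10",
      "length": 84} for i in range(1200)]

if __name__ == "__main__":
    for p in SAMPLE[:5]:
        print(p["proto"], p["dst"], classify(p))
    print("flooded:", flood_targets(SAMPLE))
```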

The text lists a handful of tools for DoS attacks, then goes on to consider DDoS attacks, which are typically carried out by an army of co-opted machines, which may number in the hundreds or thousands, depending on the success of the attacker in organizing an attack group, often called a botnet. This probably means a robot network, but the term has been around so long that the original longer form doesn't matter. The text discusses the elements involved:

  • daemon software - Software that turns a computer into a member of the attacking army, variously called a bot or a zombie.
  • target - The network, system, or device being attacked.
  • master system, botmaster, or control system - The device from which the attacker coordinates the attack.

Page 286 offers a list of attack software, some of which can be used for DoS or DDoS attacks.

This video illustrates a visual analysis of an actual attack:

For some ideas about preventing such attacks, take a look at this article, which also features the video embedded above.

The usual array of assignment, lab, and project portions are assigned this week.