Denial of Services and Man-In-The-Middle

Abstract

Techotopia (n.d.) explained that threats and attacks on networks and computer systems take many different forms, which gives attackers a variety of methods to choose from. One class of attack is carried out with the sole purpose of preventing users from accessing the services they normally use. Such an attack is called a Denial of Service (DOS), and it targets a variety of standard network protocols and tools. Some of these forms of attack are:

  • Ping flood – The attacker sends a very large number of Internet Control Message Protocol (ICMP) ping requests to a server so that the system can no longer respond to legitimate users' requests (the ping flood attack).

  • Smurfing – The attacker floods the victim's IP address with ping replies. The attacker sends a ping request, using the victim's IP address as the source, to the broadcast address of a network; every computer on that broadcast network then sends its reply back to the victim's IP address.

  • TCP SYN Flood – The attacker floods the victim server with half-open sessions, each a request to establish a TCP connection with the victim server. The victim server uses up all of its available sessions, which prevents other users from accessing it.

  • Teardrop – The attacker exploits a weakness in the operating system's TCP/IP implementation by sending corrupted UDP packets (UDP, the User Datagram Protocol, is the part of the TCP/IP suite used for connectionless data transfer) so that the operating system cannot reassemble the original packets received by the victim computer.

  • Bonk – The attacker crashes the victim computer by sending corrupted UDP packets to the DNS port on Windows systems.
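The three flood patterns listed above (SYN flood, ping flood, smurf) leave recognisable traffic shapes that a defender can pick out of flow or packet-summary logs. The following is an added example, not from the original post: a small classifier run over constructed packet summaries; the record format `(src, dst, proto, info)`, the addresses and the threshold of 20 are assumptions made for illustration.

```python
"""Added example (not from the original post): flag the flood patterns the post
lists using a constructed packet-summary log. Thresholds and the record format
are assumptions for illustration only."""
from collections import Counter, defaultdict

# Constructed sample records: (src, dst, proto, info)
# info is the TCP flag ("S" = SYN, "A" = ACK) or the ICMP message type.
SAMPLE = (
    [("10.0.0.5", "192.0.2.10", "tcp", "S")] * 40                    # SYNs never completed
    + [(f"198.51.100.{i}", "192.0.2.10", "icmp", "echo-reply")        # replies from many hosts
       for i in range(1, 31)]                                        # to one victim (smurf)
    + [("10.0.0.7", "192.0.2.10", "icmp", "echo-request")] * 35      # ping flood from one host
    + [("10.0.0.9", "192.0.2.10", "tcp", "S"),                       # a normal handshake:
       ("10.0.0.9", "192.0.2.10", "tcp", "A")]                       # SYN followed by ACK
)

def classify(records, threshold=20):
    """Return a list of (kind, src, dst, count) findings for the three flood shapes."""
    syn_count = Counter()            # SYNs per (src, dst)
    completed = set()                # (src, dst) pairs that went on to send an ACK
    echo_req = Counter()             # echo requests per (src, dst)
    reply_sources = defaultdict(set) # dst -> distinct sources sending echo replies
    for src, dst, proto, info in records:
        if proto == "tcp" and info == "S":
            syn_count[(src, dst)] += 1
        elif proto == "tcp" and info == "A":
            completed.add((src, dst))
        elif proto == "icmp" and info == "echo-request":
            echo_req[(src, dst)] += 1
        elif proto == "icmp" and info == "echo-reply":
            reply_sources[dst].add(src)
    findings = []
    # SYN flood: many SYNs from one source that never completes the handshake
    for (src, dst), n in syn_count.items():
        if n >= threshold and (src, dst) not in completed:
            findings.append(("syn-flood", src, dst, n))
    # Ping flood: one source hammering one destination with echo requests
    for (src, dst), n in echo_req.items():
        if n >= threshold:
            findings.append(("ping-flood", src, dst, n))
    # Smurf: one destination receiving echo replies from many distinct sources
    for dst, srcs in reply_sources.items():
        if len(srcs) >= threshold:
            findings.append(("smurf", None, dst, len(srcs)))
    return findings

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```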

Another, more complex attack, which most often occurs on wireless networks, is the Man-In-The-Middle (MITM) attack. The attacker places a software agent between the server and the client so that neither end of the communication is aware that the agent is present on the line. As data flows between the client and the server, the agent records it as it passes through, giving the attacker an opportunity to access confidential information and password credentials. With the same technique, the malicious agent can also modify the data on the fly and cause problems for both ends. Once data has been intercepted from anywhere within range of the wireless network, the attacker can pursue the attack against the victim users and their data (Lam and Smith, 2004).

Is the MITM Realistic?

Yes. The MITM attack is feasible and happens once the attacker takes control of the communication between the client and the server through a malicious agent. With such an attack, the attacker impersonates a legitimate user by taking control of the communication between the client and the server. A common scenario is web session hijacking, where the attacker takes control of the user's browser session. Once the attacker controls a legitimate conversation between the client and the server, the attacker can discard the communication packets and replace them with new packets sent to the destination (Tanase, 2003).

Another opportunity for session hijacking arises when the server time-out is poorly configured to a long period, which creates a larger window of opportunity for an attacker to hijack the user's session. The same scenario can occur with telnet connections, where the attacker can intercept a TCP session as it is initiated and the data being passed between the client and the server; once the conversation looks interesting to the attacker, the attacker can take control of the user's session (Lam and Smith, 2004).

Different MITM Scenarios

A similar scenario occurs when the attacker takes control of an ongoing session between the client and the server (TCP/IP hijacking). This attack resembles the Man-In-The-Middle attack, but here the malicious agent sends a reset to the client, so the client loses contact with the server while the agent pretends to be the legitimate client and continues the session (Techotopia, n.d.).

Another form of the Man-In-The-Middle attack is the replay attack, where again the malicious agent is placed on the communication line between client and server. With this technique the attacker records the entire exchange between the user and the server, then replays it in an attempt to gain access to financial or confidential information on the server (Techotopia, n.d.).

Another MITM scenario is the IP spoofing attack (IP hijacking), where the attacker targets the IP address of the victim computer and disrupts the normal routing of the network, so that packets end up forwarded to the wrong part of the network, which can result in an endless loop of communication. IP hijacking can also be used for spamming or for a distributed denial-of-service attack (DDOS) (Tanase, 2003).

Conclusion

Lam and Smith (2004) explained that one of the key features of the TCP protocol is reliability: the ability to deliver packets between the two ends of a communication (client and server). To accomplish this, TCP uses acknowledgement (ACK) packets and sequence numbers. TCP session hijacking occurs when the attacker is able to take control of these elements of the TCP protocol. An attacker who wants to inject data into the client's TCP session would have to:

  • Spoof the client's IP address
  • Determine the sequence number used by the client that the server expects next
  • Inject data into the session before the client is able to send its next packet
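The second step above is the hard one because a TCP endpoint only accepts a segment whose sequence number falls inside its current receive window. The following is an added example, not from the original post or from the cited authors: the RFC 793 segment acceptability test, written with 32-bit wraparound, run against constructed window and segment values. It illustrates why a guessed sequence number that lands outside the window is silently dropped and why unpredictable initial sequence numbers matter.

```python
"""Added example (not from the post): the receive-window check a TCP endpoint
applies to each arriving segment (RFC 793, "SEGMENT ARRIVES"). All numbers used
below are constructed for illustration."""
MOD = 1 << 32          # TCP sequence numbers live in 32-bit modular space

def seq_lt(a, b):
    """True if sequence number a is 'before' b, allowing for 32-bit wraparound."""
    return a != b and (b - a) % MOD < (1 << 31)

def in_window(rcv_nxt, rcv_wnd, seg_seq, seg_len):
    """RFC 793 acceptability test.

    rcv_nxt: next sequence number the receiver expects
    rcv_wnd: size of the receive window
    seg_seq: sequence number carried by the arriving segment
    seg_len: number of sequence-number bytes the segment occupies
    Returns True if the receiver would accept the segment, False if it is dropped.
    """
    wnd_end = (rcv_nxt + rcv_wnd) % MOD
    def inside(x):
        # rcv_nxt <= x < rcv_nxt + rcv_wnd, in modular arithmetic
        return not seq_lt(x, rcv_nxt) and seq_lt(x, wnd_end)
    if seg_len == 0 and rcv_wnd == 0:
        return seg_seq == rcv_nxt                 # zero-length probe at exact edge
    if seg_len == 0:
        return inside(seg_seq)                    # pure ACK / zero-length segment
    if rcv_wnd == 0:
        return False                              # window closed: nothing accepted
    seg_end = (seg_seq + seg_len - 1) % MOD
    return inside(seg_seq) or inside(seg_end)     # any overlap with the window counts

if __name__ == "__main__":
    # Receiver expects 1000 next and advertises a 100-byte window.
    print(in_window(1000, 100, 1000, 10))   # exact match: accepted
    print(in_window(1000, 100, 5000, 10))   # guessed number far off: dropped
```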

Hijacking a UDP (User Datagram Protocol) session is much the same as hijacking a TCP session, except that the attacker does not have to manage sequence numbers or the other TCP mechanisms. With a UDP session it is easy for attackers to inject data, since UDP is connectionless and UDP sessions are extremely easy to detect (Lam and Smith, 2004).

TCP/IP is a packet-based protocol suite, and packet-based networks are easy to implement and less costly. The difference between the IP and TCP layers is that TCP adds port information to the communication stream as well as mechanisms to ensure delivery and reliability, while IP provides no such mechanisms. If a sequenced TCP/IP packet is lost in delivery it can be re-requested and delivered again to the required destination.

Finally, once the attacker has taken full control of the TCP connection, the attacker usually stops relaying packets on behalf of the legitimate user's machine and takes its place, making the switch without the remote target host becoming aware of it (Strebe and Perkins, 2007).

References

Lam, K. & Smith, B. (2004) Theft on the Web: Prevent Session Hijacking [Online]. Available from: http://technet.microsoft.com/en-us/magazine/2005.01.sessionhijacking.aspx (Accessed: 06 November 2010).

Strebe, M. & Perkins, C. (2007) TCP/IP from a Security Viewpoint [Online]. Available from: http://technet.microsoft.com/en-us/library/cc750854.aspx (Accessed: 06 November 2010).

Tanase, M. (2003) IP Spoofing: An Introduction [Online]. Available from: http://www.symantec.com/connect/articles/ip-spoofing-introduction (Accessed: 06 November 2010).

Techotopia (n.d.) An Overview of IT Security Threats and Attacks [Online]. Available from: http://www.techotopia.com/index.php/An_Overview_of_IT_Security_Threats_and_Attacks (Accessed: 06 November 2010).
