
CS682-Network Security
Module-1
Introduction to Network Security
SYN
 This is CS682, Network Security
 There is a lab in RH219, get your accounts
 Homework-0 is on-line: Part I, II due next
week, Part III, IV due in two weeks
 Homework submission:
 Handover hardcopies at the beginning of the class
 Randomly selected students will be asked for
demos of their work
 Website:
Prerequisites for CS682
 CS392
 Website:
 Textbook: “Computer Security: Art and Science,” Matt Bishop, 0201440997
 CS918 or EL537
 Textbook: “TCP/IP Illustrated, Vol. 1,” Richard W. Stevens
 Programming Reference: “Unix Network Programming, Vol.
1,” Richard W. Stevens, 013490012X
 Basic Understanding of Operating Systems
 CS623 – Operating Systems I
 Textbook: “Operating System Concepts,” Silberschatz,
Galvin, & Gagne
Prerequisites for CS682
 Cryptography & Computer Security:
 Symmetric & asymmetric key algorithms
 Key Exchange, Authentication etc.
 Hash, Message Digests, Signatures etc.
 Networking:
 TCP/UDP/ICMP
 IP
 Ethernet, ARP, RARP
 Programming Environment:
 Unix & C (Mostly Linux and ANSI C)
 CASL (Custom Audit Scripting Language)
[Figure: XYZ Enterprise Network Layout, showing an External Router/Firewall, an Internal Router/Firewall, a Switch, the Backbone, a Server Network (Server_00, Server_01, Server_02), a Student Network, the department networks (Accounting, Sales, Information Systems, Customer Service, Human Resources) and an IDS System.]
What is This Course about?
We will explore:
 Various vulnerabilities in network protocols and services.
 Mechanisms to protect networks.
 Security tools.

Overview of This Course
 TCP/IP Suite
 Vulnerabilities and solutions
 Security protocols built on top of TCP/IP
 Security devices and tools to test and protect networks
 Network security theory and practice
 In homework
 Explore TCP/IP vulnerabilities in detail by exploiting them
using CASL
 Learn to analyze a TCP/IP network for vulnerabilities
 Write small client/server applications and learn to do
penetration testing on your code and algorithm.
 Learn to set up security devices such as firewalls and IDS
systems, and how to integrate them.
 “War Games” – A serious one if time permits
Introduction to TCP/IP
R/L = HTTP Request and Reply
TH/TF = TCP Header and Footer
IH/IF = IP Header and Footer
EH/EF = Ethernet Header and Footer
(The slide draws a header and a footer at every layer for symmetry. On the wire only the Ethernet frame actually carries a trailer, the frame check sequence; TCP and IP have headers only.)
[Figure: Host A (HTTP web browser, TCP, IP, 3Com NIC driver) and Host B (HTTP web server, TCP, IP, 1GB NIC driver) connected through a network cloud. Each layer on A talks to its peer layer on B over a logical link: HTTP Protocol, TCP Protocol, Network. Going down the stack the request R is wrapped as TH R TF by TCP, then IH TH R TF IF by IP, then EH IH TH R TF IF EF by Ethernet; the reply L comes back the same way and is unwrapped layer by layer on the receiving host.]
Security Issues in Networking
Normal Flow: Host A sends to Host B and nothing interferes. Life is great here (an ideal life).
Interruption: An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on availability. Examples include destruction of a piece of hardware, such as a hard disk, the cutting of a communication link, or the disabling of the file management system.
[Figure: Normal Flow, Host A -> Host B. Interruption, the flow from Host A to Host B is cut.]
Security Issues in Networking
Interception: An unauthorized party gains access to an asset. This is an attack on confidentiality. The unauthorized party could be a person, a program, or a computer. Examples include wiretapping to capture data in a network, and the illicit copying of files or programs.
[Figure: Interception, Host C copies the flow from Host A to Host B.]
Modification: An unauthorized party not only gains access to but tampers with an asset. This is an attack on integrity. Examples include changing values in a data file, altering a program so that it performs differently, and modifying the content of a message being transmitted in a network.
[Figure: Modification, Host C alters the flow from Host A to Host B in transit.]
Security Issues in Networking
Fabrication: An unauthorized party inserts counterfeit objects into the system. This is an attack on authenticity. Examples include the insertion of spurious messages in a network or the addition of records to a file.
[Figure: Fabrication, Host C sends Host B messages that appear to come from Host A.]
Attacks can be classified into two broad categories:
Passive Attack: Passive attacks can only observe communications or data (interception is passive).
Active Attack: Active attacks can actively modify communications or data. Often difficult to perform, but very powerful. Examples: mail forgery/modification, and TCP/IP spoofing/session hijacking (interruption, modification and fabrication are active).
Security Issues in TCP/IP
 TCP/IP was not designed with security in mind
 Most of the attacks present today were unheard of during the
design of TCP/IP
 It was designed to protect DoD network infrastructures
 It does not have a strong authentication mechanism (the addresses in
the headers are taken on trust)
 The primary objective during the design was a robust
communication protocol that would survive partial network
damage.
 There was no threat from the insider; the notion of a
malicious node did not exist (nodes were missile silos)
Network Programming in Unix
 Network programming jargon:
 Address: a bit string identifying a machine (32 bits for IPv4)
 Port: an entry point via the network into a machine (a 16-bit number)
 Socket: an {address, port} pair, the endpoint a program reads and writes
 Binding: the process of attaching a socket to a port
 Client-Server Model: the client sends a request to the server; the
server sends back a response.
Client-Side Programming
1. Initialize environment
2. Create a socket
3. Identify server’s IP
address, port number
4. Establish a connection
to server
5. Read/write as if the
socket were a file
6. Close connection
7. Exit program

Headers: <sys/socket.h> <netinet/in.h> <arpa/inet.h> <unistd.h> <string.h> <stdlib.h>
1. struct sockaddr_in server;
   memset(&server, 0, sizeof(server));            /* bzero() on older systems */
2. sockfd = socket(AF_INET, SOCK_STREAM, 0);        /* -1 on failure: check it */
3. server.sin_family = AF_INET;
   server.sin_port   = htons(80);                  /* port in network byte order */
   inet_pton(AF_INET, argv[1], &server.sin_addr);  /* returns 1 on success */
4. connect(sockfd, (struct sockaddr *)&server, sizeof(server));
5. n = read(sockfd, buffer, max_buffer);            /* may return fewer bytes than asked;
                                                      loop until 0 (EOF) or -1 (error) */
6. close(sockfd);
7. exit(0);
Server-Side Programming
1. Initialize environment
2. Create socket
3. Bind socket to a port
4. Listen on port
5. Accept connection
6. Read/write
7. Close connection
8. Exit program
1. struct sockaddr_in server;
   memset(&server, 0, sizeof(server));
2. listenfd = socket(AF_INET, SOCK_STREAM, 0);
3. server.sin_family      = AF_INET;
   server.sin_addr.s_addr = htonl(INADDR_ANY);     /* all local interfaces */
   server.sin_port        = htons(80);             /* ports below 1024 need root */
   bind(listenfd, (struct sockaddr *)&server, sizeof(server));
4. listen(listenfd, 5);                            /* backlog of not-yet-accepted connections */
5. connfd = accept(listenfd, NULL, NULL);          /* blocks until a client connects */
6. n = read(connfd, buffer, buff_max);             /* same partial-read caveat as the client */
7. close(connfd);
8. exit(0);
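The client and server steps above, written out as one complete program over the loopback interface. This is an added example, not code from the CS682 slides; the Python stdlib calls map one-to-one onto the C calls listed (socket, bind, listen, accept, connect, recv/sendall, close). The "ECHO <text>" request format is a constructed toy protocol, not HTTP. Two things the slide fragments gloss over are made explicit: read() returns whatever has arrived, not a whole message, so the receiver loops, and an unbounded receive loop is a trivial denial-of-service target, so the line length is capped.

```python
"""Added example (not part of the CS682 slides): the client and server steps
above as one runnable Python program over the loopback interface. The
request/reply format ("ECHO <text>") is a constructed toy protocol, not HTTP."""
import socket
import threading

HOST = "127.0.0.1"   # bind to loopback only; INADDR_ANY would expose the test server
MAX_LINE = 1024      # upper bound on bytes buffered for one request line


def recv_line(sock, limit=MAX_LINE):
    """Read one '\\n'-terminated line. read()/recv() return whatever has
    arrived so far, not a whole message, so callers must loop; the limit
    keeps a peer from making the server buffer without end."""
    buf = bytearray()
    while b"\n" not in buf:
        if len(buf) >= limit:
            raise ValueError("line too long")
        chunk = sock.recv(limit - len(buf))
        if not chunk:                       # EOF before the line was complete
            raise ConnectionError("peer closed mid-line")
        buf += chunk
    line, _, _ = bytes(buf).partition(b"\n")
    return line


def handle_request(line):
    """Toy server logic: echo the argument upper-cased, reject anything else."""
    if line.startswith(b"ECHO "):
        return b"OK " + line[5:].upper() + b"\n"
    return b"ERR unknown command\n"


def serve_one(listen_sock):
    """Server steps 5-7: accept one client, answer one request, close."""
    conn, _peer = listen_sock.accept()
    with conn:
        try:
            reply = handle_request(recv_line(conn))
        except (ValueError, ConnectionError) as exc:
            reply = b"ERR " + str(exc).encode() + b"\n"
        conn.sendall(reply)   # sendall() loops until every byte is written


def start_server():
    """Server steps 1-4. Port 0 lets the kernel pick a free ephemeral port."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind((HOST, 0))
    ls.listen(5)
    port = ls.getsockname()[1]
    worker = threading.Thread(target=serve_one, args=(ls,), daemon=True)
    worker.start()
    return ls, port, worker


def roundtrip(request, timeout=5.0):
    """Client steps 1-7 against a fresh server; returns the reply line."""
    ls, port, worker = start_server()
    try:
        with socket.create_connection((HOST, port), timeout=timeout) as client:
            client.sendall(request)
            return recv_line(client)
    finally:
        worker.join(timeout)
        ls.close()


if __name__ == "__main__":
    print(roundtrip(b"ECHO hello, world\n"))
    print(roundtrip(b"GET / HTTP/1.0\n"))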
On the Wire
Client                                          Server
connect()                                       listen(); accept() blocks waiting
SYN_SENT             --- SYN ---------------->  SYN_RCVD
                     <-- SYN,ACK -------------
ESTABLISHED          --- ACK ---------------->  ESTABLISHED (accept() returns)
write()              --- Request ------------>  read()
read()               <-- Reply, ACK ----------  write()
                     --- ACK ---------------->
close()              --- FIN ---------------->
FIN_WAIT1            <-- ACK -----------------  CLOSE_WAIT
FIN_WAIT2            <-- FIN -----------------  close(); LAST_ACK
TIME_WAIT            --- ACK ---------------->  CLOSED
(The client stays in TIME_WAIT for 2*MSL before the connection is fully CLOSED.)
References and Reading Assignments
 Read about TCP/IP from
 www.cs.um.edu.mtzSz~kvelzSzCSA401zSzibm-tcpip.pdf/tcp-ip-tutorial-and.pdf
(Look for “tcp ip security” at )
 From Books 24x7
 Read about Linux Socket programming from
 Books 24x7
 Search in Google for more practical examples
 Review CS392 lecture notes for general issues in
information security.
Taxonomy of Network Vulnerabilities
 Vulnerabilities Classification:
 Improper Design of Protocol (e.g.: 802.11 Security)
 Improper Implementation of Protocol (e.g.: Teardrop)
 Improper Configuration of Protocol (e.g.: Smurf)
 Exploit Modes:
 Passive Exploits (e.g.: Packet Sniffing)
 Blind Exploits (e.g.: Spoofing)
 Active Exploits (e.g.: Session Hijacking)
 Where to Find Vulnerabilities:
 Application Level (e.g.: Cross Site Scripting)
 Protocol Level (e.g.: Teardrop)
 MAC (e.g.: Jamming)
Packet Sniffing
 Sniffers are wire-tap devices (software+hardware) that can be
plugged into a computer network to eavesdrop on computers
in the network.
 Sniffing requires physical access to network medium.
 It is a passive activity, in that sniffing doesn’t introduce new
packets into network.
 Sniffing is useful in two ways:
1. Eavesdropping (e.g.: extracting passwords or IDs)
2. Traffic Analysis (e.g.: tracking ssh connections)
 Packet Sniffers have two phases:
1. Packet Capture Phase
2. Protocol Analysis Phase
 Two essential ingredients for successful sniffing:
1. Shared Media
2. Promiscuous Mode Operations
Anatomy of a sniffer
 In normal mode, the network interface card discards packets not
destined to the current host.
 Promiscuous mode disables this filter and lets all packets flow up
through the network stack.
 A sniffer simply captures these packets for consumption.
 There is more to a sniffer than setting a network card to
promiscuous mode.
[Figure: Normal Network Interface Operation: "is destination?" no -> discard, yes -> pass up to the Application. Promiscuous Mode Network Interface Operation: the destination check is bypassed and every frame is passed to the Sniffer.]
Anatomy of a sniffer
 Media: usually an Ethernet card but it could also be a wireless
card or anything else.
 Capture Driver: software driver to capture and filter network
traffic, e.g. pcap and BPF.
 Buffer: packets must be temporarily buffered prior to storage or
processing. Usually fill-buffered (capture stops when the buffer is
full) or round-robin (the oldest packets are overwritten).
 Decode: packets must be decoded to a human-readable form.
 Logging: permanent storage of packets for offline analysis.
[Figure: Packets flow Media -> Capture Driver -> Buffer -> Decode -> Logging/Editing.]
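The Decode phase, applied to the EH/IH/TH/R encapsulation drawn under "Introduction to TCP/IP": an added example, not code from the CS682 slides or from any of the sniffers named here. It walks an Ethernet II frame down to the TCP payload, verifies the IPv4 header checksum, and checks every length field against the bytes actually captured before using it, which is what separates a robust decoder from one that a malformed packet (the Teardrop class mentioned in the taxonomy) can crash. The frame is constructed in build_sample_frame(), not taken from a real capture; the TCP checksum in it is left at zero and is not verified.

```python
"""Added example (not from the CS682 slides): the Decode phase of a sniffer,
applied to the EH/IH/TH/R encapsulation drawn under "Introduction to TCP/IP".
The frame is constructed in build_sample_frame(), not taken from a capture."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ipv4_checksum(header):
    """RFC 791: one's complement of the one's-complement sum of the 16-bit words.
    Computed over a header whose checksum field is filled in, it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_frame(frame):
    """Ethernet II -> IPv4 -> TCP. Every length taken from a header is checked
    against the bytes actually captured before it is trusted; a decoder that
    believes on-the-wire lengths is the classic way a sniffer gets crashed."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4 (ethertype 0x%04x)" % ethertype)
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("bad IPv4 length fields")
    if proto != IPPROTO_TCP:
        raise ValueError("not TCP (protocol %d)" % proto)
    tcp = ip[ihl:total_len]                 # ignore Ethernet padding past total_len
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4
    if doff < 20 or len(tcp) < doff:
        raise ValueError("bad TCP data offset")
    return {
        "eth_src": mac_str(src_mac), "eth_dst": mac_str(dst_mac),
        "ip_src": socket.inet_ntoa(src), "ip_dst": socket.inet_ntoa(dst), "ttl": ttl,
        "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for name, bit in TCP_FLAGS if off_flags & bit],
        "payload": tcp[doff:],              # the R of the slide: the HTTP request
    }


def build_sample_frame(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Constructed frame: 10.0.0.1:40000 -> 10.0.0.2:80, PSH|ACK, IP checksum
    filled in, TCP checksum left 0 (not verified by decode_frame)."""
    eth = struct.pack("!6s6sH", bytes.fromhex("00aaaaaaaaaa"),
                      bytes.fromhex("00bbbbbbbbbb"), ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


if __name__ == "__main__":
    for key, value in decode_frame(build_sample_frame()).items():
        print("%-15s %r" % (key, value))
```

A real capture driver hands decode_frame() the raw bytes from pcap or a BPF device; the function itself has no dependency on either.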
 Popular sniffers:
 Ethereal (now Wireshark) – excellent protocol analyzer
 tcpdump – you’ll use this in homework
 Carnivore – FBI uses this at ISPs
 AirSnort – 802.11 wireless sniffer
Uses of sniffers
 Stealing clear-text content on the wire and in the air
 Passwords
 Credit card numbers
 “Secret” email conversations
 Network traffic analysis
 If the network content is encrypted then perform traffic
analysis to extract partial information
 Famous pizza delivery to Pentagon story
 Intrusion detection systems are built on sniffers
 Traffic logging for forensics
 Fault analysis of networks
 Performance analysis to identify bottlenecks
 Are sniffers bad? Yes and no!
Sniffing out the sniffers…
 Sniffing is a passive activity, hence done properly it is
impossible to detect a sniffer!
 However, there are some practical solutions
 Local detection of promiscuous mode
 Improper response to ping
 Improper response to ARP queries
 Improper response to DNS queries
 Source routing to suspicious node
 Employing a honeypot
 Network latency monitoring
 Time-domain reflectometers
 SNMP monitoring
 Can you design a sniffer to counter these detection
methods?
Detection of promiscuous mode
 If you suspect a machine is running a sniffer
then use ifconfig to find out if the NIC is in
promiscuous mode.
 Obviously, you will use an ifconfig binary
from a trusted machine or CD-ROM.
# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:AA:AA:AA:AA:AA
inet addr:0.0.0.0 Bcast:0.0.0.55 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:595017 errors:0 dropped:0 overruns:0 frame:0
TX packets:113401 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:10 Base address:0xb800
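The check above, automated: an added example, not code from the CS682 slides. It parses interface listings for the PROMISC flag so the check can be run over many hosts from a trusted binary. One caveat the slide predates: on current Linux kernels the PROMISC flag that ifconfig reports reflects promiscuity set through ifconfig itself, while a libpcap sniffer shows up as a non-zero "promiscuity" counter in `ip -d link` (and as a "device ethX entered promiscuous mode" line in the kernel log), so the example parses both formats. Both sample outputs are constructed, not captured from a real machine.

```python
"""Added example (not from the CS682 slides): parse interface listings for
promiscuous mode. Both sample outputs below are constructed, not captured."""
import re

SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:AA:AA:AA:AA:AA
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:595017 errors:0 dropped:0 overruns:0 frame:0

eth1      Link encap:Ethernet  HWaddr 00:BB:BB:BB:BB:BB
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
"""

SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 1500
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:bb:bb:bb:bb:bb brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 1500
"""


def promisc_from_ifconfig(text):
    """Interfaces whose indented flag line (under the unindented 'ifname Link encap'
    line) carries PROMISC. This is the legacy check from the slide."""
    found, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]          # a new interface block starts unindented
        elif current and re.search(r"\bPROMISC\b", line):
            found.append(current)
    return found


def promisc_from_ip_link(text):
    """Interfaces with a non-zero promiscuity counter in `ip -d link` output.
    The counter is bumped by every promiscuous capture opener, libpcap
    included, so it catches sniffers the legacy flag does not."""
    found, current = [], None
    for line in text.splitlines():
        head = re.match(r"\d+:\s+([^:@\s]+)[@:]", line)
        if head:
            current = head.group(1)
            continue
        count = re.search(r"\bpromiscuity (\d+)", line)
        if current and count and int(count.group(1)) > 0:
            found.append(current)
    return found


def live_ip_link(ip_binary="ip"):
    """Run `ip -d link` on this machine (Linux only); None if the binary is
    unavailable. As the slide says, run a binary you trust, not the suspect's."""
    import subprocess
    try:
        out = subprocess.run([ip_binary, "-d", "link"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return promisc_from_ip_link(out)


if __name__ == "__main__":
    print("ifconfig says promiscuous:", promisc_from_ifconfig(SAMPLE_IFCONFIG))
    print("ip -d link says promiscuous:", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("this machine:", live_ip_link())
```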
Improper Response to Pings
 Remember how the sniffers put the network card into promiscuous
mode? Any packet, whether it is destined to the machine or not, is
sent through the network stack.
 We can exploit this fact to trick the sniffers into giving up their
locations.
 Send a ping (ICMP Echo Request) to a suspected sniffer with the IP of
the sniffer but with the MAC of another machine.
 What happens in the network stack:
1. The card receives the packet.
2. Since it is in promiscuous mode, it ignores the MAC address, removes
the Ethernet header and sends the packet to IP.
3. IP checks the IP destination; since it is the proper destination, it
sends the packet to ICMP.
4. ICMP sends an Echo Reply!
5. Oops!
 We know we should not be receiving a reply for this packet, since the
MAC and IP are mismatched.
Improper Response to Pings
 This method can be generalized to:
1. Any protocol or service that sends a response,
such as TCP connection establishment or telnet.
2. Any protocol or service that generates an error
message in response, such as bad IP packets.
 Can we fix the sniffer not to give up its
location?
 Sure. Do more sanity checks on the packets
addressed to the machine using a software filter.
Improper response to ARP queries
 Similar to the method described earlier.
 Send an ARP request for the suspect’s IP to a non-broadcast MAC address
that is not the suspect’s; if the machine replies, it is running in
promiscuous mode.
 Another method:
 ARP mappings are cached, and the machine that sends a request includes
its own mapping in the request, so whoever processes the request caches
it.
1. Send a non-broadcast ARP request (only a promiscuous host sees it and
caches our mapping).
2. Send a broadcast ping.
3. A machine that replies to the ping without first ARPing for our address
could only have gotten the mapping from our earlier non-broadcast ARP,
so it must be in promiscuous mode.
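A model of the receive path that makes the two detection tricks above, and the fix suggested on the previous slide, concrete: an added example, not code from the CS682 slides. It does not touch the network; it reproduces the decision each layer makes (NIC filter, optional software filter, IP destination check, ICMP/ARP reply) so the same probe can be run against a normal host, a naive sniffer and a sniffer with a software filter. All MAC and IP addresses are constructed.

```python
"""Added example (not from the CS682 slides): a model of the receive path
showing why a host in promiscuous mode answers a ping or ARP request whose
IP address is right but whose Ethernet destination is wrong, and how a
software filter in the sniffer closes the leak. All addresses are constructed."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Host:
    def __init__(self, mac, ip, promiscuous=False, software_filter=False):
        self.mac, self.ip = mac, ip
        self.promiscuous = promiscuous          # NIC passes every frame up
        self.software_filter = software_filter  # sniffer re-checks dst MAC itself

    def nic_accepts(self, frame):
        """Normal NIC: only our unicast MAC or broadcast. Promiscuous: everything."""
        return self.promiscuous or frame["dst_mac"] in (self.mac, BROADCAST)

    def receive(self, frame):
        """The reply frame the stack would emit, or None if it stays silent."""
        if not self.nic_accepts(frame):
            return None
        if self.software_filter and frame["dst_mac"] not in (self.mac, BROADCAST):
            return None   # hardened sniffer: drop what the NIC should have dropped
        reply = {"src_mac": self.mac, "dst_mac": frame["src_mac"],
                 "src_ip": self.ip, "dst_ip": frame["src_ip"]}
        if frame["type"] == "icmp-echo-request" and frame["dst_ip"] == self.ip:
            reply["type"] = "icmp-echo-reply"   # IP accepted it, so ICMP answers
            return reply
        if frame["type"] == "arp-request" and frame["target_ip"] == self.ip:
            reply["type"] = "arp-reply"
            return reply
        return None


PROBER_MAC, PROBER_IP = "00:aa:aa:aa:aa:01", "192.0.2.1"   # constructed
BOGUS_MAC = "00:de:ad:be:ef:00"                            # belongs to no host on the segment


def probe(target, kind, dst_mac=BOGUS_MAC):
    """Send a ping or ARP request for target.ip to dst_mac; True if it answered."""
    if kind == "ping":
        frame = {"type": "icmp-echo-request", "src_mac": PROBER_MAC, "dst_mac": dst_mac,
                 "src_ip": PROBER_IP, "dst_ip": target.ip}
    else:
        frame = {"type": "arp-request", "src_mac": PROBER_MAC, "dst_mac": dst_mac,
                 "src_ip": PROBER_IP, "target_ip": target.ip}
    return target.receive(frame) is not None


def classify(target):
    """A reply to a wrong-MAC probe means promiscuous. The correct-MAC ping is the
    control: a host that will not answer even that cannot be judged this way."""
    if not probe(target, "ping", dst_mac=target.mac):
        return "unknown"
    return "promiscuous" if (probe(target, "ping") or probe(target, "arp")) else "normal"


if __name__ == "__main__":
    for h in (Host("00:bb:bb:bb:bb:02", "192.0.2.2"),
              Host("00:cc:cc:cc:cc:03", "192.0.2.3", promiscuous=True),
              Host("00:dd:dd:dd:dd:04", "192.0.2.4", promiscuous=True, software_filter=True)):
        print(h.ip, classify(h))
```

The third host is the answer to "Can we fix the sniffer not to give up its location?": with the software filter in place it is indistinguishable from a normal host by either probe.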
Improper Response to DNS Queries
 Some sniffers do reverse-DNS lookups on IP
addresses they see.
 To identify sniffers, do a ping sweep on
addresses that do not exist.
 Watch the DNS server for reverse-DNS
queries for these addresses.
 By doing a reverse-DNS lookup sniffers
violate the passive activity code, they begin to
inject packets into network. Probably not a
good design decision.
Source routing to suspicious node
 In source routing, intermediate routers ignore their routing tables
and simply forward the packet to the next hop in the list.
 We use the idea in the following way:
1. Create a source-routed ping to the suspicious node.
2. Choose as intermediary a node that does not forward packets.
3. Send the packet on the wire.
4. If we get a response from the suspicious node then the node is in
promiscuous mode, because our intermediary would have dropped the
packet since it doesn’t route, so the suspicious node could only have
gotten this packet by sniffing the wire.
Other Methods
 Employing a honeypot:
 Let an automated script generate clear-text traffic (for example a login
with a bait password) and lure the attackers into sniffing it. A later
use of the bait password identifies the sniffer.
 Network latency monitoring:
 Uses the fact that sniffers process an unusually large number of
packets. Load the network with dummy packets and ping sweep the
machines; the ones with sniffers will show larger latency. (Not a viable
solution.)
 Time-domain reflectometers:
 TDRs work like RADAR. A TDR sends out a pulse and detects reflections
off the wire. This can also detect addressless passive hardware sniffers
on the wire.
 SNMP monitoring:
 Lets you track connection details. If packets take an unusual path
through the network, most probably a sniffer is luring packets its way
by ARP spoofing.
How to avoid sniffers
 Replace the hub (shared medium) with a switch (switched medium).
A switch limits what a passive sniffer sees, but an active attacker can
still pull traffic onto a switched port by:
 Switch jamming
 ARP spoofing
 ICMP Redirect
 ICMP Router Advertisements
 Cable taps
 Never send clear-text messages on the wire
 SSH for telnet
 SFTP for FTP
 SSL-tunneled IMAP for IMAP
 PGP for unencrypted email
 VPN for clear-text traffic
 Broadband and wireless connections are sniffable.
Sniffers and Anti-Sniffers
Sniffers:
 tcpdump*
 Ethereal
 Etherpeek
 AirSnort
 Snoop
 Dsniff
 Snort
Anti-sniffers:
 Antisniff
 Sentinel
 ifconfig/ifstatus
 NEPED (Network Promiscuous Ethernet Detector)
 CPM (Check Promiscuous Mode)
Route Discovery
 Packets to and from a host often have route symmetry on the
Internet.
 Which means, with reasonable probability, packets from node A to
node B travel the same path as packets from node B to node A
(asymmetric routes do occur, so what we discover is the forward path).
 And most often packets from the same source to the same
destination follow the same path.
 Our goal is to find the intermediate nodes a packet travels through
to reach a remote node.
 How shall we implement this?
Using IP Record Route Option (RR)
 We can use the IP record route option with ICMP Echo Request
(ping –R).
 This asks intermediate routers to put their IP addresses in the
header; when the packet reaches the destination, it copies the route
into the Echo Reply and sends it back to the source.
 This is not a good implementation. Why?
1. Requires all routers on the path to support RR.
2. Requires a ping server at the destination. Most ping servers reflect
the Echo Request, so the return path is also recorded in the same option.
3. There is no room for long paths. The IP options field (40 bytes) has
room for only 9 addresses, but routes in the current Internet are
longer; the average is about 14 hops.
 So we need an implementation that doesn’t depend on any special
servers and works by default on any router.
Using IP TTL Field
 The TTL field is used as a simple hop count at the routers.
 A router decrements the TTL of every datagram it forwards; when the
TTL reaches 0 it discards the datagram and sends an ICMP Time
Exceeded message to the source. A datagram that arrives with TTL 1 (or
0) therefore never gets past that router.
 This Time Exceeded message has the router’s IP as the source address.
 We can now easily build a route discovery based on this information:
i = 1;
while (i <= 255) {
    send_UDP(TTL = i, dest, port = 65521);
    if (receive_ICMP(dest) == "Port Unreachable")   /* the destination itself answered */
        break;
    ++i;                                            /* a router answered Time Exceeded */
}
Using IP TTL Field
 The algorithm works as follows:
1. We send a UDP packet to a large port number (65521), wrapped in an
IP datagram with TTL = 1, 2, ..., 255.
2. The router at which the TTL is decremented to 0 discards the datagram
and returns ICMP Time Exceeded, revealing its address. Then we
increment the TTL by one and send the packet again.
3. When the packet reaches the destination, it sends out an ICMP Port
Unreachable message, because it is highly unlikely that any application
is listening on the port we chose.
4. The algorithm terminates either when it gets Port Unreachable or when
TTL = 255.
 This implementation relies only on default behaviors of routers and a
standard UDP implementation at the destination. Where a router does not
send Time Exceeded, or a firewall drops the UDP probe or the ICMP reply,
that hop simply stays silent.
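The loop above as a function, run against a constructed path so it can be exercised without raw sockets or root: an added example, not code from the CS682 slides. The probe sender is a parameter, so the same loop would drive a real UDP/ICMP implementation; the constructed network also models the two failure modes a practitioner meets in the field, a router that never sends Time Exceeded (shown as "*") and a destination behind a firewall that drops UDP, which never sends Port Unreachable and leaves the loop to run out of TTL. For comparison, the real traceroute sends its UDP probes to ports starting at 33434, three probes per hop, and stops at 30 hops by default.

```python
"""Added example (not from the CS682 slides): the TTL-based route discovery
loop above as a function, run against a constructed path."""


def discover_route(send_probe, max_ttl=255):
    """send_probe(ttl) must return ("time_exceeded", router_ip),
    ("port_unreachable", dest_ip) or None when nothing came back.
    Returns (hops, reached): hops is a list of (ttl, address-or-None),
    reached says whether Port Unreachable terminated the loop."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        answer = send_probe(ttl)
        if answer is None:
            hops.append((ttl, None))          # silent hop: traceroute prints '*'
            continue
        kind, addr = answer
        hops.append((ttl, addr))
        if kind == "port_unreachable":        # the destination's UDP stack answered
            return hops, True
    return hops, False                        # ran out of TTL without reaching dest


def simulated_network(path, dest, silent=(), dest_filters_udp=False):
    """Constructed stand-in for the Internet: `path` lists the router addresses
    in order. Routers in `silent` never send Time Exceeded (rate limiting or an
    ACL); a destination that filters UDP never sends Port Unreachable."""
    def send_probe(ttl):
        if ttl <= len(path):
            router = path[ttl - 1]            # TTL runs out at the ttl-th router
            return None if router in silent else ("time_exceeded", router)
        return None if dest_filters_udp else ("port_unreachable", dest)
    return send_probe


PATH = ["10.0.0.1", "192.0.2.1", "198.51.100.7"]   # constructed router addresses
DEST = "203.0.113.9"                                # constructed destination


def format_route(hops):
    """traceroute-style listing, one line per TTL."""
    return "\n".join("%2d  %s" % (ttl, addr or "*") for ttl, addr in hops)


if __name__ == "__main__":
    hops, reached = discover_route(simulated_network(PATH, DEST, silent={"192.0.2.1"}))
    print(format_route(hops))
    print("reached destination:", reached)
    hops, reached = discover_route(simulated_network(PATH, DEST, dest_filters_udp=True), max_ttl=6)
    print(format_route(hops))
    print("reached destination:", reached)
```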
Uses of Route Discovery
 Maps out the network topology (Look at the
map of Internet in our lab)
 To get an idea of the network neighborhood
 Network fault analysis
 Router failures
 Routing loops
 Network bottlenecks
 Route Discovery Tools:
 traceroute/tracert
 Visual Route (fun stuff)
Summary of Today’s Lecture
 You have at most two weeks to play catch-up
 Drop by the lab and get your accounts
 Start working on homework-0
 We covered:
 Extremely quick review of networking
 Somewhat quick review of network programming
 Sniffing
 Route discovery
 Coming up next week…
 CASL
 Fingerprinting
 Spoofing
