ITI 510 - PowerPoint PPT Presentation

About This Presentation
Title: ITI 510
Description: Exploits that spread from one infected computer to another. ITI-510. Computer. Networks ... Without hacking password files or stealing sensitive data, a ... – PowerPoint PPT presentation

Slides: 39
Provided by: chrisu2

Transcript and Presenter's Notes

1
ITI 510 Computer Networks, Meeting 5
  • Rutgers University Internet Institute
  • Instructor Chris Uriarte

2
ICMP Internet Control Message Protocol
  • ICMP is a message control and error-reporting
    protocol between a host server and a gateway to
    the Internet.
  • ICMP uses IP packets to transport its messages.
  • ICMP messages are processed by the IP software
    portion of the operating system, and are not
    directly apparent to the application user.

3
ICMP Message Generation
  • There are a number of situations that may cause
    an ICMP message to be generated:
  • A link to a host is down.
  • A host is down or is not responding.
  • The TTL (Time-to-Live) IP hop count has
    expired.
  • When an error is detected, the IP packet is
    discarded by the router and an ICMP message is
    returned directly to the source host.

4
Types of ICMP Error Messages
  • There are several types of ICMP messages:
  • Destination Unreachable - A packet cannot reach
    its destination host, service or application.
    Usually caused by a network link, host or
    application being down.
  • Time Exceeded - The Time-To-Live for a packet has
    expired, i.e. the packet hit too many routers in
    its travels. Usually caused by routing loops.
  • Parameter Problem - Some piece of data in the IP
    header just doesn't make sense.
  • Redirect - The router notifies the sending host to
    use another gateway for the desired path.

5
Transmission of ICMP Messages
  • ICMP Messages are sent in the Data portion of
    an IP packet.
  • The Protocol field in the IP packet is set to
    1, signifying to a host that the data portion
    of the packet contains an ICMP message.
  • The format of an ICMP message will vary based on
    the type of ICMP message.

6
When ICMP Messages are NOT Sent
  • When a particular problem is encountered sending
    an ICMP message back to a host (we don't want
    ICMP errors to create more ICMP packets).
  • When a problem is encountered with broadcast or
    multicast packets (packets sent to all hosts on a
    network), because we don't want multiple hosts
    responding with ICMP errors.
  • Messages whose source address does not identify
    a unique host, like 0.0.0.0 or 127.0.0.1.

7
The ping Utility
  • Ping is a basic Internet program that lets you
    verify that a particular IP address exists and
    can accept requests.
  • Generally used for network troubleshooting and to
    verify connectivity between hosts.
  • Ping uses the ICMP ECHO function, which simply
    sends ICMP messages round-trip between hosts.
    When a destination host receives an ICMP ECHO
    request, it returns an ICMP ECHO reply message
    back to the source host.
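The ICMP Echo exchange described in slides 5 and 7, as an added example that is not part of the original slides: it builds an Echo Request the way a ping program does (type 8, code 0, RFC 1071 checksum, identifier, sequence number, payload), verifies the checksum as a receiving host would, and answers it with an Echo Reply (type 0). No raw sockets are used; the packet bytes are constructed and checked in memory, and the 32-byte payload is a constructed sample.

```python
import struct

ICMP_ECHO_REQUEST = 8   # ICMP type of an Echo Request (what ping sends)
ICMP_ECHO_REPLY = 0     # ICMP type of an Echo Reply (what the target answers)
IP_PROTO_ICMP = 1       # value of the IP Protocol field announcing an ICMP payload

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words, as ICMP requires."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length message
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP Echo message: type, code=0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)   # checksum field zeroed
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload

def parse_echo(packet: bytes) -> dict:
    """Parse an ICMP Echo message and verify its checksum (the receiver's view)."""
    if len(packet) < 8:
        raise ValueError("ICMP Echo header is 8 bytes; packet too short")
    # Summing the whole message, checksum field included, yields 0 when intact.
    if icmp_checksum(packet) != 0:
        raise ValueError("ICMP checksum mismatch (corrupted message)")
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}

def make_reply(request: bytes) -> bytes:
    """What the destination host does: answer an Echo Request with an Echo Reply
    carrying the same identifier, sequence number and payload."""
    req = parse_echo(request)
    if req["type"] != ICMP_ECHO_REQUEST:
        raise ValueError("not an Echo Request")
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])

if __name__ == "__main__":
    # Constructed sample: a 32-byte payload, matching the "32 bytes" in the ping output above.
    request = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefghijklmnopqrstuvwabcdefghi")
    print(parse_echo(make_reply(request)))
```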

8
When ping is used
  • Ping is typically used for two reasons
  • To test whether a remote host is alive on a
    network
  • To test the round trip time between two hosts.
  • Used together, traceroute and ping are two very
    useful tools when performing network diagnostics.

9
Using ping
  • Ping is available on Windows and UNIX platforms
    by issuing the ping command.
  • Usage:
  • ping <hostname or IP address>
  • ping 128.6.6.4
  • ping www.rutgers.edu

10
Ping Results
  • Ping returns an output that shows the name of the
    host contacted, the number of packets sent, the
    size of the packets and the round trip time for
    each packet:

    C:\>ping www.rutgers.edu
    Pinging ncc1701.rutgers.edu [128.6.4.5] with 32 bytes of data:
    Reply from 128.6.4.5: bytes=32 time=10ms TTL=240
    Reply from 128.6.4.5: bytes=32 time=10ms TTL=240
    Reply from 128.6.4.5: bytes=32 time=10ms TTL=240
    Reply from 128.6.4.5: bytes=32 time=10ms TTL=240
    Ping statistics for 128.6.4.5:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 10ms, Maximum = 10ms, Average = 10ms

11
DNS: The Domain Name Service
  • IP addresses are usually paired with more
    human-friendly names through the Domain Name
    System (DNS).
  • Example: internet.rutgers.edu
    internet = hostname, rutgers = organization,
    edu = top-level domain
  • Other top-level domains include .com, .gov, .org,
    etc. There are also country-specific domains
    like .uk, .ca, .jp, etc.

12
DNS, cont.
  • Domain name information is maintained through a
    distributed database of host name / IP address
    pairings.
  • The Network Information Center (NIC) manages the
    top-level domains, delegates authority for
    second-level domains, and maintains a database of
    registered name servers for all second-level
    domains.
  • Host name assignments are maintained through zone
    files on the primary DNS server. The secondary DNS
    server gets its zone file from the primary server.

13
DNS, cont.
  • Network Solutions (previously the InterNIC)
    registers domain names. See
    http://www.networksolutions.com. Other registrars
    include Register.com.
  • Costs range from $20 to $50 per year.
  • ISPs are beginning to offer domain name
    registration as part of other packages.
  • You need to register a primary and a secondary
    domain name server for your domain and arrange to
    have zone files created on those DNS servers.

14
DNS Overview: If DNS Servers Could Talk
15
Typical DNS Query Flow
  • An end-user's PC queries its local DNS servers
    (provided by their company or ISP) for the IP
    address associated with a hostname.
  • If the local DNS server does not have the IP
    address locally available, it will contact the
    central root servers and ask for DNS servers
    that do have information for that particular
    domain (the authoritative server for that
    domain).
  • The local DNS server will then issue a second
    query to the authoritative DNS server for that
    domain, which will return the correct IP address
    for the hostname.
  • The local DNS server will return the correct IP
    address to the end-user PC that initiated the
    request.

16
DNS Caching
  • When local DNS servers contact remote DNS servers
    for DNS queries, the local servers cache
    information about that DNS zone (domain). Thus,
    subsequent queries don't require a query across
    the Internet for that domain every time a local
    PC needs DNS information for that domain.
  • For example, the first query for www.yahoo.com
    from a Rutgers PC will cause Rutgers's local DNS
    servers to cache yahoo.com DNS information, so
    subsequent queries on Rutgers networks do not
    require Rutgers nameservers to contact Yahoo's
    nameservers every time.
  • The amount of time the zone information is cached
    is set by the authoritative DNS server for the
    domain.
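A toy resolver illustrating the query flow of slide 15 and the caching of slide 16, added here and not part of the original slides. The root referrals, authoritative zone data, addresses (documentation range 192.0.2.0/24) and TTLs are constructed sample data, and the clock is passed in as a parameter so cache expiry can be shown without waiting.

```python
from dataclasses import dataclass

# Constructed sample data (not real DNS records): a toy root server that knows
# which nameserver is authoritative for each domain, and those authoritative
# servers' zone data with the TTL (seconds) they set on each answer.
ROOT_REFERRALS = {"yahoo.com": "ns1.yahoo.com", "rutgers.edu": "ns1.rutgers.edu"}
AUTHORITATIVE = {
    "ns1.yahoo.com": {"www.yahoo.com": ("192.0.2.10", 300)},
    "ns1.rutgers.edu": {"www.rutgers.edu": ("192.0.2.20", 3600)},
}

@dataclass
class CacheEntry:
    ip: str
    expires_at: float

class LocalResolver:
    """The company/ISP DNS server of the query-flow slides: it answers from its
    cache when it can, otherwise asks a root server, then the authoritative server."""

    def __init__(self):
        self.cache = {}
        self.upstream_queries = 0   # how many times we went out across the Internet

    def resolve(self, hostname: str, now: float) -> str:
        entry = self.cache.get(hostname)
        if entry and entry.expires_at > now:
            return entry.ip               # cache hit: no Internet query needed
        # Step 1: ask a root server which nameserver is authoritative for the domain.
        domain = ".".join(hostname.split(".")[-2:])
        self.upstream_queries += 1
        ns = ROOT_REFERRALS.get(domain)
        if ns is None:
            raise LookupError(f"no authoritative server known for {domain}")
        # Step 2: ask that authoritative server for the hostname's address.
        self.upstream_queries += 1
        record = AUTHORITATIVE[ns].get(hostname)
        if record is None:
            raise LookupError(f"{hostname} does not exist in zone {domain}")
        ip, ttl = record
        # The authoritative server's TTL decides how long we may cache the answer.
        self.cache[hostname] = CacheEntry(ip, now + ttl)
        return ip

if __name__ == "__main__":
    r = LocalResolver()
    print(r.resolve("www.yahoo.com", now=0), r.upstream_queries)    # root + authoritative
    print(r.resolve("www.yahoo.com", now=100), r.upstream_queries)  # served from cache
```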

17
Sending DNS Query Messages
  • A DNS query packet is formed at the application
    layer.
  • DNS is unique in that it can use either UDP/IP or
    TCP/IP to send a message.
  • It uses UDP by default; if the message is too big
    (>512 bytes), it will use TCP.

18
Types of DNS Records
  • There are several types of DNS records that are
    kept by DNS servers:
  • A Records give the IP address for a hostname.
  • CNAME Records give aliases for hostnames (e.g.
    web.domain.com is an alias for www.domain.com).
  • MX Records give the IP address of the mail host
    for a hostname or domain (e.g. mail addressed to
    anyone @yahoo.com gets handled by the mail server
    mail.yahoo.com).

19
DNS Tools
  • There are several tools for monitoring DNS
    information:
  • whois tells you the owner and primary DNS
    servers associated with a domain (e.g. whois
    yahoo.com). Also available via web browser at
    www.networksolutions.com and other places on the
    web.
  • nslookup and host (host is only on UNIX machines)
    tell you IP address information for a
    particular hostname on the internet (e.g.
    nslookup www.yahoo.com or host www.rutgers.edu)

20
DNS Exercise
  • What are the IP addresses of the DNS servers that
    contain information about rutgers.edu?
  • What are the IP addresses of:
  • www.retaildecisions.com
  • abusaday.admin.cju.com
  • www.linux.org

21
Network Security
  • Security is, quite possibly, the hottest topic in
    network and systems infrastructure today.
  • Increased use of the Internet and the extension
    of enterprise computing environments into
    network-based global infrastructures has required
    IT groups to look at security like they never
    have before.
  • Recent innovations that greatly affect security:
  • Heavy dependence on the Internet
  • Telecommuting
  • Invasive client programs like Napster, Instant
    Messenger, etc.
  • Electronic Mail
  • In most organizations today, security must be a
    core competency, rather than a specialty.

22
What type of attacks are we afraid of?
  • Opportunistic Attacks
  • Hackers take advantage of holes in an
    infrastructure to gain access to or bring down a
    network.
  • Targeted Attacks
  • Competitors attempt to gain trade secrets
  • Malicious users specifically target an
    organization (ex-employees, disgruntled
    customers, etc.)
  • Internal Attacks
  • Employees attempt to get access to information or
    resources they should not have access to.
  • Distributed Network Attacks
  • Exploits that spread from one infected computer
    to another.

23
Business Risks
  • Insecure systems and networks can cause:
  • System downtime (loss of productivity and/or
    direct loss of revenue).
  • Loss of critical business information due to lost
    or damaged systems.
  • Distribution of trade secrets and customer data.

24
Types of Network Attacks
  • There are a number of different types of attacks
    that we see on computer networks today. Some of
    those include:
  • Denial of Service Attacks
  • Viral Attacks
  • Distributed Network Attacks
  • Data Sniffing

25
Denial of Service Attacks
  • Denial of Service (DoS) attacks are network
    attacks targeted at network hosts, including
    servers, routers and switches.
  • Typically targeted at networks attached to the
    Internet.
  • The goal is to cripple a device or network so
    that external users no longer have access to your
    network resources.
  • Without hacking password files or stealing
    sensitive data, a denial-of-service hacker simply
    fires up a program that will generate enough
    traffic to your site that it denies service to
    the site's legitimate users.

26
Popular DoS Attacks
  • TCP SYN Floods - A client computer initiates a
    large number of TCP/IP connections to a host, but
    purposely does not implement the TCP protocol
    correctly. The client sends a SYN packet to
    initiate the connection, but never responds to
    the server's SYN-ACK response. This fills up
    buffers (memory segments) on the server and stops
    it from being able to accept additional
    connections.
  • Broadcast Storms - A large number of packets are
    rapidly sent to all computers on a network,
    flooding the network with a large amount of
    traffic.
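A defender-side example added here (not part of the original slides): the half-open connections a SYN flood leaves behind sit in the SYN_RECV state, so counting them per remote address from a netstat-style snapshot is one way to notice the attack before the server's buffers fill. The snapshot lines, addresses and thresholds are constructed; the assumed field layout is the six-column form (proto, recv-q, send-q, local address, remote address, state).

```python
from collections import Counter

# Constructed netstat-style snapshot (not real output): one legitimate client in
# ESTABLISHED, one remote address holding four half-open connections, one holding one.
SAMPLE_CONNECTIONS = """\
tcp 0 0 192.0.2.80:80 198.51.100.7:40112 ESTABLISHED
tcp 0 0 192.0.2.80:80 203.0.113.5:1025 SYN_RECV
tcp 0 0 192.0.2.80:80 203.0.113.5:1026 SYN_RECV
tcp 0 0 192.0.2.80:80 203.0.113.5:1027 SYN_RECV
tcp 0 0 192.0.2.80:80 203.0.113.5:1028 SYN_RECV
tcp 0 0 192.0.2.80:80 203.0.113.9:2001 SYN_RECV
tcp 0 0 192.0.2.80:80 198.51.100.8:51000 ESTABLISHED
tcp 0 0 192.0.2.80:22 198.51.100.9:52000 TIME_WAIT
"""

def half_open_by_source(snapshot: str) -> Counter:
    """Count connections stuck in SYN_RECV (SYN received, handshake never
    completed) per remote IP address."""
    counts = Counter()
    for line in snapshot.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "SYN_RECV":
            continue
        remote_ip = fields[4].rsplit(":", 1)[0]   # strip the remote port
        counts[remote_ip] += 1
    return counts

def syn_flood_suspects(snapshot: str, per_source_threshold: int = 3,
                       total_threshold: int = 100) -> dict:
    """Flag remote addresses holding many half-open connections, and note when the
    overall half-open count is high enough to suggest a flood spread over many
    sources (few connections each, so no single address trips the threshold)."""
    counts = half_open_by_source(snapshot)
    total = sum(counts.values())
    return {
        "suspects": sorted(ip for ip, n in counts.items() if n >= per_source_threshold),
        "total_half_open": total,
        "backlog_pressure": total >= total_threshold,
    }

if __name__ == "__main__":
    print(syn_flood_suspects(SAMPLE_CONNECTIONS))
```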

27
Popular DoS Attacks (cont)
  • PING Floods - A Ping Flood consists of sending a
    continuous series of ICMP Echo Request (Ping)
    packets to a target host on the network, which
    responds with ICMP Echo Replies. The continuing
    combination of requests and replies can slow the
    network and cause legitimate traffic to continue
    at a significantly reduced speed or, in extreme
    cases, to disconnect.

28
Viral Attacks
  • Computer virus files are attached to an email or
    an Internet download.
  • Virus files typically do one or several of the
    following:
  • Damage the host system.
  • Open security holes or back doors into the
    system.
  • Propagate to other systems.

29
Distributed Network Attacks
  • The newest form of network attacks. Sometimes
    referred to as worms.
  • An attacker takes advantage of a security exploit
    on a particular operating system running network
    software (such as a web server) and infects that
    system.
  • The infected system then scans the Internet and
    infects other servers with the same security
    exploit.
  • The exploit can grow exponentially, infecting
    many systems in a short period of time.

30
Data Sniffing
  • Hackers or employees set up network sniffer
    software that captures all packets moving across
    a network.
  • The attacker can then decode the packets and gain
    full access to usernames and passwords, email
    messages, instant messenger sessions, etc.
  • Often used to sniff usernames and passwords to
    gain access to unauthorized resources.

31
Preventive Measures
  • Preventing network attacks requires a combination
    of approaches, which typically include:
  • Hardware solutions: using firewalls and switches.
  • Software solutions: using Intrusion Detection
    Systems and keeping operating system and firmware
    patches up to date.
  • Good practices.

32
Firewalls
  • A firewall is a piece of hardware or software
    that examines network packets and makes a
    determination as to whether a packet should be
    passed through the firewall onto the destination
    network or denied.
  • Firewall rules typically examine:
  • Source IP addresses
  • Destination IP addresses
  • Destination TCP port number
  • Example firewall rules:
  • Deny all unsolicited inbound traffic
  • Allow all traffic from our branch office IP
    address block 128.5.5.0/255.255.255.0
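A small first-match packet filter, added as an example and not any product's code, that encodes the slide's two example rules (allow everything from the branch-office block 128.5.5.0/255.255.255.0, deny all other unsolicited inbound traffic) plus one hypothetical rule admitting port 80 to a web server at the constructed address 192.0.2.80. Rules match on exactly the three fields the slide lists: source IP, destination IP and destination TCP port.

```python
import ipaddress

# Constructed rule set (not a vendor syntax): evaluated top to bottom, first match
# wins, and a packet matching no rule is denied. The final catch-all "deny" is the
# slide's "deny all unsolicited inbound traffic".
RULES = [
    {"action": "allow", "src": "128.5.5.0/255.255.255.0", "dst": "any", "dport": "any"},
    {"action": "allow", "src": "any", "dst": "192.0.2.80/32", "dport": 80},  # hypothetical web server
    {"action": "deny",  "src": "any", "dst": "any", "dport": "any"},
]

def _net(spec: str):
    """'any' matches everything; otherwise a network in CIDR or dotted-netmask form."""
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)

def _matches(rule: dict, src: str, dst: str, dport: int) -> bool:
    src_net, dst_net = _net(rule["src"]), _net(rule["dst"])
    if src_net is not None and ipaddress.ip_address(src) not in src_net:
        return False
    if dst_net is not None and ipaddress.ip_address(dst) not in dst_net:
        return False
    return rule["dport"] == "any" or rule["dport"] == dport

def filter_packet(src: str, dst: str, dport: int, rules=RULES) -> str:
    """Return 'allow' or 'deny' for an inbound packet described by its
    source IP, destination IP and destination TCP port."""
    for rule in rules:
        if _matches(rule, src, dst, dport):
            return rule["action"]
    return "deny"   # default deny: nothing matched

if __name__ == "__main__":
    # Branch office reaching an internal host on SSH, and an outsider reaching the web server.
    print(filter_packet("128.5.5.77", "192.0.2.5", 22))
    print(filter_packet("203.0.113.9", "192.0.2.80", 80))
    print(filter_packet("203.0.113.9", "192.0.2.5", 22))
```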

33
Firewalls (cont)
  • Many routers have firewall capabilities built in,
    so traffic can be filtered at the router level.
  • Other firewalls can be placed behind a router,
    filtering traffic before it gets to the general
    network.
  • Firewall software can be loaded on a PC to do
    filtering between the router and network.
  • Firewall appliances can be purchased and do
    filtering between the router and network.

34
Some Popular Firewall Solutions
  • Cisco PIX Firewall (appliance)
  • Checkpoint Firewall (available as software for
    Windows NT/2000 and Solaris or as an appliance).
  • Raptor Firewall (software)
  • Access lists and packet filtering on Cisco
    Routers
  • Personal Firewall Software that can run on
    individual PCs for home use, such as Norton
    Internet Security.

35
Using Switches as Security Devices
  • Using switches over hubs in a network environment
    greatly increases overall network security.
  • Switch technologies do not share packets with all
    computers on a network like hubs do.
  • Greatly reduces packet sniffing capabilities
  • Greatly reduces the effect of flood attacks
  • Switches have the ability to recognize and stop
    attacks like broadcast storms.

36
Intrusion Detection Systems (IDS)
  • An IDS is a hardware or software device that
    interacts with other network infrastructure
    devices (typically routers and firewalls) to
    analyze network traffic patterns with the goal of
    recognizing and thwarting attacks.
  • IDSs are typically expensive, but provide a
    constant, intelligent eye on network traffic.
  • They are starting to become standard for
    organizations that require the highest level of
    security, such as financial firms and government
    agencies.

37
Operating System and Firmware Patches
  • Security exploits are often discovered as flaws
    in Operating Systems (Windows, etc.) or the
    firmware that controls devices like firewalls and
    routers.
  • It is of paramount importance that network and
    system administrators keep up to date with the
    security patches that vendors publish on a
    regular basis.
  • Every major vendor maintains a website for
    security patches and known exploits.
  • Un-patched devices, servers and software
    contributed to the largest overall
    security-related loss in the IT industry last
    year ($100 billion in 2001).

38
Best Practices
  • Good technology can't always solve security
    problems. Some other major problems include:
  • Bad password practices (sharing passwords,
    writing down passwords, not changing passwords
    often enough).
  • Giving too many people access to system or
    network resources (give access on a need-to-know
    basis only!).
  • Poor auditing of network activity (not checking
    basic logs on systems and network devices).
  • Uneducated users.