Network Security
The practice of protecting computer networks from unauthorized access, use, disclosure, disruption, modification, or destruction.
Confidentiality
The security property that ensures information is kept private and inaccessible to unauthorized users.
Integrity
The security property that ensures information is not modified or tampered with by unauthorized users.
Availability
The security property that ensures systems and services are accessible and usable, without being disrupted or rendered unavailable.
Authentication
The process of verifying the identity of a user or system before granting access to sensitive information or resources.
Nonrepudiation
The security property that ensures the integrity and authenticity of messages, preventing the sender from denying their involvement.
Adversary
A person or entity with malicious intent, seeking to exploit vulnerabilities in a network for personal gain, attention, or harm.
Principle of economy of mechanism
The principle that advocates for simplicity in system design to minimize bugs and user errors, reducing the attack surface.
Principle of fail-safe defaults
The principle that recommends setting default permissions to deny access, requiring explicit rules for granting access to resources.
Principle of complete mediation
The principle that states every access to a resource should be checked for authorization, requiring identification of the requester.
Principle of least authority
The principle that suggests granting the minimum necessary privileges to perform a task, limiting the impact of a compromised system.
Principle of privilege separation
The principle that advises splitting a system into multiple components with limited privileges, reducing the potential damage of a compromise.
Principle of least common mechanism
The principle that advocates for minimizing shared mechanisms between users to prevent information leakage or unauthorized access.
Principle of open design
The principle that promotes transparency in system design, assuming that the adversary has knowledge of the system's algorithms and focusing on the security of the key.
Principle of psychological acceptability
The principle that emphasizes the importance of user-friendly security mechanisms and clear explanations of the necessity of security rules.
Isolation
The concept of separating components or systems that belong to different security domains or have different privileges to ensure security.
Privilege checks
The process of verifying and granting appropriate privileges for interactions between different components in order to maintain isolation and security.
Ping of death
A classic network attack where attackers crash hosts by sending ICMP echo request packets larger than the maximum allowed IP packet size, causing buffer overflow.
Buffer overflow
A bug that occurs when a program or system reserves insufficient buffer memory for data, allowing excess bytes to overwrite other data in memory.
40-bit key
The encryption key used in the original WEP encryption for WiFi networks, which was easily brute-forced by attackers with sufficient computational power.
Fundamental Attack Principles
The fundamental principles that guide attackers in their attempts to violate the security properties of a system, such as confidentiality, integrity, and availability.
Reconnaissance
The initial phase of an attack where the attacker gathers information about the target, such as the network topology, machines, protocols, and services.
Sniffing and Snooping
The interception of network packets, including both clear and encrypted traffic, to gather information about the communicating parties and potentially break encryption.
Spoofing
The act of masquerading as someone else or sending network traffic with a different source address to bypass defenses or launch denial-of-service attacks.
Disruption
The component of an attack that aims to disrupt the availability of a system or network, often through denial-of-service attacks.
Secure authentication
The technique used to verify the identity of a communication partner and prevent spoofing, typically based on cryptographic protocols.
Cryptography
The field of study and practice that involves secure communication and data protection through the use of mathematical algorithms and protocols.
Port scanning
The process of probing a machine to identify which ports are active and what services are running, often used in reconnaissance to gather information about a target.
Connect scan
A type of port scanning where the attacker sets up a full TCP connection to each port of interest to determine if a service is listening.
Half-open scan
A type of port scanning where the attacker sends TCP packets with the SYN flag set to all port numbers of interest and waits for the corresponding SYN/ACKs, without completing the three-way handshake.
SYN segment
A TCP segment used for establishing a connection.
FIN scan
A scanning technique that sends a TCP FIN segment to determine if a port is open or closed.
RST packet
A TCP packet sent in response to a FIN packet, indicating that a port is closed.
Xmas scan
A scanning technique that sets multiple flags (FIN, PSH, URG) in a TCP packet to probe for open ports.
Connect scan
A scanning technique that establishes a connection to determine if a port is open.
Half-open scan
A scanning technique that receives a SYN/ACK reply to determine if a port is open.
Fingerprinting
The process of determining the specific server, software, version, and operating system running on a port.
Traceroute
A technique that sends UDP packets with increasing time-to-live (TTL) values to determine the path to a target IP address.
Sniffing
Intercepting network traffic to capture and analyze data packets.
Promiscuous mode
A network interface mode that accepts all packets on a channel, even those not destined for the host.
Spoofing
Sending network traffic with a falsified source address.
MAC cloning
Duplicating the MAC address of a target host to intercept its traffic.
MAC flooding
Flooding a switch with Ethernet frames carrying fake source addresses so that its address table overflows and it falls back to broadcasting all traffic.
ARP spoofing
Sending ARP replies to intercept traffic between communicating parties.
MITM (Man-in-the-Middle) gateway
A gateway that intercepts and forwards traffic between two hosts.
SMTP spoofing
Falsifying the source address in SMTP email headers to send emails from seemingly trusted sources.
DNS spoofing
Providing false DNS replies to redirect clients to a different IP address.
DNS Spoofing
The act of falsifying DNS mappings in order to redirect traffic to a malicious website.
Birthday Attack
A type of attack that takes advantage of the probability of two inputs producing the same output in a mapping function.
Kaminsky Attack
A DNS attack that involves poisoning the mapping for an entire zone, allowing attackers to act as a man-in-the-middle for any site in that zone.
DNSSEC
A collection of extensions to DNS that provide integrity and origin authentication of DNS data to clients.
TCP Connection Spoofing
The act of setting up a new TCP connection, pretending to be someone at a different computer.
TCP Connection Hijacking
The act of injecting data into an existing TCP connection, pretending to be either of the two parties involved.
SYN/ACK
The reply sent by the X-terminal to the server in response to a spoofed TCP connection setup request.
RST
A segment sent by the server to terminate the connection setup after receiving the SYN/ACK from the X-terminal.
ISN
Initial Sequence Number, a random number needed for the third phase of the TCP handshake.
Spoofed SYN
A spoofed TCP connection setup request sent by Mitnick to the X-terminal.
KILL!
A command used by Mitnick to terminate the connection attempts of the trusted server.
Third phase of TCP handshake
The phase of the TCP handshake where data can be sent.
TCP Connection Hijacking
An attack where the aim is to take over an existing connection by injecting data into the stream.
ACK storm
A phenomenon where a continuous exchange of ACKs occurs between the client and server, leading to a never-ending loop.
Off-Path TCP Exploits
Attacks that are performed when the attacker is not on the same network segment as the communicating parties.
RFC 5961
A TCP extension that changed how TCP handles the reception of SYN segments, RST segments, and regular data segments.
ACK throttling
A mitigation for the potential flood of challenge ACKs introduced by the protocol extension. It limits the number of challenge ACKs sent per second to 100 across all connections.
Global variable
A shared variable used in the Linux implementation to keep track of the number of challenge ACKs sent. If the counter reaches 100, no more challenge ACKs are sent for the rest of that one-second interval.
Side channel attack
An attack that exploits shared state or resources to gain information indirectly. In this case, counting the number of challenge ACKs allows attackers to determine if two hosts are communicating and even the source port number of the client.
Data injection
A technique used in attacks to reset connections or inject data. Attackers can guess sequence and acknowledgement numbers by counting challenge ACKs received.
Denial-of-service (DoS) attacks
Attacks that aim to disrupt the availability of a victim by overwhelming it with data it cannot handle. Crashes, algorithmic complexity, and flooding are common causes of unresponsiveness.
SYN flooding
A type of DoS attack where the attacker sends a large number of TCP SYN segments to a server, leaving it unable to accept new connections once its limit is reached.
SYN cookies
A defense mechanism against SYN flooding attacks. The server uses a special algorithm to determine the initial sequence number, allowing it to establish connections without remembering anything until the third packet of the handshake.
Reflection attack
A DDoS attack where the attacker sends requests with spoofed source addresses to legitimate servers, causing them to reply to the spoofed address and overwhelm the victim with a deluge of UDP reply packets.
Amplification-based DDoS attacks
DDoS attacks that exploit services with a large amplification factor, where small request packets result in large reply packets. DNS and misconfigured memcached servers are examples of services with high amplification factors.
Egress filtering
A technique used to block outgoing packets with source IP addresses that do not correspond to those inside a network, helping to prevent DDoS attacks close to the source.
Ingress filtering
A technique used to filter incoming traffic with internal IP addresses, providing additional protection against DDoS attacks.
Cloud-based DDoS protection
A defense mechanism that utilizes the strength and scalability of the cloud to absorb and mitigate DDoS attacks. Proxies in the cloud filter and shield the IP address of the real server.
Malicious traffic
Traffic that is intended to harm or disrupt a network or server.
Cloud-based proxies
Proxies that are hosted in the cloud and used to forward traffic to a real server, while filtering out malicious traffic.
BGP blackholing
A method where the owner of a website withdraws BGP announcements for a block of IP addresses, and the cloud-based security provider announces these IP addresses from its network, directing all traffic to the cloud first.
DNS rerouting
A method where the DNS mappings for a website are changed to point to servers in the cloud instead of the real server, redirecting traffic to the cloud-based security provider.
IP address leakage
When the IP address of a server becomes known to attackers, allowing them to bypass the cloud-based security and directly attack the server.
Firewalls
Network devices that inspect incoming and outgoing packets based on predefined rules, allowing or blocking traffic based on these rules.
Packet filtering
The process of inspecting each packet and forwarding or dropping it based on predefined rules.
Stateful firewalls
Firewalls that map packets to connections and use TCP/IP header fields to keep track of connections, allowing for more sophisticated rules.
Application-level gateways
Firewalls that inspect packets beyond the TCP header to determine the application being used, allowing for more granular control over traffic.
Intrusion Detection Systems (IDS)
Systems that detect attacks by monitoring network traffic and generating warnings or alerts when suspicious activity is detected.
Host-based IDS (HIDS)
IDS that works on the end-point itself, scanning the behavior of software or network traffic on a specific machine.
Network IDS (NIDS)
IDS that checks network traffic for a set of machines on the network, protecting multiple machines and correlating events associated with different hosts.
IDS evasion techniques
Tricks used by attackers to bypass or evade detection by IDS, such as manipulating TTL values or overlapping byte ranges in IP fragments or TCP segments.
NIDS
Network Intrusion Detection System that detects malicious network traffic.
Encryption
Process of converting data into a form that is unreadable to unauthorized users.
IDS
Intrusion Detection System that monitors network traffic for suspicious activity.
Key management
Process of securely storing and distributing encryption keys.
Host-based IDS
Intrusion Detection System that runs on individual machines and monitors local network traffic.
Evasion problems
Challenges faced by IDS in detecting and preventing attacks that attempt to bypass detection.
Signature-based IDS
Intrusion Detection System that detects known attacks based on predefined patterns or signatures.
Anomaly-based IDS
Intrusion Detection System that detects abnormal behavior or deviations from normal network traffic.
IPS
Intrusion Prevention System that not only detects attacks but also takes action to stop them.
False positives
Alerts generated by IDS or IPS that incorrectly identify benign activity as malicious.
False negatives
Failures of IDS or IPS to detect actual attacks.
Precision
Metric that measures the proportion of justified alarms generated by IDS or IPS.