
Tcp/ip Security Attacks and Prevention


Published: Feb 12, 2019


Table of contents

  1. There Are Various Ways to Prevent SYN Floods
  2. Ping of Death Attack
  3. Ping Flood Attack

The TCP/IP protocol suite is vulnerable to a variety of attacks, ranging from password sniffing to denial of service. I am going to focus on two attacks: DoS (Denial of Service) and IP spoofing.


Denial of Service (DoS): Denial of Service means that an attacker (hacker) disables or corrupts a network so that its users cannot use it. Denial of Service attacks involve either crashing the system or slowing it down.

Distributed denial of service (DDoS) attacks are a subclass of denial of service (DoS) attacks. A DDoS attack involves multiple connected online devices, collectively known as a botnet, in which the hackers use fake identities.

SYN flooding: A TCP SYN flood is a type of Distributed Denial of Service (DDoS) attack that exploits part of the normal TCP three-way handshake to use up resources on the targeted server. The normal handshake works as follows:

  1. The user requests a connection by sending a SYN (synchronize) message to the server.
  2. The server acknowledges by sending a SYN-ACK (synchronize-acknowledge) message back to the client.
  3. The user responds with an ACK message, and the connection is established.

In a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted server, often using a fake IP address. The targeted server, unaware of the attack, receives multiple, apparently legitimate requests to establish communication. It responds to each attempt with a SYN-ACK packet from each open port.

The malicious user either does not send the expected ACK or, if the IP address is spoofed, never receives the SYN-ACK in the first place.

The server under attack will wait for acknowledgement of its SYN-ACK packet for some time. During this time, the server can’t close down the connection by sending an RST packet. Before the connection can time out, another SYN packet will arrive. This leaves an increasingly large number of connections half-open – and indeed SYN flood attacks are also referred to as “half-open” attacks. Eventually, as the server’s connection overflow tables fill, service to legitimate clients will be denied, and the server may even malfunction or crash.

There Are Various Ways to Prevent SYN Floods

  1. SYN cookies
  2. Increasing Backlog
  3. Reducing SYN-RECEIVED Timer
  4. Firewalls and Proxies
  5. TCP half-open
  6. SYN Cache
  7. Hybrid Approaches
  8. Filtering
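
SYN cookies, the first item in the list, let the server answer a SYN without storing a half-open entry: the connection details are encoded into the SYN-ACK's initial sequence number and checked when the final ACK comes back. The sketch below is an added example, not part of the original essay and not any operating system's implementation; the 5-bit time slot / 3-bit MSS index / 24-bit MAC layout, the key, the function names and the addresses are all constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"      # constructed; a real stack uses a random, rotated key
MSS_TABLE = (536, 1300, 1440, 1460)   # the cookie carries only an index into this table
SLOT_SECONDS = 64                     # length of one time slot


def _mac24(src, sport, dst, dport, client_isn, count, mss_idx):
    """24-bit keyed hash binding a cookie to the 4-tuple, client ISN and time slot."""
    msg = f"{src}|{sport}|{dst}|{dport}|{client_isn}|{count}|{mss_idx}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Return the server ISN for the SYN-ACK. No per-connection state is stored."""
    count = now // SLOT_SECONDS
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = int.from_bytes(_mac24(src, sport, dst, dport, client_isn, count, mss_idx), "big")
    return ((count & 0x1F) << 27) | (mss_idx << 24) | mac


def check_ack(src, sport, dst, dport, seq, ack, now):
    """Validate the final ACK. Return the negotiated MSS, or None to drop the segment."""
    cookie = (ack - 1) & 0xFFFFFFFF       # ACK number = server ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF   # sequence number = client ISN + 1
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None                       # index outside the table: not our cookie
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    for count in (now // SLOT_SECONDS, now // SLOT_SECONDS - 1):  # current or previous slot
        want = _mac24(src, sport, dst, dport, client_isn, count, mss_idx)
        if count & 0x1F == cookie >> 27 and hmac.compare_digest(want, got):
            return MSS_TABLE[mss_idx]     # only now would the server allocate state
    return None                           # stale, forged, or bound to another 4-tuple


def demo():
    """Constructed handshake using documentation addresses (RFC 5737)."""
    conn = ("192.0.2.10", 40000, "198.51.100.5", 443)
    client_isn, t0 = 1000, 1_700_000_000
    ack = (make_cookie(*conn, client_isn, 1460, t0) + 1) & 0xFFFFFFFF
    good = check_ack(*conn, client_isn + 1, ack, t0 + 3)
    spoofed = check_ack("203.0.113.9", *conn[1:], client_isn + 1, ack, t0 + 3)
    late = check_ack(*conn, client_isn + 1, ack, t0 + 600)
    return good, spoofed, late
```

Because the server keeps nothing until `check_ack` succeeds, SYNs that are never followed by an ACK consume no table space.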

Ping of Death Attack

Ping of Death is a type of Denial of Service (DoS) attack in which an attacker attempts to crash, destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command.

Ping of death attacks exploit legacy weaknesses which may have been patched in target systems. However, in unpatched systems, the attack is still relevant and dangerous.
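
The check a patched stack or filter applies to "oversized" packets can be shown in a few lines. This is an added example, not part of the original essay, and it goes beyond the text by assuming the IPv4 details involved: a datagram may not exceed 65,535 bytes, and a fragment's position is given by its 13-bit offset field in 8-byte units. The function names and the sample headers are constructed.

```python
import struct

MAX_DATAGRAM = 65535  # largest size the 16-bit IPv4 Total Length field can express


def reassembled_end(header: bytes) -> int:
    """Offset one past the last byte this fragment occupies in the reassembled datagram."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    offset = (flags_frag & 0x1FFF) * 8         # fragment offset is counted in 8-byte units
    return ihl + offset + (total_len - ihl)    # header + earlier data + this fragment's data


def is_oversized(header: bytes) -> bool:
    """True if accepting this fragment would grow the datagram past 65,535 bytes."""
    return reassembled_end(header) > MAX_DATAGRAM


def ipv4_header(total_len: int, frag_units: int, more: bool) -> bytes:
    """Build a constructed 20-byte ICMP/IPv4 header for testing (checksum left at 0)."""
    flags_frag = (0x2000 if more else 0) | frag_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag, 64, 1, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))


if __name__ == "__main__":
    for units in (185, 8000, 8189):            # constructed fragment offsets
        hdr = ipv4_header(1500, units, more=False)
        print(units, reassembled_end(hdr), "DROP" if is_oversized(hdr) else "ok")
```

A receiver that drops any fragment for which `is_oversized` is true never reassembles a datagram larger than its buffer.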

Ping Flood Attack

A ping flood, also known as an ICMP (Internet Control Message Protocol) flood, is a common Denial of Service (DoS) attack in which an attacker takes down a user's computer by overwhelming it with ICMP echo requests, also known as pings.

The attack involves flooding the user's network with request packets, knowing that the network will respond with an equal number of reply packets. Additional methods for bringing down a target with ICMP requests include the use of the attacker's own tools or code against the user's computer. This strains both the incoming and outgoing channels of the network, taking significant bandwidth and resulting in a denial of service.

An HTTP flood attack is a type of Distributed Denial of Service (DDoS) attack in which the attacker exploits seemingly legitimate HTTP GET or POST requests to attack a web server or application.

HTTP flood attacks are volumetric attacks, often using a botnet “zombie army”, that is, a group of Internet-connected computers, each of which has been maliciously taken over, usually with the assistance of malware like Trojan horses.

A sophisticated Layer 7 attack, HTTP floods do not use malformed packets, spoofing or reflection techniques, and require less bandwidth than other attacks to bring down the targeted site or server. Each attack must be specially crafted to be effective. This makes HTTP flood attacks significantly harder to detect and block.

In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of hiding the identity of the sender or impersonating another computing system. One technique which a sender may use to maintain anonymity is to use a proxy server.


When a user sends a packet to the server, the packet carries the IP address of the computer it is coming from. In an IP spoofing attack, the source address that identifies the sender of the packet is not the actual one, but a bogus IP address which is permitted to access the website. This makes the server handle the request packet as if it were coming from the permitted user. Thus the server grants access to the attacker, which can cause various security threats. This is how IP spoofing works.

This essay was reviewed by
Dr. Charlotte Jacobson

Cite this Essay

Tcp/ip Security Attacks and Prevention. (2019, February 11). GradesFixer. Retrieved April 25, 2024, from https://gradesfixer.com/free-essay-examples/tcp-ip-security-attacks-and-prevention/