Network Intrusion Detection - PowerPoint PPT Presentation

Slides: 14
Provided by: CISE6

Transcript and Presenter's Notes

1
Network Intrusion Detection
  • DoS (denial of service)

2
Echo-Chargen
  • UNIX Echo service at UDP port 7, echoing any
    received characters back to the sender
  • UNIX Chargen (character generator) service at UDP
    port 19, replying with a pseudo-random string of
    characters to any received characters
  • Echo-Chargen attack: the attacker sends a packet
    to A's UDP port 19 with B as the forged source
    address and UDP port 7 as the source port. A's
    chargen answers B's echo port, B echoes that answer
    back, and the two services keep exchanging packets
    until a host or the link between them is saturated.

3
One-Packet Kill
  • Exploit the software vulnerability or bugs by
    sending a single packet that causes a system to
    crash
  • For example, sending a packet to port 427 of a
    Windows 98 system running the Novell Intranet
    Client will cause the blue screen of death.

4
Land Attack
  • Exploit a flaw in some IP stack implementations
    by sending a forged packet whose source address
    is the same as its destination address, which
    causes the operating system to crash
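Both of the forged-packet patterns on slides 2 and 4 can be matched statelessly on a single packet, which is what a sensor would do. The following is an added example written for this transcript, not code from the slides or their author; the `Packet` record, the `classify`/`scan` functions and the sample addresses are all constructed for illustration.

```python
# Added example, not from the slides: a single-packet signature check for
# the two forged-packet patterns on slides 2 and 4, the Echo-Chargen loop
# (UDP port 7 <-> UDP port 19) and the Land attack (source address equal to
# destination address). Packet records are constructed, not real captures.
from dataclasses import dataclass
from typing import List, Optional, Tuple

UDP_ECHO = 7
UDP_CHARGEN = 19


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def classify(pkt: Packet) -> Optional[str]:
    """Return the matched signature name, or None if the packet matches nothing."""
    # Land: a packet claiming to come from the host it is addressed to.
    # Nothing legitimate arrives from the wire with that property.
    if pkt.src_ip == pkt.dst_ip:
        return "land"
    # Echo-Chargen: UDP between the two small services, in either direction.
    # Such a packet would make A's chargen and B's echo answer each other forever.
    if pkt.proto == "udp" and {pkt.src_port, pkt.dst_port} == {UDP_ECHO, UDP_CHARGEN}:
        return "echo-chargen"
    return None


def scan(packets: List[Packet]) -> List[Tuple[int, str]]:
    """Return (index, signature) for every packet in the list that matches a rule."""
    hits = []
    for i, pkt in enumerate(packets):
        sig = classify(pkt)
        if sig is not None:
            hits.append((i, sig))
    return hits


# Constructed sample traffic: a DNS query, the Echo-Chargen trigger from the
# slide (target A = 10.0.0.1, forged source B = 10.0.0.2), and a Land packet.
SAMPLE = [
    Packet("udp", "10.0.0.5", 53123, "10.0.0.53", 53),
    Packet("udp", "10.0.0.2", UDP_ECHO, "10.0.0.1", UDP_CHARGEN),
    Packet("tcp", "10.0.0.1", 139, "10.0.0.1", 139),
]

if __name__ == "__main__":
    for idx, sig in scan(SAMPLE):
        print(f"packet {idx}: {sig}")
```

Matching on the port pair also flags the replies that follow once the loop is running, so the rule keeps firing until the traffic stops. There is no legitimate reason for the echo and chargen services to talk to each other, so the usual mitigation is simply to disable both.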

5
Attack against Doom Server
  • Trick the Doom server into communicating with the
    Chargen service of an innocent host.

6
Address Spoofing and Ingress Filtering
  • Edge routers of stub networks are required to
    inspect outbound packets and discard those
    packets whose source addresses do not belong to
    the networks.
  • Spoofing is still possible but limited to the
    address space of the stub network where the
    attacker resides.
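The edge-router check the slide describes amounts to "forward an outbound packet only if its source address is one this stub network could originate". The following is an added example, not router configuration from the slides: the stub prefixes `STUB_PREFIXES` and the flows are constructed values, and `filter_outbound` is a hypothetical helper that applies the rule to (source, destination) pairs. The last sample flow illustrates the slide's second bullet: a source forged within the stub's own range passes the filter.

```python
# Added example, not from the slides: an ingress-filter check of the kind a
# stub network's edge router applies to outbound packets, run here over
# constructed (src, dst) records. The prefixes are made-up documentation
# ranges, not any real network.
import ipaddress
from typing import Iterable, List, Tuple

# Prefixes the stub network legitimately owns (constructed for this example).
STUB_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def source_is_local(src_ip: str, prefixes=STUB_PREFIXES) -> bool:
    """True if src_ip falls inside one of the stub network's own prefixes."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes)


def filter_outbound(flows: Iterable[Tuple[str, str]], prefixes=STUB_PREFIXES):
    """Split outbound (src, dst) flows into (forwarded, dropped) lists.

    A flow is dropped when its source address is not one the stub network
    could legitimately originate; that is exactly the spoofed traffic
    ingress filtering exists to stop.
    """
    forwarded: List[Tuple[str, str]] = []
    dropped: List[Tuple[str, str]] = []
    for src, dst in flows:
        (forwarded if source_is_local(src, prefixes) else dropped).append((src, dst))
    return forwarded, dropped


# Constructed outbound traffic as seen at the edge router.
SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.5"),    # legitimate host in the first prefix
    ("198.51.100.7", "203.0.113.5"),  # legitimate host in the second prefix
    ("203.0.113.9", "203.0.113.5"),   # spoofed: source belongs to another network
    ("192.0.2.77", "203.0.113.80"),   # forged *within* the stub range: still forwarded
]

if __name__ == "__main__":
    fwd, drp = filter_outbound(SAMPLE_FLOWS)
    print("forwarded:", fwd)
    print("dropped:  ", drp)
```

The filter limits what an attacker inside the stub can claim to be, but it cannot tell two hosts inside the same prefix apart; that is why the slide says spoofing remains possible within the stub's own address space.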

7
Reflection Attack
  • Make it harder to identify the attacker
  • Send attack traffic to the UDP Echo service of an
    innocent machine, which echoes the packets with
    its own address as the source.
  • Reflection via a router

8
Distributed DoS
  • Increase the resources available for offense
  • Make it harder to trace the attacker
  • A typical DDoS architecture:
  • The attacker operates from its console,
    communicating with a group of masters.
  • Each master controls a group of daemons, which
    actually launch the attacks.
  • Masters and daemons are compromised machines, on
    which the attack software is installed.

9
Trinoo
  • Communication means: TCP and UDP
  • Attacks: UDP floods to random ports of the victim
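The attack pattern attributed to Trinoo above, UDP floods to random ports of the victim, has a distinctive shape on the wire: a burst of packets to one destination spread across many destination ports. The following detector is an added example written for this transcript, not Trinoo code or anything from the slides; the record layout, thresholds and the traffic produced by `make_samples` are all constructed for illustration.

```python
# Added example, not from the slides: a sliding-window detector for a UDP
# flood to random ports, the Trinoo attack pattern named on slide 9. Input
# records are constructed (time, src, dst, dst_port) tuples, not real
# traffic, and the thresholds are illustrative defaults.
import random
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Record = Tuple[float, str, str, int]  # (time_s, src_ip, dst_ip, dst_port) of one UDP packet


def detect_udp_port_floods(records: List[Record], window_s: float = 1.0,
                           min_packets: int = 50, min_ports: int = 20) -> Dict[str, float]:
    """Return {victim_ip: time_of_first_alert}.

    A destination is flagged when, within any window_s-second window, it
    receives at least min_packets UDP packets spread over at least min_ports
    distinct destination ports. Requiring the port spread, not just volume,
    separates a random-port flood from a legitimately busy single service.
    """
    per_victim: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
    alerts: Dict[str, float] = {}
    for ts, _src, dst, port in sorted(records):
        if dst in alerts:            # already reported this victim
            continue
        q = per_victim[dst]
        q.append((ts, port))
        while q and ts - q[0][0] > window_s:   # expire packets outside the window
            q.popleft()
        if len(q) >= min_packets and len({p for _, p in q}) >= min_ports:
            alerts[dst] = ts
    return alerts


def make_samples() -> List[Record]:
    """Constructed traffic: a normal DNS client plus a random-port flood."""
    rng = random.Random(7)
    recs: List[Record] = []
    # 30 DNS queries over about 10 s, all to port 53: busy, but one service.
    recs += [(i * 0.33, "10.0.0.5", "10.0.0.53", 53) for i in range(30)]
    # 200 packets in 0.5 s to random high ports on the victim.
    recs += [(5.0 + i * 0.0025, "10.0.0.9", "10.0.0.1", rng.randint(1024, 65535))
             for i in range(200)]
    return recs


if __name__ == "__main__":
    for victim, when in detect_udp_port_floods(make_samples()).items():
        print(f"UDP random-port flood against {victim} detected at t={when:.4f}s")
```

Because the flood's source addresses are often forged, the detector keys on the destination rather than the source; a distributed version of the same flood (many daemons, one victim) is caught by the same rule.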

10
Why not TCP Flooding?
  • UDP does not have flow control. The attacker can
    send at the highest rate that its network
    connection allows.
  • If the attacker has a faster Internet link than
    the victim, the attacker can congest the victim's
    Internet connection.

11
TFN
  • Communication means: ICMP echo reply
  • Attacks: UDP flood, TCP SYN flood, ICMP echo flood

12
TFN2k
  • First DDoS program on Windows
  • Communication means: encryption over TCP, UDP, or
    ICMP with no identifying ports
  • Attacks: UDP flood, TCP SYN flood, ICMP echo flood

13
Stacheldraht
  • Combination of Trinoo and TFN
  • Communication means: encryption over TCP or ICMP
    echo reply
  • Attacks: UDP flood, TCP SYN flood, ICMP echo flood
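TFN (slide 11) and Stacheldraht (slide 13) are both described as carrying their control traffic in ICMP echo replies. An echo reply is only expected in answer to an echo request the host itself sent, so a stateful sensor can flag replies that match no outstanding request. The following is an added example written for this transcript, not code from the slides or from either tool; the event format and the sample events are constructed.

```python
# Added example, not from the slides: a stateful check for the ICMP echo
# reply control channel attributed to TFN and Stacheldraht. Replies that
# match no outstanding echo request from the monitored host are flagged.
# Events are constructed tuples, not captured ICMP.
from typing import Dict, List, Tuple

# (time_s, kind, local_ip, remote_ip, icmp_id, icmp_seq)
# kind is "request" (sent by local_ip) or "reply" (received by local_ip)
IcmpEvent = Tuple[float, str, str, str, int, int]


def unsolicited_echo_replies(events: List[IcmpEvent],
                             timeout_s: float = 5.0) -> List[IcmpEvent]:
    """Return the echo replies with no matching outstanding request.

    A reply matches a request when local/remote addresses, ICMP identifier
    and sequence number all agree and the request is newer than timeout_s.
    Each request satisfies at most one reply.
    """
    outstanding: Dict[Tuple[str, str, int, int], float] = {}
    flagged: List[IcmpEvent] = []
    for ev in sorted(events):                # process in time order
        ts, kind, local, remote, icmp_id, seq = ev
        key = (local, remote, icmp_id, seq)
        if kind == "request":
            outstanding[key] = ts
        elif kind == "reply":
            sent = outstanding.pop(key, None)
            if sent is None or ts - sent > timeout_s:
                flagged.append(ev)
    return flagged


# Constructed events on monitored host 10.0.0.8.
SAMPLE_EVENTS: List[IcmpEvent] = [
    (1.0, "request", "10.0.0.8", "10.0.0.1", 4242, 1),
    (1.1, "reply",   "10.0.0.8", "10.0.0.1", 4242, 1),      # normal ping exchange
    (2.0, "reply",   "10.0.0.8", "10.0.0.1", 4242, 2),      # sequence never requested
    (3.0, "reply",   "10.0.0.8", "203.0.113.7", 1, 0),      # host that was never pinged
]

if __name__ == "__main__":
    for ev in unsolicited_echo_replies(SAMPLE_EVENTS):
        print("unsolicited echo reply:", ev)
```

This check needs no knowledge of the payload, which matters for the encrypted channels listed for TFN2k and Stacheldraht. Its blind spot is the opposite direction: a compromised host acting as master or daemon can also send echo replies, so the same rule is worth applying to outbound replies that answer no inbound request.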