ISS539 Midterm

Virus vs. Worm (self-spreading)

    Worm history

  • Morris worm
    • Infected 6000 computers; 90% of them were not connected to the Internet
  • Code Red worm
    • Attacked web servers (buffer overflow)

    Epidemic Model

  • Basic model
    • Susceptible → Removed
  • Kermack-McKendrick model
    • Susceptible → Infectious → Removed
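As an added example (not from the original notes), the Kermack-McKendrick model above integrated numerically with a forward Euler step; the population size, β (infection rate) and γ (removal rate) are constructed parameters chosen to mimic a fast-spreading worm:

```python
# Kermack-McKendrick SIR model, integrated with a forward Euler step.
# All parameters are constructed for illustration (not from the notes):
#   n = hosts, i0 = initially infected, beta = infection rate, gamma = removal rate.
def simulate_sir(n=10000, i0=10, beta=0.5, gamma=0.1, dt=0.1, t_max=200.0):
    """Return (peak_infectious, final_removed, history); history holds (t, S, I, R)."""
    s, i, r = float(n - i0), float(i0), 0.0
    t, peak = 0.0, i
    history = [(t, s, i, r)]
    while t < t_max:
        new_inf = beta * s * i / n * dt   # S -> I: scanning infectious hosts hit susceptible ones
        new_rem = gamma * i * dt          # I -> R: hosts patched, cleaned or taken offline
        s -= new_inf
        i += new_inf - new_rem
        r += new_rem
        t += dt
        peak = max(peak, i)
        history.append((t, s, i, r))
    return peak, r, history


def basic_reproduction_number(beta, gamma):
    """R0 = beta / gamma: the worm spreads if R0 > 1 and dies out if R0 < 1."""
    return beta / gamma


if __name__ == "__main__":
    peak, final_removed, hist = simulate_sir()
    print(f"R0 = {basic_reproduction_number(0.5, 0.1):.1f}")
    print(f"peak infectious hosts: {peak:.0f}, eventually removed: {final_removed:.0f}")
```

With R0 = 5 almost the whole population ends up in the Removed state; with γ > β the outbreak never grows beyond the initial infections.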

Network Intrusion

    Delivering malicious payload

  • Buffer overflow
  • Heap spray

Drive-by Download

    Bot: a software application that runs automated tasks over the Internet.

  • Web crawler
  • Botnet


  • SYN flooding
  • UDP flooding
  • HTTP flooding


Port Scan

Name                  | Port open                                          | Port closed                   | Description
----------------------|----------------------------------------------------|-------------------------------|------------
SYN scan              | SA packet                                          | RA packet                     |
UDP scan              | No response                                        | ICMP port unreachable message |
Inverse TCP flag scan | No response                                        | RA packet                     | Uses an F packet, a FUP packet, or a packet without any flags instead of a SYN packet, to avoid the IDS or firewall (see RFC 793)
FTP bounce scan       | 150 (Opening connection), 226 (Transfer complete)  | 425 (Connection refused)      | Hides the attacker

Defending against scan

  • Slowing down the scan by rate limiting
    • Delay SYNs from unfamiliar hosts. (Unfamiliar: the IP address has not been seen recently.)
  • Detecting the scan
    • Sophos port scan detector
      • Gives a score to suspicious behavior and alerts if it exceeds a threshold
      • The product used to be simple
    • Network Telescope project
      • Monitors a large range of unused IP addresses
      • The scanner does not know whether an IP address is actually in use or not

Resolving source of scan

Proxy responder

  • Stateless
  • Stateful
    • Honeypot / Honeyfarm
      • Scalability
      • Liability (legal issue)
      • Isolation (the honeypot system should not be broken by the malware)
      • Detection
  • Statistical
    • TRW (Threshold Random Walk)
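As an added example (not from the notes or from any of the products named above), the statistical approach from the "Detecting the scan" and "TRW" items: a Threshold Random Walk detector that keeps a per-source score from first-contact connection outcomes and alerts once it crosses a threshold. The probabilities and thresholds are the ones commonly cited for TRW (θ0 = 0.8, θ1 = 0.2, α = 0.01, β = 0.99) and the connection log is constructed:

```python
import math


class TRWDetector:
    """Threshold Random Walk: a sequential hypothesis test on first-contact connections."""

    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
        self.theta0, self.theta1 = theta0, theta1    # P(success | benign), P(success | scanner)
        self.eta1 = math.log(beta / alpha)            # upper log-threshold -> "scanner"
        self.eta0 = math.log((1 - beta) / (1 - alpha))  # lower log-threshold -> "benign"
        self.llr = {}      # source -> running log-likelihood ratio (the "score")
        self.seen = {}     # source -> destinations already contacted
        self.verdict = {}  # source -> final decision, once reached

    def observe(self, src, dst, success):
        """Feed one connection attempt; return the verdict for src, or None if undecided."""
        if src in self.verdict:
            return self.verdict[src]
        contacted = self.seen.setdefault(src, set())
        if dst in contacted:          # only the first contact with each dst is evidence
            return None
        contacted.add(dst)
        if success:                   # successes push the walk down (toward benign)
            step = math.log(self.theta1 / self.theta0)
        else:                         # failures push it up (toward scanner)
            step = math.log((1 - self.theta1) / (1 - self.theta0))
        self.llr[src] = self.llr.get(src, 0.0) + step
        if self.llr[src] >= self.eta1:
            self.verdict[src] = "scanner"
        elif self.llr[src] <= self.eta0:
            self.verdict[src] = "benign"
        return self.verdict.get(src)


# Constructed connection log: (source, destination, did the connection succeed?)
SAMPLE_LOG = [
    ("10.0.0.5", "192.168.1.10", True),
    ("10.0.0.5", "192.168.1.11", True),
    ("203.0.113.7", "192.168.1.1", False),
    ("203.0.113.7", "192.168.1.2", False),
    ("10.0.0.5", "192.168.1.12", True),
    ("203.0.113.7", "192.168.1.3", False),
    ("203.0.113.7", "192.168.1.3", False),   # repeated destination: not counted again
    ("203.0.113.7", "192.168.1.4", False),
    ("10.0.0.5", "192.168.1.13", True),
]


def run(log):
    det = TRWDetector()
    for src, dst, ok in log:
        det.observe(src, dst, ok)
    return det.verdict
```

With these parameters four failed first contacts (or four successful ones) are enough to decide, which is why TRW flags a scanner after only a handful of probes.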

Vulnerability Scan

Test the target against a vulnerability database to find the following kinds of vulnerabilities.

  • Network vulnerabilities
  • Host-based (OS) vulnerabilities
    • Misconfigured file permissions
    • Open services
    • Missing patches
    • Commonly exploited applications


Intrusion Detection

Network intrusion: a set of actions aimed at compromising the security goals.

Criteria          | Option            | Details
------------------|-------------------|---------------------------------------------------------------------------
Analysis approach | Misuse detection  | Black-list approach; cannot detect unknown attacks
                  | Anomaly detection | White-list approach; high false-positive rate
Deployment        | Network-based     | Monitors network packets; monitors user activity by packet payload inspection
                  | Host-based        | Uses system call traces and shell command logs

Hiding from NIDS

  • Insertion attack: insert some bad packets that will be dropped by the end host (to confuse the NIDS).
  • Evasion attack: hide the payload of a packet by fragment overlap.

(Distributed) Denial of Service

Much more general meaning than my previous understanding

Name                     | Description
-------------------------|------------------------------------------------------------------------------------------------------------------------
Smurf attack             | Broadcasts an ICMP ping request with the source address of the target host; every host on the network sends a ping reply to the target.
DNS amplification attack | Requests a domain name with the source address of the target host; the DNS server sends the big response to the target.
SYN flooding             | Fills up the backlog queue on the server by sending SYN packets with random source IP addresses.

Backscatter effect: the server responds with SYN/ACKs to the random source IP addresses used by a SYN flooding attack.

SQL Slammer: buffer overflow in MSDE (Microsoft SQL Server Desktop Engine)

Distributed Reflector Denial of Service (DRDoS): like the Smurf attack or the DNS amplification attack, it uses uncompromised machines as reflectors.

HTTP HEAD attack

Attack                   | Defense                     | Description
-------------------------|-----------------------------|------------------------------------------------------------------------------------------------------------------------------------
SYN flooding             | SYN cookie                  | seq of SYNACK = hash(saddr, daddr, sport, dport, seq)
                         | Prolexic proxy              | Let a proxy do the connection establishment for the backend
                         | Ingress/Egress filtering    | Filter invalid source IP addresses. Trust issue on the ISP (ingress); high burden for routers in the middle (egress)
                         | dFence                      | A middlebox does the 3-way handshake (using SYN cookies) for the servers; the middlebox has to translate seq/ack for the rest of the packets in the flow
                         | Capability-based mitigation | ???
                         | Sinkhole router             | The victim's SYNACKs are scattered to random destinations; a sinkhole router placed by the ISP can detect the backscatter effect
                         | Anomaly detection           |
Application-level attack | CAPTCHAs                    | Differentiate humans from bots
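As an added example (not from the notes, and a simplified layout rather than the exact scheme any operating system uses), the SYN cookie row above in code: the server's SYN/ACK sequence number is a keyed hash over (saddr, daddr, sport, dport, client seq) plus a coarse time counter and an MSS index, so no backlog entry is needed until a valid ACK arrives. The secret, the MSS table and all addresses/ports are constructed:

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"      # per-server secret; rotated in practice
MSS_TABLE = [536, 1024, 1440, 1460]      # MSS values the 3-bit field can encode


def _mac24(saddr, daddr, sport, dport, client_isn, t):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time counter."""
    msg = struct.pack("!4s4sHHII", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, client_isn, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN/ACK: 5 bits time | 3 bits MSS index | 24 bits MAC.
    Nothing is stored server-side, so a flood of SYNs consumes no backlog entries."""
    t = (now // 64) & 0x1F                           # 64-second counter, modulo 32
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (t << 27) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport, client_isn, t)


def check_syn_cookie(saddr, daddr, sport, dport, seq, ack, now, max_age=2):
    """Validate the final ACK of the handshake. Returns the negotiated MSS, or None
    if the cookie is stale, malformed or not ours (the ACK is then simply dropped)."""
    cookie = (ack - 1) & 0xFFFFFFFF             # the client acks our ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF         # the client's seq in the ACK is its ISN + 1
    t, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    age = (((now // 64) & 0x1F) - t) & 0x1F     # counter difference, modulo 32
    if age > max_age or mss_idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _mac24(saddr, daddr, sport, dport, client_isn, t):
        return None
    return MSS_TABLE[mss_idx]
```

Because only the MSS survives in the cookie, other SYN options (window scaling, SACK) are lost, which is the usual price of enabling SYN cookies under attack.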


IPsec

Source verification to prevent source spoofing, replay of old packets, and packet manipulation.

Two modes: transport mode and tunnel mode

Two types of headers: Authentication Header (AH) and Encapsulating Security Payload (ESP)

  • AH
    • Source authentication
    • Data integrity
    • Has a sequence number
  • ESP
    • AH + data encryption (using a symmetric key)

IKE: ???



SSL/TLS

  • Handshake protocol
  • Record protocol


DNS

  • TLD server: top-level domain server (com, org, net, edu, …)
  • Authoritative DNS server: provides authoritative hostname-to-IP mappings. (One for each zone, e.g.
  • Local name server: KAIST DNS server, Google DNS server, …

DNS records: name, value, type, ttl, …

Cybersquatting: "holdout" registration (registering a name in 2013 and selling it later for a big profit)


The OS DNS cache reveals a user's browsing history

DNS vulnerability

  • Plaintext
  • No authentication
  • Relying on UDP

DNS cache poisoning

Give DNS servers false records and get them cached.


    Defense against cache poisoning

  • Use random identifiers that are hard to guess.
  • Port randomization for DNS requests
  • Configure the LDNS server to only accept requests from internal networks

Random identifiers are not enough

  • The attacker generates a flux of DNS requests and sends the corresponding flux of forged DNS responses back
  • Birthday paradox: the probability that two people of the same age share a birthday is more than 50%
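As an added example (not from the notes), the argument of the last two sections worked through numerically: the chance that a flux of forged responses matches one of a flux of outstanding queries, with a 16-bit transaction ID alone versus with the port randomization defense listed above. The model assumes distinct random IDs on the outstanding queries and uniformly random IDs on the forged replies; the ephemeral port range is my assumption:

```python
import math

ID_SPACE = 1 << 16          # 16-bit DNS transaction ID
PORT_SPACE = 64512          # ephemeral source ports 1024..65535 (assumption)


def spoof_success_prob(n_outstanding, n_forged, id_space=ID_SPACE):
    """P(at least one forged reply matches an outstanding query).

    Each forged reply hits one of n_outstanding distinct IDs with probability
    n_outstanding / id_space; the replies are independent trials."""
    p_one = min(1.0, n_outstanding / id_space)
    return 1.0 - (1.0 - p_one) ** n_forged


def forged_replies_for(target_prob, n_outstanding, id_space=ID_SPACE):
    """How many forged replies reach target_prob for a given number of outstanding queries."""
    p_one = n_outstanding / id_space
    return math.ceil(math.log(1.0 - target_prob) / math.log(1.0 - p_one))


def compare(n=1000):
    """Side by side: single query, birthday flux, and birthday flux with port randomization."""
    return {
        "single query, n forged replies": spoof_success_prob(1, n),
        "n queries, n forged replies (birthday)": spoof_success_prob(n, n),
        "same, with port randomization": spoof_success_prob(n, n, ID_SPACE * PORT_SPACE),
    }


if __name__ == "__main__":
    for label, p in compare().items():
        print(f"{label}: {p:.6f}")
    print("forged replies for 50% against one query:", forged_replies_for(0.5, 1))
    print("forged replies for 50% against 1000 queries:", forged_replies_for(0.5, 1000))
```

A thousand forged replies against a single query succeed about 1.5% of the time, the same thousand against a thousand outstanding queries succeed almost surely, and adding a random source port pushes the birthday attack back down to a fraction of a percent.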


DNSSEC

  • Initially the DNS resolver has the TLDs' public keys
  • TLDs serve as certificate authorities
