How the arp cache poisoning attack work

Assignment Help Computer Networking
Reference no: EM131031968

Network Security Systems - TCP/IP Attack

Objective:

-Understand the vulnerabilities of TCP/IP protocols.
-Perform attacks on TCP/IP vulnerabilities.
-Study the countermeasures for the TCP/IP attacks.

Task 1: ARP cache poisoning:

The ARP cache is an important part of the ARP protocol. Once a mapping between a MAC address and an IP address is resolved as the result of executing the ARP protocol, the mapping will be cached. Therefore, there is no need to repeat the ARP protocol if the mapping is already in the cache. However, because the ARP protocol is stateless, the cache can be easily poisoned by maliciously crafted ARP messages. Such an attack is called the ARP cache poisoning attack.

In such an attack, attackers use spoofed ARP messages to trick the victim to accept an invalid MAC-to IP mapping, and store the mapping in its cache. There can be various types of consequences depending on the motives of the attackers. For example, attackers can launch a DoS attack against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway; attackers can also redirect the traffic to and from the victim to another machine, etc.

In this task, you need to demonstrate how the ARP cache poisoning attack work. Several commands can be useful in this task. In linux we can use command arp to check the current mapping between IP address and MAC.

Task 2: ICMP Redirect Attack:

The ICMP redirect message is used by routers to provide the up-to-date routing information to hosts, which initially have minimal routing information. When a host receives an ICMP redirect message, it will modify its routing table according to the message. Because of the lack of validation, if attackers want the victim to set its routing information in a particular way, they can send spoofed ICMP redirect messages to the victim, and trick the victim to modify its routing table.

In this task, you should demonstrate how the ICMP redirect attack works, and describe the observed consequence. To check the routing information in linux, you can use the command route.

Task 3: SYN Flooding Attack:

SYN flood is a form of DoS attack in which attackers send many SYN requests to a victim's TCP port, but the attackers have no intention to finish the 3-way handshake procedure. Attackers either use spoofed IP address or do not continue the procedure. Through this attack, attackers can flood the victim's queue that is used for half-opened connections, i.e. the connections that has finished SYN, SYN-ACK, but has not yet got a final ACK back. When this queue is full, the victim cannot take any more connection.

The size of the queue has a system-wide setting. In linux, we can check the system queue size setting using the following command:

# sysctl -q net.ipv4.tcp_max_syn_backlog

We can use command "netstat -na" to check the usage of the queue, i.e., the number of half-opened connection associated with a listening port. The state for such connections is SYN-RECV. If the 3-way handshake is finished, the state of the connections will be ESTABLISHED.

In this task, you need to demonstrate the SYN flooding attack. You can use the Netwox tool to conduct the attack, and then use a sniffer tool to capture the attacking packets. While the attack is ongoing, run the "netstat -na" command on the victim machine, and compare the result with that before the attack. Please also describe how you know whether the attack is successful or not.

SYN Cookie Countermeasure: If your attack seems unsuccessful, one thing that you can investigate is whether the SYN cookie mechanism is turned on. SYN cookie is a defense mechanism to counter the SYN flooding attack. The mechanism will kick in if the machine detects that it is under the SYN flooding attack. You can use the sysctl command to turn on/off the SYN cookie mechanism:
# sysctl -a | grep cookie (Display the SYN cookie flag)
# sysctl -w net.ipv4.tcp_syncookies=0 (turn off SYN cookie)
# sysctl -w net.ipv4.tcp_syncookies=1 (turn on SYN cookie)

Please run your attacks with the SYN cookie mechanism on and off, and compare the results. In your report, please describe why the SYN cookie can effectively protect the machine against the SYN flooding attack.

Task 4: TCP RST Attacks on Video Streaming Applications

For this task, you can choose a video streaming web site that you are familiar with (we will not name any specific web site here). Most of video sharing websites establish a TCP connection with the client for streaming the video content. The attacker's goal is to disrupt the TCP session established between the victim and video streaming machine. To simplify the lab, we assume that the attacker and the victim are on the same LAN. In the following, we describe the common interaction between a user (the victim) and some video-streaming web site:

The victim browses for a video content in the video-streaming web site, and selects one of the videos for streaming. Normally video contents are hosted by a different machine, where all the video contents are located. After the victim selects a video, a TCP session will be established between the victim machine and the content server for the video streaming. The victim can then view the video he/she has selected.

Your task is to disrupt the video streaming by breaking the TCP connection between the victim and the content server. You can let the victim user browse the video-streaming site from another (virtual) machine or from the same (virtual) machine as the attacker. Please be noted that, to avoid liability issues, any attacking packets should be targeted at the victim machine (which is the machine run by yourself), not the content server machine (which does not belong to you).

Task 5: TCP Session Hijacking

The objective of the TCP Session Hijacking attack is to hijack an existing TCP connection (session) between two victims by injecting malicious contents into this session. If this connection is a telnet session, attackers can inject malicious commands into this session, causing the victims to execute the malicious commands. We will use telnet in this task. We also assume that the attackers and the victims are on the same LAN.

If you use Wireshark to observe the network traffic, you should be aware that when Wireshark displays the TCP sequence number, by default, it displays the relative sequence number, which equals to the actual sequence number minus the initial sequence number. If you want to see the actual sequence number in a packet, you need to right click the TCP section of the Wireshark output, and select "Protocol Preference". In the popup window, uncheck the "Relative Sequence Number and Window Scaling" option.

Lab Report

You should submit a lab report with screen shots of each steps. The report should cover the following sections:

1) The design of your attacks, including the attacking strategies, the packets that you use in your attacks, the tools that you used.

2) Is your attack successful? How do you know whether it has succeeded or not? What do you expect to see? What have you observed? Some of the attacks might fail. If so, you need to find out what makes them fail. Attach screen shots of your observation.

It should be noted that because some vulnerabilities have already been fixed in Linux, some of the above attacks will fail in Linux, but they might still be successful against other operating systems.

Reference no: EM131031968

Questions Cloud

Examine the packaging for green works : Examine the packaging for Green Works What perceptual processes are evident in the design and in how consumers will perceive and interpret the Product?
How long could we afford to sustain the old system : The essence of our approach to ROI analysis was on what's focused and simplicity-Why did we need to replace the old system? How long could we afford to sustain the old system? What were people doing now that took so long?
Is connection in meteoritic material and life solar system : Is there any connection between meteoritic material and life in our Solar System? Explain your answer.
Find the long run probability that a caller is put on hold : Players and spectators enter a ballpark according to independent Poisson processes having respective rates 5 and 20 per hour. Starting at an arbitrary time, compute the probability that at least 3 players arrive before 4 spectators.
How the arp cache poisoning attack work : In this task, you need to demonstrate how the ARP cache poisoning attack work. Several commands can be useful in this task. In linux we can use command arp to check the current mapping between IP address and MAC
Develop a long-term professional relationship : In each case the client is attracted to the idea of working with a young architect / landscape architect / built environment professional, with whom they might develop a long-term professional relationship
Draw a single erd and identify primary and foreign keys : Draw a single ERD - clearly identify Primary and Foreign keys (state any assumptions made) and Create a view that would list all MIS required courses
Frederick mining had the following income and expense : Frederick Mining board of directors declares a $1.50-per-share dividend payable on 3/31/2016 to shareholders of record as of 3/15/2016. Frederick uses a dividends account to record dividends declared.
Indicate that both processes yield the same mean level : Reading down and left to right, draw a time series plot of all the data and comment on any features of the data that are revealed by this plot.

Reviews

Write a Review

Computer Networking Questions & Answers

  Networking and types of networking

This assignment explains the networking features, different kinds of networks and also how they are arranged.

  National and Global economic environment and ICICI Bank

While working in an economy, it has a separate identity but cannot operate insolently.

  Ssh or openssh server services

Write about SSH or OpenSSH server services discussion questions

  Network simulation

Network simulation on Hierarchical Network Rerouting against wormhole attacks

  Small internet works

Prepare a network simulation

  Solidify the concepts of client/server computing

One-way to solidify the concepts of client/server computing and interprocess communication is to develop the requirements for a computer game which plays "Rock, Paper, Scissors" using these techniques.

  Identify the various costs associated with the deployment

Identify the various costs associated with the deployment, operation and maintenance of a mobile-access system. Identify the benefits to the various categories of user, arising from the addition of a mobile-access facility.

  Describe how the modern view of customer service

Describe how the greater reach of telecommunication networks today affects the security of resources which an organisation provides for its employees and customers.

  Technology in improving the relationship building process

Discuss the role of Technology in improving the relationship building process Do you think that the setting of a PR department may be helpful for the ISP provider? Why?

  Remote access networks and vpns

safekeeping posture of enterprise (venture) wired and wireless LANs (WLANs), steps listed in OWASP, Securing User Services, IPV4 ip address, IPV6 address format, V4 address, VPN, Deploying Voice over IP, Remote Management of Applications and Ser..

  Dns

problems of IPV, DNS server software, TCP SYN attack, Ping of Death, Land attack, Teardrop attack, Smurf attack, Fraggle attack

  Outline the difference between an intranet and an extranet

Outline the difference between an intranet and an extranet A programmer is trying to produce an applet with the display shown in Figure 1 below such that whenever one of the checkboxes is selected the label changes to indicate correctly what has..

Free Assignment Quote

Assured A++ Grade

Get guaranteed satisfaction & time on delivery in every assignment order you paid with us! We ensure premium quality solution document along with free turntin report!

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd