
Types of Attack

Instructor : Team
Course : TTH3K3 - Network Security
As Taught In : 2nd semester 2017-2018
Level : Undergraduate
CLO: 1
Week: 3
Sub-Topic : Types of Attack

www.telkomuniversity.ac.id
Social Engineering

Introduction to Social Engineering

• Older than computers
• Targets the human component of a network
• Goals
– Obtain confidential information (passwords)
– Obtain personal information

Tactics

– Persuasion
– Intimidation
– Coercion
– Extortion/blackmailing

Introduction to Social Engineering (continued)

• The biggest security threat to networks
• Most difficult to protect against
• Main idea:
– “Why crack a password when you can simply ask for it?”
– Users divulge their passwords to IT personnel

Studies human behavior

– Recognize personality traits
– Understand how to read body language

Types of Social Engineering

1. Phishing
2. Pretexting
3. Baiting
4. Quid Pro Quo
5. Tailgating

source: tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/

Types of Social Engineering: Phishing

1. Phishing
Phishing scams might be the most common types of social engineering
attacks used today. Most phishing scams demonstrate the following
characteristics:
• Seek to obtain personal information, such as names, addresses and social
security numbers.
• Use link shorteners or embed links that redirect users to suspicious
websites in URLs that appear legitimate.
• Incorporate threats, fear and a sense of urgency in an attempt to
manipulate the user into acting promptly.
• Some phishing emails are more poorly crafted than others, to the extent
that their messages oftentimes exhibit spelling and grammar errors, but
these emails are no less focused on directing victims to a fake website or
form where the attackers can steal user login credentials and other personal
information.
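The characteristics above (shortened or disguised links, urgency wording) can be turned into a simple mail-gateway heuristic. The following Python is an added example written for this page, not code from the original slides or from the tripwire.com source; the shortener list, the urgency phrases and the sample email are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of well-known URL shorteners; extend from your own threat intel.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Constructed urgency phrases typical of the "act now" pressure the slide describes.
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended", "verify your account")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def flag_links(html):
    """Return (href, reason) for every anchor that shows a phishing trait:
    a shortener hiding the destination, or display text naming a different host."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = host_of(href)
        if actual in SHORTENERS:
            findings.append((href, "link shortener hides destination"))
        # Visible text that looks like a URL but the link goes elsewhere
        if re.match(r"^(https?://)?[\w.-]+\.\w{2,}", text):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown and shown != actual:
                findings.append((href, f"display text says {shown} but link goes to {actual}"))
    return findings


def urgency_score(text):
    """Count how many pressure phrases appear; higher means more manipulative wording."""
    lowered = text.lower()
    return sum(1 for phrase in URGENCY_WORDS if phrase in lowered)


# Constructed sample message (not a real phishing email).
SAMPLE = (
    "<p>Your account will be suspended. Verify your account immediately: "
    '<a href="http://bit.ly/xyz">Login</a> or '
    '<a href="http://login.example-bank.co">www.examplebank.com</a></p>'
)

if __name__ == "__main__":
    for href, reason in flag_links(SAMPLE):
        print(f"{href}: {reason}")
    print("urgency score:", urgency_score(SAMPLE))
```

The mismatch check only compares hostnames; a real gateway would also resolve shortened links and compare the final destination against the display text.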
Types of Social Engineering: Pretexting

2. Pretexting
Pretexting is another form of social engineering where attackers focus on
creating a good pretext, or a fabricated scenario, that they can use to try and
steal their victims’ personal information. These types of attacks commonly
take the form of a scammer who pretends that they need certain bits of
information from their target in order to confirm their identity.
More advanced attacks will also try to manipulate their targets into
performing an action that enables them to exploit the structural weaknesses
of an organization or company. A good example of this would be an attacker
who impersonates an external IT services auditor and manipulates a
company’s physical security staff into letting them into the building.
Unlike phishing emails, which use fear and urgency to their advantage,
pretexting attacks rely on building a false sense of trust with the victim. This
requires the attacker to build a credible story that leaves little room for doubt
on the part of their target.
Types of Social Engineering: Baiting

3. Baiting
Baiting is in many ways similar to phishing attacks. However, what
distinguishes them from other types of social engineering is the promise of an
item or good that hackers use to entice victims. Baiters may offer users free
music or movie downloads, if they surrender their login credentials to a
certain site.
Baiting attacks are not restricted to online schemes, either. Attackers can also
focus on exploiting human curiosity via the use of physical media.

Types of Social Engineering: Quid pro Quo

4. Quid pro Quo
Similarly, quid pro quo attacks promise a benefit in exchange for information.
This benefit usually assumes the form of a service, whereas baiting frequently
takes the form of a good.
One of the most common types of quid pro quo attack involves fraudsters
who impersonate IT service people and who spam-call as many direct
numbers belonging to a company as they can find. These attackers offer IT
assistance to each and every one of their victims. The fraudsters will promise
a quick fix in exchange for the employee disabling their AV program and for
installing malware on their computers that assumes the guise of software
updates.
It is important to note, however, that attackers can use much less
sophisticated quid pro quo offers than IT fixes. As real world examples have
shown, office workers are more than willing to give away their passwords for
a cheap pen or even a bar of chocolate.
Types of Social Engineering: Tailgating

5. Tailgating
Another social engineering attack type is known as tailgating or
“piggybacking.” These types of attacks involve someone who lacks the proper
authentication following an employee into a restricted area.
In a common type of tailgating attack, a person impersonates a delivery driver
and waits outside a building. When an employee gains security’s approval and
opens their door, the attacker asks that the employee hold the door, thereby
gaining access off of someone who is authorized to enter the company.
Tailgating does not work in all corporate settings, such as in larger companies
where all persons entering a building are required to swipe a card. However,
in mid-size enterprises, attackers can strike up conversations with employees
and use this show of familiarity to successfully get past the front desk.

Preventing Social Engineering

• Train users not to reveal any information to outsiders
• Verify caller identity
– Ask questions
– Call back to confirm
• Security drills

Social Engineering: Other Techniques

• Urgency
• Status quo
• Kindness
• Position
• Shoulder Surfing
• Dumpster Diving

The Art of Shoulder Surfing

• Shoulder surfer
– Reads what users enter on keyboards
• Logon names
• Passwords
• PINs

Tools for Shoulder Surfing

• Binoculars or telescopes or cameras in cell phones
• Knowledge of key positions and typing techniques
• Knowledge of popular letter substitutions
– s equals $, a equals @

The Art of Shoulder Surfing (continued)

• Prevention
– Avoid typing when someone is nearby
– Avoid typing when someone nearby is talking on
cell phone
– Computer monitors should face away from door
or cubicle entryway
– Immediately change password if you suspect
someone is observing you

Dumpster Diving

• Attacker finds information in victim’s trash
– Discarded computer manuals
• Notes or passwords written in them
– Telephone directories
– Calendars with schedules
– Financial reports
– Interoffice memos
– Company policy
– Utility bills
– Resumes of employees

The Art of Dumpster Diving (continued)

• Prevention
– Educate your users about dumpster diving
– Proper trash disposal
– Use “disk shredder” software to erase disks before discarding them
• Software writes random bits
• Done at least seven times
– Discard computer manuals offsite
– Shred documents before disposal
The Art of Piggybacking

• Trailing closely behind an employee cleared to enter restricted areas
• How it works:
– Watch authorized personnel enter an area
– Quickly join them at security entrance
– Exploit the desire of others to be polite and helpful
– Attacker wears a fake badge or security card

The Art of Piggybacking (continued)

• Prevention
– Use turnstiles
– Train personnel to report the presence of strangers
– Do not hold secured doors for anyone
• Even for people you know
– All employees must use secure cards

Sample Phishing

Network Attack
Theoretical Perspective

Types of Network Attack

1. Eavesdropping
2. Data Modification
3. Identity Spoofing (IP Address Spoofing)
4. Password-Based Attacks
5. Denial-of-Service Attack
6. Man-in-the-Middle Attack
7. Compromised-Key Attack
8. Sniffer Attack
9. Application-Layer Attack
source: technet.microsoft.com/en-us/library/cc959354.aspx
Types of Network Attack: Eavesdropping

1. Eavesdropping
In general, the majority of network communications occur in an
unsecured or "cleartext" format, which allows an attacker who
has gained access to data paths in your network to "listen in" or
interpret (read) the traffic. When an attacker is eavesdropping
on your communications, it is referred to as sniffing or snooping.
The ability of an eavesdropper to monitor the network is
generally the biggest security problem that administrators face in
an enterprise. Without strong encryption services that are based
on cryptography, your data can be read by others as it traverses
the network.

Types of Network Attack: Data Modification

2. Data Modification
After an attacker has read your data, the next logical step is to
alter it. An attacker can modify the data in the packet without
the knowledge of the sender or receiver. Even if you do not
require confidentiality for all communications, you do not want
any of your messages to be modified in transit. For example, if
you are exchanging purchase requisitions, you do not want the
items, amounts, or billing information to be modified.

Types of Network Attack: Identity Spoofing

3. Identity Spoofing (IP Address Spoofing)
Most networks and operating systems use the IP address of a
computer to identify a valid entity. In certain cases, it is possible
for an IP address to be falsely assumed— identity spoofing. An
attacker might also use special programs to construct IP packets
that appear to originate from valid addresses inside the
corporate intranet.
After gaining access to the network with a valid IP address, the
attacker can modify, reroute, or delete your data. The attacker
can also conduct other types of attacks, as described in the
following sections.

Types of Network Attack: Password-based Attacks

4. Password-Based Attacks
A common denominator of most operating system and network
security plans is password-based access control. This means your
access rights are determined by your user name and password.
When an attacker finds a valid user account, the attacker has the
same rights as the real user, even administrator-level rights.
After gaining access to your network with a valid account, an
attacker can do any of the following:
• Obtain lists of valid user and computer names and network information.
• Modify server and network configurations, including access controls and
routing tables.
• Modify, reroute, or delete your data.

Types of Network Attack: Denial-of-Service Attack

5. Denial-of-Service Attack
Unlike a password-based attack, the denial-of-service attack
prevents normal use of your computer or network by valid users.
After gaining access to your network, the attacker can do any of
the following:
• Randomize the attention of your internal Information Systems staff so that
they do not see the intrusion immediately, which allows the attacker to
make more attacks during the diversion.
• Send invalid data to applications or network services, which causes
abnormal termination or behavior of the applications or services.
• Flood a computer or the entire network with traffic until a shutdown
occurs because of the overload.
• Block traffic, which results in a loss of access to network resources by
authorized users.
Types of Network Attack: Man-in-the-Middle Attack

6. Man-in-the-Middle Attack
As the name indicates, a man-in-the-middle attack occurs when
someone between you and the person with whom you are
communicating is actively monitoring, capturing, and controlling
your communication transparently. For example, the attacker
can re-route a data exchange.
Man-in-the-middle attacks are like someone assuming your
identity in order to read your message. The person on the other
end might believe it is you because the attacker might be actively
replying as you to keep the exchange going and gain more
information. This attack is capable of the same damage as an
application-layer attack, described later in this section.
Types of Network Attack: Compromised-key Attack

7. Compromised-Key Attack
A key is a secret code or number necessary to interpret secured
information. Although obtaining a key is a difficult and resource-
intensive process for an attacker, it is possible. After an attacker
obtains a key, that key is referred to as a compromised key.
An attacker uses the compromised key to gain access to a
secured communication without the sender or receiver being
aware of the attack. With the compromised key, the attacker can
decrypt or modify data, and try to use the compromised key to
compute additional keys, which might allow the attacker access
to other secured communications.

Types of Network Attack: Sniffer Attack

8. Sniffer Attack
A sniffer is an application or device that can read, monitor, and
capture network data exchanges and read network packets. If
the packets are not encrypted, a sniffer provides a full view of
the data inside the packet. Even encapsulated (tunneled) packets
can be broken open and read unless they are encrypted and the
attacker does not have access to the key.
Using a sniffer, an attacker can do any of the following:
• Analyze your network and gain information to eventually cause your
network to crash or to become corrupted.
• Read your communications.

Types of Network Attack: Application-layer Attack

9. Application-Layer Attack
An application-layer attack targets application servers by
deliberately causing a fault in a server's operating system or
applications. This results in the attacker gaining the ability to
bypass normal access controls. The attacker takes advantage of
this situation, gaining control of your application, system, or
network, and can do any of the following:
• Read, add, delete, or modify your data or operating system.
• Introduce a virus program that uses your computers and software
applications to copy viruses throughout your network.
• Introduce a sniffer program to analyze your network and gain information
that can be used to crash or to corrupt your systems and network.
• Abnormally terminate your data applications or operating systems.
• Disable other security controls to enable future attacks.
Distributed Denial of Service

Denial-of-service

• Denial of service (DoS): an action that prevents or impairs the
authorized use of networks, systems, or applications by exhausting
resources such as central processing units (CPU), memory, bandwidth,
and disk space
• Attacks (overload or invalid requests to services that consume
significant resources) target:
– network bandwidth
– system resources
– application resources
• Have been an issue for some time (25% of respondents to an FBI survey)

Classic DoS attacks

• Flooding ping command
– Aim of this attack is to overwhelm the capacity of the network
connection to the target organization
– Traffic can be handled by higher capacity links on the path,
but packets are discarded as capacity decreases
• Source of the attack is clearly identified unless
a spoofed address is used
• Network performance is noticeably affected

Classic DoS attacks

Internet Control Message Protocol (ICMP)

• The Internet Control Message Protocol (ICMP) is one of the main IP
protocols; it is used by network devices, like routers, to send error
messages (e.g., indicating that a requested service is not available or
that a host or router could not be reached)
• The host must respond to all echo requests with an echo reply
containing the exact data received in the request message

Source address spoofing

• Use forged source addresses
– Usually via the raw socket interface on operating systems
– Makes attacking systems harder to identify
• Attacker generates large volumes of packets that have
the target system as the destination address
• Congestion would result in the router connected to the
final, lower capacity link
• Backscatter traffic
– Advertise routes to unused IP addresses to monitor attack
traffic

Backscatter traffic

• Security researchers (Honeypot Project) advertise blocks of unused IP
addresses (no real/legitimate uses)
• If ICMP/connection request is made, most
likely from attackers
• Monitoring provides valuable info on the type
and scale of attack

SYN spoofing

• Common DoS attack
• Attacks the ability of a server to respond to
future connection requests by overflowing the
tables used to manage them
• Thus legitimate users are denied access to the
server
• Hence an attack on system resources,
specifically the network handling code in the
operating system
TCP connection handshake

[Figure: TCP three-way handshake showing the SYN and SYN/ACK packets; y = server sequence number, x = client sequence number]

SYN spoofing attack

assumption: most connections succeed and thus table cleared quickly

SYN spoofing attack: attacker’s source

• Attacker often uses either
– random source addresses (addresses that may not exist)
– or that of an overloaded server (that may not send a RST)
– to block return of (most) reset packets
• Has much lower traffic volume
– attacker can be on a much lower capacity link
• Objective: uses addresses that will not respond to
the SYN-ACK with a RST

Types of flooding attacks

• Classified based on network protocol used
• Objective: to overload the network capacity on some link to a
server
• Virtually any type of network packet can be used
• ICMP Flood
– Uses ICMP packets, e.g. ping (echo) request
– Typically allowed through, some required
• UDP Flood
– Alternative uses UDP packets to random ports (even if no service is
available, attacker achieves its goal)
• TCP SYN Flood (SYN spoof vs SYN flood)
– Sends TCP SYN (connection request) packets
– But as a volume attack
UDP packet

• User Datagram Protocol (UDP) is a component of the IP suite and allows
computer applications to send messages
• A UDP packet can be directed at practically any service (port); if the
service is unavailable, the packet is discarded but the attacker’s
objective is achieved

Distributed DoS attacks

• Have limited volume if single source used
• Multiple systems allow much higher traffic volumes to form a
distributed DoS (DDoS) attack
• Often compromised PCs/workstations
– Zombies with backdoor programs installed
– Forming a botnet
• Example: Tribe Flood Network (TFN), TFN2K
– did ICMP, SYN and UDP floods

DDoS control hierarchy

Attacker sends one command to the handler zombies; the handler forwards
it to other handlers and agents

Application-based bandwidth attacks

• Force the victim system to execute resource-consuming operations
(e.g., searches, complex DB queries)
• VoIP Session Initiation Protocol (SIP) flood:
attacker sends many INVITE requests; major
burden on the proxies
– server resources depleted while handling requests
– bandwidth capacity is consumed

HTTP-based attacks

• Attempts to monopolize by sending HTTP requests that never complete
• Eventually consumes Web server’s connection
capacity
• Utilizes legitimate HTTP traffic
• Spidering: Bots starting from a given HTTP link
and following all links on the provided Web site in
a recursive way
• Existing intrusion detection and prevention
solutions that rely on signatures to detect attacks
will generally not recognize Slowloris

Reflection attacks

• Attacker sends packets to a known service on the intermediary with a
spoofed source address of the actual target system
• When intermediary responds, the response is sent to
the target
• “Reflects” the attack off the intermediary (reflector)
• Goal is to generate enough volumes of packets to flood
the link to the target system without alerting the
intermediary
• The basic defense against these attacks is blocking
spoofed-source packets

Reflection attacks

Reflection attacks

• Further variation creates a self-contained loop between intermediary
and target (attacker spoofs using port 7, the echo service)
• Fairly easy to filter and block

DNS amplification attacks

• Use packets directed at a legitimate DNS server as the intermediary system
• Attacker creates a series of DNS requests containing
the spoofed source address of the target system
• Exploit DNS behavior to convert a small request to a
much larger response (amplification)
• Target is flooded with responses
• Basic defense against this attack is to prevent the use
of spoofed source addresses

Amplification attacks

Can take advantage of broadcast address of some network

Four lines of defense against DDoS attacks

• Attack prevention and preemption (before attack)
• Attack detection and filtering (during the attack)
• Attack source traceback and identification (during
and after the attack)
• Attack reaction (after the attack)

DoS attack prevention

• Block spoofed source addresses
– On routers as close to source as possible
• Filters may be used to ensure path back to the claimed source
address is the one being used by the current packet
– Filters must be applied to traffic before it leaves the ISP’s network or
at the point of entry to their network
• Use modified TCP connection handling code
– Cryptographically encode critical information in a cookie that is sent as
the server’s initial sequence number
– Legitimate client responds with an ACK packet containing the
incremented sequence number cookie
– Drop an entry for an incomplete connection from the TCP connections
table when it overflows

Attack prevention

• Rate controls in upstream distribution nets
– On specific packet types, e.g. some ICMP, some UDP, TCP/SYN
– Impose limits
• Use modified TCP connection handling
– Server sends SYN cookies when table full (reconstruct table data from
the cookie from legitimate clients)
– Selective or random drop when table full
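The SYN-cookie idea from the two prevention slides (encode the connection state in the server's initial sequence number, then rebuild the table entry from the client's ACK) can be shown end to end. The Python below is an added illustration for this page, not the slides' own material and not the Linux kernel's layout: the cookie format (24-bit MAC, 5-bit time slot, 3-bit MSS index), the secret, the MSS table and the 64-second slot length are assumptions made for the demo.

```python
import hashlib
import hmac
import time

# Constructed secret for the demo; a real server uses a random key generated at boot.
SECRET_KEY = b"constructed-demo-key-change-me"
# MSS values the server is willing to remember; only the 3-bit index fits in the cookie.
MSS_TABLE = [536, 1220, 1440, 1460]
SLOT_SECONDS = 64  # assumption: cookie age is counted in 64-second slots


def current_slot(now=None):
    """Coarse time counter so cookies expire without the server storing anything."""
    return int(now if now is not None else time.time()) // SLOT_SECONDS


def _mac(saddr, sport, daddr, dport, slot):
    """24-bit truncated HMAC over the connection 4-tuple and the time slot."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{slot}".encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, sport, daddr, dport, mss_index, slot):
    """Build the 32-bit ISN the server sends in its SYN/ACK when the table is full:
    [24-bit MAC][5-bit slot][3-bit MSS index]. No table entry is created."""
    if not 0 <= mss_index < len(MSS_TABLE):
        raise ValueError("mss_index out of range")
    return (_mac(saddr, sport, daddr, dport, slot) << 8) | ((slot & 0x1F) << 3) | mss_index


def check_cookie(saddr, sport, daddr, dport, ack_number, slot, max_age=2):
    """Validate the third handshake packet. A legitimate client ACKs ISN + 1, so the
    cookie is ack_number - 1. Returns the MSS to put in the reconstructed table entry
    if the cookie is genuine and at most max_age slots old, otherwise None (drop)."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    mss_index = cookie & 0x7
    slot_bits = (cookie >> 3) & 0x1F
    mac_bits = cookie >> 8
    if mss_index >= len(MSS_TABLE):
        return None
    for age in range(max_age + 1):
        candidate = slot - age
        if (candidate & 0x1F) != slot_bits:
            continue
        expected = _mac(saddr, sport, daddr, dport, candidate)
        # constant-time comparison so timing does not leak which bits were right
        if hmac.compare_digest(expected.to_bytes(3, "big"), mac_bits.to_bytes(3, "big")):
            return MSS_TABLE[mss_index]
    return None


if __name__ == "__main__":
    slot = current_slot()
    isn = make_cookie("198.51.100.7", 40001, "203.0.113.10", 443, 3, slot)
    print("SYN/ACK seq =", hex(isn))
    print("valid ACK ->", check_cookie("198.51.100.7", 40001, "203.0.113.10", 443, isn + 1, slot))
    print("spoofed port ->", check_cookie("198.51.100.7", 40002, "203.0.113.10", 443, isn + 1, slot))
```

Because a spoofed SYN never produces a matching ACK, the server spends no memory on it; the cost is that options not encoded in the cookie (anything beyond the MSS index here) are forgotten for connections set up this way.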

Responding to attacks

• Good incident response plan
– Details on how to contact technical personnel at the ISP
– Needed to impose traffic filtering upstream
– Details of how to respond to the attack
• Implement anti-spoofing, directed broadcast,
and rate limiting filters
• Ideally have network monitors and IDS to
detect and notify abnormal traffic patterns
TCP Connection Management: Closing

Step 1: client end system sends TCP FIN control segment to server (client enters “closing”)

Step 2: server receives FIN, replies with ACK. Closes connection, sends FIN (server enters “closing”)

Step 3: client receives FIN, replies with ACK. Enters “timed wait”: will respond with ACK to received FINs, then moves to “closed”

Step 4: server receives ACK. Connection closed.

Detection Methods (I)

• Utilize SYN-FIN pair behavior
• Or SYN/ACK – FIN
• Can be both on client or server side
• However, RST violates SYN-FIN behavior
– Passive RST: transmitted upon arrival of a packet at a closed port
(usually by servers)
– Active RST: initiated by the client to abort a TCP connection
(e.g., Ctrl-D during a telnet session)
• Often queued data are thrown away
– So SYN-RST (active) pair is also normal

SYN – FIN Behavior
• Generally every SYN has a FIN
• We can’t tell if RST is active or passive
• Consider 75% active

Detection Method (II)

• SYN – SYN/ACK pair behavior
• Hard to evade for the attacking source
• Problems
– Need to sniff both incoming and outgoing traffic
– Only becomes obvious when really swamped
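Both detection methods (SYN-FIN pairing with the 75% active-RST assumption, and SYN to SYN/ACK pairing) reduce to counting control packets in a window and comparing the tallies. The Python below is an added example for this page, not code from the slides; the flow-record format, the thresholds and the two traffic samples are constructed for the demo.

```python
from collections import Counter

# Slide assumption: about 75% of observed RSTs are active (client-initiated) and so
# legitimately close a connection that began with a SYN.
RST_ACTIVE_FRACTION = 0.75


def make_records(syn, synack, fin, rst, src="198.51.100.7", dst="203.0.113.10"):
    """Construct flow records 'ts src dst flags' for the demo (constructed data)."""
    lines, t = [], 0
    for flags, n in (("SYN", syn), ("SYN|ACK", synack), ("FIN|ACK", fin), ("RST", rst)):
        for _ in range(n):
            lines.append(f"{t} {src} {dst} {flags}")
            t += 1
    return lines


def count_flags(records):
    """Tally connection-control packets by type within one monitoring window."""
    counts = Counter()
    for line in records:
        _, _, _, flags = line.split()
        f = set(flags.split("|"))
        if f == {"SYN"}:
            counts["SYN"] += 1
        elif f == {"SYN", "ACK"}:
            counts["SYNACK"] += 1
        elif "FIN" in f:
            counts["FIN"] += 1
        elif "RST" in f:
            counts["RST"] += 1
    return counts


def syn_fin_ratio(counts):
    """Method (I): every SYN should eventually be paired with a FIN or an active RST."""
    closes = counts["FIN"] + RST_ACTIVE_FRACTION * counts["RST"]
    return counts["SYN"] / closes if closes else float("inf")


def syn_synack_gap(counts):
    """Method (II): SYNs that drew no SYN/ACK back (needs both directions sniffed)."""
    return counts["SYN"] - counts["SYNACK"]


def detect(records, ratio_threshold=3.0, gap_threshold=20):
    """Apply both checks to one window of records and return the verdicts."""
    counts = count_flags(records)
    ratio, gap = syn_fin_ratio(counts), syn_synack_gap(counts)
    return {
        "syn_fin_ratio": ratio,
        "syn_synack_gap": gap,
        "alert_syn_fin": ratio > ratio_threshold,
        "alert_syn_synack": gap > gap_threshold,
    }


# Constructed windows: ordinary traffic, then outbound SYNs that are never answered
# because their source addresses were forged (as seen near the attacking source).
NORMAL = make_records(syn=10, synack=10, fin=9, rst=2)
FLOOD = make_records(syn=40, synack=3, fin=2, rst=0)

if __name__ == "__main__":
    print("normal:", detect(NORMAL))
    print("flood :", detect(FLOOD))
```

The ratio check needs only one direction of traffic but, as the slide says, becomes clear only once the imbalance is large; the SYN/SYN-ACK gap needs both directions but cannot be hidden by the sender.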

Password Management

Password Management

• Front line of defense against intruders
• Virtually all multiuser systems require that a user provide not only a
name or identifier (ID) but also a password
– Password serves to authenticate the ID of the individual
logging on to the system
– The ID provides security by:
• Determining whether the user is authorized to gain access to a system
• Determining the privileges accorded to the user
• Used in discretionary access control

Managing Password

• need policies and good user education
• ensure every account has a default password
• ensure users change the default passwords to something they can remember
• protect password file from general access
• set technical policies to enforce good passwords
– minimum length (>6)
– require a mix of upper & lower case letters, numbers,
punctuation
– block known dictionary words

Managing Password

• may reactively run password guessing tools
– note that good dictionaries exist for almost any language/interest group
• may enforce periodic changing of passwords
• have system monitor failed login attempts, & lockout
account if see too many in a short period
• do need to educate users and get support
• balance requirements with user acceptance
• be aware of social engineering attacks

Attack Strategies and Countermeasures (1)

Workstation hijacking
• The attacker waits until a logged-in workstation is unattended
• The standard countermeasure is automatically logging the workstation out
after a period of inactivity
Exploiting user mistakes
• Attackers are frequently successful in obtaining passwords by using social
engineering tactics that trick the user or an account manager into
revealing a password; a user may intentionally share a password to enable
a colleague to share files; users tend to write passwords down because it
is difficult to remember them
• Countermeasures include user training, intrusion detection, and simpler
passwords combined with another authentication mechanism

Attack Strategies and Countermeasures (2)

Offline dictionary attack
• Determined hackers can frequently bypass access controls and gain access
to the system’s password file
• Countermeasures include controls to prevent unauthorized access to the
password file, intrusion detection measures to identify a compromise, and
rapid reissuance of passwords should the password file be compromised
Specific account attack
• The attacker targets a specific account and submits password guesses until
the correct password is discovered
• The standard countermeasure is an account lockout mechanism, which
locks out access to the account after a number of failed login attempts
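The lockout countermeasure above, and the earlier "monitor failed login attempts and lock the account if there are too many in a short period" advice, amount to a sliding-window counter over the authentication log. The Python below is an added example for this page, not the slides' own code; the log line format, the threshold of five failures per minute and the sample log are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> auth: FAILED login user=<name> from=<ip>"
LOG_RE = re.compile(r"^(\S+) auth: FAILED login user=(\S+) from=(\S+)$")


def parse(line):
    """Return (timestamp, user, source) for a failed-login line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_lockouts(lines, max_failures=5, window=timedelta(minutes=1)):
    """Sliding-window policy: an account is locked the moment it accumulates
    max_failures failed logins inside `window`. Lines are assumed to be in time order.
    Returns {user: timestamp at which the lockout was triggered}."""
    recent = defaultdict(deque)
    locked = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, user, _ = parsed
        if user in locked:
            continue  # already locked; later failures do not matter here
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # forget failures older than the window
        if len(q) >= max_failures:
            locked[user] = ts
    return locked


def constructed_log():
    """Constructed sample: alice is guessed rapidly, bob mistypes a few times,
    carol fails often but slowly (spread over ten minutes)."""
    start = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    for i in range(6):
        t = start + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} auth: FAILED login user=alice from=198.51.100.7")
    for i in range(3):
        t = start + timedelta(seconds=7 * i)
        lines.append(f"{t.isoformat()} auth: FAILED login user=bob from=192.0.2.5")
    for i in range(6):
        t = start + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} auth: FAILED login user=carol from=192.0.2.9")
    lines.append("2024-03-01T09:00:30 auth: OK login user=dave from=192.0.2.1")
    return sorted(lines)


if __name__ == "__main__":
    for user, when in find_lockouts(constructed_log()).items():
        print(f"lock {user} at {when.isoformat()}")
```

Lockouts should be temporary (or paired with a per-source rate limit), because a permanent lockout lets anyone who knows a user name deny that user service simply by failing on purpose.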

Attack Strategies and Countermeasures (3)

Electronic Monitoring
• sniffing/eavesdropping
• Countermeasure: (advanced) encryption
Password guessing against single user
• User awareness, password policies
Exploiting multiple password use
• Similar password for a given user across different networks
• User awareness, password policies
Popular password attack
• User awareness, password policies

UNIX Password Scheme

Password Selection Strategies

• The goal is to eliminate guessable passwords while allowing the user to select a password
that is memorable
• Four basic techniques are in use:
– User education
• Users can be told the importance of using hard-to-guess passwords and can be
provided with guidelines for selecting strong passwords
– Computer-generated passwords
• Computer-generated password schemes have a history of poor acceptance by users
• Users have difficulty remembering them
– Reactive password checking
• A strategy in which the system periodically runs its own password cracker to find
guessable passwords
– Proactive password checking
• A user is allowed to select his or her own password; however, at the time of selection,
the system checks to see if the password is allowable and, if not, rejects it
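Proactive password checking, together with the technical policy rules from the "Managing Password" slide (minimum length greater than 6, a mix of upper and lower case, digits and punctuation, and no dictionary words), can be implemented as a single check run at selection time. The Python below is an added example for this page, not code from the slides or from any real system; the dictionary, the substitution table and the test passwords are constructed for the demo. It goes slightly beyond the slides by undoing the popular letter substitutions mentioned in the shoulder-surfing slide (s as $, a as @) before the dictionary lookup.

```python
import string

# Constructed, deliberately tiny dictionary; a real deployment loads large word lists
# (the slides note that good dictionaries exist for almost any language or interest group).
DICTIONARY = {"password", "letmein", "qwerty", "welcome", "monkey", "dragon", "telkom"}
# Popular substitutions the slides mention (s -> $, a -> @) plus a few common ones.
UNDO_SUBSTITUTIONS = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "!": "i"})
MIN_LENGTH = 7  # slides require minimum length > 6


def normalize(password):
    """Undo leet-style substitutions and keep letters only, so 'P@$$w0rd1' reveals 'password'."""
    undone = password.lower().translate(UNDO_SUBSTITUTIONS)
    return "".join(ch for ch in undone if ch.isalpha())


def check_password(password, dictionary=DICTIONARY):
    """Proactive check at selection time. Returns the list of policy violations;
    an empty list means the password is allowed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name}")
    base = normalize(password)
    for word in sorted(dictionary):
        # short words would match almost anything, so only check words of 4+ letters
        if len(word) >= 4 and word in base:
            problems.append(f"contains dictionary word '{word}'")
            break
    return problems


if __name__ == "__main__":
    for candidate in ("abc", "P@ssw0rd1!", "Tr0ub4dor&3"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'allowed' if not verdict else ', '.join(verdict)}")
```

Rejecting with a list of reasons, rather than a bare "not allowed", is what keeps the user acceptance the slides warn about: the user learns which rule to satisfy instead of guessing.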
Passwords…… New Ways

• Use password manager applications
• Use passphrases instead of passwords
– Random common words instead of gibberish, hard-to-memorize random
characters (xkcd #936)

Exercise

• Use Wireshark to monitor your network traffic
– Save your network traffic for 30 minutes
– From your saved traffic file: determine how much of the traffic is ARP, DNS, and HTTP
– What’s your IP address? What’s your DNS server?
• Assume that passwords are selected from four-character combinations of 26 alphabetic
characters. Assume that an adversary is able to attempt passwords at a rate of one per
second.
– Assuming no feedback to the adversary until each attempt has been completed, what
is the expected time to discover the correct password?
– Assuming feedback to the adversary flagging an error as each incorrect character is
entered, what is the expected time to discover the correct password?
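The second exercise is a small expected-value calculation, and the way to check the reasoning is to derive the formula and confirm it by simulation on a smaller alphabet. The Python below is an added worked example for this page, not a solution supplied by the course; it assumes passwords are uniformly distributed, that the adversary never repeats a guess, and that with per-character feedback each character try costs one attempt.

```python
import random
from itertools import product


def expected_attempts_no_feedback(alphabet_size, length):
    """All alphabet_size**length passwords are equally likely and the adversary tries
    them in a fixed order without repetition, so the right one sits at a uniformly
    random position in that order: expected position (N + 1) / 2."""
    n = alphabet_size ** length
    return (n + 1) / 2


def expected_attempts_with_feedback(alphabet_size, length):
    """Per-character error feedback lets the adversary settle each position on its
    own: (alphabet_size + 1) / 2 tries per position, summed over the positions
    (assumption: each character try costs one attempt)."""
    return length * (alphabet_size + 1) / 2


def expected_seconds(alphabet_size, length, attempts_per_second, feedback):
    """Expected time to discover the password at the given guessing rate."""
    formula = expected_attempts_with_feedback if feedback else expected_attempts_no_feedback
    return formula(alphabet_size, length) / attempts_per_second


def simulate_mean_attempts(alphabet, length, trials, feedback, seed=1):
    """Monte-Carlo check of the formulas on a small alphabet (constructed experiment)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        secret = tuple(rng.choice(alphabet) for _ in range(length))
        if feedback:
            attempts = 0
            for pos in range(length):  # guess one position at a time
                order = list(alphabet)
                rng.shuffle(order)
                attempts += order.index(secret[pos]) + 1
        else:
            candidates = list(product(alphabet, repeat=length))
            rng.shuffle(candidates)  # a random guessing order over all passwords
            attempts = candidates.index(secret) + 1
        total += attempts
    return total / trials


if __name__ == "__main__":
    for feedback in (False, True):
        secs = expected_seconds(26, 4, 1, feedback)
        print(f"feedback={feedback}: {secs:.1f} s ({secs / 3600:.2f} h)")
    print("simulated, alphabet abcd, length 3:",
          simulate_mean_attempts("abcd", 3, 3000, False), "vs", expected_attempts_no_feedback(4, 3))
```

The contrast between the two results is the lesson: feedback per character turns one search over 26^4 candidates into four independent searches over 26, which is why login code must report failure only after the whole password has been checked.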

Server Certificate: SSL

Virtual Communication between Layers

[Figure: application data passes down the stack on Host A (application layer, transport layer, network layer, data link layer), through two routers that process only the network and data link layers, and up the stack on Host B; each layer’s data is carried as the payload of the layer below]

TCP/IP Security Protocols

Application Layer: PGP, SSH
Transport Layer: SSL/TLS
Internetwork Layer: IPsec
Network Access Layer: IEEE 802.11 (WEP, WPA)

Security in what layer?

• Depends on the purpose…
– How are keys provisioned/shared?
– Should the (human) user be involved?
– Semantics: authenticate user-to-user, or host-to-
host?

Security in what layer?

• Depends on what’s available
– E.g., consider a user connecting to a website from
a café (over a wireless network)
– End-to-end encryption might be unavailable (e.g.,
if website does not support encryption)
– Eavesdropping on Internet backbone less likely
than eavesdropping on wireless link in café
– Encrypt link from user to wireless router
– Link-layer encryption more appropriate
• Link-layer authentication also possible

Security in what layer?

• Depends on the threat model/what threats are being addressed
– What information needs to be protected? (Ports,
IP addresses?)
– e.g. network-layer authentication will not prevent
DoS attacks at link level (e.g., ARP spoofing, replay
disconnect messages, overloading access point)
– e.g. an application-layer protocol cannot protect
IP header information
– End-to-end or hop-by-hop?
Security in what layer?

• Security interactions with various layers
– e.g. if TCP accepts a packet which is rejected by
the application above it, then TCP will reject the
“correct” packet (detecting a replay) when it
arrives!
– e.g. if higher-layer header data is used by a
firewall to make decisions, this is incompatible
with network-layer encryption (if it encrypts
headers)

Generally…

• When security is placed at lower levels, it can provide automatic,
“blanket” coverage…
– …but it can take a long time before it is widely
adopted
– Can be inefficient to encrypt everything

• When security is placed at higher levels, individual users can choose
when to use it…
– …but users who are not security-conscious may not
take advantage of it
– Can encrypt only what is necessary

Example: PGP vs. SSL vs. IPsec

• PGP is an application-level protocol for “secure email”
– Can provide security over insecure networks
– Works for communication with an off-line party (i.e., email): the message is protected, not the connection
– Users choose when to use PGP; the user must be involved
– Alice’s signature on an email proves that Alice’s key generated the message and that it was received unaltered; it also provides non-repudiation
• In contrast, SSL secures “the connection” from Alice’s computer; additional mechanisms would be needed to authenticate the user herself
Example: PGP vs. SSL vs. IPsec

• SSL sits “above” TCP, between the application and the transport layer
– The data stream (carried as SSL records) is authenticated/encrypted
– End-to-end security, best for connection-oriented sessions (e.g., HTTP traffic)
– The user does not need to be involved
– The OS does not have to change, but applications do if they want to communicate securely
Example: PGP vs. SSL vs. IPsec

• IPsec sits at the network layer
– Individual packets authenticated/encrypted
– End-to-end or hop-by-hop security (transport mode between hosts, or tunnel mode between security gateways)
– Need to modify the OS
– All applications “protected” by default, without requiring any change to applications or actions by users
– Only authenticates hosts, not users
– The user can be completely unaware that IPsec is running
Application Layer

• Provides services for an application to send and receive data over the network, e.g., telnet (port 23), mail/SMTP (port 25), finger (port 79)
• Interface to the transport layer:
– Operating-system dependent
– Socket interface
Application Layer Security

Advantages:
• Most flexible
• Executing in the context of the user → easy access to the user’s credentials
• Complete access to the data → easier to ensure non-repudiation and fine-grained security
• Application-based security (the policy can be specific to the application)
Disadvantages:
• Most intrusive
• Implemented in the end hosts
• Needed separately for each application
• Expensive
• Greater probability of making a mistake (each application reimplements security on its own)
Providing Security

• Provide a security system that can be used by different applications
– Develop authentication and key-distribution models
• Enhance the application protocol with security features
– Need to enhance each application separately
Web Security

• HTTP is not a secure protocol
– Simple and stateless client/server application running over TCP/IP; requests, responses, cookies and credentials travel in cleartext
• Added security measures are needed
– We will see SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
– HTTPS
• HTTP carried over SSL/TLS
• SSL/TLS support is actually provided for several other TCP/IP applications as well
– POP, SMTP, FTP, …
HTTPS

• HTTPS (HTTP over SSL/TLS)
– combination of HTTP & SSL/TLS to secure communications between browser & web server
• documented in RFC 2818
• no fundamental change whether SSL or TLS is used underneath; both are referred to as HTTPS
• use https:// URLs rather than http://
– use port 443 rather than 80
• encrypts
– URL (path and query string), document contents, form data, cookies, HTTP headers
• still visible to an eavesdropper
– the server’s IP address and port, the TLS record headers (content type and length), and the server hostname when the client sends it in the TLS Server Name Indication (SNI) extension
HTTPS Connection Initiation

• The SSL/TLS handshake is done first
– The HTTP client (browser) acts as the SSL/TLS client
• After the handshake, the HTTP request(s) are sent
– All HTTP data is carried inside the SSL/TLS record protocol
HTTPS Connection Closure

• connection closure
– “Connection: close” in the HTTP headers
• normally causes the TCP connection to be closed
• but SSL/TLS sits between HTTP and TCP
• thus SSL/TLS should control the closure at the TCP level
– SSL/TLS level: both sides exchange close_notify alerts
– then the TCP connection can be closed
– a TCP close (FIN/RST) that arrives without a preceding close_notify is an “incomplete close” in RFC 2818 terms: the receiver cannot tell whether an attacker truncated the data
Sample HTTPS

EXPERIMENTS

Experiment 1

• Objective:
– Sniffing a password using Wireshark
• Download: https://www.wireshark.org/download.html
What to do

1. Launch Wireshark
2. From the Wireshark menu bar, select Capture → Interfaces (Ctrl+I)
3. In the Wireshark capture-interfaces dialog box, find and select the Ethernet interface that carries the virtual machine’s traffic, then click Start.
4. Switch to the virtual machine and log in to your email. (The password is only readable if the login goes over plaintext HTTP, POP3 or IMAP; over HTTPS/TLS the capture shows only TLS records with encrypted payloads.)
5. You may save the captured packets with File → Save As.
6. In Find by...
QUESTION

1. Evaluate the protocols involved in the activity captured by Wireshark
2. Evaluate the result of the activity
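The following is an added example, not part of the original lab material or of Wireshark. It replays Experiment 1 on constructed packets and ties it to the HTTPS slide’s list of what is and is not encrypted: the same login sent as a plaintext HTTP form, as HTTP Basic authentication, and as an HTTPS session. The “captured” TCP payloads are built by hand to resemble what Wireshark’s Follow TCP Stream would show; the host name mail.example.test, the credentials, and every helper name are this example’s own.

```python
"""Plaintext HTTP login vs. HTTPS session, as seen by an on-path sniffer.
Added example with constructed capture data; not the slides' own code."""
import base64
import struct
from urllib.parse import parse_qs

# Constructed: a login form posted over plain HTTP (port 80).
HTTP_FORM_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)
# Constructed: the same account fetched with HTTP Basic auth. Base64 is an
# encoding, not encryption, so this is just as exposed as the form above.
HTTP_BASIC_LOGIN = (
    b"GET /inbox HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"\r\n"
)


def tls_record(content_type, body, version=(3, 3)):
    """One TLS record: 1-byte content type, 2-byte version, 2-byte length, body."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


# Constructed HTTPS session (port 443): a ClientHello handshake record (sent
# with the legacy record version 3.1), two encrypted application-data records
# for the HTTP request and response, then an encrypted alert (close_notify)
# before the TCP close. Record bodies are filler bytes, not real ciphertext.
CLIENT_HELLO = b"\x01\x00\x00\x29\x03\x03" + bytes(32) + b"\x00\x00\x02\xc0\x2f\x01\x00"
TLS_SESSION = (
    tls_record(0x16, CLIENT_HELLO, version=(3, 1))
    + tls_record(0x17, bytes(range(64)))
    + tls_record(0x17, bytes(range(128, 256)))
    + tls_record(0x15, bytes(26))
)
CAPTURE = [(80, HTTP_FORM_LOGIN), (80, HTTP_BASIC_LOGIN), (443, TLS_SESSION)]

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}


def parse_tls_records(stream):
    """Split a TLS byte stream into record headers. Only the 5-byte header is
    plaintext; after the handshake the bodies (the close_notify alert included)
    are encrypted, so content type and length are all a sniffer learns."""
    records, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if offset + 5 + length > len(stream):
            break  # capture ended mid-record
        records.append({"type": TLS_CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
                        "version": "%d.%d" % (major, minor), "length": length})
        offset += 5 + length
    return records


def parse_http_request(payload):
    """Split an HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


CREDENTIAL_FIELDS = {"user", "username", "login", "email", "pass", "password", "passwd"}


def extract_http_credentials(payload):
    """Pull credentials out of a plaintext HTTP request: Basic auth header or login form."""
    method, target, headers, body = parse_http_request(payload)
    found = {}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found.update({"username": user, "password": password})
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("latin-1")).items():
            if field.lower() in CREDENTIAL_FIELDS:
                found[field] = values[0]
    return {"method": method, "target": target, "host": headers.get("host"), "credentials": found}


def sniff(capture):
    """Classify each (dst_port, payload) the way Wireshark's protocol column would."""
    report = []
    for dst_port, payload in capture:
        if dst_port == 443:
            report.append({"proto": "TLS", "records": parse_tls_records(payload), "credentials": {}})
        elif dst_port == 80:
            report.append({"proto": "HTTP", **extract_http_credentials(payload)})
    return report


if __name__ == "__main__":
    for entry in sniff(CAPTURE):
        print(entry)
```

Running it prints the recovered username and password for both plaintext requests, while the HTTPS entry yields only a list of record types (handshake, application_data, application_data, alert) and lengths, which is exactly what the Wireshark capture in step 4 shows when the mail site uses HTTPS.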
Experiment 2

• Objective:
– Scan, detect, protect and attack computers on a LAN
What you need:

• PC with Windows Server 2012 as the host machine
• Windows Server 2008 running in a virtual machine as the target machine
• Installed WinPcap driver
• WinArpAttacker (double-click WinArpAttacker.exe to start it)
What to do

1. Launch the Windows Server 2008 virtual machine
2. Launch WinArpAttacker on the host machine
3. Click the Scan option on the toolbar menu and select Scan LAN. This scans for the active hosts on the LAN.
4. Select a victim host (the Windows Server 2008 VM) from the displayed list, then select Attack → Flood. In its spoofing modes the tool acts as another gateway or IP forwarder on the LAN, unnoticed by the other users, by poisoning their ARP tables.
5. All data sniffed through the spoofing and forwarded by WinArpAttacker’s IP-forward function is counted, as shown in the main interface. The BanGateway option tells the gateway a wrong MAC address for the target computer, so the target can no longer receive packets from the Internet.
6. Click Save to save the report
QUESTION

• Analyze and document the scanned and attacked IP addresses.
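To see the attack from the defender’s side, here is an added example (not part of the original lab material and not WinArpAttacker’s code) that builds the ARP frames such a tool emits and runs a small arpwatch-style monitor over them: a victim resolves the gateway, the real gateway answers, then an attacking host announces itself as the gateway and feeds the gateway a bogus MAC for the victim, which is the BanGateway effect described in step 5. All MAC and IP addresses are made up, the frames are built with struct rather than captured, and the class and function names are this example’s own.

```python
"""ARP-poisoning detector over a constructed frame sequence.
Added example with made-up addresses; not the slides' or the tool's own code."""
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp_frame(op, sha, spa, tha, tpa, eth_src=None):
    """Ethernet + ARP frame. eth_src defaults to the ARP sender MAC; a spoofer may differ."""
    eth_dst = tha if op == ARP_REPLY else BROADCAST
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src or sha), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                       mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_text(src), "sha": mac_text(sha), "tha": mac_text(tha),
            "spa": str(ipaddress.IPv4Address(spa)), "tpa": str(ipaddress.IPv4Address(tpa))}


class ArpWatch:
    """Passive monitor: learns IP->MAC bindings and flags what an ARP poisoner produces."""

    def __init__(self):
        self.bindings = {}    # IP -> MAC first seen announcing that IP
        self.pending = set()  # IPs somebody asked for and nobody has answered yet
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp_frame(frame)
        if pkt is None:
            return None
        if pkt["eth_src"] != pkt["sha"]:          # Ethernet source disagrees with ARP sender
            self._alert("eth_src_mismatch", pkt)
        known = self.bindings.setdefault(pkt["spa"], pkt["sha"])  # requests and replies both announce (spa, sha)
        if known != pkt["sha"]:
            self._alert("mac_changed", pkt, known=known)
        if pkt["op"] == ARP_REQUEST:
            self.pending.add(pkt["tpa"])
        elif pkt["op"] == ARP_REPLY:
            if pkt["spa"] in self.pending:
                self.pending.discard(pkt["spa"])
            else:                                  # a reply nobody asked for: the poisoning signature
                self._alert("unsolicited_reply", pkt)
        return pkt

    def _alert(self, kind, pkt, **extra):
        self.alerts.append({"kind": kind, "ip": pkt["spa"], "mac": pkt["sha"], **extra})


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"    # constructed
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:00:00:20"     # constructed
ATTACKER_MAC = "de:ad:be:ef:00:01"                              # constructed

# Frames 1-2 are a normal resolution; frames 3-4 are the attack.
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # attacker tells the victim "the gateway is at my MAC" (traffic now flows through the attacker)
    build_arp_frame(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # attacker tells the gateway a bogus MAC for the victim (BanGateway: victim loses Internet)
    build_arp_frame(ARP_REPLY, "00:11:22:33:44:55", VICTIM_IP, GATEWAY_MAC, GATEWAY_IP, eth_src=ATTACKER_MAC),
]


def run_watch(frames):
    watch = ArpWatch()
    for frame in frames:
        watch.observe(frame)
    return watch


if __name__ == "__main__":
    for alert in run_watch(SAMPLE_FRAMES).alerts:
        print(alert)
```

The monitor keeps the first binding it saw rather than overwriting it, so on a real LAN it would be seeded from a quiet period before the attack; the three alert kinds (changed MAC, unsolicited reply, Ethernet/ARP source mismatch) are the same signals tools such as arpwatch report.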
Experiment 3

• Install Nessus
• Then use Nessus to scan your home network (or another network you are authorized to scan) and report the vulnerabilities discovered. You can use the standard policy defined in Nessus 4.2 or modify the policies as you like. Everyone should try this and may get different output from their own machines, so this group exercise is expected to produce reports from everyone (i.e., 4 to 5 reports depending on the size of the group)
Experiment 3

• There are two parts to the submission:
• Please include a cover page with the group name. Then, for each member, the number of vulnerabilities found in three categories: high, medium and low. Here is an example.

John Smith
Number of vulnerabilities
Open ports : 21
High : 0
Medium : 4
Low : 44
Experiment 3

• For each member, you should have a summary page from the Nessus scan results which shows the list of vulnerabilities found. Please submit that page as a PDF or HTML file. You don't need to output the detailed report from Nessus.
• Please concatenate all the results into one file for submission if possible
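The per-member table above can be produced directly from the scanner’s export rather than counted by hand. The following is an added example, not part of the original lab material and not Nessus’s own code: it assumes the .nessus (v2) XML export format, with one ReportHost element per scanned host and one ReportItem per finding carrying a numeric severity attribute (0 Info, 1 Low, 2 Medium, 3 High; newer versions also emit 4 Critical). The embedded SAMPLE_NESSUS fragment is constructed for this example, and its plugin IDs and names are placeholders, not real Nessus plugins.

```python
"""Summarise a .nessus export into the per-member block Experiment 3 asks for.
Added example with a constructed report; not the slides' or Nessus's own code."""
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed fragment in the shape of a .nessus v2 export (placeholder plugins).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="home-lan">
    <ReportHost name="192.168.1.20">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900001" pluginName="Host information (constructed)"/>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="900002" pluginName="Service detection (constructed)"/>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1" pluginID="900003" pluginName="Weak algorithm offered (constructed)"/>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="900004" pluginName="Directory listing enabled (constructed)"/>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="900005" pluginName="Outdated web server (constructed)"/>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="900006" pluginName="Remote code execution (constructed)"/>
    </ReportHost>
    <ReportHost name="192.168.1.1">
      <ReportItem port="53" svc_name="dns" protocol="udp" severity="1" pluginID="900007" pluginName="Version disclosure (constructed)"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def summarize_nessus(xml_text):
    """Return {host: {"open_ports": [(proto, port), ...], "counts": {severity name: n}}}."""
    root = ET.fromstring(xml_text)
    summary = {}
    for host in root.iter("ReportHost"):
        counts = Counter()
        ports = set()
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            counts[SEVERITY_NAMES.get(sev, "Severity %d" % sev)] += 1
            port = int(item.get("port", "0"))
            if port:  # port 0 marks a host-level plugin, not an open port
                ports.add((item.get("protocol", "tcp"), port))
        summary[host.get("name")] = {"open_ports": sorted(ports), "counts": dict(counts)}
    return summary


def summarize_nessus_file(path):
    """Same summary for a real export saved from the Nessus UI."""
    with open(path, encoding="utf-8") as f:
        return summarize_nessus(f.read())


def format_submission(member, host_summary):
    """Render one member's block in the layout shown on the slide."""
    lines = [member, "Number of vulnerabilities",
             "Open ports : %d" % len(host_summary["open_ports"])]
    for sev in ("High", "Medium", "Low"):
        lines.append("%s : %d" % (sev, host_summary["counts"].get(sev, 0)))
    return "\n".join(lines)


if __name__ == "__main__":
    for host, data in summarize_nessus(SAMPLE_NESSUS).items():
        print(format_submission("John Smith (%s)" % host, data))
        print()
```

Info-level items are counted but left out of the submission block, matching the slide’s three categories; add "Critical" to the tuple in format_submission if the scanner version in use reports severity 4.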
Questions

• Describe the three main concerns with the use of passwords for authentication.
• Explain what is meant by a social engineering attack on a password.
• Explain how malicious software threats and attacks are broadly classified.
• Describe what a virus, worm, trojan horse, and spyware are.
Questions

• The Internet is, slowly, transitioning from the version of the TCP/IP protocol suite currently in use, IPv4, to a new version, IPv6. Unlike IPv4 addresses, which are 32 bits long (e.g., 192.168.10.1), IPv6 addresses are 128 bits long (e.g., 2001:1890:1112:0001:0000:0000:0000:0020).
• a. Consider random-scanning Internet worms. These worms spread by choosing a random IP address, connecting to any host answering at that address, and attempting to infect it. Is the random-scanning strategy feasible if the Internet switches from IPv4 to IPv6? Why or why not?
• b. On the IPv6 Internet, give three different ways that a worm, executing on a compromised computer, can discover IP addresses of other hosts to try to infect.
Next Chapter: Attack Phase