Intrusion Analysis Using tcpdump and Snort

“As news of data security breaches at high-profile
companies keeps coming, so too does the need for
security planning and management skills. IT
security is one of the top 10 skills that will become
"newly important" to companies in the next five
years.”
-- Kate Kaiser,
Associate Professor at Marquette University,
quoted in “Hot Skills, Cold Skills”,
ComputerWorld, July 17, 2006
1
“Companies employ 1.4 million IT security
professionals worldwide. By 2010, that number
will reach 2 million, an increase of almost 30%.
U.S. companies will also increase spending on
information security training by 16.4% annually
through 2009.”
-- from a study by IDC on
Security Workforce Trends
quoted in “Hot Skills, Cold Skills”,
ComputerWorld, July 17, 2006
2
Certifications (1)

International Information Systems Security Certification Consortium, Inc. [(ISC)²]; https://www.isc2.org/:
- Certified Information Systems Security Professional (CISSP)

Information Systems Audit and Control Association (ISACA); http://www.isaca.org/:
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
3
Certifications (2)

Computing Technology Industry Association (CompTIA); http://www.comptia.org/:
- CompTIA Security+ Certification
- CompTIA Network+ Certification
- CompTIA A+ Certification

SysAdmin, Audit, Network, Security (SANS) Institute; http://www.sans.org/:
- Global Information Assurance Certification (GIAC)
4
Example 1: Telnet connection
TCP Stimulus-Response
5
TCP stimulus-response

Example of tcpdump data for a telnet (port 23) application.

Type 1: Normal system

Stimulus
abc.com.25020 > cde.com.telnet: S 2538567:2538567(0) win 4096 <mss 1480> (DF)

Response
cde.com.telnet > abc.com.25020: S 38849799:38849799(0) ack 2538568 win 4096 <mss 1480>
6
Anomalous cases: tcp-telnet example

Type 2: Destination not listening on telnet port

For the same stimulus, the response will be a Reset/Ack:
cde.com.telnet > abc.com.25020: R 0:0(0) ack 2538568 win 0

Type 3: Destination host not available
Though the destination host has a registered DNS IP address,
- the host may be currently down, or
- it may have been misconfigured, preventing it from responding.
The response would come from the router (assume its address is xxx.1) to which the network of the destination host is directly connected.
7
Anomalous cases: tcp-telnet example (continued)
xxx.1 > abc.com: icmp: host cde.com unreachable

Type 4: Destination port blocked
xxx.1 > abc.com: icmp: host cde.com unreachable - admin prohibited filter

Type 5: Destination port blocked, router silenced
Some routers can be silenced by putting a statement like 'no IP unreachable' in the access control list.
The stimulus will get no response.
The stimulus will be sent repeatedly until the maximum number of permitted attempts is reached.
8
Example 2: Windows tracert
ICMP ECHO REQUEST-RESPONSE
9
Windows tracert:
- Consists of ICMP echo requests and ICMP echo replies.
- Example: for a final destination two hops away, the tcpdump output involving the FIRST router, one hop from the source, is:

Stimulus
abc.com > cde.com: icmp: echo request [ttl 1]

Response
router1 > abc.com: icmp: time exceeded in transit
tracert sends the same stimulus three times (i.e. twice more) to get the response from the same destination.
10
Windows tracert (continued):

Thereafter it sends an echo request with TTL = 2.
abc.com > cde.com: icmp: echo request
cde.com > abc.com: icmp: echo reply
abc.com notes the RTT.
The same message is sent again two times and the RTT is noted in each case.
Tracert then gives an output like:
Over a maximum of 30 hops:
129 ms  126 ms  130 ms  router1
229 ms  124 ms  118 ms  cde.com
Trace complete.
11
Example 3: UNIX traceroute
UDP-ICMP PORT UNREACHABLE
12
UNIX traceroute:

Note: the default behavior of tcpdump is to print the TTL only when it has a value of 1, to warn of an impending problem.

UNIX traceroute:
- Sends a UDP message with increasing values of TTL, beginning with TTL = 1, to trace the route.
- For the destination, a port in the range 33000 to 33999 is usually used.
- Such a port is normally not used for listening, so an ICMP port unreachable message is returned.
13
Tcpdump output of traceroute:

For ttl = 1:
abc.com.27822 > cde.com.33888: udp 12 (DF) [ttl 1]
router1 > abc.com: icmp: time exceeded in transit
For ttl = 2:
abc.com.27822 > cde.com.33889: udp 12 (DF)
cde.com.33889 > abc.com.27822: icmp: cde.com udp port 33889 unreachable (DF)
Three similar messages are sent in each case.
14
Example 4: FTP PROCEDURE
TCP
15
FTP Procedure:
Active FTP (21: command port; 20: data port)
- Step 1: The FTP client initiates the establishment of a connection with the FTP server at port 21.
- Step 2: The client requests transfer of a directory listing or any other file from the server to the client.
- Step 3: The server initiates a connection from port 20 to an ephemeral port of the client.
- Step 4: After the connection is established, the transfer of data is completed on the new connection.
For each additional exchange of data, a new connection with a new ephemeral port is made.
16
FTP: tcpdump output

Step 1: Establishment of connection:
abc.com.38235 > cde.com.21: S 2537895:2537895(0)
cde.com.21 > abc.com.38235: S 12337887:12337887(0) ack 2537896
abc.com.38235 > cde.com.21: . ack 1
Step 2: Exchange of packets for authentication: asking for the user name and, later, the password etc.
As an example, ONLY THE FIRST TWO packets are shown below:
cde.com.21 > abc.com.38235: P 1:24(23) ack 1
P indicates the Push flag.
abc.com.38235 > cde.com.21: . ack 24
17
FTP: tcpdump output (continued):
Step 3: The directory command is issued by abc.com to get the list of directories available at the server (not shown).
This leads to the establishment of a second TCP connection between port 20 of the server and an ephemeral port of the client:
cde.com.20 > abc.com.38236: S 23376656:23376656(0)
abc.com.38236 > cde.com.20: S 3535736:3535736(0) ack 23376657
cde.com.20 > abc.com.38236: . ack 1
Now cde.com sends the list of directories to abc.com on the new connection.
18
Example 5:
Not all erroneous packets are malicious.
19
No stimulus -- all response:
Consider the following tcpdump output:
- router1 > 182.122.150.72: icmp: time exceeded in transit (or any other error message)
- router1 > 182.122.130.52: icmp: time exceeded in transit
- router1 > 182.122.110.32: icmp: time exceeded in transit
Explanation: a large number of such messages arriving at the net 182.122 means that host addresses of that net had been spoofed for sending traffic to a foreign host; the errors are responses to traffic the net never sent.
Note: such icmp messages cannot be probing messages, since an icmp error message cannot get a response. There is no danger to 182.122.
20
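A worked correlator for the stimulus-response reading used in Example 1 (Types 1 to 5) and in Example 5, added here as an example and not part of the original slides. It takes tcpdump lines in the slides' notation, matches each response to the SYN that provoked it, and reports responses that match no stimulus (the backscatter case above). All hostnames, ports and sequence numbers in the sample capture are constructed.

```python
import re

# Constructed tcpdump lines in the notation the slides use (not taken from the deck):
# TCP lines read "src.port > dst.port: flags ...", ICMP lines "src > dst: icmp: ...".
PACKETS = [
    "abc.com.25020 > cde.com.telnet: S 2538567:2538567(0) win 4096 <mss 1480> (DF)",
    "cde.com.telnet > abc.com.25020: S 38849799:38849799(0) ack 2538568 win 4096 <mss 1480>",
    "abc.com.25021 > fgh.com.telnet: S 2538600:2538600(0) win 4096 <mss 1480> (DF)",
    "fgh.com.telnet > abc.com.25021: R 0:0(0) ack 2538601 win 0",
    "abc.com.25022 > ijk.com.telnet: S 2538700:2538700(0) win 4096 <mss 1480> (DF)",
    "xxx.1 > abc.com: icmp: host ijk.com unreachable - admin prohibited filter",
    "abc.com.25023 > lmn.com.telnet: S 2538800:2538800(0) win 4096 <mss 1480> (DF)",
    "xxx.1 > abc.com: icmp: host lmn.com unreachable",
    "abc.com.25024 > opq.com.telnet: S 2538900:2538900(0) win 4096 <mss 1480> (DF)",
    "router1 > 182.122.150.72: icmp: time exceeded in transit",
    "router1 > 182.122.130.52: icmp: time exceeded in transit",
]

def parse(line):
    """Split one tcpdump line into its endpoints and the remaining text."""
    left, right = line.split(" > ", 1)
    dst, info = right.split(": ", 1)
    icmp = info.startswith("icmp:")
    # TCP endpoints carry the port as their last dotted component; ICMP endpoints do not.
    split = (lambda s: s.rpartition(".")[::2]) if not icmp else (lambda s: (s, None))
    src_host, src_port = split(left)
    dst_host, dst_port = split(dst)
    return dict(src=src_host, sport=src_port, dst=dst_host, dport=dst_port, icmp=icmp, info=info)

def correlate(lines):
    """Return (verdict per probed host, responses that match no stimulus)."""
    pending = {}        # (src, sport, dst, dport) of SYNs still awaiting a response
    verdict = {}        # probed host -> what its response (or silence) indicates
    unsolicited = []    # responses with no stimulus on record: backscatter, not a probe
    for raw in lines:
        p = parse(raw)
        flags = p["info"].split()[0]
        if not p["icmp"] and flags == "S" and " ack " not in p["info"]:
            pending[(p["src"], p["sport"], p["dst"], p["dport"])] = raw   # a stimulus
            continue
        if not p["icmp"]:
            key = (p["dst"], p["dport"], p["src"], p["sport"])            # reversed tuple
            if pending.pop(key, None):
                verdict[p["src"]] = {"S": "listening (SYN/ACK)",
                                     "R": "port closed (RST/ACK)"}.get(flags, "other: " + flags)
                continue
        else:
            m = re.search(r"host (\S+) unreachable", p["info"])
            target = m.group(1) if m else None
            key = next((k for k in pending if k[0] == p["dst"] and k[2] == target), None)
            if key:
                pending.pop(key)
                verdict[target] = ("port filtered (admin prohibited)" if "admin prohibited" in p["info"]
                                   else "host down or unreachable")
                continue
        unsolicited.append(raw)
    for _, _, dst, _ in pending:       # nothing ever came back: router silenced (Type 5)
        verdict[dst] = "no response (filtered silently)"
    return verdict, unsolicited
```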
Example 6: DNS MESSAGES
UDP STIMULUS-RESPONSE
21
UDP stimulus-response:

Example of tcpdump data for DNS messages (port 53):
Type 1: Normal:

Stimulus:
abc.com.25020 > cde.com.domain: 21000+ (31) (DF)
+ means that the domain server is asked to work recursively to obtain the resolution. 31 is the payload of the udp packet, not including the udp and ip headers.

Response:
cde.com.domain > abc.com.25020: 21000 1/0/0 (193) (DF)
22
UDP stimulus-response: Anomalous Cases

1/0/0 is the tcpdump DNS report format:
1: one answer resource record
0: no authority record
0: no additional record

Type 2: Destination not listening at port 53:

For the same stimulus, the response is:
cde.com.domain > abc.com: icmp: cde.com udp port domain unreachable
23
DNS Background (1)
24
DNS:

DNS (UDP port 53) name hierarchy:
Root servers
  generic domains: com, edu, net, org, biz, info, name, pro, gov, mil
  2-character country-specific domains: ca, jp, uk, ...
  arpa (for reverse look-up)
25
DNS System:

Every domain name server has many slaves, which take over in case there is a failure.
The slaves keep themselves synchronized by using the BIND protocol.
Transfers between the primary DNS server and the slaves are done through a zone transfer, which should be allowed between authorized servers only.
These transfers are done by using TCP in the interest of reliability.
26
DNS RESPONSE:

X/Y/Z
X: the number of responses (usually 1 or 0), i.e. the resolved IP address
Y: Authoritative records: the names of authoritative DNS servers
Z: Additional records: the IP addresses of authoritative DNS servers
27
Example 7: DNS MESSAGES
UDP STIMULUS-RESPONSE
28
DNS: tcpdump output
abc.com.2222 > dns.cde.com.53: 1+ (35)
- abc.com issues a 'gethostbyname' call to resolve the IP address of some host in the SANS organization.
- The + sign means the request is recursive, in that it asks the local DNS server to find and give the final answer.
The local DNS server has no information about the SANS organization, so it goes to the root server.
dns.cde.com.53 > h.root.servers.net.53: 12420- (30) (DF)
- Root servers are busy, so only an iterative request is issued, as indicated by the hyphen after 12420.
Reference: The example is taken from Northcutt and Novak, Ch 6
29
DNS: Authoritative records:

12420 is the ID number for the request.
h.root.servers.net.53 > dns.cde.com.53: 12420- 0/3/3 (153) (DF)
The root server says that it is sending 0/3/3:
0: no answer records
3: authoritative records
3: additional records

Authoritative records: the 3 servers which own and maintain the records for the SANS domain.
Additional records: provide the resolution of the above three authoritative DNS servers, i.e. their IP addresses.
30
DNS: Authoritative & Additional records:

Authoritative records:
sans.org  name server = server1.sans.org
sans.org  name server = ns.BSD1.COM
sans.org  name server = ns.DELOS.COM
Additional records:
server1.sans.org  Internet address = 167.216.133.33
ns.BSD.COM  Internet address = 205.230.225.16
ns.DELOS.COM  Internet address = 192.65.171.1
31
DNS: tcpdump output (continued):
The local DNS server now asks the first authoritative DNS server to resolve the IP address:
dns.cde.com.53 > server1.sans.org.53: 12421+ (30) (DF)
server1.sans.org.53 > dns.cde.com.53: 12421* 1/3/3 (172)
- * means the IP address being given is authoritative.
- 3/3 are the same Authority Records and Additional Records mentioned in the previous slide.
32
DNS Background (2)
33
DNS Cache

The local DNS server caches the IP address(es) obtained as shown in the previous four slides for a period called the TTL, as specified by the authoritative domain server.
As long as the record is in the cache, a request to resolve that domain name is met by responding with the IP address from the cache. The server marks such an answer as non-authoritative.
34
DNS: Reverse lookup

Reverse look up:
Given: an IP address
To find: the host name, by using gethostbyaddr
Method: to reverse look up the address 167.216.233.33, the query is as follows:
33.233.216.167.in-addr.arpa.

Limited size of UDP data:
Maximum allowable size of a UDP DNS response = 512 bytes
Of this, IP header = 20 bytes
UDP header = 8 bytes
35
Limited size of UDP data:
Therefore the data part of a UDP DNS message is at most 484 bytes.
- If the data to be returned is more than 484 bytes, it is truncated and a new TCP request for DNS is issued.
- Example:
abc.com.2727 > dns.cde.com.53: 12122 (43) (DF)
dns.cde.com.53 > abc.com.2727: 12122| 7/0/0 (494)
- The vertical line after 12122 indicates that the data has been truncated.

36
DNS: on TCP

The size of the data that should have been sent was 494 bytes, which is larger than the 484 bytes allowed with UDP.
The request can be reissued over TCP.
But a TCP connection to port 53 is usually not allowed, except for zone transfers.
In such a case, larger data of the type asked for above cannot be obtained.
Alternatively, TCP connections to port 53 may be allowed if an earlier udp exchange existed. But this would require storing the state of udp connections.
37
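The tcpdump DNS notation used in Examples 6 and 7 (the +, -, * and | markers and the X/Y/Z counts) together with the 484-byte UDP limit from the last two slides, as a parser added here; it is example code, not from the slides or from tcpdump itself. The sample lines are constructed in the slides' notation, and the ICMP line is included to show how a non-DNS response (the Type 2 case) is separated out.

```python
import re

# Constructed tcpdump DNS lines in the deck's notation (not copied from the slides).
SAMPLE = [
    "abc.com.25020 > cde.com.domain: 21000+ (31) (DF)",             # '+': recursive query
    "cde.com.domain > abc.com.25020: 21000 1/0/0 (193) (DF)",       # one answer record
    "dns.cde.com.53 > h.root.servers.net.53: 12420- (30) (DF)",     # '-': iterative query
    "h.root.servers.net.53 > dns.cde.com.53: 12420- 0/3/3 (153) (DF)",
    "server1.sans.org.53 > dns.cde.com.53: 12421* 1/3/3 (172)",     # '*': authoritative
    "dns.cde.com.53 > abc.com.2727: 12122| 7/0/0 (494)",            # '|': truncated
    "cde.com > abc.com: icmp: cde.com udp port domain unreachable", # not a DNS line
]
# Sizes from the slides: a 512-byte UDP DNS message less the IP and UDP headers.
UDP_DNS_MAX, IP_HDR, UDP_HDR = 512, 20, 8
DATA_LIMIT = UDP_DNS_MAX - IP_HDR - UDP_HDR      # 484 bytes of DNS data
DNS_LINE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)(?P<flags>[+\-*|]*) ?"                # query id plus tcpdump's marker characters
    r"(?:(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+) )?"        # X/Y/Z counts appear only in responses
    r"\((?P<len>\d+)\)")

def parse_dns(line):
    """Turn one tcpdump DNS line into a dict; raise ValueError for anything else."""
    m = DNS_LINE.match(line)
    if not m:
        raise ValueError("not a tcpdump DNS line: " + line)
    d = m.groupdict()
    rec = {"src": d["src"], "dst": d["dst"], "id": int(d["id"]),
           "kind": "response" if d["an"] is not None else "query",
           "recursive": "+" in d["flags"],      # server asked to resolve recursively
           "iterative": "-" in d["flags"],      # iterative request, as sent to a root server
           "authoritative": "*" in d["flags"],  # answer comes from an authoritative server
           "truncated": "|" in d["flags"],      # reply did not fit within the UDP limit
           "payload": int(d["len"])}            # bytes of DNS data, headers excluded
    if rec["kind"] == "response":
        rec.update(answers=int(d["an"]), authority=int(d["ns"]), additional=int(d["ar"]))
    return rec

def describe(rec):
    """One-line reading of a parsed record, including the truncation check."""
    if rec["kind"] == "query":
        mode = "recursive" if rec["recursive"] else "iterative" if rec["iterative"] else "plain"
        return f"{mode} query id {rec['id']} from {rec['src']} to {rec['dst']}"
    s = (f"response id {rec['id']}: {rec['answers']} answer, {rec['authority']} authority, "
         f"{rec['additional']} additional record(s)")
    if rec["authoritative"]:
        s += ", authoritative"
    if rec["truncated"] or rec["payload"] > DATA_LIMIT:
        s += f"; TRUNCATED ({rec['payload']} > {DATA_LIMIT} bytes): retry over TCP"
    return s

def summarize(lines):
    # Describe every DNS line; lines that are not DNS (the ICMP port unreachable) come back separately.
    described, other = [], []
    for ln in lines:
        try:
            described.append(describe(parse_dns(ln)))
        except ValueError:
            other.append(ln)
    return described, other
```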
Weaknesses in DNS:

Probing attacks:
a) At any machine, on giving the following command
% nslookup
the name of the default domain name server and its IP address are provided.
Example W1: > nslookup
Default Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
38
Weaknesses in DNS: Example 2
Example W2: on sending a 'gethostbyname' call to resolve the IP address of www.msn.com:
Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
Non-authoritative answer:
Name: www.msn.com
Addresses: 207.68.173.254, 207.68.171.244, 207.68.171.245, 207.68.172.234, 207.68.173.244
A non-authoritative answer is one that the local domain name server supplies from its cache.
39
To find your name server
b) On using the commands
> set type=ns
> domainname
the system responds with your name server.
Ex W3:
> set type=ns
> uwindsor.ca
Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
...next slide
40
Ex W3 (continued):
Non-authoritative answer:
uwindsor.ca nameserver = dns.uwindsor.ca
uwindsor.ca nameserver = ns1.uwo.ca
dns.uwindsor.ca internet address = 137.207.232.1
ns1.uwo.ca internet address = 129.100.2.12
There are two name servers; the names and IP addresses of both are provided.
41
Weaknesses in DNS: Example W4
Example W4: > set type=ns
> msn.com
Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
Non-authoritative answer:
msn.com nameserver = dns1.cp.msft.net
msn.com nameserver = dns1.dc.msft.net
msn.com nameserver = dns1.sj.msft.net
msn.com nameserver = dns1.tk.msft.net
42
Weaknesses in DNS: Example W4 (continued)
msn.com nameserver = dns3.jp.msft.net
msn.com nameserver = dns3.uk.msft.net
dns1.cp.msft.net internet address = 207.46.138.20
dns1.dc.msft.net internet address = 64.4.25.30
dns1.sj.msft.net internet address = 65.54.248.222
dns1.tk.msft.net internet address = 207.46.245.230
dns3.jp.msft.net internet address = 207.46.72.123
dns3.uk.msft.net internet address = 213.199.144.151
43
Weaknesses in DNS (continued):

c) Many domain name servers store host information like
- the name of the machine,
- details of its hardware, and
- the operating system.
Example: The commands
> set type=hinfo
> host49
will get the hardware and OS information of host49, if available.
It is wise not to store such information in a DNS server, since the DNS protocol provides a means for anyone (including a hacker) to access the information easily.
44
Host Information: Example W5
> set type=hinfo
> davinci.newcs.uwindsor.ca
Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
newcs.uwindsor.ca
primary name server = davinci.newcs.uwindsor.ca
responsible mail addr = walid.uwindsor.ca
serial = 2003112403
refresh = 10800 (3 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
45
Host Information: Definitions
Master/Secondary servers (1)
Serial: the serial number at the beginning of the Start Of Authority (SOA) data; it is updated every time the DNS database is updated, so it defines when the DNS data was last updated.
A secondary DNS server updates its data only if the serial number of the master is higher than its own serial number.
Refresh: the time interval (in seconds) between two successive updates of the database of a secondary name server.
Retry: if the secondary is not able to reach the master after a Refresh interval, it starts trying to reach the master every Retry interval.
Retry Interval < Refresh Interval
46
Host Information: Definitions
Master/Secondary servers (2)
Expire: if the secondary is not able to reach the master for an Expire interval, it stops responding to domain name resolution queries, i.e. it expires its data.
Default TTL: the TTL for every record of the name server's database is supplied by the authoritative name server in its response to a query. The default value is used if no such value is supplied in the response.
47
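To make the SOA timer rules above concrete, an added example (not from the slides) that parses the bracketed SOA fields as 'ls -d' prints them, checks the retry < refresh < expire relationships, and steps a secondary through refresh, retry, zone transfer and expiry. The Secondary state record and the timeline of contact attempts are assumptions of the example; the SOA values are the ones shown in Example W5.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class SOA:
    serial: int     # bumped every time the zone database changes
    refresh: int    # seconds between a secondary's checks of the master
    retry: int      # seconds between attempts after a failed check
    expire: int     # seconds without contact after which the secondary stops answering
    min_ttl: int    # default TTL, used when an answer carries no TTL of its own

def parse_soa(text):
    """Parse the bracketed fields as 'ls -d' prints them: (serial refresh retry expire ttl)."""
    return SOA(*map(int, text.strip("() ").split()))

def soa_problems(soa):
    """Timer relationships the slides require: retry shorter than refresh, expire longer than refresh."""
    found = []
    if soa.retry >= soa.refresh:
        found.append("retry interval must be shorter than the refresh interval")
    if soa.expire <= soa.refresh:
        found.append("expire interval must be longer than the refresh interval")
    return found

@dataclass(frozen=True)
class Secondary:        # state of a secondary server (assumed for the example)
    soa: SOA            # the copy of the master's SOA it currently holds
    last_ok: int        # time of the last successful contact with the master
    next_check: int     # when the next refresh or retry is due
    serving: bool = True

def check_master(sec, now, master_serial):
    """One contact attempt at time `now`; master_serial is None when the master is unreachable.
    Returns (new state, what happened)."""
    soa = sec.soa
    if master_serial is None:
        if now - sec.last_ok >= soa.expire:
            return replace(sec, serving=False, next_check=now + soa.retry), "expired: stop answering queries"
        return replace(sec, next_check=now + soa.retry), "master unreachable: retry later"
    sec = replace(sec, last_ok=now, next_check=now + soa.refresh, serving=True)
    if master_serial > soa.serial:
        return replace(sec, soa=replace(soa, serial=master_serial)), "serial higher: zone transfer over TCP"
    return sec, "serial not higher: no transfer"

def run(sec, attempts):
    """Drive the secondary through (time, master_serial) attempts; returns the final state and a log."""
    log = []
    for now, serial in attempts:
        sec, what = check_master(sec, now, serial)
        log.append((now, what))
    return sec, log
```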
Host Information: Example W6
> set type=hinfo
> nismail.uwindsor.ca
Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
uwindsor.ca
primary name server = dns.uwindsor.ca
responsible mail addr = clw.uwindsor.ca
serial = 2004020400
refresh = 14400 (4 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 129600 (1 day 12 hours)
48
Weaknesses in DNS (continued):

d) The command
> ls -d abc.com
may list the entire DNS server record of the domain abc.com.
Example W7: > ls -d newcs.uwindsor.ca
[davinci.newcs.uwindsor.ca]
newcs.uwindsor.ca.  SOA (Start of Authority)  davinci.newcs.uwindsor.ca walid.uwindsor.ca. (2003020700 10800 3600 604800 86400)
newcs.uwindsor.ca.  NS  uwindsor.ca
newcs.uwindsor.ca.  NS  davinci.newcs.uwindsor.ca
...next slide
49

Weaknesses in DNS: Example W7 (continued, 2)
newcs.uwindsor.ca.  NS  naps.uwindsor.ca
router-nt                    A   137.207.76.2
Symmetra ups                 A   137.207.76.15
xylan ATM machine            A   137.207.76.54
cs-ssr-6th router at 6thfl   A   137.207.76.250
davinci                      MX  5 davinci.newcs.uwindsor.ca
davinci                      MX  10 nismail.uwindsor.ca
cs-ssr-main main router      A   137.207.76.254
davinci.newcs.uwindsor.ca walid.uwindsor.ca. (2003020700 10800 3600 604800 86400)
Notes: A: Authoritative Record; MX: Mail exchange
50
Weaknesses in DNS: Example W7 (continued, 3)
Ex. W7: For the domain, there are two mail exchangers available, with priority values of 5 and 10.
Allowed priority values: 0 to 65,535. The highest priority is 0 and the lowest priority is 65,535.
A mail server would try to deliver the mail first to the mail exchanger with the highest priority (the lowest value). In case that mail exchanger is down, it would deliver the mail to the mail exchanger with the next lower priority.
This method avoids looping in a large system.
51
Weaknesses in DNS (continued)
e) A tool called 'Domain Internet Groper' (DIG), supplied with some implementations of BIND, can provide the version number of BIND. (Versions in use: 4.8.3 and 4.9.4.)
f) Sneaky traceroute
Since port 53 is usually kept open and firewalls allow port 53 messages, udp messages sent to port 53 with increasing values of TTL can tell whether the host is alive.
This method (to find whether a host is alive) may be used if ICMP echo requests are blocked.
52
Sneaky traceroute
Generate udp messages for the destination host (which should not be a name server) with progressively increasing values of ttl.
Intermediate routers would respond with a time exceeded ICMP message.
If the destination host is alive, it would respond with a port unreachable ICMP message.
If the destination host is not alive, the last router would respond with a host unreachable ICMP message.
53
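A defender's counterpart to the technique above, added as an example that is not part of the slides: detection logic run over constructed tcpdump lines, which flags a source sending UDP to port 53 of hosts that are not name servers, notes the "[ttl 1]" marker tcpdump prints, and records which hosts answered with port unreachable and so revealed they were alive. The NAMESERVERS set and all hostnames are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed tcpdump lines (not from the slides). tcpdump prints "[ttl 1]" only when the TTL is 1.
CAPTURE = [
    "probe.example.40001 > web.cde.com.53: udp 12 [ttl 1]",
    "router1 > probe.example: icmp: time exceeded in transit",
    "probe.example.40002 > web.cde.com.53: udp 12",
    "web.cde.com > probe.example: icmp: web.cde.com udp port 53 unreachable",
    "abc.com.25020 > dns.cde.com.53: udp 31",        # ordinary query to the real resolver
    "dns.cde.com.53 > abc.com.25020: udp 193",
]
# Hosts that legitimately receive UDP/53 on this network (an assumption of the example).
NAMESERVERS = {"dns.cde.com"}

UDP53 = re.compile(r"^(?P<src>\S+)\.\d+ > (?P<dst>\S+)\.53: udp \d+(?P<ttl1> \[ttl 1\])?")
PORT_UNREACH = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): icmp: \S+ udp port 53 unreachable")

def find_probes(lines, nameservers=NAMESERVERS):
    """Flag sources sending UDP/53 to hosts that are not name servers. A port unreachable
    reply from such a host shows the probe has confirmed that the host is alive."""
    evidence = defaultdict(lambda: {"targets": set(), "ttl1": False, "alive_leak": set()})
    for ln in lines:
        m = UDP53.match(ln)
        if m and m["dst"] not in nameservers:
            e = evidence[m["src"]]
            e["targets"].add(m["dst"])
            e["ttl1"] = e["ttl1"] or bool(m["ttl1"])
            continue
        m = PORT_UNREACH.match(ln)
        if m and m["src"] not in nameservers and m["dst"] in evidence:
            evidence[m["dst"]]["alive_leak"].add(m["src"])
    alerts = {}
    for src, e in evidence.items():
        reasons = [f"UDP/53 sent to non-name-server host(s) {sorted(e['targets'])}"]
        if e["ttl1"]:
            reasons.append("TTL 1 seen: hop-by-hop traceroute pattern")
        if e["alive_leak"]:
            reasons.append(f"host(s) {sorted(e['alive_leak'])} revealed alive via port unreachable")
        alerts[src] = reasons
    return alerts
```

The matching mitigation follows from the slide itself: permit UDP/53 through the firewall only to the hosts that actually serve DNS, so a probe to any other host draws no reply.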
Weaknesses in DNS
Cache Poisoning attack:
g) Since the DNS message format for a query and the message format for a response are the same, a query may contain a poisoned IP address.
The domain name server would cache it for later use.
This can misdirect other users to the wrong site.
54
References

For the Mitnick attack:
1. http://www.totse.com/en/hack/hack_attack/hacker03.html
2. http://www.shado.info/blog/archives/000112.html (home page of the blog: http://www.shado.info/)
55

Two news-items
and
Two stories
(p. 103-105 and Ch 7 of the text book on Intrusion Detection)
56
WHY DID AL-JAZEERA WEB-SITES GO DOWN?
“At this point we're not able to triangulate to a particular reason…. It could just be an overall traffic increase that adds to the load or it could be an increase in the rate at which users are coming to the site. Or it could be some external event like a DoS or a virus that's propagating. Al-Jazeera put this site together in a hurry…. You have to do at least some basic load testing.”
Roopak Patel, Senior Internet Data Analyst, Keynote Systems Inc., a performance management and testing company, San Mateo, Calif., March 25, 2003
57
Dangerous times
The recent rash of Internet worms has produced an
army of hundreds of thousands of compromised
machines that could ultimately be used to launch a
massive DDoS attack at any time.
CERT is monitoring .. five large networks of
compromised machines installed with bots. The
bots connect compromised PCs or servers to
Internet Relay Chat servers, which attackers
commonly use to execute commands on the remote
systems. At least one of these networks has more
than 140,000 machines.
Officials at the CERT Coordination Center, Carnegie Mellon University, 17 March 2003
58