Thursday, December 5, 2019

Network Security Assessment Detect a Denial of Service

Question: Discuss the Network Security Assessment used to detect a Denial of Service.

Answer:

Vulnerability Assessments

A vulnerability in network security is defined as a weakness or flaw in the network flow that reduces the assurance of the information available on the corresponding device, i.e. the state in which the device is not secure and is open to attackers. The most common network vulnerabilities [8] that push a device to an insecure level are:

- Shellshock attacks
- Backdoor attacks
- Denial of Service (DoS) attacks
- SSL attacks
- Botnet attacks
- Brute force attacks
- Browser attacks

Among the vulnerabilities listed above, the Denial of Service attack [1] is the most common and occurs often, at both the industry and the domestic level. An attack that suspends the network to a device or system, i.e. an attack aimed at the network servers, is called a Denial of Service attack. In simple words, DoS prevents the network servers from being available to the users. Most commonly a DoS attack occurs due to flooding of the network with traffic.

When a user types a particular website or URL into the browser, the device sends a request to the corresponding site's server. A network server can handle only a limited number of requests; if the server is overloaded with too many requests it cannot process them, and users cannot access the corresponding site. Such a state of inaccessibility for users is called a DoS attack.

A DoS attack in which the attacker uses his own computer to attack more than one targeted device, and then uses the attacked computers to attack further devices, is called a Distributed Denial of Service (DDoS) attack. By attacking other computers from an already compromised computer, the attacker can take advantage of the compromised device as well. The attack is called Distributed DoS because the attacker is using multiple computers.
Another form of DoS [1] is implemented through email messages, where the attacker launches a similar attack against an email account. These attacks often occur with free mail services such as Yahoo or Hotmail. By sending a bulk number of email messages to a single mail address, an attacker can take up the capacity of the corresponding mail account. Once a computer is hit by a Denial of Service (DoS) attack, the web browser shows a message like "HTTP error (Error Number): the service is unavailable".

How to Overcome DoS:

- To withstand this kind of attack, the corresponding website should have the capacity to handle 10,000 users [1]; only then can the site handle 1,00,000 users.
- Check the flow of the website periodically, to see whether the website is running normally or in a sluggish manner.
- Periodically check the statistics of the website. If they are normal, the site is not under DoS attack; if the statistics show more flaws, the user can confirm that the site is under a DoS or DDoS attack.
- If the website is under DoS attack, the user can check the source of the attacker through the Unix command netstat -an [2], which lists the Protocol, the Local Address of the site, the Foreign Address (the IP address of the attacker) and the State, where the state may be Listening, Established or Time Wait. If the user is waiting for the response of the site the state will be Listening; if the user is currently using the site the state will be Established; if the user has closed the site the state will be Time-Wait.

Scenario: Security of the wireless network of a small accounting firm

Wireless Network

In our case we are required to secure our wireless network. We can do this by using the security settings of our NETGEAR MR814 router device.
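The netstat -an check described above under "How to Overcome DoS" can be automated, and the same listing exposes the half-open connections that a SYN flood leaves behind. The following is an added example, not code from the original post or from reference [2]: it parses constructed netstat output (a sample, not a real capture) and flags foreign addresses holding many half-open connections. The line layout and state names follow Linux netstat, and the threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Constructed sample of `netstat -an` output (not a real capture): one foreign
# address holds several half-open (SYN_RECV) connections to the web port.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40003      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40004      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:51300       TIME_WAIT
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Linux layout: proto, recv-q, send-q, local, foreign, optional state (UDP has none).
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s*(\S+)?$")


def parse_netstat(text):
    """Return (proto, local, foreign_host, state) for each connection line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner and column-header lines
        proto, local, foreign, state = m.groups()
        host = foreign.rsplit(":", 1)[0]  # drop the port, keep the address
        rows.append((proto, local, host, state or ""))
    return rows


def state_summary(text):
    """Count connections per state: the overview the text suggests checking."""
    return Counter(state for *_, state in parse_netstat(text) if state)


def suspicious_sources(text, threshold=3):
    """Foreign addresses holding at least `threshold` half-open (SYN_RECV)
    connections; many of these from one source is the SYN flood signature."""
    counts = Counter(host for _, _, host, state in parse_netstat(text)
                     if state == "SYN_RECV")
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(dict(state_summary(SAMPLE_NETSTAT)))
    print(suspicious_sources(SAMPLE_NETSTAT))
```

On a live host, replace SAMPLE_NETSTAT with the captured output of netstat -an and re-run the check at intervals, so a climbing SYN_RECV count from one address stands out before the server becomes unresponsive.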
Given below are the steps to secure the wireless network infrastructure. Before we get started there is a little background information that you should be familiar with:

- Wireless Name: Your wireless network needs a name to uniquely identify it from other wireless networks. If you are not sure what this means, we have a guide explaining what a wireless name is that you can read for more information.
- Wireless Password: An important part of securing your wireless network is choosing a strong password.
- Wireless Channel: Picking a WiFi channel is not always a simple task. Be sure to read about WiFi channels before making the choice.
- Encryption: You should almost definitely pick WPA2 for your network's encryption. If you are unsure, be sure to read our WEP vs WPA guide first.

Login to the Netgear MR814v2
To get started configuring the Netgear MR814v2 WiFi settings you need to log in to your router. If you are already logged in you can skip this step.

Find the WiFi Settings on the Netgear MR814v2
After logging in to our router device we begin on the Router Status page. Click the Wireless Settings option in the left sidebar under the Setup heading.

Change the WiFi Settings on the Netgear MR814v2
On this page we are able to configure the Wireless options to our liking. There are four settings that really need to be changed for the best and most secure wireless experience.

1. The first is titled Name (SSID). This is our local network's ID. Be creative but avoid personal data.
2. The second setting is titled Channel. For the least interference our channel should not partially overlap our neighbour's channel; completely sharing a channel is okay though. If everyone used channels 1, 6 or 11 there would be a lot less interference, so make sure our wireless network is using channel 1, 6 or 11. Read our WiFi Channels Guide for more information.
3. Now we need to change the Wireless Encryption. This router allows WEP security. This is a very weak form of encryption and can be cracked quickly. Do not use WEP; use the WPA2-PSK security option for a more private and secure network.
4. Having chosen WPA2-PSK, you then need to enter a Passphrase (password). Create a strong and memorable password for logging in to our internet.

That's it; just don't forget to click the Apply button before you leave this page. Only with the password we have created can one access our internet. We have 20 PCs, 2 printers and 1 iPad; after applying the login password to all these devices, they are now able to use the internet. This device also creates a network infrastructure for sharing files and folders between all these devices.

Network/System Security Recommendations

Generally, there are two forms of Denial of Service (DoS) attack, as follows:

- Flooding Services attack
- Crashing Services attack

Flooding Services Attack:
Flood attacks occur when the website or system receives too many service requests, which causes the system to shut down or stop the overall process. Some of the flooding service attacks are:

- ICMP flood
- SYN flood
- Buffer Overflow attack (BOA)

In the BOA the attacker sends a bulk amount of service requests to the website, beyond the number of requests that can be handled by the site. This kind of buffer overflow attack is specific only to some applications, such as web applications and the internal memory of the device. The two main types of BOA are:

- Heap based overflow
- Stack based overflow

Some of the common ways to handle BOA are:

- Use canaries or default values in the website; when the default value changes the user gets a notification that an attacker has entered, i.e. that DoS has occurred.
- Protect the internal memory against shell code.
- Use address space layout randomization to prevent attackers from targeting a specified location.
ICMP Flood:
ICMP stands for Internet Control Message Protocol. ICMP [4] attackers attack not only the single system but also the devices connected to the targeted device. This attack is also called a Smurf attack or Ping of Death. ICMP error messages are up to 1280 bytes. The IPv4 [5] protocol uses ICMP messages and the IPv6 protocol uses ICMPv6 messages. Some of the ICMP messages with their type numbers [5] are:

- Echo Reply (type 0)
- Unassigned (type 1)
- Destination Unreachable (type 3)
- Source Quench (type 4)
- Redirect (type 5)
- Echo (type 8)
- Router Advertisement (type 9)
- Timestamp (type 13)
- Timestamp Reply (type 14)
- Timestamp Request (type 15)

SYN Flood Attack:
In a SYN flood attack [4], the attacker floods the targeted system by sending n number of SYN requests, so that the targeted system fails to send the acknowledgement message or becomes unresponsive. The SYN flood attack is also called a half-open attack.

Crashing Services Attack (CSA):
In the CSA the attacker aims to crash the targeted device. In a crashing service attack the targeted system is attacked by multiple attackers, which makes the targeted system shut down or affects the processes in it [4].

Another method to detect DoS is IP reputation: some Internet Protocol addresses tend to produce more malevolent traffic than others. Internet Protocol reputation is referred to as a scoring system that examines a site's propensity to hit the targeted system with attacks such as DDoS, vulnerability scanning and web application attacks. It can also be used to alert on and automatically filter the site's traffic. IP reputation filtering is easily provided through cloud security.

Scenario 2 - Expanding the Network by Using a Network Switch:
Let us say the accounting firm has a network as shown below. The router we bought has only 4 Ethernet LAN ports, and all 4 ports are connected to PCs. Still there are 20 PCs in the office, so how do we connect the remaining PCs to our network?
You can use a network switch to solve this problem. A switch is a device that joins multiple computers in your network so that the connected computers can communicate with each other. The switch is commonly used to expand a wired network, and the good thing is that it is not expensive. There are 4-port, 8-port, 16-port, 32-port and 50-port switches available in the market. The Ethernet speeds supported by switches are 10Mbps, 100Mbps or 1000Mbps; usually a 100Mbps switch is sufficient to support your network unless you run a Gigabit network (1000Mbps).

This is what we need to do:

- Buy a switch and connect an Ethernet LAN port of the router to one of the normal ports on the network switch using a crossover cable. If there is an uplink port on the switch, you can connect it to the router's Ethernet LAN port using a straight cable, but usually this is not available on entry-level switches.
- After that, connect the computers and notebooks to the switch's normal ports using straight Ethernet cables; finally they are all connected to the network and able to access the Internet. The LEDs on the switch show you which ports are connected.

This is a 50-port switch to use in the network sharing system.

III. Application/End-User Security Recommendations

The risks that arise from a Denial of Service (DoS) attack affect the network bandwidth, reduce server memory, cause application exceptions, raise CPU usage, and reduce hard disk space, database space and the database connection pool. Attack Mitigation Systems (AMS) [3] are the best-known application and the most recently used technique to overcome DoS attacks. The attacks overcome through AMS are web destruction, theft of information and exploitation of application vulnerabilities.
To prevent attacks in the network flow, the Attack Mitigation System (AMS) is also deployed as an Attack Mitigation Network (AMN) [3]. AMN combines distributed detection elements and mitigation elements to synchronize the traffic baselines and to protect the information from attackers, in response to the increasing frequency, difficulty and brutality of attacks on information security solutions.

Another way to avoid DoS on a web server is controlling the performance of the server, which adjusts the server response with respect to the server requests. Low Rate DoS (LRDoS) is an attack on cyber-physical systems that reduces the performance of feedback-based applications.

XSD (XML Schema Definition) is a current technique used to avoid DoS, most popularly recommended by the World Wide Web Consortium (W3C), where prevention through XSD is done by means of the XML (Extensible Markup Language) document. XSD provides the C++/Tree mapping to customise the handling of a particular user's attackers. The step by step procedure for XSD is:

- Analyse the state for each user login
- Create a separate service request and acknowledgement for each user
- Analyse the number of service requests and acknowledgements provided
- Validate the acknowledgements

Another method to detect DoS is the Clogging Participation Rate (CPR). With the CPR method the user can filter and detect LDDoS attacks and also analyse the intention to attack the site. In the CPR method the user detects the attacker with the help of the statistics report, which specifically shows the attacked part. The CPR approach is quicker and better than the previous method, the Discrete Fourier Transform (DFT). But with CPR the user can analyse only websites or web servers based on the Transmission Control Protocol (TCP), because only in the TCP protocol will network congestion and loss of packets not occur. The CPR analysis is based on sending packets and receiving the acknowledgements for them.
Scenario: Use of a firewall in the context of the network system of a small accounting firm

Firewall
A firewall is a software program or piece of hardware that helps screen out hackers, viruses and worms that try to reach your computer over the Internet. In our scenario we have used a NETGEAR MR814 router device connected to a Motorola SB3100 cable modem, so our NETGEAR MR814 router itself acts as a hardware firewall and we do not need to use any software firewall. If we need to stop only a particular program or application on our system from being allowed internet access, we can use a software firewall; the Microsoft Firewall provides this type of facility. But in our case we did not require this.

Bibliography

[1] Mindi McDowell, "Security Tip (ST04-015) Understanding Denial-of-Service Attacks", US-CERT. [Online]. Available: https://www.us-cert.gov/ncas/tips/ST04-015. [Accessed: 06-Feb-2016].
[2] Greg Thatcher, "How to Detect a Denial of Service (DoS) attack", Thatcher Development Software, 2013. [Online]. Available: https://www.gregthatcher.com/Azure/Ch2_ Detecting Denial OfService.aspx. [Accessed: 07-Feb-2016].
[3] Palo Alto Networks, "Denial of Service Attack - Prevent DoS Attacks with Palo Alto Networks - Overview of DoS attacks". [Online]. Available: https://www.paloaltonetworks. com/resources/learning-center/what-is-a-denial-of-service-attack-dos.html. [Accessed: 07-Feb-2016].
[4] Gorry Fairhurst, "Internet Control Message Protocol". [Online]. Available: https://www.erg.abdn.ac.uk/users/gorry/eg3567/inet-pages/icmp.html. [Accessed: 08-Feb-2016].
[5] Gorry Fairhurst, "ICMP Type Numbers". [Online]. Available: https://www.erg.abdn.ac.uk/users/gorry/eg3567/inet-pages/icmp-code.html. [Accessed: 08-Feb-2016].
[6] Peter Crowcombe, "Network Vulnerabilities", Infosecurity. [Online]. Available: https://www.scmagazine.com/network-vulnerabilities/article/30530/. [Accessed: 08-Feb-2016].
[7] Derek Manky, "Top 10 vulnerabilities inside the network", Network World, 2016. [Online]. Available: https://www.networkworld.com/article/2193965/tech-primers/top-10-vulnerabilities-inside-the-network.html. [Accessed: 09-Feb-2016].
[8] Calyptix, "Top 7 Network Attack Types in 2015 so far". [Online]. Available: https://www.calyptix.com/top-threats/top-7-network-attack-types-in-2015-so-far/. [Accessed: 08-Feb-2016].
