║JAI SRI GURUDEV║

Sri Adichunchanagiri Shikshana Trust (R)


SJB INSTITUTE OF TECHNOLOGY
BGS Health & Education City, Kengeri, Bangalore – 60.

DEPARTMENT OF ELECTRONICS & COMMUNICATION ENGINEERING

Network Security [18EC821]


Module-1

Attacks on Computers and Computer Security


Mr. Darshan B D
Assistant Professor,
Dept. of ECE

18EC821 1
Course Outcomes:
After studying this course, students will be
able to:
1. Explain network security services and mechanisms and
explain security concepts.
2. Understand the concept of Transport Level Security and
Secure Socket Layer.
3. Explain Security concerns in Internet Protocol security.
4. Explain Intruders, Intrusion detection and Malicious
Software.
5. Describe Firewalls, Firewall Characteristics, Basing and
Configuration.

Module-1
Attacks on Computers and Computer Security (8 hours)

• Attacks on Computers and Computer Security:
• Need for Security,
• Security Approaches,
• Principles of Security,
• Types of Attacks.

Module-2
Transport Level Security (8 hours)
• Transport Level Security:
• Web Security Considerations,
• Secure Sockets Layer,
• Transport Layer Security,
• HTTPS,
• Secure Shell (SSH).

Module-3
IP Security (8 hours)
• IP Security:
• Overview of IP Security (IPSec),
• IP Security Architecture,
• Modes of Operation,
• Security Associations (SA),
• Authentication Header (AH),
• Encapsulating Security Payload (ESP),
• Internet Key Exchange.

Module-4
Intruders (8 hours)
• Intruders,
• Intrusion Detection.
• Malicious Software:
• Viruses and Related Threats,
• Virus Countermeasures.

Module-5
Firewalls (8 hours)
• Firewalls:
• The Need for Firewalls,
• Firewall Characteristics,
• Types of Firewalls,
• Firewall Basing,
• Firewall Location and Configuration.

TEXT BOOKS:
1. Cryptography and Network Security: Principles and Practice, William
Stallings, Pearson Education Inc., 5th Edition, 2014, ISBN: 978-81-317-6166-3.
2. Cryptography and Network Security, Atul Kahate, TMH, 2003.

REFERENCE BOOKS:
3. Cryptography and Network Security, Behrouz A. Forouzan, TMH, 2007.

Why is Security Required?

• Business and many kinds of transactions are now conducted to a large
extent over the Internet.
• An inadequate or improper security mechanism can bring a whole business
down, or play havoc with people’s lives!
• Electronic documents and messages are now becoming equivalent to paper
documents in terms of their legal validity and binding force.

The Need for Security

• Nowadays the importance of data, especially financial and personal
data, is truly realized; therefore various areas of security began to
gain prominence.
• Typical examples of basic security mechanisms:
  Authenticate a user -> user id and password.
  Encode the database -> contents not visible to users who do not have
  the right permission.
• Organizations employed their own mechanisms.

Contd..
Two typical examples of such security mechanisms were as follows:

• Provide a user identification and password to every user, and use that
information to authenticate a user.
• Encode information stored in the databases in some fashion, so that it
is not visible to users who do not have the right permission.

Information traveling from a client to a server over the Internet

Fig. Example of information traveling from a client to a server over the Internet

Some real-time attacks
• A Russian attacker, Maxim, actually managed to intrude into a merchant
Internet site and obtained 300,000 credit card numbers from its database.
• He then attempted extortion by demanding protection money ($100,000)
from the merchant.
• The merchant refused to oblige.
• Following this, the attacker published about 25,000 of the credit card
numbers on the Internet!
• Some banks reissued all the credit cards at a cost of $20 per card, and
others forewarned their customers about unusual entries in their
statements.

Consequences of Attack
• Great losses, both in terms of finance and goodwill.
• Cost of the attack: $20 * 300,000 = $6M.
• Another example:
• In 1999 a Swedish hacker broke into Microsoft’s Hotmail website and
created a mirror site.
• This allowed anyone to enter any Hotmail user’s email id and read their
emails.
• A 2005 survey estimated the losses that occur due to successful attacks
on security at $455,848,000.
• The next year this figure reduced to $201,757,340!

Modern Nature of Attacks
1. Automating attacks:
Traditional attack: produce fake coins using machinery and bring them
into circulation.
Modern attack: steal half a dollar from a million accounts in a few
minutes, digitally.
2. Privacy concerns: every company is collecting and processing lots of
information about us, without our realizing when and how it is going to
be used.
3. Distance does not matter: an attack can be launched from a distance.
E.g.: In 1995, a Russian hacker broke into Citibank’s computers
remotely, stealing $12M.
Although the attacker was traced, it was very difficult to get him
extradited for the court case.

Fig. The changing nature of attacks due to automation

Fig. Attacks can now be launched from a distance

SECURITY APPROACHES
1. Trusted Systems: A trusted system is a computer system that can be
trusted to a specified extent to enforce a specified security policy.

• Trusted systems often use the term reference monitor.

Following are the expectations from the reference monitor:
(a) It should be tamper-proof.
(b) It should always be invoked.
(c) It should be small enough so that it can be tested independently.

Contd..
2. Security Models: An organization can take several approaches to
implement its security model.
a) No Security
b) Security through Obscurity
c) Host Security
d) Network Security

a) No security: This is the simplest model, with no security at all.

b) Security through obscurity: In this model, a system is secure simply
because nobody knows about its existence and contents. This approach
cannot work for too long, as there are many ways an attacker can come
to know about it.

c) Host security: In this scheme, the security for each host is enforced
individually. This is a safe approach, but the complexity and diversity
of modern sites/organizations makes the task harder and difficult to
scale.

d) Network security: Host security is tough to achieve as an organization
grows and becomes more diverse. In this technique, the focus is to
control network access to various hosts and their services, rather than
individual host security. This is a very efficient and scalable model.

3. Security-Management Practices: Good security-management practices
always start with a security policy being in place. A good security
policy takes care of four key aspects:

1. Affordability: How much money and effort does this security
implementation cost?
2. Functionality: What is the mechanism of providing security?
3. Cultural issues: Does the policy complement the people’s expectations,
working style and beliefs?
4. Legality: Does the policy meet the legal requirements?

Once a security policy is in place, the following points should be
ensured:
(a) Explanation of the policy to all concerned.
(b) Outline everybody’s responsibilities.
(c) Use simple language in all communications.
(d) Accountability should be established.
(e) Provide for exceptions and periodic reviews.

Principles/Goals of Security
• These are the four chief principles of security:
1. Confidentiality: Is the message seen by someone else?
2. Authentication: Do you trust the sender of the message?
3. Integrity: Is the message changed during transmission?
4. Non-repudiation: Can the sender refute the message?
• Two more principles that are linked to the overall system are:
5. Access Control: Who can access what?
6. Availability: Information should be available in a timely manner.

Confidentiality
• Confidentiality is the process of preventing disclosure of information
to unauthorized individuals or systems.
Example: Credit card information.
• Confidentiality is necessary, but not sufficient, to maintain privacy.

Interception causes loss of message confidentiality

Fig. Loss of confidentiality

Authenticity
• In computing, e-Business and information security, it is necessary to
ensure that the data, transactions, communications or documents
(electronic or physical) are genuine (i.e. they have not been forged or
fabricated).
Examples: Passport, credit card accounts, academic transcripts.

Fabrication is possible in the absence of proper authentication

Fig. Absence of authentication

Integrity
• Integrity means that data cannot be modified or changed without
authorization.
Examples: Manual deletion, alteration or creation of important data
files, virus infection, an employee altering their own salary, website
vandalism, polling fraud.

Modification causes loss of message integrity

Fig. Loss of integrity

Non-Repudiation
• It is a complex term used to describe the lack of deniability of
ownership of a message, piece of data, or transaction.
Examples: Proof of an ATM transaction, a stock trade, or an email.
There are situations where a user sends a message and later denies that
the message was sent. This is repudiation (refusal to accept).
Example: User A could send a fund transfer request to bank B over the
Internet. After the bank performs the funds transfer as per A’s request,
A could claim that he never sent the fund transfer request to the bank.

Non-repudiation does not allow the sender of a message to refute the
claim of not sending that message.

Fig. Establishing non-repudiation

Access Control
➢ The principle of access control determines who should be
able to access what.
➢ For instance, we should be able to specify that user A can
view the records in a database, but cannot update them.
However, another user B might be allowed to make updates as
well. An access control mechanism can be set up to ensure this.
➢ Access control is broadly related to two areas: role
management and rule management.
➢ Role management concentrates on the user side (which user
can do what)
➢ Rule management focuses on the resources side (which
resource is accessible, and under what circumstances).

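The role-management / rule-management split described above, as an added example that is not part of the original slides. The users, roles, the "records" resource and its conditions (internal-network-only updates, a nightly maintenance window) are constructed for illustration; the check is default-deny, so an operation is allowed only when both the role side and the rule side permit it.

```python
"""Added example (not from the slides): a small access-control check that
separates role management (which user can do what) from rule management
(which resource is accessible, and under what circumstances)."""
from dataclasses import dataclass, field

# Role management: user -> roles, role -> permitted operations (constructed).
USER_ROLES = {"A": {"reader"}, "B": {"reader", "editor"}}
ROLE_OPERATIONS = {"reader": {"view"}, "editor": {"view", "update"}}


@dataclass
class ResourceRule:
    """Rule management: what a resource accepts, and under what conditions."""
    allowed_ops: set
    internal_only_ops: set = field(default_factory=set)
    maintenance_hours: set = field(default_factory=set)  # hours when updates are blocked


# Constructed sample rule: the records table may be viewed and updated, but
# updates only from the internal network and never during the 02:00-03:59 window.
RESOURCE_RULES = {
    "records": ResourceRule(allowed_ops={"view", "update"},
                            internal_only_ops={"update"},
                            maintenance_hours={2, 3}),
}


def user_permitted(user, op):
    """Role side: does any of the user's roles grant the operation?"""
    roles = USER_ROLES.get(user, set())
    return any(op in ROLE_OPERATIONS.get(role, set()) for role in roles)


def resource_permitted(resource, op, *, internal, hour):
    """Rule side: does the resource accept this operation in this context?"""
    rule = RESOURCE_RULES.get(resource)
    if rule is None or op not in rule.allowed_ops:
        return False                      # unknown resource or operation: deny
    if op in rule.internal_only_ops and not internal:
        return False                      # external network may not do this op
    if op == "update" and hour in rule.maintenance_hours:
        return False                      # updates frozen during maintenance
    return True


def check_access(user, op, resource, *, internal=True, hour=12):
    """Default deny: allow only when BOTH the role check and the rule check pass."""
    return user_permitted(user, op) and resource_permitted(
        resource, op, internal=internal, hour=hour)


if __name__ == "__main__":
    # User A can view records but not update them; B can do both.
    print(check_access("A", "view", "records"), check_access("A", "update", "records"))
    print(check_access("B", "update", "records"))
    # Even B is refused an update from outside the network or during maintenance.
    print(check_access("B", "update", "records", internal=False))
    print(check_access("B", "update", "records", hour=2))
```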
Availability
• For any information or system to serve its purpose, the information
must be accessible and usable when it is needed.
• The computing systems used to store and process the information, the
security controls used to protect it, and the communication channels
used to access it must all be functioning correctly.
Examples: Power outages, hardware failures, system upgrades, and
preventing denial-of-service attacks.

Interruption puts the availability of resources in danger

Fig. Attack on availability

OSI Network Model (ISO 7498-1)
• Application
• Presentation
• Session
• Transport
• Network
• Data link
• Physical
OSI Security Model (ISO 7498-2)
• Authentication
• Access control
• Non-repudiation
• Data integrity
• Confidentiality
• Assurance or availability
• Notarization or signature

Ethical and Legal Issues
The ethical issues in security systems are classified into the
following four categories
• Privacy
• Accuracy
• Property
• Accessibility
When dealing with legal issues, we need to remember that
there is a hierarchy of regulatory bodies that govern the
legality of information security.
We can roughly classify them as follows.
● International, e.g. International Cybercrime Treaty
● Federal, e.g. FERPA, GLB, HIPAA, DMCA, Teach Act, Patriot
Act, etc.
● Organization, e.g. computer use policy
TYPES OF ATTACKS
• We can classify attacks with respect to two views: the common person’s
view and a technologist’s view.
• From a common person’s point of view, we can classify attacks into three
categories.

Fig. Classification of attacks as understood in general terms (common person’s view)

1. Attacks: A General View
Criminal Attacks

Publicity Attacks
Publicity attacks occur because the attackers want to see their names
appear on television news channels and in newspapers.

Legal Attacks
This form of attack is quite novel and unique. Here, the attacker tries
to make the judge or the jury doubtful about the security of a computer
system.

2. Attacks: A Technical View
1. Theoretical concepts behind these attacks:
• Interception: Copying of data and programs, and listening to network
traffic.
• Fabrication: The attacker may add fake records to a database, or create
illegal objects on the computer system.
• Modification: The attacker modifies values in a database.
• Interruption: Resources become unavailable, lost or unusable, e.g.
causing problems to a hardware device, or erasing programs, data or OS
components.

These attacks are further grouped into two types:

Fig. Types of attacks

Passive Attacks
The attacker eavesdrops on or monitors data transmission, tries to learn
something from it and makes use of it. The aim is to obtain information
that is in transit. No modification is made to the data, so detection is
harder.

1. For a plain-text message:
The solution is prevention, by encryption.

2. For an encoded message:
Similarity between messages -> pattern -> clue for the attacker.

Passive attacks do not involve any modification to the contents of an
original message.

Classification of Passive Attacks

Fig. Passive attacks

Active Attacks
• Unlike passive attacks, active attacks are based on the modification of
the original message in some manner, or on the creation of a false
message.
• These attacks cannot be prevented easily. However, they can be detected
with some effort, and attempts can be made to recover from them. These
attacks can be in the form of interruption, modification and fabrication.
• In summary: modification or creation of a false message; no easy
prevention; the solution is detection and recovery.

In active attacks, the contents of the original message are modified in
some way.
• Trying to pose as another entity involves masquerade attacks.
• Modification attacks can be classified further into replay attacks and
alteration of messages.
• Fabrication causes Denial of Service (DOS) attacks.

Classification of Active Attacks

Fig. Active attacks

3. Practical Side of Attacks

Fig. Practical side of attacks

1. Application-level Attacks
These attacks happen at an application level, in the sense that the
attacker attempts to access, modify, or prevent access to information of
a particular application, or to the application itself. Examples of this
are trying to obtain someone’s credit-card information on the Internet,
or changing the contents of a message to change the amount in a
transaction, etc.

2. Network-level Attacks
• These attacks generally aim at reducing the capabilities of a network
by a number of possible means. These attacks generally make an
attempt to either slow down, or completely bring to halt, a computer
network.
• This automatically can lead to application-level attacks, because once
someone is able to gain access to a network, usually he/she is able to
access/modify at least some sensitive information.
• These two types of attacks can be attempted by using various
mechanisms, as discussed next. We will not classify these attacks into
the above two categories, since they can span across application as
well as network levels.
• Security attacks can happen at the application level or the network
level

Program Attacks
1. Virus: A virus is a computer program that attaches itself to another
legitimate program, and causes damage to the computer system or to the
network.

Fig. Virus

Virus Contd…
During its lifetime, a virus goes through four phases:
• (a) Dormant Phase: Here, the virus is idle. It gets activated based on a
certain action or event (e.g. the user typing a certain key, or a certain
date or time being reached, etc.). This is an optional phase.
• (b) Propagation Phase: In this phase, a virus copies itself, and each
copy starts creating more copies of itself, thus propagating the virus.
• (c) Triggering Phase: A dormant virus moves into this phase when the
action/event for which it was waiting is initiated.
• (d) Execution Phase: This is the actual work of the virus, which could
be harmless (display some message on the screen) or destructive (delete
a file on the disk).

Virus Contd…
Viruses can be classified into the following categories:
• (a) Parasitic Virus: This is the most common form of virus. Such a virus
attaches itself to executable files and keeps replicating. Whenever the
infected file is executed, the virus looks for other executable files to
attach itself to and spread.
• (b) Memory-resident Virus: This type of virus first attaches itself to
an area of the main memory and then infects every executable program
that is executed.
• (c) Boot Sector Virus: This type of virus infects the master boot record
of the disk and spreads on the disk when the operating system starts
booting the computer.

Virus Contd…
• (d) Stealth Virus: This virus has intelligence built in, which prevents
anti-virus software programs from detecting it.
• (e) Polymorphic Virus: A virus that keeps changing its signature (i.e.
identity) on every execution, making it very difficult to detect.
• (f) Metamorphic Virus: In addition to changing its signature like a
polymorphic virus, this type of virus keeps rewriting itself every time,
making its detection even harder.
• There is another popular category of viruses, called the macro virus.
This virus affects specific application software, such as Microsoft Word
or Microsoft Excel.
• Macro viruses affect the documents created by users, and spread quite
easily since such documents are very commonly exchanged over email.
• There is a feature called a macro in these application-software
programs, which allows users to write small, useful utility programs
within the documents. Viruses attack these macros, and hence the name
macro virus.

2. Worm
• A worm does not perform any destructive actions, and instead, only
consumes system resources to bring it down
• Similar in concept to a virus, a worm is actually different in
implementation.
• A virus modifies a program (i.e. it attaches itself to the program under
attack).
• A worm does not modify a program. Instead, it replicates itself again and
again.
• The replication grows so much that ultimately the computer or the
network on which the worm resides, becomes very slow, ultimately
coming to a halt.
• The basic purpose of a worm attack is different from that of a virus. A
worm attack attempts to make the computer or the network under attack
unusable by eating all its resources.

Worm Contd..

Fig. Worm

3. Trojan Horse
• A Trojan horse allows an attacker to obtain some confidential
information about a computer or a network.
• A Trojan horse is a hidden piece of code, like a virus. However, the
purpose of a Trojan horse is different.
• Whereas the main purpose of a virus is to make some sort of
modifications to the target computer or network, a Trojan horse attempts
to reveal confidential information to an attacker.
• For example, a Trojan horse could silently sit in the code for a login
screen by attaching itself to it.
• When the user enters the user id and password, the Trojan horse could
capture these details, and send this information to the attacker without
the knowledge of the user who had entered the id and password.
• The attacker can then merrily misuse the user id and password to gain
access to the system.

Trojan Horse Contd..

Fig. Trojan horse

Applets and ActiveX Controls
• These were born due to the technological development of the World Wide
Web (WWW) application of the Internet.
• The Web consists of communication between client and server computers
using a communications protocol called the Hyper Text Transfer Protocol
(HTTP).
• The client uses a piece of software called a web browser.
• The server runs a program called a web server.
• The browser sends an HTTP request for a web page to a web server. The
web server locates this web page and sends it back to the web browser,
again using HTTP.

Applets and ActiveX Controls Contd..
• Sun Microsystems provides Java applets.
• Microsoft’s technology makes use of ActiveX controls.

Applets and ActiveX Controls Contd..
• Java applets (from Sun Microsystems) and ActiveX controls (from
Microsoft Corporation) are client-side programs that might cause
security problems if used by attackers with malicious intent.
To prevent these attacks:
• Java applets have strong security checks as to what they can do and
what they cannot.
• ActiveX controls have no such restrictions.
• A newer version of applets, called signed applets, allows accesses
similar to ActiveX.

Cookies
• Cookie definition: Cookies are pieces of information generated by a web
server and stored in the user's computer, ready for future access.
• Cookies are embedded in the HTML information flowing back and forth
between the user's computer and the servers.
• Cookies were implemented to allow user-side customization of Web
information. For example, cookies are used to personalize Web search
engines, to allow users to participate in WWW-wide contests (but only
once!), and to store shopping lists of items a user has selected while
browsing through a virtual shopping mall.

Cookies Contd…
• Essentially, cookies make use of user-specific information transmitted
by the Web server onto the user's computer so that the information might
be available for later access by itself or other servers.
• In most cases, not only does the storage of personal information into a
cookie go unnoticed, so does access to it.
• Web servers automatically gain access to relevant cookies whenever the
user establishes a connection to them, usually in the form of Web
requests.

Cookies Contd…
Two-stage process
• First, the cookie is stored in the user's computer without their consent
or knowledge.
• For example, with customizable Web search engines like My Yahoo!, a user
selects categories of interest from the Web page. The Web server then
creates a specific cookie, which is essentially a tagged string of text
containing the user's preferences, and it transmits this cookie to the
user's computer.
• The user's Web browser, if cookie-savvy, receives the cookie and stores
it in a special file called a cookie list.
• This happens without any notification or user consent. As a result,
personal information (in this case the user's category preferences) is
formatted by the Web server, transmitted, and saved by the user's
computer.

Two-stage process (cont.)
• During the second stage, the cookie is clandestinely and automatically
transferred from the user's machine to a Web server.
• Whenever a user directs her Web browser to display a certain Web page
from the server, the browser will, without the user's knowledge, transmit
the cookie containing personal information to the Web server.

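The two-stage process above, as an added example that is not part of the original slides: a server tags the user's category preferences into a cookie, a minimal browser-side cookie list stores it silently, and the next request to the same host carries it back automatically. It uses only Python's standard http.cookies module; the host names and the "prefs" cookie are constructed for illustration.

```python
"""Added example (not from the slides): the two-stage cookie process simulated
with Python's http.cookies. Stage 1: the server's Set-Cookie value is stored in
the browser's cookie list. Stage 2: the stored cookie is sent back automatically
in the Cookie header of the next request to the same host. Host names and the
"prefs" cookie are constructed for illustration."""
from http.cookies import SimpleCookie


class CookieList:
    """A minimal browser-side cookie list, scoped by the host that set it."""

    def __init__(self):
        self._jar = {}   # host -> {cookie name: value}

    def receive(self, host, set_cookie_value):
        """Stage 1: parse a Set-Cookie value and store it (no user prompt)."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_value)
        bucket = self._jar.setdefault(host, {})
        for name, morsel in parsed.items():
            bucket[name] = morsel.value

    def cookie_header(self, host):
        """Stage 2: build the Cookie header for the next request to host,
        or None when nothing is stored for that host."""
        stored = self._jar.get(host)
        if not stored:
            return None
        out = SimpleCookie()
        for name, value in stored.items():
            out[name] = value
        return "; ".join(m.OutputString() for m in out.values())


def server_set_preferences(categories):
    """Server side: tag the user's selected categories as a cookie string."""
    c = SimpleCookie()
    c["prefs"] = "|".join(categories)   # '|' needs no quoting in a cookie value
    return c["prefs"].OutputString()


def server_read_preferences(cookie_header):
    """Server side: recover the categories from the Cookie header it got back."""
    c = SimpleCookie()
    c.load(cookie_header or "")
    return c["prefs"].value.split("|") if "prefs" in c else []


if __name__ == "__main__":
    jar = CookieList()
    # Stage 1: the search site sends the cookie; the browser stores it silently.
    jar.receive("my.search.example", server_set_preferences(["sports", "finance"]))
    # Stage 2: the next request to the same host carries it back...
    print(jar.cookie_header("my.search.example"))   # prefs=sports|finance
    # ...but a request to an unrelated host does not.
    print(jar.cookie_header("ads.example"))          # None
```

The cookie list is keyed by host, which is why a browser does not hand one site's cookie to another; the advertising trick on the next slide works around this by having every page load content from the advertiser's own host.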
Cookies Contd…
Some modern tricks allow attackers to misuse cookies in terms of
collecting personal data and invading people’s privacy. This attack works
as follows.
• An advertising agency (say My Ads) contacts major Web sites and places
banner ads for its corporate clients’ products on their pages. It pays
some fees to the site owners for this.
• Instead of providing an actual image that can be embedded by the
respective Web sites in their pages directly, it provides a link (URL) to
add to each page. This is shown in the Fig.

Dealing with Viruses
Anti-virus software is classified into four generations, as depicted in
the Fig.

Fig. Generations of anti-virus software

Generations of anti-virus software
• 1. First Generation: These anti-virus software programs were called
simple scanners. They needed a virus signature to identify a virus. A
variation of such programs kept a watch on the length of programs and
looked for changes, so as to possibly identify a virus attack.
• 2. Second Generation: These anti-virus software programs did not rely on
simple virus signatures. Rather, they used heuristic rules to look for
possible virus attacks. The idea was to look for code blocks that were
commonly associated with viruses. For example, such a program could look
for an encryption key used by a virus, find it, decrypt and remove the
virus, and clean the code. Another variation of these anti-virus
programs stored some identification about the file (e.g. a message
digest) and used it to detect changes in the contents of the file.

Generations of anti-virus software Contd..
• 3. Third Generation: These anti-virus software programs were memory
resident. They watched for viruses based on their actions, rather than
their structure. Thus, it is not necessary to maintain a large database
of virus signatures. Instead, the focus is to keep watch on a small
number of suspect actions.
• 4. Fourth Generation: These anti-virus software programs package many
anti-virus techniques together (e.g. scanners, activity monitoring). They
also contain access control features, thus thwarting the attempts of
viruses to infect files. There is a category of software called
behavior-blocking software, which integrates with the operating system
of the computer and keeps a watch on virus-like behavior in real time.
Whenever such an action is detected, this software blocks it, preventing
damage.

Generations of anti-virus software Contd..
The actions under watch can be:
• Opening, viewing, modifying, deleting files
• Network communications
• Modification of settings such as start-up scripts
• Attempts to format disks
• Modification of executable files
• Scripting of email and instant messaging to send executable content to
others

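Two of the early anti-virus techniques from the generations above, as an added example that is not part of the original slides: a first-generation signature scan, and the second-generation variation that stores a message digest (plus the length the first-generation length-watch relied on) for each file and later reports what changed. The signature bytes and the "files" are constructed in memory so it runs without a disk.

```python
"""Added example (not from the slides): first-generation signature scanning and
the second-generation message-digest baseline, run on constructed in-memory
"files". The signature and file contents are made up for illustration."""
import hashlib

# Constructed stand-in for a virus signature database (not a real malware pattern).
SIGNATURES = {"SAMPLE-SIG-1": b"\x90\x90SAMPLE-SIG"}

# Constructed clean "files" as they exist when the baseline is taken.
SAMPLE_FILES = {
    "prog.exe": b"MZ clean program body",
    "notes.txt": b"meeting at ten",
}


def scan_for_signatures(content):
    """First generation: names of every known signature found in content."""
    return [name for name, sig in SIGNATURES.items() if sig in content]


def build_baseline(files):
    """Second generation: record (SHA-256 digest, length) per file."""
    return {path: (hashlib.sha256(data).hexdigest(), len(data))
            for path, data in files.items()}


def detect_changes(baseline, files):
    """Compare current files with the baseline; return path -> status."""
    report = {}
    for path, data in files.items():
        current = (hashlib.sha256(data).hexdigest(), len(data))
        if path not in baseline:
            report[path] = "new"
        elif current == baseline[path]:
            report[path] = "unchanged"
        elif current[1] != baseline[path][1]:
            report[path] = "length changed"    # what the old length-watch caught
        else:
            report[path] = "content changed"   # same length: only the digest tells
    for path in baseline:
        if path not in files:
            report[path] = "missing"
    return report


def demo():
    """Take a baseline, then apply two constructed tampering scenarios."""
    baseline = build_baseline(SAMPLE_FILES)
    tampered = dict(SAMPLE_FILES)
    # Parasitic-style infection: signature appended, so the length grows.
    tampered["prog.exe"] = SAMPLE_FILES["prog.exe"] + SIGNATURES["SAMPLE-SIG-1"]
    # Same-length edit: one byte altered, length unchanged (length-watch misses it).
    tampered["notes.txt"] = b"meeting at tan"
    tampered["new.bin"] = b"\x00"
    return detect_changes(baseline, tampered), scan_for_signatures(tampered["prog.exe"])


if __name__ == "__main__":
    report, hits = demo()
    print(report)   # prog.exe: length changed, notes.txt: content changed, new.bin: new
    print(hits)     # ['SAMPLE-SIG-1']
```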
Specific Attacks
• Sniffing and Spoofing: On the Internet, computers exchange messages with
each other in the form of small groups of data, called packets. A packet,
like a postal envelope, contains the actual data to be sent and the
addressing information. Attackers target these packets as they travel
from the source computer to the destination computer over the Internet.
These attacks take two main forms: (a) packet sniffing (also called
snooping), and (b) packet spoofing. Since the protocol used in this
communication is called the Internet Protocol (IP), other names for
these two attacks are (a) IP sniffing, and (b) IP spoofing. The meaning
remains the same.

Specific Attacks Contd..
The two attacks are:
• Packet Sniffing: Packet sniffing is a passive attack on an ongoing
conversation. An attacker need not hijack a conversation, but instead
can simply observe (i.e. sniff) packets as they pass by. Clearly, to
prevent an attacker from sniffing packets, the information that is
passing needs to be protected in some way. This can be done at two
levels: (i) the data that is traveling can be encoded in some way, or
(ii) the transmission link itself can be encoded. To read a packet, the
attacker somehow needs to access it in the first place. The simplest way
to do this is to control a computer through which the traffic passes.
Usually, this is a router. However, routers are highly protected
resources. Therefore, an attacker might not be able to attack it, and
instead attacks a less-protected computer on the same path.

Specific Attacks Contd..
• Packet Spoofing: In this technique, an attacker sends packets with an
incorrect source address. When this happens, the receiver (i.e. the party
who receives these packets containing false addresses) would
inadvertently send replies back to this forged address (called the
spoofed address), and not to the attacker. This can lead to three
possible cases:
(i) The attacker can intercept the reply: If the attacker is between the
destination and the forged source, the attacker can see the reply and use
that information for hijacking attacks.
(ii) The attacker need not see the reply: If the attacker’s intention was
a Denial Of Service (DOS) attack, the attacker need not bother about the
reply.
(iii) The attacker does not want the reply: The attacker could simply be
angry with the host, so it may put that host’s address as the forged
source address and send the packet to the destination. The attacker does
not want a reply from the destination, as it wants the host with the
forged address to receive it and get confused.

Phishing
Phishing has become a big problem in recent times. In 2004, the estimated
losses due to phishing were to the tune of USD 137 million, according to
Tower Group. Attackers set up fake Web sites, which look like real Web
sites. It is quite simple to do so, since creating Web pages involves
relatively simple technologies such as HTML, JavaScript, CSS (Cascading
Style Sheets), etc. Learning and using these technologies is quite
simple. The attacker’s modus operandi works as follows.

Phishing Contd..
• The attacker decides to create his/her own Web site, which looks
identical to a real Web site. For example, the attacker can clone
Citibank’s Web site. The cloning is so clever that the human eye will not
be able to distinguish between the real (Citibank’s) and the fake
(attacker’s) site.
• The attacker can use many techniques to attack the bank’s customers.

Phishing Contd..

Fig. 1.19 Attacker sends a forged email to the innocent victim (customer)

Fig. 1.20 Fake email from the attacker to a PayPal user

Fig. 1.21 Fake PayPal site asking for user’s credit-card details

Pharming (DNS Spoofing)
• Another attack, known earlier as DNS spoofing or DNS poisoning, is now
called a pharming attack. As we know, using the Domain Name System (DNS),
people can identify Web sites with human-readable names (such as
www.yahoo.com), and computers can continue to treat them as IP addresses
(such as 120.10.81.67). For this, a special server computer called a DNS
server maintains the mappings between domain names and the corresponding
IP addresses. The DNS server could be located anywhere. Usually, it is
with the Internet Service Provider (ISP) of the users.

Pharming (DNS Spoofing) Contd..
A DNS spoofing attack works as follows:
• Suppose that there is a merchant (Ankith) whose site’s domain name is
www.ankith.com, and the IP address is 100.10.10.20. Therefore, the DNS
entry for Ankith in all the DNS servers is maintained as follows:
www.ankith.com 100.10.10.20
• The attacker (say, Trudy) manages to hack and replace the IP address of
Ankith with her own (say 100.20.20.20) in the DNS server maintained by
the ISP of a user, say Alice. Therefore, the DNS server maintained by the
ISP of Alice now has the following entry:
www.ankith.com 100.20.20.20

Pharming (DNS Spoofing) Contd..
The contents of the hypothetical DNS table maintained by the ISP would be
changed. A hypothetical portion of this table (before and after the
attack) is shown in Fig. 1.22.

Pharming (DNS Spoofing) Contd..
• When Alice wants to communicate with Bob’s site, her Web browser
queries the DNS server maintained by her ISP for Bob’s IP address,
providing it the domain name (i.e. www.bob.com). Alice gets the
replaced (i.e. Trudy’s) IP address, which is 100.20.20.20.
• Now, Alice starts communicating with Trudy, believing that she is
communicating with Bob! Such attacks of DNS spoofing are quite
common, and cause a lot of havoc. Even worse, the attacker (Trudy)
does not have to listen to the conversation on the wire! She has to
simply be able to hack the DNS server of the ISP and replace a single
IP address with her own!

Pharming (DNS Spoofing) Contd..
• A protocol called DNSSEC (Secure DNS) is being used to thwart such
attacks. Unfortunately, it is not widely used.

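The www.ankith.com entry before and after Trudy's change, as an added example that is not part of the original slides: a plain resolver hands Alice whatever the ISP table holds, while a validating resolver refuses the tampered record because its signature no longer matches. An HMAC under a demo key stands in for the DNSSEC signature so the example runs offline; real DNSSEC uses public-key signatures (RRSIG/DNSKEY records), so the resolver only needs the zone's public key, not a secret.

```python
"""Added example (not from the slides): the DNS spoofing scenario from the
slides with a signed-record check. The HMAC key is a constructed stand-in for
the zone's DNSSEC signing key; the table layout is hypothetical."""
import hashlib
import hmac

ZONE_KEY = b"constructed-demo-zone-key"   # stand-in for the zone's signing key


def sign_record(name, ip, key=ZONE_KEY):
    """Produce a signed record {name, ip, sig} for one name -> IP mapping."""
    tag = hmac.new(key, f"{name}={ip}".encode(), hashlib.sha256).hexdigest()
    return {"name": name, "ip": ip, "sig": tag}


def verify_record(rec, key=ZONE_KEY):
    """True only if the signature matches the (name, ip) pair in the record."""
    expected = hmac.new(key, f"{rec['name']}={rec['ip']}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rec["sig"])


def resolve(table, name, validate=False):
    """Look a name up in an ISP-style table. With validate=True, a record whose
    signature fails verification is treated as absent (None) instead of used."""
    rec = table.get(name)
    if rec is None:
        return None
    if validate and not verify_record(rec):
        return None
    return rec["ip"]


# Table before the attack: the legitimate entry from the slides, signed.
ISP_TABLE_BEFORE = {"www.ankith.com": sign_record("www.ankith.com", "100.10.10.20")}

# Table after the attack: Trudy overwrote only the IP address; without the
# zone key she cannot produce a valid signature for the new mapping.
_tampered = dict(ISP_TABLE_BEFORE["www.ankith.com"], ip="100.20.20.20")
ISP_TABLE_AFTER = {"www.ankith.com": _tampered}


if __name__ == "__main__":
    host = "www.ankith.com"
    print("plain resolver, before:", resolve(ISP_TABLE_BEFORE, host))   # 100.10.10.20
    print("plain resolver, after :", resolve(ISP_TABLE_AFTER, host))    # 100.20.20.20 (Trudy)
    print("validating, after     :", resolve(ISP_TABLE_AFTER, host, validate=True))  # None
```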
THANK YOU