
Karary University

Research paper
Three level passwords authentication system

Done by:
Kamal Eldin Yousif

Instructor’s name:

Dr. M. AlGhazali Hamza

Feb 2020

Abstract:

There are many techniques for the way devices are connected through a network, and
networks are becoming more sophisticated and complex, leaving weaknesses and
vulnerabilities in the network. Utilizing these techniques and taking advantage of these
vulnerabilities to intrude into the network requires a comprehensive understanding of how
the techniques work. On the other side, preventing these intrusions also requires an
understanding of how the techniques work, in addition to how the intrusions work. In this
paper I list some basic network techniques and how intruders use them to breach the
network and reach the end devices. I also show some solutions to detect these intrusions
and prevent them.

i. Introduction:

Computer networks have grown greatly over the last two decades. This huge expansion has
made networks very complex, which means the network has more weaknesses, resulting in
many network intrusions of different kinds. A network intrusion is any suspicious activity
on the network that interferes with the communication between the entities of the network
(PCs, switches, routers, etc.), either to harm these devices or to steal data from them.

Researchers in many organizations have published a lot of papers about ways of detecting
these intrusions or, as a prior stage, preventing them from entering the network.
Detecting and preventing these intrusions needs a full understanding of how they are
implemented, how they work, and what they are made for. In this paper I show some ways
of intruding into a network, and how to detect or prevent them.

ii. Ways of intrusion:


ii.1. Asymmetric routing:

Asymmetric routing is the situation where packets from A to B follow a different path
than packets from B to A. Fortunately, under normal circumstances, asymmetric routing
doesn't cause any problems, as routers don't care about this and, obviously, the sending
and receiving hosts see packets in both directions [1].

The technique was employed both to better utilize existing tactical full-duplex pipes and
to integrate high-bandwidth broadcast (simplex) pipes into the DoD data infrastructure.
Asymmetric routing is accomplished by splitting the transmit and receive data streams at
the router. This technique can be implemented on any router with two free serial ports:
one port is configured as the transmit connection and the other as the receive connection
[2]. Routers can be connected by a UniDirectional Link (UDL). A UDL can be integrated
into the Internet as a subnet technology if other paths already exist in the Internet from
the receivers to the feeds. Internet routers can be configured to use the UDL to deliver IP
datagrams in one direction and use the alternative path for the other direction [3].

The figure below shows how a network supports an asymmetric routing connection; it
contains four routers connected to each other by UDLs.

Figure 1. Network routers connected by UDL

Let's study a case where Router1 connects to Router3, passing through either Router2 or
Router4. The result is as the table states:

Router1 to Router3    Router3 to Router1    Type
Through Router2       Through Router2       Symmetric
Through Router2       Through Router4       Asymmetric
Through Router4       Through Router2       Asymmetric
Through Router4       Through Router4       Symmetric

Table 1. Symmetric and Asymmetric connection

In this method, the attacker attempts to utilize more than one route to the targeted
network device. The idea is to have the overall attack evade detection by having a
significant portion of the offending packets bypass certain network segments and their
network intrusion sensors [4]. An attacker can use asymmetric routing behaviour to send
malicious packets through certain parts of your system to bypass your security setups [5].

The GigaSECURE Security Delivery Platform (SDP) helps organizations maintain the
benefits of asymmetric routing without compromising security. Tapped into all the right
places in the network, the GigaSECURE SDP sees all traffic (regardless of the routers it
traverses) and reassembles asymmetric conversations into a single stream that can be fed
to any security tool. What’s more, it enables organizations to use fewer security
solutions [6].

ii.2. Buffer overflow:

A buffer overflow occurs when a buffer is filled with more content than its own size can
hold, so that the excess overwrites the neighbouring memory cells. Put differently, a
variable is assigned content longer than the variable itself, and the overflow is the
result.

Figure 2. Buffer Overflow Example.

Buffer overflows are one of today's popular network attack methods; they are easy to
carry out and cause serious harm, which has brought great risks to system security [7].
Many of the buffer overflow problems are probably the result of careless programming and
could have been found and corrected by the vendors before releasing the software [8].

Many C programs have buffer overflow vulnerabilities, both because the C language
lacks array bounds checking, and because the culture of C programmers encourages a
performance-oriented style that avoids error checking where possible [9, 10]. The
programs that are attacked using this technique are usually privileged daemons;
programs that run under the user-ID of root to perform some service [11].

As long as every copy of data checks the length of the data and effectively ensures that
it does not cross the boundary of the target buffer, the buffer overflow can be avoided,
let alone making the program jump to malicious code [12]. With array bounds checking in
place, code cannot be implanted, so the condition for a buffer overflow attack does not
arise. As long as the array cannot overflow, overflow attacks are impossible [13].

Dynamic buffer overflow detectors are attractive because they automatically insert the
necessary guards. However, for a dynamic detector to be deployed it must (1) protect
against all buffer overflow attacks, (2) not break working code, and (3) be reasonably
efficient [14]. Some dynamic buffer overflow detectors do not offer complete protection
against buffer overflow attacks; tools such as StackGuard attempt to guard only against
stack smashing [15]. StackGuard is a compiler extension that enhances the executable
code produced by the compiler so that it detects and thwarts buffer-overflow attacks
against the stack. The effect is transparent to the normal function of programs. The only
way to notice that a program is StackGuard-enhanced is to cause it to execute C
statements with undefined behavior: StackGuard-enhanced programs define the behavior
of writing to the return address of a function while it is still active [16]. Bounds
checkers detect any bounds violations in program execution and hence guard against all
buffer overflow attacks. Some bounds checkers modify the representation of C pointers
[17, 18, 19]. The bounds checker proposed by Jones and Kelly is particularly attractive
in that no pointer representation modifications are necessary [20].
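As an added illustration (not from the paper or any of its cited works), the C fragment below places the unchecked copy the text describes next to a copy that performs the length check before writing; the buffer size, function names and inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16   /* constructed destination size for the example */

/* Unchecked copy: the defect the text describes. strcpy() copies until the
 * source's NUL terminator regardless of how large dst is, so any source of
 * NAME_BUF or more characters spills past the end of the buffer. Kept only
 * for contrast; it is never called with oversized input here. */
void store_name_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Checked copy: compare the data length against the destination size before
 * writing anything. Returns 0 on success, -1 if the input does not fit
 * (including its NUL terminator). Rejecting, rather than silently
 * truncating, keeps the caller aware that its input was invalid. */
int store_name_checked(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    /* memchr looks at most dstsz bytes, so a source with no terminator in
     * that window is rejected without touching dst at all. */
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL)
        return -1;            /* strlen(src) >= dstsz: no room for the NUL */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Returns 1 if src fits into a NAME_BUF-sized buffer, 0 if it is rejected. */
int accepts_into_name_buf(const char *src)
{
    char name[NAME_BUF];
    return store_name_checked(name, sizeof name, src) == 0;
}

int main(void)
{
    char name[NAME_BUF];
    const char *ok  = "alice";                              /* constructed */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes, constructed */

    store_name_unchecked(name, ok);          /* safe only because ok is short */
    printf("unchecked copy of short input -> %s\n", name);
    printf("checked copy of short input   -> %d\n",
           store_name_checked(name, sizeof name, ok));
    printf("checked copy of 32-byte input -> %d\n",
           store_name_checked(name, sizeof name, bad));
    return 0;
}
```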

ii.3. Protocol-Specific attack:

ii.3.1 Smurf Attack:
There have been numerous attacks targeting the weak points of ICMP. Typical examples
include the Smurf attack, the ICMP flooding attack, and the ICMP spoofing attack [21, 22,
23]. The Smurf attack is a way of generating significant computer network traffic on a
victim network. It is a type of denial-of-service attack that floods a target system via
spoofed broadcast ping messages. A Denial-of-Service attack (DoS attack) or Distributed
Denial-of-Service attack (DDoS attack) is an attempt to compromise the availability of a
network resource for its intended users [24]. The Smurf attack primarily exploits ICMP
messages, which are diagnostic tools frequently used to troubleshoot problems in the
network. ICMP is a protocol whose messages provide an alert when a path change or error
happens, and it is useful for network management [25].

A router or a host uses the ICMP echo request (ping) message to test a destination's
reachability. A computer system that receives an ICMP echo request message responds by
sending an ICMP echo reply message back to the sender. In this way the ICMP echo request
and reply together can test the reachability of a computer on a network. Fig. 3 shows
the packet format used by the ICMP echo request and reply messages. The ICMP echo
request and reply messages are identified by the value of the type field: the echo
request has TYPE field value 8, whereas the echo reply has TYPE field value 0. The
OPTIONAL DATA field holds data that are returned to the sender by the receiver of the
ping message. The IDENTIFIER and SEQUENCE NUMBER fields are used to match the request
and reply messages [26].

Figure 3. ICMP Echo Request/Reply Message Format

In such an attack, a perpetrator broadcasts a large number of ICMP echo requests (pings)
to all the addresses in the network. All broadcast requests carry the spoofed source IP
address of the intended victim in their source IP address field. Once the routing device
delivers the echo request to the targeted hosts (for example via a layer 2 broadcast),
most hosts on that IP network will respond to the ICMP echo request with an echo reply.
The group's response to the echo request causes a large volume of traffic to be sent to
the victim host. On a multi-access broadcast network, hundreds of machines might reply
to each echo request packet [27].
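Added example, not part of the original paper: a small C parser for the echo request/reply format of Figure 3 that validates the TYPE and CHECKSUM fields and matches a reply to its request by IDENTIFIER and SEQUENCE NUMBER, which is what a monitor keys on when it wants to tell solicited replies from the unsolicited ones a Smurf victim receives. The two sample messages are constructed by hand for the example, and the type and function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { ICMP_ECHO_REPLY = 0, ICMP_ECHO_REQUEST = 8, ICMP_ECHO_HDR_LEN = 8 };

/* Parsed view of the header fields named in the text (RFC 792 echo). */
typedef struct {
    uint8_t  type, code;            /* type 8 = echo request, 0 = echo reply */
    uint16_t identifier, sequence;  /* pair a reply with its request */
    size_t   data_len;              /* bytes of OPTIONAL DATA after the header */
} icmp_echo_t;

/* ICMP checksum: 16-bit one's complement of the one's complement sum over the
 * whole message (with the checksum field zeroed when it is generated). Over a
 * message that already carries a correct checksum the result is 0. */
uint16_t icmp_checksum(const uint8_t *msg, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((msg[i] << 8) | msg[i + 1]);
    if (len & 1)                   /* odd trailing byte is padded with zero */
        sum += (uint32_t)msg[len - 1] << 8;
    while (sum >> 16)              /* fold carries back into 16 bits */
        sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Parse an echo request/reply. Returns 0 on success, -1 if the message is
 * shorter than the header, is not an echo type, or fails the checksum. */
int parse_icmp_echo(const uint8_t *msg, size_t len, icmp_echo_t *out)
{
    if (len < ICMP_ECHO_HDR_LEN) return -1;
    if (msg[0] != ICMP_ECHO_REQUEST && msg[0] != ICMP_ECHO_REPLY) return -1;
    if (icmp_checksum(msg, len) != 0) return -1;
    out->type = msg[0];
    out->code = msg[1];
    out->identifier = (uint16_t)((msg[4] << 8) | msg[5]);
    out->sequence   = (uint16_t)((msg[6] << 8) | msg[7]);
    out->data_len   = len - ICMP_ECHO_HDR_LEN;
    return 0;
}

/* Constructed sample messages (not captured traffic): identifier 0x1234,
 * sequence 1, data "ab". Checksums computed by hand: 0x8468 and 0x8C68. */
const uint8_t SAMPLE_REQUEST[10] = {0x08, 0, 0x84, 0x68, 0x12, 0x34, 0, 0x01, 'a', 'b'};
const uint8_t SAMPLE_REPLY[10]   = {0x00, 0, 0x8C, 0x68, 0x12, 0x34, 0, 0x01, 'a', 'b'};

/* Returns 1 if rep is a verified echo reply that matches the verified request req. */
int echo_pair_matches(const uint8_t *req, size_t rlen, const uint8_t *rep, size_t plen)
{
    icmp_echo_t q, p;
    if (parse_icmp_echo(req, rlen, &q) != 0 || parse_icmp_echo(rep, plen, &p) != 0)
        return 0;
    return q.type == ICMP_ECHO_REQUEST && p.type == ICMP_ECHO_REPLY &&
           q.identifier == p.identifier && q.sequence == p.sequence;
}
```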

ii.3.2 SYN Attack:

One of the major types of DDoS attack is the SYN flood. It is categorized as a semantic
attack [28] as it exploits a feature of the Transmission Control Protocol (TCP) called the
three-way handshake [29]. This feature, as shown in Fig. 4, refers to the process of
initiating an end-to-end logical connection between the client and the server. The client
sends a TCP segment to the server with the SYN flag set to 1. The server responds with a
segment with both the SYN and ACK flags set to 1. At this point the server allocates an
entry in a memory buffer to identify this half-open connection. This memory buffer is
called the backlog queue [30] in the TCP server.

Figure 4. Three Way Handshake.

Spoofed SYN packets of a SYN flood are difficult to distinguish from legitimate packets.
The reason is that they look like normal packets, except for the source IP, which is set
by the attacker to a spoofed IP [31]. When a SYN packet is received, the server responds
with a SYN-ACK packet and stores the information of the half-open connection in the
backlog. If no ACK packet is received for the half-open connection after a pre-specified
time, the server cancels the three-way handshake process and frees the memory space
allocated to that specific half-open connection. Until then the entry stays occupied, so
a flood of SYNs that are never acknowledged fills the backlog; this is the main reason
for denial of service and unavailability of the server. Another factor impacting the
performance of the server is the CPU power used to process each of the SYN packets by a
SYN cookie or SYN proxy [32].
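Added example (not from the paper or its references): a constructed C model of the backlog queue described above, with an assumed capacity and timeout as named constants, showing that half-open entries which are never acknowledged refuse a later legitimate client until the timeout frees them.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model (not a real TCP stack) of the backlog queue the text
 * describes: a fixed number of half-open entries, each freed either by the
 * client's final ACK or when the timeout elapses without one. */
#define BACKLOG_CAP 8          /* assumed capacity of the backlog queue */
#define SYN_TIMEOUT 30         /* assumed seconds a half-open entry is kept */

typedef struct { uint32_t client; int t_start; int used; } half_open_t;
typedef struct { half_open_t slot[BACKLOG_CAP]; } backlog_t;

void backlog_init(backlog_t *b) { memset(b, 0, sizeof *b); }

/* Free every half-open entry whose timeout has elapsed at time `now`. */
void backlog_expire(backlog_t *b, int now)
{
    for (int i = 0; i < BACKLOG_CAP; i++)
        if (b->slot[i].used && now - b->slot[i].t_start >= SYN_TIMEOUT)
            b->slot[i].used = 0;
}

/* A SYN from `client` arrives at time `now`: the server answers SYN-ACK and
 * records the half-open connection. Returns 0 if recorded, -1 if the backlog
 * is full, in which case the SYN is dropped and that client is refused. */
int backlog_syn(backlog_t *b, int now, uint32_t client)
{
    backlog_expire(b, now);
    for (int i = 0; i < BACKLOG_CAP; i++) {
        if (b->slot[i].used) continue;
        b->slot[i] = (half_open_t){ client, now, 1 };
        return 0;
    }
    return -1;
}

/* The final ACK completes the handshake and frees the entry. Returns 0 if a
 * matching half-open connection existed, -1 otherwise. */
int backlog_ack(backlog_t *b, uint32_t client)
{
    for (int i = 0; i < BACKLOG_CAP; i++)
        if (b->slot[i].used && b->slot[i].client == client) { b->slot[i].used = 0; return 0; }
    return -1;
}

/* Scenario: `n_unacked` SYNs from sources that never ACK arrive at t=0, then one
 * legitimate client sends its SYN at `t_legit`. Returns 1 if it gets an entry. */
int legit_client_accepted(int n_unacked, int t_legit)
{
    backlog_t b;
    backlog_init(&b);
    for (int i = 0; i < n_unacked; i++)
        backlog_syn(&b, 0, 0xC0A80100u + (uint32_t)i);   /* constructed sources */
    return backlog_syn(&b, t_legit, 0x0A000001u) == 0;   /* constructed client */
}
```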

iii. Conclusion:
There are many ways of network intrusion, and in this paper we discussed some of them.
Intruders take some network techniques and utilize them to intrude into the network.
When we say asymmetric routing, we are talking about a sophisticated methodology for
enhancing the connection between end devices in the network that has been utilized by
the intruder to reach one of those end devices, and the same applies to the rest of the
techniques. Each type of intrusion has a method to prevent or detect it, and these
methods are improved day by day since intruders create new and different ways of
intrusion. Nowadays there are many organizations that provide technical solutions for
networks to detect or prevent intrusions.

References:

[1] https://www.noction.com/blog/bgp-and-asymmetric-routing

[2] LCDR R. Scott Starsman, DISA JIEO Norfolk. Asymmetric Routing. 2, 1997.

[3] Manish Karir and Yangguang Zhang. An Experimental Study of Asymmetric Routing.
Page 1.

[4] https://www.rsaconference.com/industry-topics/blog/network-intrusion-methods-of-attack

[5] https://www.dnsstuff.com/intrusion-detection-system

[6] An Zhiyuan, Liu Haiyan. LangFang, HeBei 065000, China. Realization of Buffer
Overflow.

[7] Michele Crabb. Curmudgeon's Executive Summary. In Michele Crabb, editor, The
SANS Network Security Digest. SANS, 1997. Contributing Editors: Matt Bishop, Gene
Spafford, Steve Bellovin, Gene Schultz, Rob Kolstad, Marcus Ranum, Dorothy
Denning, Dan Geer, Peter Neumann, Peter Galvin, David Harley, Jean Chouanard.

[8] Barton P. Miller, David Koski, Cjin Pheow Lee, Vivekananda Maganty, Ravi
Murthy, Ajitkumar Natarajan, and Jeff Steidl. Fuzz Revisited: A Re-examination of the
Reliability of UNIX Utilities and Services. Report, University of Wisconsin, 1995.

[9] Crispin Cowan, Calton Pu, Dave Maier, Heather Hintony, Jonathan Walpole, Peat
Bakke, Steve Beattie, Aaron Grier, Perry Wagle and Qian Zhang. StackGuard:
Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. Department
of Computer Science and Engineering.

[10] B. P. Miller, L. Fredriksen, and B. So. An Empirical Study of the Reliability of
UNIX Utilities. Communications of the ACM, 33(12):33–44, December 1990.

[11] CHENG Hongrong, QIN Zhiguang, WAN Mingcheng, DENG Wei. On the Buffer
Overflow Attack Mode and Countermeasures [J]. Journal of University of Electronic
Science and Technology of China, 2007-06-011.

[12] Haugh E, Bishop M. Testing C programs for buffer overflow vulnerabilities [C].
Proc. of the 10th Network and Distributed System Security Symposium, San Diego,
2003: 123-130.

[13] Olatunji Ruwase, Monica S. Lam. A Practical Dynamic Buffer Overflow Detector.
Transmeta Corporation, Computer Systems Laboratory.

[14] C. Cowan, P. Wagle, C. Pu, S. Beattie, and J. Walpole. Buffer overflows: Attacks
and defenses for the vulnerability of the decade. In Proceedings of DARPA Information
Survivability Conference and Exposition, pages 119–129, January 2000.

[15] Crispin Cowan, Calton Pu, Dave Maier, Heather Hintony, Jonathan Walpole, Peat
Bakke, Steve Beattie, Aaron Grier, Perry Wagle and Qian Zhang. StackGuard:
Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. Department
of Computer Science and Engineering.

[16] J. Condit, M. Harren, S. McPeak, G. C. Necula, and W. Weimer. CCured in the real
world. In Proceedings of the ACM SIGPLAN 2003 Conference on Programming
Language Design and Implementation, June 2003.

[17] T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney, and Y. Wang. Cyclone: A
safe dialect of C. In Proceedings of the USENIX Annual Technical Conference, pages
275–288, June 2002.

[18] S. C. Kendall. Bcc: Run-time checking for C programs. In Proceedings of the
USENIX Summer Conference, pages 5–16, 1983.

[19] R. Jones and P. Kelly. Backwards-compatible bounds checking for arrays and
pointers in C programs. In Proceedings of the International Workshop on Automatic
Debugging, pages 13–26, May 1997.

[20] CERT CC, Smurf IP Denial-of-Service Attacks,
http://www.cert.org/historical/advisories/CA-1998-01.cfm

[21] CERT CC, TCP SYN Flooding and IP Spoofing Attacks,
http://www.cert.org/advisories/CA-1996-21.html

[22] R. Shirey, "Internet Security Glossary," RFC 2828, IETF, May 2000.

[23] Gholam Reza Zargar, Peyman Kabiri. Faculty of Computer Engineering, Iran
University of Science and Technology, 16846-13114, Tehran, Iran. Identification of
Effective Network Features to Detect Smurf Attacks.

[24] Hyeonwoo Kim, Dongwoo Kwon, Hongtaek Ju. Keimyung University. Analysis of
ICMP Policy for Edge Firewalls Using Active Probing.

[25] J. Postel, "RFC 792 - Internet Control Message Protocol," IETF Network Working
Group, September 1981.

[26] G. Zargar, P. Kabiri, "Identification of Effective Network Feature for Probing
Attack Detection", Proceedings of the First International Conference on Network Digital
Technologies (NDT2009), pp. 392-397, July 2009.

[27] J. Mirkovic, P. Reiher, "A taxonomy of DDoS attack and DDoS defense
mechanisms," SIGCOMM Comput. Commun. Rev., vol. 34, no. 2, pp. 39-53, April
2004.

[28] Alptugay Degirmencioglu, Hasan Tugrul Erdogan, Mehrdad A. Mizani, Oğuz
Yılmaz. A classification approach for adaptive mitigation of SYN flood attacks:
Preventing performance loss due to SYN flood attacks.

[29] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN Flooding Attacks," in
Proceedings of the IEEE Infocom, 2002, pp. 1530-1539.

[30] Y. Ohsita, S. Ata, and M. Murata, "Detecting Distributed Denial-of-Service Attacks
by Analyzing TCP SYN Packets Statistically," IEICE Transactions on
Communications, vol. E89-B, no. 10, pp. 2868–2877, October 2006.

[31] Alptugay Degirmencioglu, Hasan Tugrul Erdogan, Mehrdad A. Mizani, Oğuz
Yılmaz. A classification approach for adaptive mitigation of SYN flood attacks:
Preventing performance loss due to SYN flood attacks.

[32] https://blog.gigamon.com/2016/04/28/asymmetric-routing-can-screw-security/
