
Web Pages And Attack Research Paper

Auditing, Monitoring, Intrusion Prevention, Intrusion Detection, and Penetration Testing

"Unlike IP fragmentation (which can be done by intermediate devices), IP reassembly can be done only at the final destination. What problems do you see if IP reassembly is attempted in intermediate devices like routers?" [ ]

IP fragmentation is the process by which IP (Internet Protocol) breaks a datagram into smaller fragments so that it can pass through links whose MTU (maximum transmission unit) is smaller than the original datagram. The fragments are reassembled when they reach the receiving host: after the receiving host has received all fragments of the IP packet, it must reassemble the datagram before passing it to the higher layer. In practice, reassembly happens at the receiving host; however, reassembly may also be carried out by an intermediate router. For example, NAT (network address translation) devices are designed to reassemble fragments in order to translate the data stream. Several problems can occur if IP reassembly is carried out by an intermediate device such as a router. Packet loss is one of the major problems, and it leads to poor performance. It is essential to realize that the loss of a fragment can be attributed to idiosyncratic gateway behavior, link errors, and congestion, resulting in retransmission of the segment and continuous packet loss.

Moreover, a router will slow the reassembly process, since routers are not capable of reassembling efficiently. Another problem is that smaller fragments travel over a long route, which increases the chance that a fragment goes missing, in which case the entire message is discarded.

IP reassembly by an intermediate device can also create bottlenecks. Routers are designed to process a large number of packets easily and quickly; mandating that they reassemble packets increases the complexity of their functions and slows down processing. Moreover, reassembly by an intermediate device can lead to inefficient use of resources. If an unsuitable intermediate device is chosen for reassembly, the router may have to process a large number of packet headers, which slows down transmission. For example, if 1010 datagrams are fragmented over an MTU of 1000, the downstream nodes will receive twice the number of fragments and packets compared with the original size of 1000. Reassembly in routers can be inefficient and can lead to reassembly deadlocks, where a large number of packets or fragments remain partially reassembled. In most cases, intermediate devices are not designed to perform reassembly; when they are required to do so, they slow down the reassembly process.

(Kozierok, 2005).
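The partial-reassembly state discussed above, modelled in Python as an added example (not code from the original paper). It assumes a constructed RFC 791-style reassembler and made-up flow identifiers; datagram 2 shows the buffer an intermediate hop keeps for a datagram whose remaining fragments were routed through another path.

```python
# Constructed model of an IPv4 reassembly queue in the style of RFC 791:
# fragments are keyed by (src, dst, proto, ident), placed at byte offset
# fragment_offset * 8, and the datagram is complete only when the last
# fragment (MF flag clear) has arrived and the byte range has no holes.

class Reassembler:
    def __init__(self):
        self.queues = {}    # key -> {"parts": {byte_offset: payload}, "total": int or None}
        self.complete = []  # (key, reassembled payload)

    def add(self, key, offset, more, payload):
        """offset is in 8-byte units as in the header; more is the MF flag."""
        q = self.queues.setdefault(key, {"parts": {}, "total": None})
        q["parts"][offset * 8] = payload
        if not more:
            q["total"] = offset * 8 + len(payload)
        if q["total"] is not None and self._contiguous(q):
            data = b"".join(q["parts"][o] for o in sorted(q["parts"]))
            self.complete.append((key, data))
            del self.queues[key]

    @staticmethod
    def _contiguous(q):
        end = 0
        for off in sorted(q["parts"]):
            if off != end:      # hole before this fragment
                return False
            end = off + len(q["parts"][off])
        return end == q["total"]

    def pending_bytes(self):
        # Buffer held for datagrams that cannot complete at this hop: the
        # partially reassembled state the text calls a reassembly deadlock.
        return sum(len(p) for q in self.queues.values()
                   for p in q["parts"].values())


def simulate():
    r = Reassembler()
    k1 = ("10.0.0.1", "10.0.0.2", 17, 1)   # constructed flow identifiers
    k2 = ("10.0.0.1", "10.0.0.2", 17, 2)
    # Datagram 1: both fragments happen to pass through this router.
    r.add(k1, 0, True, b"A" * 16)
    r.add(k1, 2, False, b"B" * 5)
    # Datagram 2: only its first fragment takes this path; the rest was routed
    # elsewhere, so this hop holds incomplete state it can never release.
    r.add(k2, 0, True, b"C" * 8)
    return r
```

A real router would also need a timer per queue to drop such stale state, which is exactly the extra bookkeeping the text says routers are not built for.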

b. "Let's assume that Host A (receiver) receives a TCP segment from Host B (sender) with an out-of-order sequence number that is higher than expected as shown in the diagram. Then, what do Host A (receiver) and Host B (sender) do?" [ ]

Answer:

When Host B (the sender) sends a TCP segment with a sequence number higher than the one Host A (the receiver) expects, the receiver detects the gap through the TCP/IP protocol and cannot yet accept the out-of-order segment. Typically, the individual packets within a single stream can traverse different paths from the source to the destination; packets may be corrupted or lost, which may prevent them from reaching their final destination. TCP handles these potential problems by assigning a sequence number to each byte. The segments are 100 bytes in length: if Host A receives segment 1 ~ 100, it automatically responds to Host B with an ACK that carries the sequence number of the missing segment, 101. Once the missing segment has arrived, Host A (the receiver) sends ACK 301 to indicate to Host B (the sender) that segments 101 ~ 200 and 201 ~ 300 were received.
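The receiver behaviour described above, as an added example written for this page (not code from the original answer). It assumes a constructed receiver model with cumulative ACKs and an out-of-order buffer, and feeds it the arrival order in the text: 1 ~ 100, then 201 ~ 300 ahead of 101 ~ 200.

```python
# Constructed model of a TCP receiver using cumulative acknowledgements and
# an out-of-order buffer. Sequence numbers are byte-based: a segment covers
# [seq, seq + length - 1] and the ACK carries the next byte the receiver
# expects, so a repeated ACK number tells the sender what is still missing.

class Receiver:
    def __init__(self, initial_seq=1):
        self.expected = initial_seq   # next in-order byte wanted
        self.buffered = {}            # seq -> length, for out-of-order data
        self.delivered = []           # (seq, length) passed up to the application

    def receive(self, seq, length):
        """Accept one segment and return the ACK number sent back."""
        if seq > self.expected:
            # Gap ahead of this segment: keep it, but re-ACK the missing byte
            # (a duplicate ACK) rather than acknowledging the new data.
            self.buffered[seq] = length
        elif seq == self.expected:
            self._deliver(seq, length)
            # Pull in any buffered segments that are now contiguous.
            while self.expected in self.buffered:
                nxt = self.expected
                self._deliver(nxt, self.buffered.pop(nxt))
        # seq < expected: old retransmission, already delivered; just re-ACK.
        return self.expected

    def _deliver(self, seq, length):
        self.delivered.append((seq, length))
        self.expected = seq + length


def trace(segments):
    """Return the ACK sent for each (seq, length) segment in arrival order."""
    r = Receiver()
    return [r.receive(seq, ln) for seq, ln in segments]


if __name__ == "__main__":
    # Host B sends 1-100, then 201-300 arrives before 101-200 (constructed).
    print(trace([(1, 100), (201, 100), (101, 100)]))   # [101, 101, 301]
```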

2. "Describe or propose a way to detect ARP spoofing attack. What could be a possible weakness in your proposed method? Please do not discuss any prevention method (e.g., port security is an example of a preventive method)." [ ]

Answer:

ARP (Address Resolution Protocol) spoofing is possible because ARP has no authentication mechanism that can be used to verify the identity of the sender. In the contemporary IT environment, ARP spoofing is widely used to mount attacks such as sophisticated DoS (denial of service) attacks and session hijacking. The attacker sends forged ARP messages onto the LAN (local area network) in order to intercept data frames crossing the network. The passive approach...

The downside of the passive approach is that the time lag before an ARP spoofing attack is detected is long, which sometimes means the damage is already done before the attack is detected. To address this shortcoming, specialized tools can be used to monitor for ARP spoofing attacks. For example, Arpwatch is a highly effective monitoring tool for tracking the IP-to-MAC mapping. It can dump information to Syslog as well as send an email to the network administrators when a suspicious event occurs in the system.
IDSs (Intrusion Detection Systems) are another means of detecting ARP spoofing; they can inform the security administrator through an appropriate alarm or alert. A major setback of IDSs is that they can generate a significant number of false alarms that do not correspond to actual attacks, and their ability to detect ARP attacks is limited. ARP-Guard is another system for detecting ARP spoofing, which delegates the detection task to one of the detection stations. ARP-Guard is an effective tool for detecting ARP poisoning; however, attackers may hide behind a large volume of traffic for a long time and remain undetected (Abad & Bonilla, 2007).

Kukoleca, Zdravkovic, and Ivanovic (2014) argue that Syslog is an effective strategy for detecting ARP spoofing because logs contain valuable information that can help establish when the system has been compromised by ARP spoofing. Moreover, logs provide critical forensic data for detecting the vulnerability and can be used to map out the events that led to the security breach. Despite the benefits associated with Syslog, its shortcoming is that an attacker may inject false information into the logs to deceive the security administrator.
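The passive IP-to-MAC monitoring described above, in the style of Arpwatch, as an added example written for this page (not code from the paper or from Arpwatch). It assumes constructed ARP reply records (timestamp, sender IP, sender MAC) and raises an alert when an IP's claimed MAC changes or one MAC claims several IPs; the weakness the text mentions, that the alert only fires after the forged reply is already on the wire and that the first mapping seen is trusted, is noted in the code.

```python
from collections import defaultdict

# Constructed passive ARP monitor: it watches ARP replies, remembers which
# MAC last claimed each IP, and alerts on (1) a change in an IP's MAC and
# (2) one MAC claiming more than one IP. The replies below are made up;
# the last two show host .20 claiming the gateway address .1.

SAMPLE_REPLIES = [
    # (timestamp, sender IP, sender MAC)
    ("2016-11-23T10:00:00", "192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    ("2016-11-23T10:00:05", "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    ("2016-11-23T10:00:09", "192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    ("2016-11-23T10:04:30", "192.168.1.1",  "aa:aa:aa:aa:aa:20"),
    ("2016-11-23T10:04:31", "192.168.1.1",  "aa:aa:aa:aa:aa:20"),
]


def watch_arp(replies):
    """Return one alert string per suspicious event, in time order."""
    table = {}                   # ip -> (mac, timestamp first learned)
    claims = defaultdict(set)    # mac -> set of IPs it has claimed
    alerts = []
    for ts, ip, mac in replies:
        prev = table.get(ip)
        # Weakness: the first mapping seen is trusted blindly, and the alert
        # is raised only after the forged reply has already been broadcast,
        # so hosts on the LAN may have accepted it before anyone is told.
        if prev is not None and prev[0] != mac:
            alerts.append(f"{ts} {ip}: MAC changed {prev[0]} -> {mac} "
                          f"(old mapping learned at {prev[1]})")
        if prev is None or prev[0] != mac:
            table[ip] = (mac, ts)
        if ip not in claims[mac]:
            claims[mac].add(ip)
            if len(claims[mac]) > 1:
                alerts.append(f"{ts} {mac} now claims {sorted(claims[mac])}")
    return alerts


if __name__ == "__main__":
    for line in watch_arp(SAMPLE_REPLIES):
        print(line)
```

Repeated forged replies (the fifth record) do not re-alert, which keeps noise down but means a flood of identical replies produces a single line that can be lost among legitimate Syslog traffic.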

3. "[Wireless LAN Security-WEP] What is the main difference between the FMS attack and the Chopchop attack?" Clearly explain your answer. [ ]

Answer:

In the IT environment, different vulnerabilities and flaws have been associated with WEP (Wired Equivalent Privacy). While the goal of WEP is to achieve a high level of data confidentiality, WEP struggles to guarantee data confidentiality in network systems because of the number of attacks against it. The chopchop and FMS attacks are the two most common forms of attack on WEP. In the FMS attack, the attacker transmits a large number of packets, up to millions, to the WAP (wireless access point) in order to collect response packets. In this attack, the attacker listens passively to WEP-protected traffic and records the encrypted packets as well as the initialization vectors of those packets. Since the first bytes of most packets are predictable, the attacker is able to recover the first bytes of the encrypted keystream of these packets. The unprotected initialization vector of each packet then allows the attacker to derive the first three bytes of the per-packet key. The attacker thus exploits a weakness of RC4 that allows a byte of the secret key to be guessed with 5% probability. Using a voting system, the attacker determines the most probable key and tests it; if the key does not work, another candidate is tried until the correct key is obtained. The working principle of the attack is that the attacker can simulate the first steps of the RC4 KSA (key scheduling algorithm). However, the attacker needs between 4 million and 6 million packets to achieve this with a success probability of at least 50%.

On the other hand, the chopchop attack exploits WEP encryption using trial and error to determine the PSK. Typically, the chopchop attack uses the AP (access point) to decipher wireless and ARP (Address Resolution Protocol) packets. The major difference between the FMS attack and the chopchop attack is that the chopchop attacker guesses the last byte, assuming the last encrypted byte is equal to zero, whereas the FMS attacker starts the attack from the first byte. In the chopchop attack, the attacker re-encrypts the packet and transmits it to the AP; since the attacker uses a multicast packet, this lets the attacker establish that the guess is correct. However, the chance of success is 50-50 in the case of the FMS attack. While FMS can reveal the WEP key in the process, the chopchop attack will…

Sources used in this document:
Reference. San Francisco: No Starch Press Series.

Kukoleca, M., Zdravkovic, M., & Ivanovic, I. (2014). Securing Linux Servers: Best Practice Document. AMRES/RCUB.

Rehman, R.U. (2003). Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID. Indianapolis: Prentice Hall.

Security Site (2016). Snort Analyzer. Retrieved 23 November 2016 from http://asecuritysite.com/forensics/snort?fname=nmap.pcap&rulesname=rulesportscan.rules

Tews, E., & Beck, M. (2009). Practical attacks against WEP and WPA. In Proceedings of the Second ACM Conference on Wireless Network Security (pp. 79-86).