  • 4MMSR - Network Security 2 - Network Security Related Attacks

    Fabien Duchene

    Laboratoire d'Informatique de Grenoble (LIG), VASCO team
    Grenoble Institute of Technology - Grenoble INP Ensimag

    [email protected]

    2011-2012

    Fabien Duchene (LIG) 4MMSR-2-Network Security Related Attacks 2011-2012 1 / 32

    http://www.liglab.frhttp://vasco.imag.fr/http://grenoble-inp.fr

  • Outline

    1. Physical and MAC Layers: ARP, VLAN
    2. Network and Transport Layers: DHCP, IP security, Firewalls, Proxies, Routers
    3. Application Layers: DNS
    4. Underground stuff: Botnet, DDoS, Phishing, Spam, Pr0n


  • Physical and MAC Layers

    The lower the better...?

    Lower-layer vulnerabilities CAN affect higher layers [Bhaiji 2005]: once the link layer (ARP, VLAN) is under an attacker's control, every protocol running above it inherits the compromise.


  • Physical and MAC Layers

    Security principle: defense in depth

    ... [(Microsoft) 2004]


  • Physical and MAC Layers

    High-level network attacks

    Security properties violated on the transmitted data:
    o  Interruption: ...
    o  Interception: ...
    o  Modification: ...
    o  Fabrication: ...


  • Physical and MAC Layers - ARP

    ARP poisoning

    "Notice also that if an entry already exists for the <protocol type, sender protocol address> pair, then the new hardware address supersedes the old one" [Group and Plummer 1982] (RFC 826): ARP has no authentication, so whoever speaks last wins the cache entry.

    ... : gratuitous ARP Replies [Group et al. 2005]
    o  ability for a link-local attacker to redirect ALL network traffic to himself (and then read, drop or modify it before forwarding it)
    o  tools: ettercap, dsniff

    ARP poisoning - some counter-measures
    o  make the switch aware: bind IP <-> MAC addresses (DHCP snooping binding table, or static entries) and drop ARP Replies that contradict them
    o  limit the ARP Reply rate on a given port


    http://ettercap.sourceforge.net
    http://monkey.org/~dugsong/dsniff/

  • Physical and MAC Layers - VLAN

    VLAN - reminders I

    VLAN: 802.1Q is an extension of 802.1D (bridging). The 802.1Q tag is inserted after the source MAC address: TPID 0x8100, then 3 bits of priority, 1 DEI bit and a 12-bit VLAN ID.

    [Duda, Rousseau, and Alphand 2011]


  • Physical and MAC Layers - VLAN

    VLAN - reminders II

    o  trunks have access to all VLANs (default) and route traffic for multiple VLANs via the same physical link
    o  tagged vs untagged: e.g. VLAN ID 3 is untagged for port 7 and tagged for port 2


  • Physical and MAC Layers - VLAN

    VLAN hopping attack: basic (switch spoofing)

    Dynamic Trunking Protocol (Cisco) [Bhaiji 2005]: automates trunk configuration; port modes Auto / On / Off / Desirable / Non-negotiate

    Hypotheses
    o  DTP set to Auto/On on the end-station port, i.e. the port will negotiate a trunk with whoever asks for one

    Consequence: the station spoofs a switch's DTP implementation, its port becomes a trunk, and the station can then be a member of any VLAN


  • Physical and MAC Layers - VLAN

    VLAN hopping attack: double 802.1Q encapsulation

    Hypotheses
    o  the trunk has to carry the attacker's VLAN as its native (untagged) VLAN
    o  the switch performs only one decapsulation level: it strips the outer tag (native VLAN) and forwards the frame on the trunk with the inner tag still in place, so the next switch delivers it to the inner VLAN

    Limitations
    o  unidirectional: the victim's replies do not come back through the same trick


  • Physical and MAC Layers - VLAN

    VLAN attacks: some counter-measures

    o  on ports facing users: untagged access ports only, and disable auto-trunking (DTP off / nonegotiate)
    o  disable unused ports and put them into an unused, dead-end VLAN
    o  never use the default VLAN (VLAN 1) for user traffic; give trunks a dedicated native VLAN that no access port uses, or tag the native VLAN on trunks
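    Added example, not from the slides: a small model of the two switches on either side of a trunk, enough to show why a double-tagged frame hops VLANs when the attacker's access VLAN is the trunk's native VLAN, and why the counter-measures above stop it. The frame layout is real 802.1Q; the VLAN numbers, MACs and the simplified switch behaviour (Cisco-style access ports, one tag popped per switch) are assumptions of the example.

```python
import struct

TPID_8021Q = 0x8100
ETH_P_IP = 0x0800


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, vlan_ids, payload, ethertype=ETH_P_IP):
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first).
    Each tag is TPID 0x8100 followed by PCP(3 bits) | DEI(1) | VID(12)."""
    hdr = mac(dst) + mac(src)
    for vid in vlan_ids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """(vid, frame without its outermost tag); vid is None when the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Access port: untagged frames join its VLAN; a tagged frame is accepted only
    if it carries the port's own VLAN (as Cisco does) and is then handled as untagged."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, inner
    return None, None  # dropped


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """Trunk egress: frames of the native VLAN leave untagged, unless the native VLAN is tagged."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Far-end switch: one decapsulation only; untagged frames belong to the native VLAN."""
    vid, inner = pop_tag(frame)
    return (native_vlan if vid is None else vid), inner


def deliver(frame, access_vlan, native_vlan, tag_native=False):
    """VLAN in which the frame is delivered on the far-end switch, or None if dropped."""
    vlan, f = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(vlan, f, native_vlan, tag_native)
    far_vlan, _ = trunk_ingress(on_wire, native_vlan)
    return far_vlan


# Constructed attack frame: outer tag = the attacker's VLAN 1 (the trunk's native VLAN),
# inner tag = the victim's VLAN 20. The payload stands in for an IP packet.
ATTACK = build_frame("ff:ff:ff:ff:ff:ff", "de:ad:be:ef:00:01", [1, 20], b"IP packet for 10.20.0.5")


def outcomes():
    """The attack against the vulnerable configuration and against the counter-measures."""
    return {
        "native VLAN 1 shared with the attacker": deliver(ATTACK, access_vlan=1, native_vlan=1),
        "native VLAN tagged": deliver(ATTACK, access_vlan=1, native_vlan=1, tag_native=True),
        "native VLAN moved to unused 999": deliver(ATTACK, access_vlan=1, native_vlan=999),
        "attacker on a VLAN 10 access port": deliver(ATTACK, access_vlan=10, native_vlan=1),
    }


if __name__ == "__main__":
    for setup, vlan in outcomes().items():
        print("%-42s -> %s" % (setup, "dropped" if vlan is None else "delivered in VLAN %d" % vlan))
```

    Only the first configuration delivers the frame in VLAN 20: the outer tag is consumed by the attacker's own switch and the frame travels the trunk untagged, so the inner tag is what the far switch reads.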


  • Network and Transport Layers - DHCP

    DHCP reminders


  • Network and Transport Layers - DHCP

    DHCP starvation attacks

    DHCP reminders [Duda, Rousseau, and Alphand 2011]
    o  a DHCP address is given to a DHCP client (identified by its MAC address) for a given lease duration (e.g. 3600 s)
    o  the addressing scope is limited, e.g. 192.168.5.0/24: 2^(32-24) - 2 = 254 usable addresses

    DHCP starvation
    o  perform ..... ... DHCPREQUEST + DHCPACK from different MAC addresses [Bhaiji 2005] until the pool is exhausted and legitimate clients get no lease

    Some counter-measures
    o  for DHCPREPLY: reduce the ...
    o  force clients to ... (DHCP-Request)
    o  PORT SECURITY: limit the number of different MAC addresses on a given switch port


  • Network and Transport Layers - DHCP

    Rogue DHCP servers

    Client                     Rogue DHCP S.             Legitimate DHCP S.
    DHCP-Discover  --------->  (broadcast)  --------->
                   <---------  DHCP-Offer 1
                   <-------------------------------  DHCP-Offer 2
    DHCP-Request ?
    DHCP-ACK ?

    clients accept the ... matching the DHCP-Discover Transaction ID

    Some consequences
    o  attacker-controlled ... , ... : threats for upper layers!
    o  client IP address: ... [Bhaiji 2005]


  • Network and Transport Layers - DHCP

    Rogue DHCP Servers - some counter-measures

    DHCP snooping
    o  filtering on DHCP packets (UDP 67 and 68): server messages (Offer, ACK, NAK) are only accepted on trusted ports
    o  e.g. (Cisco):
         trusted port:    ip dhcp snooping trust
         untrusted port:  no ip dhcp ...
                          ip dhcp snooping limit rate 1   (packets per second)
    o  binding table (mac ; ip ; lease ; type ; vlan ; interface) built by snooping DHCP replies; ensures hosts only use assigned IP addresses (IP Source Guard and Dynamic ARP Inspection reuse this table)

    Server authentication
    o  force DHCP servers to ... (DHCP-Offer, DHCP-ACK)
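    Added example, not from the slides: a switch-side DHCP snooping model that applies the rules of the two previous slides to a constructed exchange, dropping a rogue OFFER on an untrusted port, learning the binding from the legitimate ACK, and rate-limiting a starvation burst. Port names, addresses, and the chaddr-versus-source-MAC check are assumptions of the example.

```python
from collections import defaultdict

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


class DhcpSnooping:
    """Switch-side DHCP snooping: server messages are accepted only from trusted
    ports, client messages on untrusted ports are sanity-checked and rate-limited,
    and a (mac -> ip, lease, vlan, port) binding table is learnt from DHCPACKs."""

    def __init__(self, trusted_ports, untrusted_rate_limit=1):
        self.trusted = set(trusted_ports)
        self.limit = untrusted_rate_limit      # client packets per second per untrusted port
        self.counters = defaultdict(int)        # (port, second) -> packets seen
        self.client_port = {}                   # client MAC -> port its DISCOVER/REQUEST came in on
        self.bindings = {}                      # client MAC -> (ip, lease, vlan, port)

    def process(self, pkt):
        """pkt is a dict: port, vlan, ts, type, mac (chaddr), src_mac (frame source), ip, lease.
        Returns 'forward' or 'drop: <reason>'."""
        port, kind = pkt["port"], pkt["type"]
        if port in self.trusted:
            if kind == "ACK":
                # the ACK is what finally assigns the address: record the binding
                self.bindings[pkt["mac"]] = (pkt["ip"], pkt["lease"], pkt["vlan"], self.client_port.get(pkt["mac"]))
            elif kind == "NAK":
                self.bindings.pop(pkt["mac"], None)
            return "forward"
        # untrusted port from here on
        if kind in SERVER_MESSAGES:
            return "drop: server message on untrusted port (rogue DHCP server?)"
        if pkt["src_mac"] != pkt["mac"]:
            return "drop: chaddr does not match the frame source MAC (spoofed client)"
        bucket = (port, int(pkt["ts"]))
        self.counters[bucket] += 1
        if self.counters[bucket] > self.limit:
            return "drop: rate limit exceeded on %s (starvation?)" % port
        if kind in ("RELEASE", "DECLINE"):
            binding = self.bindings.get(pkt["mac"])
            if binding is None or binding[3] != port:
                return "drop: release/decline does not match a binding learnt on this port"
        else:
            self.client_port[pkt["mac"]] = port
        return "forward"


def demo():
    """Constructed exchange: a legitimate lease, a rogue OFFER, then a starvation burst."""
    switch = DhcpSnooping(trusted_ports={"Gi0/1"}, untrusted_rate_limit=1)
    client = "00:11:22:33:44:55"
    log = []
    log.append(switch.process({"port": "Gi0/5", "vlan": 10, "ts": 0.0, "type": "DISCOVER",
                               "mac": client, "src_mac": client}))
    log.append(switch.process({"port": "Gi0/7", "vlan": 10, "ts": 0.2, "type": "OFFER", "mac": client,
                               "src_mac": "de:ad:be:ef:00:01", "ip": "10.0.0.99", "lease": 60}))
    log.append(switch.process({"port": "Gi0/1", "vlan": 10, "ts": 0.3, "type": "ACK", "mac": client,
                               "src_mac": "00:aa:bb:cc:dd:ee", "ip": "10.0.0.42", "lease": 3600}))
    for i in range(3):  # three DISCOVERs from different MACs within one second on one port
        fake = "02:00:00:00:00:%02x" % i
        log.append(switch.process({"port": "Gi0/9", "vlan": 10, "ts": 5.0, "type": "DISCOVER",
                                   "mac": fake, "src_mac": fake}))
    return switch, log


if __name__ == "__main__":
    switch, log = demo()
    for line in log:
        print(line)
    print(switch.bindings)
```

    The chaddr check is worth noting: starvation tools that vary the DHCP client hardware address but keep the frame's real source MAC are caught by it before the rate limit even matters, while tools that spoof both trigger port security's MAC-count limit.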


  • Network and Transport Layers - IP security

    A touch of IP security

    Spoofing: ... of a MAC address is not guaranteed; the same holds for an IP address (nothing in Ethernet or IPv4 authenticates the source field)

    QCM: the use of NAT? Network Address Translation permits
    A. protecting the confidentiality of an IPv4 network topology
    B. using only one public IPv6 address for several internal servers
    C. protecting the confidentiality of an IPv6 network topology
    ...


  • Network and Transport Layers - IP security

    IPsec


  • 4MMSR - Network security course
    2.2. Network and Transport Layers security
    Lecturer: Fabien Duchene
    Grenoble INP Ensimag, 2011-2012
    Contents: Firewall; Proxy, SOCKS; Web-Services

  • 2.2.1. Firewall

    4MMSR - Network Security - 2010-2011

    o  Introduction
    o  Firewall locations: network edge; endpoints & servers
    o  Packet filtering
    o  Stateful Packet Inspection
    o  Application firewalls
    o  Firewall policy

    Some material from Cyril Voisin's lecture "Base de la sécurité des réseaux" (Fundamentals of network security), Principal Security Advisor, Microsoft

  • 2.2.1. Perimeter security


    o  Security at the network layers (transport & network)
    o  Part of the defense-in-depth mechanism
    o  Traditional security view

    o  But...
       –  old, traditional mechanism
       –  this is NOT SUFFICIENT today: host protection is vital!
       –  lack of flexibility, cost
       –  Microsoft now pushes for "deperimeterization": IPsec boundaries (every host authenticates its peers instead of trusting the network it sits on)

  • 2.2.1. Firewall - introduction


    o  Filtering: "limits network access between at least two networks"
       –  filtering in 2 directions
       –  rules, metrics
       –  RFC 2979 (Behavior of and Requirements for Internet Firewalls)
    o  thus located between two networks
       –  L2 switching capabilities (transparent, bridging firewall)
       –  L3 router in an IP path
    o  Information disclosure prevention:
       –  IPv4 network: Network Address Translation hides the internal addressing from the outside (a side effect of translation, not a substitute for filtering)
          1-to-1 mapping
          1-to-N mapping (discrimination on the destination port)

  • 2.2.1. Firewall – introduction (2)


    o  Products
       –  software firewall: installable executable (Linux iptables, Windows Firewall with Advanced Security), or a virtual machine
       –  hardware-accelerated firewall "appliance" = HW + SW, e.g. Juniper, NetASQ ...

  • 2.2.2. Firewall locations


    o  Endpoint & servers: "host-based firewall"
       –  software: defense-in-depth principle!
       –  tight OS interactions (each socket or routing operation!)
       –  easier to attack than separate firewalls: it runs on the very host it protects, so a local compromise can switch it off
    o  Network edge: software, virtualized, hardware

    Figure (source: Wikipedia): firewall between the WAN (public network) and the LAN (controlled network), with a DMZ (DeMilitarized Zone, "perimeter network")

  • 2.2.2. some common DMZ network topologies

    o  One firewall level: Internet - [FW] - DMZ and internal network on separate interfaces
    o  Two firewall levels: Internet - [FW 1] - DMZ - [FW 2] - internal network; the multiculture principle => different brands, so that one vendor's bug does not open both

  • 2.2.3. Stateless firewalls "packet filtering"

    o  1st generation:
       –  1988: packet filters at Digital Equipment Corporation (DEC)
       –  1980-1990: Bill Cheswick and Steve Bellovin (AT&T Bell Labs)
    o  Filter packets to allow some circuits: Pass / Drop (silently discard) / Reject (error response to the sender)
    o  Decision depends on L3 (Network) and L4 (Transport) fields: IP source/destination address, TCP/UDP source/destination port number
    o  Policy example:
       –  allow TCP->21 traffic from network A to network B
       –  deny all traffic from (any network) to (any network)

    Figure: protocol stack (Upper layers: application, session, presentation / Transport: UDP, TCP / Network: IP / Link: Ethernet / Physical); the packet filter looks at the Network and Transport layers only

  • 2.2.4. Stateful packet inspection "session filtering"

    o  Attacks on 1st generation FW: DoS, e.g. SYN flood (resource consumption: a stateless filter cannot tell a handshake from a flood)
    o  2nd generation
       –  1989-90: Janardhan Sharma, Dave Presotto, and Kshitij Nigam (AT&T Bell Labs)
       –  1995: first commercial product by Nir Zuk's team (Check Point)
    o  Stores the "connection state"
       –  does that new packet conform to an existing connection?
       –  or is it for a new connection?
       –  see the NAT connection table (in your network lecture!)
    o  Additional conformance verification for:
       –  TCP flags (SYN, ACK, RST, PSH, FIN)
       –  session state and the TCP sequence number!
       –  if any packet does not correspond to the expected state, it is blocked!

  • 2.2.4. Stateful firewalls - TCP states

    Figure: TCP connection state diagram, see http://en.wikipedia.org/wiki/Transmission_Control_Protocol

  • 2.2.4. Stateful firewalls - state table

    o  Statically limited-size table (hence exhaustible)
    o  Each entry:

       Source port | Destination port | Source IP     | Destination IP | IP number (optional) | Protocol (optional) | Timeout (optional)
       51345       | 25               | 216.32.180.22 | 129.88.30.5    | 6                    | SMTP                | 35/50

    o  Flushing policy: an entry is removed if the connection is closed, or if no packet is seen during the TIMEOUT period
    o  Some Internet Protocol numbers (http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers):

       IP number | IP name
       1         | ICMP
       6         | TCP
       17        | UDP

    Understanding the FW-1 State Table, Lance Spitzner

  • 2.2.4. SPI firewall - example

    o  E.g.: web server (HTTP on TCP 80) published over IPv4, protected by D-NAT (Destination NAT), here in 1-to-1 mapping

    Figure: web client 87.98.190.108 (Internet) - SPI firewall (public IP 91.121.51.205, DMZ interface 10.0.0.4/28) - DMZ hosts .5 (the web server, listening on TCP 8082) and .6

    Exchange (numbers are the figure's arrows):
    1-2   SYN: SourcePort TCP 45784, DestinationPort TCP 80, SourceIP 87.98..., DestinationIP 91.121... -> SYN processing on the firewall (policy lookup, new state-table entry)
    3-4   SYN after D-NAT: S_Port TCP 45784, D_Port TCP 8082, S_IP 87..., D_IP 10.0.0.5
    5-6   SYN-ACK: S_Port TCP 8082, D_Port TCP 45784, S_IP 10.0.0.5, D_IP 87...
    7-8   SYN-ACK after the reverse translation: S_Port TCP 80, D_Port TCP 45784, S_IP 91.121.51.205, D_IP 87...
    9-12  ... ACK in each direction, checked against the same state-table entry

    The client can now send its HTTP requests and the same kind of checks are performed during the WHOLE communication.

    Example: TCP has a 3-way handshake (SYN, SYN-ACK, ACK). If any actor does not respect it, the packet will be dropped.
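    Added example, not from the slides: a minimal stateful inspection engine with the 1-to-1 destination NAT of the figure above (public 91.121.51.205:80 -> 10.0.0.5:8082), a first-match policy whose last rule is "deny all" as on the packet-filtering slide, and the idle-timeout flush of the state-table slide. It replays the figure's handshake and then shows what the same engine does with out-of-state packets. The TCP state machine is deliberately simplified (no sequence-number window, no half-close tracking) and the timeout values are assumptions.

```python
from dataclasses import dataclass

# Addresses taken from the slide's figure
PUBLIC_IP, PUBLIC_PORT = "91.121.51.205", 80
DMZ_IP, DMZ_PORT = "10.0.0.5", 8082
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int


# Stateless policy (first match wins), consulted only when a NEW connection is opened
POLICY = [
    ("allow", "any", PUBLIC_IP, 80),   # publish the web server
    ("deny", "any", "any", "any"),      # last rule: deny all traffic from any network to any network
]


def policy_allows(pkt):
    for action, src, dst, dport in POLICY:
        if src in ("any", pkt.src_ip) and dst in ("any", pkt.dst_ip) and dport in ("any", pkt.dst_port):
            return action == "allow"
    return False


class SpiFirewall:
    """Stateful packet inspection with 1-to-1 destination NAT (public :80 -> DMZ :8082).
    The state table is keyed on the client's (ip, port); each entry holds the TCP
    state and the time of the last packet (for the timeout-based flush)."""

    def __init__(self, timeout=60):
        self.table = {}
        self.timeout = timeout

    def expire(self, now):
        """Flushing policy: remove entries idle for longer than the timeout."""
        for key in [k for k, e in self.table.items() if now - e["last"] > self.timeout]:
            del self.table[key]

    def from_outside(self, pkt, now=0):
        """Client -> server direction. Returns ('forward', translated packet) or ('drop', None)."""
        key = (pkt.src_ip, pkt.src_port)
        entry = self.table.get(key)
        if entry is None:
            # only a bare SYN that the policy allows may create state
            if pkt.flags != SYN or not policy_allows(pkt):
                return "drop", None
            entry = self.table[key] = {"state": "SYN_SENT", "last": now}
        elif entry["state"] == "SYN_SENT" and pkt.flags == SYN:
            pass                                    # retransmitted SYN
        elif entry["state"] == "SYN_RECEIVED" and pkt.flags == ACK:
            entry["state"] = "ESTABLISHED"          # third packet of the handshake
        elif entry["state"] == "ESTABLISHED" and not pkt.flags & SYN:
            if pkt.flags & (FIN | RST):             # simplified: no half-close tracking
                del self.table[key]
        else:
            return "drop", None                     # does not fit the expected state
        entry["last"] = now
        return "forward", Packet(pkt.src_ip, pkt.src_port, DMZ_IP, DMZ_PORT, pkt.flags)

    def from_dmz(self, pkt, now=0):
        """Server -> client direction: only answers to a tracked connection get through."""
        key = (pkt.dst_ip, pkt.dst_port)
        entry = self.table.get(key)
        if entry is None or (pkt.src_ip, pkt.src_port) != (DMZ_IP, DMZ_PORT):
            return "drop", None                     # nobody asked: the server cannot initiate
        if entry["state"] in ("SYN_SENT", "SYN_RECEIVED") and pkt.flags == SYN | ACK:
            entry["state"] = "SYN_RECEIVED"
        elif entry["state"] == "ESTABLISHED" and not pkt.flags & SYN:
            if pkt.flags & (FIN | RST):
                del self.table[key]
        else:
            return "drop", None
        entry["last"] = now
        # reverse translation: the client sees the public address and port again
        return "forward", Packet(PUBLIC_IP, PUBLIC_PORT, pkt.dst_ip, pkt.dst_port, pkt.flags)


def handshake(fw, client_ip="87.98.190.108", client_port=45784):
    """Replays the figure's three handshake packets; returns the translated packets and the final state."""
    _, syn = fw.from_outside(Packet(client_ip, client_port, PUBLIC_IP, 80, SYN), now=1)
    _, synack = fw.from_dmz(Packet(DMZ_IP, DMZ_PORT, client_ip, client_port, SYN | ACK), now=2)
    _, ack = fw.from_outside(Packet(client_ip, client_port, PUBLIC_IP, 80, ACK), now=3)
    return syn, synack, ack, fw.table[(client_ip, client_port)]["state"]


if __name__ == "__main__":
    fw = SpiFirewall(timeout=30)
    print(handshake(fw))
    print(fw.from_outside(Packet("203.0.113.9", 4000, PUBLIC_IP, 80, ACK)))      # stray ACK: drop
    print(fw.from_dmz(Packet(DMZ_IP, DMZ_PORT, "203.0.113.9", 4000, SYN)))      # server-initiated: drop
```

    Note what the policy alone cannot express: the DMZ host answering to a client that never sent a SYN, or a stray ACK from an unknown address, are rejected purely from the state table, which is the whole point of the second generation over the first.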

  • 2.2.5. Application firewalls

    o  3rd generation: 1990-91: Bill Cheswick (AT&T), Marcus Ranum, and Gene Spafford (Purdue)
    o  Has a "protocol description": sequences, data types & sizes, e.g. HTTP, DNS ...
    o  QoS: traffic prioritization, useful for applications with real-time requirements (e.g. SIP)
    o  Performs Deep Packet Inspection
       –  blocks known attacks (exploit signatures) ~ 80%, and viruses (signatures too)
       –  forces specific protocol behaviour, e.g. limiting an HTTP header to x bytes
       –  blocks specific content, e.g. sending PDF files via Gmail

    Bill Cheswick, The Design of a Secure Internet Gateway, USENIX 1990

    Figure: protocol stack (Upper layers: application, session, presentation / Transport: UDP, TCP / Network: IP / Link: Ethernet / Physical); the application firewall inspects up to the application layer

  • 2.2.6. Firewall policy

    o  Set of rules
    o  Example:
       –  block all outgoing FTP traffic except from host ... to host ...
       –  allow only a subset of the SIP protocol's commands
    o  Least privilege principle: the last evaluated rule has to be "Deny all traffic from any network to any network" (default deny: anything not explicitly allowed is blocked)

  • 2.2.7. Additional cool stuff

    o  Policy depending on the identity of authenticated users: Role-Based Access Control
    o  Could also have additional functions: proxy; failover, load-balancing

  • Firewall - interlude

    o  Firewalls and Internet Security: Repelling the Wily Hacker, William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin

  • 2.2.2. Proxy

    o  Acts as an intermediary for requests from clients to another service.
    o  Types
       –  Forward: internal network -> Proxy -> Internet (the internal clients go out through it)
       –  Open: Internet -> Proxy -> Internet (usable by anyone, hence abused for anonymity and spam)
       –  Reverse: Internet -> Proxy -> internal server (e.g. a web server)
    o  Applications: Squid; Microsoft Forefront Threat Management Gateway (ISA Server)

    Figure: the three topologies (forward, open, reverse) as listed above

  • 2.2.2. Proxy - features

    o  Policy: filtering at the application level, similar to Deep Packet Inspection, e.g. HTTP URL filtering, DNS blacklist
    o  Caching: accelerating some requests (e.g. a forward proxy serving static content of google.fr from its cache rather than fetching it again from the Internet)
    o  Logging: each corporation providing Internet access has to log requests (liability issues)
    o  The policy can depend on the authenticated user/computer

  • 2.2.2. Proxy - SOCKS

    o  SOCKS (SOCKet Secure), RFC 1928 (version 5), default TCP port 1080 (server side)
    o  The application has to "understand" a SOCKS dialog: greeting and method negotiation, then a CONNECT (or BIND / UDP ASSOCIATE) request naming the real destination
    o  E.g.: forward proxy in a corporation; HTTP GET /

    Figure: Client (internal network) -> Proxy -> FW -> Internet, with an identity provider attached to the proxy; firewall rule: "allow HTTP, DNS from proxy to Internet"
    Encapsulation seen on each hop:
    o  client -> proxy: IP (client-proxy) / TCP / SOCKS / HTTP
    o  proxy -> firewall: IP (source = proxy) / TCP / HTTP
    o  firewall -> Internet: IP (source = proxy/fw) / TCP / HTTP
    o  logically, end to end: IP (client-server) / TCP / HTTP
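    Added example, not from the slides: both sides of the SOCKS5 dialog of RFC 1928 (client greeting and CONNECT request, proxy method selection and reply), with the proxy enforcing a small egress policy before it would open the outbound connection. The wire format is the RFC's; the allowed ports, the egress address 203.0.113.10 and the bound port in the reply are assumptions of the example.

```python
import ipaddress
import struct

VER = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


def encode_address(host):
    """ATYP + DST.ADDR as in RFC 1928 section 4: IPv4, IPv6 or a length-prefixed domain name."""
    try:
        ip = ipaddress.ip_address(host)
        return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        return bytes([ATYP_DOMAIN, len(name)]) + name


def decode_address(buf, off):
    """Inverse of encode_address starting at offset off; returns (host, port, next offset)."""
    atyp = buf[off]
    off += 1
    if atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(buf[off:off + 4])), off + 4
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(buf[off:off + 16])), off + 16
    elif atyp == ATYP_DOMAIN:
        n = buf[off]
        host, off = buf[off + 1:off + 1 + n].decode("idna"), off + 1 + n
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    return host, struct.unpack("!H", buf[off:off + 2])[0], off + 2


# ---- client side ----
def client_greeting(methods=(NO_AUTH,)):
    return bytes([VER, len(methods), *methods])


def connect_request(host, port):
    return bytes([VER, CMD_CONNECT, 0x00]) + encode_address(host) + struct.pack("!H", port)


def parse_reply(data):
    host, port, _ = decode_address(data, 3)
    return data[1], host, port


# ---- proxy side ----
def reply(rep, bind_host="0.0.0.0", bind_port=0):
    return bytes([VER, rep, 0x00]) + encode_address(bind_host) + struct.pack("!H", bind_port)


class SocksServer:
    """Method negotiation, then CONNECT filtered by the proxy's egress policy (here: ports only)."""

    def __init__(self, allowed_ports=(80, 443), egress_ip="203.0.113.10"):
        self.allowed_ports = set(allowed_ports)
        self.egress_ip = egress_ip   # the source IP the firewall and the Internet will see

    def greet(self, data):
        if len(data) < 2 or data[0] != VER or len(data) != 2 + data[1]:
            return bytes([VER, NO_ACCEPTABLE])
        return bytes([VER, NO_AUTH if NO_AUTH in data[2:] else NO_ACCEPTABLE])

    def request(self, data):
        """Returns (reply bytes, (host, port) the proxy would connect to, or None if refused)."""
        if data[0] != VER or data[2] != 0x00:
            raise ValueError("malformed SOCKS5 request")
        host, port, _ = decode_address(data, 3)
        if data[1] != CMD_CONNECT:
            return reply(REP_CMD_UNSUPPORTED), None
        if port not in self.allowed_ports:
            return reply(REP_NOT_ALLOWED), None
        # a real proxy opens the outbound TCP connection here and reports the bound address
        return reply(REP_OK, self.egress_ip, 40001), (host, port)


if __name__ == "__main__":
    proxy = SocksServer()
    print(proxy.greet(client_greeting()).hex())
    rep, target = proxy.request(connect_request("www.example.org", 80))
    print(parse_reply(rep), target)
```

    Because the client names its destination inside the SOCKS request, the firewall behind the proxy only ever sees connections from the proxy's address: one rule ("allow HTTP, DNS from proxy to Internet") replaces one per client, which is the administrative gain the key-notions slide refers to.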

  • 2.2.3. Service Oriented Architecture

    o  Provides: UDDI (service location), WSDL (service description), SOAP (remote procedure call)
    o  Interesting: interoperability, low coupling
    o  Web services and firewalls:
       –  generally TCP 80 or TCP 443 for the transport
       –  "classic DPI" is not enough, since the "real applications" function at a higher level than HTTP!

    Figure: stack XML / HTTP (RPC) / TCP / IP

  • 2.2.3. WS-Security

    o  A way of ensuring integrity and confidentiality properties on SOAP messages. Author: OASIS (Microsoft, IBM, ...)
    o  Credentials: transport of security tokens
       –  SAML (Security Assertion Markup Language): authentication, authorization ... between "security domains" (e.g. Active Directory domains)
       –  Kerberos
       –  X.509
    o  Integrity: XML Signature
    o  Encryption: XML Encryption

  • 2.2.3. WS-Federation & SAML: identity federation

    o  A user authenticates through his Identity Provider (e.g. corp A) and gets access to applications published by a Service Provider (e.g. corp B) ~ web-browser SSO
    o  Some definitions (see the ADFS 1.0 example on the next slide)
       –  Identity Provider (backed by e.g. LDAP, an SQL database ...)
       –  Claims (FR: revendication), e.g. User.Age >= 18
       –  Token (FR: jeton)
       –  Service Provider: provides the application

    http://blogs.sun.com/hubertsblog/entry/deep_dive_on_saml_2

  • 2.2.3. Active Directory Federation Services 1.0

    o  Example in Business-to-Business web-browser Single Sign-On
    (figure adapted from: Active Directory Federation Services 2.0 (2010), Philippe Beraud, Microsoft)

    Actors: client C and its Identity Provider on the intranet of Corporation A ("Authentication"), with federation server FS-A and an FS Web Proxy A in A's DMZ; the web application on the intranet of Corporation R ("Resource"), with FS-R and an FS Web Proxy R in R's DMZ. Prerequisite: X.509 certificate exchange, so that FS-R accepts tokens signed by FS-A.

    1.   C: HTTP GET / on the web application
    2.1  Web application: authenticate to the FS Web Proxy R (HTTP 302); "I need the claims c1, c2 ..."
    2.2  C: my security domain = A
    3.1  FS Web Proxy R: please provide a token from FS-A
    3.2  HTTP 302 to FS-A; user authentication; SAML token request
    4.   FS-A obtains the attributes from the Identity Provider, builds the claims (c1, c2), adds some information regarding C, and signs them = SAML token [C,c1,c2]FS-A
    5.   C: HTTP POST of [C,c1,c2 ...]FS-A to FS-R
    6.   FS-R token construction: checks the FS-A token signature and builds [C,c1,c2]FS-R
    7.   C: HTTP POST of [C,c1,c2 ...]FS-R to the web application
    8.   HTTP 200 OK, servicing

  • 2.2.3 - Network and Transport layer security - key notions

    Firewall
    o  stateful / stateless
    o  which layers count for deciding? application, transport, network
    o  do they perform masquerading? e.g. NAT in IPv4
    o  Deep Packet Inspection
    o  location: endpoint or network?
    o  QoS?

    Proxy
    o  types: forward, open, reverse
    o  features: filtering (DPI), caching, logging (relationship to authentication)
    o  SOCKS: L5 protocol; easier to administrate firewalls

    Web services
    o  SOA: service, requestor, broker, provider
    o  WS-Security, WS-Federation, SAML token, ADFS 1.0 example

  • Application Layers - DNS

    DNS Cache Poisoning

    Key points
    o  July 1997: Eugene Kashpureff [DNS and BIND, 4th Edition]
    o  Summer 2008: [Kaminsky 2008] alerted vendors that most DNS server implementations were vulnerable [US-CERT 2008]
    o  Security property violated: ... ... of DNS records

    The birthday paradox [O'Connor 2008]
    o  $n$ = number of sent queries
    o  $t$ = total number of query IDs ($2^{16} = 65\,536$)

    $$P_{collis}(n, t) = 1 - \left(1 - \frac{1}{t}\right)\left(1 - \frac{2}{t}\right)\cdots\left(1 - \frac{n-1}{t}\right) \;\ge\; 1 - \left(1 - \frac{1}{t}\right)^{n(n-1)/2}$$

    Approximately: $n \ge 700 \Rightarrow P(n, t) \ge 0.95$ [Friedl 2008]

  • Application Layers - DNS

    DNS Cache Poisoning (simple record) [Friedl 2008]

    Hypotheses
    o  recursive queries ...
    o  the DNS name to be resolved can't be in the victim's ...
    o  the attacker has to reply ... ... than the legitimate server

    The first DNS reply having the same ... is accepted. Others are dropped.


  • Application Layers - DNS

    DNS cache poisoning: some counter-measures

    o  Randomize the Query ID
    o  Use Source Port + Query ID: also randomize the source port (about $2^{11}$ usable ports): $2^{16} \cdot 2^{11} = 2^{27} \approx 134$ million combinations to guess
    o  Caveat: randomization only raises the attacker's cost, and a NAT device that rewrites source ports sequentially undoes the port entropy
    o  We are trying to ensure the integrity of DNS replies. Why not sign them? -> DNSSEC (next slide!)

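    Added example, not from the slides: the birthday probability of the cache-poisoning slide computed exactly and through the slide's lower bound, then the number of spoofed packets needed for a 95% success probability with a 16-bit query ID alone and with the source port randomized as well. The $2^{11}$ port-range estimate is the slide's; the 95% target is the slide's "approximately" line.

```python
import math

QUERY_ID_SPACE = 2 ** 16   # 16-bit transaction ID
PORT_SPACE = 2 ** 11       # the slide's estimate of the usable random source-port range


def p_collision(n, t):
    """Exact P_collis(n, t) = 1 - prod_{k=1}^{n-1} (1 - k/t), accumulated in log space."""
    if n > t:
        return 1.0
    return 1.0 - math.exp(sum(math.log1p(-k / t) for k in range(1, n)))


def p_collision_bound(n, t):
    """The slide's lower bound 1 - (1 - 1/t)^(n(n-1)/2); valid because 1 - k/t <= (1 - 1/t)^k."""
    return 1.0 - (1.0 - 1.0 / t) ** (n * (n - 1) / 2)


def queries_needed(t, target=0.95):
    """Smallest n such that P_collis(n, t) >= target, built incrementally from P(n-1)."""
    no_collision, n = 1.0, 1
    while 1.0 - no_collision < target:
        no_collision *= 1.0 - n / t
        n += 1
    return n


def summary(target=0.95):
    """Spoofed packets needed for the two resolver configurations of the slides."""
    return {
        "query id only": queries_needed(QUERY_ID_SPACE, target),
        "query id + source port": queries_needed(QUERY_ID_SPACE * PORT_SPACE, target),
    }


if __name__ == "__main__":
    print("P(700, 2^16) exact = %.4f, bound = %.4f" % (p_collision(700, QUERY_ID_SPACE),
                                                       p_collision_bound(700, QUERY_ID_SPACE)))
    for setup, n in summary().items():
        print("%-24s n = %d" % (setup, n))
```

    The birthday growth is square-root: multiplying the ID space by $2^{11}$ raises the packet count only by about $\sqrt{2^{11}} \approx 45$, from roughly 630 to roughly 28 000 packets, which is why port randomization was a stop-gap and signing (DNSSEC) the actual fix.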

  • Application Layers - DNS

    DNSSEC

    nslookup
    > set q=DNSKEY
    > udp53.org
    ...
    udp53.org rdata_48 = 256 3 5 BEAAAAOr2ijJHRRTMTATseOYKej9212iaIyE...
    > set q=RRSIG
    > udp53.org
    ...
    udp53.org rdata_46 = SOA 5 2 3600 20120228123908 20120129113908 9234 udp53.org. nenjX9dlyZYhabfpgyWuIr5K0V4GURVtZVdyUbr3/+5..==

    o  use of public-key signatures for guaranteeing the integrity and origin authenticity of DNS records
    o  some new DNS records:
       –  DNSKEY: public key of the zone (above: flags 256 = zone-signing key, protocol 3, algorithm 5 = RSA/SHA-1)
       –  RRSIG: signature over a record set (above, over the SOA RRset: algorithm 5, 2 labels, original TTL 3600, valid from 20120129113908 to 20120228123908 UTC, key tag 9234, signer udp53.org.)
    o  signature scheme examples: RSA/MD5 (algorithm 1, deprecated: must not be implemented since RFC 6725), RSA/SHA-1 (5), RSA/SHA-256 (8)
    o  periodic re-signing! RRSIGs carry an expiration date; once it passes, validating resolvers treat the zone as bogus
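    Added example, not from the slides: parsers for the DNSKEY and RRSIG presentation formats shown above, the RFC 4034 key-tag computation that links an RRSIG to its DNSKEY, and the checks a validator performs before attempting the RSA verification itself (validity window, key tag, algorithm, key flags). The slide's RRSIG line is parsed as-is; the 4-byte DNSKEY "key" is constructed so that its key tag (2059) can be checked by hand, a real RSA key being hundreds of bytes.

```python
import base64
import struct
from datetime import datetime, timezone

DNSSEC_ALGORITHMS = {
    1: "RSA/MD5 (deprecated: must not be implemented, RFC 6725)",
    5: "RSA/SHA-1",
    8: "RSA/SHA-256",
    13: "ECDSA P-256 with SHA-256",
}


def key_tag(flags, protocol, algorithm, key):
    """Key tag of a DNSKEY, RFC 4034 Appendix B: a 16-bit checksum over the RDATA wire format."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(text):
    """Presentation format 'flags protocol algorithm base64key' (the slide's '256 3 5 BEAAAA...')."""
    flags, protocol, algorithm, key_b64 = text.split(None, 3)
    flags, protocol, algorithm = int(flags), int(protocol), int(algorithm)
    key = base64.b64decode("".join(key_b64.split()))
    return {"flags": flags, "zone_key": bool(flags & 0x0100), "sep": bool(flags & 0x0001),
            "protocol": protocol, "algorithm": algorithm, "key": key,
            "key_tag": key_tag(flags, protocol, algorithm, key)}


def dns_time(s):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(text):
    """Presentation format: type-covered algorithm labels original-TTL expiration inception key-tag signer signature."""
    f = text.split(None, 8)
    return {"type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]), "original_ttl": int(f[3]),
            "expiration": dns_time(f[4]), "inception": dns_time(f[5]), "key_tag": int(f[6]), "signer": f[7],
            "signature_b64": "".join(f[8].split()) if len(f) > 8 else ""}


def check_rrsig(rrsig, dnskey, now):
    """Checks a validator makes before the cryptographic verification (RFC 4035, section 5.3.1)."""
    problems = []
    if not rrsig["inception"] <= now <= rrsig["expiration"]:
        problems.append("outside validity window: the zone needs re-signing")
    if rrsig["key_tag"] != dnskey["key_tag"]:
        problems.append("key tag mismatch")
    if rrsig["algorithm"] != dnskey["algorithm"]:
        problems.append("algorithm mismatch")
    if not dnskey["zone_key"] or dnskey["protocol"] != 3:
        problems.append("DNSKEY is not a usable zone key")
    if rrsig["algorithm"] == 1:
        problems.append("RSA/MD5 signatures must be treated as unsupported")
    return problems


# The slide's RRSIG (signature truncated on the slide) and a constructed toy DNSKEY/RRSIG pair.
SLIDE_RRSIG = "SOA 5 2 3600 20120228123908 20120129113908 9234 udp53.org. nenjX9dlyZYhabfpgyWuIr5K0V4GURVtZVdyUbr3/+5..=="
TOY_DNSKEY = "256 3 5 AQIDBA=="   # flags 256, protocol 3, RSA/SHA-1, key bytes 01 02 03 04 -> key tag 2059
TOY_RRSIG = "SOA 5 2 3600 20120228123908 20120129113908 2059 udp53.org. AAAA"


if __name__ == "__main__":
    key = parse_dnskey(TOY_DNSKEY)
    print("key tag", key["key_tag"], DNSSEC_ALGORITHMS[key["algorithm"]])
    print(check_rrsig(parse_rrsig(TOY_RRSIG), key, dns_time("20120210000000")))
    print(check_rrsig(parse_rrsig(TOY_RRSIG), key, dns_time("20120301000000")))
```

    The validity-window check is the operational one: the slide's signature was good for one month, so a zone whose signing job silently stops disappears from every validating resolver after that, which is what "periodic re-signing" guards against.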


  • Underground stuff - Botnet

    Botnet [Bot-net]

    Economic model
    1. The Botnet Operator (BO) gains the ability to ... on victims' computers, usually by exploiting at least one vulnerability on those systems (a)
    2. The BO speaks to his bot network via a ... (e.g. IRC, HTTPS, SMTP ...)
    3. A client ... the botnet usage to the BO
    4. The BO ... to perform the client-requested operations for a limited amount of time or a limited amount of production (e.g. mails)

    (a) new trend: people are voluntarily giving such a privilege

    Some possible usages: DDoS, spam, proxy, password brute-forcing


  • Underground stuff - Botnet

    Botnet: a more technical insight

    Protocol
    o  registering new "client" nodes, new "servers"
    o  orders: transmitting and returning results
    o  updating: mostly automatic (e.g. targets, payloads (spam templates))

    DNS fast-flux
    o  very low TTLs (the SOA minimum below is 181 seconds, sometimes even 0, where a day is usual) [Groz and Maury 2011], meaning the addresses the botnet's names resolve to can change very quickly
    o  each node of the flux network is a compromised host

    dig SOA ensimag.fr
    ;; ANSWER SECTION:
    ensimag.fr.  7200  IN  SOA  ppp.imag.fr. fr-imag-subdom-admin.imag.fr. 2011101809 21600 3600 3600000 86400

    dig SOA void99.com
    ;; ANSWER SECTION:
    void99.com.  1800  IN  SOA  dns1.name-services.com. info.name-services.com. 2002050701 10001 1801 604801 181

  • Underground stuff - Botnet

    Botnet: Mega-D IOLTS

    Figure: abstracted IOLTS (input/output labelled transition system) of the Mega-D botnet's command-and-control protocol [Cho et al. 2010]


  • Underground stuff - DDoS

    Distributed Denial Of Service

    Denial of Service: resource exhaustion
    o  sockets
    o  virtual memory
    o  bandwidth
    o  CPU clock cycles

    Violated security property: ... (availability)
    In certain (rare) situations the bug behind a crash turns out to be exploitable, and the DoS becomes remote code execution.


  • Underground stuff - Phishing, Spam, Pr0n

    Phishing

    ... The spoofing website has a similar "look-and-feel" (FQDN, web page) (... generally money is derived)

    Some phishing examples
    o  e-mail from the XXX bank: you have to change your password
    o  some welfare service sent you some money (e.g. the French CAF)
    o  PayPal urges you to log on to your account

    Phishing filters: similarity
    o  DNS names: typos (gooogle.com), redirectors (HTTP, JS), IDN homograph attacks (look-alike Unicode characters in the FQDN)
    o  web page: XML distance


  • Underground stuff - Phishing, Spam, Pr0n

    Spam

    Generating money?
    o  promoting drugs (fake or real), porn websites
    o  phishing
    o  traffic broker: exploiting vulnerabilities in the browser (goal: trojan installation, for instance to enrol the machine in a botnet)

    Getting e-mail addresses?
    o  crawling the web: regular expressions
    o  SQL injection: extracting records from other databases
    o  buying them: underground market


  • Underground stuff - Phishing, Spam, Pr0n

    Pr0n

    The adult industry:
    o  main goal: generate $
    o  attract a lot of traffic: advertisement, paying subscriptions
    o  traffic broker (see next slide)
    o  some: re-sell vulnerable clients for exploitation


  • Underground stuff - Phishing, Spam, Pr0n

    Spam, Pr0n, phishing: some flows ["Is the Internet for Porn? An Insight Into the Online Adult Industry"]

    Figure: traffic broker; browser vulnerability scanning


  • For Further Reading

    Albitz, Paul and Cricket Liu. DNS and BIND, 4th Edition.
    Bhaiji, Yusuf (2005). Layer 2 Attacks and Mitigation Techniques. http://www.sanog.org/resources/sanog7/yusuf-L2-attack-mitigation.pdf
    Cho, Chia Yuan et al. (2010). "Inference and Analysis of Formal Models of Botnet Command and Control Protocols". In: ACM CCS 2010.
    Duda, Andrzej, Franck Rousseau, and Olivier Alphand (2011). 4MMRES-Networks. https://intranet.ensimag.fr/KIOSK/Matieres/4MMRES/news/?page_id=73
    Friedl, Steve (2008). An Illustrated Guide to the Kaminsky DNS Vulnerability. http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
    Group, Network Working and David C. Plummer (1982). An Ethernet Address Resolution Protocol - or - Converting Network Protocol Addresses. RFC 826. https://tools.ietf.org/html/rfc826
    Group, Network Working et al. (2005). IPv4 Link-Local. RFC 3927. https://www.ietf.org/rfc/rfc3927.txt?number=3927
    Groz, Roland and Ghislaine Maury (2011). Ensimag-3MMIRC-Introducing Communication Networks. https://intranet.ensimag.fr/KIOSK/Matieres/3MMRTEL/
    Kaminsky, Dan (2008). DNS 2008 and the new (old) nature of critical infrastructure. http://www.blackhat.com/presentations/bh-dc-09/Kaminsky/BlackHat-DC-09-Kaminsky-DNS-Critical-Infrastructure.pdf
    (Microsoft), Cyril Voisin (2004). Notions fondamentales de sécurité (Security fundamentals).
    O'Connor, Luke (2008). On the DNS Birthday Probability. http://lukenotricks.blogspot.com/2008/11/on-dns-birthday-probability.html
    US-CERT (2008). Multiple DNS implementations vulnerable to cache poisoning. VU#800113. http://www.kb.cert.org/vuls/id/800113
    Wikipedia. Botnet. https://en.wikipedia.org/wiki/Botnet
    Wondracek, Gilbert et al. (2010). "Is the Internet for Porn? An Insight Into the Online Adult Industry". In: WEIS 2010. http://iseclab.org/papers/weis2010.pdf
