Focus Question
• Describe how Nmap, psad, and iptables work together to play out attack-and-defend strategies.
Transport Layer Attacks
• Connection Resource Exhaustion
  • packets designed to saturate all available resources for servicing new connections, e.g. SYN flooding
• Header abuses
  • packets that contain maliciously constructed, broken, or falsified headers, e.g. forged RST packets
• Transport Stack Exploits
  • packets that attack vulnerabilities in the kernel's TCP/UDP stack code
Port Scans with Nmap
• TCP connect() scan: nmap -sT
  • uses the normal TCP handshake through the OS socket API
• TCP SYN scan: nmap -sS
  • a raw socket is used to generate the SYN packet, so the handshake is never completed
• TCP FIN, XMAS, NULL scans
  • probes with unusual flag combinations (FIN only; FIN+PSH+URG; no flags at all)
• TCP ACK scan: nmap -sA
• TCP idle scan: nmap -sI
• UDP scan: nmap -sU
Other Types of Scans
• Port Sweeps
  • checking a small set of ports on a number of computers: nmap -P0 -p 22 -sS 192.168.1.0/24
• TCP Sequence Prediction Attacks
  • guess the sequence numbers of an existing connection to inject data into a stream, hijack a session, or force a session to close
• SYN Floods
  • denial-of-service attack sent from spoofed source addresses, so the half-open connections are never completed
Focus Question
• Describe how Nmap, psad, and iptables work together to play out attack-and-defend strategies.
• Nmap acts as the attacking agent, generating the scans and probes.
• iptables provides logging rules for invalid packets or packets that are not part of an established connection. The resulting log messages are passed on to the psad daemon.
• psad (Port Scan Attack Detector) analyzes the logged packets and creates alerts for suspicious ones.
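To make the defend side of this concrete, the following is an added example (not part of the original slides, and not psad's own code) of the kind of analysis psad performs on iptables LOG output: it parses kernel log lines, maps the TCP flag combination of each packet onto the scan signatures listed on the "Port Scans with Nmap" slide (NULL, XMAS, FIN, ACK), and counts the distinct destination ports hit by each source to catch a SYN-based port sweep. The log lines are constructed for the example; the field layout follows the iptables LOG target, and the "PSAD " prefix assumes a logging rule of the form `iptables -A INPUT -j LOG --log-prefix "PSAD "` placed after the rule that accepts established connections. The sweep threshold of 5 ports is an arbitrary choice for illustration.

```python
import re
from collections import defaultdict

# Template mirroring an iptables LOG line for a TCP packet; the TCP flags
# appear as bare words between RES= and URGP=. (Constructed for this example.)
LOG_TEMPLATE = ("Jan  5 10:00:01 fw kernel: PSAD IN=eth0 OUT= SRC={src} DST=10.0.0.1 "
                "LEN=44 TTL=50 ID=0 PROTO=TCP SPT=40000 DPT={dpt} WINDOW=1024 "
                "RES=0x00 {flags}URGP=0")


def constructed_line(src, dpt, flags=""):
    """Build a constructed TCP log line; flags is e.g. "SYN" or "FIN PSH URG"."""
    return LOG_TEMPLATE.format(src=src, dpt=dpt, flags=flags + " " if flags else "")


# Constructed sample: one SYN sweeper, one host sending XMAS/NULL probes,
# one host sending bare ACK/FIN probes, one ordinary SYN, and one UDP packet.
SAMPLE_LOG = "\n".join([
    constructed_line("10.0.0.5", 22, "SYN"),
    constructed_line("10.0.0.5", 80, "SYN"),
    constructed_line("10.0.0.5", 443, "SYN"),
    constructed_line("10.0.0.5", 8080, "SYN"),
    constructed_line("10.0.0.5", 3306, "SYN"),
    constructed_line("10.0.0.9", 22, "FIN PSH URG"),   # XMAS probe
    constructed_line("10.0.0.9", 23),                  # NULL probe (no flags)
    constructed_line("10.0.0.7", 80, "ACK"),           # ACK probe
    constructed_line("10.0.0.7", 22, "FIN"),           # FIN probe
    constructed_line("10.0.0.3", 22, "SYN"),           # single SYN, not a sweep
    "Jan  5 10:00:03 fw kernel: PSAD IN=eth0 OUT= SRC=10.0.0.3 DST=10.0.0.1 "
    "LEN=60 TTL=64 ID=0 DF PROTO=UDP SPT=53000 DPT=53 LEN=40",
])

FLAG_NAMES = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return {src, dst, dpt, flags} for a TCP LOG line, or None for anything else."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    tail = line.split("RES=", 1)[1] if "RES=" in line else ""
    flags = frozenset(tok for tok in tail.split() if tok in FLAG_NAMES)
    return {"src": fields["SRC"], "dst": fields["DST"],
            "dpt": int(fields["DPT"]), "flags": flags}


def classify(flags):
    """Map a TCP flag set to a scan signature; None means no known signature."""
    if not flags:
        return "NULL scan"
    if {"FIN", "PSH", "URG"} <= flags:
        return "XMAS scan"
    if flags == {"FIN"}:
        return "FIN scan"
    if flags == {"ACK"}:
        return "ACK scan"      # bare ACK that matched no established session
    if flags == {"SYN"}:
        return "SYN"           # a lone SYN is only suspicious in volume
    return None


def analyze(log_text, sweep_threshold=5):
    """Aggregate logged packets per source and return {src: [reasons]} for alerts."""
    per_src = defaultdict(lambda: {"ports": set(), "signatures": set()})
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        rec = per_src[pkt["src"]]
        rec["ports"].add(pkt["dpt"])
        sig = classify(pkt["flags"])
        if sig and sig != "SYN":
            rec["signatures"].add(sig)
    alerts = {}
    for src, rec in per_src.items():
        reasons = sorted(rec["signatures"])
        if len(rec["ports"]) >= sweep_threshold:
            reasons.append(f"port sweep: {len(rec['ports'])} distinct ports")
        if reasons:
            alerts[src] = reasons
    return alerts


if __name__ == "__main__":
    for src, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(f"ALERT {src}: {'; '.join(reasons)}")
```

The flag-based signatures fire on a single packet because those combinations never occur in a legitimate connection, whereas a SYN only becomes interesting once one source has touched many ports; this is the same distinction that separates the malformed-header probes from the connect()/SYN scans on the earlier slides.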