Sunday, December 20, 2015

Authentication Reflection Attack and DoS Reflection Attack



In this article, we will discuss the Authentication Reflection Attack and the Denial of Service (DoS) Reflection Attack.


What is an Authentication Reflection Attack?


Two hosts on a network can use a challenge-response authentication system to authenticate each other. In this system, one host sends a challenge (typically a fresh random value) to the other host, and the other host sends back a response computed from the challenge and a secret that only the two hosts share. If the response matches what the first host expects, the other host is authenticated.





But sometimes the same protocol, with the same shared key K, is used to authenticate hosts in either direction. That is, whichever host wants to authenticate the other sends a challenge C, and the challenged host must answer with E(K, C), the challenge transformed with the shared key K (for example encrypted or MACed with it). Only a host that holds K can produce E(K, C) for a fresh C, so a correct response is taken as proof of identity.

But because the same challenge-response protocol and key are used in both directions, an attacker that does not hold K can still produce a correct response. When the first host sends the challenge C on the first connection, the attacker opens a second connection to the first host and sends back the very same C as its own challenge. The first host, following the protocol, computes E(K, C) and returns it over the second connection. The attacker now holds exactly the response the first connection is waiting for, replays it there, and is accepted. In effect the attacker has made the first host answer its own challenge. As a result, the attacker is fraudulently authenticated to the first host although it never knew the key and is not authorized, and can then access or steal data as an authenticated peer would. This is called an Authentication Reflection Attack.

How to prevent an Authentication Reflection Attack?


With a few modifications to the authentication protocol this vulnerability can be eliminated:

  • The responding host can bind its own identifier into the response, for example E(K, ID || C) instead of E(K, C). If the attacker reflects the first host's own response back at it, that response carries the first host's identifier rather than the attacker's, so the first host can easily detect the reflection and reject it.
  • If the second host opens a second connection to the first host while the first connection is still waiting for the second host's response, the first host can refuse or delay answering any challenge on the second connection until the second host has answered the outstanding challenge on the first one. The attacker then never obtains the response it needs to replay.
  • Different keys (or different protocols) can be used for the two directions, so that a response the first host computes as a responder is useless as an answer to one of its own challenges.
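The reflection attack described above and the three countermeasures, as an added Python example that is not part of the original post. It stands in for E(K, C) with an HMAC-SHA256 over the challenge (the post names no cipher; a keyed MAC is an assumption here), and the host names, connection labels and keys are constructed for the demo.

```python
import hmac
import hashlib
import secrets


def mac(key, *parts):
    """Stands in for E(K, ...) from the text: HMAC-SHA256 over the parts
    joined with '|'. (Assumption: the post names no cipher; a keyed MAC is
    the usual way to build the response.)"""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Host:
    """One party of a mutual challenge-response protocol.

    key            -- key used to verify responses to our own challenges
    include_id     -- mitigation 1: bind the responder's identity into the
                      response, E(K, ID || C) instead of E(K, C)
    defer_pending  -- mitigation 2: do not answer a challenge on another
                      connection while one of our challenges is unanswered
    respond_key    -- mitigation 3: a separate key for the direction in
                      which we answer challenges; defaults to `key`, which
                      is the original single-key protocol
    """

    def __init__(self, name, key, include_id=False, defer_pending=False,
                 respond_key=None):
        self.name = name.encode()
        self.key = key
        self.respond_key = respond_key if respond_key is not None else key
        self.include_id = include_id
        self.defer_pending = defer_pending
        self.pending = {}  # connection label -> challenge we issued on it

    def challenge(self, conn):
        """Issue a fresh random challenge on connection `conn`."""
        c = secrets.token_bytes(16)
        self.pending[conn] = c
        return c

    def answer(self, conn, challenge):
        """Answer a peer's challenge received on `conn`; None if deferred."""
        if self.defer_pending and any(c != conn for c in self.pending):
            return None  # peer must first answer our outstanding challenge
        parts = (self.name, challenge) if self.include_id else (challenge,)
        return mac(self.respond_key, *parts)

    def verify(self, conn, response, peer_name):
        """Check a response to the challenge we issued on `conn`."""
        c = self.pending.pop(conn)
        if response is None:
            return False
        parts = (peer_name.encode(), c) if self.include_id else (c,)
        return hmac.compare_digest(mac(self.key, *parts), response)


def legitimate_auth(alice, bob):
    """Honest run: alice challenges bob on one connection, bob answers."""
    c = alice.challenge("conn1")
    return alice.verify("conn1", bob.answer("conn1", c), "bob")


def reflection_attack(alice):
    """Attacker bob holds no key. He reflects alice's challenge from
    connection 1 back at her over connection 2, lets her compute the
    response, and replays it on connection 1."""
    c1 = alice.challenge("conn1")            # alice -> bob on conn1: C
    reflected = alice.answer("conn2", c1)    # bob -> alice on conn2: same C
    return alice.verify("conn1", reflected, "bob")  # bob replays E(K, C)


# Constructed demo keys; a real deployment provisions these out of band.
KEY = b"shared-key-for-both-directions"
KEY_A2B = b"key-for-alice-challenging-bob"
KEY_B2A = b"key-for-bob-challenging-alice"

if __name__ == "__main__":
    print("single key, no fix:   attacker accepted =",
          reflection_attack(Host("alice", KEY)))                      # True
    print("identity in response: attacker accepted =",
          reflection_attack(Host("alice", KEY, include_id=True)))     # False
    print("defer second conn:    attacker accepted =",
          reflection_attack(Host("alice", KEY, defer_pending=True)))  # False
    print("key per direction:    attacker accepted =",
          reflection_attack(Host("alice", KEY_A2B, respond_key=KEY_B2A)))  # False
    print("honest peer still accepted =",
          legitimate_auth(Host("alice", KEY_A2B, respond_key=KEY_B2A),
                          Host("bob", KEY_B2A, respond_key=KEY_A2B)))  # True
```

The vulnerable configuration accepts the attacker because the response alice computes on the second connection is byte-for-byte the response she expects on the first. Each mitigation breaks that equality in a different place: the identity makes the reflected response name the wrong party, deferral means the attacker never receives a response to replay, and per-direction keys make alice's responder key useless against her verifier key.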


What is a DoS Reflection Attack?


In a DoS Reflection Attack, an attacker spoofs the source IP address of its packets and sends lots of request messages to other hosts on the network. Because the attacker writes the victim machine's IP address into the source field of the outgoing requests, all of those hosts send their responses to the victim machine, which never asked for them. The hosts that answer are called reflectors; they are not compromised, they simply respond to what looks like a legitimate request. If the attacker has much more bandwidth than the victim machine, or the responses are larger than the requests, the victim machine receives so many responses that all of its network bandwidth is used up. As a result, the victim machine is no longer available for legitimate requests. This is called a DoS Reflection Attack. The attack is only possible because networks along the path forward packets with forged source addresses; filtering spoofed sources at the network edge removes the attacker's ability to redirect the responses.






The DNS Amplification Attack is also a type of reflection attack. In this attack, the attacker sends lots of DNS queries to DNS servers, typically open resolvers that answer queries from anyone, but forges the victim machine's IP address as the source IP. As a result, the DNS servers send all of their responses to the victim machine. Because a DNS response can be many times larger than the query that triggered it, the responses reach the victim with far more bandwidth than the attacker spent sending the queries; the ratio of response size to query size is the amplification factor. The victim machine ends up flooded with responses that use up all of its bandwidth.
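Reflection and amplification look the same from the victim's side: it receives answers to questions it never asked. The following added Python example, which is not part of the original post, runs that detection over a few constructed flow records covering both the generic reflection case described above and the DNS amplification case. The addresses, ports, timestamps and byte counts are made up for the demo.

```python
from collections import defaultdict

# Constructed flow records (not taken from the post), one per line:
# "ts src sport dst dport proto bytes". 10.0.0.9 is an ordinary client whose
# 64-byte query is answered with 128 bytes. 10.0.0.5 is the victim: it sent
# no query at all, yet several resolvers deliver ~3.4 KB answers to it,
# because the attacker's queries carried 10.0.0.5 as their source address.
FLOWS = """\
1 10.0.0.9 41000 198.51.100.1 53 udp 64
2 198.51.100.1 53 10.0.0.9 41000 udp 128
2 198.51.100.1 53 10.0.0.5 33000 udp 3400
2 198.51.100.2 53 10.0.0.5 33000 udp 3500
2 198.51.100.3 53 10.0.0.5 33000 udp 3300
3 198.51.100.1 53 10.0.0.5 33001 udp 3400
3 198.51.100.2 53 10.0.0.5 33001 udp 3500
"""


def parse_flows(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto,
                      "bytes": int(nbytes)})
    return flows


def unsolicited_dns_responses(flows, window=5):
    """DNS responses whose receiver sent no query to that server in the
    preceding `window` seconds. A reflection victim never sent the query
    (the attacker did, with a forged source), so every reflected answer
    lands here; a normal client's answer pairs with its own query."""
    queries = defaultdict(list)  # (client, server) -> timestamps of queries
    unsolicited = []
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["proto"] != "udp":
            continue
        if f["dport"] == 53:                       # outbound query
            queries[(f["src"], f["dst"])].append(f["ts"])
        elif f["sport"] == 53:                     # inbound response
            sent = queries[(f["dst"], f["src"])]
            if not any(f["ts"] - window <= t <= f["ts"] for t in sent):
                unsolicited.append(f)
    return unsolicited


def victim_summary(unsolicited):
    """Per receiving host: how many unsolicited answers, total bytes, and
    how many distinct reflectors sent them. Many reflectors converging on
    one host is the signature of a reflection flood."""
    stats = defaultdict(lambda: {"responses": 0, "bytes": 0, "reflectors": set()})
    for f in unsolicited:
        s = stats[f["dst"]]
        s["responses"] += 1
        s["bytes"] += f["bytes"]
        s["reflectors"].add(f["src"])
    return {host: {"responses": s["responses"], "bytes": s["bytes"],
                   "reflectors": len(s["reflectors"])}
            for host, s in stats.items()}


def amplification_factor(query_bytes, response_bytes):
    """Bandwidth multiplier the attacker gains: bytes delivered to the
    victim per byte the attacker had to send."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    hits = unsolicited_dns_responses(flows)
    print(victim_summary(hits))
    # {'10.0.0.5': {'responses': 5, 'bytes': 17100, 'reflectors': 3}}
    print("amplification of a 64-byte query answered with 3400 bytes:",
          amplification_factor(64, 3400))  # 53.125
```

The pairing step is what separates a reflection victim from a busy client: both receive many DNS answers, but only the client's answers can be matched to queries it sent. On a real network the same logic applies to any UDP service used as a reflector, not only port 53, and the reflector operators see nothing unusual, since each of their responses answered a well-formed request.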


So, be aware of these vulnerabilities so that you can protect your systems better, and stay safe, stay protected.






