This page is under construction.
1.1 Background
The internet has evolved tremendously for the last decade. Its history can be traced back as far as 1973 where the US Defense Advanced Research Projects Agency (DARPA) first initiated a research program to investigate techniques and technologies for interlinking packet networks of various kinds. Another milestone of its development was the late 80’s where commercial facilities started to be included by some network constituents. Today as we speak, there are millions of users around the world doing transaction over the internet as it is made up of private networking facilities in educational, research institutions, businesses and government organization across the globe.
1.2 Motivation
When it is first developed, nobody ever thought that the internet will be so widely used. So when the underlying protocol (TCP/IP) was designed, security issue was never a major concern. However, today almost every week the news wrote about a system being hacked into, making use of the basic flaws of the protocol.
As the world moves towards using the internet as a common media for various purposes (business, education etc), this security threats can no longer be tolerated.
1.3 Objectives
This project aims to give a review on some of the vulnerabilities inherited in the TCP/IP protocol suite. Some of the basic application’s vulnerability will also be reviewed. A real life example will then be illustrated on how these attacks are used to hack a system, and hijack (specifically) an e-commerce transaction.
A defense mechanism will be discussed afterwards. Its effectiveness to protect against various forms of attacks will then be evaluated.
In this chapter, the history and the overwhelming growth of Internet is discussed. Along with the growth, the increasing security threat is also briefly reviewed.
2.1 History
In 1957, when the USSR launches Sputnik, the first artificial earth satellite, the United States forms the Advanced Research Projects Agency (ARPA) within the Department of Defense (DoD) as a response to establish US lead in science and technology applicable to the military. The physical network of the ARPANET itself was constructed in 1969, linking only four nodes: University of California at Los Angeles, SRI (in Stanford), University of California at Santa Barbara, and University of Utah.This network was wired together via 50 Kbps circuits. In 1972, ARPA was renamed DARPA (The Defense Advanced Research Projects Agency). At this time, the ARPANET was using the Network Control Protocol or NCP to transfer data. This allowed communications only between hosts running on the same network.
It was not until 1973 that the TCP/IP protocol began its development by a group headed by Vinton Cerf from Stanford and Bob Kahn from DARPA to allow diverse computer networks to interconnect and communicate with each other. The following year, in their paper on Transmission Control Protocol, the term "Internet" was first used.
In 1976, Ethernet, a crucial component of the development of LANs was developed, allowing coaxial cable to move data extremely fast. The packet Satellite network went into practical use, linking the United States with Europe. The Department of Defense began to experiment with the TCP/IP protocol and decided to require it for use on ARPANET. Five years later, National Science Foundation created backbone called CSNET, a 56 Kbps network for institutions without access to ARPANET. A plan for an inter-network connection between CSNET and the ARPANET was proposed.
In 1983, TCP/IP became the core Internet protocol and replaced NCP entirely. ARPANET was later divided into MILNET to serve military needs and ARPANET to support the advanced research component.
The National Science Foundation began deploying its new T1 lines, running at 1.544Mbps (NSFNET) in 1985. It would finish by 1988. At that time the Advanced Network Systems (ANS) has come out with the concept of T3, a 45 Mbps line.
The 50 Kbps ARPANET was taken out of service in 1990, to be replaced by the NSFNET. The56 Kbps CSNET was also discontinued the following year.
In 1992, the World Wide Web was released. The NSFNET backbone was upgraded to use T3 45Mbps link. A year later, the InterNIC was established to give Internet registration and information services. The NSFNET ATM backbone of 145Mbps was beginning to be installed in 1994.
The National Science Foundation announced that as of April 30, 1995 it would no longer allow direct access to the NSF backbone. The National Science Foundation contracted with four companies that would be providers of access to the NSF backbone (Merit). These companies would then sell connections to groups, organizations, and companies.
From then to date, nothing much has change but the fast growing number of user from various sector including business, education, commerce, military, and government.
2.2 The growth of the Internet
Figure 2.1 The growth of the Internet Host (Courtesy of the Internet Society "ISOC")
From the graph above, we can see the exponential growth of internet hosts over the last decade. Not only that, the number of domains also experience a major increase in number as shown by the graph below
Figure 2.2 Courtesy of CERT (Computer Emergency Response Team)
However, as the number of user grow, so does the number of incidents that occur.
Table 2.1 The number of incident (Courtesy of CERT)
| Year | 1988 | 1989 |
| Incidents | 6 | 132 |
| Year | 1990 | 1991 | 1992 | 1993 | 1994 | 1995 | 1996 | 1997 | 1998 | 1999 |
| Incident | 252 | 406 | 773 | 1,334 | 2,340 | 2,412 | 2,573 | 2,134 | 3,734 | 9,859 |
| Year | 2000(1st quarter) |
| Incident | 4266 |
These figures were obtained from Computer Emergency Response Team (CERT), based on the number of incident that is reported to them.
2.3 Electronic Warfare
From the day people starts using the electronic media for critical purposes, the term electronic warfare starts to come about. This is too broad of a term. In this project, we are narrowing the scope of "electronic" to just those related to the use of computer. As illustrated in the early part of this chapter, the rapid growth of the internet is truly overwhelming. But as most computer nowadays are connected to the internet, the ability to access remote machine poses a security threat on secrecy (information only for authorized party), integrity (assets can only be modified by authorized party), and availability (assets can only be used by authorized party).
In their book "Firewalls and Internet Security" [2], Cheswick and Bellovin define computer security to be "keeping anyone from doing things you do not want them to do to, with, on, or from your computers or any peripheral devices".
The next question would be what are we trying to protect. There are three main things here, that is process, files, and data in transit. In his paper, John D. Howard [10] mentioned four classification of attacks :
- Unauthorized use
- Disclosure of information
- Denial of Service
- Corruption of information
A common intruder’s method of attack is firstly by gaining access to a computer, exploit the vulnerabilities to get root access, then tamper with that machine or use it to attack others. The term "attack" here means all 4 of the above, from stealing information, hogging the processor to deny others of its services, even tamper with the information stored. Depends on how valuable their resources are, different people perceive computer security at different level of importance.
The next chapter would discuss these attacks in greater details.
This chapter will discuss the attacks on each of the 4 IP layer. Tcpdump output will be presented in some of the attack scenario to get a better look on what it is actually performing. More explanation on TCP/IP protocol suite is given in Appendix A.
Finally, a section on Denial of Service attack will be presented.
3.1 IP model
A widely accepted structuring technique for inter-networking, and the one chosen by ISO is layering. In 1977, ISO establish a subcommittee to develop such an architecture, and the result was the Open Systems Interconnection (OSI) reference model. The 7 layer of the OSI model (from bottom up) are as follow:
However, the original Internet protocol specifications defined a four-level model, and protocols designed around it (like TCP) have difficulty fitting neatly into the seven-layer model. Since the mid-1960, IP model was used as a de-facto standard. In this chapter, we will be using the 4 layer of IP model. They are basically the same as 7 OSI layer with the lower 2 and upper 3 layer being lumped together. Here are the 4 IP layer:
The following figure shows the various protocols and applications that works on each of the layer which will be discussed in this chapter.
Figure 3.1 Various protocols and application on each IP layer
3.2 Network Access Layer
This is where the physical and the data link layer of the OSI model resides. To tamper with this layer is to physically tap the wire and analyze the electric signal. The only precaution that can be taken is to put the wire in an unreachable place. An ethernet cable buried underground is much safer than those lying round in the student dormitory.
ARP and RARP are protocols that help IP packet gets to the destination machine. Hence, they are put below the Internet layer.
3.2.1. ARP
Address Resolution Protocol provides mapping between 32 bit IP addresses and hardware address used by the data link. This is very important because the Ethernet (over which the IP packets are usually sent) does not understand the 32 bit IP addresses. So an Ethernet broadcast packet containing the desired IP address must be sent first, and the corresponding host will reply with its hardware address. Here is how it looks on the TCP dump output.
12:09:57.606888 arp who-has 155.69.172.141 tell 155.69.183.1
12:09:57.607195 arp reply 155.69.172.141 is-at 0:a0:cc:28:35:bc
One security concern about this protocol is that anyone could reply to the broadcast request with faulty hardware address hence directing the traffic to that particular machine. ARP does not have an authentication method to verify that the reply is legitimate. Another thing is the ARP cache on each machine (this can be seen using the command "arp –a" ). An attacker could flood the machine with ARP replies, flushing the machine’s ARP cache. This can cause devices like switches to re-enter the learning mode [12].
3.2.2 RARP
The principle of RARP is for the diskless system to read its unique hardware address from the interface card, and send an RARP request (a broadcast frame on the network) asking for someone to reply with the diskless system’s IP address. As it is with ARP, the lack of authentication makes it vulnerable to spoofing.
3.3 Internet layer
3.3.1 ICMP (Internet Control Message Protocol)
As the name suggest, this protocol is used in the Internet layer as means to transmit control messages from host to host. The common attacks exploiting this protocol are as follow:
ICMP message "time exceeded" is sent when the TTL (Time To Live) field in the IP header expires (reaches zero). This message and "Destination Unreachable" message will cause a connection to be dropped. An attacker can forge these messages to obtain that effect
This mechanism is used to inform hosts of a better route to destination. An attacker can firstly sends a false packet claiming from T. Then, he sends a false redirect message referring to that bogus connection. It will appear to be legitimate and the routing change will be accepted.
This is similar to RIP attack.
The workaround for this problem is to avoid changing the global routing table upon receiving an ICMP redirect packet
This message is used to test host’s availability, more commonly known as
"Ping" command (in the application layer). A host receiving ICMP echo request replies with an ICMP echo reply. Here is the TCP dump output :12:09:52.607213 155.69.183.1 > 155.69.172.141: icmp: echo request (ttl 64, id 4204)
12:09:52.607600 155.69.172.141 > 155.69.183.1: icmp: echo reply (ttl 128, id 21046)
Ping flood is an attack making use of this protocol. More of it will be discuss in the application layer.
3.3.2 IGMP (Internet Group Message Protocol)
This protocol is used for multicasting service. It lets all the systems on a physical network know which hosts currently belong to which multicast groups [1]. Window systems are found to degrade its performance upon receiving a fragmented IGMP packet. Microsoft has released patches for this, but those who have not applied this fix are still vulnerable to this attack.
3.3.3 IP (Internet Protocol)
An IP header is attached to the TCP segment in this layer. An overview on IP header format is given in Appendix A.
This is when we are impersonating a host by using his or her IP address. Usually when attackers send a malicious packet, they at the same time spoof the source IP address so it would be more difficult to trace them. The problem with this is that the spoofed address will receive an acknowledgement, and since they have no knowledge of the sent packet, they might reset the connection. That is why sometimes it is best to wait until that host is offline, or else that host has to be compromised first (for example by flooding it)
In the IP header, there is an IP option field in which one bit can be turned on to specify that the packet is source routed. This kind of packet contains the information about the route which it has to take. This is very dangerous since it can lead the packet to travel anywhere the attacker wants.
Most firewalls are configured to drop packets with IP option source route bit turned on.
This is an exploit of IP fragmentation module. Here the fragmented packet is modified in such a way that host computer will crash not being able to re-assemble it. This attack is famous under the name teardrop attack.
The other idea is to send a heavily fragmented oversized packet to consume processor time in re-assembling them.
There are certain kinds of packets, which are not meant to be sent over a network. For example, it is impossible for a host to receive a packet, which has an IP header source address field set to its own IP. However, with lower level programming, this kind of packet can be constructed and sent successfully. The result is disastrous for the target host since it does not know how to handle such packet.
Land is an attack, which send a packet using the same source and destination address on an open port. Another example is Winnuke, which send an OOB (out of bound) packet to port 139 of a windows machine.
3.4 Transport layer
The first end to end connection. However, the TCP protocol also has its flaws.
Three-way handshake is used to establish a connection and to terminate it. A normal connection establishment involves two parties exchanging the correct sequence number. The client selects and transmits initial sequence number (ISN) for example C, the server will acknowledge it with C + 1 and send its own sequence number S which will be acknowledged again by the client in the same manner. Following that, the data transmission may take place.
There is a state machine associated with this mechanism with 4 controlling timer (please refer to Appendix A for details). Unfortunately, there are states which has no timer controlling it. These states are sitting target for a denial of service attack.
3.4.1 Close Wait State
When SYN and FIN bit is set, we are entering a CLOSE WAIT state which has no timer associated with it. Sending only this packet will put the receiver into a stall)
3.4.2 Simultaneous connection establishment (flaws)
When both host send SYN and reply with SYN ACK, each host must be able to associate the reply with the correct connection. If not, they will move to SYN RECV state and switch off the connection establishment timer (please refer to Appendix A).
3.4.3 SYN flood
If only SYN packet is sent without continuation, eventually the buffer will be filled and the subsequent connection will be rejected.
To avoid this, the number of allowable connection can be increased, or the time out period of waiting for the ACK packet can be reduced (this method seems to be unfair for those hosts who want to establish a legal connection from across the country). Nevertheless, as long as these two numbers are finite, the threat still exists. More discussion on SYN flood will be presented in Denial of Service section (3.6).
3.4.4 Connection Hijacking
Refers to being a middleman in between a connection. This requires the knowledge of the sequence number used by both parties.
The first thing to be done is to create a desynchronized state, in which the sequence number received is different with expected). This can be done
e.g. NOP. Then we can proceed as per normal)
Both methods require us to know the correct TCP sequence number. These numbers can be analyzed and accurately guessed. As described in the Morris attack, the Berkeley system increments its initial sequence number by a constant amount each second and half of that constant on each new connection establishment.
It is suggested that we increment the initial sequence number rapidly, or even use a random number generator. However, this doesn’t mean that it cannot be analyzed. Once compromised, the attacker can just send a bogus packet and wait for the reply to get the current sequence number. Then, by calculating the round trip delay, he can send the real malicious packet with the correct sequence number.
3.5 Application layer
Up to this writing, there are countless number of application being distributed, some of which with an ingrained vulnerabilities. In this section, only some of the basic applications are reviewed. 5 applications are selected from UDP and TCP based application (please refer to figure 3.1).
3.5.1. Ping
As mentioned in the Internet layer, Ping application uses ICMP echo request and reply. A normal ping traffic would look like this:
12:09:52.607213 155.69.183.1 > 155.69.172.141: icmp: echo request (ttl 64, id 4204)
12:09:52.607600 155.69.172.141 > 155.69.183.1: icmp: echo reply (ttl 128, id 21046)
12:09:53.606917 155.69.183.1 > 155.69.172.141: icmp: echo request (ttl 64, id 4205)
12:09:53.607286 155.69.172.141 > 155.69.183.1: icmp: echo reply (ttl 128, id 21558)
12:09:54.606915 155.69.183.1 > 155.69.172.141: icmp: echo request (ttl 64, id 4206)
12:09:54.607280 155.69.172.141 > 155.69.183.1: icmp: echo reply (ttl 128, id 22326)
As observed above, an icmp echo request is sent every second. This is not the case for Ping flood. The request will be sent so rapidly that the server is overwhelm, and crash.
One thing about ping flooding is that there is always icmp echo reply from the other side. The attacker usually spoofs the source address, making the icmp echo reply went to the spoofed address. This is one of the traffic that an Intrusion Detection System should watch (IDS will be discussed further in chapter 4). A sudden large amount icmp echo reply traffic could mean the host is spoofed by a ping flooder. However, some firewalls are configured to drop icmp packets. This is good as a protection for the network behind that firewall, but it also makes it a good spoofable source.
3.5.2 Telnet
Telnet allows us to make a direct terminal connection to another host computer on the Internet, before which, a login name and a password must be supplied. These informations are susceptible to prying eyes on the net. This is a common hacking trick. One method to alleviate this is by using an IP based authentication, restricting only certain IP be able to telnet into the machine. Spoofing would be useless in this case, because the reply would get to the spoofed address instead of the attacker (unless he already has access to this trusted host). However, this method is very inconvenient for authorised personnel who travel as they work and does not have a permanent IP. In this case, the use of one time password is recommended.
3.5.3 FTP
File transfer protocol, similar to telnet, relies on login and password for authentication, which is susceptible to eavesdropping. More sites are adopting one time password to workaround this.
Anonymous FTP requires no password at all. This is a major security concern because a malicious attacker might put a hostile program or hacking tools inside, waiting to be run by an innocent user. Another precaution is for a system administrator to restrict anonymous ftp area. Some implementations require the creation of a partial replica of the directory tree. It has to be ensured that these files are not to be compromised and do not contain sensitive information. There is no greater gift for a hacker than having /etc/passwd available for download.
The major problem with FTP is actually its transfer file method which requires the opening of a second channel in non-ephemeral port (above 1024). This makes the firewall’s task very difficult, specially the fact that they must track the flow of transfer. More on firewall will be discussed in chapter 4.4
3.5.4 Traceroute
Trace route lets us see the route that IP datagram follow from one host to another. It works by firstly sending an IP datagram with TTL value set to 1. When it doesn’t reach the destination within one hop, an ICMP time exceeded packet will be received, and this host will send another IP datagram with TTL value set to 2. So long as ICMP time exceeded is received, the TTL value will be incremented.
Here is the TCP dump output: (CHANGE !! )
12:17:59.718132 155.69.183.1.38712 > 216.33.238.7.33437: udp 12 [ttl 1] (id 38715)
12:17:59.718645 155.69.160.254 > 155.69.183.1: icmp: time exceeded in-transit (ttl 128, id 45116)
12:17:59.719451 155.69.183.1.38712 > 216.33.238.7.33438: udp 12 (ttl 2, id 38716)
It was observed that the destination port is usually a very high UDP port number, which is very unlikely to be used by any application. This is very important for the implementation, because when the packet finally reach the target, instead of ICMP time exceeded, an ICMP port unreachable is received.
12:15:48.414071 155.69.183.1.38704 > 155.69.172.141.33436: udp 12 [ttl 1] (id 38706)
12:15:48.414371 155.69.172.141 > 155.69.183.1: icmp: 155.69.172.141 udp port 33436 unreachable (ttl 128, id 17207)
Here is an example of a traceroute result.
Tracing route to 155.69.248.190 over a maximum of 30 hops:
1. <10ms 1ms 1ms 155.69.160.254
2. 1ms 1ms 1ms 155.69.201.253
3. 2ms 4ms 2ms 155.69.248.190
Trace complete
This program revealed the path from host to host. There is nothing wrong with the trace route by itself, but this is a very good tool for an attacker. If he wants to observe a traffic from A to B, by looking at the trace result, he would know where should he put his sniffer. However, packets do not follow a constant path all the time. They do take different routes, although most of the time they don’t.
3.5.5 DNS
The Domain Name System does a mapping from name to IP address. An attacker who has an access to DNS server can make malicious changes to the table. That is why DNS server must be on a highly secure machine.
Another possible attack method is to generate a server’s response to the target’s query. This requires knowing the resolver’s UDP port (netstat might provide this information) and the DNS sequence number used for the query (usually 0). Intruder can intercept requests to translate names to IP addresses.
One way to overcome DNS attack is to perform 2 DNS query on hostname.
Another way is to ensure integrity and authentication. Hesiod name server has been developed by MIT, which uses Kerberos ticket for authenticating queries and responses. It includes session key, known only to Hesiod and client, used to compute a cryptographic checksum of the query and response.
3.5.6 TFTP
Trivial File Transfer Protocol is a simple file transfer mechanism without authentication. Properly configured TFTP daemon restricts the file transfer to certain directory. Failing to do which, an attacker would be able to get to whatever files he needs (typically /etc/passwd).
TFTP is actually used along with BOOTP to boot a diskless workstation. While BOOTP provides the client with information needed to obtain bootstrap configuration image, TFTP is used to obtain the image from the specified server.
3.6 DENIAL OF SERVICE
A discussion on attacks would not be complete without Denial of Service, the most popular term this year. The most recent attack on popular site like CNN and Yahoo early February this year makes people around the world realize that security really is something to worry about if we are to enter the Internet age. This section will give an explanation along with a few variation of denial of service attack.
3.6.1 Definition
Any attack that denies a user from using services provided by the computer falls under denial of service category. This is an attack against availability, either the physical existence of the hardware or its processing power.
3.6.2 Destruction and Storage degradation
When someone physically tamper with the ethernet cable causing it to malfunction, he is hampering other user from connectivity to the net. This falls under denial of service; so does vandalizing keyboard or other computer peripheral. However, here we are more interested to the "non physical" aspect of denial of service.
Mail spammer floods user’s mailbox with useless e-mail. A more serious attack is the sending of a lot of oversized mail. This causes storage degradation. Mail spammer is still a serious threat these days. It is recommended to check carefully whether the source can be trusted before one really subscribe to any mailing list.
3.6.3 Process degradation
This is what people usually meant when they talk about denial of service; the occupying of CPU by absurd processes.
When a network is weighed down with continuous broadcast or multicast traffic. A broadcast storm may result in a total loss of network service as packets multiply.
As explained earlier, a ping / ICMP request is usually sent every seconds. However, for the case of ping flood, it is sent rapidly such that the target is overwhelmed and crashed.
Smurf is another variation of ping flood attack. It pings a broadcast address (255.255.255.255) and spoofs the source address. The poor victim would suddenly received a large amount of ICMP reply from all hosts on the network. A proper configuration for a network would be to disable a broadcast ping (unless it is needed).
This is a tcp dump output of a normal 3-way handshake.
(A)
12:22:34.431555 155.69.183.1.2206 > 155.69.172.141.139: S 2071926751:2071926751(0) win 32120 <mss 1460,sackOK,timestamp 7843239[|tcp]> (DF) (ttl 64, id 4257)
(B)
12:22:34.432307 155.69.172.141.139 > 155.69.183.1.2206: S 601820743:601820743(0) ack 2071926752 win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 64311)
(C)
12:22:34.432374 155.69.183.1.2206 > 155.69.172.141.139: . ack 1 win 32120 (DF) (ttl 64, id 4258)
The first one is a SYN, second one is a SYN ACK, and the third one is the ACK from the initiating party, following which the exchange of data can occur. In the case for SYN flood, we will not be seeing the third packet. Even the second packet is not considered. The important thing is to send as many SYN as possible in a short period of time.
The previously discussed fragmentation attack (teardrop) and malicious packet (better known as malformed or magic packet) such as Nuke and Land attack causes the victim to crash. They are for sure one of the denial of service method.
3.6.4 Distributed Denial of Service
The recent attack on February 2000 to famous web server such as CNN and Yahoo brings everybody attention to denial of service attack. Actually, this attack is performed by more than one machine. The attacker obviously has control over those computers, and installs the client software for DDoS. These computers are called "zombie" computers. At one time, the attacker activates the attack against one particular victim. Trinoo and Tribe Flood Network are examples of attack that uses this mechanism.
3.7 Port Scanning
So far we have been talking about attacks, but when packets are sent, which port must they be directed to? Port scanning by itself is not a form of attack, but it facilitates an attack. It is used to check whether a port is open (running any services) or not. There is no point directing an attack to a closed port. One thing about port scanning is that it has a significant signature which is a good hint for IDS (Intrusion Detection System) to trigger, that is an attempt to connect to a wide range of port.
3.7.1. TCP connect scan
The simplest way to do a port scan is to send a SYN packet, and wait for the SYN ACK. If there is no reply, that means the port is not used. However, this activity creates a half-open connection, which is logged. A few of this found on various ports, the IDS would trigger a warning. The next method is harder to detect.
3.7.2. TCP Syn Scan
Not only SYN packet is sent, but when SYN ACK is received, a RST (reset) packet is sent. This activity is not logged, as it behaves as a normal cancelled connection. This type of scan is often called "stealth scan".
3.7.3. TCP Fin Scan
Another method is by sending a FIN packet. An open port would not reply with any packet, since it cannot correlate the FIN packet to any connection. It would just assume the packet arrived by mistake. However, a closed port would reply with a RST packet. This type of scan does not work for windows system. It was observed that window system always response with an RST packet upon receiving a stray FIN.
In this chapter, a few defensive mechanisms will be presented. Emphasize will be given to firewall, Kerberos, and IDS, as they are considered a crucial part of the modern security measure. Lastly, a method to defeat Distributed Denial of Service is discussed
Future works
A section on report organization will be added in chapter 1. A graphical explanation on parallel architecture of IDS will be presented in section 4.7, followed by a section on Defeating Distributed Denial of Service Attack. Chapter 4 will end with a summary on overall protection mechanism against attacks.
Chapter 5 will be an explanation of the demo. Starting with scanning the victim up to sending a magic packet or flooding it (observed in tcpdump). A main engine of a sniffer will be explained, and a proof how some of the web based password authentication are merely sent in clear text will also be given. A simple IDS built using PERL will be presented to analyze and recognize a malicious traffic.
Books
[1] W. Richard Stevens , "TCP/IP Illustrated" , Addison Wesley Publishing Company 1994
[2] William R. Cheswick and Steven M. Bellovin, "Firewalls and Internet Security, Repelling the Wily Hacker", Addison Wesley Publishing Company 1994
[3] W. Richard Stevens, "Unix Network Programming", Prentice-Hall 1994
[4] Douglas E.Comer, "Internetworking with TCP/IP" , Prentice-Hall 1995
[5] Aviel D.Rubin, Daniel Geer, Marcus J.Ranum, "Web Security Sourcebook" ,Wiley Computer Publication 1997
Papers
[6] S.M. Bellovin, "Security Problems in the TCP/IP Protocol Suite", AT&T Bell Laboratory Murray Hill, New Jersey.
[7] Laurent Joncheray, "Simple Active Attack Against TCP", Merit Network, Inc.
[8] Chris Chambers, Justin Dolske, Jayaraman Iyer, "TCP/IP Security", Department of Computer and Information Science, Ohio State University, Colombus, Ohio.
[9] Armando Fox and Stephen D. Gribble, "Indirect Authentication Using Kerberos", University of California at Berkeley, 1996
[10] John D. Howard, "An Analysis Of Security Incidents On The Internet 1989 – 1995", Carnegie Mellon University
[11] Steven Cheung, Rick Crawford, Mark Dilger, Jeremy Frank, Jim Hoagland, Karl Levitt, Jeff Rowe, Stuart Staniford-Chen, Raymond Yip, Ran Zerkle, " The Design of GrIDS: A Graph-Based Intrusion Detection System", Department of Computer Science, University of California AT Davis 1999
[12] Dave Ahmad and Jeremy Rauch, "The authentication, management, and routing protocols that run your network", Black Hat security conference.
[13] Marcus J. Ranum, "Intrusion Detection and Network Forensics", Black hat security conference.
Useful URLs
[14] Computer Emergency Response Team (CERT) : http://www.cert.org
[15] SANS Institute : http://www.sans.org
[16] Defcon, Computer Underground Convention : http://www.defcon.org
[17] HNN : Hacker News Network : http://www.hackernews.com