10.5 Countermeasures

Session Hijacking Detection Methods

  • Detection Method
    • Manual Method
      • Using Packet Sniffing Software
        • Normal Telnet Session
        • Forcing an ARP Entry
    • Automatic Method
      • Intrusion Detection Systems (IDS)
      • Intrusion Prevention Systems (IPS)

Protecting against Session Hijacking

  • Use Secure Shell (SSH) to create a secure communication channel.
  • Pass authentication cookies over an HTTPS connection.
  • Implement log-out functionality so the user can end the session.
  • Generate the session ID after successful login and accept only session IDs generated by the server.
  • Ensure data in transit is encrypted and implement defense-in-depth mechanisms.
  • Use a long random string or number as the session key.
  • Use different user names and passwords for different accounts.
  • Educate the employees and minimize remote access.
  • Implement a timeout() to destroy the session when it expires.
  • Do not transport the session ID in the query string.
  • Use switches rather than hubs and limit incoming connections.
  • Ensure client-side and server-side protection software is active and up to date.
  • Use strong authentication (like Kerberos) or peer-to-peer VPNs.
  • Configure the appropriate internal and external spoof rules on gateways.
  • Use IDS products or ARPwatch to monitor for ARP cache poisoning.
  • Use the encrypted protocols available in the OpenSSH suite.
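The detection outline above (packet sniffing, forcing an ARP entry, IDS) and the ARPwatch item both come down to one check: watching whether the MAC address answering for an IP changes. The following is an added example, not code from the original notes or from the ARPwatch project, of a small monitor in that style. The record format ("<epoch> <ip> <mac>") and the sample replies are constructed for the demonstration; the gateway's "pinned" entry plays the role of a forced (static) ARP entry.

```python
"""Added example (not from the original notes): an arpwatch-style monitor that
flags ARP cache poisoning by tracking the IP-to-MAC bindings it observes.
The input format ("<epoch> <ip> <mac>") and the sample replies are constructed
for this demonstration; they are not arpwatch's own arp.dat format."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ArpMonitor:
    # Static ("forced") entries: IPs whose MAC must never change, e.g. the gateway.
    pinned: Dict[str, str] = field(default_factory=dict)
    # IP -> MAC currently bound, learned from observed replies.
    bindings: Dict[str, str] = field(default_factory=dict)
    # IP -> every MAC ever seen for it, used to tell a flip-flop from a new address.
    history: Dict[str, Set[str]] = field(default_factory=dict)

    def observe(self, ts: int, ip: str, mac: str) -> Optional[str]:
        mac = mac.lower()
        expected = self.pinned.get(ip)
        if expected is not None and mac != expected:
            # A reply contradicting a static entry is the strongest poisoning signal;
            # the static binding is kept and the reply is reported.
            return f"{ts} pinned entry violated {ip} expected {expected} got {mac}"
        seen = self.history.setdefault(ip, set())
        current = self.bindings.get(ip)
        if current is None:
            self.bindings[ip] = mac
            seen.add(mac)
            return f"{ts} new station {ip} {mac}"
        if current == mac:
            return None  # binding unchanged, nothing to report
        # The IP is now claimed by a different MAC. A return to a previously seen
        # address is a "flip flop" (typical of a spoofer racing the real host).
        kind = "flip flop" if mac in seen else "changed ethernet address"
        self.bindings[ip] = mac
        seen.add(mac)
        return f"{ts} {kind} {ip} {current} -> {mac}"


def parse_line(line: str):
    """Parse one constructed record: '<epoch> <ip> <mac>'."""
    ts, ip, mac = line.split()[:3]
    return int(ts), ip, mac


def run_monitor(lines: List[str], pinned: Optional[Dict[str, str]] = None) -> List[str]:
    """Feed observed ARP replies through the monitor and collect its alerts."""
    mon = ArpMonitor(pinned=dict(pinned or {}))
    alerts = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        alert = mon.observe(*parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: the gateway 192.168.1.1 is briefly answered for by another
# MAC (a poisoning attempt) and then flips back to the real one.
SAMPLE_REPLIES = """
1700000000 192.168.1.1  aa:bb:cc:00:00:01
1700000001 192.168.1.10 aa:bb:cc:00:00:10
1700000002 192.168.1.11 aa:bb:cc:00:00:11
1700000060 192.168.1.1  de:ad:be:ef:00:99
1700000061 192.168.1.10 aa:bb:cc:00:00:10
1700000120 192.168.1.1  aa:bb:cc:00:00:01
""".strip().splitlines()

GATEWAY_PIN = {"192.168.1.1": "aa:bb:cc:00:00:01"}

if __name__ == "__main__":
    print("-- learning mode (no static entries) --")
    for a in run_monitor(SAMPLE_REPLIES):
        print(a)
    print("-- with the gateway pinned --")
    for a in run_monitor(SAMPLE_REPLIES, GATEWAY_PIN):
        print(a)
```

In learning mode the monitor reports the change and the flip-flop after the fact; with the gateway pinned it reports the contradicting reply immediately and never adopts the rogue binding, which is the effect a forced ARP entry has on the host's own cache.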

Methods to Prevent Session Hijacking: To be Followed by Web Developers

  • Create session keys from long strings or random numbers so that it is difficult for an attacker to guess a valid session key.
  • Regenerate the session ID after a successful login to prevent session fixation attacks.
  • Encrypt the data and session key transferred between the user and the web server.
  • Expire the session as soon as the user logs out.
  • Prevent eavesdropping within the network.
  • Reduce the life span of a session or a cookie.
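The server-side items in the two lists above (long random session IDs, accepting only server-issued IDs, regeneration after login, timeouts, invalidation on logout) fit in one small session store. The following is an added example, not code from the original notes or from any web framework; the class and function names are this example's own, and the timeout values are illustrative defaults.

```python
"""Added example (not from the original notes): a minimal server-side session
store that applies the developer-side countermeasures listed above: long random
session IDs, regeneration on login (against session fixation), idle/absolute
timeouts, invalidation on logout, and rejection of IDs the server never issued.
Class and function names are this example's own, not any framework's API."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str]   # None until the client authenticates
    created: float
    last_seen: float


@dataclass
class SessionStore:
    idle_timeout: float = 15 * 60        # expire after this much inactivity
    absolute_timeout: float = 8 * 3600   # and unconditionally after this long
    sessions: Dict[str, Session] = field(default_factory=dict)

    def _new_id(self) -> str:
        # 32 bytes (256 bits) from the OS CSPRNG: a key an attacker cannot guess.
        return secrets.token_urlsafe(32)

    def create(self, now: float) -> str:
        sid = self._new_id()
        self.sessions[sid] = Session(user=None, created=now, last_seen=now)
        return sid

    def lookup(self, sid: str, now: float) -> Optional[Session]:
        """Return the live session for sid, or None if unknown or expired.
        Only IDs this store issued are honored: a client-supplied ID the server
        never generated is simply absent from the table."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout or now - s.created > self.absolute_timeout:
            del self.sessions[sid]   # destroy on expiry (the timeout() item above)
            return None
        s.last_seen = now
        return s

    def login(self, sid: str, user: str, now: float) -> Optional[str]:
        """Authenticate the session and rotate its ID. Issuing a fresh ID means an
        ID planted in the victim's browser before login (session fixation) is
        never associated with the authenticated session."""
        if self.lookup(sid, now) is None:
            return None
        del self.sessions[sid]
        new_sid = self._new_id()
        self.sessions[new_sid] = Session(user=user, created=now, last_seen=now)
        return new_sid

    def logout(self, sid: str) -> None:
        # Invalidate server-side, so the cookie value is useless even if captured.
        self.sessions.pop(sid, None)

    def authenticated_user(self, sid: str, now: float) -> Optional[str]:
        s = self.lookup(sid, now)
        return s.user if s else None


def cookie_header(sid: str) -> str:
    """Set-Cookie line for the session ID: sent only over HTTPS and not readable
    by scripts, so it travels neither in plain HTTP nor in the query string."""
    return f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def fixation_demo() -> dict:
    """Walk through a login and show that the pre-login ID is rejected afterwards."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    pre = store.create(t0)                    # anonymous session before login
    post = store.login(pre, "alice", t0 + 5)  # ID rotated on authentication
    return {
        "pre_login_id_still_valid": store.lookup(pre, t0 + 6) is not None,
        "post_login_user": store.authenticated_user(post, t0 + 10),
        "idle_expired_user": store.authenticated_user(post, t0 + 10 + 16 * 60),
        "rotated": pre != post,
    }


if __name__ == "__main__":
    print(fixation_demo())
    print(cookie_header(secrets.token_urlsafe(32)))
```

The absolute timeout is what bounds the "life span of a session" item: a session that is touched regularly never trips the idle timeout, so without the absolute limit a captured cookie would stay valid indefinitely.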

Methods to Prevent Session Hijacking: To be Followed by Web Users

  • Do not click on links received through emails or IMs.
  • Use firewalls to prevent malicious content from entering the network.
  • Use firewall and browser settings to restrict cookies.
  • Make sure that the website is certified by a certificate authority.
  • Make sure you clear history, offline content, and cookies from your browser after every confidential and sensitive transaction.
  • Prefer HTTPS (secure transmission) over HTTP when transmitting sensitive and confidential data.
  • Log out by clicking the logout button instead of just closing the browser.

Approaches Vulnerable to Session Hijacking and their Preventative Solutions

  • Telnet, rlogin
    • Solution: OpenSSH or ssh (Secure Shell)
    • Notes: It sends encrypted data and makes it difficult for an attacker to send correctly encrypted data if the session is hijacked.
  • FTP
    • Solution: sFTP
    • Notes: It reduces the chances of successful hijacking.
  • HTTP
    • Solution: SSL (Secure Sockets Layer)
    • Notes: It reduces the chances of successful hijacking.
  • IP
    • Solution: IPSec
    • Notes: It prevents hijacking by securing IP communications.
  • Any remote connection
    • Solution: VPN
    • Notes: Implementing an encrypted VPN such as PPTP, L2TP, IPSec, etc. for remote connections prevents session hijacking.
  • SMB (Server Message Block)
    • Solution: SMB signing
    • Notes: It improves the security of the SMB protocol and reduces the chances of session hijacking.
  • Hub network
    • Solution: Switch network
    • Notes: It mitigates the risk of ARP spoofing and other session hijacking attacks.

IPSec (important) (?)

  • IPSec is a protocol suite developed by the IETF for securing IP communications by authenticating and encrypting each IP packet of a communication session.
  • It is widely deployed to implement virtual private networks (VPNs) and for remote user access to private networks through dial-up connections.
  • Benefits:
    • Network-level peer authentication
    • Data origin authentication
    • Data integrity
    • Data confidentiality (encryption)
    • Replay protection

Modes of IPsec (important) (?)

  • Transport Mode:
    • Authenticates two connected computers
    • Has an option to encrypt data transfer
    • Compatible with NAT

  • IPsec encrypts only the payload of the IP packet, leaving the header untouched.
  • Only the upper-layer protocol data is encrypted or authenticated. For example, when two computers A and B on a LAN can establish a connection directly (without going through a router or firewall), and both A and B are capable of processing IPSec packets, IPSec transport mode can be used.
  • Tunnel Mode:
    • Encapsulates packets being transferred
    • Has an option to encrypt data transfer
    • Not compatible with NAT

  • IPsec encrypts both the payload and the header.
  • IPSec encrypts or authenticates the entire packet and then prepends a new IP header on the outside. When one or both endpoints of the IPSec connection cannot process IPSec packets themselves and must rely on an IPSec-capable router or firewall to handle the IPSec packets on their behalf, tunnel mode must be used.

IPsec Architecture (important)

  • AH Protocol: no encryption
  • ESP Protocol: with encryption

IPsec Authentication and Confidentiality

  • IPsec uses two different security services for authentication and confidentiality:
    • Authentication Header (AH): Provides data authentication of the sender.
    • Encapsulating Security Payload (ESP): Provides both data authentication of the sender and encryption (confidentiality) of the data.
In both the AH and ESP protocols, before protected data packets are sent from the source host to the destination host, the source host and the remote host first perform a handshake and establish a network-layer logical connection. This logical channel is called a Security Association (SA).
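To make the mode and protocol sections above concrete (what transport mode and tunnel mode put in the packet, what AH authenticates, and the replay protection listed among the benefits), here is an added example that is not code from the original notes or from any IPsec implementation. It is a simplified model of AH: it keeps AH's structure (an SPI identifying the SA, a sequence number, and an integrity check value over the immutable header fields and the payload) but uses its own packet representation, field names and constructed key rather than the RFC 4302 wire format, and ESP's encryption is not modelled.

```python
"""Added example (not from the original notes): a simplified model of IPsec's
Authentication Header (AH) plus the receiver's anti-replay window, used to show
what transport mode and tunnel mode authenticate and why altered or replayed
packets are rejected. It mirrors AH's structure (SPI, sequence number, ICV over
the immutable header fields and payload) but is not the RFC 4302 wire format;
the packet representation, field names and key are this example's own."""
import hashlib
import hmac
from typing import Any, Dict, Optional

Packet = Dict[str, Any]

# Header fields routers legitimately change in transit; AH zeroes them when
# computing the ICV so a TTL decrement does not look like tampering.
MUTABLE_FIELDS = ("ttl",)


def serialize_ip(header: Dict[str, Any], payload: bytes) -> bytes:
    """Flatten an unprotected IP packet to bytes (the inner packet in tunnel mode)."""
    return "|".join(f"{k}={header[k]}" for k in sorted(header)).encode() + b"\n" + payload


def _authenticated_bytes(pkt: Packet) -> bytes:
    """Everything AH covers: outer header (mutable fields zeroed), SPI, sequence, payload."""
    hdr = pkt["header"]
    fields = [f"{k}={0 if k in MUTABLE_FIELDS else hdr[k]}" for k in sorted(hdr)]
    fields += [f"spi={pkt['spi']}", f"seq={pkt['seq']}"]
    return "|".join(fields).encode() + b"\n" + pkt["payload"]


def ah_protect(key: bytes, spi: int, seq: int, header: Dict[str, Any], payload: bytes,
               tunnel_header: Optional[Dict[str, Any]] = None) -> Packet:
    """Build an AH-protected packet. Transport mode keeps the original header and
    protects the upper-layer data; tunnel mode wraps the whole original packet
    behind a new outer header (normally addressed between two gateways)."""
    if tunnel_header is None:
        outer, body = dict(header), payload
    else:
        outer, body = dict(tunnel_header), serialize_ip(header, payload)
    pkt = {"header": outer, "spi": spi, "seq": seq, "payload": body, "icv": b""}
    pkt["icv"] = hmac.new(key, _authenticated_bytes(pkt), hashlib.sha256).digest()
    return pkt


def ah_verify(key: bytes, pkt: Packet) -> bool:
    expected = hmac.new(key, _authenticated_bytes(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt["icv"])


class ReplayWindow:
    """Sliding anti-replay window kept per Security Association by the receiver."""

    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, 0, 0  # bit i <=> seq highest-i seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                                  # never valid on a fresh SA
        if seq > self.highest:                            # slide the window forward
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False                                  # too old, or already seen
        self.bitmap |= 1 << offset
        return True


def receive(key: bytes, window: ReplayWindow, pkt: Packet) -> bool:
    """Receiver processing: authenticate first, then apply anti-replay."""
    return ah_verify(key, pkt) and window.check_and_update(pkt["seq"])


def demo() -> Dict[str, Any]:
    key = b"constructed demo key, not a real SA key"
    host_a, host_b, gw_a, gw_b = "10.0.0.1", "10.0.0.2", "198.51.100.1", "203.0.113.1"
    inner_hdr, data = {"src": host_a, "dst": host_b, "ttl": 64}, b"GET /index.html"
    transport = ah_protect(key, 0x100, 1, inner_hdr, data)
    tunnel = ah_protect(key, 0x200, 1, inner_hdr, data,
                        tunnel_header={"src": gw_a, "dst": gw_b, "ttl": 64})
    # A router decrementing TTL is fine; a NAT rewriting the source address is not,
    # because the address is part of what AH authenticates.
    ttl_dec = {**transport, "header": {**transport["header"], "ttl": 63}}
    natted = {**transport, "header": {**transport["header"], "src": "192.0.2.7"}}
    window = ReplayWindow()
    replayed = [receive(key, window, ah_protect(key, 0x100, s, inner_hdr, data))
                for s in (1, 2, 2, 70, 2, 69)]
    return {
        "transport_ok": ah_verify(key, transport),
        "tunnel_ok": ah_verify(key, tunnel),
        "ttl_decrement_ok": ah_verify(key, ttl_dec),
        "nat_rewrite_ok": ah_verify(key, natted),
        "tunnel_outer_src": tunnel["header"]["src"],
        "inner_src_only_in_payload": host_a.encode() in tunnel["payload"],
        "replay_accepted": replayed,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the run makes visible: in tunnel mode the outer header names only the gateways and the original addresses travel inside the authenticated payload, which is why an IPsec-capable router or firewall can protect hosts that cannot speak IPsec themselves; and because AH's ICV covers the source address, a middlebox that rewrites it breaks verification while a TTL decrement does not.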

Components of IPsec (?)

  • IPsec driver: Software that performs the protocol-level functions required to encrypt and decrypt packets.
  • Internet Key Exchange (IKE): IPsec protocol that produces security keys for IPsec and other protocols.
  • Internet Security Association and Key Management Protocol (ISAKMP): Software that allows two computers to communicate by encrypting the data exchanged between them.
  • Oakley: A protocol that uses the Diffie-Hellman algorithm to create a master key and a key specific to each session in IPsec data transfer.
  • IPsec Policy Agent: A Windows 2000 service that collects IPsec policy settings from Active Directory and applies the configuration to the system at startup.

Q1) The use of technologies like IPSec can help guarantee the following: authenticity, integrity, confidentiality and (?)

  1. non-repudiation.
  2. operability.
  3. security.
  4. usability.


  • IPsec effectively guarantees data confidentiality, integrity, authentication and non-repudiation.
  • Non-repudiation: under normal conditions, if A sends a message to B, A cannot later deny having sent it; this is non-repudiation.

Q2) A security engineer has been asked to deploy a secure remote access solution that will allow employees to connect to the company’s internal network. Which of the following can be implemented to minimize the opportunity for the man-in-the-middle attack to occur?

  1. SSL
  2. Mutual authentication
  3. IPSec
  4. Static IP addresses

Q3) Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan? (?)

  1. It is a network fault and the originating machine is in a network loop
  2. It is a worm that is malfunctioning or hardcoded to scan on port 500
  3. The attacker is trying to detect machines on the network which have SSL enabled
  4. The attacker is trying to determine the type of VPN implementation and checking for IPSec

A3) Port 500 is used by IKE (Internet Key Exchange). This is typically used for IPSEC-based VPN software, such as Freeswan, PGPnet, and various vendors of in-a-box VPN solutions such as Cisco. IKE is used to set up the session keys. The actual session is usually sent with ESP (Encapsulated Security Payload) packets, IP protocol 50 (but some in-a-box VPNs such as Cisco are capable of negotiating to send the encrypted tunnel over a UDP channel, which is useful across firewalls that block IP protocols other than TCP or UDP).

Q4) Assuming two systems are using IPSec to protect traffic over the internet, what type of general attack could compromise the data? (?)

  1. Spoof Attack
  2. Smurf Attack
  3. Man in the Middle Attack
  4. Trojan Horse Attack
  5. Back Orifice Attack


  • To compromise the data, the attack would need to be executed before the encryption takes place at either end of the tunnel. Trojan Horse and Back Orifice attacks both allow for potential data manipulation on host computers. In both cases, the data would be compromised either before encryption or after decryption, so IPsec is not preventing the attack.
  • Back Orifice (BO) is a client-server program: the server acts as an "insider" on the remote computer and the client issues commands to the server, so all monitoring requires the BO server to be running on the remote computer. It is software that leaves your computer wide open: the files, passwords and Windows registry on your computer can all be captured or modified.

Q5) Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?

  1. ESP confidential
  2. AH Tunnel mode
  3. ESP transport mode
  4. AH promiscuous

Q6) You want to establish a network connection between two LANs using the Internet. Which technology would best accomplish that for you? (?)

  1. IPSec
  2. L2TP
  3. PPP
  4. SLIP

A6) Layer 2 Tunneling Protocol (L2TP) is a VPN technology used to establish secure connections over an insecure medium such as the Internet.

Q7) In IPSec, encryption and other processes happen at which layer of the OSI model?

  1. Level 1
  2. Level 2
  3. Level 3
  4. Level 4

A7) IPSec operates at the Network layer, or layer 3, of the OSI model, unlike many previous techniques.

Q8) In IPSec, what does Authentication Header (AH) provide?

  1. Data security
  2. Header security
  3. Authentication services
  4. Encryption

A8) The Authentication Header provides authentication services to data, meaning that the sender of the data can be authenticated by the receiver of the data.

Q9) In IPSec, what does Encapsulating Security Payload (ESP) provide? (?)

  1. Data security
  2. Header security
  3. Authentication services
  4. Encryption

A9) Data security services are provided by ESP.

Q10) Which of the following does IPSec use? (?)

  1. SSL
  2. AES
  3. DES
  4. PKI

A10) PKI (Public Key Infrastructure) is used with IPSec to allow it to function in environments of any size. IPSec is also capable of using Preshared Keys if desired by the system owner.

Q11) IPSec uses which two modes?

  1. AH/ESP
  2. AES/DES
  3. EH/ASP
  4. AES/ESP

A11) IPSec uses two modes: Authentication Header (AH) and Encapsulating Security Payload (ESP). Both modes offer protection to data, but do so in different ways.

Q12) Which technology can provide protection against session hijacking?

  1. IPSec
  2. UDP
  3. TCP
  4. IDS
