Session Hijacking Countermeasures

In this article, we will go through the countermeasures against session hijacking.

Session Hijacking Detection Methods

  • Detection Method
    • Manual Method
      • Using Packet Sniffing Software
        • Normal Telnet Session
        • Forcing an ARP Entry
    • Automatic Method
      • Intrusion Detection Systems (IDS)
      • Intrusion Prevention Systems (IPS)

Protecting against Session Hijacking

  • Use Secure Shell (SSH) to create a secure communication channel.
  • Pass authentication cookies only over HTTPS connections.
  • Implement log-out functionality so the user can end the session.
  • Generate a new session ID after successful login, and accept only session IDs generated by the server.
  • Ensure data in transit is encrypted and implement defense-in-depth mechanisms.
  • Use a long random string or number as the session key.
  • Use different user names and passwords for different accounts.
  • Educate employees and minimize remote access.
  • Implement a timeout that destroys the session when it expires.
  • Do not transport the session ID in the query string.
  • Use switches rather than hubs and limit incoming connections.
  • Ensure client-side and server-side protection software is active and up to date.
  • Use strong authentication (such as Kerberos) or peer-to-peer VPNs.
  • Configure appropriate internal and external anti-spoofing rules on gateways.
  • Use IDS products or ARPwatch to monitor for ARP cache poisoning.
  • Use the encrypted protocols available in the OpenSSH suite.

Methods to Prevent Session Hijacking: To be Followed by Web Developers

  • Create session keys from long random strings or numbers so that it is difficult for an attacker to guess a valid session key.
  • Regenerate the session ID after a successful login to prevent session fixation attacks.
  • Encrypt the data and the session key transferred between the user and the web server.
  • Expire the session as soon as the user logs out.
  • Prevent eavesdropping within the network.
  • Reduce the life span of a session or a cookie.
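
The developer-side rules above (long random session keys, regenerating the ID at login, expiring on logout, short lifetimes), together with the earlier points about accepting only server-generated IDs and keeping the ID out of the query string, can all be exercised against a small server-side session store. The following is an added example written for this article, not code from the original page; the store, its timeout values, and the cookie name SESSIONID are constructed for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session is destroyed (constructed value)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard ceiling on session life regardless of activity (constructed value)


class SessionStore:
    """In-memory, server-side session store (constructed for illustration)."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so timeouts can be tested deterministically

    def _new_id(self):
        # 32 random bytes = 256 bits of entropy from the OS CSPRNG; far too long to guess or enumerate
        return secrets.token_urlsafe(32)

    def create(self, user=None):
        """Start an anonymous (or authenticated) session with a fresh server-generated ID."""
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def get(self, sid):
        """Return the session for an ID, or None.

        Only IDs this server issued are ever present in the table, so a client-supplied
        ID that was never created here is rejected rather than silently registered.
        Idle and absolute timeouts are enforced here, destroying the session on expiry.
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT or now - session["created"] > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        session["last_seen"] = now
        return session

    def login(self, presented_sid, user):
        """Regenerate the ID on privilege change.

        Whatever ID the client presented before authenticating is discarded, so an ID
        planted by a third party (session fixation) never becomes an authenticated session.
        """
        self.destroy(presented_sid)
        return self.create(user)

    def destroy(self, sid):
        """Logout: remove the session server-side so the old ID is worthless even if captured."""
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value carrying the ID: in a cookie rather than the URL, sent only over HTTPS,
    unreadable by page script, and not attached to cross-site requests."""
    return f"SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create()
    authenticated = store.login(anonymous, "alice")
    print("pre-login id :", anonymous)
    print("post-login id:", authenticated)
    print("header       :", session_cookie(authenticated))
```

The store never trusts an ID it did not mint, rotates the ID at the moment privileges change, and expires sessions both on inactivity and on an absolute clock; the cookie attributes keep the ID out of URLs, logs, and client-side script.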

Methods to Prevent Session Hijacking: To be Followed by Web Users

  • Do not click on links received through e-mails or instant messages.
  • Use firewalls to prevent malicious content from entering the network.
  • Use firewall and browser settings to restrict cookies.
  • Make sure that the website is certified by a trusted certificate authority.
  • Clear the browser history, offline content, and cookies after every confidential or sensitive transaction.
  • Prefer HTTPS over HTTP when transmitting sensitive or confidential data.
  • Log out by clicking the logout button instead of just closing the browser.

Approaches Vulnerable to Session Hijacking and their Preventative Solutions

Issue                      | Solution                      | Notes
---------------------------|-------------------------------|------------------------------------------------------------------------
Telnet, rlogin             | OpenSSH or ssh (Secure Shell) | If the session is hijacked, the data is encrypted, which makes it hard for the attacker to send properly encrypted traffic.
FTP                        | SFTP                          | Reduces the chances of successful hijacking.
HTTP                       | SSL (Secure Sockets Layer)    | Reduces the chances of successful hijacking.
IP                         | IPsec                         | Prevents hijacking by securing IP communications.
Any remote connection      | VPN                           | An encrypted VPN (PPTP, L2TP, IPsec, etc.) for remote connections prevents session hijacking.
SMB (Server Message Block) | SMB signing                   | Enhances the security of the SMB protocol and lessens the likelihood of session hijacking.
Hub network                | Switch network                | Mitigates the risk of ARP spoofing and other session hijacking attacks.

IPsec

  • IPSec is a protocol suite developed by the IETF for securing IP communications by authenticating and encrypting each IP packet of a communication session.
  • It is deployed widely to implement virtual private networks (VPNs) and for remote user access through dial-up connection to private networks.
  • Benefits:
    • Network-level peer authentication
    • Data origin authentication
    • Data integrity
    • Data confidentiality (encryption)
    • Replay protection 

Modes of IPsec

  • Transport Mode:
    • Authenticates the two connected computers
    • Has an option to encrypt the data transfer
    • Compatible with NAT
    • IPsec protects only the payload of the IP packet, leaving the original IP header untouched.
    • Only the data of the upper-layer protocol is authenticated or encrypted. Transport mode can be used, for instance, when two computers A and B on the same local area network communicate directly (without passing through a router or firewall) and both can process IPsec packets themselves.

  • Tunnel Mode:
    • Encapsulates the packets being transferred
    • Has an option to encrypt the data transfer
    • Not compatible with NAT
    • IPsec protects both the payload and the original IP header.
    • IPsec encrypts or authenticates the entire original packet and then prepends a new outer IP header. Tunnel mode must be used when one or both of the computers at the ends of an IPsec connection cannot process IPsec packets themselves and must rely on an IPsec-capable router or firewall to do so.

IPsec Architecture

  • AH protocol: authentication only, no encryption
  • ESP protocol: with encryption

IPsec Authentication and Confidentiality

  • IPsec uses two different security services for authentication and confidentiality:
    • Authentication Header (AH): Provides data authentication of the sender, that is, origin authentication and data integrity. Confidentiality is not provided.
    • Encapsulating Security Payload (ESP): Provides both data authentication and encryption (confidentiality) for the sender's data, that is, authentication, data integrity, and confidentiality.

With both the AH and the ESP protocol, before a protected packet is transmitted from the source host to the destination host, the two hosts first perform a handshake and establish a logical connection at the network layer. This logical channel is called a Security Association (SA).
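
To make the difference between the two modes, and the role of the ESP header and integrity check, concrete, here is an added example written for this article (not code from the original page or from any IPsec implementation). It builds a minimal IPv4 packet, wraps it in an ESP body in transport mode (original header kept, payload protected) and in tunnel mode (whole packet protected behind a new outer header), and shows what an on-path observer can read in each case. Assumptions: the IPv4 header is the minimal 20-byte form with checksum left at zero, the encryption is a counter-mode keystream from HMAC-SHA256 standing in for AES-CTR so the example runs with the standard library only, the ICV is HMAC-SHA256 truncated to 128 bits, and all keys, addresses, SPIs and payload are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

ESP_PROTO = 50   # IP protocol number of ESP
IPIP_PROTO = 4   # ESP "next header" value meaning an IPv4 packet is encapsulated (tunnel mode)
HDR_FMT = "!BBHHHBBH4s4s"          # minimal IPv4 header, no options
HDR_LEN = struct.calcsize(HDR_FMT)  # 20 bytes


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (version 4, IHL 5, TTL 64); checksum left at zero for illustration."""
    return struct.pack(HDR_FMT, 0x45, 0, HDR_LEN + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of a minimal IPv4 packet."""
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, pkt[HDR_LEN:total_len]


def _keystream(key, iv, length):
    """Counter-mode keystream derived with HMAC-SHA256 (stand-in for AES-CTR, stdlib only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_wrap(plaintext, next_header, spi, seq, enc_key, auth_key):
    """ESP body: SPI | sequence | IV | encrypted(plaintext | pad | pad_len | next_header) | ICV.
    The SPI names the Security Association; the ICV gives the authentication that AH would provide."""
    iv = os.urandom(8)
    pad_len = (-(len(plaintext) + 2)) % 4          # trailer aligned to 4 bytes, as RFC 4303 requires
    trailer = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ct = _xor(trailer, _keystream(enc_key, iv, len(trailer)))
    body = struct.pack("!II", spi, seq) + iv + ct
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:16]  # HMAC-SHA256-128 style truncation
    return body + icv


def esp_unwrap(body, enc_key, auth_key):
    """Verify the ICV first, then decrypt; return (next_header, plaintext). Raises ValueError on tampering."""
    data, icv = body[:-16], body[-16:]
    if not hmac.compare_digest(hmac.new(auth_key, data, hashlib.sha256).digest()[:16], icv):
        raise ValueError("ESP integrity check failed")
    iv, ct = data[8:16], data[16:]
    trailer = _xor(ct, _keystream(enc_key, iv, len(ct)))
    pad_len, next_header = trailer[-2], trailer[-1]
    return next_header, trailer[:-(pad_len + 2)]


def transport_mode(pkt, spi, seq, enc_key, auth_key):
    """Transport mode: original addresses stay in the header (protocol becomes 50); only the payload is protected."""
    src, dst, proto, payload = parse_ipv4(pkt)
    esp = esp_wrap(payload, proto, spi, seq, enc_key, auth_key)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(pkt, gw_src, gw_dst, spi, seq, enc_key, auth_key):
    """Tunnel mode: the whole original packet, header included, is protected behind a new outer header."""
    esp = esp_wrap(pkt, IPIP_PROTO, spi, seq, enc_key, auth_key)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def on_path_view(pkt):
    """What an observer between the peers can read: the outer addresses and protocol only."""
    src, dst, proto, _ = parse_ipv4(pkt)
    return {"src": src, "dst": dst, "proto": proto}


def receive(pkt, enc_key, auth_key):
    """Reverse either mode and return the original plaintext packet."""
    src, dst, proto, body = parse_ipv4(pkt)
    if proto != ESP_PROTO:
        raise ValueError("not an ESP packet")
    next_header, inner = esp_unwrap(body, enc_key, auth_key)
    if next_header == IPIP_PROTO:
        return inner                                           # tunnel mode: inner packet is complete
    return ipv4_header(src, dst, next_header, len(inner)) + inner  # transport mode: restore original header


# Constructed sample material: keys are not real SA keys, the payload is a dummy string, not a TCP segment.
ENC_KEY = b"constructed-esp-encryption-key"
AUTH_KEY = b"constructed-esp-authentication-key"
ORIGINAL = ipv4_header("192.168.1.10", "192.168.2.20", 6, 11) + b"hello world"

if __name__ == "__main__":
    print("transport:", on_path_view(transport_mode(ORIGINAL, 0x1000, 1, ENC_KEY, AUTH_KEY)))
    print("tunnel   :", on_path_view(tunnel_mode(ORIGINAL, "203.0.113.1", "198.51.100.1", 0x1001, 1, ENC_KEY, AUTH_KEY)))
```

In transport mode the observer still learns the real endpoints (192.168.1.10 to 192.168.2.20) but sees only protocol 50 and ciphertext; in tunnel mode even the endpoints are hidden behind the gateway addresses. Checking the ICV before decrypting is what turns a flipped byte into a rejected packet rather than garbage handed to the upper layer.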

Components of IPsec

  • IPsec driver: Software that performs the protocol-level functions required to encrypt and decrypt packets.
  • Internet Key Exchange (IKE): The IPsec protocol that produces security keys for IPsec and other protocols.
  • Internet Security Association and Key Management Protocol (ISAKMP): Software that allows two computers to communicate by encrypting the data exchanged between them.
  • Oakley: A protocol that uses the Diffie-Hellman algorithm to create a master key, and a key specific to each session in the IPsec data transfer.
  • IPsec Policy Agent: A Windows 2000 service that collects IPsec policy settings from Active Directory and applies the configuration to the system at start-up.