Network Security: DoS Attack, Smurf Attack, Botnets, Worms CS4622 Group 4: Emilio Bapue, James Brown, Daemin Lee, Katelyn Marsala, Armando Mercado
Introduction: Network Security
What is network security? It is any activity designed to protect the usability and integrity of a network and its data. It includes both hardware and software technologies. Effective network security manages access to the network: it targets a variety of threats and stops them from entering or spreading in the network.
How does network security work? It combines multiple layers of defenses at the edge and in the network. Each network security layer implements policies and controls. Authorized users gain access to network resources, but malicious actors are blocked from carrying out exploits and delivering threats.
Types of network security
Access control
Not everyone should have access to your network. To keep out potential attackers, you need to recognize each user and each device; only then can you enforce your security policies. You can block non-compliant endpoint devices or give them only limited access.
Antivirus and antimalware software
Sometimes malware will infect a network but lie dormant for days or even weeks. The best antimalware programs not only scan for malware on entry, but also continuously track files afterward to find anomalies, remove malware, and repair damage.
Application security, email security, firewalls
Application security
Applications may contain holes, or vulnerabilities, that attackers can use to infiltrate your network. Application security encompasses the hardware, software, and processes you use to close those holes.
Email security
Email gateways are the number one threat vector for a security breach. Attackers use personal information and social engineering tactics to build sophisticated phishing campaigns that deceive recipients and send them to sites serving malware. An email security application blocks incoming attacks and controls outbound messages to prevent the loss of sensitive data.
Firewalls
Firewalls put up a barrier between your trusted internal network and untrusted outside networks, such as the Internet. They use a set of defined rules to allow or block traffic. A firewall can be hardware, software, or both.
Distributed Denial of Service (DDoS) Attack
"An attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource." - TechTarget
A DDoS attack is usually carried out by sending a flood of requests from many machines, typically the bots of a botnet, to a server until the load overwhelms the system and it stops responding or crashes.
The main objective of such an attack is to deny other end users access to a system's resources, usually a website.
The goal is the same as a DoS attack; the only difference is that the traffic comes from many machines at once, so the attack is distributed and cannot be stopped by blocking a single source.
DDOS Attack Visualized
Ways of responding to DDoS attacks
Firewalls and rate limiting, to drop obvious flood traffic before it reaches the application
Having several geographically spread backup servers and data centers for emergencies when servers do go down
Increasing bandwidth, which raises the bar for an attacker but does not stop a large attack on its own
DDoS mitigation (traffic scrubbing) services that filter the traffic upstream of your network
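The following is an added example in Python, not code from the slides or from any cited source, illustrating the firewall and rate-limiting response above. It assumes a constructed Common Log Format access log, addresses from the documentation ranges (192.0.2.0/24, 203.0.113.0/24), and thresholds chosen for illustration (20 requests per source and 150 requests per server in a 10-second window). It runs two checks over the same traffic: a per-source counter, which catches a plain DoS from one host, and an aggregate counter, which is the only one that sees a distributed flood whose bots each stay under the per-source limit.

```python
"""Flood detection over web-server access log lines (constructed sample data).

Two sliding-window checks:
  1. per source: one IP exceeding per_ip_limit requests inside the window is a
     candidate for a firewall block rule (a plain DoS from a single host);
  2. aggregate: total requests inside the window compared with the capacity
     the server can serve. A DDoS spreads the load over many bots, each of
     which can stay well under the per-IP limit, so only this check sees it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format with the identd/user fields empty ("- -").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


class FloodDetector:
    """Sliding-window request counters: one per source IP plus one for the whole server."""

    def __init__(self, window_s=10, per_ip_limit=20, capacity_per_window=150):
        self.window = timedelta(seconds=window_s)
        self.per_ip_limit = per_ip_limit
        self.capacity = capacity_per_window
        self._per_ip = defaultdict(deque)
        self._all = deque()
        self.flagged_ips = set()   # sources to block at the firewall
        self.overloaded = False    # aggregate rate exceeded capacity at least once

    @staticmethod
    def _push(q, ts, cutoff):
        q.append(ts)
        while q[0] < cutoff:       # drop timestamps that fell out of the window
            q.popleft()
        return len(q)

    def observe(self, ip, ts):
        cutoff = ts - self.window
        if self._push(self._per_ip[ip], ts, cutoff) > self.per_ip_limit:
            self.flagged_ips.add(ip)
        if self._push(self._all, ts, cutoff) > self.capacity:
            self.overloaded = True


def analyze(lines, **detector_kwargs):
    """Feed parsed log lines to a FloodDetector in timestamp order and return it."""
    det = FloodDetector(**detector_kwargs)
    events = [e for e in map(parse_line, lines) if e is not None]
    for ip, ts in sorted(events, key=lambda e: e[1]):
        det.observe(ip, ts)
    return det


# --- constructed sample traffic; addresses are from the documentation ranges ---
T0 = datetime(2017, 4, 17, 12, 0, 0, tzinfo=timezone.utc)


def make_line(ip, offset_s, path="/"):
    ts = (T0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def single_source_dos():
    """One host, 40 requests in 4 seconds: over the per-IP limit, under capacity."""
    return [make_line("203.0.113.7", i / 10) for i in range(40)]


def distributed_flood(bots=120, per_bot=2):
    """120 bots, 2 requests each within ~9 s: every bot is under the per-IP limit."""
    lines = []
    for b in range(bots):
        ip = f"192.0.2.{b + 1}"
        for r in range(per_bot):
            lines.append(make_line(ip, b * 0.05 + 3 * r, "/index.html"))
    return lines


if __name__ == "__main__":
    for name, traffic in (("single-source DoS", single_source_dos()),
                          ("distributed flood", distributed_flood())):
        det = analyze(traffic)
        print(f"{name}: block {sorted(det.flagged_ips)}, overloaded={det.overloaded}")
```

The single-source flood is caught by the per-IP counter and the address can be turned into a firewall rule; the distributed flood keeps every bot under that limit and only shows up in the aggregate count, which is why the other responses on the slide (spare capacity, distributed servers, an upstream mitigation service) are needed against a real DDoS.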
Smurf Attack
A type of DDoS attack that originated in the late 1990s
Exploits the Internet Control Message Protocol (ICMP) and Internet Protocol (IP) broadcast addressing
ICMP packets exchange information about the state of a network; an ICMP echo request ("ping") asks a host to answer with an echo reply
DDoS.Smurf malware automates the attack
Three parties are involved in the attack: the attacker, the target (victim), and the intermediate network (the amplifier)
How a Smurf Attack Works
The attacker sends ICMP echo requests to the broadcast address of the intermediate network, with the source address forged to be the victim's IP address.
Every host on the intermediate network that receives the broadcast answers with an echo reply addressed to the forged source, that is, to the victim.
The victim receives one reply from every responding host for each request the attacker sent, so an intermediate network with N responding hosts amplifies the attacker's traffic N times.
Defenses: routers should not forward packets addressed to directed-broadcast addresses (the default on modern routers), hosts can be configured to ignore broadcast echo requests, and networks should filter outbound packets with forged source addresses so they cannot be used as the attacker's launch point.
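The three-party exchange above, as an added Python example that is not from the slides or the cited sources. It constructs the packets of a Smurf exchange as (source, destination, ICMP type) records and runs the check each party's operator would want: the intermediate network looks for echo requests addressed to its own broadcast address, and the victim looks for echo replies converging on one host from many distinct sources. The ICMP type numbers are the real ones (8 = echo request, 0 = echo reply); the networks, host count and victim address are made up from the documentation address ranges.

```python
"""Smurf-attack detection over packet records, from two vantage points.

Each record is (src_ip, dst_ip, icmp_type). The sample traffic is constructed
by simulating the attacker, the intermediate network and the victim.
"""
import ipaddress
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0


def simulate_smurf(intermediate_net, live_hosts, victim, n_requests):
    """Construct the packets of a Smurf exchange (illustrative, not captured traffic).

    The attacker sends n_requests echo requests to the directed-broadcast address
    of intermediate_net with the source forged to `victim`; every live host on
    that network replies to the forged source.
    """
    net = ipaddress.ip_network(intermediate_net)
    bcast = str(net.broadcast_address)
    hosts = [str(h) for h in list(net.hosts())[:live_hosts]]
    packets = []
    for _ in range(n_requests):
        packets.append((victim, bcast, ECHO_REQUEST))   # forged source, broadcast destination
        for h in hosts:
            packets.append((h, victim, ECHO_REPLY))      # replies converge on the victim
    return packets


def normal_ping():
    """A legitimate unicast ping between two hosts, which must not be flagged."""
    return [("192.0.2.5", "192.0.2.6", ECHO_REQUEST), ("192.0.2.6", "192.0.2.5", ECHO_REPLY)]


def directed_broadcast_requests(packets, local_net):
    """Amplifier-side check: echo requests addressed to our own broadcast address.

    Caveat: the source of such a packet is the forged victim address, not the
    attacker's, so it identifies who is being attacked, not who is attacking.
    """
    bcast = str(ipaddress.ip_network(local_net).broadcast_address)
    return [p for p in packets if p[2] == ECHO_REQUEST and p[1] == bcast]


def amplified_targets(packets, min_distinct_sources=10):
    """Victim-side check: destinations receiving echo replies from many distinct sources."""
    fan_in = defaultdict(set)
    for src, dst, icmp_type in packets:
        if icmp_type == ECHO_REPLY:
            fan_in[dst].add(src)
    return {dst: len(srcs) for dst, srcs in fan_in.items() if len(srcs) >= min_distinct_sources}


def amplification_factor(packets, target):
    """Echo replies delivered to `target` per echo request that carried `target` as its source."""
    requests = sum(1 for s, _, t in packets if t == ECHO_REQUEST and s == target)
    replies = sum(1 for _, d, t in packets if t == ECHO_REPLY and d == target)
    return replies / requests if requests else 0.0


if __name__ == "__main__":
    victim = "198.51.100.10"
    pkts = normal_ping() + simulate_smurf("192.0.2.0/24", live_hosts=50,
                                          victim=victim, n_requests=3)
    print("broadcast echo requests seen by 192.0.2.0/24:",
          len(directed_broadcast_requests(pkts, "192.0.2.0/24")))
    print("targets under reply flood:", amplified_targets(pkts))
    print("amplification factor for the victim:", amplification_factor(pkts, victim))
```

Three small requests from the attacker become 150 replies at the victim, and the amplifier sees only the victim's address in the requests it relayed, which is why the defense has to happen at the intermediate network (no directed broadcast) and at the attacker's network (source-address filtering) rather than at the victim.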
Botnets
A botnet is a network of compromised computers (bots, or zombies) that can be made to execute malicious code en masse on command from the botnet's operator (the bot master).
In addition to the master, there are generally command-and-control servers that act as intermediaries between the master and the bots.
The primary bot-spreading vectors are malicious links, email attachments, and drive-by downloads that execute and install automatically when a user visits a malicious site.
Avoiding infection depends largely on user awareness, backed by the patching and antimalware controls described above.
Botnet Use Examples
DDoS: an army of bots is used to flood a specified address and port and interrupt network traffic
Keylogging: the bots' keystrokes are monitored and recorded
Spam: bots are used to propagate spam and phishing emails, and potentially malicious links in things like instant messenger clients
Click fraud: bots are used en masse to visit web pages and click on advertisements that pay out based on the number of clicks
Warez: bots are used as storage and hosts for pirated software
Worms
A worm is a malicious program that replicates itself and spreads through a network without a user having to run it on each machine
It can carry a payload, but many do not; a common payload is a backdoor that adds the infected machine to a botnet
Worms spread both by exploiting security vulnerabilities and by social engineering
A worm is harmful even without a payload: while spreading it can bring a network down, mostly through the traffic it generates scanning for new hosts, or by crashing machines when an exploit misfires
Helpful worms, or anti-worms, are not unheard of; they often appear during worm outbreaks or in simulated environments
Mitigating Worm Outbreaks
Isolate potentially vulnerable computers, such as servers, on their own network segments
Keep systems updated with the latest patches, especially servers that accept requests from the Internet
Implement access controls with a firewall so that only the ports a host needs are reachable
Isolate and clean computers that are already compromised
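Added example in Python, a constructed model rather than any real worm's code, that ties the mitigation list above to the spreading behaviour described under Worms: a random-scanning worm on a small address space, with patching (the fraction of hosts still vulnerable) and firewall filtering (the probability that a probe is dropped) as parameters. The address-space size, scan rate, tick count and random seed are illustrative assumptions.

```python
"""Random-scanning worm simulation (constructed model, not any real worm's code).

n_hosts addresses; a fraction of them run the vulnerable (unpatched) service.
Each tick every infected host fires scans_per_tick probes at uniformly random
addresses. A probe that reaches an unpatched, uninfected host infects it.
Every probe is counted as traffic whether or not it lands, which is why a
scanning worm loads the network even when most targets are not vulnerable.
"""
import random


def simulate(n_hosts=256, vulnerable_fraction=0.5, block_prob=0.0,
             scans_per_tick=32, ticks=300, seed=1):
    """Return the infected-host count per tick, total probes sent, and the number
    of vulnerable hosts. Stops early once every vulnerable host is infected."""
    rng = random.Random(seed)
    k = round(vulnerable_fraction * (n_hosts - 1))
    vulnerable = set(rng.sample(range(1, n_hosts), k)) | {0}   # host 0 is patient zero
    infected = {0}
    history = [len(infected)]
    scan_packets = 0
    for _ in range(ticks):
        for _host in list(infected):                # hosts infected this tick scan next tick
            for _ in range(scans_per_tick):
                target = rng.randrange(n_hosts)
                scan_packets += 1                   # traffic is generated regardless of outcome
                if rng.random() < block_prob:       # firewall drops the probe
                    continue
                if target in vulnerable:            # patched hosts ignore the exploit
                    infected.add(target)
        history.append(len(infected))
        if len(infected) == len(vulnerable):
            break
    return {"infected": history, "scan_packets": scan_packets,
            "vulnerable": len(vulnerable)}


def ticks_to_saturate(result):
    """Ticks until every vulnerable host was infected, or None if the run ended first."""
    return len(result["infected"]) - 1 if result["infected"][-1] == result["vulnerable"] else None


if __name__ == "__main__":
    for frac, block in ((1.0, 0.0), (0.5, 0.0), (0.5, 0.5), (0.1, 0.0), (0.5, 1.0)):
        r = simulate(vulnerable_fraction=frac, block_prob=block)
        print(f"vulnerable={frac:.0%} blocked={block:.0%}: "
              f"{r['infected'][-1]}/{r['vulnerable']} infected, "
              f"saturated after {ticks_to_saturate(r)} ticks, "
              f"{r['scan_packets']} scan packets")
```

Two things the table makes visible: patching shrinks the population the worm can ever reach and slows it down, because most probes then hit immune hosts, while a firewall that drops probes slows the worm without changing how many hosts are ultimately at risk; and the probe count keeps growing with the number of infected hosts either way, which is the load that took networks down in the Slammer outbreak even on segments with nothing vulnerable to infect.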
History of Worms
The first Internet worm to cause widespread damage was written in 1988 by Robert Morris, a Cornell graduate student, and released from MIT
According to its author it was intended to count the machines connected to the Internet
It spread too rapidly, reinfecting machines repeatedly, and so acted as a denial-of-service attack that took approximately 6,000 computers offline
Computer worms were most widespread from the late 1990s to the early 2000s
Several worms made the evening news: Code Red, ILOVEYOU, Sasser, etc.
Worm outbreaks have declined due to better security practices in enterprise and end-user networks
They are making a comeback with the emergence of IoT devices
Worm Examples
ILOVEYOU
Email worm that spread from the Philippines to Hong Kong to Europe to the US on Friday, May 5th 2000, arriving in the US that Friday morning
Used social engineering to get users to run a Visual Basic script attachment, which in turn sent itself to every contact in the Outlook address book
Blaster
Worm that spread from August 11, 2003, peaked on August 13, and subsided at the end of August
Spread through a vulnerability in the Windows RPC service that had been patched a month before
Its payload launched a DDoS attack (a SYN flood) against windowsupdate.com from Aug. 15 to Dec. 31
Had a helpful worm associated with it, Welchia, that removed Blaster and installed the patch for the vulnerability Blaster used
Examples (cont.)
SQL Slammer
Worm that spread on Jan. 25, 2003
Spread around the world in under 10 minutes by sending scan packets as fast as the infected host's link allowed; each probe was a single UDP packet, so no connection setup was needed
Caused denial of service for some server traffic and crashed routers by flooding them, overflowing routing tables and triggering too many routing table updates
Used a buffer overflow vulnerability in the MS SQL Server 2000 resolution service (UDP port 1434) to propagate; a patch had been available for six months
Resources/Citations
Rouse, Margaret, and Kevin Beaver. "What Is Distributed Denial of Service (DDoS) Attack? - Definition from WhatIs.com." SearchSecurity, TechTarget, Jan. 2017. Retrieved 17 Apr. 2017.
"Botnets." Shadowserver Foundation. Retrieved 1 Apr. 2017. <https://www.shadowserver.org/wiki/pmwiki.php/Information/Botnets>
"Smurf Attack." Incapsula DDoS Attack Glossary. Retrieved 19 Apr. 2017. <https://www.incapsula.com/ddos/attack-glossary/smurf-attack-ddos.html>
"What is smurfing? - Definition from WhatIs.com." SearchSecurity, TechTarget. Retrieved 19 Apr. 2017. <http://searchsecurity.techtarget.com/definition/smurfing>
"What is a Computer Worm." PC Tools. Retrieved 21 Aug. 2017. <http://www.pctools.com/security-news/what-is-a-computer-worm/>
"The Welchia Worm." GIAC GCIH paper, 18 Dec. 2003. Retrieved 20 Aug. 2017. <http://www.giac.org/paper/gcih/517/welchia-worm/105720>
Easttom, Chuck. Computer Security Fundamentals. 2nd ed. Indianapolis, IN: Pearson, 2016. Print.
Boutin, Paul. "Slammed!" WIRED, July 2003. Retrieved 21 Apr. 2017. <https://www.wired.com/2003/07/slammer/>