Types of Network Attacks Based on slides accompanying the book Network Defense and Countermeasures by Chuck Easttom (2018)
Objectives Describe the most common network attacks Explain how these attacks are executed Identify basic defenses against those attacks A. Denial of service attacks B. Buffer overflow attacks C. IP Spoofing attacks D. Session Hijacking attacks E. Viruses F. Trojan horse attacks
A. Denial of Service Attacks Denial of Service (DoS) Distributed Denial of Service (DDoS) SYN Flood Smurf Attack The Ping of Death UDP Flood ICMP Flood DHCP Starvation HTTP Post DoS PDoS Distributed Reflection Denial of Service
Denial of Service (DoS) Attacks Based on the premise that all computers have operational limitations e.g., cpu cycles, memory space, network bandwidth Point out Figure 2 that illustrates a simple DoS attack. Also point out that the actual execution of the Dos attack is much more complicated. The example in the book uses the –w, -l (L) and –t switches to specify wait time, packet size, and timeout. Use the ping utility to execute the attack
Distributed Denial of Service (DDoS) Attacks Variation of a Denial of Service Launched from multiple clients More difficult to track due to the use of zombie machines c.f., bots – “A bot (short for "robot") is an automated program that runs over the Internet. Some bots run automatically, while others only execute commands when they receive specific input.” (source: https://techterms.com/definition/bot) Explain the terms related to DDoS attacks (that is, Zombie machines). Explain the general structure of a DDoS attack from the host (master launching the attack) to zombies to the target machine.
SYN Flood Takes advantage of the TCP handshake process The target server’s buffer space for handling TCP connection are exhausted; preventing legitimate sessions to be established All protocols relying on TCP are vulnerable (e.g., HTTP) Explain the process of the SYN flood attack: The client does not respond to the server acknowledgment in the TCP handshake process. Explain the defenses for the SYN flood, their weaknesses and strengths, and the difficulty level of configuring these defenses. Explain the figure and how it demonstrates the SYN flood attack.
SYN Flood TCP connection multi-step SYN to initiate SYN+ACK to respond ACK gets agreement Sequence numbers then incremented for future messages Ensures message order Retransmit if lost Verifies party really initiated connection
SYN Flood Implementation Receive SYN Allocate connection Acknowledge Wait for response See the problem? What if no response And many SYNs All space for connections allocated None for legitimate ones Time?
SYN Flood: Mitigations Micro Blocks Instead of a complete connection object, the server only allocates a few bytes to the incoming SYN request. Q: Would this be effective against the attack? Bandwidth Throttling Excessive SYN traffic from a IP causes that source’s bandwidth to be restricted (by the firewall or IDS)
SYN Flood: Mitigations SYN Cookies - When receiving the SYN request, the server does not allocate memory space, but rather send a cookie to the requester. Q: Trade-offs? RST Cookies - The server sends a wrong SYNACK back to the requester. Problem? May not be effective (because of firewalls) Stack Tweaking - Reduce timeout time set in the server’s stack Problem? (a) Only decrease (but doesn’t prevent) the danger; (b) complicated
SYN Flood: Mitigations Mitigations using intermediate hosts TCP intercept Router establishes connection to client When connected then establish connection with server Synkill Monitor machine behaves like a “firewall” Good addresses: history of successful connections Bad addresses: previous timeout attempt Block and terminate attempts from bad addresses
Smurf Attack Sends an ICMP packet to the network’s broadcast address (with the victim’s spoofed IP as the source) Explain how the Smurf attack uses the ICMP packet to affect the target computer. (The ICMP packet is broadcast on the network with an altered source address. The source address is the target or victim machine’s IP address.)
Ping of Death (PoD) Attacks machines that cannot handle oversized packets Causes the victim to crash Mitigations? Ensure that systems are patched and up to date Most current operating systems automatically drop oversized packets
Ping Flood Sends a large number of ICMP Echo requests or ping packets to the victim The victim responds with ICMP Echo Reply packets Both the victim’s incoming and outgoing bandwidth are used.
UDP Flood and IMCP Flood UDP (User Datagram Protocol) Flood Targets a victim machine’s open ports Sends packets to random ports of the victim If enough are sent, the target computer will be overwhelmed. ICMP Flood Another name for the Ping Flood
HTTP Post DoS Hangs server with slowly delivered HTTP Post message POST /path/script.cgi HTTP/1.0 From: frog@jmarshall.com User-Agent: HTTPTool/1.0 Content-Type: application/x-www-form-urlencoded Content-Length: 32 home=Cosby&favorite+flavor=flies Hangs server with slowly delivered HTTP Post message The ‘content-length’ is in the HTTP Post header, while the actual content is in the HTTP Post payload/body. The attacker sends the actual message body at an extremely slow rate, causing the HTTP server to ‘hung’.
Other Denial-of-Service Attacks DHCP Starvation Dynamic Host Configuration Protocol A DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network. The attacker sends lots of DHCP Request to the server, causing the DHCP server’s IP addresses to be depleted. Permanent DoS (PDoS) (a.k.a. phlashing) Often attacks the device’s firmware Causes OS reboot or damaged hardware
Distributed Reflection DoS (DRDoS) Explain that routers use port 179 to communicate over the Internet backbone. Also explain that packets are altered to have the target machine’s IP address as the source. Mitigations? Configure routers to not forward broadcast packets
DoS Tools Tools are downloadable from the Internet. Ease of access facilitates widespread use. Example DoS tools: Low Orbit Ion Cannon High Orbit Ion Cannon DoSHTTP Warning: Use a test system. DO NOT try these tools on a live system. Point out web sites where students can get more information regarding TFN2K: Washington University, PacketStorm Security, and CERT.
Real World Examples of DoS Attacks Viruses Started in Purpose FakeAV 2012 Fake Anti-Virus Flame Spyware MyDoom 2004 Cyber Terrorism Gameover ZeuS 2001 (src: https://www.knowbe4.com/gameover-zeus) Peer-to-peer botnet CryptoLocker & CryptoWall 2013 (CryptoLocker) 2014 (CryptoWall) Ransomware + bot (CryptoWall) Explain these worms and attacks and their effects.
Defending Against DoS Attacks Understand how attack is perpetrated Configure firewall to disallow incoming protocols or all traffic This may not be a practical solution. Disable forwarding of directed IP broadcast packets on routers Maintain virus protection on all clients on your network Maintain up-to-date operating system patches Establish policies for downloading software. Q. Example policies? Remind students how the DoS attack is executed and the protocols used in the attack. Explain that most network need to allow some type of traffic to function on the Internet. Explain the difference between Denial of Service and Dynamic Denial of Service. Provide additional examples. Point students to the SANS institute web site for additional information (www.sans.org/dosstep).
B. Buffer Overflow Attacks More common than DoS a few years ago Still a very real threat Designed to put more information in the buffer than it is meant to hold More difficult to execute (than DoS attacks) Can only occur if some flaw exists in the software Mitigations? ‘Good’ application design can reduce this threat. Explain how the buffer overflow attack works. Explain what knowledge is necessary to execute a buffer overflow attack (e.g. some programming language and knowledge of an OS).
Buffer Overflow Attacks How do buffer overflow attacks occur? Explain how the buffer overflow works. Provide examples if you have them. Also provide answers to the questions posed.
C. IP Spoofing Used to gain unauthorized access to computers by spoofing an authorized computer’s IP address Source address of packet is changed Often used as part of a DoS attack Becoming less frequent due to security Potential vulnerabilities with routers: External routers connected to multiple internal networks Proxy firewalls that use the source IP address for authentication Routers that subnet internal networks Unfiltered packets with a source IP on the local network/domain Provide ways to address IP spoofing: Do not release information about your internal IP addresses. Monitor incoming IP packets for signs of spoofing (e.g. Netlog). In relation to monitoring packets, if you use a Windows Server OS, it comes with a network monitor. Explain the dangers of not filtering or configuring your router properly to prevent IP spoofing attacks.
D. Session Hacking or Hijacking TCP Session Hijacking: The hacker takes over an established TCP session. Possible because authentication often is done at the start of a TCP session (one time only). “Most common is the man-in-the-middle attack.” Correction: The attack described in the book is actually eavesdropping attack. Q: What is man-in-the-middle (MITM) attack? Explain the process of how a man-in-the-middle attack is executed and how to avoid being caught in the middle.
MITM attacks “… a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.” -- https://en.wikipedia.org/wiki/Man-in-the-middle_attack Src: https://www.incapsula.com/web-application-security/man-in-the-middle-mitm.html
Session Hacking or Hijacking (cont.) An example of session hijacking: Launch a DoS attack against one of the communicating entities, say X Impersonate entity X while communicating with the remaining entity Q: Why is session hijacking possible? Encryption may be the only way to combat this type of attack (because …) Explain the process of how a man-in-the-middle attack is executed and how to avoid being caught in the middle.
E. Virus Attacks Most common threat to networks Propagate in two ways Scanning computer for network connections Reading e-mail address book and sending to all Examples: Sobig Virus Mimail and Bagle Sasser Provide other examples of viruses and what they tend to do.
Protecting Against Viruses Always use virus scanner software Do not open unknown attachments Establish a code word with friends and colleagues Do not believe security alerts sent to you Q: Other advices? Often on the security alert e-mails there is a link to view the alert. You might mention that these links could be false links or to a hacker’s site. You can view the header information of the e-mail to verify that it is going to the correct site. You also need to be familiar with the site or be able to verify it without clicking the link in the e-mail but typing the URL directly in your browser.
F. Trojan Horse Attacks Program that looks benign but has malicious intent They might: Download harmful software Install a key logger or other spyware Delete files Open a backdoor for hacker to use
Trojan Horse Caution Students are strongly cautioned against attempting to create any of these Trojan horse scenarios. Release of this type of application is a criminal offense and likely to result in a prison sentence and civil penalties.
Summary Most common network attacks Session hacking Virus and Trojan horse attacks Denial of Service/Distributed Denial of Service Buffer overflow
Summary (cont.) Defenses against attacks Antivirus software Router configuration Smart e-mail policies and procedures Monitor network traffic Maintain a current patch policy to keep systems up to date with security patches
Summary (cont.) Defenses against DoS attacks Proxy servers Established policies on maintenance Keep systems up to date with latest patches Defenses against Trojan horse and virus attacks: Have an established policy for e-mail attachments and downloading software Do not open unknown attachments Strictly monitor software downloads and what can be downloaded
Summary (cont.) Defenses against buffer overflow attacks Routinely update systems Keep security patches up to date