Review For Exam 2 March 9, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2)

Denial of Service (DoS)
 Attempt to make a computer's resources unavailable to legitimate users
 The attacker tries to overload the server by sending a stream of HTTP requests
 The server needs to use its limited resources (processor, RAM) to respond to each request
 When overloaded, the server slows down or even crashes
(Diagram: attacker's home network sending a stream of HTTP requests to the server)

TCP opening and DoS
 Server can maintain multiple connections
 For each TCP connection request (SYN), the server…
   Responds to the request (SYN/ACK)
   Sets resources aside (processor capacity, RAM, bandwidth) in order to respond to each upcoming data request
(Diagram: Computers 1, 2 and 3 each complete SYN, SYN/ACK, ACK with the server; the server then holds state "waiting for request from Computer 1", "… Computer 2", "… Computer 3")

TCP Connection opening
 TCP connection opening is accomplished as follows (the 3-way handshake)
   Client sends a TCP SYN to request a connection
   Server responds by sending back a TCP SYN/ACK
   Client responds by sending a TCP ACK
 Some forms of computer attack exploit the 3-way handshake process
 Example: a client may send a TCP ACK without the first two steps of the 3-way handshake having been completed (a host that follows the TCP specification answers such an unsolicited ACK with a RST)
(Diagram: attacker sends a bare ACK to the victim)

SYN Flood DoS
 Attacker sends a series of TCP SYN opening requests and never completes the handshake (often from spoofed source addresses, so the SYN/ACKs go unanswered)
 For each SYN, the target has to
   Send back a SYN/ACK segment, and
   Set aside memory and other resources (a half-open connection entry) to respond
 When overwhelmed, the target slows down or even crashes, and new legitimate SYNs are dropped
 SYN flooding takes advantage of client/server workload asymmetry: a SYN costs the attacker almost nothing, while the target holds state until the half-open entry times out
(Diagram: attacker sends SYN to victim)
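The asymmetry described on the SYN flood slide, as an added example that is not part of the original slides: a toy listener with a bounded half-open table is hit by spoofed SYNs that never complete the handshake, and a legitimate client arriving afterwards is denied. The same listener with SYN cookies (a mitigation the slides do not cover) stores nothing per SYN and still accepts the legitimate client. The backlog size, timeout, addresses and ISN arithmetic are illustrative assumptions, not real kernel values.

```python
# Added example (not from the slides): a toy TCP listener whose half-open
# connection table shows the asymmetry a SYN flood exploits, and how SYN
# cookies (a mitigation not covered on the slides) remove the stored state.
# BACKLOG and SYN_TIMEOUT are illustrative values, not real kernel defaults.
import hashlib
import hmac

BACKLOG = 128        # max half-open (SYN_RECEIVED) entries the listener keeps
SYN_TIMEOUT = 30.0   # seconds an unanswered SYN/ACK entry is held before eviction
MASK32 = 0xFFFFFFFF


class Listener:
    def __init__(self, backlog=BACKLOG, syn_cookies=False, secret=b"per-boot-secret"):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.secret = secret
        self.half_open = {}       # (src_ip, src_port) -> (client_isn, server_isn, time)
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src, client_isn):
        # SYN cookie: the server ISN is a MAC over the connection tuple, so the
        # handshake can be verified later without storing anything per SYN.
        msg = f"{src[0]}:{src[1]}:{client_isn}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def _expire(self, now):
        stale = [k for k, (_, _, t) in self.half_open.items() if now - t > SYN_TIMEOUT]
        for k in stale:
            del self.half_open[k]

    def recv_syn(self, src, client_isn, now):
        """Handle a SYN. Returns the server ISN sent in the SYN/ACK, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(src, client_isn)          # stateless: nothing set aside
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                          # table full: this SYN is lost
            return None
        server_isn = (client_isn * 2654435761 + src[1]) & MASK32   # toy ISN, not secure
        self.half_open[src] = (client_isn, server_isn, now)
        return server_isn

    def recv_ack(self, src, client_isn, ack_num, now):
        """Third handshake step: ack_num must be server_isn + 1."""
        if self.syn_cookies:
            ok = ack_num == (self._cookie(src, client_isn) + 1) & MASK32
        else:
            entry = self.half_open.pop(src, None)
            ok = entry is not None and ack_num == (entry[1] + 1) & MASK32
        if ok:
            self.established.add(src)
        return ok


def simulate(syn_cookies):
    """1000 spoofed SYNs (constructed traffic) followed by one legitimate client.

    Returns (legitimate client connected?, SYNs dropped, half-open entries held)."""
    srv = Listener(syn_cookies=syn_cookies)
    for i in range(1000):
        # Spoofed sources never see the SYN/ACK, so the third step never comes.
        srv.recv_syn((f"203.0.113.{i % 254}", 40000 + i), 0x1000 + i, now=0.0)
    client, isn = ("198.51.100.7", 51515), 0xABCD
    synack = srv.recv_syn(client, isn, now=1.0)
    connected = synack is not None and srv.recv_ack(client, isn, (synack + 1) & MASK32, now=1.1)
    return connected, srv.dropped_syns, len(srv.half_open)


if __name__ == "__main__":
    print("plain listener:", simulate(False))   # legitimate client is denied
    print("with SYN cookies:", simulate(True))  # legitimate client connects
```

Without cookies the table fills after 128 SYNs and every later SYN, including the legitimate one, is dropped until the 30-second timeout frees entries; with cookies the server keeps no per-SYN state, so the flood costs it only the SYN/ACK replies.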

Web Server configuration

Bandwidth Throttling
 Method of ensuring that a bandwidth-intensive device, such as a server…
   will limit ("throttle") the quantity of data it transmits and/or accepts within a specified period of time
 For web servers, bandwidth throttling…
   helps limit network congestion and server crashes
 For ISPs, bandwidth throttling…
   can be used to limit users' speeds across certain applications (such as BitTorrent), or to limit upload speeds
 When the allowed bandwidth is reached, the server will block further requests…
   By moving them into a queue, or
   By dropping them

Bandwidth Throttling (cont)
 When you enable bandwidth throttling, Internet Information Services (IIS) activates a set of counters to monitor it in System Monitor (SysMon):
   Current Blocked Async I/O Requests: number of requests blocked or held in a buffer until bandwidth is available
   Measured Async I/O Bandwidth Usage/Minute: number of bytes sent per minute as indicated by a sample taken by bandwidth throttling
   Rejected Async I/O Requests: number of requests rejected by bandwidth throttling since the service was last started
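The queue-or-drop behaviour from the two throttling slides, as an added example that is not part of the original slides and is not IIS code: a per-minute byte budget that either queues blocked requests until the next window or rejects them outright, with counters that mirror the three SysMon counters above. The budget, request sizes and timer values are constructed.

```python
# Added example (not from the slides, and not IIS code): a per-minute byte
# budget enforced either by queueing blocked requests or by dropping them,
# with counters that mirror the three SysMon counters listed above. Request
# sizes and the budget are constructed values.
from collections import deque


class Throttle:
    def __init__(self, bytes_per_minute, policy="queue", max_queue=64):
        assert policy in ("queue", "drop")
        self.budget = bytes_per_minute
        self.policy = policy
        self.max_queue = max_queue
        self.window = 0          # index of the current one-minute window
        self.used = 0            # bytes sent in this window ("Measured ... Bandwidth Usage/Minute")
        self.queue = deque()     # blocked requests ("Current Blocked Async I/O Requests")
        self.rejected = 0        # dropped requests ("Rejected Async I/O Requests")
        self.served = []

    def _roll(self, now):
        window = int(now // 60)
        if window != self.window:
            self.window, self.used = window, 0     # fresh budget each minute

    def _drain(self):
        # Serve queued requests in order while the remaining budget allows.
        while self.queue and self.used + self.queue[0][1] <= self.budget:
            name, size = self.queue.popleft()
            self.used += size
            self.served.append(name)

    def request(self, name, size, now):
        """Return 'sent', 'blocked' (queued) or 'rejected' (dropped)."""
        self._roll(now)
        self._drain()
        if self.used + size <= self.budget:
            self.used += size
            self.served.append(name)
            return "sent"
        if self.policy == "queue" and len(self.queue) < self.max_queue:
            self.queue.append((name, size))
            return "blocked"
        self.rejected += 1
        return "rejected"

    def tick(self, now):
        """Periodic timer: roll the window and release queued requests."""
        self._roll(now)
        self._drain()

    def counters(self):
        return {"blocked": len(self.queue), "bytes_per_minute": self.used, "rejected": self.rejected}


def demo(policy):
    """Three 400-byte responses against a 1000-byte/minute budget, then a timer tick a minute later."""
    t = Throttle(1000, policy)
    results = [t.request(f"r{i}", 400, now=0.0) for i in range(3)]
    before = t.counters()
    t.tick(now=61.0)
    return results, before, t.counters(), list(t.served)


if __name__ == "__main__":
    print("queue policy:", demo("queue"))
    print("drop policy: ", demo("drop"))
```

The queue policy trades latency for completeness (the third response goes out in the next minute); the drop policy keeps the server's memory bounded even under a flood of requests, which is why the queue also has a hard cap.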

Ping of Death attacks
 Take advantage of
   The fact that TCP/IP allows large packets to be fragmented
   Some network applications' and operating systems' inability to handle packets larger than 65,535 bytes (the maximum IPv4 datagram size)
 Attacker sends IP packets that reassemble to more than 65,535 bytes by using IP fragmentation; no single fragment is oversized, so only the reassembly step sees the problem
 Ping of death attacks are rare today, as most operating systems have been fixed to prevent this type of attack from occurring
 List of OS that were vulnerable:
 Fix
   Add checks in the reassembly process of hosts: for every fragment, Fragment Offset × 8 + fragment payload length must not exceed 65,535 bytes (the maximum allowed Total Length); summing the fragments' Total Length fields is not the right check, since each fragment's Total Length also counts its own header
   Add checks in the firewall to protect hosts whose bug is not fixed
IP header fields involved: Total Length (16 bits), Flags, Fragment Offset (13 bits)
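The reassembly check from the "Fix" bullet, as an added example that is not part of the original slides: fragments are modelled as (offset in 8-byte units, more-fragments flag, payload), and every fragment is bounded by offset × 8 + length ≤ 65,535 before its bytes are placed. The sample fragment sets, including the oversized "ping", are constructed here; the 1480-byte fragment payload is an assumed MTU.

```python
# Added example (not from the slides): a fragment-reassembly bound check that
# rejects a Ping of Death style fragment set. Fragments are modelled as
# (fragment_offset, more_fragments, payload) with the offset in 8-byte units,
# as in the IP header; the sample fragment sets below are constructed.

MAX_DATAGRAM = 65535            # IPv4 Total Length is a 16-bit field
MAX_OFFSET = (1 << 13) - 1      # Fragment Offset is 13 bits, in units of 8 bytes


class BadFragment(ValueError):
    """Raised when a fragment cannot belong to a legal datagram."""


def check_fragment(offset_units, more_fragments, payload_len):
    """Return the byte at which this fragment ends inside the reassembled datagram.

    This is the check that defeats Ping of Death: offset*8 + length must fit in
    65,535 bytes, whatever the fragment's own Total Length field claims."""
    if offset_units > MAX_OFFSET:
        raise BadFragment("fragment offset does not fit in 13 bits")
    end = offset_units * 8 + payload_len
    if end > MAX_DATAGRAM:
        raise BadFragment(f"fragment ends at byte {end}, beyond {MAX_DATAGRAM}")
    if more_fragments and payload_len % 8:
        raise BadFragment("non-final fragment payload is not a multiple of 8 bytes")
    return end


def reassemble(fragments):
    """Reassemble fragments (any arrival order); raise BadFragment on gaps/overlaps/oversize."""
    buf, mark, total = bytearray(), bytearray(), None
    for offset_units, more_fragments, payload in fragments:
        end = check_fragment(offset_units, more_fragments, len(payload))
        start = offset_units * 8
        if not more_fragments:
            if total is not None:
                raise BadFragment("two final fragments")
            total = end
        if len(buf) < end:                       # grow buffers as high fragments arrive
            buf.extend(bytes(end - len(buf)))
            mark.extend(bytes(end - len(mark)))
        if any(mark[start:end]):
            raise BadFragment("overlapping fragment")
        buf[start:end] = payload
        mark[start:end] = b"\x01" * (end - start)
    if total is None:
        raise BadFragment("final fragment never arrived")
    if len(mark) > total or not all(mark[:total]):
        raise BadFragment("gaps, or data beyond the final fragment")
    return bytes(buf[:total])


def fragment(total_len, mtu_payload=1480, fill=b"\x41"):
    """Split a total_len-byte payload into MTU-sized fragments the way a sender would."""
    frags, off = [], 0
    while off < total_len:
        size = min(mtu_payload, total_len - off)
        frags.append((off // 8, off + size < total_len, fill * size))
        off += size
    return frags


def is_safe(fragments):
    try:
        reassemble(fragments)
        return True
    except BadFragment:
        return False


if __name__ == "__main__":
    print("3000-byte ping:", is_safe(fragment(3000)))          # True
    print("Ping of Death:", is_safe(fragment(65536 + 8)))      # False: rejected at reassembly
```

Every fragment of the oversized set is individually legal on the wire; the last one is refused because its offset places its final byte past 65,535, which is exactly the case a naive reassembler writes past its buffer. The overlap check matters for the same reason: overlapping fragments are another way to make reassembly write where it should not.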

Distributed DoS (DDoS) Attack
 Attacker hacks into multiple clients and plants handler programs and Zombie programs on them
 Attacker sends attack commands to the Handlers, which relay them to the Zombie programs, which execute the attack
 DDoS attacks became widely known in February 2000 with the Mafiaboy attacks against cnn.com, ebay.com, etrade.com, yahoo.com, etc.
(Diagram: Attacker → Attack Command → Handler → Attack Command → Computers with Zombies → DoS Messages → Server)

Buffer Overflow Attack
 Occurs when an ill-written program lets data destined for a memory buffer spill past the end of the buffer and overwrite adjacent memory that holds the program's data or instructions (for example, the saved return address that tells the CPU what to run next)
 If the data contains malware, the malware could run; even when it does not, the program usually crashes, which creates a DoS
 Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD
(Diagram: before the input, memory holds Buffer | Instructions (Print, Run Program, Accept input); after the input, ABCDEF fills the buffer and LET JOHN IN WITHOUT PASSWORD overwrites the instructions that follow it)

Keyloggers
 Used to capture keystrokes on a computer
 Software
   Behaves like a Trojan program
 Hardware
   Easy to install
   Goes between the keyboard and the computer
   Examples: KeyKatcher and KeyGhost

Summary Questions
 Describe SYN flooding.
 What is a Zombie program?
 Explain how a Ping of Death attack occurs.
 Explain the difference between DoS and DDoS.
 Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability?
 What is a Buffer Overflow attack?
 What is a hardware keylogger?

Footprinting

 Process of collecting information about an organization, its network, its IP address ranges, its IP address registration, and the people involved in network/computer issues
 Footprinting is conducted through social engineering and by researching information
   From printed resources
   From online resources
 Footprinting tools/techniques:
   Gathering WHOIS information
   Performing web reconnaissance
   DNS interrogation

Understanding Footprinting Lab (Lab 4)
 You must understand the footprinting activities performed in Lab 4. In particular:
   What footprinting tools were used
   What can be done with each
 You are allowed to have your lab sheet during the exam

Scanning

What is Scanning?
 Step after footprinting
 Referred to as port scanning, service scanning, or network scanning
 Process of probing a range of IP addresses in order to determine which hosts are live and what services/programs are running on the networked computers
 Typically performed using scanning tools like
   Command line utilities like Fping, Hping, nmap, etc. (tcpdump is a packet capture tool, useful for watching the scan traffic itself)
   GUI scanners
(Diagram: 1. Footprinting → 2. Scanning → 3. Enumeration → 4. Attack, i.e. searching for vulnerabilities)

Types of Port scanning
 SYN scan: In a normal TCP session, the client first sends the server a TCP packet with the SYN flag set. The server responds with a packet having both the SYN and ACK flags set, acknowledging the SYN. The client then replies with an ACK of its own, completing the connection. In a SYN scan the scanner answers the SYN/ACK with a RST instead of an ACK, so the 3-way handshake is never completed; the application never receives a connection and therefore does not log the "transaction" (a firewall or IDS in the path still can). After all, you don't want the log to show your IP address. A SYN/ACK means the port is open, a RST means it is closed, and no reply means the probe was filtered.
 FIN scan: A TCP packet with only the FIN flag set is sent to the target computer to "see" how it reacts. Normally, a packet with the FIN flag set is sent when one side is ready to terminate an established connection, and the other side responds with an ACK acknowledging the disconnect. A FIN arriving for a port with no connection is answered with a RST if the port is closed and ignored if the port is open (so no reply means open or filtered).
 NULL scan: In a NULL scan, all the packet flags are turned off, meaning none of the RST (reset), FIN, SYN, or ACK flags is set. If the port is closed, the target responds with a TCP RST packet. If the port is open, the target sends no reply, so the scanner reports that port number as open (strictly, open or filtered, since a dropped probe also produces no reply).
 ACK scan: A TCP packet with only the ACK flag set is sent. An unsolicited ACK elicits a TCP RST from any reachable port, open or closed, which is why ACK probes are used to find live hosts such as web sites that are configured not to respond to ICMP pings. The RST confirms that the host is up and that no stateful firewall is filtering the port; it does not tell you whether the port is open.
 TCP Connect scan: The full "three-way handshake" described under SYN scan above: the scanner sends a packet with the SYN flag set, the target responds with the SYN and ACK flags set, and the scanner completes the connection with a packet having the ACK flag set. Unlike in a SYN scan, the "transaction" is logged by the application.
(Diagram: SYN → SYN/ACK → ACK)

Types of Port scanning (cont)
 XMAS scan: In this kind of scan, the FIN, PSH, and URG flags are set. Closed ports respond with a RST packet; open ports send no reply. Can be used to determine which ports are open, but not getting a RST packet doesn't prove that the port is open, because firewalls or other packet filtering devices may be configured to drop the scan packet.
 UDP scan: In this scan, a UDP packet is sent to the target computer. If the computer sends back an ICMP "Port unreachable" message, the port is closed. Not getting this message doesn't mean that the port is open, because firewalls or other packet filtering devices may be configured to drop the UDP scan packet; a UDP reply from the service is the only sure sign of an open port.
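The reply interpretation from the two port-scanning slides, as an added example that is not part of the original slides or of any scanner's code: one function maps (scan type, observed reply) to a port state for SYN, connect, FIN, NULL, XMAS, ACK and UDP probes, and a second shows the one-packet difference that decides whether the application logs a SYN scan versus a connect scan. State names follow nmap's convention (an assumption of this example, not something the slides use), and the replies are constructed.

```python
# Added example (not from the slides): how a scanner turns the reply to each
# probe type into a port state. The rules follow the behaviour the slides
# describe (a closed port answers RST; an open port ignores FIN/NULL/XMAS) and
# the RFC 793 handling of unsolicited segments; state names follow nmap's
# convention, including "open|filtered" when silence is the only evidence.
from dataclasses import dataclass


@dataclass(frozen=True)
class Reply:
    kind: str           # "tcp", "udp", "icmp" or "none" (no reply before timeout)
    flags: str = ""     # TCP flags in the reply, e.g. "SA" or "R"
    icmp_type: int = 0
    icmp_code: int = 0


NONE = Reply("none")
RST = Reply("tcp", "R")
SYNACK = Reply("tcp", "SA")
UDP_DATA = Reply("udp")
PORT_UNREACH = Reply("icmp", icmp_type=3, icmp_code=3)       # destination unreachable / port
ADMIN_PROHIBITED = Reply("icmp", icmp_type=3, icmp_code=13)  # a filter said no

# Flags the scanner sets on the probe for each scan type (S=SYN, A=ACK, F=FIN, P=PSH, U=URG).
PROBE_FLAGS = {"connect": "S", "syn": "S", "fin": "F", "null": "", "xmas": "FPU", "ack": "A"}


def classify(scan, reply):
    """Map (scan type, observed reply) to a port state."""
    if reply.kind == "icmp" and reply.icmp_type == 3:
        # Only ICMP port-unreachable to a UDP probe proves "closed"; other
        # unreachables mean a router or firewall rejected the probe.
        return "closed" if scan == "udp" and reply.icmp_code == 3 else "filtered"
    if scan in ("syn", "connect"):
        if reply == SYNACK:
            return "open"
        if reply == RST:
            return "closed"
        return "filtered"                # SYN swallowed: something dropped it
    if scan in ("fin", "null", "xmas"):
        if reply == RST:
            return "closed"
        if reply == NONE:
            return "open|filtered"       # open ports stay silent, but so do filters
        return "unexpected"
    if scan == "ack":
        if reply == RST:
            return "unfiltered"          # host up, no stateful filter; says nothing about open/closed
        if reply == NONE:
            return "filtered"
        return "unexpected"
    if scan == "udp":
        if reply == UDP_DATA:
            return "open"
        if reply == NONE:
            return "open|filtered"
        return "unexpected"
    raise ValueError(f"unknown scan type {scan!r}")


def scanner_followup(scan, reply):
    """What the scanner sends after a SYN/ACK: the logging difference between the two scans."""
    if reply != SYNACK:
        return None
    if scan == "connect":
        return "A"     # completes the handshake; the application sees (and can log) a connection
    if scan == "syn":
        return "R"     # tears the half-open connection down before the application hears of it
    return None


if __name__ == "__main__":
    # Constructed replies from a hypothetical target, one per scan type.
    for scan, reply in [("syn", SYNACK), ("null", NONE), ("ack", RST), ("udp", PORT_UNREACH)]:
        print(f"{scan:>7} scan, reply {reply.kind:<4}: {classify(scan, reply)}")
```

The "open|filtered" verdicts are the honest output of the FIN, NULL, XMAS and UDP scans: silence is consistent with both an open port and a packet filter, so a follow-up probe (a SYN or connect scan, or a service-specific UDP payload) is needed to tell them apart.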

Understanding Scanning Lab (Lab 5)
 You must understand the scanning activities performed in Lab 5. In particular:
   What scanning tools were used
   What can be done with each
   What kind of information can be collected using the tools
 You are allowed to have your lab sheet during the exam

Enumeration

What is Enumeration?
 Security testing step to be performed after
   Discovering live targets >> [Scanning]
   Determining open ports and services hosted by the discovered live targets >> [Scanning]
   Determining the OS >> [Scanning]
 Process of extracting the following from targets
   Available resources or shares
   User/group names and passwords
 Enumeration is more intrusive than footprinting and scanning because you try to access resources
 Typically performed using enumeration tools like
   NetBIOS name scanners
   Share scanners
   Vulnerability scanners such as Nessus
(Diagram: 1. Footprinting → 2. Scanning → 3. Enumeration → 4. Attack, i.e. searching for vulnerabilities)

Understanding Enumeration Lab (Lab 6)
 You must understand the enumeration activities performed in Lab 6. In particular:
   What enumeration tools were used
   What can be done with each
   What kind of information can be collected using the tools
 You are allowed to have your lab sheet during the exam