Dr. Igor Santos

 Denial of Service  Man in the middle  ICMP attacks 2

3 Denial of Service (DoS)

 Denial-of-Service (DoS)  Exclusive appropiation of a resource or service with the intention of preventing access to third parties  Attacks designed to collapse a resource or system with the intent to destroy the service  Removing the service delivery of system connected to a network 4

 Many DoS are based on bandwidth  If I have more bandwidth than you, I can send you lot of traffic and you get flooded  What if the attacker does not have more bandwidth than the victim? ▪ Use DoS not based on the bandwidth (eg Ping-Of-Dead, Winnuke, etc..)ç ▪ Use DDoS 5

 Distributed Denial-of-Service (DDoS)  Denial of service attack in which a number of compromised systems attack a single system, causing the termination of a service 6

7

 Goals  Disable the service  Disable the net  Disable the organization  Cause economical losses 8

 DDoS to Wikileaks 28/11/ /wikileaks-endures-a-lengthy- ddos-attack/ Response attacks to mastercard, paypal, … 9

 Anonymous attacks institutional webs in response to the closure of Megaupload 20/01/ an/20/anonymous-attacks-after- megauploads-closure 10

 Types of DoS attacks  Network Flooding ▪ SYN Flood ▪ FIN Flood ▪ Connection Flood ▪ ICMP Smurf  System Overload ▪ Computation (eg: lots of encrypted sessions) ▪ Memory (eg: heavy SQL queries) ▪ Disk (eg: temporal files)  OS Vulnerabilities ▪ Ping of Death ▪ Land Attack 11

 PORTADA INUNDACIÓN 12 Network Flooding

 Based on the Three-Way Handshake to establish a TCP connection  Attacker initiates a high number of connections that are never completed, leaving the server waiting for the final ACK  They consume a lot of resources on the server and there is a DoS  Very easy to perform 13

 Pera-attack (Three-Way Handshake) 14

 Attack 15

 The problem is that the OS have a very low limit of the number of half-open connections that can handle  If the limit is exceeded, the server does not respond to new connection requests  The half-open connections expire, releasing 'slots' for new connections  If the attack is maintained, the probability that one of these 'slots' is used by a malicious SYN is very high 16

 Example  Limit 5-30 half-open connections that expire after about 2 minutes  To cause DoS -> send SYN every 4 sec 17

 Tools  Hping3 ▪ hping3 --flood –S –p 80  Others ▪ bin/search/search.cgi?searchvalue=syn+flood&type=arc hives&[search].x=0&[search].y=0 bin/search/search.cgi?searchvalue=syn+flood&type=arc hives&[search].x=0&[search].y=0 18

 Countermeasures  SYN-cookies ▪ Using TCP sequence numbers as session state control ▪ The SYN queue is released from the state maintenance  Raise 'backlog queue' ▪ More 'slots' to connect to ▪ If not supplemented with syn-cookies can be counterproductive 19

 Sending a TCP packet with the FIN flag active and falsified source IP, different ports and source and sequence number  If there is a connection to that IP and source port, and the sequence number matches, the legitimate connection ends ▪ Formerly the OS used consecutive sequence numbers!  Otherwise, simply saturate the network with traffic 20

 The connection-oriented services (eg ftp, http, smtp,...) have a limit of simultaneous connections supported  When the limit is reached, new connections are rejected  The attacker attempts to monopolize established connections  Similar to SYN flood, but in this case a TCP connection (three way handshake) is established 21

 Based on IP spoofing and broadcast  It involves sending a ICMP packet, for example Echo Request, to the broadcast of a subnet (amplifier)  All machines on this subnet answer the broadcast  If we spoof the packet's source IP, all the responses will go to that IP (victim) 22

 For every packet sent, the victim will receive hundreds of responses -> FLOOD  This attack works if the amplifier router is misconfigured 23

24

25 OS Vulnerabilities

 Bug in the implementation of the TCP / IP stack for Windows platforms  Sending SYN packet to an open port of the victim, with the same source and destination addresses  The OS kernel sends ACKs to itself, and causes a DoS 26

27

 ICMP is sent with a total size greater than the maximum allowed by the RFC (65,535 bytes)  The packet is fragmented and reassembled at the destination  If the system is vulnerable, it crashes when reassembling  Current systems are not vulnerable 28

29

30 Man in the Middle (MitM)

 MitM: Man in the Middle  Attack in which one is able to read, insert and modify at will, messages between two parties without either of them know that the link between them has been compromised  The attacker must be able to observe and intercept messages between the two victims 31

 Most used MitM  MAC flooding  ARP spoofing  DNS spoofing  SSL strip 32

 Attack to compromise switches  CAM Table (Content Addressable Memory)  Maps the MAC addresses with switch ports  The attacker sends packets with different source MAC in order to saturate the limited memory of the CAM table.  Once saturated, the switch acts as a hub 33

34

 Also known as ARP poisoning  Sending fake ARPs to the network  Usually the aim is to associate the attacker's MAC address with the IP address of another node (the node attacked) ▪ Eg default gateway (gateway) to see all traffic to Internet. 35

 Any traffic directed to the attacked node's IP address, will be mistakenly sent to the attacker, rather than to its actual destination  Passive Attack  Traffic is only observed  It redirects it the gateway  Active Attack  The data are modified before forwarding it to the gateway 36

37

38

39

40

 Tool: Ettercap  Ettercap -G ▪ Sniff → Unified sniffing ▪ Hosts → Host list ▪ Hosts → Scan for hosts ▪ Add the Gateway as Target1 ▪ Add the victim as Target2 ▪ Start → Start Sniffing ▪ Mitm → Arp poisoning (sniff remote connections) 41

 Countermeasures  ArpON -  Patriot NG - projects.com/?Patriot_NGhttp:// projects.com/?Patriot_NG 42

 Fake the relationship “DomainName-IP" for name resolution queries  Solving it with a fake address certain DNS name or viceversa  Tool: Ettercap  Edit /usr/local/share/ettercap/etter.dns  Plugins -> Manage plugins…  Dns_spoof 43

 Intercept HTTPS traffic  Perform a MitM between the server and the client and replace every an query “ with an “ ▪ The victim and perpetrator communicate via HTTP ▪ The attacker and the server communicate over HTTPS with server certificate ▪ The attacker is able to see all unencrypted traffic of the victim 44

45

46 ICMP Attacks

 Attacks based on sending special ICMP packets (not 'echo-requests')  ICMP redirect  Source Quench  Blind Connection-Reset  … 47

 It makes use of ICMP type 5 - Redirect  Used by a router to indicate to other computers that an alternative route bypassing it  The router generates an ICMP "redirect" with the path information that he believes best  If the team receiving the package "redirect" have faith in what you say, accept the new route ▪ Can be used to carry out attacks "Man in the middle“ ▪ ICMP redirect should be filtered 48

 It makes use of ICMP type 4 - Source Quench  In the next review of ICMP will be declared obsolete  It is used for the destination IP lowers the rate at which is sending traffic  It can be used to cause DoS 49

 When a TCP receives an ICMP serious error, aborts the connection  Errors considered serious  ICMP type 3 (Destination Unreachable) ▪ Code 2 (protocol unreachable) ▪ Code 3 (port unreachable) ▪ Code 4 (fragmentation needed and DF bit set)  Tools: icmp-reset 

 Images    svg svg  assessment-250x250.jpg assessment-250x250.jpg   content/uploads/2008/12/arp-spoofing.png content/uploads/2008/12/arp-spoofing.png  content/uploads/2011/01/sslstrip.png content/uploads/2011/01/sslstrip.png 