Network & Computer Attacks (Part 2)
February 11, 2010
MIS 4600 – MBA
© Abdou Illia
Objectives
- Understand the types of network attacks and how they occur
  - Denial of Service (DoS) attacks
  - SYN Flood DoS
  - Distributed DoS attacks
  - Ping of Death attacks
  - Buffer Overflow attacks
- Identify physical security attacks and vulnerabilities
Denial of Service (DoS)
- An attempt to make a computer's resources unavailable to legitimate users
- What resources would the web server use to respond to each of the HTTP requests it receives?
- What could be the consequences of the web server being flooded with too many requests from the attacker?
[Diagram: Attacker's Home Network sending requests to the web server]
TCP opening and DoS
- For each TCP connection request, the server has to:
  - Respond to the request
  - Set resources aside in order to respond to each data request
[Diagram: three computers each open a connection with the Server]
  Computer 1 -> Server: SYN   Server -> Computer 1: SYN/ACK   Computer 1 -> Server: ACK   (Server: waiting for request from Computer 1)
  Computer 2 -> Server: SYN   Server -> Computer 2: SYN/ACK   Computer 2 -> Server: ACK   (Server: waiting for request from Computer 2)
  Computer 3 -> Server: SYN   Server -> Computer 3: SYN/ACK   Computer 3 -> Server: ACK   (Server: waiting for request from Computer 3)
SYN Flood DoS
- The attacker sends a series of TCP SYN opening requests
- For each SYN, the target has to:
  - Send back a SYN/ACK segment, and
  - Set aside memory and other resources to respond
- When overwhelmed, the target slows down or even crashes
- SYN flooding takes advantage of the client/server workload asymmetry: a SYN costs the sender almost nothing, while the receiver must hold state for it
[Diagram: Attacker -> Victim: SYN, SYN, SYN, ...]
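The asymmetry on this slide is exactly what SYN cookies remove: the server answers a SYN without setting anything aside, encodes the handshake state in the initial sequence number of its SYN/ACK, and recovers that state from the client's final ACK. The Python model below is an added example and not part of the lecture; it sends nothing on the network. The secret key, the addresses, the MSS table and the 64-second counter tick are constructed for illustration, and the 5/3/24-bit cookie layout follows the common SYN cookie scheme rather than any particular operating system.

```python
"""Added example: the per-SYN resource cost behind SYN flooding, and SYN cookies
as the stateless answer to it. Model only; nothing is sent on the network."""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"      # a real host rotates this periodically
MSS_TABLE = [536, 1220, 1440, 1460]      # client MSS values encodable in the cookie
COUNTER_PERIOD = 64                      # seconds per tick of the 5-bit time counter


def _mac(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed MAC over the 4-tuple and time counter (no per-connection state)."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, now):
    """Initial sequence number carrying the handshake state:
    bits 31-27 time counter, bits 26-24 MSS index, bits 23-0 MAC."""
    counter = (int(now) // COUNTER_PERIOD) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (counter << 27) | (mss_idx << 24) | _mac(src_ip, src_port, dst_ip, dst_port, counter)


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now):
    """Validate the final ACK; returns the recovered MSS, or None if the cookie
    is stale (older than two counter ticks) or was not issued by this host."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    current = (int(now) // COUNTER_PERIOD) & 0x1F
    if (current - counter) & 0x1F > 1:
        return None
    if cookie & 0xFFFFFF != _mac(src_ip, src_port, dst_ip, dst_port, counter):
        return None
    return MSS_TABLE[mss_idx]


class StatefulServer:
    """Classic handshake: one half-open entry per SYN until the ACK arrives."""
    def __init__(self, backlog):
        self.backlog = backlog
        self.pending = {}                # (ip, port) -> time the SYN arrived

    def on_syn(self, client, now):
        if len(self.pending) >= self.backlog:
            return False                 # table full: this SYN is dropped
        self.pending[client] = now
        return True

    def on_ack(self, client, now):
        return self.pending.pop(client, None) is not None


class CookieServer:
    """SYN cookie handshake: the SYN/ACK carries the state, so no entry is kept."""
    def __init__(self, ip="203.0.113.10", port=80):
        self.ip, self.port = ip, port
        self.pending = {}                # stays empty by construction

    def on_syn(self, client, mss, now):
        return make_cookie(client[0], client[1], self.ip, self.port, mss, now)

    def on_ack(self, client, ack_num, now):
        return check_cookie(client[0], client[1], self.ip, self.port, ack_num, now)


def legit_client_outcome(unanswered_syns, backlog, use_cookies, now=1_000_000):
    """Model: `unanswered_syns` SYNs whose ACKs never come, then one legitimate
    client (constructed addresses). Returns (half-open entries held, client connected)."""
    legit = ("198.51.100.7", 40000)
    if use_cookies:
        srv = CookieServer()
        for i in range(unanswered_syns):
            srv.on_syn((f"192.0.2.{i % 250 + 1}", 1024 + i), 1460, now)
        isn = srv.on_syn(legit, 1460, now)
        mss = srv.on_ack(legit, (isn + 1) & 0xFFFFFFFF, now + 1)
        return len(srv.pending), mss is not None
    srv = StatefulServer(backlog)
    for i in range(unanswered_syns):
        srv.on_syn((f"192.0.2.{i % 250 + 1}", 1024 + i), now)
    accepted = srv.on_syn(legit, now)
    return len(srv.pending), accepted and srv.on_ack(legit, now + 1)
```

With a backlog of 256 and a thousand SYNs that are never completed, `legit_client_outcome(1000, 256, False)` shows the stateful server holding 256 half-open entries and dropping the legitimate client, while `legit_client_outcome(1000, 256, True)` shows the cookie server holding no state at all and completing the legitimate handshake. The price of cookies is the information that does not fit in 32 bits (only a few MSS values are encodable, and TCP options are lost), which is why real stacks switch them on only once the backlog is under pressure.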
Web Server configuration
Ping of Death attacks
- Take advantage of:
  - The fact that TCP/IP allows large packets to be fragmented
  - Some network applications' and operating systems' inability to handle packets larger than bytes
- The attacker sends IP packets that are larger than 65,536 bytes through IP fragmentation.
- Ping of Death attacks are rare today, as most operating systems have been fixed to prevent this type of attack from occurring.
- List of OS that were vulnerable:
- Fix: add checks in the reassembly process, or in a firewall, to protect hosts on which the bug has not been fixed
  - Check: the sum of the Total Length fields of the fragments of an IP packet is < bytes
- IP header fields involved: Total Length (16 bits) | Flags | Fragment Offset (13 bits)
  - Fragment Offset: identifies which fragment this packet is attached to, i.e. its position within the original packet
  - Flags: indicate whether the packet may be fragmented or not
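The reassembly check on this slide can be written directly from the header fields it names: each fragment's Fragment Offset (in 8-byte units) plus its payload length says how far into the original datagram that fragment reaches, and a reassembler or firewall can refuse the set before allocating anything if the furthest byte, plus the header, would exceed the 65,535-byte maximum that a 16-bit Total Length can express. The Python below is an added example, not material from the lecture; the fragments are constructed in memory with constructed addresses, and nothing is transmitted.

```python
"""Added example: reassembly-time check against oversized fragmented IPv4
datagrams, of the kind the slide recommends for reassembly code or a firewall.
Fragments are constructed in memory; nothing is sent."""
import struct

IPV4_MAX_DATAGRAM = 65535     # RFC 791: Total Length is a 16-bit field
IPV4_HEADER_LEN = 20          # header without options, as used by the constructed fragments


def parse_ipv4_fragment(pkt):
    """Return (ident, payload_offset, payload_len, more_fragments) from a raw IPv4 packet."""
    ver_ihl, _tos, total_length, ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(flags_frag & 0x2000)           # MF flag: more fragments follow
    offset = (flags_frag & 0x1FFF) * 8         # 13-bit Fragment Offset, in 8-byte units
    return ident, offset, total_length - ihl, more


def reassembled_length(fragments):
    """Size the complete datagram would have: header plus the furthest payload byte."""
    ihl = (fragments[0][0] & 0x0F) * 4
    end = max(off + plen for _, off, plen, _ in map(parse_ipv4_fragment, fragments))
    return ihl + end


def fragment_set_is_safe(fragments):
    """The check a reassembler or firewall applies before allocating the buffer."""
    return reassembled_length(fragments) <= IPV4_MAX_DATAGRAM


def make_fragment(ident, offset, payload, more):
    """Constructed IPv4 fragment (constructed 192.0.2.x addresses, checksum left zero)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + len(payload), ident,
                         flags_frag, 64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload


def fragment_datagram(ident, payload_len, mtu=1500):
    """Split a zero-filled payload of `payload_len` bytes into MTU-sized fragments,
    the way a sender would fragment one large datagram (used to build test inputs)."""
    chunk = (mtu - IPV4_HEADER_LEN) // 8 * 8    # fragment offsets must be multiples of 8
    payload = bytes(payload_len)
    return [make_fragment(ident, off, payload[off:off + chunk], off + chunk < payload_len)
            for off in range(0, payload_len, chunk)]
```

A normal 64-byte ping payload and a datagram whose payload stops exactly at 65,515 bytes (so that header plus payload equals 65,535) both pass, while a payload of 65,518 bytes reassembles to 65,538 bytes and is rejected. The check is applied per fragment set as fragments arrive, so a host does not need to buffer the whole set to know it is oversized.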
Distributed DoS (DDoS) Attack
- The attacker hacks into multiple clients and plants Handler programs and Zombie programs on them
- The attacker sends attack commands to the Handlers and Zombie programs, which execute the attacks
- First appeared in 2000 with the Mafiaboy attack against cnn.com, ebay.com, etrade.com, yahoo.com, etc.
[Diagram: Attacker -> (Attack Command) -> Handler -> (Attack Command) -> Computers with Zombie -> (DoS Messages) -> Server]
Buffer Overflow Attack
- Occurs when a poorly written program allows data destined for a memory buffer to overwrite adjacent memory that contains instructions
- If the data contains malware, the malware could run and create a DoS
- Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD
[Diagram, before input: Buffer | Instructions: Print; Run Program; Accept input]
[Diagram, after input: Buffer: ABCDEF | Instructions: LET JOHN IN WITHOUT PASSWORD; Run Program; Accept input]
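The slide's two memory pictures can be reproduced in a flat-memory model: a six-byte input buffer sits directly before the region that holds the program's next instruction, an unbounded copy writes every input byte regardless of where the buffer ends, and a bounded copy refuses input that does not fit. The Python below is an added example, not the lecture's own material; the buffer size, the instruction text and the memory layout are constructed for illustration, and the slide's sample input "ABCDEF LET JOHN IN WITHOUT PASSWORD" is reused as the test input.

```python
"""Added example: a flat-memory model of the slide's buffer overflow.
Layout: [input buffer, BUFFER_SIZE bytes][instruction slot, 32 bytes]."""

BUFFER_SIZE = 6            # constructed: room for "ABCDEF" and nothing more
INSTR_SIZE = 32            # constructed: bytes reserved for the next instruction


class Memory:
    """Contiguous memory where the instruction slot follows the buffer directly."""

    def __init__(self, instruction: bytes):
        self.cells = bytearray(BUFFER_SIZE) + bytearray(instruction.ljust(INSTR_SIZE, b"\x00"))

    def buffer(self) -> bytes:
        return bytes(self.cells[:BUFFER_SIZE]).rstrip(b"\x00")

    def instruction(self) -> bytes:
        """What the program will execute next, read from the slot after the buffer."""
        return bytes(self.cells[BUFFER_SIZE:]).rstrip(b"\x00")


def unchecked_copy(mem: Memory, data: bytes) -> None:
    """strcpy-style copy: writes every byte of `data` starting at the buffer,
    with no check against BUFFER_SIZE, so long input spills into the instruction slot."""
    data = data[:len(mem.cells)]           # the model's memory simply ends here
    mem.cells[0:len(data)] = data


def checked_copy(mem: Memory, data: bytes) -> bool:
    """Bounded copy: rejects input that does not fit and leaves memory untouched."""
    if len(data) > BUFFER_SIZE:
        return False
    mem.cells[0:len(data)] = data
    return True


def instruction_after_input(data: bytes, bounded: bool) -> bytes:
    """Load the program with 'RUN PROGRAM' queued, feed it `data`, report what runs next."""
    mem = Memory(b"RUN PROGRAM")
    if bounded:
        checked_copy(mem, data)
    else:
        unchecked_copy(mem, data)
    return mem.instruction()
```

With the slide's input, `instruction_after_input(b"ABCDEF" + b"LET JOHN IN WITHOUT PASSWORD", False)` returns `b"LET JOHN IN WITHOUT PASSWORD"`: the six bytes fill the buffer and the rest lands in the instruction slot, which is the second memory picture. The same input through the bounded copy leaves `b"RUN PROGRAM"` in place, which is the whole of the fix: the program must know how large its buffer is and refuse (or truncate) anything larger before writing.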
Addressing Physical Security
- Protecting a network also requires physical security
- Inside attacks are more likely than attacks from outside the company
Keyloggers
- Used to capture keystrokes on a computer
- Two kinds: hardware and software
- Software keyloggers behave like Trojan programs
- Hardware keyloggers:
  - Easy to install
  - Go between the keyboard and the CPU
  - Examples: KeyKatcher and KeyGhost
Keyloggers (continued)
- Protection
  - Against software-based keyloggers: antivirus
  - Against hardware-based keyloggers: random visual tests
Behind Locked Doors
- Lock up your servers
- The average person can pick deadbolt locks in less than five minutes after only a week or two of practice
- Experienced hackers can pick deadbolt locks in under 30 seconds
- Rotary locks are harder to pick
- Keep a log of who enters and leaves the room
- Security cards can be used instead of keys for better security
Summary Questions
- Describe SYN flooding.
- What is a Zombie program?
- Explain how a Ping of Death attack occurs.
- Explain the difference between DoS and DDoS.
- Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability?
- What is a Buffer Overflow attack?
- What is a hardware keylogger?