Attack Methods Chapter 4 Corporate IT Security Copyright 2002 Prentice-Hall.

Slides:



Advertisements
Similar presentations
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Advertisements

By Hiranmayi Pai Neeraj Jain
CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Introduction to Security Computer Networks Computer Networks Term B10.
Computer Security and Penetration Testing
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Computer Security Prevention and detection of unauthorized actions by users of a computer system Confidentiality Integrity Availability.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.
Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.
Denial of Service Attacks: Methods, Tools, and Defenses Authors: Milutinovic, Veljko, Savic, Milan, Milic, Bratislav,
1 Computer Security: Protect your PC and Protect Yourself.
Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.
Chapter Nine Maintaining a Computer Part III: Malware.
Port Scanning.
Trojan Horse Implementation and Prevention By Pallavi Dharmadhikari Sirisha Bollineni VijayaLakshmi Jothiram Vasanthi Madala.
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Hacker Zombie Computer Reflectors Target.
Being an Intermediary for Another Attack Prepared By : Muhammad Majali Supervised By : Dr. Lo’ai Tawalbeh New York Institute of Technology (winter 2007)
Network Security Introduction Some of these slides have been modified from slides of Michael I. Shamos COPYRIGHT © 2003 MICHAEL I. SHAMOS.
Honeypot and Intrusion Detection System
ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.
CIS 450 – Network Security Chapter 3 – Information Gathering.
Targeted Break-in, DoS, & Malware attacks (II) (February ) © Abdou Illia – Spring 2015.
Introduction to ITE Chapter 9 Computer Security. Why Study Security?  This is a huge area for computer technicians.  Security isn’t just anti-virus.
Attack Methods Chapter 4 Corporate IT Security Copyright 2002 Prentice-Hall.
CHAPTER 14 Viruses, Trojan Horses and Worms. INTRODUCTION Viruses, Trojan Horses and worm are malicious programs that can cause damage to information.
Denial-of-Service Attacks Justin Steele Definition “A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate.
--Harish Reddy Vemula Distributed Denial of Service.
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Security News Source Courtesy:
1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.
FORESEC Academy FORESEC Academy Security Essentials (III)
Attacks On systems And Networks To understand how we can protect our system and network we need to know about what kind of attacks a hacker/cracker would.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
Denial of Service (DoS) DoS attacks are aggressive attacks on an individual computer or groups of computers with the intent to deny services to intended.
IT Essentials 1 Chapter 9 JEOPADY RouterModesWANEncapsulationWANServicesRouterBasicsRouterCommands RouterModesWANEncapsulationWANServicesRouterBasicsRouterCommands.
Security (Part 1) School of Business Eastern Illinois University © Abdou Illia, Spring 2007 (Week 13, Tuesday 4/3/2007)
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
CHAPTER 3 Classes of Attack. INTRODUCTION Network attacks come from both inside and outside firewall. Kinds of attacks: 1. Denial-of-service 2. Information.
Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.
1 Figure 4-1: Targeted System Penetration (Break-In Attacks) Host Scanning  Ping often is blocked by firewalls  Send TCP SYN/ACK to generate RST segments.
What is risk online operation:  massive movement of operation to the internet has attracted hackers who try to interrupt such operation daily.  To unauthorized.
Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.
Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF
Malicious Software.
1 Figure 3-13: Internet Protocol (IP) IP Addresses and Security  IP address spoofing: Sending a message with a false IP address (Figure 3-17)  Gives.
DoS/DDoS attack and defense
1 Figure 4-11: Denial-of-Service (DoS) Attacks Introduction  Attack on availability  Act of vandalism Single-Message DoS Attacks  Crash a host with.
DOS Attacks Lyle YapDiangco COEN 150 5/21/04. Background DOS attacks have been around for decades Usually intentional and malicious Can cost a target.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
DEVICE MANAGEMENT AND SECURITY NTM 1700/1702. LEARNING OUTCOMES 1. Students will manipulate multiple platforms and troubleshoot problems when they arise.
Attack Methods  Attacks  DoS (Denial of Service)  Malware.
Denail of Service(Dos) Attacks & Distributed Denial of Service(DDos) Attacks Chun-Chung Chen.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Review Exam 2 Spring 2013.
Instructor Materials Chapter 7 Network Security
CS4622 Team 4 Worms, DoS, and Smurf Attacks
Attack Methods Chapter 4
A Distributed DoS in Action
Presentation transcript:

Attack Methods Chapter 4 Corporate IT Security Copyright 2002 Prentice-Hall

2 Figure 4-1: Targeted System Penetration (Break-In Attacks) Unobtrusive Information Collection  Do research before sending any packets into the network Use in social engineering attacks Use as background for packet attacks  Corporate website  Trade press (often online and searchable)  Securities and Exchange Commission (SEC) web-enabled Internet financial database (Figure 4-2)

3 Figure 4-2: Securities and Exchange Commission's Edgar Service

4 Figure 4-1: Targeted System Penetration (Break-In Attacks) Unobtrusive Information Collection  Whois database (Figure 4-3) Information about responsible person Information about IP addresses of DNS servers, to find firm’s IP address block Easy if assigned a classful address block (Figure 4-4) Difficult is CIDR address block or a block of ISP addresses

5 Registrant: Panko, Ray (PUKANUI-DOM)PUKANUI-DOM 1000 Pukanui St. Honolulu, HI US Domain Name: PUKANUI.COM Administrative Contact: Panko, Ray 1000 Pukanui St. Honolulu, HI US (808) Figure 4-3: Whois Entry for Pukanui.Com (from

6 Registrant: Technical Contact: VeriSign, Inc. (HOST-ORG) VeriSign, Inc Ridgetop Circle Dulles, VA US fax: - Record expires on 07-Jul-2003 Record created on 07-Jul-2001 Database last updated on 7-Jun :07:22 EDT. Domain servers in listed order: NS76.WORLDNIC.COM NS75.WORLDNIC.COM Figure 4-3: Whois Entry for Pukanui.Com (from DNS Servers

7 Figure 4-4: Classful IP Address Allocations Example  Suppose DNS server is  Must be a Class B address block (from table lookup)  Therefore, the network part is 16 bits:  Address block must be to ClassInitial IP Address in Class Last IP Address in Class Size or Network Part Addresses in Block Allocated to Firm A ,777,214 B ,534 C

8 Figure 4-1: Targeted System Penetration (Break-In Attacks) IP Address Spoofing (Figure 3-17)  Put false IP addresses in outgoing attack packets Attacker is blind to replies  Use series of attack platforms (Figure 4-5)

9 Figure 4-5: Using a Chain of Attack Hosts Attacker Victim Compromised Host Compromised Host Attack Replies Allows Reading of Replies Without Exposing Attacker

10 Figure 4-5: Using a Chain of Attack Hosts Subsequent Trace Back Successful Connection Broken Connection Broken Compromised Host Compromised Host Attacker Victim

11 Figure 4-1: Targeted System Penetration (Break-In Attacks) Host Scanning  To identify IP addresses of potential victims  Ping individual hosts (Figure 4-6)  Ping all IP addresses in block for live IP addresses (Figure 4-7)

12 Figure 4-6: Ping at the Windows Command Prompt

13 Figure 4-7: Ping Scanning With Ping Sweep

14 Figure 4-1: Targeted System Penetration (Break-In Attacks) Host Scanning  Ping often is blocked by firewalls  Send TCP SYN/ACK to generate RST segments (Figure 4-8) These are carried in IP packets that reveal the potential victim’s IP address  Other RST-generating attacks (SYN/FIN segments)

15 Figure 4-8: TCP SYN/ACK Host Scanning Attack

16 Figure 4-1: Targeted System Penetration (Break-In Attacks) Network Scanning  To learn about router organization in a network  Send Traceroute messages (Tracert in Windows systems) Port Scanning  Most break-ins exploit specific services For instance, IIS webservers Services listen for connections on specific TCP or UDP ports (HTTP=80)

17 Figure 4-1: Targeted System Penetration (Break-In Attacks) Port Scanning  Scan servers for open ports (Figure 4-9) Send SYN segments to a particular port number Observe SYN/ACK or reset (RST) responses  May scan for all well-known TCP ports (1024) and all well- known UDP ports (1024)  Or may scan more selectively  Scan clients for Windows file sharing ports ( ) Stealth scanning  Scan fewer systems and ports and/or scan more slowly to avoid detection

18 Figure 4-1: Targeted System Penetration (Break-In Attacks) Fingerprinting  Identify a particular operating system or application program and (if possible) version For example, Microsoft Windows 2000 Server For example, BSD LINUX 4.2 For example, Microsoft IIS 5.0  Useful because most exploits are specific to particular programs or versions

19 Figure 4-1: Targeted System Penetration (Break-In Attacks) Fingerprinting  Active fingerprinting Send odd messages and observe replies Different operating systems and application programs respond differently Odd packets may set off alarms

20 Figure 4-1: Targeted System Penetration (Break-In Attacks) Fingerprinting  Passive fingerprinting Read packets and look at parameters (TTL, window size, etc.)  If TTL is 113, probably originally 128. Windows 9X, NT 4.0, 2000, or Novell NetWare  Window size field is 18,000. Must be Windows 2000 Server Less precise than active fingerprinting

21 Figure 4-9: NMAP Port Scanning and Operating Systems Fingerprinting

22 Figure 4-1: Targeted System Penetration (Break-In Attacks) The Break-In  Password Guessing Seldom works because attacker is locked our after a few guesses  Exploits that take advantage of known vulnerabilities that have not been patched Exploits are easy to use Frequently effective The most common break-in approach today  Session hijacking (Figure 4-10) Take over an existing TCP communication session Difficult to do (must guess TCP sequence numbers), so not commonly done

23 Figure 4-10: Session Hijacking

24 Figure 4-1: Targeted System Penetration (Break-In Attacks) After the Break-In  Install rootkit Usually downloaded through trivial file transfer protocol (TFTP)  Erase audit logs  Create backdoors for reentry if original hacking vulnerability is fixed Backdoor accounts Trojanized programs that permit reentry

25 Figure 4-1: Targeted System Penetration (Break-In Attacks) After the Break-In  Weaken security  Unfettered access to steal information  Install victimization software Keystroke capture programs Spyware Remote Administration Trojans (RATs) Attack software to use against other hosts

26 Figure 4-11: Denial-of-Service (DoS) Attacks Introduction  Attack on availability  Act of vandalism Single-Message DoS Attacks  Crash a host with a single attack packet  Examples: Ping-of-Death, Teardrop, and LAND  Send unusual combination for which developers did not test

27 Figure 4-11: Denial-of-Service (DoS) Attacks Flooding Denial-of-Service Attacks  SYN flooding (Figure 4-12) Try to open many connections with SYN segments Victim must prepare to work with many connections Victim crashes if runs out of resources; at least slows down More expensive for the victim than the attacker

28 Figure 4-12: SYN Flooding DoS Attack SYN Attacker Victim Attacker Sends Flood of SYN Segments Victim Sets Aside Resources for Each Victim Crashes or Victim Becomes Too Overloaded to Respond to the SYNs from Legitimate Uses

29 Figure 4-13: Smurf Flooding DoS Attack “Innocent” Firm Attacker Single ICMP Echo Message Source IP: (Victim) Destination IP: Broadcast Echo 4. Echo Replies Victim Router with Broadcasting Enabled 3. Broadcast Echo Message

30 Figure 4-14: Distributed Denial-of- Service (DDoS) Attack Attacker Attack Command Handler Attack Command Zombie Attack Packet Victim Attack Packet Zombie Handler Attack Command

31 Figure 4-11: Denial-of-Service (DoS) Attacks Stopping DoS Attacks  Ingress filtering to stop attack packets (Figure 4- 14)  Limited ability of ingress filtering because link to ISP might become overloaded  Egress filtering by attacker’s company or ISP  Requires cooperating from attacker’s company or ISP  Requires a community response; victim cannot do it alone

32 Figure 4-15: The Difficulty of Stopping DoS Attacks 2. Attack Packets Blocked But Internet Backbone Site Border Firewall Attack packets 1. ISP Access Line Saturated by Attack Packets 3. Legitimate Packets Cannot Get Through 4. Attacks Must Be Stopped on the Internet ISP 5. Other Companies Must Harden Hosts So They Are Not Compromised and Used in Attacks

33 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity attacks

34 Figure 4-16: Malicious Software (Malware) Types of malware  Viruses: infect files or system sectors on disk Attach themselves to executable programs or to disk system sectors (mostly the former) Infected file must be executed for virus to be able to work  Worms: propagate by themselves between hosts  Payloads Malicious: designed to do damage “Benign” may do damage accidentally

35 Figure 4-16: Malicious Software (Malware) Types of malware  Active Content in Webpages, HTML Bodies HTML scripts or small programs (applets) Attack directly when clicked on or download a malicious program User can turn off active content execution, but webpage functionality will be reduced  Non-mobile malware Trojan horses, etc.

36 Figure 4-16: Malicious Software (Malware) Types of malware  Blended threats combine attack vectors and after-attack damage tools Propagate in multiple ways: as viruses, worms and active content Afterward, do damage directly, and download non-mobile attack programs

37 Figure 4-16: Malicious Software (Malware) Viruses  Executable versus macro viruses Executable viruses attach to executable programs (traditional) Macro viruses attach as macros (series of commands) to data file; executed when file is opened  Propagation vectors Exchange floppy disks (rare)

38 Figure 4-16: Malicious Software (Malware) Viruses  Propagation vectors attachments  offers easy attachment delivery  90% of viruses spread via attachments today  An epidemic: virus in every 200 to 400 e- mail messages  Some users open attachments from people they trust

39 Figure 4-16: Malicious Software (Malware) Viruses  Propagation vectors attachments  But good people get viruses  Viruses send pretending to be coming from victim  Should open attachments only if specifically expected and still scan with updated virus program  HTML bodies may execute malware automatically

40 Figure 4-16: Malicious Software (Malware) Viruses  Propagation vectors IRC and instant messaging (IM) FTP and website downloads

41 Figure 4-16: Malicious Software (Malware) Antivirus Protection  Location for Filtering On clients (often disabled by users) On mail servers (does not require user compliance) Outsourced scanning outside the firm (advantages of scale and experience)

42 Figure 4-16: Malicious Software (Malware) Antivirus Protection  Scanning Method Signature scanning (characteristic sequence of commands for a particular virus)  Dominant scanning method today Behavioral scanning (what the virus tries to do, for instance reformat the hard drive)  Can stop new viruses and worms  Many false alarms and misses

43 Figure 4-16: Malicious Software (Malware) Antivirus Protection  Two nightmares for antivirus professionals Flash viruses that spread too rapidly for signatures to be developed  Not a theoretical concern. In 2001, Nimda became the most widespread Internet virus/worm within 22 minutes!  Behavioral scanning and outsourcing firms that see many instances quickly will become important

44 Figure 4-16: Malicious Software (Malware) Antivirus Protection  Two nightmares for antivirus professionals Metamorphic viruses  Instead of placing their code at the end of the infected file, they place it throughout the file  Might make signature detection inaccurate  Might make signature detection too slow to be workable

45 Figure 4-16: Malicious Software (Malware) Antivirus Protection  Recovery Detection and Identification Repair  Go to the antivirus vendor’s website  Malware-specific repair program or manual procedure

46 Figure 4-16: Malicious Software (Malware) Antivirus Protection  Recovery Repair  Often, infected programs must be reinstalled- sometimes the entire operating system  Some or all data since the last backup might be lost  If damage to data files took place over a period of time, a company might not know when its last clean backup was  Extremely time consuming

47 Figure 4-16: Malicious Software (Malware) Nimda Worm of 2001  Highly sophisticated blended threat  Spread by infected clients infecting other clients Spread by sending in client’s name (often accepted because receivers recognize and trust the name) Spread by open file shares on client

48 Figure 4-16: Malicious Software (Malware) Nimda Worm of 2001  Spread by infected clients infecting webservers Client scanning for IIS webservers almost constitutes a DoS attack Client infects IIS webserver through backdoors left by previous viruses and worm Client infects IIS webserver through unpatched directory traversal vulnerability

49 Figure 4-16: Malicious Software (Malware) Nimda Worm  Spread by IIS webserver infecting clients with malicious links, often executed automatically when the page is downloaded  Trojanizes various files so they are difficult to find and clean out  Multiple propagation vectors allowed Nimda to become the Internet’s most widespread virus/worm within 22 minutes

50 Figure 4-16: Malicious Software (Malware) MyDoom Worm (2004)  mass-mailing worm selects from a list of subjects, message bodies, and attachment file names for its messages. It spoofs the sender name of its messages so that they appear to have been sent by different users instead of the actual users on infected machines. messages  can also propagate through the Kazaa peer-to-peer file- sharing network  performs a denial of service (DoS) attack against the software business site  runs a backdoor component, which it drops as the file SHIMGAPI.DLL. The backdoor component opens port 3127 to 3198 to allow remote users to access and manipulate infected systems  One in nine s infected within the first week