Presentation is loading. Please wait.

Presentation is loading. Please wait.

Review Exam 2 Spring 2013.

Published byHugh Day Modified over 6 years ago

Similar presentations

Presentation on theme: "Review Exam 2 Spring 2013."— Presentation transcript:

1 Review Exam 2 Spring 2013

2 Targeted Break-in, DoS, & Malware attacks (I)

3 Unobtrusive Information Collection
Sending packets into a network is “noisy” Need to do unobtrusive info gathering, first, by Visiting target corporate website for Employees’ names and s Officers names and organizational structure, etc. Reading trade press (often online & searchable) for Info about products under development Firms’ financial prospects, etc. Searching U.S. EDGAR* system online for Ownership, shareholder information, etc. Searching the Whois database at: NetworkSolutions.com/whhois/index.jsp, internic.net/whois.html, etc. * Electronic Data Gathering, Analysis, and Retrieval

4 Host Scanning Ping scanning
Objective: identify IP addresses of active hosts Pinging individual hosts Ping scanning Pinging a range of IP addresses IP scanning software: fping, gping, Ping Sweep, Pinger SYN/ACK scanning used when firewall configured to block pinging from outside

5 Network Scanning Objective: understand a network internal structure including routers, firewalls location Also called network mapping Main tools used Tracert (in Windows) or Traceroute (in Linux) Network scanning software, e.g NetScanner

6 Port Scanning Port Scanning
Most break-ins exploit specific services/applications Service Default Port www 80 FTP 21 SMTP 25 Scan target for open ports Send SYN segments to a particular port number Observe SYN/ACK or reset (RST) responses

7 Fingerprinting Determining specific software run by target
Identify a particular operating system or application program and (if possible) version For example, Microsoft Windows 2000 Server For example, BSD LINUX 4.2 For example, Microsoft IIS 5.0 Useful because most exploits are specific to particular programs or versions

8 Active vs. Passive fingerprinting
Active Fingerprinting Send odd messages and observe replies Different operating systems and application programs respond differently Active fingerprinting may set off alarms Attackers usually use rate of attack messages below IDSs volume thresholds Passive Fingerprinting Read headers (IP-H, TCP-H, etc.) of normal response messages e.g. Windows 2000 uses TTL = 128 and Window Size = 18000 Passive Fingerprint difficult b/c Admin could change default values Time To Live (8 bits) Protocol (8 bits) 1=ICMP, 6=TCP,17=UDP Window Size (16 bits)

9 Fingerprinting by reading banners
Many programs have preset banners used in initiating communications Using telnet or FTP to connect to a server could display the banner

10 Summary Questions 1 (cont.)
In preparing his attack, the attacker sent normal HTTP requests to a web server. Then, he spent some time analyzing the protocol-related information in the response received from the web server in order to determine what software are installed on the web server. Which of the following did the attacker do? Active learning Network scanning Passive fingerprinting None of the above

11 Password guessing Brute force
Generating possible password combinations by changing one character at a time If password is 4 decimal numbers Start with 0000; next try 0001; then 0002; etc. How many possible combinations? ___________ If password is 6 alphabetical characters, how many possible combinations? _____________ Brute force password cracking software available

12 Summary Questions 2 (cont.)
Assume that a password is 2 decimal number long. What is the maximum number of passwords that an attacker would have to try in order to crack the password? 4 1024 None of the above How much time (in minutes) will it take to crack the password if it requires 1.2 second to try each password? Answer: a maximum of ______ minutes.

13 Targeted Break-in, DoS, & Malware attacks (II)

14 TCP opening and DoS Server 1 . SYN Waiting for request from Computer 1 SYN/ACK ACK 2 SYN Waiting for request from Computer 2 SYN/ACK ACK 3 SYN Waiting for request from Computer 3 SYN/ACK ACK . For each TCP connection request (SYN), server has to: Respond to the request (SYN/ACK) Set resources aside in order respond to each data request

15 Denial of Service (DoS)
Attacker’s Home Network What resources the web server would use to respond to each of the HTTP requests it receives? What could be the consequences of the web server being invaded by too much requests from the attacker?

16 Denial of Service (DoS) Attack
Attack that makes a computer’s resources unavailable to legitimate users Types of DoS attacks: Single-message DoS Flooding DoS Distributed DoS

17 Single-message DoS attacks
First kind of DoS attacks to appear Exploit weakness in the coding of operating systems and network applications Three main single-message DoS: Ping-of-Death Teardrop LAND attack

18 Fragment Offset (13 bits)
Total Length (16 bits) Flags Fragment Offset (13 bits) Ping of Death attacks Take advantage of Fact that TCP/IP allows large packets to be fragmented Some network applications & operating systems’ inability to handle packets larger than bytes Attacker sends IP packets that are larger than 65,536 bytes through IP fragmentation. Ping of death attacks are rare today as most operating systems have been fixed to prevent this type of attack from occurring. Example of PoD code and vulnerable Operating Systems: Fix Add checks in the reassembly process or in firewall to protect hosts with bug not fixed Check: Sum of Total Length fields for fragmented IP is < bytes Fragment offset: identify which fragment this packet is attached to. Flags: indicates whether packet could be fragmented or not

19 Teardrop attacks Take advantage of IP fragmentation
Total Length (16 bits) Flags Fragment Offset (13 bits) Teardrop attacks Take advantage of IP fragmentation Attacker sends a pretend fragmented IP packet But Fragment Offset values are not consistent Earlier operating systems* and poorly coded network applications crash because Unable to reassemble the packet due to missing fragments Pretend fragmented IP packet Frag 1 Frag 2 Frag 4 Attacker Victim * Win 3.1, Win 95, Win NT, and Linux prior to 2.163

20 LAND attacks First, appeared in 1997 Attacker uses IP spoofing with
source and destination addresses referring to target itself. Back in time, OS and routers were not designed to deal with this kind of loopback Problem resurfaces recently with Windows XP and Windows Server

21 Summary Questions 1 Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability? Which of the following DoS attacks takes advantage of IP fragmentation? LAND attack Teardrop Ping of Death None of the above In which of the following DoS attacks the attacker makes use of IP spoofing?

22 Flooding DoS Attacks Flood a target with a series of messages in an attempt to make it crash Main types of flooding DoS attacks: Flooding with regular requests SYN flooding Smurf flooding Distributed DoS

23 SYN Flooding Attacker sends a series of TCP SYN opening requests
For each SYN, the target has to Send back a SYN/ACK segment, and set aside memory, and other resources to respond When overwhelmed, target slows down or even crash SYN takes advantage of client/server workload asymmetry SYN SYN SYN SYN SYN Attacker Victim

24 Smurf Flooding DoS Attacker uses IP spoofing
Attacker sends ping / echo messages to third party computers on behalf of the target All third party computers respond to target

25 Distributed DoS (DDoS) Attack
Attacker hacks into multiple clients and plants handler programs on them. Clients become bots or intermediaries Attacker sends attack commands to handlers which execute the attacks First appeared in 2000 with Mafiaboy attack against cnn.com, ebay.com, etrade.com, yahoo.com, etc. Attack Command DoS Messages Bots Attack Command Server Handler Attacker Attack Command DoS Messages Link to how to deal with DDoS (by Cisco)

26 Distributed DoS (DDoS) Attack

27 Distributed DoS (DDoS) Attack

28 Malware Attacks

29 Malware attacks Types of malware: Viruses Worms Trojan horses
Logic bombs

30 Virus Code/Program (script, macro) that: attaches to files Symptoms:
Spreads by user actions (floppy disk, flash drive, opening attachment, IRC, FTP, etc), not by themselves. Symptoms: Annoying actions when the virus is executed: hog up memory, crash the system, drives are not accessible, antivirus disabled, etc. Performing destructive actions when they are executed: delete files, alter files, etc.

31 Viruses Could be Boot sector viruses: attach themselves to files in boot sector of HD File infector viruses: attach themselves to files (i.e. program files and user files) Polymorphic viruses: mutate with every infection (using encryption techniques), making them hard to locate Metamorphic viruses: rewrite themselves completely each time they are to infect new executables* Stealth: hides itself by intercepting disk access requests by antivirus programs. Request by antivirus The stealth returns an uninfected version of files to the anti-virus software, so that infected files seem "clean”. Stealth OS * metamorphic engine is needed

32 Question: Distinguish between viruses and worms
Does not attach to files A self-replicating computer program that propagate across a system Uses a host computer’s resources and network connections to transfer a copy of itself to another computer Harms the host computer by consuming processing time and memory Harms the network by consuming the bandwidth Question: Distinguish between viruses and worms

33 Trojan horse A computer program When executed, a Trojan horse could
That appears as a useful program like a game, a screen saver, etc. But, is really a program designed to damage or take control of the host computer When executed, a Trojan horse could Format disks Delete files Open TCP ports to allow a remote computer to take control of the host computer (Back Door) NetBus and SubSeven used to be attackers’ favorite programs for target remote control

34 Logic bomb Piece of malicious code intentionally inserted into a software system The bomb is set to run when a certain condition is met Passing of specified date/time Deletion of a specific record in a database Example: a programmer could insert a logic bomb that will function as follow: Scan the payroll records each day. If the programmer’s name is removed from payroll, then the logic bomb will destroy vital files weeks or months after the name removal.

Download ppt "Review Exam 2 Spring 2013."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Review For Exam 2 March 9, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Review For Exam 2 March 9, 2010 MIS 4600 – MBA © Abdou Illia.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.

Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
DENIAL OF SERVICE ATTACK

DENIAL OF SERVICE ATTACK
Denial of Service Attacks: Methods, Tools, and Defenses Authors: Milutinovic, Veljko, Savic, Milan, Milic, Bratislav,

Denial of Service Attacks: Methods, Tools, and Defenses Authors: Milutinovic, Veljko, Savic, Milan, Milic, Bratislav,
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
Attack Methods Chapter 4 Corporate IT Security Copyright 2002 Prentice-Hall.

Attack Methods Chapter 4 Corporate IT Security Copyright 2002 Prentice-Hall.
Video Following is a video of what can happen if you don’t update your security settings! security.

Video Following is a video of what can happen if you don’t update your security settings! security.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.
Targeted Break-in, DoS, & Malware attacks (II) (February 23 2015) © Abdou Illia – Spring 2015.

Targeted Break-in, DoS, & Malware attacks (II) (February ) © Abdou Illia – Spring 2015.
1 Higher Computing Topic 8: Supporting Software Updated 16-6-11.

1 Higher Computing Topic 8: Supporting Software Updated

Similar presentations

Ads by Google