
1 Dr. Igor Santos

2
• Denial of Service
• Man in the middle
• ICMP attacks

3  Denial of Service (DoS)

4  Denial-of-Service (DoS)
• Exclusive appropriation of a resource or service with the intention of preventing access by third parties
• Attacks designed to collapse a resource or system with the intent of destroying the service
• Removing the delivery of a service by a system connected to a network

5
• Many DoS attacks are based on bandwidth
• If I have more bandwidth than you, I can send you a lot of traffic and you get flooded
• What if the attacker does not have more bandwidth than the victim?
  ▪ Use a DoS that is not based on bandwidth (e.g. Ping of Death, WinNuke, etc.)
  ▪ Use DDoS

6  Distributed Denial-of-Service (DDoS)
• A denial of service attack in which a number of compromised systems attack a single system, causing the termination of a service


8  Goals
• Disable the service
• Disable the network
• Disable the organization
• Cause economic losses

9  DDoS against Wikileaks, 28/11/2010
• http://news.cnet.com/8301-1009_3-57492527-83/wikileaks-endures-a-lengthy-ddos-attack/
• Response attacks against MasterCard, PayPal, …

10  Anonymous attacks institutional websites in response to the closure of Megaupload, 20/01/2012
• http://www.guardian.co.uk/technology/2012/jan/20/anonymous-attacks-after-megauploads-closure

11  Types of DoS attacks
• Network Flooding
  ▪ SYN Flood
  ▪ FIN Flood
  ▪ Connection Flood
  ▪ ICMP Smurf
• System Overload
  ▪ Computation (e.g. lots of encrypted sessions)
  ▪ Memory (e.g. heavy SQL queries)
  ▪ Disk (e.g. temporary files)
• OS Vulnerabilities
  ▪ Ping of Death
  ▪ Land Attack

12  Network Flooding

13  SYN Flood
• Based on the Three-Way Handshake used to establish a TCP connection
• The attacker initiates a high number of connections that are never completed, leaving the server waiting for the final ACK
• They consume a lot of resources on the server, and there is a DoS
• Very easy to perform

14  Pre-attack (Three-Way Handshake)

15  Attack

16
• The problem is that the OS has a very low limit on the number of half-open connections it can handle
• If the limit is exceeded, the server does not respond to new connection requests
• Half-open connections expire, releasing 'slots' for new connections
• If the attack is maintained, the probability that one of these 'slots' is taken by a malicious SYN is very high

17  Example
• Limit of 5-30 half-open connections, which expire after about 2 minutes
• To cause a DoS -> send a SYN every 4 seconds

18  Tools
• Hping3
  ▪ hping3 --flood -S -p 80
• Others
  ▪ http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=syn+flood&type=archives&[search].x=0&[search].y=0

19  Countermeasures
• SYN cookies
  ▪ Use the TCP sequence number to carry the session state
  ▪ The SYN queue is freed from maintaining that state
• Raise the 'backlog queue'
  ▪ More 'slots' to connect to
  ▪ Can be counterproductive if not combined with SYN cookies
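
The SYN-cookie idea from slide 19, as an added example that is not part of the lecture: the server encodes everything it needs into the ISN of its SYN-ACK and keeps no half-open entry at all, so the limit from slide 16 no longer applies. The bit layout, secret and MSS table below are constructed for the demo; real stacks (e.g. Linux) use a different layout and rotate the secret.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real stack rotates it periodically.
SECRET = b"constructed-demo-secret"
# MSS values encodable in the cookie's low 2 bits (index 0..3).
MSS_TABLE = (536, 1300, 1440, 1460)


def _mac24(saddr, sport, daddr, dport, count):
    """24-bit keyed hash over the connection 4-tuple and a 6-bit time counter."""
    msg = struct.pack("!4sH4sHB", saddr, sport, daddr, dport, count)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, sport, daddr, dport, mss, count):
    """Server ISN for the SYN-ACK: MAC (24 bits) | counter (6 bits) | MSS index (2 bits).
    Nothing is stored for the half-open connection."""
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
    count &= 0x3F
    return (_mac24(saddr, sport, daddr, dport, count) << 8) | (count << 2) | mss_idx


def check_cookie(saddr, sport, daddr, dport, ack, now_count, max_age=2):
    """Validate the ACK that completes the handshake; return the MSS or None.
    All state needed to accept the connection is recovered from ack-1."""
    cookie = (ack - 1) & 0xFFFFFFFF
    mss_idx = cookie & 0x3
    count = (cookie >> 2) & 0x3F
    # Reject stale cookies (the counter ticks e.g. once a minute, modulo 64).
    if (now_count - count) & 0x3F > max_age:
        return None
    # Reject cookies not minted by us for exactly this 4-tuple.
    if (cookie >> 8) != _mac24(saddr, sport, daddr, dport, count):
        return None
    return MSS_TABLE[mss_idx]
```

A forged SYN costs the attacker a packet and the server only a hash; a spoofed ACK without a valid cookie is dropped without ever having consumed a slot.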

20  FIN Flood
• Send TCP packets with the FIN flag set and a spoofed source IP, varying the source port and the sequence number
• If there is a connection to that IP and source port and the sequence number matches, the legitimate connection is terminated
  ▪ Formerly, operating systems used consecutive sequence numbers!
• Otherwise, it simply saturates the network with traffic

21  Connection Flood
• Connection-oriented services (e.g. FTP, HTTP, SMTP, ...) have a limit on the number of simultaneous connections they support
• When the limit is reached, new connections are rejected
• The attacker attempts to monopolize the established connections
• Similar to the SYN flood, but in this case the TCP connection (three-way handshake) is fully established

22  ICMP Smurf
• Based on IP spoofing and broadcast
• It involves sending an ICMP packet, for example an Echo Request, to the broadcast address of a subnet (the amplifier)
• All machines on that subnet answer the broadcast
• If we spoof the packet's source IP, all the responses go to that IP (the victim)

23
• For every packet sent, the victim receives hundreds of responses -> FLOOD
• This attack works if the amplifier's router is misconfigured


25  OS Vulnerabilities

26  Land Attack
• Bug in the implementation of the TCP/IP stack on Windows platforms
• Send a SYN packet to an open port of the victim with the same source and destination addresses
• The OS kernel sends ACKs to itself, causing a DoS


28  Ping of Death
• An ICMP packet is sent with a total size greater than the maximum allowed by the RFC (65,535 bytes)
• The packet is fragmented and reassembled at the destination
• If the system is vulnerable, it crashes when reassembling it
• Current systems are not vulnerable


30  Man in the Middle (MitM)

31  MitM: Man in the Middle
• An attack in which one is able to read, insert and modify at will the messages between two parties, without either of them knowing that the link between them has been compromised
• The attacker must be able to observe and intercept the messages between the two victims

32  Most used MitM techniques
• MAC flooding
• ARP spoofing
• DNS spoofing
• SSL strip

33  MAC flooding
• Attack to compromise switches
• CAM table (Content Addressable Memory)
  ▪ Maps MAC addresses to switch ports
• The attacker sends packets with different source MACs in order to saturate the limited memory of the CAM table
• Once saturated, the switch acts as a hub


35  ARP spoofing
• Also known as ARP poisoning
• Sending fake ARP messages onto the network
• Usually the aim is to associate the attacker's MAC address with the IP address of another node (the attacked node)
  ▪ E.g. the default gateway, in order to see all traffic to the Internet

36
• Any traffic directed to the attacked node's IP address is mistakenly sent to the attacker, rather than to its actual destination
• Passive attack
  ▪ Traffic is only observed
  ▪ It is then redirected to the gateway
• Active attack
  ▪ The data are modified before being forwarded to the gateway


41  Tool: Ettercap
• ettercap -G
  ▪ Sniff → Unified sniffing
  ▪ Hosts → Host list
  ▪ Hosts → Scan for hosts
  ▪ Add the gateway as Target1
  ▪ Add the victim as Target2
  ▪ Start → Start Sniffing
  ▪ Mitm → Arp poisoning (sniff remote connections)

42  Countermeasures
• ArpON - http://arpon.sourceforge.net
• Patriot NG - http://www.security-projects.com/?Patriot_NG
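
What the countermeasures on slide 42 detect, as an added example that is not part of the lecture or of either tool: the poisoning on slides 35 and 36 shows up on the wire as ARP messages that claim an already known IP (typically the gateway) with a different MAC. The monitor below parses Ethernet+ARP frames, pins the gateway binding and alerts on any conflicting claim; the frames and addresses are constructed for the demo, not captured traffic.

```python
import struct

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def parse_arp(frame):
    """Return (sender_ip, sender_mac, opcode) for an Ethernet ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _tha, _tpa = ARP.unpack_from(frame, ETH.size)
    return ".".join(map(str, spa)), sha.hex(":"), op


class ArpMonitor:
    """Learns IP->MAC bindings and flags a sender claiming a known IP with another MAC.
    Pinned bindings (e.g. the gateway, the usual target) are never overwritten."""

    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})
        self.learned = {}
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        ip, mac, op = parsed
        known = self.pinned.get(ip) or self.learned.get(ip)
        if known is None:
            self.learned[ip] = mac  # first sighting: learn the binding
            return None
        if mac != known:
            kind = "reply" if op == ARP_REPLY else "request"
            alert = f"ARP conflict for {ip}: expected {known}, saw {mac} in {kind}"
            self.alerts.append(alert)
            return alert
        return None


def build_arp(op, smac, sip, tmac, tip):
    """Construct a demo Ethernet+ARP frame (test input, not captured traffic)."""
    ip4 = lambda s: bytes(map(int, s.split(".")))
    return ETH.pack(tmac, smac, ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, op, smac, ip4(sip), tmac, ip4(tip))
```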

43  DNS spoofing
• Fake the "domain name - IP" relationship for name resolution queries
• A given DNS name is resolved to a fake address, or vice versa
• Tool: Ettercap
  ▪ Edit /usr/local/share/ettercap/etter.dns
  ▪ Plugins -> Manage plugins…
  ▪ dns_spoof

44  SSL strip
• Intercept HTTPS traffic
• Perform a MitM between the server and the client and replace every "https://" with "http://"
  ▪ The victim and the attacker communicate over HTTP
  ▪ The attacker and the server communicate over HTTPS with the server's certificate
  ▪ The attacker can see all of the victim's traffic unencrypted


46  ICMP Attacks

47
• Attacks based on sending special ICMP packets (not echo requests)
• ICMP redirect
• Source Quench
• Blind Connection-Reset
• …

48  ICMP redirect
• Makes use of ICMP type 5 - Redirect
• Used by a router to tell other hosts about an alternative route that bypasses it
• The router generates an ICMP "redirect" with the path information it believes to be best
• If the host receiving the "redirect" packet trusts what it says, it accepts the new route
  ▪ Can be used to carry out "Man in the middle" attacks
  ▪ ICMP redirects should be filtered

49  Source Quench
• Makes use of ICMP type 4 - Source Quench
• It will be declared obsolete in the next revision of ICMP
• It is used so that the destination can ask the sender to lower the rate at which it is sending traffic
• It can be used to cause a DoS

50  Blind Connection-Reset
• When TCP receives a serious ICMP error, it aborts the connection
• Errors considered serious:
  ▪ ICMP type 3 (Destination Unreachable)
    ▪ Code 2 (protocol unreachable)
    ▪ Code 3 (port unreachable)
    ▪ Code 4 (fragmentation needed and DF bit set)
• Tools: icmp-reset
  ▪ http://www.gont.com.ar/tools/icmp-attacks/
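
The check that defeats the blind reset on slide 50, as an added example that is not part of the lecture or of the icmp-reset tool: RFC 5927 (by the same author as that tool) has TCP validate that the TCP segment quoted inside an ICMP hard error carries a sequence number within SND.UNA <= SEG.SEQ < SND.NXT before acting on it, so an off-path sender must guess a live sequence number instead of only the 4-tuple. The connection state, addresses and ICMP messages below are constructed for the demo.

```python
import struct

# Hard errors listed on slide 50: ICMP type 3, codes 2, 3 and 4.
HARD_ERRORS = {(3, 2), (3, 3), (3, 4)}
IPPROTO_TCP = 6


class TcpConn:
    """Minimal connection state: endpoints plus the send window SND.UNA..SND.NXT."""
    def __init__(self, laddr, lport, raddr, rport, snd_una, snd_nxt):
        self.local = (laddr, lport)
        self.remote = (raddr, rport)
        self.snd_una, self.snd_nxt = snd_una, snd_nxt


def parse_icmp_error(msg):
    """Extract (type, code, src, sport, dst, dport, seq) from an ICMP error whose
    payload quotes the offending IP header plus the first 8 bytes of TCP."""
    if len(msg) < 8 + 20 + 8:
        return None
    icmp_type, code, inner = msg[0], msg[1], msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != IPPROTO_TCP or len(inner) < ihl + 8:
        return None
    sport, dport, seq = struct.unpack_from("!HHI", inner, ihl)
    return icmp_type, code, inner[12:16], sport, inner[16:20], dport, seq


def should_abort(conn, msg):
    """RFC 5927 style check: honour an ICMP hard error only if it quotes a segment
    we really have in flight, i.e. SND.UNA <= SEG.SEQ < SND.NXT."""
    parsed = parse_icmp_error(msg)
    if parsed is None:
        return False
    icmp_type, code, src, sport, dst, dport, seq = parsed
    if (icmp_type, code) not in HARD_ERRORS:
        return False
    # The quoted segment was sent by us, so its source is our local endpoint.
    if (src, sport) != conn.local or (dst, dport) != conn.remote:
        return False
    # Modulo-2^32 window test; an off-path forger has to guess this value.
    in_flight = (conn.snd_nxt - conn.snd_una) & 0xFFFFFFFF
    return (seq - conn.snd_una) & 0xFFFFFFFF < in_flight


def build_icmp_error(icmp_type, code, src, sport, dst, dport, seq):
    """Construct a demo ICMP error message (test input, not captured traffic)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0, src, dst)
    tcp8 = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner_ip + tcp8
```

RFC 5927 additionally recommends treating these hard errors as soft errors once a connection is established; the sequence check above is the part that removes the "blind" from the attack.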


