Published by Adrienne Mader. Modified over 9 years ago.
1
Dr. Igor Santos
2
Denial of Service
Man in the Middle
ICMP attacks
3
Denial of Service (DoS)
4
Denial-of-Service (DoS)
Exclusive appropriation of a resource or service with the intention of preventing access by third parties
Attacks designed to collapse a resource or system with the intent of destroying the service
Removing the service delivered by a system connected to a network
5
Many DoS attacks are based on bandwidth
If I have more bandwidth than you, I can send you a lot of traffic and you get flooded
What if the attacker does not have more bandwidth than the victim?
▪ Use a DoS that is not based on bandwidth (e.g. Ping of Death, WinNuke, etc.)
▪ Use DDoS
6
Distributed Denial-of-Service (DDoS)
A denial of service attack in which a number of compromised systems attack a single system, causing the termination of a service
8
Goals
Disable the service
Disable the network
Disable the organization
Cause economic losses
9
DDoS against Wikileaks, 28/11/2010
http://news.cnet.com/8301-1009_3-57492527-83/wikileaks-endures-a-lengthy-ddos-attack/
Retaliatory attacks against MasterCard, PayPal, …
10
Anonymous attacks institutional websites in response to the closure of Megaupload, 20/01/2012
http://www.guardian.co.uk/technology/2012/jan/20/anonymous-attacks-after-megauploads-closure
11
Types of DoS attacks
Network Flooding
▪ SYN Flood
▪ FIN Flood
▪ Connection Flood
▪ ICMP Smurf
System Overload
▪ Computation (e.g. lots of encrypted sessions)
▪ Memory (e.g. heavy SQL queries)
▪ Disk (e.g. temporary files)
OS Vulnerabilities
▪ Ping of Death
▪ Land Attack
12
Network Flooding
13
SYN Flood
Based on the three-way handshake used to establish a TCP connection
The attacker initiates a high number of connections that are never completed, leaving the server waiting for the final ACK
These half-open connections consume a lot of resources on the server, and the result is a DoS
Very easy to perform
14
Pre-attack (three-way handshake)
15
Attack
16
The problem is that the OS has a very low limit on the number of half-open connections it can handle
If the limit is exceeded, the server does not respond to new connection requests
Half-open connections expire, releasing 'slots' for new connections
If the attack is sustained, the probability that a freed 'slot' is taken by a malicious SYN is very high
17
Example
Limit of 5-30 half-open connections that expire after about 2 minutes
To cause a DoS -> send a SYN every 4 seconds
18
Tools
hping3
▪ hping3 --flood -S -p 80
Others
▪ http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=syn+flood&type=archives&[search].x=0&[search].y=0
19
Countermeasures
SYN cookies
▪ Use the TCP sequence number to carry the session state
▪ The SYN queue is freed from maintaining that state
Raise the 'backlog queue'
▪ More 'slots' to connect to
▪ If not combined with SYN cookies, this can be counterproductive
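An added example (not part of the lecture) of the SYN-cookie countermeasure: the server derives its ISN from a time slot, an MSS index and a keyed MAC of the connection 4-tuple, so a half-open connection occupies no queue slot and the final ACK can be validated statelessly. The secret, the MSS table and the 64-second slot length are constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed secret for this example; a real stack rotates its secret regularly.
SECRET = b"example-syn-cookie-secret"
# Four MSS buckets encoded in the low bits of the cookie (illustrative table).
MSS_TABLE = (536, 1300, 1440, 1460)
COOKIE_BITS = 24
COOKIE_MASK = (1 << COOKIE_BITS) - 1
SLOT_SECONDS = 64          # a cookie is accepted in its own slot and the next one (~2 minutes)

def _slot(now):
    """8-bit time slot counter."""
    return (int(now) // SLOT_SECONDS) & 0xFF

def _mac(src, sport, dst, dport, slot):
    """Keyed 24-bit MAC over the 4-tuple and the time slot."""
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & COOKIE_MASK

def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Server ISN for the SYN+ACK; nothing is stored in the SYN queue."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):   # largest table entry not above the client's MSS
        if m <= mss:
            idx = i
    slot = _slot(now)
    low = (_mac(src, sport, dst, dport, slot) + idx) & COOKIE_MASK
    # 32-bit ISN = client ISN + (8-bit slot << 24) + 24-bit keyed field, modulo 2^32
    return (client_isn + (slot << COOKIE_BITS) + low) & 0xFFFFFFFF

def check_cookie(src, sport, dst, dport, client_seq, ack, now):
    """Validate the handshake's final ACK. Returns the MSS to use, or None if invalid."""
    client_isn = (client_seq - 1) & 0xFFFFFFFF
    cookie = (ack - 1 - client_isn) & 0xFFFFFFFF     # recovers (slot << 24) + low
    slot = cookie >> COOKIE_BITS
    if (_slot(now) - slot) & 0xFF > 1:
        return None                                   # older than two slots: expired
    idx = ((cookie & COOKIE_MASK) - _mac(src, sport, dst, dport, slot)) & COOKIE_MASK
    if idx >= len(MSS_TABLE):
        return None                                   # MAC mismatch: forged or garbled ACK
    return MSS_TABLE[idx]
```

A blind forgery of the final ACK succeeds only by guessing the 24-bit keyed field, which is why the queue no longer needs to hold state while the SYN+ACK is outstanding.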
20
FIN Flood
Send a TCP packet with the FIN flag set and a forged source IP, source port and sequence number
If there is a connection with that IP and source port, and the sequence number matches, the legitimate connection is closed
▪ Formerly, operating systems used consecutive sequence numbers!
Otherwise, it simply saturates the network with traffic
21
Connection Flood
Connection-oriented services (e.g. FTP, HTTP, SMTP, ...) have a limit on the number of simultaneous connections they support
When the limit is reached, new connections are rejected
The attacker tries to monopolize the established connections
Similar to a SYN flood, but in this case the TCP connection (three-way handshake) is fully established
22
ICMP Smurf
Based on IP spoofing and broadcast
It involves sending an ICMP packet, for example an Echo Request, to the broadcast address of a subnet (the amplifier)
All machines on that subnet answer the broadcast
If the packet's source IP is spoofed, all the responses go to that IP (the victim)
23
For every packet sent, the victim receives hundreds of responses -> FLOOD
This attack only works if the amplifier's router is misconfigured
25
OS Vulnerabilities
26
Land Attack
A bug in the implementation of the TCP/IP stack on Windows platforms
A SYN packet is sent to an open port of the victim with the same source and destination addresses
The OS kernel sends ACKs to itself, causing a DoS
28
Ping of Death
An ICMP packet is sent with a total size greater than the maximum allowed by the RFC (65,535 bytes)
The packet is fragmented and reassembled at the destination
If the system is vulnerable, it crashes when reassembling
Current systems are not vulnerable
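An added detection example (not from the lecture) covering the ICMP Smurf slide and the two OS-vulnerability slides above: each check is the sanity test a host or sensor can apply before acting on a packet, namely source equal to destination on a SYN (Land), a fragment that would end past 65,535 bytes (Ping of Death), and an echo request aimed at one of our directed-broadcast addresses (Smurf). The packet dicts, subnet and addresses are constructed sample data.

```python
import ipaddress

IP_MAX_BYTES = 65535        # maximum IP datagram size, as on the Ping of Death slide
IP_HEADER_BYTES = 20        # header length assumed for the reassembled datagram

def classify_packet(pkt, local_subnets):
    """Return the DoS signatures a packet matches (empty list = nothing suspicious).

    pkt is a constructed dict: src, dst, proto ('tcp' or 'icmp'), and optionally
    flags (set of TCP flags), icmp_type, frag_offset (8-byte units), payload_len.
    """
    hits = []
    # Land: a SYN whose source address equals its destination address
    if pkt["proto"] == "tcp" and "SYN" in pkt.get("flags", set()) and pkt["src"] == pkt["dst"]:
        hits.append("land")
    # Ping of Death: this fragment would end beyond the 65,535-byte datagram limit,
    # so a reassembler must reject it instead of writing past its buffer
    end = IP_HEADER_BYTES + pkt.get("frag_offset", 0) * 8 + pkt.get("payload_len", 0)
    if end > IP_MAX_BYTES:
        hits.append("ping_of_death")
    # Smurf: ICMP echo request (type 8) sent to one of our directed-broadcast addresses
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8:
        dst = ipaddress.ip_address(pkt["dst"])
        if any(dst == net.broadcast_address for net in local_subnets):
            hits.append("smurf_amplification")
    return hits

def scan(packets, local_subnets):
    """Map packet index -> signatures, keeping only packets that matched something."""
    findings = {}
    for i, pkt in enumerate(packets):
        hits = classify_packet(pkt, local_subnets)
        if hits:
            findings[i] = hits
    return findings

# Constructed sample traffic: one packet per attack type, then a normal SYN.
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp", "flags": {"SYN"}, "payload_len": 20},
    {"src": "198.51.100.5", "dst": "192.0.2.20", "proto": "icmp", "icmp_type": 8,
     "frag_offset": 8180, "payload_len": 120},          # 20 + 65440 + 120 = 65580 bytes
    {"src": "203.0.113.9", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8, "payload_len": 56},
    {"src": "198.51.100.5", "dst": "192.0.2.20", "proto": "tcp", "flags": {"SYN"}, "payload_len": 0},
]
```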
30
Man in the Middle (MitM)
31
MitM: Man in the Middle
An attack in which one is able to read, insert and modify at will the messages between two parties, without either of them knowing that the link between them has been compromised
The attacker must be able to observe and intercept messages between the two victims
32
Most used MitM techniques
MAC flooding
ARP spoofing
DNS spoofing
SSL strip
33
MAC flooding
An attack to compromise switches
CAM table (Content Addressable Memory): maps MAC addresses to switch ports
The attacker sends frames with different source MACs in order to saturate the limited memory of the CAM table
Once saturated, the switch acts as a hub
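An added toy model (not from the lecture) of the CAM-table behaviour described above: a fixed-size table that evicts its oldest entry and floods frames for unknown destinations, beside the usual countermeasure of limiting the MAC addresses learnt per port (what switch vendors call port security). Table size, MAC addresses and the noisy port are constructed for the example.

```python
from collections import OrderedDict

class Switch:
    """Toy switch: fixed-size CAM table plus an optional per-port MAC limit."""

    def __init__(self, cam_size, max_macs_per_port=None):
        self.cam_size = cam_size
        self.max_per_port = max_macs_per_port
        self.cam = OrderedDict()          # mac -> port, oldest entry first
        self.shutdown_ports = set()       # ports disabled by a port-security violation
        self.flooded = 0                  # frames that had to go out every port

    def learn(self, src_mac, in_port):
        """Record the source MAC of a frame seen on in_port. Returns False if refused."""
        if in_port in self.shutdown_ports:
            return False
        if self.max_per_port is not None and src_mac not in self.cam:
            seen = sum(1 for p in self.cam.values() if p == in_port)
            if seen >= self.max_per_port:
                self.shutdown_ports.add(in_port)   # too many MACs on one port: shut it
                return False
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)          # refresh an existing entry
        else:
            if len(self.cam) >= self.cam_size:
                self.cam.popitem(last=False)       # table full: evict the oldest entry
            self.cam[src_mac] = in_port
        return True

    def forward(self, dst_mac):
        """Port a frame for dst_mac goes to, or 'FLOOD' when the switch behaves like a hub."""
        port = self.cam.get(dst_mac)
        if port is None:
            self.flooded += 1
            return "FLOOD"
        return port

def demo(cam_size=8, per_port_limit=None):
    """Two legitimate hosts, then a port that presents 100 distinct source MACs.

    Returns (where a frame for host B is forwarded, whether port 3 was shut down).
    """
    sw = Switch(cam_size, per_port_limit)
    sw.learn("aa:aa:aa:aa:aa:01", 1)      # host A on port 1
    sw.learn("aa:aa:aa:aa:aa:02", 2)      # host B on port 2
    for i in range(100):                  # constructed noisy port 3
        sw.learn(f"02:00:00:00:{i >> 8:02x}:{i & 0xFF:02x}", 3)
    return sw.forward("aa:aa:aa:aa:aa:02"), 3 in sw.shutdown_ports
```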
35
ARP spoofing
Also known as ARP poisoning
Fake ARP messages are sent to the network
Usually the aim is to associate the attacker's MAC address with the IP address of another node (the attacked node)
▪ E.g. the default gateway, in order to see all traffic to the Internet
36
Any traffic directed to the attacked node's IP address is mistakenly sent to the attacker rather than to its actual destination
Passive attack
▪ Traffic is only observed
▪ It is then redirected to the gateway
Active attack
▪ The data are modified before being forwarded to the gateway
41
Tool: Ettercap
ettercap -G
▪ Sniff → Unified sniffing
▪ Hosts → Host list
▪ Hosts → Scan for hosts
▪ Add the gateway as Target1
▪ Add the victim as Target2
▪ Start → Start Sniffing
▪ Mitm → Arp poisoning (sniff remote connections)
42
Countermeasures
ArpON - http://arpon.sourceforge.net
Patriot NG - http://www.security-projects.com/?Patriot_NG
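An added example (not from the lecture, and not the code of ArpON or Patriot NG) of the detection idea behind such countermeasures: keep a table of the IP-to-MAC bindings announced on the LAN, alert when a binding changes, rate a change of the gateway's binding as critical, and report any MAC that claims several IPs, which is the pattern the passive and active attacks on the previous slide leave behind. The ARP replies and addresses are constructed sample data.

```python
GATEWAY_IP = "10.0.0.1"

# Constructed ARP replies as seen by a monitor on the LAN: (time, sender_ip, sender_mac)
ARP_REPLIES = [
    (0, "10.0.0.1", "00:11:22:33:44:01"),
    (1, "10.0.0.23", "00:11:22:33:44:23"),
    (5, "10.0.0.1", "00:11:22:33:44:01"),      # same binding again: no alert
    (9, "10.0.0.1", "de:ad:be:ef:00:99"),      # gateway IP now claimed by another MAC
    (9, "10.0.0.23", "de:ad:be:ef:00:99"),     # the same MAC now claims the victim too
]

def watch_arp(replies, gateway_ip):
    """Track IP -> MAC bindings and report every change.

    Returns a list of alerts (time, ip, old_mac, new_mac, severity); a change of the
    gateway's binding is 'critical', any other change is 'warning'.
    """
    bindings = {}
    alerts = []
    for t, ip, mac in replies:
        old = bindings.get(ip)
        if old is not None and old != mac:
            severity = "critical" if ip == gateway_ip else "warning"
            alerts.append((t, ip, old, mac, severity))
        bindings[ip] = mac
    return alerts

def macs_claiming_many(replies):
    """MACs that announced more than one IP: {mac: sorted list of IPs}."""
    claims = {}
    for _, ip, mac in replies:
        claims.setdefault(mac, set()).add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}
```

A static ARP entry for the gateway on each host, or a switch feature such as dynamic ARP inspection, stops the poisoning itself; this monitor only makes it visible.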
43
DNS spoofing
Fake the 'domain name - IP' relationship in name resolution queries
Resolve a certain DNS name to a fake address, or vice versa
Tool: Ettercap
▪ Edit /usr/local/share/ettercap/etter.dns
▪ Plugins -> Manage plugins… -> dns_spoof
44
SSL strip
Intercept HTTPS traffic
Perform a MitM between the server and the client and replace every 'https://' link with 'http://'
▪ The victim and the attacker communicate over HTTP
▪ The attacker and the server communicate over HTTPS, with the server's certificate
▪ The attacker is able to see all of the victim's traffic unencrypted
46
ICMP Attacks
47
Attacks based on sending special ICMP packets (not 'echo requests')
ICMP redirect
Source Quench
Blind Connection-Reset
…
48
ICMP redirect
It makes use of ICMP type 5 - Redirect
Used by a router to tell other hosts about an alternative route that bypasses it
The router generates an ICMP 'redirect' with the path information it believes is best
If the host receiving the 'redirect' packet trusts what it says, it accepts the new route
▪ Can be used to carry out 'man in the middle' attacks
▪ ICMP redirects should be filtered
49
Source Quench
It makes use of ICMP type 4 - Source Quench
It will be declared obsolete in the next revision of ICMP
It is used to ask the sender to lower the rate at which it is sending traffic
It can be used to cause a DoS
50
Blind Connection-Reset
When TCP receives a 'hard' ICMP error, it aborts the connection
Errors considered hard: ICMP type 3 (Destination Unreachable)
▪ Code 2 (protocol unreachable)
▪ Code 3 (port unreachable)
▪ Code 4 (fragmentation needed and DF bit set)
Tools: icmp-reset, http://www.gont.com.ar/tools/icmp-attacks/
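An added example (not from the lecture or the icmp-reset tool) contrasting the behaviour the slide describes with the hardened handling recommended in RFC 5927: a hard error is only acted on if the TCP segment quoted inside the ICMP message carries a sequence number the local side actually has in flight (snd_una <= seq < snd_nxt), code 4 feeds path-MTU discovery instead of aborting, and an established connection treats the remaining hard errors as soft. The connection state and quoted segments are constructed sample data.

```python
HARD_ERRORS = {(3, 2), (3, 3), (3, 4)}   # Destination Unreachable: protocol, port, frag needed
SEQ_MOD = 1 << 32

# One TCP connection as the local stack sees it (constructed state for the example).
CONN = {
    "local": ("192.0.2.10", 443), "remote": ("198.51.100.7", 51000),
    "snd_una": 1000, "snd_nxt": 1400,   # oldest unacknowledged / next sequence number to send
}

def _quoted_matches_4tuple(conn, quoted):
    """Does the IP/TCP header quoted in the ICMP message name this connection?"""
    return (quoted["src"], quoted["sport"]) == conn["local"] and \
           (quoted["dst"], quoted["dport"]) == conn["remote"]

def legacy_action(conn, icmp_type, icmp_code, quoted):
    """Behaviour the slide describes: any hard error naming the 4-tuple aborts."""
    if (icmp_type, icmp_code) in HARD_ERRORS and _quoted_matches_4tuple(conn, quoted):
        return "abort"
    return "ignore"

def hardened_action(conn, state, icmp_type, icmp_code, quoted):
    """RFC 5927-style handling: validate the quoted sequence number and consider the TCP state."""
    if (icmp_type, icmp_code) not in HARD_ERRORS or not _quoted_matches_4tuple(conn, quoted):
        return "ignore"
    # The quoted segment must be one we sent and that is still unacknowledged:
    # snd_una <= seq < snd_nxt, computed modulo 2^32 so sequence wrap is handled.
    in_flight = (conn["snd_nxt"] - conn["snd_una"]) % SEQ_MOD
    if (quoted["seq"] - conn["snd_una"]) % SEQ_MOD >= in_flight:
        return "ignore"                 # off-window: unsolicited, most likely forged
    if icmp_code == 4:
        return "pmtu"                   # fragmentation needed: adjust the path MTU, never abort
    if state in ("SYN_SENT", "SYN_RECEIVED"):
        return "abort"                  # connection not yet established: fail the attempt
    return "soft"                       # established: record the error, keep the connection
```

The off-window check is what makes the attack blind: without it, knowing the 4-tuple was enough to reset the connection; with it, the forger must also hit a sequence number inside the current send window.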
51
Images
http://www.flickr.com/photos/vanf/5047341611
http://www.flickr.com/photos/massimo_riserbo/5230786429
http://en.wikipedia.org/wiki/File:Stachledraht_DDos_Attack.svg
http://2.imimg.com/data2/PR/IW/MY-252130/vulnerability-assessment-250x250.jpg
http://www.flickr.com/photos/jinnrouge/3156175315
http://securitymusings.com/wp-content/uploads/2008/12/arp-spoofing.png
http://thaicomsec.citec.us/wp-content/uploads/2011/01/sslstrip.png
http://www.flickr.com/photos/julioalbarran/3349726207