
1 Denial of Service & Session Hijacking

2
- Rendering a system unusable to those who deserve it
- Consume bandwidth or disk space
- Overwhelming amount of spam
- Perform account lockout of valid users
- Considered an unsophisticated attack
- BOTs (zombies) and BOTnets
  - “Botnet of 1,000 bots has larger bandwidth than the Internet connection of most corporate networks.”
  - Oct 20, 2002: 9 of 13 DNS Root servers disabled for 1 hour
- DoS Tools
  - Ping of Death: packets are too large for reassembly
  - Ping Flood: too many pings to handle the traffic
  - Land attack: source IP matches target IP

3
- Use master/slave configuration
  - Phase 1: intrusion: infect systems to be zombies
  - Phase 2: attack: trigger slaves to attack
- DDoS Tools
  - Trinoo, Tribal Flood Network (TFN), TFN2K, Stacheldraht
- Controlling Bots
  - Usually done by IRC connections due to unencrypted and long connection times
  - http://www.pcmag.com/article2/0,2817,2348902,00.asp
  - http://it.slashdot.org/story/11/09/06/1944233/rent-your-own-botnet
  - http://www.inquisitr.com/19880/bbc-shows-what-happens-when-you-buy-a-botnet/

4
- Smurf attack: send many ICMP Echo (ping) packets to a broadcast IP address with the spoofed source address of the victim
  - http://www.nordu.net/articles/smurf.html
- Fraggle attack: use large amounts of UDP traffic instead of ICMP
- Preventing Smurf and Fraggle Attacks
  - http://www.javvin.com/networksecurity/SmurfAttack.html
- Teardrop attack: send overlapping or over-sized payloads to the target machine
  - http://www.physnet.uni-hamburg.de/physnet/security/vulnerability/teardrop.html
- SYN Flood: flood victim with TCP connection requests and then don’t finish the 3-way handshake
  - http://www.tech-mavens.com/synflood.htm

5
- SYN Cookies: don’t allocate resources until the 3-way handshake is complete
- RST Cookies: victim responds with an incorrect SYN-ACK so the attacker has to respond with notice of error
- Micro Blocks: allocate smaller memory space for connection record
- Stack Tweaking: modify the TCP/IP stack
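How the SYN cookie item on this slide avoids allocating state, as an added example that is not part of the original presentation: the server packs a time slot, an MSS index and a keyed MAC into its initial sequence number and rebuilds the connection only when a valid final ACK returns. The 5/3/24-bit layout is a simplified sketch, and the key, MSS table and addresses are constructed assumptions.

```python
import hashlib, hmac, ipaddress, struct

SECRET = b"constructed-demo-key"     # constructed; a real stack uses a random key
MSS_TABLE = [536, 1300, 1440, 1460]  # hypothetical table, indexed by 3 cookie bits
SLOT = 64                            # seconds per time slot

def _mac24(src, sport, dst, dport, client_isn, slot, idx):
    """24-bit keyed MAC over the 4-tuple, client ISN, time slot and MSS index."""
    msg = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    msg += struct.pack("!HHIIB", sport, dport, client_isn, slot & 0xFFFFFFFF, idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Return the server ISN for the SYN-ACK. Nothing is stored per connection."""
    slot = int(now) // SLOT
    # Largest table entry that does not exceed the MSS the client offered.
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = int.from_bytes(_mac24(src, sport, dst, dport, client_isn, slot, idx), "big")
    return ((slot % 32) << 27) | (idx << 24) | mac

def check_cookie(src, sport, dst, dport, client_isn, ack, now):
    """Validate the final ACK (ack = cookie + 1). Return the MSS, or None to drop."""
    cookie = (ack - 1) & 0xFFFFFFFF
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    for age in (0, 1):                       # accept current or previous slot only
        slot = int(now) // SLOT - age
        if slot % 32 != cookie >> 27:
            continue
        want = _mac24(src, sport, dst, dport, client_isn, slot, idx)
        if hmac.compare_digest(want, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[idx]            # only now is connection state allocated
    return None

# Constructed sample connection (documentation address ranges).
CONN = ("198.51.100.7", 40000, "203.0.113.10", 443, 12345)
```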

6
- Send ICMP echo packets of more than the 65,536 bytes allowed by the IP protocol
- Causes system to freeze, crash, or reboot
- Operating systems after 1997 are patched to prevent this

7
- Network-Ingress filter
- Rate-Limiting network Traffic (traffic shaping)
- Intrusion Detection Systems
- Automated Network-Tracing Tools
- Host & Network Auditing Tools
- DoS Scanning Tools
  - SARA (Security Auditor’s Research Assistant)
  - RID
  - Zombie Zapper

8
- Hacker gains control of authenticated session
- Made possible by sequence number prediction
- Sequence numbers (SN) range from 1 to 4,294,967,295
- Incremented by 128,000 / second + 64,000 for each connection

9
- Methods of hijacking
  - Session fixation: attacker sets user’s session to one known to him (I set your session ID to one I know)
  - Session sidejacking: attacker sniffs traffic to steal the session cookie
  - Cross-site scripting: attacker tricks user’s computer into running code that captures the session cookie
- Active vs Passive Hijacking
  - Active: attacker takes over the session
  - Passive: attacker watches/records all traffic (sniffing)
- Relies on Sequence Prediction

10
- Tools
  - Hunt
- Dangers of hijacking
  - Easy to perform
  - Few countermeasures
  - Information gathering is successful
- Preventing hijacking
  - Encryption: IPSec, SSH, HTTPS, VPNs
  - Minimize remote access
  - Strong Authentication
  - Educated users
  - Variety of usernames and passwords

