
1 CHAPTER 3 CLASSES OF ATTACK

2 Denial of Service (DoS)
- Takes place when availability of a resource is intentionally blocked or degraded
- Degrading processes or storage capability, destroying files, or shutting down parts of the system or its processes
- Degrading processes by reducing performance through overloading the target system

3 Denial of Service (DoS)
- Degrading processes can also be directed at a network application such as FTP or Simple Mail Transfer Protocol (SMTP), or at a network service such as IP (Internet Protocol) or Internet Control Message Protocol (ICMP)
- Example attacks that degrade processes are snork and chargen
- Both affect Windows NT unless Service Pack 4 or higher is installed

4 Denial of Service (DoS)
- Snork
  – Sends spoofed Remote Procedure Call (RPC) datagrams to User Datagram Protocol (UDP) destination port 135
  – Gives the appearance of an attacked RPC server
  – The RPC server sends bad data to another RPC server, which then replies with a reject packet
  – Creates a loop that is not broken until a packet is dropped
  – Wastes processor resources and network bandwidth

5 Denial of Service (DoS)
- Chargen
  – Works against Windows NT systems that have the Simple TCP/IP Services installed
  – A flood of UDP datagrams is sent from a spoofed source IP address to port 19 (the chargen port) at the subnet broadcast address
  – Affected Windows NT systems respond to each broadcast
  – Creates a flood of UDP datagrams on the network

6 Denial of Service (DoS)
- Smurf
  – Performs a network-level attack against the target host
  – Using a router (the smurf amplifier) and spoofing the source IP address, generates a large amount of ICMP echo traffic
  – Hosts that receive it respond with an echo reply
  – Degrades network service availability

7 Denial of Service (DoS)
- SYN (synchronization)
  – Accomplished by sending Transmission Control Protocol (TCP) connection requests faster than a system can process them
- Storage Capability (Degrading)
  – Uses up all storage resources
  – Example: the Love Letter worm
  – UNIX is also not exempt
  – Destroying files
    » bat, exe, com, dll and sys

8 Denial of Service (DoS)
- Storage Capability (Degrading)
  – Shutdown of the system
    » Ping of death: sending an ICMP echo packet of just over 65535 bytes
    » Default packet size is 64 bytes
  – Latest: Distributed Denial of Service (DDoS)
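Why "just over 65535 bytes" matters: the IP total-length field is 16 bits, so a receiver that reassembles fragments without checking that bound can write past a 64 KiB buffer. The following Python reassembly guard is an added example, not part of the slides; the 20-byte header length and the sample fragment lists are constructed assumptions.

```python
# Added example (not from the slides): an IP fragment reassembly guard that
# rejects any fragment whose data would end past the 65535-byte limit of the
# 16-bit IP total-length field, the bound the ping of death exceeds.
IP_MAX_DATAGRAM = 65535   # largest value the total-length field can hold
IP_HEADER_LEN = 20        # header without options; assumed for this example

def fragment_end(offset_units, payload_len):
    """Byte position (header included) where this fragment's data ends.
    The IP fragment-offset field counts 8-byte units."""
    return IP_HEADER_LEN + offset_units * 8 + payload_len

def reassemble(fragments):
    """fragments: list of (offset_units, more_fragments, payload_bytes).
    Returns (status, length) with status 'ok', 'incomplete' or 'oversized'."""
    buf = {}
    total = None
    for offset_units, more, payload in fragments:
        end = fragment_end(offset_units, len(payload))
        if end > IP_MAX_DATAGRAM:
            # Drop the whole datagram rather than copy past a 64 KiB buffer.
            return ("oversized", end)
        buf[offset_units * 8] = payload
        if not more:
            total = end          # last fragment fixes the datagram length
    if total is None:
        return ("incomplete", 0)
    # Make sure the fragments cover the datagram with no holes.
    pos = 0
    for start in sorted(buf):
        if start != pos:
            return ("incomplete", total)
        pos = start + len(buf[start])
    return ("ok", total)

# Constructed samples: a normal 56-byte ICMP echo (76 bytes with header) and
# 45 fragments whose last piece pushes the datagram to 65540 bytes.
NORMAL_PING = [(0, False, b"\x08\x00" + b"A" * 54)]
POD_FRAGMENTS = [(i * 185, True, b"B" * 1480) for i in range(44)]
POD_FRAGMENTS.append((44 * 185, False, b"B" * 400))

if __name__ == "__main__":
    print(reassemble(NORMAL_PING))    # ('ok', 76)
    print(reassemble(POD_FRAGMENTS))  # ('oversized', 65540)
```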

9 Information Leakage
- Gather as much information from the target as possible
- Use finger or DNS to get information on the layout of the network
- DNS: determine system names and locations
- Advertising the type of search engine or FTP server used helps determine the type of Web server being used
- Occurs in SMTP through the application banner, and in SNMP (Simple Network Management Protocol)

10 File Creation, Reading, Modification, Removal
- The capability exists in NFS (Network File System), in statd
- statd never validates information received from the remote lockd
- statd and lockd are used by NFS to maintain crash and recovery functions for file locking

11 Misinformation
- Log files cannot be trusted

12 Special File / Database Access
- Access to the NT registry can take over the system; this can attack NT systems that use SP1 and SP2
- Databases use standard security; passwords need to be set for all user accounts

13 How To Secure Against These Classes of Attacks
- Use commercial scanning software such as Internet Security Systems (ISS) Internet Scanner or Nessus Security Scanner
  – For scanning only; you still need to fix the problem
- Intrusion Detection System (IDS) such as Network Flight Recorder (NFR)
  – Purpose is to detect and alert on any attacks
  – Cannot prevent or patch them
  – Need to find the patches or report to the organization responsible for creating patches

14 How To Secure Against These Classes of Attacks
- Denial of Service (DoS)
  – Windows NT: close port 139 (NetBIOS Session Service), which is vulnerable to WinNuke, at the router / firewall
  – Cisco routers: SYN floods can be prevented by utilizing features in Internetwork Operating System (IOS) 11.3 and higher
    » Has the TCP Intercept feature

15 How To Secure Against These Classes of Attacks
- Denial of Service (DoS)
  – Smurf
    » Disable IP-directed broadcast at each router
    » If possible, configure the OS not to respond to ICMP packets sent to IP broadcast addresses
  – DDoS
    » Block the default ports used by DDoS tools
  – Traffic flood
    » Need to contact the ISP to prevent it

16 How To Secure Against These Classes of Attacks
- Information Leakage
  – Hide banners, version numbers, OS, etc., that could give an attacker any information
  – Change the fingerprint of your OS
- File Creation, Reading, Modification, Removal
  – Apply all precautions available, including patching known vulnerabilities

17 How To Secure Against These Classes of Attacks
- Misinformation
  – Use Tripwire and keep your system logs on a protected server to prevent them from being tampered with
  – Tripwire creates a database of all files on your system and then compares their integrity the next time Tripwire is run
  – LogCheck is useful for notifying you immediately by e-mail of problems and security violations that appear in your logs

18 How To Secure Against These Classes of Attacks
- Special File / Database Access
  – Protect by blocking ports 135 (Location Service), 137 (NetBIOS Name Service), 138 (NetBIOS Datagram Service) and 139 (NetBIOS Session Service) at the boundary router so an attacker cannot gain access from the Internet
  – To protect from the inside, ensure the winreg key is set in the proper location to limit who has remote access to the Registry

19 End of Chapter 3

