
Review Exam 2 Spring 2014. Targeted Break-in, DoS, & Malware attacks (I)


1 Review Exam 2 Spring 2014

2 Targeted Break-in, DoS, & Malware attacks (I)

3 Unobtrusive Information Collection
- Sending packets into a network is "noisy"
- Need to do unobtrusive info gathering first, by:
  - Visiting the target corporate website for employees' names and emails; officers' names and organizational structure, etc.
  - Reading the trade press (often online and searchable) for info about products under development; firms' financial prospects, etc.
  - Searching the U.S. EDGAR* system online for ownership, shareholder information, etc.
  - Searching the Whois database at NetworkSolutions.com/whhois/index.jsp, internic.net/whois.html, etc.
* Electronic Data Gathering, Analysis, and Retrieval

4 Host Scanning
- Objective: identify the IP addresses of active hosts
- Pinging individual hosts
- Ping scanning: pinging a range of IP addresses
  - IP scanning software: fping, gping, Ping Sweep, Pinger
- SYN/ACK scanning: used when the firewall is configured to block pinging from outside

5 Network Scanning
- Objective: understand a network's internal structure, including the location of routers and firewalls
- Also called network mapping
- Main tools used:
  - Tracert (in Windows) or Traceroute (in Linux)
  - Network scanning software, e.g. NetScanner

6 Port Scanning
- Most break-ins exploit specific services/applications

  Service   Default Port
  WWW       80
  FTP       21
  SMTP      25

- Scan the target for open ports:
  - Send SYN segments to a particular port number
  - Observe SYN/ACK or reset (RST) responses

7 Fingerprinting
- Determining the specific software run by the target
- Identify a particular operating system or application program and (if possible) its version
  - For example, Microsoft Windows 2000 Server
  - For example, BSD LINUX 4.2
  - For example, Microsoft IIS 5.0
- Useful because most exploits are specific to particular programs or versions

8 Active vs. Passive Fingerprinting
- Active fingerprinting
  - Send odd messages and observe the replies
  - Different operating systems and application programs respond differently
  - Active fingerprinting may set off alarms
  - Attackers usually keep the rate of attack messages below the IDS's volume thresholds
- Passive fingerprinting
  - Read the headers (IP-H, TCP-H, etc.) of normal response messages
  - e.g. Windows 2000 uses TTL = 128 and Window Size = 18000
  - Passive fingerprinting is difficult because the admin could change the default values
- Header fields shown on the slide: Time To Live (8 bits); Protocol (8 bits): 1 = ICMP, 6 = TCP, 17 = UDP; Window Size (16 bits)

9 Fingerprinting by Reading Banners
- Many programs have preset banners used when initiating communications
- Using telnet or FTP to connect to a server could display the banner

10 Summary Questions 1 (cont.)
In preparing his attack, the attacker sent normal HTTP requests to a web server. Then he spent some time analyzing the protocol-related information in the responses received from the web server in order to determine what software is installed on the web server. Which of the following did the attacker do?
a) Active learning
b) Network scanning
c) Passive fingerprinting
d) None of the above

11 Password Guessing
- Brute force: generating possible password combinations by changing one character at a time
  - If the password is 4 decimal digits: start with 0000; next try 0001; then 0002; etc.
  - How many possible combinations? ___________
  - If the password is 6 alphabetical characters, how many possible combinations? _____________
- Brute force password cracking software is available

12 Summary Questions 2 (cont.)
Assume that a password is 2 decimal digits long. What is the maximum number of passwords that an attacker would have to try in order to crack the password?
a) 4
b) 67108864
c) 1024
d) None of the above
How much time (in minutes) will it take to crack the password if it requires 1.2 seconds to try each password? Answer: a maximum of ______ minutes.

13 Targeted Break-in, DoS, & Malware attacks (II)

14 TCP Opening and DoS
- For each TCP connection request (SYN), the server has to:
  - Respond to the request (SYN/ACK)
  - Set resources aside in order to respond to each data request
- Diagram: Computers 1, 2 and 3 each complete a SYN, SYN/ACK, ACK handshake with the server, which is then "waiting for request" from each of them

15 Denial of Service (DoS)
- What resources would the web server use to respond to each of the HTTP requests it receives?
- What could be the consequences of the web server being invaded by too many requests from the attacker?
- Diagram: Attacker's Home Network

16 Denial of Service (DoS) Attack
- An attack that makes a computer's resources unavailable to legitimate users
- Types of DoS attacks:
  - Single-message DoS
  - Flooding DoS
  - Distributed DoS

17 Single-message DoS Attacks
- The first kind of DoS attacks to appear
- Exploit weaknesses in the coding of operating systems and network applications
- Three main single-message DoS attacks:
  - Ping-of-Death
  - Teardrop
  - LAND attack

18 Ping of Death Attacks
- Take advantage of:
  - The fact that TCP/IP allows large packets to be fragmented
  - Some network applications' and operating systems' inability to handle packets larger than 65536 bytes
- The attacker sends IP packets that are larger than 65,536 bytes through IP fragmentation
- Ping of Death attacks are rare today, as most operating systems have been fixed to prevent this type of attack
- Example of PoD code and vulnerable operating systems: http://insecure.org/sploits/ping-o-death.html
- Fix: add checks in the reassembly process or in the firewall to protect hosts whose bug is not fixed
  - Check: the sum of the Total Length fields of the fragments of one IP packet is < 65536 bytes
- IP header fields shown: Total Length (16 bits), Flags, Fragment Offset (13 bits)
  - Fragment Offset: identifies where this fragment belongs in the original packet
  - Flags: indicate whether the packet may be fragmented or not

19 Teardrop Attacks
- Take advantage of IP fragmentation
- The attacker sends a pretend fragmented IP packet, but the Fragment Offset values are not consistent
- Earlier operating systems* and poorly coded network applications crash because they are unable to reassemble the packet due to missing fragments
- Diagram: Attacker sends Frag 1, Frag 2, Frag 4 (pretend fragmented IP packet) to the Victim
- IP header fields shown: Total Length (16 bits), Flags, Fragment Offset (13 bits)
* Win 3.1, Win 95, Win NT, and Linux prior to 2.163

20 LAND Attacks
- First appeared in 1997
- The attacker uses IP spoofing, with source and destination addresses both referring to the target itself
- Back then, OSs and routers were not designed to deal with this kind of loopback
- The problem resurfaced more recently with Windows XP and Windows 2003 Server
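The three single-message attacks above are all caught by sanity checks on the IP fragment headers. The following is an added example (not code from the slides) of the reassembly-time or firewall-side checks the Ping-of-Death "Fix" bullet describes, extended to the Teardrop and LAND cases; the fragments, addresses (documentation range 192.0.2.0/24) and helper names are constructed for the example.

```python
# Added example, not from the slides: validating the fragments of one IP
# datagram before reassembly. Field names follow the slides' header layout
# (Total Length, Flags, Fragment Offset); fragments are plain dicts built inline.

MAX_IP_LEN = 65535          # a whole IP datagram cannot exceed this (16-bit Total Length)

def frag(src, dst, offset, length, mf):
    """One fragment: offset is in 8-byte units as in the IP header, length is
    this fragment's payload in bytes, mf is the More Fragments flag."""
    return {"src": src, "dst": dst, "offset": offset, "length": length, "mf": mf}

def check_datagram(fragments):
    """Return (ok, reason) for the fragments of one IP datagram."""
    # LAND: source and destination address refer to the same host
    for f in fragments:
        if f["src"] == f["dst"]:
            return False, "LAND: source address equals destination address"
    frags = sorted(fragments, key=lambda f: f["offset"])
    # Ping of Death: the reassembled datagram would exceed the 16-bit size limit.
    # The slide sums the Total Length fields; checking the highest offset plus
    # that fragment's length is equivalent when the fragments tile correctly and
    # also catches a single oversized trailing fragment arriving on its own.
    last = frags[-1]
    total = last["offset"] * 8 + last["length"]
    if total > MAX_IP_LEN:
        return False, f"Ping of Death: reassembled size {total} > {MAX_IP_LEN}"
    # Teardrop: the offsets must tile the datagram with no gap and no overlap
    expected = 0
    for f in frags:
        start = f["offset"] * 8
        if start != expected:
            kind = "overlap" if start < expected else "gap"
            return False, f"Teardrop: fragment {kind} at byte {start}"
        expected = start + f["length"]
    if last["mf"]:
        return False, "incomplete: last fragment still has More Fragments set"
    return True, "ok"

# Constructed sample datagrams (192.0.2.0/24 is a documentation address range).
ATTACKER, VICTIM = "192.0.2.66", "192.0.2.10"
SAMPLES = {
    # normal 3160-byte ping split over three fragments
    "normal": [frag(ATTACKER, VICTIM, 0, 1480, 1),
               frag(ATTACKER, VICTIM, 185, 1480, 1),
               frag(ATTACKER, VICTIM, 370, 200, 0)],
    # last fragment placed so the datagram would reassemble to 65552 bytes
    "ping_of_death": [frag(ATTACKER, VICTIM, 0, 1480, 1),
                      frag(ATTACKER, VICTIM, 8189, 40, 0)],
    # Frag 1, Frag 2, Frag 4: the third fragment is missing (as on slide 19)
    "teardrop_missing": [frag(ATTACKER, VICTIM, 0, 1480, 1),
                         frag(ATTACKER, VICTIM, 185, 1480, 1),
                         frag(ATTACKER, VICTIM, 555, 100, 0)],
    # second fragment claims to start inside the first one
    "teardrop_overlap": [frag(ATTACKER, VICTIM, 0, 1480, 1),
                         frag(ATTACKER, VICTIM, 100, 1480, 0)],
    # source address spoofed to the victim's own address
    "land": [frag(VICTIM, VICTIM, 0, 40, 0)],
}

def classify_all():
    """Run every sample through the checks; returns {name: (ok, reason)}."""
    return {name: check_datagram(frags) for name, frags in SAMPLES.items()}

if __name__ == "__main__":
    for name, (ok, reason) in classify_all().items():
        print(f"{name:17s} {'PASS' if ok else 'DROP'}  {reason}")
```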

21 Summary Questions 1
Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability?
Which of the following DoS attacks takes advantage of IP fragmentation?
a) LAND attack
b) Teardrop
c) Ping of Death
d) None of the above
In which of the following DoS attacks does the attacker make use of IP spoofing?
a) LAND attack
b) Teardrop
c) Ping of Death
d) None of the above

22 Flooding DoS Attacks
- Flood a target with a series of messages in an attempt to make it crash
- Main types of flooding DoS attacks:
  - Flooding with regular requests
  - SYN flooding
  - Smurf flooding
  - Distributed DoS

23 SYN Flooding
- The attacker sends a series of TCP SYN opening requests
- For each SYN, the target has to send back a SYN/ACK segment and set aside memory and other resources to respond
- When overwhelmed, the target slows down or even crashes
- SYN flooding takes advantage of the client/server workload asymmetry
- Diagram: Attacker sends SYN after SYN to the Victim

24 Smurf Flooding DoS
- The attacker uses IP spoofing
- The attacker sends ping / echo messages to third-party computers on behalf of the target (i.e. with the target's address as the source)
- All third-party computers respond to the target

25 Distributed DoS (DDoS) Attack
- The attacker hacks into multiple clients and plants handler programs on them; the clients become bots or intermediaries
- The attacker sends attack commands to the handlers, which execute the attacks
- First appeared in 2000 with the Mafiaboy attack against cnn.com, ebay.com, etrade.com, yahoo.com, etc.
- Diagram: Attacker -> Attack Command -> Handler -> Attack Command -> Bots -> DoS Messages -> Server
- Link to how to deal with DDoS (by Cisco)

26 26 Distributed DoS (DDoS) Attack

27 27 Distributed DoS (DDoS) Attack

28 Malware Attacks

29 Malware Attacks
- Types of malware:
  - Viruses
  - Worms
  - Trojan horses
  - Logic bombs

30 Virus
- Code/program (script, macro) that:
  - Attaches to files
  - Spreads by user actions (floppy disk, flash drive, opening an email attachment, IRC, FTP, etc.), not by itself
- Symptoms:
  - Annoying actions when the virus is executed: hogging memory, crashing the system, drives not accessible, antivirus disabled, etc.
  - Destructive actions when executed: deleting files, altering files, etc.

31 Viruses
- Could be:
  - Boot sector viruses: attach themselves to files in the boot sector of the HD
  - File infector viruses: attach themselves to files (i.e. program files and user files)
  - Polymorphic viruses: mutate with every infection (using encryption techniques), making them hard to locate
  - Metamorphic viruses: rewrite themselves completely each time they infect a new executable*
  - Stealth viruses: hide themselves by intercepting the disk access requests of antivirus programs
- Diagram: Request by antivirus -> Stealth -> OS. The stealth virus returns an uninfected version of files to the anti-virus software, so that infected files seem "clean".
* a metamorphic engine is needed

32 Worm
- Does not attach to files
- A self-replicating computer program that propagates across a system
- Uses a host computer's resources and network connections to transfer a copy of itself to another computer
- Harms the host computer by consuming processing time and memory
- Harms the network by consuming bandwidth
- Question: Distinguish between viruses and worms

33 Trojan Horse
- A computer program that appears to be a useful program, like a game, a screen saver, etc., but is really a program designed to damage or take control of the host computer
- When executed, a Trojan horse could:
  - Format disks
  - Delete files
  - Open TCP ports to allow a remote computer to take control of the host computer (back door)
- NetBus and SubSeven used to be attackers' favorite programs for remote control of targets

34 Logic Bomb
- A piece of malicious code intentionally inserted into a software system
- The bomb is set to run when a certain condition is met:
  - Passing of a specified date/time
  - Deletion of a specific record in a database
- Example: a programmer could insert a logic bomb that functions as follows: scan the payroll records each day; if the programmer's name is removed from the payroll, the logic bomb destroys vital files weeks or months after the name removal.

35 35 Firewalls

36 Test Your Firewall Knowledge
Which of the following is true about firewalls?
a) A firewall is a hardware device
b) A firewall is a software program
c) Firewalls could be hardware or software
Which of the following is true about firewalls?
a) They are used to protect a whole network against attacks
b) They are used to protect single computers against attacks
c) Both a and b

37 Test Your Firewall Knowledge (cont.)
Which of the following is true about firewalls?
a) They are configured to monitor inbound traffic and protect against attacks by intruders
b) They are configured to monitor outbound traffic and prevent specific types of messages from leaving the protected network
c) Both a and b

38 Firewall: Definition
- A hardware or software tool used to protect a single host(1) or an entire network(2) by:
  - "Sitting" between a trusted network (or a trusted host) and an untrusted network
  - Applying preconfigured rules and/or traffic knowledge to allow or deny access to incoming and outgoing traffic
(1) Host-based or personal firewall; (2) network-based firewall
- Diagram: Untrusted network -> Network-Based Firewall -> Trusted network, which contains a PC with a Host-based Firewall

39 Questions
What is the main advantage of having a host-based firewall in addition to having a network-based one?
Answer: _________________________________________
What kind of security issue could be associated with having host-based firewalls on users' PCs?
Answer: __________________________________________
(Same diagram as the previous slide: Untrusted network, Network-Based Firewall, Trusted network, PC with Host-based Firewall)

40 Firewall Architecture
- Most firms have multiple firewalls. Their arrangement is called the firm's firewall architecture.
- Diagram components:
  - Internet; Screening Router Firewall; Main Border Firewall
  - Demilitarized Zone (DMZ): Public Webserver 60.47.3.9, SMTP Application Proxy Server 60.47.3.10, HTTP Application Proxy Server 60.47.3.1, External DNS Server 60.47.3.4
  - Internal Firewall; 172.18.9.x subnet
  - Marketing Client on the 172.18.5.x subnet, Accounting Server on the 172.18.7.x subnet, Email Server on the 172.18.6.x subnet, each with a Host Firewall

41 Questions
What is a DMZ?
Which of the following may be placed in a DMZ?
a) An SMTP proxy server
b) A server that contains files available for downloading by employees
c) A File Transfer Protocol server
d) A SQL (Structured Query Language) database server
What IP addresses should a DNS server in the DMZ be able to find?
a) All the company's IP addresses
b) Only the IP addresses of the computers in the internal subnet
c) Only the IP addresses of the computers in the DMZ
You work as the security administrator at King.com. King.com has been receiving a high volume of attacks on the king.com web site. You want to collect information on the attackers so that legal action can be taken. Which of the following can you use to accomplish this?
a) A DMZ (Demilitarized Zone)
b) A honey pot
c) A firewall
d) None of the above

42 Basic Firewall Operation
- Ingress filtering: filtering packets coming from external networks
- Egress filtering: filtering packets leaving to external networks
- Diagram: the Border Firewall sits between the Internet (not trusted) and the Internal Corporate Network (trusted). Attack Packet 1 from the Attacker is dropped on ingress and recorded in the Log File; Legitimate Packet 1 from the Legitimate User is passed on ingress; Legitimate Packet 2 from inside is passed on egress.

43 Types of Firewalls
- Static Packet Filtering Firewalls (1st generation)
  - Inspect TCP, UDP and IP headers to make filtering decisions
  - Do static filtering of individual packets based on a configured ruleset (or Access Control List)
  - Prevent attacks that use IP or port spoofing, etc.
- Stateful Packet Filtering Firewalls (2nd generation)
  - Inspect TCP, UDP and IP headers to make filtering decisions
  - Do stateful filtering by checking the firewall's state table for the relation of packets to packets already filtered
  - If the packet does not match an existing connection, the ruleset (static filtering) is used
  - If the packet matches an existing connection, it is allowed to pass
  - Prevent SYN attacks, teardrops, etc.
- State table shown on the slide:

  Connection     Source IP      Destination IP   State
  Connection 1   123.12.13.4    60.47.3.9:80     TCP opening
  Connection 2   213.14.33.56   60.47.3.9:80     Data transfer
  ...            ...            ...              ...

- Packet layout shown: IP-H | TCP-H / UDP-H | Application Layer Message
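To make the static-versus-stateful distinction concrete, here is an added example (not code from the slides) of a toy stateful packet filter built around the state table above: packets that match a known connection pass, everything else is judged by the static ruleset, and a per-source limit on half-open ("TCP opening") entries illustrates how the state table helps against SYN floods. The web server address 60.47.3.9 and the first client address come from the slide; the other addresses, ports, flag sets, class and function names, and the half-open limit are assumptions made for this example.

```python
# Added example, not from the slides: a toy stateful packet-filtering firewall
# for inbound traffic only. Real firewalls also track the reply direction,
# sequence numbers and timeouts; this keeps just the state shown on the slide.

HALF_OPEN_LIMIT = 3   # max "TCP opening" entries per source IP (assumed policy)

# Static ruleset (ACL) used only for packets that belong to no known connection:
# (destination IP, destination port, exact TCP flag set allowed to open a flow)
STATIC_RULES = [
    ("60.47.3.9", 80, frozenset({"SYN"})),   # outsiders may open HTTP to the web server
]

class StatefulFirewall:
    def __init__(self):
        # (source IP, source port, destination IP, destination port) -> state
        self.state_table = {}
        self.log = []

    def half_open_from(self, src):
        return sum(1 for (s, _, _, _), st in self.state_table.items()
                   if s == src and st == "TCP opening")

    def filter(self, pkt):
        """pkt: dict with src, sport, dst, dport and flags (a set of strings).
        Returns 'pass' or 'drop' for this inbound packet."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flags = frozenset(pkt["flags"])
        if key in self.state_table:                       # known connection
            if flags & {"RST", "FIN"}:
                del self.state_table[key]                 # connection is closing
            elif "ACK" in flags:
                self.state_table[key] = "Data transfer"   # handshake completed
            return self._log("pass", pkt, "matches state table")
        for dst, dport, open_flags in STATIC_RULES:       # unknown: static filtering
            if (pkt["dst"], pkt["dport"], flags) == (dst, dport, open_flags):
                if self.half_open_from(pkt["src"]) >= HALF_OPEN_LIMIT:
                    return self._log("drop", pkt, "too many half-open connections")
                self.state_table[key] = "TCP opening"
                return self._log("pass", pkt, "new connection allowed by ruleset")
        return self._log("drop", pkt, "no matching connection or rule")

    def _log(self, verdict, pkt, why):
        self.log.append((verdict, pkt["src"], pkt["sport"], pkt["dport"], why))
        return verdict

def packet(src, sport, dport, *flags, dst="60.47.3.9"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}

def run_demo():
    """Constructed inbound traffic; returns (verdicts, state table) afterwards."""
    fw = StatefulFirewall()
    traffic = [
        packet("123.12.13.4", 1025, 80, "SYN"),      # slide's Connection 1 opens
        packet("123.12.13.4", 1025, 80, "ACK"),      # ... and completes the handshake
        packet("198.51.100.7", 2000, 80, "ACK"),     # bare ACK with no SYN seen: dropped
        packet("198.51.100.7", 2001, 22, "SYN"),     # SSH is not in the ruleset: dropped
    ]
    # a burst of SYNs from one source, each on a new source port
    traffic += [packet("203.0.113.5", 40000 + i, 80, "SYN") for i in range(4)]
    verdicts = [fw.filter(p) for p in traffic]
    return verdicts, fw.state_table

if __name__ == "__main__":
    verdicts, table = run_demo()
    print(verdicts)
    for key, state in table.items():
        print(key, state)
```

A purely static filter that allows any ACK packet to port 80 would have passed the third packet; the state table rejects it because no SYN was ever seen for that flow.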

44 Types of Firewalls (cont.)
- Application Firewalls (3rd generation)
  - Also called proxy firewalls
  - Inspect the application layer message (e.g. HTTP requests, emails, etc.)
  - Specialized proxy firewalls are more effective than general-purpose ones:
    - HTTP proxy firewalls for HTTP requests
    - SMTP proxy firewalls for SMTP emails
    - FTP proxy firewalls for FTP-based file transfer requests
  - Prevent malware attacks
- Packet layout shown: IP-H | TCP-H / UDP-H | Application Layer Message
- Diagram (HTTP Proxy between Browser and Webserver Application): 1. HTTP Request; 2. Passed inspected HTTP Request; 3. HTTP Response; 4. Passed inspected HTTP Response; the proxy writes to a Log File

45 Types of Firewalls (cont.)
- Network Address Translation (NAT) Firewall
  - Replaces the IP address in outgoing messages by a substitute (spoof) IP address
  - Hides internal hosts' IP addresses from outsiders
  - Helps prevent IP spoofing attacks using internal IP addresses
- Translation table shown on the slide:

  Host IP Address   Outgoing IP Address   Request ID
  135.12.23.12      135.12.20.1           120121
  135.12.22.2       135.12.20.2           120122
  135.12.21.3       135.12.20.3           120123
  ...               ...                   ...

46 Firewall Principles
- Danger of overload
  - If a firewall is overloaded and cannot handle the traffic, it drops unprocessed packets
  - This is the safest choice, because attack packets cannot enter the network
  - However, this creates a self-inflicted denial-of-service attack

47 47 Host Hardening

48 Computer Hardware & Software
- Computer hardware
- Operating system
- Web service software (IIS, Apache, ...)
- Web browser
- Productivity software
- Client & server application programs

49 Your Knowledge about Host Hardening
Which of the following is most likely to make a computer system unable to perform any kind of work or provide any service?
a) Client application programs get hacked
b) Server application programs (web service software, database service, network service, etc.) get hacked
c) The operating system gets hacked
d) The connection to the network/Internet gets shut down

50 OS Market Share
- OS vulnerability test 2010 by omnired.com
- OSs tested: Win XP, Win Server 2003, Win Vista Ultimate, Mac OS Classic, OS X 10.4 Server, OS X 10.4 Tiger, FreeBSD 6.2, Solaris 10, Fedora Core 6, Slackware 11.0, Suse Enterprise 10, Ubuntu 6.10
- Tools used to test vulnerabilities: scanning tools (Track, Nessus), network mapping (Nmap command)
- All hosts with OS installation defaults
- Results:
  - Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities and allow for executing malicious code
  - The UNIX and Linux variants present a much more robust exterior to the outside
  - Once patched, however, both Windows and Apple's OS are secure

51 Your Knowledge about Host Hardening
You performed an out-of-the-box installation of Windows XP and Linux FreeBSD 6.2 on two different computers. Which computer is more likely to be secure?
a) Windows XP
b) Linux FreeBSD 6.2
c) They will have the same level of security
What needs to be done first in order to prevent a hacker from taking over a server with OS installation defaults that has to be connected to the Internet?
a) Lock the server room
b) Configure the firewall to deny all inbound traffic to the server
c) Download and install patches for known vulnerabilities

52 Security Baseline
- Because it's easy to overlook something in the hardening process, businesses need to adopt a standard hardening methodology: a standard security baseline
- Need to have different security baselines for different kinds of host, i.e.:
  - Different security baselines for different OSs and versions
  - Different security baselines for different types of server applications (web service, email service, etc.)
  - Different security baselines for different types of client applications

53 Options for Security Baselines
- An organization could use different standards:
  - OS vendors' baselines and tools, e.g. follow the MS installation procedure and use the Microsoft Baseline Security Analyzer (MBSA)
  - Standards agencies' baselines, e.g. the CobiT* Security Baseline
  - The company's own security baselines
- The security baseline is to be implemented by server administrators, known as systems admins
* Control Objectives for Information and Related Technology

54 Elements of Hardening
- Physical security
- Secure installation and configuration
- Fix known vulnerabilities
- Remove/turn off unnecessary services (applications)
- Harden all remaining applications
- Manage users and groups
- Manage access permissions: for individual files and directories, assign access permissions to specific users and groups
- Back up the server regularly
- Advanced protections
(All of the above according to the baseline)

55 Hardening Servers
- Choose the OS that provides the following:
  - Ability to restrict admin access (Administrator vs. Administrators)
  - Granular control of data access
  - Ability to disable services
  - Ability to control executables
  - Ability to log activities
  - Host-based firewall
  - Support for strong authentication and encryption
- Disable or remove unnecessary services or applications
  - If no longer needed, remove rather than disable, to prevent re-enabling
  - Additional services increase the attack surface
  - More services can increase host load and decrease performance
  - Reducing services reduces logs and makes detection of intrusion easier

56 Hardening Servers (cont.)
- Configure user authentication
  - Remove or disable unnecessary accounts (e.g. the Guest account)
  - Change names and passwords for default accounts
  - Disable inactive accounts
  - Assign rights to groups, not individual users
  - Don't permit shared accounts if possible
  - Configure time sync
  - Enforce an appropriate password policy
  - Use 2-factor authentication when necessary
  - Always use encrypted authentication

57 UNIX / Linux Hardening
- Many versions of UNIX
- No standard guideline for hardening
- The user can select the user interface:
  - Graphical User Interface (GUI)
  - Command-Line Interfaces (CLIs) or shells
- CLIs are case-sensitive, with commands in lowercase except for file names

58 UNIX / Linux Hardening
- Three ways to start services:
  - Start a service manually (a) through the GUI, (b) by typing its name in the CLI, or (c) by executing a batch file that does so
  - Using the inetd program to start services when requests come in from users
  - Using the rc scripts to start services automatically at boot-up
- inetd = Internet daemon, i.e. a computer program that runs in the background

59 UNIX / Linux Hardening
- Starting services upon client requests (inetd):
  - Services not frequently used are dormant
  - Requests do not go directly to the service
  - Requests are sent to the inetd program, which is started at server boot-up
- Diagram: inetd maps Port 23 -> Program A, Port 80 -> Program B, Port 123 -> Program C, Port 1510 -> Program D (configured in /etc/inetd.config). 1. Client request to Port 123; 2. inetd looks up Port 123; 3. finds Program C; 4. starts it and processes this request.

60 UNIX / Linux Hardening
- Turning on/off unnecessary services in UNIX
- Identifying services running at any moment:
  - The ps command (process status), usually with the -aux parameters, lists running programs; it shows the process name and process ID (PID)
  - netstat tells what services are running on what ports
- Turning off services in UNIX:
  - The kill PID command is used to kill a particular process, e.g. kill 47 (if PID = 47)

61 Advanced Server Hardening Techniques
- File integrity checker
  - Creates a snapshot of files: a hashed signature (message digest) for each file
  - After an attack, compares the post-hack signatures with the snapshot
  - This allows the systems administrator to determine which files were changed
  - Tripwire is a file integrity checker for Linux/UNIX, Windows, etc.: www.tripwire.com (ftp://coast.cs.purdue.edu/pub/tools/unix)

62 Advanced Server Hardening Techniques
- Diagram (Tripwire): 1. Earlier time: File 1, File 2, ... other files in the policy list -> File 1 Signature, File 2 Signature, ... (the reference base). 2. After attack: the same files -> post-attack signatures. 3. Comparison to find changed files.
- File integrity problem: many files change for legitimate reasons, so it is difficult to know which ones the attacker changed.
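The two slides above describe the snapshot-and-compare cycle and its main weakness. The following is an added example (not Tripwire's code, nor code from the slides) of a minimal file integrity checker that builds a reference base of SHA-256 digests for a policy list, re-scans after a simulated attack, and then has to separate the one legitimately changed file from the tampered one; the directory tree, file contents and the "expected to change" list are constructed for the example.

```python
# Added example, not from the slides: a minimal Tripwire-style file integrity
# checker. It snapshots a policy list of files (SHA-256 per file), re-scans later
# and reports changed and missing files. Everything runs in a temporary directory.

import hashlib
import os
import shutil
import tempfile

def file_digest(path):
    """Hashed signature (message digest) of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, policy):
    """Reference base: {relative path: digest} for every file in the policy list."""
    return {rel: file_digest(os.path.join(root, rel)) for rel in policy}

def compare(root, policy, reference):
    """Post-attack scan against the reference base; classifies each policy file."""
    report = {"changed": [], "missing": [], "unchanged": []}
    for rel in policy:
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            report["missing"].append(rel)
        elif file_digest(path) != reference[rel]:
            report["changed"].append(rel)
        else:
            report["unchanged"].append(rel)
    return report

def demo():
    """Build a small constructed tree, snapshot it, then simulate one legitimate
    change (a growing log), one tampered binary and one deleted file."""
    root = tempfile.mkdtemp()
    try:
        files = {"bin/login": b"original login binary",      # constructed contents
                 "etc/passwd": b"root:x:0:0",
                 "var/log/syslog": b"boot ok\n"}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        policy = list(files)
        reference = snapshot(root, policy)          # 1. earlier time
        with open(os.path.join(root, "var/log/syslog"), "ab") as f:
            f.write(b"user logged in\n")             # legitimate churn
        with open(os.path.join(root, "bin/login"), "wb") as f:
            f.write(b"replaced login binary")        # attacker's modification
        os.remove(os.path.join(root, "etc/passwd"))  # attacker's deletion
        report = compare(root, policy, reference)    # 2./3. after attack, compare
        # The slide's problem: the admin must know which changes were expected.
        expected_to_change = {"var/log/syslog"}
        report["suspicious"] = [p for p in report["changed"] if p not in expected_to_change]
        return report
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

Without the expected-to-change list the log file would be flagged alongside the tampered binary, which is exactly the noise problem the slide points out.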

