
Session 1 Framework


Presentation Transcript


  1. Session 1 Framework • Security Threat • Responsibility and Policy • Architecture • Response Flow • Preparation

  2. Emergency Response, Yan Wang, 2006.09

  3. Agenda • Framework & Technology • Security Monitoring • Response Measure • Case Study & Discussion

  4. Security Threat • Threat Evolution and Trends • Threat Categories • Attack Fundamentals

  5. Evolution of Availability Threats

  6. Exploit Trends

  7. Three Key Threat Categories
  • Reconnaissance: unauthorized discovery and mapping of systems, services, or vulnerabilities
  • Access: unauthorized data manipulation, system access, or privilege escalation
  • Denial of Service: disable or corrupt networks, systems, or services

  8. How do these impact ISPs?
  • Reconnaissance: happens all the time. It is part of the “attack noise” of the Internet (along with low-level attacks and backscatter).
  • Access: break-ins on the edge of an ISP’s network (i.e. customer CPE equipment) can impact the ISP’s core.
  • DoS: the core threat to an ISP, knocking out customers, infrastructure, and services.

  9. Reconnaissance Methods
  • Common commands and administrative utilities: nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl
  • Public tools: sniffers, SATAN, SAINT, NMAP, custom scripts

  10. Network Sniffer

  11. nmap

  12. nmap

  13. Why Do We Care?

  14. Why Do We Care?

  15. Access Methods

  16. Access Methods (cont.)

  17. Denial of Service Methods
  • Resource overload: disk space, bandwidth, buffers, ... (ping floods, SYN flood, UDP bombs, ...)
  • Software bugs: out-of-band data crash (Ping of Death, fragmentation, ...)
  • Toolkits: TRINOO, Tribal Flood Net and friends
  • Distributed attacks for amplification

  18. DoS

  19. DoS Types
  • Resource overload: disk space, bandwidth, buffers, ... (ping floods, SYN flood, UDP bombs, ...)
  • Out-of-band data crash: Ping of Death, ...
  • Routing capacity: fill up packet buffers, queues, flow tables, and processing capabilities.
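The "resource overload" DoS type on slides 17 and 19 names the SYN flood; as an added example (not from the presentation), the Python below counts half-open TCP flows per service over a constructed packet list and flags a service where most client SYNs never complete the handshake. The record layout, tcpdump-style flag letters and the thresholds are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample records, not captured traffic: (src_ip, dst_ip, service_port, tcp_flags).
# Flag letters follow tcpdump: "S" = SYN, "SA" = SYN-ACK, "A" = ACK.
# One legitimate client completes its handshake; twenty sources send a bare SYN and vanish.
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", 80, "S"),
    ("192.0.2.10", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "192.0.2.10", 80, "A"),
] + [(f"198.51.100.{i}", "192.0.2.10", 80, "S") for i in range(1, 21)]


def half_open_report(packets, min_half_open=10, min_ratio=0.8):
    """Per (dst_ip, port): SYN count, half-open count, distinct sources and a 'suspect' flag.

    A flow is keyed by (src, dst, port), so SYN retransmits from one source collapse
    into a single half-open entry; a flood from many (often spoofed) sources does not.
    """
    flows = {}  # (src, dst, port) -> "syn" or "established"
    for src, dst, port, flags in packets:
        if "S" in flags and "A" in flags:
            continue  # server's SYN-ACK is not a client-side handshake step
        key = (src, dst, port)
        if "S" in flags:
            flows.setdefault(key, "syn")
        elif "A" in flags and flows.get(key) == "syn":
            flows[key] = "established"  # third handshake packet seen

    per_service = defaultdict(lambda: {"syns": 0, "established": 0, "sources": set()})
    for (src, dst, port), state in flows.items():
        entry = per_service[(dst, port)]
        entry["syns"] += 1
        entry["sources"].add(src)
        if state == "established":
            entry["established"] += 1

    result = {}
    for service, entry in per_service.items():
        half_open = entry["syns"] - entry["established"]
        result[service] = {
            "syns": entry["syns"],
            "half_open": half_open,
            "distinct_sources": len(entry["sources"]),
            # many half-open flows AND a high half-open ratio: looks like a SYN flood
            "suspect": half_open >= min_half_open and half_open / entry["syns"] >= min_ratio,
        }
    return result
```

Real deployments would window the counts in time and clear entries on RST/FIN; this keeps only the core half-open bookkeeping.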

  20. DoS Sequence

  21. DDoS

  22. DDoS Step 1: Crack Handlers and Agents

  23. DDoS Step 2: Install Trojan & Covert Communication Channel

  24. DDoS Step 3: Launch the Attack

  25. DDoS Attack Characteristics
  • DDoS arrays (handlers and agents) are maintenance intensive; they take time and effort to create.
  • Launching an attack from an agent can be considered a one-shot weapon: once the attack is launched, there is a risk of traceback. If someone traces back to the agent, they can watch and wait to see whether the perpetrator returns to it.

  26. Attack Fundamentals

  27. Address Resolution Protocol (ARP)

  28. ARP Datagram

  29. Internet Protocol

  30. IP Header

  31. Internet Control Message Protocol (ICMP)

  32. User Datagram Protocol (UDP)

  33. Transport Control Protocol

  34. TCP Header

  35. TCP Establishment and Termination

  36. Packet Spoofing

  37. IP Spoofing

  38. TCP Blind Spoofing

  39. TCP Blind Spoofing (cont.)

  40. ARP Based Attacks

  41. Gratuitous ARP

  42. Misuse of Gratuitous ARP

  43. A Test in the Lab

  44. A Collection of Tools to Do:

  45. ARP Spoof in Action

  46. More on ARP Spoof

  47. Selective Sniffing

  48. SSL/SSH Interception

  49. SSL/SSH Interception

  50. SSL/SSH Interception
