General Overview of Attacks Regardless of the motivation, a network security specialist must be aware of the threats and appropriate responses
What is an attack • Any malicious activity directed at a computer system or the services it provides. • Eg: Viruses, use of a system by an unauthorized individual, denial of service, physical attack against computer hardware.
Reasons for attacks 1) Gaining access to the system 2) Simply for the challenge 3) To Collect information 4) Desire to cause damage
Attacks • Criminal Attacks • Publicity Attacks • Logon Abuse • Inappropriate System Use • Network Intrusion
Criminal Attacks • Fraud: Involves money and commerce. • Scams: Selling something of no value and keeping the money. • Destructive Attacks: The work of terrorists, employees bent on revenge, or hackers who have gone over to the wrong side. Eg: the February 2000 distributed denial-of-service attacks on Yahoo, CNN, eBay, Amazon and others. • Intellectual Property Theft: Theft of property that exists in electronic form. Eg: software piracy.
Criminal Attacks Continued… • Identity Theft: Why steal from someone when you can just become that person? • Brand Theft: How do users know which sites are worth visiting and bookmarking? Eg: a mail reading “Please update your Amazon/eBay profile” that links to a look-alike site under the attacker’s control (phishing).
Publicity Attacks • Goal: “How can I get my name in the newspapers?” • Some are motivated by a desire to get the problems fixed by embarrassing the vendor. • The published technique can then be picked up and exploited by criminals. • Damages public confidence in the target. • Eg: Denial-of-service attacks
Different Forms of attacks • Non-Technical Form of Attack: • Social Engineering • Technical Form of Attack: • Implementation Bugs • Abuse of Feature • System Misconfiguration • Masquerading • DoS / DDoS • Session Hijacking
Social Engineering • The attacker uses people skills rather than technical means to obtain private information. Eg: Posing as an administrator on the telephone and convincing an employee to reveal confidential information such as passwords, filenames, or details of the security policy.
Implementation Bugs • Attackers exploit bugs in trusted (often privileged) programs to gain unauthorized access to a computer system. Eg: buffer overflows, race conditions, and mishandled temporary files.
Abuse of Feature • Legitimate actions that, taken to the extreme, lead to system failure. Eg: Opening hundreds of telnet connections to a machine to fill its process table, or filling up a mail spool with junk email.
System Misconfiguration • The attacker gains access because of an error in the configuration of the system. Eg: the default configuration of some systems includes a “guest” account that is not protected with a password.
Masquerading • Sometimes it is possible to fool a system into giving access by misrepresenting oneself. Eg: Sending a TCP packet with a forged source address so that it appears to come from a trusted host. • Caveat: the replies go to the real owner of the spoofed address, so address forgery alone cannot complete a TCP three-way handshake; practical attacks of this kind (such as the 1994 attack on Tsutomu Shimomura’s systems) combined spoofing with TCP sequence-number prediction and a flood that silenced the impersonated host.
Broad Categories of Attacks 1) Denial of service attacks 2) Attacks that give local user super user access. 3) Attacks that give remote user local access 4) Probes (Attempts to probe a system to find potential weaknesses) 5) Physical attack against computer hardware
Denial of Service (DoS) Attacks • An attack in which the attacker makes some computing or memory resource too busy or too full to handle legitimate requests, or otherwise denies legitimate users access to a machine. • Some DoS attacks abuse a perfectly legitimate feature. • Eg: mailbomb (flooding a mailbox), smurf (ICMP echo requests sent to a broadcast address with the victim’s address forged as the source, so every host on that segment replies to the victim)
DoS continued… • Some DoS attacks create malformed packets that confuse the TCP/IP stack of the machine trying to reassemble them. • Eg: teardrop (overlapping IP fragments), ping of death (an ICMP echo whose reassembled size exceeds the 65,535-byte IPv4 limit) • Others take advantage of bugs in a particular network daemon. • Eg: apache2, back, syslogd (attack names as used in the DARPA/MIT Lincoln Laboratory intrusion detection evaluation)
Footprinting • Footprinting is gathering information about networks, specific computers, companies and/or people. • Scour the target’s web site. • Whois lookup on the domain (through a web front end or the whois command at a shell). • Resolve host names to IP addresses (ping or nslookup) to learn which network the target is on. • Search the ARIN database (American Registry for Internet Numbers) to find out who owns that netblock. • Contact the ISP under a pretext (eg: complaining that somebody on their network is sending spam) or start a social engineering attack.
Where to start • Locations • Related Companies • Merger or acquisition news • Phone numbers • Contact names and email addresses • Privacy and security policies indicating the security mechanisms in place • Links to other web servers related to organization
Port Scanning • Stealth (half-open SYN) scans: send only the SYN and answer the SYN/ACK with a RST, so the handshake never completes and the application never logs a connection • Spoofed scans: decoy source addresses mixed in with the real one • TCP SYN, SYN/ACK and FIN scans: probe types distinguished by which flags are set and by how open and closed ports answer • ICMP ping sweep: which hosts are alive • FTP bounce (“TCP ftp proxy”): the scanner connects to a real FTP server and, with the PORT command, asks it to open a data connection to a port on the target; whether the transfer succeeds reveals whether that port is open, and the target sees only the FTP server’s address
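The difference between a full-connect scan and a stealth scan is easiest to see from the target’s side. The following is an added example, not code from the slides or from any of the tools listed: a TCP connect scan against a constructed loopback listener that records every completed connection, the way a daemon’s log would. It assumes only the Python standard library and a usable 127.0.0.1; the port range is chosen around whatever free port the listener gets.

```python
"""TCP connect scan of a port range on the loopback interface.

Added example, not code from the original slides.  It assumes only the
Python standard library and a usable 127.0.0.1; the target service is a
constructed listener that records every completed connection, standing in
for a daemon's log.
"""
import socket
import threading


class LoggingListener:
    """Constructed target: accepts connections on a free loopback port and
    logs each peer address, as a real service's log would."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))          # OS picks a free port
        self.sock.listen(8)
        self.sock.settimeout(0.1)                 # lets _serve poll the stop flag
        self.port = self.sock.getsockname()[1]
        self.connections = []                     # the "log"
        self.running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _accept_one(self):
        conn, peer = self.sock.accept()
        self.connections.append(peer)
        conn.close()

    def _serve(self):
        while self.running:
            try:
                self._accept_one()
            except socket.timeout:
                continue
            except OSError:
                break

    def stop(self):
        self.running = False
        self._thread.join()
        # Drain handshakes the kernel completed while no accept() was pending.
        self.sock.setblocking(False)
        try:
            while True:
                self._accept_one()
        except OSError:                           # BlockingIOError: queue empty
            pass
        self.sock.close()


def connect_scan(host, ports, timeout=0.5):
    """Full-handshake scan.  open: connect() succeeds; closed: the target
    answered RST (connection refused); filtered: no answer before timeout."""
    result = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            result[port] = "open"
        except ConnectionRefusedError:
            result[port] = "closed"
        except OSError:                           # timeout or unreachable
            result[port] = "filtered"
        finally:
            s.close()
    return result


def demo():
    """Scan a small range around the listener's port; return the scanner's
    view and the target's log side by side."""
    target = LoggingListener()
    ports = range(target.port - 2, target.port + 3)
    scan = connect_scan("127.0.0.1", ports)
    target.stop()
    return {"port": target.port, "scan": scan, "logged": target.connections}


if __name__ == "__main__":
    r = demo()
    for port, state in sorted(r["scan"].items()):
        print(f"{port}: {state}")
    print("target logged connections from:", r["logged"])
```

The listener’s log is the point: because connect() completes the three-way handshake, the service accepts the connection and can record the scanner’s address. A SYN scan sends only the SYN and resets on the SYN/ACK, so the application never sees it; crafting that SYN needs raw sockets, which is why SYN scanners require root.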
Scanning Tools • hping • Legion • Nessus • Nmap • SAINT • SATAN • Tcpview • Snort • Note: TCPView only lists a host’s own open sockets and Snort is a network intrusion detection system; they are useful for seeing scans, not for running them.
User to Root Attacks • The attacker starts out with access to a normal user account on the system (perhaps obtained by sniffing passwords, a dictionary attack, or social engineering) and exploits some vulnerability to gain root access. • The most common attacks are: • Buffer overflow attacks (eg: eject, ffbconfig) • Poor environment sanitization (eg: loadmodule, perl) • Poor temporary file management • Lack of chroot in vulnerable system services
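Poor temporary file management (listed above and under implementation bugs) is worth seeing concretely. The following is an added example, not code from the slides: a privileged program that writes to a guessable name in a shared directory, the symlink a local user plants there, and two hardened versions beside it. It assumes a POSIX system (os.symlink, O_NOFOLLOW) and plays the race out inside a scratch directory instead of /tmp; the victim file, its contents and the pid are constructed.

```python
"""Predictable temp-file handling beside the hardened form.

Added example, not code from the slides.  It assumes a POSIX system
(os.symlink, O_NOFOLLOW) and plays the race out inside a scratch
directory instead of /tmp; the file names and pid are constructed.
"""
import os
import tempfile


def vulnerable_write(scratch, pid, data):
    """Privileged program writing a report to a guessable name.  O_CREAT
    without O_EXCL follows whatever already exists at that path, so a
    symlink planted by a local user redirects the write."""
    path = os.path.join(scratch, f"report.{pid}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def hardened_write_fixed_name(scratch, pid, data):
    """Same fixed name, but O_EXCL makes open() fail if anything is already
    there (a symlink included) and O_NOFOLLOW refuses symlinks outright."""
    path = os.path.join(scratch, f"report.{pid}")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)          # EEXIST on a planted link
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def hardened_write_random_name(scratch, data):
    """Preferred form: unpredictable name created atomically with O_EXCL by
    mkstemp, so there is no name for the attacker to plant in advance."""
    fd, path = tempfile.mkstemp(prefix="report.", dir=scratch)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def simulate(scratch):
    """Play the attack against all three versions and report what happened."""
    # Constructed victim standing in for /etc/passwd (attacker cannot write it).
    victim = os.path.join(scratch, "passwd")
    original = "root:x:0:0:root:/root:/bin/sh\n"
    with open(victim, "w") as f:
        f.write(original)

    pid = 4242                                # attacker guessed or observed the pid
    os.symlink(victim, os.path.join(scratch, f"report.{pid}"))

    # 1. Vulnerable program follows the link: victim is truncated and rewritten.
    vulnerable_write(scratch, pid, "status=ok\n")
    with open(victim) as f:
        after_vulnerable = f.read()

    # 2. Hardened fixed-name version against the same planted link.
    blocked = False
    try:
        hardened_write_fixed_name(scratch, pid, "status=ok\n")
    except OSError:                           # FileExistsError (EEXIST) on Linux
        blocked = True

    # 3. Random-name version: nothing to plant; result is a fresh regular file.
    rand_path = hardened_write_random_name(scratch, "status=ok\n")
    rand_is_regular = os.path.isfile(rand_path) and not os.path.islink(rand_path)

    return {
        "victim_clobbered": after_vulnerable != original,
        "victim_contents": after_vulnerable,
        "fixed_name_blocked": blocked,
        "random_name_regular": rand_is_regular,
    }


def run():
    with tempfile.TemporaryDirectory() as scratch:
        return simulate(scratch)


if __name__ == "__main__":
    print(run())
```

The attacker never controls what the privileged program writes; the gain is that a file they could not otherwise touch is truncated and overwritten with the program’s output, which is enough to lock everyone out of a system file or, with a more cooperative target program, to plant chosen content. O_EXCL alone closes the window because the kernel refuses to create over an existing name, symlink or not; mkstemp adds an unguessable name so there is nothing to race against.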
Remote to User Attacks • An attacker who can send packets to a machine over a network, but who has no account on that machine, exploits some vulnerability to gain local access as a user of that machine. • Some of these attacks exploit buffer overflows in network server software.
Remote to User Attacks • The most common attacks are: • Abuse of feature (eg: dictionary password guessing) • Misconfiguration (eg: ftp-write, guest, xlock) • Bugs (eg: imap, named, phf, sendmail)
Probes • Programs that automatically scan a network of computers to gather information or find known vulnerabilities. • Scanning tools like SATAN, SAINT and mscan enable even a very unskilled attacker to quickly check thousands of machines on a network for known vulnerabilities.
Most Serious Problems pointed out by CERT (2003) • Exploitation of weaknesses in the “cgi-bin/phf” program used on web servers to steal system password files. • Attacks on systems running Linux, including installation of sniffers that steal unencrypted passwords when people log on to the systems. • Denial-of-service attacks were particularly troubling for internet service providers.
Continued… • Script kiddies using widely available hacker kits to attack systems with known vulnerabilities. • Abuse of email, including mail-bombing, forgeries (spoofing), and a large increase in the amount of junk mail. • Viruses and hoaxes about viruses (especially wild claims about dangerous mail)
Problems in ascertaining the threats • An unknown number of crimes of all kinds goes undetected; some are discovered long after they occurred. • Likewise, computer crimes may not be detected by the victims. One estimate is that only 1/10th of all such crimes are detected. • Some detected crimes go unreported. One estimate is that only 1/10th of the detected crimes are reported.
Precautions against attacks • Intrusion detection systems: • 1) Those that detect attacks in real time and can be used to stop an attack in progress. • 2) Those that provide after-the-fact information about attacks, which can be used to repair damage, understand the attack mechanism, and reduce the chance that future attacks of the same type succeed.
Intrusion Detection Systems • An intrusion detection system should be designed to handle every level of attacker sophistication, from a novice cracker to an experienced one who knows about intrusion detection systems and takes steps to avoid being caught.
Sources of data for an IDS • Traffic sent over the network • System-level audit data • Information about file system state • Other sources, such as real-time process lists, log files and processor load, exist but are used less often.
Traffic sent over the network • On a shared (hub or coaxial) Ethernet segment every frame is visible to every machine on the segment, so one machine connected to that segment can monitor traffic for all hosts on it. • Caveat: a switched Ethernet delivers unicast frames only to the destination port; there, a network sensor needs a mirror (SPAN) port or a tap to see the traffic.
System Level Audit Data • Most operating systems offer some level of auditing of operating system events. • Eg: Logging failed login attempts, logging every system call.
Information about file system state • An intrusion detection system that examines file system data can alert an administrator whenever a system binary (such as the ps, login, or ls program) is modified. Since normal users have no legitimate reason to alter these files, a change to a system binary indicates that the system has been compromised. • The comparison must be made against a baseline (hashes, sizes, permissions) kept where the attacker cannot rewrite it, and timestamps alone are not enough, since an attacker with root can reset them.
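As an added example (not code from the slides or from any integrity checker), here is a minimal Tripwire-style check in Python over constructed stand-in binaries: take a baseline of hash, size, mode and mtime; let an “attacker” trojan ps and reset its mtime, delete login and drop a new file; then diff. The file names, contents and the attacker’s edits are made up, and the check uses only the standard library.

```python
"""File integrity check: baseline snapshot vs. current state.

Added example, not code from the slides or from any real integrity
checker.  The 'system binaries' are constructed files in a temporary
directory and the attacker's modifications are scripted.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """relative path -> guarded attributes for every regular file under root.
    The hash is authoritative; size, mode and mtime are cheap extra signals."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            st = os.lstat(full)
            state[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
                "mtime_ns": st.st_mtime_ns,
            }
    return state


def compare(baseline, current):
    """Report which files changed (and in which fields), vanished, or appeared."""
    report = {"modified": [], "missing": [], "added": []}
    for rel, attrs in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        else:
            changed = sorted(k for k in attrs if attrs[k] != current[rel][k])
            if changed:
                report["modified"].append((rel, changed))
    report["added"] = [rel for rel in current if rel not in baseline]
    for key in report:
        report[key].sort()
    return report


def demo():
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        for name in ("ls", "ps", "login"):          # constructed stand-ins
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(b"\x7fELF original " + name.encode())
        baseline = snapshot(root)                    # taken while the host is known good

        # Attacker trojans ps to hide processes, then puts the mtime back so
        # 'ls -l' shows nothing unusual.
        ps = os.path.join(bin_dir, "ps")
        st = os.stat(ps)
        with open(ps, "ab") as f:
            f.write(b" + hide attacker pids")
        os.utime(ps, ns=(st.st_atime_ns, st.st_mtime_ns))
        os.remove(os.path.join(bin_dir, "login"))    # replaced by nothing (or a trojan elsewhere)
        with open(os.path.join(bin_dir, "rootkit"), "wb") as f:
            f.write(b"\x7fELF backdoor")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The report for ps lists sha256 and size but not mtime_ns, which is exactly why the hash is the authoritative field: the restored timestamp fools a glance at the directory listing but not the content hash. In production the baseline file and the checker itself must live on read-only or offline storage; a root-level intruder who can edit both has defeated the check.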
Strategies for Intrusion Detection • Signature Verification • Anomaly Detection • Specification Based Intrusion Systems • Bottleneck verification
Signature Verification example • An oversized ping (an ICMP echo whose reassembled length exceeds the 65,535-byte IPv4 maximum, roughly 64 kilobytes) could crash or reboot many older systems. A signature verification system looking for this “ping of death” denial-of-service attack would have a simple rule that says “any ping packet of length greater than 64 kilobytes is an attack.”
Signature Verification • Advantages: • Rules can be devised to detect attempts to exploit many known vulnerabilities • One sniffer can monitor many workstations • The computation required to reconstruct network sessions and search for keywords is not excessive
Signature Verification • Drawbacks: • Rules are difficult to establish and must be maintained as new attacks appear • False alarm rates can be high when rules are loosely written • Cannot identify novel types of attack
Anomaly Detection • These systems track the typical behavior of a system and issue a warning when they observe actions that deviate significantly from that model. • Statistical models of user, system, or network activity are built from typical behavior during an initial training phase. After training, significant deviations are detected and flagged as attacks. Eg: NIDES (Next-generation Intrusion Detection Expert System) by SRI International.
Anomaly Detection • Frequently suggested as the approach for detecting novel attacks. • Requires substantial computation and memory. • High false alarm rates. • Cannot detect an attacker whose activity stays within the modelled behaviour of a legitimate user or of the system, and the model is skewed if attack traffic is present during training.
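The two strategies above behave very differently on the same traffic, so here is one added example (not code from the slides or from NIDES) that runs both over constructed packet records: the signature rule for the ping of death, implemented by reassembling fragment lengths rather than trusting a single packet’s length field, and a training-then-detection anomaly model of per-source packet rate. The records, the 60-second window, the k = 3 threshold and the minimum standard deviation are assumptions made for the example.

```python
"""Two IDS strategies over constructed packet records: a signature rule for
the ping of death (an ICMP datagram that would reassemble to more than the
IPv4 maximum) and a statistical anomaly model of per-source packet rate.
Added example, not code from the slides or from NIDES; the packet records,
the 60-second window and the k=3 threshold are constructed assumptions."""
import statistics
from collections import defaultdict

IPV4_MAX_LEN = 65535   # largest value an IPv4 total-length field can hold
ICMP = 1
WINDOW = 60            # seconds per rate window (assumed)


def reassembled_lengths(packets):
    """Length each datagram (src, dst, ip_id) would have after reassembly:
    the farthest fragment end, fragment offsets being in 8-byte units."""
    ends = defaultdict(int)
    for p in packets:
        key = (p["src"], p["dst"], p["ip_id"])
        ends[key] = max(ends[key], p["frag_offset"] * 8 + p["payload_len"])
    return ends


def signature_ping_of_death(packets):
    """The slide's rule: an ICMP datagram longer than 65535 bytes is an attack."""
    icmp = [p for p in packets if p["proto"] == ICMP]
    return sorted(k for k, n in reassembled_lengths(icmp).items() if n > IPV4_MAX_LEN)


def counts_per_window(packets, window):
    counts = defaultdict(lambda: defaultdict(int))
    for p in packets:
        counts[p["src"]][p["ts"] // window] += 1
    return counts


def train_rate_model(packets, window):
    """Training phase: per-source mean and standard deviation of packets per window."""
    return {src: (statistics.fmean(c.values()), statistics.pstdev(c.values()))
            for src, c in counts_per_window(packets, window).items()}


def anomaly_detect(model, packets, window, k=3.0, min_sd=1.0):
    """Detection phase: flag counts above mean + k*sd and sources never seen
    in training.  min_sd (assumed) keeps a perfectly regular source from
    alerting on a deviation of a single packet."""
    alerts = []
    for src, per_window in counts_per_window(packets, window).items():
        for w, n in sorted(per_window.items()):
            if src not in model:
                alerts.append((src, w, n, "source not seen in training"))
                continue
            mean, sd = model[src]
            limit = mean + k * max(sd, min_sd)
            if n > limit:
                alerts.append((src, w, n, f"{n} packets > limit {limit:.1f}"))
    return alerts


def pkts(src, dst, n, t0, step=1, proto=6, ip_id=0, frag_offset=0, payload_len=40):
    """Constructed records: n packets from src, `step` seconds apart from t0."""
    return [{"src": src, "dst": dst, "ts": t0 + i * step, "proto": proto, "ip_id": ip_id,
             "frag_offset": frag_offset, "payload_len": payload_len} for i in range(n)]


# Training capture (constructed): five minutes of ordinary traffic from two hosts.
TRAINING = []
for w, n in enumerate([9, 10, 11, 10, 10]):
    TRAINING += pkts("10.0.0.5", "10.0.0.1", n, w * WINDOW)
for w in range(5):
    TRAINING += pkts("10.0.0.9", "10.0.0.1", 2, w * WINDOW)

# Detection capture (constructed): one window with a normal host, a burst from
# a usually quiet host, a never-seen host, a normal ping and a ping of death.
DETECTION = (
    pkts("10.0.0.5", "10.0.0.1", 10, 0)
    + pkts("10.0.0.9", "10.0.0.1", 300, 0, step=0)
    + pkts("192.0.2.77", "10.0.0.1", 1, 5)
    + pkts("10.0.0.5", "10.0.0.1", 1, 30, proto=ICMP, ip_id=11, payload_len=64)
    + pkts("10.0.0.9", "10.0.0.1", 1, 31, proto=ICMP, ip_id=7, payload_len=1480)
    + pkts("10.0.0.9", "10.0.0.1", 1, 32, proto=ICMP, ip_id=7, frag_offset=8185, payload_len=100)
)


def run_signature():
    return signature_ping_of_death(DETECTION)


def run_anomaly():
    return anomaly_detect(train_rate_model(TRAINING, WINDOW), DETECTION, WINDOW)


if __name__ == "__main__":
    print("signature hits:", run_signature())
    for alert in run_anomaly():
        print("anomaly:", alert)
```

The signature rule fires only on the datagram whose fragments reassemble past 65,535 bytes (offset 8185 × 8 + 100), and says nothing about the flood. The anomaly model catches the flood from 10.0.0.9 without any rule for it, but also raises an alert for 192.0.2.77 merely because it was absent during training, which is the false-alarm cost the slide refers to.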
Specification Based Intrusion Systems • This approach detects attacks that make improper use of system or application programs, by comparing observed behaviour against a specification of what the program is allowed to do. • Results in far lower false alarm rates. • Detects a wide range of new attacks, including many forms of malicious code such as Trojan horses and viruses, attacks that exploit race conditions, and attacks that exploit improperly synchronized distributed programs.
Bottleneck verification • This approach applies where there are only a few, well-defined ways to transition between two groups of states. • Eg: The transition between a normal user and the superuser within a shell. If an individual is in the normal-user state, the only legitimate way to gain root privileges is to run the su command and enter the root password. • Thus, if a bottleneck verification system can detect a shell being launched, determine the privileges of the new shell, and check for a preceding successful su, then any root shell that was not preceded by a successful su is evidence of an illegitimate transition to root.
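The check described above reduces to a small state machine over process events. The following is an added example, not code from the slides: a monitor fed a constructed stream of exec and authentication records (pid, parent pid, effective uid, program path) that allows root only where it was inherited from a legitimate root ancestor or granted by a gateway program (su, sudo, login) that logged a successful authentication. The event format, the gateway and shell path lists and the pids are assumptions; a real deployment would take the same fields from the kernel audit subsystem.

```python
"""Bottleneck verification over a constructed process-audit stream: the
only legitimate path from a user shell to a root shell is a gateway
program (su, sudo, login) that recorded a successful authentication.

Added example, not code from the slides.  The event format, the gateway
and shell path lists, and the pids are constructed assumptions.
"""
GATEWAYS = {"/bin/su", "/usr/bin/sudo", "/bin/login"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/ksh", "/bin/csh"}


class BottleneckMonitor:
    def __init__(self):
        self.procs = {}      # pid -> {ppid, euid, exe, legit_root, authed}
        self.alerts = []     # (pid, exe, parent exe, reason)

    def feed(self, ev):
        if ev["type"] == "exec":
            self._exec(ev)
        elif ev["type"] == "auth" and ev["pid"] in self.procs:
            self.procs[ev["pid"]]["authed"] = ev["result"] == "success"

    def _exec(self, ev):
        parent = self.procs.get(ev["ppid"])
        is_root = ev["euid"] == 0
        # Root is legitimate only if inherited from a legitimate root ancestor
        # or granted by a gateway that has already authenticated the user.
        legit = is_root and (
            parent is None                                    # init / boot
            or parent["legit_root"]
            or (parent["exe"] in GATEWAYS and parent["authed"])
        )
        self.procs[ev["pid"]] = {"ppid": ev["ppid"], "euid": ev["euid"],
                                 "exe": ev["exe"], "legit_root": legit,
                                 "authed": False}
        # The monitored event: a shell starting with root privilege.
        if is_root and ev["exe"] in SHELLS and not legit:
            via = parent["exe"] if parent else "?"
            if parent and parent["exe"] in GATEWAYS:
                reason = "root shell from gateway without successful auth"
            else:
                reason = "root shell reached outside the su bottleneck"
            self.alerts.append((ev["pid"], ev["exe"], via, reason))


def run(events):
    mon = BottleneckMonitor()
    for ev in events:
        mon.feed(ev)
    return mon.alerts


def ex(pid, ppid, euid, exe):
    return {"type": "exec", "pid": pid, "ppid": ppid, "euid": euid, "exe": exe}


def auth(pid, result):
    return {"type": "auth", "pid": pid, "result": result}


# Constructed audit trail.
EVENTS = [
    ex(100, 1, 0, "/bin/login"),          # login runs as root
    ex(101, 100, 1000, "/bin/bash"),      # alice's shell (uid 1000)
    ex(102, 101, 0, "/bin/su"),           # setuid-root gateway
    auth(102, "success"),
    ex(103, 102, 0, "/bin/bash"),         # legitimate root shell
    ex(104, 101, 0, "/usr/bin/eject"),    # setuid helper, not a gateway
    ex(105, 104, 0, "/bin/sh"),           # shell from an overflowed eject: alert
    ex(106, 101, 0, "/bin/su"),
    auth(106, "failure"),
    ex(107, 106, 0, "/bin/sh"),           # root shell after a failed su: alert
    ex(108, 103, 0, "/bin/sh"),           # subshell of the legitimate root shell: fine
]


if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

Only two events need inspection, which is what makes the approach cheap: a root shell, and the state of its parent. The root shell spawned by the overflowed setuid eject binary is flagged because eject is not a gateway, and the shell spawned by su after a failed password is flagged because the gateway never recorded success. The limits are the same as for any host-based monitor: an attacker who subverts the kernel or the audit path produces no events to check.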