This article provides an overview of various network attack profiles, including Denial-of-Service attacks, Exploitation attacks, Information Gathering attacks, and Disinformation attacks. It discusses examples of each attack category and suggests defense mechanisms to mitigate their impact.
Attack Profiles CS-480b Dick Steflik
Attack Categories
• Denial-of-Service
• Exploitation Attacks
• Information Gathering Attacks
• Disinformation Attacks

Denial of Service Attacks
• Ping of Death
• Teardrop
• UDP Floods
• SYN Floods
• Land Attack
• Smurf Attack
• Fraggle Attack
• E-mail Bombs
• Malformed Message Attacks
Ping of Death
• ICMP Echo request packet that is bigger than the largest allowable
• TCP/IP specification says max should be 65 Kbytes
• Hacker’s goal is to crash the stack by exceeding the max size of the I/O buffer
• Defense: stack must be hardened (all current popular stack implementations take care of this)

Teardrop
• IP implementations that trust fragmentation information in the headers of fragmented IP packets
• if fragments have overlapping offsets, many implementations will crash
• Defenses:
  • apply latest patches
  • configure firewalls to reassemble fragments rather than forwarding them for the endpoint to reassemble

UDP Floods
• Forge a connection to a host running chargen and have it send useless chargen data to the echo server on another host
• makes the 2 services so busy that the host may crash or be too busy to respond to normal traffic
• Defense: configure only services that are absolutely necessary (chargen and echo have no business running on a production server)

SYN Floods
• The goal here is to use up all of the target host’s resources (memory and processes), thereby making it unable to process legitimate traffic
• each time a user sends a SYN the host accepts it and allocates a process and memory
• this gets done over and over until the resources are used up
• Defense: a firewall that can recognize the characteristics of a SYN attack and start rejecting packets

Land Attack
• Hardened stack implementations have made this obsolete
• send a special SYN packet with source and destination address set to the targeted machine’s IP address; this causes the recipient to acknowledge to its own address, and the connection is left open until the OS times it out
• Defense:
  • latest patches
  • configure firewalls to reject inbound packets with internal addresses as the source address

Smurf Attack
• Flood a host with ICMP Echo Requests that have the destination address set to the subnet broadcast address
• Defense:
  • turn off the broadcast addressing feature
  • configure firewall to drop incoming pings

Fraggle Attacks
• A Smurf attack using UDP echo messages rather than ICMP echo requests
• Defense: have the firewall filter out incoming UDP echo requests

E-mail Bombs
• Goal is to use up the mail server’s bandwidth, thus denying mail to all users
• repeatedly send a large e-mail message to the same user
• Defense: configure the mail server to delete excessive and/or duplicate e-mails from the server

Malformed Message Attacks
• Send malformed messages
  • excessively large URLs to web servers
  • send random data to RPC services to try crashing them
  • try buffer overflows by malforming protocol fields
• Defense: keep up to date with vulnerability reports and patches from vendors for OEM products
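The firewall defenses on the Land, Smurf, Fraggle/UDP flood, Ping of Death and Teardrop slides can be expressed as a small inbound packet policy. The following is an added example, not code from the slides; the internal subnet, the port numbers and the sample packets are constructed for illustration, and the packet fields are a simplified view of what a real filter would parse.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed policy values: the internal subnet the external interface protects.
INTERNAL_NET = ip_network("192.0.2.0/24")
BROADCAST = INTERNAL_NET.broadcast_address
MAX_IP_PACKET = 65535      # largest legal IP datagram, in bytes
ECHO_PORT, CHARGEN_PORT = 7, 19


@dataclass
class Packet:
    """Minimal view of one inbound packet: only the header fields the checks use."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    length: int = 64                 # total IP length claimed by the header
    dport: Optional[int] = None      # UDP/TCP destination port
    icmp_type: Optional[int] = None  # 8 = ICMP echo request


def inspect_inbound(pkt: Packet) -> Tuple[str, str]:
    """Return ("drop", reason) or ("accept", "") for a packet seen on the outside."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in INTERNAL_NET:           # Land attack / spoofed internal source
        return "drop", "internal source address on external interface"
    if pkt.length > MAX_IP_PACKET:    # Ping of Death: oversized datagram
        return "drop", "IP length exceeds 65535"
    if pkt.proto == "icmp" and pkt.icmp_type == 8 and dst == BROADCAST:
        return "drop", "echo request to broadcast address"   # Smurf
    if pkt.proto == "udp" and pkt.dport in (ECHO_PORT, CHARGEN_PORT):
        return "drop", "UDP echo/chargen not permitted"       # Fraggle / UDP flood
    return "accept", ""


def fragments_overlap(frags: List[Tuple[int, int]]) -> bool:
    """Teardrop check: True if any two (offset, length) fragment ranges overlap."""
    spans = sorted(frags)
    for (off_a, len_a), (off_b, _) in zip(spans, spans[1:]):
        if off_b < off_a + len_a:
            return True
    return False


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("192.0.2.5", "192.0.2.5", "tcp", dport=80),
        Packet("198.51.100.7", "192.0.2.255", "icmp", icmp_type=8),
        Packet("198.51.100.7", "192.0.2.10", "udp", dport=19),
        Packet("198.51.100.7", "192.0.2.10", "tcp", dport=443),
    ]
    for p in samples:
        print(p.src, "->", p.dst, inspect_inbound(p))
    print("teardrop fragments:", fragments_overlap([(0, 1400), (1200, 600)]))
```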
Exploitation Attacks
• TCP/IP Connection Hijacking
• Layer-2 Connection Hijacking
• Password Guessing
• Trojan Horses
• Buffer Overflows

TCP/IP Connection Hijacking
• TCP uses pseudo-random sequence numbers to order TCP packets so they can be reassembled reliably
• if a hacker can predict the next correct sequence number, he can send a crafted packet that will cause the stream to be hijacked to his address, and the valid packets will end up getting dropped
• Defense:
  • use a stack with an uncompromised pseudo-random number generator (OpenBSD or Linux)
  • use a redirector to reconstruct a stream (redir)

Layer-2 Connection Hijacking
• Exploits the fact that IP broadcasts ARP requests
• Extremely rare, because it requires layer-2 access, except in ISP colocation situations where your machine may be located on the same switch as many other machines
• Defense: use hubs rather than switches, or have the ISP use layer-3 routers rather than layer-2 switches

Password Guessing
• Use strong passwords
• don’t expose exploitable services like telnet, NetBIOS or NFS
• use lockout policies for handling multiple unsuccessful login attempts

Trojan Horses
• Some other exploit installs a program on your computer that opens a back door into the system
• could open up pcAnywhere or VNC to give a remote user full access to your machine
• usually installed from an e-mail attachment
Information Gathering Attacks
• Address Scanning
• Port Scanning
• Inverse Mapping
• Slow Scanning
• Architecture Probes
• DNS Zone Transfers
• Finger
• LDAP
• SNMP

Disinformation Attacks
• DNS Cache Pollution
• Registrar Usurpation
• Forged E-mail