
Chapter 7


Presentation Transcript


  1. Chapter 7 Denial of Service & Session Hijacking

  2. Denial of Service
  • Rendering a system unusable to its legitimate users
  • Consume bandwidth, CPU or disk space
  • Overwhelming amount of spam
  • Perform account lockout of valid users (e.g. by deliberately failing their logins until the account locks)
  • Considered an unsophisticated attack
  • BOTs (zombies) and BOTnets
  • “Botnet of 1,000 bots has larger bandwidth than the Internet connection of most corporate networks.”
  • Oct 21, 2002: 9 of the 13 DNS root servers were rendered unreachable for about an hour by a DDoS flood
  • DoS Tools
  • Ping of Death: fragmented ICMP echo request whose reassembled size exceeds the 65,535-byte IP maximum, overflowing the reassembly buffer
  • Ping Flood: more ICMP echo requests than the target can answer
  • Land attack: spoofed TCP SYN whose source IP and port equal the target’s own IP and port, so the target replies to itself

  3. Distributed Denial of Service
  • Use master/slave (handler/agent) configuration
  • Phase 1, intrusion: compromise many systems and install the agent, turning them into zombies
  • Phase 2, attack: the master triggers the slaves to flood the target simultaneously
  • DDoS Tools
  • Trinoo, Tribal Flood Network (TFN), TFN2K, Stacheldraht
  • Controlling Bots
  • Usually done over IRC: it supports long-lived connections, and one message to a channel reaches every bot at once; early botnets ran it unencrypted, so their commands could be sniffed and studied
  • http://www.pcmag.com/article2/0,2817,2348902,00.asp
  • http://it.slashdot.org/story/11/09/06/1944233/rent-your-own-botnet
  • http://www.inquisitr.com/19880/bbc-shows-what-happens-when-you-buy-a-botnet/

  4. Smurf and SYN Flood Attacks
  • Smurf attack: send many ICMP Echo (ping) requests to a network’s broadcast address with the victim’s address as the spoofed source; every host on that network replies to the victim, amplifying the flood
  • http://www.nordu.net/articles/smurf.html
  • Fraggle attack: the same technique using large amounts of UDP traffic (echo and chargen, ports 7 and 19) instead of ICMP
  • Preventing Smurf and Fraggle Attacks: routers drop directed broadcasts (Cisco IOS: no ip directed-broadcast) and hosts ignore echo requests sent to broadcast addresses
  • http://www.javvin.com/networksecurity/SmurfAttack.html
  • Teardrop attack: send IP fragments with overlapping or over-sized offsets so the target crashes while reassembling them
  • http://www.physnet.uni-hamburg.de/physnet/security/vulnerability/teardrop.html
  • SYN Flood: flood the victim with TCP SYNs (usually from spoofed sources) and never finish the 3-way handshake, so half-open connections fill the listen backlog
  • http://www.tech-mavens.com/synflood.htm

  5. Preventing SYN Flood Attacks
  • SYN Cookies: encode the connection details in the server’s initial sequence number so no resources are allocated until the final ACK of the 3-way handshake arrives carrying a valid cookie
  • RST Cookies: victim deliberately answers with an incorrect SYN+ACK; a genuine client replies with a RST (an error notice), proving it is real, and its next connection attempt is accepted
  • Micro Blocks: allocate a tiny record (tens of bytes) per half-open connection instead of a full connection control block
  • Stack Tweaking: modify the TCP/IP stack, e.g. shorter half-open timeouts, a larger backlog, and dropping the oldest half-open connection when the backlog fills
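To make the SYN-cookie bullet concrete, here is an added example (not from the slides) of a stateless SYN cookie in Python: the server's ISN encodes a time counter, an MSS index and a keyed hash of the connection, and the server stores nothing about the SYN until the final ACK validates. The secret, the MSS table, the 5/3/24-bit layout and the sample addresses are all constructed for this example; the real Linux layout differs in detail.

```python
import hashlib
import hmac
import socket
import struct
import time

# Server-side secret; a real stack rotates it. Constructed for this example.
SERVER_SECRET = b"constructed-demo-secret"

# MSS values the cookie can encode (3-bit index). Constructed table, not Linux's.
MSS_TABLE = [536, 1300, 1440, 1460, 2048, 4096, 8960, 9000]

# Cookie layout used here (a simplified version of the Linux scheme):
#   bits 31..27  5-bit time counter, 64-second granularity
#   bits 26..24  3-bit MSS_TABLE index
#   bits 23..0   24-bit keyed hash of (4-tuple, client ISN, counter)


def _counter(now):
    return int(now // 64) & 0x1F


def _mac(saddr, daddr, sport, dport, counter, client_isn):
    msg = struct.pack("!4s4sHHIB", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, client_isn, counter)
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, now=None):
    """Server ISN for the SYN-ACK. Nothing about this SYN is kept in memory."""
    now = time.time() if now is None else now
    counter = _counter(now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):        # largest table entry <= client's MSS
        if m <= mss:
            mss_idx = i
    mac = _mac(saddr, daddr, sport, dport, counter, client_isn)
    return (counter << 27) | (mss_idx << 24) | mac


def check_syn_cookie(saddr, daddr, sport, dport, seq, ack, now=None):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None if
    the ACK does not carry a cookie this server issued in the last two windows."""
    now = time.time() if now is None else now
    cookie = (ack - 1) & 0xFFFFFFFF          # client acknowledges our ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF      # client's own ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    if ((_counter(now) - counter) & 0x1F) > 1:   # current or previous window only
        return None
    if mac != _mac(saddr, daddr, sport, dport, counter, client_isn):
        return None
    return MSS_TABLE[mss_idx]


def demo():
    t0 = 1_700_000_000.0                     # constructed fixed clock for reproducibility
    flow = ("203.0.113.7", "198.51.100.10", 40000, 80)
    client_isn = 0x12345678
    cookie = make_syn_cookie(*flow, client_isn, 1460, now=t0)
    # Genuine client: it received the SYN-ACK, so it can echo cookie + 1.
    good = check_syn_cookie(*flow, client_isn + 1, cookie + 1, now=t0 + 5)
    # SYN flooder with a spoofed source never saw the SYN-ACK; a guessed ACK fails.
    forged = check_syn_cookie(*flow, client_isn + 1, 0xDEADBEEF, now=t0 + 5)
    # Replaying a valid cookie after more than two windows (>128 s) also fails.
    stale = check_syn_cookie(*flow, client_isn + 1, cookie + 1, now=t0 + 200)
    return good, forged, stale


if __name__ == "__main__":
    print(demo())        # (1460, None, None)
```

The point of the construction is that the server's only per-flood cost is one HMAC per SYN and one per ACK; the flooder's half-open connections never exist as state, so the backlog cannot fill.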

  6. PING of Death
  • Send a fragmented ICMP echo request whose reassembled size exceeds the 65,535 bytes the IP protocol’s 16-bit length field allows
  • Causes the system to freeze, crash, or reboot when the oversized datagram overflows the reassembly buffer
  • Operating systems after 1997 are patched to prevent this
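The packet-level signatures of the attacks on slides 2, 4 and 6 (Land, Ping of Death, Teardrop, Smurf, Fraggle) can be recognised from IP and transport header fields alone. The following added example (not part of the deck) runs such checks over constructed packet records; the local network, addresses and field values are all made up for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Networks behind this sensor. A packet from outside aimed at one of their broadcast
# addresses is the Smurf/Fraggle amplifier pattern. Constructed for the example.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
IP_MAX_LEN = 65535        # 16-bit total-length field: header + payload
IP_HDR_LEN = 20           # minimum IPv4 header


@dataclass(frozen=True)
class Pkt:
    """Decoded header fields of one IPv4 packet (constructed, not captured)."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    ident: int = 0        # IP identification, shared by all fragments of a datagram
    frag_off: int = 0     # fragment offset, in 8-byte units
    more: bool = False    # MF flag
    plen: int = 0         # bytes of payload after the IP header
    sport: int = 0
    dport: int = 0
    syn: bool = False
    icmp_type: int = -1   # 8 = echo request


def classify(pkts):
    """Return (attack_name, source) for every packet matching a classic DoS signature."""
    alerts = []
    seen = defaultdict(list)      # (src, dst, ident, proto) -> [(start, end)] of fragments
    for p in pkts:
        # LAND: SYN whose source address:port equals its destination address:port.
        if p.proto == "tcp" and p.syn and p.src == p.dst and p.sport == p.dport:
            alerts.append(("land", p.src))

        start, end = p.frag_off * 8, p.frag_off * 8 + p.plen
        # Ping of Death: this fragment would push the reassembled datagram past 65,535 bytes.
        if end > IP_MAX_LEN - IP_HDR_LEN:
            alerts.append(("ping_of_death", p.src))

        # Teardrop: a fragment overlapping one already seen for the same datagram.
        if p.more or p.frag_off:
            key = (p.src, p.dst, p.ident, p.proto)
            if any(start < e and end > s for s, e in seen[key]):
                alerts.append(("teardrop", p.src))
            seen[key].append((start, end))

        # Smurf / Fraggle: echo traffic from outside to a local directed-broadcast address.
        dst, src = ipaddress.ip_address(p.dst), ipaddress.ip_address(p.src)
        for net in LOCAL_NETS:
            if dst == net.broadcast_address and src not in net:
                if p.proto == "icmp" and p.icmp_type == 8:
                    alerts.append(("smurf", p.src))
                elif p.proto == "udp" and p.dport in (7, 19):   # echo, chargen
                    alerts.append(("fraggle", p.src))
    return alerts


# Constructed sample traffic: one benign packet and one instance of each attack.
SAMPLE = [
    Pkt("198.51.100.5", "192.0.2.10", "tcp", sport=443, dport=51000),
    Pkt("192.0.2.10", "192.0.2.10", "tcp", sport=139, dport=139, syn=True),
    Pkt("198.51.100.9", "192.0.2.10", "icmp", ident=7, frag_off=0, more=True, plen=1480, icmp_type=8),
    Pkt("198.51.100.9", "192.0.2.10", "icmp", ident=7, frag_off=8189, plen=30),   # 65512 + 30 > limit
    Pkt("203.0.113.4", "192.0.2.10", "udp", ident=9, frag_off=0, more=True, plen=36),
    Pkt("203.0.113.4", "192.0.2.10", "udp", ident=9, frag_off=3, plen=4),          # lands inside the first
    Pkt("203.0.113.77", "192.0.2.255", "icmp", icmp_type=8, plen=64),
    Pkt("203.0.113.77", "192.0.2.255", "udp", dport=7, plen=64),
]

if __name__ == "__main__":
    for name, src in classify(SAMPLE):
        print(f"{name:14s} from {src}")
```

Each check is a pure function of header fields, which is why these attacks were easy for stack patches and packet filters to kill once understood: the Smurf check, for instance, is exactly the condition a router applies when it refuses to forward directed broadcasts.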

  7. DoS/DDoS Countermeasures
  • Network ingress filtering (BCP 38): drop packets whose source address cannot legitimately arrive on that interface, defeating address spoofing
  • Rate-limiting network traffic (traffic shaping)
  • Intrusion Detection Systems
  • Automated network-tracing tools
  • Host & network auditing tools
  • DoS scanning tools
  • SARA (Security Auditor’s Research Assistant)
  • RID
  • Zombie Zapper
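Two of the countermeasures above, ingress filtering and per-source rate limiting, as an added example that is not from the slides: a BCP 38 check against the prefixes a customer-facing interface may legitimately source, followed by a token bucket per source address. The prefixes, the traffic mix and the rate/burst settings are constructed for the example.

```python
import ipaddress

# Constructed topology: this edge interface legitimately carries only these source
# prefixes, so any other source address is spoofed (BCP 38 ingress filtering).
CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def ingress_allowed(src):
    """BCP 38 check: is this source address plausible on the ingress interface?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES)


class TokenBucket:
    """Per-source token bucket: `rate` packets/s sustained, bursts up to `burst` packets.
    Time is kept in integer milliseconds and tokens in thousandths so the arithmetic
    is exact (rate tokens/s == rate millitokens/ms)."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.cap = burst * 1000
        self.state = {}            # src -> (millitokens, last_seen_ms)

    def allow(self, src, now_ms):
        tokens, last = self.state.get(src, (self.cap, now_ms))
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)
        if tokens >= 1000:
            self.state[src] = (tokens - 1000, now_ms)
            return True
        self.state[src] = (tokens, now_ms)
        return False


def filter_stream(packets, bucket):
    """packets: iterable of (timestamp_ms, src). Returns how many packets met each fate."""
    verdicts = {"spoofed": 0, "rate_limited": 0, "forwarded": 0}
    for ts, src in packets:
        if not ingress_allowed(src):
            verdicts["spoofed"] += 1          # dropped at the edge, never reaches the target
        elif not bucket.allow(src, ts):
            verdicts["rate_limited"] += 1     # real source, but exceeding its share
        else:
            verdicts["forwarded"] += 1
    return verdicts


def demo():
    # Constructed one-second capture: 1,000 pkt/s from one customer host (a flood),
    # 10 pkt/s from another (normal), and 50 packets with a spoofed outside source.
    stream = [(ms, "192.0.2.50") for ms in range(1000)]
    stream += [(i * 100, "192.0.2.60") for i in range(10)]
    stream += [(i * 20, "198.51.100.1") for i in range(50)]
    stream.sort()
    return filter_stream(stream, TokenBucket(rate=100, burst=20))


if __name__ == "__main__":
    print(demo())     # {'spoofed': 50, 'rate_limited': 881, 'forwarded': 129}
```

Note what each layer buys: the ingress filter removes the spoofed packets outright, while the bucket lets the flooding host through only at its configured 100 packets/s (the initial 20-packet burst plus one packet every 10 ms) without touching the well-behaved neighbour on the same prefix.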

  8. Session Hijacking
  • Attacker gains control of an authenticated session
  • Made possible by sequence number prediction
  • TCP sequence numbers are 32 bits: 0 to 4,294,967,295
  • Classic BSD stacks incremented the initial sequence number by 128,000 per second plus 64,000 for each connection, so one observed ISN let an attacker predict the next; modern stacks randomize the ISN (RFC 6528)
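An added example, not from the slides, showing why the BSD increment scheme made hijacking possible: a simulated server hands out ISNs with the 128,000/s + 64,000/connection rule, an attacker samples one and predicts the ISN the server will give to a spoofed connection half a second later, and the same attack is then run against an RFC 6528-style randomized ISN. Addresses, timing and the HMAC key are constructed.

```python
import hashlib
import hmac


class BSDStack:
    """Classic 4.4BSD initial sequence numbers: the ISN counter advances by
    128,000 per second and another 64,000 for every connection opened."""

    def __init__(self):
        self.isn = 0
        self.last = 0.0

    def new_isn(self, now, fourtuple):
        self.isn = (self.isn + int(128_000 * (now - self.last))) & 0xFFFFFFFF
        self.last = now
        self.isn = (self.isn + 64_000) & 0xFFFFFFFF
        return self.isn


class RandomizedStack:
    """RFC 6528 style: ISN = M(t) + F(4-tuple, secret), where M is a 4-microsecond
    clock and F a keyed hash, so sampling one connection says nothing about another."""

    def __init__(self, secret):
        self.secret = secret

    def new_isn(self, now, fourtuple):
        m = int(now * 250_000) & 0xFFFFFFFF
        msg = repr(fourtuple).encode()
        f = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return (m + f) & 0xFFFFFFFF


def blind_spoof_succeeds(stack, t0=1000.0, dt=0.5):
    """Blind spoofing against an address-trusting service (rlogin, port 513): the
    attacker opens one real connection to learn an ISN, then sends a SYN carrying the
    trusted host's source address dt seconds later and must ACK a SYN-ACK it never
    sees. Returns True if the attacker's predicted ISN equals the one the server used."""
    attacker = ("203.0.113.9", "192.0.2.20", 40000, 513)   # attacker's own probe (constructed)
    trusted = ("192.0.2.5", "192.0.2.20", 1023, 513)       # address spoofed afterwards
    sample = stack.new_isn(t0, attacker)
    guess = (sample + 64_000 + int(128_000 * dt)) & 0xFFFFFFFF
    actual = stack.new_isn(t0 + dt, trusted)
    return guess == actual


if __name__ == "__main__":
    print("BSD-style ISN predicted:", blind_spoof_succeeds(BSDStack()))                         # True
    print("Randomized ISN predicted:", blind_spoof_succeeds(RandomizedStack(b"constructed-secret")))  # False
```

With the deterministic rule the guess is exact, so the attacker can complete the spoofed handshake and inject commands into a session the server believes belongs to the trusted host. With the keyed offset the attacker's sampled ISN belongs to a different 4-tuple and carries no information about the target connection's ISN.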

  9. Session Hijacking
  • Methods of hijacking
  • Session fixation: attacker sets the user’s session ID to one already known to him (“I set your session ID to one I know”) and waits for the user to log in with it
  • Session sidejacking: attacker sniffs (unencrypted) traffic to steal the session cookie
  • Cross-site scripting: attacker injects script that runs in the user’s browser and reads the session cookie
  • Active vs Passive Hijacking
  • Active: attacker takes over the session
  • Passive: attacker watches/records all traffic (sniffing)
  • TCP-level hijacking relies on sequence prediction

  10. Session Hijacking
  • Tools
  • Hunt
  • Dangers of hijacking
  • Easy to perform
  • Few countermeasures
  • Gives the attacker whatever information the legitimate session could reach
  • Preventing hijacking
  • Encryption: IPsec, SSH, HTTPS, VPNs
  • Minimize remote access
  • Strong authentication
  • Educated users
  • Different usernames and passwords for different systems
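The three web methods on slide 9 and the prevention points above, as an added example not from the deck: a minimal server-side session store in Python that rotates the session ID at login (defeating fixation), beside the vulnerable variant that keeps the pre-login ID, plus the Secure and HttpOnly cookie attributes that deny sidejacking and script access to the cookie. The store, the user name and the cookie name are constructed.

```python
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Server-side session table keyed by an unguessable random ID."""

    def __init__(self):
        self._sessions = {}                   # sid -> {"user": None | str}

    def start(self):
        sid = secrets.token_urlsafe(32)       # 256 random bits: not sequential, not guessable
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate and rotate the ID. The pre-login ID, which an attacker may have
        planted (session fixation), is destroyed and never becomes an authenticated session."""
        if sid not in self._sessions:
            return None                       # only server-issued IDs are honoured
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


class FixableStore(SessionStore):
    """The vulnerable variant: keeps the same ID across login, so whoever chose it owns it."""

    def login(self, sid, user):
        if sid not in self._sessions:
            return None
        self._sessions[sid]["user"] = user
        return sid


def set_cookie_header(sid):
    """Cookie attributes that close the other two theft routes on slide 9."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True        # never sent over cleartext HTTP: sidejacking sees nothing
    c["sid"]["httponly"] = True      # not readable from document.cookie: XSS cannot exfiltrate it
    c["sid"]["samesite"] = "Strict"
    c["sid"]["path"] = "/"
    return c.output(header="Set-Cookie:")


def fixation_attempt(store_cls):
    """Attacker obtains a valid anonymous ID and plants it in the victim's browser;
    the victim then logs in with it. Returns (what the attacker's ID now resolves to,
    what the victim's post-login ID resolves to)."""
    store = store_cls()
    planted = store.start()                   # attacker's own, legitimately issued ID
    victim_sid = store.login(planted, "alice")
    return store.user_for(planted), store.user_for(victim_sid)


if __name__ == "__main__":
    print("vulnerable:", fixation_attempt(FixableStore))   # ('alice', 'alice')
    print("hardened:  ", fixation_attempt(SessionStore))   # (None, 'alice')
    print(set_cookie_header(SessionStore().start()))
```

The rotation is the whole defence against fixation: an ID the attacker knew before login must not be the ID that is authenticated after it. The cookie attributes handle the two remaining slide-9 methods, and both sit on top of the slide-10 advice to run the session over HTTPS in the first place, since Secure is meaningless on a site that only serves cleartext.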
