This review exam discusses targeted break-in, Denial of Service (DoS), and malware attacks, including unobtrusive information collection, host scanning, network scanning, port scanning, and fingerprinting.
Review Exam 2 Spring 2016
Unobtrusive Information Collection
• Sending packets into a network is “noisy”
• Need to do unobtrusive info gathering first, by
  • Visiting the target corporate website for
    • Employees’ names and emails
    • Officers’ names and organizational structure, etc.
  • Reading the trade press (often online and searchable) for
    • Info about products under development
    • Firms’ financial prospects, etc.
  • Searching the U.S. EDGAR* system online for
    • Ownership, shareholder information, etc.
  • Searching the Whois database at:
    • NetworkSolutions.com/whhois/index.jsp, internic.net/whois.html, etc.
* Electronic Data Gathering, Analysis, and Retrieval
Host Scanning
• Objective: identify the IP addresses of active hosts
  • Pinging individual hosts
  • Pinging a range of IP addresses
  • IP scanning software: fping, gping, Ping Sweep, Pinger
• SYN/ACK scanning is used when the firewall is configured to block pinging from outside
Network Scanning
• Objective: understand a network’s internal structure, including the location of routers and firewalls
• Also called network mapping
• Main tools used:
  • Tracert (in Windows) or Traceroute (in Linux)
  • Network scanning software, e.g. NetScanner
Port Scanning
• Most break-ins exploit specific services/applications

  Service   Default Port
  www       80
  FTP       21
  SMTP      25

• Scan the target for open ports
  • Send SYN segments to a particular port number
  • Observe SYN/ACK or reset (RST) responses
Fingerprinting
• Determining the specific software run by the target
• Identify a particular operating system or application program and (if possible) its version
  • For example, Microsoft Windows 2000 Server
  • For example, BSD LINUX 4.2
  • For example, Microsoft IIS 5.0
• Useful because most exploits are specific to particular programs or versions
Active vs. Passive Fingerprinting
• Active Fingerprinting
  • Send odd messages and observe the replies
  • Different operating systems and application programs respond differently
  • Active fingerprinting may set off alarms
  • Attackers usually keep the rate of attack messages below the IDS’s volume thresholds
• Passive Fingerprinting
  • Read the headers (IP-H, TCP-H, etc.) of normal response messages
  • e.g. Windows 2000 uses TTL = 128 and Window Size = 18000
  • Passive fingerprinting is difficult because an admin could change the default values
[Figure: IP header fields Time To Live (8 bits) and Protocol (8 bits; 1=ICMP, 6=TCP, 17=UDP); TCP header field Window Size (16 bits)]
Fingerprinting by Reading Banners
• Many programs have preset banners used in initiating communications
• Using telnet or FTP to connect to a server could display the banner
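The defender’s side of the port scan described above, as an added example that is not part of the review slides: a Python script that parses constructed firewall log lines (one per SYN seen, with the target’s reply) and flags sources that probe many ports and are mostly answered with RST. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the slides): one line per SYN seen, with
# the reply the target sent back (SYN/ACK = port open, RST = port closed).
LOG_LINES = """\
2016-04-01T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=21 reply=RST
2016-04-01T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=22 reply=SYN/ACK
2016-04-01T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=23 reply=RST
2016-04-01T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=25 reply=SYN/ACK
2016-04-01T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=53 reply=RST
2016-04-01T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=80 reply=SYN/ACK
2016-04-01T10:00:04 src=203.0.113.7 dst=192.0.2.10 dport=110 reply=RST
2016-04-01T10:00:04 src=203.0.113.7 dst=192.0.2.10 dport=143 reply=RST
2016-04-01T10:00:05 src=203.0.113.7 dst=192.0.2.10 dport=443 reply=RST
2016-04-01T10:00:05 src=203.0.113.7 dst=192.0.2.10 dport=3389 reply=RST
2016-04-01T10:00:06 src=198.51.100.4 dst=192.0.2.10 dport=80 reply=SYN/ACK
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) reply=(\S+)")

def parse_lines(text):
    """Yield (src, dst, dport, reply) for every log line the regex matches."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)

def scan_report(text, min_ports=8, min_rst_ratio=0.5):
    """Flag (src, dst) pairs that probed many distinct ports and were mostly answered
    with RST: a normal client touches a few open ports, a SYN scan walks many ports and
    hits closed ones.  Also lists the open ports the scanner found (what was exposed)."""
    probed, opened = defaultdict(set), defaultdict(set)
    rsts, total = defaultdict(int), defaultdict(int)
    for src, dst, port, reply in parse_lines(text):
        key = (src, dst)
        probed[key].add(port)
        total[key] += 1
        if reply == "RST":
            rsts[key] += 1
        elif reply == "SYN/ACK":
            opened[key].add(port)
    report = {}
    for key, ports in probed.items():
        ratio = rsts[key] / total[key]
        if len(ports) >= min_ports and ratio >= min_rst_ratio:
            report[key] = {"ports_probed": len(ports), "rst_ratio": round(ratio, 2),
                           "open_ports_found": sorted(opened[key])}
    return report
```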
Summary Questions 1 (cont.)
• In preparing his attack, the attacker sent normal HTTP requests to a web server. Then he spent some time analyzing the protocol-related information in the responses received from the web server in order to determine what software is installed on the web server. Which of the following did the attacker do?
  • Active learning
  • Network scanning
  • Passive fingerprinting
  • None of the above
Password Guessing
• Brute force
  • Generating possible password combinations by changing one character at a time
  • If the password is 4 decimal digits
    • Start with 0000; next try 0001; then 0002; etc.
    • How many possible combinations? ___________
  • If the password is 6 alphabetical characters, how many possible combinations? _____________
• Brute force password cracking software is available
Summary Questions 2 (cont.)
• Assume that a password is 2 decimal digits long. What is the maximum number of passwords that an attacker would have to try in order to crack the password?
  • 4
  • 67108864
  • 1024
  • None of the above
• How much time (in minutes) will it take to crack the password if it requires 1.2 seconds to try each password? Answer: a maximum of ______ minutes.
TCP Opening and DoS
• For each TCP connection request (SYN), the server has to:
  • Respond to the request (SYN/ACK)
  • Set resources aside in order to respond to each data request
[Figure: computers 1, 2 and 3 each send a SYN; the server answers each with a SYN/ACK, then waits for the ACK and the request from Computer 1, from Computer 2, from Computer 3, ...]
Denial of Service (DoS)
[Figure: the attacker’s home network sending HTTP requests to a web server]
• What resources would the web server use to respond to each of the HTTP requests it receives?
• What could be the consequences of the web server being flooded with too many requests from the attacker?
Denial of Service (DoS) Attack
• An attack that makes a computer’s resources unavailable to legitimate users
• Types of DoS attacks:
  • Single-message DoS
  • Flooding DoS
  • Distributed DoS
Single-message DoS Attacks
• First kind of DoS attack to appear
• Exploit weaknesses in the coding of operating systems and network applications
• Three main single-message DoS attacks:
  • Ping-of-Death
  • Teardrop
  • LAND attack
Ping of Death Attacks
[Figure: IP header fields Total Length (16 bits), Flags and Fragment Offset (13 bits). Fragment Offset identifies which fragment of the original packet this is; Flags indicate whether the packet could be fragmented or not]
• Take advantage of
  • The fact that TCP/IP allows large packets to be fragmented
  • Some network applications’ and operating systems’ inability to handle packets larger than 65536 bytes
• The attacker sends IP packets that are larger than 65,536 bytes through IP fragmentation
• Ping of death attacks are rare today, as most operating systems have been fixed to prevent this type of attack from occurring
• Example of PoD code and vulnerable operating systems:
  • http://insecure.org/sploits/ping-o-death.html
• Fix
  • Add checks in the reassembly process or in the firewall to protect hosts whose bug is not fixed
  • Check: the sum of the Total Length fields of the fragments is < 65536 bytes
Teardrop Attacks
[Figure: IP header fields Total Length (16 bits), Flags and Fragment Offset (13 bits); the attacker sends the victim a pretend fragmented IP packet consisting of Frag 1, Frag 2, Frag 4]
• Take advantage of IP fragmentation
• The attacker sends a pretend fragmented IP packet
  • But the Fragment Offset values are not consistent
• Earlier operating systems* and poorly coded network applications crash because
  • They are unable to reassemble the packet due to missing fragments
* Win 3.1, Win 95, Win NT, and Linux prior to 2.163
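The reassembly check recommended on the Ping of Death slide, extended to the inconsistent Fragment Offsets of the Teardrop slide, as an added Python example that is not from the slides: it pulls Total Length, Flags and Fragment Offset out of constructed IPv4 headers and rejects fragment sets that would be oversize, that overlap, or that cannot be completed. The header builder, sample sizes and the verdict names are assumptions.

```python
import struct
from dataclasses import dataclass

MAX_DATAGRAM = 65535          # Total Length is a 16-bit field (the slides round this to 65,536)

@dataclass(frozen=True)
class Fragment:
    offset: int               # Fragment Offset field, in 8-byte units (13 bits)
    payload_len: int          # bytes of data that follow the IP header
    more_fragments: bool      # MF bit of the Flags field

def parse_ipv4(header: bytes) -> Fragment:
    """Pull Total Length, Flags and Fragment Offset out of an IPv4 header."""
    vihl, _tos, total_len, _ident, flags_off = struct.unpack("!BBHHH", header[:8])
    ihl = (vihl & 0x0F) * 4
    return Fragment(offset=flags_off & 0x1FFF, payload_len=total_len - ihl,
                    more_fragments=bool(flags_off & 0x2000))

def check_fragments(frags):
    """Return 'ok' if the fragments reassemble cleanly, else why to drop them."""
    frags = sorted(frags, key=lambda f: f.offset)
    expected_next = 0
    for f in frags:
        start, end = f.offset * 8, f.offset * 8 + f.payload_len
        if end > MAX_DATAGRAM:
            return "oversize"     # Ping of Death: reassembled size exceeds the 16-bit limit
        if start < expected_next:
            return "overlap"      # Teardrop: inconsistent / overlapping Fragment Offsets
        if start > expected_next:
            return "gap"          # a fragment is missing, nothing to reassemble yet
        expected_next = end
    return "ok" if frags and not frags[-1].more_fragments else "incomplete"

def ipv4_header(total_len, mf, offset, ident=0x1234):
    """Build a constructed 20-byte IPv4 header (checksum left zero) for the samples."""
    flags_off = (0x2000 if mf else 0) | (offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                       64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

# Constructed sample fragment sets (headers only; payload sizes come from Total Length).
NORMAL = [parse_ipv4(ipv4_header(1500, True, 0)), parse_ipv4(ipv4_header(1500, True, 185)),
          parse_ipv4(ipv4_header(120, False, 370))]
PING_OF_DEATH = [parse_ipv4(ipv4_header(1500, False, 8189))]   # 8189*8 + 1480 = 66992 bytes
TEARDROP = [parse_ipv4(ipv4_header(56, True, 0)), parse_ipv4(ipv4_header(44, False, 3))]
```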
LAND Attacks
• First appeared in 1997
• The attacker uses IP spoofing with
  • source and destination addresses both referring to the target itself
• At the time, OSs and routers were not designed to deal with this kind of loopback
• The problem resurfaced more recently with Windows XP and Windows 2003 Server
Summary Questions 1
• Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability?
• Which of the following DoS attacks takes advantage of IP fragmentation?
  • LAND attack
  • Teardrop
  • Ping of Death
  • None of the above
• In which of the following DoS attacks does the attacker make use of IP spoofing?
  • LAND attack
  • Teardrop
  • Ping of Death
  • None of the above
Flooding DoS Attacks
• Flood a target with a series of messages in an attempt to make it crash
• Main types of flooding DoS attacks:
  • Flooding with regular requests
  • SYN flooding
  • Smurf flooding
  • Distributed DoS
SYN Flooding
• The attacker sends a series of TCP SYN opening requests
• For each SYN, the target has to
  • Send back a SYN/ACK segment, and
  • Set aside memory and other resources to respond
• When overwhelmed, the target slows down or even crashes
• SYN flooding takes advantage of the client/server workload asymmetry
[Figure: the attacker sends SYN, SYN, SYN, SYN, SYN to the victim]
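To make the workload asymmetry concrete, an added example (not from the slides) that replays a constructed trace of SYNs and ACKs against a server holding a fixed number of half-open connections; the backlog size, SYN timeout and addresses are assumptions.

```python
# Constructed connection trace (not from the slides): (time in seconds, client IP, flag
# seen at the server).  "S" = a SYN arrives, "A" = the client's final ACK arrives.
TRACE = [
    (0.0, "198.51.100.4", "S"), (0.1, "198.51.100.4", "A"),       # legitimate handshake
    *[(1.0 + i * 0.01, f"203.0.113.{i}", "S") for i in range(1, 201)],  # 200 SYNs never ACKed
    (4.0, "198.51.100.5", "S"), (4.1, "198.51.100.5", "A"),       # legitimate client mid-flood
]

def simulate_backlog(trace, backlog=128, syn_timeout=3.0):
    """Replay the trace against a server that keeps at most `backlog` half-open
    connections, each held until its ACK arrives or `syn_timeout` seconds pass.
    Returns (peak_half_open, syns_dropped, clients_refused)."""
    half_open = {}        # client -> time its SYN was accepted (memory the server set aside)
    peak = dropped = 0
    refused = []
    for t, client, flag in sorted(trace):
        # release entries whose SYN/ACK was never answered: the only relief during a flood
        for stale in [c for c, t0 in half_open.items() if t - t0 > syn_timeout]:
            del half_open[stale]
        if flag == "S":
            if len(half_open) >= backlog:     # table full: each SYN cost the sender almost
                dropped += 1                  # nothing, but the server must now refuse
                refused.append(client)
            else:
                half_open[client] = t
        elif flag == "A" and client in half_open:
            del half_open[client]             # handshake completed, resources released
        peak = max(peak, len(half_open))
    return peak, dropped, refused
```

With the default backlog the legitimate client arriving at t=4.0 is refused even though the spoofed senders never completed a single handshake.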
Smurf Flooding DoS
• The attacker uses IP spoofing
• The attacker sends ping / echo messages to third-party computers on behalf of the target
• All third-party computers respond to the target
Distributed DoS (DDoS) Attack
• The attacker hacks into multiple clients and plants handler programs on them. The clients become bots or intermediaries
• The attacker sends attack commands to the handlers, which execute the attacks
• First appeared in 2000 with the Mafiaboy attack against cnn.com, ebay.com, etrade.com, yahoo.com, etc.
[Figure: the Attacker sends an Attack Command to the Handler; the Handler sends the Attack Command to the Bots; the Bots send DoS Messages to the Server]
• Link to how to deal with DDoS (by Cisco)
Malware Attacks
• Types of malware:
  • Viruses
  • Worms
  • Trojan horses
  • Logic bombs
Virus
• Code/program (script, macro) that:
  • Attaches to files
  • Spreads by user actions (floppy disk, flash drive, opening an email attachment, IRC, FTP, etc.), not by itself
• Symptoms:
  • Annoying actions when the virus is executed: hogging memory, crashing the system, drives not accessible, antivirus disabled, etc.
  • Destructive actions when it is executed: deleting files, altering files, etc.
Viruses
• Could be
  • Boot sector viruses: attach themselves to files in the boot sector of the HD
  • File infector viruses: attach themselves to files (i.e. program files and user files)
  • Polymorphic viruses: mutate with every infection (using encryption techniques), making them hard to locate
  • Metamorphic viruses: rewrite themselves completely each time they are to infect new executables*
  • Stealth viruses: hide themselves by intercepting the disk access requests of antivirus programs
[Figure: the antivirus issues a disk access request; the stealth virus sits between the antivirus and the OS and returns an uninfected version of the files to the anti-virus software, so that infected files seem “clean”]
* a metamorphic engine is needed
Worm
• Does not attach to files
• A self-replicating computer program that propagates across a system
• Uses a host computer’s resources and network connections to transfer a copy of itself to another computer
• Harms the host computer by consuming processing time and memory
• Harms the network by consuming bandwidth
Question: Distinguish between viruses and worms
Trojan Horse
• A computer program
  • That appears to be a useful program like a game, a screen saver, etc.
  • But is really a program designed to damage or take control of the host computer
• When executed, a Trojan horse could
  • Format disks
  • Delete files
  • Open TCP ports to allow a remote computer to take control of the host computer (Back Door)
• NetBus and SubSeven used to be attackers’ favorite programs for remote control of targets
Logic Bomb
• A piece of malicious code intentionally inserted into a software system
• The bomb is set to run when a certain condition is met
  • Passing of a specified date/time
  • Deletion of a specific record in a database
• Example: a programmer could insert a logic bomb that functions as follows:
  • Scan the payroll records each day.
  • If the programmer’s name is removed from the payroll, the logic bomb destroys vital files weeks or months after the name removal.
Firewalls
Test Your Firewall Knowledge
• Which of the following is true about firewalls?
  • A firewall is a hardware device
  • A firewall is a software program
  • Firewalls could be hardware or software
• Which of the following is true about firewalls?
  • They are used to protect a whole network against attacks
  • They are used to protect single computers against attacks
  • Both a and b
Test Your Firewall Knowledge (cont.)
• Which of the following is true about firewalls?
  • They are configured to monitor inbound traffic and protect against attacks by intruders
  • They are configured to monitor outbound traffic and prevent specific types of messages from leaving the protected network
  • Both a and b
Firewall: Definition
• A hardware or software tool used to protect a single host¹ or an entire network² by
  • “Sitting” between a trusted network (or a trusted host) and an untrusted network
  • Applying preconfigured rules and/or traffic knowledge to allow or deny access to incoming and outgoing traffic
[Figure: a trusted network whose PCs run host-based firewalls, separated from the untrusted network by a network-based firewall]
¹ Host-based or personal firewall
² Network-based firewall
Questions
• What is the main advantage of having a host-based firewall in addition to having a network-based one? Answer: _________________________________________
• What kind of security issue could be associated with having host-based firewalls on users’ PCs? Answer: __________________________________________
Firewall Architecture
• Most firms have multiple firewalls. Their arrangement is called the firm’s firewall architecture
[Figure: firewall architecture with the Internet, a Screening Router Firewall, a Main Border Firewall, a Demilitarized Zone (DMZ) holding the Public Webserver 60.47.3.9, External DNS Server 60.47.3.4, SMTP Application Proxy Server 60.47.3.10 and HTTP Application Proxy Server 60.47.3.1, an Internal Firewall, and the internal subnets 172.18.9.x, Marketing Client on 172.18.5.x, Email Server on 172.18.6.x and Accounting Server on 172.18.7.x, each host behind a Host Firewall]
Questions
• What is a DMZ?
• Which of the following may be placed in a DMZ?
  • An SMTP proxy server
  • A server that contains files available for downloading by employees
  • A File Transfer Protocol (FTP) server
  • A SQL (Structured Query Language) database server
• What IP addresses should a DNS server in the DMZ be able to find?
  • All of the company’s IP addresses
  • Only the IP addresses of the computers in the internal subnet
  • Only the IP addresses of the computers in the DMZ
• You work as the security administrator at King.com. King.com has been receiving a high volume of attacks on the king.com web site. You want to collect information on the attackers so that legal action can be taken. Which of the following can you use to accomplish this?
  • A DMZ (Demilitarized Zone)
  • A honey pot
  • A firewall
  • None of the above
Basic Firewall Operation
[Figure: the Internet (Not Trusted), with an Attacker and a Legitimate User, connected through the Border Firewall to the Internal Corporate Network (Trusted); Legitimate Packet 1 and Legitimate Packet 2 are passed (ingress), Attack Packet 1 is dropped (ingress) and recorded in the Log File, and a packet leaving the internal network is passed (egress)]
• Ingress filtering: filtering packets coming from external networks
• Egress filtering: filtering packets leaving to external networks
Types of Firewalls
[Figure: packet layouts IP-H | TCP-H | Application Layer Message and IP-H | UDP-H | Application Layer Message; a State Table]
• Static Packet Filtering Firewalls (1st generation)
  • Inspect TCP, UDP and IP headers to make filtering decisions
  • Do static filtering of individual packets based on a configured ruleset (or Access Control List)
  • Prevent attacks that use IP or port spoofing, etc.
• Stateful Packet Filtering Firewalls (2nd generation)
  • Inspect TCP, UDP and IP headers to make filtering decisions
  • Do stateful filtering by checking the firewall’s state table for the relation of packets to packets already filtered
    • If a packet does not match an existing connection, the ruleset (static filtering) is used
    • If a packet matches an existing connection, it is allowed to pass
  • Prevent SYN attacks, teardrops, etc.
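The two stateful-filtering rules on this slide worked through as an added Python example (not from the slides): a state table of allowed connections, a static ruleset consulted only for packets that open a new connection, and the public web server address 60.47.3.9 from the architecture slide. The Packet class, rule format and verdict strings are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP flags, e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})

# Static ruleset (Access Control List), consulted only for packets that try to open a
# new connection.  60.47.3.9 is the public web server on the architecture slide.
RULES = [
    {"dst": "60.47.3.9", "dport": 80, "action": "allow"},
    {"action": "deny"},                                  # default deny
]

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()    # state table: (src, sport, dst, dport) of allowed connections

    def filter(self, p):
        """Return 'pass ...' or 'drop ...' with the reason, following the slide's two rules."""
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if forward in self.state or reverse in self.state:
            if p.flags & {"FIN", "RST"}:                 # connection closing: forget it
                self.state.discard(forward)
                self.state.discard(reverse)
            return "pass (matches state table)"
        # No known connection: only a bare SYN may open one.  A stray SYN/ACK or ACK
        # (spoofed reply, ACK scan, leftover of an old connection) matches nothing here.
        if p.flags != {"SYN"}:
            return "drop (no matching connection)"
        for rule in self.rules:
            if all(getattr(p, k) == v for k, v in rule.items() if k != "action"):
                if rule["action"] == "allow":
                    self.state.add(forward)
                    return "pass (ruleset, connection recorded)"
                return "drop (ruleset)"
        return "drop (no rule matched)"
```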
Types of Firewalls (cont.)
• Application Firewalls (3rd generation)
  • Also called proxy firewalls
  • Inspect the Application Layer message (e.g. HTTP requests, emails, etc.)
  • Specialized proxy firewalls are more effective than general-purpose ones
    • HTTP proxy firewalls for HTTP requests
    • SMTP proxy firewalls for SMTP emails
    • FTP proxy firewalls for FTP-based file transfer requests
  • Prevent malware attacks
[Figure: Browser sends 1. HTTP Request to the HTTP Proxy; the proxy forwards 2. Passed inspected HTTP Request to the Webserver; the Webserver returns 3. HTTP Response to the proxy; the proxy forwards 4. Passed inspected HTTP Response to the Browser; the HTTP Proxy writes an Application Log File]
Types of Firewalls (cont.)
• Network Address Translation Firewall
  • Replaces the IP address in outgoing messages with a spoof IP address
  • Hides internal hosts’ IP addresses from outsiders
  • Helps prevent IP spoofing attacks using internal IP addresses
[Figure: NAT firewall with addresses 135.12.20.1, 135.12.20.2, 135.12.20.3 on one side and 135.12.23.12, 135.12.22.2, 135.12.21.3 on the other]