The Five Most Popular Attacks on the Internet
Peter Mell, 1-7-98
peter.mell@nist.gov
National Institute of Standards and Technology, Computer Security Division
Outline
• Sources of attacks and vulnerability information
• Details on the most frequently requested attacks
• Statistics on attacks available on the Internet
Web Site Resources
Attack Scripts
• Rootshell, http://www.rootshell.com
• Fyodor’s Playhouse, http://www.insecure.org
Vulnerability Information
• Bugtraq, http://geek-girl.com/bugtraq
• NTBugtraq, http://www.ntbugtraq.com
Vulnerability Advisories
• CERT, http://www.cert.org
• L0pht, http://www.l0pht.com/
We are Measuring the Popularity of Attacks
• Rootshell makes available a CGI script that reveals the last 50 search requests made on its database of 700+ attack scripts
• We created a Perl script that harvests the search requests each hour
• Approximately 170,000 queries are made each month (our current sample size is 20% of the total number: 33,000 queries)
Attacks on Applications
• ICQ: 6 exploits in the last year. Spoof any ICQ user id and send people files that get stored anywhere
• Sendmail: 11 exploits in the last year. Local get root, DoS, remote control
• imap: 8 exploits in the last year. Scanners and remote get root attacks
Manuals on performing buffer overflow attacks:
• http://www.insecure.org/stf/smashstack.txt
• http://www.l0pht.com/advisories/bufero.html
Back Orifice: What Microsoft Says
“Microsoft takes security seriously, and has issued this bulletin to advise customers that Windows 95 and Windows 98 users following safe computing practices are not at risk…”
According to Wired (1998-Nov-17), 79% of Australian ISPs are "infected" with Back Orifice. http://www.wired.com/news/news/technology/story/16310.html
Back Orifice
Author: Cult of the Dead Cow, http://www.cultdeadcow.com
Publish Date: Released in August 1998 at the annual DEF CON hacker convention
Summary: Remotely control Windows 95 hosts
Transmission Method: Web site downloads, e-mailing free apps, piggybacking with “ordinary” remote exploits
Back Orifice Applications
• File System Control: Add/delete any file
• Process Control: Run/kill any process
• Registry Control: List, create, delete, and set registry keys and values
• Network Control: View all exported resources and their passwords. View and kill connections.
• Multimedia Control: Keystroke monitor. Take screen shots. Control host cameras.
• Packet Redirection: Redirect local ports to remote ports
• Packet Sniffer: View any network packets
• Plug-in Interface: Much like Netscape plug-ins
Other Back Orifice Features
Plug-Ins:
• Butt Trumpet: Penetration notification via e-mail
• Saran Wrap: Easily bundle BO with legitimate software
• Speakeasy: Broadcast a penetration to an IRC channel
Other Features:
• Encrypted connections
• Autonomous mode
Netbus
Similar to Back Orifice except that anyone can log into a Netbus server
• Start optional application
• Download/upload/delete files
• Send keystrokes and disable keys
• Record sounds from the microphone
• Go to an optional URL
• Control mouse
• Shut down Windows
• Listen to keystrokes
• Take a screendump
Teardrop (published before 11/14/97)
Reboots or halts Windows 95, NT and Linux using 2 fragmented packets
[Diagram: two fragment layouts. Left, an ordinary overlap: P1 Offset=0, End=N; P2 Offset<N, End=N+M, trimmed on reassembly to P2 Offset=N, End=N+M. Right, the Teardrop case: P1 Offset=0, End=N; P2 Offset<N, End<N, so after trimming to Offset=N the second fragment's End lies before its Offset.]
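The overlap arithmetic the diagram describes, as an added example that is not part of the original slides: a naive reassembler that only moves the second fragment's start forward and then copies `end - start` bytes gets a negative length in the Teardrop case, and the check that rejects such a fragment. N, M and the offsets are the slide's symbols; the values used are constructed.

```python
# Added example, not from the slides: the fragment-overlap arithmetic behind
# Teardrop.  A receiver places each IP fragment at [offset, end) in the
# reassembly buffer.  Teardrop's second fragment starts inside the first
# (P2 Offset < P1 End).  A reassembler that only moves P2's start forward to
# P1 End and then copies (end - start) bytes gets a negative length when
# P2 End < P1 End; treated as unsigned, that copy runs far past the buffer.
# N and M are the slide's symbols; the values below are constructed.

def unchecked_copy_len(prev_end, offset, end):
    """Bytes a naive reassembler copies after trimming the front overlap."""
    start = max(offset, prev_end)      # move P2's start to the end of P1
    return end - start                 # negative for the Teardrop case

class Reassembler:
    """Overlap trimming with the check the naive version lacks."""

    def __init__(self):
        self.frags = []                # accepted (start, end) pairs, sorted

    def add_fragment(self, offset, end):
        """Return (accepted, start, end) after trimming against held data."""
        if offset < 0 or end <= offset:
            return (False, offset, end)
        start = offset
        for f_start, f_end in self.frags:
            if start < f_end and end > f_start:    # overlaps this fragment
                if f_start <= start:
                    start = f_end                  # drop the front overlap
                else:
                    end = f_start                  # drop the back overlap
        if end - start <= 0:                       # nothing new left: reject
            return (False, start, end)
        self.frags.append((start, end))
        self.frags.sort()
        return (True, start, end)

def demo(n=24, m=8):
    """Replay both cases of the slide's diagram with P1 = [0, N)."""
    naive = unchecked_copy_len(n, n - 4, n - 2)   # P2 ends inside P1
    left = Reassembler()
    left.add_fragment(0, n)
    ok = left.add_fragment(n - 4, n + m)          # P2 End = N+M: accepted
    right = Reassembler()
    right.add_fragment(0, n)
    dropped = right.add_fragment(n - 4, n - 2)    # P2 End < N: rejected
    return naive, ok, dropped
```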
Smurf (published before 10/13/97)
• Smurf freezes a target by sending it large numbers of ICMP ping packets
• Attacker is not traceable
• Each of the attacker’s ping packets is amplified into hundreds of packets
[Diagram: Attacker -> network that responds to broadcast pings -> Target. The attacker's ping packets carry Source: Target, Destination: broadcast address; the target receives hundreds of packets for each of the attacker's packets.]
(Win)Nuke (published before 5/7/97)
Winnuke crashes Windows 95/NT hosts by establishing a TCP connection and sending out-of-band data
[Diagram: Attacker -> Target. 1. TCP connection established (port 139). 2. Send a packet of out-of-band data (e.g. send(s, str, strlen(str), MSG_OOB)).]
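Detection logic for the Smurf and WinNuke slides above, as an added example that is not part of the original slides: three defender-side rules run over a constructed packet trace. The record format, the /24 broadcast assumption and the reply threshold are assumptions of this example.

```python
# Added example, not from the slides: flagging Smurf and WinNuke in a packet
# trace of constructed records (a minimal subset of IP/ICMP/TCP fields).
# Rules, from the defender's side:
#   smurf-amplifier: echo request addressed to a broadcast address, seen at
#                    the border of the network being used as the amplifier
#   smurf-target:    echo replies from many distinct sources to one host
#                    that sent none of the matching requests
#   winnuke-oob:     TCP segment to port 139 carrying the URG flag
from collections import defaultdict

def is_broadcast(dst):
    """Limited broadcast, or directed broadcast assuming /24 subnets."""
    return dst == "255.255.255.255" or dst.endswith(".255")

def detect(packets, reply_threshold=3):
    alerts = []
    requests = set()                   # (src, dst) of echo requests seen
    reply_sources = defaultdict(set)   # reply destination -> reply sources
    for p in packets:
        if p["proto"] == "icmp" and p["type"] == 8:
            requests.add((p["src"], p["dst"]))
            if is_broadcast(p["dst"]):
                alerts.append(("smurf-amplifier", p["dst"], p["src"]))
        elif p["proto"] == "icmp" and p["type"] == 0:
            if (p["dst"], p["src"]) not in requests:    # unsolicited reply
                reply_sources[p["dst"]].add(p["src"])
        elif p["proto"] == "tcp" and p["dport"] == 139 and "URG" in p["flags"]:
            alerts.append(("winnuke-oob", p["dst"], p["src"]))
    for target, sources in reply_sources.items():
        if len(sources) >= reply_threshold:
            alerts.append(("smurf-target", target, len(sources)))
    return alerts

# Constructed trace: a spoofed request (source = target) to a broadcast address,
# three replies to the target, one normal ping pair, and OOB data to port 139.
SAMPLE_TRACE = [
    {"proto": "icmp", "type": 8, "src": "10.0.0.5", "dst": "192.168.1.255"},
    {"proto": "icmp", "type": 0, "src": "192.168.1.10", "dst": "10.0.0.5"},
    {"proto": "icmp", "type": 0, "src": "192.168.1.11", "dst": "10.0.0.5"},
    {"proto": "icmp", "type": 0, "src": "192.168.1.12", "dst": "10.0.0.5"},
    {"proto": "icmp", "type": 8, "src": "10.0.0.7", "dst": "10.0.0.9"},
    {"proto": "icmp", "type": 0, "src": "10.0.0.9", "dst": "10.0.0.7"},
    {"proto": "tcp", "dport": 139, "flags": {"PSH", "URG"}, "src": "10.0.0.99", "dst": "10.0.0.5"},
    {"proto": "tcp", "dport": 80, "flags": {"ACK"}, "src": "10.0.0.7", "dst": "10.0.0.9"},
]

def demo():
    return detect(SAMPLE_TRACE)
```

The normal ping pair in the trace produces no alert because its reply matches a request already seen, which is what separates a Smurf flood from ordinary echo traffic.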
Listing of the top 20 attacks
Recommended scanning software: nmap, queso, strobe, netcat
DoS attack toolkit: targa
Statistics on attacks published on the Internet
• 37% of attacks can be launched from Windows hosts (people don’t need Unix to be dangerous anymore)
• 4% of attacks compromise hosts that visit web sites (surfing the Internet is not risk free)
• 3% of attacks exploit more than one vulnerability (attack toolkits that allow children to penetrate hosts with the push of a button are becoming a reality)
• 8% are scanning tools that look for vulnerabilities (automated searching for vulnerable hosts is commonplace)
Even Firewalls, Routers, and Switches are not safe
Percent of attacks that work against:
• firewalls (7%) (no penetration attacks found)
• routers (6%) (no penetration attacks found)
Percent of attacks that penetrate:
• switches (2%) (NBase and 3Com backdoor passwords)