1 / 27

Chapter 18

Chapter 18. Network Attack and Defense. The Most common attacks. http://www.sans.org/top20/ This is the list of the top 20 attacks. How many does encryption solve? How many does firewalls solve? How many are software flaws?. Combination.

yvon
Download Presentation

Chapter 18

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 18 Network Attack and Defense

  2. The Most common attacks • http://www.sans.org/top20/ • This is the list of the top 20 attacks. • How many does encryption solve? • How many does firewalls solve? • How many are software flaws?

  3. Combination • Many attacks are combinations of what we already have looked at: • Buffer overflows • Password crackers • Sniffing • Root kits • Software vulnerabilities • Open ports etc • SQL infection • Programming errors • Some from this chapter • Protocol vulnerabilities (TCP/IP suite) • Denial of Service

  4. It’s Sad • Many attacks you read about are exploits where patches already exist. It’s the ones you don’t know about that keep security administrators up at night. • The patch for Code Red worm had existed months before the attack. • TCP/IP vulnerabilities • http://www.javvin.com/networksecurity/tcpipnetwork.html • Huge number of services are enabled by default in Operating Systems

  5. We can look at attacks by level in OSI model Layer 2 Attacks VLAN Hopping MAC Spoofing Attack Private VLAN Attacks DHCP Starvation Layer 3 Attacks Spoofing IP Fragmentation Ping of Death Land Attack Layer 4 Attacks SYN Flooding Sniffing MitM Session Replay Session Hijacking TCP Sequence Prediction Denial of Service Backhoe Attenuation Smurf Attack Domain Hijacking Layer 8 Attacks Trusted Insiders Social Engineering Identity Theft Layer 7 Attacks Buffer Overflow Malware Viruses Worms Trojan Horses Back Door Malware Attack Vectors Malware Protection Hoaxes UCE Application Attacks Exploiting Software Reverse Engineering Software Testing and Monitoring Password Attacks Logic Bombs Downgrade Attacks Store and Forward Transmissions Automated Software Distribution Audit Log Attacks Rootkits Covert Channels Web-Based Attacks Web Cookies Leaking Browser Information Spyware Databases on the Web Web Site Blocking Active Content CGI Java ActiveX OSI model

  6. Script kiddies/Packaged defense • Hacking is becoming de-skilled • TCP/IP suite designed to work in open sharing honest environment • Various levels of hackers • script kiddies • download script run it have no real idea what they are doing • Experienced hackers (typically excellent programmers) • Many companies can not find or afford proper security personnel • Easy to find tools to automate hack • Hard to trace international hack, requires international cooperation. • Massive amount of information on how to hack on the internet.

  7. Denial of Service Attacks • Jolt2 • source code widely available • sends identical fragmented IP packets • systems use 100% resources attempting to re-assemble these malformed packets • can attack servers as well as routers • patches exist for most systems • some firewalls recognize the malformed packets and drop them

  8. Denial of Service Attacks • SYN flood • violates 3-way handshake by establishing a large number of half open connections • Eventually fills storage allocated for these and system does not allow new connections • Prevention, well if you limit the number of these connections, then legit users still can not access system • Various OS’s are working on changes to prevent these attacks, need to adjust how ½ openeds are stored

  9. Denial of Service Attacks • Smurf, Papa Smurf, Fraggle • Uses forged address to send packets (ICMP) to broadcast address (12.255.255.255) • All machines on the network then attempt to respond to the forged address • Simply generates large amounts of traffic on both networks • address where original message sent • forged return address when all respond

  10. Denial of Service Attacks • Smurf amplifiers are sites that • allow ICMP echo packets to broadcast address • allows ICMP replies out • nmap can also be used to find Smurf amplifiers • http://www.powertech.no/smurf/reports smurf amplifiers

  11. Denial of Service Attacks • So smurf attacks basically use the following • hacker • amplifier • misconfigured system • router broadcasts packets to subnet • machines respond to pings/echoes • victim • receives all the responses

  12. Denial of Service Attacks • as you can see most of these attacks utilize networking protocols • sending malformed packets cause problems for the attacked machine • IP spoofing is typically used to hide source of attack • Not going to cover all of these from the chapter, please read them though. • Many Many others exist and most are available on Packet Storm just search on DOS • http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=DOS&type=archives&%5Bsearch%5D.x=14&%5Bsearch%5D.y=10

  13. Distributed Denial of Service • In February of 2000 these became famous • Amazon • CNN • E*Trade • Yahoo • eBay • ……………….. • all attacked and brought to their knees

  14. Distributed Denial of Service • The seeds were in the wind before 2000 • In August of 1999 University of Minnesota was subject to a 2 day attack. • Before we look at these attacks we need to understand a little about them.

  15. Distributed Denial of Service • These attacks use compromised machines to attack others. • Hackers over time develop a network of compromised machines that are set to “do their bidding” that is attack. • these are often called zombie machines • or just zombies

  16. Distributed Denial of Service • Once the network of zombies are built • specific commands typically on specific ports instruct the zombies where to attack • dos 192.192.192.192 would launch the attack against that address

  17. Distributed Denial of Service • OK so Trinoo was the first major one • Used to launch attack against U of Minnesota • Did not use IP spoofing from attacking machine so admins were able to contact compromised machines and stop the attack • Most of these machines were Solaris 2.x systems • While doing this the attacker simply continued to release new Zombies against the network • Progressed for 2 days. • Newer ones are being developed: • http://news.zdnet.com/2100-1009_22-6050688.html

  18. Bot networks can be rented • http://news.zdnet.com/2100-1009_22-6030270.html • http://news.zdnet.com/2100-1009_22-5772238.html?tag=nl • The following is a great source of Dist DOS information • http://staff.washington.edu/dittrich/misc/ddos/

  19. Blind IP Spoofing Attacker 192.113.123.010 From address: 65.67.68.05 To address: 65.67.68.07 Target 65.67.68.07 Spoofed Address 65.67.68.05

  20. Defenses • Configuration management • Current copies of OS • All patches applied • Service and config files hardened • Default passwords removed • Organizational discipline to make sure stays this way.

  21. Firewalls • Hardware and software • Protects internal network from external • Installed between internal and external • Uses rules to limit incoming traffic • Uses rules to decide what traffic is allowed in and what traffic is not allowed in

  22. Firewall techniques • NAT • Basic Packet filtering • Stateful packet inspection • Application gateways • Access control lists

  23. Intrusion detection systems • Must tune and monitor systems • http://www.snort.org/ • Discussed IDS previously • Security Information Management Systems • Attempt to combine and automatically monitor all systems • http://www.netforensics.com/ • http://www.managementsoftware.hp.com/ • http://www.sourcefire.com/products.html

  24. Articles • Egress filtering • Lawsuits stemming from DOS • Intrusion Detection • Intrusion/Penetration testing programs • Satan saint • Lawsuits stemming from losses incurred do to insufficient protection. • Current DOS canned packages

  25. List of Resources • Jolt2 • http://www.securiteam.com/exploits/5RP090A1UE.html • http://www.networkworld.com/details/673.html?def • SYN flood • http://en.wikipedia.org/wiki/SYN_flood • http://www.cert.org/advisories/CA-1996-21.html

  26. List or resources • Smurf • http://en.wikipedia.org/wiki/Smurf_attack • http://en.wikipedia.org/wiki/Smurf_amplifier • Distributed Denial of Service • http://en.wikipedia.org/wiki/Denial_of_service • http://staff.washington.edu/dittrich/misc/ddos/ • Defenses • http://www.dtc.umn.edu/resources/perrig.pdf

  27. List of resource • Network Protocol vulnerabilities • http://www.javvin.com/networksecurity/tcpipnetwork.html • http://www.ja.net/CERT/Bellovin/TCP-IP_Security_Problems.html • http://www.kb.cert.org/vuls/id/222750 • http://www.insecure.org/stf/tcpip_smb.txt

More Related