Transcript Chapter 18
Chapter 18 Network Attack and Defense The Most common attacks http://www.sans.org/top20/ This is the list of the top 20 attacks. How many does encryption solve? How many does firewalls solve? How many are software flaws? Combination Many attacks are combinations of what we already have looked at: Buffer overflows Password crackers Sniffing Root kits Software vulnerabilities Open ports etc SQL infection Programming errors Some from this chapter Protocol vulnerabilities (TCP/IP suite) Denial of Service It’s Sad Many attacks you read about are exploits where patches already exist. It’s the ones you don’t know about that keep security administrators up at night. The patch for Code Red worm had existed months before the attack. TCP/IP vulnerabilities http://www.javvin.com/networksecurity/tcpipnetwork.html Huge number of services are enabled by default in Operating Systems OSI model We can look at attacks by level in OSI model Layer 2 Attacks VLAN Hopping MAC Spoofing Attack Private VLAN Attacks DHCP Starvation Layer 7 Attacks Buffer Overflow Malware Layer 3 Attacks Spoofing IP Fragmentation Ping of Death Land Attack Hoaxes UCE Application Attacks Layer 4 Attacks SYN Flooding Sniffing MitM Session Replay Session Hijacking TCP Sequence Prediction Denial of Service Backhoe Attenuation Smurf Attack Domain Hijacking Layer 8 Attacks Trusted Insiders Social Engineering Identity Theft Exploiting Software Reverse Engineering Software Testing and Monitoring Password Attacks Logic Bombs Downgrade Attacks Store and Forward Transmissions Automated Software Distribution Audit Log Attacks Rootkits Covert Channels Web-Based Attacks Viruses Worms Trojan Horses Back Door Malware Attack Vectors Malware Protection Web Cookies Leaking Browser Information Spyware Databases on the Web Web Site Blocking Active Content CGI Java ActiveX Script kiddies/Packaged defense Hacking is becoming de-skilled TCP/IP suite designed to work in open sharing honest environment Various levels of hackers script kiddies download script run it have no real idea what they are doing Experienced hackers (typically excellent programmers) Many companies can not find or afford proper security personnel Easy to find tools to automate hack Hard to trace international hack, requires international cooperation. Massive amount of information on how to hack on the internet. Denial of Service Attacks Jolt2 source code widely available sends identical fragmented IP packets systems use 100% resources attempting to reassemble these malformed packets can attack servers as well as routers patches exist for most systems some firewalls recognize the malformed packets and drop them Denial of Service Attacks SYN flood violates 3-way handshake by establishing a large number of half open connections Eventually fills storage allocated for these and system does not allow new connections Prevention, well if you limit the number of these connections, then legit users still can not access system Various OS’s are working on changes to prevent these attacks, need to adjust how ½ openeds are stored Denial of Service Attacks Smurf, Papa Smurf, Fraggle Uses forged address to send packets (ICMP) to broadcast address (12.255.255.255) All machines on the network then attempt to respond to the forged address Simply generates large amounts of traffic on both networks address where original message sent forged return address when all respond Denial of Service Attacks Smurf amplifiers are sites that allow ICMP echo packets to broadcast address allows ICMP replies out nmap can also be used to find Smurf amplifiers http://www.powertech.no/smurf/ reports smurf amplifiers Denial of Service Attacks So smurf attacks basically use the following hacker amplifier misconfigured system router broadcasts packets to subnet machines respond to pings/echoes victim receives all the responses Denial of Service Attacks as you can see most of these attacks utilize networking protocols sending malformed packets cause problems for the attacked machine IP spoofing is typically used to hide source of attack Not going to cover all of these from the chapter, please read them though. Many Many others exist and most are available on Packet Storm just search on DOS http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=DOS&type=archives&%5Bsearch%5D.x=14&%5Bsearch%5D.y=10 Distributed Denial of Service In February of 2000 these became famous Amazon CNN E*Trade Yahoo eBay ……………….. all attacked and brought to their knees Distributed Denial of Service The seeds were in the wind before 2000 In August of 1999 University of Minnesota was subject to a 2 day attack. Before we look at these attacks we need to understand a little about them. Distributed Denial of Service These attacks use compromised machines to attack others. Hackers over time develop a network of compromised machines that are set to “do their bidding” that is attack. these are often called zombie machines or just zombies Distributed Denial of Service Once the network of zombies are built specific commands typically on specific ports instruct the zombies where to attack dos 192.192.192.192 would launch the attack against that address Distributed Denial of Service OK so Trinoo was the first major one Used to launch attack against U of Minnesota Did not use IP spoofing from attacking machine so admins were able to contact compromised machines and stop the attack Most of these machines were Solaris 2.x systems While doing this the attacker simply continued to release new Zombies against the network Progressed for 2 days. Newer ones are being developed: http://news.zdnet.com/2100-1009_226050688.html Bot networks can be rented http://news.zdnet.com/2100-1009_22-6030270.html http://news.zdnet.com/2100-1009_22-5772238.html?tag=nl The following is a great source of Dist DOS information http://staff.washington.edu/dittrich/misc/ddos/ Blind IP Spoofing Attacker 192.113.123.010 From address: 65.67.68.05 To address: 65.67.68.07 Spoofed Address 65.67.68.05 Target 65.67.68.07 Defenses Configuration management Current copies of OS All patches applied Service and config files hardened Default passwords removed Organizational discipline to make sure stays this way. Firewalls Hardware and software Protects internal network from external Installed between internal and external Uses rules to limit incoming traffic Uses rules to decide what traffic is allowed in and what traffic is not allowed in Firewall techniques NAT Basic Packet filtering Stateful packet inspection Application gateways Access control lists Intrusion detection systems Must tune and monitor systems http://www.snort.org/ Discussed IDS previously Security Information Management Systems Attempt to combine and automatically monitor all systems http://www.netforensics.com/ http://www.managementsoftware.hp.com/ http://www.sourcefire.com/products.html Articles Egress filtering Lawsuits stemming from DOS Intrusion Detection Intrusion/Penetration testing programs Satan saint Lawsuits stemming from losses incurred do to insufficient protection. Current DOS canned packages List of Resources Jolt2 http://www.securiteam.com/exploits/5RP090 A1UE.html http://www.networkworld.com/details/673.ht ml?def SYN flood http://en.wikipedia.org/wiki/SYN_flood http://www.cert.org/advisories/CA-199621.html List or resources Smurf http://en.wikipedia.org/wiki/Smurf_attack http://en.wikipedia.org/wiki/Smurf_amplifier Distributed Denial of Service http://en.wikipedia.org/wiki/Denial_of_service http://staff.washington.edu/dittrich/misc/ddos/ Defenses http://www.dtc.umn.edu/resources/perrig.pdf List of resource Network Protocol vulnerabilities http://www.javvin.com/networksecurity/tcpipnetwork .html http://www.ja.net/CERT/Bellovin/TCPIP_Security_Problems.html http://www.kb.cert.org/vuls/id/222750 http://www.insecure.org/stf/tcpip_smb.txt