MIS4850Class9

Targeted Break-in, DoS,
& Malware attacks (II)
(February 22, 2016)
© Abdou Illia – Spring 2016
Learning Objectives
 Discuss DoS attacks
 Discuss Malware attacks
Denial of Service Attacks

TCP opening and DoS

[Figure: Computers 1, 2, 3, ... each complete a SYN, SYN/ACK, ACK handshake with the server; after each handshake the server sits "waiting for request from Computer n".]

 For each TCP connection request (SYN), the server has to:
  Respond to the request with a SYN/ACK
  Set resources aside (connection state, memory) in order to respond to each data request
Web Server configuration

[Figure: the web server's hardware. Intel Pentium 4 540 (3 GHz), 512 MB SDRAM, 2 x 100 GB SATA HDD, 16x CD drive, Gateway 3-button mouse, Gateway 108 keyboard, SVGA graphics card]

Denial of Service (DoS)

[Figure: the attacker's home network and several legitimate users' workstations reach the web server over the Internet, through a router and a hub. The legitimate users' workstations send ordinary HTTP requests; the attacker's workstations send a stream of HTTP requests. Caption: "All workstations use IP spoofing to send HTTP requests to the web server."]

(Caveat: an HTTP request can only be carried over an established TCP connection, and a spoofed source address cannot complete the three-way handshake. IP spoofing is practical for the SYN stage of the attack, not for complete HTTP requests.)

 What resources would the web server use to respond to each of the HTTP requests it receives?
 What could be the consequences of the web server being flooded with too many requests from the attacker?
Denial of Service (DoS) Attack
 Attack that makes a computer's resources unavailable to legitimate users
 Types of DoS attacks:
  Single-message DoS
  Flooding DoS
  Distributed DoS
Single-message DoS attacks
 First kind of DoS attacks to appear
 Exploit weaknesses in the coding of operating systems and network applications
 Three main single-message DoS attacks:
  Ping-of-Death
  Teardrop
  LAND attack
Ping of Death attacks

[Figure: IPv4 header fields Total Length (16 bits), Flags (3 bits) and Fragment Offset (13 bits). Fragment Offset gives the position of this fragment's data within the original datagram, in 8-byte units; Flags carries the Don't Fragment and More Fragments bits.]

 Take advantage of
  The fact that IP allows large packets to be fragmented
  Some network applications' and operating systems' inability to handle packets larger than 65,535 bytes (the largest value the 16-bit Total Length field can hold)
 Attacker sends, through IP fragmentation, a packet whose reassembled size exceeds 65,535 bytes, overflowing the fixed-size reassembly buffer on a vulnerable host.
 Ping of death attacks are rare today, as most operating systems have been fixed to prevent this type of attack from occurring.
 Example of PoD code and vulnerable operating systems:
  http://insecure.org/sploits/ping-o-death.html
 Fix
  Add checks in the reassembly process, or in a firewall, to protect hosts whose bug is not fixed
  Check: for every fragment, Fragment Offset x 8 + fragment data length (plus the 20-byte IP header) must not exceed 65,535 bytes, i.e. the reassembled datagram must still fit in the 16-bit Total Length field
Teardrop attacks

[Figure: the same IPv4 header fields: Total Length (16 bits), Flags, Fragment Offset (13 bits).]

 Take advantage of IP fragmentation
 Attacker sends a pretend fragmented IP packet
 But the Fragment Offset values are not consistent: fragments overlap, or the packet can never be completed
 Earlier operating systems* and poorly coded network applications crash because
  the reassembly code miscomputes fragment lengths from the overlapping offsets, or the packet cannot be reassembled because fragments are missing

[Figure: the attacker sends the victim a "pretend fragmented IP packet" made of Frag 1, Frag 2 and Frag 4; Frag 3 never arrives.]

* Win 3.1, Win 95, Win NT, and Linux prior to 2.1.63
LAND attacks
 First appeared in 1997
 Attacker uses IP spoofing, with
  the source and destination addresses (and ports) both referring to the target itself
 Back then, operating systems and routers were not designed to deal with this kind of loopback: the target ends up answering itself and can hang
 The problem resurfaced more recently in Windows XP and Windows Server 2003
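The checks the three single-message attacks above call for, as an added example that is not part of the original lecture notes or of the ping-o-death page it links: a small IPv4 header parser, the reassembly sanity checks a fixed host or a firewall would apply (oversize reassembled datagram for Ping of Death, overlapping or missing fragments for Teardrop), and the source-equals-destination check for LAND. Every packet is constructed in memory; the addresses (RFC 5737 documentation ranges) and the 1480-byte fragment size are assumptions for illustration, and the parser ignores IP options.

```python
# Added example (not from the original lecture or the ping-o-death page it
# links): parse raw IPv4 headers and apply the checks a fixed reassembler
# or firewall would run against Ping of Death, Teardrop and LAND packets.
# All packets below are constructed in memory; nothing is sent on a network.
import struct
from dataclasses import dataclass
from typing import List

IP_MAX_DATAGRAM = 65535  # Total Length is 16 bits, so no IPv4 datagram may be larger
FLAG_MF = 0b001          # "More Fragments" bit of the 3-bit Flags field


@dataclass
class Ipv4Header:
    header_len: int    # IHL * 4, in bytes
    total_length: int  # header + data of this fragment
    flags: int         # 3-bit Flags field
    frag_offset: int   # 13-bit Fragment Offset, in 8-byte units
    src: str
    dst: str

    @property
    def data_start(self) -> int:  # byte position of this fragment's data in the reassembled datagram
        return self.frag_offset * 8

    @property
    def data_end(self) -> int:
        return self.data_start + self.total_length - self.header_len


def parse_ipv4_header(raw: bytes) -> Ipv4Header:
    """Decode the fixed 20-byte IPv4 header (options are skipped)."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_length, _ident, flags_frag,
     _ttl, _proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return Ipv4Header(header_len=(ver_ihl & 0x0F) * 4, total_length=total_length,
                      flags=flags_frag >> 13,            # top 3 bits
                      frag_offset=flags_frag & 0x1FFF,   # low 13 bits
                      src=".".join(str(b) for b in src),
                      dst=".".join(str(b) for b in dst))


def check_land(h: Ipv4Header) -> List[str]:
    """LAND: a packet arriving from the network with source == destination is forged."""
    return ["land: source address equals destination address"] if h.src == h.dst else []


def check_fragments(fragments: List[Ipv4Header]) -> List[str]:
    """Sanity checks on one reassembly queue (all fragments of one IP ID).
    Returns the problems found; an empty list means the set can be reassembled."""
    problems = []
    frags = sorted(fragments, key=lambda h: h.data_start)
    covered = 0  # bytes of the original datagram seen so far, in order
    for h in frags:
        # Ping of Death: 20-byte header + data must still fit in the 16-bit Total Length
        if 20 + h.data_end > IP_MAX_DATAGRAM:
            problems.append(f"oversize: data ends at byte {h.data_end}, "
                            f"reassembled datagram exceeds {IP_MAX_DATAGRAM}")
        # Teardrop: inconsistent offsets -- a fragment that overlaps data already
        # covered, carries no data, or leaves a hole that a later fragment never fills
        if h.data_end <= h.data_start:
            problems.append(f"empty fragment at offset {h.data_start}")
        elif h.data_start < covered:
            problems.append(f"overlap: fragment at {h.data_start} overlaps data up to {covered}")
        elif h.data_start > covered:
            problems.append(f"hole: no data between bytes {covered} and {h.data_start}")
        covered = max(covered, h.data_end)
    if frags and frags[-1].flags & FLAG_MF:
        problems.append("incomplete: last fragment still has More Fragments set")
    return problems


# --- constructed test packets (hypothetical addresses from RFC 5737 ranges) ---
def make_header(total_length: int, flags: int, frag_offset: int,
                src: str = "192.0.2.10", dst: str = "198.51.100.20") -> bytes:
    """Build a raw 20-byte IPv4 header; checksum left zero since it is never transmitted."""
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 1,
                       (flags << 13) | frag_offset, 64, 1, 0, ip(src), ip(dst))


def fragment_set(data_len: int, mtu_data: int = 1480) -> List[Ipv4Header]:
    """Headers of a datagram carrying data_len bytes, fragmented the way a router would."""
    frags, offset = [], 0
    while offset < data_len:
        chunk = min(mtu_data, data_len - offset)
        more = FLAG_MF if offset + chunk < data_len else 0
        frags.append(parse_ipv4_header(make_header(20 + chunk, more, offset // 8)))
        offset += chunk
    return frags


if __name__ == "__main__":
    print("normal 3000-byte ping:", check_fragments(fragment_set(3000)))
    print("ping of death (65518 data bytes):", check_fragments(fragment_set(65518)))
    teardrop = [parse_ipv4_header(make_header(56, FLAG_MF, 0)),  # data bytes 0..36
                parse_ipv4_header(make_header(24, 0, 3))]        # data bytes 24..28, inside the first
    print("teardrop:", check_fragments(teardrop))
    print("land:", check_land(parse_ipv4_header(make_header(40, 0, 0, "198.51.100.20", "198.51.100.20"))))
```

The 65518-byte case mirrors the classic `ping -l 65510`: 8 bytes of ICMP header plus 65510 bytes of data fit in the fragments individually, and only the reassembled size (20 + 65518) breaks the 16-bit limit, which is why the check has to happen in the reassembler rather than on each fragment. A firewall applying these checks should drop the whole queue, not just the offending fragment, since the earlier fragments have already consumed reassembly memory on the host.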
Summary Questions 1
 Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability?
 Which of the following DoS attacks takes advantage of IP fragmentation?
  a) LAND attack
  b) Teardrop
  c) Ping of Death
  d) None of the above
 In which of the following DoS attacks does the attacker make use of IP spoofing?
  a) LAND attack
  b) Teardrop
  c) Ping of Death
  d) None of the above
Flooding DoS Attacks
 Flood a target with a series of messages in an attempt to make it crash or exhaust its resources
 Main types of flooding DoS attacks:
  Flooding with regular requests
  SYN flooding
  Smurf flooding
  Distributed DoS
Flooding with regular requests
 Open cmd and type: ping /?
 Show the -l option (it sets the size of the echo request payload)
 Show the following video about using ping -l in a possible attempt to flood the allrecipes.com website.
  YouTube: How To DOS a Website
 Another flooding attack
  DoS using Low Orbit Ion Cannon
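What a flood of "regular requests" looks like from the server side, as an added example that is not part of the original lecture notes: a sliding-window rate detector run over constructed web server access-log lines. The log format follows the common Apache/nginx "combined" layout, the addresses are from the RFC 5737 documentation ranges, and the window and threshold are assumptions to be tuned per site. The per-source count catches a single flooding workstation (the LOIC-style HTTP flood above); the "*" total is there because a distributed flood can keep every individual source under the per-IP threshold.

```python
# Added example (not from the original lecture): rate-based detection of an
# HTTP request flood in a web server's access log. The log lines are
# constructed here to look like an Apache/nginx "combined" log; the addresses
# are hypothetical (RFC 5737 documentation ranges).
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (client_ip, timestamp, request_line), or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def peak_rates(lines: Iterable[str], window: timedelta = timedelta(seconds=10)) -> Dict[str, int]:
    """Peak number of requests seen inside any `window` for each client IP, plus the
    peak across all clients under the key "*" (this is what catches a distributed
    flood in which every bot individually stays under the per-IP threshold).
    Assumes the log is in time order, as a server writes it."""
    recent: Dict[str, deque] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _req = parsed
        for key in (ip, "*"):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # slide the window forward
                q.popleft()
            peak[key] = max(peak[key], len(q))
    return dict(peak)


def flood_sources(lines: Iterable[str], threshold: int = 20,
                  window: timedelta = timedelta(seconds=10)) -> Dict[str, int]:
    """Client IPs whose peak request rate exceeded `threshold` requests per `window`."""
    return {ip: n for ip, n in peak_rates(lines, window).items() if ip != "*" and n > threshold}


def build_sample_log() -> List[str]:
    """Constructed log: two legitimate users browsing (one request every 3 s each)
    and one attacker sending 5 requests per second for 10 seconds."""
    t0 = datetime(2016, 2, 22, 10, 0, 0, tzinfo=timezone.utc)
    fmt = lambda ip, t, path: f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 5120'
    events = []
    for i in range(10):
        events.append((3 * i, "192.0.2.10", f"/recipe/{i}"))
        events.append((3 * i + 1, "192.0.2.11", "/search?q=pie"))
    for i in range(50):
        events.append((i // 5, "203.0.113.7", "/"))
    events.sort(key=lambda e: e[0])  # access logs are written in time order
    lines = [fmt(ip, t0 + timedelta(seconds=s), path) for s, ip, path in events]
    lines.insert(0, "not a log line")  # parse_line must skip junk without crashing
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("peak requests per 10 s:", peak_rates(log))
    print("flooding sources:", flood_sources(log))
```

Because an HTTP request rides on a completed TCP handshake, the client address in the log is genuine, which is what makes per-source blocking workable here (unlike a SYN flood with spoofed sources). The caveat is that many users share one address behind NAT or a proxy, so a per-IP threshold that is too low will block legitimate users, and a flood spread over enough sources only shows up in the aggregate rate.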
SYN Flooding
 Attacker sends a series of TCP SYN opening requests, typically with spoofed source addresses so that no ACK ever completes the handshake
 For each SYN, the target has to
  Send back a SYN/ACK segment, and
  set aside memory and other resources (a half-open connection entry) to respond
 When overwhelmed, the target slows down or even crashes; once its half-open queue is full, new legitimate SYNs are refused
 SYN flooding takes advantage of client/server workload asymmetry: a SYN is nearly free to send, but costs the server state

[Figure: the attacker sends a stream of SYN segments to the victim.]
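The handshake bookkeeping from the "TCP opening and DoS" slide and the asymmetry SYN flooding exploits, as an added example that is not part of the original lecture notes: a toy model of a listener with a fixed half-open queue that a flood of spoofed SYNs fills up, next to a SYN-cookie listener that stores nothing per SYN because its initial sequence number is an HMAC the client must echo back. The backlog size, the addresses (RFC 5737 ranges), the minute counter and the cookie bit layout are assumptions for illustration; real SYN cookies also encode the client's MSS in the low bits.

```python
# Added example (not from the original lecture): a toy model of a TCP listener
# under SYN flood, first with a classic fixed-size half-open queue and then
# with SYN cookies, which let the server answer every SYN without storing
# state until the client proves it completed the handshake. Addresses, the
# backlog size and the cookie layout are assumptions for illustration; a real
# SYN cookie also encodes the client's MSS in the low bits.
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class NaiveListener:
    """Classic listener: every SYN costs a half-open entry until the ACK arrives."""

    def __init__(self, backlog: int = 128):
        self.backlog = backlog
        self.half_open: Dict[Endpoint, int] = {}  # client -> server ISN we sent
        self.established: Set[Endpoint] = set()
        self.dropped = 0

    def on_syn(self, client: Endpoint, client_isn: int) -> Optional[int]:
        if len(self.half_open) >= self.backlog:
            self.dropped += 1  # queue full: this SYN (legitimate or not) is refused
            return None
        server_isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[client] = server_isn
        return server_isn  # goes out in the SYN/ACK

    def on_ack(self, client: Endpoint, ack_num: int) -> bool:
        isn = self.half_open.get(client)
        if isn is None or ack_num != (isn + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


class CookieListener:
    """SYN-cookie listener: the server ISN is an HMAC over the connection 4-tuple,
    the client ISN and a coarse time counter, so nothing is stored per SYN."""

    def __init__(self, server: Endpoint = ("198.51.100.20", 80)):
        self.server = server
        self.secret = os.urandom(16)
        self.established: Set[Endpoint] = set()

    def cookie(self, client: Endpoint, client_isn: int, counter: int) -> int:
        msg = f"{client[0]}:{client[1]}:{self.server[0]}:{self.server[1]}:{client_isn}:{counter}".encode()
        mac = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        # 32-bit ISN = 5 bits of counter (so we know which period to verify against)
        #            + 27 bits of truncated MAC
        return ((counter & 0x1F) << 27) | (mac & 0x07FFFFFF)

    def on_syn(self, client: Endpoint, client_isn: int, counter: int) -> int:
        return self.cookie(client, client_isn, counter)  # no state kept at all

    def on_ack(self, client: Endpoint, client_isn: int, ack_num: int, counter: int) -> bool:
        isn = (ack_num - 1) & 0xFFFFFFFF
        for back in range(2):  # accept cookies minted in this or the previous period
            c = counter - back
            if (c & 0x1F) == isn >> 27 and self.cookie(client, client_isn, c) == isn:
                self.established.add(client)
                return True
        return False


def flood(listener, syns: int, *extra) -> None:
    """Spoofed-source SYNs that will never be followed by an ACK."""
    for i in range(syns):
        listener.on_syn((f"203.0.113.{i % 250}", 40000 + i), i, *extra)


def naive_refuses_legit_after_flood(syns: int = 1000) -> bool:
    """True if a legitimate client's SYN is dropped once the backlog is full."""
    srv = NaiveListener(backlog=128)
    flood(srv, syns)
    return srv.on_syn(("192.0.2.10", 51000), 7) is None


def cookies_accept_legit_after_flood(syns: int = 1000) -> bool:
    """True if the legitimate client still gets through under the same flood."""
    srv = CookieListener()
    now = 42  # hypothetical minute counter
    flood(srv, syns, now)
    client, client_isn = ("192.0.2.10", 51000), 7
    server_isn = srv.on_syn(client, client_isn, now)
    return srv.on_ack(client, client_isn, (server_isn + 1) & 0xFFFFFFFF, now)


def cookies_reject_forged_ack() -> bool:
    """True if an ACK whose number was guessed rather than received is rejected."""
    srv = CookieListener()
    return not srv.on_ack(("192.0.2.10", 51000), 7, 12345, 42)


if __name__ == "__main__":
    print("naive listener refuses legit SYN after flood:", naive_refuses_legit_after_flood())
    print("cookie listener still accepts legit client:", cookies_accept_legit_after_flood())
    print("cookie listener rejects forged ACK:", cookies_reject_forged_ack())
```

The point of the cookie variant is that the spoofed sources never answer, so they never cost the server anything; a client that does answer must have received the SYN/ACK at the address it claimed, which is exactly the proof the naive listener was paying memory to wait for. The price is that the server cannot remember the TCP options from the SYN, which is why production kernels only switch to cookies once the half-open queue is full.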
Smurf Flooding DoS
 Attacker uses IP spoofing
 Attacker sends ping / ICMP echo request messages to third-party computers (a network's broadcast address) with the source address forged to be the target's
 All third-party computers respond to the target, which receives one reply for every host that answered: a single spoofed request is amplified into many replies
Distributed DoS (DDoS) Attack
 Attacker hacks into multiple clients and plants handler programs on them. Clients become bots or intermediaries
 Attacker sends attack commands to the handlers, which execute the attacks
 Became widely known in 2000 with the Mafiaboy attack against cnn.com, ebay.com, etrade.com, yahoo.com, etc.

[Figure: the attacker sends an Attack Command to a Handler, which relays Attack Commands to the Bots; the bots send DoS Messages to the Server.]

 Link to how to deal with DDoS (by Cisco)
[Figure slides: Distributed DoS (DDoS) Attack, two diagram-only slides]
A DoS story:
 Spamhaus was the victim of a DDoS attack in 2013
 The following video discusses how the attack was launched and how it was stopped
  The Spamhaus attack video
Summary Questions 2
 Describe SYN flooding.
 Describe Smurf flooding.
 What is a DDoS attack?
 What is a handler program?
Malware Attacks

Malware attacks
 Types of malware:
  Viruses
  Worms
  Trojan horses
  Logic bombs
Virus
 Code/program (script, macro) that:
  attaches itself to files
  spreads through user actions (floppy disk, flash drive, opening an email attachment, IRC, FTP, etc.), not by itself
 Symptoms:
  Annoying actions when the virus is executed: hogging memory, crashing the system, drives becoming inaccessible, antivirus disabled, etc.
  Destructive actions when executed: deleting files, altering files, etc.
Viruses
 Could be
  Boot sector viruses: infect the boot sector (or master boot record) of a disk, so they run before the operating system loads
  File infector viruses: attach themselves to files (i.e. program files and user files)
  Polymorphic viruses: mutate with every infection (using encryption techniques, with a different key each time), making them hard to locate by signature
  Metamorphic viruses: rewrite themselves completely each time they infect a new executable*
  Stealth viruses: hide by intercepting disk access requests from antivirus programs. The stealth virus returns an uninfected version of the files to the antivirus software, so that infected files seem "clean".

[Figure: the antivirus program's disk read request is intercepted by the stealth virus, which sits between the antivirus and the OS and answers with clean file contents.]

* a metamorphic engine is needed
Worm
 Does not attach to files
 A self-replicating computer program that propagates across systems and networks
 Uses a host computer's resources and network connections to transfer a copy of itself to other computers, without user action
 Harms the host computer by consuming processing time and memory
 Harms the network by consuming bandwidth

Question: Distinguish between viruses and worms
Trojan horse
 A computer program
  that appears to be a useful program, like a game, a screen saver, etc.
  but is really designed to damage or take control of the host computer
 When executed, a Trojan horse could
  Format disks
  Delete files
  Open TCP ports to allow a remote computer to take control of the host computer (a back door)
 NetBus and SubSeven used to be attackers' favorite programs for remote control of targets

[Figure: screenshot of the NetBus client interface]
Logic bomb
 Piece of malicious code intentionally inserted into a software system
 The bomb is set to run when a certain condition is met:
  Passing of a specified date/time
  Deletion of a specific record in a database
 Example: a programmer could insert a logic bomb that functions as follows:
  Scan the payroll records each day.
  If the programmer's name is removed from the payroll, then the logic bomb destroys vital files weeks or months after the name's removal.
Summary Questions 3
 Distinguish between a virus and a worm
 What kind of malware is a malicious program that could allow an attacker to take control of a target computer?
 What kind of malware could harm a host computer by consuming processor time and random access memory?