Slides 6 - USC Upstate: Faculty
SCSC 455 Computer Security
Chapter 6 Network Attacks
Index
Overview of attacks
DoS & DDoS
Buffer overflow
Other attacks
Physical security
Attacks on Networks and Computers
Attack
Any attempt by an unauthorized person to access or use
network resources
Computer security
Concerned with the security of a computer, which is not
part of a network infrastructure
Network security
Concerned with the security of network resources
Common Network Attacks
Common network attacks include:
Denial-of-Service (DoS)
Distributed Denial-of-Service (DDoS)
Buffer overflow
Ping of Death
Session hijacking
Index
Overview of attacks
DoS & DDoS
Buffer overflow
Other attacks
Physical security
Denial-of-Service Attacks
Denial-of-Service (DoS) attack
Attacks do not attempt to access information
Prevents legitimate users from accessing network
resources
Cripple the network
Makes it vulnerable to other types of attacks
DoS attacks include two major types
SYN flood
Smurf attack
SYN Flood
Exploits the TCP three-way handshake
Overwhelms the server with SYN packets that carry a spoofed
source address
Inhibits server’s ability to accept new TCP
connections
[Figure: TCP three-way handshake]
Smurf Attack
The Smurf attack is a non-OS-specific attack that uses the
network to amplify its effect on the victim
Floods a host with ICMP
Saturates Internet connection with bogus traffic and
delays/prevents legitimate traffic from reaching its
destination
To prevent smurf attacks, the ISP needs to take
responsibility and filter out bogus packets
Bogus packets:
broadcast packets
packets with a fake source IP address
Not every ISP is willing to enforce the security policy
(Read article 2: The strange tale of the DoS)
Distributed Denial-of-Service (DDoS)
Attacks
A DDoS attack targets a host from multiple servers or
workstations
Network could be flooded with billions of requests
Loss of bandwidth
Degradation or loss of speed
Often participants (zombies) are not aware they are part
of the attack
Thousands of zombies are controlled by the attacker via
Trojan programs
DDoS Tools and Countermeasures
DDoS countermeasures:
• Security patches from software vendors
• Antivirus software
• Firewalls: Ingress (inbound) and egress (outbound) filtering
(details next …)
How to Prevent the Network from
Inadvertently Attacking Others
• Block any packets coming into the network destined for a broadcast address
• Block any ingress packet that uses a protocol or port that is not permissible on the Internet
  • Private IP addresses: 10.0.0.0, 172.16.0.0, 192.168.0.0
  • Multicast address space: 224.0.0.0
• Block any packets with a source address originating inside your network from entering your network
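The address rules above (and the ISP-side broadcast and fake-source filtering from the Smurf slide) as an added worked example, not code from the slides. It assumes a constructed site network of 203.0.113.0/24 and covers only the address-based rules; the protocol/port rule is not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed site network (constructed for this example): 203.0.113.0/24 */
#define SITE_NET 0xCB007100u   /* 203.0.113.0 in host order */
#define SITE_PFX 24

/* Parse dotted-quad IPv4 text into a host-order 32-bit value; 0 = malformed. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* True when ip lies inside net/prefix. */
static int in_net(uint32_t ip, uint32_t net, int prefix) {
    uint32_t mask = prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - prefix);
    return (ip & mask) == (net & mask);
}

/* Ingress rules for a packet arriving from the Internet: 1 = block, 0 = allow. */
int ingress_block(const char *src, const char *dst) {
    uint32_t s, d;
    uint32_t site_bcast = SITE_NET | (0xFFFFFFFFu >> SITE_PFX);
    if (!parse_ipv4(src, &s) || !parse_ipv4(dst, &d)) return 1;  /* malformed: drop */
    /* packets destined for a broadcast address (limited or our directed broadcast) */
    if (d == 0xFFFFFFFFu || d == site_bcast) return 1;
    /* private source addresses should never arrive from the Internet */
    if (in_net(s, 0x0A000000u, 8) ||          /* 10.0.0.0/8 */
        in_net(s, 0xAC100000u, 12) ||         /* 172.16.0.0/12 */
        in_net(s, 0xC0A80000u, 16)) return 1; /* 192.168.0.0/16 */
    /* multicast space is never a valid source address */
    if (in_net(s, 0xE0000000u, 4)) return 1;  /* 224.0.0.0/4 */
    /* anti-spoofing: a packet claiming one of our own addresses cannot come from outside */
    if (in_net(s, SITE_NET, SITE_PFX)) return 1;
    return 0;
}

/* Egress rule for a packet leaving for the Internet: only our own source
   addresses may leave, so a compromised internal host cannot take part in
   a spoofed-source flood against someone else. 1 = block, 0 = allow. */
int egress_block(const char *src) {
    uint32_t s;
    if (!parse_ipv4(src, &s)) return 1;
    return in_net(s, SITE_NET, SITE_PFX) ? 0 : 1;
}
```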
Index
Overview of attacks
DoS and DDoS
Buffer overflow
Other attacks
Physical security
Buffer Overflow Attacks
A vulnerability in poorly written code that
does not check the predefined size of an input field
Goal of a buffer overflow attack:
Overflow the buffer with executable code
The OS executes this code, elevating the attacker's permissions to those of the
Administrator
Owner of the running application
To stop software exploits
Train your programmers to develop applications with security in
mind
Stay apprised of the latest security patches provided by software
vendors
Buffer Overflow Exploits
Buffer overflow exploits are the most common cause of
Internet attacks
Over 50% of advisories published by CERT (computer
security incident report team) are caused by various
buffer overflows
Morris worm (1988): overflow in fingerd
Infected 10% of the existing Internet
CodeRed (2001): overflow in MS-IIS server
300,000 machines infected in 14 hours
SQL Slammer (2003): overflow in MS-SQL server
75,000 machines infected in 10 minutes
Memory Buffers
A buffer is a data storage area inside computer
memory (stack or heap)
Intended to hold a pre-defined amount of data
If more data is stuffed into it, it spills into adjacent
memory
If executable code is supplied as "data", the victim's machine
may be fooled into executing it
The code will self-propagate or give the attacker control over the
machine
Attack can exploit any memory operation
Pointer assignment, format strings, memory allocation
and de-allocation, function pointers, calls to library
routines via offset tables
Stack Buffers
Suppose the Web server contains this function:
void func(char *str) {
    char buf[126];       /* allocate local buffer: 126 bytes reserved on the stack */
    strcpy(buf, str);    /* copy the argument into the local buffer */
}
When this function is invoked, a new frame with
local variables is pushed onto the stack
[Figure: stack layout after func() is called. The stack grows toward the top of the stack. From the top down, func()'s frame holds buf (local variables), sfp (pointer to the previous frame), ret addr (address of the code to execute after func() finishes) and str (arguments); below that lies the frame of the calling function.]
What If Buffer is Overstuffed?
Memory pointed to by str is copied onto the stack…
void func(char *str) {
    char buf[126];
    strcpy(buf, str);    /* strcpy does NOT check whether the string at *str contains fewer than 126 characters */
}
If a string longer than 126 bytes is copied into the
buffer, it will overwrite adjacent stack locations
[Figure: the same stack after the overflow. The data written past the end of buf spills over sfp and into the return-address slot, so the bytes that land there will be interpreted as the return address; str and the frame of the calling function lie below.]
Executing Attack Code
Suppose the buffer contains an attacker-supplied string
For example, *str contains a string received from the network as
input to some network service daemon
The attacker puts actual instructions into his input string, e.g.,
the binary code of execve("/bin/sh")
In the overflow, a pointer back into the buffer appears in
the location where the system expects to find the return address
[Figure: stack after the overflow: buf now holds the attacker's code, and the ret slot holds a pointer back into buf; str and the frame of the calling function lie below.]
When the function exits, the code in the buffer will be
executed, giving the attacker a shell
The attacker gets a root shell if the victim program is SUID root
Some Issues on Buffer Overflow
Executable attack code is stored on stack, inside the buffer
containing attacker’s string
Stack memory is supposed to contain only data, but…
Overflow portion of the buffer must contain correct address of
attack code in the RET position
The value in the RET position must point to the beginning
of attack code in the buffer
Otherwise application will crash with segmentation
violation
Attacker must know or correctly guess in which stack
position his buffer will be when the function is called
The Cause: No Range Checking
strcpy does not check the input size
strcpy(buf, str) simply copies memory contents into buf
starting from *str until "\0" is encountered,
ignoring the size of the area allocated to buf
Many C library functions are unsafe
strcpy(char *dest, const char *src)
strcat(char *dest, const char *src)
gets(char *s)
scanf(const char *format, …)
printf(const char *format, …)
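The range check that strcpy lacks, shown as an added example (not code from the slides): the slide's func() rewritten so that the same 126-byte stack buffer is never written past its end. The probe() helper is an assumption added here to feed constructed inputs of a chosen length.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 126   /* same size as buf in the slide's func() */

/* Bounded replacement for strcpy(buf, str): copies str into out only if it
   fits together with its terminating '\0'. Returns 1 on success, 0 if the
   input is too long (nothing is written in that case). */
int copy_checked(char *out, size_t out_size, const char *str) {
    /* memchr looks for the terminator within out_size bytes only, so a
       missing or late terminator can never make us copy past out */
    const char *end = memchr(str, '\0', out_size);
    if (end == NULL) return 0;                   /* no '\0' in range: too long */
    memcpy(out, str, (size_t)(end - str) + 1);   /* includes the terminator */
    return 1;
}

/* Hardened version of the slide's func(): same 126-byte stack buffer, but
   oversized input is refused instead of overwriting sfp and ret addr.
   Returns the copied length, or -1 when the input was rejected. */
int func_hardened(const char *str) {
    char buf[BUF_SIZE];
    if (!copy_checked(buf, sizeof buf, str)) return -1;
    return (int)strlen(buf);
}

/* Helper (constructed for this example): call func_hardened with an input
   of n 'A' characters (n < 1024) and report what it returns. */
int probe(size_t n) {
    static char input[1024];
    if (n >= sizeof input) return -2;
    memset(input, 'A', n);
    input[n] = '\0';
    return func_hardened(input);
}
```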
Common Buffer Overflow Attacks
(details are not required)
Index
Overview of attacks
DoS and DDoS
Buffer overflow
Other attacks
Physical security
Ping of Death Attacks
Ping of death is actually a type of DoS attack
Not as common as during the late 1990s
How ping of death works
The attacker creates a large ICMP packet (more than 65,535 bytes)
The large packet is fragmented at the source network
The destination network reassembles the large packet
The destination host cannot handle the oversize packet and
crashes
Ping of Death
Ping of death uses IP packet fragmentation techniques
to crash remote systems
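The reassembly check that defeats this, as an added example (not code from the slides): an IPv4 fragment offset is a 13-bit field in units of 8 bytes, so the receiver can compute where each fragment would end in the reassembled datagram and drop any fragment that would push it past the 65,535-byte maximum before storing it. Field names and the function are assumptions of this example.

```c
#include <stdint.h>

/* Largest IPv4 datagram: the total-length field is 16 bits. */
#define IP_MAX_LEN 65535u

/* Decide whether one fragment may be stored for reassembly.
   frag_offset_units: 13-bit fragment offset field (units of 8 bytes)
   ip_total_len:      this fragment's total-length field (header + payload)
   ihl_words:         this fragment's header length field (32-bit words)
   Returns 1 = drop the fragment, 0 = accept it. */
int fragment_block(uint16_t frag_offset_units, uint16_t ip_total_len, uint16_t ihl_words) {
    if (frag_offset_units > 0x1FFF) return 1;      /* offset field is only 13 bits */
    if (ihl_words < 5 || ihl_words > 15) return 1; /* header must be 20..60 bytes */
    uint32_t hdr_len = (uint32_t)ihl_words * 4;
    if (ip_total_len < hdr_len) return 1;          /* truncated: no payload possible */
    uint32_t payload_len = ip_total_len - hdr_len;
    /* where this fragment's data ends inside the reassembled datagram */
    uint32_t end = (uint32_t)frag_offset_units * 8 + payload_len;
    /* the reassembled datagram needs its own header too; anything larger
       than 65,535 bytes can never be a legitimate IPv4 datagram */
    return hdr_len + end > IP_MAX_LEN ? 1 : 0;
}
```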
Session Hijacking
Session hijacking -- the exploitation of a valid computer session to
gain unauthorized access to information or services in a computer
system.
The HTTP session cookies used to maintain a session on many web
sites can easily be stolen by an attacker
In order that the user does not have to re-enter their username /
password on every page to maintain their session, many web sites use
session cookies: a token of information issued by the server and
returned by the user's web browser to confirm its identity.
If an attacker is able to steal this cookie, they can make
requests themselves as if they were the genuine user.
How to steal a session cookie
Sniffing
Stealing the session key by obtaining the file or memory
contents of the appropriate part of either the user's or the
server's computer
Session fixation: the attacker sets a user's session id to
one known to him, e.g. by
sending the user an email with a link that contains a particular
session id. The attacker now only has to wait until the user logs in
by clicking that link.
How to prevent session hijacking
Regenerating the session id after a successful login
prevents session fixation because the attacker does not
know the session id of the user after she has logged in.
Encryption of the session key
prevents sniffing-style attacks.
Some services make secondary checks against the
identity of the user.
E.g., a web server could check with each request made
that the IP address of the user matches the one last used
during that session.
Spoofing
Spoofing is act of falsely identifying a
packet’s IP address, MAC address, etc
Four primary spoofing types
IP address spoofing
ARP poisoning
Web spoofing
DNS spoofing
IP Address Spoofing
IP address spoofing exploits trust relationships between two hosts
It involves creating an IP packet with a forged source address
Issues on IP Address Spoofing
Three issues the attacker must solve:
• The reply message from the victim is NOT delivered to
the attacker; since the attacker is outside the LAN, it is difficult to intercept
packets
• If the impersonated host (host B in the figure) replies
to the victim machine, it could interfere with the
attacker's spoofed messages.
• In order for the victim to accept the spoofed packets,
the attacker must guess / have the correct sequence
number
ARP Poisoning
Q: What is ARP?
Address resolution protocol
ARP
The Address Resolution Protocol is used by IP, specifically IPv4, to
map IP addresses to the hardware addresses (MAC addresses) used by a data link
protocol.
ARP Poisoning
The attacker sends fake ARP messages to an Ethernet LAN.
These fake ARP messages confuse network
devices, such as network switches, poisoning their
ARP tables.
As a result, frames intended for one machine can be
mistakenly sent to another (the attacker's computer) or
to an unreachable host (a denial-of-service attack).
ARP poisoning can be used in man-in-the-middle attacks
and session hijacking attacks
Web Spoofing
Convinces the victim that he or she is visiting a real and
legitimate site
Creating a website, as a hoax, with the intention of misleading
readers into believing that the website was created by a different
organization.
Normally the website adopts the design of the target website
and sometimes has a similar URL
DNS Spoofing
A DNS server translates human-readable computer
hostnames into the IP addresses that networking
equipment needs for delivering information.
In DNS spoofing, the attacker poses as the victim's
legitimate DNS server
Directs users to a compromised server
Or redirects corporate e-mail through a hacker's server where it
can be copied or modified before the mail is sent on to its final destination
How To Thwart Spoofing Attacks
Prevent IP spoofing
Disable source routing on all internal routers
Source routing allows the sender of a packet to specify the route the
packet takes through the network.
Filter out packets entering the local network from the Internet that
have a source address of the local network
Prevent ARP poisoning
Use static ARP records.
Use tools that watch the local ARP cache and report to
the administrator if anything unusual happens.
Prevent Web spoofing
Educate users
Prevent DNS spoofing
Thoroughly secure DNS servers
Man-in-the-Middle Attack
A man-in-the-middle attack is a class of attacks in which the attacker
places himself between two communicating hosts and listens in on their
session
It is a general form of attack
It can be executed by different methods:
ARP poisoning
ICMP redirects
DNS poisoning
Index
Overview of attacks
DoS and DDoS
Buffer overflow
Other attacks
Physical security
Physical security
Physical security is as important as network or computer
security
Protecting a network also requires physical security
Inside attacks are more likely than attacks from outside the
company
Locks
Choose hard-to-pick locks
Security cards
Keyloggers
Software-based
Hardware-based
Behind Locked Doors
Lock up your servers
The average person can pick deadbolt locks in less than
five minutes, after only a week or two of practice
Experienced hackers can pick deadbolt locks in under
30 seconds
Rotary locks are harder to pick
Keep a log of who enters and leaves the room
Security cards can be used instead of keys for
better security
Keyloggers
Keyloggers are used to capture
keystrokes on a computer
Software keyloggers
Behave like Trojan programs
Hardware keyloggers
Easy to install
Go between the keyboard and the
CPU
Examples: KeyKatcher and KeyGhost
[Figure: an email message captured by KeyKatcher]