buffer overflow


Denial of Service Attacks

Denial of service (DoS)
- Too many requests for a particular web site "clog the pipe" so that no one else can access the site.
- Possible impacts: may reboot your computer; slows computers down; certain sites and applications become inaccessible. In short: you are off.
What is a Denial of Service Attack?
• "Attack in which the primary goal is to deny the victim(s) access to a particular resource."
• A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.
Case 1: Code Red
• Exploited a buffer overflow in Microsoft IIS
• Several different versions
• Date-based behaviour (day of the month):
  – 1st to 19th: attempted to infect random IPs
  – 20th to 28th: attacked whitehouse.gov
  – After the 28th: dormant
• At its peak more than 2,000 new hosts were infected each minute
Case 2: Sapphire/Slammer
• Fastest-spreading worm seen up to that time (January 2003)
• Exploited a buffer overflow in Microsoft SQL Server; the whole worm was a single 376-byte UDP packet
• Used UDP instead of TCP
  – Allowed faster spread: no handshake, no response needed
  – Limited only by bandwidth
• Problems affected customers, e.g. automatic cash machines (ATMs)
How to take down a restaurant
[Figure, three panels. Saboteur to restauranteur: "Table for four at 8 o'clock. Name of Mr. Smith." Restauranteur: "O.K., Mr. Smith." The saboteur keeps booking tables he will never use, until the restauranteur has to turn real customers away: "No More Tables!"]
Categories of DoS attack
• Bandwidth attacks
• Protocol exceptions
• Logic attacks
Bandwidth attacks
• A bandwidth attack is the oldest and most common DoS attack. The attacker saturates a network with data traffic. A vulnerable system or network cannot handle the volume of traffic sent to it and crashes or slows down, denying legitimate users access.
Protocol exceptions
• A protocol attack is a trickier approach, but it is becoming quite popular. Here the attacker sends traffic in a way the target system never expected: malformed, oversized or overlapping packets that the protocol implementation does not handle correctly.
Logic attacks
• The third type is a logic attack. This is the most advanced type because it requires a sophisticated understanding of networking: instead of overwhelming the target with volume, it triggers a flaw in the target's protocol implementation or application logic, so a handful of crafted packets can be enough.
Samples
• Ping of Death
• Smurf & Fraggle
• Land attack
• Synchronous (SYN) flooding
PING OF DEATH
A Ping of Death attack uses Internet Control Message Protocol (ICMP) ping messages. Ping is used to see whether a host is active on a network and is a valuable tool for troubleshooting and diagnosing network problems. As the following picture shows, a normal ping consists of two messages: an ICMP echo request and an ICMP echo reply.
BUT
• With a Ping of Death attack, an echo request is sent that is larger than the maximum IP datagram size of 65,535 bytes. The packet is broken into fragments in transit, but when the receiver reassembles them the result is larger than its reassembly buffer. Systems that cannot handle this abnormality either crash or reboot.
• The slide's Linux command for this was ping -f -s 65537. Note that this is historical: current ping implementations reject payload sizes above 65,507 bytes (65,535 minus the 20-byte IP and 8-byte ICMP headers), and patched stacks discard oversized reassemblies.
• Note the use of the -f (flood) switch, which causes packets to be sent as fast as possible (and requires root). Often the cause of a DoS is not just the size or amount of traffic, but the rate at which packets are sent to the target.
Tools: Jolt, SPing, ICMP Bug, IceNewk
Smurf and Fraggle
A Smurf attack is another DoS attack that uses ICMP. Here an echo request is sent to a network broadcast address with the target as the spoofed source. Every host that receives the echo request sends an echo reply to the target, so one request is amplified into replies from the whole network. Sending multiple Smurf attacks at a single target in a distributed fashion may succeed in crashing it.
• If a broadcast ping cannot be sent to the target's own network, a Smurf amplifier is used: a network that accepts broadcast pings from the attacker and sends the ping responses to the target host on a different network. Nmap can detect whether a network can be used as a Smurf amplifier.
• A variation of the Smurf attack is the Fraggle attack, which uses User Datagram Protocol (UDP) instead of ICMP. Fraggle attacks use the CHARGEN and ECHO services on UDP ports 19 and 7. Both behave much like ICMP ping: they answer any requesting host (ECHO returns the datagram, CHARGEN returns a stream of characters), so a spoofed request to a broadcast address draws replies from every host running them.
LAND Attack
• In a LAND attack, a TCP SYN packet is sent with the same source and destination address and port number. When a host receives this abnormal traffic, it often either slows down or comes to a complete halt as it tries to initiate communication with itself in an infinite loop. Although this is an old attack (first reported in 1997), both Windows XP with Service Pack 2 and Windows Server 2003 were found to be vulnerable to it.
hping can be used to craft packets with the same spoofed source and destination address.
LAND Attack
• When the victim is in the SYN_RECEIVED state it is waiting to receive a SYN/ACK packet, whereas what it receives is an ACK.
[Figure: the attacker's SYN puts the victim in SYN_RECEIVED; it waits for a SYN/ACK, but the next packet it gets is an ACK, not the expected reply.]
LAND Attack
• When the victim receives the SYN it updates the sequence number and sends an ACK; it then receives a packet with the same sequence number and sends it back with the same sequence number for the sender to correct.
• Because the sequence number is never updated, the victim falls into an infinite loop!
(Security in Computer Networks, Dr. Behrouz Tork Ladani, 1386)
[Figure: the victim sends SN=x, then SN=y; SN=y comes straight back with an ACK; it waits for an updated SN that never arrives.]
Synchronous flood (SYN flood)
• A SYN flood is one of the oldest and yet still most effective DoS attacks. As a review of the three-way handshake: TCP communication begins with a SYN, a SYN-ACK response, and then an ACK response. When the handshake is complete, traffic flows between the two hosts.
Synchronous flood
• With a SYN flood these rules are violated. Instead of the normal three-way handshake, the attacker sends a flood of packets with the SYN flag set, usually from spoofed addresses, and never responds when the target sends a SYN-ACK. The target's TCP/IP stack keeps each half-open (embryonic) session for a timeout before dropping it, and a host can maintain only a limited number of them at any given time. Once those are used up, the SYN_RECEIVED queue is full and no new connections can be accepted until half-open sessions are cleared out, which means no users can communicate with the host while the attack is active. SYN packets arrive so rapidly that as soon as one half-open session is cleared, another SYN fills the slot again.
Synchronous flood
• SYN floods are still successful today for three
reasons:
1) SYN packets are part of normal, everyday traffic, so it is
difficult for devices to filter this type of attack.
2) SYN packets do not require a lot of bandwidth to launch an
attack because they are relatively small.
3) SYN packets can be spoofed because no response needs to
be given back to the target. As a result, you can choose
random IP addresses to launch the attack, making filtering
difficult for security administrators.
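The queue exhaustion described above, as an added example that is not part of the original slides: a simulated listener with a bounded SYN_RECEIVED queue is hit by spoofed SYNs that never complete the handshake, after which a legitimate client is turned away, while a second listener using SYN cookies (the stateless defence, not on the slides) stores nothing per SYN and still accepts the legitimate ACK. The backlog size, the timeout, the cookie layout and the secret are assumed values; no packets are sent.

```python
"""Simulated TCP listener: half-open queue exhaustion versus SYN cookies.

Added example, not code from the original slides.  The "network" is a
sequence of constructed on_syn/on_ack calls; nothing touches a socket.
"""
import hashlib
import hmac
import random
from collections import OrderedDict

BACKLOG = 128        # assumed size of the SYN_RECEIVED (half-open) queue
SYN_TIMEOUT = 30     # assumed seconds a half-open entry lives before being dropped


class ClassicListener:
    """Keeps one queue entry per SYN until its ACK arrives or it times out."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = OrderedDict()   # (src, sport) -> (arrival time, our ISN)
        self.established = set()

    def _expire(self, now):
        for key, (t, _) in list(self.half_open.items()):
            if now - t > SYN_TIMEOUT:
                del self.half_open[key]

    def on_syn(self, src, sport, now):
        """Return the ISN sent in our SYN-ACK, or None if the queue is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return None                  # queue full: the SYN is silently dropped
        isn = random.getrandbits(32)
        self.half_open[(src, sport)] = (now, isn)
        return isn

    def on_ack(self, src, sport, ack, now):
        self._expire(now)
        entry = self.half_open.get((src, sport))
        if entry is None or ack != (entry[1] + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[(src, sport)]
        self.established.add((src, sport))
        return True


class CookieListener:
    """Stateless variant: the ISN is a keyed hash of the connection tuple and
    a coarse time counter, so a SYN whose ACK never comes costs no memory.
    Assumed layout: top 8 bits = time counter, low 24 bits = truncated HMAC."""

    def __init__(self, secret=b"constructed-secret"):
        self.secret = secret
        self.established = set()

    def _mac(self, src, sport, counter):
        msg = f"{src}:{sport}:{counter}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def on_syn(self, src, sport, now):
        counter = (int(now) // 64) & 0xFF
        return (counter << 24) | self._mac(src, sport, counter)

    def on_ack(self, src, sport, ack, now):
        isn = (ack - 1) & 0xFFFFFFFF               # the client ACKs our ISN + 1
        counter = isn >> 24
        if ((int(now) // 64) - counter) & 0xFF > 1:  # cookie older than ~2 minutes
            return False
        if isn & 0xFFFFFF != self._mac(src, sport, counter):
            return False                           # forged or replayed ACK
        self.established.add((src, sport))
        return True


def run_flood(listener, n_spoofed=1000, now=100.0):
    """Send n spoofed SYNs that are never ACKed, then one legitimate handshake.
    Returns True if the legitimate client ends up connected."""
    rng = random.Random(1)
    for _ in range(n_spoofed):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        listener.on_syn(src, rng.randrange(1024, 65535), now)
    isn = listener.on_syn("192.0.2.10", 40000, now + 1)
    if isn is None:
        return False
    return listener.on_ack("192.0.2.10", 40000, (isn + 1) & 0xFFFFFFFF, now + 1)


if __name__ == "__main__":
    print("classic listener survives flood:", run_flood(ClassicListener()))
    print("cookie listener survives flood:", run_flood(CookieListener()))
```

The classic listener recovers only once the flood stops for longer than SYN_TIMEOUT, which is exactly the window the slide says the attacker never grants; the cookie listener pays a hash per SYN and per ACK instead of queue memory, and rejects stale or forged ACKs.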
Return to our Restaurant
[Figure: the client says "TCP connection, please."; the server answers "O.K. Please send ack."; the client says "O.K." but the ack never arrives, and the half-open entry stays in the server's buffer.]
IP Packet options
• In this method some of the packet's optional fields are changed at random and the resulting packet is sent to the victim.
• The quality-of-service bits are set to one.
• This drives up CPU processing time on the victim.
Tear drop
• In this attack the IP packet is split, through deliberately wrong fragmentation, into fragments that overlap.
• The victim cannot reassemble the packet from its fragments.
• It makes the system show the "blue screen of death", so it has to be rebooted.
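The two reassembly failures on these slides, Ping of Death (a datagram that reassembles to more than the 16-bit length field allows) and Teardrop (fragments that overlap), as an added example that is not part of the original slides: a fragment reassembler that performs the checks the vulnerable stacks lacked, run over constructed fragment sets. Fragments are tuples of (offset in 8-byte units, more-fragments flag, payload) built in the script; no real packets are parsed.

```python
"""IP fragment reassembly with the sanity checks that Ping of Death and
Teardrop exploited the absence of.

Added example, not code from the original slides.  A fragment is a
constructed tuple (offset, more_fragments, data): `offset` is in 8-byte
units as in the IP header, `data` is the payload after the IP header.
"""

IP_HEADER_LEN = 20
MAX_DATAGRAM = 65535                      # 16-bit IP total-length field
MAX_DATA = MAX_DATAGRAM - IP_HEADER_LEN   # payload a datagram with a minimal header can carry


class FragmentError(ValueError):
    """Raised when a fragment set cannot be reassembled safely."""


def fragment(data, mtu_payload=1480):
    """Split `data` into (offset, more, chunk) tuples the way a sender would.
    `mtu_payload` must be a multiple of 8 (1480 = 1500-byte MTU minus IP header)."""
    assert mtu_payload % 8 == 0
    frags = []
    for start in range(0, len(data), mtu_payload):
        chunk = data[start:start + mtu_payload]
        more = start + len(chunk) < len(data)
        frags.append((start // 8, more, chunk))
    return frags


def reassemble(fragments):
    """Rebuild the datagram payload or raise FragmentError.

    Check 1 (Ping of Death): no fragment may end beyond MAX_DATA; a stack that
    skipped this wrote past its fixed-size reassembly buffer.
    Check 2 (Teardrop): no fragment may cover bytes already received; old
    stacks derived a negative length here and copied from the wrong place.
    Check 3: the datagram must be complete before it is handed up.
    """
    buf = bytearray(MAX_DATA)
    filled = bytearray(MAX_DATA)           # 1 where a byte has been received
    total = None
    for offset, more, data in sorted(fragments, key=lambda f: f[0]):
        start, end = offset * 8, offset * 8 + len(data)
        if end > MAX_DATA:
            raise FragmentError(f"fragment ends at {end} > {MAX_DATA}: oversized datagram (Ping of Death)")
        if any(filled[start:end]):
            raise FragmentError(f"fragment [{start}, {end}) overlaps received data (Teardrop)")
        if more and len(data) % 8:
            raise FragmentError("non-final fragment length is not a multiple of 8")
        buf[start:end] = data
        filled[start:end] = b"\x01" * (end - start)
        if not more:
            if total is not None:
                raise FragmentError("more than one final fragment")
            total = end
    if total is None:
        raise FragmentError("final fragment not received")
    if not all(filled[:total]):
        raise FragmentError("hole in datagram")
    return bytes(buf[:total])


# Constructed inputs.  An ICMP echo request is an 8-byte ICMP header plus payload.
ICMP_ECHO_HEADER = bytes([8, 0, 0, 0, 0, 1, 0, 1])            # type 8, code 0, checksum left as 0
NORMAL_PING = fragment(ICMP_ECHO_HEADER + b"\x00" * 1472)     # fits one 1500-byte frame
PING_OF_DEATH = fragment(ICMP_ECHO_HEADER + b"\x00" * 65510)  # 65518 bytes of data > MAX_DATA
TEARDROP = [(0, True, b"\x00" * 24), (1, False, b"\x00" * 24)]  # 2nd fragment starts inside the 1st


def classify(fragments):
    """Return 'ok' or the message of the check that rejected the fragment set."""
    try:
        reassemble(fragments)
        return "ok"
    except FragmentError as e:
        return str(e)


if __name__ == "__main__":
    for name, frags in (("normal ping", NORMAL_PING), ("ping of death", PING_OF_DEATH), ("teardrop", TEARDROP)):
        print(f"{name}: {classify(frags)}")
```

The Ping of Death case is rejected on the last fragment alone, before any copy happens, which is the property a fixed-size reassembly buffer needs; the Teardrop case is rejected the moment the second fragment's range touches bytes already marked filled.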
A new Classification
• We can also categorize DoS into three types depending on the number of parties involved:
  – Single-tier DoS Attacks
  – Dual-tier DoS Attacks
  – Triple-tier DDoS Attacks
Single-tier DoS Attacks
– Straightforward 'point-to-point' attack: two actors, attacker and victim.
– Examples
  • Ping of Death
  • SYN floods
  • Other malformed-packet attacks
Dual-tier DoS Attacks
– More complex model: a third party (the amplifier network) sits between attacker and victim
– Difficult for the victim to trace and identify the attacker
– Examples
  • Smurf
Triple-tier DDoS Attacks
– Highly complex attack model, known as Distributed Denial of Service (DDoS).
– DDoS exploits weaknesses in the very fabric of the Internet (spoofable source addresses, large numbers of compromisable hosts), making it virtually impossible to fully protect your networks against this level of attack.
– Examples
  • TFN2K
  • Stacheldraht
  • Mstream
Components of a DDoS Flood Network
– Attacker: often a hacker with good networking and routing knowledge.
– Master servers: a handful of backdoored machines running the DDoS master software, controlling and keeping track of the available zombie hosts.
– Zombie hosts: thousands of backdoored hosts around the world that generate the flood on command.
Results expected
• Denial-of-service attacks can essentially disable your computer or your network; depending on the nature of your enterprise, this can effectively disable your organization.
• Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an "asymmetric attack". For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.
Defense
Internet Service Providers
• Deploy source-address anti-spoof (ingress) filters on customer links (very important!).
• Turn off directed broadcasts.
• Develop security relationships with neighbouring ISPs.
• Develop traffic-volume monitoring techniques.
High loaded machines
• Look for too much traffic to a particular destination.
• Learn to look for traffic to that destination at your border routers (access routers, peers, exchange points, etc.).
• Can the tools be automated? For example, too many queue drops on an access router could trigger source detection (tracing the flood back toward its ingress point).
• Disable and filter out all unused UDP services.
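The ISP and host-side filters listed above, applied to the attacks from earlier slides (Smurf/Fraggle's spoofed source and broadcast destination, LAND's identical endpoints, the ECHO/CHARGEN reflectors), as an added example that is not part of the original slides. Packets are constructed dicts, and the customer prefix, the attached networks and the set of unused UDP services are assumed values.

```python
"""Border-router style checks for the DoS variants on these slides.

Added example, not code from the original slides.  Packets are constructed
dicts (no real traffic is read); the customer prefix, the directly attached
networks and the list of unused UDP services are assumed values.
"""
import ipaddress

CUSTOMER_PREFIX = ipaddress.ip_network("198.51.100.0/24")  # assumed: what the customer link may source
ATTACHED_NETS = [ipaddress.ip_network("198.51.100.0/24"),  # assumed: networks behind this router
                 ipaddress.ip_network("192.0.2.0/24")]
UNUSED_UDP_SERVICES = {7, 19}                               # ECHO and CHARGEN, the Fraggle reflectors


def is_land(pkt):
    """LAND: TCP SYN whose source and destination address and port are identical."""
    return (pkt["proto"] == "tcp" and "SYN" in pkt["flags"]
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def is_spoofed(pkt):
    """Anti-spoof (ingress) filter: a packet arriving on the customer link must
    carry a source inside the customer's prefix.  Stops the spoofed victim
    address Smurf relies on and random-source SYN floods from that link."""
    return pkt["ingress"] == "customer" and ipaddress.ip_address(pkt["src"]) not in CUSTOMER_PREFIX


def is_directed_broadcast(pkt):
    """Directed broadcast off: nothing is delivered to the broadcast address of
    an attached network, so it cannot act as a Smurf/Fraggle amplifier."""
    dst = ipaddress.ip_address(pkt["dst"])
    return any(dst == net.broadcast_address for net in ATTACHED_NETS)


def is_unused_udp_service(pkt):
    """ECHO/CHARGEN are not offered here, so UDP to those ports is dropped."""
    return pkt["proto"] == "udp" and pkt["dport"] in UNUSED_UDP_SERVICES


def filter_packet(pkt):
    """Return ('drop', reason) or ('pass', None); the first matching rule wins."""
    for check, reason in ((is_land, "land"), (is_spoofed, "spoofed-source"),
                          (is_directed_broadcast, "directed-broadcast"),
                          (is_unused_udp_service, "unused-udp-service")):
        if check(pkt):
            return "drop", reason
    return "pass", None


def packet(name, ingress, src, dst, proto, sport=0, dport=0, flags=()):
    return dict(name=name, ingress=ingress, src=src, dst=dst, proto=proto,
                sport=sport, dport=dport, flags=set(flags))


# Constructed sample traffic (documentation addresses only).
SAMPLE = [
    packet("customer web request", "customer", "198.51.100.7", "192.0.2.10", "tcp", 40000, 80, ("SYN",)),
    packet("upstream https request", "upstream", "203.0.113.9", "192.0.2.10", "tcp", 51000, 443, ("SYN",)),
    packet("smurf from customer", "customer", "192.0.2.10", "198.51.100.255", "icmp"),
    packet("smurf from upstream", "upstream", "192.0.2.10", "198.51.100.255", "icmp"),
    packet("fraggle", "upstream", "192.0.2.10", "192.0.2.255", "udp", 7, 19),
    packet("chargen probe", "upstream", "203.0.113.9", "192.0.2.10", "udp", 5000, 19),
    packet("land", "upstream", "192.0.2.10", "192.0.2.10", "tcp", 139, 139, ("SYN",)),
    packet("spoofed syn flood", "customer", "10.1.2.3", "192.0.2.10", "tcp", 1234, 80, ("SYN",)),
]


def run(packets=SAMPLE):
    """Map packet name -> (verdict, reason) for the whole sample."""
    return {p["name"]: filter_packet(p) for p in packets}


if __name__ == "__main__":
    for name, (verdict, reason) in run().items():
        print(f"{name:24s} {verdict:4s} {reason or ''}")
```

Note which rule catches each sample: the same Smurf packet is dropped as a spoofed source when it enters from the customer link but only as a directed broadcast when it arrives from upstream, which is why the slides call the ingress filter "very important" and list the broadcast setting separately.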
Also
• Routers, machines and all other Internet-accessible equipment should be checked periodically to verify that all security patches have been installed.
• Systems should be checked periodically for the presence of malicious software (Trojan horses, viruses, worms, back doors, etc.).
Also
• Train your system and network administrators.
• Read security bulletins such as www.cert.org, www.sans.org, www.eEye.com.
• From time to time listen in on the attacker community to stay informed about their latest achievements.
• Stay in contact with your ISP; if your network is being attacked, this can save a lot of time.