Transcript Slide 1

BCIS 4630 Fundamentals of IT Security
NETWORK ATTACKS
Dr. Andy Wu
Overview
• Denial of service attacks
– DoS and DDoS
– Flood attacks
– SYN flood
• Man-in-the-middle attack
– ARP poisoning
– IP spoofing
Denial of Service Attacks
• Denial-of-service (DoS): the attacker sends a large
number of connection or information requests to a
target.
– Target system cannot handle other, legitimate service
requests.
– May result in system crash or inability to perform
ordinary functions.
• Distributed denial-of-service (DDoS): coordinated
stream of requests is launched against target from
many locations simultaneously.
Flood Attacks
• The basic approach to creating a DoS attack
is to consume the limited resources of a
computer or a network by transmitting a large
number of packets as quickly as possible.
• A flood attack can occur under the following
conditions:
– Sending connection requests
– Consuming the bandwidth
– Consuming target’s local resources
SYN Flood
• Goal: to overwhelm the target with SYN packets.
• Works by taking advantage of the TCP three-way handshake.
– The attacker initiates a connection with a SYN packet.
– The target replies with a SYN/ACK packet.
– The attacker doesn’t reply with an ACK packet.
SYN Flood
• The number of connections a system can support is finite.
– Typically 128 to 1024 “slots” in the connection queue.
• Once the target sends the SYN/ACK response, it waits for the
third step in the handshake to happen.
– The timeout value is often more than 1 minute by default.
• If the attacker sends requests faster than the timeout can
clear them, the queue fills up with pending requests.
– SYN flood creates numerous half-open connections that take up
“slots” in the queue.
• Once the queue is filled up, further requests will be dropped
and legitimate users who want to connect to the target system
will not be able to do so.
SYN Flood
• Many SYN flood tools send SYN packets using a spoofed
(fake) source address.
– To hide the identity of the attacker.
– If the address is used by a real host, the host whose
address was spoofed will receive the SYN/ACK packet from
the target. Since the host never initiated a connection, it will
send a RST packet to the target to refuse a connection. The
“half-open” connection will be shut down immediately,
before timing out.
– If the address is not assigned to a real host, the “half-open”
connection will not be shut down until time-out is reached.
– Thus attackers prefer bogus (unassigned) addresses.
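The queue mechanics on the last three slides, as an added toy model (not code from the slides): a listen queue with a fixed number of slots and a handshake timeout, flooded with SYNs from fresh spoofed addresses. The slot count, timeout and all addresses are constructed values chosen to match the figures above; `ListenQueue` and `simulate` are names of this example only.

```python
"""Added example (not from the slides): a toy model of the TCP listen queue
under a SYN flood, with the slot count and timeout values the slides cite."""
from dataclasses import dataclass, field

@dataclass
class ListenQueue:
    """Half-open connections occupy a slot until ACK, RST, or timeout."""
    slots: int = 128            # slides: typically 128 to 1024 slots
    timeout: float = 75.0       # seconds; slides: often > 1 min by default
    pending: dict = field(default_factory=dict)   # src -> time SYN arrived
    dropped: int = 0            # SYNs refused because the queue was full

    def _expire(self, now):
        # A slot is reclaimed only when the handshake timer runs out
        for src, t in list(self.pending.items()):
            if now - t >= self.timeout:
                del self.pending[src]

    def on_syn(self, src, now):
        """Target receives a SYN; True if it could answer with SYN/ACK."""
        self._expire(now)
        if src in self.pending:
            return True                     # retransmit of an existing half-open
        if len(self.pending) >= self.slots:
            self.dropped += 1               # queue full: this SYN is dropped
            return False
        self.pending[src] = now             # SYN/ACK sent, waiting for ACK
        return True

    def release(self, src):
        """ACK completes the handshake, or RST refuses it: slot is freed."""
        self.pending.pop(src, None)

def simulate(rate, seconds, bogus, slots=128, timeout=75.0):
    """Flood at `rate` SYN/s for `seconds`, each SYN from a fresh spoofed
    address. bogus=True: unassigned addresses, nothing answers the SYN/ACK.
    bogus=False: a real host owns the address and answers it with RST.
    Returns (half-open count, whether a legitimate client could then connect)."""
    q = ListenQueue(slots=slots, timeout=timeout)
    now = 0.0
    for i in range(int(rate * seconds)):
        now = i / rate
        src = f"10.9.{(i >> 8) & 255}.{i & 255}"   # constructed spoofed source
        q.on_syn(src, now)
        if not bogus:
            q.release(src)                         # RST from the real host
    half_open = len(q.pending)
    legit_ok = q.on_syn("192.0.2.10", now + 0.001)  # constructed legitimate client
    return half_open, legit_ok
```

With bogus addresses a 10 SYN/s flood fills all 128 slots in under 13 seconds and the legitimate client is refused; with addresses owned by real hosts the RSTs free every slot and the client gets through.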
Distributed Denial of Service
• A DoS attack implemented by staging a DoS attack against a
target from multiple systems simultaneously.
• Takes advantage of the distributed nature of the Internet to
create a massive flood of packets against the victim.
• The attacker first breaks into and gains control of a large
number of machines (“zombies”, “bots”, or “agents”).
• The attacker installs zombie software (“daemon”) on the
zombies.
– Popular programs include: Tribe Flood Network (TFN), Trin00,
Stacheldraht.
• Daemons on the zombies wait for commands from a master.
Botnets
• A bot is a program that surreptitiously
installs itself on a computer so it can be
controlled by an attacker.
• A botnet is a network of robot, or zombie,
computers.
– Can harness their collective power to do
damage
– Or send out huge amounts of junk e-mail
DDoS: Raising the Dead
• The attacker communicates with a small number of “masters”
via control software (“client”) installed on those masters.
• The attacker uses the masters to summon the zombies to life
and orders all the zombies to wage an attack simultaneously.
– The commands are often issued into a shared IRC (Internet Relay
Chat) channel used by all of the attacker’s zombies.
• When the zombies receive their masters’ command, they
spring into action and conduct a DoS attack against the target.
• The two layers of communication (attacker-master, master-zombie) make it difficult to hunt down the attacker.
Distributed Denial of Service
Man-in-the-Middle Attacks
• Man-in-the-middle: attacker monitors network
packets, modifies them, and inserts them back into
network.
• It is technically possible for the attacker to control
what data are sent between the two hosts.
• Can be achieved by ARP poisoning.
– The attacker sets up two NICs and sends packets to
each host, falsely notifying the host of the other host’s
MAC address, which in fact belongs to one of the
attacker’s NICs.
ARP Poisoning
• Computers resolve IP addresses to MAC
addresses using ARP.
– The IP-MAC mappings are stored in the ARP
cache for a limited amount of time. After it times
out, a record is deleted from the cache. Resolution
has to be done again if a packet needs to go to
that IP.
– Computers welcome unsolicited updates to these
mappings (just as websites and the postal service
welcome an unsolicited change of address from you).
ARP Poisoning
• An attacker can “poison” a computer’s ARP
cache by sending it a bogus record
mapping a target’s IP address to the
attacker’s MAC address.
• Packets going from the “duped” computer
to the target then will be sent to the
attacker.
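The poisoning just described leaves a trace on the wire: an IP address that suddenly resolves to a different MAC, and one MAC answering for several IPs. The following is an added detector (not from the slides) that runs over a constructed log of ARP replies; the log, the addresses and the function names are this example's own.

```python
"""Added example (not from the slides): spot ARP cache poisoning from a log
of ARP replies seen on the LAN, the way an ARP monitor would."""
from collections import defaultdict

# Constructed log, one ARP reply per line: "time  sender_ip  sender_mac".
# At 10:00:10 one MAC starts claiming both the gateway (.1) and a host (.20).
ARP_LOG = """\
10:00:01 192.168.1.1  aa:aa:aa:aa:aa:01
10:00:02 192.168.1.20 aa:aa:aa:aa:aa:20
10:00:03 192.168.1.30 aa:aa:aa:aa:aa:30
10:00:10 192.168.1.1  cc:cc:cc:cc:cc:99
10:00:10 192.168.1.20 cc:cc:cc:cc:cc:99
10:00:40 192.168.1.1  cc:cc:cc:cc:cc:99
"""

def parse_arp_log(log):
    for line in log.splitlines():
        if line.strip():
            t, ip, mac = line.split()
            yield t, ip, mac.lower()

def detect_arp_poisoning(log, known=None):
    """Return (alerts, ip_to_mac).

    known: optional trusted IP->MAC bindings (e.g. the gateway, from DHCP or
    static config) so a poisoned reply is caught even if it is the first seen.
    Alerts fire when an IP's MAC changes and when one MAC claims several IPs."""
    ip_to_mac = dict(known or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for t, ip, mac in parse_arp_log(log):
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{t} {ip} moved from {old} to {mac}")
        ip_to_mac[ip] = mac
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and len(mac_to_ips[mac]) > before:
            alerts.append(f"{t} {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts, ip_to_mac
```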
IP Address Spoofing
• TCP/IP doesn’t have a mechanism to prevent the
insertion of a fake source IP address.
• An attacker can make packets look like they are
from a different host than the real originator.
– Helpful for attackers who don’t want to have their
actions traced back.
• Often used to “impersonate” another
(authenticated) host to get around authentication.
– A DoS attack usually is waged against the real McCoy (the
host being impersonated) so that the other party to the
communication (the attack target) won’t be alerted.
IP Address Spoofing
• If the attacker’s purpose simply is to obfuscate investigation by
faking her identity, such as in the cases of spamming or in a
DoS attack, spoofing is relatively easy.
• The goal is to change the “source IP address” field in the
header (blind spoofing). This can be done by:
– Changing NIC properties (Windows) or using the ifconfig command (*nix).
– Packet crafting tools like Hping2, Nemesis, and NetDude.
• Works fine when the attacker doesn’t expect a response from
the target.
• Won’t work if the attacker desires an interactive session with
the target.
Smurf
• The attacker sends an echo request packet to the
broadcast address of a network, e.g., 132.170.255.255.
– Directed broadcast can be initiated from within or outside
the network.
– When a packet coming from outside a local network is
addressed to the network’s broadcast address, the packet is
also sent to every machine on the network.
• The source address of the packet is spoofed and
belongs to the target.
• All other hosts on the network will reply with an echo reply
packet sent to the target’s address, inundating the target.
Fraggle
• Similar to a smurf attack, but uses UDP instead of
ICMP.
• Sends packets to a broadcast address with a
destination UDP port set to:
– A service that will generate a response, e.g., echo service
(Port 7). When the hosts on the network receive the packet,
they will send back a response containing exactly the same
data they received.
– A closed port. Many systems will respond with an ICMP
Port Unreachable message.
• In both cases, the target will receive packets from all
the hosts on the network.
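The IP spoofing, Smurf and Fraggle slides share two ingredients a border router can refuse: a source address that cannot legitimately arrive on that interface, and a directed broadcast from outside. This added example (not from the slides) implements that policy; the /16 prefix is assumed from the slide's broadcast address 132.170.255.255, and the traffic sample and function names are constructed for this example.

```python
"""Added example (not from the slides): a border-router policy that blocks
spoofed source addresses and directed broadcasts, using the network implied
by the slides' broadcast address 132.170.255.255 (assumed to be a /16)."""
import ipaddress

INTERNAL = ipaddress.ip_network("132.170.0.0/16")   # assumption: site prefix

def filter_packet(direction, src, dst):
    """Decide (allow, reason) for one packet at the site border.
    direction is 'in' (arriving from the Internet) or 'out' (leaving the site)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if s in INTERNAL:
            # Ingress filtering: nothing from outside may claim an inside source
            return False, "spoofed internal source"
        if d == INTERNAL.broadcast_address:
            # No directed broadcasts: our hosts must not amplify smurf/fraggle
            return False, "directed broadcast"
    elif direction == "out":
        if s not in INTERNAL:
            # Egress filtering: our hosts may not send with a foreign source
            return False, "spoofed foreign source"
    else:
        raise ValueError(f"unknown direction {direction!r}")
    return True, "ok"

# Constructed traffic sample: (direction, src, dst, description)
SAMPLE = [
    ("in",  "198.51.100.7", "132.170.1.1",     "ordinary inbound ping"),
    ("in",  "132.170.5.5",  "132.170.1.1",     "inbound with our own address"),
    ("in",  "203.0.113.9",  "132.170.255.255", "smurf trigger to broadcast"),
    ("out", "132.170.1.1",  "203.0.113.9",     "ordinary outbound reply"),
    ("out", "192.0.2.44",   "203.0.113.9",     "outbound with a faked source"),
]

def apply_policy(packets=SAMPLE):
    """Return {reason: count} so a defender can see what the policy drops."""
    counts = {}
    for direction, src, dst, _ in packets:
        _, reason = filter_packet(direction, src, dst)
        counts[reason] = counts.get(reason, 0) + 1
    return counts
```

Disabling directed broadcasts on the router is what stops the site from being used as a Smurf or Fraggle amplifier; the egress rule stops its own hosts from being the spoofing source.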