Review For Exam 2

March 9, 2010
MIS 4600 – MBA 5880 - © Abdou Illia
Network & Computer Attacks (Part 2)
Denial of Service (DoS)
• Attempt to make a computer's resources unavailable to legitimate users
[Figure: the attacker's home network of workstations sends a stream of HTTP requests across the Internet, through a router and hub, to a web server (Intel Pentium 4 540 at 3 GHz, 512 MB SDRAM, 2 x 100 GB SATA HDD). All workstations use IP spoofing to send HTTP requests to the web server, while legitimate users' HTTP requests compete for the same server.]

The attacker tries to overload the server by sending a stream of HTTP requests. The server needs to use its limited resources (processor, RAM) to respond to each request. When overloaded, the server slows down or even crashes.
TCP opening and DoS
[Figure: computers 1, 2, 3, ... each complete a SYN, SYN/ACK, ACK exchange with the server, which is then "waiting for request" from each of them.]
• Server can maintain multiple connections
• For each TCP connection request (SYN), the server…
  - Responds to the request (SYN/ACK)
  - Sets resources aside (processor capacity, RAM, bandwidth) in order to respond to each upcoming data request
TCP Connection opening
• TCP connection opening is accomplished as follows (the 3-way handshake):
  - Client sends a TCP SYN to request a connection
  - Server responds by sending back a TCP SYN/ACK
  - Client responds by sending a TCP ACK
• Some forms of computer attack exploit the 3-way handshake process
  - Example: A client may send a TCP ACK without the first two steps of the 3-way handshake being accomplished
[Figure: the attacker sends a bare ACK to the victim.]
SYN Flood DoS
• Attacker sends a series of TCP SYN opening requests
• For each SYN, the target has to
  - Send back a SYN/ACK segment, and
  - Set aside memory and other resources to respond
• When overwhelmed, the target slows down or even crashes
• SYN flooding takes advantage of client/server workload asymmetry
[Figure: the attacker sends SYN after SYN to the victim.]
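An added example (not from the slides) that replays TCP segments seen at a server through the handshake state machine described above and reports the two conditions the slides single out: a backlog of half-open connections (the SYN flood) and an ACK that arrives without the preceding SYN and SYN/ACK. The server address, the traffic sample and the threshold are all constructed for illustration.

```python
from collections import defaultdict

SERVER = "192.0.2.10"       # constructed victim address
HALF_OPEN_THRESHOLD = 20    # constructed alert threshold per server

# Constructed sample traffic as (src, dst, flags); flags use nmap-style
# letters: "S" = SYN, "SA" = SYN/ACK (server -> client), "A" = ACK.
SAMPLE = [
    ("10.0.0.5", SERVER, "S"),
    (SERVER, "10.0.0.5", "SA"),
    ("10.0.0.5", SERVER, "A"),   # complete 3-way handshake
    ("10.0.0.9", SERVER, "A"),   # bare ACK with no SYN / SYN-ACK before it
]
for i in range(1, 31):          # 30 SYNs from 30 sources that never send the ACK
    src = "198.51.100.%d" % i
    SAMPLE.append((src, SERVER, "S"))
    SAMPLE.append((SERVER, src, "SA"))

def track_handshakes(segments):
    """Replay segments through a per-connection state machine; returns (states,
    bogus_acks) where states maps (client, server) to SYN_RECEIVED, SYN_ACK_SENT
    or ESTABLISHED and bogus_acks lists ACKs that had no handshake in progress."""
    states, bogus_acks = {}, []
    for src, dst, flags in segments:
        # SYN/ACK travels server -> client, so flip it onto the client -> server key
        key = (dst, src) if flags == "SA" else (src, dst)
        if flags == "S":
            states[key] = "SYN_RECEIVED"
        elif flags == "SA" and states.get(key) == "SYN_RECEIVED":
            states[key] = "SYN_ACK_SENT"
        elif flags == "A":
            if states.get(key) == "SYN_ACK_SENT":
                states[key] = "ESTABLISHED"
            elif key not in states:
                bogus_acks.append(key)
    return states, bogus_acks

def half_open_per_server(states):
    """Handshakes each server has set resources aside for but not completed."""
    counts = defaultdict(int)
    for (_client, server), state in states.items():
        if state != "ESTABLISHED":
            counts[server] += 1
    return dict(counts)

def syn_flood_suspects(states, threshold=HALF_OPEN_THRESHOLD):
    """Servers whose half-open backlog exceeds the threshold."""
    return sorted(s for s, n in half_open_per_server(states).items() if n > threshold)
```

Run on the sample, one handshake completes, one bare ACK is reported, and the server shows 30 half-open connections, above the threshold.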
Web Server configuration
Bandwidth Throttling
• Method of ensuring that a bandwidth-intensive device, such as a server, will limit ("throttle") the quantity of data it transmits and/or accepts within a specified period of time
• For web servers, bandwidth throttling helps limit network congestion and server crashes
• For ISPs, bandwidth throttling can be used to limit users' speeds across certain applications (such as BitTorrent), or limit upload speeds
• When the allowed bandwidth is reached, the server will block further connection attempts
  - By moving them into a queue, or
  - By dropping them
Bandwidth Throttling (cont)
• When you enable bandwidth throttling, Internet Information Services (IIS) activates a set of counters to monitor it in System Monitor (SysMon):
  - Current Blocked Async I/O Requests: number of requests blocked or held in a buffer until bandwidth is available.
  - Measured Async I/O Bandwidth Usage/Minute: number of bytes sent per minute as indicated by a sample taken by bandwidth throttling.
  - Rejected Async I/O Requests: number of requests rejected by bandwidth throttling since the service was last started.
Ping of Death attacks
[Figure: IP header fields Total Length (16 bits), Flags, and Fragment Offset (13 bits).]
• Take advantage of
  - The fact that TCP/IP allows large packets to be fragmented
  - Some network applications' and operating systems' inability to handle packets larger than 65536 bytes
• Attacker sends IP packets that are larger than 65,536 bytes through IP fragmentation.
• Ping of death attacks are rare today as most operating systems have been fixed to prevent this type of attack from occurring.
• List of OS that were vulnerable: http://insecure.org/sploits/ping-o-death.html
• Fix
  - Add checks in the reassembly process of servers
  - Add checks in firewalls to protect hosts whose bug is not fixed
  - Check that the sum of the Total Length fields for a fragmented IP packet is < 65536 bytes, or less than the maximum allowed
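An added example (not from the slides) of the reassembly check the Fix bullet calls for, run over constructed IPv4 fragment headers. It assumes 20-byte IP headers with no options, and it computes the reassembled size from Fragment Offset and Total Length rather than from a plain sum of Total Length fields, since that sum would count every fragment's own header.

```python
MAX_IP_DATAGRAM = 65535   # largest value the 16-bit Total Length field can hold
HEADER_LEN = 20           # assumption: no IP options on the sample fragments

def fragments_for(payload_bytes, mtu=1500):
    """Constructed input: split an IP payload into the (total_length,
    more_fragments, fragment_offset) headers an MTU-1500 link would produce.
    fragment_offset is the 13-bit value counted in 8-byte units."""
    per_frag = ((mtu - HEADER_LEN) // 8) * 8   # data per fragment must be a multiple of 8
    frags, offset = [], 0
    while offset < payload_bytes:
        chunk = min(per_frag, payload_bytes - offset)
        more = offset + chunk < payload_bytes
        frags.append((HEADER_LEN + chunk, more, offset // 8))
        offset += chunk
    return frags

def reassembled_end(total_length, fragment_offset):
    """Total Length the reassembled datagram would need to cover this fragment:
    one header plus the fragment's byte position plus its data."""
    return HEADER_LEN + fragment_offset * 8 + (total_length - HEADER_LEN)

def check_fragments(fragments, limit=MAX_IP_DATAGRAM):
    """The slide's reassembly check. Returns (ok, size): ok is False as soon as
    any fragment would push the datagram past `limit`, which lets a host or
    firewall refuse an oversized ping before allocating the reassembly buffer.
    Fragments may arrive in any order; the largest end seen is the size."""
    size = 0
    for total_length, _more, offset in fragments:
        end = reassembled_end(total_length, offset)
        if end > limit:
            return False, end
        size = max(size, end)
    return True, size
```

A default-size ping (64 payload bytes) passes as one 84-byte datagram; a 65518-byte payload splits into 45 fragments whose last one would make the datagram 65538 bytes and is rejected, as is a single fragment whose offset alone already points past the limit.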
Distributed DoS (DDoS) Attack
• Attacker hacks into multiple clients and plants handler programs and Zombie programs on them
• Attacker sends attack commands to Handlers and Zombie programs, which execute the attacks
• First appeared in 2000 with the Mafiaboy attack against cnn.com, ebay.com, etrade.com, yahoo.com, etc.
[Figure: the attacker sends an attack command to a handler, the handler relays attack commands to computers with Zombie programs, and the Zombies send DoS messages to the server.]
Buffer Overflow Attack
• Occurs when ill-written programs allow data destined for a memory buffer to overwrite adjacent memory locations that contain instructions.
• If the data contains malware, the malware could run and create a DoS
• Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD
[Figure: memory slots 1-3 are the buffer and slots 4-6 hold the instructions Print, Run Program, Accept input. After the input is accepted, A, B, C fill the buffer, D, E, F spill into slots 4-6, and "LET JOHN IN WITHOUT PASSWORD" lands in the instruction area ahead of Run Program and Accept input.]
Keyloggers
• Used to capture keystrokes on a computer
• Software
  - Behaves like Trojan programs
• Hardware
  - Easy to install
  - Goes between the keyboard and the CPU
  - Examples: KeyKatcher and KeyGhost
Summary Questions
• Describe SYN flooding.
• What is a Zombie program?
• Explain how a Ping of Death attack occurs.
• Explain the difference between DoS and DDoS.
• Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability?
• What is a Buffer Overflow attack?
• What is a hardware keylogger?
Footprinting
• Process of collecting information about an organization, its network, its IP address ranges, its IP address registration, and the people involved in network/computer issues.
• Footprinting is conducted through social engineering and by researching information
  - From printed resources
  - From online resources
• Footprinting tools/techniques:
  - Gathering WHOIS information
  - Performing web reconnaissance
  - DNS interrogation
Understanding Footprinting Lab (Lab 4)
• You must understand the footprinting activities performed in Lab 4. In particular:
  - What footprinting tools were used
  - What can be done with each
• You are allowed to have your lab sheet during the exam
Scanning
What is Scanning?
• Step after footprinting
  [Figure: 1. Footprinting → 2. Scanning → 3. Enumeration (searching vulnerabilities) → 4. Attack]
• Referred to as port scanning, service scanning, or network scanning
• Process of scanning a range of IP addresses in order to determine what services/programs are running on networked computers
• Typically performed using scanning tools like
  - Command-line utilities like Fping, Hping, nmap, tcpdump, etc.
  - GUI scanners
Types of Port scanning
[Figure: SYN, SYN/ACK, ACK exchange.]
• SYN scan—In a normal TCP session, first the client sends the server a TCP packet with the SYN flag set. The server responds to this with a packet having both SYN and ACK flags set, acknowledging the SYN. The client then replies with an ACK of its own, completing the connection. With a SYN scan the 3-way handshake is not completed, which means the target never logs the "transaction". After all you don't want the log to show your IP address.
• FIN scan—In this scan, a TCP packet with the FIN flag set is sent to the target computer to "see" how it reacts. Normally, a TCP packet with the FIN flag set is sent to a client when the server is ready to terminate the connection. The client responds with an ACK which acknowledges the disconnect.
• NULL scan—In a NULL scan, all the packet flags are turned off; that means none of the RST (reset), FIN, SYN, or ACK flags is set. If the ports of the target are closed, the target responds with a TCP RST packet. If the ports are open, the target sends no reply, effectively noting that port number as an open port to the user.
• ACK scan—A TCP packet with the ACK flag set. Scans of the TCP ACK type are used to identify Web sites that are active, which are normally set not to respond to ICMP pings. Active Web sites respond to the TCP ACK with a TCP RST, giving the user confirmation of the status of a site.
• TCP Connect scan—The "three-way handshake" process described under SYN scan above. When one system sends a packet with the SYN flag set, the target device responds with SYN and ACK flags set, and the initiator completes the connection with a packet containing a set ACK flag. Unlike in a SYN scan, the "transaction" is logged.
• XMAS scan—In this kind of scan, the FIN, PSH, and URG flags are set. Closed ports respond with a RST packet. Can be used to determine which ports are open. Not getting the RST packet doesn't mean that the port is open because firewalls or other packet filtering devices may be configured to drop the scan packet.
• UDP scan—In this scan, a UDP packet is sent to the target computer. If the computer sends back an ICMP "Port unreachable" message, the port is. Not getting this message doesn't mean that the port is open because firewalls or other packet filtering devices may be configured to drop the UDP scan packet.
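An added example (not from the slides) that turns the TCP scan descriptions above into detection logic: each probe's flag set is matched to a scan type, and a source is reported when it sends stealth probes (NULL, FIN, XMAS) at all or spreads SYN/ACK probes over many distinct ports. The packet sample, addresses and port threshold are constructed; UDP scans are left out because they are recognised by ICMP replies rather than TCP flags.

```python
from collections import defaultdict

# Flag combinations -> scan type, following the slide descriptions.
SCAN_SIGNATURES = {
    frozenset(): "NULL scan",
    frozenset({"FIN"}): "FIN scan",
    frozenset({"FIN", "PSH", "URG"}): "XMAS scan",
    frozenset({"ACK"}): "ACK scan",
    frozenset({"SYN"}): "SYN scan",
}
# NULL, FIN and XMAS probes never occur in a legitimate TCP exchange, so one
# packet is enough to report them; a lone SYN or ACK is ordinary traffic and is
# only reported when one source spreads them over many distinct ports.
STEALTH_SCANS = {"NULL scan", "FIN scan", "XMAS scan"}
PORT_THRESHOLD = 10   # constructed: distinct ports per source before SYN/ACK probes count

# Constructed sample packets: (src_ip, dst_ip, dst_port, set of TCP flags).
SAMPLE = [("203.0.113.7", "192.0.2.10", p, {"SYN"}) for p in range(20, 41)]
SAMPLE += [("10.0.0.5", "192.0.2.10", 80, {"SYN"}),         # ordinary client:
           ("10.0.0.5", "192.0.2.10", 443, {"SYN"}),        # two services,
           ("10.0.0.5", "192.0.2.10", 80, {"ACK", "PSH"})]  # then data
SAMPLE += [("203.0.113.8", "192.0.2.10", 22, {"FIN", "PSH", "URG"})]
SAMPLE += [("203.0.113.9", "192.0.2.10", p, set()) for p in (21, 25, 53)]

def classify(flags):
    """Name the scan type a single packet's flag set matches, else None."""
    return SCAN_SIGNATURES.get(frozenset(flags))

def detect_scans(packets, threshold=PORT_THRESHOLD):
    """Return sorted (src, scan_type, distinct_ports) for sources that look like
    scanners: any stealth-scan packet, or SYN/ACK probes to >= threshold ports."""
    ports = defaultdict(set)
    for src, _dst, dport, flags in packets:
        kind = classify(flags)
        if kind:
            ports[(src, kind)].add(dport)
    findings = []
    for (src, kind), seen in ports.items():
        if kind in STEALTH_SCANS or len(seen) >= threshold:
            findings.append((src, kind, len(seen)))
    return sorted(findings)
```

The ordinary client that opens two services is not reported, while the 21-port SYN sweep, the single XMAS probe and the three NULL probes are.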
Understanding Scanning Lab (Lab 5)
• You must understand the scanning activities performed in Lab 5. In particular:
  - What scanning tools were used
  - What can be done with each
  - What kind of information can be collected using the tools
• You are allowed to have your lab sheet during the exam
Enumeration
What is Enumeration?
[Figure: 1. Footprinting → 2. Scanning → 3. Enumeration (searching vulnerabilities) → 4. Attack]
• Security testing step to be performed after
  - Discovering live targets >> [Scanning]
  - Determining open ports and services hosted by discovered live targets >> [Scanning]
  - Determining the OS >> [Scanning]
• Process of extracting the following from targets
  - Available resources or shares
  - User/group names and passwords
• Enumeration is more intrusive than footprinting and scanning because you try to access resources
• Typically performed using enumeration tools like
  - NetBIOS name scanners
  - Share scanners
  - Vulnerability scanners such as Nessus
Understanding Enumeration Lab (Lab 6)
• You must understand the enumeration activities performed in Lab 6. In particular:
  - What enumeration tools were used
  - What can be done with each
  - What kind of information can be collected using the tools
• You are allowed to have your lab sheet during the exam