Transcript Attacks

NetworkSecurity
Lecture 1:
Introduction
Attacks and Risks
Prof. Reuven Aviv
Faculty of Information Technology
King Mongkut’s University of Technology, North Bangkok
[email protected]
Prelude
11 August 2003
The Worm MSBlast Attack
What happened? How?
11.8.2003: MSBlast DDoS Attack
(Diagram: attacker -> Targets -> victim: Windows.update.com)
MSBlast last step: IP Spoofing & SYN Flood
1. Target knows that host XX is not working
2. Target starts establishing a TCP connection with Victim, spoofing its IP address to XX
(Diagram: Target (1), XX, Victim; (3) SYN(Src = T, Dest = XX))
MSBlast: The infection process
- Ensure you run again when Windows starts. How?
  HKEY_Local_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  “Windows auto update” = MBLASTER.EXE
- Scan addresses for Targets with open port 135
- Send buffer overflow packet to Target, port 135
- Target waits for commands on port 4444
- Command Target: download copy of MSBlaster
- Command Target: run the copy
- Target repeats: contacts other targets, restarts
MSBlast: Summary of used techniques
- Denial of Service Attack, using SYN flood
- IP Spoofing
- Scanning (Addresses, ports)
- Application Layer Attack (Buffer Overflow)
- Side effect: attacked computers were shut down
Course objectives
- Recognize the internal working of security protocols and systems, their design considerations, and the way they are employed in organizations and in the Internet.
- Have a deep understanding of application-level attacks and the defense mechanisms against them.
- Be able to learn and master security topics now being researched.
Course Components
- Lectures: Active Discussions 15%
- 2-3 Problem Sets (individual submission) 15%
- Attack Code Analysis Report (Team of 2) 15%
- Research Project (Team of 2) 15%
- Term Test (Open Books) 15%
- Final Exam (Open Books) 15%
Class Discussions
1. Attacks, Risks, Defense
2. Buffer Overflow Attack
3-4. Classic & Public Key Cryptography
5. X.509 Public Key Infrastructure (PKI)
6. Strong Password Authentication Protocols
7. Web Security using SSL/TLS
8. Kerberos Authentication System
9. IP Security (IPSec)
10. Electronic Mail Security with PGP
11. OS Security – SE Linux
12. Firewall Design
13-14. Multi-layer security
Team Assignments
- Attack Code Analysis Report (Team of 2) 15%
  - Analyzing a buffer overflow attack
  - Problems for the attacker & solutions
  - Problems for the defender & solutions
- Research Project (Team of 2) 15%
  - Topic selected by team
  - Written report & presentation of sub-topic
READ POLICY OF AUTHENTICITY
Lecture 1: Attacks, Mitigation Services
1. Network Insecurity
2. Security Services
Appendix: Preview of next lectures
1. Network Insecurity
The need for security
- The Internet is constantly changing the way we live and conduct business.
- Hackers pose an increasing threat to Internet resources with several different types of attacks.
Why are attacks easier today?
The need for security
- Attacks: more prolific and easier to implement.
- More vulnerable devices.
- Easier to share knowledge on a global scale.
- Easier to develop hacking applications.
- Easy-to-use hack applications are distributed to the masses.
- Internet Protocols are insecure. Examples?
Why are Internet Protocols insecure?
Insecurity of Internet protocols
- Examples of lack of security in Internet Protocols:
  - IP: No check if source addresses are true
  - TCP: No check for intentional delay of packets
- Security was not designed into the specification of the Internet Protocols
- Nobody predicted their widespread use
Insecurity of Internet protocols
- Most IP implementations are inherently insecure.
- Various attacks are possible
Give some types of attacks you have heard of
1. Sniffer attacks
- Application capturing network packets.
- Some data is cleartext (Telnet, FTP, SMTP)
- Sensitive information: usernames, passwords
How are these mitigated?
1. Sniffer attacks: Mitigation
- Strong Authentication with one-time passwords (OTPs).
  - A PIN & OTP created by a Hw/Sw Token card
- Antisniffer: detect changes in the response time of hosts
- Cryptography—The most effective method
  - Copied info is then useless.
  - Used by IPSec, SSL, SSH.
2. IP Spoofing Attack
- Use a trusted, forged IP address to attack
- Injection of malicious packets
Mitigation by Filtering (Router, Firewall)
- Deny traffic with an “illegal” source address in both directions
- ISP checks addresses of inbound data
- Enforce authentication of the sender. Why? How?
3. Denial of Service (DOS) Attacks
- Making a service unavailable for normal use
- Flooding the network – TCP SYN, ICMP
- DOS attacks exploit weaknesses in the overall architecture of the network
  - E.g. waiting for a connection to be opened
  - E.g. error/congestion notification procedures via ICMP
What is ICMP?
(Diagram: ping = icmp echo request, icmp echo reply)
Simple DOS attack: SMURF
(Diagram: attacker sends an icmp echo request to a broadcast address, “from” victim; icmp echo reply from all hosts to victim)
What can we do to mitigate DOS?
3. Denial of Service (DOS) Attacks: Mitigation
- Require authentication - If hackers cannot mask their identities, they might not attack.
- Anti-DoS features limit the number of half-open connections that a system allows open at any given time. Done at edge routers.
- Traffic rate limiting
- Collaborating with the ISP to reduce unusual traffic
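The half-open connection limit from the second mitigation bullet, as an added Python example that is not part of the lecture: a tracker that keeps the SYN-received table bounded, drops further SYNs once it is full, and frees a slot when the handshake completes or the embryonic timer expires. The event format, the limit of 3 and the addresses in the trace are constructed assumptions.

```python
from collections import OrderedDict

HALF_OPEN_LIMIT = 3  # assumed cap for this toy; real stacks allow far more


class HalfOpenTracker:
    """Bounded table of connections that got a SYN but no completing ACK."""

    def __init__(self, limit=HALF_OPEN_LIMIT):
        self.limit = limit
        self.half_open = OrderedDict()  # (src_ip, src_port) -> True
        self.established = set()
        self.dropped = []  # SYNs refused because the table was full

    def syn(self, src, sport):
        key = (src, sport)
        if key in self.half_open:
            return "retransmit"  # same SYN again: no new slot consumed
        if len(self.half_open) >= self.limit:
            self.dropped.append(key)
            return "dropped"  # anti-DoS limit reached
        self.half_open[key] = True
        return "syn_received"

    def ack(self, src, sport):
        key = (src, sport)
        if key not in self.half_open:
            return "unexpected_ack"  # nothing to complete (or already done)
        del self.half_open[key]  # handshake finished: slot is freed
        self.established.add(key)
        return "established"

    def timeout(self, src, sport):
        # Embryonic-connection timer expired: free the slot without an ACK.
        return self.half_open.pop((src, sport), None) is not None


# Constructed trace: one client completes its handshake, then SYNs arrive
# from a spoofed source that never answers, then another real client.
TRACE = [
    ("SYN", "10.0.0.5", 40001), ("ACK", "10.0.0.5", 40001),
    ("SYN", "198.51.100.9", 1), ("SYN", "198.51.100.9", 2),
    ("SYN", "198.51.100.9", 3), ("SYN", "198.51.100.9", 4),
    ("SYN", "10.0.0.6", 40002),
]


def run_trace(trace=TRACE, limit=HALF_OPEN_LIMIT):
    tracker = HalfOpenTracker(limit)
    results = []
    for kind, src, sport in trace:
        handler = tracker.syn if kind == "SYN" else tracker.ack
        results.append(handler(src, sport))
    return tracker, results
```

In the constructed trace the second legitimate client's SYN is dropped as well once the spoofed SYNs fill the table, which is why the lecture pairs this limit with traffic rate limiting and help from the ISP upstream.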
What are password attacks?
4. Password attacks
- Repeated attempts to identify a user account / password. E.g. during login
- Tool: nat
4. Password attacks: Reducing/Eliminating
- Limit the number of password guesses
- Send hashed password over the net
- Use One Time Passwords
- Enforce strong passwords:
  - by education
  - by password cracking or strength-assessing software
- Authenticate user/process not by password
  - Use certificate/ticket based cryptographic authentication
5. Man in the middle attack
- Hacker accesses network packets. How?
- Packets can be copied, destroyed, delayed, reordered
- Packets can be replayed, with forged sender or contents
What are the damages?
5. Man in the middle attack: damages
- Theft / change / insertion of information
- Session hijacking to gain access to a network
  - By forging identities (IP addresses and ports)
- Denial of service (by replaying)
- Impersonate one or both communicating parties
How to mitigate MIM attacks?
5. Mitigating M.I.M attacks: Cryptography
- Copies of encrypted data: meaningless
- Destroying, replaying & reordering eliminated by sequence numbers, timestamps or nonces in the cryptographic envelopes of the data
- Forging sender and/or data is eliminated by authentication (signatures)
6. Application Layer attacks
- Exploit weaknesses in servers (RPC, HTTP…)
- Force the remote server to invoke a certain program
- Send “buffer overflow”: replaces server by shell
- Via ports that are allowed through a firewall
- Shell with the same permissions as the server
- Shell waiting for commands
(Diagram: Buffer Overflow: Overflowing the stack on victim; Sending buffer overflow to remote IIS; IIS now waits on port 2002 for commands; Taking full control of Victim)
How to mitigate application layer attacks?
6. Application Layer attacks: Mitigation
- Firewall: Close ports
- Proper system administration – patches, log files…
- Intrusion detection systems (IDSs) – HIDS/NIDS
  - Identifying patterns of SysCalls/streams of packets
  - Create alarms
7. Network Reconnaissance Attacks
- First step of any attack: Analyze target network
  1. DNS queries: owner, addresses, topology
  2. Ping sweeps: live hosts.
  3. Port-scanning: list of services running
  4. Examine servers: version, fixes, bugs
Partial defence
- Filter packets, identify scans
- Use IDS to identify signatures of reconnaissance scans
Ping: Is Target running? Tool: Sam Spade
Port Scanning: Which ports are active? Tool: SuperScan
8. Malicious Code
- Worms, Viruses, Backdoors, ...
- Run by itself, by a “host program” or waiting to be connected. Creating damage.
- Mitigation:
  - Antivirus software
  - Download signed software from developers certified by acceptable Certificate Authorities
Attack Scenarios (diagram): Reconnaissance, Packet Sniffing, DOS Attack, Application Layer Attack, Password Attack, Unauthorized Access, Trust Exploit Attack, Man in the Middle, Malicious Code
2. Security Services
What types of services do we need?
Complexities of Security
- Requirements are simple: Confidentiality, Authentication, Integrity, Non-repudiation. What are these?
- Algorithms are non-intuitive, due to hostile actions and countermeasures!
- Where are the algorithms to be used? Workstations? Routers?
- Possession of secret information is essential: how to create, distribute and protect secrets?
Security Services: Confidentiality
- Keeping private data private
- Protection from passive attacks
- Part of or all of the information flow
- Service provision. How?
  - End stations encrypt and decrypt data
  - Intermediate routers encrypt and decrypt data
Security Services: Authentication
- Protection from masquerading/impersonation
- Assure that messages are really from the entity that claimed to send them
- Service provision examples: how?
  - Sender: transmit a “certificate” to the receiver
  - An authentication server transmits a “proof of identity” ticket to the sender, which will present it to the receiver (Kerberos)
Security Services: Integrity
- Protection from data modification attacks
- Service provision examples: how?
  - The sender attaches to the message a secret “Message digest”
  - Like parity or CRC
Security Services: Non Repudiation
- Protection from possible future denial of responsibility for sending a previous message
- Service provision example: how?
  - Sender adds to the message a “signature” that depends on a secret known only to the sender
  - In court, the sender cannot deny his signature
  - His “certificate” proves that he knows the secret, and the Certificate Authority testifies that it issued only one certificate, to the sender
Models for Information Security 1
- Secure information in transit
- Use trusted parties (Certificate Authority)
Models for network security 2
- Secure the Gate
- Use trusted parties (the ISP)
Summary
- The Internet is where our life is
- The Internet is not safe
- Major risks are theft of proprietary info and financial fraud
- We need secure communication in a hostile environment
- The key ingredient of secure communication is cryptography
3. Preview of next lectures
2. Application Layer Attacks: Overflowing the stack
3. Conventional Encryption
- Transformation: permutations & substitutions
4. Authentication by Digital signature
- Alice: Create H, hash function of Message M
- Create E: Encrypt H with her private key
- Send M and E. E is the “signature of Alice”
- Bob: Create H, hash function of Message M
- Decrypt E with the public key of Alice, get H’
- Compare H with H’. If OK, signature verified
(Diagram: Alice -> Bob)
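The signature procedure above, as an added Python example that is not part of the lecture: textbook RSA with a constructed toy key, SHA-256 as the hash function for H, E = H^d mod n as Alice's signature and H' = E^e mod n on Bob's side. The primes, the sample message, the second exponent used as a "wrong key" and the reduction of the hash modulo n are assumptions made for this toy.

```python
import hashlib

# Constructed toy primes (real RSA keys use primes of ~1024 bits or more).
TOY_P, TOY_Q = 1_000_000_007, 998_244_353


def make_toy_keypair(p=TOY_P, q=TOY_Q, e=65537):
    """Textbook RSA: public (e, n), private (d, n) with e*d = 1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def hash_message(message, n):
    """H = hash of M; reduced mod n so the toy key can sign it (assumption)."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") % n


def sign(message, private_key):
    """Alice: H = hash(M), E = H encrypted with her private key."""
    d, n = private_key
    return pow(hash_message(message, n), d, n)


def verify(message, signature, public_key):
    """Bob: recompute H from M, decrypt E with Alice's public key, compare."""
    e, n = public_key
    h = hash_message(message, n)
    h_prime = pow(signature, e, n)  # H' recovered from the signature
    return h == h_prime


def demo():
    public, private = make_toy_keypair()
    message = b"Transfer 100 to Bob"  # constructed sample message
    signature = sign(message, private)
    # 65539 is another prime coprime to phi(n): a different, wrong public key.
    other_public = make_toy_keypair(e=65539)[0]
    return {
        "valid": verify(message, signature, public),
        "tampered": verify(b"Transfer 1000 to Bob", signature, public),
        "wrong_key": verify(message, signature, other_public),
    }
```

The wrong_key case is why the next slide matters: Bob can only trust the result if the public key he verifies with is really Alice's, which is what the certificate binds.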

5. X.509 Certificate
- Algorithm used to sign this certificate (by the CA) and its parameters
- Name of Certificate Authority (CA) issuing this certificate
- Name of holder (subject) of this certificate
- Public Key of subject
- Signature of issuer: hash of other fields, encrypted with the CA private key
7. Web Security
- Uses Secure Socket Layer (SSL/TLS)
- Layer above TCP
1. SSL session is established
- Cryptographic algorithms negotiated
- Certificates presented
- Shared master key is established
- Session keys derived
2. Secured data transmission
8. Kerberos Authentication System
9. IP Security
- General mechanism in the Internet, implemented in firewalls/routers
11. OS Security (SE Linux Architecture)
- Object Managers observe access requests from processes
- Send consultation requests to the Security Server
- Get decisions, enforce access
12. Firewall Systems
- Traffic from Internet to Bastion host: allowed
- Traffic from bastion to the Internet: allowed
- Everything else: denied
13. – 14. Multi-Layer Defense: Corporate Internet Module (diagram)
13. – 14. Multi-Layer Defense: VPN & Remote Access Module (diagram)