Review Exam 2
Spring 2014
Targeted Break-in, DoS, & Malware attacks (I)
Unobtrusive Information Collection
 Sending packets into a network is “noisy”
 Need to do unobtrusive information gathering first, by
  - Visiting the target corporate website for employees’ names and emails, officers’ names and organizational structure, etc.
  - Reading the trade press (often online & searchable) for info about products under development, firms’ financial prospects, etc.
  - Searching the U.S. EDGAR* system online for ownership, shareholder information, etc.
  - Searching the Whois database at NetworkSolutions.com/whois/index.jsp, internic.net/whois.html, etc.
* Electronic Data Gathering, Analysis, and Retrieval
Host Scanning
 Objective: identify IP addresses of active hosts
 Ping scanning
  - Pinging individual hosts
  - Pinging a range of IP addresses
  - IP scanning software: fping, gping, Ping Sweep, Pinger
 SYN/ACK scanning is used when the firewall is configured to block pinging from outside
Network Scanning
 Objective: understand a network’s internal structure, including the location of routers and firewalls
 Also called network mapping
 Main tools used
  - Tracert (in Windows) or Traceroute (in Linux)
  - Network scanning software, e.g. NetScanner
Port Scanning
 Most break-ins exploit specific services/applications

  Service | Default Port
  www     | 80
  FTP     | 21
  SMTP    | 25

 Scan target for open ports
  - Send SYN segments to a particular port number
  - Observe SYN/ACK or reset (RST) responses
Fingerprinting
 Determining the specific software run by the target
  - Identify a particular operating system or application program and (if possible) its version
  - For example, Microsoft Windows 2000 Server
  - For example, BSD LINUX 4.2
  - For example, Microsoft IIS 5.0
 Useful because most exploits are specific to particular programs or versions
Active vs. Passive fingerprinting
 Active Fingerprinting
  - Send odd messages and observe the replies
  - Different operating systems and application programs respond differently
  - Active fingerprinting may set off alarms
  - Attackers usually keep the rate of attack messages below IDSs’ volume thresholds
 Passive Fingerprinting
  - Read the headers (IP-H, TCP-H, etc.) of normal response messages
  - e.g. Windows 2000 uses TTL = 128 and Window Size = 18000
  - Passive fingerprinting is difficult because the admin could change the default values
[Figure: IP header fields Time To Live (8 bits) and Protocol (8 bits; 1 = ICMP, 6 = TCP, 17 = UDP); TCP header field Window Size (16 bits)]
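The passive side of the slide in working code, as an added example that is not part of the original deck: a raw IPv4+TCP packet is constructed with struct, the fields the slide names (TTL, Protocol, TCP Window Size) are read back out, and the result is matched against a small defaults table. The Windows 2000 row carries the slide's values; the other row and the addresses are constructed assumptions, and the TTL is first mapped back to its likely starting value because every router hop decrements it.

```python
"""Passive fingerprinting: read TTL, Protocol and TCP Window Size from a
captured segment and compare them with a table of known OS defaults.
Added example, not from the slides. The packet is constructed with struct,
and the defaults table is illustrative (the Windows 2000 row carries the
values quoted on the slide; the other row is a constructed assumption)."""
import struct

# (OS name, initial TTL, default TCP window). Only the first row is the
# slide's value; the second is a placeholder showing the shape of such a table.
OS_DEFAULTS = [
    ("Windows 2000", 128, 18000),      # slide: TTL = 128, Window Size = 18000
    ("Example Linux 2.x", 64, 5840),   # constructed/illustrative row
]

def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def build_ipv4_tcp(ttl, window, proto=6, src="10.0.0.1", dst="10.0.0.2"):
    """Construct a 20-byte IPv4 header followed by a 20-byte TCP header
    (SYN/ACK, no options, no payload), as a server's reply might look."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5,   # version 4, IHL 5 words
                         0, 40, 0, 0,    # TOS, total length, ID, flags/fragment offset
                         ttl, proto, 0,  # TTL, protocol, checksum (left zero here)
                         ip_to_bytes(src), ip_to_bytes(dst))
    tcp_hdr = struct.pack("!HHIIHHHH",
                          80, 40000,         # source port, destination port
                          1, 1,              # sequence, acknowledgement numbers
                          (5 << 12) | 0x12,  # data offset 5 words, SYN+ACK flags
                          window, 0, 0)      # window, checksum, urgent pointer
    return ip_hdr + tcp_hdr

def parse_headers(packet):
    """Pull the fields passive fingerprinting reads out of a raw packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IP header length")
    info = {"ttl": packet[8], "protocol": packet[9]}
    # The TCP window is at byte offset 14 of the TCP header (after ports, seq, ack, offset/flags).
    if info["protocol"] == 6 and len(packet) >= ihl + 20:
        info["window"] = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]
    return info

def initial_ttl(observed):
    """Every router hop decrements TTL, so map the observed value back to the
    nearest common starting value (32, 64, 128 or 255)."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    raise ValueError("TTL out of range")

def guess_os(info):
    """Names of table rows whose defaults match the observed headers.
    An empty list means 'unknown', which is also what an admin who changed
    the defaults (the caveat on the slide) will produce."""
    if "window" not in info:
        return []
    start = initial_ttl(info["ttl"])
    return [name for name, ttl, win in OS_DEFAULTS
            if ttl == start and win == info["window"]]

if __name__ == "__main__":
    # A reply that crossed 7 hops from a host with the slide's Windows 2000 defaults.
    reply = build_ipv4_tcp(ttl=121, window=18000)
    print(parse_headers(reply), guess_os(parse_headers(reply)))
```

A UDP packet yields no window and therefore no guess, and a host whose administrator changed the defaults falls through to the same empty answer, which is the limitation the slide points out.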
Fingerprinting by reading banners
 Many programs have preset banners used in initiating communications
 Using telnet or FTP to connect to a server could display the banner
Summary Questions 1 (cont.)
 In preparing his attack, the attacker sent normal HTTP requests to a web server. Then, he spent some time analyzing the protocol-related information in the responses received from the web server in order to determine what software is installed on the web server. Which of the following did the attacker do?
  a) Active learning
  b) Network scanning
  c) Passive fingerprinting
  d) None of the above
Password guessing
 Brute force
  - Generating possible password combinations by changing one character at a time
  - If the password is 4 decimal digits
     Start with 0000; next try 0001; then 0002; etc.
     How many possible combinations? ___________
  - If the password is 6 alphabetical characters, how many possible combinations? _____________
  - Brute force password cracking software is available
Summary Questions 2 (cont.)
 Assume that a password is 2 decimal digits long. What is the maximum number of passwords that an attacker would have to try in order to crack the password?
  a) 4
  b) 67108864
  c) 1024
  d) None of the above
 How much time (in minutes) will it take to crack the password if it requires 1.2 seconds to try each password?
  Answer: a maximum of ______ minutes.
Targeted Break-in, DoS, & Malware attacks (II)
TCP opening and DoS
[Figure: Computers 1, 2, 3, ... each complete a three-way handshake (SYN, SYN/ACK, ACK) with the server; after each opening, the server is “waiting for request from Computer n”]
 For each TCP connection request (SYN), the server has to:
  - Respond to the request (SYN/ACK)
  - Set resources aside in order to respond to each data request
Denial of Service (DoS)
[Figure: a web server (Intel Pentium 4 540 (3 GHz), 512 MB SDRAM, 2 x 100 GB SATA HDD, 16x CD drive, Gateway 3-button mouse, Gateway 108 keyboard, SVGA graphics card) behind a router and hub; legitimate users’ workstations send HTTP requests over the Internet, while workstations on the attacker’s home network send a stream of HTTP requests. All of the attacker’s workstations use IP spoofing to send HTTP requests to the web server.]
 What resources would the web server use to respond to each of the HTTP requests it receives?
 What could be the consequences of the web server being invaded by too many requests from the attacker?
Denial of Service (DoS) Attack
 Attack that makes a computer’s resources unavailable to legitimate users
 Types of DoS attacks:
  - Single-message DoS
  - Flooding DoS
  - Distributed DoS
Single-message DoS attacks
 First kind of DoS attacks to appear
 Exploit weaknesses in the coding of operating systems and network applications
 Three main single-message DoS attacks:
  - Ping-of-Death
  - Teardrop
  - LAND attack
Ping of Death attacks
[Figure: IP header fields Total Length (16 bits), Flags, and Fragment Offset (13 bits). Fragment Offset identifies which fragment of the original packet this is; Flags indicate whether the packet could be fragmented or not.]
 Take advantage of
  - The fact that TCP/IP allows large packets to be fragmented
  - Some network applications’ & operating systems’ inability to handle packets larger than 65536 bytes
 Attacker sends IP packets that are larger than 65,536 bytes through IP fragmentation.
 Ping of death attacks are rare today, as most operating systems have been fixed to prevent this type of attack from occurring.
 Example of PoD code and vulnerable operating systems:
  - http://insecure.org/sploits/ping-o-death.html
 Fix
  - Add checks in the reassembly process, or in the firewall to protect hosts whose bug is not fixed
  - Check: the sum of the Total Length fields of the fragments of an IP packet is < 65536 bytes
Teardrop attacks
[Figure: IP header fields Total Length (16 bits), Flags, and Fragment Offset (13 bits); the attacker sends a pretend fragmented IP packet (Frag 1, Frag 2, Frag 4) to the victim]
 Take advantage of IP fragmentation
 Attacker sends a pretend fragmented IP packet
 But the Fragment Offset values are not consistent
 Earlier operating systems* and poorly coded network applications crash because
  - They are unable to reassemble the packet due to missing fragments
* Win 3.1, Win 95, Win NT, and Linux prior to 2.163
LAND attacks
 First appeared in 1997
 Attacker uses IP spoofing with source and destination addresses referring to the target itself
 At the time, OSs and routers were not designed to deal with this kind of loopback
 The problem resurfaced more recently with Windows XP and Windows 2003 Server
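The "Fix" bullets of the Ping of Death slide, the inconsistent offsets of the Teardrop slide and the source-equals-destination test for LAND, written as the checks a reassembly routine or firewall would run. This is an added example and not code from the slides; the Fragment record and the sample datagrams are constructed (60.47.3.9 is the web server address used later in the deck, 198.51.100.7 is a documentation address), and the oversize test is the per-fragment form of the slide's "sum of Total Length fields" check.

```python
"""Reassembly-side checks for the three single-message DoS attacks on the
slides: Ping of Death (fragments that would reassemble past 65,535 bytes),
Teardrop (fragment offsets that overlap or leave holes) and LAND (source
address equal to destination address). Added example, not from the slides;
the Fragment record and the sample datagrams below are constructed."""
from dataclasses import dataclass

IP_MAX_LEN = 65535  # the largest datagram a 16-bit Total Length can describe

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int          # Identification field: ties fragments of one datagram together
    offset: int         # Fragment Offset field, in units of 8 bytes
    more: bool          # MF flag: more fragments follow this one
    total_length: int   # Total Length field of this fragment (header + payload)
    ihl: int = 20       # IP header length in bytes

    @property
    def start(self):
        return self.offset * 8

    @property
    def end(self):
        return self.start + (self.total_length - self.ihl)

def is_land(src, dst):
    """LAND: a packet whose source address is the destination itself."""
    return src == dst

def is_oversized(frag):
    """Ping of Death: this fragment alone would place data beyond 65,535 bytes.
    Per-fragment form of the slide's check that fragment lengths must not add
    up to more than the IP maximum."""
    return frag.end > IP_MAX_LEN

def check_datagram(frags):
    """Classify the fragments collected so far for one datagram:
    'oversized' (Ping of Death), 'overlap' (Teardrop-style inconsistent
    offsets), 'hole' (a fragment is missing although the last one arrived),
    'pending' (still waiting for more fragments) or 'ok'."""
    if not frags:
        return "pending"
    first = frags[0]
    if any((f.ident, f.src, f.dst) != (first.ident, first.src, first.dst) for f in frags):
        raise ValueError("fragments belong to different datagrams")
    if any(is_oversized(f) for f in frags):
        return "oversized"
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0                      # byte position the next fragment must start at
    for f in ordered:
        if f.start < expected:
            return "overlap"
        if f.start > expected:
            return "hole" if not ordered[-1].more else "pending"
        expected = f.end
    return "pending" if ordered[-1].more else "ok"

# Constructed sample datagrams (addresses: slide web server, documentation range)
VICTIM, REMOTE = "60.47.3.9", "198.51.100.7"
# normal ping: a 1480-byte payload followed by a final 500-byte payload
NORMAL = [Fragment(REMOTE, VICTIM, 1, 0, True, 1500),
          Fragment(REMOTE, VICTIM, 1, 185, False, 520)]
# Ping of Death: last fragment placed at offset 8190*8 = 65520 with 100 bytes of data
POD = [Fragment(REMOTE, VICTIM, 2, 0, True, 1500),
       Fragment(REMOTE, VICTIM, 2, 8190, False, 120)]
# Teardrop: the second fragment claims to start inside the first one
TEARDROP = [Fragment(REMOTE, VICTIM, 3, 0, True, 44),
            Fragment(REMOTE, VICTIM, 3, 2, False, 44)]
# the slide's figure: Frag 1, Frag 2 and Frag 4 arrive, Frag 3 never does
MISSING = [Fragment(REMOTE, VICTIM, 4, 0, True, 1500),
           Fragment(REMOTE, VICTIM, 4, 185, True, 1500),
           Fragment(REMOTE, VICTIM, 4, 555, False, 520)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("pod", POD), ("teardrop", TEARDROP), ("missing", MISSING)):
        print(name, check_datagram(frags))
    print("land", is_land(VICTIM, VICTIM))
```

A real stack keeps a 'pending' datagram on a reassembly timer and discards it when the timer expires, which is what turns the slide's "missing fragments" case into a drop rather than a crash.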
Summary Questions 1
 Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability?
 Which of the following DoS attacks takes advantage of IP fragmentation?
  a) LAND attack
  b) Teardrop
  c) Ping of Death
  d) None of the above
 In which of the following DoS attacks does the attacker make use of IP spoofing?
  a) LAND attack
  b) Teardrop
  c) Ping of Death
  d) None of the above
Flooding DoS Attacks
 Flood a target with a series of messages in an attempt to make it crash
 Main types of flooding DoS attacks:
  - Flooding with regular requests
  - SYN flooding
  - Smurf flooding
  - Distributed DoS
SYN Flooding
 Attacker sends a series of TCP SYN opening requests
 For each SYN, the target has to
  - Send back a SYN/ACK segment, and
  - Set aside memory and other resources to respond
 When overwhelmed, the target slows down or even crashes
 SYN flooding takes advantage of the client/server workload asymmetry
[Figure: the attacker sends SYN, SYN, SYN, SYN, SYN, ... to the victim]
Smurf Flooding DoS
 Attacker uses IP spoofing
 Attacker sends ping / echo messages to third-party computers on behalf of the target
 All third-party computers respond to the target
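One detector serving both the SYN flooding and the Smurf slides, as an added example that is not part of the deck: it walks a trace seen at the network border, counts half-open handshakes per server (the resources the slide says the target sets aside), counts echo replies for pings the protected host never sent, and separately counts inbound packets that claim one of our own addresses, which is the spoofing both attacks rely on. The trace is constructed; 60.47.3.9 and 123.12.13.4 are addresses used elsewhere in the deck, the 198.51.100.x and 203.0.113.x addresses are documentation ranges, and the thresholds are assumptions.

```python
"""Edge-of-network detection for the flooding attacks on the slides: SYN
flooding (many half-open connections at one server) and Smurf (echo replies
arriving for pings the protected host never sent). Added example, not from
the slides; the trace and the thresholds are constructed."""
from collections import Counter, defaultdict

# (direction seen at the border, segment/message kind, source, destination)
TRACE = [
    # a normal three-way handshake: SYN, SYN/ACK, ACK
    ("in", "SYN", "123.12.13.4", "60.47.3.9"),
    ("out", "SYNACK", "60.47.3.9", "123.12.13.4"),
    ("in", "ACK", "123.12.13.4", "60.47.3.9"),
    # SYN flood: openings that are never completed, from many sources
    ("in", "SYN", "198.51.100.10", "60.47.3.9"),
    ("out", "SYNACK", "60.47.3.9", "198.51.100.10"),
    ("in", "SYN", "198.51.100.11", "60.47.3.9"),
    ("out", "SYNACK", "60.47.3.9", "198.51.100.11"),
    ("in", "SYN", "198.51.100.12", "60.47.3.9"),
    ("out", "SYNACK", "60.47.3.9", "198.51.100.12"),
    ("in", "SYN", "198.51.100.13", "60.47.3.9"),
    # Smurf: third parties answer pings sent "on behalf of" 60.47.3.9
    ("in", "ECHO_REPLY", "203.0.113.5", "60.47.3.9"),
    ("in", "ECHO_REPLY", "203.0.113.6", "60.47.3.9"),
    ("in", "ECHO_REPLY", "203.0.113.7", "60.47.3.9"),
    # a ping our host really sent, and its legitimate reply
    ("out", "ECHO_REQ", "60.47.3.9", "203.0.113.99"),
    ("in", "ECHO_REPLY", "203.0.113.99", "60.47.3.9"),
    # an inbound packet claiming one of our own addresses as its source
    ("in", "ECHO_REQ", "60.47.3.9", "203.0.113.8"),
]

def analyse(trace, local_prefix="60.47.3.", half_open_limit=3, reply_limit=3):
    """Return {'syn_flood': {server: half-open count}, 'smurf': {host: count},
    'spoofed_source': {claimed address: count}} for everything over the limits."""
    half_open = defaultdict(set)   # server -> clients whose handshake is incomplete
    sent_pings = set()             # (local host, remote) echo requests that really left
    unsolicited = Counter()
    spoofed = Counter()
    for direction, kind, src, dst in trace:
        if direction == "in" and src.startswith(local_prefix):
            spoofed[src] += 1      # ingress filtering would drop this outright
            continue
        if kind == "SYN":
            half_open[dst].add(src)
        elif kind == "ACK":
            half_open[dst].discard(src)   # handshake completed: resources legitimately in use
        elif kind == "ECHO_REQ" and direction == "out":
            sent_pings.add((src, dst))
        elif kind == "ECHO_REPLY" and direction == "in":
            if (dst, src) in sent_pings:
                sent_pings.discard((dst, src))
            else:
                unsolicited[dst] += 1
    return {
        "syn_flood": {s: len(c) for s, c in half_open.items() if len(c) >= half_open_limit},
        "smurf": {h: n for h, n in unsolicited.items() if n >= reply_limit},
        "spoofed_source": dict(spoofed),
    }

if __name__ == "__main__":
    print(analyse(TRACE))
```

The half-open count is the asymmetry the slide describes: the attacker spends one segment per entry, while the server holds state for each until a timeout. Half-open entries here never expire; a production detector would age them out.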
Distributed DoS (DDoS) Attack
 Attacker hacks into multiple clients and plants handler programs on them. Clients become bots or intermediaries
 Attacker sends attack commands to handlers, which execute the attacks
 First appeared in 2000 with the Mafiaboy attack against cnn.com, ebay.com, etrade.com, yahoo.com, etc.
[Figure: the attacker sends an attack command to a handler; the handler relays the attack command to the bots; the bots send DoS messages to the server]
 Link to how to deal with DDoS (by Cisco)
Malware Attacks

Malware attacks
 Types of malware:
  - Viruses
  - Worms
  - Trojan horses
  - Logic bombs
Virus
 Code/program (script, macro) that:
  - Attaches to files
  - Spreads by user actions (floppy disk, flash drive, opening an email attachment, IRC, FTP, etc.), not by itself
 Symptoms:
  - Annoying actions when the virus is executed: hogging memory, crashing the system, drives not accessible, antivirus disabled, etc.
  - Destructive actions when it is executed: deleting files, altering files, etc.
Viruses
 Could be
  - Boot sector viruses: attach themselves to files in the boot sector of the HD
  - File infector viruses: attach themselves to files (i.e. program files and user files)
  - Polymorphic viruses: mutate with every infection (using encryption techniques), making them hard to locate
  - Metamorphic viruses: rewrite themselves completely each time they are to infect new executables*
  - Stealth viruses: hide themselves by intercepting disk access requests by antivirus programs. The stealth virus returns an uninfected version of files to the anti-virus software, so that infected files seem “clean”.
[Figure: request by antivirus → stealth virus → OS]
* A metamorphic engine is needed
Worm
 Does not attach to files
 A self-replicating computer program that propagates across a system
 Uses a host computer’s resources and network connections to transfer a copy of itself to another computer
 Harms the host computer by consuming processing time and memory
 Harms the network by consuming bandwidth
Question: Distinguish between viruses and worms
Trojan horse
 A computer program
  - That appears to be a useful program like a game, a screen saver, etc.
  - But is really a program designed to damage or take control of the host computer
 When executed, a Trojan horse could
  - Format disks
  - Delete files
  - Open TCP ports to allow a remote computer to take control of the host computer (back door)
 NetBus and SubSeven used to be attackers’ favorite programs for remote control of targets
Logic bomb
 Piece of malicious code intentionally inserted into a software system
 The bomb is set to run when a certain condition is met
  - Passing of a specified date/time
  - Deletion of a specific record in a database
 Example: a programmer could insert a logic bomb that will function as follows:
  - Scan the payroll records each day.
  - If the programmer’s name is removed from the payroll, then the logic bomb will destroy vital files weeks or months after the name removal.
Firewalls
Test your Firewall knowledge
 Which of the following is true about firewalls?
  a) A firewall is a hardware device
  b) A firewall is a software program
  c) Firewalls could be hardware or software
 Which of the following is true about firewalls?
  a) They are used to protect a whole network against attacks
  b) They are used to protect single computers against attacks
  c) Both a and b.
Test your Firewall knowledge (cont.)
 Which of the following is true about firewalls?
  a) They are configured to monitor inbound traffic and protect against attacks by intruders
  b) They are configured to monitor outbound traffic and prevent specific types of messages from leaving the protected network.
  c) Both a and b
Firewall: definition
 Hardware or software tool used to protect a single host¹ or an entire network² by
  - “sitting” between a trusted network (or a trusted host) and an untrusted network
  - Applying preconfigured rules and/or traffic knowledge to allow or deny access to incoming and outgoing traffic
[Figure: a trusted network containing PCs with host-based firewalls, separated from the untrusted network by a network-based firewall]
¹ Host-based or personal firewall
² Network-based firewall
Questions
 What is the main advantage of having a host-based firewall in addition to having a network-based one?
  Answer: _________________________________________
 What kind of security issue could be associated with having host-based firewalls on users’ PCs?
  Answer: __________________________________________
[Figure: as on the previous slide, a trusted network of PCs with host-based firewalls behind a network-based firewall facing the untrusted network]
Firewall Architecture
Most firms have multiple firewalls. Their arrangement is called the firm’s firewall architecture.
[Figure: Internet → screening router firewall → Demilitarized Zone (DMZ) containing the public webserver (60.47.3.9), the SMTP application proxy server (60.47.3.10), the external DNS server (60.47.3.4), and the HTTP application proxy server (60.47.3.1) → main border firewall → 172.18.9.x subnet → internal firewall → internal subnets: marketing client on 172.18.5.x, accounting server on 172.18.7.x, and email server on 172.18.6.x, each host with its own host firewall]
Questions
 What is a DMZ?
 Which of the following may be placed in a DMZ?
  a) An SMTP proxy server
  b) A server that contains files available for downloading by employees
  c) A File Transfer Protocol server
  d) A SQL (Structured Query Language) database server
 What IP addresses should a DNS server in the DMZ be able to find?
  a) All of the company’s IP addresses
  b) Only the IP addresses of the computers in the internal subnet
  c) Only the IP addresses of the computers in the DMZ
 You work as the security administrator at King.com. King.com has been receiving a high volume of attacks on the king.com web site. You want to collect information on the attackers so that legal action can be taken. Which of the following can you use to accomplish this?
  a) A DMZ (Demilitarized Zone).
  b) A honey pot.
  c) A firewall.
  d) None of the above.
Basic Firewall Operation
[Figure: the Internet (not trusted) on one side of the border firewall, the internal corporate network (trusted) on the other. Legitimate Packet 1 and Legitimate Packet 2 from the legitimate user are passed (ingress); Attack Packet 1 from the attacker is dropped (ingress) and recorded in the log file; a packet leaving the internal network is passed (egress).]
 Ingress filtering: filtering packets coming from external networks
 Egress filtering: filtering packets leaving to external networks
Types of Firewalls
[Figure: packet layouts IP-H | TCP-H | Application Layer Message and IP-H | UDP-H | Application Layer Message]
 Static Packet Filtering Firewalls (1st generation)
  - Inspect TCP, UDP, and IP headers to make filtering decisions
  - Do static filtering of individual packets based on a configured ruleset (or Access Control List)
  - Prevent attacks that use IP or port spoofing, etc.
 Stateful Packet Filtering Firewalls (2nd generation)
  - Inspect TCP, UDP, and IP headers to make filtering decisions
  - Do stateful filtering by checking the firewall’s state table for the relation of packets to packets already filtered
  - If a packet does not match an existing connection, the ruleset (static filtering) is used
  - If a packet matches an existing connection, it is allowed to pass
  - Prevent SYN attacks, teardrops, etc.

  State Table
  Connection   | Source IP    | Destination IP | State
  Connection 1 | 123.12.13.4  | 60.47.3.9:80   | TCP opening
  Connection 2 | 213.14.33.56 | 60.47.3.9:80   | Data transfer
  ……           | ……           | ……             | ……
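The two filtering generations side by side, as an added example that is not code from the slides: a static filter that judges every packet on its own headers, and a stateful filter that keeps the slide's state table (source, destination, "TCP opening" / "Data transfer") and consults the static ruleset only for packets that belong to no known connection. The ruleset and the packets are constructed; 60.47.3.9, 123.12.13.4 and 213.14.33.56 are the addresses from the slide's table.

```python
"""Static packet filter versus stateful packet filter, following the two
firewall generations on the slide. Added example, not from the slides; the
ruleset and packets are constructed."""

# Static ruleset / ACL, first match wins: (direction, proto, src, dst, dst port, action)
RULES = [
    ("in", "tcp", "any", "60.47.3.9", 80, "allow"),    # public web server
    ("in", "any", "any", "any", None, "deny"),         # everything else inbound
    ("out", "any", "any", "any", None, "allow"),       # all outbound traffic
]

def make_packet(direction, src, sport, dst, dport, flags, proto="tcp"):
    return {"direction": direction, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": frozenset(flags)}

def static_filter(pkt, rules=RULES):
    """First-generation filtering: each packet judged on its own headers."""
    for direction, proto, src, dst, dport, action in rules:
        if (direction == pkt["direction"]
                and proto in ("any", pkt["proto"])
                and src in ("any", pkt["src"])
                and dst in ("any", pkt["dst"])
                and dport in (None, pkt["dport"])):
            return action
    return "deny"

class StatefulFilter:
    """Second-generation filtering: a state table of accepted connections."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.table = {}   # (client ip, client port, server ip, server port) -> state

    def _key(self, pkt):
        """Find the table entry this packet belongs to, in either direction."""
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if fwd in self.table:
            return fwd
        if rev in self.table:
            return rev
        return None

    def filter(self, pkt):
        key = self._key(pkt)
        if key is not None:
            # Belongs to a connection already accepted: pass it and update the state.
            if pkt["flags"] & {"RST", "FIN"}:
                del self.table[key]
            elif pkt["flags"] == {"ACK"} and self.table[key] == "TCP opening":
                self.table[key] = "Data transfer"   # client's third handshake segment
            return "allow"
        # No matching connection: only a fresh SYN may open one, via the static ruleset.
        if pkt["proto"] == "tcp" and pkt["flags"] != {"SYN"}:
            return "deny"
        verdict = static_filter(pkt, self.rules)
        if verdict == "allow":
            self.table[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])] = "TCP opening"
        return verdict

if __name__ == "__main__":
    fw = StatefulFilter()
    for p in (make_packet("in", "123.12.13.4", 4001, "60.47.3.9", 80, {"SYN"}),
              make_packet("out", "60.47.3.9", 80, "123.12.13.4", 4001, {"SYN", "ACK"}),
              make_packet("in", "123.12.13.4", 4001, "60.47.3.9", 80, {"ACK"}),
              make_packet("in", "213.14.33.56", 5555, "60.47.3.9", 80, {"ACK"})):
        print(p["src"], sorted(p["flags"]), "static:", static_filter(p), "stateful:", fw.filter(p))
    print(fw.table)
```

The last packet in the demo is the difference between the generations: a bare ACK aimed at port 80 satisfies the static rule, but the stateful filter has no connection for it and drops it, which is why the slide credits stateful filters with stopping SYN-style tricks the static ruleset alone cannot see.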
Types of Firewalls (cont.)
[Figure: packet layouts IP-H | TCP-H | Application Layer Message and IP-H | UDP-H | Application Layer Message]
 Application Firewalls (3rd generation)
  - Also called proxy firewalls
  - Inspect the application layer message (e.g. HTTP requests, emails, etc.)
  - Specialized proxy firewalls are more effective than general-purpose ones
     HTTP proxy firewalls for HTTP requests
     SMTP proxy firewalls for SMTP emails
     FTP proxy firewalls for FTP-based file transfer requests
  - Prevent malware attacks
[Figure: 1. the browser sends an HTTP request to the HTTP proxy; 2. the proxy passes the inspected HTTP request to the webserver application (and records it in the log file); 3. the webserver sends the HTTP response to the proxy; 4. the proxy passes the inspected HTTP response to the browser]
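What the HTTP proxy does at step 2 of the figure, as an added example that is not part of the slides: it parses the application-layer message itself, which a packet filter never looks at, and forwards only requests that are well formed and within a policy. The policy limits, the allowed methods and the sample requests are constructed assumptions; the proxy is assumed to sit in front of a single web server, so it expects origin-form targets ("/path") rather than full URLs.

```python
"""Application-layer inspection of an HTTP request, as an HTTP proxy
firewall performs it before passing the request to the web server.
Added example, not from the slides; policy limits and samples are constructed."""

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # constructed policy
MAX_TARGET_LEN = 2048
MAX_HEADER_COUNT = 50
MAX_BODY_LEN = 1_000_000

def inspect_http_request(raw: bytes):
    """Return ('pass', headers) for an acceptable request or ('drop', reason)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "drop", "request head not terminated by an empty line"
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return "drop", "non-ASCII bytes in request head"
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return "drop", "malformed request line"
    method, target, version = parts
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "drop", f"unsupported version {version!r}"
    if method not in ALLOWED_METHODS:
        return "drop", f"method {method} not permitted"
    # A proxy in front of one web server expects origin-form targets only.
    if not target.startswith("/") or len(target) > MAX_TARGET_LEN:
        return "drop", "bad request target"
    if any(seg in ("..", ".") for seg in target.split("?")[0].split("/")):
        return "drop", "dot segments in request target"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            return "drop", f"malformed header line {line!r}"
        headers[name.lower()] = value.strip()
    if len(headers) > MAX_HEADER_COUNT:
        return "drop", "too many header fields"
    if version == "HTTP/1.1" and "host" not in headers:
        return "drop", "HTTP/1.1 request without Host"
    length = headers.get("content-length", "0")
    if not length.isdigit() or int(length) > MAX_BODY_LEN:
        return "drop", "bad or oversized Content-Length"
    if method in ("GET", "HEAD") and int(length) > 0:
        return "drop", "body not permitted on GET/HEAD"
    return "pass", headers

# Constructed sample requests
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n"
TRACE_REQ = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRAVERSAL = b"GET /images/../../private/config HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
GARBAGE = b"\xff\xfe\x00 not http at all"

if __name__ == "__main__":
    for req in (GOOD, TRACE_REQ, TRAVERSAL, GARBAGE):
        print(req[:30], "->", inspect_http_request(req))
```

Each drop carries a reason so the proxy can write the slide's log file entry; the pass case hands back the parsed headers, which is what the proxy would use to build the request it forwards at step 2.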
Types of Firewalls (cont.)
 Network Address Translation Firewall
  - Replaces the IP address in an outgoing message with a spoof IP address
  - Hides internal hosts’ IP addresses from outsiders
  - Helps prevent IP spoofing attacks using internal IP addresses
[Figure: internal hosts 135.12.23.12, 135.12.22.2, and 135.12.21.3 behind the NAT firewall, whose outgoing addresses are 135.12.20.1, 135.12.20.2, and 135.12.20.3]

  Host IP Address | Outgoing IP Address | Request ID
  135.12.23.12    | 135.12.20.1         | 120121
  135.12.22.2     | 135.12.20.2         | 120122
  135.12.21.3     | 135.12.20.3         | 120123
  ……..            | ……..                | ………
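The slide's translation table in working form, as an added example that is not code from the deck: outgoing packets get an address from the firewall's outside pool and a request ID, replies are mapped back to the internal host, and any inbound packet that answers no recorded outgoing request is dropped, which is how hiding the internal addresses also blocks outsiders from reaching them directly. The pool and the first request ID are the slide's values; the remote addresses are constructed.

```python
"""A NAT firewall's translation table in the shape of the slide's table
(host IP address, outgoing IP address, request ID). Added example, not from
the slides; the remote addresses are constructed."""

class NatFirewall:
    def __init__(self, outgoing_pool, first_request_id=120121):
        self.free = list(outgoing_pool)   # outgoing addresses not yet assigned
        self.next_id = first_request_id
        self.table = {}      # (outgoing ip, remote ip) -> {"host", "outgoing", "request_id"}
        self.by_host = {}    # internal host ip -> outgoing ip, so a host keeps one address

    def outbound(self, src, dst):
        """Rewrite an outgoing packet; returns (new source address, request id)."""
        outgoing = self.by_host.get(src)
        if outgoing is None:
            if not self.free:
                raise RuntimeError("no outgoing address available")
            outgoing = self.free.pop(0)
            self.by_host[src] = outgoing
        key = (outgoing, dst)
        if key not in self.table:
            self.table[key] = {"host": src, "outgoing": outgoing, "request_id": self.next_id}
            self.next_id += 1
        return outgoing, self.table[key]["request_id"]

    def inbound(self, src, dst):
        """Map a reply back to the internal host, or None when it answers
        nothing we sent (an outsider cannot address an internal host directly)."""
        entry = self.table.get((dst, src))
        return entry["host"] if entry else None

    def rows(self):
        """The translation table as the slide draws it."""
        return sorted((e["host"], e["outgoing"], e["request_id"]) for e in self.table.values())

if __name__ == "__main__":
    nat = NatFirewall(["135.12.20.1", "135.12.20.2", "135.12.20.3"])
    print(nat.outbound("135.12.23.12", "198.51.100.7"))
    print(nat.inbound("198.51.100.7", "135.12.20.1"))   # reply to the request above
    print(nat.inbound("203.0.113.9", "135.12.20.1"))    # unsolicited: dropped
    print(nat.rows())
```

Keying the table on the remote address as well as the outgoing one is what makes the third call return None: a reply from a host the internal machine never contacted has no entry, so the firewall drops it instead of guessing.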
Firewall Principles
 Danger of Overload
  - If a firewall is overloaded and cannot handle the traffic, it drops the unprocessed packets
  - This is the safest choice, because attack packets cannot enter the network
  - However, this creates a self-inflicted denial-of-service attack
Host Hardening
[Figure: layers of a host, from bottom to top: Computer Hardware; Operating System; client & server application programs: Productivity Software, Web browser, Web service software (IIS, Apache, ...)]

Your knowledge about Host hardening
 Which of the following is most likely to make a computer system unable to perform any kind of work or provide any service?
  a) Client application programs get hacked
  b) Server application programs (web service software, database service, network service, etc.) get hacked
  c) The operating system gets hacked
  d) The connection to the network/Internet gets shut down
OS Vulnerability test
2010 by omnired.com
 OS tested:
  - Win XP, Win Server 2003, Win Vista Ultimate
  - Mac OS Classic, OS X 10.4 Server, OS X 10.4 Tiger
  - FreeBSD 6.2, Solaris 10, Fedora Core 6, Slackware 11.0, Suse Enterprise 10, Ubuntu 6.10
[Figure: OS market share]
 Tools used to test vulnerabilities:
  - Scanning tools (Track, Nessus)
  - Network mapping (Nmap command)
  - All hosts with OS installation defaults
 Results
  - Microsoft’s Windows and Apple’s OS X are rife with remotely accessible vulner­abilities and allow for executing malicious code
  - The UNIX and Linux variants present a much more robust exterior to the outside
  - Once patched, however, both Windows and Apple’s OS are secure.
Your knowledge about Host hardening
 You performed an out-of-the-box installation of Windows XP and Linux FreeBSD 6.2 on two different computers. Which computer is more likely to be secure?
  a) Windows XP
  b) Linux FreeBSD 6.2
  c) They will have the same level of security
 What needs to be done first in order to prevent a hacker from taking over a server with OS installation defaults that has to be connected to the Internet?
  a) Lock the server room
  b) Configure the firewall to deny all inbound traffic to the server
  c) Download and install patches for known vulnerabilities
Security Baseline
 Because it’s easy to overlook something in the hardening process, businesses need to adopt a standard hardening methodology: a standard security baseline
 Need to have different security baselines for different kinds of host; i.e.
  - Different security baselines for different OSs and versions
  - Different security baselines for different types of server applications (web service, email service, etc.)
  - Different security baselines for different types of client applications.
Options for Security Baselines
 Organizations could use different standards
  - OS vendors’ baselines and tools
     e.g. Follow the MS installation procedure and use the Microsoft Baseline Security Analyzer (MBSA)
  - Standards agencies’ baselines
     e.g. CobiT* Security Baseline
  - Company’s own security baselines
 Security baseline to be implemented by
  - Server administrators, known as systems admins
* Control Objectives for Information and Related Technology
Elements of Hardening
 Physical security
 Secure installation and configuration
 Fix known vulnerabilities
 Remove/turn off unnecessary services (applications)
 Harden all remaining applications
 Manage users and groups
 Manage access permissions
  - For individual files and directories, assign access permissions to specific users and groups
 Back up the server regularly
 Advanced protections
(All of the above according to the baseline)
Hardening servers
 Choose the OS that provides the following:
  - Ability to restrict admin access (Administrator vs. Administrators)
  - Granular control of data access
  - Ability to disable services
  - Ability to control executables
  - Ability to log activities
  - Host-based firewall
  - Support for strong authentication and encryption
 Disable or remove unnecessary services or applications
  - If no longer needed, remove rather than disable, to prevent re-enabling
  - Additional services increase the number of attack vectors
  - More services can increase host load and decrease performance
  - Reducing services reduces logs and makes detection of intrusions easier
Hardening servers (cont.)
 Configure user authentication
  - Remove or disable unnecessary accounts (e.g. Guest account)
  - Change names and passwords for default accounts
  - Disable inactive accounts
  - Assign rights to groups, not individual users
  - Don’t permit shared accounts if possible
  - Configure time sync
  - Enforce an appropriate password policy
  - Use 2-factor authentication when necessary
  - Always use encrypted authentication
UNIX / Linux Hardening
 Many versions of UNIX
  - No standard guideline for hardening
 User can select the user interface
  - Graphical User Interface (GUI)
  - Command-Line Interfaces (CLIs) or shells
 CLIs are case-sensitive, with commands in lowercase except for file names
UNIX / Linux Hardening
 Three ways to start services
  - Start a service manually (a) through the GUI, (b) by typing its name in the CLI, or (c) by executing a batch file that does so
  - Using the inetd program to start services when requests come in from users
  - Using the rc scripts to start services automatically at boot up
Inetd = Internet daemon; i.e. a computer program that runs in the background
UNIX / Linux Hardening
 Starting services upon client requests
  - Services not frequently used are dormant
  - Requests do not go directly to the service
  - Requests are sent to the inetd program, which is started at server boot up
[Figure: 1. a client request arrives at port 123; 2. inetd looks up port 123 in /etc/inetd.config, which maps Port 23, Port 80, Port 123, and Port 1510 to Program A, Program B, Program C, and Program D; 3. the entry names Program C; 4. inetd starts Program C, which processes this request]
UNIX / Linux Hardening
 Turning on/off unnecessary services in UNIX
  - Identifying services running at any moment
     The ps command (process status), usually with the -aux parameters, lists running programs
      Shows process name and process ID (PID)
     netstat tells what services are running on what ports
 Turning off services in UNIX
  - The kill PID command is used to kill a particular process
  - kill 47 (if PID=47)
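The inetd slides describe services that are started on demand from a configuration file, and the hardening slides say to turn off the ones not needed; this added example, which is not code from the deck, audits such a file: it lists which services inetd would start, which of them run as root, and writes a hardened copy with everything outside an allow-list commented out. The configuration text is constructed; the file is conventionally named /etc/inetd.conf (the slide's figure writes /etc/inetd.config), and each entry has the form: service socket_type protocol wait/nowait user program args.

```python
"""Audit of an inetd configuration: which services would be started on
demand, which run as root, and a hardened copy with unneeded entries
commented out. Added example, not from the slides; the sample text is
constructed in the /etc/inetd.conf line format."""

SAMPLE_INETD_CONF = """\
# constructed sample inetd configuration
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#finger stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd -s
daytime stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
"""

def parse_inetd_conf(text):
    """One dict per service entry; commented-out entries carry 'enabled': False.
    Comment lines that are not service entries are skipped."""
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").strip().split(None, 6)
        if len(fields) < 6:
            continue   # an ordinary comment, not a disabled entry
        services.append({
            "service": fields[0], "socket_type": fields[1], "protocol": fields[2],
            "wait": fields[3], "user": fields[4], "program": fields[5],
            "args": fields[6] if len(fields) > 6 else "", "enabled": enabled,
        })
    return services

def enabled_services(text):
    return [s["service"] for s in parse_inetd_conf(text) if s["enabled"]]

def root_services(text):
    """Enabled services that inetd would start with root privileges."""
    return [s["service"] for s in parse_inetd_conf(text)
            if s["enabled"] and s["user"] == "root"]

def harden(text, keep):
    """Comment out every enabled entry whose service is not in `keep`.
    Returns (new text, names of the services that were disabled)."""
    out, disabled = [], []
    for raw in text.splitlines():
        fields = raw.strip().split()
        is_entry = bool(raw.strip()) and not raw.lstrip().startswith("#") and len(fields) >= 6
        if is_entry and fields[0] not in keep:
            out.append("#" + raw)
            disabled.append(fields[0])
        else:
            out.append(raw)
    return "\n".join(out) + "\n", disabled

if __name__ == "__main__":
    print("enabled:", enabled_services(SAMPLE_INETD_CONF))
    print("as root:", root_services(SAMPLE_INETD_CONF))
    hardened, disabled = harden(SAMPLE_INETD_CONF, keep={"ftp"})
    print("disabled:", disabled)
    print(hardened)
```

Commenting an entry out rather than deleting it keeps the audit trail, which is the trade-off the slide notes between disabling (easily re-enabled) and removing; after editing, inetd must be told to reread its configuration for the change to take effect.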
Advanced Server Hardening Techniques
 File Integrity Checker
  - Creates a snapshot of files: a hashed signature (message digest) for each file
  - After an attack, compares the post-hack signatures with the snapshot
  - This allows the systems administrator to determine which files were changed
  - Tripwire is a file integrity checker for Linux/UNIX, Windows, etc.: www.tripwire.com (ftp://coast.cs.purdue.edu/pub/tools/unix)
Advanced Server Hardening Techniques
[Figure: 1. At an earlier time, Tripwire computes signatures of File 1, File 2, ... and the other files in the policy list, forming the reference base; 2. After the attack, Tripwire computes the post-attack signatures of the same files; 3. Comparison of the two sets of signatures finds the changed files]
File integrity problem: many files change for legitimate reasons, so it is difficult to know which ones the attacker changed.
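The three steps of the figure in working code, as an added example that is not Tripwire's code or the slide's: a reference base of SHA-256 digests is taken over a policy list, post-attack digests are taken again, and the comparison reports changed, added and removed files. The policy's exclusion patterns are the usual answer to the problem stated above: files that change for legitimate reasons (here a log file) are left out of the list so that only unexpected changes show up. The directory tree and its contents are constructed in a temporary directory by the demo function.

```python
"""A minimal file integrity checker: snapshot, re-snapshot, compare.
Added example, not Tripwire's code; the demo tree is constructed."""
import fnmatch
import hashlib
import tempfile
from pathlib import Path

def file_digest(path, algo="sha256"):
    """Message digest of one file, read in chunks so large files fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, policy):
    """Map each file under root (relative POSIX path) to its digest, skipping
    files that match any of the policy's exclusion patterns."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(fnmatch.fnmatch(rel, pat) for pat in policy.get("exclude", [])):
            continue
        digests[rel] = file_digest(path)
    return digests

def compare(baseline, current):
    """Step 3 of the figure: which files changed, appeared or disappeared."""
    return {
        "changed": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }

def demo():
    """Build a constructed tree, take the reference base, simulate an attack
    and a legitimate log change, then compare."""
    policy = {"exclude": ["var/log/*"]}   # log files change legitimately: leave them out
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "login").write_bytes(b"original login program\n")
        (root / "bin" / "ls").write_bytes(b"original ls program\n")
        (root / "var" / "log" / "messages").write_bytes(b"boot ok\n")
        baseline = snapshot(root, policy)                    # 1. reference base, earlier time
        (root / "bin" / "login").write_bytes(b"replaced login program\n")   # attacker's change
        (root / "bin" / "newtool").write_bytes(b"unexpected new file\n")   # attacker's addition
        (root / "var" / "log" / "messages").write_bytes(b"boot ok\nlogin ok\n")  # legitimate change
        current = snapshot(root, policy)                     # 2. post-attack signatures
        return {"baseline": baseline, "current": current, "diff": compare(baseline, current)}

if __name__ == "__main__":
    print(demo()["diff"])
```

The reference base has to be stored somewhere the attacker cannot rewrite (read-only media or another host), or the post-attack comparison proves nothing; Tripwire signs its database for the same reason.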