Post on 20-Dec-2015
Chapter 18
Network Attack and Defense
The Most Common Attacks
http://www.sans.org/top20/
This is the list of the top 20 attacks. How many does encryption solve? How many do firewalls solve? How many are software flaws?
Combination
Many attacks are combinations of what we have already looked at:
- Buffer overflows
- Password crackers
- Sniffing
- Rootkits
- Software vulnerabilities
- Open ports, etc.
- SQL injection
- Programming errors
Some from this chapter:
- Protocol vulnerabilities (TCP/IP suite)
- Denial of Service
It’s Sad
Many attacks you read about are exploits where patches already exist. It’s the ones you don’t know about that keep security administrators up at night.
The patch for the Code Red worm had existed months before the attack.
TCP/IP vulnerabilities
http://www.javvin.com/networksecurity/tcpipnetwork.html
A huge number of services are enabled by default in operating systems.
OSI model
We can look at attacks by level in the OSI model.
Layer 2 Attacks
- VLAN Hopping
- MAC Spoofing Attack
- Private VLAN Attacks
- DHCP Starvation
Layer 3 Attacks
- Spoofing
- IP Fragmentation
- Ping of Death
- Land Attack
Layer 4 Attacks
- SYN Flooding
- Sniffing
- MitM
- Session Replay
- Session Hijacking
- TCP Sequence Prediction
- Denial of Service
- Backhoe Attenuation
- Smurf Attack
- Domain Hijacking
Layer 8 Attacks
- Trusted Insiders
- Social Engineering
- Identity Theft
Layer 7 Attacks
- Buffer Overflow
- Malware: Viruses, Worms, Trojan Horses, Back Door, Malware Attack Vectors, Malware Protection, Hoaxes, UCE
- Application Attacks: Exploiting Software, Reverse Engineering, Software Testing and Monitoring, Password Attacks, Logic Bombs, Downgrade Attacks, Store and Forward Transmissions, Automated Software Distribution, Audit Log Attacks, Rootkits, Covert Channels
- Web-Based Attacks: Web Cookies, Leaking Browser Information, Spyware, Databases on the Web, Web Site Blocking, Active Content (CGI, Java, ActiveX)
Script kiddies / Packaged defense
- Hacking is becoming de-skilled.
- The TCP/IP suite was designed to work in an open, sharing, honest environment.
- Various levels of hackers:
  - Script kiddies download a script and run it, with no real idea what they are doing.
  - Experienced hackers (typically excellent programmers).
- Many companies cannot find or afford proper security personnel.
- It is easy to find tools that automate a hack.
- It is hard to trace an international hack; it requires international cooperation.
- There is a massive amount of information on how to hack on the internet.
Denial of Service Attacks
Jolt2
- Source code widely available.
- Sends identical fragmented IP packets; systems use 100% of their resources attempting to reassemble these malformed packets.
- Can attack servers as well as routers.
- Patches exist for most systems; some firewalls recognize the malformed packets and drop them.
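The slide says patched systems and some firewalls recognize the malformed fragments and drop them. The following is an added example, not from the slides, of the kind of reassembly guard that does this: it refuses oversize and duplicate fragments instead of buffering them, caps how many fragments one datagram may hold, and alerts when one source keeps resending the same fragment. The class, thresholds and sample traffic are constructed for this demo.

```python
from collections import defaultdict

# Added example, not from the slides: a reassembly guard against the Jolt2
# pattern (a stream of identical, never-completing fragments). Real stacks do
# this inside the kernel; thresholds and structures here are constructed.
MAX_IP_LEN = 65535
MAX_FRAGS_PER_DATAGRAM = 64       # far more than a legitimate datagram needs
DUP_ALERT_THRESHOLD = 20          # identical fragments from one source before alerting


class FragmentGuard:
    def __init__(self):
        self.pending = defaultdict(dict)    # (src, dst, ip_id) -> {byte offset: (payload, more)}
        self.dups = defaultdict(int)        # src -> identical fragments seen
        self.alerts = []

    def offer(self, src, dst, ip_id, frag_offset, more_frags, payload):
        """frag_offset is in 8-byte units as in the IP header. Returns a verdict
        string, or the reassembled bytes once the datagram completes."""
        start = frag_offset * 8
        if start + len(payload) > MAX_IP_LEN:
            return "DROP-OVERSIZE"                  # can never fit in one datagram
        key = (src, dst, ip_id)
        frags = self.pending[key]
        if start in frags:                          # same fragment again: nothing to store
            self.dups[src] += 1
            if self.dups[src] == DUP_ALERT_THRESHOLD:
                self.alerts.append(f"{src}: {DUP_ALERT_THRESHOLD} identical fragments, possible Jolt2")
            return "DROP-DUPLICATE"
        if len(frags) >= MAX_FRAGS_PER_DATAGRAM:    # give up instead of growing forever
            del self.pending[key]
            return "DROP-ABANDON"
        frags[start] = (payload, more_frags)
        return self._try_complete(key)

    def _try_complete(self, key):
        """Walk contiguous fragments from offset 0; complete only when the
        last one has more_frags cleared."""
        frags = self.pending[key]
        data, pos = b"", 0
        while pos in frags:
            payload, more = frags[pos]
            data += payload
            pos += len(payload)
            if not more:
                del self.pending[key]
                return data
        return "PENDING"
```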
Denial of Service Attacks
SYN flood
- Violates the 3-way handshake by establishing a large number of half-open connections.
- Eventually fills the storage allocated for these, and the system does not allow new connections.
- Prevention: well, if you limit the number of these connections, then legitimate users still cannot access the system.
- Various OSs are working on changes to prevent these attacks; they need to adjust how half-open connections are stored.
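SYN cookies are the standard answer to "adjust how half-open connections are stored": the server stores nothing per SYN and instead encodes what it needs into its own initial sequence number. The following is an added example, not from the slides; the key, bit layout and MSS table are constructed for this demo.

```python
import hashlib
import hmac
import struct

# Added example, not from the slides: SYN cookies. Instead of keeping a backlog
# entry per half-open connection, the server folds the state it needs into its
# initial sequence number (ISN) and recovers it from the client's final ACK, so
# a flood of spoofed SYNs has nothing to fill up. Key, bit layout and MSS table
# are constructed for this demo.
SECRET = b"constructed-demo-key-rotate-regularly"
MSS_TABLE = (536, 1220, 1460, 4460)     # 2-bit index into allowed MSS values
HASH_MASK = 0x1FFFFFF                    # low 25 bits carry the keyed hash


def _keyed_hash(src_ip, dst_ip, sport, dport, minute):
    msg = struct.pack("!4s4sHHI", src_ip, dst_ip, sport, dport, minute)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(src_ip, dst_ip, sport, dport, client_isn, mss_idx, minute):
    """Server ISN = 5-bit minute counter | 2-bit MSS index | 25-bit keyed hash.
    IPs are 4-byte strings; client_isn is the sequence number from the SYN."""
    h = (_keyed_hash(src_ip, dst_ip, sport, dport, minute) + client_isn) & HASH_MASK
    return ((minute & 0x1F) << 27) | ((mss_idx & 0x3) << 25) | h


def check_cookie(src_ip, dst_ip, sport, dport, ack, seq, now_minute):
    """Validate the handshake's final ACK with no stored state. The ACK carries
    ack = cookie + 1 and seq = client_isn + 1. Returns the negotiated MSS, or
    None if the cookie is forged or older than one minute."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    minute5, mss_idx = cookie >> 27, (cookie >> 25) & 0x3
    for age in (0, 1):                        # accept this minute or the previous one
        minute = now_minute - age
        if minute < 0 or (minute & 0x1F) != minute5:
            continue
        expect = (_keyed_hash(src_ip, dst_ip, sport, dport, minute) + client_isn) & HASH_MASK
        if hmac.compare_digest(expect.to_bytes(4, "big"), (cookie & HASH_MASK).to_bytes(4, "big")):
            return MSS_TABLE[mss_idx]
    return None
```

The trade-off the slide hints at still applies: the client's MSS is squeezed into two bits and other TCP options from the SYN are lost, which is why real stacks only switch to cookies once the backlog is under pressure.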
Denial of Service Attacks
Smurf, Papa Smurf, Fraggle
- Uses a forged address to send packets (ICMP) to a broadcast address (e.g. 12.255.255.255).
- All machines on the network then attempt to respond to the forged address.
- Simply generates large amounts of traffic on both networks: the address where the original message was sent, and the forged return address when all respond.
Denial of Service Attacks
- Smurf amplifiers are sites that allow ICMP echo packets to the broadcast address and allow the ICMP replies out.
- nmap can also be used to find Smurf amplifiers.
- http://www.powertech.no/smurf/ reports smurf amplifiers.
Denial of Service Attacks
So smurf attacks basically use the following chain:
- hacker
- amplifier (a misconfigured system): the router broadcasts the packets to the subnet, and the machines respond to the pings/echoes
- victim: receives all the responses
Denial of Service Attacks
- As you can see, most of these attacks utilize networking protocols.
- Sending malformed packets causes problems for the attacked machine.
- IP spoofing is typically used to hide the source of the attack.
- Not going to cover all of these from the chapter; please read them though.
- Many, many others exist and most are available on Packet Storm; just search on DOS:
http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=DOS&type=archives&%5Bsearch%5D.x=14&%5Bsearch%5D.y=10
Distributed Denial of Service
In February of 2000 these became famous: Amazon, CNN, E*Trade, Yahoo, eBay ... all attacked and brought to their knees.
Distributed Denial of Service
The seeds were in the wind before 2000. In August of 1999 the University of Minnesota was subject to a 2-day attack. Before we look at these attacks we need to understand a little about them.
Distributed Denial of Service
These attacks use compromised machines to attack others. Hackers over time develop a network of compromised machines that are set to "do their bidding", that is, attack. These are often called zombie machines, or just zombies.
Distributed Denial of Service
Once the network of zombies is built, specific commands, typically on specific ports, instruct the zombies where to attack: "dos 192.192.192.192" would launch the attack against that address.
Distributed Denial of Service
- OK, so Trinoo was the first major one.
- Used to launch the attack against U of Minnesota.
- Did not use IP spoofing from the attacking machines, so admins were able to contact the compromised machines and stop the attack. Most of these machines were Solaris 2.x systems.
- While this was going on, the attacker simply continued to release new zombies against the network.
- Progressed for 2 days.
- Newer ones are being developed: http://news.zdnet.com/2100-1009_22-6050688.html
- Bot networks can be rented:
http://news.zdnet.com/2100-1009_22-6030270.html
http://news.zdnet.com/2100-1009_22-5772238.html?tag=nl
- The following is a great source of distributed DoS information:
http://staff.washington.edu/dittrich/misc/ddos/
Blind IP Spoofing
Attacker 192.113.123.010 sends a packet with:
  From address: 65.67.68.05 (spoofed address)
  To address: 65.67.68.07 (target)
Target 65.67.68.07 answers the spoofed address 65.67.68.05, not the attacker (hence "blind").
Defenses
Configuration management:
- Current copies of the OS
- All patches applied
- Service and config files hardened
- Default passwords removed
- Organizational discipline to make sure it stays this way
Firewalls
- Hardware and software
- Protects the internal network from the external
- Installed between internal and external
- Uses rules to limit incoming traffic
- Uses rules to decide what traffic is allowed in and what traffic is not allowed in
Firewall techniques
- NAT
- Basic packet filtering
- Stateful packet inspection
- Application gateways
- Access control lists
Intrusion detection systems
- Must tune and monitor systems: http://www.snort.org/
- Discussed IDS previously
Security Information Management Systems
- Attempt to combine and automatically monitor all systems
http://www.netforensics.com/
http://www.managementsoftware.hp.com/
http://www.sourcefire.com/products.html
Articles
- Egress filtering
- Lawsuits stemming from DOS
- Intrusion Detection
- Intrusion/Penetration testing programs (SATAN, SAINT)
- Lawsuits stemming from losses incurred due to insufficient protection
- Current DOS canned packages
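Egress filtering, the anti-spoofing ingress rule and the directed-broadcast rule are the border-side defenses that break the smurf amplifier and blind IP spoofing scenarios from the earlier slides. The following is an added example, not from the slides, that models those three rules as a small packet filter; the prefixes (RFC 5737 documentation ranges), the Packet type and the sample traffic are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example, not from the slides: border-filter rules that remove the two
# ingredients the smurf and blind-spoofing slides rely on, a forged source
# address and ICMP echo to a broadcast address. INTERNAL is a constructed
# documentation prefix; "inside"/"outside" name the interface a packet arrived on.
INTERNAL = ip_network("203.0.113.0/24")
BROADCASTS = {INTERNAL.broadcast_address, ip_address("255.255.255.255")}
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Packet:
    iface: str          # "outside" or "inside"
    src: str
    dst: str
    proto: str          # "icmp", "tcp", "udp"
    icmp_type: int = -1


def filter_packet(pkt):
    """Return (verdict, reason). Anti-spoofing rules run first, then the
    directed-broadcast rule, then the default accept."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.iface == "outside" and src in INTERNAL:
        return "DROP", "ingress: packet from outside claims an internal source"
    if pkt.iface == "inside" and src not in INTERNAL:
        return "DROP", "egress: internal host sending a forged source (RFC 2827)"
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST and dst in BROADCASTS:
        return "DROP", "ICMP echo to broadcast address (would make us a smurf amplifier)"
    return "ACCEPT", "ok"


# Constructed traffic: a smurf trigger, a blind-spoof SYN claiming an inside
# address, an inside host with a forged source, and a legitimate ping.
SAMPLE = [
    Packet("outside", "198.51.100.7", "203.0.113.255", "icmp", ICMP_ECHO_REQUEST),
    Packet("outside", "203.0.113.5", "203.0.113.7", "tcp"),
    Packet("inside", "192.0.2.9", "198.51.100.7", "icmp", ICMP_ECHO_REQUEST),
    Packet("outside", "198.51.100.7", "203.0.113.7", "icmp", ICMP_ECHO_REQUEST),
]


def run(packets=SAMPLE):
    return [filter_packet(p)[0] for p in packets]
```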
List of Resources
Jolt2
http://www.securiteam.com/exploits/5RP090A1UE.html
http://www.networkworld.com/details/673.html?def
SYN flood
http://en.wikipedia.org/wiki/SYN_flood
http://www.cert.org/advisories/CA-1996-21.html
List of Resources
Smurf
http://en.wikipedia.org/wiki/Smurf_attack
http://en.wikipedia.org/wiki/Smurf_amplifier
Distributed Denial of Service
http://en.wikipedia.org/wiki/Denial_of_service
http://staff.washington.edu/dittrich/misc/ddos/
Defenses
http://www.dtc.umn.edu/resources/perrig.pdf
List of Resources
Network Protocol vulnerabilities
http://www.javvin.com/networksecurity/tcpipnetwork.html
http://www.ja.net/CERT/Bellovin/TCP-IP_Security_Problems.html
http://www.kb.cert.org/vuls/id/222750
http://www.insecure.org/stf/tcpip_smb.txt