Review For Exam 2 March 9, 2010 MIS 4600 – MBA 5880 - © Abdou Illia

Post on 15-Dec-2015

TRANSCRIPT

Page 1: Review For Exam 2 March 9, 2010 MIS 4600 – MBA 5880 - © Abdou Illia

Review For Exam 2

March 9, 2010

MIS 4600 – MBA 5880 - © Abdou Illia

Page 2

Network & Computer Attacks (Part 2)

Page 3

Denial of Service (DoS)

A DoS attack is an attempt to make a computer's resources unavailable to legitimate users.

Example: the attacker tries to overload a web server by sending it a stream of HTTP requests. The server must spend its limited resources (processor time, RAM, bandwidth) responding to each request. When overloaded, the server slows down or even crashes, and legitimate users are denied service.

[Figure: the attacker's home network (several workstations behind a hub and a router) sends a stream of HTTP requests across the Internet to the web server, an ordinary Pentium 4 machine with 512 MB of RAM that is also serving four legitimate users. All attacking workstations use IP spoofing to send their HTTP requests to the web server, so the requests do not carry the attacker's real source addresses.]

Page 4

TCP opening and DoS

A server can maintain multiple connections at once. For each TCP connection request (SYN) it receives, the server:

- Responds to the request with a SYN/ACK
- Sets resources aside (processor capacity, RAM, bandwidth) so that it can respond to the data requests expected on that connection

[Figure: the server completes a SYN, SYN/ACK, ACK exchange with Computer 1, Computer 2, Computer 3, ... and, for each, keeps a connection state "waiting for request from Computer N". Every opened connection ties up resources until it is used or closed.]

Page 5

TCP Connection opening

TCP connection opening (the 3-way handshake) is accomplished as follows:

1. The client sends a TCP SYN to request a connection
2. The server responds by sending back a TCP SYN/ACK
3. The client responds by sending a TCP ACK

Some forms of computer attack exploit the 3-way handshake process.

Example: a client may send a TCP ACK without the first two steps of the 3-way handshake having been completed. A correct TCP implementation answers such an unsolicited ACK with a RST, since no connection exists for it to belong to.

[Figure: the attacker sends a bare ACK to the victim, bypassing the 3-way handshake.]

Page 6

SYN Flood DoS

The attacker sends a series of TCP SYN (connection opening) requests, typically from spoofed source addresses so that the handshake is never completed. For each SYN, the target has to:

- Send back a SYN/ACK segment, and
- Set aside memory and other resources (a half-open connection entry) while it waits for the final ACK

When overwhelmed, the target slows down or even crashes. SYN flooding takes advantage of the client/server workload asymmetry: sending a SYN costs the attacker almost nothing, while the target must store state for every one of them.

[Figure: the attacker sends SYN, SYN, SYN, SYN, SYN ... to the victim and never answers the SYN/ACKs.]
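The two slides above (TCP opening and DoS, and SYN Flood DoS) describe the half-open connection table being exhausted. The following is an added example, not code from the slides or from any real TCP stack: a toy model of a listener that allocates a backlog slot per SYN, beside a SYN-cookie listener (RFC 4987 style) that keeps no per-SYN state. The addresses, ports, backlog size and the cookie secret are all constructed for the example.

```python
# Added example (not from the slides): a toy model of a TCP listener's half-open
# connection table, showing why a SYN flood exhausts it and how SYN cookies
# (RFC 4987) remove the per-SYN state. Hosts, ports and the secret are constructed.
import hashlib
import hmac
import random


class BacklogListener:
    """Classic listener: every SYN allocates a half-open (SYN_RECEIVED) entry."""

    def __init__(self, backlog_size):
        self.backlog_size = backlog_size
        self.half_open = {}      # (src_ip, src_port) -> client ISN, waiting for ACK
        self.dropped_syns = 0    # SYNs refused because the backlog was full
        self.established = 0

    def on_syn(self, src, client_isn):
        if src in self.half_open:
            return "retransmit"            # already holding state for this client
        if len(self.half_open) >= self.backlog_size:
            self.dropped_syns += 1         # legitimate clients are refused as well
            return "dropped"
        self.half_open[src] = client_isn   # resources set aside until the ACK arrives
        return "syn-ack"

    def on_ack(self, src):
        if self.half_open.pop(src, None) is None:
            return "reset"                 # bare ACK with no prior SYN -> RST (slide 5)
        self.established += 1
        return "established"


class CookieListener:
    """SYN-cookie listener: the server ISN in the SYN/ACK is a MAC over the
    client's address, port and ISN, so nothing has to be stored per SYN.
    (Real cookies also encode a time counter and the MSS; omitted here.)"""

    def __init__(self, secret):
        self.secret = secret
        self.established = 0

    def cookie(self, src, client_isn):
        msg = f"{src[0]}:{src[1]}:{client_isn}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src, client_isn):
        return self.cookie(src, client_isn)   # sent as the server ISN; no state kept

    def on_ack(self, src, client_isn, ack_num):
        # A genuine third-handshake ACK acknowledges server_isn + 1.
        if ack_num == (self.cookie(src, client_isn) + 1) & 0xFFFFFFFF:
            self.established += 1
            return "established"
        return "reset"


def simulate_flood(n_spoofed, backlog=128):
    """Flood both listeners with spoofed SYNs that never complete, then try one
    legitimate connection against each and report what happened."""
    classic = BacklogListener(backlog)
    cookie = CookieListener(b"constructed-secret")
    rng = random.Random(1)
    for _ in range(n_spoofed):
        src = (f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536))
        isn = rng.randrange(1 << 32)
        classic.on_syn(src, isn)
        cookie.on_syn(src, isn)            # costs the cookie listener no memory

    legit, legit_isn = ("192.0.2.10", 40000), 1000
    if classic.on_syn(legit, legit_isn) == "syn-ack":
        classic.on_ack(legit)              # only reached if a backlog slot was free
    server_isn = cookie.on_syn(legit, legit_isn)
    cookie.on_ack(legit, legit_isn, (server_isn + 1) & 0xFFFFFFFF)

    return {
        "classic_half_open": len(classic.half_open),
        "classic_dropped": classic.dropped_syns,
        "classic_established": classic.established,
        "cookie_established": cookie.established,
    }


if __name__ == "__main__":
    print(simulate_flood(1000))
```

With 1,000 spoofed SYNs against a 128-entry backlog, the classic listener ends up with every slot occupied by a half-open entry that will never complete, and the legitimate client is dropped along with the rest of the flood; the cookie listener, holding no state, still establishes the legitimate connection. The asymmetry the slide names is visible in the loop: each spoofed SYN is one function call for the attacker and one stored entry for the victim.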

Page 7

Web Server configuration


Page 8

Bandwidth Throttling

Method of ensuring that a bandwidth-intensive device, such as a server, will limit ("throttle") the quantity of data it transmits and/or accepts within a specified period of time.

- For web servers, bandwidth throttling helps limit network congestion and server crashes
- For ISPs, bandwidth throttling can be used to limit users' speeds for certain applications (such as BitTorrent), or to limit upload speeds

When the allowed bandwidth is reached, the server blocks further connection attempts, either:

- By moving them into a queue (to be served when bandwidth becomes available), or
- By dropping them

Page 9

Bandwidth Throttling (cont)

When you enable bandwidth throttling, Internet Information Services (IIS) activates a set of counters that let you monitor it in System Monitor (SysMon):

- Current Blocked Async I/O Requests: number of requests currently blocked, i.e. held in a buffer until bandwidth is available
- Measured Async I/O Bandwidth Usage/Minute: number of bytes sent per minute, as indicated by a sample taken by bandwidth throttling
- Rejected Async I/O Requests: number of requests rejected by bandwidth throttling since the service was last started
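To make the two throttling slides concrete, here is an added example (not code from the slides, and not how IIS implements its throttle): a bytes-per-minute throttle that either queues or drops requests once the budget is spent, with counters that play the role of the three IIS counters listed above. The request sizes, timestamps and the 10 KB/minute limit are constructed for the example.

```python
# Added example (not from the slides or from IIS): a bytes-per-minute throttle
# that queues or drops requests once the budget is used up, with counters
# analogous to the three IIS System Monitor counters. Sizes and times are constructed.
from collections import deque


class BandwidthThrottle:
    WINDOW = 60.0  # seconds: the "per minute" budget period

    def __init__(self, bytes_per_minute, policy="queue", max_queue=100):
        if policy not in ("queue", "drop"):
            raise ValueError("policy must be 'queue' or 'drop'")
        self.limit = bytes_per_minute
        self.policy = policy
        self.max_queue = max_queue
        self.sent = deque()      # (timestamp, bytes) transmitted in the last WINDOW s
        self.queue = deque()     # sizes of blocked requests awaiting bandwidth
        self.rejected = 0        # like "Rejected Async I/O Requests": dropped since start

    @property
    def blocked(self):
        """Like "Current Blocked Async I/O Requests": requests held until bandwidth frees up."""
        return len(self.queue)

    def measured_bandwidth(self, now):
        """Like "Measured Async I/O Bandwidth Usage/Minute": bytes sent in the trailing window."""
        while self.sent and now - self.sent[0][0] >= self.WINDOW:
            self.sent.popleft()
        return sum(size for _, size in self.sent)

    def _release_queued(self, now):
        # Serve blocked requests in FIFO order as the window slides and budget returns.
        while self.queue and self.measured_bandwidth(now) + self.queue[0] <= self.limit:
            self.sent.append((now, self.queue.popleft()))

    def request(self, now, size):
        """Handle a request of `size` bytes at time `now`; return 'sent', 'queued' or 'dropped'."""
        self._release_queued(now)
        fits = self.measured_bandwidth(now) + size <= self.limit
        if fits and not self.queue:      # newcomers must not jump ahead of the queue
            self.sent.append((now, size))
            return "sent"
        if self.policy == "queue" and len(self.queue) < self.max_queue:
            self.queue.append(size)
            return "queued"
        self.rejected += 1
        return "dropped"


def demo(policy):
    """Five 4 KB requests in five seconds against a 10 KB/minute budget, then one
    more a minute later, once the first two have aged out of the window."""
    t = BandwidthThrottle(bytes_per_minute=10_000, policy=policy, max_queue=2)
    burst = [t.request(sec, 4000) for sec in range(5)]
    later = t.request(61, 1000)
    return burst, later, t.blocked, t.rejected, t.measured_bandwidth(61)


if __name__ == "__main__":
    for policy in ("queue", "drop"):
        print(policy, demo(policy))
```

Under the queue policy the third and fourth requests wait and are released a minute later when the first two leave the window, while the fifth is rejected because the queue is full; under the drop policy everything beyond the budget is rejected immediately. The queue limit matters for the DoS scenario: an unbounded queue would just move the resource exhaustion from bandwidth to memory.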

Page 10

Ping of Death attacks

Take advantage of:

- The fact that IP allows large packets to be fragmented, with the receiver reassembling the fragments
- Some network applications' and operating systems' inability to handle a reassembled packet larger than the IPv4 maximum of 65,535 bytes

The attacker sends, through IP fragmentation, fragments whose offsets and lengths add up to more than 65,535 bytes once reassembled. The receiving stack's reassembly buffer overflows, which can crash or hang the system.

Ping of Death attacks are rare today, as most operating systems have been fixed to prevent this type of attack from occurring.

List of OS that were vulnerable: http://insecure.org/sploits/ping-o-death.html

Fix:

- Add checks in the reassembly process of servers and hosts
- Add checks in the firewall to protect hosts whose bug has not been fixed
- Check that the reassembled datagram (header plus the largest Fragment Offset plus that fragment's payload length) stays within 65,535 bytes, or within the maximum the host allows

Relevant IPv4 header fields: Total Length (16 bits), Flags (3 bits, including More Fragments), Fragment Offset (13 bits, in units of 8 bytes).
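The reassembly check described under "Fix" above, as an added example (not code from the slides or from any operating system's IP stack): a parser for the IPv4 header fields that govern reassembly, a bound check on the size the datagram would reach, and a small reassembler that discards a whole datagram when any fragment breaks the bound. The fragments are constructed with build_fragment() in the block; no real packets are involved.

```python
# Added example (not from the slides): parse the IPv4 header fields that govern
# reassembly and reject any fragment that would push the reassembled datagram
# past the 65,535-byte IPv4 maximum, the check the slide's fix describes.
# Packets here are constructed with build_fragment(); no real traffic is used.
import struct

IPV4_MAX_DATAGRAM = 65535          # Total Length is a 16-bit field


def build_fragment(ident, offset_bytes, payload_len, more_fragments):
    """Minimal IPv4 header (RFC 791 layout, no options) plus a zero-filled payload."""
    if offset_bytes % 8:
        raise ValueError("fragment offsets are in units of 8 bytes")
    flags_frag = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + payload_len, ident, flags_frag,
                         64, 1, 0,                      # TTL, protocol ICMP, checksum (unset)
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + b"\x00" * payload_len


def parse_ipv4_header(pkt):
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_length, ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "ihl": ihl,
        "total_length": total_length,
        "mf": bool(flags_frag & 0x2000),          # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,       # 13-bit offset, 8-byte units
        "payload_len": total_length - ihl,
    }


def reassembled_end(hdr):
    """Size the datagram reaches once this fragment is placed: header plus the
    byte after the fragment's last payload byte."""
    return hdr["ihl"] + hdr["offset"] + hdr["payload_len"]


def fragment_is_safe(hdr, max_size=IPV4_MAX_DATAGRAM):
    return reassembled_end(hdr) <= max_size


class Reassembler:
    """Tracks fragments per IP ID and discards the whole datagram on an oversize fragment."""

    def __init__(self, max_size=IPV4_MAX_DATAGRAM):
        self.max_size = max_size
        self.pending = {}     # ident -> {"received": bytes so far, "end": total size or None}
        self.rejected = []    # IDs dropped by the size check

    def feed(self, pkt):
        hdr = parse_ipv4_header(pkt)
        if not fragment_is_safe(hdr, self.max_size):
            self.pending.pop(hdr["id"], None)    # drop everything collected for this ID
            self.rejected.append(hdr["id"])
            return "rejected"
        entry = self.pending.setdefault(hdr["id"], {"received": 0, "end": None})
        entry["received"] += hdr["payload_len"]
        if not hdr["mf"]:
            entry["end"] = hdr["offset"] + hdr["payload_len"]
        if entry["end"] is not None and entry["received"] >= entry["end"]:
            del self.pending[hdr["id"]]
            return "complete"
        return "pending"


def demo():
    r = Reassembler()
    # Ordinary 4,000-byte ICMP echo split into three fragments.
    normal = [r.feed(build_fragment(1, 0, 1480, True)),
              r.feed(build_fragment(1, 1480, 1480, True)),
              r.feed(build_fragment(1, 2960, 1040, False))]
    # Ping of Death shape: last fragment at the maximum offset with enough payload
    # to carry the datagram past 65,535 bytes.
    evil = [r.feed(build_fragment(2, 0, 1480, True)),
            r.feed(build_fragment(2, 65528, 100, False))]
    return normal, evil, r.rejected


if __name__ == "__main__":
    print(demo())
```

Note the check is applied per fragment as it arrives, before any copy into the reassembly buffer: waiting until the last fragment shows up is too late, because the oversized fragment is the one that does the damage. The same bound is what a filtering firewall can enforce on behalf of hosts that were never patched.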

Page 11

Distributed DoS (DDoS) Attack

- The attacker hacks into multiple clients and plants handler programs and Zombie programs on them
- The attacker sends attack commands to the Handlers, which relay them to the Zombie programs; the Zombies execute the attack by flooding the server with DoS messages
- A widely publicized early example was the Mafiaboy attack of February 2000 against cnn.com, ebay.com, etrade.com, yahoo.com, etc.

[Figure: the attacker sends an attack command to a Handler; the Handler forwards the attack command to computers running Zombie programs; each Zombie sends DoS messages to the server.]

Page 12

Buffer Overflow Attack

Occurs when an ill-written program lets data destined for a memory buffer overflow into adjacent memory, overwriting the instructions or control data stored there.

If the data contains malware, the malware could run and create a DoS (or give the attacker control of the program).

Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD

[Figure: before the attack, a 6-cell buffer (1 2 3 4 5 6) sits next to the instructions "Print", "Run Program", "Accept input". After the input is copied without a length check, the buffer holds A B C D E F and the overflow "LET JOHN IN WITHOUT PASSWORD" has overwritten the adjacent instructions.]

Page 13

Keyloggers

Used to capture keystrokes on a computer. Two kinds: hardware and software.

- Software keyloggers behave like Trojan programs
- Hardware keyloggers are easy to install: the device plugs in between the keyboard and the computer (e.g., KeyKatcher and KeyGhost)

Page 14

Summary Questions

- Describe SYN flooding.
- What is a Zombie program?
- Explain how a Ping of Death attack occurs.
- Explain the difference between DoS and DDoS.
- Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability?
- What is a Buffer Overflow attack?
- What is a hardware keylogger?

Page 15

Footprinting

Page 16

Footprinting

Process of collecting information about an organization: its network, its IP address ranges, its IP address registration, and the people responsible for its networks and computers.

Footprinting is conducted through social engineering and by researching information:

- From printed resources
- From online resources

Footprinting tools/techniques:

- Gathering WHOIS information
- Performing web reconnaissance
- DNS interrogation

Page 17

Understanding Footprinting Lab (Lab 4)

You must understand the footprinting activities performed in Lab 4. In particular:

- What footprinting tools were used
- What can be done with each

You are allowed to have your lab sheet during the exam.

Page 18

Scanning

Page 19

What is Scanning?

- Step after footprinting
- Referred to as port scanning, service scanning, or network scanning
- Process of probing a range of IP addresses in order to determine which hosts are live and what services/programs are running on the networked computers
- Typically performed using scanning tools:
  - Command line utilities like Fping, Hping, nmap, tcpdump, etc.
  - GUI scanners

[Sidebar: the testing sequence is 1. Footprinting, 2. Scanning, 3. Enumeration, 4. Attack; the steps before the attack are labeled "Searching vulnerabilities".]

Page 20

Types of Port scanning

SYN scan: In a normal TCP session, the client first sends the server a TCP packet with the SYN flag set. The server responds with a packet having both the SYN and ACK flags set, acknowledging the SYN. The client then replies with an ACK of its own, completing the connection. In a SYN scan the scanner sends only the SYN: a SYN/ACK reply means the port is open, a RST means it is closed, and no reply means a filter is probably dropping the probe. The scanner answers an open port's SYN/ACK with a RST instead of an ACK, so the 3-way handshake is never completed and the application never receives a connection; the "transaction" therefore does not appear in the application's logs (after all, you don't want the log to show your IP address). Packet-level logging, such as a firewall or IDS, can still record the SYN.

FIN scan: A TCP packet with only the FIN flag set is sent to the target computer to "see" how it reacts. Normally, a FIN is sent when one side is ready to terminate an established connection, and the other side responds with an ACK acknowledging the disconnect. A FIN arriving for a port with no connection is answered with a RST if the port is closed and silently ignored if the port is open, so no reply means "open or filtered".

NULL scan: In a NULL scan all the packet flags are turned off, meaning none of the RST (reset), FIN, SYN, or ACK flags is set. If the target port is closed, the target responds with a TCP RST packet. If the port is open, the target sends no reply, so the scanner reports that port as open (more precisely, open or filtered, since a firewall that drops the probe produces the same silence).

ACK scan: A TCP packet with only the ACK flag set is sent. Because there is no connection for the ACK to belong to, a host that receives it replies with a TCP RST whether the port is open or closed, so an ACK scan cannot tell open from closed. It is used to confirm that a host (for example, a web site configured not to respond to ICMP pings) is active and that the port is not filtered: a RST confirms the packet reached the host, while no reply indicates a filtering device in the path.

TCP Connect scan: The full 3-way handshake described under SYN scan above. The scanner sends a packet with the SYN flag set, the target responds with the SYN and ACK flags set, and the scanner completes the connection with a packet containing the ACK flag. Unlike in a SYN scan, the connection is handed to the application, so the "transaction" is logged.

[Figure: SYN, SYN/ACK, ACK exchange.]

Page 21

Types of Port scanning (cont)

XMAS scan: In this kind of scan the FIN, PSH, and URG flags are set (the packet is "lit up like a Christmas tree"). Closed ports respond with a RST packet, so the scan can be used to determine which ports are closed and, by elimination, which may be open. Not getting a RST packet doesn't necessarily mean that the port is open, because firewalls or other packet filtering devices may be configured to drop the scan packet. Note also that some TCP stacks (Windows among them) reply RST to FIN, NULL and XMAS probes regardless of port state, so these scans report every port on such hosts as closed.

UDP scan: In this scan a UDP packet is sent to the target computer. If the computer sends back an ICMP "Port unreachable" message, the port is closed. Not getting this message doesn't mean that the port is open, because firewalls or other packet filtering devices may be configured to drop the UDP scan packet (and many UDP services do not answer an empty probe at all), so a silent port is reported as "open or filtered".
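The two slides on scan types come down to a flag byte per probe and a rule for reading the answer. The following is an added example, not code from the slides or from nmap: it builds the flag byte for each scan type, classifies the target's response the way the slides describe (with the open|filtered and unfiltered cases spelled out), and models a target host so that it runs offline. The host model, including the rst_to_all switch for stacks that answer every FIN/NULL/XMAS probe with RST, is constructed for the example.

```python
# Added example (not from the slides): the flag byte each scan type puts in its
# probe and the rule for reading the target's answer. No packets are sent; a
# small model of the target (target_response) stands in for a live host.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

PROBE_FLAGS = {
    "syn": SYN,
    "connect": SYN,              # same first packet; the scanner then finishes the handshake
    "fin": FIN,
    "null": 0,
    "xmas": FIN | PSH | URG,
    "ack": ACK,
}


def classify(scan, response):
    """Map a probe's answer to a port state.
    response: 'syn-ack', 'rst', 'icmp-unreachable', 'udp', or None (silence)."""
    if scan in ("syn", "connect"):
        return {"syn-ack": "open", "rst": "closed"}.get(response, "filtered")
    if scan in ("fin", "null", "xmas"):
        # RFC 793: a closed port answers RST, an open port discards the segment,
        # and a firewall that drops the probe looks exactly like an open port.
        return {"rst": "closed"}.get(response, "open|filtered")
    if scan == "ack":
        # Says nothing about open/closed: any reachable port answers RST.
        return {"rst": "unfiltered"}.get(response, "filtered")
    if scan == "udp":
        return {"icmp-unreachable": "closed", "udp": "open"}.get(response, "open|filtered")
    raise ValueError(f"unknown scan type {scan!r}")


def target_response(scan, port_open, firewall_drops=False, rst_to_all=False):
    """Constructed model of a target. rst_to_all mimics stacks (Windows among them)
    that answer FIN/NULL/XMAS probes with RST regardless of port state."""
    if firewall_drops:
        return None
    if scan in ("syn", "connect"):
        return "syn-ack" if port_open else "rst"
    if scan in ("fin", "null", "xmas"):
        return "rst" if (rst_to_all or not port_open) else None
    if scan == "ack":
        return "rst"
    if scan == "udp":
        return None if port_open else "icmp-unreachable"   # most services ignore an empty probe
    raise ValueError(f"unknown scan type {scan!r}")


def wire_exchange(scan):
    """Segments exchanged with an OPEN port; shows why only the connect scan reaches
    the application and its logs."""
    if scan == "syn":
        return ["SYN ->", "<- SYN/ACK", "RST ->"]            # torn down before completion
    if scan == "connect":
        return ["SYN ->", "<- SYN/ACK", "ACK ->", "RST ->"]  # accept() succeeds, then close
    return [f"flags=0x{PROBE_FLAGS[scan]:02x} ->", "(no reply)"]


def scan_port(port_open, **target_opts):
    """Run every scan type against one modelled port and collect the verdicts."""
    return {scan: classify(scan, target_response(scan, port_open, **target_opts))
            for scan in ("syn", "connect", "fin", "null", "xmas", "ack", "udp")}


if __name__ == "__main__":
    print("open port:   ", scan_port(True))
    print("closed port: ", scan_port(False))
    print("behind fw:   ", scan_port(True, firewall_drops=True))
    print("Windows open:", scan_port(True, rst_to_all=True))
```

Running the four cases side by side shows the caveats from the slides: behind a dropping firewall the SYN and ACK scans say "filtered" while the stealth scans can only say "open|filtered", and against a stack that answers every FIN/NULL/XMAS probe with RST, those scans report an open port as closed.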

Page 22

Understanding Scanning Lab (Lab 5)

You must understand the scanning activities performed in Lab 5. In particular:

- What scanning tools were used
- What can be done with each
- What kind of information can be collected using the tools

You are allowed to have your lab sheet during the exam.

Page 23

Enumeration

Page 24

What is Enumeration?

Security testing step to be performed after:

- Discovering live targets >> [Scanning]
- Determining open ports and services hosted by the discovered live targets >> [Scanning]
- Determining the OS >> [Scanning]

Process of extracting the following from targets:

- Available resources or shares
- User/group names and passwords

Enumeration is more intrusive than footprinting and scanning because you actually try to access resources.

Typically performed using enumeration tools like:

- NetBIOS name scanners
- Share scanners
- Vulnerability scanners such as Nessus

[Sidebar: the testing sequence is 1. Footprinting, 2. Scanning, 3. Enumeration, 4. Attack; the steps before the attack are labeled "Searching vulnerabilities".]

Page 25

Understanding Enumeration Lab (Lab 6)

You must understand the enumeration activities performed in Lab 6. In particular:

- What enumeration tools were used
- What can be done with each
- What kind of information can be collected using the tools

You are allowed to have your lab sheet during the exam.