PIRMG4 l TCP SYN Flooding (SYN Attack) l ICMP_Echo Flooding (Ping Attack) l ICMP_Echo Flooding (Smurf Attack) l UDP_Echo Flooding (Fraggle) l ICMP_ECHO Reply Flooding (Ping of Death) l Distributed Denial Of Service 3 Trinoo 3 Tribe Flood Network (TFN) Denial of Service Attacks
6 TCP CONNECTION SYN=1 ACK=0 141521 win 4096 SYN = 1 ACK = 1 181521 141522 win 4096 SYN = 0 ACK = 1 181522 Segment 1 Segment 2 Segment 3 CLIENT SERVER THREE-WAY CONNECTION l Segment 1 shows the client sending a SYN segment with an Initial Sequence Number of 141521. The ISN is randomly generated. This is called an Active Open. The field win 4096 shows the advertised window size of the sending station while the field shows the receiving maximum segment size specified by the sender. SYN=1, ACK=0. l Segment 2 shows the server responding with a SYN segment of 181521 and ACKnowledging the clients ISN with ISN + 1. This is called a Passive Open. SYN=1,ACK=1 l Segment 3 shows the client responding by ACKnowledging the servers ISN with ISN + 1. SYN=0,ACK=1. l Data can now be transmitted. THREE-WAY CONNECTION
PIRMG7 Attack Method. l Most hosts will only support 8-16 simultaneous communication channels. l The Hacker sends a sequence of SYN packets. 4 Each SYN packet (about 120 /second) has a different and unreachable IP address. l This consumes all the communication channels and results in a denial to any TCP based service. Countermeasure. l Expand the number of ports, reduce the time-out period, validate TCP request packets. TCP SYN Flooding SYN=1 ACK=0 141521 win 4096 (unreachable address SYN = 1 ACK = 1 181521 141522 win 4096(unreachable address) Hacker SYN = 1 ACK =1 181521 141687 win 4096(unreachable address) SYN = 1 ACK = 1 181521 141723 win 4096(unreachable address) SYN=1 ACK=0 141686 win 4096 (unreachable address) SYN=1 ACK=0 141721 win 4096 (unreachable address) Unreachable IP Address Legitimate Client is denied access Legitimate Client Target Host
PIRMG9 Ping Attack l The Hacker sends an ICMP Echo request to the target expecting an ICMP echo reply to be returned for each request. l The hacker, because of the high bandwidth, can send more requests then the target can handle. Countermeasures l No known defense ICMP ECHO Flooding Hacker INTERNET Target Packet 1 Packet 2 Packet 3 Packet 5 Packet 4 Packet n 128K Link T-1 Link Packet n
11 SMURF Attack l The Hacker sends an ICMP Echo request to the target network with a destination broadcast address and a spoofed source address of the target. l The network serves as a "bounce site" and returns an Echo Reply for each station on the network. 4 The network serves to multiply the effect of the "ping". The Echo Request could be sent to multiple networks. Countermeasures l Disable IP-directed broadcasts at your router. l Configure the workstation to not respond to an IP broadcast packet. ICMP ECHO Flooding Hacker INTERNET Target Packet 5 Packet n Echo Request Echo Reply
PIRMG12 DoS LAND attack In LAND attack a crafted SYN packet is send in which a source IP address and Port no is same as of destination IP and port causing some implementations of TCP/IP to allocate excessive resources and slow down and eventually reboot or hang.
14 Ping o' Death Attack l ICMP, an integral part of IP, is utilized to report network errors. l PING (Packet InterNet Grouper) utilizes ICMP Echo and Reply packets to test host reachability. l ICMP messages normally consist of the IP Header and enclosed ICMP data with a default size of 64 bytes. 4 If the Hacker sends an ICMP Echo request that is greater than 65,536 this can crash or reboot the system. l A newer attack method modifies the header to indicate that there is more data in the packet than there actually is. Countermeasure l Router updates that check the size of the ICMP packet. l Block PING (ICMP) traffic at the Firewall. ICMP ECHO Request Attack Hacker INTERNET Target Packet > 65,536 128K Link T-1 Link Packet > 65,536
16 Other DOS Attacks l Papasmurf: A combination of Smurf and Fraggle. l Land: A spoofed packet where: 4Source IP = Destination IP 4Source Port = Destination Port l Latierra: A Land relative that sends multiple land packets to multiple ports. l Jolt2: A stream of packet fragments none of which have an offset of zero. l Winnuke: Sends out of band packets to port 139 on the victims machine.
PIRMG17 Distributed Denial of Service Attacks - DDoS -
PIRMG18 l DOS is designed to bring down a network or a computer by overloading it with large amounts of network traffic using TCP, UDP or ICMP. 4 Past attacks have been from a single source and were relatively easy to detect. 4 Current attacks now use distributed system tools such as Trinoo and TFN 4 Distributed DOS tools launch simultaneous attacks from multiple computer systems at individual or multiple targets. 4 Almost impossible to track to the source. General
PIRMG19 l Trinoo/WinTrinoo 4 The earliest DDoS. 4 Initiates a UDP flood attack. 4 Communicates between Master and Agents with unencrypted TCP/UDP. 4 Root access is not needed to launch the attack. l Tribal Flood Network (TFN)/TFN2K) 4 Employs Smurf, UDP, ICMP and TCP SYN floods. 4 Communicates between Master and Agents with ICMP_ECHO REPLY packets. * Commands are sent as part of the ICMP ID field. 4 The Agent is silent and does not reply to the Master. The Master sends multiple commands to the agent. 4 Agent host root or Administrator privileges are required. Common DDoS Types
PIRMG20 Fragmentation Attack l Teardrop Attack l Fragment Overflow Attack
22 Teardrop Attack Teardrop attack involves sending two IP fragments, the later contained entirely in the former, causing the server to allocate too much of memory and crash. Many Implementations of TCP/IP cannot handle this behavior.
23 Teardrop Attack VERS FCS PREAMBLE DESTINATION ADDRESS SOURCE ADDRESS FIELD TYPE ETHERNET 0-65535 2 6 6 8 4 HLEN TOS Total Length 4 bits 8 bits16 bits Identification 16 bits Flags 3 bits Fragment Offset 13 bits TTL 8 bits Protocol 17 Checksum 16 bits Source IP Address 32 bits Destination IP Address 32 bits IP Options(if any) 32 bits 0 15 16 31 IP Header UDP Header IP HEADER UDP HEADER DATA UDP Source Port UDP Message Length Data UDP Destination Port UDP Checksum... 53
24 Teardrop Attack VERS HLEN TOS Total Length 4 bits 8 bits 16 bits Identification Flags Fragment Offset TTL 8 bits Protocol 8 bits Checksum 16 bits Source IP Address 32 bits Destination IP Address 32 bits IP Options(if any) 32 bits IP Datagram Data 32 bits 0 15 16 31 60 bytes 20 bytes <= 40 bytes MTU = 1500 MTU = 512 Fragment 1 TL512 ID26313 DF0 MF1 OS0 Fragment 2 TL32 ID26313 DF0 MF0 OS1 l This attack takes advantage of a bug in the IP fragmentation reassembly code. The code checks for the fragment length that is too large but not for a fragment length that is too short. The attack is directed toward NT, WIN 95 and Linux boxes 3 Encapsulate a UDP packet inside an IP packet. 3 Spoof the source IP address and Port 3 Create two specially constructed IP fragments The first packet has the OS = 0, MF = 1 and a size of N. The second packet has the OS < N, MF = 0 and a size < N. l NT/WIN 95 can normally withstand 5-10 pair attacks before it crashes or reboots. l Fixes have been posted by Microsoft. Teardrop Attack Concept 0 Rec Fragment 1 Hacker Target Rec Fragment 2 2 512 bytes 32 bytes
PIRMG26 Fragment Overflow Attack Attack Method l The IP Data Length field is 16 bits so each datagram can have a maximum size of 65515. l Intermediate routers can fragment the datagram based upon the MTU of the next network. 4 The MF flag set to 0 indicates the last packet. l If the receiving station does not receive a last packet it keeps allocating buffer space until an overflow occurs and the system crashes. Countermeasures l No known defense VERS HLEN TOS Total Length 4 bits 8 bits16 bits Identification 16 bits Flags Fragment Offset 13 bits TTL 8 bits Protocol 8 bits Checksum 16 bits Source IP Address 32 bits Destination IP Address 32 bits IP Options(if any) (<= 40 bytes) IP Datagram Data 0 D F F M
PIRMG28 Spoofing Attacks l IP Spoof. 3 TCP Sequence Attack. l ARP Spoof. l ICMP Spoof. l RIP Spoof.
PIRMG29 IP Spoof Attack l The IP attack is really a trust-relationship exploitation. A trusted relationship only requires IP address based authentication. l The attack is composed of several components. 3 Identify a host target. 3 Identify a host with a trusted relationship with the target. 3 Execute a Denial of Service attack against the trusted host(eg.A TCP SYN Attack). 3 Sample and guess the TCP sequence number of the target. 3 Impersonate the trusted host and attempt a connection that only requires address based authentication.
PIRMG30 IP SPOOFING Screening Router 220.127.116.11 18.104.22.168 181.10.13. 1 Hacker packet APPEARS to come from 22.214.171.124 1. Hacker assumes source address 126.96.36.199 in order to fool the screening Router by appearing to reside on the internal network ( a trusted host). 2. Screening Router is fooled into believing that this packet is coming from an internal address. Internet From:188.8.131.52 To: 184.108.40.206 NET: 220.127.116.11 NET: 18.104.22.168 Target Countermeasure This attack can be defeated by filtering on both the input and output ports of the Firewall. packet REALLY comes from hacker
PIRMG33 DNS Attacks Background 1.The DNS Server: 3 Translates hostnames into IP addresses. 3 Translates IP addresses into hostnames. 3 Provides host information, etc. 2. There are three main categories of DNS servers: 3 primary: There is only one primary server for each domain. All domain data is derived from this server. * It is loaded by the Domain Administrator. The primary server is authoritative. 3 secondary: There can be more than one secondary server per domain. It acts as a backup to the primary. * The domain database is transferred, zone file transfer, from the primary to the secondary on a scheduled basis. 3 cache-only: These servers acquire their information from other name servers. It then caches the information. These servers are non-authoritative. Internet DNS.Server.Com Host.Target.Com Hacker.Bad.Com DNS.Bad.Com
PIRMG34 DNS Attacks Background Contd 3. DNS server does this by maintaining the following files: 3 named.hosts: The zone file that maps host names into IP addresses. 3 named.rev: The reverse main zone file that maps IP addresses into host names. 3 named.ca: Addresses pointing to the root domain servers. 3 named.local: The loop back address - 127.0.0.1. 3 named.boot:: Contains the named parameters and points to the source of the domain data base information. 4. The local DNS server maintains a cache of its most recent queries. 3 It examines this cache first to see if it already knows the answers. 3 If not it forwards the query to other DNS servers for an answer. 3 Upon receiving the answer it updates its DNS cache and forwards the response to the client. Internet DNS.Server.Com Host.Target.Com Hacker.Bad.Com DNS.Bad.Com Possible Attacks. 3 Poison the DNS cache. 3 Poison the Name Server. 3 Imitate the Name Server.
PIRMG35 Attack 1: DNS Cache Poisoning 1. The hacker.bad.com sends a recursive query to DNS.server.com requesting the IP address of unknown.bad.com. 2. DNS.server.com is not authoritative for this domain so it queries DNS.bad.com. 4 The Hacker is monitoring this query to determine the recursive query ID. 4 The Hacker needs this ID to fool the DNS server into taking the poison. 3. Hacker.bad.com submits a query to DNS.server.com looking for the address of www.anyone.com. 4. The hacker immediately spoofs the reply with a response of www.anyone.com = 127.0.0.1. 4 This seeds the DNS server. 4 The IP address could be any address specified by the Hacker. The Seed Internet DNS.Server.Com Host.Target.Com Hacker.Bad.Com DNS.Bad.Com (1) What is the IP address of Unknown.Bad.Com? (2) What is the IP address of www.anyone.com? (3) What is the IP address of www.anyone.com? (4) The IP address of www.anyone.com is 127.0.0.1!
PIRMG36 Attack 1: DNS Cache Poisoning Internet DNS.Server.Com Host.Target.Com 1. Target.good.com sends a query to DNS.server.com wanting to connect to www.anyone.com. 2. DNS.server.com responds with the address in the poisoned cache. The Spoof Hacker.Bad.Com DNS.Bad.Com What is the IP address of www.anyone.com? The IP address of www.anyone.com is 127.0.0.1!
PIRMG38 B B l Ethernet operates in a broadcast mode. Each station looks for its physical address. l The Hacker can operate a Sniffer on the Ethernet LAN in the promiscuous mode to look for: 4 Unencrypted passwords 4 Encrypted passwords 4 Private data 4 Financial information(account numbers) 4 Low level protocol information l A Sniffer attack is normally a prelude to other type attacks. Host A Host B Hacker l Host A Telnets to Host B with its User Name and Password. l Hacker steals password for later use. Concept Action Sniffer Attack l Segment the LANs. l Encrypt the passwords w/ a timestamp. l Zero-knowledge authentication (card, ring,etc) Countermeasures
PIRMG40 Normal FTP Connection 1. The Client opens a FTP command channel to server (Port 21) and tells the server its data port number (Port 4141). 2. The server acknowledges the request. 3. The server opens the data channel (Port 20) to the clients data channel (Port 4141). 4. The client acknowledges this connection. The Attack Concept. 1. The PORT command has the form n1,n2,n3,n4,n5,n6. 2. The client IP address(n1.n2.n3.n4) and port(n5 x 256+n6) FTP CONNECTION EXAMPLE FTP Server FTP Client Port 20 Port 21 Port 4140 Port 4141 Port (IP Address, 4141) :"OK" Data Channel :"OK"
PIRMG41 Normal FTP Connection 4 The Client opens a FTP command channel to server (Port 21) and tells the server its data port number (Port 4141). 4 The server acknowledges the request. 4 The server opens the data channel (Port 20) to the clients data channel (Port 4141). 4 The client acknowledges this connection. FTP CONNECTION EXAMPLE Contd FTP Server FTP Client Port 20 Port 21 Port 4140 Port 4141 "Port 4141" :"OK" Data Channel :"OK" :"PASV" :"OK 2266" Port 2266 Data Channel :"OK" Passive FTP Connection 4 The Client opens a FTP command channel to server (Port 21) in a passive mode. 4 The server acknowledges the passive mode and allocates Port 2266 to be the clients data channel. 4 The client opens the data channel from it data channel (Port 4141 to the servers data channel (Port 2266). 4 The server acknowledges the data connection.
PIRMG42 FTP Bounce Attack Concept Hacker Server Bounce Server 4 The Target Server will allow a connection from the Bounce Server. 4 The Hacker cannot access the Target server. 4 The hacker can perform the ftp passive mode on her machine. 4 A world writable directory is available to the incoming ftp connection. The Hacker 4 The Hacker can open an ftp passive mode on her server. Target Server
PIRMG43 FTP Bounce Attack - Phase 1 Hacker Server The Hacker 4 The Hacker opens an ftp connection to her server. 4 She changes to a writable directory and issues an: * ftp "pasv" command and an * ftp "stor" command 4 She remembers the IP address and port(H,H,H,H,P,P) returned by the "pasv" command. 4 She constructs a file called "retrvit" containing a series of ftp commands that will: * Sign onto the Target Server. * Change the directory to the desired file. * Use the FTP Port command to specify the IP address and port(H,H,H,H,P,P) of the Hacker Server.
44 FTP Bounce Attack - Phase 2 Hacker Server Bounce Server Target Server The Hacker l She then: 4 Transfer the file "retrevit" to the Bounce Server, 4 Opens a port to the target and 4 issues the command "retrevit" l She opens an ftp command connection to the Bounce Server, logs in anonymously and changes to a world writable incoming directory. l This series of commands opens a port to the target server and executes the ftp commands contained in the "retrivit" command. l The commands contained within "retrevit" specifies that a : * connection should be established to the IP address and port (H,H,H,H,P,P) of the Hacker Server and that * the desired fields should be downloaded to the Hacker Server.
PIRMG45 Web Attacks Cross Side Scripting SQL Injection Directory transversal Command Injection Malicious Code Execution
PIRMG47 XSS Many web sites contain forms, which are used to post information such as names and addresses, or comments on bulletin boards. The hacker can inject scripting code into the vulnerable web server using the forms. Scripting code includes tags such as. The code can instruct the server to send its cookies to another location, such as another web site (hence the name: Cross Site Scripting), where the hacker can see the cookies. These cookies might contain the login credentials
PIRMG49 XSS Consider the following URL: http://www.example.com/search.pl?text= alert(document.cookie) http://www.example.com/search.pl?text= alert(document.cookie)</script If an attacker can get us to select a link like this and the Web application does not validate input, then our browser will pop up an alert showing our current set of cookies. This particular example is harmless; an attacker can do much more damage, including stealing passwords, resetting your home page, or redirecting you to another Web site.
PIRMG50 SQL Injection In SQL injection attack the attacker can Execute commands thru forms or as a URL. With SQL, the CGI inserts the input data into a string which is then submitted to an SQL server. The attack is to add characters to the input so that extra SQL commands are performed or so the action is done on more database entries than expected. Example- a web address www.example.com/article.asp/id=2 it has a file, parameter and value fields. www.example.com/article.asp/id=2
PIRMG51 SQL Injection In this case a script may use only numeric values. If a letter is sent instead, the script should reject the request. Not doing so means malicious commands can make it to the database. The commands can be SQL query and based on the result of the query the attacker can proceed with other queries. Also the attacker can bypass login.
PIRMG52 SQL Injection Start with a single quote trick. Input something like: hi' or 1=1-- Into login, or password, or even in the URL. Example: - Login: hi' or 1=1-- - Pass: hi' or 1=1-- - http://duck/index.asp?id=hi' or 1=1-- If you must do this with a hidden field, just download the source HTML from the site, save it in your hard disk, modify the URL and hidden field accordingly.http://duck/index.asp?id=hi
PIRMG53 SQL Injection http://duck/Search/search.asp If luck is on your side, you will get login without any login name or password.
PIRMG54 Command Injection Command injection attacks allow a remote attacker to execute operating system commands disguised as a URL or form input to the web server. A successful system command execution can provide a remote attacker with administrative access to a web server. This could result in damage such as defacement of the web site, data theft or data loss. Commands are to be Injected using HTTP request like %20%ls%0x81
PIRMG55 Directory Transversal Attacker try to access files and folders he is not supposed to access and may run malicious code by just typing deep character crossing root directory like www.example.com/abc/Newuser?Image=../../database/rbsserv.mdb Also can try with encoded characters like http:// >/............/autoexec.bat%5%2%a% etc. http:// >/............/autoexec.bat
PIRMG56 Defense Block /Script tags Form input should be validated before passing to database. Invalid value should not give information about wrong input. Non ASC II characters should be blocked. Block some unsafe HTTP methods like Delete, Options, Trace etc.
PIRMG57 Links http://www.antiserver.it/Cisco-Exploit/ http://staff.washington.edu/dittrich/misc/ddos/ http://www.extropia.com/tutorials/sql/toc.html http://www.l0t3k.org/security/tools/packetgenerator/ http://www.zone-h.org/en/download/category=52/ Some Tools used- Hping, SendIP, Retina Scanner, Nmap, Nessus, Nstealth, Web Sleuth, Webinject, Netcat Some other tools- John-The ripper, Lophtrack, Legion, SubSeven.