1. Intrusions (vulnerability, exploit) Intrusion phases Reconnaissance (non-technical, technical) – Interrogating DNS, split-horizon DNS Scanning – Learn about live machines, open ports, firewall rules, network topology, OSes, vulnerabilities – NATs – Firewalls Gaining access – Buffer overflow attacks – Sniffing – ARP poisoning, DNS poisoning – Spoofing TCP sessions Summary From the Last Lecture

2. Midterm in two weeks Midterm review next week – We will go over two sample midterms, posted on class Web page – Bring any questions you may have Reading list posted on the class Web page Announcements

3. Packet (stateless) firewall – Rules speak about IP/TCP header fields – No connection state kept – E.g. drop all traffic with TCP SYN and src IP from the outside Statefull firewall – Connection state is kept – E.g. drop all traffic except TCP ACK on established TCP connections Proxy firewall – Act as a middleman to every connection, i.e. act as the destination and the source for every connection. – Can normalize protocols, reset TTL fields, etc. Firewall Types

4. Phase 4: Maintaining Access Attacker establishes a listening application on a port (backdoor) so he can log on any time with or without a password Attackers frequently close security holes they find to stop others from taking over their compromised machines

5. Netcat Tool Similar to Linux cat command – http://netcat.sourceforge.net/ – Client: Initiates connection to any port on remote machine – Server: Listens on any port – To open a shell on a victim machine On victim machine: nc –l –p 1234 /* This opens a backdoor */ On attacker machine: nc 123.32.34.54 1234 –c /bin/sh /* This enters through a backdoor, opens a shell */ Dangerous

6. Netcat Tool Used for – Port scanning – Backdoor – Relaying the attack (stepping stones)

7. Trojans Application that claims to do one thing (and looks like it) but it also does something malicious Users download Trojans from Internet (thinking they are downloading a free game) or get them as greeting cards in E-mail, or as ActiveX controls when they visit a Web site Trojans can scramble your machine – They can also open a backdoor on your system, steal data, misuse your machine, etc. They will report successful infection to the attacker

8. Back Orifice Trojan application that can – Log keystrokes – Steal passwords – Create dialog boxes – Mess with files, processes or system (registry) – Redirect packets – Set up backdoors – Take over screen and keyboard – http://www.bo2k.com/Dangerous

9. Trojan Defenses Antivirus software Don’t download suspicious software Check MD5 sum on trusted software you download Disable automatic execution of attachments

10. At the End of Maintaining Access The attacker has opened a backdoor and can now access victim machine at any time

11. Phase 5: Covering Tracks Rootkits Alter logs Create hard-to-spot files Use covert channels

12. Application Rootkits Alter or replace system components (for instance DLLs) E.g., on Linux attacker replaces ls program Rootkits frequently come together with sniffers: – Capture a few characters of all sessions on the Ethernet and write into a file to steal passwords – Administrator would notice an interface in promiscuous mode Not if attacker modifies an application that shows interfaces - netstat

13. Application Rootkits Attacker will modify all key system applications that could reveal his presence – List processes e.g. ps – List files e.g. ls – Show open ports e.g. netstat – Show system utilization e.g. top He will also substitute modification date with the one in the past

14. Defenses Against App. Rootkits Don’t let attackers gain root access Use integrity checking of files: – Carry a CD with md5sum, check hashes of system files against hashes advertised on vendor site or hashes you stored before Use Tripwire – Free integrity checker that saves md5 sums of all important files in a secure database (read only CD), then verifies them periodically – http://www.tripwire.org/

15. Kernel Rootkits Replace system calls – Intercept calls to open one application with calls to open another, of attacker’s choosing – Now even checksums don’t help as attacker did not modify any system applications – You won’t even see attacker’s files in file listing – You won’t see some processes or open ports Usually installed as kernel modules Defenses: disable kernel modules

16. Altering Logs Attackers can: – Stop logging services – Load files into memory, change them – Restart logging service – Or simply change log file through scripts Change login and event logs, command history file, last login data

17. Defenses Against Altering Logs Use separate log servers – Machines will send their log messages to these servers Encrypt log files Make log files append only Save logs on write-once media

18. Creating Hard-to-Spot Files Names could look like system file names, but slightly changed – Start with. – Start with. and add spaces – Make files hidden Defenses: intrusion detection systems and caution

19. Denial of Service

20. Distributed Denial Of Service?

22. Denial of Service Attacks Unlike other forms of computer attacks, goal isn’t access or theft of information or services The goal is to stop the service from operating – To deny service to legitimate users – Slowing down may be good enough This is usually a temporary effect that passes as soon as the attack stops

23. How Can a Service Be Denied? Lots of ways – Crash the machine – Or put it into an infinite loop – Crash routers on the path to the machine – Use up a key machine resource – Use up a key network resource – Deny another service needed for this one (DNS) Using up resources is the most common approach

24. High-level Attack Categorization Floods Congestion control exploits Unexpected header values Invalid content Invalid fragments Large packets Impersonation attacks

25. Simple Denial of Service 25

26. Simple Denial of Service One machine tries to bring down another machine There is a fundamental problem for the attacker: – The attack machine must be “more powerful” than the target machine to overload it OR – Attacker uses approaches other than flooding The target machine might be a powerful server

27. Denial of Service and Asymmetry Sometimes generating a request is cheaper than formulating a response e.g. sending a bogus packet is cheaper than decrypting this packet and checking that it’s bogus If so, one attack machine can generate a lot of requests, and effectively multiply its power Not always possible to achieve this asymmetry This is called amplification effect

28. DDoS “Solves” That Problem Use multiple machines to generate the workload For any server of fixed power, enough attack machines working together can overload it Enlist lots of machines and coordinate their attack on a single machine

29. Distributed Computing

30. Typical Attack Modus Operandi

31. Is DDoS a Real Problem? Yes, attacks happen every day – One study reported ~4,000 per week 1 On a wide variety of targets Tend to be highly successful There are very few mechanisms that can stop certain attacks There have been successful attacks on major commercial sites 1 ”Inferring Internet Denial of Service Activity,” Moore, Voelker, and Savage, Usenix Security Symposium, 2002

32. DDoS on Twitter August 2009, hours-long service outage – 44 million users affected At the same time Facebook, LiveJournal, YouTube and Blogger were under attack – Only some users experienced an outage Real target: a Georgian blogger Image borrowed from Wired.com article. Originally provided by Arbor Networks

33. DDoS on Mastercard and Visa December 2010 Parts of services went down briefly Attack launched by a group of vigilantes called Anonymous – Bots recruited through social engineering – Directed to download DDoS software and take instructions from a master – Motivation: Payback to services that cut their support of WikiLeaks after their founder was arrested on unrelated charges Several other services affected

34. Potential Effects of DDoS Attacks Most (if not all) sites could be rendered non- operational The Internet could be largely flooded with garbage traffic Essentially, the Internet could grind to a halt – In the face of a very large attack Almost any site could be put out of business – With a moderate sized attack

35. Who Is Vulnerable? Everyone connected to the Internet can be attacked Everyone who uses Internet for crucial operations can suffer damages

36. But My Machines Are Well Secured! 36 Doesn’t matter! The problem isn’t your vulnerability, it’s everyone elses’

37. But I Have a Firewall! Doesn’t matter! Either the attacker slips his traffic into legitimate traffic Or he attacks the firewall

38. But I Use a VPN! Doesn’t matter! The attacker can fill your tunnel with garbage Sure, you’ll detect it and discard it... But you’ll be so busy doing so that you’ll have no time for your real work

39. But I’m Heavily Provisioned Doesn’t matter! The attacker can probably get enough resources to overcome any level of resources you buy

40. Attack Toolkits Widely available on the net – Easily downloaded along with source code – Easily deployed and used Automated code for: – Scanning – detection of vulnerable machines – Exploit – breaking into the machine – Infection – placing the attack code Rootkits – Hide the attack code – Restart the attack code – Keep open backdoors for attacker access DDoS attack code

41. DDoS Attack Code Attacker can customize: – Type of attack UDP flood, ICMP flood, TCP SYN flood, Smurf attack (broadcast ping flood) Web server request flood, authentication request flood, DNS flood – Victim IP address – Duration – Packet size – Source IP spoofing – Dynamics (constant rate or pulsing) – Communication between master and slaves

42. Implications Of Attack Toolkits You don’t need much knowledge or great skills to perpetrate DDoS Toolkits allow unsophisticated users to become DDoS perpetrators in little time DDoS is, unfortunately, a game anyone can play

43. DDoS Attack Trends Attackers follow defense approaches, adjust their code to bypass defenses Use of subnet spoofing defeats ingress filtering Use of encryption and decoy packets, IRC or P2P obscures master-slave communication Encryption of attack packets defeats traffic analysis and signature detection Pulsing attacks defeat slow defenses and traceback Flash-crowd attacks generate legitimate (well- formed) application traffic

44. Implications For the Future If we solve simple attacks, DDoS perpetrators will move on to more complex attacks Recently seen trends: – Larger networks of attack machines – Rolling attacks from large number of machines – Attacks at higher semantic levels – Attacks on different types of network entities – Attacks on DDoS defense mechanisms Need flexible defenses that evolve with attacks

45. How Come We Have DDoS? Natural consequence of the way Internet is organized – Best effort service means routers don’t do much processing per packet and store no state – they will let anything through – End to end paradigm means routers will enforce no security or authentication – they will let anything through It works real well when both parties play fair It creates opportunity for DDoS when one party cheats

46. There Are Still No Strong Defenses Against DDoS You can make yourself harder to attack But you can’t make it impossible And, if you haven’t made it hard enough, there’s not much you can do when you are attacked – There are no patches to apply – There is no switch to turn – There might be no filtering rule to apply – Grin and bear it