Presentation is loading. Please wait.

Presentation is loading. Please wait.

Review For Exam 2 March 9, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Published byRaven Brick Modified over 9 years ago

Similar presentations

Presentation on theme: "Review For Exam 2 March 9, 2010 MIS 4600 – MBA 5880 - © Abdou Illia."— Presentation transcript:

1 Review For Exam 2 March 9, 2010 MIS 4600 – MBA 5880 - © Abdou Illia

2 Network & Computer Attacks (Part 2)

3 Denial of Service (DoS)  The attackers tries to overload the server by sending a stream of HTTP requests.  The server needs to use its limited resources (processor, RAM) to respond to each request  When overloaded, the server slows down or even crashes. Attacker’s Home Network 3  Attempt to make a computer resources unavailable to legitimate users

4 TCP opening and DoS  Server can maintain multiple connections  For each TCP connection request (SYN), server…  Responds to the request (SYN/ACK)  Set resources aside (Processor’s capacity, RAM, bandwidth) in order respond to each upcoming data request........ SYN SYN/ACK ACK Waiting for request from Computer 1 1 SYN SYN/ACK ACK 2 SYN SYN/ACK ACK 3 Waiting for request from Computer 2 Waiting for request from Computer 3 Server...... 4

5 TCP Connection opening  TCP connection opening is accomplish as follow  Client sends a TCP SYN to request connection  Server responds by sending back a TCP SYN/ACK  Client responds by sending a TCP ACK  Some form of computer attacks exploit the 3-way handshake process  Example: A client may send a TCP ACK without the two steps of the 3-way handshake being accomplished Attacker Victim ACK 5 3-way handshake

6 SYN Flood DoS  Attacker sends a series of TCP SYN opening requests  For each SYN, the target has to  Send back a SYN/ACK segment, and  set aside memory, and other resources to respond  When overwhelmed, target slows down or even crash  SYN takes advantage of client/server workload asymmetry Attacker Victim SYN 6

7 Web Server configuration 7

8 Bandwidth Throttling  Method of ensuring a bandwidth-intensive device, such as a server…  will limit ("throttle") the quantity of data it transmits and/or accepts within a specified period of time  For web servers, bandwidth throttling …  helps limit network congestion and server crashes  For ISPs, bandwidth throttling …  can be used to limit users' speeds across certain applications (such as BitTorrent), or limit upload speeds.  When allowed bandwidth is reached, the server will block further connection attempts…  By moving them into a queue, or  By dropping them 8

9 Bandwidth Throttling (cont)  When you enable bandwidth throttling, Internet Information Services (IIS) activates a set of counters to monitor it in System Monitor (SysMon). 9 Current Blocked Async I/O Requests counter Number of requests blocked or held in a buffer until bandwidth is available. Measured Async I/O Bandwidth Usage/Minute number of bytes sent per minute as indicated by a sample taken by bandwidth throttling. Rejected Async I/O Requestsnumber of requests rejected by bandwidth throttling since the service was last started.

10 Ping of Death attacks  Take advantage of  Fact that TCP/IP allows large packets to be fragmented  Some network applications & operating systems’ inability to handle packets larger than 65536 bytes  Attacker sends IP packets that are larger than 65,536 bytes through IP fragmentation.  Ping of death attacks are rare today as most operating systems have been fixed to prevent this type of attack from occurring.  List of OS that were vulnerable:  http://insecure.org/sploits/ping-o-death.html http://insecure.org/sploits/ping-o-death.html  Fix  Add checks in the reassembly process of servers  Add checks in firewall to protect hosts with bug not fixed  Check that Sum of Total Length fields for fragmented IP is < 65536 bytes or less than maximum allowed Total Length (16 bits)FlagsFragment Offset (13 bits) 10

11 Distributed DoS (DDoS) Attack Server DoS Messages Computer with Zombie Computer with Zombie Handler Attack Command Attack Command  Attacker hacks into multiple clients and plants handler programs and Zombie programs on them  Attacker sends attack commands to Handlers and Zombie programs which execute the attacks  First appeared in 2000 with Mafiaboy attack against cnn.com, ebay.com, etrade.com, yahoo.com, etc. Attacker Attack Command 11

12 Buffer Overflow Attack  Occurs when ill-written programs allow data destined to a memory buffer to overwrite instructions in adjacent memory register that contains instructions.  If the data contains malware, the malware could run and creates a DoS  Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD 12 BufferInstructions 123456 Print Run Program Accept input BufferInstructions 123456 ABCDEFLET JOHN IN WITHOUT PASSWORD Run Program Accept input

13 Keyloggers  Used to capture keystrokes on a computer  Hardware  Software  Behaves like Trojan programs  Hardware  Easy to install  Goes between the keyboard and the CPU  KeyKatcher and KeyGhost 13

14 Summary Questions  Describe SYN flooding.  What is a Zombie program?  Explain how Ping of Death attack occurs?  Explain difference between DoS and DDoS.  Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability?  What is a Buffer Overflow attack?  What is a hardware keylogger? 14

15 Footprinting

16 16  Process of collecting information about an organization, its network, its IP address ranges, its IP address registration, and the people involved in network/computers issues.  Footprinting is conducted through social engineering and by researching information  from printed resources  From online resources  Footprinting tools/techniques:  Gathering WHOIS information  Performing web reconnaissance  DNS interrogation

17 Understanding Footprinting Lab (Lab 4) 17  You must understand the footprinting activities performed in Lab 4. In particular:  What Footprinting tools were used  What can be done with each  You are allowed to have your lab sheet during the exam

18 Scanning

19 What is Scanning? 19  Step after footprinting  Referred to as port scanning, service scanning, or network scanning  Process of scanning a range of IP addresses in order to determine what services/programs are running on networked computers  Typically performed using scanning tools like  Command line utilities like Fping, Hping, nmap, tcpdump, etc  GUI scanners 1. Footprinting 2. Scanning 3. Enumeration 4. Attack Searching vulnerabilities

20 Types of Port scanning 20  SYN scan—In normal TCP session, first the client sends the server a TCP packet with the SYN flag set. The server responds to this with a packet having both SYN and ACK flags set, acknowledging the SYN. The client then replies with an ACK of its own, completing the connection. With SYN scan the 3-way handshaking is not completed; which means the target never log the “transaction”. After all you don’t want the log to show your IP address.  FIN scan—In this scan, a TCP packet with the FIN flag set is sent to the target computer to “see” how it react. Normally, a TCP packet with the FIN flag set is sent to a client when the server is ready to terminate the connection. The client responds with an ACK which acknowledges the disconnect.  NULLscan—In a NULL scan, all the packet flags are turned off, that means none of the RST (reset), FIN, SYN, or ACK flags is set. If the ports of the target are closed, the target responds with a TCP RST packet. If the ports are open, the target sends no reply, effectively noting that port number as an open port to the user.  ACK scan—A TCP packet with the ACK flag set. Scans of the TCP ACK type are used to identify Web sites that are active, which are normally set not to respond to ICMP pings. Active Web sites respond to the TCP ACK with a TCP RST, giving the user confirmation of the status of a site.  TCP Connect scan—The “three-way handshake” process described under TCP SYN above. When one system sends a packet with the SYN flag set, the target device responds with SYN and ACK flags set, and the initiator completes the connection with a packet containing a set ACK flag. Unlike in a SYN scan, the “transaction” is logged. SYN SYN/ACK ACK

21 Types of Port scanning 21  XMAS scan—In this kind of scan, the FIN, PSH, and URG flags are set. Closed ports respond with a RST packet. Can be used to determine which ports are open. Not getting the RST packet doesn’t mean that the port is open because firewalls or other packet filtering devices may be configured to drop the UDP scan packet.  UDP scan—In this scan, a UDP packet is sent to the target computer. If the computer sends back an ICMP “Port unreachable” message, the port is. Not getting this message doesn’t mean that the port is open because firewalls or other packet filtering devices may be configured to drop the UDP scan packet.

22 Understanding Scanning Lab (Lab 5) 22  You must understand the scanning activities performed in Lab 5. In particular:  What scanning tools were used  What can be done with each  What kind of information can be collected using the tools  You are allowed to have your lab sheet during the exam

23 Enumeration

24 What is Enumeration? 24  Security Testing Step to be performed after  Discovering live targets >>[Scanning]  Determining open ports and services hosted by discovered live targets >>[Scanning]  Determining OS >> [Scanning]  Process of extracting the following from targets  Available resources or shares  User/group names and password  Enumeration is more intrusive than footprinting and scanning because you try to access resources  Typically performed using Enumeration tools like  NetBIOS names scanners  Share scanners  Vulnerability scanners such as Nessus 1. Footprinting 2. Scanning 3. Enumeration 4. Attack Searching vulnerabilities

25 Understanding Enumeration Lab (Lab 6) 25  You must understand the Enumeration activities performed in Lab 6. In particular:  What Enumeration tools were used  What can be done with each  What kind of information can be collected using the tools  You are allowed to have your lab sheet during the exam

Download ppt "Review For Exam 2 March 9, 2010 MIS 4600 – MBA 5880 - © Abdou Illia."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.

TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.
CISCO NETWORKING ACADEMY Chabot College ELEC 99.05 Transport Layer (4)

CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
Computer Security and Penetration Testing

Computer Security and Penetration Testing
CCNA – Network Fundamentals

CCNA – Network Fundamentals
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
Footprinting February 16, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Footprinting February 16, 2010 MIS 4600 – MBA © Abdou Illia.
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Similar presentations

Ads by Google