Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Attack and Defense

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Attack and Defense"— Presentation transcript:

1 Network Attack and Defense
Chapter 18 Network Attack and Defense Quote from Fairfax “security isn’t something we do, it is the thing we do” Ecommerce is dependent on security. While 80% of attacks are internal, 20% are still external. Many of these are international, this is one of the big changes that the net has created. Your attackers can be from anywhere in the world.

2 The Most common attacks
This is the list of the top 20 attacks. How many does encryption solve? How many does firewalls solve? How many are software flaws?

3 Combination Many attacks are combinations of what we already have looked at: Buffer overflows Password crackers Sniffing Root kits Software vulnerabilities Open ports etc SQL infection Programming errors Some from this chapter Protocol vulnerabilities (TCP/IP suite) Denial of Service

4 It’s Sad Many attacks you read about are exploits where patches already exist. It’s the ones you don’t know about that keep security administrators up at night. The patch for Code Red worm had existed months before the attack. TCP/IP vulnerabilities Huge number of services are enabled by default in Operating Systems

5 OSI model Layer 7 Attacks Layer 2 Attacks Layer 3 Attacks
We can look at attacks by level in OSI model Layer 2 Attacks VLAN Hopping MAC Spoofing Attack Private VLAN Attacks DHCP Starvation Layer 3 Attacks Spoofing IP Fragmentation Ping of Death Land Attack Layer 4 Attacks SYN Flooding Sniffing MitM Session Replay Session Hijacking TCP Sequence Prediction Denial of Service Backhoe Attenuation Smurf Attack Domain Hijacking Layer 8 Attacks Trusted Insiders Social Engineering Identity Theft Layer 7 Attacks Buffer Overflow Malware Viruses Worms Trojan Horses Back Door Malware Attack Vectors Malware Protection Hoaxes UCE Application Attacks Exploiting Software Reverse Engineering Software Testing and Monitoring Password Attacks Logic Bombs Downgrade Attacks Store and Forward Transmissions Automated Software Distribution Audit Log Attacks Rootkits Covert Channels Web-Based Attacks Web Cookies Leaking Browser Information Spyware Databases on the Web Web Site Blocking Active Content CGI Java ActiveX

6 Script kiddies/Packaged defense
Hacking is becoming de-skilled TCP/IP suite designed to work in open sharing honest environment Various levels of hackers script kiddies download script run it have no real idea what they are doing Experienced hackers (typically excellent programmers) Many companies can not find or afford proper security personnel Easy to find tools to automate hack Hard to trace international hack, requires international cooperation. Massive amount of information on how to hack on the internet. Next slide protocol vulnerabilities Network protocol mainly TCP/IP suite

7 Denial of Service Attacks
Jolt2 source code widely available sends identical fragmented IP packets systems use 100% resources attempting to re-assemble these malformed packets can attack servers as well as routers patches exist for most systems some firewalls recognize the malformed packets and drop them

8 Denial of Service Attacks
SYN flood violates 3-way handshake by establishing a large number of half open connections Eventually fills storage allocated for these and system does not allow new connections Prevention, well if you limit the number of these connections, then legit users still can not access system Various OS’s are working on changes to prevent these attacks, need to adjust how ½ openeds are stored A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this: The client requests a connection by sending a SYN (synchronize) message to the server. The server acknowledges this request by sending SYN-ACK back to the client, which, Responds with an ACK, and the connection is established. This is called the TCP three-way handshake, and is the foundation for every connection established using TCP/IP protocols. A malicious client can skip sending this last ACK message. The server will wait for this bit for some time, as simple network congestion could also be the cause of the missing ACK.

9 Denial of Service Attacks
Smurf, Papa Smurf, Fraggle Uses forged address to send packets (ICMP) to broadcast address ( ) All machines on the network then attempt to respond to the forged address Simply generates large amounts of traffic on both networks address where original message sent forged return address when all respond for smurf, papa smurf and fraggle are all simliar, but they don’t all use ICMP some use others, UDP….

10 Denial of Service Attacks
Smurf amplifiers are sites that allow ICMP echo packets to broadcast address allows ICMP replies out nmap can also be used to find Smurf amplifiers reports smurf amplifiers Was years ago

11 Denial of Service Attacks
So smurf attacks basically use the following hacker amplifier misconfigured system router broadcasts packets to subnet machines respond to pings/echoes victim receives all the responses solutions for victim don’t really exist, simply floods your system with traffic. If block at router still ties up your network up to the router…draw on the board

12 Denial of Service Attacks
as you can see most of these attacks utilize networking protocols sending malformed packets cause problems for the attacked machine IP spoofing is typically used to hide source of attack Not going to cover all of these from the chapter, please read them though. Many Many others exist and most are available on Packet Storm just search on DOS BTW again just a note that virus software would not allow downloading of these.

13 Distributed Denial of Service
In February of 2000 these became famous Amazon CNN E*Trade Yahoo eBay ……………….. all attacked and brought to their knees

14 Distributed Denial of Service
The seeds were in the wind before 2000 In August of 1999 University of Minnesota was subject to a 2 day attack. Before we look at these attacks we need to understand a little about them.

15 Distributed Denial of Service
These attacks use compromised machines to attack others. Hackers over time develop a network of compromised machines that are set to “do their bidding” that is attack. these are often called zombie machines or just zombies

16 Distributed Denial of Service
Once the network of zombies are built specific commands typically on specific ports instruct the zombies where to attack dos would launch the attack against that address

17 Distributed Denial of Service
OK so Trinoo was the first major one Used to launch attack against U of Minnesota Did not use IP spoofing from attacking machine so admins were able to contact compromised machines and stop the attack Most of these machines were Solaris 2.x systems While doing this the attacker simply continued to release new Zombies against the network Progressed for 2 days. Newer ones are being developed:

18 Bot networks can be rented
The following is a great source of Dist DOS information

19 Blind IP Spoofing Attacker 192.113.123.010 From address: 65.67.68.05
To address: OK we simply change our TCP/IP address of the intended spoofed address When we send to the target it “thinks” we are the spoofed machine This is blind spoofing because the target sends the results back to the spoofed address Doesn’t seem very useful, but it is!!! Target Spoofed Address

20 Defenses Configuration management Current copies of OS
All patches applied Service and config files hardened Default passwords removed Organizational discipline to make sure stays this way.

21 Firewalls Hardware and software
Protects internal network from external Installed between internal and external Uses rules to limit incoming traffic Uses rules to decide what traffic is allowed in and what traffic is not allowed in

22 Firewall techniques NAT Basic Packet filtering
Stateful packet inspection Application gateways Access control lists NAT Network address translation Basic packet filtering, decides whether to forward packets in based on factors Stateful – looks at ports, three way handshake, where connection initiated (which side of firewall) Application gateways, acts as proxy, can strip out macros etc…(slow) Access control lists – rules concerning blocking or allowing inbound and outbound packets

23 Intrusion detection systems
Must tune and monitor systems Discussed IDS previously Security Information Management Systems Attempt to combine and automatically monitor all systems

24 Articles Egress filtering Lawsuits stemming from DOS
Intrusion Detection Intrusion/Penetration testing programs Satan saint Lawsuits stemming from losses incurred do to insufficient protection. Current DOS canned packages

25 List of Resources Jolt2 SYN flood
SYN flood

26 List or resources Smurf Distributed Denial of Service
Distributed Denial of Service Defenses

27 List of resource Network Protocol vulnerabilities

Download ppt "Network Attack and Defense"

Similar presentations

NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.

NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents? Tim McLaren Thursday, September 28, 2000 McMaster University.

Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents? Tim McLaren Thursday, September 28, 2000 McMaster University.
CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.

CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Network Security. Permission granted to reproduce for educational use only.© Goodheart-Willcox Co., Inc. Objectives  Give examples of common network.

Network Security. Permission granted to reproduce for educational use only.© Goodheart-Willcox Co., Inc. Objectives  Give examples of common network.
IS Network and Telecommunications Risks

IS Network and Telecommunications Risks
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Attacks and Malicious Code Chapter 3. Learning Objectives Explain denial-of-service (DoS) attacks Explain and discuss ping-of-death attacks Identify major.

Attacks and Malicious Code Chapter 3. Learning Objectives Explain denial-of-service (DoS) attacks Explain and discuss ping-of-death attacks Identify major.

Similar presentations

Ads by Google