Network Attack and Defense

Presentation transcript:

Network Attack and Defense (Chapter 18)
Quote from Fairfax: “security isn’t something we do, it is the thing we do.”
E-commerce is dependent on security. While 80% of attacks are internal, 20% are still external. Many of these are international; this is one of the big changes that the net has created. Your attackers can be from anywhere in the world.

The most common attacks
http://www.sans.org/top20/
This is the list of the top 20 attacks. How many does encryption solve? How many do firewalls solve? How many are software flaws?

Combination
Many attacks are combinations of what we have already looked at:
  Buffer overflows
  Password crackers
  Sniffing
  Rootkits
  Software vulnerabilities
  Open ports, etc.
  SQL injection
  Programming errors
Some from this chapter:
  Protocol vulnerabilities (TCP/IP suite)
  Denial of service

It’s sad
Many attacks you read about are exploits for which patches already exist. It’s the ones you don’t know about that keep security administrators up at night. The patch for the Code Red worm had existed months before the attack.
TCP/IP vulnerabilities: http://www.javvin.com/networksecurity/tcpipnetwork.html
A huge number of services are enabled by default in operating systems.

OSI model
We can look at attacks by layer in the OSI model.
Layer 2 attacks: VLAN hopping, MAC spoofing attack, private VLAN attacks, DHCP starvation
Layer 3 attacks: spoofing, IP fragmentation, Ping of Death, Land attack
Layer 4 attacks: SYN flooding, sniffing, MitM, session replay, session hijacking, TCP sequence prediction, denial of service, backhoe attenuation, Smurf attack, domain hijacking
Layer 8 attacks: trusted insiders, social engineering, identity theft
Layer 7 attacks: buffer overflow; malware (viruses, worms, Trojan horses, back doors, malware attack vectors, malware protection, hoaxes, UCE); application attacks (exploiting software, reverse engineering, software testing and monitoring, password attacks, logic bombs, downgrade attacks, store-and-forward transmissions, automated software distribution, audit log attacks, rootkits, covert channels); web-based attacks (web cookies, leaking browser information, spyware, databases on the web, web site blocking, active content: CGI, Java, ActiveX)

Script kiddies / packaged defense
Hacking is becoming de-skilled. The TCP/IP suite was designed to work in an open, sharing, honest environment.
Various levels of hackers:
  Script kiddies: download a script and run it, with no real idea of what they are doing
  Experienced hackers (typically excellent programmers)
Many companies cannot find or afford proper security personnel.
Easy to find tools to automate a hack.
Hard to trace an international hack; requires international cooperation.
Massive amount of information on how to hack on the internet.
Next slide: protocol vulnerabilities. Network protocol: mainly the TCP/IP suite.

Denial of Service Attacks: Jolt2
Source code widely available
Sends identical fragmented IP packets
Systems use 100% of their resources attempting to reassemble these malformed packets
Can attack servers as well as routers
Patches exist for most systems
Some firewalls recognize the malformed packets and drop them

Denial of Service Attacks: SYN flood
Violates the 3-way handshake by establishing a large number of half-open connections.
Eventually fills the storage allocated for these and the system does not allow new connections.
Prevention: well, if you limit the number of these connections, then legitimate users still cannot access the system.
Various OSes are working on changes to prevent these attacks; they need to adjust how half-open connections are stored.
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:
  1. The client requests a connection by sending a SYN (synchronize) message to the server.
  2. The server acknowledges this request by sending SYN-ACK back to the client.
  3. The client responds with an ACK, and the connection is established.
This is called the TCP three-way handshake, and is the foundation for every connection established using TCP/IP protocols. A malicious client can skip sending this last ACK message. The server will wait for this bit for some time, as simple network congestion could also be the cause of the missing ACK.
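The slide's point that the fix is to "adjust how half-open connections are stored" is easiest to see side by side. The following is an added simulation, not code from the presentation: a server that keeps one table slot per half-open connection (and refuses new clients once the table is full) next to a SYN-cookie server, which encodes a keyed hash of the client address, port and a coarse time bucket into the initial sequence number and so stores nothing until the final ACK proves the client is real. The capacities, the secret and the client addresses are constructed for the demo; the cookie layout (8-bit time bucket plus 24-bit hash) is a simplified version of the real scheme and is an assumption of this example.

```python
import hashlib
import hmac
import time

# Constructed demo secret; a real server generates one at boot and rotates it.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


class HalfOpenTable:
    """Classic backlog: every SYN costs one table slot until the ACK arrives.
    (A real kernel also times entries out, but a flood refills them faster.)"""

    def __init__(self, capacity):
        self.capacity = capacity
        self.pending = {}   # (client_ip, client_port) -> server ISN
        self.next_isn = 1000

    def on_syn(self, client_ip, client_port):
        """Return the ISN to send in the SYN-ACK, or None if the backlog is full."""
        if len(self.pending) >= self.capacity:
            return None                     # legitimate clients are refused here
        isn = self.next_isn
        self.next_isn += 1
        self.pending[(client_ip, client_port)] = isn
        return isn

    def on_ack(self, client_ip, client_port, ack_num):
        """Complete the handshake if an entry exists and the ACK number matches."""
        isn = self.pending.pop((client_ip, client_port), None)
        return isn is not None and ack_num == (isn + 1) & 0xFFFFFFFF


class SynCookieServer:
    """Stateless alternative: the ISN itself is a keyed hash of the client plus a
    coarse timestamp, so no memory is held for half-open connections."""

    def __init__(self, now=None):
        # now() returns a 64-second time bucket; injectable for deterministic tests
        self.now = now or (lambda: int(time.time()) // 64)

    def _cookie(self, client_ip, client_port, t):
        msg = f"{client_ip}:{client_port}:{t}".encode()
        mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:3], "big")   # 24-bit keyed hash

    def on_syn(self, client_ip, client_port):
        """Return the cookie ISN; nothing is stored, so a flood cannot fill a table."""
        t = self.now() & 0xFF                   # 8-bit time bucket in the top byte
        return (t << 24) | self._cookie(client_ip, client_port, t)

    def on_ack(self, client_ip, client_port, ack_num):
        """Recompute the cookie from the ACK; accept only fresh, matching cookies."""
        isn = (ack_num - 1) & 0xFFFFFFFF
        t = isn >> 24
        age = (self.now() - t) & 0xFF
        if age > 1:                             # stale: older than about two buckets
            return False
        return (isn & 0xFFFFFF) == self._cookie(client_ip, client_port, t)


def simulate_flood(server, attacker_syns, legit=("10.0.0.5", 40000)):
    """Send attacker_syns SYNs that are never completed, then check whether a
    legitimate client can still finish its handshake. Returns True or False."""
    for i in range(attacker_syns):
        # constructed forged sources in the 203.0.113.0/24 documentation range
        server.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + i)   # no ACK ever follows
    isn = server.on_syn(*legit)
    if isn is None:
        return False
    return server.on_ack(legit[0], legit[1], (isn + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("backlog server survives flood:", simulate_flood(HalfOpenTable(128), 200))
    print("SYN-cookie server survives flood:", simulate_flood(SynCookieServer(), 200))
```

The cookie server pays for its statelessness by rejecting ACKs whose time bucket has aged out and by being unable to remember TCP options negotiated in the SYN, which is why real kernels only switch to cookies once the backlog is under pressure.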

Denial of Service Attacks: Smurf, Papa Smurf, Fraggle
Uses a forged source address to send packets (ICMP) to a broadcast address (e.g. 12.255.255.255).
All machines on the network then attempt to respond to the forged address.
Simply generates large amounts of traffic on both networks: the network whose broadcast address the original message was sent to, and the network of the forged return address when all the machines respond.
Smurf, Papa Smurf and Fraggle are all similar, but they don’t all use ICMP; some use other protocols, e.g. UDP.

Denial of Service Attacks: Smurf amplifiers
Smurf amplifiers are sites that allow ICMP echo packets to the broadcast address and allow the ICMP replies out.
nmap can also be used to find Smurf amplifiers.
http://www.powertech.no/smurf/ reports smurf amplifiers; the count was 24431 three years ago.

Denial of Service Attacks: anatomy of a Smurf attack
So smurf attacks basically use the following:
  Hacker
  Amplifier: a misconfigured system whose router broadcasts packets to the subnet
  Machines on that subnet respond to the pings/echoes
  Victim receives all the responses
Solutions for the victim don’t really exist; it simply floods your system with traffic. If you block at the router, it still ties up your network up to the router. (Draw on the board.)
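Since the victim has no real defense, the chain has to be broken at the amplifier and at the network the forged packets leave from. The following is an added example, not code from the presentation, showing the three router-side controls as filter and detection functions over constructed packet records: refuse to forward ICMP echo requests addressed to the subnet's directed-broadcast address (so the site cannot be an amplifier), egress-filter packets whose source is not in the local prefix (so forged sources cannot leave), and flag the "many local hosts replying to one outside address" pattern that means the site is already amplifying. The subnet, addresses and packet format are assumptions of the example; the broadcast check uses the prefix's own all-ones address, so it generalizes beyond the /24 in the slide.

```python
import ipaddress

# Assumption (constructed): the router fronts this LAN; documentation address range.
LAN = "192.0.2.0/24"
ECHO_REQUEST, ECHO_REPLY = 8, 0


def is_directed_broadcast(dst, cidr):
    """True when dst is the all-ones broadcast address of the given subnet
    (works for any prefix length, not only /24)."""
    return ipaddress.ip_address(dst) == ipaddress.ip_network(cidr).broadcast_address


def should_drop_inbound(pkt, cidr):
    """Amplifier-side rule: never forward an echo request addressed to our subnet's
    broadcast address. Returns a reason string to drop, or None to forward."""
    if (pkt["proto"] == "icmp" and pkt["type"] == ECHO_REQUEST
            and is_directed_broadcast(pkt["dst"], cidr)):
        return "drop: ICMP echo request to directed broadcast"
    return None


def should_drop_outbound(pkt, cidr):
    """Egress filter: a packet leaving our network whose source address is not
    one of ours can only be forged, so drop it."""
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(cidr):
        return "drop: source address not in local prefix (spoofed)"
    return None


def find_reply_fan_in(packets, threshold):
    """Detection: count distinct local hosts sending echo replies to the same
    outside destination. Many hosts answering one address means we are acting
    as an amplifier against a victim. Returns {dst: host_count}."""
    per_dst = {}
    for p in packets:
        if p["proto"] == "icmp" and p["type"] == ECHO_REPLY:
            per_dst.setdefault(p["dst"], set()).add(p["src"])
    return {dst: len(hosts) for dst, hosts in per_dst.items() if len(hosts) >= threshold}


# Constructed sample traffic as the router would see it on each interface.
INBOUND = [
    {"src": "198.51.100.7", "dst": "192.0.2.255", "proto": "icmp", "type": ECHO_REQUEST},  # to broadcast
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "icmp", "type": ECHO_REQUEST},   # ordinary ping
]
OUTBOUND = [
    {"src": f"192.0.2.{h}", "dst": "198.51.100.7", "proto": "icmp", "type": ECHO_REPLY}
    for h in range(10, 60)                                                    # 50 hosts answering one address
] + [
    {"src": "203.0.113.9", "dst": "198.51.100.7", "proto": "udp", "type": None},  # forged source leaving
]


if __name__ == "__main__":
    for p in INBOUND:
        print(p["dst"], "->", should_drop_inbound(p, LAN) or "forward")
    print("spoofed egress:", should_drop_outbound(OUTBOUND[-1], LAN))
    print("amplification suspects:", find_reply_fan_in(OUTBOUND, threshold=20))
```

The fan-in detector counts distinct replying hosts rather than raw packets, because a single busy host pinging one peer is normal while fifty hosts answering the same outside address in the same window is the signature of a directed-broadcast echo being answered.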

Denial of Service Attacks: summary
As you can see, most of these attacks utilize networking protocols: sending malformed packets causes problems for the attacked machine. IP spoofing is typically used to hide the source of the attack.
Not going to cover all of these from the chapter; please read them though. Many, many others exist and most are available on Packet Storm; just search on DOS:
http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=DOS&type=archives&%5Bsearch%5D.x=14&%5Bsearch%5D.y=10
BTW, again just a note that virus software would not allow downloading of these.

Distributed Denial of Service
In February of 2000 these became famous: Amazon, CNN, E*Trade, Yahoo, eBay, … all attacked and brought to their knees.

Distributed Denial of Service
The seeds were in the wind before 2000: in August of 1999 the University of Minnesota was subject to a 2-day attack. Before we look at these attacks we need to understand a little about them.

Distributed Denial of Service
These attacks use compromised machines to attack others. Hackers over time develop a network of compromised machines that are set to “do their bidding”, that is, attack. These are often called zombie machines or just zombies.

Distributed Denial of Service
Once the network of zombies is built, specific commands, typically on specific ports, instruct the zombies where to attack: dos 192.192.192.192 would launch the attack against that address.

Distributed Denial of Service: Trinoo
OK, so Trinoo was the first major one. It was used to launch the attack against U of Minnesota. It did not use IP spoofing from the attacking machines, so admins were able to contact the compromised machines and stop the attack. Most of these machines were Solaris 2.x systems. While this was going on, the attacker simply continued to release new zombies against the network; it progressed for 2 days. Newer ones are being developed: http://news.zdnet.com/2100-1009_22-6050688.html

Bot networks can be rented:
http://news.zdnet.com/2100-1009_22-6030270.html
http://news.zdnet.com/2100-1009_22-5772238.html?tag=nl
The following is a great source of distributed DOS information: http://staff.washington.edu/dittrich/misc/ddos/

Blind IP Spoofing
Diagram: Attacker 192.113.123.010 sends a packet with from address 65.67.68.05 and to address 65.67.68.07. Target: 65.67.68.07. Spoofed address: 65.67.68.05.
OK, we simply change our TCP/IP address to the intended spoofed address. When we send to the target it “thinks” we are the spoofed machine. This is blind spoofing because the target sends the results back to the spoofed address. Doesn’t seem very useful, but it is!!!

Defenses: configuration management
  Current copies of the OS
  All patches applied
  Service and config files hardened
  Default passwords removed
  Organizational discipline to make sure it stays this way

Firewalls
Hardware and software; protects the internal network from the external one. Installed between the internal and external networks. Uses rules to limit incoming traffic: the rules decide what traffic is allowed in and what traffic is not.

Firewall techniques
  NAT (network address translation)
  Basic packet filtering: decides whether to forward packets in based on factors in each packet on its own
  Stateful packet inspection: looks at ports, the three-way handshake, and where the connection was initiated (which side of the firewall)
  Application gateways: act as a proxy, can strip out macros etc. (slow)
  Access control lists: rules concerning blocking or allowing inbound and outbound packets
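The difference between basic packet filtering with an access control list and stateful inspection is clearest when the same packets go through both. The following is an added example, not code from the presentation: a stateless ACL (first match wins, "established" judged from the ACK flag alone) beside a stateful filter that remembers which side opened each connection and refuses inbound packets that belong to no connection it has seen. The stateful filter also applies the anti-spoofing check from the blind IP spoofing slide: a packet arriving on the outside interface that claims an inside source address is dropped. The inside prefix, the published service port, the packet format and the sample packets are constructed assumptions of this example.

```python
import ipaddress

# Assumptions (constructed): the inside network and the one TCP service published outside.
INSIDE = ipaddress.ip_network("10.0.0.0/8")
PUBLISHED_TCP_PORTS = {80}

# Basic packet filter: an ordered access control list evaluated per packet, no memory.
# Fields: direction, protocol, destination port, required TCP flag, action.
ACL = [
    ("in",  "tcp", 80,   None,  "allow"),   # published web server
    ("in",  "tcp", None, "ACK", "allow"),   # "established", judged from the ACK flag alone
    ("in",  "any", None, None,  "deny"),    # everything else inbound
    ("out", "any", None, None,  "allow"),   # outbound unrestricted
]


def acl_decision(pkt):
    """First matching ACL rule wins; implicit deny if nothing matches."""
    for direction, proto, dport, flag, action in ACL:
        if direction != pkt["dir"]:
            continue
        if proto != "any" and proto != pkt["proto"]:
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        if flag is not None and flag not in pkt["flags"]:
            continue
        return action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remembers which side opened each connection and only
    admits inbound packets that belong to a connection it has already seen."""

    def __init__(self):
        self.conns = set()    # 5-tuples of connections opened through the firewall

    @staticmethod
    def _key(p):
        return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

    @staticmethod
    def _reverse(p):
        return (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])

    def decide(self, pkt):
        # 1. Anti-spoofing: a packet on the outside interface cannot carry an inside source.
        if pkt["dir"] == "in" and ipaddress.ip_address(pkt["src"]) in INSIDE:
            return "deny: inside source arriving from outside"
        # 2. Part of a connection we already track (either direction)?
        if self._key(pkt) in self.conns or self._reverse(pkt) in self.conns:
            return "allow: established"
        # 3. Only a bare SYN opens a connection: from inside, or to a published service.
        if pkt["proto"] == "tcp" and pkt["flags"] == {"SYN"}:
            if pkt["dir"] == "out" or pkt["dport"] in PUBLISHED_TCP_PORTS:
                self.conns.add(self._key(pkt))
                return "allow: new connection"
        return "deny: no matching connection"


def tcp_packet(direction, src, sport, dst, dport, *flags):
    return {"dir": direction, "proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(flags)}


# Constructed packets (documentation address ranges), in arrival order.
OUT_SYN     = tcp_packet("out", "10.0.0.5", 51000, "198.51.100.20", 443, "SYN")
IN_SYNACK   = tcp_packet("in", "198.51.100.20", 443, "10.0.0.5", 51000, "SYN", "ACK")
IN_BARE_ACK = tcp_packet("in", "198.51.100.99", 4444, "10.0.0.8", 3389, "ACK")   # no handshake seen
IN_SSH_SYN  = tcp_packet("in", "198.51.100.99", 4445, "10.0.0.8", 22, "SYN")
IN_SPOOFED  = tcp_packet("in", "10.0.0.1", 1234, "10.0.0.8", 80, "SYN")           # claims an inside source
SEQUENCE = [OUT_SYN, IN_SYNACK, IN_BARE_ACK, IN_SSH_SYN, IN_SPOOFED]


def compare(packets):
    """Run one packet sequence through both filters; returns [(acl, stateful), ...]."""
    fw = StatefulFirewall()
    return [(acl_decision(p), fw.decide(p)) for p in packets]


if __name__ == "__main__":
    for p, (a, s) in zip(SEQUENCE, compare(SEQUENCE)):
        print(f"{p['dir']:>3} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              f"{sorted(p['flags'])}: ACL={a}, stateful={s}")
```

Both filters admit the SYN-ACK that answers the inside client's own connection, but only the stateful one rejects the bare ACK to port 3389 and the packet forging an inside source, because the ACL has no memory of which connections were actually opened and no notion of which interface a source address belongs on.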

Intrusion detection systems
Must tune and monitor the systems. http://www.snort.org/ (IDS discussed previously.)
Security Information Management systems attempt to combine and automatically monitor all systems:
http://www.netforensics.com/
http://www.managementsoftware.hp.com/
http://www.sourcefire.com/products.html

Articles
  Egress filtering
  Lawsuits stemming from DOS
  Intrusion detection
  Intrusion/penetration testing programs: SATAN, SAINT
  Lawsuits stemming from losses incurred due to insufficient protection
  Current DOS canned packages

List of resources
Jolt2:
  http://www.securiteam.com/exploits/5RP090A1UE.html
  http://www.networkworld.com/details/673.html?def
SYN flood:
  http://en.wikipedia.org/wiki/SYN_flood
  http://www.cert.org/advisories/CA-1996-21.html

List of resources
Smurf:
  http://en.wikipedia.org/wiki/Smurf_attack
  http://en.wikipedia.org/wiki/Smurf_amplifier
Distributed Denial of Service:
  http://en.wikipedia.org/wiki/Denial_of_service
  http://staff.washington.edu/dittrich/misc/ddos/
Defenses:
  http://www.dtc.umn.edu/resources/perrig.pdf

List of resources
Network protocol vulnerabilities:
  http://www.javvin.com/networksecurity/tcpipnetwork.html
  http://www.ja.net/CERT/Bellovin/TCP-IP_Security_Problems.html
  http://www.kb.cert.org/vuls/id/222750
  http://www.insecure.org/stf/tcpip_smb.txt