NETWORK ATTACKS Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.

Presentation transcript:

NETWORK ATTACKS Dr. Andy Wu BCIS 4630 Fundamentals of IT Security

Overview
– Denial of service attacks
  – DoS and DDoS
  – Flood attacks
  – SYN flood
– Man-in-the-middle attack
  – ARP poisoning
  – IP spoofing

Denial of Service Attacks
– Denial-of-service (DoS): the attacker sends a large number of connection or information requests to a target.
  – The target system cannot handle other, legitimate service requests.
  – May result in a system crash or an inability to perform ordinary functions.
– Distributed denial-of-service (DDoS): a coordinated stream of requests is launched against the target from many locations simultaneously.

Types of DoS
– Voluntary DoS
  – Occurs when the administrator has allowed the system to perform a variety of services without considering the system's limitations.
– Involuntary DoS
  – Takes place regardless of preparation and readiness by the administrator.
  – Usually is malicious.

Flood Attacks
– The basic approach to creating a DoS attack is to consume the limited resources of a computer or a network by transmitting a large number of packets as quickly as possible.
– A flood attack can be carried out in any of the following ways:
  – Sending connection requests
  – Consuming the bandwidth
  – Consuming the target's local resources

SYN Flood
– Goal: to overwhelm the target with SYN packets.
– Works by taking advantage of the TCP three-way handshake.
  – The attacker initiates a connection with a SYN packet.
  – The target replies with a SYN/ACK packet.
  – The attacker doesn't reply with an ACK packet.

SYN Flood
– The number of connections a system can keep waiting in its connection queue is finite.
  – Typically 128 to 1024 "slots" in the connection queue.
– Once the target sends the SYN/ACK response, it waits for the third step of the handshake to happen.
  – The timeout value often is > 1 min. by default.
– If the attacker sends requests faster than the timeout can eliminate them, the queue fills up with requests.
  – A SYN flood creates numerous half-open connections that take up "slots" in the queue.
– Once the queue is full, further requests will be dropped, and legitimate users who want to connect to the target system will not be able to do so.

SYN Flood
– Many SYN flood tools send SYN packets with a spoofed (fake) source address.
  – To hide the identity of the attacker.
  – If the address is used by a real host, that host will receive the SYN/ACK packet from the target. Since it never initiated a connection, it sends a RST packet to the target to refuse the connection, and the half-open connection is shut down immediately, before timing out.
  – If the address is not assigned to a real host, the half-open connection will not be shut down until the timeout is reached.
  – Thus attackers prefer bogus (unassigned) addresses.
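To make the queue arithmetic on the last three slides concrete, here is an added example (not from the slides) that models a listening socket's half-open connection queue in Python. The slot count, timeout and the 0.05 s RST delay for a live spoofed host are assumed values chosen to match the slides' "128 to 1024 slots" and "> 1 min." figures; it shows why a flood of SYNs from unassigned addresses locks out a legitimate client while the same flood from live addresses does not.

```python
import heapq


class Backlog:
    """Constructed model of a listening socket's half-open connection queue."""

    def __init__(self, slots, timeout, rst_delay=0.05):
        self.slots = slots          # queue size; slides say typically 128-1024
        self.timeout = timeout      # seconds a half-open entry lives; often > 60
        self.rst_delay = rst_delay  # how quickly a live spoofed host sends RST
        self.pending = []           # min-heap of entry expiry times
        self.dropped = 0            # SYNs refused because the queue was full

    def _expire(self, now):
        while self.pending and self.pending[0] <= now:
            heapq.heappop(self.pending)

    def syn(self, now, src_is_live):
        """Handle one SYN at time `now`; return True if it got a queue slot."""
        self._expire(now)
        if len(self.pending) >= self.slots:
            self.dropped += 1
            return False
        # A live host that never sent this SYN answers the SYN/ACK with RST,
        # freeing the slot after rst_delay; an unassigned address holds the
        # slot until the full timeout elapses.
        hold = self.rst_delay if src_is_live else self.timeout
        heapq.heappush(self.pending, now + hold)
        return True

    def half_open(self, now):
        self._expire(now)
        return len(self.pending)


def flood(rate, seconds, slots=256, timeout=75.0, live_sources=False):
    """Send `rate` spoofed SYNs per second for `seconds`, then let one
    legitimate client try to connect.  Returns (half-open entries when the
    client arrives, whether the client's SYN got a slot)."""
    q = Backlog(slots, timeout)
    for i in range(int(rate * seconds)):
        q.syn(i / rate, live_sources)
    # The legitimate client will finish the handshake, but until its ACK
    # arrives it needs a slot too, which is exactly what the flood denies.
    client_ok = q.syn(seconds, src_is_live=False)
    return q.half_open(seconds), client_ok


if __name__ == "__main__":
    print("bogus sources, 100 SYN/s:", flood(100, 5))
    print("live sources,  100 SYN/s:", flood(100, 5, live_sources=True))
    print("bogus sources,   3 SYN/s:", flood(3, 100))
```

The third run shows the other half of the slide's condition: at 3 SYN/s the 75 s timeout drains entries faster than they arrive, so the queue never fills and the client still gets in.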

Distributed Denial of Service
– A DoS attack implemented by staging a DoS attack against a target from multiple systems simultaneously.
– Takes advantage of the distributed nature of the Internet to create a massive flood of packets against the victim.
– The attacker first breaks into and gains control of a large number of machines ("zombies", "bots", or "agents").
– The attacker installs zombie software (a "daemon") on the zombies.
  – Popular programs include Tribe Flood Network (TFN), Trin00, and Stacheldraht.
– The daemons on the zombies wait for commands from a master.

Botnets
– A bot is a program that surreptitiously installs itself on a computer so that the computer can be controlled by an attacker.
– A botnet is a network of robot, or zombie, computers.
  – Can harness their collective power to do damage
  – Or send out huge amounts of junk

DDoS: Raising the Dead
– The attacker communicates with a small number of "masters" via control software (the "client") installed on those masters.
– The attacker uses the masters to summon the zombies to life and orders all the zombies to wage an attack simultaneously.
  – The commands are often issued into a shared IRC (Internet Relay Chat) channel used by all of the attacker's zombies.
– When the zombies receive their masters' command, they spring into action and conduct a DoS attack against the target.
– The two layers of communication (attacker-master, master-zombie) make it difficult to hunt down the attacker.

Distributed Denial of Service

Smurf
– The attacker sends an echo request packet to the broadcast address of a network, e.g.,
  – A directed broadcast can be initiated from within or outside the network.
  – When a packet coming from outside a local network is addressed to the network's broadcast address, the packet is delivered to every machine on the network.
– The source address of the packet is spoofed and belongs to the target.
– All other hosts on the network reply with an echo reply packet sent to the target's address, inundating the target.

Fraggle
– Similar to a smurf attack, but uses UDP instead of ICMP.
– Sends packets to a broadcast address with the destination UDP port set to:
  – A service that will generate a response, e.g., the echo service (port 7). When the hosts on the network receive the packet, they send back a response containing exactly the same data they received.
  – A closed port. Many systems will respond with an ICMP Port Unreachable message.
– In both cases, the target receives packets from all the hosts on the network.

Man-in-the-Middle Attacks
– Man-in-the-middle: the attacker monitors network packets, modifies them, and inserts them back into the network.
– It is technically possible for the attacker to control what data are sent between the two hosts.
– Can be achieved by ARP poisoning.
  – The attacker sets up two NICs and sends packets to each host, falsely notifying each host of the other host's MAC address, which in fact belongs to one of the attacker's NICs.

ARP Poisoning
– Computers resolve IP addresses to MAC addresses using ARP.
  – The IP-MAC mappings are stored in the ARP cache for a limited amount of time. After a record times out, it is deleted from the cache, and resolution has to be done again if a packet needs to go to that IP.
  – Computers welcome unsolicited updates of the mappings (just like websites and the postal service welcome your unsolicited update of your address).

ARP Poisoning
– An attacker can "poison" a computer's ARP cache by sending it a bogus record mapping a target's IP address to the attacker's MAC address.
– Packets going from the "duped" computer to the target will then be sent to the attacker.
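As an added example (not part of the slides), the following Python ARP-cache watcher, in the spirit of tools such as arpwatch, replays a constructed list of observed ARP replies and flags the two symptoms of the poisoning described above: an IP address whose MAC mapping changes, and a single MAC answering for several IP addresses. The addresses are made up, and 192.168.1.1 is assumed to be the default gateway.

```python
from collections import defaultdict

# Constructed sample of observed ARP replies: (seconds, sender IP, sender MAC).
# Addresses are made up; .1 is assumed to be the segment's default gateway.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway announces itself
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:14"),
    (2.0, "192.168.1.30", "aa:bb:cc:00:00:1e"),
    (5.0, "192.168.1.1", "AA:BB:CC:00:00:1E"),   # gateway IP now maps to .30's MAC
    (5.5, "192.168.1.20", "aa:bb:cc:00:00:1e"),  # so does .20: both sides duped
]


class ArpWatch:
    """Tracks the IP-to-MAC mapping most recently seen for each IP."""

    def __init__(self):
        self.table = {}    # ip -> mac last claimed for it
        self.alerts = []   # (time, ip, old_mac, new_mac) for every change

    def observe(self, ts, ip, mac):
        mac = mac.lower()  # normalise so a case difference is not a "change"
        old = self.table.get(ip)
        if old is not None and old != mac:
            # Legitimate causes exist (DHCP reassignment, replaced NIC), so a
            # change is something to investigate, not proof of an attack.
            self.alerts.append((ts, ip, old, mac))
        self.table[ip] = mac

    def macs_with_multiple_ips(self):
        """One MAC answering for several IPs is the two-sided MITM pattern."""
        by_mac = defaultdict(set)
        for ip, mac in self.table.items():
            by_mac[mac].add(ip)
        return {m: ips for m, ips in by_mac.items() if len(ips) > 1}


def analyze(replies):
    """Replay a list of ARP replies; return (change alerts, multi-IP MACs)."""
    watch = ArpWatch()
    for ts, ip, mac in replies:
        watch.observe(ts, ip, mac)
    return watch.alerts, watch.macs_with_multiple_ips()


if __name__ == "__main__":
    alerts, shared = analyze(SAMPLE_REPLIES)
    for ts, ip, old, new in alerts:
        print(f"t={ts:4.1f}s  {ip} changed {old} -> {new}")
    for mac, ips in shared.items():
        print(f"{mac} now claims {sorted(ips)}")
```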

IP Address Spoofing
– TCP/IP has no mechanism to prevent the insertion of a fake source IP address.
– An attacker can make packets look like they come from a different host than the real originator.
  – Helpful for attackers who don't want their actions traced back.
– Often used to "impersonate" another (authenticated) host to get around authentication.
  – A DoS attack usually is waged against the real McCoy (the host being impersonated) so that the other party in the communication (the attack target) won't be alerted.

IP Address Spoofing
– If the attacker's purpose simply is to obfuscate an investigation by faking her identity, as in spamming or a DoS attack, spoofing is relatively easy.
– The goal is to change the "source IP address" field in the header (blind spoofing). This can be done by:
  – Changing the NIC properties (Windows) or using the ifconfig command (*nix).
  – Packet crafting tools like Hping2, Nemesis, and NetDude.
– Works fine when the attacker doesn't expect a response from the target.
– Won't work if the attacker desires an interactive session with the target.