CS 478 /CIS 678 Network Security Dr. Susan Lincke


1 Hacking & Defense 1: CS 478/CIS 678 Network Security, Dr. Susan Lincke

2 Network Security Hacking & Defense Part 1
Text: Computer Security: Principles and Practice, W. Stallings, L. Brown, Chapter 12 Operating System Security
Objectives: The student should be able to:
- Define traceroute, ping sweep, port scanning, fingerprinting, man-in-the-middle, spoofing, directory traversal, SQL injection, Nessus, nmap, native virtualization, hosted virtualization
- List 3 attacks and countermeasures for each of the hacking steps: 1) Footprint, 2) Scan/Enumerate, 3) Gain Access, and 4) Exploit (3 attacks only)
- Describe the 3 major steps of hardening a computer. Explain the reason and methods of each of the steps.
Class Time:
- Lecture: Hacking 1 hour
- General Controls 1/2 hour
- Lab 1: Footprinting 1 hour
- Total: hours

3 The Problem of Network Security
The Internet allows an attacker to attack from anywhere in the world from their home desk. They just need to find one vulnerability: a security analyst needs to close every vulnerability.

4 Traditional Hacking
The traditional way to break into a bank/museum/store includes:
- Reconnaissance or Footprint: When are the worst guards off duty? When are there fewest people? What is the lingo?
- Scan & Enumerate: Where are the goods? Is there a back door? Who is the person to contact for social engineering?
- Gain Access: Break in
- Exploit: Dig a tunnel to have continual access. Find out needed information: payment card or company secrets. Establish a good social engineering relationship to access further info.

5 Traditional Network Hacking
The traditional way to hack into a system follows these steps:
1. Reconnaissance: Get a big picture of what the network is
1b. Initial break-in: Social Engineering, Phishing: establish a base residence to…
2. Scan & Enumerate: Identify reachable hosts, services, OS/service versions
3. Gain Access: Break in
3b. Establish persistence, hide tracks, escalate privileges
4. Exploit: Obtain information: payment card or corporate info; continual access

6 Stages of a Cyber-Operation
(Diagram, Stages of a Cyber-Operation: Target Identification, Reconnaissance, Gaining Access, Hiding Presence, Establish Persistence, Exploit, Assessment)
Target Identification:
- Opportunistic Attack: focuses on any easy-to-break-into site
- Targeted Attack: specific victim in mind; searches for a vulnerability that will work.

7 Hacking Networks Phase 1: Reconnaissance / Footprint
- Physical Break-In
- Dumpster Diving
- Google, Newsgroups, Web sites
- WhoIs Database & Sam Spade
- Social Engineering
- Domain Name Server Interrogations
- Shoulder surfing
Sample whois record:
Registrant: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052 US
Domain name: MICROSOFT.COM
Administrative Contact: Administrator, Domain
Technical Contact: Hostmaster, MSN, Redmond, WA US
Registration Service Provider: DBMS VeriSign, x4
Please contact DBMS VeriSign for domain updates, DNS/Nameserver changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.
Record last updated on 27-Aug-2006. Record expires on 03-May-2014. Record created on 02-May-1991.
Domain servers in listed order: NS3.MSFT.NET NS1.MSFT.NET NS4.MSFT.NET NS2.MSFT.NET NS5.MSFT.NET
Social engineering example: "Hi Ann, This is Tom, the Admin. We are having a bad problem. What is your password?"

8 Reconnaissance / Footprinting
Footprinting: Gather information about the target. Stages include:
- Determine scope of activity: What is out there & what does the hacker hope to accomplish?
- Search company web pages: locations, subsidiaries, contact names, phone numbers, privacy or security policies, links to the organization's other web servers. Monitor HTML comment tags not publicly shown.
- Perform open-source searches for info on the target: news, press releases. The EDGAR database lists publicly traded companies: recently-listed or recently-acquired companies are often vulnerable.
- Network Enumeration: Discover networks attached to the domains. Obtain information from whois databases. Identify domain names: ms.com and Microsoft.com
- Network Reconnaissance: Learn network topology via DNS interrogation and network commands (e.g., traceroute)

9 Network Reconnaissance
Network Reconnaissance: Learn network topology
- DNS: Domain Name Server maps IP addresses to hostnames and vice versa
- DNS Interrogation: Learn location of web, mail, firewall servers
- Zone transfers dump the contents of the DNS database to a secondary site (intention: backup site)

10 DNS Lookup Command: nslookup
set type=any
ls -d Tellurian.net. >> /tmp/store
ce   1D IN CNAME  Aesop
au   1D IN A
     1D IN TXT    "Location: Library"
     1D IN RP     jcoy.erebus jcoy.who
     1D IN MX     0 tellurianadmin-smtp
Above we are asking the Tellurian.net DNS server to list all records for the domain.
- HINFO: Identifies platform/OS
- MX: Mail Exchange (mail server)
- A: Internet Address

11 DNS Controls To Guard Security: Don’t give away information!
- Exclude internal network information from external name servers
- Eliminate HINFO records from name servers
- Prevent or restrict zone transfers to authorized machines/users
- Restrict access to internal DNS from outside
- Disable inbound connections to TCP port 53 (TCP: zone transfers; UDP: name lookups). UDP name lookups are sent as TCP requests when > 512 bytes
- Log inbound connections to port 53 to track potential attacks

12 Reconnaissance: Traceroute
Traceroute: Provides a list of routers between source and destination
To run: [bash]$ traceroute cs.uwp.edu   [DOS]: tracert
Traceroute can be run from multiple locations to learn multiple entry points into the network
How traceroute operates:
- Traceroute uses ICMP_TIME_EXCEEDED messages
- Windows: Uses ICMP echo request packets
- UNIX: uses UDP, or ICMP with the -I option
To Guard Security:
- Do not permit pings from outside the network
- Block ICMP and UDP at the network edge (firewall or router). Note: Blocking only ICMP or only UDP may still allow access, since both may be used
- Detect attacks: Use IDS systems to detect traceroute requests; free IDS programs detect these
- RotoRouter: generates fake responses to traceroutes.

13 Reconnaissance: Whois & Initial Break-in
Whois provides information on:
- Registrar: Sponsoring company
- Organizational/Point of contact: Contact information
Whois databases include:
Guard Security by:
- Posting a fictitious name in the whois database
- Keeping contact information and contact registration in the registry up-to-date
- Ensuring secure access to the registry (AOL was defrauded in 1998)
- Guarding personnel books

14 Initial Break-in: 1b: Social Engineering Attacks
Social Engineering: break into a company via the human interface, via phone or email. Poses as a trusted user, manager, admin
- Phishing: sending an email pretending to be someone else
- Water Hole: Infected website infects visitors.
- Shoulder surfing: Reads terminal info by looking over someone's shoulder; reading login/passwords or other confidential info
- Tailgating: Passing an ID check point by walking out of view of the guard with others
Goal: Establish a hold internal to the network; launch attacks from the internal network

15 1b: Initial Break-in: Virus/Worm
Virus: Code that causes a copy of itself to be inserted into one or more programs.
Worm: Independent program which replicates itself and sends copies from computer to computer across network connections. Upon arrival the worm may be activated to replicate.
Total Losses, 2005 Est: $42,787,767
(Diagram: worm mailing copies "To Joe", "To Ann", "To Jill" from an address list)

16 Hacking Networks Phase 2: Scanning & Enumeration
After a successful phishing attack, the attacker can install a network scanner. Where is the data? Company trade secrets? Point of sale machines?
Scanning:
- Host Scanning: Which IP addresses are valid?
- Network Scanning: How is the network routing system organized?
- Port Scanning: Which services are running on which ports?
Enumeration:
- Fingerprinting: Which software versions are running on different sockets?
- Active fingerprinting: Send specific messages & observe replies
- Passive fingerprinting: Observe patterns in IP packets
- Stealth scanning: Slow scanning stays under the intrusion detection radar screen

17 2: Hacking Networks: Scanning & Enumeration: Scanning Tools
- War Driving: NetStumbler
- War Dialing: Dialing numbers looking for modems
- Network Mapping: Nmap
- Vulnerability-Scanning Tools: Nessus

18 2: IP/ICMP Scanning Ping Sweep (Nmap)
Which hosts exist? (Diagram: SRC sends a Ping to each DEST address; only a live host answers with a Ping Reply)
Windump Output:
15:19: IP > : icmp 1480: echo request seq 7168
15:19: IP > : icmp 1480: echo reply seq 7168

19 2: Which ports exist?
Initiate a TCP connection: SYN -> SYN,ACK -> ACK
Windump of connection establishment:
14:54: IP > : S : (0) win (DF)
14:54: IP > : S : (0) ack win (DF)
14:54: IP > : . ack 1 win (DF)

20 TCP/UDP Port Scanning (NMAP)
16:05: IP > : icmp 8: echo request seq 21868
16:05: IP > : . ack win 1024
16:05: IP > : icmp 8: echo reply seq 21868
16:05: IP > : R : (0) win 0
16:05: arp who-has tell
16:05: arp reply is-at 00:14:1c:cb:7e:40
16:05: IP > : . ack win 4096
16:05: IP > : R : (0) win 0
16:05: IP > : S : (0) win 3072
16:05: IP > : S : (0) win 2048
16:05: IP > : S : (0) win 2048
16:05: IP > : S : (0) win 4096
16:05: IP > : S : (0) ack win <mss 1460>
16:05: IP > : R : (0) win 0
16:05: IP > : S : (0) ack win 4128 <mss 536>
16:05: IP > : S : (0) ack win 4128 <mss 536>
16:05: IP > : R : (0) win 0
16:05: IP > : R 0:0(0) ack win 0

21 NMAP Results
Starting nmap 3.81 ( ) at :05 Central Daylight Time
Interesting ports on sholmes.cybersec.cs.uwp.edu ( ):
(The 1647 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
111/tcp   open  rpcbind
113/tcp   open  auth
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
548/tcp   open  afpovertcp
631/tcp   open  ipp
644/tcp   open  unknown
668/tcp   open  unknown
993/tcp   open  imaps
2049/tcp  open  nfs
3128/tcp  open  squid-http
MAC Address: 00:0E:A6:5C:E1:67 (Asustek Computer)
Interesting ports on MainRouter.cybersec.cs.uwp.edu ( ):
(The 1659 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
23/tcp    open  telnet
80/tcp    open  http
443/tcp   open  https
MAC Address: 00:14:69:3A:FE:F6 (Unknown)
Interesting ports on MainSwitch.cybersec.cs.uwp.edu ( ):
(The 1661 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
23/tcp    open  telnet
80/tcp    open  http
MAC Address: 00:14:1C:CB:7E:40 (Unknown)
Nmap finished: 3 IP addresses (3 hosts up) scanned in seconds

22 Scan Types
- TCP connect scan: Performs 3-way handshake
- TCP SYN: SYN -> SYN/ACK
- TCP FIN: FIN -> RST (UNIX)
- TCP XmasTree scan: FIN/URG/PUSH -> RST
- TCP Null: no flags -> RST
- TCP ACK: ACK -> Is the firewall stateful?
- TCP Windows: Identify system via window size reporting
- TCP RPC: Identify RPC ports, program names and version numbers
- UDP Scan: If inactive -> ICMP port unreachable

23 Scanner Controls
To Guard Security:
Detect attacks:
- Detect ping sweeps and incoming ICMP traffic for port scans via IDS/IPS
- Identify the attacker and possible time of attack
Prevent attacks:
- Filter all incoming sessions from ports except those that are expressly permitted
- Filter traffic from attack source IP addresses
- Filter all ICMP traffic, or filter ICMP TIMESTAMP and ADDRESS MASK packet requests
- Minimal: Allow ECHO_REPLY, HOST_UNREACHABLE, TIME_EXCEEDED into the demilitarized zone (DMZ)
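As an added illustration of the detection controls above (not part of the original slides), the following Python script reads windump/tcpdump-style lines like those on the ping sweep and port scan slides and flags a source that pings many hosts or SYN-probes many ports without ever completing a handshake. The capture, its addresses and the thresholds are constructed for this example; the lecture's own capture lost its addresses during extraction.

```python
import re
from collections import defaultdict

# Constructed windump-style capture (addresses and ports are made up):
# 10.0.0.5 pings three hosts, then SYN-probes five ports on 10.0.0.9 and
# answers each SYN/ACK with a RST (a half-open scan, like the R packets on
# slide 20); 10.0.0.7 completes one ordinary handshake to port 80.
SAMPLE_CAPTURE = """\
16:05:01.000100 IP 10.0.0.5 > 10.0.0.9: icmp 8: echo request seq 21868
16:05:01.000200 IP 10.0.0.9 > 10.0.0.5: icmp 8: echo reply seq 21868
16:05:01.000300 IP 10.0.0.5 > 10.0.0.10: icmp 8: echo request seq 21869
16:05:01.000400 IP 10.0.0.5 > 10.0.0.11: icmp 8: echo request seq 21870
16:05:01.001000 IP 10.0.0.5.40001 > 10.0.0.9.22: S 1000:1000(0) win 3072
16:05:01.001100 IP 10.0.0.9.22 > 10.0.0.5.40001: S 2000:2000(0) ack 1001 win 4128 <mss 536>
16:05:01.001200 IP 10.0.0.5.40001 > 10.0.0.9.22: R 1001:1001(0) win 0
16:05:01.002000 IP 10.0.0.5.40002 > 10.0.0.9.23: S 1000:1000(0) win 2048
16:05:01.002100 IP 10.0.0.9.23 > 10.0.0.5.40002: R 0:0(0) ack 1001 win 0
16:05:01.003000 IP 10.0.0.5.40003 > 10.0.0.9.80: S 1000:1000(0) win 2048
16:05:01.003100 IP 10.0.0.9.80 > 10.0.0.5.40003: S 3000:3000(0) ack 1001 win 4128 <mss 536>
16:05:01.004000 IP 10.0.0.5.40004 > 10.0.0.9.443: S 1000:1000(0) win 4096
16:05:01.004100 IP 10.0.0.9.443 > 10.0.0.5.40004: R 0:0(0) ack 1001 win 0
16:05:01.005000 IP 10.0.0.5.40005 > 10.0.0.9.8080: S 1000:1000(0) win 1024
16:05:01.005100 IP 10.0.0.9.8080 > 10.0.0.5.40005: R 0:0(0) ack 1001 win 0
16:05:02.000000 IP 10.0.0.7.51000 > 10.0.0.9.80: S 5000:5000(0) win 65535
16:05:02.000100 IP 10.0.0.9.80 > 10.0.0.7.51000: S 6000:6000(0) ack 5001 win 4128 <mss 536>
16:05:02.000200 IP 10.0.0.7.51000 > 10.0.0.9.80: . ack 1 win 65535
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# "IP src.sport > dst.dport: FLAGS ..." (old tcpdump flag letters: S, R, F, P, .)
TCP_RE = re.compile(rf"^\S+ IP {IPV4}\.(\d+) > {IPV4}\.(\d+): (\S+) ")
ICMP_RE = re.compile(rf"^\S+ IP {IPV4} > {IPV4}: icmp \d+: echo request")


def detect(capture, port_threshold=5, sweep_threshold=3):
    """Summarize traffic per source host and raise sweep/scan alerts."""
    stats = defaultdict(lambda: {"echo_hosts": set(), "syn_ports": set(),
                                 "completed": 0, "rst_received": 0})
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if m:
            stats[m.group(1)]["echo_hosts"].add(m.group(2))
            continue
        m = TCP_RE.match(line)
        if not m:
            continue
        src, _sport, dst, dport, flags = m.groups()
        acked = " ack " in line
        if flags == "S" and not acked:
            # client SYN: src is probing dst:dport
            stats[src]["syn_ports"].add((dst, int(dport)))
        elif flags == "." and acked:
            # ACK-only segment from src: a three-way handshake completed
            stats[src]["completed"] += 1
        elif flags == "R":
            # RST: the receiver just learned the port is closed or was refused
            stats[dst]["rst_received"] += 1

    report = {}
    for host, s in stats.items():
        alerts = []
        if len(s["echo_hosts"]) >= sweep_threshold:
            alerts.append("ping sweep")
        if len(s["syn_ports"]) >= port_threshold and s["completed"] == 0:
            alerts.append("port scan")
        report[host] = {"echo_hosts": len(s["echo_hosts"]),
                        "syn_ports": len(s["syn_ports"]),
                        "completed": s["completed"],
                        "rst_received": s["rst_received"],
                        "alerts": alerts}
    return report


if __name__ == "__main__":
    for host, summary in sorted(detect(SAMPLE_CAPTURE).items()):
        print(host, summary)
```

The "SYNs to many ports, zero completed handshakes" rule is what separates a scanner from a busy but legitimate client; the RST count is kept because a burst of RSTs coming back to one host is the same scan seen from the server side. Slow (stealth) scans defeat a single-capture count like this, so a real IDS keeps these counters over a long window.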

24 2: Enumeration => Fingerprinting: Identifying the system software
Active Stack Fingerprinting: Send messages to determine versions of system software
- Stack Fingerprinting: Identify host OS.
- Banner Grabbing: Identify applications (including version if possible)
- Identify host OS version: FIN probe, Bogus Flag probe, Initial Sequence Number sampling, Don't Fragment bit monitoring, TCP initial window size, ACK value, ICMP message reactions, etc.
Passive Stack Fingerprinting: Monitors network traffic to determine OS type/version. Tool: Siphon
- TTL: What is the initial Time To Live value?
- Window Size: What is the default window size?
- DF: Is the Don't Fragment flag set?

25 Scanning & Enumeration: Which services exist? Nessus
epmap (135/tcp)
The remote host is running a version of Windows which has a flaw in its RPC interface, which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. An attacker or a worm could use it to gain the control of this host. Note that this is NOT the same bug as the one described in MS which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.
Solution: see
Risk factor: High
CVE: CAN , CAN , CAN
BID: 8458
Other references: IAVA:2003-A-0012
Plugin ID: 11835

26 Nessus
unknown (5900/tcp)
The remote server is running VNC. VNC permits a console to be displayed remotely.
Solution: Disable VNC access from the network by using a firewall, or stop VNC service if not needed.
Risk factor: Medium   Plugin ID:
Version of VNC Protocol is: RFB   Plugin ID:
Port is open   Plugin ID: 11219

27 Enumeration Tools Port scanners and Enumeration Tools include:
- Nmap or Network Mapper: TCP/UDP, decoy or bogus scans supported to complicate IDS detection
- Scanners & Probes: Nessus, OpenVAS, Greenbone Security Assistant, Inprotect, Nmap, THC-Amap, THC-Vmap, NBTScan, nmbscan, AuditMyPc.com, Gibson Research Corporation (Shields Up), Security Auditor's Research Assistant (SARA)
- Unix scanners: Samba: Smbclient, Nmblookup, Rpcclient, Rpcinfo, showmount, R-tools…
- Wireless tools: NetStumbler, AiroPeek, Wellenreiter, Kismet
- War Dialers: ToneLoc, THC-Scan, Shokdial
- Netcat or nc: TCP & UDP port scanning, verbose options
- NetScan: axfr, whois, ping sweeps, NetBIOS name table scans, SNMP walks, etc.

28 Enumeration Controls To Guard Security:
Evaluate the computer from the inside: Enumeration tools help the administrator determine available services and evaluate vulnerabilities
- MS Baseline Security Analyzer (MBSA)
- NESSUS
Evaluate the computer from the outside: Scan to find unnecessary services from outside the FW
- Can use nmap or (LeakTest) to scan your own machine or network
Disable all unnecessary services
- UNIX: comment out unnecessary services in /etc/inetd.conf
- WINDOWS: Disable services via Control Panel/Services

29 Hacking Networks: Phase 3: Gaining Access
Network Attacks: Sniffing, Spoofing, Session Hijacking, Man in the middle, Replay, DDOS
System Attacks: Buffer Overflow, Password Cracking, SQL Injection, Web Protocol Abuse, Denial of Service, Spyware (obtain passwords)
(Diagram: captured credentials, Login: Ginger, Password: Snap)

30 3. Gaining Access: System Attacks…
- Buffer Overflows: Overflowing input buffers to corrupt the system stack and cause code execution with the intention of gaining access. Requires zero privilege. Can exploit any node.
- Directory Traversal: Using
- Password Attacks: Automatically guessing passwords
- SQL Injection

31 3. Gaining Access: Network Attacks
- Distributed Denial of Service: Zombies attack one victim.
- Spoofing: Pretending to be another network node (e.g., IP or MAC spoofing)
- Man in the Middle: Insert oneself between two communicating nodes: a form of spoofing
- Sniffing or Eavesdropping: e.g., Wireshark
- Replay: Capture a packet and resend it
- DNS Poisoning: Giving DNS false addresses; providing false information: e.g., ARP poisoning
- Session Hijacking: Generating fake packets to alter communication between two points

32 Analyzing Protocols: ARP
ARP Sequence: ARP Request -> ARP Reply
Windump Output:
14:54: arp who-has tell
14:54: arp reply is-at 0:90:27:1c:50:d0

33 ARP: Man-in-the-Middle Attack
(Diagram: (1) ARP request "?", (2) genuine ARP reply "!", (3) the attacker's own ARP reply "!" to the same request)

34 ARP: Man-in-the-Middle Attack
(Diagram: (1) Login sent by the victim, (2) Login relayed by the attacker, (3) Password sent by the victim, (4) Password relayed by the attacker)
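Added example, not from the slides: a Python checker that watches ARP traffic in the windump format of slide 32 and raises the three signs a defender looks for in an ARP man-in-the-middle, a reply nobody asked for, an IP whose MAC changes, and one MAC claiming several IPs. The capture lines, addresses and MACs are constructed; the same logic applied to a live capture is what tools such as arpwatch do.

```python
import re

ARP_REQUEST = re.compile(r"arp who-has (\S+) tell (\S+)")
ARP_REPLY = re.compile(r"arp reply (\S+) is-at (\S+)")

# Constructed capture (addresses made up): two normal request/reply exchanges
# for the gateway 10.0.0.1, then a host at 0:0c:29:aa:bb:cc answers for both
# the gateway and the client 10.0.0.5 without being asked.
SAMPLE_ARP = """\
14:54:01.000100 arp who-has 10.0.0.1 tell 10.0.0.5
14:54:01.000200 arp reply 10.0.0.1 is-at 0:90:27:1c:50:d0
14:54:05.000100 arp who-has 10.0.0.1 tell 10.0.0.6
14:54:05.000200 arp reply 10.0.0.1 is-at 0:90:27:1c:50:d0
14:54:09.000100 arp reply 10.0.0.1 is-at 0:0c:29:aa:bb:cc
14:54:09.000200 arp reply 10.0.0.5 is-at 0:0c:29:aa:bb:cc
"""


def analyze_arp(capture):
    """Return (ip -> first MAC learned for it, list of (kind, subject, detail) alerts)."""
    cache = {}        # first MAC seen for each IP
    pending = set()   # IPs with an outstanding who-has request
    claimed = {}      # MAC -> set of IPs it has answered for
    alerts = []
    for line in capture.splitlines():
        m = ARP_REQUEST.search(line)
        if m:
            pending.add(m.group(1))
            continue
        m = ARP_REPLY.search(line)
        if not m:
            continue
        ip, mac = m.groups()
        if ip not in pending:
            # nobody asked: gratuitous replies are how a cache gets poisoned
            alerts.append(("unsolicited reply", ip, mac))
        pending.discard(ip)
        first = cache.setdefault(ip, mac)
        if first != mac:
            alerts.append(("mac changed", ip, f"{first} -> {mac}"))
        claimed.setdefault(mac, set()).add(ip)
        if len(claimed[mac]) > 1:
            # one interface answering for several IPs: a host sitting in the middle
            alerts.append(("one mac claims many ips", mac, sorted(claimed[mac])))
    return cache, alerts


if __name__ == "__main__":
    learned, found = analyze_arp(SAMPLE_ARP)
    print("learned:", learned)
    for alert in found:
        print("ALERT:", alert)
```

A legitimate NIC replacement also produces a "mac changed" alert, so the checker reports rather than blocks; static ARP entries for the gateway and switch-level dynamic ARP inspection are the preventive controls.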

35 Spoofing
- DNS Spoofing: Attacker provides a DNS reply before the real DNS server
- MAC Address Spoofing: Impersonate another terminal to gain access
- IP Address Spoofing: Send Receive-Window = 0, or Session Hijacking
- Phishing: Sending an email or providing a web page, pretending you are someone else but using your IP address
May not receive any replies…
(Diagram: Joe tells the Router/AP "I am John…"; John)

36 Man-In-The-Middle Attack
(Diagram: the Victim sends its Login to a Trojan AP or Rogue Access Point, which forwards the Login to the Real AP. Also implements SPOOFING.)

37 SQL Injection
Java Original:
"SELECT * FROM users_table WHERE username=" + "'" + username + "'" + " AND password = " + "'" + password + "'";
Inserted Password: Aa' OR ''='
Java Result:
"SELECT * FROM users_table WHERE username='anyname' AND password = 'Aa' OR ' ' = ' '";
Inserted Password: foo';DELETE FROM users_table WHERE username LIKE '%
Java Result:
"SELECT * FROM users_table WHERE username='anyname' AND password = 'foo'; DELETE FROM users_table WHERE username LIKE '%'"
Inserted entry: '|shell("cmd /c echo " & char(124) & "format c:")|'
(Diagram: Login: / Password: / Welcome to My System)
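To make the slide's Java example concrete, here is an added Python/sqlite3 version (not the lecture's code): the vulnerable function builds the query by string concatenation exactly as the slide does, the hardened one passes the same values as bound parameters, and the users_table rows are constructed sample data. The second function also tries the slide's stacked DELETE payload, to show that the driver's refusal to run two statements is incidental and not the fix.

```python
import sqlite3


def make_db():
    """In-memory users_table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users_table VALUES (?, ?)",
                     [("ginger", "Snap"), ("admin", "constructed-admin-pw")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Same shape as the slide's Java: user input is spliced into the SQL text,
    so a quote in the password ends the string literal and the rest is parsed as SQL."""
    query = ("SELECT * FROM users_table WHERE username='" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Hardened form: the driver binds the values after parsing, so quotes in
    the input remain data and the query's structure cannot change."""
    query = "SELECT * FROM users_table WHERE username=? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users_table").fetchone()[0]


def try_stacked_delete(conn):
    """The slide's second payload against the vulnerable query. sqlite3 refuses to
    run two statements in one execute(); many other drivers do not, so the row
    count surviving here is luck, not a defense."""
    payload = "foo';DELETE FROM users_table WHERE username LIKE '%"
    try:
        login_vulnerable(conn, "anyname", payload)
        return "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return "refused by driver"


if __name__ == "__main__":
    db = make_db()
    bypass = "Aa' OR ''='"
    print("vulnerable   :", login_vulnerable(db, "anyname", bypass))      # every row
    print("parameterized:", login_parameterized(db, "anyname", bypass))   # []
    print("stacked      :", try_stacked_delete(db), "rows left:", count_users(db))
```

With the bypass payload the concatenated query becomes `... password = 'Aa' OR ''=''`; AND binds tighter than OR, so the condition is true for every row and the application "logs in" without a valid credential. The parameterized query compares the password column against the literal string `Aa' OR ''='` and returns nothing.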

38 Hacking Networks: 3b: Gain Access: Persistence Hide Presence/Establish Persistence/Exploit
- Backdoor: Hidden entrance
- Trojan Horse: Undesirable feature, e.g., logs keystrokes, accesses data
- User-Level Rootkit: Replaces system executables, e.g., login, ls, du
- Kernel-Level Rootkit: Replaces the OS kernel, e.g., process or file control, to hide
- Bots: Slave forwards/performs commands; spreads, lists addresses, DOS attacks
- Spyware/Adware: Collects info, inserts ads, filters search results

39 3b: Gaining Access: Persistence
Establish Persistence/Hide Presence
Escalation of Privileges:
- Password Guessing
- Keystroke Logger: Learn passwords
- Exploit known vulnerabilities of software
- Session Hijacking: Take over an existing session
After Break-In:
- Create backdoors for reentry
- Weaken security
- Hide tracks: Delete logs

40 Gaining Access: Auditing Checks
Be careful of false positives and false negatives!
- Slow responses can result in a negative (wrong) conclusion
- A vulnerability may apply only in combination with a particular version of the OS
- Vulnerability tests can have bugs
- A vulnerability may exist, but the context may not exist for the application
- Specific network h/w may affect the test (e.g., load balancing, firewall proxies)
Therefore:
- Use two tools to test!
- Determine whether the vulnerability exists in the context of the OS, applications, etc.
- Treat the information as confidential

41 Stage 4: Exploit
Exploit:
- Exfiltrate data: corporate secrets, payment card info
- Launch DOS/DDOS attacks
- Web defacement
- Establish continual access

42 Distributed Denial of Service
(Diagram: Attacker -> Handler -> Zombies in N. Korea, Russia, United States -> Victim; SYN Flood; Smurf Attack (Pings))

43 To understand the operation of these attacks, we need to review the three-way handshake that TCP uses to establish a connection. This is illustrated in Figure 7.2. The client system initiates the request for a TCP connection by sending a SYN packet to the server. This identifies the client's address and port number and supplies an initial sequence number. It may also include a request for other TCP options. The server records all the details about this request in a table of known TCP connections. It then responds to the client with a SYN-ACK packet. This includes a sequence number for the server and increments the client's sequence number to confirm receipt of the SYN packet. Once the client receives this, it sends an ACK packet to the server with an incremented server sequence number and marks the connection as established. Likewise, when the server receives this ACK packet, it also marks the connection as established. Either party may then proceed with data transfer.
In practice, this ideal exchange sometimes fails. These packets are transported using IP, which is an unreliable, though best-effort, network protocol. Any of the packets might be lost in transit, as a result of congestion, for example. Hence both the client and server keep track of which packets they have sent and, if no response is received in a reasonable time, will resend those packets. As a result, TCP is a reliable transport protocol, and any applications using it need not concern themselves with problems of lost or reordered packets. This does, however, impose an overhead on the systems in managing this reliable transfer of packets.

44 A SYN spoofing attack exploits this behavior on the targeted server system. The attacker generates a number of SYN connection request packets with forged source addresses. For each of these the server records the details of the TCP connection request and sends the SYN-ACK packet to the claimed source address, as shown in the figure. If there is a valid system at this address, it will respond with a RST (reset) packet to cancel this unknown connection request. When the server receives this packet, it cancels the connection request and removes the saved information. However, if the source system is too busy, or there is no system at the forged address, then no reply will return. In these cases the server will resend the SYN-ACK packet a number of times before finally assuming the connection request has failed and deleting the information saved concerning it.
In this period between when the original SYN packet is received and when the server assumes the request has failed, the server is using an entry in its table of known TCP connections. This table is typically sized on the assumption that most connection requests quickly succeed and that a reasonable number of requests may be handled simultaneously. However, in a SYN spoofing attack, the attacker directs a very large number of forged connection requests at the targeted server. These rapidly fill the table of known TCP connections on the server. Once this table is full, any future requests, including legitimate requests from other users, are rejected. The table entries will time out and be removed, which in normal network usage corrects temporary overflow problems. However, if the attacker keeps a sufficient volume of forged requests flowing, this table will be constantly full and the server will be effectively cut off from the Internet, unable to respond to most legitimate connection requests. In order to increase the usage of the known TCP connections table, the attacker ideally wishes to use addresses that will not respond to the SYN-ACK with a RST. This can be done by overloading the host that owns the chosen spoofed source address, or by simply using a wide range of random addresses. In this case, the attacker relies on the fact that there are many unused addresses on the Internet. Consequently, a reasonable proportion of randomly generated addresses will not correspond to a real host.
There is a significant difference in the volume of network traffic between a SYN spoof attack and the basic flooding attack we discussed. The actual volume of SYN traffic can be comparatively low, nowhere near the maximum capacity of the link to the server. It simply has to be high enough to keep the known TCP connections table filled. Unlike the flooding attack, this means the attacker does not need access to a high-volume network connection. In the network shown in Figure 7.1, the medium-sized organization, or even a broadband home user, could successfully attack the large company server using a SYN spoofing attack.
A flood of packets from a single server or a SYN spoofing attack originating on a single system were probably the two most common early forms of DoS attacks. In the case of a flooding attack this was a significant limitation, and attacks evolved to use multiple systems to increase their effectiveness. We next examine in more detail some of the variants of a flooding attack. These can be launched either from a single or multiple systems, using a range of mechanisms, which we explore.
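The reasoning above about the table of known TCP connections can be checked with a small model. This is an added Python simulation, not from Stallings' text: each SYN occupies a table entry until the peer answers (a client's ACK or an unexpecting host's RST both release it within a short reply delay) or, for a forged or unreachable address, until the SYN-ACK retransmissions give up. The table capacity, arrival rates, reply delay and timeouts are constructed parameters, chosen to show the three cases the text describes: forged addresses that never answer, a shorter time-out, and "forged" addresses that belong to live hosts.

```python
from dataclasses import dataclass


@dataclass
class Attempt:
    t: float      # arrival time of the SYN, in seconds
    src: str      # claimed source address (just a label here)
    live: bool    # is there a real host that will answer the SYN-ACK?
    legit: bool   # is this a real client the server should be serving?


def build_scenario(attack_rate, duration, live, legit_every=1.0):
    """Constructed traffic: `attack_rate` forged SYNs per second for `duration`
    seconds, plus one legitimate client every `legit_every` seconds."""
    attempts = [Attempt(i / attack_rate, f"forged-{i}", live, False)
                for i in range(int(attack_rate * duration))]
    k = 0
    while k * legit_every + 0.55 < duration:
        attempts.append(Attempt(k * legit_every + 0.55, f"client-{k}", True, True))
        k += 1
    attempts.sort(key=lambda a: a.t)
    return attempts


def simulate(attempts, capacity, syn_timeout, reply_delay=0.05):
    """Model of the server's table of known (half-open) TCP connections.
    Returns (legitimate clients accepted, legitimate clients rejected, peak occupancy)."""
    half_open = []            # expiry time of each entry currently in the table
    accepted = rejected = peak = 0
    for a in attempts:
        half_open = [exp for exp in half_open if exp > a.t]   # released entries
        if len(half_open) >= capacity:
            if a.legit:
                rejected += 1          # table full: the SYN is dropped
            continue
        # A live peer answers within reply_delay (ACK completes the handshake,
        # RST cancels the bogus request). A forged or unreachable address never
        # answers, so the entry stays until the retransmissions time out.
        half_open.append(a.t + (reply_delay if a.live else syn_timeout))
        peak = max(peak, len(half_open))
        if a.legit:
            accepted += 1
    return accepted, rejected, peak


if __name__ == "__main__":
    forged = build_scenario(attack_rate=10, duration=30, live=False)
    print("forged addresses, 60 s timeout:", simulate(forged, capacity=128, syn_timeout=60.0))
    print("forged addresses, 3 s timeout :", simulate(forged, capacity=128, syn_timeout=3.0))
    from_live = build_scenario(attack_rate=10, duration=30, live=True)
    print("live addresses, 60 s timeout  :", simulate(from_live, capacity=128, syn_timeout=60.0))
```

Ten forged SYNs per second is a trivial amount of traffic, yet with a 128-entry table and a 60-second give-up time the table is full after about 13 seconds and every later client is refused. The same stream against addresses that answer with RST never holds more than a couple of entries, which is why the text says the attacker wants addresses that will not respond, and why a defender watches the count of half-open connections rather than link utilization.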

45 Amplification attacks are a variant of reflector attacks and also involve sending a packet with a spoofed source address for the target system to intermediaries. They differ in generating multiple response packets for each original packet sent. This can be achieved by directing the original request to the broadcast address for some network. As a result, all hosts on that network can potentially respond to the request, generating a flood of responses as shown in the figure. It is only necessary to use a service handled by large numbers of hosts on the intermediate network. A ping flood using ICMP echo request packets was a common choice, since this service is a fundamental component of TCP/IP implementations and was often allowed into networks. The well-known smurf DoS program used this mechanism and was widely popular for some time. Another possibility is to use a suitable UDP service, such as the echo service. The fraggle program implemented this variant. Note that TCP services cannot be used in this type of attack; because they are connection oriented, they cannot be directed at a broadcast address. Broadcasts are inherently connectionless.
The best additional defense against this form of attack is to not allow directed broadcasts to be routed into a network from outside. Indeed, this is another longstanding security recommendation, unfortunately about as widely implemented as that for blocking spoofed source addresses. If these forms of filtering are in place, these attacks cannot succeed. Another defense is to limit network services like echo and ping from being accessed from outside an organization. This restricts which services could be used in these attacks, at a cost in ease of analyzing some legitimate network problems. Attackers scan the Internet looking for well-connected networks that do allow directed broadcasts and that implement suitable services attackers can reflect off. These lists are traded and used to implement such attacks.

46 DNS Amplification Attacks
- Use packets directed at a legitimate DNS server as the intermediary system
- Attacker creates a series of DNS requests containing the spoofed source address of the target system
- Exploit DNS behavior to convert a small request to a much larger response (amplification)
- Target is flooded with responses
- Basic defense against this attack is to prevent the use of spoofed source addresses
Notes: In addition to the DNS reflection attack discussed previously, a further variant of an amplification attack uses packets directed at a legitimate DNS server as the intermediary system. Attackers gain attack amplification by exploiting the behavior of the DNS protocol to convert a small request into a much larger response. This contrasts with the original amplifier attacks, which use responses from multiple systems to a single request to gain amplification. Using the classic DNS protocol, a 60-byte UDP request packet can easily result in a 512-byte UDP response, the maximum traditionally allowed. All that is needed is a name server with DNS records large enough for this to occur. These attacks have been seen for several years. More recently, the DNS protocol has been extended to allow much larger responses of over 4000 bytes to support extended DNS features such as IPv6, security, and others. By targeting servers that support the extended DNS protocol, significantly greater amplification can be achieved than with the classic DNS protocol. In this attack, a selection of suitable DNS servers with good network connections are chosen. The attacker creates a series of DNS requests containing the spoofed source address of the target system. These are directed at a number of the selected name servers. The servers respond to these requests, sending the replies to the spoofed source, which appears to them to be the legitimate requesting system. The target is then flooded with their responses.
Because of the amplification achieved, the attacker need only generate a moderate flow of packets to cause a larger, amplified flow to flood and overflow the link to the target system. Intermediate systems will also experience significant loads. By using a number of high-capacity, well-connected systems, the attacker can ensure that intermediate systems are not overloaded, allowing the attack to proceed.
A further variant of this attack exploits recursive DNS name servers. This is a basic feature of the DNS protocol that permits a DNS name server to query a number of other servers to resolve a query for its clients. The intention was that this feature is used to support local clients only. However, many DNS systems support recursion by default for any requests. They are known as open recursive DNS servers. Attackers may exploit such servers for a number of DNS-based attacks, including the DNS amplification DoS attack. In this variant, the attacker targets a number of open recursive DNS servers. The name information being used for the attack need not reside on these servers, but can be sourced from anywhere on the Internet. The results are directed at the desired target using spoofed source addresses.
Like all the reflection-based attacks, the basic defense against these is to prevent the use of spoofed source addresses. Appropriate configuration of DNS servers, in particular limiting recursive responses to internal client systems only, as described in RFC 5358, can restrict some variants of this attack.

47 A Few…. General Controls

48 Key security mechanisms
Maximize software security:
- Patch OS, applications, 3rd party applications with auto-update
- Configure security settings carefully
Restrict access:
- Restrict admin privileges
- Disable unnecessary accounts
- Password controls
Restrict number of services:
- White-list approved applications
- Uninstall or disable unnecessary services

49 Plan to Maximize Security
- Design security into the system: Security in requirements; Authentication & Access Control
- Configure properly the first time
- Careful administration: Logs, synchronized clocks; Local/remote management

50 Hardening a Computer
Carefully install OS/App:
- Install, patch in a protected network
- Anti-virus, firewall, IDS/IPS
- Auto-update patches
Minimize access to services:
- Remove unnecessary services
- Configure access permissions: users & groups
- Secure boot process
Test the system: Outside & Inside

51 Install Additional Security Controls
- Anti-virus software (also for smart-phones)
- IDS/IPS: traffic monitoring, file integrity checking (tripwire)
- Firewall: Can restrict input to certain ports or protocols
- Check for rogue machines, systems
- Whitelist applications (if possible): Only a certain set of executables may run

52 Remove Unnecessary Services
If every app has 1 vulnerability, then fewer apps are better
Remove unnecessary services:
- Customize installation
- Remove OS services and capabilities
- Balance between usability & security
- Remove, don't disable
Restrict account access:
- Restrict default accounts (e.g., GUEST)
- Change default passwords
- Minimize access to existing services
Restrict elevated privileges:
- Use elevated privileges minimally
- Log privileged actions

53 Securing Applications
- Install in a protected network
- Limit permissions: The web application should have minimal permissions; permissions can be increased for certain actions; set file permissions for administrator versus web user; a UNIX chroot jail limits file system access
- Set security settings: logs, account lockout, password, banners
- Add controls as necessary: Encryption, digital certificate

54 Security Maintenance
Monitor log information:
- Detective technique: catches after-the-fact
- System, network, application
- Allocate sufficient space, best off-line
Perform regular backups:
- Archive: retain copies of data over time
- Off-site storage works for fires, disasters, on-site thief
Regularly test system security:
- Automate: daily tests, hourly, every 10 minutes
Patch & update critical software
Recover from security compromises

55 Virtual Machine
(Diagram of the two stacks, each running App / Guest OS pairs on a Hypervisor/VMM)
- Native Virtualization: Apps run in Guest OSes on a Hypervisor/VMM that sits directly on the Physical Hardware (disk). Preferred for servers.
- Hosted Virtualization: Apps run in Guest OSes on a Hypervisor/VMM that runs on a Host OS, which sits on the Physical Hardware. Common in clients.

56 Virtual Machine Security
Plan for security: Each VM is one isolated function
- Secure the host system, hypervisor, guest OSes, guest applications
- Restrict administrator access to the virtualized solution

57 A Few… Specific Applications
From: Hacking Exposed: Network Security Secrets & Solutions
Only let in specifically permitted applications. Why are some ports important to close?

58 Firewall Recommendations: Default Deny
[Diagram: In Rules / Out Rules]
Default Deny: deny all IP addresses/ports, except those specifically allowed
Default Accept: accept all IP addresses/ports, except those specifically denied

59 Network Protocols
TFTP: TCP/UDP port 69
  Simple file transfer protocol that sends in cleartext
  Lacks any authentication mechanism
  [root$] tftp
  Tftp> connect
  Tftp> get /etc/passwd /tmp/crackpasswd
  Tftp> quit
  Countermeasures:
    Avoid TFTP altogether
    Block TCP/UDP port 69 at firewall
    Limit access to the /tftpboot directory
Simple Network Management Protocol (SNMP): UDP 161
  Collects information from the network, and may give it away too
  Can provide usernames, OS version, share names/paths, running services, etc.
  Countermeasures:
    Block TCP/UDP 161 at network perimeter
    Use an excellent password
    Disable if not required
    Use authentication & encryption

60 More Network Services
ICMP: IP error reporting protocol
  Consider closing in ICMP: Echo (Ping), Destination Unreachable, (Subnet) Address Mask Request, Host Unreachable, Port Unreachable, Redirect, Time Exceeded, Admin Prohibited (ACL denied)
DHCP: dynamically allocates IP addresses
  DHCP Manager: TCP 135
  DHCP Lease: UDP 67-68

61 UNIX-Specific Applications
UNIX Remote Procedure Call (RPC): TCP/UDP 111, 32771
  The portmapper provides info on RPC programs, versions, protocol, port
  [root$] rpcinfo -p <ip_addr>
  C:\> rpcdump <ip_addr>
  [root$] nmap -sS -sR <ip_addr>
  Countermeasures:
    Use authentication (and possibly encryption) with RPC
    Block port 111 and other RPC ports to the outside (UNIX: port 111; Sun: port 32771)
Network File System (NFS): TCP/UDP 2049
  List directories being shared:
  [root$] showmount -e <ip_addr>
  export list for <ip_addr>
  /pub (everyone)
  /usr user
  Countermeasures:
    Ensure exported file systems have proper permissions (set read/write permissions per host)
    Block NFS at network perimeter: TCP/UDP 2049
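Slide 52's advice to remove unnecessary services, and the per-service notes on TFTP, SNMP, the RPC portmapper and NFS above, come together in a routine audit: list what the host is actually listening on and compare it with what its role requires. The script below is an added example, not from the slides, of such an audit. Its inventory of listening sockets is constructed (it is not real `ss` or `netstat` output), the web-server allowlist is an assumption for the example, and the reasons attached to the risky ports restate the countermeasures given on the slides.

```python
"""Listening-service audit against a per-role allowlist (added example, not
from the slides). Given an inventory of listening sockets, it reports every
listener that is not on the host's allowlist, attaching the reason the
course gives for closing the well-known risky ones (TFTP, SNMP, RPC
portmapper, NFS). The inventory below is constructed, not real tool output.
"""

# Ports the slides single out, with the stated reason to close or restrict them.
RISKY_PORTS = {
    ("udp", 69): "TFTP: cleartext, no authentication; remove or block at firewall",
    ("tcp", 69): "TFTP: cleartext, no authentication; remove or block at firewall",
    ("udp", 161): "SNMP: leaks users, OS version, shares; block at perimeter or disable",
    ("tcp", 161): "SNMP: leaks users, OS version, shares; block at perimeter or disable",
    ("tcp", 111): "RPC portmapper: enumerates RPC programs; block to outside",
    ("udp", 111): "RPC portmapper: enumerates RPC programs; block to outside",
    ("tcp", 2049): "NFS: exported shares readable; block at perimeter, fix export permissions",
    ("udp", 2049): "NFS: exported shares readable; block at perimeter, fix export permissions",
}

# Assumed allowlist for a hardened public web server role: only what it must serve.
WEB_SERVER_ALLOWLIST = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

# Constructed inventory: "proto port process", one listener per line.
SAMPLE_LISTENERS = """\
tcp   22    sshd
tcp   80    nginx
tcp   443   nginx
udp   69    tftpd
udp   161   snmpd
tcp   111   rpcbind
tcp   2049  nfsd
tcp   8080  devserver
"""


def parse_listeners(text):
    """Parse the constructed inventory into (proto, port, process) tuples."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        proto, port, process = parts
        listeners.append((proto.lower(), int(port), process))
    return listeners


def audit(text, allowlist):
    """Return unexpected listeners as (proto, port, process, reason), sorted by port.

    A listener is unexpected when (proto, port) is not in the allowlist; the
    reason is the course's note for known-risky ports, or a generic one.
    """
    findings = []
    for proto, port, process in parse_listeners(text):
        if (proto, port) in allowlist:
            continue
        reason = RISKY_PORTS.get(
            (proto, port), "not on allowlist: remove the service, don't just disable it"
        )
        findings.append((proto, port, process, reason))
    return sorted(findings, key=lambda f: (f[1], f[0]))


if __name__ == "__main__":
    for proto, port, process, reason in audit(SAMPLE_LISTENERS, WEB_SERVER_ALLOWLIST):
        print(f"{proto}/{port:<5} {process:<10} {reason}")
```

Run against the sample inventory, the audit passes sshd and nginx and flags the TFTP, SNMP, portmapper and NFS listeners plus the stray development server on 8080; the fix for each, per the slides, is to remove the package rather than merely stop the daemon, and to block the port at the perimeter as well.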

62 Windows-Specific Applications
After Windows 2000:
Domain Name Server (DNS): UDP 53
Lightweight Directory Access Protocol (LDAP): selecting My Network Places to search in Active Directory Server
  TCP/UDP 389; TCP port 3268
  TCP 3269: Global Catalog
  TCP 636: LDAP SSL
Server Message Block (SMB) Direct Hosting: working with a service within My Network Places (e.g., print): TCP port 445 (older: )
Kerberos: encrypted authentication: TCP/UDP 88, TCP/UDP 464
  TCP 544: KShell

63 Surely ports 80 & 443 should be kept open?
We have web pages encrypted (port 443) and unencrypted (port 80). We leave these open.
Crackers know ports 80 & 443 are usually open
Malware can use these ports to get in (command & control, botnets)
So... which servers serve web pages? Permit for them only (encrypted/unencrypted)
Clients should not have ports 80 & 443 open
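The default-deny recommendation of slide 58 and the point just made about ports 80 and 443 are the same rule applied per host: a web server permits inbound 80/443 because it serves pages, a client permits nothing inbound at all. The model below is an added example, not from the slides or any firewall product: it evaluates constructed inbound packets against three assumed inbound policies (a default-deny web server, a default-deny client, and a default-accept policy with a short deny list) so the difference in what reaches the host is visible.

```python
"""Default-deny versus default-accept inbound filtering (added example, not
from the slides). Models a host firewall as an ordered rule list plus a
default action and evaluates constructed inbound packets against three
assumed policies: a default-deny web server, a default-deny client, and a
default-accept policy, to show which unlisted traffic each lets through.
"""


class Policy:
    """Ordered inbound rules; first match wins, otherwise `default` applies."""

    def __init__(self, default, rules=()):
        if default not in ("allow", "deny"):
            raise ValueError("default must be 'allow' or 'deny'")
        self.default = default
        # Each rule is (action, proto, port); proto or port may be "*" (wildcard).
        self.rules = list(rules)

    def decide(self, proto, dst_port):
        """Return 'allow' or 'deny' for an inbound packet to proto/dst_port."""
        for action, r_proto, r_port in self.rules:
            if r_proto in ("*", proto) and r_port in ("*", dst_port):
                return action
        return self.default


# A web server: default deny, permit only what it serves (plus admin SSH).
WEB_SERVER = Policy("deny", [
    ("allow", "tcp", 22),
    ("allow", "tcp", 80),
    ("allow", "tcp", 443),
])

# A client workstation: default deny with no inbound services at all, so
# 80/443 are closed inbound even though the client browses the web outbound.
CLIENT = Policy("deny")

# The weaker alternative: accept everything except a few known-bad ports.
DEFAULT_ACCEPT = Policy("allow", [
    ("deny", "udp", 69),
    ("deny", "udp", 161),
    ("deny", "tcp", 2049),
])

# Constructed inbound packets: (label, proto, dst_port).
SAMPLE_PACKETS = [
    ("https request", "tcp", 443),
    ("http request", "tcp", 80),
    ("snmp probe", "udp", 161),
    ("tftp probe", "udp", 69),
    ("unlisted port 4444", "tcp", 4444),
]


def evaluate(policy, packets=SAMPLE_PACKETS):
    """Return {label: decision} for each packet under the given policy."""
    return {label: policy.decide(proto, port) for label, proto, port in packets}


if __name__ == "__main__":
    for name, policy in (("web server", WEB_SERVER), ("client", CLIENT), ("default accept", DEFAULT_ACCEPT)):
        print(name)
        for label, decision in evaluate(policy).items():
            print(f"  {label:<20} {decision}")
```

The unlisted port is the telling case: both default-deny policies refuse it without anyone having written a rule for it, while the default-accept policy passes it because its authors never anticipated it, which is exactly the weakness the slides warn about.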

64 Additional Resources
SANS has webcasts, documents, news
US National Institute of Standards and Technology (NIST)
Web pages for MS Windows for security tools, checklists, and guides:
Recognize Trojans
Close off all ports used by Trojan horses: port 80 (web) can also be used by Trojans and other applications when their normal port is closed

65 Summary of Controls
Vendor-Independent Controls to Minimize Security Risks
Filter incoming connections for all ports, except those that are needed
Build machines (OS, applications) in a controlled environment
Ensure machines run minimal services
Run software with patches installed; auto-update patches
Restrict access to services (data, configuration files) based on need
Display warnings against trespassing
Collect and monitor logs via remote server (login attempts, changes in permissions, accounts, or log/audit settings, file/printer accesses, etc.)
Ensure remote administration uses strong authentication and encryption controls
Partition services and hardware in network to maximize security
Use IDS/IPS to detect attack patterns

