Published by Ross Walker. Modified over 10 years ago.
Slide 1 of 172: Internet Attacks: The Gory Details
Bill Cheswick, ches@lumeta.com

Slide 3: Some Internet Basics: Internet communication
[diagram: the client and the server each run the same four-layer stack, Application level / TCP/UDP / IP / Hardware, and talk to each other across the Internet]

Slide 5: Some Internet Basics: Internet communication
[diagram: as on slide 3, but between the client and the server sit several routers, each of which implements only the IP and Hardware layers]

Slide 6: Application level
- Talks to a host with some protocol
- Examples:
  - SMTP, POP3, IMAP (mail)
  - telnet, rlogin (login)
  - HTTP (web access)
  - DNS (name service)
  - RIP, BGP4, OSPF (routing)
  - NFS, SMB (network file access)
- Anyone can invent a new protocol between two hosts.
[diagram: Application level over TCP or UDP, over IP, over Ethernet, etc.]

Slide 7: TCP
- TCP supplies a reliable connection to the other end
- Sets up a "circuit" between client and server
- Breaks a stream of data into packets
- Reassembles packets into a stream
- Services are numbered 1-65535

Slide 8: UDP
- Connectionless messages
- No error correction
- No flow control
- Suitable for some network services that don't have to be reliable, like voice
- Services are numbered 1-65535
- As a rule, its connectionless nature makes it dangerous

Slide 9: IP
- Packets have limited sizes
- May be dropped in transit if there is congestion
- May arrive out of order
- May be duplicated
- Addressing by IP number
- Currently using IP version 4
  - Version 6 is dubious
- IPsec gives authentication and/or encryption
- May be tunneled

Slide 10: ICMP
Provides various controls and auxiliary functions:
- ping
- ping replies
- TTL time exceeded
- source quench (TCP only)
- net unreachable
- host unreachable
- packet filtered
[diagram: ICMP sits at the IP layer of the stack]

Slide 11: The TCP/IP stack is hard to do
- 25,000 lines of code is typical
- RFCs don't give all the details
- It takes practice and experience to get it right
  - The learning curve is still evident in Linux and Microsoft
- Usually kernel-level code: debugging is tedious
- Hard to debug error states in a protocol
- "crashme" attacks: send random packets with valid checksums
  - IP options
  - TCP reassembly

Slide 12: Hardware level
- Sniffable if on the same net.
- There are attacks that fiddle at this level
[diagram: the hardware layer may be Ethernet, ATM, wireless]

Slide 13: Internet Weaknesses (section divider)

Slide 14: The Internet
- Ad hoc collection of TCP/IP interconnections
- No real central authority
- No central knowledge of connections: maybe flows, but not yet
- No per-packet billing, in most places
- Core equipment too busy to help law enforcement
- Large perimeters are impossible to control

Slide 15: Remote attacks, and anonymity, are easy
- Attacks can be laundered through many hosts around the world
- Brief attacks are hard to track down
- The average defender is clueless

Slide 16: Traceback can be very hard
- Clueless ISPs
- Ignorant law enforcement
- Treaties with foreign countries: the attack may not be against the local law
- The attacker may cease the attack before traceback is completed

Slide 17: "Monoculture"
- Small set of target types and versions
  - Microsoft OS and applications
  - Apache
  - Samba
  - DNS
  - Cisco IOS
- Like planting Kansas with a single strain of wheat, or vineyards with a single root stock

Slide 18: Attacking scripts are published and shared
- Loners develop attack software for the rest of us
- Hacking FAQs are common
- Software tools are easily available: look up "rootkit"
- "Script kiddies" are a major source of current Internet attacks

Slide 19: Unsafe Services
- Useful
- Poorly written
- Poor auditing
- Found in most hosts
- Safer services and protocols are rare
- Vendors sell flawed software
- Users don't fix holes
- Host-based security is usually broken
- Security requires discipline: not found in market leaders
  - And often not found in open source software either

Slide 20: Unsafe Services: Some Typical Errors
- Unchecked user input submitted to the shell or Perl
  - wildcard and escape characters take over the process
  - CGI scripts
- Secret options, commands, or back doors
  - DEBUG and others in sendmail
- Input string length is not checked
  - string buffer overrun corrupts the stack: strcpy, gets, sprintf
  - caller supplies assembly code, and jumps to it
  - finger (Morris worm)
  - early Netscape
  - statd (latest)

Slide 21: Unsafe Services: Privileged programs are much too large
- Sendmail is tens of thousands of lines of complex code, running as root.
- The Netscape browser/communicator is huge
- Operating systems are huge
  - Windows
  - Unix
  - Features are never retired, only added
- A short, simple program is hard to get right

Slide 22: Unsafe Protocols
- Passwords transmitted in the clear
  - Challenge/response is better, though subject to dictionary attacks
  - EKE can hide this
  - Machine-generated passwords are better, but require devices or printouts
- Address-based authentication
  - Can be OK in controlled environments
  - DNS and routing attacks can fool these

Slide 23: Weakest Link Compromises many targets
- Vulnerabilities are common in network services
- One break-in compromises
  - the rest of the host
  - the host's net (via sniffers)
  - trusting hosts
- "Non-vital" targets may be vital

Slide 24: How Do They Find Dangerous Ports?
- Port scanners
  - Easy to write
  - Half-open (SYN-only) scanners often don't show up in logs
  - Harder to scan for UDP services, but not by much
- "Firewalking" can scan through a firewall
  - Uses packets that a firewall often admits, such as ICMP or TCP SYN/ACK

Slide 25: Attacks: Stack Smashing (section divider)

Slide 26: Programs don't check their input
- Routines like gets, strcpy, and sprintf are inherently dangerous
- If the input is too long, it can overwrite memory in C, overwriting variables and subroutine return addresses.
- Every piece of external data must be checked before it is used.
- It doesn't hurt to check internal stuff, too
  - assert.h
  - CPU time is cheap
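As an added illustration (not from the deck), here is the unbounded copy the slide describes beside a bounded version, plus a bounded line reader in place of gets(); the function names, the 16-byte buffer and the sample inputs are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <assert.h>

#define BUF_LEN 16   /* assumed buffer size for the example */

/* The pattern the slide warns about: nothing checks the input length, so a
 * name longer than BUF_LEN-1 bytes writes past 'buf' into the neighbouring
 * locals and the saved return address. Kept only for contrast; nothing in
 * this file calls it with untrusted input. */
int greet_unchecked(const char *name)
{
    char buf[BUF_LEN];
    strcpy(buf, name);                 /* unbounded copy: the stack-smash bug */
    return (int)strlen(buf);
}

/* Hardened form: measure the input without reading past 'outlen', reject
 * anything that does not fit together with its terminator, then copy
 * exactly that many bytes. Returns the bytes stored, or -1 on rejection. */
int greet_checked(const char *name, char *out, size_t outlen)
{
    size_t n = 0;

    if (name == NULL || out == NULL || outlen == 0)
        return -1;
    while (n < outlen && name[n] != '\0')
        n++;
    if (n == outlen)                   /* too long, or no terminator in range */
        return -1;
    memcpy(out, name, n);
    out[n] = '\0';
    assert(strlen(out) < outlen);      /* the slide's point: assert.h is cheap */
    return (int)n;
}

/* Bounded line reader, the replacement for gets(). Returns the line length
 * without its newline, or -1 at end of file or when the line did not fit
 * (the rest of an over-long line is drained so the next call stays aligned). */
int read_line_checked(FILE *fp, char *out, size_t outlen)
{
    size_t n;
    int c;

    if (outlen < 2 || fgets(out, (int)outlen, fp) == NULL)
        return -1;
    n = strlen(out);
    if (n > 0 && out[n - 1] == '\n') {
        out[n - 1] = '\0';
        return (int)(n - 1);
    }
    /* No newline in the buffer: either the line fit exactly or it overflowed. */
    c = fgetc(fp);
    if (c == '\n' || c == EOF)
        return (int)n;                 /* it fit exactly */
    while (c != EOF && c != '\n')      /* discard the rest of the over-long line */
        c = fgetc(fp);
    return -1;
}

int main(void)
{
    char buf[BUF_LEN];

    printf("%d\n", greet_checked("ches", buf, sizeof buf));
    printf("%d\n", greet_checked("a name far longer than the buffer", buf, sizeof buf));
    return 0;
}
```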
Slide 27: A Stack: before a procedure call
[diagram: the stack holds only variables]

Slide 28: A Stack: while a procedure is running
[diagram, top to bottom: Return addr / String buffer / Local vars. / Local vars / Other stuff; the return address is where to go after the procedure is finished]

Slides 29-30: A Stack: while a procedure is running
[same diagram; the input line goes into the string buffer]

Slide 31: "Stack smashing" attack
[same diagram; the over-long input overwrites the return address with a new one, which points to...]

Slide 32: "Stack smashing" attack
[...new code loaded in some space on the stack]
- The code runs with the privileges of the attacked program, usually root

Slide 33: Some former victims of stack-smashing attacks
- fingerd (Morris worm)
- sendmail
- syslogd
- rstatd
- early Netscape browsers
- file names in attachments to mail
- sshd
- IIS web server

Slide 34: Attacks: Portable Programs (section divider)

Slide 35: Dangerous services: portable programs
- Java
- ActiveX^H^H^H^H^H^H^HCOMX^H^H^H^H
- SOAP
- Viruses:
  - PC
  - Word
  - Excel

Slides 36-37: Where do Programs Run?
[diagram: a Program running on top of the Kernel]
- This model is wrong!

Slide 38: Applets run in an incompletely-defined environment
[diagram: Kernel / Program]

Slide 39: Java's "sandbox"
- Is incompletely defined
- Can be different for each vendor
- Often optimized for speed, not security
- Allows "native methods", which can break the security model
- ActiveX: like Java, but no sandbox at all

Slide 40: Attacks: Sniffing attacks ("eavesdropping") (section divider)

Slide 41: Host with TCP Services
[diagram: Client, Server, Attacker]

Slide 42: Ethernet and Passwords
- Was never secure from eavesdropping
- "Sniffing" tools are common
  - grab host name, user name, and password
  - check any hacker collection
- Credit card numbers are easy
- Over 1,000,000 captured in 1994
- It doesn't matter how good your password is if it can be sniffed!
- Still in wide use, even for root!

Slides 43-44: Wireless passwords
[screenshots only]

Slide 45: Attacks: IP Spoofing a trusted host (section divider)

Slide 46: IP Spoofing
- Defeats address-based authentication, i.e. rlogin, rsh, tcp wrappers
- Common tools are available to the hackers: they don't have to be TCP/IP experts
- This was used to crack Tsutomu Shimomura's machines in "Takedown."
- Robert Morris Jr. wrote a paper on this in 1984
- Steve Bellovin republished it in 1989
- First known use in 1994

Slides 47-49: Normal TCP connection (the slides label both initial sequence numbers "SEQ 0"; below, SEQ0 is the client's and SEQ0' is the server's)
- Slide 47: initial SYN packet. Client -> Server: SYN, SEQ0
- Slide 48: response to the open; the connection is "half open". Server -> Client: SYN, ACK SEQ0+1, SEQ0'
- Slide 49: the client completes the handshake; the TCP connection is now open. Client -> Server: ACK SEQ0'+1, SEQ0+1

Slides 50-58: IP Spoof of a Trusted Client [diagrams: Client, Server, Attacker]
- Slide 50: Determine the likely SEQ0'
- Slides 51-52: Suppress the trusted client, with a killer packet or a SYN attack
- Slide 53: The attacker opens a connection "from" the trusted client. Attacker -> Server: SYN, SEQ0
- Slide 54: The open seems to come from the trusted client
- Slide 55: The server responds to the dead client. Server -> Client: SYN, ACK SEQ0+1, SEQ0'
- Slide 56: The attacker spoofs the final open message. Attacker -> Server: ACK SEQ0'+1, SEQ0+1
- Slide 57: The "open" is complete
- Slide 58: Open the server to outside access. Attacker -> Server: "evil trusted command"

Slide 59: Preventing IP spoofing
- Spoofing can be stopped at the perimeter
  - "No internal addresses accepted from the outside"
  - It helps to have a coherent address space
- A firewall can prevent access also
- Address-based authentication is a BAD IDEA.
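An added example, not part of the deck, of the perimeter rule on this slide written as a packet-admission check: a packet arriving from the outside is dropped if its source address falls inside the site's own address space. The internal prefixes (10.0.0.0/8 and 192.168.0.0/16), the function names and the sample addresses are constructed for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Parse a dotted-quad IPv4 address into host byte order. Returns 1 on
 * success, 0 on any malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;

    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4)
        return 0;                      /* wrong shape, or trailing junk */
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* A network prefix in CIDR form: network address and prefix length. */
struct prefix {
    uint32_t net;
    unsigned bits;
};

int in_prefix(uint32_t addr, const struct prefix *p)
{
    uint32_t mask = p->bits == 0 ? 0 : 0xffffffffu << (32 - p->bits);
    return (addr & mask) == (p->net & mask);
}

/* The slide's rule: no internal addresses accepted from the outside.
 * Returns 1 to admit the packet, 0 to drop it. 'from_outside' is 1 for a
 * packet that arrived on the Internet-facing interface. */
int ingress_accept(const char *src, int from_outside,
                   const struct prefix *internal, int n)
{
    uint32_t addr;
    int i;

    if (!parse_ipv4(src, &addr))
        return 0;                      /* unparsable source: drop */
    if (!from_outside)
        return 1;                      /* the rule applies to the outside only */
    for (i = 0; i < n; i++) {
        if (in_prefix(addr, &internal[i])) {
            fprintf(stderr, "dropped: internal source %s arrived from outside\n", src);
            return 0;
        }
    }
    return 1;
}

/* Constructed internal address space for the example:
 * 10.0.0.0/8 and 192.168.0.0/16. A coherent address space like this is
 * what makes the rule easy to state. */
static const struct prefix internal_prefixes[] = {
    { 0x0a000000u, 8 },
    { 0xc0a80000u, 16 },
};

int ingress_accept_site(const char *src, int from_outside)
{
    return ingress_accept(src, from_outside, internal_prefixes, 2);
}

int main(void)
{
    printf("10.1.2.3 from outside: %d\n", ingress_accept_site("10.1.2.3", 1));
    printf("203.0.113.5 from outside: %d\n", ingress_accept_site("203.0.113.5", 1));
    return 0;
}
```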
Slide 60: Attacks: TCP hijacking (section divider)

Slides 61-63: TCP hijacking [diagrams: Client, Server, Attacker]
- Slide 61: The attacker is watching an existing connection, perhaps through the strong authentication stage
- Slide 62: Kill the client connection (killer packet)...
- Slide 63: ...and continue the connection

Slide 64: TCP hijacking
- Takes over an existing, authenticated connection
- Needs access to the packet flow
- Common tools are available to the hackers now
- Cryptographic signatures of packets can defeat this

Slide 65: Attacks: Denial of Service (section divider)

Slide 66: Host with TCP Services
[diagram: Client, Server, Attacker]

Slide 67: Denial-of-service Attacks
- In your face: not subtle like traditional hacking attacks
- Random packets are very hard to trace
- Can go on for weeks
- Attackers can exploit poor local software or...
- Simply flood the site's network with incoming packets
- These attacks are always possible on a public service

Slide 68: Attacks: Denial of Service: SYN packet attacks (section divider)

Slide 69: Normal TCP open
- Client -> Server: SYN, SEQ0
- Server -> Client: SYN, ACK SEQ0+1, SEQ0'
- Client -> Server: ACK SEQ0'+1, SEQ0+1

Slide 70: Normal TCP open
[diagram: the connection is half-open for less than 300 ms, between the first and third packets]

Slide 71: SYN Attacks
- First seen at Panix.com in fall 1996
- Half-open processing was implemented poorly
  - Quadratic behavior
  - There wasn't much call for improving it
- We had been expecting it
  - The only thing we left out of our firewalls book
  - Removed at the last minute
  - We knew of no good solution
  - We are sorry we left it out
- A new one appeared in fall 1997
  - A SYN with the same source and destination address kills some TCP/IP implementations
- There will be more attacks on TCP/IP implementations
  - lots of code involved
  - hard to test code in a kernel

Slide 72: Attacks: Denial of Service: Ping flood (smurf) (section divider)

Slides 73-75: Ping flood (smurf) [diagrams: the target, a "packet cannon", and generator networks G]
- Slide 73: Identify ping generator networks
- Slide 74: Trigger packets with a spoofed return address, sent from the packet cannon to the generators
- Slide 75: The generators flood the target with packets

Slide 76: Traceback
- The target cannot tell where the trigger is coming from
- Attacking hosts may not know that they are being used
- Broadcast storms can generate more load

Slide 77: Attacks: DNS, routing, and infrastructure attacks (section divider)

Slides 78-80: Routing attacks: packet diversion and man-in-the-middle attacks
[diagrams: the attacker, acting as a router, is inserted into the path between client and server]

Slide 81: DNS attacks
- Include an extra "glue" record on a DNS query
  - a short cache time-out hides the evidence
  - the newest bind program checks for this
  - "DNS cache poisoning"
- Capture the DNS server and return incorrect results
- DNSSEC can fix this: going through final comments now

Slide 82: Infrastructure attacks
- Our tools are still weak
  - authenticated SBGP4 is coming, maybe
- Keep up with the latest name server
- Move to secure router implementations, when available
- Question: what will you do if the entire Internet is down for a week?

Slide 83: Attacks: Social Engineering (a.k.a. spying) (section divider)

Slide 84: Social Engineering (cont.)
[screenshot: "Click here to infect your computer."]

Slide 85: Another problem with strange programs
[screenshot]

Slide 86: Social Engineering
- "Hello, this is Dennis Ritchie calling. I'm in Israel now and I have forgotten my password."
- "Hello,, I've just started work here. said I should have an account on" (the names are missing from the slide text)

Slide 87: Attacks: Unsafe services (section divider)

Slides 88-89: Host with TCP Services
[diagram: Client, Server, Attacker]

Slide 90: Default services, SGI workstation (inetd.conf)
  ftp      stream  tcp  nowait  root      /v/gate/ftpd
  telnet   stream  tcp  nowait  root      /usr/etc/telnetd
  shell    stream  tcp  nowait  root      /usr/etc/rshd
  login    stream  tcp  nowait  root      /usr/etc/rlogind
  exec     stream  tcp  nowait  root      /usr/etc/rexecd
  finger   stream  tcp  nowait  guest     /usr/etc/fingerd
  bootp    dgram   udp  wait    root      /usr/etc/bootp
  tftp     dgram   udp  wait    guest     /usr/etc/tftpd
  ntalk    dgram   udp  wait    root      /usr/etc/talkd
  tcpmux   stream  tcp  nowait  root      internal
  echo     stream  tcp  nowait  root      internal
  discard  stream  tcp  nowait  root      internal
  chargen  stream  tcp  nowait  root      internal
  daytime  stream  tcp  nowait  root      internal
  time     stream  tcp  nowait  root      internal
  echo     dgram   udp  wait    root      internal
  discard  dgram   udp  wait    root      internal
  chargen  dgram   udp  wait    root      internal
  daytime  dgram   udp  wait    root      internal
  time     dgram   udp  wait    root      internal
  sgi-dgl  stream  tcp  nowait  root/rcv  dgld
  uucp     stream  tcp  nowait  root      /usr/lib/uucp/uucpd
Slide 91: More default services (inetd.conf, continued)
  mountd/1            stream  rpc/tcp  wait/lc  root  rpc.mountd
  mountd/1            dgram   rpc/udp  wait/lc  root  rpc.mountd
  sgi_mountd/1        stream  rpc/tcp  wait/lc  root  rpc.mountd
  sgi_mountd/1        dgram   rpc/udp  wait/lc  root  rpc.mountd
  rstatd/1-3          dgram   rpc/udp  wait     root  rpc.rstatd
  walld/1             dgram   rpc/udp  wait     root  rpc.rwalld
  rusersd/1           dgram   rpc/udp  wait     root  rpc.rusersd
  rquotad/1           dgram   rpc/udp  wait     root  rpc.rquotad
  sprayd/1            dgram   rpc/udp  wait     root  rpc.sprayd
  bootparam/1         dgram   rpc/udp  wait     root  rpc.bootparamd
  sgi_videod/1        stream  rpc/tcp  wait     root  ?videod
  sgi_fam/1           stream  rpc/tcp  wait     root  ?fam
  sgi_snoopd/1        stream  rpc/tcp  wait     root  ?rpc.snoopd
  sgi_pcsd/1          dgram   rpc/udp  wait     root  ?cvpcsd
  sgi_pod/1           stream  rpc/tcp  wait     root  ?podd
  tcpmux/sgi_scanner  stream  tcp      nowait   root  ?scan/net/scannerd
  tcpmux/sgi_printer  stream  tcp      nowait   root  ?print/printerd
  9fs                 stream  tcp      nowait   root  /v/bin/u9fs u9fs
  webproxy            stream  tcp      nowait   root  /usr/local/etc/webserv

Slide 92: Some Dangerous Services
- Telnet
- FTP
- NFS
- RPC
- "secure" RPC
- rlogin/rsh/rcp
- X11
- DNS
- (web servers)

Slide 93: Why are they insecure? telnet
- Eavesdropping attacks sniff passwords
  - >1,000,000 sniffed in 1994 from hacked ISPs
- TCP hijacking takes over authenticated connections: strong passwords aren't enough
- Insecure accounts are subject to probes and use
- Corruption of the client host compromises the session

Slide 94: Why are they insecure? FTP
- Same as telnet, plus a history of bugs in servers
- Setup errors for anonymous FTP
  - get permissions wrong
  - distribute the real password file to the masses
  - "why"

Slide 95: Why are they insecure? NFS
- The root file handle can be sniffed
- Relies on RPC software

Slide 96: Why are they insecure? RPC and secure RPC
- RPC
  - address-based
  - the local relay feature can obscure address information from the server
- Secure RPC
  - cryptographically weak

Slide 97: Why are they insecure? rlogin, rsh, rcp
- rlogin, rsh, rcp
  - can be hijacked
  - can be spoofed
- They use address-based authentication
  - .rhosts and /etc/hosts.equiv leak trusted host information
  - .rhosts: users should not be making security policy

Slide 98: Why are they insecure? X11
- Clear text leaks secrets
- Cookie authentication is in the clear
- Advanced authentication not widely available
- xhost configuration errors
- Historically, bugs in xdm

Slide 99: Why are they insecure? DNS (domain name system)
- Bind runs as root
  - it is big, and not well understood
  - runs on vital hosts
- Cache poisoning: cache wrong answers
  - attack address-based auth
  - spoof servers

Slides 100-104: DNS lookup (participants: client A, A's caching name server D, server B at 1.2.3.4, and an attacker whose host X is at 5.6.7.8)
- Slide 100: A asks D for B's IP address ("B?")
- Slide 101: D asks B (or someone who knows about B)
- Slide 102: B answers "B -> 1.2.3.4"; D caches the answer, and tells A
- Slide 103: A uses the answer
- Slide 104: D remembers the answer for a given period

Slides 105-112: DNS cache poisoning attack (same participants; attacker C answers for X)
- Slides 105-106: Attacker C arranges for D to ask him a question ("X?")
- Slide 107: The attacker gives an answer, "X -> 5.6.7.8", plus an extra record, "B -> 5.6.7.8"
- Slide 108: A gets his answer, and uses it
- Slide 109: The cache now has an extra answer: B -> 5.6.7.8
- Slide 110: Now A asks for B's address ("B?")
- Slide 111: D "knows" the answer already, and returns "B -> 5.6.7.8"
- Slide 112: A uses the (wrong) answer

Slide 113: DNS cache poisoning
- Gives the wrong answer on inverse lookups, foiling rsh, rlogin
- If you connect to the wrong site they can
  - spoof a login, and capture passwords
  - spoof a web page, and give wrong answers
  - set themselves up for man-in-the-middle attacks, relaying info to the real server

Slide 114: DNS cache poisoning
- Older versions of bind fall for this
- You can even send an answer without a query, to some implementations!
- DNS responses can be spoofed too
  - what if the query gets two answers: use the first?!
- DNSSEC fixes this
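An added example, not part of the deck, of the check that the deck says newer bind versions perform: the resolver keeps from a reply only the records that lie inside the zone the answering server is responsible for, so the extra B record from slides 107-109 never reaches the cache. The record layout, the function names and the zone and host names (x.example, b.example) are assumptions; names are written without a trailing dot.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* One resource record as it arrives in a reply (constructed, simplified:
 * the owner name and the address it maps to). */
struct rr {
    const char *name;
    const char *addr;
};

/* Returns 1 if 'name' equals 'zone' or lies below it (case-insensitive),
 * 0 otherwise. The match must fall on a label boundary, so "notx.example"
 * is NOT inside "x.example". */
int in_bailiwick(const char *name, const char *zone)
{
    size_t nl = strlen(name), zl = strlen(zone);
    const char *tail;
    size_t i;

    if (zl == 0 || nl < zl)
        return 0;
    tail = name + (nl - zl);
    for (i = 0; i < zl; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)zone[i]))
            return 0;
    return nl == zl || name[nl - zl - 1] == '.';
}

/* Bailiwick filter: copy into 'out' only those records of a reply that the
 * answering server is authoritative for, and drop the rest. Returns the
 * number of records kept. This is what keeps the extra record in the
 * cache-poisoning sequence out of the cache. */
int filter_reply(const struct rr *in, int n, const char *server_zone,
                 struct rr *out)
{
    int i, kept = 0;

    for (i = 0; i < n; i++) {
        if (in_bailiwick(in[i].name, server_zone)) {
            out[kept++] = in[i];
        } else {
            fprintf(stderr, "dropped out-of-bailiwick record %s -> %s\n",
                    in[i].name, in[i].addr);
        }
    }
    return kept;
}

/* Replay of the slides' scenario with constructed names: D asked the
 * attacker's server (authoritative for x.example) about X, and the reply
 * carries an extra record for B, which lives in another zone. */
static const struct rr poisoned_reply[] = {
    { "x.example", "5.6.7.8" },        /* the legitimate answer */
    { "b.example", "5.6.7.8" },        /* the extra, out-of-zone record */
};

int main(void)
{
    struct rr kept[2];
    int n = filter_reply(poisoned_reply, 2, "x.example", kept);
    int i;

    for (i = 0; i < n; i++)
        printf("cached: %s -> %s\n", kept[i].name, kept[i].addr);
    return 0;
}
```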
115
Internet Attacks – The Gory Details slide 115 of 172 Why are they insecure? Web servers Complex, and buggy – stack smashing attacks, etc CGI scripts :it is always dangerous to add programs Numerous configuration options – Apache security relies on good configuration Needs access to internal databases
116
Internet Attacks – The Gory Details slide 116 of 172 Unsafe services: SMB Protocol uses weak authentication samba is big: I prefer using chroot
117
Internet Attacks – The Gory Details slide 117 of 172 Unsafe services: Microsoft authentication over PPTP Weak authentication Probably weak encryption implementation – see Bruce Schneier’s paper in ACM CCS-5
118
Internet Attacks – The Gory Details slide 118 of 172 Other services POP3 and IMAP IRC - no! Realaudio – UDP is dangerous, TCP ok Mbone – hard to gate – some UDP implementations respond to multicast packets
119
slide 119 of 172 Exponential attacks
120
Internet Attacks – The Gory Details slide 120 of 172 Viruses PC viruses – there are tens of thousands of them, including variants – defense is best made at the host, with a virus checker update the database often Unix viruses – Tom duff made one – Shell viruses are easy – Unix viruses are rare!
121
Internet Attacks – The Gory Details slide 121 of 172 Viruses Firewalls can filter them – It seems like the right place – It requires a lot of work, and they can be hidden Macro viruses are the most alarming They have access to the entire PC, with a little work
122
Internet Attacks – The Gory Details slide 122 of 172 The Morris Worm November 2, 1988 Spread using – fingerd (stack smashing) – sendmail (DEBUG back door) – password guessing Poorly controlled exponential growth A team of experts fought it quickly
123
slide 123 of 172 Attacks Unsafe programs
124
Internet Attacks – The Gory Details slide 124 of 172 find / -perm -4000 -user root -print | wc -l Root: the gateway to privilege
125
Internet Attacks – The Gory Details slide 125 of 172 AIX 4.2 & 242 & a staggering number \\ BSD/OS 3.0 & 78\\ FreeBSD 4.3 & 42 & someone's guard machine\\ FreeBSD 4.3 & 47 & 2 appear to be third-party\\ FreeBSD 4.5 & 43 & see text for closer analysis \\ HPUX A.09.07 & 227 & about half may be special for this host \\ Linux (Mandrake 8.1) & 39 & 3 appear to be third-party \\ Linux (Red Hat 2.4.2-2) & 39 & 2 third-party programs \\ Linux (Red Hat 2.4.7-10) & 31 & 2 third-party programs\\ Linux (Red Hat 5.0) & 59\\ Linux (Red Hat 6.0) & 38 & 2--4 third-party \\ Linux 2.0.36 & 26 & approved distribution for one university \\ Linux 2.2.16-3 & 47 \\ Linux 7.2 & 42\\ NCR Intel 4.0v3.0 & 113 & 34 may be special to this host \\ NetBSD 1.6 & 35 \\ SGI Irix 5.3 & 83 \\ SGI Irix 5.3 & 102 \\ Sinux 5.42c1002 & 60 & 2 third-party programs\\ Sun Solaris 5.4 & 52 & 6 third-party programs\\ Sun Solaris 5.6 & 74 & 11 third-party programs\\ Sun Solaris 5.8 & 70 & 6 third-party programs\\ Sun Solaris 5.8 & 82 & 6 third-party programs\\ Tru64 4.0r878 & 72 & \\ Setuid-root
126
Internet Attacks – The Gory Details slide 126 of 172 Insecure clients This is not the same as TCP hijacking encryption on the link won’t fix this any persistent connection is vulnerable – rlogin, ftp, ssh Tsutomu left an rlogin session running when he went skiing YOU HAVE TO BE ABLE TO TRUST YOUR CLIENT – laptop PCs vs. terminal rooms
127
Internet Attacks – The Gory Details slide 127 of 172 Insecure clients: attacker takes over client host ClientServer Attacker
128
Internet Attacks – The Gory Details slide 128 of 172 Insecure clients: attacker takes over client host… ClientServer Attacker
129
Internet Attacks – The Gory Details slide 129 of 172 …installs the TAP kernel load module… ClientServer Attacker TAP
130
Internet Attacks – The Gory Details slide 130 of 172 …user makes authenticated connection to server… ClientServer Attacker TAP
131
Internet Attacks – The Gory Details slide 131 of 172 hacker takes over terminal connection with “TAP” ClientServer Attacker TAP
132
Internet Attacks – The Gory Details slide 132 of 172 We’ve been losing ground for decades Bad guys are figuring out attacks that we have been waiting for over the years – Very few surprises Defense has not improved much – Ssh – IPsec – Better Linux and Unix systems
133
slide 133 of 172 How Do We Fix All This?
134
slide 134 of 172 How Do We Fix All This? Hide behind a perimeter defense?
135
Firewalls Perimeter defenses
136
Internet Attacks – The Gory Details slide 136 of 172 Firewalls: Not a panacea Backdoors usually diminish the effectiveness Commercial firewalls are probably OK May give community a false sense of security The firewall is often the only secure part of a configuration – People go around them – People go through the bad ones – No protection from insiders
137
slide 137 of 172 Anything large enough to be called an “intranet” is probably out of control
138
Internet Attacks – The Gory Details slide 138 of 172
139
Internet Attacks – The Gory Details slide 139 of 172 This was Supposed To be a VPN
140
Internet Attacks – The Gory Details slide 140 of 172 Some intranet statistics from Lumeta clients
141
Internet Attacks – The Gory Details slide 141 of 172 You don’t know to whom you are connected Modems are cheap and easy to hook up. – Sun’s “fax” machines Home commuting networks may link to spouse’s company, or the Internet. – even routing worked! Remote managers can make extranet connections that aren’t authorized. – these connections can be very hard to find – but the security threat is still there
142
Internet Attacks – The Gory Details slide 142 of 172 You don’t know how many hosts you have Most control is at the network level, not the host level. Name server entries are optional. Nobody keeps the reverse name service information up-to-date. Mapping takes work, and doesn’t catch hosts that are down Some network links are ephemeral.
143
Internet Attacks – The Gory Details slide 143 of 172 Lucent’s intranet c. 1997 Allentown Murray Hill Columbus Holmdel SLIP PPP ISDN X.25 cable... Lucent - 130,000, 266K IP addresses, 3000 nets ann. Murray Hill The Internet ~200 business partners thousands of telecommuters
144
slide 144 of 172 None of this protects us from an insider threat, so…
145
slide 145 of 172 How Do We Fix All This? Life without a firewall “skinny dipping”
146
Internet Attacks – The Gory Details slide 146 of 172 Secure computing needs… Safe clients Secure communication Safe servers Strong, 2-factor authentication – Something you have and something you know – Emergency 1-factor authentication, something you know, used extremely rarely
147
Internet Attacks – The Gory Details slide 147 of 172 Safe clients and servers need: A trustable Trusted Computing Base Simple, well-specified and debugged kernel – Check out the semantics of setuid in Unix flavors (Setuid Demystified. Chen, Wagner, and Dean; Usenix Security 2002) – MAC controls: more permissions, use of file system permissions, and programs that know how to use them “root” is bad; see Multics!) – Better, more routing sandboxing Make chroot much better, and easier
148
Internet Attacks – The Gory Details slide 148 of 172 Free, new servers by Don Knuth? He’s busy with Volume 4 Literate programming of key servers might be the way to go Other languages might be better: C and C++ still have buffer overflow problems – Modula 3? – Java?
149
Internet Attacks – The Gory Details slide 149 of 172 We need better suspenders We should never trust the application writers to get it right, though they should try hard Jails/chroot/sandboxes need to be easy and common-place – More restrictive jails should be possible – Unprivileged user should be able to set these up, even if he is already in a jail The /etc/passwd problem – Static builds should be easier – Careful documentation of what a program needs to access.
150
slide 150 of 172 Improve chroot
Already some new work in this area: FreeBSD jail
Goal: routine jailing of everything that processes external input
– Netscape client routinely jailed
– mail readers
– SpamAssassin
– Openssl (!)
See Plan 9 for some good ideas
– Network access through the file system?!
slide 151 of 172 Related chroot wishes
Easier builds of static binaries: dynamic libraries make the TCB tougher to build
Chroot options to all the useful network services: they should jail themselves!
– Apache (Ben Laurie is considering this)
– Samba
– Ntp
– DNS (done)
slide 152 of 172 Microsoft desperately needs to do this
I am convinced that they actually are trying to get better
They have a long way to go
I wonder if they can wedge good sandboxing into their OS
slide 153 of 172 Simpler Software
One of the underlying problems with Microsoft applications is creeping featurism
– For most uses, is Word much better than WordStar or any of the other early word processors?
– Is this version of PowerPoint that much better than the first ones (bugs aside)?
slide 154 of 172 Simpler Software in Unix
Skim through the Unix V7 man pages (http://plan9.bell-labs.com)
How many options does cat(1) need?
How many setuid-to-root programs does your system have?
slide 155 of 172 New file system switch
Revisit the DOOFUS wars of the mid 80s
Check Plan 9 for possible uses
Kernel file system switch that has userland file system computation
– Must be robust…hung inodes, etc.
– Does not involve the network, as NFS does
Reimplement SFS, Samba client, etc.
slide 156 of 172 Communications
slide 157 of 172 Communication encryption options
Ssh
IPsec
SSL
slide 158 of 172 Communications solutions: ssh
Source code is available
Widely examined
But: 2 protocol flaws found so far; stack smashing scare
Tunneling is valuable
IPsec has better crypto, maybe
slide 159 of 172 IPsec
Protocol well-vetted by expert community
We have the CPUs, I want everyone to use it, for all communications
Needs simpler setup
– Microsoft requires certificates, no?
– Secret key pairs are fine for small setups
Key exchange daemons worry me
– They gotta run as root, no?
– They can use complicated crypto libraries, and are exposed network services
slide 160 of 172 SSL
Well-documented and ver. 3 is probably ok
Implemented by openssl…
…which uses X.509…
…which uses ASN.1…
…which is complicated, a monoculture, and has had several bugs exposed
Can you jail the SSL parts of your web server? (I have: sslwrap + chroot)
slide 161 of 172 Authentication
slide 162 of 172 Security doesn’t need to be inconvenient
Modern hotel room keys
Modern car keys
slide 163 of 172 Some solutions: Hardware tokens
Digital Pathways SNK-004
SecureID – time-based
S/Key – software or printout solution
Many others – usually proprietary server software
– New USB dongles are just the ticket!
slide 164 of 172 One-time Passwords
RISC/os (inet)
Authentication Server.
Id? ches
Enter response code for 70202: 04432234
Destination? cetus
$
slide 165 of 172 How does it work?
Server and client share a secret key
[diagram: Client and Server, each holding the secret key]
slide 166 of 172 How does it work?
Server generates a unique challenge
[diagram: Client and Server with the secret key; challenge 70202]
slide 167 of 172 How does it work?
The client encrypts the challenge with key…
[diagram: Client and Server with the secret key; challenge 70202]
slide 168 of 172 How does it work?
…and returns the result
[diagram: Client and Server with the secret key; challenge 70202, response 04432234]
slide 169 of 172 How does it work?
The server checks the result
[diagram: Client and Server with the secret key; challenge 70202, response 04432234]
slide 170 of 172 One-time passwords
The client proves he has the key, without revealing it
With hardware, he may not even know the key
The keys are computer-generated – no weak passwords
If the challenges don’t repeat, an eavesdropper can’t predict the answer, unless the encryption (DES) is broken
slide 171 of 172 One-time passwords
The key can be generated from a password, but the challenge/response pair is subject to a dictionary attack
This extra work for the user is worth the effort:
– very strong authentication
– spies use this
– needs about a page of C code
– can be implemented in a remote authentication server
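The challenge/response exchange of slides 165 through 171, as an added example that is not from the deck: the server issues a challenge it never reuses, the client answers with a keyed function of it, and the server checks the answer and consumes the challenge so a captured response cannot be replayed. The deck's tokens encrypt the challenge with DES; this example assumes HMAC-SHA256 from Python's standard library as the keyed function, reduced to an 8-digit code like the sample session's 04432234.

```python
import hashlib
import hmac
import secrets

# Added example, not the deck's code.  The deck's tokens encrypt the
# challenge with DES; here the keyed function is assumed to be
# HMAC-SHA256, reduced to an 8-digit code like "04432234".
RESPONSE_DIGITS = 8
CHALLENGE_DIGITS = 5


def compute_response(secret_key: bytes, challenge: str) -> str:
    """Client side (or hardware token): keyed function of the challenge."""
    mac = hmac.new(secret_key, challenge.encode(), hashlib.sha256).digest()
    code = int.from_bytes(mac[:8], "big") % 10 ** RESPONSE_DIGITS
    return str(code).zfill(RESPONSE_DIGITS)


class AuthServer:
    """Server side: holds shared keys, issues non-repeating challenges."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}          # user -> shared secret key
        self.pending: dict[str, str] = {}         # user -> outstanding challenge
        self.used: set[tuple[str, str]] = set()   # challenges already consumed

    def enroll(self, user: str) -> bytes:
        # Keys are computer-generated: no weak passwords, no dictionary attack.
        key = secrets.token_bytes(16)
        self.keys[user] = key
        return key

    def challenge(self, user: str) -> str:
        # Draw a fresh challenge; never hand out one this user has answered,
        # so an eavesdropper's captured pair does not predict the next answer.
        while True:
            c = str(secrets.randbelow(10 ** CHALLENGE_DIGITS)).zfill(CHALLENGE_DIGITS)
            if (user, c) not in self.used:
                self.pending[user] = c
                return c

    def verify(self, user: str, response: str) -> bool:
        c = self.pending.pop(user, None)   # a challenge is answered once
        if c is None or user not in self.keys:
            return False
        self.used.add((user, c))
        expected = compute_response(self.keys[user], c)
        return hmac.compare_digest(expected, response)
```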
slide 172 of 172 Human-computed one-time password: a research project
challenge: 00193 Wed Sep 11 11:22:09 2002
response: ab0dh1kd0jkfj1kye./
slide 173 of 172 Not Gory Enough For You?
Bugtraq mailing list
Firewalls and Internet Security
Chapman and Zwicky
Keyword search in search engines for hacking tools
– “rootkit”
slide 175 of 172 Questions
http://research.lumeta.com/ches/
ches@lumeta.com
Yes, I’d love to sign your book