Network Attacks (Lecture #16)
Advanced Topics in Network Security
Instructor: Sheau-Dong Lang
School of Electrical Engineering & Computer Science, University of Central Florida

Slide 2: Introduction
- Reference for this lecture: Hack Proofing Your Network, 2nd Edition, Syngress
- How serious a particular attack is depends on:
  - How the attack is carried out
  - What damage is done to the compromised system
- Example:
  - Home users: an attacker being able to run code on the user's machine
  - E-commerce company: Denial of Service (DoS) attack, information leakage

Slide 3: Different Types of Attacks
- Denial of Service (DoS)
- Information Leakage
- Regular File Access
- Misinformation
- Database Access
- Remote Arbitrary Code Execution
- Elevation of Privileges

Slide 4: (1) Denial of Service (DoS)
- Definition: availability of a resource is intentionally blocked or degraded by an attacker
- Two categories:
  - Local Vector Denial of Service: attack from the local system
  - Network Vector Denial of Service: attack remotely from across a network

Slide 5: Local Vector Denial of Service
- Attack from the local system
- Common but preventable: these attacks can be easily traced and the attacker identified with the right security infrastructure
- Three types:
  - Process degradation
  - Disk space exhaustion
  - I-node exhaustion (Unix specific)

Slide 6: Local Vector DoS - Process Degradation
- Reduces performance by overloading the target system
- [Methods]
  - Spawning multiple processes to eat up all available resources
  - Spawning enough processes to fill the capacity of the system process table
  - Spawning enough processes to overload the CPU

Slide 7: Local Vector DoS - Process Degradation (Cont.)
- [EX] Vulnerabilities in the Linux kernel before version 2.4.12
  - By creating a deep symbolic link, a user can prevent the scheduling of other processes when an attempt to reference the symbolic link is made
  - Upon creating the symbolic link, attempting to perform "cat" on one of the deeply linked files blocks the process scheduler, preventing any other process on the system from receiving CPU time
  - Solution: fix and upgrade the OS kernel
- [EX] Fork bomb
  - Degrades system performance with flooded processes
  - Not specific to Linux; it affects a number of OSs on various platforms
  - One line of code for a fork bomb: void main() { for (;;) fork(); }
  - Solution: limit the number of processes per user

Slide 8: Local Vector DoS - Disk Space Exhaustion
- Fills disk space to capacity
- UNIX systems crash when the root partition reaches storage capacity
- [EX] Filling a disk with garbage values
  - One line of code: cat /dev/zero > ~/maliciousfile
  - /dev/zero simply generates zeros, and this operation continues until the user stops the process or the partition is full
  - Not an OS design flaw
  - Need to administer the storage safely: separate directories such as /home, /usr/local, /var, etc.
- [EX] Mail bomb
  - Not commonly used: most mail bombers were jailed, left without Internet access, or both
  - Mail is easily traced via SMTP headers

Slide 9: (Appendix) Special Devices in Linux
- /dev/null
  - Linux discards whatever you write to this device; you can use it to discard the output of a program
  - Reading from this device results in EOF; copying this file to another results in a zero-size file
- /dev/zero
  - An infinitely long file filled with 0; if you need zeroes, read this file for the desired size (also used with mmap)
- /dev/full
  - Mimics a file with no more room; useful to stress test a program, to test for the case when the disk is full

Slide 10: (Appendix) Special Devices (Cont.)
- /dev/random
  - Generates random numbers based on your actions on the mouse and keyboard
  - Generates only a limited number of random numbers, but perfectly random
- /dev/urandom
  - Generates an infinite number of random numbers, but not perfect
- Numbers from the rand() function are reproducible

Slide 11: Local Vector DoS - I-node (Index Node) Exhaustion
- Specific to the UNIX file system
- Similar to the disk capacity attack
- Focused on the design of file systems: when a file system is formatted, a finite number of inodes are created for the partition
- [EX] Without actually filling the disk, using up all the available inodes creates a similar situation: the system is unable to create new files
- [Figure: UNIX System V i-node structure]

Slide 12: (Appendix) File Systems
- File system
  - Resides permanently on secondary storage (hard disk)
  - Provides the mechanism for on-line storage of and access to both data and programs of the operating system and all the users of the computer system
- Three components of a file system
  - Files: collection of information (data, program, etc.)
  - Directory structures: organize and provide information about all files in the system
  - Partitions: separate physically or logically collections of directories

Slide 13: (Appendix) Linked Allocation
- Each file is a linked list of disk blocks; blocks may be scattered anywhere on the disk
- Each block holds data plus a pointer to the next block

Slide 14: (Appendix) Linked Allocation (Cont.)
- Advantages
  - Simple: need only the starting address in the directory
  - Free-space management system: no need for compaction
  - No external fragmentation
- Disadvantages
  - No random access: how can we access the i-th block in the file? We need to traverse the list
  - Space overhead for the pointers: block size = 512 bytes, pointer 4 bytes, giving 0.78% overhead
  - Reliability: what if a pointer is lost?

Slide 15: (Appendix) Linked Allocation [figure]

Slide 16: (Appendix) FAT (File Allocation Table)
- Variation of the linked allocation scheme; used by MS-DOS and OS/2
- At the beginning of a partition there is the FAT, a dedicated table that contains all the pointer information, instead of making each block maintain the pointer
- (Advantage)
  - Simple and efficient, e.g. allocating a new block means finding the first 0-valued table entry
  - Improved random access time: look up the pointer entry without moving the disk head, and we can find the location of the block
- (Disadvantage)
  - Excessive disk head movements to access the FAT

Slide 17: (Appendix) File-Allocation Table [figure]

Slide 18: (Appendix) Indexed Allocation
- Brings all pointers together into the index block
- Logical view: index table [figure]

Slide 19: (Appendix) Example of Indexed Allocation
- The index table can be located in main memory [figure]

Slide 20: (Appendix) Indexed Allocation (Cont.)
- Tries to solve the problem of excessive random access time in linked allocation
- Each file has its own index table; each entry has a disk block address
- Advantage: faster random access; no external fragmentation
- Disadvantage: overhead of the index block, e.g. what if a file has only 2 blocks and we still need a fixed-size index table, usually the size of one block?

Slide 21: (Appendix) Indexed Allocation - Mapping (Cont.)
- Mapping from logical to physical in a file of unbounded length (block size of 512 words)
- Linked scheme: link blocks of the index table (no limit on size)

Slide 22: (Appendix) Multi-level index scheme
- outer-index -> index table -> file [figure]

Slide 23: (Appendix) i-node (UNIX file system), combined scheme
- Direct blocks: addresses of data blocks
- Single indirect: one-level index
- Double indirect: two-level index
- Triple indirect: three-level index
- (Question) What would be the maximum file size? Block size = 64 bytes, block pointer 4 bytes
- (Answer) direct blocks = 13*64 bytes; single indirect = 16*64 bytes; double indirect = 16*16*64 bytes; triple indirect = 16*16*16*64 bytes; then add all those numbers
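As an added worked example (not part of the lecture slides), the maximum-file-size computation for the combined i-node scheme, generalized to any block size, pointer size and number of direct blocks, together with the logical-to-physical mapping of slides 21 and 23: given a logical block number it reports which i-node field and which index entries lead to it. The 13 direct blocks follow the slide; the function and parameter names are my own.

```python
"""Combined (UNIX i-node) allocation: capacity and logical-to-physical mapping.

Added example; assumes the slide's layout of 13 direct pointers plus one
single-, one double- and one triple-indirect pointer in the i-node.
"""

LEVELS = ("single indirect", "double indirect", "triple indirect")


def pointers_per_block(block_size, pointer_size):
    """Number of block addresses an index block can hold (16 for 64-byte blocks, 4-byte pointers)."""
    if pointer_size <= 0 or block_size % pointer_size:
        raise ValueError("block size must be a positive multiple of the pointer size")
    return block_size // pointer_size


def max_file_size(block_size, pointer_size, n_direct=13):
    """Return (total_bytes, breakdown) where breakdown maps each i-node field to its reach in bytes.

    direct          = n_direct * block_size
    single indirect = ppb   * block_size
    double indirect = ppb^2 * block_size
    triple indirect = ppb^3 * block_size
    """
    ppb = pointers_per_block(block_size, pointer_size)
    breakdown = {"direct": n_direct * block_size}
    for level, name in enumerate(LEVELS, start=1):
        breakdown[name] = ppb ** level * block_size
    return sum(breakdown.values()), breakdown


def locate_block(logical_block, block_size, pointer_size, n_direct=13):
    """Map a logical block number to (field, index path) through the i-node.

    The path lists the entry chosen in the i-node field first, then the entry
    chosen in each successive index block; each indirect level multiplies the
    number of addressable blocks by ppb.
    """
    if logical_block < 0:
        raise ValueError("negative block number")
    if logical_block < n_direct:
        return "direct", [logical_block]
    ppb = pointers_per_block(block_size, pointer_size)
    rest = logical_block - n_direct
    for level, name in enumerate(LEVELS, start=1):
        span = ppb ** level  # blocks reachable through this indirect pointer
        if rest < span:
            path = []
            for _ in range(level):
                span //= ppb  # blocks covered by one entry at this depth
                path.append(rest // span)
                rest %= span
            return name, path
        rest -= span
    raise ValueError("block number exceeds the maximum file size")


if __name__ == "__main__":
    total, parts = max_file_size(64, 4)
    for name, nbytes in parts.items():
        print(f"{name:16s} {nbytes:>8d} bytes")
    print(f"{'maximum file':16s} {total:>8d} bytes")
    for lb in (0, 13, 30, 4380):
        print(lb, "->", locate_block(lb, 64, 4))
```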
Slide 24: (Appendix) Combined Scheme: UNIX [figure]

Slide 25: Network Vector Denial of Service
- Two categories:
  - An attack that affects a specific service
  - An attack that targets an entire system
- Three types:
  - Client-Side Network DoS
  - Service-Side Network DoS
  - Directed Network-Based DoS

Slide 26: Network Vector DoS - Client-Side Network DoS
- Typically targeted at a specific product
- Renders the user of the client incapable of performing any activity with the client
- [EX] JavaScript bomb
  - By default, the web browser enables JavaScript
  - JavaScript can be used in a number of malicious ways, including launching a never-ending loop of window creation, which eventually leads to resource starvation against the client

Slide 27: Network Vector DoS - Service-Side Network DoS
- Targeted at a specific service
- Renders the service unavailable to legitimate users
- Attacks are usually launched at services such as HTTPD, the Mail Transport Agent (MTA), etc.

Slide 28: Network Vector DoS - Directed Network-Based DoS (System Packeting or Packeting Attack)
- Used to degrade performance or make the target system completely unavailable
- Types of attacks: Ping of Death, TCP SYN Flooding, Smurfing

Slide 29: Ping of Death: IP Fragmentation and Reassembly
- Network links have an MTU (max transfer size): the largest possible link-level frame
- Different link types, different MTUs
- A large IP datagram is divided within the network: one datagram is fragmented into several datagrams
- Reassembled only at the final destination
- IP header bits are used to identify and order related fragments

Slide 30: Ping of Death
- Caused by an attacker deliberately sending an IP packet larger than the 65,536 bytes allowed by the IP protocol
- Exploits the TCP/IP fragmentation feature, which allows a single IP packet to be broken down into smaller segments
- In 1996, attackers began to take advantage of that feature when they found that a packet broken down into fragments could add up to more than the allowed 65,536 bytes
- Many operating systems didn't know what to do when they received an oversized packet, so they froze, crashed, or rebooted
- Refer to http://www.pp.asu.edu/support/ping-o-death.html

Slide 31: Ping of Death (Cont.)
- Ping of death attacks were particularly nasty because the identity of the attacker sending the oversized packet could be easily spoofed, and because the attacker didn't need to know anything about the machine they were attacking except for its IP address
- [Solution] By the end of 1997, OS vendors had made patches available to avoid the ping of death. Still, many Web sites continue to block ICMP (ping) messages at their firewalls to prevent any future variations of this kind
- Sample symptoms on various platforms:
  - Windows 95, NT 4.0, Solaris (x86) 2.4: Crash
  - HP 3000 MPE/ix: System abort
  - Linux 1.2.13: Reboot
  - Solaris 2.3 - 2.5.1: Reboot, hang, or no effect
- Safe operating systems: MacOS 7.x.x, FreeBSD 2.0 - 2.1.5, IRIX 6.2

Slide 32: (Appendix) What is ICMP or ping?
- What is a ping or ICMP message/packet?
- Internet Control Message Protocol (ICMP)
  - The operation of the Internet is monitored by the routers
  - When something unexpected occurs, the event is reported by ICMP
  - ICMP message types, encapsulated in an IP packet:
    - Destination unreachable
    - Time exceeded
    - Parameter problem
    - Source quench
    - Redirect
    - Echo: ask a machine if it's alive
    - Echo reply: yes, I am alive
    - Timestamp request: same as Echo request, with timestamp
    - Timestamp reply: same as Echo reply, with timestamp

Slide 33: TCP SYN Flooding
- Mainly degrades the target system
- Sends TCP connection requests faster than the system can process them
- Usually the attacker's machine has to be faster than the target machine

Slide 34: TCP SYN Flooding (Cont.)
- Refer to http://www.cert.org/advisories/CA-1996-21.html
- TCP connection establishment using the 3-way handshake
  - Client: sends a request for connection, SYN
  - Server: acknowledges it by sending SYN-ACK
  - Client: finishes establishing the connection by sending ACK
- The potential for abuse: at the point where the server system has sent an acknowledgment (SYN-ACK) back to the client but has not yet received the ACK message (half-open connection), the data structure that stores all pending connections on the server side is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections
- Attack method
  - The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. This means that the final ACK message will never be sent to the victim server system
  - Creating half-open connections is easily accomplished with IP spoofing

Slide 35: TCP SYN Flooding (Cont.)
- Impact
  - Systems providing TCP-based services to the Internet community may be unable to provide those services while under attack and for some time after the attack ceases
  - The service itself is not harmed by the attack; usually only the ability to provide the service is impaired
  - In some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative
- Solution
  - There is, as yet, no generally accepted solution to this problem with the current IP protocol technology
  - However, proper router configuration can reduce the likelihood that your site will be the source of one of these attacks
  - Some firewalls can detect and prevent TCP SYN flooding attacks
- Detection
  - Check the state of the server system's network traffic: too many connections in the state "SYN_RECEIVED" could indicate the system is being attacked
  - Windows 2000: netstat -n -p tcp
  - SunOS: netstat -a -f inet
  - FreeBSD: netstat -s | grep "listenqueue overflows"

Slide 36: Network Vector DoS - Smurfing
- "smurf" attacks or "packeting"; typically purveyed by "script kiddies"
- The attacker, spoofing the source IP address of the target host, generates a large amount of ICMP echo traffic directed toward an IP broadcast address
- The router, the "amplifier", converts the IP broadcast to a Layer 2 broadcast and sends it on its way
- Each host that receives the broadcast responds back to the spoofed source IP with an echo reply
- Both the router and the target host can be inundated with traffic, causing a decrease of network performance
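As an added example (not part of the lecture), the Detection check from the TCP SYN Flooding slide above applied to a constructed netstat -an style listing: it counts half-open connections (SYN_RECV on Linux, SYN_RCVD on SunOS, SYN_RECEIVED on Windows) per local port and per remote host and flags a port whose count reaches a threshold. The listing, the addresses and the threshold of 4 are assumptions chosen for illustration.

```python
"""Count half-open TCP connections in netstat output (SYN flood detection check).

Added example: the sample listing below is constructed, not a real capture.
"""
import re
from collections import Counter

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:51000       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:51001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:51002       SYN_RECV
tcp        0      0 192.0.2.10:22           192.0.2.55:33001        ESTABLISHED
tcp        0      0 192.0.2.10:80           192.0.2.77:44411        ESTABLISHED
"""

# Spelling of the half-open state differs between platforms.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RCVD", "SYN_RECEIVED"}

# proto recv-q send-q local foreign state   (tcp, tcp4, tcp6 ...)
LINE_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Yield (local, foreign, state) for every TCP connection line; headers are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def half_open_summary(text):
    """Return (total half-open, Counter by local port, Counter by remote host)."""
    total = 0
    by_port = Counter()
    by_remote = Counter()
    for local, foreign, state in parse_netstat(text):
        if state not in HALF_OPEN_STATES:
            continue
        total += 1
        by_port[local.rsplit(":", 1)[1]] += 1
        # Remote addresses are usually spoofed in a SYN flood, so the per-port
        # count is the useful signal; the per-remote breakdown is kept for context.
        by_remote[foreign.rsplit(":", 1)[0]] += 1
    return total, by_port, by_remote


def syn_flood_suspected(text, threshold=4):
    """True when some local port has at least `threshold` half-open connections (threshold assumed)."""
    _, by_port, _ = half_open_summary(text)
    return any(n >= threshold for n in by_port.values())


if __name__ == "__main__":
    total, by_port, by_remote = half_open_summary(SAMPLE_NETSTAT)
    print("half-open connections:", total)
    print("by local port:", dict(by_port))
    print("by remote host:", dict(by_remote))
    print("SYN flood suspected:", syn_flood_suspected(SAMPLE_NETSTAT))
```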
(continued from the previous slide)
- Smurfing

37 (1) Denial of Service (DOS): Network Vector Denial of Service

38 (1) Denial of Service (DOS): Network Vector Denial of Service
- Distributed Denial of Service (DDoS)
  - Similar to the "smurf" attack
  - Install special daemon programs ("agents") on hundreds of compromised hosts
  - Multiple master hosts control the compromised hosts (agents) to attack
  - When the attack is initiated, the agent hosts start sending a heavy stream of traffic to the target, inundating it with a flood of traffic
  - Refer to http://staff.washington.edu/dittrich/misc/ddos

39 (2) Information Leakage
- Whenever something comes out, it is almost always undesirable and results in some sort of damage
- An abused resource that precedes attacks
- Types of information leakage
  - Service information leakage
  - Protocol information leakage

40 (2) Information Leakage: Service information leakage
- Banners
  - The text presented to a user when they attempt to log into a system via any one of the many configuration services: telnet, Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), File Transfer Protocol (FTP), Secure Shell (SSH)
  - They happily yield version information to outside users in their default configuration
- Error Messages
  - Below shows the error message from the CS dept web server; this error message shows information about the web server
  [figure: web server error message; not reproduced]

41 (2) Information Leakage: Protocol information leakage
- Use the constraints of a protocol's design against a system to yield information about that system
- Below shows the information we can get using an ftp connection to the CS department ftp server: the FTP server information is shown
  [figure: FTP session transcript; not reproduced]

42 (2) Information Leakage: Protocol Analysis
- Analysis of responses to IP gathers information about a target system, such as the publicly reachable ports and the operating system of the target
- (ex) Nmap (Network Mapper, www.insecure.org/nmap): publicly available ports info

43 (2) Information Leakage: Leaky by Design
- Some programs happily and willingly yield sensitive information about network design
- [EX] Simple Network Management Protocol (SNMP) uses clear text communication to interact with other systems
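As an added example that is not part of the lecture, the following Python shows what a passive observer learns from the service banners the slides above describe, and what still leaks once the version string is stripped; the banner strings are constructed samples, and the matching patterns and product list are assumptions about typical banner formats.

```python
import re

# Constructed sample banners as a client sees them on connect (not captures from
# any real server). The last two are hardened banners with the version removed.
SAMPLE_BANNERS = {
    "ssh":           "SSH-2.0-OpenSSH_7.4",
    "smtp":          "220 mail.example.org ESMTP Postfix (Ubuntu)",
    "ftp":           "220 (vsFTPd 3.0.3)",
    "http":          "Server: Apache/2.4.41 (Ubuntu)",
    "ssh_hardened":  "SSH-2.0-OpenSSH",
    "http_hardened": "Server: Apache",
}

# Assumed patterns: "<product>[_/ ]<major.minor[.patch]>" and an OS name in parentheses.
PRODUCT_VERSION = re.compile(r"([A-Za-z][A-Za-z0-9-]*)[_/ ]v?(\d+(?:\.\d+)+)")
OS_HINT = re.compile(r"\((Ubuntu|Debian|CentOS|Red Hat|FreeBSD|Windows)\)")
KNOWN_PRODUCTS = ("OpenSSH", "Postfix", "Sendmail", "Exim", "vsFTPd", "ProFTPD", "Apache", "nginx")

def assess_banner(banner):
    """Return the facts an eavesdropper or scanner learns from one banner."""
    found = {}
    m = PRODUCT_VERSION.search(banner)
    if m:
        found["product"], found["version"] = m.group(1), m.group(2)
    else:
        for name in KNOWN_PRODUCTS:   # product named but no version string
            if name in banner:
                found["product"] = name
                break
    o = OS_HINT.search(banner)
    if o:
        found["os"] = o.group(1)
    return found

def leak_level(found):
    """An exact version lets an attacker pick a matching exploit: 'high'.
    Product or OS alone still narrows the search: 'medium'. Otherwise 'low'."""
    if "version" in found:
        return "high"
    if "product" in found or "os" in found:
        return "medium"
    return "low"

def audit(banners=SAMPLE_BANNERS):
    """Map each service name to (findings, leak level)."""
    return {svc: (assess_banner(b), leak_level(assess_banner(b))) for svc, b in banners.items()}
```

Run audit() to see that stripping the version drops the SSH and HTTP banners from "high" to "medium"; the product name itself still leaks, which is why the slide calls the default configuration leaky rather than any single field.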

44 (2) Information Leakage and Rootkits
- Rootkits particularly exploit the system calls in the OS
- Once the version of the OS is known, the system calls used in that version are also known, which can be exploited by malicious code targeted for that specific version of the OS
- LINUX system calls
  - Linux Kernel 2.4.27 has 230 system calls
  - Linux Kernel 2.6.9 has 290 system calls
  - Check /usr/include/asm/unistd.h to see the full list of system calls

45 (3) Regular File Access
- Regular file access can give an attacker several different means from which to launch an attack
- Permissions: UNIX OS allows the setting of attributes on files
- [Question] What would be the proper permission setting for your home directory and your public_html directory?

46 (4) Misinformation
- When an attacker has compromised a system, much effort is made to hide her presence and leave as much misinformation as possible
  - Try to stay unnoticed and untraceable
  - Or, try to implicate somebody else in the attack
- Log Editing
  - [ex] generate noise in the log to fool an administrator into watching a different system, or into believing that the activity is that of a user other than the attacker
  - [ex] create a high volume of various log events to fill up the ...
- Rootkits
  - A ready-made program designed to hide an attacker's presence inside a system
  - The attacker's first choice for keeping access to a system on a long-term basis
  - Replaces key programs on the system such as ls, ps, netstat, du, df and top so that the attacker's activity can be hidden

47 (4) Misinformation: How do I know if the system is compromised with Rootkits?
- A change in your bandwidth usage patterns. If you routinely monitor your bandwidth usage, you might notice an increase in the amount of traffic your server is pushing compared with normal traffic patterns. This is usually caused by intruders using your server to distribute copyrighted software, commonly known as 'warez'.
- Utility programs such as 'ps' or 'netstat', which you used to use without a problem every day, might start returning an error message. The reason for this is that intruders replace these utilities within the compromised computer with versions designed to hide their malicious activities. The utility might be a different version, or could have been compiled with different options, and as a result does not have the same options you are used to.
- Run a port scanner such as Nmap from a clean external machine to check if there are any suspicious ports opened in the computer believed to be compromised
  -> Must not run the port scanner within the compromised computer, as local system utilities may have already been compromised

48 (4) Misinformation: Kernel Modules
- Pieces of code that may be loaded and unloaded by a running kernel when needed
- Provides additional functionality to a kernel (eg support for non-native file systems; device drivers such as a network interface card driver)
- A kernel module can be compromised to create misinformation just like rootkits: it acts as a filter to prevent any data that may be incriminating from reaching administrators
- Kernel module: works on a much lower level, intercepting information queries at the system call level and filtering out data that may alert the administrator
- An attacker can compromise and backdoor a system without the danger of modifying system utilities
- This approach is getting to be the standard in concealing intrusion
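As an added example (not from the lecture or its reference text), the following Python implements two of the rootkit checks above offline: it diffs the listening ports the suspect host reports against what an external scan of the same host found, and verifies stand-in system utilities against a hash baseline recorded while the host was clean. The netstat output, the external scan result and the utilities in the temporary directory are constructed samples.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed `netstat -tln` output as reported by the suspect host itself.
LOCAL_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
"""
# Constructed result of scanning the same host from a clean external machine.
EXTERNAL_OPEN_PORTS = {22, 6667, 31337}

def parse_listening_ports(netstat_output):
    """Extract TCP ports in LISTEN state from netstat -tln style output."""
    ports = set()
    for line in netstat_output.splitlines():
        m = re.match(r"tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def hidden_ports(local_ports, external_ports):
    """Ports the outside sees but the host's own netstat does not: a sign that
    netstat (user-level rootkit) or the kernel (module rootkit) is lying."""
    return sorted(external_ports - local_ports)

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_baseline(baseline, root):
    """Compare files under root against a {relative_path: sha256} map recorded
    while the system was known clean. Returns the paths whose hash changed."""
    return sorted(rel for rel, digest in baseline.items()
                  if sha256_file(Path(root) / rel) != digest)

def demo_integrity_check():
    """Constructed demo: baseline three stand-in utilities, replace 'ps' the way
    a rootkit would, and return what the baseline check catches."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root) / "bin"
        bin_dir.mkdir()
        names = ("ls", "ps", "netstat")
        for n in names:
            (bin_dir / n).write_bytes(b"#!/bin/sh\necho " + n.encode() + b"\n")
        baseline = {f"bin/{n}": sha256_file(bin_dir / n) for n in names}
        (bin_dir / "ps").write_bytes(b"#!/bin/sh\n# replaced binary\n")
        return check_baseline(baseline, root)
```

On a real host the baseline must be recorded and kept off the machine before any compromise, and the port scan run from a clean external machine, for the reason the slide gives: the local utilities and kernel are exactly what a rootkit replaces.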
49 (5) Database Access
- MySQL
  - By default, it does not have a password for the root
    -> anyone can connect with full privileges by the following command: mysql -u root

50 (6) Remote Arbitrary Code Execution
- Aimed at giving a remote user administrative access on a vulnerable system
- It often does not require authentication and can be exploited by anybody
- Why serious? If an attacker can execute arbitrary code through a service on the target system, the attacker can use the system ...
- Traditional steps of attacks
  - Identify the vulnerable version of software on the target system (scanning tools)
  - After identification, the attacker executes the script against the target host using some program with hopes of gaining local administrative access
  - After gaining local administrative access, the attacker initiates the misinformation process
  - Following that, the attacker may use the compromised host to launch remote arbitrary code execution attacks against other hosts