Ddos, Mobility, DRM


CS 419: Computer Security
Week 13: DDoS, Mobility, DRM
December 1, 2020
© 2020 Paul Krzyzanowski. No part of this content may be reproduced or reposted in whole or in part in any manner without the permission of the copyright owner.

Denial of Service

Denial of Service (DoS) Attacks
• Find bugs
  – Get the system to crash
• Overwhelm a system so it will not be responsive
Challenge: overwhelm targets that may be far bigger than you
  – Find asymmetries
    • Cases where handling requests is more expensive than issuing them
  – Avoid getting responses
    • Fake return addresses
  – Send responses to the target
    • Set the return address to the target ⇒ amplification
  – Join forces
    • Get many systems to participate ⇒ create a botnet for a Distributed DoS (DDoS) attack
    • Systems contact a command & control server for directions

Bugs & Asymmetric attacks
• Challenge Collapsar (CC) attack
  – Attacker sends URLs that require time-consuming operations on the server
• ICMP attacks
  – Ping flood
    • Send ICMP Echo Request messages with responses that go to the target
  – Ping of Death
    • Send fragmented IP packets so that they will be >64KB when reassembled ⇒ buffer overflow
  – Send spoofed source addresses to unreachable destinations
    • Routers will return Destination Unreachable to the target

Amplification Attacks
Send a small request that produces a large response
  – Have the response go to the target (spoof the target's address as the source)
  – Need UDP so there's no connection state
• DNS amplification
  – Request as much info as possible about a domain
  – Responses may be 179x larger than requests
• NTP amplification
  – Request monlist: server returns the last 600 hosts that connected to it
  – Responses may be 500x larger than requests
• Memcached amplification
  – Send queries to open memcached servers that return large responses (often web caches)
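The amplification slide above describes the attack in two sentences; the following added example (not part of the lecture slides) shows the "small request" concretely and adds the check a network operator would want: a pass over flow records that flags a host receiving unsolicited, oversized UDP responses from reflector service ports. The flow records, the reflector-port table and the assumed request size are constructed for illustration.

```python
"""Added example (not part of the CS 419 slides): what a UDP reflection /
amplification attack looks like on the wire, and a check over flow records
that spots a host being used as the target.  The flow records, the
reflector-port table and the request-size table below are constructed for
illustration and are assumptions, not measurements from the lecture."""
import struct
from collections import defaultdict

# UDP services the slides name as reflectors, keyed by the port their
# responses come FROM (the attacker spoofs the target as the query's source).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "memcached", 389: "CLDAP"}


def build_dns_any_query(name, txid=0x1234, edns_bufsize=4096):
    """Build a DNS 'ANY' query carrying an EDNS0 OPT record that advertises a
    large UDP buffer (RFC 1035 / RFC 6891 wire format).  This is the 'small
    request' of the slide: the answer for a record-rich zone is many times
    larger than these 40 bytes."""
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", 255, 1)   # QTYPE=ANY, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size, TTL=0, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def amplification_factor(request, response):
    """Bandwidth amplification factor: bytes delivered to the target per byte
    the attacker had to send."""
    return len(response) / len(request)


def detect_reflection(flows, request_bytes=None, min_sources=3, min_factor=10.0):
    """Flag hosts receiving UDP traffic *from* reflector service ports, from
    several distinct reflectors, that the host never queried (the spoofed
    requests came from the attacker, so there is no matching outbound flow),
    and estimate the amplification from the average packet size.
    flows: dicts with proto, src, sport, dst, dport, bytes, packets."""
    if request_bytes is None:  # assumed typical request size per service port
        request_bytes = {53: len(build_dns_any_query("example.com"))}
    inbound = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    solicited = set()  # (host, reflector, port) the host really sent a query to
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] in REFLECTOR_PORTS:
            rec = inbound[(f["dst"], f["sport"])]
            rec["reflectors"].add(f["src"])
            rec["bytes"] += f["bytes"]
            rec["packets"] += f["packets"]
        if f["dport"] in REFLECTOR_PORTS:
            solicited.add((f["src"], f["dst"], f["dport"]))
    alerts = {}
    for (victim, port), rec in inbound.items():
        unsolicited = {r for r in rec["reflectors"] if (victim, r, port) not in solicited}
        if len(unsolicited) < min_sources or rec["packets"] == 0:
            continue
        avg = rec["bytes"] / rec["packets"]
        factor = avg / request_bytes[port] if port in request_bytes else None
        if factor is not None and factor < min_factor:
            continue  # big fan-in but small answers: probably not amplification
        alerts[(victim, REFLECTOR_PORTS[port])] = {
            "reflectors": len(unsolicited),
            "avg_response_bytes": avg,
            "est_amplification": None if factor is None else round(factor, 1),
        }
    return alerts


# Constructed flow records (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    # 203.0.113.10 gets 1200-byte DNS answers from three servers it never asked
    {"proto": "udp", "src": "198.51.100.1", "sport": 53, "dst": "203.0.113.10", "dport": 40001, "bytes": 120000, "packets": 100},
    {"proto": "udp", "src": "198.51.100.2", "sport": 53, "dst": "203.0.113.10", "dport": 40001, "bytes": 120000, "packets": 100},
    {"proto": "udp", "src": "198.51.100.3", "sport": 53, "dst": "203.0.113.10", "dport": 40001, "bytes": 120000, "packets": 100},
    # 203.0.113.20 did a normal lookup: it sent the query and got a small answer
    {"proto": "udp", "src": "203.0.113.20", "sport": 50123, "dst": "198.51.100.1", "dport": 53, "bytes": 60, "packets": 1},
    {"proto": "udp", "src": "198.51.100.1", "sport": 53, "dst": "203.0.113.20", "dport": 50123, "bytes": 120, "packets": 1},
]

if __name__ == "__main__":
    q = build_dns_any_query("example.com")
    print(f"ANY query is {len(q)} bytes; a 4000-byte answer would be "
          f"{amplification_factor(q, b'x' * 4000):.0f}x amplification")
    for (victim, service), info in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{victim} hit via {service}: {info}")
```

The detector keys on the absence of a matching outbound query because that is what distinguishes reflection from a host that simply does a lot of lookups; the same idea, run on the reflector's side (answers going to addresses that never queried you), is how an operator finds out that their own open resolver or NTP server is the one being abused.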
DDoS: Distributed Denial of Service
• Vast quantities of compromised systems reduce the need for amplification
  – Create a botnet of millions of systems
• Some targets are too huge to hurt with traffic
  – Amazon, Google, sites using CDNs such as Akamai

Dealing with DDoS
Really difficult in general
• Disable unnecessary UDP services
  – So you're not a participant in the attacks
• Enable bandwidth management in routers
  – Either in data center or ISP
  – Limit outbound or inbound traffic on a per-IP basis
• Blackhole routing
  – Set a null route when a DNS attack is detected
  – Traffic to the attacked DNS goes nowhere
• Egress filtering by ISPs
  – Attempt to find malicious hosts participating in DDoS or sending spam
• Identify incoming attackers & block traffic at firewall
  – Difficult with a truly distributed DDoS attack

AWS said it mitigated a 2.3 Tbps DDoS attack, the largest ever
The previous record for the largest DDoS attack ever recorded was of 1.7 Tbps, recorded in March 2018.
Catalin Cimpanu • June 17, 2020

Amazon said its AWS Shield service mitigated the largest DDoS attack ever recorded, stopping a 2.3 Tbps attack in mid-February this year. The incident was disclosed in the company's AWS Shield Threat Landscape [PDF], a report detailing web attacks mitigated by Amazon's AWS Shield protection service. The report didn't identify the targeted AWS customer but said the attack was carried out using hijacked CLDAP web servers and caused three days of "elevated threat" for its AWS Shield staff. CLDAP (Connection-less Lightweight Directory Access Protocol) is an alternative to the older LDAP protocol and is used to connect, search, and modify Internet-shared directories.
The protocol has been abused for DDoS attacks since late 2016, and CLDAP servers are known to amplify DDoS traffic by 56 to 70 times its initial size, making it a highly sought-after protocol and a common option provided by DDoS-for-hire services.
Source: https://www.zdnet.com/article/aws-said-it-mitigated-a-2-3-tbps-ddos-attack-the-largest-ever/

Mobile Device Security

Threat Landscape

Mobile Devices: Users
• Lots of users!
  – 1.6B Android users, ~1B iOS users
  – Much of the world is mobile-first
  – Market share: U.S.: Android 47%, iOS 52.4%; worldwide: Android 72.92%, iOS 26.53%
• Users don't think of phones as computers
  – Social engineering may work more easily on phones
• Small form factor
  – Users may miss security indicators (e.g., certificates on web sites)
  – Easy to lose/steal a device
• Users tend to pick bad PINs
• Users may grant app permission requests without thinking
Sources:
https://gs.statcounter.com/os-market-share/mobile/worldwide
https://9to5mac.com/2020/01/28/apple-hits-1-5-billion-active-devices-with-80-of-recent-iphones-and-ipads-running-ios-13/

Mobile Devices: Interfaces
• Phones have lots of sensors
  – GSM/3G/4G LTE/5G
  – Wi-Fi
  – Bluetooth
  – GPS
  – NFC
  – Microphone
  – Cameras
  – 6-axis gyroscope and accelerometer
  – Barometer
  – Magnetometer (compass)
  – Proximity
  – Ambient light
  – LiDAR
  – Fingerprint
  – Face
• Sensors enable attackers to monitor the world around you
  – Where you are & whether you are moving
  – Conversations
  – Video
  – Sensing vibrations due to neighboring keyboard activity led to a word recovery rate of 80%

Mobile Devices: Apps
• Lots of apps
  – 2.87 million Android apps on Google Play
  – 1.96 million iOS apps on the Apple App Store*
• Most written by untrusted parties
  – We'd be wary of downloading these on our PCs
  – With mobile apps we rely on
    • Testing & approval by Google (automated) and Apple (automated + manual)
    • App sandboxing
    • Explicit granting of permissions for resource access
• Apps often ask for more permissions than they use
  – Most users ignore permission screens
• Most apps do not get security updates
*Statista.com, as of 3rd quarter 2020

Mobile platforms aren't impervious

Mobile Devices: Platform
• Mobile phones are comparable to desktop systems in complexity
  – The OS & libraries will have bugs
• Single user environment
• Limited screen space
  – No hovering, no multiple browser windows (usually)
• Malicious apps may be able to get root privileges
  – Attackers may install rootkits, enabling long-term control while concealing their presence

Some apps are preinstalled (Android)

Malware Found Pre-Installed on Low-Cost Android Smartphones
Phones Sold Through U.S. Government-Subsidized Program
Prajeet Nair – July 10, 2020

For the second time this year, security researchers have found malware embedded in low-cost Android smartphones distributed through a U.S. government program, security firm Malwarebytes reports. In this latest case, Malwarebytes analysts found the malware embedded in the "settings" feature of the Android smartphone making it nearly impossible to detect or remove from the devices, according to a new research report. Malwarebytes obtained an infected ANS UL40 smartphone and studied the malware embedded in the device, according to the report.
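The app slides above make two points a reviewer can actually check statically: apps request more permissions than they use, and components reachable by other apps (the "malicious intents" threat listed later) need a permission guarding them. The following is an added example, not code from the lecture or from any real app: it reads an AndroidManifest.xml and reports both. The manifest, package name, component names and the reviewer-supplied "needed" list are constructed for illustration.

```python
"""Added example (not from the CS 419 slides): a static check over an
AndroidManifest.xml for the two problems the app slides raise, permissions
an app requests beyond what it needs and components that other apps can
reach through intents without any permission guarding them.  The manifest
below is constructed for illustration; the package name, component names and
the 'needed' list are assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# A subset of Android's 'dangerous' protection-level permissions: the ones a
# user is asked to grant at runtime and that most users wave through.
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest for a hypothetical "flashlight" app that asks for far
# more than a flashlight needs and exposes two components to any other app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".CmdReceiver">
      <intent-filter><action android:name="com.example.CMD"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.data"
              android:exported="true" android:permission="com.example.ACCESS_DATA"/>
  </application>
</manifest>
"""


def attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def review_manifest(xml_text, needed):
    """needed: permissions the reviewer has established the app actually uses.
    Returns requested-but-unneeded permissions (and the dangerous subset) and
    the components reachable from other apps without a permission check."""
    root = ET.fromstring(xml_text)
    requested = {attr(u, "name") for u in root.iter("uses-permission")}
    excess = sorted(requested - set(needed))
    exposed = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        filters = comp.findall("intent-filter")
        # The launcher activity has to be reachable; skip it.
        if any(attr(a, "name") == "android.intent.action.MAIN"
               for f in filters for a in f.findall("action")):
            continue
        exported = attr(comp, "exported")
        # Before Android 12 a component with an intent-filter is exported
        # unless android:exported="false" is set explicitly.
        is_exported = exported == "true" or (exported is None and bool(filters))
        if is_exported and attr(comp, "permission") is None:
            exposed.append(attr(comp, "name"))
    return {
        "excess": excess,
        "dangerous_excess": [p for p in excess if p in DANGEROUS],
        "exposed": exposed,
    }


if __name__ == "__main__":
    report = review_manifest(SAMPLE_MANIFEST, needed={"android.permission.CAMERA"})
    for key, items in report.items():
        print(f"{key}: {items}")
```

On the constructed manifest the check reports READ_CONTACTS and RECORD_AUDIO as dangerous permissions a flashlight has no business holding, and flags SyncService and CmdReceiver as reachable by any app on the device while DataProvider, which declares android:permission, is not. The "needed" list has to come from reading the code or the runtime permission prompts; the manifest alone cannot tell you what the app uses, only what it can ask for.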
Source: https://www.databreachtoday.com/malware-found-pre-installed-on-low-cost-android-smartphones-a-14594

Example: fake Facebook authentication
• July 2020
  – 25 apps discovered in the Google Play Store that trick Facebook users into giving up their authentication credentials
• Apps infect target phones with malware
  – Detects opening of the Facebook app
  – Launches a browser and navigates to Facebook's login window
  – Malware uses JavaScript to copy login credentials and send them to a server
Source: https://www.evina.com/they-steal-your-facebook/

Ways to Infiltrate an iOS Device (www.theregister.co.uk, 2017/07/20)
Here are a few ways to get malware onto an iOS device, along with examples of real exploits that used that method.
[figure from https://www.theregister.co.uk/2017/07/20/ios_security_skycure/]

Threats
• Privacy
  – Data leakage
  – Identifier leakage
  – Location privacy
  – Microphone/camera access
• Security vulnerabilities
  – Bugs
  – Phishing
  – Malware
  – Malicious Android intents (inter-app communication)
  – Broad access to resources (more than the app needs)

iOS input validation vulnerabilities in Messages
• May 2015: "Unicode of Death"
  – A single string in a text message could crash an iPhone
• Again in Jan 2018: "ChaiOS"
  – Receiving a link causes the Messages app to go blank & crash instantly after opening
  – Malformatted characters in the message cause the WebKit HTML engine to crash
  – The target file contains multiple such characters, so CoreText spends a lot of CPU time trying to match fonts for them
• Again in Feb 2018
  – A character in an Indian language (Telugu) causes Apple's iOS SpringBoard to crash when the message is received
  – Messages will no longer open as it fails to load the character
  – Affects third-party messaging apps too
• Again in May 2018: Black dot of death
  – Thousands-character-long string of invisible Unicode text causes iMessages to crash
    when the user launches the app
• Again in April 2020: Sindhi characters
  – Several characters from the Sindhi language cause iOS to lock up and an iPhone to crash

Another data validation problem…

Wallpaper crash explained: Here's how a simple image can soft-brick phones
Bogdan Petrovan • June 1, 2020

How can a simple image crash an Android phone to the point that it becomes unusable? … Here's a recap: Setting a particular image as wallpaper can send some phones into a loop of crashes that makes them unusable. There are a few solutions, depending on how hard the phone is hit.