
Review Exam 2 Spring 2014. Targeted Break-in, DoS, & Malware attacks (I)

Jan 03, 2016

Author: Kelly Dalton
Page 1: Review Exam 2 Spring 2014. Targeted Break-in, DoS, & Malware attacks (I)

Review Exam 2

Spring 2014

Page 2: Targeted Break-in, DoS, & Malware attacks (I)

Page 3: Unobtrusive Information Collection

Sending packets into a network is "noisy", so unobtrusive information gathering is done first, by:

- Visiting the target corporate website for employees' names and emails, officers' names and organizational structure, etc.
- Reading the trade press (often online and searchable) for information about products under development, firms' financial prospects, etc.
- Searching the U.S. EDGAR* system online for ownership, shareholder information, etc.
- Searching the Whois database at NetworkSolutions.com/whois/index.jsp, internic.net/whois.html, etc.

* Electronic Data Gathering, Analysis, and Retrieval

Page 4: Host Scanning

Objective: identify the IP addresses of active hosts

- Pinging individual hosts
- Ping scanning: pinging a range of IP addresses
- IP scanning software: fping, gping, Ping Sweep, Pinger
- SYN/ACK scanning: used when the firewall is configured to block pinging from outside

Page 5: Network Scanning

Objective: understand a network's internal structure, including the location of routers and firewalls

Also called network mapping

Main tools used:
- Tracert (in Windows) or Traceroute (in Linux)
- Network scanning software, e.g. NetScanner

Page 6: Port Scanning

Most break-ins exploit specific services/applications

Service   Default Port
www       80
FTP       21
SMTP      25

Scan the target for open ports:
- Send SYN segments to a particular port number
- Observe SYN/ACK or reset (RST) responses

Page 7: Fingerprinting

Determining the specific software run by the target

Identify a particular operating system or application program and (if possible) its version:
- For example, Microsoft Windows 2000 Server
- For example, BSD LINUX 4.2
- For example, Microsoft IIS 5.0

Useful because most exploits are specific to particular programs or versions

Page 8: Active vs. Passive Fingerprinting

Active fingerprinting: send odd messages and observe the replies
- Different operating systems and application programs respond differently
- Active fingerprinting may set off alarms; attackers usually keep the rate of attack messages below the IDS's volume thresholds

Passive fingerprinting: read the headers (IP-H, TCP-H, etc.) of normal response messages
- e.g. Windows 2000 uses TTL = 128 and Window Size = 18000
- Passive fingerprinting is difficult because an admin could change the default values

[Figure: header fields used for fingerprinting: Time To Live (8 bits); Protocol (8 bits): 1=ICMP, 6=TCP, 17=UDP; Window Size (16 bits)]

Page 9: Fingerprinting by Reading Banners

Many programs have preset banners used when initiating communications

Using telnet or FTP to connect to a server could display the banner

Page 10: Summary Questions 1 (cont.)

In preparing his attack, the attacker sent normal HTTP requests to a web server. Then, he spent some time analyzing the protocol-related information in the responses received from the web server in order to determine what software is installed on the web server. Which of the following did the attacker do?

a) Active learning
b) Network scanning
c) Passive fingerprinting
d) None of the above

Page 11: Password Guessing

Brute force: generating possible password combinations by changing one character at a time
- If the password is 4 decimal digits: start with 0000; next try 0001; then 0002; etc. How many possible combinations? ___________
- If the password is 6 alphabetical characters, how many possible combinations? _____________

Brute force password cracking software is available

Page 12: Summary Questions 2 (cont.)

Assume that a password is 2 decimal digits long. What is the maximum number of passwords that an attacker would have to try in order to crack the password?

a) 4
b) 67108864
c) 1024
d) None of the above

How much time (in minutes) will it take to crack the password if it requires 1.2 seconds to try each password? Answer: a maximum of ______ minutes.

Page 13: Targeted Break-in, DoS, & Malware attacks (II)

Page 14: TCP Opening and DoS

For each TCP connection request (SYN), the server has to:
- Respond to the request (SYN/ACK)
- Set resources aside in order to respond to each data request

[Figure: Computers 1, 2, 3, ... each exchange SYN, SYN/ACK, ACK with the server; the server then sits "waiting for request from Computer 1", "waiting for request from Computer 2", "waiting for request from Computer 3", and so on]

Page 15: Denial of Service (DoS)

What resources would the web server use to respond to each of the HTTP requests it receives?

What could be the consequences of the web server being flooded with too many requests from the attacker?

[Figure: the attacker's home network (workstations on a hub behind a router) sends a stream of HTTP requests across the Internet to a web server (Intel Pentium 4 540 (3 GHz), 512 MB SDRAM, 2 x 100 GB SATA HDD, 16x CD drive, Gateway 3-button mouse, Gateway 108 keyboard, SVGA graphic card); legitimate users are sending HTTP requests to the same server. All workstations use IP spoofing to send HTTP requests to the web server.]

Page 16: Denial of Service (DoS) Attack

Attack that makes a computer's resources unavailable to legitimate users

Types of DoS attacks:
- Single-message DoS
- Flooding DoS
- Distributed DoS

Page 17: Single-message DoS Attacks

First kind of DoS attack to appear; exploits weaknesses in the coding of operating systems and network applications

Three main single-message DoS attacks:
- Ping-of-Death
- Teardrop
- LAND attack

Page 18: Ping of Death Attacks

Take advantage of:
- The fact that TCP/IP allows large packets to be fragmented
- Some network applications' and operating systems' inability to handle packets larger than 65536 bytes

The attacker sends IP packets that are larger than 65,536 bytes through IP fragmentation.

Ping of death attacks are rare today, as most operating systems have been fixed to prevent this type of attack from occurring.

Example of PoD code and vulnerable operating systems: http://insecure.org/sploits/ping-o-death.html

Fix: add checks in the reassembly process, or in the firewall to protect hosts whose bug is not fixed. Check: the sum of the Total Length fields of the fragmented IP packet is < 65536 bytes.

[Figure: IP header fields involved: Total Length (16 bits), Flags, Fragment Offset (13 bits)]

Fragment offset: identifies which fragment this packet is attached to. Flags: indicate whether the packet could be fragmented or not.

Page 19: Teardrop Attacks

Take advantage of IP fragmentation: the attacker sends a pretend fragmented IP packet, but the Fragment Offset values are not consistent

Earlier operating systems* and poorly coded network applications crash because they are unable to reassemble the packet due to missing fragments

[Figure: attacker sends Frag 1, Frag 2, Frag 4 (a pretend fragmented IP packet) to the victim]

* Win 3.1, Win 95, Win NT, and Linux prior to 2.163

[Figure: IP header fields involved: Total Length (16 bits), Flags, Fragment Offset (13 bits)]

Page 20: LAND Attacks

First appeared in 1997

The attacker uses IP spoofing with source and destination addresses both referring to the target itself

At the time, operating systems and routers were not designed to deal with this kind of loopback

The problem resurfaced more recently with Windows XP and Windows 2003 Server
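The checks the three single-message attacks call for (pages 18 to 20) can be written as one inspection routine on the reassembly path. This is an added example, not code from the slides; it parses constructed IPv4 headers that `build_ipv4` (a helper assumed here for the samples) produces, and flags the LAND loopback, a fragment set that would exceed the 65,535-byte limit, and Teardrop-style overlapping or missing fragments.

```python
"""Detection checks for the three single-message DoS attacks on pages 18-20.

Added example, not the slides' code. It parses constructed IPv4 headers
(sample packets are built inline by build_ipv4) and raises an alert for:
  LAND              source address equals destination address
  PING_OF_DEATH     a fragment that would reassemble beyond the 65,535-byte
                    IPv4 limit (the slide's "sum of Total Length" check)
  TEARDROP_OVERLAP  a fragment whose byte range overlaps one already received
  TEARDROP_MISSING  the last fragment arrives while earlier bytes are absent
"""
import struct
from collections import defaultdict

IP_MAX = 65535                 # Total Length is a 16-bit field
IPV4_HDR = "!BBHHHBBH4s4s"     # ver/IHL, ToS, total len, id, flags+offset, TTL, proto, csum, src, dst

def parse_ipv4(pkt):
    """Extract the fields the checks need from a raw IPv4 header."""
    vihl, _tos, total_len, ident, frag, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    return {
        "src": src, "dst": dst, "id": ident, "proto": proto,
        "mf": bool(frag & 0x2000),           # More Fragments flag
        "offset": (frag & 0x1FFF) * 8,       # Fragment Offset is counted in 8-byte units
        "data_len": total_len - (vihl & 0x0F) * 4,
    }

def build_ipv4(src, dst, ident, offset_units, mf, data_len, proto=1):
    """Construct a sample header (checksum left zero; only the header matters here)."""
    frag = (0x2000 if mf else 0) | (offset_units & 0x1FFF)
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + data_len, ident, frag, 64, proto, 0, src, dst)

class FragmentMonitor:
    """Keeps per-datagram fragment ranges, like the reassembly code the fix adds checks to."""

    def __init__(self):
        self.frags = defaultdict(list)   # (src, dst, id, proto) -> [(start, end), ...]

    def inspect(self, pkt):
        h = parse_ipv4(pkt)
        alerts = []
        if h["src"] == h["dst"]:
            alerts.append("LAND")
        start, end = h["offset"], h["offset"] + h["data_len"]
        if end > IP_MAX:
            alerts.append("PING_OF_DEATH")
        if h["mf"] or start > 0:                     # part of a fragmented datagram
            key = (h["src"], h["dst"], h["id"], h["proto"])
            seen = self.frags[key]
            if any(start < e and s < end for s, e in seen):
                alerts.append("TEARDROP_OVERLAP")
            seen.append((start, end))
            if not h["mf"]:                          # final fragment: look for gaps
                covered = 0
                for s, e in sorted(seen):
                    if s > covered:
                        alerts.append("TEARDROP_MISSING")
                        break
                    covered = max(covered, e)
                del self.frags[key]                  # datagram complete (or rejected)
        return alerts
```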

Page 21: Summary Questions 1

Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability?

Which of the following DoS attacks takes advantage of IP fragmentation?
a) LAND attack
b) Teardrop
c) Ping of Death
d) None of the above

In which of the following DoS attacks does the attacker make use of IP spoofing?
a) LAND attack
b) Teardrop
c) Ping of Death
d) None of the above

Page 22: Flooding DoS Attacks

Flood a target with a series of messages in an attempt to make it crash

Main types of flooding DoS attacks:
- Flooding with regular requests
- SYN flooding
- Smurf flooding
- Distributed DoS

Page 23: SYN Flooding

The attacker sends a series of TCP SYN opening requests

For each SYN, the target has to send back a SYN/ACK segment and set aside memory and other resources to respond

When overwhelmed, the target slows down or even crashes

SYN flooding takes advantage of the client/server workload asymmetry

[Figure: attacker sends SYN, SYN, SYN, SYN, SYN ... to the victim]
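Both the port scan on page 6 and the SYN flood above show up in a connection log as an unusual pattern of SYN segments, so one detector serves both. This is an added example, not from the slides; the log format, the IP addresses and the thresholds are constructed for it.

```python
"""Port-scan and SYN-flood detection over a TCP connection log.

Added example, not the slides' code. A port scan is one source sending SYNs
to many distinct ports (page 6); a SYN flood is many SYNs to one server port
whose handshakes are never completed with an ACK (page 23). Log lines follow
a constructed format:  <ISO time> <SYN|ACK> <src> -> <dst>:<port>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (SYN|ACK) (\S+) -> (\S+):(\d+)$")

def parse_line(line):
    m = LINE.match(line)
    if not m:
        return None
    ts, kind, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), kind, src, dst, int(port)

def detect(lines, scan_ports=10, flood_halfopen=50, window=timedelta(seconds=10)):
    """Return sorted (alert, subject) tuples.

    scan_ports:     distinct destination ports one source may touch per window
    flood_halfopen: SYNs without a completing ACK one server port may accumulate per window
    """
    syn_ports = defaultdict(list)   # src -> [(time, dport)] recent SYNs
    half_open = defaultdict(list)   # (dst, dport) -> [(src, time)] SYNs awaiting the client's ACK
    alerts = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip malformed lines
        ts, kind, src, dst, port = rec
        pending = half_open[(dst, port)]
        if kind == "ACK":           # handshake completed: retire one pending SYN from this client
            for i, (s, _) in enumerate(pending):
                if s == src:
                    del pending[i]
                    break
            continue
        # port scan: distinct ports per source within the window
        recent = [(t, p) for t, p in syn_ports[src] if ts - t <= window] + [(ts, port)]
        syn_ports[src] = recent
        if len({p for _, p in recent}) >= scan_ports:
            alerts.add(("PORT_SCAN", src))
        # SYN flood: half-open connections per server port within the window
        pending = [(s, t) for s, t in pending if ts - t <= window] + [(src, ts)]
        half_open[(dst, port)] = pending
        if len(pending) >= flood_halfopen:
            alerts.add(("SYN_FLOOD", f"{dst}:{port}"))
    return sorted(alerts)

def sample_log():
    """Constructed log: one legitimate client, one scanner, sixty spoofed flood sources."""
    base = datetime(2014, 3, 10, 10, 0, 0)
    lines = [f"{base.isoformat()} SYN 198.51.100.7 -> 60.47.3.9:80",
             f"{(base + timedelta(seconds=1)).isoformat()} ACK 198.51.100.7 -> 60.47.3.9:80"]
    for i in range(16):             # one host probing sixteen consecutive ports, one per second
        t = base + timedelta(seconds=2 + i)
        lines.append(f"{t.isoformat()} SYN 203.0.113.5 -> 60.47.3.9:{20 + i}")
    for i in range(60):             # sixty sources, each leaving a half-open connection on port 80
        t = base + timedelta(seconds=30, milliseconds=50 * i)
        lines.append(f"{t.isoformat()} SYN 192.0.2.{i + 1} -> 60.47.3.9:80")
    return lines
```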

Page 24: Smurf Flooding DoS

The attacker uses IP spoofing

The attacker sends ping / echo messages to third-party computers on behalf of the target

All the third-party computers respond to the target

Page 25: Distributed DoS (DDoS) Attack

The attacker hacks into multiple clients and plants handler programs on them. The clients become bots or intermediaries.

The attacker sends attack commands to the handlers, which execute the attacks.

First appeared in 2000 with the Mafiaboy attack against cnn.com, ebay.com, etrade.com, yahoo.com, etc.

Link to how to deal with DDoS (by Cisco)

[Figure: the attacker sends an attack command to a handler, which forwards attack commands to the bots; the bots send DoS messages to the server]

Page 26: Distributed DoS (DDoS) Attack (figure only)

Page 27: Distributed DoS (DDoS) Attack (figure only)

Page 28: Malware Attacks

Page 29: Malware Attacks

Types of malware:
- Viruses
- Worms
- Trojan horses
- Logic bombs

Page 30: Virus

Code/program (script, macro) that:
- Attaches to files
- Spreads by user actions (floppy disk, flash drive, opening an email attachment, IRC, FTP, etc.), not by itself

Symptoms:
- Annoying actions when the virus is executed: hogs memory, crashes the system, drives are not accessible, antivirus disabled, etc.
- Destructive actions when executed: delete files, alter files, etc.

Page 31: Viruses Could Be

- Boot sector viruses: attach themselves to files in the boot sector of the HD
- File infector viruses: attach themselves to files (i.e. program files and user files)
- Polymorphic viruses: mutate with every infection (using encryption techniques), making them hard to locate
- Metamorphic viruses: rewrite themselves completely each time they are to infect new executables*
- Stealth viruses: hide themselves by intercepting disk access requests by antivirus programs

[Figure: a request by the antivirus passes through the OS to the stealth virus. The stealth virus returns an uninfected version of the files to the anti-virus software, so that infected files seem "clean".]

* a metamorphic engine is needed

Page 32: Worm

- Does not attach to files
- A self-replicating computer program that propagates across a system
- Uses a host computer's resources and network connections to transfer a copy of itself to another computer
- Harms the host computer by consuming processing time and memory
- Harms the network by consuming bandwidth

Question: Distinguish between viruses and worms

Page 33: Trojan Horse

A computer program that appears to be a useful program, like a game, a screen saver, etc., but is really a program designed to damage or take control of the host computer

When executed, a Trojan horse could:
- Format disks
- Delete files
- Open TCP ports to allow a remote computer to take control of the host computer (Back Door)

NetBus and SubSeven used to be attackers' favorite programs for remote control of a target

Page 34: Logic Bomb

Piece of malicious code intentionally inserted into a software system

The bomb is set to run when a certain condition is met:
- Passing of a specified date/time
- Deletion of a specific record in a database

Example: a programmer could insert a logic bomb that functions as follows: scan the payroll records each day; if the programmer's name is removed from the payroll, then the logic bomb will destroy vital files weeks or months after the name removal.

Page 35: Firewalls

Page 36: Test Your Firewall Knowledge

Which of the following is true about firewalls?
a) A firewall is a hardware device
b) A firewall is a software program
c) Firewalls could be hardware or software

Which of the following is true about firewalls?
a) They are used to protect a whole network against attacks
b) They are used to protect single computers against attacks
c) Both a and b.

Page 37: Test Your Firewall Knowledge (cont.)

Which of the following is true about firewalls?
a) They are configured to monitor inbound traffic and protect against attacks by intruders
b) They are configured to monitor outbound traffic and prevent specific types of messages from leaving the protected network.
c) Both a and b

Page 38: Firewall: Definition

Hardware or software tool used to protect a single host(1) or an entire network(2) by "sitting" between a trusted network (or a trusted host) and an untrusted network, applying preconfigured rules and/or traffic knowledge to allow or deny access to incoming and outgoing traffic

(1) Host-based or personal firewall
(2) Network-based firewall

[Figure: a network-based firewall sits between the untrusted network and the trusted network; inside the trusted network, each PC also runs a host-based firewall]

Page 39: Questions

What is the main advantage of having a host-based firewall in addition to having a network-based one?

Answer: _________________________________________

What kind of security issue could be associated with having a host-based firewall on users' PCs?

Answer: __________________________________________

[Figure: same layout as page 38: a network-based firewall between the untrusted and trusted networks, with host-based firewalls on the PCs]

Page 40: Firewall Architecture

Most firms have multiple firewalls. Their arrangement is called the firm's firewall architecture.

[Figure: the Internet connects through a main border firewall and a screening router firewall to a Demilitarized Zone (DMZ) holding the public webserver 60.47.3.9, the SMTP application proxy server 60.47.3.10, the HTTP application proxy server 60.47.3.1 and the external DNS server 60.47.3.4; an internal firewall separates the DMZ from the internal subnets: a marketing client on the 172.18.5.x subnet, an accounting server on the 172.18.7.x subnet, an email server on the 172.18.6.x subnet and the 172.18.9.x subnet, each internal host running a host firewall]

Page 41: Questions

What is a DMZ?

Which of the following may be placed in a DMZ?
a) An SMTP proxy server
b) A server that contains files available for downloading by employees
c) A File Transfer Protocol server
d) A SQL (Structured Query Language) database server

What IP addresses should a DNS server in the DMZ be able to find?
a) All the company's IP addresses
b) Only the IP addresses of the computers in the internal subnet
c) Only the IP addresses of the computers in the DMZ

You work as the security administrator at King.com. King.com has been receiving a high volume of attacks on the king.com web site. You want to collect information on the attackers so that legal action can be taken. Which of the following can you use to accomplish this?
a) A DMZ (Demilitarized Zone).
b) A honey pot.
c) A firewall.
d) None of the above.

Page 42: Basic Firewall Operation

[Figure: from the Internet (not trusted), the attacker's Attack Packet 1 reaches the border firewall and is dropped (ingress) and recorded in the log file; the legitimate user's Legitimate Packet 1 is passed (ingress) into the internal corporate network (trusted); Legitimate Packet 2 leaving the internal network is passed (egress)]

Ingress filtering: filtering packets coming from external networks

Egress filtering: filtering packets leaving to external networks

Page 43: Types of Firewalls

Static Packet Filtering Firewalls (1st generation)
- Inspect TCP, UDP and IP headers to make filtering decisions
- Do static filtering of individual packets based on a configured ruleset (or Access Control List)
- Prevent attacks that use IP or port spoofing, etc.

Stateful Packet Filtering Firewalls (2nd generation)
- Inspect TCP, UDP and IP headers to make filtering decisions
- Do stateful filtering by checking the firewall's state table for the relation of packets to packets already filtered
- If a packet does not match an existing connection, the ruleset (static filtering) is used
- If a packet matches an existing connection, it is allowed to pass
- Prevent SYN attacks, teardrops, etc.

State Table

Connection     Source IP      Destination IP   State
Connection 1   123.12.13.4    60.47.3.9:80     TCP opening
Connection 2   213.14.33.56   60.47.3.9:80     Data transfer
...            ...            ...              ...

[Figure: packets shown as IP-H + TCP-H + Application Layer Message and IP-H + UDP-H + Application Layer Message; these firewalls inspect the IP, TCP and UDP headers]
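The rule described above (match the state table first, fall back to the static ruleset, and let an allowed SYN create a new entry) can be shown as a small filter that keeps the slide's state table. This is an added example, not the slides' or any product's code; the packet flags, rules and addresses are constructed samples.

```python
"""Stateful packet filtering with a state table, as on the Types of Firewalls slide.

Added example, not the slides' code. A packet that belongs to a connection
already in the state table passes; one that does not is judged by the static
ruleset, and only an allowed SYN creates a new entry (state "TCP opening",
promoted to "Data transfer" once the client's ACK completes the handshake).
IPs, ports and rules below are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                   # "SYN", "SYN/ACK", "ACK", "PSH", "FIN" or "RST"

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    dst: str                     # destination IP, or "any"
    dport: Optional[int] = None  # destination port, or None for any port

class StatefulFirewall:
    """Static ruleset (first match wins, default deny) plus a connection state table."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = {}   # (client, cport, server, sport) -> "TCP opening" | "Data transfer"

    def _ruleset(self, pkt):
        for r in self.rules:
            if r.dst in ("any", pkt.dst) and r.dport in (None, pkt.dport):
                return r.action == "allow"
        return False

    def filter(self, pkt):
        """Return ("pass" | "drop", connection state after this packet)."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # client -> server direction
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # server -> client direction
        key = fwd if fwd in self.state else rev if rev in self.state else None
        if key is None:
            # Unknown connection: only a SYN that the ruleset allows may open one.
            # A stray ACK or SYN/ACK with no entry is dropped, which is what
            # defeats spoofed replies and probes that skip the handshake.
            if pkt.flags == "SYN" and self._ruleset(pkt):
                self.state[fwd] = "TCP opening"
                return "pass", "TCP opening"
            return "drop", None
        if pkt.flags in ("FIN", "RST"):
            del self.state[key]                     # connection torn down, entry removed
            return "pass", "closed"
        if key == fwd and pkt.flags == "ACK" and self.state[key] == "TCP opening":
            self.state[key] = "Data transfer"       # three-way handshake completed
        return "pass", self.state[key]

def demo_state_table():
    """Walk the slide's two connections through the firewall and return its table."""
    fw = StatefulFirewall([Rule("allow", "60.47.3.9", 80), Rule("allow", "60.47.3.10", 25)])
    fw.filter(Packet("123.12.13.4", 40001, "60.47.3.9", 80, "SYN"))
    fw.filter(Packet("213.14.33.56", 40002, "60.47.3.9", 80, "SYN"))
    fw.filter(Packet("60.47.3.9", 80, "213.14.33.56", 40002, "SYN/ACK"))
    fw.filter(Packet("213.14.33.56", 40002, "60.47.3.9", 80, "ACK"))
    return {f"{k[0]} -> {k[2]}:{k[3]}": v for k, v in fw.state.items()}
```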

Page 44: Types of Firewalls (cont.)

Application Firewalls (3rd generation)
- Also called proxy firewalls
- Inspect the Application Layer message (e.g. HTTP requests, emails, etc.)
- Specialized proxy firewalls are more effective than general-purpose ones: HTTP proxy firewalls for HTTP requests, SMTP proxy firewalls for SMTP emails, FTP proxy firewalls for FTP-based file transfer requests
- Prevent malware attacks

[Figure: packets shown as IP-H + TCP-H + Application Layer Message and IP-H + UDP-H + Application Layer Message; the application firewall inspects the Application Layer message. An HTTP proxy sits between the browser and the webserver application: 1. HTTP request; 2. passed inspected HTTP request; 3. HTTP response; 4. passed inspected HTTP response; the proxy writes a log file]

Page 45: Types of Firewalls (cont.)

Network Address Translation Firewall
- Replaces the IP address in an outgoing message with a spoof IP address
- Hides internal hosts' IP addresses from outsiders
- Helps prevent IP spoofing attacks using internal IP addresses

Host IP Address   Outgoing IP Address   Request ID
135.12.23.12      135.12.20.1           120121
135.12.22.2       135.12.20.2           120122
135.12.21.3       135.12.20.3           120123
...               ...                   ...

[Figure: internal hosts 135.12.23.12, 135.12.22.2 and 135.12.21.3 appear to the outside as 135.12.20.1, 135.12.20.2 and 135.12.20.3]

Page 46: Firewall Principles

Danger of Overload
- If a firewall is overloaded and cannot handle the traffic, it drops unprocessed packets
- This is the safest choice, because attack packets cannot enter the network
- However, this creates a self-inflicted denial-of-service attack

Page 47: Host Hardening

Page 48: Computer Hardware & Software

[Figure: layered stack, from the bottom: Computer Hardware; Operating System; client & server application programs: web service software (IIS, Apache, ...), web browser, productivity software]

Page 49: Your Knowledge About Host Hardening

Which of the following is most likely to make a computer system unable to perform any kind of work or provide any service?
a) Client application programs get hacked
b) Server application programs (web service software, database service, network service, etc.) get hacked
c) The operating system gets hacked
d) The connection to the network/Internet gets shut down

Page 50: OS Market Share

OS vulnerability test, 2010, by omnired.com
- OS tested: Win XP, Win Server 2003, Win Vista Ultimate, Mac OS Classic, OS X 10.4 Server, OS X 10.4 Tiger, FreeBSD 6.2, Solaris 10, Fedora Core 6, Slackware 11.0, Suse Enterprise 10, Ubuntu 6.10
- Tools used to test vulnerabilities: scanning tools (Track, Nessus), network mapping (Nmap command)
- All hosts with OS installation defaults

Results
- Microsoft's Windows and Apple's OS X are rife with remotely accessible vulnerabilities and allow for executing malicious code
- The UNIX and Linux variants present a much more robust exterior to the outside
- Once patched, however, both Windows and Apple's OS are secure.

Page 51: Your Knowledge About Host Hardening

You performed an out-of-the-box installation of Windows XP and Linux FreeBSD 6.2 on two different computers. Which computer is more likely to be secure?
a) Windows XP
b) Linux FreeBSD 6.2
c) They will have the same level of security

What needs to be done, first, in order to prevent a hacker from taking over a server with OS installation defaults that has to be connected to the Internet?
a) Lock the server room
b) Configure the firewall to deny all inbound traffic to the server
c) Download and install patches for known vulnerabilities

Page 52: Security Baseline

Because it's easy to overlook something in the hardening process, businesses need to adopt a standard hardening methodology: a standard security baseline

Different kinds of host need different security baselines, i.e.:
- Different security baselines for different OS and versions
- Different security baselines for different types of server applications (web service, email service, etc.)
- Different security baselines for different types of client applications

Page 53: Options for Security Baselines

An organization could use different standards:
- OS vendors' baselines and tools, e.g. follow the MS installation procedure and use Microsoft Baseline Security Analyzer (MBSA)
- Standards agencies' baselines, e.g. CobiT* Security Baseline
- The company's own security baselines

The security baseline is to be implemented by server administrators, known as systems admins

* Control Objectives for Information and Related Technology

Page 54: Elements of Hardening

Carried out according to the baseline:
- Physical security
- Secure installation and configuration
- Fix known vulnerabilities
- Remove/turn off unnecessary services (applications)
- Harden all remaining applications
- Manage users and groups
- Manage access permissions: for individual files and directories, assign access permissions to specific users and groups
- Back up the server regularly
- Advanced protections

Page 55: Hardening Servers

Choose an OS that provides the following:
- Ability to restrict admin access (Administrator vs. Administrators)
- Granular control of data access
- Ability to disable services
- Ability to control executables
- Ability to log activities
- Host-based firewall
- Support for strong authentication and encryption

Disable or remove unnecessary services or applications:
- If no longer needed, remove rather than disable, to prevent re-enabling
- Additional services increase the attack vector
- More services can increase host load and decrease performance
- Reducing services reduces logs and makes detection of intrusion easier

Page 56: Hardening Servers (cont.)

Configure user authentication:
- Remove or disable unnecessary accounts (e.g. Guest account)
- Change names and passwords for default accounts
- Disable inactive accounts
- Assign rights to groups, not individual users
- Don't permit shared accounts if possible
- Configure time sync
- Enforce an appropriate password policy
- Use 2-factor authentication when necessary
- Always use encrypted authentication

Page 57: UNIX / Linux Hardening

Many versions of UNIX; no standard guideline for hardening

The user can select the user interface: Graphical User Interface (GUI) or Command-Line Interfaces (CLIs), i.e. shells

CLIs are case-sensitive, with commands in lowercase except for file names

Page 58: UNIX / Linux Hardening

Three ways to start services:
- Start a service manually (a) through the GUI, (b) by typing its name in the CLI, or (c) by executing a batch file that does so
- Using the inetd program to start services when requests come in from users
- Using the rc scripts to start services automatically at boot up

Inetd = Internet daemon, i.e. a computer program that runs in the background

Page 59: UNIX / Linux Hardening

[Figure: inetd reads /etc/inetd.config, which maps Port 23 -> Program A, Port 80 -> Program B, Port 123 -> Program C, Port 1510 -> Program D. 1. Client request to port 123; 2. inetd looks up port 123; 3. finds Program C; 4. starts Program C and processes this request]

Starting services upon client requests:
- Services not frequently used are dormant
- Requests do not go directly to the service
- Requests are sent to the inetd program, which is started at server boot up

Page 60: UNIX / Linux Hardening

Turning on/off unnecessary services in UNIX

Identifying services running at any moment:
- The ps command (process status), usually with the -aux parameters, lists running programs; it shows the process name and process ID (PID)
- netstat tells what services are running on what ports

Turning off services in UNIX: the kill PID command is used to kill a particular process, e.g. kill 47 (if PID=47)

Page 61: Advanced Server Hardening Techniques

File Integrity Checker
- Creates a snapshot of files: a hashed signature (message digest) for each file
- After an attack, compares the post-hack signatures with the snapshot
- This allows the systems administrator to determine which files were changed
- Tripwire is a file integrity checker for Linux/UNIX, Windows, etc.: www.tripwire.com (ftp://coast.cs.purdue.edu/pub/tools/unix)

Page 62: Advanced Server Hardening Techniques

[Figure: 1. at an earlier time, Tripwire computes File 1 Signature, File 2 Signature, ... for File 1, File 2 and the other files in the policy list, forming the reference base; 2. after an attack, Tripwire computes post-attack signatures for the same files; 3. comparison of the two sets finds the changed files]

File integrity problem: many files change for legitimate reasons, so it is difficult to know which ones the attacker changed.
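The snapshot-and-compare cycle of pages 61 and 62, including the problem that legitimate changes look the same as an attacker's, can be exercised end to end. This is an added example, not Tripwire's code; the file names, contents and the "approved changes" list are constructed for it.

```python
"""File integrity checking in the style of the Tripwire slides.

Added example, not Tripwire's code. snapshot() builds the reference base
(a SHA-256 digest for every file in the policy list); compare() is run later
and reports what changed, disappeared or appeared. Because many files change
for legitimate reasons, compare() also accepts a set of approved paths so
that only unexplained differences are reported. demo() creates a throwaway
directory with constructed files so the whole cycle runs offline.
"""
import hashlib
import json
import os
import tempfile

def digest(path, chunk=65536):
    """SHA-256 message digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(policy):
    """Reference base: {path: digest}; a listed file that does not exist is recorded as None."""
    return {p: (digest(p) if os.path.isfile(p) else None) for p in policy}

def compare(reference, current, approved=()):
    """Classify every policy path as changed, missing, added or approved (unchanged paths are omitted)."""
    report = {"changed": [], "missing": [], "added": [], "approved": []}
    for path, old in reference.items():
        new = current.get(path)
        if old == new:
            continue
        if path in approved:
            report["approved"].append(path)     # change was expected (patching, config work)
        elif old is not None and new is None:
            report["missing"].append(path)
        elif old is None and new is not None:
            report["added"].append(path)
        else:
            report["changed"].append(path)
    return report

def save_reference(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1)

def load_reference(path):
    with open(path) as f:
        return json.load(f)

def demo():
    """Constructed run: baseline, simulated tampering plus one approved change, then comparison."""
    with tempfile.TemporaryDirectory() as root:
        names = ("passwd", "sshd_config", "ls", "motd", "app.conf")
        files = {n: os.path.join(root, n) for n in names}
        for name, path in files.items():
            with open(path, "w") as f:
                f.write(f"original contents of {name}\n")
        policy = list(files.values()) + [os.path.join(root, "unexpected_file")]
        ref_path = os.path.join(root, "reference.json")
        save_reference(snapshot(policy), ref_path)            # 1. earlier time

        # 2. afterwards: a binary replaced, a config edited, a file removed, a file dropped in,
        #    and one legitimate admin edit to app.conf
        with open(files["ls"], "w") as f:
            f.write("replaced binary (constructed)\n")
        with open(files["sshd_config"], "a") as f:
            f.write("# constructed tampered line\n")
        os.remove(files["motd"])
        with open(os.path.join(root, "unexpected_file"), "w") as f:
            f.write("constructed dropped file\n")
        with open(files["app.conf"], "a") as f:
            f.write("# approved config update\n")

        # 3. comparison to find changed files
        report = compare(load_reference(ref_path), snapshot(policy), approved={files["app.conf"]})
        return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}
```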