Review Exam 2 Spring 2015
Dec 28, 2015
Unobtrusive Information Collection
Sending packets into a network is “noisy”. Need to do unobtrusive info gathering first, by:
Visiting the target's corporate website for employees' names and emails, officers' names and organizational structure, etc.
Reading the trade press (often online and searchable) for info about products under development, firms' financial prospects, etc.
Searching the U.S. EDGAR* system online for ownership, shareholder information, etc.
Searching the Whois database at NetworkSolutions.com/whois/index.jsp, internic.net/whois.html, etc.
* Electronic Data Gathering, Analysis, and Retrieval
Host Scanning
Objective: identify the IP addresses of active hosts
Pinging individual hosts
Ping scanning: pinging a range of IP addresses
IP scanning software: fping, gping, Ping Sweep, Pinger
SYN/ACK scanning: used when a firewall is configured to block pinging from outside
Network Scanning
Objective: understand a network's internal structure, including the location of routers and firewalls
Also called network mapping
Main tools used:
Tracert (in Windows) or Traceroute (in Linux)
Network scanning software, e.g. NetScanner
Port Scanning
Most break-ins exploit specific services/applications

Service   Default Port
WWW       80
FTP       21
SMTP      25

Scan the target for open ports: send SYN segments to a particular port number and observe the SYN/ACK or reset (RST) responses
Fingerprinting
Determining the specific software run by the target
Identify a particular operating system or application program and (if possible) its version
For example: Microsoft Windows 2000 Server; BSD LINUX 4.2; Microsoft IIS 5.0
Useful because most exploits are specific to particular programs or versions
Active vs. Passive Fingerprinting
Active fingerprinting: send odd messages and observe the replies
Different operating systems and application programs respond differently
Active fingerprinting may set off alarms; attackers usually keep the rate of attack messages below the IDS's volume thresholds
Passive fingerprinting: read the headers (IP-H, TCP-H, etc.) of normal response messages
e.g. Windows 2000 uses TTL = 128 and Window Size = 18000
Passive fingerprinting is difficult because an admin could change the default values
Header fields used: Time To Live (8 bits); Protocol (8 bits): 1 = ICMP, 6 = TCP, 17 = UDP; Window Size (16 bits)
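The passive lookup described on this slide, as an added example in Python (not code from the original slides): it decodes the three header fields named above, TTL, Protocol and Window Size, from a raw IPv4+TCP packet and matches them against a small defaults table. The Windows 2000 row is the slide's; the Linux row, the packet builder and the 10.0.0.x addresses are constructed for the example. The third sample shows the slide's caveat: once an admin changes a default, the lookup returns unknown.

```python
import struct

# Defaults table. The Windows 2000 row is the slide's; the Linux row is a
# constructed sample entry so the lookup has more than one possible answer.
KNOWN_DEFAULTS = {
    (128, 18000): "Windows 2000 (TTL 128, Window Size 18000)",
    (64, 5840): "Linux (constructed sample entry: TTL 64, Window Size 5840)",
}
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # IP Protocol field values from the slide
INITIAL_TTLS = (32, 64, 128, 255)              # common starting TTL values


def parse_ip_tcp(packet: bytes) -> dict:
    """Extract the header fields passive fingerprinting relies on from a raw
    IPv4 packet: IP TTL (8 bits), IP Protocol (8 bits) and, for TCP, the
    16-bit Window Size. Nothing else in the headers is decoded."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4        # IP header length in bytes
    ttl, proto = packet[8], packet[9]
    fields = {"ttl": ttl, "protocol": PROTOCOLS.get(proto, str(proto))}
    if proto == 6:
        if len(packet) < ihl + 20:
            raise ValueError("too short for a TCP header")
        # TCP header layout: ports (4) seq (4) ack (4) offset/flags (2) window (2)
        fields["window"] = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]
    return fields


def guess_os(fields: dict) -> str:
    """Look up (initial TTL, window size) in the defaults table. The observed
    TTL is rounded up to the next common initial value because every router
    hop decrements it. An admin who changed the defaults defeats the lookup."""
    if "window" not in fields:
        return "unknown (no TCP window observed)"
    initial = next((t for t in INITIAL_TTLS if fields["ttl"] <= t), 255)
    return KNOWN_DEFAULTS.get((initial, fields["window"]),
                              "unknown (non-default or unlisted values)")


def build_sample(ttl: int, window: int, proto: int = 6) -> bytes:
    """Construct a minimal 40-byte IPv4+TCP packet carrying the given field
    values (constructed test input; checksums are left at zero)."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, proto, 0,
                            bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_header = struct.pack("!HHIIBBHHH", 80, 40000, 0, 0, 5 << 4, 0x12,
                             window, 0, 0)
    return ip_header + tcp_header


if __name__ == "__main__":
    # A reply that crossed 3 hops from a default Windows 2000 host, one from
    # the constructed Linux entry, and a Windows-like window with a changed TTL.
    for ttl, win in ((125, 18000), (60, 5840), (64, 18000)):
        f = parse_ip_tcp(build_sample(ttl, win))
        print(f, "->", guess_os(f))
```

The TTL rounding is what makes a remote observation usable at all: the field on the wire is the initial value minus the hop count, so only the value class can be recovered, never the exact default.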
Fingerprinting by Reading Banners
Many programs have preset banners used in initiating communications
Using telnet or FTP to connect to a server could display the banner
Summary Questions 1 (cont.)
In preparing his attack, the attacker sent normal HTTP requests to a web server. Then, he spent some time analyzing the protocol-related information in the responses received from the web server in order to determine what software is installed on the web server. Which of the following did the attacker do?
a) Active learning
b) Network scanning
c) Passive fingerprinting
d) None of the above
Password Guessing
Brute force: generating possible password combinations by changing one character at a time
If the password is 4 decimal digits: start with 0000; next try 0001; then 0002; etc. How many possible combinations? ___________
If the password is 6 alphabetical characters, how many possible combinations? _____________
Brute force password cracking software is available
Summary Questions 2 (cont.)
Assume that a password is 2 decimal digits long. What is the maximum number of passwords that an attacker would have to try in order to crack the password?
a) 4
b) 67108864
c) 1024
d) None of the above
How much time (in minutes) will it take to crack the password if it requires 1.2 seconds to try each password? Answer: a maximum of ______ minutes.
TCP Opening and DoS
For each TCP connection request (SYN), the server has to:
Respond to the request (SYN/ACK)
Set resources aside in order to respond to each data request
(Figure: computers 1, 2, 3, ... each complete a SYN, SYN/ACK, ACK handshake with the server, which is then left waiting for a request from Computer 1, from Computer 2, from Computer 3, and so on.)
Denial of Service (DoS)
What resources would the web server use to respond to each of the HTTP requests it receives?
What could be the consequences of the web server being flooded with too many requests from the attacker?
(Figure: the attacker's home network, a hub with several workstations behind a router, sends a stream of HTTP requests across the Internet to a web server that legitimate users are also sending HTTP requests to. All workstations use IP spoofing to send HTTP requests to the web server. Web server hardware shown: Intel Pentium 4 540 (3 GHz), 512 MB SDRAM, 2 x 100 GB SATA HDD, 16x CD drive, Gateway 3-button mouse, Gateway 108 keyboard, SVGA graphics card.)
Denial of Service (DoS) Attack
An attack that makes a computer's resources unavailable to legitimate users
Types of DoS attacks: single-message DoS, flooding DoS, distributed DoS
Single-Message DoS Attacks
First kind of DoS attack to appear
Exploit weaknesses in the coding of operating systems and network applications
Three main single-message DoS attacks: Ping of Death, Teardrop, LAND attack
Ping of Death Attacks
Take advantage of:
The fact that TCP/IP allows large packets to be fragmented
Some network applications' and operating systems' inability to handle packets larger than 65536 bytes
The attacker sends IP packets that are larger than 65,536 bytes through IP fragmentation.
Ping of Death attacks are rare today, as most operating systems have been fixed to prevent this type of attack from occurring.
Example of PoD code and vulnerable operating systems: http://insecure.org/sploits/ping-o-death.html
Fix: add checks in the reassembly process or in the firewall to protect hosts whose bug is not fixed. Check: the sum of the Total Length fields of the fragments of an IP packet is < 65536 bytes
IP header fields involved: Total Length (16 bits), Flags, Fragment Offset (13 bits)
Fragment Offset: identifies which fragment this packet is attached to. Flags: indicate whether the packet may be fragmented or not
Teardrop Attacks
Take advantage of IP fragmentation
The attacker sends a pretend fragmented IP packet, but the Fragment Offset values are not consistent
Earlier operating systems* and poorly coded network applications crash because they are unable to reassemble the packet due to missing fragments
(Figure: the attacker sends Frag 1, Frag 2, Frag 4 of a pretend fragmented IP packet to the victim.)
* Win 3.1, Win 95, Win NT, and Linux prior to 2.163
IP header fields involved: Total Length (16 bits), Flags, Fragment Offset (13 bits)
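The reassembly checks the Ping of Death and Teardrop slides call for, as one added example in Python (not code from the original slides). It takes the header fields both slides name (Total Length, Fragment Offset, the More Fragments bit of Flags) for each fragment of a set and rejects the set before the IP stack reassembles it when the result would reach 65536 bytes or when the offsets overlap or leave gaps. The fragment sets in `sample_sets` are constructed for the example; the slide words the size check as a sum of Total Length fields, while this version bounds the reassembled size directly.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65536   # the slide's bound: a reassembled IP packet must stay below this


@dataclass
class Fragment:
    """The header fields of one IP fragment that the slides name
    (Total Length, Fragment Offset, the More Fragments bit of Flags)."""
    offset_units: int            # Fragment Offset field, 13 bits, in 8-byte units
    total_length: int            # Total Length field, 16 bits, header included
    more_fragments: bool = True  # MF bit from the Flags field
    header_len: int = 20         # IHL * 4; 20 bytes without options

    @property
    def start(self) -> int:      # first payload byte this fragment covers
        return self.offset_units * 8

    @property
    def payload_len(self) -> int:
        return self.total_length - self.header_len

    @property
    def end(self) -> int:        # one past the last payload byte
        return self.start + self.payload_len


def check_fragments(frags: list) -> str:
    """Validate a fragment set before reassembling it. Returns "ok" or the
    reason the set should be dropped instead of handed to the IP stack."""
    if not frags:
        return "empty"
    frags = sorted(frags, key=lambda f: f.start)
    # Ping of Death check: header plus the highest payload byte must fit in
    # the 16-bit Total Length space, i.e. stay below 65536.
    if frags[0].header_len + max(f.end for f in frags) >= MAX_DATAGRAM:
        return "oversize: reassembled packet would reach 65536 bytes or more (Ping of Death)"
    expected = 0
    for f in frags:
        if f.payload_len <= 0:
            return "malformed: fragment carries no payload"
        if f.more_fragments and f.payload_len % 8:
            return "malformed: non-final fragment payload is not a multiple of 8"
        if f.start < expected:
            return f"inconsistent offsets: overlap at byte {f.start} (Teardrop)"
        if f.start > expected:
            return f"inconsistent offsets: gap before byte {f.start} (missing fragment)"
        expected = f.end
    if frags[-1].more_fragments:
        return "incomplete: no fragment has the More Fragments bit cleared"
    return "ok"


def sample_sets() -> dict:
    """Constructed fragment sets: a legitimate 3-fragment datagram on a
    1500-byte MTU, an oversize set (Ping of Death shape) and an overlapping
    set (Teardrop shape). 1500 bytes total length = 1480 payload = 185 units."""
    normal = [Fragment(0, 1500), Fragment(185, 1500),
              Fragment(370, 520, more_fragments=False)]
    oversize = [Fragment(i * 185, 1500, more_fragments=(i < 44)) for i in range(45)]
    overlap = [Fragment(0, 1500), Fragment(100, 1500, more_fragments=False)]
    return {"normal": normal, "ping_of_death": oversize, "teardrop": overlap}


if __name__ == "__main__":
    for name, frags in sample_sets().items():
        print(f"{name:14s} -> {check_fragments(frags)}")
```

A firewall that applies `check_fragments` before forwarding protects hosts whose stacks were never patched, which is exactly the placement the Ping of Death slide suggests; the gap and incomplete cases are the ones a reassembly buffer would otherwise hold open until a timeout.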
LAND Attacks
First appeared in 1997
The attacker uses IP spoofing with the source and destination addresses both referring to the target itself.
At the time, operating systems and routers were not designed to deal with this kind of loopback
The problem resurfaced more recently with Windows XP and Windows 2003 Server
Summary Questions 1
Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability?
Which of the following DoS attacks takes advantage of IP fragmentation?
a) LAND attack
b) Teardrop
c) Ping of Death
d) None of the above
In which of the following DoS attacks does the attacker make use of IP spoofing?
a) LAND attack
b) Teardrop
c) Ping of Death
d) None of the above
Flooding DoS Attacks
Flood a target with a series of messages in an attempt to make it crash
Main types of flooding DoS attacks: flooding with regular requests, SYN flooding, Smurf flooding, distributed DoS
SYN Flooding
The attacker sends a series of TCP SYN opening requests
For each SYN, the target has to send back a SYN/ACK segment and set aside memory and other resources to respond
When overwhelmed, the target slows down or even crashes
SYN flooding takes advantage of the client/server workload asymmetry
(Figure: the attacker sends SYN, SYN, SYN, SYN, SYN ... to the victim.)
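The server-side bookkeeping behind the TCP Opening slide and this one, as an added example in Python (not code from the original slides): it replays a constructed connection log, charges one half-open slot to the server for every SYN until the client's ACK arrives or a timeout frees it, and raises an alert when a server holds more half-open connections than a limit. The 60.47.3.9:80 address is the web server from the firewall slides; the client addresses, the limit and the timeout are constructed assumptions.

```python
from collections import defaultdict

HALF_OPEN_LIMIT = 5        # alert once a server holds more than this many half-open connections
HANDSHAKE_TIMEOUT = 3.0    # seconds a server keeps a half-open slot before giving up on the ACK

# Constructed event log: (time_s, sender, receiver, segment). One normal client
# completes SYN -> SYN/ACK -> ACK; eight flood sources send SYN and never ACK
# the server's SYN/ACK; a second normal client connects after the flood.
FLOOD_SRC = [f"203.0.113.{7 + i % 3}:{50000 + i}" for i in range(8)]
SAMPLE_EVENTS = (
    [(0.0, "10.1.1.5:40001", "60.47.3.9:80", "SYN"),
     (0.1, "60.47.3.9:80", "10.1.1.5:40001", "SYN/ACK"),
     (0.2, "10.1.1.5:40001", "60.47.3.9:80", "ACK")]
    + [(1.0 + i * 0.05, src, "60.47.3.9:80", "SYN") for i, src in enumerate(FLOOD_SRC)]
    + [(1.01 + i * 0.05, "60.47.3.9:80", src, "SYN/ACK") for i, src in enumerate(FLOOD_SRC)]
    + [(5.0, "10.1.1.6:40002", "60.47.3.9:80", "SYN"),
       (5.1, "60.47.3.9:80", "10.1.1.6:40002", "SYN/ACK"),
       (5.2, "10.1.1.6:40002", "60.47.3.9:80", "ACK")]
)


def track_half_open(events):
    """Replay the log and return (alerts, peak_half_open_per_server, still_open).
    A client's SYN reserves a slot on the server; the client's ACK releases
    it; slots older than HANDSHAKE_TIMEOUT are released as the server would
    release them. Only the server side is charged: that is the client/server
    workload asymmetry SYN flooding exploits."""
    half_open = {}             # (client, server) -> time the SYN arrived
    peak = defaultdict(int)
    alerts = []
    for t, src, dst, seg in sorted(events):
        for key, t0 in list(half_open.items()):    # expire stale slots first
            if t - t0 > HANDSHAKE_TIMEOUT:
                del half_open[key]
        if seg == "SYN":
            half_open[(src, dst)] = t
        elif seg == "ACK":
            half_open.pop((src, dst), None)
        else:                   # SYN/ACK is the server's reply: no change in slots
            continue
        server = dst
        count = sum(1 for (_, s) in half_open if s == server)
        peak[server] = max(peak[server], count)
        if count > HALF_OPEN_LIMIT and all(a[1] != server for a in alerts):
            alerts.append((t, server, count))
    return alerts, dict(peak), len(half_open)


if __name__ == "__main__":
    alerts, peak, still_open = track_half_open(SAMPLE_EVENTS)
    print("alerts:", alerts)
    print("peak half-open per server:", peak)
    print("slots still held at end of log:", still_open)
```

The flood sources cost nothing after their SYN, while the server holds eight slots until the timeout; the alert fires on the sixth unanswered SYN. The second client at t=5.0 only gets a clean slot because the stale ones have expired by then, which is why a short SYN-received timeout is one of the classic mitigations.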
Smurf Flooding DoS
The attacker uses IP spoofing
The attacker sends ping / echo messages to third-party computers on behalf of the target
All third-party computers respond to the target
Distributed DoS (DDoS) Attack
The attacker hacks into multiple clients and plants handler programs on them. The clients become bots or intermediaries
The attacker sends attack commands to the handlers, which execute the attacks
First appeared in 2000 with the Mafiaboy attack against cnn.com, ebay.com, etrade.com, yahoo.com, etc.
(Figure: Attacker -> Attack Command -> Handler -> Attack Command -> Bots -> DoS Messages -> Server.)
Link to how to deal with DDoS (by Cisco)
Virus
Code/program (script, macro) that:
Attaches to files
Spreads by user actions (floppy disk, flash drive, opening an email attachment, IRC, FTP, etc.), not by itself.
Symptoms:
Annoying actions when the virus is executed: hogs up memory, crashes the system, drives are not accessible, antivirus disabled, etc.
Destructive actions when executed: delete files, alter files, etc.
Viruses Could Be
Boot sector viruses: attach themselves to files in the boot sector of the HD
File infector viruses: attach themselves to files (i.e. program files and user files)
Polymorphic viruses: mutate with every infection (using encryption techniques), making them hard to locate
Metamorphic viruses: rewrite themselves completely each time they are to infect new executables*
Stealth: hides itself by intercepting disk access requests by antivirus programs.
(Figure: a request by the antivirus reaches the OS through the stealth virus. The stealth virus returns an uninfected version of files to the anti-virus software, so that infected files seem "clean".)
* a metamorphic engine is needed
Worm
Does not attach to files
A self-replicating computer program that propagates across a system
Uses a host computer's resources and network connections to transfer a copy of itself to another computer
Harms the host computer by consuming processing time and memory
Harms the network by consuming bandwidth
Question: Distinguish between viruses and worms
Trojan Horse
A computer program that appears to be a useful program like a game, a screen saver, etc., but is really a program designed to damage or take control of the host computer
When executed, a Trojan horse could:
Format disks
Delete files
Open TCP ports to allow a remote computer to take control of the host computer (back door)
NetBus and SubSeven used to be attackers' favorite programs for remote control of targets
Logic Bomb
A piece of malicious code intentionally inserted into a software system
The bomb is set to run when a certain condition is met: the passing of a specified date/time; the deletion of a specific record in a database
Example: a programmer could insert a logic bomb that functions as follows: scan the payroll records each day. If the programmer's name is removed from the payroll, then the logic bomb will destroy vital files weeks or months after the name removal.
Test Your Firewall Knowledge
Which of the following is true about firewalls?
a) A firewall is a hardware device
b) A firewall is a software program
c) Firewalls could be hardware or software
Which of the following is true about firewalls?
a) They are used to protect a whole network against attacks
b) They are used to protect single computers against attacks
c) Both a and b.
Test Your Firewall Knowledge (cont.)
Which of the following is true about firewalls?
a) They are configured to monitor inbound traffic and protect against attacks by intruders
b) They are configured to monitor outbound traffic and prevent specific types of messages from leaving the protected network.
c) Both a and b
Firewall: Definition
A hardware or software tool used to protect a single host(1) or an entire network(2) by “sitting” between a trusted network (or a trusted host) and an untrusted network, and applying preconfigured rules and/or traffic knowledge to allow or deny access to incoming and outgoing traffic
(1) Host-based or personal firewall. (2) Network-based firewall
(Figure: a network-based firewall sits between the untrusted network and the trusted network; inside the trusted network, PCs run host-based firewalls.)
Questions
What is the main advantage of having a host-based firewall in addition to having a network-based one?
Answer:_________________________________________
What kind of security issue could be associated with having a host-based firewall on users' PCs?
Answer:__________________________________________
(Figure: as on the previous slide, a network-based firewall between the untrusted and trusted networks, with host-based firewalls on the PCs.)
Firewall Architecture
Most firms have multiple firewalls. Their arrangement is called the firm's firewall architecture.
(Figure, the firm's firewall architecture: the Internet; a Screening Router Firewall; a Main Border Firewall; an Internal Firewall; a Demilitarized Zone (DMZ) with the public-facing hosts Public Webserver 60.47.3.9, SMTP Application Proxy Server 60.47.3.10, HTTP Application Proxy Server 60.47.3.1 and External DNS Server 60.47.3.4; internal subnets 172.18.9.x, a Marketing Client on the 172.18.5.x subnet, an Accounting Server on the 172.18.7.x subnet and an Email Server on the 172.18.6.x subnet; three Host Firewalls on internal machines.)
Questions
What is a DMZ?
Which of the following may be placed in a DMZ?
a) An SMTP proxy server
b) A server that contains files available for downloading by employees
c) A File Transfer Protocol server
d) A SQL (Structured Query Language) database server
What IP addresses should a DNS server in the DMZ be able to find?
a) All the company's IP addresses
b) Only the IP addresses of the computers in the internal subnet
c) Only the IP addresses of the computers in the DMZ
You work as the security administrator at King.com. King.com has been receiving a high volume of attacks on the king.com web site. You want to collect information on the attackers so that legal action can be taken. Which of the following can you use to accomplish this?
a) A DMZ (Demilitarized Zone).
b) A honey pot.
c) A firewall.
d) None of the above.
Basic Firewall Operation
Ingress filtering: filtering packets coming from external networks
Egress filtering: filtering packets leaving to external networks
(Figure: the Border Firewall sits between the Internet (not trusted) and the Internal Corporate Network (trusted). Attack Packet 1 from the attacker is dropped on ingress and recorded in the log file; Legitimate Packet 1 from the legitimate user is passed on ingress; Legitimate Packet 2 from the internal network is passed on egress.)
Types of Firewalls
Static Packet Filtering Firewalls (1st generation)
Inspect TCP, UDP, IP headers to make filtering decisions
Do static filtering of individual packets based on a configured ruleset (or Access Control List)
Prevent attacks that use IP or port spoofing, etc.
Stateful Packet Filtering Firewalls (2nd generation)
Inspect TCP, UDP, IP headers to make filtering decisions
Do stateful filtering by checking the firewall's state table for the relation of packets to packets already filtered
If a packet does not match an existing connection, the ruleset (static filtering) is used
If a packet matches an existing connection, it is allowed to pass
Prevent SYN attacks, teardrops, etc.

State Table
Connection     Source IP       Destination IP    State
Connection 1   123.12.13.4     60.47.3.9:80      TCP opening
Connection 2   213.14.33.56    60.47.3.9:80      Data transfer
...            ...             ...               ...

(Figure: a packet as IP-H | TCP-H or UDP-H | Application Layer Message; packet-filtering firewalls inspect only the headers.)
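The two filtering generations side by side, as an added example in Python (not code from the original slides): a static ruleset judged per packet, and a stateful wrapper that keeps a state table in the shape of the slide's (connection, source, destination, state) and falls back to the ruleset only for packets that match no connection. The server 60.47.3.9:80 and the client addresses 123.12.13.4 and 213.14.33.56 are the slide's; the single allow rule, the ports and the remaining addresses are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str            # "ip:port"
    dst: str            # "ip:port"
    proto: str = "TCP"
    flags: str = ""     # TCP flags as letters: S = SYN, A = ACK, R = RST, F = FIN


# Static ruleset (ACL) for the border firewall, constructed for the example:
# only connection openings to the public web server are allowed in.
STATIC_RULES = [
    {"action": "allow", "proto": "TCP", "dst": "60.47.3.9:80", "flags": "S"},
]


def static_filter(pkt: Packet) -> str:
    """1st-generation behaviour: decide from this packet's headers alone."""
    for rule in STATIC_RULES:
        if (rule["proto"] == pkt.proto and rule["dst"] == pkt.dst
                and rule["flags"] == pkt.flags):
            return rule["action"]
    return "deny"


class StatefulFirewall:
    """2nd-generation behaviour: packets belonging to a connection already in
    the state table pass; anything else is judged by the static ruleset, and
    an allowed SYN creates a new table entry."""

    def __init__(self):
        self.table = {}     # (client, server) -> state, like the slide's table
        self.log = []       # dropped packets, as a border firewall would log them

    def filter(self, pkt: Packet) -> str:
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if fwd in self.table:                       # client -> server, known connection
            if "A" in pkt.flags and self.table[fwd] == "TCP opening":
                self.table[fwd] = "Data transfer"   # handshake completed
            if "R" in pkt.flags or "F" in pkt.flags:
                del self.table[fwd]                 # connection torn down
            return "pass"
        if rev in self.table:                       # server -> client reply
            return "pass"
        if static_filter(pkt) == "allow" and "S" in pkt.flags:
            self.table[fwd] = "TCP opening"
            return "pass"
        self.log.append(f"dropped {pkt.proto} {pkt.src} -> {pkt.dst} flags={pkt.flags}")
        return "drop"


def run_scenario():
    """Constructed packet sequence: one legitimate handshake, then three
    packets that match no connection and fail the static rules."""
    fw = StatefulFirewall()
    results = [
        fw.filter(Packet("123.12.13.4:3301", "60.47.3.9:80", flags="S")),    # pass, table: TCP opening
        fw.filter(Packet("60.47.3.9:80", "123.12.13.4:3301", flags="SA")),   # pass, reply to a known client
        fw.filter(Packet("123.12.13.4:3301", "60.47.3.9:80", flags="A")),    # pass, table: Data transfer
        fw.filter(Packet("213.14.33.56:4412", "60.47.3.9:80", flags="A")),   # drop: ACK without a connection
        fw.filter(Packet("198.51.100.9:2222", "60.47.3.9:25", flags="S")),   # drop: no rule for port 25
        fw.filter(Packet("60.47.3.9:80", "198.51.100.9:2222", flags="SA")),  # drop: reply nobody asked for
    ]
    return results, dict(fw.table), list(fw.log)


if __name__ == "__main__":
    results, table, log = run_scenario()
    print(results)
    print(table)
    print("\n".join(log))
```

The fourth packet is the interesting one: a static filter that admits "established" traffic by looking for the ACK bit would let it in, whereas the stateful filter drops it because no SYN from 213.14.33.56 was ever seen. That is the sense in which the slide says stateful filtering prevents attacks built from packets that only look like parts of a connection.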
Types of Firewalls (cont.)
Application Firewalls (3rd generation)
Also called proxy firewalls
Inspect the Application Layer message (e.g. HTTP requests, emails, etc.)
Specialized proxy firewalls are more effective than general-purpose ones:
HTTP proxy firewalls for HTTP requests
SMTP proxy firewalls for SMTP emails
FTP proxy firewalls for FTP-based file transfer requests
Prevent malware attacks
(Figure: a packet as IP-H | TCP-H or UDP-H | Application Layer Message; the application firewall inspects the Application Layer message. Flow through an HTTP proxy: 1. HTTP request from the browser; 2. passed inspected HTTP request to the webserver application; 3. HTTP response; 4. passed inspected HTTP response back to the browser; inspected traffic is recorded in the log file.)
Types of Firewalls (cont.)
Network Address Translation Firewall
Replaces the IP address in an outgoing message with a spoof IP address
Hides internal hosts' IP addresses from outsiders
Helps prevent IP spoofing attacks using internal IP addresses

Host IP Address    Outgoing IP Address    Request ID
135.12.23.12       135.12.20.1            120121
135.12.22.2        135.12.20.2            120122
135.12.21.3        135.12.20.3            120123
...                ...                    ...

(Figure: internal hosts 135.12.23.12, 135.12.22.2 and 135.12.21.3 appear to the outside as 135.12.20.1, 135.12.20.2 and 135.12.20.3.)
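The translation table on this slide, driven as an added example in Python (not code from the original slides): outgoing requests are rewritten to an outgoing address and numbered with a Request ID, replies are mapped back through the table, and inbound packets that match no request are dropped. The host and outgoing addresses and the first Request ID reproduce the slide's table; the external server address, the one-reply-per-request rule and the internal prefixes used by the anti-spoofing check are constructed assumptions.

```python
import itertools

# Internal subnets of the slide's hosts (constructed prefixes derived from the
# slide's addresses). NAT never lets these addresses out, so a packet arriving
# from the untrusted side that claims one of them cannot be genuine.
INTERNAL_PREFIXES = ("135.12.21.", "135.12.22.", "135.12.23.")


def spoofed_internal_source(src_ip: str) -> bool:
    """Ingress anti-spoofing check on an inbound packet's source address."""
    return src_ip.startswith(INTERNAL_PREFIXES)


class NatFirewall:
    """NAT as on the slide: each outgoing request gets an outgoing (public)
    address and a Request ID; the table maps replies back and drops anything
    that no request asked for."""

    def __init__(self, public_pool):
        self.pool = list(public_pool)
        self.next_id = itertools.count(120121)   # first Request ID on the slide
        self.by_host = {}       # host IP -> outgoing IP
        self.table = {}         # request ID -> (host IP, outgoing IP, external IP)

    def outbound(self, host_ip, dst_ip):
        """Rewrite an outgoing packet's source. Returns (outgoing IP, request ID)."""
        if host_ip not in self.by_host:
            if not self.pool:
                raise RuntimeError("outgoing address pool exhausted")
            self.by_host[host_ip] = self.pool.pop(0)
        rid = next(self.next_id)
        self.table[rid] = (host_ip, self.by_host[host_ip], dst_ip)
        return self.by_host[host_ip], rid

    def inbound(self, src_ip, dst_ip, request_id):
        """Map a reply back to the internal host, or return None (drop) when
        no matching request exists or the addresses do not match it."""
        entry = self.table.get(request_id)
        if entry is None:
            return None
        host_ip, outgoing_ip, external_ip = entry
        if dst_ip != outgoing_ip or src_ip != external_ip:
            return None
        del self.table[request_id]      # one reply per request; replays are dropped
        return host_ip


def run_scenario():
    """Reproduce the slide's table, then replay three inbound packets."""
    nat = NatFirewall(["135.12.20.1", "135.12.20.2", "135.12.20.3"])
    external = "198.51.100.20"          # constructed external server address
    rows = [(h, *nat.outbound(h, external))
            for h in ("135.12.23.12", "135.12.22.2", "135.12.21.3")]
    genuine = nat.inbound(external, "135.12.20.2", rows[1][2])      # -> 135.12.22.2
    replayed = nat.inbound(external, "135.12.20.2", rows[1][2])     # -> None
    unsolicited = nat.inbound(external, "135.12.20.1", 999999)      # -> None
    return rows, genuine, replayed, unsolicited


if __name__ == "__main__":
    rows, genuine, replayed, unsolicited = run_scenario()
    print("Host IP Address   Outgoing IP Address   Request ID")
    for host, out_ip, rid in rows:
        print(f"{host:17s} {out_ip:21s} {rid}")
    print("genuine reply ->", genuine, "| replayed ->", replayed, "| unsolicited ->", unsolicited)
    print("inbound packet claiming 135.12.23.12 is spoofed:", spoofed_internal_source("135.12.23.12"))
```

Two separate protections are visible here. Hiding the table means an outsider only ever learns 135.12.20.x, never a real host address, and the ingress check turns that into an enforceable rule: no legitimate inbound packet can carry an internal source address, so any that does is dropped as spoofed.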