Security+ Certification - Chapter 3: Attacks and Malicious Code Part 1 - Athena (slide text, 43 pages)
Chapter 3:
Attacks and Malicious Code
Objectives in this chapter
Explain denial-of-service (DoS) attacks
Explain and discuss ping-of-death attacks
Identify major components used in a DDoS
attack and how they are installed
Understand major types of spoofing attacks
Discuss man-in-the-middle attacks, replay
attacks, and TCP session hijacking
ATHENA
Learning Objectives
Detail three types of social-engineering attacks
and explain why they can be incredibly
damaging
List major types of attacks used against
encrypted data
List major types of malicious software and
identify a countermeasure for each one
Why Secure a Network?
(Diagram: an external attacker and an internal attacker both threaten corporate assets; the threats pictured are a virus and incorrect permissions.)
A network security design protects assets from threats and vulnerabilities in an organized manner
To design security, analyze risks to your assets and create responses
Terminology
Vulnerability – a flaw or error in software or configuration that opens a security "hole"
Patch – code from the vendor that eliminates the vulnerability (it does nothing until it is actually applied)
Exploit – code that takes advantage of a particular vulnerability; worms and viruses often carry an exploit so they can spread without any user action
What should happen
Vulnerability is found, reported to the vendor, and published
Patch is written and made available
Everybody patches their computers
Only then does somebody release an exploit
In practice the order is often reversed: exploits frequently appear while most systems are still unpatched, and a "zero-day" exploit appears before any patch exists, so the time it takes you to patch is itself a risk
Denial-of-Service Attacks
Any malicious act that causes a system to be
unusable by its real user(s)
Take numerous forms
Are very common
Can be very costly
Major types
• SYN flood
• Smurf attack
TCP Three-Way Handshake
SYN Flood
Exploits the TCP three-way handshake
The initiating machine sends a SYN; the receiving machine records a half-open connection and sends back a SYN/ACK. The initiating machine never sends the final ACK that would complete the connection.
The receiving machine keeps the half-open entry for a fixed time (the SYN/ACK retransmission period, typically tens of seconds) before clearing it.
SYN Flood
When the receiving machine's TCP stack was written, the programmers chose a fixed size for the backlog of connections that can be "waiting" in the half-open (SYN_RECEIVED) state.
Once that backlog is full the machine drops new SYNs, so it is effectively not listening even though it has plenty of CPU and bandwidth: the attack exhausts a small per-port table, not the link.
Things the Blackhat Must Consider
The receiving machine will send a SYN/ACK to the spoofed source address.
If that address belongs to a live host, the host will reply with a RST (it never sent a SYN), which clears the half-open entry and frees the slot. This is not what the blackhat wants.
Solution: spoof a source address that will never answer, such as a private (RFC 1918) or unallocated address, or a host known to be down.
What Can the Good-guys Do?
Shorten the time the receiving computer will wait before clearing a half-open connection (the cost: clients on slow or lossy links may fail to connect).
Allow a greater number of half-open connection attempts (a larger backlog); this only raises the packet rate the attacker needs.
Use a firewall that, on seeing the server's SYN/ACK, sends the final ACK to the server itself so the entry leaves the half-open queue, and resets the connection if the real client never follows up (or a full SYN proxy that completes the handshake with the client before touching the server).
Modern stacks also use SYN cookies: the server encodes the connection details in its initial sequence number instead of storing state, and only creates the connection when an ACK arrives whose acknowledgement number verifies.
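To make the backlog-exhaustion argument above concrete, here is an added example (not code from the Athena slides): a simulation of the half-open queue that shows why spoofed sources must be unreachable (a RST frees the slot), how a shorter timeout or larger backlog changes the flood rate needed, and a simplified SYN-cookie check that needs no queue at all. The backlog size, timeout, flood rate, addresses and the cookie secret are all constructed; real SYN cookies also encode the negotiated MSS, which this model omits.

```python
"""Half-open connection backlog under a SYN flood, plus a SYN-cookie check.

Constructed illustration: a simulation of the SYN_RECV queue, no packets are
sent. Backlog size, timeout and flood rate are made up for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Backlog:
    """Per-listening-socket queue of connections that got a SYN/ACK but no final ACK."""
    capacity: int                                   # fixed by the stack's authors
    timeout: int                                    # seconds before a half-open entry is cleared
    half_open: dict = field(default_factory=dict)   # (ip, port) -> expiry time

    def _expire(self, now):
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, src, now):
        """True if the SYN got a slot (SYN/ACK sent); False if the backlog was full and it was dropped."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            return False
        self.half_open[src] = now + self.timeout
        return True

    def on_rst(self, src):
        """A live host that never sent a SYN answers our SYN/ACK with RST, freeing the slot."""
        self.half_open.pop(src, None)

    def on_ack(self, src):
        """The final ACK completes the handshake; the entry leaves the half-open queue."""
        return self.half_open.pop(src, None) is not None


LEGIT_CLIENT = ("192.0.2.10", 40000)   # constructed: the real user trying to connect


def syn_flood(capacity, timeout, rate, seconds, sources_answer_rst):
    """Attacker sends `rate` SYNs per second, each from a distinct spoofed source.
    Returns the fraction of seconds in which the legitimate client's SYN was refused."""
    backlog = Backlog(capacity, timeout)
    refused, n = 0, 0
    for now in range(seconds):
        for _ in range(rate):
            src = (f"198.51.100.{n % 256}", 1024 + n % 60000)   # constructed spoofed sources
            n += 1
            if backlog.on_syn(src, now) and sources_answer_rst:
                backlog.on_rst(src)          # spoofed address was live: its RST clears the entry
        if backlog.on_syn(LEGIT_CLIENT, now):
            backlog.on_ack(LEGIT_CLIENT)     # the real client finishes the handshake at once
        else:
            refused += 1
    return refused / seconds


SECRET = b"constructed-demo-key"   # per-host secret, constructed for the example


def syn_cookie(src, dst, counter):
    """Server ISN that stands in for a backlog entry: the top 8 bits carry a slowly
    incrementing counter, the low 24 bits a keyed hash of the 4-tuple and counter.
    The server stores nothing when it sends the SYN/ACK."""
    msg = f"{src}|{dst}|{counter}".encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((counter & 0xFF) << 24) | mac


def check_ack(src, dst, ack_number, now_counter):
    """The client's final ACK acknowledges cookie+1. Accept only if the cookie verifies
    for the current or the previous counter value (a bounded window); anything else is
    forged or stale, and the original SYN never consumed any state."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    for c in (now_counter, now_counter - 1):
        if (c & 0xFF) == cookie >> 24 and syn_cookie(src, dst, c) == cookie:
            return True
    return False


if __name__ == "__main__":
    print("refused, unreachable spoofed sources:", syn_flood(128, 75, 10, 100, False))
    print("refused, live spoofed sources (RST): ", syn_flood(128, 75, 10, 100, True))
    print("refused, 3 s half-open timeout:      ", syn_flood(128, 3, 10, 100, False))
```

With a 128-entry backlog and a 75-second timeout, ten spoofed SYNs per second from silent sources are enough to refuse the real client for 88 of 100 seconds; the same flood from live sources refuses nobody, and a 3-second timeout also defeats it at that rate. The cookie functions show the alternative: the server hands out an ISN it can later verify, so there is no table for a flood to fill.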
Smurf
Non-OS-specific attack that uses a third-party network to amplify its effect on the victim
Sends ICMP echo requests (pings) to that network's broadcast address with the victim's address forged as the source
Every host on the network answers, so the network floods the victim with ICMP echo replies; the amplification factor is the number of responding hosts
Saturates the victim's Internet connection with bogus traffic and delays or prevents legitimate traffic from reaching its destination
Protective Measures Against Smurf
Routers should be configured to drop packets (ICMP in particular) addressed to an internal broadcast or multicast address, i.e. disable directed broadcasts on every interface.
Hosts should be configured to ignore echo requests directed to their broadcast address.
Check a published list of smurf amplifier networks to make sure your network is not on it and is configured properly.
IP Fragmentation Attacks:
Ping of Death
Uses IP packet fragmentation to crash remote systems.
The maximum size of an IP datagram is 65,535 bytes (the Total Length field is 16 bits), but most link layers can't carry frames that large, so the datagram is broken into smaller fragments, each carrying an offset, and reassembled by the receiver.
An attacker crafts fragments whose offset plus length adds up to more than 65,535 bytes. Older operating systems reassembled without checking this bound, overflowed their fixed-size reassembly buffer, and crashed. Modern stacks reject any fragment that would push the datagram past 65,535 bytes.
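As an added example (not code from the slides), the following builds an ICMP echo request with a valid checksum, fragments it the way a router would, and reassembles it with the bounds check whose absence made ping of death possible. The oversized payload size and the 1500-byte MTU are constructed; the reassembler assumes non-overlapping fragments, and a Python bytearray cannot be overflowed, so the check is enforced explicitly rather than demonstrated as a crash.

```python
"""IP fragmentation and reassembly with the 65,535-byte bound that defeats ping of death.

Constructed example: packets are built and reassembled in memory, nothing is sent.
"""
import struct

IP_MAX_TOTAL = 65535      # 16-bit Total Length: header + payload can never exceed this
IP_HDR_LEN = 20           # minimal IPv4 header
FRAG_UNIT = 8             # the Fragment Offset field counts 8-byte units


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (verifies to 0 on a correct message)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_request(payload, ident=0x1234, seq=1):
    """ICMP type 8, code 0; the payload length is entirely the sender's choice."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def fragment(ip_payload, mtu=1500):
    """Split an IP payload as a router would: (offset in 8-byte units, more-fragments flag, data).
    Every fragment except the last carries a multiple of 8 bytes."""
    chunk = (mtu - IP_HDR_LEN) // FRAG_UNIT * FRAG_UNIT   # 1480 bytes for a 1500-byte MTU
    frags = []
    for start in range(0, len(ip_payload), chunk):
        data = ip_payload[start:start + chunk]
        more = start + chunk < len(ip_payload)
        frags.append((start // FRAG_UNIT, more, data))
    return frags


def reassemble(fragments):
    """Rebuild the payload in any arrival order, refusing a fragment that would push the
    datagram past 65,535 bytes. Skipping this check is what let ping of death overrun a
    fixed 64 KiB reassembly buffer in older stacks."""
    buf = bytearray()
    covered = 0          # bytes placed so far (assumes non-overlapping fragments)
    total_len = None     # learned from the fragment with the more-fragments flag clear
    for offset_units, more, data in fragments:
        start = offset_units * FRAG_UNIT
        end = start + len(data)
        if IP_HDR_LEN + end > IP_MAX_TOTAL:
            raise ValueError(f"fragment ends at payload byte {end}: datagram would exceed {IP_MAX_TOTAL}")
        if not more:
            total_len = end
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        buf[start:end] = data
        covered += len(data)
    if total_len is None or covered != total_len:
        raise ValueError("incomplete datagram: last fragment missing or gaps in coverage")
    return bytes(buf[:total_len])


def accepts(fragments):
    """True if the receiver would reassemble these fragments, False if it rejects them."""
    try:
        reassemble(fragments)
        return True
    except ValueError:
        return False


def normal_ping():
    return fragment(icmp_echo_request(b"B" * 4000))   # 4,028-byte datagram, 3 fragments


def ping_of_death():
    """Constructed oversized echo request: 65,510 payload bytes + 8-byte ICMP header
    + 20-byte IP header = 65,538 bytes, 3 more than Total Length can express."""
    return fragment(icmp_echo_request(b"A" * 65510))


if __name__ == "__main__":
    print("normal ping reassembles:", accepts(normal_ping()))
    print("ping of death rejected:  ", not accepts(ping_of_death()))
```

Only the final fragment of the oversized datagram trips the check (it starts at offset 65,120 and ends at 65,518, which with the IP header is 65,538 bytes); every earlier fragment looks perfectly normal, which is why a reassembler has to validate offset plus length on each fragment rather than trusting the total it sees at the end.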
Ping of Death
Distributed Denial-of-Service Attacks
Use hundreds of hosts on the Internet to attack
the victim by flooding its link to the Internet or
depriving it of resources
Used by hackers to target government and
business Internet sites
Automated tools; can be executed by script
kiddies
Result in temporary loss of access to a given site
and associated loss in revenue and prestige
DDoS Tools and Attack Methods
DDoS Countermeasures
Install the latest security patches from software vendors, so your hosts are not recruited as DDoS agents
Antivirus software can detect known DDoS agent (zombie) software, though it is no substitute for patching
Firewalls reduce exposure, but cannot absorb a flood that saturates the link in front of them
Ingress (inbound) and egress (outbound) filtering, so your network can neither be spoofed nor used as a source of spoofed traffic
Ingress and Egress Filtering
Preventing the Network from
Inadvertently Attacking Others
Filter packets coming into the network destined
for a broadcast address
Turn off directed broadcasts on internal routers
Block any packet from entering the network
that has a source address that is not permissible
on the Internet (see Figures 3-8 and 3-9)
Block at the firewall any packet that uses a
protocol or port that is not used for Internet
communications on the network
Block packets with a source address originating
inside your network from entering your
network
Ingress Filtering of Packets
with RFC 1918 Addresses
Filtering of Packets
with RFC 2827 Addresses
IP – What to Filter
All private (RFC 1918) addresses: 10.0.0.0/8, 172.16.0.0/12 (172.16.0.0 – 172.31.255.255), 192.168.0.0/16, coming in or going out
127.0.0.0/8 (loopback), coming in or going out
Unallocated IP ranges (see the IANA ipv4-address-space registry), coming or going. The slide's examples, 1.0.0.0/8 and 2.0.0.0/8, have since been allocated, and IANA's free /8 pool was exhausted in 2011, so take "bogon" ranges from a maintained feed rather than a static list
Your own addresses, coming in
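The filtering rules on this and the preceding slides, written out as a decision function so they can be tested, as an added example that is not part of the Athena material. The organisation's prefix 203.0.113.0/24 and the sample packets are constructed; the unroutable list goes beyond the slide's (RFC 1918 plus loopback) by adding other martian sources, and it deliberately does not hardcode "unallocated" space. The IOS access-list rendering assumes Cisco extended-ACL syntax and should be checked against your platform.

```python
"""Ingress/egress source-address filtering at a border router.

Constructed example: OUR_PREFIX and the sample packets are made up.
"""
import ipaddress

OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # constructed: the site's own public range

# Never valid as a source or destination on the Internet (the slide's list).
PRIVATE_AND_LOOPBACK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8",                                   # loopback
)]
# Additional addresses that are never valid as a *source* (multicast is a legal destination).
OTHER_MARTIAN_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",          # "this network"
    "169.254.0.0/16",     # link-local
    "224.0.0.0/4",        # multicast
    "240.0.0.0/4",        # reserved / broadcast
)]
# Unallocated ("bogon") space is not frozen in code: IANA's /8 pool ran out in 2011 and the
# slide's 1.0.0.0/8 and 2.0.0.0/8 are long allocated. Load a maintained bogon feed instead.


def in_any(addr, nets):
    return any(addr in net for net in nets)


def decide(direction, src, dst):
    """Border-router decision. direction: 'in' (Internet -> us) or 'out' (us -> Internet).
    Returns (action, reason); the first matching rule wins, as in an ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_any(src, PRIVATE_AND_LOOPBACK) or in_any(src, OTHER_MARTIAN_SOURCES):
        return "drop", "unroutable source address"
    if in_any(dst, PRIVATE_AND_LOOPBACK):
        return "drop", "unroutable destination address"
    if direction == "in":
        if src in OUR_PREFIX:
            return "drop", "RFC 2827 ingress: outside packet claims an inside source"
        if dst == OUR_PREFIX.broadcast_address:
            return "drop", "directed broadcast (smurf amplification)"
    else:
        if src not in OUR_PREFIX:
            return "drop", "RFC 2827 egress: source we do not own (spoofed or leaked)"
    return "permit", "ok"


def ios_acl(number=101):
    """The inbound rules as Cisco IOS extended-ACL lines (syntax assumed; verify on your gear).
    IOS wildcard masks are inverted netmasks, which ipaddress exposes as .hostmask."""
    lines = []
    for net in PRIVATE_AND_LOOPBACK + OTHER_MARTIAN_SOURCES:
        lines.append(f"access-list {number} deny ip {net.network_address} {net.hostmask} any")
    lines.append(f"access-list {number} deny ip {OUR_PREFIX.network_address} {OUR_PREFIX.hostmask} any")
    lines.append(f"access-list {number} deny ip any host {OUR_PREFIX.broadcast_address}")
    lines.append(f"access-list {number} permit ip any any")
    return lines


SAMPLE_PACKETS = [                       # constructed (direction, src, dst)
    ("in", "10.1.2.3", "203.0.113.5"),
    ("in", "203.0.113.9", "203.0.113.5"),
    ("in", "198.51.100.7", "203.0.113.255"),
    ("in", "198.51.100.7", "203.0.113.5"),
    ("out", "203.0.113.5", "198.51.100.7"),
    ("out", "192.0.2.44", "198.51.100.7"),
    ("out", "203.0.113.5", "127.0.0.1"),
]


def audit(packets=SAMPLE_PACKETS):
    """Return [(direction, src, dst, action, reason)] for a batch of packets."""
    return [(d, s, t, *decide(d, s, t)) for d, s, t in packets]


if __name__ == "__main__":
    for row in audit():
        print(*row)
    print("\n".join(ios_acl()))
```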
Spoofing
Act of falsely identifying a packet’s IP address,
MAC address, etc
Four primary types
• IP address spoofing
• ARP poisoning
• Web spoofing
• DNS spoofing
IP Address Spoofing
Used to exploit trust relationships between two hosts
The trust relationship could be enforced at the router, the firewall, by an application (e.g. address-based access lists), or by the OS
Involves crafting IP packets with a forged source address, that of the trusted host
Problems to be overcome
Although it is easy to craft packets and spoof IP addresses, the attacker can't cause the return packets to be delivered back to him/her: the attack is "blind".
The return packets will be delivered to the trusted host, which, having sent nothing, could reset the connection and foil the attack (so the attacker typically silences the trusted host first, e.g. with a SYN flood).
The packets sent to the victim must carry the correct TCP sequence number, so the attacker has to predict the victim's initial sequence number; predictable ISNs made this feasible, and randomized ISNs are the defence.
ARP Poisoning
Attacker takes over the victim's IP address on the local segment by corrupting the ARP caches of directly connected machines: unsolicited (gratuitous) ARP replies bind the victim's IP address to the attacker's MAC address, and ARP has no authentication to prevent it
Used in man-in-the-middle and session-hijacking attacks
Attack tools
• ARPoison
• Ettercap
• Parasite
Web Spoofing
Convinces victim that he or she is visiting a real
and legitimate site
Considered both a man-in-the-middle attack
and a denial-of-service attack
DNS Spoofing Effects
Can direct users to a compromised server
Can redirect corporate e-mail through a
hacker’s server where it can be copied or
modified before sending mail to final
destination
DNS Spoofing 1
The attacker compromises the real DNS server and changes its hostname-to-IP address mappings.
When the DNS server answers client requests, the clients could be directed anywhere.
(DNS is among the most important servers in the organization: every other service depends on its answers.)
DNS Spoofing 2
Attacker poses as the victim's legitimate DNS server and gives out bogus information
Attacker poisons the ARP caches of the client machines to redirect their requests to the bogus DNS machine
Attacker shuts the legitimate DNS server up (DoSes it) so it cannot answer first
DNS Spoofing 3
When the real DNS server does a lookup for an IP address "out there", the attacker sends a reply packet to the DNS server with bogus information before the real answer arrives.
The attacker must correctly "guess" the 16-bit query (transaction) ID, since the DNS server will accept the first reply with the correct ID and discard later ones.
Resolvers that used sequential IDs or a fixed UDP source port made guessing easy; modern resolvers randomize both the ID and the source port, raising the guess space from about 2^16 to about 2^32.
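The race described above, modelled with real 12-byte DNS headers, as an added example that is not part of the slides: a resolver believes the first response whose transaction ID (and destination port) match its outstanding query, an attacker fires forged responses with guessed IDs, and the probability formula shows what a random source port buys. The query name, the resolver's ID and port, and the attacker's addresses are constructed; answer sections are omitted because only the header fields decide whether a reply is accepted.

```python
"""DNS transaction-ID guessing against a resolver, with RFC 1035 headers.

Constructed example: the resolver, its pending query and the forged replies are made up.
"""
import struct

QNAME = b"www.example.com"   # constructed query name
QR = 0x8000                  # header flag bit: this message is a response
RD = 0x0100                  # recursion desired (set on the query)


def pack_header(txid, flags, qdcount=1, ancount=0):
    """RFC 1035 section 4.1.1: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, all 16-bit."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)


def unpack_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "flags": flags, "qdcount": qd, "ancount": an}


class Resolver:
    """A recursive resolver with exactly one outstanding upstream query for QNAME."""

    def __init__(self, txid, src_port):
        self.expect = {"txid": txid, "port": src_port}   # the ID and port the query went out with
        self.cache = {}

    def outgoing_query(self):
        return pack_header(self.expect["txid"], RD), self.expect["port"]

    def on_reply(self, msg, dst_port, answer_ip):
        """The first datagram whose ID and destination port match is believed and cached;
        everything that arrives afterwards for this query is ignored. That is the race."""
        if self.expect is None:
            return False
        hdr = unpack_header(msg)
        if not hdr["flags"] & QR or hdr["ancount"] == 0:
            return False
        if hdr["txid"] != self.expect["txid"] or dst_port != self.expect["port"]:
            return False
        self.cache[QNAME] = answer_ip
        self.expect = None
        return True


def forged_reply(txid):
    """Attacker's guess: a response header carrying that ID (answer body omitted in this model)."""
    return pack_header(txid, QR | 0x0180, qdcount=1, ancount=1)


def race(resolver, guesses, attacker_ip, real_ip, real_txid, real_port):
    """The attacker sends one forged reply per (txid, port) guess, then the genuine answer
    arrives. Returns the address the resolver ends up caching for QNAME."""
    for txid, port in guesses:
        resolver.on_reply(forged_reply(txid), port, attacker_ip)
    resolver.on_reply(pack_header(real_txid, QR | 0x0180, 1, 1), real_port, real_ip)
    return resolver.cache.get(QNAME)


def guess_success(n_forged, secret_bits):
    """P(at least one of n forged replies matches a uniformly random secret_bits-bit value):
    16 bits for the transaction ID alone, about 32 when the UDP source port is random too."""
    return 1.0 - (1.0 - 2.0 ** -secret_bits) ** n_forged


if __name__ == "__main__":
    old = Resolver(txid=0x1234, src_port=53)                    # fixed port, ID in a narrow range
    print(race(old, [(t, 53) for t in range(0x1200, 0x1300)],
               "198.51.100.66", "192.0.2.80", 0x1234, 53))      # attacker wins
    print(f"65536 guesses vs 16-bit ID:        {guess_success(65536, 16):.3f}")
    print(f"65536 guesses vs ID + random port: {guess_success(65536, 32):.2e}")
```

With only the 16-bit ID to guess, 65,536 forged replies give the attacker roughly a 63% chance per query; adding a random source port pushes the same effort down to about 0.0015%, which is why source-port randomization was the emergency fix for resolvers in 2008.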
To Thwart Spoofing Attacks
IP spoofing
• Disable source routing on all internal routers
• Filter out packets entering the local network from the Internet that have a source address of the local network
• Use randomized initial sequence numbers so a blind attacker cannot predict the victim's replies
ARP poisoning
• Use network switches that have MAC binding (port security) features, or Dynamic ARP Inspection with DHCP snooping, which drops ARP replies that contradict the switch's IP-to-MAC binding table
• Static ARP entries for critical hosts (gateway, servers) on small networks
Web spoofing
• Educate users (check the address bar and the site's certificate; follow bookmarks rather than links in e-mail)
DNS spoofing
• Thoroughly secure DNS servers (patch them, restrict zone transfers, randomize query IDs and source ports)
• Deploy anti-IP address spoofing measures
• Validate answers cryptographically with DNSSEC where it is available