Security + Certification - Chapter 3: Attacks and Malicious Code Part 1 - Athena

Chapter 3: Attacks and Malicious Code Objectives in this chapter  Explain denial-of-service (DoS) attacks  Explain and discuss ping-of-death attacks  Identify major components used in a DDoS attack and how they are installed  Understand major types of spoofing attacks  Discuss man-in-the-middle attacks, replay attacks, and TCP session hijacking ATHENA continued Learning Objectives  Detail three types of social-engineering attacks and explain why they can be incredibly damaging  List major types of attacks used against encrypted data  List major types of malicious software and identify a countermeasure for each one ATHENA Why Secure a Network? External attacker Internal attacker ATHENA A network security design protects assets from threats and vulnerabilities in an organized manner To design security, analyze risks to your assets and create responses Corporate Assets Incorrect permissionsVirus Terminology  Vulnerability – a problem or error that opens up a security “hole”  Patch – code that will eliminate the vulnerability (patch must be applied)  Exploit – code (often a virus or a worm) that can take advantage of a particular vulnerability ATHENA What should happen  Vulnerability is found and published  Patch is written and made available  Everybody patches their computers  Then, somebody releases an exploit ATHENA Denial-of-Service Attacks  Any malicious act that causes a system to be unusable by its real user(s)  Take numerous forms  Are very common  Can be very costly Major types • SYN flood • Smurf attack ATHENA TCP Three-Way Handshake ATHENA SYN Flood  Exploits the TCP three-way handshake  Initiating machine sends a SYN, receiving machine sends back a SYN, ACK. Initiating machine never sends back the final ACK to complete the connection.  Receiving machine will wait a certain length of time before before clearing the connection. ATHENA SYN Flood When the receiving machine’s stack was written, the programmers decided on a certain number of connections that could be “waiting”. When this number is reached the machine can’t accept new connections, so it is effectively not listening. ATHENA SYN Flood ATHENA ATHENA Things the Blackhat Must Consider  The receiving machine will send a SYN/ACK to the spoofed address.  If this is a real machine, it will reply with a RST, which will clear the connection. This is not what the blackhat wants.  Solution, use a private address or an unallocated address as the spoofed source IP address. ATHENA What Can the Good-guys Do?  Shorten the time the receiving computer will wait before clearing the connection.  Allow for a greater number of connection attempts.  Use a firewall to send an ACK packet to the receiving machine. This will allow the connection to be moved out of the half-open queue. ATHENA ATHENA Smurf  Non-OS specific attack that uses the network to amplify its effect on the victim  Sends ping reply request to the network broadcast address using the victim’s address as the source  Network floods the victim with ICMP ping replies  Saturates Internet connection with bogus traffic and delays/prevents legitimate traffic from reaching its destination ATHENA ATHENA Protective Measures Against Smurf  Routers should be configured to drop ICMP messages with a destination of an internal broadcast or multicast address.  Hosts should be configured to ignore echo requests directed to their broadcast address.  Check for a list of smurf amplifier networks and to make sure your network is configured properly. ATHENA IP Fragmentation Attacks: Ping of Death  Uses IP packet fragmentation techniques to crash remote systems. Maximum size of IP packet is 65,536 bytes, but most network topologies can’t handle packets of that size – so the packet is broken into smaller packets (fragmentation).  Reassembled packet larger than 65,536 bytes would crash older operating systems. ATHENA Ping of Death ATHENA Distributed Denial-of-Service Attacks  Use hundreds of hosts on the Internet to attack the victim by flooding its link to the Internet or depriving it of resources  Used by hackers to target government and business Internet sites  Automated tools; can be executed by script kiddies  Result in temporary loss of access to a given site and associated loss in revenue and prestige ATHENA ATHENA DDoS Tools and Attack Methods ATHENA DDoS Countermeasures  Install latest security patches from software vendors  Antivirus software will detect DDoS agent software  Firewalls are always a good idea  Ingress (inbound) and egress (outbound) filtering ATHENA Ingress and Egress Filtering ATHENA Preventing the Network from Inadvertently Attacking Others  Filter packets coming into the network destined for a broadcast address  Turn off directed broadcasts on internal routers  Block any packet from entering the network that has a source address that is not permissible on the Internet (see Figures 3-8 and 3-9) ATHENA continued Preventing the Network from Inadvertently Attacking Others  Block at the firewall any packet that uses a protocol or port that is not used for Internet communications on the network  Block packets with a source address originating inside your network from entering your network ATHENA Ingress Filtering of Packets with RFC 1918 Addresses ATHENA Filtering of Packets with RFC 2827 Addresses ATHENA IP – What to Filter  All private addresses: 10.0.0.0, 172.16.0.0 – 172.31.0.0, 192.168.0.0 coming in or going out  127.0.0.0 coming in or going out  Unallocated IP numbers (1.0.0.0, 2.0.0.0, etc. – see ipv4-address-space) coming or going  Your addresses coming in ATHENA Spoofing  Act of falsely identifying a packet’s IP address, MAC address, etc  Four primary types • IP address spoofing • ARP poisoning • Web spoofing • DNS spoofing ATHENA IP Address Spoofing  Used to exploit trust relationships between two hosts  Trust relationship could be enforced at the router, the firewall, by an application, or by the OS  Involves creating an IP address with a forged source address ATHENA Problems to be overcome  Although its easy to craft packets and spoof IP addresses, the attacker can’t cause the return packets to be delivered back to him/her.  The return packets will be delivered to the trusted host, which could reset the connection and foil the attack.  The packets sent to the victim must have the correct sequence number. ATHENA ATHENA ARP Poisoning  Attacker takes over victim’s IP address by corrupting ARP caches of directly connected machines (gratuitous arp)  Used in man-in-the-middle and session hijacking attacks  Attack tools • ARPoison • Ettercap • Parasite ATHENA Web Spoofing  Convinces victim that he or she is visiting a real and legitimate site  Considered both a man-in-the-middle attack and a denial-of-service attack ATHENA Web Spoofing ATHENA DNS Spoofing Effects  Can direct users to a compromised server  Can redirect corporate e-mail through a hacker’s server where it can be copied or modified before sending mail to final destination ATHENA DNS Spoofing 1  The attacker compromises the real DNS server and changes hostname-to-IP address mappings. When the DNS server answers client requests, the clients could be directed anywhere.  (DNS is the most important server in the organization.) ATHENA DNS Spoofing 2  Attacker poses as the victim’s legitimate DNS server and gives out bogus info  Attacker poisons the arp caches of the client machines to direct their requests to the bogus DNS machine  Attacker shuts the legitimate DNS server up (DoSes it) ATHENA DNS Spoofing 3 When the real DNS server does a lookup for an IP number “out there”, the attacker sends a reply packet to the DNS server with bogus info.  Attacker must correctly “guess” query number.  DNS server will accept the first reply with correct query number. ATHENA To Thwart Spoofing Attacks  IP spoofing • Disable source routing on all internal routers • Filter out packets entering local network from the Internet that have a source address of the local network  ARP poisoning • Use network switches that have MAC binding features ATHENA continued To Thwart Spoofing Attacks Web spoofing • Educate users  DNS spoofing • Thoroughly secure DNS servers • Deploy anti-IP address spoofing measures ATHENA