Download Attacks and Mitigations

Attack Vectors and
Mitigations
Attack Vectors ?
•
http://en.wikipedia.org/wiki/Vector_%28epidemiology%29:
- In epidemiology, a vector is any agent (person, animal or
microorganism) that carries and transmits an infectious pathogen
into another living organism.
•
http://searchsecurity.techtarget.com/definition/attack-vector:
- In computing, a vector or attack vector is a path or means by
which a hacker can gain access to a computer or network server in
order to deliver a payload or malicious outcome.
- Attack vectors enable hackers to exploit system vulnerabilities,
including the human element.
- Attack vectors include viruses, e-mail attachments, Web pages,
pop-up windows, instant messages, chat rooms, and deception. All
of these methods involve programming (or, in a few cases,
hardware), except deception, in which a human operator is fooled
into removing or weakening system defenses.
T. A. Yang
Network Security
2
Vector vs Payload
• http://cybercoyote.org/security/vectors.shtml:
– Don't confuse attack vectors with payloads.
– payload : malicious code carried by attack vectors -- spyware,
Trojan-horses, dialers, destructive code and other malware.
Some attacks deliver multiple payloads (warheads).
– For example, worms attack through the network connection to
get in. That's just the first step. Worms usually carry an installer
for malware, such as spyware or botware as their payload. The
worm's work is done when the payload is installed and running
on the computer.
T. A. Yang
Network Security
3
Vulnerabilities
• The million buck question:
Why not remove all vulnerabilities from the systems?
• At least two reasons:
1.The computer and networking systems that we use
today were designed and developed long before
security was considered an important factor in
computing. e.g., TCP/IP
2.New attacking schemes keep coming up.
Q: Is it possible to define a ‘perfectly secure’ system?
e.g., The castle was an almost perfect defense
mechanism until big guns and airplanes emerged.
T. A. Yang
Network Security
4
Types of Attacks
• Reconnaissance
– Discovery and mapping of systems, services, or vulnerabilities
• Unauthorized access
• Unauthorized modifications
• Denial of service
– A service/resource is blocked, degraded, disabled, or corrupted
and becomes unavailable to authorized users.
• Pattern of attack:
–
–
–
–
Mapping the potential victim’s system(s)
Gaining access to a user account
Escalating privilege
Exploiting the system (or using it as a jumping board)
T. A. Yang
Network Security
5
Types of Attack Vectors
•
•
•
•
•
•
•
•
Viruses, Worms, Trojans, Password crackers
Buffer overflows
IP spoofing, ARP spoofing
TCP hijacking (a type of man-in-the-middle attacks)
Ping sweeps, Port scanners
Packet sniffers
Flooding, DoS/DDoS attacks
Rootkits and botnets (aka zombie army)
– The most prevailing threats as reported by the Kaspersky Labs and the
Symantec.
– A master thesis (2011): A comparative analysis of rootkit detection techniques
(available at http://sceweb.sce.uhcl.edu/yang/research/sampleTheses.htm)
T. A. Yang
Network Security
6
Rootkits and botnets
•
http://searchsecurity.techtarget.com/definition/botnet:
– A zombie or bot is often created through an Internet port that has
been left open and through which a small Trojan horse program
can be left for future activation.
•
http://en.wikipedia.org/wiki/Botnet:
– Computers are often recruited into a botnet by running malicious
software. This may be achieved by luring users with a drive-by
download, exploiting web browser vulnerabilities, or tricking the
user into running a Trojan horse program, possibly in an email
attachment. It will typically install modules which allow the
computer to be commanded and controlled by the botnet's owner.
The Trojan may delete itself, or may remain present to update and
maintain the modules.
– The controller (aka master) of a botnet directs these compromised
computers via standards-based network protocols such as IRC
(Internet Relay Chat) and HTTP (Hypertext Transfer Protocol).
T. A. Yang
Network Security
7
Mitigation Techniques
against the Attacks
• What can and should be done to mitigate these attacks?
–
–
–
–
–
–
–
–
Viruses, Worms, Trojans, Password crackers
Buffer overflows
IP spoofing, ARP spoofing
TCP hijacking (a type of man-in-the-middle attacks)
Ping sweeps, Port scanners
Packet sniffers
Flooding, DoS/DDoS attacks
Rootkits and botnets (aka zombie army)
• Principles: defense in depth, controls at multiple layers
T. A. Yang
Network Security
8
Mitigations at Layer 3
• Deployed on layer-3 devices
– Firewalls
– Routers
– Layer-3 switches
• Example attacks at layer 3:
–
–
–
–
–
ICMP Flood (Smurf Attacks)
SYN Flood
DoS Attacks
IP Spoofing
Packet interception ?
T. A. Yang
Network Security
9
L-3 Mitigation Techniques
• Mechanisms in IOS
–
–
–
–
–
–
–
–
–
–
–
–
Traffic characterization using ACL
IP source tracker
Antispoofing with ACL, uRPF, IP source guard
Packet classification and marking
Committed access rate (CAR)
Modular QoS CLI (MQC)
Traffic policing
Network-Based Application Recognition (NBAR)
TCP Intercept
Policy-Based Routing (PBR)
uRPF
NetFlow
T. A. Yang
Network Security
10
Mitigations at Layer 2
• Deployed on layer-2 devices
• Bhaiji:
– Layer 2 attacks are difficult to achieve from outside
the network.
– The attacker needs to be inside the network to be
able to abuse layer 2.
• True? How about attacks against WLAN?
T. A. Yang
Network Security
11
Example Layer-2 Attacks
(and mitigations)
Attacks
Mitigations ?
CAM Table Overflow (aka MAC attacks)
MAC Spoofing Attacks
ARP Spoofing Attacks
VTP Attacks
VLAN Hopping Attacks
Attacks against PVLAN
Attacks against Spanning Tree
DHCP Spoofing and Starvation Attacks
Attacks against 802.1x
T. A. Yang
Network Security
12