Download Slides 6 - USC Upstate: Faculty

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts
no text concepts found
Transcript
SCSC 455 Computer Security
Chapter 6 Network Attacks
Index





Overview of attacks
DoS & DDoS
Buffer overflow
Other attacks
Physical security
Attacks on Networks and Computers

Attack
 Any attempt by an unauthorized person to access or use
network resources

Computer security
 Concerned with the security of a computer, which is not
part of a network infrastructure

Network security
 Concern with security of network resources
Common Network Attacks

Common network attacks include:





Denial-of-Service (DoS)
Distributed Denial-of-Service (DDoS)
Buffer overflow
Ping of Death
Session hijacking
Index





Overview of attacks
DoS & DDoS
Buffer overflow
Other attacks
Physical security
Denial-of-Service Attacks

Denial-of-Service (DoS) attack


Attacks do not attempt to access information



Prevents legitimate users from accessing network
resources
Cripple the network
Make it vulnerable to other type of attacks
DoS include two major types


SYN flood
Smurf attack
SYN Flood

Exploits the TCP three-way handshake


Overwhelm server by SYN packets with spoofed
source
Inhibits server’s ability to accept new TCP
connections
TCP Three-Way Handshake
Smurf Attack

Smurf attack is Non-OS specific attack that uses the
network to amplify its effect on the victim



Floods a host with ICMP
Saturates Internet connection with bogus traffic and
delays/prevents legitimate traffic from reaching its
destination
To prevent smurf attack, ISP needs to take
responsibility and filter out bogus packets
bogus packets:
 broadcast packets
 packets with fake source IP address

not every ISP is willing to enforce the security policy
(Read article 2: The strange tale of the DoS)

Distributed Denial-of-Service (DDoS)
Attacks



DDoS attack on a host from multiple servers or
workstations
Network could be flooded with billions of requests
 Loss of bandwidth
 Degradation or loss of speed
Often participants (zombies) are not aware they are part
of the attack
 Thousands zombies are controlled by the attacker via
Trojan programs
DDoS Tools and Countermeasures
DDoS countermeasures:
• Security patches from software vendors
• Antivirus software
• Firewalls: Ingress (inbound) and egress (outbound) filtering
(details next …)
How to Prevent the Network from
Inadvertently Attacking Others
•
Block any packets coming into the network
destined for a broadcast address
•
Block any ingress packet that uses a protocol or
port that is not permissible on the Internet
•
•
•
Private IP addresses: 10.0.0.0, 172.16.0.0, 192.168.0.0;
Multicast address space: 224.0.0.0
Block any packets with a source address
originating inside your network from entering your
network
Index





Overview of attacks
DoS and DDoS
Buffer overflow
Other attacks
Physical security
Buffer Overflow Attacks

A vulnerability in poorly written code
 does not check predefined size of input field

Goal of buffer overflow attack:
 Fill overflow buffer with executable code
 OS executes this code, elevates attacker’s permission



Administrator
Owner of running application
To stop software exploits
 Train your programmer in developing applications with security in
mind
 Stay appraised of latest security patches provided by software
vendors
Buffer Overflow Exploits

Buffer Overflow Exploits is the Most common cause of
Internet attacks
Over 50% of advisories published by CERT (computer
security incident report team) are caused by various
buffer overflows

Morris worm (1988): overflow in fingerd
Infected 10% of the existing Internet
CodeRed (2001): overflow in MS-IIS server
300,000 machines infected in 14 hours
SQL Slammer (2003): overflow in MS-SQL server
75,000 machines infected in 10 minutes


Memory Buffers

Buffer is a data storage area inside computer
memory (stack or heap)



Intended to hold pre-defined amount of data
 If more data is stuffed into it, it spills into adjacent
memory
If executable code is supplied as “data”, victim’s machine
may be fooled into executing it
 Code will self-propagate or give attacker control over
machine
Attack can exploit any memory operation

Pointer assignment, format strings, memory allocation
and de-allocation, function pointers, calls to library
routines via offset tables
Stack Buffers

Suppose Web server contains this function
void func(char *str) {
char buf[126];
strcpy(buf,str);
}

Allocate local buffer
(126 bytes reserved on stack)
Copy argument into local buffer
When this function is invoked, a new frame with
local variables is pushed onto the stack
Stack grows this way
Top of
stack
Frame of the
calling function
buf
Local variables
sfp
ret
addr
str
Pointer to Execute
Arguments
previous
code at
frame this address
after func()
finishes
What If Buffer is Overstuffed?

Memory pointed to by str is copied onto stack…
void func(char *str) {
char buf[126];
strcpy does NOT check whether the string
strcpy(buf,str); at *str contains fewer than 126 characters
}

If a string longer than 126 bytes is copied into
buffer, it will overwrite adjacent stack locations
Top of
stack
Frame of the
calling function
buf
overflow
This will be
interpreted
as return address!
str
Executing Attack Code

Suppose buffer contains attacker supplied string
 For example, *str contains a string received from the network as
input to some network service daemon
Top of
stack
Frame of the
calling function
code
Attacker puts actual
instructions into his input string, e.g.,
binary code of execve(“/bin/sh”)

ret
str
In the overflow, a pointer back
into the buffer appears in
the location where the system
expects to find return address
When function exits, code in the buffer will be
executed, giving attacker a shell
 The attacker gets a root shell if the victim program is SUID root
Some Issues on Buffer Overflow

Executable attack code is stored on stack, inside the buffer
containing attacker’s string
 Stack memory is supposed to contain only data, but…

Overflow portion of the buffer must contain correct address of
attack code in the RET position
 The value in the RET position must point to the beginning
of attack code in the buffer
 Otherwise application will crash with segmentation
violation
 Attacker must know or correctly guess in which stack
position his buffer will be when the function is called
The Cause : No Range Checking

strcpy does not check input size
 strcpy(buf, str) simply copies memory contents into buf
starting from *str until “\0” is encountered
 Ignoring the size of area allocated to buf

Many C library functions are unsafe
 strcpy(char *dest, const char *src)
 strcat(char *dest, const char *src)
 gets(char *s)
 scanf(const char *format, …)
 printf(const char *format, …)
Common Buffer Overflow Attacks
(details are not required)
Common Buffer Overflow Attacks
(details are not required)
Index





Overview of attacks
DoS and DDoS
Buffer overflow
Other attacks
Physical security
Ping of Death Attacks

Ping of death is actually a type of DoS attack


Not as common as during the late 1990s
How ping of death works




Attacker creates a large ICMP packet (More than 65,535 B)
Large packet is fragmented at source network
Destination network reassembles large packet
Destination point cannot handle oversize packet and
crashes
Ping of Death
Ping of death uses IP packet fragmentation techniques
to crash remote systems
Session Hijacking

Session hijacking -- the exploitation of a valid computer session to
gain unauthorized access to information or services in a computer
system.

the HTTP session cookies used to maintain a session on many web
sites can be easily stolen by an attacker

In order that the user does not have to re-enter their username /
password on every page to maintain their session, many web sites use
session cookies: a token of information issued by the server and
returned by the user's web browser to confirm its identity.

If an attacker is able to steal this cookie, they can make
requests themselves as if they were the genuine user.
How to steal session cookie

Sniffing

steal the session key by obtaining the file or memory
contents of the appropriate part of either the user or the
server's computer.

session fixation: the attacker sets a user's session id to
one known to him

sending the user an email with a link that contains a particular
session id. The attacker now only has to wait until the user logs in
by clicking that link.
How to prevent session hijacking

Regenerating the session id after a successful login.


Encryption of the session key.


prevents session fixation because the attacker does not
know the session id of the user after she has logged in.
prevents sniffing-style attacks.
Some services make secondary checks against the
identity of the user.

E.g., a web server could check with each request made
that the IP address of the user matched the one last used
during that session.
Spoofing

Spoofing is act of falsely identifying a
packet’s IP address, MAC address, etc

Four primary spoofing types




IP address spoofing
ARP poisoning
Web spoofing
DNS spoofing
IP Address Spoofing

IP Address Spoofing exploits trust relationships between two hosts

Involves creating an IP address with a forged source address
Issues on IP Address Spoofing
Three issues the attacker must solve:
The reply message from the victim is NOT delivered to
the attacker;
•
•
since the attacker is outside LAN, it’s difficult to intercept
packets
•
If the impersonated host (host B in the figure) replies
packets to the victim machine, it could interference the
attacker’s spoofing message.
•
In order for the victim to accept the spoofed packets,
the packets must guess / have the correct sequence
number
ARP Poisoning
Q: What is ARP?
Address resolution protocol
ARP
Address resolution protocol is a protocol used by the IP, specifically IPv4, to
map IP address to the hardware addresses (MAC address) used by a data link
protocol.
ARP Poisoning

Attacker sends fake ARP messages to an Ethernet LAN.
 These fake ARP messages confusing network
devices, such as network switches – poisoning their
ARP table.
 As a result frames intended for one machine can be
mistakenly sent to another (the attacker’s computer) or
an unreachable host (a denial of service attack).

ARP Poisoning can be used in man-in-the-middle attack
and session hijacking attack
Web Spoofing

Convinces victim that he or she is visiting a real and
legitimate site


creating a website, as a hoax, with the intention of misleading
readers that the website has been created by a different
organization.
Normally, the website will adopt the design of the target website
and sometimes has a similar URL
DNS Spoofing

DNS server translates human-readable computer
hostnames into the IP addresses that networking
equipment needs for delivering information.

In DNS spoofing, attacker poses as the victim’s
legitimate DNS server


Direct users to a compromised server
Or redirect corporate e-mail through a hacker’s server where it
can be copied or modified before sending mail to final destination
How To Thwart Spoofing Attacks

Prevent IP spoofing
 Disable source routing on all internal routers


source routing allows a sender of a packet to specify the route the
packet takes through the network.
Filter out packets entering local network from the Internet that
have a source address of the local network

Prevent ARP poisoning
 Using static ARP records.
 Using certain tools that watch the local ARP cache and report to
the administrator if anything unusual happens.

Prevent Web spoofing
 Educate users

Prevent DNS spoofing
 Thoroughly secure DNS servers
Man-in-the-Middle Attack

Man-in-the-Middle Attack is a class of attacks in which the attacker
places himself between two communicating hosts and listens in on their
session
 Is a general form of attack

Can be executed in different methods



ARP poisoning
ICMP redirects
DNS poisoning
Index





Overview of attacks
DoS and DDoS
Buffer overflow
Other attacks
Physical security
Physical security

Physical security is as important as network or computer
security
 Protecting a network also requires physical security
 Inside attacks are more likely than attacks from outside the
company

Locks



Choose hard-to-pick locks
Security cards
Keyloggers


Software-based
Hardware-based
Behind Locked Doors

Lock up your servers





Average person can pick deadbolt locks in less than
five minutes, after only a week or two of practice
Experienced hackers can pick deadbolt locks in under
30 seconds
Rotary locks are harder to pick
Keep a log of who enters and leaves the room
Security cards can be used instead of keys for
better security
Keyloggers

Keyloggers are used to capture
keystrokes on a computer



Software


Hardware
Software
Behaves like Trojan programs
Hardware



Easy to install
Goes between the keyboard and the
CPU
KeyKatcher and KeyGhost
An email message captured by keycatcher