Download CHAPTER 3 Classes of Attack

CHAPTER 3
CLASSES OF ATTACK
1
Denial of Service (DoS)
Takes place when availability to resource is
intentionally blocked or degraded
 Degrading processes, storage capability,
destroying files or shutting down parts of
the system or processes
 Degrading the processes by reduces the
performance through overload the target
system

2
Denial of Service (DoS)
Degrading processes can also directed at a
network application such as FTP, Simple
Mail Transfer Protocol (SMTP) or network
service IP (Internet Protocol) or Internet
Control Message Protocol (ICMP)
 Example attacks that degrade processes are
snork and chargen
 Both affect Windows NT except if have
Service Pack 4 and higher

3
Denial of Service (DoS)

Snork
– send spoofed Remote Procedure Control (RPC)
datagrams to the User Datagram Protocol (UDP)
destination port 135
– Giving appearance as an attacked RPC server
– RPC server sent bad data to another RPC server, then
replies with reject packet
– Creating a loop that is not broken until a packet is
dropped
– Waste processor resources and network bandwith
4
Denial of Service (DoS)

Chargen
– Functions against Windows NT systems that
have the Simple TCP/IP Services
– Flood of UDP datagrams is sent from a spoofed
source IP address to port 19 (chargen port) to
the subnet broadcast adress
– Affected Windows NT systems respond to each
broadcast
– Creating a flood of UDP datagrams on the
network
5
Denial of Service (DoS)

Smurf
– Performs a network level attack against the
target host
– Using a router (smurf amplifier) spoofing the
source IP address, generates a large amount of
ICMP echo traffic
– Host that received respond back with an echo
reply
– Degraded network service availability
6
Denial of Service (DoS)

SYN (synchronization)
– Accomplished by sending Transmission Control
Protocol (TCP) connection requests faster than a system
can process them

Storage Capability (Degrading)
–
–
–
–
Use all storage resources
Example The Love Letter Worm
UNIX also not exempted
Destroying Files
» Bat, exe, com, dll and sys
7
Denial of Service (DoS)

Storage Capability (Degrading)
– Shutdown System
» Ping of death sending ICMP echo packet of just over
65535 bytes
» Default packet size 64 bytes
– Latest Distributed Denial of Service (DDoS)
8
Information Leakage





Gather info from target as much as possible
Use finger or DNS to get info on layout of
network
DNS, determine system names and locations
Advertising type of search engine or FTP server
used, help determine the type of Web server being
used
Occur in SMTP through application banner,
SNMP (Simple Network Management Protocol)
9
File Creation, Reading,
Modification, Removal
Capability exist in NFS ( Network File
System) in statd
 Never validate info that received from the
remote lockd
 Statd and lockd is used by NFS to maintain
crash and recovery functions for file locking

10
Misinformation

Log files cannot be trusted
11
Special File/ Database Access
Access registry for NT can take over the
system, can attack NT that used SP1 and SP
2
 DB use standard security, need to put
password for all users account

12
How To Secure Against These
Classes of Attacks

Using commercial scanning software such as
Internet Security System, Internet Scanner, Nessus
Security Scanner
– Scan purpose only, you still need to fix the problem

Intrusion Detection System (IDS) such as
Network Flight Recorder (NFR)
– Purpose to detect / alert of any attacks
– Cannot prevent or patch it
– Need to find the patches or report to organization that
responsible to create patches
13
How To Secure Against These
Classes of Attacks

Denial of Service (DoS)
– Windows NT close port 139 (NetBIOS Session
Service) that vulnerable to Winnuke at router /
firewall
– Cisco Routers, to prevent SYN flood, can be
prevent by utilizing features in Internetwork
Operating System (IOS)11.3 and higher
» Has feature TCP intercept
14
How To Secure Against These
Classes of Attacks

Denial of Service (DoS)
– Smurf
» Disable IP-directed broadcast at each routers
» If possible, configure OS not to respond to ICMP
packets sent to IP broadcast addresses
– DDoS
» Block default ports that used by DDoS tools
– Traffic flood
» Need to contact ISP to prevent it
15
How To Secure Against These
Classes of Attacks

Information Leakage
– Hide banner, version number, OS etc, that could
give attacker any info
– Changing finger print of your OS

File Creation, Reading, Modification,
Removal
– Apply all precautions available including
patching known vulnerabilities
16
How To Secure Against These
Classes of Attacks

Misinformation
– Use Tripwire and keep your system logs on a
protected server to prevent them from being
tampered with
– Tripwire creates a database of all files in your
systems and then compares the integrity of
them the next time Tripwire is run
– LogCheck is useful for verifying you
immediately by e-mail of problems and security
violations that appear in your log
17
How To Secure Against These
Classes of Attacks

Special File / Database Access
– Protecting by blocking port 135 (Location
Service), 137 (NetBIOS Name Service), 138
NetBIOS Datagram Service), 139 (NetBIOS
Session Service) at boundary router so attacker
cannot gain access from internet
– To protect from inside ensure the winreg key is
set in the proper location to limit who has
access to the Registries remotely
18
End Of Chapter 3
19