General Overview of Attacks

Regardless of the motivation, a network security specialist must be aware of the threats and the appropriate responses.
What is an attack?
• Any malicious activity directed at a computer system or the services it provides.
• Eg: viruses, use of a system by an unauthorized individual, denial of service, physical attack against computer hardware.
Reasons for attacks
1) Gaining access to the system
2) Simply for the challenge
3) To collect information
4) Desire to cause damage
Attacks
• Criminal Attacks
• Publicity Attacks
• Logon Abuse
• Inappropriate System Use
• Network Intrusion
Criminal Attacks
• Fraud: involvement of money and commerce.
• Scams: selling something of no value and taking the money.
• Destructive Attacks: the work of terrorists, employees bent on revenge, or hackers gone over to the wrong side.
  Eg: denial of service attacks on Yahoo, CNN, eBay, Amazon, etc.
• Intellectual Property Theft: theft of electronic versions of property. Eg: piracy of software.
Criminal Attacks Continued…
• Identity Theft: why steal from someone when you can just become that person?
• Brand Theft: how do users know which sites are worth visiting and bookmarking?
  Eg: a message reading "Please update your Amazon/eBay profile"
Publicity Attacks
• How can I get my name in the newspapers?
• Motivated by a desire to fix the problems.
• Possibility of exploitation by criminals.
• Public confidence.
• Eg: denial-of-service attacks
Different Forms of attacks
• Non-Technical Form of Attack:
  • Social Engineering
• Technical Form of Attack:
  • Implementation Bugs
  • Abuse of Feature
  • System Misconfiguration
  • Masquerading
  • DoS / DDoS
  • Session Hijacking
Social Engineering
• The attacker makes use of social contacts or people skills to obtain private information.
  Eg: an attacker posing as an administrator and convincing an individual over the telephone to reveal confidential information such as passwords, filenames, or details about security policies.
Implementation Bugs
• Attackers exploit bugs in trusted programs to gain unauthorized access to a computer system.
  Eg: buffer overflows, race conditions, and mishandled temporary files.
Abuse of Feature
• Legitimate actions that, when taken to the extreme, can lead to system failure.
  Eg: opening hundreds of telnet connections to a machine to fill its process table, or filling up a mail spool with junk email.
System Misconfiguration
• An attacker gains access to the system because of an error in the configuration of that system.
  Eg: the default configuration of some systems includes a "guest" account that is not protected with a password.
Masquerading
• Sometimes it is possible to fool a system into granting access by misrepresenting oneself.
  Eg: sending a TCP packet with a forged source address that makes the packet appear to come from a trusted host.
Broad Categories of Attacks
1) Denial of service attacks
2) Attacks that give a local user superuser access
3) Attacks that give a remote user local access
4) Probes (attempts to probe a system to find potential weaknesses)
5) Physical attacks against computer hardware
Possible Types of Actions in an Attack
Denial of Service (DoS) Attacks
• An attack in which the attacker makes some computing or memory resource too busy or too full to handle legitimate requests, or otherwise denies legitimate users access to a machine.
• Some DoS attacks abuse a perfectly legitimate feature.
  Eg: mailbomb, smurf attack
DoS continued…
• Some DoS attacks create malformed packets that confuse the TCP/IP stack of the machine that is trying to reassemble the packet.
  Eg: teardrop, ping of death
• Others take advantage of bugs in a particular network daemon.
  Eg: apache2, back, syslogd
Summary of Denial of Service attacks
Footprinting
• Footprinting is gathering information about networks, specific computers, companies, and/or people.
• Scouring the website
• Whois lookup on the domain (via a web lookup or the whois command at a shell)
• Get the IP address to learn about the network (ping or nslookup)
• Search the ARIN database (American Registry for Internet Numbers) to find out who owns that specific netblock
• Talk to the ISP, claiming that somebody from their network is sending spam, or possibly start a social engineering attack
Where to start
• Locations
• Related companies
• Merger or acquisition news
• Phone numbers
• Contact names and email addresses
• Privacy and security policies indicating the security mechanisms in place
• Links to other web servers related to the organization
Port Scanning
• Stealth scans
• Spoofed scans
• TCP SYN, SYN/ACK, and FIN scans
• ICMP (ping sweep)
• TCP FTP proxy
  • The scanner connects to a real FTP server and requests a data transfer to another system
Scanning Tools
• HPing
• Legion
• Nessus
• Nmap
• SAINT
• SATAN
• Tcpview
• Snort
User to Root Attacks
• The attacker starts out with access to a normal user account on the system (perhaps by sniffing passwords, a dictionary attack, or social engineering) and exploits some vulnerability to gain root access.
• The most common attacks are:
  • Buffer overflow attacks (eg: Eject, Ffbconfig)
  • Poor environment sanitation (eg: Loadmodule, Perl)
  • Poor temp file management
  • Lack of chroot in vulnerable system services
Summary of User to Root attacks
Remote to User Attacks
• An attacker who has the ability to send packets to a machine over a network, but who does not have an account on that machine, exploits some vulnerability to gain local access as a user of that machine.
• Some of these attacks exploit buffer overflows in network server software.
Remote to User Attacks
• The most common attacks are:
  • Abuse of feature (eg: Dictionary)
  • Misconfiguration (eg: Ftp-write, Guest, Xlock)
  • Bug (eg: Imap, Named, Phf, Sendmail)
Summary
Probes
• Programs that can automatically scan a network of computers to gather information or find known vulnerabilities.
• Scanning tools like SATAN, SAINT, and mscan enable even a very unskilled attacker to check thousands of machines on a network for known vulnerabilities very quickly.
Summary
Most Serious Problems pointed out by CERT (2003)
1. Exploitation of weaknesses in the "cgi-bin/phf" program used on web servers to steal system password files.
2. Attacks on systems running the free Linux version of UNIX, including installation of "sniffers" that can steal unencrypted passwords when people log on to the systems.
3. Denial-of-service attacks, which were particularly troubling for internet service providers.
Continued…
4. Widely available hacker kits: script kiddies attacking systems with known vulnerabilities.
5. Abuse of email, including mail-bombing, forgeries (spoofing), and a large increase in the amount of junk mail.
6. Viruses and hoaxes about viruses (especially wild claims about dangerous mail).
Problems in ascertaining the threats
• An unknown number of crimes of all kinds goes undetected. Some of them are discovered long after they have occurred.
• Similarly, computer crimes may not be detected by the victims. The estimate is that 1/10th of all such crimes are detected.
• Some of those go unreported. The estimate is that 1/10th of the detected crimes are reported.
Precautions against attacks
• Intrusion detection systems:
  1) Those that detect system attacks in real time and can be used to stop an attack in progress.
  2) Those that provide after-the-fact information about the attacks, which can be used to repair damage, understand the attack mechanism, and reduce the possibility of future attacks of the same type.
Intrusion Detection Systems
• An intrusion detection system should be designed so that it can handle every level of attacker sophistication, from a novice cracker to an experienced cracker who knows about intrusion detection systems and takes steps to avoid being caught.
Sources of data for an IDS
• Traffic sent over the network
• System-level audit data
• Information about file system state
There are other sources of data, such as real-time process lists, log files, processor loads, etc. However, they are rarely used.
Traffic sent over the network
All data sent over an Ethernet network is visible to every machine present on the local network segment. Hence, one machine connected to this Ethernet can be used to monitor traffic for all hosts on the network.
System Level Audit Data
• Most operating systems offer some level of auditing of operating system events.
  Eg: logging failed attempts to log in, logging every system call.
Information about file system state
• An intrusion detection system that examines this file system data can alert an administrator whenever a system binary file (such as the ps, login, or ls program) is modified. Since normal users have no legitimate reason to alter these files, a change to a system binary file indicates that the system has been compromised.
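As an added example (not from the slides), a minimal file-integrity check of the kind the slide describes: a SHA-256 baseline of monitored system binaries is recorded and later compared against the current state. The file contents here are constructed byte strings standing in for the real /bin/ps, /bin/login and /bin/ls; a real checker would read those paths from disk and keep the baseline somewhere an intruder cannot alter.

```python
import hashlib

# Constructed stand-ins for the contents of the monitored binaries.
# A real checker would read the files from disk (open(path, "rb").read()).
BASELINE_CONTENTS = {
    "/bin/ps": b"ps binary, clean build",
    "/bin/login": b"login binary, clean build",
    "/bin/ls": b"ls binary, clean build",
}

# Constructed state after a hypothetical compromise: login was replaced,
# ls was deleted, and an unexpected binary appeared.
COMPROMISED_CONTENTS = {
    "/bin/ps": b"ps binary, clean build",
    "/bin/login": b"login binary, trojaned build",
    "/sbin/unknown_helper": b"not part of the baseline",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(contents: dict) -> dict:
    """Record one digest per monitored binary.
    Keep the result off-host or on read-only media: an attacker who can
    rewrite /bin/login can also rewrite a baseline stored next to it."""
    return {path: sha256_hex(data) for path, data in contents.items()}


def check_integrity(baseline: dict, current: dict) -> dict:
    """Compare current digests against the baseline and classify every
    difference; any non-empty category is a report for the administrator."""
    modified = [p for p in baseline if p in current
                and sha256_hex(current[p]) != baseline[p]]
    removed = [p for p in baseline if p not in current]
    added = [p for p in current if p not in baseline]
    return {"modified": sorted(modified),
            "removed": sorted(removed),
            "added": sorted(added)}


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_CONTENTS)
    print(check_integrity(baseline, COMPROMISED_CONTENTS))
```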
Strategies for Intrusion Detection
• Signature Verification
• Anomaly Detection
• Specification Based Intrusion Systems
• Bottleneck verification
Signature Verification example
• An oversized ping packet of length greater than 64 kilobytes can often cause some systems to reboot. A signature verification system looking for a ping of death denial of service attack would have a simple rule that says "any ping packet of length greater than 64 kilobytes is an attack."
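The rule as stated cannot be checked on a single packet on the wire, because an IPv4 packet can never be longer than 65535 bytes; the oversized ping only exists after fragment reassembly, so the signature is applied to each fragment's offset and length. Added example, not from the slides: a Python check over constructed IPv4 fragments (placeholder addresses, zero checksum) that flags an ICMP fragment whose data would extend the reassembled datagram past 65535 bytes.

```python
import struct

IPPROTO_ICMP = 1
MAX_IPV4_DATAGRAM = 65535  # the 16-bit total-length field cannot describe more
IPV4_HDR = "!BBHHHBBH4s4s"   # minimal IPv4 header without options (20 bytes)


def build_ipv4_fragment(proto: int, offset_units: int, more_fragments: bool,
                        payload: bytes) -> bytes:
    """Construct a sample IPv4 fragment for the detector. Only the fields the
    signature reads are meaningful; addresses are placeholders, checksum is 0."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (offset_units & 0x1FFF)
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return header + payload


def is_ping_of_death_fragment(packet: bytes) -> bool:
    """Signature rule: an ICMP fragment whose offset plus data length exceeds
    the maximum IPv4 datagram size. A legitimate last fragment may sit at
    offset 65528 only if it carries at most 7 bytes of data."""
    if len(packet) < 20:
        return False                      # truncated, not a valid IPv4 header
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        return False
    ihl = (ver_ihl & 0x0F) * 4
    offset_bytes = (flags_frag & 0x1FFF) * 8
    data_len = max(0, total_len - ihl)
    return proto == IPPROTO_ICMP and offset_bytes + data_len > MAX_IPV4_DATAGRAM


if __name__ == "__main__":
    normal = build_ipv4_fragment(IPPROTO_ICMP, 0, True, b"\x08\x00" + b"\x00" * 1398)
    oversized = build_ipv4_fragment(IPPROTO_ICMP, 8191, False, b"A" * 100)
    for pkt in (normal, oversized):
        print(is_ping_of_death_fragment(pkt))
```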
Signature Verification
• Advantages:
  • Can be devised to detect attempts to exploit many possible vulnerabilities
  • One sniffer can monitor many workstations
  • The computation required to construct network sessions and search for keywords is not excessive
Signature Verification
• Drawbacks:
  • Difficult to establish rules
  • False alarm rates can be very high
  • Cannot identify novel types of attacks
Anomaly Detection
• These systems track the typical behavior of a system and issue a warning when they observe actions that deviate significantly from those models.
• They construct statistical models of user, system, or network activity by observing typical behavior during an initial training phase. After training, anomalies are detected and flagged as attacks.
  Eg: NIDES (Next-Generation Intrusion Detection Expert System) by SRI International.
Anomaly Detection
• These systems are the frequently suggested approach to detecting novel attacks.
• They involve large computation and memory resources.
• High false alarm rates.
• Cannot detect an attacker whose activity overlaps with that of a user or system.
Specification Based Intrusion Systems
• This type of approach detects attacks that make improper use of system or application programs.
• Results in far lower false alarm rates.
• Detects a wide range of new attacks, including many forms of malicious code such as trojan horses, viruses, attacks that take advantage of race conditions, and attacks that take advantage of improperly synchronized distributed programs.
Bottleneck verification
• This approach applies to situations where there are only a few, well-defined ways to transition between two groups of states.
• Eg: the transition between a normal user and a superuser within a shell. If an individual is in a normal user state, the only way to legally gain root privileges is by using the su command and entering the root password.
• Thus a bottleneck verification system need only detect a shell being launched, determine the permissions of the new shell, and check for the successful su command that granted root access; a root shell not preceded by one indicates an illegal transition.
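Added example (not from the slides): a Python replay of the bottleneck check over a constructed stream of process audit events. A root shell is accepted only if its process, or an ancestor, passed through a successful su; a root shell reached any other way (here via a hypothetical vulnerable setuid program) is reported. The event format and the pid-based ancestry tracking are assumptions of this example, which also assumes pids are not reused within the window.

```python
SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh"}

# Constructed audit events, in order: (pid, ppid, uid, event, detail).
# "exec" carries the program name; "su_ok" records a successful su
# authentication, after which the process runs with uid 0.
EVENTS = [
    (100, 1, 1000, "exec", "bash"),            # user's login shell
    (101, 100, 1000, "exec", "su"),            # user runs su ...
    (101, 100, 0, "su_ok", "root"),            # ... and enters the root password
    (102, 101, 0, "exec", "bash"),             # root shell via the bottleneck: legal
    (105, 102, 0, "exec", "vi"),               # child of the legal root shell
    (103, 100, 1000, "exec", "setuid_tool"),   # hypothetical vulnerable setuid program
    (104, 103, 0, "exec", "sh"),               # root shell with no su on its path: illegal
]


def verify_root_shells(events):
    """Bottleneck verification: return every root shell that was not reached
    through a successful su, either directly or via an su-authenticated
    ancestor. Assumes pids are not reused while the events are processed."""
    authorized = set()   # pids that passed su, plus their descendants
    alerts = []
    for pid, ppid, uid, event, detail in events:
        if event == "su_ok":
            authorized.add(pid)
            continue
        if event != "exec":
            continue
        if ppid in authorized:
            authorized.add(pid)       # children inherit the legal root state
        if uid == 0 and detail in SHELLS and pid not in authorized:
            alerts.append((pid, ppid, detail))
    return alerts


if __name__ == "__main__":
    for alert in verify_root_shells(EVENTS):
        print("root shell outside the su bottleneck:", alert)
```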
Time Vs Vulnerability