Topic 1 – Lesson 3 Network Attacks Summary 1 Questions ► ► ► ► ► Compare passive attacks and active attacks How do packet sniffers work? How to mitigate? How does spoofing work? How to mitigate? A step by step description of DoS attacks; How to mitigate? Compare virus, worms, and Trojan Horses How to mitigate? ► ► ► ► ► ► How do malicious applets work? How to mitigate? How do war dialers work? How to mitigate? How do logic bombs work? How to mitigate? How do buffer overflow attacks work? How to mitigate? How can hackers use social engineering tactic? How to mitigate? How does dumpster diving work? How to mitigate? 2 Compare passive attacks and active attacks ► Passive attacks eavesdrop ► Active attacks change data ► Defeating passive attacks should focus on detection ► Active attacks are malicious and will directly cause damage ► 4 example active attacks: masquerade, replay, denial of service, modification ► Active attacks generally are preceded by passive attacks 3 How do packet sniffers work? How to mitigate? ► Packet sniffers are discovering information by listening in ► Packet sniffers are passive attacks & do not alter data ► How to mitigate Use encryption to prevent sniffing Use one time passwords to help defeat Packet sniffers are hard to detect because they do not alter network traffic 4 How does spoofing work? How to mitigate? ► ► Spoofing is a camouflage technique Three common types of spoofing attacks IP spoofing Email address spoofing: fake an email address Web page spoofing: fake a web page ► How to mitigate? Sender-side access control: Filters can stop people from sending out spoofed IP packets or emails Receiver-side access control: need to know whether an arriving packet is spoofed Cryptography and authentication may help IP address-based authentication is limited: why? Mitigation difficult if you have trusted systems outside your network; You should use firewalls 5 A step by step description of DDoS attacks; How to mitigate? ► ► ► ► ► Step 1: the attacker breaks into 1001 computers Step 2: the attacker installs the master program on one computer and the daemon software on the other 1000 computers Step 3: the attacker picks a victim Step 4: when the attacker launches the DDoS attack, the attacker will instruct the master program to launch the attack; then the master program will instruct the 1000 daemons to send a lot packets to the victim How to mitigate? Ways to stop server from crashing are limiting nonessential traffic Hard to defend because they look like normal traffic Harder to defend because they spoof IP addresses 6 Compare virus, worms, and Trojan Horses. How to mitigate? ► In Lesson 2, we clarified the differences between virus and worms ► Trojan horses are a special type of virus ► A Trojan horse refers to a computer program that does things more than it claims. ► One possible purpose of Trojan horses is to get passwords and info and send back ► How to mitigate? Use antivirus software Only downloading from trusted web sites Do not execute unknown applications/tools 7 On Trojan Horses A clean program, e.g., a tool Being attacked A clean program, e.g., a tool A Trojan Horse Malicious code 8 How do malicious applets work? How to mitigate? ► Java applets are embedded in web pages ► When you open a web page or click a hyperlink, a malicious applet could be executed on your computer ► Applets compromise privacy and security by stealing passwords and modifying files, and spoofing email ► How to mitigate? Disable java to avoid 9 How do war dialers work? How to mitigate? ► Dial numerous numbers and try to establish an illegal connection ► Break into a computer via its dial-up connection ► How to mitigate? Change passwords and do not use dialup. Use strong passwords. Do not use dictionary words. Less vulnerability using Ethernet connection. 10 How do logic bombs work? How to mitigate? Logic bombs can be viewed as a special type of Trojan horses ► A typical Trojan horse will be activated whenever the infected software program is executed; however, logic bombs typically stay dormant until certain conditions are satisfied. ► Can be deployed by worm or viruses? -- Yes ► Can be internal attacks from employees. ► How to mitigate? ► Can be detected and removed by virus scanning Tripwire: a tool to check if a program is modified by the attacker ► Hash the original program: a hash is a unique value based on content of the program file, and if content changes then hash value changes 11 How can hackers use social engineering tactic? How to mitigate? ► Take advantage of human characteristics ► Talk unsuspecting employees out of sensitive info. ► Comprehensive security policies will help ► Employees should be educated about this threat 12 How does dumpster diving work? How to mitigate? ► Sift through a company’s garbage to find information to help break into the computers ► Sensitive documents should be shredded 13 How do buffer overflow attacks work? How to mitigate? ► ► When a web server is executed, its stack contains the return address The hacker sends a carefully crafted URL request message to the web server The request contains a piece of code ► ► ► The request text overwrites the stack and the return address is changed The changed return address will mislead the CPU to execute the code contained in the attacking message More than 90% percent of real world hacking is via buffer overflow 14 Buffer overflow in depth Inside RAM code A normal URL request http://www.x.y Step 1. The hacker sends a malicious URL request Input buffer Return address code http://www.cnn. com/a/b/c/x.html Malicious code New Return addr The message stack other data A Web Server other data 15