Topic 1 – Lesson 3
Network Attacks
Summary
1
Questions
►
►
►
►
►
Compare passive attacks and active attacks
How do packet sniffers work? How to mitigate?
How does spoofing work? How to mitigate?
A step by step description of DoS attacks; How to mitigate?
Compare virus, worms, and Trojan Horses
 How to mitigate?
►
►
►
►
►
►
How do malicious applets work? How to mitigate?
How do war dialers work? How to mitigate?
How do logic bombs work? How to mitigate?
How do buffer overflow attacks work? How to mitigate?
How can hackers use social engineering tactic? How to
mitigate?
How does dumpster diving work? How to mitigate?
2
Compare passive attacks and active
attacks
► Passive
attacks eavesdrop
► Active attacks change data
► Defeating passive attacks should focus on
detection
► Active attacks are malicious and will directly cause
damage
► 4 example active attacks: masquerade, replay,
denial of service, modification
► Active attacks generally are preceded by passive
attacks
3
How do packet sniffers work? How
to mitigate?
► Packet
sniffers are discovering information
by listening in
► Packet sniffers are passive attacks & do not
alter data
► How to mitigate
 Use encryption to prevent sniffing
 Use one time passwords to help defeat
 Packet sniffers are hard to detect because they
do not alter network traffic
4
How does spoofing work? How to
mitigate?
►
►
Spoofing is a camouflage technique
Three common types of spoofing attacks
 IP spoofing
 Email address spoofing: fake an email address
 Web page spoofing: fake a web page
►
How to mitigate?
 Sender-side access control: Filters can stop people from sending
out spoofed IP packets or emails
 Receiver-side access control: need to know whether an arriving
packet is spoofed
 Cryptography and authentication may help
 IP address-based authentication is limited: why?
 Mitigation difficult if you have trusted systems outside your
network; You should use firewalls
5
A step by step description of DDoS
attacks; How to mitigate?
►
►
►
►
►
Step 1: the attacker breaks into 1001 computers
Step 2: the attacker installs the master program on one
computer and the daemon software on the other 1000
computers
Step 3: the attacker picks a victim
Step 4: when the attacker launches the DDoS attack, the
attacker will instruct the master program to launch the
attack; then the master program will instruct the 1000
daemons to send a lot packets to the victim
How to mitigate?
 Ways to stop server from crashing are limiting nonessential traffic
 Hard to defend because they look like normal traffic
 Harder to defend because they spoof IP addresses
6
Compare virus, worms, and Trojan
Horses. How to mitigate?
► In
Lesson 2, we clarified the differences between
virus and worms
► Trojan horses are a special type of virus
► A Trojan horse refers to a computer program
that does things more than it claims.
► One possible purpose of Trojan horses is to get
passwords and info and send back
► How to mitigate?
 Use antivirus software
 Only downloading from trusted web sites
 Do not execute unknown applications/tools
7
On Trojan Horses
A clean
program,
e.g., a tool
Being attacked
A clean
program,
e.g., a tool
A
Trojan
Horse
Malicious
code
8
How do malicious applets work? How
to mitigate?
► Java
applets are embedded in web pages
► When you open a web page or click a
hyperlink, a malicious applet could be
executed on your computer
► Applets compromise privacy and security by
stealing passwords and modifying files, and
spoofing email
► How to mitigate?
 Disable java to avoid
9
How do war dialers work? How to
mitigate?
► Dial
numerous numbers and try to establish
an illegal connection
► Break into a computer via its dial-up
connection
► How to mitigate?
 Change passwords and do not use dialup. Use
strong passwords.
 Do not use dictionary words.
 Less vulnerability using Ethernet connection.
10
How do logic bombs work? How to
mitigate?
Logic bombs can be viewed as a special type of Trojan
horses
► A typical Trojan horse will be activated whenever the
infected software program is executed; however, logic
bombs typically stay dormant until certain conditions are
satisfied.
► Can be deployed by worm or viruses? -- Yes
► Can be internal attacks from employees.
► How to mitigate?
►
 Can be detected and removed by virus scanning
 Tripwire: a tool to check if a program is modified by the attacker
► Hash
the original program: a hash is a unique value based on content
of the program file, and if content changes then hash value changes
11
How can hackers use social
engineering tactic? How to mitigate?
► Take
advantage of human characteristics
► Talk unsuspecting employees out of
sensitive info.
► Comprehensive security policies will help
► Employees should be educated about this
threat
12
How does dumpster diving work?
How to mitigate?
► Sift
through a company’s garbage to find
information to help break into the
computers
► Sensitive documents should be shredded
13
How do buffer overflow attacks
work? How to mitigate?
►
►
When a web server is executed, its stack contains the
return address
The hacker sends a carefully crafted URL request message
to the web server
 The request contains a piece of code
►
►
►
The request text overwrites the stack and the return
address is changed
The changed return address will mislead the CPU to
execute the code contained in the attacking message
More than 90% percent of real world hacking is via buffer
overflow
14
Buffer overflow in depth
Inside RAM
code
A normal
URL request
http://www.x.y
Step 1. The hacker
sends a
malicious URL
request
Input
buffer
Return address
code
http://www.cnn.
com/a/b/c/x.html
Malicious code
New Return addr
The
message
stack
other data
A Web Server
other data
15