Chapter 2 Network Attacks


SCSC 455 Computer Security

2011 Spring

Chapter 6 Network Attacks

Index

 Overview of attacks

 DoS & DDoS

 Buffer overflow

 Other attacks

 Physical security

Attacks on Networks and Computers

 Attack

Any attempt by an unauthorized person to access or use network resources

 Computer security

Concerned with the security of a single computer considered on its own, apart from any network infrastructure

 Network security

Concerned with the security of network resources

Common Network Attacks

 Common network attacks include:

Denial-of-Service (DoS)

Distributed Denial-of-Service (DDoS)

Buffer overflow

Ping of Death

Session hijacking


Denial-of-Service Attacks

 Denial-of-Service (DoS) attack

Prevents legitimate users from accessing network resources

 Attacks do not attempt to access information

Cripple the network

Makes it vulnerable to other types of attacks

 DoS attacks include two major types:

SYN flood

Smurf attack

SYN Flood

 Exploits the TCP three-way handshake

Overwhelms the server with SYN packets carrying spoofed source addresses, so the resulting half-open connections are never completed

Inhibits the server's ability to accept new TCP connections

TCP Three-Way Handshake

Smurf Attack

 A smurf attack is a non-OS-specific attack that uses the network to amplify its effect on the victim

Floods a host with ICMP traffic (echo requests sent to a broadcast address with the victim's address forged as the source, so every host on that network replies to the victim)

Saturates the Internet connection with bogus traffic and delays or prevents legitimate traffic from reaching its destination

 To prevent smurf attacks, ISPs need to take responsibility and filter out bogus packets

 bogus packets:

 broadcast packets

 packets with a fake source IP address

 not every ISP is willing to enforce this security policy

(Read article 2: The strange tale of the DoS)

Distributed Denial-of-Service (DDoS) Attacks

A DDoS attack is launched against a host from multiple servers or workstations at once

Network could be flooded with billions of requests

Loss of bandwidth

Degradation or loss of speed

 Often the participants (zombies) are not aware they are part of the attack

Thousands of zombies are controlled by the attacker via Trojan programs

DDoS Tools and Countermeasures

DDoS countermeasures:

• Security patches from software vendors

• Antivirus software

• Firewalls: Ingress (inbound) and egress (outbound) filtering

(details next …)

How to Prevent the Network from Inadvertently Attacking Others

Block any packets coming into the network destined for a broadcast address

Block any ingress packet that uses a protocol, port or source address that is not permissible on the public Internet, for example:

Private IP addresses: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16;

Multicast address space: 224.0.0.0/4

Block any packets entering your network from outside whose source address claims to originate inside your network
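The three ingress rules above, plus the egress filtering the previous slide mentions, as an added example (not the lecture's code). The site prefix 203.0.113.0/24 and all function names are assumptions chosen for the example; a real filter would live in a router or firewall configuration rather than in C.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed site prefix for this example: 203.0.113.0/24 (a documentation range). */
#define OUR_NET  0xCB007100u
#define OUR_MASK 0xFFFFFF00u

/* Parse a dotted quad into a host-order 32-bit value; returns 0 if malformed. */
static int parse_ip(const char *s, uint32_t *out) {
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

static int in_net(uint32_t ip, uint32_t net, uint32_t mask) {
    return (ip & mask) == net;
}

/* Rule 2 of the slide: private (RFC 1918) and multicast sources never
 * legitimately arrive from the Internet. */
static int bogus_source(uint32_t src) {
    return in_net(src, 0x0A000000u, 0xFF000000u)   /* 10.0.0.0/8     */
        || in_net(src, 0xAC100000u, 0xFFF00000u)   /* 172.16.0.0/12  */
        || in_net(src, 0xC0A80000u, 0xFFFF0000u)   /* 192.168.0.0/16 */
        || in_net(src, 0xE0000000u, 0xF0000000u);  /* 224.0.0.0/4    */
}

/* Ingress decision for a packet arriving from the Internet: 1 = drop, 0 = pass.
 * Malformed addresses are dropped rather than passed. */
int ingress_should_block(const char *src_s, const char *dst_s) {
    uint32_t src, dst;
    if (!parse_ip(src_s, &src) || !parse_ip(dst_s, &dst)) return 1;
    if (dst == (OUR_NET | ~OUR_MASK)) return 1;     /* rule 1: our broadcast address */
    if (bogus_source(src)) return 1;                /* rule 2: unroutable source */
    if (in_net(src, OUR_NET, OUR_MASK)) return 1;   /* rule 3: claims to be inside */
    return 0;
}

/* Egress decision for a packet leaving our network: drop anything whose source
 * is not ours, so our hosts cannot be used to spoof others (egress filtering). */
int egress_should_block(const char *src_s) {
    uint32_t src;
    return !parse_ip(src_s, &src) || !in_net(src, OUR_NET, OUR_MASK);
}
```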


Buffer Overflow Attacks

A vulnerability in poorly written code

 does not check the predefined size of an input field

 Goal of a buffer overflow attack:

Overflow the buffer with data that contains executable code

The victim executes this code, elevating the attacker's permissions to those of:

 Administrator

 Owner of the running application

 To stop software exploits

Train your programmers to develop applications with security in mind

Stay apprised of the latest security patches provided by software vendors

Buffer Overflow Exploits

 Buffer overflow exploits are the most common cause of Internet attacks

Over 50% of advisories published by CERT (Computer Emergency Response Team) are caused by various buffer overflows

Morris worm (1988): overflow in fingerd

Infected 10% of the existing Internet

CodeRed (2001): overflow in MS-IIS server

300,000 machines infected in 14 hours

SQL Slammer (2003): overflow in MS-SQL server

75,000 machines infected in 10 minutes

Memory Buffers

 A buffer is a data storage area inside computer memory (stack or heap)

Intended to hold a pre-defined amount of data

 If more data is stuffed into it, it spills into adjacent memory

If executable code is supplied as “data”, the victim's machine may be fooled into executing it

 The code will self-propagate or give the attacker control over the machine

 An attack can exploit any memory operation

Pointer assignment, format strings, memory allocation and de-allocation, function pointers, calls to library routines via offset tables

Stack Buffers

 Suppose a Web server contains this function (the lecture's own example; the unchecked strcpy is the bug under discussion):

    #include <string.h>

    void func(char *str) {
        char buf[126];      /* allocate local buffer: 126 bytes reserved on the stack */
        strcpy(buf, str);   /* copy argument into local buffer, with no length check */
    }

 When this function is invoked, a new frame with local variables is pushed onto the stack. The slide's stack diagram, redrawn as text (top of stack at the left; the stack grows toward the left):

    Top of stack                                                           Frame of the calling function
    +------------------+------------------------+---------------------------+-----------+
    | buf              | sfp                    | ret addr                  | str       |
    | local variables  | pointer to previous    | execute code at this      | arguments |
    |                  | frame                  | address after func()      |           |
    |                  |                        | finishes                  |           |
    +------------------+------------------------+---------------------------+-----------+

What If Buffer is Overstuffed?

 The memory pointed to by str is copied onto the stack…

    void func(char *str) {
        char buf[126];
        strcpy(buf, str);
    }

 strcpy does NOT check whether the string at *str contains fewer than 126 characters

 If a string longer than 126 bytes is copied into the buffer, it will overwrite adjacent stack locations:

    Top of stack                                                           Frame of the calling function
    +------------------+----------------------------------------------------+-----------+
    | buf              | overflow (runs over sfp and ret addr)              | str       |
    +------------------+----------------------------------------------------+-----------+
                                              ^ whatever lands in the ret addr slot
                                                will be interpreted as the return address!

Executing Attack Code

 Suppose the buffer contains an attacker-supplied string

For example, *str contains a string received from the network as input to some network service daemon

    Top of stack                                                           Frame of the calling function
    +-------------------------------------------------+----------+-----------+
    | code                                            | ret      | str       |
    +-------------------------------------------------+----------+-----------+
      ^                                                  |
      +--------------------------------------------------+  ret now points back into the buffer

The attacker puts actual instructions into his input string, e.g., the binary code of execve(“/bin/sh”)

In the overflow, a pointer back into the buffer appears in the location where the system expects to find the return address

 When the function exits, the code in the buffer will be executed, giving the attacker a shell

The attacker gets a root shell if the victim program is SUID root

Some Issues on Buffer Overflow

 Executable attack code is stored on the stack, inside the buffer containing the attacker's string

Stack memory is supposed to contain only data, but…

 The overflow portion of the buffer must contain the correct address of the attack code in the RET position

The value in the RET position must point to the beginning of the attack code in the buffer

 Otherwise the application will crash with a segmentation violation

The attacker must know or correctly guess in which stack position his buffer will be when the function is called

The Cause: No Range Checking

 strcpy does not check input size

 strcpy(buf, str) simply copies memory contents into buf starting from *str until a “\0” is encountered

Ignoring the size of the area allocated to buf

 Many C library functions are unsafe (no bound on the destination, or an attacker-controlled format string):

 strcpy(char *dest, const char *src)

 strcat(char *dest, const char *src)

 gets(char *s)

 scanf(const char *format, …)

 printf(const char *format, …)
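The slide's func() beside a bounded counterpart, as an added example (not the lecture's code). The names copy_bounded, safe_func and try_input_of_length are assumptions; the point is that the safe version refuses input that would not fit, rather than copying until it meets a terminator.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 126

/* The slide's vulnerable function, unchanged: strcpy copies until it meets
 * '\0' and never consults the size of buf. Kept here only for contrast. */
void func(char *str) {
    char buf[BUF_SIZE];
    strcpy(buf, str);
    (void)buf;
}

/* Bounded copy: look for the terminator only within dst_size bytes (so an
 * unterminated input cannot cause an over-read), and reject input that would
 * not fit together with its '\0'. Returns 0 on success, -1 if rejected. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL) return -1;            /* no terminator within the limit */
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);               /* n bytes plus the terminator */
    return 0;
}

/* Hardened counterpart of func(): same 126-byte buffer, but oversized input is
 * refused instead of spilling into the saved frame pointer and return address.
 * Returns the number of bytes stored, or -1 if the input was rejected. */
int safe_func(const char *str) {
    char buf[BUF_SIZE];
    if (copy_bounded(buf, sizeof buf, str) != 0) return -1;
    return (int)strlen(buf);
}

/* Helper for experiments: feed safe_func a constructed string of len 'A's. */
int try_input_of_length(size_t len) {
    char tmp[512];
    if (len >= sizeof tmp) return -2;
    memset(tmp, 'A', len);
    tmp[len] = '\0';
    return safe_func(tmp);
}
```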

Common Buffer Overflow Attacks

(details are not required)



Ping of Death Attacks

 Ping of death is actually a type of DoS attack

Not as common as during the late 1990s

 How ping of death works

The attacker creates a large ICMP packet (more than 65,535 bytes, the maximum size of an IP datagram)

The large packet is fragmented at the source network

The destination network reassembles the large packet

The destination host cannot handle the oversized packet and crashes

Ping of Death

Ping of death uses IP packet fragmentation techniques to crash remote systems
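The defence against a ping of death is a check at reassembly time: before placing a fragment, confirm that its offset plus its data would not push the reassembled datagram past 65,535 bytes. The following is an added example (not from the lecture) that parses a constructed IPv4 fragment header and applies that check; the helper names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IP_MAX_DATAGRAM 65535u   /* limit imposed by the 16-bit Total Length field */

/* Return 1 if placing this fragment at its offset would push the reassembled
 * datagram past 65,535 bytes (or the header is malformed), else 0. */
int fragment_overflows(const uint8_t *hdr, size_t len) {
    if (len < 20 || (hdr[0] >> 4) != 4) return 1;
    unsigned ihl = (hdr[0] & 0x0Fu) * 4u;
    unsigned total = ((unsigned)hdr[2] << 8) | hdr[3];
    unsigned frag = ((unsigned)hdr[6] << 8) | hdr[7];
    unsigned offset = (frag & 0x1FFFu) * 8u;   /* low 13 bits, in 8-byte units */
    if (ihl < 20 || total < ihl || total > len) return 1;
    unsigned payload = total - ihl;
    /* The reassembled datagram is one 20-byte header plus data up to this end. */
    return (offset + payload + 20u) > IP_MAX_DATAGRAM;
}

/* Constructed minimal IPv4 fragment header (no options) for experiments:
 * total_len counts header+data, offset_units is in 8-byte units. */
static void make_fragment(uint8_t *out, unsigned total_len, unsigned offset_units, int more) {
    memset(out, 0, 20);
    out[0] = 0x45;                                  /* IPv4, IHL = 5 words */
    out[2] = (uint8_t)(total_len >> 8); out[3] = (uint8_t)total_len;
    unsigned frag = (offset_units & 0x1FFFu) | (more ? 0x2000u : 0u);
    out[6] = (uint8_t)(frag >> 8); out[7] = (uint8_t)frag;
    out[9] = 1;                                     /* protocol: ICMP */
}

/* Does an Ethernet-sized fragment (<= 1500 bytes) at this offset overflow? */
int check_fragment(unsigned total_len, unsigned offset_units, int more) {
    uint8_t pkt[1500];
    if (total_len < 20 || total_len > sizeof pkt) return 1;
    memset(pkt, 0, sizeof pkt);
    make_fragment(pkt, total_len, offset_units, more);
    return fragment_overflows(pkt, total_len);
}
```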

Session Hijacking

 Session hijacking -- the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system.

 The HTTP session cookies used to maintain a session on many web sites can easily be stolen by an attacker

So that the user does not have to re-enter their username / password on every page to maintain their session, many web sites use session cookies: a token issued by the server and returned by the user's web browser to confirm its identity.

If an attacker is able to steal this cookie, they can make requests themselves as if they were the genuine user.

How a session cookie can be stolen

 Sniffing (capturing the cookie as it crosses the network)

 Stealing the session key by obtaining the file or memory contents of the relevant part of either the user's or the server's computer.

 Session fixation: the attacker sets a user's session id to one known to him

 e.g., sending the user an email with a link that contains a particular session id. The attacker then only has to wait until the user logs in by clicking that link.

How to prevent session hijacking

 Regenerating the session id after a successful login.

 prevents session fixation because the attacker does not know the session id of the user after she has logged in.

 Encryption of the session key.

 prevents sniffing-style attacks.

 Some services make secondary checks against the identity of the user.

E.g., a web server could check with each request made that the IP address of the user matched the one last used during that session.

Spoofing

 Spoofing is the act of falsely identifying a packet's IP address, MAC address, etc.

 Four primary spoofing types

IP address spoofing

ARP poisoning

Web spoofing

DNS spoofing

IP Address Spoofing

 IP address spoofing exploits trust relationships between two hosts

Involves creating an IP packet with a forged source address

Issues on IP Address Spoofing

Three issues the attacker must solve:

The reply message from the victim is NOT delivered to the attacker; since the attacker is outside the LAN, it is difficult to intercept packets

If the impersonated host (host B in the figure) replies to the victim machine, its packets could interfere with the attacker's spoofed messages.

In order for the victim to accept the spoofed packets, the attacker must guess or otherwise obtain the correct sequence number

ARP Poisoning

Q: What is ARP?

Address Resolution Protocol

ARP

The Address Resolution Protocol is used by IP, specifically IPv4, to map IP addresses to the hardware addresses (MAC addresses) used by a data link protocol.

ARP Poisoning

 The attacker sends fake ARP messages onto an Ethernet LAN.

These fake ARP messages confuse network devices, such as network switches, poisoning their ARP tables.

As a result, frames intended for one machine can be mistakenly sent to another (the attacker's computer) or to an unreachable host (a denial of service attack).

 ARP poisoning can be used in man-in-the-middle attacks and session hijacking attacks

Web Spoofing

 Convinces the victim that he or she is visiting a real and legitimate site

 Creating a website, as a hoax, with the intention of misleading readers into believing the website was created by a different organization.

Normally, the website adopts the design of the target website and sometimes has a similar URL

DNS Spoofing

 A DNS server translates human-readable computer hostnames into the IP addresses that networking equipment needs for delivering information.

In DNS spoofing, the attacker poses as the victim's legitimate DNS server

Directs users to a compromised server

Or redirects corporate email through a hacker's server where it can be copied or modified before being sent on to its final destination

How To Thwart Spoofing Attacks

 Prevent IP spoofing

Disable source routing on all internal routers

 source routing allows the sender of a packet to specify the route the packet takes through the network.

Filter out packets entering the local network from the Internet that have a source address of the local network

Prevent ARP poisoning

Use static ARP records.

Use tools that watch the local ARP cache and report to the administrator if anything unusual happens.

Prevent Web spoofing

Educate users

 Prevent DNS spoofing

Thoroughly secure DNS servers
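A minimal ARP watcher of the kind the "prevent ARP poisoning" item describes, as an added example (not the lecture's code). It parses ARP replies, remembers the first MAC seen for each IP and reports when a later reply claims a different MAC for a known IP, which is what poisoning looks like on the wire. The table size, verdict names and helper names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_ENTRIES 64
enum arp_verdict { ARP_IGNORED = -1, ARP_NEW = 0, ARP_SAME = 1, ARP_CHANGED = 2 };

static struct { uint32_t ip; uint8_t mac[6]; } table[MAX_ENTRIES];
static int table_len;

/* Record an IP->MAC binding; report when a known IP shows up with a new MAC.
 * The first binding is kept: poisoning is precisely an attempt to overwrite it. */
static enum arp_verdict arp_observe(uint32_t ip, const uint8_t *mac) {
    for (int i = 0; i < table_len; i++) {
        if (table[i].ip != ip) continue;
        return memcmp(table[i].mac, mac, 6) == 0 ? ARP_SAME : ARP_CHANGED;
    }
    if (table_len == MAX_ENTRIES) return ARP_IGNORED;
    table[table_len].ip = ip;
    memcpy(table[table_len].mac, mac, 6);
    table_len++;
    return ARP_NEW;
}

/* Inspect one ARP packet (the 28 bytes that follow the Ethernet header) and
 * feed the sender MAC/IP of replies to the watcher. Anything else is ignored. */
enum arp_verdict arp_inspect(const uint8_t *p, size_t len) {
    if (len < 28) return ARP_IGNORED;
    unsigned htype = (p[0] << 8) | p[1], ptype = (p[2] << 8) | p[3];
    unsigned opcode = (p[6] << 8) | p[7];
    if (htype != 1 || ptype != 0x0800 || p[4] != 6 || p[5] != 4) return ARP_IGNORED;
    if (opcode != 2) return ARP_IGNORED;           /* only replies bind IP to MAC */
    uint32_t sender_ip = ((uint32_t)p[14] << 24) | ((uint32_t)p[15] << 16)
                       | ((uint32_t)p[16] << 8)  | p[17];
    return arp_observe(sender_ip, p + 8);          /* sender MAC is bytes 8..13 */
}

/* Build a constructed Ethernet/IPv4 ARP reply for experiments. */
void make_arp_reply(uint8_t out[28], const uint8_t sender_mac[6], uint32_t sender_ip) {
    memset(out, 0, 28);
    out[1] = 1; out[2] = 0x08; out[3] = 0x00; out[4] = 6; out[5] = 4; out[7] = 2;
    memcpy(out + 8, sender_mac, 6);
    out[14] = (uint8_t)(sender_ip >> 24); out[15] = (uint8_t)(sender_ip >> 16);
    out[16] = (uint8_t)(sender_ip >> 8);  out[17] = (uint8_t)sender_ip;
}

void arp_reset(void) { table_len = 0; }
```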

Man-in-the-Middle Attack

 A man-in-the-middle attack is a class of attack in which the attacker places himself between two communicating hosts and listens in on their session

It is a general form of attack

It can be executed using different methods:

 ARP poisoning

ICMP redirects

DNS poisoning


Physical security

 Physical security is as important as network or computer security

Protecting a network also requires physical security

Inside attacks are more likely than attacks from outside the company

Locks

 Choose hard-to-pick locks

 Security cards

Keyloggers

Software-based

Hardware-based

Behind Locked Doors

 Lock up your servers

An average person can pick deadbolt locks in less than five minutes, after only a week or two of practice

Experienced hackers can pick deadbolt locks in under 30 seconds

Rotary locks are harder to pick

Keep a log of who enters and leaves the room

Security cards can be used instead of keys for better security

Keyloggers

Keyloggers are used to capture keystrokes on a computer

Hardware

Software

Software

Behaves like Trojan programs

Hardware

Easy to install

Goes between the keyboard and the CPU

KeyKatcher and KeyGhost

An email message captured by KeyKatcher
