Hands-On Ethical Hacking and Network Security

Network & Computer Attacks
(Part 2)
February 11, 2010
MIS 4600 – MBA 5880 - © Abdou Illia
Objectives
• Understand the types of network attacks and how they occur
  - Denial of Service attacks (DoS)
  - SYN Flood DoS
  - Distributed DoS attacks
  - Ping of Death attacks
  - Buffer Overflow attacks
• Identify physical security attacks and vulnerabilities
Denial of Service (DoS)
• An attempt to make a computer's resources unavailable to legitimate users
[Figure: the attacker's home network and several legitimate users' workstations send HTTP requests across the Internet, through a router and a hub, to a web server; the attacker's workstations send a stream of HTTP requests, and all of them use IP spoofing. Machine spec shown: Intel Pentium 4 540 (3 GHz), 512 MB SDRAM, 2 x 100 GB SATA HDD, 16x CD drive, Gateway 3-button mouse, Gateway 108 keyboard, SVGA graphic card.]
What resources would the web server use to respond to each HTTP request it receives?
What could be the consequences of the web server being flooded with too many requests from the attacker?
TCP opening and DoS
[Figure: computers 1, 2, 3, ... each complete a three-way handshake (SYN, SYN/ACK, ACK) with the server; after each handshake the server is left waiting for a request from that computer.]
• For each TCP connection request, the server has to:
  - Respond to the request
  - Set resources aside in order to respond to each data request
SYN Flood DoS
• Attacker sends a series of TCP SYN opening requests
• For each SYN, the target has to
  - Send back a SYN/ACK segment, and
  - Set aside memory and other resources to respond
• When overwhelmed, the target slows down or even crashes
• SYN flooding takes advantage of client/server workload asymmetry
[Figure: the attacker sends a stream of SYN segments to the victim.]
Web Server configuration

Ping of Death attacks
[Figure: IP header fields Total Length (16 bits), Flags, Fragment Offset (13 bits).]
• Takes advantage of
  - The fact that TCP/IP allows large packets to be fragmented
  - Some network applications' and operating systems' inability to handle packets larger than 65536 bytes
• Attacker sends IP packets that are larger than 65,536 bytes through IP fragmentation.
• Ping of Death attacks are rare today, as most operating systems have been fixed to prevent this type of attack from occurring.
• List of OS that were vulnerable:
  - http://insecure.org/sploits/ping-o-death.html
• Fix
  - Add checks in the reassembly process or in the firewall to protect hosts whose bug is not fixed
  - Check: the sum of the Total Length fields of a fragmented IP packet is < 65536 bytes
Fragment Offset: identifies which fragment this packet is attached to. Flags: indicate whether the packet could be fragmented or not.
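As an added example (not part of the original slides), the reassembly check from the Fix bullet in Python. It uses each fragment's Fragment Offset and Total Length fields rather than summing Total Length across fragments, which is the usual form of the check and also works when fragments arrive out of order; the Fragment class, the fragment_payload helper that builds the demo input, and the 20-byte reassembled header are assumptions made for this example.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535                 # largest value the 16-bit Total Length field can hold
HEADER = 20                          # reassembled datagram header (assumed: no IP options)
MAX_PAYLOAD = MAX_DATAGRAM - HEADER  # at most 65515 payload bytes fit in a legal datagram

@dataclass
class Fragment:
    ihl: int              # header length in 32-bit words (5 = 20-byte header)
    total_length: int     # Total Length field: header + payload of this fragment
    more_fragments: bool  # MF bit of the Flags field
    offset: int           # Fragment Offset field, in 8-byte units

    def payload_len(self) -> int:
        return self.total_length - self.ihl * 4

    def end_byte(self) -> int:
        # byte position just past this fragment's payload in the reassembled datagram
        return self.offset * 8 + self.payload_len()

def is_oversized(fragments) -> bool:
    """Ping-of-Death check: True if any fragment would place payload bytes beyond
    the 65,535-byte limit. Evaluated per fragment, so the datagram can be dropped
    as soon as one offending fragment arrives, without buffering every piece."""
    return any(f.end_byte() > MAX_PAYLOAD for f in fragments)

def reassembled_size(fragments) -> int:
    """Total Length the datagram would have after reassembly (header included)."""
    return HEADER + max(f.end_byte() for f in fragments)

def fragment_payload(payload_size: int, mtu: int = 1500, ihl: int = 5):
    """Constructed demo input: split a payload the way a sending host would,
    into MTU-sized fragments whose payload length is a multiple of 8 bytes."""
    chunk = (mtu - ihl * 4) // 8 * 8
    fragments, pos = [], 0
    while pos < payload_size:
        n = min(chunk, payload_size - pos)
        fragments.append(Fragment(ihl, ihl * 4 + n, pos + n < payload_size, pos // 8))
        pos += n
    return fragments

if __name__ == "__main__":
    normal = fragment_payload(8 + 56)      # ordinary 64-byte ICMP echo request
    pod = fragment_payload(8 + 65510)      # classic Ping of Death: 65,538 bytes once reassembled
    print(reassembled_size(normal), is_oversized(normal))  # 84 False
    print(reassembled_size(pod), is_oversized(pod))        # 65538 True
```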
Distributed DoS (DDoS) Attack
• Attacker hacks into multiple clients and plants handler programs and Zombie programs on them
• Attacker sends attack commands to the Handlers and Zombie programs, which execute the attacks
• First appeared in 2000 with the Mafiaboy attack against cnn.com, ebay.com, etrade.com, yahoo.com, etc.
[Figure: the attacker sends attack commands to a handler, which relays attack commands to computers running Zombie programs; the Zombies send DoS messages to the server.]
Buffer Overflow Attack
• Occurs when ill-written programs allow data destined for a memory buffer to overwrite instructions held in adjacent memory
• If the data contains malware, the malware could run and create a DoS
• Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD
[Figure: memory slots 1 to 3 form the buffer and slots 4 to 6 hold instructions (Print, Run Program, Accept input). After the input is accepted, the buffer holds A, B, C and the overflow writes D, E, F and "LET JOHN IN WITHOUT PASSWORD" over the instruction slots, followed by Run Program and Accept input.]
Addressing Physical Security
• Protecting a network also requires physical security
• Inside attacks are more likely than attacks from outside the company
Keyloggers
• Used to capture keystrokes on a computer
  - Hardware
  - Software
• Software
  - Behaves like Trojan programs
• Hardware
  - Easy to install
  - Goes between the keyboard and the CPU
  - KeyKatcher and KeyGhost
Keyloggers (continued)
• Protection
  - Software-based
    - Antivirus
  - Hardware-based
    - Random visual tests
Behind Locked Doors
• Lock up your servers
• Average person can pick deadbolt locks in less than five minutes
  - After only a week or two of practice
• Experienced hackers can pick deadbolt locks in under 30 seconds
• Rotary locks are harder to pick
• Keep a log of who enters and leaves the room
• Security cards can be used instead of keys for better security
Summary Questions
• Describe SYN flooding.
• What is a Zombie program?
• Explain how a Ping of Death attack occurs.
• Explain the difference between DoS and DDoS.
• Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability?
• What is a Buffer Overflow attack?
• What is a hardware keylogger?