MALICIOUS SOFTWARE

advertisement
MALICIOUS SOFTWARE
(악성 소프트웨어)
ABHILASH SREERAMANENI
Department Of Computer Science
Seoul National University Of Science And Technology
2014
CONTENTS
•
•
•
•
•
•
INTRODUCTION
TYPES OF MALICIOUS SOFTWARE
VIRUSES
VIRUS COUNTERMEASURES(바이러스대책)
WORMS(웜)
DITRIBUTED DENIAL OF SERVICE ATTACKS
(DDoS)
2
INTRODUCTION
• A Malicious Software(Malware) is a set of instructions that
run on your computer and make your system do something
that an attacker wants it to do on our personal or public
system’s.
• In this context, we are concerned with threats to
application programs as well as utility programs, such
as editors and compilers, and kernel-level programs.
• This presentation examines malicious software, with a
special emphasis on viruses and worms.
3
TYPES OF MALICIOUS SOFTWARE
•
•
•
•
•
Backdoor (백도어)
Logic Bomb (논리 폭탄)
Trojan Horses (트로이 목마)
Mobile Code(모바일 코드)
Multiple-Threat Malware(다중 위협 악성 코드)
The terminology in this area presents
problems because of a lack of universal agreement
(보편적 합의) on all of the terms and because
some of the categories overlap.
4
Terminology of Malicious Programs
5
TYPES OF MALICIOUS SOFTWARE
• Malicious software can be divided into two categories those that
need a host program, and those that are independent. The former,
referred to as parasitic (기생적인), are essentially fragments
( 기 본 적 으 로 프 래 그 먼 트 ) of programs that cannot exist
independently of some actual application program, utility, or system
program.
6
Backdoor (백도어)/ Trapdoor
• A backdoor, also known as a trapdoor, is a secret entry point into
a program that allows someone who is aware of the backdoor to
gain access without going through the usual security access
procedures.
• Have been commonly used by developers
• Backdoors become threats when unscrupulous ( 사 악 한 )
programmers use them to gain unauthorized access.
• It is difficult to implement operating system controls for backdoors.
• Security measures must focus on the program development and
software update activities.
7
Logic Bomb (논리 폭탄)
• One of the oldest types of program threat, predating (낳은)
viruses and worms, is the logic bomb.
• The logic bomb is code embedded in some legitimate (합법적
인)program that is set to “explode” when certain conditions
are met.
• Logic Bombs that execute on certain days are known as Time
Bombs. Activated when specified conditions met.
– E.g., presence/absence of some file
– particular date/time
– particular user
• Once triggered, a bomb may alter or delete data or entire files,
cause a machine halt, or do some other damage.
8
Trojan Horses (트로이 목마)
• Trojan horse is a malicious program that is designed as authentic, real and
genuine software (program with hidden side-effects ).
• Trojan horse programs can be used to accomplish (달성) functions indirectly
that an unauthorized user could not accomplish directly.
• Induce (유도 ) users to run the program by placing it in a common directory and
naming it, such that it appears to be a useful utility program or application.
• The code creates a backdoor in the login program that permits the author to log
on to the system using a special password. This Trojan horse can never be
discovered by reading the source code of the login program.
• Another common motivation for the Trojan horse is data destruction. The
program appears to be performing a useful function (e.g., a calculator
program), but it may also be quietly deleting the user’s files.
• Trojan horses fit into one of three models:
1) additionally performing a separate malicious activity
2) modifying the function to perform malicious activity
.
3)Performing a malicious function that completely replaces the function
of the original program
9
Mobile Code(모바일 코드)
• Mobile code refers to programs (script, macro, or other portable
instruction) that can be shipped unchanged to a heterogeneous(이종의)
collection of platforms and the term also applies to situations involving
a large homogeneous(동종의) collection of platforms ( Microsoft
Windows).
• Transmitted from remote system to local system & then executed on
local system without the user’s explicit (명백한) instruction.
• Mobile code often acts as a mechanism for a virus, worm, or Trojan
horse to be transmitted to the user’s workstation.
• In other cases, mobile code takes advantage of vulnerabilities (취약점)
to perform its own exploits, such as unauthorized data access or root
compromise.
• The most common ways of using mobile code for malicious operations
on local system are cross-site scripting, interactive and dynamic Web
sites, e-mail attachments, and downloads from un-trusted sites or of
un-trusted software.
10
Multiple-Threat Malware
(다중 위협 악성 코드)
• Viruses and malware may operate in multiple ways.
• Multipartite virus(여러 부분 바이러스) infects in multiple ways. It is
Capable of infecting multiple file types, so that virus eradication
(근절) must deals with all possible sites of infection.
• Blended attack (혼합 공격) uses multiple methods of infection or
transmission, to maximize the speed of contagion (전염병) and the
severity (엄격) of the attack. To maximize speed of contagion and
severity may include multiple types of malware
EX. Nimda has worm, virus, mobile code
• E-mail, windows shares, web servers, web clients, thus Nimda has
worm, virus, and mobile code characteristics.
• Blended attacks may also spread through other services, such
as instant messaging and peer-to-peer file sharing.
11
VIRUSES
•
•
•
•
•
Nature of Viruses (바이러스의 자연)
Viruses Classification (바이러스 분류)
Virus Kits (바이러스 키트)
Macro Viruses (매크로 바이러스)
E-Mail Viruses
12
VIRUSES
• Nature
of
Viruses
( 바 이 러 스 의
자 연 )
• Computer viruses first appeared in the early 1980s, and the term
itself is attributed to Fred Cohen in 1983.
• A computer virus is a piece of software that can “infect” other
programs by modifying them; the modification includes injecting
the original program with a routine to make copies of the virus
program, which can then go on to infect other programs.
• A virus can do anything that other programs do. The difference
is that a virus attaches itself to another program and executes
secretly when the host program is run.
• Once a virus is executing, it can perform any function, such as
erasing files and programs that is allowed by the privileges
(권한) of the current user.
13
Nature of Viruses (바이러스의 자연)
• A computer virus has three parts
• Infection Mechanism: The means by which a virus spreads,
enabling it to replicate, also referred as Infection Vector.
• Trigger: The event or condition that determines when the payload
is activated Or delivered.
• Payload: The payload may involve damage or may Involve benign
but NOTICEABLE activity.
• Four Phases – Life Cycle
• Dormant (잠자는) Phase: The virus is idle. The virus will eventually
be activated by some event, such as a date, the presence of
another program or file, or the capacity of the disk exceeding some
limit. Not all viruses have this stage.
• Propagation (번식) Phase: The virus places a copy of itself into
other programs or into certain system areas on the disk. The copy
may not be identical to the propagating version; viruses often
morph to evade detection.
14
VIRUSES
• Triggering Phase: The virus is activated to perform the function for
which it was intended.
• Execution Phase: The function is performed. The function may be
harm-less, such as a message on the screen, or damaging, such as
the destruction of programs and data files.
• VIRUS STRUCTURE (바이러스의 구조)
• A virus can be prepended (앞에 추가) or postpended to an
executable program, or it can be embedded in some other fashion.
• The key to its operation is that the infected program, when invoked
(호출), will first execute the virus code and then execute the original
code of the program.
15
VIRUSES
• The infected program begins with the virus code and works as
follows.
16
VIRUSES
• Initial Infection: Unfortunately, prevention is extraordinarily
difficult because a virus can be part of any program or outside a
system.
• It is easy enough to write a machine code virus for UNIX systems,
they were almost never seen in practice because the existence of
access controls on these systems prevented effective propagation
of the virus.
• Viruses Classification (바이러스 분류)
• In this section, we follow and classify viruses along two orthogonal
axes (직교 축): the type of target the virus tries to infect and the
method the virus uses to conceal itself from detection by users and
antivirus software.
• A virus classification by target includes the following categories:
• Boot sector infector: Infects a master boot record or boot record
and spreads when a system is booted from the disk containing the
virus.
17
VIRUSES
• File infector: Infects files that the operating system or shell consider to be
executable.
• Macro(매크로) virus: Infects files with macro code that is interpreted by an
application.
• Concealment (은폐) strategy includes the following categories:
• Encrypted Virus : A portion of virus creates a random encryption key and
encrypts the remainder of the virus. The key is stored with the virus. When the
virus replicates, a different random key is generated.
• Stealth Virus (스텔스 바이러스): explicitly designed to hide from Virus
Scanning programs.
• Polymorphic Virus (다형성 바이러스 ): mutates with every New host to
prevent signature detection, signature detection is useless.
• Metamorphic Virus (변성 바이러스 ): Rewrites itself completely with every
new host, May change their behavior and appearance.
• Virus Kits (바이러스 키트)
• viruses created with toolkits tend to be less sophisticated (정교한 ) than viruses
designed from scratch, the sheer number of new viruses that can be generated
using a toolkit creates a problem for antivirus schemes.
18
VIRUSES
• Became very common in mid-1990s since.
1) Platform independent.
2) Infect Microsoft Word documents.
3) Easily spread.
• Exploit (익스플로잇 ) macro capability of office apps.
1) Executable program embedded in office doc.
2) Often a form of Basic.
•
Successive releases of MS Office products provide increased protection against
macro viruses. Recognized by many anti-virus programs
•
E-Mail Viruses
• A more recent development in malicious software is the e-mail virus. The first
rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word
macro embedded in an attachment.
– exploits MS Word macro in attached doc
– if attachment opened, macro activates
– sends email to all on users address list
19
– does local damage
VIRUSES
• Then saw versions triggered reading email
• Hence much faster propagation
• Fake HR (human resources) emails with virus
VIRUS COUNTERMEASURES(바이러스대책)
• Antivirus Approaches (바이러스 백신 접근)
• Advanced Antivirus Techniques
• The ideal solution to the threat of viruses is prevention, do
not allow a virus to get into the system in the first place. This
goal is, in general, impossible to achieve, although
prevention can reduce the number of successful viral attacks.
20
Antivirus Approaches (바이러스 백신 접근)
•
•
•
•
•
•
Detection: Once the infection has occurred, determine that it has occurred and
locate the virus.
Identification: Once detection has been achieved, identify the specific virus that
has infected a program.
Removal: Once the specific virus has been identified, remove all traces of the
virus from the infected program and restore it to its original state. Remove the
virus from all infected systems so that the disease cannot spread further.
If detection succeeds but either identification or removal is not possible, then the
alternative is to discard (폐기) the infected program and reload a clean backup
version.
Advances in virus and antivirus technology go hand in hand. Early viruses were
relatively simple code fragments (조각 ) and could be identified and purged
(제거) with relatively simple antivirus software packages. As the virus arms race
has evolved, both viruses and, necessarily, antivirus software have grown more
complex and sophisticated (복잡하고 , 정교한).
Identifies four generations of antivirus software:
21
Antivirus Approaches (바이러스 백신 접근)
• A first-generation scanner requires a virus signature(바이러스 서명) to identify a
virus. The virus may contain “wildcards(와일드 카드)” but has essentially the same
structure and bit pattern in all copies. Such signature-specific scanners are limited to
the detection of known viruses.
• A second-generation scanner uses heuristic(스스로 발견하게하는) rules to
search for probable virus infection, eg. to look for fragments (프래그먼트) of code
that are often associated with viruses.. Another second-generation approach is
integrity (보전) checking, using a hash function rather than a simpler checksum
(간단한 검사).
• Third-generation programs are memory-resident programs that identify(확인) a
virus by its actions rather than structure in an infected program. These have the
advantage that it is not necessary to develop signatures / heuristics, but only to
identify the small set of actions indicating an infection is attempted and then
intervene (개입) .
• Fourth-generation products are packages consisting of a variety of antivirus
techniques used in conjunction (결합) . These include scanning and activity trap
components. In addition, such a package includes access control capability, which
limits the ability of viruses to penetrate a system and then limits the ability of a virus
to update files in order to pass on the infection.
22
Advanced Antivirus Techniques
• More sophisticated antivirus approaches and products continue to
appear. In this sub-section, we highlight some of the most
important.
• GENERIC DECRYPTION (일반적인 암호 해독)
• Generic decryption (GD) technology enables the antivirus program
to easily detect even the most complex polymorphic (다형성)
viruses while maintaining fast scanning speeds . Recall a file
containing a polymorphic virus is executed, the virus must decrypt
itself to activate. In order to detect such a structure, executable
files are run through a GD scanner.
• CPU emulator (에뮬레이터): A software-based virtual computer
that interprets instructions in an executable file rather than
executing them on the underlying processor.
• Virus signature scanner: scans the target code looking for known
virus signatures.
23
Advanced Antivirus Techniques
• Emulation (에뮬레이션) control module: Controls the execution
of the target code.
• DIGITAL IMMUNE SYSTEM (디지털 면역 시스템)
• The digital immune system is a comprehensive approach to virus protection
developed by IBM and subsequently refined by Symantec. The objective of this
system is to provide rapid response time so that viruses can be stamped out
almost as soon as they are introduced. When a new virus enters an organization,
the immune system automatically captures it, analyzes it, adds detection and
shielding for it, removes it, and passes information about that virus to other
systems so that it can be detected before it is allowed to run elsewhere.
• Integrated mail systems: Systems such as Lotus Notes and Microsoft Outlook
make it very simple to send anything to anyone and to work with objects that
are received.
• Mobile-program systems: Capabilities such as Java and ActiveX allow programs
to move on their own from one system to another.
24
DIGITAL IMMUNE SYSTEM (디지털 면역 시스템)
25
BEHAVIOR-BLOCKING SOFTWARE OPERATION
• Block suspicious software in real-time, it has an
advantage over such established antivirus detection
techniques as fingerprinting or heuristics.
• In its simplest form, behavior blocking monitors file
activities, preventing certain modifications to the
operating system or related files.
• For example, behavior blockers may monitor the
system registry, and warn users accordingly if a file
being executed is attempting to modify it.
BEHAVIOR-BLOCKING SOFTWARE OPERATION
(행동 차단 소프트웨어 작업)
27
Motivation
• large
scale systems
need to be high performance
2000
1990
2010
Standalone Antivirus
Security suits
`
Sandboxes
• We have to found a suitable technology for
lightweight secure environmnts in large scale
systems.
• Latest and most sophisticated technology
emerged recently is Sand Box technology.
28/36
SANDBOX
User allows to run suspicious program in the Sandbox, the program
Will run as usual but operations like files opened/created/renamed
and read/writes from registry are monitored and virtualized, that
means stored only in the sandbox and no permanent changes will be
saved to user’s system.
29/36
SANDBOX
Auto Sandbox offers three options for users
When ever suspicious application is identified
1. Execute the file within the virtual autoSandbox,
2. Run it outside the sandbox or
3. Cancel running the application entirely,
suspicious application is identified:
Usage of sandboxes
Network
monitoring tools,
Network traffic FVM
control
IDS
BlueBox
Resource
Management
systems
Virtualization
Anti
viruses
Norman
Avast
Chromium
Java sandbox
Sandbox
approach
Rule base
management
systems
Mobile
computing
Mobile codes
Honey pots
Full
virtualization
FVM
EVM
Cloud/Grid
Gridbox
computing
DGMonitor
Sandbox technology present by Arash
Janus
Karami
31/36
Some surveyed sandboxes
Sandbox name
Goal
Implantation
Level
Heterogonous
Compatible OS
Application
Domain
Program
Chroot
OS virtualization
User mode
No
Most Unix-like OS
Secure policy
Chroot
Gridbox
Improve security
in grid
User mode
Y/N
All Unix-like OS
Grid computing,
Pro Grid,SETI@
ACL, customize
confige file,
BlueBox
N IDS
Kernel mode
No
Linux
Network IDS,
Host base real –
time IDS,
webservers
Host base driven
DGMonitor
Virtualized
resources
User mode
Yes
Linux,windows,U
nix
Entropia,
DCGrid,Xterm
web
Portable,
Entropia VM
Virtualization
Kernle mode
No
Windows NT or
higher
Grid systems,
image –
processing
Combine VM
approach with
Sandbox
approach, File
Virtualzaiton,
Thread mng,Job
manager
Janus
Monitoring
User mode
No
Solaris 2.4
Chromium
Sandboxing
User mode
Yes
Unix-like,
windows
Ptrace/proc
mechanism
Web application
32/36
Time-Line
• Progress sandboxes
Systrace
chromium
Condor
Gridbox
Avast
Chroot
1980
Janus
1985
FreeBSD Jail
1990
1995
2000
Sandbox technology present by Arash
Karami
2005
2010
33
WORMS(웜)
•
•
•
•
•
•
The Morris Worm (모리스 웜)
Worm Propagation Model (웜의 전파 모델)
Recent Worm Attacks
State of Worm Technology
Mobile Phone Worms
Worm Countermeasures (웜 대책)
34
WORMS(웜)
•
•
•
•
•
•
A worm is a program that can replicate (복제) itself and send copies from computer to
computer across network connections. Upon arrival, the worm may be activated to
replicate and propagate (전파) again.
Examples include, a network worm uses some sort of network vehicle:
1) Electronic mail facility
2) Remote execution capability
3) Remote login capability
A network worm exhibits the same characteristics as a computer virus:
. A Dormant (잠자는) phase, a propagation phase, a triggering phase, and an
execution phase.
The propagation phase generally performs the following functions:
1) Search for other systems to infect by examining host tables.
2) Establish a connection with a remote system.
3) Copy itself to the remote system and cause the copy to be run.
In a multiprogramming system, it may also disguise (가장) its presence by
naming itself as a system process
Concept seen in John Brunner’s in 1975 in novel called “Shockwave Rider”. The first
known worm implementation was done in Xerox Palo Alto labs in 1980’s.
35
WORMS(웜)
• The Morris Worm (모리스 웜)
• Until the current generation of worms, the best known was the worm.
• Released onto the Internet by Robert Morris in 1988.
• The Morris worm was designed to spread on UNIX systems and used a
number of different techniques for propagation.
• For each discovered host, the worm tried a number of methods for
gaining access:
1) It attempted to log on to a remote host as a legitimate (합법적 인) user,
having cracked the local password file, and assuming that many users use the
same password on different systems.
2) It exploited a bug in the UNIX finger protocol.
3) It exploited a trapdoor in the debug option of the remote send mail
process.
• If any of these attacks succeeded, the worm achieved communication with the
operating system command interpreter (통역사) .
• The bootstrap program then called back the parent program and downloaded
the remainder of the worm. The new worm was then executed.
36
WORMS(웜)
• Worm Propagation Model (웜의 전파 모델)
• The speed of propagation and the total number of hosts infected
depend on a number of factors, including the mode of propagation,
the vulnerability or vulnerabilities (취약점) exploited, and the
degree of similarity to preceding attacks.
• Worm Propagation Model (웜의 전파 모델)
37
Recent Worm Attacks
• The contemporary era of worm threats began with the release of
the Code Red worm in July of 2001.
• Code Red exploits a security hole in the Microsoft Internet
Information Server (MIIS) to penetrate and spread.
• The worm probes random IP addresses to spread to other hosts,
then initiates a denial-of-service attack against a government Web
site by flooding (홍수) the site with packets from numerous hosts.
• Code Red II is a variant that targets Microsoft IISs. In addition, this
newer worm installs a backdoor, allowing a hacker to remotely
execute commands on victim (희생자) computers.
• In early 2003, the SQL Slammer worm appeared. This worm
exploited a buffer overflow vulnerability in Microsoft SQL server.
• My doom is a mass-mailing e-mail worm that appeared in 2004. It
followed a growing trend of installing a backdoor in infected
computers, thereby enabling hackers to gain remote access to data
such as passwords and credit card numbers.
38
WORMS(웜)
• Recent Worm Attacks
• A recent worm that rapidly became prevalent in a variety of
versions is the Ware-zov family of worms. Ware-zov scans
several types of files for e-mail addresses and sends itself as an
e-mail attachment.
• State of Worm Technology
•
1.
2.
3.
4.
5.
6.
7.
The state of the art in worm technology includes the following:
Multi-platform (멀티 플랫폼)
Multi-exploit (다중 이용)
Ultrafast spreading (초고속 확산 )
Polymorphic (다형성 )
Metamorphic (변성 )
Transport vehicles (운송 차량 )
Zero-day exploit (제로 데이 공격 )
39
WORMS(웜)
• Mobile Phone Worms
• Worms first appeared on mobile phones in 2004. The target
is the smart phone, which is a mobile phone that permits
users to install software applications from sources other than
the cellular network operator. These worms communicate
through Bluetooth wireless connections or via (MMS).
• Mobile phone malware can completely disable the phone,
delete data on the phone, or force the device to send costly
messages to premium- priced numbers.
• Comm Warrior, which was launched in 2005. This worm
replicates by means of Bluetooth to nearby phones . It also
sends itself as an MMS file to numbers in the phone's
address book and in automatic replies to incoming text
messages and MMS messages.
40
WORMS(웜)
• Worm Countermeasures (웜 대책)
• Considerable overlap (중복) in techniques for dealing with viruses and worms.
• Once a worm is resident on a machine, antivirus software can be used to detect it.
• In addition, because worms propagation generates considerable network activity,
the monitoring of that activity can lead form the basis of a worm defense.
• Requirements for an effective worm countermeasure scheme:
1) Generality (보편성)
2) Timeliness (적시)
3) Resiliency (복원력)
4) Minimal denial-of-service costs (최소 서비스 거부 비용)
5) Transparency (투명도)
6) Global and local coverage
• Worm Defense Counter approaches include:
A. Signature-based worm scan filtering
B. Filter-based worm containment
C. Payload-classification-based worm containment
D. Threshold (임계 값) random walk scan detection
E. Rate limiting and rate halting
41
WORMS(웜)
• PROACTIVE (사전 조치) WORM CONTAINMENT (견제) (PWC)
• The PWC (PROACTIVE WORM CONTAINMENT ) scheme is host
based rather than being based on network devices such as
honey-pots, firewalls, and network IDSs.
• PWC is designed to address the threat of worms that spread
rapidly.
• A surge is detected, the software immediately blocks its host
from further connection attempts.
• In contrast, the Slammer worm on average sent out 4000
infected packets per second.
• A deployed PWC system consists of a PWC manager and PWC
agents in hosts.
42
WORMS(웜)
• Example PWC Deployment
43
WORMS(웜)
• NETWORK-BASED WORM DEFENSE
• The key element of a network-based worm defense is worm monitoring
software.
• Two types of monitoring software:
1) Ingress (수신) monitors: These are located at the border between
the enterprise network and the Internet.
2) Egress (출구) monitors: These can be located at the egress point
of individual LANs on the enterprise network as well as at the border
between the enterprise network and the Internet.
• Worm monitors can act in the manner of intrusion (침입) detection
systems and generate alerts to a central administrative system.
• It is also possible to implement a system that attempts to react in real
time to a worm attack, so as to counter zero-day exploits effectively.
• This is similar to the approach taken with the digital immune system
44
WORMS(웜)
• Placement of Worm Monitors
45
DITRIBUTED DENIAL OF SERVICE ATTACKS
(DDoS)
• Distributed denial of service (DDoS) attacks present a significant
security threat to corporations.
•
DDoS attacks make computer systems inaccessible by flooding
servers, networks, or even end user systems.
• In a typical DDoS attack, a large number of compromised
(zombie) hosts are amassed(축적) to send useless packets.
• In recent years, the attack methods and tools have become more
sophisticated, effective.
46
DITRIBUTED DENIAL OF SERVICE ATTACKS (DDoS)
• DDoS Attack Description
• A DDoS attack attempts to consume the target’s resources . One
way to classify DDoS attacks, either an internal host resource on
the target system, or data transmission capacity in the target local
network.
• INTERNAL RESOURCE ATTACK
(a) Distributed SYN flood attack
47
DITRIBUTED DENIAL OF SERVICE ATTACKS (DDoS)
• DDoS Attack Description
•
Stallings Figure illustrates an example of an attack that consumes data transmission resources.
•
1. The attacker takes control of multiple hosts over the Internet, instructing them to send ICMP
ECHO packets with the target’s spoofed IP address to a group of hosts that act as reflectors .
2. Nodes at the bounce site receive multiple spoofed(스푸핑) requests and respond by sending
echo reply packets to the target site.
3. The target’s router is flooded with packets from the bounce site, leaving no data transmission
capacity for legitimate traffic.
•
•
(b) Distributed ICMP attack
48
DITRIBUTED DENIAL OF SERVICE ATTACKS (DDoS)
• Constructing the Attack Network
• The first step in a DDoS attack is for the attacker to infect a number of
machines with zombie software that will ultimately be used to carry out the
attack.
• Essential ingredients are:
1. Software that can carry out the DDoS attack, runnable on a large number
of machines,
2. A vulnerability in a large number of systems, that many system admins
/users have failed to patch .
3. A strategy for locating vulnerable machines, known as scanning, such as:
• Random, Hit-list, Topological, Local subnet.
49
DITRIBUTED DENIAL OF SERVICE ATTACKS (DDoS)
• Constructing the Attack Network
•
•
classify DDoS attacks as either direct or reflector DDoS attacks.
In a direct DDoS attack , the attacker is able to implant(임플란트) zombie software on a number of
sites distributed throughout the Internet. Often, the DDoS attack involves two levels of zombie
machines: master zombies and slave zombies. The hosts of both machines have been infected with
malicious code. The attacker coordinates and triggers the master zombies, which in turn coordinate
and trigger the slave zombies. The use of two levels of zombies makes it more difficult to trace the
attack back to its source and provides for a more resilient network of attackers.
(a) Direct DDoS Attack
50
DITRIBUTED DENIAL OF SERVICE ATTACKS (DDoS)
• Constructing the Attack Network
•
A reflector DDoS attack adds another layer of machines. In this type of attack, the slave zombies
construct packets requiring a response that contain the target's IP address as the source IP address
in the packet's IP header. These packets are sent to uninfected machines known as reflectors. The
uninfected machines respond with packets directed at the target machine. A reflector DDoS attack
can easily involve more machines and more traffic than a direct DDoS attack and hence be more
damaging. Further, tracing back the attack or filtering out the attack packets is more difficult
because the attack comes from widely dispersed uninfected machines.
51
REFERENCE
• William Stallings FOURTH EDITION
• http://en.wikipedia.org/wiki/Malware
• sandboxie http://www.sandboxie.com/
52
END
THANK YOU
53
Download