
Lecture Security+ Certification: Chapter 3 (part 1) - Trung tâm Athena


DOCUMENT INFORMATION

Basic information

Pages: 43
Size: 0.98 MB

Contents

Chapter 3 - Attacks and malicious code (part 1). After reading the material in this chapter, you should be able to: Explain denial-of-service (DoS) attacks, explain and discuss ping-of-death attacks, identify major components used in a DDoS attack and how they are installed, understand major types of spoofing attacks.

Slide 1

Chapter 3:

Attacks and Malicious Code

Slide 2

Objectives in this chapter

Identify major components used in a DDoS attack and how they are installed

Understand major types of spoofing attacks, and TCP session hijacking

ATHENA

continued…

Slide 3

Learning Objectives

and explain why they can be incredibly damaging

encrypted data

identify a countermeasure for each one

Slide 4

Why Secure a Network?

External attacker

Internal attacker

Slide 5

Vulnerability – a problem or error that opens up a security “hole”

Patch – code that will eliminate the vulnerability (patch must be applied)

Exploit – code (often a virus or a worm) that can take advantage of a particular vulnerability

Slide 6

What should happen


Slide 7

Denial-of-Service Attacks

unusable by its real user(s)

Slide 8

TCP Three-Way Handshake


Slide 9

SYN Flood

machine sends back a SYN, ACK; the initiating machine never sends back the final ACK to complete the connection

time before clearing the connection

Slide 10

SYN Flood

written, the programmers decided on a certain number of connections that could be “waiting”

accept new connections, so it is effectively not listening

Slide 11

SYN Flood

Slide 13

Things the Blackhat Must Consider

the spoofed address

 If this is a real machine, it will reply with a RST, which will clear the connection. This is not what the blackhat wants

 Solution, use a private address or an unallocated address as the spoofed source IP address

Slide 14

What Can the Good-guys Do?

wait before clearing the connection

attempts

receiving machine. This will allow the connection to be moved out of the half-open queue
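The three defensive ideas on slides 9, 10 and 14 (a fixed-size queue of half-open connections, a shorter wait before a stale entry is cleared, a cap on half-open attempts, and freeing a slot when a RST arrives) are easier to reason about with the bookkeeping written out. The following is an added example, not code from the Athena slides; it models only the listener's half-open table, not real TCP, and the backlog size, timeout, source addresses and timestamps are constructed values.

```python
"""Half-open connection table with SYN-flood mitigations (added example, not
from the Athena slides). Only the table bookkeeping is simulated; the backlog,
timeout, addresses and timestamps below are constructed for illustration."""
from collections import OrderedDict


class HalfOpenTable:
    def __init__(self, backlog=4, timeout=5.0, max_per_source=2):
        self.backlog = backlog                # fixed size "the programmers decided on"
        self.timeout = timeout                # seconds before a stale entry is cleared
        self.max_per_source = max_per_source  # cap on half-open attempts per source IP
        self.pending = OrderedDict()          # (src_ip, src_port) -> time the SYN arrived
        self.established = []                 # completed three-way handshakes
        self.rejected = []                    # ((src_ip, src_port), reason) for the log

    def _expire(self, now):
        # Mitigation (a): wait less time before clearing a half-open entry.
        for key, t in list(self.pending.items()):
            if now - t > self.timeout:
                del self.pending[key]

    def _count_from(self, src_ip):
        return sum(1 for ip, _ in self.pending if ip == src_ip)

    def on_syn(self, src_ip, src_port, now):
        """A SYN arrived; return True if a half-open slot was allocated."""
        self._expire(now)
        key = (src_ip, src_port)
        # Mitigation (b): limit the number of half-open attempts per source.
        if self._count_from(src_ip) >= self.max_per_source:
            self.rejected.append((key, "per-source limit"))
            return False
        if len(self.pending) >= self.backlog:
            # Queue is full: the listener is "effectively not listening".
            self.rejected.append((key, "backlog full"))
            return False
        self.pending[key] = now               # the SYN,ACK would be sent here
        return True

    def on_ack(self, src_ip, src_port, now):
        """The final ACK completes the handshake and frees the slot."""
        self._expire(now)
        key = (src_ip, src_port)
        if key in self.pending:
            del self.pending[key]
            self.established.append(key)
            return True
        return False

    def on_rst(self, src_ip, src_port):
        # Mitigation (c): a RST moves the entry out of the half-open queue.
        return self.pending.pop((src_ip, src_port), None) is not None

    def is_listening(self):
        return len(self.pending) < self.backlog


def simulate():
    """Constructed scenario: one source sends four SYNs and never completes them,
    then a legitimate client connects. Returns (legit client admitted,
    number of rejected SYNs, half-open entries left, established list)."""
    table = HalfOpenTable(backlog=4, timeout=5.0, max_per_source=2)
    # Flooder (constructed address) opens as many half-open entries as it can, t=0..3.
    for port in range(40000, 40004):
        table.on_syn("198.51.100.9", port, now=float(port - 40000))
    # At t=4 a real client connects; the per-source cap kept slots free for it.
    legit = table.on_syn("192.0.2.10", 51000, now=4.0)
    table.on_ack("192.0.2.10", 51000, now=4.1)
    # By t=20 the flooder's stale entries have exceeded the timeout and are cleared.
    table.on_syn("192.0.2.11", 51001, now=20.0)
    return legit, len(table.rejected), len(table.pending), table.established


if __name__ == "__main__":
    print(simulate())
```

Without the per-source cap, the four flood SYNs alone would fill a backlog of 4 and the legitimate client would be refused until the timeout cleared them; with it, two of the flood SYNs are rejected and the client gets through immediately.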

Slide 16

to amplify its effect on the victim

broadcast address using the victim’s address as the source

replies

traffic and delays/prevents legitimate traffic from reaching its destination

Slide 18

Protective Measures Against Smurf

messages with a destination of an internal broadcast or multicast address

requests directed to their broadcast address

list of smurf amplifier networks and http://www.netscan.org/ to make sure your network is configured properly

Slide 19

IP Fragmentation Attacks: Ping of Death

crash remote systems

most network topologies can’t handle packets of that size – so the packet is broken into smaller packets (fragmentation)

would crash older operating systems

Slide 20

Ping of Death


Slide 21

Distributed Denial-of-Service Attacks

the victim by flooding its link to the Internet or depriving it of resources

business Internet sites

kiddies

 Result in temporary loss of access to a given site

Slide 22


Slide 23

DDoS Tools and Attack Methods

Slide 24

filtering

Slide 25

Ingress and Egress Filtering

Slide 26

Preventing the Network from Inadvertently Attacking Others

for a broadcast address

that has a source address that is not permissible on the Internet (see Figures 3-8 and 3-9)

continued…

Slide 27

Preventing the Network from Inadvertently Attacking Others

 Block at the firewall any packet that uses a protocol or port that is not used for Internet communications on the network

inside your network from entering your network

Slide 28

Ingress Filtering of Packets with RFC 1918 Addresses


Slide 29

Filtering of Packets with RFC 2827 Addresses

Slide 30

IP – What to Filter

 All private addresses: 10.0.0.0, 172.16.0.0 – 172.31.0.0, 192.168.0.0 coming in or going out

see http://www.iana.org/assignments/ipv4-address-space) coming or going

Slide 32

IP Address Spoofing

hosts

router, the firewall, by an application, or by the OS

source address

Slide 33

Problems to be overcome

addresses, the attacker can’t cause the return packets to be delivered back to him/her

 The return packets will be delivered to the trusted host, which could reset the connection and foil the attack

correct sequence number

Slide 34


Slide 35

ARP Poisoning

corrupting ARP caches of directly connected machines (gratuitous arp)

hijacking attacks

• ARPoison

Slide 36

Web Spoofing

 Convinces victim that he or she is visiting a real and legitimate site

and a denial-of-service attack

Slide 37

Web Spoofing

Slide 38

DNS Spoofing Effects

hacker’s server where it can be copied or modified before sending mail to final destination

Slide 39

DNS Spoofing 1

and changes hostname-to-IP address mappings

the clients could be directed anywhere

organization.)

Slide 40

DNS Spoofing 2

server and gives out bogus info

 Attacker poisons the arp caches of the client machines to direct their requests to the bogus DNS machine

(DoSes it)

Slide 41

DNS Spoofing 3

IP number “out there”, the attacker sends a reply packet to the DNS server with bogus info

 DNS server will accept the first reply with correct query number

Slide 42

To Thwart Spoofing Attacks

• Disable source routing on all internal routers

• Filter out packets entering local network from the Internet that have a source address of the local network

features

continued…

Slide 43

To Thwart Spoofing Attacks

Posted: 30/01/2020, 11:57