Chapter 3 - Attacks and malicious code (part 1). After reading the material in this chapter, you should be able to: Explain denial-of-service (DoS) attacks, explain and discuss ping-of-death attacks, identify major components used in a DDoS attack and how they are installed, understand major types of spoofing attacks.
Chapter 3: Attacks and Malicious Code
ATHENA

Objectives in this chapter
• Explain denial-of-service (DoS) attacks
• Explain and discuss ping-of-death attacks
• Identify major components used in a DDoS attack and how they are installed
• Understand major types of spoofing attacks
• Discuss man-in-the-middle attacks, replay attacks, and TCP session hijacking

Learning Objectives (continued)
• Detail three types of social-engineering attacks and explain why they can be incredibly damaging
• List major types of attacks used against encrypted data
• List major types of malicious software and identify a countermeasure for each one

Why Secure a Network?
(Diagram: internal attacker, external attacker, corporate assets, virus, incorrect permissions)
• A network security design protects assets from threats and vulnerabilities in an organized manner
• To design security, analyze the risks to your assets and create responses

Terminology
• Vulnerability – a problem or error that opens up a security "hole"
• Patch – code that will eliminate the vulnerability (the patch must be applied)
• Exploit – code (often a virus or a worm) that can take advantage of a particular vulnerability

What Should Happen
• Vulnerability is found and published
• Patch is written and made available
• Everybody patches their computers
• Then, somebody releases an exploit

Denial-of-Service Attacks
• Any malicious act that causes a system to be unusable by its real user(s)
• Take numerous forms
• Are very common
• Can be very costly
• Major types: SYN flood, Smurf attack

TCP Three-Way Handshake
(Diagram slide)

SYN Flood
• Exploits the TCP three-way handshake
• Initiating machine sends a SYN; receiving machine sends back a SYN, ACK
• Initiating machine never sends back the final ACK to complete the connection
• Receiving machine will wait a certain length of time before clearing the connection
• When the receiving machine's stack was written, the programmers decided on a certain number of connections that could be "waiting"
• When this number is reached the machine can't accept new connections, so it is effectively not listening

Filtering of Packets with RFC 2827 Addresses
(Diagram slide)

IP – What to Filter
• All private addresses: 10.0.0.0, 172.16.0.0 – 172.31.0.0, 192.168.0.0, coming in or going out
• 127.0.0.0 coming in or going out
• Unallocated IP numbers (1.0.0.0, 2.0.0.0, etc. – see http://www.iana.org/assignments/ipv4-address-space) coming or going
• Your addresses coming in

Spoofing
• Act of falsely identifying a packet's IP address, MAC address, etc.
• Four primary types: IP address spoofing, ARP poisoning, Web spoofing, DNS spoofing

IP Address Spoofing
• Used to exploit trust relationships between two hosts
• Trust relationship could be enforced at the router, the firewall, by an application, or by the OS
• Involves creating an IP packet with a forged source address

Problems to Be Overcome
• Although it's easy to craft packets and spoof IP addresses, the attacker can't cause the return packets to be delivered back to him/her
• The return packets will be delivered to the trusted host, which could reset the connection and foil the attack
• The packets sent to the victim must have the correct sequence number

ARP Poisoning
• Attacker takes over the victim's IP address by corrupting the ARP caches of directly connected machines (gratuitous ARP)
• Used in man-in-the-middle and session hijacking attacks
• Attack tools: ARPoison, Ettercap, Parasite

Web Spoofing
• Convinces the victim that he or she is visiting a real and legitimate site
• Considered both a man-in-the-middle attack and a denial-of-service attack
(Diagram slide)

DNS Spoofing Effects
• Can direct users to a compromised server
• Can redirect corporate e-mail through a hacker's server, where it can be copied or modified before the mail is sent to its final destination

DNS Spoofing
• The attacker compromises the real DNS server and changes hostname-to-IP address mappings
• When the DNS server answers client requests, the clients could be directed anywhere (DNS is the most important server in the organization.)

DNS Spoofing (continued)
• Attacker poses as the victim's legitimate DNS server and gives out bogus info
• Attacker poisons the ARP caches of the client machines to direct their requests to the bogus DNS machine
• Attacker shuts the legitimate DNS server up (DoSes it)

DNS Spoofing (continued)
• When the real DNS server does a lookup for an IP number "out there", the attacker sends a reply packet to the DNS server with bogus info
• Attacker must correctly "guess" the query number
• DNS server will accept the first reply with the correct query number

To Thwart Spoofing Attacks
IP spoofing
• Disable source routing on all internal routers
• Filter out packets entering the local network from the Internet that have a source address of the local network
ARP poisoning
• Use network switches that have MAC binding features

To Thwart Spoofing Attacks (continued)
Web spoofing
• Educate users
DNS spoofing
• Thoroughly secure DNS servers
• Deploy anti-IP address spoofing measures
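As an added illustration of the half-open backlog described in the SYN Flood slides (this is example code, not part of the original deck), the following Python reads a constructed netstat-style connection table, counts connections stuck in SYN_RECV per listening port, and flags ports approaching an assumed backlog limit.

```python
"""Detect a SYN flood from a netstat-style connection table (constructed sample)."""
from collections import Counter

# Constructed sample in the style of `netstat -tan` output, not real capture data.
SAMPLE_NETSTAT = """\
tcp 0 0 10.0.0.5:80 198.51.100.7:40001 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.8:40002 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.9:40003 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.10:40004 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.20:51000 ESTABLISHED
tcp 0 0 10.0.0.5:22 203.0.113.21:51001 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.11:40005 SYN_RECV
"""


def parse_connections(text):
    """Return (local_port, remote_ip, state) tuples from netstat-style lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        local, remote, state = parts[3], parts[4], parts[5]
        local_port = int(local.rsplit(":", 1)[1])
        remote_ip = remote.rsplit(":", 1)[0]
        conns.append((local_port, remote_ip, state))
    return conns


def half_open_per_port(conns):
    """Count connections waiting in SYN_RECV (SYN seen, SYN/ACK sent, final ACK missing) per local port."""
    return Counter(port for port, _ip, state in conns if state == "SYN_RECV")


def syn_flood_suspects(conns, backlog, warn_fraction=0.5):
    """Flag ports whose half-open count is close to the listener's backlog limit.

    backlog is the fixed number of "waiting" connections the stack allows (the
    value the slide says was decided when the stack was written); here it is an
    assumed parameter, not read from the system.
    """
    counts = half_open_per_port(conns)
    return {port: n for port, n in counts.items() if n >= backlog * warn_fraction}


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_NETSTAT)
    print(half_open_per_port(conns))               # Counter({80: 5})
    print(syn_flood_suspects(conns, backlog=8))    # {80: 5}
```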
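The "IP – What to Filter" list as an executable source-address filter, added here as an example and not taken from the deck. The organisation's own prefix (203.0.113.0/24) and the unallocated list are hypothetical parameters, and the filter also applies RFC 2827's companion rule that outbound packets must carry one of your own source addresses.

```python
"""Ingress/egress source-address filter following the slide's RFC 2827 list."""
import ipaddress

# Private (RFC 1918) and loopback space: dropped in both directions.
ALWAYS_DROP = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def build_filter(our_prefixes, unallocated_prefixes):
    """Return classify(direction, src) -> (verdict, reason).

    our_prefixes: the organisation's own public address space (assumed).
    unallocated_prefixes: ranges the IANA table shows as unallocated; the
    deck's 1.0.0.0 and 2.0.0.0 were unallocated at the time, so the current
    registry must be consulted for a real deployment.
    """
    ours = [ipaddress.ip_network(p) for p in our_prefixes]
    unallocated = [ipaddress.ip_network(p) for p in unallocated_prefixes]

    def classify(direction, src):
        if direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in ALWAYS_DROP):
            return ("drop", "private or loopback source")
        if any(addr in net for net in unallocated):
            return ("drop", "unallocated source")
        in_ours = any(addr in net for net in ours)
        if direction == "in" and in_ours:
            return ("drop", "our own address arriving from the Internet")
        if direction == "out" and not in_ours:
            return ("drop", "outbound packet not sourced from our space")
        return ("accept", "")

    return classify


if __name__ == "__main__":
    # Hypothetical deployment: our block is 203.0.113.0/24 (documentation range).
    check = build_filter(["203.0.113.0/24"], ["1.0.0.0/8", "2.0.0.0/8"])
    for direction, src in (("in", "10.1.2.3"), ("in", "203.0.113.5"),
                           ("in", "198.51.100.9"), ("out", "198.51.100.9")):
        print(direction, src, check(direction, src))
```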
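For the last DNS Spoofing slide (guessing the query number, first correct reply wins), an added detection example that is not from the original deck: over a constructed log of a resolver's outbound queries and incoming replies, it counts replies whose transaction ID does not match the outstanding query, which is what a burst of guesses racing the real answer looks like on the wire.

```python
"""Spot DNS query-number (transaction ID) guessing in a constructed packet log."""
from collections import defaultdict

# Constructed log of UDP/53 traffic at the resolver's edge, not real data.
# Fields: direction, peer (the upstream server address), our source port,
# transaction ID (the slide's "query number"), question name.
SAMPLE_LOG = """\
query  198.51.100.53 33001 0x1a2b www.example.com
reply  198.51.100.53 33001 0x0001 www.example.com
reply  198.51.100.53 33001 0x0002 www.example.com
reply  198.51.100.53 33001 0x0003 www.example.com
reply  198.51.100.53 33001 0x1a2b www.example.com
query  198.51.100.53 33002 0x7c4d mail.example.org
reply  198.51.100.53 33002 0x7c4d mail.example.org
"""


def parse_log(text):
    """Return (direction, peer, port, txid, qname) tuples."""
    rows = []
    for line in text.splitlines():
        direction, peer, port, txid, qname = line.split()
        rows.append((direction, peer, int(port), int(txid, 16), qname))
    return rows


def mismatched_replies(rows):
    """Count replies per (peer, port, qname) whose ID does not match the open query.

    A resolver expects exactly one reply per query. Several replies for the
    same outstanding question with wrong IDs, apparently from the real server,
    indicate someone trying to get a bogus answer accepted first.
    """
    outstanding = {}
    bad = defaultdict(int)
    for direction, peer, port, txid, qname in rows:
        key = (peer, port, qname)
        if direction == "query":
            outstanding[key] = txid
        elif direction == "reply":
            if outstanding.get(key) == txid:
                outstanding.pop(key)           # genuine answer consumed
            else:
                bad[key] += 1                  # wrong or late ID: a guess
    return dict(bad)


def spoofing_alerts(rows, threshold=2):
    """Keys with at least `threshold` mismatched replies (threshold is assumed)."""
    return {k: n for k, n in mismatched_replies(rows).items() if n >= threshold}
```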