
General Overview of Attacks

Regardless of the motivation, a network security specialist must be aware of the threats and appropriate responses.

What is an attack?

Any malicious activity directed at a computer system or the services it provides.

Eg: Viruses, use of a system by an unauthorized individual, denial of service, physical attack against computer hardware.

Reasons for attacks

1) Gaining access to the system
2) Simply for the challenge
3) To collect information
4) Desire to cause damage

Attacks

1) Criminal Attacks
2) Publicity Attacks
3) Logon Abuse
4) Inappropriate System Use
5) Network Intrusion

Criminal Attacks

Fraud: Involvement of money and commerce

Scams: Selling something of no value and getting the money

Destructive Attacks: Work of terrorists, employees bent on revenge, or hackers gone over to the wrong side. Eg: Denial of Service attacks on Yahoo, CNN, eBay, Amazon etc.

Intellectual Property Theft: Electronic versions of property. Eg: Piracy of software

Criminal Attacks Continued…

Identity Theft: Why steal from someone when you can just become that person?

Brand Theft: How do users know which sites are worth visiting and bookmarking? Eg: a forged “Please update your Amazon/eBay profile” message

Publicity Attacks

How can I get my name in the newspapers?

Motivated by a desire to fix the problem

Possibility of exploitation by criminals.

Public confidence

Eg: Denial-of-service attacks

Different Forms of Attacks

Non-Technical Form of Attack:
1) Social Engineering

Technical Form of Attack:
1) Implementation Bugs
2) Abuse of Feature
3) System Misconfiguration
4) Masquerading
5) DoS / DDoS
6) Session Hijacking

Social Engineering

The attacker makes use of social contacts or people skills to obtain private information.

Eg: Attacker acting as an administrator and convincing the individual on telephone to reveal confidential information like passwords, filenames, details about security policies.

Implementation Bugs

Attackers use bugs in trusted programs to exploit and gain unauthorized access to a computer system.

Eg: buffer overflows, race conditions, and mishandled temporary files.

Abuse of Feature

These are legitimate actions that anyone can perform, but which lead to system failure when taken to the extreme.

Eg: Opening hundreds of telnet connections to a machine to fill its process table or filling up a mail spool with junk email.

System Misconfiguration

Refers to an attacker gaining access to the system because of an error in the configuration of that system.

Eg: the default configuration of some systems includes a “guest” account that is not protected with a password.

Masquerading

Sometimes, it is possible to fool a system into giving access by misrepresenting oneself.

Eg: Sending a TCP packet with a forged source address that makes the packet appear to come from a trusted host.

Broad Categories of Attacks

1) Denial of service attacks
2) Attacks that give a local user super user access
3) Attacks that give a remote user local access
4) Probes (attempts to probe a system to find potential weaknesses)
5) Physical attack against computer hardware

Possible Types of Actions in an Attack

Denial of Service (DoS) Attacks

An attack in which the attacker makes some computing or memory resource too busy or too full to handle legitimate requests, or denies legitimate users access to a machine.

Some DoS attacks abuse a perfectly legitimate feature. Eg: mailbomb, smurf attack (ping -b to a broadcast address; the router countermeasure is no ip directed-broadcast)

DoS continued…

Some DoS attacks create malformed packets that confuse the TCP/IP stack of the machine that is trying to reconstruct the packet. Eg: teardrop (overlapping payloads; affected NT and Linux kernel 2.1.63), ping of death (fixed since 1997 or 98)

Others take advantage of bugs in a particular network daemon. Eg: apache2, back, syslogd

Summary of Denial of Service attacks

Footprinting

Footprinting is gathering information about networks, specific computers, companies and/or people.

1) Scouring the website
2) Whois lookup on the domain (via a web service or the whois command at a shell)
3) Get the IP address to learn about the network (ping or nslookup)
4) Search in the ARIN database (American Registry for Internet Numbers) to find out who owns that specific netblock
5) Talk to the ISP, claiming that somebody from their network is sending spam, or possibly start a social engineering attack

Where to start

1) Locations
2) Related companies
3) Merger or acquisition news
4) Phone numbers
5) Contact names and email addresses
6) Privacy and security policies indicating the security mechanisms in place
7) Links to other web servers related to the organization

Port Scanning

1) Stealth scans
2) Spoofed scans
3) TCP SYN, SYN/ACK, and FIN scans
4) ICMP (ping sweep)
5) TCP FTP proxy: the scanner connects to a real FTP server and requests a data transfer to another system

Scanning Tools: HPing, Legion, Nessus, Nmap, SAINT, SATAN, TcpView, Snort

User to Root Attacks

The attacker starts out with access as a normal user on the system (perhaps by sniffing passwords, a dictionary attack, or social engineering) and exploits some vulnerability to gain root access.

The most common attacks are:
1) Buffer overflow attacks
2) Poor environment sanitation (eg: Loadmodule, perl)
3) Poor temp file management
4) Lack of chroot in vulnerable system services

Summary of User to Root attacks

Remote to User Attacks

Attacker who has the ability to send packets to a machine over a network, but who does not have an account on that machine—exploits some vulnerability to gain local access as a user of that machine.

Some of these attacks exploit buffer overflows in network server software.

Remote to User Attacks continued…

The most common attacks are:
1) Abuse of feature (eg: Dictionary)
2) Misconfiguration (eg: Ftp-write, guest, xlock)
3) Bug (eg: Imap, Named, Phf, Sendmail)

Summary

Probes

Programs that can automatically scan a network of computers to gather information or find known vulnerabilities.

Scanning tools like satan, saint, mscan enable even a very unskilled attacker to very quickly check thousands of machines on a network for known vulnerabilities.

Summary

Most Serious Problems pointed out by CERT (2003)

1. Exploitation of weaknesses in the “cgi-bin/phf” program used on web servers to steal system password files.

2. Attacks on systems running free Linux version of UNIX, including installation of “Sniffers” that can steal unencrypted passwords when people log on to the systems.

3. Denial-of-service attacks were particularly troubling for internet service providers.

Continued…

4. Widely available hacker kits.

5. Script kiddies attacking systems with known vulnerabilities.

6. Abuse of email including mail-bombing, forgeries (spoofing), and a large increase in the amount of junk mail.

7. Viruses and hoaxes about viruses (especially wild claims about dangerous mail).

The 4 Most Dangerous Security Myths (10/05)

Problems in ascertaining the threats

An unknown number of crimes of all kinds go undetected. Some of them are discovered long after they have occurred.

Similarly, computer crimes may not be detected by the victims. The estimate is that 1/10th of the total crimes are detected.

Some of them go unreported. The estimate is that 1/10th of the detected crimes are reported.

Precautions against attacks

Intrusion detection systems:
1) Those that detect system attacks in real time and can be used to stop an attack in progress.
2) Those that provide after-the-fact information about the attacks that can be used to repair damage, understand the attack mechanism, and reduce the possibility of future attacks of the same type.

Intrusion Detection Systems

Intrusion detection systems should be designed so that they can handle every level of attacker sophistication, from a novice cracker to an experienced cracker who knows about intrusion detection systems and takes steps to avoid being caught.

Sources of data for an IDS

1) Traffic sent over the network
2) System level audit data
3) Information about file system state

There are other sources of data such as real-time process lists, log files, processor loads etc. However, they are used rarely.

Traffic sent over the network

All data sent over an Ethernet network is visible to every machine that is present on the local network segment. Hence, one machine connected to this Ethernet can be used to monitor traffic for all hosts on the network.

System Level Audit Data

Most operating systems offer some level of auditing of operating system events.

Eg: Logging failed attempts to log in, logging every system call.

Information about file system state

An intrusion detection system that examines this file system data can alert an administrator whenever a system binary (such as the ps, login, or ls program) is modified. Since normal users have no legitimate reason to alter these files, a change to a system binary indicates that the system has been compromised.
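The file-system-state check described above, as an added example that is not part of the original slides: it records a SHA-256 digest of each monitored binary while the system is known-good and later reports any binary whose digest has changed or which has gone missing. The monitored files, the "ps" and "ls" names and the tampering step are all constructed inside a temporary directory so the block runs offline.

```python
import hashlib
import os
import shutil
import tempfile

# Hypothetical integrity checker written for this page (not a real product).


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each monitored path to its digest; taken on a known-good system."""
    return {p: file_digest(p) for p in paths}


def check_integrity(baseline):
    """Compare the current file state against the baseline.

    Returns {"modified": [...], "missing": [...]}, each list sorted so the
    report is stable from run to run.
    """
    modified, missing = [], []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            missing.append(path)
        elif file_digest(path) != expected:
            modified.append(path)
    return {"modified": sorted(modified), "missing": sorted(missing)}


def demo():
    """Constructed scenario: two fake 'binaries' in a temp dir; one is tampered.

    Returns the report before tampering, the report after, and the path that
    was altered, so a caller can verify the detector's verdict.
    """
    d = tempfile.mkdtemp()
    ps = os.path.join(d, "ps")
    ls = os.path.join(d, "ls")
    for p in (ps, ls):
        with open(p, "wb") as f:
            f.write(b"\x7fELF original " + os.path.basename(p).encode())
    baseline = build_baseline([ps, ls])
    before = check_integrity(baseline)
    # Simulate a trojaned ps binary: an attacker appends code to it.
    with open(ps, "ab") as f:
        f.write(b" backdoor")
    after = check_integrity(baseline)
    shutil.rmtree(d)
    return {"before": before, "after": after, "tampered": ps}


if __name__ == "__main__":
    report = demo()
    print("clean system:", report["before"])
    print("after tampering:", report["after"])
```

The baseline must be stored where the monitored host cannot rewrite it (read-only media or a separate host); an attacker with root access to the same file system could otherwise update the digests along with the binaries.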

Strategies for Intrusion Detection

1) Signature Verification
2) Anomaly Detection
3) Specification Based Intrusion Systems
4) Bottleneck Verification

Signature Verification example

An oversized ping packet of length greater than 64 kilobytes can cause some older systems to reboot. A signature verification system that is looking for a ping of death denial service attack would have a simple rule that says “any ping packet of length greater than 64 kilobytes is an attack.”
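The ping-of-death rule from the slide, as an added example that is not part of the original slides: a minimal signature-verification engine that applies a list of predicates to packet records and emits one alert per match. The packet records, their fields and the documentation-range addresses are constructed here; a real sensor would decode them from captured traffic and must reassemble IP fragments first, since an oversized ping only exceeds 64 KB once reassembled.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Added example for this page: signature verification over constructed packets.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "icmp", "tcp" or "udp"
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply, -1 = not ICMP
    length: int = 0      # total (reassembled) IP datagram length in bytes


@dataclass(frozen=True)
class Signature:
    name: str
    match: Callable[[Packet], bool]


# The slide's rule: any ping packet longer than 64 kilobytes is an attack.
PING_OF_DEATH = Signature(
    "ping-of-death",
    lambda p: p.proto == "icmp" and p.icmp_type in (0, 8) and p.length > 64 * 1024,
)

SIGNATURES: List[Signature] = [PING_OF_DEATH]


def scan(packets, signatures=SIGNATURES) -> List[Tuple[str, Packet]]:
    """Return one (signature name, packet) pair per rule that matches a packet."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            if sig.match(pkt):
                alerts.append((sig.name, pkt))
    return alerts


# Constructed sample traffic (192.0.2.0/24 and 198.51.100.0/24 are documentation
# ranges, not real hosts).
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.5", "icmp", icmp_type=8, length=84),
    Packet("192.0.2.10", "198.51.100.5", "tcp", length=1500),
    Packet("192.0.2.66", "198.51.100.5", "icmp", icmp_type=8, length=65_536 + 1),
    # Oversized but not a ping: the rule must not fire on this one.
    Packet("192.0.2.66", "198.51.100.5", "udp", length=65_536 + 1),
]

if __name__ == "__main__":
    for name, pkt in scan(SAMPLE):
        print(f"ALERT {name}: {pkt.src} -> {pkt.dst} len={pkt.length}")
```

Only the third record triggers the rule; the oversized UDP datagram shows why a signature has to be specific about protocol and not just size, and why loosely written rules produce the false alarms listed on the next slides.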

Signature Verification

Advantages:
1) Can be devised to detect attempts to exploit many possible vulnerabilities
2) One sniffer can monitor many workstations
3) The computation required to construct network sessions and search for keywords is not excessive

Signature Verification

Drawbacks:
1) Difficult to establish rules
2) False alarm rates can be very high
3) Cannot identify novel types of attacks

Anomaly Detection

These systems track the typical behavior of a system and issue a warning when they observe actions that deviate significantly from those models.

They construct statistical models of user, system, or network activity by observing typical behavior during an initial training phase. After training, anomalies are detected and flagged as attacks. Eg: NIDES (Next-Generation Intrusion Detection Expert System) by SRI International.

Anomaly Detection continued…

1) These systems are frequently suggested as approaches to detect novel attacks.
2) They involve large computation and memory resources.
3) High false alarm rates.
4) Cannot detect an attacker whose activity overlaps with that of a legitimate user or system.
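The train-then-flag cycle described on the two anomaly detection slides, as an added example that is not part of the original slides and is not NIDES code: a single numeric feature (outbound connections per minute from one workstation) is profiled during a training phase, and later observations are scored by how many standard deviations they sit from the profile. The training values, the timestamps and the threshold of 3 standard deviations are all constructed for the example.

```python
import statistics

# Added example: a tiny statistical anomaly detector in the NIDES style.


def train(observations):
    """Build the profile: mean and population standard deviation of the feature."""
    if len(observations) < 2:
        raise ValueError("need at least two training observations")
    return {
        "mean": statistics.fmean(observations),
        "stdev": statistics.pstdev(observations),
        "n": len(observations),
    }


def score(model, value):
    """Z-score: how many standard deviations the value lies from the mean."""
    if model["stdev"] == 0:
        return 0.0 if value == model["mean"] else float("inf")
    return abs(value - model["mean"]) / model["stdev"]


def detect(model, stream, threshold=3.0):
    """Flag each (label, value) whose score exceeds the threshold."""
    return [
        (label, value, round(score(model, value), 2))
        for label, value in stream
        if score(model, value) > threshold
    ]


# Constructed training data: a workstation's outbound connections per minute
# over a quiet half hour (values invented for the example).
TRAINING = [4, 6, 5, 7, 5, 4, 6, 5, 5, 6, 4, 7, 5, 6, 5,
            4, 5, 6, 5, 7, 5, 4, 6, 5, 5, 6, 4, 5, 6, 5]

# Constructed observations after training; 10:03 is a burst of connections.
STREAM = [("10:01", 5), ("10:02", 7), ("10:03", 180), ("10:04", 6)]

if __name__ == "__main__":
    model = train(TRAINING)
    print(f"profile: mean={model['mean']:.2f} stdev={model['stdev']:.2f}")
    for label, value, z in detect(model, STREAM):
        print(f"{label}: {value} connections/min (z={z}) ANOMALY")
```

Only the 10:03 burst is flagged. The 10:02 value of 7 is the top of the training range and scores well under the threshold, which illustrates the last drawback on the slide: activity that stays inside the learned profile is invisible to this detector, and lowering the threshold to catch it raises the false alarm rate instead.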

Specification Based Intrusion Systems

This type of approach detects attacks that make improper use of system or application programs.

Results in far lower false alarm rates. Detects a wide range of new attacks, including many forms of malicious code such as trojan horses, viruses, attacks that take advantage of race conditions, and attacks that take advantage of improperly synchronized distributed programs.

Bottleneck verification

This approach applies to situations where there are only a few, well-defined ways to transition between two groups of states.

Eg: Transition between a normal user and a superuser within a shell. If an individual is in a normal-user state, the only way to legally gain root privileges is by using the su command and entering the root password.

Thus, if a bottleneck verification system can detect a shell being launched, determine the permissions of the new shell, and detect the successful su command used to gain root access.
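The user-to-superuser bottleneck from the slide, as an added example that is not part of the original slides: the verifier reads audit records, tracks each session's privilege level, and only lets that level become root through the login and successful-su events. A root shell appearing in a session that never passed through the bottleneck is reported. The audit line format (key=value fields after a timestamp), the session numbers, the user ids and the 2003 timestamps are all constructed for the example.

```python
import re

# Added example: bottleneck verification over constructed audit records.

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+sess=(?P<sess>\d+)\s+event=(?P<event>\w+)(?P<rest>.*)$"
)


def parse(line):
    """Parse one constructed audit line into a dict of typed fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    rec = {"ts": m["ts"], "sess": int(m["sess"]), "event": m["event"]}
    for key, val in re.findall(r"(\w+)=(\S+)", m["rest"]):
        rec[key] = int(val) if val.isdigit() else val
    return rec


def verify(lines):
    """Return an alert for every root shell not reached through the su bottleneck.

    The session's known privilege changes only on 'login' and 'su_ok' events;
    a 'shell' event with uid 0 in a session whose known privilege is not root
    means the transition happened some other way.
    """
    known_uid = {}   # session id -> uid the verifier believes the session holds
    alerts = []
    for rec in map(parse, lines):
        sess = rec["sess"]
        if rec["event"] == "login":
            known_uid[sess] = rec["uid"]
        elif rec["event"] == "su_ok":
            known_uid[sess] = rec["to"]            # the legitimate bottleneck
        elif rec["event"] == "shell":
            if rec["uid"] == 0 and known_uid.get(sess) != 0:
                alerts.append({
                    "ts": rec["ts"],
                    "sess": sess,
                    "reason": "root shell without a preceding successful su",
                })
    return alerts


# Constructed audit trail: session 17 becomes root via su, session 42 does not.
SAMPLE_AUDIT = [
    "2003-05-01T10:00:01 sess=17 event=login uid=1001",
    "2003-05-01T10:00:05 sess=17 event=shell uid=1001",
    "2003-05-01T10:02:10 sess=17 event=su_ok from=1001 to=0",
    "2003-05-01T10:02:11 sess=17 event=shell uid=0",
    "2003-05-01T10:30:00 sess=42 event=login uid=1002",
    "2003-05-01T10:30:02 sess=42 event=shell uid=1002",
    "2003-05-01T10:31:40 sess=42 event=shell uid=0",
]

if __name__ == "__main__":
    for alert in verify(SAMPLE_AUDIT):
        print(f"{alert['ts']} session {alert['sess']}: {alert['reason']}")
```

Session 17 is silent because its root shell follows a recorded su_ok; session 42 produces the single alert. The check is only as good as the audit trail that feeds it: the su and shell events must come from a source the user cannot suppress, which is why the slides list system-level audit data as a primary IDS input.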

Time Vs Vulnerability

References

www.exploitresearch.org/faqs/network-footprinting.html

http://www.ll.mit.edu/IST/ideval/pubs/1998/kkendall_thesis.pdf

http://www.sans.org

http://www.icsalabs.com/html/library/whitepapers/crime.pdf

http://csrc.nist.gov/SBC/PDF/NIST_ITL_Bulletin_05-99_Comp_Attacks.pdf

Secrets & Lies