
Targeted Break-in, DoS, & Malware attacks (II)

(February 23 2015)

© Abdou Illia – Spring 2015

Learning Objectives

- Discuss DoS attacks
- Discuss malware attacks

Denial of Service Attacks

TCP opening and DoS

For each TCP connection request (SYN), the server has to:
- Respond to the request with a SYN/ACK
- Set resources aside (a half-open connection entry) so that it can respond to the data requests that follow the handshake

[Figure: Computers 1, 2 and 3 each complete a SYN, SYN/ACK, ACK exchange with the server; the server keeps one "waiting for request from Computer N" entry per connection, and the list grows with every connection it opens.]

Web Server configuration

Intel Pentium 4 540 (3 GHz)
512 MB SDRAM
2 x 100 GB SATA HDD
16x CD drive
Gateway 3-button mouse
Gateway 108 keyboard
SVGA graphics card

Denial of Service (DoS)

What resources would the web server use to respond to each of the HTTP requests it receives?

What could be the consequences of the web server being flooded with too many requests from the attacker?

[Figure: the web server sits behind a router on the Internet and serves four legitimate users. On the attacker's home network, several workstations behind a hub and a router all use IP spoofing to send a stream of HTTP requests to the web server.]

Denial of Service (DoS) Attack

Attack that makes a computer's resources unavailable to legitimate users

Types of DoS attacks:
- Single-message DoS
- Flooding DoS
- Distributed DoS

Single-message DoS attacks

- First kind of DoS attack to appear
- Exploit weaknesses in the coding of operating systems and network applications: a single malformed packet is enough
- Three main single-message DoS attacks:
  Ping of Death
  Teardrop
  LAND attack

Ping of Death attacks

Take advantage of:
- The fact that IP allows a large datagram to be fragmented, and that the receiver reassembles the fragments
- Some network applications' and operating systems' inability to handle a reassembled packet larger than 65,535 bytes, the maximum that the 16-bit Total Length field can express

The attacker sends IP fragments whose offsets and lengths add up to more than 65,535 bytes; the reassembly buffer overflows.

Ping of Death attacks are rare today as most operating systems have been fixed to prevent this type of attack from occurring.

Example of PoD code and vulnerable operating systems: http://insecure.org/sploits/ping-o-death.html

Fix: add checks in the reassembly process, or in a firewall, to protect hosts whose bug is not fixed.
Check: for every fragment, Fragment Offset * 8 + (Total Length - header length) must not exceed 65,535 bytes. (Simply summing the Total Length fields overcounts, because each fragment carries its own IP header.)

IP header fields involved: Total Length (16 bits), Flags (3 bits), Fragment Offset (13 bits)
- Fragment Offset: where this fragment's data belongs in the original datagram, in units of 8 bytes
- Flags: DF (Don't Fragment) says whether the datagram may be fragmented at all; MF (More Fragments) is set on every fragment except the last

Teardrop attacks

- Take advantage of IP fragmentation
- The attacker sends a pretend fragmented IP packet, but the Fragment Offset values are not consistent: fragments overlap, or leave holes
- Earlier operating systems* and poorly coded network applications crash because they are unable to reassemble the packet: the reassembly code trusts the offsets, computes an overlapping or negative copy length, and corrupts memory

[Figure: the attacker sends "Frag 1, Frag 2, Frag 4" of a pretend fragmented IP packet to the victim; a fragment is missing and the offsets do not line up.]

* Windows 3.1, Windows 95, Windows NT, and Linux prior to 2.1.63

IP header fields involved: Total Length (16 bits), Flags (3 bits), Fragment Offset (13 bits)
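The reassembly check that the Ping of Death and Teardrop slides above call for (fragments adding up to more than 65,535 bytes; offsets that overlap or leave holes), as an added example that is not part of the original slides. The header layout follows RFC 791 and the 8-byte alignment and Total Length limits are real; the packet builder, the addresses (RFC 5737 documentation range) and the three sample fragment sets are this example's own constructed test data.

```python
import struct

IPV4_MAX_DATAGRAM = 65535   # Total Length is 16 bits, so no datagram can be larger than this
MF_FLAG = 0x2000            # "More Fragments" bit in the 16-bit flags/offset word
OFFSET_MASK = 0x1FFF        # 13-bit Fragment Offset, counted in 8-byte units

def build_fragment(ident, offset, payload, more_fragments):
    """Build a minimal IPv4 packet (20-byte header, no options) carrying one fragment.
    Constructed test data only: the checksum is left at zero and the addresses come from
    the RFC 5737 documentation range."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, 1, 0,                      # TTL, protocol (ICMP), checksum
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload

def parse_fragment(pkt):
    """Pull the reassembly-relevant fields out of a raw IPv4 packet (RFC 791 layout)."""
    ver_ihl, _tos, total_len, ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident,
            "mf": bool(flags_frag & MF_FLAG),
            "offset": (flags_frag & OFFSET_MASK) * 8,
            "payload_len": total_len - ihl}

def check_fragments(pkts):
    """Sanity-check the complete fragment set of one datagram the way a hardened reassembler
    (or a firewall in front of unpatched hosts) should, before trusting the offsets.
    Returns a list of problem strings; an empty list means the set is safe to reassemble."""
    frags = sorted((parse_fragment(p) for p in pkts), key=lambda f: f["offset"])
    problems = []
    expected_next = 0
    for f in frags:
        end = f["offset"] + f["payload_len"]
        if end > IPV4_MAX_DATAGRAM:          # Ping of Death
            problems.append(f"oversized: fragment at {f['offset']} ends at {end} > {IPV4_MAX_DATAGRAM}")
        if f["offset"] < expected_next:      # Teardrop: fragment claims space already filled
            problems.append(f"overlap: fragment at {f['offset']} overlaps data up to {expected_next}")
        elif f["offset"] > expected_next:    # hole in the datagram
            problems.append(f"gap: no data between {expected_next} and {f['offset']}")
        if f["mf"] and f["payload_len"] % 8: # only the last fragment may be unaligned
            problems.append(f"bad length: non-final fragment at {f['offset']} is not a multiple of 8 bytes")
        expected_next = max(expected_next, end)
    if frags and frags[-1]["mf"]:
        problems.append("incomplete: final fragment (MF=0) never arrived")
    return problems

# Constructed sample sets (not captures from the slides)
BENIGN = [build_fragment(1, 0, b"A" * 1480, True),
          build_fragment(1, 1480, b"B" * 520, False)]
PING_OF_DEATH = [build_fragment(2, 65520, b"C" * 24, False)]   # 65520 + 24 = 65544 > 65535
TEARDROP = [build_fragment(3, 0, b"D" * 40, True),
            build_fragment(3, 24, b"E" * 24, False)]            # second fragment starts inside the first

if __name__ == "__main__":
    for name, frags in (("benign", BENIGN), ("ping of death", PING_OF_DEATH), ("teardrop", TEARDROP)):
        print(name, check_fragments(frags) or "ok")
```

The check runs on the metadata alone, before any buffer is allocated, which is the point: a reassembler that allocates first and validates afterwards is exactly the one these two attacks crash.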

LAND attacks

- First appeared in 1997
- The attacker uses IP spoofing: a SYN whose source and destination addresses (and ports) both refer to the target itself
- At the time, operating systems and routers were not designed to deal with this kind of loopback, and the TCP stack hung or crashed
- The problem resurfaced in 2005 on Windows XP and Windows Server 2003
- Check: drop any inbound packet whose source address equals the destination address; a legitimate packet never arrives from the network with the host's own address as its source

Summary Questions 1

1. Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability?

2. Which of the following DoS attacks takes advantage of IP fragmentation?
   a) LAND attack
   b) Teardrop
   c) Ping of Death
   d) None of the above

3. In which of the following DoS attacks does the attacker make use of IP spoofing?
   a) LAND attack
   b) Teardrop
   c) Ping of Death
   d) None of the above

Flooding DoS Attacks

- Flood a target with a stream of messages to exhaust its bandwidth, memory or processing capacity, until it slows to a crawl or crashes
- Main types of flooding DoS attacks:
  Flooding with regular requests
  SYN flooding
  Smurf flooding
  Distributed DoS

Flooding with regular requests

- Open cmd and type: ping /?
- Note the -l option, which sets the size of the echo request's data field
- Video: using ping -l in a possible attempt to flood the allrecipes.com website (YouTube: How To DOS a Website)
- Another flooding attack: DoS using Low Orbit Ion Cannon (LOIC)

SYN Flooding

- The attacker sends a series of TCP SYN opening requests, usually with spoofed source addresses, and never completes the handshake
- For each SYN, the target has to send back a SYN/ACK segment and set aside memory and other resources (a half-open connection entry) to respond
- When the table of half-open connections is full, new SYNs are dropped, legitimate or not; when overwhelmed, the target slows down or even crashes
- SYN flooding takes advantage of the client/server workload asymmetry: the client spends one small segment, the server allocates state and waits

[Figure: the attacker sends SYN, SYN, SYN, SYN, SYN ... to the victim and never answers the SYN/ACKs.]
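The asymmetry described above, and the stateless defence (SYN cookies) that removes it, as an added example that is not part of the original slides. The backlog size of 128, the addresses (RFC 5737 documentation range), the secret and the timestamps are assumptions made for the simulation; the cookie construction is simplified (real SYN cookies also encode the MSS and use a 5-bit timestamp counter), but the property it demonstrates is the real one: the server stores nothing per SYN, and only a client that actually received the SYN/ACK can produce a valid ACK.

```python
import hashlib
import hmac
import os
import random

BACKLOG = 128  # assumed size of the half-open connection table; real stacks make this tunable


class StatefulListener:
    """A server that allocates a half-open entry for every SYN, as the slide describes."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}  # (src_ip, src_port) -> the ISN we sent in our SYN/ACK

    def on_syn(self, src, sport):
        if len(self.half_open) >= self.backlog:
            return None  # table full: the SYN is silently dropped, legitimate or not
        isn = random.getrandbits(32)
        self.half_open[(src, sport)] = isn
        return isn  # goes out in the SYN/ACK

    def on_ack(self, src, sport, ack):
        isn = self.half_open.pop((src, sport), None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF


class SynCookieListener:
    """Keeps no state per SYN: the ISN is an HMAC over the 4-tuple and a coarse timestamp,
    so only a client that really received the SYN/ACK can send back ISN+1."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)

    def _cookie(self, src, sport, dst, dport, window):
        msg = f"{src}:{sport}:{dst}:{dport}:{window}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src, sport, dst, dport, now):
        return self._cookie(src, sport, dst, dport, now // 64)  # nothing is stored

    def on_ack(self, src, sport, dst, dport, ack, now):
        # accept a cookie minted in the current or the previous 64-second window
        for window in (now // 64, now // 64 - 1):
            if ack == (self._cookie(src, sport, dst, dport, window) + 1) & 0xFFFFFFFF:
                return True
        return False


def simulate(flood_size=1000):
    """Flood both listeners with spoofed SYNs that are never acknowledged, then let one
    legitimate client try to connect to each."""
    attacker = random.Random(1)  # seeded so the run is reproducible
    server = ("192.0.2.10", 80)
    stateful, cookies = StatefulListener(), SynCookieListener(secret=b"demo-secret")
    for _ in range(flood_size):
        src = f"198.51.100.{attacker.randrange(256)}"  # forged source, never answers
        sport = attacker.randrange(1024, 65536)
        stateful.on_syn(src, sport)
        cookies.on_syn(src, sport, *server, now=1000)
    client = ("203.0.113.7", 40000)
    isn = stateful.on_syn(*client)
    stateful_ok = isn is not None and stateful.on_ack(*client, ack=(isn + 1) & 0xFFFFFFFF)
    cookie = cookies.on_syn(*client, *server, now=1001)
    cookie_ok = cookies.on_ack(*client, *server, ack=(cookie + 1) & 0xFFFFFFFF, now=1005)
    forged_ok = cookies.on_ack(*client, *server, ack=0x12345678, now=1005)  # guessed ACK
    return {
        "half_open_entries": len(stateful.half_open),
        "stateful_accepts_client": stateful_ok,
        "syn_cookies_accept_client": cookie_ok,
        "forged_ack_accepted": forged_ok,
    }


if __name__ == "__main__":
    print(simulate())
```

With a thousand spoofed SYNs the stateful listener's table is full and the legitimate client's SYN is dropped; the cookie listener holds no table, so the client completes the handshake while a guessed ACK is rejected. The price is that anything the SYN carried besides the 4-tuple (options such as window scaling) is lost unless it is packed into the cookie, which is why real stacks only switch to cookies once the backlog is under pressure.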

Smurf Flooding DoS

- The attacker uses IP spoofing: the ICMP echo (ping) requests carry the target's address as their source
- The requests are sent to the directed broadcast address of a third-party network, so every host on that network receives them "on behalf of" the target
- All the third-party computers send their echo replies to the target: one spoofed packet becomes as many replies as there are live hosts, which is why Smurf is an amplification attack
- Countermeasures: routers should not forward directed broadcasts (RFC 2644 made this the default), and networks should filter outbound packets whose source address cannot be theirs (BCP 38)
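Detection logic for the Smurf pattern just described, run over a handful of flow records, as an added example that is not part of the original slides. The records are constructed (RFC 5737 addresses; 60 hosts answering from one /24) and the "/24 broadcast ends in .255" rule is an assumption that a real rule would replace with the actual netmask; the two indicators themselves follow directly from the mechanism: a host that receives far more echo replies than it ever sent requests, and echo requests aimed at a broadcast address.

```python
from collections import Counter

# Constructed flow records, not captures from the slides: (src, dst, proto, icmp_type).
# ICMP type 8 = echo request, 0 = echo reply. The attacker forges 192.0.2.20 (the victim) as
# the source of pings to 198.51.100.255, the directed broadcast address of a /24 with 60 live
# hosts; a normal ping between two other hosts and one TCP flow are mixed in.
FLOWS = (
    [("192.0.2.20", "198.51.100.255", "icmp", 8)] * 3
    + [(f"198.51.100.{h}", "192.0.2.20", "icmp", 0) for h in range(2, 62) for _ in range(3)]
    + [("192.0.2.5", "192.0.2.9", "icmp", 8), ("192.0.2.9", "192.0.2.5", "icmp", 0)]
    + [("192.0.2.5", "192.0.2.9", "tcp", None)]
)


def smurf_indicators(flows, min_replies=20, ratio=5):
    """Flag Smurf victims (hosts receiving far more echo replies than they sent requests) and
    abused amplifier networks (echo requests aimed at a broadcast address).
    The '.255' test assumes /24 subnets; a production rule uses the real netmask."""
    replies_to, requests_from, broadcast_targets = Counter(), Counter(), set()
    for src, dst, proto, itype in flows:
        if proto != "icmp":
            continue
        if itype == 0:
            replies_to[dst] += 1
        elif itype == 8:
            requests_from[src] += 1
            if dst.endswith(".255"):
                broadcast_targets.add(dst)
    victims = {host: n for host, n in replies_to.items()
               if n >= min_replies and n >= ratio * max(requests_from[host], 1)}
    return victims, broadcast_targets


if __name__ == "__main__":
    print(smurf_indicators(FLOWS))
```

Seen from the victim's side the spoofed requests never appear at all (they left the attacker's network, not the victim's), so the reply-to-request ratio is even starker; seen from the amplifier network's side, the broadcast indicator is the one that matters, and the fix is on the router, not on the victim.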

Distributed DoS (DDoS) Attack

- The attacker hacks into multiple clients and plants handler programs on them; the clients become bots (intermediaries)
- The attacker sends attack commands to the handlers, which execute the attacks: every bot sends DoS messages at the server, so the flood comes from many sources at once and cannot be blocked by filtering a single address
- Came to wide public attention in February 2000 with the Mafiaboy attacks against cnn.com, ebay.com, etrade.com, yahoo.com, etc.

[Figure: the attacker sends an attack command to a handler, which relays it to the bots; all the bots send DoS messages at the server.]

Link to how to deal with DDoS (by Cisco)


A DoS story:

- Spamhaus was the victim of a very large DDoS attack in 2013
- The following video discusses how the attack was launched and how it was stopped: The Spamhaus attack video

Summary Questions 2

1. Describe SYN flooding.
2. Describe Smurf flooding.
3. What is a DDoS attack?
4. What is a handler program?

Malware Attacks

Malware attacks

Types of malware:
- Viruses
- Worms
- Trojan horses
- Logic bombs

Virus

Code or program (script, macro) that:
- Attaches itself to files
- Spreads by user actions (floppy disk, flash drive, opening an email attachment, IRC, FTP, etc.), not by itself

Symptoms:
- Annoying actions when the virus is executed: hogging memory, crashing the system, drives that are no longer accessible, antivirus disabled, etc.
- Destructive actions when it is executed: deleting files, altering files, etc.

Viruses

Could be:
- Boot sector viruses: infect the boot code in the boot sector (or master boot record) of a hard disk or floppy, so they run before the operating system loads
- File infector viruses: attach themselves to files (i.e. program files and user files)
- Polymorphic viruses: mutate with every infection (using encryption techniques with a different key each time), so that no fixed byte signature of the body matches and they are hard to locate
- Metamorphic viruses: rewrite themselves completely each time they infect a new executable*
- Stealth viruses: hide by intercepting the disk access requests made by antivirus programs

[Figure: a request by the antivirus goes to the OS; the stealth virus sits in between and returns an uninfected version of the file to the antivirus software, so that infected files seem "clean".]

* a metamorphic engine is needed
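Why polymorphism defeats a plain signature scanner, and what scanners do about it, as an added example that is not part of the original slides. The "virus body" here is a harmless byte string and the decoder is a toy XOR loop with a fresh random key per copy; both are stand-ins chosen for this illustration, not code from any real virus. The three scanner strategies (signature on the body, signature on the decoder stub, decode-then-hash) are the general techniques the slide's terms refer to.

```python
import hashlib
import os

# Benign stand-in for a virus body; a real polymorphic virus carries its infection routine here.
PAYLOAD = b"THIS IS THE INVARIANT BODY THAT A PLAIN SIGNATURE SCANNER WOULD LOOK FOR"
STUB_MARKER = b"DECODE:"  # stand-in for the fixed decoder code that every variant carries


def encode_variant(payload, key=None):
    """Produce one 'infection': fixed decoder stub, a per-copy random key, the XOR-encoded body."""
    key = key if key is not None else os.urandom(8)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return STUB_MARKER + bytes([len(key)]) + key + body


def decode_variant(blob):
    """What the decoder stub does at run time: recover the identical body from any variant."""
    if not blob.startswith(STUB_MARKER):
        raise ValueError("not one of our variants")
    klen = blob[len(STUB_MARKER)]
    key = blob[len(STUB_MARKER) + 1: len(STUB_MARKER) + 1 + klen]
    body = blob[len(STUB_MARKER) + 1 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def body_signature_matches(blob, signature):
    """Naive scanner: look for a fixed byte string from the virus body in the file as stored."""
    return signature in blob


def stub_signature_matches(blob):
    """Scanner keyed on the decoder stub, which polymorphism leaves unchanged."""
    return blob.startswith(STUB_MARKER)


def emulated_scan_matches(blob, body_hash):
    """Scanner that runs the decoder (emulation) and hashes what comes out."""
    return hashlib.sha256(decode_variant(blob)).hexdigest() == body_hash


def demo(n_variants=5):
    """Create several infections of the same body and count which scanner catches which."""
    signature = PAYLOAD[:16]                      # what a body-signature scanner would carry
    body_hash = hashlib.sha256(PAYLOAD).hexdigest()
    variants = [encode_variant(PAYLOAD) for _ in range(n_variants)]
    return {
        "distinct_on_disk": len(set(variants)) == n_variants,
        "body_signature_hits": sum(body_signature_matches(v, signature) for v in variants),
        "stub_signature_hits": sum(stub_signature_matches(v) for v in variants),
        "emulation_hits": sum(emulated_scan_matches(v, body_hash) for v in variants),
        "all_decode_identically": all(decode_variant(v) == PAYLOAD for v in variants),
    }


if __name__ == "__main__":
    print(demo())
```

Every copy looks different on disk, so the body signature never fires, yet the decoder stub is the same in each copy and a signature on it still catches all of them. A metamorphic virus closes that gap by rewriting the stub as well, which is why scanners for that class fall back on emulating the code and matching what it does rather than what it looks like.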

Worm

- Does not attach to files
- A self-replicating computer program that propagates across a system
- Uses a host computer's resources and network connections to transfer a copy of itself to another computer
- Harms the host computer by consuming processing time and memory
- Harms the network by consuming bandwidth

Question: Distinguish between viruses and worms

Trojan horse

A computer program that:
- Appears to be a useful program, like a game, a screen saver, etc.
- But is really a program designed to damage or take control of the host computer

When executed, a Trojan horse could:
- Format disks
- Delete files
- Open TCP ports to allow a remote computer to take control of the host computer (back door)

NetBus and SubSeven used to be attackers' favorite programs for remote control of a target

[Screenshot: NetBus interface]

Logic bomb

- Piece of malicious code intentionally inserted into a software system
- The bomb is set to run when a certain condition is met:
  Passing of a specified date/time
  Deletion of a specific record in a database
- Example: a programmer could insert a logic bomb that works as follows: scan the payroll records each day; if the programmer's name is removed from the payroll, the logic bomb destroys vital files weeks or months after the removal

Summary Questions 3

1. Distinguish between a virus and a worm.
2. What kind of malware is a malicious program that could allow an attacker to take control of a target computer?
3. What kind of malware could harm a host computer by consuming processor time and random access memory?