Network Attack and Defense - PowerPoint PPT Presentation
Slides: 20
Provided by: THOM1
Transcript and Presenter's Notes

Title: Network Attack and Defense


1
Chapter 18
  • Network Attack and Defense

2
The Most common attacks
  • http://www.sans.org/top20/
  • This is the list of the top 20 attacks.
  • How many does encryption solve?
  • How many do firewalls solve?
  • How many are software flaws?

3
Script kiddies/Packaged defense
  • Hacking is becoming de-skilled
  • TCP/IP suite designed to work in open sharing
    honest environment
  • Various levels of hackers
  • script kiddies
  • download script run it have no real idea what
    they are doing
  • Experienced hackers (typically excellent
    programmers)
  • Many companies can not find or afford proper
    security personnel
  • Easy to find tools to automate hack
  • Hard to trace international hack, requires
    international cooperation.
  • Massive amount of information on how to hack on
    the internet.

4
Denial of Service Attacks
  • Jolt2
  • source code widely available
  • sends identical fragmented IP packets
  • systems use 100% of their resources attempting to
    re-assemble these malformed packets
  • can attack servers as well as routers
  • patches exist for most systems
  • some firewalls recognize the malformed packets
    and drop them

5
Denial of Service Attacks
  • SYN flood
  • violates 3-way handshake by establishing a large
    number of half open connections
  • Eventually fills storage allocated for these and
    system does not allow new connections
  • Prevention, well if you limit the number of these
    connections, then legit users still can not
    access system
  • Various OSs are working on changes to prevent
    these attacks; they need to adjust how half-open
    connections are stored
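A SYN flood is visible on the victim as a pile of half-open (SYN_RECV) connections on one service that never progress to ESTABLISHED. This added example (not part of the slides) parses a constructed `netstat -ant`-style snapshot and reports the ports whose half-open count passes an assumed threshold, along with how many distinct source addresses are involved:

```python
"""Spot a SYN flood from a connection-table snapshot.

Added example, not from the slides. Input is constructed text in the
shape of `netstat -ant` output; the per-port limit is an assumption.
"""
from collections import Counter

# Constructed sample: one legitimate ESTABLISHED session and a burst of
# half-open (SYN_RECV) connections to port 80 from many sources.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             10.0.0.9:51122          ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.17:1025      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.18:1026      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.19:1027      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.20:1028      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.21:1029      SYN_RECV
tcp        0      0 10.0.0.5:443            10.0.0.9:51130          SYN_RECV
"""

def parse_connections(text):
    """Yield (local_port, foreign_ip, state) for each tcp line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header or non-TCP line
        local, foreign, state = fields[3], fields[4], fields[5]
        yield local.rsplit(":", 1)[1], foreign.rsplit(":", 1)[0], state

def half_open_report(text, per_port_limit=4):
    """Count SYN_RECV entries per local port; return ports over the limit.

    A flood shows up as many half-open connections on one service from
    many distinct (often forged) sources while ESTABLISHED stays flat.
    """
    per_port = Counter()
    sources = {}
    for port, src, state in parse_connections(text):
        if state == "SYN_RECV":
            per_port[port] += 1
            sources.setdefault(port, set()).add(src)
    return {
        port: {"half_open": n, "distinct_sources": len(sources[port])}
        for port, n in per_port.items() if n >= per_port_limit
    }

if __name__ == "__main__":
    for port, stats in half_open_report(SAMPLE_NETSTAT).items():
        print(f"port {port}: {stats['half_open']} half-open from "
              f"{stats['distinct_sources']} sources")
```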

6
Denial of Service Attacks
  • Smurf, Papa Smurf, Fraggle
  • Uses forged address to send packets (ICMP) to
    broadcast address (12.255.255.255)
  • All machines on the network then attempt to
    respond to the forged address
  • Simply generates large amounts of traffic on both
    networks
  • address where original message sent
  • forged return address when all respond

7
Denial of Service Attacks
  • Smurf amplifiers are sites that
  • allow ICMP echo packets to broadcast address
  • allows ICMP replies out
  • nmap can also be used to find Smurf amplifiers
  • www.netscan.org reports 1730 amplifiers

8
Denial of Service Attacks
  • So smurf attacks basically use the following
  • hacker
  • amplifier
  • misconfigured system
  • router broadcasts packets to subnet
  • machines respond to pings/echoes
  • victim
  • receives all the responses

9
Denial of Service Attacks
  • as you can see, most of these attacks utilize
    networking protocols
  • sending malformed packets causes problems for the
    attacked machine
  • IP spoofing is typically used to hide source of
    attack
  • Not going to cover all of these from the chapter,
    please read them though.
  • Many, many others exist and most are available on
    Packet Storm; just search on DOS

10
Distributed Denial of Service
  • In February of 2000 these became famous
  • Amazon
  • CNN
  • ETrade
  • Yahoo
  • eBay
  • ..
  • all attacked and brought to their knees

11
Distributed Denial of Service
  • The seeds were in the wind before 2000
  • In August of 1999 University of Minnesota was
    subject to a 2 day attack.
  • Before we look at these attacks we need to
    understand a little about them.

12
Distributed Denial of Service
  • These attacks use compromised machines to attack
    others.
  • Hackers over time develop a network of
    compromised machines that are set to do their
    bidding, that is, attack.
  • these are often called zombie machines
  • or just zombies

13
Distributed Denial of Service
  • Once the network of zombies is built
  • specific commands typically on specific ports
    instruct the zombies where to attack
  • dos 192.192.192.192 would launch the attack
    against that address

14
Distributed Denial of Service
  • OK so Trinoo was the first major one
  • Used to launch attack against U of Minnesota
  • Did not use IP spoofing from attacking machine so
    admins were able to contact compromised machines
    and stop the attack
  • Most of these machines were Solaris 2.x systems
  • While doing this the attacker simply continued to
    release new Zombies against the network
  • Progressed for 2 days.

15
Blind IP Spoofing
[Figure: Attacker 192.113.123.010 sends a packet with From address 65.67.68.05 and To address 65.67.68.07; Target 65.67.68.07; Spoofed Address 65.67.68.05]

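The Smurf slides and this spoofing slide both rest on two things a border router can refuse: packets aimed at the subnet's directed-broadcast address (which is what turns a network into an amplifier) and packets leaving with a source address that does not belong to the network (egress filtering, which stops an inside host from forging the 65.67.68.05-style source above). This added example is not part of the presentation; the 203.0.113.0/24 prefix and the sample packets are constructed, and the spoofed address is written without the leading zero because `ipaddress` rejects it.

```python
"""Border filter against Smurf amplification and forged source addresses.

Added example, not from the slides. Prefix and traffic are constructed.
"""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("203.0.113.0/24")  # assumed: the prefix we own

def filter_packet(direction, src, dst):
    """Return (verdict, reason) for one packet crossing the border.

    direction is "in" (from the Internet) or "out" (toward the Internet).
    """
    src, dst = ip_address(src), ip_address(dst)
    if direction == "in":
        # An inbound packet claiming one of our own addresses is forged.
        if src in INTERNAL:
            return "drop", "inbound packet with internal source (spoofed)"
        # Anything to the directed-broadcast address would be answered by
        # every host on the subnet; refusing it removes the amplifier.
        if dst == INTERNAL.broadcast_address:
            return "drop", "directed broadcast blocked"
        return "accept", "ok"
    if direction == "out":
        # Egress filtering: only our own prefix may leave as a source.
        if src not in INTERNAL:
            return "drop", "egress: source address not in our prefix"
        return "accept", "ok"
    raise ValueError(f"unknown direction {direction!r}")

# Constructed sample traffic: (direction, src, dst)
SAMPLE = [
    ("in",  "198.51.100.7", "203.0.113.255"),  # echo to broadcast (Smurf)
    ("in",  "203.0.113.9",  "203.0.113.10"),   # outside packet, inside source
    ("in",  "198.51.100.7", "203.0.113.10"),   # ordinary inbound traffic
    ("out", "65.67.68.5",   "198.51.100.7"),   # forged source trying to leave
    ("out", "203.0.113.10", "198.51.100.7"),   # ordinary outbound traffic
]

def verdicts(packets):
    """Verdict for each packet, in order."""
    return [filter_packet(*p)[0] for p in packets]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", filter_packet(*pkt))
```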
16
Defenses
  • Configuration management
  • Current copies of OS
  • All patches applied
  • Service and config files hardened
  • Default passwords removed
  • Organizational discipline to make sure it stays this
    way.

17
Firewalls
  • Hardware and software
  • Protects internal network from external
  • Installed between internal and external
  • Uses rules to limit incoming traffic
  • Uses rules to decide what traffic is allowed in
    and what traffic is not allowed in

18
Firewall techniques
  • NAT
  • Basic Packet filtering
  • Stateful packet inspection
  • Application gateways
  • Access control lists

19
Articles
  • Egress filtering
  • Lawsuits stemming from DOS
  • Intrusion Detection
  • Intrusion/Penetration testing programs
  • SATAN, SAINT