Chapter 1: Foundation - PowerPoint PPT Presentation

About This Presentation
Title:

Chapter 1: Foundation

Description:

Security in Computing, 4th Ed, Pfleeger Chapter 7 Security in Networks Part 1: Threats in Networks Threats in Active or Mobile Code Cookies cookies are not active ... – PowerPoint PPT presentation

Slides: 77
Provided by: Mohammed73
Transcript and Presenter's Notes

Title: Chapter 1: Foundation


1
Security in Computing, 4th Ed, Pfleeger
Chapter 7
Security in Networks
Part 1: Threats in Networks
2
Chapter 7. Security in Networks
  • In this chapter:
  • Networks vs. stand-alone applications and
    environments: differences and similarities
  • Threats against networked applications, including
    denial of service, web site defacements,
    malicious mobile code, and protocol attacks
  • Controls against network attacks: physical
    security, policies and procedures, and a range of
    technical controls
  • Firewalls: design, capabilities, limitations
  • Intrusion detection systems
  • Private e-mail: PGP and S/MIME

3
The Importance of Networks
  • We interact with networks daily, when we perform
    banking transactions, make telephone calls, ride
    trains and planes, and in many other activities.
  • Life without networks would be considerably less
    convenient, and many activities would be
    impossible.
  • Not surprisingly, then, computing networks are
    attackers' targets of choice.
  • Fortunately, your bank, your utility company, and
    even your Internet service provider take network
    security very seriously.
  • They assess their risks and learn about the latest
    attack types and defense mechanisms so that they
    can maintain the protection of their networks.

4
In This Chapter
  • We describe what makes a network similar to and
    different from an application program or an
    operating system, which you have studied in
    earlier chapters.
  • You will learn how the concepts of
    confidentiality, integrity, and availability
    apply in networked settings.
  • You will see that the basic notions of
    identification and authentication, access
    control, accountability, and assurance are the
    basis for network security, just as they have
    been in other settings.

5
Network Concepts
  • Networks involve not only the pieces but also,
    importantly, the connections among them.
  • Single point of failure vs. resilience (or fault
    tolerance):
  • Either a single failure brings down the whole
    system, or the system can find ways around it!
  • Complex routing algorithms reroute the flow not
    just around failures but also around overloaded
    segments.

6
Network Views
Simple View
Complex View
7
Environment of Use
  • Although some networks are located in protected
    spaces (for example, a local area network in a
    single laboratory or office), at least some
    portion of most networks is exposed, often to
    total strangers.

8
Network Characteristics
  • Anonymity. You may have seen the cartoon image
    that shows a dog typing at a workstation, and
    saying to another dog, "On the Internet, nobody
    knows you're a dog."

9
Network Characteristics
  • Automation. In some networks, one or both
    endpoints, as well as all intermediate points,
    involved in a given communication may be machines
    with only minimal human supervision.
  • Distance. Many networks connect endpoints that
    are physically far apart. Although not all
    network connections involve distance, the speed
    of communication is fast enough that humans
    usually cannot tell whether a remote site is near
    or far.

10
Network Characteristics (Cont.)
  • Opaqueness. Users cannot distinguish whether they
    are connected to a node in an office, school,
    home, or warehouse, or whether the node's
    computing system is large or small, modest or
    powerful. In fact, users cannot tell if the
    current communication involves the same host with
    which they communicated the last time.
  • Routing diversity. To maintain or improve
    reliability and performance, routings between two
    endpoints are usually dynamic. That is, the same
    interaction may follow one path through the
    network the first time and a very different path
    the second time. In fact, a query may take a
    different path from the response that follows a
    few seconds later.

11
Threats in Networks
  • Threats aim to compromise confidentiality,
    integrity, or availability; they are applied
    against data, software, and hardware by nature,
    accidents, nonmalicious humans, and malicious
    attackers.

12
What Makes a Network Vulnerable?
  • Consider how a network differs from a stand-alone
    environment
  • Anonymity. An attacker can mount an attack from
    thousands of miles away and never come into
    direct contact with the system, its
    administrators, or users. The potential attacker
    is thus safe behind an electronic shield. The
    attack can be passed through many other hosts in
    an effort to disguise the attack's origin.
  • Many points of attack, both targets and
    origins. A simple computing system is a
    self-contained unit. Access controls on one
    machine preserve the confidentiality of data on
    that processor. However, when a file is stored in
    a network host remote from the user, the data or
    the file itself may pass through many hosts to
    get to the user. One host's administrator may
    enforce rigorous security policies, but that
    administrator has no control over other hosts in
    the network. Thus, the user must depend on the
    access control mechanisms in each of these
    systems. An attack can come from any host to any
    host, so that a large network offers many points
    of vulnerability.

13
What Makes a Network Vulnerable? (Cont.)
  • Consider how a network differs from a stand-alone
    environment
  • Sharing. Because networks enable resource and
    workload sharing, more users have the potential
    to access networked systems than on single
    computers. Perhaps worse, access is afforded to
    more systems, so that access controls for single
    systems may be inadequate in networks.
  • Complexity of system. A network combines two or
    more possibly dissimilar operating systems.
    Therefore, a network operating/control system is
    likely to be more complex than an operating
    system for a single computing system. And because
    an average computer is so powerful, most users do
    not know what their computers are really doing at
    any moment. This complexity diminishes confidence
    in the network's security.

14
What Makes a Network Vulnerable? (Cont.)
  • Consider how a network differs from a stand-alone
    environment
  • Unknown perimeter. A network's expandability also
    implies uncertainty about the network boundary.
    One host may be a node on two different networks,
    so resources on one network are accessible to the
    users of the other network as well. Although wide
    accessibility is an advantage, this unknown or
    uncontrolled group of possibly malicious users is
    a security disadvantage. A similar problem occurs
    when new hosts can be added to the network. Every
    network node must be able to react to the
    possible presence of new, untrustable hosts.
    Figure 7-11 points out the problems in defining
    the boundaries of a network. Notice, for example,
    that a user on a host in network D may be unaware
    of the potential connections from users of
    networks A and B. And the host in the middle of
    networks A and B in fact belongs to A, B, C, and
    E. If there are different security rules for
    these networks, to what rules is that host
    subject?

15
What Makes a Network Vulnerable? (Cont.)
  • Consider how a network differs from a stand-alone
    environment
  • Unknown perimeter.

Figure 7-11  Unclear Network Boundaries.
16
What Makes a Network Vulnerable? (Cont.)
  • Consider how a network differs from a stand-alone
    environment
  • Unknown path. Figure 7-12 illustrates that there
    may be many paths from one host to another.
    Suppose that a user on host A1 wants to send a
    message to a user on host B3. That message might
    be routed through hosts C or D before arriving at
    host B3. Host C may provide acceptable security,
    but not D. Network users seldom have control over
    the routing of their messages.

Figure 7-12  Uncertain Message Routing in a
Network.
17
Attackers' Motives
  • Challenge or power, fame, money, and ideology.
  • Challenge: some attackers enjoy the intellectual
    stimulation of defeating the supposedly
    undefeatable. However, the vast majority of
    attackers repeat well-known and even
    well-documented attacks.
  • Fame: other attackers seek recognition for their
    activities. That is, part of the challenge is
    doing the deed; another part is taking credit for
    it.
  • Money and espionage: financial reward motivates
    attackers (read the book for some examples).
  • Ideology: many security analysts believe that the
    Code Red worm of 2001 was launched by a group
    motivated by the tension in U.S.-China relations.

18
Reconnaissance
  • We turn to how attackers perpetrate their attacks
  • Attackers do not ordinarily sit down at a
    terminal and launch an attack.
  • A clever attacker investigates and plans before
    acting
  • A network attacker learns a lot about a potential
    target before beginning the attack.
  • We study the precursors to an attack so that if
    we can recognize characteristic behavior, we may
    be able to block the attack before it is
    launched.
  • Because most vulnerable networks are connected to
    the Internet, the attacker begins preparation by
    finding out as much as possible about the target.

19
Port Scan
  • A program that, for a particular IP address,
    reports which ports respond to messages and which
    of several known vulnerabilities seem to be
    present.
  • Port scanning tells an attacker three things:
  • which standard ports or services are running and
    responding on the target system
  • what operating system is installed on the target
    system
  • what applications and versions of applications
    are present.
  • This information is readily available for the
    asking from a networked system.
  • It can be obtained quietly, anonymously, without
    identification or authentication, drawing little
    or no attention to the scan.

20
Social Engineering
  • Social engineering involves using social skills
    and personal interaction to get someone to reveal
    security-relevant information and perhaps even to
    do something that permits an attack.
  • The point of social engineering is to persuade
    the victim to be helpful
  • The attacker often impersonates someone inside
    the organization who is in a bind
  • Ex., "I have to get out a very important report
    quickly and I can't get access to the following
    thing."
  • This attack works especially well if the attacker
    impersonates someone in a high position
  • We as humans like to help others when asked
    politely.

21
Intelligence
  • From a port scan the attacker knows what is open.
    From social engineering, the attacker knows
    certain internal details.
  • But a more detailed floor plan would be nice.
  • Intelligence is the general term for collecting
    information. In security it often refers to
    gathering discrete bits of information from
    various sources and then putting them together
    like the pieces of a puzzle.
  • One commonly used intelligence technique is
    called "dumpster diving."
  • It involves looking through items that have been
    discarded in rubbish bins or recycling boxes.
  • It is amazing what we throw away without thinking
    about it
  • Gathering intelligence may also involve
    eavesdropping.
  • Trained spies may follow employees to lunch and
    listen in from nearby tables as coworkers discuss
    security matters. Or spies may befriend key
    personnel in order to co-opt, coerce, or trick
    them into passing on useful information.

22
Operating System and Application Fingerprinting
  • An attacker can use a port scan to find out that
    port 80 is open and supports HTTP, the protocol
    for transmitting web pages.
  • Related information: which commercial server
    application is running, what version, and what
    the underlying operating system and version are.
  • The network protocols are standard and vendor
    independent.
  • Still, each vendor's code is implemented
    independently, so there may be minor variations
    in interpretation and behavior.
  • Ex., coordinating sequence numbers to implement
    the connection of a TCP session
  • Some implementations respond with a given
    sequence number, others respond with the number
    one greater, and others respond with an unrelated
    number.

23
Operating System and Application Fingerprinting
  • Also, new features offer a strong clue: a new
    version will implement a new feature but an old
    version will reject the request.
  • Sometimes the application identifies itself.
    Usually a client-server interaction is handled
    completely within the application according to
    protocol rules.
  • "Please send me this page." "OK, but run this
    support code." "Thanks, I just did."
  • The attacker might use an application to send
    meaningless messages to another application.
  • Ports such as 80 (HTTP), 25 (SMTP), 110 (POP),
    and 21 (FTP) may respond with something like
  • Server: Netscape-Commerce/1.12
    Your browser sent a non-HTTP compliant message.
  • or
  • Microsoft ESMTP MAIL Service, Version:
    5.0.2195.3779

24
Bulletin Boards and Chats
  • Numerous underground bulletin boards and chat
    rooms support exchange of information.
  • Attackers can post their latest exploits and
    techniques, read what others have done, and
    search for additional information on systems,
    applications, or sites.

25
Availability of Documentation
  • The vendors themselves sometimes distribute
    information that is useful to an attacker.
  • For example, Microsoft produces a resource kit by
    which application vendors can investigate a
    Microsoft product in order to develop compatible,
    complementary applications.
  • This toolkit also gives attackers tools to use in
    investigating a product that can subsequently be
    the target of an attack.

26
Reconnaissance: Concluding Remarks
  • A good thief, that is, a successful one, spends
    time understanding the context of the target.
  • The best defense against reconnaissance is
    silence.
  • Give out as little information about your site as
    possible, whether by humans or machines.
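The fingerprinting slides show what a chatty banner gives away, and this slide's advice is silence. The following is an added example (not from the slides or from Pfleeger's book) of the check a defender would run against their own services: it inspects captured HTTP and SMTP banners and reports any product name or version string that a fingerprinting tool could use. The banners are constructed to mirror the slides' examples, and the product-word list and version pattern are assumptions of this example.

```python
import re

# Constructed sample banners, modelled on the kinds of responses the
# fingerprinting slides quote; they are not real captures.
SAMPLE_BANNERS = {
    "web-leaky": (
        "HTTP/1.1 400 Bad Request\r\n"
        "Server: Netscape-Commerce/1.12\r\n\r\n"
        "Your browser sent a non-HTTP compliant message."
    ),
    "web-quiet": "HTTP/1.1 400 Bad Request\r\nServer: webserver\r\n\r\n",
    "smtp-leaky": "220 mail.example.test Microsoft ESMTP MAIL Service, Version: 5.0.2195.3779 ready",
    "smtp-quiet": "220 mail.example.test ESMTP ready",
}

# A dotted version string such as 1.12 or 5.0.2195.3779.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")
# Product names whose mere presence narrows down the implementation (assumed list).
PRODUCT_WORDS = ("netscape", "microsoft", "apache", "nginx", "iis",
                 "exchange", "sendmail", "postfix")


def reveals_product(text: str) -> bool:
    """True if the text carries a version number or a recognisable product name."""
    lowered = text.lower()
    return bool(VERSION_RE.search(text)) or any(word in lowered for word in PRODUCT_WORDS)


def banner_findings(banner: str) -> list[str]:
    """Return the parts of a banner that would help an attacker fingerprint the host."""
    findings = []
    lines = banner.split("\r\n")
    # HTTP replies: the Server header is the usual leak.
    for line in lines:
        if line.lower().startswith("server:"):
            value = line.split(":", 1)[1].strip()
            if reveals_product(value):
                findings.append(f"HTTP Server header reveals product/version: {value}")
    # SMTP-style greeting: a 220 line that names the software.
    if lines[0].startswith("220") and reveals_product(lines[0]):
        findings.append(f"SMTP greeting reveals product/version: {lines[0]}")
    return findings


def audit(banners: dict[str, str]) -> dict[str, list[str]]:
    """Audit several captured banners at once; an empty list means 'silent'."""
    return {name: banner_findings(text) for name, text in banners.items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BANNERS).items():
        print(name, "->", findings or "silent")
```

Run it against the banners your own servers return (a plain `telnet host 25` or `curl -sI` capture pasted into the dictionary) and trim whatever it flags; a banner that says only "webserver" or "ESMTP ready" still works for legitimate clients.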

27
Threats in Transit: Eavesdropping and Wiretapping
  • Because a network involves data in transit, we
    look first at the harm that can occur between a
    sender and a receiver
  • The easiest way to attack is simply to listen in
  • An attacker can pick off the content of a
    communication passing in the clear
  • The term eavesdrop implies overhearing without
    expending any extra effort
  • A more hostile term is wiretap, which means
    intercepting communications through some effort
  • Passive wiretapping is just "listening," much
    like eavesdropping.
  • But active wiretapping means injecting something
    into the communication
  • A wiretap can be done covertly so that neither
    the sender nor the receiver of a communication
    knows that the contents have been intercepted

28
Wiretapping
  • Wiretapping works differently depending on the
    communication medium used.
  • Cable, WiFi, Microwave, Satellite, Fiber Optics

29
Cable
  • Putting the network card (NIC) in promiscuous
    mode
  • The card allows all frames through, thus allowing
    the computer to read frames intended for other
    machines or network devices.
  • A device called a packet sniffer can retrieve all
    packets on the LAN
  • Ordinary wire (and many other electronic
    components) emits radiation. By a process called
    inductance, an intruder can tap a wire and read
    radiated signals without making physical contact
    with the cable.
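A sniffer on the LAN needs the interface in promiscuous mode, and on Linux that state is visible to the host's own administrator. As an added example (not from the slides or the book), the function below reads the interface flags that Linux exposes under /sys/class/net/<interface>/flags and reports every interface with IFF_PROMISC (0x100, from linux/if.h) set, the check a defender would put in a host audit. The sample flag values are constructed; the path is the real sysfs location.

```python
from pathlib import Path

IFF_PROMISC = 0x100  # bit value of IFF_PROMISC in <linux/if.h>


def promiscuous_interfaces(flags_by_iface: dict[str, str]) -> list[str]:
    """Given {interface: flags as hex string}, return the interfaces with IFF_PROMISC set."""
    return sorted(name for name, value in flags_by_iface.items()
                  if int(value, 16) & IFF_PROMISC)


def read_sysfs_flags(sysfs_root: str = "/sys/class/net") -> dict[str, str]:
    """Collect flags from /sys/class/net/<iface>/flags; empty on non-Linux hosts."""
    result = {}
    root = Path(sysfs_root)
    if not root.is_dir():
        return result
    for iface in root.iterdir():
        try:
            result[iface.name] = (iface / "flags").read_text().strip()
        except OSError:
            continue  # interface vanished or is unreadable; skip it
    return result


# Constructed sample: eth0 is UP|BROADCAST|MULTICAST|PROMISC (0x1103),
# eth1 the same without PROMISC (0x1003), lo is UP|LOOPBACK (0x9).
SAMPLE_FLAGS = {"eth0": "0x1103", "eth1": "0x1003", "lo": "0x9"}

if __name__ == "__main__":
    print("promiscuous (sample):", promiscuous_interfaces(SAMPLE_FLAGS))
    print("promiscuous (this host):", promiscuous_interfaces(read_sysfs_flags()))
```

A legitimate capture tool or a virtual switch can set the flag too, so treat a hit as something to explain rather than proof of a tap; the inductive tap the slide mentions leaves no such trace at all, which is why encryption in transit is the control that covers both cases.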

30
Wireless (WiFi)
  • Wireless networking is becoming very popular,
    with good reason.
  • With wireless (also known as WiFi), people are
    not tied to a wired connection
  • they are free to roam throughout an office,
    house, or building while maintaining a
    connection.
  • A wireless signal is strong for approximately 100
    to 200 feet.
  • The difficulties of wireless arise in the ability
    of intruders to intercept and spoof a connection.
  • You may react to that threat by assuming that
    encryption will address it. Unfortunately,
    encryption is not always used for wireless
    communication, and the encryption built into some
    wireless devices is not as strong as it should be
    to deter a dedicated attacker.

31
Wireless (WiFi)
  • Theft of Service
  • Wireless also admits a second problem: the
    possibility of rogue use of a network connection.
  • Many hosts run the Dynamic Host Configuration
    Protocol (DHCP), by which a client negotiates a
    one-time IP address and connectivity with a host.
  • Unless the host authenticates users before
    assigning a connection, any requesting client is
    assigned an IP address and network access.
  • But is it legal? In separate cases, Benjamin Smith
    III in Florida in July 2005 and Dennis Kauchak in
    Illinois in March 2006 were convicted of remotely
    accessing a computer wirelessly without the
    owner's permission. Kauchak was sentenced to a
    $250 fine.
  • So, even though you are able to connect, it may
    not be legal to do so.

32
Summary of Wiretapping
  • There are many points at which network traffic is
    available to an interceptor.
  • From a security standpoint, you should assume
    that all communication links between network
    nodes can be broken.
  • For this reason, commercial network users employ
    encryption to protect the confidentiality of
    their communications, as we demonstrate later in
    this chapter

33
Protocol Flaws
  • Internet protocols are publicly posted for
    scrutiny by the entire Internet community
  • Each accepted protocol is known by its Request
    for Comment (RFC) number.
  • But protocol definitions are made and reviewed by
    fallible humans. Likewise, protocols are
    implemented by fallible humans.
  • For example, TCP connections are established
    through sequence numbers. The client (initiator)
    sends a sequence number to open a connection, the
    server responds with that number and a sequence
    number of its own, and the client responds with
    the server's sequence number. Suppose (as pointed
    out by Morris) someone can guess a client's next
    sequence number. That person could impersonate
    the client in an interchange.

34
Impersonation
  • In many instances, there is an easier way than
    wiretapping for obtaining information on a
    network
  • Impersonate another person or process
  • In an impersonation, an attacker has several
    choices:
  • Authentication Foiled by Guessing
  • Authentication Foiled by Eavesdropping or
    Wiretapping
  • Authentication Foiled by Avoidance
  • Nonexistent Authentication

35
Spoofing
  • When an attacker falsely carries on one end of a
    networked interchange.
  • Examples of spoofing are masquerading, session
    hijacking, and man-in-the-middle attacks.

36
Masquerade
  • In a masquerade one host pretends to be another.
  • A common example is URL confusion
  • Domain names can easily be confused, or someone
    can easily mistype certain names.
  • Thus xyz.com, xyz.org, and xyz.net might be three
    different organizations, or one bona fide
    organization (for example, xyz.com) and two
    masquerade attempts from someone who registered
    the similar domain names.
  • Names with or without hyphens (coca-cola.com
    versus cocacola.com) and easily mistyped names
    (l0pht.com versus lopht.com, or citibank.com
    versus citybank.com) are candidates for
    masquerading.
  • A variation of this attack is called phishing.
    You send an e-mail message, perhaps with the real
    logo of Blue Bank, and an enticement to click on
    a link, supposedly to take the victim to the Blue
    Bank web site.
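The slide's examples (xyz.org beside xyz.com, coca-cola.com beside cocacola.com, l0pht.com beside lopht.com, citybank.com beside citibank.com) are exactly what a brand-monitoring check looks for. The following is an added example (not from the slides or the book) of such a check: it normalizes domain names the way a reader's eye does, dropping the TLD and hyphens and mapping digit look-alikes back to letters, then flags candidates that match a protected brand or sit above a similarity threshold. The homoglyph table, the threshold and the domain lists are assumptions of this example.

```python
import difflib

# Digits commonly used in place of look-alike letters (assumed, reduced set).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Reduce a domain to the form a reader 'sees': no TLD, no hyphens,
    digit-for-letter substitutions undone."""
    name = domain.lower().rsplit(".", 1)[0]
    return name.replace("-", "").translate(HOMOGLYPHS)


def similarity(candidate: str, brand: str) -> float:
    """0.0-1.0 similarity of the normalized names (difflib ratio)."""
    return difflib.SequenceMatcher(None, normalize(candidate), normalize(brand)).ratio()


def flag_lookalikes(candidates, brands, threshold: float = 0.85):
    """Return (candidate, brand) pairs where the candidate could be mistaken for the brand."""
    flagged = []
    for cand in candidates:
        for brand in brands:
            if cand.lower() == brand.lower():
                continue  # the genuine domain itself
            if normalize(cand) == normalize(brand) or similarity(cand, brand) >= threshold:
                flagged.append((cand, brand))
                break
    return flagged


# Constructed inputs built from the slide's examples.
BRANDS = ["xyz.com", "cocacola.com", "lopht.com", "citibank.com"]
CANDIDATES = ["xyz.org", "coca-cola.com", "l0pht.com", "citybank.com", "weather.com"]

if __name__ == "__main__":
    for cand, brand in flag_lookalikes(CANDIDATES, BRANDS):
        print(f"{cand} looks like {brand} (similarity {similarity(cand, brand):.2f})")
```

The TLD handling is deliberately simple (a two-level suffix such as .co.uk is not split correctly) and the homoglyph table covers only the digit substitutions the slide mentions; a production check would also cover Unicode confusables and whole-word substitutions.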

37
Session Hijacking
  • Session hijacking is intercepting and carrying on
    a session begun by another entity.
  • Suppose two entities have entered into a session
    but then a third entity intercepts the traffic
    and carries on the session in the name of the
    other.

38
Man-in-the-Middle Attack
  • Our hijacking example requires a third party
    involved in a session between two entities.
  • A man-in-the-middle attack is a similar form of
    attack, in which one entity intrudes between two
    others.
  • The difference between man-in-the-middle and
    hijacking is that a man-in-the-middle usually
    participates from the start of the session,
    whereas a session hijacking occurs after a
    session has been established. The difference is
    largely semantic and not too significant.

39
Man-in-the-Middle Attack
  • Man-in-the-middle attacks are frequently
    described in protocols.
  • To see how an attack works:
  • suppose you want to exchange encrypted
    information with your friend
  • You contact the key server and ask for a secret
    key with which to communicate with your friend
  • The key server responds by sending a key to you
    and your friend
  • One man-in-the-middle attack assumes someone can
    see and enter into all parts of this protocol
  • A malicious middleman intercepts the response key
    and can then eavesdrop on, or even decrypt,
    modify, and reencrypt any subsequent
    communications between you and your friend

40
Man-in-the-Middle Attack
Figure 7-15  Key Interception by a
Man-in-the-Middle Attack.
41
Man-in-the-Middle Attack
  • Man-in-the-middle attacks with public keys
  • The man-in-the-middle intercepts your request to
    the key server and instead asks for your friend's
    public key.
  • The man-in-the-middle passes to you his own
    public key, not your friend's.
  • You encrypt using the public key you received
    (from the man-in-the-middle).
  • The man-in-the-middle intercepts and decrypts,
    reads, and reencrypts using your friend's public
    key, and your friend receives the message.
  • In this way, the man-in-the-middle reads the
    messages and neither you nor your friend is aware
    of the interception.
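The key-substitution attack on these slides works only because the client accepts whatever key arrives. The following is an added example (not from the slides or the book) that plays the exchange through twice: once with the slides' trusting client, which ends up holding the middleman's key, and once with a client that verifies the key record before using it. "Public keys" here are opaque random byte strings, and the directory authenticates each (name, key) record with an HMAC under a secret the middleman does not hold; that HMAC is a stand-in for the CA signature or pinned fingerprint a real system would use. All names, secrets and keys are constructed.

```python
import hashlib
import hmac
import os

# Stand-in for a CA key: shared by the key server and the verifying client,
# never seen by the middleman.  Constructed value.
DIRECTORY_SECRET = b"constructed-directory-signing-secret"


def fingerprint(pub: bytes) -> str:
    """Short identifier for a key, as a user would compare out of band."""
    return hashlib.sha256(pub).hexdigest()[:16]


def sign_record(name: str, pub: bytes, secret: bytes) -> bytes:
    """Authenticate the binding between a name and a public key."""
    return hmac.new(secret, name.encode() + b"\0" + pub, hashlib.sha256).digest()


class KeyServer:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._keys = {}

    def register(self, name: str, pub: bytes) -> None:
        self._keys[name] = pub

    def lookup(self, name: str) -> dict:
        pub = self._keys[name]
        return {"name": name, "pub": pub, "tag": sign_record(name, pub, self._secret)}


class MiddleMan:
    """Intercepts the key server's reply and substitutes its own key."""
    def __init__(self):
        self.pub = os.urandom(32)

    def tamper(self, reply: dict) -> dict:
        return {**reply, "pub": self.pub}  # the tag is left as it was


def accept_unauthenticated(name: str, reply: dict) -> bytes:
    """The slide's vulnerable client: trusts whatever key arrives."""
    return reply["pub"]


def accept_authenticated(name: str, reply: dict, secret: bytes):
    """Hardened client: verifies the record before using the key; None on failure."""
    expected = sign_record(name, reply["pub"], secret)
    if reply["name"] != name or not hmac.compare_digest(expected, reply["tag"]):
        return None
    return reply["pub"]


def run_scenario() -> dict:
    """Both clients, against a genuine reply and a tampered one."""
    server = KeyServer(DIRECTORY_SECRET)
    friend_pub = os.urandom(32)
    server.register("friend", friend_pub)
    mitm = MiddleMan()
    tampered = mitm.tamper(server.lookup("friend"))
    genuine = server.lookup("friend")
    return {
        "unauthenticated_uses_middleman_key":
            accept_unauthenticated("friend", tampered) == mitm.pub,
        "authenticated_rejects_tampered":
            accept_authenticated("friend", tampered, DIRECTORY_SECRET) is None,
        "authenticated_accepts_genuine":
            accept_authenticated("friend", genuine, DIRECTORY_SECRET) == friend_pub,
    }


if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check}: {outcome}")
```

The middleman can still read the request and drop the reply, so this defends against substitution, not against denial of service; the binding of name to key must be verifiable with something the client already trusts, which is the role certificates and out-of-band fingerprint comparison play in practice.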

42
Message Confidentiality Threats
  • Eavesdropping and impersonation attacks can lead
    to a confidentiality or integrity failure.
  • Here we consider several other vulnerabilities
    that can affect confidentiality.
  • Misdelivery
  • a destination address is modified or some handler
    malfunctions, causing a message to be delivered
    to someone other than the intended recipient
  • Exposure
  • intercepting the message at its source,
    destination, or at any intermediate node can lead
    to its exposure
  • Traffic Flow Analysis
  • Sometimes not only is the message itself
    sensitive but the fact that a message exists is
    also sensitive

43
Message Integrity Threats
  • Falsification of Messages
  • change some or all of the content of a message
  • replace a message entirely, including the date,
    time, and sender/receiver identification
  • reuse (replay) an old message
  • combine pieces of different messages into one
  • change the apparent source of a message
  • redirect a message
  • destroy or delete a message
  • Noise
  • Signals sent over communications media are
    subject to interference from other traffic on the
    same media

44
Format Failures
  • Malformed Packets
  • Packets and other data items have specific
    formats, depending on their use.
  • Field sizes, bits to signal continuations, and
    other flags have defined meanings and will be
    processed appropriately by network service
    applications called protocol handlers.
  • These services do not necessarily check for
    errors, however.
  • For example, in 2003 Microsoft distributed a
    patch for its RPC (Remote Procedure Call)
    service. If a malicious user initiated an RPC
    session and then sent an incorrectly formatted
    packet, the entire RPC service failed, as well as
    some other Microsoft services.
  • Attackers try all sorts of malformations of
    packets.
  • The result can be denial of service, complete
    failure of the system, or some other serious
    result.
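The slide's point is that a protocol handler which does not check its input can be taken down by a single malformed packet. As an added example (not from the slides or the book), here is a toy record format with two handlers: a naive one that trusts the length field and the packet size, and a checked one that validates every field and rejects bad input with a clean error so the service keeps running. The format, the sample packets and the record limit are constructed for this example.

```python
import struct

# Constructed toy protocol: a packet is a sequence of records, each
# <type: 1 byte><length: 2 bytes big-endian><value: length bytes>.
HEADER = struct.Struct("!BH")


class MalformedPacket(ValueError):
    pass


def parse_naive(packet: bytes) -> list:
    """Vulnerable handler: trusts the length field and the packet size."""
    records, offset = [], 0
    while offset < len(packet):
        rtype, length = HEADER.unpack_from(packet, offset)  # struct.error on a short header
        offset += HEADER.size
        records.append((rtype, packet[offset:offset + length]))  # silently truncated
        offset += length
    return records


def parse_checked(packet: bytes, max_records: int = 64) -> list:
    """Hardened handler: every field is validated before it is used."""
    records, offset = [], 0
    while offset < len(packet):
        if len(records) >= max_records:
            raise MalformedPacket("too many records")
        if len(packet) - offset < HEADER.size:
            raise MalformedPacket(f"truncated header at offset {offset}")
        rtype, length = HEADER.unpack_from(packet, offset)
        offset += HEADER.size
        if len(packet) - offset < length:
            raise MalformedPacket(
                f"record claims {length} bytes, only {len(packet) - offset} remain")
        records.append((rtype, packet[offset:offset + length]))
        offset += length
    return records


def handle(packet: bytes, parser) -> str:
    """A service loop that must keep running whatever arrives."""
    try:
        return f"ok: {len(parser(packet))} records"
    except MalformedPacket as exc:
        return f"rejected: {exc}"


# Constructed packets: well formed, header cut off, length exceeding the data.
GOOD_PACKET = HEADER.pack(1, 5) + b"hello" + HEADER.pack(2, 0)
SHORT_HEADER = HEADER.pack(1, 5) + b"hello" + b"\x02"
OVERLONG = HEADER.pack(1, 500) + b"hi"

if __name__ == "__main__":
    for name, packet in (("good", GOOD_PACKET), ("short", SHORT_HEADER), ("overlong", OVERLONG)):
        print(name, "checked:", handle(packet, parse_checked))
    print("naive on overlong:", parse_naive(OVERLONG))  # accepts a truncated value
    print("naive on short header:", end=" ")
    print(handle(SHORT_HEADER, parse_naive))  # uncaught struct.error ends the service
```

Note the two failure modes: the naive handler crashes on the truncated header (the whole service stops, as in the RPC example) and quietly accepts the overlong record with a truncated value, which is the kind of silent misinterpretation that later code builds on.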

45
Format Failures
  • Protocol Failures and Implementation Flaws
  • Certain network protocol implementations have
    been the source of many security flaws.
  • Examples: SNMP (network management), DNS
    (addressing service), and e-mail services such as
    SMTP and S/MIME.
  • The protocol itself may be incomplete: if the
    protocol does not specify what action to take in
    a particular situation, vendors may produce
    different results. So an interaction on Windows,
    for example, might succeed while the same
    interaction on a Unix system would fail.

46
Web Site Vulnerabilities
  • A web site is especially vulnerable because it is
    almost completely exposed to the user.
  • In short, the attacker has some advantages that
    can be challenging to control.
  • If you use an application program, you do not
    usually get to view the program's code.
  • With a web site, the attacker can download the
    site's code for offline study over time.
  • With a program, you have little ability to
    control in what order you access parts of the
    program
  • but a web attacker gets to control in what order
    pages are accessed
  • The attacker can also choose what data to supply
    and can run experiments with different data
    values to see how the site will react

47
Web Site Vulnerabilities
  • The list of web site vulnerabilities is too long
    to explore completely here.
  • Web Site Defacement
  • Because of the large number of sites that have
    been defaced and the visibility of the result,
    the attacks are often reported in the popular
    press.
  • A defacement is common not only because of its
    visibility but also because of the ease with
    which one can be done.
  • Web sites are designed so that their code is
    downloaded
  • enabling an attacker to obtain the full hypertext
    document and all programs directed to the client
    in the loading process
  • An attacker can even view programmers' comments
    left in as they built or maintained the code

48
Web Site Vulnerabilities
  • Buffer Overflows
  • The attacker simply feeds a program far more data
    than it expects to receive. A buffer size is
    exceeded, and the excess data spill over into
    adjoining code and data locations.
  • Some web servers are vulnerable to extremely long
    parameter fields, such as passwords of length
    10,000 or a long URL padded with space or null
    characters

49
Web Site Vulnerabilities
  • Dot-Dot-Slash
  • Web server code should always run in a
    constrained environment.
  • Ideally, the web server should never have
    editors, xterm and Telnet programs, or even most
    system utilities loaded.
  • By constraining the environment in this way, even
    if an attacker escapes from the web server
    application, no other executable programs will
    help the attacker use the web server's computer
    and operating system to extend the attack.
  • But many web applications programmers are naïve.
  • They expect to need to edit a web application in
    place, so they install editors and system
    utilities on the server to give them a complete
    environment in which to program.

50
Web Site Vulnerabilities
  • Dot-Dot-Slash
  • A second, less desirable, condition for
    preventing an attack is to create a fence
    confining the web server application
  • With such a fence, the server application cannot
    escape from its area and access other potentially
    dangerous system areas (such as editors and
    utilities).
  • The server begins in a particular directory
    subtree, and everything the server needs is in
    that same subtree.
  • In both Unix and Windows, '..' is the directory
    indicator for "predecessor." And '../..' is the
    grandparent of the current location.
  • So someone who can enter file names can travel
    back up the directory tree one .. at a time.
  • For example, passing the following URL causes the
    server to return the requested file, autoexec.nt,
    enabling an attacker to modify or delete it.
  • http://yoursite.com/webhits.htw?CiWebHitsFile=../../../../../winnt/system32/autoexec.nt
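The "fence" the slides describe is enforced in code by canonicalizing the requested path and refusing anything that does not stay under the document root. The following is an added example (not from the slides or the book) that takes the file name out of the slide's URL and resolves it two ways: a naive join that lets the `..` components walk out of the tree, and a fenced resolver that rejects them. The document root `/srv/www` and the `docs/index.html` request are assumptions; `yoursite.com` and the `CiWebHitsFile` parameter are the slide's own example values.

```python
import os
from pathlib import Path
from urllib.parse import parse_qs, urlsplit


def requested_file(url: str, param: str = "CiWebHitsFile") -> str:
    """Pull the file name out of the query string (percent-encoding is decoded here,
    so an encoded '..%2F' ends up as a plain '../' before the path check)."""
    query = parse_qs(urlsplit(url).query)
    return query.get(param, [""])[0]


def resolve_naive(docroot: str, requested: str) -> str:
    """Vulnerable: joins the name onto the document root; '..' walks out of it."""
    return os.path.normpath(os.path.join(docroot, requested))


def resolve_fenced(docroot: str, requested: str):
    """Hardened: canonicalize, then refuse anything outside the document root."""
    root = Path(docroot).resolve()
    candidate = (root / requested.lstrip("/")).resolve()  # lstrip stops absolute overrides
    try:
        candidate.relative_to(root)
    except ValueError:
        return None  # escaped the fence
    return str(candidate)


# The slide's URL and an ordinary request against an assumed document root.
TRAVERSAL_URL = ("http://yoursite.com/webhits.htw?"
                 "CiWebHitsFile=../../../../../winnt/system32/autoexec.nt")
NORMAL_URL = "http://yoursite.com/webhits.htw?CiWebHitsFile=docs/index.html"
DOCROOT = "/srv/www"

if __name__ == "__main__":
    for url in (TRAVERSAL_URL, NORMAL_URL):
        name = requested_file(url)
        print("naive :", resolve_naive(DOCROOT, name))
        print("fenced:", resolve_fenced(DOCROOT, name))
```

`Path.resolve()` follows symbolic links before the containment check, so a link inside the document root that points outside it is caught as well; the naive `normpath` version is purely lexical and is the behaviour the slide's URL exploits.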

51
Web Site Vulnerabilities
  • Application Code Errors
  • The web server passes context strings to the
    user, making the user's browser reply with full
    context. A problem arises when the user can
    modify that context.
  • Assume you have selected one CD and are looking
    at a second web page. The web server has passed
    you a URL similar to
  • http://www.CDs-r-us.com/buy.asp?i1=459012&p1=1599
  • This URL means you have chosen CD number 459012,
    and its price is $15.99. You now select a second,
    and the URL becomes
  • http://www.CDs-r-us.com/buy.asp?i1=459012&p1=1599&i2=365217&p2=1499
  • You realize that you can edit the URL in the
    address window of your browser.
  • Consequently, you change each of 1599 and 1499 to
    199.
  • This failure is an example of the time-of-check
    to time-of-use flaw that we discussed in Chapter
    3.
  • The server sets (checks) the price of the item
    when you first display the price, but then it
    loses control of the checked data item and never
    checks it again.
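The fix for this time-of-check to time-of-use flaw is for the server to keep control of the checked value: the URL may name the items, but the price is looked up again on the server at the time of use. The following is an added example (not from the slides or the book) with both versions side by side, parsing the slide's `i1/p1, i2/p2` URL layout. The catalog (prices in cents) and the edited URL are constructed; `www.CDs-r-us.com` and the item numbers are the slide's own example values.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed catalog: item id -> price in cents; the server's source of truth.
CATALOG = {"459012": 1599, "365217": 1499}


def parse_cart(url: str):
    """Read the i1/p1, i2/p2, ... pairs the slide's URL carries."""
    query = parse_qs(urlsplit(url).query)
    items, n = [], 1
    while f"i{n}" in query:
        items.append((query[f"i{n}"][0], query.get(f"p{n}", ["0"])[0]))
        n += 1
    return items


def total_trusting_url(url: str) -> int:
    """Vulnerable: the price is read back from the URL the user controls."""
    return sum(int(price) for _, price in parse_cart(url))


def total_from_catalog(url: str) -> int:
    """Hardened: the URL may name items, but every price is re-checked server-side."""
    total = 0
    for item_id, _ in parse_cart(url):
        if item_id not in CATALOG:
            raise ValueError(f"unknown item {item_id}")
        total += CATALOG[item_id]
    return total


ORIGINAL_URL = "http://www.CDs-r-us.com/buy.asp?i1=459012&p1=1599&i2=365217&p2=1499"
EDITED_URL = "http://www.CDs-r-us.com/buy.asp?i1=459012&p1=199&i2=365217&p2=199"

if __name__ == "__main__":
    for label, url in (("original", ORIGINAL_URL), ("edited", EDITED_URL)):
        print(f"{label}: trusting URL = {total_trusting_url(url)} cents, "
              f"from catalog = {total_from_catalog(url)} cents")
```

Where the server must carry state in the URL (a discount already granted, for instance), the alternative is to authenticate the context string with a server-side MAC so any edit is detected at time of use; either way the browser is never the authority on the price.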

52
Web Site Vulnerabilities
  • Server-Side Include
  • A more serious problem
  • Web pages can be organized to invoke a particular
    function automatically.
  • For example, many pages use web commands to send
    an e-mail message in the "contact us" part of the
    displayed page.
  • One of the server-side include commands is exec,
    to execute an arbitrary file on the server. For
    instance, the server-side include command
  • <!--#exec cmd="/usr/bin/telnet &"-->
  • opens a Telnet session from the server running in
    the name of (that is, with the privileges of) the
    server. An attacker may find it interesting to
    execute commands such as chmod (change access
    rights to an object), sh (establish a command
    shell), or cat (copy to a file).
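Where user-supplied or user-editable content is ever processed for server-side includes, the defensive step is to make `exec` impossible and to keep `include` inside the document tree. As an added example (not from the slides or the book), the sanitizer below walks the Apache-style `<!--#directive ...-->` syntax, strips every `exec` directive and every `include` whose `file=` or `virtual=` target is absolute or contains `..`, and reports what it removed. The sample page, which carries the slide's exec directive, is constructed.

```python
import re

# Matches <!--#directive arg="value" ... --> (Apache-style SSI syntax).
SSI_RE = re.compile(r"<!--#\s*(\w+)\s*(.*?)\s*-->", re.DOTALL)
INCLUDE_ARG_RE = re.compile(r'(?:file|virtual)\s*=\s*"([^"]*)"')


def sanitize_ssi(html: str):
    """Strip exec directives and includes that leave the document tree.
    Returns (clean_html, findings)."""
    findings = []

    def replace(match):
        directive, args = match.group(1).lower(), match.group(2)
        if directive == "exec":
            findings.append(f"removed exec: {args}")
            return ""
        if directive == "include":
            target = INCLUDE_ARG_RE.search(args)
            path = target.group(1) if target else ""
            if not path or path.startswith("/") or ".." in path.split("/"):
                findings.append(f"removed include outside document tree: {args}")
                return ""
        return match.group(0)  # echo, include of a local file, etc. pass through

    return SSI_RE.sub(replace, html), findings


# Constructed page: one legitimate include, the slide's exec directive, and
# an include that walks out of the document tree.
SAMPLE_PAGE = """<h1>Contact us</h1>
<!--#include file="contact-form.html"-->
<!--#exec cmd="/usr/bin/telnet &"-->
<!--#include virtual="../../private/config.txt"-->
<!--#include file="footer.html"-->
"""

if __name__ == "__main__":
    clean, findings = sanitize_ssi(SAMPLE_PAGE)
    print(clean)
    for finding in findings:
        print("*", finding)
```

On Apache the same policy can be set in configuration with `Options +IncludesNOEXEC`, which disables `exec` for the server as a whole; a sanitizer like this one matters when pages are assembled from content that the web server's own configuration does not see.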

53
Denial of Service
  • So far, we have discussed attacks that lead to
    failures of confidentiality or integrity.
  • Availability attacks, sometimes called
    denial-of-service or DoS attacks, are much more
    significant in networks than in other contexts.
  • Transmission Failure
  • Communications fail for many reasons.
  • A line is cut. Or network noise makes a packet
    unrecognizable or undeliverable. A machine along
    the transmission path fails for hardware or
    software reasons. A device is removed from
    service for repair or testing. A device is
    saturated and rejects incoming data until it can
    clear its overload. Many of these problems are
    temporary or automatically fixed (circumvented)
    in major networks, including the Internet.
  • From a malicious standpoint, you can see that
    anyone who can sever, interrupt, or overload
    capacity to you can deny your service.

54
Denial of Service (DoS)
  • Connection Flooding
  • The most primitive denial-of-service attack is
    flooding a connection.
  • If an attacker sends you as much data as your
    communications system can handle, you are
    prevented from receiving any other data.
  • Some protocols, such as ICMP, are used to launch
    connection-flooding attacks. ICMP messages
    include:
  • ping, which requests a destination to return a
    reply, intended to show that the destination
    system is reachable and functioning
  • echo, which requests a destination to return the
    data sent to it, intended to show that the
    connection link is reliable (ping is actually a
    version of echo)
  • destination unreachable, which indicates that a
    destination address cannot be accessed
  • source quench, which means that the destination
    is becoming saturated and the source should
    suspend sending packets for a while

55
Denial of Service (DoS)
  • Connection Flooding
  • Echo-Chargen
  • This attack works between two hosts.
  • Chargen (character generator) is a protocol that
    generates a stream of characters, intended to test
    the network's capacity; echo returns whatever it
    receives.
  • The attacker sets up a chargen process on host A
    that addresses its packets to the echo service on
    host B
  • Host A then produces a stream of packets to which
    host B replies by echoing them back to host A
  • This series puts the network infrastructures of A
    and B into an endless loop
  • If the attacker makes B both the source and
    destination address of the first packet, B hangs
    in a loop, constantly creating and replying to
    its own messages.
  • Both services (echo on port 7, chargen on port 19)
    are diagnostic leftovers and should be disabled
    on hosts and filtered at the perimeter.

56
Denial of Service (DoS)
  • Connection Flooding
  • Ping of Death
  • Since ping requires the recipient to respond to
    the echo request, all the attacker needs to do is
    send a flood of pings to the intended victim.
  • The ping packets will saturate the victim's
    bandwidth (the attack is limited by the narrowest
    link on the attacker's own path).
  • Strictly, what is described here is a ping flood.
    The original ping of death was a malformed-packet
    attack rather than a flood: a fragmented ICMP echo
    request whose reassembled length exceeded the
    65,535-byte IP maximum, which crashed stacks that
    did not check the total before reassembling it.

57
Denial of Service (DoS)
  • Connection Flooding
  • Smurf
  • a variation of a ping attack with two extra
    twists
  • First, the attacker chooses a network of
    unwitting intermediaries (the amplifier network).
    The attacker spoofs the source address in the ping
    packet so that it appears to come from the victim.
  • Then, the attacker sends this request to the
    network's broadcast address (the host portion of
    the address set to all 1s), so every host on that
    network replies to the victim at once.

Figure 7-16  Smurf Attack.
58
Denial of Service (DoS)
  • Connection Flooding
  • Syn Flood

Figure 7-17  Three-Way TCP Connection Handshake.
59
Denial of Service (DoS)
  • Connection Flooding
  • Syn Flood
  • This attack uses the TCP protocol suite, making
    the session-oriented nature of these protocols
    work against the victim.
  • The destination maintains a queue of SYN_RECV
    (half-open) connections, tracking those for
    which a SYN/ACK has been sent but no
    corresponding ACK has yet been received.
  • Normally, these connections are completed in a
    short time. If the SYN/ACK or the ACK packet is
    lost, eventually the destination host will time
    out the incomplete connection and discard it from
    its waiting queue.
  • The attacker can deny service to the target by
    sending many SYN requests (usually with spoofed
    source addresses, so no ACK can ever come back)
    and never completing the handshake, thereby
    filling the victim's SYN_RECV queue
  • Typically, the SYN_RECV queue was quite small on
    the systems of the time, such as 10 or 20
    entries.
  • So the attacker need only send a new SYN request
    every few seconds, faster than entries time out,
    and the queue stays full.
  • Modern stacks use much larger backlogs and SYN
    cookies, which avoid keeping state for a
    half-open connection at all; against those the
    attacker has to fall back on sheer volume.
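The following Python is an added example, not code from the book or the slides. It models the half-open queue described above with a backlog of 16 entries and a 60-second timeout, and shows that a flood only needs to arrive faster than entries expire: at one spoofed SYN every 100 ms the legitimate client is refused on every attempt after the first, at one every 10 s it is never refused. The second half goes beyond the slide and sketches the stateless alternative, a SYN cookie: the server encodes the connection identity and a coarse time slot into its initial sequence number under an HMAC, keeps nothing, and accepts the final ACK only if it acknowledges a cookie it could have minted. The secret, the slot length and the addresses are assumptions for the example.

```python
import hashlib
import hmac
from collections import OrderedDict

SYN_RECV_MAX = 16         # tiny backlog, like the slide's "10 or 20 entries"
SYN_TIMEOUT_MS = 60_000   # how long a half-open entry is kept


class StatefulListener:
    """Classic TCP server side: one SYN_RECV entry per SYN until the final
    ACK arrives or the entry times out."""

    def __init__(self):
        self.half_open = OrderedDict()   # (src_ip, src_port) -> expiry (ms)

    def _expire(self, now_ms):
        for key, expiry in list(self.half_open.items()):
            if expiry <= now_ms:
                del self.half_open[key]

    def on_syn(self, src, now_ms):
        self._expire(now_ms)
        if len(self.half_open) >= SYN_RECV_MAX:
            return False                 # backlog full: this SYN is dropped
        self.half_open[src] = now_ms + SYN_TIMEOUT_MS
        return True

    def on_ack(self, src, now_ms):
        return self.half_open.pop(src, None) is not None


def simulate_flood(attacker_interval_ms, duration_ms=120_000, legit_every_ms=10_000):
    """Attacker sends one spoofed SYN every attacker_interval_ms and never
    ACKs; a legitimate client tries to connect every legit_every_ms and
    ACKs at once. Returns (refused, attempts) for the legitimate client."""
    server = StatefulListener()
    events = [(k * attacker_interval_ms, "atk", k)
              for k in range(duration_ms // attacker_interval_ms)]
    events += [(k * legit_every_ms, "legit", k)
               for k in range(duration_ms // legit_every_ms)]
    events.sort()                         # "atk" sorts before "legit" at equal times
    refused = attempts = 0
    for now, kind, k in events:
        if kind == "atk":
            # spoofed source (constructed TEST-NET addresses), never acknowledged
            server.on_syn(("203.0.113.%d" % (k % 254 + 1), 1024 + k), now)
        else:
            attempts += 1
            src = ("192.0.2.10", 50000 + k)
            if server.on_syn(src, now):
                server.on_ack(src, now)
            else:
                refused += 1
    return refused, attempts


# Stateless alternative (SYN cookies): the server keeps nothing per SYN and
# folds the connection identity into the ISN it sends back instead.
COOKIE_SECRET = b"rotate-me-periodically"   # assumption: server-side secret
SLOT_SECONDS = 64                            # cookies stay valid for this slot and the previous one


def syn_cookie(src_ip, src_port, dst_port, client_isn, now_s, slot=None):
    """Server ISN = 5 bits of time slot + 27 bits of keyed MAC over the 4-tuple."""
    slot = (now_s // SLOT_SECONDS) if slot is None else slot
    msg = f"{src_ip}|{src_port}|{dst_port}|{client_isn}|{slot}".encode()
    mac = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return ((slot & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)


def check_syn_cookie(ack_number, src_ip, src_port, dst_port, client_isn, now_s):
    """True if the ACK's acknowledgement number is cookie+1 for a cookie
    minted in the current or the previous time slot."""
    current = now_s // SLOT_SECONDS
    got = (ack_number & 0xFFFFFFFF).to_bytes(4, "big")
    for slot in (current, current - 1):
        expected = (syn_cookie(src_ip, src_port, dst_port, client_isn, now_s, slot) + 1) & 0xFFFFFFFF
        if hmac.compare_digest(expected.to_bytes(4, "big"), got):
            return True
    return False


if __name__ == "__main__":
    print("fast attacker (1 SYN / 100 ms): refused, attempts =", simulate_flood(100))
    print("slow attacker (1 SYN / 10 s):   refused, attempts =", simulate_flood(10_000))
```

The threshold is simply backlog size divided by timeout (16 / 60 s here, under one SYN per three seconds), which is why the slide can say "every few seconds". With cookies the server spends a MAC computation per SYN and no memory, so the flood has to exhaust bandwidth or CPU rather than a 16-slot table.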

60
Denial of Service (DoS)
  • Connection Flooding
  • Teardrop
  • To support different applications and conditions,
    IP permits a single datagram to be fragmented,
    that is, broken into pieces and transmitted
    separately.
  • Each fragment indicates its length and relative
    position (offset) within the data unit.
  • The receiving end is responsible for reassembling
    the fragments into a single data unit.
  • In the teardrop attack, the attacker sends a
    series of fragments whose offsets and lengths
    overlap, so that they cannot fit together
    properly.
  • In an extreme case, the operating system locks up
    with these partial data units it cannot
    reassemble, thus leading to denial of service.
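The following Python is an added example, not code from the book or the slides. It is the receiving end's job described above, written defensively: fragments carry an offset, a payload and the "more fragments" flag, and the reassembler refuses any set that does not fit, including the teardrop case (a fragment whose end lies inside an earlier one), overlapping pieces, a total beyond the 65,535-byte IP maximum (the ping-of-death case), a missing final piece, and a hole. The fragment sets in the usage are constructed.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int     # byte position of this piece within the original datagram
    data: bytes
    more: bool      # IP "more fragments" flag; False marks the final piece


def reassemble(fragments, max_len=65535):
    """Reassemble one datagram from its fragments.

    Returns (datagram, None) when the pieces fit, or (None, reason) when
    they do not: a piece past the IP maximum, two final pieces, no final
    piece, a piece reaching past the length the final piece implies,
    overlapping pieces, or a hole.
    """
    if not fragments:
        return None, "no fragments"
    frags = sorted(fragments, key=lambda f: f.offset)
    total = None
    for f in frags:
        if f.offset < 0 or not f.data:
            return None, "bad offset or empty fragment"
        end = f.offset + len(f.data)
        if end > max_len:
            return None, "fragment exceeds maximum datagram size"
        if not f.more:
            if total is not None:
                return None, "two fragments claim to be last"
            total = end
    if total is None:
        return None, "last fragment missing"
    buf = bytearray(total)
    covered = bytearray(total)       # one flag byte per reassembled byte
    for f in frags:
        end = f.offset + len(f.data)
        if end > total:
            return None, "fragment extends past declared end"
        if any(covered[f.offset:end]):
            return None, "overlapping fragments"
        buf[f.offset:end] = f.data
        covered[f.offset:end] = b"\x01" * len(f.data)
    if not all(covered):
        return None, "hole in datagram"
    return bytes(buf), None


if __name__ == "__main__":
    good = [Fragment(0, b"ABCDEFGH", True), Fragment(8, b"IJKLMNOP", True),
            Fragment(16, b"QRST", False)]
    print(reassemble(good))
    # teardrop shape: second piece ends inside the first
    print(reassemble([Fragment(0, b"A" * 36, True), Fragment(24, b"B" * 4, False)]))
```

The historical teardrop bug was exactly the missing check on the second loop: a kernel computed the copy length from the new fragment's end minus the previous fragment's end, got a negative number, and copied with it. Bounding every piece against the declared total, and tracking which bytes are already filled, removes that class of arithmetic.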

61
Denial of Service (DoS)
  • Traffic Redirection
  • If an attacker can corrupt the routing, traffic
    can disappear.
  • Routers use complex algorithms to decide how to
    route traffic.
  • No matter the algorithm, they essentially seek
    the best path (where "best" is measured in some
    combination of distance, time, cost, quality, and
    the like).
  • Each router advises its neighbors about how well
    it can reach other network addresses.
  • Suppose a router advertises to its neighbors that
    it has the best path to every other address in
    the whole network.
  • Soon all routers will direct all traffic to that
    one router.
  • The one router may become flooded, or it may
    simply drop much of its traffic. In either case,
    a lot of traffic never makes it to the intended
    destination.
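The following Python is an added example, not code from the book or the slides. It runs a small distance-vector exchange (each router tells its neighbours its current cost to every destination, and each neighbour picks the cheapest advertised way) over a constructed five-router topology, then repeats it with one router lying that it is at cost 0 from everything, as the slide describes. Following the resulting next hops shows traffic from A to D being drawn into the liar and never arriving. The topology and router names are constructed.

```python
INF = float("inf")


def distance_vector(links, advertise_zero=None, rounds=20):
    """Simple distance-vector routing over a symmetric link graph.

    links: {router: {neighbour: link cost}}.
    advertise_zero: a router that lies, advertising cost 0 to every
    destination (None for an honest network).
    Returns {router: {destination: next hop}} after `rounds` exchanges.
    """
    routers = list(links)
    dist = {r: {d: (0 if d == r else INF) for d in routers} for r in routers}
    hop = {r: {d: None for d in routers} for r in routers}
    for _ in range(rounds):
        # what each router tells its neighbours this round
        adverts = {r: ({d: 0 for d in routers} if r == advertise_zero else dict(dist[r]))
                   for r in routers}
        new_dist = {r: dict(dist[r]) for r in routers}
        for r in routers:
            for d in routers:
                if d == r:
                    continue
                best, via = INF, None
                for n, cost in links[r].items():
                    if cost + adverts[n][d] < best:
                        best, via = cost + adverts[n][d], n
                new_dist[r][d], hop[r][d] = best, via
        dist = new_dist
    return hop


def path(hop, src, dst, limit=10):
    """Follow next hops from src toward dst; stops at `limit` hops so a
    loop or black hole shows up as a path that never reaches dst."""
    route = [src]
    while route[-1] != dst and len(route) < limit:
        nxt = hop[route[-1]][dst]
        if nxt is None:
            break
        route.append(nxt)
    return route


# Constructed topology: chain A-B-C-D, all links cost 1, plus a router R
# hanging off B that will play the liar.
LINKS = {
    "A": {"B": 1},
    "B": {"A": 1, "C": 1, "R": 1},
    "C": {"B": 1, "D": 1},
    "D": {"C": 1},
    "R": {"B": 1},
}


if __name__ == "__main__":
    print("honest:", path(distance_vector(LINKS), "A", "D"))
    print("R lies:", path(distance_vector(LINKS, advertise_zero="R"), "A", "D"))
```

Only B hears R directly, but B's now-cheap route to D is what B advertises onward, so A follows B into the trap too; the lie propagates exactly as far as honest routers relay it. This is the reason routing protocols that run between organisations authenticate their neighbours and filter what prefixes each one is allowed to announce.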

62
Denial of Service (DoS)
  • Traffic Redirection
  • DNS Attacks
  • The domain name system (DNS) converts domain
    names like ATT.COM into network addresses like
    211.217.74.130; a domain name server holds a table
    of such mappings
  • this process is called resolving the domain name
  • A domain name server queries other name servers
    to resolve domain names it does not know
  • For efficiency, it caches the answers it receives
    so it can resolve that name more rapidly in the
    future.
  • By taking over a name server or causing it to
    cache spurious entries (called DNS cache
    poisoning), an attacker can redirect any traffic
    addressed by name, with an obvious implication for
    denial of service (and for interception).
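The following Python is an added example, not code from the book or the slides. It contrasts two resolver caches fed the same constructed responses: a naive one that stores whatever arrives, so an attacker can plant a bogus record for a name nobody asked about, and a checked one that accepts a response only if it matches an outstanding query (random transaction ID and the same question) and keeps extra "glue" records only when they fall inside the zone the query went to (the bailiwick rule). The names, addresses and message layout are constructed; a real response also has to come from the address and port the query went to, and a 16-bit transaction ID alone is guessable, which is why resolvers randomise the source port as well.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Response:
    txid: int                  # transaction ID copied from the query
    name: str                  # the question this response claims to answer
    answer: str                # IP address for name
    additional: dict = field(default_factory=dict)   # extra name -> IP ("glue")


class NaiveCache:
    """Caches whatever arrives, whether or not anyone asked."""

    def __init__(self):
        self.cache = {}

    def receive(self, resp):
        self.cache[resp.name] = resp.answer
        self.cache.update(resp.additional)
        return True


class CheckedCache:
    """Accepts a response only if it matches an outstanding query, and keeps
    additional records only when they belong to the zone that was asked."""

    def __init__(self, rng=None):
        self.cache = {}
        self.pending = {}                        # txid -> (name asked, zone asked)
        self.rng = rng or random.SystemRandom()

    def ask(self, name, zone):
        txid = self.rng.randrange(1 << 16)       # unpredictable transaction ID
        self.pending[txid] = (name, zone)
        return txid

    def receive(self, resp):
        pending = self.pending.get(resp.txid)
        if pending is None or pending[0] != resp.name:
            return False                         # unsolicited, wrong ID, or wrong question
        name, zone = self.pending.pop(resp.txid)
        self.cache[name] = resp.answer
        for extra, ip in resp.additional.items():
            if extra == zone or extra.endswith("." + zone):   # bailiwick check
                self.cache[extra] = ip
        return True


if __name__ == "__main__":
    # Constructed poisoning attempt: nobody asked, and the "glue" names a
    # host in an unrelated zone.
    poison = Response(txid=1, name="www.example.com", answer="203.0.113.5",
                      additional={"www.bank.example": "203.0.113.6"})
    naive, checked = NaiveCache(), CheckedCache()
    naive.receive(poison)
    print("naive cache:", naive.cache)
    print("checked accepted unsolicited:", checked.receive(poison), checked.cache)
```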

63
Distributed Denial of Service (DDoS)
  • an attacker can construct a two-stage attack that
    multiplies the effect many times.
  • This multiplicative effect gives power to
    distributed denial of service.
  • In the first stage, the attacker uses any
    convenient attack to plant a Trojan horse on a
    target machine.
  • That Trojan horse may not be noticed.
  • The attacker repeats this process with many
    targets.
  • Each of these target systems then becomes what is
    known as a zombie
  • The target systems carry out their normal work,
    unaware of the resident zombie.
  • In the second stage, the attacker chooses a
    victim and sends a signal to all the zombies to
    launch the attack.
  • Instead of the victim trying to defend against
    one denial-of-service attack from one malicious
    host, the victim must counter n attacks from the n
    zombies all acting at once.

64
Distributed Denial of Service (DDoS)
Figure 7-18  Distributed Denial-of-Service Attack.
65
Threats in Active or Mobile Code
  • Active code or mobile code is a general name for
    code that is pushed to the client for execution.
  • A more efficient use of (server) resources is to
    download a program that runs on the client's
    machine
  • you probably are saying to yourself,
  • "You mean a site I don't control, which could
    easily be hacked by teenagers, is going to push
    code to my machine that will execute without my
    knowledge, permission, or oversight?" Welcome to
    the world of (potentially malicious) mobile code.
  • In fact, there are many different kinds of active
    code, and here we look at the related potential
    vulnerabilities.

66
Threats in Active or Mobile Code
  • Cookies
  • cookies are not active code. They are data files
    that can be stored and fetched by a remote server
  • However, cookies can be used to cause unexpected
    data transfer from a client to a server, so they
    have a role in a loss of confidentiality.
  • A cookie is a data object that can be held in
    memory (a per-session cookie) or stored on disk
    for future access (a persistent cookie).
  • A server can store in a cookie anything it likes:
    keystrokes the user types, the machine name,
    connection details (such as IP address), date and
    time, and so forth
  • On each request to that server, the browser sends
    back the cookies saved for it.

67
Threats in Active or Mobile Code
  • Cookies
  • Per-session cookies are deleted when the browser
    is closed
  • persistent cookies are retained until a set
    expiration date, which can be years in the
    future.
  • Cookies provide context to a server.
  • Using cookies, certain web pages can greet you
    with "Welcome back, James Bond" or reflect your
    preferences, as in "Shall I ship this order to
    you at 135 Elm Street?"
  • However, anyone possessing someone's cookie
    becomes that person in some contexts
    (impersonation)
  • What information about you does a cookie contain?
  • Even though it is your information, most of the
    time you cannot tell what is in a cookie, because
    its contents are opaque: typically a random
    identifier that indexes state kept on the server,
    or data encrypted under a key only the server
    holds.
  • The philosophy behind cookies seems to be "Trust
    us, it's good for you."
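The following Python is an added example, not code from the book or the slides. It builds the kind of cookie a server issues to say "this browser is James Bond": a payload plus an HMAC under a key only the server holds. Two things fall out of the checks. Editing the payload (the `tamper` helper, an attacker who can read but not sign) is detected, because the tag no longer matches; but simply presenting a copy of someone else's cookie is accepted, which is the impersonation the slide warns about. The key, lifetime and user name are assumptions. Signing gives integrity only; a payload this readable would need encryption as well if its contents were sensitive.

```python
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"example-server-key"   # assumption: known only to the server
LIFETIME_S = 3600                     # assumption: one-hour session


def issue_cookie(user, now_s):
    """Session cookie: base64(payload) '.' hex(HMAC-SHA256(payload))."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"user": user, "exp": now_s + LIFETIME_S}, sort_keys=True).encode()
    ).decode()
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_cookie(cookie, now_s):
    """Return the user the cookie vouches for, or None if forged or expired.
    Note there is no check of *who* presents it: possession is identity."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison
        return None
    try:
        data = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if data.get("exp", 0) <= now_s:
        return None
    return data.get("user")


def tamper(cookie, new_user):
    """What someone who can read but not sign the cookie might try:
    rewrite the payload and keep the old tag."""
    payload, tag = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(payload))
    data["user"] = new_user
    forged = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return f"{forged}.{tag}"


if __name__ == "__main__":
    now = 1_000_000
    c = issue_cookie("james.bond", now)
    print("issued:  ", c)
    print("genuine: ", read_cookie(c, now + 10))
    print("tampered:", read_cookie(tamper(c, "admin"), now + 10))
    print("stolen:  ", read_cookie(c, now + 10))   # same cookie, different hands
```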

68
Threats in Active or Mobile Code
  • Scripts
  • Clients can invoke services by executing scripts
    on servers.
  • Typically, a web browser displays a page.
  • As the user interacts with the web site via the
    browser, the browser organizes user inputs into
    parameters to a defined script
  • it then sends the script name and parameters to a
    server to be executed.
  • But all communication is done through plain HTTP
    requests.
  • The server cannot distinguish between a request
    generated by a user at a browser completing a
    web page and a request handcrafted by a user.
  • The server should never trust anything received
    from a client, because the remote user can send
    the server a string crafted by hand instead of
    one generated by the benign form the server sent
    the client
  • The mirror image holds on the client side: if you
    allow someone else to run a program on your
    machine, you can no longer be confident that your
    machine is secure

69
Threats in Active or Mobile Code
  • Active Code
  • To take advantage of the processor's power, the
    server may download code to be executed on the
    client. This executable code is called active
    code. The two main kinds of active code are Java
    code and ActiveX controls.

70
Threats in Active or Mobile Code
  • Active Code
  • A hostile applet is downloadable Java code that
    runs with the privileges of its invoking user
    and can cause harm on the client's system.
  • Necessary conditions for secure execution of
    applets
  • The system must control applets' access to
    sensitive system resources, such as the file
    system, the processor, the network, the user's
    display, and internal state variables.
  • The language must protect memory by preventing
    forged memory pointers and array (buffer)
    overflows.
  • The system must prevent object reuse by clearing
    memory contents for new objects; the system
    should perform garbage collection to reclaim
    memory that is no longer in use.
  • The system must control inter-applet
    communication as well as applets' effects on the
    environment outside the Java system through
    system calls.

71
Threats in Active or Mobile Code
  • Active Code
  • ActiveX Controls
  • Microsoft's answer to Java technology is the
    ActiveX series.
  • Using ActiveX controls, objects of arbitrary type
    can be downloaded to a client.
  • If the client has a viewer or handler for the
    object's type, that viewer is invoked to present
    the object.
  • For example, downloading a Microsoft Word .doc
    file would invoke Microsoft Word on a system on
    which it is installed.
  • Files for which the client has no handler cause
    other code to be downloaded.
  • Thus, in theory, an attacker could invent a type,
    called .bomb, and cause any unsuspecting user who
    downloaded a web page with a .bomb file also to
    download code that would execute .bombs.
  • To prevent arbitrary downloads, Microsoft uses an
    authentication scheme (Authenticode) under which
    downloaded code is cryptographically signed and
    the signature is verified before execution.
  • But the signature verifies only the source of the
    code, not its correctness or safety: signed code
    still runs with the user's full privileges.

72
Threats in Active or Mobile Code
  • Auto Exec by Type
  • Data files are processed by programs.
  • The file type is implied by the file extension,
    such as .doc for a Word document, .pdf (Portable
    Document Format) for an Adobe Acrobat file, or
    .exe for an executable file.
  • On many systems, when a file arrives with one of
    these extensions, the operating system
    automatically invokes the appropriate processor
    to handle it.
  • Many formats also embed a signature ("magic
    number") in the file that says what type it
    really is, and that need not agree with the
    extension.
  • Double-clicking the file in a Windows Explorer
    window brings up the program registered for that
    extension.
  • The file might contain malicious macros or invoke
    the opening of another, more dangerous file.
  • Generally, we recognize that executable files can
    be dangerous, text files are likely to be safe,
    and files with some active content, such as .doc
    files, fall in between.
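The following Python is an added example, not code from the book or the slides. It turns the slide's three tiers into a check a mail gateway or download scanner would actually run: identify the real type from the file's leading bytes, compare it with what the extension claims, and flag the mismatch, so a "report.txt" that begins with a Windows executable header is rated high-risk rather than safe. The magic numbers listed are the standard ones; the risk tiers, the extension table and the sample files are constructed for the example.

```python
import string

# Leading bytes ("magic numbers") that identify common formats.
MAGIC = {
    b"MZ": "exe",                                   # Windows PE / DOS executable
    b"\x7fELF": "elf",                              # Unix executable
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",     # OLE2 compound file: legacy .doc/.xls/.ppt
    b"PK\x03\x04": "zip",                           # zip container: also .docx, .jar, .apk
}

# The slide's three tiers, applied to the real type (assumed mapping).
RISK = {"exe": "high", "elf": "high", "doc": "medium", "zip": "medium",
        "pdf": "medium", "unknown": "medium", "text": "low"}

# What content each extension is supposed to carry (assumed table).
EXPECTED = {"exe": "exe", "dll": "exe", "txt": "text", "pdf": "pdf",
            "doc": "doc", "xls": "doc", "docx": "zip", "zip": "zip"}

_TEXT_BYTES = set(bytes(string.printable, "ascii"))


def sniff(data):
    """Real type from content: longest magic number first, then a plain-text test."""
    for sig, kind in sorted(MAGIC.items(), key=lambda kv: -len(kv[0])):
        if data.startswith(sig):
            return kind
    head = data[:512]
    if head and all(b in _TEXT_BYTES for b in head):
        return "text"
    return "unknown"


def classify(filename, data):
    """Compare the type the name claims with the type the bytes show."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    real = sniff(data)
    claimed = EXPECTED.get(ext)
    return {
        "ext": ext,
        "real": real,
        "risk": RISK[real],
        "mismatch": claimed is not None and claimed != real,   # name lies about content
        "double_ext": filename.count(".") > 1,                  # e.g. invoice.pdf.exe
    }


if __name__ == "__main__":
    # Constructed samples: a PE header hiding behind .txt, a real text file,
    # a legacy Word document, and a double-extension executable.
    samples = {
        "report.txt": b"MZ\x90\x00" + b"\x00" * 60,
        "notes.txt": b"Meeting at 10.\nBring the handout.\n",
        "memo.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
        "invoice.pdf.exe": b"MZ" + b"\x00" * 30,
    }
    for name, data in samples.items():
        print(name, classify(name, data))
```

The check is deliberately indifferent to the extension when it assigns risk: the handler that will open the file is chosen by the bytes the handler actually parses, and a sniffing mismatch is itself a strong signal that someone is relying on the name to get past a reader.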

73
Threats in Active or Mobile Code
  • Bots (robots)
  • are pieces of malicious code under remote
    control.
  • These code objects are Trojan horses that are
    distributed to large numbers of victims'
    machines.
  • Because they may not interfere with or harm a
    user's computer (other than consuming computing
    and network resources), they often go
    undetected.
  • Bots coordinate with each other and with their
    master through ordinary network channels, such as
    Internet Relay Chat (IRC) channels or
    peer-to-peer networking (which has been used for
    sharing music over the Internet).
  • a network of bots, called a botnet, is not
    subject to failure of any one bot or group of
    bots
  • Botnets are used for distributed
    denial-of-service attacks, launching attacks from
    many sites in parallel against a victim. They are
    also used for spam and other bulk email attacks

74
Complex Attacks
  • Script Kiddies
  • Attacks can be scripted.
  • an underground establishment has written scripts
    for many of the popular attacks.
  • With a script, attackers need not understand the
    nature of the attack or even the concept of a
    network.
  • The attackers merely download the attack script
    (no more difficult than downloading a newspaper
    story from a list of headlines) and execute it
  • The script takes care of selecting an appropriate
    (that is, vulnerable) victim and launching the
    attack.
  • People who download and run attack scripts are
    called script kiddies.

75
Complex Attacks
  • Building Blocks
  • A dedicated attacker who targets one location can
    put together several pieces of an attack to
    compound the damage.
  • Often, the attacks are done in series so that
    each part builds on the information gleaned from
    previous attacks.
  • For example, a wiretapping attack may yield
    reconnaissance information with which to form an
    ActiveX attack that transfers a Trojan horse that
    monitors for sensitive data in transmission.
  • Putting the attack pieces together like building
    blocks expands the number of targets and
    increases the degree of damage.

76
Summary of Network Vulnerabilities
Check the handout