Computer Security Final


31 Terms

1

Describe the resources targeted by DoS.

  1. Network bandwidth

    1. The capacity of the network links connecting a server to the Internet

    2. For most organizations this is their connection to their Internet Service Provider (ISP)

  2. System resources

    1. temporary buffers used to hold arriving packets

    2. tables of open connections

    3. and similar memory data structures

  3. Application resources

    1. capability of accepting client connections

    2. capability of carrying out database operations

    3. can be crashed if the application is vulnerable

2

How can a vulnerable system be crashed?

Poison packets, such as the ping of death and teardrop attacks, crash Windows 9x

3

How can the effect of a DoS attack be increased?

  • Exploit resource-consuming operations that are disproportionate to the attack effort

  • Two protocols that suffer from such attacks

    • SIP (Session Initiation Protocol) flood

    • HTTP (Hypertext Transfer Protocol) flood

4

Describe SYN spoofing attack scenario, principle, and requirements.

Scenario & Principle:

  • A common classic DoS attack

  • Exhausts the table of open connections of a TCP server so

    • it cannot respond to future connection requests

    • Thus legitimate users are denied access to the server

  • Targets the network handling code in the application and the operating system

Requirements:

  • If the SYN-ACK is sent to an existing system, it responds with an RST packet to cancel this unknown connection request

    • The server removes the corresponding table entry once it has received the RST packet

  • Overloading the TCP open connection table is successful

    • No need for a large volume of spoofed SYN packets

    • But a sustained attack is needed, since the server removes a table entry after several retransmissions

5

What is a flash crowd? Can it be completely prevented?

  • Cannot be prevented completely

  • High traffic volumes may be legitimate

    • High publicity about a specific site

    • Activity on a very popular site

    • Described as slashdotted, flash crowd, or flash event

6

Describe the defenses against DoS.

  • Four lines of defense against DDoS attacks

    • Attack prevention and preemption

      • Before attack

    • Attack detection and filtering

      • During the attack

    • Attack source traceback and identification

      • During and after the attack

    • Attack reaction

      • After the attack

7

Describe mechanisms used by DDoS.

  • Use multiple systems to launch attacks

    • usually through a botnet

  • coordinated by command and control (C&C) software

  • uses a layered control structure (attacker → handler zombies → agent zombies) to obscure the path back to the attacker

8

HTTP Flood

  • Bombards Web servers with HTTP requests

    • Consumes considerable resources by requesting to download large files

  • Spidering

    • Bots start from a webpage given by an HTTP link and recursively access all links on that page

9

Slowloris

  • Attempts to monopolize all of the available request handling threads on the Web server by sending HTTP requests that never complete to keep the connection alive

    • these requests omit the header delimiter (a blank line)

    • The Web server keeps the connection open, expecting more information to complete the request

      • Eventually consumes Web server’s connection capacity

  • Utilizes legitimate HTTP traffic

    • not recognized by signature-based intrusion detection and prevention systems

  • Countermeasure: delayed binding with a load balancer

    • checks the completeness of the HTTP request header

    • only forwards complete HTTP requests to the web server

10

Reflection attack

  • Attacker sends packets to a known service on the intermediary with a spoofed source address of the target system

    • the response from intermediary is sent to the target

    • the attack is reflected off the intermediary (reflector)

  • Goal is to generate a large enough volume of packets to flood the link to the target system without alerting the intermediary

    • Method 1: any accessible UDP service could be exploited for this goal

    • Method 2: TCP SYN packets with spoofed source address can be exploited as well

    • Method 3: establishes a self-contained loop between the intermediary and the target system

11

Amplification attack

  • a variant of reflection attacks

  • differs in generating multiple response packets for each spoofed packet sent

    • achieved by directing the original request to broadcast addresses, such as

      • Smurf attack uses ICMP echo request packets

      • fraggle attack, a variant of Smurf attack, exploits UDP service

    • Broadcasts are inherently connectionless so TCP services can't be used

12

How to respond to DoS attacks?

  • Good Incident Response Plan

    • Details on how to contact technical personnel and the ISP

    • Needed to impose traffic filtering upstream

    • Details of how to respond to the attack

  • Antispoofing, directed broadcast, and rate limiting filters should have been implemented

  • Ideally have network monitors and IDS to detect and notify abnormal traffic patterns

  • Identify type of attack

    • Capture and analyze packets

    • Design filters to block attack traffic upstream

    • Or identify and correct system/application bug

  • Have ISP trace packet flow back to source

    • May be difficult and time consuming

    • Necessary if planning legal action

  • Implement contingency plan

    • Switch to alternate backup servers

    • Commission new servers at a new site with new addresses

  • Update incident response plan

    • Analyze the attack and the response for future handling

13

Describe intrusion and its types.

  • Intruders trespass on IT systems through

    • unauthorized logon or access to machines

    • malware

  • also known as hackers, crackers, or computer criminals

  • explore methods for breaching defenses

  • exploit weaknesses in a computer system or network

  • motivated by profit, protest, challenge, recreation, etc.

  • classified into several categories based on motivations

    • Cyber criminals

    • Hacktivists

    • State-sponsored organizations

    • Miscellaneous

14

Cyber criminals

  • pursue financial reward

  • typical cybercrimes:

    • Identity theft

    • Theft of financial credentials

    • Corporate espionage

    • Data theft and ransoming

  • trade malware, stolen data and identities

  • coordinate attacks on the internet

  • meet in underground forums and on dark web sites hosted on darknets such as Tor

15

Hacktivists

  • motivated by social or political causes

  • promote and publicize their causes typically through:

    • Website defacements and redirects

    • Denial of service attacks

    • Theft and distribution of data that results in negative publicity or compromise of their targets

16

State-sponsored organizations

  • conduct espionage or sabotage activities

  • sponsored by governments such as

    • Russia, USA, UK, and their intelligence allies

  • Also known as Advanced Persistent Threats (APTs) due to

    • the covert nature and persistence over extended periods

17

Miscellaneous

  • motivated by technical challenge, peer-group esteem and reputation, etc.

  • many of them discovered new categories of buffer overflow vulnerabilities

  • some are hobby hackers using attack toolkits to explore system and network security

18

Three qualitative skill levels of intruders

  • Apprentices:

    • Also known as “script-kiddies”

    • comprise the largest number of intruders

    • primarily use existing attack toolkits

    • have rudimentary technical skills

  • Journeymen:

    • have sufficient technical skills

    • able to modify and extend attack toolkits to

      • exploit newly discovered or purchased vulnerabilities

      • locate and exploit vulnerabilities similar to known ones

    • Adapt tools for use by others

  • Masters:

    • have high-level technical skills

    • are able to

      • discover new vulnerabilities

      • Write new powerful attack toolkits

    • Some are employed by state-sponsored organizations

19

Describe an IDS and its components.

  • A hardware or software function

  • Gathers and analyzes information from various areas within a computer or a network

  • Identifies possible security intrusions

  • Sensors

    • collect evidence of an intrusion such as

      • network packets, log files, and system call traces

      • file integrity checksums, registry access

  • Analyzers

    • aggregate the evidence

    • determine whether an intrusion has occurred

    • provide guidance about reactions to the intrusion

  • User interfaces let users

    • view reports

    • configure and control the behavior of the system

20

Intrusion Analysis Approaches

  • Anomaly Detection

    • get patterns of legitimate behavior over a period of time

    • intrusion typically deviates from normal behavior patterns

    • based on defined normal or expected behavior

  • Signature-based Detection

    • compare current observed data with a set of known malicious data patterns

  • Heuristic Detection

    • compare current observed data with a set of known malicious attack rules

  • The last two approaches are also called misuse detection

    • based on defined malicious patterns and rules

  • Anomaly detection typically has a higher level of false alarms than misuse detection

    • and is slower and less efficient

21

What are the 3 types of events input to a central IDS?

  • Summary events summarize information collected from network segments

  • Distributed detection and inference (DDI) events alert that an attack is under way

  • Policy enforcement points (PEPs) events show intrusions synthesized from distributed information

22

What is a firewall?

  • A system inserted between an organization's network and the Internet to establish a controlled link.

  • It serves as a single choke point to impose security and auditing, insulating internal systems from external networks.

  • Its design goals are that all traffic between inside and outside must pass through it (with only authorized traffic allowed), and that the firewall itself is immune to penetration.

23

Types of Firewalls based on inspected network level

  • packet filtering firewall

    • inspects packets individually

  • stateful inspection firewall

    • inspects all packets of a transport connection

  • application proxy firewall

    • inspects details of the application protocol

  • circuit-level proxy firewall

    • such as SOCKS Circuit-Level Gateway

  • The choice of which level is appropriate is determined by the desired firewall access policy

24

Types of firewalls based on basing (deployment location)

  • Bastion Host

    • A system identified as a critical strong point in the network's security

    • Serves as a platform for an application-level or circuit-level gateway.

    • It runs a secure OS with only essential services.

  • Host-Based Firewall

    • Used to secure an individual host

    • Available in the OS or installable as an add-on package

    • Filters and restricts packet flows

    • Advantages:

      • Filtering rules can be tailored to the host environment

      • Protection is provided independent of topology

      • Provides an additional layer of protection

  • Personal Firewall

    • a software module on a personal computer

    • Controls traffic between a personal computer or workstation and the Internet or enterprise network

    • Can be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet connection

    • Typically much less complex than server-based or stand-alone firewalls

    • Primary role is to deny unauthorized remote access

    • May also monitor outgoing traffic to detect and block worms and malware activity

  • Network device firewall

  • Virtual firewall

25

Describe attacks on packet filter and countermeasures.

  • IP address spoofing attacks

    • spoof the source IP addresses of intrusion packets to appear as internal hosts

    • Countermeasure: discard packets with an inside source address that arrive on an external interface

  • Source routing attacks

    • specify the route in a packet to bypass firewall

    • Countermeasure: discard all packets that use this option

  • Tiny fragment attacks

    • divide TCP header information across separate fragments using IP fragmentation

    • Countermeasure: enforce a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header

26

Application-Level Gateway

  • Also called an application proxy

    • Acts as a relay of application-level traffic

    • User contacts gateway using a TCP/IP application

    • User is authenticated

    • Gateway contacts application on remote host and relays TCP segments between server and user

  • Must have proxy code for each application

    • May restrict application features supported

  • Tend to be more secure than packet filters

  • Disadvantage is the additional processing overhead on each connection

27

Circuit-Level Gateway

  • Circuit level proxy

    • Sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host

    • Relays TCP segments from one connection to the other without examining contents

    • Security function consists of determining which connections will be allowed

  • Typically used when inside users are trusted

    • May use application-level gateway inbound and circuit-level gateway outbound

    • Lower overhead

28

SOCKS Circuit-Level Gateway

  • Designed to provide a framework for client-server applications in TCP/UDP domains to conveniently and securely use the services of a network firewall

  • Client application contacts SOCKS server, authenticates, sends relay request

    • Server evaluates and either establishes or denies the connection

  • Components

    • SOCKS server runs on firewall

    • SOCKS client library runs on internal hosts protected by the firewall

    • SOCKS-ified client applications

29

List firewall capabilities and limitations.

  • Capabilities:

    • Defines a single choke point for simplified and centralized management

      • Provides a location for monitoring, auditing and alarming security events

      • Integrates other Internet functions such as NAT, DNS, DHCP, etc.

    • Can serve as the platform for IPSec and VPN

  • Limitations:

    • Cannot protect against attacks bypassing firewall such as

      • backdoor

      • unmonitored mobile broadband connections

    • May not protect fully against internal threats

    • Improperly secured wireless LAN can be accessed from outside the organization

    • Infected laptops, smartphones, or portable storage devices may be used internally

30

What is a Unified threat management (UTM) system?

  • integrates multiple security modules into one box, such as

    • antivirus, IDS, IPS, firewall, patch generation, system update

    • and non-security modules such as

      • management of users, hardware and software

      • logging, audit, analysis and reporting

31

How to use hping3 and HOIC to launch DoS or DDoS attacks?

hping3:

hping3 -S [TargetIP] -a [SpoofedIP] -p [Port] --flood

  • -S sets the SYN flag.

  • -a allows spoofing the source IP address.

  • -p specifies the target port (e.g., 80 for HTTP).

  • --flood sends packets as fast as possible.

HOIC:

  1. Run HOIC and add the target (e.g., http://TargetIP).

  2. Set the attack power (e.g., "high") and select a booster file (e.g., GenericBoost.hoic).

  3. Set the number of threads.

  4. Initiate the attack ("FIRE THE LAZER!").