Date posted: 03-Jun-2018
Uploaded by: hatim44026
8/11/2019 Attacks on Apache
1/26
ATTACKS ON APACHE
Hatim Khalafallah Al-Tom
Mohammed Al-Hadi
What is a web server?
A web server can be a computer program
responsible for accepting HTTP requests from clients (web browsers).
[Diagram: the browser sends an HTTP request to the web server; the web server answers with a response carrying HTML data]
Web servers
Apache Web Server
IIS Web Server
Sun ONE Web Server
Apache
Initially started in 1996 by Robert McCool.
Since 1996, the Apache web server has been the most popular HTTP server on the World Wide Web.
Apache was the first web server architecture used by the Netscape Communication Corporation.
Apache has evolved with the years of the Internet. The server is used to support both static and dynamic pages online. Many programming languages are supported by the Apache server, including PHP and Python. The Apache server serves approximately 50% of current web pages.
1.1. Apache Brief Background
Denial of Service
Buffer Overflows
Web servers, like all other computers, can be compromised by buffer overflows.
The web server is easy to find, and connected to the Internet, so it is a common target.
A buffer overflow occurs when the amount of data being written to memory is larger than the amount of memory reserved for the operation. When that occurs, the data being written actually gets written to memory beyond the reserved section. As a result, the extra data has to go somewhere; and you can bet your next paycheck that it will be going somewhere undesirable.
As we've noted throughout this book, the dreaded buffer overflow attack symbolizes the coup de grace of hacking. Given the appropriate conditions, buffer overflows often result in the ability to execute arbitrary commands on the victim machine, typically with very high privilege levels.
Denial of service Attacks
1. Denial of service
A denial of service is designed to stop legitimate users from using some service.
You can cause a denial of service against a web site by simply sending an awful lot of traffic to it.
The web server doesn't know which traffic is legitimate and which is part of the denial of service.
Distributed Denial of Service Attacks
[Diagram: the attacker controls several zombies, which all send traffic to the victim]
Reflection DoS Attacks
Distributed reflection denial of service attack
[Diagram: the attacker sends packets to several intermediary hosts, whose replies converge on the victim]
Reflection DoS Attacks
Uses innocent intermediary nodes (routers and servers) known as reflectors.
An attacker sends packets that require responses to the reflectors, with the packets' source address set to the victim's address.
Can be done using TCP, UDP or other protocols.
Examples: Smurf attacks: the attacker sends an ICMP echo request to a subnet-directed broadcast address with the victim's address as the source address.
SYN-ACK flooding: reflectors respond with SYN-ACK packets to the victim's address.
Reflection DDoS: SYN-Attack
TCP connection tables in servers are a limited resource.
By generating huge numbers of connection requests to a server, it can effectively be taken down.
Doesn't require huge amounts of bandwidth to launch this attack.
SYN-Attack
[Diagram, "Handshake": the client sends SYN, the server replies SYN-ACK, the client sends ACK. "Attack": the attacker, using a spoofed IP, sends SYN; the server replies SYN-ACK and the handshake is never completed]
Reflection DDoS :Smurf Attack
Every host on the amplifier network sees the ping (because it is broadcast) and replies to the (apparent) source with a 65000 byte reply.
N x 65000 byte ping replies hit the victim (where N is the number of hosts on the amplifier network).
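The SYN-attack and Smurf slides above describe two traffic shapes a defender can look for: a pile-up of half-open connections (many SYNs, almost no completing ACKs) and a burst of ICMP echo replies from many distinct hosts converging on one address. The following is an added example, not code from the slides; the flow records are constructed inline to stand in for what a NetFlow/IPFIX collector or capture summary would provide, and the addresses are made up.

```python
"""Detection of the SYN-flood and Smurf-reflection patterns over flow records.

Added example (not code from the slides). Flow records are constructed inline
to stand in for NetFlow/IPFIX or capture summaries a real collector would provide.
"""
from collections import Counter, defaultdict

# Constructed records: (src, dst, proto, tcp_flags, bytes). tcp_flags is "" for non-TCP.
WEB = "203.0.113.5"      # the web server (constructed address)
VICTIM = "203.0.113.9"   # the Smurf victim (constructed address)
FLOWS = [
    # One ordinary client that completes the handshake (SYN, then ACK).
    ("198.51.100.10", WEB, "tcp", "S", 60),
    ("198.51.100.10", WEB, "tcp", "A", 52),
]
# 200 bare SYNs from as many (spoofed) sources: half-open connections that never finish.
FLOWS += [(f"10.{i // 256}.{i % 256}.1", WEB, "tcp", "S", 60) for i in range(200)]
# Every host on an amplifier network answering a broadcast echo request "from" the victim.
FLOWS += [(f"192.0.2.{i}", VICTIM, "icmp-echo-reply", "", 65000) for i in range(1, 51)]
# A single legitimate echo reply elsewhere.
FLOWS += [("192.0.2.200", "203.0.113.7", "icmp-echo-reply", "", 64)]


def syn_flood_suspects(flows, min_syn=100, max_ack_ratio=0.1):
    """Destinations where bare SYNs greatly outnumber ACKs.

    Healthy traffic has roughly one ACK per SYN; a flood of SYNs with (almost) no
    completing ACKs is what fills the connection table the slides describe.
    Returns {dst: syn_count}.
    """
    syns, acks = Counter(), Counter()
    for _src, dst, proto, flags, _nbytes in flows:
        if proto != "tcp":
            continue
        if flags == "S":
            syns[dst] += 1
        elif "A" in flags:
            acks[dst] += 1
    return {dst: n for dst, n in syns.items()
            if n >= min_syn and acks[dst] / n <= max_ack_ratio}


def smurf_victims(flows, min_sources=20):
    """Destinations receiving ICMP echo replies from many distinct hosts at once.

    N hosts on the amplifier network each answer the broadcast, so the victim sees
    N replies it never asked for. Returns {dst: (distinct_sources, total_bytes)}.
    """
    sources, total = defaultdict(set), Counter()
    for src, dst, proto, _flags, nbytes in flows:
        if proto == "icmp-echo-reply":
            sources[dst].add(src)
            total[dst] += nbytes
    return {dst: (len(s), total[dst]) for dst, s in sources.items()
            if len(s) >= min_sources}


if __name__ == "__main__":
    print("SYN flood suspects:", syn_flood_suspects(FLOWS))
    print("Smurf victims:", smurf_victims(FLOWS))
```

The thresholds (100 SYNs, 10% ACK ratio, 20 reply sources) are starting points to tune against a baseline of the site's normal traffic; the SYN check is deliberately a ratio rather than a raw count, because a busy but healthy server also sees many SYNs.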
LOIC tool
Low Orbit Ion Cannon.
Anonymous group.
LOIC tool
Primitive DDoS attack, controlled via IRC (Internet Relay Chat). Sends thousands of packets per second from the attacker directly to the target.
Takes thousands of participants to bring down a large site.
There are two versions: a Windows binary and a JavaScript version.
They tried to bring down Amazon but failed.
Another DoS: Slowloris
One attacker, one target.
Sends incomplete GET requests.
Freezes Apache with one packet per second.
Incomplete HTTP POSTs stop IIS, but require thousands of packets per second.
Apache has a queue of approx. 256 requests.
Each one waits approx. 400 seconds by default for the request to complete.
So less than one packet per second is enough to occupy them all.
Low-bandwidth DoS -- no collateral damage!
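The arithmetic behind the Slowloris slides (256 workers, each held for 400 seconds) is worth running rather than reading, because it also shows what the obvious mitigation does. The model below is an added example, not code from the slides: it uses the slides' figures for the worker count and default wait, while the 20 second hardened value is my own assumption, modelled on the header-read limit mod_reqtimeout can impose.

```python
"""Model of why Slowloris needs so little traffic against a default Apache, and what
shortening the header-read timeout does to it.

Added example, not from the slides. 256 workers and a 400 s wait are the slides' figures;
the 20 s hardened value is an assumption, modelled on mod_reqtimeout's header timeout.
"""
from collections import deque

SLOTS = 256            # slides: Apache queue of approx. 256 requests
DEFAULT_WAIT = 400     # slides: each waits approx. 400 s for the request to complete
HARDENED_WAIT = 20     # assumed: RequestReadTimeout header=20 (mod_reqtimeout)


def min_rate_to_saturate(wait_s, slots=SLOTS):
    """Little's law: holding `slots` workers for `wait_s` each needs slots/wait_s arrivals per second."""
    return slots / wait_s


def simulate(conn_rate, wait_s, slots=SLOTS, seconds=1000):
    """Tick-by-tick model of workers held by never-completing requests.

    Each second `conn_rate` incomplete requests arrive (fractional rates accumulate);
    each holds a worker until the server gives up `wait_s` seconds later. Arrivals that
    find every worker busy are rejected, which is what real visitors would experience.
    Returns (peak_busy_workers, rejected_arrivals).
    """
    busy = deque()          # expiry time of each occupied worker, in arrival order
    carry, peak, rejected = 0.0, 0, 0
    for t in range(seconds):
        while busy and busy[0] <= t:    # the server timed out these requests
            busy.popleft()
        carry += conn_rate
        arrivals = int(carry)
        carry -= arrivals
        for _ in range(arrivals):
            if len(busy) < slots:
                busy.append(t + wait_s)
            else:
                rejected += 1
        peak = max(peak, len(busy))
    return peak, rejected


if __name__ == "__main__":
    for wait in (DEFAULT_WAIT, HARDENED_WAIT):
        print(f"wait={wait}s: need {min_rate_to_saturate(wait):.2f} conn/s to saturate; "
              f"at 1 conn/s -> (peak busy, rejected) = {simulate(1, wait)}")
```

With the default wait, one connection per second fills all 256 workers in about four minutes and legitimate arrivals start being rejected; with a 20 second header-read limit the same trickle never holds more than 20 workers, and the attacker would need roughly 13 connections per second instead of 0.64. In Apache that limit is set by mod_reqtimeout, whose documented example is `RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500`.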
Buffer overflow
A buffer overflow occurs when an attempt is made to use a limited-length buffer to store a larger piece of data. Because of the lack of boundary checking, some amount of data will be written to memory locations immediately following the buffer.
Study example
Apache Slapper Worm
The Apache Slapper Worm is arguably the worst thing to happen to Apache. It uses vulnerabilities in the OpenSSL subsystem to break into a system running Apache. It proceeds to infect other systems and calls back home to become a part of a distributed denial of service (DDoS) network. Some variants install a backdoor, listening on a TCP/IP port. The worm only works on Linux systems running on the Intel architecture. The behavior of this worm serves as an excellent case study and a good example of how some of the techniques we used to secure Apache help in real life. The worm uses a probing request to determine the web server make and version from the Server response header and attacks the servers it knows are vulnerable. A changed server signature would, therefore, protect from this worm. Subsequent worm mutations stopped using the probing request, but the initial version did and this still serves as an important point. Once a vulnerable system is found, the worm source code is uploaded (to /tmp) and compiled. The worm would not spread to a system without a compiler, to a system where the server is running from a jail, or to a system where code execution in the /tmp directory is disabled (for example, by mounting the partition with a
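Two of the defences the Slapper case study credits can be checked mechanically: whether the Server header still advertises make and version (what the worm's probe keyed on), and whether /tmp is mounted noexec. The script below is an added example and not code from the slides; the HTTP response and the /proc/mounts text are constructed samples, while the level names are Apache's own ServerTokens values (Prod, Major, Minor, Min, OS, Full).

```python
"""Two posture checks drawn from the Slapper case study: does the Server header reveal
make and version (the worm's probe relied on it), and is /tmp mounted noexec?

Added example, not from the slides. The HTTP response and /proc/mounts text are
constructed here; the ServerTokens level names are Apache's own.
"""
import re

# Apache's ServerTokens levels, from least to most revealing.
LEVELS = ("Prod", "Major", "Minor", "Min", "OS", "Full")
SERVER_RE = re.compile(r"^Apache(?:/(\d+(?:\.\d+)*))?(?:\s+\(([^)]*)\))?(\s.*)?$")


def server_header(raw_response):
    """Pull the Server header value out of a raw HTTP response (headers end at a blank line)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def classify_server_tokens(value):
    """Map a Server header value to the ServerTokens level that would produce it."""
    if value is None:
        return "absent"
    m = SERVER_RE.match(value)
    if not m:
        return "unknown"        # not Apache, or a customised signature
    version, os_part, rest = m.groups()
    if (rest or "").strip():
        return "Full"           # module list after the OS, e.g. "... (Unix) OpenSSL/1.1.1d"
    if os_part is not None:
        return "OS"
    if version is None:
        return "Prod"           # bare "Apache": make only, no version
    return {0: "Major", 1: "Minor"}.get(version.count("."), "Min")


def tmp_is_noexec(mounts_text, mountpoint="/tmp"):
    """True if `mountpoint` appears in /proc/mounts-style text with the noexec option."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return "noexec" in fields[3].split(",")
    return False    # not a separate mount, so it cannot carry its own noexec flag


# Constructed samples.
PROBE_RESPONSE = ("HTTP/1.1 200 OK\r\nDate: Sun, 11 Aug 2019 10:00:00 GMT\r\n"
                  "Server: Apache/2.4.41 (Unix) OpenSSL/1.1.1d\r\nContent-Length: 0\r\n\r\n")
MOUNTS = ("/dev/sda1 / ext4 rw,relatime 0 0\n"
          "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n")

if __name__ == "__main__":
    value = server_header(PROBE_RESPONSE)
    print("Server:", value, "->", classify_server_tokens(value))
    print("/tmp noexec:", tmp_is_noexec(MOUNTS))
```

Anything beyond "Prod" tells a version-matching worm exactly what it wants; `ServerTokens Prod` in the Apache configuration reduces the header to the bare make. Hiding the version is not a patch, but it removes the cheap targeting step the case study describes.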
Common Web Application Vulnerabilities
Cross-Site Scripting (XSS)
SQL Injection
SQL injection
Using SQL injections, attackers can:
Delete or add new data to the database. Could be embarrassing to find yourself selling politically incorrect items on an eCommerce site. Perform an INSERT in the injected SQL.
Modify data currently in the database. Could be very costly to have an expensive item suddenly be deeply discounted. Perform an UPDATE in the injected SQL.
Often gain access to other users' system capabilities by obtaining their password.
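The "expensive item suddenly deeply discounted" case from the slide, as an added example that is not part of the original: a discount routine written two ways, with the user-supplied SKU pasted into the SQL text and with it bound as a parameter. The table, rows and input are constructed; the database is SQLite via Python's standard library.

```python
"""A discount-by-SKU update, vulnerable and parameterised, against a constructed
SQLite table. Added example, not code from the slides.
"""
import sqlite3


def fresh_db():
    """In-memory product table with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price REAL)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("SKU-1", "Laptop", 1500.0),
        ("SKU-2", "Mouse", 25.0),
        ("SKU-3", "Monitor", 400.0),
    ])
    con.commit()
    return con


def apply_discount_vulnerable(con, sku):
    """'Before' form: the SKU from the request is spliced into the statement text,
    so the caller controls the WHERE clause. Returns the number of rows changed."""
    cur = con.execute(f"UPDATE products SET price = price / 2 WHERE sku = '{sku}'")
    con.commit()
    return cur.rowcount


def apply_discount_safe(con, sku):
    """Parameter binding: the driver sends the SKU as data, never as SQL,
    so a quote inside it is just a character to compare against."""
    cur = con.execute("UPDATE products SET price = price / 2 WHERE sku = ?", (sku,))
    con.commit()
    return cur.rowcount


def prices(con):
    return dict(con.execute("SELECT sku, price FROM products"))


# Constructed hostile input: closes the string literal and appends an always-true condition.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    con = fresh_db()
    print("vulnerable:", apply_discount_vulnerable(con, TAUTOLOGY), "rows changed", prices(con))
    con = fresh_db()
    print("safe:", apply_discount_safe(con, TAUTOLOGY), "rows changed", prices(con))
```

The vulnerable call halves every price in the table (the WHERE clause became `sku = '' OR '1'='1'`); the parameterised call changes nothing, because no product has that literal SKU. A WHERE-clause tautology is used here rather than the stacked `; UPDATE ...` the slide mentions because sqlite3's `execute()` refuses more than one statement per call; drivers that accept stacked statements make the slide's INSERT/UPDATE variant just as easy, and the fix is the same.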
Cross-Site Scripting (XSS) Attacks
One user injects code that attacks another user.
Common on guestbooks, comment pages, forums, etc.
Caused by failure to filter out HTML tags, i.e. these characters: < > ( ) # &
Also watch out for hex-encoded versions: %3c instead of <, %22 instead of ".
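The slide's two warnings, that dangerous characters must be handled and that hex-encoded forms slip past a check on the raw characters, are easiest to see side by side. The following is an added example, not code from the slides: a naive character check, the same check after percent-decoding, and the actual defence, entity-encoding at output. The inputs are constructed.

```python
"""Output encoding for user-supplied comment text, plus a normalised check that also
catches the hex-encoded forms the slide warns about.

Added example, not from the slides. The payloads and comments are constructed inputs.
"""
import html
from urllib.parse import unquote

MARKUP_CHARS = set('<>()#&"')   # the characters the slide lists, plus the double quote


def naive_has_markup(text):
    """The weak check: looks only at the raw characters, so %3c / %22 slip past."""
    return any(c in MARKUP_CHARS for c in text)


def normalised_has_markup(text):
    """Percent-decode first, as a URL-handling layer would, then look for markup
    characters. Useful for logging or rejecting an attempt; not the fix by itself."""
    return any(c in MARKUP_CHARS for c in unquote(text))


def render_comment(text):
    """The actual defence: HTML-entity-encode at output so the browser treats the
    text as text. Applied to the exact string that will be placed into the page."""
    return html.escape(text, quote=True)


# Constructed inputs: a benign comment, a raw tag, and the same tag hex-encoded.
CONSTRUCTED_INPUTS = {
    "plain": "Nice article (thanks)!",
    "raw tag": '<script>alert("xss")</script>',
    "hex encoded": "%3cscript%3ealert(%22xss%22)%3c/script%3e",
}

if __name__ == "__main__":
    for label, text in CONSTRUCTED_INPUTS.items():
        print(f"{label:12} naive={naive_has_markup(text)!s:5} "
              f"normalised={normalised_has_markup(text)!s:5} "
              f"rendered={render_comment(unquote(text))}")
```

Two things the output shows: the naive check misses the hex-encoded tag but flags the harmless "(thanks)", which is why character blacklists make poor filters; and `render_comment` needs no list at all, since every `<`, `>`, `&` and `"` becomes an entity whatever form it arrived in. Decode once, then encode for the context you are writing into.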
Apache Vulnerabilities
Programming errors come in different shapes. Many have security implications. A programming error that can be exploited to abuse system resources should be classified as a vulnerability. For example, in 1998, a programming error was discovered in Apache: specially crafted small-sized requests caused Apache to allocate large amounts of memory. For more information, see:
YA Apache DoS Attack, discovered by Dag-Erling Smørgrav (http://marc.theaimsgroup.com/?l=bugtraq&m=90252779826784&w=2)
Apache Vulnerabilities
Non-exploitable buffer overflows can cause the server to crash when attacked. (Exploitable buffer overflows are not likely to be used as DoS attacks since they can and will be used instead to compromise the host.)
When Apache is running in prefork mode, as it usually is, there are many instances of the server running in parallel. If a child crashes, the parent process will create a new child. The attacker will have to send a large number of requests constantly to disrupt the operation.
Apache Vulnerabilities
In a multithreaded (not prefork) mode of operation there is only one server process. A crash while processing a request will cause the whole server to go down and make it unavailable. This will be easy to detect because you have server monitoring in place or you start getting angry calls from your customers.
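In prefork mode the crash the slides describe is the opposite of easy to detect: the parent quietly replaces each dead child, and the only trace is a line in error_log. The following is an added example, not code from the slides, that counts those lines and finds the densest burst. The log lines are constructed but follow the shape of Apache 2.4's "child pid ... exit signal ..." message (AH00052); the burst threshold is an assumption to tune.

```python
"""Counting prefork child crashes in Apache's error_log, to catch a stream of requests
that keeps killing children (a non-exploitable overflow used as a DoS).

Added example, not from the slides. The log lines are constructed but follow the shape
of Apache 2.4's "child pid ... exit signal ..." message (AH00052); 2.2-style timestamps
without microseconds are accepted too.
"""
import re
from datetime import datetime

CRASH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*child pid (?P<pid>\d+) exit signal (?P<sig>[^(]+)\((?P<num>\d+)\)")
TS_FORMATS = ("%a %b %d %H:%M:%S.%f %Y",   # Apache 2.4: microseconds present
              "%a %b %d %H:%M:%S %Y")       # Apache 2.2 style


def parse_ts(text):
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {text!r}")


def parse_crashes(lines):
    """[(timestamp, child_pid, signal_name)] for every child-exit-by-signal line."""
    crashes = []
    for line in lines:
        m = CRASH_RE.match(line)
        if m:
            crashes.append((parse_ts(m["ts"]), int(m["pid"]), m["sig"].strip()))
    return crashes


def worst_window(crashes, window_s=60):
    """Largest number of crashes falling inside any window_s-second span (sliding window)."""
    times = sorted(ts for ts, _pid, _sig in crashes)
    best, i = 0, 0
    for j, t in enumerate(times):
        while (t - times[i]).total_seconds() > window_s:
            i += 1
        best = max(best, j - i + 1)
    return best


BURST_THRESHOLD = 5   # assumed: this many crashes in one minute is worth an alert

# Constructed error_log excerpt: two isolated crashes, then five within twenty seconds.
LOG = """\
[Sun Aug 11 09:58:00.000000 2019] [mpm_prefork:notice] [pid 4000] AH00163: Apache/2.4.41 (Unix) configured -- resuming normal operations
[Sun Aug 11 09:59:10.000000 2019] [core:notice] [pid 4000] AH00052: child pid 4101 exit signal Segmentation fault (11)
[Sun Aug 11 10:00:01.000000 2019] [core:error] [pid 4102] [client 198.51.100.7:51234] File does not exist: /var/www/html/favicon.ico
[Sun Aug 11 10:30:00.000000 2019] [core:notice] [pid 4000] AH00052: child pid 4188 exit signal Segmentation fault (11)
[Sun Aug 11 11:00:00.100000 2019] [core:notice] [pid 4000] AH00052: child pid 4301 exit signal Segmentation fault (11)
[Sun Aug 11 11:00:05.200000 2019] [core:notice] [pid 4000] AH00052: child pid 4302 exit signal Segmentation fault (11)
[Sun Aug 11 11:00:09.300000 2019] [core:notice] [pid 4000] AH00052: child pid 4303 exit signal Segmentation fault (11)
[Sun Aug 11 11:00:14.400000 2019] [core:notice] [pid 4000] AH00052: child pid 4304 exit signal Segmentation fault (11)
[Sun Aug 11 11:00:20.500000 2019] [core:notice] [pid 4000] AH00052: child pid 4305 exit signal Segmentation fault (11)
"""

if __name__ == "__main__":
    crashes = parse_crashes(LOG.splitlines())
    worst = worst_window(crashes)
    print(f"{len(crashes)} child crashes; worst minute: {worst}; "
          f"alert={worst >= BURST_THRESHOLD}")
```

A single crash is a bug report; a burst is either a DoS in progress or a fault being triggered repeatedly, and either way the next step is to line the crash timestamps up with the access log to find the requests that immediately preceded them.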
Apache Vulnerabilities
Reverse Proxy Servers
Depending on the reverse proxy configuration, the vulnerability could allow access to internal systems from the Internet.
Web proxy servers may work both ways!
Typically meant to allow users from within a network to access external web sites.
May end up proxying HTTP requests from the outside world to the internal network, e.g. Compaq Insight Manager.
Usually happens when the front end web server proxies requests to back end app servers.
[Diagram: the request line "GET http://10.0.1.2/ HTTP/1.0" passes through the proxying web server to the DB host at 10.0.1.2; other addresses shown: 192.168.7.248, 10.0.1.1]
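The request line in the diagram, `GET http://10.0.1.2/ HTTP/1.0`, is the tell-tale of a client trying to use the web server as a forward proxy into the internal network: an absolute URI in the request line, naming an internal address, from an outside client. Such attempts leave a trace in the access log, and the following added example (not code from the slides) picks them out. The log lines are constructed in Apache's combined format, and the internal ranges are an assumption (the RFC 1918 blocks) that should be replaced with the real internal addressing.

```python
"""Spotting attempts to use a web server as a proxy into the internal network, from
the access log.

Added example, not from the slides. Log lines are constructed in Apache's combined
format; the internal ranges are an assumption (RFC 1918) and should match your network.
"""
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) ')
# Proxy-style request target: scheme://host[:port][/path] instead of a plain /path.
ABS_URI_RE = re.compile(r'^https?://(?P<host>[^/:]+)(?::\d+)?(?:/.*)?$', re.I)


def is_internal(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False    # a hostname; resolve it first if you want to classify it
    return any(addr in net for net in INTERNAL_NETS)


def proxy_abuse_attempts(lines):
    """Requests whose request line carries an absolute URI naming an internal host,
    sent by a client outside the internal ranges. Returns [(client, host, status)]."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        u = ABS_URI_RE.match(m["target"])
        if u and is_internal(u["host"]) and not is_internal(m["client"]):
            hits.append((m["client"], u["host"], m["status"]))
    return hits


# Constructed access log: a normal request, the diagram's request from outside,
# the same request from an internal client, and a proxy attempt at an external site.
SAMPLE_LOG = """\
198.51.100.23 - - [11/Aug/2019:10:15:30 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Aug/2019:10:15:32 +0000] "GET http://10.0.1.2/ HTTP/1.0" 200 512 "-" "-"
192.168.7.10 - - [11/Aug/2019:10:16:01 +0000] "GET http://10.0.1.2/ HTTP/1.0" 200 512 "-" "-"
198.51.100.40 - - [11/Aug/2019:10:17:45 +0000] "GET http://example.com/ HTTP/1.0" 403 199 "-" "-"
"""

if __name__ == "__main__":
    for hit in proxy_abuse_attempts(SAMPLE_LOG.splitlines()):
        print("proxy abuse attempt:", hit)
```

A 200 on such a line means the server actually fetched the internal resource, which is the situation the slide warns about; a 403 or 400 means the attempt was refused. On the Apache side, `ProxyRequests Off` (the default) disables forward proxying entirely, and reverse proxying via `ProxyPass` should then map only the specific back-end paths that are meant to be reachable, never an arbitrary host taken from the request.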