CIT 612Fundamentals of Computer Security

Mohammed A. Salehhttp://ifm.ac.tz/staff/msaleh/CIT612.html

30th December 2009

1

Web Attacks and Internet Vulnerabilities With interest in computer and network security, you

would need to know about the Internet Focuses on the internet protocols that keep the internet

humming We will look at vulnerabilities of several of these

services, as well as exploits that can be used to attack them

2

About the Internet When many people think of the Internet, the first thing

that comes to mind is often the World Wide Web The Internet is composed of many different connection

schemes called protocols All the protocols transmit over a common system of

communication called Transmission Control Protocol/Internet Protocol (TCP/IP)

Protocols include: File Transfer Protocol (FTP)

allows rapid, reliable transfer of data files between repositories, called FTP servers, and between computers with FTP client software installed, called FTP clients.

3

Cont … Hypertext Transfer Protocol (HTTP)

allows users to access pages of text that are marked up using a special format called the Hypertext Markup Language (HTML)

HTML tags are inserted into a web document to indicate the desired font, color, and position of text, and it facilitates linking to different different web sites, files, or pages

Simple Mail Transfer Protocol (SMTP) The SMTP service allows a standardized method of electronic

mail transmission

Domain Name Service (DNS) The Domain Name Service resolves the easy-to-read names

familiar to Internet users, such as http://ifm.ac.tz , to the Internet Protocol addresses that actually guide information around the network, such as 66.96.134.2

4

Cont … Dynamic Host Configuration Protocol (DHCP)

DHCP automatically provides an Internet Protocol (IP) address, such as 172.16.32. 15, to a computer on a local area network

An IP address is required to communicate with other network devices that exist beyond the immediate proximity of the computer requesting the address

5

Packets, Addresses and Ports To increase the reliability of communications, messages

are chopped up into chunks of uniform length, called packets

A packet-switched network gives each packet an individual address label and then shoots it out onto the network, trusting that each packet will eventually make it to its destination

There are mechanisms deployed to determine whether packets sent are corrupted or delayed, and to facilitate retransmission of replacements.

6

Cont … So how do packets help make networks and the Internet

reliable? a packet travels over the circuit quickly

If it goes missing, its replacement can be retransmitted without taking a long time

it is understood that packets may take one of several possible routes to their destination

there is a possibility that packets may actually spend part of their journey traveling in parallel

7

More concepts An Internet Protocol (lP) address describes a location on

the network An IP is also known as a network address or a logical

address The use of logical address allow the network to route

packets to the correct part of the network IP addresses generally take the form of four numbers,

separated by periods, in which each number is between 1 and 255 For instance, 192.168.32.12

Each device on the other hand a hardware address, known as the MAC address

8

More concepts From a security perspective, It is important that packets

are identified by function, what they are intended to do. This allows them to be switched to the correct location

by inspection without having to open them up and examine their contents

Packets use the port number to state the packet function Each IP address comes with roughly 65,000 port

numbers Different types of network traffic use different ports.

9

Cont …Question: Why do you need to understand this

multitier system of addressing?

Answer: most network attacks in some way involve falsely

manipulating or replacing the IP address, MAC address, or

Port In fact, one of the most important tools used today for

network safety, the firewall, is based almost entirely on recognizing suspicious or invalid combinations of addresses and ports

10

Network Protocols A protocol is a defined procedure for interconnecting and

interacting It determines how data are transported over the Internet,

or over a LAN that uses TCP/IP, provide a variety of services

Some protocols move web pages, some move email, some move files, and some move streaming media

Many of the most important network protocols, which also happen to be most commonly attacked, are the protocols needed to make communication over a network possible.

11

Data Navigation Protocols Which is the fundamental network protocol? It describes how packets will navigate from network to

network The IP also provides a fragmentation and reassembly

function Fragmentation means that if a message, or datagram, is

too long, an IP packet can be split into smaller chunks for transmission through the network

Reassembly on the hand mean putting messages back together when it gets to its final destination

What IP does not do is keep track of whether messages actually make it to where they are going

12

Cont … IP treats each piece of a message as an independent

entity unrelated to any other message A message is also referred to as an Internet datagram The IP must link up with several other protocols to insure

reliable end-to-end delivery and retransmission of missing messages

For reliable delivery IP works with another data navigation protocol known as Transmission Control Protocol (TCP)

TCP wraps itself around the IP packet and provides the information needed to see a packet through multiple hops to its destination and determines if all packets made the trip

13

Cont … TCP can figure out which packets were lost and order up

replacements Another protocol used for delivery is User Datagram

Protocol (UDP) one that moves packets with SPEED sacrificing end-to-end delivery

The File Transfer Protocol mentioned previously operates using TCP

All the data travels reliably over the network, and the transmission is not finished until the packets have all made the trip and been reassembled in order at the destination

14

Cont … TCP can detect errors because each packet uses a

cyclical redundancy check (CRC), which is like a parity or checksum, to check itself.

A checksum is a mathematical mechanism that detects errors in transmission adds up the numeric value of all the characters transmitted and

seeing if the total is the same at both ends of the link

If IP needs to report errors to the sender, it uses helping protocols from a suite called Internet Control Message Protocol (ICMP)

15

Data Navigation Protocols Attacks These four protocols: IP, TCP, UDP, and ICMP are the

basis for Internet communications They are also the basis of many attacks that use the

Internet or of attacks against the Internet itself How does TCP assure reliability?

by introducing sequence numbers and acknowledgments to IP

For TCP to start transmission, it has to establish a link, between the sender and recipient, by using a three-way handshake

Once the handshake is complete both parties can start communicating

16

Three way handshake:

Step 1: client host sends TCP segment to server

specifies initial seq # no data

Step 2: server host receives segment, replies with ACK segment

server allocates storage specifies server initial seq. #

Step 3: client receives segment ACK, replies with ACK segment, which may contain data

TCP Connection establishment

26

clientsegment (SEQ Client#)

server

segment (SEQ Server#), ACK

ACK

Cont A hacker trick is to open up a session (begin a

communication) with a system under attack, receive an acknowledgment, and then leave the connection half-completed

Tying up resources and memory on the attacked device Do this enough times and

systems can hang up or cease functioning denying services to legitimate users can crash

Why is IP such a pushover? Simple: Because it's not being used for that which it was built The military wanted a network protocol that would survive a worst

case scenario something along the lines of global thermonuclear war 18

Cont … The network needed to pass traffic to every location smoothly

and efficiently, and to be able to reconfigure itself around bad routes and sudden outages

Instead, the Internet became an "information superhighway" that led to economic growth, prosperity, and jobs. a tool of enhanced communications, helping to bring the entire

human family closer together Along the ‘highway’ came robbers These are unintended consequences against which the Internet

was never fortified

19

Cont … The network needed to pass traffic to every location smoothly

and efficiently, and to be able to reconfigure itself around bad routes and sudden outages

Instead, the Internet became an "information superhighway" that led to economic growth, prosperity, and jobs. a tool of enhanced communications, helping to bring the entire

human family closer together Along the ‘highway’ came robbers These are unintended consequences against which the Internet

was never fortified

20

Other Internet Protocols Protocols can be subjected to attack The easiest way to attack these datagrams is by

monitoring the network using a packet sniffer Packet sniffer monitors and decodes packets, allowing

the attacker to gather information about the network and the devices and persons attached to it

A more sophisticated attack would be: change the contents of a datagram (data modification) make it appear as if it came from a different party (spoofing)

On the other hand packet sniffers are useful tools for network administrators because they allow you to see what protocols are on the network

21

File Transfer Protocol Designed to promote sharing files by connecting

machines reliably and efficiently Remote access of computers became more

commonplace

Flaws of FTP However, the FTP protocol is subject to abuse

In the first place, it transmits in the clear without encryption shielding

Attackers can just sit and listen to a network connection

FTP is also very subject to anonymous access highly desirable in many environments, where to regulate access requires

issuing passwords to every applicant

22

Simple Mail Transfer Protocol Designed to transfer email messages reliably and

efficiently It does this by setting up a channel between the initial

sender and a receiver Once the transmission channel is established, the mail

sender issues a MAIL command If the mail receiver can accept mail, it responds with an

OK reply Mail that can't be delivered because of incorrect or

invalid addresses are returned with a note from whichever mail server determined the problem

23

Cont …Flaws of SMTP Email is normally transmitted in the clear

means that a host that pretends to be an email relay can access all email that passes through it

mail could then be copied or modified When an attacker suspects that a user or administrator is getting

suspicious, it is relatively easy to disconnect the relay and lay low

It is very easy to create an email message that looks as if it was sent from someone other than the true sender an create problems in its own right also makes it easy to formulate an attack that sends tens of

thousands of emails out to various addresses on the Internet, email bombing

24

SMTP and Spam The ability to spoof a return address and easily mail the

same message to multiple recipients has lead to the uncontrolled outbreak of junk email, or spam

Spam, by some accounts, represents up to 50% of email traffic and is popular for one reason: email is dirt cheap Email has few costs: scraping up a few million email addresses off

newsgroups and chain letters is not really that hard Launching and sending such messages is largely automatic

Other recipients will resent the intrusion and request not to be disturbed as for invalid addresses, email systems will send back notices to the sender to this effect

Tracking spammers down requires a lot of detective work The best way to cope is to use the Antispam features of your email

client software to filter undesired email into the recycle bin before you even see it.

25

Domain Name Service DNS is used to resolve a friendly name, such as

www.ifm.ac.tz, to an IP address, such as 66.96.134.2 DNS is needed because while the Internet runs with IP

addresses, people tend to think in words DNS is not usually the first step in address resolution To save time and prevent wasted bandwidth, a table of

address and their URLs is usually stored on the local machine

Your computer starts at this table when you make a web request

When your local machine cannot find where to send a web request, it contacts the nearest DNS server, which tells the computer every thing it knows about the desired IP address

26

Cont … If the address is unknown at the DNS server, that DNS

server consults the next DNS server up the chain, , until your address is found

Flaws of DNS First, if you seed the local machine's cache with incorrect

data, it sends the user's communications to the wrong place, including possibly a decoy site of the attacker's own design

Second, if you pollute the database of one of the nation's big DNS servers, you may shut down a major portion of the Internet, which is always good for achieving status in the cracker underworld

27

Cont … Third, if you deny access to the DNS server that

provides address resolution to a population of users, say company networks, then your users are not going to be able to contact web sites for which they do not already have IP addresses

Poisoning the DNS system doesn't only slow down or prevent the access of web pages and services Mail may not work Remote file systems may be rendered inaccessible, and Network printing may go down.

Essentially everything that involves an external communication is at risk when DNS fails.

28

Summary Internet protocols have opened up a host of security

issues The protocols were meant to be robust, not secure The trust by which computers are able to interact and

complete complicated business processes turns out to be the undoing of much business

29

Questions