Security (Part 1)
School of Business, Eastern Illinois University
© Abdou Illia, Spring 2007
(Week 13, Tuesday 4/3/2007)
Learning Objectives
Discuss types of system attacks
– Scanning process
– Types of attacks
Discuss system defense tools & techniques
– Security goals
– Defense tools and techniques
Received: from hotmail.com (bay103-f21.bay103.hotmail.com [65.54.174.31]) by barracuda1.eiu.edu (Spam Firewall) with ESMTP id B10BA1F52DC for <[email protected]>; Wed, 8 Feb 2006 18:14:59 -0600 (CST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 8 Feb 2006 16:14:58 -0800
Message-ID: <[email protected]>
Received: from 65.54.174.200 by by103fd.bay103.hotmail.msn.com with HTTP; Thu, 09 Feb 2006 00:14:58 GMT
X-Originating-IP: [192.30.202.14]
X-Originating-Email: [[email protected]]
X-Sender: [email protected]: <10E30E5174081747AF9452F4411465410C5BB560@excma01.cmamdm.enterprise.corp>
X-PH: V4.4@ux1
From: <[email protected]>
To: [email protected]: RE: FW: Same cell#
Subject: RE: FW: Same cell#
Date: Thu, 09 Feb 2006 00:14:58 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 09 Feb 2006 00:14:58.0614 (UTC) FILETIME=[DCA31D60:01C62D0D]
X-Virus-Scanned: by Barracuda Spam Firewall at eiu.edu
X-Barracuda-Spam-Score: 0.00
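Added example, not from the slides: parse the header block above, walk its Received: chain in transit order, and mark the first hop written by our own mail gateway (assumed here to be eiu.edu, as in the headers). Received: lines added upstream of that hop were written by outside systems and can be forged by the sender, so only the gateway's own line is a trustworthy record of where the mail came from. The HEADERS string is constructed from the slide, omitting the lines whose header names were lost in extraction.

```python
import re

# Constructed from the header block on the slide (addresses redacted as on the slide).
HEADERS = """\
Received: from hotmail.com (bay103-f21.bay103.hotmail.com [65.54.174.31]) by barracuda1.eiu.edu (Spam Firewall) with ESMTP id B10BA1F52DC for <[email protected]>; Wed, 8 Feb 2006 18:14:59 -0600 (CST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 8 Feb 2006 16:14:58 -0800
Received: from 65.54.174.200 by by103fd.bay103.hotmail.msn.com with HTTP; Thu, 09 Feb 2006 00:14:58 GMT
X-Originating-IP: [192.30.202.14]
From: <[email protected]>
Subject: RE: FW: Same cell#
X-Barracuda-Spam-Score: 0.00
"""

def parse_headers(text):
    """(name, value) pairs in file order; repeated names such as Received are all kept."""
    return [tuple(s.strip() for s in line.partition(":")[::2])
            for line in text.splitlines() if ":" in line]

def received_chain(fields):
    """Hops in transit order: each relay prepends its own Received: line,
    so the bottom-most line is the first hop and the top-most is the last."""
    hops = []
    for name, value in reversed(fields):
        if name.lower() != "received":
            continue
        m = re.match(r"from\s+(.+?)\s+by\s+(\S+)", value)
        if m:
            hops.append({"from": m.group(1), "by": m.group(2),
                         # bracketed IPv4 literals the relay recorded for the sending host
                         "ips": re.findall(r"\[(\d+(?:\.\d+){3})\]", m.group(1))})
    return hops

def originating_ip(fields):
    """Webmail providers record the browser's IP in X-Originating-IP (brackets stripped)."""
    for name, value in fields:
        if name.lower() == "x-originating-ip":
            return value.strip("[]")
    return None

def first_trusted_hop(hops, own_domain):
    """Index of the first hop our own gateway wrote; earlier hops could be forged."""
    for i, hop in enumerate(hops):
        if hop["by"].endswith(own_domain):
            return i
    return None
```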
Identifying security attacks’ targets
Scanning (Probing)
– Ping messages (To know if a potential victim exists)
  – Firewalls are usually configured to prevent pinging by outsiders
– Supervisory messages (To know if victim is available)
– Tracert, Traceroute (To know how to get to the target)
http://www.netscantools.com/nstpro_netscanner.html
Identifying security attacks’ targets
Examining scanning results reveals:
– IP addresses of potential victims
– What services victims are running. Different services have different weaknesses
– Host’s operating system, version number, etc.
Whois database at NetworkSolutions is also used when ping scans fail
Social engineering
– Tricking employees into giving out passwords and keys
Guessing passwords and Dictionary attacks (Using Password Recovery software and other tools)
Review Questions 1
What do ping messages allow? Why are ping scans often not effective?
What does social engineering mean?
An organization has a DNS server with IP address 128.171.3.1. What IP address range would an attacker search to find hosts to attack?
Types of system attacks
Attacks:
– Physical Access Attacks: Wiretapping, Vandalism, Drive-by-hacking
– Denial-of-Service: Flooding, Smurf, Ping of death, LAND, DDoS
– Intercepting messages: Eavesdropping, Message alteration
– Malware: Virus, Worms, Trojan horse, Logic bomb
Denial of Service (DoS) attacks
Types of DoS attacks:
Flooding DoS
Smurf Flooding DoS
Ping of Death attacks
LAND attacks
Distributed Denial of Service attacks
Flooding DoS
Send a stream of request messages to the target
Makes the target run very slowly or crash
Objective is to have the target deny service to legitimate users
[Diagram: the attacker sends a stream of DoS requests to the server while legitimate users send legitimate requests to the same server; image from http://www.netscantools.com/nstpro_netscanner.html]
Smurf Flooding DoS
Attacker uses IP spoofing (false source IP address in outgoing messages)
Attacker sends ping / echo messages to third party computers on behalf of the target
All third party computers respond to target
Ping of Death attacks
Take advantage of
– Fact that TCP/IP allows large packets to be fragmented
– Some operating systems’ inability to handle packets larger than 65536 bytes
Attacker sends a request message that is larger than 65,536 bytes
Ping of Death attacks are usually single-message DoS attacks
Ping of death attacks are rare today as most operating systems have been fixed to prevent this type of attack from occurring
http://insecure.org/sploits/ping-o-death.html
LAND attacks
First appeared in 1997
Attacker uses IP spoofing (false source IP address in outgoing messages)
Attacker sends IP packets where the source and destination address refer to the target itself
LAND attacks are usually single-message DoS attacks
At the time, operating systems and routers were not designed to deal with this kind of loopback
The problem resurfaced recently with Windows XP and Windows 2003 Server
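Added example, not from the slides: a small packet-record checker that flags the three DoS patterns described on the Smurf, Ping of Death and LAND slides from a defender's vantage point. LAND is recognised by source and destination referring to the same host and port; Ping of Death by a fragment whose offset plus length would reassemble past 65,535 bytes; Smurf by a host receiving echo replies it never requested. The packet records and their field names are constructed for the example, not a real capture format.

```python
from collections import Counter

IP_MAX = 65535  # largest legal IPv4 datagram; anything reassembling past this is malformed

# Constructed packet records (not real captures): one LAND packet, one oversized
# ICMP fragment, three unsolicited echo replies to 10.0.0.5, and one normal ping.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.5", "sport": 139, "dport": 139, "len": 40},
    {"proto": "icmp", "type": "fragment", "src": "203.0.113.9", "dst": "10.0.0.5",
     "frag_offset": 8180, "len": 100},
    {"proto": "icmp", "type": "echo-reply", "src": "192.0.2.1", "dst": "10.0.0.5", "len": 84},
    {"proto": "icmp", "type": "echo-reply", "src": "192.0.2.2", "dst": "10.0.0.5", "len": 84},
    {"proto": "icmp", "type": "echo-reply", "src": "192.0.2.3", "dst": "10.0.0.5", "len": 84},
    {"proto": "icmp", "type": "echo-request", "src": "10.0.0.7", "dst": "192.0.2.1", "len": 84},
    {"proto": "icmp", "type": "echo-reply", "src": "192.0.2.1", "dst": "10.0.0.7", "len": 84},
]

def classify(pkt):
    """Single-message indicators for one packet record."""
    hits = []
    # LAND: source and destination (address and port) refer to the target itself
    if pkt["src"] == pkt["dst"] and pkt.get("sport") == pkt.get("dport"):
        hits.append("LAND")
    # Ping of Death: the fragment offset is in 8-byte units, so offset*8 + length
    # is where this fragment would end in the reassembled datagram
    if pkt["proto"] == "icmp" and pkt.get("frag_offset", 0) * 8 + pkt["len"] > IP_MAX:
        hits.append("ping-of-death")
    return hits

def find_smurf(packets):
    """Hosts that receive more echo replies than the echo requests they sent:
    the reflected traffic a Smurf victim sees when its address was spoofed."""
    sent, got = Counter(), Counter()
    for p in packets:
        if p["proto"] != "icmp":
            continue
        if p.get("type") == "echo-request":
            sent[p["src"]] += 1
        elif p.get("type") == "echo-reply":
            got[p["dst"]] += 1
    return {host: n for host, n in got.items() if n > sent[host]}

def scan(packets):
    """Map each single-message indicator to the indexes of the packets that triggered it."""
    report = {}
    for i, p in enumerate(packets):
        for hit in classify(p):
            report.setdefault(hit, []).append(i)
    return report
```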
Distributed DoS (DDoS) Attack
[Diagram: the attacker sends attack commands to several computers with Zombie programs, and each Zombie sends DoS messages to the server]
Attacker hacks into multiple clients and plants Zombie programs on them
Attacker sends commands to Zombie programs which execute the attacks
First appeared in 2000 with Mafiaboy attack against cnn.com, ebay.com, etrade.com, dell.com, etc.
Review Question 2
All DoS messages are requests that require a response message from the target (T / F)
DDoS can be seen as a way to launch a denial of service attack rather than a type of attack (T / F)
Single-message DoS attacks send unusual messages for which the software designer on the target device did not plan. (T / F)
Why don’t all DoS attacks use IP address spoofing to maintain anonymity?
Intercepting messages
Eavesdropping: Intercepting confidential messages
[Diagram: Client PC (Alex’s) asks Server (Steve’s) "What is account #?" and receives "Account number 111-2233444"; the attacker (Eve) taps into the conversation and tries to read the messages]
Eavesdropping is also called a Person-in-the-middle attack
Intercepting messages
Message alteration
Attacker intercepts the message, alters it and then forwards it
[Diagram: Client PC asks Server "What is the balance?"; Server replies "Balance = $1.00"; the attacker alters the reply to "Balance = $1000.00" before forwarding it to the client]
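Added example, not from the slides: the balance exchange above with an in-path attacker who rewrites the reply, and the integrity check that lets the client detect the alteration. A keyed MAC (HMAC-SHA256 here) over the reply can only be recomputed by someone holding the key, so a rewritten message no longer verifies. The shared key and message strings are constructed; in practice the same protection comes from TLS rather than a hand-rolled MAC.

```python
import hmac
import hashlib

# Assumed pre-shared between Alex's client and Steve's server (constructed value).
SHARED_KEY = b"constructed-demo-key"

def tag(message):
    """Authentication tag over the message bytes."""
    return hmac.new(SHARED_KEY, message, hashlib.sha256).digest()

def server_reply(message):
    """Server side: send the reply together with its tag."""
    return message, tag(message)

def attacker_alters(message, tag_):
    """Person-in-the-middle rewrites the balance but cannot recompute the tag without the key."""
    return message.replace(b"$1.00", b"$1000.00"), tag_

def client_receive(message, tag_):
    """Client side: accept the reply only if the tag verifies (constant-time compare)."""
    return message if hmac.compare_digest(tag(message), tag_) else None

def demo():
    """Unaltered reply is accepted; the altered one is rejected (returns None)."""
    reply = server_reply(b"Balance = $1.00")
    return client_receive(*reply), client_receive(*attacker_alters(*reply))
```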
Malware attacks
Types of malware:
Viruses
Worms
Trojan horses
Logic bombs
Virus
Program (script, macro) that:
– Attaches to files
– Performs annoying actions when they are executed
– Performs destructive actions when they are executed
– Spreads by user actions (floppy disk, flash drive, opening email attachment, IRC, etc.), not by itself
Could be
– Boot sector virus: attaches itself to files in the boot sector of the HD
– File infector virus: attaches itself to program files and user files
– Polymorphic virus: mutates with every infection, making it hard to locate
Worm
Does not attach to files
A self-replicating computer program that propagates across a system
Uses a host computer’s resources and network connections to transfer a copy of itself to another computer
Harms the host computer by consuming processing time and memory
Harms the network by consuming the bandwidth
Q: Distinguish between viruses and worms
Trojan horse
A computer program
– That appears as a useful program like a game, a screen saver, etc.
– But is really a program designed to damage or take control of the host computer
When executed, a Trojan horse could
– Format disks
– Delete files
– Open some TCP ports to allow a remote computer to take control of the host computer
NetBus and SubSeven used to be attackers’ favorite programs for target remote control
Trojan horse
[Screenshot: NetBus interface]
Logic bomb
Piece of malicious code intentionally inserted into a software system
The bomb is set to run when a certain condition is met
– Passing of a specified date/time
– Deletion of a specific record in a database
Example: a programmer could insert a logic bomb that will function as follows:
– Scan the payroll records each day.
– If the programmer’s name is removed from payroll, then the logic bomb will destroy vital files weeks or months after the name removal.
Review Questions 3
What kind of malware is a malicious program that could allow an attacker to take control of a target computer?
What kind of malware could harm a host computer by consuming processor time and random access memory?