
Dr. Igor Santos

Security of Information Systems: Network Attacks





Presentation Transcript

  1. Security of Information Systems: Network Attacks. Dr. Igor Santos

  2. Contents • Denial of Service • Man in the Middle • ICMP attacks

  3. Denial of Service (DoS)

  4. Denial of Service - DoS • Denial-of-Service (DoS) • Exclusive appropriation of a resource or service with the intention of preventing access by third parties • Attacks designed to collapse a resource or system with the intent of destroying the service • Taking away the service delivered by a system connected to a network

  5. Denial of Service - DoS • Many DoS attacks are based on bandwidth • If I have more bandwidth than you, I can send you a lot of traffic and you get flooded • What if the attacker does not have more bandwidth than the victim? • Use a DoS not based on bandwidth (e.g. Ping of Death, WinNuke, etc.) • Use DDoS

  6. Distributed Denial of Service - DDoS • Distributed Denial-of-Service (DDoS) • Denial of service attack in which a number of compromised systems attack a single system, causing the termination of a service

  7. Distributed Denial of Service - DDoS

  8. Distributed Denial of Service - DDoS • Goals • Disable the service • Disable the network • Disable the organization • Cause economic losses

  9. Distributed Denial of Service - DDoS • DDoS against Wikileaks, 28/11/2010 http://news.cnet.com/8301-1009_3-57492527-83/wikileaks-endures-a-lengthy-ddos-attack/ • Retaliatory attacks against Mastercard, PayPal, …

  10. Distributed Denial of Service - DDoS • Anonymous attacks institutional websites in response to the closure of Megaupload, 20/01/2012 http://www.guardian.co.uk/technology/2012/jan/20/anonymous-attacks-after-megauploads-closure

  11. Denial of Service • Types of DoS attacks • Network Flooding • SYN Flood • FIN Flood • Connection Flood • ICMP Smurf • System Overload • Computation (e.g. lots of encrypted sessions) • Memory (e.g. heavy SQL queries) • Disk (e.g. temporary files) • OS Vulnerabilities • Ping of Death • Land Attack

  12. Network Flooding (section cover: Flooding)

  13. SYN Flood • Based on the Three-Way Handshake used to establish a TCP connection • The attacker initiates a high number of connections that are never completed, leaving the server waiting for the final ACK • These half-open connections consume a lot of resources on the server, resulting in a DoS • Very easy to perform

  14. SYN Flood • Pre-attack (Three-Way Handshake)

  15. SYN Flood • Attack

  16. SYN Flood • The problem is that the OS has a very low limit on the number of half-open connections it can handle • If the limit is exceeded, the server does not respond to new connection requests • The half-open connections expire, releasing 'slots' for new connections • If the attack is maintained, the probability that one of these 'slots' is taken by a malicious SYN is very high

  17. SYN Flood • Example • Limit of 5-30 half-open connections that expire after about 2 minutes • To cause a DoS -> send a SYN every 4 sec

  18. SYN Flood • Tools • hping3 • hping3 --flood -S -p 80 <IP> • Others • http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=syn+flood&type=archives&[search].x=0&[search].y=0

  19. SYN Flood • Countermeasures • SYN cookies • Use the TCP sequence number to carry the session state • The SYN queue no longer has to maintain state • Raise the 'backlog queue' • More 'slots' to connect to • If not supplemented with SYN cookies this can be counterproductive
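To make the SYN-cookie countermeasure concrete, here is an added, simplified Python model (not from the slides, and not the Linux kernel's code) of how a server encodes a coarse timestamp and the client's MSS class into the initial sequence number it sends, keeping no per-connection state until a valid ACK arrives. The secret key, the MSS table and the 24-bit layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-server-secret"   # constructed; a real server rotates this
MSS_TABLE = (536, 1220, 1440, 1460)      # MSS classes; the index fits in 2 bits
COOKIE_BITS = 24                         # low 24 bits: keyed hash + MSS index
COOKIE_MASK = (1 << COOKIE_BITS) - 1     # top 8 bits: coarse time counter

def _keyed_hash(src, dst, sport, dport, count):
    """Keyed hash over the 4-tuple and time counter; prevents forging cookies."""
    msg = struct.pack("!4s4sHHI", src, dst, sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def make_cookie(src, dst, sport, dport, client_isn, mss, now):
    """ISN for the SYN-ACK: client ISN + (minute counter << 24) + masked(hash + MSS idx)."""
    count = (now // 60) & 0xFF
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i                     # largest table entry not above client MSS
    h = _keyed_hash(src, dst, sport, dport, count)
    return (client_isn + (count << COOKIE_BITS) + ((h + mss_idx) & COOKIE_MASK)) & 0xFFFFFFFF

def check_cookie(src, dst, sport, dport, client_isn, acked_isn, now, max_age_min=2):
    """Validate the ISN echoed in the client's ACK. Returns the MSS class or None.
    No queue entry is needed: everything is recomputed from the 4-tuple and time."""
    diff = (acked_isn - client_isn) & 0xFFFFFFFF
    count = diff >> COOKIE_BITS
    age = ((now // 60) - count) & 0xFF
    if age > max_age_min:
        return None                         # too old: cookie expired
    h = _keyed_hash(src, dst, sport, dport, count)
    mss_idx = (diff - h) & COOKIE_MASK      # recovers the MSS index only if hash matches
    if mss_idx >= len(MSS_TABLE):
        return None                         # forged or corrupted cookie
    return MSS_TABLE[mss_idx]

if __name__ == "__main__":
    # Constructed handshake: client 10.0.0.7:51000 -> server 10.0.0.1:80
    args = (bytes([10, 0, 0, 7]), bytes([10, 0, 0, 1]), 51000, 80, 123456)
    now = 1_700_000_000
    isn = make_cookie(*args, mss=1460, now=now)
    print("SYN-ACK ISN:", isn, "ACK accepted, MSS:", check_cookie(*args, isn, now + 30))
```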

  20. FIN Flood • Sending TCP packets with the FIN flag set, a spoofed source IP, and varying source ports and sequence numbers • If there is a connection to that IP and source port, and the sequence number matches, the legitimate connection is terminated • Formerly the OS used consecutive sequence numbers! • Otherwise, it simply saturates the network with traffic

  21. Connection Flood • Connection-oriented services (e.g. FTP, HTTP, SMTP, ...) have a limit on the number of simultaneous connections supported • When the limit is reached, new connections are rejected • The attacker attempts to monopolize the established connections • Similar to a SYN flood, but in this case the TCP connection (three-way handshake) is fully established

  22. ICMP Smurf • Based on IP spoofing and broadcast • It involves sending an ICMP packet, for example an Echo Request, to the broadcast address of a subnet (the amplifier) • All machines on this subnet answer the broadcast • If the packet's source IP is spoofed, all the responses go to that IP (the victim)

  23. ICMP Smurf • For every packet sent, the victim receives hundreds of responses -> FLOOD • This attack only works if the amplifier's router is misconfigured (it forwards directed broadcasts)

  24. ICMP Smurf

  25. OS Vulnerabilities

  26. Land Attack • Bug in the implementation of the TCP/IP stack on Windows platforms • Sending a SYN packet to an open port of the victim, with the same source and destination addresses • The OS kernel sends ACKs to itself and causes a DoS

  27. Land Attack

  28. Ping of Death • An ICMP packet is sent with a total size greater than the maximum allowed by the RFC (65,535 bytes) • The packet is fragmented and reassembled at the destination • If the system is vulnerable, it crashes during reassembly • Current systems are not vulnerable

  29. Ping of Death

  30. Man in the Middle (MitM)

  31. Man in the Middle • MitM: Man in the Middle • Attack in which one is able to read, insert and modify at will the messages between two parties, without either of them knowing that the link between them has been compromised • The attacker must be able to observe and intercept the messages between the two victims

  32. Man in the Middle • Most used MitM techniques • MAC flooding • ARP spoofing • DNS spoofing • SSL strip

  33. MAC Flooding • Attack to compromise switches • CAM Table (Content Addressable Memory) • Maps MAC addresses to switch ports • The attacker sends packets with different source MACs in order to saturate the limited memory of the CAM table • Once saturated, the switch acts as a hub and floods frames to every port

  34. MAC Flooding

  35. ARP Spoofing • Also known as ARP poisoning • Sending fake ARP replies to the network • Usually the aim is to associate the attacker's MAC address with the IP address of another node (the attacked node) • E.g. the default gateway, in order to see all traffic to the Internet

  36. ARP Spoofing • Any traffic directed to the attacked node's IP address is mistakenly sent to the attacker rather than to its actual destination • Passive attack • Traffic is only observed • It is then forwarded to the gateway • Active attack • The data are modified before being forwarded to the gateway

  37. ARP Spoofing

  38. ARP Spoofing

  39. ARP Spoofing

  40. ARP Spoofing

  41. ARP Spoofing • Tool: Ettercap • ettercap -G • Sniff → Unified sniffing • Hosts → Host list • Hosts → Scan for hosts • Add the gateway as Target 1 • Add the victim as Target 2 • Start → Start sniffing • Mitm → ARP poisoning (sniff remote connections)

  42. ARP Spoofing • Countermeasures • ArpON - http://arpon.sourceforge.net • Patriot NG - http://www.security-projects.com/?Patriot_NG
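Besides the tools listed, the poisoning described on slides 35-36 leaves a visible trace: an IP whose MAC binding suddenly changes, and one MAC claiming both the gateway and a host. The following Python monitor is an added example (not from the slides, ArpON or Patriot NG) that applies those two checks to a constructed list of observed ARP replies; the gateway address and sample MACs are assumptions.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumed gateway of the monitored LAN

# Constructed sample of ARP replies seen on the wire: (time in s, sender IP, sender MAC).
# The last two records model an attacker (.20) poisoning the gateway and the victim (.10).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1",  "00:11:22:33:44:01"),
    (0.5, "192.168.1.10", "00:11:22:33:44:0a"),
    (1.0, "192.168.1.20", "00:11:22:33:44:14"),
    (5.0, "192.168.1.1",  "00:11:22:33:44:14"),   # gateway IP now claimed by .20's MAC
    (5.1, "192.168.1.10", "00:11:22:33:44:14"),   # victim IP claimed by the same MAC
]

def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP):
    """Return (time, severity, message) alerts for suspicious IP<->MAC bindings.
    Rule 1: an IP changes MAC (HIGH if it is the gateway).
    Rule 2: one MAC claims the gateway plus at least one other IP (classic MitM)."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((ts, sev, f"{ip} changed from {prev} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        others = mac_to_ips[mac] - {gateway_ip}
        if gateway_ip in mac_to_ips[mac] and others:
            alerts.append((ts, "HIGH", f"{mac} claims gateway and {sorted(others)}"))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```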

  43. DNS Spoofing • Fake the "Domain Name - IP" relationship in name resolution queries • Resolve a certain DNS name to a fake address, or vice versa • Tool: Ettercap • Edit /usr/local/share/ettercap/etter.dns • Plugins -> Manage plugins… • dns_spoof

  44. SSL Strip • Intercept HTTPS traffic • Perform a MitM between the server and the client, and replace every "https://" in the responses with "http://" • The victim and the attacker communicate over HTTP • The attacker and the server communicate over HTTPS with the server's certificate • The attacker is able to see all of the victim's traffic unencrypted

  45. SSL Strip

  46. ICMP Attacks

  47. ICMP Attacks • Attacks based on sending special ICMP packets (not 'echo requests') • ICMP Redirect • Source Quench • Blind Connection Reset • …

  48. ICMP Redirect • It makes use of ICMP type 5 - Redirect • Used by a router to tell other hosts that there is an alternative route that bypasses it • The router generates an ICMP "redirect" with the path it believes to be best • If the host receiving the "redirect" packet trusts what it says, it accepts the new route • Can be used to carry out "Man in the Middle" attacks • ICMP redirects should be filtered

  49. Source Quench • It makes use of ICMP type 4 - Source Quench • It will be declared obsolete in the next revision of ICMP • It is used to ask the source IP to lower the rate at which it is sending traffic • It can be used to cause a DoS

  50. ICMP Connection Reset • When TCP receives an ICMP error it considers serious, it aborts the connection • Errors considered serious • ICMP type 3 (Destination Unreachable) • Code 2 (protocol unreachable) • Code 3 (port unreachable) • Code 4 (fragmentation needed and DF bit set) • Tools: icmp-reset • http://www.gont.com.ar/tools/icmp-attacks/
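The connection-reset attack above works because a stack trusts the ICMP error blindly. The following Python function is an added example (not from the slides or the icmp-reset tool) of the defensive check a TCP implementation can apply before aborting: the ICMP error must quote a TCP segment that belongs to an existing connection and whose sequence number lies inside that connection's send window, so a blindly guessed 4-tuple or sequence number is ignored. The connection table, addresses and the helper that constructs the sample ICMP message are assumptions.

```python
import socket
import struct

HARD_ERRORS = {(3, 2), (3, 3), (3, 4)}   # type 3 codes the slide lists as "serious"

# Constructed connection table: (local_ip, local_port, remote_ip, remote_port) -> (snd_una, snd_nxt)
CONNECTIONS = {
    ("10.0.0.5", 40000, "93.184.216.34", 80): (1000, 5000),
}

def build_icmp_error(icmp_type, code, src, dst, sport, dport, seq):
    """Construct an ICMP error: 8-byte ICMP header + offending IPv4 header + 8 bytes of TCP.
    Checksum is left as 0 since this is an in-memory sample, not a packet to send."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 6, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    inner_tcp = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner_ip + inner_tcp

def should_abort(icmp_msg, connections=CONNECTIONS):
    """True only if the error is a hard error AND the quoted segment matches an
    established connection with an in-window sequence number (RFC 5927-style check)."""
    if len(icmp_msg) < 8 or (icmp_msg[0], icmp_msg[1]) not in HARD_ERRORS:
        return False
    inner = icmp_msg[8:]
    if len(inner) < 28:
        return False                      # must carry IP header + 8 bytes of TCP
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6 or len(inner) < ihl + 8:
        return False                      # not TCP, or options truncated the TCP bytes
    src = socket.inet_ntoa(inner[12:16])  # the quoted packet is one WE sent: src is local
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    window = connections.get((src, sport, dst, dport))
    if window is None:
        return False                      # no such connection: attacker guessed the 4-tuple
    snd_una, snd_nxt = window
    return snd_una <= seq < snd_nxt       # sequence number must be one still in flight

if __name__ == "__main__":
    legit = build_icmp_error(3, 3, "10.0.0.5", "93.184.216.34", 40000, 80, 2000)
    forged = build_icmp_error(3, 3, "10.0.0.5", "93.184.216.34", 40000, 80, 900000)
    print("legit ->", should_abort(legit), "| forged ->", should_abort(forged))
```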
