Chapter 7
This presentation is the property of its rightful owner.
Sponsored Links
1 / 88

Chapter 7 PowerPoint PPT Presentation


  • 91 Views
  • Uploaded on
  • Presentation posted in: General

Chapter 7. Denial-of-Service-Attacks. Denial-0f-Service ( DoS ) Attack. The NIST Computer Security Incident Handling Guide defines a DoS attack as:

Download Presentation

Chapter 7

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Chapter 7

Chapter 7

Denial-of-Service-Attacks


Denial 0f service dos attack

Denial-0f-Service (DoS) Attack

The NIST Computer Security Incident Handling Guide defines a DoS attack as:

“an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.”


Denial of service dos

Denial-of-Service (DoS)

  • a form of attack on the availability of some service

  • categories of resources that could be attacked are:


Classic denial of service attacks

Classic Denial-of-Service Attacks

  • flooding ping command

    • aim of this attack is to overwhelm the capacity of the network connection to the target organization

    • traffic can be handled by higher capacity links on the path, but packets are discarded as capacity decreases

    • source of the attack is clearly identified unless a spoofed address is used

    • network performance is noticeably affected


Source address spoofing

Source Address Spoofing

  • use forged source addresses

    • usually via the raw socket interface on operating systems

    • makes attacking systems harder to identify

  • attacker generates large volumes of packets that have the target system as the destination address

  • congestion would result in the router connected to the final, lower capacity link

  • requires network engineers to specifically query flow information from their routers

  • backscatter traffic

    • advertise routes to unused IP addresses to monitor attack traffic


Syn spoofing

SYN Spoofing

  • common DoS attack

  • attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them

  • thus legitimate users are denied access to the server

  • hence an attack on system resources, specifically the network handling code in the operating system


Tcp connection handshake

TCP Connection Handshake


Tcp syn spoofing attack

TCP SYN Spoofing Attack


Flooding attacks

Flooding Attacks

  • classified based on network protocol used

  • intent is to overload the network capacity on some link to a server

  • virtually any type of network packet can be used


Distributed denial of service ddos attacks

Distributed Denial of Service DDoS Attacks


Ddos attack architecture

DDoS Attack Architecture


Session initiation protocol sip flood

Session Initiation Protocol (SIP) Flood

standard protocol for VoIP telephony

text-based protocol with a syntax similar to that of HTTP

two types of SIP messages: requests and responses


Hypertext transfer protocol http based attacks

Hypertext Transfer Protocol (HTTP) Based Attacks

HTTP flood

Slowloris

attempts to monopolize by sending HTTP requests that never complete

eventually consumes Web server’s connection capacity

utilizes legitimate HTTP traffic

existing intrusion detection and prevention solutions that rely on signatures to detect attacks will generally not recognize Slowloris

  • attack that bombards Web servers with HTTP requests

  • consumes considerable resources

  • spidering

    • bots starting from a given HTTP link and following all links on the provided Web site in a recursive way


Reflection attacks

Reflection Attacks

  • attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system

  • when intermediary responds, the response is sent to the target

  • “reflects” the attack off the intermediary (reflector)

  • goal is to generate enough volumes of packets to flood the link to the target system without alerting the intermediary

  • the basic defense against these attacks is blocking spoofed-source packets


Dns reflection attacks

DNS Reflection Attacks


Amplification attacks

Amplification Attacks


Dns amplification attacks

DNS Amplification Attacks

  • use packets directed at a legitimate DNS server as the intermediary system

  • attacker creates a series of DNS requests containing the spoofed source address of the target system

  • exploit DNS behavior to convert a small request to a much larger response (amplification)

  • target is flooded with responses

  • basic defense against this attack is to prevent the use of spoofed source addresses


Dos attack defenses

DoS Attack Defenses

four lines of defense against DDoS attacks

  • these attacks cannot be prevented entirely

  • high traffic volumes may be legitimate

    • high publicity about a specific site

    • activity on a very popular site

    • described as slashdotted, flash crowd, or flash event


Dos attack prevention

DoS Attack Prevention

  • block spoofed source addresses

    • on routers as close to source as possible

  • filters may be used to ensure path back to the claimed source address is the one being used by the current packet

    • filters must be applied to traffic before it leaves the ISP’s network or at the point of entry to their network

  • use modified TCP connection handling code

    • cryptographically encode critical information in a cookie that is sent as the server’s initial sequence number

      • legitimate client responds with an ACK packet containing the incremented sequence number cookie

  • drop an entry for an incomplete connection from the TCP connections table when it overflows


  • Dos attack prevention1

    DoS Attack Prevention

    • block IP directed broadcasts

    • block suspicious services and combinations

    • manage application attacks with a form of graphical puzzle (captcha) to distinguish legitimate human requests

    • good general system security practices

    • use mirrored and replicated servers when high-performance and reliability is required


    Responding to dos attacks

    Responding to DoS Attacks

    • antispoofing, directed broadcast, and rate limiting filters should have been implemented

    • ideally have network monitors and IDS to detect and notify abnormal traffic patterns


    Responding to dos attacks1

    Responding to DoS Attacks

    • identify type of attack

      • capture and analyze packets

      • design filters to block attack traffic upstream

      • or identify and correct system/application bug

    • have ISP trace packet flow back to source

      • may be difficult and time consuming

      • necessary if planning legal action

    • implement contingency plan

      • switch to alternate backup servers

      • commission new servers at a new site with new addresses

    • update incident response plan

      • analyze the attack and the response for future handling


    Chapter 7 summary

    Chapter 7 Summary

    • denial-of-service (DoS) attacks

      • network bandwidth

      • system resources

      • application resources

      • overwhelm capacity of network

      • forged source addresses (spoofing)

      • SYN spoofing/TCP connection requests

      • flooding attacks

      • ICMP flood

      • UDP flood

      • TCP SYN flood

    • distributed denial-of-service attacks (DDoS)

    • reflection attacks

    • amplification attacks

    • DNS amplification attacks

    • application-based bandwidth attacks

    • SIP flood

    • HTTP-based attacks

    • defenses against DoS attacks

    • responding to a DoS attack


    Chapter 8

    Chapter 8

    Intrusion Detection


    Intruders

    Intruders

    • two most publicized threats to security are malware and intruders

    • generally referred to as a hacker or cracker

    • classes:


    Examples of intrusion

    Examples of Intrusion

    • remote root compromise

    • web server defacement

    • guessing / cracking passwords

    • copying databases containing credit card numbers

    • viewing sensitive data without authorization

    • running a packet sniffer

    • distributing pirated software

    • using an unsecured modem to access internal network

    • impersonating an executive to get information

    • using an unattended workstation


    Hackers

    Hackers

    • motivated by thrill of access and/or status

      • hacking community is a strong meritocracy

      • status is determined by level of competence

    • benign intruders consume resources and slow performance for legitimate users

    • intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are designed to help counter hacker threats

      • can restrict remote logons to specific IP addresses

      • can use virtual private network technology (VPN)

    • intruder problem led to establishment of computer emergency response teams (CERTs)


    Hacker patterns of behavior

    Hacker Patterns of Behavior


    Criminals

    Criminals

    • organized groups of hackers now a threat

      • corporation / government / loosely affiliated gangs

      • typically young

      • often Eastern European, Russian, or southeast Asian hackers

      • meet in underground forums

      • common target is credit card files on e-commerce servers

    • criminal hackers usually have specific targets

      • once penetrated act quickly and get out

    • IDS / IPS can be used but less effective

    • sensitive data should be encrypted


    Criminal enterprise patterns of behavior

    Criminal EnterprisePatterns of Behavior


    Insider attacks

    Insider Attacks

    • among most difficult to detect and prevent

    • employees have access and systems knowledge

    • may be motivated by revenge/entitlement

      • employment was terminated

      • taking customer data when moving to a competitor

    • IDS / IPS can be useful but also need:

      • enforcement of least privilege, monitor logs, strong authentication, termination process


    Internal threat patterns of behavior

    Internal ThreatPatterns of Behavior


    Chapter 7

    The following definitions from RFC 2828

    (Internet Security Glossary)

    are relevant to our discussion:

    Security Intrusion: A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

    Intrusion Detection : A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.


    Intrusion detection systems idss

    Intrusion Detection Systems (IDSs)

    host-based IDS

    monitors the characteristics of a single host for suspicious activity

    network-based IDS

    monitors network traffic and analyzes network, transport, and application protocols to identify suspicious activity


    Ids principles

    IDS Principles

    assume intruder behavior differs from legitimate users

    overlap in behaviors causes problems

    false positives

    false negatives


    Ids requirements

    IDS Requirements


    Host based ids

    Host-Based IDS

    • adds a specialized layer of security software to vulnerable or sensitive systems

    • monitors activity to detect suspicious behavior

      • primary purpose is to detect intrusions, log suspicious events, and send alerts

      • can detect both external and internal intrusions


    Host based ids approaches to intrusion detection

    Host-Based IDS Approaches to Intrusion Detection

    anomaly detection

    signature detection

    involves an attempt to define a set of rules or attack patterns that can be used to decide that a given behavior is that of an intruder

    • threshold detection

      • involves counting the number of occurrences of a specific event type over an interval of time

      • profile based

      • profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts


    Audit records

    Audit Records


    Chapter 7

    Table 8.2

    Measures

    That May

    Be Used For Intrusion

    Detection


    Signature detection

    Signature Detection

    • rule-based anomaly detection

      • historical audit records are analyzed to identify usage patterns

      • rules are generated that describe those patterns

      • current behavior is matched against the set of rules

      • does not require knowledge of security vulnerabilities within the system

      • a large database of rules is needed

    • rule-based penetration identification

      • key feature is the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses

      • rules can also be defined that identify suspicious behavior

      • typically rules are specific to the machine and operating system


    Table 8 3 ustat actions vs sunos event types

    Table 8.3USTAT Actions vs. SunOS Event Types


    Chapter 7

    Distributed Host-Based IDS


    Distributed host based ids

    Distributed Host-Based IDS


    Network based ids nids

    Network-Based IDS (NIDS)


    Nids sensor deployment

    NIDS Sensor Deployment

    inline sensor

    inserted into a network segment so that the traffic that it is monitoring must pass through the sensor

    passive sensors

    monitors a copy of network traffic


    Intrusion detection techniques

    Intrusion Detection Techniques

    • signature detection

      • at application, transport, network layers; unexpected application services, policy violations

    • anomaly detection

      • denial of service attacks, scanning, worms

    • when a sensor detects a potential violation it sends an alert and logs information related to the event

      • used by analysis module to refine intrusion detection parameters and algorithms

      • security administration can use this information to design prevention techniques


    Intrusion detection exchange format

    Intrusion Detection Exchange Format


    Honeypot

    Honeypot

    • decoy systems designed to:

      • lure a potential attacker away from critical systems

      • collect information about the attacker’s activity

      • encourage the attacker to stay on the system long enough for administrators to respond

      • filled with fabricated information that a legitimate user of the system wouldn’t access

      • resource that has no production value

      • incoming communication is most likely a probe, scan, or attack

      • outbound communication suggests that the system has probably been compromised

      • once hackers are within the network, administrators can observe their behavior to figure out defenses


    Honeypot deployment

    Honeypot Deployment


    Snort

    SNORT

    • lightweight IDS

      • real-time packet capture and rule analysis

      • easily deployed on nodes

      • uses small amount of memory and processor time

      • easily configured


    Snort rules

    SNORT Rules

    use a simple, flexible rule definition language

    each rule consists of a fixed header and zero or more options


    Chapter 7

    Examples

    of

    SNORT Rule Options


    Chapter 8 summary

    Chapter 8 Summary

    • intruders

      • masquerader

      • misfeasor

      • clandestine user

      • intruder behavior patterns

      • hacker

      • criminal enterprise

      • internal threat

      • security intrusion/intrusion detection

      • intrusion detection systems

      • host-based

      • network-based

      • sensors, analyzers, user interface

    • host-based

      • anomaly detection

      • signature detection

      • audit records

      • distributed host-based intrusion detection

      • network-based

      • sensors: inline/passive

      • distributed adaptive intrusion detection

      • intrusion detection exchange format

      • honeypot

      • SNORT


    Chapter 9

    Chapter 9

    Firewalls and Intrusion Prevention Systems


    The need for firewalls

    The Need For Firewalls

    • internet connectivity is essential

      • however it creates a threat

    • effective means of protecting LANs

    • inserted between the premises network and the Internet to establish a controlled link

      • can be a single computer system or a set of two or more systems working together

    • used as a perimeter defense

      • single choke point to impose security and auditing

      • insulates the internal systems from external networks


    Firewall characteristics

    Firewall Characteristics


    Firewall capabilities and limits

    Firewall Capabilities And Limits


    Types of firewalls

    Types of Firewalls


    Packet filtering firewall

    Packet Filtering Firewall

    • applies rules to each incoming and outgoing IP packet

      • typically a list of rules based on matches in the IP or TCP header

      • forwards or discards the packet based on rules match

    • two default policies:

      • discard - prohibit unless expressly permitted

        • more conservative, controlled, visible to users

      • forward - permit unless expressly prohibited

        • easier to manage and use but less secure


    Table 9 1 packet filter rules

    Table9.1Packet Filter Rules


    Packet filter advantages and weaknesses

    Packet Filter Advantages And Weaknesses

    • advantages

      • simplicity

      • typically transparent to users and are very fast

    • weaknesses

      • cannot prevent attacks that employ application specific vulnerabilities or functions

      • limited logging functionality

      • do not support advanced user authentication

      • vulnerable to attacks on TCP/IP protocol bugs

      • improper configuration can lead to breaches


    Chapter 7

    Example

    Stateful Firewall Connection State Table


    Stateful inspection firewall

    Stateful Inspection Firewall


    Application level gateway

    Application-Level Gateway

    • also called an application proxy

    • acts as a relay of application-level traffic

      • user contacts gateway using a TCP/IP application

      • user is authenticated

      • gateway contacts application on remote host and relays TCP segments between server and user

    • must have proxy code for each application

      • may restrict application features supported

    • tend to be more secure than packet filters

    • disadvantage is the additional processing overhead on each connection


    Circuit level gateway

    Circuit-Level Gateway


    Socks circuit level gateway

    SOCKS Circuit-Level Gateway

    components

    • SOCKS v5 defined in RFC1928

    • designed to provide a framework for client-server applications in TCP/UDP domains to conveniently and securely use the services of a network firewall

    • client application contacts SOCKS server, authenticates, sends relay request

      • server evaluates and either establishes or denies the connection


    Bastion hosts

    Bastion Hosts

    • system identified as a critical strong point in the network’s security

  • serves as a platform for an application-level or circuit-level gateway

  • common characteristics:

    • runs secure O/S, only essential services

    • may require user authentication to access proxy or host

    • each proxy can restrict features, hosts accessed

    • each proxy is small, simple, checked for security

    • each proxy is independent, non-privileged

    • limited disk use, hence read-only code


  • Host based firewalls

    Host-Based Firewalls

    • used to secure an individual host

    • available in operating systems or can be provided as an add-on package

    • filter and restrict packet flows

    • common location is a server


    Personal firewall

    Personal Firewall

    • controls traffic between a personal computer or workstation and the Internet or enterprise network

    • for both home or corporate use

    • typically is a software module on a personal computer

    • can be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface

    • typically much less complex than server-based or stand-alone firewalls

    • primary role is to deny unauthorized remote access

    • may also monitor outgoing traffic to detect and block worms and malware activity


    Example personal firewall interface

    ExamplePersonal Firewall Interface


    Example firewall configuration

    ExampleFirewallConfiguration


    Virtual private networks vpns

    Virtual Private Networks (VPNs)


    Chapter 7

    ExampleDistributed Firewall Configuration


    Firewall topologies

    Firewall Topologies


    Intrusion prevention systems ips

    Intrusion Prevention Systems (IPS)

    • recent addition to security products

      • inline network-based IDS that can block traffic

      • functional addition to firewall that adds IDS capabilities

    • can block traffic like a firewall

    • makes use of algorithms developed for IDSs

    • may be network or host based


    Host based ips hips

    Host-Based IPS (HIPS)

    • identifies attacks using both signature and anomaly detection techniques

      • signature: focus is on the specific content of application payloads in packets, looking for patterns that have been identified as malicious

      • anomaly: IPS is looking for behavior patterns that indicate malware

  • can be tailored to the specific platform

  • can also use a sandbox approach to monitor behavior


  • Network based ips nips

    Network-Based IPS (NIPS)

    • inline NIDS with the authority to discard packets and tear down TCP connections

    • uses signature and anomaly detection

    • may provide flow data protection

      • monitoring full application flow content

    • can identify malicious packets using:

      • pattern matching

      • stateful matching

      • protocol anomaly

      • traffic anomaly

      • statistical anomaly


    Snort inline

    Snort Inline

    • enables Snort to function as an intrusion prevention capability

      • includes a replace option which allows the Snort user to modify packets rather than drop them

      • useful for a honeypot implementation

      • attackers see the failure but can’t figure out why it occurred


    Unified threat management products

    Unified Threat Management Products


    Chapter 7

    Table 9.3

    Sidewinder G2 Security Appliance Attack Protections Summary - Transport Level Examples


    Chapter 7

    Table 9.4

    Sidewinder G2 Security Appliance Attack Protections Summary - Application Level Examples (page 1 of 2)


    Chapter 7

    Table 9.4

    Sidewinder G2 Security Appliance Attack Protections Summary - Application Level Examples (page 2 of 2)


    Other topics

    Other topics

    • Botnets

    • Easter Eggs

    • Logic Bombs

    • Firewalls


    Chapter 9 summary

    Chapter 9 Summary

    • firewall location and configurations

      • DMZ networks

      • virtual private networks

      • distributed firewalls

    • intrusion prevention systems (IPS)

    • host-based IPS (HIPS)

    • network-based IPS (NIPS)

    • Snort Inline

    • UTM products

    • firewalls

      • need for

      • characteristics of

      • techniques

      • capabilities/limitations

      • types of firewalls

        • packet filtering firewall

        • stateful inspection firewalls

        • application proxy firewall

        • circuit level proxy firewall

        • bastion host

        • host-based firewall

        • personal firewall


  • Login