
The Five Most Popular Attacks on the Internet



  1. The Five Most Popular Attacks on the Internet Peter Mell, 1-7-98 peter.mell@nist.gov National Institute of Standards and Technology Computer Security Division

  2. Outline • Sources of attacks and vulnerability information • Details on the most frequently requested attacks • Statistics on attacks available on the Internet

  3. Web Site Resources
  Attack Scripts
  • Rootshell, http://www.rootshell.com
  • Fyodor’s Playhouse, http://www.insecure.org
  Vulnerability Information
  • Bugtraq, http://geek-girl.com/bugtraq
  • NTBugtraq, http://www.ntbugtraq.com
  Vulnerability Advisories
  • CERT, http://www.cert.org
  • L0pht, http://www.l0pht.com/

  4. We are Measuring the Popularity of Attacks • Rootshell makes available a CGI script that reveals the last 50 search requests made against its database of 700+ attack scripts • We created a Perl script that harvests the search requests each hour • Approximately 170,000 queries are made each month (our current sample is 20% of that total: 33,000 queries)

  5. The Top 18 Search Requests (12-98)

  6. Search Requests on OSs

  7. Search Requests on Applications

  8. Attacks on Applications
  • ICQ: 6 exploits in the last year
  Spoof any ICQ user ID and send people files that get stored anywhere
  • Sendmail: 11 exploits in the last year
  Local get root, DoS, remote control
  • imap: 8 exploits in the last year
  Scanners and remote get-root attacks
  Manuals on performing buffer overflow attacks:
  http://www.insecure.org/stf/smashstack.txt
  http://www.l0pht.com/advisories/bufero.html

  9. Search Requests on Attacks

  10. Back Orifice: What Microsoft Says
  “Microsoft takes security seriously, and has issued this bulletin to advise customers that Windows 95 and Windows 98 users following safe computing practices are not at risk…”
  According to Wired (1998-Nov-17), 79% of Australian ISPs are "infected" with Back Orifice.
  http://www.wired.com/news/news/technology/story/16310.html

  11. Back Orifice
  Author: Cult of the Dead Cow, http://www.cultdeadcow.com
  Publish Date: Released in August 1998 at the annual DEF CON hacker convention
  Summary: Remotely control Windows 95 hosts
  Transmission Method: Web site downloads, e-mailing free apps, piggybacking with “ordinary” remote exploits

  12. Back Orifice Applications
  • File System Control: Add/delete any file
  • Process Control: Run/kill any process
  • Registry Control: List, create, delete, and set registry keys and values
  • Network Control: View all exported resources and their passwords. View and kill connections.
  • Multimedia Control: Keystroke monitor. Take screen shots. Control host cameras.
  • Packet Redirection: Redirect local ports to remote ports
  • Packet Sniffer: Views any network packets
  • Plug-in Interface: Much like Netscape plug-ins

  13. Other Back Orifice Features
  Plug-Ins:
  • Butt Trumpet: Penetration notification via e-mail
  • Saran Wrap: Easily bundle BO with legitimate software
  • Speakeasy: Broadcast a penetration to an IRC channel
  Other Features:
  • Encrypted connections
  • Autonomous mode

  14. Netbus
  Similar to Back Orifice except that anyone can log into a Netbus server
  • Start an optional application
  • Download/upload/delete files
  • Send keystrokes and disable keys
  • Record sounds from the microphone
  • Go to an optional URL
  • Control the mouse
  • Shut down Windows
  • Listen to keystrokes
  • Take a screendump

  15. Teardrop
  Published before 11/14/97
  Reboots or halts Windows 95, NT and Linux using 2 fragmented packets
  [Diagram of the two fragments. Normal case: P1 Offset=0, End=N; P2 Offset=N, End=N+M, so the fragments abut. Teardrop cases: P2 Offset<N with End=N+M, so P2 overlaps the tail of P1; and P2 Offset<N with End<N, so P2 lies entirely inside P1. When the receiver trims the overlap and computes the remaining length of P2 as End minus the trimmed offset, the result is negative in the last case.]
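The length underflow behind the diagram above, as an added example that is not part of the original slides: a small C model of fragment-overlap trimming. The names (frag_copy_len_unchecked, frag_copy_len_checked, reassemble) and the N=36, M=24 sample fragments are constructed for this illustration and are not taken from any kernel. The unchecked function reproduces the arithmetic that turns a second fragment lying inside the first into a negative copy length; the checked one rejects such a fragment before anything is copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One IP fragment as a reassembly queue sees it. Offsets are byte positions
 * inside the reassembled datagram; end is exclusive; data holds end - offset bytes. */
struct frag {
    uint32_t offset;
    uint32_t end;
    const uint8_t *data;
};

/* Unchecked trimming of the kind Teardrop abused. When the new fragment starts
 * inside the previous one, skip the overlapping prefix and take end - offset as
 * the number of bytes to copy. If end < prev->end the subtraction goes negative,
 * and as a size_t it becomes a huge memcpy length. */
size_t frag_copy_len_unchecked(const struct frag *prev, const struct frag *cur)
{
    int offset = (int)cur->offset, end = (int)cur->end;
    if (prev != NULL && offset < (int)prev->end) {
        int i = (int)prev->end - offset;       /* bytes overlapping prev */
        offset += i;                           /* advance past them */
    }
    int len = end - offset;                    /* negative for a Teardrop fragment */
    return (size_t)len;                        /* the sign is lost here */
}

/* Hardened trimming: reject a fragment that is malformed or has nothing left
 * once the overlap is removed. Returns 1 and sets *start/*len, or 0 to drop. */
int frag_copy_len_checked(const struct frag *prev, const struct frag *cur,
                          uint32_t *start, size_t *len)
{
    uint32_t offset = cur->offset;
    if (cur->end < offset) return 0;           /* ends before it starts */
    if (prev != NULL && offset < prev->end)
        offset = prev->end;                    /* trim the overlapping prefix */
    if (cur->end <= offset) return 0;          /* lies entirely inside prev */
    *start = offset;
    *len = cur->end - offset;
    return 1;
}

#define DGRAM_MAX 64

/* Reassemble fragments (assumed to arrive in offset order, enough for this
 * demonstration) into out[]. Returns the datagram length, or -1 if a fragment
 * is rejected or would overrun out[]. */
int reassemble(const struct frag *frags, size_t n, uint8_t *out, size_t out_len)
{
    const struct frag *prev = NULL;
    uint32_t total = 0;
    for (size_t k = 0; k < n; k++) {
        uint32_t start;
        size_t len;
        if (!frag_copy_len_checked(prev, &frags[k], &start, &len)) return -1;
        if (frags[k].end > out_len) return -1;
        /* skip as many payload bytes as were trimmed from the front */
        memcpy(out + start, frags[k].data + (start - frags[k].offset), len);
        if (frags[k].end > total) total = frags[k].end;
        prev = &frags[k];
    }
    return (int)total;
}

/* Constructed payloads with N = 36 and M = 24 as in the diagram. */
static uint8_t payload_a[36], payload_b[24];
static void fill_payloads(void)
{
    memset(payload_a, 'a', sizeof payload_a);
    memset(payload_b, 'b', sizeof payload_b);
}

/* Well-formed pair P1 = [0,36), P2 = [36,60): returns 60. */
int demo_normal(void)
{
    uint8_t out[DGRAM_MAX];
    fill_payloads();
    struct frag frags[2] = { { 0, 36, payload_a }, { 36, 60, payload_b } };
    return reassemble(frags, 2, out, sizeof out);
}

/* Teardrop shape P2 = [24,32) inside P1 = [0,36): the checked path drops it, -1. */
int demo_teardrop(void)
{
    uint8_t out[DGRAM_MAX];
    fill_payloads();
    struct frag frags[2] = { { 0, 36, payload_a }, { 24, 32, payload_b } };
    return reassemble(frags, 2, out, sizeof out);
}

/* The same Teardrop fragment through the unchecked arithmetic: 32 - 36 = -4,
 * which as a size_t is SIZE_MAX - 3. */
size_t demo_teardrop_unchecked(void)
{
    struct frag p1 = { 0, 36, payload_a }, p2 = { 24, 32, payload_b };
    return frag_copy_len_unchecked(&p1, &p2);
}

int main(void)
{
    printf("normal: %d bytes\nteardrop checked: %d\nteardrop unchecked len: %zu\n",
           demo_normal(), demo_teardrop(), demo_teardrop_unchecked());
    return 0;
}
```

The check that matters is the one after trimming: a fragment whose end is not past the trimmed offset must be dropped, because the only other outcome is a copy whose length was computed from the wrong side of zero.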

  16. Smurf
  Published before 10/13/97
  Smurf freezes a target by sending it large numbers of ICMP ping packets
  • Attacker is not traceable: the ping packets carry the target’s address as their source
  • Each of the attacker’s ping packets is amplified into hundreds of packets
  [Diagram: the Attacker sends ping packets with Source: Target and Destination: Broadcast address to a network that responds to broadcast pings; the Target receives hundreds of packets for each of the attacker’s packets]

  17. (Win)Nuke
  Published before 5/7/97
  WinNuke crashes Windows 95/NT hosts by establishing a TCP connection and sending out-of-band data
  1. TCP connection established from the Attacker to the Target (port 139)
  2. Send a packet of out-of-band data, e.g. send(s, str, strlen(str), MSG_OOB)
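A border filter for the two packet shapes on this slide and the Smurf slide before it (an ICMP echo request aimed at a broadcast address, and urgent data on a port 139 connection), added here as an illustration and not taken from the original presentation. The protected network 192.168.1.0/24, the sample packets, and the function names (classify, is_directed_broadcast, make_ping, make_tcp139) are constructed for the example; checksums are neither computed nor verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { PKT_MALFORMED = -1, PKT_OK = 0, PKT_SMURF_TRIGGER = 1, PKT_WINNUKE = 2 };

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* True when dst is the directed-broadcast address of net/mask. */
int is_directed_broadcast(uint32_t dst, uint32_t net, uint32_t mask)
{
    return (dst & mask) == (net & mask) && (dst | mask) == 0xFFFFFFFFu;
}

/* Classify one raw IPv4 packet seen at the border of net/mask. Only the fields
 * the two signatures need are parsed; checksums are not verified. */
int classify(const uint8_t *pkt, size_t len, uint32_t net, uint32_t mask)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return PKT_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;           /* header length in bytes */
    if (ihl < 20 || len < ihl) return PKT_MALFORMED;
    uint8_t proto = pkt[9];
    uint32_t dst = get32(pkt + 16);
    const uint8_t *l4 = pkt + ihl;
    size_t l4len = len - ihl;

    if (proto == 1) {                                   /* ICMP */
        if (l4len < 8) return PKT_MALFORMED;
        /* Smurf trigger: echo request (type 8) to a broadcast address. Every
         * host that answers it replies to the spoofed source, i.e. the target. */
        if (l4[0] == 8 && (is_directed_broadcast(dst, net, mask) || dst == 0xFFFFFFFFu))
            return PKT_SMURF_TRIGGER;
    } else if (proto == 6) {                            /* TCP */
        if (l4len < 20) return PKT_MALFORMED;
        /* WinNuke: urgent data on a NetBIOS session (port 139) connection.
         * send(..., MSG_OOB) on the attacker becomes a segment with URG set. */
        if ((l4[13] & 0x20) && get16(l4 + 2) == 139) return PKT_WINNUKE;
    }
    return PKT_OK;
}

/* Constructed sample traffic for the protected network 192.168.1.0/24. */
#define NET  0xC0A80100u
#define MASK 0xFFFFFF00u

static size_t put_ipv4(uint8_t *b, uint8_t proto, uint32_t src, uint32_t dst, uint16_t total)
{
    memset(b, 0, 20);
    b[0] = 0x45;                                        /* version 4, IHL 5 */
    put16(b + 2, total);
    b[8] = 64;                                          /* TTL */
    b[9] = proto;
    put32(b + 12, src);
    put32(b + 16, dst);
    return 20;
}

/* IPv4 + 8-byte ICMP echo request header. */
static size_t make_ping(uint8_t *b, uint32_t src, uint32_t dst)
{
    size_t n = put_ipv4(b, 1, src, dst, 28);
    memset(b + n, 0, 8);
    b[n] = 8;                                           /* type 8 = echo request */
    return n + 8;
}

/* IPv4 + TCP segment to port 139 with the given flags and one payload byte. */
static size_t make_tcp139(uint8_t *b, uint32_t src, uint32_t dst, uint8_t flags, uint16_t urg)
{
    size_t n = put_ipv4(b, 6, src, dst, 41);
    memset(b + n, 0, 20);
    put16(b + n, 4000);                                 /* source port */
    put16(b + n + 2, 139);                              /* destination port */
    b[n + 12] = 0x50;                                   /* data offset: 5 words */
    b[n + 13] = flags;
    put16(b + n + 18, urg);                             /* urgent pointer */
    b[n + 20] = 'X';
    return n + 21;
}

/* Spoofed source 10.0.0.5 (the victim) -> 192.168.1.255: PKT_SMURF_TRIGGER. */
int demo_smurf(void) { uint8_t b[64]; size_t n = make_ping(b, 0x0A000005u, 0xC0A801FFu); return classify(b, n, NET, MASK); }
/* Same ping to the single host 192.168.1.10: PKT_OK. */
int demo_plain_ping(void) { uint8_t b[64]; size_t n = make_ping(b, 0x0A000005u, 0xC0A8010Au); return classify(b, n, NET, MASK); }
/* URG|PSH|ACK with urgent pointer 1 to 192.168.1.10:139: PKT_WINNUKE. */
int demo_winnuke(void) { uint8_t b[64]; size_t n = make_tcp139(b, 0x0A000009u, 0xC0A8010Au, 0x38, 1); return classify(b, n, NET, MASK); }
/* Ordinary PSH|ACK on the same connection: PKT_OK. */
int demo_plain_tcp139(void) { uint8_t b[64]; size_t n = make_tcp139(b, 0x0A000009u, 0xC0A8010Au, 0x18, 0); return classify(b, n, NET, MASK); }

int main(void)
{
    printf("smurf=%d ping=%d winnuke=%d tcp139=%d\n",
           demo_smurf(), demo_plain_ping(), demo_winnuke(), demo_plain_tcp139());
    return 0;
}
```

Dropping echo requests addressed to a subnet's broadcast at the border is what stops a network from serving as a Smurf amplifier; the URG check is a detection signature only, and the host-side fix for WinNuke was the vendor's TCP/IP patch.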

  18. Listing of the top 20 attacks
  Recommended scanning software: nmap, queso, strobe, netcat
  DoS attack toolkit: targa

  19. Statistics on attacks published on the Internet
  • 37% of attacks can be launched from Windows hosts (people don’t need Unix to be dangerous anymore)
  • 4% of attacks compromise hosts that visit web sites (surfing the Internet is not risk free)
  • 3% of attacks exploit more than one vulnerability (attack toolkits that allow children to penetrate hosts with the push of a button are becoming a reality)
  • 8% are scanning tools that look for vulnerabilities (automated searching for vulnerable hosts is commonplace)

  20. Even Firewalls, Routers, and Switches are not safe
  Percent of attacks that work against:
  • firewalls (7%) (no penetration attacks found)
  • routers (6%) (no penetration attacks found)
  Percent of attacks that penetrate:
  • switches (2%) (nbase and 3com backdoor passwords)
