1 / 135

Attacks and Malware: Understanding Computer and Network Threats

This lesson provides an overview of computer and network attacks, including Denial-of-Service, spoofing, hijacking, and password guessing, as well as information on different types of malicious software. It also explains the importance of auditing and what should be audited.

johnsonkathy
Download Presentation

Attacks and Malware: Understanding Computer and Network Threats

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lesson 15-Attacks and Malware

  2. Background • While viruses are the most talked about, they are not the only methods to attack computer systems and networks. • This lesson addresses the ways computers and networks may be attacked. • Each type of attack threatens at least one of the three security services: • Confidentiality • Integrity • Availability

  3. Objectives • Describe computer and network attacks, including Denial-of-Service, spoofing, hijacking, and password guessing. • Describe malicious software that exists, including viruses, worms, Trojan horses, and logic bombs. • Explain how social engineering can be used as a means to gain access to computers and networks. • Explain the importance of auditing and what should be audited.

  4. Major Topics Covered • Attacks • Malware • Auditing

  5. Attacks • Computer Systems and Networks

  6. Types of Attacks • The objective is to take over an authorized session or disrupt service to authorized users. • Attacks on computer systems and networks can be grouped into two broad categories: • Attacks on specific software, such as an application or the operating system itself. • Attacks on a specific protocol or service.

  7. Types of Attacks • A specific application or an operating system can be attacked by: • An oversight in the code. • Possibly in the testing of that code. • A flaw or bug in the code. • A lack of thorough testing.

  8. Types of Attacks • Attacks on specific protocols or services are: • Attempts to either take advantage of a specific feature of the protocol or service. • Use of the protocol or service in a manner for which it was not intended.

  9. Two Types of Targets • Targets of opportunity • The attacker attempts to find any system that is susceptible to a specific vulnerability. • Defined targets • The attacker attempts to gain access to a specific target and find an existing vulnerability.

  10. Denial-of-Service Attacks • In a Denial-of-Service (DOS) attack, the attacker attempts to deny authorized users access either to specific information or to the computer system or network. • This attack may prevent access to the target system. • The attack can be used with other actions to gain unauthorized access to a computer or network.

  11. SYN Flood Attack • A SYN flooding attack temporarily prevents service to a system to take advantage of a trusted relationship that exists between that system and another. • A SYN flood is an example of a DOS attack. • It takes advantage of the way TCP/IP networks were designed. • It can be used to illustrate the principles of any DOS attack.

  12. SYN Flood • A SYN flood exploits the TCP three-way handshake used to establish a connection between two systems. The TCP three-way handshake

  13. SYN Flood • In a SYN flood attack, the attacker sends fake communication requests to the targeted system. • Each request is answered by the target system which waits for the third part of the handshake. A SYN flooding DOS attack

  14. SYN Flood • A nonexistent IP address is used in the requests. • The target system responds to a system that does not exist. • The target waits for responses that will never come.

  15. SYN Flood • The target system drops these connections after a specific time-out period. • If the attacker sends requests faster than the time-out period eliminates them, the system is filled with requests.

  16. SYN Flood • The number of connections a system can support is finite. • When more requests come in than can be processed, the system will soon be reserving all its connections for fake requests. • Further requests are dropped (ignored). • Legitimate users who want to connect to the target system will not be able to do so.

  17. Ping of Death • Another simple DOS attack is the ping-of-death (POD) attack. • It illustrates the other type of attack – one targeted at a specific application or operating system. • In contrast, the SYN flood targets a protocol.

  18. Ping of Death • The attacker sends an Internet Control Message Protocol (ICMP) “ping” packet equal to, or exceeding 64KB (64 * 1024 = 65,536 bytes). • Packets this large should not occur naturally (there is no reason for a ping packet to be larger than 64KB). • Some systems cannot handle this size of packet. • The system hangs or crashes.

  19. Distributed Denial-of-Service • Denial-of-service attacks employing multiple attacking systems are known as a distributed Denial-of-Service (DDOS) attack. • The goal of a DDOS attack is to deny the use of or access to a specific service or system. Distributed denial of service attacks

  20. Distributed Denial-of-Service • The DDOS attack overwhelms the target with traffic from many systems. • A network of attack agents (zombies) is created by the attacker, and upon receiving the attack command, the attack agents commence sending a specific type of traffic against the target. • The attack agents are not willing agents. • They are systems that have been compromised and on which the DDOS attack software has been installed.

  21. Distributed Denial-of-Service • To compromise these agents, the attacker gains unauthorized access to the system or trick authorized users to run a program that installed the attack software.

  22. Distributed Denial-of-Service • The creation of the attack network may be a multistep process. • The attacker compromises a few systems. • These are used as handlers or masters, and they compromise other systems. • Once the attack network has been created, the agents wait for an attack message that includes data on the specific target.

  23. Preventing Denial-of-Service Attacks • Precautions to take to mitigate or stop DOS or DDOS attacks include: • Applying the latest patches and upgrades to systems and the applications running on them. • Changing the timeout option for TCP connections making the SYN flooding attack difficult since unused connections are dropped more quickly.

  24. Mitigating DDOS Attacks • DDOS attacks may be mitigated by distributing the workload across several systems, so any attack against the system would have to target several hosts to be completely successful. • This mitigates the attack, as opposed to preventing or stopping an attack.

  25. Preventing DDOS Attacks • To prevent a DDOS attack, intercept or block the attack messages or keep the DDOS network from being established. • This type of prevention approach does not prevent an attack on the network, but keeps the network from being used to attack other networks or systems. • Several forms of DOS and DDOS attacks rely on ICMP. • They can be prevented by blocking ICMP packets at the border.

  26. Backdoors and Trapdoors • Trapdoor • A hard-coded password used to gain access to the program if administrators forget the system password is sometimes referred to as a trapdoor.

  27. Backdoors and Trapdoors • Backdoor • The term backdoor refers to programs that attackers install after gaining unauthorized access to a system to ensure that they have unrestricted access to the system even if the initial access method is discovered and blocked. • If authorized individuals run software that contains a Trojan horse, they may inadvertently install a backdoor.

  28. Backdoor Variation – Rootkit • A variation of the backdoor is the rootkit. • Rootkits are established not only to gain root access, but to ensure continued root access. • They are installed at a lower level. • They are closer to the actual kernel level of the operating system.

  29. Sniffing • A network sniffer is a software or hardware device used to observe traffic as it passes through a network on shared media. • It can be used to view all traffic, or it can target a specific protocol, service, or string of characters.

  30. Sniffing • The network device that connects a computer to a network is designed to ignore all traffic that is not destined for that computer. • Sniffers ignore this friendly agreement and observe all traffic on the network, whether destined for that computer or other computers. • A network card that is listening to all network traffic and not just its own is said to be in “promiscuous mode.” • Some network sniffers are designed not just to observe traffic, but to modify traffic as well.

  31. Sniffing • For network sniffers to be effective, they need to be on the internal network. Network sniffers listen to all network traffic

  32. Spoofing E-Mail • E-mail spoofing is when a message is sent in your name from an address different than your own. • There are different ways to do this and programs that can assist in doing so. • A method used to demonstrate how simple it is to spoof an e-mail address is to telnet to port 25 on a system (25 is the port associated with e-mail). • Any address can be filled in the From and To sections of the message, whether or not the addresses actually exist.

  33. URL Spoof • The URL Spoof is not technically spoofing. • Attackers acquire a URL close to the one they want to spoof so that e-mail sent from their system appears to have come from the official site unless the address is read carefully.

  34. IP Address Spoofing • The IP protocol works by having the originators of any IP packet include their own IP address in the “From” portion of the packet. • While this is the intent, there is nothing that prevents a system from inserting a different address in the “From” portion of the packet.

  35. Smurf • A specific DOS attack, known as a smurfattack, sends a spoofed packet to the broadcast address for a network, which distributes the packet to all systems on that network. Spoofing used in a smurf DOS attack

  36. Smurf • The packet sent by the attacker to the broadcast address is an echo request with the From address forged so that it appears that another system (the target system) has made the echo request. • The normal response of a system to an echo request is an echo reply, and it is used in the ping utility to let a user know if a remote system is reachable and is responding.

  37. Spoofing and Trusted Relationships • Spoofing can also take advantage of a trusted relationship between two systems.

  38. Trust Relationship • If two systems are configured to accept the authentication from each other, they have a trust relationship. • An individual logged on to one system might not go through authentication again to access the other system. • Attackers take advantage of this by sending a packet to one system that appears to have come from a trusted system.

  39. Trust Relationship • With a trust relationship in place, the target system may perform the requested task without authentication. • Since a reply may be sent once a packet is received, the impersonated system could interfere with the attack. • It would be aware of the problem since it receives an acknowledgement for a request it never made. • To avoid detection, the attacker may launch a DOS attack (such as SYN flooding attack) to take out the spoofed system for the time that the attacker is exploiting the trusted relationship.

  40. Trust Relationship • Once the attack is completed, the DOS attack is terminated. • Apart from having a temporarily non-responsive system, the administrators for the systems may never notice that the attack occurred.

  41. Trust Relationship • Countermeasures • Limit trusted relationships between hosts. • Configure firewalls to discard packets from outside the firewall that have From addresses indicating they originated from inside the network.

  42. Spoofing and Sequence Numbers • Spoofing attacks from inside a network are easier to perform. • The insider can observe the traffic to and from the target and can do a better job of formulating the necessary packets.

  43. Spoofing and Sequence Numbers • Packet Formation • Formulating the packets is more complicated for external attackers. • There is a sequence number associated with TCP packets.

  44. Spoofing and Sequence Numbers • Sequence Numbers • A sequence number is a 32-bit number established by the host that is incremented for each packet sent. • Packets are not guaranteed to be received in order, and the sequence number can be used to help reorder packets as they are received and to refer to packets that may have been lost in transmission.

  45. Spoofing and Sequence Numbers • In the TCP three-way handshake discussed earlier, two sets of sequence numbers are created. Spoofing to take advantage of a trusted relationship

  46. Spoofing and Sequence Numbers • To spoof and sequence numbers: • The system chooses a sequence number to send with the original SYN packet that it sends. • The system receiving this SYN packet acknowledges with a SYN/ACK. • It sends back the first sequence number plus one (that is, it increments the sequence number sent to it by one) and creates its own sequence number and sends that along with it. • The original system receives the SYN/ACK with the new sequence number. It increments the sequence number by one and uses it in an ACK package it responds with.

  47. Spoofing and Sequence Numbers • The difference in the difficulty of attempting a spoofing attack from inside a network and from outside involves determining the sequence number. Three-way handshake with sequence numbers

  48. Spoofing and Sequence Numbers • An inside attacker of the network can observe the traffic with which the target host responds. • The attacker can easily see the sequence number the system creates and can respond with the correct sequence number. • An external attacker cannot observe the sequence number the target system generates. • It is difficult for the attacker to provide the final ACK with the correct sequence number.

  49. Spoofing and Sequence Numbers • Predicting sequence numbers is possible, but difficult. • Session sequence numbers do not start from the same number. • Different packets from different concurrent connections will not have the same sequence numbers. • Sequence number for each new connection is incremented by some large number to keep them from being the same. • The sequence number may also be incremented by some large number every second (or some other time period).

  50. Man-in-the-Middle Attacks • A man-in-the-middle attack occurs when attackers place themselves in the middle of two other hosts that are communicating to view and/or modify the traffic. A man-in-the middle attack

More Related