Basic Elements of Attacks and Their Detection

Presentation Transcript


  1. Basic Elements of Attacks and Their Detection

  2. Contents
  • Elements of TCP/IP addressing
  • Layers in Internet communication
  • Phases of an attack

  3. Elements of TCP/IP addressing
  • IP address
    • IPv4: a 32 bit number usually presented as 4 dotted fields – field1.field2.field3.field4
      • Example: 194.147.191.31
    • IPv6: a 128 bit number arranged as 8 groups of 16 bits each, separated by colons.
      • Example: 00DC:BA02:5644:A201:1FAB:BA5C:7000:001D
      • One run of consecutive all-zero groups can be replaced by a double colon (::)
      • All IPv4 addresses fit in the rightmost 8 hexadecimal digits (32 bits) of an IPv6 address, e.g. IPv6 ::C293:BF1F is IPv4 194.147.191.31 (C2 hex = 194 decimal, etc.)

  4. Elements of TCP/IP addressing
  • Encapsulation is extensively used in packet data transmission
  • A lower level protocol is seen as data at the immediately higher level
  • These levels are called layers.

  5. Layers in Internet communication
  • Layers relevant for Internet packet communication
    • Hardware (link) layer
    • IP layer
    • Protocol (transport) layer
    • Application layer

  6. Layers in Internet communication
  • Hardware (link) layer
    • Interfaces with the network hardware (e.g. Ethernet, IEEE 802.11 etc.)
    • Packets are physically sent/received here
    • Handles specific information about the local hardware (e.g. MAC address).

  7. Layers in Internet communication
  • IP layer
    • Implements the IP protocol
    • Reads IP addresses
    • IP is unreliable: no guarantee whatsoever that a packet will arrive
    • Packets may be broken into fragments if necessary, and this layer handles the fragmentation.

  8. Layers in Internet communication
  • IP header

  9. Layers in Internet communication
  • IP header fields
    • Version (4 bits): IP version number (4 or 6).
    • Length (4 bits): number of 4-byte words in the header (maximum 60 bytes).
    • Type of service (1 byte): routing preference:
      • Minimize delay
      • Maximize throughput
      • Maximize reliability
      • Minimize monetary cost.

  10. Layers in Internet communication
  • IP header fields (cont.)
    • Total Packet Length (2 bytes): total number of bytes of the IP datagram.
    • Identification (2 bytes): unique identifier for the packet.
    • Flags (3 bits): flags indicating fragmentation status.
    • Fragment Offset (13 bits): offset of this fragment within the original packet.

  11. Layers in Internet communication
  • IP header fields (cont.)
    • Time to Live (1 byte): how many routers the packet is allowed to traverse.
    • Protocol (1 byte): code indicating which protocol is used in the protocol (transport) header that follows.
    • Header Checksum (2 bytes): error checking code to ensure the packet is not corrupted in transit.

  12. Layers in Internet communication
  • IP header fields (cont.)
    • Source IP Address (4 bytes): address of the source host.
    • Destination IP Address (4 bytes): address of the destination host.
    • Options: rarely used nowadays and often not implemented at all.
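The IPv4 header fields of slides 9-12 as a parser. This is an added example, not from the presentation: it builds a constructed 20-byte header with a valid checksum, decodes each field, verifies the header checksum the way a receiver or an IDS does, and rejects the inconsistent Length values that malformed traffic relies on. The addresses, identification and TTL values are constructed.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte header without options

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int,
                      ttl: int = 64, ident: int = 0x1C46, df: bool = True) -> bytes:
    """Build an option-less IPv4 header (Length = 5 words) with a correct checksum."""
    flags_frag = 0x4000 if df else 0         # DF is bit 14; fragment offset 0
    fields = [0x45, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = internet_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)

def parse_ipv4_header(buf: bytes) -> dict:
    """Decode the fields from slides 9-12 and validate lengths and checksum."""
    if len(buf) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, cksum, src, dst) = struct.unpack(IPV4_FMT, buf[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0xF) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    # A Length below 20 or past the buffer is the kind of malformed value that
    # crashes careless parsers; reject it before reading any further.
    if header_len < 20 or header_len > len(buf) or total_len < header_len:
        raise ValueError("inconsistent header/total length")
    flags = flags_frag >> 13
    return {
        "version": version, "header_len": header_len, "tos": tos,
        "total_len": total_len, "id": ident, "ttl": ttl, "protocol": proto,
        "dont_fragment": bool(flags & 0b010), "more_fragments": bool(flags & 0b001),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # stored in 8-byte units
        "checksum": cksum,
        # summing the whole header, checksum field included, yields 0 if intact
        "checksum_ok": internet_checksum(buf[:header_len]) == 0,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
    }

# Constructed sample: 194.147.191.31 -> 10.0.0.5 carrying TCP (protocol 6), 20-byte payload.
SAMPLE_HEADER = build_ipv4_header("194.147.191.31", "10.0.0.5", 20, 6)
```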

  13. Layers in Internet communication
  • Protocol (transport) layer
    • Reliability of communication is implemented here.
    • TCP, UDP or ICMP may be implemented at this level, unlike the IP layer where only IP packets may exist.

  14. Layers in Internet communication
  • TCP protocol
    • Provides a reliable mode of communication between applications
    • Implements “ports”
    • Two-way communication
    • Implements a communication “channel” with mechanisms to ensure packets arrive or are resent as needed.
    • Web, ftp, telnet, SSH, E-mail use TCP.

  15. Layers in Internet communication
  • TCP header

  16. Layers in Internet communication
  • TCP header fields
    • Source Port (2 bytes): communications port number of the source application
    • Destination Port (2 bytes): communications port number for the destination application
    • Sequence Number (4 bytes): unique number for the packet (they are sequential in the session)

  17. Layers in Internet communication
  • TCP header fields (cont.)
    • Acknowledgement Number (4 bytes): like the sequence number.
    • Length (4 bits): length of the header in 4 byte words.
    • Reserved (6 bits): reserved bits.
    • Flags (6 bits): flags controlling the communications session.

  18. Layers in Internet communication
  • TCP header fields (cont.)
    • Window Size (2 bytes): number of bytes in the transfer buffer.
    • Checksum (2 bytes): checksum for the TCP header.
    • Urgent Pointer (2 bytes): control for emergency aborts.
    • Options: various options.

  19. Layers in Internet communication
  • UDP protocol
    • Provides a mode of communication between applications
    • Each packet has a “port” number that indicates the application
    • Does not implement any guarantees of service.
    • One way communication
    • Applications must implement the necessary checks.

  20. Layers in Internet communication
  • UDP header

  21. Layers in Internet communication
  • UDP header fields
    • Source Port (2 bytes): communications port number; 65,536 possible values
    • Destination Port (2 bytes): communications port number for the destination application; usually fixed for given applications (80 - Web)
    • Length (2 bytes): total length of the UDP datagram in bytes
    • Checksum (2 bytes): checksum for the UDP header.

  22. Layers in Internet communication
  • ICMP protocol
    • The control and error message mechanism for the Internet
    • Each packet has a type/code indicator telling what kind of information is in the packet
    • Different types of ICMP packets have slightly different headers/data
    • Automatically generated (almost always).

  23. Layers in Internet communication
  • ICMP header – ordinary
  • ICMP header – echo request/reply

  24. Layers in Internet communication
  • ICMP header fields
    • Type (1 byte): type of control message the packet represents (0 – echo reply, 8 – echo request, 3 – destination unreachable etc.)
    • Code (1 byte): indicator of what sub-type of message the packet contains
    • Checksum (2 bytes): checksum for the ICMP header.
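The headers of slides 16-18 (TCP), 21 (UDP) and 24 (ICMP), dispatched on the IP Protocol field from slide 11, as one parser. This is an added example, not the presentation's code: the constructed sample packets (a TCP SYN to port 80, a UDP datagram to port 53, an ICMP echo request) are assumptions, and the six flag bits are decoded in the RFC 793 positions.

```python
import struct

# Flag bits in the low 6 bits of the Length/Reserved/Flags word (slide 17).
TCP_FLAGS = {0x20: "URG", 0x10: "ACK", 0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}

def parse_tcp_header(buf: bytes) -> dict:
    if len(buf) < 20:
        raise ValueError("truncated: a TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, cksum, urg = struct.unpack("!HHIIHHHH", buf[:20])
    header_len = (off_flags >> 12) * 4            # Length field counts 4-byte words
    if header_len < 20 or header_len > len(buf):  # malformed length: stop here
        raise ValueError("bad TCP header length")
    flags = [name for bit, name in TCP_FLAGS.items() if off_flags & bit]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flags, "window": window,
            "checksum": cksum, "urgent_ptr": urg, "options": buf[20:header_len]}

def parse_udp_header(buf: bytes) -> dict:
    if len(buf) < 8:
        raise ValueError("truncated: a UDP header is 8 bytes")
    sport, dport, length, cksum = struct.unpack("!HHHH", buf[:8])
    # Length covers header + data; below 8 or beyond the buffer is malformed.
    if length < 8 or length > len(buf):
        raise ValueError("bad UDP length")
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": cksum, "payload": buf[8:length]}

def parse_icmp_header(buf: bytes) -> dict:
    if len(buf) < 4:
        raise ValueError("truncated: an ICMP header is at least 4 bytes")
    typ, code, cksum = struct.unpack("!BBH", buf[:4])
    info = {"type": typ, "code": code, "checksum": cksum}
    if typ in (0, 8) and len(buf) >= 8:  # echo reply/request add identifier + sequence
        info["identifier"], info["sequence"] = struct.unpack("!HH", buf[4:8])
    return info

def parse_transport(ip_protocol: int, buf: bytes) -> dict:
    """Dispatch on the IP header's Protocol field: 1 = ICMP, 6 = TCP, 17 = UDP."""
    parsers = {1: ("ICMP", parse_icmp_header), 6: ("TCP", parse_tcp_header),
               17: ("UDP", parse_udp_header)}
    if ip_protocol not in parsers:
        raise ValueError(f"unsupported protocol {ip_protocol}")
    name, fn = parsers[ip_protocol]
    return {"proto": name, **fn(buf)}

# Constructed samples. TCP: port 40000 -> 80, seq 0x12345678, Length 5 words, SYN only.
TCP_SYN = struct.pack("!HHIIHHHH", 40000, 80, 0x12345678, 0, (5 << 12) | 0x02, 65535, 0, 0)
# UDP: port 53000 -> 53 with a 5-byte constructed payload (length = 8 + 5).
UDP_QUERY = struct.pack("!HHHH", 53000, 53, 13, 0) + b"hello"
# ICMP echo request (type 8, code 0), identifier 0x1234, sequence 1.
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)
```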

  25. Layers in Internet communication
  • Application layer
    • Applications run at this level, i.e. application protocols are implemented here
    • Common applications:
      • Web
      • ftp
      • E-mail
      • telnet
      • SSH
      • ...

  26. Layers in Internet communication
  • Protocol headers give information about:
    • source and destination
    • protocol details
    • application
  • The data give information about:
    • login, password information
    • commands attempted
    • files accessed.

  27. Phases of an attack
  • Four phases in the attacking process:
    • Planning phase
    • Reconnaissance phase
    • Attack phase
    • Post attack phase.
  • The attack process is in general cyclic
    • After completing an attack, another attack is planned – an extension of the previous one.

  28. Phases of an attack

  29. Phases of an attack
  • Planning phase
    • Can take many different forms.
    • The attacker often makes use of the system in its intended manner before making the attack.
    • Example: the attacker may sign up for an account on an online e-commerce system or log onto a public server.
    • This type of publicly available legitimate access helps the attacker define the scope and goals of the attack.

  30. Phases of an attack
  • Planning phase (cont.)
    • After the initial preparation is complete, the attacker decides on the scope of the attack.
    • The attacker may have various goals:
      • Denial of service
      • Escalation of legitimate privileges
      • Unauthorized access
      • Data manipulation
    • The motivation behind an attack often dictates which of these goals are chosen.

  31. Phases of an attack
  • Reconnaissance phase
    • The attacker next gathers information or performs reconnaissance on the targeted network.
    • The attacker carries out a variety of different inquiries with the goal of pinpointing a specific method of attack (port scanning etc.)
    • The goal of the attacker in this phase is to narrow down the field of thousands of possible exploits to a small number of vulnerabilities that are specific to the targeted host/network.

  32. Phases of an attack
  • Reconnaissance phase (cont.)
    • The attacker attempts to make this reconnaissance as hard to notice as possible.
    • Even so, there are many different means of reconnaissance and some of them can be detected by an intrusion detection system.
    • Sources of information for the attacker:
      • Legitimate public data (forums, public databases, public monitoring tools, etc.)
      • Vulnerability scanning (ping, TCP connect, OS and version scanning, etc.)

  33. Phases of an attack
  • Attack phase
    • The traffic generated from attacks can take many different forms.
    • Types of attacks:
      • Denial of service
      • Remote exploits
      • Trojans and backdoor programs
      • Misuse of legitimate access

  34. Phases of an attack
  • Attack phase (cont.)
    • Denial of service (DoS)
      • Any attack that disrupts the function of a system so that legitimate users can no longer access it.
      • Possible on most network equipment: routers, servers, firewalls, remote access machines, etc.
      • Can be specific to a service (e.g. FTP attack), or an entire machine.
      • Categories of DoS:
        • Resource depletion
        • Malicious packet attacks.

  35. Phases of an attack
  • Attack phase (cont.)
    • Denial of service (DoS) (cont.)
      • Resource depletion DoS attack
        • Functions by flooding a service with so much normal traffic that legitimate users cannot access the service.
        • An attacker inundating a service with normal traffic can exhaust finite resources such as bandwidth, memory and processor cycles.
        • Examples: SYN flood, Smurf, etc.

  36. Phases of an attack
  • Attack phase (cont.)
    • Denial of service (DoS) (cont.)
      • Malicious packet DoS attacks
        • Function by sending abnormal traffic to a host to cause the service or the host itself to crash.
        • Occur when software is not properly coded to handle abnormal or unusual traffic.
        • Such traffic can cause software to react unexpectedly and crash.
        • Attackers can use these attacks to bring down even an IDS.
        • Examples: Microsoft FTP DoS, SNORT ICMP DoS, etc.

  37. Phases of an attack
  • Attack phase (cont.)
    • Denial of service (DoS) (cont.)
      • Malicious packet DoS attacks (cont.)
        • In addition to unusual traffic, malicious packets can contain payloads that cause a system to crash.
        • A packet's payload is taken as input by a service.
        • If this input is not properly checked, the application can be brought down.

  38. Phases of an attack
  • Attack phase (cont.)
    • Denial of service (DoS) (cont.)
      • DoS attacks commonly utilize spoofed IP addresses because the attack is successful even if the response is misdirected.
      • The attacker requires no response, and in cases like the Smurf attack, wants at all costs to avoid a response.
      • This can make DoS attacks difficult to defend against, and even more difficult to detect.

  39. Phases of an attack
  • Attack phase (cont.)
    • Remote exploits
      • Attacks designed to take advantage of improperly coded software to compromise and take control of a vulnerable host.
      • Can function in the same manner as the malicious payload traffic DoS attacks.
      • Take advantage of improperly checked input or configuration errors.
      • Examples: buffer overflow, Unicode exploit, Cookie poisoning, SQL injection, etc.

  40. Phases of an attack
  • Attack phase (cont.)
    • Trojans and Backdoor programs
      • By installing a backdoor program or a Trojan, an attacker can bypass normal security controls and gain privileged unauthorized access to a host.
      • A backdoor program can be deployed on a system in a variety of different ways. E.g. a malicious software engineer can add a backdoor program into legitimate software code.
      • Backdoor programs might be added for legitimate maintenance reasons in the software development life cycle, but later forgotten.

  41. Phases of an attack
  • Attack phase (cont.)
    • Trojans and Backdoor programs (cont.)
      • A Trojan is defined as software that is disguised as a benign application.
      • Remote control Trojans typically listen on a port like a genuine application.
      • Through this open port, an attacker controls them remotely.
      • Trojans can be used to perform any number of functions on the host.

  42. Phases of an attack
  • Attack phase (cont.)
    • Trojans and Backdoor programs (cont.)
      • Some Trojans include portscanning and DoS features.
      • Others can take screen and Webcam captures and send them back to the attacker.
      • Trojans and backdoor programs have traditionally listened on a TCP or UDP port, making it easy to detect them and undertake countermeasures.

  43. Phases of an attack
  • Attack phase (cont.)
    • Trojans and Backdoor programs (cont.)
      • Because of that, Trojans have evolved so they no longer need to listen on a TCP or UDP port.
      • Instead, they listen for a specific sequence of events before processing commands.
      • It may be a combination of predetermined source addresses, TCP header information, or false destination ports that do not match a listening service.

  44. Phases of an attack
  • Attack phase (cont.)
    • Misuse of Legitimate Access
      • Attackers often attempt to gain unauthorized use of legitimate accounts by getting authentication information.
      • This can be performed by means of technical and/or social engineering methods.
      • IDS, especially the anomaly detection ones, may be used to detect such activities.

  45. Phases of an attack
  • Post-attack phase
    • After an attacker has successfully penetrated a host on the targeted network, the further actions he will take are in general unpredictable.
    • In this phase, the attacker carries out his plan and makes use of information resources as he considers appropriate.

  46. Phases of an attack
  • Post-attack phase
    • Possible post-attack activities:
      • Covering tracks
      • Penetrating deeper into the network infrastructure
      • Using the host to attack other networks
      • Gathering, manipulating, or destroying data
      • Handing over the host to a friend or a hacker group
      • Walking or running away without doing anything.
