Targeted Break-in, DoS, & Malware attacks (II)

Transcription

1 Targeted Break-in, DoS, & Malware attacks (II) (February 22, 2016) Abdou Illia Spring 2016 Learning Objectives Discuss DoS attacks Discuss Malware attacks 2 Denial of Service Attacks 1

2 TCP opening and DoS 1 2 SYN SYN/ACK ACK SYN SYN/ACK ACK Server Waiting for request from Computer 1 Waiting for request from Computer SYN SYN/ACK ACK Waiting for request from Computer 3. For each TCP connection request (SYN), server has to: Respond to the request (SYN/ACK) 4 Set resources aside in order respond to each data request Web Server configuration 5 Denial of Service (DoS) Attacker s Home Network What resources the web server would use to respond to each of the HTTP requests it receives? What could be the consequences of the web server being invaded by too much requests 6 from the attacker? 2

3 Denial of Service (DoS) Attack Attack that makes a computer s resources unavailable to legitimate users Types of DoS attacks: Single-message DoS Flooding DoS Distributed DoS 7 Single-message DoS attacks First kind of DoS attacks to appear Exploit weakness in the coding of operating systems and network applications Three main single-message DoS: Ping-of-Death Teardrop LAND attack 8 Total Length (16 bits) Flags Fragment Offset (13 bits) Ping of Death attacks Take advantage of Fact that TCP/IP allows large packets to be fragmented Some network applications & operating systems inability to handle packets larger than bytes Attacker sends IP packets that are larger than 65,536 bytes through IP fragmentation. Ping of death attacks are rare today as most operating systems have been fixed to prevent this type of attack from occurring. Example of PoD code and vulnerable Operating Systems: Fix Add checks in the reassembly process or in firewall to protect hosts with bug not fixed Check: Sum of Total Length fields for fragmented IP is < bytes 9 Fragment offset: identify which fragment this packet is attached to. Flags: indicates whether packet could be fragmented or not 3

4 Total Length (16 bits) Flags Fragment Offset (13 bits) Teardrop attacks Take advantage of IP fragmentation Attacker sends a pretend fragmented IP packet But Fragment Offset values are not consistent Earlier operating systems* and poorly coded network applications crash because Unable to reassemble the packet due to missing fragments Pretend fragmented IP packet Frag 1 Frag 2 Frag 4 Attacker * Win 3.1, Win 95, Win NT, and Linux prior to Victim 10 LAND attacks First, appeared in 1997 Attacker uses IP spoofing with source and destination addresses referring to target itself. Back in time, OS and routers were not designed to deal with this kind of loopback Problem resurfaces recently with Windows XP and Windows 2003 Server 11 Summary Questions 1 Do DoS attacks primarily attempt to jeopardize confidentiality, integrity, or availability? Which of the following DoS attacks takes advantage of IP fragmentation? a) LAND attack b) Teardrop c) Ping of Death d) None of the above In which of the following DoS attacks the attacker makes use of IP spoofing? a) LAND attack b) Teardrop c) Ping of Death d) None of the above 12 4

5 Flooding DoS Attacks Flood a target with a series of messages in an attempt to make it crash Main types of flooding DoS attacks: Flooding with regular requests SYN flooding Smurf flooding Distributed DoS 13 Flooding with regular request Open cmd and type: ping /? Show the l option Show the following video about using ping l in a possible attempt to flood the allrecipes.com website. Youtube: How To DOS a Website Another Fooding attack DoS using Low Orbit Ion Cannon 14 SYN Flooding Attacker sends a series of TCP SYN opening requests For each SYN, the target has to Send back a SYN/ACK segment, and set aside memory, and other resources to respond When overwhelmed, target slows down or even crash SYN takes advantage of client/server workload asymmetry SYN SYN SYN SYN SYN Attacker Victim 15 5

6 Smurf Flooding DoS Attacker uses IP spoofing Attacker sends ping / echo messages to third party computers on behalf of the target All third party computers respond to target 16 Distributed DoS (DDoS) Attack Attacker hacks into multiple clients and plants handler programs on them. Clients become bots or intermediaries Attacker sends attack commands to handlers which execute the attacks First appeared in 2000 with Mafiaboy attack against cnn.com, ebay.com, etrade.com, yahoo.com, etc. Server DoS Messages Bots Attack Command Handler Attack DoS Messages Command Link to how to deal with DDoS (by Cisco) Attack Command Attacker 17 Distributed DoS (DDoS) Attack 18 6

7 Distributed DoS (DDoS) Attack 19 A DoS story: The Spamhaus was a victim of a DoS in 2013 The following video discusses how the attack was lauched and how it was stopped The Spamhaus attack video 20 Summary Questions 2 Describe SYN flooding. Describe Smurf flooding What is a DDoS attack? What is a Handler program? 21 7

8 Malware Attacks Malware attacks Types of malware: Viruses Worms Trojan horses Logic bombs 23 Virus Code/Program (script, macro) that: attaches to files Spreads by user actions (floppy disk, flash drive, opening attachment, IRC, FTP, etc), not by themselves. Symptoms: Annoying actions when the virus is executed: hog up memory, crash the system, drives are not accessible, antivirus disabled, etc. Performing destructive actions when they are executed: delete files, alter files, etc. 24 8

9 Viruses Could be Boot sector viruses: attach themselves to files in boot sector of HD File infector viruses: attach themselves to files (i.e. program files and user files) Polymorphic viruses: mutate with every infection (using encryption techniques), making them hard to locate Metamorphic viruses: rewrite themselves completely each time they are to infect new executables* Stealth: hides itself by intercepting disk access requests by antivirus programs. Request by antivirus The stealth returns an uninfected version of files to the anti-virus software, so that infected files seem "clean. * metamorphic engine is needed Stealth OS 25 Worm Does not attach to files A self-replicating computer program that propagate across a system Uses a host computer s resources and network connections to transfer a copy of itself to another computer Harms the host computer by consuming processing time and memory Harms the network by consuming the bandwidth Question: Distinguish between viruses and worms 26 Trojan horse A computer program That appears as a useful program like a game, a screen saver, etc. But, is really a program designed to damage or take control of the host computer When executed, a Trojan horse could Format disks Delete files Open TCP ports to allow a remote computer to take control of the host computer (Back Door) NetBus and SubSeven used to be attackers favorite programs for target remote control 27 9

10 Trojan horse NetBus Interface 28 Logic bomb Piece of malicious code intentionally inserted into a software system The bomb is set to run when a certain condition is met Passing of specified date/time Deletion of a specific record in a database Example: a programmer could insert a logic bomb that will function as follow: Scan the payroll records each day. If the programmer s name is removed from payroll, then the logic bomb will destroy vital files weeks or 29 months after the name removal. Summary Questions 3 Distinguish between a virus and a worm What kind of malware is a malicious program that could allow an attacker to take control of a target computer? What kind of malware could harm a host computer by consuming processor time and random access memory? 30 10

11 SQL Injection Error-based SQL Injection Error-based SQL Injection Typical modern Web application Client Web Server may host ebusiness applications Database Server hosts databases including customers accounts, payments info, etc. Web Server Database Server 32 Error-based SQL Injection Typical user login (authentication) Client 1 4 1) Client submits login request (username and password) 2) Web application sanitizes the login request and creates an SQL query that is passed to the Database Server 3) The Database Server replies 4) The Web app authenticates the user or sends an errormessage Web Server 2 3 Database Server 33 11

12 SQL Injection An SQL query asking if there is a matching pair of username and password looks like: SELECT id FROM users WHERE username = 'aillia' AND password = 'xyx@#$' This SQL query should return a result like this Row id SQL has a syntax. Using special characters including single quotes to pass values like 'aillia' is part of the syntax SQL Injection is a result of braking SQL syntax (e.g. 34 misusing the special characters) and bad programming. SQL Injection Braking SQL syntax generates runtime errors Runtime errors play a key role in SQL Injection Example of SQL query with broken syntax SELECT id FROM users WHERE username = 'aillia ' ' AND password = 'xyx@#$' Example of runtime error: msg ORA-00103, Level 15, Row 1, Line 1 Incorrect syntax near = 'xyx@#$' msg ORA-00105, Level 15, Row 1, Line 1 Unclosed quotations after string ''. 35 SQL Injection In order for SQL Injections to succeed, Attackers must brake SQL syntax by smuggling special characters in SQL queries they type in online forms. The poisonous SQL must modify the Web application behavior to make it do what the attacker wants. Example: aillia ' Oracle Enterprise 9g error '80040e14' Unclosed quotation mark after the character string like 'aillia' AND cust_password = ' '. /portal/default.asp, line 20 Error message shown in attackers browser with part of the SQL query revealed 36 12

13 SQL Injection Once the attacker gets a runtime error message revealing part of the SQL query, it s an indication that there is hole in the Web application The attacker can, then, try to bypass the authentication by entering something like this at login: aillia ' OR 1= As a result, the user may be authenticated as the first user from the top of the list (first row) Row id SQL Injection: What happens behind the scene Attacker s login (aillia ' OR 1=1 -- ) becomes: SELECT id FROM users WHERE username = 'aillia ' OR 1=1 -- AND password = xxxxx' Which is a true statement because: 1 = 1 is True and -- is a symbol used for comments in SQL syntax. 38 SQL Injection: determining the DBMS version To get the DBMS version, the attacker may enter the following at login: aillia ' OR The result may be an error message like the following that can reveal the DBMS version: Error when converting the nvarchar value Oracle Enterprise 10g Release 2: on Windows 2003 Server R2 to data type int. /portal/default.asp, line

14 SQL Injection: Extracting data from a database To extract multiple rows from the database, the attacker may enter the following at login: aillia ' OR 1=(SELECT top 1 name FROM master sysdatabases WHERE name NOT IN (SELECT top 0 name FROM master..sysdatabases)) The result may be an error message revealing more data. But to automate extraction of more data, tools like Burp Suite or SQL Map 40 14