Lecture 19 - Network Security

Similar documents
CS Network Security: Botnets

Lecture 13 - Network Security

CSC574 Computer and Network Security Module: Internet Malware

Changing threat landscape The Botnet perspective

CSE331: Introduction to Networks and Security. Lecture 15 Fall 2006

Multifaceted Approach to Understanding the Botnet Phenomenon

Spyware. Michael Glenn Technology Management 2004 Qwest Communications International Inc.

Seminar Computer Security

A Critical Investigation of Botnet

Malicious Software. Malicious Software. Overview. Backdoor or Trapdoor. Raj Jain. Washington University in St. Louis

The HoneyNet Project Scan Of The Month Scan 27

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

HoneyBOT User Guide A Windows based honeypot solution

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Malicious Software. Ola Flygt Växjö University, Sweden Viruses and Related Threats

Computer Security DD2395

WORMS : attacks, defense and models. Presented by: Abhishek Sharma Vijay Erramilli

Cryptography and Network Security Chapter 21. Malicious Software. Backdoor or Trapdoor. Logic Bomb 4/19/2010. Chapter 21 Malicious Software

Detecting peer-to-peer botnets

Lecture 15 - Web Security

Overview. Common Internet Threats. Spear Phishing / Whaling. Phishing Sites. Virus: Pentagon Attack. Viruses & Worms

Yahoo Attack. Is DDoS a Real Problem?

1 Introduction. Agenda Item: Work Item:

BotNets- Cyber Torrirism

Sapphire/Slammer Worm. Code Red v2. Sapphire/Slammer Worm. Sapphire/Slammer Worm. Sapphire/Slammer Worm. Why Was Slammer So Fast?

1 Introduction. Agenda Item: Work Item:

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

CS549: Cryptography and Network Security

About Botnet, and the influence that Botnet gives to broadband ISP

Malware Analysis Quiz 6

CEH Version8 Course Outline

Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013

Information Security Threat Trends

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks

SECURING APACHE : DOS & DDOS ATTACKS - II

Network Incident Report

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Firewalls and Software Updates

BOTNETS. Douwe Leguit, Manager Knowledge Center GOVCERT.NL

Data Centers Protection from DoS attacks. Trends and solutions. Michael Soukonnik, Radware Ltd Riga. Baltic IT&T

The Hillstone and Trend Micro Joint Solution

Common Cyber Threats. Common cyber threats include:

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

ENEE 757 CMSC 818V. Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park

IBM Protocol Analysis Module

Current Threat Scenario and Recent Attack Trends

WHITE PAPER. Understanding How File Size Affects Malware Detection

Denial of Service (DoS) Technical Primer

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

Countermeasures against Bots

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

Security A to Z the most important terms

Threat Events: Software Attacks (cont.)

CS 356 Lecture 9 Malicious Code. Spring 2013

Understanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

WEBTHREATS. Constantly Evolving Web Threats Require Revolutionary Security. Securing Your Web World

Online Security Awareness - UAE Exchange - Foreign Exchange Send Money UAE Exchange

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

The Evolution of Computer Security Attacks and Defenses. Angelos D. Keromytis Columbia University

Intelligent Worms: Searching for Preys

Top Ten Cyber Threats

Denial of Service (DoS)

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

How To Classify A Dnet Attack

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

Uncover security risks on your enterprise network

2010 Carnegie Mellon University. Malware and Malicious Traffic

Computer Viruses: How to Avoid Infection

Windows Remote Access

Test Case - Privatefirewall 5.0, Intrusion and Malware Defense

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

DDoS Attacks & Defenses

TIME TO LIVE ON THE NETWORK

E-BUSINESS THREATS AND SOLUTIONS

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

13 Ways Through A Firewall What you don t know will hurt you

INTERNET & COMPUTER SECURITY March 20, Scoville Library. ccayne@biblio.org

24/7 Visibility into Advanced Malware on Networks and Endpoints

Revealing Botnets Using Network Traffic Statistics

Covert Operations: Kill Chain Actions using Security Analytics

CRYPTUS DIPLOMA IN IT SECURITY

How To Stop A Ddos Attack On A Website From Being Successful

Hacking Database for Owning your Data

Transcription:

Lecture 19 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/

Exploiting the network... The Internet is extremely vulnerable to attack it is a huge open system... which adheres to the end-to-end principle smart end-points, dumb network Can you think of any large-scale attacks that would be enabled by this setup? 2

Malware Malware - software that exhibits malicious behavior (typically manifest on user system) virus - self-replicating code, typically transferring by shared media, filesystems, email, etc. worm - self propagating program that travels over the network The behaviors are as wide ranging as imagination backdoor - hidden entry point into system that allows quick access to elevated privileges rootkit - system replacement that hides adversary behavior key logger - program that monitors, records, and potentially transmits keyboard input to adversary trojan - malicious software disguised as legitimate program 3

Worms A worm is a self-propagating program. As relevant to this discussion 1. Exploits some vulnerability on a target host 2. (often) embeds itself into a host 3. Searches for other vulnerable hosts 4. Goto (1) Q: Why do we care? 4

The Danger What makes worms so dangerous is that infection grows at an exponential rate A simple model: s (search) is the time it takes to find vulnerable host i (infect) is the time is take to infect a host Assume that t=0 is the worm outbreak, the number of hosts at t=j is 2 (j/(s+i)) For example, if (s+i = 1), how many hosts are compromised at time t=32? 5

The result 5,000,000,000 4,500,000,000 4,000,000,000 3,500,000,000 3,000,000,000 2,500,000,000 2,000,000,000 1,500,000,000 point of criticality 1,000,000,000 500,000,000 0 6

The Morris Worm Robert Morris, a 23 year old doctoral student from Cornell Wrote a small (99 line) program November 3rd, 1988 Simply disabled the Internet How it did it Reads /etc/password, they tries the obvious choices and dictionary, /usr/dict words Used local /etc/hosts.equiv,.rhosts,.forward to identify hosts that are related Tries cracked passwords at related hosts (if necessary) Uses whatever services are available to compromise other hosts Scanned local interfaces for network information Covered its tracks (set is own process name to sh, prevented accurate cores, re-forked itself) 7

Code Red Anatomy of a worm: Maiffret (good reading) Exploited a Microsoft IIS web-server vulnerability A vanilla buffer overflow (allows adversary to run code) Scans for vulnerabilities over random IP addresses Sometimes would deface the served website July 16th, 2001 - outbreak CRv1- contained bad randomness (fixed IPs searched) CRv2 - fixed the randomness, added DDOS of www.whitehouse.gov Turned itself off and on (on 1st and 16th of month) August 4 - Code Red II Different code base, same exploit Added local scanning (biased randomness to local IPs) Killed itself in October of 2001 8

Worms and infection The effectiveness of a worm is determined by how good it is at identifying vulnerable machines Morris used local information at the host Code Red used what? Multi-vector worms use lots of ways to infect E.g., network, DFS partitions, email, drive by downloads Another worm, Nimda did this Lots of scanning strategies Signpost scanning (using local information, e.g., Morris) Random IP - good, but waste a lot of time scanning dark or unreachable addresses (e.g., Code Red) Local scanning - biased randomness Permutation scanning - instance is given part of IP space 9

Other scanning strategies Hit-list scanning Setup - use low and slow scanning to determine which hosts are vulnerable (i.e., create a hit list) Start the worm, passing the list of vulnerable hosts, reduce/ device the list at each host Gets past the slow start part, gets right into the exponential Essentially removes the window to stop worm 5,000,000,000 4,500,000,000 4,000,000,000 3,500,000,000 3,000,000,000 2,500,000,000 2,000,000,000 1,500,000,000 1,000,000,000 500,000,000 0 10

Other scanning strategies The doomsday worm: a flash worm Create a hit list of all vulnerable hosts Staniford et al. argue this is feasible Would contain a 48MB list Do the infect and split approach Use a zero-day vulnerability 11

Worms: Defense Strategies (Auto) patch your systems: most, if not all, large worm outbreaks have exploited known vulnerabilities (with patches) Heterogeneity: use more than one vendor for your networks Shield (Ross): provides filtering for known vulnerabilities, such that they are protected immediately (analog to virus scanning) Shield Network Traffic Network Interface Operating System Filtering: look for unnecessary or unusual communication patterns, then drop them on the floor This is the dominant method, getting sophisticated (Arbor Networks) 12

Advanced Methods Quarantine - how do stop it once it is out? Internet Quarantine: Requirements for Containing Self- Propagating Code. David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage Assume you have a LAN/WAN environment We have already talked about how to prevent Q1: How do you recognize a worm? Q2: How do you stop a worm? Much work in this area... number of new addresses contacted number of incomplete IP handshakes number of connections to new local hosts (COI?) 13

Botnet Story 14

Botnets A botnet is a network of software robots (bots) run on zombie machines which run are controlled by command and control networks IRCbots - command and control over IRC Bot herder - owner/controller of network "scrumping" - stealing resources from a computer Surprising Factoid: the IRC server is exposed. 15

Statistics (controversial) The actual number of bots, the size of the botnets and the activity is highly controversial. As of 2005/6: hundreds of thousands of bots 1/4 of hosts are now part of bot-nets Growing fast (many more bots) Assertion: botnets are getting smaller(?!?) 16

What are botnets being used for? piracy mining attacks hosting Activities we have seen Stealing CD Keys: 50 botnets ying!ying@ying.2.tha.yang PRIVMSG #atta :BGR 0981901486 $getcdkeys BGR 0981901486!nmavmkmyam@212.91.170.57 100-20,000 PRIVMSG #atta :Microsoft Windows Product ID bots/net CD Key: (55274-648-5295662-23992). BGR 0981901486!nmavmkmyam@212.91.170.57 PRIVMSG #atta :[CDKEYS]: Search completed. Clients/servers spread around the world Reading a user's clipboard: B][!Guardian@globalop.xxx.xxx PRIVMSG ##chem## :~getclip Ch3m 784318!~zbhibvn@xxx-7CCCB7AA.click-network.com PRIVMSG ##chem## :- [Clipboard Data]- Ch3m 784318!~zbhibvn@xxx-7CCCB7AA.click-network.com PRIVMSG ##chem## :If You think the refs screwed the seahawks over put your name down!!! Different geographic concentrations DDoS someone: devil!evil@admin.of.hell.network.us PRIVMSG #t3rr0r0fc1a :!pflood 82.147.217.39 443 1500 s7n 2K503827!s7s@221.216.120.120 PRIVMSG #t3rr0r0fc1a :\002Packets\002 \002D\002one \002;\002>\n s7n 2K503827!s7s@221.216.120.120 PRIVMSG #t3rr0r0fc1a flooding...\n Set up a web-server (presumably for phishing): [DeXTeR]!alexo@l85-130-136-193.broadband.actcom.net.il PRIVMSG [Del]29466 :.http 7564 c:\\ [Del]38628!zaazbob@born113.athome233.wau.nl PRIVMSG _[DeXTeR] :[HTTPD]: Server listening on IP: 10.0.2.100:7564, Directory: c:\\. 17

IRC 1988 - one-to-many or many-to-many chat (for BBS) Client/server -- TCP Port 6667 Used to report on 1991 Soviet coup attempt Channels (sometimes password protected) are used to communicate between parties. Invisible mode (no list, not known) Invite only (must be invited to participate) Server Server Server Server Server 18

IRC botnets An army of compromised hosts ( bots ) coordinated via a command and control center (C&C). The perpetrator is usually called a botmaster. IRC Server Find and infect more machines! Bots (Zombies) A botnet is comparable to compulsory military service for windows boxes -- Bjorn Stromberg 19

Typical (IRC) infection cycle optional Bots usually require some form of authentication from their botmaster 20

Infection Worms, Trojan horses, backdoors Note: the software on these systems is updated Bot theft: bot controllers penetrate/"steal" bots. 21

Not only for launching attacks... Some botmasters pay very close attention to their bots hence covert infiltration is important In many cases, Botmasters inspect their bots fairly regularly, and isolate certain bots ( cherry picking ) #HINDI-FILMZ :#1 294x [698M] [Movie] Dil Bechara Pyar Ka Mara DvD-RiP [ Full / AVI / 2001 ] #HINDI-FILMZ :#2 126x [141K] [English Subtitles] Dil Bechara Pyar Ka Mara #HINDI-FILMZ :** 2 packs ** 3 of 3 slots open, Record: 45.3KB/s #HINDI-FILMZ :** Bandwidth Usage ** Current: 0.0KB/s, Record: 304.5KB/s #HINDI-FILMZ :** To request a file type: /"/msg [HF]-[Street-Hunk]-30 xdcc send #x/" ** #HINDI-FILMZ :** -= #Hindi-Filmz=- ** #HINDI-FILMZ :** I M 100% Desi!! ** #HINDI-FILMZ :Total Offered: 698.5 MB Total Transferred: 206.57 GB That s a lot of movies served! ( ~ 300) 22

Measuring botnet size Two main categories Indirect methods: inferring botnet size by exploiting the side-effects of botnet activity (e.g., DNS requests) Direct methods: exploiting internal information from monitoring botnet activity 23

How many bots? Approach: infiltration templates based on collected honeynet data, e.g., observing compromised hosts that are identified within the channel How many? 1.1 million distinct user IDs used 425 thousand distinct IP addresses Issues: NAT/DHCP? Cloaked IP address (SOCKS proxies?) Botnet membership overlap 24

Botnet size, what does it mean? Infection Footprint: the total number of infected bots throughout a botnet s lifetime Relevance: how wide spread the botnet infection Effective Botnet Size: the number of bots simultaneously connected to the command and control channel Relevance: the botnet capacity to execute botmaster commands (e.g., flood attacks) An Example: While a botnet appeared to have a footprint of 45,000 bots, the number of online bots (i.e. its effective size) was < 3,000 25

Take away Internet malware is used to gain control of hosts Lots of them potentially Worms: self-propagating malware Lifecycle Find, Infect, Propagate Zero-day Botnets Network of zombies under command and control Used for a variety of malicious purposes Key concern: botnet size 26

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information