Topic 1 – Lesson 3: Network Attacks Summary

Upload: theresa-newman

Post on 17-Dec-2015


Page 1: Topic 1 – Lesson 3
Network Attacks
Summary

Page 2: Questions
► Compare passive attacks and active attacks
► How do packet sniffers work? How to mitigate?
► How does spoofing work? How to mitigate?
► A step by step description of DoS attacks; How to mitigate?
► Compare virus, worms, and Trojan Horses. How to mitigate?
► How do malicious applets work? How to mitigate?
► How do war dialers work? How to mitigate?
► How do logic bombs work? How to mitigate?
► How do buffer overflow attacks work? How to mitigate?
► How can hackers use social engineering tactics? How to mitigate?
► How does dumpster diving work? How to mitigate?

Page 3: Compare passive attacks and active attacks
► Passive attacks eavesdrop
► Active attacks change data
► Defeating passive attacks should focus on detection
► Active attacks are malicious and will directly cause damage
► 4 example active attacks: masquerade, replay, denial of service, modification
► Active attacks generally are preceded by passive attacks

Page 4: How do packet sniffers work? How to mitigate?
► Packet sniffers discover information by listening in
► Packet sniffers are passive attacks & do not alter data
► How to mitigate?
  - Use encryption to prevent sniffing
  - Use one time passwords to help defeat sniffers
  - Packet sniffers are hard to detect because they do not alter network traffic

Page 5: How does spoofing work? How to mitigate?
► Spoofing is a camouflage technique
► Three common types of spoofing attacks
  - IP spoofing
  - Email address spoofing: fake an email address
  - Web page spoofing: fake a web page
► How to mitigate?
  - Sender-side access control: Filters can stop people from sending out spoofed IP packets or emails
  - Receiver-side access control: need to know whether an arriving packet is spoofed
  - Cryptography and authentication may help
  - IP address-based authentication is limited: why?
  - Mitigation difficult if you have trusted systems outside your network; You should use firewalls
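The sender-side and receiver-side filters from this slide, as an added example that is not part of the original lecture: an egress rule drops packets leaving the network with a source address that is not ours, and an ingress rule drops packets arriving from outside that claim an internal or bogon source. The address block, the bogon list and the sample packets are constructed; note that the second sample packet shows the limit of receiver-side filtering, since a spoofed source that looks like any other external address can only be stopped at the sender's edge or by authentication.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the organisation's own address block, and sources that never legitimately arrive from the Internet
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

@dataclass
class Packet:
    src: str
    dst: str
    interface: str   # "inside" = sent by our hosts, "outside" = arriving from the Internet

def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def egress_ok(pkt: Packet) -> bool:
    """Sender-side control: a packet leaving our network must carry one of our own source addresses."""
    return in_any(pkt.src, OUR_PREFIXES)

def ingress_ok(pkt: Packet) -> bool:
    """Receiver-side control: a packet from outside must claim neither our addresses nor a bogon source."""
    return not in_any(pkt.src, OUR_PREFIXES) and not in_any(pkt.src, BOGONS)

def filter_packets(packets):
    """Egress rule on the inside interface, ingress rule on the outside one; returns (src, interface, verdict)."""
    verdicts = []
    for p in packets:
        ok = egress_ok(p) if p.interface == "inside" else ingress_ok(p)
        verdicts.append((p.src, p.interface, "pass" if ok else "drop"))
    return verdicts

SAMPLE = [  # constructed traffic
    Packet("192.0.2.10", "198.51.100.5", "inside"),    # legitimate outbound
    Packet("203.0.113.9", "198.51.100.5", "inside"),   # our host emitting a spoofed source
    Packet("198.51.100.5", "192.0.2.10", "outside"),   # legitimate inbound
    Packet("192.0.2.77", "192.0.2.10", "outside"),     # outsider claiming to be one of our hosts
    Packet("10.1.1.1", "192.0.2.10", "outside"),       # private source from the Internet
]

if __name__ == "__main__":
    for verdict in filter_packets(SAMPLE):
        print(*verdict)
```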

Page 6: A step by step description of DDoS attacks; How to mitigate?
► Step 1: the attacker breaks into 1001 computers
► Step 2: the attacker installs the master program on one computer and the daemon software on the other 1000 computers
► Step 3: the attacker picks a victim
► Step 4: when the attacker launches the DDoS attack, the attacker will instruct the master program to launch the attack; then the master program will instruct the 1000 daemons to send a lot of packets to the victim
► How to mitigate?
  - Ways to stop the server from crashing are limiting nonessential traffic
  - Hard to defend because the packets look like normal traffic
  - Harder to defend because they spoof IP addresses

Page 7: Compare virus, worms, and Trojan Horses. How to mitigate?
► In Lesson 2, we clarified the differences between viruses and worms
► Trojan horses are a special type of virus
► A Trojan horse refers to a computer program that does more than it claims.
► One possible purpose of Trojan horses is to get passwords and info and send them back
► How to mitigate?
  - Use antivirus software
  - Only download from trusted web sites
  - Do not execute unknown applications/tools

Page 8: On Trojan Horses
[Figure: a clean program, e.g., a tool, is attacked and malicious code is inserted into it; the result is a Trojan Horse]

Page 9: How do malicious applets work? How to mitigate?
► Java applets are embedded in web pages
► When you open a web page or click a hyperlink, a malicious applet could be executed on your computer
► Applets compromise privacy and security by stealing passwords, modifying files, and spoofing email
► How to mitigate?
  - Disable Java to avoid them

Page 10: How do war dialers work? How to mitigate?
► Dial numerous numbers and try to establish an illegal connection
► Break into a computer via its dial-up connection
► How to mitigate?
  - Change passwords and do not use dial-up.
  - Use strong passwords. Do not use dictionary words.
  - Less vulnerability using an Ethernet connection.

Page 11: How do logic bombs work? How to mitigate?
► Logic bombs can be viewed as a special type of Trojan horse
► A typical Trojan horse will be activated whenever the infected software program is executed; however, logic bombs typically stay dormant until certain conditions are satisfied.
► Can they be deployed by worms or viruses? -- Yes
► Can be internal attacks from employees.
► How to mitigate?
  - Can be detected and removed by virus scanning
  - Tripwire: a tool to check if a program has been modified by the attacker
► Hash the original program: a hash is a unique value based on the content of the program file, and if the content changes then the hash value changes
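The hash-the-original-program check described on this slide, as an added example that is not part of the original lecture and not Tripwire's own code: a baseline of SHA-256 digests is taken over a directory of programs, and a later pass reports files whose content (and therefore hash) changed, files that vanished, and files that appeared. The temporary directory, file names and the tampering step are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def file_hash(path: str) -> str:
    """SHA-256 of a file's content, read in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Record the hash of every file under root: the snapshot of the 'original programs'."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            baseline[os.path.relpath(p, root)] = file_hash(p)
    return baseline

def check_integrity(root: str, baseline: dict) -> dict:
    """Compare the current state with the baseline; report modified, missing and added files."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo() -> dict:
    """Constructed scenario: snapshot two 'programs', then alter one and drop a new file beside them."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("tool.bin", b"clean tool v1"), ("lib.so", b"library")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)
        with open(os.path.join(root, "tool.bin"), "ab") as f:
            f.write(b"\n# bytes appended after the snapshot")   # content changed, so the hash changes
        with open(os.path.join(root, "extra.bin"), "wb") as f:
            f.write(b"file that was not in the baseline")
        return check_integrity(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored where the attacker cannot rewrite it (read-only media or a separate host), otherwise the hashes can be updated along with the program.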

Page 12: How can hackers use social engineering tactics? How to mitigate?
► Take advantage of human characteristics
► Talk unsuspecting employees out of sensitive info.
► Comprehensive security policies will help
► Employees should be educated about this threat

Page 13: How does dumpster diving work? How to mitigate?
► Sift through a company's garbage to find information to help break into the computers
► Sensitive documents should be shredded

Page 14: How do buffer overflow attacks work? How to mitigate?
► When a web server is executed, its stack contains the return address
► The hacker sends a carefully crafted URL request message to the web server
  - The request contains a piece of code
► The request text overwrites the stack and the return address is changed
► The changed return address will mislead the CPU to execute the code contained in the attacking message
► More than 90 percent of real world hacking is via buffer overflow

Page 15: Buffer overflow in depth
[Figure: inside the web server's RAM, the stack holds the input buffer, other data and the return address, next to the server's code. A normal URL request (the figure shows http://www.x.y and http://www.cnn.com/a/b/c/x.html) fits in the input buffer. Step 1: the hacker sends a malicious URL request; the message carries malicious code and a new return address, which overwrite the input buffer, the other data and the return address.]
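The stack layout of the last two slides (input buffer, other data, return address), as an added simulation that is not part of the original lecture: an unchecked copy lets an oversized request overwrite the return-address slot, while the bounded copy rejects it. Sizes, the saved return address and the two requests are constructed; the model stops at the end of the frame, where a real stack would keep being overwritten.

```python
BUF_SIZE, OTHER_SIZE, ADDR_SIZE = 16, 8, 4   # input buffer, other data, return address (bytes)

class Frame:
    """Simulated stack frame laid out as on the slide: input buffer, then other data, then the return address."""
    def __init__(self, return_addr: int):
        self.mem = bytearray(BUF_SIZE + OTHER_SIZE + ADDR_SIZE)
        self.mem[BUF_SIZE + OTHER_SIZE:] = return_addr.to_bytes(ADDR_SIZE, "little")
        self.saved_return = return_addr

    def return_address(self) -> int:
        return int.from_bytes(self.mem[BUF_SIZE + OTHER_SIZE:], "little")

    def copy_unchecked(self, request: bytes) -> None:
        """strcpy-style copy with no length check: an oversized request spills past the buffer."""
        n = min(len(request), len(self.mem))   # the simulation stops at the frame's end
        self.mem[:n] = request[:n]

    def copy_bounded(self, request: bytes) -> bool:
        """Hardened form: the request must fit the buffer, otherwise it is rejected."""
        if len(request) > BUF_SIZE:
            return False
        self.mem[:len(request)] = request
        return True

    def intact(self) -> bool:
        return self.return_address() == self.saved_return

def handle(request: bytes, bounded: bool) -> dict:
    """Process one request; report whether it was accepted and whether the return address survived."""
    frame = Frame(return_addr=0x08048ABC)   # constructed: where the server should return to
    if bounded:
        accepted = frame.copy_bounded(request)
    else:
        frame.copy_unchecked(request)
        accepted = True
    return {"accepted": accepted, "intact": frame.intact(), "return_addr": frame.return_address()}

NORMAL = b"/a/b/c/x.html"   # fits in the 16-byte buffer
# constructed oversized request: filler covers the buffer and the other data, the tail lands on the return slot
OVERSIZED = b"A" * (BUF_SIZE + OTHER_SIZE) + (0xDEADBEEF).to_bytes(ADDR_SIZE, "little")

if __name__ == "__main__":
    for name, req in (("normal", NORMAL), ("oversized", OVERSIZED)):
        for bounded in (False, True):
            print(name, "bounded" if bounded else "unchecked", handle(req, bounded))
```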