7/29/2019 Data and Network Security
1/74
Data And Network Security
GSM 522 Session 13
September 22, 2011
G Krishnamurthy
Agenda
Introduction To Data Security
Introduction To Network Security
ICMP (Ping) Abuse
Smurfing
Fragmentation Attacks
OS Vulnerabilities
Firewall Failures
DATA SECURITY
Cryptography
Involves coding a message to ensure data security
Can be characterized by:
type of encryption operations used: substitution / transposition / product
number of keys used: single-key or private / two-key or public
way in which plaintext is processed: block / stream
Types of Cryptanalytic Attacks
Chosen plaintext: select plaintext and obtain ciphertext to attack cipher
Chosen ciphertext: select ciphertext and obtain plaintext to attack cipher
Chosen text: select either plaintext or ciphertext to encrypt/decrypt to attack cipher
Caesar Cipher
Earliest known substitution cipher, by Julius Caesar
First attested use in military affairs
Replaces each letter by the 3rd letter on. Example:
Text: meet me after the toga party
Cipher: PHHW PH DIWHU WKH WRJD SDUWB
Encryption Exercises
Please go to www.cryptoclub.org
This is a site where work is in progress
However, we can try to encrypt and decrypt text
Form unique groups and we will assign numbers to each group
Encryption Exercises
Please encrypt the following sentences using Caesar ciphers:
The quick brown fox jumps over the lazy dog
India has won one bronze medal at the 2012 London Olympics
Use the following values of the key: Group n uses key n; e.g. Group 1: 1, Group 2: 2, Group 3: 3 and so on
Check how the text gets encrypted
What are the changes in the encrypted text by changing the key?
Cryptanalysis of Caesar Cipher
Characteristics: only 26 possible ciphers (A maps to A, B, ..., Z), so one could simply try each in turn
How would cryptanalysis be done? A brute force search:
given ciphertext, just try all shifts of letters
need to recognize when we have plaintext
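As an added example (mine, not part of the lecture slides), the cipher, the group exercise and the brute-force cryptanalysis above in Python: caesar_encrypt and caesar_decrypt apply a shift key, and brute_force tries all 26 shifts and ranks the candidates by how many common English words they contain, which is the "recognize when we have plaintext" step. The word list and the function names are my own choices.

```python
import string

ALPHABET = string.ascii_uppercase

# A small constructed list of frequent English words, used to recognise
# plaintext among the 26 candidate decryptions. Real tools would use
# letter-frequency statistics or a dictionary; this is enough for the demo.
COMMON_WORDS = {"THE", "AND", "OF", "TO", "A", "IN", "IS", "ME", "AT", "HAS",
                "WON", "ONE", "OVER", "AFTER", "PARTY", "DOG", "FOX"}


def caesar_encrypt(text: str, key: int) -> str:
    """Shift every letter `key` positions along the alphabet (mod 26).

    Non-letters (spaces, digits, punctuation) pass through unchanged,
    as in the lecture example where the spaces survive encryption.
    """
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(cipher: str, key: int) -> str:
    """Decryption is encryption with the negated key."""
    return caesar_encrypt(cipher, -key)


def score_english(text: str) -> int:
    """Count words that look like English; higher means more plausible plaintext."""
    return sum(1 for w in text.split() if w.strip(".,!?") in COMMON_WORDS)


def brute_force(cipher: str) -> list:
    """Try all 26 shifts (key 0 included) and return (key, plaintext) pairs,
    most plausible first. With only 26 keys this is the whole keyspace."""
    candidates = [(k, caesar_decrypt(cipher, k)) for k in range(26)]
    return sorted(candidates, key=lambda kp: score_english(kp[1]), reverse=True)


if __name__ == "__main__":
    # The lecture's example: key 3.
    print(caesar_encrypt("meet me after the toga party", 3))
    # The group exercise: each group uses its own number as the key.
    for group in range(1, 4):
        print(group, caesar_encrypt("The quick brown fox jumps over the lazy dog", group))
    # Cryptanalysis: recover the key from the ciphertext alone.
    key, plain = brute_force("PHHW PH DIWHU WKH WRJD SDUWB")[0]
    print(key, plain)
```

Changing the key only rotates which letter each plaintext letter lands on; the word lengths and the positions of repeated letters are unchanged, which is exactly why the brute-force ranking works.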
NETWORK SECURITY
Security Services
X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers
RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources
X.800 defines it in 5 major categories
Security Services (X.800)
Authentication - assurance that the communicating entity is the one claimed
Access Control - prevention of the unauthorized use of a resource
Data Confidentiality - protection of data from unauthorized disclosure
Data Integrity - assurance that data received is as sent by an authorized entity
Non-Repudiation - protection against denial by one of the parties in a communication
Security Mechanisms (X.800)
Specific security mechanisms: encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
Pervasive security mechanisms: trusted functionality, security labels, event detection, security audit trails, security recovery
Classify Security Attacks
Passive attacks - eavesdropping on, or monitoring of, transmissions to obtain message contents, or to monitor traffic flows
Active attacks - modification of the data stream to masquerade as some other entity, replay previous messages, modify messages in transit, or cause denial of service
Types of Attacks
Scans and Recon
If an attacker wants to map your network, the trivial way is to ping all the IP addresses in your network...
Therefore, if you allow pings, your network is exposed.
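An added defensive example, not from the slides: detection logic for exactly this reconnaissance pattern. It parses a few constructed firewall log lines (the line format is invented for the example and the addresses come from the documentation ranges) and flags any source that sends ICMP echo requests to many distinct destinations inside a short window, which is what a ping sweep looks like from the defender's side.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the lecture). One external host walks
# 192.0.2.1-8 within a few seconds; the other sources are ordinary pings.
SAMPLE_LOG = """\
2011-09-22T10:00:00 ICMP echo-request src=203.0.113.5 dst=192.0.2.1
2011-09-22T10:00:01 ICMP echo-request src=203.0.113.5 dst=192.0.2.2
2011-09-22T10:00:01 ICMP echo-request src=198.51.100.7 dst=192.0.2.10
2011-09-22T10:00:02 ICMP echo-request src=203.0.113.5 dst=192.0.2.3
2011-09-22T10:00:03 ICMP echo-request src=203.0.113.5 dst=192.0.2.4
2011-09-22T10:00:04 ICMP echo-request src=203.0.113.5 dst=192.0.2.5
2011-09-22T10:00:05 ICMP echo-request src=203.0.113.5 dst=192.0.2.6
2011-09-22T10:00:06 ICMP echo-request src=203.0.113.5 dst=192.0.2.7
2011-09-22T10:00:07 ICMP echo-request src=203.0.113.5 dst=192.0.2.8
2011-09-22T10:00:09 ICMP echo-request src=198.51.100.7 dst=192.0.2.10
2011-09-22T10:00:10 ICMP echo-request src=203.0.113.9 dst=192.0.2.20
2011-09-22T10:30:10 ICMP echo-request src=203.0.113.9 dst=192.0.2.21
2011-09-22T10:30:11 TCP syn src=203.0.113.9 dst=192.0.2.21 dport=443
"""

LINE_RE = re.compile(r"^(\S+) ICMP echo-request src=(\S+) dst=(\S+)$")


def parse_echo_requests(log):
    """Yield (timestamp, src, dst) for each ICMP echo-request line; other lines are ignored."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def detect_ping_sweeps(log, threshold=5, window=timedelta(seconds=60)):
    """Return {src: max_distinct_destinations} for every source that pinged at
    least `threshold` distinct destinations within any `window`-long interval.

    Repeated pings to one host (monitoring) never trip this, and a slow
    trickle of probes spread over hours stays below the per-window count.
    """
    by_src = defaultdict(list)
    for ts, src, dst in parse_echo_requests(log):
        by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # all destinations this source touched in [start, start + window]
            dsts = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(dsts) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(dsts))
    return alerts


if __name__ == "__main__":
    for src, n in detect_ping_sweeps(SAMPLE_LOG).items():
        print(f"possible ping sweep from {src}: {n} distinct destinations")
```

The threshold and window are the tuning knobs: a wide window with a low threshold catches slow sweeps at the cost of more false positives from legitimate monitoring hosts, which is why such sources are usually whitelisted before the count is taken.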
Smurf Attack
Ping a broadcast address, with the (spoofed) IP of a victim as source address
All hosts on the network respond to the victim
The victim is overwhelmed
Keys: amplification and IP spoofing
Protocol vulnerability; implementation can be patched by violating the protocol specification, to ignore pings to broadcast addresses
ICMP echo just used for convenience; all ICMP messages can be abused this way
"Fraggle" is the equivalent, using UDP instead of ICMP
Defending Against IP spoofing
Ingress filtering:
Forbid inbound broadcasts from the internet into your networks
Forbid inbound packets from non-routable networks
Egress filtering:
Prevent stations in networks you control from spoofing IPs from other networks by dropping their outbound packets
Make your network a less attractive and useful target for attackers that want to launch other attacks
Be a good internet citizen (reputation is important)
Drop outbound broadcasts
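The ingress and egress checks above, as an added example that is not part of the slides. It assumes the filtering router sits between one network we control (192.0.2.0/24, a constructed documentation-range address) and the Internet, and applies the rules from this slide plus the anti-smurf rule from the previous one: drop inbound packets that claim an inside or non-routable source, drop outbound packets whose source is not ours, and drop broadcasts in either direction. The function and field names are my own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (not from the slides).
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]      # what we own and announce
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]                       # must never arrive from the Internet
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "in" = arriving from the Internet, "out" = leaving towards it


def in_any(addr, networks):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in networks)


def is_broadcast(addr):
    """Limited broadcast or the directed broadcast of one of our subnets."""
    a = ipaddress.ip_address(addr)
    return a == LIMITED_BROADCAST or any(a == net.broadcast_address for net in OUR_NETWORKS)


def filter_packet(pkt):
    """Return ("pass", "") or ("drop", reason) for one packet at the border router."""
    if pkt.direction == "in":
        if in_any(pkt.src, OUR_NETWORKS):
            return "drop", "ingress: source address belongs to our own network"
        if in_any(pkt.src, NON_ROUTABLE):
            return "drop", "ingress: source address is non-routable"
        if is_broadcast(pkt.dst):
            return "drop", "ingress: inbound broadcast (would make us a smurf amplifier)"
    else:
        if not in_any(pkt.src, OUR_NETWORKS):
            return "drop", "egress: source address is not ours (spoofed)"
        if is_broadcast(pkt.dst):
            return "drop", "egress: outbound broadcast"
    return "pass", ""


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.20", "in"),     # ordinary inbound packet
        Packet("192.0.2.10", "192.0.2.20", "in"),      # outside host pretending to be inside
        Packet("10.1.1.1", "192.0.2.20", "in"),        # RFC 1918 source from the Internet
        Packet("203.0.113.5", "192.0.2.255", "in"),    # directed broadcast: smurf pattern
        Packet("198.51.100.1", "203.0.113.5", "out"),  # inside host spoofing someone else
        Packet("192.0.2.10", "203.0.113.5", "out"),    # ordinary outbound packet
    ]
    for p in samples:
        print(p.direction, p.src, "->", p.dst, *filter_packet(p))
```

The egress rule is the one that protects other people: a network that only does ingress filtering still lets its own compromised hosts spoof victims elsewhere, which is the "good internet citizen" point on the slide.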
References
RFC 2267 - "Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing".
What is a Firewall?
A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services
only authorized traffic is allowed
Auditing and controlling access
can implement alarms for abnormal behavior
Itself immune to penetration
Provides perimeter defence
Firewalls Packet Filters
Simplest of components
Uses transport-layer information only:
IP Source Address, Destination Address
Protocol/Next Header (TCP, UDP, ICMP, etc)
TCP or UDP source & destination ports
TCP Flags (SYN, ACK, FIN, RST, PSH, etc)
ICMP message type
Examples:
DNS uses port 53
No incoming port 53 packets except known trusted servers
Usage of Packet Filters
Filtering with incoming or outgoing interfaces
E.g., ingress filtering of spoofed IP addresses
Egress filtering
Permits or denies certain services
Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems
How to Configure a Packet Filter
Start with a security policy
Specify allowable packets in terms of logical expressions on packet fields
Rewrite expressions in syntax supported by your vendor
General rules - least privilege:
All that is not expressly permitted is prohibited
If you do not need it, eliminate it
Every ruleset is followed by an implicit rule reading like this.
Firewall Rules - Example 1
We wish to allow inbound mail (SMTP, port 25) but only to the gateway machine GW. Also, mail from site SPIGOT is to be dropped.
Solution 1:
Firewall Rules - Example 2
Now suppose that we want to implement the policy: any inside host can send mail to the outside.
Solution 2:
This solution allows calls to come from any port on an inside machine, and will direct them to port 25 on the outside.
Simple enough
Firewall Ruleset Review
action  ourhost  port  theirhost  port  flags  remarks
Block   *        *     *          *            Default
Block   *        *     SPIGOT     *            Do not trust SPIGOT
Allow   GW       *     *          25
Allow   *        25    *          *     ACK    Mar 09
Allow   *        *     NET-2      *     ACK    Mar 09
Allow   *        *     NET-3      *     ACK    Mar 09
Block   *        *     NET-4      *     ACK    Jan 12
Block   *        *     NET-5      *     ACK    Jan 12
Block   *        *     NET-6      *     ACK    Jan 12
Allow   *        *     *          *            Sep 12
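An added worked example (mine, not from the slides or any firewall vendor) of the configuration steps above: the policy is written as logical expressions over packet fields and evaluated first-match, with the implicit final block rule the slides mention. The two rulesets encode the stated policies of Example 1 (inbound SMTP only to GW, nothing from SPIGOT) and Example 2 (any inside host may send mail out); the host names are the slides' symbolic ones. The direction field and the shadowing check are my own additions: the check reports rules that can never fire because an earlier rule already covers every packet they match, which is the first thing to look for when reviewing a table like the one above.

```python
from dataclasses import dataclass

WILDCARD = "*"


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "block"
    direction: str = WILDCARD     # "in", "out" or "*" (added field; the slide's table has none)
    ourhost: str = WILDCARD
    ourport: str = WILDCARD
    theirhost: str = WILDCARD
    theirport: str = WILDCARD
    flags: str = WILDCARD         # a TCP flag that must be set, e.g. "ACK", or "*"
    remark: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    ourhost: str
    ourport: int
    theirhost: str
    theirport: int
    flags: frozenset = frozenset()


FIELDS = ("direction", "ourhost", "ourport", "theirhost", "theirport")


def rule_matches(rule, pkt):
    """A rule matches when every non-wildcard field equals the packet's field
    and the required TCP flag (if any) is set."""
    for f in FIELDS:
        pattern = getattr(rule, f)
        if pattern != WILDCARD and str(pattern) != str(getattr(pkt, f)):
            return False
    return rule.flags == WILDCARD or rule.flags in pkt.flags


def evaluate(ruleset, pkt):
    """First matching rule decides; when nothing matches, the implicit rule blocks."""
    for rule in ruleset:
        if rule_matches(rule, pkt):
            return rule.action, rule.remark
    return "block", "implicit default: not expressly permitted"


def shadowed_rules(ruleset):
    """Indices of rules that can never match because some earlier rule is at
    least as general in every field (e.g. a catch-all block placed at the top)."""
    def covers(earlier, later):
        return all(getattr(earlier, f) in (WILDCARD, getattr(later, f))
                   for f in FIELDS + ("flags",))
    return [i for i, later in enumerate(ruleset)
            if any(covers(e, later) for e in ruleset[:i])]


# Example 1: inbound mail only to GW; anything from SPIGOT is dropped first.
EXAMPLE_1 = [
    Rule("block", theirhost="SPIGOT", remark="we do not trust SPIGOT"),
    Rule("allow", direction="in", ourhost="GW", ourport="25", remark="inbound SMTP to the gateway"),
]

# Example 2: any inside host may send mail out. The outgoing connection goes to
# their port 25; their replies come back from port 25 and carry ACK, so only
# ACK packets from port 25 need to be let back in. Allowing anything from
# their port 25 would let an outsider call any inside port from source port 25.
EXAMPLE_2 = EXAMPLE_1 + [
    Rule("allow", direction="out", theirport="25", remark="outbound SMTP"),
    Rule("allow", direction="in", theirport="25", flags="ACK", remark="replies to our SMTP clients"),
]


if __name__ == "__main__":
    for pkt in (Packet("in", "GW", 25, "MAILHOST", 4321),
                Packet("in", "GW", 25, "SPIGOT", 4321),
                Packet("out", "INSIDE1", 40000, "REMOTE", 25),
                Packet("in", "INSIDE1", 40000, "REMOTE", 25, frozenset({"ACK"})),
                Packet("in", "INSIDE1", 22, "REMOTE", 25, frozenset({"SYN"}))):
        print(pkt.direction, pkt.ourhost, pkt.ourport, pkt.theirhost, pkt.theirport, evaluate(EXAMPLE_2, pkt))
    print("shadowed in a ruleset that starts with a catch-all block:",
          shadowed_rules([Rule("block", remark="default first")] + EXAMPLE_2))
```

Running shadowed_rules against a table is the mechanical version of the review question: a catch-all block placed before the allows makes every later rule dead, and a catch-all allow placed last makes the implicit block unreachable.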
Firewall Ruleset Review
How would you rate the firewall ruleset?
What do you feel would happen if I send a mail from NET-5?
X sends a mail from NIIT University (NU). Will it reach?
Spoofing
IP Spoofing
Any station can send packets pretending to be from any IP address
Replies will be routed to the appropriate subnet (route asymmetry)
So, attacker might not get replies if spoofing a host on a different subnet
For some attacks this is not important
Analogy: nothing prevents you from physically mailing a letter with an invalid return address, or someone else's, or your own. Likewise, packets can be inserted in the network with invalid or other IP addresses.
IP Spoofing with Amplification
Use broadcasts pretending to originate from victim
All replies go back to victim
Class B broadcast: 253^2 = 64 009 replies, assuming class C subnetting
This may use any IP protocol (ICMP, TCP, UDP)
Any application or service that replies using these protocols
Famous attack: Smurf (using ICMP) DoS; CERT Advisory CA-1998-01 "Smurf IP Denial-of-Service Attacks"; many others
Smurf Amplifier Registry: http://www.powertech.no/smurf/
BotNets
Agenda
Intro To Botnets: What Are They?
How Does A BotNet Operate?
How Is A BotNet Organized?
How Do BotNets Hide?
What is the function of Botnets?
Part 1: Intro to Botnets. What are they?
In the news
Sep 13 2012 - Malware inserted on PC production lines, says study
July 19 2012 - Huge spam botnet Grum is taken out by security researchers
Mar 26 2012 - Microsoft moves to disable Zeus botnet
Dec 5 2011 - Botnets: Hi-tech crime in the UK
July 29 2010 - Multi-Purpose Botnet Used in Major Check Counterfeiting Operation
Introduction
Figure: Attacker (Botmaster) and Zombies
Malware is currently the major source of attacks and fraudulent activities on the Internet.
Malware is used to infect computers.
Botnet is a network of zombies, i.e. compromised computers under control of an attacker.
Bot is a program loaded on a zombie computer that provides remote control mechanisms to an attacker.
Bot
Bot - a small program to remotely control a computer
Characterized by:
Remote control & communication (C&C) channels to command a victim, e.g. perform DOS attack, send spam
The implemented remote commands, e.g. update bot binary to a new version
Spreading mechanisms to propagate it further, e.g. port scanning, email
http://en.wikipedia.org/wiki/Botnet
C&C channel
Means of receiving and sending commands and information between the botmaster and the zombies.
Typical protocols:
Internet Relay Chat (IRC) protocol
HTTP
Overnet (Kademlia)
Protocols imply (to an extent) a botnet's communication topology.
The topology provides trade-offs in terms of bandwidth, effectiveness, stealth, and so forth.
Botnet Infection Stages - Centralized
Part 2: How does a botnet operate?
Popular Botnet Propagation Methods
Figure: spammed messages, social networking websites, malicious websites, removable devices, worm; each path leads to: install malware, become bot
Shift in the way that malware is distributed
Every 1.3 seconds a new web page is getting infected
Every month almost 2 million web pages across 210,000 websites are infected with Malware
Malware attacks have grown by 600% since 2008
Sample subjects and attachments
Sample subjects:
A killer at 11, he's free at 21 and kill again!
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Re: Your text
Radical Muslim drinking enemies's blood.
Saddam Hussein alive!
Fidel Castro dead.
FBI vs. Facebook
Sample attachments:
Postcard.exe
ecard.jpg
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe
GreetingPostcard.exe
MoreHere.exe
FlashPostcard.exe
GreetingCard.exe
ClickHere.exe
ReadMore.exe
FlashPostcard.exe
FullNews.exe
NflStatTracker.exe
ArcadeWorld.exe
Left-right-brain-test.gif
Part 3: How is a botnet organized?
Traditional botnet
Figure: Attacker, Commands & controls, Zombies, Attack, Victim, Infect, Your home computer
Botnet topology mainly refers to the organization of C&C channels between zombies and an attacker.
Topology
Based on C&C channels, there are two typical botnet topologies:
Centralized
Decentralized (P2P)
Traditional botnet metrics:
Resiliency: a botnet's ability to cope with a loss of members (zombies) or servers
Latency: reliability in message transmission
Enumeration: an ability to accurately estimate a botnet's size; difficulty for security analysis
Re-sale: a possibility to carve off sections of the botnet for lease or resale to other operators.
Centralized botnet
Communication between attacker and zombies goes via a centralized server
Classical communication method: IRC (Internet Relay Chat)
Figure: Centralized server
Centralized botnet topologies
Centralized topology can be represented in different shapes.
The exact organization of a botnet depends on the bot operator; nothing prevents a bot operator from coming up with a new topology.
Often seen topologies: Hierarchical, Multi-server, Star
Star topology
Communication is directly between a single centralized server and ALL zombies.
When a new machine is infected, it is preconfigured to contact the server to announce its membership.
Pros: low latency
Each zombie is issued commands directly from the server.
Cons: low resilience
Only the server needs to be blocked to neutralize the whole botnet
Example
Koobface
Old variant employed star architecture:
Zombies connected to C&C server directly
Multi-server topology
Similar to star topology
Instead of one server, multiple servers are used to provide instructions to zombies.
Pros:
Better resilience: no single point of failure
Geographical distribution of servers: communication speed-up
More resistant to legal shut-downs
Cons: requires advance planning
Hierarchical topology
Zombies are generally not aware of the server location
Pros:
Ease of re-sale: a botnet operator can easily carve off sections of their botnet for lease or resale to other operators.
Hard to enumerate: hard to evaluate the size and complexity of the botnet
Cons:
High latency makes some botnet attacks difficult.
Example - Gumblar
Gumblar's architecture is not well studied; fully built on zombies
Website visitors are infected with the Windows executable; it grabs FTP credentials from the victim machines. The FTP account is then used to infect every webpage on the new webserver.
Hybrid topologies
High resilience
Low latency
Example: Hierarchical P2P
Centralized P2P (Centralized Peer-to-peer)
Storm botnet
A three-level self-organizing hierarchy:
master servers
proxy bots: transfer traffic between workers and master servers
worker bots: responsible for sending the spam; reached through the proxy bots
Once a Storm binary is downloaded, an infected host might become a worker bot (if not reachable from the Internet) or a proxy
Part 4: How do botnets hide?
Rootkit
A rootkit is a tool that is designed to hide itself and other processes, data, and/or activity on a system
To hide what is taking place an attacker wants to:
Survive system restart
Hide processes
Hide services
Hide listening TCP/UDP ports
Hide kernel modules
Hide drivers
How Rootkit Works
Overwrite first few bytes of target function with a jump to rootkit code
Create trampoline function that first executes overwritten bytes from original function, then jumps back to original function
When function is called, rootkit code executes
Rootkit code calls trampoline, which executes original function
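A defender's counterpart to the mechanism just described, added here as an example (mine, not from the slides or any tool): if the first bytes of a function have been overwritten with a jump, comparing the in-memory prologue with the pristine copy from the on-disk image reveals the change, and decoding the first instruction tells whether it is an unconditional transfer of control of the kind a detour uses. The byte strings below are constructed x86-64 prologues and the function names are hypothetical; none of it comes from a real binary or rootkit.

```python
# Constructed x86-64 function prologues (not taken from any real binary).
# Clean:  push rbp; mov rbp, rsp; sub rsp, 0x20
CLEAN_PROLOGUE = bytes.fromhex("55 48 89 e5 48 83 ec 20")
# Hooked: the first five bytes replaced by "jmp rel32" (opcode E9) towards the
# rootkit code; the rest of the original instruction stream follows unchanged.
HOOKED_PROLOGUE = b"\xe9" + (0x1000).to_bytes(4, "little", signed=True) + bytes.fromhex("48 83 ec 20")


def decode_hook(code: bytes):
    """Describe the first instruction if it is an unconditional jump of a kind
    commonly used to detour a function; return None for anything else."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return f"jmp rel32 {rel:+#x} (relative to the next instruction)"
    if len(code) >= 6 and code[0:2] == b"\xff\x25":              # jmp [rip+disp32]
        disp = int.from_bytes(code[2:6], "little", signed=True)
        return f"jmp [rip{disp:+#x}]"
    if len(code) >= 12 and code[0:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        target = int.from_bytes(code[2:10], "little")            # mov rax, imm64; jmp rax
        return f"mov rax, {target:#x}; jmp rax"
    return None


def check_function(name: str, on_disk: bytes, in_memory: bytes, n: int = 8):
    """Compare the first n bytes of a function as stored in the on-disk image
    with the bytes currently mapped in memory. Return None when they agree,
    otherwise a finding that includes the decoded jump (if it is one)."""
    if on_disk[:n] == in_memory[:n]:
        return None
    return {
        "function": name,
        "hook": decode_hook(in_memory),
        "expected": on_disk[:n].hex(),
        "observed": in_memory[:n].hex(),
    }


def scan(image: dict, memory: dict, n: int = 8):
    """Run check_function over every function name present in both maps and
    return only the functions whose prologue has been altered."""
    findings = [check_function(name, image[name], memory[name], n)
                for name in image if name in memory]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    # Hypothetical function names; the maps stand in for "bytes read from the
    # executable on disk" and "bytes read from the running process".
    image = {"example_open": CLEAN_PROLOGUE, "example_read": CLEAN_PROLOGUE}
    memory = {"example_open": HOOKED_PROLOGUE, "example_read": CLEAN_PROLOGUE}
    for finding in scan(image, memory):
        print(finding)
```

The comparison is the part that matters: a jump at the start of a function is not by itself proof of tampering (legitimate instrumentation does the same), but a jump that is absent from the on-disk image and present in memory is exactly the inline hook the slide describes, and the relative target it decodes to points at where the rootkit code lives.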
Rootkit Usage Example: Hide process
Figure: Process list BEFORE the rootkit is launched.
Figure: Process list AFTER the rootkit is launched.
Part 5: What is the function of botnets?
Botnet Activities
The least damage caused by Botnets: bandwidth consumption
Other things:
DDOS attacks
Spam
Click Fraud
Data Theft
Phishing
Mistrustful services
DDOS attacks
e.g. Google.com
Figure: Attacker; zombies in China, Brazil, Russia, US
http://en.wikipedia.org/wiki/Denial-of-service_attack
Click Fraud
Pay per Click (PPC) is an Internet advertising model used on websites in which advertisers pay their host only when an ad is clicked.
Famous Bots: ClickBot (100k), Bahama Botnet (200k)
Click Fraud - FFSearcher
http://blog.trendmicro.com/click-fraud-takes-a-step-forward-with-troj_ffsearch/
Data Theft
Accounts for a great deal of botnet activity.
Purpose: harvesting user data
Screen captures
Typed data
Files
Anti-Spyware software
Highly controversial.
Has resulted in scareware.
http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf
Data Theft-Mumba Zeus Botnet
http://avg.typepad.com/files/revised-mumba-botnet-whitepaper_approved_yi_fv-2.pdf
Phishing
A deceptive email/website/etc. to harvest confidential information.
http://library.thinkquest.org/06aug/00446/Phishing.html
http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf
Thank You