1
Topic 1 – Lesson 3: Network Attacks
Summary
2
Questions
► Compare passive attacks and active attacks
► How do packet sniffers work? How to mitigate?
► How does spoofing work? How to mitigate?
► A step by step description of DoS attacks; how to mitigate?
► Compare virus, worms, and Trojan Horses. How to mitigate?
► How do malicious applets work? How to mitigate?
► How do war dialers work? How to mitigate?
► How do logic bombs work? How to mitigate?
► How do buffer overflow attacks work? How to mitigate?
► How can hackers use social engineering tactics? How to mitigate?
► How does dumpster diving work? How to mitigate?
3
Compare passive attacks and active attacks
► Passive attacks eavesdrop
► Active attacks change data
► Defeating passive attacks should focus on detection
► Active attacks are malicious and will directly cause damage
► 4 example active attacks: masquerade, replay, denial of service, modification
► Active attacks generally are preceded by passive attacks
4
How do packet sniffers work? How to mitigate?
► Packet sniffers discover information by listening in on network traffic
► Packet sniffers are passive attacks and do not alter data
► How to mitigate?
  - Use encryption to prevent sniffing
  - Use one-time passwords to help defeat sniffing
  - Packet sniffers are hard to detect because they do not alter network traffic
5
How does spoofing work? How to mitigate?
► Spoofing is a camouflage technique
► Three common types of spoofing attacks
  - IP spoofing
  - Email address spoofing: fake an email address
  - Web page spoofing: fake a web page
► How to mitigate?
  - Sender-side access control: filters can stop people from sending out spoofed IP packets or emails
  - Receiver-side access control: need to know whether an arriving packet is spoofed
  - Cryptography and authentication may help
  - IP address-based authentication is limited: why?
  - Mitigation is difficult if you have trusted systems outside your network; you should use firewalls
6
A step by step description of DDoS attacks; how to mitigate?
► Step 1: the attacker breaks into 1001 computers
► Step 2: the attacker installs the master program on one computer and the daemon software on the other 1000 computers
► Step 3: the attacker picks a victim
► Step 4: when the attacker launches the DDoS attack, the attacker instructs the master program to launch the attack; the master program then instructs the 1000 daemons to send a lot of packets to the victim
► How to mitigate?
  - Ways to stop the server from crashing include limiting nonessential traffic
  - Hard to defend because the packets look like normal traffic
  - Harder to defend because they spoof IP addresses
7
Compare virus, worms, and Trojan Horses. How to mitigate?
► In Lesson 2, we clarified the differences between viruses and worms
► Trojan horses are a special type of virus
► A Trojan horse refers to a computer program that does more than it claims
► One possible purpose of Trojan horses is to get passwords and info and send them back
► How to mitigate?
  - Use antivirus software
  - Only download from trusted web sites
  - Do not execute unknown applications/tools
8
On Trojan Horses
[Figure: a clean program, e.g., a tool, is attacked and malicious code is attached to it; the result is a Trojan Horse]
9
How do malicious applets work? How to mitigate?
► Java applets are embedded in web pages
► When you open a web page or click a hyperlink, a malicious applet could be executed on your computer
► Applets compromise privacy and security by stealing passwords, modifying files, and spoofing email
► How to mitigate?
  - Disable Java to avoid running applets
10
How do war dialers work? How to mitigate?
► Dial numerous numbers and try to establish an illegal connection
► Break into a computer via its dial-up connection
► How to mitigate?
  - Change passwords and do not use dial-up
  - Use strong passwords; do not use dictionary words
  - Less vulnerability using an Ethernet connection
11
How do logic bombs work? How to mitigate?
► Logic bombs can be viewed as a special type of Trojan horse
► A typical Trojan horse is activated whenever the infected software program is executed; logic bombs, however, typically stay dormant until certain conditions are satisfied
► Can be deployed by worms or viruses? -- Yes
► Can be internal attacks from employees
► How to mitigate?
  - Can be detected and removed by virus scanning
  - Tripwire: a tool to check if a program has been modified by the attacker
► Hash the original program: a hash is a unique value based on the content of the program file, and if the content changes then the hash value changes
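The baseline-and-verify check behind the Tripwire bullet, as an added example that is not part of the lecture and not Tripwire's own code. The function names, the struct, and the two in-memory "program files" are constructed for the example; FNV-1a stands in for the cryptographic hash a real checker would use.

```c
#include <stdint.h>
#include <stdio.h>
/* 64-bit FNV-1a, used only to keep the example self-contained. A real
 * integrity checker such as Tripwire uses a cryptographic hash (e.g. SHA-256)
 * so that an attacker cannot craft a modified file with the same hash. */
uint64_t content_hash(const unsigned char *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;    /* FNV offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;             /* FNV prime */
    }
    return h;
}

/* Baseline record for one program file: its name and the hash taken while
 * the file was known to be clean. */
struct baseline { const char *name; uint64_t hash; };

/* 1 if the current content still matches the baseline, 0 if it was modified. */
int verify_program(const struct baseline *b, const unsigned char *data, size_t len)
{
    return content_hash(data, len) == b->hash;
}

/* Constructed stand-ins for a program's bytes (a real checker reads the file
 * from disk); the second copy has a dormant trigger appended to it. */
static const unsigned char CLEAN_PROG[] =
    "login-tool v1.0: check password; open session";
static const unsigned char BOMBED_PROG[] =
    "login-tool v1.0: check password; open session; if date==X then wipe";

int clean_copy_matches(void)
{
    struct baseline b = { "login-tool", content_hash(CLEAN_PROG, sizeof CLEAN_PROG) };
    return verify_program(&b, CLEAN_PROG, sizeof CLEAN_PROG);      /* 1 */
}

int bombed_copy_detected(void)
{
    struct baseline b = { "login-tool", content_hash(CLEAN_PROG, sizeof CLEAN_PROG) };
    return !verify_program(&b, BOMBED_PROG, sizeof BOMBED_PROG);   /* 1 */
}

int main(void)
{
    printf("clean copy verified: %d\n", clean_copy_matches());
    printf("bombed copy flagged:  %d\n", bombed_copy_detected());
    return 0;
}
```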
12
How can hackers use social engineering tactics? How to mitigate?
► Take advantage of human characteristics
► Talk unsuspecting employees out of sensitive info
► Comprehensive security policies will help
► Employees should be educated about this threat
13
How does dumpster diving work? How to mitigate?
► Sift through a company's garbage to find information to help break into the computers
► Sensitive documents should be shredded
14
How do buffer overflow attacks work? How to mitigate?
► When a web server is executed, its stack contains the return address
► The hacker sends a carefully crafted URL request message to the web server
  - The request contains a piece of code
► The request text overwrites the stack and the return address is changed
► The changed return address will mislead the CPU to execute the code contained in the attacking message
► More than 90% of real world hacking is via buffer overflow
15
Buffer overflow in depth
[Figure: inside the RAM of a web server, the stack holds the input buffer, other data, the return address, and code. Step 1: the hacker sends a malicious URL request. A normal URL request (http://www.cnn.com/a/b/c/x.html, http://www.x.y) fits in the input buffer; the malicious message overflows it, replacing the return address with a new return address that points at the malicious code carried in the message.]
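The request handler from the slides, as an added example that is not part of the lecture: the unchecked copy that lets a long request run over the return address, next to a bounds-checked version that rejects the request before anything is copied. The buffer size of 64 bytes and the function names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size stack buffer for the request, as in the lecture's web server.
 * The size 64 is an assumption for this example. */
#define URL_BUF 64

/* Vulnerable handler: strcpy copies until it finds a NUL byte, so a URL of
 * URL_BUF bytes or more runs past buf into the rest of the stack frame,
 * including the saved return address. Shown for comparison only; it is never
 * called with an over-long request here. */
int parse_url_unsafe(const char *url)
{
    char buf[URL_BUF];
    strcpy(buf, url);                   /* no length check: this is the bug */
    return (int)strlen(buf);
}

/* Hardened handler: the request is measured against the buffer size before
 * any copy and rejected (-1) if it would not fit together with its NUL. */
int parse_url_safe(const char *url)
{
    char buf[URL_BUF];
    /* memchr never scans past URL_BUF bytes, so a request with no NUL in
     * range cannot cause an out-of-bounds read either. */
    const char *nul = memchr(url, '\0', URL_BUF);
    if (nul == NULL)
        return -1;                      /* over-long request: reject it */
    size_t len = (size_t)(nul - url);
    memcpy(buf, url, len + 1);          /* bounded copy, including the NUL */
    return (int)strlen(buf);            /* accepted: number of bytes copied */
}

/* Constructed over-long request: 100 'A' bytes stand in for a message that
 * carries attacker code and a replacement return address. */
int overlong_request_rejected(void)
{
    char msg[128];
    memset(msg, 'A', 100);
    msg[100] = '\0';
    return parse_url_safe(msg);         /* -1: never reaches the buffer */
}

int main(void)
{
    const char *normal = "http://www.cnn.com/a/b/c/x.html";   /* from the slide */
    printf("normal request: %d bytes accepted\n", parse_url_safe(normal));
    printf("over-long request: %d (rejected)\n", overlong_request_rejected());
    return 0;
}
```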