NETWORKS Fall 2012

REVIEW - LAST LECTURE
Computer Crimes
DDoS Attack Types
DDoS Attack Tools

REVIEW - PING OF DEATH
Ping of Death attacks exploit weaknesses in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original IP packet except that it contains an offset field that says, for instance, "This fragment is carrying bytes 200 through 400 of the original (non-fragmented) IP packet." The Ping of Death program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.
[Diagram: overlapping fragments. Packet 1 carries bytes 1-100, Packet 2 bytes 90-190, Packet 3 bytes 180-280; each fragment's offset overlaps the end of the previous one.]

REVIEW - ATTACK TOOLS
As with any attack, there are tools available that will almost completely automate a DDoS attack. These include:
  TRIN00
  TFN
  Stacheldraht
They have all been used to generate DDoS attacks.

OUTLINE
Computer Crimes
Legal Issues
Example Attack

Computer Crimes

CRIMES 1
The editor of Durban's (South Africa) Independent newspaper found himself in the hot seat in December 2002 after a cracker broke into the newspaper's e-mail system and sent around an e-mail from the editor to the paper's managing director. In the e-mail message, the editor had listed a number of senior staff who he felt should be ousted from their positions. The editor is on leave indefinitely.

CRIMES 2
Lawyers are being sued for hacking into the Web site of an expert witness they hoped to discredit in a class-action lawsuit against a Cleveland company accused of sickening nuclear-weapons assembly workers with beryllium. Occupational illness expert David Egilman accuses attorneys for Jones, Day, Reavis & Pogue of breaking into his password-protected web site and accessing records to use against him in court.
Egilman says he became suspicious when Jones, Day attorneys introduced pages from the restricted site during the trial. Testimony indicated the information was accessed after someone at the law firm guessed the passcode, according to The Washington Post. Egilman maintains the lawyers involved violated the Computer Fraud and Abuse Act.

CRIMES 3
E-mail viruses were almost twice as prevalent in 2002 as they were in 2001, with one e-mail in every 200 containing a virus. Virus-scanning firm MessageLabs said it stopped 9.3 million viruses in two billion e-mails this year, which equated to one virus in every 215 e-mails. This is compared to 1.8 million viruses stopped in 718 million e-mails in 2001, or one virus in every 398 e-mails. Alex Shipp, senior antivirus technologist at MessageLabs, said the more prevalent viruses owed their success to the fact that people found them hard to spot. "This is because these are able to 'spoof' e-mail addresses, so that the identity of the real sender is difficult to trace," said Shipp. "It also means that by mass mailing contacts from a recipient's address book, further victims are likely to open the rogue e-mail, because they think it is from someone they know and trust."

Legal Issues

WHAT IS YOUR LEGAL STANDING?
If your system is broken into, or is used to break into someone else's system, who is at fault? Who can be sued, and for how much? What is your liability? There is new legal ground being explored that may result in many multi-million dollar lawsuits in the near future.

A HYPOTHETICAL EXAMPLE
The players:
1. The first is Jane G., a network security administrator in the United Kingdom. She works for a company that does approximately US$200M in business per year. Her yearly salary is US$55,000.
2. The second is MegaCorp's web server, a non-mission-critical machine accessible from the Internet. MegaCorp is a US$10.4 billion/year public company.
The server is hosted internally, and is physically located at MegaCorp's facility in Iowa. MegaCorp exercises complete control over all aspects of the web server.
3. The third is a web server that belongs to a non-profit research hospital in the state of Washington.
4. The last is Mr. Big Star, who receives medical treatment at the research hospital.

JANE'S INITIAL ATTACK
While accessing the Internet at work, Jane finds a six-month-old vulnerability in MegaCorp's web server. Exploiting this vulnerability, Jane is able to gain privileged access to the system. From MegaCorp's system, Jane then discovers a month-old vulnerability on the hospital system located in Washington state. She is able to exploit this as well and gains privileged access to the hospital server. Once Jane is a privileged user on the hospital's system, she is able to penetrate more deeply into the hospital's network, where she finds a database server containing sensitive patient records. While browsing the database, Jane G. stumbles on Mr. Big Star's file and decides to download a copy.

JANE'S FINAL ACTIONS
Having finished her shift at work, Jane G. installs a Denial of Service attack tool on the MegaCorp server. She begins an attack against the hospital's web server to throw the administrators off her trail. She goes home and posts Mr. B. Star's file to a web site in Canada and sends it to her friends on IRC.

Who can sue whom?
  Possible plaintiffs: MegaCorp, the Hospital, Mr. Big Star
  Possible defendants: Jane G., MegaCorp, the Hospital

LEGAL THEORIES
Obviously the three injured parties can all sue Jane G. But she only makes $55k/year, so how much can they recover? Under the principle of downstream liability it may be possible for both the Hospital and MegaCorp to be sued, and both are certainly deeper pockets than Jane G. The crux of the downstream liability issue is negligence. Negligence consists of four parts: duty, breach, causation, and damages.
DUTY
Duty is simply defined as a prudent person's obligation to use reasonable care. A more detailed definition can be found in Prosser, Wade, and Schwartz's Cases and Materials on Torts: "requiring the actor to conform to a certain standard of conduct, for the protection of others against unreasonable risks". To use an automotive analogy, a driver has the duty to ensure his vehicle has fully functioning brakes and lights, good tread on the tires, and so forth. Furthermore, the driver of the vehicle has the duty to operate her car with reasonable care and not to drive recklessly. Regarding downstream liability, does an owner of IT assets on the Internet have a duty to keep his systems secure and not to be used to hurt another? Prevailing legal opinion seems to be yes.

BREACH
Assume for now that the duty exists; showing negligence means there must be a breach. For a breach to occur, the plaintiff must show that the defendant failed to perform her duty. In the worst case, the defendant did nothing at all to address network security issues. In the less extreme case, the defendant could simply have failed to perform her duty to the appropriate standard. Either will suffice to show a breach of the duty, as long as the remainder of the requirements are met.

CAUSATION & DAMAGES
Causation means that the aforementioned breach caused the damages in the incident. In this case, you will have to show what each of the parties did (or didn't do) which led to some real damages. It is imperative for the plaintiff to directly link the breach of duty to very specific damages, and to show that the damages would not have been incurred but for the breach. In order for damages to be awarded, something has to be harmed.
Damages are broken down into three types:
  Nominal: just enough to say "you won"
  Compensatory: repayment for actual and real damages
  Punitive: an amount above compensatory to punish the defendant and make an example, so as to deter similar conduct in the future

WHAT SHOULD THEY HAVE DONE?
The problem is: what is the due standard of care in a given situation? What are the accepted best practices? What, exactly, should MegaCorp have done to avoid being used as a conduit to the hospital intrusion? In general the duty is defined as the actions taken by "a reasonable and prudent person". Unfortunately this definition provides a wide range of possibilities: one person's "reasonable" and "prudent" is another person's "overkill" and yet another person's "insufficient". The problem often becomes the need to discover what these terms mean in a given trade or industry. However, a caveat applies: the tendency of an industry to be generally negligent in its practices does not mean that the court will (or should) use these practices as the de facto standard.

FIREWALL REQUIREMENT
At the very least, both MegaCorp and the Hospital should have had a reasonable firewall in place. The DDoS attacks were made possible by the almost nonexistent use of egress filtering by network-connected entities. Ten to fifteen years ago, firewalls were strange and almost unheard-of beasts. However, times have changed, and any organization that does not protect its network with a firewall is likely to be greeted with incredulity and dismay. Egress filtering is a simple concept: examine packets as they leave the corporate network to ensure no inappropriate or malicious traffic escapes into the world. For example, spoofed packets should not be allowed to leave the network because they do not bear a valid source address.
The legal world would argue that an organization which owns/operates a connection to the Internet and does not filter traffic is already in breach of its duty to protect its assets from misuse and abuse.

PATCHING REQUIREMENTS
There is a great deal of debate over the process of obtaining and installing necessary patches for applications and operating systems. On one side are the proponents who feel that all patches should be applied immediately. On the other side are those who cite any number of patches in recent years that fixed one problem but created three more, and so they feel that patching should be deferred until the patch is deemed safe and stable. Regardless of which side of the "patch war" you take, installing patches is one of the best things an organization can do to protect itself against automated attacks. It also can provide proof of due diligence.

DUE DILIGENCE 1
A proposed standard: security-related patches, when the potential exists to harm a third party, should be installed no later than ten (10) calendar days after release of the patch by the vendor. Many individuals will think that this interval is too short or (probably) far too short. The reasons commonly given against this 10-day period include the fact that there are simply not enough personnel to handle the work. However, going back to the issue of organizational responsibility, the owner of the network has a duty to make sure the network is as safe as it can reasonably be made. This duty includes having access to the resources (i.e. personnel and equipment) needed to test and apply patches in a timely fashion.

DUE DILIGENCE 2
Egress filtering should be enabled on the network perimeter. There is no legitimate business purpose for spoofed packets, and a simple set of rules on the firewall or border router can block this traffic before it affects someone else.
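Egress filtering as an added example (not from the lecture): a decision function that drops any outbound packet whose source address is not inside the site's own address blocks, applied to a constructed batch of packets as a border device would see them. The prefixes, the sample addresses and the iptables line quoted in the comment are assumptions for illustration, not taken from the slides.

```python
import ipaddress

# Constructed: the prefixes this site legitimately sources traffic from.
# Anything leaving with a source outside them is either spoofed or a leak.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

def egress_verdict(src_ip, prefixes=INTERNAL_PREFIXES):
    """ALLOW if the outbound packet's source is one of ours, DROP otherwise.

    This is the whole anti-spoofing rule: the border only lets out packets
    that carry a source address the site actually owns. On a Linux border
    the same policy is one static rule, roughly (assumed interface name):
        iptables -A FORWARD -o eth0 ! -s 203.0.113.0/24 -j DROP
    """
    addr = ipaddress.ip_address(src_ip)
    return "ALLOW" if any(addr in net for net in prefixes) else "DROP"

def filter_outbound(packets, prefixes=INTERNAL_PREFIXES):
    """Apply the rule to (src, dst) pairs.

    Returns the per-packet verdicts and the list of dropped source addresses,
    which is what an operator would want logged: a dropped packet here means a
    host inside is emitting forged or private sources and needs attention.
    """
    verdicts, dropped = [], []
    for src, dst in packets:
        v = egress_verdict(src, prefixes)
        verdicts.append((src, dst, v))
        if v == "DROP":
            dropped.append(src)
    return verdicts, dropped

# Constructed sample of outbound packets observed at the border.
SAMPLE_OUTBOUND = [
    ("203.0.113.17", "192.0.2.80"),   # real internal host: allowed
    ("198.51.100.5", "192.0.2.25"),   # real internal host: allowed
    ("10.9.8.7", "192.0.2.80"),       # private address leaking out: dropped
    ("192.0.2.200", "192.0.2.80"),    # forged source the site does not own: dropped
]

if __name__ == "__main__":
    verdicts, dropped = filter_outbound(SAMPLE_OUTBOUND)
    for src, dst, v in verdicts:
        print(f"{src:>15} -> {dst:<12} {v}")
    print("dropped sources:", dropped)
```

Because the prefix list only changes when the site's address allocation changes, the rule set can stay static, which is what makes this control cheap to keep in place compared with most other perimeter measures.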
These rules could likely remain static and still do the job, which is as close as anything can get to "set it and forget it" in this arena.

JANE'S EMPLOYER
What role does Jane G.'s employer play in the event? Her employer provided the computer and Internet connection used to perpetrate the act. The legal world has a theory of vicarious liability. Under this theory, the harmed plaintiffs may be able to sue Jane's employer for compensation:
  - where an employee is acting within the scope of employment and doing something in the furtherance of his work; and
  - the employer is or should be exercising some control;
  then the employer will be liable for the negligent acts of the employee.
Jane G. is a network security administrator, and she conducted the attacks while at work, using her employer's resources. If her employer has published policies in place, and enforces them regularly, it will be difficult to hold Jane's employer vicariously liable.

Example Attack

SYN FLOOD - THE MITNICK ATTACK
Kevin Mitnick is a reformed (?) hacker who for many years broke into computer systems around the world. He was arrested at least 5 times and eventually became the subject of a book called Takedown. The Mitnick Attack used two techniques: SYN flooding and TCP hijacking. The SYN flood kept one system from being able to transmit, so the attacker assumed its identity and hijacked the TCP connection.

REVIEW - THE SYN FLOOD
To establish a TCP connection, two parties execute a 3-way handshake.
[Diagram: Attacker -> Victim: 1. SYN packet; Victim -> Attacker: 2. SYN/ACK; Attacker -> Victim: 3. OK]
In a SYN flood attack, the attacker does not return the OK signal.

REVIEW - SYN FLOOD GOAL
The goal of SYN flooding is not to complete the 3-way handshake; rather it is to exceed the limits for the number of waiting connections. The result is that the system under attack cannot establish any other connections. It is a basic DoS (denial of service) attack.

HIDING THE ATTACK
Since the purpose of such an attack is to shut down a system, there is no need to allow the source of the attack to be identified. Hence, the source address of the initial SYN packets is spoofed.
IP header from SYN flooding attack code:
    /* Fill in all the IP header information */
    packet.ip.version=4;            /* 4-bit version */
    packet.ip.ihl=5;                /* 4-bit header length (in 32-bit words) */
    packet.ip.tos=0;                /* 8-bit type of service */
    packet.ip.tot_len=htons(40);    /* 16-bit total length */
    packet.ip.id=getpid();          /* 16-bit ID field */
    packet.ip.frag_off=0;           /* 13-bit fragment offset */
    packet.ip.ttl=255;              /* 8-bit time to live */
    packet.ip.protocol=IPPROTO_TCP; /* 8-bit protocol */
    packet.ip.check=0;              /* 16-bit header checksum (filled in below) */
    packet.ip.saddr=sadd;           /* 32-bit source address */
    packet.ip.daddr=dadd;           /* 32-bit destination address */

PROTECTING THE FAKE SOURCE ADDRESS
If the fake source address exists, then the system will contact it and receive a RESET in return. So, the source address must be routable but not active. Hence, the source address is checked first by the attacking code and then used if it will work.

INFORMATION GATHERING
Prior to any attack, basic information about the target system is needed. Hence, complex attacks are preceded by "recon" probes (intelligence-gathering efforts). Here is a sample of the actual probes used by Mitnick. They were discovered by tcpdump, a network monitoring tool. (target, server and x-terminal are machine names.)

  time      probe source   command
  14:09:32  toad.com#      finger -l @target
  14:10:21  toad.com#      finger -l @server
  14:10:50  toad.com#      finger -l root@server
  14:11:07  toad.com#      finger -l @x-terminal
  14:11:38  toad.com#      showmount -e x-terminal
  14:11:49  toad.com#      rpcinfo -p x-terminal
  14:12:05  toad.com#      finger -l root@server

UNIX COMMANDS
The Unix commands used in these probes include:
  finger: will tell you who is logged on to the system, when they last logged in, ...
  showmount -e: will provide information about the file systems that are exported with NFS. Of interest to attackers are file systems that are world readable or writable.
  rpcinfo: provides information about the remote procedure call services that are available on a system; the -p option gives the ports where the services reside.
ASIDE - READING THE TCPDUMP TRACE
A tcpdump trace entry provides information on the 3-way handshake process. The fields of an entry, using the first packet of the trace:

  Timestamp        source host.source port > dest host.dest port: TCP flag(s)  Seq Num : ACK Num          TCP window size
  14:18:25.906002  apollo.it.luc.edu.1000 > x-terminal.shell:      S            1382726990:1382726990(0)  win 4096

ASIDE - TCP HANDSHAKE
[Diagram: SYN, SYN/ACK, Reset]
A tcpdump will show all three packets in the 3-way handshake:
  14:18:25.906002 apollo.it.luc.edu.1000 > x-terminal.shell: S 1382726990:1382726990(0) win 4096
  14:18:26.094731 x-terminal.shell > apollo.it.luc.edu.1000: S 2021824000:2021824000(0) ack 1382726991 win 4096
  14:18:26.172394 apollo.it.luc.edu.1000 > x-terminal.shell: R 1382726991:1382726991(0) win 0

ASIDE - SEQUENCE NUMBERS
To hijack a connection, it is necessary to determine the correct sequence number that will be attached to each return SYN/ACK. For example, say the return SYN/ACKs for two sets of packets are:
  14:18:26.094731 x-terminal.shell > apollo.it.luc.edu.1000: S 2021824000:2021824000(0) ack 1382726991 win 4096
  14:18:26.694691 x-terminal.shell > apollo.it.luc.edu.999: S 2021952000:2021952000(0) ack 1382726992 win 4096
The difference is 128,000. Check a few more sets to verify it.

IP ADDRESS CHECKING
Mitnick's goal was to assume the identity of a trusted system. How can one system appear to be another? Wouldn't the victim notice that the attacker has the wrong IP address? The IP address is checked for establishing a trust relationship when the connection is being established, if the host is running software like TCP Wrappers.

TCP WRAPPER
TCP Wrappers is a tool that controls host access, and tracks and logs intruders. It provides some firewall-like functionality. Its goal is to check out incoming TCP connections before the real server gets the connection. TCP Wrappers defaults to a "paranoid" mode: as a connection is being established, the host compares the results of a DNS name lookup to the results of a DNS address lookup and makes sure the address and name of the connecting system match. If not, it drops the connection.

SOME IMPORTANT OBSERVATIONS
Checking things only once is a problem. One of the primary classes of attacks on a host is to allow a program to validate the ownership or permissions of a file once and then to quickly introduce a different file before the program notices. Computers that are not in a paranoid mode, doing both forward and reverse DNS lookups when establishing a connection, are fairly vulnerable to being spoofed.

IP ADDRESS FORGING
Why the host does not detect the wrong IP address: the Internet address is in the IP header and the sequence number is in the TCP header. TCP applications only track the sequence number. If a packet has the wrong sequence number, the other side will send a RESET and break off the connection. Hence the importance of predicting the sequence number.

SUMMARY: ATTACK STATUS
  1. The real server is shut down by a SYN flood attack.
  2. A forged SYN is sent to x-terminal.shell from the fake server.login.
  3. Since server.login is a trusted server, x-terminal will execute its commands.
  4. x-terminal responds with a SYN/ACK.
  5. A forged ACK is sent back with the correct sequence number.

RLOGIN
Unix has a remote login service called rlogin that bypasses password checking. It is available to systems listed in /etc/hosts.equiv and /.rhosts. If a wild card (++) is placed in the /.rhosts file, then the system will trust all computers and all users as root.

BACK TO THE ATTACK
Once a trusted connection is established as the fake server.login, modify the /.rhosts file to trust everything with root status. The command is:
  rshell -rsh x-terminal "echo ++ >>/.rhosts"
Now terminate the connection, release the server with a series of RESETs, and log in to the target system from any computer (it is accepted as root).
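The sequence-number check from the ASIDE slides, written out as an added example (not part of the lecture): a parser for tcpdump lines in the format the slides show, a collector for the initial sequence numbers x-terminal chose on its SYN/ACK replies, and a test for whether those numbers advance by a constant step. In tcpdump's format the number before the colon is the sender's initial sequence number and the number after it is that value plus the segment's payload length, shown as (0) for these handshake packets. The trace below contains the lines from the slides plus three constructed lines (marked as such) that continue the 128,000 step, so there is more than one difference to compare. A defender runs this over a capture from their own host to confirm its ISN generator does not behave this way.

```python
import re
from typing import List, Optional

# Matches the tcpdump TCP summary lines used on the slides:
#   <ts> <src>.<port> > <dst>.<port>: <flags> <seq>:<seq+len>(<len>) [ack <n>] win <w>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SRPFA.]+)\s+"
    r"(?P<seq>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\)"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"\s+win\s+(?P<win>\d+)"
)

def parse_line(line: str) -> Optional[dict]:
    """Parse one tcpdump line; None if it is not a TCP summary line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("seq", "seq_end", "len", "win"):
        d[k] = int(d[k])
    d["ack"] = int(d["ack"]) if d["ack"] is not None else None
    # tcpdump writes host.port; the port is the last dot-separated field.
    d["src_host"], d["src_port"] = d["src"].rsplit(".", 1)
    d["dst_host"], d["dst_port"] = d["dst"].rsplit(".", 1)
    return d

def synack_isns(lines: List[str], server: str) -> List[int]:
    """ISNs that `server` chose on its SYN/ACK replies, in capture order.

    A SYN/ACK shows up in tcpdump as flag S together with an ack field.
    """
    isns = []
    for line in lines:
        p = parse_line(line)
        if p and p["src_host"] == server and p["flags"] == "S" and p["ack"] is not None:
            isns.append(p["seq"])
    return isns

def isn_deltas(isns: List[int]) -> List[int]:
    """Differences between consecutive ISNs (the slides' 128,000)."""
    return [b - a for a, b in zip(isns, isns[1:])]

def isn_is_predictable(isns: List[int]) -> bool:
    """True when every observed step is identical: the generator is a counter,
    so the next ISN can be computed from the previous one. A sound generator
    shows no constant step across consecutive connections."""
    deltas = isn_deltas(isns)
    return len(deltas) >= 2 and len(set(deltas)) == 1

# Trace: the lines from the slides, plus constructed lines marked below.
TRACE = [
    "14:18:25.906002 apollo.it.luc.edu.1000 > x-terminal.shell: S 1382726990:1382726990(0) win 4096",
    "14:18:26.094731 x-terminal.shell > apollo.it.luc.edu.1000: S 2021824000:2021824000(0) ack 1382726991 win 4096",
    "14:18:26.172394 apollo.it.luc.edu.1000 > x-terminal.shell: R 1382726991:1382726991(0) win 0",
    "14:18:26.507560 apollo.it.luc.edu.999 > x-terminal.shell: S 1382726991:1382726991(0) win 4096",  # constructed
    "14:18:26.694691 x-terminal.shell > apollo.it.luc.edu.999: S 2021952000:2021952000(0) ack 1382726992 win 4096",
    "14:18:27.294691 x-terminal.shell > apollo.it.luc.edu.998: S 2022080000:2022080000(0) ack 1382726993 win 4096",  # constructed
]

if __name__ == "__main__":
    isns = synack_isns(TRACE, "x-terminal")
    print("SYN/ACK ISNs:", isns)
    print("deltas:", isn_deltas(isns))
    print("predictable:", isn_is_predictable(isns))
```

On the two SYN/ACKs from the slides alone, isn_deltas returns the single value 128,000; the constructed third reply makes the second delta identical, which is the "check a few more sets" step the slide asks for, and isn_is_predictable then returns True. On a modern host with randomised ISNs the deltas vary and the function returns False.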
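Two of the host-side checks the TCP WRAPPER and RLOGIN slides describe, as an added example (not code from the lecture or from the TCP Wrappers package): the "paranoid" forward/reverse DNS consistency test, using constructed lookup tables in place of real DNS so it runs offline, and an audit that flags wildcard entries such as the ++ line in /.rhosts or /etc/hosts.equiv. All host names, addresses and file contents are constructed.

```python
from typing import Dict, List, Tuple

# Constructed lookup tables standing in for DNS. 192.0.2.66's PTR record
# claims the name of the trusted server, but the name does not map back to it.
REVERSE: Dict[str, str] = {
    "192.0.2.10": "server.example.org",
    "192.0.2.66": "server.example.org",
}
FORWARD: Dict[str, List[str]] = {
    "server.example.org": ["192.0.2.10"],
    "x-terminal.example.org": ["192.0.2.20"],
}

def paranoid_check(peer_ip: str, reverse=REVERSE, forward=FORWARD) -> Tuple[bool, str]:
    """The paranoid mode test: reverse-map the peer address to a name, forward-map
    that name back, and accept only if the original address is among the results.
    Run on every connection, not once per host (see SOME IMPORTANT OBSERVATIONS)."""
    name = reverse.get(peer_ip)
    if name is None:
        return False, "no PTR record for address"
    if peer_ip not in forward.get(name, []):
        return False, f"name {name} does not map back to {peer_ip}"
    return True, f"{peer_ip} <-> {name} consistent"

def audit_trust_file(text: str, path: str) -> List[Tuple[str, int, str]]:
    """Flag dangerous entries in a .rhosts / hosts.equiv body.

    Entries are 'host [user]'. A '+' host field trusts every host; a '+' user
    field trusts every user from that host. The '++' token the slides show is
    reported the same way as '+ +'. Returns (path, line number, finding).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] in ("+", "++"):
            findings.append((path, lineno, "wildcard host trusted: " + line))
        elif len(fields) > 1 and fields[1] == "+":
            findings.append((path, lineno, "wildcard user trusted: " + line))
    return findings

# Constructed /.rhosts contents, including the lines an audit should catch.
SAMPLE_RHOSTS = "\n".join([
    "# constructed /.rhosts",
    "server.example.org root",
    "x-terminal.example.org",
    "+ +",
    "++",
    "server.example.org +",
])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.66", "192.0.2.99"):
        print(ip, paranoid_check(ip))
    for path, lineno, msg in audit_trust_file(SAMPLE_RHOSTS, "/.rhosts"):
        print(f"{path}:{lineno}: {msg}")
```

The DNS test only defends against a peer whose address is genuinely wrong; it does nothing against the forged-source, predicted-sequence-number connection the attack uses, which is why the trust file audit matters as well: a host that never grants password-less trust by address has nothing for that connection to exploit.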