The Protocols that run the Internet

Transcription

1 The Protocols that run the Internet Attack types in the Internet Seminarvortrag Sommersemester 2003 Jens Gerken

2 Content Internet Attacks Introduction Network Service Attacks Distributed Denial of Service Attacks Classification of DDoS Attacks Classification of DDoS Defends Conclusion

3 DNS Root Server Attack 22. October 2002 DDoS attack on 13 DNS root servers of the internet Only 4-5 survived without DoS

4 What causes Internet Attacks Conceptional Errors No standard encryption in protocols Programming Errors Basis for most attacks (overflow, etc) Configuration Errors Open ports which don t have to be open

5 Effect of Internet Attacks Loss of Confidentiality Data usually not encrypted Can be catched/read from 3rd persons Loss of Integrity Data can be manipulated Loss of Availability Denial of Service Attacks

6 Attack Techniques Social Engineering Viruses/Worms/Trojan horses Spoofing (IP, DNS, Web) Sniffing Connection Hijacking Attacks Network Service Attacks

7 Network Service Attacks Process Manipulation Overflow based attacks Non overflow-based attacks Denial of Service attacks Information Leaks System offers information to the attacker which can be used to compromise the system

8 Overflow based attacks Trying to pass extreme long query/argument to victim service programm Buffer overflow Attack Code attached Put on executable stack area of memory Code being run on the server

9 Overflow based attacks Example: MS Internet Information Services NNNNNNNNNNNNNNNNNNNNNNNNNNNN...attack_code 224 N s to fill up buffer Raw machine code put to executable Stack area

10 Non Overflow Based Attacks Uses insecure network service features Example: Web based CGI Exploits Attack on CIA Servers wd %0a = Shell Escape possibility to run every command locally on the server

11 Denial of Service Attacks Defintion: Explicit Attempt by attackers to prevent legitimate users of a service from using that service First widespread appearance of Distributed DoS in 1999 Continuous develepment of attack tools

12 DDoS Why Possible? Internet designed in terms of functionality not security Interdependence of Security Limitation of Resources Power of many > power of few

13 DDoS Attack Strategy Attacker recruits multiple agents/slaves Normally less secured machines easy to hack Agents can recruit new agents When DDoS Network is installed, agents run the attack on the victim

14

15 Classification of DDoS Attacks By Degree of automation Manual Semi automatic Automatic By exploited vulnerability Protocol Brute force

16 Classification of DDoS Attacks By Attack rate dynamics Continuous Variable By impact Disruptive degrading

17 Degree of Automation Manual Attacker scans for possible agents Hacks into and installs attack code Semi-automatic Attacker handler agents Direct and indirect communication possible Automated scripts for scanning and compromising Automatic Attacks

18 Degree of Automation Scanning Random Scanning Trial & error Scanning of possible agents Hitlist Scanning List with possible agents Topological Scanning Worms tactic

19 Degree of Automation Propagation Central Source Propagation

20 Degree of Automation Propagation Back Chaining Propagation

21 Degree of Automation Propagation Autonomous Propagation

22 Exploited Vulnerability Protocol Attacks Exploitation of Protocol Bugs/Features TCP SYN, Malformed Packets Brute Force Attack Filterable Attacks ICMP request Non filterable Attacks Attack packets request legitimate services (HTTP Flood) Filtering leads to DoS

23 Attack Rate Dynamics Continuous Rate Attacks Majority of Attacks Variable Rate Attacks Increasing Rate Attacks Fluctuation Rate Attacks

24 Impact of Attack Disruptive Attacks Goal: completely deny the victim s service to ist clients Currently all attacks aim to be disruptive Degrading Attacks Only partly DoS difficult to detect Nevertheless immense damage possible

25 Classification of DoS Defense By activity Level Preventive Attack prevention DoS prevention Reactive Detection strategy Response strategy

26 Preventive Mechanisms Attack Prevention System Security Firewalls Virus scanners Intrusion detection systems Protocol Security Problem: protocols designed being cheap for the client expensive for the server New or redesigned Protocols needed

27 Preventive Mechanisms Denial of Service Prevention Resource Accounting Mechanisms Access to resources depends on priviliges and behavior of the user Resource Multiplication Mechanisms Several servers Load Balancer High internal bandwith links

28 Reactive Mechanisms Detection Strategy Pattern Attack Detection Database with known attack signatures Anomaly Attack Detection Model of normal system behavior Unknown attacks can be detected

29 Reactive Mechanisms Response Strategy Agent Identification Traceback techniques Filtering Filter out the attack stream Reconfiguration Mechanisms Add more resources or isolate the attacked machine

30 DDoS & Final Conclusion No silver Bullet! Developing of new, easy to use attack tools continues As long as most systems are insecure, the whole internet is open to attacks Only global solutions can help