CSC 6575: Internet Security Fall 2017

Transcription

1 CSC 6575: Internet Security Fall 2017 Attacks on Different OSI Layer Protocols Attacks at Upper OSI Layers Mohammad Ashiqur Rahman Department of Computer Science College of Engineering Tennessee Tech University

2 Presentation Topic Name Sub-Topic Date Cloud 9/27/2017 Cloud 9/29/2017 SDN/NFV 10/9/2017 SDN/NFV 10/13/2017 CPS 10/18/2017 CPS 10/23/2017 CPS 10/25/2017 CPS 10/30/2017 CPS 11/08/2017 CPS 11/10/2017 CPS 11/13/2017 CPS 11/15/2017 Each group will need to talk about some future works on their topics. The presenter(s) will the slides to all before the presentation. The quiz question will be sent to me only. The marks of the quizzes will be added as BONUS to the final exam. M. Ashiq Rahman, Tennessee Tech University 2

3 Term Proposal Presentation Term project proposal presentations on Monday, October 02, 2017 and Wednesday, October 04, minutes each. I need to discuss with each individual about his/her term project topic by the 29 th of September. M. Ashiq Rahman, Tennessee Tech University 3

4 Agenda Attacks on DNS DNS Hijacking/Poisoning DNS ID Guessing DDoS Attacks against DNS SQL Injection Attacks M. Ashiq Rahman, Tennessee Tech University 4

5 DNS Attacks: Redirection Client sends DNS query to its local DNS server Sniffed by attacker. Attacker hijacking the session by responding with bogus (?) DNS reply. Spoofed IP address M. Ashiq Rahman, Tennessee Tech University 5

6 Poisoning Local DNS Server Attacker queries local DNS server. Local DNS makes iterative queries. Attacker: Waits for some time Sends a bogus reply setting itself as the authoritative server M. Ashiq Rahman, Tennessee Tech University 7

7 Poisoning Local DNS Server (2) The local server provides the IP address of the attacker as the designated DNS server. M. Ashiq Rahman, Tennessee Tech University 8

8 DNS Cache Poisoning Force DNS server to recursively query attack server Attack server provides additional poisoned information M. Ashiq Rahman, Tennessee Tech University 9

9 DNS Poisoning through ID Guessing Attacker (4) A of some.somewhere.org?... not in victim s DNS (5) Forged A records are flooded for some.somewhere.org? with predicted IDs (1) A of some.attacker.org? (3) Sniff ID DNS at Attacker s Network (associated with *.attacker.org) (2) A of some.attacker.org with ID? Victim DNS Flood DNS server with queries for domains Each query associated with an ID Flood DNS server with forged responses for domains If forged ID of response matches, forged answers wins M. Ashiq Rahman, Tennessee Tech University 10

10 Why is DNS Poisoning Possible? (Cache) poisoning works because there is no authentication for replies. Only IP address (and ID) can be used for authentication BUT IP addresses can be spoofed. DNS is based on UDP Easier to do with UDP as TCP handshake provides some authentication. M. Ashiq Rahman, Tennessee Tech University 11

11 DoS Attacks on Servers: Content-Based Attacks Attacker can cause many machines by flooding victim with HTTP requests DB and Disk bandwidth Hard to detect Attack traffic is indistinguishable from legitimate traffic M. Ashiq Rahman, Tennessee Tech University 12

12 SQL Injection Attack Many web applications take user input using forms. This user input is often used literally in the construction of a SQL query submitted to a database. For example: SELECT productdata FROM table WHERE productname = <user input- product name>; A SQL injection attack is an exploitation by placing SQL statements in the user input. M. Ashiq Rahman, Tennessee Tech University 13

13 An Example SQL Injection Attack Product Search: blah OR x = x This input is put directly into the SQL statement within the Web application: $query = SELECT productinfo FROM producttable WHERE productname =. $_POST[ productsearch ]. ; The following SQL query is formed: SELECT productinfo FROM producttable WHERE productname = blah OR x = x ; Attacker has now successfully caused the entire database to be returned. M. Ashiq Rahman, Tennessee Tech University 14

14 A More Malicious Example What if the attacker had instead entered: blah ; DROP TABLE producttable; -- Results in the following SQL: SELECT productinfo FROM producttable WHERE productname = blah ; DROP TABLE producttable; -- Note how comment (--) consumes the final quote It causes the entire table to be deleted. It depends on knowledge of table name. Sometimes it is exposed to the user in debug code called during a database error. It can use non-obvious table names, and never expose them to user. M. Ashiq Rahman, Tennessee Tech University 15

15 Other Potential SQL Injections Using SQL injections, attackers can: Add new data to the database Could be embarrassing to find yourself selling politically incorrect items on an ecommerce site Perform an INSERT in the injected SQL Modify data currently in the database Could be very costly to have an expensive item suddenly be deeply discounted Perform an UPDATE in the injected SQL Gain access to other user s system capabilities by obtaining their password M. Ashiq Rahman, Tennessee Tech University 16

16 Defenses Use provided functions for escaping strings Many attacks can be thwarted by simply using the SQL string escaping mechanism blah' OR 'x' = 'x will be given to the query as blah'' OR ''x'' = ''x Not a silver bullet! Consider: SELECT fields FROM table WHERE id = 23 OR 1=1 No quotes here! M. Ashiq Rahman, Tennessee Tech University 17

17 More Defenses Check syntax of input for validity Many classes of input have fixed languages addresses, dates, part numbers, etc. Verify that the input is a valid string in the language Sometime languages allow problematic characters (e.g., * in addresses); may decide to not allow these. If you can exclude quotes and semicolons that s good. If the name Bill O Reilly! Need to allow the use of single quotes in names Rather than "remove known bad data", it's better to "remove everything but known good data. Impose a limit on the length of the input Many SQL injection attacks depend on entering long strings. M. Ashiq Rahman, Tennessee Tech University 18

18 Even More Defenses Scan query string for undesirable word combinations that indicate SQL statements. INSERT, DROP, etc. If you see these, can check against SQL syntax to see if they represent a statement or valid user input. Limit database permissions and segregate users If you re only reading the database, connect to database as a user that only has read permissions. Never connect as a database administrator in your web application. Configure database error reporting Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.) Configure so that this information is never exposed to a user M. Ashiq Rahman, Tennessee Tech University 19

19 THANKS Acknowledgement: - Most of the figures are taken from different online sources - Ehab Al-Shaer, UNC Charlotte - Dr. Ambareen Siraj, Tennessee Tech University M. Ashiq Rahman, Tennessee Tech University 20

20 Sources M. Ashiq Rahman, Tennessee Tech University 21