Chapter 3: Attacks and Malicious Code
Objectives in this chapter
ATHENA
Explain denial-of-service (DoS) attacks
Explain and discuss ping-of-death attacks
Identify major components used in a DDoS attack and how they are installed
Understand major types of spoofing attacks
Discuss man-in-the-middle attacks, replay attacks, and TCP session hijacking
Learning Objectives (continued)
Detail three types of social-engineering attacks and explain why they can be incredibly damaging
List major types of attacks used against encrypted data
List major types of malicious software and identify a countermeasure for each one
Why Secure a Network?
Diagram: threats to corporate assets (internal attacker, external attacker, virus, incorrect permissions)
A network security design protects assets from threats and vulnerabilities in an organized manner
To design security, analyze risks to your assets and create responses
Terminology
Vulnerability – a problem or error that opens up a security “hole”
Patch – code that will eliminate the vulnerability (patch must be applied)
Exploit – code (often a virus or a worm) that can take advantage of a particular vulnerability
What should happen
Vulnerability is found and published
Patch is written and made available
Everybody patches their computers
Then, somebody releases an exploit
Denial-of-Service Attacks
Any malicious act that causes a system to be unusable by its real user(s)
Take numerous forms
Are very common
Can be very costly
Major types
• SYN flood
• Smurf attack
TCP Three-Way Handshake
SYN Flood
Exploits the TCP three-way handshake
The initiating machine sends a SYN; the receiving machine sends back a SYN/ACK. The initiating machine never sends back the final ACK to complete the connection.
The receiving machine will wait a certain length of time before clearing the connection.
SYN Flood
When the receiving machine’s stack was written, the programmers decided on a certain number of connections that could be “waiting”.
When this number is reached the machine can’t accept new connections, so it is effectively not listening.
Things the Blackhat Must Consider
The receiving machine will send a SYN/ACK to the spoofed address.
If this is a real machine, it will reply with a RST, which will clear the connection. This is not what the blackhat wants.
Solution: use a private address or an unallocated address as the spoofed source IP address.
What Can the Good-guys Do?
Shorten the time the receiving computer will wait before clearing the connection.
Allow for a greater number of connection attempts.
Use a firewall to send an ACK packet to the receiving machine. This will allow the connection to be moved out of the half-open queue.
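The half-open queue described on the SYN Flood slides, and the three adjustments listed above, can be made concrete with a small simulation. The following Python model is an added example and is not part of the original lecture material: the HalfOpenQueue class, the simulate() function, its parameters (capacity, timeout, bogus_per_second, firewall_acks) and the documentation-range addresses are all constructed here. It shows the queue filling with SYNs that never complete, and that a shorter timeout, a larger backlog, or a device that completes the handshake on the server's behalf each restores the ability to accept a legitimate connection.

```python
"""Added example: a model of a server's half-open (SYN_RECV) queue.

A SYN that has been answered with SYN/ACK waits here for the client's final
ACK. Entries leave the queue when the handshake completes or when they have
waited longer than `timeout` seconds. While the queue is full, new SYNs are
refused. Addresses below are constructed documentation-range values.
"""
from collections import OrderedDict


class HalfOpenQueue:
    def __init__(self, capacity, timeout):
        self.capacity = capacity      # number of "waiting" connections the stack allows
        self.timeout = timeout        # seconds before a half-open entry is cleared
        self.pending = OrderedDict()  # (src_ip, src_port) -> arrival time, oldest first
        self.rejected = 0             # SYNs refused because the queue was full

    def _expire(self, now):
        # Entries are stored in arrival order, so stop at the first one still fresh.
        while self.pending:
            _, arrived = next(iter(self.pending.items()))
            if now - arrived < self.timeout:
                break
            self.pending.popitem(last=False)

    def syn(self, now, src):
        """Incoming SYN. Returns True if the server answers with SYN/ACK."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.rejected += 1
            return False
        self.pending[src] = now
        return True

    def ack(self, now, src):
        """Final ACK of the handshake; the entry leaves the half-open queue."""
        self._expire(now)
        return self.pending.pop(src, None) is not None


def simulate(capacity, timeout, bogus_per_second, seconds, firewall_acks=False):
    """Feed the queue SYNs from spoofed sources that never answer, then test
    whether one legitimate client can still connect at the end.

    firewall_acks models the slide's third measure: a device in front of the
    server completes the handshake so the entry does not sit in the queue.
    Returns (half_open_entries_at_end, legitimate_client_accepted).
    """
    q = HalfOpenQueue(capacity, timeout)
    for sec in range(seconds):
        for n in range(bogus_per_second):
            # Each spoofed (ip, port) pair is unique; no ACK ever follows it.
            src = ("203.0.113.%d" % (n % 250 + 1), 40000 + sec * bogus_per_second + n)
            if q.syn(float(sec), src) and firewall_acks:
                q.ack(float(sec), src)
    now = float(seconds)
    client = ("198.51.100.7", 51515)
    accepted = q.syn(now, client)
    if accepted:
        q.ack(now + 0.01, client)  # a real client finishes the handshake
    return len(q.pending), accepted


if __name__ == "__main__":
    # Assumed stack: 128-entry backlog, 75 s wait, 10 bogus SYN/s for 30 s.
    print("baseline       ", simulate(128, 75.0, 10, 30))
    print("shorter timeout", simulate(128, 5.0, 10, 30))
    print("bigger backlog ", simulate(1024, 75.0, 10, 30))
    print("firewall acks  ", simulate(128, 75.0, 10, 30, firewall_acks=True))
```

With the baseline settings the queue reaches 128 entries after about 13 seconds and the legitimate client is refused; the other three runs each report the client accepted, with the shorter timeout holding the queue at roughly five seconds' worth of bogus entries.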
Smurf
Non-OS specific attack that uses the network to amplify its effect on the victim
Sends ICMP echo (ping) requests to the network broadcast address using the victim’s address as the source
Network floods the victim with ICMP ping replies
Saturates Internet connection with bogus traffic and delays/prevents legitimate traffic from reaching its destination
Protective Measures Against Smurf
Routers should be configured to drop ICMP messages with a destination of an internal broadcast or multicast address.
Hosts should be configured to ignore echo requests directed to their broadcast address.
Check for a list of smurf amplifier networks and to make sure your network is configured properly.
IP Fragmentation Attacks: Ping of Death
Uses IP packet fragmentation techniques to crash remote systems.
Maximum size of IP packet is 65,536 bytes, but most network topologies can’t handle packets of that size – so the packet is broken into smaller packets (fragmentation).
Reassembled packet larger than 65,536 bytes would crash older operating systems.
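The defect behind the ping of death is a reassembler that trusts the fragment offsets and lengths it is given. The Python below is an added example, not code from the lecture: it validates a set of fragments before any buffer for the datagram is allocated. The IP total-length field is 16 bits, so 65,535 bytes is the largest datagram it can describe, and that is the bound checked here; the fragment() helper, the 20-byte header assumption and the fragment tuples are constructed for the example.

```python
"""Added example: bounds-checking IP fragment reassembly.

Fragments carry a 13-bit offset in 8-byte units and a More Fragments (MF)
flag. A receiver that reassembles without checking that offset*8 + payload
stays inside the 16-bit total-length bound is the weakness the ping-of-death
slide describes. Fragment tuples below are constructed for the example.
"""
IP_MAX_LEN = 65535   # maximum value of the 16-bit total-length field
IP_HDR_LEN = 20      # header without options (assumed for this example)
MAX_OFFSET = 0x1FFF  # 13-bit fragment offset field


class FragmentError(ValueError):
    """Raised when a fragment set cannot form a valid datagram."""


def validate_fragments(frags):
    """frags: iterable of (offset_units, more_fragments, payload_len).

    Returns the reassembled payload length, or raises FragmentError before
    any buffer for the datagram would be allocated.
    """
    reassembled_len = 0
    final_seen = False
    for offset_units, more_fragments, payload_len in frags:
        if not 0 <= offset_units <= MAX_OFFSET:
            raise FragmentError("fragment offset does not fit in 13 bits")
        if payload_len <= 0:
            raise FragmentError("empty fragment")
        end = offset_units * 8 + payload_len
        # Header plus payload must fit the datagram's total-length field.
        if IP_HDR_LEN + end > IP_MAX_LEN:
            raise FragmentError("reassembled datagram would exceed %d bytes" % IP_MAX_LEN)
        if more_fragments and payload_len % 8:
            raise FragmentError("non-final fragment payload is not a multiple of 8")
        if not more_fragments:
            final_seen = True
        reassembled_len = max(reassembled_len, end)
    if not final_seen:
        raise FragmentError("final fragment (MF=0) missing")
    return reassembled_len


def fragment(payload_len, mtu=1500):
    """Split a payload of payload_len bytes into fragments for the given MTU,
    the way a sending stack does. Used here only to construct test inputs."""
    per_frag = (mtu - IP_HDR_LEN) // 8 * 8   # 1480 bytes for a 1500-byte MTU
    frags, offset = [], 0
    while offset < payload_len:
        n = min(per_frag, payload_len - offset)
        frags.append((offset // 8, offset + n < payload_len, n))
        offset += n
    return frags


def accepts(frags):
    """True if the fragment set passes validation, False if it is rejected."""
    try:
        validate_fragments(frags)
        return True
    except FragmentError:
        return False


if __name__ == "__main__":
    print("64-byte ping payload  :", accepts(fragment(64)))       # normal echo request
    print("65,515-byte payload   :", accepts(fragment(65515)))    # exactly fills the field
    print("65,516-byte payload   :", accepts(fragment(65516)))    # one byte too many
    print("last frag past the end:", accepts([(0, True, 1480), (8189, False, 100)]))
```

The check on the final fragment's end is the important one: a fragment with offset 8189 and 100 bytes of payload is individually legal, yet it places data at byte 65,612 of a datagram that can never be that long, which is exactly the oversized reassembly the slide describes.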
Distributed Denial-of-Service Attacks
Use hundreds of hosts on the Internet to attack the victim by flooding its link to the Internet or depriving it of resources
Used by hackers to target government and business Internet sites
Automated tools; can be executed by script kiddies
Result in temporary loss of access to a given site and associated loss in revenue and prestige
DDoS Tools and Attack Methods
DDoS Countermeasures
Install latest security patches from software vendors
Antivirus software will detect DDoS agent software
Firewalls are always a good idea
Ingress (inbound) and egress (outbound) filtering
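The ingress/egress filtering listed here and the router measure on the Smurf protection slide (drop ICMP addressed to an internal broadcast or multicast address) are both decisions a border router makes per packet. The Python below is an added example and not part of the lecture: the INTERNAL_NETS prefixes, the Packet record, filter_packet() and the traffic sample are all constructed from documentation address ranges to show how those two rules classify traffic in each direction.

```python
"""Added example: border-router filtering decisions from this chapter.

Two measures are modelled against constructed packets:
  * Smurf protection: drop ICMP whose destination is the broadcast address
    of an internal subnet, or a multicast address.
  * Ingress/egress filtering: a packet arriving from the Internet may not
    carry an internal source address, and a packet leaving must carry one.
The internal prefixes and all addresses are documentation ranges chosen here.
"""
import ipaddress
from dataclasses import dataclass

# Prefixes assigned to the organisation (assumed for this example).
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "icmp", "tcp" or "udp"
    direction: str    # "in" = arriving from the Internet, "out" = leaving


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_internal_broadcast_or_multicast(addr):
    ip = ipaddress.ip_address(addr)
    return ip.is_multicast or any(ip == net.broadcast_address for net in INTERNAL_NETS)


def filter_packet(pkt):
    """Return ("permit", "") or ("drop", reason)."""
    if pkt.direction == "in" and is_internal(pkt.src):
        return "drop", "ingress: internal source on a packet from outside (spoofed)"
    if pkt.direction == "out" and not is_internal(pkt.src):
        return "drop", "egress: foreign source on a packet from inside (spoofed)"
    if pkt.proto == "icmp" and is_internal_broadcast_or_multicast(pkt.dst):
        return "drop", "smurf: ICMP to internal broadcast/multicast address"
    return "permit", ""


# Constructed traffic sample.
SAMPLE_PACKETS = [
    Packet("203.0.113.9", "192.0.2.10", "tcp", "in"),     # ordinary inbound connection
    Packet("203.0.113.9", "192.0.2.255", "icmp", "in"),   # ICMP to subnet broadcast (Smurf amplification attempt)
    Packet("192.0.2.17", "203.0.113.9", "tcp", "in"),     # inbound, claims an internal source
    Packet("10.1.1.1", "203.0.113.9", "udp", "out"),      # outbound with a source we do not own
    Packet("192.0.2.10", "203.0.113.9", "icmp", "out"),   # ordinary outbound ping
    Packet("203.0.113.9", "224.0.0.1", "icmp", "in"),     # ICMP to a multicast group
]


def audit(packets):
    """Count the verdicts: returns {"permit": n, "drop": m}."""
    counts = {"permit": 0, "drop": 0}
    for pkt in packets:
        counts[filter_packet(pkt)[0]] += 1
    return counts


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, reason = filter_packet(pkt)
        print(f"{pkt.direction:>3} {pkt.src:>15} -> {pkt.dst:<15} {pkt.proto:<4} {verdict:<6} {reason}")
    print(audit(SAMPLE_PACKETS))
```

The ingress rule is checked first so that an inbound packet forging an internal victim's address is caught as a spoof even before the broadcast destination is examined; the egress rule stops hosts on the inside from being used as the spoofing source in someone else's flood.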
Ingress and Egress Filtering