Computer Security DD2395 - - PowerPoint PPT Presentation



SLIDE 1

Computer Security DD2395

http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/

Spring 2010
Sonja Buchegger, buc@kth.se
Lecture 7, Nov. 15, 2010
Malicious Software, Denial of Service

Nov. 15, 2010  DD2395  Sonja Buchegger  1

SLIDE 2

Malicious Software

 programs exploiting system vulnerabilities
 known as malicious software or malware

  • program fragments that need a host program
    e.g. viruses, logic bombs, and backdoors
  • independent self-contained programs
    e.g. worms, bots
  • replicating or not

 sophisticated threat to computer systems

SLIDE 3

Malware Terminology

 Virus
 Worm
 Logic bomb
 Trojan horse
 Backdoor (trapdoor)
 Mobile code
 Auto-rooter
 Kit (virus generator)
 Spammer and Flooder programs
 Keyloggers
 Rootkit
 Zombie, bot

SLIDE 4

Viruses

 piece of software that infects programs

  • modifying them to include a copy of the virus
  • so it executes secretly when host program is run

 specific to operating system and hardware

  • taking advantage of their details and weaknesses

 a typical virus goes through phases of:

  • dormant
  • propagation
  • triggering
  • execution

SLIDE 5

Virus Structure

 components:

  • infection mechanism - enables replication
  • trigger - event that makes payload activate
  • payload - what it does, malicious or benign

 prepended / appended / embedded
 when infected program invoked, executes virus code then original program code

 can block initial infection (difficult)
 or propagation (with access controls)

SLIDE 6

Virus Structure

SLIDE 7

Compression Virus

SLIDE 8

Virus Classification

 boot sector
 file infector
 macro virus
 encrypted virus
 stealth virus
 polymorphic virus
 metamorphic virus

SLIDE 9

Macro Virus

 became very common in mid-1990s since

  • platform independent
  • infects documents
  • is easily spread

 exploit macro capability of office apps

  • executable program embedded in office doc
  • often a form of Basic

 more recent releases include protection
 recognized by many anti-virus programs

SLIDE 10

E-Mail Viruses

 more recent development
 e.g. Melissa

  • exploits MS Word macro in attached doc
  • if attachment opened, macro activates
  • sends email to all on user's address list
  • and does local damage

 then saw versions triggered reading email
 hence much faster propagation

SLIDE 11

Virus Countermeasures

 prevention - ideal solution but difficult
 realistically need:

  • detection
  • identification
  • removal

 if detect but can’t identify or remove, must discard and replace infected program

SLIDE 12

Anti-Virus Evolution

 virus & antivirus tech have both evolved
 early viruses simple code, easily removed
 as become more complex, so must the countermeasures

 generations

  • first - signature scanners
  • second - heuristics
  • third - identify actions
  • fourth - combination packages

SLIDE 13

Generic Decryption

 runs executable files through GD scanner:

  • CPU emulator to interpret instructions
  • virus scanner to check known virus signatures
  • emulation control module to manage process

 lets virus decrypt itself in interpreter
 periodically scan for virus signatures
 issue is the time taken to interpret and scan

  • tradeoff chance of detection vs time delay

SLIDE 14

Digital Immune System

SLIDE 15

Behavior-Blocking Software

SLIDE 16

Worms

 replicating program that propagates over net

  • using email, remote exec, remote login

 has phases like a virus:

  • dormant, propagation, triggering, execution
  • propagation phase: searches for other systems, connects to it, copies self to it and runs

 may disguise itself as a system process
 concept seen in Brunner’s “Shockwave Rider”
 implemented by Xerox Palo Alto labs in 1980s

SLIDE 17

Morris Worm

 one of best known worms
 released by Robert Morris in 1988
 various attacks on UNIX systems

  • cracking password file to use login/password to logon to other systems

  • exploiting a bug in the finger protocol
  • exploiting a bug in sendmail

 if succeed have remote shell access

  • sent bootstrap program to copy worm over

SLIDE 18

Worm Propagation Model

SLIDE 19

Recent Worm Attacks

 Code Red

  • July 2001 exploiting MS IIS bug
  • probes random IP address, does DDoS attack
  • consumes significant net capacity when active

 Code Red II variant includes backdoor
 SQL Slammer

  • early 2003, attacks MS SQL Server
  • compact and very rapid spread

 Mydoom

  • mass-mailing e-mail worm that appeared in 2004
  • installed remote access backdoor in infected systems

SLIDE 20

Worm Technology

 multiplatform
 multi-exploit
 ultrafast spreading
 polymorphic
 metamorphic
 transport vehicles
 zero-day exploit

SLIDE 21

Worm Countermeasures

 overlaps with anti-virus techniques
 once worm on system A/V can detect
 worms also cause significant net activity
 worm defense approaches include:

  • signature-based worm scan filtering
  • filter-based worm containment
  • payload-classification-based worm containment
  • threshold random walk scan detection
  • rate limiting and rate halting
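
Threshold random walk scan detection from the list above, as an added worked example (this is not code from the lecture): each source host carries a sequential likelihood-ratio score that moves toward "scanner" on every failed first contact with a new host and toward "benign" on every successful one, and is decided as soon as it crosses either threshold. The parameters theta0, theta1, alpha, beta and the sample connection log are assumptions chosen for illustration.

```python
import math
from collections import defaultdict

class ThresholdRandomWalk:
    """Per-source sequential hypothesis test (after Jung et al., 2004): H0 = benign
    source whose first contact with a new host succeeds w.p. theta0, H1 = scanner
    whose first contact succeeds w.p. theta1. Only first contacts per (src, dst) count."""

    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
        # log-likelihood-ratio contribution of one success / one failure
        self.lr_success = math.log(theta1 / theta0)              # negative: towards benign
        self.lr_failure = math.log((1 - theta1) / (1 - theta0))  # positive: towards scanner
        self.upper = math.log(beta / alpha)                      # crossed -> scanner
        self.lower = math.log((1 - beta) / (1 - alpha))          # crossed -> benign
        self.score = defaultdict(float)  # running log-ratio per source
        self.seen = set()                # (src, dst) pairs already counted
        self.verdict = {}                # src -> "scanner" | "benign"

    def observe(self, src, dst, success):
        """Feed one connection attempt; returns the verdict once a threshold is crossed."""
        if src in self.verdict or (src, dst) in self.seen:
            return self.verdict.get(src)
        self.seen.add((src, dst))
        self.score[src] += self.lr_success if success else self.lr_failure
        if self.score[src] >= self.upper:
            self.verdict[src] = "scanner"
        elif self.score[src] <= self.lower:
            self.verdict[src] = "benign"
        return self.verdict.get(src)

# Constructed sample (not real traffic): "src dst outcome" per TCP connection attempt.
SAMPLE_LOG = """\
10.0.0.5 10.0.1.1 ok
10.0.0.5 10.0.1.2 ok
10.0.0.5 10.0.1.3 ok
10.0.0.5 10.0.1.4 ok
10.0.0.9 10.0.2.1 fail
10.0.0.9 10.0.2.2 fail
10.0.0.9 10.0.2.2 fail
10.0.0.9 10.0.2.3 fail
10.0.0.9 10.0.2.4 fail
"""

def classify(log_text):
    """Run TRW over the log; returns {src: verdict} for each source that was decided."""
    trw = ThresholdRandomWalk()
    for line in log_text.splitlines():
        src, dst, outcome = line.split()
        trw.observe(src, dst, outcome == "ok")
    return dict(trw.verdict)
```

With these parameters a source is flagged after four failed first contacts and cleared after four successful ones; repeat contacts with the same host never move the score.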

SLIDE 22

Proactive Worm Containment

SLIDE 23

Network Based Worm Defense

SLIDE 24

Bots

 program taking over other computers
 to launch hard to trace attacks
 if coordinated form a botnet
 characteristics:

  • remote control facility
    via IRC/HTTP etc
  • spreading mechanism
    attack software, vulnerability, scanning strategy

 various counter-measures applicable

SLIDE 25

Rootkits

 set of programs installed for admin access
 malicious and stealthy changes to host O/S
 may hide its existence

  • subverting report mechanisms on processes, files, registry entries etc

 may be:

  • persistent or memory-based
  • user or kernel mode

 installed by user via trojan or intruder on system
 range of countermeasures needed

SLIDE 26

Rootkit System Table Mods

SLIDE 27

Summary

 introduced types of malicious software

  • incl backdoor, logic bomb, trojan horse, mobile

 virus types and countermeasures
 worm types and countermeasures
 bots
 rootkits

SLIDE 28

Denial of Service

 denial of service (DoS): an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space

 attacks

  • network bandwidth
  • system resources
  • application resources

 have been an issue for some time

SLIDE 29

Classic Denial of Service Attacks

 can use simple flooding ping
 from higher capacity link to lower
 causing loss of traffic
 source of flood traffic easily identified

SLIDE 30

Classic Denial of Service Attacks

SLIDE 31

Source Address Spoofing

 use forged source addresses

  • given sufficient privilege to “raw sockets”
  • easy to create

 generate large volumes of packets
 directed at target
 with different, random, source addresses
 cause same congestion
 responses are scattered across Internet
 real source is much harder to identify

SLIDE 32

SYN Spoofing

 other common attack
 attacks ability of a server to respond to future connection requests
 overflowing tables used to manage them
 hence an attack on system resource

SLIDE 33

TCP Connection Handshake

SLIDE 34

SYN Spoofing Attack

SLIDE 35

SYN Spoofing Attack

 attacker often uses either

  • random source addresses
  • or that of an overloaded server
  • to block return of (most) reset packets

 has much lower traffic volume

  • attacker can be on a much lower capacity link

SLIDE 36

Types of Flooding Attacks

 classified based on network protocol used
 ICMP Flood

  • uses ICMP packets, eg echo request
  • typically allowed through, some required

 UDP Flood

  • alternative uses UDP packets to some port

 TCP SYN Flood

  • use TCP SYN (connection request) packets
  • but for volume attack

SLIDE 37

Distributed Denial of Service Attacks

 have limited volume if single source used
 multiple systems allow much higher traffic volumes to form a Distributed Denial of Service (DDoS) Attack

 often compromised PCs / workstations

  • zombies with backdoor programs installed
  • forming a botnet

 e.g. Tribe Flood Network (TFN), TFN2K

SLIDE 38

DDoS Control Hierarchy

SLIDE 39

Reflection Attacks

 use normal behavior of network
 attacker sends packet with spoofed source address being that of target to a server
 server response is directed at target
 if send many requests to multiple servers, response can flood target
 various protocols e.g. UDP or TCP/SYN
 ideally want response larger than request
 prevent if block source spoofed packets

SLIDE 40

Reflection Attacks

 further variation creates a self-contained loop between intermediary and target
 fairly easy to filter and block

SLIDE 41

Amplification Attacks

SLIDE 42

DNS Amplification Attacks

 use DNS requests with spoofed source address being the target
 exploit DNS behavior to convert a small request to a much larger response

  • 60 byte request to 512 - 4000 byte response

 attacker sends requests to multiple well connected servers, which flood target

  • need only moderate flow of request packets
  • DNS servers will also be loaded
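
An added detection example for the reflection and DNS amplification slides (not part of the lecture): seen from the target's border, an inbound DNS response that matches no earlier outbound query from the same local port to that resolver is reflected traffic, and its size measured against the 60-byte spoofed query gives the amplification factor. The flow records and the flow-level matching (a resolver client would additionally check the DNS transaction ID) are assumptions.

```python
from collections import defaultdict

# Constructed flow records at the target's border (not real traffic):
# direction protocol src_ip:port dst_ip:port bytes
FLOWS = """\
out udp 198.51.100.7:53211 203.0.113.53:53 60
in  udp 203.0.113.53:53 198.51.100.7:53211 180
in  udp 203.0.113.53:53 198.51.100.7:4444 3900
in  udp 203.0.113.54:53 198.51.100.7:4444 3900
in  udp 203.0.113.55:53 198.51.100.7:4444 512
in  udp 203.0.113.55:53 198.51.100.7:4445 3900
out udp 198.51.100.7:40000 192.0.2.80:443 1500
"""
REQUEST_BYTES = 60  # spoofed query size the slide assumes per reflected response

def parse(flow_text):
    """Turn one record per line into (dir, proto, sip, sport, dip, dport, bytes)."""
    recs = []
    for line in flow_text.splitlines():
        d, proto, src, dst, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        recs.append((d, proto, sip, int(sport), dip, int(dport), int(nbytes)))
    return recs

def reflected_dns(flow_text):
    """Pair inbound DNS responses with earlier outbound queries from the same
    local port to the same resolver; unmatched responses are reflected traffic.
    Returns (response_count, response_bytes, reflector_ips, amplification)."""
    outstanding = defaultdict(int)   # (local ip, local port, resolver) -> queries in flight
    count = total = 0
    reflectors = set()
    for d, proto, sip, sport, dip, dport, nbytes in parse(flow_text):
        if proto != "udp":
            continue
        if d == "out" and dport == 53:
            outstanding[(sip, sport, dip)] += 1
        elif d == "in" and sport == 53:
            key = (dip, dport, sip)
            if outstanding[key] > 0:
                outstanding[key] -= 1          # answer to our own query
            else:                              # nobody here asked: reflected
                count += 1
                total += nbytes
                reflectors.add(sip)
    amp = total / (count * REQUEST_BYTES) if count else 0.0
    return count, total, sorted(reflectors), amp
```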

SLIDE 43

DoS Attack Defenses

 high traffic volumes may be legitimate

  • result of high publicity, e.g. “slash-dotted”
  • or to a very popular site, e.g. Olympics etc

 or legitimate traffic created by an attacker
 three lines of defense against (D)DoS:

  • attack prevention and preemption
  • attack detection and filtering
  • attack source traceback and identification

SLIDE 44

Attack Prevention

 block spoofed source addresses

  • on routers as close to source as possible
  • still far too rarely implemented

 rate controls in upstream distribution nets

  • on specific packets types
  • e.g. some ICMP, some UDP, TCP/SYN

 use modified TCP connection handling

  • use SYN cookies when table full
  • or selective or random drop when table full
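
An added example of the SYN-cookie idea from the list above, not the lecture's code or any real TCP stack's: the server encodes the connection parameters into the SYN-ACK's initial sequence number instead of storing a half-open entry, and rebuilds state only when a valid ACK returns. The field layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash), the key, the MSS table and the addresses are assumptions modelled on the classic scheme.

```python
import hashlib, hmac, socket, struct

SECRET = b"constructed-demo-key"            # assumption: a random per-boot key in a real stack
MSS_TABLE = (536, 1220, 1440, 1460)          # MSS values the 3-bit field can encode (illustrative)
CLIENT_IP = socket.inet_aton("192.0.2.10")   # documentation addresses, constructed scenario
SERVER_IP = socket.inet_aton("198.51.100.1")

def _mac(saddr, sport, daddr, dport, count):
    """Keyed hash of the 4-tuple and time counter, truncated to 24 bits."""
    data = struct.pack("!4sH4sHI", saddr, sport, daddr, dport, count)
    return int.from_bytes(hmac.new(SECRET, data, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, sport, daddr, dport, mss, now):
    """ISN for the SYN-ACK: 5-bit time counter | 3-bit MSS index | 24-bit MAC.
    Nothing is stored for the half-open connection, so a SYN flood cannot fill a table."""
    count = (now // 64) & 0x1F               # advances every 64 seconds
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (count << 27) | (mss_idx << 24) | _mac(saddr, sport, daddr, dport, count)

def check_cookie(saddr, sport, daddr, dport, ack, now):
    """Validate the final ACK of a handshake; returns the recovered MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF          # client acknowledges ISN + 1
    count, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    cur = (now // 64) & 0x1F
    if count not in (cur, (cur - 1) & 0x1F):  # accept current and previous counter only
        return None
    expected = _mac(saddr, sport, daddr, dport, count)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None

def handshake_demo(now=1_000_000):
    """Server side of three scenarios; returns (legit_mss, forged_ack_ok, stale_ack_ok)."""
    isn = make_cookie(CLIENT_IP, 40000, SERVER_IP, 80, 1460, now)   # SYN -> SYN-ACK(isn)
    legit = check_cookie(CLIENT_IP, 40000, SERVER_IP, 80, isn + 1, now + 5)
    forged = check_cookie(CLIENT_IP, 40000, SERVER_IP, 80, 0x12345678, now + 5)
    stale = check_cookie(CLIENT_IP, 40000, SERVER_IP, 80, isn + 1, now + 600)
    return legit, forged is not None, stale is not None
```

Spoofed SYNs that are never acknowledged cost the server nothing beyond the SYN-ACK it sends, which is the point of the scheme; the price is that TCP options not encoded in the cookie are lost when the table is full.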

SLIDE 45

Attack Prevention

 block IP directed broadcasts
 block suspicious services & combinations
 manage application attacks with “puzzles” to distinguish legitimate human requests
 good general system security practices
 use mirrored and replicated servers when high-performance and reliability required

SLIDE 46

Responding to Attacks

 need good incident response plan

  • with contacts for ISP
  • needed to impose traffic filtering upstream
  • details of response process

 have standard filters
 ideally have network monitors and IDS

  • to detect and notify abnormal traffic patterns

SLIDE 47

Responding to Attacks

 identify type of attack

  • capture and analyze packets
  • design filters to block attack traffic upstream
  • or identify and correct system/application bug

 have ISP trace packet flow back to source

  • may be difficult and time consuming
  • necessary if legal action desired

 implement contingency plan
 update incident response plan

SLIDE 48

Summary

 introduced denial of service (DoS) attacks
 classic flooding and SYN spoofing attacks
 ICMP, UDP, TCP SYN floods
 distributed denial of service (DDoS) attacks
 reflection and amplification attacks
 defenses against DoS attacks
 responding to DoS attacks