Recent Attack Technologies, Neil Long, OxCert (PowerPoint presentation)


SLIDE 1

Recent Attack Technologies

Neil Long OxCert

SLIDE 2

Introduction

  • Hope for audience participation!
  • At least two aspects
    – Target payloads
    – Attack origins
  • Future arenas?

SLIDE 3

Attack Payloads

  • Buffer overflow
  • Format strings
    – Any experts in the audience?
  • Network DoS
    – volume vs. content

SLIDE 4

Buffer Overflow

  • Kernel switches and other defences
  • Stack vs. heap vs. libc
  • Defensive options are off by default

SLIDE 5

Format Strings

  • Relatively recent class of bug; major examples:
    – wu-ftpd (Linux)
    – rpc.statd (Linux)
    – telnetd (IRIX)
    – local uid-to-root exploits
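The slide only names the bug class; the C listing below is an added example written for this page, not code from the talk or from wu-ftpd, rpc.statd or telnetd. It contrasts a logging routine that forwards a caller-supplied string as the format (the shape the wu-ftpd and rpc.statd bugs took, with the message handed to a vsnprintf()/syslog()-style sink) with the fixed form, and adds a small audit helper that counts conversion directives and flags `%n`, the directive that turns a read into a write. The names `log_unsafe`, `log_safe`, `count_directives` and `has_n_directive` are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Shared output buffer for the two logging routines below. */
static char logbuf[256];

/* VULNERABLE (hypothetical): the caller's string is used as the format.
 * A message of "%x%x" dumps words from the stack / register save area;
 * one containing "%n" writes a counter to memory.  Forwarding through
 * a va_list wrapper like this is how the bug hid inside daemons. */
static const char *log_unsafe(const char *user_controlled, ...)
{
    va_list ap;
    va_start(ap, user_controlled);
    vsnprintf(logbuf, sizeof logbuf, user_controlled, ap);
    va_end(ap);
    return logbuf;
}

/* FIXED: the format is a literal, the user string is only ever data. */
static const char *log_safe(const char *user_controlled)
{
    snprintf(logbuf, sizeof logbuf, "%s", user_controlled);
    return logbuf;
}

/* Audit helper: count conversion directives in a string that is about to
 * reach a printf-family function and flag "%n".  "%%" is a literal percent
 * sign and is skipped. Returns the directive count; *has_n is set if any
 * directive is %n. */
static int count_directives(const char *s, int *has_n)
{
    int n = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent, not a directive */
            p++;
            continue;
        }
        n++;
        const char *q = p + 1;      /* skip flags, width, precision, length */
        while (*q && strchr("-+ #0123456789.*$hlLqjzt", *q))
            q++;
        if (*q == 'n')
            *has_n = 1;
        if (*q)
            p = q;                  /* resume after the conversion character */
    }
    return n;
}

/* Yes/no wrapper for the question that matters most in review. */
static int has_n_directive(const char *s)
{
    int has_n;
    count_directives(s, &has_n);
    return has_n;
}

int main(void)
{
    const char *probe = "%08x.%08x.%08x.%08x";
    printf("unsafe: %s\n", log_unsafe(probe));   /* leaks stack words */
    printf("safe:   %s\n", log_safe(probe));     /* prints the probe itself */
    printf("directives: %d, contains %%n: %d\n",
           count_directives(probe, &(int){0}), has_n_directive(probe));
    return 0;
}
```

The compiler's `-Wformat-security` warning targets the direct `printf(user)` form; a wrapper that forwards a `va_list`, as above, is the kind of call a source audit (grep for `vsnprintf`, `vsyslog`, `vfprintf` with a non-literal format) has to find by hand, which is why the "source code re-writes" on the next slide kept producing new exploits.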

SLIDE 6

Built-in Defences?

  • Libc modifications
    – Are they enough?
  • POSIX compliance
    – libc from major vendors??
  • Source code re-writes
    – continuous release of new exploits

SLIDE 7

Bugtraq

  • libc
  • sperl
  • screen
  • IMP
  • pam_smb and pam_ntdom
  • sysklogd
  • envcheck
  • klogd
  • wu-ftpd new variants
  • traceroute
  • cfengine
  • su
  • ncurses
  • rpc.statd improved
  • PHP
  • Apache mod_rewrite

SLIDE 8

Attacks

  • Scanning granularity
  • Real-time IDS
  • Post-event IDS
  • Multi-source attacks
    – scan host
    – exploit host
    – intrusion host(s)

SLIDE 9

Tools used

  • Root-kits
  • hidden ‘extras’
  • rapid evolution
  • IRC still a major factor

SLIDE 10

Counteractive Tools

  • lsof
  • TCT (The Coroner's Toolkit)
    – mactime
    – ils & icat
  • NetFlow
  • Active IDS

SLIDE 11

DDoS tools

  • Trinoo still popular - evolving
  • Stacheldraht
  • ‘TFN3K’ very worrying
  • Trinity (Entitee)
  • Handler-agent communication differences

SLIDE 12

DDoS Payloads

  • UDP volume
  • TCP SYN flood
  • Smurf & Fraggle amplifiers
  • Stream
  • Fragments and others?
  • Higher bandwidth will make them more effective
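Slides 8, 10 and 12 together describe what a post-event IDS run over flow records has to recognise: a scanning host, a separate exploit host reusing what the scan found, a SYN flood, and smurf/fraggle amplification. The C listing below is an added example written for this page, not code from the talk or from any NetFlow tool. It works on a constructed sample in a simplified `src,dst,proto,dport,tcpflags,packets,bytes` shape (not a real NetFlow v5 export) using RFC 5737 documentation and RFC 1918 addresses; the thresholds `SCAN_PORTS` and the function names (`load_flows`, `distinct_ports`, `syn_only_sources`, `is_amplifier_abuse`, `exploit_hosts`) are hypothetical choices for the sample.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the shape src,dst,proto,dport,tcpflags,packets,bytes
 * (loosely a NetFlow text export).  Not real traffic. */
static const char *FLOWS[] = {
    "198.51.100.7,10.0.0.5,6,21,S,1,60",     /* one host probing many ports */
    "198.51.100.7,10.0.0.5,6,23,S,1,60",
    "198.51.100.7,10.0.0.5,6,111,S,1,60",
    "198.51.100.7,10.0.0.5,6,513,S,1,60",
    "198.51.100.7,10.0.0.5,6,1024,S,1,60",
    "203.0.113.9,10.0.0.5,6,111,SPA,9,1420", /* another host connects to a probed port */
    "192.0.2.11,10.0.0.8,6,80,S,1,60",       /* SYN-only flows from many sources */
    "192.0.2.12,10.0.0.8,6,80,S,1,60",
    "192.0.2.13,10.0.0.8,6,80,S,1,60",
    "192.0.2.14,10.0.0.8,6,80,S,1,60",
    "10.0.0.8,10.0.0.255,1,0,-,1,1500",      /* ICMP echo to broadcast: smurf */
    "10.0.0.8,10.0.0.255,17,7,-,1,1500",     /* UDP echo to broadcast: fraggle */
    "10.0.0.20,10.0.0.5,6,22,SPA,40,6200",   /* ordinary ssh session, not flagged */
};
#define NSAMPLE (sizeof FLOWS / sizeof FLOWS[0])
#define MAXSET 32
#define SCAN_PORTS 5   /* distinct ports one src must touch on one dst to count as a scan */

struct flow { char src[16], dst[16]; int proto, dport; char flags[8]; int pkts, bytes; };
static struct flow flows[NSAMPLE];
static int nflows;

/* Parse the sample into flows[]; returns how many records were accepted. */
static int load_flows(void)
{
    nflows = 0;
    for (size_t i = 0; i < NSAMPLE; i++) {
        struct flow *f = &flows[nflows];
        if (sscanf(FLOWS[i], "%15[^,],%15[^,],%d,%d,%7[^,],%d,%d", f->src, f->dst,
                   &f->proto, &f->dport, f->flags, &f->pkts, &f->bytes) == 7)
            nflows++;
    }
    return nflows;
}

/* Insert v into a small string set; returns 1 if it was not already there. */
static int add_unique(char set[][16], int *n, const char *v)
{
    for (int i = 0; i < *n; i++) if (!strcmp(set[i], v)) return 0;
    if (*n >= MAXSET) return 0;
    strcpy(set[(*n)++], v);
    return 1;
}

static int is_syn_only(const struct flow *f)
{ return f->proto == 6 && !strcmp(f->flags, "S") && f->pkts == 1; }

/* Scanning granularity: distinct TCP ports that src touched on dst. */
static int distinct_ports(const char *src, const char *dst)
{
    char set[MAXSET][16], key[16]; int n = 0;
    for (int i = 0; i < nflows; i++) {
        if (flows[i].proto != 6 || strcmp(flows[i].src, src) || strcmp(flows[i].dst, dst)) continue;
        snprintf(key, sizeof key, "%d", flows[i].dport);
        add_unique(set, &n, key);
    }
    return n;
}

/* SYN flood: distinct sources whose flows to dst:dport never got past SYN. */
static int syn_only_sources(const char *dst, int dport)
{
    char set[MAXSET][16]; int n = 0;
    for (int i = 0; i < nflows; i++)
        if (is_syn_only(&flows[i]) && flows[i].dport == dport && !strcmp(flows[i].dst, dst))
            add_unique(set, &n, flows[i].src);
    return n;
}

/* Smurf (ICMP echo) or fraggle (UDP echo/chargen) aimed at a directed broadcast
 * address; the flow's src is the victim whose address was forged. */
static int is_amplifier_abuse(const struct flow *f)
{
    size_t l = strlen(f->dst);
    int bcast = l >= 4 && !strcmp(f->dst + l - 4, ".255");
    return bcast && (f->proto == 1 || (f->proto == 17 && (f->dport == 7 || f->dport == 19)));
}

/* Multi-source attack: a host other than the scanner completing a connection to a
 * port the scanner probed earlier on the same target.  Fills out[], returns count. */
static int exploit_hosts(const char *dst, char out[MAXSET][16])
{
    int n = 0;
    for (int i = 0; i < nflows; i++) {
        const struct flow *f = &flows[i];
        if (f->proto != 6 || strcmp(f->dst, dst) || is_syn_only(f)) continue;
        for (int j = 0; j < i; j++) {                 /* only flows seen earlier */
            const struct flow *s = &flows[j];
            if (is_syn_only(s) && !strcmp(s->dst, dst) && s->dport == f->dport &&
                strcmp(s->src, f->src) && distinct_ports(s->src, dst) >= SCAN_PORTS) {
                add_unique(out, &n, f->src);
                break;
            }
        }
    }
    return n;
}
```

Call `load_flows()` first, then the detectors. Two points the sample is built to show: the SYN-flood and amplifier checks key on the destination, because the source field is the one the attacker forges, while the scan-then-exploit correlation keys on source and is only possible after the event, when the records for both hosts are on disk; the ordinary ssh session to an unscanned port stays unflagged.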

SLIDE 13

IP Spoofing

  • All vs. partial vs. none at all
  • Generator efficiency
  • benefits to them (and us)
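What "all vs. partial vs. none" means for the defender is easiest to see against an ingress filter. The C listing below is an added example written for this page, not code from the talk or from any DDoS tool: it models the three source-address policies a flood generator can use and pushes packets through an RFC 2827 (BCP 38) check at the sender's upstream router. The addresses are RFC 5737 documentation ranges, the generator `next_rand` is a small LCG chosen so runs are reproducible, and the names `ingress_allows`, `choose_source` and `packets_forwarded` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Dotted quad -> host-order 32-bit value (no inet_aton, so it runs anywhere). */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

static uint32_t netmask(int plen)
{
    return plen <= 0 ? 0 : 0xFFFFFFFFu << (32 - plen);
}

/* Ingress filter (RFC 2827 / BCP 38): traffic arriving on a customer link is
 * forwarded only if its source address lies inside that customer's prefix. */
static int ingress_allows(uint32_t prefix, int plen, uint32_t src)
{
    return (src & netmask(plen)) == (prefix & netmask(plen));
}

/* The three policies a flood generator can follow for the source field. */
enum spoof { SPOOF_NONE, SPOOF_PARTIAL, SPOOF_ALL };

/* Small deterministic generator so runs are reproducible (hypothetical LCG). */
static uint32_t next_rand(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state;
}

/* Source address the next packet will carry.  own is the sender's real
 * address and plen its subnet length: PARTIAL keeps the network bits and
 * randomises only the host bits, ALL randomises all 32 bits. */
static uint32_t choose_source(enum spoof mode, uint32_t own, int plen, uint32_t *rng)
{
    uint32_t r = next_rand(rng);
    switch (mode) {
    case SPOOF_NONE:    return own;
    case SPOOF_PARTIAL: return (own & netmask(plen)) | (r & ~netmask(plen));
    default:            return r;
    }
}

/* Push n packets through a BCP 38 filter at the sender's upstream router
 * and return how many are forwarded. */
static int packets_forwarded(enum spoof mode, uint32_t own, int plen, int n, uint32_t seed)
{
    uint32_t rng = seed;
    int forwarded = 0;
    for (int i = 0; i < n; i++)
        forwarded += ingress_allows(own, plen, choose_source(mode, own, plen, &rng));
    return forwarded;
}

int main(void)
{
    uint32_t own;
    parse_ipv4("198.51.100.77", &own);            /* documentation range, RFC 5737 */
    printf("none:    %d/1000\n", packets_forwarded(SPOOF_NONE, own, 24, 1000, 1));
    printf("partial: %d/1000\n", packets_forwarded(SPOOF_PARTIAL, own, 24, 1000, 1));
    printf("all:     %d/1000\n", packets_forwarded(SPOOF_ALL, own, 24, 1000, 1));
    return 0;
}
```

Full spoofing defeats per-flow rate limits but is dropped wholesale by a BCP 38 filter on the attacker's uplink; partial spoofing passes the filter, which is the benefit to them, but every packet then carries the attacking subnet in its network bits, which is the benefit to us when tracing back. No spoofing is the cheapest to generate and the easiest to trace.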
SLIDE 14

Locating the intruder

  • Traceback
  • Mobility becoming easier, locating more difficult
    – e.g. use of non-contract cell phones
  • Wireless networks
    – promiscuous mode?

SLIDE 15

New targets?

  • Voice-over-IP?
  • DNS revisited
  • WAP

SLIDE 16

What is to come?

  • DDoS net of nets? How long?
  • Pipes get fatter
    – firewalls & IDS fall behind?
    – cost prohibitive?
  • Disks keep getting bigger

SLIDE 17

Finally

  • Story is not changing
    – Demand for fatter pipes, bigger and faster machines
    – But security is still an after-thought
  • Less logging by ISPs?
  • Growing awareness == more incidents
    – increased IRT load
  • Liability issues on the horizon?