CompFoo pt. 2: Security basics 2: Attacks and Defenses (PowerPoint PPT presentation)

Slides: 37
Provided by: x10sec
Transcript and Presenter's Notes

1
Comp-Foo pt. 2: Security basics 2: Attacks and Defenses
  • Spoofing
      • MAC spoofing
      • OS spoofing
      • HTTP Header spoofing
      • Caller ID spoofing
      • Email spoofing
      • IP spoofing
  • Denial of Service
      • Ping flood
      • Ping of Death
      • SYN flood
      • DDoS
      • DRDoS
      • Smurf/Fraggle

2
Spoofing
  • Lies, deceit, and lies.

3
MAC Spoofing: The MAC attacks
  • Useful tools: MAC Makeup (Win32), GNU macchanger (Linux)
Many people believe that your MAC address is entirely unmodifiable without
hardware changes or other drastic modifications. Well, that's true. But...

4
MAC Spoofing: MACaroni and ch33se.
  • That doesn't mean you can't lie about it!

5
MAC Spoofing: MAC the Knife
  • Why is this useful?
      • Pretending to be someone else on a network for privileges
      • Pretending to be using different hardware, to bypass hardware
        restrictions
      • Pretending to be someone that you're not to avoid being denied
        service based on MAC address

6
MAC Spoofing Defenses
  • Good luck.

7
MAC Spoofing Defenses
  • The only way to logically defend against MAC spoofing is on an
    Ethernet network, where the physical connections reveal that two
    machines are using the same address.
  • If the same address is not in use twice on a network, the only
    logical way to prevent an attack would be to restrict the network
    to addresses with registered prefixes.

8
MAC Spoofing Defenses
  • So, banning people from a network based on MAC
    address is NOT effective.
  • In addition, privileges on a network should NEVER
    EVER be based on MAC address.

9
OS Spoofing
  • Useful tools: Security Cloak (Win32), Morph (Linux)
This is mostly done for protection against the information gathering
phase of an attack, so that OS-specific exploits are more difficult to
use. Or in the rare case that your access to something is restricted
based on your OS.

10
OS Spoofing
  • In reality, there's simply no way to detect or
    defend against this at all, besides avoiding the
    use of restrictions based on OS.
  • But, it's not really much of an attack.
  • This is almost always done as a defensive measure
    in itself.

11
HTTP Header Spoofing
  • Useful tools: WebScarab, Burp Suite, Telnet, Netcat
This attack involves modifying the headers sent in an HTTP request, or in
another request based on or similar to an HTTP request. Some examples
include referral (Referer) spoofing and user agent spoofing.

12
HTTP Header Spoofing: Referer
  • The Referer header indicates the page which
    linked to the page being requested. Or, it's
    supposed to.
  • Some people use this to verify that someone is
    coming from a certain location, and to
    authenticate them without the need for a password.

13
BAD. WRONG. DUMB. SHOE GOES ON HAND. DUR.
14
HTTP Header Spoofing: User-Agent
  • Similarly, some sites require you to use a
    certain browser in order to use their site,
    without there actually being a need.
  • (Please refer to the previous slide.)
  • This is determined by the User-Agent header,
    which can also be spoofed.

15
HTTP Header Spoofing: X-Forwarded-For
  • Furthermore, for HTTP proxies, there is a header
    called X-Forwarded-For. This is usually filled in
    with the IP of the computer for whom the data is
    being forwarded, in non-anonymous proxies.
  • Usually. But it doesn't have to be.
  • Often, servers will trust this header to be the
    real IP. A safer assumption is that it's worth
    recording, along with the real IP address making
    the request.
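The handling the slide recommends, as an added example that is not part of the presentation: the socket peer address is the only value the server verified, so X-Forwarded-For is logged beside it and only used to choose the acting address when the peer is one of our own proxies (the TRUSTED_PROXIES allow-list and the sample addresses are assumptions made for the example).

```python
import ipaddress

# Constructed example, not the presentation's code. TRUSTED_PROXIES is an
# assumed allow-list of the site's own reverse proxies; everything else
# (peer address, header value) is untrusted input.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def client_ip(peer_ip, xff_header):
    """Return (ip_to_act_on, ip_to_log, claimed_chain).

    The peer address comes from the TCP connection and cannot be faked the
    way a header can. X-Forwarded-For is honoured only when the peer is one
    of our own proxies, and even then only its last entry, because every
    earlier entry was written by whoever sent the request to that proxy.
    The whole claimed chain is returned so it can be recorded next to the
    real address, as the slide suggests.
    """
    peer = ipaddress.ip_address(peer_ip)
    chain = []
    for part in (xff_header or "").split(","):
        part = part.strip()
        if not part:
            continue
        try:
            chain.append(ipaddress.ip_address(part))
        except ValueError:
            chain.append(None)      # garbage or injected text: keep a marker, never trust it
    if peer in TRUSTED_PROXIES and chain and chain[-1] is not None:
        acting = chain[-1]          # address that connected to our proxy
    else:
        acting = peer               # header unverifiable: act on the real peer
    logged_chain = [str(c) if c is not None else "<invalid>" for c in chain]
    return str(acting), str(peer), logged_chain
```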

16
HTTP Header Spoofing for Code Injection
  • Finally, since many people assume that HTTP
    headers cannot be controlled by the client (refer
    to slide 12), they often go unchecked, and are
    usually sources of code injection
    vulnerabilities.
  • Even Sun Microsystems made this mistake with
    their iPlanet web server!

17
Caller ID Spoofing
  • Like email spoofing, Caller ID can be spoofed.
    Several sites like Telespoof.com allow you to
    make phone calls with spoofed caller ID.
    Additionally, setting up a PBX yourself will
    allow you to do the same.

18
Email Spoofing
  • Useful tools: Telnet, Netcat, and various anonymous mail programs
It is possible to send an email and specify a fake From address, so do
not use email as a form of authentication. Plain and simple.

19
Analogies and diagrams are fun!
(Diagram with three parties: Frank, labelled "Here's you."; Ed, labelled
"Here's your buddy."; and Red Guy, labelled "Here's some red guy.")
  • Red Guy, to Frank: "Hey Frank, it's Ed. What's the password again?"
  • Frank, to Ed: "Hey Ed, it's Frank. The password is doggy."
  • Ed: "???"
  • No password for you, Red Guy!
20
IP Spoofing
  • Useful tools: Hunt (Linux), Mendax (Linux), ipspoof (Linux)
  • Difficulty of exploitation: Very Hard to Ridiculous
Spoofing your IP address is not difficult. Nor is sending data from
someone else's IP address. It's similar to sending mail with a fake
return address. Receiving the reply is the difficult part. As such, this
attack is referred to more accurately as TCP sequence prediction.

21
Three-Way TCP Handshake
  • In the case of making a TCP connection, there is
    a three-way handshake which is made. The first
    packet is sent from the client, and is a request
    to SYNchronize. (SYN)
  • The next packet is from the server, and is a
    SYNchronization ACKnowledgement. This contains a
    sequence number. (SYN/ACK)
  • Finally, the client responds by ACKnowledging
    that it received the sequence number and returns
    it, incremented by 1. (ACK)

22
IP Spoofing
  • This is supposed to verify that the client's IP
    address is valid. How else could he have received
    that number?
  • The problem comes in when an attacker can
    successfully predict the sequence number to be
    used.

23
IP Spoofing
  • There is, however, another big problem for Red
    Guy. How can he keep the person he's
    impersonating from getting flooded with packets?
  • He can either pick a time where their system is
    off, or simply DoS them. And speaking of which...

24
Denial-of-Service (DoS)
  • See, this is why we can't have nice things.

25
Ping Flood
  • Useful tools: Ping
  • Difficulty of exploitation: Easy
It involves pinging the victim so frequently and with so much data that
their bandwidth is exhausted, and they cannot continue to deliver or
receive the data they want to. The chance of success for this attack is
based on a pure test of the attacker's bandwidth vs. the victim's.

26
Ping Flood
  • With the simplicity of this attack, even a
    preteen with a couple minutes worth of training
    can successfully execute this attack, given
    enough resources.
  • The downsides to this attack are that it is VERY noisy, it is easy
    to trace back, and it is an attack based on attrition. Whoever has
    the most bandwidth wins.

27
Ping Flood
  • The defense against a ping flood is fairly
    simple.
  • Look for lots of huge pings coming from one IP
    address, and drop them.
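The defense stated above as detection logic, added here as an example that is not part of the presentation: count echo requests and echo-request bytes per source over a sliding window and flag sources that exceed a threshold. The log format and the addresses are constructed for the example; a real deployment would feed firewall or packet-capture records.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic): one line per ICMP echo request.
SAMPLE_LOG = """\
t=0.00 proto=icmp type=8 src=203.0.113.7 dst=198.51.100.10 len=1472
t=0.01 proto=icmp type=8 src=203.0.113.7 dst=198.51.100.10 len=1472
t=0.02 proto=icmp type=8 src=203.0.113.7 dst=198.51.100.10 len=1472
t=0.03 proto=icmp type=8 src=203.0.113.7 dst=198.51.100.10 len=1472
t=0.04 proto=icmp type=8 src=203.0.113.7 dst=198.51.100.10 len=1472
t=0.50 proto=icmp type=8 src=192.0.2.4 dst=198.51.100.10 len=64
t=1.10 proto=icmp type=8 src=203.0.113.7 dst=198.51.100.10 len=1472
t=1.20 proto=icmp type=8 src=192.0.2.4 dst=198.51.100.10 len=64
"""

# Matches only echo requests (ICMP type 8) in the made-up log format above.
LINE = re.compile(r"t=(?P<t>[\d.]+) proto=icmp type=8 src=(?P<src>\S+) \S+ len=(?P<len>\d+)")


def ping_flood_sources(log, window=1.0, max_pkts=4, max_bytes=4000):
    """Return the set of source IPs that, within any `window` seconds, sent
    more than `max_pkts` echo requests or more than `max_bytes` bytes of
    echo-request traffic. Those are the sources a filter should drop."""
    events = defaultdict(list)          # src -> [(time, length), ...] in arrival order
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events[m["src"]].append((float(m["t"]), int(m["len"])))

    flagged = set()
    for src, evs in events.items():
        start = 0                       # index of the oldest event still inside the window
        pkts = nbytes = 0
        for t, n in evs:
            pkts += 1
            nbytes += n
            while evs[start][0] < t - window:   # evict events that fell out of the window
                pkts -= 1
                nbytes -= evs[start][1]
                start += 1
            if pkts > max_pkts or nbytes > max_bytes:
                flagged.add(src)
                break                   # one verdict per source is enough
    return flagged
```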

28
Ping of Death
  • Useful tools: Ping of Death, HPing (Linux)
  • Difficulty of exploitation: Easy
This attack violates one of the simplest rules of ICMP echo packets,
specifically that their payload cannot be larger than 65535 bytes. Many
old versions of operating systems couldn't handle larger packets, and
would crash due to a buffer overflow. Sending repeated pings of death
could keep a system offline for a long time. Fortunately, this problem
is largely historical.

29
SYN Flood
  • Useful tools: HPing
  • Difficulty of exploitation: Medium
This attack involves starting multiple TCP handshakes with a SYN packet
from a fake IP address and deliberately not finishing them. As more and
more SYN packets are sent, the available slots for connection attempts
are filled up and eventually, even legitimate users are denied a
connection.

30
SYN Flood Defenses
Random Drop (Eenie, meenie, minie, mo.)
  • Drop one random entry when the queue is full
  • Allows legitimate connections to have a chance
SYN Cookies (Just like grandma used to make.)
  • Craft TCP sequence numbers so that they contain:
      • A counter value t
      • A maximum segment size m
      • The result of a secret cryptographic function performed on the
        source ip/port, server ip/port, and t
  • SYN entries no longer need to be logged
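A worked SYN cookie following the recipe above, added here as an example that is not the presentation's code. It serves both the handshake slides (the server's sequence number must be returned incremented by 1, and it only proves anything if it cannot be predicted) and this slide: the ISN packs the counter t, an encoded MSS m and a keyed hash over client ip/port, server ip/port and t, so the server keeps no per-SYN state. The secret key, the MSS table and the 64-second tick are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed example, not the presentation's code. Placeholder key and an
# assumed table of MSS values that fit in the 3-bit m field.
SECRET = b"example-secret-rotate-me"
MSS_TABLE = [536, 1220, 1440, 1460]


def _mac24(src_ip, src_port, dst_ip, dst_port, t):
    """24-bit truncation of a keyed hash over the 4-tuple and the counter t."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _tick(now):
    """5-bit counter t that advances every 64 seconds (assumed tick size)."""
    return (int(time.time() if now is None else now) // 64) & 0x1F


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, now=None):
    """Server ISN for the SYN/ACK: [t: 5 bits][m: 3 bits][hash: 24 bits].
    Nothing about the half-open connection has to be stored."""
    t = _tick(now)
    # largest table entry not above the client's MSS (index 0 if none fit)
    m = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    return (t << 27) | (m << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, t)


def check_cookie(ack, src_ip, src_port, dst_ip, dst_port, now=None):
    """Validate the final ACK of the handshake. The client returns ISN + 1,
    so the cookie is ack - 1. Returns the MSS to use for the connection, or
    None when the cookie is stale, forged, or belongs to another 4-tuple."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    m = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    if ((_tick(now) - t) & 0x1F) > 1:      # more than about two ticks old (or wrapped)
        return None
    if m >= len(MSS_TABLE):
        return None
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, t)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                        # guessed or replayed sequence number
    return MSS_TABLE[m]
```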

31
Distributed Denial-of-Service (DDoS)
  • Useful tools: Trinoo, Tribe Flood Network, Stacheldraht (all win32)
  • Difficulty of exploitation: Easy
This attack involves a denial of service attack (usually a ping flood)
coming from multiple sources. This is usually achieved by compromising
many systems and sending commands to all of them to ping flood the
victim at once. The more compromised systems, often referred to as
zombies, the more powerful the attack.

32
DDoS Defenses
  • The police, and the legal system.
  • It is very difficult to block DDoS attacks, as
    often the packets are legitimate in content but
    used with malicious intent.

33
Distributed Reflected Denial-of-Service (DRDoS)
  • Useful tools: HPing, Stacheldraht
  • Difficulty of exploitation: Medium/Hard
This improves upon the DDoS model by sending packets with a source IP
address spoofed to that of your victim to various servers. The packets
are then responded to by sending packets to the victim. With enough
traffic, the flood is both effective and very difficult to trace.

34
Smurfs and Fraggles
  • Useful tools: HPing, smurf.c, fraggle.c
  • Difficulty of exploitation: Medium/Hard
This attack involves pinging a broadcast address of a network from the
outside with a spoofed source address. If the network is configured a
certain way, each individual computer within that particular subnet will
respond. With several large misconfigured networks, there is great
potential for traffic amplification.

35
Smurfs and Fraggles
  • Oh and by the way, the difference between a smurf
    attack and a fraggle attack is the protocol
    used. Smurfing uses TCP, Fraggling uses UDP.

36
And now you know how attackers can be sneaky, and
completely not sneaky.