Being an Intermediary for Another Attack - PowerPoint PPT Presentation

1
Being an Intermediary for Another Attack
  • Prepared By Muhammad Majali
  • Supervised By Dr. Loai Tawalbeh
  • New York Institute of Technology (winter 2007)

2
Introduction
  • The rapid development of Internet and computer
    technologies makes it easier for the intruders to
    break into other people's computers. On one hand,
    application software becomes more and more
    complex and, therefore, thorough testing becomes
    increasingly difficult. As a result, "security
    holes" are unintentionally left open which are
    discovered and exploited by hackers.

3
  • On the other hand, the computational power of
    computers is continuously increasing which means
    that a large number of computers connected on the
    Internet can be scanned in a short time and
    various security holes can be discovered quite
    easily.

4
Ways of being an intermediary for another attack
  1. Smurf Flooding Attacks
  2. Distributed DoS attack by compromising other
    hosts (e.g. MafiaBoy)

5
1- Smurf Flooding Attacks
  • The attacker sends a long stream of pings (ICMP
    echo messages) to a third party. The attacker
    uses IP address spoofing, making the source IP
    address in these pings the IP address of the
    victim. Consequently, the pinged hosts send their
    ICMP echo replies to the victim host,
    overwhelming it.

6
  • For this attack to be successful, the third party
    being pinged must have a router that will
    broadcast the ping message to all hosts in the
    router's attached networks. This way, a single
    echo request gives rise to dozens or even hundreds
    of echo response packets that will flood the
    victim.

7
Smurf Flooding Scenario
  • Let's look at a scenario to paint a picture of
    the dangerous nature of this attack. Assume a
    co-location switched network with 100 hosts, and
    that the attacker has a T1. The attacker sends,
    say, a 768 kb/s stream of ICMP echo (ping)
    packets, with a spoofed source address of the
    victim, to the broadcast address of the "bounce
    site".

8
  • These ping packets hit the bounce site's
    broadcast network of 100 hosts; each of them
    takes the packet and responds to it, creating 100
    ping replies outbound. If you multiply the
    bandwidth, you'll see that 76.8 Mbps is used
    outbound from the "bounce site" after the traffic
    is multiplied. This is then sent to the victim
    (the spoofed source of the originating packets).
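The amplification arithmetic of slides 7 and 8, and the two places where this traffic is visible to a defender (echo requests arriving at a subnet's broadcast address at the bounce site, and a burst of echo replies from many sources converging on one host at the victim), as an added example that is not part of the original presentation. The flow records, the subnets 10.20.30.0/24 and 10.20.31.0/24, and the thresholds are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records, not from the slides: (seconds, src_ip, dst_ip,
# icmp_type) with ICMP type 8 = echo request and type 0 = echo reply.
SAMPLE_FLOWS = [
    # Spoofed echo requests to the bounce site's broadcast address; the
    # source is the victim 60.168.47.47, as on slide 9.
    (0.0, "60.168.47.47", "10.20.30.255", 8),
    (0.1, "60.168.47.47", "10.20.30.255", 8),
    (0.2, "60.168.47.47", "10.20.30.255", 8),
    # Replies from 40 bounce-site hosts converging on the victim.
    *[(0.3 + i / 100, f"10.20.30.{i}", "60.168.47.47", 0) for i in range(1, 41)],
    # Normal traffic: one unicast ping and its reply.
    (5.0, "10.20.30.5", "10.20.31.7", 8),
    (5.0, "10.20.31.7", "10.20.30.5", 0),
]

# Subnets the monitored site owns (assumed for the example).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "10.20.31.0/24")]

def reply_bandwidth_mbps(request_kbps, amplifier_hosts):
    """Outbound reply rate if every host on the broadcast segment answers.
    Slides 7-8: a 768 kb/s request stream times 100 hosts is 76.8 Mb/s."""
    return request_kbps * amplifier_hosts / 1000

def directed_broadcast_requests(flows, local_nets=LOCAL_NETS):
    """Amplifier-side check: echo requests addressed to one of our subnet
    broadcast addresses. Returns {broadcast_address: request_count}."""
    bcast = {str(n.broadcast_address) for n in local_nets}
    hits = defaultdict(int)
    for _, _, dst, icmp_type in flows:
        if icmp_type == 8 and dst in bcast:
            hits[dst] += 1
    return dict(hits)

def reply_floods(flows, window=1.0, min_sources=20):
    """Victim-side check: echo replies to one destination from at least
    min_sources distinct hosts within `window` seconds.
    Returns {destination: max_distinct_sources_in_a_window}."""
    buckets = defaultdict(set)
    for t, src, dst, icmp_type in flows:
        if icmp_type == 0:
            buckets[(dst, int(t // window))].add(src)
    flagged = {}
    for (dst, _), sources in buckets.items():
        if len(sources) >= min_sources:
            flagged[dst] = max(flagged.get(dst, 0), len(sources))
    return flagged
```

Run over real flow exports, the bounce-site check is the one that tells you your network is the intermediary; the reply-flood check is what the victim's border router would see.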

9
Smurf Flooding DoS Attack (diagram)
  1. Single ICMP Echo Message from Attacker 1.34.150.37:
    Source IP 60.168.47.47 (Victim), Destination IP
    Broadcast
  2. Router with Broadcasting Enabled (at the Innocent
    Firm)
  3. Broadcast Echo Message to every host behind the
    router
  4. Echo Replies to Victim 60.168.47.47
10
How to Determine if Your Network is Vulnerable
  • Several sites have been established to do both
    active and passive scanning of networks to
    determine whether or not directed broadcast is
    enabled.
  • http://www.powertech.no/smurf/ is a site which
    will scan your network and allow you to
    enter a known smurf amplifier site.

12
How to keep your site from being an intermediary
used to attack victims
  • The perpetrators of these attacks rely on the
    ability to source spoofed packets to the
    "amplifiers" in order to generate the traffic
    which causes the denial of service.

13
Disable IP-directed broadcasts at your router
  • To stop this, all networks should perform
    filtering either at the edge of the network where
    customers connect (access layer) or at the edge
    of the network with connections to the upstream
    providers, so that source-address-spoofed packets
    can neither enter from downstream networks nor
    leave for upstream networks.

14
Disable IP-directed broadcasts at your router
  • Additionally, router vendors have added or are
    currently adding options to turn off the ability
    to spoof IP source addresses by checking the
    source address of a packet against the routing
    table to ensure the return path of the packet is
    through the interface it was received on.

15
Configure your operating system to prevent the
machine from responding to ICMP packets sent to
IP broadcast addresses.
  • If an intruder compromises a machine on your
    network, the intruder may try to launch a smurf
    attack from your network using you as an
    intermediary. In this case, the intruder would
    use the compromised machine to send the ICMP echo
    request packet to the IP broadcast address of the
    local network. Since this traffic does not travel
    through a router to reach the machines on the
    local network, disabling IP-directed broadcasts
    on your routers is not sufficient to prevent this
    attack.

16
  • Some operating systems can be configured to
    prevent the machine from responding to ICMP
    packets sent to IP broadcast addresses.
    Configuring machines so that they do not respond
    to these packets can prevent your machines from
    being used as intermediaries in this type of
    attack.
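A defender-side audit of the three controls on slides 13 to 16 (directed broadcasts disabled on router interfaces, a routing-table check of source addresses, and hosts that ignore echo requests sent to broadcast addresses), as an added example that is not part of the original presentation. The configuration text is constructed; it assumes Cisco IOS-style syntax, where `ip directed-broadcast` forwards directed broadcasts and `ip verify unicast reverse-path` enables the reverse-path source check, and it assumes the Linux sysctl `net.ipv4.icmp_echo_ignore_broadcasts` for the host setting.

```python
import re

# Constructed Cisco IOS-style configuration, not from the slides or a real
# device. `ip directed-broadcast` relays broadcasts (the amplifier behaviour of
# slide 6); `ip verify unicast reverse-path` is the source check of slide 14.
ROUTER_CONFIG = """\
interface FastEthernet0/0
 ip address 10.20.30.1 255.255.255.0
 ip directed-broadcast
!
interface FastEthernet0/1
 ip address 192.0.2.2 255.255.255.252
 no ip directed-broadcast
 ip verify unicast reverse-path
!
"""

def parse_interfaces(config):
    """Return {interface_name: [indented config lines, stripped]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return stanzas

def audit_router(config):
    """Return {interface: [findings]} for interfaces that relay directed
    broadcasts or lack the reverse-path check (absence of the
    `ip directed-broadcast` line is treated as disabled, the modern IOS default)."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        if "ip directed-broadcast" in lines:
            issues.append("directed broadcasts forwarded; add 'no ip directed-broadcast'")
        if "ip verify unicast reverse-path" not in lines:
            issues.append("no source-address check; add 'ip verify unicast reverse-path'")
        if issues:
            findings[name] = issues
    return findings

def host_ignores_broadcast_ping(sysctl_output):
    """Host hardening of slides 15-16 on Linux: the kernel drops ICMP echo sent
    to broadcast addresses when net.ipv4.icmp_echo_ignore_broadcasts is 1."""
    m = re.search(r"net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*(\d)", sysctl_output)
    return m is not None and m.group(1) == "1"
```

The host check is what slide 15 is about: it has to hold on the hosts themselves, because a compromised machine on the LAN reaches the broadcast address without crossing the router.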

17
Information for victims and how to suppress
attacks
  • Filtering ICMP echo reply packets destined for
    your high-profile machines at the ingress
    interfaces of the network border routers permits
    the packets to be dropped at the earliest
    possible point. It does not mean that the network
    access pipes won't fill, as the packets will
    still come down the pipe to be dropped at the
    router. It will, however, take the load off the
    system being attacked. Keep in mind that this
    also prevents that machine from pinging others
    (the replies will never reach it).

18
Distributed DoS attack by compromising others
host
  • Intruders will frequently use compromised
    computers as launching pads for attacking other
    systems. An example of this is how distributed
    denial-of-service (DDoS) tools are used. The
    intruders install an "agent" (frequently through
    a Trojan horse program) that runs on the
    compromised computer awaiting further
    instructions. Then, when a number of agents are
    running on different computers, a single
    "handler" can instruct all of them to launch a
    denial-of-service attack on another system. Thus,
    the end target of the attack is not your own
    computer, but someone else's; your computer is
    just a convenient tool in a larger attack.

19
Installing Handler and Zombie Computers
  • Before initiating the denial-of-service attack,
    the attacker first installs attack programs on
    the other computers. Zombie programs actually
    carry out the attack on the victim.
  • Handler Programs tell the Zombie programs when to
    carry out attacks.

20
Implementing the Attack
  • Once the handler and zombie programs are in
    place, the attacker sends messages to the handler
    computers, telling them to carry out the attack.
    The handlers in turn tell the zombie programs
    under their control to carry out the attack.

21
Difficulty in Identification
  • The attacker's computer, which is two steps
    removed from the attack, is very difficult to
    identify. In addition, because zombies can be
    spread all over the Internet, the attack messages
    come from many different sources, making them
    difficult to filter out at border firewalls.
    Example: MafiaBoy.

22
Distributed Denial-of-Service (DDoS) Attack (diagram)
  • Attacker 1.34.150.37 sends an Attack Command to
    each Handler
  • Each Handler relays the Attack Command to the
    Zombies it controls
  • The Zombies send Attack Packets to Victim
    60.168.47.47
23
How to keep your host from being compromised by
attackers
  1. Use anti-virus software
  2. Use firewall protection
  3. Do not open unknown e-mail attachments
  4. Disable hidden file extensions
  5. Keep your system updated
  6. Disable "mobile code"
  7. Backups and start-up disk
  8. Consult the experts
