Stanford CS 155 - Lecture 7 - Web Site Security

Web Site Security
John Mitchell

Typical website architecture
(diagram: Presentation, Business and Data tiers)

Website Security
• Network security – cover later
  – Secure the connection between browser and server
    – Integrity and confidentiality of data
• Denial of service
  – DDOS attack
• Scripting vulnerabilities
  – Similar to other attacks on buggy code
  – Scripting languages have their own problems
• Authentication hacks
  – Lots of good stories …

General guidelines [Stein, Web Security]
• Disable unnecessary features
  – Automatic directory listings, symbolic link following, CGI scripts and server modules, server-side includes, user-supported directories
• Start and stop server without requiring root
• Run in change-root environment
• Limit denial of service
• Monitor performance and integrity of system
  – System logs, web server logs
• Back up your system

10 Principles [Viega and McGraw]
• Secure the weakest link
• Practice defense in depth
• Fail securely
• Follow the principle of least privilege
• Compartmentalize
• Keep it simple
• Promote privacy
• Remember that hiding is hard
• Be reluctant to trust
• Use your community resources

How disaster strikes …

To: [email protected]
Subject: Yahoo network outage
From: Declan McCullagh <[email protected]>
Date: Mon, 07 Feb 2000 16:22:41 -0500
Delivered-To: [email protected]

… I was wondering whether anyone has some insight into what happened with Yahoo. The main site (although not all properties) has been offline since 10:30 am pt Monday. It doesn't *appear* to be Global Crossing's problem, though I can't be sure. GC is mum on the phone. -Declan

To: Declan McCullagh <[email protected]>
Subject: Re: Yahoo network outage
From: Richard Irving <[email protected]>
Date: Mon, 07 Feb 2000 16:34:44 -0500

To Quote my Noc: I just got off the phone with Global Center NOC. GlobalCenter Sunnyvale Router is down. Both Yahoo! and Global Center are working on the problem at this time. No ETA for repair

To: [email protected]
Subject: Re: Yahoo network outage
From: Kai Schlichting <[email protected]>
Date: Mon, 07 Feb 2000 16:37:10 -0500
Delivered-To: [email protected]

Yahoo seems to be down by itself, but GC (The former Exodus?) was majorly hosed for a couple of hours today, at least when seen from UUnet. This has cleared up since. The way it looked, they must have lost a larger circuit and traffic was falling back onto something smaller. I certainly heard about it from customers today.

To: <[email protected]>
Subject: Yahoo offline because of attack (was: Yahoo network outage)
From: Declan McCullagh <[email protected]>
Date: Mon, 07 Feb 2000 20:31:24 -0500

Yahoo told me on the phone that it's a malicious attack, and Global Center says the same thing. In Yahoo's words: "a coordinated distributed denial of service attack." We've got a brief story up at: http://www.wired.com/news/business/0,1367,34178,00.html The problem apparently originated with a router. But what kind of attack could have taken the network offline for that period of time and not affected other Global Center customers? I mean, there had to have been a gaping security hole somewhere: It looks like the routes got lost for (nearly) all of the Yahoo network, but no other non-Yahoo sites... -Declan

Routers Blamed for Yahoo Outage
by Declan McCullagh and Joan
• Most of the Yahoo network was unreachable for three hours on Monday as the company weathered what it described as a widespread malicious attack on its Web sites.
• Attackers reportedly laid siege …, snarling Yahoo's internal network and denying millions of visitors access …
• An engineer at another company … told Wired News the outage was due to misconfigured equipment.
• Details remained sketchy, with service provider Global Center blaming an intentional surge in traffic and Yahoo claiming a cadre of as-yet-unknown vandals fouled their system. No Web content appeared to have been altered or deleted.
• A Yahoo spokesperson called it a "coordinated distributed denial of service attack" …

To: Declan McCullagh <[email protected]>
Subject: Re: Yahoo offline because of attack (was: Yahoo network outage)
From: Paul Ferguson <[email protected]>
Date: Tue, 08 Feb 2000 12:19:25 -0500

Declan, This is a very complex issue, and made the DDoS BoF last night even more lively. ;-) Read RFC2267. More people should be doing it, and most of these silly problems will go away. - paul

Routers Blamed for Yahoo Outage
by Declan McCullagh and Joan
• …
• Jeff Schiller, MIT's network manager, said that a denial of service attack could be mistaken for router failure at first.
• "They might have thought they had a bad card in a router, and they shut down the router and replaced the card, and the problem didn't go away," Schiller said. "They probably replaced equipment and then discovered that it didn't solve the problem."
• Schiller speculated that any assault might have been a "Tribal Flood Network" attack. "If this is a denial of service attack, this is one of the first attacks against a public business."

What happened?
• Coordinated effort from many sites
• Sites were compromised
  – According to Dittrich's DDoS analysis, "trinoo and tfn daemons were originally found in binary form on a number of Solaris 2.x systems, which were identified as having been compromised by exploitation of buffer overrun bugs in the RPC services statd, cmsd and ttdbserverd."

DDOS [Ruwen Hess]
(diagram: Client → Handlers → Agents → Victim; labelled edges: unidirectional commands, attack traffic, coordinating communication)

Trin00
• Attacks through UDP flood
• Client to Handler to Agent to Victim
• Multi-master support
• Restarts agents periodically
• Warns of additional connects
• Passwords protect handlers and agents of Trin00 network, though sent in clear text

Tribal Flood Network (TFN)
• Client to Daemon to Victim
• TCP, SYN and UDP floods
• No passwords for client
• Client-Daemon communication only in ICMP
• Needs root access
• Fixed payload size
• Does not authenticate incoming ICMP

Stacheldraht
• Combines Trin00 and TFN features
• Communication is symmetric key encrypted
• Able to upgrade agents on demand
• Client to Handler to Agent to Victim topology, just like Trin00
• Authenticates communication

Serious Business Issue
CYBER LAW JOURNAL
Can Hacking Victims Be Held Legally Liable?
By CARL S. KAPLAN, August 24, 2001
Suppose, Margaret Jane Radin of Stanford Law School wrote recently, that a Web site operated by a
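Stein's "General guidelines" slide above lists the server features to disable (automatic directory listings, symbolic link following, CGI, server-side includes, user-supported directories) and says the server should not need root. As an added example, not from the lecture or from any project, the Python below audits a constructed Apache-style httpd.conf fragment for exactly those settings and emits a hardened copy with the weak values replaced. The directive names (Options, User, Group, UserDir) are Apache's; the fragment itself and the www-data account name are assumptions.

```python
"""Audit an Apache-style httpd.conf fragment for the features Stein's
guidelines say to disable, and emit a hardened copy.

Added example; the config fragment below is constructed, and the
'www-data' account name is an assumption."""

# Options flags that switch on the features the guidelines list.
RISKY_OPTIONS = {
    "Indexes": "automatic directory listings",
    "FollowSymLinks": "symbolic-link following",
    "Includes": "server-side includes",
    "ExecCGI": "CGI execution",
    "All": "every option at once (includes the four above)",
}


def _enabled_options(tokens):
    """Options tokens may carry +/- prefixes; return the ones switched on."""
    return {t.lstrip("+") for t in tokens if not t.startswith("-")}


def _split_directive(raw):
    """Strip comments; return (lower-cased directive name, arguments, original tokens)."""
    parts = raw.split("#", 1)[0].split()
    return (parts[0].lower() if parts else ""), parts[1:], parts


def audit(config_text):
    """Return (line number, finding) pairs for settings the guidelines warn against."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        directive, args, _ = _split_directive(raw)
        if directive == "options":
            for opt in sorted(_enabled_options(args) & set(RISKY_OPTIONS)):
                findings.append((lineno, f"Options {opt} enables {RISKY_OPTIONS[opt]}"))
        elif directive in ("user", "group") and args[:1] == ["root"]:
            findings.append((lineno, f"{directive} root: worker processes keep root privileges"))
        elif directive == "userdir" and args and args[0].lower() != "disabled":
            findings.append((lineno, "UserDir enabled: user-supported directories are served"))
    return findings


def harden(config_text):
    """Rewrite the fragment with the risky features switched off, keeping indentation."""
    out = []
    for raw in config_text.splitlines():
        indent = raw[: len(raw) - len(raw.lstrip())]
        directive, args, parts = _split_directive(raw)
        if directive == "options":
            keep = sorted(_enabled_options(args) - set(RISKY_OPTIONS))
            out.append(f"{indent}{parts[0]} " + (" ".join(keep) if keep else "None"))
        elif directive in ("user", "group") and args[:1] == ["root"]:
            out.append(f"{indent}{parts[0]} www-data")  # assumed unprivileged service account
        elif directive == "userdir":
            out.append(f"{indent}UserDir disabled")
        else:
            out.append(raw)
    return "\n".join(out)


# Constructed httpd.conf fragment with every feature the guidelines warn about turned on.
WEAK_CONFIG = """\
# constructed example, not a real server's configuration
User root
Group root
UserDir public_html
<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes ExecCGI
</Directory>
<Directory "/var/www/static">
    Options -Indexes MultiViews
</Directory>
Timeout 60
"""


if __name__ == "__main__":
    for lineno, finding in audit(WEAK_CONFIG):
        print(f"line {lineno}: {finding}")
    print("--- hardened ---")
    print(harden(WEAK_CONFIG))
```

The audit reports the two root directives, the enabled UserDir and the four risky Options flags on line 6, while the `Options -Indexes MultiViews` block passes because its only enabled flag is harmless; auditing the hardened output yields no findings. Running the server under a non-root account is what makes the "start and stop without root" and change-root guidelines enforceable, so `User root` is treated as a finding rather than a style issue.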
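The Trin00, TFN and Stacheldraht slides above describe UDP, SYN and ICMP floods sent from many compromised agents toward one victim, and Paul Ferguson's reply points at RFC 2267 ingress filtering as the fix for forged sources. As an added example, not code from the lecture or from any of those tools, the Python below runs both defensive checks over constructed flow records: it flags a destination receiving a high packet rate from many distinct sources (the signature of a coordinated flood rather than one noisy client), and it applies an RFC 2267-style policy to a customer-facing interface, listing sources that fall outside the customer's assigned prefix. The Flow field set, the documentation-range addresses and the thresholds are assumptions.

```python
"""Flow-record checks for the two defensive points in the DDoS slides:
spotting a distributed flood at the victim and RFC 2267 ingress filtering
at a provider's customer edge.

Added example; the Flow field set, addresses and thresholds are assumptions
and the records below are constructed, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str          # source address as it appears on the wire (may be forged)
    dst: str          # destination, i.e. the potential victim
    proto: str        # "udp", "tcp" or "icmp"
    syn_only: bool    # TCP flow that never completed the handshake (half-open)
    packets: int      # packets counted in this record
    seconds: float    # length of the record window
    ingress_if: str   # router interface the traffic arrived on


def attack_kind(flow):
    """Map a record onto the flood types the Trin00 and TFN slides list."""
    if flow.proto == "udp":
        return "udp-flood"
    if flow.proto == "icmp":
        return "icmp-flood"
    return "syn-flood" if flow.syn_only else "tcp-flood"


def detect_floods(flows, pps_threshold=1000.0, min_sources=5):
    """Alert on destinations receiving a high packet rate from many sources.

    Requiring both conditions separates a coordinated flood from a single
    misbehaving client; the thresholds are assumptions for the sample.
    """
    pps = defaultdict(float)
    sources = defaultdict(set)
    for f in flows:
        key = (f.dst, attack_kind(f))
        pps[key] += f.packets / f.seconds
        sources[key].add(f.src)
    alerts = []
    for (dst, kind), rate in pps.items():
        n = len(sources[(dst, kind)])
        if rate >= pps_threshold and n >= min_sources:
            alerts.append({"victim": dst, "kind": kind, "pps": rate, "sources": n})
    return sorted(alerts, key=lambda a: a["pps"], reverse=True)


def ingress_violations(flows, allowed_prefixes):
    """RFC 2267 ingress filtering: on a customer-facing interface only sources
    inside that customer's prefixes are forwarded.  Returns the sorted source
    addresses the filter would drop; interfaces without a policy are skipped."""
    bad = set()
    for f in flows:
        prefixes = allowed_prefixes.get(f.ingress_if)
        if prefixes is None:
            continue
        if not any(ip_address(f.src) in p for p in prefixes):
            bad.add(f.src)
    return sorted(bad, key=ip_address)


VICTIM = "198.51.100.10"

# Constructed sample using documentation-range addresses.
SAMPLE_FLOWS = (
    # Trin00-style UDP flood: twelve agents at 500 pps each via the upstream link.
    [Flow(f"192.0.2.{i}", VICTIM, "udp", False, 5000, 10.0, "upstream0") for i in range(1, 13)]
    # TFN-style SYN flood: eight agents sending only SYNs.
    + [Flow(f"192.0.2.{i}", VICTIM, "tcp", True, 3000, 10.0, "upstream0") for i in range(100, 108)]
    # Three agents behind a customer link using forged sources outside its prefix.
    + [Flow(f"192.0.2.{i}", VICTIM, "udp", False, 5000, 10.0, "cust0") for i in range(200, 203)]
    # Ordinary web traffic.
    + [Flow("203.0.113.5", VICTIM, "tcp", False, 40, 10.0, "cust0"),
       Flow("203.0.113.7", "198.51.100.20", "tcp", False, 40, 10.0, "cust0"),
       Flow("192.0.2.50", "198.51.100.20", "tcp", False, 60, 10.0, "upstream0")]
)

# Assumed edge policy: everything entering on cust0 must come from 203.0.113.0/24.
CUSTOMER_PREFIXES = {"cust0": [ip_network("203.0.113.0/24")]}


if __name__ == "__main__":
    for a in detect_floods(SAMPLE_FLOWS):
        print(f"{a['kind']:10s} -> {a['victim']}: {a['pps']:.0f} pps from {a['sources']} sources")
    print("dropped by ingress filter:", ingress_violations(SAMPLE_FLOWS, CUSTOMER_PREFIXES))
```

On the sample this raises a udp-flood alert for the victim (7500 pps from 15 sources) and a syn-flood alert (2400 pps from 8 sources), while the ordinary traffic stays below both thresholds; the ingress check names the three forged sources on cust0 and nothing else. The two checks sit at different places in the network: flood detection belongs near the victim or its provider, whereas ingress filtering only helps when the provider hosting the agents deploys it, which is why Ferguson's remark that "more people should be doing it" is the operative point.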