EIU CIS 3200 - CIS3200Class28

Slide 1: Security (Part 1)
School of Business, Eastern Illinois University
© Abdou Illia, Spring 2007
(Week 13, Tuesday 4/3/2007)

Slide 2: Learning Objectives
- Discuss types of system attacks
  – Scanning process
  – Types of attacks
- Discuss system defense tools & techniques
  – Security goals
  – Defense tools and techniques

Slide 3
Received: from hotmail.com (bay103-f21.bay103.hotmail.com [65.54.174.31])
    by barracuda1.eiu.edu (Spam Firewall) with ESMTP id B10BA1F52DC
    for <[email protected]>; Wed, 8 Feb 2006 18:14:59 -0600 (CST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Wed, 8 Feb 2006 16:14:58 -0800
Message-ID: <[email protected]>
Received: from 65.54.174.200 by by103fd.bay103.hotmail.msn.com with HTTP;
    Thu, 09 Feb 2006 00:14:58 GMT
X-Originating-IP: [192.30.202.14]
X-Originating-Email: [[email protected]]
X-Sender: [email protected]: <10E30E5174081747AF9452F4411465410C5BB560@excma01.cmamdm.enterprise.corp>
X-PH: V4.4@ux1
From: <[email protected]>
To: [email protected]: RE: FW: Same cell#
Subject: RE: FW: Same cell#
Date: Thu, 09 Feb 2006 00:14:58 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 09 Feb 2006 00:14:58.0614 (UTC) FILETIME=[DCA31D60:01C62D0D]
X-Virus-Scanned: by Barracuda Spam Firewall at eiu.edu
X-Barracuda-Spam-Score: 0.00

Slide 4: Identifying security attacks' targets
- Scanning (Probing)
  – Ping messages (To know if a potential victim exists)
    → Firewalls usually configured to prevent pinging by outsiders
  – Supervisory messages (To know if victim available)
  – Tracert, Traceroute (To know how to get to target)
http://www.netscantools.com/nstpro_netscanner.html

Slide 5: Identifying security attacks' targets
- Examining scanning results reveals
  – IP addresses of potential victims
  – What services victims are running. Different services have different weaknesses
  – Host's operating system, version number, etc.
- Whois database at NetworkSolutions also used when ping scans fail
- Social engineering
  – Tricking employees into giving out passwords and keys
- Guessing passwords and Dictionary attacks (Using Password Recovery software and other tools)

Slide 6: Review Questions 1
- What do ping messages allow?
- Why are ping scans often not effective?
- What does social engineering mean?
- An organization has a DNS server with IP address 128.171.3.1. What IP address range would an attacker search to find hosts to attack?

Slide 7: Types of system attacks
Attacks
- Physical Access Attacks: Wiretapping, Vandalism, Drive-by-hacking
- Denial-of-Service: Flooding, Smurf, Ping of death, LAND, DDoS
- Intercepting messages: Eavesdropping, Message alteration
- Malware: Virus, Worms, Trojan horse, Logic bomb

Slide 8: Denial of Service (DoS) attacks
- Types of DoS attacks:
  ✓ Flooding DoS
  ✓ Smurf Flooding DoS
  ✓ Ping of Death attacks
  ✓ LAND attacks
  ✓ Distributed Denial of Service attacks

Slide 9: Flooding DoS
- Send a stream of request messages to the target
- Makes the target run very slowly or crash
- Objective is to have the target deny service to legitimate users
[Figure: Attacker sends DoS requests to the Server while legitimate users send legitimate requests]
http://www.netscantools.com/nstpro_netscanner.html

Slide 10: Smurf Flooding DoS
- Attacker uses IP spoofing (false source IP address in outgoing messages)
- Attacker sends ping / echo messages to third party computers on behalf of the target
- All third party computers respond to target

Slide 11: Ping of Death attacks
- Take advantage of
  – Fact that TCP/IP allows large packets to be fragmented
  – Some operating systems' inability to handle packets larger than 65536 bytes
- Attacker sends request messages that are larger than 65,536 bytes
- Ping of Death attacks are usually single-message DoS attacks
- Ping of Death attacks are rare today as most operating systems have been fixed to prevent this type of attack from occurring
http://insecure.org/sploits/ping-o-death.html

Slide 12: LAND attacks
- First appeared in 1997
- Attacker uses IP spoofing (false source IP address in outgoing messages)
- Attacker sends IP packets where the source and destination address refer to target itself.
- LAND attacks are usually single-message DoS attacks
- Back then, operating systems and routers were not designed to deal with loopback
- Problem resurfaced recently with Windows XP and Windows 2003 Server

Slide 13: Distributed DoS (DDoS) Attack
[Figure: Attacker sends Attack Commands to Computers with Zombie, which send DoS Messages to the Server]
- Attacker hacks into multiple clients and plants Zombie programs on them
- Attacker sends commands to Zombie programs which execute the attacks
- First appeared in 2000 with Mafiaboy attack against cnn.com, ebay.com, etrade.com, dell.com, etc.

Slide 14: Review Question 2
- F T  Single-message DoS attacks send unusual messages for which the software designer on the target device did not plan.
- F T  DDoS can be seen as a way to launch a denial of service attack rather than a type of attack
- Why don't all DoS attacks use IP address spoofing to maintain anonymity?
- T F  All DoS messages are requests that require a response message from the target

Slide 15: Intercepting messages
- Eavesdropping: Intercepting confidential messages
[Figure: Message exchange between Client PC (Allex's) and Server (Steve's): "What is account #?" / "Account number 111-2233444". Attacker (Eve) taps into the conversation: tries to read messages]
- Eavesdropping is also called Person-in-the-middle attack

Slide 16: Intercepting messages
- Message alteration: Attacker intercepts the message, alters it and, then, forwards it
[Figure: Message exchange between Client PC and Server: "What is the balance?" / "Balance = $1.00" / "Balance = $1000.00"]

Slide 17: Malware attacks
- Types of malware:
  ✓ Viruses
  ✓ Worms
  ✓ Trojan horses
  ✓ Logic bombs

Slide 18: Virus
- Program (script, macro) that:
  – Attaches to files
  – Performs annoying actions when they are executed
  – Performs destructive actions when they are executed
  – Spreads by user actions (floppy disk, flash drive, opening email attachment, IRC, etc), not by themselves.
- Could be
  – Boot sector virus: attaches itself to files in boot sector of HD
  – File infector virus: attaches itself to program files and user files
  – Polymorphic virus: mutates with every infection, making it hard to locate

Slide 19: Worm
- Does not attach to files
- A self-replicating computer program that propagates across a system
- Uses a host computer's resources and network connections to transfer a copy of itself to another computer
- Harms the host computer by consuming processing time and memory
- Harms the network by
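The two single-message DoS attacks on the Ping of Death and LAND slides each reduce to one IPv4 header check that a packet filter or IDS can apply. The code below is an added example, not part of the original slides; the function names and sample headers are constructed, and the size limit it uses is 65,535 bytes, the largest value IPv4's 16-bit Total Length field can hold.

```python
import ipaddress
import struct

MAX_DATAGRAM = 65535  # largest size IPv4's 16-bit Total Length field can hold
IPV4_FIXED = "!BBHHHBBH4s4s"  # the 20-byte fixed IPv4 header

def build_header(src, dst, total_len, frag_units=0, more_frags=False):
    """Constructed sample header (checksum left at 0); not captured traffic."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_units & 0x1FFF)
    return struct.pack(IPV4_FIXED, 0x45, 0, total_len, 0x1234, flags_frag, 64, 1, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def check_header(header):
    """Return the single-message DoS indicators present in one IPv4 header."""
    if len(header) < 20:
        return ["truncated"]
    ver_ihl, _, total_len, _, flags_frag, _, _, _, src, dst = struct.unpack(
        IPV4_FIXED, header[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        return ["malformed"]
    findings = []
    # LAND: source and destination address both name the same host.
    if src == dst:
        findings.append("land")
    # Ping of Death: this fragment's data would end past the largest legal
    # datagram once reassembled (the offset is carried in 8-byte units).
    data_end = (flags_frag & 0x1FFF) * 8 + (total_len - ihl)
    if ihl + data_end > MAX_DATAGRAM:
        findings.append("oversized-reassembly")
    return findings

# Constructed samples using documentation address ranges.
SAMPLES = {
    "normal echo": build_header("198.51.100.7", "192.0.2.10", 84),
    "land": build_header("192.0.2.10", "192.0.2.10", 40),
    "legit last fragment": build_header("198.51.100.7", "192.0.2.10", 1500, 185),
    "fragment ending at limit": build_header("198.51.100.7", "192.0.2.10", 23, 8189),
    "fragment past limit": build_header("198.51.100.7", "192.0.2.10", 420, 8189),
}

def scan(samples=SAMPLES):
    """Map each sample name to the indicators found in its header."""
    return {name: check_header(hdr) for name, hdr in samples.items()}

if __name__ == "__main__":
    for name, findings in scan().items():
        print(f"{name:26} {findings or 'ok'}")
```

The oversize check looks at each fragment on its own, so it flags the offending fragment before any reassembly buffer is touched, which is where the unpatched systems described on the slide failed.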

