Final Exam - Chapter 2, 6-9


Denial of services attack

--------- is a form of attack on the availability of some service. In the context of computer and communications security, the focus is generally on network services that are attacked over their network connection. We distinguish this form of attack on availability from other attacks, such as the classic acts of god, that cause damage or destruction of IT infrastructure and consequent loss of service. Network bandwidth relates to the capacity of the network links connecting a server to the wider Internet. For most organizations, this is their connection to their Internet service provider (ISP), as shown in the example network in Figure 7.1. Usually this connection will have a lower capacity than the links within and between ISP routers. This means that it is possible for more traffic to arrive at the ISP's routers over these higher-capacity links than to be carried over the link to the organization. In this circumstance, the router must discard some packets, delivering only as many as can be handled by the link. In normal network operation, such high loads might occur to a popular server experiencing traffic from a large number of legitimate users. A random portion of these users will experience a degraded or nonexistent service as a consequence. This is expected behavior for an overloaded TCP/IP network link. In a ______ attack, the vast majority of traffic directed at the target server is malicious, generated either directly or indirectly by the attacker. This traffic overwhelms any legitimate traffic, effectively denying legitimate users access to the server. Some recent high volume attacks have even been directed at the ISP network supporting the target organization, aiming to disrupt its connections to other networks. A number of DDoS attacks are listed in [AROR11], with comments on their growth in volume and impact. A ______ attack targeting system resources typically aims to overload or crash its network handling software. 
Rather than consuming bandwidth with large volumes of traffic, specific types of packets are sent that consume the limited resources available on the system. These include temporary buffers used to hold arriving packets, tables of open connections, and similar memory data structures. The SYN spoofing attack, which we will discuss shortly, is of this type. It targets the table of TCP connections on the server. Another form of system resource attack uses packets whose structure triggers a bug in the system's network handling software, causing it to crash. This means the system can no longer communicate over the network until this software is reloaded, generally by rebooting the target system. This is known as a poison packet. The classic ping of death and teardrop attacks, directed at older Windows 9x systems, were of this form. These targeted bugs in the Windows network code that handled ICMP (Internet Control Message Protocol) echo request packets and packet fragmentation, respectively. An attack on a specific application, such as a Web server, typically involves a number of valid requests, each of which consumes significant resources. This then limits the ability of the server to respond to requests from other users. For example, a Web server might include the ability to make database queries. If a large, costly query can be constructed, then an attacker could generate a large number of these that severely load the server. This limits its ability to respond to valid requests from other users. This type of attack is known as a cyberslam. [KAND05] discusses attacks of this kind, and suggests some possible countermeasures. Another alternative is to construct a request that triggers a bug in the server program, causing it to crash. This means the server is no longer able to respond to requests until it is restarted. _________ attacks may also be characterized by how many systems are used to direct traffic at the target system. 
Originally only one, or a small number of source systems directly under the attacker's control, was used. This is all that is required to send the packets needed for any attack targeting a bug in a server's network handling code or some application. Attacks requiring high traffic volumes are more commonly sent from multiple systems at the same time, using distributed or amplified forms of ________ attacks. We will discuss these later in this chapter.

Types of Malware: Trojan horse

A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes it.

Types of Malware: Worm

A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network, by exploiting software vulnerabilities in the target system, or using captured authorization credentials.

Briefly describe the four generations of anti-virus software: Simple Scanners

A first-generation scanner requires a malware signature to identify the malware. The signature may contain "wildcards" but matches essentially the same structure and bit pattern in all copies of the malware. Such signature-specific scanners are limited to the detection of known malware. Another type of first-generation scanner maintains a record of the length of programs and looks for changes in length as a result of virus infection.
• Requires a malware signature to identify the malware
• Limited to the detection of known malware

Briefly describe the four generations of anti-virus software: Heuristic Scanners

A second-generation scanner does not rely on a specific signature. Rather, the scanner uses _________ to search for probable malware instances. One class of such scanners looks for fragments of code that are often associated with malware. For example, a scanner may look for the beginning of an encryption loop used in a polymorphic virus and discover the encryption key. Once the key is discovered, the scanner can decrypt the malware to identify it, then remove the infection and return the program to service.

Types of Malware: Macro virus

A type of virus that uses macro or scripting code, typically embedded in a document or document template, and triggered when the document is viewed or edited, to run and replicate itself into other such documents.

Digital Signature

DSA, RSA, ECDSA

Persistent

Determined application of the attacks over an extended period against the chosen target in order to maximize the chance of success. A variety of attacks may be progressively, and often stealthily, applied until the target is compromised.

How can public key encryption be used to distribute a secret key?

Diffie-Hellman key exchange; RSA (Rivest, Shamir, and Adleman) key exchange. Several different approaches are possible, involving the private key(s) of one or both parties. One approach is the Diffie-Hellman key exchange. Another approach is for the sender to encrypt a secret key with the recipient's public key (digital envelope). Public-key encryption uses a pair of keys: if one is used for encryption, the other is used for decryption.

DSS has

Digital Signature

Elliptic Curve

Digital Signature, Symmetric Key Distribution, Encryption of Secret Keys

RSA has

Digital Signature, Symmetric Key Distribution, Encryption of Secret Keys

Message Authentication: with MAC and one way hashing function

Encryption protects against passive attack (eavesdropping). A different requirement is to protect against active attacks (falsification of data and transactions). Protection against such attacks is known as ____________ or data authentication. A message, file, document, or other collection of data is said to be authentic when it is genuine and came from its alleged source. ______________ is a procedure that allows communicating parties to verify that received or stored messages are authentic.[2] The two important aspects are to verify that the contents of the message have not been altered and that the source is authentic. We may also wish to verify a message's timeliness (it has not been artificially delayed and replayed) and sequence relative to other messages flowing between two parties. All of these concerns come under the category of data integrity, as was described in Chapter 1.

[2] For simplicity, for the remainder of this section, we refer to ________________. By this, we mean both authentication of transmitted messages and of stored data (data authentication).

Briefly describe the four generations of anti-virus software: Full-featured protection

Fourth-generation products are packages consisting of a variety of anti-virus techniques used in conjunction. These include scanning and activity trap components. In addition, such a package includes access control capability, which limits the ability of malware to penetrate a system and then limits the ability of malware to update files in order to propagate.
• Packages consisting of a variety of anti-virus techniques used in conjunction
• Include scanning and activity trap components and an access control capability

Describe the differences between a host-based IDS and a network-based IDS. How can their advantages be combined into a single system?

Host-based IDS (HIDS), Network-based IDS (NIDS), Distributed or hybrid IDS

Inline Sensor:

Sensors can be deployed in one of two modes: ________ and passive. An ________ sensor is inserted into a network segment so the traffic that it is monitoring must pass through the sensor. One way to achieve an _______ sensor is to combine NIDS sensor logic with another network device, such as a firewall or a LAN switch. This approach has the advantage that no additional separate hardware devices are needed; all that is required is NIDS sensor software. An alternative is a stand-alone _______ NIDS sensor. The primary motivation for the use of ________ sensors is to enable them to block an attack when one is detected. In this case, the device is performing both intrusion detection and intrusion prevention functions.

Describe the three logical components of an IDS.

Sensors, Analyzers, User interface

Types of Malware: Rootkit

Set of hacker tools used after an attacker has broken into a computer system and gained root-level access.

Types of Malware: Attack kit

Set of tools for generating new malware automatically using a variety of supplied propagation and payload mechanisms.

Briefly describe the four generations of anti-virus software.

Simple Scanners, Heuristic Scanners and Integrity Checking, Activity Traps, Full-Featured Protection

Types of Malware: Mobile code

Software (e.g., script and macro) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.

Types of Malware: Spyware

Software that collects information from a computer and transmits it to another system by monitoring keystrokes, screen data, and/or network traffic; or by scanning files on the system for sensitive information.

What is the difference between a "phishing" attack and a "spear phishing" attack, particularly in terms of who the target may be?

Spear phishing attacks are just a more focused version of phishing attacks where the targets are researched and the content is specifically targeted towards them.

Message Authentication Code

One authentication technique involves the use of a secret key to generate a small block of data, known as a ______________, that is appended to the message. This technique assumes that two communicating parties, say A and B, share a common secret key K_AB. When A has a message to send to B, it calculates the message authentication code as a complex function of the message and the key: MAC_M = F(K_AB, M).[3] The message plus code are transmitted to the intended recipient. The recipient performs the same calculation on the received message, using the same secret key, to generate a new message authentication code. The received code is compared to the calculated code (see Figure 2.3, message authentication using a message authentication code (MAC)). If we assume that only the receiver and the sender know the identity of the secret key, and if the received code matches the calculated code, then:

· The receiver is assured that the message has not been altered. If an attacker alters the message but does not alter the code, then the receiver's calculation of the code will differ from the received code. Because the attacker is assumed not to know the secret key, the attacker cannot alter the code to correspond to the alterations in the message.
· The receiver is assured that the message is from the alleged sender. Because no one else knows the secret key, no one else could prepare a message with a proper code.
· If the message includes a sequence number (such as is used with X.25, HDLC, and TCP), then the receiver can be assured of the proper sequence, because an attacker cannot successfully alter the sequence number.

A number of algorithms could be used to generate the code. The now withdrawn NIST publication FIPS PUB 113 (Computer Data Authentication, May 1985) recommended the use of DES. However, AES would now be a more suitable choice. DES or AES is used to generate an encrypted version of the message, and some of the bits of ciphertext are used as the code. A 16- or 32-bit code used to be typical, but would now be much too small to provide sufficient collision resistance, as we will discuss shortly.[4] The process just described is similar to encryption. One difference is that the authentication algorithm need not be reversible, as it must for decryption. It turns out that because of the mathematical properties of the authentication function, it is less vulnerable to being broken than encryption.

[3] Because messages may be any size and the message authentication code is a small fixed size, there must theoretically be many messages that result in the same MAC. However, it should be infeasible in practice to find pairs of such messages with the same MAC. This is known as collision resistance.

[4] Recall from our discussion of practical security issues in Section 2.1 that for large amounts of data, some mode of operation is needed to apply a block cipher such as DES to amounts of data larger than a single block. For the MAC application mentioned here, DES is applied in what is known as cipher block chaining mode (CBC). In essence, DES is applied to each 64-bit block of the message in sequence, with the input to the encryption algorithm being the XOR of the current plaintext block and the preceding ciphertext block. The MAC is derived from the final block encryption. See Chapter 20 for a discussion of CBC.

Types of Malware: Zombie, bot

Program installed on an infected machine that is activated to launch attacks on other machines.

Information Gathering or System Exploit:

Actions by the attacker to access or modify information or resources on the system, or to navigate to another target system.

Maintaining Access:

Actions such as the installation of backdoors or other malicious software as we discussed in Chapter 6, or through the addition of covert authentication credentials or other configuration changes to the system, to enable continued access by the attacker after the initial attack.

Privilege Escalation:

Actions taken on the system, typically via a local access vulnerability as we will discuss in Chapters 10 and 11, to increase the _________ available to the attacker to enable their desired goals on the target system.

Advanced Persistent Threats (APTs): Characteristics and why it is more dangerous.

Advanced, Persistent, Threats.

Types of Malware: Adware

Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.

IDS

An _________ may use a single sensor and analyzer, such as a classic HIDS on a host or NIDS in a firewall device. More sophisticated _______s can use multiple sensors, across a range of host and network devices, sending information to a centralized analyzer and user interface in a distributed architecture.

one-way hashing function

An alternative to the message authentication code is the _____________. As with the message authentication code, a ____________ accepts a variable-size message M as input and produces a fixed-size message digest H(M) as output (see Figure 2.4). Typically, the message is padded out to an integer multiple of some fixed length (e.g., 1024 bits) and the padding includes the value of the length of the original message in bits. The length field is a security measure to increase the difficulty for an attacker to produce an alternative message with the same hash value.

UDP Flood

An alternative to using ICMP packets is to use __________ packets directed to some port number, and hence potential service, on the target system. A common choice was a packet directed at the diagnostic echo service, commonly enabled on many server systems by default. If the server had this service running, it would respond with a _______ packet back to the claimed source containing the original packet data contents. If the service is not running, then the packet is discarded, and possibly an ICMP destination unreachable packet is returned to the sender. By then the attack has already achieved its goal of occupying capacity on the link to the server. Just about any _______ port number can be used for this end. Any packets generated in response only serve to increase the load on the server and its network links. Spoofed source addresses are normally used if the attack is generated using a single source system, for the same reasons as with ICMP attacks. If multiple systems are used for the attack, often the real addresses of the compromised, zombie, systems are used. When multiple systems are used, the consequences of both the reflected flow of packets and the ability to identify the attacker are reduced.

Statistical:

Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics.

What is the difference between anomaly detection and signature or heuristic intrusion detection?

Anomaly Detection, Signature or Heuristic Detection, Rule-based heuristic identification

TCP SYN Flood

Another alternative is to send _________ packets to the target system. Most likely these would be normal ______ connection requests, with either real or spoofed source addresses. They would have an effect similar to the SYN spoofing attack we have described. In this case, though, it is the total volume of packets that is the aim of the attack rather than the system code. This is the difference between a SYN spoofing attack and a SYN flooding attack. This attack could also use TCP data packets, which would be rejected by the server as not belonging to any known connection. But again, by this time, the attack has already succeeded in flooding the links to the server. All of these flooding attack variants are limited in the total volume of traffic that can be generated if just a single system is used to launch the attack. The use of a single system also means the attacker is easier to trace. For these reasons, a variety of more sophisticated attacks, involving multiple attacking systems, have been developed. By using multiple systems, the attacker can significantly scale up the volume of traffic that can be generated. Each of these systems need not be particularly powerful or on a high-capacity link. But what they do not have individually, they more than compensate for in large numbers. In addition, by directing the attack through intermediaries, the attacker is further distanced from the target and significantly harder to locate and identify. Indirect attack types that utilize multiple systems include:

Briefly describe the four generations of anti-virus software: Integrity Checking

Another second-generation approach is integrity _________. A checksum can be appended to each program. If malware alters or replaces some program without changing the checksum, then an integrity check will catch this change. To counter malware that is sophisticated enough to change the checksum when it alters a program, an encrypted hash function can be used. The encryption key is stored separately from the program so the malware cannot generate a new hash code and encrypt that. By using a hash function rather than a simpler checksum, the malware is prevented from adjusting the program to produce the same hash code as before. If a protected list of programs in trusted locations is kept, this approach can also detect attempts to replace or install rogue code or programs in these locations.
• Uses heuristic rules to search for probable malware instances
• Another approach is integrity checking

Types of Malware: Backdoor (trapdoor)

Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality in a program, or onto a compromised system.

Machine-learning:

Approaches automatically determine a suitable classification model from the training data using data mining techniques.

Knowledge based:

Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior.

Elliptic Curve Digital Signature Algorithm (ECDSA)

Based on __________ cryptography.

RSA Digital Signature Algorithm

Based on the __________ public-key algorithm.

AES (Advanced Encryption Standard)

Because of its drawbacks, 3DES is not a reasonable candidate for long-term use. As a replacement, NIST in 1997 issued a call for proposals for a new _____________ (______), which should have a security strength equal to or better than 3DES and significantly improved efficiency. In addition to these general requirements, NIST specified that AES must be a symmetric block cipher with a block length of 128 bits and support for key lengths of 128, 192, and 256 bits. Evaluation criteria included security, computational efficiency, memory requirements, hardware and software suitability, and flexibility. In a first round of evaluation, 15 proposed algorithms were accepted. A second round narrowed the field to 5 algorithms. NIST completed its evaluation process and published the final standard as FIPS PUB 197 (__________________, November 2001). NIST selected Rijndael as the proposed AES algorithm. AES is now widely available in commercial products. AES will be described in detail in Chapter 20.

Types of Malware: Keyloggers

Captures keystrokes on a compromised system.

Types of Malware: Logic bomb

Code inserted into malware by an intruder. A logic bomb lies dormant until a predefined condition is met; the code then triggers some payload.

Types of Malware: Exploits

Code specific to a single vulnerability or set of vulnerabilities.

Types of Malware: Downloaders

Code that installs other items on a machine that is under attack. It is normally included in the malware code first inserted on to a compromised system to then import a larger malware package.

Distributed or hybrid IDS:

Combines information from a number of sensors, often both host and network-based, in a central analyzer that is able to better identify and respond to intrusion activity.

Types of Malware: Advanced Persistent Threat (APT)

Cybercrime directed at business and political targets, using a wide variety of intrusion technologies and malware, applied persistently and effectively to specific targets over an extended period, often attributed to state-sponsored organizations.

What steps should be taken when a DoS attack is detected?

When a DoS attack is detected, the first step is to identify the type of attack and hence the best approach to defend against it. Typically, this involves capturing packets flowing into the organization and analyzing them, looking for common attack packet types. This may be done by organizational personnel using suitable network analysis tools. If the organization lacks the resources and skill to do this, it will need to have its ISP perform this capture and analysis. From this analysis, the type of attack is identified and suitable filters are designed to block the flow of attack packets. These have to be installed by the ISP on its routers. If the attack targets a bug on a system or application, rather than high traffic volumes, then this must be identified and steps taken to correct it and prevent future attacks. In addition, an ISP may trace the flow of packets back in an attempt to identify the source.
1) Identify the type of attack
• capture and analyze packets
• design filters to block attack traffic upstream
• or identify and correct the system/application bug
2) Have the ISP trace the packet flow back to its source
• may be difficult and time consuming
• necessary if planning legal action
3) Implement the contingency plan
• switch to alternate backup servers
• commission new servers at a new site with new addresses
4) Update the incident response plan
• analyze the attack and the response for future handling

DNS Amplification Attacks

In addition to the _______ reflection attack discussed previously, a further variant of an amplification attack uses packets directed at a legitimate ______ server as the intermediary system. Attackers gain attack amplification by exploiting the behavior of the ______ protocol to convert a small request into a much larger response. This contrasts with the original amplifier attacks, which use responses from multiple systems to a single request to gain amplification. Using the classic ______ protocol, a 60-byte UDP request packet can easily result in a 512-byte UDP response, the maximum traditionally allowed. All that is needed is a name server with ____ records large enough for this to occur. These attacks have been seen for several years. More recently, the ______ protocol has been extended to allow much larger responses of over 4000 bytes to support extended _______ features such as IPv6, security, and others. By targeting servers that support the extended _____ protocol, significantly greater amplification can be achieved than with the classic _______ protocol. In this attack, a selection of suitable _______ servers with good network connections are chosen. The attacker creates a series of ______ requests containing the spoofed source address of the target system. These are directed at a number of the selected name servers. The servers respond to these requests, sending the replies to the spoofed source, which appears to them to be the legitimate requesting system. The target is then flooded with their responses. Because of the amplification achieved, the attacker need only generate a moderate flow of packets to cause a larger, amplified flow to flood and overflow the link to the target system. Intermediate systems will also experience significant loads. By using a number of high-capacity, well-connected systems, the attacker can ensure that intermediate systems are not overloaded, allowing the attack to proceed. 
A further variant of this attack exploits recursive _____ name servers. This is a basic feature of the ______ protocol that permits a ______ name server to query a number of other servers to resolve a query for its clients. The intention was that this feature is used to support local clients only. However, many ______ systems support recursion by default for any requests. They are known as open recursive _______ servers. Attackers may exploit such servers for a number of ____-based attacks, including the _____ amplification DoS attack. In this variant, the attacker targets a number of open recursive ____ servers. The name information being used for the attack need not reside on these servers, but can be sourced from anywhere on the Internet. The results are directed at the desired target using spoofed source addresses. Like all the reflection-based attacks, the basic defense against these is to prevent the use of spoofed source addresses. Appropriate configuration of ______ servers, in particular limiting recursive responses to internal client systems only, as described in RFC 5358, can restrict some variants of this attack.

Describe the types of sensors that can be used in a NIDS.

Inline Sensors, Passive Sensors; deployed on wired and wireless networks

Types of Malware: Virus

Malware that, when executed, tries to replicate itself into other executable machine or script code; when it succeeds, the code is said to be infected. When the infected code is executed, the virus also executes.

What are four broad categories of payloads that malware may carry? Stealthing

Malware will attempt to make itself undetectable without the use of advanced removal software.

Network-based IDS (NIDS):

Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.

Host-based IDS (HIDS):

Monitors the characteristics of a single host and the events occurring within that host, such as process identifiers and the system calls they make, for evidence of suspicious activity.

What is the primary defense against many DoS attacks, and where is it implemented?

Spoofed address filtering must be implemented, and needs to be done close to the source of the packets, with the help of routers or gateways that know the valid address range of incoming packets. An ISP is the best place for this implementation, since it knows which addresses belong to which customers. The defense is to limit the ability of systems to send packets with spoofed source addresses: an ISP knows which addresses are allocated to all its customers and hence can ensure that valid source addresses are used in all packets from its customers. A critical component of many DoS attacks is the use of spoofed source addresses. These either obscure the originating system of direct and distributed DoS attacks or are used to direct reflected or amplified traffic to the target system. Hence, one of the fundamental, and longest-standing, recommendations for defense against these attacks is to limit the ability of systems to send packets with spoofed source addresses. RFC 2827, Network Ingress Filtering: Defeating Denial-of-Service Attacks which Employ IP Source Address Spoofing, directly makes this recommendation, as do SANS, CERT, and many other organizations concerned with network security.

List and briefly define the three broad categories of classification approaches used by anomaly detection systems.

Statistical, Knowledge based, Machine-learning

Diffie-Hellman has

Symmetric Key Distribution

What are four broad categories of payloads that malware may carry?

System Corruption, Attack Agent, Information Theft, Stealthing

List and briefly describe the steps typically used by intruders when attacking a system.

Target Acquisition and Information Gathering, Initial Access, Privilege Escalation, Information Gathering or System Exploit, Maintaining Access, Covering Tracks

User interface:

The _________ to an IDS enables a user to view output from the system or control the behavior of the system. In some systems, the __________ may equate to a manager, director, or console component.

reflection attack

The __________ is a direct implementation of this type of attack. The attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system. When the intermediary responds, the response is sent to the target. Effectively this _________ the attack off the intermediary, which is termed the reflector, and is why this is called a reflection attack. Ideally, the attacker would like to use a service that created a larger response packet than the original request. This allows the attacker to convert a lower volume stream of packets from the originating system into a higher volume of packet data from the intermediary directed at the target. Common UDP services are often used for this purpose. Originally, the echo service was a favored choice, although it does not create a larger response packet. However, any generally accessible UDP service could be used for this type of attack. The chargen, DNS, SNMP, or ISAKMP services[6] have all been exploited in this manner, in part because they can be made to generate larger response packets directed at the target. The intermediary systems are often chosen to be high-capacity network servers or routers with very good network connections. This means they can generate high volumes of traffic if necessary, and if not, the attack traffic can be obscured in the normal high volumes of traffic flowing through them.

[6] Chargen is the character generator diagnostic service that returns a stream of characters to the client that connects to it. Domain Name Service (DNS) is used to translate between names and IP addresses. The Simple Network Management Protocol (SNMP) is used to manage network devices by sending queries to which they can respond with large volumes of detailed management information. The Internet Security Association and Key Management Protocol (ISAKMP) provides the framework for managing keys in the IP Security Architecture (IPsec), as we will discuss in Chapter 22.
If the attacker spreads the attack over a number of intermediaries in a cyclic manner, then the attack traffic flow may well not be easily distinguished from the other traffic flowing from the system. This, combined with the use of spoofed source addresses, greatly increases the difficulty of any attempt to trace the packet flows back to the attacker's system. Another variant of ____________ uses TCP SYN packets and exploits the normal three-way handshake used to establish a TCP connection. The attacker sends a number of SYN packets with spoofed source addresses to the chosen intermediaries. In turn, the intermediaries respond with a SYN-ACK packet to the spoofed source address, which is actually the target system. The attacker uses this attack with a number of intermediaries. The aim is to generate high enough volumes of packets to flood the link to the target system. The target system will respond with a RST packet for any that get through, but by then the attack has already succeeded in overwhelming the target's network link. This attack variant is a flooding attack that differs from the SYN spoofing attack we discussed earlier in this chapter. The goal is to flood the network link to the target, not to exhaust its network handling resources. Indeed, the attacker would usually take care to limit the volume of traffic to any particular intermediary to ensure that it is not overwhelmed by, or even notices, this traffic. This is both because its continued correct functioning is an essential component of this attack, as is limiting the chance of the attacker's actions being detected. The 2002 attack on GRC.com was of this form. It used connection requests to the BGP routing service on core routers as the primary intermediaries. These generated sufficient response traffic to completely block normal access to GRC.com. However, as GRC.com discovered, once this traffic was blocked, a range of other services, on other intermediaries, were also being used. 
GRC noted in its report on this attack that "you know you're in trouble when packet floods are competing to flood you." Any generally accessible TCP service can be used in this type of attack. Given the large number of servers available on the Internet, including many well-known servers with very high capacity network links, there are many possible intermediaries that can be used. What makes this attack even more effective is that the individual TCP connection requests are indistinguishable from normal connection requests directed to the server. It is only if they are running some form of intrusion detection system that detects the large numbers of failed connection requests from one system that this attack might be detected and possibly blocked. If the attacker is using a number of intermediaries, then it is very likely that even if some detect and block the attack, many others will not, and the attack will still succeed. A further variation of the __________ establishes a self-contained loop between the intermediary and the target system. Both systems act as reflectors. Figure 7.6 shows this type of attack. The upper part of the figure shows normal Domain Name System operation. 7 The DNS client sends a query from its UDP port 1792 to the server's DNS port 53 to obtain the IP address of a domain name. The DNS server sends a UDP response packet including the IP address. The lower part of the figure shows a reflection attack using DNS. The attacker sends a query to the DNS server with a spoofed IP source address of j.k.l.m; this is the IP address of the target. The attacker uses port 7, which is usually associated with echo, a reflector service. The DNS server then sends a response to the victim of the attack, j.k.l.m, addressed to port 7. If the victim is offering the echo service, it may create a packet that echoes the received data back to the DNS server. 
This can cause a loop between the DNS server and the victim if the DNS server responds to the packets sent by the victim. Most _________ can be prevented through network-based and host-based firewall rulesets that reject suspicious combinations of source and destination ports. While very effective if possible, this type of attack is fairly easy to filter for because the combinations of service ports used should never occur in normal network operation. When implementing any of these reflection attacks, the attacker could use just one system as the original source of packets. This suffices, particularly if a service is used that generates larger response packets than those originally sent to the intermediary. Alternatively, multiple systems might be used to generate higher volumes of traffic to be reflected and to further obscure the path back to the attacker. Typically a botnet would be used in this case. Another characteristic of ____________ is the lack of backscatter traffic. In both direct flooding attacks and SYN spoofing attacks, the use of spoofed source addresses results in response packets being scattered across the Internet and thus detectable. This allows security researchers to estimate the volumes of such attacks. In _____________, the spoofed source address directs all the packets at the desired target and any responses to the intermediary. There is no generally visible side effect of these attacks, making them much harder to quantify. Evidence of them is only available from either the targeted systems and their ISPs or the intermediary systems. In either case, specific instrumentation and monitoring would be needed to collect this evidence. Fundamental to the success of reflection attacks is the ability to create spoofed-source packets. If filters are in place that block spoofed-source packets, as described in (RFC 2827), then these attacks are simply not possible. This is the most basic, fundamental defense against such attacks. 
This is not the case with either SYN spoofing or flooding attacks (distributed or not). They can succeed using real source addresses, with the consequences already noted.

Initial Access:

The __________ to a target system, typically by exploiting a remote network vulnerability as we will discuss in Chapters 10 and 11, by guessing weak authentication credentials used in a remote service as we discussed in Chapter 3, or via the installation of malware on the system using some form of social engineering or drive-by-download attack as we discussed in Chapter 6.

Triple DES (3DES)

The life of DES was extended by the use of _________ (_______), which involves repeating the basic DES algorithm three times, using either two or three unique keys, for a key size of 112 or 168 bits. 3DES was first standardized for use in financial applications in ANSI standard X9.17 in 1985. 3DES was incorporated as part of the Data Encryption Standard in 1999, with the publication of FIPS PUB 46-3. ________ has two attractions that assure its widespread use over the next few years. First, with its 168-bit key length, it overcomes the vulnerability to brute-force attack of DES. Second, the underlying encryption algorithm in ______ is the same as in DES. This algorithm has been subjected to more scrutiny than any other encryption algorithm over a longer period of time, and no effective cryptanalytic attack based on the algorithm rather than brute force has been found. Accordingly, there is a high level of confidence that ______ is very resistant to cryptanalysis. If security were the only consideration, then ________ would be an appropriate choice for a standardized encryption algorithm for decades to come. The principal drawback of _______ is that the algorithm is relatively sluggish in software. The original DES was designed for mid-1970s hardware implementation and does not produce efficient software code. _______, which requires three times as many calculations as DES, is correspondingly slower. A secondary drawback is that both DES and _________ use a 64-bit block size. For reasons of both efficiency and security, a larger block size is desirable.

Digital Signature Algorithm (DSA)

The original NIST-approved algorithm, which is based on the difficulty of computing discrete logarithms.

Types of Malware: Flooders (DoS client)

Used to generate a large volume of data to attack networked computer systems, by carrying out some form of denial-of-service (DoS) attack.

Types of Malware: Spammer programs

Used to send large volumes of unwanted e-mail.

ICMP Flood

The ping flood using ______ echo request packets we discussed in Section 7.1 is a classic example of an ________. This type of _______ packet was chosen since traditionally network administrators allowed such packets into their networks, as ping is a useful network diagnostic tool. More recently, many organizations have restricted the ability of these packets to pass through their firewalls. In response, attackers have started using other _______ packet types. Since some of these should be handled to allow the correct operation of TCP/IP, they are much more likely to be allowed through an organization's firewall. Filtering some of these critical _______ packet types would degrade or break normal TCP/IP network behavior. ______ destination unreachable and time exceeded packets are examples of such critical packet types. An attacker can generate large volumes of one of these packet types. Because these packets include part of some notional erroneous packet that supposedly caused the error being reported, they can be made comparatively large, increasing their effectiveness in flooding the link. ____________ attacks remain one of the most common types of DDoS attacks [SYMA16].

Briefly describe the four generations of antivirus software: Activity Traps

Third-generation programs are memory-resident programs that identify malware by its actions rather than its structure in an infected program. Such programs have the advantage that it is not necessary to develop signatures and heuristics for a wide array of malware. Rather, it is necessary only to identify the small set of actions that indicate malicious activity is being attempted and then to intervene. This approach uses dynamic analysis techniques, such as those we will discuss in the next sections.
• Memory-resident programs that identify malware by its actions rather than its structure in an infected program

What architecture does a DDoS attack typically use?

Typically uses a control hierarchy approach, where the attacker controls a small number of handler systems, and the handlers control a large number of agent systems. Usually a botnet consisting of infected zombie PCs under the control of a hacker is used. DDoS attacks use multiple systems to generate the attack: the attacker used some well-known flaw in the operating system or in some common application to gain access to these systems and to install their own programs (zombies), and automated infection tools can also be used to scan for and compromise suitable zombie systems. Large collections of such systems under the control of one attacker can be created, collectively forming a botnet. While the attacker could command each zombie individually, more generally a control hierarchy is used. A small number of systems act as handlers controlling a much larger number of agent systems that ultimately launch the attack, as shown in Figure 7.4. There are a number of advantages to this arrangement. The attacker can send a single command to a handler, which then automatically forwards it to all the agents under its control.

DES (Data Encryption Standard)

Until recently, the most widely used encryption scheme was based on the ______________ (___________) adopted in 1977 by the National Bureau of Standards, now the National Institute of Standards and Technology (NIST), as FIPS PUB 46 (Data Encryption Standard, January 1977). The algorithm itself is referred to as the Data Encryption Algorithm (DEA). _______ takes a plaintext block of 64 bits and a key of 56 bits, to produce a ciphertext block of 64 bits. See Appendix C for more information on NIST and similar organizations, and the "List of NIST and ISO Documents" for related publications that we discuss. Concerns about the strength of ________ fall into two categories: concerns about the algorithm itself, and concerns about the use of a 56-bit key. The first concern refers to the possibility that cryptanalysis is possible by exploiting the characteristics of the DES algorithm. Over the years, there have been numerous attempts to find and exploit weaknesses in the algorithm, making DES the most-studied encryption algorithm in existence. Despite numerous approaches, no one has so far reported a fatal weakness in DES. A more serious concern is key length. With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2×10^16 keys. Given the speed of commercial off-the-shelf processors, this key length is woefully inadequate. A paper from Seagate Technology [SEAG08] suggests that a rate of one billion (10^9) key combinations per second is reasonable for today's multicore computers. Recent offerings confirm this. Both Intel and AMD now offer hardware-based instructions to accelerate the use of AES. Tests run on a contemporary multicore Intel machine resulted in an encryption rate of about half a billion encryptions per second [BASU12]. Another recent analysis suggests that with contemporary supercomputer technology, a rate of 10^13 encryptions/s is reasonable [AROR12].
With these results in mind, Table 2.2 shows how much time is required for a brute-force attack for various key sizes. As can be seen, a single PC can break DES in about a year; if multiple PCs work in parallel, the time is drastically shortened. And today's supercomputers should be able to find a key in about an hour. Key sizes of 128 bits or greater are effectively unbreakable using simply a brute-force approach. Even if we managed to speed up the attacking system by a factor of 1 trillion (10^12), it would still take over 100,000 years to break a code using a 128-bit key. Fortunately, there are a number of alternatives to ______, the most important of which are triple DES and AES, discussed in the remainder of this section.

Advanced

Use by the attackers of a wide variety of intrusion technologies and malware, including the development of custom malware if required. The individual components may not necessarily be technically ________, but are carefully selected to suit the chosen target.

What defenses are possible against nonspoofed flooding attacks? Can such attacks be entirely prevented?

Using a modified version of the TCP connection handling code, where the connection details are stored in a cookie on the client computer rather than the server. The provision of significant excess network bandwidth and replicated distributed servers, particularly when the overload is anticipated; this does have a significant implementation cost though. Rate limits of various types on traffic can also be imposed. However, such attacks cannot be entirely prevented, and may occur "accidentally" as a result of very high legitimate traffic loads.

Covering Tracks:

Where the attacker disables or edits audit logs such as we will discuss in Chapter 18, to remove evidence of attack activity, and uses rootkits and other measures to hide covertly installed files or code as we discussed in Chapter 6.

Target Acquisition and Information Gathering

Where the attacker identifies and characterizes the target systems using publicly available information, both technical and nontechnical, and the use of network exploration tools to map target resources.

Analyzers:

_______ receive input from one or more sensors or from other ________. The __________ is responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. The output may include evidence supporting the conclusion that an intrusion occurred. The _______ may provide guidance about what actions to take as a result of the intrusion. The sensor inputs may also be stored for future analysis and review in a storage or database component.

Threats

_________ to the selected targets as a result of the organized, capable, and well-funded attackers' intent to compromise the specifically chosen targets. The active involvement of people in the process greatly raises the threat level from that due to automated attack tools, and also the likelihood of successful attack.

Sensors:

__________ are responsible for collecting data. The input for a sensor may be any part of a system that could contain evidence of an intrusion. Types of input to a ______ include network packets, log files, and system call traces. Sensors collect and forward this information to the analyzer.

Phishing

__________ is another form of attack upon users. A basic _________ attack results in attackers obtaining sensitive information by appearing as a legitimate source such as a website. A website used in a phishing attack may mimic a website used frequently by the victim, such as a login page for a specific bank. The attack occurs when the victim enters his or her credentials and attempts to use the intended website.

Amplification Attacks

___________ are a variant of reflector attacks and also involve sending a packet with a spoofed source address for the target system to intermediaries. They differ in generating multiple response packets for each original packet sent. This can be achieved by directing the original request to the broadcast address for some network. As a result, all hosts on that network can potentially respond to the request, generating a flood of responses as shown in Figure 7.7. It is only necessary to use a service handled by large numbers of hosts on the intermediate network. A ping flood using ICMP echo request packets was a common choice, since this service is a fundamental component of TCP/IP implementations and was often allowed into networks. The well-known smurf DoS program used this mechanism and was widely popular for some time. Another possibility is to use a suitable UDP service, such as the echo service. The fraggle program implemented this variant. Note that TCP services cannot be used in this type of attack; because they are connection oriented, they cannot be directed at a broadcast address. Broadcasts are inherently connectionless. The best additional defense against this form of attack is to not allow directed broadcasts to be routed into a network from outside. Indeed, this is another long-standing security recommendation, unfortunately about as widely implemented as that for blocking spoofed source addresses. If these forms of filtering are in place, these attacks cannot succeed. Another defense is to limit network services such as echo and ping from being accessed from outside an organization. This restricts which services could be used in these attacks, at a cost in ease of analyzing some legitimate network problems. Attackers scan the Internet looking for well-connected networks that do allow directed broadcasts and that implement suitable services attackers can reflect off. These lists are traded and used to implement such attacks.

From this definition, you can see there are several categories of resources that could be attacked:

· Network bandwidth
· System resources
· Application resources

Describe some malware countermeasure elements.

___________ exist to deal with the persistent threats of malware. Malware _______________ have at least three elements. Prevention involves deterring malware from entering the system, rendering it useless relative to its core functions. Detection involves determining the actual location of the malicious software on a system. Identification is the method of determining the type of malware and its purpose on a system. Removal is the process of eliminating all elements of malware on an infected system, ensuring it can no longer propagate on the target machine.
• prevention: ensure all systems are as current as possible, with all patches applied, in order to reduce the number of vulnerabilities that might be exploited on the system
• detection: determine that an infection has occurred and locate the malware
• identification: identify the specific malware that has infected the system
• removal: remove all traces of the malware from all infected systems so it cannot spread further

Symmetric Block Encryption for confidentiality

_______________ Algorithms: The most commonly used _______________ algorithms are block ciphers. A block cipher processes the plaintext input in fixed-size blocks and produces a block of ciphertext of equal size for each plaintext block. The algorithm processes longer plaintext amounts as a series of fixed-size blocks. The most important symmetric algorithms, all of which are block ciphers, are the Data Encryption Standard (DES), triple DES, and the Advanced Encryption Standard (AES); see Table 2.1. This subsection provides an overview of these algorithms. Chapter 20 will present the technical details.

What are four broad categories of payloads that malware may carry? Spyware

also collects information about the target system and user of the system, transmitting the information to the attacker or granting direct access to the system for remote usage.

Spear Phishing Attack

attacks are just a more focused version of phishing attacks where the targets are researched and the content is specifically targeted towards them.

Types of Malware: Drive-by-download

An attack using code on a compromised website that exploits a browser vulnerability to attack a client system when the site is viewed.

Anomaly Detection

involves collecting data on the behavior of legitimate users over a period of time, then comparing current observed behavior against it to determine whether that behavior is legitimate or not. Statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior. This approach involves first developing a model of legitimate user behavior by collecting and processing sensor data from the normal operation of the monitored system in a training phase. This may occur at distinct times, or there may be a continuous process of monitoring and evolving the model over time. Once this model exists, current observed behavior is compared with the model in order to classify it as either legitimate or anomalous activity in a detection phase.

Rule-based heuristic identification

involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses. _____ can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage. Typically, the _______ used in these systems are specific to the machine and operating system. The most fruitful approach to developing such rules is to analyze attack tools and scripts collected on the Internet. These rules can be supplemented with _____ generated by knowledgeable security personnel. In this latter case, the normal procedure is to interview system administrators and security analysts to collect a suite of known penetration scenarios and key events that threaten the security of the target system. The SNORT system, which we will discuss later in Section 8.9, is an example of a rule-based NIDS. A large collection of rules exists for it to detect a wide variety of network attacks.

What are four broad categories of payloads that malware may carry? zombie

is a program that establishes a connection between the target computer and the attacker. The attacker can use a zombie to collect sensitive information about the target system, network, and user.

What is "backscatter traffic?" Which types of DoS attacks can it provide information on? Which types of attacks does it not provide any information on?

is a side effect of spoofed DoS/DDoS attacks. The victim responds to the spoofed packets as it normally would, and the traffic generated by these responses is called the backscatter traffic: "response" packets generated in response to "request" packets whose source IP addresses were randomly spoofed, so the responses go back to those random addresses. The term "backscatter analysis" refers to observing backscatter packets arriving at a statistically significant portion of the IP address space to determine characteristics of DoS attacks and victims. There is a useful side effect of this scattering of response packets to some original flow of spoofed-source packets. Security researchers, such as those with the Honeynet Project, have taken blocks of unused IP addresses, advertised routes to them, then collected details of any packets sent to these addresses. Since no real systems use these addresses, no legitimate packets should be directed to them. Any packets received might simply be corrupted. It is much more likely, though, that they are the direct or indirect result of network attacks, since the vast majority of packets arriving there will be the result of DoS attacks that randomly generated an address matching one of the unused ones. The ICMP echo response packets generated in response to a ping flood using randomly spoofed source addresses are a good example. Monitoring the type of packets received gives valuable information on the type and scale of attacks being used.

A denial of service (DoS)

is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.

Spear phishing

is another form of attack in which attackers attack from compromised e-mail accounts that may be of known associates, friends, and family. The e-mail directs the victim to a web page asking for user credentials, in which the method is similar to a general ___________.

What are four broad categories of payloads that malware may carry? Key loggers

record the keystroke inputs on the target computer, resulting in the creation of a log file. The malware itself performs the action of releasing the payload upon a user's computer system.

Types of Malware: Auto-rooter

Malicious hacker tools used to break into new machines remotely.

Flooding attack forms

take a variety of forms, based on which network protocol is being used to implement the attack. In all cases, the intent is generally to overload the network capacity on some link to a server. The attack may alternatively aim to overload the server's ability to handle and respond to this traffic. These attacks flood the network link to the server with a torrent of malicious packets competing with, and usually overwhelming, valid traffic flowing to the server. In response to the congestion this causes in some routers on the path to the targeted server, many packets will be dropped. Valid traffic has a low probability of surviving discard caused by this flood, and hence of accessing the server. This results in the server's ability to respond to network connection requests being either severely degraded or failing entirely. Virtually any type of network packet can be used in a ____________. It simply needs to be of a type that is permitted to flow over the links toward the targeted system, so it can consume all available capacity on some link to the target server. Indeed, the larger the packet is, the more effective will be the attack. Common _________ attacks use any of the ICMP, UDP, or TCP SYN packet types. It is even possible to ________ with some other IP packet type. However, as these are less common and their usage more targeted, it is easier to filter for them and hence hinder or block such attacks.

Signature or Heuristic Detection

uses a set of known malicious data patterns (_________) or attack rules (_________) that are compared with current behavior to decide if it is that of an intruder. It is also known as misuse detection. This approach can only identify known attacks for which it has patterns or rules. _____________________ techniques detect intrusion by observing events in the system and applying either a set of signature patterns to the data, or a set of rules that characterize the data, leading to a decision regarding whether the observed data indicates normal or anomalous behavior. _____________ match a large collection of known patterns of malicious data against data stored on a system or in transit over a network. The ________ need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data. This approach is widely used in antivirus products, in network traffic scanning proxies, and in NIDS. The advantages of this approach include the relatively low cost in time and resource use, and its wide acceptance. Disadvantages include the significant effort required to constantly identify and review new malware to create signatures able to identify it, and the inability to detect zero-day attacks for which no signatures exist.

Indirect attack types that utilize multiple systems include:

· Distributed denial-of-service attacks.
· Reflector attacks.
· Amplifier attacks.
We will consider each of these in turn.

List desirable characteristics of an IDS.

· Run continually with minimal human supervision.
· Be fault tolerant in the sense that it must be able to recover from system crashes and reinitializations.
· Resist subversion. The IDS must be able to monitor itself and detect if it has been modified by an attacker.
· Impose a minimal overhead on the system where it is running.
· Be able to be configured according to the security policies of the system that is being monitored.
· Be able to adapt to changes in system and user behavior over time.
· Be able to scale to monitor a large number of hosts.
· Provide graceful degradation of service in the sense that if some components of the IDS stop working for any reason, the rest of them should be affected as little as possible.
· Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS without having to restart it.

List three places malware mitigation mechanisms may be located.

• Anti-virus software may exist on a system level of a user's operating system, detecting any unnatural changes or modification to files and applications.
• Organizations may use firewalls and other tools such as intrusion detection systems.
• Organizations may also use host-based and perimeter sensors to detect malware over larger networks.

