
Security+ 2e

Exam Objectives Review:

Summary of Exam Objectives

Exam Objectives Fast Track

Exam Objectives Frequently Asked Questions

Self Test

Attacks

One of the more exciting and dynamic aspects of network security relates to attacks. A great deal of media attention and many vendor product offerings have been targeting attacks and attack methodologies. This is perhaps the reason that CompTIA has been focusing many questions in this particular area. While there are many different varieties and methods of attack, they can generally all be grouped into several categories:

■ By the general target of the attack (application, network, or mixed)

■ By whether the attack is active or passive

■ By how the attack works (e.g., via password cracking, or by exploiting code and cryptographic algorithms)

It’s important to realize that the boundaries between these three categories aren’t fixed. As attacks become more complex, they tend to be both application-based and network-based, which has spawned the new term “mixed threat applications.” An example of such an attack can be seen in the MyDoom worm, which targeted Windows machines in 2004. Victims received an e-mail indicating a delivery error, and if they executed the attached file, MyDoom would take over. The compromised machine would reproduce the attack by sending the e-mail to contacts in the user’s address book, and copying the attachment to peer-to-peer (P2P) sharing directories. It would also open a backdoor on port 3127, and try to launch a denial of service (DoS) attack against The SCO Group or Microsoft. So, as attackers get more creative, we have seen more and more combined and sophisticated attacks. In this chapter, we’ll focus on some of the specific types of each attack, such as:

Active Attacks These include DoS, Distributed Denial of Service (DDoS), buffer overflow, synchronous (SYN) attack, spoofing, Man-in-the-Middle (MITM), replay, Transmission Control Protocol/Internet Protocol (TCP/IP) hijacking, wardialing, dumpster diving, social engineering and vulnerability scanning.

Passive Attacks These include sniffing, and eavesdropping.

Password Attacks These include brute-force and dictionary-based password attacks.

Code and Cryptographic Attacks These include backdoors, viruses, Trojans, worms, rootkits, software exploitation, botnets and mathematical attacks.

Head of the Class…

Attack Methodologies in Plain English

In this section, we’ve listed network attacks, application attacks, and mixed threat attacks, and within those are included buffer overflows, DDoS attacks, fragmentation attacks, and theft of service attacks. While the list of descriptions might look overwhelming, generally the names are self-explanatory. For example, consider a DoS, or denial of service attack. As its name implies, this attack is designed to do just one thing: render a computer or network non-functional so as to deny service to its legitimate users. That’s it. So, a DoS could be as simple as unplugging machines at random in a data center or as complex as organizing an army of hacked computers to send packets to a single host in order to overwhelm it and shut down its communications. Another term that has caused some confusion is a mixed threat attack. This simply describes any type of attack that is comprised of two different, smaller attacks. For example, an attack that goes after Outlook clients and then sets up a bootleg music server on the victim machine is classified as a mixed threat attack.

Active Attacks

Active attacks can be described as attacks in which the attacker is actively attempting to cause harm to a network or system. The attacker isn’t just listening on the wire, but is attempting to breach or shut down a service. Active attacks tend to be very visible, because the damage caused is often very noticeable. Some of the more well known active attacks are DoS/DDoS, buffer overflows, SYN attacks, and Internet Protocol (IP) spoofing; these and many more are detailed in the following section.

DoS and DDoS

To understand a DDoS attack and its consequences, you first need to grasp the fundamentals of DoS attacks. The progression from understanding DoS to DDoS is quite elementary, though the distinction between the two is important. Given its name, it should not come as a surprise that a DoS attack is aimed squarely at ensuring that the service a computing infrastructure usually delivers is negatively affected in some way. This type of attack does not involve breaking into the target system. Rather, a successful DoS attack reduces the quality of the service delivered by some measurable degree, often to the point where the target infrastructure of the DoS attack cannot deliver a service at all. In early 2000, high profile sites like Yahoo, eBay, CNN, and Amazon were hit by DDoS attacks that crippled their availability for hours.

A common perception is that the target of a DoS attack is a server, though this is not always the case. The fundamental objective of a DoS attack is to degrade service, whether it is hosted by a single server or delivered by an entire network infrastructure. A DoS attack attempts to reduce the ability of a site to service clients, whether those clients are physical users or logical entities such as other computer systems. This can be achieved by either overloading the ability of the target network or server to handle incoming traffic, or by sending network packets that cause target systems and networks to behave unpredictably. Unfortunately for the administrator, “unpredictable” behaviour usually translates into a hung or crashed system.

Although DoS attacks do not by definition generate a risk to confidential or sensitive data, they can act as an effective tool to mask more intrusive activities that could take place simultaneously. While administrators and security officers are attempting to rectify what they perceive to be the main problem, the real penetration could be happening elsewhere.

Some of the numerous forms of DoS attacks can be difficult to detect or deflect. Within weeks, months, or even days of the appearance of a new attack, subtle “copycat” variations begin appearing elsewhere. By this stage, not only must defenses be deployed for the primary attack, but also for its more distant cousins.

Most DoS attacks take place across a network, with the perpetrator seeking to take advantage of the lack of integrated security within the current iteration of IP (i.e., IP version 4 [IPv4]). Hackers are fully aware that security considerations have been passed on to higher-level protocols and applications. IP version 6 (IPv6), which may help rectify some of these problems, includes a means of validating the source of packets and their integrity by using an authentication header. Although the continuing improvement of IP is critical, it does not resolve today’s problems, because IPv6 is not yet in widespread use.

DoS attacks not only originate from remote systems, but can also be launched against the local machine. Local DoS attacks are generally easier to locate and rectify, because the parameters of the problem space are well defined (local to the host). A common example of a locally based DoS attack is a fork bomb that repeatedly spawns processes to consume system resources.

The financial and publicity-related implications of an effective DoS attack are hard to measure: at best they are embarrassing, and at worst they are a deathblow. Companies reliant on Internet traffic and e-purchases are at particular risk from DoS and DDoS attacks. The Web site is the engine that drives e-commerce, and customers are won or lost on the basis of the site’s availability and speed. If a site is inaccessible or unresponsive, an alternate virtual storefront is usually only a few clicks away. A hacker, regardless of motive, knows that the best way to hurt an e-business is to affect its Internet presence in some way. DoS attacks can be an efficient means of achieving this end; the next sections cover two elemental types of DoS attacks: Resource Consumption attacks (such as SYN flood attacks and amplification attacks) and Malformed Packet attacks.

Resource Consumption Attacks

Computing resources are, by their very nature, finite. Administrators around the world bemoan the fact that their infrastructures lack network bandwidth, central processing unit (CPU) cycles, Random-Access Memory (RAM), and secondary storage. Invariably, the lack of these resources leads to some form of degradation of the services the computing infrastructure delivers to clients. The reality of having finite resources is highlighted even further when an orchestrated attack consumes these precious resources.

The consumption of resources involves the reduction of available resources, whatever their nature, by using a directed attack. One of the more common forms of a DoS attack targets network bandwidth. In particular, Internet connections and the supporting devices are prime targets of this type of attack, due to their limited bandwidth and their visibility to the rest of the Internet community. Very few businesses are in the fortunate position of having excessive Internet bandwidth, and when a business relies on its ability to service client requests quickly and efficiently, a bandwidth consumption attack can bring the company to its knees.

Resource consumption attacks predominantly originate from outside the local network, but you should not rule out the possibility that the attack is from within. These attacks usually take the form of a large number of packets directed at the victim, a technique commonly known as flooding.

A target network can also be flooded when an attacker has more available bandwidth than the victim and overwhelms the victim with pure brute force. This situation is less likely to happen on a one-to-one basis if the target is a medium-sized e-commerce site. Such companies generally have a larger “pipe” than their attackers. On the other hand, the availability of broadband connectivity has driven high-speed Internet access into the homes of users around the world. This has increased the likelihood of this type of attack, as home users replace their analog modems with Digital Subscriber Line (DSL) and cable modem technologies.

Another way of consuming bandwidth is to enlist the aid of loosely configured networks, causing them to send traffic directed at the victim. If enough networks can be duped into this type of behaviour, the victim’s network can be flooded with relative ease. These types of attacks are often called amplification attacks, with a smurf attack, which sends an Internet Control Message Protocol (ICMP) request to a broadcast address, causing all hosts in the network to send ICMP replies to the victim, being a classic one.

Other forms of resource consumption can include the reduction of connections available to legitimate users and the reduction of system resources available to the host operating system (OS) itself. “Denial of service” is a very broad term, and consequently various types of exploits can fit the description due to the circumstances surrounding their manifestation. A classic example is the Structured Query Language (SQL) Slammer worm, which exploited a known vulnerability in Microsoft SQL Server to generate excessive amounts of network traffic in attempts to reproduce itself to other vulnerable systems, which resulted in a global slowdown of the Internet on January 25, 2003.

Another form of DoS is the now ever-present e-mail spam, or Unsolicited Bulk Email (UBE). Spammers can send a large amount of unwanted e-mail in a very short amount of time. If a company’s mail server is bombarded with spam, it may slow down, fail to receive valid e-mails, or even crash entirely. Getting spammed is a very real DoS danger and e-mail protection is now high on every company’s security checklist.

SYN Attacks

A SYN attack is a DoS attack that exploits a basic weakness found in the TCP/IP protocol, and its concept is fairly simple. As discussed later in this chapter, a standard Transmission Control Protocol (TCP) session consists of the two communicating hosts exchanging a SYN | SYN/acknowledgement (ACK) | ACK. The expected behavior is that the initiating host sends a SYN packet, to which the responding host will issue a SYN/ACK and wait for an ACK reply from the initiator. With a SYN attack, or SYN flood, the attacker simply sends only the SYN packet, leaving the victim waiting for a reply. The attack occurs when the attacker sends thousands and thousands of SYN packets to the victim, forcing them to wait for replies that never come. While the host is waiting for so many replies, it can’t accept any legitimate requests, so it becomes unavailable, thus achieving the purpose of a DoS attack. For a graphical representation of a SYN attack, refer to Figure 2.1. Some stateful firewalls protect against SYN attacks by resetting pending connections after a specific timeout. Another protection is with the use of SYN cookies, where a computer under attack responds with a special SYN/ACK packet and does not wait for an ACK response. Only when the ACK packet in response to the SYN/ACK packet returns does the host generate a queue entry, from information within the special SYN/ACK packet.
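The following model, added here as an illustration and not code from the book, contrasts the two server behaviours described above: a fixed-size half-open connection table that a flood of unanswered SYNs fills up, and a SYN-cookie responder that stores nothing until a valid ACK returns. The cookie layout (time slot, MSS code, keyed hash of the 4-tuple) is a simplified model of the classic scheme, not any particular operating system's exact algorithm; the addresses, secret and flood sizes are constructed.

```python
import hmac
import hashlib

SECRET = b"constructed-demo-secret"   # per-host secret; rotated periodically in practice


def syn_cookie(src, sport, dst, dport, now, mss_code=3):
    """Build a 32-bit initial sequence number that carries the connection state.
    Layout: 5-bit time slot | 3-bit MSS code | 24-bit keyed hash of 4-tuple + slot."""
    slot = now & 0x1F
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return (slot << 27) | (mss_code << 24) | mac


def verify_cookie(src, sport, dst, dport, ack, now):
    """A returning ACK must equal cookie + 1, and the cookie must have been minted
    in the current or previous time slot. No state was kept in between."""
    cookie = (ack - 1) & 0xFFFFFFFF
    mss_code = (cookie >> 24) & 0x7
    return any(syn_cookie(src, sport, dst, dport, t, mss_code) == cookie
               for t in (now, now - 1))


class StatefulListener:
    """Fixed-size half-open table: the resource a SYN flood exhausts."""

    def __init__(self, backlog=128, timeout=60):
        self.backlog, self.timeout, self.half_open = backlog, timeout, {}

    def on_syn(self, key, now):
        # Expire entries whose SYN/ACK has gone unanswered longer than timeout.
        self.half_open = {k: t for k, t in self.half_open.items() if now - t < self.timeout}
        if len(self.half_open) >= self.backlog:
            return False          # table full: the new SYN is dropped
        self.half_open[key] = now
        return True

    def on_ack(self, key):
        return self.half_open.pop(key, None) is not None


def simulate(n_flood_syns, backlog=128):
    """Feed both designs n_flood_syns SYNs that are never ACKed (constructed
    sample), then check whether one legitimate client can still complete."""
    stateful = StatefulListener(backlog)
    flood = [(f"198.51.100.{i % 250}", 40000 + i, "192.0.2.10", 80) for i in range(n_flood_syns)]
    for i, key in enumerate(flood):
        stateful.on_syn(key, now=i // 1000)          # about 1000 SYNs per second
    legit = ("203.0.113.7", 51515, "192.0.2.10", 80)
    now = n_flood_syns // 1000
    stateful_ok = stateful.on_syn(legit, now) and stateful.on_ack(legit)
    # Cookie responder: each flood SYN cost only a SYN/ACK, so nothing is full.
    isn = syn_cookie(*legit, now)
    cookie_ok = verify_cookie(*legit, isn + 1, now + 1)
    return stateful_ok, cookie_ok
```

With 10,000 unanswered SYNs the stateful table refuses the legitimate client while the cookie responder still completes its handshake; a forged or stale ACK fails `verify_cookie` because the keyed hash no longer matches.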

Figure 2.1 SYN Attack Diagram

[Figure 2.1 labels: Attacker sending only SYN packets; Internet; thousands of SYN packets; Victim awaiting SYN/ACK reply]

DDoS Attacks

Though some forms of DoS attacks can be amplified by multiple intermediaries, the first step of a DoS exploit still originates from a single machine. However, DoS attacks have evolved beyond single-tier (SYN flood) and two-tier (smurf) attacks. DDoS attacks advance the DoS conundrum one more painful step forward. Modern attack methodologies have now embraced the world of distributed multi-tier computing. One of the significant differences in the methodology of a DDoS attack is that it consists of two distinct phases. During the first phase, the perpetrator compromises computers scattered across the Internet and installs specialized software on these hosts to aid in the attack. In the second phase, the compromised hosts (referred to as zombies) are then instructed through intermediaries (called masters) to commence the attack. The most widely known DDoS attacks are Trinoo, Tribe Flood Network, and Stacheldracht.

Hundreds, possibly thousands, of zombies can be co-opted into the attack by diligent hackers. Using the control software, each of these zombies can then be used to mount its own DoS attack on the target. The cumulative effect of the zombie attack is to either overwhelm the victim with massive amounts of traffic or to exhaust resources such as connection queues.

Additionally, this type of attack obfuscates the source of the original attacker: the commander of the zombie hordes. The multi-tier model of DDoS attacks and their ability to spoof packets and to encrypt communications can make tracking down the real offender a tortuous process.

The command structure supporting a DDoS attack can be quite convoluted (see Figure 2.2), and it can be difficult to determine a terminology that describes it clearly. Let’s look at one of the more understandable naming conventions for a DDoS attack structure and the components involved.

Software components involved in a DDoS attack include:

Client The control software used by the hacker to launch attacks. The client directs command strings to its subordinate hosts.

Daemon Software programs running on a zombie that receive incoming client command strings and act on them accordingly. The daemon is the process responsible for actually implementing the attack detailed in the command strings.

Hosts involved in a DDoS attack include:

Master A computer that runs the client software.

Zombie A subordinate host that runs the daemon process.

Target The recipient of the attack.

In order to recruit hosts for the attack, hackers target inadequately secured machines connected in some form to the Internet. Hackers use various inspection techniques, both automated and manual, to uncover inadequately secured networks and hosts. After the insecure machines have been identified, the attacker compromises the systems through a variety of ways. The first task a thorough hacker undertakes is to erase evidence that the system has been compromised, and also to ensure that the compromised host will pass a cursory examination. Some of the compromised hosts become masters, while others are destined to be made into zombies. Masters receive orders that they then trickle through to the zombies for which they are responsible. The master is only responsible for sending and receiving short control messages, making lower bandwidth networks just as suitable as higher bandwidth networks.

Figure 2.2 A Generic DDoS Attack Tree

On the hosts designated as zombies, the hacker installs the software (called a daemon) used to send out attack streams. The daemon runs in the background on the zombie, waiting for a message to activate the exploit software and launch an attack targeted at the designated victim. A daemon may be able to launch multiple types of attacks, such as User Datagram Protocol (UDP) or SYN floods. Combined with the ability to use spoofing, the daemon can prove to be a very flexible and powerful attack tool.

[Figure 2.2 callouts: Attacker: can initiate an attack by sending messages to compromised hosts with DDoS client software installed on them; may install client software on multiple machines. Master: client software is capable of waking daemons installed on zombies and commanding them to commence targeted attacks. Zombies: the hacker compromises multiple hosts to act as zombies included in the coordinated attack; zombies are responsible for conducting the actual attack. Target: the target host becomes the victim of multiple attacks originating from multiple sources/zombies.]

NOTE

Despite its rather evil-sounding name, a daemon is defined as any program that runs on a continuous basis and handles requests for service that come in from other computers. There are many legitimate and useful daemon programs that have nothing to do with launching attacks (e.g., the line printer daemon [LPD] that runs on a remote print server to monitor for print requests). The term is more often used in reference to UNIX/Linux systems. On Windows systems, services can be considered the analogue of daemons, which run in the background waiting for requests.

After the attacker has recruited a sufficient number of zombies, he can contact the masters and instruct them to launch a particular attack. The master then passes on these instructions to multiple zombies who commence the DDoS attack. After