This presentation summarizes SQL injection and SYN attacks. It discusses the different types of SQL injection including in-band, inferential, and out-of-band SQL injection. In-band SQL injection can be error-based or union-based. Inferential SQL injection is blind-boolean or blind-time based. SYN attack defenses include firewall-based, server-based like SYN cache, and SYN kill approaches. The presentation concludes with 10 headline-making hacks.
1. Slide 1
Bahir Dar University
Bahir Dar Institute of Technology
Faculty of Computing
Department of Computer Science, 4th Year, Section B
Computer Security Assignment Presentation
By: Tesfahunegn Minwuyelet
Date of Submission: 09/11/2016 GC.
2. Slide 2
SQL injection and SYN Attack
Contents
SQL injection
Types of SQL injection (SQLi)
Parameters to protection
SYN Attack
SYN flood defence categories
10 Hacks that made headlines
3. Slide 3
SQL Injection
• is a technique where malicious users can inject SQL commands into an SQL statement, via web page input. Injected SQL commands can alter the SQL statement and compromise the security of a web application.
• is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
• consists of insertion or "injection" of a SQL query via the input data from the client to the application.
The risk of SQL injection exploits is on the rise because of automated tools. In
the past, the danger was somewhat limited because an exploit had to be carried
out manually: an attacker had to actually type their SQL statement into a text
box.
4. Slide 4
Types of SQL injection
SQL Injection can be used in a range of ways to cause serious problems. By leveraging SQL Injection, an attacker could bypass authentication, and access, modify and delete data within a database. In some cases, SQL Injection can even be used to execute commands on the operating system, potentially allowing an attacker to escalate to more damaging attacks inside of a network that sits behind a firewall.
There are three types of SQLi:
• In-band SQLi (Classic SQLi)
• Inferential SQLi
• Out-of-band SQLi
5. Slide 5
In-band SQLi (Classic SQLi)
• is the most common and easiest-to-exploit of the SQL Injection attacks.
• occurs when an attacker is able to use the same communication channel to both launch the attack and gather results.
The two most common types of in-band SQL Injection are:
• Error-based SQLi
• Union-based SQLi
6. Slide 6
Error-based SQLi
• is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database.
• In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database.
While errors are very useful during the development phase of
a web application, they should be disabled on a live site, or
logged to a file with restricted access instead.
7. Slide 7
Union-based SQLi
Union-based SQLi is an in-band SQL injection
technique that leverages the UNION SQL
operator to combine the results of two or more
SELECT statements into a single result which is
then returned as part of the HTTP response.
8. Slide 8
Inferential SQLi (Blind SQLi)
• unlike in-band SQLi, may take longer for an attacker to exploit; however, it is just as dangerous as any other form of SQL Injection.
• is commonly referred to as “blind SQL Injection attacks” because no data is actually transferred via the web application, and the attacker would not be able to see the result of an attack in-band.
The two types of inferential SQL Injection are:
• Blind-boolean-based SQLi
• Blind-time-based SQLi
9. Slide 9
Blind-boolean-based SQLi
• is a technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result. From that difference the attacker infers the outcome of the query, even though no data from the database is returned.
• This attack is typically slow (especially on large databases), since an attacker would need to enumerate a database character by character.
10. Slide 10
Blind-time-based SQLi
• is a technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE, even though no data from the database is returned.
• This attack is typically slow (especially on large databases), since an attacker would need to enumerate a database character by character.
11. Slide 11
Out-of-band SQLi
• is not very common, mostly because it depends on features being enabled on the database server used by the web application.
• occurs when an attacker is unable to use the same channel to launch the attack and gather results.
• relies on the database server’s ability to make DNS or HTTP requests to deliver data to an attacker.
• Such is the case with Microsoft SQL Server’s xp_dirtree command, which can be used to make DNS requests to a server an attacker controls, as well as Oracle Database’s UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls.
12. Slide 12
• SQL Injection based on 1=1 is always true
• SQL Injection based on ""="" is always true
• SQL Injection based on batched SQL statements
Parameters for protection
Some web developers use a "blacklist" of words or characters to search for in SQL input, to prevent SQL injection attacks. This is not a very good idea. Many of these words (like delete or drop) and characters (like semicolons and quotation marks) are used in common language, and should be allowed in many types of input. (In fact, it should be perfectly legal to input an SQL statement in a database field.) The only proven way to protect a web site from SQL injection attacks is to use SQL parameters. SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.
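The difference between string-building and SQL parameters can be shown side by side. This is an added example, not code from the presentation: a constructed in-memory SQLite table, a login check that splices input into the statement, and the same check using bound parameters, tried against the ""="" tautology from the slide above (here in single-quoted form, as the example's literals are single-quoted).

```python
import sqlite3

def make_db():
    # Constructed in-memory table so the example runs offline; not the presentation's data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db

def login_concat(db, user, password):
    # Vulnerable: attacker-controlled text becomes part of the SQL statement itself,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT name FROM users WHERE name = '{user}' AND pass = '{password}'"
    return db.execute(sql).fetchone() is not None

def login_param(db, user, password):
    # Hardened: the statement is fixed; the driver binds the values at execution time,
    # so a quote inside the input is only ever compared as data.
    sql = "SELECT name FROM users WHERE name = ? AND pass = ?"
    return db.execute(sql, (user, password)).fetchone() is not None

def demo():
    db = make_db()
    tautology = "' OR ''='"          # closes the literal, appends an always-true condition
    return {
        "valid_concat": login_concat(db, "alice", "correct horse"),
        "valid_param": login_param(db, "alice", "correct horse"),
        "tautology_concat": login_concat(db, "nobody", tautology),   # True: check bypassed
        "tautology_param": login_param(db, "nobody", tautology),     # False: treated as a password
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A blacklist would have to reject the apostrophe here, which is exactly the kind of character legitimate input (a surname such as O'Brien) contains; binding the value removes the problem without rejecting anything.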
13. Slide 13
SYN Attack
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
A SYN attack is a type of denial-of-service (DoS) attack in which an attacker utilizes the communication protocol of the Internet.
For each SYN packet received, the target machine allocates resources and sends an acknowledgement (SYN-ACK) to the source IP address. Because the target machine doesn't receive a response from the attacking machine, it attempts to resend the SYN-ACK five times, at 3-, 6-, 12-, 24-, and 48-second intervals, before deallocating the resources 96 seconds after attempting the last retry.
14. Slide 14
Continue…
The SYN flood attack is the most common type of flooding attack. The attack occurs when the attacker sends a large number of SYN packets to the victim, forcing it to wait for replies that never come. The third part of the TCP three-way handshake is not executed.
The source address of these SYN packets in a SYN flood attack is typically set to an unreachable host. As a result, it is impossible to find the attacking computer.
15. Slide 15
SYN flood defense categories
Firewall based
• Examples: SYN Defender, SYN proxying
• Filters packets and requests before router
• Maintains state for each connection
• Drawbacks: can be overloaded, extra delay for processing each
packet
16. Slide 16
Continue…
Server Based
• Examples: SYN Cache, SYN cookies
• SYN cache receives packets first and then uses a hash table to partially store states
• Removes the need to watch half-open connections
• Implemented in Linux
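The server-based defence above is easiest to see in code. This is an added example, not from the presentation or from any kernel: a simplified SYN cookie in the style of Bernstein's scheme, where the server encodes the handshake state into the SYN-ACK's initial sequence number instead of keeping a half-open entry, and recovers it from the client's final ACK. The secret, the MSS table and the 64-second time granularity are assumptions chosen for the example.

```python
import hashlib
import hmac

# Assumed values (not from the presentation): a host secret and a small MSS table,
# which lets the MSS fit in 3 bits of the cookie as Bernstein's scheme does.
SECRET = b"constructed-demo-secret-rotate-me"
MSS_TABLE = [536, 1220, 1460, 4460]

def _mac(src_ip, dst_ip, sport, dport, t):
    # 24-bit keyed hash over the connection 4-tuple and the coarse time counter.
    msg = f"{src_ip}|{dst_ip}|{sport}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src_ip, dst_ip, sport, dport, mss, now):
    """ISN for the SYN-ACK: 5-bit time counter | 3-bit MSS index | 24-bit MAC.
    Nothing is stored per connection, so a flood cannot exhaust the backlog."""
    t = (now // 64) & 0x1F                      # 64-second granularity, wraps every ~34 min
    m = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    return (t << 27) | (m << 24) | _mac(src_ip, dst_ip, sport, dport, t)

def check_cookie(src_ip, dst_ip, sport, dport, ack, now):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None if
    the cookie is forged, belongs to another 4-tuple, or is older than ~2 minutes."""
    cookie = (ack - 1) & 0xFFFFFFFF             # client acknowledges ISN + 1
    t, m, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = (((now // 64) & 0x1F) - t) & 0x1F     # elapsed 64-second ticks, modulo 32
    if age > 1 or m >= len(MSS_TABLE):
        return None
    expect = _mac(src_ip, dst_ip, sport, dport, t)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expect.to_bytes(3, "big")):
        return None
    return MSS_TABLE[m]

if __name__ == "__main__":
    now = 1_700_000_000                         # constructed clock value
    isn = make_cookie("203.0.113.5", "198.51.100.1", 40000, 80, 1460, now)
    print(check_cookie("203.0.113.5", "198.51.100.1", 40000, 80, isn + 1, now + 10))
```

The cost of statelessness is visible here too: only the MSS survives, so other SYN options are lost, which is why Linux enables cookies only once the SYN backlog overflows.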
17. Slide 17
Continue…
SYN kill
• SYN kill monitors the network and, if it detects SYNs that are not being acknowledged, automatically generates RST packets to free resources.
• It classifies addresses as likely to be spoofed or legitimate…
18. Slide 18
Continue…
MULTOPS
• Monitors the packets going to and from a victim
• Blocks IPs from outside of the network… limiting the IP range of the attack
19. Slide 19
Continue…
Route-based Distributed Packet Filtering
• Uses packet information to determine if a packet arriving at a router has spoofed source/destination addresses
• Results show many packets can be filtered, and those that can’t can be traced back easily
20. Slide 20
10 HACKS THAT MADE HEADLINES
Markus Hess hacks on behalf of the KGB
Robert Morris hacks the internet
Vladimir Levin hacks Citibank
Jonathan James hacks NASA
Adrian Lamo hacks the New York Times
Gary McKinnon hacks the US military
Albert Gonzalez hacks TJX (and many more)
Anonymous hacks HBGary
LulzSec hacks Sony
News of the World hacking scandal